Update coreboot from 4.8.1 to 4.9

[tlaurion]

No description provided.

[JeffreyAbbinante]

Refer to pull request #501

[tlaurion]

@JeffreyAbbinante :

cd heads
cp -r patches/coreboot-4.8.1/ patches/coreboot-4.9 

Start the work!! :)
Most of the patches seem to have been merged already. @kylerankin : Librem13v2 patches would need to be validated.

I was expecting to see measured boot offered into coreboot to play with it on x230, asked @zaolin over slack if only the following platforms were supported:

user@build-x230-coreboot-49:~/heads/build/coreboot-4.9$ grep -R CONFIG_VBOOT_MEASURED_BOOT
src/soc/amd/stoneyridge/Makefile.inc:postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += i2c.c
src/soc/intel/apollolake/Makefile.inc:postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += gspi.c

On which he replied that all platforms were supported. Unfortunately, it doesn't seem to be the case. I see vboot being supported in all platforms, and measured boot being a suboption only for some boards:
make -C build/coreboot-4.9/ DOTCONFIG=../../config/coreboot-x230.config menuconfig

[JeffreyAbbinante]

What patches should I be leaving out? I only have an X230 to test them on.

[tlaurion]

@JeffreyAbbinante :

• 0000-measuredboot.patch needs to be figured out for sure.

As validating and porting all of the other patches so measure boot works for all supported boards before this PR being merged :)

[JeffreyAbbinante]

Can you contribute to my pull request? I can add you to my fork if you like. For now, I have coreboot 4.9 booting with the heads system.

[flammit]

@JeffreyAbbinante FYI what @tlaurion is referring to is that the patches/ directory is version-specific (patches/coreboot-4.8.1), so while you've updated the coreboot module to be 4.9, the patches to coreboot that provide Heads-specific functionality need to be migrated and tested as well. Right now, your system is booting using vanilla coreboot without the module measurement, etc.

[JeffreyAbbinante]

@flammit I understood what he meant. I am compiling a version with the patches already right now.

[flammit]

@JeffreyAbbinante whoops - that's what I get for not reading the whole thread. sorry about that and thanks for the help!

[JeffreyAbbinante]

@flammit no problem. Would anyone happen to know what patches were merged into upstream?

[tlaurion]

@JeffreyAbbinante :

I'm unfortunately doing something else right now and can't review the patches. I've started, but since I did not see measure boot functions as I was expecting and the measured patch failed, I went to do other things after asking @zaolin for more information.

Here is what I have in my bash history to test applicability of each patch:

cd heads
find ./ -name *_verify|xargs rm
tar cvzf packages-coreboot49.tar.gz  ./build/coreboot-4.9/util/crossgcc/tarballs/ packages/
cp -r patches/coreboot-4.8.1/ patches/coreboot-4.9
rm -rf build/coreboot-4.9/ && tar zxvf packages-coreboot49.tar.gz && make BOARD=x230

The patches present under patches/coreboot-4.9 will be applied one one by one when building the coreboot module you modified already following upper level Makefile instructions.
Then one by one, verify what failed in .rej files produced, and modify original patches accordingly and repeat:
rm -rf build/coreboot-4.9/ && tar zxvf packages-coreboot49.tar.gz && make BOARD=x230

Would anyone happen to know what patches were merged into upstream?

Most of them were. You will see warnings from patch command requesting you if you want those changes to be applied in reverse (to undo the patch).

I will resume attempts in the next following days but i'm really happy someone else is also taking a look at it :)

Let us know where it hangs!

[JeffreyAbbinante]

So I took out my other laptop with a bit more processing power... to make compiling faster. I hope to find some stuff later this week.

[JeffreyAbbinante]

The measured boot patch needs work for sure.
"Applying patch file : patches/coreboot-4.9/0000-measuredboot.patch patching file src/Kconfig Hunk #1 succeeded at 278 (offset 18 lines). can't find file to patch at input line 31 Perhaps you used the wrong -p or --strip option? The text leading up to this was: -------------------------- |diff --git ./src/drivers/pc80/tpm/romstage.c ./src/drivers/pc80/tpm/romstage.c |index b8e4705..7732e66 100644 |--- ./src/drivers/pc80/tpm/romstage.c |+++ ./src/drivers/pc80/tpm/romstage.c -------------------------- File to patch:"

[JeffreyAbbinante]

I went through the work of testing all the patches individually. This is what I got so far. Some of the patches were already applied but it seems like we all have a lot of work to do.

Applying patch file : patches/coreboot-4.9/0000-measuredboot.patch
patching file src/Kconfig
Hunk #1 succeeded at 278 (offset 18 lines).
can't find file to patch at input line 31
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:

|diff --git ./src/drivers/pc80/tpm/romstage.c ./src/drivers/pc80/tpm/romstage.c
|index b8e4705..7732e66 100644
|--- ./src/drivers/pc80/tpm/romstage.c
|+++ ./src/drivers/pc80/tpm/romstage.c

File to patch:

Applying patch file : patches/coreboot-4.9/0007-intel-fsp-fsp2_0-Fix-FSP-2.0-headers-to-match-github.patch
can't find file to patch at input line 22
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:

|From 8e7e0e390fcfda226f0d78bfa883ffee12f751a8 Mon Sep 17 00:00:00 2001
|From: Youness Alaoui youness.alaoui@puri.sm
|Date: Fri, 9 Feb 2018 18:32:51 -0500
|Subject: [PATCH 7/9] intel/fsp/fsp2_0: Fix FSP 2.0 headers to match github
| version
|
|The current FSP 2.0 headers do not match the headers from the official
|FSP 2.0 image that was released on github [1].
|
|[1] https://github.com/IntelFsp/FSP/tree/Kabylake/KabylakeFspBinPkg
|
|Change-Id: I233bf7cf6f62e9e1b389d42a09461717a3285f0f

Signed-off-by: Youness Alaoui youness.alaoui@puri.sm
src/vendorcode/intel/fsp/fsp2_0/skykabylake/MemInfoHob.h
1 file changed, 1 insertion(+), 4 deletions(-)

|
|diff --git a/src/vendorcode/intel/fsp/fsp2_0/skykabylake/MemInfoHob.h b/src/vendorcode/intel/fsp/fsp2_0/skykabylake/MemInfoHob.h
|index 248b4d5ef1..3abc877a19 100644
|--- a/src/vendorcode/intel/fsp/fsp2_0/skykabylake/MemInfoHob.h
|+++ b/src/vendorcode/intel/fsp/fsp2_0/skykabylake/MemInfoHob.h

File to patch:

Applying patch file : patches/coreboot-4.9/0009-Add-heads-TPM-measurements-to-Skylake-Kabylake.patch
patching file src/arch/x86/postcar.c
Hunk #1 FAILED at 19.
Hunk #2 succeeded at 40 (offset -3 lines).
1 out of 2 hunks FAILED -- saving rejects to file src/arch/x86/postcar.c.rej
patching file src/drivers/intel/fsp2_0/memory_init.c
Hunk #1 FAILED at 150.
Hunk #2 succeeded at 408 (offset -75 lines).
1 out of 2 hunks FAILED -- saving rejects to file src/drivers/intel/fsp2_0/memory_init.c.rej
patching file src/drivers/intel/fsp2_0/silicon_init.c
Hunk #2 succeeded at 104 (offset 2 lines).
Hunk #3 succeeded at 122 (offset 2 lines).
patching file src/drivers/pc80/tpm/Makefile.inc
Hunk #1 FAILED at 3.
1 out of 1 hunk FAILED -- saving rejects to file src/drivers/pc80/tpm/Makefile.inc.rej
patching file src/security/tpm/Makefile.inc
Hunk #1 FAILED at 4.
1 out of 1 hunk FAILED -- saving rejects to file src/security/tpm/Makefile.inc.rej
make[1]: *** [Makefile:357: /home/jeffrey/git/heads-cb4.9/build/coreboot-4.9/.canary] Error 1
make[1]: Leaving directory '/home/jeffrey/git/heads-cb4.9'
Makefile:559: recipe for target 'all' failed
make: *** [all] Error 2

Applying patch file : patches/coreboot-4.9/0020-kgpe-d16.patch
patching file src/mainboard/asus/kgpe-d16/Kconfig
Hunk #1 succeeded at 27 (offset -1 lines).
patching file src/mainboard/asus/kgpe-d16/devicetree.cb
patching file src/mainboard/asus/kgpe-d16/dsdt.asl
Hunk #1 succeeded at 51 (offset 1 line).
Hunk #2 succeeded at 489 (offset 1 line).
Hunk #3 succeeded at 617 (offset 1 line).
patching file src/mainboard/asus/kgpe-d16/mainboard.c
Hunk #1 succeeded at 66 (offset -4 lines).
patching file src/mainboard/asus/kgpe-d16/romstage.c
Hunk #1 FAILED at 88.
1 out of 1 hunk FAILED -- saving rejects to file src/mainboard/asus/kgpe-d16/romstage.c.rej
make[1]: *** [Makefile:357: /home/jeffrey/git/heads-cb4.9/build/coreboot-4.9/.canary] Error 1
make[1]: Leaving directory '/home/jeffrey/git/heads-cb4.9'
Makefile:559: recipe for target 'all' failed
make: *** [all] Error 2

Applying patch file : patches/coreboot-4.9/0030-sandybridge.patch
patching file src/northbridge/intel/sandybridge/romstage.c
Hunk #1 FAILED at 29.
Hunk #2 succeeded at 70 (offset -2 lines).
Hunk #3 FAILED at 130.
2 out of 3 hunks FAILED -- saving rejects to file src/northbridge/intel/sandybridge/romstage.c.rej
make[1]: *** [Makefile:357: /home/jeffrey/git/heads-cb4.9/build/coreboot-4.9/.canary] Error 1
make[1]: Leaving directory '/home/jeffrey/git/heads-cb4.9'
Makefile:559: recipe for target 'all' failed
make: *** [all] Error 2

Applying patch file : patches/coreboot-4.9/0050-buildgcc-Do-not-try-to-install-GCC-if-build-failed.patch
patching file util/crossgcc/buildgcc
Hunk #1 FAILED at 751.
1 out of 1 hunk FAILED -- saving rejects to file util/crossgcc/buildgcc.rej
make[1]: *** [Makefile:357: /home/jeffrey/git/heads-cb4.9/build/coreboot-4.9/.canary] Error 1
make[1]: Leaving directory '/home/jeffrey/git/heads-cb4.9'
Makefile:559: recipe for target 'all' failed
make: *** [all] Error 2

Applying patch file : patches/coreboot-4.9/0051-buildgcc-Update-IASL-to-20180531.patch
patching file util/crossgcc/buildgcc
Hunk #1 FAILED at 18.
Hunk #2 FAILED at 42.
2 out of 2 hunks FAILED -- saving rejects to file util/crossgcc/buildgcc.rej
The next patch would delete the file util/crossgcc/patches/acpica-unix2-20161222_iasl.patch,
which does not exist! Assume -R? [n]

Applying patch file : patches/coreboot-4.9/0052-crossgcc-Update-to-clang-6.0-cmake-3.11.3.patch
patching file util/crossgcc/buildgcc
Reversed (or previously applied) patch detected! Assume -R? [n]

Applying patch file : patches/coreboot-4.9/0053-src-Get-rid-of-unneeded-whitespace.patch
patching file util/crossgcc/buildgcc
Reversed (or previously applied) patch detected! Assume -R? [n]

Applying patch file : patches/coreboot-4.9/0054-util-crossgcc-Allow-building-a-new-gcc-against-new-b.patch
patching file util/crossgcc/buildgcc
Hunk #1 FAILED at 752.
1 out of 1 hunk FAILED -- saving rejects to file util/crossgcc/buildgcc.rej
make[1]: *** [Makefile:357: /home/jeffrey/git/heads-cb4.9/build/coreboot-4.9/.canary] Error 1
make[1]: Leaving directory '/home/jeffrey/git/heads-cb4.9'
Makefile:559: recipe for target 'all' failed
make: *** [all] Error 2

Applying patch file : patches/coreboot-4.9/0055-crosgcc-patches-Add-make-patch-for-GLIBC-glob-interf.patch
patching file util/crossgcc/patches/make-4.2.1_gnu_glob_interface_v2.patch

Applying patch file : patches/coreboot-4.9/0056-util-crossgcc-update-to-gcc-8.1.0-and-binutils-2.30.patch
patching file util/crossgcc/buildgcc
Hunk #1 FAILED at 18.
Hunk #2 FAILED at 38.
Hunk #3 FAILED at 57.
3 out of 3 hunks FAILED -- saving rejects to file util/crossgcc/buildgcc.rej
patching file util/crossgcc/patches/binutils-2.30_mips-gold.patch (already renamed from util/crossgcc/patches/binutils-2.29.1_mips-gold.patch)
The next patch would create the file util/crossgcc/patches/binutils-2.30_nds32.patch,
which already exists! Assume -R? [n]

Applying patch file : patches/coreboot-4.9/0057-util-crosgcc-patches-update-make-4.2.1-patches.patch
The next patch would create the file util/crossgcc/patches/make-4.2.1_0053-glob-Do-not-assume-glibc-glob-internals.patch,
which already exists! Assume -R? [n]

Applying patch file : patches/coreboot-4.9/0058-util-crosgcc-Fix-most-shellcheck-errors-in-buildgcc.patch
patching file util/crossgcc/buildgcc
Reversed (or previously applied) patch detected! Assume -R? [n]

Applying patch file : patches/coreboot-4.9/0059-util-Add-description.md-to-each-util.patch
The next patch would create the file util/crossgcc/description.md,
which already exists! Assume -R? [n]

[tlaurion]

@zaolin confirms that measured boot hasn't made it to coreboot 4.9 as planned.

WiP here.

[MrChromebox]

0007-intel-fsp-fsp2_0-Fix-FSP-2.0-headers-to-match-github.patch

should be dropped, since coreboot now has the option to use the headers/binaries from the 3rdparty/fsp repo (which is a mirror of the Intel FSP github repo). Just requires changing the coreboot config for affected boards, which is trivial.

[tlaurion]

Let's track measured boot WiP upstream in coreboot and switch to coreboot git commit id once it's merged?

[tlaurion]

refer to #515

[tlaurion]

To be added in this PR

• integrate/ test :
  • Add VBOOT support
  • Enable VBOOT support
• check if fmap is correct
• set CMOS flags correctly

[merge]

To be added in this PR

* [ ]  integrate/ test :
  
  * [ ]  [Add VBOOT support](https://review.coreboot.org/c/coreboot/+/29816)
  * [ ]  [Enable VBOOT support](https://review.coreboot.org/c/coreboot/+/29815/1)

* [ ]  check if fmap is correct

* [ ]  set CMOS flags correctly

does this apply to the X230 too? Also, how about being lazy and bump coreboot with the next release that includes measured boot in vboot + support for the X230? I guess we'll have to do changes in userspace anyways? do we? which ones and who will do them? thanks!

[tlaurion]

@merge: I have none of the answers right now. I just added information here to update status. From my understanding, those changes would work with the x230 as well but need to be tested.

Yep, userspace will need to be adjusted also, since only a subset of PCRs are used now. I will find relative information on u-root and edit this post later on.

@zaolin: your direct input would be more then welcome on the work needing to be done.

Sent from my Galaxy S3 using FastHub-Libre

[tlaurion]

@merge : from https://review.coreboot.org/c/coreboot/+/29547/73/Documentation/security/vboot/measured_boot.md

userland tools will have to take into account sealing of only the following PCRs:

## Platform Configuration Register
	
Normally PCR 0-7 are reserved for firmware usage. In coreboot we use just 4 PCR
	
banks in order to store the measurements. coreboot uses the SHA-1 or SHA-256
	
hash algorithm depending on the TPM specification for measurements. PCR-4 to
	
PCR-7 are left empty.
	
	
### PCR-0
	
_Hash:_ SHA1
	
_Description:_ Google VBoot GBB flags.
	
	
### PCR-1
	
_Hash:_ SHA1/SHA256
	
_Description:_ Google VBoot GBB HWID.
	
	
### PCR-2
	
_Hash:_ SHA1/SHA256
	
_Description:_ Core Root of Trust for Measurement which includes all stages,
	
data and blobs.
	
	
### PCR-3
	
_Hash:_ SHA1/SHA256
	
_Description:_ Runtime data like hwinfo.hex or MRC cache.
	

[zaolin]

Estimation in man-days: 8 PD