Merge branch 'master' into fix/pcr0_detect_txt_enabled

2021-05-06 12:07:27 +01:00 · 2021-05-06 12:07:27 +01:00 · be74de6728
parent 9b9c69f911 875763e421
commit be74de6728
4 changed files with 62 additions and 5 deletions
--- a/cmd/cbnt-prov/cmd.go
+++ b/cmd/cbnt-prov/cmd.go
@ -128,6 +128,7 @@ type generateBPMCmd struct {
 	IbbSegbase  uint32               `flag optional name:"ibbsegbase" help:"Value for IbbSegment structure"`
 	IbbSegsize  uint32               `flag optional name:"ibbsegsize" help:"Value for IBB segment structure"`
 	IbbSegFlag  uint16               `flag optional name:"ibbsegflag" help:"Reducted"`
+	Coreboot    bool                 `flag optional name:"coreboot" help:"Required when BIOS binary file is a coreboot image"`
 	// TXT args
 	SinitMin          uint8                       `flag optional name:"sinitmin" help:"OEM authorized SinitMinSvn value"`
 	TXTFlags          bootpolicy.TXTControlFlags  `flag optional name:"txtflags" help:"TXT Element control flags"`
@ -415,11 +416,20 @@ func (g *generateBPMCmd) Run(ctx *context) error {
 			se.DigestList.List[iterator].HashAlg = g.IbbHash[iterator]
 		}

-		seg := *bootpolicy.NewIBBSegment()
-		seg.Base = g.IbbSegbase
-		seg.Size = g.IbbSegsize
-		seg.Flags = g.IbbSegFlag
-		se.IBBSegments = append(se.IBBSegments, seg)
+		if g.IbbSegbase != 0 {
+			seg := *bootpolicy.NewIBBSegment()
+			seg.Base = g.IbbSegbase
+			seg.Size = g.IbbSegsize
+			seg.Flags = g.IbbSegFlag
+			se.IBBSegments = append(se.IBBSegments, seg)
+		}
+		if g.Coreboot {
+			ibbs, err := cbnt.FindAdditionalIBBs(g.BIOS)
+			if err != nil {
+				return err
+			}
+			se.IBBSegments = append(se.IBBSegments, ibbs...)
+		}

 		cbnto.BootPolicyManifest.SE = append(cbnto.BootPolicyManifest.SE, *se)

--- a/go.mod
+++ b/go.mod
@ -16,6 +16,7 @@ require (
 	github.com/google/uuid v1.2.0
 	github.com/intel-go/cpuid v0.0.0-20200819041909-2aa72927c3e2
 	github.com/kr/pretty v0.2.1 // indirect
+	github.com/linuxboot/cbfs v0.0.0-20210504130259-7e6ab4ccb5aa
 	github.com/linuxboot/fiano v6.0.0-rc.0.20210427094458-991eadf32b6a+incompatible
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/steakknife/hamming v0.0.0-20180906055917-c99c65617cd3
--- a/go.sum
+++ b/go.sum
@ -241,6 +241,11 @@ github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+
 github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag=
 github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/linuxboot/fiano v5.0.0+incompatible h1:DZAZO0z9l35cakTNnkdh+yWRZfzCCJnDHmPAYW/t0No=
+github.com/linuxboot/cbfs v0.0.0-20210427144633-800f7849937f h1:9E+AteMLhYXSy66VsoE+JVDHmgSo9LXSessrjS+v4mg=
+github.com/linuxboot/cbfs v0.0.0-20210427144633-800f7849937f/go.mod h1:aO3vI0+YnezdSVke7+A7wL/d7QFJgq04oo7+3x0Y3Bo=
+github.com/linuxboot/cbfs v0.0.0-20210504130259-7e6ab4ccb5aa h1:rPAsF/VXW48u/JmtSXifY0yvz/5ow3X+Cj3qIuVavW4=
+github.com/linuxboot/cbfs v0.0.0-20210504130259-7e6ab4ccb5aa/go.mod h1:aO3vI0+YnezdSVke7+A7wL/d7QFJgq04oo7+3x0Y3Bo=
+github.com/linuxboot/fiano v6.0.0-rc+incompatible/go.mod h1:IPKmAwYdbidivI8+nWCBO97QkdsiF8OThAHowU8Tvdk=
 github.com/linuxboot/fiano v6.0.0-rc.0.20210212032429-91b79e9335d4+incompatible h1:U60PidlAhhlHVKIXC1RIBUvDIrW3e/SiKTbzXOT3Zpc=
 github.com/linuxboot/fiano v6.0.0-rc.0.20210212032429-91b79e9335d4+incompatible/go.mod h1:IPKmAwYdbidivI8+nWCBO97QkdsiF8OThAHowU8Tvdk=
 github.com/linuxboot/fiano v6.0.0-rc.0.20210427094458-991eadf32b6a+incompatible h1:QWVmkVGWK79Rby0X9VAZ1BXJtw9qqxSgst3SkqsWVMo=
--- a/pkg/provisioning/cbnt/tools.go
+++ b/pkg/provisioning/cbnt/tools.go
@ -11,6 +11,8 @@ import (
 	"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest/common/pretty"
 	"github.com/9elements/converged-security-suite/v2/pkg/intel/metadata/manifest/key"
 	"github.com/9elements/converged-security-suite/v2/pkg/tools"
+
+	"github.com/linuxboot/cbfs/pkg/cbfs"
 )

 // WriteCBnTStructures takes a firmware image and extracts boot policy manifest, key manifest and acm into seperate files.
@ -290,3 +292,42 @@ func StitchFITEntries(biosFilename string, acm, bpm, km []byte) error {
 	}
 	return nil
 }
+
+// FindAdditionalIBBs takes a coreboot image and finds componentName to create
+// additional IBBSegment.
+func FindAdditionalIBBs(imagepath string) ([]bootpolicy.IBBSegment, error) {
+	ibbs := make([]bootpolicy.IBBSegment, 0)
+	image, err := os.Open(imagepath)
+	if err != nil {
+		return nil, err
+	}
+	defer image.Close()
+
+	stat, err := image.Stat()
+	if err != nil {
+		return nil, err
+	}
+
+	img, err := cbfs.NewImage(image)
+	if err != nil {
+		return nil, err
+	}
+
+	flashBase := 0xffffffff - stat.Size() + 1
+	cbfsbaseaddr := img.Area.Offset
+	for _, seg := range img.Segs {
+		switch seg.GetFile().Name {
+		case
+			"fspt.bin",
+			"fallback/verstage",
+			"bootblock":
+
+			ibb := bootpolicy.NewIBBSegment()
+			ibb.Base = uint32(flashBase) + cbfsbaseaddr + seg.GetFile().RecordStart + seg.GetFile().SubHeaderOffset
+			ibb.Size = seg.GetFile().Size
+			ibb.Flags = 0
+			ibbs = append(ibbs, *ibb)
+		}
+	}
+	return ibbs, nil
+}