WolfSSL
/
wolfBoot
mirror of https://github.com/wolfSSL/wolfBoot.git
1
0
Fork 0
Code Issues Releases Wiki Activity

kontron-vx3060-s2: simplify example, add build test, improve docs

pull/530/head
Marco Oliverio 2024-12-19 16:44:17 +00:00 committed by Daniele Lacamera
parent 1276e152b6
commit 7008f68707
4 changed files with 118 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
.github/workflows/test-build-kontron-vx3060-s2.yml vendored 100644
View File

@ -0,0 +1,25 @@
name: kontron_vx3060_s2 build test
on:
pull_request:
branches: [ '*' ]
jobs:
fsp_qemu_test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
submodules: true
- name: install req
run: |
sudo apt-get update
sudo apt-get install --no-install-recommends -y -q nasm gcc-multilib
- name: setup git
run: |
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
- name: run test
run: |
cp config/examples/kontron_vx3060_s2.config .config
./tools/scripts/x86_fsp/tgl/tgl_download_fsp.sh
make

19
config/examples/kontron_vx3060_s2.config
View File

@ -1,7 +1,7 @@
ARCH=x86_64 ARCH=x86_64
TARGET=kontron_vx3060_s2 TARGET=kontron_vx3060_s2
WOLFBOOT_SMALL_STACK=0 WOLFBOOT_SMALL_STACK=0
SIGN=ECC384 SIGN=ECC256
HASH=SHA256 HASH=SHA256
DEBUG=0 DEBUG=0
SPMATH=1 SPMATH=1
@ -21,16 +21,12 @@ WOLFBOOT_LOAD_BASE=0x58000200
WOLFBOOT_SECTOR_SIZE?=0x1000 WOLFBOOT_SECTOR_SIZE?=0x1000
WOLFBOOT_DATA_ADDRESS=0x1000000 WOLFBOOT_DATA_ADDRESS=0x1000000
FSP_S_BASE=0xffea0000
FSP_T_BASE=0xfff59000 FSP_T_BASE=0xfff59000
FSP_M_BASE=0xfff60000 FSP_M_BASE=0xfff60000
WOLFBOOT_ORIGIN=0xfff00000 WOLFBOOT_ORIGIN=0xfff00000
# 4 MB # 6 MB
BOOTLOADER_PARTITION_SIZE=0x600000 BOOTLOADER_PARTITION_SIZE=0x600000
# 12 MB
BIOS_REGION_SIZE=0xc00000
UCODE0_BASE=0xffd90000 UCODE0_BASE=0xffd90000
UCODE0_BIN=src/x86/ucode0.bin UCODE0_BIN=src/x86/ucode0.bin
@ -38,30 +34,19 @@ UCODE0_BIN=src/x86/ucode0.bin
FSP_T_BIN=./src/x86/fsp_t.bin FSP_T_BIN=./src/x86/fsp_t.bin
FSP_M_BIN=./src/x86/fsp_m.bin FSP_M_BIN=./src/x86/fsp_m.bin
FSP_S_BIN=./src/x86/fsp_s.bin FSP_S_BIN=./src/x86/fsp_s.bin
FSP_S_UPD_DATA_BIN=./src/x86/fsp_s_upd_data.bin
X86_UART_BASE=0xFE032000 X86_UART_BASE=0xFE032000
X86_UART_REG_WIDTH=4 X86_UART_REG_WIDTH=4
X86_UART_MMIO=1 X86_UART_MMIO=1
PCH_PCR_BASE=0xFD000000 PCH_PCR_BASE=0xFD000000
PCI_ECAM_BASE=0xC0000000 PCI_ECAM_BASE=0xC0000000
PCI_USE_ECAM=1 PCI_USE_ECAM=1
PCH_HAS_PCR=1 PCH_HAS_PCR=1
64BIT=1 64BIT=1
ELF=1 ELF=1
DEBUG_ELF=0 DEBUG_ELF=0
MULTIBOOT2=1 MULTIBOOT2=1
FSP_S_LOAD_BASE=0x0FED5F00 FSP_S_LOAD_BASE=0x0FED5F00
STAGE1_AUTH=1 STAGE1_AUTH=1
MEASURED_BOOT=1
MEASURED_PCR_A=0
DISK_LOCK=0 DISK_LOCK=0
WOLFTPM=1
WOLFBOOT_TPM_SEAL=1
WOLFBOOT_TPM_SEAL_KEY_ID=1
WOLFBOOT_UNIVERSAL_KEYSTORE=1
DEBUG_SYMBOLS=1 DEBUG_SYMBOLS=1

94
docs/Targets.md
View File

@ -9,6 +9,7 @@ This README describes configuration of supported targets.
* [Cypress PSoC-6](#cypress-psoc-6) * [Cypress PSoC-6](#cypress-psoc-6)
* [Infineon AURIX TC3xx](#infineon-aurix-tc3xx) * [Infineon AURIX TC3xx](#infineon-aurix-tc3xx)
* [Intel x86-64 Intel FSP](#intel-x86_64-with-intel-fsp-support) * [Intel x86-64 Intel FSP](#intel-x86_64-with-intel-fsp-support)
* [Kontron VX3060-S2](#kontron-vx3060-s2)
* [Microchip SAMA5D3](#microchip-sama5d3) * [Microchip SAMA5D3](#microchip-sama5d3)
* [Microchip SAME51](#microchip-same51) * [Microchip SAME51](#microchip-same51)
* [Nordic nRF52840](#nordic-nrf52840) * [Nordic nRF52840](#nordic-nrf52840)
@ -3199,24 +3200,97 @@ IMAGE=test-app/image.elf SIGN=--ecc384 tools/scripts/x86_fsp/qemu/make_hd.sh
For more advanced uses of TPM, please check [TPM.md](TPM.md) to configure wolfBoot For more advanced uses of TPM, please check [TPM.md](TPM.md) to configure wolfBoot
according to your secure boot strategy. according to your secure boot strategy.
### Running on Kontron VX3060-S2 ## Kontron VX3060-S2
A reference configuration and helper scripts are provided to run wolfBoot on wolfBoot supports Kontron VX3060-S2 board using Intel Firmware Support Package
Kontron VX3060-S2 board. (FSP). You can find more details about the wolfBoot support with Intel FSP in
A flash dump of the original Flash BIOS is needed. the above [section](#intel-x86_64-with-intel-fsp-support). A minimal
To compile a flashable image run the following steps: configuration example is provided in
[config/examples/kontron_vx3060_s2.config](config/examples/kontron_vx3060_s2.config).
In order to produce a flashable flash image, a dump of the original flash is
required. To build wolfBoot, follow the following steps:
``` ```
cp config/examples/kontron_vx3060_s2.config .config cp config/examples/kontron_vx3060_s2.config .config
./tools/scripts/x86_fsp/tgl/tgl_download_fsp.sh ./tools/scripts/x86_fsp/tgl/tgl_download_fsp.sh
make tpmtools make
./tools/scripts/x86_fsp/tgl/assemble_image.sh -k
make CFLAGS_EXTRA="-DHAVE_ECC256"
./tools/scripts/x86_fsp/tgl/assemble_image.sh -n /path/to/original/flash/dump ./tools/scripts/x86_fsp/tgl/assemble_image.sh -n /path/to/original/flash/dump
``` ```
they produce a file named `final_image.bin` inside the root folder of the After running the above commands, you should find a file named `final_image.bin` in the root folder of the repository. The image can be flashed directly into the board.
repository that can be directly flashed into the BIOS flash of the board. By default wolfBoot tries to read a wolfBoot image from the SATA drive.
The drive should be partitioned with a GPT table, wolfBoot tries to load an image saved in the 5th or the 6th partition.
You can find more details in `src/update_disk.c`. wolfBoot doesn't try to read from a filesystem and the images need to be written directly into the partition.
This is an example boot log:
```
Press any key within 2 seconds to toogle BIOS flash chip
Cache-as-RAM initialized
FSP-T:A.0.7E build 70
FSP-M:A.0.7E build 70
microcode revision: AA, date: 12-28-2022
machine_update_m_params
calling FspMemInit...
warm reset required
Press any key within 2 seconds to toogle BIOS flash chip
Cache-as-RAM initialized
FSP-T:A.0.7E build 70
FSP-M:A.0.7E build 70
microcode revision: AA, date: 12-28-2022
machine_update_m_params
calling FspMemInit...
success
top reserved 0_78C50000h
mem: [ 0x78C40000, 0x78C50000 ] - stack (0x10000)
mem: [ 0x78C3FFF4, 0x78C40000 ] - stage2 parameter (0xC)
hoblist@0x78C90000
mem: [ 0x78C38000, 0x78C3FFF4 ] - page tables (0x7FF4)
page table @ 0x78C38000 [length: 7000]
mem: [ 0x78C37FF8, 0x78C38000 ] - stage2 ptr holder (0x8)
TOLUM: 0x78C37FF8
mem: [ 0x100000, 0x100014 ] - stage1 .data (0x14)
mem: [ 0x100020, 0x100040 ] - stage1 .bss (0x20)
CPUID(0):1B 756E6547 6C65746E
mem: [ 0x58000100, 0x5806196C ] - wolfboot (0x6186C)
mem: [ 0x5806196C, 0x58282000 ] - wolfboot .bss (0x220694)
load wolfboot end
Authenticating wolfboot at 58000200...
Boot partition: 0x58000100 (sz 399212, ver 0x1, type 0x201)
verify_payload: image open successfully.
verify_payload: integrity OK. Checking signature.
wolfBoot: verified OK.
starting wolfboot 64bit
call temp ram exit...successA.0.7E build 70
call silicon...successcap a 2268409840
ddt disabled 0
device enable: 172049
device enable: 172049
AHCI port 0: Disk detected (det: 04 ipm: 00)
AHCI port 1: Disk detected (det: 03 ipm: 01)
SATA disk drive detected on AHCI port 1
Reading MBR...
Found GPT PTE at sector 1
Found valid boot signature in MBR
Valid GPT partition table
Current LBA: 0x1
Backup LBA: 0x6FCCF2F
Max number of partitions: 128
Software limited: only allowing up to 16 partitions per disk.
Disk size: 1107095552
disk0.p0 (0_8000000h@ 0_100000)
disk0.p1 (0_20000000h@ 0_8100000)
disk0.p2 (4_0h@ 0_28100000)
disk0.p3 (4_0h@ 4_28100000)
disk0.p4 (1_0h@ 8_28100000)
disk0.p5 (0_80000000h@ 9_28100000)
disk0.p6 (0_80000000h@ 9_A8100000)
Total partitions on disk0: 7
Checking primary OS image in 0,5...
Checking secondary OS image in 0,6...
Versions, A:1 B:1
Load address 0x58282000
Attempting boot from partition A
```
At this point, the kernel image in partition "A" is verified and staged and you should be seeing the log messages of your OS booting.
## Infineon AURIX TC3xx ## Infineon AURIX TC3xx

23
tools/scripts/x86_fsp/tgl/assemble_image.sh
View File

@ -3,20 +3,10 @@
WOLFBOOT_DIR=$(pwd) WOLFBOOT_DIR=$(pwd)
# 16 MB # 16 MB
BIOS_REGION_SIZE=16777216
BIOS_REGION_PATH=/tmp/bios.bin BIOS_REGION_PATH=/tmp/bios.bin
SIGN_OPTIONS="--ecc384 --sha256"
SIGN_KEY=$WOLFBOOT_DIR/wolfboot_signing_private_key.der
SIGN_TOOL=./tools/keytools/sign
set -e set -e
make_keys()
{
make keytools
./tools/keytools/keygen --ecc384 -g wolfboot_signing_private_key.der --ecc256 -g tpm_seal_key.key -keystoreDir src/
}
build_and_sign_image() build_and_sign_image()
{ {
# compute the size differences between $FLASH_DUMP and "$WOLFBOOT_DIR"/wolfboot_stage1.bin and store it in SIZE # compute the size differences between $FLASH_DUMP and "$WOLFBOOT_DIR"/wolfboot_stage1.bin and store it in SIZE
@ -26,27 +16,24 @@ build_and_sign_image()
cp "$FLASH_DUMP" "$WOLFBOOT_DIR/temp_image.bin" cp "$FLASH_DUMP" "$WOLFBOOT_DIR/temp_image.bin"
truncate -s $SIZE "$WOLFBOOT_DIR/temp_image.bin" truncate -s $SIZE "$WOLFBOOT_DIR/temp_image.bin"
cat "$WOLFBOOT_DIR/temp_image.bin" "$BIOS_REGION_PATH" > "$WOLFBOOT_DIR/final_image.bin" cat "$WOLFBOOT_DIR/temp_image.bin" "$BIOS_REGION_PATH" > "$WOLFBOOT_DIR/final_image.bin"
if grep -q '^WOLFBOOT_TPM_SEAL=1$' .config; then
PCR0=$(python ./tools/scripts/x86_fsp/compute_pcr.py "$WOLFBOOT_DIR"/final_image.bin | tail -n 1) PCR0=$(python ./tools/scripts/x86_fsp/compute_pcr.py "$WOLFBOOT_DIR"/final_image.bin | tail -n 1)
"$WOLFBOOT_DIR"/tools/tpm/policy_sign -ecc256 -key=tpm_seal_key.key -pcr=0 -pcrdigest=$PCR0 "$WOLFBOOT_DIR"/tools/tpm/policy_sign -ecc256 -key=tpm_seal_key.key -pcr=0 -pcrdigest="$PCR0"
IMAGE_FILE="$WOLFBOOT_DIR"/final_image.bin "$WOLFBOOT_DIR"/tools/scripts/x86_fsp/tpm_install_policy.sh policy.bin.sig IMAGE_FILE="$WOLFBOOT_DIR"/final_image.bin "$WOLFBOOT_DIR"/tools/scripts/x86_fsp/tpm_install_policy.sh policy.bin.sig
fi
} }
assemble() assemble()
{ {
cp $WOLFBOOT_DIR/wolfboot_stage1.bin $BIOS_REGION_PATH cp "$WOLFBOOT_DIR/wolfboot_stage1.bin" $BIOS_REGION_PATH
build_and_sign_image build_and_sign_image
} }
# Parse command line options # Parse command line options
while getopts "ks:n:m:" opt; do while getopts "s:n:m:" opt; do
case "$opt" in case "$opt" in
k)
make_keys
exit 0
;;
n) n)
FLASH_DUMP="$OPTARG" FLASH_DUMP="$OPTARG"
IBG=0
;; ;;
*) *)
echo "Usage: $0 [-k] [-s FLASH_DUMP]" echo "Usage: $0 [-k] [-s FLASH_DUMP]"