kontron-vx3060-s2: simplify example, add build test, improve docs

2024-12-19 16:44:17 +00:00 · 2024-12-19 16:44:17 +00:00 · 7008f68707
parent 1276e152b6
commit 7008f68707
4 changed files with 118 additions and 47 deletions
--- a/.github/workflows/test-build-kontron-vx3060-s2.yml
+++ b/.github/workflows/test-build-kontron-vx3060-s2.yml
@ -0,0 +1,25 @@
 name: kontron_vx3060_s2 build test
 on:
  pull_request:
    branches: [ '*' ]
 jobs:
  fsp_qemu_test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          submodules: true
      - name: install req
        run: |
          sudo apt-get update
          sudo apt-get install --no-install-recommends -y -q nasm gcc-multilib
      - name: setup git
        run: |
          git config --global user.email "you@example.com"
          git config --global user.name "Your Name"
      - name: run test
        run: |
          cp config/examples/kontron_vx3060_s2.config .config
          ./tools/scripts/x86_fsp/tgl/tgl_download_fsp.sh
          make
--- a/config/examples/kontron_vx3060_s2.config
+++ b/config/examples/kontron_vx3060_s2.config
@ -1,7 +1,7 @@
 ARCH=x86_64
 TARGET=kontron_vx3060_s2
 WOLFBOOT_SMALL_STACK=0
-SIGN=ECC384
+SIGN=ECC256
 HASH=SHA256
 DEBUG=0
 SPMATH=1
@ -21,16 +21,12 @@ WOLFBOOT_LOAD_BASE=0x58000200
 WOLFBOOT_SECTOR_SIZE?=0x1000
 WOLFBOOT_DATA_ADDRESS=0x1000000
 FSP_S_BASE=0xffea0000
 FSP_T_BASE=0xfff59000
 FSP_M_BASE=0xfff60000
 WOLFBOOT_ORIGIN=0xfff00000
-# 4 MB
+# 6 MB
 BOOTLOADER_PARTITION_SIZE=0x600000
 # 12 MB
 BIOS_REGION_SIZE=0xc00000
 UCODE0_BASE=0xffd90000
 UCODE0_BIN=src/x86/ucode0.bin
@ -38,30 +34,19 @@ UCODE0_BIN=src/x86/ucode0.bin
 FSP_T_BIN=./src/x86/fsp_t.bin
 FSP_M_BIN=./src/x86/fsp_m.bin
 FSP_S_BIN=./src/x86/fsp_s.bin
 FSP_S_UPD_DATA_BIN=./src/x86/fsp_s_upd_data.bin
 X86_UART_BASE=0xFE032000
 X86_UART_REG_WIDTH=4
 X86_UART_MMIO=1
 PCH_PCR_BASE=0xFD000000
 PCI_ECAM_BASE=0xC0000000
 PCI_USE_ECAM=1
 PCH_HAS_PCR=1
 64BIT=1
 ELF=1
 DEBUG_ELF=0
 MULTIBOOT2=1
 FSP_S_LOAD_BASE=0x0FED5F00
 STAGE1_AUTH=1
 MEASURED_BOOT=1
 MEASURED_PCR_A=0
 DISK_LOCK=0
 WOLFTPM=1
 WOLFBOOT_TPM_SEAL=1
 WOLFBOOT_TPM_SEAL_KEY_ID=1
 WOLFBOOT_UNIVERSAL_KEYSTORE=1
 DEBUG_SYMBOLS=1
--- a/docs/Targets.md
+++ b/docs/Targets.md
@ -9,6 +9,7 @@ This README describes configuration of supported targets.
 * [Cypress PSoC-6](#cypress-psoc-6)
 * [Infineon AURIX TC3xx](#infineon-aurix-tc3xx)
 * [Intel x86-64 Intel FSP](#intel-x86_64-with-intel-fsp-support)
 * [Kontron VX3060-S2](#kontron-vx3060-s2)
 * [Microchip SAMA5D3](#microchip-sama5d3)
 * [Microchip SAME51](#microchip-same51)
 * [Nordic nRF52840](#nordic-nrf52840)
@ -3199,24 +3200,97 @@ IMAGE=test-app/image.elf SIGN=--ecc384 tools/scripts/x86_fsp/qemu/make_hd.sh
 For more advanced uses of TPM, please check [TPM.md](TPM.md) to configure wolfBoot
 according to your secure boot strategy.
-### Running on Kontron VX3060-S2
+## Kontron VX3060-S2
-A reference configuration and helper scripts are provided to run wolfBoot on
+wolfBoot supports Kontron VX3060-S2 board using Intel Firmware Support Package
-Kontron VX3060-S2 board.
+(FSP). You can find more details about the wolfBoot support with Intel FSP in
-A flash dump of the original Flash BIOS is needed.
+the above [section](#intel-x86_64-with-intel-fsp-support). A minimal
-To compile a flashable image run the following steps:
+configuration example is provided in
 [config/examples/kontron_vx3060_s2.config](config/examples/kontron_vx3060_s2.config).
 In order to produce a flashable flash image, a dump of the original flash is
 required. To build wolfBoot, follow the following steps:
 ```
 cp config/examples/kontron_vx3060_s2.config .config
 ./tools/scripts/x86_fsp/tgl/tgl_download_fsp.sh
-make tpmtools
+make
 ./tools/scripts/x86_fsp/tgl/assemble_image.sh -k
 make CFLAGS_EXTRA="-DHAVE_ECC256"
 ./tools/scripts/x86_fsp/tgl/assemble_image.sh -n /path/to/original/flash/dump
 ```
-they produce a file named `final_image.bin` inside the root folder of the
+After running the above commands, you should find a file named `final_image.bin` in the root folder of the repository. The image can be flashed directly into the board.
-repository that can be directly flashed into the BIOS flash of the board.
+By default wolfBoot tries to read a wolfBoot image from the SATA drive.
 The drive should be partitioned with a GPT table, wolfBoot tries to load an image saved in the 5th or the 6th partition. 
 You can find more details in `src/update_disk.c`. wolfBoot doesn't try to read from a filesystem and the images need to be written directly into the partition.
 This is an example boot log:
 ```
 Press any key within 2 seconds to toogle BIOS flash chip
 Cache-as-RAM initialized
 FSP-T:A.0.7E build 70
 FSP-M:A.0.7E build 70
 microcode revision: AA, date: 12-28-2022
 machine_update_m_params
 calling FspMemInit...
 warm reset required
 Press any key within 2 seconds to toogle BIOS flash chip
 Cache-as-RAM initialized
 FSP-T:A.0.7E build 70
 FSP-M:A.0.7E build 70
 microcode revision: AA, date: 12-28-2022
 machine_update_m_params
 calling FspMemInit...
 success
 top reserved 0_78C50000h
 mem: [ 0x78C40000, 0x78C50000 ] - stack (0x10000)
 mem: [ 0x78C3FFF4, 0x78C40000 ] - stage2 parameter (0xC)
 hoblist@0x78C90000
 mem: [ 0x78C38000, 0x78C3FFF4 ] - page tables (0x7FF4)
 page table @ 0x78C38000 [length: 7000]
 mem: [ 0x78C37FF8, 0x78C38000 ] - stage2 ptr holder (0x8)
 TOLUM: 0x78C37FF8
 mem: [ 0x100000, 0x100014 ] - stage1 .data (0x14)
 mem: [ 0x100020, 0x100040 ] - stage1 .bss (0x20)
 CPUID(0):1B 756E6547 6C65746E
 mem: [ 0x58000100, 0x5806196C ] - wolfboot (0x6186C)
 mem: [ 0x5806196C, 0x58282000 ] - wolfboot .bss (0x220694)
 load wolfboot end
 Authenticating wolfboot at 58000200...
 Boot partition: 0x58000100 (sz 399212, ver 0x1, type 0x201)
 verify_payload: image open successfully.
 verify_payload: integrity OK. Checking signature.
 wolfBoot: verified OK.
 starting wolfboot 64bit
 call temp ram exit...successA.0.7E build 70
 call silicon...successcap a 2268409840
 ddt disabled 0
 device enable: 172049
 device enable: 172049
 AHCI port 0: Disk detected (det: 04 ipm: 00)
 AHCI port 1: Disk detected (det: 03 ipm: 01)
 SATA disk drive detected on AHCI port 1
 Reading MBR...
 Found GPT PTE at sector 1
 Found valid boot signature in MBR
 Valid GPT partition table
 Current LBA: 0x1
 Backup LBA: 0x6FCCF2F
 Max number of partitions: 128
 Software limited: only allowing up to 16 partitions per disk.
 Disk size: 1107095552
 disk0.p0 (0_8000000h@ 0_100000)
 disk0.p1 (0_20000000h@ 0_8100000)
 disk0.p2 (4_0h@ 0_28100000)
 disk0.p3 (4_0h@ 4_28100000)
 disk0.p4 (1_0h@ 8_28100000)
 disk0.p5 (0_80000000h@ 9_28100000)
 disk0.p6 (0_80000000h@ 9_A8100000)
 Total partitions on disk0: 7
 Checking primary OS image in 0,5...
 Checking secondary OS image in 0,6...
 Versions, A:1 B:1
 Load address 0x58282000
 Attempting boot from partition A
 ```
 At this point, the kernel image in partition "A" is verified and staged and you should be seeing the log messages of your OS booting.
 ## Infineon AURIX TC3xx
--- a/tools/scripts/x86_fsp/tgl/assemble_image.sh
+++ b/tools/scripts/x86_fsp/tgl/assemble_image.sh
@ -3,20 +3,10 @@
 WOLFBOOT_DIR=$(pwd)
 # 16 MB
 BIOS_REGION_SIZE=16777216
 BIOS_REGION_PATH=/tmp/bios.bin
 SIGN_OPTIONS="--ecc384 --sha256"
 SIGN_KEY=$WOLFBOOT_DIR/wolfboot_signing_private_key.der
 SIGN_TOOL=./tools/keytools/sign
 set -e
 make_keys()
 {
    make keytools
    ./tools/keytools/keygen --ecc384 -g wolfboot_signing_private_key.der --ecc256 -g tpm_seal_key.key -keystoreDir src/
 }
 build_and_sign_image()
 {
    # compute the size differences between $FLASH_DUMP and "$WOLFBOOT_DIR"/wolfboot_stage1.bin and store it in SIZE
@ -26,27 +16,24 @@ build_and_sign_image()
    cp "$FLASH_DUMP" "$WOLFBOOT_DIR/temp_image.bin"
    truncate -s $SIZE "$WOLFBOOT_DIR/temp_image.bin"
    cat "$WOLFBOOT_DIR/temp_image.bin" "$BIOS_REGION_PATH" > "$WOLFBOOT_DIR/final_image.bin"
-    PCR0=$(python ./tools/scripts/x86_fsp/compute_pcr.py "$WOLFBOOT_DIR"/final_image.bin | tail -n 1)
+    if grep -q '^WOLFBOOT_TPM_SEAL=1$' .config; then
-    "$WOLFBOOT_DIR"/tools/tpm/policy_sign -ecc256 -key=tpm_seal_key.key  -pcr=0 -pcrdigest=$PCR0
+        PCR0=$(python ./tools/scripts/x86_fsp/compute_pcr.py "$WOLFBOOT_DIR"/final_image.bin | tail -n 1)
-    IMAGE_FILE="$WOLFBOOT_DIR"/final_image.bin "$WOLFBOOT_DIR"/tools/scripts/x86_fsp/tpm_install_policy.sh policy.bin.sig
+        "$WOLFBOOT_DIR"/tools/tpm/policy_sign -ecc256 -key=tpm_seal_key.key -pcr=0 -pcrdigest="$PCR0"
        IMAGE_FILE="$WOLFBOOT_DIR"/final_image.bin "$WOLFBOOT_DIR"/tools/scripts/x86_fsp/tpm_install_policy.sh policy.bin.sig
    fi
 }
 assemble()
 {
-    cp $WOLFBOOT_DIR/wolfboot_stage1.bin $BIOS_REGION_PATH
+    cp "$WOLFBOOT_DIR/wolfboot_stage1.bin" $BIOS_REGION_PATH
    build_and_sign_image
 }
 # Parse command line options
-while getopts "ks:n:m:" opt; do
+while getopts "s:n:m:" opt; do
    case "$opt" in
        k)
            make_keys
 	    exit 0
            ;;
        n)
            FLASH_DUMP="$OPTARG"
 	    IBG=0
            ;;
        *)
            echo "Usage: $0 [-k] [-s FLASH_DUMP]"