1 /* Firmware Interface Table support */
2 /* SPDX-License-Identifier: GPL-2.0-only */
12 /* FIXME: This code assumes it is being executed on a little endian machine. */
14 #define FIT_POINTER_LOCATION 0xffffffc0
15 #define FIT_TABLE_LOWEST_ADDRESS ((uint32_t)(-(16 << 20)))
16 #define FIT_ENTRY_CHECKSUM_VALID 0x80
17 #define FIT_HEADER_VERSION 0x0100
18 #define FIT_HEADER_ADDRESS "_FIT_ "
19 #define FIT_MICROCODE_VERSION 0x0100
20 #define FIT_TXT_VERSION 0x0100
22 #define FIT_SIZE_ALIGNMENT 16
26 * Address is the base address of the firmware component
27 * must be aligned on 16 byte boundary
31 * Size is the span of the component in multiple of 16 bytes
32 * Bits [24:31] are reserved and must be set to 0
34 uint32_t size_reserved
;
36 * Component's version number in binary coded decimal (BCD) format.
37 * For the FIT header entry, the value in this field will indicate the
38 * revision number of the FIT data structure. The upper byte of the
39 * revision field indicates the major revision and the lower byte
40 * indicates the minor revision.
44 * FIT types 0x00 to 0x7F
45 * Bit 7 (C_V) indicates whether component has valid checksum.
47 uint8_t type_checksum_valid
;
49 * Component's checksum. The modulo sum of all the bytes in the
50 * component and the value in this field (Chksum) must add up to zero.
51 * This field is only valid if the C_V flag is non-zero.
57 struct fit_entry header
;
58 struct fit_entry entries
[];
61 struct microcode_header
{
65 uint32_t processor_signature
;
67 uint32_t loader_revision
;
68 uint32_t processor_flags
;
74 struct microcode_entry
{
79 static inline void *rom_buffer_pointer(struct buffer
*buffer
, int offset
)
81 return &buffer
->data
[offset
];
84 static inline size_t fit_entry_size_bytes(const struct fit_entry
*entry
)
86 return (entry
->size_reserved
& 0xffffff) << 4;
89 static inline void fit_entry_update_size(struct fit_entry
*entry
,
92 /* Size is multiples of 16 bytes. */
93 entry
->size_reserved
= (size_bytes
>> 4) & 0xffffff;
96 static inline void fit_entry_add_size(struct fit_entry
*entry
,
99 int size
= fit_entry_size_bytes(entry
);
101 fit_entry_update_size(entry
, size
);
104 static inline int fit_entry_type(struct fit_entry
*entry
)
106 return entry
->type_checksum_valid
& ~FIT_ENTRY_CHECKSUM_VALID
;
110 * Get an offset from a host pointer. This function assumes the ROM is located
111 * in the host address space at [4G - romsize -> 4G). It also assume all
112 * pointers have values within this address range.
114 static inline int ptr_to_offset(fit_offset_converter_t helper
,
115 const struct buffer
*region
, uint32_t host_ptr
)
117 return helper(region
, -host_ptr
);
121 * Get a pointer from an offset. This function assumes the ROM is located
122 * in the host address space at [4G - romsize -> 4G). It also assume all
123 * pointers have values within this address range.
125 static inline uint32_t offset_to_ptr(fit_offset_converter_t helper
,
126 const struct buffer
*region
, int offset
)
128 return -helper(region
, offset
);
132 * Return the number of FIT entries.
134 static inline size_t fit_table_entries(const struct fit_table
*fit
)
139 return (fit_entry_size_bytes(&fit
->header
) / FIT_SIZE_ALIGNMENT
) - 1;
143 * Return the number of unused entries.
145 static inline size_t fit_free_space(struct fit_table
*fit
,
146 const size_t max_entries
)
151 return max_entries
- fit_table_entries(fit
);
155 * Sort entries by type and fill gaps (entries with type unused).
156 * To be called after adding or deleting entries.
158 * This one is critical, as mentioned in Chapter 1.2.1 "FIT Ordering Rules"
159 * "Firmware Interface Table BIOS Specification".
161 * We need to use a stable sorting algorithm, as the order of
162 * FIT_TYPE_BIOS_STARTUP matter for measurements.
164 static void sort_fit_table(struct fit_table
*fit
)
166 struct fit_entry tmp
;
170 /* Bubble sort entries */
171 for (j
= 0; j
< fit_table_entries(fit
) - 1; j
++) {
173 for (i
= 0; i
< fit_table_entries(fit
) - j
- 1; i
++) {
174 if (fit
->entries
[i
].type_checksum_valid
<=
175 fit
->entries
[i
+ 1].type_checksum_valid
)
178 memcpy(&tmp
, &fit
->entries
[i
], sizeof(tmp
));
179 memcpy(&fit
->entries
[i
], &fit
->entries
[i
+ 1],
180 sizeof(fit
->entries
[i
]));
181 memcpy(&fit
->entries
[i
+ 1], &tmp
,
182 sizeof(fit
->entries
[i
+ 1]));
190 static int fit_table_verified(struct fit_table
*table
)
195 /* Check that the address field has the proper signature. */
196 if (strncmp((const char *)&table
->header
.address
, FIT_HEADER_ADDRESS
,
197 sizeof(table
->header
.address
)))
200 if (table
->header
.version
!= FIT_HEADER_VERSION
)
203 if (fit_entry_type(&table
->header
) != FIT_TYPE_HEADER
)
206 /* Assume that the FIT table contains at least the header */
207 if (fit_entry_size_bytes(&table
->header
) < sizeof(struct fit_entry
))
214 * Update the FIT checksum.
215 * To be called after modifiying the table.
217 static void update_fit_checksum(struct fit_table
*fit
)
227 fit
->header
.checksum
= 0;
228 size_bytes
= fit_entry_size_bytes(&fit
->header
);
230 buffer
= (void *)fit
;
231 for (i
= 0; i
< size_bytes
; i
++)
233 fit
->header
.checksum
= -result
;
237 * Return a pointer to the next free entry.
238 * Caller must take care if enough space is available.
240 static struct fit_entry
*get_next_free_entry(struct fit_table
*fit
)
242 return &fit
->entries
[fit_table_entries(fit
)];
245 static void fit_location_from_cbfs_header(uint32_t *current_offset
,
246 uint32_t *file_length
, void *ptr
)
249 struct cbfs_file header
;
250 memset(&buf
, 0, sizeof(buf
));
253 buf
.size
= sizeof(header
);
255 bgets(&buf
, header
.magic
, sizeof(header
.magic
));
256 header
.len
= xdr_be
.get32(&buf
);
257 header
.type
= xdr_be
.get32(&buf
);
258 header
.attributes_offset
= xdr_be
.get32(&buf
);
259 header
.offset
= xdr_be
.get32(&buf
);
261 *current_offset
= header
.offset
;
262 *file_length
= header
.len
;
266 parse_microcode_blob(struct cbfs_image
*image
,
267 const char *blob_name
,
269 struct microcode_entry
*mcus
,
270 const size_t max_fit_entries
)
273 uint32_t current_offset
;
274 uint32_t file_length
;
275 struct cbfs_file
*mcode_file
;
277 mcode_file
= cbfs_get_entry(image
, blob_name
);
281 fit_location_from_cbfs_header(¤t_offset
, &file_length
,
283 current_offset
+= cbfs_get_entry_addr(image
, mcode_file
);
286 while (file_length
> sizeof(struct microcode_header
)) {
287 const struct microcode_header
*mcu_header
;
289 mcu_header
= rom_buffer_pointer(&image
->buffer
, current_offset
);
291 ERROR("Couldn't parse microcode header.\n");
295 /* Newer microcode updates include a size field, whereas older
296 * containers set it at 0 and are exactly 2048 bytes long */
297 uint32_t total_size
= mcu_header
->total_size
?: 2048;
299 /* Quickly sanity check a prospective microcode update. */
300 if (total_size
< sizeof(*mcu_header
))
303 /* FIXME: Should the checksum be validated? */
304 mcus
[num_mcus
].offset
= current_offset
;
305 mcus
[num_mcus
].size
= total_size
;
307 /* Proceed to next payload. */
308 current_offset
+= mcus
[num_mcus
].size
;
309 file_length
-= mcus
[num_mcus
].size
;
311 /* Reached limit of FIT entries. */
312 if (num_mcus
== max_fit_entries
)
314 if (file_length
< sizeof(struct microcode_header
))
318 /* Update how many microcode updates we found. */
319 *mcus_found
= num_mcus
;
324 /* There can be zero or more FIT_TYPE_MICROCODE entries */
325 static void update_fit_ucode_entry(struct fit_table
*fit
,
326 struct fit_entry
*entry
,
327 const uint64_t mcu_addr
)
329 entry
->address
= mcu_addr
;
331 * While loading MCU, its size is not referred from FIT and
332 * rather from the MCU header, hence we can assign zero here.
334 entry
->size_reserved
= 0;
335 entry
->type_checksum_valid
= FIT_TYPE_MICROCODE
;
336 entry
->version
= FIT_MICROCODE_VERSION
;
338 fit_entry_add_size(&fit
->header
, sizeof(struct fit_entry
));
342 * There can be zero or one FIT_TYPE_BIOS_ACM entry per table.
343 * In case there's a FIT_TYPE_BIOS_ACM entry, at least one
344 * FIT_TYPE_BIOS_STARTUP entry must exist.
346 * The caller has to provide valid arguments as those aren't verfied.
348 static void update_fit_bios_acm_entry(struct fit_table
*fit
,
349 struct fit_entry
*entry
,
350 const uint64_t acm_addr
)
352 entry
->address
= acm_addr
;
354 * The Address field points to a BIOS ACM. The Address field points to
355 * the first byte of the AC module header. When BIOS ACM is loaded in
356 * Authenticated Code RAM, one MTRR base/limit pair is used to map it.
358 entry
->size_reserved
= 0;
359 entry
->type_checksum_valid
= FIT_TYPE_BIOS_ACM
;
360 entry
->version
= FIT_TXT_VERSION
;
362 fit_entry_add_size(&fit
->header
, sizeof(struct fit_entry
));
366 * In case there's a FIT_TYPE_BIOS_ACM entry, at least one
367 * FIT_TYPE_BIOS_STARTUP entry must exist.
369 * The caller has to provide valid arguments as those aren't verfied.
371 static void update_fit_bios_startup_entry(struct fit_table
*fit
,
372 struct fit_entry
*entry
,
373 const uint64_t sm_addr
,
374 const uint32_t sm_size
)
376 entry
->address
= sm_addr
;
377 assert(sm_size
% 16 == 0);
379 * BIOS Startup code is defined as the code that gets control at the
380 * reset vector and continues the chain of trust in TCG-compliant
381 * fashion. In addition, this code may also configure memory and SMRAM.
383 fit_entry_update_size(entry
, sm_size
);
384 entry
->type_checksum_valid
= FIT_TYPE_BIOS_STARTUP
;
385 entry
->version
= FIT_TXT_VERSION
;
387 fit_entry_add_size(&fit
->header
, sizeof(struct fit_entry
));
391 * There can be zero or one FIT_TYPE_BIOS_POLICY Record in the FIT.
392 * If the platform uses the hash comparison method and employs a
393 * failsafe bootblock, one FIT_TYPE_BIOS_POLICY entry is needed to
394 * contain the failsafe hash.
395 * If the platform uses the Signature verification method, one
396 * FIT_TYPE_BIOS_POLICY entry is needed. In this case, the entry
397 * contains the OEM key, hash of the BIOS and signature over the hash
399 * In all other cases, the FIT_TYPE_BIOS_POLICY record is not required.
401 * The caller has to provide valid arguments as those aren't verfied.
403 static void update_fit_bios_policy_entry(struct fit_table
*fit
,
404 struct fit_entry
*entry
,
405 const uint64_t lcp_policy_addr
,
406 const uint32_t lcp_policy_size
)
408 entry
->address
= lcp_policy_addr
;
409 fit_entry_update_size(entry
, lcp_policy_size
);
410 entry
->type_checksum_valid
= FIT_TYPE_BIOS_POLICY
;
411 entry
->version
= FIT_TXT_VERSION
;
413 fit_entry_add_size(&fit
->header
, sizeof(struct fit_entry
));
417 * There can be zero or one FIT_TYPE_TXT_POLICY entries
419 * The caller has to provide valid arguments as those aren't verfied.
421 static void update_fit_txt_policy_entry(struct fit_table
*fit
,
422 struct fit_entry
*entry
,
423 uint64_t txt_policy_addr
)
425 entry
->address
= txt_policy_addr
;
427 * Points to the flag indicating if TXT is enabled on this platform.
428 * If not present, TXT is not disabled by FIT.
430 entry
->size_reserved
= 0;
431 entry
->type_checksum_valid
= FIT_TYPE_TXT_POLICY
;
432 entry
->version
= 0x1;
434 fit_entry_add_size(&fit
->header
, sizeof(struct fit_entry
));
437 /* Special case for ucode CBFS file, as it might contain more than one ucode */
438 int fit_add_microcode_file(struct fit_table
*fit
,
439 struct cbfs_image
*image
,
440 const char *blob_name
,
441 fit_offset_converter_t offset_helper
,
442 const size_t max_fit_entries
)
444 struct microcode_entry
*mcus
;
449 mcus
= malloc(sizeof(*mcus
) * max_fit_entries
);
451 ERROR("Couldn't allocate memory for microcode entries.\n");
455 if (parse_microcode_blob(image
, blob_name
, &mcus_found
, mcus
,
457 ERROR("Couldn't parse microcode blob.\n");
462 if (mcus_found
> fit_free_space(fit
, max_fit_entries
)) {
463 ERROR("Maximum of FIT entries reached.\n");
468 for (i
= 0; i
< mcus_found
; i
++) {
469 if (fit_add_entry(fit
,
470 offset_to_ptr(offset_helper
, &image
->buffer
,
486 * Return a pointer to the active FIT.
488 struct fit_table
*fit_get_table(struct buffer
*bootblock
,
489 fit_offset_converter_t offset_fn
,
490 uint32_t topswap_size
)
492 struct fit_table
*fit
;
493 uint32_t *fit_pointer
;
495 fit_pointer
= rom_buffer_pointer(bootblock
,
496 ptr_to_offset(offset_fn
, bootblock
,
497 FIT_POINTER_LOCATION
));
499 /* Ensure pointer is below 4GiB and within 16MiB of 4GiB */
500 if (fit_pointer
[1] != 0 || fit_pointer
[0] < FIT_TABLE_LOWEST_ADDRESS
) {
501 ERROR("FIT not found.\n");
505 fit
= rom_buffer_pointer(bootblock
,
506 ptr_to_offset(offset_fn
, bootblock
, *fit_pointer
));
507 if (!fit_table_verified(fit
)) {
508 ERROR("FIT not found.\n");
513 struct fit_table
*fit2
= (struct fit_table
*)((uintptr_t)fit
-
515 if (!fit_table_verified(fit2
)) {
516 ERROR("second FIT is invalid\n");
522 DEBUG("Operating on table (0x%x)\n", *fit_pointer
- topswap_size
);
528 * Dump the current FIT in human readable format to stdout.
530 int fit_dump(struct fit_table
*fit
)
538 printf(" FIT table:\n");
540 if (fit_table_entries(fit
) < 1) {
541 printf(" empty\n\n");
545 printf(" %-6s %-20s %-16s %-8s\n", "Index", "Type", "Addr", "Size");
547 for (i
= 0; i
< fit_table_entries(fit
); i
++) {
550 switch (fit
->entries
[i
].type_checksum_valid
) {
551 case FIT_TYPE_MICROCODE
:
554 case FIT_TYPE_BIOS_ACM
:
557 case FIT_TYPE_BIOS_STARTUP
:
558 name
= "BIOS Startup Module";
560 case FIT_TYPE_TPM_POLICY
:
563 case FIT_TYPE_BIOS_POLICY
:
564 name
= "BIOS Policy";
566 case FIT_TYPE_TXT_POLICY
:
569 case FIT_TYPE_KEY_MANIFEST
:
570 name
= "Key Manifest";
572 case FIT_TYPE_BOOT_POLICY
:
573 name
= "Boot Policy";
575 case FIT_TYPE_CSE_SECURE_BOOT
:
576 name
= "CSE SecureBoot";
578 case FIT_TYPE_TXTSX_POLICY
:
579 name
= "TXTSX policy";
581 case FIT_TYPE_JMP_DEBUG_POLICY
:
582 name
= "JMP debug policy";
584 case FIT_TYPE_UNUSED
:
591 printf(" %6zd %-20s 0x%08"PRIx64
" 0x%08zx\n", i
, name
,
592 fit
->entries
[i
].address
,
593 fit_entry_size_bytes(&fit
->entries
[i
]));
600 * Remove all entries from table.
602 int fit_clear_table(struct fit_table
*fit
)
607 memset(fit
->entries
, 0,
608 sizeof(struct fit_entry
) * fit_table_entries(fit
));
610 /* Reset entry counter in header */
611 fit_entry_update_size(&fit
->header
, sizeof(fit
->header
));
613 update_fit_checksum(fit
);
619 * Returns true if the FIT type is know and can be added to the table.
621 int fit_is_supported_type(const enum fit_type type
)
624 case FIT_TYPE_MICROCODE
:
625 case FIT_TYPE_BIOS_ACM
:
626 case FIT_TYPE_BIOS_STARTUP
:
627 case FIT_TYPE_BIOS_POLICY
:
628 case FIT_TYPE_TXT_POLICY
:
630 case FIT_TYPE_TPM_POLICY
:
631 case FIT_TYPE_KEY_MANIFEST
:
632 case FIT_TYPE_BOOT_POLICY
:
639 * Adds an known entry to the FIT.
640 * len is optional for same types and might be zero.
641 * offset is an absolute address in 32-bit protected mode address space.
643 int fit_add_entry(struct fit_table
*fit
,
644 const uint32_t offset
,
646 const enum fit_type type
,
647 const size_t max_fit_entries
)
649 struct fit_entry
*entry
;
652 ERROR("Internal error.");
656 if (fit_free_space(fit
, max_fit_entries
) < 1) {
657 ERROR("No space left in FIT.");
661 if (!fit_is_supported_type(type
)) {
662 ERROR("Unsupported FIT type %u\n", type
);
666 DEBUG("Adding new entry type %u at offset %zd\n", type
,
667 fit_table_entries(fit
));
669 entry
= get_next_free_entry(fit
);
672 case FIT_TYPE_MICROCODE
:
673 update_fit_ucode_entry(fit
, entry
, offset
);
675 case FIT_TYPE_BIOS_ACM
:
676 update_fit_bios_acm_entry(fit
, entry
, offset
);
678 case FIT_TYPE_BIOS_STARTUP
:
679 update_fit_bios_startup_entry(fit
, entry
, offset
, len
);
681 case FIT_TYPE_BIOS_POLICY
:
682 update_fit_bios_policy_entry(fit
, entry
, offset
, len
);
684 case FIT_TYPE_TXT_POLICY
:
685 update_fit_txt_policy_entry(fit
, entry
, offset
);
693 update_fit_checksum(fit
);
699 * Delete one entry from table.
701 int fit_delete_entry(struct fit_table
*fit
,
705 ERROR("Internal error.");
709 if (idx
>= fit_table_entries(fit
)) {
710 ERROR("Index out of range.");
714 memset(&fit
->entries
[idx
], 0, sizeof(struct fit_entry
));
716 fit
->entries
[idx
].type_checksum_valid
= FIT_TYPE_UNUSED
;
720 /* The unused entry is now the last one */
721 fit_entry_add_size(&fit
->header
, -(int)sizeof(struct fit_entry
));
723 update_fit_checksum(fit
);