search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
crossgcc: Remove "Make"
[coreboot.git] / util / cbfstool / fit.c
blob44573cadee3a2375323266277a8489feb63a1456
1 /* Firmware Interface Table support */
2 /* SPDX-License-Identifier: GPL-2.0-only */
3
4 #include <inttypes.h>
5 #include <stdint.h>
6 #include <stdio.h>
7 #include <stdlib.h>
8 #include <string.h>
9
10 #include "fit.h"
11
12 /* FIXME: This code assumes it is being executed on a little endian machine. */
13
14 #define FIT_POINTER_LOCATION 0xffffffc0
15 #define FIT_TABLE_LOWEST_ADDRESS ((uint32_t)(-(16 << 20)))
16 #define FIT_ENTRY_CHECKSUM_VALID 0x80
17 #define FIT_HEADER_VERSION 0x0100
18 #define FIT_HEADER_ADDRESS "_FIT_ "
19 #define FIT_MICROCODE_VERSION 0x0100
20 #define FIT_TXT_VERSION 0x0100
21
22 #define FIT_SIZE_ALIGNMENT 16
23
24 struct fit_entry {
25 /**
26 * Address is the base address of the firmware component
27 * must be aligned on 16 byte boundary
28 */
29 uint64_t address;
30 /**
31 * Size is the span of the component in multiple of 16 bytes
32 * Bits [24:31] are reserved and must be set to 0
33 */
34 uint32_t size_reserved;
35 /**
36 * Component's version number in binary coded decimal (BCD) format.
37 * For the FIT header entry, the value in this field will indicate the
38 * revision number of the FIT data structure. The upper byte of the
39 * revision field indicates the major revision and the lower byte
40 * indicates the minor revision.
41 */
42 uint16_t version;
43 /**
44 * FIT types 0x00 to 0x7F
45 * Bit 7 (C_V) indicates whether component has valid checksum.
46 */
47 uint8_t type_checksum_valid;
48 /**
49 * Component's checksum. The modulo sum of all the bytes in the
50 * component and the value in this field (Chksum) must add up to zero.
51 * This field is only valid if the C_V flag is non-zero.
52 */
53 uint8_t checksum;
54 } __packed;
55
56 struct fit_table {
57 struct fit_entry header;
58 struct fit_entry entries[];
59 } __packed;
60
61 struct microcode_header {
62 uint32_t version;
63 uint32_t revision;
64 uint32_t date;
65 uint32_t processor_signature;
66 uint32_t checksum;
67 uint32_t loader_revision;
68 uint32_t processor_flags;
69 uint32_t data_size;
70 uint32_t total_size;
71 uint8_t reserved[12];
72 } __packed;
73
74 struct microcode_entry {
75 int offset;
76 int size;
77 };
78
79 static inline void *rom_buffer_pointer(struct buffer *buffer, int offset)
80 {
81 return &buffer->data[offset];
82 }
83
84 static inline size_t fit_entry_size_bytes(const struct fit_entry *entry)
85 {
86 return (entry->size_reserved & 0xffffff) << 4;
87 }
88
89 static inline void fit_entry_update_size(struct fit_entry *entry,
90 const int size_bytes)
91 {
92 /* Size is multiples of 16 bytes. */
93 entry->size_reserved = (size_bytes >> 4) & 0xffffff;
94 }
95
96 static inline void fit_entry_add_size(struct fit_entry *entry,
97 const int size_bytes)
98 {
99 int size = fit_entry_size_bytes(entry);
100 size += size_bytes;
101 fit_entry_update_size(entry, size);
102 }
103
104 static inline int fit_entry_type(struct fit_entry *entry)
105 {
106 return entry->type_checksum_valid & ~FIT_ENTRY_CHECKSUM_VALID;
107 }
108
109 /*
110 * Get an offset from a host pointer. This function assumes the ROM is located
111 * in the host address space at [4G - romsize -> 4G). It also assume all
112 * pointers have values within this address range.
113 */
114 static inline int ptr_to_offset(fit_offset_converter_t helper,
115 const struct buffer *region, uint32_t host_ptr)
116 {
117 return helper(region, -host_ptr);
118 }
119
120 /*
121 * Get a pointer from an offset. This function assumes the ROM is located
122 * in the host address space at [4G - romsize -> 4G). It also assume all
123 * pointers have values within this address range.
124 */
125 static inline uint32_t offset_to_ptr(fit_offset_converter_t helper,
126 const struct buffer *region, int offset)
127 {
128 return -helper(region, offset);
129 }
130
131 /*
132 * Return the number of FIT entries.
133 */
134 static inline size_t fit_table_entries(const struct fit_table *fit)
135 {
136 if (!fit)
137 return 0;
138
139 return (fit_entry_size_bytes(&fit->header) / FIT_SIZE_ALIGNMENT) - 1;
140 }
141
142 /*
143 * Return the number of unused entries.
144 */
145 static inline size_t fit_free_space(struct fit_table *fit,
146 const size_t max_entries)
147 {
148 if (!fit)
149 return 0;
150
151 return max_entries - fit_table_entries(fit);
152 }
153
154 /*
155 * Sort entries by type and fill gaps (entries with type unused).
156 * To be called after adding or deleting entries.
157 *
158 * This one is critical, as mentioned in Chapter 1.2.1 "FIT Ordering Rules"
159 * "Firmware Interface Table BIOS Specification".
160 *
161 * We need to use a stable sorting algorithm, as the order of
162 * FIT_TYPE_BIOS_STARTUP matter for measurements.
163 */
164 static void sort_fit_table(struct fit_table *fit)
165 {
166 struct fit_entry tmp;
167 size_t i, j;
168 int swapped;
169
170 /* Bubble sort entries */
171 for (j = 0; j < fit_table_entries(fit) - 1; j++) {
172 swapped = 0;
173 for (i = 0; i < fit_table_entries(fit) - j - 1; i++) {
174 if (fit->entries[i].type_checksum_valid <=
175 fit->entries[i + 1].type_checksum_valid)
176 continue;
177 /* SWAP entries */
178 memcpy(&tmp, &fit->entries[i], sizeof(tmp));
179 memcpy(&fit->entries[i], &fit->entries[i + 1],
180 sizeof(fit->entries[i]));
181 memcpy(&fit->entries[i + 1], &tmp,
182 sizeof(fit->entries[i + 1]));
183 swapped = 1;
184 }
185 if (!swapped)
186 break;
187 }
188 }
189
190 static int fit_table_verified(struct fit_table *table)
191 {
192 if (!table)
193 return 0;
194
195 /* Check that the address field has the proper signature. */
196 if (strncmp((const char *)&table->header.address, FIT_HEADER_ADDRESS,
197 sizeof(table->header.address)))
198 return 0;
199
200 if (table->header.version != FIT_HEADER_VERSION)
201 return 0;
202
203 if (fit_entry_type(&table->header) != FIT_TYPE_HEADER)
204 return 0;
205
206 /* Assume that the FIT table contains at least the header */
207 if (fit_entry_size_bytes(&table->header) < sizeof(struct fit_entry))
208 return 0;
209
210 return 1;
211 }
212
213 /*
214 * Update the FIT checksum.
215 * To be called after modifiying the table.
216 */
217 static void update_fit_checksum(struct fit_table *fit)
218 {
219 int size_bytes;
220 uint8_t *buffer;
221 uint8_t result;
222 int i;
223
224 if (!fit)
225 return;
226
227 fit->header.checksum = 0;
228 size_bytes = fit_entry_size_bytes(&fit->header);
229 result = 0;
230 buffer = (void *)fit;
231 for (i = 0; i < size_bytes; i++)
232 result += buffer[i];
233 fit->header.checksum = -result;
234 }
235
236 /*
237 * Return a pointer to the next free entry.
238 * Caller must take care if enough space is available.
239 */
240 static struct fit_entry *get_next_free_entry(struct fit_table *fit)
241 {
242 return &fit->entries[fit_table_entries(fit)];
243 }
244
245 static void fit_location_from_cbfs_header(uint32_t *current_offset,
246 uint32_t *file_length, void *ptr)
247 {
248 struct buffer buf;
249 struct cbfs_file header;
250 memset(&buf, 0, sizeof(buf));
251
252 buf.data = ptr;
253 buf.size = sizeof(header);
254
255 bgets(&buf, header.magic, sizeof(header.magic));
256 header.len = xdr_be.get32(&buf);
257 header.type = xdr_be.get32(&buf);
258 header.attributes_offset = xdr_be.get32(&buf);
259 header.offset = xdr_be.get32(&buf);
260
261 *current_offset = header.offset;
262 *file_length = header.len;
263 }
264
265 static int
266 parse_microcode_blob(struct cbfs_image *image,
267 const char *blob_name,
268 size_t *mcus_found,
269 struct microcode_entry *mcus,
270 const size_t max_fit_entries)
271 {
272 size_t num_mcus;
273 uint32_t current_offset;
274 uint32_t file_length;
275 struct cbfs_file *mcode_file;
276
277 mcode_file = cbfs_get_entry(image, blob_name);
278 if (!mcode_file)
279 return 1;
280
281 fit_location_from_cbfs_header(&current_offset, &file_length,
282 mcode_file);
283 current_offset += cbfs_get_entry_addr(image, mcode_file);
284
285 num_mcus = 0;
286 while (file_length > sizeof(struct microcode_header)) {
287 const struct microcode_header *mcu_header;
288
289 mcu_header = rom_buffer_pointer(&image->buffer, current_offset);
290 if (!mcu_header) {
291 ERROR("Couldn't parse microcode header.\n");
292 return 1;
293 }
294
295 /* Newer microcode updates include a size field, whereas older
296 * containers set it at 0 and are exactly 2048 bytes long */
297 uint32_t total_size = mcu_header->total_size ?: 2048;
298
299 /* Quickly sanity check a prospective microcode update. */
300 if (total_size < sizeof(*mcu_header))
301 break;
302
303 /* FIXME: Should the checksum be validated? */
304 mcus[num_mcus].offset = current_offset;
305 mcus[num_mcus].size = total_size;
306
307 /* Proceed to next payload. */
308 current_offset += mcus[num_mcus].size;
309 file_length -= mcus[num_mcus].size;
310 num_mcus++;
311 /* Reached limit of FIT entries. */
312 if (num_mcus == max_fit_entries)
313 break;
314 if (file_length < sizeof(struct microcode_header))
315 break;
316 }
317
318 /* Update how many microcode updates we found. */
319 *mcus_found = num_mcus;
320
321 return 0;
322 }
323
324 /* There can be zero or more FIT_TYPE_MICROCODE entries */
325 static void update_fit_ucode_entry(struct fit_table *fit,
326 struct fit_entry *entry,
327 const uint64_t mcu_addr)
328 {
329 entry->address = mcu_addr;
330 /*
331 * While loading MCU, its size is not referred from FIT and
332 * rather from the MCU header, hence we can assign zero here.
333 */
334 entry->size_reserved = 0;
335 entry->type_checksum_valid = FIT_TYPE_MICROCODE;
336 entry->version = FIT_MICROCODE_VERSION;
337 entry->checksum = 0;
338 fit_entry_add_size(&fit->header, sizeof(struct fit_entry));
339 }
340
341 /*
342 * There can be zero or one FIT_TYPE_BIOS_ACM entry per table.
343 * In case there's a FIT_TYPE_BIOS_ACM entry, at least one
344 * FIT_TYPE_BIOS_STARTUP entry must exist.
345 *
346 * The caller has to provide valid arguments as those aren't verfied.
347 */
348 static void update_fit_bios_acm_entry(struct fit_table *fit,
349 struct fit_entry *entry,
350 const uint64_t acm_addr)
351 {
352 entry->address = acm_addr;
353 /*
354 * The Address field points to a BIOS ACM. The Address field points to
355 * the first byte of the AC module header. When BIOS ACM is loaded in
356 * Authenticated Code RAM, one MTRR base/limit pair is used to map it.
357 */
358 entry->size_reserved = 0;
359 entry->type_checksum_valid = FIT_TYPE_BIOS_ACM;
360 entry->version = FIT_TXT_VERSION;
361 entry->checksum = 0;
362 fit_entry_add_size(&fit->header, sizeof(struct fit_entry));
363 }
364
365 /*
366 * In case there's a FIT_TYPE_BIOS_ACM entry, at least one
367 * FIT_TYPE_BIOS_STARTUP entry must exist.
368 *
369 * The caller has to provide valid arguments as those aren't verfied.
370 */
371 static void update_fit_bios_startup_entry(struct fit_table *fit,
372 struct fit_entry *entry,
373 const uint64_t sm_addr,
374 const uint32_t sm_size)
375 {
376 entry->address = sm_addr;
377 assert(sm_size % 16 == 0);
378 /*
379 * BIOS Startup code is defined as the code that gets control at the
380 * reset vector and continues the chain of trust in TCG-compliant
381 * fashion. In addition, this code may also configure memory and SMRAM.
382 */
383 fit_entry_update_size(entry, sm_size);
384 entry->type_checksum_valid = FIT_TYPE_BIOS_STARTUP;
385 entry->version = FIT_TXT_VERSION;
386 entry->checksum = 0;
387 fit_entry_add_size(&fit->header, sizeof(struct fit_entry));
388 }
389
390 /*
391 * There can be zero or one FIT_TYPE_BIOS_POLICY Record in the FIT.
392 * If the platform uses the hash comparison method and employs a
393 * failsafe bootblock, one FIT_TYPE_BIOS_POLICY entry is needed to
394 * contain the failsafe hash.
395 * If the platform uses the Signature verification method, one
396 * FIT_TYPE_BIOS_POLICY entry is needed. In this case, the entry
397 * contains the OEM key, hash of the BIOS and signature over the hash
398 * using the OEM key.
399 * In all other cases, the FIT_TYPE_BIOS_POLICY record is not required.
400 *
401 * The caller has to provide valid arguments as those aren't verfied.
402 */
403 static void update_fit_bios_policy_entry(struct fit_table *fit,
404 struct fit_entry *entry,
405 const uint64_t lcp_policy_addr,
406 const uint32_t lcp_policy_size)
407 {
408 entry->address = lcp_policy_addr;
409 fit_entry_update_size(entry, lcp_policy_size);
410 entry->type_checksum_valid = FIT_TYPE_BIOS_POLICY;
411 entry->version = FIT_TXT_VERSION;
412 entry->checksum = 0;
413 fit_entry_add_size(&fit->header, sizeof(struct fit_entry));
414 }
415
416 /*
417 * There can be zero or one FIT_TYPE_TXT_POLICY entries
418 *
419 * The caller has to provide valid arguments as those aren't verfied.
420 */
421 static void update_fit_txt_policy_entry(struct fit_table *fit,
422 struct fit_entry *entry,
423 uint64_t txt_policy_addr)
424 {
425 entry->address = txt_policy_addr;
426 /*
427 * Points to the flag indicating if TXT is enabled on this platform.
428 * If not present, TXT is not disabled by FIT.
429 */
430 entry->size_reserved = 0;
431 entry->type_checksum_valid = FIT_TYPE_TXT_POLICY;
432 entry->version = 0x1;
433 entry->checksum = 0;
434 fit_entry_add_size(&fit->header, sizeof(struct fit_entry));
435 }
436
437 /* Special case for ucode CBFS file, as it might contain more than one ucode */
438 int fit_add_microcode_file(struct fit_table *fit,
439 struct cbfs_image *image,
440 const char *blob_name,
441 fit_offset_converter_t offset_helper,
442 const size_t max_fit_entries)
443 {
444 struct microcode_entry *mcus;
445
446 size_t i;
447 size_t mcus_found;
448
449 mcus = malloc(sizeof(*mcus) * max_fit_entries);
450 if (!mcus) {
451 ERROR("Couldn't allocate memory for microcode entries.\n");
452 return 1;
453 }
454
455 if (parse_microcode_blob(image, blob_name, &mcus_found, mcus,
456 max_fit_entries)) {
457 ERROR("Couldn't parse microcode blob.\n");
458 free(mcus);
459 return 1;
460 }
461
462 if (mcus_found > fit_free_space(fit, max_fit_entries)) {
463 ERROR("Maximum of FIT entries reached.\n");
464 free(mcus);
465 return 1;
466 }
467
468 for (i = 0; i < mcus_found; i++) {
469 if (fit_add_entry(fit,
470 offset_to_ptr(offset_helper, &image->buffer,
471 mcus[i].offset),
472 0,
473 FIT_TYPE_MICROCODE,
474 max_fit_entries)) {
475
476 free(mcus);
477 return 1;
478 }
479 }
480
481 free(mcus);
482 return 0;
483 }
484
485 /*
486 * Return a pointer to the active FIT.
487 */
488 struct fit_table *fit_get_table(struct buffer *bootblock,
489 fit_offset_converter_t offset_fn,
490 uint32_t topswap_size)
491 {
492 struct fit_table *fit;
493 uint32_t *fit_pointer;
494
495 fit_pointer = rom_buffer_pointer(bootblock,
496 ptr_to_offset(offset_fn, bootblock,
497 FIT_POINTER_LOCATION));
498
499 /* Ensure pointer is below 4GiB and within 16MiB of 4GiB */
500 if (fit_pointer[1] != 0 || fit_pointer[0] < FIT_TABLE_LOWEST_ADDRESS) {
501 ERROR("FIT not found.\n");
502 return NULL;
503 }
504
505 fit = rom_buffer_pointer(bootblock,
506 ptr_to_offset(offset_fn, bootblock, *fit_pointer));
507 if (!fit_table_verified(fit)) {
508 ERROR("FIT not found.\n");
509 return NULL;
510 }
511
512 if (topswap_size) {
513 struct fit_table *fit2 = (struct fit_table *)((uintptr_t)fit -
514 topswap_size);
515 if (!fit_table_verified(fit2)) {
516 ERROR("second FIT is invalid\n");
517 return NULL;
518 }
519 fit = fit2;
520 }
521
522 DEBUG("Operating on table (0x%x)\n", *fit_pointer - topswap_size);
523
524 return fit;
525 }
526
527 /*
528 * Dump the current FIT in human readable format to stdout.
529 */
530 int fit_dump(struct fit_table *fit)
531 {
532 size_t i;
533
534 if (!fit)
535 return 1;
536
537 printf("\n");
538 printf(" FIT table:\n");
539
540 if (fit_table_entries(fit) < 1) {
541 printf(" empty\n\n");
542 return 0;
543 }
544
545 printf(" %-6s %-20s %-16s %-8s\n", "Index", "Type", "Addr", "Size");
546
547 for (i = 0; i < fit_table_entries(fit); i++) {
548 const char *name;
549
550 switch (fit->entries[i].type_checksum_valid) {
551 case FIT_TYPE_MICROCODE:
552 name = "Microcode";
553 break;
554 case FIT_TYPE_BIOS_ACM:
555 name = "BIOS ACM";
556 break;
557 case FIT_TYPE_BIOS_STARTUP:
558 name = "BIOS Startup Module";
559 break;
560 case FIT_TYPE_TPM_POLICY:
561 name = "TPM Policy";
562 break;
563 case FIT_TYPE_BIOS_POLICY:
564 name = "BIOS Policy";
565 break;
566 case FIT_TYPE_TXT_POLICY:
567 name = "TXT Policy";
568 break;
569 case FIT_TYPE_KEY_MANIFEST:
570 name = "Key Manifest";
571 break;
572 case FIT_TYPE_BOOT_POLICY:
573 name = "Boot Policy";
574 break;
575 case FIT_TYPE_CSE_SECURE_BOOT:
576 name = "CSE SecureBoot";
577 break;
578 case FIT_TYPE_TXTSX_POLICY:
579 name = "TXTSX policy";
580 break;
581 case FIT_TYPE_JMP_DEBUG_POLICY:
582 name = "JMP debug policy";
583 break;
584 case FIT_TYPE_UNUSED:
585 name = "unused";
586 break;
587 default:
588 name = "unknown";
589 }
590
591 printf(" %6zd %-20s 0x%08"PRIx64" 0x%08zx\n", i, name,
592 fit->entries[i].address,
593 fit_entry_size_bytes(&fit->entries[i]));
594 }
595 printf("\n");
596 return 0;
597 }
598
599 /*
600 * Remove all entries from table.
601 */
602 int fit_clear_table(struct fit_table *fit)
603 {
604 if (!fit)
605 return 1;
606
607 memset(fit->entries, 0,
608 sizeof(struct fit_entry) * fit_table_entries(fit));
609
610 /* Reset entry counter in header */
611 fit_entry_update_size(&fit->header, sizeof(fit->header));
612
613 update_fit_checksum(fit);
614
615 return 0;
616 }
617
618 /*
619 * Returns true if the FIT type is know and can be added to the table.
620 */
621 int fit_is_supported_type(const enum fit_type type)
622 {
623 switch (type) {
624 case FIT_TYPE_MICROCODE:
625 case FIT_TYPE_BIOS_ACM:
626 case FIT_TYPE_BIOS_STARTUP:
627 case FIT_TYPE_BIOS_POLICY:
628 case FIT_TYPE_TXT_POLICY:
629 return 1;
630 case FIT_TYPE_TPM_POLICY:
631 case FIT_TYPE_KEY_MANIFEST:
632 case FIT_TYPE_BOOT_POLICY:
633 default:
634 return 0;
635 }
636 }
637
638 /*
639 * Adds an known entry to the FIT.
640 * len is optional for same types and might be zero.
641 * offset is an absolute address in 32-bit protected mode address space.
642 */
643 int fit_add_entry(struct fit_table *fit,
644 const uint32_t offset,
645 const uint32_t len,
646 const enum fit_type type,
647 const size_t max_fit_entries)
648 {
649 struct fit_entry *entry;
650
651 if (!fit) {
652 ERROR("Internal error.");
653 return 1;
654 }
655
656 if (fit_free_space(fit, max_fit_entries) < 1) {
657 ERROR("No space left in FIT.");
658 return 1;
659 }
660
661 if (!fit_is_supported_type(type)) {
662 ERROR("Unsupported FIT type %u\n", type);
663 return 1;
664 }
665
666 DEBUG("Adding new entry type %u at offset %zd\n", type,
667 fit_table_entries(fit));
668
669 entry = get_next_free_entry(fit);
670
671 switch (type) {
672 case FIT_TYPE_MICROCODE:
673 update_fit_ucode_entry(fit, entry, offset);
674 break;
675 case FIT_TYPE_BIOS_ACM:
676 update_fit_bios_acm_entry(fit, entry, offset);
677 break;
678 case FIT_TYPE_BIOS_STARTUP:
679 update_fit_bios_startup_entry(fit, entry, offset, len);
680 break;
681 case FIT_TYPE_BIOS_POLICY:
682 update_fit_bios_policy_entry(fit, entry, offset, len);
683 break;
684 case FIT_TYPE_TXT_POLICY:
685 update_fit_txt_policy_entry(fit, entry, offset);
686 break;
687 default:
688 return 1;
689 }
690
691 sort_fit_table(fit);
692
693 update_fit_checksum(fit);
694
695 return 0;
696 }
697
698 /*
699 * Delete one entry from table.
700 */
701 int fit_delete_entry(struct fit_table *fit,
702 const size_t idx)
703 {
704 if (!fit) {
705 ERROR("Internal error.");
706 return 1;
707 }
708
709 if (idx >= fit_table_entries(fit)) {
710 ERROR("Index out of range.");
711 return 1;
712 }
713
714 memset(&fit->entries[idx], 0, sizeof(struct fit_entry));
715
716 fit->entries[idx].type_checksum_valid = FIT_TYPE_UNUSED;
717
718 sort_fit_table(fit);
719
720 /* The unused entry is now the last one */
721 fit_entry_add_size(&fit->header, -(int)sizeof(struct fit_entry));
722
723 update_fit_checksum(fit);
724
725 return 0;
726 }
ast, secure and flexible OpenSource firmware