kontron-vx3060-s2: simplify example, add build test, improve docs

Author: rizlik

.github/workflows/test-build-kontron-vx3060-s2.yml

@@ -0,0 +1,25 @@
+name: kontron_vx3060_s2 build test
+
+on:
+  pull_request:
+    branches: [ '*' ]
+jobs:
+  fsp_qemu_test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          submodules: true
+      - name: install req
+        run: |
+          sudo apt-get update
+          sudo apt-get install --no-install-recommends -y -q nasm gcc-multilib
+      - name: setup git
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "Your Name"
+      - name: run test
+        run: |
+          cp config/examples/kontron_vx3060_s2.config .config
+          ./tools/scripts/x86_fsp/tgl/tgl_download_fsp.sh
+          make

config/examples/kontron_vx3060_s2.config

@@ -1,7 +1,7 @@
 ARCH=x86_64
 TARGET=kontron_vx3060_s2
 WOLFBOOT_SMALL_STACK=0
-SIGN=ECC384
+SIGN=ECC256
 HASH=SHA256
 DEBUG=0
 SPMATH=1
@@ -21,47 +21,32 @@ WOLFBOOT_LOAD_BASE=0x58000200
 WOLFBOOT_SECTOR_SIZE?=0x1000
 WOLFBOOT_DATA_ADDRESS=0x1000000
 
-
-FSP_S_BASE=0xffea0000
 FSP_T_BASE=0xfff59000
 FSP_M_BASE=0xfff60000
 
 WOLFBOOT_ORIGIN=0xfff00000
-# 4 MB
+# 6 MB
 BOOTLOADER_PARTITION_SIZE=0x600000
-# 12 MB
-BIOS_REGION_SIZE=0xc00000
 
 UCODE0_BASE=0xffd90000
 UCODE0_BIN=src/x86/ucode0.bin
 
 FSP_T_BIN=./src/x86/fsp_t.bin
 FSP_M_BIN=./src/x86/fsp_m.bin
 FSP_S_BIN=./src/x86/fsp_s.bin
-FSP_S_UPD_DATA_BIN=./src/x86/fsp_s_upd_data.bin
 
 X86_UART_BASE=0xFE032000
 X86_UART_REG_WIDTH=4
 X86_UART_MMIO=1
-
 PCH_PCR_BASE=0xFD000000
 PCI_ECAM_BASE=0xC0000000
-
 PCI_USE_ECAM=1
 PCH_HAS_PCR=1
-
 64BIT=1
 ELF=1
 DEBUG_ELF=0
 MULTIBOOT2=1
-
 FSP_S_LOAD_BASE=0x0FED5F00
 STAGE1_AUTH=1
-MEASURED_BOOT=1
-MEASURED_PCR_A=0
 DISK_LOCK=0
-WOLFTPM=1
-WOLFBOOT_TPM_SEAL=1
-WOLFBOOT_TPM_SEAL_KEY_ID=1
-WOLFBOOT_UNIVERSAL_KEYSTORE=1
 DEBUG_SYMBOLS=1

docs/Targets.md

@@ -9,6 +9,7 @@ This README describes configuration of supported targets.
 * [Cypress PSoC-6](#cypress-psoc-6)
 * [Infineon AURIX TC3xx](#infineon-aurix-tc3xx)
 * [Intel x86-64 Intel FSP](#intel-x86_64-with-intel-fsp-support)
+* [Kontron VX3060-S2](#kontron-vx3060-s2)
 * [Microchip SAMA5D3](#microchip-sama5d3)
 * [Microchip SAME51](#microchip-same51)
 * [Nordic nRF52840](#nordic-nrf52840)
@@ -3199,24 +3200,96 @@ IMAGE=test-app/image.elf SIGN=--ecc384 tools/scripts/x86_fsp/qemu/make_hd.sh
 For more advanced uses of TPM, please check [TPM.md](TPM.md) to configure wolfBoot
 according to your secure boot strategy.
 
-### Running on Kontron VX3060-S2
+## Kontron VX3060-S2
 
-A reference configuration and helper scripts are provided to run wolfBoot on
-Kontron VX3060-S2 board.
-A flash dump of the original Flash BIOS is needed.
-To compile a flashable image run the following steps:
+wolfBoot supports Kontron VX3060-S2 board using Intel Firmware Support Package
+(FSP). You can find more details about the wolfBoot support with Intel FSP in
+the above [section](#intel-x86_64-with-intel-fsp-support). A minimal
+configuration example is provided in
+[config/examples/kontron_vx3060_s2.config](config/examples/kontron_vx3060_s2.config).
+In order to produce a flashable flash image, a dump of the original flash is
+required. To build wolfBoot, follow the following steps:
 
 ```
 cp config/examples/kontron_vx3060_s2.config .config
 ./tools/scripts/x86_fsp/tgl/tgl_download_fsp.sh
-make tpmtools
-./tools/scripts/x86_fsp/tgl/assemble_image.sh -k
-make CFLAGS_EXTRA="-DHAVE_ECC256"
+make
 ./tools/scripts/x86_fsp/tgl/assemble_image.sh -n /path/to/original/flash/dump
 ```
 
-they produce a file named `final_image.bin` inside the root folder of the
-repository that can be directly flashed into the BIOS flash of the board.
+After running the above commands, you should find a file named `final_image.bin` in the root folder of the repository. The image can be flashed directly into the board.
+By default wolfBoot tries to read a wolfBoot image from the SATA drive.
+The drive should be partitioned with a GPT table, wolfBoot tries to load an image saved in the 5th or the 6th partition. 
+You can find more details in `src/update_disk.c`. wolfBoot doesn't try to read from a filesystem and the images need to be written directly into the partition.
+This is an example boot log:
+```
+Press any key within 2 seconds to toogle BIOS flash chip
+Cache-as-RAM initialized
+FSP-T:A.0.7E build 70
+FSP-M:A.0.7E build 70
+microcode revision: AA, date: 12-28-2022
+machine_update_m_params
+calling FspMemInit...
+warm reset required
+Press any key within 2 seconds to toogle BIOS flash chip
+Cache-as-RAM initialized
+FSP-T:A.0.7E build 70
+FSP-M:A.0.7E build 70
+microcode revision: AA, date: 12-28-2022
+machine_update_m_params
+calling FspMemInit...
+success
+top reserved 0_78C50000h
+mem: [ 0x78C40000, 0x78C50000 ] - stack (0x10000)
+mem: [ 0x78C3FFF4, 0x78C40000 ] - stage2 parameter (0xC)
+hoblist@0x78C90000
+mem: [ 0x78C38000, 0x78C3FFF4 ] - page tables (0x7FF4)
+page table @ 0x78C38000 [length: 7000]
+mem: [ 0x78C37FF8, 0x78C38000 ] - stage2 ptr holder (0x8)
+TOLUM: 0x78C37FF8
+mem: [ 0x100000, 0x100014 ] - stage1 .data (0x14)
+mem: [ 0x100020, 0x100040 ] - stage1 .bss (0x20)
+CPUID(0):1B 756E6547 6C65746E
+mem: [ 0x58000100, 0x5806196C ] - wolfboot (0x6186C)
+mem: [ 0x5806196C, 0x58282000 ] - wolfboot .bss (0x220694)
+load wolfboot end
+Authenticating wolfboot at 58000200...
+Boot partition: 0x58000100 (sz 399212, ver 0x1, type 0x201)
+verify_payload: image open successfully.
+verify_payload: integrity OK. Checking signature.
+wolfBoot: verified OK.
+starting wolfboot 64bit
+call temp ram exit...successA.0.7E build 70
+call silicon...successcap a 2268409840
+ddt disabled 0
+device enable: 172049
+device enable: 172049
+AHCI port 0: Disk detected (det: 04 ipm: 00)
+AHCI port 1: Disk detected (det: 03 ipm: 01)
+SATA disk drive detected on AHCI port 1
+Reading MBR...
+Found GPT PTE at sector 1
+Found valid boot signature in MBR
+Valid GPT partition table
+Current LBA: 0x1
+Backup LBA: 0x6FCCF2F
+Max number of partitions: 128
+Software limited: only allowing up to 16 partitions per disk.
+Disk size: 1107095552
+disk0.p0 (0_8000000h@ 0_100000)
+disk0.p1 (0_20000000h@ 0_8100000)
+disk0.p2 (4_0h@ 0_28100000)
+disk0.p3 (4_0h@ 4_28100000)
+disk0.p4 (1_0h@ 8_28100000)
+disk0.p5 (0_80000000h@ 9_28100000)
+disk0.p6 (0_80000000h@ 9_A8100000)
+Total partitions on disk0: 7
+Checking primary OS image in 0,5...
+Checking secondary OS image in 0,6...
+Versions, A:1 B:1
+Load address 0x58282000
+Attempting boot from partition A
+```
 
 ## Infineon AURIX TC3xx
 

tools/scripts/x86_fsp/tgl/assemble_image.sh

@@ -3,20 +3,10 @@
 WOLFBOOT_DIR=$(pwd)
 
 # 16 MB
-BIOS_REGION_SIZE=16777216
 BIOS_REGION_PATH=/tmp/bios.bin
-SIGN_OPTIONS="--ecc384 --sha256"
-SIGN_KEY=$WOLFBOOT_DIR/wolfboot_signing_private_key.der
-SIGN_TOOL=./tools/keytools/sign
 
 set -e
 
-make_keys()
-{
-    make keytools
-    ./tools/keytools/keygen --ecc384 -g wolfboot_signing_private_key.der --ecc256 -g tpm_seal_key.key -keystoreDir src/
-}
-
 build_and_sign_image()
 {
     # compute the size differences between $FLASH_DUMP and "$WOLFBOOT_DIR"/wolfboot_stage1.bin and store it in SIZE
@@ -26,27 +16,24 @@ build_and_sign_image()
     cp "$FLASH_DUMP" "$WOLFBOOT_DIR/temp_image.bin"
     truncate -s $SIZE "$WOLFBOOT_DIR/temp_image.bin"
     cat "$WOLFBOOT_DIR/temp_image.bin" "$BIOS_REGION_PATH" > "$WOLFBOOT_DIR/final_image.bin"
-    PCR0=$(python ./tools/scripts/x86_fsp/compute_pcr.py "$WOLFBOOT_DIR"/final_image.bin | tail -n 1)
-    "$WOLFBOOT_DIR"/tools/tpm/policy_sign -ecc256 -key=tpm_seal_key.key  -pcr=0 -pcrdigest=$PCR0
-    IMAGE_FILE="$WOLFBOOT_DIR"/final_image.bin "$WOLFBOOT_DIR"/tools/scripts/x86_fsp/tpm_install_policy.sh policy.bin.sig
+    if grep -q '^WOLFBOOT_TPM_SEAL=1$' .config; then
+        PCR0=$(python ./tools/scripts/x86_fsp/compute_pcr.py "$WOLFBOOT_DIR"/final_image.bin | tail -n 1)
+        "$WOLFBOOT_DIR"/tools/tpm/policy_sign -ecc256 -key=tpm_seal_key.key -pcr=0 -pcrdigest="$PCR0"
+        IMAGE_FILE="$WOLFBOOT_DIR"/final_image.bin "$WOLFBOOT_DIR"/tools/scripts/x86_fsp/tpm_install_policy.sh policy.bin.sig
+    fi
 }
 
 assemble()
 {
-    cp $WOLFBOOT_DIR/wolfboot_stage1.bin $BIOS_REGION_PATH
+    cp "$WOLFBOOT_DIR/wolfboot_stage1.bin" $BIOS_REGION_PATH
     build_and_sign_image
 }
 
 # Parse command line options
-while getopts "ks:n:m:" opt; do
+while getopts "s:n:m:" opt; do
     case "$opt" in
-        k)
-            make_keys
-	    exit 0
-            ;;
         n)
             FLASH_DUMP="$OPTARG"
-	    IBG=0
             ;;
         *)
             echo "Usage: $0 [-k] [-s FLASH_DUMP]"