use coreboot vboot measured boot

[merge]

the goal here is basically to close #41 . Currently we have https://github.com/osresearch/heads/blob/master/patches/coreboot-4.8.1/0000-measuredboot.patch that allows us to do measurements in initrd. We can still continue to use this on top of a recent release of coreboot and should do so, and update coreboot independently of this task!

Now since https://review.coreboot.org/c/coreboot/+/29547 and https://review.coreboot.org/q/topic:%22LENOVO_VBOOT%22+(status:open%20OR%20status:merged) coreboot allows to measure boot as part of the vboot scheme. Even if we won't use parts of vboot (keys in GBB), but only the measured-boot part, it would make sense to use a well-define upstream maintained solution.

A different FMAP (fmd file) is being used in that case:
vboot basically supports 3 different parition schemes (FMAP) to choose from, that defines what funcitonality will be available. "RW_A and RW_B" (which would enable updates) is out of scope for us due to size limitation. "RW_A only" would theoretically be possible, but would also impose at least some unnecessary size limitations and also, we would not need to have a pre-defined static "RO" seperate of "RW_A". Our root of trust will be just Heads itself with it's code up until the point where we will enable write-protection for the SPI flash. Basically, our flashrom update-scripts need to run before that. The paritioning scheme to use for use will most likely be "RO only" (even if it's no static read-only, but locks the flash at some point).

I only quickly tried to write an appropriate "vboot_ro.fmd" file (not yet merged upstream) for the x230. "RO only" still reduces the available CBFS size for coreboot+payload a little, in order to fit into the vboot mechanism and I ran into problems with building because our kernel+initrd are just a little to big:

FLASH@0xff400000 0xc00000 {
	SI_ALL@0x0 0x500000 {
		SI_DESC@0x0 0x1000
		SI_GBE@0x1000 0x2000
		SI_ME@0x3000 0x4ed000
	}
	SI_BIOS@0x500000 0x700000 {
		WP_RO@0x0 0x700000 {
			FMAP@0x0 0x800
			RO_FRID@0x800 0x40
			RO_PADDING@0x840 0x7c0
			RO_VPD(PRESERVE)@0x1000 0x1000
			GBB@0x2000 0x1e000
			COREBOOT(CBFS)@0x20000 0x6e0000
		}
	}
}

Would this be enough? / Can this work?

So first, it seems like we need to reduce the size (of the x230 build). Mostl probably Linux.

And of course have a working fmd "ro" file (merged) and thus a working build. The tpm tools should still work, but what changes are needed in userspace for us to test this?

Please question everything I write here! I could be totally wrong about things and just want input from you if you know better. I hardly have had any time to look into this. Let's move forward and get rid of your patches.

[merge]

More TODOs besides getting smaller and getting the X230 to work:

• make sure all boards supported by Heads are hooked up to vboot in coreboot (fmd format file...)
• somehow handle the Librem laptops that don't have a TPM, in case that's a problem with vboot.