<p>Lin Huang has uploaded this change for <strong>review</strong>.</p><p><a href="https://review.coreboot.org/23348">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">TEST_ONLY: Rainier: use MOCK_TPM and disable EC_RW_SYNC in Scarlet<br><br>there are some problem when AP and H1 do SPI transfer, it alway<br>happen "irq timeout", so use MOCK_TPM first. And disable<br>DISABLE_EC_SOFTWARE_SYNC.<br><br>Change-Id: Ia3976bee85dd06e8bb83df0c737f3c5f96e9d5b6<br>Signed-off-by: Lin Huang <hl@rock-chips.com><br>---<br>M src/mainboard/google/gru/Kconfig<br>A src/vboot/Kconfig<br>2 files changed, 321 insertions(+), 3 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://review.coreboot.org:29418/coreboot refs/changes/48/23348/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/mainboard/google/gru/Kconfig b/src/mainboard/google/gru/Kconfig</span><br><span>index bbaec72..6375b29 100644</span><br><span>--- a/src/mainboard/google/gru/Kconfig</span><br><span>+++ b/src/mainboard/google/gru/Kconfig</span><br><span>@@ -59,10 +59,12 @@</span><br><span> select SPI_FLASH_WINBOND</span><br><span> </span><br><span> config VBOOT</span><br><span style="color: hsl(120, 100%, 40%);">+ select VBOOT_MOCK_SECDATA</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> select EC_GOOGLE_CHROMEEC_SWITCHES</span><br><span style="color: hsl(0, 100%, 40%);">- select MAINBOARD_HAS_SPI_TPM_CR50 if GRU_HAS_TPM2</span><br><span style="color: hsl(0, 100%, 40%);">- select SPI_TPM if GRU_HAS_TPM2</span><br><span style="color: hsl(0, 100%, 40%);">- select VBOOT_VBNV_FLASH</span><br><span style="color: hsl(120, 100%, 40%);">+ #select MAINBOARD_HAS_SPI_TPM_CR50 if GRU_HAS_TPM2</span><br><span style="color: hsl(120, 100%, 40%);">+ #select SPI_TPM if GRU_HAS_TPM2</span><br><span style="color: hsl(120, 100%, 40%);">+ #select VBOOT_VBNV_FLASH</span><br><span> </span><br><span> config MAINBOARD_DIR</span><br><span> string</span><br><span>diff --git a/src/vboot/Kconfig b/src/vboot/Kconfig</span><br><span>new file mode 100644</span><br><span>index 0000000..78664ad</span><br><span>--- /dev/null</span><br><span>+++ b/src/vboot/Kconfig</span><br><span>@@ -0,0 +1,316 @@</span><br><span style="color: hsl(120, 100%, 40%);">+## This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## Copyright (C) 2014 The ChromiumOS Authors. All rights reserved.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+## it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+## the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+## but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the</span><br><span style="color: hsl(120, 100%, 40%);">+## GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+menu "Verified Boot (vboot)"</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Verify firmware with vboot."</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ select TPM if !MAINBOARD_HAS_TPM2 && !VBOOT_MOCK_SECDATA</span><br><span style="color: hsl(120, 100%, 40%);">+ select TPM2 if MAINBOARD_HAS_TPM2 && !VBOOT_MOCK_SECDATA</span><br><span style="color: hsl(120, 100%, 40%);">+ select TPM_INIT_FAILURE_IS_FATAL if PC80_SYSTEM && LPC_TPM</span><br><span style="color: hsl(120, 100%, 40%);">+ select SKIP_TPM_STARTUP_ON_NORMAL_BOOT if PC80_SYSTEM && LPC_TPM</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on HAVE_HARD_RESET</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Enabling VBOOT will use vboot to verify the components of the firmware</span><br><span style="color: hsl(120, 100%, 40%);">+ (stages, payload, etc).</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+if VBOOT</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_VBNV_CMOS</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on PC80_SYSTEM</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ VBNV is stored in CMOS</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_VBNV_OFFSET</span><br><span style="color: hsl(120, 100%, 40%);">+ hex</span><br><span style="color: hsl(120, 100%, 40%);">+ default 0x26</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on VBOOT_VBNV_CMOS</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ CMOS offset for VbNv data. This value must match cmos.layout</span><br><span style="color: hsl(120, 100%, 40%);">+ in the mainboard directory, minus 14 bytes for the RTC.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_VBNV_CMOS_BACKUP_TO_FLASH</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on VBOOT_VBNV_CMOS && BOOT_DEVICE_SUPPORTS_WRITES</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Vboot non-volatile storage data will be backed up from CMOS to flash</span><br><span style="color: hsl(120, 100%, 40%);">+ and restored from flash if the CMOS is invalid due to power loss.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_VBNV_EC</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ VBNV is stored in EC</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_VBNV_FLASH</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on BOOT_DEVICE_SUPPORTS_WRITES</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ VBNV is stored in flash storage</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_STARTS_IN_BOOTBLOCK</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Firmware verification happens during the end of or right after the</span><br><span style="color: hsl(120, 100%, 40%);">+ bootblock. This implies that a static VBOOT2_WORK() buffer must be</span><br><span style="color: hsl(120, 100%, 40%);">+ allocated in memlayout.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_STARTS_IN_ROMSTAGE</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on !VBOOT_STARTS_IN_BOOTBLOCK</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Firmware verification happens during the end of romstage (after</span><br><span style="color: hsl(120, 100%, 40%);">+ memory initialization). This implies that vboot working data is</span><br><span style="color: hsl(120, 100%, 40%);">+ allocated in CBMEM.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_MOCK_SECDATA</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Mock secdata for firmware verification"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Enabling VBOOT_MOCK_SECDATA will mock secdata for the firmware</span><br><span style="color: hsl(120, 100%, 40%);">+ verification to avoid access to a secdata storage (typically TPM).</span><br><span style="color: hsl(120, 100%, 40%);">+ All operations for a secdata storage will be successful. This option</span><br><span style="color: hsl(120, 100%, 40%);">+ can be used during development when a TPM is not present or broken.</span><br><span style="color: hsl(120, 100%, 40%);">+ THIS SHOULD NOT BE LEFT ON FOR PRODUCTION DEVICES.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_DISABLE_DEV_ON_RECOVERY</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ When this option is enabled, the Chrome OS device leaves the</span><br><span style="color: hsl(120, 100%, 40%);">+ developer mode as soon as recovery request is detected. This is</span><br><span style="color: hsl(120, 100%, 40%);">+ handy on embedded devices with limited input capabilities.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_SEPARATE_VERSTAGE</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on VBOOT_STARTS_IN_BOOTBLOCK</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ If this option is set, vboot verification runs in a standalone stage</span><br><span style="color: hsl(120, 100%, 40%);">+ that is loaded from the bootblock and exits into romstage. If it is</span><br><span style="color: hsl(120, 100%, 40%);">+ not set, the verification code is linked directly into the bootblock</span><br><span style="color: hsl(120, 100%, 40%);">+ or the romstage and runs as part of that stage (cf. related options</span><br><span style="color: hsl(120, 100%, 40%);">+ VBOOT_STARTS_IN_BOOTBLOCK/_ROMSTAGE and VBOOT_RETURN_FROM_VERSTAGE).</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_RETURN_FROM_VERSTAGE</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on VBOOT_SEPARATE_VERSTAGE</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ If this is set, the verstage returns back to the calling stage instead</span><br><span style="color: hsl(120, 100%, 40%);">+ of exiting to the succeeding stage so that the verstage space can be</span><br><span style="color: hsl(120, 100%, 40%);">+ reused by the succeeding stage. This is useful if a RAM space is too</span><br><span style="color: hsl(120, 100%, 40%);">+ small to fit both the verstage and the succeeding stage.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_SAVE_RECOVERY_REASON_ON_REBOOT</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ This option ensures that the recovery request is not lost because of</span><br><span style="color: hsl(120, 100%, 40%);">+ reboots caused after vboot verification is run. e.g. reboots caused by</span><br><span style="color: hsl(120, 100%, 40%);">+ FSP components on Intel platforms.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_OPROM_MATTERS</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Set this option to indicate to vboot that this platform will skip its</span><br><span style="color: hsl(120, 100%, 40%);">+ display initialization on a normal (non-recovery, non-developer) boot.</span><br><span style="color: hsl(120, 100%, 40%);">+ Vboot calls this "oprom matters" because on x86 devices this</span><br><span style="color: hsl(120, 100%, 40%);">+ traditionally meant that the video option ROM will not be loaded, but</span><br><span style="color: hsl(120, 100%, 40%);">+ it works functionally the same for other platforms that can skip their</span><br><span style="color: hsl(120, 100%, 40%);">+ native display initialization code instead.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_HAS_REC_HASH_SPACE</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Set this option to indicate to vboot that recovery data hash space</span><br><span style="color: hsl(120, 100%, 40%);">+ is present in TPM.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_SOFT_REBOOT_WORKAROUND</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_EC_SOFTWARE_SYNC</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Enable EC software sync"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ EC software sync is a mechanism where the AP helps the EC verify its</span><br><span style="color: hsl(120, 100%, 40%);">+ firmware similar to how vboot verifies the main system firmware. This</span><br><span style="color: hsl(120, 100%, 40%);">+ option selects whether vboot should support EC software sync.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_EC_SLOW_UPDATE</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on VBOOT_EC_SOFTWARE_SYNC</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Whether the EC (or PD) is slow to update and needs to display a</span><br><span style="color: hsl(120, 100%, 40%);">+ screen that informs the user the update is happening.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_PHYSICAL_DEV_SWITCH</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Whether this platform has a physical developer switch. Note that this</span><br><span style="color: hsl(120, 100%, 40%);">+ disables virtual dev switch functionality (through secdata). Operation</span><br><span style="color: hsl(120, 100%, 40%);">+ where both a physical pin and the virtual switch get sampled is not</span><br><span style="color: hsl(120, 100%, 40%);">+ supported by coreboot.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_PHYSICAL_REC_SWITCH</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Whether this platform has a physical recovery switch.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_LID_SWITCH</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Whether this platform has a lid switch. If it does, vboot will not</span><br><span style="color: hsl(120, 100%, 40%);">+ decrement try counters for boot failures if the lid is closed.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_WIPEOUT_SUPPORTED</span><br><span style="color: hsl(120, 100%, 40%);">+ bool</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ When this option is enabled, the firmware provides the ability to</span><br><span style="color: hsl(120, 100%, 40%);">+ signal the application the need for factory reset (a.k.a. wipe</span><br><span style="color: hsl(120, 100%, 40%);">+ out) of the device</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_FWID_MODEL</span><br><span style="color: hsl(120, 100%, 40%);">+ string "Firmware ID model"</span><br><span style="color: hsl(120, 100%, 40%);">+ default "$(CONFIG_MAINBOARD_VENDOR)_$(CONFIG_MAINBOARD_PART_NUMBER)"</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ This is the first part of the FWID written to various regions of a</span><br><span style="color: hsl(120, 100%, 40%);">+ vboot firmware image to identify its version.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_FWID_VERSION</span><br><span style="color: hsl(120, 100%, 40%);">+ string "Firmware ID version"</span><br><span style="color: hsl(120, 100%, 40%);">+ default ".$(KERNELVERSION)"</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ This is the second part of the FWID written to various regions of a</span><br><span style="color: hsl(120, 100%, 40%);">+ vboot firmware image to identify its version.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+menu "GBB configuration"</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_HWID</span><br><span style="color: hsl(120, 100%, 40%);">+ string "Hardware ID"</span><br><span style="color: hsl(120, 100%, 40%);">+ default "NOCONF HWID"</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_BMPFV_FILE</span><br><span style="color: hsl(120, 100%, 40%);">+ string "Path to bmpfv image"</span><br><span style="color: hsl(120, 100%, 40%);">+ default ""</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_DEV_SCREEN_SHORT_DELAY</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Reduce dev screen delay"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_LOAD_OPTION_ROMS</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Load option ROMs"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_ENABLE_ALTERNATE_OS</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Allow booting a non-Chrome OS kernel if dev switch is on"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_FORCE_DEV_SWITCH_ON</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Force dev switch on"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_FORCE_DEV_BOOT_USB</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Allow booting from USB in dev mode even if dev_boot_usb=0"</span><br><span style="color: hsl(120, 100%, 40%);">+ default y</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Disable firmware rollback protection"</span><br><span style="color: hsl(120, 100%, 40%);">+ default y</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_ENTER_TRIGGERS_TONORM</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Return to normal boot with Enter"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_FORCE_DEV_BOOT_LEGACY</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Allow booting to legacy in dev mode even if dev_boot_legacy=0"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_FAFT_KEY_OVERIDE</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Allow booting using alternative keys for FAFT servo testing"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Disable EC software sync"</span><br><span style="color: hsl(120, 100%, 40%);">+ default y</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Default to booting to legacy in dev mode"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Disable PD software sync"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_DISABLE_LID_SHUTDOWN</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Disable shutdown on closed lid"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Allow fastboot even if dev_boot_fastboot_full_cap=0"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config GBB_FLAG_ENABLE_SERIAL</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Tell vboot to enable serial console"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+endmenu # GBB</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+menu "Vboot Keys"</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_ROOT_KEY</span><br><span style="color: hsl(120, 100%, 40%);">+ string "Root key (public)"</span><br><span style="color: hsl(120, 100%, 40%);">+ default "$(VBOOT_SOURCE)/tests/devkeys/root_key.vbpubk"</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_RECOVERY_KEY</span><br><span style="color: hsl(120, 100%, 40%);">+ string "Recovery key (public)"</span><br><span style="color: hsl(120, 100%, 40%);">+ default "$(VBOOT_SOURCE)/tests/devkeys/recovery_key.vbpubk"</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_FIRMWARE_PRIVKEY</span><br><span style="color: hsl(120, 100%, 40%);">+ string "Firmware key (private)"</span><br><span style="color: hsl(120, 100%, 40%);">+ default "$(VBOOT_SOURCE)/tests/devkeys/firmware_data_key.vbprivk"</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_KERNEL_KEY</span><br><span style="color: hsl(120, 100%, 40%);">+ string "Kernel subkey (public)"</span><br><span style="color: hsl(120, 100%, 40%);">+ default "$(VBOOT_SOURCE)/tests/devkeys/kernel_subkey.vbpubk"</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_KEYBLOCK</span><br><span style="color: hsl(120, 100%, 40%);">+ string "Keyblock to use for the RW regions"</span><br><span style="color: hsl(120, 100%, 40%);">+ default "$(VBOOT_SOURCE)/tests/devkeys/firmware.keyblock"</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_KEYBLOCK_VERSION</span><br><span style="color: hsl(120, 100%, 40%);">+ int "Keyblock version number"</span><br><span style="color: hsl(120, 100%, 40%);">+ default 1</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_KEYBLOCK_PREAMBLE_FLAGS</span><br><span style="color: hsl(120, 100%, 40%);">+ hex "Keyblock preamble flags"</span><br><span style="color: hsl(120, 100%, 40%);">+ default 0x0</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+endmenu # Keys</span><br><span style="color: hsl(120, 100%, 40%);">+endif # VBOOT</span><br><span style="color: hsl(120, 100%, 40%);">+endmenu # Verified Boot (vboot)</span><br><span></span><br></pre><p>To view, visit <a href="https://review.coreboot.org/23348">change 23348</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://review.coreboot.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://review.coreboot.org/23348"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: coreboot </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: Ia3976bee85dd06e8bb83df0c737f3c5f96e9d5b6 </div>
<div style="display:none"> Gerrit-Change-Number: 23348 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Lin Huang <hl@rock-chips.com> </div>