[coreboot-gerrit] Change in coreboot[master]: security/vboot: Add a dedicated flag for building of vboot library

20 Dec 2019

Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/37787 )
Change subject: security/vboot: Add a dedicated flag for building of vboot library
......................................................................
security/vboot: Add a dedicated flag for building of vboot library
As discussed in CB:35077, since both measured boot and verified boot
depends on vboot library, it had better to introduce a dedicated flag
CONFIG_VBOOT_LIB to control the building and linking of the vboot
library, and make other flags needing vboot library select it. Only
the actual verification stuff should be conditional on CONFIG_VBOOT.
Change-Id: Ia1907a11c851ee45a70582e02bdbe08fb18cc6a4
Signed-off-by: Bill XIE persmule@hardenedlinux.org
Reviewed-on: https://review.coreboot.org/c/coreboot/+/37787
Tested-by: build bot (Jenkins) no-reply@coreboot.org
Reviewed-by: Joel Kitching kitching@google.com
---
M src/security/vboot/Kconfig
M src/security/vboot/Makefile.inc
2 files changed, 46 insertions(+), 33 deletions(-)
Approvals:
  build bot (Jenkins): Verified
  Joel Kitching: Looks good to me, approved

diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index e03b51d..787cdbe 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -15,9 +15,18 @@
menu "Verified Boot (vboot)"
+config VBOOT_LIB
+	bool
+	depends on !VENDORCODE_ELTAN_VBOOT && !VENDORCODE_ELTAN_MBOOT
+	help
+	  Build and link the vboot library. Makes the vboot API accessible across
+	  all coreboot stages, without enabling vboot verification. For verification,
+	  please see the VBOOT option below.
+
 config VBOOT
    bool "Verify firmware with vboot."
    default n
+	select VBOOT_LIB
    select VBOOT_MOCK_SECDATA if !TPM1 && !TPM2
    depends on !MISSING_BOARD_RESET
    help
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index 8052549..a700e00 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -14,6 +14,43 @@
 ## GNU General Public License for more details.
 ##
+ifeq ($(CONFIG_VBOOT_LIB),y)
+
+vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\
+		       $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\
+		       $(filter-out -I$(obj),$(1))))
+
+# call with $1 = stage name to create rules for building the library
+# for the stage and adding it to the stage's set of object files.
+define vboot-for-stage
+VBOOT_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw.a
+VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1)))
+VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1))
+VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts))
+VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes
+VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG
+
+$$(VBOOT_LIB_$(1)): $(obj)/config.h
+	printf "    MAKE       $(subst $(obj)/,,$(@))\n"
+	+FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \
+	CC="$$(CC_$(1))" \
+	CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \
+	$(MAKE) -C $(VBOOT_SOURCE) \
+		BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \
+		V=$(V) \
+		fwlib
+
+$(1)-srcs += $$(VBOOT_LIB_$(1))
+
+endef # vboot-for-stage
+
+$(eval $(call vboot-for-stage,bootblock))
+$(eval $(call vboot-for-stage,romstage))
+$(eval $(call vboot-for-stage,ramstage))
+$(eval $(call vboot-for-stage,postcar))
+
+endif # CONFIG_VBOOT_LIB
+
 ifeq ($(CONFIG_VBOOT),y)
bootblock-y += bootmode.c
@@ -95,39 +132,6 @@
romstage-$(CONFIG_FSP2_0_USES_TPM_MRC_HASH) += mrc_cache_hash_tpm.c
-vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\
-		       $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\
-		       $(filter-out -I$(obj),$(1))))
-
-# call with $1 = stage name to create rules for building the library
-# for the stage and adding it to the stage's set of object files.
-define vboot-for-stage
-VBOOT_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw.a
-VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1)))
-VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1))
-VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts))
-VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes
-VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG
-
-$$(VBOOT_LIB_$(1)): $(obj)/config.h
-	printf "    MAKE       $(subst $(obj)/,,$(@))\n"
-	+FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \
-	CC="$$(CC_$(1))" \
-	CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \
-	$(MAKE) -C $(VBOOT_SOURCE) \
-		BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \
-		V=$(V) \
-		fwlib
-
-$(1)-srcs += $$(VBOOT_LIB_$(1))
-
-endef # vboot-for-stage
-
-$(eval $(call vboot-for-stage,bootblock))
-$(eval $(call vboot-for-stage,romstage))
-$(eval $(call vboot-for-stage,ramstage))
-$(eval $(call vboot-for-stage,postcar))
-
 ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y)
$(eval $(call vboot-for-stage,verstage))
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/37787
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Ia1907a11c851ee45a70582e02bdbe08fb18cc6a4
Gerrit-Change-Number: 37787
Gerrit-PatchSet: 10
Gerrit-Owner: Bill XIE persmule@hardenedlinux.org
Gerrit-Reviewer: Aaron Durbin adurbin@chromium.org
Gerrit-Reviewer: Bill XIE persmule@hardenedlinux.org
Gerrit-Reviewer: Frans Hendriks fhendriks@eltan.com
Gerrit-Reviewer: Joel Kitching kitching@google.com
Gerrit-Reviewer: Julius Werner jwerner@chromium.org
Gerrit-Reviewer: Martin Roth martinroth@google.com
Gerrit-Reviewer: Patrick Georgi pgeorgi@google.com
Gerrit-Reviewer: Wim Vervoorn wvervoorn@eltan.com
Gerrit-Reviewer: build bot (Jenkins) no-reply@coreboot.org
Gerrit-CC: Paul Menzel paulepanter@users.sourceforge.net
Gerrit-MessageType: merged



    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

[coreboot-gerrit] Change in coreboot[master]: security/vboot: Add a dedicated flag for building of vboot library