Philipp Deppenwiese has uploaded this change for review. ( https://review.coreboot.org/23873
Change subject: security/vboot: Make vboot first class citizen ......................................................................
security/vboot: Make vboot first class citizen
* Add selection of vboot partition layout, * Add auto generation for vboot flashmap layouts.
Change-Id: If1ac6db16647eba4ddb28b74d1e0501224c841df Signed-off-by: Philipp Deppenwiese zaolin@das-labor.org --- M Makefile.inc M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc 3 files changed, 73 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/73/23873/1
diff --git a/Makefile.inc b/Makefile.inc index ca157a2..28b9b48 100644 --- a/Makefile.inc +++ b/Makefile.inc @@ -766,7 +766,19 @@ # For a description of the flash layout described by these variables, check # the $(DEFAULT_FLASHMAP) .fmd files. ifeq ($(CONFIG_ARCH_X86),y) +ifeq ($(CONFIG_VBOOT),) DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default-x86.fmd +else +ifeq ($(CONFIG_VBOOT_SAFETY_AB),y) +DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default-x86-ro-a-b.fmd +endif +ifeq ($(CONFIG_VBOOT_SAFETY_A),y) +DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default-x86-ro-a.fmd +endif +ifeq ($(CONFIG_VBOOT_NO_SAFETY),y) +DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default-x86-ro.fmd +endif +endif # entire flash FMAP_ROM_ADDR := $(call int-subtract, 0x100000000 $(CONFIG_ROM_SIZE)) FMAP_ROM_SIZE := $(CONFIG_ROM_SIZE) @@ -791,7 +803,19 @@ FMAP_CBFS_BASE := $(call int-add, $(FMAP_CONSOLE_SIZE) $(FMAP_FMAP_SIZE)) FMAP_CBFS_SIZE := $(call int-subtract, $(FMAP_BIOS_SIZE) $(FMAP_CBFS_BASE)) else # ifeq ($(CONFIG_ARCH_X86),y) +ifeq ($(CONFIG_VBOOT),) DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default.fmd +else +ifeq ($(CONFIG_VBOOT_SAFETY_AB),y) +DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default-ro-a-b.fmd +endif +ifeq ($(CONFIG_VBOOT_SAFETY_A),y) +DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default-ro-a.fmd +endif +ifeq ($(CONFIG_VBOOT_NO_SAFETY),y) +DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default-ro.fmd +endif +endif # entire flash FMAP_ROM_ADDR := 0 FMAP_ROM_SIZE := $(CONFIG_ROM_SIZE) diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index b92aa24..4373883 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -28,6 +28,24 @@
choice
+prompt "Failure safety" + default VBOOT_SAFETY_AB + help + Select the boot mode in which VBOOT should run. + +config VBOOT_SAFETY_AB + bool "Firmware A & B" + +config VBOOT_SAFETY_A + bool "Firmware A" + +config VBOOT_NO_SAFETY + bool "Firmware RO only" + +endchoice + +choice + prompt "Boot mode" default VBOOT_MODE_VERIFIED_BOOT help diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index 8709f5a..2887cb4 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -152,6 +152,19 @@ endif endif # CONFIG_VBOOT_SEPARATE_VERSTAGE
+# Check safety mode +ifeq ($(CONFIG_VBOOT_SAFETY_AB),y) +VBOOT_PARTITIONS := COREBOOT FW_MAIN_A FW_MAIN_B +endif + +ifeq ($(CONFIG_VBOOT_SAFETY_A),y) +VBOOT_PARTITIONS := COREBOOT FW_MAIN_A +endif + +ifeq ($(CONFIG_VBOOT_NO_SAFETY),y) +VBOOT_PARTITIONS := COREBOOT +endif + # Define a list of files that need to be in RO only. # All other files will be installed into RO and RW regions # Use $(sort) to cut down on extra spaces that would be translated to commas @@ -167,7 +180,7 @@ vbgfx.bin \ rmu.bin \ $(call strip_quotes,$(CONFIG_RO_REGION_ONLY)) \ - ,$(1)),COREBOOT,COREBOOT FW_MAIN_A FW_MAIN_B))) + ,$(1)),COREBOOT,$(VBOOT_PARTITIONS))))
CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID)) CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE)) @@ -237,8 +250,13 @@ @printf " WRITE GBB\n" $(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -i 0 -f $(obj)/gbb.region $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RO_FRID -i 0 -f $(obj)/fwid.region +ifeq ($(CONFIG_VBOOT_SAFETY_AB),y) $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_B -i 0 -f $(obj)/fwid.region +endif +ifeq ($(CONFIG_VBOOT_SAFETY_A),y) + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region +endif
ifneq ($(shell grep "SHARED_DATA" "$(CONFIG_FMDFILE)"),) build_complete:: @@ -270,8 +288,20 @@ --kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \ --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS)
+ifeq ($(CONFIG_VBOOT_SAFETY_AB),y) files_added:: $(obj)/VBLOCK_A.bin $(obj)/VBLOCK_B.bin $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_B -f $(obj)/VBLOCK_B.bin + @printf " FLASHMAP Layout generated for RO, A and B partition.\n" +endif +ifeq ($(CONFIG_VBOOT_SAFETY_A),y) +files_added:: $(obj)/VBLOCK_A.bin + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin + @printf " FLASHMAP Layout generated for RO and A partition.\n" +endif +ifeq ($(CONFIG_VBOOT_NO_SAFETY),y) +files_added:: + @printf " FLASHMAP Layout generated for RO partition only, beware no updates possible!\n" +endif
endif # CONFIG_VBOOT