Change in coreboot[master]: security/vboot: Intruduce CONFIG_VBOOT_LIB to control vboot library.
Bill XIE has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/37787 )
Change subject: security/vboot: Intruduce CONFIG_VBOOT_LIB to control vboot library. ......................................................................
security/vboot: Intruduce CONFIG_VBOOT_LIB to control vboot library.
As discussed in CB:35077, since both measured boot and verified boot depends on vboot library, it had better build and link the vboot library less conditionally. Only the actual verification stuff should be conditional on CONFIG_VBOOT.
Change-Id: Ia1907a11c851ee45a70582e02bdbe08fb18cc6a4 Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc 2 files changed, 42 insertions(+), 35 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/87/37787/1
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index a829443..353c46c 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -15,9 +15,13 @@
menu "Verified Boot (vboot)"
+config VBOOT_LIB + bool + config VBOOT bool "Verify firmware with vboot." default n + select VBOOT_LIB select VBOOT_MOCK_SECDATA if !TPM1 && !TPM2 depends on !MISSING_BOARD_RESET help diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index 5292bd1..99cf08c 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -14,6 +14,43 @@ ## GNU General Public License for more details. ##
+ifeq ($(CONFIG_VBOOT_LIB),y) + +vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\ + $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\ + $(filter-out -I$(obj),$(1)))) + +# call with $1 = stage name to create rules for building the library +# for the stage and adding it to the stage's set of object files. +define vboot-for-stage +VBOOT_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw.a +VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1))) +VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1)) +VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts)) +VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes +VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG + +$$(VBOOT_LIB_$(1)): $(obj)/config.h + printf " MAKE $(subst $(obj)/,,$(@))\n" + +FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \ + CC="$$(CC_$(1))" \ + CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \ + $(MAKE) -C $(VBOOT_SOURCE) \ + BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \ + V=$(V) \ + fwlib + +$(1)-srcs += $$(VBOOT_LIB_$(1)) + +endef # vboot-for-stage + +CFLAGS_common += -I3rdparty/vboot/firmware/2lib/include + +$(eval $(call vboot-for-stage,bootblock)) +$(eval $(call vboot-for-stage,romstage)) +$(eval $(call vboot-for-stage,ramstage)) +$(eval $(call vboot-for-stage,postcar)) + ifeq ($(CONFIG_VBOOT),y)
bootblock-y += bootmode.c @@ -95,41 +132,6 @@
romstage-$(CONFIG_FSP2_0_USES_TPM_MRC_HASH) += mrc_cache_hash_tpm.c
-vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\ - $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\ - $(filter-out -I$(obj),$(1)))) - -# call with $1 = stage name to create rules for building the library -# for the stage and adding it to the stage's set of object files. -define vboot-for-stage -VBOOT_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw.a -VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1))) -VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1)) -VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts)) -VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes -VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG - -$$(VBOOT_LIB_$(1)): $(obj)/config.h - printf " MAKE $(subst $(obj)/,,$(@))\n" - +FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \ - CC="$$(CC_$(1))" \ - CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \ - $(MAKE) -C $(VBOOT_SOURCE) \ - BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \ - V=$(V) \ - fwlib - -$(1)-srcs += $$(VBOOT_LIB_$(1)) - -endef # vboot-for-stage - -CFLAGS_common += -I3rdparty/vboot/firmware/2lib/include - -$(eval $(call vboot-for-stage,bootblock)) -$(eval $(call vboot-for-stage,romstage)) -$(eval $(call vboot-for-stage,ramstage)) -$(eval $(call vboot-for-stage,postcar)) - ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y)
$(eval $(call vboot-for-stage,verstage)) @@ -328,3 +330,4 @@ endif
endif # CONFIG_VBOOT +endif # CONFIG_VBOOT_LIB
Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/37787 )
Change subject: security/vboot: Intruduce CONFIG_VBOOT_LIB to control vboot library. ......................................................................
Patch Set 1: Code-Review+1
Paul Menzel has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/37787 )
Change subject: security/vboot: Intruduce CONFIG_VBOOT_LIB to control vboot library. ......................................................................
Patch Set 1:
(1 comment)
https://review.coreboot.org/c/coreboot/+/37787/1//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/37787/1//COMMIT_MSG@7 PS1, Line 7: security/vboot: Intruduce CONFIG_VBOOT_LIB to control vboot library. Please remove the dot/period at the end of the commit message summary.
Hello Aaron Durbin, Wim Vervoorn, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/37787
to look at the new patch set (#2).
Change subject: security/vboot: Intruduce CONFIG_VBOOT_LIB to control vboot library ......................................................................
security/vboot: Intruduce CONFIG_VBOOT_LIB to control vboot library
As discussed in CB:35077, since both measured boot and verified boot depends on vboot library, it had better build and link the vboot library less conditionally. Only the actual verification stuff should be conditional on CONFIG_VBOOT.
Change-Id: Ia1907a11c851ee45a70582e02bdbe08fb18cc6a4 Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc 2 files changed, 42 insertions(+), 35 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/87/37787/2
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/37787 )
Change subject: security/vboot: Intruduce CONFIG_VBOOT_LIB to control vboot library ......................................................................
Patch Set 2:
(1 comment)
At last I have chosen to add the flag VBOOT_LIB to control the building of vboot library, rather than leaving it built unconditionally, in order to avoid wasting time to build vboot library when it is completely unused.
https://review.coreboot.org/c/coreboot/+/37787/1//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/37787/1//COMMIT_MSG@7 PS1, Line 7: security/vboot: Intruduce CONFIG_VBOOT_LIB to control vboot library.
Please remove the dot/period at the end of the commit message summary.
Done
Hello Aaron Durbin, Wim Vervoorn, Julius Werner, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/37787
to look at the new patch set (#3).
Change subject: security/vboot: Add a dedicated flag for building of vboot library ......................................................................
security/vboot: Add a dedicated flag for building of vboot library
As discussed in CB:35077, since both measured boot and verified boot depends on vboot library, it had better to introduce a dedicated flag CONFIG_VBOOT_LIB to control the building and linking of the vboot library, and make other flags needing vboot library select it. Only the actual verification stuff should be conditional on CONFIG_VBOOT.
Change-Id: Ia1907a11c851ee45a70582e02bdbe08fb18cc6a4 Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc 2 files changed, 42 insertions(+), 35 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/87/37787/3
Joel Kitching has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/37787 )
Change subject: security/vboot: Add a dedicated flag for building of vboot library ......................................................................
Patch Set 4:
(5 comments)
Another naming option would be to use:
VBOOT (or VBOOT_LIB) - include the vboot library functions VBOOT_VERIFY_FIRMWARE - enable firmware verification
What do you think?
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Kconfig File src/security/vboot/Kconfig:
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Kconfig@... PS4, Line 18: config Also need to add:
depends on !VENDORCODE_ELTAN_VBOOT && !VENRDORCODE_ELTAN_MBOOT
Adding fhendriks for comment.
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Kconfig@... PS4, Line 19: bool Please add a string description here, as well as a "help" description.
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Makefile... File src/security/vboot/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Makefile... PS4, Line 46: : CFLAGS_common += -I3rdparty/vboot/firmware/2lib/include Note that I just removed this line in: https://review.coreboot.org/c/coreboot/+/37786
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Makefile... PS4, Line 53: I'd prefer to just end the ifeq block here. We can rely on the Kconfig logic to give us a valid combination of VBOOT_LIB and VBOOT config variables.
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Makefile... PS4, Line 137: $(eval $(call vboot-for-stage,verstage)) Should this move up as well? Or are we guaranteed that VBOOT_SEPARATE_VERSTAGE will only be enabled when VBOOT is enabled?
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/37787 )
Change subject: security/vboot: Add a dedicated flag for building of vboot library ......................................................................
Patch Set 4:
(5 comments)
Patch Set 4:
(5 comments)
Another naming option would be to use:
VBOOT (or VBOOT_LIB) - include the vboot library functions VBOOT_VERIFY_FIRMWARE - enable firmware verification
What do you think?
I would rather keep the VBOOT flag, for I don't know how to efficiently and correctly change hundreds of its appearance around the whole coreboot tree.
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Kconfig File src/security/vboot/Kconfig:
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Kconfig@... PS4, Line 18: config
Also need to add: […]
Done
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Kconfig@... PS4, Line 19: bool
Please add a string description here, as well as a "help" description.
"help" description added, but VBOOT_LIB is designed as a hidden flag for other visible flags (e.g. VBOOT and future TSPI_MEASURED_BOOT in CB:35077) to select, so flag description will be omitted to keep this flag hidden from menu.
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Makefile... File src/security/vboot/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Makefile... PS4, Line 46: : CFLAGS_common += -I3rdparty/vboot/firmware/2lib/include
Note that I just removed this line in: […]
Removed.
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Makefile... PS4, Line 53:
I'd prefer to just end the ifeq block here. […]
Done
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Makefile... PS4, Line 137: $(eval $(call vboot-for-stage,verstage))
Should this move up as well? Or are we guaranteed that VBOOT_SEPARATE_VERSTAGE will only be enabled […]
I believe verstage is introduced for verified boot. Besides, VBOOT_SEPARATE_VERSTAGE is available only when VBOOT is set.
Hello Aaron Durbin, Wim Vervoorn, Julius Werner, Frans Hendriks, build bot (Jenkins), Joel Kitching, Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/37787
to look at the new patch set (#5).
Change subject: security/vboot: Add a dedicated flag for building of vboot library ......................................................................
security/vboot: Add a dedicated flag for building of vboot library
As discussed in CB:35077, since both measured boot and verified boot depends on vboot library, it had better to introduce a dedicated flag CONFIG_VBOOT_LIB to control the building and linking of the vboot library, and make other flags needing vboot library select it. Only the actual verification stuff should be conditional on CONFIG_VBOOT.
Change-Id: Ia1907a11c851ee45a70582e02bdbe08fb18cc6a4 Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc 2 files changed, 44 insertions(+), 35 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/87/37787/5
Hello Aaron Durbin, Wim Vervoorn, Julius Werner, Frans Hendriks, build bot (Jenkins), Joel Kitching, Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/37787
to look at the new patch set (#6).
Change subject: security/vboot: Add a dedicated flag for building of vboot library ......................................................................
security/vboot: Add a dedicated flag for building of vboot library
As discussed in CB:35077, since both measured boot and verified boot depends on vboot library, it had better to introduce a dedicated flag CONFIG_VBOOT_LIB to control the building and linking of the vboot library, and make other flags needing vboot library select it. Only the actual verification stuff should be conditional on CONFIG_VBOOT.
Change-Id: Ia1907a11c851ee45a70582e02bdbe08fb18cc6a4 Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc 2 files changed, 44 insertions(+), 33 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/87/37787/6
Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/37787 )
Change subject: security/vboot: Add a dedicated flag for building of vboot library ......................................................................
Patch Set 7: Code-Review+1
Joel Kitching has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/37787 )
Change subject: security/vboot: Add a dedicated flag for building of vboot library ......................................................................
Patch Set 7:
(3 comments)
Another naming option would be to use:
VBOOT (or VBOOT_LIB) - include the vboot library functions VBOOT_VERIFY_FIRMWARE - enable firmware verification
What do you think?
I would rather keep the VBOOT flag, for I don't know how to efficiently and correctly change hundreds of its appearance around the whole coreboot tree.
Check out the `sed` utility.
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Kconfig File src/security/vboot/Kconfig:
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Kconfig@... PS4, Line 19: bool
"help" description added, but VBOOT_LIB is designed as a hidden flag for other visible flags (e.g. […]
Okay, that makes sense.
https://review.coreboot.org/c/coreboot/+/37787/7/src/security/vboot/Kconfig File src/security/vboot/Kconfig:
https://review.coreboot.org/c/coreboot/+/37787/7/src/security/vboot/Kconfig@... PS7, Line 22: Building and linking the vboot library. How about just "Build and link the vboot library. Makes the vboot API accessible across all coreboot stages, without enabling vboot verification. For verification, please see the VBOOT option below."
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Makefile... File src/security/vboot/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/37787/4/src/security/vboot/Makefile... PS4, Line 137: $(eval $(call vboot-for-stage,verstage))
I believe verstage is introduced for verified boot. […]
OK.
Hello Aaron Durbin, Wim Vervoorn, Julius Werner, Frans Hendriks, build bot (Jenkins), Joel Kitching, Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/37787
to look at the new patch set (#8).
Change subject: security/vboot: Add a dedicated flag for building of vboot library ......................................................................
security/vboot: Add a dedicated flag for building of vboot library
As discussed in CB:35077, since both measured boot and verified boot depends on vboot library, it had better to introduce a dedicated flag CONFIG_VBOOT_LIB to control the building and linking of the vboot library, and make other flags needing vboot library select it. Only the actual verification stuff should be conditional on CONFIG_VBOOT.
Change-Id: Ia1907a11c851ee45a70582e02bdbe08fb18cc6a4 Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc 2 files changed, 46 insertions(+), 33 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/87/37787/8
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/37787 )
Change subject: security/vboot: Add a dedicated flag for building of vboot library ......................................................................
Patch Set 8:
(1 comment)
Patch Set 7:
(3 comments)
Another naming option would be to use:
VBOOT (or VBOOT_LIB) - include the vboot library functions VBOOT_VERIFY_FIRMWARE - enable firmware verification
What do you think?
I would rather keep the VBOOT flag, for I don't know how to efficiently and correctly change hundreds of its appearance around the whole coreboot tree.
Check out the `sed` utility.
But how to match and replace "VBOOT" without touching "*_VBOOT_*"?
https://review.coreboot.org/c/coreboot/+/37787/7/src/security/vboot/Kconfig File src/security/vboot/Kconfig:
https://review.coreboot.org/c/coreboot/+/37787/7/src/security/vboot/Kconfig@... PS7, Line 22: Building and linking the vboot library.
How about just "Build and link the vboot library. […]
Done
Joel Kitching has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/37787 )
Change subject: security/vboot: Add a dedicated flag for building of vboot library ......................................................................
Patch Set 8: Code-Review+2
But how to match and replace "VBOOT" without touching "*_VBOOT_*"?
Bill, probably the easiest way is to use a few different patterns. For example:
s/CONFIG(VBOOT)/CONFIG(VBOOT_VERIFY_FIRMWARE)/ s/config VBOOT/config VBOOT_VERIFY_FIRMWARE/
But anyways, if you want to leave it as VBOOT, I guess that's fine too.
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/37787 )
Change subject: security/vboot: Add a dedicated flag for building of vboot library ......................................................................
Patch Set 8:
Patch Set 8: Code-Review+2
But how to match and replace "VBOOT" without touching "*_VBOOT_*"?
Bill, probably the easiest way is to use a few different patterns. For example:
s/CONFIG(VBOOT)/CONFIG(VBOOT_VERIFY_FIRMWARE)/ s/config VBOOT/config VBOOT_VERIFY_FIRMWARE/
But anyways, if you want to leave it as VBOOT, I guess that's fine too.
The first one (with parenthesis boundaries) should be fine, but the second one may affect "config VBOOT_*", e.g. modify "config VBOOT_LIB" into "config VBOOT_VERIFY_FIRMWARE_LIB".
The second case needs an regexp matching "VBOOT" in "VBOOT$", "VBOOT," (in Makefile.inc), "VBOOT ", but not "VBOOT_*".
Joel Kitching has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/37787 )
Change subject: security/vboot: Add a dedicated flag for building of vboot library ......................................................................
Patch Set 9:
The first one (with parenthesis boundaries) should be fine, but the second one may affect "config VBOOT_*", e.g. modify "config VBOOT_LIB" into "config VBOOT_VERIFY_FIRMWARE_LIB".
The second case needs an regexp matching "VBOOT" in "VBOOT$", "VBOOT," (in Makefile.inc), "VBOOT ", but not "VBOOT_*".
Indeed =) There's always a clever sed command to be crafted.
Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/37787 )
Change subject: security/vboot: Add a dedicated flag for building of vboot library ......................................................................
security/vboot: Add a dedicated flag for building of vboot library
As discussed in CB:35077, since both measured boot and verified boot depends on vboot library, it had better to introduce a dedicated flag CONFIG_VBOOT_LIB to control the building and linking of the vboot library, and make other flags needing vboot library select it. Only the actual verification stuff should be conditional on CONFIG_VBOOT.
Change-Id: Ia1907a11c851ee45a70582e02bdbe08fb18cc6a4 Signed-off-by: Bill XIE persmule@hardenedlinux.org Reviewed-on: https://review.coreboot.org/c/coreboot/+/37787 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Joel Kitching kitching@google.com --- M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc 2 files changed, 46 insertions(+), 33 deletions(-)
Approvals: build bot (Jenkins): Verified Joel Kitching: Looks good to me, approved
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index e03b51d..787cdbe 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -15,9 +15,18 @@
menu "Verified Boot (vboot)"
+config VBOOT_LIB + bool + depends on !VENDORCODE_ELTAN_VBOOT && !VENDORCODE_ELTAN_MBOOT + help + Build and link the vboot library. Makes the vboot API accessible across + all coreboot stages, without enabling vboot verification. For verification, + please see the VBOOT option below. + config VBOOT bool "Verify firmware with vboot." default n + select VBOOT_LIB select VBOOT_MOCK_SECDATA if !TPM1 && !TPM2 depends on !MISSING_BOARD_RESET help diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index 8052549..a700e00 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -14,6 +14,43 @@ ## GNU General Public License for more details. ##
+ifeq ($(CONFIG_VBOOT_LIB),y) + +vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\ + $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\ + $(filter-out -I$(obj),$(1)))) + +# call with $1 = stage name to create rules for building the library +# for the stage and adding it to the stage's set of object files. +define vboot-for-stage +VBOOT_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw.a +VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1))) +VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1)) +VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts)) +VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes +VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG + +$$(VBOOT_LIB_$(1)): $(obj)/config.h + printf " MAKE $(subst $(obj)/,,$(@))\n" + +FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \ + CC="$$(CC_$(1))" \ + CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \ + $(MAKE) -C $(VBOOT_SOURCE) \ + BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \ + V=$(V) \ + fwlib + +$(1)-srcs += $$(VBOOT_LIB_$(1)) + +endef # vboot-for-stage + +$(eval $(call vboot-for-stage,bootblock)) +$(eval $(call vboot-for-stage,romstage)) +$(eval $(call vboot-for-stage,ramstage)) +$(eval $(call vboot-for-stage,postcar)) + +endif # CONFIG_VBOOT_LIB + ifeq ($(CONFIG_VBOOT),y)
bootblock-y += bootmode.c @@ -95,39 +132,6 @@
romstage-$(CONFIG_FSP2_0_USES_TPM_MRC_HASH) += mrc_cache_hash_tpm.c
-vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\ - $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\ - $(filter-out -I$(obj),$(1)))) - -# call with $1 = stage name to create rules for building the library -# for the stage and adding it to the stage's set of object files. -define vboot-for-stage -VBOOT_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw.a -VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1))) -VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1)) -VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts)) -VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes -VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG - -$$(VBOOT_LIB_$(1)): $(obj)/config.h - printf " MAKE $(subst $(obj)/,,$(@))\n" - +FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \ - CC="$$(CC_$(1))" \ - CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \ - $(MAKE) -C $(VBOOT_SOURCE) \ - BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \ - V=$(V) \ - fwlib - -$(1)-srcs += $$(VBOOT_LIB_$(1)) - -endef # vboot-for-stage - -$(eval $(call vboot-for-stage,bootblock)) -$(eval $(call vboot-for-stage,romstage)) -$(eval $(call vboot-for-stage,ramstage)) -$(eval $(call vboot-for-stage,postcar)) - ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y)
$(eval $(call vboot-for-stage,verstage))
-
Bill XIE (Code Review) -
Joel Kitching (Code Review)
-
Patrick Georgi (Code Review)
-
Paul Menzel (Code Review)
-
Wim Vervoorn (Code Review)