[XS] Change in coreboot[main]: security/vboot: Include new gbb flag to enforce CSE sync - coreboot-gerrit

2 Aug 2024

Felix Held has submitted this change. ( https://review.coreboot.org/c/coreboot/+/83685?usp=email )
(
2 is the latest approved patch-set.
No files were changed between the latest approved patch-set and the submitted one.
 )Change subject: security/vboot: Include new gbb flag to enforce CSE sync
......................................................................
security/vboot: Include new gbb flag to enforce CSE sync
This patch adds a GBB flag to coreboot, which, when enabled, enforces
CSE sync even if the current CSE version matches the version in CBFS.
The CSME sync GBB and flag are designed to enhance autotest
functionalities and are not intended or recommended for use in
developing any other features.
BUG=b:353053317
TEST=futility gbb --help
Cq-Depend: chromium:5718196
Change-Id: I6352959e1e898a90b4c6e12a22f8d6513f90ded9
Signed-off-by: Dinesh Gehlot digehlot@google.com
Reviewed-on: https://review.coreboot.org/c/coreboot/+/83685
Reviewed-by: Yu-Ping Wu yupingso@google.com
Reviewed-by: Subrata Banik subratabanik@google.com
Tested-by: build bot (Jenkins) no-reply@coreboot.org
---
M src/security/vboot/Kconfig
M src/security/vboot/Makefile.mk
2 files changed, 5 insertions(+), 0 deletions(-)
Approvals:
  Yu-Ping Wu: Looks good to me, approved
  build bot (Jenkins): Verified
  Subrata Banik: Looks good to me, approved

diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index e30e8ee..7e291e0 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -451,6 +451,10 @@
    bool "Enable USB Device Controller"
    default n
+config GBB_FLAG_FORCE_CSE_SYNC
+	bool "Running tests; enforce CSE sync"
+	default n
+
 endmenu # GBB
menu "Vboot Keys"
diff --git a/src/security/vboot/Makefile.mk b/src/security/vboot/Makefile.mk
index 48a6c9d..e9b3eb6 100644
--- a/src/security/vboot/Makefile.mk
+++ b/src/security/vboot/Makefile.mk
@@ -265,6 +265,7 @@
    $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_MANUAL_RECOVERY),0x4000) \
    $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_FWMP),0x8000) \
    $(call bool-to-mask,$(CONFIG_GBB_FLAG_ENABLE_UDC),0x10000) \
+	$(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_CSE_SYNC),0x20000) \
    )
ifneq ($(CONFIG_GBB_BMPFV_FILE),)
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/83685?usp=email
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings?usp=email

Gerrit-MessageType: merged
Gerrit-Project: coreboot
Gerrit-Branch: main
Gerrit-Change-Id: I6352959e1e898a90b4c6e12a22f8d6513f90ded9
Gerrit-Change-Number: 83685
Gerrit-PatchSet: 4
Gerrit-Owner: Dinesh Gehlot digehlot@google.com
Gerrit-Reviewer: Felix Held felix-coreboot@felixheld.de
Gerrit-Reviewer: Julius Werner jwerner@chromium.org
Gerrit-Reviewer: Subrata Banik subratabanik@google.com
Gerrit-Reviewer: Yu-Ping Wu yupingso@google.com
Gerrit-Reviewer: build bot (Jenkins) no-reply@coreboot.org



    