Change in coreboot[master]: security/vboot: Allow files to go into only RW-A or RW-B region
Martin Roth has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/42822 )
Change subject: security/vboot: Allow files to go into only RW-A or RW-B region ......................................................................
security/vboot: Allow files to go into only RW-A or RW-B region
The AMD firmware package created by amdfwtool contains pointers to the various binaries and settings. This means that we need different copies of the package in each region. This change allows for the different files in each of the 3 vboot regions.
BUG=b:158124527 TEST=Build trembyle; see the correct versions of the files getting built into the RW-A & RW-B regions.
Signed-off-by: Martin Roth martin@coreboot.org Change-Id: I45ff69dbc2266a67e05597bbe721fbf95cf41777 --- M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc 2 files changed, 26 insertions(+), 3 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/22/42822/1
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index ad5b61e..ee8d36a 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -218,6 +218,22 @@ Add a space delimited list of filenames that should only be in the RW sections.
+config RWA_REGION_ONLY + string + default "" + depends on VBOOT_SLOTS_RW_AB + help + Add a space-delimited list of filenames that should only be in the + RW-A section. + +config RWB_REGION_ONLY + string + default "" + depends on VBOOT_SLOTS_RW_AB + help + Add a space-delimited list of filenames that should only be in the + RW-B section. + config VBOOT_ENABLE_CBFS_FALLBACK bool default n diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index 1e0166e..90b2756 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -165,8 +165,9 @@ endif
# Return the regions a specific file should be placed in. The files listed below and the ones -# that are specified in CONFIG_RO_REGION_ONLY are only specified in the RO region. The files -# specified in the CONFIG_RW_REGION_ONLY are only placed in the RW regions. +# that are specified in CONFIG_RO_REGION_ONLY, are only specified in the RO region. The files +# specified in the CONFIG_RW_REGION_ONLY are placed in all RW regions. Files specified +# in CONFIG_RWA_REGION_ONLY or CONFIG_RWB_REGION_ONLY get placed only in those sections. # All other files will be installed into RO and RW regions # Use $(sort) to cut down on extra spaces that would be translated to commas regions-for-file = $(subst $(spc),$(comma),$(sort \ @@ -185,9 +186,15 @@ $(call strip_quotes,$(CONFIG_RO_REGION_ONLY)) \ ,$(1)),COREBOOT,\ $(if $(filter \ + $(call strip_quotes,$(CONFIG_RWA_REGION_ONLY)) \ + ,$(1)), FW_MAIN_A, \ + $(if $(filter \ + $(call strip_quotes,$(CONFIG_RWB_REGION_ONLY)) \ + ,$(1)), FW_MAIN_B, \ + $(if $(filter \ $(call strip_quotes,$(CONFIG_RW_REGION_ONLY)) \ ,$(1)), $(RW_PARTITIONS), $(VBOOT_PARTITIONS) ) \ - ))) + )))))
CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID)) CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE))
Raul Rangel has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/42822 )
Change subject: security/vboot: Allow files to go into only RW-A or RW-B region ......................................................................
Patch Set 1: Code-Review+2
Martin Roth has submitted this change. ( https://review.coreboot.org/c/coreboot/+/42822 )
Change subject: security/vboot: Allow files to go into only RW-A or RW-B region ......................................................................
security/vboot: Allow files to go into only RW-A or RW-B region
The AMD firmware package created by amdfwtool contains pointers to the various binaries and settings. This means that we need different copies of the package in each region. This change allows for the different files in each of the 3 vboot regions.
BUG=b:158124527 TEST=Build trembyle; see the correct versions of the files getting built into the RW-A & RW-B regions.
Signed-off-by: Martin Roth martin@coreboot.org Change-Id: I45ff69dbc2266a67e05597bbe721fbf95cf41777 Reviewed-on: https://review.coreboot.org/c/coreboot/+/42822 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Raul Rangel rrangel@chromium.org --- M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc 2 files changed, 26 insertions(+), 3 deletions(-)
Approvals: build bot (Jenkins): Verified Raul Rangel: Looks good to me, approved
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index ad5b61e..ee8d36a 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -218,6 +218,22 @@ Add a space delimited list of filenames that should only be in the RW sections.
+config RWA_REGION_ONLY + string + default "" + depends on VBOOT_SLOTS_RW_AB + help + Add a space-delimited list of filenames that should only be in the + RW-A section. + +config RWB_REGION_ONLY + string + default "" + depends on VBOOT_SLOTS_RW_AB + help + Add a space-delimited list of filenames that should only be in the + RW-B section. + config VBOOT_ENABLE_CBFS_FALLBACK bool default n diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index 1e0166e..90b2756 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -165,8 +165,9 @@ endif
# Return the regions a specific file should be placed in. The files listed below and the ones -# that are specified in CONFIG_RO_REGION_ONLY are only specified in the RO region. The files -# specified in the CONFIG_RW_REGION_ONLY are only placed in the RW regions. +# that are specified in CONFIG_RO_REGION_ONLY, are only specified in the RO region. The files +# specified in the CONFIG_RW_REGION_ONLY are placed in all RW regions. Files specified +# in CONFIG_RWA_REGION_ONLY or CONFIG_RWB_REGION_ONLY get placed only in those sections. # All other files will be installed into RO and RW regions # Use $(sort) to cut down on extra spaces that would be translated to commas regions-for-file = $(subst $(spc),$(comma),$(sort \ @@ -185,9 +186,15 @@ $(call strip_quotes,$(CONFIG_RO_REGION_ONLY)) \ ,$(1)),COREBOOT,\ $(if $(filter \ + $(call strip_quotes,$(CONFIG_RWA_REGION_ONLY)) \ + ,$(1)), FW_MAIN_A, \ + $(if $(filter \ + $(call strip_quotes,$(CONFIG_RWB_REGION_ONLY)) \ + ,$(1)), FW_MAIN_B, \ + $(if $(filter \ $(call strip_quotes,$(CONFIG_RW_REGION_ONLY)) \ ,$(1)), $(RW_PARTITIONS), $(VBOOT_PARTITIONS) ) \ - ))) + )))))
CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID)) CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE))
-
Martin Roth (Code Review) -
Raul Rangel (Code Review)