[coreboot-gerrit] Change in coreboot[master]: security/vboot: Make vboot first class citizen

Philipp Deppenwiese (Code Review) gerrit at coreboot.org
Mon Feb 26 18:50:19 CET 2018 

Philipp Deppenwiese has uploaded this change for review. ( https://review.coreboot.org/23873


Change subject: security/vboot: Make vboot first class citizen
......................................................................

security/vboot: Make vboot first class citizen

* Add selection of vboot partition layout,
* Add auto generation for vboot flashmap layouts.

Change-Id: If1ac6db16647eba4ddb28b74d1e0501224c841df
Signed-off-by: Philipp Deppenwiese <zaolin at das-labor.org>
---
M Makefile.inc
M src/security/vboot/Kconfig
M src/security/vboot/Makefile.inc
3 files changed, 73 insertions(+), 1 deletion(-)



  git pull ssh://review.coreboot.org:29418/coreboot refs/changes/73/23873/1

diff --git a/Makefile.inc b/Makefile.inc
index ca157a2..28b9b48 100644
--- a/Makefile.inc
+++ b/Makefile.inc
@@ -766,7 +766,19 @@
 # For a description of the flash layout described by these variables, check
 # the $(DEFAULT_FLASHMAP) .fmd files.
 ifeq ($(CONFIG_ARCH_X86),y)
+ifeq ($(CONFIG_VBOOT),)
 DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default-x86.fmd
+else
+ifeq ($(CONFIG_VBOOT_SAFETY_AB),y)
+DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default-x86-ro-a-b.fmd
+endif
+ifeq ($(CONFIG_VBOOT_SAFETY_A),y)
+DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default-x86-ro-a.fmd
+endif
+ifeq ($(CONFIG_VBOOT_NO_SAFETY),y)
+DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default-x86-ro.fmd
+endif
+endif
 # entire flash
 FMAP_ROM_ADDR := $(call int-subtract, 0x100000000 $(CONFIG_ROM_SIZE))
 FMAP_ROM_SIZE := $(CONFIG_ROM_SIZE)
@@ -791,7 +803,19 @@
 FMAP_CBFS_BASE := $(call int-add, $(FMAP_CONSOLE_SIZE) $(FMAP_FMAP_SIZE))
 FMAP_CBFS_SIZE := $(call int-subtract, $(FMAP_BIOS_SIZE) $(FMAP_CBFS_BASE))
 else # ifeq ($(CONFIG_ARCH_X86),y)
+ifeq ($(CONFIG_VBOOT),)
 DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default.fmd
+else
+ifeq ($(CONFIG_VBOOT_SAFETY_AB),y)
+DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default-ro-a-b.fmd
+endif
+ifeq ($(CONFIG_VBOOT_SAFETY_A),y)
+DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default-ro-a.fmd
+endif
+ifeq ($(CONFIG_VBOOT_NO_SAFETY),y)
+DEFAULT_FLASHMAP:=$(top)/util/cbfstool/default-ro.fmd
+endif
+endif
 # entire flash
 FMAP_ROM_ADDR := 0
 FMAP_ROM_SIZE := $(CONFIG_ROM_SIZE)
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index b92aa24..4373883 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -28,6 +28,24 @@
 
 choice
 
+prompt "Failure safety"
+	default VBOOT_SAFETY_AB
+	help
+	  Select the boot mode in which VBOOT should run.
+
+config VBOOT_SAFETY_AB
+	bool "Firmware A & B"
+
+config VBOOT_SAFETY_A
+	bool "Firmware A"
+
+config VBOOT_NO_SAFETY
+	bool "Firmware RO only"
+
+endchoice
+
+choice
+
 prompt "Boot mode"
 	default VBOOT_MODE_VERIFIED_BOOT
 	help
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index 8709f5a..2887cb4 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -152,6 +152,19 @@
 endif
 endif # CONFIG_VBOOT_SEPARATE_VERSTAGE
 
+# Check safety mode
+ifeq ($(CONFIG_VBOOT_SAFETY_AB),y)
+VBOOT_PARTITIONS := COREBOOT FW_MAIN_A FW_MAIN_B
+endif
+
+ifeq ($(CONFIG_VBOOT_SAFETY_A),y)
+VBOOT_PARTITIONS := COREBOOT FW_MAIN_A
+endif
+
+ifeq ($(CONFIG_VBOOT_NO_SAFETY),y)
+VBOOT_PARTITIONS := COREBOOT
+endif
+
 # Define a list of files that need to be in RO only.
 # All other files will be installed into RO and RW regions
 # Use $(sort) to cut down on extra spaces that would be translated to commas
@@ -167,7 +180,7 @@
 		vbgfx.bin \
 		rmu.bin \
 		$(call strip_quotes,$(CONFIG_RO_REGION_ONLY)) \
-		,$(1)),COREBOOT,COREBOOT FW_MAIN_A FW_MAIN_B)))
+		,$(1)),COREBOOT,$(VBOOT_PARTITIONS))))
 
 CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID))
 CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE))
@@ -237,8 +250,13 @@
 	@printf "    WRITE GBB\n"
 	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -i 0 -f $(obj)/gbb.region
 	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RO_FRID -i 0 -f $(obj)/fwid.region
+ifeq ($(CONFIG_VBOOT_SAFETY_AB),y)
 	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region
 	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_B -i 0 -f $(obj)/fwid.region
+endif
+ifeq ($(CONFIG_VBOOT_SAFETY_A),y)
+	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region
+endif
 
 ifneq ($(shell grep "SHARED_DATA" "$(CONFIG_FMDFILE)"),)
 build_complete::
@@ -270,8 +288,20 @@
 		--kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \
 		--flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS)
 
+ifeq ($(CONFIG_VBOOT_SAFETY_AB),y)
 files_added:: $(obj)/VBLOCK_A.bin $(obj)/VBLOCK_B.bin
 	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin
 	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_B -f $(obj)/VBLOCK_B.bin
+	@printf "    FLASHMAP Layout generated for RO, A and B partition.\n"
+endif
+ifeq ($(CONFIG_VBOOT_SAFETY_A),y)
+files_added:: $(obj)/VBLOCK_A.bin
+	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin
+	@printf "    FLASHMAP Layout generated for RO and A partition.\n"
+endif
+ifeq ($(CONFIG_VBOOT_NO_SAFETY),y)
+files_added::
+	@printf "    FLASHMAP Layout generated for RO partition only, beware no updates possible!\n"
+endif
 
 endif # CONFIG_VBOOT

-- 
To view, visit https://review.coreboot.org/23873
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: If1ac6db16647eba4ddb28b74d1e0501224c841df
Gerrit-Change-Number: 23873
Gerrit-PatchSet: 1
Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot-gerrit/attachments/20180226/37a320de/attachment-0001.html>

More information about the coreboot-gerrit mailing list