[coreboot-gerrit] Change in coreboot[master]: security/vboot: Add selection for firmware slots used by VBOOT

Philipp Deppenwiese (Code Review) gerrit at coreboot.org
Thu Nov 8 17:19:40 CET 2018


Philipp Deppenwiese has submitted this change and it was merged. ( https://review.coreboot.org/27714 )

Change subject: security/vboot: Add selection for firmware slots used by VBOOT
......................................................................

security/vboot: Add selection for firmware slots used by VBOOT

Make the firmware slot configuration in VBOOT selectable. The following
three modes are available:
  -RO only
  -RO + RW_A
  -RO + RW_A + RW_B

The mode "RO only" is the lowest mode with no safety during update.
You can select either RW_A or RW_AB via Kconfig which will add the
selected partitions to the final image.

Change-Id: I278fc060522b13048b00090b8e5261c14496f56e
Signed-off-by: Philipp Deppenwiese <zaolin at das-labor.org>
Signed-off-by: Werner Zeh <werner.zeh at siemens.com>
Reviewed-on: https://review.coreboot.org/27714
Tested-by: build bot (Jenkins) <no-reply at coreboot.org>
Reviewed-by: Aaron Durbin <adurbin at chromium.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
---
M src/security/vboot/Kconfig
M src/security/vboot/Makefile.inc
M src/vendorcode/google/chromeos/Kconfig
3 files changed, 42 insertions(+), 1 deletion(-)

Approvals:
  build bot (Jenkins): Verified
  Aaron Durbin: Looks good to me, approved
  Philipp Deppenwiese: Looks good to me, approved



diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index 77483d1..a3e9b86 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -1,6 +1,7 @@
 ## This file is part of the coreboot project.
 ##
 ## Copyright (C) 2014 The ChromiumOS Authors.  All rights reserved.
+## Copyright (C) 2018 Siemens AG
 ##
 ## This program is free software; you can redistribute it and/or modify
 ## it under the terms of the GNU General Public License as published by
@@ -25,6 +26,18 @@
 
 if VBOOT
 
+config VBOOT_SLOTS_RW_A
+	bool "Firmware RO + RW_A"
+	help
+	  Have one update partition beside the RO partition.
+
+config VBOOT_SLOTS_RW_AB
+	bool "Firmware RO + RW_A + RW_B"
+	select VBOOT_SLOTS_RW_A
+	help
+	  Have two update partitions beside the RO partition.
+
+
 config VBOOT_VBNV_CMOS
 	bool
 	default n
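Review bot: Neither `VBOOT_SLOTS_RW_A` nor `VBOOT_SLOTS_RW_AB` has a `default`, so both stay off unless something selects them, and in this change only the ChromeOS Kconfig selects `VBOOT_SLOTS_RW_AB`. Going by the Makefile.inc hunks, FW_MAIN_A/FW_MAIN_B and both VBLOCK writes were unconditional before, so an existing VBOOT configuration without CHROMEOS would appear to drop to RO only on its next build, with just a build-log line to say so. If that is not intended, `default y` on `VBOOT_SLOTS_RW_AB` would keep the previous layout. Either way the help text should spell out the third state, e.g. `If neither option is set the image contains only the RO firmware and a failed update has no slot to fall back to.` The `if VBOOT` block continues outside the hunk.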
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index f51db80..da5d5b1 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -2,6 +2,7 @@
 ## This file is part of the coreboot project.
 ##
 ## Copyright (C) 2014 The ChromiumOS Authors.  All rights reserved.
+## Copyright (C) 2018 Siemens AG
 ##
 ## This program is free software; you can redistribute it and/or modify
 ## it under the terms of the GNU General Public License as published by
@@ -144,6 +145,17 @@
 endif
 endif # CONFIG_VBOOT_SEPARATE_VERSTAGE
 
+#RO-Partition is always there!
+VBOOT_PARTITIONS := COREBOOT
+# Check for RW_A partition
+ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y)
+VBOOT_PARTITIONS += FW_MAIN_A
+endif
+# Check for RW_B partition
+ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y)
+VBOOT_PARTITIONS += FW_MAIN_B
+endif
+
 # Define a list of files that need to be in RO only.
 # All other files will be installed into RO and RW regions
 # Use $(sort) to cut down on extra spaces that would be translated to commas
@@ -161,7 +173,7 @@
 		cmos_layout.bin \
 		cmos.default \
 		$(call strip_quotes,$(CONFIG_RO_REGION_ONLY)) \
-		,$(1)),COREBOOT,COREBOOT FW_MAIN_A FW_MAIN_B)))
+		,$(1)),COREBOOT,$(VBOOT_PARTITIONS))))
 
 CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID))
 CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE))
@@ -237,8 +249,12 @@
 	@printf "    WRITE GBB\n"
 	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -i 0 -f $(obj)/gbb.region
 	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RO_FRID -i 0 -f $(obj)/fwid.region
+ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y)
 	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region
+endif
+ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y)
 	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_B -i 0 -f $(obj)/fwid.region
+endif
 
 ifneq ($(shell grep "SHARED_DATA" "$(CONFIG_FMDFILE)"),)
 build_complete::
@@ -270,8 +286,19 @@
 		--kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \
 		--flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS)
 
+ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y)
 files_added:: $(obj)/VBLOCK_A.bin $(obj)/VBLOCK_B.bin
 	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin
 	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_B -f $(obj)/VBLOCK_B.bin
+	@printf "    FLASHMAP Layout generated for RO, A and B partition.\n"
+else ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y)
+files_added:: $(obj)/VBLOCK_A.bin
+	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin
+	@printf "    FLASHMAP Layout generated for RO and A partition.\n"
+else
+files_added::
+	@printf "    FLASHMAP Layout generated for RO partition only.\n"
+	@printf "             Beware that there is no failure safety in case of update now!\n"
+endif
 
 endif # CONFIG_VBOOT
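Review bot: The `ifeq`/`else ifeq` chain depends on `VBOOT_SLOTS_RW_AB` selecting `VBOOT_SLOTS_RW_A` in Kconfig, which is why the AB case has to be tested first, and nothing in the file says so. A comment such as `# RW_AB selects RW_A, so test the two-slot layout first` above the first `ifeq` would keep a later reordering from silently writing only VBLOCK_A. The three status lines also say "FLASHMAP Layout generated", but these recipes only write the VBLOCK regions into coreboot.rom and the RO-only branch writes nothing, so wording like `VBOOT slots: RO only, no VBLOCK written` would describe the step more accurately. The rules that build VBLOCK_A.bin and VBLOCK_B.bin start above the hunk.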
diff --git a/src/vendorcode/google/chromeos/Kconfig b/src/vendorcode/google/chromeos/Kconfig
index 1dd726f..26ee31e 100644
--- a/src/vendorcode/google/chromeos/Kconfig
+++ b/src/vendorcode/google/chromeos/Kconfig
@@ -25,6 +25,7 @@
 	select COLLECT_TIMESTAMPS
 	select VBOOT
 	select VPD
+	select VBOOT_SLOTS_RW_AB
 	help
 	  Enable ChromeOS specific features like the GPIO sub table in
 	  the coreboot table. NOTE: Enabling this option on an unsupported

-- 
To view, visit https://review.coreboot.org/27714

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I278fc060522b13048b00090b8e5261c14496f56e
Gerrit-Change-Number: 27714
Gerrit-PatchSet: 9
Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
Gerrit-Reviewer: Aaron Durbin <adurbin at chromium.org>
Gerrit-Reviewer: Julius Werner <jwerner at chromium.org>
Gerrit-Reviewer: Patrick Rudolph <siro at das-labor.org>
Gerrit-Reviewer: Paul Menzel <paulepanter at users.sourceforge.net>
Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
Gerrit-Reviewer: Werner Zeh <werner.zeh at siemens.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply at coreboot.org>
Gerrit-CC: Patrick Rudolph <patrick.rudolph at 9elements.com>