vboot: Move remaining features out of vendorcode/google/chromeos
This patch attempts to finish the separation between CONFIG_VBOOT and CONFIG_CHROMEOS by moving the remaining options and code (including image generation code for things like FWID and GBB flags, which are intrinsic to vboot itself) from src/vendorcode/google/chromeos to src/vboot. Also taking this opportunity to namespace all VBOOT Kconfig options, and clean up menuconfig visibility for them (i.e. some options were visible even though they were tied to the hardware while others were invisible even though it might make sense to change them). CQ-DEPEND=CL:459088 Change-Id: I3e2e31150ebf5a96b6fe507ebeb53a41ecf88122 Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://review.coreboot.org/18984 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This commit is contained in:
Julius Werner
@ -59,24 +59,6 @@ config CHROMEOS_RAMOOPS_RAM_SIZE
|
||||
default 0x00100000
|
||||
depends on CHROMEOS_RAMOOPS
|
||||
|
||||
config EC_SOFTWARE_SYNC
|
||||
bool "Enable EC software sync"
|
||||
default y if EC_GOOGLE_CHROMEEC
|
||||
default n
|
||||
depends on VBOOT
|
||||
help
|
||||
EC software sync is a mechanism where the AP helps the EC verify its
|
||||
firmware similar to how vboot verifies the main system firmware. This
|
||||
option selects whether depthcharge should support EC software sync.
|
||||
|
||||
config VBOOT_EC_SLOW_UPDATE
|
||||
bool "EC is slow to update"
|
||||
default n
|
||||
depends on EC_SOFTWARE_SYNC
|
||||
help
|
||||
Whether the EC (or PD) is slow to update and needs to display a
|
||||
screen that informs the user the update is happening.
|
||||
|
||||
config NO_TPM_RESUME
|
||||
bool
|
||||
default n
|
||||
@ -85,55 +67,12 @@ config NO_TPM_RESUME
|
||||
boards, booting Windows will break if the TPM resume command
|
||||
is sent during an S3 resume.
|
||||
|
||||
config PHYSICAL_DEV_SWITCH
|
||||
bool
|
||||
default n
|
||||
help
|
||||
Whether this platform has a physical developer switch. Note that this
|
||||
disables virtual dev switch functionality (through secdata). Operation
|
||||
where both a physical pin and the virtual switch get sampled is not
|
||||
supported by coreboot.
|
||||
|
||||
config PHYSICAL_REC_SWITCH
|
||||
bool
|
||||
default n
|
||||
help
|
||||
Whether this platform has a physical recovery switch
|
||||
|
||||
config LID_SWITCH
|
||||
bool "Lid switch is present"
|
||||
default n
|
||||
help
|
||||
Whether this platform has a lid switch
|
||||
|
||||
config WIPEOUT_SUPPORTED
|
||||
bool "User is able to request factory reset"
|
||||
default n
|
||||
help
|
||||
When this option is enabled, the firmware provides the ability to
|
||||
signal the application the need for factory reset (a.k.a. wipe
|
||||
out) of the device
|
||||
|
||||
config HAVE_REGULATORY_DOMAIN
|
||||
bool "Add regulatory domain methods"
|
||||
default n
|
||||
help
|
||||
This option is needed to add ACPI regulatory domain methods
|
||||
|
||||
config CHROMEOS_FWID_MODEL
|
||||
string "Chrome OS Firmware ID model"
|
||||
default "$(CONFIG_MAINBOARD_VENDOR)_$(CONFIG_MAINBOARD_PART_NUMBER)"
|
||||
help
|
||||
This is the first part of the FWID written to various regions of a
|
||||
Chrome OS firmware image to identify its version.
|
||||
|
||||
config CHROMEOS_FWID_VERSION
|
||||
string "Chrome OS Firmware ID version"
|
||||
default "$(KERNELVERSION)"
|
||||
help
|
||||
This is the second part of the FWID written to various regions of a
|
||||
Chrome OS firmware image to identify its version.
|
||||
|
||||
config CHROMEOS_DISABLE_PLATFORM_HIERARCHY_ON_RESUME
|
||||
bool
|
||||
default y
|
||||
@ -148,108 +87,5 @@ config CHROMEOS_DISABLE_PLATFORM_HIERARCHY_ON_RESUME
|
||||
on normal boot as well as resume and coreboot is only involved
|
||||
in the resume piece w.r.t. the platform hierarchy.
|
||||
|
||||
menu "GBB configuration"
|
||||
|
||||
config GBB_HWID
|
||||
string "Hardware ID"
|
||||
default "NOCONF HWID"
|
||||
|
||||
config GBB_BMPFV_FILE
|
||||
string "Path to bmpfv image"
|
||||
default ""
|
||||
|
||||
config GBB_FLAG_DEV_SCREEN_SHORT_DELAY
|
||||
bool "Reduce dev screen delay"
|
||||
default n
|
||||
|
||||
config GBB_FLAG_LOAD_OPTION_ROMS
|
||||
bool "Load option ROMs"
|
||||
default n
|
||||
|
||||
config GBB_FLAG_ENABLE_ALTERNATE_OS
|
||||
bool "Allow booting a non-Chrome OS kernel if dev switch is on"
|
||||
default n
|
||||
|
||||
config GBB_FLAG_FORCE_DEV_SWITCH_ON
|
||||
bool "Force dev switch on"
|
||||
default n
|
||||
|
||||
config GBB_FLAG_FORCE_DEV_BOOT_USB
|
||||
bool "Allow booting from USB in dev mode even if dev_boot_usb=0"
|
||||
default y
|
||||
|
||||
config GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK
|
||||
bool "Disable firmware rollback protection"
|
||||
default y
|
||||
|
||||
config GBB_FLAG_ENTER_TRIGGERS_TONORM
|
||||
bool "Return to normal boot with Enter"
|
||||
default n
|
||||
|
||||
config GBB_FLAG_FORCE_DEV_BOOT_LEGACY
|
||||
bool "Allow booting to legacy in dev mode even if dev_boot_legacy=0"
|
||||
default n
|
||||
|
||||
config GBB_FLAG_FAFT_KEY_OVERIDE
|
||||
bool "Allow booting using alternative keys for FAFT servo testing"
|
||||
default n
|
||||
|
||||
config GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC
|
||||
bool "Disable EC software sync"
|
||||
default n
|
||||
|
||||
config GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY
|
||||
bool "Default to booting to legacy in dev mode"
|
||||
default n
|
||||
|
||||
config GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC
|
||||
bool "Disable PD software sync"
|
||||
default n
|
||||
|
||||
config GBB_FLAG_DISABLE_LID_SHUTDOWN
|
||||
bool "Disable shutdown on closed lid"
|
||||
default n
|
||||
|
||||
config GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP
|
||||
bool "Allow fastboot even if dev_boot_fastboot_full_cap=0"
|
||||
default n
|
||||
|
||||
config GBB_FLAG_ENABLE_SERIAL
|
||||
bool "Tell vboot to enable serial console"
|
||||
default n
|
||||
|
||||
endmenu # GBB
|
||||
|
||||
menu "Vboot Keys"
|
||||
config VBOOT_ROOT_KEY
|
||||
string "Root key (public)"
|
||||
default "$(VBOOT_SOURCE)/tests/devkeys/root_key.vbpubk"
|
||||
|
||||
config VBOOT_RECOVERY_KEY
|
||||
string "Recovery key (public)"
|
||||
default "$(VBOOT_SOURCE)/tests/devkeys/recovery_key.vbpubk"
|
||||
|
||||
config VBOOT_FIRMWARE_PRIVKEY
|
||||
string "Firmware key (private)"
|
||||
default "$(VBOOT_SOURCE)/tests/devkeys/firmware_data_key.vbprivk"
|
||||
|
||||
config VBOOT_KERNEL_KEY
|
||||
string "Kernel subkey (public)"
|
||||
default "$(VBOOT_SOURCE)/tests/devkeys/kernel_subkey.vbpubk"
|
||||
|
||||
config VBOOT_KEYBLOCK
|
||||
string "Keyblock to use for the RW regions"
|
||||
default "$(VBOOT_SOURCE)/tests/devkeys/firmware.keyblock"
|
||||
|
||||
config VBOOT_KEYBLOCK_VERSION
|
||||
int "Keyblock version number"
|
||||
default 1
|
||||
|
||||
config VBOOT_KEYBLOCK_PREAMBLE_FLAGS
|
||||
hex "Keyblock preamble flags"
|
||||
default 0x0
|
||||
|
||||
endmenu # Keys
|
||||
|
||||
endif # CHROMEOS
|
||||
endmenu
|
||||
|
||||
@ -13,11 +13,6 @@
|
||||
## GNU General Public License for more details.
|
||||
##
|
||||
|
||||
bootblock-y += chromeos.c
|
||||
verstage-y += chromeos.c
|
||||
romstage-y += chromeos.c
|
||||
ramstage-y += chromeos.c
|
||||
|
||||
ramstage-$(CONFIG_ELOG) += elog.c
|
||||
ramstage-$(CONFIG_HAVE_ACPI_TABLES) += gnvs.c
|
||||
ramstage-$(CONFIG_HAVE_ACPI_TABLES) += acpi.c
|
||||
@ -31,114 +26,3 @@ ifeq ($(CONFIG_ARCH_MIPS),)
|
||||
bootblock-y += watchdog.c
|
||||
ramstage-y += watchdog.c
|
||||
endif
|
||||
|
||||
CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID))
|
||||
CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE))
|
||||
CONFIG_VBOOT_KEYBLOCK := $(call strip_quotes,$(CONFIG_VBOOT_KEYBLOCK))
|
||||
CONFIG_VBOOT_FIRMWARE_PRIVKEY := $(call strip_quotes,$(CONFIG_VBOOT_FIRMWARE_PRIVKEY))
|
||||
CONFIG_VBOOT_KERNEL_KEY := $(call strip_quotes,$(CONFIG_VBOOT_KERNEL_KEY))
|
||||
CONFIG_CHROMEOS_FWID_MODEL := $(call strip_quotes,$(CONFIG_CHROMEOS_FWID_MODEL))
|
||||
CONFIG_CHROMEOS_FWID_VERSION := $(call strip_quotes,$(CONFIG_CHROMEOS_FWID_VERSION))
|
||||
|
||||
# bool-to-mask(var, value)
|
||||
# return "value" if var is "y", 0 otherwise
|
||||
bool-to-mask = $(if $(filter y,$(1)),$(2),0)
|
||||
|
||||
GBB_FLAGS := $(call int-add, \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_DEV_SCREEN_SHORT_DELAY),0x1) \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_LOAD_OPTION_ROMS),0x2) \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_ENABLE_ALTERNATE_OS),0x4) \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_SWITCH_ON),0x8) \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_USB),0x10) \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK),0x20) \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_ENTER_TRIGGERS_TONORM),0x40) \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_LEGACY),0x80) \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_FAFT_KEY_OVERIDE),0x100) \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC),0x200) \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY),0x400) \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC),0x800) \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_LID_SHUTDOWN),0x1000) \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP),0x2000) \
|
||||
$(call bool-to-mask,$(CONFIG_GBB_FLAG_ENABLE_SERIAL),0x4000) \
|
||||
)
|
||||
|
||||
ifneq ($(CONFIG_GBB_BMPFV_FILE),)
|
||||
$(obj)/gbb.sizetmp: $(obj)/coreboot.rom
|
||||
$(CBFSTOOL) $< read -r GBB -f $@
|
||||
|
||||
$(obj)/gbb.stub: $(obj)/coreboot.rom $(FUTILITY) $(obj)/gbb.sizetmp
|
||||
@printf " CREATE GBB (with BMPFV)\n"
|
||||
$(FUTILITY) gbb_utility -c 0x100,0x1000,$(call int-subtract,$(call file-size,$(obj)/gbb.sizetmp) 0x2180),0x1000 $@.tmp
|
||||
mv $@.tmp $@
|
||||
else
|
||||
$(obj)/gbb.stub: $(obj)/coreboot.rom $(FUTILITY)
|
||||
@printf " CREATE GBB (without BMPFV)\n"
|
||||
$(FUTILITY) gbb_utility -c 0x100,0x1000,0,0x1000 $@.tmp
|
||||
mv $@.tmp $@
|
||||
endif
|
||||
|
||||
$(obj)/gbb.region: $(obj)/gbb.stub
|
||||
@printf " SETUP GBB\n"
|
||||
cp $< $@.tmp
|
||||
$(FUTILITY) gbb_utility -s \
|
||||
--hwid="$(CONFIG_GBB_HWID)" \
|
||||
--rootkey="$(CONFIG_VBOOT_ROOT_KEY)" \
|
||||
--recoverykey="$(CONFIG_VBOOT_RECOVERY_KEY)" \
|
||||
--flags=$(GBB_FLAGS) \
|
||||
$@.tmp
|
||||
ifneq ($(CONFIG_GBB_BMPFV_FILE),)
|
||||
$(FUTILITY) gbb_utility -s \
|
||||
--bmpfv="$(CONFIG_GBB_BMPFV_FILE)" \
|
||||
$@.tmp
|
||||
endif
|
||||
mv $@.tmp $@
|
||||
|
||||
$(obj)/fwid.region:
|
||||
printf "$(CONFIG_CHROMEOS_FWID_MODEL)$(CONFIG_CHROMEOS_FWID_VERSION)\0" > $@
|
||||
|
||||
build_complete:: $(obj)/gbb.region $(obj)/fwid.region
|
||||
@printf " WRITE GBB\n"
|
||||
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -i 0 -f $(obj)/gbb.region
|
||||
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RO_FRID -i 0 -f $(obj)/fwid.region
|
||||
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region
|
||||
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_B -i 0 -f $(obj)/fwid.region
|
||||
|
||||
ifneq ($(shell grep "SHARED_DATA" "$(CONFIG_FMDFILE)"),)
|
||||
build_complete::
|
||||
printf "\0" > $(obj)/shared_data.region
|
||||
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r SHARED_DATA -i 0 -f $(obj)/shared_data.region
|
||||
endif
|
||||
|
||||
# Extract FW_MAIN_? region and minimize it if the last file is empty, so it
|
||||
# doesn't contain this empty file (that can have a significant size),
|
||||
# improving a lot on hash times due to a smaller amount of data loaded from
|
||||
# firmware storage.
|
||||
# When passing the minimized image to vbutil_firmware, its length is recorded
|
||||
# in the keyblock, and coreboot's vboot code clips the region_device to match,
|
||||
# which prevents any potential extension attacks.
|
||||
$(obj)/FW_MAIN_%.bin: $(obj)/coreboot.rom
|
||||
$(CBFSTOOL) $< read -r $(basename $(notdir $@)) -f $@.tmp
|
||||
$(CBFSTOOL) $(obj)/coreboot.rom print -k -r $(basename $(notdir $@)) | \
|
||||
tail -1 | \
|
||||
sed "s,^(empty)[[:space:]]\(0x[0-9a-f]*\)\tnull\t.*$$,\1," \
|
||||
> $@.tmp.size
|
||||
if [ -n "$$(cat $@.tmp.size)" ] && [ $$( printf "%d" $$(cat $@.tmp.size)) -gt 0 ]; then \
|
||||
head -c $$( printf "%d" $$(cat $@.tmp.size)) $@.tmp > $@.tmp2 && \
|
||||
mv $@.tmp2 $@; \
|
||||
else \
|
||||
mv $@.tmp $@; \
|
||||
fi
|
||||
|
||||
$(obj)/VBLOCK_%.bin: $(obj)/FW_MAIN_%.bin $(FUTILITY)
|
||||
$(FUTILITY) vbutil_firmware \
|
||||
--vblock $@ \
|
||||
--keyblock "$(CONFIG_VBOOT_KEYBLOCK)" \
|
||||
--signprivate "$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)" \
|
||||
--version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \
|
||||
--fv $< \
|
||||
--kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \
|
||||
--flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS)
|
||||
|
||||
files_added:: $(obj)/VBLOCK_A.bin $(obj)/VBLOCK_B.bin
|
||||
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin
|
||||
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_B -f $(obj)/VBLOCK_B.bin
|
||||
|
||||
@ -1,35 +0,0 @@
|
||||
/*
|
||||
* This file is part of the coreboot project.
|
||||
*
|
||||
* Copyright (C) 2011 The ChromiumOS Authors. All rights reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; version 2 of the License.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*/
|
||||
|
||||
#include <stddef.h>
|
||||
#include <string.h>
|
||||
#include "chromeos.h"
|
||||
|
||||
int __attribute__((weak)) clear_recovery_mode_switch(void)
|
||||
{
|
||||
// Weak implementation. Nothing to do.
|
||||
return 0;
|
||||
}
|
||||
|
||||
int __attribute__((weak)) get_sw_write_protect_state(void)
|
||||
{
|
||||
// Can be implemented by a platform / mainboard
|
||||
return 0;
|
||||
}
|
||||
|
||||
void __attribute__((weak)) log_recovery_mode_switch(void)
|
||||
{
|
||||
// Weak implementation. Nothing to do.
|
||||
}
|
||||
Reference in New Issue
Block a user