security/vboot: Add support for GSCVD (Google "RO verification")

This patch adds a new CONFIG_VBOOT_GSCVD option that will be enabled by default for TPM_GOOGLE_TI50 devices. It makes the build system run the `futility gscvd` command to create a GSCVD (GSC verification data) which signs the CBFS trust anchor (bootblock and GBB). In order for this to work, boards will need to have an RO_GSCVD section in their FMAP, and production boards should override the CONFIG_VBOOT_GSC_BOARD_ID option with the correct ID for each variant. BUG=b:229015103 Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: I1cf86e90b2687e81edadcefa5a8826b02fbc8b24 Reviewed-on: https://review.coreboot.org/c/coreboot/+/64707 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Yu-Ping Wu <yupingso@google.com>
2022-05-19 14:37:21 -07:00
parent 600856dec2
commit 5eda52a599
5 changed files with 113 additions and 9 deletions
--- a/src/mainboard/google/skyrim/Kconfig
+++ b/src/mainboard/google/skyrim/Kconfig
@@ -78,6 +78,11 @@ config VBOOT
 	select VBOOT_SEPARATE_VERSTAGE
 	select VBOOT_STARTS_IN_BOOTBLOCK

+# TODO: Remove once CBFS verification on AMD has been fixed.
+config VBOOT_GSCVD
+	bool
+	default n
+
 if !EM100	# EM100 defaults in soc/amd/common/blocks/spi/Kconfig
 config EFS_SPI_READ_MODE
 	default 2          # Dual IO (1-1-2)