vboot: Add VBOOT_CBFS_INTEGRATION support

This patch introduces support signing and verification of firmware slots using CBFS metadata hash verification method for faster initial verification. To have complete verification, CBFS_VERIFICATION should also be enabled, as metadata hash covers only files metadata, not their contents. This patch also adapts mainboards and SoCs to new vboot reset requirements. TEST=Google Volteer/Voxel boots with VBOOT_CBFS_INTEGRATION enabled Signed-off-by: Jakub Czapiga <jacz@semihalf.com> Change-Id: I40ae01c477c4e4f7a1c90e4026a8a868ae64b5ca Reviewed-on: https://review.coreboot.org/c/coreboot/+/66909 Reviewed-by: Yu-Ping Wu <yupingso@google.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2022-08-19 12:25:27 +02:00
parent fe17a7d4d4
commit 967a76bd81
13 changed files with 102 additions and 33 deletions
--- a/src/include/cbfs_glue.h
+++ b/src/include/cbfs_glue.h
@@ -13,11 +13,17 @@
 * safety, we only need to verify the metadata hash in the initial stage and can assume it stays
 * valid in later stages. If TOCTOU safety is required, we may need them in every stage to
 * reverify metadata that had to be reloaded from flash (e.g. because it didn't fit the mcache).
+ * Moreover, if VBOOT_CBFS_INTEGRATION and verification are both enabled, then hashing functions
+ * are required during verification stage.
 * Note that this only concerns metadata hashing -- file access functions may still link hashing
 * routines independently for file data hashing.
 */
 #define CBFS_ENABLE_HASHING (CONFIG(CBFS_VERIFICATION) && \
-			     (CONFIG(TOCTOU_SAFETY) || ENV_INITIAL_STAGE))
+			     (CONFIG(TOCTOU_SAFETY) || ENV_INITIAL_STAGE || \
+			      (CONFIG(VBOOT_CBFS_INTEGRATION) && \
+				(verification_should_run() || \
+				 (verstage_should_load() && \
+				  CONFIG(VBOOT_RETURN_FROM_VERSTAGE))))))
 #define CBFS_HASH_HWCRYPTO vboot_hwcrypto_allowed()

 #define ERROR(...) printk(BIOS_ERR, "CBFS ERROR: " __VA_ARGS__)