vboot: Add VBOOT_CBFS_INTEGRATION support

This patch introduces support signing and verification of firmware slots using CBFS metadata hash verification method for faster initial verification. To have complete verification, CBFS_VERIFICATION should also be enabled, as metadata hash covers only files metadata, not their contents. This patch also adapts mainboards and SoCs to new vboot reset requirements. TEST=Google Volteer/Voxel boots with VBOOT_CBFS_INTEGRATION enabled Signed-off-by: Jakub Czapiga <jacz@semihalf.com> Change-Id: I40ae01c477c4e4f7a1c90e4026a8a868ae64b5ca Reviewed-on: https://review.coreboot.org/c/coreboot/+/66909 Reviewed-by: Yu-Ping Wu <yupingso@google.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2022-08-19 12:25:27 +02:00
parent fe17a7d4d4
commit 967a76bd81
13 changed files with 102 additions and 33 deletions
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -35,6 +35,20 @@ config VBOOT_SLOTS_RW_AB
 	help
 	  Have two update partitions beside the RO partition.

+config VBOOT_CBFS_INTEGRATION
+	bool "Enable vboot and CBFS integration"
+	default n
+	depends on VBOOT_SLOTS_RW_A
+	depends on CBFS_VERIFICATION
+	help
+	  Say yes here to enable cryptographic verification of RW slots CBFS
+	  metadata. This will replace body hash verification.
+
+	  This option enables integration of vboot and CBFS. Verification of RW
+	  slots is performed by calculation of their CBFS metadata hash.
+	  It also requires CBFS_VERIFICATION to be enabled, so that CBFS files
+	  contents are correctly verified.
+
 config VBOOT_VBNV_CMOS
 	bool
 	default n