security/vboot: Add a dedicated flag for building of vboot library

As discussed in CB:35077, since both measured boot and verified boot depends on vboot library, it had better to introduce a dedicated flag CONFIG_VBOOT_LIB to control the building and linking of the vboot library, and make other flags needing vboot library select it. Only the actual verification stuff should be conditional on CONFIG_VBOOT. Change-Id: Ia1907a11c851ee45a70582e02bdbe08fb18cc6a4 Signed-off-by: Bill XIE <persmule@hardenedlinux.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/37787 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Joel Kitching <kitching@google.com>
2019-12-17 15:56:43 +08:00
parent e9b1e0fe88
commit cdf6f3a4ba
2 changed files with 46 additions and 33 deletions
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -15,9 +15,18 @@

 menu "Verified Boot (vboot)"

+config VBOOT_LIB
+	bool
+	depends on !VENDORCODE_ELTAN_VBOOT && !VENDORCODE_ELTAN_MBOOT
+	help
+	  Build and link the vboot library. Makes the vboot API accessible across
+	  all coreboot stages, without enabling vboot verification. For verification,
+	  please see the VBOOT option below.
+
 config VBOOT
 	bool "Verify firmware with vboot."
 	default n
+	select VBOOT_LIB
 	select VBOOT_MOCK_SECDATA if !TPM1 && !TPM2
 	depends on !MISSING_BOARD_RESET
 	help