coreboot on skylake originally did ship with romcc bootblock and
verstage running after it. However, that configuration makes boot
flows very complicated. No platform in the current code base uses
this combination. Make VBOOT_STARTS_IN_BOOTBLOCK depend on
C_ENVIRONMENT_BOOTBLOCK.
BUG=b:78656686
Change-Id: Ia9446f209521f71c91b83d579b9e2d89744292bc
Signed-off-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-on: https://review.coreboot.org/25984
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Subrata Banik <subrata.banik@intel.com>
Reviewed-by: Justin TerAvest <teravest@chromium.org>
Reviewed-by: Hannah Williams <hannah.williams@intel.com>
Add a function that will check the various requirements to
enable USB Device Controller (UDC):
- developer mode enabled
- GBB flag set or VBNV flag set
If VBOOT is not enabled, then default is to allow UDC enabling.
BUG=b:78577893
BRANCH=poppy
Change-Id: Id146ac1065f209865372aeb423f66ae734702954
Signed-off-by: Duncan Laurie <dlaurie@google.com>
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://review.coreboot.org/25847
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
In TPM 2.0 case, if the factory initialization is interrupted after
defining, say, the kernel tpm nvram space but before writing to this
space, the following will happen upon reboot when the factory
initialization will be re-attempted. Writing to this space will be
skipped, and coreboot will finish the factory initialization with
this space remained unwritten. At a later stage, when the rollback
logic will attempt to check the version in the kernel space, it will
fail (TPM2.0 returns an error when reading from unwritten spaces),
and the system will go into recovery with no way out (since the
kernel space will never be written).
This change fixes that by always writing to the kernel, MRC hash and
firmware spaces during factory initialization, even if the space
already existed by that time.
BUG=b:71884828
TEST=delete, define, but not write to the kernel space; trigger
factory initialization; coreboot should fill the kernel
space and continue booting.
Change-Id: I48d8bb4f9fc0e5276e6ec81247b3b6768ec9fa3b
Signed-off-by: Andrey Pronin <apronin@google.com>
Reviewed-on: https://review.coreboot.org/23456
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
* Move code from src/lib and src/include into src/security/tpm
* Split TPM TSS 1.2 and 2.0
* Fix header includes
* Add a new directory structure with kconfig and makefile includes
Change-Id: Id15a9aa6bd367560318dfcfd450bf5626ea0ec2b
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/22103
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
In order to make VBOOT2 independent from the CHROMEOS
kconfig option a weak method for get_write_protect_state
and get_recovery_mode_switch() is required.
Introduce a kconfig option for controlling this
behaviour.
This is a temporary fix and will be removed afterwards.
Change-Id: I3b1555bd93e1605e04d5c3ea6a752eb1459e426e
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/22102
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Martin Roth <martinroth@google.com>
This commit just moves the vboot sources into
the security directory and fixes kconfig/makefile paths.
Fix vboot2 headers
Change-Id: Icd87f95640186f7a625242a3937e1dd13347eb60
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/22074
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Martin Roth <martinroth@google.com>
