author | Julius Werner <jwerner@chromium.org> | 2017-02-13 17:53:29 -0800 |
---|---|---|
committer | Julius Werner <jwerner@chromium.org> | 2017-03-28 22:18:13 +0200 |
commit | 58c3938705af5dd96456216a17d579868e0f5b77 (patch) | |
tree | b1531c163a2679c76395090717e835a851e027ae /src/vboot/Makefile.inc | |
parent | 73d042bd90bc8877f9bfd8b846578fe3e12444c3 (diff) | |
download | coreboot-58c3938705af5dd96456216a17d579868e0f5b77.tar.xz |
vboot: Move remaining features out of vendorcode/google/chromeos
This patch attempts to finish the separation between CONFIG_VBOOT and
CONFIG_CHROMEOS by moving the remaining options and code (including
image generation code for things like FWID and GBB flags, which are
intrinsic to vboot itself) from src/vendorcode/google/chromeos to
src/vboot. Also taking this opportunity to namespace all VBOOT Kconfig
options, and clean up menuconfig visibility for them (i.e. some options
were visible even though they were tied to the hardware while others
were invisible even though it might make sense to change them).
CQ-DEPEND=CL:459088
Change-Id: I3e2e31150ebf5a96b6fe507ebeb53a41ecf88122
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/18984
Tested-by: build bot (Jenkins)
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Diffstat (limited to 'src/vboot/Makefile.inc')
-rw-r--r-- | src/vboot/Makefile.inc | 125 |
1 files changed, 118 insertions, 7 deletions
diff --git a/src/vboot/Makefile.inc b/src/vboot/Makefile.inc index a09811b52c..56a3bacb72 100644 --- a/src/vboot/Makefile.inc +++ b/src/vboot/Makefile.inc @@ -67,17 +67,17 @@ verstage-y += common.c verstage-y += verstage.c ifeq (${CONFIG_VBOOT_MOCK_SECDATA},y) libverstage-y += secdata_mock.c -romstage-$(CONFIG_SEPARATE_VERSTAGE) += secdata_mock.c +romstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += secdata_mock.c else libverstage-y += secdata_tpm.c -romstage-$(CONFIG_SEPARATE_VERSTAGE) += secdata_tpm.c +romstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += secdata_tpm.c endif romstage-y += vboot_handoff.c common.c ramstage-y += common.c postcar-y += common.c -ifeq ($(CONFIG_SEPARATE_VERSTAGE),y) +ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y) VB_FIRMWARE_ARCH := $(ARCHDIR-$(ARCH-verstage-y)) else ifeq ($(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK),y) @@ -85,7 +85,7 @@ VB_FIRMWARE_ARCH := $(ARCHDIR-$(ARCH-bootblock-y)) else VB_FIRMWARE_ARCH := $(ARCHDIR-$(ARCH-romstage-y)) endif -endif # CONFIG_SEPARATE_VERSTAGE +endif # CONFIG_VBOOT_SEPARATE_VERSTAGE VB2_LIB = $(obj)/external/vboot_reference/vboot_fw20.a VBOOT_CFLAGS += $(patsubst -I%,-I$(top)/%, $(filter-out -I$(obj), $(filter-out -include $(src)/include/kconfig.h, $(CPPFLAGS_libverstage)))) @@ -106,7 +106,7 @@ $(VB2_LIB): $(obj)/config.h libverstage-srcs += $(VB2_LIB) -ifeq ($(CONFIG_SEPARATE_VERSTAGE),y) +ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y) # This works under the assumption that romstage and verstage use the same # architecture and thus CC_verstage is the same as CC_romstage. If this is not @@ -115,7 +115,7 @@ ifeq ($(CONFIG_VBOOT_HAS_REC_HASH_SPACE),y) romstage-srcs += $(VB2_LIB) endif -cbfs-files-$(CONFIG_SEPARATE_VERSTAGE) += $(CONFIG_CBFS_PREFIX)/verstage +cbfs-files-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += $(CONFIG_CBFS_PREFIX)/verstage $(CONFIG_CBFS_PREFIX)/verstage-file := $(objcbfs)/verstage.elf $(CONFIG_CBFS_PREFIX)/verstage-type := stage $(CONFIG_CBFS_PREFIX)/verstage-compression := $(CBFS_PRERAM_COMPRESS_FLAG) 
@@ -137,7 +137,7 @@ bootblock-srcs += $(objgenerated)/libverstage.a else romstage-srcs += $(objgenerated)/libverstage.a endif -endif # CONFIG_SEPARATE_VERSTAGE +endif # CONFIG_VBOOT_SEPARATE_VERSTAGE # Define a list of files that need to be in RO only. # All other files will be installed into RO and RW regions 
@@ -155,4 +155,115 @@ regions-for-file = $(subst $(spc),$(comma),$(sort \ rmu.bin \ ,$(1)),COREBOOT,COREBOOT FW_MAIN_A FW_MAIN_B))) +CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID)) +CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE)) +CONFIG_VBOOT_KEYBLOCK := $(call strip_quotes,$(CONFIG_VBOOT_KEYBLOCK)) +CONFIG_VBOOT_FIRMWARE_PRIVKEY := $(call strip_quotes,$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)) +CONFIG_VBOOT_KERNEL_KEY := $(call strip_quotes,$(CONFIG_VBOOT_KERNEL_KEY)) +CONFIG_VBOOT_FWID_MODEL := $(call strip_quotes,$(CONFIG_VBOOT_FWID_MODEL)) +CONFIG_VBOOT_FWID_VERSION := $(call strip_quotes,$(CONFIG_VBOOT_FWID_VERSION)) + +# bool-to-mask(var, value) +# return "value" if var is "y", 0 otherwise +bool-to-mask = $(if $(filter y,$(1)),$(2),0) + +GBB_FLAGS := $(call int-add, \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_DEV_SCREEN_SHORT_DELAY),0x1) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_LOAD_OPTION_ROMS),0x2) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_ENABLE_ALTERNATE_OS),0x4) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_SWITCH_ON),0x8) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_USB),0x10) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK),0x20) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_ENTER_TRIGGERS_TONORM),0x40) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_LEGACY),0x80) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_FAFT_KEY_OVERIDE),0x100) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC),0x200) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY),0x400) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC),0x800) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_LID_SHUTDOWN),0x1000) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP),0x2000) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_ENABLE_SERIAL),0x4000) \ + ) + +ifneq ($(CONFIG_GBB_BMPFV_FILE),) +$(obj)/gbb.sizetmp: $(obj)/coreboot.rom + $(CBFSTOOL) $< read -r GBB -f $@ + 
+$(obj)/gbb.stub: $(obj)/coreboot.rom $(FUTILITY) $(obj)/gbb.sizetmp + @printf " CREATE GBB (with BMPFV)\n" + $(FUTILITY) gbb_utility -c 0x100,0x1000,$(call int-subtract,$(call file-size,$(obj)/gbb.sizetmp) 0x2180),0x1000 $@.tmp + mv $@.tmp $@ +else +$(obj)/gbb.stub: $(obj)/coreboot.rom $(FUTILITY) + @printf " CREATE GBB (without BMPFV)\n" + $(FUTILITY) gbb_utility -c 0x100,0x1000,0,0x1000 $@.tmp + mv $@.tmp $@ +endif + +$(obj)/gbb.region: $(obj)/gbb.stub + @printf " SETUP GBB\n" + cp $< $@.tmp + $(FUTILITY) gbb_utility -s \ + --hwid="$(CONFIG_GBB_HWID)" \ + --rootkey="$(CONFIG_VBOOT_ROOT_KEY)" \ + --recoverykey="$(CONFIG_VBOOT_RECOVERY_KEY)" \ + --flags=$(GBB_FLAGS) \ + $@.tmp +ifneq ($(CONFIG_GBB_BMPFV_FILE),) + $(FUTILITY) gbb_utility -s \ + --bmpfv="$(CONFIG_GBB_BMPFV_FILE)" \ + $@.tmp +endif + mv $@.tmp $@ + +$(obj)/fwid.region: + printf "$(CONFIG_VBOOT_FWID_MODEL)$(CONFIG_VBOOT_FWID_VERSION)\0" > $@ + +build_complete:: $(obj)/gbb.region $(obj)/fwid.region + @printf " WRITE GBB\n" + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -i 0 -f $(obj)/gbb.region + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RO_FRID -i 0 -f $(obj)/fwid.region + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_B -i 0 -f $(obj)/fwid.region + +ifneq ($(shell grep "SHARED_DATA" "$(CONFIG_FMDFILE)"),) +build_complete:: + printf "\0" > $(obj)/shared_data.region + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r SHARED_DATA -i 0 -f $(obj)/shared_data.region +endif + +# Extract FW_MAIN_? region and minimize it if the last file is empty, so it +# doesn't contain this empty file (that can have a significant size), +# improving a lot on hash times due to a smaller amount of data loaded from +# firmware storage. 
+# When passing the minimized image to vbutil_firmware, its length is recorded +# in the keyblock, and coreboot's vboot code clips the region_device to match, +# which prevents any potential extension attacks. +$(obj)/FW_MAIN_%.bin: $(obj)/coreboot.rom + $(CBFSTOOL) $< read -r $(basename $(notdir $@)) -f $@.tmp + $(CBFSTOOL) $(obj)/coreboot.rom print -k -r $(basename $(notdir $@)) | \ + tail -1 | \ + sed "s,^(empty)[[:space:]]\(0x[0-9a-f]*\)\tnull\t.*$$,\1," \ + > $@.tmp.size + if [ -n "$$(cat $@.tmp.size)" ] && [ $$( printf "%d" $$(cat $@.tmp.size)) -gt 0 ]; then \ + head -c $$( printf "%d" $$(cat $@.tmp.size)) $@.tmp > $@.tmp2 && \ + mv $@.tmp2 $@; \ + else \ + mv $@.tmp $@; \ + fi + +$(obj)/VBLOCK_%.bin: $(obj)/FW_MAIN_%.bin $(FUTILITY) + $(FUTILITY) vbutil_firmware \ + --vblock $@ \ + --keyblock "$(CONFIG_VBOOT_KEYBLOCK)" \ + --signprivate "$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)" \ + --version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \ + --fv $< \ + --kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \ + --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) + +files_added:: $(obj)/VBLOCK_A.bin $(obj)/VBLOCK_B.bin + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_B -f $(obj)/VBLOCK_B.bin + endif # CONFIG_VBOOT |
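Review bot: In the `$(obj)/FW_MAIN_%.bin` rule, `sed` runs without `-n`, so when the last `cbfstool print -k` line is not an `(empty)` entry the whole unmatched line is written to `$@.tmp.size`, and the `[ -n ... ]` guard never sees an empty value. That text is then word-split into `printf "%d"` and `head -c`, so the length `vbutil_firmware` ends up signing depends on how those tools treat non-numeric input. Printing only on a match makes the fallback branch explicit: `sed -n "s,^(empty)[[:space:]]\(0x[0-9a-f]*\)\tnull\t.*$$,\1,p"`. Separately, `$(obj)/fwid.region` passes the Kconfig strings as the `printf` format itself; `printf "%s\0" "$(CONFIG_VBOOT_FWID_MODEL)$(CONFIG_VBOOT_FWID_VERSION)" > $@` would keep a `%` or backslash in them literal. Both rules sit fully inside the hunk; the enclosing `CONFIG_VBOOT` conditional opens outside it.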