-rw-r--r--Documentation/security/vboot/index.md20
-rw-r--r--src/lib/cbfs.c16
-rw-r--r--src/security/vboot/Kconfig9
3 files changed, 45 insertions, 0 deletions
diff --git a/Documentation/security/vboot/index.md b/Documentation/security/vboot/index.md
index 97420893e5..400c2b5149 100644
--- a/Documentation/security/vboot/index.md
+++ b/Documentation/security/vboot/index.md
@@ -186,6 +186,26 @@ In addition to adding the coreboot files into the read-only region,
enabling vboot causes the build script to add the read/write files into
coreboot file systems in *FW_MAIN_A* and *FW_MAIN_B*.
+**RO_REGION_ONLY**
+
+The files added to this list will only be placed in the read-only region and
+not into the read/write coreboot file systems in *FW_MAIN_A* and *FW_MAIN_B*.
+
+**VBOOT_ENABLE_CBFS_FALLBACK**
+
+Normally coreboot will use the active read/write coreboot file system for all
+of it's file access when VBOOT is active and is not in recovery mode.
+
+When the `VBOOT_ENABLE_CBFS_FALLBACK` option is enabled the cbfs file system will
+first try to locate a file in the active read/write file system. If the file
+doesn't exist here the file system will try to locate the file in the read-only
+file system.
+
+This option can be used to prevent duplication of static data. Files can be
+removed from the read/write partitions by adding them to the `RO_REGION_ONLY`
+config. If a file needs to be changed in a later stage simply remove it from
+this list.
+
***
## Signing the coreboot Image
diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c
index 9ac1bc084b..13b5afb6ea 100644
--- a/src/lib/cbfs.c
+++ b/src/lib/cbfs.c
@@ -62,6 +62,22 @@ int cbfs_boot_locate(struct cbfsf *fh, const char *name, uint32_t *type)
}
int ret = cbfs_locate(fh, &rdev, name, type);
+
+ if (CONFIG(VBOOT_ENABLE_CBFS_FALLBACK) && ret) {
+
+ /*
+ * When VBOOT_ENABLE_CBFS_FALLBACK is enabled and a file is not available in the
+ * active RW region, the RO (COREBOOT) region will be used to locate the file.
+ *
+ * This functionality makes it possible to avoid duplicate files in the RO
+ * and RW partitions while maintaining updateability.
+ *
+ * Files can be added to the RO_REGION_ONLY config option to use this feature.
+ */
+ printk(BIOS_DEBUG, "Fall back to RO region for %s\n", name);
+ ret = cbfs_locate_file_in_region(fh, "COREBOOT", name, type);
+ }
+
if (!ret)
if (vboot_measure_cbfs_hook(fh, name))
return -1;
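Review bot: The new `if (CONFIG(VBOOT_ENABLE_CBFS_FALLBACK) && ret)` branch falls back to the RO `COREBOOT` region on any non-zero result from `cbfs_locate()` and for any `name`, whereas its comment describes only the "file is not available" case and files listed in `RO_REGION_ONLY`. As written, an RW update can override an RO file by shipping its own copy but cannot retire one by omitting it, and an RW lookup that fails for some other reason (the return codes of `cbfs_locate()` are not visible here) would also resolve silently to the RO copy. The in-code comment and the Kconfig help for `VBOOT_ENABLE_CBFS_FALLBACK` should state this, e.g. `* Note: every failed RW lookup falls back to RO, not only names in RO_REGION_ONLY; omitting a file from RW does not stop the RO copy from being used.` The fallback result still passes through `vboot_measure_cbfs_hook()` on the following lines, so RO-sourced files are not exempt from measurement. `cbfs_boot_locate()` starts and ends outside this hunk, so whether the active region can already be `COREBOOT` (which would make the second lookup redundant) cannot be judged from here.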
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index e3b8aa68e2..87bb80a561 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -220,6 +220,15 @@ config RO_REGION_ONLY
Add a space delimited list of filenames that should only be in the
RO section.
+
+config VBOOT_ENABLE_CBFS_FALLBACK
+ bool
+ default n
+ depends on VBOOT_SLOTS_RW_A
+ help
+ When this option is enabled cbfs_boot_locate will look for a file in the RO
+ (COREBOOT) region if it isn't available in the active RW region.
+
menu "GBB configuration"
config GBB_HWID