## This file is part of the coreboot project.
##
## Copyright (C) 2014 The ChromiumOS Authors. All rights reserved.
## Copyright (C) 2018 Siemens AG
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; version 2 of the License.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
##
menu "Verified Boot (vboot)"
config VBOOT_LIB
bool
help
Build and link the vboot library. Makes the vboot API accessible across
all coreboot stages, without enabling vboot verification. For verification,
please see the VBOOT option below.
config VBOOT
bool "Verify firmware with vboot."
default n
select VBOOT_LIB
select VBOOT_MOCK_SECDATA if !TPM1 && !TPM2
depends on 0 = 0 # Must have a 'depends on' or board overrides will break it.
help
Enabling VBOOT will use vboot to verify the components of the firmware
(stages, payload, etc).
if VBOOT
comment "Anti-Rollback Protection disabled because mocking secdata is enabled."
depends on VBOOT_MOCK_SECDATA
config VBOOT_MEASURED_BOOT
bool "Enable Measured Boot"
default n
depends on TPM1 || TPM2
depends on !VBOOT_RETURN_FROM_VERSTAGE
help
Enables measured boot mode in vboot (experimental)
config VBOOT_MEASURED_BOOT_RUNTIME_DATA
string "Runtime data whitelist"
default ""
depends on VBOOT_MEASURED_BOOT
help
Runtime data whitelist of cbfs filenames. Needs to be a comma-separated
list.
config VBOOT_SLOTS_RW_A
bool "Firmware RO + RW_A"
help
Have one update partition beside the RO partition.
config VBOOT_SLOTS_RW_AB
bool "Firmware RO + RW_A + RW_B"
select VBOOT_SLOTS_RW_A
help
Have two update partitions beside the RO partition.
config VBOOT_VBNV_CMOS
bool
default n
depends on PC80_SYSTEM
help
VBNV is stored in CMOS
config VBOOT_VBNV_OFFSET
hex
default 0x26
depends on VBOOT_VBNV_CMOS
help
CMOS offset for VbNv data. This value must match cmos.layout
in the mainboard directory, minus 14 bytes for the RTC.
config VBOOT_VBNV_CMOS_BACKUP_TO_FLASH
bool
default n
depends on VBOOT_VBNV_CMOS && BOOT_DEVICE_SUPPORTS_WRITES
help
Vboot non-volatile storage data will be backed up from CMOS to flash
and restored from flash if the CMOS is invalid due to power loss.
config VBOOT_VBNV_EC
bool
default n
help
VBNV is stored in EC
config VBOOT_VBNV_FLASH
bool
default n
depends on BOOT_DEVICE_SUPPORTS_WRITES
help
VBNV is stored in flash storage
config VBOOT_STARTS_IN_BOOTBLOCK
bool
default n
help
Firmware verification happens during the end of or right after the
bootblock. This implies that a static VBOOT2_WORK() buffer must be
allocated in memlayout.
config VBOOT_STARTS_IN_ROMSTAGE
bool
default n
depends on !VBOOT_STARTS_IN_BOOTBLOCK
help
Firmware verification happens during the end of romstage (after
memory initialization). This implies that the vboot work buffer is
in CBMEM from the start and doesn't need to be reserved in memlayout.
config VBOOT_MOCK_SECDATA
bool "Mock secdata for firmware verification"
default n
help
Enabling VBOOT_MOCK_SECDATA will mock secdata for the firmware
verification to avoid access to a secdata storage (typically TPM).
All operations for a secdata storage will be successful. This option
can be used during development when a TPM is not present or broken.
THIS SHOULD NOT BE LEFT ON FOR PRODUCTION DEVICES.
config VBOOT_DISABLE_DEV_ON_RECOVERY
bool
default n
help
When this option is enabled, the Chrome OS device leaves the
developer mode as soon as a recovery request is detected. This is
handy on embedded devices with limited input capabilities.
config VBOOT_SEPARATE_VERSTAGE
bool
default n
depends on VBOOT_STARTS_IN_BOOTBLOCK
help
If this option is set, vboot verification runs in a standalone stage
that is loaded from the bootblock and exits into romstage. If it is
not set, the verification code is linked directly into the bootblock
or the romstage and runs as part of that stage (cf. related options
VBOOT_STARTS_IN_BOOTBLOCK/_ROMSTAGE and VBOOT_RETURN_FROM_VERSTAGE).
config VBOOT_RETURN_FROM_VERSTAGE
bool
default n
depends on VBOOT_SEPARATE_VERSTAGE
help
If this is set, the verstage returns back to the calling stage instead
of exiting to the succeeding stage so that the verstage space can be
reused by the succeeding stage. This is useful if a RAM space is too
small to fit both the verstage and the succeeding stage.
config VBOOT_MUST_REQUEST_DISPLAY
bool
default y if VGA_ROM_RUN
default n
help
Set this option to indicate to vboot that this platform will skip its
display initialization on a normal (non-recovery, non-developer) boot.
Unless display is specifically requested, the video option ROM is not
loaded, and any other native display initialization code is not run.
config VBOOT_ALWAYS_ENABLE_DISPLAY
bool "Force to always enable display"
default n
help
Set this option to indicate to vboot that display should always be enabled.
config VBOOT_ALWAYS_ALLOW_UDC
bool "Always allow UDC"
default n
depends on !CHROMEOS
help
This option allows UDC to be enabled regardless of the vboot state.
config VBOOT_HAS_REC_HASH_SPACE
bool
default n
help
Set this option to indicate to vboot that recovery data hash space
is present in TPM.
config VBOOT_LID_SWITCH
bool
default n
help
Whether this platform has a lid switch. If it does, vboot will not
decrement try counters for boot failures if the lid is closed.
config VBOOT_WIPEOUT_SUPPORTED
bool
default n
help
When this option is enabled, the firmware provides the ability to
signal to the application the need for a factory reset (a.k.a. wipe
out) of the device.
config VBOOT_FWID_MODEL
string "Firmware ID model"
default "Google_$(CONFIG_MAINBOARD_PART_NUMBER)" if CHROMEOS
default "$(CONFIG_MAINBOARD_VENDOR)_$(CONFIG_MAINBOARD_PART_NUMBER)"
help
This is the first part of the FWID written to various regions of a
vboot firmware image to identify its version.
config VBOOT_FWID_VERSION
string "Firmware ID version"
default ".$(KERNELVERSION)"
help
This is the second part of the FWID written to various regions of a
vboot firmware image to identify its version.
config VBOOT_NO_BOARD_SUPPORT
bool "Allow the use of vboot without board support"
default n
help
Enable weak functions for get_write_protect_state and
get_recovery_mode_switch in order to proceed with refactoring
of the vboot2 code base. Later on, this code will be removed and replaced
by interfaces.
config RO_REGION_ONLY
string "Additional files that should not be copied to RW"
default ""
help
Add a space delimited list of filenames that should only be in the
RO section.
config RW_REGION_ONLY
string
default ""
depends on VBOOT_SLOTS_RW_A
help
Add a space delimited list of filenames that should only be in the
RW sections.
config VBOOT_ENABLE_CBFS_FALLBACK
bool
default n
depends on VBOOT_SLOTS_RW_A
help
When this option is enabled, cbfs_boot_locate will look for a file in the RO
(COREBOOT) region if it isn't available in the active RW region.
config VBOOT_EARLY_EC_SYNC
bool
default n
depends on EC_GOOGLE_CHROMEEC
help
Enables CrOS EC software sync in romstage, before memory training
runs. This is useful mainly as a way to achieve full USB-PD
negotiation earlier in the boot flow, as the EC will only do this once
it has made the sysjump to its RW firmware. It should not
significantly impact boot time, as this operation will be performed
later in the boot flow if it is disabled here.
menu "GBB configuration"
config GBB_HWID
string "Hardware ID"
default ""
help
A hardware identifier for the device. On Chrome OS this is used for auto
update and recovery, and will be generated when manufacturing by the
factory software, in a strictly defined format.
Leave empty to get a test-only Chrome OS HWID v2 string generated.
config GBB_BMPFV_FILE
string "Path to bmpfv image"
default ""
config GBB_FLAG_DEV_SCREEN_SHORT_DELAY
bool "Reduce dev screen delay"
default n
config GBB_FLAG_LOAD_OPTION_ROMS
bool "Load option ROMs"
default n
config GBB_FLAG_ENABLE_ALTERNATE_OS
bool "Allow booting a non-Chrome OS kernel if dev switch is on"
default n
config GBB_FLAG_FORCE_DEV_SWITCH_ON
bool "Force dev switch on"
default n
config GBB_FLAG_FORCE_DEV_BOOT_USB
bool "Allow booting from USB in dev mode even if dev_boot_usb=0"
default y
config GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK
bool "Disable firmware rollback protection"
default y
config GBB_FLAG_ENTER_TRIGGERS_TONORM
bool "Return to normal boot with Enter"
default n
config GBB_FLAG_FORCE_DEV_BOOT_LEGACY
bool "Allow booting to legacy in dev mode even if dev_boot_legacy=0"
default n
config GBB_FLAG_RUNNING_FAFT
bool "Running FAFT tests; used as a hint to disable other debug features"
default n
config GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC
bool "Disable EC software sync"
default n
config GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY
bool "Default to booting to legacy in dev mode"
default n
config GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC
bool "Disable PD software sync"
default n
config GBB_FLAG_DISABLE_LID_SHUTDOWN
bool "Disable shutdown on closed lid"
default n
config GBB_FLAG_FORCE_MANUAL_RECOVERY
bool "Always assume manual recovery in recovery mode"
default n
config GBB_FLAG_DISABLE_FWMP
bool "Disable Firmware Management Parameters (FWMP)"
default n
endmenu # GBB
menu "Vboot Keys"
config VBOOT_ROOT_KEY
string "Root key (public)"
default "$(VBOOT_SOURCE)/tests/devkeys/root_key.vbpubk"
config VBOOT_RECOVERY_KEY
string "Recovery key (public)"
default "$(VBOOT_SOURCE)/tests/devkeys/recovery_key.vbpubk"
config VBOOT_FIRMWARE_PRIVKEY
string "Firmware key (private)"
default "$(VBOOT_SOURCE)/tests/devkeys/firmware_data_key.vbprivk"
config VBOOT_KERNEL_KEY
string "Kernel subkey (public)"
default "$(VBOOT_SOURCE)/tests/devkeys/kernel_subkey.vbpubk"
config VBOOT_KEYBLOCK
string "Keyblock to use for the RW regions"
default "$(VBOOT_SOURCE)/tests/devkeys/firmware.keyblock"
config VBOOT_KEYBLOCK_VERSION
int "Keyblock version number"
default 1
config VBOOT_KEYBLOCK_PREAMBLE_FLAGS
hex "Keyblock preamble flags"
default 0x0
endmenu # Keys
endif # VBOOT
endmenu # Verified Boot (vboot)