lib/cbfs: Add fallback to RO region to cbfs_boot_locate

With this change cbfs_boot_locate will check the RO (COREBOOT) region if a file can not be found in the active RW region. By doing so it is not required to duplicate static files that are not intended to be updated to the RW regions. The coreboot image can still be updated by adding the file to the RW region. This change is intended to support VBOOT on systems with a small flash device. BUG=N/A TEST=tested on facebook fbg1701 Change-Id: I81ceaf927280cef9a3f09621c796c451e9115211 Signed-off-by: Wim Vervoorn <wvervoorn@eltan.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/36545 Reviewed-by: Frans Hendriks <fhendriks@eltan.com> Reviewed-by: Aaron Durbin <adurbin@chromium.org> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2019-11-05 14:09:16 +01:00 · 2019-11-05 14:09:16 +01:00 · 114e2e8830
parent 32c8de10b0
commit 114e2e8830
3 changed files with 45 additions and 0 deletions
--- a/Documentation/security/vboot/index.md
+++ b/Documentation/security/vboot/index.md
@ -186,6 +186,26 @@ In addition to adding the coreboot files into the read-only region,
 enabling vboot causes the build script to add the read/write files into
 coreboot file systems in *FW_MAIN_A* and *FW_MAIN_B*.

+**RO_REGION_ONLY**  
+
+The files added to this list will only be placed in the read-only region and
+not into the read/write coreboot file systems in *FW_MAIN_A* and *FW_MAIN_B*.
+
+**VBOOT_ENABLE_CBFS_FALLBACK**  
+
+Normally coreboot will use the active read/write coreboot file system for all
+of it's file access when VBOOT is active and is not in recovery mode.
+
+When the `VBOOT_ENABLE_CBFS_FALLBACK` option is enabled the cbfs file system will
+first try to locate a file in the active read/write file system. If the file
+doesn't exist here the file system will try to locate the file in the read-only
+file system.
+
+This option can be used to prevent duplication of static data. Files can be
+removed from the read/write partitions by adding them to the `RO_REGION_ONLY`
+config. If a file needs to be changed in a later stage simply remove it from
+this list.
+
 ***

 ## Signing the coreboot Image
--- a/src/lib/cbfs.c
+++ b/src/lib/cbfs.c
@ -62,6 +62,22 @@ int cbfs_boot_locate(struct cbfsf *fh, const char *name, uint32_t *type)
 	}

 	int ret = cbfs_locate(fh, &rdev, name, type);
+
+	if (CONFIG(VBOOT_ENABLE_CBFS_FALLBACK) && ret) {
+
+		/*
+		 * When VBOOT_ENABLE_CBFS_FALLBACK is enabled and a file is not available in the
+		 * active RW region, the RO (COREBOOT) region will be used to locate the file.
+		 *
+		 * This functionality makes it possible to avoid duplicate files in the RO
+		 * and RW partitions while maintaining updateability.
+		 *
+		 * Files can be added to the RO_REGION_ONLY config option to use this feature.
+		 */
+		printk(BIOS_DEBUG, "Fall back to RO region for %s\n", name);
+		ret = cbfs_locate_file_in_region(fh, "COREBOOT", name, type);
+	}
+
 	if (!ret)
 		if (vboot_measure_cbfs_hook(fh, name))
 			return -1;
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@ -220,6 +220,15 @@ config RO_REGION_ONLY
 	  Add a space delimited list of filenames that should only be in the
 	  RO section.

+
+config VBOOT_ENABLE_CBFS_FALLBACK
+	bool
+	default n
+	depends on VBOOT_SLOTS_RW_A
+	help
+	  When this option is enabled cbfs_boot_locate will look for a file in the RO
+	  (COREBOOT) region if it isn't available in the active RW region.
+
 menu "GBB configuration"

 config GBB_HWID