diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index 2caeb17434..252a91efe5 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -344,39 +344,21 @@ files_added:: $(FUTILITY) $(obj)/coreboot.rom endif -# Extract FW_MAIN_? region and minimize it if the last file is empty, so it -# doesn't contain this empty file (that can have a significant size), -# improving a lot on hash times due to a smaller amount of data loaded from -# firmware storage. -# When passing the minimized image to vbutil_firmware, its length is recorded -# in the keyblock, and coreboot's vboot code clips the region_device to match, -# which prevents any potential extension attacks. -$(obj)/FW_MAIN_%.bin: $(obj)/coreboot.rom - $(CBFSTOOL) $< truncate -r $(basename $(notdir $@)) > $@.tmp.size - $(CBFSTOOL) $< read -r $(basename $(notdir $@)) -f $@.tmp - head -c $$( printf "%d" $$(cat $@.tmp.size)) $@.tmp > $@.tmp2 - mv $@.tmp2 $@ - rm -f $@.tmp $@.tmp.size - -$(obj)/VBLOCK_%.bin: $(obj)/FW_MAIN_%.bin $(FUTILITY) - $(FUTILITY) vbutil_firmware \ - --vblock $@ \ - --keyblock "$(CONFIG_VBOOT_KEYBLOCK)" \ +ifneq (,$(filter y,$(CONFIG_VBOOT_SLOTS_RW_A) $(CONFIG_VBOOT_SLOTS_RW_AB))) +files_added:: $(obj)/coreboot.rom $(FUTILITY) $(CBFSTOOL) + CBFSTOOL="$(CBFSTOOL)" \ + $(FUTILITY) sign \ --signprivate "$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)" \ - --version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \ - --fv $< \ + --keyblock "$(CONFIG_VBOOT_KEYBLOCK)" \ --kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \ - --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) - -ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y) -files_added:: $(obj)/VBLOCK_A.bin $(obj)/VBLOCK_B.bin - $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin - $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_B -f $(obj)/VBLOCK_B.bin - @printf " FLASHMAP Layout generated for RO, A and B partition.\n" -else ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y) -files_added:: $(obj)/VBLOCK_A.bin - $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin - @printf " FLASHMAP Layout generated for RO and A partition.\n" + --version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \ + --flags 
$(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) \ + $(obj)/coreboot.rom + if [ "$(CONFIG_VBOOT_SLOTS_RW_AB)" = 'y' ]; then \ + printf " FLASHMAP Layout generated for RO, A and B partition.\n"; \ + elif [ "$(CONFIG_VBOOT_SLOTS_RW_A)" = 'y' ]; then \ + printf " FLASHMAP Layout generated for RO and A partition.\n"; \ + fi else files_added:: @printf " FLASHMAP Layout generated for RO partition only.\n"
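Review bot: The security rationale in the deleted comment block is not carried over to the new `files_added::` rule. That comment explained that the signed body is minimized and its recorded length is what coreboot's vboot code clips the region_device to, preventing extension attacks. Presumably the `CBFSTOOL="$(CBFSTOOL)"` environment assignment is what lets `futility sign` size the FW_MAIN_? regions itself, but that cannot be confirmed from this hunk. Once verified, a comment above the rule would help, along the lines of `# futility sign uses $(CBFSTOOL) to minimize FW_MAIN_?; the signed length is what vboot clips the region to`. Separately, the `if [ "$(CONFIG_VBOOT_SLOTS_RW_AB)" = 'y' ]; then \` recipe line has no `@` prefix, unlike the `@printf` lines it replaces, so the whole shell conditional is echoed on every build.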