GNUBoot/coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

security/vboot: Add selection for firmware slots used by VBOOT

Browse source 
Make the firmware slot configuration in VBOOT selectable. The following
three modes are available:
  -RO only
  -RO + RW_A
  -RO + RW_A + RW_B

The mode "RO only" is the lowest mode with no safety during update.
You can select either RW_A or RW_AB via Kconfig which will add the
selected parttions to the final image.

Change-Id: I278fc060522b13048b00090b8e5261c14496f56e
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Signed-off-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-on: https://review.coreboot.org/27714
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
This commit is contained in:
Philipp Deppenwiese 2018-07-28 23:30:49 +02:00 committed by Philipp Deppenwiese
parent de462804e1
commit a558ca9aae
3 changed files with 42 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
src/security/vboot/Kconfig
View file

@ -1,6 +1,7 @@
## This file is part of the coreboot project. ## This file is part of the coreboot project.
## ##
## Copyright (C) 2014 The ChromiumOS Authors. All rights reserved. ## Copyright (C) 2014 The ChromiumOS Authors. All rights reserved.
## Copyright (C) 2018 Siemens AG
## ##
## This program is free software; you can redistribute it and/or modify ## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by ## it under the terms of the GNU General Public License as published by
@ -25,6 +26,18 @@ config VBOOT
if VBOOT if VBOOT
config VBOOT_SLOTS_RW_A
bool "Firmware RO + RW_A"
help
Have one update partition beside the RO partition.
config VBOOT_SLOTS_RW_AB
bool "Firmware RO + RW_A + RW_B"
select VBOOT_SLOTS_RW_A
help
Have two update partitions beside the RO partition.
config VBOOT_VBNV_CMOS config VBOOT_VBNV_CMOS
bool bool
default n default n

29
src/security/vboot/Makefile.inc
View file

@ -2,6 +2,7 @@
## This file is part of the coreboot project. ## This file is part of the coreboot project.
## ##
## Copyright (C) 2014 The ChromiumOS Authors. All rights reserved. ## Copyright (C) 2014 The ChromiumOS Authors. All rights reserved.
## Copyright (C) 2018 Siemens AG
## ##
## This program is free software; you can redistribute it and/or modify ## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by ## it under the terms of the GNU General Public License as published by
@ -144,6 +145,17 @@ postinclude-hooks += $$(eval romstage-srcs += $$(verstage-srcs))
endif endif
endif # CONFIG_VBOOT_SEPARATE_VERSTAGE endif # CONFIG_VBOOT_SEPARATE_VERSTAGE
#RO-Partition is always there!
VBOOT_PARTITIONS := COREBOOT
# Check for RW_A partition
ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y)
VBOOT_PARTITIONS += FW_MAIN_A
endif
# Check for RW_B partition
ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y)
VBOOT_PARTITIONS += FW_MAIN_B
endif
# Define a list of files that need to be in RO only. # Define a list of files that need to be in RO only.
# All other files will be installed into RO and RW regions # All other files will be installed into RO and RW regions
# Use $(sort) to cut down on extra spaces that would be translated to commas # Use $(sort) to cut down on extra spaces that would be translated to commas
@ -161,7 +173,7 @@ regions-for-file = $(subst $(spc),$(comma),$(sort \
cmos_layout.bin \ cmos_layout.bin \
cmos.default \ cmos.default \
$(call strip_quotes,$(CONFIG_RO_REGION_ONLY)) \ $(call strip_quotes,$(CONFIG_RO_REGION_ONLY)) \
,$(1)),COREBOOT,COREBOOT FW_MAIN_A FW_MAIN_B))) ,$(1)),COREBOOT,$(VBOOT_PARTITIONS))))
CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID)) CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID))
CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE)) CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE))
@ -237,8 +249,12 @@ build_complete:: $(obj)/gbb.region $(obj)/fwid.region
@printf " WRITE GBB\n" @printf " WRITE GBB\n"
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -i 0 -f $(obj)/gbb.region $(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -i 0 -f $(obj)/gbb.region
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RO_FRID -i 0 -f $(obj)/fwid.region $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RO_FRID -i 0 -f $(obj)/fwid.region
ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y)
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region
endif
ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y)
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_B -i 0 -f $(obj)/fwid.region $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_B -i 0 -f $(obj)/fwid.region
endif
ifneq ($(shell grep "SHARED_DATA" "$(CONFIG_FMDFILE)"),) ifneq ($(shell grep "SHARED_DATA" "$(CONFIG_FMDFILE)"),)
build_complete:: build_complete::
@ -270,8 +286,19 @@ $(obj)/VBLOCK_%.bin: $(obj)/FW_MAIN_%.bin $(FUTILITY)
--kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \ --kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \
--flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS)
ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y)
files_added:: $(obj)/VBLOCK_A.bin $(obj)/VBLOCK_B.bin files_added:: $(obj)/VBLOCK_A.bin $(obj)/VBLOCK_B.bin
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_B -f $(obj)/VBLOCK_B.bin $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_B -f $(obj)/VBLOCK_B.bin
@printf " FLASHMAP Layout generated for RO, A and B partition.\n"
else ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y)
files_added:: $(obj)/VBLOCK_A.bin
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin
@printf " FLASHMAP Layout generated for RO and A partition.\n"
else
files_added::
@printf " FLASHMAP Layout generated for RO partition only.\n"
@printf " Beware that there is no failure safety in case of update now!\n"
endif
endif # CONFIG_VBOOT endif # CONFIG_VBOOT

1
src/vendorcode/google/chromeos/Kconfig
View file

@ -25,6 +25,7 @@ config CHROMEOS
select COLLECT_TIMESTAMPS select COLLECT_TIMESTAMPS
select VBOOT select VBOOT
select VPD select VPD
select VBOOT_SLOTS_RW_AB
help help
Enable ChromeOS specific features like the GPIO sub table in Enable ChromeOS specific features like the GPIO sub table in
the coreboot table. NOTE: Enabling this option on an unsupported the coreboot table. NOTE: Enabling this option on an unsupported