From cdf6f3a4ba8429ad76738ff46220c067da065001 Mon Sep 17 00:00:00 2001 From: Bill XIE Date: Tue, 17 Dec 2019 15:56:43 +0800 Subject: [PATCH] security/vboot: Add a dedicated flag for building of vboot library As discussed in CB:35077, since both measured boot and verified boot depends on vboot library, it had better to introduce a dedicated flag CONFIG_VBOOT_LIB to control the building and linking of the vboot library, and make other flags needing vboot library select it. Only the actual verification stuff should be conditional on CONFIG_VBOOT. Change-Id: Ia1907a11c851ee45a70582e02bdbe08fb18cc6a4 Signed-off-by: Bill XIE Reviewed-on: https://review.coreboot.org/c/coreboot/+/37787 Tested-by: build bot (Jenkins) Reviewed-by: Joel Kitching
---
 src/security/vboot/Kconfig | 9 +++++
 src/security/vboot/Makefile.inc | 70 +++++++++++++++++---------------
 2 files changed, 46 insertions(+), 33 deletions(-)
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index e03b51dd06..787cdbefb1 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -15,9 +15,18 @@
 menu "Verified Boot (vboot)"
+config VBOOT_LIB
+ bool
+ depends on !VENDORCODE_ELTAN_VBOOT && !VENDORCODE_ELTAN_MBOOT
+ help
+ Build and link the vboot library. Makes the vboot API accessible across
+ all coreboot stages, without enabling vboot verification. For verification,
+ please see the VBOOT option below.
+
 config VBOOT
 bool "Verify firmware with vboot."
 default n
+ select VBOOT_LIB
 select VBOOT_MOCK_SECDATA if !TPM1 && !TPM2
 depends on !MISSING_BOARD_RESET
 help
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index 8052549bde..a700e0051a 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
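Review bot: The `depends on !VENDORCODE_ELTAN_VBOOT && !VENDORCODE_ELTAN_MBOOT` line on the new VBOOT_LIB symbol does not constrain `config VBOOT`, because `select VBOOT_LIB` sets the selected symbol without evaluating its dependencies; Kconfig only warns about the unmet dependency. The VBOOT entry visible in this hunk depends on `!MISSING_BOARD_RESET` alone, so unless the Eltan options exclude VBOOT elsewhere (not visible here), the combination this dependency is meant to rule out can still be configured and the library would be built. I would repeat the line under `config VBOOT`, `depends on !VENDORCODE_ELTAN_VBOOT && !VENDORCODE_ELTAN_MBOOT`, and on any later symbol that selects VBOOT_LIB. The `config VBOOT` entry continues past the end of the hunk.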
@@ -14,6 +14,43 @@
 ## GNU General Public License for more details.
 ##
+ifeq ($(CONFIG_VBOOT_LIB),y)
+
+vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\
+ $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\
+ $(filter-out -I$(obj),$(1))))
+
+# call with $1 = stage name to create rules for building the library
+# for the stage and adding it to the stage's set of object files.
+define vboot-for-stage
+VBOOT_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw.a
+VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1)))
+VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1))
+VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts))
+VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes
+VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG
+
+$$(VBOOT_LIB_$(1)): $(obj)/config.h
+ printf " MAKE $(subst $(obj)/,,$(@))\n"
+ +FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \
+ CC="$$(CC_$(1))" \
+ CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \
+ $(MAKE) -C $(VBOOT_SOURCE) \
+ BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \
+ V=$(V) \
+ fwlib
+
+$(1)-srcs += $$(VBOOT_LIB_$(1))
+
+endef # vboot-for-stage
+
+$(eval $(call vboot-for-stage,bootblock))
+$(eval $(call vboot-for-stage,romstage))
+$(eval $(call vboot-for-stage,ramstage))
+$(eval $(call vboot-for-stage,postcar))
+
+endif # CONFIG_VBOOT_LIB
+
 ifeq ($(CONFIG_VBOOT),y)
 bootblock-y += bootmode.c
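Review bot: The rule for `$$(VBOOT_LIB_$(1))` lists only `$(obj)/config.h` as a prerequisite, so once `vboot_fw.a` exists an incremental build does not re-enter the `$(MAKE) -C $(VBOOT_SOURCE)` sub-make when files under `$(VBOOT_SOURCE)` change, unless something outside this hunk forces it. The archive is appended to the bootblock, romstage, ramstage and postcar sources whenever CONFIG_VBOOT_LIB is set, so a stale archive can carry an outdated copy of the vboot code into the image without any build message. Adding an always-out-of-date prerequisite, for example `$$(VBOOT_LIB_$(1)): $(obj)/config.h <phony-prerequisite>` with that placeholder name declared under `.PHONY`, would run the sub-make on every build and leave the up-to-date decision to the vboot makefile.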
@@ -95,39 +132,6 @@ postcar-y += common.c
 romstage-$(CONFIG_FSP2_0_USES_TPM_MRC_HASH) += mrc_cache_hash_tpm.c
-vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\
- $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\
- $(filter-out -I$(obj),$(1))))
-
-# call with $1 = stage name to create rules for building the library
-# for the stage and adding it to the stage's set of object files.
-define vboot-for-stage
-VBOOT_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw.a
-VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1)))
-VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1))
-VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts))
-VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes
-VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG
-
-$$(VBOOT_LIB_$(1)): $(obj)/config.h
- printf " MAKE $(subst $(obj)/,,$(@))\n"
- +FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \
- CC="$$(CC_$(1))" \
- CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \
- $(MAKE) -C $(VBOOT_SOURCE) \
- BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \
- V=$(V) \
- fwlib
-
-$(1)-srcs += $$(VBOOT_LIB_$(1))
-
-endef # vboot-for-stage
-
-$(eval $(call vboot-for-stage,bootblock))
-$(eval $(call vboot-for-stage,romstage))
-$(eval $(call vboot-for-stage,ramstage))
-$(eval $(call vboot-for-stage,postcar))
-
 ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y)
 $(eval $(call vboot-for-stage,verstage))