coreboot-kgpe-d16/src/security/vboot/Kconfig
Martin Roth 8a3a3c820b security/vboot: Add option to run verstage before bootblock
For AMD's family 17h, verstage can run as a userspace app in the PSP
before the X86 is released. The flags for this have been made generic
to support any other future systems that might run verstage before
the main processor starts.

Although an attempt has been made to make things somewhat generic,
since this is the first and currently only chip to support verstage
before bootblock, there are a number of options which might ultimately
be needed which have currently been left out for simplicity.  Examples
of this are:
- PCI is not currently supported - this is currently just a given
instead of making a separate Kconfig option for it.
- The PSP uses an ARM v7 processor, so that's the only processor that
is getting updated for the verstage-before-bootblock option.

BUG=b:158124527
TEST=Build with following patches

Signed-off-by: Martin Roth <martin@coreboot.org>
Change-Id: I4849777cb7ba9f90fe8428b82c21884d1e662b96
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41814
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Raul Rangel <rrangel@chromium.org>
2020-06-15 21:04:00 +00:00

357 lines
9.8 KiB
Text

# SPDX-License-Identifier: GPL-2.0-only
menu "Verified Boot (vboot)"
config VBOOT_LIB
bool
help
Build and link the vboot library. Makes the vboot API accessible across
all coreboot stages, without enabling vboot verification. For verification,
please see the VBOOT option below.
config VBOOT
bool "Verify firmware with vboot."
default n
select VBOOT_LIB
select VBOOT_MOCK_SECDATA if !TPM1 && !TPM2
depends on 0 = 0 # Must have a 'depends on' or board overrides will break it.
help
Enabling VBOOT will use vboot to verify the components of the firmware
(stages, payload, etc).
if VBOOT
comment "Anti-Rollback Protection disabled because mocking secdata is enabled."
depends on VBOOT_MOCK_SECDATA
config VBOOT_SLOTS_RW_A
bool "Firmware RO + RW_A"
help
Have one update partition beside the RO partition.
config VBOOT_SLOTS_RW_AB
bool "Firmware RO + RW_A + RW_B"
select VBOOT_SLOTS_RW_A
help
Have two update partitions beside the RO partition.
config VBOOT_VBNV_CMOS
bool
default n
depends on PC80_SYSTEM
help
VBNV is stored in CMOS
config VBOOT_VBNV_OFFSET
hex
default 0x26
depends on VBOOT_VBNV_CMOS
help
CMOS offset for VbNv data. This value must match cmos.layout
in the mainboard directory, minus 14 bytes for the RTC.
config VBOOT_VBNV_CMOS_BACKUP_TO_FLASH
bool
default n
depends on VBOOT_VBNV_CMOS && BOOT_DEVICE_SUPPORTS_WRITES
help
Vboot non-volatile storage data will be backed up from CMOS to flash
and restored from flash if the CMOS is invalid due to power loss.
config VBOOT_VBNV_EC
bool
default n
help
VBNV is stored in EC
config VBOOT_VBNV_FLASH
bool
default n
depends on BOOT_DEVICE_SUPPORTS_WRITES
help
VBNV is stored in flash storage
config VBOOT_STARTS_BEFORE_BOOTBLOCK
def_bool n
select VBOOT_SEPARATE_VERSTAGE
help
Firmware verification happens before the main processor is brought
online.
config VBOOT_STARTS_IN_BOOTBLOCK
bool
default n
help
Firmware verification happens during the end of or right after the
bootblock. This implies that a static VBOOT2_WORK() buffer must be
allocated in memlayout.
config VBOOT_STARTS_IN_ROMSTAGE
bool
default n
depends on !VBOOT_STARTS_IN_BOOTBLOCK
help
Firmware verification happens during the end of romstage (after
memory initialization). This implies that the vboot work buffer is
in CBMEM from the start and doesn't need to be reserved in memlayout.
config VBOOT_MOCK_SECDATA
bool "Mock secdata for firmware verification"
default n
help
Enabling VBOOT_MOCK_SECDATA will mock secdata for the firmware
verification to avoid access to a secdata storage (typically TPM).
All operations for a secdata storage will be successful. This option
can be used during development when a TPM is not present or broken.
THIS SHOULD NOT BE LEFT ON FOR PRODUCTION DEVICES.
config VBOOT_DISABLE_DEV_ON_RECOVERY
bool
default n
help
When this option is enabled, the Chrome OS device leaves the
developer mode as soon as recovery request is detected. This is
handy on embedded devices with limited input capabilities.
config VBOOT_SEPARATE_VERSTAGE
bool
default n
depends on VBOOT_STARTS_IN_BOOTBLOCK || VBOOT_STARTS_BEFORE_BOOTBLOCK
help
If this option is set, vboot verification runs in a standalone stage
that is loaded from the bootblock and exits into romstage. If it is
not set, the verification code is linked directly into the bootblock
or the romstage and runs as part of that stage (cf. related options
VBOOT_STARTS_IN_BOOTBLOCK/_ROMSTAGE and VBOOT_RETURN_FROM_VERSTAGE).
config VBOOT_RETURN_FROM_VERSTAGE
bool
default n
depends on VBOOT_SEPARATE_VERSTAGE
help
If this is set, the verstage returns back to the calling stage instead
of exiting to the succeeding stage so that the verstage space can be
reused by the succeeding stage. This is useful if a RAM space is too
small to fit both the verstage and the succeeding stage.
config VBOOT_MUST_REQUEST_DISPLAY
bool
default y if VGA_ROM_RUN
default n
help
Set this option to indicate to vboot that this platform will skip its
display initialization on a normal (non-recovery, non-developer) boot.
Unless display is specifically requested, the video option ROM is not
loaded, and any other native display initialization code is not run.
config VBOOT_ALWAYS_ENABLE_DISPLAY
bool "Force to always enable display"
default n
help
Set this option to indicate to vboot that display should always be enabled.
config VBOOT_ALWAYS_ALLOW_UDC
bool "Always allow UDC"
default n
depends on !CHROMEOS
help
This option allows UDC to be enabled regardless of the vboot state.
config VBOOT_HAS_REC_HASH_SPACE
bool
default n
help
Set this option to indicate to vboot that recovery data hash space
is present in TPM.
config VBOOT_LID_SWITCH
bool
default n
help
Whether this platform has a lid switch. If it does, vboot will not
decrement try counters for boot failures if the lid is closed.
config VBOOT_WIPEOUT_SUPPORTED
bool
default n
help
When this option is enabled, the firmware provides the ability to
signal the application the need for factory reset (a.k.a. wipe
out) of the device
config VBOOT_FWID_MODEL
string "Firmware ID model"
default "Google_$(CONFIG_MAINBOARD_PART_NUMBER)" if CHROMEOS
default "$(CONFIG_MAINBOARD_VENDOR)_$(CONFIG_MAINBOARD_PART_NUMBER)"
help
This is the first part of the FWID written to various regions of a
vboot firmware image to identify its version.
config VBOOT_FWID_VERSION
string "Firmware ID version"
default ".$(KERNELVERSION)"
help
This is the second part of the FWID written to various regions of a
vboot firmware image to identify its version.
config VBOOT_NO_BOARD_SUPPORT
bool "Allow the use of vboot without board support"
default n
help
Enable weak functions for get_write_protect_state and
get_recovery_mode_switch in order to proceed with refactoring
of the vboot2 code base. Later on this code is removed and replaced
by interfaces.
config RO_REGION_ONLY
string "Additional files that should not be copied to RW"
default ""
help
Add a space delimited list of filenames that should only be in the
RO section.
config RW_REGION_ONLY
string
default ""
depends on VBOOT_SLOTS_RW_A
help
Add a space delimited list of filenames that should only be in the
RW sections.
config VBOOT_ENABLE_CBFS_FALLBACK
bool
default n
depends on VBOOT_SLOTS_RW_A
help
When this option is enabled cbfs_boot_locate will look for a file in the RO
(COREBOOT) region if it isn't available in the active RW region.
config VBOOT_EARLY_EC_SYNC
bool
default n
depends on EC_GOOGLE_CHROMEEC
help
Enables CrOS EC software sync in romstage, before memory training
runs. This is useful mainly as a way to achieve full USB-PD
negotiation earlier in the boot flow, as the EC will only do this once
it has made the sysjump to its RW firmware. It should not
significantly impact boot time, as this operation will be performed
later in the boot flow if it is disabled here.
config VBOOT_EC_EFS
bool "Early firmware selection (EFS) EC"
default n
help
CrosEC can support EFS: Early Firmware Selection. If it's enabled,
software sync needs to also support it. This setting tells vboot to
perform EFS software sync.
menu "GBB configuration"
config GBB_HWID
string "Hardware ID"
default ""
help
A hardware identifier for device. On Chrome OS this is used for auto
update and recovery, and will be generated when manufacturing by the
factory software, in a strictly defined format.
Leave empty to get a test-only Chrome OS HWID v2 string generated.
config GBB_BMPFV_FILE
string "Path to bmpfv image"
default ""
config GBB_FLAG_DEV_SCREEN_SHORT_DELAY
bool "Reduce dev screen delay"
default n
config GBB_FLAG_LOAD_OPTION_ROMS
bool "Load option ROMs"
default n
config GBB_FLAG_ENABLE_ALTERNATE_OS
bool "Allow booting a non-Chrome OS kernel if dev switch is on"
default n
config GBB_FLAG_FORCE_DEV_SWITCH_ON
bool "Force dev switch on"
default n
config GBB_FLAG_FORCE_DEV_BOOT_USB
bool "Allow booting from USB in dev mode even if dev_boot_usb=0"
default y
config GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK
bool "Disable firmware rollback protection"
default y
config GBB_FLAG_ENTER_TRIGGERS_TONORM
bool "Return to normal boot with Enter"
default n
config GBB_FLAG_FORCE_DEV_BOOT_LEGACY
bool "Allow booting to legacy in dev mode even if dev_boot_legacy=0"
default n
config GBB_FLAG_RUNNING_FAFT
bool "Running FAFT tests; used as a hint to disable other debug features"
default n
config GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC
bool "Disable EC software sync"
default n
config GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY
bool "Default to booting to legacy in dev mode"
default n
config GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC
bool "Disable PD software sync"
default n
config GBB_FLAG_DISABLE_LID_SHUTDOWN
bool "Disable shutdown on closed lid"
default n
config GBB_FLAG_FORCE_MANUAL_RECOVERY
bool "Always assume manual recovery in recovery mode"
default n
config GBB_FLAG_DISABLE_FWMP
bool "Disable Firmware Management Parameters (FWMP)"
default n
endmenu # GBB
menu "Vboot Keys"
config VBOOT_ROOT_KEY
string "Root key (public)"
default "$(VBOOT_SOURCE)/tests/devkeys/root_key.vbpubk"
config VBOOT_RECOVERY_KEY
string "Recovery key (public)"
default "$(VBOOT_SOURCE)/tests/devkeys/recovery_key.vbpubk"
config VBOOT_FIRMWARE_PRIVKEY
string "Firmware key (private)"
default "$(VBOOT_SOURCE)/tests/devkeys/firmware_data_key.vbprivk"
config VBOOT_KERNEL_KEY
string "Kernel subkey (public)"
default "$(VBOOT_SOURCE)/tests/devkeys/kernel_subkey.vbpubk"
config VBOOT_KEYBLOCK
string "Keyblock to use for the RW regions"
default "$(VBOOT_SOURCE)/tests/devkeys/firmware.keyblock"
config VBOOT_KEYBLOCK_VERSION
int "Keyblock version number"
default 1
config VBOOT_KEYBLOCK_PREAMBLE_FLAGS
hex "Keyblock preamble flags"
default 0x0
endmenu # Keys
endif # VBOOT
endmenu # Verified Boot (vboot)