GNUBoot/coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
coreboot-kgpe-d16/src/include/cbfs_glue.h
Jakub Czapiga 967a76bd81 vboot: Add VBOOT_CBFS_INTEGRATION support 
This patch introduces support signing and verification of firmware
slots using CBFS metadata hash verification method for faster initial
verification. To have complete verification, CBFS_VERIFICATION should
also be enabled, as metadata hash covers only files metadata, not their
contents.

This patch also adapts mainboards and SoCs to new vboot reset
requirements.

TEST=Google Volteer/Voxel boots with VBOOT_CBFS_INTEGRATION enabled

Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Change-Id: I40ae01c477c4e4f7a1c90e4026a8a868ae64b5ca
Reviewed-on: https://review.coreboot.org/c/coreboot/+/66909
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2022-11-08 23:03:49 +00:00

48 lines
1.8 KiB
C
Raw Blame History

/* SPDX-License-Identifier: GPL-2.0-only */
#ifndef _CBFS_GLUE_H_
#define _CBFS_GLUE_H_
#include <commonlib/region.h>
#include <console/console.h>
#include <security/vboot/misc.h>
/*
* This flag prevents linking hashing functions into stages where they're not required. We don't
* need them at all if verification is disabled. If verification is enabled without TOCTOU
* safety, we only need to verify the metadata hash in the initial stage and can assume it stays
* valid in later stages. If TOCTOU safety is required, we may need them in every stage to
* reverify metadata that had to be reloaded from flash (e.g. because it didn't fit the mcache).
* Moreover, if VBOOT_CBFS_INTEGRATION and verification are both enabled, then hashing functions
* are required during verification stage.
* Note that this only concerns metadata hashing -- file access functions may still link hashing
* routines independently for file data hashing.
*/
#define CBFS_ENABLE_HASHING (CONFIG(CBFS_VERIFICATION) && \
(CONFIG(TOCTOU_SAFETY) || ENV_INITIAL_STAGE || \
(CONFIG(VBOOT_CBFS_INTEGRATION) && \
(verification_should_run() || \
(verstage_should_load() && \
CONFIG(VBOOT_RETURN_FROM_VERSTAGE))))))
#define CBFS_HASH_HWCRYPTO vboot_hwcrypto_allowed()
#define ERROR(...) printk(BIOS_ERR, "CBFS ERROR: " __VA_ARGS__)
#define LOG(...) printk(BIOS_INFO, "CBFS: " __VA_ARGS__)
#define DEBUG(...) do { \
if (CONFIG(DEBUG_CBFS)) \
printk(BIOS_SPEW, "CBFS DEBUG: " __VA_ARGS__); \
} while (0)
typedef const struct region_device *cbfs_dev_t;
static inline ssize_t cbfs_dev_read(cbfs_dev_t dev, void *buffer, size_t offset, size_t size)
{
return rdev_readat(dev, buffer, offset, size);
}
static inline size_t cbfs_dev_size(cbfs_dev_t dev)
{
return region_device_sz(dev);
}
#endif /* _CBFS_GLUE_H_ */
Reference in a new issue View git blame Copy permalink