authorBill XIE <persmule@hardenedlinux.org>2019-12-17 15:56:43 +0800
committerPatrick Georgi <pgeorgi@google.com>2019-12-20 17:58:44 +0000
commitcdf6f3a4ba8429ad76738ff46220c067da065001 (patch)
treedf27c10c06d95b51d15a1cdcc88483dd73ba5359
parente9b1e0fe8873cb3131b0dc4741e83540e0d90a31 (diff)
security/vboot: Add a dedicated flag for building of vboot library
As discussed in CB:35077, since both measured boot and verified boot depends on vboot library, it had better to introduce a dedicated flag CONFIG_VBOOT_LIB to control the building and linking of the vboot library, and make other flags needing vboot library select it. Only the actual verification stuff should be conditional on CONFIG_VBOOT. Change-Id: Ia1907a11c851ee45a70582e02bdbe08fb18cc6a4 Signed-off-by: Bill XIE <persmule@hardenedlinux.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/37787 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Joel Kitching <kitching@google.com>
-rw-r--r--src/security/vboot/Kconfig9
-rw-r--r--src/security/vboot/Makefile.inc70
2 files changed, 46 insertions, 33 deletions
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index e03b51dd06..787cdbefb1 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -15,9 +15,18 @@
menu "Verified Boot (vboot)"
+config VBOOT_LIB
+ bool
+ depends on !VENDORCODE_ELTAN_VBOOT && !VENDORCODE_ELTAN_MBOOT
+ help
+ Build and link the vboot library. Makes the vboot API accessible across
+ all coreboot stages, without enabling vboot verification. For verification,
+ please see the VBOOT option below.
+
config VBOOT
bool "Verify firmware with vboot."
default n
+ select VBOOT_LIB
select VBOOT_MOCK_SECDATA if !TPM1 && !TPM2
depends on !MISSING_BOARD_RESET
help
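Review bot: The `select VBOOT_LIB` added to `config VBOOT` turns VBOOT_LIB on even when its own `depends on !VENDORCODE_ELTAN_VBOOT && !VENDORCODE_ELTAN_MBOOT` is false, because Kconfig's `select` ignores the dependencies of the selected symbol. Whether VBOOT and the Eltan vendorcode options are already mutually exclusive elsewhere is not visible in this hunk; if they are not, the result would be an unmet-dependency warning and a vboot library built alongside the vendor code it was meant to exclude. I would mirror the condition on the selector, `depends on !VENDORCODE_ELTAN_VBOOT && !VENDORCODE_ELTAN_MBOOT` under `config VBOOT`, and have every other option that selects VBOOT_LIB do the same. The VBOOT entry continues past the end of the hunk, so an existing guard further down cannot be ruled out.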
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index 8052549bde..a700e0051a 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -14,6 +14,43 @@
## GNU General Public License for more details.
##
+ifeq ($(CONFIG_VBOOT_LIB),y)
+
+vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\
+ $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\
+ $(filter-out -I$(obj),$(1))))
+
+# call with $1 = stage name to create rules for building the library
+# for the stage and adding it to the stage's set of object files.
+define vboot-for-stage
+VBOOT_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw.a
+VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1)))
+VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1))
+VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts))
+VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes
+VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG
+
+$$(VBOOT_LIB_$(1)): $(obj)/config.h
+ printf " MAKE $(subst $(obj)/,,$(@))\n"
+ +FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \
+ CC="$$(CC_$(1))" \
+ CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \
+ $(MAKE) -C $(VBOOT_SOURCE) \
+ BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \
+ V=$(V) \
+ fwlib
+
+$(1)-srcs += $$(VBOOT_LIB_$(1))
+
+endef # vboot-for-stage
+
+$(eval $(call vboot-for-stage,bootblock))
+$(eval $(call vboot-for-stage,romstage))
+$(eval $(call vboot-for-stage,ramstage))
+$(eval $(call vboot-for-stage,postcar))
+
+endif # CONFIG_VBOOT_LIB
+
ifeq ($(CONFIG_VBOOT),y)
bootblock-y += bootmode.c
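Review bot: `VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG` inside `vboot-for-stage` is unconditional, and with the block now guarded by `CONFIG_VBOOT_LIB` instead of `CONFIG_VBOOT` it also applies to builds that pull in the library without verification (for example measured boot only). If that define enables the library's debug output, as its name suggests, those images will carry it too; the line deserves a comment stating this is intended, e.g. `# VBOOT_DEBUG is set for every VBOOT_LIB build, not only when CONFIG_VBOOT=y`. The four `$(eval $(call vboot-for-stage,...))` calls likewise build and link `vboot_fw.a` into bootblock, romstage, ramstage and postcar for any option that selects VBOOT_LIB, which should be mentioned in the comment above the `define`.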
@@ -95,39 +132,6 @@ postcar-y += common.c
romstage-$(CONFIG_FSP2_0_USES_TPM_MRC_HASH) += mrc_cache_hash_tpm.c
-vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\
- $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\
- $(filter-out -I$(obj),$(1))))
-
-# call with $1 = stage name to create rules for building the library
-# for the stage and adding it to the stage's set of object files.
-define vboot-for-stage
-VBOOT_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw.a
-VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1)))
-VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1))
-VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts))
-VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes
-VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG
-
-$$(VBOOT_LIB_$(1)): $(obj)/config.h
- printf " MAKE $(subst $(obj)/,,$(@))\n"
- +FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \
- CC="$$(CC_$(1))" \
- CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \
- $(MAKE) -C $(VBOOT_SOURCE) \
- BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \
- V=$(V) \
- fwlib
-
-$(1)-srcs += $$(VBOOT_LIB_$(1))
-
-endef # vboot-for-stage
-
-$(eval $(call vboot-for-stage,bootblock))
-$(eval $(call vboot-for-stage,romstage))
-$(eval $(call vboot-for-stage,ramstage))
-$(eval $(call vboot-for-stage,postcar))
-
ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y)
$(eval $(call vboot-for-stage,verstage))