vboot: Add VBOOT_CBFS_INTEGRATION support

This patch introduces support signing and verification of firmware
slots using CBFS metadata hash verification method for faster initial
verification. To have complete verification, CBFS_VERIFICATION should
also be enabled, as metadata hash covers only files metadata, not their
contents.

This patch also adapts mainboards and SoCs to new vboot reset
requirements.

TEST=Google Volteer/Voxel boots with VBOOT_CBFS_INTEGRATION enabled

Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Change-Id: I40ae01c477c4e4f7a1c90e4026a8a868ae64b5ca
Reviewed-on: https://review.coreboot.org/c/coreboot/+/66909
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>

1 files changed, 7 insertions, 1 deletions

diff --git a/src/include/cbfs_glue.h b/src/include/cbfs_glue.h
index d4fe367d6c..99dc48db5f 100644
--- a/src/include/cbfs_glue.h
+++ b/src/include/cbfs_glue.h
@@ -13,11 +13,17 @@
  * safety, we only need to verify the metadata hash in the initial stage and can assume it stays
  * valid in later stages. If TOCTOU safety is required, we may need them in every stage to
  * reverify metadata that had to be reloaded from flash (e.g. because it didn't fit the mcache).
+ * Moreover, if VBOOT_CBFS_INTEGRATION and verification are both enabled, then hashing functions
+ * are required during verification stage.
  * Note that this only concerns metadata hashing -- file access functions may still link hashing
  * routines independently for file data hashing.
  */
 #define CBFS_ENABLE_HASHING (CONFIG(CBFS_VERIFICATION) && \
-			     (CONFIG(TOCTOU_SAFETY) || ENV_INITIAL_STAGE))
+			     (CONFIG(TOCTOU_SAFETY) || ENV_INITIAL_STAGE || \
+			      (CONFIG(VBOOT_CBFS_INTEGRATION) && \
+				(verification_should_run() || \
+				 (verstage_should_load() && \
+				  CONFIG(VBOOT_RETURN_FROM_VERSTAGE))))))
 #define CBFS_HASH_HWCRYPTO vboot_hwcrypto_allowed()
 
 #define ERROR(...) printk(BIOS_ERR, "CBFS ERROR: " __VA_ARGS__)