diff options
| author | Julius Werner <jwerner@chromium.org> | 2022-05-19 14:37:21 -0700 |
|---|---|---|
| committer | Felix Held <felix-coreboot@felixheld.de> | 2022-06-21 12:31:48 +0000 |
| commit | 5eda52a599e9dac2f51de3738c9da0a8d96ee17a (patch) | |
| tree | 67b54142260c70a1433538ebf2a8ed42c8b3d88f /src/mainboard | |
| parent | 600856dec27dcb32687c8d0098a92822024c7f2c (diff) | |
security/vboot: Add support for GSCVD (Google "RO verification")
This patch adds a new CONFIG_VBOOT_GSCVD option that will be enabled by
default for TPM_GOOGLE_TI50 devices. It makes the build system run the
`futility gscvd` command to create a GSCVD (GSC verification data) which
signs the CBFS trust anchor (bootblock and GBB). In order for this to
work, boards will need to have an RO_GSCVD section in their FMAP, and
production boards should override the CONFIG_VBOOT_GSC_BOARD_ID option
with the correct ID for each variant.
BUG=b:229015103
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I1cf86e90b2687e81edadcefa5a8826b02fbc8b24
Reviewed-on: https://review.coreboot.org/c/coreboot/+/64707
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
Diffstat (limited to 'src/mainboard')
| -rw-r--r-- | src/mainboard/google/brya/Kconfig | 4 | ||||
| -rw-r--r-- | src/mainboard/google/skyrim/Kconfig | 5 | ||||
| -rw-r--r-- | src/mainboard/google/volteer/Kconfig | 4 |
3 files changed, 13 insertions, 0 deletions
diff --git a/src/mainboard/google/brya/Kconfig b/src/mainboard/google/brya/Kconfig index 9066a093c6..4ab0e29632 100644 --- a/src/mainboard/google/brya/Kconfig +++ b/src/mainboard/google/brya/Kconfig @@ -244,6 +244,10 @@ config VBOOT select VBOOT_EARLY_EC_SYNC if !BOARD_GOOGLE_BASEBOARD_NISSA select VBOOT_LID_SWITCH +config VBOOT_GSC_BOARD_ID + string + default "LBTV" if BOARD_GOOGLE_JOXER + config DIMM_SPD_SIZE default 512 diff --git a/src/mainboard/google/skyrim/Kconfig b/src/mainboard/google/skyrim/Kconfig index 5da562ac04..50068e78a4 100644 --- a/src/mainboard/google/skyrim/Kconfig +++ b/src/mainboard/google/skyrim/Kconfig @@ -78,6 +78,11 @@ config VBOOT select VBOOT_SEPARATE_VERSTAGE select VBOOT_STARTS_IN_BOOTBLOCK +# TODO: Remove once CBFS verification on AMD has been fixed. +config VBOOT_GSCVD + bool + default n + if !EM100 # EM100 defaults in soc/amd/common/blocks/spi/Kconfig config EFS_SPI_READ_MODE default 2 # Dual IO (1-1-2) diff --git a/src/mainboard/google/volteer/Kconfig b/src/mainboard/google/volteer/Kconfig index 682d247300..8947cd8bcf 100644 --- a/src/mainboard/google/volteer/Kconfig +++ b/src/mainboard/google/volteer/Kconfig @@ -135,6 +135,10 @@ config CHROMEOS select VBOOT_EARLY_EC_SYNC select VBOOT_LID_SWITCH +config VBOOT_GSCVD + bool + default n + config CHROMEOS_WIFI_SAR bool "Enable SAR options for Chrome OS build" depends on CHROMEOS |