authorJulius Werner <jwerner@chromium.org>2022-05-19 14:37:21 -0700
committerFelix Held <felix-coreboot@felixheld.de>2022-06-21 12:31:48 +0000
commit5eda52a599e9dac2f51de3738c9da0a8d96ee17a (patch)
tree67b54142260c70a1433538ebf2a8ed42c8b3d88f /src/security/vboot/Kconfig
parent600856dec27dcb32687c8d0098a92822024c7f2c (diff)
security/vboot: Add support for GSCVD (Google "RO verification")
This patch adds a new CONFIG_VBOOT_GSCVD option that will be enabled by default for TPM_GOOGLE_TI50 devices. It makes the build system run the `futility gscvd` command to create a GSCVD (GSC verification data) which signs the CBFS trust anchor (bootblock and GBB). In order for this to work, boards will need to have an RO_GSCVD section in their FMAP, and production boards should override the CONFIG_VBOOT_GSC_BOARD_ID option with the correct ID for each variant. BUG=b:229015103 Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: I1cf86e90b2687e81edadcefa5a8826b02fbc8b24 Reviewed-on: https://review.coreboot.org/c/coreboot/+/64707 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Yu-Ping Wu <yupingso@google.com>
Diffstat (limited to 'src/security/vboot/Kconfig')
-rw-r--r--src/security/vboot/Kconfig54
1 files changed, 45 insertions, 9 deletions
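diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index 3e29c7e655..04770c94eb 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -290,6 +290,37 @@ config VBOOT_DEFINE_WIDEVINE_COUNTERS
 config will only define the counter space. Counters need to be incremented
 separately before any read operation is performed on them.
+config VBOOT_HASH_BLOCK_SIZE
+ hex
+ default 0x400
+ help
+ Set the default hash size. Generally 1k is reasonable, but in some
+ cases it may improve hashing speed to increase the size.
+
+ Note that this buffer is allocated in the stack. Although the
+ build should fail if the stack size is exceeded, it's something to
+ be aware of when changing the size.
+
+config VBOOT_GSCVD
+ bool "Generate GSC verification data"
+ depends on TPM_GOOGLE
+ select CBFS_VERIFICATION
+ default n if TPM_GOOGLE_CR50
+ default y
+ help
+ Generate a Google Security Chip Verification Data (GSCVD) structure on the flash to
+ allow the GSC to verify the CBFS verification anchor. Used by default with Ti50 GSCs.
+ Requires an RO_GSCVD FMAP section.
+
+config VBOOT_GSC_BOARD_ID
+ string
+ depends on VBOOT_GSCVD
+ default "ZZCR"
+ help
+ GSC board ID to be embedded in the GSCVD. Usually each specific mainboard variant
+ has its own. Google engineers can find these in the go/cros-dlm database ("Products").
+ (Note: This is a completely separate thing from coreboot's `board_id()` function.)
+
 menu "GBB configuration"
 config GBB_HWID
@@ -400,16 +431,21 @@ config VBOOT_KEYBLOCK_PREAMBLE_FLAGS
 hex "Keyblock preamble flags"
 default 0x0
-config VBOOT_HASH_BLOCK_SIZE
- hex
- default 0x400
- help
- Set the default hash size. Generally 1k is reasonable, but in some
- cases it may improve hashing speed to increase the size.
+if VBOOT_GSCVD
- Note that this buffer is allocated in the stack. Although the
- build should fail if the stack size is exceeded, it's something to
- be aware of when changing the size.
+config VBOOT_GSCVD_ROOT_PUBKEY
+ string "GSCVD root key (public)"
+ default "\$(VBOOT_SOURCE)/tests/devkeys/arv_root.vbpubk"
+
+config VBOOT_GSCVD_PLATFORM_PRIVKEY
+ string "GSCVD platform key (private)"
+ default "\$(VBOOT_SOURCE)/tests/devkeys/arv_platform.vbprivk"
+
+config VBOOT_GSCVD_PLATFORM_KEYBLOCK
+ string "GSCVD platform keyblock (public)"
+ default "\$(VBOOT_SOURCE)/tests/devkeys/arv_platform.keyblock"
+
+endif # VBOOT_GSCVD
 endmenu # Keys
 endif # VBOOT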
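Review bot: The three options added under `if VBOOT_GSCVD` in the second hunk (VBOOT_GSCVD_ROOT_PUBKEY, VBOOT_GSCVD_PLATFORM_PRIVKEY, VBOOT_GSCVD_PLATFORM_KEYBLOCK) have no `help` block, unlike every other option in this file, and their defaults point into `$(VBOOT_SOURCE)/tests/devkeys/`, i.e. the vboot development keys that ship with the source tree, so a board that never overrides them ends up with a GSCVD signed by keys anyone can obtain. I would add a help block to each, e.g. for the private key: `Path to the private key used to sign the GSCVD. The default is the vboot devkey and is only suitable for development; production builds must point this at the board's own platform key.`, with matching wording for the root public key and the platform keyblock. The VBOOT_GSC_BOARD_ID help in the first hunk could likewise state that the `"ZZCR"` default is a placeholder that production variants are expected to override, which the commit message says but the Kconfig text does not. The new `if VBOOT_GSCVD` block sits inside the "Keys" menu while VBOOT_GSCVD itself is defined outside it; functionally fine, but a one-line cross-reference in the VBOOT_GSCVD help ("key paths are configured under the Keys menu") would help users find the overrides.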