author | Philipp Deppenwiese <zaolin@das-labor.org> | 2018-07-28 23:30:49 +0200 |
---|---|---|
committer | Philipp Deppenwiese <zaolin.daisuki@gmail.com> | 2018-11-08 16:19:37 +0000 |
commit | a558ca9aaee1849a400885189038528afa272ef7 (patch) | |
tree | a637e73b4a53958534d6abbe0c38fd07019613cc /src | |
parent | de462804e1ba253285daa4c1ec0edf6da61fbc15 (diff) |
security/vboot: Add selection for firmware slots used by VBOOT
Make the firmware slot configuration in VBOOT selectable. The following
three modes are available:
-RO only
-RO + RW_A
-RO + RW_A + RW_B
The mode "RO only" is the lowest mode with no safety during update.
You can select either RW_A or RW_AB via Kconfig which will add the
selected partitions to the final image.
Change-Id: I278fc060522b13048b00090b8e5261c14496f56e
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Signed-off-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-on: https://review.coreboot.org/27714
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/security/vboot/Kconfig | 13 | ||||
-rw-r--r-- | src/security/vboot/Makefile.inc | 29 | ||||
-rw-r--r-- | src/vendorcode/google/chromeos/Kconfig | 1 |
3 files changed, 42 insertions, 1 deletions
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index 77483d1a43..a3e9b863cf 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -1,6 +1,7 @@ ## This file is part of the coreboot project. ## ## Copyright (C) 2014 The ChromiumOS Authors. All rights reserved. +## Copyright (C) 2018 Siemens AG ## ## This program is free software; you can redistribute it and/or modify ## it under the terms of the GNU General Public License as published by @@ -25,6 +26,18 @@ config VBOOT if VBOOT +config VBOOT_SLOTS_RW_A + bool "Firmware RO + RW_A" + help + Have one update partition beside the RO partition. + +config VBOOT_SLOTS_RW_AB + bool "Firmware RO + RW_A + RW_B" + select VBOOT_SLOTS_RW_A + help + Have two update partitions beside the RO partition. + + config VBOOT_VBNV_CMOS bool default n diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index f51db80b12..da5d5b146e 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -2,6 +2,7 @@ ## This file is part of the coreboot project. ## ## Copyright (C) 2014 The ChromiumOS Authors. All rights reserved. +## Copyright (C) 2018 Siemens AG ## ## This program is free software; you can redistribute it and/or modify ## it under the terms of the GNU General Public License as published by @@ -144,6 +145,17 @@ postinclude-hooks += $$(eval romstage-srcs += $$(verstage-srcs)) endif endif # CONFIG_VBOOT_SEPARATE_VERSTAGE +#RO-Partition is always there! +VBOOT_PARTITIONS := COREBOOT +# Check for RW_A partition +ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y) +VBOOT_PARTITIONS += FW_MAIN_A +endif +# Check for RW_B partition +ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y) +VBOOT_PARTITIONS += FW_MAIN_B +endif + # Define a list of files that need to be in RO only. # All other files will be installed into RO and RW regions # Use $(sort) to cut down on extra spaces that would be translated to commas 
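Review bot: Neither `VBOOT_SLOTS_RW_A` nor `VBOOT_SLOTS_RW_AB` has a `default`, so as far as this diff shows any VBOOT configuration that does not enable CHROMEOS now builds with `VBOOT_PARTITIONS := COREBOOT` only. The line replaced in the `@@ -161,7 +173,7 @@` hunk of Makefile.inc always listed `COREBOOT FW_MAIN_A FW_MAIN_B`, so this is a silent change of layout for existing configs, and it is also what reaches the RO-only `else` branch of `files_added`. If the previous layout is meant to stay the default, add `default y` under `config VBOOT_SLOTS_RW_AB`. Otherwise the help text should state the consequence, for example `Leaving both slot options unset builds an RO-only image with no fallback if an update fails.`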
@@ -161,7 +173,7 @@ regions-for-file = $(subst $(spc),$(comma),$(sort \ cmos_layout.bin \ cmos.default \ $(call strip_quotes,$(CONFIG_RO_REGION_ONLY)) \ - ,$(1)),COREBOOT,COREBOOT FW_MAIN_A FW_MAIN_B))) + ,$(1)),COREBOOT,$(VBOOT_PARTITIONS)))) CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID)) CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE)) @@ -237,8 +249,12 @@ build_complete:: $(obj)/gbb.region $(obj)/fwid.region @printf " WRITE GBB\n" $(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -i 0 -f $(obj)/gbb.region $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RO_FRID -i 0 -f $(obj)/fwid.region +ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y) $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region +endif +ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y) $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_B -i 0 -f $(obj)/fwid.region +endif ifneq ($(shell grep "SHARED_DATA" "$(CONFIG_FMDFILE)"),) build_complete:: @@ -270,8 +286,19 @@ $(obj)/VBLOCK_%.bin: $(obj)/FW_MAIN_%.bin $(FUTILITY) --kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \ --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) +ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y) files_added:: $(obj)/VBLOCK_A.bin $(obj)/VBLOCK_B.bin $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_B -f $(obj)/VBLOCK_B.bin + @printf " FLASHMAP Layout generated for RO, A and B partition.\n" +else ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y) +files_added:: $(obj)/VBLOCK_A.bin + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin + @printf " FLASHMAP Layout generated for RO and A partition.\n" +else +files_added:: + @printf " FLASHMAP Layout generated for RO partition only.\n" + @printf " Beware that there is no failure safety in case of update now!\n" +endif endif # CONFIG_VBOOT diff --git a/src/vendorcode/google/chromeos/Kconfig b/src/vendorcode/google/chromeos/Kconfig index 1dd726f551..26ee31edc7 100644 
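Review bot: The slot selection is never checked against the flashmap description, so the `write -u -r VBLOCK_B` line here and the `RW_FWID_B` line in the `@@ -237,8 +249,12 @@` hunk only work if `CONFIG_FMDFILE` defines those regions. In the other direction, an FMD that still defines RW regions while both options are unset would presumably leave them without a VBLOCK. The file already greps `CONFIG_FMDFILE` for `SHARED_DATA`, so a parse-time guard in the same style would catch a mismatch early, something like `ifeq ($(shell grep "FW_MAIN_B" "$(CONFIG_FMDFILE)"),)` / `$(error VBOOT_SLOTS_RW_AB needs FW_MAIN_B in the FMD file)` / `endif` inside the RW_AB case. Separately, the messages say "FLASHMAP Layout generated", but the recipe lines visible here only write VBLOCK regions into coreboot.rom; wording such as `VBLOCKs written for RO and A partition.` would describe what the rule does.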
--- a/src/vendorcode/google/chromeos/Kconfig +++ b/src/vendorcode/google/chromeos/Kconfig @@ -25,6 +25,7 @@ config CHROMEOS select COLLECT_TIMESTAMPS select VBOOT select VPD + select VBOOT_SLOTS_RW_AB help Enable ChromeOS specific features like the GPIO sub table in the coreboot table. NOTE: Enabling this option on an unsupported |