security/vboot: Include new gbb flag to enforce CSE sync

This patch adds a GBB flag to coreboot, which, when enabled, enforces
CSE sync even if the current CSE version matches the version in CBFS.
The CSME sync GBB and flag are designed to enhance autotest
functionalities and are not intended or recommended for use in
developing any other features.

BUG=b:353053317
TEST=futility gbb --help

Cq-Depend: chromium:5718196
Change-Id: I6352959e1e898a90b4c6e12a22f8d6513f90ded9
Signed-off-by: Dinesh Gehlot <digehlot@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/83685
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
Reviewed-by: Subrata Banik <subratabanik@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>

2 files changed, 5 insertions, 0 deletions

diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index e30e8ee372..7e291e0c70 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -451,6 +451,10 @@ config GBB_FLAG_ENABLE_UDC
 	bool "Enable USB Device Controller"
 	default n
 
+config GBB_FLAG_FORCE_CSE_SYNC
+	bool "Running tests; enforce CSE sync"
+	default n
+
 endmenu # GBB
 
 menu "Vboot Keys"
diff --git a/src/security/vboot/Makefile.mk b/src/security/vboot/Makefile.mk
index 48a6c9de91..e9b3eb69f1 100644
--- a/src/security/vboot/Makefile.mk
+++ b/src/security/vboot/Makefile.mk
@@ -265,6 +265,7 @@ GBB_FLAGS := $(call int-add, \
 	$(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_MANUAL_RECOVERY),0x4000) \
 	$(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_FWMP),0x8000) \
 	$(call bool-to-mask,$(CONFIG_GBB_FLAG_ENABLE_UDC),0x10000) \
+	$(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_CSE_SYNC),0x20000) \
 	)
 
 ifneq ($(CONFIG_GBB_BMPFV_FILE),)