diff options
| -rw-r--r-- | Documentation/security/vboot/index.md | 20 | ||||
| -rw-r--r-- | src/lib/cbfs.c | 16 | ||||
| -rw-r--r-- | src/security/vboot/Kconfig | 9 |
3 files changed, 45 insertions, 0 deletions
diff --git a/Documentation/security/vboot/index.md b/Documentation/security/vboot/index.md index 97420893e5..400c2b5149 100644 --- a/Documentation/security/vboot/index.md +++ b/Documentation/security/vboot/index.md @@ -186,6 +186,26 @@ In addition to adding the coreboot files into the read-only region, enabling vboot causes the build script to add the read/write files into coreboot file systems in *FW_MAIN_A* and *FW_MAIN_B*. +**RO_REGION_ONLY** + +The files added to this list will only be placed in the read-only region and +not into the read/write coreboot file systems in *FW_MAIN_A* and *FW_MAIN_B*. + +**VBOOT_ENABLE_CBFS_FALLBACK** + +Normally coreboot will use the active read/write coreboot file system for all +of it's file access when VBOOT is active and is not in recovery mode. + +When the `VBOOT_ENABLE_CBFS_FALLBACK` option is enabled the cbfs file system will +first try to locate a file in the active read/write file system. If the file +doesn't exist here the file system will try to locate the file in the read-only +file system. + +This option can be used to prevent duplication of static data. Files can be +removed from the read/write partitions by adding them to the `RO_REGION_ONLY` +config. If a file needs to be changed in a later stage simply remove it from +this list. + *** ## Signing the coreboot Image diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c index 9ac1bc084b..13b5afb6ea 100644 --- a/src/lib/cbfs.c +++ b/src/lib/cbfs.c @@ -62,6 +62,22 @@ int cbfs_boot_locate(struct cbfsf *fh, const char *name, uint32_t *type) } int ret = cbfs_locate(fh, &rdev, name, type); + + if (CONFIG(VBOOT_ENABLE_CBFS_FALLBACK) && ret) { + + /* + * When VBOOT_ENABLE_CBFS_FALLBACK is enabled and a file is not available in the + * active RW region, the RO (COREBOOT) region will be used to locate the file. + * + * This functionality makes it possible to avoid duplicate files in the RO + * and RW partitions while maintaining updateability. + * + * Files can be added to the RO_REGION_ONLY config option to use this feature. + */ + printk(BIOS_DEBUG, "Fall back to RO region for %s\n", name); + ret = cbfs_locate_file_in_region(fh, "COREBOOT", name, type); + } + if (!ret) if (vboot_measure_cbfs_hook(fh, name)) return -1; diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index e3b8aa68e2..87bb80a561 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -220,6 +220,15 @@ config RO_REGION_ONLY Add a space delimited list of filenames that should only be in the RO section. + +config VBOOT_ENABLE_CBFS_FALLBACK + bool + default n + depends on VBOOT_SLOTS_RW_A + help + When this option is enabled cbfs_boot_locate will look for a file in the RO + (COREBOOT) region if it isn't available in the active RW region. + menu "GBB configuration" config GBB_HWID |