Diffstat (limited to 'src/security')
-rw-r--r--src/security/vboot/Makefile.inc44
1 files changed, 13 insertions, 31 deletions
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index 2caeb17434..252a91efe5 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -344,39 +344,21 @@ files_added:: $(FUTILITY)
$(obj)/coreboot.rom
endif
-# Extract FW_MAIN_? region and minimize it if the last file is empty, so it
-# doesn't contain this empty file (that can have a significant size),
-# improving a lot on hash times due to a smaller amount of data loaded from
-# firmware storage.
-# When passing the minimized image to vbutil_firmware, its length is recorded
-# in the keyblock, and coreboot's vboot code clips the region_device to match,
-# which prevents any potential extension attacks.
-$(obj)/FW_MAIN_%.bin: $(obj)/coreboot.rom
- $(CBFSTOOL) $< truncate -r $(basename $(notdir $@)) > $@.tmp.size
- $(CBFSTOOL) $< read -r $(basename $(notdir $@)) -f $@.tmp
- head -c $$( printf "%d" $$(cat $@.tmp.size)) $@.tmp > $@.tmp2
- mv $@.tmp2 $@
- rm -f $@.tmp $@.tmp.size
-
-$(obj)/VBLOCK_%.bin: $(obj)/FW_MAIN_%.bin $(FUTILITY)
- $(FUTILITY) vbutil_firmware \
- --vblock $@ \
- --keyblock "$(CONFIG_VBOOT_KEYBLOCK)" \
+ifneq (,$(filter y,$(CONFIG_VBOOT_SLOTS_RW_A) $(CONFIG_VBOOT_SLOTS_RW_AB)))
+files_added:: $(obj)/coreboot.rom $(FUTILITY) $(CBFSTOOL)
+ CBFSTOOL="$(CBFSTOOL)" \
+ $(FUTILITY) sign \
--signprivate "$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)" \
- --version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \
- --fv $< \
+ --keyblock "$(CONFIG_VBOOT_KEYBLOCK)" \
--kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \
- --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS)
-
-ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y)
-files_added:: $(obj)/VBLOCK_A.bin $(obj)/VBLOCK_B.bin
- $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin
- $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_B -f $(obj)/VBLOCK_B.bin
- @printf " FLASHMAP Layout generated for RO, A and B partition.\n"
-else ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y)
-files_added:: $(obj)/VBLOCK_A.bin
- $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin
- @printf " FLASHMAP Layout generated for RO and A partition.\n"
+ --version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \
+ --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) \
+ $(obj)/coreboot.rom
+ if [ "$(CONFIG_VBOOT_SLOTS_RW_AB)" = 'y' ]; then \
+ printf " FLASHMAP Layout generated for RO, A and B partition.\n"; \
+ elif [ "$(CONFIG_VBOOT_SLOTS_RW_A)" = 'y' ]; then \
+ printf " FLASHMAP Layout generated for RO and A partition.\n"; \
+ fi
else
files_added::
@printf " FLASHMAP Layout generated for RO partition only.\n"
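Review bot: The added `files_added::` rule drops the old comment explaining that only the populated part of FW_MAIN_? is hashed and that the recorded length lets coreboot clip the region_device against extension attacks, and nothing in the new lines says `futility sign` keeps that property. Presumably `CBFSTOOL="$(CBFSTOOL)"` is what lets futility size each region itself, but that is not visible in the hunk, so the rule should carry a comment such as `# futility sign uses $(CBFSTOOL) to size FW_MAIN_? itself; the signed body length must cover only the populated CBFS so vboot can clip the region_device to it.` As a smaller style point, the `if [ "$(CONFIG_VBOOT_SLOTS_RW_AB)" = 'y' ]; then \` line has no `@` prefix, unlike the `@printf` lines it replaces, so the whole shell conditional is echoed on every build. The `ifneq` block opened here is closed by an `endif` outside the hunk.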