| Age | Commit message (Collapse) | Author |
|---|
|
We've just decided to remove the only known use of the VBSD_SW_WP flag
in vboot (https://chromium-review.googlesource.com/c/575389), since it
was unused and never reliable on all platforms anyway. Therefore, we can
now also remove the coreboot infrastructure that supported it. It
doesn't really hurt anyone, but removing it saves a small bit of effort
for future platforms.
Change-Id: I6706eba2761a73482e03f3bf46343cf1d84f154b
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/20628
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
|
|
The virtualized developer switch was invented five years ago and has
been used on every vboot system ever since. We shouldn't need to specify
it again and again for every new board. This patch flips the Kconfig
logic around and replaces CONFIG_VIRTUAL_DEV_SWITCH with
CONFIG_PHYSICAL_DEV_SWITCH, so that only a few ancient boards need to
set it and it fits better with CONFIG_PHYSICAL_REC_SWITCH. (Also set the
latter for Lumpy which seems to have been omitted incorrectly, and hide
it from menuconfig since it's a hardware parameter that shouldn't be
configurable.)
Since almost all our developer switches are virtual, it doesn't make
sense for every board to pass a non-existent or non-functional developer
mode switch in the coreboot tables, so let's get rid of that. It's also
dangerously confusing for many boards to define a get_developer_mode()
function that reads an actual pin (often from a debug header) which will
not be honored by coreboot because CONFIG_PHYSICAL_DEV_SWITCH isn't set.
Therefore, this patch removes all those non-functional instances of that
function. In the future, either the board has a physical dev switch and
must define it, or it doesn't and must not.
In a similar sense (and since I'm touching so many board configs
anyway), it's annoying that we have to keep selecting EC_SOFTWARE_SYNC.
Instead, it should just be assumed by default whenever a Chrome EC is
present in the system. This way, it can also still be overridden by
menuconfig.
CQ-DEPEND=CL:459701
Change-Id: If9cbaa7df530580a97f00ef238e3d9a8a86a4a7f
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/18980
Tested-by: build bot (Jenkins)
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
|
|
Add the necessary files and changes to support vboot.
TEST=Build and run on Galileo Gen2 with a SparkFun CryptoShield
1. Obtain and install a SparkFun CryptoShield.
https://www.sparkfun.com/products/13183
2. Edit src/mainboard/intel/galileo/Kconfig to select
VBOOT_WITH_CRYPTO_SHIELD
3. Use make menuconfig to update the config values and select a
payload that will fit. I used SeaBIOS which does not boot.
4. Build coreboot
5. Use the command file below to generate the signed coreboot image.
6. Flash build/coreboot.rom onto the Galileo board
7. The test is successful if verstage detects that it needs recovery
after Phase 1. This is expected because the image does not contain
the GBB section.
8. Flash build/coreboot.signed.bin onto the Galileo board
9. The test is successful if verstage reaches Phase 4 and selects SLOT
A to load the rest of the files.
commands:
gbb_utility -c 0x100,0x1000,0x7ce80,0x1000 gbb.blob
dd conv=fdatasync ibs=4096 obs=4096 count=1553 \
if=build/coreboot.rom of=build/coreboot.signed.rom
dd conv=fdatasync obs=4096 obs=4096 seek=1553 if=gbb.blob \
of=build/coreboot.signed.rom
dd conv=fdatasync ibs=4096 obs=4096 skip=1680 seek=1680 \
count=368 if=build/coreboot.rom of=build/coreboot.signed.rom
gbb_utility \
--set --hwid='Galileo' \
-r $PWD/keys/recovery_key.vbpubk \
-k $PWD/keys/root_key.vbpubk \
build/coreboot.signed.rom
3rdparty/vboot/scripts/image_signing/sign_firmware.sh \
build/coreboot.signed.rom \
$PWD/keys \
build/coreboot.signed.rom
Change-Id: I02eb0ef647cd34c13a5fe8be0bdbe1bb38524d0c
Signed-off-by: Lee Leahy <leroy.p.leahy@intel.com>
Reviewed-on: https://review.coreboot.org/18821
Tested-by: build bot (Jenkins)
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
|
|
This reverts commit a50ced2eba20a007fa5b486c251c252ad09868cf.
Change-Id: I4f7d3177015bfe280111843014c310e0d333cb17
Signed-off-by: Lee Leahy <leroy.p.leahy@intel.com>
Reviewed-on: https://review.coreboot.org/18814
Tested-by: build bot (Jenkins)
|
|
Add the necessary files and changes to support vboot.
TEST=Build and run on Galileo Gen2 with a SparkFun CryptoShield
1. Obtain and install a SparkFun CryptoShield.
https://www.sparkfun.com/products/13183
2. Edit src/mainboard/intel/galileo/Kconfig to select
VBOOT_WITH_CRYPTO_SHIELD
3. Use make menuconfig to update the config values and select a
payload that will fit. I used SeaBIOS which does not boot.
4. Build coreboot
5. Use the command file below to generate the signed coreboot image.
6. Flash build/coreboot.rom onto the Galileo board
7. The test is successful if verstage detects that it needs recovery
after Phase 1. This is expected because the image does not contain
the GBB section.
8. Flash build/coreboot.signed.bin onto the Galileo board
9. The test is successful if verstage reaches Phase 4 and selects SLOT
A to load the rest of the files.
#!/bin/sh
#
# The necessary tools were built and installed using the following
commands:
#
# pushd 3rdparty/vboot
# make
# sudo make install
# popd
#
# The keys were made using the following command
#
# 3rdparty/vboot/scripts/keygeneration/create_new_keys.sh \
# --4k --4k-root --output $PWD/keys
#
#
# Create the GBB area blob
#
gbb_utility -c 0x100,0x1000,0x7ce80,0x1000 gbb.blob
#
# Add the empty GBB to the coreboot.rom image
#
dd conv=fdatasync ibs=4096 obs=4096 count=1553 \
if=build/coreboot.rom of=build/coreboot.signed.rom
dd conv=fdatasync obs=4096 obs=4096 seek=1553 if=gbb.blob \
of=build/coreboot.signed.rom
dd conv=fdatasync ibs=4096 obs=4096 skip=1680 seek=1680 \
count=368 if=build/coreboot.rom of=build/coreboot.signed.rom
#
# Add the keys and HWID to the GBB
#
gbb_utility \
--set --hwid='Galileo' \
-r $PWD/keys/recovery_key.vbpubk \
-k $PWD/keys/root_key.vbpubk \
build/coreboot.signed.rom
#
# Sign the firmware with the keys
#
3rdparty/vboot/scripts/image_signing/sign_firmware.sh \
build/coreboot.signed.rom \
$PWD/keys \
build/coreboot.signed.rom
Change-Id: I96170412e7bbc2b9c747ff5e2c845f29220353ed
Signed-off-by: Lee Leahy <leroy.p.leahy@intel.com>
Reviewed-on: https://review.coreboot.org/18041
Tested-by: Martin Roth <martinroth@google.com>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
|
