From 967a76bd811088b2a8bd7f008b2436e31ab4e5b3 Mon Sep 17 00:00:00 2001
From: Jakub Czapiga
Date: Fri, 19 Aug 2022 12:25:27 +0200
Subject: vboot: Add VBOOT_CBFS_INTEGRATION support
This patch introduces support signing and verification of firmware slots using CBFS metadata hash verification method for faster initial verification. To have complete verification, CBFS_VERIFICATION should also be enabled, as metadata hash covers only files metadata, not their contents. This patch also adapts mainboards and SoCs to new vboot reset requirements.
TEST=Google Volteer/Voxel boots with VBOOT_CBFS_INTEGRATION enabled
Signed-off-by: Jakub Czapiga
Change-Id: I40ae01c477c4e4f7a1c90e4026a8a868ae64b5ca
Reviewed-on: https://review.coreboot.org/c/coreboot/+/66909
Reviewed-by: Yu-Ping Wu
Tested-by: build bot (Jenkins)
---
 src/include/cbfs_glue.h | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'src/include')
diff --git a/src/include/cbfs_glue.h b/src/include/cbfs_glue.h
index d4fe367d6c..99dc48db5f 100644
--- a/src/include/cbfs_glue.h
+++ b/src/include/cbfs_glue.h
@@ -13,11 +13,17 @@
 * safety, we only need to verify the metadata hash in the initial stage and can assume it stays
 * valid in later stages. If TOCTOU safety is required, we may need them in every stage to
 * reverify metadata that had to be reloaded from flash (e.g. because it didn't fit the mcache).
+ * Moreover, if VBOOT_CBFS_INTEGRATION and verification are both enabled, then hashing functions
+ * are required during verification stage.
 * Note that this only concerns metadata hashing -- file access functions may still link hashing
 * routines independently for file data hashing.
 */
 #define CBFS_ENABLE_HASHING (CONFIG(CBFS_VERIFICATION) && \
- (CONFIG(TOCTOU_SAFETY) || ENV_INITIAL_STAGE))
+ (CONFIG(TOCTOU_SAFETY) || ENV_INITIAL_STAGE || \
+ (CONFIG(VBOOT_CBFS_INTEGRATION) && \
+ (verification_should_run() || \
+ (verstage_should_load() && \
+ CONFIG(VBOOT_RETURN_FROM_VERSTAGE))))))
 #define CBFS_HASH_HWCRYPTO vboot_hwcrypto_allowed()
 #define ERROR(...) printk(BIOS_ERR, "CBFS ERROR: " __VA_ARGS__)
--
cgit v1.2.3
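Review bot: The new `CONFIG(VBOOT_CBFS_INTEGRATION) && ...` term is nested under the outer `CONFIG(CBFS_VERIFICATION) &&`, so in a build with VBOOT_CBFS_INTEGRATION but without CBFS_VERIFICATION the macro still evaluates to 0 and this change enables no metadata hashing in the verification stage. Whether Kconfig forbids that combination is not visible in this hunk; if it does not, a `_Static_assert(!CONFIG(VBOOT_CBFS_INTEGRATION) || CONFIG(CBFS_VERIFICATION), "VBOOT_CBFS_INTEGRATION needs CBFS_VERIFICATION");` beside the macro would make the misconfiguration a build error. The added comment says "verification" where the code tests `verification_should_run()`, and it leaves out the third case; I would word it as ` * Moreover, if VBOOT_CBFS_INTEGRATION is enabled, hashing functions are required in the stage that runs vboot verification, and in the stage that loads verstage when VBOOT_RETURN_FROM_VERSTAGE is set.` Since the flag exists to keep hash code out of stages that do not need it, `verification_should_run()` and `verstage_should_load()` presumably have to stay compile-time-foldable for that to hold.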