From 5eda52a599e9dac2f51de3738c9da0a8d96ee17a Mon Sep 17 00:00:00 2001 From: Julius Werner Date: Thu, 19 May 2022 14:37:21 -0700 Subject: security/vboot: Add support for GSCVD (Google "RO verification") This patch adds a new CONFIG_VBOOT_GSCVD option that will be enabled by default for TPM_GOOGLE_TI50 devices. It makes the build system run the `futility gscvd` command to create a GSCVD (GSC verification data) which signs the CBFS trust anchor (bootblock and GBB). In order for this to work, boards will need to have an RO_GSCVD section in their FMAP, and production boards should override the CONFIG_VBOOT_GSC_BOARD_ID option with the correct ID for each variant. BUG=b:229015103 Signed-off-by: Julius Werner Change-Id: I1cf86e90b2687e81edadcefa5a8826b02fbc8b24 Reviewed-on: https://review.coreboot.org/c/coreboot/+/64707 Tested-by: build bot (Jenkins) Reviewed-by: Yu-Ping Wu --- src/mainboard/google/brya/Kconfig | 4 ++++ src/mainboard/google/skyrim/Kconfig | 5 +++++ src/mainboard/google/volteer/Kconfig | 4 ++++ 3 files changed, 13 insertions(+) (limited to 'src/mainboard') diff --git a/src/mainboard/google/brya/Kconfig b/src/mainboard/google/brya/Kconfig index 9066a093c6..4ab0e29632 100644 --- a/src/mainboard/google/brya/Kconfig +++ b/src/mainboard/google/brya/Kconfig @@ -244,6 +244,10 @@ config VBOOT select VBOOT_EARLY_EC_SYNC if !BOARD_GOOGLE_BASEBOARD_NISSA select VBOOT_LID_SWITCH +config VBOOT_GSC_BOARD_ID + string + default "LBTV" if BOARD_GOOGLE_JOXER + config DIMM_SPD_SIZE default 512 diff --git a/src/mainboard/google/skyrim/Kconfig b/src/mainboard/google/skyrim/Kconfig index 5da562ac04..50068e78a4 100644 --- a/src/mainboard/google/skyrim/Kconfig +++ b/src/mainboard/google/skyrim/Kconfig @@ -78,6 +78,11 @@ config VBOOT select VBOOT_SEPARATE_VERSTAGE select VBOOT_STARTS_IN_BOOTBLOCK +# TODO: Remove once CBFS verification on AMD has been fixed. +config VBOOT_GSCVD + bool + default n + if !EM100 # EM100 defaults in soc/amd/common/blocks/spi/Kconfig config EFS_SPI_READ_MODE default 2 # Dual IO (1-1-2) diff --git a/src/mainboard/google/volteer/Kconfig b/src/mainboard/google/volteer/Kconfig index 682d247300..8947cd8bcf 100644 --- a/src/mainboard/google/volteer/Kconfig +++ b/src/mainboard/google/volteer/Kconfig @@ -135,6 +135,10 @@ config CHROMEOS select VBOOT_EARLY_EC_SYNC select VBOOT_LID_SWITCH +config VBOOT_GSCVD + bool + default n + config CHROMEOS_WIFI_SAR bool "Enable SAR options for Chrome OS build" depends on CHROMEOS -- cgit v1.2.3