| # SPDX-License-Identifier: GPL-2.0-only |
| |
| menu "Verified Boot (vboot)" |
| |
| config VBOOT_LIB |
| bool |
| help |
| Build and link the vboot library. Makes the vboot API accessible across |
| all coreboot stages, without enabling vboot verification. For verification, |
| please see the VBOOT option below. |
| |
| config VBOOT |
| bool "Verify firmware with vboot." |
| default n |
| select VBOOT_LIB |
| select VBOOT_MOCK_SECDATA if !TPM1 && !TPM2 |
| depends on 0 = 0 # Must have a 'depends on' or board overrides will break it. |
| help |
| Enabling VBOOT will use vboot to verify the components of the firmware |
| (stages, payload, etc). |
| |
| if VBOOT |
| |
| comment "Anti-Rollback Protection disabled because mocking secdata is enabled." |
| depends on VBOOT_MOCK_SECDATA |
| |
| config VBOOT_SLOTS_RW_A |
| bool "Firmware RO + RW_A" |
| help |
| Have one update partition beside the RO partition. |
| |
| config VBOOT_SLOTS_RW_AB |
| bool "Firmware RO + RW_A + RW_B" |
| select VBOOT_SLOTS_RW_A |
| help |
| Have two update partitions beside the RO partition. |
| |
| config VBOOT_VBNV_CMOS |
| bool |
| default n |
| depends on PC80_SYSTEM |
| help |
| VBNV is stored in CMOS |
| |
| config VBOOT_VBNV_OFFSET |
| hex |
| default 0x26 |
| depends on VBOOT_VBNV_CMOS |
| help |
| CMOS offset for VbNv data. This value must match cmos.layout |
| in the mainboard directory, minus 14 bytes for the RTC. |
| |
| config VBOOT_VBNV_CMOS_BACKUP_TO_FLASH |
| bool |
| default n |
| depends on VBOOT_VBNV_CMOS && BOOT_DEVICE_SUPPORTS_WRITES |
| help |
| Vboot non-volatile storage data will be backed up from CMOS to flash |
| and restored from flash if the CMOS is invalid due to power loss. |
| |
| config VBOOT_VBNV_EC |
| bool |
| default n |
| help |
| VBNV is stored in EC |
| |
| config VBOOT_VBNV_FLASH |
| bool |
| default n |
| depends on BOOT_DEVICE_SUPPORTS_WRITES |
| help |
| VBNV is stored in flash storage |
| |
| config VBOOT_STARTS_BEFORE_BOOTBLOCK |
| def_bool n |
| select VBOOT_SEPARATE_VERSTAGE |
| help |
| Firmware verification happens before the main processor is brought |
| online. |
| |
| config VBOOT_STARTS_IN_BOOTBLOCK |
| bool |
| default n |
| help |
| Firmware verification happens during the end of or right after the |
| bootblock. This implies that a static VBOOT2_WORK() buffer must be |
| allocated in memlayout. |
| |
| config VBOOT_STARTS_IN_ROMSTAGE |
| bool |
| default n |
| depends on !VBOOT_STARTS_IN_BOOTBLOCK |
| help |
| Firmware verification happens during the end of romstage (after |
| memory initialization). This implies that the vboot work buffer is |
| in CBMEM from the start and doesn't need to be reserved in memlayout. |
| |
| config VBOOT_MOCK_SECDATA |
| bool "Mock secdata for firmware verification" |
| default n |
| help |
| Enabling VBOOT_MOCK_SECDATA will mock secdata for the firmware |
| verification to avoid access to a secdata storage (typically TPM). |
| All operations on the secdata storage will report success, which |
| also disables anti-rollback protection. This option can be used |
| during development when a TPM is not present or broken. |
| THIS SHOULD NOT BE LEFT ON FOR PRODUCTION DEVICES. |
| |
| config VBOOT_DISABLE_DEV_ON_RECOVERY |
| bool |
| default n |
| help |
| When this option is enabled, the Chrome OS device leaves |
| developer mode as soon as a recovery request is detected. This is |
| handy on embedded devices with limited input capabilities. |
| |
| config VBOOT_SEPARATE_VERSTAGE |
| bool |
| default n |
| depends on VBOOT_STARTS_IN_BOOTBLOCK || VBOOT_STARTS_BEFORE_BOOTBLOCK |
| help |
| If this option is set, vboot verification runs in a standalone stage |
| that is loaded from the bootblock and exits into romstage. If it is |
| not set, the verification code is linked directly into the bootblock |
| or the romstage and runs as part of that stage (cf. related options |
| VBOOT_STARTS_IN_BOOTBLOCK/_ROMSTAGE and VBOOT_RETURN_FROM_VERSTAGE). |
| |
| config VBOOT_RETURN_FROM_VERSTAGE |
| bool |
| default n |
| depends on VBOOT_SEPARATE_VERSTAGE |
| help |
| If this is set, the verstage returns back to the calling stage instead |
| of exiting to the succeeding stage so that the verstage space can be |
| reused by the succeeding stage. This is useful if a RAM space is too |
| small to fit both the verstage and the succeeding stage. |
| |
| config VBOOT_MUST_REQUEST_DISPLAY |
| bool |
| default y if VGA_ROM_RUN |
| default n |
| help |
| Set this option to indicate to vboot that this platform will skip its |
| display initialization on a normal (non-recovery, non-developer) boot. |
| Unless display is specifically requested, the video option ROM is not |
| loaded, and any other native display initialization code is not run. |
| |
| config VBOOT_ALWAYS_ENABLE_DISPLAY |
| bool "Force to always enable display" |
| default n |
| help |
| Set this option to indicate to vboot that display should always be enabled. |
| |
| config VBOOT_ALWAYS_ALLOW_UDC |
| bool "Always allow UDC" |
| default n |
| depends on !CHROMEOS |
| help |
| This option allows UDC to be enabled regardless of the vboot state. |
| |
| config VBOOT_HAS_REC_HASH_SPACE |
| bool |
| default y if MRC_SAVE_HASH_IN_TPM && HAS_RECOVERY_MRC_CACHE |
| default n |
| help |
| Set this option to indicate to vboot that recovery data hash space |
| is present in TPM. |
| |
| config VBOOT_LID_SWITCH |
| bool |
| default n |
| help |
| Whether this platform has a lid switch. If it does, vboot will not |
| decrement try counters for boot failures if the lid is closed. |
| |
| config VBOOT_WIPEOUT_SUPPORTED |
| bool |
| default n |
| help |
| When this option is enabled, the firmware provides the ability to |
| signal to the application the need for a factory reset (a.k.a. wipe |
| out) of the device. |
| |
| config VBOOT_FWID_MODEL |
| string "Firmware ID model" |
| default "Google_\$(CONFIG_MAINBOARD_PART_NUMBER)" if CHROMEOS |
| default "\$(CONFIG_MAINBOARD_VENDOR)_\$(CONFIG_MAINBOARD_PART_NUMBER)" |
| help |
| This is the first part of the FWID written to various regions of a |
| vboot firmware image to identify its version. |
| |
| config VBOOT_FWID_VERSION |
| string "Firmware ID version" |
| default ".\$(KERNELVERSION)" |
| help |
| This is the second part of the FWID written to various regions of a |
| vboot firmware image to identify its version. |
| |
| config VBOOT_NO_BOARD_SUPPORT |
| bool "Allow the use of vboot without board support" |
| default n |
| help |
| Enable weak functions for get_write_protect_state and |
| get_recovery_mode_switch in order to proceed with refactoring |
| of the vboot2 code base. Later on, this code will be removed and |
| replaced by proper interfaces. |
| |
| config RO_REGION_ONLY |
| string "Additional files that should not be copied to RW" |
| default "" |
| help |
| Add a space-delimited list of filenames that should only be in the |
| RO section. |
| |
| config RW_REGION_ONLY |
| string |
| default "" |
| depends on VBOOT_SLOTS_RW_A |
| help |
| Add a space delimited list of filenames that should only be in the |
| RW sections. |
| |
| config RWA_REGION_ONLY |
| string |
| default "" |
| depends on VBOOT_SLOTS_RW_AB |
| help |
| Add a space-delimited list of filenames that should only be in the |
| RW-A section. |
| |
| config RWB_REGION_ONLY |
| string |
| default "" |
| depends on VBOOT_SLOTS_RW_AB |
| help |
| Add a space-delimited list of filenames that should only be in the |
| RW-B section. |
| |
| config VBOOT_ENABLE_CBFS_FALLBACK |
| bool |
| default n |
| depends on VBOOT_SLOTS_RW_A |
| help |
| When this option is enabled, cbfs_boot_locate will look for a file in the RO |
| (COREBOOT) region if it isn't available in the active RW region. |
| |
| config VBOOT_EARLY_EC_SYNC |
| bool |
| default n |
| depends on EC_GOOGLE_CHROMEEC |
| help |
| Enables CrOS EC software sync in romstage, before memory training |
| runs. This is useful mainly as a way to achieve full USB-PD |
| negotiation earlier in the boot flow, as the EC will only do this once |
| it has made the sysjump to its RW firmware. It should not |
| significantly impact boot time, as this operation will be performed |
| later in the boot flow if it is disabled here. |
| |
| config VBOOT_EC_EFS |
| bool "Early firmware selection (EFS) EC" |
| default n |
| help |
| CrosEC can support EFS: Early Firmware Selection. If it's enabled, |
| software sync needs to also support it. This setting tells vboot to |
| perform EFS software sync. |
| |
| menu "GBB configuration" |
| |
| config GBB_HWID |
| string "Hardware ID" |
| default "" |
| help |
| A hardware identifier for the device. On Chrome OS this is used for auto |
| update and recovery, and is generated at manufacturing time by the |
| factory software, in a strictly defined format. |
| Leave empty to get a test-only Chrome OS HWID v2 string generated. |
| |
| config GBB_BMPFV_FILE |
| string "Path to bmpfv image" |
| default "" |
| |
| config GBB_FLAG_DEV_SCREEN_SHORT_DELAY |
| bool "Reduce dev screen delay" |
| default n |
| |
| config GBB_FLAG_LOAD_OPTION_ROMS |
| bool "Load option ROMs" |
| default n |
| |
| config GBB_FLAG_ENABLE_ALTERNATE_OS |
| bool "Allow booting a non-Chrome OS kernel if dev switch is on" |
| default n |
| |
| config GBB_FLAG_FORCE_DEV_SWITCH_ON |
| bool "Force dev switch on" |
| default n |
| |
| config GBB_FLAG_FORCE_DEV_BOOT_USB |
| bool "Allow booting from USB in dev mode even if dev_boot_usb=0" |
| default y |
| |
| config GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK |
| bool "Disable firmware rollback protection" |
| default y |
| help |
| When set, vboot skips the firmware version rollback check. It defaults |
| to on, which suits development builds; production images should not |
| ship with it set. |
| |
| config GBB_FLAG_ENTER_TRIGGERS_TONORM |
| bool "Return to normal boot with Enter" |
| default n |
| |
| config GBB_FLAG_FORCE_DEV_BOOT_LEGACY |
| bool "Allow booting to legacy in dev mode even if dev_boot_legacy=0" |
| default n |
| |
| config GBB_FLAG_RUNNING_FAFT |
| bool "Running FAFT tests; used as a hint to disable other debug features" |
| default n |
| |
| config GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC |
| bool "Disable EC software sync" |
| default n |
| |
| config GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY |
| bool "Default to booting to legacy in dev mode" |
| default n |
| |
| config GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC |
| bool "Disable PD software sync" |
| default n |
| |
| config GBB_FLAG_DISABLE_LID_SHUTDOWN |
| bool "Disable shutdown on closed lid" |
| default n |
| |
| config GBB_FLAG_FORCE_MANUAL_RECOVERY |
| bool "Always assume manual recovery in recovery mode" |
| default n |
| |
| config GBB_FLAG_DISABLE_FWMP |
| bool "Disable Firmware Management Parameters (FWMP)" |
| default n |
| |
| config GBB_FLAG_ENABLE_UDC |
| bool "Enable USB Device Controller" |
| default n |
| |
| endmenu # GBB |
| |
| menu "Vboot Keys" |
| config VBOOT_ROOT_KEY |
| string "Root key (public)" |
| default "\$(VBOOT_SOURCE)/tests/devkeys/root_key.vbpubk" |
| |
| config VBOOT_RECOVERY_KEY |
| string "Recovery key (public)" |
| default "\$(VBOOT_SOURCE)/tests/devkeys/recovery_key.vbpubk" |
| |
| config VBOOT_FIRMWARE_PRIVKEY |
| string "Firmware key (private)" |
| default "\$(VBOOT_SOURCE)/tests/devkeys/firmware_data_key.vbprivk" |
| |
| config VBOOT_KERNEL_KEY |
| string "Kernel subkey (public)" |
| default "\$(VBOOT_SOURCE)/tests/devkeys/kernel_subkey.vbpubk" |
| |
| config VBOOT_KEYBLOCK |
| string "Keyblock to use for the RW regions" |
| default "\$(VBOOT_SOURCE)/tests/devkeys/firmware.keyblock" |
| |
| config VBOOT_KEYBLOCK_VERSION |
| int "Keyblock version number" |
| default 1 |
| |
| config VBOOT_KEYBLOCK_PREAMBLE_FLAGS |
| hex "Keyblock preamble flags" |
| default 0x0 |
| |
| config VBOOT_HASH_BLOCK_SIZE |
| hex |
| default 0x400 |
| help |
| Set the default hash block size. Generally 1k is reasonable, but in some |
| cases it may improve hashing speed to increase the size. |
| |
| Note that this buffer is allocated on the stack. Although the |
| build should fail if the stack size is exceeded, it is something to |
| be aware of when changing the size. |
| |
| endmenu # Keys |
| endif # VBOOT |
| endmenu # Verified Boot (vboot) |