| # SPDX-License-Identifier: GPL-2.0-only |
| |
| menu "Verified Boot (vboot)" |
| |
| config VBOOT_LIB |
| bool |
| help |
| Build and link the vboot library. Makes the vboot API accessible across |
| all coreboot stages, without enabling vboot verification. For verification, |
| please see the VBOOT option below. |
| |
| config VBOOT |
| bool "Verify firmware with vboot." |
| default n |
| select VBOOT_LIB |
| select VBOOT_MOCK_SECDATA if !TPM |
| depends on 0 = 0 # Must have a 'depends on' or board overrides will break it. |
| help |
| Enabling VBOOT will use vboot to verify the components of the firmware |
| (stages, payload, etc). |
| |
| if VBOOT |
| |
| comment "Anti-Rollback Protection disabled because mocking secdata is enabled." |
| depends on VBOOT_MOCK_SECDATA |
| |
| config VBOOT_SLOTS_RW_A |
| bool "Firmware RO + RW_A" |
| help |
| Have one update partition beside the RO partition. |
| |
| config VBOOT_SLOTS_RW_AB |
| bool "Firmware RO + RW_A + RW_B" |
| select VBOOT_SLOTS_RW_A |
| help |
| Have two update partitions beside the RO partition. |
| |
| config VBOOT_CBFS_INTEGRATION |
| bool "Enable vboot and CBFS integration" |
| default n |
| depends on VBOOT_SLOTS_RW_A |
| depends on CBFS_VERIFICATION |
| select INCLUDE_CONFIG_FILE # futility needs this to auto-detect signing type |
| help |
| Say yes here to enable cryptographic verification of RW slots CBFS |
| metadata. This will replace body hash verification. |
| |
| This option enables integration of vboot and CBFS. Verification of RW |
| slots is performed by calculation of their CBFS metadata hash. |
| It also requires CBFS_VERIFICATION to be enabled, so that CBFS files |
| contents are correctly verified. |
| |
| config VBOOT_VBNV_CMOS |
| bool |
| default n |
| depends on PC80_SYSTEM |
| help |
| VBNV is stored in CMOS |
| |
| config VBOOT_VBNV_OFFSET |
| hex |
| default 0x26 |
| depends on VBOOT_VBNV_CMOS |
| help |
| CMOS offset for VbNv data. This value must match cmos.layout |
| in the mainboard directory, minus 14 bytes for the RTC. |
| |
| config VBOOT_VBNV_CMOS_BACKUP_TO_FLASH |
| bool |
| default n |
| depends on VBOOT_VBNV_CMOS && BOOT_DEVICE_SUPPORTS_WRITES |
| help |
| Vboot non-volatile storage data will be backed up from CMOS to flash |
| and restored from flash if the CMOS is invalid due to power loss. |
| |
| config VBOOT_VBNV_FLASH |
| bool |
| default n |
| depends on BOOT_DEVICE_SUPPORTS_WRITES |
| help |
| VBNV is stored in flash storage |
| |
| config VBOOT_STARTS_BEFORE_BOOTBLOCK |
| def_bool n |
| select VBOOT_SEPARATE_VERSTAGE |
| help |
| Firmware verification happens before the main processor is brought |
| online. |
| |
| config VBOOT_STARTS_IN_BOOTBLOCK |
| bool |
| default n |
| help |
| Firmware verification happens during the end of or right after the |
| bootblock. This implies that a static VBOOT2_WORK() buffer must be |
| allocated in memlayout. |
| |
| config VBOOT_STARTS_IN_ROMSTAGE |
| bool |
| default n |
| depends on !VBOOT_STARTS_IN_BOOTBLOCK |
| help |
| Firmware verification happens during the end of romstage (after |
| memory initialization). This implies that the vboot work buffer is |
| in CBMEM from the start and doesn't need to be reserved in memlayout. |
| |
| config VBOOT_MOCK_SECDATA |
| bool "Mock secdata for firmware verification" |
| default n |
| help |
| Enabling VBOOT_MOCK_SECDATA will mock secdata for the firmware |
| verification to avoid access to a secdata storage (typically TPM). |
| All operations for a secdata storage will be successful. This option |
| can be used during development when a TPM is not present or broken. |
| THIS SHOULD NOT BE LEFT ON FOR PRODUCTION DEVICES. |
| |
| config VBOOT_DISABLE_DEV_ON_RECOVERY |
| bool |
| default n |
| help |
| When this option is enabled, the ChromeOS device leaves the |
| developer mode as soon as recovery request is detected. This is |
| handy on embedded devices with limited input capabilities. |
| |
| config VBOOT_SEPARATE_VERSTAGE |
| bool |
| default n |
| depends on VBOOT_STARTS_IN_BOOTBLOCK || VBOOT_STARTS_BEFORE_BOOTBLOCK |
| help |
| If this option is set, vboot verification runs in a standalone stage |
| that is loaded from the bootblock and exits into romstage. If it is |
| not set, the verification code is linked directly into the bootblock |
| or the romstage and runs as part of that stage (cf. related options |
| VBOOT_STARTS_IN_BOOTBLOCK/_ROMSTAGE and VBOOT_RETURN_FROM_VERSTAGE). |
| |
| config VBOOT_RETURN_FROM_VERSTAGE |
| bool |
| default n |
| depends on VBOOT_SEPARATE_VERSTAGE |
| help |
| If this is set, the verstage returns back to the calling stage instead |
| of exiting to the succeeding stage so that the verstage space can be |
| reused by the succeeding stage. This is useful if a RAM space is too |
| small to fit both the verstage and the succeeding stage. |
| |
| config VBOOT_MUST_REQUEST_DISPLAY |
| bool |
| default y if VGA_ROM_RUN |
| default n |
| help |
| Set this option to indicate to vboot that this platform will skip its |
| display initialization on a normal (non-recovery, non-developer) boot. |
| Unless display is specifically requested, the video option ROM is not |
| loaded, and any other native display initialization code is not run. |
| |
| config VBOOT_ALWAYS_ENABLE_DISPLAY |
| bool "Force to always enable display" |
| default n |
| help |
| Set this option to indicate to vboot that display should always be enabled. |
| |
| config VBOOT_ALWAYS_ALLOW_UDC |
| bool "Always allow UDC" |
| default n |
| depends on !CHROMEOS |
| help |
| This option allows UDC to be enabled regardless of the vboot state. |
| |
| config VBOOT_HAS_REC_HASH_SPACE |
| bool |
| default y if MRC_SAVE_HASH_IN_TPM && HAS_RECOVERY_MRC_CACHE |
| default n |
| help |
| Set this option to indicate to vboot that recovery data hash space |
| is present in TPM. |
| |
| config VBOOT_LID_SWITCH |
| bool |
| default n |
| help |
| Whether this platform has a lid switch. If it does, vboot will not |
| decrement try counters for boot failures if the lid is closed. |
| |
| config VBOOT_WIPEOUT_SUPPORTED |
| bool |
| default n |
| help |
| When this option is enabled, the firmware provides the ability to |
| signal the application the need for factory reset (a.k.a. wipe |
| out) of the device |
| |
| config VBOOT_FWID_MODEL |
| string "Firmware ID model" |
| default "Google_\$(CONFIG_MAINBOARD_PART_NUMBER)" if CHROMEOS |
| default "\$(CONFIG_MAINBOARD_VENDOR)_\$(CONFIG_MAINBOARD_PART_NUMBER)" |
| help |
| This is the first part of the FWID written to various regions of a |
| vboot firmware image to identify its version. |
| |
| config VBOOT_FWID_VERSION |
| string "Firmware ID version" |
| default ".\$(KERNELVERSION)" |
| help |
| This is the second part of the FWID written to various regions of a |
| vboot firmware image to identify its version. |
| |
| config VBOOT_NO_BOARD_SUPPORT |
| bool "Allow the use of vboot without board support" |
| default n |
| help |
| Enable weak functions for get_write_protect_state and |
| get_recovery_mode_switch in order to proceed with refactoring |
| of the vboot2 code base. Later on this code is removed and replaced |
| by interfaces. |
| |
| config RO_REGION_ONLY |
| string "Additional files that should not be copied to RW" |
| default "" |
| help |
| Add a space delimited list of filenames that should only be in the |
| RO section. |
| |
| config RW_REGION_ONLY |
| string |
| default "" |
| depends on VBOOT_SLOTS_RW_A |
| help |
| Add a space delimited list of filenames that should only be in the |
| RW sections. |
| |
| config RWA_REGION_ONLY |
| string |
| default "" |
| depends on VBOOT_SLOTS_RW_AB |
| help |
| Add a space-delimited list of filenames that should only be in the |
| RW-A section. |
| |
| config RWB_REGION_ONLY |
| string |
| default "" |
| depends on VBOOT_SLOTS_RW_AB |
| help |
| Add a space-delimited list of filenames that should only be in the |
| RW-B section. |
| |
| config CBFS_MCACHE_RW_PERCENTAGE |
| int "Percentage of CBFS metadata cache used for RW CBFS" |
| depends on !NO_CBFS_MCACHE |
| default 50 |
| help |
| The amount of the CBFS_MCACHE area that's used for the RW CBFS, in |
| percent from 0 to 100. The remaining area will be used for the RO |
| CBFS. Default is an even 50/50 split. When VBOOT is disabled, this |
| will automatically be 0 (meaning the whole MCACHE is used for RO). |
| Do NOT change this value for vboot RW updates! |
| |
| config VBOOT_ENABLE_CBFS_FALLBACK |
| bool |
| default n |
| depends on VBOOT_SLOTS_RW_A |
| help |
| When this option is enabled, the CBFS code will look for a file in the |
| RO (COREBOOT) region if it isn't available in the active RW region. |
| |
| config VBOOT_EARLY_EC_SYNC |
| bool |
| default n |
| depends on EC_GOOGLE_CHROMEEC |
| help |
| Enables CrOS EC software sync in romstage, before memory training |
| runs. This is useful mainly as a way to achieve full USB-PD |
| negotiation earlier in the boot flow, as the EC will only do this once |
| it has made the sysjump to its RW firmware. It should not |
| significantly impact boot time, as this operation will be performed |
| later in the boot flow if it is disabled here. |
| |
| config VBOOT_EC_EFS |
| bool "Early firmware selection (EFS) EC" |
| default n |
| help |
| CrosEC can support EFS: Early Firmware Selection. If it's enabled, |
| software sync needs to also support it. This setting tells vboot to |
| perform EFS software sync. |
| |
| config VBOOT_X86_SHA256_ACCELERATION |
| bool "Use sha extension for sha256 hash calculation" |
| default n |
| depends on ARCH_X86 |
| help |
| Use sha256msg1, sha256msg2, sha256rnds2 instruction to accelerate |
| SHA hash calculation in vboot. |
| |
| config VBOOT_ARMV8_CE_SHA256_ACCELERATION |
| bool "Use ARMv8 Crypto Extension for sha256 hash calculation" |
| default y if CHROMEOS |
| default n |
| depends on ARCH_ARM64 |
| help |
| Use ARMv8 Crypto Extension to accelerate SHA hash calculation in vboot. |
| |
| config VBOOT_DEFINE_WIDEVINE_COUNTERS |
| bool |
| default n |
| help |
| Set up Widevine Secure Counters in TPM NVRAM by defining space. Enabling this |
| config will only define the counter space. Counters need to be incremented |
| separately before any read operation is performed on them. |
| |
| config VBOOT_HASH_BLOCK_SIZE |
| hex |
| default 0x400 |
| help |
| Set the default hash size. Generally 1k is reasonable, but in some |
| cases it may improve hashing speed to increase the size. |
| |
| Note that this buffer is allocated in the stack. Although the |
| build should fail if the stack size is exceeded, it's something to |
| be aware of when changing the size. |
| |
| config VBOOT_GSCVD |
| bool "Generate GSC verification data" |
| depends on TPM_GOOGLE |
| select CBFS_VERIFICATION |
| default n if TPM_GOOGLE_CR50 |
| default y |
| help |
| Generate a Google Security Chip Verification Data (GSCVD) structure on the flash to |
| allow the GSC to verify the CBFS verification anchor. Used by default with Ti50 GSCs. |
| Requires an RO_GSCVD FMAP section. |
| |
| config VBOOT_GSC_BOARD_ID |
| string |
| depends on VBOOT_GSCVD |
| default "ZZCR" |
| help |
| GSC board ID to be embedded in the GSCVD. Usually each specific mainboard variant |
| has its own. Google engineers can find these in the go/cros-dlm database ("Products"). |
| The specific board IDs are filled in as part of the production signing process, so |
| this value is just a default and doesn't need to be set per-variant in coreboot. |
| (Note: This is a completely separate thing from coreboot's `board_id()` function.) |
| |
| menu "GBB configuration" |
| |
| config GBB_HWID |
| string "Hardware ID" |
| default "" |
| help |
| A hardware identifier for device. On ChromeOS this is used for auto |
| update and recovery, and will be generated when manufacturing by the |
| factory software, in a strictly defined format. |
| Leave empty to get a test-only ChromeOS HWID v2 string generated. |
| |
| config GBB_BMPFV_FILE |
| string "Path to bmpfv image" |
| default "" |
| |
| config GBB_FLAG_DEV_SCREEN_SHORT_DELAY |
| bool "Reduce dev screen delay" |
| default n |
| |
| config GBB_FLAG_LOAD_OPTION_ROMS |
| bool "Load option ROMs" |
| default n |
| |
| config GBB_FLAG_ENABLE_ALTERNATE_OS |
| bool "Allow booting a non-ChromeOS kernel if dev switch is on" |
| default n |
| |
| config GBB_FLAG_FORCE_DEV_SWITCH_ON |
| bool "Force dev switch on" |
| default n |
| |
| config GBB_FLAG_FORCE_DEV_BOOT_USB |
| bool "Allow booting from USB in dev mode even if dev_boot_usb=0" |
| default y |
| |
| config GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK |
| bool "Disable firmware rollback protection" |
| default y |
| |
| config GBB_FLAG_ENTER_TRIGGERS_TONORM |
| bool "Return to normal boot with Enter" |
| default n |
| |
| config GBB_FLAG_FORCE_DEV_BOOT_ALTFW |
| bool "Allow booting altfw in dev mode even if dev_boot_altfw=0" |
| default n |
| |
| config GBB_FLAG_RUNNING_FAFT |
| bool "Running FAFT tests; used as a hint to disable other debug features" |
| default n |
| |
| config GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC |
| bool "Disable EC software sync" |
| default n |
| |
| config GBB_FLAG_DEFAULT_DEV_BOOT_ALTFW |
| bool "Default to booting altfw in dev mode" |
| default n |
| |
| config GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC |
| bool "Disable PD software sync" |
| default n |
| |
| config GBB_FLAG_DISABLE_LID_SHUTDOWN |
| bool "Disable shutdown on closed lid" |
| default n |
| |
| config GBB_FLAG_FORCE_MANUAL_RECOVERY |
| bool "Always assume manual recovery in recovery mode" |
| default n |
| |
| config GBB_FLAG_DISABLE_FWMP |
| bool "Disable Firmware Management Parameters (FWMP)" |
| default n |
| |
| config GBB_FLAG_ENABLE_UDC |
| bool "Enable USB Device Controller" |
| default n |
| |
| endmenu # GBB |
| |
| menu "Vboot Keys" |
| config VBOOT_ROOT_KEY |
| string "Root key (public)" |
| default "\$(VBOOT_SOURCE)/tests/devkeys/root_key.vbpubk" |
| |
| config VBOOT_RECOVERY_KEY |
| string "Recovery key (public)" |
| default "\$(VBOOT_SOURCE)/tests/devkeys/recovery_key.vbpubk" |
| |
| config VBOOT_FIRMWARE_PRIVKEY |
| string "Firmware key (private)" |
| default "\$(VBOOT_SOURCE)/tests/devkeys/firmware_data_key.vbprivk" |
| |
| config VBOOT_KERNEL_KEY |
| string "Kernel subkey (public)" |
| default "\$(VBOOT_SOURCE)/tests/devkeys/kernel_subkey.vbpubk" |
| |
| config VBOOT_KEYBLOCK |
| string "Keyblock to use for the RW regions" |
| default "\$(VBOOT_SOURCE)/tests/devkeys/firmware.keyblock" |
| |
| config VBOOT_KEYBLOCK_VERSION |
| int "Keyblock version number" |
| default 1 |
| |
| config VBOOT_KEYBLOCK_PREAMBLE_FLAGS |
| hex "Keyblock preamble flags" |
| default 0x0 |
| |
| if VBOOT_GSCVD |
| |
| config VBOOT_GSCVD_ROOT_PUBKEY |
| string "GSCVD root key (public)" |
| default "\$(VBOOT_SOURCE)/tests/devkeys/arv_root.vbpubk" |
| |
| config VBOOT_GSCVD_PLATFORM_PRIVKEY |
| string "GSCVD platform key (private)" |
| default "\$(VBOOT_SOURCE)/tests/devkeys/arv_platform.vbprivk" |
| |
| config VBOOT_GSCVD_PLATFORM_KEYBLOCK |
| string "GSCVD platform keyblock (public)" |
| default "\$(VBOOT_SOURCE)/tests/devkeys/arv_platform.keyblock" |
| |
| endif # VBOOT_GSCVD |
| |
| endmenu # Keys |
| endif # VBOOT |
| endmenu # Verified Boot (vboot) |