security/vboot: Add support for GSCVD (Google "RO verification")
This patch adds a new CONFIG_VBOOT_GSCVD option that will be enabled by
default for TPM_GOOGLE_TI50 devices. It makes the build system run the
`futility gscvd` command to create a GSCVD (GSC verification data) which
signs the CBFS trust anchor (bootblock and GBB). In order for this to
work, boards will need to have an RO_GSCVD section in their FMAP, and
production boards should override the CONFIG_VBOOT_GSC_BOARD_ID option
with the correct ID for each variant.
BUG=b:229015103
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I1cf86e90b2687e81edadcefa5a8826b02fbc8b24
Reviewed-on: https://review.coreboot.org/c/coreboot/+/64707
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
diff --git a/src/mainboard/google/brya/Kconfig b/src/mainboard/google/brya/Kconfig
index 9066a09..4ab0e29 100644
--- a/src/mainboard/google/brya/Kconfig
+++ b/src/mainboard/google/brya/Kconfig
@@ -244,6 +244,10 @@
select VBOOT_EARLY_EC_SYNC if !BOARD_GOOGLE_BASEBOARD_NISSA
select VBOOT_LID_SWITCH
+config VBOOT_GSC_BOARD_ID
+ string
+ default "LBTV" if BOARD_GOOGLE_JOXER
+
config DIMM_SPD_SIZE
default 512