| ## This file is part of the coreboot project. |
| ## |
| ## Copyright (C) 2014 The ChromiumOS Authors. All rights reserved. |
| ## |
| ## This program is free software; you can redistribute it and/or modify |
| ## it under the terms of the GNU General Public License as published by |
| ## the Free Software Foundation; version 2 of the License. |
| ## |
| ## This program is distributed in the hope that it will be useful, |
| ## but WITHOUT ANY WARRANTY; without even the implied warranty of |
| ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| ## GNU General Public License for more details. |
| ## |
| |
| config VBOOT_VBNV_OFFSET |
| hex |
| default 0x26 |
| depends on PC80_SYSTEM |
| help |
| CMOS offset for VbNv data. This value must match cmos.layout |
| in the mainboard directory, minus 14 bytes for the RTC. |
| |
| config VBOOT_VBNV_CMOS |
| bool "Vboot non-volatile storage in CMOS." |
| default n |
| help |
| VBNV is stored in CMOS |
| |
| config VBOOT_VBNV_CMOS_BACKUP_TO_FLASH |
| bool "Back up Vboot non-volatile storage from CMOS to flash." |
| default n |
| depends on VBOOT_VBNV_CMOS && BOOT_DEVICE_SUPPORTS_WRITES |
| help |
| Vboot non-volatile storage data will be backed up from CMOS to flash |
| and restored from flash if the CMOS is invalid due to power loss. |
| |
| config VBOOT_VBNV_EC |
| bool "Vboot non-volatile storage in EC." |
| default n |
| help |
| VBNV is stored in EC |
| |
| config VBOOT_VBNV_FLASH |
| def_bool n |
| depends on BOOT_DEVICE_SUPPORTS_WRITES |
| help |
| VBNV is stored in flash storage |
| |
| config VBOOT_STARTS_IN_BOOTBLOCK |
| bool "Vboot starts verifying in bootblock" |
| default n |
| depends on VBOOT |
| help |
| Firmware verification happens during or at the end of bootblock. |
| |
| config VBOOT_STARTS_IN_ROMSTAGE |
| bool "Vboot starts verifying in romstage" |
| default n |
| depends on VBOOT && !VBOOT_STARTS_IN_BOOTBLOCK |
| help |
| Firmware verification happens during or at the end of romstage. |
| |
| config VBOOT_MOCK_SECDATA |
| bool "Mock secdata for firmware verification" |
| default n |
| depends on VBOOT |
| help |
| Enabling VBOOT_MOCK_SECDATA will mock secdata for the firmware |
| verification to avoid access to a secdata storage (typically TPM). |
| All operations for a secdata storage will be successful. This option |
| can be used during development when a TPM is not present or broken. |
| THIS SHOULD NOT BE LEFT ON FOR PRODUCTION DEVICES. |
| |
| config VBOOT_DISABLE_DEV_ON_RECOVERY |
| bool "Disable dev mode on recovery requests" |
| default n |
| depends on VBOOT |
| help |
| When this option is enabled, the Chrome OS device leaves the |
| developer mode as soon as recovery request is detected. This is |
| handy on embedded devices with limited input capabilities. |
| |
| config SEPARATE_VERSTAGE |
| bool "Vboot verification is built into a separate stage" |
| default n |
| depends on VBOOT |
| |
| config RETURN_FROM_VERSTAGE |
| bool "The separate verification stage returns to its caller" |
| default n |
| depends on SEPARATE_VERSTAGE |
| help |
| If this is set, the verstage returns back to the calling stage instead |
| of exiting to the succeeding stage so that the verstage space can be |
| reused by the succeeding stage. This is useful if a RAM space is too |
| small to fit both the verstage and the succeeding stage. |
| |
| config CHIPSET_PROVIDES_VERSTAGE_MAIN_SYMBOL |
| bool "The chipset provides the main() entry point for verstage" |
| default n |
| depends on SEPARATE_VERSTAGE |
| help |
| The chipset code provides their own main() entry point. |
| |
| config VBOOT_DYNAMIC_WORK_BUFFER |
| bool "Vboot's work buffer is dynamically allocated." |
| default y if ARCH_ROMSTAGE_X86_32 && !SEPARATE_VERSTAGE |
| default n |
| depends on VBOOT |
| help |
| This option is used when there isn't enough pre-main memory |
| RAM to allocate the vboot work buffer. That means vboot verification |
| is after memory init and requires main memory to back the work |
| buffer. |
| |
| config VBOOT_SAVE_RECOVERY_REASON_ON_REBOOT |
| bool |
| default n |
| depends on VBOOT |
| help |
| This option ensures that the recovery request is not lost because of |
| reboots caused after vboot verification is run. e.g. reboots caused by |
| FSP components on Intel platforms. |
| |
| config VBOOT_OPROM_MATTERS |
| bool "Video option ROM matters (= can skip display init)" |
| default n |
| depends on VBOOT |
| help |
| Set this option to indicate to vboot that this platform will skip its |
| display initialization on a normal (non-recovery, non-developer) boot. |
| Vboot calls this "oprom matters" because on x86 devices this |
| traditionally meant that the video option ROM will not be loaded, but |
| it works functionally the same for other platforms that can skip their |
| native display initialization code instead. |
| |
| config VBOOT_HAS_REC_HASH_SPACE |
| bool |
| default n |
| depends on VBOOT |
| help |
| Set this option to indicate to vboot that recovery data hash space |
| is present in TPM. |
| |
| config VBOOT |
| bool "Verify firmware with vboot." |
| default n |
| select TPM if !MAINBOARD_HAS_TPM2 |
| select TPM2 if MAINBOARD_HAS_TPM2 |
| select TPM_INIT_FAILURE_IS_FATAL if PC80_SYSTEM && LPC_TPM |
| select SKIP_TPM_STARTUP_ON_NORMAL_BOOT if PC80_SYSTEM && LPC_TPM |
| depends on HAVE_HARD_RESET |
| help |
| Enabling VBOOT will use vboot to verify the components of the firmware |
| (stages, payload, etc). |