Gitiles
Code Review Sign In
review.coreboot.org / coreboot / 7837c203d615fce03c6d89d99ba9a746619e49d4 / . / src / security / vboot / Makefile.inc
blob: 6f18a35de58f17de07d94a46a5244676a7c6bc91 [file] [log] [blame]
Daisuke Nojiri742fc8d2014-10-10 10:51:06 -0700[diff] [blame]1##
2## This file is part of the coreboot project.
3##
4## Copyright (C) 2014 The ChromiumOS Authors. All rights reserved.
5##
6## This program is free software; you can redistribute it and/or modify
7## it under the terms of the GNU General Public License as published by
8## the Free Software Foundation; version 2 of the License.
9##
10## This program is distributed in the hope that it will be useful,
11## but WITHOUT ANY WARRANTY; without even the implied warranty of
12## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13## GNU General Public License for more details.
14##
Daisuke Nojiri742fc8d2014-10-10 10:51:06 -0700[diff] [blame]15
Julius Werner5fc7c282017-03-17 14:29:10 -0700[diff] [blame]16ifeq ($(CONFIG_VBOOT),y)
17
Furquan Shaikh0325dc62016-07-25 13:02:36 -0700[diff] [blame]18bootblock-y += bootmode.c
19romstage-y += bootmode.c
20ramstage-y += bootmode.c
21verstage-y += bootmode.c
22postcar-y += bootmode.c
23
Aaron Durbin26681ec2015-05-01 16:48:54 -0500[diff] [blame]24verstage-generic-ccopts += -D__PRE_RAM__ -D__VERSTAGE__
Daisuke Nojiri742fc8d2014-10-10 10:51:06 -0700[diff] [blame]25
Furquan Shaikh7632ce02018-03-29 14:49:40 -0700[diff] [blame]26ramstage-y += gbb.c
27
Furquan Shaikh2a12e2e2016-07-25 11:48:03 -0700[diff] [blame]28bootblock-y += vbnv.c
29verstage-y += vbnv.c
30romstage-y += vbnv.c
31ramstage-y += vbnv.c
32
33bootblock-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c
34verstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c
35romstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c
36ramstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c
37
38bootblock-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c
39verstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c
40romstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c
41ramstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c
42
43bootblock-$(CONFIG_VBOOT_VBNV_EC) += vbnv_ec.c
44verstage-$(CONFIG_VBOOT_VBNV_EC) += vbnv_ec.c
45romstage-$(CONFIG_VBOOT_VBNV_EC) += vbnv_ec.c
46ramstage-$(CONFIG_VBOOT_VBNV_EC) += vbnv_ec.c
47
48bootblock-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c
49verstage-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c
50romstage-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c
51ramstage-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c
52
Aaron Durbin17200ad2015-05-01 16:48:54 -0500[diff] [blame]53bootblock-y += vboot_loader.c
54romstage-y += vboot_loader.c
55ramstage-y += vboot_loader.c
56verstage-y += vboot_loader.c
Andrey Petrov60c64322016-04-14 14:12:47 -0700[diff] [blame]57postcar-y += vboot_loader.c
Aaron Durbin17200ad2015-05-01 16:48:54 -0500[diff] [blame]58
Furquan Shaikh2a12e2e2016-07-25 11:48:03 -0700[diff] [blame]59bootblock-y += vboot_common.c
60verstage-y += vboot_common.c
61romstage-y += vboot_common.c
62ramstage-y += vboot_common.c
63postcar-y += vboot_common.c
Daisuke Nojiri742fc8d2014-10-10 10:51:06 -0700[diff] [blame]64
Daisuke Nojiri54af6252014-11-04 12:32:29 -0800[diff] [blame]65bootblock-y += common.c
Julius Wernere91d1702017-03-20 15:32:15 -0700[diff] [blame]66verstage-y += vboot_logic.c
Daisuke Nojiri5d302c72015-04-09 08:18:22 -0700[diff] [blame]67verstage-y += common.c
Julius Wernere91d1702017-03-20 15:32:15 -0700[diff] [blame]68verstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += verstage.c
Furquan Shaikh2a12e2e2016-07-25 11:48:03 -0700[diff] [blame]69ifeq (${CONFIG_VBOOT_MOCK_SECDATA},y)
Julius Wernere91d1702017-03-20 15:32:15 -0700[diff] [blame]70verstage-y += secdata_mock.c
Julius Werner58c39382017-02-13 17:53:29 -0800[diff] [blame]71romstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += secdata_mock.c
Daisuke Nojiri5d302c72015-04-09 08:18:22 -0700[diff] [blame]72else
Julius Wernere91d1702017-03-20 15:32:15 -0700[diff] [blame]73verstage-y += secdata_tpm.c
Julius Werner58c39382017-02-13 17:53:29 -0800[diff] [blame]74romstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += secdata_tpm.c
Daisuke Nojiri5d302c72015-04-09 08:18:22 -0700[diff] [blame]75endif
Daisuke Nojiri742fc8d2014-10-10 10:51:06 -0700[diff] [blame]76romstage-y += vboot_handoff.c common.c
77
Aaron Durbin17200ad2015-05-01 16:48:54 -0500[diff] [blame]78ramstage-y += common.c
Andrey Petrov60c64322016-04-14 14:12:47 -0700[diff] [blame]79postcar-y += common.c
Aaron Durbin17200ad2015-05-01 16:48:54 -0500[diff] [blame]80
Julius Werner58c39382017-02-13 17:53:29 -0800[diff] [blame]81ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y)
Aaron Durbind1cf44c2015-05-08 15:58:06 -0500[diff] [blame]82VB_FIRMWARE_ARCH := $(ARCHDIR-$(ARCH-verstage-y))
83else
84ifeq ($(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK),y)
85VB_FIRMWARE_ARCH := $(ARCHDIR-$(ARCH-bootblock-y))
86else
87VB_FIRMWARE_ARCH := $(ARCHDIR-$(ARCH-romstage-y))
88endif
Julius Werner58c39382017-02-13 17:53:29 -0800[diff] [blame]89endif # CONFIG_VBOOT_SEPARATE_VERSTAGE
Aaron Durbind1cf44c2015-05-08 15:58:06 -0500[diff] [blame]90
Bill Richardsonc8603152015-01-27 17:28:18 -0800[diff] [blame]91VB2_LIB = $(obj)/external/vboot_reference/vboot_fw20.a
Julius Wernere91d1702017-03-20 15:32:15 -0700[diff] [blame]92VBOOT_CFLAGS += $(patsubst -I%,-I$(top)/%, $(filter-out -I$(obj), $(filter-out -include $(src)/include/kconfig.h, $(CPPFLAGS_verstage))))
93VBOOT_CFLAGS += $(CFLAGS_verstage)
94VBOOT_CFLAGS += $(verstage-c-ccopts)
Paul Kocialkowski6a106942015-08-03 23:03:27 +0200[diff] [blame]95VBOOT_CFLAGS += -I$(abspath $(obj)) -include $(top)/src/include/kconfig.h -Wno-missing-prototypes
Daisuke Nojiri742fc8d2014-10-10 10:51:06 -0700[diff] [blame]96VBOOT_CFLAGS += -DVBOOT_DEBUG
97
98$(VB2_LIB): $(obj)/config.h
Patrick Georgi78a5f222017-01-30 15:29:34 +0100[diff] [blame]99 printf " MAKE $(subst $(obj)/,,$(@))\n"
100 +FIRMWARE_ARCH=$(VB_FIRMWARE_ARCH) \
Daisuke Nojiri742fc8d2014-10-10 10:51:06 -0700[diff] [blame]101 CC="$(CC_verstage)" \
102 CFLAGS="$(VBOOT_CFLAGS)" VBOOT2="y" \
Paul Kocialkowski46114512016-07-24 12:10:38 +0200[diff] [blame]103 $(MAKE) -C $(VBOOT_SOURCE) \
Paul Kocialkowski6a106942015-08-03 23:03:27 +0200[diff] [blame]104 BUILD=$(abspath $(dir $(VB2_LIB))) \
Daisuke Nojiri742fc8d2014-10-10 10:51:06 -0700[diff] [blame]105 V=$(V) \
Bill Richardsonc8603152015-01-27 17:28:18 -0800[diff] [blame]106 fwlib20
Daisuke Nojiri742fc8d2014-10-10 10:51:06 -0700[diff] [blame]107
Julius Wernere91d1702017-03-20 15:32:15 -0700[diff] [blame]108verstage-srcs += $(VB2_LIB)
Patrick Georgiba808872015-04-27 18:09:22 +0200[diff] [blame]109
Julius Werner58c39382017-02-13 17:53:29 -0800[diff] [blame]110ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y)
Furquan Shaikhb038f412016-11-07 23:47:11 -0800[diff] [blame]111
112# This works under the assumption that romstage and verstage use the same
113# architecture and thus CC_verstage is the same as CC_romstage. If this is not
114# true, VB2_LIB needs to ensure that correct CC is being used.
115ifeq ($(CONFIG_VBOOT_HAS_REC_HASH_SPACE),y)
116romstage-srcs += $(VB2_LIB)
117endif
118
Julius Werner58c39382017-02-13 17:53:29 -0800[diff] [blame]119cbfs-files-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += $(CONFIG_CBFS_PREFIX)/verstage
Patrick Georgi1cab0122015-11-26 16:39:23 +0100[diff] [blame]120$(CONFIG_CBFS_PREFIX)/verstage-file := $(objcbfs)/verstage.elf
121$(CONFIG_CBFS_PREFIX)/verstage-type := stage
Julius Werner09f29212015-09-29 13:51:35 -0700[diff] [blame]122$(CONFIG_CBFS_PREFIX)/verstage-compression := $(CBFS_PRERAM_COMPRESS_FLAG)
Furquan Shaikh94b18a12016-05-04 23:25:16 -0700[diff] [blame]123
Patrick Georgi1cab0122015-11-26 16:39:23 +0100[diff] [blame]124ifeq ($(CONFIG_ARCH_VERSTAGE_X86_32)$(CONFIG_ARCH_VERSTAGE_X86_64),y)
Furquan Shaikh94b18a12016-05-04 23:25:16 -0700[diff] [blame]125$(CONFIG_CBFS_PREFIX)/verstage-options := -a 64 -S ".car.data"
126
127# If CAR does not support execution of code, verstage on x86 is expected to be
128# xip.
129ifneq ($(CONFIG_NO_XIP_EARLY_STAGES),y)
130$(CONFIG_CBFS_PREFIX)/verstage-options += --xip
131endif
Patrick Georgi1cab0122015-11-26 16:39:23 +0100[diff] [blame]132
133endif
134
Julius Wernere91d1702017-03-20 15:32:15 -0700[diff] [blame]135else # CONFIG_VBOOT_SEPARATE_VERSTAGE
Aaron Durbind1cf44c2015-05-08 15:58:06 -0500[diff] [blame]136ifeq ($(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK),y)
Julius Wernere91d1702017-03-20 15:32:15 -0700[diff] [blame]137postinclude-hooks += $$(eval bootblock-srcs += $$(verstage-srcs))
Aaron Durbin57e37282015-04-28 16:17:25 -0500[diff] [blame]138else
Julius Wernere91d1702017-03-20 15:32:15 -0700[diff] [blame]139postinclude-hooks += $$(eval romstage-srcs += $$(verstage-srcs))
Patrick Georgiefc6aa02015-04-27 18:13:50 +0200[diff] [blame]140endif
Julius Werner58c39382017-02-13 17:53:29 -0800[diff] [blame]141endif # CONFIG_VBOOT_SEPARATE_VERSTAGE
Patrick Georgic8d4abd2016-01-20 15:54:31 +0100[diff] [blame]142
143# Define a list of files that need to be in RO only.
144# All other files will be installed into RO and RW regions
145# Use $(sort) to cut down on extra spaces that would be translated to commas
146regions-for-file = $(subst $(spc),$(comma),$(sort \
147 $(if $(filter \
148 $(if $(filter y,$(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK)),, \
149 %/romstage) \
150 mts \
151 %/verstage \
Patrick Georgieda794d2016-02-05 11:01:24 +0100[diff] [blame]152 locales \
153 locale_%.bin \
154 font.bin \
155 vbgfx.bin \
Lee Leahy5e347522017-01-04 08:51:52 -0800[diff] [blame]156 rmu.bin \
Martin Rothbbd5ee412017-10-05 13:53:16 -0600[diff] [blame]157 $(call strip_quotes,$(CONFIG_RO_REGION_ONLY)) \
Patrick Georgic8d4abd2016-01-20 15:54:31 +0100[diff] [blame]158 ,$(1)),COREBOOT,COREBOOT FW_MAIN_A FW_MAIN_B)))
Furquan Shaikh0325dc62016-07-25 13:02:36 -0700[diff] [blame]159
Julius Werner58c39382017-02-13 17:53:29 -0800[diff] [blame]160CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID))
161CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE))
162CONFIG_VBOOT_KEYBLOCK := $(call strip_quotes,$(CONFIG_VBOOT_KEYBLOCK))
163CONFIG_VBOOT_FIRMWARE_PRIVKEY := $(call strip_quotes,$(CONFIG_VBOOT_FIRMWARE_PRIVKEY))
164CONFIG_VBOOT_KERNEL_KEY := $(call strip_quotes,$(CONFIG_VBOOT_KERNEL_KEY))
165CONFIG_VBOOT_FWID_MODEL := $(call strip_quotes,$(CONFIG_VBOOT_FWID_MODEL))
166CONFIG_VBOOT_FWID_VERSION := $(call strip_quotes,$(CONFIG_VBOOT_FWID_VERSION))
167
168# bool-to-mask(var, value)
169# return "value" if var is "y", 0 otherwise
170bool-to-mask = $(if $(filter y,$(1)),$(2),0)
171
172GBB_FLAGS := $(call int-add, \
173 $(call bool-to-mask,$(CONFIG_GBB_FLAG_DEV_SCREEN_SHORT_DELAY),0x1) \
174 $(call bool-to-mask,$(CONFIG_GBB_FLAG_LOAD_OPTION_ROMS),0x2) \
175 $(call bool-to-mask,$(CONFIG_GBB_FLAG_ENABLE_ALTERNATE_OS),0x4) \
176 $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_SWITCH_ON),0x8) \
177 $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_USB),0x10) \
178 $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK),0x20) \
179 $(call bool-to-mask,$(CONFIG_GBB_FLAG_ENTER_TRIGGERS_TONORM),0x40) \
180 $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_LEGACY),0x80) \
181 $(call bool-to-mask,$(CONFIG_GBB_FLAG_FAFT_KEY_OVERIDE),0x100) \
182 $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC),0x200) \
183 $(call bool-to-mask,$(CONFIG_GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY),0x400) \
184 $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC),0x800) \
185 $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_LID_SHUTDOWN),0x1000) \
186 $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP),0x2000) \
Julius Wernerae423852018-03-23 21:02:48 -0700[diff] [blame]187 $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_MANUAL_RECOVERY),0x4000) \
188 $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_FWMP),0x8000) \
Julius Werner58c39382017-02-13 17:53:29 -0800[diff] [blame]189 )
190
191ifneq ($(CONFIG_GBB_BMPFV_FILE),)
192$(obj)/gbb.sizetmp: $(obj)/coreboot.rom
193 $(CBFSTOOL) $< read -r GBB -f $@
194
195$(obj)/gbb.stub: $(obj)/coreboot.rom $(FUTILITY) $(obj)/gbb.sizetmp
196 @printf " CREATE GBB (with BMPFV)\n"
197 $(FUTILITY) gbb_utility -c 0x100,0x1000,$(call int-subtract,$(call file-size,$(obj)/gbb.sizetmp) 0x2180),0x1000 $@.tmp
198 mv $@.tmp $@
199else
200$(obj)/gbb.stub: $(obj)/coreboot.rom $(FUTILITY)
201 @printf " CREATE GBB (without BMPFV)\n"
202 $(FUTILITY) gbb_utility -c 0x100,0x1000,0,0x1000 $@.tmp
203 mv $@.tmp $@
204endif
205
206$(obj)/gbb.region: $(obj)/gbb.stub
207 @printf " SETUP GBB\n"
208 cp $< $@.tmp
209 $(FUTILITY) gbb_utility -s \
210 --hwid="$(CONFIG_GBB_HWID)" \
211 --rootkey="$(CONFIG_VBOOT_ROOT_KEY)" \
212 --recoverykey="$(CONFIG_VBOOT_RECOVERY_KEY)" \
213 --flags=$(GBB_FLAGS) \
214 $@.tmp
215ifneq ($(CONFIG_GBB_BMPFV_FILE),)
216 $(FUTILITY) gbb_utility -s \
217 --bmpfv="$(CONFIG_GBB_BMPFV_FILE)" \
218 $@.tmp
219endif
220 mv $@.tmp $@
221
222$(obj)/fwid.region:
223 printf "$(CONFIG_VBOOT_FWID_MODEL)$(CONFIG_VBOOT_FWID_VERSION)\0" > $@
224
225build_complete:: $(obj)/gbb.region $(obj)/fwid.region
226 @printf " WRITE GBB\n"
227 $(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -i 0 -f $(obj)/gbb.region
228 $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RO_FRID -i 0 -f $(obj)/fwid.region
229 $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region
230 $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_B -i 0 -f $(obj)/fwid.region
231
232ifneq ($(shell grep "SHARED_DATA" "$(CONFIG_FMDFILE)"),)
233build_complete::
234 printf "\0" > $(obj)/shared_data.region
235 $(CBFSTOOL) $(obj)/coreboot.rom write -u -r SHARED_DATA -i 0 -f $(obj)/shared_data.region
236endif
237
238# Extract FW_MAIN_? region and minimize it if the last file is empty, so it
239# doesn't contain this empty file (that can have a significant size),
240# improving a lot on hash times due to a smaller amount of data loaded from
241# firmware storage.
242# When passing the minimized image to vbutil_firmware, its length is recorded
243# in the keyblock, and coreboot's vboot code clips the region_device to match,
244# which prevents any potential extension attacks.
245$(obj)/FW_MAIN_%.bin: $(obj)/coreboot.rom
Patrick Georgibf375e32017-09-20 12:01:28 +0200[diff] [blame]246 $(CBFSTOOL) $< truncate -r $(basename $(notdir $@)) > $@.tmp.size
Julius Werner58c39382017-02-13 17:53:29 -0800[diff] [blame]247 $(CBFSTOOL) $< read -r $(basename $(notdir $@)) -f $@.tmp
Patrick Georgibf375e32017-09-20 12:01:28 +0200[diff] [blame]248 head -c $$( printf "%d" $$(cat $@.tmp.size)) $@.tmp > $@.tmp2
249 mv $@.tmp2 $@
250 rm -f $@.tmp $@.tmp.size
Julius Werner58c39382017-02-13 17:53:29 -0800[diff] [blame]251
252$(obj)/VBLOCK_%.bin: $(obj)/FW_MAIN_%.bin $(FUTILITY)
253 $(FUTILITY) vbutil_firmware \
254 --vblock $@ \
255 --keyblock "$(CONFIG_VBOOT_KEYBLOCK)" \
256 --signprivate "$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)" \
257 --version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \
258 --fv $< \
259 --kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \
260 --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS)
261
262files_added:: $(obj)/VBLOCK_A.bin $(obj)/VBLOCK_B.bin
263 $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin
264 $(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_B -f $(obj)/VBLOCK_B.bin
265
Furquan Shaikh0325dc62016-07-25 13:02:36 -0700[diff] [blame]266endif # CONFIG_VBOOT