src/security/vboot/Kconfig

## This file is part of the coreboot project.
##
## Copyright (C) 2014 The ChromiumOS Authors.  All rights reserved.
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; version 2 of the License.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
## GNU General Public License for more details.
##

menu "Verified Boot (vboot)"

config VBOOT
	bool "Verify firmware with vboot."
	default n
	select TPM if !MAINBOARD_HAS_TPM2 && !VBOOT_MOCK_SECDATA
	select TPM2 if MAINBOARD_HAS_TPM2 && !VBOOT_MOCK_SECDATA
	select TPM_INIT_FAILURE_IS_FATAL if PC80_SYSTEM && LPC_TPM
	select SKIP_TPM_STARTUP_ON_NORMAL_BOOT if PC80_SYSTEM && LPC_TPM
	depends on HAVE_HARD_RESET
	help
	  Enabling VBOOT will use vboot to verify the components of the firmware
	  (stages, payload, etc).

if VBOOT

config VBOOT_VBNV_CMOS
	bool
	default n
	depends on PC80_SYSTEM
	help
	  VBNV is stored in CMOS

config VBOOT_VBNV_OFFSET
	hex
	default 0x26
	depends on VBOOT_VBNV_CMOS
	help
	  CMOS offset for VbNv data. This value must match cmos.layout
	  in the mainboard directory, minus 14 bytes for the RTC.

config VBOOT_VBNV_CMOS_BACKUP_TO_FLASH
	bool
	default n
	depends on VBOOT_VBNV_CMOS && BOOT_DEVICE_SUPPORTS_WRITES
	help
	  Vboot non-volatile storage data will be backed up from CMOS to flash
	  and restored from flash if the CMOS is invalid due to power loss.

config VBOOT_VBNV_EC
	bool
	default n
	help
	  VBNV is stored in EC

config VBOOT_VBNV_FLASH
	bool
	default n
	depends on BOOT_DEVICE_SUPPORTS_WRITES
	help
	  VBNV is stored in flash storage

config VBOOT_STARTS_IN_BOOTBLOCK
	bool
	default n
	depends on C_ENVIRONMENT_BOOTBLOCK
	help
	  Firmware verification happens during the end of or right after the
	  bootblock. This implies that a static VBOOT2_WORK() buffer must be
	  allocated in memlayout.

config VBOOT_STARTS_IN_ROMSTAGE
	bool
	default n
	depends on !VBOOT_STARTS_IN_BOOTBLOCK
	help
	  Firmware verification happens during the end of romstage (after
	  memory initialization). This implies that vboot working data is
	  allocated in CBMEM.

config VBOOT_MOCK_SECDATA
	bool "Mock secdata for firmware verification"
	default n
	help
	  Enabling VBOOT_MOCK_SECDATA will mock secdata for the firmware
	  verification to avoid access to a secdata storage (typically TPM).
	  All operations for a secdata storage will be successful. This option
	  can be used during development when a TPM is not present or broken.
	  THIS SHOULD NOT BE LEFT ON FOR PRODUCTION DEVICES.

config VBOOT_DISABLE_DEV_ON_RECOVERY
	bool
	default n
	help
	  When this option is enabled, the Chrome OS device leaves the
	  developer mode as soon as recovery request is detected. This is
	  handy on embedded devices with limited input capabilities.

config VBOOT_SEPARATE_VERSTAGE
	bool
	default n
	depends on VBOOT_STARTS_IN_BOOTBLOCK
	help
	  If this option is set, vboot verification runs in a standalone stage
	  that is loaded from the bootblock and exits into romstage. If it is
	  not set, the verification code is linked directly into the bootblock
	  or the romstage and runs as part of that stage (cf. related options
	  VBOOT_STARTS_IN_BOOTBLOCK/_ROMSTAGE and VBOOT_RETURN_FROM_VERSTAGE).

config VBOOT_RETURN_FROM_VERSTAGE
	bool
	default n
	depends on VBOOT_SEPARATE_VERSTAGE
	help
	  If this is set, the verstage returns back to the calling stage instead
	  of exiting to the succeeding stage so that the verstage space can be
	  reused by the succeeding stage. This is useful if a RAM space is too
	  small to fit both the verstage and the succeeding stage.

config VBOOT_SAVE_RECOVERY_REASON_ON_REBOOT
	bool
	default n
	help
	  This option ensures that the recovery request is not lost because of
	  reboots caused after vboot verification is run. e.g. reboots caused by
	  FSP components on Intel platforms.

config VBOOT_OPROM_MATTERS
	bool
	default n
	help
	  Set this option to indicate to vboot that this platform will skip its
	  display initialization on a normal (non-recovery, non-developer) boot.
	  Vboot calls this "oprom matters" because on x86 devices this
	  traditionally meant that the video option ROM will not be loaded, but
	  it works functionally the same for other platforms that can skip their
	  native display initialization code instead.

config VBOOT_HAS_REC_HASH_SPACE
	bool
	default n
	help
	  Set this option to indicate to vboot that recovery data hash space
	  is present in TPM.

config VBOOT_SOFT_REBOOT_WORKAROUND
	bool
	default n

config VBOOT_EC_SOFTWARE_SYNC
	bool "Enable EC software sync"
	default y if EC_GOOGLE_CHROMEEC
	default n
	help
	  EC software sync is a mechanism where the AP helps the EC verify its
	  firmware similar to how vboot verifies the main system firmware. This
	  option selects whether vboot should support EC software sync.

config VBOOT_EC_SLOW_UPDATE
	bool
	default n
	depends on VBOOT_EC_SOFTWARE_SYNC
	help
	  Whether the EC (or PD) is slow to update and needs to display a
	  screen that informs the user the update is happening.

config VBOOT_EC_EFS
	bool
	default n
	depends on VBOOT_EC_SOFTWARE_SYNC
	help
	  CrosEC can support EFS: Early Firmware Selection. If it's enabled,
	  software sync need to also support it. This setting tells vboot to
	  perform EFS software sync.

config VBOOT_PHYSICAL_DEV_SWITCH
	bool
	default n
	help
	  Whether this platform has a physical developer switch. Note that this
	  disables virtual dev switch functionality (through secdata). Operation
	  where both a physical pin and the virtual switch get sampled is not
	  supported by coreboot.

config VBOOT_PHYSICAL_REC_SWITCH
	bool
	default n
	help
	  Whether this platform has a physical recovery switch.

config VBOOT_LID_SWITCH
	bool
	default n
	help
	  Whether this platform has a lid switch. If it does, vboot will not
	  decrement try counters for boot failures if the lid is closed.

config VBOOT_WIPEOUT_SUPPORTED
	bool
	default n
	help
	  When this option is enabled, the firmware provides the ability to
	  signal the application the need for factory reset (a.k.a. wipe
	  out) of the device

config VBOOT_FWID_MODEL
	string "Firmware ID model"
	default "Google_$(CONFIG_MAINBOARD_PART_NUMBER)" if CHROMEOS
	default "$(CONFIG_MAINBOARD_VENDOR)_$(CONFIG_MAINBOARD_PART_NUMBER)"
	help
	  This is the first part of the FWID written to various regions of a
	  vboot firmware image to identify its version.

config VBOOT_FWID_VERSION
	string "Firmware ID version"
	default ".$(KERNELVERSION)"
	help
	  This is the second part of the FWID written to various regions of a
	  vboot firmware image to identify its version.

config VBOOT_NO_BOARD_SUPPORT
	bool "Allow the use of vboot without board support"
	default n
	help
	  Enable weak functions for get_write_protect_state and
	  get_recovery_mode_switch in order to proceed with refactoring
	  of the vboot2 code base. Later on this code is removed and replaced
	  by interfaces.

config RO_REGION_ONLY
	string "Additional files that should not be copied to RW"
	default ""
	help
	  Add a space delimited list of filenames that should only be in the
	  RO section.

menu "GBB configuration"

config GBB_HWID
	string "Hardware ID"
	default "NOCONF HWID"

config GBB_BMPFV_FILE
	string "Path to bmpfv image"
	default ""

config GBB_FLAG_DEV_SCREEN_SHORT_DELAY
	bool "Reduce dev screen delay"
	default n

config GBB_FLAG_LOAD_OPTION_ROMS
	bool "Load option ROMs"
	default n

config GBB_FLAG_ENABLE_ALTERNATE_OS
	bool "Allow booting a non-Chrome OS kernel if dev switch is on"
	default n

config GBB_FLAG_FORCE_DEV_SWITCH_ON
	bool "Force dev switch on"
	default n

config GBB_FLAG_FORCE_DEV_BOOT_USB
	bool "Allow booting from USB in dev mode even if dev_boot_usb=0"
	default y

config GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK
	bool "Disable firmware rollback protection"
	default y

config GBB_FLAG_ENTER_TRIGGERS_TONORM
	bool "Return to normal boot with Enter"
	default n

config GBB_FLAG_FORCE_DEV_BOOT_LEGACY
	bool "Allow booting to legacy in dev mode even if dev_boot_legacy=0"
	default n

config GBB_FLAG_FAFT_KEY_OVERIDE
	bool "Allow booting using alternative keys for FAFT servo testing"
	default n

config GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC
	bool "Disable EC software sync"
	default n

config GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY
	bool "Default to booting to legacy in dev mode"
	default n

config GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC
	bool "Disable PD software sync"
	default n

config GBB_FLAG_DISABLE_LID_SHUTDOWN
	bool "Disable shutdown on closed lid"
	default n

config GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP
	bool "Allow fastboot even if dev_boot_fastboot_full_cap=0"
	default n

config GBB_FLAG_FORCE_MANUAL_RECOVERY
	bool "Always assume manual recovery in recovery mode"
	default n

config GBB_FLAG_DISABLE_FWMP
	bool "Disable Firmware Management Parameters (FWMP)"
	default n

endmenu # GBB

menu "Vboot Keys"
config VBOOT_ROOT_KEY
	string "Root key (public)"
	default "$(VBOOT_SOURCE)/tests/devkeys/root_key.vbpubk"

config VBOOT_RECOVERY_KEY
	string "Recovery key (public)"
	default "$(VBOOT_SOURCE)/tests/devkeys/recovery_key.vbpubk"

config VBOOT_FIRMWARE_PRIVKEY
	string "Firmware key (private)"
	default "$(VBOOT_SOURCE)/tests/devkeys/firmware_data_key.vbprivk"

config VBOOT_KERNEL_KEY
	string "Kernel subkey (public)"
	default "$(VBOOT_SOURCE)/tests/devkeys/kernel_subkey.vbpubk"

config VBOOT_KEYBLOCK
	string "Keyblock to use for the RW regions"
	default "$(VBOOT_SOURCE)/tests/devkeys/firmware.keyblock"

config VBOOT_KEYBLOCK_VERSION
	int "Keyblock version number"
	default 1

config VBOOT_KEYBLOCK_PREAMBLE_FLAGS
	hex "Keyblock preamble flags"
	default 0x0

endmenu # Keys
endif # VBOOT
endmenu # Verified Boot (vboot)