Makefile: Enable more warnings for host utilities / tests

This patch adds a bunch of more warnings that are already enabled in
coreboot and thus already enabled for firmware builds anyway (because
coreboot just passes its CFLAGS through). Enabling it in the vboot
Makefile means they also apply to host utilities and tests, which sounds
desirable for consistency.

Fix enough of the cruft and bad coding practices that accumulated over
the years of not having warnings enabled to get it to build again (this
includes making functions static, removing dead code, cleaning up
prototypes, etc.).

Also remove -fno-strict-aliasing from the x86 firmware build options,
because it's not clear why it's there (coreboot isn't doing this, so
presumably it's not needed).

BRANCH=None
BUG=None
TEST=make runtests

Change-Id: Ie4a42083c4770a4eca133b22725be9ba85b24184
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1598721
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
diff --git a/Makefile b/Makefile
index 5b66855..bcb0daf 100644
--- a/Makefile
+++ b/Makefile
@@ -137,32 +137,29 @@
 # Flag ordering: arch, then -f, then -m, then -W
 DEBUG_FLAGS := $(if ${DEBUG},-g -O0,-Os)
 WERROR := -Werror
-COMMON_FLAGS := -nostdinc -pipe \
-	-ffreestanding -fno-builtin -fno-stack-protector \
-	${WERROR} -Wall -Wstrict-prototypes ${DEBUG_FLAGS}
+FIRMWARE_FLAGS := -nostdinc -ffreestanding -fno-builtin -fno-stack-protector
+COMMON_FLAGS := -pipe ${WERROR} -Wall -Wstrict-prototypes -Wtype-limits \
+	-Wundef -Wmissing-prototypes -Wno-trigraphs -Wredundant-decls \
+	-Wwrite-strings -Wstrict-aliasing -Wshadow -Wdate-time ${DEBUG_FLAGS}
 
 # Note: FIRMWARE_ARCH is defined by the Chromium OS ebuild.
 ifeq (${FIRMWARE_ARCH}, arm)
 CC ?= armv7a-cros-linux-gnueabihf-gcc
-CFLAGS ?= -march=armv5 \
-	-fno-common -ffixed-r8 \
-	-mfloat-abi=hard -marm -mabi=aapcs-linux -mno-thumb-interwork \
-	${COMMON_FLAGS}
+CFLAGS ?= -march=armv5 -fno-common -ffixed-r8 -mfloat-abi=hard -marm
+	-mabi=aapcs-linux -mno-thumb-interwork ${FIRMWARE_FLAGS} ${COMMON_FLAGS}
 else ifeq (${FIRMWARE_ARCH}, x86)
 CC ?= i686-pc-linux-gnu-gcc
 # Drop -march=i386 to permit use of SSE instructions
-CFLAGS ?= \
-	-ffunction-sections -fvisibility=hidden -fno-strict-aliasing \
-	-fomit-frame-pointer -fno-toplevel-reorder -fno-dwarf2-cfi-asm \
-	-mpreferred-stack-boundary=2 \
-	${COMMON_FLAGS}
+CFLAGS ?= -ffunction-sections -fvisibility=hidden -fomit-frame-pointer \
+	-fno-toplevel-reorder -fno-dwarf2-cfi-asm -mpreferred-stack-boundary=2 \
+	${FIRMWARE_FLAGS} ${COMMON_FLAGS}
 else ifeq (${FIRMWARE_ARCH}, x86_64)
-CFLAGS ?= ${COMMON_FLAGS} \
-	-fvisibility=hidden -fno-strict-aliasing -fomit-frame-pointer
+CFLAGS ?= ${FIRMWARE_FLAGS} ${COMMON_FLAGS} -fvisibility=hidden \
+	-fomit-frame-pointer
 else
 # FIRMWARE_ARCH not defined; assuming local compile.
 CC ?= gcc
-CFLAGS += -DCHROMEOS_ENVIRONMENT -Wall ${WERROR} ${DEBUG_FLAGS}
+CFLAGS += -DCHROMEOS_ENVIRONMENT ${COMMON_FLAGS}
 CHROMEOS_ENVIRONMENT = 1
 endif
 
diff --git a/cgpt/cgpt.c b/cgpt/cgpt.c
index 0977b65..d06874e 100644
--- a/cgpt/cgpt.c
+++ b/cgpt/cgpt.c
@@ -40,7 +40,7 @@
   {"legacy", cmd_legacy, "Switch between GPT and Legacy GPT"},
 };
 
-void Usage(void) {
+static void Usage(void) {
   int i;
 
   printf("\nUsage: %s COMMAND [OPTIONS] DRIVE\n\n"
diff --git a/cgpt/cgpt.h b/cgpt/cgpt.h
index c53f0f3..6cf5899 100644
--- a/cgpt/cgpt.h
+++ b/cgpt/cgpt.h
@@ -96,19 +96,6 @@
                 const uint64_t sector_count);
 
 
-/* GUID conversion functions. Accepted format:
- *
- *   "C12A7328-F81F-11D2-BA4B-00A0C93EC93B"
- *
- * At least GUID_STRLEN bytes should be reserved in 'str' (included the tailing
- * '\0').
- */
-#define GUID_STRLEN 37
-int StrToGuid(const char *str, Guid *guid);
-void GuidToStr(const Guid *guid, char *str, unsigned int buflen);
-int GuidEqual(const Guid *guid1, const Guid *guid2);
-int IsZero(const Guid *guid);
-
 /* Constant global type values to compare against */
 extern const Guid guid_chromeos_firmware;
 extern const Guid guid_chromeos_kernel;
diff --git a/cgpt/cgpt_common.c b/cgpt/cgpt_common.c
index c129d92..90fe45a 100644
--- a/cgpt/cgpt_common.c
+++ b/cgpt/cgpt_common.c
@@ -327,7 +327,7 @@
   // Clear struct for proper error handling.
   memset(drive, 0, sizeof(struct drive));
 
-  drive->fd = open(drive_path, mode | 
+  drive->fd = open(drive_path, mode |
 #ifndef HAVE_MACOS
 		               O_LARGEFILE |
 #endif
@@ -677,8 +677,8 @@
 
 const static struct {
   const Guid *type;
-  char *name;
-  char *description;
+  const char *name;
+  const char *description;
 } supported_types[] = {
   {&guid_chromeos_firmware, "firmware", "ChromeOS firmware"},
   {&guid_chromeos_kernel, "kernel", "ChromeOS kernel"},
@@ -981,7 +981,7 @@
 
 /* The above five fields are shared between primary and secondary headers.
  * We can recover one header from another through copying those fields. */
-void CopySynonymousParts(GptHeader* target, const GptHeader* source) {
+static void CopySynonymousParts(GptHeader* target, const GptHeader* source) {
   target->first_usable_lba = source->first_usable_lba;
   target->last_usable_lba = source->last_usable_lba;
   target->number_of_entries = source->number_of_entries;
@@ -1087,7 +1087,6 @@
 }
 
 /* Optional */
-int __GenerateGuid(Guid *newguid) { return CGPT_FAILED; };
 #ifndef HAVE_MACOS
-int GenerateGuid(Guid *newguid) __attribute__((weak, alias("__GenerateGuid")));
+__attribute__((weak)) int GenerateGuid(Guid *newguid) { return CGPT_FAILED; };
 #endif
diff --git a/cgpt/cgpt_find.c b/cgpt/cgpt_find.c
index bf94b58..9cf87dd 100644
--- a/cgpt/cgpt_find.c
+++ b/cgpt/cgpt_find.c
@@ -71,7 +71,7 @@
 // This needs to handle /dev/mmcblk0 -> /dev/mmcblk0p3, /dev/sda -> /dev/sda3
 static void showmatch(CgptFindParams *params, const char *filename,
                       int partnum, GptEntry *entry) {
-  char * format = "%s%d\n";
+  const char * format = "%s%d\n";
 
   /*
    * Follow convention from disk_name() in kernel block/partition-generic.c
diff --git a/cgpt/cgpt_show.c b/cgpt/cgpt_show.c
index 7240a6a..5f20988 100644
--- a/cgpt/cgpt_show.c
+++ b/cgpt/cgpt_show.c
@@ -49,7 +49,8 @@
 #define PARTITION_FMT  "%12"PRId64"%12"PRId64"%8d  %s\n"
 #define PARTITION_MORE "%12s%12s%8s  %s%s\n", "", "", ""
 
-void PrintSignature(const char *indent, const char *sig, size_t n, int raw) {
+static void PrintSignature(const char *indent, const char *sig, size_t n,
+                           int raw) {
   size_t i;
   printf("%sSig: ", indent);
   if (!raw) {
@@ -162,7 +163,7 @@
     printf(PARTITION_MORE, "Attr: ", contents);
 }
 
-void EntriesDetails(struct drive *drive, const int secondary, int raw) {
+static void EntriesDetails(struct drive *drive, const int secondary, int raw) {
   uint32_t i;
 
   for (i = 0; i < GetNumberOfEntries(drive); ++i) {
diff --git a/firmware/2lib/2rsa.c b/firmware/2lib/2rsa.c
index f54e83c..5fda959 100644
--- a/firmware/2lib/2rsa.c
+++ b/firmware/2lib/2rsa.c
@@ -13,6 +13,7 @@
 #include "2common.h"
 #include "2rsa.h"
 #include "2sha.h"
+#include "vboot_test.h"
 
 /**
  * a[] -= mod
@@ -312,6 +313,13 @@
 	0x05,0x00,0x04,0x40
 };
 
+/**
+ * Check pkcs 1.5 padding bytes
+ *
+ * @param sig		Signature to verify
+ * @param key		Key to take signature and hash algorithms from
+ * @return VB2_SUCCESS, or non-zero if error.
+ */
 int vb2_check_padding(const uint8_t *sig, const struct vb2_public_key *key)
 {
 	/* Determine padding to use depending on the signature type */
diff --git a/firmware/2lib/include/2rsa.h b/firmware/2lib/include/2rsa.h
index 7e63a6a..4357029 100644
--- a/firmware/2lib/include/2rsa.h
+++ b/firmware/2lib/include/2rsa.h
@@ -51,15 +51,6 @@
  */
 uint32_t vb2_packed_key_size(enum vb2_signature_algorithm sig_alg);
 
-/**
- * Check pkcs 1.5 padding bytes
- *
- * @param sig		Signature to verify
- * @param key		Key to take signature and hash algorithms from
- * @return VB2_SUCCESS, or non-zero if error.
- */
-int vb2_check_padding(const uint8_t *sig, const struct vb2_public_key *key);
-
 /* Size of work buffer sufficient for vb2_rsa_verify_digest() worst case */
 #define VB2_VERIFY_RSA_DIGEST_WORKBUF_BYTES (3 * 1024)
 
diff --git a/firmware/bdb/bdb.c b/firmware/bdb/bdb.c
index e102d7b..30d1058 100644
--- a/firmware/bdb/bdb.c
+++ b/firmware/bdb/bdb.c
@@ -21,7 +21,7 @@
  * @param size		Size of string buffer in characters
  * @return 1 if string has a null terminator, 0 if not
  */
-int string_has_null(const char *s, size_t size)
+static int string_has_null(const char *s, size_t size)
 {
 	for (; size; size--) {
 		if (*s++ == 0)
@@ -327,9 +327,9 @@
 
 /*****************************************************************************/
 
-int bdb_verify_sig(const struct bdb_key *key,
-		   const struct bdb_sig *sig,
-		   const uint8_t *digest)
+static int bdb_verify_sig(const struct bdb_key *key,
+			  const struct bdb_sig *sig,
+			  const uint8_t *digest)
 {
 	/* Key and signature algorithms must match */
 	if (key->sig_alg != sig->sig_alg)
diff --git a/firmware/include/vboot_test.h b/firmware/include/vboot_test.h
new file mode 100644
index 0000000..b8e59a2
--- /dev/null
+++ b/firmware/include/vboot_test.h
@@ -0,0 +1,33 @@
+/* Copyright 2019 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ */
+
+#ifndef VBOOT_REFERENCE_TEST_API_H_
+#define VBOOT_REFERENCE_TEST_API_H_
+
+/* This header is for APIs that are only used by test code. */
+
+/*
+ * Internal functions from 2rsa.c that have error conditions we can't trigger
+ * from the public APIs.  These include checks for bad algorithms where the
+ * next call level up already checks for bad algorithms, etc.
+ *
+ * These functions aren't in 2rsa.h because they're not part of the public
+ * APIs.
+ */
+struct vb2_public_key;
+int vb2_mont_ge(const struct vb2_public_key *key, uint32_t *a);
+int vb2_check_padding(const uint8_t *sig, const struct vb2_public_key *key);
+
+enum VbEcBootMode_t;
+enum VbEcBootMode_t VbGetMode(void);
+
+struct RollbackSpaceFwmp;
+struct RollbackSpaceFwmp *VbApiKernelGetFwmp(void);
+
+struct LoadKernelParams;
+struct LoadKernelParams *VbApiKernelGetParams(void);
+
+#endif  /* VBOOT_REFERENCE_TEST_API_H_ */
diff --git a/firmware/lib/region-init.c b/firmware/lib/region-init.c
index 5cfd4ed..ef67687 100644
--- a/firmware/lib/region-init.c
+++ b/firmware/lib/region-init.c
@@ -18,8 +18,8 @@
 #include "vboot_api.h"
 #include "vboot_struct.h"
 
-VbError_t VbGbbReadData(struct vb2_context *ctx,
-			uint32_t offset, uint32_t size, void *buf)
+static VbError_t VbGbbReadData(struct vb2_context *ctx,
+			       uint32_t offset, uint32_t size, void *buf)
 {
 	struct vb2_shared_data *sd = vb2_get_sd(ctx);
 
diff --git a/firmware/lib/tpm2_lite/marshaling.c b/firmware/lib/tpm2_lite/marshaling.c
index e20bcda..1a3e84a 100644
--- a/firmware/lib/tpm2_lite/marshaling.c
+++ b/firmware/lib/tpm2_lite/marshaling.c
@@ -125,7 +125,7 @@
 }
 
 static void unmarshal_authorization_section(void **buffer, int *size,
-					    char *cmd_name)
+					    const char *cmd_name)
 {
 	/*
 	 * Let's ignore the authorisation section. It should be 5 bytes total,
diff --git a/firmware/lib/tpm2_lite/tlcl.c b/firmware/lib/tpm2_lite/tlcl.c
index 61c4c41..8705143 100644
--- a/firmware/lib/tpm2_lite/tlcl.c
+++ b/firmware/lib/tpm2_lite/tlcl.c
@@ -38,7 +38,8 @@
 {
 	/* Command/response buffer. */
 	static uint8_t cr_buffer[TPM_BUFFER_SIZE];
-	uint32_t out_size, in_size, res;
+	int out_size, res;
+	uint32_t in_size;
 
 	out_size = tpm_marshal_command(command, command_body,
 				       cr_buffer, sizeof(cr_buffer));
@@ -601,7 +602,7 @@
 // Converts TPM_PT_VENDOR_STRING_x |value| to an array of bytes in |buf|.
 // Returns the number of bytes in the array.
 // |buf| should be at least 4 bytes long.
-size_t tlcl_vendor_string_parse(uint32_t value, uint8_t* buf)
+static size_t tlcl_vendor_string_parse(uint32_t value, uint8_t* buf)
 {
 	size_t len = 0;
 	int shift = 24;
diff --git a/firmware/lib/tpm_lite/tlcl.c b/firmware/lib/tpm_lite/tlcl.c
index c03e869..41f7cad 100644
--- a/firmware/lib/tpm_lite/tlcl.c
+++ b/firmware/lib/tpm_lite/tlcl.c
@@ -252,10 +252,10 @@
 /* Fills in the authentication block at the end of the command. The command body
  * should already be initialized in |command_buffer|, and the included command
  * size should account for the auth block that gets filled in. */
-uint32_t AddRequestAuthBlock(struct auth_session* auth_session,
-			     uint8_t* command_buffer,
-			     uint32_t command_buffer_size,
-			     uint8_t continue_auth_session)
+static uint32_t AddRequestAuthBlock(struct auth_session* auth_session,
+				    uint8_t* command_buffer,
+				    uint32_t command_buffer_size,
+				    uint8_t continue_auth_session)
 {
 	if (!auth_session->valid) {
 		return TPM_E_AUTHFAIL;
@@ -316,10 +316,10 @@
 	return TPM_SUCCESS;
 }
 
-uint32_t CheckResponseAuthBlock(struct auth_session* auth_session,
-				TPM_COMMAND_CODE ordinal,
-				uint8_t* response_buffer,
-				uint32_t response_buffer_size)
+static uint32_t CheckResponseAuthBlock(struct auth_session* auth_session,
+				       TPM_COMMAND_CODE ordinal,
+				       uint8_t* response_buffer,
+				       uint32_t response_buffer_size)
 {
 	if (!auth_session->valid) {
 		return TPM_E_AUTHFAIL;
diff --git a/firmware/lib/vboot_api_kernel.c b/firmware/lib/vboot_api_kernel.c
index 11a1659..038622b 100644
--- a/firmware/lib/vboot_api_kernel.c
+++ b/firmware/lib/vboot_api_kernel.c
@@ -22,6 +22,7 @@
 #include "vboot_api.h"
 #include "vboot_common.h"
 #include "vboot_kernel.h"
+#include "vboot_test.h"
 
 /* Global variables */
 static struct RollbackSpaceFwmp fwmp;
diff --git a/firmware/lib/vboot_kernel.c b/firmware/lib/vboot_kernel.c
index 8d74f99..57ab53d 100644
--- a/firmware/lib/vboot_kernel.c
+++ b/firmware/lib/vboot_kernel.c
@@ -128,14 +128,14 @@
  *			VB2_VERIFY_KERNEL_PREAMBLE_WORKBUF_BYTES bytes.
  * @return VB2_SUCCESS, or non-zero error code.
  */
-int vb2_verify_kernel_vblock(struct vb2_context *ctx,
-			     uint8_t *kbuf,
-			     uint32_t kbuf_size,
-			     const struct vb2_packed_key *kernel_subkey,
-			     const LoadKernelParams *params,
-			     uint32_t min_version,
-			     VbSharedDataKernelPart *shpart,
-			     struct vb2_workbuf *wb)
+static int vb2_verify_kernel_vblock(struct vb2_context *ctx,
+				    uint8_t *kbuf,
+				    uint32_t kbuf_size,
+				    const struct vb2_packed_key *kernel_subkey,
+				    const LoadKernelParams *params,
+				    uint32_t min_version,
+				    VbSharedDataKernelPart *shpart,
+				    struct vb2_workbuf *wb)
 {
 	/* Unpack kernel subkey */
 	struct vb2_public_key kernel_subkey2;
@@ -312,13 +312,13 @@
  * @param shpart	Destination for verification results
  * @return VB2_SUCCESS, or non-zero error code.
  */
-int vb2_load_partition(struct vb2_context *ctx,
-		       VbExStream_t stream,
-		       const struct vb2_packed_key *kernel_subkey,
-		       uint32_t flags,
-		       LoadKernelParams *params,
-		       uint32_t min_version,
-		       VbSharedDataKernelPart *shpart)
+static int vb2_load_partition(struct vb2_context *ctx,
+			      VbExStream_t stream,
+			      const struct vb2_packed_key *kernel_subkey,
+			      uint32_t flags,
+			      LoadKernelParams *params,
+			      uint32_t min_version,
+			      VbSharedDataKernelPart *shpart)
 {
 	struct vb2_workbuf wblocal;
 	vb2_workbuf_from_ctx(ctx, &wblocal);
diff --git a/firmware/lib/vboot_ui.c b/firmware/lib/vboot_ui.c
index acffc6c..5934d0c 100644
--- a/firmware/lib/vboot_ui.c
+++ b/firmware/lib/vboot_ui.c
@@ -77,7 +77,7 @@
 	return shutdown_request;
 }
 
-uint32_t VbTryUsb(struct vb2_context *ctx)
+static uint32_t VbTryUsb(struct vb2_context *ctx)
 {
 	uint32_t retval = VbTryLoadKernel(ctx, VB_DISK_FLAG_REMOVABLE);
 	if (VBERROR_SUCCESS == retval) {
@@ -177,7 +177,7 @@
  * This shows the user a list of bootloaders and allows selection of one of
  * them. We loop forever until something is chosen or Escape is pressed.
  */
-VbError_t vb2_altfw_ui(struct vb2_context *ctx)
+static VbError_t vb2_altfw_ui(struct vb2_context *ctx)
 {
 	int active = 1;
 
@@ -235,7 +235,8 @@
 /*
  * Prompt the user to enter the vendor data
  */
-VbError_t vb2_enter_vendor_data_ui(struct vb2_context *ctx, char *data_value)
+static VbError_t vb2_enter_vendor_data_ui(struct vb2_context *ctx,
+					  char *data_value)
 {
 	int len = 0;
 	VbScreenData data = {
@@ -314,7 +315,7 @@
 /*
  * User interface for setting the vendor data in VPD
  */
-VbError_t vb2_vendor_data_ui(struct vb2_context *ctx)
+static VbError_t vb2_vendor_data_ui(struct vb2_context *ctx)
 {
 	char data_value[VENDOR_DATA_LENGTH + 1];
 	VbScreenData data = {
@@ -399,7 +400,7 @@
  * can press the power button to confirm or press escape. There is a 30-second
  * timeout which acts the same as escape.
  */
-VbError_t vb2_diagnostics_ui(struct vb2_context *ctx)
+static VbError_t vb2_diagnostics_ui(struct vb2_context *ctx)
 {
 	int active = 1;
 	int power_button_was_pressed = 0;
@@ -515,7 +516,7 @@
 	"For more information, see http://dev.chromium.org/chromium-os/fwmp\n"
 	"\n";
 
-VbError_t vb2_developer_ui(struct vb2_context *ctx)
+static VbError_t vb2_developer_ui(struct vb2_context *ctx)
 {
 	struct vb2_shared_data *sd = vb2_get_sd(ctx);
 	VbSharedDataHeader *shared = sd->vbsd;
diff --git a/firmware/stub/tpm_lite_stub.c b/firmware/stub/tpm_lite_stub.c
index 4eb0c52..e999466 100644
--- a/firmware/stub/tpm_lite_stub.c
+++ b/firmware/stub/tpm_lite_stub.c
@@ -195,7 +195,7 @@
 
 VbError_t VbExTpmOpen(void)
 {
-	char* device_path;
+	const char *device_path;
 	struct timespec delay;
 	int retries, saved_errno;
 
diff --git a/firmware/stub/vboot_api_stub.c b/firmware/stub/vboot_api_stub.c
index f62e932..496d720 100644
--- a/firmware/stub/vboot_api_stub.c
+++ b/firmware/stub/vboot_api_stub.c
@@ -14,6 +14,7 @@
 #include <sys/time.h>
 
 #include "vboot_api.h"
+#include "vboot_test.h"
 
 static enum VbEcBootMode_t vboot_mode;
 
@@ -80,12 +81,6 @@
 	return VBERROR_SUCCESS;
 }
 
-VbError_t VbExEcRebootToRO(int devidx)
-{
-	/* Nothing to reboot, so all we can do is return failure. */
-	return VBERROR_UNKNOWN;
-}
-
 VbError_t VbExEcDisableJump(int devidx)
 {
 	return VBERROR_SUCCESS;
diff --git a/futility/cmd_create.c b/futility/cmd_create.c
index 9996449..fe8fd73 100644
--- a/futility/cmd_create.c
+++ b/futility/cmd_create.c
@@ -80,7 +80,7 @@
 
 }
 
-static int vb1_make_keypair()
+static int vb1_make_keypair(void)
 {
 	struct vb2_private_key *privkey = NULL;
 	struct vb2_packed_key *pubkey = NULL;
@@ -161,7 +161,7 @@
 	return ret;
 }
 
-static int vb2_make_keypair()
+static int vb2_make_keypair(void)
 {
 	struct vb2_private_key *privkey = 0;
 	struct vb2_public_key *pubkey = 0;
diff --git a/futility/cmd_dump_fmap.c b/futility/cmd_dump_fmap.c
index 1c5b070..2ab981b 100644
--- a/futility/cmd_dump_fmap.c
+++ b/futility/cmd_dump_fmap.c
@@ -187,8 +187,8 @@
 	}
 }
 
-static void line(int indent, char *name,
-		 uint32_t start, uint32_t end, uint32_t size, char *append)
+static void line(int indent, const char *name, uint32_t start, uint32_t end,
+		 uint32_t size, const char *append)
 {
 	int i;
 	for (i = 0; i < indent; i++)
diff --git a/futility/cmd_gbb_utility.c b/futility/cmd_gbb_utility.c
index 796eca7..02f4757 100644
--- a/futility/cmd_gbb_utility.c
+++ b/futility/cmd_gbb_utility.c
@@ -83,7 +83,7 @@
 	{NULL, 0, NULL, 0},
 };
 
-static char *short_opts = ":gsc:o:k:b:r:";
+static const char *short_opts = ":gsc:o:k:b:r:";
 
 /* Change the has_arg field of a long_opts entry */
 static void opt_has_arg(const char *name, int val)
diff --git a/futility/cmd_load_fmap.c b/futility/cmd_load_fmap.c
index 897a085..a732b1a 100644
--- a/futility/cmd_load_fmap.c
+++ b/futility/cmd_load_fmap.c
@@ -52,7 +52,7 @@
 	{"help",        0, NULL, OPT_HELP},
 	{NULL,          0, NULL, 0},
 };
-static char *short_opts = ":o:";
+static const char *short_opts = ":o:";
 
 
 static int copy_to_area(char *file, uint8_t *buf, uint32_t len, char *area)
diff --git a/futility/cmd_show.c b/futility/cmd_show.c
index b33f019..50f668b 100644
--- a/futility/cmd_show.c
+++ b/futility/cmd_show.c
@@ -436,7 +436,7 @@
 	{"help",        0, NULL, OPT_HELP},
 	{NULL, 0, NULL, 0},
 };
-static char *short_opts = ":f:k:t";
+static const char *short_opts = ":f:k:t";
 
 
 static int show_type(char *filename)
diff --git a/futility/cmd_sign.c b/futility/cmd_sign.c
index cc2b3e6..8b6b252 100644
--- a/futility/cmd_sign.c
+++ b/futility/cmd_sign.c
@@ -630,7 +630,7 @@
 	{"help",         0, NULL, OPT_HELP},
 	{NULL,           0, NULL, 0},
 };
-static char *short_opts = ":s:b:k:S:B:v:f:d:l:";
+static const char *short_opts = ":s:b:k:S:B:v:f:d:l:";
 
 /* Return zero on success */
 static int parse_number_opt(const char *arg, const char *name, uint32_t *dest)
diff --git a/futility/cmd_validate_rec_mrc.c b/futility/cmd_validate_rec_mrc.c
index e4b57d8..2f60915 100644
--- a/futility/cmd_validate_rec_mrc.c
+++ b/futility/cmd_validate_rec_mrc.c
@@ -49,7 +49,7 @@
 #define REGF_METADATA_BLOCK_SIZE	REGF_BLOCK_GRANULARITY
 #define REGF_UNALLOCATED_BLOCK		0xffff
 
-unsigned long compute_ip_checksum(const void *addr, unsigned long length)
+static unsigned long compute_ip_checksum(const void *addr, unsigned long length)
 {
 	const uint8_t *ptr;
 	volatile union {
diff --git a/futility/file_type.h b/futility/file_type.h
index a1be217..a389713 100644
--- a/futility/file_type.h
+++ b/futility/file_type.h
@@ -57,7 +57,12 @@
 			 const char *filename,
 			 uint8_t *buf, uint32_t len);
 
-/* Declare the file_type functions. */
+/*
+ * Declare the file_type functions. Certain functions are reused for more than
+ * one file type, leading to redundant declarations here.
+ */
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wredundant-decls"
 #define R_(FOO) \
 	enum futil_file_type FOO(uint8_t *buf, uint32_t len);
 #define S_(FOO) \
@@ -69,5 +74,6 @@
 #undef NONE
 #undef S_
 #undef R_
+#pragma GCC diagnostic pop
 
 #endif	/* VBOOT_REFERENCE_FUTILITY_FILE_TYPE_H_ */
diff --git a/futility/file_type.inc b/futility/file_type.inc
index b48c6c4..5fd83c2 100644
--- a/futility/file_type.inc
+++ b/futility/file_type.inc
@@ -68,7 +68,7 @@
 	  NONE,
 	  S_(ft_sign_raw_kernel))
 FILE_TYPE(CHROMIUMOS_DISK,  "disk_img",      "chromiumos disk image",
-	  NONE,
+	  R_(ft_recognize_gpt),
 	  NONE,
 	  NONE)
 FILE_TYPE(RWSIG,            "rwsig",         "RW device image",
diff --git a/futility/futility.c b/futility/futility.c
index f0a42e2..3fc09c8 100644
--- a/futility/futility.c
+++ b/futility/futility.c
@@ -31,7 +31,7 @@
 static int log_fd = -1;
 
 /* Write the string and a newline. Silently give up on errors */
-static void log_str(char *prefix, char *str)
+static void log_str(const char *prefix, const char *str)
 {
 	int len, done, n;
 
@@ -238,7 +238,7 @@
 		if (cmd) {
 			/* Let the command provide its own help */
 			argv[0] = argv[1];
-			argv[1] = "--help";
+			argv[1] = (char *)"--help";
 			return run_command(cmd, argc, argv);
 		}
 	}
@@ -358,11 +358,11 @@
 	 * by rearranging argv[].
 	 */
 	if (helpind) {
-		int i;
+		int j;
 		optind--;
-		for (i = helpind; i < optind; i++)
-			argv[i] = argv[i + 1];
-		argv[i] = "help";
+		for (j = helpind; j < optind; j++)
+			argv[j] = argv[j + 1];
+		argv[j] = (char *)"help";
 	}
 
 	/* We require a command name. */
diff --git a/futility/updater.c b/futility/updater.c
index 37fe665..8dad7d4 100644
--- a/futility/updater.c
+++ b/futility/updater.c
@@ -185,7 +185,7 @@
 
 
 /* An helper function to return "mainfw_act" system property.  */
-static int host_get_mainfw_act()
+static int host_get_mainfw_act(void)
 {
 	char buf[VB_MAX_STRING_PROPERTY];
 
@@ -201,13 +201,13 @@
 }
 
 /* A helper function to return the "tpm_fwver" system property. */
-static int host_get_tpm_fwver()
+static int host_get_tpm_fwver(void)
 {
 	return VbGetSystemPropertyInt("tpm_fwver");
 }
 
 /* A helper function to return the "hardware write protection" status. */
-static int host_get_wp_hw()
+static int host_get_wp_hw(void)
 {
 	/* wpsw refers to write protection 'switch', not 'software'. */
 	int v = VbGetSystemPropertyInt("wpsw_cur");
@@ -220,13 +220,13 @@
 }
 
 /* A helper function to return "fw_vboot2" system property. */
-static int host_get_fw_vboot2()
+static int host_get_fw_vboot2(void)
 {
 	return VbGetSystemPropertyInt("fw_vboot2");
 }
 
 /* A help function to get $(mosys platform version). */
-static int host_get_platform_version()
+static int host_get_platform_version(void)
 {
 	char *result = host_shell("mosys platform version");
 	int rev = -1;
@@ -341,7 +341,7 @@
 }
 
 /* Helper function to return host software write protection status. */
-static int host_get_wp_sw()
+static int host_get_wp_sw(void)
 {
 	return host_get_wp(PROG_HOST);
 }
diff --git a/futility/updater.h b/futility/updater.h
index bb30ffb..57e5b0b 100644
--- a/futility/updater.h
+++ b/futility/updater.h
@@ -47,7 +47,7 @@
 };
 
 struct system_property {
-	int (*getter)();
+	int (*getter)(void);
 	int value;
 	int initialized;
 };
@@ -106,7 +106,8 @@
 struct updater_config_arguments {
 	char *image, *ec_image, *pd_image;
 	char *archive, *quirks, *mode;
-	char *programmer, *model, *signature_id;
+	const char *programmer;
+	char *model, *signature_id;
 	char *emulation, *sys_props, *write_protection;
 	char *output_dir;
 	char *repack, *unpack;
@@ -167,7 +168,7 @@
  * Allocates and initializes a updater_config object with default values.
  * Returns the newly allocated object, or NULL on error.
  */
-struct updater_config *updater_new_config();
+struct updater_config *updater_new_config(void);
 
 /*
  * Releases all resources in an updater configuration object.
diff --git a/futility/updater_archive.c b/futility/updater_archive.c
index 6503ad0..afa04b9 100644
--- a/futility/updater_archive.c
+++ b/futility/updater_archive.c
@@ -403,9 +403,8 @@
  * The arg argument will also be passed to callback.
  * Returns 0 on success otherwise non-zero as failure.
  */
-int archive_walk(
-		struct archive *ar, void *arg,
-		int (*callback)(const char *path, void *arg))
+static int archive_walk(struct archive *ar, void *arg,
+			int (*callback)(const char *path, void *arg))
 {
 	if (!ar)
 		return archive_fallback_walk(NULL, arg, callback);
diff --git a/futility/vb2_helper.c b/futility/vb2_helper.c
index 475a059..fae1d25 100644
--- a/futility/vb2_helper.c
+++ b/futility/vb2_helper.c
@@ -21,6 +21,7 @@
 
 #include "file_type.h"
 #include "futility.h"
+#include "futility_options.h"
 
 int vb2_lookup_hash_alg(const char *str, enum vb2_hash_algorithm *alg)
 {
diff --git a/host/arch/arm/lib/crossystem_arch.c b/host/arch/arm/lib/crossystem_arch.c
index 4dabb28..8f46965 100644
--- a/host/arch/arm/lib/crossystem_arch.c
+++ b/host/arch/arm/lib/crossystem_arch.c
@@ -578,7 +578,7 @@
 {
 	char *str = NULL;
 	char *rv = NULL;
-	char *prop = NULL;
+	const char *prop = NULL;
 
 	if (!strcasecmp(name,"arch"))
 		return StrCopy(dest, "arm", size);
@@ -617,8 +617,3 @@
 	/* All is handled in arch independent fashion */
 	return -1;
 }
-
-int VbArchInit(void)
-{
-	return 0;
-}
diff --git a/host/lib/crossystem.c b/host/lib/crossystem.c
index 08b481d..34ac972 100644
--- a/host/lib/crossystem.c
+++ b/host/lib/crossystem.c
@@ -187,14 +187,14 @@
 
 /* Determine whether the running OS image was built for debugging.
  * Returns 1 if yes, 0 if no or indeterminate. */
-int VbGetDebugBuild(void)
+static int VbGetDebugBuild(void)
 {
 	return VB_BUILD_OPTION_DEBUG == VbScanBuildOption();
 }
 
 /* Determine whether OS-level debugging should be allowed.
  * Returns 1 if yes, 0 if no or indeterminate. */
-int VbGetCrosDebug(void)
+static int VbGetCrosDebug(void)
 {
 	/* If the currently running system specifies its debug status, use
 	 * that in preference to other indicators. */
@@ -213,8 +213,8 @@
 	return 0;
 }
 
-char *GetVdatLoadFirmwareDebug(char *dest, int size,
-			       const VbSharedDataHeader *sh)
+static char *GetVdatLoadFirmwareDebug(char *dest, int size,
+				      const VbSharedDataHeader *sh)
 {
 	snprintf(dest, size,
 		 "Check A result=%d\n"
@@ -232,8 +232,8 @@
 
 #define TRUNCATED "\n(truncated)\n"
 
-char *GetVdatLoadKernelDebug(char *dest, int size,
-			     const VbSharedDataHeader *sh)
+static char *GetVdatLoadKernelDebug(char *dest, int size,
+				    const VbSharedDataHeader *sh)
 {
 	int used = 0;
 	int first_call_tracked = 0;
@@ -325,7 +325,7 @@
 	return dest;
 }
 
-char *GetVdatString(char *dest, int size, VdatStringField field)
+static char *GetVdatString(char *dest, int size, VdatStringField field)
 {
 	VbSharedDataHeader *sh = VbSharedDataRead();
 	char *value = dest;
@@ -380,7 +380,7 @@
 	return value;
 }
 
-int GetVdatInt(VdatIntField field)
+static int GetVdatInt(VdatIntField field)
 {
 	VbSharedDataHeader* sh = VbSharedDataRead();
 	int value = -1;
@@ -806,7 +806,7 @@
 	return retval;
 }
 
-static int ExecuteMosys(char * const argv[], char *buf, size_t bufsize)
+static int ExecuteMosys(const char * const argv[], char *buf, size_t bufsize)
 {
 	int status, mosys_to_crossystem[2];
 	pid_t pid;
@@ -833,8 +833,9 @@
 				exit(1);
 			}
 		}
-		/* Execute mosys */
-		execv(InAndroid() ? MOSYS_ANDROID_PATH : MOSYS_CROS_PATH, argv);
+		/* Execute mosys (needs cast because POSIX is stupid) */
+		execv(InAndroid() ? MOSYS_ANDROID_PATH : MOSYS_CROS_PATH,
+		      (char * const *)argv);
 		/* We shouldn't be here; exit now! */
 		fprintf(stderr, "execv() of mosys failed\n");
 		close(mosys_to_crossystem[1]);
@@ -878,7 +879,7 @@
 	 * the header byte to determine the records size, or if it calls back
 	 * to crossystem to read the VBSD flag.
 	 */
-	char * const argv[] = {
+	const char * const argv[] = {
 		InAndroid() ? MOSYS_ANDROID_PATH : MOSYS_CROS_PATH,
 		"nvram", "vboot", "read", NULL
 	};
@@ -905,7 +906,7 @@
 int vb2_write_nv_storage_mosys(struct vb2_context *ctx)
 {
 	char hexstring[VB2_NVDATA_SIZE_V2 * 2 + 1];
-	char * const argv[] = {
+	const char * const argv[] = {
 		InAndroid() ? MOSYS_ANDROID_PATH : MOSYS_CROS_PATH,
 		"nvram", "vboot", "write", hexstring, NULL
 	};
diff --git a/host/lib/extract_vmlinuz.c b/host/lib/extract_vmlinuz.c
index 2d8a43d..efce2ef 100644
--- a/host/lib/extract_vmlinuz.c
+++ b/host/lib/extract_vmlinuz.c
@@ -9,6 +9,7 @@
 #include <string.h>
 
 #include "vb2_struct.h"
+#include "vboot_host.h"
 #include "vboot_struct.h"
 
 
diff --git a/host/lib21/host_key.c b/host/lib21/host_key.c
index 2066a22..76fbf28 100644
--- a/host/lib21/host_key.c
+++ b/host/lib21/host_key.c
@@ -350,7 +350,7 @@
 			static const struct vb2_private_key key = {
 				.hash_alg = VB2_HASH_SHA1,
 				.sig_alg = VB2_SIG_NONE,
-				.desc = "Unsigned SHA1",
+				.desc = (char *)"Unsigned SHA1",
 				.id = VB2_ID_NONE_SHA1,
 			};
 			*key_ptr = &key;
@@ -363,7 +363,7 @@
 			static const struct vb2_private_key key = {
 				.hash_alg = VB2_HASH_SHA256,
 				.sig_alg = VB2_SIG_NONE,
-				.desc = "Unsigned SHA-256",
+				.desc = (char *)"Unsigned SHA-256",
 				.id = VB2_ID_NONE_SHA256,
 			};
 			*key_ptr = &key;
@@ -376,7 +376,7 @@
 			static const struct vb2_private_key key = {
 				.hash_alg = VB2_HASH_SHA512,
 				.sig_alg = VB2_SIG_NONE,
-				.desc = "Unsigned SHA-512",
+				.desc = (char *)"Unsigned SHA-512",
 				.id = VB2_ID_NONE_SHA512,
 			};
 			*key_ptr = &key;
diff --git a/tests/bdb_sprw_test.c b/tests/bdb_sprw_test.c
index 1f5be95..8395275 100644
--- a/tests/bdb_sprw_test.c
+++ b/tests/bdb_sprw_test.c
@@ -59,9 +59,9 @@
 		.oem_area_0_size = sizeof(oem_area_0),
 		.oem_area_1 = oem_area_1,
 		.oem_area_1_size = sizeof(oem_area_1),
-		.header_sig_description = "The header sig",
-		.data_sig_description = "The data sig",
-		.data_description = "Test BDB data",
+		.header_sig_description = (char *)"The header sig",
+		.data_sig_description = (char *)"The data sig",
+		.data_description = (char *)"Test BDB data",
 		.data_version = 3,
 		.hash = hash,
 		.num_hashes = num_hashes,
diff --git a/tests/bdb_test.c b/tests/bdb_test.c
index 0dd7619..693d619 100644
--- a/tests/bdb_test.c
+++ b/tests/bdb_test.c
@@ -14,7 +14,7 @@
 #include "host.h"
 #include "test_common.h"
 
-void check_header_tests(void)
+static void check_header_tests(void)
 {
 	struct bdb_header sgood = {
 		.struct_magic = BDB_HEADER_MAGIC,
@@ -58,7 +58,7 @@
 	TEST_EQ_S(bdb_check_header(&s, ssize), BDB_ERROR_BDB_SIZE);
 }
 
-void check_key_tests(void)
+static void check_key_tests(void)
 {
 	struct bdb_key sgood = {
 		.struct_magic = BDB_KEY_MAGIC,
@@ -119,7 +119,7 @@
 	TEST_EQ_S(bdb_check_key(&s, ssize), BDB_ERROR_SIG_ALG);
 }
 
-void check_sig_tests(void)
+static void check_sig_tests(void)
 {
 	struct bdb_sig sgood = {
 		.struct_magic = BDB_SIG_MAGIC,
@@ -179,7 +179,7 @@
 	TEST_EQ_S(bdb_check_sig(&s, ssize), BDB_ERROR_SIG_ALG);
 }
 
-void check_data_tests(void)
+static void check_data_tests(void)
 {
 	struct bdb_data sgood = {
 		.struct_magic = BDB_DATA_MAGIC,
@@ -248,7 +248,7 @@
 /**
  * Test bdb_verify() and bdb_create()
  */
-void check_bdb_verify(const char *key_dir)
+static void check_bdb_verify(const char *key_dir)
 {
 	uint8_t oem_area_0[32] = "Some OEM area.";
 	uint8_t oem_area_1[64] = "Some other OEM area.";
@@ -279,9 +279,9 @@
 		.oem_area_0_size = sizeof(oem_area_0),
 		.oem_area_1 = oem_area_1,
 		.oem_area_1_size = sizeof(oem_area_1),
-		.header_sig_description = "The header sig",
-		.data_sig_description = "The data sig",
-		.data_description = "Test BDB data",
+		.header_sig_description = (char *)"The header sig",
+		.data_sig_description = (char *)"The data sig",
+		.data_description = (char *)"Test BDB data",
 		.data_version = 3,
 		.hash = hash,
 		.num_hashes = 2,
diff --git a/tests/cgptlib_test.c b/tests/cgptlib_test.c
index a886174..669f796 100644
--- a/tests/cgptlib_test.c
+++ b/tests/cgptlib_test.c
@@ -1645,7 +1645,7 @@
 	return TEST_OK;
 }
 
-static int CheckHeaderOffDevice()
+static int CheckHeaderOffDevice(void)
 {
 	GptData* gpt = GetEmptyGptData();
 	BuildTestGptData(gpt);
@@ -1711,7 +1711,7 @@
 	int i;
 	int error_count = 0;
 	struct {
-		char *name;
+		const char *name;
 		test_func fp;
 		int retval;
 	} test_cases[] = {
diff --git a/tests/cgptlib_test.h b/tests/cgptlib_test.h
index 90e76fc..0f226bd 100644
--- a/tests/cgptlib_test.h
+++ b/tests/cgptlib_test.h
@@ -14,7 +14,7 @@
 };
 
 #define TEST_CASE(func) #func, func
-typedef int (*test_func)();
+typedef int (*test_func)(void);
 
 #define ARRAY_SIZE(array) (sizeof(array) / sizeof(array[0]))
 
diff --git a/tests/crc32_test.c b/tests/crc32_test.c
index 81bdba9..a9631a5 100644
--- a/tests/crc32_test.c
+++ b/tests/crc32_test.c
@@ -11,7 +11,7 @@
 
 #define MAX_VECTOR_LEN 256
 
-int TestCrc32TestVectors() {
+int TestCrc32TestVectors(void) {
 	struct {
 		uint8_t vector[MAX_VECTOR_LEN];
 		int len;
diff --git a/tests/crc32_test.h b/tests/crc32_test.h
index 493d34e..18530f9 100644
--- a/tests/crc32_test.h
+++ b/tests/crc32_test.h
@@ -5,6 +5,6 @@
 #ifndef VBOOT_REFERENCE_CRC32_TEST_H_
 #define VBOOT_REFERENCE_CRC32_TEST_H_
 
-int TestCrc32TestVectors();
+int TestCrc32TestVectors(void);
 
 #endif  /* VBOOT_REFERENCE_CRC32_TEST_H_ */
diff --git a/tests/ec_sync_tests.c b/tests/ec_sync_tests.c
index a971b96..571eef6 100644
--- a/tests/ec_sync_tests.c
+++ b/tests/ec_sync_tests.c
@@ -202,7 +202,7 @@
 	return update_retval;
 }
 
-VbError_t VbDisplayScreen(struct vb2_context *ctx, uint32_t screen, int force,
+VbError_t VbDisplayScreen(struct vb2_context *c, uint32_t screen, int force,
 			  const VbScreenData *data)
 {
 	if (screens_count < ARRAY_SIZE(screens_displayed))
diff --git a/tests/futility/test_file_types.c b/tests/futility/test_file_types.c
index 2bf2788..c77802b 100644
--- a/tests/futility/test_file_types.c
+++ b/tests/futility/test_file_types.c
@@ -46,7 +46,7 @@
 {
 	char filename[PATH_MAX];
 	char status[80];
-	char *srcdir;
+	const char *srcdir;
 	enum futil_file_type type;
 	int i;
 
diff --git a/tests/sha_test_vectors.h b/tests/sha_test_vectors.h
index 9214799..d2532b9 100644
--- a/tests/sha_test_vectors.h
+++ b/tests/sha_test_vectors.h
@@ -8,10 +8,10 @@
 #ifndef VBOOT_REFERENCE_SHA_TEST_VECTORS_H_
 #define VBOOT_REFERENCE_SHA_TEST_VECTORS_H_
 
-char* oneblock_msg = "abc";
-char* multiblock_msg1 = "abcdbcdecdefdefgefghfghighijhijkijkl"
+const char* oneblock_msg = "abc";
+const char* multiblock_msg1 = "abcdbcdecdefdefgefghfghighijhijkijkl"
 		"jklmklmnlmnomnopnopq";
-char* multiblock_msg2= "abcdefghbcdefghicdefghijdefghijkefghi"
+const char* multiblock_msg2= "abcdefghbcdefghicdefghijdefghijkefghi"
 		"jklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnop"
 		"qrsmnopqrstnopqrstu";
 char* long_msg;
diff --git a/tests/tlcl_tests.c b/tests/tlcl_tests.c
index 00eae61..f9f990d 100644
--- a/tests/tlcl_tests.c
+++ b/tests/tlcl_tests.c
@@ -273,7 +273,7 @@
 /**
  * Test DefineSpaceEx
  */
-void DefineSpaceExTest(void) {
+static void DefineSpaceExTest(void) {
 	uint8_t osap_response[] = {
 		0x00, 0xc4, 0x00, 0x00, 0x00, 0x36, 0x00, 0x00,
 		0x00, 0x00, 0x02, 0x41, 0x3d, 0xce, 0x20, 0xa2,
@@ -367,7 +367,7 @@
 /**
  * Test TlclInitNvAuthPolicy.
  */
-void InitNvAuthPolicyTest(void) {
+static void InitNvAuthPolicyTest(void) {
 	const uint8_t empty_selection_digest[] = {
 		0x79, 0xdd, 0xda, 0xfd, 0xc1, 0x97, 0xdc, 0xcc,
 		0xe9, 0x98, 0x9a, 0xee, 0xf5, 0x52, 0x89, 0xee,
@@ -798,7 +798,7 @@
 /**
  * Test ReadPubek
  */
-void ReadPubekTest(void) {
+static void ReadPubekTest(void) {
 	uint8_t response[] = {
 		0x00, 0xc4, 0x00, 0x00, 0x01, 0x3a, 0x00, 0x00,
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x03,
@@ -922,7 +922,7 @@
 /**
  * Test TakeOwnership
  */
-void TakeOwnershipTest(void) {
+static void TakeOwnershipTest(void) {
 	uint8_t oiap_response[] = {
 		0x00, 0xc4, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00,
 		0x00, 0x00, 0x00, 0x4c, 0x04, 0x1a, 0x18, 0xa9,
@@ -1071,7 +1071,7 @@
 /**
  * Test ReadDelegationFamilyTable
  */
-void ReadDelegationFamilyTableTest(void) {
+static void ReadDelegationFamilyTableTest(void) {
 	uint8_t response[] = {
 		0x00, 0xc4, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00,
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x25,
diff --git a/tests/tpm_lite/tlcl_tests.c b/tests/tpm_lite/tlcl_tests.c
index c164f4f..353b16c 100644
--- a/tests/tpm_lite/tlcl_tests.c
+++ b/tests/tpm_lite/tlcl_tests.c
@@ -14,7 +14,7 @@
 const char* resilient_startup = NULL;
 
 uint32_t TlclStartupIfNeeded(void) {
-	static char* null_getenv = "some string";  /* just a unique address */
+	static const char* null_getenv = "some string";  /* a unique address */
 	uint32_t result = TlclStartup();
 	if (resilient_startup == NULL) {
 		resilient_startup = getenv("TLCL_RESILIENT_STARTUP");
diff --git a/tests/vb20_common2_tests.c b/tests/vb20_common2_tests.c
index 2dea317..39e4c06 100644
--- a/tests/vb20_common2_tests.c
+++ b/tests/vb20_common2_tests.c
@@ -139,7 +139,7 @@
 }
 
 
-int test_algorithm(int key_algorithm, const char *keys_dir)
+static int test_algorithm(int key_algorithm, const char *keys_dir)
 {
 	char filename[1024];
 	struct vb2_private_key *private_key = NULL;
diff --git a/tests/vb20_common3_tests.c b/tests/vb20_common3_tests.c
index 5533124..255889f 100644
--- a/tests/vb20_common3_tests.c
+++ b/tests/vb20_common3_tests.c
@@ -509,8 +509,8 @@
 	free(body_sig);
 }
 
-int test_permutation(int signing_key_algorithm, int data_key_algorithm,
-		     const char *keys_dir)
+static int test_permutation(int signing_key_algorithm, int data_key_algorithm,
+			    const char *keys_dir)
 {
 	char filename[1024];
 	int retval = 1;
diff --git a/tests/vb20_kernel_tests.c b/tests/vb20_kernel_tests.c
index 213b9e6..6d93628 100644
--- a/tests/vb20_kernel_tests.c
+++ b/tests/vb20_kernel_tests.c
@@ -178,7 +178,7 @@
 int vb2_verify_keyblock(struct vb2_keyblock *block,
 			uint32_t size,
 			const struct vb2_public_key *key,
-			const struct vb2_workbuf *wb)
+			const struct vb2_workbuf *w)
 {
 	return mock_verify_keyblock_retval;
 }
@@ -186,7 +186,7 @@
 int vb2_verify_kernel_preamble(struct vb2_kernel_preamble *preamble,
 			       uint32_t size,
 			       const struct vb2_public_key *key,
-			       const struct vb2_workbuf *wb)
+			       const struct vb2_workbuf *w)
 {
 	return mock_verify_preamble_retval;
 }
diff --git a/tests/vb21_api_tests.c b/tests/vb21_api_tests.c
index 89e683b..1880940 100644
--- a/tests/vb21_api_tests.c
+++ b/tests/vb21_api_tests.c
@@ -124,12 +124,12 @@
 
 /* Mocked functions */
 
-int vb21_load_fw_keyblock(struct vb2_context *ctx)
+int vb21_load_fw_keyblock(struct vb2_context *c)
 {
 	return retval_vb21_load_fw_keyblock;
 }
 
-int vb21_load_fw_preamble(struct vb2_context *ctx)
+int vb21_load_fw_preamble(struct vb2_context *c)
 {
 	return retval_vb21_load_fw_preamble;
 }
diff --git a/tests/vb21_common2_tests.c b/tests/vb21_common2_tests.c
index 5a867ee..e74ad0a 100644
--- a/tests/vb21_common2_tests.c
+++ b/tests/vb21_common2_tests.c
@@ -237,7 +237,7 @@
 	free(buf2);
 }
 
-int test_algorithm(int key_algorithm, const char *keys_dir)
+static int test_algorithm(int key_algorithm, const char *keys_dir)
 {
 	char filename[1024];
 
diff --git a/tests/vb21_misc_tests.c b/tests/vb21_misc_tests.c
index c33432d..8cc3bbb 100644
--- a/tests/vb21_misc_tests.c
+++ b/tests/vb21_misc_tests.c
@@ -119,7 +119,7 @@
 
 /* Mocked functions */
 
-int vb2ex_read_resource(struct vb2_context *ctx,
+int vb2ex_read_resource(struct vb2_context *c,
 			enum vb2_resource_index index,
 			uint32_t offset,
 			void *buf,
diff --git a/tests/vb2_nvstorage_tests.c b/tests/vb2_nvstorage_tests.c
index 1dccdad..c63dd30 100644
--- a/tests/vb2_nvstorage_tests.c
+++ b/tests/vb2_nvstorage_tests.c
@@ -27,7 +27,7 @@
 	uint32_t default_value;   /* Expected default value */
 	uint32_t test_value;      /* Value to test writing */
 	uint32_t test_value2;     /* Second value to test writing */
-	char *desc;               /* Field description */
+	const char *desc;         /* Field description */
 };
 
 /* Array of fields to test, terminated with a field with desc==NULL. */
diff --git a/tests/vb2_rsa_utility_tests.c b/tests/vb2_rsa_utility_tests.c
index 63307b1..58203b2 100644
--- a/tests/vb2_rsa_utility_tests.c
+++ b/tests/vb2_rsa_utility_tests.c
@@ -16,17 +16,7 @@
 #include "test_common.h"
 #include "utility.h"
 #include "vboot_api.h"
-
-/*
- * Internal functions from 2rsa.c that have error conditions we can't trigger
- * from the public APIs.  These include checks for bad algorithms where the
- * next call level up already checks for bad algorithms, etc.
- *
- * These functions aren't in 2rsa.h because they're not part of the public
- * APIs.
- */
-int vb2_mont_ge(const struct vb2_public_key *key, uint32_t *a);
-int vb2_check_padding(const uint8_t *sig, const struct vb2_public_key *key);
+#include "vboot_test.h"
 
 /**
  * Test RSA utility funcs
diff --git a/tests/vb2_sha_tests.c b/tests/vb2_sha_tests.c
index 54bca66..6eae02f 100644
--- a/tests/vb2_sha_tests.c
+++ b/tests/vb2_sha_tests.c
@@ -15,7 +15,7 @@
 #include "sha_test_vectors.h"
 #include "test_common.h"
 
-void sha1_tests(void)
+static void sha1_tests(void)
 {
 	uint8_t digest[VB2_SHA1_DIGEST_SIZE];
 	uint8_t *test_inputs[3];
@@ -45,7 +45,7 @@
 		"vb2_hash_block_size(VB2_HASH_SHA1)");
 }
 
-void sha256_tests(void)
+static void sha256_tests(void)
 {
 	uint8_t digest[VB2_SHA256_DIGEST_SIZE];
 	uint8_t *test_inputs[3];
@@ -101,7 +101,7 @@
 	TEST_SUCC(memcmp(digest, expected_extend, sizeof(digest)), NULL);
 }
 
-void sha512_tests(void)
+static void sha512_tests(void)
 {
 	uint8_t digest[VB2_SHA512_DIGEST_SIZE];
 	uint8_t *test_inputs[3];
@@ -131,7 +131,7 @@
 		"vb2_hash_block_size(VB2_HASH_SHA512)");
 }
 
-void misc_tests(void)
+static void misc_tests(void)
 {
 	uint8_t digest[VB2_SHA512_DIGEST_SIZE];
 	struct vb2_digest_context dc;
diff --git a/tests/vboot_api_devmode_tests.c b/tests/vboot_api_devmode_tests.c
index 73e938a..9d20e32 100644
--- a/tests/vboot_api_devmode_tests.c
+++ b/tests/vboot_api_devmode_tests.c
@@ -39,7 +39,7 @@
 } note_event_t;
 
 typedef struct {
-	char *name;
+	const char *name;
 	uint32_t gbb_flags;
 	VbError_t beep_return;
 	uint32_t keypress_key;
diff --git a/tests/vboot_api_kernel2_tests.c b/tests/vboot_api_kernel2_tests.c
index 889d2cb..a3cbd48 100644
--- a/tests/vboot_api_kernel2_tests.c
+++ b/tests/vboot_api_kernel2_tests.c
@@ -23,6 +23,7 @@
 #include "vboot_display.h"
 #include "vboot_kernel.h"
 #include "vboot_struct.h"
+#include "vboot_test.h"
 
 /* Mock data */
 static uint8_t shared_data[VB_SHARED_DATA_MIN_SIZE];
@@ -59,9 +60,6 @@
 static char set_vendor_data[32];
 static int set_vendor_data_called;
 
-extern enum VbEcBootMode_t VbGetMode(void);
-extern struct RollbackSpaceFwmp *VbApiKernelGetFwmp(void);
-
 /* Reset mock data (for use before each test) */
 static void ResetMocks(void)
 {
@@ -214,12 +212,12 @@
 	return 1;
 }
 
-uint32_t VbTryLoadKernel(struct vb2_context *ctx, uint32_t get_info_flags)
+uint32_t VbTryLoadKernel(struct vb2_context *c, uint32_t get_info_flags)
 {
 	return vbtlk_retval + get_info_flags;
 }
 
-VbError_t VbDisplayScreen(struct vb2_context *ctx, uint32_t screen, int force,
+VbError_t VbDisplayScreen(struct vb2_context *c, uint32_t screen, int force,
 			  const VbScreenData *data)
 {
 	if (screens_count < ARRAY_SIZE(screens_displayed))
diff --git a/tests/vboot_api_kernel4_tests.c b/tests/vboot_api_kernel4_tests.c
index cb2179d..adad413 100644
--- a/tests/vboot_api_kernel4_tests.c
+++ b/tests/vboot_api_kernel4_tests.c
@@ -131,7 +131,7 @@
 	return rfr_retval;
 }
 
-uint32_t VbTryLoadKernel(struct vb2_context *ctx, uint32_t get_info_flags)
+uint32_t VbTryLoadKernel(struct vb2_context *c, uint32_t get_info_flags)
 {
 	shared->kernel_version_tpm = new_version;
 
@@ -141,7 +141,7 @@
 	return vbboot_retval;
 }
 
-VbError_t VbBootDeveloper(struct vb2_context *ctx)
+VbError_t VbBootDeveloper(struct vb2_context *c)
 {
 	shared->kernel_version_tpm = new_version;
 
@@ -151,7 +151,7 @@
 	return vbboot_retval;
 }
 
-VbError_t VbBootRecovery(struct vb2_context *ctx)
+VbError_t VbBootRecovery(struct vb2_context *c)
 {
 	shared->kernel_version_tpm = new_version;
 
@@ -161,7 +161,7 @@
 	return vbboot_retval;
 }
 
-VbError_t VbBootDiagnostic(struct vb2_context *ctx)
+VbError_t VbBootDiagnostic(struct vb2_context *c)
 {
 	if (vbboot_retval == -4)
 		return VBERROR_SIMULATED;
diff --git a/tests/vboot_api_kernel6_tests.c b/tests/vboot_api_kernel6_tests.c
index c44c3c1..27065ac 100644
--- a/tests/vboot_api_kernel6_tests.c
+++ b/tests/vboot_api_kernel6_tests.c
@@ -10,6 +10,7 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "rollback_index.h"
 #include "test_common.h"
 #include "vboot_api.h"
 
diff --git a/tests/vboot_api_kernel_tests.c b/tests/vboot_api_kernel_tests.c
index 06d7d69..1bc2c9a 100644
--- a/tests/vboot_api_kernel_tests.c
+++ b/tests/vboot_api_kernel_tests.c
@@ -20,8 +20,7 @@
 #include "utility.h"
 #include "vboot_api.h"
 #include "vboot_kernel.h"
-
-struct LoadKernelParams *VbApiKernelGetParams(void);
+#include "vboot_test.h"
 
 #define MAX_TEST_DISKS 10
 #define DEFAULT_COUNT -1
@@ -34,7 +33,7 @@
 } disk_desc_t;
 
 typedef struct {
-	char *name;
+	const char *name;
 
 	/* inputs for test case */
 	uint32_t want_flags;
@@ -249,7 +248,7 @@
 	t = test + i;
 }
 
-int is_nonzero(const void *vptr, size_t count)
+static int is_nonzero(const void *vptr, size_t count)
 {
 	const char *p = (const char *)vptr;
 	while (count--)
@@ -319,7 +318,7 @@
 	return VBERROR_SUCCESS;
 }
 
-VbError_t LoadKernel(struct vb2_context *ctx, LoadKernelParams *params)
+VbError_t LoadKernel(struct vb2_context *c, LoadKernelParams *params)
 {
 	got_find_disk = (const char *)params->disk_handle;
 	VB2_DEBUG("%s(%d): got_find_disk = %s\n", __FUNCTION__,
@@ -331,7 +330,7 @@
 	return t->loadkernel_return_val[load_kernel_calls++];
 }
 
-void vb2_nv_set(struct vb2_context *ctx,
+void vb2_nv_set(struct vb2_context *c,
 		enum vb2_nv_param param,
 		uint32_t value)
 {
diff --git a/tests/vboot_detach_menu_tests.c b/tests/vboot_detach_menu_tests.c
index 182ba3e..bf71a5f 100644
--- a/tests/vboot_detach_menu_tests.c
+++ b/tests/vboot_detach_menu_tests.c
@@ -24,6 +24,7 @@
 #include "vboot_display.h"
 #include "vboot_kernel.h"
 #include "vboot_struct.h"
+#include "vboot_test.h"
 #include "vboot_ui_menu_private.h"
 
 /* Mock data */
@@ -59,9 +60,6 @@
 static uint32_t mock_altfw_mask;
 static int vbexaltfwmask_called;
 
-extern enum VbEcBootMode_t VbGetMode(void);
-extern struct RollbackSpaceFwmp *VbApiKernelGetFwmp(void);
-
 /* Reset mock data (for use before each test) */
 static void ResetMocks(void)
 {
@@ -196,7 +194,7 @@
 	return 1;
 }
 
-VbError_t VbTryLoadKernel(struct vb2_context *ctx, uint32_t get_info_flags)
+VbError_t VbTryLoadKernel(struct vb2_context *c, uint32_t get_info_flags)
 {
 	if (vbtlk_retval_count < ARRAY_SIZE(vbtlk_retval) &&
 	    vbtlk_retval[vbtlk_retval_count] != 0)
@@ -204,7 +202,7 @@
 	return vbtlk_last_retval + get_info_flags;
 }
 
-VbError_t VbDisplayScreen(struct vb2_context *ctx, uint32_t screen, int force,
+VbError_t VbDisplayScreen(struct vb2_context *c, uint32_t screen, int force,
 			  const VbScreenData *data)
 {
 	if (screens_count < ARRAY_SIZE(screens_displayed))
@@ -214,7 +212,7 @@
 	return VBERROR_SUCCESS;
 }
 
-VbError_t VbDisplayMenu(struct vb2_context *ctx, uint32_t screen, int force,
+VbError_t VbDisplayMenu(struct vb2_context *c, uint32_t screen, int force,
 			uint32_t selected_index, uint32_t disabled_idx_mask)
 {
 	if (screens_count < ARRAY_SIZE(screens_displayed))
@@ -229,7 +227,7 @@
 	return VBERROR_SUCCESS;
 }
 
-VbError_t VbDisplayDebugInfo(struct vb2_context *ctx)
+VbError_t VbDisplayDebugInfo(struct vb2_context *c)
 {
 	debug_info_displayed = 1;
 	return VBERROR_SUCCESS;
diff --git a/tests/vboot_kernel_tests.c b/tests/vboot_kernel_tests.c
index a5922ed..e94c5b7 100644
--- a/tests/vboot_kernel_tests.c
+++ b/tests/vboot_kernel_tests.c
@@ -25,6 +25,7 @@
 #include "load_kernel_fw.h"
 #include "rollback_index.h"
 #include "test_common.h"
+#include "vb2_common.h"
 #include "vb2_struct.h"
 #include "vboot_api.h"
 #include "vboot_common.h"
@@ -189,7 +190,7 @@
 
 /* Mocks */
 
-VbError_t VbExDiskRead(VbExDiskHandle_t handle, uint64_t lba_start,
+VbError_t VbExDiskRead(VbExDiskHandle_t h, uint64_t lba_start,
 		       uint64_t lba_count, void *buffer)
 {
 	LOGCALL("VbExDiskRead(h, %d, %d)\n", (int)lba_start, (int)lba_count);
@@ -203,7 +204,7 @@
 	return VBERROR_SUCCESS;
 }
 
-VbError_t VbExDiskWrite(VbExDiskHandle_t handle, uint64_t lba_start,
+VbError_t VbExDiskWrite(VbExDiskHandle_t h, uint64_t lba_start,
 			uint64_t lba_count, const void *buffer)
 {
 	LOGCALL("VbExDiskWrite(h, %d, %d)\n", (int)lba_start, (int)lba_count);
@@ -567,7 +568,7 @@
 
 }
 
-static void TestLoadKernel(int expect_retval, char *test_name)
+static void TestLoadKernel(int expect_retval, const char *test_name)
 {
 	TEST_EQ(LoadKernel(&ctx, &lkp), expect_retval, test_name);
 }
diff --git a/utility/crossystem.c b/utility/crossystem.c
index 68e3f51..3093f2a 100644
--- a/utility/crossystem.c
+++ b/utility/crossystem.c
@@ -11,11 +11,6 @@
 
 #include "crossystem.h"
 
-/*
- * Call arch specific init, if provided, otherwise use the 'weak' stub.
- */
-int __VbArchInit(void) { return 0; }
-int VbArchInit(void) __attribute__((weak, alias("__VbArchInit")));
 /* Flags for Param */
 #define IS_STRING      0x01  /* String (not present = integer) */
 #define CAN_WRITE      0x02  /* Writable (not present = read-only */
@@ -118,7 +113,7 @@
 
 
 /* Print help */
-void PrintHelp(const char *progname) {
+static void PrintHelp(const char *progname) {
   const Param *p;
 
   printf("\nUsage:\n"
@@ -146,7 +141,7 @@
 /* Find the parameter in the list.
  *
  * Returns the parameter, or NULL if no match. */
-const Param* FindParam(const char* name) {
+static const Param* FindParam(const char* name) {
   const Param* p;
   if (!name)
     return NULL;
@@ -161,7 +156,7 @@
 /* Set the specified parameter.
  *
  * Returns 0 if success, non-zero if error. */
-int SetParam(const Param* p, const char* value) {
+static int SetParam(const Param* p, const char* value) {
   if (!(p->flags & CAN_WRITE))
     return 1;  /* Parameter is read-only */
 
@@ -180,7 +175,7 @@
 /* Compares the parameter with the expected value.
  *
  * Returns 0 if success (match), non-zero if error (mismatch). */
-int CheckParam(const Param* p, char* expect) {
+static int CheckParam(const Param* p, const char* expect) {
   if (p->flags & IS_STRING) {
     char buf[VB_MAX_STRING_PROPERTY];
     const char* v = VbGetSystemPropertyString(p->name, buf, sizeof(buf));
@@ -202,7 +197,7 @@
 /* Print the specified parameter.
  *
  * Returns 0 if success, non-zero if error. */
-int PrintParam(const Param* p) {
+static int PrintParam(const Param* p) {
   if (p->flags & IS_STRING) {
     char buf[VB_MAX_STRING_PROPERTY];
     const char* v = VbGetSystemPropertyString(p->name, buf, sizeof(buf));
@@ -223,7 +218,7 @@
  * parameters that specify the NO_PRINT_ALL flag.
  *
  * Returns 0 if success, non-zero if error. */
-int PrintAllParams(int force_all) {
+static int PrintAllParams(int force_all) {
   const Param* p;
   int retval = 0;
   char buf[VB_MAX_STRING_PROPERTY];
@@ -263,11 +258,6 @@
   else
     progname = argv[0];
 
-  if (VbArchInit()) {
-    fprintf(stderr, "Failed to initialize\n");
-    return -1;
-  }
-
   /* If no args specified, print all params */
   if (argc == 1)
     return PrintAllParams(0);
@@ -287,7 +277,7 @@
     char* has_set = strchr(argv[i], '=');
     char* has_expect = strchr(argv[i], '?');
     char* name = strtok(argv[i], "=?");
-    char* value = strtok(NULL, "=?");
+    const char* value = strtok(NULL, "=?");
     const Param* p;
 
     /* Make sure args are well-formed. '' or '=foo' or '?foo' not allowed. */
diff --git a/utility/dumpRSAPublicKey.c b/utility/dumpRSAPublicKey.c
index 9e90003..d7f66e5 100644
--- a/utility/dumpRSAPublicKey.c
+++ b/utility/dumpRSAPublicKey.c
@@ -21,7 +21,7 @@
  * routines.
  */
 
-int check(RSA* key) {
+static int check(RSA* key) {
   const BIGNUM *n, *e;
   int public_exponent, modulus;
 
@@ -45,7 +45,7 @@
 
 /* Pre-processes and outputs RSA public key to standard out.
  */
-void output(RSA* key) {
+static void output(RSA* key) {
   int i, nwords;
   const BIGNUM *key_n;
   BIGNUM *N = NULL;
diff --git a/utility/tpmc.c b/utility/tpmc.c
index 2e1e518..f5012ea 100644
--- a/utility/tpmc.c
+++ b/utility/tpmc.c
@@ -65,10 +65,10 @@
 /* Converts a string in the form 0x[0-9a-f]+ to a 32-bit value.  Returns 0 for
  * success, non-zero for failure.
  */
-int HexStringToUint32(const char* string, uint32_t* value) {
+static int HexStringToUint32(const char* string, uint32_t* value) {
   char tail[1];
   /* strtoul is not as good because it overflows silently */
-  char* format = strncmp(string, "0x", 2) ? "%8x%s" : "0x%8x%s";
+  const char* format = strncmp(string, "0x", 2) ? "%8x%s" : "0x%8x%s";
   int n = sscanf(string, format, value, tail);
   return n != 1;
 }
@@ -76,7 +76,7 @@
 /* Converts a string in the form [0-9a-f]+ to an 8-bit value.  Returns 0 for
  * success, non-zero for failure.
  */
-int HexStringToUint8(const char* string, uint8_t* value) {
+static int HexStringToUint8(const char* string, uint8_t* value) {
   char* end;
   uint32_t large_value = strtoul(string, &end, 16);
   if (*end != '\0' || large_value > 0xff) {
@@ -86,7 +86,7 @@
   return 0;
 }
 
-int HexStringToArray(const char* string, uint8_t* value, int num_bytes) {
+static int HexStringToArray(const char* string, uint8_t* value, int num_bytes) {
   int len = strlen(string);
   if (!strncmp(string, "0x", 2)) {
     string += 2;
@@ -108,7 +108,7 @@
  * found.  Then returns min(result, OTHER_ERROR) since some error codes, such
  * as TPM_E_RETRY, do not fit in a byte.
  */
-uint8_t ErrorCheck(uint32_t result, const char* cmd) {
+static uint8_t ErrorCheck(uint32_t result, const char* cmd) {
   uint8_t exit_code = result > OTHER_ERROR ? OTHER_ERROR : result;
   if (result == 0) {
     return 0;
diff --git a/utility/verify_data.c b/utility/verify_data.c
index 50eeb9d..1bf6756 100644
--- a/utility/verify_data.c
+++ b/utility/verify_data.c
@@ -29,34 +29,6 @@
 #define COL_RED "\e[0;31m"
 #define COL_STOP "\e[m"
 
-uint8_t* read_signature(char* input_file, int len)
-{
-	int i, sigfd;
-	uint8_t* signature = NULL;
-	if ((sigfd = open(input_file, O_RDONLY)) == -1) {
-		fprintf(stderr, "Couldn't open signature file\n");
-		return NULL;
-	}
-
-	/* Read the signature into a buffer*/
-	signature = (uint8_t*) malloc(len);
-	if (!signature) {
-		close(sigfd);
-		return NULL;
-	}
-
-	if( (i = read(sigfd, signature, len)) != len ) {
-		fprintf(stderr, "Expected signature length %d, Received %d\n",
-			len, i);
-		close(sigfd);
-		free(signature);
-		return NULL;
-	}
-
-	close(sigfd);
-	return signature;
-}
-
 int main(int argc, char* argv[])
 {
 	uint8_t workbuf[VB2_VERIFY_DIGEST_WORKBUF_BYTES]