# SPDX-License-Identifier: GPL-2.0-only

# Kconfig for coreboot's vboot (Verified Boot) integration.
# Options in this menu decide whether firmware is verified at all, where in
# the boot flow verification runs, where vboot's non-volatile state lives,
# and which keys an image is signed with. Several entries below deliberately
# weaken the security model for development; they are marked as such.

menu "Verified Boot (vboot)"

config VBOOT_LIB
	bool
	help
	  Build and link the vboot library. Makes the vboot API accessible across
	  all coreboot stages, without enabling vboot verification. For verification,
	  please see the VBOOT option below.

config VBOOT
	bool "Verify firmware with vboot."
	default n
	select VBOOT_LIB
	# A build without a TPM has no real secdata backend, so it is silently
	# given mocked secdata (see VBOOT_MOCK_SECDATA). Component verification
	# still runs, but the "Anti-Rollback Protection disabled" comment below
	# then applies to that build.
	select VBOOT_MOCK_SECDATA if !TPM
	depends on 0 = 0 # Must have a 'depends on' or board overrides will break it.
	help
	  Enabling VBOOT will use vboot to verify the components of the firmware
	  (stages, payload, etc).

if VBOOT

comment "Anti-Rollback Protection disabled because mocking secdata is enabled."
	depends on VBOOT_MOCK_SECDATA

config VBOOT_SLOTS_RW_A
	bool "Firmware RO + RW_A"
	help
	  Have one update partition beside the RO partition.

config VBOOT_SLOTS_RW_AB
	bool "Firmware RO + RW_A + RW_B"
	select VBOOT_SLOTS_RW_A
	help
	  Have two update partitions beside the RO partition.

config VBOOT_CBFS_INTEGRATION
	bool "Enable vboot and CBFS integration"
	default n
	depends on VBOOT_SLOTS_RW_A
	# RW slot verification becomes a hash over the CBFS metadata, so the
	# per-file verification that CBFS_VERIFICATION provides is what covers
	# the file contents themselves; the two options are only meaningful
	# together.
	depends on CBFS_VERIFICATION
	select INCLUDE_CONFIG_FILE # futility needs this to auto-detect signing type
	help
	  Say yes here to enable cryptographic verification of RW slots CBFS
	  metadata. This will replace body hash verification.

	  This option enables integration of vboot and CBFS. Verification of RW
	  slots is performed by calculation of their CBFS metadata hash.
	  It also requires CBFS_VERIFICATION to be enabled, so that CBFS files
	  contents are correctly verified.

config VBOOT_VBNV_CMOS
	bool
	default n
	depends on PC80_SYSTEM
	# CMOS contents do not survive power loss; see
	# VBOOT_VBNV_CMOS_BACKUP_TO_FLASH for the flash-backed fallback.
	help
	  VBNV is stored in CMOS

config VBOOT_VBNV_OFFSET
	hex
	default 0x26
	depends on VBOOT_VBNV_CMOS
	# A mismatch with the mainboard's cmos.layout silently corrupts VBNV
	# (and whatever CMOS field shares the bytes), so keep the two in sync.
	help
	  CMOS offset for VbNv data. This value must match cmos.layout
	  in the mainboard directory, minus 14 bytes for the RTC.

config VBOOT_VBNV_CMOS_BACKUP_TO_FLASH
	bool
	default n
	depends on VBOOT_VBNV_CMOS && BOOT_DEVICE_SUPPORTS_WRITES
	help
	  Vboot non-volatile storage data will be backed up from CMOS to flash
	  and restored from flash if the CMOS is invalid due to power loss.

config VBOOT_VBNV_FLASH
	bool
	default n
	depends on BOOT_DEVICE_SUPPORTS_WRITES
	help
	  VBNV is stored in flash storage

# The three VBOOT_STARTS_* options pick the point in the boot flow at which
# verification runs. Everything that executes before that point has not been
# checked by vboot yet, so the earlier the start, the smaller the unverified
# footprint.

config VBOOT_STARTS_BEFORE_BOOTBLOCK
	def_bool n
	select VBOOT_SEPARATE_VERSTAGE
	help
	  Firmware verification happens before the main processor is brought
	  online.

config VBOOT_STARTS_IN_BOOTBLOCK
	bool
	default n
	select SEPARATE_ROMSTAGE
	help
	  Firmware verification happens during the end of or right after the
	  bootblock. This implies that a static VBOOT2_WORK() buffer must be
	  allocated in memlayout.

config VBOOT_STARTS_IN_ROMSTAGE
	bool
	default n
	depends on !VBOOT_STARTS_IN_BOOTBLOCK
	# Latest start point: the whole bootblock and romstage, including
	# memory initialization, run before any vboot verification has happened.
	help
	  Firmware verification happens during the end of romstage (after
	  memory initialization). This implies that the vboot work buffer is
	  in CBMEM from the start and doesn't need to be reserved in memlayout.

config VBOOT_MOCK_SECDATA
	bool "Mock secdata for firmware verification"
	default n
	# Development-only escape hatch. With secdata mocked every secdata
	# operation reports success, so rollback counters and similar state
	# are never really read or written and anti-rollback cannot be
	# enforced. Note that VBOOT auto-selects this whenever TPM is not set.
	help
	  Enabling VBOOT_MOCK_SECDATA will mock secdata for the firmware
	  verification to avoid access to a secdata storage (typically TPM).
	  All operations for a secdata storage will be successful. This option
	  can be used during development when a TPM is not present or broken.
	  THIS SHOULD NOT BE LEFT ON FOR PRODUCTION DEVICES.

config VBOOT_DISABLE_DEV_ON_RECOVERY
	bool
	default n
	help
	  When this option is enabled, the ChromeOS device leaves the
	  developer mode as soon as recovery request is detected. This is
	  handy on embedded devices with limited input capabilities.

config VBOOT_SEPARATE_VERSTAGE
	bool
	default n
	depends on VBOOT_STARTS_IN_BOOTBLOCK || VBOOT_STARTS_BEFORE_BOOTBLOCK
	help
	  If this option is set, vboot verification runs in a standalone stage
	  that is loaded from the bootblock and exits into romstage. If it is
	  not set, the verification code is linked directly into the bootblock
	  or the romstage and runs as part of that stage (cf. related options
	  VBOOT_STARTS_IN_BOOTBLOCK/_ROMSTAGE and VBOOT_RETURN_FROM_VERSTAGE).

config VBOOT_RETURN_FROM_VERSTAGE
	bool
	default n
	depends on VBOOT_SEPARATE_VERSTAGE
	help
	  If this is set, the verstage returns back to the calling stage instead
	  of exiting to the succeeding stage so that the verstage space can be
	  reused by the succeeding stage. This is useful if a RAM space is too
	  small to fit both the verstage and the succeeding stage.

config VBOOT_MUST_REQUEST_DISPLAY
	bool
	# First matching default wins: on when an option ROM is run, off otherwise.
	default y if VGA_ROM_RUN
	default n
	help
	  Set this option to indicate to vboot that this platform will skip its
	  display initialization on a normal (non-recovery, non-developer) boot.
	  Unless display is specifically requested, the video option ROM is not
	  loaded, and any other native display initialization code is not run.

config VBOOT_ALWAYS_ENABLE_DISPLAY
	bool "Force to always enable display"
	default y if BMP_LOGO
	default n
	help
	  Set this option to indicate to vboot that display should always be enabled.

config VBOOT_ALWAYS_ALLOW_UDC
	bool "Always allow UDC"
	default n
	# Exposes the USB device controller even on verified (non-developer)
	# boots, i.e. it bypasses the gating vboot would otherwise apply, which
	# is why it is unavailable on CHROMEOS builds. Treat as additional
	# attack surface when enabling it on other platforms.
	depends on !CHROMEOS
	help
	  This option allows UDC to be enabled regardless of the vboot state.

config VBOOT_HAS_REC_HASH_SPACE
	bool
	default y if MRC_SAVE_HASH_IN_TPM && HAS_RECOVERY_MRC_CACHE
	default n
	help
	  Set this option to indicate to vboot that recovery data hash space
	  is present in TPM.

config VBOOT_LID_SWITCH
	bool
	default n
	help
	  Whether this platform has a lid switch. If it does, vboot will not
	  decrement try counters for boot failures if the lid is closed.

config VBOOT_WIPEOUT_SUPPORTED
	bool
	default n
	help
	  When this option is enabled, the firmware provides the ability to
	  signal the application the need for factory reset (a.k.a. wipe
	  out) of the device

config VBOOT_FWID_MODEL
	string "Firmware ID model"
	default "Google_\$(CONFIG_MAINBOARD_PART_NUMBER)" if CHROMEOS
	default "\$(CONFIG_MAINBOARD_VENDOR)_\$(CONFIG_MAINBOARD_PART_NUMBER)"
	help
	  This is the first part of the FWID written to various regions of a
	  vboot firmware image to identify its version.

config VBOOT_FWID_VERSION
	string "Firmware ID version"
	default ".\$(KERNELVERSION)"
	help
	  This is the second part of the FWID written to various regions of a
	  vboot firmware image to identify its version.

config VBOOT_NO_BOARD_SUPPORT
	bool "Allow the use of vboot without board support"
	default n
	# Transitional option: the board does not implement
	# get_write_protect_state / get_recovery_mode_switch and weak stand-ins
	# are linked instead. Whatever those stubs report, it is not the real
	# hardware write-protect or recovery-switch state, so vboot's decisions
	# that depend on them are not trustworthy while this is set.
	help
	  Enable weak functions for get_write_protect_state and
	  get_recovery_mode_switch in order to proceed with refactoring
	  of the vboot2 code base. Later on this code is removed and replaced
	  by interfaces.

# The *_REGION_ONLY lists control which CBFS files are placed only in a
# given FMAP region rather than duplicated into every slot.

config RO_REGION_ONLY
	string "Additional files that should not be copied to RW"
	default ""
	help
	  Add a space delimited list of filenames that should only be in the
	  RO section.

config RW_REGION_ONLY
	string
	default ""
	depends on VBOOT_SLOTS_RW_A
	help
	  Add a space delimited list of filenames that should only be in the
	  RW sections.

config RWA_REGION_ONLY
	string
	default ""
	depends on VBOOT_SLOTS_RW_AB
	help
	  Add a space-delimited list of filenames that should only be in the
	  RW-A section.

config RWB_REGION_ONLY
	string
	default ""
	depends on VBOOT_SLOTS_RW_AB
	help
	  Add a space-delimited list of filenames that should only be in the
	  RW-B section.

config CBFS_MCACHE_RW_PERCENTAGE
	int "Percentage of CBFS metadata cache used for RW CBFS"
	depends on !NO_CBFS_MCACHE
	default 50
	# The split is baked into the RO image's view of the MCACHE layout;
	# a later RW update built with a different value would disagree with
	# the RO code about where each cache lives, hence the warning below.
	help
	  The amount of the CBFS_MCACHE area that's used for the RW CBFS, in
	  percent from 0 to 100. The remaining area will be used for the RO
	  CBFS. Default is an even 50/50 split. When VBOOT is disabled, this
	  will automatically be 0 (meaning the whole MCACHE is used for RO).
	  Do NOT change this value for vboot RW updates!

config VBOOT_CLEAR_RECOVERY_IN_RAMSTAGE
	bool "Clear the recovery request at the end of ramstage"
	default n
	help
	  If this option is enabled, the recovery request will be cleared and
	  saved to VBNV storage at the end of ramstage. This is useful for
	  platforms without vboot-integrated payloads, to avoid being stuck in
	  the recovery mode.

config VBOOT_ENABLE_CBFS_FALLBACK
	bool
	default n
	depends on VBOOT_SLOTS_RW_A
	# A file missing from the active RW slot is transparently served from
	# RO. Keep this in mind when reasoning about which region a given file
	# was actually loaded from (and therefore which region's verification
	# covered it).
	help
	  When this option is enabled, the CBFS code will look for a file in the
	  RO (COREBOOT) region if it isn't available in the active RW region.

config VBOOT_EARLY_EC_SYNC
	bool
	default n
	depends on EC_GOOGLE_CHROMEEC
	help
	  Enables CrOS EC software sync in romstage, before memory training
	  runs. This is useful mainly as a way to achieve full USB-PD
	  negotiation earlier in the boot flow, as the EC will only do this once
	  it has made the sysjump to its RW firmware. It should not
	  significantly impact boot time, as this operation will be performed
	  later in the boot flow if it is disabled here.

config VBOOT_EC_EFS
	bool "Early firmware selection (EFS) EC"
	default n
	help
	  CrosEC can support EFS: Early Firmware Selection. If it's enabled,
	  software sync needs to also support it. This setting tells vboot to
	  perform EFS software sync.

# Hardware-accelerated crypto backends. These change how hashes and RSA
# verification are computed, not what is verified; each is gated on the
# architecture that has the instructions.

config VBOOT_X86_SHA256_ACCELERATION
	bool "Use sha extension for sha256 hash calculation"
	default n
	depends on ARCH_X86
	help
	  Use sha256msg1, sha256msg2, sha256rnds2 instruction to accelerate
	  SHA hash calculation in vboot.

config VBOOT_X86_RSA_ACCELERATION
	bool "Use SSE2 instructions for RSA signature verification"
	default n
	depends on ARCH_X86
	help
	  Use paddq, pmuludq, psrlq, punpckldq and punpcklqdq SSE2
	  instructions to accelerate the modulus exponentiation which
	  is part of the RSA signature verification process.

config VBOOT_ARMV8_CE_SHA256_ACCELERATION
	bool "Use ARMv8 Crypto Extension for sha256 hash calculation"
	default y if CHROMEOS
	default n
	depends on ARCH_ARM64
	help
	  Use ARMv8 Crypto Extension to accelerate SHA hash calculation in vboot.

config VBOOT_ARM64_RSA_ACCELERATION
	bool "Use arm64 SIMD instructions to accelerate RSA signature verification"
	default y
	depends on ARCH_VERSTAGE_ARM64
	help
	  Use arm64 SIMD instructions (NEON) to parallelize two multiplications
	  in the modulus exponentiation algorithm, which speeds up RSA signature
	  verification in vboot. This is supported on all arm64 CPUs so you'd
	  generally always want this enabled, unless your SoC is overriding
	  vboot's hwcrypto API with its own crypto accelerator IP instead (or
	  you're trying really hard to save on code size).

config VBOOT_DEFINE_WIDEVINE_COUNTERS
	bool
	default n
	help
	  Set up Widevine Secure Counters in TPM NVRAM by defining space. Enabling this
	  config will only define the counter space. Counters need to be incremented
	  separately before any read operation is performed on them.

config VBOOT_HASH_BLOCK_SIZE
	hex
	default 0x400
	# This sizes a stack-resident buffer, so raising it trades hashing
	# speed against stack headroom in every stage that hashes.
	help
	  Set the default hash size. Generally 1k is reasonable, but in some
	  cases it may improve hashing speed to increase the size.

	  Note that this buffer is allocated in the stack. Although the
	  build should fail if the stack size is exceeded, it's something to
	  be aware of when changing the size.

config VBOOT_GSCVD
	bool "Generate GSC verification data"
	depends on TPM_GOOGLE
	select CBFS_VERIFICATION
	# Kconfig takes the first default whose condition holds: off on Cr50,
	# on for every other Google TPM (i.e. Ti50, as the help text says).
	default n if TPM_GOOGLE_CR50
	default y
	help
	  Generate a Google Security Chip Verification Data (GSCVD) structure on the flash to
	  allow the GSC to verify the CBFS verification anchor. Used by default with Ti50 GSCs.
	  Requires an RO_GSCVD FMAP section.

config VBOOT_GSC_BOARD_ID
	string
	depends on VBOOT_GSCVD
	# Placeholder ID; the real per-variant value is applied during
	# production signing, as described below.
	default "ZZCR"
	help
	  GSC board ID to be embedded in the GSCVD. Usually each specific mainboard variant
	  has its own. Google engineers can find these in the go/cros-dlm database ("Products").
	  The specific board IDs are filled in as part of the production signing process, so
	  this value is just a default and doesn't need to be set per-variant in coreboot.
	  (Note: This is a completely separate thing from coreboot's `board_id()` function.)

# GBB (Google Binary Block) flags. Several of these relax vboot's checks
# and exist for development and test images; see the notes on the entries
# that default to y.

menu "GBB configuration"

config GBB_HWID
	string "Hardware ID"
	default ""
	help
	  A hardware identifier for device. On ChromeOS this is used for auto
	  update and recovery, and will be generated when manufacturing by the
	  factory software, in a strictly defined format.
	  Leave empty to get a test-only ChromeOS HWID v2 string generated.

config GBB_BMPFV_FILE
	string "Path to bmpfv image"
	default ""

config GBB_FLAG_DEV_SCREEN_SHORT_DELAY
	bool "Reduce dev screen delay"
	default n

config GBB_FLAG_LOAD_OPTION_ROMS
	bool "Load option ROMs"
	default n

config GBB_FLAG_ENABLE_ALTERNATE_OS
	bool "Allow booting a non-ChromeOS kernel if dev switch is on"
	default n

config GBB_FLAG_FORCE_DEV_SWITCH_ON
	bool "Force dev switch on"
	default n

config GBB_FLAG_FORCE_DEV_BOOT_USB
	bool "Allow booting from USB in dev mode even if dev_boot_usb=0"
	# Defaults to y: the tree's default GBB permits USB boot in dev mode
	# regardless of the user's dev_boot_usb setting. Suitable for
	# development images; presumably production images override this (or
	# rewrite the GBB at signing time) — confirm in the release process.
	default y

config GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK
	bool "Disable firmware rollback protection"
	# Defaults to y: the tree's default GBB switches firmware rollback
	# protection off. Together with GBB_FLAG_FORCE_DEV_BOOT_USB above, this
	# is the development-image default and should be n on anything shipped
	# — confirm how the release process sets the GBB flags.
	default y

config GBB_FLAG_ENTER_TRIGGERS_TONORM
	bool "Return to normal boot with Enter"
	default n

config GBB_FLAG_FORCE_DEV_BOOT_ALTFW
	bool "Allow booting altfw in dev mode even if dev_boot_altfw=0"
	default n

config GBB_FLAG_RUNNING_FAFT
	bool "Running FAFT tests; used as a hint to disable other debug features"
	default n

config GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC
	bool "Disable EC software sync"
	default n

config GBB_FLAG_DEFAULT_DEV_BOOT_ALTFW
	bool "Default to booting altfw in dev mode"
	default n

config GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC
	bool "Disable PD software sync"
	default n

config GBB_FLAG_DISABLE_LID_SHUTDOWN
	bool "Disable shutdown on closed lid"
	default n

config GBB_FLAG_FORCE_MANUAL_RECOVERY
	bool "Always assume manual recovery in recovery mode"
	default n

config GBB_FLAG_DISABLE_FWMP
	bool "Disable Firmware Management Parameters (FWMP)"
	default n

config GBB_FLAG_ENABLE_UDC
	bool "Enable USB Device Controller"
	default n

endmenu # GBB

# Every key path below defaults to vboot's publicly distributed test keys
# (tests/devkeys), including the *private* firmware and platform keys. An
# image built with these defaults is signed with key material anyone with
# the vboot source tree holds, so a production build must override all of
# them with its own keys.

menu "Vboot Keys"

config VBOOT_ROOT_KEY
	string "Root key (public)"
	default "\$(VBOOT_SOURCE)/tests/devkeys/root_key.vbpubk"

config VBOOT_RECOVERY_KEY
	string "Recovery key (public)"
	default "\$(VBOOT_SOURCE)/tests/devkeys/recovery_key.vbpubk"

config VBOOT_FIRMWARE_PRIVKEY
	string "Firmware key (private)"
	default "\$(VBOOT_SOURCE)/tests/devkeys/firmware_data_key.vbprivk"

config VBOOT_KERNEL_KEY
	string "Kernel subkey (public)"
	default "\$(VBOOT_SOURCE)/tests/devkeys/kernel_subkey.vbpubk"

config VBOOT_KEYBLOCK
	string "Keyblock to use for the RW regions"
	default "\$(VBOOT_SOURCE)/tests/devkeys/firmware.keyblock"

config VBOOT_KEYBLOCK_VERSION
	int "Keyblock version number"
	default 1

config VBOOT_KEYBLOCK_PREAMBLE_FLAGS
	hex "Keyblock preamble flags"
	default 0x0

if VBOOT_GSCVD

config VBOOT_GSCVD_ROOT_PUBKEY
	string "GSCVD root key (public)"
	default "\$(VBOOT_SOURCE)/tests/devkeys/arv_root.vbpubk"

config VBOOT_GSCVD_PLATFORM_PRIVKEY
	string "GSCVD platform key (private)"
	default "\$(VBOOT_SOURCE)/tests/devkeys/arv_platform.vbprivk"

config VBOOT_GSCVD_PLATFORM_KEYBLOCK
	string "GSCVD platform keyblock (public)"
	default "\$(VBOOT_SOURCE)/tests/devkeys/arv_platform.keyblock"

endif # VBOOT_GSCVD

endmenu # Keys
endif # VBOOT
endmenu # Verified Boot (vboot)