| blob | 7e291e0c701c9f5b1a3cd96426db1fa9c48ea0c2 |
1 # SPDX-License-Identifier: GPL-2.0-only
3 menu "Verified Boot (vboot)"
5 config VBOOT_LIB
6 bool
7 help
8 Build and link the vboot library. Makes the vboot API accessible across
9 all coreboot stages, without enabling vboot verification. For verification,
10 please see the VBOOT option below.
12 config VBOOT
13 bool "Verify firmware with vboot."
14 default n
15 select VBOOT_LIB
16 select VBOOT_MOCK_SECDATA if !TPM
17 depends on 0 = 0 # Must have a 'depends on' or board overrides will break it.
18 help
19 Enabling VBOOT will use vboot to verify the components of the firmware
20 (stages, payload, etc).
22 if VBOOT
24 comment "Anti-Rollback Protection disabled because mocking secdata is enabled."
25 depends on VBOOT_MOCK_SECDATA
27 config VBOOT_SLOTS_RW_A
28 bool "Firmware RO + RW_A"
29 help
30 Have one update partition beside the RO partition.
32 config VBOOT_SLOTS_RW_AB
33 bool "Firmware RO + RW_A + RW_B"
34 select VBOOT_SLOTS_RW_A
35 help
36 Have two update partitions beside the RO partition.
38 config VBOOT_CBFS_INTEGRATION
39 bool "Enable vboot and CBFS integration"
40 default n
41 depends on VBOOT_SLOTS_RW_A
42 depends on CBFS_VERIFICATION
43 select INCLUDE_CONFIG_FILE # futility needs this to auto-detect signing type
44 help
45 Say yes here to enable cryptographic verification of RW slots CBFS
46 metadata. This will replace body hash verification.
48 This option enables integration of vboot and CBFS. Verification of RW
49 slots is performed by calculation of their CBFS metadata hash.
50 It also requires CBFS_VERIFICATION to be enabled, so that CBFS files
51 contents are correctly verified.
53 config VBOOT_VBNV_CMOS
54 bool
55 default n
56 depends on PC80_SYSTEM
57 help
58 VBNV is stored in CMOS
60 config VBOOT_VBNV_OFFSET
61 hex
62 default 0x26
63 depends on VBOOT_VBNV_CMOS
64 help
65 CMOS offset for VbNv data. This value must match cmos.layout
66 in the mainboard directory, minus 14 bytes for the RTC.
68 config VBOOT_VBNV_CMOS_BACKUP_TO_FLASH
69 bool
70 default n
71 depends on VBOOT_VBNV_CMOS && BOOT_DEVICE_SUPPORTS_WRITES
72 help
73 Vboot non-volatile storage data will be backed up from CMOS to flash
74 and restored from flash if the CMOS is invalid due to power loss.
76 config VBOOT_VBNV_FLASH
77 bool
78 default n
79 depends on BOOT_DEVICE_SUPPORTS_WRITES
80 help
81 VBNV is stored in flash storage
83 config VBOOT_STARTS_BEFORE_BOOTBLOCK
84 def_bool n
85 select VBOOT_SEPARATE_VERSTAGE
86 help
87 Firmware verification happens before the main processor is brought
88 online.
90 config VBOOT_STARTS_IN_BOOTBLOCK
91 bool
92 default n
93 select SEPARATE_ROMSTAGE
94 help
95 Firmware verification happens during the end of or right after the
96 bootblock. This implies that a static VBOOT2_WORK() buffer must be
97 allocated in memlayout.
99 config VBOOT_STARTS_IN_ROMSTAGE
100 bool
101 default n
102 depends on !VBOOT_STARTS_IN_BOOTBLOCK
103 help
104 Firmware verification happens during the end of romstage (after
105 memory initialization). This implies that the vboot work buffer is
106 in CBMEM from the start and doesn't need to be reserved in memlayout.
108 config VBOOT_MOCK_SECDATA
109 bool "Mock secdata for firmware verification"
110 default n
111 help
112 Enabling VBOOT_MOCK_SECDATA will mock secdata for the firmware
113 verification to avoid access to a secdata storage (typically TPM).
114 All operations for a secdata storage will be successful. This option
115 can be used during development when a TPM is not present or broken.
116 THIS SHOULD NOT BE LEFT ON FOR PRODUCTION DEVICES.
118 config VBOOT_DISABLE_DEV_ON_RECOVERY
119 bool
120 default n
121 help
122 When this option is enabled, the ChromeOS device leaves the
123 developer mode as soon as recovery request is detected. This is
124 handy on embedded devices with limited input capabilities.
126 config VBOOT_SEPARATE_VERSTAGE
127 bool
128 default n
129 depends on VBOOT_STARTS_IN_BOOTBLOCK || VBOOT_STARTS_BEFORE_BOOTBLOCK
130 help
131 If this option is set, vboot verification runs in a standalone stage
132 that is loaded from the bootblock and exits into romstage. If it is
133 not set, the verification code is linked directly into the bootblock
134 or the romstage and runs as part of that stage (cf. related options
135 VBOOT_STARTS_IN_BOOTBLOCK/_ROMSTAGE and VBOOT_RETURN_FROM_VERSTAGE).
137 config VBOOT_RETURN_FROM_VERSTAGE
138 bool
139 default n
140 depends on VBOOT_SEPARATE_VERSTAGE
141 help
142 If this is set, the verstage returns back to the calling stage instead
143 of exiting to the succeeding stage so that the verstage space can be
144 reused by the succeeding stage. This is useful if a RAM space is too
145 small to fit both the verstage and the succeeding stage.
147 config VBOOT_MUST_REQUEST_DISPLAY
148 bool
149 default y if VGA_ROM_RUN
150 default n
151 help
152 Set this option to indicate to vboot that this platform will skip its
153 display initialization on a normal (non-recovery, non-developer) boot.
154 Unless display is specifically requested, the video option ROM is not
155 loaded, and any other native display initialization code is not run.
157 config VBOOT_ALWAYS_ENABLE_DISPLAY
158 bool "Force to always enable display"
159 default y if BMP_LOGO
160 default n
161 help
162 Set this option to indicate to vboot that display should always be enabled.
164 config VBOOT_ALWAYS_ALLOW_UDC
165 bool "Always allow UDC"
166 default n
167 depends on !CHROMEOS
168 help
169 This option allows UDC to be enabled regardless of the vboot state.
171 config VBOOT_HAS_REC_HASH_SPACE
172 bool
173 default y if MRC_SAVE_HASH_IN_TPM && HAS_RECOVERY_MRC_CACHE
174 default n
175 help
176 Set this option to indicate to vboot that recovery data hash space
177 is present in TPM.
179 config VBOOT_LID_SWITCH
180 bool
181 default n
182 help
183 Whether this platform has a lid switch. If it does, vboot will not
184 decrement try counters for boot failures if the lid is closed.
186 config VBOOT_WIPEOUT_SUPPORTED
187 bool
188 default n
189 help
190 When this option is enabled, the firmware provides the ability to
191 signal the application the need for factory reset (a.k.a. wipe
192 out) of the device
194 config VBOOT_FWID_MODEL
195 string "Firmware ID model"
196 default "Google_\$(CONFIG_MAINBOARD_PART_NUMBER)" if CHROMEOS
197 default "\$(CONFIG_MAINBOARD_VENDOR)_\$(CONFIG_MAINBOARD_PART_NUMBER)"
198 help
199 This is the first part of the FWID written to various regions of a
200 vboot firmware image to identify its version.
202 config VBOOT_FWID_VERSION
203 string "Firmware ID version"
204 default ".\$(KERNELVERSION)"
205 help
206 This is the second part of the FWID written to various regions of a
207 vboot firmware image to identify its version.
209 config VBOOT_NO_BOARD_SUPPORT
210 bool "Allow the use of vboot without board support"
211 default n
212 help
213 Enable weak functions for get_write_protect_state and
214 get_recovery_mode_switch in order to proceed with refactoring
215 of the vboot2 code base. Later on this code is removed and replaced
216 by interfaces.
218 config RO_REGION_ONLY
219 string "Additional files that should not be copied to RW"
220 default ""
221 help
222 Add a space delimited list of filenames that should only be in the
223 RO section.
225 config RW_REGION_ONLY
226 string
227 default ""
228 depends on VBOOT_SLOTS_RW_A
229 help
230 Add a space delimited list of filenames that should only be in the
231 RW sections.
233 config RWA_REGION_ONLY
234 string
235 default ""
236 depends on VBOOT_SLOTS_RW_AB
237 help
238 Add a space-delimited list of filenames that should only be in the
239 RW-A section.
241 config RWB_REGION_ONLY
242 string
243 default ""
244 depends on VBOOT_SLOTS_RW_AB
245 help
246 Add a space-delimited list of filenames that should only be in the
247 RW-B section.
249 config CBFS_MCACHE_RW_PERCENTAGE
250 int "Percentage of CBFS metadata cache used for RW CBFS"
251 depends on !NO_CBFS_MCACHE
252 default 50
253 help
254 The amount of the CBFS_MCACHE area that's used for the RW CBFS, in
255 percent from 0 to 100. The remaining area will be used for the RO
256 CBFS. Default is an even 50/50 split. When VBOOT is disabled, this
257 will automatically be 0 (meaning the whole MCACHE is used for RO).
258 Do NOT change this value for vboot RW updates!
260 config VBOOT_CLEAR_RECOVERY_IN_RAMSTAGE
261 bool "Clear the recovery request at the end of ramstage"
262 default n
263 help
264 If this option is enabled, the recovery request will be cleared and
265 saved to VBNV storage at the end of ramstage. This is useful for
266 platforms without vboot-integrated payloads, to avoid being stuck in
267 the recovery mode.
269 config VBOOT_ENABLE_CBFS_FALLBACK
270 bool
271 default n
272 depends on VBOOT_SLOTS_RW_A
273 help
274 When this option is enabled, the CBFS code will look for a file in the
275 RO (COREBOOT) region if it isn't available in the active RW region.
277 config VBOOT_EARLY_EC_SYNC
278 bool
279 default n
280 depends on EC_GOOGLE_CHROMEEC
281 help
282 Enables CrOS EC software sync in romstage, before memory training
283 runs. This is useful mainly as a way to achieve full USB-PD
284 negotiation earlier in the boot flow, as the EC will only do this once
285 it has made the sysjump to its RW firmware. It should not
286 significantly impact boot time, as this operation will be performed
287 later in the boot flow if it is disabled here.
289 config VBOOT_EC_EFS
290 bool "Early firmware selection (EFS) EC"
291 default n
292 help
293 CrosEC can support EFS: Early Firmware Selection. If it's enabled,
294 software sync needs to also support it. This setting tells vboot to
295 perform EFS software sync.
297 config VBOOT_X86_SHA256_ACCELERATION
298 bool "Use sha extension for sha256 hash calculation"
299 default n
300 depends on ARCH_X86
301 help
302 Use sha256msg1, sha256msg2, sha256rnds2 instruction to accelerate
303 SHA hash calculation in vboot.
305 config VBOOT_X86_RSA_ACCELERATION
306 bool "Use SSE2 instructions for RSA signature verification"
307 default n
308 depends on ARCH_X86
309 help
310 Use paddq, pmuludq, psrlq, punpckldq and punpcklqdq SSE2
311 instructions to accelerate the modulus exponentiation which
312 is part of the RSA signature verification process.
314 config VBOOT_ARMV8_CE_SHA256_ACCELERATION
315 bool "Use ARMv8 Crypto Extension for sha256 hash calculation"
316 default y if CHROMEOS
317 default n
318 depends on ARCH_ARM64
319 help
320 Use ARMv8 Crypto Extension to accelerate SHA hash calculation in vboot.
322 config VBOOT_ARM64_RSA_ACCELERATION
323 bool "Use arm64 SIMD instructions to accelerate RSA signature verification"
324 default y
325 depends on ARCH_VERSTAGE_ARM64
326 help
327 Use arm64 SIMD instructions (NEON) to parallelize two multiplications
328 in the modulus exponentiation algorithm, which speeds up RSA signature
329 verification in vboot. This is supported on all arm64 CPUs so you'd
330 generally always want this enabled, unless your SoC is overriding
331 vboot's hwcrypto API with its own crypto accelerator IP instead (or
332 you're trying really hard to save on code size).
334 config VBOOT_DEFINE_WIDEVINE_COUNTERS
335 bool
336 default n
337 help
338 Set up Widevine Secure Counters in TPM NVRAM by defining space. Enabling this
339 config will only define the counter space. Counters need to be incremented
340 separately before any read operation is performed on them.
342 config VBOOT_HASH_BLOCK_SIZE
343 hex
344 default 0x400
345 help
346 Set the default hash size. Generally 1k is reasonable, but in some
347 cases it may improve hashing speed to increase the size.
349 Note that this buffer is allocated in the stack. Although the
350 build should fail if the stack size is exceeded, it's something to
351 be aware of when changing the size.
353 config VBOOT_GSCVD
354 bool "Generate GSC verification data"
355 depends on TPM_GOOGLE
356 select CBFS_VERIFICATION
357 default n if TPM_GOOGLE_CR50
358 default y
359 help
360 Generate a Google Security Chip Verification Data (GSCVD) structure on the flash to
361 allow the GSC to verify the CBFS verification anchor. Used by default with Ti50 GSCs.
362 Requires an RO_GSCVD FMAP section.
364 config VBOOT_GSC_BOARD_ID
365 string
366 depends on VBOOT_GSCVD
367 default "ZZCR"
368 help
369 GSC board ID to be embedded in the GSCVD. Usually each specific mainboard variant
370 has its own. Google engineers can find these in the go/cros-dlm database ("Products").
371 The specific board IDs are filled in as part of the production signing process, so
372 this value is just a default and doesn't need to be set per-variant in coreboot.
373 (Note: This is a completely separate thing from coreboot's `board_id()` function.)
375 menu "GBB configuration"
377 config GBB_HWID
378 string "Hardware ID"
379 default ""
380 help
381 A hardware identifier for device. On ChromeOS this is used for auto
382 update and recovery, and will be generated when manufacturing by the
383 factory software, in a strictly defined format.
384 Leave empty to get a test-only ChromeOS HWID v2 string generated.
386 config GBB_BMPFV_FILE
387 string "Path to bmpfv image"
388 default ""
390 config GBB_FLAG_DEV_SCREEN_SHORT_DELAY
391 bool "Reduce dev screen delay"
392 default n
394 config GBB_FLAG_LOAD_OPTION_ROMS
395 bool "Load option ROMs"
396 default n
398 config GBB_FLAG_ENABLE_ALTERNATE_OS
399 bool "Allow booting a non-ChromeOS kernel if dev switch is on"
400 default n
402 config GBB_FLAG_FORCE_DEV_SWITCH_ON
403 bool "Force dev switch on"
404 default n
406 config GBB_FLAG_FORCE_DEV_BOOT_USB
407 bool "Allow booting from USB in dev mode even if dev_boot_usb=0"
408 default y
410 config GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK
411 bool "Disable firmware rollback protection"
412 default y
414 config GBB_FLAG_ENTER_TRIGGERS_TONORM
415 bool "Return to normal boot with Enter"
416 default n
418 config GBB_FLAG_FORCE_DEV_BOOT_ALTFW
419 bool "Allow booting altfw in dev mode even if dev_boot_altfw=0"
420 default n
422 config GBB_FLAG_RUNNING_FAFT
423 bool "Running FAFT tests; used as a hint to disable other debug features"
424 default n
426 config GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC
427 bool "Disable EC software sync"
428 default n
430 config GBB_FLAG_DEFAULT_DEV_BOOT_ALTFW
431 bool "Default to booting altfw in dev mode"
432 default n
434 config GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC
435 bool "Disable PD software sync"
436 default n
438 config GBB_FLAG_DISABLE_LID_SHUTDOWN
439 bool "Disable shutdown on closed lid"
440 default n
442 config GBB_FLAG_FORCE_MANUAL_RECOVERY
443 bool "Always assume manual recovery in recovery mode"
444 default n
446 config GBB_FLAG_DISABLE_FWMP
447 bool "Disable Firmware Management Parameters (FWMP)"
448 default n
450 config GBB_FLAG_ENABLE_UDC
451 bool "Enable USB Device Controller"
452 default n
454 config GBB_FLAG_FORCE_CSE_SYNC
455 bool "Running tests; enforce CSE sync"
456 default n
458 endmenu # GBB
460 menu "Vboot Keys"
461 config VBOOT_ROOT_KEY
462 string "Root key (public)"
463 default "\$(VBOOT_SOURCE)/tests/devkeys/root_key.vbpubk"
465 config VBOOT_RECOVERY_KEY
466 string "Recovery key (public)"
467 default "\$(VBOOT_SOURCE)/tests/devkeys/recovery_key.vbpubk"
469 config VBOOT_FIRMWARE_PRIVKEY
470 string "Firmware key (private)"
471 default "\$(VBOOT_SOURCE)/tests/devkeys/firmware_data_key.vbprivk"
473 config VBOOT_KERNEL_KEY
474 string "Kernel subkey (public)"
475 default "\$(VBOOT_SOURCE)/tests/devkeys/kernel_subkey.vbpubk"
477 config VBOOT_KEYBLOCK
478 string "Keyblock to use for the RW regions"
479 default "\$(VBOOT_SOURCE)/tests/devkeys/firmware.keyblock"
481 config VBOOT_KEYBLOCK_VERSION
482 int "Keyblock version number"
483 default 1
485 config VBOOT_KEYBLOCK_PREAMBLE_FLAGS
486 hex "Keyblock preamble flags"
487 default 0x0
489 if VBOOT_GSCVD
491 config VBOOT_GSCVD_ROOT_PUBKEY
492 string "GSCVD root key (public)"
493 default "\$(VBOOT_SOURCE)/tests/devkeys/arv_root.vbpubk"
495 config VBOOT_GSCVD_PLATFORM_PRIVKEY
496 string "GSCVD platform key (private)"
497 default "\$(VBOOT_SOURCE)/tests/devkeys/arv_platform.vbprivk"
499 config VBOOT_GSCVD_PLATFORM_KEYBLOCK
500 string "GSCVD platform keyblock (public)"
501 default "\$(VBOOT_SOURCE)/tests/devkeys/arv_platform.keyblock"
503 endif # VBOOT_GSCVD
505 endmenu # Keys
506 endif # VBOOT
507 endmenu # Verified Boot (vboot)