xref: /aosp_15_r20/external/coreboot/src/security/vboot/Makefile.mk (revision b9411a12aaaa7e1e6a6fb7c5e057f44ee179a49c) 
1## SPDX-License-Identifier: GPL-2.0-only
2
3ifeq ($(CONFIG_VBOOT_LIB),y)
4
5bootblock-y += vboot_lib.c
6verstage-y += vboot_lib.c
7romstage-y += vboot_lib.c
8ramstage-y += vboot_lib.c
9postcar-y += vboot_lib.c
10
11vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\
12		       $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\
13		       $(filter-out -I$(obj),$(1))))
14
15# call with $1 = stage name to create rules for building the library
16# for the stage and adding it to the stage's set of object files.
17define vboot-for-stage
18VBOOT_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw.a
19VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1)))
20VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1))
21VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts))
22VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes
23VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG
24
25$$(VBOOT_LIB_$(1)): $(obj)/config.h
26	printf "    MAKE       $(subst $(obj)/,,$(@))\n"
27	+FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \
28	CC="$$(CC_$(1))" \
29	CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \
30	EC_EFS="$(CONFIG_VBOOT_EC_EFS)" \
31	X86_SHA_EXT="$(if $(CONFIG_ARCH_$(call toupper,$(1))_X86_32)$(CONFIG_ARCH_$(call toupper,$(1))_X86_64),$\
32			$(CONFIG_VBOOT_X86_SHA256_ACCELERATION))" \
33	VB2_X86_RSA_ACCELERATION="$(if $(CONFIG_ARCH_$(call toupper,$(1))_X86_32)$(CONFIG_ARCH_$(call toupper,$(1))_X86_64),$\
34			$(CONFIG_VBOOT_X86_RSA_ACCELERATION))" \
35	ARMV8_CRYPTO_EXT="$(if $(CONFIG_ARCH_$(call toupper,$(1))_ARMV8_64),$$(CONFIG_VBOOT_ARMV8_CE_SHA256_ACCELERATION))" \
36	ARM64_RSA_ACCELERATION="$(if $(CONFIG_ARCH_$(call toupper,$(1))_ARM64),$$(CONFIG_VBOOT_ARM64_RSA_ACCELERATION))" \
37	$(MAKE) -C $(VBOOT_SOURCE) \
38		BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \
39		V=$(V) \
40		USE_FLASHROM=0 \
41		fwlib \
42		$(if $(CONFIG_SBOM_VBOOT),$$(abspath $$(dir $$(VBOOT_LIB_$(1))))/vboot_host.pc)
43
44.PHONY: $$(VBOOT_LIB_$(1))
45
46$(1)-srcs += $$(VBOOT_LIB_$(1))
47
48endef # vboot-for-stage
49
50$(eval $(call vboot-for-stage,bootblock))
51ifeq ($(CONFIG_SEPARATE_ROMSTAGE),y)
52$(eval $(call vboot-for-stage,romstage))
53endif
54$(eval $(call vboot-for-stage,ramstage))
55$(eval $(call vboot-for-stage,postcar))
56
57endif # CONFIG_VBOOT_LIB
58
59ifeq ($(CONFIG_VBOOT),y)
60
61bootblock-y += bootmode.c
62romstage-y += bootmode.c
63ramstage-y += bootmode.c
64verstage-y += bootmode.c
65postcar-y += bootmode.c
66
67verstage-generic-ccopts += -D__VERSTAGE__
68
69bootblock-y += vbnv.c
70verstage-y += vbnv.c
71romstage-y += vbnv.c
72ramstage-y += vbnv.c
73postcar-y += vbnv.c
74
75romstage-$(CONFIG_VBOOT_EARLY_EC_SYNC) += ec_sync.c
76
77bootblock-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c
78verstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c
79romstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c
80ramstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c
81postcar-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c
82
83bootblock-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c
84verstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c
85romstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c
86ramstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c
87postcar-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c
88
89bootblock-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c
90verstage-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c
91romstage-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c
92ramstage-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c
93postcar-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c
94
95bootblock-y += vboot_loader.c
96romstage-y += vboot_loader.c
97ramstage-y += vboot_loader.c
98verstage-y += vboot_loader.c
99postcar-y += vboot_loader.c
100
101bootblock-y += vboot_common.c
102verstage-y += vboot_common.c
103romstage-y += vboot_common.c
104ramstage-y += vboot_common.c
105postcar-y += vboot_common.c
106
107bootblock-y += common.c
108verstage-y += vboot_logic.c
109verstage-y += common.c
110ifeq ($(CONFIG_VBOOT_STARTS_BEFORE_BOOTBLOCK),)
111verstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += verstage.c
112endif
113ifeq (${CONFIG_VBOOT_MOCK_SECDATA},y)
114verstage-y += secdata_mock.c
115romstage-y += secdata_mock.c
116ramstage-y += secdata_mock.c
117else
118verstage-y += secdata_tpm.c
119romstage-y += secdata_tpm.c
120ramstage-y += secdata_tpm.c
121
122verstage-$(CONFIG_TPM1) += secdata_tpm1.c
123romstage-$(CONFIG_TPM1) += secdata_tpm1.c
124ramstage-$(CONFIG_TPM1) += secdata_tpm1.c
125
126verstage-$(CONFIG_TPM2) += secdata_tpm2.c
127romstage-$(CONFIG_TPM2) += secdata_tpm2.c
128ramstage-$(CONFIG_TPM2) += secdata_tpm2.c
129endif
130
131verstage-$(CONFIG_TPM) += tpm_common.c
132
133romstage-y += common.c
134
135ramstage-y += common.c
136postcar-y += common.c
137
138romstage-$(CONFIG_MRC_SAVE_HASH_IN_TPM) += mrc_cache_hash_tpm.c
139ramstage-$(CONFIG_MRC_SAVE_HASH_IN_TPM) += mrc_cache_hash_tpm.c
140
141ramstage-$(CONFIG_SOC_AMD_GFX_CACHE_VBIOS_IN_FMAP) += vbios_cache_hash_tpm.c
142
143ifeq ($(CONFIG_VBOOT_X86_RSA_ACCELERATION),y)
144CPPFLAGS_common += -DVB2_X86_RSA_ACCELERATION
145endif
146
147ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y)
148
149$(eval $(call vboot-for-stage,verstage))
150
151ifeq ($(CONFIG_VBOOT_STARTS_BEFORE_BOOTBLOCK),)
152cbfs-files-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += $(CONFIG_CBFS_PREFIX)/verstage
153$(CONFIG_CBFS_PREFIX)/verstage-file := $(objcbfs)/verstage.elf
154$(CONFIG_CBFS_PREFIX)/verstage-type := stage
155$(CONFIG_CBFS_PREFIX)/verstage-compression := $(CBFS_PRERAM_COMPRESS_FLAG)
156endif	# CONFIG_VBOOT_STARTS_BEFORE_BOOTBLOCK
157
158ifeq ($(CONFIG_ARCH_VERSTAGE_X86_32)$(CONFIG_ARCH_VERSTAGE_X86_64),y)
159$(CONFIG_CBFS_PREFIX)/verstage-options := -a 64
160ifeq ($(CONFIG_NO_XIP_EARLY_STAGES),y)
161$(CONFIG_CBFS_PREFIX)/verstage-options += -S ".car.data"
162else
163$(CONFIG_CBFS_PREFIX)/verstage-options += -S ".car.data,.data"
164endif
165
166# If CAR does not support execution of code, verstage on x86 is expected to be
167# xip.
168ifneq ($(CONFIG_NO_XIP_EARLY_STAGES),y)
169$(CONFIG_CBFS_PREFIX)/verstage-options += --xip
170endif
171
172endif
173$(CONFIG_CBFS_PREFIX)/verstage-options += $(TXTIBB)
174
175else # CONFIG_VBOOT_SEPARATE_VERSTAGE
176ifeq ($(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK),y)
177postinclude-hooks += $$(eval bootblock-srcs += $$(verstage-srcs))
178else
179ifeq ($(CONFIG_SEPARATE_ROMSTAGE),y)
180postinclude-hooks += $$(eval romstage-srcs += $$(verstage-srcs))
181else
182postinclude-hooks += $$(eval bootblock-srcs += $$(verstage-srcs))
183endif
184endif
185endif # CONFIG_VBOOT_SEPARATE_VERSTAGE
186
187#RO-Partition is always there!
188VBOOT_PARTITIONS := COREBOOT
189# Check for RW_A partition
190ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y)
191VBOOT_PARTITIONS += FW_MAIN_A
192RW_PARTITIONS := FW_MAIN_A
193endif
194# Check for RW_B partition
195ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y)
196VBOOT_PARTITIONS += FW_MAIN_B
197RW_PARTITIONS += FW_MAIN_B
198endif
199
200# Return the regions a specific file should be placed in. The files listed below and the ones
201# that are specified in CONFIG_RO_REGION_ONLY, are only specified in the RO region. The files
202# specified in the CONFIG_RW_REGION_ONLY are placed in all RW regions.  Files specified
203# in CONFIG_RWA_REGION_ONLY or CONFIG_RWB_REGION_ONLY get placed only in those sections.
204# All other files will be installed into RO and RW regions
205# Use $(sort) to cut down on extra spaces that would be translated to commas
206regions-for-file = $(subst $(spc),$(comma),$(sort \
207	$(if $(value regions-for-file-$(1)), \
208		$(regions-for-file-$(1)), \
209		$(if $(filter $(if $(filter y,$(CONFIG_VBOOT_STARTS_IN_ROMSTAGE)), \
210			%/romstage,) \
211		header_pointer \
212		cbfs_master_header \
213		mts \
214		%/verstage \
215		locales \
216		locale_%.bin \
217		font.bin \
218		vbgfx.bin \
219		rmu.bin \
220		cmos_layout.bin \
221		cmos.default \
222		intel_fit \
223		intel_fit_ts \
224		fspt.bin \
225		pagetables \
226		$(call strip_quotes,$(CONFIG_RO_REGION_ONLY)) \
227		,$(1)),COREBOOT,\
228		$(if $(filter \
229		$(call strip_quotes,$(CONFIG_RWA_REGION_ONLY)) \
230		,$(1)), FW_MAIN_A, \
231		$(if $(filter \
232			$(call strip_quotes,$(CONFIG_RWB_REGION_ONLY)) \
233			,$(1)), FW_MAIN_B, \
234		$(if $(filter \
235			$(call strip_quotes,$(CONFIG_RW_REGION_ONLY)) \
236			,$(1)), $(RW_PARTITIONS), $(VBOOT_PARTITIONS) ) \
237		))))))
238
239CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID))
240CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE))
241CONFIG_VBOOT_KEYBLOCK := $(call strip_quotes,$(CONFIG_VBOOT_KEYBLOCK))
242CONFIG_VBOOT_FIRMWARE_PRIVKEY := $(call strip_quotes,$(CONFIG_VBOOT_FIRMWARE_PRIVKEY))
243CONFIG_VBOOT_KERNEL_KEY := $(call strip_quotes,$(CONFIG_VBOOT_KERNEL_KEY))
244CONFIG_VBOOT_FWID_MODEL := $(call strip_quotes,$(CONFIG_VBOOT_FWID_MODEL))
245CONFIG_VBOOT_FWID_VERSION := $(call strip_quotes,$(CONFIG_VBOOT_FWID_VERSION))
246
247# bool-to-mask(var, value)
248# return "value" if var is "y", 0 otherwise
249bool-to-mask = $(if $(filter y,$(1)),$(2),0)
250
251GBB_FLAGS := $(call int-add, \
252	$(call bool-to-mask,$(CONFIG_GBB_FLAG_DEV_SCREEN_SHORT_DELAY),0x1) \
253	$(call bool-to-mask,$(CONFIG_GBB_FLAG_LOAD_OPTION_ROMS),0x2) \
254	$(call bool-to-mask,$(CONFIG_GBB_FLAG_ENABLE_ALTERNATE_OS),0x4) \
255	$(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_SWITCH_ON),0x8) \
256	$(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_USB),0x10) \
257	$(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK),0x20) \
258	$(call bool-to-mask,$(CONFIG_GBB_FLAG_ENTER_TRIGGERS_TONORM),0x40) \
259	$(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_ALTFW),0x80) \
260	$(call bool-to-mask,$(CONFIG_GBB_FLAG_RUNNING_FAFT),0x100) \
261	$(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC),0x200) \
262	$(call bool-to-mask,$(CONFIG_GBB_FLAG_DEFAULT_DEV_BOOT_ALTFW),0x400) \
263	$(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC),0x800) \
264	$(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_LID_SHUTDOWN),0x1000) \
265	$(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_MANUAL_RECOVERY),0x4000) \
266	$(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_FWMP),0x8000) \
267	$(call bool-to-mask,$(CONFIG_GBB_FLAG_ENABLE_UDC),0x10000) \
268	)
269
270ifneq ($(CONFIG_GBB_BMPFV_FILE),)
271$(obj)/gbb.sizetmp: $(obj)/coreboot.rom
272	$(CBFSTOOL) $< read -r GBB -f $@
273
274$(obj)/gbb.stub: $(obj)/coreboot.rom $(FUTILITY) $(obj)/gbb.sizetmp
275	@printf "    CREATE GBB (with BMPFV)\n"
276	$(FUTILITY) gbb_utility -c 0x100,0x1000,$(call int-subtract,$(call file-size,$(obj)/gbb.sizetmp) 0x2180),0x1000 $@.tmp
277	mv $@.tmp $@
278else
279$(obj)/gbb.stub: $(obj)/coreboot.rom $(FUTILITY)
280	@printf "    CREATE GBB (without BMPFV)\n"
281	$(FUTILITY) gbb_utility -c 0x100,0x1000,0,0x1000 $@.tmp
282	mv $@.tmp $@
283endif
284
285# Generate a test-only HWID
286ifeq ($(CONFIG_GBB_HWID),)
287CONFIG_GBB_HWID := $$($(top)/util/chromeos/gen_test_hwid.sh "$(CONFIG_MAINBOARD_PART_NUMBER)")
288endif
289
290$(obj)/gbb.region: $(obj)/gbb.stub
291	@printf "    SETUP GBB\n"
292	cp $< $@.tmp
293	$(FUTILITY) gbb_utility -s \
294		--hwid="$(CONFIG_GBB_HWID)" \
295		--rootkey="$(CONFIG_VBOOT_ROOT_KEY)" \
296		--recoverykey="$(CONFIG_VBOOT_RECOVERY_KEY)" \
297		--flags=$(GBB_FLAGS) \
298		$@.tmp
299ifneq ($(CONFIG_GBB_BMPFV_FILE),)
300	$(FUTILITY) gbb_utility -s \
301		--bmpfv="$(CONFIG_GBB_BMPFV_FILE)" \
302		$@.tmp
303endif
304	mv $@.tmp $@
305
306$(obj)/fwid.version:
307	echo -n "$(CONFIG_VBOOT_FWID_VERSION)" > $@
308
309$(obj)/fwid.region: $(obj)/fwid.version
310	printf "%s%s\0" \
311		"$(CONFIG_VBOOT_FWID_MODEL)" \
312		"$$(cat "$(obj)/fwid.version")" > $@
313
314build_complete:: $(obj)/gbb.region $(obj)/fwid.region
315	@printf "    WRITE GBB\n"
316	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -i 0 -f $(obj)/gbb.region
317	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RO_FRID -i 0 -f $(obj)/fwid.region
318ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y)
319	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region
320endif
321ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y)
322	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_B -i 0 -f $(obj)/fwid.region
323endif
324
325ifneq ($(shell grep "SHARED_DATA" "$(CONFIG_FMDFILE)"),)
326build_complete::
327	printf "\0" > $(obj)/shared_data.region
328	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r SHARED_DATA -i 0 -f $(obj)/shared_data.region
329endif
330
331fmap-section-offset-cmd = $(FUTILITY) dump_fmap -p $(obj)/coreboot.rom | \
332					grep '^$(1) ' | cut '-d ' -f2
333fmap-section-size-cmd =   $(FUTILITY) dump_fmap -p $(obj)/coreboot.rom | \
334					grep '^$(1) ' | cut '-d ' -f3
335
336ifeq ($(CONFIG_VBOOT_GSCVD),y)
337#
338# vboot-gscvd-ranges
339#
340# This variable expands to the list of ranges that will be verified by the GSC
341# before releasing the SoC from reset. It needs to cover all security-relevant
342# ranges of the flash that CBFS verification cannot cover itself. By default
343# this is the `GBB` FMAP section (not handled here but through the special `-G`
344# parameter to `futility gscvd` below) and the bootblock. Here we are
345# initializing the variable to expansions that produce ranges for both the
346# `BOOTBLOCK` FMAP section (filled up to the real size of
347# `$(objcbfs)/bootblock.bin`) and the `bootblock` file in the primary CBFS --
348# only one of those two should normally exist on a given platform.
349#
350# Platforms where the bootblock isn't the first and only thing loaded by the
351# hardware or which otherwise have special security-relevant flash areas that
352# cannot be covered normally by CBFS verification will need to manually add
353# ranges to this variable in their own Makefiles, in the format produced by
354# printf("%x:%x", start_offset, size). The variable is only expanded once in a
355# recipe of the `files_added` target, so $(shell) expansions that depend on
356# inspecting $(obj)/coreboot.rom (or any of its dependencies) are valid.
357#
358vboot-gscvd-ranges += $(shell ( \
359	offset=$$($(call fmap-section-offset-cmd,BOOTBLOCK)) ;\
360	if [ -n "$$offset" ]; then \
361		size=$$(wc -c < $(objcbfs)/bootblock.bin) ;\
362		printf "%x:%x" $$offset $$size ;\
363	fi ;\
364))
365vboot-gscvd-ranges += $(shell ( \
366	line=$$($(CBFSTOOL) $(obj)/coreboot.rom print -k | grep '^bootblock[[:space:]]') ;\
367	if [ -n "$$line" ]; then \
368		cbfs_start=$$($(call fmap-section-offset-cmd,COREBOOT)) ;\
369		offset=$$(printf "$$line" | cut -f2) ;\
370		size=$$(printf "$$line" | cut -f6) ;\
371		printf "%x:%x" $$((cbfs_start + offset)) $$size ;\
372	fi ;\
373))
374files_added:: $(FUTILITY)
375	@printf "    WRITE GSCVD\n"
376	gscvd_range_args="$(foreach range,$(vboot-gscvd-ranges),-R $(range))" ;\
377	if [ -z "$$gscvd_range_args" ]; then \
378		echo "ERROR: No valid GSCVD ranges detected in image!" ;\
379		exit 1 ;\
380	fi ;\
381	$(FUTILITY) gscvd -G $$gscvd_range_args -b $(CONFIG_VBOOT_GSC_BOARD_ID) \
382		-r "$(CONFIG_VBOOT_GSCVD_ROOT_PUBKEY)" \
383		-p "$(CONFIG_VBOOT_GSCVD_PLATFORM_PRIVKEY)" \
384		-k "$(CONFIG_VBOOT_GSCVD_PLATFORM_KEYBLOCK)" \
385		$(obj)/coreboot.rom
386endif
387
388ifneq (,$(filter y,$(CONFIG_VBOOT_SLOTS_RW_A) $(CONFIG_VBOOT_SLOTS_RW_AB)))
389files_added:: $(obj)/coreboot.rom $(FUTILITY) $(CBFSTOOL)
390	CBFSTOOL="$(CBFSTOOL)" \
391	$(FUTILITY) sign \
392		--signprivate "$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)" \
393		--keyblock "$(CONFIG_VBOOT_KEYBLOCK)" \
394		--kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \
395		--version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \
396		--flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) \
397		$(obj)/coreboot.rom
398	if [ "$(CONFIG_VBOOT_SLOTS_RW_AB)" = 'y' ]; then \
399		printf "    FLASHMAP Layout generated for RO, A and B partition.\n"; \
400	elif [ "$(CONFIG_VBOOT_SLOTS_RW_A)" = 'y' ]; then \
401		printf "    FLASHMAP Layout generated for RO and A partition.\n"; \
402	fi
403else
404show_notices::
405	@printf "    FLASHMAP Layout generated for RO partition only.\n"
406	@printf "             Beware that there is no failure safety in case of update now!\n"
407endif
408
409endif # CONFIG_VBOOT
410