Allow to build romstage sources inside the bootblock

Having a separate romstage is only desirable:
 - with advanced setups like vboot or normal/fallback
 - boot medium is slow at startup (some ARM SOCs)
 - bootblock is limited in size (Intel APL 32K)

When this is not the case there is no need for the extra complexity
that romstage brings. Including the romstage sources inside the
bootblock substantially reduces the total code footprint. Often the
resulting code is 10-20k smaller.

This is controlled via a Kconfig option.

TESTED: works on qemu x86, arm and aarch64 with and without VBOOT.

Change-Id: Id68390edc1ba228b121cca89b80c64a92553e284
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/55068
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>

4 files changed, 9 insertions, 2 deletions

diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index a2af5d256417..2d5b20f50dc4 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -90,6 +90,7 @@ config VBOOT_STARTS_BEFORE_BOOTBLOCK
 config VBOOT_STARTS_IN_BOOTBLOCK
 	bool
 	default n
+	depends on SEPARATE_ROMSTAGE
 	help
 	  Firmware verification happens during the end of or right after the
 	  bootblock. This implies that a static VBOOT2_WORK() buffer must be
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index f1524440444e..1b3568a1ece1 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -43,7 +43,9 @@ $(1)-srcs += $$(VBOOT_LIB_$(1))
 endef # vboot-for-stage
 
 $(eval $(call vboot-for-stage,bootblock))
+ifeq ($(CONFIG_SEPARATE_ROMSTAGE),y)
 $(eval $(call vboot-for-stage,romstage))
+endif
 $(eval $(call vboot-for-stage,ramstage))
 $(eval $(call vboot-for-stage,postcar))
 
@@ -157,7 +159,11 @@ else # CONFIG_VBOOT_SEPARATE_VERSTAGE
 ifeq ($(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK),y)
 postinclude-hooks += $$(eval bootblock-srcs += $$(verstage-srcs))
 else
+ifeq ($(CONFIG_SEPARATE_ROMSTAGE),y)
 postinclude-hooks += $$(eval romstage-srcs += $$(verstage-srcs))
+else
+postinclude-hooks += $$(eval bootblock-srcs += $$(verstage-srcs))
+endif
 endif
 endif # CONFIG_VBOOT_SEPARATE_VERSTAGE
 
diff --git a/src/security/vboot/misc.h b/src/security/vboot/misc.h
index 8310647760d7..a7069f38fed5 100644
--- a/src/security/vboot/misc.h
+++ b/src/security/vboot/misc.h
@@ -48,7 +48,7 @@ static inline int verification_should_run(void)
 	if (CONFIG(VBOOT_SEPARATE_VERSTAGE))
 		return ENV_SEPARATE_VERSTAGE;
 	else if (CONFIG(VBOOT_STARTS_IN_ROMSTAGE))
-		return ENV_ROMSTAGE;
+		return ENV_RAMINIT;
 	else if (CONFIG(VBOOT_STARTS_IN_BOOTBLOCK))
 		return ENV_BOOTBLOCK;
 	else
diff --git a/src/security/vboot/vboot_common.c b/src/security/vboot/vboot_common.c
index f9080c585a8c..68df1406a769 100644
--- a/src/security/vboot/vboot_common.c
+++ b/src/security/vboot/vboot_common.c
@@ -29,7 +29,7 @@ static void save_secdata(struct vb2_context *ctx)
 
 void vboot_save_data(struct vb2_context *ctx)
 {
-	if (!verification_should_run() && !(ENV_ROMSTAGE && CONFIG(VBOOT_EARLY_EC_SYNC))) {
+	if (!verification_should_run() && !(ENV_RAMINIT && CONFIG(VBOOT_EARLY_EC_SYNC))) {
 		if (ctx->flags
 		    & (VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED
 		       | VB2_CONTEXT_SECDATA_KERNEL_CHANGED))