From a2bc2540c2d004b475b401ccf0b162c2452857bb Mon Sep 17 00:00:00 2001
From: Arthur Heymans
Date: Sat, 29 May 2021 08:10:49 +0200
Subject: Allow to build romstage sources inside the bootblock
Having a separate romstage is only desirable:
- with advanced setups like vboot or normal/fallback
- boot medium is slow at startup (some ARM SOCs)
- bootblock is limited in size (Intel APL 32K)
When this is not the case there is no need for the extra complexity that romstage brings. Including the romstage sources inside the bootblock substantially reduces the total code footprint. Often the resulting code is 10-20k smaller. This is controlled via a Kconfig option.
TESTED: works on qemu x86, arm and aarch64 with and without VBOOT.
Change-Id: Id68390edc1ba228b121cca89b80c64a92553e284
Signed-off-by: Arthur Heymans
Reviewed-on: https://review.coreboot.org/c/coreboot/+/55068
Reviewed-by: Julius Werner
Tested-by: build bot (Jenkins)
Reviewed-by: Felix Held
---
src/security/vboot/Kconfig | 1 +
src/security/vboot/Makefile.inc | 6 ++++++
src/security/vboot/misc.h | 2 +-
src/security/vboot/vboot_common.c | 2 +-
4 files changed, 9 insertions(+), 2 deletions(-)
(limited to 'src/security')
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index a2af5d256417..2d5b20f50dc4 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -90,6 +90,7 @@ config VBOOT_STARTS_BEFORE_BOOTBLOCK
 config VBOOT_STARTS_IN_BOOTBLOCK
 bool
 default n
+ depends on SEPARATE_ROMSTAGE
 help
 Firmware verification happens during the end of or right after the bootblock. This implies that a static VBOOT2_WORK() buffer must be
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index f1524440444e..1b3568a1ece1 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
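Review bot: In src/security/vboot/Kconfig, the new `depends on SEPARATE_ROMSTAGE` sits on a symbol that, as far as this hunk shows, has no prompt (`bool` with `default n`), so it is presumably only ever enabled through `select`. Kconfig's `select` turns a symbol on without evaluating its `depends on`, so a board that selects VBOOT_STARTS_IN_BOOTBLOCK while building without a separate romstage gets at most an unmet-dependency warning, and the combination is blocked only if the build treats that warning as fatal. Because this symbol decides where firmware verification starts, I would also state the constraint in the help text, for example `Requires SEPARATE_ROMSTAGE; builds that place romstage sources in the bootblock use VBOOT_STARTS_IN_ROMSTAGE.`, with the wording confirmed against the intended configuration matrix. The help text continues outside the hunk.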
@@ -43,7 +43,9 @@ $(1)-srcs += $$(VBOOT_LIB_$(1))
 endef # vboot-for-stage
 $(eval $(call vboot-for-stage,bootblock))
+ifeq ($(CONFIG_SEPARATE_ROMSTAGE),y)
 $(eval $(call vboot-for-stage,romstage))
+endif
 $(eval $(call vboot-for-stage,ramstage))
 $(eval $(call vboot-for-stage,postcar))
@@ -157,7 +159,11 @@ else # CONFIG_VBOOT_SEPARATE_VERSTAGE
 ifeq ($(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK),y)
 postinclude-hooks += $$(eval bootblock-srcs += $$(verstage-srcs))
 else
+ifeq ($(CONFIG_SEPARATE_ROMSTAGE),y)
 postinclude-hooks += $$(eval romstage-srcs += $$(verstage-srcs))
+else
+postinclude-hooks += $$(eval bootblock-srcs += $$(verstage-srcs))
+endif
 endif
 endif # CONFIG_VBOOT_SEPARATE_VERSTAGE
diff --git a/src/security/vboot/misc.h b/src/security/vboot/misc.h
index 8310647760d7..a7069f38fed5 100644
--- a/src/security/vboot/misc.h
+++ b/src/security/vboot/misc.h
@@ -48,7 +48,7 @@ static inline int verification_should_run(void)
 if (CONFIG(VBOOT_SEPARATE_VERSTAGE))
 return ENV_SEPARATE_VERSTAGE;
 else if (CONFIG(VBOOT_STARTS_IN_ROMSTAGE))
- return ENV_ROMSTAGE;
+ return ENV_RAMINIT;
 else if (CONFIG(VBOOT_STARTS_IN_BOOTBLOCK))
 return ENV_BOOTBLOCK;
 else
diff --git a/src/security/vboot/vboot_common.c b/src/security/vboot/vboot_common.c
index f9080c585a8c..68df1406a769 100644
--- a/src/security/vboot/vboot_common.c
+++ b/src/security/vboot/vboot_common.c
@@ -29,7 +29,7 @@ static void save_secdata(struct vb2_context *ctx)
 void vboot_save_data(struct vb2_context *ctx)
 {
- if (!verification_should_run() && !(ENV_ROMSTAGE && CONFIG(VBOOT_EARLY_EC_SYNC))) {
+ if (!verification_should_run() && !(ENV_RAMINIT && CONFIG(VBOOT_EARLY_EC_SYNC))) {
 if (ctx->flags & (VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED | VB2_CONTEXT_SECDATA_KERNEL_CHANGED))
-- cgit v1.2.3
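Review bot: In the second Makefile.inc hunk (`@@ -157,7 +159,11 @@`), the new inner `else` branch repeats the line from the `CONFIG_VBOOT_STARTS_IN_BOOTBLOCK` branch verbatim, so verstage sources now reach `bootblock-srcs` by two paths and the reason for the second one is not stated at this spot. A comment above the inner `ifeq` would help, e.g. `# Without a separate romstage the romstage sources are linked into the bootblock, so the verification code goes there too.` The added `endif` also sits at column 0 directly above two existing ones, which makes it easy to misattribute. A trailing `# CONFIG_SEPARATE_ROMSTAGE` on it, in the style of the existing `endif # CONFIG_VBOOT_SEPARATE_VERSTAGE`, would keep the nesting readable. The enclosing conditional starts outside the hunk.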
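Review bot: In verification_should_run() (misc.h), the `CONFIG(VBOOT_STARTS_IN_ROMSTAGE)` branch now returns `ENV_RAMINIT`, whose definition is not part of this path-limited diff, so a reader cannot tell from here in which stages the function is true. Going by the commit message, it presumably also holds in the bootblock when the romstage sources are built into it, so the predicate may be true for the whole bootblock rather than only from the point where verification begins. Callers that read it as "verification runs in this stage" should be checked against that. I would add a comment on the branch once confirmed, such as `/* ENV_RAMINIT: the stage holding the romstage sources (romstage, or bootblock without SEPARATE_ROMSTAGE) */`. The function starts and ends outside the hunk.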
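Review bot: In vboot_save_data() (vboot_common.c), the changed condition appears to guard against secdata flags that changed outside the stage where verification runs (the body is cut off by the hunk), and its second clause is an exemption whose reach now follows `ENV_RAMINIT` instead of `ENV_ROMSTAGE`. Nothing at this site says why early EC sync is exempt or which stages that covers, which makes it hard to review whether the exemption became wider with this change. A short comment before the `if` would do, e.g. `/* Secdata may only change in the verification stage, or in the raminit stage when EC sync runs early. */`, to be confirmed by the author. The function body continues outside the hunk.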