From fd96da95c4a36ffae8118400aa8cdab0d50b5060 Mon Sep 17 00:00:00 2001 From: Martin Roth Date: Thu, 18 Jan 2024 12:31:22 -0700 Subject: device, security: Rename Makefiles from .inc to .mk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The .inc suffix is confusing to various tools as it's not specific to Makefiles. This means that editors don't recognize the files, and don't open them with highlighting and any other specific editor functionality. This issue is also seen in the release notes generation script where Makefiles get renamed before running cloc. 
Signed-off-by: Martin Roth Change-Id: I41f8a9b5d1bdb647a915da1a5e95161b2e34df28 Reviewed-on: https://review.coreboot.org/c/coreboot/+/80082 Reviewed-by: Michael Niewöhner Reviewed-by: Maximilian Brune Reviewed-by: Felix Singer Tested-by: build bot (Jenkins) --- src/security/Makefile.inc | 7 - src/security/Makefile.mk | 7 + src/security/intel/Makefile.inc | 5 - src/security/intel/Makefile.mk | 5 + src/security/intel/cbnt/Makefile.inc | 165 ----------- src/security/intel/cbnt/Makefile.mk | 165 +++++++++++ src/security/intel/stm/Makefile.inc | 21 -- src/security/intel/stm/Makefile.mk | 21 ++ src/security/intel/txt/Makefile.inc | 56 ---- src/security/intel/txt/Makefile.mk | 56 ++++ src/security/lockdown/Makefile.inc | 11 - src/security/lockdown/Makefile.mk | 11 + src/security/memory/Makefile.inc | 7 - src/security/memory/Makefile.mk | 7 + src/security/tpm/Makefile.inc | 78 ----- src/security/tpm/Makefile.mk | 78 +++++ src/security/tpm/tss/vendor/cr50/Makefile.inc | 7 - src/security/tpm/tss/vendor/cr50/Makefile.mk | 7 + src/security/vboot/Makefile.inc | 400 -------------------------- src/security/vboot/Makefile.mk | 400 ++++++++++++++++++++++++++ 20 files changed, 757 insertions(+), 757 deletions(-) delete mode 100644 src/security/Makefile.inc create mode 100644 src/security/Makefile.mk delete mode 100644 src/security/intel/Makefile.inc create mode 100644 src/security/intel/Makefile.mk delete mode 100644 src/security/intel/cbnt/Makefile.inc create mode 100644 src/security/intel/cbnt/Makefile.mk delete mode 100644 src/security/intel/stm/Makefile.inc create mode 100644 src/security/intel/stm/Makefile.mk delete mode 100644 src/security/intel/txt/Makefile.inc create mode 100644 src/security/intel/txt/Makefile.mk delete mode 100644 src/security/lockdown/Makefile.inc create mode 100644 src/security/lockdown/Makefile.mk delete mode 100644 src/security/memory/Makefile.inc create mode 100644 src/security/memory/Makefile.mk delete mode 100644 src/security/tpm/Makefile.inc create 
mode 100644 src/security/tpm/Makefile.mk delete mode 100644 src/security/tpm/tss/vendor/cr50/Makefile.inc create mode 100644 src/security/tpm/tss/vendor/cr50/Makefile.mk delete mode 100644 src/security/vboot/Makefile.inc create mode 100644 src/security/vboot/Makefile.mk (limited to 'src/security')
diff --git a/src/security/Makefile.inc b/src/security/Makefile.inc
deleted file mode 100644
index b7922d41d59e..000000000000
--- a/src/security/Makefile.inc
+++ /dev/null
@@ -1,7 +0,0 @@
-## SPDX-License-Identifier: GPL-2.0-only
-
-subdirs-y += vboot
-subdirs-y += tpm
-subdirs-y += memory
-subdirs-y += intel
-subdirs-y += lockdown
diff --git a/src/security/Makefile.mk b/src/security/Makefile.mk
new file mode 100644
index 000000000000..b7922d41d59e
--- /dev/null
+++ b/src/security/Makefile.mk
@@ -0,0 +1,7 @@
+## SPDX-License-Identifier: GPL-2.0-only
+
+subdirs-y += vboot
+subdirs-y += tpm
+subdirs-y += memory
+subdirs-y += intel
+subdirs-y += lockdown
diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc
deleted file mode 100644
index 25e28ed86941..000000000000
--- a/src/security/intel/Makefile.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-## SPDX-License-Identifier: GPL-2.0-only
-
-subdirs-y += txt
-subdirs-y += stm
-subdirs-y += cbnt
diff --git a/src/security/intel/Makefile.mk b/src/security/intel/Makefile.mk
new file mode 100644
index 000000000000..25e28ed86941
--- /dev/null
+++ b/src/security/intel/Makefile.mk
@@ -0,0 +1,5 @@
+## SPDX-License-Identifier: GPL-2.0-only
+
+subdirs-y += txt
+subdirs-y += stm
+subdirs-y += cbnt
diff --git a/src/security/intel/cbnt/Makefile.inc b/src/security/intel/cbnt/Makefile.inc
deleted file mode 100644
index e912bf0726d3..000000000000
--- a/src/security/intel/cbnt/Makefile.inc
+++ /dev/null
@@ -1,165 +0,0 @@
-## SPDX-License-Identifier: GPL-2.0-only
-
-ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
-
-all-y += logging.c
-ramstage-y += cmos.c
-
-# As specified in Intel Trusted Execution Technology and Boot Guard Server BIOS
-# Specification, document number # 558294
-PK_HASH_ALG_SHA1:=4
-PK_HASH_ALG_SHA256:=11
-PK_HASH_ALG_SHA384:=12
-
-# The private key also contains the public key, so use that if a private key is provided.
-ifeq ($(CONFIG_INTEL_CBNT_NEED_KM_PRIV_KEY),y)
-$(obj)/km_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_CBNT_KM_PRIV_KEY_FILE))
- openssl pkey -in $< -pubout > $@
-else ifeq ($(CONFIG_INTEL_CBNT_NEED_KM_PUB_KEY),y)
-$(obj)/km_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_CBNT_KM_PUB_KEY_FILE))
- cp $< $@
-endif
-
-# The private key also contains the public key, so use that if a private key is provided.
-ifeq ($(CONFIG_INTEL_CBNT_NEED_BPM_PRIV_KEY),y)
-$(obj)/bpm_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE))
- openssl pkey -in $< -pubout > $@
-else ifeq ($(CONFIG_INTEL_CBNT_NEED_BPM_PUB_KEY),y)
-$(obj)/bpm_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_CBNT_BPM_PUB_KEY_FILE))
- cp $< $@
-endif
-
-CBNT_PROV:=$(obj)/cbnt-prov
-CBNT_CFG:=$(obj)/cbnt.json
-
-ifneq ($(CONFIG_INTEL_CBNT_PROV_EXTERNAL_BIN),y)
-$(CBNT_PROV):
- printf " CBNT_PROV building tool\n"
- cd 3rdparty/intel-sec-tools; \
- GO111MODULE=on go build -o $(abspath $@) cmd/cbnt-prov/main.go cmd/cbnt-prov/cmd.go
-else
-$(CBNT_PROV): $(call strip_quotes, $(CONFIG_INTEL_CBNT_PROV_EXTERNAL_BIN_PATH))
- cp $< $@
-endif
-
-$(CBNT_CFG): $(call strip_quotes, $(CONFIG_INTEL_CBNT_CBNT_PROV_CFG_FILE))
- cp $(CONFIG_INTEL_CBNT_CBNT_PROV_CFG_FILE) $@
-
-ifeq ($(CONFIG_INTEL_CBNT_GENERATE_BPM),y)
-ifeq ($(CONFIG_INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE),y)
-$(obj)/bpm_unsigned.bin: $(obj)/coreboot.pre $(CBNT_PROV) $(CBNT_CFG)
- printf " CBNT_PROV creating unsigned BPM using config file\n"
- $(CBNT_PROV) bpm-gen $@ $< --config=$(CBNT_CFG) --cut
-else
-$(obj)/bpm_unsigned.bin: $(obj)/coreboot.pre $(CBNT_PROV) set_fit_ptr
- printf " CBNT_PROV creating unsigned BPM\n"
- $(CBNT_PROV) bpm-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_BPM_REVISION) \
- --svn=$(CONFIG_INTEL_CBNT_BPM_SVN) \
- --acmsvn=$(CONFIG_INTEL_CBNT_ACM_SVN) \
- --nems=$(CONFIG_INTEL_CBNT_NUM_NEM_PAGES) \
- --pbet=$(CONFIG_INTEL_CBNT_PBET) \
- --ibbflags=$(CONFIG_INTEL_CBNT_IBB_FLAGS) \
- --entrypoint=$(shell printf "%d" 0xfffffff0) \
- --ibbhash=$(PK_HASH_ALG_SHA256),$(PK_HASH_ALG_SHA1),$(PK_HASH_ALG_SHA384) \
- --sinitmin=$(CONFIG_INTEL_CBNT_SINIT_SVN) \
- --txtflags=0 \
- --powerdowninterval=$(CONFIG_INTEL_CBNT_PD_INTERVAL) \
- --acpibaseoffset=$(shell printf "%d" $(CONFIG_INTEL_ACPI_BASE_ADDRESS)) \
- --powermbaseoffset=$(shell printf "%d" $(CONFIG_INTEL_PCH_PWRM_BASE_ADDRESS)) \
- --cmosoff0=$(shell printf "%d" $(CONFIG_INTEL_CBNT_CMOS_OFFSET)) \
- --cmosoff1=$(call int-add, $(CONFIG_INTEL_CBNT_CMOS_OFFSET) 1) \
- --cut \
- --out=$(obj)/bpm_cfg.json
-endif
-
-ifeq ($(CONFIG_INTEL_CBNT_BPM_ONLY_UNSIGNED),y)
-build_complete:: $(obj)/bpm_unsigned.bin
-
-show_notices::
- @printf "\n** WARNING **\n"
- @printf "Build generated an unsigned BPM image: build/bpm_unsigned.bin.\n"
- @printf "The resulting image will not work with CBnT.\n"
- @printf "After you have externally signed the image you can add it to the coreboot image:\n"
- @printf "$$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16\n"
- @printf "$$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom\n"
-else
-$(obj)/bpm.bin: $(obj)/bpm_unsigned.bin $(CBNT_PROV) $(call strip_quotes, $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE))
- printf " CBNT_PROV signing real BPM\n"
- $(CBNT_PROV) bpm-sign $< $@ $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE) ""
-
-# Add BPM at the end of the build when all files have been added
-$(call add_intermediate, add_bpm, $(obj)/bpm.bin)
- printf " CBNT Adding BPM\n"
- -$(CBFSTOOL) $< remove -n boot_policy_manifest.bin 2>/dev/null
- $(CBFSTOOL) $< add -f $(obj)/bpm.bin -n boot_policy_manifest.bin -a 0x10 -t raw
-
-$(call add_intermediate, fit_bpm, set_fit_ptr add_bpm $(IFITTOOL))
- printf " IFITTOOL Adding BPM\n"
- $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
-
-endif # CONFIG_INTEL_CBNT_BPM_ONLY_UNSIGNED
-
-else # CONFIG_INTEL_CBNT_GENERATE_BPM
-
-ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"")
-cbfs-files-y += boot_policy_manifest.bin
-boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY)
-boot_policy_manifest.bin-type := raw
-boot_policy_manifest.bin-align := 0x10
-
-$(call add_intermediate, add_bpm_fit, $(IFITTOOL) set_fit_ptr)
- $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
-endif
-endif # CONFIG_INTEL_CBNT_GENERATE_BPM
-
-ifeq ($(CONFIG_INTEL_CBNT_GENERATE_KM),y)
-ifeq ($(CONFIG_INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE),y)
-$(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(CBNT_PROV) $(CBNT_CFG)
- printf " CBNT_PROV creating unsigned KM using config file\n"
- $(CBNT_PROV) km-gen $@ $< --config=$(CBNT_CFG)
-else
-$(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(obj)/bpm_pub.pem $(CBNT_PROV)
- printf " CBNT_PROV creating unsigned KM\n"
- $(CBNT_PROV) km-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_KM_REVISION) \
- --svn=$(CONFIG_INTEL_CBNT_KM_SVN) \
- --id=$(CONFIG_INTEL_CBNT_KM_ID) \
- --pkhashalg=$(PK_HASH_ALG_SHA256) \
- --bpmpubkey=$(obj)/bpm_pub.pem \
- --bpmhashalgo=$(PK_HASH_ALG_SHA256) \
- --out=$(obj)/km_cfg.json
-endif
-
-$(obj)/km.bin: $(obj)/km_unsigned.bin $(CBNT_PROV) $(call strip_quotes, $(CONFIG_INTEL_CBNT_KM_PRIV_KEY_FILE))
- printf " CBNT_PROV signing KM\n"
- $(CBNT_PROV) km-sign $< $@ $(CONFIG_INTEL_CBNT_KM_PRIV_KEY_FILE) ""
-
-KM_FILE=$(obj)/km.bin
-else
-KM_FILE=$(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY)
-endif
-
-ifneq ($(KM_FILE),"")
-ifeq ($(CONFIG_INTEL_CBNT_KM_ONLY_UNSIGNED),y)
-$(call add_intermediate, gen_unsigned_km, $(obj)/km_unsigned.bin)
- @printf "Generating unsgined KM\n"
-
-show_notices::
- @printf "\n** WARNING **\n"
- @printf "Build generated an unsigned KM image: build/km_unsiged.bin.\n"
- @printf "The resulting image will not work with CBnT.\n"
- @printf "After you have externally signed the image you can add it to the coreboot image:\n"
- @printf "$$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16\n"
- @printf "$$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom\n"
-
-else
-cbfs-files-y += key_manifest.bin
-key_manifest.bin-file := $(KM_FILE)
-key_manifest.bin-type := raw
-key_manifest.bin-align := 0x10
-
-$(call add_intermediate, add_km_fit, $(IFITTOOL) set_fit_ptr)
- $(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
-endif
-
-endif # CONFIG_INTEL_CBNT_KM_ONLY_UNSIGNED
-endif # CONFIG_INTEL_CBNT_SUPPORT
diff --git a/src/security/intel/cbnt/Makefile.mk b/src/security/intel/cbnt/Makefile.mk
new file mode 100644
index 000000000000..e912bf0726d3
--- /dev/null
+++ b/src/security/intel/cbnt/Makefile.mk
@@ -0,0 +1,165 @@
+## SPDX-License-Identifier: GPL-2.0-only
+
+ifeq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
+
+all-y += logging.c
+ramstage-y += cmos.c
+
+# As specified in Intel Trusted Execution Technology and Boot Guard Server BIOS
+# Specification, document number # 558294
+PK_HASH_ALG_SHA1:=4
+PK_HASH_ALG_SHA256:=11
+PK_HASH_ALG_SHA384:=12
+
+# The private key also contains the public key, so use that if a private key is provided.
+ifeq ($(CONFIG_INTEL_CBNT_NEED_KM_PRIV_KEY),y)
+$(obj)/km_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_CBNT_KM_PRIV_KEY_FILE))
+ openssl pkey -in $< -pubout > $@
+else ifeq ($(CONFIG_INTEL_CBNT_NEED_KM_PUB_KEY),y)
+$(obj)/km_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_CBNT_KM_PUB_KEY_FILE))
+ cp $< $@
+endif
+
+# The private key also contains the public key, so use that if a private key is provided.
+ifeq ($(CONFIG_INTEL_CBNT_NEED_BPM_PRIV_KEY),y)
+$(obj)/bpm_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE))
+ openssl pkey -in $< -pubout > $@
+else ifeq ($(CONFIG_INTEL_CBNT_NEED_BPM_PUB_KEY),y)
+$(obj)/bpm_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_CBNT_BPM_PUB_KEY_FILE))
+ cp $< $@
+endif
+
+CBNT_PROV:=$(obj)/cbnt-prov
+CBNT_CFG:=$(obj)/cbnt.json
+
+ifneq ($(CONFIG_INTEL_CBNT_PROV_EXTERNAL_BIN),y)
+$(CBNT_PROV):
+ printf " CBNT_PROV building tool\n"
+ cd 3rdparty/intel-sec-tools; \
+ GO111MODULE=on go build -o $(abspath $@) cmd/cbnt-prov/main.go cmd/cbnt-prov/cmd.go
+else
+$(CBNT_PROV): $(call strip_quotes, $(CONFIG_INTEL_CBNT_PROV_EXTERNAL_BIN_PATH))
+ cp $< $@
+endif
+
+$(CBNT_CFG): $(call strip_quotes, $(CONFIG_INTEL_CBNT_CBNT_PROV_CFG_FILE))
+ cp $(CONFIG_INTEL_CBNT_CBNT_PROV_CFG_FILE) $@
+
+ifeq ($(CONFIG_INTEL_CBNT_GENERATE_BPM),y)
+ifeq ($(CONFIG_INTEL_CBNT_CBNT_PROV_BPM_USE_CFG_FILE),y)
+$(obj)/bpm_unsigned.bin: $(obj)/coreboot.pre $(CBNT_PROV) $(CBNT_CFG)
+ printf " CBNT_PROV creating unsigned BPM using config file\n"
+ $(CBNT_PROV) bpm-gen $@ $< --config=$(CBNT_CFG) --cut
+else
+$(obj)/bpm_unsigned.bin: $(obj)/coreboot.pre $(CBNT_PROV) set_fit_ptr
+ printf " CBNT_PROV creating unsigned BPM\n"
+ $(CBNT_PROV) bpm-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_BPM_REVISION) \
+ --svn=$(CONFIG_INTEL_CBNT_BPM_SVN) \
+ --acmsvn=$(CONFIG_INTEL_CBNT_ACM_SVN) \
+ --nems=$(CONFIG_INTEL_CBNT_NUM_NEM_PAGES) \
+ --pbet=$(CONFIG_INTEL_CBNT_PBET) \
+ --ibbflags=$(CONFIG_INTEL_CBNT_IBB_FLAGS) \
+ --entrypoint=$(shell printf "%d" 0xfffffff0) \
+ --ibbhash=$(PK_HASH_ALG_SHA256),$(PK_HASH_ALG_SHA1),$(PK_HASH_ALG_SHA384) \
+ --sinitmin=$(CONFIG_INTEL_CBNT_SINIT_SVN) \
+ --txtflags=0 \
+ --powerdowninterval=$(CONFIG_INTEL_CBNT_PD_INTERVAL) \
+ --acpibaseoffset=$(shell printf "%d" $(CONFIG_INTEL_ACPI_BASE_ADDRESS)) \
+ --powermbaseoffset=$(shell printf "%d" $(CONFIG_INTEL_PCH_PWRM_BASE_ADDRESS)) \
+ --cmosoff0=$(shell printf "%d" $(CONFIG_INTEL_CBNT_CMOS_OFFSET)) \
+ --cmosoff1=$(call int-add, $(CONFIG_INTEL_CBNT_CMOS_OFFSET) 1) \
+ --cut \
+ --out=$(obj)/bpm_cfg.json
+endif
+
+ifeq ($(CONFIG_INTEL_CBNT_BPM_ONLY_UNSIGNED),y)
+build_complete:: $(obj)/bpm_unsigned.bin
+
+show_notices::
+ @printf "\n** WARNING **\n"
+ @printf "Build generated an unsigned BPM image: build/bpm_unsigned.bin.\n"
+ @printf "The resulting image will not work with CBnT.\n"
+ @printf "After you have externally signed the image you can add it to the coreboot image:\n"
+ @printf "$$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16\n"
+ @printf "$$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom\n"
+else
+$(obj)/bpm.bin: $(obj)/bpm_unsigned.bin $(CBNT_PROV) $(call strip_quotes, $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE))
+ printf " CBNT_PROV signing real BPM\n"
+ $(CBNT_PROV) bpm-sign $< $@ $(CONFIG_INTEL_CBNT_BPM_PRIV_KEY_FILE) ""
+
+# Add BPM at the end of the build when all files have been added
+$(call add_intermediate, add_bpm, $(obj)/bpm.bin)
+ printf " CBNT Adding BPM\n"
+ -$(CBFSTOOL) $< remove -n boot_policy_manifest.bin 2>/dev/null
+ $(CBFSTOOL) $< add -f $(obj)/bpm.bin -n boot_policy_manifest.bin -a 0x10 -t raw
+
+$(call add_intermediate, fit_bpm, set_fit_ptr add_bpm $(IFITTOOL))
+ printf " IFITTOOL Adding BPM\n"
+ $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+
+endif # CONFIG_INTEL_CBNT_BPM_ONLY_UNSIGNED
+
+else # CONFIG_INTEL_CBNT_GENERATE_BPM
+
+ifneq ($(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY),"")
+cbfs-files-y += boot_policy_manifest.bin
+boot_policy_manifest.bin-file := $(CONFIG_INTEL_CBNT_BOOT_POLICY_MANIFEST_BINARY)
+boot_policy_manifest.bin-type := raw
+boot_policy_manifest.bin-align := 0x10
+
+$(call add_intermediate, add_bpm_fit, $(IFITTOOL) set_fit_ptr)
+ $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+endif
+endif # CONFIG_INTEL_CBNT_GENERATE_BPM
+
+ifeq ($(CONFIG_INTEL_CBNT_GENERATE_KM),y)
+ifeq ($(CONFIG_INTEL_CBNT_CBNT_PROV_KM_USE_CFG_FILE),y)
+$(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(CBNT_PROV) $(CBNT_CFG)
+ printf " CBNT_PROV creating unsigned KM using config file\n"
+ $(CBNT_PROV) km-gen $@ $< --config=$(CBNT_CFG)
+else
+$(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(obj)/bpm_pub.pem $(CBNT_PROV)
+ printf " CBNT_PROV creating unsigned KM\n"
+ $(CBNT_PROV) km-gen $@ $< --revision=$(CONFIG_INTEL_CBNT_KM_REVISION) \
+ --svn=$(CONFIG_INTEL_CBNT_KM_SVN) \
+ --id=$(CONFIG_INTEL_CBNT_KM_ID) \
+ --pkhashalg=$(PK_HASH_ALG_SHA256) \
+ --bpmpubkey=$(obj)/bpm_pub.pem \
+ --bpmhashalgo=$(PK_HASH_ALG_SHA256) \
+ --out=$(obj)/km_cfg.json
+endif
+
+$(obj)/km.bin: $(obj)/km_unsigned.bin $(CBNT_PROV) $(call strip_quotes, $(CONFIG_INTEL_CBNT_KM_PRIV_KEY_FILE))
+ printf " CBNT_PROV signing KM\n"
+ $(CBNT_PROV) km-sign $< $@ $(CONFIG_INTEL_CBNT_KM_PRIV_KEY_FILE) ""
+
+KM_FILE=$(obj)/km.bin
+else
+KM_FILE=$(CONFIG_INTEL_CBNT_KEY_MANIFEST_BINARY)
+endif
+
+ifneq ($(KM_FILE),"")
+ifeq ($(CONFIG_INTEL_CBNT_KM_ONLY_UNSIGNED),y)
+$(call add_intermediate, gen_unsigned_km, $(obj)/km_unsigned.bin)
+ @printf "Generating unsgined KM\n"
+
+show_notices::
+ @printf "\n** WARNING **\n"
+ @printf "Build generated an unsigned KM image: build/km_unsiged.bin.\n"
+ @printf "The resulting image will not work with CBnT.\n"
+ @printf "After you have externally signed the image you can add it to the coreboot image:\n"
+ @printf "$$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16\n"
+ @printf "$$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom\n"
+
+else
+cbfs-files-y += key_manifest.bin
+key_manifest.bin-file := $(KM_FILE)
+key_manifest.bin-type := raw
+key_manifest.bin-align := 0x10
+
+$(call add_intermediate, add_km_fit, $(IFITTOOL) set_fit_ptr)
+ $(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+endif
+
+endif # CONFIG_INTEL_CBNT_KM_ONLY_UNSIGNED
+endif # CONFIG_INTEL_CBNT_SUPPORT
diff --git a/src/security/intel/stm/Makefile.inc b/src/security/intel/stm/Makefile.inc
deleted file mode 100644
index 90b7c188f7ff..000000000000
--- a/src/security/intel/stm/Makefile.inc
+++ /dev/null
@@ -1,21 +0,0 @@
-## SPDX-License-Identifier: GPL-2.0-only
-
-# put the stm where it can be found
-
-cbfs-files-$(CONFIG_STM) += stm.bin
-stm.bin-file := $(CONFIG_STM_BINARY_FILE)
-stm.bin-type := raw
-
-ramstage-$(CONFIG_STM) += SmmStm.c
-ramstage-$(CONFIG_STM) += StmPlatformSmm.c
-ramstage-$(CONFIG_STM) += StmPlatformResource.c
-
-3rdparty/stm/Stm/build/StmPkg/Core/stm.bin: $(obj)/config.h
- $(MAKE) -C src/security/intel/stm \
- CONFIG_STM_TTYS0_BASE=$(CONFIG_STM_TTYS0_BASE) \
- CONFIG_STM_HEAPSIZE=$(CONFIG_STM_HEAPSIZE) \
- CONFIG_STM_CONSOLE_DEBUG=$(CONFIG_STM_CONSOLE_DEBUG) \
- CONFIG_STM_CONSOLE_RELEASE=$(CONFIG_STM_CONSOLE_RELEASE) \
- CONFIG_STM_GIT_BRANCH=$(CONFIG_STM_GIT_BRANCH) \
- CONFIG_STM_STMPE_ENABLED=$(CONFIG_STM_STMPE_ENABLED) \
- CONFIG_STM_CBMEM_CONSOLE=$(CONFIG_STM_CBMEM_CONSOLE)
diff --git a/src/security/intel/stm/Makefile.mk b/src/security/intel/stm/Makefile.mk
new file mode 100644
index 000000000000..90b7c188f7ff
--- /dev/null
+++ b/src/security/intel/stm/Makefile.mk
@@ -0,0 +1,21 @@
+## SPDX-License-Identifier: GPL-2.0-only
+
+# put the stm where it can be found
+
+cbfs-files-$(CONFIG_STM) += stm.bin
+stm.bin-file := $(CONFIG_STM_BINARY_FILE)
+stm.bin-type := raw
+
+ramstage-$(CONFIG_STM) += SmmStm.c
+ramstage-$(CONFIG_STM) += StmPlatformSmm.c
+ramstage-$(CONFIG_STM) += StmPlatformResource.c
+
+3rdparty/stm/Stm/build/StmPkg/Core/stm.bin: $(obj)/config.h
+ $(MAKE) -C src/security/intel/stm \
+ CONFIG_STM_TTYS0_BASE=$(CONFIG_STM_TTYS0_BASE) \
+ CONFIG_STM_HEAPSIZE=$(CONFIG_STM_HEAPSIZE) \
+ CONFIG_STM_CONSOLE_DEBUG=$(CONFIG_STM_CONSOLE_DEBUG) \
+ CONFIG_STM_CONSOLE_RELEASE=$(CONFIG_STM_CONSOLE_RELEASE) \
+ CONFIG_STM_GIT_BRANCH=$(CONFIG_STM_GIT_BRANCH) \
+ CONFIG_STM_STMPE_ENABLED=$(CONFIG_STM_STMPE_ENABLED) \
+ CONFIG_STM_CBMEM_CONSOLE=$(CONFIG_STM_CBMEM_CONSOLE)
diff --git a/src/security/intel/txt/Makefile.inc b/src/security/intel/txt/Makefile.inc
deleted file mode 100644
index c1fc0c45271d..000000000000
--- a/src/security/intel/txt/Makefile.inc
+++ /dev/null
@@ -1,56 +0,0 @@
-## SPDX-License-Identifier: GPL-2.0-only
-
-romstage-$(CONFIG_INTEL_TXT_LIB) += txtlib.c
-
-ifeq ($(CONFIG_INTEL_TXT),y)
-
-all-y += logging.c
-
-romstage-y += romstage.c
-romstage-y += getsec_sclean.S
-romstage-y += getsec.c
-
-romstage-y += common.c
-
-ramstage-y += common.c
-ramstage-y += getsec.c
-ramstage-y += getsec_enteraccs.S
-ramstage-y += ramstage.c
-
-cbfs-files-y += $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)
-$(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)-file := $(CONFIG_INTEL_TXT_BIOSACM_FILE)
-$(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)-type := raw
-$(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)-align := $(CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT)
-
-ifneq ($(CONFIG_INTEL_TXT_SINITACM_FILE),"")
-cbfs-files-y += $(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)
-$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-file := $(CONFIG_INTEL_TXT_SINITACM_FILE)
-$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-type := raw
-$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-align := 0x10
-$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-compression := lzma
-endif
-
-ifeq ($(CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE),y)
-
-$(call add_intermediate, add_acm_fit, $(IFITTOOL) set_fit_ptr)
- $(IFITTOOL) -r COREBOOT -a -n $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM) -t 2 \
- -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
-
-# CBnT does not use FIT for IBB
-ifneq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
-# Initial BootBlock files
-ibb-files := $(foreach file,$(cbfs-files), \
- $(if $(shell echo '$(call extract_nth,7,$(file))'|grep -- --ibb), \
- $(call extract_nth,2,$(file)),))
-
-ibb-files += bootblock
-
-$(call add_intermediate, add_ibb_fit, $(IFITTOOL) set_fit_ptr)
- $(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 \
- -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT)) true
-
-endif # INTEL_CBNT_SUPPORT
-
-endif # CPU_INTEL_FIRMWARE_INTERFACE_TABLE
-
-endif # INTEL_TXT
diff --git a/src/security/intel/txt/Makefile.mk b/src/security/intel/txt/Makefile.mk
new file mode 100644
index 000000000000..c1fc0c45271d
--- /dev/null
+++ b/src/security/intel/txt/Makefile.mk
@@ -0,0 +1,56 @@
+## SPDX-License-Identifier: GPL-2.0-only
+
+romstage-$(CONFIG_INTEL_TXT_LIB) += txtlib.c
+
+ifeq ($(CONFIG_INTEL_TXT),y)
+
+all-y += logging.c
+
+romstage-y += romstage.c
+romstage-y += getsec_sclean.S
+romstage-y += getsec.c
+
+romstage-y += common.c
+
+ramstage-y += common.c
+ramstage-y += getsec.c
+ramstage-y += getsec_enteraccs.S
+ramstage-y += ramstage.c
+
+cbfs-files-y += $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)
+$(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)-file := $(CONFIG_INTEL_TXT_BIOSACM_FILE)
+$(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)-type := raw
+$(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)-align := $(CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT)
+
+ifneq ($(CONFIG_INTEL_TXT_SINITACM_FILE),"")
+cbfs-files-y += $(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)
+$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-file := $(CONFIG_INTEL_TXT_SINITACM_FILE)
+$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-type := raw
+$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-align := 0x10
+$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-compression := lzma
+endif
+
+ifeq ($(CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE),y)
+
+$(call add_intermediate, add_acm_fit, $(IFITTOOL) set_fit_ptr)
+ $(IFITTOOL) -r COREBOOT -a -n $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM) -t 2 \
+ -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+
+# CBnT does not use FIT for IBB
+ifneq ($(CONFIG_INTEL_CBNT_SUPPORT),y)
+# Initial BootBlock files
+ibb-files := $(foreach file,$(cbfs-files), \
+ $(if $(shell echo '$(call extract_nth,7,$(file))'|grep -- --ibb), \
+ $(call extract_nth,2,$(file)),))
+
+ibb-files += bootblock
+
+$(call add_intermediate, add_ibb_fit, $(IFITTOOL) set_fit_ptr)
+ $(foreach file, $(ibb-files), $(shell $(IFITTOOL) -f $< -a -n $(file) -t 7 \
+ -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -r COREBOOT)) true
+
+endif # INTEL_CBNT_SUPPORT
+
+endif # CPU_INTEL_FIRMWARE_INTERFACE_TABLE
+
+endif # INTEL_TXT
diff --git a/src/security/lockdown/Makefile.inc b/src/security/lockdown/Makefile.inc
deleted file mode 100644
index 00405fa6f5df..000000000000
--- a/src/security/lockdown/Makefile.inc
+++ /dev/null
@@ -1,11 +0,0 @@
-## SPDX-License-Identifier: GPL-2.0-or-later
-
-ifneq ($(CONFIG_BOOTMEDIA_LOCK_NONE),y)
-
-ifeq ($(CONFIG_BOOTMEDIA_LOCK_IN_VERSTAGE),y)
-verstage-y += lockdown.c
-else
-ramstage-y += lockdown.c
-endif
-
-endif
diff --git a/src/security/lockdown/Makefile.mk b/src/security/lockdown/Makefile.mk
new file mode 100644
index 000000000000..00405fa6f5df
--- /dev/null
+++ b/src/security/lockdown/Makefile.mk
@@ -0,0 +1,11 @@
+## SPDX-License-Identifier: GPL-2.0-or-later
+
+ifneq ($(CONFIG_BOOTMEDIA_LOCK_NONE),y)
+
+ifeq ($(CONFIG_BOOTMEDIA_LOCK_IN_VERSTAGE),y)
+verstage-y += lockdown.c
+else
+ramstage-y += lockdown.c
+endif
+
+endif
diff --git a/src/security/memory/Makefile.inc b/src/security/memory/Makefile.inc
deleted file mode 100644
index 4f07bbbcb4ec..000000000000
--- a/src/security/memory/Makefile.inc
+++ /dev/null
@@ -1,7 +0,0 @@
-## SPDX-License-Identifier: GPL-2.0-only
-
-romstage-$(CONFIG_PLATFORM_HAS_DRAM_CLEAR) += memory.c
-postcar-$(CONFIG_PLATFORM_HAS_DRAM_CLEAR) += memory.c
-ramstage-$(CONFIG_PLATFORM_HAS_DRAM_CLEAR) += memory.c
-
-ramstage-$(CONFIG_PLATFORM_HAS_DRAM_CLEAR) += memory_clear.c
diff --git a/src/security/memory/Makefile.mk b/src/security/memory/Makefile.mk
new file mode 100644
index 000000000000..4f07bbbcb4ec
--- /dev/null
+++ b/src/security/memory/Makefile.mk
@@ -0,0 +1,7 @@
+## SPDX-License-Identifier: GPL-2.0-only
+
+romstage-$(CONFIG_PLATFORM_HAS_DRAM_CLEAR) += memory.c
+postcar-$(CONFIG_PLATFORM_HAS_DRAM_CLEAR) += memory.c
+ramstage-$(CONFIG_PLATFORM_HAS_DRAM_CLEAR) += memory.c
+
+ramstage-$(CONFIG_PLATFORM_HAS_DRAM_CLEAR) += memory_clear.c
diff --git a/src/security/tpm/Makefile.inc b/src/security/tpm/Makefile.inc
deleted file mode 100644
index ade96569408b..000000000000
--- a/src/security/tpm/Makefile.inc
+++ /dev/null
@@ -1,78 +0,0 @@
-## SPDX-License-Identifier: GPL-2.0-only
-
-subdirs-$(CONFIG_TPM_GOOGLE) += tss/vendor/cr50
-
-## TSS
-
-ifeq ($(CONFIG_TPM1),y)
-
-ramstage-y += tss/tcg-1.2/tss.c
-romstage-y += tss/tcg-1.2/tss.c
-bootblock-y += tss/tcg-1.2/tss.c
-verstage-y += tss/tcg-1.2/tss.c
-postcar-y += tss/tcg-1.2/tss.c
-
-## TSPI
-
-ramstage-y += tspi/tspi.c
-romstage-y += tspi/tspi.c
-bootblock-y += tspi/tspi.c
-verstage-y += tspi/tspi.c
-postcar-y += tspi/tspi.c
-
-endif # CONFIG_TPM1
-
-ifeq ($(CONFIG_TPM2),y)
-
-ramstage-y += tss/tcg-2.0/tss_marshaling.c
-ramstage-y += tss/tcg-2.0/tss.c
-
-romstage-y += tss/tcg-2.0/tss_marshaling.c
-romstage-y += tss/tcg-2.0/tss.c
-
-verstage-$(CONFIG_VBOOT) += tss/tcg-2.0/tss_marshaling.c
-verstage-$(CONFIG_VBOOT) += tss/tcg-2.0/tss.c
-
-postcar-y += tss/tcg-2.0/tss_marshaling.c
-postcar-y += tss/tcg-2.0/tss.c
-
-bootblock-y += tss/tcg-2.0/tss_marshaling.c
-bootblock-y += tss/tcg-2.0/tss.c
-
-## TSPI
-
-ramstage-y += tspi/tspi.c
-romstage-y += tspi/tspi.c
-bootblock-y += tspi/tspi.c
-verstage-$(CONFIG_VBOOT) += tspi/tspi.c
-postcar-y += tspi/tspi.c
-
-endif # CONFIG_TPM2
-
-ifeq ($(CONFIG_TPM_MEASURED_BOOT),y)
-
-bootblock-y += tspi/crtm.c
-verstage-y += tspi/crtm.c
-romstage-y += tspi/crtm.c
-ramstage-y += tspi/crtm.c
-postcar-y += tspi/crtm.c
-
-ramstage-$(CONFIG_TPM_LOG_CB) += tspi/log.c
-romstage-$(CONFIG_TPM_LOG_CB) += tspi/log.c
-verstage-$(CONFIG_TPM_LOG_CB) += tspi/log.c
-postcar-$(CONFIG_TPM_LOG_CB) += tspi/log.c
-bootblock-$(CONFIG_TPM_LOG_CB) += tspi/log.c
-
-ramstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-romstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-verstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-postcar-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-bootblock-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-
-ramstage-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
-romstage-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
-verstage-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
-postcar-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
-bootblock-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
-
-endif # CONFIG_TPM_MEASURED_BOOT
diff --git a/src/security/tpm/Makefile.mk b/src/security/tpm/Makefile.mk
new file mode 100644
index 000000000000..ade96569408b
--- /dev/null
+++ b/src/security/tpm/Makefile.mk
@@ -0,0 +1,78 @@
+## SPDX-License-Identifier: GPL-2.0-only
+
+subdirs-$(CONFIG_TPM_GOOGLE) += tss/vendor/cr50
+
+## TSS
+
+ifeq ($(CONFIG_TPM1),y)
+
+ramstage-y += tss/tcg-1.2/tss.c
+romstage-y += tss/tcg-1.2/tss.c
+bootblock-y += tss/tcg-1.2/tss.c
+verstage-y += tss/tcg-1.2/tss.c
+postcar-y += tss/tcg-1.2/tss.c
+
+## TSPI
+
+ramstage-y += tspi/tspi.c
+romstage-y += tspi/tspi.c
+bootblock-y += tspi/tspi.c
+verstage-y += tspi/tspi.c
+postcar-y += tspi/tspi.c
+
+endif # CONFIG_TPM1
+
+ifeq ($(CONFIG_TPM2),y)
+
+ramstage-y += tss/tcg-2.0/tss_marshaling.c
+ramstage-y += tss/tcg-2.0/tss.c
+
+romstage-y += tss/tcg-2.0/tss_marshaling.c
+romstage-y += tss/tcg-2.0/tss.c
+
+verstage-$(CONFIG_VBOOT) += tss/tcg-2.0/tss_marshaling.c
+verstage-$(CONFIG_VBOOT) += tss/tcg-2.0/tss.c
+
+postcar-y += tss/tcg-2.0/tss_marshaling.c
+postcar-y += tss/tcg-2.0/tss.c
+
+bootblock-y += tss/tcg-2.0/tss_marshaling.c
+bootblock-y += tss/tcg-2.0/tss.c
+
+## TSPI
+
+ramstage-y += tspi/tspi.c
+romstage-y += tspi/tspi.c
+bootblock-y += tspi/tspi.c
+verstage-$(CONFIG_VBOOT) += tspi/tspi.c
+postcar-y += tspi/tspi.c
+
+endif # CONFIG_TPM2
+
+ifeq ($(CONFIG_TPM_MEASURED_BOOT),y)
+
+bootblock-y += tspi/crtm.c
+verstage-y += tspi/crtm.c
+romstage-y += tspi/crtm.c
+ramstage-y += tspi/crtm.c
+postcar-y += tspi/crtm.c
+
+ramstage-$(CONFIG_TPM_LOG_CB) += tspi/log.c
+romstage-$(CONFIG_TPM_LOG_CB) += tspi/log.c
+verstage-$(CONFIG_TPM_LOG_CB) += tspi/log.c
+postcar-$(CONFIG_TPM_LOG_CB) += tspi/log.c
+bootblock-$(CONFIG_TPM_LOG_CB) += tspi/log.c
+
+ramstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
+romstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
+verstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
+postcar-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
+bootblock-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
+
+ramstage-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
+romstage-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
+verstage-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
+postcar-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
+bootblock-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
+
+endif # CONFIG_TPM_MEASURED_BOOT
diff --git a/src/security/tpm/tss/vendor/cr50/Makefile.inc b/src/security/tpm/tss/vendor/cr50/Makefile.inc
deleted file mode 100644
index 0a16fa197822..000000000000
--- a/src/security/tpm/tss/vendor/cr50/Makefile.inc
+++ /dev/null
@@ -1,7 +0,0 @@
-## SPDX-License-Identifier: GPL-2.0-only
-
-ramstage-y += cr50.c
-romstage-y += cr50.c
-postcar-y += cr50.c
-
-verstage-$(CONFIG_VBOOT) += cr50.c
diff --git a/src/security/tpm/tss/vendor/cr50/Makefile.mk b/src/security/tpm/tss/vendor/cr50/Makefile.mk
new file mode 100644
index 000000000000..0a16fa197822
--- /dev/null
+++ b/src/security/tpm/tss/vendor/cr50/Makefile.mk
@@ -0,0 +1,7 @@
+## SPDX-License-Identifier: GPL-2.0-only
+
+ramstage-y += cr50.c
+romstage-y += cr50.c
+postcar-y += cr50.c
+
+verstage-$(CONFIG_VBOOT) += cr50.c
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
deleted file mode 100644
index 1689efb15582..000000000000
--- a/src/security/vboot/Makefile.inc
+++ /dev/null
@@ -1,400 +0,0 @@ -## SPDX-License-Identifier: GPL-2.0-only - -ifeq ($(CONFIG_VBOOT_LIB),y) - -bootblock-y += vboot_lib.c -verstage-y += vboot_lib.c -romstage-y += vboot_lib.c -ramstage-y += vboot_lib.c -postcar-y += vboot_lib.c - -vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\ - $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\ - $(filter-out -I$(obj),$(1)))) - -# call with $1 = stage name to create rules for building the library -# for the stage and adding it to the stage's set of object files. -define vboot-for-stage -VBOOT_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw.a -VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1))) -VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1)) -VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts)) -VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes -VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG - -$$(VBOOT_LIB_$(1)): $(obj)/config.h - printf " MAKE $(subst $(obj)/,,$(@))\n" - +FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \ - CC="$$(CC_$(1))" \ - CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \ - EC_EFS="$(CONFIG_VBOOT_EC_EFS)" \ - X86_SHA_EXT="$(if $(CONFIG_ARCH_$(call toupper,$(1))_X86_32)$(CONFIG_ARCH_$(call toupper,$(1))_X86_64),$\ - $(CONFIG_VBOOT_X86_SHA256_ACCELERATION))" \ - VB2_X86_RSA_ACCELERATION="$(if $(CONFIG_ARCH_$(call toupper,$(1))_X86_32)$(CONFIG_ARCH_$(call toupper,$(1))_X86_64),$\ - $(CONFIG_VBOOT_X86_RSA_ACCELERATION))" \ - ARMV8_CRYPTO_EXT="$(if $(CONFIG_ARCH_$(call toupper,$(1))_ARMV8_64),$$(CONFIG_VBOOT_ARMV8_CE_SHA256_ACCELERATION))" \ - $(MAKE) -C $(VBOOT_SOURCE) \ - BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \ - V=$(V) \ - USE_FLASHROM=0 \ - fwlib \ - $(if $(CONFIG_SBOM_VBOOT),$$(abspath $$(dir $$(VBOOT_LIB_$(1))))/vboot_host.pc) - -.PHONY: $$(VBOOT_LIB_$(1)) - -$(1)-srcs += $$(VBOOT_LIB_$(1)) - -endef # vboot-for-stage - -$(eval $(call vboot-for-stage,bootblock)) -ifeq ($(CONFIG_SEPARATE_ROMSTAGE),y) -$(eval $(call vboot-for-stage,romstage)) -endif -$(eval $(call 
vboot-for-stage,ramstage)) -$(eval $(call vboot-for-stage,postcar)) - -endif # CONFIG_VBOOT_LIB - -ifeq ($(CONFIG_VBOOT),y) - -bootblock-y += bootmode.c -romstage-y += bootmode.c -ramstage-y += bootmode.c -verstage-y += bootmode.c -postcar-y += bootmode.c - -verstage-generic-ccopts += -D__VERSTAGE__ - -bootblock-y += vbnv.c -verstage-y += vbnv.c -romstage-y += vbnv.c -ramstage-y += vbnv.c -postcar-y += vbnv.c - -romstage-$(CONFIG_VBOOT_EARLY_EC_SYNC) += ec_sync.c - -bootblock-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c -verstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c -romstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c -ramstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c -postcar-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c - -bootblock-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c -verstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c -romstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c -ramstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c -postcar-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c - -bootblock-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c -verstage-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c -romstage-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c -ramstage-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c -postcar-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c - -bootblock-y += vboot_loader.c -romstage-y += vboot_loader.c -ramstage-y += vboot_loader.c -verstage-y += vboot_loader.c -postcar-y += vboot_loader.c - -bootblock-y += vboot_common.c -verstage-y += vboot_common.c -romstage-y += vboot_common.c -ramstage-y += vboot_common.c -postcar-y += vboot_common.c - -bootblock-y += common.c -verstage-y += vboot_logic.c -verstage-y += common.c -ifeq ($(CONFIG_VBOOT_STARTS_BEFORE_BOOTBLOCK),) -verstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += verstage.c -endif -ifeq (${CONFIG_VBOOT_MOCK_SECDATA},y) -verstage-y += secdata_mock.c -romstage-y += secdata_mock.c -ramstage-y += secdata_mock.c -else -verstage-y += secdata_tpm.c 
-romstage-y += secdata_tpm.c -ramstage-y += secdata_tpm.c -endif - -verstage-$(CONFIG_TPM) += tpm_common.c - -romstage-y += common.c - -ramstage-y += common.c -postcar-y += common.c - -romstage-$(CONFIG_MRC_SAVE_HASH_IN_TPM) += mrc_cache_hash_tpm.c -ramstage-$(CONFIG_MRC_SAVE_HASH_IN_TPM) += mrc_cache_hash_tpm.c - -ramstage-$(CONFIG_SOC_AMD_GFX_CACHE_VBIOS_IN_FMAP) += vbios_cache_hash_tpm.c - -ifeq ($(CONFIG_VBOOT_X86_RSA_ACCELERATION),y) -CPPFLAGS_common += -DVB2_X86_RSA_ACCELERATION -endif - -ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y) - -$(eval $(call vboot-for-stage,verstage)) - -ifeq ($(CONFIG_VBOOT_STARTS_BEFORE_BOOTBLOCK),) -cbfs-files-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += $(CONFIG_CBFS_PREFIX)/verstage -$(CONFIG_CBFS_PREFIX)/verstage-file := $(objcbfs)/verstage.elf -$(CONFIG_CBFS_PREFIX)/verstage-type := stage -$(CONFIG_CBFS_PREFIX)/verstage-compression := $(CBFS_PRERAM_COMPRESS_FLAG) -endif # CONFIG_VBOOT_STARTS_BEFORE_BOOTBLOCK - -ifeq ($(CONFIG_ARCH_VERSTAGE_X86_32)$(CONFIG_ARCH_VERSTAGE_X86_64),y) -$(CONFIG_CBFS_PREFIX)/verstage-options := -a 64 -ifeq ($(CONFIG_NO_XIP_EARLY_STAGES),y) -$(CONFIG_CBFS_PREFIX)/verstage-options += -S ".car.data" -else -$(CONFIG_CBFS_PREFIX)/verstage-options += -S ".car.data,.data" -endif - -# If CAR does not support execution of code, verstage on x86 is expected to be -# xip. -ifneq ($(CONFIG_NO_XIP_EARLY_STAGES),y) -$(CONFIG_CBFS_PREFIX)/verstage-options += --xip -endif - -endif -$(CONFIG_CBFS_PREFIX)/verstage-options += $(TXTIBB) - -else # CONFIG_VBOOT_SEPARATE_VERSTAGE -ifeq ($(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK),y) -postinclude-hooks += $$(eval bootblock-srcs += $$(verstage-srcs)) -else -ifeq ($(CONFIG_SEPARATE_ROMSTAGE),y) -postinclude-hooks += $$(eval romstage-srcs += $$(verstage-srcs)) -else -postinclude-hooks += $$(eval bootblock-srcs += $$(verstage-srcs)) -endif -endif -endif # CONFIG_VBOOT_SEPARATE_VERSTAGE - -#RO-Partition is always there! 
-VBOOT_PARTITIONS := COREBOOT -# Check for RW_A partition -ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y) -VBOOT_PARTITIONS += FW_MAIN_A -RW_PARTITIONS := FW_MAIN_A -endif -# Check for RW_B partition -ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y) -VBOOT_PARTITIONS += FW_MAIN_B -RW_PARTITIONS += FW_MAIN_B -endif - -# Return the regions a specific file should be placed in. The files listed below and the ones -# that are specified in CONFIG_RO_REGION_ONLY, are only specified in the RO region. The files -# specified in the CONFIG_RW_REGION_ONLY are placed in all RW regions. Files specified -# in CONFIG_RWA_REGION_ONLY or CONFIG_RWB_REGION_ONLY get placed only in those sections. -# All other files will be installed into RO and RW regions -# Use $(sort) to cut down on extra spaces that would be translated to commas -regions-for-file = $(subst $(spc),$(comma),$(sort \ - $(if $(value regions-for-file-$(1)), \ - $(regions-for-file-$(1)), \ - $(if $(filter $(if $(filter y,$(CONFIG_VBOOT_STARTS_IN_ROMSTAGE)), \ - %/romstage,) \ - header_pointer \ - cbfs_master_header \ - mts \ - %/verstage \ - locales \ - locale_%.bin \ - font.bin \ - vbgfx.bin \ - rmu.bin \ - cmos_layout.bin \ - cmos.default \ - intel_fit \ - intel_fit_ts \ - fspt.bin \ - pagetables \ - $(call strip_quotes,$(CONFIG_RO_REGION_ONLY)) \ - ,$(1)),COREBOOT,\ - $(if $(filter \ - $(call strip_quotes,$(CONFIG_RWA_REGION_ONLY)) \ - ,$(1)), FW_MAIN_A, \ - $(if $(filter \ - $(call strip_quotes,$(CONFIG_RWB_REGION_ONLY)) \ - ,$(1)), FW_MAIN_B, \ - $(if $(filter \ - $(call strip_quotes,$(CONFIG_RW_REGION_ONLY)) \ - ,$(1)), $(RW_PARTITIONS), $(VBOOT_PARTITIONS) ) \ - )))))) - -CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID)) -CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE)) -CONFIG_VBOOT_KEYBLOCK := $(call strip_quotes,$(CONFIG_VBOOT_KEYBLOCK)) -CONFIG_VBOOT_FIRMWARE_PRIVKEY := $(call strip_quotes,$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)) -CONFIG_VBOOT_KERNEL_KEY := $(call strip_quotes,$(CONFIG_VBOOT_KERNEL_KEY)) 
-CONFIG_VBOOT_FWID_MODEL := $(call strip_quotes,$(CONFIG_VBOOT_FWID_MODEL)) -CONFIG_VBOOT_FWID_VERSION := $(call strip_quotes,$(CONFIG_VBOOT_FWID_VERSION)) - -# bool-to-mask(var, value) -# return "value" if var is "y", 0 otherwise -bool-to-mask = $(if $(filter y,$(1)),$(2),0) - -GBB_FLAGS := $(call int-add, \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_DEV_SCREEN_SHORT_DELAY),0x1) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_LOAD_OPTION_ROMS),0x2) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_ENABLE_ALTERNATE_OS),0x4) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_SWITCH_ON),0x8) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_USB),0x10) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK),0x20) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_ENTER_TRIGGERS_TONORM),0x40) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_ALTFW),0x80) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_RUNNING_FAFT),0x100) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC),0x200) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_DEFAULT_DEV_BOOT_ALTFW),0x400) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC),0x800) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_LID_SHUTDOWN),0x1000) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_MANUAL_RECOVERY),0x4000) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_FWMP),0x8000) \ - $(call bool-to-mask,$(CONFIG_GBB_FLAG_ENABLE_UDC),0x10000) \ - ) - -ifneq ($(CONFIG_GBB_BMPFV_FILE),) -$(obj)/gbb.sizetmp: $(obj)/coreboot.rom - $(CBFSTOOL) $< read -r GBB -f $@ - -$(obj)/gbb.stub: $(obj)/coreboot.rom $(FUTILITY) $(obj)/gbb.sizetmp - @printf " CREATE GBB (with BMPFV)\n" - $(FUTILITY) gbb_utility -c 0x100,0x1000,$(call int-subtract,$(call file-size,$(obj)/gbb.sizetmp) 0x2180),0x1000 $@.tmp - mv $@.tmp $@ -else -$(obj)/gbb.stub: $(obj)/coreboot.rom $(FUTILITY) - @printf " CREATE GBB (without BMPFV)\n" - $(FUTILITY) gbb_utility -c 0x100,0x1000,0,0x1000 $@.tmp - mv $@.tmp $@ -endif - -# Generate a test-only HWID 
-ifeq ($(CONFIG_GBB_HWID),) -CONFIG_GBB_HWID := $$($(top)/util/chromeos/gen_test_hwid.sh "$(CONFIG_MAINBOARD_PART_NUMBER)") -endif - -$(obj)/gbb.region: $(obj)/gbb.stub - @printf " SETUP GBB\n" - cp $< $@.tmp - $(FUTILITY) gbb_utility -s \ - --hwid="$(CONFIG_GBB_HWID)" \ - --rootkey="$(CONFIG_VBOOT_ROOT_KEY)" \ - --recoverykey="$(CONFIG_VBOOT_RECOVERY_KEY)" \ - --flags=$(GBB_FLAGS) \ - $@.tmp -ifneq ($(CONFIG_GBB_BMPFV_FILE),) - $(FUTILITY) gbb_utility -s \ - --bmpfv="$(CONFIG_GBB_BMPFV_FILE)" \ - $@.tmp -endif - mv $@.tmp $@ - -$(obj)/fwid.version: - echo -n "$(CONFIG_VBOOT_FWID_VERSION)" > $@ - -$(obj)/fwid.region: $(obj)/fwid.version - printf "%s%s\0" \ - "$(CONFIG_VBOOT_FWID_MODEL)" \ - "$$(cat "$(obj)/fwid.version")" > $@ - -build_complete:: $(obj)/gbb.region $(obj)/fwid.region - @printf " WRITE GBB\n" - $(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -i 0 -f $(obj)/gbb.region - $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RO_FRID -i 0 -f $(obj)/fwid.region -ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y) - $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region -endif -ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y) - $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_B -i 0 -f $(obj)/fwid.region -endif - -ifneq ($(shell grep "SHARED_DATA" "$(CONFIG_FMDFILE)"),) -build_complete:: - printf "\0" > $(obj)/shared_data.region - $(CBFSTOOL) $(obj)/coreboot.rom write -u -r SHARED_DATA -i 0 -f $(obj)/shared_data.region -endif - -fmap-section-offset-cmd = $(FUTILITY) dump_fmap -p $(obj)/coreboot.rom | \ - grep '^$(1) ' | cut '-d ' -f2 -fmap-section-size-cmd = $(FUTILITY) dump_fmap -p $(obj)/coreboot.rom | \ - grep '^$(1) ' | cut '-d ' -f3 - -ifeq ($(CONFIG_VBOOT_GSCVD),y) -# -# vboot-gscvd-ranges -# -# This variable expands to the list of ranges that will be verified by the GSC -# before releasing the SoC from reset. It needs to cover all security-relevant -# ranges of the flash that CBFS verification cannot cover itself. 
By default -# this is the `GBB` FMAP section (not handled here but through the special `-G` -# parameter to `futility gscvd` below) and the bootblock. Here we are -# initializing the variable to expansions that produce ranges for both the -# `BOOTBLOCK` FMAP section (filled up to the real size of -# `$(objcbfs)/bootblock.bin`) and the `bootblock` file in the primary CBFS -- -# only one of those two should normally exist on a given platform. -# -# Platforms where the bootblock isn't the first and only thing loaded by the -# hardware or which otherwise have special security-relevant flash areas that -# cannot be covered normally by CBFS verification will need to manually add -# ranges to this variable in their own Makefiles, in the format produced by -# printf("%x:%x", start_offset, size). The variable is only expanded once in a -# recipe of the `files_added` target, so $(shell) expansions that depend on -# inspecting $(obj)/coreboot.rom (or any of its dependencies) are valid. -# -vboot-gscvd-ranges += $(shell ( \ - offset=$$($(call fmap-section-offset-cmd,BOOTBLOCK)) ;\ - if [ -n "$$offset" ]; then \ - size=$$(wc -c < $(objcbfs)/bootblock.bin) ;\ - printf "%x:%x" $$offset $$size ;\ - fi ;\ -)) -vboot-gscvd-ranges += $(shell ( \ - line=$$($(CBFSTOOL) $(obj)/coreboot.rom print -k | grep '^bootblock[[:space:]]') ;\ - if [ -n "$$line" ]; then \ - cbfs_start=$$($(call fmap-section-offset-cmd,COREBOOT)) ;\ - offset=$$(printf "$$line" | cut -f2) ;\ - size=$$(printf "$$line" | cut -f6) ;\ - printf "%x:%x" $$((cbfs_start + offset)) $$size ;\ - fi ;\ -)) -files_added:: $(FUTILITY) - @printf " WRITE GSCVD\n" - gscvd_range_args="$(foreach range,$(vboot-gscvd-ranges),-R $(range))" ;\ - if [ -z "$$gscvd_range_args" ]; then \ - echo "ERROR: No valid GSCVD ranges detected in image!" 
;\ - exit 1 ;\ - fi ;\ - $(FUTILITY) gscvd -G $$gscvd_range_args -b $(CONFIG_VBOOT_GSC_BOARD_ID) \ - -r "$(CONFIG_VBOOT_GSCVD_ROOT_PUBKEY)" \ - -p "$(CONFIG_VBOOT_GSCVD_PLATFORM_PRIVKEY)" \ - -k "$(CONFIG_VBOOT_GSCVD_PLATFORM_KEYBLOCK)" \ - $(obj)/coreboot.rom -endif - -ifneq (,$(filter y,$(CONFIG_VBOOT_SLOTS_RW_A) $(CONFIG_VBOOT_SLOTS_RW_AB))) -files_added:: $(obj)/coreboot.rom $(FUTILITY) $(CBFSTOOL) - CBFSTOOL="$(CBFSTOOL)" \ - $(FUTILITY) sign \ - --signprivate "$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)" \ - --keyblock "$(CONFIG_VBOOT_KEYBLOCK)" \ - --kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \ - --version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \ - --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) \ - $(obj)/coreboot.rom - if [ "$(CONFIG_VBOOT_SLOTS_RW_AB)" = 'y' ]; then \ - printf " FLASHMAP Layout generated for RO, A and B partition.\n"; \ - elif [ "$(CONFIG_VBOOT_SLOTS_RW_A)" = 'y' ]; then \ - printf " FLASHMAP Layout generated for RO and A partition.\n"; \ - fi -else -show_notices:: - @printf " FLASHMAP Layout generated for RO partition only.\n" - @printf " Beware that there is no failure safety in case of update now!\n" -endif - -endif # CONFIG_VBOOT diff --git a/src/security/vboot/Makefile.mk b/src/security/vboot/Makefile.mk new file mode 100644 index 000000000000..1689efb15582 --- /dev/null +++ b/src/security/vboot/Makefile.mk 
@@ -0,0 +1,400 @@ +## SPDX-License-Identifier: GPL-2.0-only + +ifeq ($(CONFIG_VBOOT_LIB),y) + +bootblock-y += vboot_lib.c +verstage-y += vboot_lib.c +romstage-y += vboot_lib.c +ramstage-y += vboot_lib.c +postcar-y += vboot_lib.c + +vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\ + $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\ + $(filter-out -I$(obj),$(1)))) + +# call with $1 = stage name to create rules for building the library +# for the stage and adding it to the stage's set of object files. +define vboot-for-stage +VBOOT_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw.a +VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1))) +VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1)) +VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts)) +VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes +VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG + +$$(VBOOT_LIB_$(1)): $(obj)/config.h + printf " MAKE $(subst $(obj)/,,$(@))\n" + +FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \ + CC="$$(CC_$(1))" \ + CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \ + EC_EFS="$(CONFIG_VBOOT_EC_EFS)" \ + X86_SHA_EXT="$(if $(CONFIG_ARCH_$(call toupper,$(1))_X86_32)$(CONFIG_ARCH_$(call toupper,$(1))_X86_64),$\ + $(CONFIG_VBOOT_X86_SHA256_ACCELERATION))" \ + VB2_X86_RSA_ACCELERATION="$(if $(CONFIG_ARCH_$(call toupper,$(1))_X86_32)$(CONFIG_ARCH_$(call toupper,$(1))_X86_64),$\ + $(CONFIG_VBOOT_X86_RSA_ACCELERATION))" \ + ARMV8_CRYPTO_EXT="$(if $(CONFIG_ARCH_$(call toupper,$(1))_ARMV8_64),$$(CONFIG_VBOOT_ARMV8_CE_SHA256_ACCELERATION))" \ + $(MAKE) -C $(VBOOT_SOURCE) \ + BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \ + V=$(V) \ + USE_FLASHROM=0 \ + fwlib \ + $(if $(CONFIG_SBOM_VBOOT),$$(abspath $$(dir $$(VBOOT_LIB_$(1))))/vboot_host.pc) + +.PHONY: $$(VBOOT_LIB_$(1)) + +$(1)-srcs += $$(VBOOT_LIB_$(1)) + +endef # vboot-for-stage + +$(eval $(call vboot-for-stage,bootblock)) +ifeq ($(CONFIG_SEPARATE_ROMSTAGE),y) +$(eval $(call vboot-for-stage,romstage)) +endif +$(eval $(call 
vboot-for-stage,ramstage)) +$(eval $(call vboot-for-stage,postcar)) + +endif # CONFIG_VBOOT_LIB + +ifeq ($(CONFIG_VBOOT),y) + +bootblock-y += bootmode.c +romstage-y += bootmode.c +ramstage-y += bootmode.c +verstage-y += bootmode.c +postcar-y += bootmode.c + +verstage-generic-ccopts += -D__VERSTAGE__ + +bootblock-y += vbnv.c +verstage-y += vbnv.c +romstage-y += vbnv.c +ramstage-y += vbnv.c +postcar-y += vbnv.c + +romstage-$(CONFIG_VBOOT_EARLY_EC_SYNC) += ec_sync.c + +bootblock-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c +verstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c +romstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c +ramstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c +postcar-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c + +bootblock-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c +verstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c +romstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c +ramstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c +postcar-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c + +bootblock-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c +verstage-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c +romstage-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c +ramstage-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c +postcar-$(CONFIG_VBOOT_VBNV_FLASH) += vbnv_flash.c + +bootblock-y += vboot_loader.c +romstage-y += vboot_loader.c +ramstage-y += vboot_loader.c +verstage-y += vboot_loader.c +postcar-y += vboot_loader.c + +bootblock-y += vboot_common.c +verstage-y += vboot_common.c +romstage-y += vboot_common.c +ramstage-y += vboot_common.c +postcar-y += vboot_common.c + +bootblock-y += common.c +verstage-y += vboot_logic.c +verstage-y += common.c +ifeq ($(CONFIG_VBOOT_STARTS_BEFORE_BOOTBLOCK),) +verstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += verstage.c +endif +ifeq (${CONFIG_VBOOT_MOCK_SECDATA},y) +verstage-y += secdata_mock.c +romstage-y += secdata_mock.c +ramstage-y += secdata_mock.c +else +verstage-y += secdata_tpm.c 
+romstage-y += secdata_tpm.c +ramstage-y += secdata_tpm.c +endif + +verstage-$(CONFIG_TPM) += tpm_common.c + +romstage-y += common.c + +ramstage-y += common.c +postcar-y += common.c + +romstage-$(CONFIG_MRC_SAVE_HASH_IN_TPM) += mrc_cache_hash_tpm.c +ramstage-$(CONFIG_MRC_SAVE_HASH_IN_TPM) += mrc_cache_hash_tpm.c + +ramstage-$(CONFIG_SOC_AMD_GFX_CACHE_VBIOS_IN_FMAP) += vbios_cache_hash_tpm.c + +ifeq ($(CONFIG_VBOOT_X86_RSA_ACCELERATION),y) +CPPFLAGS_common += -DVB2_X86_RSA_ACCELERATION +endif + +ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y) + +$(eval $(call vboot-for-stage,verstage)) + +ifeq ($(CONFIG_VBOOT_STARTS_BEFORE_BOOTBLOCK),) +cbfs-files-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += $(CONFIG_CBFS_PREFIX)/verstage +$(CONFIG_CBFS_PREFIX)/verstage-file := $(objcbfs)/verstage.elf +$(CONFIG_CBFS_PREFIX)/verstage-type := stage +$(CONFIG_CBFS_PREFIX)/verstage-compression := $(CBFS_PRERAM_COMPRESS_FLAG) +endif # CONFIG_VBOOT_STARTS_BEFORE_BOOTBLOCK + +ifeq ($(CONFIG_ARCH_VERSTAGE_X86_32)$(CONFIG_ARCH_VERSTAGE_X86_64),y) +$(CONFIG_CBFS_PREFIX)/verstage-options := -a 64 +ifeq ($(CONFIG_NO_XIP_EARLY_STAGES),y) +$(CONFIG_CBFS_PREFIX)/verstage-options += -S ".car.data" +else +$(CONFIG_CBFS_PREFIX)/verstage-options += -S ".car.data,.data" +endif + +# If CAR does not support execution of code, verstage on x86 is expected to be +# xip. +ifneq ($(CONFIG_NO_XIP_EARLY_STAGES),y) +$(CONFIG_CBFS_PREFIX)/verstage-options += --xip +endif + +endif +$(CONFIG_CBFS_PREFIX)/verstage-options += $(TXTIBB) + +else # CONFIG_VBOOT_SEPARATE_VERSTAGE +ifeq ($(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK),y) +postinclude-hooks += $$(eval bootblock-srcs += $$(verstage-srcs)) +else +ifeq ($(CONFIG_SEPARATE_ROMSTAGE),y) +postinclude-hooks += $$(eval romstage-srcs += $$(verstage-srcs)) +else +postinclude-hooks += $$(eval bootblock-srcs += $$(verstage-srcs)) +endif +endif +endif # CONFIG_VBOOT_SEPARATE_VERSTAGE + +#RO-Partition is always there! 
+VBOOT_PARTITIONS := COREBOOT +# Check for RW_A partition +ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y) +VBOOT_PARTITIONS += FW_MAIN_A +RW_PARTITIONS := FW_MAIN_A +endif +# Check for RW_B partition +ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y) +VBOOT_PARTITIONS += FW_MAIN_B +RW_PARTITIONS += FW_MAIN_B +endif + +# Return the regions a specific file should be placed in. The files listed below and the ones +# that are specified in CONFIG_RO_REGION_ONLY, are only specified in the RO region. The files +# specified in the CONFIG_RW_REGION_ONLY are placed in all RW regions. Files specified +# in CONFIG_RWA_REGION_ONLY or CONFIG_RWB_REGION_ONLY get placed only in those sections. +# All other files will be installed into RO and RW regions +# Use $(sort) to cut down on extra spaces that would be translated to commas +regions-for-file = $(subst $(spc),$(comma),$(sort \ + $(if $(value regions-for-file-$(1)), \ + $(regions-for-file-$(1)), \ + $(if $(filter $(if $(filter y,$(CONFIG_VBOOT_STARTS_IN_ROMSTAGE)), \ + %/romstage,) \ + header_pointer \ + cbfs_master_header \ + mts \ + %/verstage \ + locales \ + locale_%.bin \ + font.bin \ + vbgfx.bin \ + rmu.bin \ + cmos_layout.bin \ + cmos.default \ + intel_fit \ + intel_fit_ts \ + fspt.bin \ + pagetables \ + $(call strip_quotes,$(CONFIG_RO_REGION_ONLY)) \ + ,$(1)),COREBOOT,\ + $(if $(filter \ + $(call strip_quotes,$(CONFIG_RWA_REGION_ONLY)) \ + ,$(1)), FW_MAIN_A, \ + $(if $(filter \ + $(call strip_quotes,$(CONFIG_RWB_REGION_ONLY)) \ + ,$(1)), FW_MAIN_B, \ + $(if $(filter \ + $(call strip_quotes,$(CONFIG_RW_REGION_ONLY)) \ + ,$(1)), $(RW_PARTITIONS), $(VBOOT_PARTITIONS) ) \ + )))))) + +CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID)) +CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE)) +CONFIG_VBOOT_KEYBLOCK := $(call strip_quotes,$(CONFIG_VBOOT_KEYBLOCK)) +CONFIG_VBOOT_FIRMWARE_PRIVKEY := $(call strip_quotes,$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)) +CONFIG_VBOOT_KERNEL_KEY := $(call strip_quotes,$(CONFIG_VBOOT_KERNEL_KEY)) 
+CONFIG_VBOOT_FWID_MODEL := $(call strip_quotes,$(CONFIG_VBOOT_FWID_MODEL)) +CONFIG_VBOOT_FWID_VERSION := $(call strip_quotes,$(CONFIG_VBOOT_FWID_VERSION)) + +# bool-to-mask(var, value) +# return "value" if var is "y", 0 otherwise +bool-to-mask = $(if $(filter y,$(1)),$(2),0) + +GBB_FLAGS := $(call int-add, \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_DEV_SCREEN_SHORT_DELAY),0x1) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_LOAD_OPTION_ROMS),0x2) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_ENABLE_ALTERNATE_OS),0x4) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_SWITCH_ON),0x8) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_USB),0x10) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK),0x20) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_ENTER_TRIGGERS_TONORM),0x40) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_DEV_BOOT_ALTFW),0x80) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_RUNNING_FAFT),0x100) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC),0x200) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_DEFAULT_DEV_BOOT_ALTFW),0x400) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC),0x800) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_LID_SHUTDOWN),0x1000) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_FORCE_MANUAL_RECOVERY),0x4000) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_DISABLE_FWMP),0x8000) \ + $(call bool-to-mask,$(CONFIG_GBB_FLAG_ENABLE_UDC),0x10000) \ + ) + +ifneq ($(CONFIG_GBB_BMPFV_FILE),) +$(obj)/gbb.sizetmp: $(obj)/coreboot.rom + $(CBFSTOOL) $< read -r GBB -f $@ + +$(obj)/gbb.stub: $(obj)/coreboot.rom $(FUTILITY) $(obj)/gbb.sizetmp + @printf " CREATE GBB (with BMPFV)\n" + $(FUTILITY) gbb_utility -c 0x100,0x1000,$(call int-subtract,$(call file-size,$(obj)/gbb.sizetmp) 0x2180),0x1000 $@.tmp + mv $@.tmp $@ +else +$(obj)/gbb.stub: $(obj)/coreboot.rom $(FUTILITY) + @printf " CREATE GBB (without BMPFV)\n" + $(FUTILITY) gbb_utility -c 0x100,0x1000,0,0x1000 $@.tmp + mv $@.tmp $@ +endif + +# Generate a test-only HWID 
+ifeq ($(CONFIG_GBB_HWID),) +CONFIG_GBB_HWID := $$($(top)/util/chromeos/gen_test_hwid.sh "$(CONFIG_MAINBOARD_PART_NUMBER)") +endif + +$(obj)/gbb.region: $(obj)/gbb.stub + @printf " SETUP GBB\n" + cp $< $@.tmp + $(FUTILITY) gbb_utility -s \ + --hwid="$(CONFIG_GBB_HWID)" \ + --rootkey="$(CONFIG_VBOOT_ROOT_KEY)" \ + --recoverykey="$(CONFIG_VBOOT_RECOVERY_KEY)" \ + --flags=$(GBB_FLAGS) \ + $@.tmp +ifneq ($(CONFIG_GBB_BMPFV_FILE),) + $(FUTILITY) gbb_utility -s \ + --bmpfv="$(CONFIG_GBB_BMPFV_FILE)" \ + $@.tmp +endif + mv $@.tmp $@ + +$(obj)/fwid.version: + echo -n "$(CONFIG_VBOOT_FWID_VERSION)" > $@ + +$(obj)/fwid.region: $(obj)/fwid.version + printf "%s%s\0" \ + "$(CONFIG_VBOOT_FWID_MODEL)" \ + "$$(cat "$(obj)/fwid.version")" > $@ + +build_complete:: $(obj)/gbb.region $(obj)/fwid.region + @printf " WRITE GBB\n" + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -i 0 -f $(obj)/gbb.region + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RO_FRID -i 0 -f $(obj)/fwid.region +ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y) + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region +endif +ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y) + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_B -i 0 -f $(obj)/fwid.region +endif + +ifneq ($(shell grep "SHARED_DATA" "$(CONFIG_FMDFILE)"),) +build_complete:: + printf "\0" > $(obj)/shared_data.region + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r SHARED_DATA -i 0 -f $(obj)/shared_data.region +endif + +fmap-section-offset-cmd = $(FUTILITY) dump_fmap -p $(obj)/coreboot.rom | \ + grep '^$(1) ' | cut '-d ' -f2 +fmap-section-size-cmd = $(FUTILITY) dump_fmap -p $(obj)/coreboot.rom | \ + grep '^$(1) ' | cut '-d ' -f3 + +ifeq ($(CONFIG_VBOOT_GSCVD),y) +# +# vboot-gscvd-ranges +# +# This variable expands to the list of ranges that will be verified by the GSC +# before releasing the SoC from reset. It needs to cover all security-relevant +# ranges of the flash that CBFS verification cannot cover itself. 
By default +# this is the `GBB` FMAP section (not handled here but through the special `-G` +# parameter to `futility gscvd` below) and the bootblock. Here we are +# initializing the variable to expansions that produce ranges for both the +# `BOOTBLOCK` FMAP section (filled up to the real size of +# `$(objcbfs)/bootblock.bin`) and the `bootblock` file in the primary CBFS -- +# only one of those two should normally exist on a given platform. +# +# Platforms where the bootblock isn't the first and only thing loaded by the +# hardware or which otherwise have special security-relevant flash areas that +# cannot be covered normally by CBFS verification will need to manually add +# ranges to this variable in their own Makefiles, in the format produced by +# printf("%x:%x", start_offset, size). The variable is only expanded once in a +# recipe of the `files_added` target, so $(shell) expansions that depend on +# inspecting $(obj)/coreboot.rom (or any of its dependencies) are valid. +# +vboot-gscvd-ranges += $(shell ( \ + offset=$$($(call fmap-section-offset-cmd,BOOTBLOCK)) ;\ + if [ -n "$$offset" ]; then \ + size=$$(wc -c < $(objcbfs)/bootblock.bin) ;\ + printf "%x:%x" $$offset $$size ;\ + fi ;\ +)) +vboot-gscvd-ranges += $(shell ( \ + line=$$($(CBFSTOOL) $(obj)/coreboot.rom print -k | grep '^bootblock[[:space:]]') ;\ + if [ -n "$$line" ]; then \ + cbfs_start=$$($(call fmap-section-offset-cmd,COREBOOT)) ;\ + offset=$$(printf "$$line" | cut -f2) ;\ + size=$$(printf "$$line" | cut -f6) ;\ + printf "%x:%x" $$((cbfs_start + offset)) $$size ;\ + fi ;\ +)) +files_added:: $(FUTILITY) + @printf " WRITE GSCVD\n" + gscvd_range_args="$(foreach range,$(vboot-gscvd-ranges),-R $(range))" ;\ + if [ -z "$$gscvd_range_args" ]; then \ + echo "ERROR: No valid GSCVD ranges detected in image!" 
;\ + exit 1 ;\ + fi ;\ + $(FUTILITY) gscvd -G $$gscvd_range_args -b $(CONFIG_VBOOT_GSC_BOARD_ID) \ + -r "$(CONFIG_VBOOT_GSCVD_ROOT_PUBKEY)" \ + -p "$(CONFIG_VBOOT_GSCVD_PLATFORM_PRIVKEY)" \ + -k "$(CONFIG_VBOOT_GSCVD_PLATFORM_KEYBLOCK)" \ + $(obj)/coreboot.rom +endif + +ifneq (,$(filter y,$(CONFIG_VBOOT_SLOTS_RW_A) $(CONFIG_VBOOT_SLOTS_RW_AB))) +files_added:: $(obj)/coreboot.rom $(FUTILITY) $(CBFSTOOL) + CBFSTOOL="$(CBFSTOOL)" \ + $(FUTILITY) sign \ + --signprivate "$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)" \ + --keyblock "$(CONFIG_VBOOT_KEYBLOCK)" \ + --kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \ + --version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \ + --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) \ + $(obj)/coreboot.rom + if [ "$(CONFIG_VBOOT_SLOTS_RW_AB)" = 'y' ]; then \ + printf " FLASHMAP Layout generated for RO, A and B partition.\n"; \ + elif [ "$(CONFIG_VBOOT_SLOTS_RW_A)" = 'y' ]; then \ + printf " FLASHMAP Layout generated for RO and A partition.\n"; \ + fi +else +show_notices:: + @printf " FLASHMAP Layout generated for RO partition only.\n" + @printf " Beware that there is no failure safety in case of update now!\n" +endif + +endif # CONFIG_VBOOT -- cgit v1.2.3