diff options
author | Randall Spangler <rspangler@chromium.org> | 2011-03-18 12:44:27 -0700 |
---|---|---|
committer | Randall Spangler <rspangler@chromium.org> | 2011-03-18 12:44:27 -0700 |
commit | cabe6b3514f3228b350a7d07d6cc7cb39eecaaf6 (patch) | |
tree | 40c8aeeb07c2d843278726d6e3fa8db3fa2e0216 | |
parent | 17c712672f2c3a6d928c9bffde5b09c8baa1ba24 (diff) | |
download | vboot-cabe6b3514f3228b350a7d07d6cc7cb39eecaaf6.tar.gz |
Use VbSharedData instead of VbNvStorage for fwb_tries and kernkey_vfy
Change-Id: I5ed3509a9d4e578cd2e98f493dab59bc2fbd5827
R=dlaurie@chromium.org
BUG=chrome-os-partner:2748
TEST=manual
crossystem fwb_tries=3
(reboot)
crossystem tried_fwb
(should print 1)
crossystem fwb_tries=0
(reboot)
crossystem tried_fwb
(should print 0)
In dev mode...
Boot a kernel signed with the same key as in the firmware
crossystem kernkey_vfy
(should print sig)
Boot a kernel signed with a different key than the firmware
crossystem kernkey_vfy
(should print hash)
Review URL: http://codereview.chromium.org/6711045
-rw-r--r-- | firmware/include/vboot_nvstorage.h | 7 | ||||
-rw-r--r-- | firmware/lib/vboot_firmware.c | 1 | ||||
-rw-r--r-- | firmware/lib/vboot_kernel.c | 3 | ||||
-rw-r--r-- | firmware/lib/vboot_nvstorage.c | 25 | ||||
-rw-r--r-- | host/lib/crossystem.c | 23 | ||||
-rw-r--r-- | tests/vboot_nvstorage_test.c | 2 |
6 files changed, 16 insertions, 45 deletions
diff --git a/firmware/include/vboot_nvstorage.h b/firmware/include/vboot_nvstorage.h index 350a789e..c2a722f9 100644 --- a/firmware/include/vboot_nvstorage.h +++ b/firmware/include/vboot_nvstorage.h @@ -47,13 +47,6 @@ typedef enum VbNvParam { VBNV_LOCALIZATION_INDEX, /* Field reserved for kernel/user-mode use; 32-bit value. */ VBNV_KERNEL_FIELD, - /* Firmware checked RW slot B before slot A on the current boot because - * VBNV_TRY_B_COUNT was non-zero at that time. 0=no; 1=yes. */ - VBNV_TRIED_FIRMWARE_B, - /* Firmware verified the kernel key block signature using the key stored - * in the firmware. 0=no, just used the key block hash; 1=yes, used the - * key block signature. */ - VBNV_FW_VERIFIED_KERNEL_KEY, /* Verified boot API function which should generate a test error, if * error number (below) is non-zero. */ VBNV_TEST_ERROR_FUNC, diff --git a/firmware/lib/vboot_firmware.c b/firmware/lib/vboot_firmware.c index 6c895e92..4be4cb29 100644 --- a/firmware/lib/vboot_firmware.c +++ b/firmware/lib/vboot_firmware.c @@ -134,7 +134,6 @@ int LoadFirmware(LoadFirmwareParams* params) { VbNvSet(vnc, VBNV_TRY_B_COUNT, try_b_count - 1); shared->flags |= VBSD_FWB_TRIED; } - VbNvSet(vnc, VBNV_TRIED_FIRMWARE_B, try_b_count ? 1 : 0); /* Allocate our internal data */ lfi = (VbLoadFirmwareInternal*)Malloc(sizeof(VbLoadFirmwareInternal)); diff --git a/firmware/lib/vboot_kernel.c b/firmware/lib/vboot_kernel.c index 302a7f66..cfdd9b4c 100644 --- a/firmware/lib/vboot_kernel.c +++ b/firmware/lib/vboot_kernel.c @@ -651,9 +651,6 @@ int LoadKernel(LoadKernelParams* params) { LoadKernelExit: - /* Save whether the good partition's key block was fully verified */ - VbNvSet(vnc, VBNV_FW_VERIFIED_KERNEL_KEY, good_partition_key_block_valid); - /* Store recovery request, if any, then tear down non-volatile storage */ VbNvSet(vnc, VBNV_RECOVERY_REQUEST, LOAD_KERNEL_RECOVERY == retval ? recovery : VBNV_RECOVERY_NOT_REQUESTED); diff --git a/firmware/lib/vboot_nvstorage.c b/firmware/lib/vboot_nvstorage.c index 83f6ef5c..575fcb98 100644 --- a/firmware/lib/vboot_nvstorage.c +++ b/firmware/lib/vboot_nvstorage.c @@ -27,8 +27,6 @@ #define LOCALIZATION_OFFSET 3 #define FIRMWARE_FLAGS_OFFSET 5 -#define FIRMWARE_TRIED_FIRMWARE_B 0x80 -#define FIRMWARE_FW_VERIFIED_KERNEL_KEY 0x40 #define FIRMWARE_TEST_ERR_FUNC_MASK 0x38 #define FIRMWARE_TEST_ERR_FUNC_SHIFT 3 #define FIRMWARE_TEST_ERR_NUM_MASK 0x07 @@ -128,15 +126,6 @@ int VbNvGet(VbNvContext* context, VbNvParam param, uint32_t* dest) { | (raw[KERNEL_FIELD_OFFSET + 3] << 24)); return 0; - case VBNV_TRIED_FIRMWARE_B: - *dest = (raw[FIRMWARE_FLAGS_OFFSET] & FIRMWARE_TRIED_FIRMWARE_B ? 1 : 0); - return 0; - - case VBNV_FW_VERIFIED_KERNEL_KEY: - *dest = (raw[FIRMWARE_FLAGS_OFFSET] & FIRMWARE_FW_VERIFIED_KERNEL_KEY ? - 1 : 0); - return 0; - case VBNV_TEST_ERROR_FUNC: *dest = (raw[FIRMWARE_FLAGS_OFFSET] & FIRMWARE_TEST_ERR_FUNC_MASK) >> FIRMWARE_TEST_ERR_FUNC_SHIFT; @@ -213,20 +202,6 @@ int VbNvSet(VbNvContext* context, VbNvParam param, uint32_t value) { raw[KERNEL_FIELD_OFFSET + 3] = (uint8_t)(value >> 24); break; - case VBNV_TRIED_FIRMWARE_B: - if (value) - raw[FIRMWARE_FLAGS_OFFSET] |= FIRMWARE_TRIED_FIRMWARE_B; - else - raw[FIRMWARE_FLAGS_OFFSET] &= ~FIRMWARE_TRIED_FIRMWARE_B; - break; - - case VBNV_FW_VERIFIED_KERNEL_KEY: - if (value) - raw[FIRMWARE_FLAGS_OFFSET] |= FIRMWARE_FW_VERIFIED_KERNEL_KEY; - else - raw[FIRMWARE_FLAGS_OFFSET] &= ~FIRMWARE_FW_VERIFIED_KERNEL_KEY; - break; - case VBNV_TEST_ERROR_FUNC: raw[FIRMWARE_FLAGS_OFFSET] &= ~FIRMWARE_TEST_ERR_FUNC_MASK; raw[FIRMWARE_FLAGS_OFFSET] |= (value << FIRMWARE_TEST_ERR_FUNC_SHIFT) diff --git a/host/lib/crossystem.c b/host/lib/crossystem.c index ca61f74f..e841bad6 100644 --- a/host/lib/crossystem.c +++ b/host/lib/crossystem.c @@ -101,9 +101,12 @@ typedef enum VdatStringField { /* Fields that GetVdatInt() can get */ typedef enum VdatIntField { - VDAT_INT_FLAGS = 0, /* Flags */ - VDAT_INT_FW_VERSION_TPM, /* Current firmware version in TPM */ - VDAT_INT_KERNEL_VERSION_TPM /* Current kernel version in TPM */ + VDAT_INT_FLAGS = 0, /* Flags */ + VDAT_INT_FW_VERSION_TPM, /* Current firmware version in TPM */ + VDAT_INT_KERNEL_VERSION_TPM, /* Current kernel version in TPM */ + VDAT_INT_TRIED_FIRMWARE_B, /* Tried firmware B due to fwb_tries */ + VDAT_INT_KERNEL_KEY_VERIFIED /* Kernel key verified using + * signature, not just hash */ } VdatIntField; @@ -678,6 +681,12 @@ int GetVdatInt(VdatIntField field) { case VDAT_INT_KERNEL_VERSION_TPM: value = (int)sh->kernel_version_tpm; break; + case VDAT_INT_TRIED_FIRMWARE_B: + value = (sh->flags & VBSD_FWB_TRIED ? 1 : 0); + break; + case VDAT_INT_KERNEL_KEY_VERIFIED: + value = (sh->flags & VBSD_KERNEL_KEY_VERIFIED ? 1 : 0); + break; } Free(ab); @@ -719,9 +728,7 @@ int VbGetSystemPropertyInt(const char* name) { return (-1 == ReadFileInt(ACPI_CHSW_PATH) ? -1 : 0x00100000); } /* NV storage values with no defaults for older BIOS. */ - else if (!strcasecmp(name,"tried_fwb")) { - value = VbGetNvStorage(VBNV_TRIED_FIRMWARE_B); - } else if (!strcasecmp(name,"kern_nv")) { + else if (!strcasecmp(name,"kern_nv")) { value = VbGetNvStorage(VBNV_KERNEL_FIELD); } else if (!strcasecmp(name,"nvram_cleared")) { value = VbGetNvStorage(VBNV_KERNEL_SETTINGS_RESET); @@ -758,6 +765,8 @@ int VbGetSystemPropertyInt(const char* name) { value = GetVdatInt(VDAT_INT_FW_VERSION_TPM); } else if (!strcasecmp(name,"tpm_kernver")) { value = GetVdatInt(VDAT_INT_KERNEL_VERSION_TPM); + } else if (!strcasecmp(name,"tried_fwb")) { + value = GetVdatInt(VDAT_INT_TRIED_FIRMWARE_B); } return value; @@ -798,7 +807,7 @@ const char* VbGetSystemPropertyString(const char* name, char* dest, int size) { return NULL; } } else if (!strcasecmp(name,"kernkey_vfy")) { - switch(VbGetNvStorage(VBNV_FW_VERIFIED_KERNEL_KEY)) { + switch(GetVdatInt(VDAT_INT_KERNEL_KEY_VERIFIED)) { case 0: return "hash"; case 1: diff --git a/tests/vboot_nvstorage_test.c b/tests/vboot_nvstorage_test.c index 3d16b9fe..5306a648 100644 --- a/tests/vboot_nvstorage_test.c +++ b/tests/vboot_nvstorage_test.c @@ -29,8 +29,6 @@ static VbNvField nvfields[] = { {VBNV_RECOVERY_REQUEST, 0, 0x42, 0xED, "recovery request"}, {VBNV_LOCALIZATION_INDEX, 0, 0x69, 0xB0, "localization index"}, {VBNV_KERNEL_FIELD, 0, 0x12345678, 0xFEDCBA98, "kernel field"}, - {VBNV_TRIED_FIRMWARE_B, 0, 1, 0, "tried firmware B"}, - {VBNV_FW_VERIFIED_KERNEL_KEY, 0, 1, 0, "firmware verified kernel key"}, {VBNV_TEST_ERROR_FUNC, 0, 1, 7, "verified boot test error func"}, {VBNV_TEST_ERROR_NUM, 0, 3, 6, "verified boot test error number"}, {0, 0, 0, 0, NULL} |