authorHung-Te Lin <hungte@chromium.org>2018-09-22 10:59:01 +0800
committerchrome-bot <chrome-bot@chromium.org>2018-09-27 19:43:56 -0700
commitcff44e7bdad016c35029af4cc25fffef361f598d (patch)
tree4cf0b274adad62f0058a0f9315229d5bf3f16523
parent89a517730f0207dbef9b3ff219d360904dca456e (diff)
downloadvboot-cff44e7bdad016c35029af4cc25fffef361f598d.tar.gz
futility: update: Allow tpm_fwver=0 and allow --force to waive TPM check
Per b/116298359#comment3, we know that tpm_fwver may be zero if the firmware slot has just been created and has had no successful boots since last boot. This is very common for factory and recovery, so we should consider 0 as "success". It is still possible that, in early or proto builds, the device has a changed vboot data structure, so the updater calling the vboot library cannot get tpm_fwver properly. Also, for people who want to re-key their devices with DEV firmware, we should allow waiving all TPM checks with --force. Also, in order to test that correctly, override_properties_from_list should accept negative values to simulate failure in getting tpm_fwver from VbGetSystemPropertyInt. BRANCH=None BUG=b:116298359 TEST=make futil; tests/futility/run_test_scripts.sh $(pwd)/build/futility Change-Id: I09c91af36ceec340e393fb68999bea8d1907267d Signed-off-by: Hung-Te Lin <hungte@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1239814 Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com> Reviewed-by: Joel Kitching <kitching@chromium.org> Reviewed-by: Randall Spangler <rspangler@chromium.org>
-rw-r--r--futility/cmd_update.c41
-rwxr-xr-xtests/futility/test_update.sh10
2 files changed, 35 insertions, 16 deletions
diff --git a/futility/cmd_update.c b/futility/cmd_update.c
index c8553b70..ed9ee835 100644
--- a/futility/cmd_update.c
+++ b/futility/cmd_update.c
@@ -486,7 +486,7 @@ static void override_properties_from_list(const char *override_list,
i++;
wait_comma = 0;
}
- if (!isascii(c) || !isdigit(c))
+ if (!isascii(c) || !(isdigit(c) || c == '-'))
continue;
if (i >= SYS_PROP_MAX) {
ERROR("Too many fields (max is %d): %s.",
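Review bot: The widened filter on the `isdigit` line now accepts `-` at any position in a field, and nothing in the hunk says why or limits where the sign may appear. Add a comment above the test, for example `/* Also accept '-' so tests can pass negative values (simulated lookup failure). */`. The conversion of the field to a number happens outside this hunk, so it cannot be confirmed from here whether a lone `-`, or a `-` in the middle of a token, is rejected. If it is not, requiring a digit right after the sign would keep a malformed override from being silently accepted. override_properties_from_list starts and ends outside the hunk.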
@@ -1417,27 +1417,23 @@ static int legacy_needs_update(struct updater_config *cfg)
* blocked by TPM's anti-rollback detection.
* Returns 0 for success, otherwise failure.
*/
-static int check_compatible_tpm_keys(struct updater_config *cfg,
- const struct firmware_image *rw_image)
+static int do_check_compatible_tpm_keys(struct updater_config *cfg,
+ const struct firmware_image *rw_image)
{
unsigned int data_key_version = 0, firmware_version = 0,
- tpm_data_key_version = 0, tpm_firmware_version = 0,
- tpm_fwver = 0;
+ tpm_data_key_version = 0, tpm_firmware_version = 0;
+ int tpm_fwver = 0;
/* Fail if the given image does not look good. */
if (get_key_versions(rw_image, FMAP_RW_VBLOCK_A, &data_key_version,
&firmware_version) != 0)
return -1;
+ /* The stored tpm_fwver can be 0 (b/116298359#comment3). */
tpm_fwver = get_system_property(SYS_PROP_TPM_FWVER, cfg);
- if (tpm_fwver <= 0) {
- ERROR("Invalid tpm_fwver: %#x (skipped checking).", tpm_fwver);
- /*
- * This is an error, but it may be common for early proto
- * devices so we don't want to fail here. Just skip checking TPM
- * if system tpm_fwver can't be fetched.
- */
- return 0;
+ if (tpm_fwver < 0) {
+ ERROR("Invalid tpm_fwver: %d.", tpm_fwver);
+ return -1;
}
tpm_data_key_version = tpm_fwver >> 16;
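Review bot: With `tpm_fwver == 0` now treated as a valid reading, the TPM versions derived from it are 0, so the anti-rollback comparison that follows (outside this hunk) presumably accepts any image, with nothing in the output to show it. The one-line comment only says the value can be 0; it should state the consequence, e.g. `/* tpm_fwver may be 0 on a freshly created slot (b/116298359#comment3); the rollback comparison below then accepts any key/firmware version. */`. `tpm_fwver` is also now a signed `int` that is shifted right, which is safe only because the `< 0` guard returns first, so that guard should stay directly above the shift. The function body continues past the end of the hunk.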
@@ -1459,6 +1455,25 @@ static int check_compatible_tpm_keys(struct updater_config *cfg,
}
/*
+ * Wrapper for do_check_compatible_tpm_keys.
+ * Will return 0 if do_check_compatible_tpm_keys success or if cfg.force_update
+ * is set; otherwise non-zero.
+ */
+static int check_compatible_tpm_keys(struct updater_config *cfg,
+ const struct firmware_image *rw_image)
+{
+ int r = do_check_compatible_tpm_keys(cfg, rw_image);
+ if (!r)
+ return r;
+ if (!cfg->force_update) {
+ ERROR("Add --force if you want to waive TPM checks.");
+ return r;
+ }
+ printf("TPM KEYS CHECK IS WAIVED BY --force. YOU ARE ON YOUR OWN.\n");
+ return 0;
+}
+
+/*
* Quirk to enlarge a firmware image to match flash size. This is needed by
* devices using multiple SPI flash with different sizes, for example 8M and
* 16M. The image_to will be padded with 0xFF using the size of image_from.
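Review bot: `--force` waives every non-zero result of `do_check_compatible_tpm_keys`, including the `return -1` taken when `get_key_versions` cannot read the image's key versions, not only a rollback or an unreadable tpm_fwver. A forced update can therefore print "TPM KEYS CHECK IS WAIVED" for an image whose RW vblock did not parse. Consider giving the image-parse failure its own return value in the helper and returning it from the wrapper before the `cfg->force_update` test, so that only TPM-side failures are waivable. The waiver notice is the only record that anti-rollback was bypassed, yet it goes to stdout via `printf` while the refusal path uses `ERROR`; emitting it on the same channel would keep it next to the failure it overrides. The header comment also says `cfg.force_update` where the code uses `cfg->force_update`.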
diff --git a/tests/futility/test_update.sh b/tests/futility/test_update.sh
index 8c5e0d56..c5615f0f 100755
--- a/tests/futility/test_update.sh
+++ b/tests/futility/test_update.sh
@@ -158,14 +158,18 @@ test_update "Full update (TPM Anti-rollback: kernel key)" \
"${FROM_IMAGE}" "!Firmware version rollback detected (5->4)" \
-i "${TO_IMAGE}" --wp=0 --sys_props 1,0x10005,1
-test_update "Full update (Skip TPM check due to invalid tpm_fwver)" \
+test_update "Full update (TPM Anti-rollback: 0 as tpm_fwver)" \
"${FROM_IMAGE}" "${TMP}.expected.full" \
-i "${TO_IMAGE}" --wp=0 --sys_props 0,0x0,1
-test_update "Full update (Skip TPM check due to tpm_fwver error)" \
- "${FROM_IMAGE}" "${TMP}.expected.full" \
+test_update "Full update (TPM check failure due to invalid tpm_fwver)" \
+ "${FROM_IMAGE}" "!Invalid tpm_fwver: -1" \
-i "${TO_IMAGE}" --wp=0 --sys_props 0,-1,1
+test_update "Full update (Skip TPM check with --force)" \
+ "${FROM_IMAGE}" "${TMP}.expected.full" \
+ -i "${TO_IMAGE}" --wp=0 --sys_props 0,-1,1 --force
+
# Test RW-only update.
test_update "RW update" \
"${FROM_IMAGE}" "${TMP}.expected.rw" \
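Review bot: The new `--force` case only exercises the waiver for `--sys_props 0,-1,1`, i.e. the unreadable-tpm_fwver path. Nothing covers `--force` overriding an actual rollback detection such as the `0x10005` case above, nor the "Add --force if you want to waive TPM checks." hint printed when `--force` is absent. Adding a forced variant of one rollback case, plus an expectation on the hint text if `test_update` can match it, would pin the behaviour that matters most for anti-rollback. Whether the forced rollback case should produce `${TMP}.expected.full` depends on code outside this hunk.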