diff options
| author | Randall Spangler <rspangler@chromium.org> | 2016-11-23 12:21:03 -0800 |
|---|---|---|
| committer | ChromeOS Commit Bot <chromeos-commit-bot@chromium.org> | 2017-08-21 16:45:19 +0000 |
| commit | 8e25580609f0e571c839a94fedd51de75caa70ba (patch) | |
| tree | fa7ecd666016f7825cd64fe1ad0d9b8f052aa4ab | |
| parent | 297932c2618e463203ca955eb75d62b88a491c1c (diff) | |
| download | vboot-8e25580609f0e571c839a94fedd51de75caa70ba.tar.gz | |
firmware: Split out kernel UI
This moves the UI loops out of vboot_api_kernel.c into vboot_ui.c, so
that it'll be easier to support different UIs for different form factors.
This change also fixes some FW FAFT items (ex: firmware_CorruptBothFwSigAB)
which is failed by incorrect recovery reason '2'.
BUG=chromium:611535,b:64546699,b:64816192
BRANCH=none
TEST=make runtests; build_packages --board=reef chromeos-firmware; boot reef
Change-Id: I451b15f65aceb427ffdd94b19f44e91ebc10a860
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/414289
Reviewed-by: Patrick Georgi <pgeorgi@chromium.org>
Reviewed-by: Shelley Chen <shchen@chromium.org>
(cherry picked from commit df4eb2bb7be9d61bfe9bdf6c33f836f358b18cf6)
Reviewed-on: https://chromium-review.googlesource.com/622170
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: Kevin Chiu <Kevin.Chiu@quantatw.com>
Commit-Queue: Kevin Chiu <Kevin.Chiu@quantatw.com>
| -rw-r--r-- | Makefile | 1 | ||||
| -rw-r--r-- | firmware/lib/include/vboot_kernel.h | 14 | ||||
| -rw-r--r-- | firmware/lib/vboot_api_kernel.c | 561 | ||||
| -rw-r--r-- | firmware/lib/vboot_ui.c | 581 |
4 files changed, 610 insertions, 547 deletions
@@ -339,6 +339,7 @@ VBSLK_SRCS = \ firmware/lib/vboot_audio.c \ firmware/lib/vboot_display.c \ firmware/lib/vboot_kernel.c \ + firmware/lib/vboot_ui.c \ firmware/lib/region-kernel.c \ # Code common to both vboot 2.0 (old structs) and 2.1 (new structs) diff --git a/firmware/lib/include/vboot_kernel.h b/firmware/lib/include/vboot_kernel.h index 1c3221cb..f117fa77 100644 --- a/firmware/lib/include/vboot_kernel.h +++ b/firmware/lib/include/vboot_kernel.h @@ -72,4 +72,18 @@ VbError_t VbBootDeveloper(struct vb2_context *ctx, VbCommonParams *cparams); */ VbError_t VbBootRecovery(struct vb2_context *ctx, VbCommonParams *cparams); +/** + * Return the current FWMP flags. Valid only inside VbSelectAndLoadKernel(). + */ +uint32_t vb2_get_fwmp_flags(void); + +/** + * Commit NvStorage. + * + * This may be called by UI functions which need to save settings before they + * sit in an infinite loop waiting for shutdown (this is, by a UI state which + * will never return). + */ +void vb2_nv_commit(struct vb2_context *ctx); + #endif /* VBOOT_REFERENCE_VBOOT_KERNEL_H_ */ diff --git a/firmware/lib/vboot_api_kernel.c b/firmware/lib/vboot_api_kernel.c index 5dad3b86..1e49c46c 100644 --- a/firmware/lib/vboot_api_kernel.c +++ b/firmware/lib/vboot_api_kernel.c @@ -21,9 +21,7 @@ #include "utility.h" #include "vb2_common.h" #include "vboot_api.h" -#include "vboot_audio.h" #include "vboot_common.h" -#include "vboot_display.h" #include "vboot_kernel.h" #include "vboot_nvstorage.h" @@ -59,13 +57,6 @@ static void VbSetRecoveryRequest(struct vb2_context *ctx, vb2_nv_set(ctx, VB2_NV_RECOVERY_REQUEST, recovery_request); } -static void VbSetRecoverySubcode(struct vb2_context *ctx, - uint32_t recovery_request) -{ - VBDEBUG(("VbSetRecoverySubcode(%d)\n", (int)recovery_request)); - vb2_nv_set(ctx, VB2_NV_RECOVERY_SUBCODE, recovery_request); -} - static void VbNvLoad(void) { VbExNvStorageRead(vnc.raw); @@ -79,42 +70,21 @@ static void VbNvCommit(void) VbExNvStorageWrite(vnc.raw); } -static void VbAllowUsbBoot(struct vb2_context *ctx) -{ - VBDEBUG(("%s\n", __func__)); - vb2_nv_set(ctx, VB2_NV_DEV_BOOT_USB, 1); -} - -/** - * Checks GBB flags against VbExIsShutdownRequested() shutdown request to - * determine if a shutdown is required. - * - * Returns true if a shutdown is required and false if no shutdown is required. - */ -static int VbWantShutdown(uint32_t gbb_flags) +void vb2_nv_commit(struct vb2_context *ctx) { - uint32_t shutdown_request = VbExIsShutdownRequested(); - - /* If desired, ignore shutdown request due to lid closure. */ - if (gbb_flags & GBB_FLAG_DISABLE_LID_SHUTDOWN) - shutdown_request &= ~VB_SHUTDOWN_REQUEST_LID_CLOSED; + /* Copy nvdata back to old vboot1 nv context if needed */ + if (ctx->flags & VB2_CONTEXT_NVDATA_CHANGED) { + memcpy(vnc.raw, ctx->nvdata, VB2_NVDATA_SIZE); + vnc.raw_changed = 1; + ctx->flags &= ~VB2_CONTEXT_NVDATA_CHANGED; + } - return !!shutdown_request; + VbNvCommit(); } -static void VbTryLegacy(int allowed) +uint32_t vb2_get_fwmp_flags(void) { - if (!allowed) - VBDEBUG(("VbBootDeveloper() - Legacy boot is disabled\n")); - else if (0 != RollbackKernelLock(0)) - VBDEBUG(("Error locking kernel versions on legacy boot.\n")); - else - VbExLegacy(); /* will not return if successful */ - - /* If legacy boot fails, beep and return to calling UI loop. */ - VbExBeep(120, 400); - VbExSleepMs(120); - VbExBeep(120, 400); + return fwmp.flags; } /** @@ -214,95 +184,6 @@ uint32_t VbTryLoadKernel(struct vb2_context *ctx, VbCommonParams *cparams, return retval; } -uint32_t VbTryUsb(struct vb2_context *ctx, VbCommonParams *cparams) -{ - uint32_t retval = VbTryLoadKernel(ctx, cparams, VB_DISK_FLAG_REMOVABLE); - if (VBERROR_SUCCESS == retval) { - VBDEBUG(("VbBootDeveloper() - booting USB\n")); - } else { - VBDEBUG(("VbBootDeveloper() - no kernel found on USB\n")); - VbExBeep(250, 200); - VbExSleepMs(120); - /* - * Clear recovery requests from failed - * kernel loading, so that powering off - * at this point doesn't put us into - * recovery mode. - */ - VbSetRecoveryRequest(ctx, VBNV_RECOVERY_NOT_REQUESTED); - } - return retval; -} - -#define CONFIRM_KEY_DELAY 20 /* Check confirm screen keys every 20ms */ - -int VbUserConfirms(struct vb2_context *ctx, VbCommonParams *cparams, - uint32_t confirm_flags) -{ - VbSharedDataHeader *shared = - (VbSharedDataHeader *)cparams->shared_data_blob; - uint32_t key; - uint32_t key_flags; - uint32_t button; - int rec_button_was_pressed = 0; - - VBDEBUG(("Entering %s(0x%x)\n", __func__, confirm_flags)); - - /* Await further instructions */ - while (1) { - if (VbWantShutdown(cparams->gbb->flags)) - return -1; - key = VbExKeyboardReadWithFlags(&key_flags); - button = VbExGetSwitches(VB_INIT_FLAG_REC_BUTTON_PRESSED); - switch (key) { - case '\r': - /* If we require a trusted keyboard for confirmation, - * but the keyboard may be faked (for instance, a USB - * device), beep and keep waiting. - */ - if (confirm_flags & VB_CONFIRM_MUST_TRUST_KEYBOARD && - !(key_flags & VB_KEY_FLAG_TRUSTED_KEYBOARD)) { - VbExBeep(120, 400); - break; - } - - VBDEBUG(("%s() - Yes (1)\n", __func__)); - return 1; - break; - case ' ': - VBDEBUG(("%s() - Space (%d)\n", __func__, - confirm_flags & VB_CONFIRM_SPACE_MEANS_NO)); - if (confirm_flags & VB_CONFIRM_SPACE_MEANS_NO) - return 0; - break; - case 0x1b: - VBDEBUG(("%s() - No (0)\n", __func__)); - return 0; - break; - default: - /* If the recovery button is physical, and is pressed, - * this is also a YES, but must wait for release. - */ - if (!(shared->flags & VBSD_BOOT_REC_SWITCH_VIRTUAL)) { - if (button) { - VBDEBUG(("%s() - Rec button pressed\n", - __func__)); - rec_button_was_pressed = 1; - } else if (rec_button_was_pressed) { - VBDEBUG(("%s() - Rec button (1)\n", - __func__)); - return 1; - } - } - VbCheckDisplayKey(ctx, cparams, key); - } - VbExSleepMs(CONFIRM_KEY_DELAY); - } - - /* Not reached, but compiler will complain without it */ - return -1; -} - VbError_t VbBootNormal(struct vb2_context *ctx, VbCommonParams *cparams) { VbSharedDataHeader *shared = @@ -353,409 +234,6 @@ VbError_t VbBootNormal(struct vb2_context *ctx, VbCommonParams *cparams) return rv; } -static const char dev_disable_msg[] = - "Developer mode is disabled on this device by system policy.\n" - "For more information, see http://dev.chromium.org/chromium-os/fwmp\n" - "\n"; - -VbError_t VbBootDeveloper(struct vb2_context *ctx, VbCommonParams *cparams) -{ - GoogleBinaryBlockHeader *gbb = cparams->gbb; - VbSharedDataHeader *shared = - (VbSharedDataHeader *)cparams->shared_data_blob; - - uint32_t disable_dev_boot = 0; - uint32_t use_usb = 0; - uint32_t use_legacy = 0; - uint32_t ctrl_d_pressed = 0; - - VbAudioContext *audio = 0; - - VBDEBUG(("Entering %s()\n", __func__)); - - /* Check if USB booting is allowed */ - uint32_t allow_usb = vb2_nv_get(ctx, VB2_NV_DEV_BOOT_USB); - uint32_t allow_legacy = vb2_nv_get(ctx, VB2_NV_DEV_BOOT_LEGACY); - - /* Check if the default is to boot using disk, usb, or legacy */ - uint32_t default_boot = vb2_nv_get(ctx, VB2_NV_DEV_DEFAULT_BOOT); - - if(default_boot == VBNV_DEV_DEFAULT_BOOT_USB) - use_usb = 1; - if(default_boot == VBNV_DEV_DEFAULT_BOOT_LEGACY) - use_legacy = 1; - - /* Handle GBB flag override */ - if (gbb->flags & GBB_FLAG_FORCE_DEV_BOOT_USB) - allow_usb = 1; - if (gbb->flags & GBB_FLAG_FORCE_DEV_BOOT_LEGACY) - allow_legacy = 1; - if (gbb->flags & GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY) { - use_legacy = 1; - use_usb = 0; - } - - /* Handle FWMP override */ - if (fwmp.flags & FWMP_DEV_ENABLE_USB) - allow_usb = 1; - if (fwmp.flags & FWMP_DEV_ENABLE_LEGACY) - allow_legacy = 1; - if (fwmp.flags & FWMP_DEV_DISABLE_BOOT) { - if (gbb->flags & GBB_FLAG_FORCE_DEV_SWITCH_ON) { - VBDEBUG(("%s() - FWMP_DEV_DISABLE_BOOT rejected by " - "FORCE_DEV_SWITCH_ON\n", - __func__)); - } else { - disable_dev_boot = 1; - } - } - - /* If dev mode is disabled, only allow TONORM */ - while (disable_dev_boot) { - VBDEBUG(("%s() - dev_disable_boot is set.\n", __func__)); - VbDisplayScreen(ctx, cparams, VB_SCREEN_DEVELOPER_TO_NORM, 0); - VbExDisplayDebugInfo(dev_disable_msg); - - /* Ignore space in VbUserConfirms()... */ - switch (VbUserConfirms(ctx, cparams, 0)) { - case 1: - VBDEBUG(("%s() - leaving dev-mode.\n", __func__)); - vb2_nv_set(ctx, VB2_NV_DISABLE_DEV_REQUEST, 1); - VbDisplayScreen(ctx, cparams, - VB_SCREEN_TO_NORM_CONFIRMED, - 0); - VbExSleepMs(5000); - return VBERROR_REBOOT_REQUIRED; - case -1: - VBDEBUG(("%s() - shutdown requested\n", __func__)); - return VBERROR_SHUTDOWN_REQUESTED; - default: - /* Ignore user attempt to cancel */ - VBDEBUG(("%s() - ignore cancel TONORM\n", __func__)); - } - } - - /* Show the dev mode warning screen */ - VbDisplayScreen(ctx, cparams, VB_SCREEN_DEVELOPER_WARNING, 0); - - /* Get audio/delay context */ - audio = VbAudioOpen(cparams); - - /* We'll loop until we finish the delay or are interrupted */ - do { - uint32_t key; - - if (VbWantShutdown(gbb->flags)) { - VBDEBUG(("VbBootDeveloper() - shutdown requested!\n")); - VbAudioClose(audio); - return VBERROR_SHUTDOWN_REQUESTED; - } - - key = VbExKeyboardRead(); - switch (key) { - case 0: - /* nothing pressed */ - break; - case '\r': - /* Only disable virtual dev switch if allowed by GBB */ - if (!(gbb->flags & GBB_FLAG_ENTER_TRIGGERS_TONORM)) - break; - case ' ': - /* See if we should disable virtual dev-mode switch. */ - VBDEBUG(("%s shared->flags=0x%x\n", - __func__, shared->flags)); - if (shared->flags & VBSD_HONOR_VIRT_DEV_SWITCH && - shared->flags & VBSD_BOOT_DEV_SWITCH_ON) { - /* Stop the countdown while we go ask... */ - VbAudioClose(audio); - if (gbb->flags & GBB_FLAG_FORCE_DEV_SWITCH_ON) { - /* - * TONORM won't work (only for - * non-shipping devices). - */ - VBDEBUG(("%s() - TONORM rejected by " - "FORCE_DEV_SWITCH_ON\n", - __func__)); - VbExDisplayDebugInfo( - "WARNING: TONORM prohibited by " - "GBB FORCE_DEV_SWITCH_ON.\n\n"); - VbExBeep(120, 400); - break; - } - VbDisplayScreen(ctx, cparams, - VB_SCREEN_DEVELOPER_TO_NORM, - 0); - /* Ignore space in VbUserConfirms()... */ - switch (VbUserConfirms(ctx, cparams, 0)) { - case 1: - VBDEBUG(("%s() - leaving dev-mode.\n", - __func__)); - vb2_nv_set(ctx, VB2_NV_DISABLE_DEV_REQUEST, - 1); - VbDisplayScreen(ctx, - cparams, - VB_SCREEN_TO_NORM_CONFIRMED, - 0); - VbExSleepMs(5000); - return VBERROR_REBOOT_REQUIRED; - case -1: - VBDEBUG(("%s() - shutdown requested\n", - __func__)); - return VBERROR_SHUTDOWN_REQUESTED; - default: - /* Stay in dev-mode */ - VBDEBUG(("%s() - stay in dev-mode\n", - __func__)); - VbDisplayScreen(ctx, - cparams, - VB_SCREEN_DEVELOPER_WARNING, - 0); - /* Start new countdown */ - audio = VbAudioOpen(cparams); - } - } else { - /* - * No virtual dev-mode switch, so go directly - * to recovery mode. - */ - VBDEBUG(("%s() - going to recovery\n", - __func__)); - VbSetRecoveryRequest(ctx, - VBNV_RECOVERY_RW_DEV_SCREEN); - VbAudioClose(audio); - return VBERROR_LOAD_KERNEL_RECOVERY; - } - break; - case 0x04: - /* Ctrl+D = dismiss warning; advance to timeout */ - VBDEBUG(("VbBootDeveloper() - " - "user pressed Ctrl+D; skip delay\n")); - ctrl_d_pressed = 1; - goto fallout; - break; - case 0x0c: - VBDEBUG(("VbBootDeveloper() - " - "user pressed Ctrl+L; Try legacy boot\n")); - VbTryLegacy(allow_legacy); - break; - - case VB_KEY_CTRL_ENTER: - /* - * The Ctrl-Enter is special for Lumpy test purpose; - * fall through to Ctrl+U handler. - */ - case 0x15: - /* Ctrl+U = try USB boot, or beep if failure */ - VBDEBUG(("VbBootDeveloper() - " - "user pressed Ctrl+U; try USB\n")); - if (!allow_usb) { - VBDEBUG(("VbBootDeveloper() - " - "USB booting is disabled\n")); - VbExDisplayDebugInfo( - "WARNING: Booting from external media " - "(USB/SD) has not been enabled. Refer " - "to the developer-mode documentation " - "for details.\n"); - VbExBeep(120, 400); - VbExSleepMs(120); - VbExBeep(120, 400); - } else { - /* - * Clear the screen to show we get the Ctrl+U - * key press. - */ - VbDisplayScreen(ctx, cparams, VB_SCREEN_BLANK, - 0); - if (VBERROR_SUCCESS == - VbTryUsb(ctx, cparams)) { - VbAudioClose(audio); - return VBERROR_SUCCESS; - } else { - /* Show dev mode warning screen again */ - VbDisplayScreen(ctx, - cparams, - VB_SCREEN_DEVELOPER_WARNING, - 0); - } - } - break; - default: - VBDEBUG(("VbBootDeveloper() - pressed key %d\n", key)); - VbCheckDisplayKey(ctx, cparams, key); - break; - } - } while(VbAudioLooping(audio)); - - fallout: - - /* If defaulting to legacy boot, try that unless Ctrl+D was pressed */ - if (use_legacy && !ctrl_d_pressed) { - VBDEBUG(("VbBootDeveloper() - defaulting to legacy\n")); - VbTryLegacy(allow_legacy); - } - - if ((use_usb && !ctrl_d_pressed) && allow_usb) { - if (VBERROR_SUCCESS == VbTryUsb(ctx, cparams)) { - VbAudioClose(audio); - return VBERROR_SUCCESS; - } - } - - /* Timeout or Ctrl+D; attempt loading from fixed disk */ - VBDEBUG(("VbBootDeveloper() - trying fixed disk\n")); - VbAudioClose(audio); - return VbTryLoadKernel(ctx, cparams, VB_DISK_FLAG_FIXED); -} - -/* Delay in recovery mode */ -#define REC_DISK_DELAY 1000 /* Check disks every 1s */ -#define REC_KEY_DELAY 20 /* Check keys every 20ms */ -#define REC_MEDIA_INIT_DELAY 500 /* Check removable media every 500ms */ - -VbError_t VbBootRecovery(struct vb2_context *ctx, VbCommonParams *cparams) -{ - VbSharedDataHeader *shared = - (VbSharedDataHeader *)cparams->shared_data_blob; - uint32_t retval; - uint32_t key; - int i; - - VBDEBUG(("VbBootRecovery() start\n")); - - /* - * If the dev-mode switch is off and the user didn't press the recovery - * button (recovery was triggerred automatically), show 'broken' screen. - * The user can either only shutdown to abort or hit esc+refresh+power - * to initiate recovery as instructed on the screen. - */ - if (!(shared->flags & VBSD_BOOT_DEV_SWITCH_ON) && - !(shared->flags & VBSD_BOOT_REC_SWITCH_ON)) { - /* - * We have to save the reason here so that it will survive - * coming up three-finger-salute. We're saving it in - * VBNV_RECOVERY_SUBCODE to avoid a recovery loop. - * If we save the reason in VBNV_RECOVERY_REQUEST, we will come - * back here, thus, we won't be able to give a user a chance to - * reboot to workaround boot hicups. - */ - VBDEBUG(("VbBootRecovery() saving recovery reason (%#x)\n", - shared->recovery_reason)); - VbSetRecoverySubcode(ctx, shared->recovery_reason); - VbNvCommit(); - VbDisplayScreen(ctx, cparams, VB_SCREEN_OS_BROKEN, 0); - VBDEBUG(("VbBootRecovery() waiting for manual recovery\n")); - while (1) { - VbCheckDisplayKey(ctx, cparams, VbExKeyboardRead()); - if (VbWantShutdown(cparams->gbb->flags)) - return VBERROR_SHUTDOWN_REQUESTED; - VbExSleepMs(REC_KEY_DELAY); - } - } - - /* Loop and wait for a recovery image */ - VBDEBUG(("VbBootRecovery() waiting for a recovery image\n")); - while (1) { - VBDEBUG(("VbBootRecovery() attempting to load kernel2\n")); - retval = VbTryLoadKernel(ctx, cparams, VB_DISK_FLAG_REMOVABLE); - - /* - * Clear recovery requests from failed kernel loading, since - * we're already in recovery mode. Do this now, so that - * powering off after inserting an invalid disk doesn't leave - * us stuck in recovery mode. - */ - VbSetRecoveryRequest(ctx, VBNV_RECOVERY_NOT_REQUESTED); - - if (VBERROR_SUCCESS == retval) - break; /* Found a recovery kernel */ - - VbDisplayScreen(ctx, cparams, VBERROR_NO_DISK_FOUND == retval ? - VB_SCREEN_RECOVERY_INSERT : - VB_SCREEN_RECOVERY_NO_GOOD, - 0); - - /* - * Scan keyboard more frequently than media, since x86 - * platforms don't like to scan USB too rapidly. - */ - for (i = 0; i < REC_DISK_DELAY; i += REC_KEY_DELAY) { - key = VbExKeyboardRead(); - /* - * We might want to enter dev-mode from the Insert - * screen if all of the following are true: - * - user pressed Ctrl-D - * - we can honor the virtual dev switch - * - not already in dev mode - * - user forced recovery mode - * - EC isn't pwned - */ - if (key == 0x04 && - shared->flags & VBSD_HONOR_VIRT_DEV_SWITCH && - !(shared->flags & VBSD_BOOT_DEV_SWITCH_ON) && - (shared->flags & VBSD_BOOT_REC_SWITCH_ON) && - VbExTrustEC(0)) { - if (!(shared->flags & - VBSD_BOOT_REC_SWITCH_VIRTUAL) && - VbExGetSwitches( - VB_INIT_FLAG_REC_BUTTON_PRESSED)) { - /* - * Is the recovery button stuck? In - * any case we don't like this. Beep - * and ignore. - */ - VBDEBUG(("%s() - ^D but rec switch " - "is pressed\n", __func__)); - VbExBeep(120, 400); - continue; - } - - /* Ask the user to confirm entering dev-mode */ - VbDisplayScreen(ctx, cparams, - VB_SCREEN_RECOVERY_TO_DEV, - 0); - /* SPACE means no... */ - uint32_t vbc_flags = - VB_CONFIRM_SPACE_MEANS_NO | - VB_CONFIRM_MUST_TRUST_KEYBOARD; - switch (VbUserConfirms(ctx, cparams, - vbc_flags)) { - case 1: - VBDEBUG(("%s() Enabling dev-mode...\n", - __func__)); - if (TPM_SUCCESS != SetVirtualDevMode(1)) - return VBERROR_TPM_SET_BOOT_MODE_STATE; - VBDEBUG(("%s() Reboot so it will take " - "effect\n", __func__)); - if (VbExGetSwitches - (VB_INIT_FLAG_ALLOW_USB_BOOT)) - VbAllowUsbBoot(ctx); - return VBERROR_REBOOT_REQUIRED; - case -1: - VBDEBUG(("%s() - Shutdown requested\n", - __func__)); - return VBERROR_SHUTDOWN_REQUESTED; - default: /* zero, actually */ - VBDEBUG(("%s() - Not enabling " - "dev-mode\n", __func__)); - /* - * Jump out of the outer loop to - * refresh the display quickly. - */ - i = 4; - break; - } - } else { - VbCheckDisplayKey(ctx, cparams, key); - } - if (VbWantShutdown(cparams->gbb->flags)) - return VBERROR_SHUTDOWN_REQUESTED; - VbExSleepMs(REC_KEY_DELAY); - } - } - - return VBERROR_SUCCESS; -} - /* This function is also used by tests */ void VbApiKernelFree(VbCommonParams *cparams) { @@ -907,8 +385,7 @@ static VbError_t vb2_kernel_phase4(VbCommonParams *cparams, return VBERROR_SUCCESS; } -static void vb2_kernel_cleanup(VbCommonParams *cparams, - VbSelectAndLoadKernelParams *kparams) +static void vb2_kernel_cleanup(struct vb2_context *ctx, VbCommonParams *cparams) { VbSharedDataHeader *shared = (VbSharedDataHeader *)cparams->shared_data_blob; @@ -918,18 +395,12 @@ static void vb2_kernel_cleanup(VbCommonParams *cparams, * * TODO: This should propagate up to higher levels */ + /* Free buffers */ free(unaligned_workbuf); - /* Copy nvdata back to old vboot1 nv context if needed */ - if (ctx.flags & VB2_CONTEXT_NVDATA_CHANGED) { - memcpy(vnc.raw, ctx.nvdata, VB2_NVDATA_SIZE); - vnc.raw_changed = 1; - ctx.flags &= ~VB2_CONTEXT_NVDATA_CHANGED; - } - VbApiKernelFree(cparams); - VbNvCommit(); + vb2_nv_commit(ctx); /* Stop timer */ shared->timer_vb_select_and_load_kernel_exit = VbExGetTimer(); @@ -958,14 +429,10 @@ VbError_t VbSelectAndLoadKernel(VbCommonParams *cparams, /* Recovery boot. This has UI. */ retval = VbBootRecovery(&ctx, cparams); VbExEcEnteringMode(0, VB_EC_RECOVERY); - VbDisplayScreen(&ctx, cparams, VB_SCREEN_BLANK, 0); - } else if (shared->flags & VBSD_BOOT_DEV_SWITCH_ON) { /* Developer boot. This has UI. */ retval = VbBootDeveloper(&ctx, cparams); VbExEcEnteringMode(0, VB_EC_DEVELOPER); - VbDisplayScreen(&ctx, cparams, VB_SCREEN_BLANK, 0); - } else { /* Normal boot */ retval = VbBootNormal(&ctx, cparams); @@ -977,7 +444,7 @@ VbError_t VbSelectAndLoadKernel(VbCommonParams *cparams, if (VBERROR_SUCCESS == retval) retval = vb2_kernel_phase4(cparams, kparams); - vb2_kernel_cleanup(cparams, kparams); + vb2_kernel_cleanup(&ctx, cparams); /* Pass through return value from boot path */ VB2_DEBUG("%s returning %d\n", __func__, (int)retval); diff --git a/firmware/lib/vboot_ui.c b/firmware/lib/vboot_ui.c new file mode 100644 index 00000000..8f9ada49 --- /dev/null +++ b/firmware/lib/vboot_ui.c @@ -0,0 +1,581 @@ +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + * + * High-level firmware wrapper API - user interface for RW firmware + */ + +#include "sysincludes.h" + +#include "2sysincludes.h" +#include "2common.h" +#include "2misc.h" +#include "2nvstorage.h" +#include "2rsa.h" +#include "ec_sync.h" +#include "gbb_access.h" +#include "gbb_header.h" +#include "load_kernel_fw.h" +#include "region.h" +#include "rollback_index.h" +#include "utility.h" +#include "vb2_common.h" +#include "vboot_api.h" +#include "vboot_audio.h" +#include "vboot_common.h" +#include "vboot_display.h" +#include "vboot_kernel.h" +#include "vboot_nvstorage.h" + +static void VbAllowUsbBoot(struct vb2_context *ctx) +{ + VBDEBUG(("%s\n", __func__)); + vb2_nv_set(ctx, VB2_NV_DEV_BOOT_USB, 1); +} + +/** + * Checks GBB flags against VbExIsShutdownRequested() shutdown request to + * determine if a shutdown is required. + * + * Returns true if a shutdown is required and false if no shutdown is required. + */ +static int VbWantShutdown(uint32_t gbb_flags) +{ + uint32_t shutdown_request = VbExIsShutdownRequested(); + + /* If desired, ignore shutdown request due to lid closure. */ + if (gbb_flags & GBB_FLAG_DISABLE_LID_SHUTDOWN) + shutdown_request &= ~VB_SHUTDOWN_REQUEST_LID_CLOSED; + + return !!shutdown_request; +} + +static void VbTryLegacy(int allowed) +{ + if (!allowed) + VBDEBUG(("VbBootDeveloper() - Legacy boot is disabled\n")); + else if (0 != RollbackKernelLock(0)) + VBDEBUG(("Error locking kernel versions on legacy boot.\n")); + else + VbExLegacy(); /* will not return if successful */ + + /* If legacy boot fails, beep and return to calling UI loop. */ + VbExBeep(120, 400); + VbExSleepMs(120); + VbExBeep(120, 400); +} + +uint32_t VbTryUsb(struct vb2_context *ctx, VbCommonParams *cparams) +{ + uint32_t retval = VbTryLoadKernel(ctx, cparams, VB_DISK_FLAG_REMOVABLE); + if (VBERROR_SUCCESS == retval) { + VBDEBUG(("VbBootDeveloper() - booting USB\n")); + } else { + VBDEBUG(("VbBootDeveloper() - no kernel found on USB\n")); + VbExBeep(250, 200); + VbExSleepMs(120); + /* + * Clear recovery requests from failed + * kernel loading, so that powering off + * at this point doesn't put us into + * recovery mode. + */ + vb2_nv_set(ctx, VB2_NV_RECOVERY_REQUEST, + VBNV_RECOVERY_NOT_REQUESTED); + } + return retval; +} + +#define CONFIRM_KEY_DELAY 20 /* Check confirm screen keys every 20ms */ + +int VbUserConfirms(struct vb2_context *ctx, VbCommonParams *cparams, + uint32_t confirm_flags) +{ + VbSharedDataHeader *shared = + (VbSharedDataHeader *)cparams->shared_data_blob; + uint32_t key; + uint32_t key_flags; + uint32_t button; + int rec_button_was_pressed = 0; + + VBDEBUG(("Entering %s(0x%x)\n", __func__, confirm_flags)); + + /* Await further instructions */ + while (1) { + if (VbWantShutdown(cparams->gbb->flags)) + return -1; + key = VbExKeyboardReadWithFlags(&key_flags); + button = VbExGetSwitches(VB_INIT_FLAG_REC_BUTTON_PRESSED); + switch (key) { + case '\r': + /* If we require a trusted keyboard for confirmation, + * but the keyboard may be faked (for instance, a USB + * device), beep and keep waiting. + */ + if (confirm_flags & VB_CONFIRM_MUST_TRUST_KEYBOARD && + !(key_flags & VB_KEY_FLAG_TRUSTED_KEYBOARD)) { + VbExBeep(120, 400); + break; + } + + VBDEBUG(("%s() - Yes (1)\n", __func__)); + return 1; + break; + case ' ': + VBDEBUG(("%s() - Space (%d)\n", __func__, + confirm_flags & VB_CONFIRM_SPACE_MEANS_NO)); + if (confirm_flags & VB_CONFIRM_SPACE_MEANS_NO) + return 0; + break; + case 0x1b: + VBDEBUG(("%s() - No (0)\n", __func__)); + return 0; + break; + default: + /* If the recovery button is physical, and is pressed, + * this is also a YES, but must wait for release. + */ + if (!(shared->flags & VBSD_BOOT_REC_SWITCH_VIRTUAL)) { + if (button) { + VBDEBUG(("%s() - Rec button pressed\n", + __func__)); + rec_button_was_pressed = 1; + } else if (rec_button_was_pressed) { + VBDEBUG(("%s() - Rec button (1)\n", + __func__)); + return 1; + } + } + VbCheckDisplayKey(ctx, cparams, key); + } + VbExSleepMs(CONFIRM_KEY_DELAY); + } + + /* Not reached, but compiler will complain without it */ + return -1; +} + +static const char dev_disable_msg[] = + "Developer mode is disabled on this device by system policy.\n" + "For more information, see http://dev.chromium.org/chromium-os/fwmp\n" + "\n"; + +VbError_t vb2_developer_ui(struct vb2_context *ctx, VbCommonParams *cparams) +{ + GoogleBinaryBlockHeader *gbb = cparams->gbb; + VbSharedDataHeader *shared = + (VbSharedDataHeader *)cparams->shared_data_blob; + + uint32_t disable_dev_boot = 0; + uint32_t use_usb = 0; + uint32_t use_legacy = 0; + uint32_t ctrl_d_pressed = 0; + + VbAudioContext *audio = 0; + + VBDEBUG(("Entering %s()\n", __func__)); + + /* Check if USB booting is allowed */ + uint32_t allow_usb = vb2_nv_get(ctx, VB2_NV_DEV_BOOT_USB); + uint32_t allow_legacy = vb2_nv_get(ctx, VB2_NV_DEV_BOOT_LEGACY); + + /* Check if the default is to boot using disk, usb, or legacy */ + uint32_t default_boot = vb2_nv_get(ctx, VB2_NV_DEV_DEFAULT_BOOT); + + if(default_boot == VBNV_DEV_DEFAULT_BOOT_USB) + use_usb = 1; + if(default_boot == VBNV_DEV_DEFAULT_BOOT_LEGACY) + use_legacy = 1; + + /* Handle GBB flag override */ + if (gbb->flags & GBB_FLAG_FORCE_DEV_BOOT_USB) + allow_usb = 1; + if (gbb->flags & GBB_FLAG_FORCE_DEV_BOOT_LEGACY) + allow_legacy = 1; + if (gbb->flags & GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY) { + use_legacy = 1; + use_usb = 0; + } + + /* Handle FWMP override */ + uint32_t fwmp_flags = vb2_get_fwmp_flags(); + if (fwmp_flags & FWMP_DEV_ENABLE_USB) + allow_usb = 1; + if (fwmp_flags & FWMP_DEV_ENABLE_LEGACY) + allow_legacy = 1; + if (fwmp_flags & FWMP_DEV_DISABLE_BOOT) { + if (gbb->flags & GBB_FLAG_FORCE_DEV_SWITCH_ON) { + VBDEBUG(("%s() - FWMP_DEV_DISABLE_BOOT rejected by " + "FORCE_DEV_SWITCH_ON\n", + __func__)); + } else { + disable_dev_boot = 1; + } + } + + /* If dev mode is disabled, only allow TONORM */ + while (disable_dev_boot) { + VBDEBUG(("%s() - dev_disable_boot is set.\n", __func__)); + VbDisplayScreen(ctx, cparams, VB_SCREEN_DEVELOPER_TO_NORM, 0); + VbExDisplayDebugInfo(dev_disable_msg); + + /* Ignore space in VbUserConfirms()... */ + switch (VbUserConfirms(ctx, cparams, 0)) { + case 1: + VBDEBUG(("%s() - leaving dev-mode.\n", __func__)); + vb2_nv_set(ctx, VB2_NV_DISABLE_DEV_REQUEST, 1); + VbDisplayScreen(ctx, cparams, + VB_SCREEN_TO_NORM_CONFIRMED, + 0); + VbExSleepMs(5000); + return VBERROR_REBOOT_REQUIRED; + case -1: + VBDEBUG(("%s() - shutdown requested\n", __func__)); + return VBERROR_SHUTDOWN_REQUESTED; + default: + /* Ignore user attempt to cancel */ + VBDEBUG(("%s() - ignore cancel TONORM\n", __func__)); + } + } + + /* Show the dev mode warning screen */ + VbDisplayScreen(ctx, cparams, VB_SCREEN_DEVELOPER_WARNING, 0); + + /* Get audio/delay context */ + audio = VbAudioOpen(cparams); + + /* We'll loop until we finish the delay or are interrupted */ + do { + uint32_t key; + + if (VbWantShutdown(gbb->flags)) { + VBDEBUG(("VbBootDeveloper() - shutdown requested!\n")); + VbAudioClose(audio); + return VBERROR_SHUTDOWN_REQUESTED; + } + + key = VbExKeyboardRead(); + switch (key) { + case 0: + /* nothing pressed */ + break; + case '\r': + /* Only disable virtual dev switch if allowed by GBB */ + if (!(gbb->flags & GBB_FLAG_ENTER_TRIGGERS_TONORM)) + break; + case ' ': + /* See if we should disable virtual dev-mode switch. */ + VBDEBUG(("%s shared->flags=0x%x\n", + __func__, shared->flags)); + if (shared->flags & VBSD_HONOR_VIRT_DEV_SWITCH && + shared->flags & VBSD_BOOT_DEV_SWITCH_ON) { + /* Stop the countdown while we go ask... */ + VbAudioClose(audio); + if (gbb->flags & GBB_FLAG_FORCE_DEV_SWITCH_ON) { + /* + * TONORM won't work (only for + * non-shipping devices). + */ + VBDEBUG(("%s() - TONORM rejected by " + "FORCE_DEV_SWITCH_ON\n", + __func__)); + VbExDisplayDebugInfo( + "WARNING: TONORM prohibited by " + "GBB FORCE_DEV_SWITCH_ON.\n\n"); + VbExBeep(120, 400); + break; + } + VbDisplayScreen(ctx, cparams, + VB_SCREEN_DEVELOPER_TO_NORM, + 0); + /* Ignore space in VbUserConfirms()... */ + switch (VbUserConfirms(ctx, cparams, 0)) { + case 1: + VBDEBUG(("%s() - leaving dev-mode.\n", + __func__)); + vb2_nv_set(ctx, VB2_NV_DISABLE_DEV_REQUEST, + 1); + VbDisplayScreen(ctx, + cparams, + VB_SCREEN_TO_NORM_CONFIRMED, + 0); + VbExSleepMs(5000); + return VBERROR_REBOOT_REQUIRED; + case -1: + VBDEBUG(("%s() - shutdown requested\n", + __func__)); + return VBERROR_SHUTDOWN_REQUESTED; + default: + /* Stay in dev-mode */ + VBDEBUG(("%s() - stay in dev-mode\n", + __func__)); + VbDisplayScreen(ctx, + cparams, + VB_SCREEN_DEVELOPER_WARNING, + 0); + /* Start new countdown */ + audio = VbAudioOpen(cparams); + } + } else { + /* + * No virtual dev-mode switch, so go directly + * to recovery mode. + */ + VBDEBUG(("%s() - going to recovery\n", + __func__)); + vb2_nv_set(ctx, VB2_NV_RECOVERY_REQUEST, + VBNV_RECOVERY_RW_DEV_SCREEN); + VbAudioClose(audio); + return VBERROR_LOAD_KERNEL_RECOVERY; + } + break; + case 0x04: + /* Ctrl+D = dismiss warning; advance to timeout */ + VBDEBUG(("VbBootDeveloper() - " + "user pressed Ctrl+D; skip delay\n")); + ctrl_d_pressed = 1; + goto fallout; + break; + case 0x0c: + VBDEBUG(("VbBootDeveloper() - " + "user pressed Ctrl+L; Try legacy boot\n")); + VbTryLegacy(allow_legacy); + break; + + case VB_KEY_CTRL_ENTER: + /* + * The Ctrl-Enter is special for Lumpy test purpose; + * fall through to Ctrl+U handler. + */ + case 0x15: + /* Ctrl+U = try USB boot, or beep if failure */ + VBDEBUG(("VbBootDeveloper() - " + "user pressed Ctrl+U; try USB\n")); + if (!allow_usb) { + VBDEBUG(("VbBootDeveloper() - " + "USB booting is disabled\n")); + VbExDisplayDebugInfo( + "WARNING: Booting from external media " + "(USB/SD) has not been enabled. Refer " + "to the developer-mode documentation " + "for details.\n"); + VbExBeep(120, 400); + VbExSleepMs(120); + VbExBeep(120, 400); + } else { + /* + * Clear the screen to show we get the Ctrl+U + * key press. + */ + VbDisplayScreen(ctx, cparams, VB_SCREEN_BLANK, + 0); + if (VBERROR_SUCCESS == + VbTryUsb(ctx, cparams)) { + VbAudioClose(audio); + return VBERROR_SUCCESS; + } else { + /* Show dev mode warning screen again */ + VbDisplayScreen(ctx, + cparams, + VB_SCREEN_DEVELOPER_WARNING, + 0); + } + } + break; + default: + VBDEBUG(("VbBootDeveloper() - pressed key %d\n", key)); + VbCheckDisplayKey(ctx, cparams, key); + break; + } + } while(VbAudioLooping(audio)); + + fallout: + + /* If defaulting to legacy boot, try that unless Ctrl+D was pressed */ + if (use_legacy && !ctrl_d_pressed) { + VBDEBUG(("VbBootDeveloper() - defaulting to legacy\n")); + VbTryLegacy(allow_legacy); + } + + if ((use_usb && !ctrl_d_pressed) && allow_usb) { + if (VBERROR_SUCCESS == VbTryUsb(ctx, cparams)) { + VbAudioClose(audio); + return VBERROR_SUCCESS; + } + } + + /* Timeout or Ctrl+D; attempt loading from fixed disk */ + VBDEBUG(("VbBootDeveloper() - trying fixed disk\n")); + VbAudioClose(audio); + return VbTryLoadKernel(ctx, cparams, VB_DISK_FLAG_FIXED); +} + +VbError_t VbBootDeveloper(struct vb2_context *ctx, VbCommonParams *cparams) +{ + VbError_t retval = vb2_developer_ui(ctx, cparams); + VbDisplayScreen(ctx, cparams, VB_SCREEN_BLANK, 0); + return retval; +} + +/* Delay in recovery mode */ +#define REC_DISK_DELAY 1000 /* Check disks every 1s */ +#define REC_KEY_DELAY 20 /* Check keys every 20ms */ +#define REC_MEDIA_INIT_DELAY 500 /* Check removable media every 500ms */ + +VbError_t vb2_recovery_ui(struct vb2_context *ctx, VbCommonParams *cparams) +{ + VbSharedDataHeader *shared = + (VbSharedDataHeader *)cparams->shared_data_blob; + uint32_t retval; + uint32_t key; + int i; + + VBDEBUG(("VbBootRecovery() start\n")); + + /* + * If the dev-mode switch is off and the user didn't press the recovery + * button (recovery was triggerred automatically), show 'broken' screen. + * The user can either only shutdown to abort or hit esc+refresh+power + * to initiate recovery as instructed on the screen. + */ + if (!(shared->flags & VBSD_BOOT_DEV_SWITCH_ON) && + !(shared->flags & VBSD_BOOT_REC_SWITCH_ON)) { + /* + * We have to save the reason here so that it will survive + * coming up three-finger-salute. We're saving it in + * VBNV_RECOVERY_SUBCODE to avoid a recovery loop. + * If we save the reason in VBNV_RECOVERY_REQUEST, we will come + * back here, thus, we won't be able to give a user a chance to + * reboot to workaround boot hicups. + */ + VBDEBUG(("VbBootRecovery() saving recovery reason (%#x)\n", + shared->recovery_reason)); + vb2_nv_set(ctx, VB2_NV_RECOVERY_SUBCODE, + shared->recovery_reason); + /* + * Commit NV now, because it won't get saved if the user forces + * manual recovery via the three-finger salute. + */ + vb2_nv_commit(ctx); + + VbDisplayScreen(ctx, cparams, VB_SCREEN_OS_BROKEN, 0); + VBDEBUG(("VbBootRecovery() waiting for manual recovery\n")); + while (1) { + VbCheckDisplayKey(ctx, cparams, VbExKeyboardRead()); + if (VbWantShutdown(cparams->gbb->flags)) + return VBERROR_SHUTDOWN_REQUESTED; + VbExSleepMs(REC_KEY_DELAY); + } + } + + /* Loop and wait for a recovery image */ + VBDEBUG(("VbBootRecovery() waiting for a recovery image\n")); + while (1) { + VBDEBUG(("VbBootRecovery() attempting to load kernel2\n")); + retval = VbTryLoadKernel(ctx, cparams, VB_DISK_FLAG_REMOVABLE); + + /* + * Clear recovery requests from failed kernel loading, since + * we're already in recovery mode. Do this now, so that + * powering off after inserting an invalid disk doesn't leave + * us stuck in recovery mode. + */ + vb2_nv_set(ctx, VB2_NV_RECOVERY_REQUEST, + VBNV_RECOVERY_NOT_REQUESTED); + + if (VBERROR_SUCCESS == retval) + break; /* Found a recovery kernel */ + + VbDisplayScreen(ctx, cparams, VBERROR_NO_DISK_FOUND == retval ? + VB_SCREEN_RECOVERY_INSERT : + VB_SCREEN_RECOVERY_NO_GOOD, + 0); + + /* + * Scan keyboard more frequently than media, since x86 + * platforms don't like to scan USB too rapidly. + */ + for (i = 0; i < REC_DISK_DELAY; i += REC_KEY_DELAY) { + key = VbExKeyboardRead(); + /* + * We might want to enter dev-mode from the Insert + * screen if all of the following are true: + * - user pressed Ctrl-D + * - we can honor the virtual dev switch + * - not already in dev mode + * - user forced recovery mode + * - EC isn't pwned + */ + if (key == 0x04 && + shared->flags & VBSD_HONOR_VIRT_DEV_SWITCH && + !(shared->flags & VBSD_BOOT_DEV_SWITCH_ON) && + (shared->flags & VBSD_BOOT_REC_SWITCH_ON) && + VbExTrustEC(0)) { + if (!(shared->flags & + VBSD_BOOT_REC_SWITCH_VIRTUAL) && + VbExGetSwitches( + VB_INIT_FLAG_REC_BUTTON_PRESSED)) { + /* + * Is the recovery button stuck? In + * any case we don't like this. Beep + * and ignore. + */ + VBDEBUG(("%s() - ^D but rec switch " + "is pressed\n", __func__)); + VbExBeep(120, 400); + continue; + } + + /* Ask the user to confirm entering dev-mode */ + VbDisplayScreen(ctx, cparams, + VB_SCREEN_RECOVERY_TO_DEV, + 0); + /* SPACE means no... */ + uint32_t vbc_flags = + VB_CONFIRM_SPACE_MEANS_NO | + VB_CONFIRM_MUST_TRUST_KEYBOARD; + switch (VbUserConfirms(ctx, cparams, + vbc_flags)) { + case 1: + VBDEBUG(("%s() Enabling dev-mode...\n", + __func__)); + if (TPM_SUCCESS != SetVirtualDevMode(1)) + return VBERROR_TPM_SET_BOOT_MODE_STATE; + VBDEBUG(("%s() Reboot so it will take " + "effect\n", __func__)); + if (VbExGetSwitches + (VB_INIT_FLAG_ALLOW_USB_BOOT)) + VbAllowUsbBoot(ctx); + return VBERROR_REBOOT_REQUIRED; + case -1: + VBDEBUG(("%s() - Shutdown requested\n", + __func__)); + return VBERROR_SHUTDOWN_REQUESTED; + default: /* zero, actually */ + VBDEBUG(("%s() - Not enabling " + "dev-mode\n", __func__)); + /* + * Jump out of the outer loop to + * refresh the display quickly. + */ + i = 4; + break; + } + } else { + VbCheckDisplayKey(ctx, cparams, key); + } + if (VbWantShutdown(cparams->gbb->flags)) + return VBERROR_SHUTDOWN_REQUESTED; + VbExSleepMs(REC_KEY_DELAY); + } + } + + return VBERROR_SUCCESS; +} + +VbError_t VbBootRecovery(struct vb2_context *ctx, VbCommonParams *cparams) +{ + VbError_t retval = vb2_recovery_ui(ctx, cparams); + VbDisplayScreen(ctx, cparams, VB_SCREEN_BLANK, 0); + return retval; +} |