vboot: add magic and version to vb2_shared_data

In order for vb2_shared_data to cross application boundaries,
it needs magic and version fields.

These can be initialized in vb2_init_context, which is called
implicitly via vb2api_fw_phase1 and vb2api_fail.

On re-init, check fields for validity.

BUG=b:124141368, b:124192753
TEST=make clean && make runtests
BRANCH=none

Change-Id: I90005833836f13f60813bdf82f0e4dbb8d9afecd
Reviewed-on: https://chromium-review.googlesource.com/1521406
Commit-Ready: Joel Kitching <kitching@chromium.org>
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>

4 files changed, 70 insertions, 2 deletions

diff --git a/firmware/2lib/2misc.c b/firmware/2lib/2misc.c
index 5d82fc03..95cbae35 100644
--- a/firmware/2lib/2misc.c
+++ b/firmware/2lib/2misc.c
@@ -121,9 +121,18 @@ int vb2_init_context(struct vb2_context *ctx)
 {
 	struct vb2_shared_data *sd = vb2_get_sd(ctx);
 
-	/* Don't do anything if the context has already been initialized */
-	if (ctx->workbuf_used)
+	/* Don't do anything if context and workbuf have already been
+	 * initialized. */
+	if (ctx->workbuf_used) {
+		if (sd->magic != VB2_SHARED_DATA_MAGIC)
+			return VB2_ERROR_SHARED_DATA_MAGIC;
+
+		if (sd->struct_version_major != VB2_SHARED_DATA_VERSION_MAJOR ||
+		    sd->struct_version_minor < VB2_SHARED_DATA_VERSION_MINOR)
+			return VB2_ERROR_SHARED_DATA_VERSION;
+
 		return VB2_SUCCESS;
+	}
 
 	/*
 	 * Workbuf had better be big enough for our shared data struct and
@@ -137,6 +146,9 @@ int vb2_init_context(struct vb2_context *ctx)
 
 	/* Initialize the shared data at the start of the work buffer */
 	memset(sd, 0, sizeof(*sd));
+	sd->magic = VB2_SHARED_DATA_MAGIC;
+	sd->struct_version_major = VB2_SHARED_DATA_VERSION_MAJOR;
+	sd->struct_version_minor = VB2_SHARED_DATA_VERSION_MINOR;
 	ctx->workbuf_used = vb2_wb_round_up(sizeof(*sd));
 	return VB2_SUCCESS;
 }
diff --git a/firmware/2lib/include/2return_codes.h b/firmware/2lib/include/2return_codes.h
index 92e4eb1c..5992806d 100644
--- a/firmware/2lib/include/2return_codes.h
+++ b/firmware/2lib/include/2return_codes.h
@@ -497,6 +497,12 @@ enum vb2_return_code {
 	/* Expected and image hashes are different size in ec_sync_phase1() */
 	VB2_ERROR_EC_HASH_SIZE,
 
+	/* Incompatible version for vb2_shared_data structure being loaded */
+	VB2_ERROR_SHARED_DATA_VERSION,
+
+	/* Bad magic number in vb2_shared_data structure */
+	VB2_ERROR_SHARED_DATA_MAGIC,
+
 	/**********************************************************************
 	 * API-level errors
 	 */
diff --git a/firmware/2lib/include/2struct.h b/firmware/2lib/include/2struct.h
index d3f7f445..a67518c8 100644
--- a/firmware/2lib/include/2struct.h
+++ b/firmware/2lib/include/2struct.h
@@ -69,11 +69,25 @@ enum vb2_shared_data_status {
 	VB2_SD_STATUS_SECDATAK_INIT = (1 << 4),
 };
 
+/* "V2SD" = vb2_shared_data.magic */
+#define VB2_SHARED_DATA_MAGIC 0x44533256
+
+/* Current version of vb2_shared_data struct */
+#define VB2_SHARED_DATA_VERSION_MAJOR 1
+#define VB2_SHARED_DATA_VERSION_MINOR 0
+
 /*
  * Data shared between vboot API calls.  Stored at the start of the work
  * buffer.
  */
 struct vb2_shared_data {
+	/* Magic number for struct (VB2_SHARED_DATA_MAGIC) */
+	uint32_t magic;
+
+	/* Version of this structure */
+	uint16_t struct_version_major;
+	uint16_t struct_version_minor;
+
 	/* Flags; see enum vb2_shared_data_flags */
 	uint32_t flags;
 
diff --git a/tests/vb2_misc_tests.c b/tests/vb2_misc_tests.c
index f17ac1b1..9b331cc1 100644
--- a/tests/vb2_misc_tests.c
+++ b/tests/vb2_misc_tests.c
@@ -88,12 +88,48 @@ static void init_context_tests(void)
 	TEST_SUCC(vb2_init_context(&c), "Init context good");
 	TEST_EQ(c.workbuf_used, vb2_wb_round_up(sizeof(struct vb2_shared_data)),
 		"Init vbsd");
+	TEST_EQ(sd->magic, VB2_SHARED_DATA_MAGIC, "Bad magic");
+	TEST_EQ(sd->struct_version_major, VB2_SHARED_DATA_VERSION_MAJOR,
+		"No major version");
+	TEST_EQ(sd->struct_version_minor, VB2_SHARED_DATA_VERSION_MINOR,
+		"No minor version");
 
 	/* Don't re-init if used is non-zero */
 	c.workbuf_used = 200;
 	TEST_SUCC(vb2_init_context(&c), "Re-init context good");
 	TEST_EQ(c.workbuf_used, 200, "Didn't re-init");
 
+	/* Error if re-init with incorrect magic */
+	sd->magic = 0xdeadbeef;
+	TEST_EQ(vb2_init_context(&c),
+		VB2_ERROR_SHARED_DATA_MAGIC, "Missed bad magic");
+	sd->magic = VB2_SHARED_DATA_MAGIC;
+
+	/* Success if re-init with higher minor version */
+	sd->struct_version_minor++;
+	TEST_SUCC(vb2_init_context(&c), "Didn't allow higher minor version");
+	sd->struct_version_minor = VB2_SHARED_DATA_VERSION_MINOR;
+
+	/* Error if re-init with lower minor version */
+	if (VB2_SHARED_DATA_VERSION_MINOR > 0) {
+		sd->struct_version_minor--;
+		TEST_EQ(vb2_init_context(&c), VB2_ERROR_SHARED_DATA_VERSION,
+			"Allowed lower minor version");
+		sd->struct_version_minor = VB2_SHARED_DATA_VERSION_MINOR;
+	}
+
+	/* Error if re-init with higher major version */
+	sd->struct_version_major++;
+	TEST_EQ(vb2_init_context(&c),
+		VB2_ERROR_SHARED_DATA_VERSION, "Allowed higher major version");
+	sd->struct_version_major = VB2_SHARED_DATA_VERSION_MAJOR;
+
+	/* Error if re-init with lower major version */
+	sd->struct_version_major--;
+	TEST_EQ(vb2_init_context(&c),
+		VB2_ERROR_SHARED_DATA_VERSION, "Allowed lower major version");
+	sd->struct_version_major = VB2_SHARED_DATA_VERSION_MAJOR;
+
 	/* Handle workbuf errors */
 	c.workbuf_used = 0;
 	c.workbuf_size = sizeof(struct vb2_shared_data) - 1;