authorHsuan Ting Chen <roccochen@chromium.org>2021-09-02 13:29:26 +0800
committerCommit Bot <commit-bot@chromium.org>2021-09-04 16:32:15 +0000
commitae48219ec49fdec3c084dc5ba1f49219e4bd7d60 (patch)
treeec449f7defe132b597315436e35878e603348ebe
parentb2ba574e1df0767cd2c6fc9dc854fb87f0e2a097 (diff)
2lib/2ec_sync: Clear VB2_CONTEXT_EC_TRUSTED before jumping to RW
Currently the EC is trusted if any of the conditions are met: * The ctx flag VB2_CONTEXT_EC_TRUSTED is set. * vb2ex_ec_trusted() returns trusted. With introducing the boot mode area in ctx, the vb2ex_ec_trusted will be deprecated and the VB2_CONTEXT_EC_TRUSTED will become the only condition to decide if EC is trusted. This CL clears the flag while EC jumps to RW, which is the prerequisite before landing the coreboot changes. Also update the tests of ec_sync() BRANCH=none BUG=b:181931817 TEST=emerge-trogdor coreboot vboot_reference depthcharge Signed-off-by: Hsuan Ting Chen <roccochen@chromium.org> Change-Id: I4711093353f5a92157c4c00c859c01f08fc3607f Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3139538 Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
-rw-r--r--firmware/2lib/2ec_sync.c4
-rw-r--r--tests/vb2_ec_sync_tests.c17
2 files changed, 21 insertions, 0 deletions
diff --git a/firmware/2lib/2ec_sync.c b/firmware/2lib/2ec_sync.c
index 9c49cebc..20490e08 100644
--- a/firmware/2lib/2ec_sync.c
+++ b/firmware/2lib/2ec_sync.c
@@ -212,6 +212,10 @@ static vb2_error_t sync_ec(struct vb2_context *ctx)
return VB2_REQUEST_REBOOT_EC_TO_RO;
}
+ /* We no longer trust the EC once it is already in RW or tries to jump
+ to RW. */
+ ctx->flags &= ~VB2_CONTEXT_EC_TRUSTED;
+
/* Tell EC to jump to RW. It should already be in RW for EFS2. */
if (!(sd->flags & VB2_SD_FLAG_ECSYNC_EC_IN_RW)) {
VB2_DEBUG("jumping to EC-RW\n");
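Review bot: The new clear of VB2_CONTEXT_EC_TRUSTED sits after the `return VB2_REQUEST_REBOOT_EC_TO_RO;` path at the top of this hunk, so the flag is dropped only when sync_ec() actually reaches the jump step. The commit message says this flag will become the only EC trust signal, so any path that leaves the EC in RW without passing this line would keep it marked trusted; whether such a path exists (for example a caller that skips EC sync) cannot be seen from this hunk and should be confirmed. The comment should state the invariant and why the clear comes before the jump, for example `/* EC is trusted only while in RO: clear before the jump so a failed jump never leaves the flag set. */`. It should also use the ` * `-prefixed block-comment layout that the test file in this commit uses. sync_ec() starts and ends outside the hunk.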
diff --git a/tests/vb2_ec_sync_tests.c b/tests/vb2_ec_sync_tests.c
index ea0dbf11..16496e44 100644
--- a/tests/vb2_ec_sync_tests.c
+++ b/tests/vb2_ec_sync_tests.c
@@ -96,6 +96,13 @@ static void ResetMocks(void)
memset(hmir, 0, sizeof(hmir));
hmir[0] = 42;
vb2_secdata_kernel_set_ec_hash(ctx, hmir);
+
+ /*
+ * This flag should not involve in the steps deciding whether EC is
+ * running RW. The only concern here is we need to clear this flag after
+ * attempting a jump to RW.
+ */
+ ctx->flags |= VB2_CONTEXT_EC_TRUSTED;
}
/* Mock functions */
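Review bot: With ResetMocks() now setting VB2_CONTEXT_EC_TRUSTED before every case, the assertions added in the later hunks only check that the flag ends up cleared. Nothing visible pins that it stays set when sync_ec() returns before the clear, such as the `return VB2_REQUEST_REBOOT_EC_TO_RO;` path just above the new line in 2ec_sync.c. A case on such a path with `TEST_TRUE(ctx->flags & VB2_CONTEXT_EC_TRUSTED, "  VB2_CONTEXT_EC_TRUSTED is kept");` would catch the clear being moved earlier or made unconditional; tests outside these hunks may already cover it. In the added comment, `should not involve in the steps` reads better as `is not involved in the steps`.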
@@ -515,6 +522,8 @@ static void VbSoftwareSyncTest(void)
TEST_EQ(ec_ro_protected, 1, "ec ro protected");
TEST_EQ(ec_rw_protected, 1, "ec rw protected");
TEST_EQ(ec_run_image, 1, "ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
ResetMocks();
test_ssync(0, 0, "AP-RW, EC-RO -> EC-RW");
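Review bot: The message on the added TEST_FALSE starts with a space (`" VB2_CONTEXT_EC_TRUSTED is cleared"`), while the three TEST_EQ lines directly above it in this hunk use unprefixed messages such as `"ec ro protected"`. The last hunk (@@ -552) has the same mismatch. In the other hunks the neighbouring messages do carry the leading space, so the string looks copied without adjusting to its surroundings. Matching the neighbours keeps the test log aligned: `TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED, "VB2_CONTEXT_EC_TRUSTED is cleared");` in these two places.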
@@ -523,6 +532,8 @@ static void VbSoftwareSyncTest(void)
TEST_EQ(ec_ro_protected, 1, " ec ro protected");
TEST_EQ(ec_rw_protected, 1, " ec rw protected");
TEST_EQ(ec_run_image, 1, " ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
ResetMocks();
jump_retval = VB2_ERROR_MOCK;
@@ -533,6 +544,8 @@ static void VbSoftwareSyncTest(void)
TEST_EQ(ec_ro_protected, 0, " ec ro protected");
TEST_EQ(ec_rw_protected, 0, " ec rw protected");
TEST_EQ(ec_run_image, 0, " ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
ResetMocks();
jump_retval = VB2_REQUEST_REBOOT_EC_TO_RO;
@@ -543,6 +556,8 @@ static void VbSoftwareSyncTest(void)
TEST_EQ(ec_ro_protected, 0, " ec ro protected");
TEST_EQ(ec_rw_protected, 0, " ec rw protected");
TEST_EQ(ec_run_image, 0, " ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
ResetMocks();
protect_retval = VB2_ERROR_MOCK;
@@ -552,6 +567,8 @@ static void VbSoftwareSyncTest(void)
TEST_EQ(ec_ro_protected, 0, "ec ro protected");
TEST_EQ(ec_rw_protected, 0, "ec rw protected");
TEST_EQ(ec_run_image, 1, "ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
/* No longer check for shutdown requested */
ResetMocks();