author | Furquan Shaikh <furquan@google.com> | 2015-10-28 13:01:27 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2015-10-28 20:44:39 -0700 |
commit | 55484550bcedc2b70d84504ec59932f441988838 (patch) | |
tree | 11e104b115fa7920461044bf7e29c497f4a87b6b /firmware/lib/vboot_api_kernel.c | |
parent | d6723ed12b429834c2627c009aab58f0db20ce73 (diff) | |
VbVerifyMemoryBootImage: Allow integrity-only check in dev mode with
FASTBOOT_FULL_CAP set
This change allows developers to boot dev-signed boot images in
unlocked mode if DEV_BOOT_FASTBOOT_FULL_CAP is set in VbNvStorage or
GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP is set.
BUG=chrome-os-partner:47002
BRANCH=None
TEST=Compiles successfully. make -j runtests
Change-Id: I56e3879594da1b57051dfe242ff347ac970c96bb
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://chromium-review.googlesource.com/309606
Commit-Ready: Furquan Shaikh <furquan@chromium.org>
Tested-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Diffstat (limited to 'firmware/lib/vboot_api_kernel.c')
-rw-r--r-- | firmware/lib/vboot_api_kernel.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/firmware/lib/vboot_api_kernel.c b/firmware/lib/vboot_api_kernel.c
index fcec4cb7..94c2c8a7 100644
--- a/firmware/lib/vboot_api_kernel.c
+++ b/firmware/lib/vboot_api_kernel.c
@@ -1226,6 +1226,7 @@ VbError_t VbVerifyMemoryBootImage(VbCommonParams *cparams,
 uint64_t body_offset;
 int hash_only = 0;
 int dev_switch;
+ uint32_t allow_fastboot_full_cap = 0;

 if ((boot_image == NULL) || (image_size == 0))
 return VBERROR_INVALID_PARAMETER;
@@ -1252,13 +1253,24 @@ VbError_t VbVerifyMemoryBootImage(VbCommonParams *cparams,
 /*
 * We don't care verifying the image if:
 * 1. dev-mode switch is on and
- * 2. GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP is set.
+ * 2a. GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP is set, or
+ * 2b. DEV_BOOT_FASTBOOT_FULL_CAP flag is set in NvStorage
 *
 * Check only the integrity of the image.
 */
 dev_switch = shared->flags & VBSD_BOOT_DEV_SWITCH_ON;
- if (dev_switch && (cparams->gbb->flags &
- GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP)) {
+
+ VbExNvStorageRead(vnc.raw);
+ VbNvSetup(&vnc);
+ VbNvGet(&vnc, VBNV_DEV_BOOT_FASTBOOT_FULL_CAP,
+ &allow_fastboot_full_cap);
+
+ if (0 == allow_fastboot_full_cap) {
+ allow_fastboot_full_cap = !!(cparams->gbb->flags &
+ GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP);
+ }
+
+ if (dev_switch && allow_fastboot_full_cap) {
 VBDEBUG(("Only performing integrity-check.\n"));
 hash_only = 1;
 } else {
|
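Review bot: The results of `VbExNvStorageRead(vnc.raw)` and `VbNvGet()` are discarded in the second hunk, although the value they produce decides whether the image is signature-verified or only integrity-checked. The zero initialiser added in the first hunk makes the outcome fail closed only if `VbNvGet()` leaves its output untouched on error, which is not visible here; I would make that explicit with `if (VbNvGet(&vnc, VBNV_DEV_BOOT_FASTBOOT_FULL_CAP, &allow_fastboot_full_cap)) allow_fastboot_full_cap = 0;` and skip the NV lookup altogether when `dev_switch` is clear, since the flag has no effect then. A comment above the read such as `/* NV flag only relaxes verification while the dev switch is on */` would record that the `dev_switch &&` test is what keeps a stale NV flag from affecting normal mode. `vnc` is declared outside the hunk and the function continues past its end, so whether NV storage was already read and validated earlier in this boot cannot be confirmed from here.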