rollback_index: Add recovery parameter to RollbackKernelLock.stabilize-4443.B

RollbackKernelLock previously checked a global to determine recovery
mode state. Since we have two copies of vboot_reference in firmware
(in coreboot and depthcharge), this creates a problem with
synchronization. Remove the global entirely and instead pass the
recovery state to RollbackKernelLock.

BUG=chrome-os-partner:20913.
TEST=Manual. Boot factory install shim in recovery mode and verify TPM
clear operations succeed. Boot in dev mode and verify "Lock physical
presence" print on UART.
BRANCH=FalcoPeppy.

Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Change-Id: I4e751d4a9ca60cd57c5c662ce86eba595fb22ba2
Reviewed-on: https://gerrit.chromium.org/gerrit/62874
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>

4 files changed, 6 insertions, 12 deletions

diff --git a/firmware/lib/include/rollback_index.h b/firmware/lib/include/rollback_index.h
index 748dce97..386ad77f 100644
--- a/firmware/lib/include/rollback_index.h
+++ b/firmware/lib/include/rollback_index.h
@@ -117,7 +117,7 @@ uint32_t RollbackKernelWrite(uint32_t version);
 /**
  * Lock must be called.  Internally, it's ignored in recovery mode.
  */
-uint32_t RollbackKernelLock(void);
+uint32_t RollbackKernelLock(int recovery_mode);
 
 /****************************************************************************/
 
diff --git a/firmware/lib/mocked_rollback_index.c b/firmware/lib/mocked_rollback_index.c
index e866f137..6f026a33 100644
--- a/firmware/lib/mocked_rollback_index.c
+++ b/firmware/lib/mocked_rollback_index.c
@@ -49,7 +49,7 @@ uint32_t RollbackFirmwareWrite(uint32_t version) {
 }
 
 
-uint32_t RollbackFirmwareLock(void) {
+uint32_t RollbackFirmwareLock(int recovery_mode) {
   return TPM_SUCCESS;
 }
 
diff --git a/firmware/lib/rollback_index.c b/firmware/lib/rollback_index.c
index 3744f4bb..619ba013 100644
--- a/firmware/lib/rollback_index.c
+++ b/firmware/lib/rollback_index.c
@@ -38,8 +38,6 @@ uint32_t WriteSpaceKernel(RollbackSpaceKernel *rsk);
 #undef DISABLE_ROLLBACK_TPM
 #endif
 
-static int g_rollback_recovery_mode = 0;
-
 #define RETURN_ON_FAILURE(tpm_command) do {				\
 		uint32_t result_;					\
 		if ((result_ = (tpm_command)) != TPM_SUCCESS) {		\
@@ -355,10 +353,6 @@ uint32_t SetupTPM(int recovery_mode, int developer_mode,
 
 	VBDEBUG(("TPM: SetupTPM(r%d, d%d)\n", recovery_mode, developer_mode));
 
-	/* Global variables are usable in recovery mode */
-	if (recovery_mode)
-		g_rollback_recovery_mode = 1;
-
 	RETURN_ON_FAILURE(TlclLibInit());
 
 #ifdef TEGRA_SOFT_REBOOT_WORKAROUND
@@ -540,7 +534,7 @@ uint32_t RollbackKernelWrite(uint32_t version)
 	return TPM_SUCCESS;
 }
 
-uint32_t RollbackKernelLock(void)
+uint32_t RollbackKernelLock(int recovery_mode)
 {
 	return TPM_SUCCESS;
 }
@@ -635,9 +629,9 @@ uint32_t RollbackKernelWrite(uint32_t version)
 	return WriteSpaceKernel(&rsk);
 }
 
-uint32_t RollbackKernelLock(void)
+uint32_t RollbackKernelLock(int recovery_mode)
 {
-	if (g_rollback_recovery_mode)
+	if (recovery_mode)
 		return TPM_SUCCESS;
 	else
 		return TlclLockPhysicalPresence();
diff --git a/firmware/lib/vboot_api_kernel.c b/firmware/lib/vboot_api_kernel.c
index 895a81d4..f253e92d 100644
--- a/firmware/lib/vboot_api_kernel.c
+++ b/firmware/lib/vboot_api_kernel.c
@@ -970,7 +970,7 @@ VbError_t VbSelectAndLoadKernel(VbCommonParams *cparams,
 	       sizeof(kparams->partition_guid));
 
 	/* Lock the kernel versions.  Ignore errors in recovery mode. */
-	tpm_status = RollbackKernelLock();
+	tpm_status = RollbackKernelLock(shared->recovery_reason);
 	if (0 != tpm_status) {
 		VBDEBUG(("Error locking kernel versions.\n"));
 		if (!shared->recovery_reason) {