diff options
author | Randall Spangler <rspangler@chromium.org> | 2011-03-01 13:04:22 -0800 |
---|---|---|
committer | Randall Spangler <rspangler@chromium.org> | 2011-03-01 13:04:22 -0800 |
commit | b416714a10cc8b8048009ca2ab0f3fa1dc4ac24b (patch) | |
tree | fd71d216ffdc6f15bf146cad0998137b8fe8a1a7 /firmware | |
parent | dfe4ca5e4057132b634c3df859ddecbdee35cd29 (diff) | |
download | vboot-b416714a10cc8b8048009ca2ab0f3fa1dc4ac24b.tar.gz |
Add crossystem support for nvram_cleared and kern_nv
Fix try_b processing
And move key block flags check up in LoadFirmware(), which speeds up
boot when the dev switch is off because it doesn't do a signature
check and then throw it out.
BUG=12282
TEST=build firmware, try by hand
Review URL: http://codereview.chromium.org/6596081
Change-Id: I10474e9e0ae324906dfe02a351347d04ce847f67
Diffstat (limited to 'firmware')
-rw-r--r-- | firmware/lib/vboot_firmware.c | 24 | ||||
-rw-r--r-- | firmware/lib/vboot_nvstorage.c | 10 |
2 files changed, 18 insertions, 16 deletions
diff --git a/firmware/lib/vboot_firmware.c b/firmware/lib/vboot_firmware.c index e8c8a86f..036441fb 100644 --- a/firmware/lib/vboot_firmware.c +++ b/firmware/lib/vboot_firmware.c @@ -116,10 +116,7 @@ int LoadFirmware(LoadFirmwareParams* params) { uint8_t* body_digest; /* If try B count is non-zero try firmware B first */ - index = (try_b_count ? i : 1 - i); - - /* Verify the key block */ - VBPERFSTART("VB_VKB"); + index = (try_b_count ? 1 - i : i); if (0 == index) { key_block = (VbKeyBlockHeader*)params->verification_block_0; vblock_size = params->verification_size_0; @@ -127,14 +124,10 @@ int LoadFirmware(LoadFirmwareParams* params) { key_block = (VbKeyBlockHeader*)params->verification_block_1; vblock_size = params->verification_size_1; } - if ((0 != KeyBlockVerify(key_block, vblock_size, root_key, 0))) { - VBDEBUG(("Key block verification failed.\n")); - VBPERFEND("VB_VKB"); - continue; - } - VBPERFEND("VB_VKB"); - /* Check the key block flags against the current boot mode. */ + /* Check the key block flags against the current boot mode. Do this + * before verifying the key block, since flags are faster to check than + * the RSA signature. */ if (!(key_block->key_block_flags & (is_dev ? KEY_BLOCK_FLAG_DEVELOPER_1 : KEY_BLOCK_FLAG_DEVELOPER_0))) { @@ -147,6 +140,15 @@ int LoadFirmware(LoadFirmwareParams* params) { continue; } + /* Verify the key block */ + VBPERFSTART("VB_VKB"); + if ((0 != KeyBlockVerify(key_block, vblock_size, root_key, 0))) { + VBDEBUG(("Key block verification failed.\n")); + VBPERFEND("VB_VKB"); + continue; + } + VBPERFEND("VB_VKB"); + /* Check for rollback of key version. */ key_version = key_block->data_key.key_version; if (key_version < (tpm_version >> 16)) { diff --git a/firmware/lib/vboot_nvstorage.c b/firmware/lib/vboot_nvstorage.c index d9158041..419a9fbc 100644 --- a/firmware/lib/vboot_nvstorage.c +++ b/firmware/lib/vboot_nvstorage.c @@ -21,7 +21,7 @@ #define BOOT_OFFSET 1 #define BOOT_DEBUG_RESET_MODE 0x80 -#define BOOT_TRY_B_COUNT 0x0F +#define BOOT_TRY_B_COUNT_MASK 0x0F #define RECOVERY_OFFSET 2 #define LOCALIZATION_OFFSET 3 @@ -107,7 +107,7 @@ int VbNvGet(VbNvContext* context, VbNvParam param, uint32_t* dest) { return 0; case VBNV_TRY_B_COUNT: - *dest = raw[BOOT_OFFSET] & BOOT_TRY_B_COUNT; + *dest = raw[BOOT_OFFSET] & BOOT_TRY_B_COUNT_MASK; return 0; case VBNV_RECOVERY_REQUEST: @@ -172,10 +172,10 @@ int VbNvSet(VbNvContext* context, VbNvParam param, uint32_t value) { case VBNV_TRY_B_COUNT: /* Clip to valid range. */ - if (value > BOOT_TRY_B_COUNT) - value = BOOT_TRY_B_COUNT - 1; + if (value > BOOT_TRY_B_COUNT_MASK) + value = BOOT_TRY_B_COUNT_MASK; - raw[BOOT_OFFSET] &= ~BOOT_TRY_B_COUNT; + raw[BOOT_OFFSET] &= ~BOOT_TRY_B_COUNT_MASK; raw[BOOT_OFFSET] |= (uint8_t)value; break; |