VbVerifyMemoryBootImage: Allow integrity-only check in dev mode with

FASTBOOT_FULL_CAP set

This change allows developers to boot dev-signed boot images in
unlocked mode if DEV_BOOT_FASTBOOT_FULL_CAP is set in VbNvStorage or
GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP is set.

BUG=chrome-os-partner:47002
BRANCH=None
TEST=Compiles successfully. make -j runtests

Change-Id: I56e3879594da1b57051dfe242ff347ac970c96bb
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://chromium-review.googlesource.com/309606
Commit-Ready: Furquan Shaikh <furquan@chromium.org>
Tested-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>

1 files changed, 17 insertions, 0 deletions

diff --git a/tests/vboot_api_kernel5_tests.c b/tests/vboot_api_kernel5_tests.c
index 8c59622f..a372e178 100644
--- a/tests/vboot_api_kernel5_tests.c
+++ b/tests/vboot_api_kernel5_tests.c
@@ -145,6 +145,12 @@ int VerifyData(const uint8_t *data, uint64_t size, const VbSignature *sig,
 	return VBERROR_SUCCESS;
 }
 
+VbError_t VbExNvStorageRead(uint8_t *buf)
+{
+	Memcpy(buf, vnc.raw, sizeof(vnc.raw));
+	return VBERROR_SUCCESS;
+}
+
 static void VerifyMemoryBootImageTest(void)
 {
 	uint32_t u;
@@ -200,6 +206,17 @@ static void VerifyMemoryBootImageTest(void)
 		VBERROR_INVALID_KERNEL_FOUND, "Key verify failed");
 	TEST_EQ(hash_only_check, 1, "  hash check");
 
+	/* Key Block Hash Failure -- VBNV */
+	ResetMocks();
+	shared->flags = VBSD_BOOT_DEV_SWITCH_ON;
+	key_block_verify_fail = 1;
+	VbNvSet(&vnc, VBNV_DEV_BOOT_FASTBOOT_FULL_CAP, 1);
+	VbNvTeardown(&vnc);
+	TEST_EQ(VbVerifyMemoryBootImage(&cparams, &kparams, kernel_buffer,
+					kernel_buffer_size),
+		VBERROR_INVALID_KERNEL_FOUND, "Key verify failed");
+	TEST_EQ(hash_only_check, 1, "  hash check -- VBNV flag");
+
 	/* Developer flag mismatch - dev switch on */
 	ResetMocks();
 	kbh.key_block_flags = KEY_BLOCK_FLAG_DEVELOPER_0 |