Diffstat (limited to 'firmware/lib20/api_kernel.c')
-rw-r--r-- | firmware/lib20/api_kernel.c | 97 |
1 files changed, 0 insertions, 97 deletions
diff --git a/firmware/lib20/api_kernel.c b/firmware/lib20/api_kernel.c
index 8b146093..36456f61 100644
--- a/firmware/lib20/api_kernel.c
+++ b/firmware/lib20/api_kernel.c
@@ -16,103 +16,6 @@
 #include "vb2_common.h"
 #include "vboot_struct.h"
 
-int vb2api_is_developer_signed(struct vb2_context *ctx)
-{
- struct vb2_shared_data *sd = vb2_get_sd(ctx);
-
- if (!sd->kernel_key_offset || !sd->kernel_key_size) {
- VB2_REC_OR_DIE(ctx, "Cannot call this before kernel_phase1!\n");
- return 0;
- }
-
- struct vb2_public_key key;
- if (vb2_unpack_key(&key, vb2_member_of(sd, sd->kernel_key_offset)))
- return 0;
-
- /* This is a debugging aid, not a security-relevant feature. There's no
- reason to hardcode the whole key or waste time computing a hash. Just
- spot check the starting bytes of the pseudorandom part of the key. */
- uint32_t devkey_n0inv = ctx->flags & VB2_CONTEXT_RECOVERY_MODE ?
- 0x18cebcf5 : /* recovery_key.vbpubk @0x24 */
- 0xe0cd87d9; /* kernel_subkey.vbpubk @0x24 */
-
- if (key.n0inv == devkey_n0inv)
- return 1;
-
- return 0;
-}
-
-vb2_error_t vb2api_kernel_phase1(struct vb2_context *ctx)
-{
- struct vb2_shared_data *sd = vb2_get_sd(ctx);
- struct vb2_workbuf wb;
- struct vb2_packed_key *packed_key;
- vb2_error_t rv;
-
- vb2_workbuf_from_ctx(ctx, &wb);
-
- /*
- * Init secdata_kernel and secdata_fwmp spaces. No need to init
- * secdata_firmware, since it was already read during firmware
- * verification. Ignore errors in recovery mode.
- */
- rv = vb2_secdata_kernel_init(ctx);
- if (rv && !(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) {
- VB2_DEBUG("TPM: init secdata_kernel returned %#x\n", rv);
- vb2api_fail(ctx, VB2_RECOVERY_SECDATA_KERNEL_INIT, rv);
- return rv;
- }
- rv = vb2_secdata_fwmp_init(ctx);
- if (rv && !(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) {
- VB2_DEBUG("TPM: init secdata_fwmp returned %#x\n", rv);
- vb2api_fail(ctx, VB2_RECOVERY_SECDATA_FWMP_INIT, rv);
- return rv;
- }
-
- /* Read kernel version from secdata. */
- sd->kernel_version_secdata =
- vb2_secdata_kernel_get(ctx, VB2_SECDATA_KERNEL_VERSIONS);
- sd->kernel_version = sd->kernel_version_secdata;
-
- /* Find the key to use to verify the kernel keyblock */
- if ((ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) {
- /* Load recovery key from GBB. */
- rv = vb2_gbb_read_recovery_key(ctx, &packed_key, NULL, &wb);
- if (rv) {
- if (vb2_allow_recovery(ctx))
- VB2_DIE("GBB read recovery key failed.\n");
- else
- /*
- * If we're headed for the BROKEN screen,
- * we won't need the recovery key. Just
- * short-circuit with success.
- */
- return VB2_SUCCESS;
- }
- } else {
- /* Kernel subkey from firmware preamble */
- struct vb2_fw_preamble *pre;
-
- /* Make sure we have a firmware preamble loaded */
- if (!sd->preamble_size)
- return VB2_ERROR_API_KPHASE1_PREAMBLE;
-
- pre = (struct vb2_fw_preamble *)
- vb2_member_of(sd, sd->preamble_offset);
- packed_key = &pre->kernel_subkey;
- }
-
- sd->kernel_key_offset = vb2_offset_of(sd, packed_key);
- sd->kernel_key_size = packed_key->key_offset + packed_key->key_size;
-
- vb2_set_workbuf_used(ctx, vb2_offset_of(sd, wb.buf));
-
- if (vb2api_is_developer_signed(ctx))
- VB2_DEBUG("This is developer-signed firmware.\n");
-
- return VB2_SUCCESS;
-}
-
 vb2_error_t vb2api_load_kernel_vblock(struct vb2_context *ctx)
 {
 vb2_error_t rv; |