From e22ceb974fc551e41ca588c2b524a0a91fbe5d5a Mon Sep 17 00:00:00 2001 From: Joel Kitching Date: Mon, 9 Dec 2019 18:51:00 +0800 Subject: vboot: remove secdata TPM backend code In vboot 2 design, secdata spaces are read/written by the vboot caller, and not by vboot itself. We still need to maintain a vb2ex_commit_data callback for edge cases, such as when the vboot UI prompts the user to reboot. BUG=b:124141368, chromium:972956 TEST=Build locally, flash and boot eve, check logs for secdata writes and locks TEST=make clean && make runtests BRANCH=none Change-Id: Ib3b628549185749a290dd65e297f2e19adecbc66 Cq-Depend: chromium:1958012 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1958070 Reviewed-by: Joel Kitching Commit-Queue: Joel Kitching Tested-by: Joel Kitching --- Makefile | 26 +- firmware/include/vboot_test.h | 7 - firmware/lib/include/secdata_tpm.h | 33 -- firmware/lib/include/vboot_kernel.h | 11 - firmware/lib/mocked_secdata_tpm.c | 44 --- firmware/lib/secdata_tpm.c | 189 ------------ firmware/lib/vboot_api_kernel.c | 113 ++----- firmware/lib/vboot_kernel.c | 1 - firmware/lib/vboot_ui.c | 12 +- firmware/lib/vboot_ui_common.c | 7 - firmware/lib/vboot_ui_menu.c | 1 - firmware/stub/vboot_api_stub_init.c | 5 +- tests/secdata_tpm_tests.c | 587 ------------------------------------ tests/vb2_auxfw_sync_tests.c | 1 - tests/vb2_ec_sync_tests.c | 1 - tests/vboot_api_devmode_tests.c | 1 - tests/vboot_api_kernel2_tests.c | 6 - tests/vboot_api_kernel4_tests.c | 112 +++---- tests/vboot_api_kernel_tests.c | 1 - tests/vboot_detach_menu_tests.c | 6 - tests/vboot_display_tests.c | 1 - tests/vboot_kernel_tests.c | 1 - utility/load_kernel_test.c | 1 - 23 files changed, 89 insertions(+), 1078 deletions(-) delete mode 100644 firmware/lib/include/secdata_tpm.h delete mode 100644 firmware/lib/mocked_secdata_tpm.c delete mode 100644 firmware/lib/secdata_tpm.c delete mode 100644 tests/secdata_tpm_tests.c 
diff --git a/Makefile b/Makefile index c71f5e32..b12029e8 100644 --- a/Makefile +++ b/Makefile @@ -427,13 +427,9 @@ TLCL_SRCS = \ firmware/lib/tpm2_lite/marshaling.c endif -# Support real TPM unless BIOS sets MOCK_TPM -ifeq (${MOCK_TPM},) -FWLIB_SRCS += \ - firmware/lib/secdata_tpm.c -else +# Support real TPM unless MOCK_TPM is set +ifneq (${MOCK_TPM},) FWLIB_SRCS += \ - firmware/lib/mocked_secdata_tpm.c \ firmware/lib/tpm_lite/mocked_tlcl.c endif @@ -723,16 +719,12 @@ TEST_NAMES = \ tests/vboot_kernel_tests \ tests/verify_kernel -ifeq (${MOCK_TPM},) -# secdata_tpm_tests and tlcl_tests only work when MOCK_TPM is disabled -TEST_NAMES += \ - tests/secdata_tpm_tests -ifeq (${TPM2_MODE},) +ifeq (${MOCK_TPM}${TPM2_MODE},) +# tlcl_tests only works when MOCK_TPM is disabled # TODO(apronin): tests for TPM2 case? TEST_NAMES += \ tests/tlcl_tests endif -endif TEST_FUTIL_NAMES = \ tests/futility/binary_editor \ @@ -1284,15 +1276,11 @@ runtestscripts: test_setup genfuzztestcases .PHONY: runmisctests runmisctests: test_setup -ifeq (${MOCK_TPM},) -# secdata_tpm_tests and tlcl_tests only work when MOCK_TPM is disabled - ${RUNTEST} ${BUILD_RUN}/tests/secdata_tpm_tests -ifeq (${TPM2_MODE},) -# TODO(apronin): tests for TPM2 case? + ${RUNTEST} ${BUILD_RUN}/tests/subprocess_tests +ifeq (${MOCK_TPM}${TPM2_MODE},) +# tlcl_tests only works when MOCK_TPM is disabled ${RUNTEST} ${BUILD_RUN}/tests/tlcl_tests endif -endif - ${RUNTEST} ${BUILD_RUN}/tests/subprocess_tests ${RUNTEST} ${BUILD_RUN}/tests/utility_string_tests ${RUNTEST} ${BUILD_RUN}/tests/vboot_api_devmode_tests ${RUNTEST} ${BUILD_RUN}/tests/vboot_api_kernel2_tests diff --git a/firmware/include/vboot_test.h b/firmware/include/vboot_test.h index a6ed8c09..1f0a6629 100644 --- a/firmware/include/vboot_test.h +++ b/firmware/include/vboot_test.h 
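Review bot: The new comment `# tlcl_tests only works when MOCK_TPM is disabled` sits under `ifeq (${MOCK_TPM}${TPM2_MODE},)` but names only one of the two variables that condition tests; it appears in both the TEST_NAMES hunk and the runmisctests hunk. Wording such as `# tlcl_tests only works when MOCK_TPM and TPM2_MODE are both unset` would match the condition. The `# TODO(apronin): tests for TPM2 case?` line is kept in TEST_NAMES but dropped from runmisctests, so the two blocks no longer read alike.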
@@ -29,11 +29,4 @@ vb2_error_t vb2_check_padding(const uint8_t *sig, struct LoadKernelParams; struct LoadKernelParams *VbApiKernelGetParams(void); -/**************************************************************************** - * secdata_tpm.c */ - -extern int secdata_kernel_locked; -uint32_t tlcl_clear_and_reenable(void); -uint32_t tlcl_safe_write(uint32_t index, const void *data, uint32_t length); - #endif /* VBOOT_REFERENCE_TEST_API_H_ */ diff --git a/firmware/lib/include/secdata_tpm.h b/firmware/lib/include/secdata_tpm.h deleted file mode 100644 index 3cf1ae75..00000000 --- a/firmware/lib/include/secdata_tpm.h +++ /dev/null @@ -1,33 +0,0 @@ -/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Functions for querying, manipulating and locking secure data spaces - * stored in the TPM NVRAM. - */ - -#ifndef VBOOT_REFERENCE_SECDATA_TPM_H_ -#define VBOOT_REFERENCE_SECDATA_TPM_H_ - -#include "2api.h" - -/* TPM NVRAM location indices. */ -#define FIRMWARE_NV_INDEX 0x1007 -#define KERNEL_NV_INDEX 0x1008 -/* BACKUP_NV_INDEX (size 16) used to live at 0x1009; now deprecated */ -#define FWMP_NV_INDEX 0x100a -#define REC_HASH_NV_INDEX 0x100b -#define REC_HASH_NV_SIZE VB2_SHA256_DIGEST_SIZE -/* Space to hold a temporary SHA256 digest of a public key for USB autoconfig; - * see crbug.com/845589. */ -#define OOBE_USB_AUTOCONFIG_KEY_DIGEST_NV_INDEX 0x100c -#define OOBE_USB_AUTOCONFIG_KEY_DIGEST_NV_SIZE VB2_SHA256_DIGEST_SIZE - -/* All functions return TPM_SUCCESS (zero) if successful, non-zero if error */ -uint32_t secdata_firmware_write(struct vb2_context *ctx); -uint32_t secdata_kernel_read(struct vb2_context *ctx); -uint32_t secdata_kernel_write(struct vb2_context *ctx); -uint32_t secdata_kernel_lock(struct vb2_context *ctx); -uint32_t secdata_fwmp_read(struct vb2_context *ctx); - -#endif /* VBOOT_REFERENCE_SECDATA_TPM_H_ */ 
diff --git a/firmware/lib/include/vboot_kernel.h b/firmware/lib/include/vboot_kernel.h index 5337d0ad..4754f6d8 100644 --- a/firmware/lib/include/vboot_kernel.h +++ b/firmware/lib/include/vboot_kernel.h @@ -83,17 +83,6 @@ vb2_error_t VbBootRecoveryMenu(struct vb2_context *ctx); */ void vb2_init_ui(void); -/** - * Locks secdata_kernel. - * - * Should be used right before attempting to leave vboot (by booting - * an OS or chainloading to another firmware). - * - * @param ctx Vboot context - * @returns VB2_SUCCESS, or non-zero error code. - */ -vb2_error_t vb2_secdata_kernel_lock(struct vb2_context *ctx); - /** * Writes modified secdata spaces and nvdata. * diff --git a/firmware/lib/mocked_secdata_tpm.c b/firmware/lib/mocked_secdata_tpm.c deleted file mode 100644 index 373c4940..00000000 --- a/firmware/lib/mocked_secdata_tpm.c +++ /dev/null @@ -1,44 +0,0 @@ -/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Functions for querying, manipulating and locking secure data spaces - * stored in the TPM NVRAM (mock versions). - */ - -#include "2api.h" -#include "2secdata.h" -#include "secdata_tpm.h" -#include "tss_constants.h" - -int secdata_kernel_locked = 0; - -uint32_t secdata_firmware_write(struct vb2_context *ctx) -{ - ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED; - return TPM_SUCCESS; -} - -uint32_t secdata_kernel_read(struct vb2_context *ctx) -{ - vb2api_secdata_kernel_create(ctx); - return TPM_SUCCESS; -} - -uint32_t secdata_kernel_write(struct vb2_context *ctx) -{ - ctx->flags &= ~VB2_CONTEXT_SECDATA_KERNEL_CHANGED; - return TPM_SUCCESS; -} - -uint32_t secdata_kernel_lock(struct vb2_context *ctx) -{ - secdata_kernel_locked = 1; - return TPM_SUCCESS; -} - -uint32_t secdata_fwmp_read(struct vb2_context *ctx) -{ - ctx->flags |= VB2_CONTEXT_NO_SECDATA_FWMP; - return TPM_SUCCESS; -} 
diff --git a/firmware/lib/secdata_tpm.c b/firmware/lib/secdata_tpm.c deleted file mode 100644 index b8f3522c..00000000 --- a/firmware/lib/secdata_tpm.c +++ /dev/null 
@@ -1,189 +0,0 @@ -/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Functions for querying, manipulating and locking secure data spaces - * stored in the TPM NVRAM. - */ - -#include "2api.h" -#include "2common.h" -#include "secdata_tpm.h" -#include "tlcl.h" -#include "tss_constants.h" -#include "vboot_test.h" - -#define RETURN_ON_FAILURE(tpm_command) do { \ - uint32_t result_; \ - if ((result_ = (tpm_command)) != TPM_SUCCESS) { \ - VB2_DEBUG("TPM: %#x returned by " #tpm_command \ - "\n", (int)result_); \ - return result_; \ - } \ - } while (0) - -#define PRINT_BYTES(title, value) do { \ - int i; \ - VB2_DEBUG(title); \ - VB2_DEBUG_RAW(":"); \ - for (i = 0; i < sizeof(*(value)); i++) \ - VB2_DEBUG_RAW(" %02x", *((uint8_t *)(value) + i)); \ - VB2_DEBUG_RAW("\n"); \ - } while (0) - -/* Keeps track of whether the kernel space has already been locked or not. */ -int secdata_kernel_locked = 0; - -/** - * Issue a TPM_Clear and reenable/reactivate the TPM. - */ -uint32_t tlcl_clear_and_reenable(void) -{ - VB2_DEBUG("TPM: clear_and_reenable\n"); - RETURN_ON_FAILURE(TlclForceClear()); - RETURN_ON_FAILURE(TlclSetEnable()); - RETURN_ON_FAILURE(TlclSetDeactivated(0)); - - return TPM_SUCCESS; -} - -/** - * Like TlclWrite(), but checks for write errors due to hitting the 64-write - * limit and clears the TPM when that happens. This can only happen when the - * TPM is unowned, so it is OK to clear it (and we really have no choice). - * This is not expected to happen frequently, but it could happen. 
- */ -uint32_t tlcl_safe_write(uint32_t index, const void *data, uint32_t length) -{ - uint32_t result = TlclWrite(index, data, length); - if (result == TPM_E_MAXNVWRITES) { - RETURN_ON_FAILURE(tlcl_clear_and_reenable()); - return TlclWrite(index, data, length); - } else { - return result; - } -} - -/* Functions to read and write firmware and kernel spaces. */ - -uint32_t secdata_firmware_write(struct vb2_context *ctx) -{ - if (!(ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED)) { - VB2_DEBUG("TPM: secdata_firmware unchanged\n"); - return TPM_SUCCESS; - } - - if (!(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) { - VB2_DEBUG("Error: secdata_firmware modified " - "in non-recovery mode?\n"); - return TPM_E_AREA_LOCKED; - } - - PRINT_BYTES("TPM: write secdata_firmware", &ctx->secdata_firmware); - RETURN_ON_FAILURE(tlcl_safe_write(FIRMWARE_NV_INDEX, - ctx->secdata_firmware, - VB2_SECDATA_FIRMWARE_SIZE)); - - ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED; - return TPM_SUCCESS; -} - -uint32_t secdata_kernel_read(struct vb2_context *ctx) -{ -#ifndef TPM2_MODE - /* - * Before reading the kernel space, verify its permissions. If the - * kernel space has the wrong permission, we give up. This will need - * to be fixed by the recovery kernel. We will have to worry about - * this because at any time (even with PP turned off) the TPM owner can - * remove and redefine a PP-protected space (but not write to it). 
- */ - uint32_t perms; - - RETURN_ON_FAILURE(TlclGetPermissions(KERNEL_NV_INDEX, &perms)); - if (perms != TPM_NV_PER_PPWRITE) { - VB2_DEBUG("TPM: invalid secdata_kernel permissions: %#x\n", - perms); - return TPM_E_CORRUPTED_STATE; - } -#endif - - RETURN_ON_FAILURE(TlclRead(KERNEL_NV_INDEX, ctx->secdata_kernel, - VB2_SECDATA_KERNEL_SIZE)); - - PRINT_BYTES("TPM: read secdata_kernel", &ctx->secdata_kernel); - - if (vb2api_secdata_kernel_check(ctx)) { - VB2_DEBUG("TPM: secdata_kernel invalid (corrupted?)\n"); - return TPM_E_CORRUPTED_STATE; - } - - return TPM_SUCCESS; -} - -uint32_t secdata_kernel_write(struct vb2_context *ctx) -{ - if (!(ctx->flags & VB2_CONTEXT_SECDATA_KERNEL_CHANGED)) { - VB2_DEBUG("TPM: secdata_kernel unchanged\n"); - return TPM_SUCCESS; - } - - PRINT_BYTES("TPM: write secdata_kernel", &ctx->secdata_kernel); - - RETURN_ON_FAILURE(tlcl_safe_write(KERNEL_NV_INDEX, ctx->secdata_kernel, - VB2_SECDATA_KERNEL_SIZE)); - - ctx->flags &= ~VB2_CONTEXT_SECDATA_KERNEL_CHANGED; - return TPM_SUCCESS; -} - -uint32_t secdata_kernel_lock(struct vb2_context *ctx) -{ - /* Skip if already locked */ - if (secdata_kernel_locked) { - VB2_DEBUG("TPM: secdata_kernel already locked; skipping\n"); - return TPM_SUCCESS; - } - - RETURN_ON_FAILURE(TlclLockPhysicalPresence()); - - VB2_DEBUG("TPM: secdata_kernel locked\n"); - secdata_kernel_locked = 1; - return TPM_SUCCESS; -} - -uint32_t secdata_fwmp_read(struct vb2_context *ctx) -{ - vb2_error_t rv; - uint8_t size = VB2_SECDATA_FWMP_MIN_SIZE; - uint32_t r; - - /* Try to read entire 1.0 struct */ - r = TlclRead(FWMP_NV_INDEX, ctx->secdata_fwmp, size); - if (TPM_E_BADINDEX == r) { - /* Missing space is not an error; tell vboot */ - VB2_DEBUG("TPM: no secdata_fwmp space\n"); - ctx->flags |= VB2_CONTEXT_NO_SECDATA_FWMP; - return TPM_SUCCESS; - } else if (TPM_SUCCESS != r) { - VB2_DEBUG("TPM: read secdata_fwmp returned %#x\n", r); - return r; - } - - /* Re-read more data if necessary */ - rv = vb2api_secdata_fwmp_check(ctx, &size); 
- if (rv == VB2_SUCCESS) - return VB2_SUCCESS; - - if (rv == VB2_ERROR_SECDATA_FWMP_INCOMPLETE) { - RETURN_ON_FAILURE(TlclRead(FWMP_NV_INDEX, ctx->secdata_fwmp, - size)); - - /* Check one more time */ - if (vb2api_secdata_fwmp_check(ctx, &size) == VB2_SUCCESS) - return VB2_SUCCESS; - } - - VB2_DEBUG("TPM: secdata_fwmp invalid (corrupted?)\n"); - return TPM_E_CORRUPTED_STATE; -} diff --git a/firmware/lib/vboot_api_kernel.c b/firmware/lib/vboot_api_kernel.c index 3416a6fd..ef9cd4d9 100644 --- a/firmware/lib/vboot_api_kernel.c +++ b/firmware/lib/vboot_api_kernel.c @@ -13,7 +13,6 @@ #include "2secdata.h" #include "2sysincludes.h" #include "load_kernel_fw.h" -#include "secdata_tpm.h" #include "utility.h" #include "vb2_common.h" #include "vboot_api.h" @@ -228,7 +227,6 @@ static vb2_error_t vb2_kernel_setup(struct vb2_context *ctx, VbSelectAndLoadKernelParams *kparams) { struct vb2_shared_data *sd = vb2_get_sd(ctx); - uint32_t tpm_rv; vb2_error_t rv; /* Set selected boot mode in context object. 
@@ -290,24 +288,6 @@ static vb2_error_t vb2_kernel_setup(struct vb2_context *ctx, kparams->flags = 0; memset(kparams->partition_guid, 0, sizeof(kparams->partition_guid)); - /* - * Read secdata_kernel and secdata_fwmp spaces. No need to read - * secdata_firmware, since it was already read during firmware - * verification. Ignore errors in recovery mode. - */ - tpm_rv = secdata_kernel_read(ctx); - if (tpm_rv && !(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) { - VB2_DEBUG("TPM: read secdata_kernel returned %#x\n", tpm_rv); - vb2api_fail(ctx, VB2_RECOVERY_RW_TPM_R_ERROR, tpm_rv); - return VB2_ERROR_SECDATA_KERNEL_READ; - } - tpm_rv = secdata_fwmp_read(ctx); - if (tpm_rv && !(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) { - VB2_DEBUG("TPM: read secdata_fwmp returned %#x\n", tpm_rv); - vb2api_fail(ctx, VB2_RECOVERY_RW_TPM_R_ERROR, tpm_rv); - return VB2_ERROR_SECDATA_FWMP_READ; - } - /* * Init secdata_kernel and secdata_fwmp spaces. No need to init * secdata_firmware, since it was already read during firmware 
@@ -349,78 +329,48 @@ static void vb2_kernel_fill_kparams(struct vb2_context *ctx, sizeof(kparams->partition_guid)); } -vb2_error_t vb2_secdata_kernel_lock(struct vb2_context *ctx) -{ - uint32_t tpm_rv; - - /* Skip if in recovery mode. */ - if (ctx->flags & VB2_CONTEXT_RECOVERY_MODE) - return VB2_SUCCESS; - - tpm_rv = secdata_kernel_lock(ctx); - if (tpm_rv) { - VB2_DEBUG("TPM: lock secdata_kernel returned %#x\n", tpm_rv); - vb2api_fail(ctx, VB2_RECOVERY_RW_TPM_L_ERROR, tpm_rv); - return VB2_ERROR_SECDATA_KERNEL_LOCK; - } - - return VB2_SUCCESS; -} - vb2_error_t vb2_commit_data(struct vb2_context *ctx) { - vb2_error_t call_rv; - vb2_error_t rv = VB2_SUCCESS; - uint32_t tpm_rv; - - /* Write secdata spaces. vboot never writes back to secdata_fwmp. */ - tpm_rv = secdata_firmware_write(ctx); - if (tpm_rv && !(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) { - VB2_DEBUG("TPM: write secdata_firmware returned %#x\n", tpm_rv); - vb2api_fail(ctx, VB2_RECOVERY_RW_TPM_W_ERROR, tpm_rv); - rv = VB2_ERROR_SECDATA_FIRMWARE_WRITE; - } - - tpm_rv = secdata_kernel_write(ctx); - if (tpm_rv && !(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) { - VB2_DEBUG("TPM: write secdata_kernel returned %#x\n", tpm_rv); - vb2api_fail(ctx, VB2_RECOVERY_RW_TPM_W_ERROR, tpm_rv); - if (rv == VB2_SUCCESS) - rv = VB2_ERROR_SECDATA_KERNEL_WRITE; - } + vb2_error_t rv = vb2ex_commit_data(ctx); - /* Always try to write nvdata, since it may have been changed by - setting a recovery reason above. */ + switch (rv) { + case VB2_SUCCESS: + break; - /* TODO(chromium:972956, chromium:1006689): Currently only commits - nvdata, but should eventually also commit secdata. */ - call_rv = vb2ex_commit_data(ctx); - switch (call_rv) { - case VB2_ERROR_NV_WRITE: - /* Don't bother with vb2api_fail since we can't write - nvdata anyways. 
*/ - if (ctx->flags & VB2_CONTEXT_RECOVERY_MODE) { - VB2_DEBUG("write nvdata failed\n"); - if (rv == VB2_SUCCESS) - rv = call_rv; - } else { - /* Impossible to enter recovery mode */ - VB2_DIE("write nvdata failed\n"); + case VB2_ERROR_SECDATA_FIRMWARE_WRITE: + if (!(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) { + vb2api_fail(ctx, VB2_RECOVERY_RW_TPM_W_ERROR, rv); + /* Run again to set recovery reason in nvdata. */ + vb2ex_commit_data(ctx); + return rv; } break; - case VB2_SUCCESS: + case VB2_ERROR_SECDATA_KERNEL_WRITE: + if (!(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) { + vb2api_fail(ctx, VB2_RECOVERY_RW_TPM_W_ERROR, rv); + /* Run again to set recovery reason in nvdata. */ + vb2ex_commit_data(ctx); + return rv; + } break; default: - VB2_DEBUG("unknown commit error: %#x\n", call_rv); - if (!(ctx->flags & VB2_CONTEXT_RECOVERY_MODE) && - rv == VB2_SUCCESS) - rv = call_rv; + VB2_DEBUG("unknown commit error: %#x\n", rv); + VBOOT_FALLTHROUGH; + + case VB2_ERROR_NV_WRITE: + if (!(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) + /* + * We can't write to nvdata, so it's impossible to + * trigger recovery mode. Skip calling vb2api_fail + * and just die. + */ + VB2_DIE("write nvdata failed\n"); break; } - return rv; + return VB2_SUCCESS; } vb2_error_t VbSelectAndLoadKernel(struct vb2_context *ctx, @@ -498,11 +448,6 @@ vb2_error_t VbSelectAndLoadKernel(struct vb2_context *ctx, if (rv == VB2_SUCCESS) rv = call_rv; - /* Lock secdata_kernel, but retain any previous errors */ - call_rv = vb2_secdata_kernel_lock(ctx); - if (rv == VB2_SUCCESS) - rv = call_rv; - /* Pass through return value from boot path */ VB2_DEBUG("Returning %#x\n", rv); return rv; diff --git a/firmware/lib/vboot_kernel.c b/firmware/lib/vboot_kernel.c index 4fc4d347..7821c418 100644 --- a/firmware/lib/vboot_kernel.c +++ b/firmware/lib/vboot_kernel.c 
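Review bot: In vb2_commit_data, the second `vb2ex_commit_data(ctx)` call in the two secdata write-failure cases discards its return value, so if that retry also fails to write nvdata the function returns the secdata error with no recovery reason stored, whereas the same nvdata failure on the first call outside recovery mode ends in `VB2_DIE`. Checking the retry, for example `if (vb2ex_commit_data(ctx) == VB2_ERROR_NV_WRITE) VB2_DIE("write nvdata failed\n");`, would keep the two paths consistent. The `default:` case falls through to `VB2_DIE("write nvdata failed\n")`, which reports an unknown error as an nvdata failure. In recovery mode an nvdata write failure now returns VB2_SUCCESS silently, where the removed code logged it and returned the error; a `VB2_DEBUG` before that `break` would keep it visible. The two secdata cases have identical bodies and could share one by stacking the `case` labels.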
@@ -17,7 +17,6 @@ #include "cgptlib_internal.h" #include "gpt_misc.h" #include "load_kernel_fw.h" -#include "secdata_tpm.h" #include "utility.h" #include "vb2_common.h" #include "vboot_api.h" diff --git a/firmware/lib/vboot_ui.c b/firmware/lib/vboot_ui.c index 2c99884f..55b09e94 100644 --- a/firmware/lib/vboot_ui.c +++ b/firmware/lib/vboot_ui.c @@ -12,7 +12,6 @@ #include "2secdata.h" #include "2sysincludes.h" #include "load_kernel_fw.h" -#include "secdata_tpm.h" #include "tlcl.h" #include "utility.h" #include "vb2_common.h" @@ -468,16 +467,7 @@ static vb2_error_t vb2_diagnostics_ui(struct vb2_context *ctx) if (action_confirmed) { VB2_DEBUG("Diagnostic requested, running\n"); - /* - * The following helps avoid use of the TPM after - * it's disabled (e.g., when vb2_try_altfw() calls - * secdata_kernel_lock() ). - */ - - if (secdata_kernel_lock(ctx)) { - VB2_DEBUG("Failed to lock TPM PP\n"); - vb2api_fail(ctx, VB2_RECOVERY_TPM_DISABLE_FAILED, 0); - } else if (vb2ex_tpm_set_mode(VB2_TPM_MODE_DISABLED) != + if (vb2ex_tpm_set_mode(VB2_TPM_MODE_DISABLED) != VB2_SUCCESS) { VB2_DEBUG("Failed to disable TPM\n"); vb2api_fail(ctx, VB2_RECOVERY_TPM_DISABLE_FAILED, 0); diff --git a/firmware/lib/vboot_ui_common.c b/firmware/lib/vboot_ui_common.c index 5bd0500c..49e20fd4 100644 --- a/firmware/lib/vboot_ui_common.c +++ b/firmware/lib/vboot_ui_common.c @@ -7,7 +7,6 @@ #include "2common.h" #include "2sysincludes.h" -#include "secdata_tpm.h" #include "vboot_api.h" #include "vboot_kernel.h" #include "vboot_ui_common.h" @@ -73,12 +72,6 @@ void vb2_try_altfw(struct vb2_context *ctx, int allowed, return; } - if (secdata_kernel_lock(ctx)) { - vb2_error_notify("Error locking kernel versions on legacy " - "boot.\n", NULL, VB_BEEP_FAILED); - return; - } - /* Will not return if successful */ VbExLegacy(altfw_num); diff --git a/firmware/lib/vboot_ui_menu.c b/firmware/lib/vboot_ui_menu.c index 31ab3c16..d090fc06 100644 --- a/firmware/lib/vboot_ui_menu.c +++ b/firmware/lib/vboot_ui_menu.c 
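Review bot: In vb2_diagnostics_ui the new `if (vb2ex_tpm_set_mode(VB2_TPM_MODE_DISABLED) != VB2_SUCCESS)` is no longer preceded by `secdata_kernel_lock()`, and nothing visible in this change says who now locks the kernel space before control leaves vboot. The same applies to the lock removed before `VbExLegacy(altfw_num)` in vb2_try_altfw (vboot_ui_common.c) and at the end of VbSelectAndLoadKernel (vboot_api_kernel.c). If the caller does not lock secdata_kernel on these paths, the kernel version data presumably stays writable by whatever runs next, so the contract should be written down at each exit point, for example `/* secdata_kernel is not locked here; the vboot caller must lock it before the payload runs. */`. All three functions start and end outside their hunks, so the caller-side handling cannot be confirmed from this page.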
@@ -12,7 +12,6 @@ #include "2secdata.h" #include "2sysincludes.h" #include "load_kernel_fw.h" -#include "secdata_tpm.h" #include "utility.h" #include "vb2_common.h" #include "vboot_api.h" diff --git a/firmware/stub/vboot_api_stub_init.c b/firmware/stub/vboot_api_stub_init.c index d533325c..4688a7ea 100644 --- a/firmware/stub/vboot_api_stub_init.c +++ b/firmware/stub/vboot_api_stub_init.c @@ -5,12 +5,9 @@ * Stub implementations of firmware-provided API functions. */ - #include #include -#include #include -#include #include #include "2common.h" @@ -25,6 +22,8 @@ uint64_t VbExGetTimer(void) vb2_error_t vb2ex_commit_data(struct vb2_context *ctx) { + ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED; + ctx->flags &= ~VB2_CONTEXT_SECDATA_KERNEL_CHANGED; ctx->flags &= ~VB2_CONTEXT_NVDATA_CHANGED; return VB2_SUCCESS; } diff --git a/tests/secdata_tpm_tests.c b/tests/secdata_tpm_tests.c deleted file mode 100644 index 32285ded..00000000 --- a/tests/secdata_tpm_tests.c +++ /dev/null 
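Review bot: The stub `vb2ex_commit_data` now clears `VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED` and `VB2_CONTEXT_SECDATA_KERNEL_CHANGED` and returns VB2_SUCCESS without storing anything, and no comment says so. vb2_commit_data in this commit relies on this callback alone for secdata persistence, so any build that links the stub reports a clean commit while dropping every secdata update. I would add `/* Stub: persists nothing; only clears the *_CHANGED flags. Real firmware must supply its own vb2ex_commit_data. */` above the function. The three clears could also be a single statement masking all three flags.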
@@ -1,587 +0,0 @@ -/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Tests for TPM secure data space functions - */ - -#include "2api.h" -#include "2secdata.h" -#include "secdata_tpm.h" -#include "test_common.h" -#include "tlcl.h" -#include "tss_constants.h" -#include "vboot_test.h" - -/* - * Buffer to hold accumulated list of calls to mocked Tlcl functions. - * Each function appends itself to the buffer and updates mock_cnext. - * - * Size of mock_calls[] should be big enough to handle all expected - * call sequences; 16KB should be plenty since none of the sequences - * below is more than a few hundred bytes. We could be more clever - * and use snprintf() with length checking below, at the expense of - * making all the mock implementations bigger. If this were code used - * outside of unit tests we'd want to do that, but here if we did - * overrun the buffer the worst that's likely to happen is we'll crash - * the test, and crash = failure anyway. - */ -static char mock_calls[16384]; -static char *mock_cnext = mock_calls; - -/* - * Variables to support mocked error values from Tlcl functions. Each - * call, mock_count is incremented. If mock_count==fail_at_count, return - * fail_with_error instead of the normal return value. - */ -static int mock_count = 0; -static int fail_at_count = 0; -static uint32_t fail_with_error = TPM_SUCCESS; -static int mock_bad_crc = 0; - -/* Params / backing store for mocked Tlcl functions. 
*/ -static TPM_PERMANENT_FLAGS mock_pflags; -static uint8_t mock_rsf[VB2_SECDATA_FIRMWARE_SIZE]; -static uint8_t mock_rsk[VB2_SECDATA_KERNEL_SIZE]; -static uint8_t mock_fwmp[VB2_SECDATA_FWMP_MAX_SIZE]; -static uint32_t mock_fwmp_real_size; -static uint32_t mock_permissions; - -static uint8_t workbuf[VB2_FIRMWARE_WORKBUF_RECOMMENDED_SIZE] - __attribute__ ((aligned (VB2_WORKBUF_ALIGN))); -static struct vb2_context *ctx; - -/* Reset the variables for the Tlcl mock functions. */ -static void reset_common_data(int fail_on_call, uint32_t fail_with_err) -{ - *mock_calls = 0; - mock_cnext = mock_calls; - mock_count = 0; - fail_at_count = fail_on_call; - fail_with_error = fail_with_err; - mock_bad_crc = 0; - - memset(&mock_pflags, 0, sizeof(mock_pflags)); - - /* Use value other than 0 for memcmp() checks */ - memset(&mock_rsf, 0xa6, sizeof(mock_rsf)); - memset(&mock_rsk, 0xa7, sizeof(mock_rsk)); - memset(&mock_fwmp, 0xa8, sizeof(mock_fwmp)); - - mock_fwmp_real_size = VB2_SECDATA_FWMP_MIN_SIZE; - - /* Note: only used when TPM2_MODE is disabled. 
*/ -#ifndef TPM2_MODE - mock_permissions = TPM_NV_PER_PPWRITE; -#else - mock_permissions = 0; -#endif - - secdata_kernel_locked = 0; - - TEST_SUCC(vb2api_init(workbuf, sizeof(workbuf), &ctx), - "vb2api_init failed"); - - ctx->flags |= VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED; - ctx->flags |= VB2_CONTEXT_SECDATA_KERNEL_CHANGED; - ctx->flags |= VB2_CONTEXT_RECOVERY_MODE; -} - -/* Mock functions */ - -vb2_error_t vb2api_secdata_firmware_check(struct vb2_context *c) -{ - if (mock_bad_crc) - return VB2_ERROR_SECDATA_FIRMWARE_CRC; - - return VB2_SUCCESS; -} - -vb2_error_t vb2api_secdata_kernel_check(struct vb2_context *c) -{ - if (mock_bad_crc) - return VB2_ERROR_SECDATA_FIRMWARE_CRC; - - return VB2_SUCCESS; -} - -vb2_error_t vb2api_secdata_fwmp_check(struct vb2_context *c, uint8_t *size) -{ - if (*size < mock_fwmp_real_size) { - *size = mock_fwmp_real_size; - return VB2_ERROR_SECDATA_FWMP_INCOMPLETE; - } - - if (mock_bad_crc) - return VB2_ERROR_SECDATA_FIRMWARE_CRC; - - return VB2_SUCCESS; -} - -/****************************************************************************/ -/* Mocks for tlcl functions which log the calls made to mock_calls[]. */ - -uint32_t TlclLibInit(void) -{ - mock_cnext += sprintf(mock_cnext, "TlclLibInit()\n"); - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclStartup(void) -{ - mock_cnext += sprintf(mock_cnext, "TlclStartup()\n"); - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclResume(void) -{ - mock_cnext += sprintf(mock_cnext, "TlclResume()\n"); - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclForceClear(void) -{ - mock_cnext += sprintf(mock_cnext, "TlclForceClear()\n"); - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclSetEnable(void) -{ - mock_cnext += sprintf(mock_cnext, "TlclSetEnable()\n"); - return (++mock_count == fail_at_count) ? 
fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclSetDeactivated(uint8_t flag) -{ - mock_cnext += sprintf(mock_cnext, "TlclSetDeactivated(%d)\n", flag); - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclRead(uint32_t index, void* data, uint32_t length) -{ - mock_cnext += sprintf(mock_cnext, "TlclRead(%#x, %d)\n", - index, length); - - if (FIRMWARE_NV_INDEX == index) { - TEST_EQ(length, sizeof(mock_rsf), "TlclRead rsf size"); - memcpy(data, &mock_rsf, length); - } else if (KERNEL_NV_INDEX == index) { - TEST_EQ(length, sizeof(mock_rsk), "TlclRead rsk size"); - memcpy(data, &mock_rsk, length); - } else if (FWMP_NV_INDEX == index) { - memset(data, 0, length); - if (length > sizeof(mock_fwmp)) - length = sizeof(mock_fwmp); - memcpy(data, &mock_fwmp, length); - } else { - memset(data, 0, length); - } - - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclWrite(uint32_t index, const void *data, uint32_t length) -{ - mock_cnext += sprintf(mock_cnext, "TlclWrite(%#x, %d)\n", - index, length); - - if (FIRMWARE_NV_INDEX == index) { - TEST_EQ(length, sizeof(mock_rsf), "TlclWrite rsf size"); - memcpy(&mock_rsf, data, length); - } else if (KERNEL_NV_INDEX == index) { - TEST_EQ(length, sizeof(mock_rsk), "TlclWrite rsk size"); - memcpy(&mock_rsk, data, length); - } - - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclDefineSpace(uint32_t index, uint32_t perm, uint32_t size) -{ - mock_cnext += sprintf(mock_cnext, "TlclDefineSpace(%#x, %#x, %d)\n", - index, perm, size); - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclSelfTestFull(void) -{ - mock_cnext += sprintf(mock_cnext, "TlclSelfTestFull()\n"); - return (++mock_count == fail_at_count) ? 
fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclContinueSelfTest(void) -{ - mock_cnext += sprintf(mock_cnext, "TlclContinueSelfTest()\n"); - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclGetPermanentFlags(TPM_PERMANENT_FLAGS *pflags) -{ - mock_cnext += sprintf(mock_cnext, "TlclGetPermanentFlags()\n"); - memcpy(pflags, &mock_pflags, sizeof(mock_pflags)); - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -/* TlclGetFlags() doesn't need mocking; it calls TlclGetPermanentFlags() */ - -uint32_t TlclAssertPhysicalPresence(void) -{ - mock_cnext += sprintf(mock_cnext, "TlclAssertPhysicalPresence()\n"); - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclPhysicalPresenceCMDEnable(void) -{ - mock_cnext += sprintf(mock_cnext, "TlclPhysicalPresenceCMDEnable()\n"); - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclSetGlobalLock(void) -{ - mock_cnext += sprintf(mock_cnext, "TlclSetGlobalLock()\n"); - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclLockPhysicalPresence(void) -{ - mock_cnext += sprintf(mock_cnext, "TlclLockPhysicalPresence()\n"); - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -#ifndef TPM2_MODE -uint32_t TlclGetPermissions(uint32_t index, uint32_t* permissions) -{ - mock_cnext += sprintf(mock_cnext, "TlclGetPermissions(%#x)\n", index); - *permissions = mock_permissions; - return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS; -} - -uint32_t TlclFinalizePhysicalPresence(void) -{ - mock_cnext += sprintf(mock_cnext, "TlclFinalizePhysicalPresence()\n"); - mock_pflags.physicalPresenceLifetimeLock = 1; - return (++mock_count == fail_at_count) ? 
fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclSetNvLocked(void)
-{
- mock_cnext += sprintf(mock_cnext, "TlclSetNvLocked()\n");
- mock_pflags.nvLocked = 1;
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-#endif
-
-/****************************************************************************/
-/* Tests for misc helper functions */
-
-static void misc_tests(void)
-{
- uint8_t buf[8];
-
- reset_common_data(0, 0);
- TEST_EQ(tlcl_clear_and_reenable(), 0, "tlcl_clear_and_enable()");
- TEST_STR_EQ(mock_calls,
- "TlclForceClear()\n"
- "TlclSetEnable()\n"
- "TlclSetDeactivated(0)\n",
- " tlcl calls");
-
- reset_common_data(0, 0);
- TEST_EQ(tlcl_safe_write(0x123, buf, 8), 0, "tlcl_safe_write()");
- TEST_STR_EQ(mock_calls,
- "TlclWrite(0x123, 8)\n",
- " tlcl calls");
-
- reset_common_data(1, TPM_E_BADINDEX);
- TEST_EQ(tlcl_safe_write(0x123, buf, 8), TPM_E_BADINDEX,
- "tlcl_safe_write() bad");
- TEST_STR_EQ(mock_calls,
- "TlclWrite(0x123, 8)\n",
- " tlcl calls");
-
- reset_common_data(1, TPM_E_MAXNVWRITES);
- TEST_EQ(tlcl_safe_write(0x123, buf, 8), 0,
- "tlcl_safe_write() retry max writes");
- TEST_STR_EQ(mock_calls,
- "TlclWrite(0x123, 8)\n"
- "TlclForceClear()\n"
- "TlclSetEnable()\n"
- "TlclSetDeactivated(0)\n"
- "TlclWrite(0x123, 8)\n",
- " tlcl calls");
-}
-
-/****************************************************************************/
-/* Tests for firmware space functions */
-
-static void secdata_firmware_tests(void)
-{
- /* Write with no new changes */
- reset_common_data(0, 0);
- ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED;
- TEST_SUCC(secdata_firmware_write(ctx),
- "secdata_firmware_write(), no changes, success");
- TEST_STR_EQ(mock_calls,
- "",
- " tlcl calls");
-
- /* Write failure */
- reset_common_data(1, TPM_E_IOERROR);
- TEST_EQ(secdata_firmware_write(ctx), TPM_E_IOERROR,
- "secdata_firmware_write(), failure");
- TEST_STR_EQ(mock_calls,
- "TlclWrite(0x1007, 10)\n",
- " tlcl calls");
- TEST_NEQ(ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED, 0,
- " should leave SECDATA_FIRMWARE_CHANGED context flag");
-
- /* Write in normal mode */
- reset_common_data(0, 0);
- ctx->flags &= ~VB2_CONTEXT_RECOVERY_MODE;
- TEST_EQ(secdata_firmware_write(ctx), TPM_E_AREA_LOCKED,
- "secdata_firmware_write(), normal mode, failure");
- TEST_STR_EQ(mock_calls,
- "",
- " tlcl calls");
- TEST_NEQ(ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED, 0,
- " should leave SECDATA_FIRMWARE_CHANGED context flag");
-
- /* Write success and readback */
- reset_common_data(0, 0);
- memset(ctx->secdata_firmware, 0xaa, sizeof(ctx->secdata_firmware));
- TEST_SUCC(secdata_firmware_write(ctx),
- "secdata_firmware_write(), success");
- TEST_STR_EQ(mock_calls,
- "TlclWrite(0x1007, 10)\n",
- " tlcl calls");
- memset(ctx->secdata_firmware, 0xaa, sizeof(ctx->secdata_firmware));
- TEST_EQ(memcmp(ctx->secdata_firmware, &mock_rsf,
- sizeof(ctx->secdata_firmware)), 0,
- " unchanged on readback");
- TEST_EQ(ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED, 0,
- " should reset SECDATA_FIRMWARE_CHANGED context flag");
-}
-
-/****************************************************************************/
-/* Tests for kernel space functions */
-
-static void secdata_kernel_tests(void)
-{
- /* Not present is an error */
- reset_common_data(1, TPM_E_BADINDEX);
- TEST_EQ(secdata_kernel_read(ctx), TPM_E_BADINDEX,
- "secdata_kernel_read(), not present");
- TEST_STR_EQ(mock_calls,
-#ifndef TPM2_MODE
- "TlclGetPermissions(0x1008)\n",
-#else
- "TlclRead(0x1008, 13)\n",
-#endif
- " tlcl calls");
-
-#ifndef TPM2_MODE
- /* Bad permissions */
- reset_common_data(0, 0);
- mock_permissions = 0;
- TEST_EQ(secdata_kernel_read(ctx), TPM_E_CORRUPTED_STATE,
- "secdata_kernel_read(), bad permissions");
- TEST_STR_EQ(mock_calls,
- "TlclGetPermissions(0x1008)\n",
- " tlcl calls");
-#endif
-
- /* Good permissions, read failure */
-#ifndef TPM2_MODE
- int read_failure_on_call = 2;
-#else
- int read_failure_on_call = 1;
-#endif
- reset_common_data(read_failure_on_call, TPM_E_IOERROR);
- TEST_EQ(secdata_kernel_read(ctx), TPM_E_IOERROR,
- "secdata_kernel_read(), good permissions, failure");
- TEST_STR_EQ(mock_calls,
-#ifndef TPM2_MODE
- "TlclGetPermissions(0x1008)\n"
-#endif
- "TlclRead(0x1008, 13)\n",
- " tlcl calls");
-
- /* Good permissions, read success, bad CRC */
- reset_common_data(0, 0);
- mock_bad_crc = 1;
- TEST_EQ(secdata_kernel_read(ctx), TPM_E_CORRUPTED_STATE,
- "secdata_kernel_read(), read success, bad CRC");
- TEST_STR_EQ(mock_calls,
-#ifndef TPM2_MODE
- "TlclGetPermissions(0x1008)\n"
-#endif
- "TlclRead(0x1008, 13)\n",
- " tlcl calls");
-
- /* Good permissions, read success */
- reset_common_data(0, 0);
- TEST_SUCC(secdata_kernel_read(ctx),
- "secdata_kernel_read(), good permissions, success");
- TEST_STR_EQ(mock_calls,
-#ifndef TPM2_MODE
- "TlclGetPermissions(0x1008)\n"
-#endif
- "TlclRead(0x1008, 13)\n",
- " tlcl calls");
- TEST_EQ(memcmp(ctx->secdata_kernel, &mock_rsk,
- sizeof(ctx->secdata_kernel)), 0, " data");
-
- /* Write with no new changes */
- reset_common_data(0, 0);
- ctx->flags &= ~VB2_CONTEXT_SECDATA_KERNEL_CHANGED;
- TEST_SUCC(secdata_kernel_write(ctx),
- "secdata_kernel_write(), no changes, success");
- TEST_STR_EQ(mock_calls,
- "",
- " tlcl calls");
-
- /* Write failure */
- reset_common_data(1, TPM_E_IOERROR);
- TEST_EQ(secdata_kernel_write(ctx), TPM_E_IOERROR,
- "secdata_kernel_write(), failure");
- TEST_STR_EQ(mock_calls,
- "TlclWrite(0x1008, 13)\n",
- " tlcl calls");
- TEST_NEQ(ctx->flags & VB2_CONTEXT_SECDATA_KERNEL_CHANGED, 0,
- " should leave SECDATA_KERNEL_CHANGED context flag");
-
- /* Write success and readback */
- reset_common_data(0, 0);
- memset(ctx->secdata_kernel, 0xaa, sizeof(ctx->secdata_kernel));
- TEST_SUCC(secdata_kernel_write(ctx),
- "secdata_kernel_write(), failure");
- TEST_STR_EQ(mock_calls,
- "TlclWrite(0x1008, 13)\n",
- " tlcl calls");
- memset(ctx->secdata_kernel, 0xaa, sizeof(ctx->secdata_kernel));
- TEST_EQ(memcmp(ctx->secdata_kernel, &mock_rsk,
- sizeof(ctx->secdata_kernel)), 0,
- " unchanged on readback");
- TEST_EQ(ctx->flags & VB2_CONTEXT_SECDATA_KERNEL_CHANGED, 0,
- " should reset SECDATA_KERNEL_CHANGED context flag");
-
- /* Lock in normal mode with failure */
- reset_common_data(1, TPM_E_AREA_LOCKED);
- TEST_EQ(secdata_kernel_lock(ctx), TPM_E_AREA_LOCKED,
- "secdata_kernel_lock(), lock failure");
- TEST_STR_EQ(mock_calls,
- "TlclLockPhysicalPresence()\n",
- " tlcl calls");
-
- /* Lock in normal mode */
- reset_common_data(0, 0);
- TEST_SUCC(secdata_kernel_lock(ctx),
- "secdata_kernel_lock(), success (locked)");
- TEST_STR_EQ(mock_calls,
- "TlclLockPhysicalPresence()\n",
- " tlcl calls");
-
- /* Lock after already locked (only one TlclLockPhysicalPresence). */
- reset_common_data(0, 0);
- TEST_SUCC(secdata_kernel_lock(ctx),
- "secdata_kernel_lock(), lock first run");
- TEST_SUCC(secdata_kernel_lock(ctx),
- "secdata_kernel_lock(), already locked");
- TEST_STR_EQ(mock_calls,
- "TlclLockPhysicalPresence()\n",
- " tlcl calls");
-}
-
-/****************************************************************************/
-/* Tests for fwmp space functions */
-
-static void secdata_fwmp_tests(void)
-{
- /* Read failure */
- reset_common_data(1, TPM_E_IOERROR);
- TEST_EQ(secdata_fwmp_read(ctx), TPM_E_IOERROR,
- "secdata_fwmp_read(), failure");
- TEST_STR_EQ(mock_calls,
- "TlclRead(0x100a, 40)\n",
- " tlcl calls");
- TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
- " should leave NO_SECDATA_FWMP context flag");
-
- /* Normal read, bad CRC */
- reset_common_data(0, 0);
- mock_bad_crc = 1;
- TEST_EQ(secdata_fwmp_read(ctx), TPM_E_CORRUPTED_STATE,
- "secdata_fwmp_read(), success, bad CRC");
- TEST_STR_EQ(mock_calls,
- "TlclRead(0x100a, 40)\n",
- " tlcl calls");
- TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
- " should leave NO_SECDATA_FWMP context flag");
-
- /* Normal read */
- reset_common_data(0, 0);
- TEST_SUCC(secdata_fwmp_read(ctx),
- "secdata_fwmp_read(), success");
- TEST_STR_EQ(mock_calls,
- "TlclRead(0x100a, 40)\n",
- " tlcl calls");
- TEST_EQ(memcmp(ctx->secdata_fwmp, &mock_fwmp,
- mock_fwmp_real_size), 0, " data");
- TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
- " should leave NO_SECDATA_FWMP context flag");
-
- /* Read error */
- reset_common_data(1, TPM_E_IOERROR);
- TEST_EQ(secdata_fwmp_read(ctx), TPM_E_IOERROR,
- "secdata_fwmp_read(), error");
- TEST_STR_EQ(mock_calls,
- "TlclRead(0x100a, 40)\n",
- " tlcl calls");
- TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
- " should leave NO_SECDATA_FWMP context flag");
-
- /* Not present isn't an error; just sets context flag */
- reset_common_data(1, TPM_E_BADINDEX);
- TEST_SUCC(secdata_fwmp_read(ctx), "secdata_fwmp_read(), not present");
- TEST_STR_EQ(mock_calls,
- "TlclRead(0x100a, 40)\n",
- " tlcl calls");
- TEST_NEQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
- " should set NO_SECDATA_FWMP context flag");
-
- /* Struct size too large, then bad CRC */
- reset_common_data(0, 0);
- mock_fwmp_real_size += 4;
- mock_bad_crc = 1;
- TEST_EQ(secdata_fwmp_read(ctx), TPM_E_CORRUPTED_STATE,
- "secdata_fwmp_read(), bigger, bad CRC");
- TEST_STR_EQ(mock_calls,
- "TlclRead(0x100a, 40)\n"
- "TlclRead(0x100a, 44)\n",
- " tlcl calls");
- TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
- " should leave NO_SECDATA_FWMP context flag");
-
- /* Struct size too large */
- reset_common_data(0, 0);
- mock_fwmp_real_size += 4;
- TEST_SUCC(secdata_fwmp_read(ctx), "secdata_fwmp_read(), bigger");
- TEST_STR_EQ(mock_calls,
- "TlclRead(0x100a, 40)\n"
- "TlclRead(0x100a, 44)\n",
- " tlcl calls");
- TEST_EQ(memcmp(ctx->secdata_fwmp, &mock_fwmp,
- mock_fwmp_real_size), 0, " data");
- TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
- " should leave NO_SECDATA_FWMP context flag");
-}
-
-int main(int argc, char* argv[])
-{
- misc_tests();
- secdata_firmware_tests();
- secdata_kernel_tests();
- secdata_fwmp_tests();
-
- return gTestSuccess ?
0 : 255; -} diff --git a/tests/vb2_auxfw_sync_tests.c b/tests/vb2_auxfw_sync_tests.c index 48cb206a..622b3030 100644 --- a/tests/vb2_auxfw_sync_tests.c +++ b/tests/vb2_auxfw_sync_tests.c @@ -15,7 +15,6 @@ #include "2sysincludes.h" #include "host_common.h" #include "load_kernel_fw.h" -#include "secdata_tpm.h" #include "test_common.h" #include "vboot_audio.h" #include "vboot_display.h" diff --git a/tests/vb2_ec_sync_tests.c b/tests/vb2_ec_sync_tests.c index 085cefba..a4449308 100644 --- a/tests/vb2_ec_sync_tests.c +++ b/tests/vb2_ec_sync_tests.c @@ -11,7 +11,6 @@ #include "2sysincludes.h" #include "host_common.h" #include "load_kernel_fw.h" -#include "secdata_tpm.h" #include "test_common.h" #include "vboot_audio.h" #include "vboot_display.h" diff --git a/tests/vboot_api_devmode_tests.c b/tests/vboot_api_devmode_tests.c index a26b9f67..3706dbe7 100644 --- a/tests/vboot_api_devmode_tests.c +++ b/tests/vboot_api_devmode_tests.c @@ -18,7 +18,6 @@ #include "crc32.h" #include "host_common.h" #include "load_kernel_fw.h" -#include "secdata_tpm.h" #include "test_common.h" #include "vboot_display.h" #include "vboot_kernel.h" diff --git a/tests/vboot_api_kernel2_tests.c b/tests/vboot_api_kernel2_tests.c index 81db3958..14843fe1 100644 --- a/tests/vboot_api_kernel2_tests.c +++ b/tests/vboot_api_kernel2_tests.c @@ -12,7 +12,6 @@ #include "2secdata_struct.h" #include "host_common.h" #include "load_kernel_fw.h" -#include "secdata_tpm.h" #include "test_common.h" #include "tss_constants.h" #include "vboot_audio.h" @@ -133,11 +132,6 @@ static void ResetMocks(void) /* Mock functions */ -uint32_t secdata_kernel_lock(struct vb2_context *c) -{ - return TPM_SUCCESS; -} - struct vb2_gbb_header *vb2_get_gbb(struct vb2_context *c) { return &gbb; diff --git a/tests/vboot_api_kernel4_tests.c b/tests/vboot_api_kernel4_tests.c index d413024e..cbae595c 100644 --- a/tests/vboot_api_kernel4_tests.c +++ b/tests/vboot_api_kernel4_tests.c 
@@ -13,7 +13,6 @@ #include "2sysincludes.h" #include "host_common.h" #include "load_kernel_fw.h" -#include "secdata_tpm.h" #include "test_common.h" #include "tlcl.h" #include "tss_constants.h" @@ -34,17 +33,15 @@ static struct vb2_gbb_header gbb; static uint32_t kernel_version; static uint32_t new_version; -static uint8_t fwmp_buf[VB2_SECDATA_FWMP_MIN_SIZE]; -static uint32_t kernel_read_retval; -static uint32_t kernel_write_retval; -static uint32_t kernel_lock_retval; -static uint32_t fwmp_read_retval; static vb2_error_t vbboot_retval; +static vb2_error_t commit_data_retval; +static int commit_data_called; +static vb2_error_t secdata_kernel_init_retval; +static vb2_error_t secdata_fwmp_init_retval; static uint32_t mock_switches[8]; static uint32_t mock_switches_count; static int mock_switches_are_stuck; -static int commit_data_called; /* Reset mock data (for use before each test) */ static void ResetMocks(void) @@ -68,14 +65,11 @@ static void ResetMocks(void) memset(&shared_data, 0, sizeof(shared_data)); - memset(&fwmp_buf, 0, sizeof(fwmp_buf)); - fwmp_read_retval = TPM_SUCCESS; - kernel_version = new_version = 0x10002; - kernel_read_retval = TPM_SUCCESS; - kernel_write_retval = TPM_SUCCESS; - kernel_lock_retval = TPM_SUCCESS; + commit_data_retval = VB2_SUCCESS; vbboot_retval = VB2_SUCCESS; + secdata_kernel_init_retval = VB2_SUCCESS; + secdata_fwmp_init_retval = VB2_SUCCESS; memset(mock_switches, 0, sizeof(mock_switches)); mock_switches_count = 0; 
@@ -87,43 +81,12 @@ static void ResetMocks(void) vb2_error_t vb2ex_commit_data(struct vb2_context *c) { commit_data_called = 1; - return VB2_SUCCESS; -} - -uint32_t secdata_firmware_write(struct vb2_context *c) -{ - return TPM_SUCCESS; -} - -uint32_t secdata_kernel_read(struct vb2_context *c) -{ - return kernel_read_retval; -} - -uint32_t secdata_kernel_write(struct vb2_context *c) -{ - return kernel_write_retval; -} - -uint32_t secdata_kernel_lock(struct vb2_context *c) -{ - return kernel_lock_retval; -} - -uint32_t secdata_fwmp_read(struct vb2_context *c) -{ - memcpy(&c->secdata_fwmp, &fwmp_buf, sizeof(fwmp_buf)); - return fwmp_read_retval; -} - -vb2_error_t vb2_secdata_firmware_init(struct vb2_context *c) -{ - return VB2_SUCCESS; + return commit_data_retval; } vb2_error_t vb2_secdata_kernel_init(struct vb2_context *c) { - return VB2_SUCCESS; + return secdata_kernel_init_retval; } uint32_t vb2_secdata_kernel_get(struct vb2_context *c, @@ -132,6 +95,11 @@ uint32_t vb2_secdata_kernel_get(struct vb2_context *c, return kernel_version; } +vb2_error_t vb2_secdata_fwmp_init(struct vb2_context *c) +{ + return secdata_fwmp_init_retval; +} + void vb2_secdata_kernel_set(struct vb2_context *c, enum vb2_secdata_kernel_param param, uint32_t value) @@ -222,12 +190,6 @@ static void VbSlkTest(void) gbb.flags |= VB2_GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC; test_slk(0, 0, "EC sync disabled by GBB"); - /* Rollback kernel version */ - ResetMocks(); - kernel_read_retval = 123; - test_slk(VB2_ERROR_SECDATA_KERNEL_READ, - VB2_RECOVERY_RW_TPM_R_ERROR, "Read kernel rollback"); - ResetMocks(); new_version = 0x20003; test_slk(0, 0, "Roll forward"); 
@@ -254,15 +216,10 @@ static void VbSlkTest(void) ResetMocks(); new_version = 0x20003; - kernel_write_retval = 123; + commit_data_retval = VB2_ERROR_SECDATA_KERNEL_WRITE; test_slk(VB2_ERROR_SECDATA_KERNEL_WRITE, VB2_RECOVERY_RW_TPM_W_ERROR, "Write kernel rollback"); - ResetMocks(); - kernel_lock_retval = 123; - test_slk(VB2_ERROR_SECDATA_KERNEL_LOCK, - VB2_RECOVERY_RW_TPM_L_ERROR, "Lock kernel rollback"); - /* Boot normal */ ResetMocks(); vbboot_retval = -1; @@ -282,6 +239,32 @@ static void VbSlkTest(void) " didn't commit nvdata"); } + /* Boot normal - secdata init failures */ + ResetMocks(); + secdata_kernel_init_retval = VB2_ERROR_UNKNOWN; + test_slk(secdata_kernel_init_retval, VB2_RECOVERY_SECDATA_KERNEL_INIT, + "Normal secdata_kernel init error triggers recovery"); + + ResetMocks(); + secdata_fwmp_init_retval = VB2_ERROR_UNKNOWN; + test_slk(secdata_fwmp_init_retval, VB2_RECOVERY_SECDATA_FWMP_INIT, + "Normal secdata_fwmp init error triggers recovery"); + + /* Boot normal - commit data failures */ + ResetMocks(); + commit_data_retval = VB2_ERROR_SECDATA_FIRMWARE_WRITE; + test_slk(commit_data_retval, VB2_RECOVERY_RW_TPM_W_ERROR, + "Normal secdata_firmware write error triggers recovery"); + commit_data_retval = VB2_ERROR_SECDATA_KERNEL_WRITE; + test_slk(commit_data_retval, VB2_RECOVERY_RW_TPM_W_ERROR, + "Normal secdata_kernel write error triggers recovery"); + commit_data_retval = VB2_ERROR_NV_WRITE; + TEST_ABORT(VbSelectAndLoadKernel(ctx, shared, &kparams), + "Normal nvdata write error aborts"); + commit_data_retval = VB2_ERROR_UNKNOWN; + TEST_ABORT(VbSelectAndLoadKernel(ctx, shared, &kparams), + "Normal unknown commit error aborts"); + /* Boot dev */ ResetMocks(); sd->flags |= VB2_SD_FLAG_DEV_MODE_ENABLED; 
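Review bot: The "Lock kernel rollback" case is removed in the `@@ -254,15 +216,10 @@` hunk with nothing in its place, so VbSlkTest no longer has a case where locking the kernel rollback space fails during a normal boot. The commit message says secdata reads and writes now belong to the vboot caller; if locking moved there too, a short comment where the case used to be would tell the next reader that the gap is intentional, for example `/* Lock failures are not covered here; secdata_kernel locking is assumed to be done by the vboot caller. */`. The replacement write-failure case is now driven through `commit_data_retval`, which is the only secdata failure path this mock can still inject. VbSlkTest begins and ends outside the hunk.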
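Review bot: In the added "Boot normal - commit data failures" block of the `@@ -282,6 +239,32 @@` hunk, `ResetMocks()` runs only before the first case; the three cases after it only reassign `commit_data_retval` and inherit whatever state the previous call left behind. test_slk() is defined outside this hunk, but if it checks a stored recovery reason, the `VB2_ERROR_SECDATA_KERNEL_WRITE` case could pass on the `VB2_RECOVERY_RW_TPM_W_ERROR` left by the firmware-write case rather than on its own failure. Adding `ResetMocks();` before each `commit_data_retval = ...;` assignment keeps the cases independent. The recovery block in the `@@ -306,12 +289,17 @@` hunk has the same shape and would also need `sd->recovery_reason = 123;` repeated after each reset.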
@@ -306,12 +289,17 @@ static void VbSlkTest(void) test_slk(0, 0, "Recovery doesn't roll forward"); TEST_EQ(kernel_version, 0x10002, " version"); + /* Boot recovery - commit data failures */ ResetMocks(); sd->recovery_reason = 123; - kernel_read_retval = TPM_E_IOERROR; - kernel_write_retval = TPM_E_IOERROR; - kernel_lock_retval = TPM_E_IOERROR; - test_slk(0, 0, "Recovery ignore TPM errors"); + commit_data_retval = VB2_ERROR_SECDATA_FIRMWARE_WRITE; + test_slk(0, 0, "Recovery ignore secdata_firmware write error"); + commit_data_retval = VB2_ERROR_SECDATA_KERNEL_WRITE; + test_slk(0, 0, "Recovery ignore secdata_kernel write error"); + commit_data_retval = VB2_ERROR_NV_WRITE; + test_slk(0, 0, "Recovery return nvdata write error"); + commit_data_retval = VB2_ERROR_UNKNOWN; + test_slk(0, 0, "Recovery return unknown write error"); ResetMocks(); sd->recovery_reason = VB2_RECOVERY_TRAIN_AND_REBOOT; diff --git a/tests/vboot_api_kernel_tests.c b/tests/vboot_api_kernel_tests.c index 61077227..d7c32357 100644 --- a/tests/vboot_api_kernel_tests.c +++ b/tests/vboot_api_kernel_tests.c @@ -10,7 +10,6 @@ #include "2nvstorage.h" #include "2sysincludes.h" #include "load_kernel_fw.h" -#include "secdata_tpm.h" #include "test_common.h" #include "utility.h" #include "vboot_api.h" diff --git a/tests/vboot_detach_menu_tests.c b/tests/vboot_detach_menu_tests.c index 41c89dd5..8f839e9d 100644 --- a/tests/vboot_detach_menu_tests.c +++ b/tests/vboot_detach_menu_tests.c @@ -12,7 +12,6 @@ #include "2secdata_struct.h" #include "host_common.h" #include "load_kernel_fw.h" -#include "secdata_tpm.h" #include "test_common.h" #include "tss_constants.h" #include "vboot_api.h" @@ -126,11 +125,6 @@ static void ResetMocksForManualRecovery(void) /* Mock functions */ -uint32_t secdata_kernel_lock(struct vb2_context *c) -{ - return TPM_SUCCESS; -} - struct vb2_gbb_header *vb2_get_gbb(struct vb2_context *c) { return &gbb; 
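Review bot: The last two recovery cases in the `@@ -306,12 +289,17 @@` hunk are labelled "Recovery return nvdata write error" and "Recovery return unknown write error", yet both assert `test_slk(0, 0, ...)`, the same expectation as the two "Recovery ignore ..." cases above them. Either the labels should read `"Recovery ignore nvdata write error"` and `"Recovery ignore unknown write error"`, or the first argument should be `commit_data_retval` if recovery mode is really meant to hand these errors back. The normal-mode block added earlier in this file treats the same two codes as aborts, so a one-line comment stating which behaviour is intended in recovery mode would make the assertion reviewable. VbSlkTest continues outside the hunk.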
diff --git a/tests/vboot_display_tests.c b/tests/vboot_display_tests.c index 2fa5ac97..970025b9 100644 --- a/tests/vboot_display_tests.c +++ b/tests/vboot_display_tests.c @@ -16,7 +16,6 @@ #include "2struct.h" #include "2sysincludes.h" #include "host_common.h" -#include "secdata_tpm.h" #include "test_common.h" #include "vboot_display.h" #include "vboot_kernel.h" diff --git a/tests/vboot_kernel_tests.c b/tests/vboot_kernel_tests.c index 9063aeb6..fd0ccfd1 100644 --- a/tests/vboot_kernel_tests.c +++ b/tests/vboot_kernel_tests.c @@ -19,7 +19,6 @@ #include "gpt.h" #include "host_common.h" #include "load_kernel_fw.h" -#include "secdata_tpm.h" #include "test_common.h" #include "vb2_common.h" #include "vboot_api.h" diff --git a/utility/load_kernel_test.c b/utility/load_kernel_test.c index 89de19e8..cde3f610 100644 --- a/utility/load_kernel_test.c +++ b/utility/load_kernel_test.c @@ -15,7 +15,6 @@ #include "2sysincludes.h" #include "host_common.h" #include "load_kernel_fw.h" -#include "secdata_tpm.h" #include "vboot_kernel.h" #define LBA_BYTES 512 -- cgit v1.2.1