1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
|
/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*
* APIs provided by firmware to vboot_reference.
*
* General notes:
*
* All verified boot functions now start with "Vb" for namespace clarity. This
* fixes the problem where uboot and vboot both defined assert().
*
* Verified boot APIs to be implemented by the calling firmware and exported to
* vboot_reference start with "VbEx".
*
* TODO: split this file into a vboot_entry_points.h file which contains the
* entry points for the firmware to call vboot_reference, and a
* vboot_firmware_exports.h which contains the APIs to be implemented by the
* calling firmware and exported to vboot_reference.
*/
#ifndef VBOOT_REFERENCE_VBOOT_API_H_
#define VBOOT_REFERENCE_VBOOT_API_H_
#include <stdint.h>
#include <stdlib.h>
#include "../2lib/include/2return_codes.h"
#include "gpt.h"
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
struct vb2_context;
typedef struct VbSharedDataHeader VbSharedDataHeader;
/*****************************************************************************/
/* Main entry points from firmware into vboot_reference */
/*
* We use disk handles rather than indices. Using indices causes problems if
* a disk is removed/inserted in the middle of processing.
*/
typedef void *VbExDiskHandle_t;
typedef struct VbSelectAndLoadKernelParams {
/* Inputs to VbSelectAndLoadKernel() */
/* Destination buffer for kernel (normally at 0x100000 on x86) */
void *kernel_buffer;
/* Size of kernel buffer in bytes */
uint32_t kernel_buffer_size;
/*
* Outputs from VbSelectAndLoadKernel(); valid only if it returns
* success.
*/
/* Handle of disk containing loaded kernel */
VbExDiskHandle_t disk_handle;
/* Partition number on disk to boot (1...M) */
uint32_t partition_number;
/* Address of bootloader image in RAM */
uint64_t bootloader_address;
/* Size of bootloader image in bytes */
uint32_t bootloader_size;
/* UniquePartitionGuid for boot partition */
uint8_t partition_guid[16];
/* Flags set by signer */
uint32_t flags;
} VbSelectAndLoadKernelParams;
/**
* Select and loads the kernel.
*
* Returns VB2_SUCCESS if success, non-zero if error; on error, caller
* should reboot. */
vb2_error_t VbSelectAndLoadKernel(struct vb2_context *ctx,
VbSelectAndLoadKernelParams *kparams);
/*****************************************************************************/
/* Disk access (previously in boot_device.h) */
/* Flags for VbDisk APIs */
/*
* Disk selection in the lower 16 bits (where the disk lives), and disk
* attributes in the higher 16 bits (extra information about the disk
* needed to access it correctly).
*/
#define VB_DISK_FLAG_SELECT_MASK 0xffff
#define VB_DISK_FLAG_ATTRIBUTE_MASK (0xffff << 16)
/* Disk is removable. Example removable disks: SD cards, USB keys. */
#define VB_DISK_FLAG_REMOVABLE (1 << 0)
/*
* Disk is fixed. If this flag is present, disk is internal to the system and
* not removable. Example fixed disks: internal SATA SSD, eMMC.
*/
#define VB_DISK_FLAG_FIXED (1 << 1)
/*
* Note that VB_DISK_FLAG_REMOVABLE and VB_DISK_FLAG_FIXED are
* mutually-exclusive for a single disk. VbExDiskGetInfo() may specify both
* flags to request disks of both types in a single call.
*
* At some point we could specify additional flags, but we don't currently
* have a way to make use of these:
*
* USB Device is known to be attached to USB. Note that the SD
* card reader inside x86 systems is attached to USB so this
* isn't super useful.
* SD Device is known to be a SD card. Note that external card
* readers might not return this information, so also of
* questionable use.
* READ_ONLY Device is known to be read-only. Could be used by recovery
* when processing read-only recovery image.
*/
/*
* Disks are used in two ways:
* - As a random-access device to read and write the GPT
* - As a streaming device to read the kernel
* These are implemented differently on raw NAND vs eMMC/SATA/USB
* - On eMMC/SATA/USB, both of these refer to the same underlying
* storage, so they have the same size and LBA size. In this case,
* the GPT should not point to the same address as itself.
* - On raw NAND, the GPT is held on a portion of the SPI flash.
* Random access GPT operations refer to the SPI and streaming
* operations refer to NAND. The GPT may therefore point into
* the same offsets as itself.
* These types are distinguished by the following flag and VbDiskInfo
* has separate fields to describe the random-access ("GPT") and
* streaming aspects of the disk. If a disk is random-access (i.e.
* not raw NAND) then these fields are equal.
*/
#define VB_DISK_FLAG_EXTERNAL_GPT (1 << 16)
/* Information on a single disk */
typedef struct VbDiskInfo {
/* Disk handle */
VbExDiskHandle_t handle;
/* Size of a random-access LBA sector in bytes */
uint64_t bytes_per_lba;
/* Number of random-access LBA sectors on the device.
* If streaming_lba_count is 0, this stands in for the size of the
* randomly accessed portion as well as the streaming portion.
* Otherwise, this is only the randomly-accessed portion. */
uint64_t lba_count;
/* Number of streaming sectors on the device */
uint64_t streaming_lba_count;
/* Flags (see VB_DISK_FLAG_* constants) */
uint32_t flags;
/*
* Optional name string, for use in debugging. May be empty or null if
* not available.
*/
const char *name;
} VbDiskInfo;
/**
* Store information into [info] for all disks (storage devices) attached to
* the system which match all of the disk_flags.
*
* On output, count indicates how many disks are present, and [infos_ptr]
* points to a [count]-sized array of VbDiskInfo structs with the information
* on those disks; this pointer must be freed by calling VbExDiskFreeInfo().
* If count=0, infos_ptr may point to NULL. If [infos_ptr] points to NULL
* because count=0 or error, it is not necessary to call VbExDiskFreeInfo().
*
* A multi-function device (such as a 4-in-1 card reader) should provide
* multiple disk handles.
*
* The firmware must not alter or free the list pointed to by [infos_ptr] until
* VbExDiskFreeInfo() is called.
*/
vb2_error_t VbExDiskGetInfo(VbDiskInfo **infos_ptr, uint32_t *count,
uint32_t disk_flags);
/**
* Free a disk information list [infos] previously returned by
* VbExDiskGetInfo(). If [preserve_handle] != NULL, the firmware must ensure
* that handle remains valid after this call; all other handles from the info
* list need not remain valid after this call.
*/
vb2_error_t VbExDiskFreeInfo(VbDiskInfo *infos,
VbExDiskHandle_t preserve_handle);
/**
* Read lba_count LBA sectors, starting at sector lba_start, from the disk,
* into the buffer.
*
* This is used for random access to the GPT. It is not for the partition
* contents. The upper limit is lba_count.
*
* If the disk handle is invalid (for example, the handle refers to a disk
* which as been removed), the function must return error but must not
* crash.
*/
vb2_error_t VbExDiskRead(VbExDiskHandle_t handle, uint64_t lba_start,
uint64_t lba_count, void *buffer);
/**
* Write lba_count LBA sectors, starting at sector lba_start, to the disk, from
* the buffer.
*
* This is used for random access to the GPT. It does not (necessarily) access
* the streaming portion of the device.
*
* If the disk handle is invalid (for example, the handle refers to a disk
* which as been removed), the function must return error but must not
* crash.
*/
vb2_error_t VbExDiskWrite(VbExDiskHandle_t handle, uint64_t lba_start,
uint64_t lba_count, const void *buffer);
/* Streaming read interface */
typedef void *VbExStream_t;
/**
* Open a stream on a disk
*
* @param handle Disk to open the stream against
* @param lba_start Starting sector offset within the disk to stream from
* @param lba_count Maximum extent of the stream in sectors
* @param stream out-paramter for the generated stream
*
* @return Error code, or VB2_SUCCESS.
*
* This is used for access to the contents of the actual partitions on the
* device. It is not used to access the GPT. The size of the content addressed
* is within streaming_lba_count.
*/
vb2_error_t VbExStreamOpen(VbExDiskHandle_t handle, uint64_t lba_start,
uint64_t lba_count, VbExStream_t *stream_ptr);
/**
* Read from a stream on a disk
*
* @param stream Stream to read from
* @param bytes Number of bytes to read
* @param buffer Destination to read into
*
* @return Error code, or VB2_SUCCESS. Failure to read as much data as
* requested is an error.
*
* This is used for access to the contents of the actual partitions on the
* device. It is not used to access the GPT.
*/
vb2_error_t VbExStreamRead(VbExStream_t stream, uint32_t bytes, void *buffer);
/**
* Close a stream
*
* @param stream Stream to close
*/
void VbExStreamClose(VbExStream_t stream);
/*****************************************************************************/
/* Keyboard and switches */
/* Key code for CTRL + letter */
#define VB_KEY_CTRL(letter) (letter & 0x1f)
/* Key code for fn keys */
#define VB_KEY_F(num) (num + 0x108)
/* Key codes for required non-printable-ASCII characters. */
enum VbKeyCode_t {
VB_KEY_ENTER = '\r',
VB_KEY_ESC = 0x1b,
VB_KEY_BACKSPACE = 0x8,
VB_KEY_UP = 0x100,
VB_KEY_DOWN = 0x101,
VB_KEY_LEFT = 0x102,
VB_KEY_RIGHT = 0x103,
VB_KEY_CTRL_ENTER = 0x104,
};
/*
* WARNING!!! Before updating the codes in enum VbButtonCode_t, ensure that the
* code does not overlap the values in VbKeyCode_t unless the button action is
* the same as key action.
*/
enum VbButtonCode_t {
/* Volume up/down short press match the values in 8042 driver. */
VB_BUTTON_VOL_UP_SHORT_PRESS = 0x62,
VB_BUTTON_VOL_DOWN_SHORT_PRESS = 0x63,
/* Dummy values used below. */
VB_BUTTON_POWER_SHORT_PRESS = 0x90,
VB_BUTTON_VOL_UP_LONG_PRESS = 0x91,
VB_BUTTON_VOL_DOWN_LONG_PRESS = 0x92,
VB_BUTTON_VOL_UP_DOWN_COMBO_PRESS = 0x93,
};
/* Flags for additional information.
* TODO(semenzato): consider adding flags for modifiers instead of
* making up some of the key codes above.
*/
enum VbKeyFlags_t {
VB_KEY_FLAG_TRUSTED_KEYBOARD = 1 << 0,
};
/**
* Read the next keypress from the keyboard buffer.
*
* Returns the keypress, or zero if no keypress is pending or error.
*
* The following keys must be returned as ASCII character codes:
* 0x08 Backspace
* 0x09 Tab
* 0x0D Enter (carriage return)
* 0x01 - 0x1A Ctrl+A - Ctrl+Z (yes, those alias with backspace/tab/enter)
* 0x1B Esc (VB_KEY_ESC)
* 0x20 Space
* 0x30 - 0x39 '0' - '9'
* 0x60 - 0x7A 'a' - 'z'
*
* Some extended keys must also be supported; see the VB_KEY_* defines above.
*
* Keys ('/') or key-chords (Fn+Q) not defined above may be handled in any of
* the following ways:
* 1. Filter (don't report anything if one of these keys is pressed).
* 2. Report as ASCII (if a well-defined ASCII value exists for the key).
* 3. Report as any other value in the range 0x200 - 0x2FF.
* It is not permitted to report a key as a multi-byte code (for example,
* sending an arrow key as the sequence of keys '\x1b', '[', '1', 'A'). */
uint32_t VbExKeyboardRead(void);
/**
* Same as VbExKeyboardRead(), but return extra information.
*/
uint32_t VbExKeyboardReadWithFlags(uint32_t *flags_ptr);
/*****************************************************************************/
/* Misc */
/**
* Check if the firmware needs to shut down the system.
*
* Returns a non-zero VB_SHUTDOWN_REQUEST mask indicating the reason(s) for
* shutdown if a shutdown is being requested (see VB_SHUTDOWN_REQUEST_*), or 0
* if a shutdown is not being requested.
*
* NOTE: When we're displaying a screen, pressing the power button should shut
* down the computer. We need a way to break out of our control loop so this
* can occur cleanly.
*/
uint32_t VbExIsShutdownRequested(void);
/*
* Shutdown requested for a reason which is not defined among other
* VB_SHUTDOWN_REQUEST_* values. This must be defined as 1 for backward
* compatibility with old versions of the API.
*/
#define VB_SHUTDOWN_REQUEST_OTHER 0x00000001
/* Shutdown requested due to a lid switch being closed. */
#define VB_SHUTDOWN_REQUEST_LID_CLOSED 0x00000002
/* Shutdown requested due to a power button being pressed. */
#define VB_SHUTDOWN_REQUEST_POWER_BUTTON 0x00000004
#ifdef __cplusplus
}
#endif /* __cplusplus */
#endif /* VBOOT_REFERENCE_VBOOT_API_H_ */
|
