Google Git
Sign in
fuchsia / third_party / vboot_reference / refs/heads/upstream/firmware-eve-campfire-9584.131.B / . / firmware / lib / vboot_api_kernel.c
blob: 48daa6b8542d7df93c3d5649f7c7d5bc8a91135a [file] [log] [blame]
/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*
* High-level firmware wrapper API - entry points for kernel selection
*/
#include "sysincludes.h"
#include "2sysincludes.h"
#include "2common.h"
#include "2misc.h"
#include "2nvstorage.h"
#include "2rsa.h"
#include "ec_sync.h"
#include "gbb_access.h"
#include "gbb_header.h"
#include "load_kernel_fw.h"
#include "region.h"
#include "rollback_index.h"
#include "utility.h"
#include "vb2_common.h"
#include "vboot_api.h"
#include "vboot_common.h"
#include "vboot_kernel.h"
#include "vboot_nvstorage.h"
/* Global variables */
static VbNvContext vnc;
static struct RollbackSpaceFwmp fwmp;
static LoadKernelParams lkp;
static struct vb2_context ctx;
static uint8_t *unaligned_workbuf;
#ifdef CHROMEOS_ENVIRONMENT
/* Global variable accessors for unit tests */
struct RollbackSpaceFwmp *VbApiKernelGetFwmp(void)
{
return &fwmp;
}
struct LoadKernelParams *VbApiKernelGetParams(void)
{
return &lkp;
}
#endif
/**
* Set recovery request (called from vboot_api_kernel.c functions only)
*/
static void VbSetRecoveryRequest(struct vb2_context *ctx,
uint32_t recovery_request)
{
VB2_DEBUG("VbSetRecoveryRequest(%d)\n", (int)recovery_request);
vb2_nv_set(ctx, VB2_NV_RECOVERY_REQUEST, recovery_request);
}
static void VbNvLoad(void)
{
VbExNvStorageRead(vnc.raw);
VbNvSetup(&vnc);
}
static void VbNvCommit(void)
{
VbNvTeardown(&vnc);
if (vnc.raw_changed)
VbExNvStorageWrite(vnc.raw);
}
void vb2_nv_commit(struct vb2_context *ctx)
{
/* Copy nvdata back to old vboot1 nv context if needed */
if (ctx->flags & VB2_CONTEXT_NVDATA_CHANGED) {
memcpy(vnc.raw, ctx->nvdata, VB2_NVDATA_SIZE);
vnc.raw_changed = 1;
ctx->flags &= ~VB2_CONTEXT_NVDATA_CHANGED;
}
VbNvCommit();
}
uint32_t vb2_get_fwmp_flags(void)
{
return fwmp.flags;
}
/**
* Attempt loading a kernel from the specified type(s) of disks.
*
* If successful, sets p->disk_handle to the disk for the kernel and returns
* VBERROR_SUCCESS.
*
* @param ctx Vboot context
* @param cparams Vboot common params
* @param p Parameters for loading kernel
* @param get_info_flags Flags to pass to VbExDiskGetInfo()
* @return VBERROR_SUCCESS, VBERROR_NO_DISK_FOUND if no disks of the specified
* type were found, or other non-zero VBERROR_ codes for other failures.
*/
uint32_t VbTryLoadKernel(struct vb2_context *ctx, VbCommonParams *cparams,
uint32_t get_info_flags)
{
VbError_t retval = VBERROR_UNKNOWN;
VbDiskInfo* disk_info = NULL;
uint32_t disk_count = 0;
uint32_t i;
VB2_DEBUG("VbTryLoadKernel() start, get_info_flags=0x%x\n",
(unsigned)get_info_flags);
lkp.fwmp = &fwmp;
lkp.nv_context = &vnc;
lkp.disk_handle = NULL;
/* Find disks */
if (VBERROR_SUCCESS != VbExDiskGetInfo(&disk_info, &disk_count,
get_info_flags))
disk_count = 0;
VB2_DEBUG("VbTryLoadKernel() found %d disks\n", (int)disk_count);
if (0 == disk_count) {
VbSetRecoveryRequest(ctx, VBNV_RECOVERY_RW_NO_DISK);
return VBERROR_NO_DISK_FOUND;
}
/* Loop over disks */
for (i = 0; i < disk_count; i++) {
VB2_DEBUG("VbTryLoadKernel() trying disk %d\n", (int)i);
/*
* Sanity-check what we can. FWIW, VbTryLoadKernel() is always
* called with only a single bit set in get_info_flags.
*
* Ensure 512-byte sectors and non-trivially sized disk (for
* cgptlib) and that we got a partition with only the flags we
* asked for.
*/
if (512 != disk_info[i].bytes_per_lba ||
16 > disk_info[i].lba_count ||
get_info_flags != (disk_info[i].flags &
~VB_DISK_FLAG_EXTERNAL_GPT)) {
VB2_DEBUG(" skipping: bytes_per_lba=%" PRIu64
" lba_count=%" PRIu64 " flags=0x%x\n",
disk_info[i].bytes_per_lba,
disk_info[i].lba_count,
disk_info[i].flags);
continue;
}
lkp.disk_handle = disk_info[i].handle;
lkp.bytes_per_lba = disk_info[i].bytes_per_lba;
lkp.gpt_lba_count = disk_info[i].lba_count;
lkp.streaming_lba_count = disk_info[i].streaming_lba_count
?: lkp.gpt_lba_count;
lkp.boot_flags |= disk_info[i].flags & VB_DISK_FLAG_EXTERNAL_GPT
? BOOT_FLAG_EXTERNAL_GPT : 0;
retval = LoadKernel(ctx, &lkp, cparams);
VB2_DEBUG("VbTryLoadKernel() LoadKernel() = %d\n", retval);
/*
* Stop now if we found a kernel.
*
* TODO: If recovery requested, should track the farthest we
* get, instead of just returning the value from the last disk
* attempted.
*/
if (VBERROR_SUCCESS == retval)
break;
}
/* If we didn't find any good kernels, don't return a disk handle. */
if (VBERROR_SUCCESS != retval) {
VbSetRecoveryRequest(ctx, VBNV_RECOVERY_RW_NO_KERNEL);
lkp.disk_handle = NULL;
}
VbExDiskFreeInfo(disk_info, lkp.disk_handle);
/*
* Pass through return code. Recovery reason (if any) has already been
* set by LoadKernel().
*/
return retval;
}
VbError_t VbBootNormal(struct vb2_context *ctx, VbCommonParams *cparams)
{
VbSharedDataHeader *shared =
(VbSharedDataHeader *)cparams->shared_data_blob;
/* Boot from fixed disk only */
VB2_DEBUG("Entering\n");
VbError_t rv = VbTryLoadKernel(ctx, cparams, VB_DISK_FLAG_FIXED);
VB2_DEBUG("Checking if TPM kernel version needs advancing\n");
if ((1 == shared->firmware_index) && (shared->flags & VBSD_FWB_TRIED)) {
/*
* Special cases for when we're trying a new firmware B. These
* are needed because firmware updates also usually change the
* kernel key, which means that the B firmware can only boot a
* new kernel, and the old firmware in A can only boot the
* previous kernel.
*
* Don't advance the TPM if we're trying a new firmware B,
* because we don't yet know if the new kernel will
* successfully boot. We still want to be able to fall back to
* the previous firmware+kernel if the new firmware+kernel
* fails.
*
* If we found only invalid kernels, reboot and try again.
* This allows us to fall back to the previous firmware+kernel
* instead of giving up and going to recovery mode right away.
* We'll still go to recovery mode if we run out of tries and
* the old firmware can't find a kernel it likes.
*/
if (rv == VBERROR_INVALID_KERNEL_FOUND) {
VB2_DEBUG("Trying FW B; only found invalid kernels.\n");
VbSetRecoveryRequest(ctx, VBNV_RECOVERY_NOT_REQUESTED);
}
return rv;
}
if ((shared->kernel_version_tpm > shared->kernel_version_tpm_start) &&
RollbackKernelWrite(shared->kernel_version_tpm)) {
VB2_DEBUG("Error writing kernel versions to TPM.\n");
VbSetRecoveryRequest(ctx, VBNV_RECOVERY_RW_TPM_W_ERROR);
return VBERROR_TPM_WRITE_KERNEL;
}
return rv;
}
/* This function is also used by tests */
void VbApiKernelFree(VbCommonParams *cparams)
{
/* VbSelectAndLoadKernel() always allocates this, tests don't */
if (cparams->gbb) {
free(cparams->gbb);
cparams->gbb = NULL;
}
if (cparams->bmp) {
free(cparams->bmp);
cparams->bmp = NULL;
}
}
static VbError_t vb2_kernel_setup(VbCommonParams *cparams,
VbSelectAndLoadKernelParams *kparams)
{
VbSharedDataHeader *shared =
(VbSharedDataHeader *)cparams->shared_data_blob;
/* Start timer */
shared->timer_vb_select_and_load_kernel_enter = VbExGetTimer();
/*
* Set up vboot context.
*
* TODO: Propagate this up to higher API levels, and use more of the
* context fields (e.g. secdatak) and flags.
*/
memset(&ctx, 0, sizeof(ctx));
VbNvLoad();
memcpy(ctx.nvdata, vnc.raw, VB2_NVDATA_SIZE);
if (shared->recovery_reason)
ctx.flags |= VB2_CONTEXT_RECOVERY_MODE;
if (shared->flags & VBSD_BOOT_DEV_SWITCH_ON)
ctx.flags |= VB2_CONTEXT_DEVELOPER_MODE;
ctx.workbuf_size = VB2_KERNEL_WORKBUF_RECOMMENDED_SIZE +
VB2_WORKBUF_ALIGN;
unaligned_workbuf = ctx.workbuf = malloc(ctx.workbuf_size);
if (!unaligned_workbuf) {
VB2_DEBUG("Can't allocate work buffer\n");
VbSetRecoveryRequest(&ctx, VB2_RECOVERY_RW_SHARED_DATA);
return VBERROR_INIT_SHARED_DATA;
}
if (VB2_SUCCESS != vb2_align(&ctx.workbuf, &ctx.workbuf_size,
VB2_WORKBUF_ALIGN,
VB2_KERNEL_WORKBUF_RECOMMENDED_SIZE)) {
VB2_DEBUG("Can't align work buffer\n");
VbSetRecoveryRequest(&ctx, VB2_RECOVERY_RW_SHARED_DATA);
return VBERROR_INIT_SHARED_DATA;
}
if (VB2_SUCCESS != vb2_init_context(&ctx)) {
VB2_DEBUG("Can't init vb2_context\n");
free(unaligned_workbuf);
VbSetRecoveryRequest(&ctx, VB2_RECOVERY_RW_SHARED_DATA);
return VBERROR_INIT_SHARED_DATA;
}
struct vb2_shared_data *sd = vb2_get_sd(&ctx);
sd->recovery_reason = shared->recovery_reason;
/*
* If we're in recovery mode just to do memory retraining, all we
* need to do is reboot.
*/
if (shared->recovery_reason == VBNV_RECOVERY_TRAIN_AND_REBOOT) {
VB2_DEBUG("Reboot after retraining in recovery.\n");
return VBERROR_REBOOT_REQUIRED;
}
/* Fill in params for calls to LoadKernel() */
memset(&lkp, 0, sizeof(lkp));
lkp.kernel_buffer = kparams->kernel_buffer;
lkp.kernel_buffer_size = kparams->kernel_buffer_size;
/* Clear output params in case we fail */
kparams->disk_handle = NULL;
kparams->partition_number = 0;
kparams->bootloader_address = 0;
kparams->bootloader_size = 0;
kparams->flags = 0;
memset(kparams->partition_guid, 0, sizeof(kparams->partition_guid));
/* Read GBB header, since we'll needs flags from it */
cparams->bmp = NULL;
cparams->gbb = malloc(sizeof(*cparams->gbb));
uint32_t retval = VbGbbReadHeader_static(cparams, cparams->gbb);
if (retval)
return retval;
/* Read kernel version from the TPM. Ignore errors in recovery mode. */
if (RollbackKernelRead(&shared->kernel_version_tpm)) {
VB2_DEBUG("Unable to get kernel versions from TPM\n");
if (!shared->recovery_reason) {
VbSetRecoveryRequest(&ctx,
VBNV_RECOVERY_RW_TPM_R_ERROR);
return VBERROR_TPM_READ_KERNEL;
}
}
shared->kernel_version_tpm_start = shared->kernel_version_tpm;
/* Read FWMP. Ignore errors in recovery mode. */
if (cparams->gbb->flags & GBB_FLAG_DISABLE_FWMP) {
memset(&fwmp, 0, sizeof(fwmp));
} else if (RollbackFwmpRead(&fwmp)) {
VB2_DEBUG("Unable to get FWMP from TPM\n");
if (!shared->recovery_reason) {
VbSetRecoveryRequest(&ctx,
VBNV_RECOVERY_RW_TPM_R_ERROR);
return VBERROR_TPM_READ_FWMP;
}
}
return VBERROR_SUCCESS;
}
static VbError_t vb2_kernel_phase4(VbCommonParams *cparams,
VbSelectAndLoadKernelParams *kparams)
{
VbSharedDataHeader *shared =
(VbSharedDataHeader *)cparams->shared_data_blob;
/* Save disk parameters */
kparams->disk_handle = lkp.disk_handle;
kparams->partition_number = lkp.partition_number;
kparams->bootloader_address = lkp.bootloader_address;
kparams->bootloader_size = lkp.bootloader_size;
kparams->flags = lkp.flags;
kparams->kernel_buffer = lkp.kernel_buffer;
kparams->kernel_buffer_size = lkp.kernel_buffer_size;
memcpy(kparams->partition_guid, lkp.partition_guid,
sizeof(kparams->partition_guid));
/* Lock the kernel versions if not in recovery mode */
if (!shared->recovery_reason &&
RollbackKernelLock(shared->recovery_reason)) {
VB2_DEBUG("Error locking kernel versions.\n");
VbSetRecoveryRequest(&ctx, VBNV_RECOVERY_RW_TPM_L_ERROR);
return VBERROR_TPM_LOCK_KERNEL;
}
return VBERROR_SUCCESS;
}
static void vb2_kernel_cleanup(struct vb2_context *ctx, VbCommonParams *cparams)
{
VbSharedDataHeader *shared =
(VbSharedDataHeader *)cparams->shared_data_blob;
/*
* Clean up vboot context.
*
* TODO: This should propagate up to higher levels
*/
/* Free buffers */
free(unaligned_workbuf);
VbApiKernelFree(cparams);
vb2_nv_commit(ctx);
/* Stop timer */
shared->timer_vb_select_and_load_kernel_exit = VbExGetTimer();
}
VbError_t vb2_post_ec_sync_hooks(struct vb2_context *ctx,
VbCommonParams *cparams) {
/*
* Pause for any events to be sent to EC-RW, after it is guaranteed
* to be running. Can be used for simulating boot hotkeys.
*
* TODO(b/117140648): Accept keyboard input to skip/disable the delay.
*/
const int post_ec_sync_delay_msec = 5 * 1000;
if (vb2_nv_get(ctx, VB2_NV_POST_EC_SYNC_DELAY)) {
VB2_DEBUG("vb2_post_ec_sync_hooks: "
"post_ec_sync_delay %d ms...\n",
post_ec_sync_delay_msec);
VbExSleepMs(post_ec_sync_delay_msec);
}
return VBERROR_SUCCESS;
}
#ifdef ALT_OS
int VbAltOSForceChromeOS(void) {
return 0;
}
VbError_t VbCheckAltOS(struct vb2_context *ctx, VbCommonParams *cparams,
int trusted_ec) {
VbSharedDataHeader *shared =
(VbSharedDataHeader *)cparams->shared_data_blob;
int req_enable = vb2_nv_get(ctx, VB2_NV_ENABLE_ALT_OS_REQUEST);
int req_disable = vb2_nv_get(ctx, VB2_NV_DISABLE_ALT_OS_REQUEST);
/* Reset enable/disable requests right away to prevent cycles. */
vb2_nv_set(ctx, VB2_NV_ENABLE_ALT_OS_REQUEST, 0);
vb2_nv_set(ctx, VB2_NV_DISABLE_ALT_OS_REQUEST, 0);
uint8_t kflags;
uint8_t kflags_set;
int rv;
rv = GetAltOSFlags(&kflags);
if (rv) {
VB2_DEBUG("Unable to read Alt OS flags from TPM\n");
return rv;
}
kflags_set = kflags;
int need_oprom = 0;
int oprom_loaded = !(shared->flags & VBSD_OPROM_MATTERS) ||
shared->flags & VBSD_OPROM_LOADED;
int hotkey_after_sync = vb2ex_get_alt_os_hotkey();
int hotkey_last_boot = !!(kflags & ALT_OS_HOTKEY);
int enabled = !!(kflags & ALT_OS_ENABLE);
int force_cros = VbAltOSForceChromeOS();
/* Case 1: Disable Alt OS mode. Does not need UI. */
if (enabled && req_disable) {
VB2_DEBUG("Disabling Alt OS mode...\n");
/* Disable has priority over enable. */
req_enable = 0;
enabled = 0;
kflags_set &= ~ALT_OS_ENABLE;
}
/* Case 2: Enable Alt OS mode. Needs UI. */
if (!enabled && ((req_enable && hotkey_after_sync && trusted_ec) ||
hotkey_last_boot)) {
VB2_DEBUG("Setting flag to show confirm Alt OS mode\n");
shared->flags |= VBSD_ALT_OS_CONFIRM_ENABLE;
need_oprom = 1;
/* If we need to reboot to load VGA Option ROM, save Alt OS
* hotkey state in TPM for next boot. */
kflags_set |= ALT_OS_HOTKEY;
}
/* Case 3: Show Alt OS picker. Needs UI. */
if (enabled && !force_cros) {
VB2_DEBUG("Setting flag to show Alt OS picker\n");
shared->flags |= VBSD_ALT_OS_SHOW_PICKER;
need_oprom = 1;
}
/* If we don't need to store Alt OS hotkey state, then remove it. */
if (!need_oprom || oprom_loaded)
kflags_set &= ~ALT_OS_HOTKEY;
if (kflags_set != kflags) {
rv = SetAltOSFlags(kflags_set);
if (rv) {
VB2_DEBUG("Unable to write Alt OS flags to TPM\n");
return rv;
}
}
VB2_DEBUG("Alt OS: kflags=%d\n", kflags);
VB2_DEBUG("Alt OS: kflags_set=%d\n", kflags_set);
VB2_DEBUG("Alt OS: hotkey_after_sync=%d\n", hotkey_after_sync);
VB2_DEBUG("Alt OS: hotkey_last_boot=%d\n", hotkey_last_boot);
VB2_DEBUG("Alt OS: need_oprom=%d\n", need_oprom);
VB2_DEBUG("Alt OS: oprom_loaded=%d\n", oprom_loaded);
VB2_DEBUG("Alt OS: enabled=%d\n", enabled);
VB2_DEBUG("Alt OS: force_cros=%d\n", force_cros);
VB2_DEBUG("Alt OS: req_enable=%d\n", req_enable);
VB2_DEBUG("Alt OS: req_disable=%d\n", req_disable);
VB2_DEBUG("Alt OS: trusted_ec=%d\n", trusted_ec);
if (need_oprom && !oprom_loaded) {
VB2_DEBUG("Reboot to load VGA Option ROM\n");
vb2_nv_set(ctx, VB2_NV_OPROM_NEEDED, 1);
return VBERROR_VGA_OPROM_MISMATCH;
}
return VBERROR_SUCCESS;
}
VbError_t VbCheckTPM(void)
{
const int cr50_reset_delay_msec = 500;
enum vb2_tpm_mode tpm_mode;
int ret;
int need_reset = 0;
VB2_DEBUG("Checking if TPM needs resetting (TPM_MODE)\n");
ret = vb2ex_tpm_get_mode(&tpm_mode);
if (ret == VB2_ERROR_EX_TPM_NO_SUCH_COMMAND) {
VB2_DEBUG("TPM does not support command, assume good state\n");
} else if (ret != VB2_SUCCESS) {
VB2_DEBUG("TPM encountered some error; reset Cr50\n");
need_reset = 1;
} else if (tpm_mode != VB2_TPM_MODE_ENABLED_TENTATIVE) {
VB2_DEBUG("Invalid TPM mode (%d, expected: %d); reset Cr50\n",
tpm_mode, VB2_TPM_MODE_ENABLED_TENTATIVE);
need_reset = 1;
} else {
VB2_DEBUG("TPM is in good state\n");
}
if (!need_reset)
return VBERROR_SUCCESS;
if (vb2ex_tpm_cr50_reset(cr50_reset_delay_msec)) {
VB2_DEBUG("Reset Cr50 failed\n");
return VBERROR_UNKNOWN;
} else {
VB2_DEBUG("Shut down AP and wait for Cr50 reset\n");
return VBERROR_SHUTDOWN_REQUESTED;
}
}
#endif /* ALT_OS */
VbError_t VbSelectAndLoadKernel(VbCommonParams *cparams,
VbSelectAndLoadKernelParams *kparams)
{
VbSharedDataHeader *shared =
(VbSharedDataHeader *)cparams->shared_data_blob;
VbError_t retval;
#ifdef ALT_OS
/*
* TPM may be disabled from a previous untrusted Alt OS boot.
* Check the TPM state and request a Cr50 reset if necessary.
*/
retval = VbCheckTPM();
if (retval)
goto VbSelectAndLoadKernel_exit;
#endif /* ALT_OS */
retval = vb2_kernel_setup(cparams, kparams);
if (retval)
goto VbSelectAndLoadKernel_exit;
#ifdef ALT_OS
/*
* Determine whether the EC is in RO or RW. This information
* will be used later on in Alt OS boot flow.
*/
int trusted_ec = VbExTrustEC(0);
#endif /* ALT_OS */
/*
* Do EC software sync if necessary. This has UI, but it's just a
* single non-interactive WAIT screen. Perform any post-EC software
* sync hooks, if early interaction with EC-RW is necessary.
*/
retval = ec_sync_all(&ctx, cparams);
if (retval)
goto VbSelectAndLoadKernel_exit;
retval = vb2_post_ec_sync_hooks(&ctx, cparams);
if (retval)
goto VbSelectAndLoadKernel_exit;
#ifdef ALT_OS
/*
* Check whether confirmation screen or picker screen need to be
* shown for Alt OS. Ignore return value, and in the case of failure,
* continue to a normal boot.
*/
retval = VbCheckAltOS(&ctx, cparams, trusted_ec);
if (retval == VBERROR_VGA_OPROM_MISMATCH)
goto VbSelectAndLoadKernel_exit;
#endif /* ALT_OS */
/* Select boot path */
if (shared->recovery_reason) {
/* Recovery boot. This has UI. */
if (kparams->inflags & VB_SALK_INFLAGS_ENABLE_DETACHABLE_UI)
retval = VbBootRecoveryMenu(&ctx, cparams);
else
retval = VbBootRecovery(&ctx, cparams);
VbExEcEnteringMode(0, VB_EC_RECOVERY);
} else if (shared->flags & VBSD_BOOT_DEV_SWITCH_ON) {
/* Developer boot. This has UI. */
if (kparams->inflags & VB_SALK_INFLAGS_ENABLE_DETACHABLE_UI)
retval = VbBootDeveloperMenu(&ctx, cparams);
else
retval = VbBootDeveloper(&ctx, cparams);
VbExEcEnteringMode(0, VB_EC_DEVELOPER);
#ifdef ALT_OS
} else if (shared->flags & VBSD_ALT_OS_CONFIRM_ENABLE ||
shared->flags & VBSD_ALT_OS_SHOW_PICKER) {
/* Alt OS boot. This has UI. */
retval = VbBootAltOS(&ctx, cparams);
/* Report as normal mode to the EC. */
VbExEcEnteringMode(0, VB_EC_NORMAL);
#endif /* ALT_OS */
} else {
/* Normal boot */
retval = VbBootNormal(&ctx, cparams);
VbExEcEnteringMode(0, VB_EC_NORMAL);
}
VbSelectAndLoadKernel_exit:
if (VBERROR_SUCCESS == retval)
retval = vb2_kernel_phase4(cparams, kparams);
vb2_kernel_cleanup(&ctx, cparams);
/* Pass through return value from boot path */
VB2_DEBUG("Returning %d\n", (int)retval);
return retval;
}
VbError_t VbVerifyMemoryBootImage(VbCommonParams *cparams,
VbSelectAndLoadKernelParams *kparams,
void *boot_image,
size_t image_size)
{
VbError_t retval;
VbPublicKey* kernel_subkey = NULL;
uint8_t *kbuf;
VbKeyBlockHeader *key_block;
VbSharedDataHeader *shared =
(VbSharedDataHeader *)cparams->shared_data_blob;
VbKernelPreambleHeader *preamble;
uint64_t body_offset;
int hash_only = 0;
int dev_switch;
uint32_t allow_fastboot_full_cap = 0;
uint8_t *workbuf = NULL;
struct vb2_workbuf wb;
if ((boot_image == NULL) || (image_size == 0))
return VBERROR_INVALID_PARAMETER;
/* Clear output params in case we fail. */
kparams->disk_handle = NULL;
kparams->partition_number = 0;
kparams->bootloader_address = 0;
kparams->bootloader_size = 0;
kparams->flags = 0;
memset(kparams->partition_guid, 0, sizeof(kparams->partition_guid));
kbuf = boot_image;
/* Read GBB Header */
cparams->bmp = NULL;
cparams->gbb = malloc(sizeof(*cparams->gbb));
retval = VbGbbReadHeader_static(cparams, cparams->gbb);
if (VBERROR_SUCCESS != retval) {
VB2_DEBUG("Gbb read header failed.\n");
return retval;
}
/*
* We don't care verifying the image if:
* 1. dev-mode switch is on and
* 2a. GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP is set, or
* 2b. DEV_BOOT_FASTBOOT_FULL_CAP flag is set in NvStorage
*
* Check only the integrity of the image.
*/
dev_switch = shared->flags & VBSD_BOOT_DEV_SWITCH_ON;
VbNvLoad();
VbNvGet(&vnc, VB2_NV_DEV_BOOT_FASTBOOT_FULL_CAP,
&allow_fastboot_full_cap);
if (0 == allow_fastboot_full_cap) {
allow_fastboot_full_cap = !!(cparams->gbb->flags &
GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP);
}
if (dev_switch && allow_fastboot_full_cap) {
VB2_DEBUG("Only performing integrity-check.\n");
hash_only = 1;
} else {
/* Get recovery key. */
retval = VbGbbReadRecoveryKey(cparams, &kernel_subkey);
if (VBERROR_SUCCESS != retval) {
VB2_DEBUG("Gbb Read Recovery key failed.\n");
return retval;
}
}
/* If we fail at any step, retval returned would be invalid kernel. */
retval = VBERROR_INVALID_KERNEL_FOUND;
/* Allocate work buffer */
workbuf = (uint8_t *)malloc(VB2_KERNEL_WORKBUF_RECOMMENDED_SIZE);
if (!workbuf)
goto fail;
vb2_workbuf_init(&wb, workbuf, VB2_KERNEL_WORKBUF_RECOMMENDED_SIZE);
/* Verify the key block. */
key_block = (VbKeyBlockHeader *)kbuf;
struct vb2_keyblock *keyblock2 = (struct vb2_keyblock *)kbuf;
int rv;
if (hash_only) {
rv = vb2_verify_keyblock_hash(keyblock2, image_size, &wb);
} else {
/* Unpack kernel subkey */
struct vb2_public_key kernel_subkey2;
if (VB2_SUCCESS !=
vb2_unpack_key(&kernel_subkey2,
(struct vb2_packed_key *)kernel_subkey)) {
VB2_DEBUG("Unable to unpack kernel subkey\n");
goto fail;
}
rv = vb2_verify_keyblock(keyblock2, image_size,
&kernel_subkey2, &wb);
}
if (VB2_SUCCESS != rv) {
VB2_DEBUG("Verifying key block signature/hash failed.\n");
goto fail;
}
/* Check the key block flags against the current boot mode. */
if (!(key_block->key_block_flags &
(dev_switch ? KEY_BLOCK_FLAG_DEVELOPER_1 :
KEY_BLOCK_FLAG_DEVELOPER_0))) {
VB2_DEBUG("Key block developer flag mismatch.\n");
if (hash_only == 0)
goto fail;
}
if (!(key_block->key_block_flags & KEY_BLOCK_FLAG_RECOVERY_1)) {
VB2_DEBUG("Key block recovery flag mismatch.\n");
if (hash_only == 0)
goto fail;
}
/* Get key for preamble/data verification from the key block. */
struct vb2_public_key data_key2;
if (VB2_SUCCESS != vb2_unpack_key(&data_key2, &keyblock2->data_key)) {
VB2_DEBUG("Unable to unpack kernel data key\n");
goto fail;
}
/* Verify the preamble, which follows the key block */
preamble = (VbKernelPreambleHeader *)(kbuf + key_block->key_block_size);
struct vb2_kernel_preamble *preamble2 =
(struct vb2_kernel_preamble *)
(kbuf + key_block->key_block_size);
if (VB2_SUCCESS != vb2_verify_kernel_preamble(
preamble2,
image_size - key_block->key_block_size,
&data_key2,
&wb)) {
VB2_DEBUG("Preamble verification failed.\n");
goto fail;
}
VB2_DEBUG("Kernel preamble is good.\n");
/* Verify kernel data */
body_offset = key_block->key_block_size + preamble->preamble_size;
if (VB2_SUCCESS != vb2_verify_data(
(const uint8_t *)(kbuf + body_offset),
image_size - body_offset,
(struct vb2_signature *)&preamble->body_signature,
&data_key2, &wb)) {
VB2_DEBUG("Kernel data verification failed.\n");
goto fail;
}
VB2_DEBUG("Kernel is good.\n");
/* Fill in output parameters. */
kparams->kernel_buffer = kbuf + body_offset;
kparams->kernel_buffer_size = image_size - body_offset;
kparams->bootloader_address = preamble->bootloader_address;
kparams->bootloader_size = preamble->bootloader_size;
if (VbKernelHasFlags(preamble) == VBOOT_SUCCESS)
kparams->flags = preamble->flags;
retval = VBERROR_SUCCESS;
fail:
VbApiKernelFree(cparams);
if (NULL != kernel_subkey)
free(kernel_subkey);
if (NULL != workbuf)
free(workbuf);
return retval;
}
VbError_t VbUnlockDevice(void)
{
VB2_DEBUG("Enabling dev-mode...\n");
if (TPM_SUCCESS != SetVirtualDevMode(1))
return VBERROR_TPM_SET_BOOT_MODE_STATE;
VB2_DEBUG("Mode change will take effect on next reboot.\n");
return VBERROR_SUCCESS;
}
VbError_t VbLockDevice(void)
{
VbNvLoad();
VB2_DEBUG("Storing request to leave dev-mode.\n");
VbNvSet(&vnc, VBNV_DISABLE_DEV_REQUEST, 1);
VbNvCommit();
VB2_DEBUG("Mode change will take effect on next reboot.\n");
return VBERROR_SUCCESS;
}