Use VbSharedData instead of VbNvStorage for fwb_tries and kernkey_vfy
Change-Id: I5ed3509a9d4e578cd2e98f493dab59bc2fbd5827
R=dlaurie@chromium.org
BUG=chrome-os-partner:2748
TEST=manual
crossystem fwb_tries=3
(reboot)
crossystem tried_fwb
(should print 1)
crossystem fwb_tries=0
(reboot)
crossystem tried_fwb
(should print 0)
In dev mode...
Boot a kernel signed with the same key as in the firmware
crossystem kernkey_vfy
(should print sig)
Boot a kernel signed with a different key than the firmware
crossystem kernkey_vfy
(should print hash)
Review URL: http://codereview.chromium.org/6711045
diff --git a/firmware/include/vboot_nvstorage.h b/firmware/include/vboot_nvstorage.h
index 350a789..c2a722f 100644
--- a/firmware/include/vboot_nvstorage.h
+++ b/firmware/include/vboot_nvstorage.h
@@ -47,13 +47,6 @@
VBNV_LOCALIZATION_INDEX,
/* Field reserved for kernel/user-mode use; 32-bit value. */
VBNV_KERNEL_FIELD,
- /* Firmware checked RW slot B before slot A on the current boot because
- * VBNV_TRY_B_COUNT was non-zero at that time. 0=no; 1=yes. */
- VBNV_TRIED_FIRMWARE_B,
- /* Firmware verified the kernel key block signature using the key stored
- * in the firmware. 0=no, just used the key block hash; 1=yes, used the
- * key block signature. */
- VBNV_FW_VERIFIED_KERNEL_KEY,
/* Verified boot API function which should generate a test error, if
* error number (below) is non-zero. */
VBNV_TEST_ERROR_FUNC,
diff --git a/firmware/lib/vboot_firmware.c b/firmware/lib/vboot_firmware.c
index 6c895e9..4be4cb2 100644
--- a/firmware/lib/vboot_firmware.c
+++ b/firmware/lib/vboot_firmware.c
@@ -134,7 +134,6 @@
VbNvSet(vnc, VBNV_TRY_B_COUNT, try_b_count - 1);
shared->flags |= VBSD_FWB_TRIED;
}
- VbNvSet(vnc, VBNV_TRIED_FIRMWARE_B, try_b_count ? 1 : 0);
/* Allocate our internal data */
lfi = (VbLoadFirmwareInternal*)Malloc(sizeof(VbLoadFirmwareInternal));
diff --git a/firmware/lib/vboot_kernel.c b/firmware/lib/vboot_kernel.c
index 302a7f6..cfdd9b4 100644
--- a/firmware/lib/vboot_kernel.c
+++ b/firmware/lib/vboot_kernel.c
@@ -651,9 +651,6 @@
LoadKernelExit:
- /* Save whether the good partition's key block was fully verified */
- VbNvSet(vnc, VBNV_FW_VERIFIED_KERNEL_KEY, good_partition_key_block_valid);
-
/* Store recovery request, if any, then tear down non-volatile storage */
VbNvSet(vnc, VBNV_RECOVERY_REQUEST, LOAD_KERNEL_RECOVERY == retval ?
recovery : VBNV_RECOVERY_NOT_REQUESTED);
diff --git a/firmware/lib/vboot_nvstorage.c b/firmware/lib/vboot_nvstorage.c
index 83f6ef5..575fcb9 100644
--- a/firmware/lib/vboot_nvstorage.c
+++ b/firmware/lib/vboot_nvstorage.c
@@ -27,8 +27,6 @@
#define LOCALIZATION_OFFSET 3
#define FIRMWARE_FLAGS_OFFSET 5
-#define FIRMWARE_TRIED_FIRMWARE_B 0x80
-#define FIRMWARE_FW_VERIFIED_KERNEL_KEY 0x40
#define FIRMWARE_TEST_ERR_FUNC_MASK 0x38
#define FIRMWARE_TEST_ERR_FUNC_SHIFT 3
#define FIRMWARE_TEST_ERR_NUM_MASK 0x07
@@ -128,15 +126,6 @@
| (raw[KERNEL_FIELD_OFFSET + 3] << 24));
return 0;
- case VBNV_TRIED_FIRMWARE_B:
- *dest = (raw[FIRMWARE_FLAGS_OFFSET] & FIRMWARE_TRIED_FIRMWARE_B ? 1 : 0);
- return 0;
-
- case VBNV_FW_VERIFIED_KERNEL_KEY:
- *dest = (raw[FIRMWARE_FLAGS_OFFSET] & FIRMWARE_FW_VERIFIED_KERNEL_KEY ?
- 1 : 0);
- return 0;
-
case VBNV_TEST_ERROR_FUNC:
*dest = (raw[FIRMWARE_FLAGS_OFFSET] & FIRMWARE_TEST_ERR_FUNC_MASK)
>> FIRMWARE_TEST_ERR_FUNC_SHIFT;
@@ -213,20 +202,6 @@
raw[KERNEL_FIELD_OFFSET + 3] = (uint8_t)(value >> 24);
break;
- case VBNV_TRIED_FIRMWARE_B:
- if (value)
- raw[FIRMWARE_FLAGS_OFFSET] |= FIRMWARE_TRIED_FIRMWARE_B;
- else
- raw[FIRMWARE_FLAGS_OFFSET] &= ~FIRMWARE_TRIED_FIRMWARE_B;
- break;
-
- case VBNV_FW_VERIFIED_KERNEL_KEY:
- if (value)
- raw[FIRMWARE_FLAGS_OFFSET] |= FIRMWARE_FW_VERIFIED_KERNEL_KEY;
- else
- raw[FIRMWARE_FLAGS_OFFSET] &= ~FIRMWARE_FW_VERIFIED_KERNEL_KEY;
- break;
-
case VBNV_TEST_ERROR_FUNC:
raw[FIRMWARE_FLAGS_OFFSET] &= ~FIRMWARE_TEST_ERR_FUNC_MASK;
raw[FIRMWARE_FLAGS_OFFSET] |= (value << FIRMWARE_TEST_ERR_FUNC_SHIFT)
diff --git a/host/lib/crossystem.c b/host/lib/crossystem.c
index ca61f74..e841bad 100644
--- a/host/lib/crossystem.c
+++ b/host/lib/crossystem.c
@@ -101,9 +101,12 @@
/* Fields that GetVdatInt() can get */
typedef enum VdatIntField {
- VDAT_INT_FLAGS = 0, /* Flags */
- VDAT_INT_FW_VERSION_TPM, /* Current firmware version in TPM */
- VDAT_INT_KERNEL_VERSION_TPM /* Current kernel version in TPM */
+ VDAT_INT_FLAGS = 0, /* Flags */
+ VDAT_INT_FW_VERSION_TPM, /* Current firmware version in TPM */
+ VDAT_INT_KERNEL_VERSION_TPM, /* Current kernel version in TPM */
+ VDAT_INT_TRIED_FIRMWARE_B, /* Tried firmware B due to fwb_tries */
+ VDAT_INT_KERNEL_KEY_VERIFIED /* Kernel key verified using
+ * signature, not just hash */
} VdatIntField;
@@ -678,6 +681,12 @@
case VDAT_INT_KERNEL_VERSION_TPM:
value = (int)sh->kernel_version_tpm;
break;
+ case VDAT_INT_TRIED_FIRMWARE_B:
+ value = (sh->flags & VBSD_FWB_TRIED ? 1 : 0);
+ break;
+ case VDAT_INT_KERNEL_KEY_VERIFIED:
+ value = (sh->flags & VBSD_KERNEL_KEY_VERIFIED ? 1 : 0);
+ break;
}
Free(ab);
@@ -719,9 +728,7 @@
return (-1 == ReadFileInt(ACPI_CHSW_PATH) ? -1 : 0x00100000);
}
/* NV storage values with no defaults for older BIOS. */
- else if (!strcasecmp(name,"tried_fwb")) {
- value = VbGetNvStorage(VBNV_TRIED_FIRMWARE_B);
- } else if (!strcasecmp(name,"kern_nv")) {
+ else if (!strcasecmp(name,"kern_nv")) {
value = VbGetNvStorage(VBNV_KERNEL_FIELD);
} else if (!strcasecmp(name,"nvram_cleared")) {
value = VbGetNvStorage(VBNV_KERNEL_SETTINGS_RESET);
@@ -758,6 +765,8 @@
value = GetVdatInt(VDAT_INT_FW_VERSION_TPM);
} else if (!strcasecmp(name,"tpm_kernver")) {
value = GetVdatInt(VDAT_INT_KERNEL_VERSION_TPM);
+ } else if (!strcasecmp(name,"tried_fwb")) {
+ value = GetVdatInt(VDAT_INT_TRIED_FIRMWARE_B);
}
return value;
@@ -798,7 +807,7 @@
return NULL;
}
} else if (!strcasecmp(name,"kernkey_vfy")) {
- switch(VbGetNvStorage(VBNV_FW_VERIFIED_KERNEL_KEY)) {
+ switch(GetVdatInt(VDAT_INT_KERNEL_KEY_VERIFIED)) {
case 0:
return "hash";
case 1:
diff --git a/tests/vboot_nvstorage_test.c b/tests/vboot_nvstorage_test.c
index 3d16b9f..5306a64 100644
--- a/tests/vboot_nvstorage_test.c
+++ b/tests/vboot_nvstorage_test.c
@@ -29,8 +29,6 @@
{VBNV_RECOVERY_REQUEST, 0, 0x42, 0xED, "recovery request"},
{VBNV_LOCALIZATION_INDEX, 0, 0x69, 0xB0, "localization index"},
{VBNV_KERNEL_FIELD, 0, 0x12345678, 0xFEDCBA98, "kernel field"},
- {VBNV_TRIED_FIRMWARE_B, 0, 1, 0, "tried firmware B"},
- {VBNV_FW_VERIFIED_KERNEL_KEY, 0, 1, 0, "firmware verified kernel key"},
{VBNV_TEST_ERROR_FUNC, 0, 1, 7, "verified boot test error func"},
{VBNV_TEST_ERROR_NUM, 0, 3, 6, "verified boot test error number"},
{0, 0, 0, 0, NULL}