vboot2: Add routines to load and verify kernel keyblock

These are slightly more complex than the firmware versions, because they need to deal with developer-signed keyblocks and keyblock flags. BUG=chromium:487699 BRANCH=none TEST=make -j runtests Change-Id: I682c14ddfe729984f2629dfbe66750e5cd5ab75e Signed-off-by: Randall Spangler <rspangler@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/272541 Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
2025-12-24 16:57:21 +00:00 · 2015-05-20 17:22:17 -07:00
parent b87d1ec118
commit 3d5cd88f90
8 changed files with 717 additions and 3 deletions
--- a/firmware/2lib/include/2api.h
+++ b/firmware/2lib/include/2api.h
@@ -177,17 +177,27 @@ struct vb2_context {
 	uint8_t secdatak[VB2_SECDATAK_SIZE];
 };

+/* Resource index for vb2ex_read_resource() */
 enum vb2_resource_index {

 	/* Google binary block */
 	VB2_RES_GBB,

 	/*
-	 * Verified boot block (keyblock+preamble).  Use VB2_CONTEXT_FW_SLOT_B
-	 * to determine whether this refers to slot A or slot B; vboot will
-	 * set that flag to the proper state before reading the vblock.
+	 * Firmware verified boot block (keyblock+preamble).  Use
+	 * VB2_CONTEXT_FW_SLOT_B to determine whether this refers to slot A or
+	 * slot B; vboot will set that flag to the proper state before reading
+	 * the vblock.
 	 */
 	VB2_RES_FW_VBLOCK,
+
+	/*
+	 * Kernel verified boot block (keyblock+preamble) for the current
+	 * kernel partition.  Used only by vb2api_kernel_load_vblock().
+	 * Contents are allowed to change between calls to that function (to
+	 * allow multiple kernels to be examined).
+	 */
+	VB2_RES_KERNEL_VBLOCK,
 };

 /* Digest ID for vbapi_get_pcr_digest() */
--- a/firmware/2lib/include/2misc.h
+++ b/firmware/2lib/include/2misc.h
@@ -141,4 +141,14 @@ int vb2_load_fw_keyblock(struct vb2_context *ctx);
 */
 int vb2_load_fw_preamble(struct vb2_context *ctx);

+/**
+ * Verify the kernel keyblock using the previously-loaded kernel key.
+ *
+ * After this call, the data key is stored in the work buffer.
+ *
+ * @param ctx		Vboot context
+ * @return VB2_SUCCESS, or error code on error.
+ */
+int vb2_load_kernel_keyblock(struct vb2_context *ctx);
+
 #endif  /* VBOOT_REFERENCE_VBOOT_2MISC_H_ */
--- a/firmware/2lib/include/2return_codes.h
+++ b/firmware/2lib/include/2return_codes.h
@@ -406,6 +406,27 @@ enum vb2_return_code {
 	/* Not enough space in work buffer for resource object */
 	VB2_ERROR_READ_RESOURCE_OBJECT_BUF,

+	/* Work buffer too small for header in vb2_load_kernel_keyblock() */
+	VB2_ERROR_KERNEL_KEYBLOCK_WORKBUF_HEADER,
+
+	/* Work buffer too small for keyblock in vb2_load_kernel_keyblock() */
+	VB2_ERROR_KERNEL_KEYBLOCK_WORKBUF,
+
+	/* Keyblock version out of range in vb2_load_kernel_keyblock() */
+	VB2_ERROR_KERNEL_KEYBLOCK_VERSION_RANGE,
+
+	/* Keyblock version rollback in vb2_load_kernel_keyblock() */
+	VB2_ERROR_KERNEL_KEYBLOCK_VERSION_ROLLBACK,
+
+	/*
+	 * Keyblock flags don't match current mode in
+	 * vb2_load_kernel_keyblock().
+	 */
+	VB2_ERROR_KERNEL_KEYBLOCK_DEV_FLAG,
+	VB2_ERROR_KERNEL_KEYBLOCK_REC_FLAG,
+
+
+
        /**********************************************************************
 	 * API-level errors
 	 */
--- a/firmware/2lib/include/2struct.h
+++ b/firmware/2lib/include/2struct.h
@@ -31,12 +31,16 @@ enum vb2_shared_data_flags {
 	VB2_SD_FLAG_MANUAL_RECOVERY = (1 << 0),

 	/* Developer mode is enabled */
+	/* TODO: should have been VB2_SD_FLAG_DEV_MODE_ENABLED */
 	VB2_SD_DEV_MODE_ENABLED = (1 << 1),

 	/*
 	 * TODO: might be nice to add flags for why dev mode is enabled - via
 	 * gbb, virtual dev switch, or forced on for testing.
 	 */
+
+	/* Kernel keyblock was verified by signature (not just hash) */
+	VB2_SD_FLAG_KERNEL_SIGNED = (1 << 2),
 };

 /* Flags for vb2_shared_data.status */
@@ -100,6 +104,25 @@ struct vb2_shared_data {
 	 */
 	uint32_t status;

+	/**********************************************************************
+	 * Data from kernel verification stage.
+	 *
+	 * TODO: shouldn't be part of the main struct, since that needlessly
+	 * uses more memory during firmware verification.
+	 */
+
+	/*
+	 * Version for the current kernel (top 16 bits = key, lower 16 bits =
+	 * kernel preamble).
+	 *
+	 * TODO: Make this a union to allow getting/setting those versions
+	 * separately?
+	 */
+	uint32_t kernel_version;
+
+	/* Kernel version from secdatak (must be <= kernel_version to boot) */
+	uint32_t kernel_version_secdatak;
+
 	/**********************************************************************
 	 * Temporary variables used during firmware verification.  These don't
 	 * really need to persist through to the OS, but there's nowhere else
@@ -151,6 +174,25 @@ struct vb2_shared_data {
 	/* Amount of data we still expect to hash */
 	uint32_t hash_remaining_size;

+	/**********************************************************************
+	 * Temporary variables used during kernel verification.  These don't
+	 * really need to persist through to the OS, but there's nowhere else
+	 * we can put them.
+	 *
+	 * TODO: make a union with the firmware verification temp variables,
+	 * or make both of them workbuf-allocated sub-structs, so that we can
+	 * overlap them so kernel variables don't bloat firmware verification
+	 * stage memory requirements.
+	 */
+
+	/*
+	 * Offset and size of packed kernel key in work buffer.  Size is 0 if
+	 * subkey is not stored in the work buffer.  Note that kernel key may
+	 * be inside the firmware preamble.
+	 */
+	uint32_t workbuf_kernel_key_offset;
+	uint32_t workbuf_kernel_key_size;
+
 } __attribute__((packed));

 /****************************************************************************/