vboot2: Add routines to load and verify kernel keyblock

These are slightly more complex than the firmware versions, because they need to deal with developer-signed keyblocks and keyblock flags. BUG=chromium:487699 BRANCH=none TEST=make -j runtests Change-Id: I682c14ddfe729984f2629dfbe66750e5cd5ab75e Signed-off-by: Randall Spangler <rspangler@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/272541 Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
2025-11-24 02:05:01 +00:00 · 2015-05-20 17:22:17 -07:00
parent b87d1ec118
commit 3d5cd88f90
8 changed files with 717 additions and 3 deletions
--- a/firmware/2lib/include/2api.h
+++ b/firmware/2lib/include/2api.h
@@ -177,17 +177,27 @@ struct vb2_context {
 	uint8_t secdatak[VB2_SECDATAK_SIZE];
 };

+/* Resource index for vb2ex_read_resource() */
 enum vb2_resource_index {

 	/* Google binary block */
 	VB2_RES_GBB,

 	/*
-	 * Verified boot block (keyblock+preamble).  Use VB2_CONTEXT_FW_SLOT_B
-	 * to determine whether this refers to slot A or slot B; vboot will
-	 * set that flag to the proper state before reading the vblock.
+	 * Firmware verified boot block (keyblock+preamble).  Use
+	 * VB2_CONTEXT_FW_SLOT_B to determine whether this refers to slot A or
+	 * slot B; vboot will set that flag to the proper state before reading
+	 * the vblock.
 	 */
 	VB2_RES_FW_VBLOCK,
+
+	/*
+	 * Kernel verified boot block (keyblock+preamble) for the current
+	 * kernel partition.  Used only by vb2api_kernel_load_vblock().
+	 * Contents are allowed to change between calls to that function (to
+	 * allow multiple kernels to be examined).
+	 */
+	VB2_RES_KERNEL_VBLOCK,
 };

 /* Digest ID for vbapi_get_pcr_digest() */