scottk/OpenCellular
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/OpenCellular.git synced 2025-11-24 18:25:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

VbVerifyMemoryBootImage: Allow integrity-only check in dev mode with

Browse Source 
FASTBOOT_FULL_CAP set

This change allows developers to boot dev-signed boot images in
unlocked mode if DEV_BOOT_FASTBOOT_FULL_CAP is set in VbNvStorage or
GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP is set.

BUG=chrome-os-partner:47002
BRANCH=None
TEST=Compiles successfully. make -j runtests

Change-Id: I56e3879594da1b57051dfe242ff347ac970c96bb
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://chromium-review.googlesource.com/309606
Commit-Ready: Furquan Shaikh <furquan@chromium.org>
Tested-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This commit is contained in:
Furquan Shaikh
2015-10-28 13:01:27 -07:00
committed by chrome-bot
parent d6723ed12b
commit 55484550bc
2 changed files with 32 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
firmware/lib/vboot_api_kernel.c
View File

@@ -1226,6 +1226,7 @@ VbError_t VbVerifyMemoryBootImage(VbCommonParams *cparams,
uint64_t body_offset; uint64_t body_offset;
int hash_only = 0; int hash_only = 0;
int dev_switch; int dev_switch;
uint32_t allow_fastboot_full_cap = 0;
if ((boot_image == NULL) || (image_size == 0)) if ((boot_image == NULL) || (image_size == 0))
return VBERROR_INVALID_PARAMETER; return VBERROR_INVALID_PARAMETER;
@@ -1252,13 +1253,24 @@ VbError_t VbVerifyMemoryBootImage(VbCommonParams *cparams,
/* /*
* We don't care verifying the image if: * We don't care verifying the image if:
* 1. dev-mode switch is on and * 1. dev-mode switch is on and
* 2. GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP is set. * 2a. GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP is set, or
* 2b. DEV_BOOT_FASTBOOT_FULL_CAP flag is set in NvStorage
* *
* Check only the integrity of the image. * Check only the integrity of the image.
*/ */
dev_switch = shared->flags & VBSD_BOOT_DEV_SWITCH_ON; dev_switch = shared->flags & VBSD_BOOT_DEV_SWITCH_ON;
if (dev_switch && (cparams->gbb->flags &
GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP)) { VbExNvStorageRead(vnc.raw);
VbNvSetup(&vnc);
VbNvGet(&vnc, VBNV_DEV_BOOT_FASTBOOT_FULL_CAP,
&allow_fastboot_full_cap);
if (0 == allow_fastboot_full_cap) {
allow_fastboot_full_cap = !!(cparams->gbb->flags &
GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP);
}
if (dev_switch && allow_fastboot_full_cap) {
VBDEBUG(("Only performing integrity-check.\n")); VBDEBUG(("Only performing integrity-check.\n"));
hash_only = 1; hash_only = 1;
} else { } else {

17
tests/vboot_api_kernel5_tests.c
View File

@@ -145,6 +145,12 @@ int VerifyData(const uint8_t *data, uint64_t size, const VbSignature *sig,
return VBERROR_SUCCESS; return VBERROR_SUCCESS;
} }
VbError_t VbExNvStorageRead(uint8_t *buf)
{
Memcpy(buf, vnc.raw, sizeof(vnc.raw));
return VBERROR_SUCCESS;
}
static void VerifyMemoryBootImageTest(void) static void VerifyMemoryBootImageTest(void)
{ {
uint32_t u; uint32_t u;
@@ -200,6 +206,17 @@ static void VerifyMemoryBootImageTest(void)
VBERROR_INVALID_KERNEL_FOUND, "Key verify failed"); VBERROR_INVALID_KERNEL_FOUND, "Key verify failed");
TEST_EQ(hash_only_check, 1, " hash check"); TEST_EQ(hash_only_check, 1, " hash check");
/* Key Block Hash Failure -- VBNV */
ResetMocks();
shared->flags = VBSD_BOOT_DEV_SWITCH_ON;
key_block_verify_fail = 1;
VbNvSet(&vnc, VBNV_DEV_BOOT_FASTBOOT_FULL_CAP, 1);
VbNvTeardown(&vnc);
TEST_EQ(VbVerifyMemoryBootImage(&cparams, &kparams, kernel_buffer,
kernel_buffer_size),
VBERROR_INVALID_KERNEL_FOUND, "Key verify failed");
TEST_EQ(hash_only_check, 1, " hash check -- VBNV flag");
/* Developer flag mismatch - dev switch on */ /* Developer flag mismatch - dev switch on */
ResetMocks(); ResetMocks();
kbh.key_block_flags = KEY_BLOCK_FLAG_DEVELOPER_0 | kbh.key_block_flags = KEY_BLOCK_FLAG_DEVELOPER_0 |