scottk/OpenCellular
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/OpenCellular.git synced 2025-11-25 18:55:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

VbVerifyMemoryBootImage: Allow integrity-only check in dev mode with

Browse Source 
FASTBOOT_FULL_CAP set

This change allows developers to boot dev-signed boot images in
unlocked mode if DEV_BOOT_FASTBOOT_FULL_CAP is set in VbNvStorage or
GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP is set.

BUG=chrome-os-partner:47002
BRANCH=None
TEST=Compiles successfully. make -j runtests

Change-Id: I56e3879594da1b57051dfe242ff347ac970c96bb
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://chromium-review.googlesource.com/309606
Commit-Ready: Furquan Shaikh <furquan@chromium.org>
Tested-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This commit is contained in:
Furquan Shaikh
2015-10-28 13:01:27 -07:00
committed by chrome-bot
parent d6723ed12b
commit 55484550bc
2 changed files with 32 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
firmware/lib/vboot_api_kernel.c
View File

@@ -1226,6 +1226,7 @@ VbError_t VbVerifyMemoryBootImage(VbCommonParams *cparams,
uint64_t body_offset;
int hash_only = 0;
int dev_switch;
uint32_t allow_fastboot_full_cap = 0;
if ((boot_image == NULL) || (image_size == 0))
return VBERROR_INVALID_PARAMETER;
@@ -1252,13 +1253,24 @@ VbError_t VbVerifyMemoryBootImage(VbCommonParams *cparams,
/*
* We don't care verifying the image if:
* 1. dev-mode switch is on and
* 2. GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP is set.
* 2a. GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP is set, or
* 2b. DEV_BOOT_FASTBOOT_FULL_CAP flag is set in NvStorage
*
* Check only the integrity of the image.
*/
dev_switch = shared->flags & VBSD_BOOT_DEV_SWITCH_ON;
if (dev_switch && (cparams->gbb->flags &
GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP)) {
VbExNvStorageRead(vnc.raw);
VbNvSetup(&vnc);
VbNvGet(&vnc, VBNV_DEV_BOOT_FASTBOOT_FULL_CAP,
&allow_fastboot_full_cap);
if (0 == allow_fastboot_full_cap) {
allow_fastboot_full_cap = !!(cparams->gbb->flags &
GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP);
}
if (dev_switch && allow_fastboot_full_cap) {
VBDEBUG(("Only performing integrity-check.\n"));
hash_only = 1;
} else {

17
tests/vboot_api_kernel5_tests.c
View File

@@ -145,6 +145,12 @@ int VerifyData(const uint8_t *data, uint64_t size, const VbSignature *sig,
return VBERROR_SUCCESS;
}
VbError_t VbExNvStorageRead(uint8_t *buf)
{
Memcpy(buf, vnc.raw, sizeof(vnc.raw));
return VBERROR_SUCCESS;
}
static void VerifyMemoryBootImageTest(void)
{
uint32_t u;
@@ -200,6 +206,17 @@ static void VerifyMemoryBootImageTest(void)
VBERROR_INVALID_KERNEL_FOUND, "Key verify failed");
TEST_EQ(hash_only_check, 1, " hash check");
/* Key Block Hash Failure -- VBNV */
ResetMocks();
shared->flags = VBSD_BOOT_DEV_SWITCH_ON;
key_block_verify_fail = 1;
VbNvSet(&vnc, VBNV_DEV_BOOT_FASTBOOT_FULL_CAP, 1);
VbNvTeardown(&vnc);
TEST_EQ(VbVerifyMemoryBootImage(&cparams, &kparams, kernel_buffer,
kernel_buffer_size),
VBERROR_INVALID_KERNEL_FOUND, "Key verify failed");
TEST_EQ(hash_only_check, 1, " hash check -- VBNV flag");
/* Developer flag mismatch - dev switch on */
ResetMocks();
kbh.key_block_flags = KEY_BLOCK_FLAG_DEVELOPER_0 |