From 700fc49a7e38531745f1afd7d7fb714e51ec92d4 Mon Sep 17 00:00:00 2001
From: Randall Spangler
Date: Sun, 17 Apr 2011 10:48:10 -0700
Subject: [PATCH] Do not advance kernel version in TPM if we are in firmware B trying a new firmware
Change-Id: If5b6390d011d743689cf96e49202358397663651
R=bleung@chromium.org,dlaurie@chromium.org,sumit@chromium.org
BUG=chrome-os-partner:3367
TEST=make && make runtests
Review URL: http://codereview.chromium.org/6871044
---
 firmware/lib/vboot_kernel.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/firmware/lib/vboot_kernel.c b/firmware/lib/vboot_kernel.c
index cfdd9b4c0b..0e9c15ba7e 100644
--- a/firmware/lib/vboot_kernel.c
+++ b/firmware/lib/vboot_kernel.c
@@ -597,13 +597,12 @@ int LoadKernel(LoadKernelParams* params) {
 shcall->check_result = VBSD_LKC_CHECK_GOOD_PARTITION;
 /* See if we need to update the TPM */
- if (kBootRecovery != boot_mode && good_partition_key_block_valid) {
- /* We only update the TPM in normal and developer boot modes. In
- * developer mode, we only advanced lowest_version for kernels with valid
- * key blocks, and didn't count self-signed key blocks. In recovery
- * mode, the TPM stays PP-unlocked, so anything we write gets blown away
- * by the firmware when we go back to normal mode. */
- VBDEBUG(("Boot_flags = not recovery\n"));
+ if ((kBootNormal == boot_mode) &&
+ !((1 == shared->firmware_index) && (shared->flags & VBSD_FWB_TRIED))) {
+ /* We only update the TPM in normal mode. We don't advance the
+ * TPM if we're trying a new firmware B, because that firmware
+ * may have a key change and roll forward the TPM too soon. */
+ VBDEBUG(("Checking if TPM kernel version needs advancing\n"));
 if ((lowest_version > tpm_version) &&
 (lowest_version != LOWEST_TPM_VERSION)) {
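Review bot: The new guard on the TPM update drops `good_partition_key_block_valid`, which the old condition required before `lowest_version` could be written to the TPM, and neither the new comment nor the commit message says why the rollback counter no longer needs it. If normal mode already guarantees that only kernels with a verified key block contribute to `lowest_version`, state that in the comment, e.g. `/* In normal mode every good partition has a verified key block, so lowest_version is trustworthy. */`; otherwise keep the term, `if ((kBootNormal == boot_mode) && good_partition_key_block_valid &&`. The bare `1 == shared->firmware_index` would also read better as a named firmware-B constant. The enclosing block of LoadKernel starts and ends outside this hunk, so whether that invariant holds cannot be confirmed from the lines shown.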