vboot: Add firmware management parameters

This adds RW firmware support for the optional firmware management parameters TPM space. System-level tests require CL:339262 to add cryptohome support. BUG=chromium:601492 BRANCH=baytrail and newer platforms TEST=make -j runtests Or better, COV=1 make, and then make sure all new code is covered. Change-Id: Ifaf644c80809552d5961615be6017c2a332a034b Signed-off-by: Randall Spangler <rspangler@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/339234
2025-11-24 02:05:01 +00:00 · 2016-04-15 14:49:40 -07:00
parent 111c59b567
commit 946abf1439
12 changed files with 442 additions and 5 deletions
--- a/firmware/lib/include/rollback_index.h
+++ b/firmware/lib/include/rollback_index.h
@@ -18,7 +18,8 @@
 /* This is just an opaque space for backup purposes */
 #define BACKUP_NV_INDEX                 0x1009
 #define BACKUP_NV_SIZE 16
-
+#define FWMP_NV_INDEX			0x100a
+#define FWMP_NV_MAX_SIZE 128

 /* Structure definitions for TPM spaces */

@@ -70,6 +71,34 @@ typedef struct RollbackSpaceFirmware {
 	uint8_t crc8;
 } __attribute__((packed)) RollbackSpaceFirmware;

+#define FWMP_HASH_SIZE 32 /* Enough for SHA-256 */
+
+/* Firmware management parameters */
+struct RollbackSpaceFwmp {
+	/* CRC-8 of fields following struct_size */
+	uint8_t crc;
+	/* Structure size in bytes */
+	uint8_t struct_size;
+	/* Structure version */
+	uint8_t struct_version;
+	/* Reserved; ignored by current reader */
+	uint8_t reserved0;
+	/* Flags; see enum fwmp_flags */
+	uint32_t flags;
+	/* Hash of developer kernel key */
+	uint8_t dev_key_hash[FWMP_HASH_SIZE];
+} __attribute__((packed));
+
+#define ROLLBACK_SPACE_FWMP_VERSION 0x10  /* 1.0 */
+
+enum fwmp_flags {
+	FWMP_DEV_DISABLE_BOOT		= (1 << 0),
+	FWMP_DEV_DISABLE_RECOVERY	= (1 << 1),
+	FWMP_DEV_ENABLE_USB		= (1 << 2),
+	FWMP_DEV_ENABLE_LEGACY		= (1 << 3),
+	FWMP_DEV_ENABLE_OFFICIAL_ONLY	= (1 << 4),
+	FWMP_DEV_USE_KEY_HASH		= (1 << 5),
+};

 /* All functions return TPM_SUCCESS (zero) if successful, non-zero if error */

@@ -134,6 +163,15 @@ uint32_t RollbackBackupWrite(uint8_t *raw);
 */
 uint32_t RollbackKernelLock(int recovery_mode);

+/**
+ * Read and validate firmware management parameters.
+ *
+ * Absence of a FWMP is not an error; in this case, fwmp will be cleared.
+ *
+ * Returns non-zero if error.
+ */
+uint32_t RollbackFwmpRead(struct RollbackSpaceFwmp *fwmp);
+
 /****************************************************************************/

 /*