vboot2: Split keyblock checking and signature validation

This is necessary for the next change, which adds keyblock hash checking.

Also clean up some other assorted comments, and move the diagnostic
check of root key to see if it's the checked-in one earlier in
firmware preamble validation so it's closer to where the root key is
loaded.

No functional or higher-level API changes; just shuffling around code
under the covers.

BUG=chromium:487699
BRANCH=none
TEST=make -j runtests

Change-Id: Ibc3960a4d882dc2ad8684e235db4b9d066eac080
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/272223
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
This commit is contained in:
Randall Spangler
2015-05-19 12:45:20 -07:00
committed by ChromeOS Commit Bot
parent 2d25e837cc
commit b87d1ec118
7 changed files with 204 additions and 99 deletions

@@ -97,12 +97,12 @@ struct vb2_keyblock {
struct vb2_signature keyblock_signature;
/*
* SHA-512 checksum for this key block (header + data pointed to by
* SHA-512 hash for this key block (header + data pointed to by
* data_key) For use with unsigned data keys.
*
* Note that the vb2 lib currently only supports signed blocks.
* Only supported for kernel keyblocks, not firmware keyblocks.
*/
struct vb2_signature keyblock_checksum_unused;
struct vb2_signature keyblock_hash;
/* Flags for key (VB2_KEY_BLOCK_FLAG_*) */
uint32_t keyblock_flags;
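
Review bot: The updated comment on keyblock_hash says the hash is "Only supported for kernel keyblocks, not firmware keyblocks", but the commit message says hash checking arrives in the next change and that this one has no functional changes, so at this commit the comment describes behaviour that is not present yet. Either move the comment update into the change that adds the check, or word it as intent. The comment should also state explicitly what firmware keyblock verification does with this field (whether it is ignored and keyblock_signature is always required), because the field is still typed struct vb2_signature and a reader could take it for an alternative trust path. Two smaller points: "data_key) For use with unsigned data keys." is missing a period after the parenthesis, and the rename from keyblock_checksum_unused is a source-visible change to struct vb2_keyblock, which deserves a line in the commit message next to "No functional or higher-level API changes".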