This patch shuffles around most of the detachable UI code to try to make
it more readable and maintainable. The goal is to get the business logic
out of the main UI loop functions as much as possible, and concentrate
the code handling each individual menu option in a single location.
This is a pure refactor and should not change behavior in any
(important) way. The adjustments to unit tests are only needed since the
old code displayed the same screen twice in certain circumstances, and
returning from the LANGUAGE menu to DEVELOPER selected the default
option Power Off, although other transitions to that screen select the
current default boot target.
BRANCH=None
BUG=None
TEST=make runtests, boot Scarlet and play with all screens.
Change-Id: Ibe05cbcb23c964d81f80de741bbd6f2231a2522d
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/888082
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Shelley Chen <shchen@chromium.org>
This menu will be used by any of the legacy screens.
The idea is that when the user hits volume up/down, then
they will enter this options menu, which will allow the user
to change languages or show debug info.
BUG=b:67371896, b:64400036
BRANCH=None
TEST=None
Change-Id: I31d3e312388b56613368276ec72e5c68ded2264e
Signed-off-by: Shelley Chen <shchen@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/770257
Commit-Ready: Benjamin Gordon <bmgordon@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Now that vb2_shared_data / vb2_context provides all the same data to
lower-level kernel verification code that cparams did, stop passing
cparams down to those functions.
No change in functionality.
BUG=chromium:611535
BRANCH=none
TEST=make -j runtests; build bob firmware and boot it
Change-Id: I86eb1801ee96d8b56404b74843a8d09e3122567f
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/852814
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
The region API was a way for firmware and kernel verification to get
at various blocks of caller-provided data. In practice, we only used
it internally as a way to get at parts of the GBB. Prune it down to
access only the bits of GBB we still need, from the buffer we already
know we have.
In the long run we should use the same vb2ex_read_resource() API that
vb2 firmware verification does, but that should be done in a follow-up
CL since it'll need to be coordinated with support in depthcharge.
No change in functionality.
BUG=chromium:611535
BRANCH=none
TEST=make -j runtests; build bob firmware and boot it
Change-Id: I5715cb8d88274164a1a73ed4a56bbd93af46f9bf
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/852798
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
All screens are now drawn by depthcharge. ToT firmware does not
include a bmpblk / bmpfv section in the GBB. Remove the code paths
which are no longer used.
Also drop a few cparams parameters from functions that no longer use
it, now that those functions don't need to access the GBB.
BUG=chromium:502066
BRANCH=none
TEST=make -j runtests; build bob firmware and check recovery screens
Change-Id: I4d2d0a3ba57c34151e65c6f42581df823192a4ae
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/852371
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
Vboot firmware previously supported a rather complex audio looping
library. Our original intent was to allow developers to flash a
custom beep sequence / tune as an easter egg. We never fully
supported that, but the code to allow it lived on. Get rid of that.
Vboot also previously made no assumptions about the frequency of
VbExGetTimer(), which was only used by the vboot_audio library. So it
spent 10ms every boot measuring the frequency. Which is silly now,
because depthcharge implements that as a microsecond timer. Get rid
of that measurement and define the timer as a microsecond timer.
BUG=chromium:611535
BRANCH=none
TEST=make -j runtests; build bob firmware and boot it
Change-Id: I350246874fb36b00149423696285cfcaca0fc526
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/847311
Reviewed-by: Shelley Chen <shchen@chromium.org>
Remove the old vboot1 vboot_nvstorage library (VbNv*() functions) and
use the vboot2 library (vb2_nv_*()) instead. This is needed in
preparation for moving to 64-byte records; no sense in implementing
that change twice...
Should be (better be) no change in system behavior.
BUG=chromium:789276
BRANCH=none
TEST=make runtests
compare output of crossystem before/after change (should be identical)
Change-Id: I10f9975b0824263064b9a74a3c6daadcecc085d3
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/794732
Depthcharge currently includes vboot_nvstorage.h directly, instead of
including only the API header files directly. Add 2nvstorage.h to the
list of headers which can be requested impolitely.
Also fix the definition of ARRAY_SIZE to match exactly what
depthcharge and coreboot provide, so that the compiler does not get
sad when it's included from both libpayload.h and 2common.h.
BUG=chromium:789276
BRANCH=none
TEST=make runtests; emerge-reef depthcharge coreboot
Change-Id: Idc0390eaf813c3079df1676781e8bf5bc9b46450
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/802176
Reviewed-by: Shelley Chen <shchen@chromium.org>
This just adds the kernel_max_rollforward field to the nvstorage
libraries and crossystem. The firmware does not use it yet; that's
coming in a subsequent CL.
16 of the fields's 32 bits are taken from unused bytes of the kernel
field. This has no effect on existing usage.
BUG=chromium:783997
BRANCH=none
TEST=make runtests
Also manual testing. In a root shell:
crossystem kernel_max_rollforward --> Should default to 0
crossystem kernel_max_rollforward=0xfffffffe
crossystem kernel_max_rollforward --> Should be 0xfffffffe
(Note that setting it to 0xffffffff is indistinguishable from the
-1 value that the crossystem library uses to indicate error, so
0xffffffff isn't actually usable as a max rollforward limit. But
0xfffffffe is, and if we ever get so close to the limit that we
need to use 0xffffffff, something has already gone horribly wrong
with our versioning strategy...)
Change-Id: I008f412e6ed3c0b59beb9881268585af69d1ff2e
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/765572
Reviewed-by: Julius Werner <jwerner@chromium.org>
1. Differentiate button codes for short press and long press of volume
up and volume down.
2. Add a new code for volume up-down combo press since it is expected
to be used for one of the firmware screens.
3. Treat volume down long press as Ctrl-D on developer screen.
4. Treat volume up long press as Ctrl-U on developer screen.
CQ-DEPEND=CL:756254
BUG=b:64992445,b:65013794
BRANCH=None
TEST=Verified that buttons work as expected on Soraka.
Change-Id: I5d443f43f785b973f3ff4aeaac52b152ed2fe0bd
Signed-off-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/757123
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Chromebox ECs perform EFS: verifying firmware before the AP boots.
This patch adds support for EC EFS.
EC EFS uses two slots: one is active slot and one is used for update.
AP is agnostic about which slot is active and which slot is for
update. Instead, AP recognizes one slot as 'active' and the other
as 'update' (or non active) slot.
After update is successful, AP issues a cold reboot command to
activate the new slot.
BUG=b:65028930,b:65264494
BRANCH=none
CQ-DEPEND=CL:616248
TEST=buildall. On Fizz, verify:
1. RW_B is old and updated by soft sync. RW_B is activated and
executed after reboot. System continues to boot to OS.
2. RW_A is old and updated by soft sync. RW_A is activated and
executed after reboot. System continues to boot to OS.
Change-Id: I6ca7686eb28b0b548785cf2c02eca1b67018f469
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/616346
Add tpm_lite library support for the IFX specific TPM_FieldUpgrade
subcommand "FieldUpgradeInfoRequest2". Expose this via tpmc so it can
be used from shell scripts.
BRANCH=none
BUG=chromium:728130
TEST=Builds and tpmc ifxfieldupgradeinfo prints plausible results.
Change-Id: Ie58ebccef7fe90f7fca65d7cd9c78e1f16f9f29a
Reviewed-on: https://chromium-review.googlesource.com/562772
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
When DUT is already in dev mode, don't let user select the "Enable
Developer Mode" selection in the menu. Add disabled_idx_mask to
VbExDisplayMenu API to allow for disabling of menu items in the future
if needed.
BUG=b:63078243, b:35585623
BRANCH=None
TEST=reboot into recovery with DUT already in dev mode. Make sure
can't scroll to "Enable Developer Mode: entry.
reboot into recovery with DUT in normal mode. Make sure
"Enable Developer Mode" entry is selectable.
CQ-DEPEND=CL:565335
Change-Id: Ic71fe6aa2e41337787a0c2278f729356edb155fd
Signed-off-by: Shelley Chen <shchen@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/598430
Reviewed-by: Julius Werner <jwerner@chromium.org>
Some tests mock library functions. This previously worked due to adding
CFLAGS += -Xlinker --allow-multiple-definition
to the test binaries. But the new version of binutils seems to need
the default implementation to be weak if compiled with -O2 in some
cases. Add test_mockable for use with functions where this is now
needed.
BUG=chromium:723906
BRANCH=none
TEST=Add CFLAGS += -O2 to the makefile, then make -j runtests
Tests break before this change with -O2, and work afterwards
Change-Id: I95996a3e1086251442055765295a75de4c20ee3c
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/527601
Commit-Ready: Manoj Gupta <manojgupta@chromium.org>
Tested-by: Rahul Chaudhry <rahulchaudhry@chromium.org>
Reviewed-by: Rahul Chaudhry <rahulchaudhry@chromium.org>
Add a kernel type for signing multiboot kernel images.
BUG=b:38040849
BRANCH=none
TEST=properly sign a multiboot kernel image and then verify
the resulting image.
Change-Id: If00e7c85244bc59853c305e42543f34c5fabf356
Signed-off-by: Duncan Laurie <dlaurie@google.com>
Reviewed-on: https://chromium-review.googlesource.com/497933
Reviewed-by: Randall Spangler <rspangler@chromium.org>
BUG=chrome-os-partner:61275
BRANCH=None
TEST=reboot and try to make selections in detachable
UI with power button.
Change-Id: I0a3178eb3fa2c8c1ed77d96fdefa948eaea508e5
Signed-off-by: Shelley Chen <shchen@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/427220
Enables easy printing of text to display.
Will be used for detachable UI.
BUG=chrome-os-partner:61275
BRANCH=None
TEST=Tested from new vboot_ui_menu.c file
CQ-DEPEND=CL:424357
Change-Id: I668dd57eaafa02fb31f6ac479bcd03a613323f14
Signed-off-by: Shelley Chen <shchen@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/424090
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Previously, the EC software sync process called VbDisplayScreen() from
several function calls deep. Refactor software sync so that the UI
decisions are at a higher level (in ec_sync_all.c) and isolated from
the low-level EC software sync functionality (in ec_sync.c).
This is one in a series of changes which are more clearly separating
out the UI, to make it easier to support multiple UI across a range of
devices.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; build_packages --board=reef chromeos-firmware; boot reef
Change-Id: I40597abeb5b0cc8f5d8fc2098e4acbed4bf59bf6
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/411921
Reviewed-by: Shelley Chen <shchen@chromium.org>
Implement TlclGetPermissions, which sends a TPM2_NV_ReadPublic command
and returns the attributes of the NV Index (TPM2 Spec, Part 3, Section 31.6).
BUG=chrome-os-partner:58873
BUG=chrome-os-partner:55210
BRANCH=none
TEST=Run "tpmc def" with various permissions to define new indexes,
verify that "tpmc getp" returns matching permissions for them.
Change-Id: I2ad7163332ae8793cd717875645f19baef513b26
Reviewed-on: https://chromium-review.googlesource.com/409618
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Implement TlclDefineSpace, which sends a TPM2_NV_DefineSpace command
to define the attributes of an NV Index and cause the TPM to reserve
space to hold the data associated with the NV Index (TPM2 Spec, Part 2,
Section 31.3.1).
Also, update TlclWrite and TlclWriteLock calls to use the platform
authorization only for NV Indexes in TPM and Platform ranges, and
use empty password authorization otherwise. This allows (1) working with
the Off-Disk Early-Access Key Storage used by mount-encrypted through
Tlcl API; and (2) testing Tlcl NV define/write/write-lock operations
with platform hierarchy disabled.
BUG=chrome-os-partner:55210
BUG=chrome-os-partner:59361
BRANCH=none
TEST=After clearing the TPM owner run "tpmc def 0x800001 0x3 0x0" to
create a TPM index of size 3, which can be read and written to
with empty password. Verify that "tpmc write 0x800001 12 34 56"
succeeds and "tpmc read 0x800001 0x3" prints "12 34 56" as NVRAM
space contents.
Change-Id: I185cf8380ef1579d0e9e4d8cead5a30ceda3ead9
Reviewed-on: https://chromium-review.googlesource.com/405792
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@google.com>
This new recovery reason will instruct the calling firmware in
vboot_select_and_load_kernel to reboot the device (under the assumption
that training of memory has already been performed by the firmware). On
seeing the return code VBERROR_REBOOT_REQUESTED, calling firmware should
perform a reboot.
BUG=chrome-os-partner:59352
BRANCH=None
TEST=make -j runtests successful
Change-Id: I110a735e612665cb2378bd71ca01a111edaf58e3
Signed-off-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/407656
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Originally, vboot1 code used VbExMalloc() and VbExFree() since it needed
to talk to EFI firmware that didn't have standard malloc() and free().
Now, coreboot and depthcharge implement them as wrappers around those
standard calls. vboot2 code already calls them directly, so let vboot1
code do that too.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge
Change-Id: I49ad0e32e38d278dc3589bfaf494bcf0e4b0a4bd
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/400905
Bit 2 in the GPT partition attributes has been allocated as the legacy
bios boot (equivalent to the "active" or "boot" flag in MBR). If we
try to boot images on newer x86 systems, syslinux dies because it can't
find any GPT partition marked bootable.
Update the various parts of cgpt add & show to manage this bit. Now we
can run:
cgpt add -i 12 -B 1 chromiumos_image.bin
And the EFI partition will be marked bootable.
BUG=chromium:644845
TEST=vboot_reference unittests pass
TEST=booted an amd64-generic disk image via USB on a generic laptop
BRANCH=None
Change-Id: I78e17b8df5b0c61e9e2d8a3c703e6d5ad230fe92
Reviewed-on: https://chromium-review.googlesource.com/382411
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
mount-encrypted needs to be aware of TPM ownership status, and
will also want to issue a read lock for the early access NVRAM
index.
BRANCH=none
BUG=chromium:625037
TEST=mount-encrypted shows ownership at boot with kevin
Change-Id: I42f43f91d892137e1c46c7cacd88e3b749ce7f04
Reviewed-on: https://chromium-review.googlesource.com/366443
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
As discussed in https://chromium-review.googlesource.com/#/c/361381/,
instead of being a synonym to 'tpmc pplock', the 'tpmc block' command
should protect just the FW index using WriteLock.
Additionally, both TlclSetGlobalLock and TlclLockPhysicalPresence in
tlcl (which are used by 'tpmc block' and 'tpmc pplock') are updated
to first check if the platform hierarchy is already disabled and
return success, if so. That's needed to prevent command failures
when rollback protection is already on.
BRANCH=none
BUG=chrome-os-partner:55210
BUG=chrome-os-partner:55250
TEST=boot on kevin, verify that 'tpmc block' and 'tpmc pplock'
work as expected:
- pplock is possible after block
- pplock and block succeed both for enabled and disabled PH
- block locks FW index
- pplock disables PH
Change-Id: I32bff2b590a51315b11da361b97c684dcce8ab36
Reviewed-on: https://chromium-review.googlesource.com/362772
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
And nuke all the underlying code that is unused once those APIs are
gone. These APIs are not used by any project in ToT, having been
superseded last year by the vboot2 APIs.
No functional changes to live code, just lots of deletes.
CQ-DEPEND=CL:347414
BUG=chromium:611535
BRANCH=none
TEST=make runtests; build samus
Change-Id: I05ac752d74d1343dd03600b1c5e6ed22822e2802
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/347257
Let's use an earlier version of CL 360944 that relies on the
global flag to decide if the platform authorization is to
be used.
As it turned out, we can't read NVRAM with empty
password authorization if platform hierarchy is still enabled
(as it is in firmware), so we keep platform authorization for
firmware, and use empty password only for userland utilities,
like tpmc.
BRANCH=none
BUG=chrome-os-partner:55531
TEST=Run 'initctl stop trunksd; tpmc read 0x1008 0xd" on
kevin, verify that it returns the right output.
Change-Id: Ic878ebde9086e803d2487d90c55c0f19001cf94b
Signed-off-by: Andrey Pronin <apronin@google.com>
Reviewed-on: https://chromium-review.googlesource.com/362520
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Build a special version of TPM Lightweight Command Library in
libvboot_host for TPM2. Create the framework for implementation, stub
functions for now. libvboot_host is used by tpmc and other user-space
utilities that talk directly to tpm bypassing trunks/trousers.
BRANCH=none
BUG=chrome-os-partner:54981
BUG=chrome-os-partner:55210
TEST=Boot on kevin, verify that 'tpmc read' works.
Change-Id: I4cc41028041193041defc319687697eb9edb1f3e
Reviewed-on: https://chromium-review.googlesource.com/358623
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
The firmware needs to lock the kernel rollback index before starting
up the kernel. The TPM2_NV_WriteLock command is used for that.
We also want to limit the amount of control the user space apps have
over TPM. With TPM1.2 it was achieved by deasserting physical
presence. TPM2 specification allows to achieve the same goal by
disabling Platform Hierarchy, which is active out of reset.
BRANCH=none
BUG=chrome-os-partner:50465
TEST=verified that all commands succeed and chrome OS boots up fine.
Change-Id: Ia5893460e0b29f1945cb2aae45a5f10b08fe1ed1
Reviewed-on: https://chromium-review.googlesource.com/358351
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
The marshaling code is a port of the coreboot patch
https://chromium-review.googlesource.com/353915. The only supported
commands at this time are NV_read and NV_write.
The tlcl layer includes functions necessary to satisfy compilation
requirements of rollback_index.c, functions to lock spaces and clear
TPM are not yet implemented, they just report being invoked.
The missing functions implementation is coming, but even without it it
is possible to boot Chrome OS with firmware and kernel rollback
counters maintained in the TPM NVRAM.
BRANCH=none
BUG=chrome-os-partner:50645
TEST=with depthcharge patches applied kevin/gru boards boot into
chrome OS with rollback counters read from/written to TPM2
Change-Id: I29fe9069d7c37c33d354f36c93bda15d439bf74f
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/356753
Reviewed-by: Randall Spangler <rspangler@chromium.org>
The latest TPM specification uses different command codes, command
structures and return codes.
Let's put definitions for different TPM versions into different
include files.
CQ-DEPEND=CL:357831
BRANCH=none
BUG=chrome-os-partner:50645
TEST=with the rest of the patches applied kevin/gru boards boot into
chrome OS with rollback counters read from/written to TPM2
Change-Id: Ie13696d4e5098a4ea5e338e84334d257e5c704a7
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/356751
Reviewed-by: Randall Spangler <rspangler@chromium.org>
This adds RW firmware support for the optional firmware management
parameters TPM space.
System-level tests require CL:339262 to add cryptohome support.
BUG=chromium:601492
BRANCH=baytrail and newer platforms
TEST=make -j runtests
Or better, COV=1 make, and then make sure all new code is covered.
Change-Id: Ifaf644c80809552d5961615be6017c2a332a034b
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/339234
