1662 Commits

Author SHA1 Message Date
Randall Spangler
7c3ae42e04 vboot: Convert vboot1 SHA calls to use vboot2
This change replaces all calls to the old vboot1 SHA library with their
vboot2 equivalents.

This is the first in a long series of changes to move the core vboot kernel
verification into vb2, and the control/display loop out to depthcharge.

BUG=chromium:611535
BRANCH=none
TEST=make runtests; build samus firmware and boot it

Change-Id: I31986eb766176c0e39a192c5ce15730471c3cf94
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/344342
Tested-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
2016-07-22 18:40:04 -07:00
Randall Spangler
b3a625f8fe vboot: Fix potential alignment issue reading FWMP
RollbackFwmpRead() assumed that a uint8[] array on the stack would be
aligned sufficiently for typecasting to struct RollbackSpaceFwmp and
accessing its members.

This was true on x86 (where unaligned accesses work fine) and probably
harmless on other platforms (since RollbackSpaceFwmp is
__attribute__(packed)).  But it's cleaner to switch to using a union of
the buffer and struct, since that will provide the proper alignment.

BUG=chromium:601492
BRANCH=baytrail and newer platforms
TEST=make -j runtests

Change-Id: I97077923ab5809c68510cbd382541bf2827aba6b
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/362087
Commit-Ready: Dan Shi <dshi@google.com>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
2016-07-22 13:35:56 -07:00
Andrey Pronin
bea3f7979a tlcl: use different NV_Read authorizations for fw and userland
Let's use an earlier version of CL 360944 that relies on the
global flag to decide if the platform authorization is to
be used.

As it turned out, we can't read NVRAM with empty
password authorization if platform hierarchy is still enabled
(as it is in firmware), so we keep platform authorization for
firmware, and use empty password only for userland utilities,
like tpmc.

BRANCH=none
BUG=chrome-os-partner:55531
TEST=Run 'initctl stop trunksd; tpmc read 0x1008 0xd' on
     kevin, verify that it returns the right output.

Change-Id: Ic878ebde9086e803d2487d90c55c0f19001cf94b
Signed-off-by: Andrey Pronin <apronin@google.com>
Reviewed-on: https://chromium-review.googlesource.com/362520
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
2016-07-22 14:42:54 +00:00
Andrey Pronin
a071c76978 Support 'tpmc setbgloballock' for tpm2 case
Some scripts call 'tpmc setbgloballock' or 'tpmc block'. For tpm2
it should be equivalent to pplock, i.e. perform rollback protection
actions: writelock for NVRAM firmware index and disable platform
hierarchy.

BRANCH=none
BUG=chrome-os-partner:55210
TEST=run 'tpmc block' on kevin, check that it attempts pplock

Change-Id: I51fae6bd111cf3ff3c1dfbed7441868abad8fc15
Reviewed-on: https://chromium-review.googlesource.com/361381
Commit-Ready: Dan Shi <dshi@google.com>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
2016-07-21 03:15:44 -07:00
Andrey Pronin
a15f82296d Read NVRAM with proper authorization for tpm2
In TPM2 case, NVRAM must be read with empty password
authorization in tpmc, since platform hierarchy is
disabled by firmware or trunksd for rollback prevention.

Since all NVRAM indices are now defined with
AUTHREAD, switch to empty password authorization from
platform authorization for all NVRAM reads in Tlcl.

BRANCH=none
BUG=chrome-os-partner:55210
BUG=chrome-os-partner:55251
TEST=Run 'initctl stop trunksd; tpmc read 0x1008 0xd' on
     kevin, verify that it returns the right output.

Change-Id: Ifb72ff5080a4ac5f8d63b5c0713e5bb184f176ca
Reviewed-on: https://chromium-review.googlesource.com/360944
Commit-Ready: Dan Shi <dshi@google.com>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
2016-07-21 03:15:24 -07:00
Paul Kocialkowski
3467bd7c1e Proper armv7l host arch detection
This allows properly detecting an armv7l host architecture and setting
the right ARCH value so that e.g. crossystem can build fine.

BRANCH=none
BUG=none
TEST=Build host_stuff on an armv7l machine

Change-Id: I6a6ac74477eff41e73eca671d9dac229888c4e77
Signed-off-by: Paul Kocialkowski <contact@paulk.fr>
Reviewed-on: https://chromium-review.googlesource.com/360160
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
2016-07-18 13:33:18 -07:00
Andrey Pronin
1becb0dabe Stub tlcl implementation for tpm2 case
Build a special version of TPM Lightweight Command Library in
libvboot_host for TPM2. Create the framework for implementation, stub
functions for now. libvboot_host is used by tpmc and other user-space
utilities that talk directly to tpm bypassing trunks/trousers.

BRANCH=none
BUG=chrome-os-partner:54981
BUG=chrome-os-partner:55210
TEST=Boot on kevin, verify that 'tpmc read' works.

Change-Id: I4cc41028041193041defc319687697eb9edb1f3e
Reviewed-on: https://chromium-review.googlesource.com/358623
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
2016-07-15 19:23:56 -07:00
Daisuke Nojiri
d5820a79fc bdb: Add nvmrw_get and nvmrw_set
These internal APIs are used to get and set values in NVM-RW variables.

BUG=chrome-os-partner:51907
BRANCH=tot
TEST=make runtests

Change-Id: Ibae1836cb569fe89dd2c8249f76c66b78b1c2cf4
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/356691
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-07-11 14:43:59 -07:00
Vadim Bendebury
ae703f6819 tpm2: add nvram lock and hierarchy control commands
The firmware needs to lock the kernel rollback index before starting
up the kernel. The TPM2_NV_WriteLock command is used for that.

We also want to limit the amount of control the user space apps have
over TPM. With TPM1.2 it was achieved by deasserting physical
presence. TPM2 specification allows to achieve the same goal by
disabling Platform Hierarchy, which is active out of reset.

BRANCH=none
BUG=chrome-os-partner:50465
TEST=verified that all commands succeed and chrome OS boots up fine.

Change-Id: Ia5893460e0b29f1945cb2aae45a5f10b08fe1ed1
Reviewed-on: https://chromium-review.googlesource.com/358351
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
2016-07-09 11:25:24 -07:00
Vadim Bendebury
eb4f39d3db fix a compile flag typo
The code guarded by this compilation flag is not supposed to kick in
on gru/kevin, this is how the typo went unnoticed.

BRANCH=none
BUG=none
TEST=kevin still boots into chrome os

Change-Id: Ic12aacb7ad9b2361666e719a50597d3836d5212a
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/358493
Reviewed-by: Julius Werner <jwerner@chromium.org>
2016-07-07 01:10:19 -07:00
Vadim Bendebury
cd341a0cd7 vb2api: pad digest buffers if they are larger than digest sizes
Extending tpm PCRs in case of TPM2 requires 32 bit values, some
digests pre-calculated in vboot source code are 20 bytes in size. To
make sure that PCR extension is consistent, pad remaining buffer space
when a 20 byte digest is returned in a 32 byte buffer.

BRANCH=none
BUG=chrome-os-partner:50645
TEST=did not verify much, made sure that PCR extension commands
     triggered by coreboot succeed.

Change-Id: Ib16bdf782f18a6106eadb4b880cd1e67b56ad6db
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/358175
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-07-06 23:00:44 -07:00
Vadim Bendebury
452973e5f4 tpm2: refactor tpm2 return value processing
There is no point in checking and reporting error code in each
function calling tpm_process_command(), let's do it in one place for
all commands.

BRANCH=none
BUG=chrome-os-partner:50645
TEST=Kevin still boots to chrome os

Change-Id: I10f45bd15df293f63401c295c5dce833543c50da
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/358174
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
2016-07-06 23:00:43 -07:00
Vadim Bendebury
25589e5a1e tpm2: add marshaling/unmarshaling and tlcl support
The marshaling code is a port of the coreboot patch
https://chromium-review.googlesource.com/353915. The only supported
commands at this time are NV_read and NV_write.

The tlcl layer includes functions necessary to satisfy compilation
requirements of rollback_index.c, functions to lock spaces and clear
TPM are not yet implemented, they just report being invoked.

The missing functions implementation is coming, but even without it it
is possible to boot Chrome OS with firmware and kernel rollback
counters maintained in the TPM NVRAM.

BRANCH=none
BUG=chrome-os-partner:50645
TEST=with depthcharge patches applied kevin/gru boards boot into
     chrome OS with rollback counters read from/written to TPM2

Change-Id: I29fe9069d7c37c33d354f36c93bda15d439bf74f
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/356753
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-07-01 05:16:08 -07:00
Vadim Bendebury
3c9acf83d5 tpm2: simplify rollback checks.
On the systems using TPM2 this rollback index check will run only for
the kernel space. This means that TPM initialization is guaranteed to
be completed by the time this code runs.

The exact ways of verifying the space settings and locking it are
still being designed, this functionality is temporarily excluded in
this patch.

BRANCH=none
BUG=chrome-os-partner:50645
TEST=with the rest of the patches applied kevin/gru boards boot into
     chrome OS with rollback counters read from/written to TPM2

Change-Id: Ie4e22886493404f538b2b3ae6f8c2bdca5f7ab22
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/356752
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-07-01 05:16:04 -07:00
Vadim Bendebury
b8e8801c4f tpm: add TSS constants and structures for TPM2
The latest TPM specification uses different command codes, command
structures and return codes.

Let's put definitions for different TPM versions into different
include files.

CQ-DEPEND=CL:357831
BRANCH=none
BUG=chrome-os-partner:50645
TEST=with the rest of the patches applied kevin/gru boards boot into
     chrome OS with rollback counters read from/written to TPM2

Change-Id: Ie13696d4e5098a4ea5e338e84334d257e5c704a7
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/356751
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-07-01 05:16:03 -07:00
Vadim Bendebury
239aa21516 Add ability to build vboot firmware for TPM2 support
TPM2 will have to use a different tlcl layer, the configuration option
will be provided by depthcharge at build time.

BRANCH=none
BUG=chrome-os-partner:50645
TEST=with the rest of the patches applied kevin/gru boards boot into
     chrome OS with rollback counters read from/written to TPM2

Change-Id: I0694741f5317da2c3268ee9edfdf29caff2fc26c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/356750
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-07-01 05:16:01 -07:00
Daisuke Nojiri
7fbebd98be bdb: Add secrets library
The secrets library clears, extends, and derives secrets which are used
by vboot SoC.

BUG=chrome-os-partner:51907
BRANCH=tot
TEST=make runtests

Change-Id: I38c93fd450364792cebc942694f848e10d0e9502
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/349252
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-06-23 15:15:12 -07:00
Daisuke Nojiri
7931177cc3 bdb: Add vba_update_buc
vba_update_buc writes a BUC (boot unlock code) to NVM-RW. It will be called
by AP-RW to update a BUC.

BUG=chrome-os-partner:51907
BRANCH=tot
TEST=make runtests

Change-Id: Ic91f34b60b11ebce948bce01993ddb44519a59b8
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/346233
2016-06-22 20:01:58 -07:00
Randall Spangler
05cd8ce75f test: Add tests for futility show and vbutil_*
Currently, the unit tests verify a 0 exit code, but don't check the
output.  Add tests to check the output.

BUG=chromium:617247
BRANCH=none
TEST=make runtests

Change-Id: I842046bb6f788eee05a1f2f511c6fb08df4a5379
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/349670
Reviewed-by: Daisuke Nojiri <dnojiri@google.com>
2016-06-07 14:25:38 -07:00
Julius Werner
e1867d26a1 vboot_api_kernel: Remove assumptions about EC-RW hash type and size
With newer PD chips and different update mechanisms, we can no longer
guarantee that the "hash" (really just a sort of version identifier) of
an EC-RW image will always be a SHA256. This patch removes any hardcoded
assumptions about that from vboot, and instead accepts any hash size
returned by VbExEcHashImage() and VbExEcGetExpectedImageHash().

It also removes the assumption that the hash can be regenerated by
running SHA256 over the full image returned by VbExEcGetExpectedImage().
We can thus no longer support VBERROR_EC_GET_EXPECTED_HASH_FROM_IMAGE,
which is fine since that functionality hasn't been needed for years and
there would be no reason why we might need it in the future. This also
allows simplifying the code flow of EcUpdateImage() a bit (since you can
really just return very early if you already figured out that you don't
need to update).

BRANCH=None
BUG=chrome-os-partner:53780
TEST=Tested software sync on Oak both after cold and warm boot.

Change-Id: I498f3d39085a38740734fff9f2d1a186a0801489
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/348001
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-05-31 22:15:49 -07:00
Daisuke Nojiri
31d756465d vb2_sha: Add sha256 extend
This patch adds vb2_sha256_extend, which extends a hash using a given block.

BUG=chrome-os-partner:51907
BRANCH=tot
TEST=make runtests

Change-Id: I512674f18dffc55692907c85b19ff19df88a5eeb
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/346234
Commit-Ready: Daisuke Nojiri <dnojiri@google.com>
Tested-by: Daisuke Nojiri <dnojiri@google.com>
Reviewed-by: Randall Spangler <rspangler@google.com>
2016-05-20 20:49:35 -07:00
Daisuke Nojiri
6b5c4e961f bdb: Add NVM library
This patch adds NVM library, which verifies, updates, and syncs NVM-RW of
vboot SoC.

BUG=chrome-os-partner:51907
BRANCH=tot
TEST=make runtests

Change-Id: I5adc399f9e582bd9ea7d9ee73482ed9a924837e0
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/343121
Reviewed-by: Daisuke Nojiri <dnojiri@google.com>
2016-05-20 20:49:34 -07:00
Daisuke Nojiri
a6ec557609 test: Print out actual result when test_succ fails
BUG=none
BRANCH=tot
TEST=make runtests

Change-Id: I419b01d2dd0798bd0a3fe155e41d6aa3d328716a
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/345586
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-05-18 16:41:25 -07:00
Daisuke Nojiri
099eeb9b97 test: Make TEST_* report test location
This patch converts TEST_* functions to macros, which print file name
and line # of the check. This will allow us to locate a failed test
quickly.

New TEST_* macros also automatically generate a test name if
testname == NULL. This will save us time to think of a name for
every single check we write in a test.

BUG=none
BRANCH=tot
TEST=make runtests

Change-Id: Ibdeb99681985c3f348836d256fa3484f2f0c315f
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/343233
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-05-10 19:41:47 -07:00
Daisuke Nojiri
f3f9e00ef0 hmac: Add HMAC to 2lib library
This patch adds HMAC. HMAC will be used to sign/verify NVM structures.
Hash algorithms can be selected from those supported
by enum vb2_hash_algorithm (i.e. SHA1, SHA256, or SHA512).

BUG=chrome-os-partner:51907
BRANCH=tot
TEST=make runtests

Change-Id: I6d349bc807874fe2a5512aabcd7fbf67a4eaa40a
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/342880
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-05-10 19:41:46 -07:00
Randall Spangler
5319565988 vboot: Fix FWMP link error if TPM is mocked
The MOCK_TPM build flag caused link to fail because RollbackFwmpRead()
was missing its mock.

BUG=chromium:601492
BRANCH=baytrail and newer platforms
TEST=make -j runtests
     Hack makefile to add MOCK_TPM := 1 and make -j; no link errors.

Change-Id: I3885d6b6c627bf475f4da33ef67f31aec2159799
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/343920
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
2016-05-11 02:38:15 +00:00
Randall Spangler
946abf1439 vboot: Add firmware management parameters
This adds RW firmware support for the optional firmware management
parameters TPM space.

System-level tests require CL:339262 to add cryptohome support.

BUG=chromium:601492
BRANCH=baytrail and newer platforms
TEST=make -j runtests
     Or better, COV=1 make, and then make sure all new code is covered.

Change-Id: Ifaf644c80809552d5961615be6017c2a332a034b
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/339234
2016-05-08 21:16:02 -07:00
Daisuke Nojiri
111c59b567 test: Add TEST_STR_NEQ
TEST_STR_NEQ can be used to check the returned string is not what it
shouldn't be.

BUG=none
BRANCH=tot
TEST=make runtests

Change-Id: I09d5a63334e9b8365a44bb96ed31db8155d95e21
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/343120
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-05-08 00:31:18 -07:00
Daisuke Nojiri
85dbb34420 bdb: Add vba_bdb_init
vba_bdb_init initializes the vboot context and decides what to do next
based on the vboot register content. Possible actions are:
1. proceed to verify the current slot
2. reset to try the other slot
3. reset to recovery mode

bdb_sprw_test demonstrates these actions.

BUG=chrome-os-partner:51907
BRANCH=tot
TEST=make runtests

Change-Id: If72cdd575d09b9162a871f088064ca853b7fd74d
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/342604
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-05-07 03:32:47 -07:00
Daisuke Nojiri
8917b808ce bdb: Add vboot_register.h
vboot_register.h lists definitions for vboot registers. Vboot registers
are used to transfer information between modules (coreboot & depthcharge)
or boots.

BUG=chrome-os-partner:51907
BRANCH=tot
TEST=make runtests

Change-Id: Ie0876fefb43d3e79a8f96e8f25f99f798892a056
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/342603
2016-05-07 03:32:46 -07:00
Daisuke Nojiri
8fc5916c7f bdb: Rename subkey to datakey
This patch replaces subkey with datakey to make name use consistent
with the design document.

BUG=chrome-os-partner:51908
BRANCH=tot
TEST=make runtests

Change-Id: I3690abd51e6c18c5a1094a8449f375d803c7e0b2
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/342199
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-05-04 11:34:09 -07:00
Daisuke Nojiri
edc3c8e440 bdb: Replace sha functions with vb2 library
BDB has its own implementation of SHA256. This patch replaces it with
the one implemented in vb2 library.

BUG=chrome-os-partner:51908
BRANCH=tot
TEST=build runtests

Change-Id: Ida19dd49153a038fc2b2ce481cedf828818aaeaa
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/342121
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-05-04 11:34:08 -07:00
Daisuke Nojiri
825a2f8c73 bdb: Integrate bdb_test
This patch integrates bdb_test with the root Makefile.

BUG=chrome-os-partner:51908
BRANCH=tot
TEST=make runtests

Change-Id: I6266199d8f3068d2e9349110e8351f20d027ab35
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/342091
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-05-04 11:34:08 -07:00
Daisuke Nojiri
ef4ae8953c bdb: Copy files from bdb to firmware/bdb
Test files are copied to tests/ and the rest are copied to firmware/bdb/.

BUG=chrome-os-partner:51908
BRANCH=tot
TEST=make runtests

Change-Id: I19f66c398e69037f00812a789854340a9690fef5
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/342090
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-05-04 11:34:08 -07:00
Amey Deshpande
48b1a50b08 Revert "image_signing: use sparse partition extraction [reland]"
This reverts commit f482470b72.

The original change is the suspected root cause of chromium:606738.

TEST=signing_unittests.py in cros-signing passes (with updated
vboot_stable_hash).
BUG=chromium:606738
BRANCH=None

Change-Id: I21ea027bbda123ee26c6deb4437b07d2fc6e8575
Reviewed-on: https://chromium-review.googlesource.com/340895
Commit-Ready: Amey Deshpande <ameyd@google.com>
Tested-by: Amey Deshpande <ameyd@google.com>
Reviewed-by: Amey Deshpande <ameyd@google.com>
2016-04-27 18:12:33 -07:00
Julius Werner
8228f47dfd cgpt: Add cgpt legacy parameter to set primary GPT signature to IGNOREME
Now that we have support for the IGNOREME signature in cgpt, we need a
way to set it on an existing disk. The easiest option is to shoehorn
this into the cgpt legacy command, because that's already made to modify
GPT header signatures (really, it would be nice to rename it to cgpt
signature or something, but let's not break existing uses for now).

BRANCH=None
BUG=chrome-os-partner:52595
TEST=unit tests

Change-Id: If2835fec28a9c39373abd050e2e057f73e5ec700
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/340073
Reviewed-by: Nam Nguyen <namnguyen@google.com>
2016-04-25 15:15:32 -07:00
Julius Werner
39910d062d cgptlib: Add support for IGNOREME GPT signature
This patch makes cgpt aware of a special "IGNOREME" GPT header signature
string that may appear in either the primary or the secondary GPT and
cause cgpt (and other cgptlib clients) to completely ignore that GPT. It
will continue to function correctly for all other purposes (using the
data from the non-ignored GPT), but never write any data back to the
ignored GPT.

BRANCH=None
BUG=chrome-os-partner:52595
TEST=unit tests

Change-Id: I7e53542385ae9d8d24dc25b75e91f4ff4917f66f
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/340072
Reviewed-by: Nam Nguyen <namnguyen@google.com>
2016-04-25 15:15:32 -07:00
Julius Werner
5de0000ece cgpt: Fully write out primary GPT before starting to write secondary
The point of having two GPTs is to always have a known good one if one
of them gets corrupted. One of the most obvious ways that could happen
is if the write stopped half-way through (e.g. due to a crash or random
power loss).

Unfortunately, the way we currently save modified GPTs can leave both
copies invalid if we stop writing at just the wrong time. Since a GPT
header contains a checksum over the GPT entries, we need to write both
the header and entries for one GPT (and make sure they're synced to
disk) before we start writing the other.

BRANCH=None
BUG=chrome-os-partner:52595
TEST=None

Change-Id: I2d4b56bcfba9a94395af5896f274ebade9e39081
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/340071
Reviewed-by: Nam Nguyen <namnguyen@google.com>
2016-04-25 15:15:32 -07:00
Daisuke Nojiri
ff9c2b2e8b vboot: Save last screen ID
This patch makes VbDisplayScreen remember the last successfully displayed
screen and skip rendering if the same screen is requested.

When locale is changed, VbCheckDisplayKey calls VbDisplayScreen with force=1,
which makes VbDisplayScreen render the requested screen regardless of the
saved screen ID.

BUG=chromium:602793
BRANCH=tot
TEST=emerge-veyron_jerry vboot_reference chromeos-bootimage

Change-Id: I31c4dde4ff060081f14224a93d57e9b76fcac1db
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/340264
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
2016-04-25 12:56:42 -07:00
Amey Deshpande
8de46d0af9 sign_official_build: retain /boot for EFI devices
TEST=Ran sign_official_build locally on image w/ cros_efi and checked
the signed image had /boot in rootfs.
BUG=chromium:604967
BRANCH=None

Change-Id: Id6e1a6409e07fa37a5c116c66ac937dd9aec1481
Reviewed-on: https://chromium-review.googlesource.com/335469
Commit-Ready: Amey Deshpande <ameyd@google.com>
Tested-by: Amey Deshpande <ameyd@google.com>
Reviewed-by: Don Garrett <dgarrett@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
2016-04-22 15:43:26 -07:00
Mike Frysinger
435fbcee21 include sys/sysmacros.h for major()
The major() func is defined in the sys/sysmacros.h header, so include it
explicitly for the prototype.  Upstream C libs are moving away from having
sys/types.h include it all the time implicitly.

BUG=None
TEST=precq passes
BRANCH=None

Change-Id: I56b84138f08ded2376193403f9c9db22c5f24f71
Reviewed-on: https://chromium-review.googlesource.com/339680
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@google.com>
2016-04-20 18:43:07 -07:00
Hung-Te Lin
aee6bd69fe Support doing battery cut-off in firmware stage.
Add a new crossystem value "battery_cutoff_request" to indicate that
next reboot should cut-off battery and shutdown during firmware stage.

This request is primarily for factories to ship devices in a safe
state. Previously we have done the same thing by running "ectool battery-cutoff",
but that creates a problem in which "ectool" (and the one to request for
cut-off) must live in developer mode while the device must be shipped
in normal mode. The mode transition was solved by setting
"disable_dev_request=1", but that flag may get lost on x86 systems
(having NV storage in CMOS) when the battery is cut off.

From the experience from Ryu, such settings (dev mode transition and
battery cut-off) should be done together inside firmware execution so we
can create a new flag, battery_cutoff_request, to finalize device
properly.

BRANCH=none
BUG=chromium:601705
TEST=emerge-chell depthcharge vboot_reference chromeos-bootimage
     crossystem battery_cutoff_request=1
     # Unplug AC adapter
     reboot
     # See device rebooted and then shutdown immediately.
     # Press power button and system won't boot.
     # Attach AC adapter and now system boots.
CQ-DEPEND=CL:337596,CL:338193

Change-Id: I73ccae15b337cd65786106646546c67c155b8fa6
Reviewed-on: https://chromium-review.googlesource.com/337602
Commit-Ready: Hung-Te Lin <hungte@chromium.org>
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
2016-04-12 05:49:26 -07:00
Duncan Laurie
eb0c8cc39b crossystem: x86: Write VbNv with mosys if using vboot2
If this is an x86 system using vboot2 then write VbNv data
to CMOS and also use mosys to write it directly to flash.

BUG=chrome-os-partner:51846
BRANCH=none
TEST=emerge-chell vboot_reference; emerge-oak vboot_reference
verify on chell that "crossystem dev_disable_request=1" is
written to both CMOS and flash.

Change-Id: Ifd5dcee4d401f8de36801c5c0a7db3255e618e28
Signed-off-by: Duncan Laurie <dlaurie@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/336311
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2016-04-11 14:36:41 -07:00
Duncan Laurie
e98431f52b crossystem: Move mosys based VbNv functions to shared code
The code to read/write vbnv with mosys was implemented in the
ARM specific code so move it to the generic crossystem code
so it can be used on x86.

No functional changes in this commit.

BUG=chrome-os-partner:51846
BRANCH=none
TEST=emerge-chell vboot_reference; emerge-oak vboot_reference

Change-Id: I3fe18fadb924094e710427208976328caf12a009
Signed-off-by: Duncan Laurie <dlaurie@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/336310
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2016-04-11 14:36:41 -07:00
Furquan Shaikh
723b3c09de cgpt: Update behavior of GptUpdateKernelWithEntry
In order to support slots, we need to update behavior of
GptUpdateKernelWithEntry so that:
1. Invalid - Marks kernel entry as invalid
2. Active - Marks kernel entry as active

CQ-DEPEND=CL:336906
BUG=chrome-os-partner:51807
BRANCH=None
TEST=Compiles successfully "sudo emerge vboot_reference" "emerge-smaug
vboot_reference". "make -j runtests" successful.

Change-Id: If248b3c6bdd23d03cb1dd24f4e21cacef5cc3f26
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://chromium-review.googlesource.com/335942
Commit-Ready: Furquan Shaikh <furquan@chromium.org>
Tested-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2016-04-05 13:16:31 -07:00
Mike Frysinger
f482470b72 image_signing: use sparse partition extraction [reland]
Often the partitions we extract have extra space in them, but the dd
utility will still write out the excess zeros.  That can mean we write
out hundreds of megs of data which could otherwise be skipped.  We thus
waste a good amount of I/O and storage.

For now, only use this flag when extracting a partition to a new file
as this should be safe (there's no pre-existing data to clobber/merge).

Now that the signers have been upgraded to Trusty, we can land this.

BUG=chromium:530730
TEST=`./signing_unittests.py` passes
BRANCH=None

Change-Id: I275973ebfc028c15a8d1ef33dd9b3dcf6ca726a2
Reviewed-on: https://chromium-review.googlesource.com/306420
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Amey Deshpande <ameyd@google.com>
2016-04-04 20:05:00 -07:00
Amey Deshpande
65f61f90cc signer: improve error handling in update_legacy_bootloader()
BRANCH=None
BUG=chromium:590933
TEST=Ran sign_official_build.sh locally and booted the image on kvm
(using BIOS).

$ ./sign_official_build.sh base chromiumos_base_image.bin \
  ../../tests/devkeys chromiumos_base_image_signed.bin

Change-Id: I2e1aad6e2073dea8e92d6ee25ac6972a5d555d71
Reviewed-on: https://chromium-review.googlesource.com/331661
Commit-Ready: Amey Deshpande <ameyd@google.com>
Tested-by: Amey Deshpande <ameyd@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
2016-03-08 19:43:11 -08:00
Duncan Laurie
d187cd3fc7 vb2: Modify phase2 behavior for S3 resume case
If a platform does verification of memory init then it must be careful
to use the same slot for resume that it booted from.  This is
accomplished by adding a context flag to indicate this is an S3 resume
and that vboot should treat it differently than a normal boot.

When this flag is set then the same slot that was booted is read from
VBNV and re-used for the resume path, without adjusting any try flags.
If this slot is B then the related context flag is set.

This will allow the firmware updater to update the other (non-booted)
slot and set flags indicating that on the next boot the updated slot
should be tried, while still allowing suspend/resume to work with the
existing firmware slot.

This assumes that the last tried slot was successfully booted, which
should be a safe assumption since the system was able to boot and then
suspend.  It isn't reliable to check last_fw_result for "success"
status because that status is only set some time after boot when
chromeos-setgoodkernel calls chromeos-firmwareupdate --mode=bootok
and so it may still report a status of "trying" on resume depending
on how soon after boot the suspend happened.

It also avoids setting the vboot flag indicating that a slot choice
was made in order to avoid altering the try counter on failure since
this is explicitly not attempting to boot the new slot.

BUG=chromium:577269
BRANCH=glados
TEST=manually tested on chell:
1) ensure that booting from slot A resumes from slot A.
2) ensure that booting from slot B resumes from slot B.
3) do RW update while booted from slot A (so the flags are set to try
slot B) and ensure that suspend/resume still functions properly using
current slot A.
4) do RW update while booted from slot B (so the flags are set to try
slot A) and ensure that suspend/resume still functions properly using
current slot B.

Change-Id: I500faef2b5d19a02f32839976354abf6d551c9f6
Signed-off-by: Duncan Laurie <dlaurie@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/328812
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2016-02-23 16:58:50 -08:00
Furquan Shaikh
478b6d34af sign_nv_cbootimage: Update signing scripts for nv bootloader and lp0
Currently, nvidia tools do not provide the support to perform signing
of bootloader or lp0 image. Thus, the signing script is updated to
support this. Once, we have the required tools, this script can be
simplified again.

CQ-DEPEND=CL:*244234
BUG=chrome-os-partner:43018
BRANCH=none
TEST=Verified that signed bootloader and lp0 work fine on dev-PKC
fused devices.

Reference:
https://code.google.com/p/chrome-os-partner/issues/attachmentText?id=43018&aid=430180067000&name=sign-lp0.sh&token=ABZ6GAcjz4b2mEk55WqREzwTnWWpEyE_7A%3A1452631308268
https://code.google.com/p/chrome-os-partner/issues/attachmentText?id=43018&aid=430180060000&name=sign.sh&token=ABZ6GAcRky67XrzMOgKZfkJxr70qm-tTAg%3A1452631308240

Change-Id: Icb024a1d9a61714df6e52d94c96cf43481cac869
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://chromium-review.googlesource.com/321459
Commit-Ready: Furquan Shaikh <furquan@chromium.org>
Tested-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
2016-02-03 14:59:16 -08:00
Duncan Laurie
933c4e7aa4 vboot_display: Keep track of displayed screen
Vboot needs to track the currently displayed screen so when it needs to
change the locale or display the debug overlay it knows which screen to
redraw.  Currently only the legacy path is doing this so change the new
path to update the current screen if it is successfully drawn.

BUG=chrome-os-partner:49766
BRANCH=glados
TEST=boot on glados in dev mode, hit tab and ensure screen does not go black

Change-Id: I4a2bf028275db57b2d0469fc1cb574e871820713
Signed-off-by: Duncan Laurie <dlaurie@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/324549
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2016-01-29 16:01:57 -08:00