Shelley Chen has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/46473 )
Change subject: Fixed feedback from generic functions ......................................................................
Fixed feedback from generic functions
Change-Id: I023145af34c223f8e95db7b92fedfcebd912af14 Signed-off-by: Shelley Chen shchen@google.com --- M src/security/vboot/antirollback.h M src/security/vboot/mrc_cache_hash_tpm.c M src/security/vboot/secdata_tpm.c M src/security/vboot/vboot_logic.c 4 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/src/security/vboot/antirollback.h b/src/security/vboot/antirollback.h
index d66281a..eb5978a 100644
--- a/src/security/vboot/antirollback.h
+++ b/src/security/vboot/antirollback.h
@@ -22,8 +22,10 @@
  * want to use 0x1009 for something else. */
 #define BACKUP_NV_INDEX 0x1009
 #define FWMP_NV_INDEX 0x100a
-#define REC_HASH_NV_INDEX 0x100b
-/* 0x100c is used for OOBE autoconfig public key hashes */
+/* 0x100b: Hash of MRC_CACHE training data for recovery boot */
+#define MRC_REC_HASH_NV_INDEX 0x100b
+/* 0x100c: OOBE autoconfig public key hashes */
+/* 0x100d: Hash of MRC_CACHE training data for normal boot */
 #define MRC_RW_HASH_NV_INDEX 0x100d
 #define HASH_NV_SIZE VB2_SHA256_DIGEST_SIZE
diff --git a/src/security/vboot/mrc_cache_hash_tpm.c b/src/security/vboot/mrc_cache_hash_tpm.c
index 525e97f..f5b3175 100644
--- a/src/security/vboot/mrc_cache_hash_tpm.c
+++ b/src/security/vboot/mrc_cache_hash_tpm.c
@@ -24,7 +24,7 @@
 	};
 	const uint8_t *hash_ptr = data_hash;
 	uint32_t hash_idx = vboot_recovery_mode_enabled() ?
-		REC_HASH_NV_INDEX : MRC_RW_HASH_NV_INDEX;
+		MRC_REC_HASH_NV_INDEX : MRC_RW_HASH_NV_INDEX;
 	/* Initialize TPM driver. */
 	if (tlcl_lib_init() != VB2_SUCCESS) {
@@ -62,9 +62,9 @@
 	uint8_t data_hash[VB2_SHA256_DIGEST_SIZE];
 	uint8_t tpm_hash[VB2_SHA256_DIGEST_SIZE];
 	uint32_t hash_idx = vboot_recovery_mode_enabled() ?
-		REC_HASH_NV_INDEX : MRC_RW_HASH_NV_INDEX;
+		MRC_REC_HASH_NV_INDEX : MRC_RW_HASH_NV_INDEX;
-	/* Calculate hash of data read from RECOVERY_MRC_CACHE. */
+	/* Calculate hash of data read from MRC_CACHE. */
 	if (vb2_digest_buffer(data, size, VB2_HASH_SHA256, data_hash, sizeof(data_hash))) {
 		printk(BIOS_ERR, "MRC: SHA-256 calculation failed for data.\n");
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index 0c3d9e7..2f819d7 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -164,10 +164,12 @@
 static uint32_t set_hash_space(uint32_t index, const uint8_t *data)
 {
+	bool recovery_boot = (index == MRC_REC_HASH_NV_INDEX);
 	return set_space("MRC Hash", index, data, HASH_NV_SIZE,
-			 ro_space_attributes, pcr0_unchanged_policy,
-			 sizeof(pcr0_unchanged_policy));
+			 recovery_boot ? ro_space_attributes : rw_space_attributes,
+			 recovery_boot ? pcr0_unchanged_policy : NULL,
+			 recovery_boot ? sizeof(pcr0_unchanged_policy) : 0);
 }
 static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
@@ -185,7 +187,7 @@
 	RETURN_ON_FAILURE(set_kernel_space(ctx->secdata_kernel));
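Review bot: In set_hash_space the weaker protection for the RW hash space is now chosen implicitly — every index other than MRC_REC_HASH_NV_INDEX, including one that is not an MRC hash space at all, is defined with rw_space_attributes and a NULL policy of size 0 — and nothing in the hunk records that this is the intended contract. A comment above the `bool recovery_boot` line would capture it, e.g. `/* Only the recovery-boot hash space is RO and bound to the PCR0-unchanged policy; the RW-boot space (and any other index) is defined writable with no policy. */`, and it is worth checking the callers outside this hunk so that only the two MRC hash indices reach this function, or rejecting any other index explicitly. Whether set_space accepts a NULL policy with a zero size is not visible here; confirm against its definition. `bool` also needs stdbool.h (or the project's types header) in scope for this file — presumably already included, but worth confirming at build time.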
 	if (CONFIG(VBOOT_HAS_REC_HASH_SPACE))
-		RETURN_ON_FAILURE(set_hash_space(REC_HASH_NV_INDEX, rec_hash_data));
+		RETURN_ON_FAILURE(set_hash_space(MRC_REC_HASH_NV_INDEX, rec_hash_data));
RETURN_ON_FAILURE(set_firmware_space(ctx->secdata_firmware));
@@ -307,7 +309,7 @@
 	/* Define and set rec hash space, if available. */
 	if (CONFIG(VBOOT_HAS_REC_HASH_SPACE))
-		RETURN_ON_FAILURE(set_hash_space(REC_HASH_NV_INDEX, rec_hash_data));
+		RETURN_ON_FAILURE(set_hash_space(MRC_REC_HASH_NV_INDEX, rec_hash_data));
 	return TPM_SUCCESS;
 }
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index 873e796..509a327 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -404,7 +404,7 @@
 	/* Lock rec hash space if available. */
 	if (CONFIG(VBOOT_HAS_REC_HASH_SPACE)) {
-		rv = antirollback_lock_space_hash(REC_HASH_NV_INDEX);
+		rv = antirollback_lock_space_hash(MRC_REC_HASH_NV_INDEX);
 		if (rv) {
 			printk(BIOS_INFO, "Failed to lock rec hash space(%x)\n", rv);