Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/40562 )
Change subject: security/vboot: Limit vboot verification code access to only verstage ......................................................................
security/vboot: Limit vboot verification code access to only verstage
Make vboot verification code accessible in only verstage. Vboot verification code in vboot_logic.c is being used in verstage. Due to support function vboot_save_data(), so core functionality in vboot_logic.c is made available in romstage. The patch decouples the support function frm vboot_logic.c to limit itself to verstage.
BUG=b:155544643 TEST=Verified on hatch
Signed-off-by: Sridhar Siricilla sridhar.siricilla@intel.com Change-Id: Id1ede45c4dffe90afcef210eabaa657cf92a9335 Reviewed-on: https://review.coreboot.org/c/coreboot/+/40562 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Furquan Shaikh furquan@google.com Reviewed-by: Rizwan Qureshi rizwan.qureshi@intel.com --- M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.c M src/security/vboot/vboot_logic.c 3 files changed, 27 insertions(+), 23 deletions(-)
Approvals: build bot (Jenkins): Verified Furquan Shaikh: Looks good to me, approved Rizwan Qureshi: Looks good to me, approved
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index 67ee0f5..b452e93 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -112,16 +112,17 @@ ifeq (${CONFIG_VBOOT_MOCK_SECDATA},y) verstage-y += secdata_mock.c romstage-y += secdata_mock.c +ramstage-y += secdata_mock.c else verstage-y += secdata_tpm.c romstage-y += secdata_tpm.c +ramstage-y += secdata_tpm.c endif
ifneq ($(CONFIG_TPM1)$(CONFIG_TPM2),) verstage-y += tpm_common.c endif
-romstage-y += vboot_logic.c romstage-y += common.c
ramstage-y += common.c diff --git a/src/security/vboot/vboot_common.c b/src/security/vboot/vboot_common.c index 36cd1ad..049b4a9 100644 --- a/src/security/vboot/vboot_common.c +++ b/src/security/vboot/vboot_common.c @@ -12,6 +12,31 @@ #include <security/vboot/vbnv.h> #include <vb2_api.h>
+#include "antirollback.h" + +void vboot_save_data(struct vb2_context *ctx) +{ + if (ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED && + (CONFIG(VBOOT_MOCK_SECDATA) || tlcl_lib_init() == VB2_SUCCESS)) { + printk(BIOS_INFO, "Saving secdata firmware\n"); + antirollback_write_space_firmware(ctx); + ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED; + } + + if (ctx->flags & VB2_CONTEXT_SECDATA_KERNEL_CHANGED && + (CONFIG(VBOOT_MOCK_SECDATA) || tlcl_lib_init() == VB2_SUCCESS)) { + printk(BIOS_INFO, "Saving secdata kernel\n"); + antirollback_write_space_kernel(ctx); + ctx->flags &= ~VB2_CONTEXT_SECDATA_KERNEL_CHANGED; + } + + if (ctx->flags & VB2_CONTEXT_NVDATA_CHANGED) { + printk(BIOS_INFO, "Saving nvdata\n"); + save_vbnv(ctx->nvdata); + ctx->flags &= ~VB2_CONTEXT_NVDATA_CHANGED; + } +} + /* Check if it is okay to enable USB Device Controller (UDC). */ int vboot_can_enable_udc(void) { diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c index e1c77b6..a8a7be5 100644 --- a/src/security/vboot/vboot_logic.c +++ b/src/security/vboot/vboot_logic.c @@ -209,28 +209,6 @@ return VB2_SUCCESS; }
-void vboot_save_data(struct vb2_context *ctx) -{ - if (ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED && - (CONFIG(VBOOT_MOCK_SECDATA) || tlcl_lib_init() == VB2_SUCCESS)) { - printk(BIOS_INFO, "Saving secdata firmware\n"); - antirollback_write_space_firmware(ctx); - ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED; - } - - if (ctx->flags & VB2_CONTEXT_SECDATA_KERNEL_CHANGED && - (CONFIG(VBOOT_MOCK_SECDATA) || tlcl_lib_init() == VB2_SUCCESS)) { - printk(BIOS_INFO, "Saving secdata kernel\n"); - antirollback_write_space_kernel(ctx); - ctx->flags &= ~VB2_CONTEXT_SECDATA_KERNEL_CHANGED; - } - - if (ctx->flags & VB2_CONTEXT_NVDATA_CHANGED) { - printk(BIOS_INFO, "Saving nvdata\n"); - save_vbnv(ctx->nvdata); - ctx->flags &= ~VB2_CONTEXT_NVDATA_CHANGED; - } -}
static uint32_t extend_pcrs(struct vb2_context *ctx) {