Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/54099 )
Change subject: vboot: Add VB2_CONTEXT_EC_TRUSTED ......................................................................
vboot: Add VB2_CONTEXT_EC_TRUSTED
This patch makes coreboot set VB2_CONTEXT_EC_TRUSTED based on the EC's boot mode. Vboot will check VB2_CONTEXT_EC_TRUSTED to determine whether it can enter recovery mode or not.
BUG=b:180927027, b:187871195 BRANCH=none TEST=build
Signed-off-by: Daisuke Nojiri dnojiri@chromium.org Change-Id: I9fa09dd7ae5baa1efb4e1ed4f0fe9a6803167c93 Reviewed-on: https://review.coreboot.org/c/coreboot/+/54099 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Julius Werner jwerner@chromium.org Reviewed-by: Furquan Shaikh furquan@google.com --- M src/security/vboot/vboot_logic.c 1 file changed, 12 insertions(+), 7 deletions(-)
Approvals: build bot (Jenkins): Verified Furquan Shaikh: Looks good to me, approved Julius Werner: Looks good to me, approved
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index 70c7d77..c257d22 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -212,15 +212,18 @@
 vboot_extend_pcr(ctx, 1, HWID_DIGEST_PCR);
 }
-#define EC_EFS_BOOT_MODE_NORMAL 0x00
-#define EC_EFS_BOOT_MODE_NO_BOOT 0x01
+#define EC_EFS_BOOT_MODE_TRUSTED_RO 0x00
+#define EC_EFS_BOOT_MODE_UNTRUSTED_RO 0x01
+#define EC_EFS_BOOT_MODE_VERIFIED_RW 0x02
 static const char *get_boot_mode_string(uint8_t boot_mode)
 {
- if (boot_mode == EC_EFS_BOOT_MODE_NORMAL)
- return "NORMAL";
- else if (boot_mode == EC_EFS_BOOT_MODE_NO_BOOT)
- return "NO_BOOT";
+ if (boot_mode == EC_EFS_BOOT_MODE_TRUSTED_RO)
+ return "TRUSTED_RO";
+ else if (boot_mode == EC_EFS_BOOT_MODE_UNTRUSTED_RO)
+ return "UNTRUSTED_RO";
+ else if (boot_mode == EC_EFS_BOOT_MODE_VERIFIED_RW)
+ return "VERIFIED_RW";
 else
 return "UNDEFINED";
 }
@@ -253,8 +256,10 @@
 printk(BIOS_INFO, "Cr50 says boot_mode is %s(0x%02x).\n",
 get_boot_mode_string(boot_mode), boot_mode);
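Review bot: In the `@@ -212,15 +212,18 @@` hunk, the renamed `EC_EFS_BOOT_MODE_*` macros carry no comment saying where their values are authoritatively defined, and the most privileged state, `EC_EFS_BOOT_MODE_TRUSTED_RO`, is now 0x00. The later hunk turns that value into `VB2_CONTEXT_EC_TRUSTED`, so a zero-filled or never-written `boot_mode` would read as "trusted". How `boot_mode` is obtained lies outside the visible lines, so this is something to confirm rather than a demonstrated defect. I would add a comment above the block such as `/* EFS boot modes as reported by Cr50; values must match the Cr50 firmware. 0x00 means the EC is running trusted RO. */`.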
- if (boot_mode == EC_EFS_BOOT_MODE_NO_BOOT)
+ if (boot_mode == EC_EFS_BOOT_MODE_UNTRUSTED_RO)
 ctx->flags |= VB2_CONTEXT_NO_BOOT;
+ else if (boot_mode == EC_EFS_BOOT_MODE_TRUSTED_RO)
+ ctx->flags |= VB2_CONTEXT_EC_TRUSTED;
 }
/**
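Review bot: A `boot_mode` outside the three defined values sets neither flag in the new `if`/`else if` chain, so it is handled exactly like `EC_EFS_BOOT_MODE_VERIFIED_RW`, with only the "UNDEFINED" string in the info-level log to show for it. That fails safe for recovery because `VB2_CONTEXT_EC_TRUSTED` stays clear, but it does not set `VB2_CONTEXT_NO_BOOT` either. The choice is worth making explicit, for example with a final branch `else if (boot_mode != EC_EFS_BOOT_MODE_VERIFIED_RW) printk(BIOS_WARNING, "Unknown Cr50 boot_mode 0x%02x.\n", boot_mode);`, or by setting `VB2_CONTEXT_NO_BOOT` there if failing closed is the intent. The enclosing function starts above the hunk, so earlier return paths are not visible here. The commit message lists only `TEST=build`, so a runtime check of each mode would be a useful follow-up.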