Aseda Aboagye has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/54304 )
Change subject: vboot/secdata_mock: Make v0 kernel secdata context
vboot/secdata_mock: Make v0 kernel secdata context
Vboot implicitly assumes that EFS2 (Early Firmware Selection v2) is supported on systems which do _NOT_ have a v0 secdata kernel context. For MOCK_SECDATA, we cannot retain data across a reboot (which is what EFS2 needs in order to use Hmir, the mirrored EC hash). Therefore, in order for vboot to skip the Hmir sync while using MOCK_SECDATA, we need to have MOCK_SECDATA create a v0 secdata kernel context. Otherwise, this would result in a reboot loop where vboot attempts to set Hmir and retrieve it after a reboot, but the value is not expected.
This was encountered when using a firmware that was built with MOCK_SECDATA but had EC software sync enabled.
BUG=b:187843114
BRANCH=None
TEST=`USE=mocktpm cros build-ap -b keeby`; Flash keeby device, verify that DUT does not continuously reboot with EC software sync enabled.
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Change-Id: Id8e81afcddadf27d9eec274f7f85ff1520315aaa
---
M src/security/vboot/secdata_mock.c
1 file changed, 10 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/04/54304/1
diff --git a/src/security/vboot/secdata_mock.c b/src/security/vboot/secdata_mock.c index 78cb3e6..f640f92 100644 --- a/src/security/vboot/secdata_mock.c +++ b/src/security/vboot/secdata_mock.c @@ -28,7 +28,16 @@
vb2_error_t antirollback_read_space_kernel(struct vb2_context *ctx) { - vb2api_secdata_kernel_create(ctx); + /* Vboot implicitly assumes that EFS2 (Early Firmware Selection v2) is + * supported on systems which do _NOT_ have a v0 secdata kernel context. + * For MOCK_SECDATA, we cannot retain data across a reboot (which is what + * EFS2 needs in order to use Hmir, the mirrored EC hash). Therefore, in + * order for vboot to skip the Hmir sync while using MOCK_SECDATA, we need + * to have MOCK_SECDATA create a v0 secdata kernel context. Otherwise, + * this would result in a reboot loop where vboot attempts to set Hmir and + * retrieve it after a reboot, but the value is not expected. + */ + vb2api_secdata_kernel_create_v0(ctx); return VB2_SUCCESS; }
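Review bot: In the comment added above the vb2api_secdata_kernel_create_v0(ctx) call, the closing sentence ("but the value is not expected") does not say why the read-back fails; spell out that the mock context is re-created on every boot, so the Hmir written before the reboot is gone when vboot looks for it. The comment also presents the v0 context only as an Hmir workaround, yet the call is unconditional, so every MOCK_SECDATA build now gets a v0 kernel secdata whether or not EC software sync is enabled; state that this is intended and that nothing else in a mock build depends on a non-v0 context. Style: the block starts its text on the "/*" line; put "/*" alone on the first line of a multi-line comment.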