authorRandall Spangler <rspangler@chromium.org>2012-06-26 09:34:56 -0700
committerGerrit <chrome-bot@google.com>2012-06-26 13:58:53 -0700
commit90afebac6406e02ce306a4a6eaf7b66097a81931 (patch)
treeda7fa951af295cf843ae7e805ed3f76afc33e937
parentb8d7d8fc44b6e1b4e1fef268e6a6a68dbc6f845e (diff)
Strip out vboot signature code and stay in RO for link
BUG=chrome-os-partner:10880 TEST=boot EC; should stay in RO and not do signature check (verify via debug console output) Signed-off-by: Randall Spangler <rspangler@chromium.org> Change-Id: I831aa91f8273bc7fb1a624cf36d9f21d52d8f3d8 Reviewed-on: https://gerrit.chromium.org/gerrit/26115 Reviewed-by: Bill Richardson <wfrichar@chromium.org> Tested-by: Randall Spangler <rspangler@chromium.org> Commit-Ready: Randall Spangler <rspangler@chromium.org>
-rw-r--r--board/bds/board.h2
-rw-r--r--board/bds/ec.tasklist1
-rw-r--r--board/link/board.h6
-rw-r--r--chip/lm4/config.h1
-rw-r--r--common/build.mk14
-rw-r--r--common/main.c74
-rw-r--r--common/vboot.c182
-rw-r--r--common/vboot_sig.c187
-rw-r--r--include/vboot.h21
9 files changed, 265 insertions, 223 deletions
diff --git a/board/bds/board.h b/board/bds/board.h
index f9d1ef7751..7353cce42f 100644
--- a/board/bds/board.h
+++ b/board/bds/board.h
@@ -11,6 +11,8 @@
/* Optional features */
#define CONFIG_CONSOLE_CMDHELP
#define CONFIG_SYSTEM_UNLOCKED /* Allow dangerous commands */
+#define CONFIG_VBOOT
+#define CONFIG_VBOOT_SIG
enum adc_channel
{
diff --git a/board/bds/ec.tasklist b/board/bds/ec.tasklist
index c8cf1637e0..beaaec5552 100644
--- a/board/bds/ec.tasklist
+++ b/board/bds/ec.tasklist
@@ -15,6 +15,5 @@
*/
#define CONFIG_TASK_LIST \
TASK(WATCHDOG, watchdog_task, NULL) \
- TASK(VBOOTHASH, vboot_hash_task, NULL) \
TASK(LIGHTBAR, lightbar_task, NULL) \
TASK(CONSOLE, console_task, NULL)
diff --git a/board/link/board.h b/board/link/board.h
index 1d06681491..8886271b61 100644
--- a/board/link/board.h
+++ b/board/link/board.h
@@ -15,8 +15,9 @@
#define CONFIG_CHARGER_BQ24725
#define CONFIG_CONSOLE_CMDHELP
#define CONFIG_EOPTION
-#define CONFIG_ONEWIRE
+#define CONFIG_IR357x
#define CONFIG_LPC
+#define CONFIG_ONEWIRE
#define CONFIG_PECI
#define CONFIG_POWER_LED
#define CONFIG_PSTORE
@@ -24,7 +25,8 @@
#define CONFIG_TASK_PROFILING
#define CONFIG_TMP006
#define CONFIG_USB_CHARGE
-#define CONFIG_IR357x
+#define CONFIG_VBOOT
+#define CONFIG_VBOOT_HASH
/* Enable the fake developer switch. See crosbug.com/p/8884 */
#define CONFIG_FAKE_DEV_SWITCH
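Review bot: The new `CONFIG_VBOOT` / `CONFIG_VBOOT_HASH` pair leaves `CONFIG_VBOOT_SIG` undefined for link, and nothing in the file says so; per the main.c change in this commit, the EC therefore never calls `vboot_check_signature()` on this board. That is a security-relevant configuration choice and should be recorded next to the defines, for example `/* CONFIG_VBOOT_SIG intentionally off: EC stays in RO, RW images are not signature-checked */`. Without it, a later reader cannot tell a deliberate decision from an omission.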
diff --git a/chip/lm4/config.h b/chip/lm4/config.h
index 43d393304d..cfe09ca826 100644
--- a/chip/lm4/config.h
+++ b/chip/lm4/config.h
@@ -97,7 +97,6 @@
#define CONFIG_ADC
#define CONFIG_EEPROM
#define CONFIG_FLASH
-#define CONFIG_VBOOT
#define CONFIG_FPU
#define CONFIG_I2C
diff --git a/common/build.mk b/common/build.mk
index ab44f4dddd..e4c1a23108 100644
--- a/common/build.mk
+++ b/common/build.mk
@@ -39,7 +39,9 @@ VBOOT_DEVKEYS?=/usr/share/vboot/devkeys
CFLAGS_$(CONFIG_VBOOT)+= -DCHROMEOS_ENVIRONMENT -DCHROMEOS_EC
# CFLAGS_$(CONFIG_VBOOT)+= -DVBOOT_DEBUG
-common-$(CONFIG_VBOOT)+= vboot.o vboot_stub.o vboot_hash.o
+common-$(CONFIG_VBOOT)+=vboot.o vboot_stub.o
+common-$(CONFIG_VBOOT_HASH)+=vboot_hash.o
+common-$(CONFIG_VBOOT_SIG)+=vboot_sig.o
includes-$(CONFIG_VBOOT)+= \
$(VBOOT_SOURCE)/include \
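Review bot: `CONFIG_VBOOT_HASH` and `CONFIG_VBOOT_SIG` are introduced as separate switches, but the `includes-$(CONFIG_VBOOT)` and `dirs-$(CONFIG_VBOOT)` lists, and the sha/padding objects in the next hunk, are still keyed on `CONFIG_VBOOT` alone. A board that sets `CONFIG_VBOOT_SIG` without `CONFIG_VBOOT` would presumably fail to compile or link instead of being rejected with a clear message. State the dependency above these lines, e.g. `# CONFIG_VBOOT_HASH and CONFIG_VBOOT_SIG both require CONFIG_VBOOT`. The new `common-` lines also drop the space after `+=` that the neighbouring `CFLAGS_$(CONFIG_VBOOT)+= ...` lines use.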
@@ -50,13 +52,15 @@ dirs-$(CONFIG_VBOOT)+= \
vboot/lib vboot/lib/cryptolib
vboot-$(CONFIG_VBOOT)+= \
+ lib/cryptolib/padding.o \
+ lib/cryptolib/sha_utility.o \
+ lib/cryptolib/sha256.o
+
+vboot-$(CONFIG_VBOOT_SIG)+= \
lib/vboot_common.o \
lib/utility.o \
- lib/cryptolib/padding.o \
lib/cryptolib/rsa_utility.o \
lib/cryptolib/rsa.o \
- lib/cryptolib/sha_utility.o \
- lib/cryptolib/sha256.o \
lib/stateful_util.o
-sign-$(CONFIG_VBOOT)+=sign_image
+sign-$(CONFIG_VBOOT_SIG)+=sign_image
diff --git a/common/main.c b/common/main.c
index 0feefee7e9..de54b6bbbb 100644
--- a/common/main.c
+++ b/common/main.c
@@ -25,19 +25,23 @@
int main(void)
{
- /* Pre-initialization (pre-verified boot) stage. Initialization at
+ /*
+ * Pre-initialization (pre-verified boot) stage. Initialization at
* this level should do as little as possible, because verified boot
* may need to jump to another image, which will repeat this
* initialization. In particular, modules should NOT enable
- * interrupts.*/
+ * interrupts.
+ */
/* Configure the pin multiplexers and GPIOs */
configure_board();
jtag_pre_init();
gpio_pre_init();
- /* Initialize interrupts, but don't enable any of them. Note that
- * task scheduling is not enabled until task_start() below. */
+ /*
+ * Initialize interrupts, but don't enable any of them. Note that
+ * task scheduling is not enabled until task_start() below.
+ */
task_pre_init();
#ifdef CONFIG_FLASH
@@ -45,24 +49,30 @@ int main(void)
#endif
#ifdef CONFIG_VBOOT
- /* Verified boot pre-init. This write-protects flash if necessary.
- * Flash and GPIOs must be initialized first. */
+ /*
+ * Verified boot pre-init. This write-protects flash if necessary.
+ * Flash and GPIOs must be initialized first.
+ */
vboot_pre_init();
#endif
- /* Initialize the system module. This enables the hibernate clock
- * source we need to calibrate the internal oscillator. */
+ /*
+ * Initialize the system module. This enables the hibernate clock
+ * source we need to calibrate the internal oscillator.
+ */
system_pre_init();
system_common_pre_init();
/* Set the CPU clocks / PLLs. System is now running at full speed. */
clock_init();
- /* Initialize timer. Everything after this can be benchmarked.
+ /*
+ * Initialize timer. Everything after this can be benchmarked.
* get_time() and udelay() may now be used. usleep() requires task
* scheduling, so cannot be used yet. Note that interrupts declared
* via DECLARE_IRQ() call timer routines when profiling is enabled, so
- * timer init() must be before uart_init(). */
+ * timer init() must be before uart_init().
+ */
timer_init();
/* Main initialization stage. Modules may enable interrupts here. */
@@ -83,17 +93,21 @@ int main(void)
#ifdef CONFIG_TASK_WATCHDOG
- /* Intialize watchdog timer. All lengthy operations between now and
+ /*
+ * Intialize watchdog timer. All lengthy operations between now and
* task_start() must periodically call watchdog_reload() to avoid
* triggering a watchdog reboot. (This pretty much applies only to
* verified boot, because all *other* lengthy operations should be done
- * by tasks.) */
+ * by tasks.)
+ */
watchdog_init();
#endif
- /* Verified boot needs to read the initial keyboard state and EEPROM
+ /*
+ * Verified boot needs to read the initial keyboard state and EEPROM
* contents. EEPROM must be up first, so keyboard_scan can toggle
- * debugging settings via keys held at boot. */
+ * debugging settings via keys held at boot.
+ */
#ifdef CONFIG_EEPROM
eeprom_init();
#endif
@@ -104,33 +118,41 @@ int main(void)
keyboard_scan_init();
#endif
-#ifdef CONFIG_VBOOT
- /* Verified boot initialization. This may jump to another image, which
+#ifdef CONFIG_VBOOT_SIG
+ /*
+ * Verified boot signature check. This may jump to another image, which
* will need to reconfigure / reinitialize the system, so as little as
* possible should be done above this step.
*
* Note that steps above here may be done TWICE per boot, once in the
- * RO image and once in the RW image. */
- vboot_init();
+ * RO image and once in the RW image.
+ */
+ vboot_check_signature();
+#endif
- /* If system is locked, disable system jumps now that vboot has had its
- * chance to jump to a RW image. */
+ /*
+ * If system is locked, disable system jumps now that vboot has had its
+ * chance to jump to a RW image.
+ */
if (system_is_locked())
system_disable_jump();
-#endif
- /* Initialize other driver modules. These can occur in any order.
+ /*
+ * Initialize other driver modules. These can occur in any order.
* Non-driver modules with tasks do their inits from their task
- * functions, not here. */
+ * functions, not here.
+ */
hook_notify(HOOK_INIT, 0);
#ifdef BOARD_link
/* Reduce core clock now that init is done */
clock_enable_pll(0);
#endif
- /* Print the init time. Not completely accurate because it can't take
- * into account the time for the first few module inits, but it'll at
- * least catch the majority of them. */
+ /*
+ * Print the init time. Not completely accurate because it can't take
+ * into account the time before timer_init(), but it'll at least catch
+ * the majority of the time.
+ */
uart_printf("[%T Inits done]\n");
/* Launch task scheduling (never returns) */
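Review bot: The result of `vboot_check_signature()` is discarded, so the `EC_ERROR_UNKNOWN` it returns when no RW image verifies is handled exactly like success and boot simply continues. If remaining in RO is the intended fail-safe, say so at the call, e.g. `(void)vboot_check_signature(); /* on failure we remain in RO */`. The `system_is_locked()` block now also runs on builds without `CONFIG_VBOOT_SIG`, where its comment "now that vboot has had its chance to jump to a RW image" no longer describes what happened; reword it to cover both cases. `main()` starts before and continues past this hunk.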
diff --git a/common/vboot.c b/common/vboot.c
index c5c0243f6b..5bb13624ed 100644
--- a/common/vboot.c
+++ b/common/vboot.c
@@ -6,203 +6,23 @@
/* Verified boot module for Chrome EC */
#include "console.h"
-#include "cryptolib.h"
#include "eoption.h"
-#include "gpio.h"
#include "host_command.h"
-#include "power_button.h"
#include "system.h"
-#include "timer.h"
-#include "util.h"
#include "vboot.h"
-#include "vboot_api.h"
-#include "vboot_common.h"
-#include "vboot_struct.h"
-#include "watchdog.h"
/* Console output macros */
#define CPUTS(outstr) cputs(CC_VBOOT, outstr)
#define CPRINTF(format, args...) cprintf(CC_VBOOT, format, ## args)
-/****************************************************************************/
-
-enum howgood {
- IMAGE_IS_BAD,
- IMAGE_IS_GOOD,
- IMAGE_IS_GOOD_BUT_USE_RO_ANYWAY,
-};
-
-static enum howgood good_image(uint8_t *key_data,
- uint8_t *vblock_data, uint32_t vblock_size,
- uint8_t *fv_data, uint32_t fv_size) {
- VbPublicKey *sign_key;
- VbKeyBlockHeader *key_block;
- VbECPreambleHeader *preamble;
- uint32_t now = 0;
- RSAPublicKey *rsa;
-
- key_block = (VbKeyBlockHeader *)vblock_data;
- sign_key = (VbPublicKey *)key_data;
-
- watchdog_reload();
- if (0 != KeyBlockVerify(key_block, vblock_size, sign_key, 0)) {
- CPRINTF("[Error verifying key block]\n");
- return IMAGE_IS_BAD;
- }
-
- now += key_block->key_block_size;
- rsa = PublicKeyToRSA(&key_block->data_key);
- if (!rsa) {
- CPRINTF("[Error parsing data key]\n");
- return IMAGE_IS_BAD;
- }
-
- watchdog_reload();
- preamble = (VbECPreambleHeader *)(vblock_data + now);
- if (0 != VerifyECPreamble(preamble, vblock_size - now, rsa)) {
- CPRINTF("[Error verifying preamble]\n");
- RSAPublicKeyFree(rsa);
- return IMAGE_IS_BAD;
- }
-
- if (preamble->flags & VB_FIRMWARE_PREAMBLE_USE_RO_NORMAL) {
- CPRINTF("[Flags says USE_RO_NORMAL]\n");
- RSAPublicKeyFree(rsa);
- return IMAGE_IS_GOOD_BUT_USE_RO_ANYWAY;
- }
-
- watchdog_reload();
- if (0 != EqualData(fv_data, fv_size, &preamble->body_digest, rsa)) {
- CPRINTF("Error verifying firmware body]\n");
- RSAPublicKeyFree(rsa);
- return IMAGE_IS_BAD;
- }
-
- RSAPublicKeyFree(rsa);
-
- watchdog_reload();
- CPRINTF("[Verified!]\n");
- return IMAGE_IS_GOOD;
-}
-
-/****************************************************************************/
-
-/* Might I want to jump to one of the RW images? */
-static int maybe_jump_to_other_image(void)
-{
- /* We'll only jump to another image if we're currently in RO */
- if (system_get_image_copy() != SYSTEM_IMAGE_RO)
- return 0;
-
-#ifdef CONFIG_TASK_POWERBTN
- /* Don't jump if recovery requested */
- if (power_recovery_pressed()) {
- CPUTS("[Vboot staying in RO because recovery key pressed]\n");
- return 0;
- }
-#endif
-
- /* Don't jump if we're in RO becuase we jumped there (this keeps us
- * from jumping to RO only to jump right back). */
- if (system_jumped_to_this_image())
- return 0;
-
-#if !defined(CHIP_stm32)
- /* TODO: (crosbug.com/p/8572) Daisy and Snow don't define a GPIO
- * for the recovery signal from servo, so we can't check it.
- * BDS uses the DOWN button. */
- if (gpio_get_level(GPIO_RECOVERYn) == 0) {
- CPUTS("[Vboot staying in RO due to recovery signal]\n");
- return 0;
- }
-#endif
-
- /* Okay, we might want to jump to a RW image. */
- return 1;
-}
-
-/*****************************************************************************/
-/* Initialization */
-
int vboot_pre_init(void)
{
/* FIXME(wfrichar): crosbug.com/p/7453: should protect flash */
return EC_SUCCESS;
}
-int vboot_init(void)
-{
- enum howgood r;
- timestamp_t ts1, ts2;
-
- CPRINTF("[%T Vboot init]\n");
-
- if (!maybe_jump_to_other_image())
- return EC_SUCCESS;
-
- CPRINTF("[%T Vboot check image A...]\n");
-
- ts1 = get_time();
- r = good_image((uint8_t *)CONFIG_VBOOT_ROOTKEY_OFF,
- (uint8_t *)CONFIG_VBLOCK_A_OFF, CONFIG_VBLOCK_SIZE,
- (uint8_t *)CONFIG_FW_A_OFF, CONFIG_FW_A_SIZE);
- ts2 = get_time();
-
- CPRINTF("[%T Vboot result=%d, elapsed time=%ld us]\n",
- r, ts2.val - ts1.val);
-
- switch (r) {
- case IMAGE_IS_GOOD:
- CPRINTF("[Image A verified]\n");
- system_run_image_copy(SYSTEM_IMAGE_RW_A);
- CPRINTF("[ERROR: Unable to jump to image A]\n");
- goto bad;
- case IMAGE_IS_GOOD_BUT_USE_RO_ANYWAY:
- CPRINTF("[Image A verified]\n");
- CPRINTF("[Staying in RO mode]\n");
- return EC_SUCCESS;
- default:
- CPRINTF("[Image A is invalid]\n");
- }
-
-#ifdef CONFIG_NO_RW_B
- CPRINTF("[Vboot no image B to check]\n");
-#else
- CPRINTF("[%T Vboot check image B...]\n");
-
- ts1 = get_time();
- r = good_image((uint8_t *)CONFIG_VBOOT_ROOTKEY_OFF,
- (uint8_t *)CONFIG_VBLOCK_B_OFF, CONFIG_VBLOCK_SIZE,
- (uint8_t *)CONFIG_FW_B_OFF, CONFIG_FW_B_SIZE);
- ts2 = get_time();
-
- CPRINTF("[%T Vboot result=%d, elapsed time=%ld us]\n",
- r, ts2.val - ts1.val);
-
- switch (r) {
- case IMAGE_IS_GOOD:
- CPRINTF("[Image B verified]\n");
- system_run_image_copy(SYSTEM_IMAGE_RW_B);
- CPRINTF("[ERROR: Unable to jump to image B]\n");
- goto bad;
- case IMAGE_IS_GOOD_BUT_USE_RO_ANYWAY:
- CPRINTF("[Image B verified]\n");
- CPRINTF("[Staying in RO mode]\n");
- return EC_SUCCESS;
- default:
- CPRINTF("[Image B is invalid]\n");
- }
-#endif
-
-bad:
- CPRINTF("[Staying in RO mode]\n");
- CPRINTF("[FIXME: How to trigger recovery mode?]\n");
- return EC_ERROR_UNKNOWN;
-}
-
-/****************************************************************************/
-/* Host commands via LPC bus */
/****************************************************************************/
+/* Host commands */
static int host_cmd_vboot(uint8_t *data, int *resp_size)
{
diff --git a/common/vboot_sig.c b/common/vboot_sig.c
new file mode 100644
index 0000000000..f7eccc2593
--- /dev/null
+++ b/common/vboot_sig.c
@@ -0,0 +1,187 @@
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+/* Verified boot module for Chrome EC */
+
+#include "console.h"
+#include "cryptolib.h"
+#include "gpio.h"
+#include "power_button.h"
+#include "system.h"
+#include "timer.h"
+#include "util.h"
+#include "vboot.h"
+#include "vboot_api.h"
+#include "vboot_common.h"
+#include "vboot_struct.h"
+#include "watchdog.h"
+
+/* Console output macros */
+#define CPUTS(outstr) cputs(CC_VBOOT, outstr)
+#define CPRINTF(format, args...) cprintf(CC_VBOOT, format, ## args)
+
+enum howgood {
+ IMAGE_IS_BAD,
+ IMAGE_IS_GOOD,
+ IMAGE_IS_GOOD_BUT_USE_RO_ANYWAY,
+};
+
+static enum howgood good_image(uint8_t *key_data,
+ uint8_t *vblock_data, uint32_t vblock_size,
+ uint8_t *fv_data, uint32_t fv_size) {
+ VbPublicKey *sign_key;
+ VbKeyBlockHeader *key_block;
+ VbECPreambleHeader *preamble;
+ uint32_t now = 0;
+ RSAPublicKey *rsa;
+
+ key_block = (VbKeyBlockHeader *)vblock_data;
+ sign_key = (VbPublicKey *)key_data;
+
+ watchdog_reload();
+ if (0 != KeyBlockVerify(key_block, vblock_size, sign_key, 0)) {
+ CPRINTF("[Error verifying key block]\n");
+ return IMAGE_IS_BAD;
+ }
+
+ now += key_block->key_block_size;
+ rsa = PublicKeyToRSA(&key_block->data_key);
+ if (!rsa) {
+ CPRINTF("[Error parsing data key]\n");
+ return IMAGE_IS_BAD;
+ }
+
+ watchdog_reload();
+ preamble = (VbECPreambleHeader *)(vblock_data + now);
+ if (0 != VerifyECPreamble(preamble, vblock_size - now, rsa)) {
+ CPRINTF("[Error verifying preamble]\n");
+ RSAPublicKeyFree(rsa);
+ return IMAGE_IS_BAD;
+ }
+
+ if (preamble->flags & VB_FIRMWARE_PREAMBLE_USE_RO_NORMAL) {
+ CPRINTF("[Flags says USE_RO_NORMAL]\n");
+ RSAPublicKeyFree(rsa);
+ return IMAGE_IS_GOOD_BUT_USE_RO_ANYWAY;
+ }
+
+ watchdog_reload();
+ if (0 != EqualData(fv_data, fv_size, &preamble->body_digest, rsa)) {
+ CPRINTF("Error verifying firmware body]\n");
+ RSAPublicKeyFree(rsa);
+ return IMAGE_IS_BAD;
+ }
+
+ RSAPublicKeyFree(rsa);
+
+ watchdog_reload();
+ CPRINTF("[Verified!]\n");
+ return IMAGE_IS_GOOD;
+}
+
+/* Might I want to jump to one of the RW images? */
+static int maybe_jump_to_other_image(void)
+{
+ /* We'll only jump to another image if we're currently in RO */
+ if (system_get_image_copy() != SYSTEM_IMAGE_RO)
+ return 0;
+
+#ifdef CONFIG_TASK_POWERBTN
+ /* Don't jump if recovery requested */
+ if (power_recovery_pressed()) {
+ CPUTS("[Vboot staying in RO because recovery key pressed]\n");
+ return 0;
+ }
+#endif
+
+ /* Don't jump if we're in RO becuase we jumped there (this keeps us
+ * from jumping to RO only to jump right back). */
+ if (system_jumped_to_this_image())
+ return 0;
+
+#if !defined(CHIP_stm32)
+ /* TODO: (crosbug.com/p/8572) Daisy and Snow don't define a GPIO
+ * for the recovery signal from servo, so we can't check it.
+ * BDS uses the DOWN button. */
+ if (gpio_get_level(GPIO_RECOVERYn) == 0) {
+ CPUTS("[Vboot staying in RO due to recovery signal]\n");
+ return 0;
+ }
+#endif
+
+ /* Okay, we might want to jump to a RW image. */
+ return 1;
+}
+
+int vboot_check_signature(void)
+{
+ enum howgood r;
+ timestamp_t ts1, ts2;
+
+ CPRINTF("[%T Vboot init]\n");
+
+ if (!maybe_jump_to_other_image())
+ return EC_SUCCESS;
+
+ CPRINTF("[%T Vboot check image A...]\n");
+
+ ts1 = get_time();
+ r = good_image((uint8_t *)CONFIG_VBOOT_ROOTKEY_OFF,
+ (uint8_t *)CONFIG_VBLOCK_A_OFF, CONFIG_VBLOCK_SIZE,
+ (uint8_t *)CONFIG_FW_A_OFF, CONFIG_FW_A_SIZE);
+ ts2 = get_time();
+
+ CPRINTF("[%T Vboot result=%d, elapsed time=%ld us]\n",
+ r, ts2.val - ts1.val);
+
+ switch (r) {
+ case IMAGE_IS_GOOD:
+ CPRINTF("[Image A verified]\n");
+ system_run_image_copy(SYSTEM_IMAGE_RW_A);
+ CPRINTF("[ERROR: Unable to jump to image A]\n");
+ goto bad;
+ case IMAGE_IS_GOOD_BUT_USE_RO_ANYWAY:
+ CPRINTF("[Image A verified]\n");
+ CPRINTF("[Staying in RO mode]\n");
+ return EC_SUCCESS;
+ default:
+ CPRINTF("[Image A is invalid]\n");
+ }
+
+#ifdef CONFIG_NO_RW_B
+ CPRINTF("[Vboot no image B to check]\n");
+#else
+ CPRINTF("[%T Vboot check image B...]\n");
+
+ ts1 = get_time();
+ r = good_image((uint8_t *)CONFIG_VBOOT_ROOTKEY_OFF,
+ (uint8_t *)CONFIG_VBLOCK_B_OFF, CONFIG_VBLOCK_SIZE,
+ (uint8_t *)CONFIG_FW_B_OFF, CONFIG_FW_B_SIZE);
+ ts2 = get_time();
+
+ CPRINTF("[%T Vboot result=%d, elapsed time=%ld us]\n",
+ r, ts2.val - ts1.val);
+
+ switch (r) {
+ case IMAGE_IS_GOOD:
+ CPRINTF("[Image B verified]\n");
+ system_run_image_copy(SYSTEM_IMAGE_RW_B);
+ CPRINTF("[ERROR: Unable to jump to image B]\n");
+ goto bad;
+ case IMAGE_IS_GOOD_BUT_USE_RO_ANYWAY:
+ CPRINTF("[Image B verified]\n");
+ CPRINTF("[Staying in RO mode]\n");
+ return EC_SUCCESS;
+ default:
+ CPRINTF("[Image B is invalid]\n");
+ }
+#endif
+
+bad:
+ CPRINTF("[Staying in RO mode]\n");
+ CPRINTF("[FIXME: How to trigger recovery mode?]\n");
+ return EC_ERROR_UNKNOWN;
+}
+
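Review bot: In `vboot_check_signature()` the `IMAGE_IS_GOOD_BUT_USE_RO_ANYWAY` cases print `[Image A verified]` / `[Image B verified]`, yet `good_image()` returns that value before the `EqualData()` body check, so only the key block and preamble were verified at that point. Because the commit's test procedure relies on the debug console output, the message should say what was actually checked, e.g. `CPRINTF("[Image A preamble verified, body not checked]\n");` (and likewise for B). The body-failure message is also missing its opening bracket: `"Error verifying firmware body]\n"` should be `"[Error verifying firmware body]\n"`. Both appear to be carried over unchanged from common/vboot.c.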
diff --git a/include/vboot.h b/include/vboot.h
index 48d626c0c7..0e884606a7 100644
--- a/include/vboot.h
+++ b/include/vboot.h
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
@@ -10,11 +10,16 @@
#include "common.h"
-/* Pre-initializes the module. This occurs before clocks or tasks are
- * set up. */
+/* Pre-initialize the module. This occurs before clocks or tasks are set up. */
int vboot_pre_init(void);
-/* Initializes the module. */
+/*
+ * Check verified boot signatures, and jump to one of the RW images if
+ * necessary.
+ */
+int vboot_check_signature(void);
+
+/* Initialize the module. */
int vboot_init(void);
/* These are the vboot commands available via LPC. */
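Review bot: `int vboot_init(void);` is kept in the header although this commit deletes its definition from common/vboot.c and main.c no longer calls it; unless another file defines it, the prototype is stale and a future caller would compile and then fail at link time. Drop the declaration or mark it as pending removal. The new comment on `vboot_check_signature()` should also state the contract visible in vboot_sig.c: it returns `EC_SUCCESS` when the EC deliberately stays in RO, `EC_ERROR_UNKNOWN` when no RW image verifies or the jump fails, and presumably does not return when the jump succeeds. The function is only built when `CONFIG_VBOOT_SIG` is defined, which the header does not mention.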
@@ -24,9 +29,11 @@ enum vboot_command {
VBOOT_NUM_CMDS,
};
-/* These are the flags transferred across LPC. At the moment, only the devmode
- flag can be set, and only because it's faked. Ultimately this functionality
- will be moved elsewhere. */
+/*
+ * These are the flags transferred across LPC. At the moment, only the devmode
+ * flag can be set, and only because it's faked. Ultimately this functionality
+ * will be moved elsewhere.
+ */
#define VBOOT_FLAGS_IMAGE_MASK 0x03 /* enum system_image_copy_t */
#define VBOOT_FLAGS_FAKE_DEVMODE 0x04 /* fake dev-mode bit */