From 0f42a18674ab8ffcc8f2022feceabc47e0dc4f10 Mon Sep 17 00:00:00 2001
From: Mary Ruthven <mruthven@chromium.org>
Date: Wed, 30 Nov 2022 11:48:16 -0800
Subject: apro: check usb_spi_sha256_update return code

If usb_spi_sha256_update returns something other than EC_SUCCESS, fail
verification.

BUG=b:260878795
TEST=add a delay to make spi_hash timeout. Verify cr50 fails
verification.

Change-Id: I4ba750748eb131046828f642b9736ed62a781789
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/4066233
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
---
 board/cr50/usb_spi.c           |  4 ++++
 common/ap_ro_integrity_check.c | 35 ++++++++++++++++++++++++-----------
 2 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/board/cr50/usb_spi.c b/board/cr50/usb_spi.c
index a16c2df3e5..68533ed286 100644
--- a/board/cr50/usb_spi.c
+++ b/board/cr50/usb_spi.c
@@ -709,6 +709,10 @@ int usb_spi_sha256_update(struct sha256_ctx *ctx, uint32_t offset,
 {
 	uint8_t data[SPI_HASH_CHUNK_SIZE];
 
+	if (get_spi_bus_user() != SPI_BUS_USER_HASH) {
+		CPRINTS("%s: disabled", __func__);
+		return VENDOR_RC_NOT_ALLOWED;
+	}
 	if (print_range) {
 		CPRINTS("%s: %x:%x", __func__, offset, size);
 		/* Make sure the message gets out before verification starts. */
diff --git a/common/ap_ro_integrity_check.c b/common/ap_ro_integrity_check.c
index 0c8f16ad18..d714e1d12c 100644
--- a/common/ap_ro_integrity_check.c
+++ b/common/ap_ro_integrity_check.c
@@ -541,12 +541,16 @@ static bool is_in_range(const struct ro_range part_range,
  * @param ctx pointer to the sha256 context to update
  * @param full_range range to include in hash calculation
  * @param gbbd the descriptor with the gbb flag information.
+ *
+ * @return EC_SUCCESS if updating the hash succeeded or the error if reading
+ *                     the ap ro flash failed.
  */
-static void update_sha_with_gbb_range(struct sha256_ctx *ctx,
-				      const struct ro_range full_range,
-				      const struct gbb_descriptor *gbbd)
+static int update_sha_with_gbb_range(struct sha256_ctx *ctx,
+				     const struct ro_range full_range,
+				     const struct gbb_descriptor *gbbd)
 {
 	struct ro_range range;
+	int rv;
 
 	/* Use the factory flags to calculate the hash. */
 	CPRINTS("Using %x for GBB flags.", gbbd->injected_flags);
@@ -554,9 +558,13 @@ static void update_sha_with_gbb_range(struct sha256_ctx *ctx,
 	range.flash_offset = full_range.flash_offset;
 	range.range_size = gbbd->gbb_flags.flash_offset -
 		full_range.flash_offset;
-	if (range.range_size > 0)
-		usb_spi_sha256_update(ctx, range.flash_offset,
-				      range.range_size, 1);
+	if (range.range_size > 0) {
+		rv = usb_spi_sha256_update(ctx, range.flash_offset,
+					   range.range_size, 1);
+		if (rv != EC_SUCCESS)
+			return rv;
+
+	}
 
 	/* Update hash with the injected gbb flags */
 	SHA256_update(ctx, &gbbd->injected_flags,
@@ -568,8 +576,9 @@ static void update_sha_with_gbb_range(struct sha256_ctx *ctx,
 	range.range_size = full_range.flash_offset +
 		full_range.range_size - range.flash_offset;
 	if (range.range_size > 0)
-		usb_spi_sha256_update(ctx, range.flash_offset,
-				      range.range_size, 1);
+		return usb_spi_sha256_update(ctx, range.flash_offset,
+					     range.range_size, 1);
+	return EC_SUCCESS;
 }
 
 /**
@@ -610,11 +619,15 @@ enum ap_ro_check_result validate_ranges_sha(const struct ro_range *ranges,
 		 */
 		if (gbbd->status & GS_INJECT_FLAGS &&
 		    is_in_range(gbbd->gbb_flags, ranges[i])) {
-			update_sha_with_gbb_range(&ctx, ranges[i], gbbd);
+			if (update_sha_with_gbb_range(&ctx, ranges[i], gbbd) !=
+			    EC_SUCCESS)
+				return ROV_FAILED;
 			continue;
 		}
-		usb_spi_sha256_update(&ctx, ranges[i].flash_offset,
-				      ranges[i].range_size, true);
+		if (usb_spi_sha256_update(&ctx, ranges[i].flash_offset,
+					  ranges[i].range_size, true) !=
+					  EC_SUCCESS)
+			return ROV_FAILED;
 	}
 
 	usb_spi_sha256_final(&ctx, digest, sizeof(digest));
-- 
cgit v1.2.1