authorFurquan Shaikh <furquan@google.com>2015-09-08 12:25:33 -0700
committerChromeOS bot <3su6n15k.default@developer.gserviceaccount.com>2015-09-08 21:27:06 +0000
commit03fb701fc07658c5d5ae8a293244502d17063077 (patch)
treecf9c2e6a6d575071a70423f6db4a743a4bb6be6b
parent5193c174de6d5f1683a1ef6f7daf3b6f1cb605b9 (diff)
downloadvboot-03fb701fc07658c5d5ae8a293244502d17063077.tar.gz
VerifyMemoryBootImage: Allow caller to request integrity_only check
Currently, VerifyMemoryBootImage performs integrity-only check only if GBB flag is set to FULL_FASTBOOT_CAP. Allow caller to request an integrity-only check. This can be used by fastboot boot to request integrity-only check for images in unlocked mode. BUG=chrome-os-partner:44929 BRANCH=None TEST=Compiles successfully and "fastboot boot" works in unlocked mode even for images with flag mismatch. Change-Id: Ib6e55c5c50eecdbea99f7cf67dc61711761c9ebb Signed-off-by: Furquan Shaikh <furquan@google.com> Reviewed-on: https://chromium-review.googlesource.com/298090 Trybot-Ready: Furquan Shaikh <furquan@chromium.org> Tested-by: Furquan Shaikh <furquan@chromium.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org> Commit-Queue: Furquan Shaikh <furquan@chromium.org>
-rw-r--r--firmware/include/vboot_api.h14
-rw-r--r--firmware/lib/vboot_api_kernel.c12
2 files changed, 17 insertions, 9 deletions
diff --git a/firmware/include/vboot_api.h b/firmware/include/vboot_api.h
index 04d2d889..8ac062fa 100644
--- a/firmware/include/vboot_api.h
+++ b/firmware/include/vboot_api.h
@@ -1033,17 +1033,19 @@ VbError_t VbExRegionRead(VbCommonParams *cparams,
* override to allow full fastboot functionality, it checks image integrity, but
* does not check the image signature.
*
- * @param cparams Common parameters, e.g. use member caller_context
- * to point to useful context data
- * @param kparams kernel params
- * @param boot_image Image in memory that needs to be verified
- * @param image_size Size of the image in memory
+ * @param cparams Common parameters, e.g. use member
+ * caller_context to point to useful context data
+ * @param kparams kernel params
+ * @param boot_image Image in memory that needs to be verified
+ * @param image_size Size of the image in memory
+ * @param integrity_only Request integrity-only check
* @return VBERROR_... error, VBERROR_SUCCESS on success.
*/
VbError_t VbVerifyMemoryBootImage(VbCommonParams *cparams,
VbSelectAndLoadKernelParams *kparams,
void *boot_image,
- size_t image_size);
+ size_t image_size,
+ int integrity_only);
/**
* Fastboot API to enter dev mode.
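Review bot: The new `@param integrity_only` line does not state what a caller gives up by setting it. Per the matching change in firmware/lib/vboot_api_kernel.c, any non-zero value selects the hash-only path even when the dev-mode switch is off and the GBB override is unset, so the signature is not checked. I would spell that out, for example `@param integrity_only  Non-zero: verify the image hash only and skip the signature check, regardless of dev switch and GBB flags.` A second sentence should say the caller is responsible for passing non-zero only when the device state permits unsigned images (unlocked mode, going by the commit message). The summary paragraph above the parameter list still names the GBB override as the only integrity-only case and should mention the caller-requested path too.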
diff --git a/firmware/lib/vboot_api_kernel.c b/firmware/lib/vboot_api_kernel.c
index 312014bd..13a394ce 100644
--- a/firmware/lib/vboot_api_kernel.c
+++ b/firmware/lib/vboot_api_kernel.c
@@ -1199,7 +1199,8 @@ VbError_t VbSelectAndLoadKernel(VbCommonParams *cparams,
VbError_t VbVerifyMemoryBootImage(VbCommonParams *cparams,
VbSelectAndLoadKernelParams *kparams,
void *boot_image,
- size_t image_size)
+ size_t image_size,
+ int integrity_only)
{
VbError_t retval;
VbPublicKey* kernel_subkey = NULL;
@@ -1240,11 +1241,16 @@ VbError_t VbVerifyMemoryBootImage(VbCommonParams *cparams,
* 1. dev-mode switch is on and
* 2. GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP is set.
*
+ * OR
+ *
+ * 1. integrity_only check is requested.
+ *
* Check only the integrity of the image.
*/
dev_switch = shared->flags & VBSD_BOOT_DEV_SWITCH_ON;
- if (dev_switch && (cparams->gbb->flags &
- GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP)) {
+ if ((dev_switch && (cparams->gbb->flags &
+ GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP)) ||
+ integrity_only) {
VBDEBUG(("Only performing integrity-check.\n"));
hash_only = 1;
} else {
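Review bot: In the rewritten condition, `|| integrity_only` sits outside the `dev_switch` test, so a non-zero argument sets `hash_only = 1` without this function checking any device state. Signature enforcement for in-memory images then depends entirely on every caller passing the flag correctly. If the only intended user is fastboot boot in unlocked mode, and unlocked implies the dev switch is on (not visible in this hunk), a library-side gate would keep the policy in one place: `if (dev_switch && ((cparams->gbb->flags & GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP) || integrity_only)) {`. Otherwise, add a comment here naming the caller-side precondition, and make the `VBDEBUG` message say whether the GBB flag or the caller's request selected the integrity-only path, so logs show why the signature check was skipped. The function body continues past the end of this hunk.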