diff options
Diffstat (limited to 'firmware/lib/vboot_kernel.c')
-rw-r--r-- | firmware/lib/vboot_kernel.c | 40 |
1 files changed, 6 insertions, 34 deletions
diff --git a/firmware/lib/vboot_kernel.c b/firmware/lib/vboot_kernel.c index 34a8a426..2c71d163 100644 --- a/firmware/lib/vboot_kernel.c +++ b/firmware/lib/vboot_kernel.c @@ -6,6 +6,7 @@ * (Firmware portion) */ +#include "2api.h" #include "2common.h" #include "2misc.h" #include "2nvstorage.h" @@ -31,34 +32,6 @@ enum vb2_load_partition_flags { #define LOWEST_TPM_VERSION 0xffffffff -enum vb2_boot_mode { - /* Normal boot: kernel must be verified. */ - VB2_BOOT_MODE_NORMAL = 0, - - /* Recovery boot, regardless of dev mode state. */ - VB2_BOOT_MODE_RECOVERY = 1, - - /* Developer boot: self-signed kernel okay. */ - VB2_BOOT_MODE_DEVELOPER = 2, -}; - -/** - * Return the current boot mode (normal, recovery, or dev). - * - * @param ctx Vboot context - * @return Current boot mode (see vb2_boot_mode enum). - */ -static enum vb2_boot_mode get_boot_mode(struct vb2_context *ctx) -{ - if (ctx->flags & VB2_CONTEXT_RECOVERY_MODE) - return VB2_BOOT_MODE_RECOVERY; - - if (ctx->flags & VB2_CONTEXT_DEVELOPER_MODE) - return VB2_BOOT_MODE_DEVELOPER; - - return VB2_BOOT_MODE_NORMAL; -} - /** * Check if a valid keyblock is required. * @@ -69,7 +42,7 @@ static enum vb2_boot_mode get_boot_mode(struct vb2_context *ctx) static int need_valid_keyblock(struct vb2_context *ctx) { /* Normal and recovery modes always require official OS */ - if (get_boot_mode(ctx) != VB2_BOOT_MODE_DEVELOPER) + if (ctx->boot_mode != VB2_BOOT_MODE_DEVELOPER) return 1; /* FWMP can require developer mode to use signed kernels */ @@ -264,9 +237,8 @@ static vb2_error_t vb2_verify_kernel_vblock( } /* Check for rollback of key version except in recovery mode. */ - enum vb2_boot_mode boot_mode = get_boot_mode(ctx); uint32_t key_version = keyblock->data_key.key_version; - if (boot_mode != VB2_BOOT_MODE_RECOVERY) { + if (ctx->boot_mode != VB2_BOOT_MODE_MANUAL_RECOVERY) { if (key_version < (sd->kernel_version_secdata >> 16)) { keyblock_valid = 0; if (need_keyblock_valid) { @@ -288,7 +260,7 @@ static vb2_error_t vb2_verify_kernel_vblock( } /* If in developer mode and using key hash, check it. */ - if (boot_mode == VB2_BOOT_MODE_DEVELOPER && + if (ctx->boot_mode == VB2_BOOT_MODE_DEVELOPER && vb2_secdata_fwmp_get_flag(ctx, VB2_SECDATA_FWMP_DEV_USE_KEY_HASH)) { VB2_TRY(vb2_verify_kernel_dev_key_hash(ctx, keyblock)); } @@ -356,7 +328,7 @@ static vb2_error_t vb2_verify_kernel_vblock( /* If not in recovery mode, check for rollback of the kernel version. */ if (need_keyblock_valid && - boot_mode != VB2_BOOT_MODE_RECOVERY && + ctx->boot_mode != VB2_BOOT_MODE_MANUAL_RECOVERY && sd->kernel_version < sd->kernel_version_secdata) { VB2_DEBUG("Kernel version too low.\n"); return VB2_ERROR_KERNEL_PREAMBLE_VERSION_ROLLBACK; @@ -739,7 +711,7 @@ vb2_error_t LoadKernel(struct vb2_context *ctx, * non-officially-signed kernel, there's no rollback * protection, so we can stop at the first valid kernel. */ - if (get_boot_mode(ctx) == VB2_BOOT_MODE_RECOVERY || + if (ctx->boot_mode == VB2_BOOT_MODE_MANUAL_RECOVERY || !keyblock_valid) { VB2_DEBUG("In recovery mode or dev-signed kernel\n"); break; |