summaryrefslogtreecommitdiff
path: root/src/security/vboot
diff options
context:
space:
mode:
Diffstat (limited to 'src/security/vboot')
-rw-r--r--src/security/vboot/common.c10
-rw-r--r--src/security/vboot/misc.h5
-rw-r--r--src/security/vboot/vboot_loader.c2
-rw-r--r--src/security/vboot/vboot_logic.c35
4 files changed, 22 insertions, 30 deletions
diff --git a/src/security/vboot/common.c b/src/security/vboot/common.c
index c21fe155a5..214f6fa208 100644
--- a/src/security/vboot/common.c
+++ b/src/security/vboot/common.c
@@ -68,8 +68,7 @@ struct vb2_context *vboot_get_context(void)
return vboot_ctx;
}
-int vboot_locate_firmware(const struct vb2_context *ctx,
- struct region_device *fw)
+int vboot_locate_firmware(struct vb2_context *ctx, struct region_device *fw)
{
const char *name;
@@ -78,7 +77,12 @@ int vboot_locate_firmware(const struct vb2_context *ctx,
else
name = "FW_MAIN_B";
- return fmap_locate_area_as_rdev(name, fw);
+ int ret = fmap_locate_area_as_rdev(name, fw);
+ if (ret)
+ return ret;
+
+ /* Truncate area to the size that was actually signed by vboot. */
+ return rdev_chain(fw, fw, 0, vb2api_get_firmware_size(ctx));
}
static void vboot_setup_cbmem(int unused)
diff --git a/src/security/vboot/misc.h b/src/security/vboot/misc.h
index 1fda8b42b2..0b2c8e54a9 100644
--- a/src/security/vboot/misc.h
+++ b/src/security/vboot/misc.h
@@ -30,7 +30,7 @@ struct vb2_context *vboot_get_context(void);
/*
* Returns 1 if firmware slot A is used, 0 if slot B is used.
*/
-static inline int vboot_is_firmware_slot_a(const struct vb2_context *ctx)
+static inline int vboot_is_firmware_slot_a(struct vb2_context *ctx)
{
return !(ctx->flags & VB2_CONTEXT_FW_SLOT_B);
}
@@ -49,8 +49,7 @@ static inline bool vboot_is_gbb_flag_set(enum vb2_gbb_flag flag)
/*
* Locates firmware as a region device. Returns 0 on success, -1 on failure.
*/
-int vboot_locate_firmware(const struct vb2_context *ctx,
- struct region_device *fw);
+int vboot_locate_firmware(struct vb2_context *ctx, struct region_device *fw);
/*
* Source: security/vboot/bootmode.c
diff --git a/src/security/vboot/vboot_loader.c b/src/security/vboot/vboot_loader.c
index 9aaaff2f32..b72c82ba4a 100644
--- a/src/security/vboot/vboot_loader.c
+++ b/src/security/vboot/vboot_loader.c
@@ -72,7 +72,7 @@ void vboot_run_logic(void)
static int vboot_locate(struct region_device *rdev)
{
- const struct vb2_context *ctx;
+ struct vb2_context *ctx;
/* Don't honor vboot results until the vboot logic has run. */
if (!vboot_logic_executed())
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index 6c4f8fd2a8..1d17a17657 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -173,10 +173,10 @@ static int handle_digest_result(void *slot_hash, size_t slot_hash_sz)
}
static vb2_error_t hash_body(struct vb2_context *ctx,
- struct region_device *fw_main)
+ struct region_device *fw_body)
{
uint64_t load_ts;
- uint32_t expected_size;
+ uint32_t remaining;
uint8_t block[TODO_BLOCK_SIZE];
uint8_t hash_digest[VBOOT_MAX_HASH_SIZE];
const size_t hash_digest_sz = sizeof(hash_digest);
@@ -197,33 +197,22 @@ static vb2_error_t hash_body(struct vb2_context *ctx,
load_ts = timestamp_get();
timestamp_add(TS_START_HASH_BODY, load_ts);
- expected_size = region_device_sz(fw_main);
+ remaining = region_device_sz(fw_body);
offset = 0;
/* Start the body hash */
- rv = vb2api_init_hash(ctx, VB2_HASH_TAG_FW_BODY, &expected_size);
+ rv = vb2api_init_hash(ctx, VB2_HASH_TAG_FW_BODY);
if (rv)
return rv;
- /*
- * Honor vboot's RW slot size. The expected size is pulled out of
- * the preamble and obtained through vb2api_init_hash() above. By
- * creating sub region the RW slot portion of the boot media is
- * limited.
- */
- if (rdev_chain(fw_main, fw_main, 0, expected_size)) {
- printk(BIOS_ERR, "Unable to restrict CBFS size.\n");
- return VB2_ERROR_UNKNOWN;
- }
-
/* Extend over the body */
- while (expected_size) {
+ while (remaining) {
uint64_t temp_ts;
- if (block_size > expected_size)
- block_size = expected_size;
+ if (block_size > remaining)
+ block_size = remaining;
temp_ts = timestamp_get();
- if (rdev_readat(fw_main, block, offset, block_size) < 0)
+ if (rdev_readat(fw_body, block, offset, block_size) < 0)
return VB2_ERROR_UNKNOWN;
load_ts += timestamp_get() - temp_ts;
@@ -231,7 +220,7 @@ static vb2_error_t hash_body(struct vb2_context *ctx,
if (rv)
return rv;
- expected_size -= block_size;
+ remaining -= block_size;
offset += block_size;
}
@@ -309,7 +298,7 @@ ROMSTAGE_CBMEM_INIT_HOOK(vboot_log_and_clear_recovery_mode_switch)
void verstage_main(void)
{
struct vb2_context *ctx;
- struct region_device fw_main;
+ struct region_device fw_body;
vb2_error_t rv;
timestamp_add_now(TS_START_VBOOT);
@@ -405,12 +394,12 @@ void verstage_main(void)
}
printk(BIOS_INFO, "Phase 4\n");
- rv = vboot_locate_firmware(ctx, &fw_main);
+ rv = vboot_locate_firmware(ctx, &fw_body);
if (rv)
die_with_post_code(POST_INVALID_ROM,
"Failed to read FMAP to locate firmware");
- rv = hash_body(ctx, &fw_main);
+ rv = hash_body(ctx, &fw_body);
vboot_save_data(ctx);
if (rv) {
printk(BIOS_INFO, "Reboot requested (%x)\n", rv);