diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/security/vboot/common.c | 10 | ||||
-rw-r--r-- | src/security/vboot/misc.h | 5 | ||||
-rw-r--r-- | src/security/vboot/vboot_loader.c | 2 | ||||
-rw-r--r-- | src/security/vboot/vboot_logic.c | 35 |
4 files changed, 22 insertions, 30 deletions
diff --git a/src/security/vboot/common.c b/src/security/vboot/common.c index c21fe155a5..214f6fa208 100644 --- a/src/security/vboot/common.c +++ b/src/security/vboot/common.c @@ -68,8 +68,7 @@ struct vb2_context *vboot_get_context(void) return vboot_ctx; } -int vboot_locate_firmware(const struct vb2_context *ctx, - struct region_device *fw) +int vboot_locate_firmware(struct vb2_context *ctx, struct region_device *fw) { const char *name; @@ -78,7 +77,12 @@ int vboot_locate_firmware(const struct vb2_context *ctx, else name = "FW_MAIN_B"; - return fmap_locate_area_as_rdev(name, fw); + int ret = fmap_locate_area_as_rdev(name, fw); + if (ret) + return ret; + + /* Truncate area to the size that was actually signed by vboot. */ + return rdev_chain(fw, fw, 0, vb2api_get_firmware_size(ctx)); } static void vboot_setup_cbmem(int unused) diff --git a/src/security/vboot/misc.h b/src/security/vboot/misc.h index 1fda8b42b2..0b2c8e54a9 100644 --- a/src/security/vboot/misc.h +++ b/src/security/vboot/misc.h @@ -30,7 +30,7 @@ struct vb2_context *vboot_get_context(void); /* * Returns 1 if firmware slot A is used, 0 if slot B is used. */ -static inline int vboot_is_firmware_slot_a(const struct vb2_context *ctx) +static inline int vboot_is_firmware_slot_a(struct vb2_context *ctx) { return !(ctx->flags & VB2_CONTEXT_FW_SLOT_B); } @@ -49,8 +49,7 @@ static inline bool vboot_is_gbb_flag_set(enum vb2_gbb_flag flag) /* * Locates firmware as a region device. Returns 0 on success, -1 on failure. */ -int vboot_locate_firmware(const struct vb2_context *ctx, - struct region_device *fw); +int vboot_locate_firmware(struct vb2_context *ctx, struct region_device *fw); /* * Source: security/vboot/bootmode.c diff --git a/src/security/vboot/vboot_loader.c b/src/security/vboot/vboot_loader.c index 9aaaff2f32..b72c82ba4a 100644 --- a/src/security/vboot/vboot_loader.c +++ b/src/security/vboot/vboot_loader.c @@ -72,7 +72,7 @@ void vboot_run_logic(void) static int vboot_locate(struct region_device *rdev) { - const struct vb2_context *ctx; + struct vb2_context *ctx; /* Don't honor vboot results until the vboot logic has run. */ if (!vboot_logic_executed()) diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c index 6c4f8fd2a8..1d17a17657 100644 --- a/src/security/vboot/vboot_logic.c +++ b/src/security/vboot/vboot_logic.c @@ -173,10 +173,10 @@ static int handle_digest_result(void *slot_hash, size_t slot_hash_sz) } static vb2_error_t hash_body(struct vb2_context *ctx, - struct region_device *fw_main) + struct region_device *fw_body) { uint64_t load_ts; - uint32_t expected_size; + uint32_t remaining; uint8_t block[TODO_BLOCK_SIZE]; uint8_t hash_digest[VBOOT_MAX_HASH_SIZE]; const size_t hash_digest_sz = sizeof(hash_digest); @@ -197,33 +197,22 @@ static vb2_error_t hash_body(struct vb2_context *ctx, load_ts = timestamp_get(); timestamp_add(TS_START_HASH_BODY, load_ts); - expected_size = region_device_sz(fw_main); + remaining = region_device_sz(fw_body); offset = 0; /* Start the body hash */ - rv = vb2api_init_hash(ctx, VB2_HASH_TAG_FW_BODY, &expected_size); + rv = vb2api_init_hash(ctx, VB2_HASH_TAG_FW_BODY); if (rv) return rv; - /* - * Honor vboot's RW slot size. The expected size is pulled out of - * the preamble and obtained through vb2api_init_hash() above. By - * creating sub region the RW slot portion of the boot media is - * limited. - */ - if (rdev_chain(fw_main, fw_main, 0, expected_size)) { - printk(BIOS_ERR, "Unable to restrict CBFS size.\n"); - return VB2_ERROR_UNKNOWN; - } - /* Extend over the body */ - while (expected_size) { + while (remaining) { uint64_t temp_ts; - if (block_size > expected_size) - block_size = expected_size; + if (block_size > remaining) + block_size = remaining; temp_ts = timestamp_get(); - if (rdev_readat(fw_main, block, offset, block_size) < 0) + if (rdev_readat(fw_body, block, offset, block_size) < 0) return VB2_ERROR_UNKNOWN; load_ts += timestamp_get() - temp_ts; @@ -231,7 +220,7 @@ static vb2_error_t hash_body(struct vb2_context *ctx, if (rv) return rv; - expected_size -= block_size; + remaining -= block_size; offset += block_size; } @@ -309,7 +298,7 @@ ROMSTAGE_CBMEM_INIT_HOOK(vboot_log_and_clear_recovery_mode_switch) void verstage_main(void) { struct vb2_context *ctx; - struct region_device fw_main; + struct region_device fw_body; vb2_error_t rv; timestamp_add_now(TS_START_VBOOT); @@ -405,12 +394,12 @@ void verstage_main(void) } printk(BIOS_INFO, "Phase 4\n"); - rv = vboot_locate_firmware(ctx, &fw_main); + rv = vboot_locate_firmware(ctx, &fw_body); if (rv) die_with_post_code(POST_INVALID_ROM, "Failed to read FMAP to locate firmware"); - rv = hash_body(ctx, &fw_main); + rv = hash_body(ctx, &fw_body); vboot_save_data(ctx); if (rv) { printk(BIOS_INFO, "Reboot requested (%x)\n", rv); |