vboot: Add VB2_CONTEXT_EC_TRUSTED

This patch makes coreboot set VB2_CONTEXT_EC_TRUSTED based on the EC's
boot mode. Vboot will check VB2_CONTEXT_EC_TRUSTED to determine
whether it can enter recovery mode or not.

BUG=b:180927027, b:187871195
BRANCH=none
TEST=build

Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Change-Id: I9fa09dd7ae5baa1efb4e1ed4f0fe9a6803167c93
Reviewed-on: https://review.coreboot.org/c/coreboot/+/54099
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index 70c7d77..c257d22 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -212,15 +212,18 @@
 		   vboot_extend_pcr(ctx, 1, HWID_DIGEST_PCR);
 }
 
-#define EC_EFS_BOOT_MODE_NORMAL		0x00
-#define EC_EFS_BOOT_MODE_NO_BOOT	0x01
+#define EC_EFS_BOOT_MODE_TRUSTED_RO	0x00
+#define EC_EFS_BOOT_MODE_UNTRUSTED_RO	0x01
+#define EC_EFS_BOOT_MODE_VERIFIED_RW	0x02
 
 static const char *get_boot_mode_string(uint8_t boot_mode)
 {
-	if (boot_mode == EC_EFS_BOOT_MODE_NORMAL)
-		return "NORMAL";
-	else if (boot_mode == EC_EFS_BOOT_MODE_NO_BOOT)
-		return "NO_BOOT";
+	if (boot_mode == EC_EFS_BOOT_MODE_TRUSTED_RO)
+		return "TRUSTED_RO";
+	else if (boot_mode == EC_EFS_BOOT_MODE_UNTRUSTED_RO)
+		return "UNTRUSTED_RO";
+	else if (boot_mode == EC_EFS_BOOT_MODE_VERIFIED_RW)
+		return "VERIFIED_RW";
 	else
 		return "UNDEFINED";
 }
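Review bot: The EC_EFS_BOOT_MODE_* values now feed a trust decision, yet the definitions carry no comment saying where the encoding comes from or what each state implies. Since 0x00 is renamed from NORMAL to TRUSTED_RO and a third value is added, a short header comment above the defines would help, for example `/* Boot mode as reported by Cr50; values must stay in sync with the Cr50 firmware. */`. A per-value remark such as `/* EC is in RO and trusted; recovery may be entered */` would also be useful. These semantics are inferred from the commit message and the log line in the next hunk, so the author should confirm the wording.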
@@ -253,8 +256,10 @@
 	printk(BIOS_INFO, "Cr50 says boot_mode is %s(0x%02x).\n",
 	       get_boot_mode_string(boot_mode), boot_mode);
 
-	if (boot_mode == EC_EFS_BOOT_MODE_NO_BOOT)
+	if (boot_mode == EC_EFS_BOOT_MODE_UNTRUSTED_RO)
 		ctx->flags |= VB2_CONTEXT_NO_BOOT;
+	else if (boot_mode == EC_EFS_BOOT_MODE_TRUSTED_RO)
+		ctx->flags |= VB2_CONTEXT_EC_TRUSTED;
 }
 
 /**
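Review bot: Any boot_mode other than the two tested values leaves both VB2_CONTEXT_NO_BOOT and VB2_CONTEXT_EC_TRUSTED clear, and nothing says this is intended. That covers VERIFIED_RW and anything get_boot_mode_string() reports as UNDEFINED. Withholding EC_TRUSTED for an unknown value is the safe direction, but boot appears to proceed exactly as for VERIFIED_RW, so an unexpected reply from Cr50 is distinguishable only by the INFO line above. Consider a trailing branch such as `else if (boot_mode != EC_EFS_BOOT_MODE_VERIFIED_RW) printk(BIOS_WARNING, "Unexpected boot_mode 0x%02x, EC not trusted.\n", boot_mode);`, or at least a comment stating that VERIFIED_RW and undefined modes deliberately set neither flag. The function begins above this hunk, so how a failed boot_mode read is handled is not visible here.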