firmware: Clean up and deprecate recovery reasons

This patch deprecates a bunch of recovery reasons we no longer use and
removes the display strings associated with them.

BRANCH=None
BUG=None
TEST=make runtests

Change-Id: I0350784f810c68d52bc972575b8c3f57539b8094
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1863624
Reviewed-by: Joel Kitching <kitching@chromium.org>
diff --git a/firmware/2lib/include/2recovery_reasons.h b/firmware/2lib/include/2recovery_reasons.h
index 6d9a272..b409e95 100644
--- a/firmware/2lib/include/2recovery_reasons.h
+++ b/firmware/2lib/include/2recovery_reasons.h
@@ -10,6 +10,10 @@
 
 /* Recovery reason codes */
 enum vb2_nv_recovery {
+
+	/**********************************************************************/
+	/**** Uncategorized errors ********************************************/
+
 	/* Recovery not requested. */
 	VB2_RECOVERY_NOT_REQUESTED = 0x00,
 
@@ -24,29 +28,31 @@
 	/* User manually requested recovery via recovery button */
 	VB2_RECOVERY_RO_MANUAL = 0x02,
 
-	/*
-	 * RW firmware failed signature check (neither RW firmware slot was
-	 * valid)
-	 */
+
+
+	/**********************************************************************/
+	/**** Firmware verification (RO) errors (and some EC stuff???) ********/
+
+	/* Unspecified RW verification error (when none of 0x10-0x1f fit) */
 	VB2_RECOVERY_RO_INVALID_RW = 0x03,
 
-	/* S3 resume failed */
-	VB2_RECOVERY_RO_S3_RESUME = 0x04,
+	/* S3 resume failed (deprecated) */
+	VB2_RECOVERY_DEPRECATED_RO_S3_RESUME = 0x04,
 
-	/* TPM error in read-only firmware (deprecated) */
-	VB2_RECOVERY_DEP_RO_TPM_ERROR = 0x05,
+	/* TPM error in read-only firmware (deprecated, see 0x54+) */
+	VB2_RECOVERY_DEPRECATED_RO_TPM_ERROR = 0x05,
 
 	/* Shared data error in read-only firmware */
 	VB2_RECOVERY_RO_SHARED_DATA = 0x06,
 
-	/* Test error from S3Resume() */
-	VB2_RECOVERY_RO_TEST_S3 = 0x07,
+	/* Test error from S3Resume() (deprecated) */
+	VB2_RECOVERY_DEPRECATED_RO_TEST_S3 = 0x07,
 
 	/* Test error from LoadFirmwareSetup() (deprecated) */
-	VB2_RECOVERY_RO_TEST_LFS = 0x08,
+	VB2_RECOVERY_DEPRECATED_RO_TEST_LFS = 0x08,
 
 	/* Test error from LoadFirmware() (deprecated) */
-	VB2_RECOVERY_RO_TEST_LF = 0x09,
+	VB2_RECOVERY_DEPRECATED_RO_TEST_LF = 0x09,
 
 	/*
 	 * RW firmware failed signature check (neither RW firmware slot was
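Review bot: Nothing in this header says that the numbers behind the new `VB2_RECOVERY_DEPRECATED_*` names stay reserved. These codes are stored in vboot NVRAM and the header has firmware, kernel and userspace ranges, so reusing 0x04 or 0x07-0x09 (or the deprecated values in the later hunks) would make a code written by an older component decode as a different failure. A comment at the top of `enum vb2_nv_recovery` would pin this down: `/* Values are persistent ABI: deprecated entries keep their number and must never be reassigned. */`. The enum opens before this hunk and continues past it.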
@@ -94,7 +100,7 @@
 	VB2_RECOVERY_EC_UNKNOWN_IMAGE = 0x23,
 
 	/* EC software sync - error obtaining EC image hash (deprecated) */
-	VB2_RECOVERY_DEP_EC_HASH = 0x24,
+	VB2_RECOVERY_DEPRECATED_EC_HASH = 0x24,
 
 	/* EC software sync - error obtaining expected EC image */
 	VB2_RECOVERY_EC_EXPECTED_IMAGE = 0x25,
@@ -111,11 +117,8 @@
 	/* EC software sync - error obtaining expected EC hash */
 	VB2_RECOVERY_EC_EXPECTED_HASH = 0x29,
 
-	/* EC software sync - expected EC image doesn't match hash */
-	VB2_RECOVERY_EC_HASH_MISMATCH = 0x2a,
-
-	/* New error codes from VB2 */
-	/* TODO: may need to add strings for these in the original fwlib */
+	/* EC software sync - expected EC image doesn't match hash (deprc.) */
+	VB2_RECOVERY_DEPRECATED_EC_HASH_MISMATCH = 0x2a,
 
 	/* Firmware secure data initialization error */
 	VB2_RECOVERY_SECDATA_FIRMWARE_INIT = 0x2b,
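Review bot: The comment on 0x2a abbreviates the marker as `(deprc.)`, so a search for `deprecated` in this header misses the entry. Wrapping the comment over two lines keeps the full word, e.g. `/* EC software sync - expected EC image doesn't match hash` followed by ` * (deprecated) */`. Two neighbouring hunks have similar wording slips: the banner `(and some EC stuff???)` reads as an open question, and the new comment on `VB2_RECOVERY_RW_INVALID_OS` does not use the ` * ` continuation style of the other multi-line comments in this file.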
@@ -138,32 +141,38 @@
 	/* Unspecified/unknown error in read-only firmware */
 	VB2_RECOVERY_RO_UNSPECIFIED = 0x3f,
 
+
+
+	/**********************************************************************/
+	/**** Kernel verification (RW) errors *********************************/
+
 	/*
 	 * User manually requested recovery by pressing a key at developer
-	 * warning screen
+	 * warning screen (deprecated)
 	 */
-	VB2_RECOVERY_RW_DEV_SCREEN = 0x41,
+	VB2_RECOVERY_DEPRECATED_RW_DEV_SCREEN = 0x41,
 
-	/* No OS kernel detected */
-	VB2_RECOVERY_RW_NO_OS = 0x42,
+	/* No OS kernel detected (deprecated, now 0x5b) */
+	VB2_RECOVERY_DEPRECATED_RW_NO_OS = 0x42,
 
-	/* OS kernel failed signature check */
+	/* OS kernel failed signature check. Since the kernel corrupts itself
+	   (DMVERROR) on a verity failure, may also indicate corrupt rootfs. */
 	VB2_RECOVERY_RW_INVALID_OS = 0x43,
 
-	/* TPM error in rewritable firmware (deprecated) */
-	VB2_RECOVERY_DEP_RW_TPM_ERROR = 0x44,
+	/* TPM error in rewritable firmware (deprecated, see 0x54+) */
+	VB2_RECOVERY_DEPRECATED_RW_TPM_ERROR = 0x44,
 
-	/* RW firmware in dev mode, but dev switch is off */
-	VB2_RECOVERY_RW_DEV_MISMATCH = 0x45,
+	/* RW firmware in dev mode, but dev switch is off (deprecated) */
+	VB2_RECOVERY_DEPRECATED_RW_DEV_MISMATCH = 0x45,
 
 	/* Shared data error in rewritable firmware */
 	VB2_RECOVERY_RW_SHARED_DATA = 0x46,
 
-	/* Test error from LoadKernel() */
-	VB2_RECOVERY_RW_TEST_LK = 0x47,
+	/* Test error from LoadKernel() (deprecated) */
+	VB2_RECOVERY_DEPRECATED_RW_TEST_LK = 0x47,
 
-	/* No bootable disk found (deprecated)*/
-	VB2_RECOVERY_DEP_RW_NO_DISK = 0x48,
+	/* No bootable disk found (deprecated, see 0x5a) */
+	VB2_RECOVERY_DEPRECATED_RW_NO_DISK = 0x48,
 
 	/* Rebooting did not correct TPM_E_FAIL or TPM_E_FAILEDSELFTEST  */
 	VB2_RECOVERY_TPM_E_FAIL = 0x49,
@@ -193,28 +202,25 @@
 	VB2_RECOVERY_EC_HASH_FAILED = 0x57,
 
 	/* EC software sync invalid image hash size */
-	VB2_RECOVERY_EC_HASH_SIZE    = 0x58,
+	VB2_RECOVERY_EC_HASH_SIZE = 0x58,
 
 	/* Unspecified error while trying to load kernel */
-	VB2_RECOVERY_LK_UNSPECIFIED  = 0x59,
+	VB2_RECOVERY_LK_UNSPECIFIED = 0x59,
 
 	/* No bootable storage device in system */
-	VB2_RECOVERY_RW_NO_DISK      = 0x5a,
+	VB2_RECOVERY_RW_NO_DISK = 0x5a,
 
 	/* No bootable kernel found on disk */
-	VB2_RECOVERY_RW_NO_KERNEL    = 0x5b,
+	VB2_RECOVERY_RW_NO_KERNEL = 0x5b,
 
-	/* BCB related error in RW firmware */
-	VB2_RECOVERY_RW_BCB_ERROR    = 0x5c,
-
-	/* New error codes from VB2 */
-	/* TODO: may need to add strings for these in the original fwlib */
+	/* BCB related error in RW firmware (deprecated) */
+	VB2_RECOVERY_DEPRECATED_RW_BCB_ERROR = 0x5c,
 
 	/* Kernel secure data initialization error */
 	VB2_RECOVERY_SECDATA_KERNEL_INIT = 0x5d,
 
-	/* Fastboot mode requested in firmware */
-	VB2_RECOVERY_DEPRECATED_FW_FASTBOOT     = 0x5e,
+	/* Fastboot mode requested in firmware (deprecated) */
+	VB2_RECOVERY_DEPRECATED_FW_FASTBOOT = 0x5e,
 
 	/* Recovery hash space lock error in RO firmware */
 	VB2_RECOVERY_RO_TPM_REC_HASH_L_ERROR = 0x5f,
@@ -226,28 +232,44 @@
 	VB2_RECOVERY_ALTFW_HASH_FAILED = 0x61,
 
 	/* Unspecified/unknown error in rewritable firmware */
-	VB2_RECOVERY_RW_UNSPECIFIED  = 0x7f,
+	VB2_RECOVERY_RW_UNSPECIFIED = 0x7f,
 
-	/* DM-verity error */
-	VB2_RECOVERY_KE_DM_VERITY    = 0x81,
 
-	/* Unspecified/unknown error in kernel */
-	VB2_RECOVERY_KE_UNSPECIFIED  = 0xbf,
+
+	/**********************************************************************/
+	/**** OS level (kernel) errors (deprecated) ***************************/
+
+	/*
+	 * Note: we want to avoid having the kernel touch vboot NVRAM directly
+	 * in the future, so this whole range is essentially deprecated until
+	 * further notice.
+	 */
+
+	/* DM-verity error (deprecated) */
+	VB2_RECOVERY_DEPRECATED_KE_DM_VERITY = 0x81,
+
+	/* Unspecified/unknown error in kernel (deprecated) */
+	VB2_RECOVERY_DEPRECATED_KE_UNSPECIFIED = 0xbf,
+
+
+
+	/**********************************************************************/
+	/**** OS level (userspace) errors *************************************/
 
 	/* Recovery mode test from user-mode */
-	VB2_RECOVERY_US_TEST         = 0xc1,
+	VB2_RECOVERY_US_TEST = 0xc1,
 
-	/* Recovery requested by user-mode via BCB */
-	VB2_RECOVERY_BCB_USER_MODE   = 0xc2,
+	/* Recovery requested by user-mode via BCB (deprecated) */
+	VB2_RECOVERY_DEPRECATED_BCB_USER_MODE = 0xc2,
 
-	/* Fastboot mode requested by user-mode */
-	VB2_RECOVERY_DEPRECATED_US_FASTBOOT     = 0xc3,
+	/* Fastboot mode requested by user-mode (deprecated) */
+	VB2_RECOVERY_DEPRECATED_US_FASTBOOT = 0xc3,
 
 	/* User requested recovery for training memory and rebooting. */
 	VB2_RECOVERY_TRAIN_AND_REBOOT = 0xc4,
 
 	/* Unspecified/unknown error in user-mode */
-	VB2_RECOVERY_US_UNSPECIFIED  = 0xff,
+	VB2_RECOVERY_US_UNSPECIFIED = 0xff,
 };
 
 #endif  /* VBOOT_REFERENCE_2RECOVERY_REASONS_H_ */
diff --git a/firmware/lib/vboot_display.c b/firmware/lib/vboot_display.c
index eb47148..218d66f 100644
--- a/firmware/lib/vboot_display.c
+++ b/firmware/lib/vboot_display.c
@@ -118,46 +118,18 @@
 		return "recovery button pressed";
 	case VB2_RECOVERY_RO_INVALID_RW:
 		return "RW firmware failed signature check";
-	case VB2_RECOVERY_RO_S3_RESUME:
-		return "S3 resume failed";
-	case VB2_RECOVERY_DEP_RO_TPM_ERROR:
-		return "TPM error in read-only firmware";
 	case VB2_RECOVERY_RO_SHARED_DATA:
 		return "Shared data error in read-only firmware";
-	case VB2_RECOVERY_RO_TEST_S3:
-		return "Test error from S3Resume()";
-	case VB2_RECOVERY_RO_TEST_LFS:
-		return "Test error from LoadFirmwareSetup()";
-	case VB2_RECOVERY_RO_TEST_LF:
-		return "Test error from LoadFirmware()";
-	case VB2_RECOVERY_RO_INVALID_RW_CHECK_MIN + VBSD_LF_CHECK_NOT_DONE:
-		return "RW firmware check not done";
-	case VB2_RECOVERY_RO_INVALID_RW_CHECK_MIN + VBSD_LF_CHECK_DEV_MISMATCH:
-		return "RW firmware developer flag mismatch";
-	case VB2_RECOVERY_RO_INVALID_RW_CHECK_MIN + VBSD_LF_CHECK_REC_MISMATCH:
-		return "RW firmware recovery flag mismatch";
-	case VB2_RECOVERY_RO_INVALID_RW_CHECK_MIN +
-		VBSD_LF_CHECK_VERIFY_KEYBLOCK:
+	case VB2_RECOVERY_FW_KEYBLOCK:
 		return "RW firmware unable to verify key block";
-	case VB2_RECOVERY_RO_INVALID_RW_CHECK_MIN + VBSD_LF_CHECK_KEY_ROLLBACK:
+	case VB2_RECOVERY_FW_KEY_ROLLBACK:
 		return "RW firmware key version rollback detected";
-	case VB2_RECOVERY_RO_INVALID_RW_CHECK_MIN +
-		VBSD_LF_CHECK_DATA_KEY_PARSE:
-		return "RW firmware unable to parse data key";
-	case VB2_RECOVERY_RO_INVALID_RW_CHECK_MIN +
-		VBSD_LF_CHECK_VERIFY_PREAMBLE:
+	case VB2_RECOVERY_FW_PREAMBLE:
 		return "RW firmware unable to verify preamble";
-	case VB2_RECOVERY_RO_INVALID_RW_CHECK_MIN + VBSD_LF_CHECK_FW_ROLLBACK:
+	case VB2_RECOVERY_FW_ROLLBACK:
 		return "RW firmware version rollback detected";
-	case VB2_RECOVERY_RO_INVALID_RW_CHECK_MIN + VBSD_LF_CHECK_GET_FW_BODY:
-		return "RW firmware unable to get firmware body";
-	case VB2_RECOVERY_RO_INVALID_RW_CHECK_MIN +
-		VBSD_LF_CHECK_HASH_WRONG_SIZE:
-		return "RW firmware hash is wrong size";
-	case VB2_RECOVERY_RO_INVALID_RW_CHECK_MIN + VBSD_LF_CHECK_VERIFY_BODY:
+	case VB2_RECOVERY_FW_BODY:
 		return "RW firmware unable to verify firmware body";
-	case VB2_RECOVERY_RO_INVALID_RW_CHECK_MIN + VBSD_LF_CHECK_NO_RO_NORMAL:
-		return "RW firmware read-only normal path is not supported";
 	case VB2_RECOVERY_RO_FIRMWARE:
 		return "Firmware problem outside of verified boot";
 	case VB2_RECOVERY_RO_TPM_REBOOT:
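Review bot: The string returned for `VB2_RECOVERY_RO_INVALID_RW` is still "RW firmware failed signature check", while the header in this same commit redefines 0x03 as an unspecified RW verification error used when none of 0x10-0x1f fit. The kernel-side counterpart `VB2_RECOVERY_RW_INVALID_OS` had its string updated in a later hunk, so this one looks missed. `return "Unspecified RW firmware verification error";` would match the new meaning and avoid pointing triage at a signature failure that may not have happened. The enclosing function starts before this hunk.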
@@ -166,23 +138,18 @@
 		return "EC software sync error";
 	case VB2_RECOVERY_EC_UNKNOWN_IMAGE:
 		return "EC software sync unable to determine active EC image";
-	case VB2_RECOVERY_DEP_EC_HASH:
-		return "EC software sync error obtaining EC image hash";
 	case VB2_RECOVERY_EC_EXPECTED_IMAGE:
 		return "EC software sync error "
 			"obtaining expected EC image from BIOS";
-	case VB2_RECOVERY_EC_EXPECTED_HASH:
-		return "EC software sync error "
-			"obtaining expected EC hash from BIOS";
-	case VB2_RECOVERY_EC_HASH_MISMATCH:
-		return "EC software sync error "
-			"comparing expected EC hash and image";
 	case VB2_RECOVERY_EC_UPDATE:
 		return "EC software sync error updating EC";
 	case VB2_RECOVERY_EC_JUMP_RW:
 		return "EC software sync unable to jump to EC-RW";
 	case VB2_RECOVERY_EC_PROTECT:
 		return "EC software sync protection error";
+	case VB2_RECOVERY_EC_EXPECTED_HASH:
+		return "EC software sync error "
+			"obtaining expected EC hash from BIOS";
 	case VB2_RECOVERY_SECDATA_FIRMWARE_INIT:
 		return "Firmware secure NVRAM (TPM) initialization error";
 	case VB2_RECOVERY_GBB_HEADER:
@@ -197,22 +164,10 @@
 		return "Error updating AUX firmware";
 	case VB2_RECOVERY_RO_UNSPECIFIED:
 		return "Unspecified/unknown error in RO firmware";
-	case VB2_RECOVERY_RW_DEV_SCREEN:
-		return "User requested recovery from dev-mode warning screen";
-	case VB2_RECOVERY_RW_NO_OS:
-		return "No OS kernel detected (or kernel rollback attempt?)";
 	case VB2_RECOVERY_RW_INVALID_OS:
-		return "OS kernel failed signature check";
-	case VB2_RECOVERY_DEP_RW_TPM_ERROR:
-		return "TPM error in rewritable firmware";
-	case VB2_RECOVERY_RW_DEV_MISMATCH:
-		return "RW firmware in dev mode, but dev switch is off";
+		return "OS kernel or rootfs failed signature check";
 	case VB2_RECOVERY_RW_SHARED_DATA:
 		return "Shared data error in rewritable firmware";
-	case VB2_RECOVERY_RW_TEST_LK:
-		return "Test error from LoadKernel()";
-	case VB2_RECOVERY_DEP_RW_NO_DISK:
-		return "No bootable disk found";
 	case VB2_RECOVERY_TPM_E_FAIL:
 		return "TPM error that was not fixed by reboot";
 	case VB2_RECOVERY_RO_TPM_S_ERROR:
@@ -239,28 +194,24 @@
 		return "No bootable storage device in system";
 	case VB2_RECOVERY_RW_NO_KERNEL:
 		return "No bootable kernel found on disk";
-	case VB2_RECOVERY_RW_BCB_ERROR:
-		return "BCB partition error on disk";
 	case VB2_RECOVERY_SECDATA_KERNEL_INIT:
 		return "Kernel secure NVRAM (TPM) initialization error";
 	case VB2_RECOVERY_RO_TPM_REC_HASH_L_ERROR:
 		return "Recovery hash space lock error in RO firmware";
+	case VB2_RECOVERY_TPM_DISABLE_FAILED:
+		return "Failed to disable TPM before running untrusted code";
+	case VB2_RECOVERY_ALTFW_HASH_FAILED:
+		return "Verification of alternative firmware payload failed";
 	case VB2_RECOVERY_RW_UNSPECIFIED:
 		return "Unspecified/unknown error in RW firmware";
-	case VB2_RECOVERY_KE_DM_VERITY:
-		return "DM-verity error";
-	case VB2_RECOVERY_KE_UNSPECIFIED:
-		return "Unspecified/unknown error in kernel";
 	case VB2_RECOVERY_US_TEST:
 		return "Recovery mode test from user-mode";
-	case VB2_RECOVERY_BCB_USER_MODE:
-		return "User-mode requested recovery via BCB";
 	case VB2_RECOVERY_TRAIN_AND_REBOOT:
 		return "User-mode requested DRAM train and reboot";
 	case VB2_RECOVERY_US_UNSPECIFIED:
 		return "Unspecified/unknown error in user-mode";
 	}
-	return "We have no idea what this means";
+	return "Unknown or deprecated error code";
 }
 
 #define DEBUG_INFO_SIZE 512
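Review bot: The fallback string now covers two different situations, a code that was deliberately retired and a code that was never defined, and nothing in the function says so. A comment above the final return would help whoever triages a recovery screen: `/* Deprecated reasons intentionally have no string; look the number up in 2recovery_reasons.h. */`. Whether the caller also shows the numeric code is not visible here. If it does not, the reader cannot tell a retired 0x42 or 0x81 written by an older component from a corrupted NVRAM value.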
diff --git a/firmware/lib/vboot_kernel.c b/firmware/lib/vboot_kernel.c
index e2075e2..1866116 100644
--- a/firmware/lib/vboot_kernel.c
+++ b/firmware/lib/vboot_kernel.c
@@ -651,7 +651,7 @@
 		retval = VBERROR_INVALID_KERNEL_FOUND;
 	} else {
 		shcall->check_result = VBSD_LKC_CHECK_NO_PARTITIONS;
-		recovery = VB2_RECOVERY_RW_NO_OS;
+		recovery = VB2_RECOVERY_RW_NO_KERNEL;
 		retval = VBERROR_NO_KERNEL_FOUND;
 	}
 
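Review bot: The recovery reason stored for the no-partitions branch changes from 0x42 to 0x5b here, which the commit description (deprecation and string removal only) does not mention. Anything that keys on the numeric reason, such as log decoders or fleet triage rules, will see a different code after this lands, so the description should say so. A short comment at the assignment, e.g. `/* 0x42 (RW_NO_OS) is retired; report 0x5b instead */`, would help later readers. The surrounding function starts and ends outside the hunk.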
diff --git a/firmware/lib/vboot_ui.c b/firmware/lib/vboot_ui.c
index 2b2c08a..a2cdab4 100644
--- a/firmware/lib/vboot_ui.c
+++ b/firmware/lib/vboot_ui.c
@@ -655,13 +655,10 @@
 					vb2_audio_start(ctx);
 				}
 			} else {
-				/*
-				 * No virtual dev-mode switch, so go directly
-				 * to recovery mode.
-				 */
+				/* This should never happen. */
 				VB2_DEBUG("going to recovery\n");
 				vb2_nv_set(ctx, VB2_NV_RECOVERY_REQUEST,
-					   VB2_RECOVERY_RW_DEV_SCREEN);
+					   VB2_RECOVERY_RW_UNSPECIFIED);
 				return VBERROR_LOAD_KERNEL_RECOVERY;
 			}
 			break;
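Review bot: The else branch is now labelled `/* This should never happen. */` but still has to fail safe, and it now does so with the generic 0x7f reason and a debug line that does not identify the path. The only test that reached it is deleted in tests/vboot_api_kernel2_tests.c, so the branch is also untested; a test asserting `VBERROR_LOAD_KERNEL_RECOVERY` and `VB2_RECOVERY_RW_UNSPECIFIED` would guard against it later becoming a fall-through. The comment should say why the branch is unreachable and the log should name the condition, e.g. `VB2_DEBUG("no virtual dev switch; going to recovery\n");`. The condition that selects this branch is outside the hunk.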
diff --git a/host/arch/x86/lib/crossystem_arch.c b/host/arch/x86/lib/crossystem_arch.c
index c745e0b..0f3ea8d 100644
--- a/host/arch/x86/lib/crossystem_arch.c
+++ b/host/arch/x86/lib/crossystem_arch.c
@@ -467,12 +467,10 @@
 			return VB2_RECOVERY_NOT_REQUESTED;
 		case BINF0_RECOVERY_BUTTON:
 			return VB2_RECOVERY_RO_MANUAL;
-		case BINF0_RECOVERY_DEV_SCREEN_KEY:
-			return VB2_RECOVERY_RW_DEV_SCREEN;
 		case BINF0_RECOVERY_RW_FW_BAD:
 			return VB2_RECOVERY_RO_INVALID_RW;
 		case BINF0_RECOVERY_NO_OS:
-			return VB2_RECOVERY_RW_NO_OS;
+			return VB2_RECOVERY_RW_NO_KERNEL;
 		case BINF0_RECOVERY_BAD_OS:
 			return VB2_RECOVERY_RW_INVALID_OS;
 		case BINF0_RECOVERY_OS_INITIATED:
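Review bot: With the `BINF0_RECOVERY_DEV_SCREEN_KEY` case removed, that input now takes whatever path the switch uses for unmatched values, which is outside this hunk. The function translates a value reported by platform firmware, and firmware built before this change can presumably still report it. It is worth confirming that the unmatched path returns a defined recovery reason rather than an error. If the drop is intentional, a one-line comment such as `/* BINF0_RECOVERY_DEV_SCREEN_KEY: retired, handled by the default path */` would record it.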
diff --git a/tests/vboot_api_kernel2_tests.c b/tests/vboot_api_kernel2_tests.c
index a5c5863..3e2ae04 100644
--- a/tests/vboot_api_kernel2_tests.c
+++ b/tests/vboot_api_kernel2_tests.c
@@ -585,15 +585,6 @@
 		VBERROR_SHUTDOWN_REQUESTED,
 		"Shutdown requested by keyboard");
 
-	/* Space goes straight to recovery if no virtual dev switch */
-	ResetMocks();
-	mock_keypress[0] = ' ';
-	TEST_EQ(VbBootDeveloper(&ctx),
-		VBERROR_LOAD_KERNEL_RECOVERY,
-		"Space = recovery");
-	TEST_EQ(vb2_nv_get(&ctx, VB2_NV_RECOVERY_REQUEST),
-		VB2_RECOVERY_RW_DEV_SCREEN, "  recovery reason");
-
 	/* Space asks to disable virtual dev switch */
 	ResetMocks();
 	shared->flags = VBSD_BOOT_DEV_SWITCH_ON;
diff --git a/tests/vboot_kernel_tests.c b/tests/vboot_kernel_tests.c
index c3ccb34..b43d68b 100644
--- a/tests/vboot_kernel_tests.c
+++ b/tests/vboot_kernel_tests.c
@@ -631,7 +631,7 @@
 	mock_parts[0].size = 0;
 	TestLoadKernel(VBERROR_NO_KERNEL_FOUND, "No kernels");
 	TEST_EQ(vb2_nv_get(&ctx, VB2_NV_RECOVERY_REQUEST),
-		VB2_RECOVERY_RW_NO_OS, "  recovery request");
+		VB2_RECOVERY_RW_NO_KERNEL, "  recovery request");
 
 	/* Skip kernels which are too small */
 	ResetMocks();