libpayload/libcbfs: Add VBOOT_CBFS_INTEGRATION support

If LP_VBOOT_CBFS_INTEGRATION is enabled, then libcbfs will reboot with
vboot failure in non-recovery mode on CBFS file hash mismatch.

BUG=b:197114807
TEST=Build with VBOOT_CBFS_INTEGRATION enabled and boot on
google/ovis4es device

Change-Id: Ic0f62212b7217b384e8c4cbd9535fe4243301f8c
Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/77726
Reviewed-by: Eric Lai <eric_lai@quanta.corp-partner.google.com>
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Jakub Czapiga 2023-09-08 13:23:59 +00:00 committed by Martin L Roth
parent b2163ea84b
commit 34ec32d54b
2 changed files with 11 additions and 1 deletions

@ -90,8 +90,11 @@ static bool cbfs_file_hash_mismatch(const void *buffer, size_t size,
ERROR("'%s' does not have a file hash!\n", mdata->h.filename);
return true;
}
if (vb2_hash_verify(cbfs_hwcrypto_allowed(), buffer, size, hash) != VB2_SUCCESS) {
vb2_error_t rv = vb2_hash_verify(cbfs_hwcrypto_allowed(), buffer, size, hash);
if (rv != VB2_SUCCESS) {
ERROR("'%s' file hash mismatch!\n", mdata->h.filename);
if (CONFIG(LP_VBOOT_CBFS_INTEGRATION) && !vboot_recovery_mode_enabled())
vboot_fail_and_reboot(vboot_get_context(), VB2_RECOVERY_FW_BODY, rv);
return true;
}
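Review bot: the missing-hash branch in the context lines at the top of this hunk (`'%s' does not have a file hash!`) still only returns true, so with LP_VBOOT_CBFS_INTEGRATION enabled a file that carries no hash at all is handled more leniently than one whose hash mismatches. If that asymmetry is intended, say so in a comment next to that branch; otherwise guard it with the same `CONFIG(LP_VBOOT_CBFS_INTEGRATION) && !vboot_recovery_mode_enabled()` check and call vboot_fail_and_reboot() there as well. A short comment on the new call would also help, noting that the `return true` after it is the path taken when the option is off or recovery mode is active.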

@ -9,6 +9,13 @@ config VBOOT_LIB
if VBOOT_LIB
config VBOOT_CBFS_INTEGRATION
bool "Enable vboot and CBFS integration"
default n
depends on CBFS_VERIFICATION
help
Say yes to request reboot on CBFS file hash mismatch in non-recovery mode.
config VBOOT_TPM2_MODE
bool "TPM2 Mode"
default y
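Review bot: the help text for VBOOT_CBFS_INTEGRATION is too thin for an option that changes failure handling from returning an error to rebooting. It should state what happens when the option is off or when recovery mode is active (the mismatch is only reported to the caller), and that the reboot is requested with recovery reason VB2_RECOVERY_FW_BODY, so that someone enabling it knows what to expect on a corrupted CBFS file. As a style point, `default n` can be dropped since a bool without a default is already n.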