From 34ec32d54bcaa5337e067b6d4dd1a12c187240d9 Mon Sep 17 00:00:00 2001 From: Jakub Czapiga Date: Fri, 8 Sep 2023 13:23:59 +0000 Subject: [PATCH] libpayload/libcbfs: Add VBOOT_CBFS_INTEGRATION support If LP_VBOOT_CBFS_INTEGRATION is enabled, then libcbfs will reboot with vboot failure in non-recovery mode on CBFS file hash mismatch. BUg=b:197114807 TEST=Build with VBOOT_CBFS_INTEGRATION enabled and boot on google/ovis4es device Change-Id: Ic0f62212b7217b384e8c4cbd9535fe4243301f8c Signed-off-by: Jakub Czapiga Reviewed-on: https://review.coreboot.org/c/coreboot/+/77726 Reviewed-by: Eric Lai Reviewed-by: Yu-Ping Wu Tested-by: build bot (Jenkins) --- payloads/libpayload/libcbfs/cbfs.c | 5 ++++- payloads/libpayload/vboot/Kconfig | 7 +++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/payloads/libpayload/libcbfs/cbfs.c b/payloads/libpayload/libcbfs/cbfs.c index 08e312a08d..0cee9145df 100644 --- a/payloads/libpayload/libcbfs/cbfs.c +++ b/payloads/libpayload/libcbfs/cbfs.c @@ -90,8 +90,11 @@ static bool cbfs_file_hash_mismatch(const void *buffer, size_t size, ERROR("'%s' does not have a file hash!\n", mdata->h.filename); return true; } - if (vb2_hash_verify(cbfs_hwcrypto_allowed(), buffer, size, hash) != VB2_SUCCESS) { + vb2_error_t rv = vb2_hash_verify(cbfs_hwcrypto_allowed(), buffer, size, hash); + if (rv != VB2_SUCCESS) { ERROR("'%s' file hash mismatch!\n", mdata->h.filename); + if (CONFIG(LP_VBOOT_CBFS_INTEGRATION) && !vboot_recovery_mode_enabled()) + vboot_fail_and_reboot(vboot_get_context(), VB2_RECOVERY_FW_BODY, rv); return true; } diff --git a/payloads/libpayload/vboot/Kconfig b/payloads/libpayload/vboot/Kconfig index 3b02155fc3..25ca35ea19 100644 --- a/payloads/libpayload/vboot/Kconfig +++ b/payloads/libpayload/vboot/Kconfig @@ -9,6 +9,13 @@ config VBOOT_LIB if VBOOT_LIB +config VBOOT_CBFS_INTEGRATION + bool "Enable vboot and CBFS integration" + default n + depends on CBFS_VERIFICATION + help + Say yes to request reboot on CBFS file hash mismatch in non-recovery mode. + config VBOOT_TPM2_MODE bool "TPM2 Mode" default y