vboot: Clear secdata change flags after factory init

factory_initialize_tpm() calls secdata_xxx_create() (for both firmware
and kernel space) and then immediately writes those spaces out to the
TPM. The create() functions make vboot think it just changed the secdata
(because it reinitialized the byte arrays in the context), so we also
need to clear the VB2_CONTEXT_SECDATA_xxx_CHANGED flags again, otherwise
vboot thinks it still needs to flush the spaces out to the TPM even
though we already did that.

Also clean up some minor related stuff (VB2_CONTEXT_SECDATA_CHANGED
notation is deprecated, and secdata space intialization should use the
same write-and-readback function we use for updates).

Change-Id: I231fadcf7b35a1aec3b39254e7e41c3d456d4911
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/37471
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This commit is contained in:
Julius Werner 2019-12-04 12:50:43 -08:00
parent 1debc0c101
commit 683657e93a
2 changed files with 9 additions and 7 deletions

View file

@ -188,7 +188,7 @@ static uint32_t set_space(const char *name, uint32_t index, const void *data,
if (rv != TPM_SUCCESS) if (rv != TPM_SUCCESS)
return rv; return rv;
return safe_write(index, data, length); return write_secdata(index, data, length);
} }
static uint32_t set_firmware_space(const void *firmware_blob) static uint32_t set_firmware_space(const void *firmware_blob)
@ -398,6 +398,11 @@ static uint32_t factory_initialize_tpm(struct vb2_context *ctx)
if (result != TPM_SUCCESS) if (result != TPM_SUCCESS)
return result; return result;
/* _factory_initialize_tpm() writes initial secdata values to TPM
immediately, so let vboot know that it's up to date now. */
ctx->flags &= ~(VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED |
VB2_CONTEXT_SECDATA_KERNEL_CHANGED);
VBDEBUG("TPM: factory initialization successful\n"); VBDEBUG("TPM: factory initialization successful\n");
return TPM_SUCCESS; return TPM_SUCCESS;
@ -410,14 +415,11 @@ uint32_t antirollback_read_space_firmware(struct vb2_context *ctx)
/* Read the firmware space. */ /* Read the firmware space. */
rv = read_space_firmware(ctx); rv = read_space_firmware(ctx);
if (rv == TPM_E_BADINDEX) { if (rv == TPM_E_BADINDEX) {
/* /* This seems the first time we've run. Initialize the TPM. */
* This seems the first time we've run. Initialize the TPM.
*/
VBDEBUG("TPM: Not initialized yet.\n"); VBDEBUG("TPM: Not initialized yet.\n");
RETURN_ON_FAILURE(factory_initialize_tpm(ctx)); RETURN_ON_FAILURE(factory_initialize_tpm(ctx));
} else if (rv != TPM_SUCCESS) { } else if (rv != TPM_SUCCESS) {
VBDEBUG("TPM: Firmware space in a bad state; giving up.\n"); VBDEBUG("TPM: Firmware space in a bad state; giving up.\n");
//RETURN_ON_FAILURE(factory_initialize_tpm(ctx));
return TPM_E_CORRUPTED_STATE; return TPM_E_CORRUPTED_STATE;
} }

View file

@ -265,10 +265,10 @@ void vboot_save_nvdata_only(struct vb2_context *ctx)
void vboot_save_data(struct vb2_context *ctx) void vboot_save_data(struct vb2_context *ctx)
{ {
if (ctx->flags & VB2_CONTEXT_SECDATA_CHANGED) { if (ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED) {
printk(BIOS_INFO, "Saving secdata\n"); printk(BIOS_INFO, "Saving secdata\n");
antirollback_write_space_firmware(ctx); antirollback_write_space_firmware(ctx);
ctx->flags &= ~VB2_CONTEXT_SECDATA_CHANGED; ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED;
} }
vboot_save_nvdata_only(ctx); vboot_save_nvdata_only(ctx);