vboot: Call check_boot_mode before vb2api_fw_phase1

Currently, check_boot_mode is called after vb2api_fw_phase1, which
makes verstage_main exit before reaching check_boot_mode if recovery
mode is manually requested. Thus, recovery mode isn't able to test
whether VB2_CONTEXT_EC_TRUSTED is set or not.

This patch makes verstage_main call check_boot_mode before
vb2api_fw_phase1 to fix the issue.

BUG=b:180927027, b:187871195
BRANCH=none
TEST=build

Change-Id: If8524d1513b13fd79320a116a83f6729a820f61f
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/57623
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>

src/security/vboot/vboot_logic.c

@@ -244,12 +244,7 @@ static void check_boot_mode(struct vb2_context *ctx)
 	default:
 		printk(BIOS_ERR,
 		       "Communication error in getting Cr50 boot mode.\n");
-		if (ctx->flags & VB2_CONTEXT_RECOVERY_MODE)
-			/* Continue to boot in recovery mode */
-			return;
 		vb2api_fail(ctx, VB2_RECOVERY_CR50_BOOT_MODE, rv);
-		vboot_save_data(ctx);
-		vboot_reboot();
 		return;
 	}
 
@@ -321,6 +316,17 @@ void verstage_main(void)
 	if (!CONFIG(VBOOT_MUST_REQUEST_DISPLAY) || CONFIG(VBOOT_ALWAYS_ENABLE_DISPLAY))
 		ctx->flags |= VB2_CONTEXT_DISPLAY_INIT;
 
+	/*
+	 * Get boot mode from GSC. This allows us to refuse to boot OS
+	 * (with VB2_CONTEXT_NO_BOOT) or to switch to developer mode (with
+	 * !VB2_CONTEXT_EC_TRUSTED).
+	 *
+	 * If there is an communication error, a recovery reason will be set and
+	 * vb2api_fw_phase1 will route us to recovery mode.
+	 */
+	if (CONFIG(TPM_CR50))
+		check_boot_mode(ctx);
+
 	/* Do early init (set up secdata and NVRAM, load GBB) */
 	printk(BIOS_INFO, "Phase 1\n");
 	rv = vb2api_fw_phase1(ctx);
@@ -391,9 +397,6 @@ void verstage_main(void)
 		timestamp_add_now(TS_END_TPMPCR);
 	}
 
-	if (CONFIG(TPM_CR50))
-		check_boot_mode(ctx);
-
 	/* Lock TPM */
 
 	timestamp_add_now(TS_START_TPMLOCK);