From 850728b8673116b4e9aa679679370a277f082722 Mon Sep 17 00:00:00 2001
From: Daisuke Nojiri
Date: Wed, 12 May 2021 12:50:41 -0700
Subject: [PATCH] vboot: Call check_boot_mode before vb2api_fw_phase1
Currently, check_boot_mode is called after vb2api_fw_phase1, which makes verstage_main exit before reaching check_boot_mode if recovery mode is manually requested. Thus, recovery mode isn't able to test whether VB2_CONTEXT_EC_TRUSTED is set or not. This patch makes verstage_main call check_boot_mode before vb2api_fw_phase1 to fix the issue.
BUG=b:180927027, b:187871195
BRANCH=none
TEST=build
Change-Id: If8524d1513b13fd79320a116a83f6729a820f61f
Signed-off-by: Daisuke Nojiri
Reviewed-on: https://review.coreboot.org/c/coreboot/+/57623
Tested-by: build bot (Jenkins)
Reviewed-by: Julius Werner
---
 src/security/vboot/vboot_logic.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index 5ea49165f2..10993d3548 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -244,12 +244,7 @@ static void check_boot_mode(struct vb2_context *ctx)
 default:
 printk(BIOS_ERR, "Communication error in getting Cr50 boot mode.\n");
- if (ctx->flags & VB2_CONTEXT_RECOVERY_MODE)
- /* Continue to boot in recovery mode */
- return;
 vb2api_fail(ctx, VB2_RECOVERY_CR50_BOOT_MODE, rv);
- vboot_save_data(ctx);
- vboot_reboot();
 return;
 }
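Review bot: The `default:` branch of check_boot_mode() now only records `VB2_RECOVERY_CR50_BOOT_MODE` and returns, so failing closed on a GSC communication error depends entirely on the caller running vb2api_fw_phase1() afterwards. The verstage_main hunk of this same patch establishes that ordering, but nothing at this site says so. I would add a comment above the `vb2api_fail` call such as `/* No reboot here: verstage_main() calls vb2api_fw_phase1() next, which acts on this recovery reason. */`. It would also help to state what the boot-mode flags are left at on this path: presumably neither VB2_CONTEXT_EC_TRUSTED nor VB2_CONTEXT_NO_BOOT gets set, but the rest of the switch lies outside the hunk, so that needs confirming.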
@@ -321,6 +316,17 @@ void verstage_main(void)
 if (!CONFIG(VBOOT_MUST_REQUEST_DISPLAY) || CONFIG(VBOOT_ALWAYS_ENABLE_DISPLAY))
 ctx->flags |= VB2_CONTEXT_DISPLAY_INIT;
+ /*
+ * Get boot mode from GSC. This allows us to refuse to boot OS
+ * (with VB2_CONTEXT_NO_BOOT) or to switch to developer mode (with
+ * !VB2_CONTEXT_EC_TRUSTED).
+ *
+ * If there is an communication error, a recovery reason will be set and
+ * vb2api_fw_phase1 will route us to recovery mode.
+ */
+ if (CONFIG(TPM_CR50))
+ check_boot_mode(ctx);
+
 /* Do early init (set up secdata and NVRAM, load GBB) */
 printk(BIOS_INFO, "Phase 1\n");
 rv = vb2api_fw_phase1(ctx);
@@ -391,9 +397,6 @@ void verstage_main(void)
 timestamp_add_now(TS_END_TPMPCR);
 }
- if (CONFIG(TPM_CR50))
- check_boot_mode(ctx);
-
 /* Lock TPM */
 timestamp_add_now(TS_START_TPMLOCK);
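Review bot: In the first verstage_main hunk, the relocated `check_boot_mode(ctx)` call now queries the GSC before `vb2api_fw_phase1`, so it relies on the TPM/GSC transport already being usable at that point. Whatever sets that up is outside the hunk, so this should be confirmed and stated in the new comment, for example `Requires the TPM/GSC interface to be initialised above.` Otherwise a later reordering could turn every boot into the communication-error path. The comment could also say that on that path the boot-mode flags keep their defaults, if that is indeed the case. Minor wording: `If there is an communication error` should read `If there is a communication error`.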