security/vboot: Limit vboot verification code access to only verstage

Make vboot verification code accessible in only verstage. Vboot verification code in vboot_logic.c is being used in verstage. Due to support function vboot_save_data(), so core functionality in vboot_logic.c is made available in romstage. The patch decouples the support function frm vboot_logic.c to limit itself to verstage. BUG=b:155544643 TEST=Verified on hatch Signed-off-by: Sridhar Siricilla <sridhar.siricilla@intel.com> Change-Id: Id1ede45c4dffe90afcef210eabaa657cf92a9335 Reviewed-on: https://review.coreboot.org/c/coreboot/+/40562 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Furquan Shaikh <furquan@google.com> Reviewed-by: Rizwan Qureshi <rizwan.qureshi@intel.com>
2020-04-20 18:45:22 +05:30 · 2020-04-20 18:45:22 +05:30 · 89ac87a976
parent 7f9c064263
commit 89ac87a976
3 changed files with 27 additions and 23 deletions
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@ -112,16 +112,17 @@ verstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += verstage.c
 ifeq (${CONFIG_VBOOT_MOCK_SECDATA},y)
 verstage-y += secdata_mock.c
 romstage-y += secdata_mock.c
 ramstage-y += secdata_mock.c
 else
 verstage-y += secdata_tpm.c
 romstage-y += secdata_tpm.c
 ramstage-y += secdata_tpm.c
 endif
 ifneq ($(CONFIG_TPM1)$(CONFIG_TPM2),)
 verstage-y += tpm_common.c
 endif
 romstage-y += vboot_logic.c
 romstage-y += common.c
 ramstage-y += common.c
--- a/src/security/vboot/vboot_common.c
+++ b/src/security/vboot/vboot_common.c
@ -12,6 +12,31 @@
 #include <security/vboot/vbnv.h>
 #include <vb2_api.h>
 #include "antirollback.h"
 void vboot_save_data(struct vb2_context *ctx)
 {
 	if (ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED &&
 			(CONFIG(VBOOT_MOCK_SECDATA) || tlcl_lib_init() == VB2_SUCCESS)) {
 		printk(BIOS_INFO, "Saving secdata firmware\n");
 		antirollback_write_space_firmware(ctx);
 		ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED;
 	}
 	if (ctx->flags & VB2_CONTEXT_SECDATA_KERNEL_CHANGED &&
 			(CONFIG(VBOOT_MOCK_SECDATA) || tlcl_lib_init() == VB2_SUCCESS)) {
 		printk(BIOS_INFO, "Saving secdata kernel\n");
 		antirollback_write_space_kernel(ctx);
 		ctx->flags &= ~VB2_CONTEXT_SECDATA_KERNEL_CHANGED;
 	}
 	if (ctx->flags & VB2_CONTEXT_NVDATA_CHANGED) {
 		printk(BIOS_INFO, "Saving nvdata\n");
 		save_vbnv(ctx->nvdata);
 		ctx->flags &= ~VB2_CONTEXT_NVDATA_CHANGED;
 	}
 }
 /* Check if it is okay to enable USB Device Controller (UDC). */
 int vboot_can_enable_udc(void)
 {
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@ -209,28 +209,6 @@ static vb2_error_t hash_body(struct vb2_context *ctx,
 	return VB2_SUCCESS;
 }
 void vboot_save_data(struct vb2_context *ctx)
 {
 	if (ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED &&
 	    (CONFIG(VBOOT_MOCK_SECDATA) || tlcl_lib_init() == VB2_SUCCESS)) {
 		printk(BIOS_INFO, "Saving secdata firmware\n");
 		antirollback_write_space_firmware(ctx);
 		ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED;
 	}
 	if (ctx->flags & VB2_CONTEXT_SECDATA_KERNEL_CHANGED &&
 	    (CONFIG(VBOOT_MOCK_SECDATA) || tlcl_lib_init() == VB2_SUCCESS)) {
 		printk(BIOS_INFO, "Saving secdata kernel\n");
 		antirollback_write_space_kernel(ctx);
 		ctx->flags &= ~VB2_CONTEXT_SECDATA_KERNEL_CHANGED;
 	}
 	if (ctx->flags & VB2_CONTEXT_NVDATA_CHANGED) {
 		printk(BIOS_INFO, "Saving nvdata\n");
 		save_vbnv(ctx->nvdata);
 		ctx->flags &= ~VB2_CONTEXT_NVDATA_CHANGED;
 	}
 }
 static uint32_t extend_pcrs(struct vb2_context *ctx)
 {