soc/amd/common/block/gfx: Re-add signature check for vbios cache

Commit c7b8809f155a ("soc/amd/common/block/gfx: Use TPM-stored hash for vbios cache validation") replaced checking the vbios signature (first two bytes) with checking against a TPM-stored hash, but there exists an edge case where the empty cache can be hashed and therefore never updated with the correct vbios data. To mitigate this, re-add the signature check to ensure that an empty cache will never be hashed to TPM. BUG=b:255812886 BRANCH=skyrim TEST=build/boot skyrim w/selective GOP enabled, flash full firmware image, ensure GOP driver is run until cache updated with valid data and hashed to TPM. Change-Id: Id06a8cfaa44d346fb2eece53dcf74ee46f4a5352 Signed-off-by: Matt DeVillier <matt.devillier@amd.corp-partner.google.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/74525 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Jason Glenesk <jason.glenesk@gmail.com> Reviewed-by: Martin Roth <martin.roth@amd.corp-partner.google.com>
2023-04-19 12:13:29 -05:00 · 2023-04-19 12:13:29 -05:00 · b1e1b2ce08
parent 26c571cff9
commit b1e1b2ce08
1 changed files with 4 additions and 2 deletions
--- a/src/soc/amd/common/block/graphics/graphics.c
+++ b/src/soc/amd/common/block/graphics/graphics.c
@ -257,11 +257,13 @@ void vbios_load_from_cache(void)
 /*
 * Return true if VBIOS cache data is valid
 *
- * Compare hash of data with hash stored in TPM NVRAM
+ * Compare first 2 bytes of data with known signature
+ * and hash of data with hash stored in TPM NVRAM
 */
 bool vbios_cache_is_valid(void)
 {
-	return vbios_cache_verify_hash(vbios_data, VBIOS_CACHE_FMAP_SIZE) == CB_SUCCESS;
+	bool sig_valid = vbios_data[0] == 0x55 && vbios_data[1] == 0xaa;
+	return sig_valid && vbios_cache_verify_hash(vbios_data, VBIOS_CACHE_FMAP_SIZE) == CB_SUCCESS;
 }

 BOOT_STATE_INIT_ENTRY(BS_PRE_DEVICE, BS_ON_EXIT, read_vbios_cache_from_fmap, NULL);