soc/amd/common/block/gfx: Re-add signature check for vbios cache

Commit c7b8809f155a ("soc/amd/common/block/gfx: Use TPM-stored hash
for vbios cache validation") replaced checking the vbios signature
(first two bytes) with checking against a TPM-stored hash, but there
exists an edge case where the empty cache can be hashed and therefore
never updated with the correct vbios data. To mitigate this, re-add
the signature check to ensure that an empty cache will never be hashed
to TPM.

BUG=b:255812886

BRANCH=skyrim

TEST=build/boot skyrim w/selective GOP enabled, flash full firmware
image, ensure GOP driver is run until cache updated with valid data
and hashed to TPM.

Change-Id: Id06a8cfaa44d346fb2eece53dcf74ee46f4a5352
Signed-off-by: Matt DeVillier <matt.devillier@amd.corp-partner.google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/74525
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Jason Glenesk <jason.glenesk@gmail.com>
Reviewed-by: Martin Roth <martin.roth@amd.corp-partner.google.com>

src/soc/amd/common/block/graphics/graphics.c

@@ -257,11 +257,13 @@ void vbios_load_from_cache(void)
 /*
  * Return true if VBIOS cache data is valid
  *
- * Compare hash of data with hash stored in TPM NVRAM
+ * Compare first 2 bytes of data with known signature
+ * and hash of data with hash stored in TPM NVRAM
  */
 bool vbios_cache_is_valid(void)
 {
-	return vbios_cache_verify_hash(vbios_data, VBIOS_CACHE_FMAP_SIZE) == CB_SUCCESS;
+	bool sig_valid = vbios_data[0] == 0x55 && vbios_data[1] == 0xaa;
+	return sig_valid && vbios_cache_verify_hash(vbios_data, VBIOS_CACHE_FMAP_SIZE) == CB_SUCCESS;
 }
 
 BOOT_STATE_INIT_ENTRY(BS_PRE_DEVICE, BS_ON_EXIT, read_vbios_cache_from_fmap, NULL);