soc/amd/common/block/gfx: Re-add signature check for vbios cache

Commit c7b8809f155a ("soc/amd/common/block/gfx: Use TPM-stored hash
for vbios cache validation") replaced checking the vbios signature
(first two bytes) with checking against a TPM-stored hash, but there
exists an edge case where the empty cache can be hashed and therefore
never updated with the correct vbios data. To mitigate this, re-add
the signature check to ensure that an empty cache will never be hashed
to TPM.

BUG=b:255812886

BRANCH=skyrim

TEST=build/boot skyrim w/selective GOP enabled, flash full firmware
image, ensure GOP driver is run until cache updated with valid data
and hashed to TPM.

Change-Id: Id06a8cfaa44d346fb2eece53dcf74ee46f4a5352
Signed-off-by: Matt DeVillier <matt.devillier@amd.corp-partner.google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/74525
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Jason Glenesk <jason.glenesk@gmail.com>
Reviewed-by: Martin Roth <martin.roth@amd.corp-partner.google.com>
Matt DeVillier 2023-04-19 12:13:29 -05:00 committed by Martin Roth
parent 26c571cff9
commit b1e1b2ce08
1 changed files with 4 additions and 2 deletions

@ -257,11 +257,13 @@ void vbios_load_from_cache(void)
/* /*
* Return true if VBIOS cache data is valid * Return true if VBIOS cache data is valid
* *
* Compare hash of data with hash stored in TPM NVRAM * Compare first 2 bytes of data with known signature
* and hash of data with hash stored in TPM NVRAM
*/ */
bool vbios_cache_is_valid(void) bool vbios_cache_is_valid(void)
{ {
return vbios_cache_verify_hash(vbios_data, VBIOS_CACHE_FMAP_SIZE) == CB_SUCCESS; bool sig_valid = vbios_data[0] == 0x55 && vbios_data[1] == 0xaa;
return sig_valid && vbios_cache_verify_hash(vbios_data, VBIOS_CACHE_FMAP_SIZE) == CB_SUCCESS;
} }
BOOT_STATE_INIT_ENTRY(BS_PRE_DEVICE, BS_ON_EXIT, read_vbios_cache_from_fmap, NULL); BOOT_STATE_INIT_ENTRY(BS_PRE_DEVICE, BS_ON_EXIT, read_vbios_cache_from_fmap, NULL);
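
Review bot: The new `sig_valid` line in `vbios_cache_is_valid()` hard-codes the signature bytes as `0x55` and `0xaa`; named constants (or a small helper) would document what the two bytes are and let any other path that needs the same check reuse it. The commit message states the goal as never hashing an empty cache to TPM, while this hunk changes only the validation function, so it is worth confirming, and saying in the comment block, that a `false` return here is what keeps the hash-update path from running on an empty cache. Evaluating the signature before `vbios_cache_verify_hash()` is a good ordering, since the `&&` short-circuits and skips the hash comparison for an empty cache.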