libpayload/vboot: Add vboot context initialization and management code

To fully and easily implement fallback/recovery in libcbfs with vboot support the codebase requires access to vboot context. Moving context management to libpayload allows to avoid unnecessary overhead and code complication and still allows payloads to access it in a way it was designed. Access to this codebase will also allow implementation of e.g. vboot_fail_and_reboot() and other helpful utilities used by coreboot and depthcharge. BUG=b:197114807 TEST=make unit-tests TEST=Build and boot on google/ovis4es with CL:4839296 and VBOOT_CBFS_INTEGRATION enabled Change-Id: Id719be7c4f07251201424b7dc6c1125c6b5756d8 Signed-off-by: Jakub Czapiga <jacz@semihalf.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/77635 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Eric Lai <eric_lai@quanta.corp-partner.google.com> Reviewed-by: Yu-Ping Wu <yupingso@google.com>
2023-09-08 13:17:21 +00:00 · 2023-09-08 13:17:21 +00:00 · f64f3d0048
parent 58c2efc8e2
commit f64f3d0048
5 changed files with 58 additions and 1 deletions
--- a/payloads/libpayload/include/lp_vboot.h
+++ b/payloads/libpayload/include/lp_vboot.h
@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
+
+#ifndef _LP_VBOOT_H_
+#define _LP_VBOOT_H_
+
+#include <vb2_api.h>
+
+struct vb2_context *vboot_get_context(void);
+
+#endif /* _LP_VBOOT_H_ */
--- a/payloads/libpayload/libc/Makefile.inc
+++ b/payloads/libpayload/libc/Makefile.inc
@ -40,6 +40,10 @@ libc-$(CONFIG_LP_LIBC) += coreboot.c
 libc-$(CONFIG_LP_LIBC) += fmap.c
 libc-$(CONFIG_LP_LIBC) += fpmath.c

+ifeq ($(CONFIG_LP_VBOOT_LIB),y)
+libc-$(CONFIG_LP_LIBC) += lp_vboot.c
+endif
+
 ifeq ($(CONFIG_LP_LIBC),y)
 libc-srcs += $(coreboottop)/src/commonlib/bsd/elog.c
 endif
--- a/payloads/libpayload/libc/lp_vboot.c
+++ b/payloads/libpayload/libc/lp_vboot.c
@ -0,0 +1,28 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
+
+#include <libpayload-config.h>
+#include <arch/virtual.h>
+#include <assert.h>
+#include <libpayload.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sysinfo.h>
+#include <vb2_api.h>
+#include <lp_vboot.h>
+
+struct vb2_context *vboot_get_context(void)
+{
+	static struct vb2_context *ctx;
+
+	if (ctx)
+		return ctx;
+
+	die_if(lib_sysinfo.vboot_workbuf == 0, "vboot workbuf pointer is not set\n");
+
+	/* Use the firmware verification workbuf from coreboot. */
+	vb2_error_t rv = vb2api_reinit(phys_to_virt(lib_sysinfo.vboot_workbuf), &ctx);
+
+	die_if(rv, "vboot workbuf could not be initialized, error: %#x\n", rv);
+
+	return ctx;
+}
--- a/payloads/libpayload/libcbfs/cbfs.c
+++ b/payloads/libpayload/libcbfs/cbfs.c
@ -8,6 +8,7 @@
 #include <commonlib/bsd/cbfs_private.h>
 #include <commonlib/bsd/fmap_serialized.h>
 #include <libpayload.h>
+#include <lp_vboot.h>
 #include <lz4.h>
 #include <lzma.h>
 #include <string.h>
@ -232,5 +233,9 @@ void *_cbfs_unverified_area_load(const char *area, const char *name, void *buf,
   policy on using HW crypto. */
 __weak bool cbfs_hwcrypto_allowed(void)
 {
-	return true;
+	/* Avoid compiling vboot calls to prevent linker errors. */
+	if (!CONFIG(LP_CBFS_VERIFICATION))
+		return true;
+
+	return vb2api_hwcrypto_allowed(vboot_get_context());
 }
--- a/payloads/libpayload/tests/libcbfs/cbfs-verification-test.c
+++ b/payloads/libpayload/tests/libcbfs/cbfs-verification-test.c
@ -42,6 +42,16 @@ vb2_error_t vb2_hash_verify(bool allow_hwcrypto, const void *buf, uint32_t size,
 	return VB2_ERROR_SHA_MISMATCH;
 }

+bool vb2api_hwcrypto_allowed(struct vb2_context *ctx)
+{
+	return true;
+}
+
+struct vb2_context *vboot_get_context(void)
+{
+	return NULL;
+}
+
 unsigned long ulzman(const unsigned char *src, unsigned long srcn, unsigned char *dst,
 		     unsigned long dstn)
 {