diff options
| author | Julius Werner <jwerner@chromium.org> | 2022-08-08 18:08:35 -0700 |
|---|---|---|
| committer | Julius Werner <jwerner@chromium.org> | 2022-09-02 23:51:29 +0000 |
| commit | d96ca2465227f29354b41ce2ea7a17f1c5b8f1c1 (patch) | |
| tree | 835f9410585448932b2195bfdb7b4066204411f3 /src/lib | |
| parent | b45b48de739ebaf52584bc23797869028950a535 (diff) | |
cbfs/vboot: Adapt to new vb2_digest API
CL:3825558 changes all vb2_digest and vb2_hash functions to take a new
hwcrypto_allowed argument, to potentially let them try to call the
vb2ex_hwcrypto API for hash calculation. This change will open hardware
crypto acceleration up to all hash calculations in coreboot (most
notably CBFS verification). As part of this change, the
vb2_digest_buffer() function has been removed, so replace existing
instances in coreboot with the newer vb2_hash_calculate() API.
Due to the circular dependency of these changes with vboot, this patch
also needs to update the vboot submodule:
Updating from commit id 18cb85b5:
2load_kernel.c: Expose load kernel as vb2_api
to commit id b827ddb9:
tests: Ensure auxfw sync runs after EC sync
This brings in 15 new commits.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I287d8dac3c49ad7ea3e18a015874ce8d610ec67e
Reviewed-on: https://review.coreboot.org/c/coreboot/+/66561
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Jakub Czapiga <jacz@semihalf.com>
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/cbfs.c | 14 | ||||
| -rw-r--r-- | src/lib/metadata_hash.c | 3 |
2 files changed, 11 insertions, 6 deletions
diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c index e1334f4152..4f2d9caea9 100644 --- a/src/lib/cbfs.c +++ b/src/lib/cbfs.c @@ -12,7 +12,7 @@ #include <list.h> #include <metadata_hash.h> #include <security/tpm/tspi/crtm.h> -#include <security/vboot/vboot_common.h> +#include <security/vboot/misc.h> #include <stdlib.h> #include <string.h> #include <symbols.h> @@ -160,7 +160,7 @@ static bool cbfs_file_hash_mismatch(const void *buffer, size_t size, ERROR("'%s' does not have a file hash!\n", mdata->h.filename); return true; } - if (vb2_hash_verify(buffer, size, hash) != VB2_SUCCESS) { + if (vb2_hash_verify(vboot_hwcrypto_allowed(), buffer, size, hash)) { ERROR("'%s' file hash mismatch!\n", mdata->h.filename); return true; } @@ -171,11 +171,15 @@ static bool cbfs_file_hash_mismatch(const void *buffer, size_t size, /* No need to re-hash file if we already have it from verification. */ if (!hash || hash->algo != TPM_MEASURE_ALGO) { - vb2_hash_calculate(buffer, size, TPM_MEASURE_ALGO, &calculated_hash); - hash = &calculated_hash; + if (vb2_hash_calculate(vboot_hwcrypto_allowed(), buffer, size, + TPM_MEASURE_ALGO, &calculated_hash)) + hash = NULL; + else + hash = &calculated_hash; } - if (tspi_cbfs_measurement(mdata->h.filename, be32toh(mdata->h.type), hash)) + if (!hash || + tspi_cbfs_measurement(mdata->h.filename, be32toh(mdata->h.type), hash)) ERROR("failed to measure '%s' into TCPA log\n", mdata->h.filename); /* We intentionally continue to boot on measurement errors. */ } diff --git a/src/lib/metadata_hash.c b/src/lib/metadata_hash.c index e10f6ffee5..8779b7c032 100644 --- a/src/lib/metadata_hash.c +++ b/src/lib/metadata_hash.c @@ -2,6 +2,7 @@ #include <assert.h> #include <metadata_hash.h> +#include <security/vboot/misc.h> #include <symbols.h> #if !CONFIG(COMPRESS_BOOTBLOCK) || ENV_DECOMPRESSOR @@ -46,5 +47,5 @@ vb2_error_t metadata_hash_verify_fmap(const void *fmap_buffer, size_t fmap_size) struct vb2_hash hash = { .algo = get_anchor()->cbfs_hash.algo }; memcpy(hash.raw, metadata_hash_anchor_fmap_hash(get_anchor()), vb2_digest_size(hash.algo)); - return vb2_hash_verify(fmap_buffer, fmap_size, &hash); + return vb2_hash_verify(vboot_hwcrypto_allowed(), fmap_buffer, fmap_size, &hash); } |