Diffstat (limited to 'src/security')
-rw-r--r--src/security/vboot/bootmode.c10
-rw-r--r--src/security/vboot/vboot_logic.c3
2 files changed, 13 insertions, 0 deletions
diff --git a/src/security/vboot/bootmode.c b/src/security/vboot/bootmode.c
index 6c051093ea..3c50e4ef83 100644
--- a/src/security/vboot/bootmode.c
+++ b/src/security/vboot/bootmode.c
@@ -57,6 +57,16 @@ int __weak get_recovery_mode_retrain_switch(void)
return 0;
}
+int __weak get_ec_is_trusted(void)
+{
+ /*
+ * If board doesn't override this, by default we always assume EC is in
+ * RW and untrusted. However, newer platforms are supposed to use cr50
+ * BOOT_MODE to report this and won't need to override this anymore.
+ */
+ return 0;
+}
+
#if CONFIG(VBOOT_NO_BOARD_SUPPORT)
/**
* TODO: Create flash protection interface which implements get_write_protect_state.
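Review bot: The comment on the new weak `get_ec_is_trusted()` explains the default but not the contract a board override has to meet, and the value of the flag rests on that contract. A non-zero return becomes `VB2_CONTEXT_EC_TRUSTED` in verstage_main (vboot_logic.c in this commit), so an override should report trusted only from a signal that EC-RW firmware cannot influence. I would extend the comment with the return convention and that requirement, e.g. `Return 0 if the EC may be running RW code, non-zero only if it is known to be in RO; overrides must read this from a source EC-RW cannot drive.` The fail-closed default of 0 is the right choice. The prototype is presumably declared in a header outside this path-limited view.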
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index 10993d3548..ff93d0b764 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -327,6 +327,9 @@ void verstage_main(void)
if (CONFIG(TPM_CR50))
check_boot_mode(ctx);
+ if (get_ec_is_trusted())
+ ctx->flags |= VB2_CONTEXT_EC_TRUSTED;
+
/* Do early init (set up secdata and NVRAM, load GBB) */
printk(BIOS_INFO, "Phase 1\n");
rv = vb2api_fw_phase1(ctx);
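Review bot: The added check can only set `VB2_CONTEXT_EC_TRUSTED`, never clear it, so on a `TPM_CR50` board that also overrides `get_ec_is_trusted()` the flag ends up as the OR of whatever `check_boot_mode(ctx)` did and the board callback. The body of check_boot_mode is not visible here, but the comment in bootmode.c says newer platforms report this state through cr50 BOOT_MODE, so a leftover board override could mark the EC trusted when cr50 did not. If the two sources are meant to be exclusive, guard the call, e.g. `if (!CONFIG(TPM_CR50) && get_ec_is_trusted())`; if combining them is intended, say so in a comment such as `/* Board-reported EC state; cr50 boards report it via check_boot_mode(). */`. verstage_main starts and ends outside the hunk.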