Diffstat (limited to 'src')
-rw-r--r--src/security/vboot/secdata_mock.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/src/security/vboot/secdata_mock.c b/src/security/vboot/secdata_mock.c
index 78cb3e6063..5792b41633 100644
--- a/src/security/vboot/secdata_mock.c
+++ b/src/security/vboot/secdata_mock.c
@@ -28,7 +28,19 @@ vb2_error_t antirollback_write_space_firmware(struct vb2_context *ctx)
vb2_error_t antirollback_read_space_kernel(struct vb2_context *ctx)
{
- vb2api_secdata_kernel_create(ctx);
+ /*
+ * The new kernel secdata v1 stores the last read EC hash, and reboots the
+ * device during EC software sync when that hash didn't match the currently
+ * active hash on the EC (this is used with TPM_CR50 to support EC-EFS2 and
+ * pretty much a no-op for other devices). Generally, of course the whole
+ * point of secdata is always that it persists across reboots, but with
+ * MOCK_SECDATA we can't do that. Previously we always happened to somewhat
+ * get away with presenting freshly-reinitialized data for MOCK_SECDATA on
+ * every boot, but with the EC hash feature in secdata v1, that would cause
+ * a reboot loop. The simplest solution is to just pretend we're a secdata
+ * v0 device when using MOCK_SECDATA.
+ */
+ vb2api_secdata_kernel_create_v0(ctx);
return VB2_SUCCESS;
}
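Review bot: The new comment in `antirollback_read_space_kernel()` explains why v0 is chosen but not what is given up by choosing it. As the comment itself describes, the last-read EC hash lives in secdata v1, so presenting v0 means the EC hash comparison is never enforced under MOCK_SECDATA, on top of the kernel secdata being recreated on every boot. I would add a closing sentence to the comment, for example `MOCK_SECDATA therefore provides neither persistent rollback state nor the EC hash check and must not be enabled on production firmware.` If the build configuration allows MOCK_SECDATA together with TPM_CR50 (not visible from this hunk), a build-time warning for that combination would be worth considering.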