From 6260bf712a836762b18d80082505e981e040f4bc Mon Sep 17 00:00:00 2001 From: Hsuan Ting Chen Date: Thu, 12 Aug 2021 15:47:06 +0800 Subject: vboot_logic: Set VB2_CONTEXT_EC_TRUSTED in verstage_main vboot_reference is introducing a new field (ctx) to store the current boot mode in crrev/c/2944250 (ctx->bootmode), which will be leveraged in both vboot flow and elog_add_boot_reason in coreboot. In current steps of deciding bootmode, a function vb2ex_ec_trusted is required. This function checks gpio EC_IN_RW pin and will return 'trusted' only if EC is not in RW. Therefore, we need to implement similar utilities in coreboot. We will deprecate vb2ex_ec_trusted and use the flag, VB2_CONTEXT_EC_TRUSTED, in vboot, vb2api_fw_phase1 and set that flag in coreboot, verstage_main. Also add a help function get_ec_is_trusted which needed to be implemented per mainboard. BUG=b:177196147, b:181931817 BRANCH=none TEST=Test on trogdor if manual recovery works Signed-off-by: Hsuan Ting Chen Change-Id: I479c8f80e45cc524ba87db4293d19b29bdfa2192 Reviewed-on: https://review.coreboot.org/c/coreboot/+/57048 Reviewed-by: Yu-Ping Wu Reviewed-by: Tim Wawrzynczak Tested-by: build bot (Jenkins) --- src/security/vboot/bootmode.c | 10 ++++++++++ src/security/vboot/vboot_logic.c | 3 +++ 2 files changed, 13 insertions(+) (limited to 'src/security') diff --git a/src/security/vboot/bootmode.c b/src/security/vboot/bootmode.c index 6c051093ea..3c50e4ef83 100644 --- a/src/security/vboot/bootmode.c +++ b/src/security/vboot/bootmode.c @@ -57,6 +57,16 @@ int __weak get_recovery_mode_retrain_switch(void) return 0; } +int __weak get_ec_is_trusted(void) +{ + /* + * If board doesn't override this, by default we always assume EC is in + * RW and untrusted. However, newer platforms are supposed to use cr50 + * BOOT_MODE to report this and won't need to override this anymore. + */ + return 0; +} + #if CONFIG(VBOOT_NO_BOARD_SUPPORT) /** * TODO: Create flash protection interface which implements get_write_protect_state. diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c index 10993d3548..ff93d0b764 100644 --- a/src/security/vboot/vboot_logic.c +++ b/src/security/vboot/vboot_logic.c @@ -327,6 +327,9 @@ void verstage_main(void) if (CONFIG(TPM_CR50)) check_boot_mode(ctx); + if (get_ec_is_trusted()) + ctx->flags |= VB2_CONTEXT_EC_TRUSTED; + /* Do early init (set up secdata and NVRAM, load GBB) */ printk(BIOS_INFO, "Phase 1\n"); rv = vb2api_fw_phase1(ctx); -- cgit v1.2.3