vboot: remove secdata TPM backend code
In vboot 2 design, secdata spaces are read/written by the vboot
caller, and not by vboot itself. We still need to maintain a
vb2ex_commit_data callback for edge cases, such as when the vboot
UI prompts the user to reboot.
BUG=b:124141368, chromium:972956
TEST=Build locally, flash and boot eve,
check logs for secdata writes and locks
TEST=make clean && make runtests
BRANCH=none
Change-Id: Ib3b628549185749a290dd65e297f2e19adecbc66
Cq-Depend: chromium:1958012
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1958070
Reviewed-by: Joel Kitching <kitching@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
Tested-by: Joel Kitching <kitching@chromium.org>
diff --git a/Makefile b/Makefile
index c71f5e3..b12029e 100644
--- a/Makefile
+++ b/Makefile
@@ -427,13 +427,9 @@
firmware/lib/tpm2_lite/marshaling.c
endif
-# Support real TPM unless BIOS sets MOCK_TPM
-ifeq (${MOCK_TPM},)
+# Support real TPM unless MOCK_TPM is set
+ifneq (${MOCK_TPM},)
FWLIB_SRCS += \
- firmware/lib/secdata_tpm.c
-else
-FWLIB_SRCS += \
- firmware/lib/mocked_secdata_tpm.c \
firmware/lib/tpm_lite/mocked_tlcl.c
endif
@@ -723,16 +719,12 @@
tests/vboot_kernel_tests \
tests/verify_kernel
-ifeq (${MOCK_TPM},)
-# secdata_tpm_tests and tlcl_tests only work when MOCK_TPM is disabled
-TEST_NAMES += \
- tests/secdata_tpm_tests
-ifeq (${TPM2_MODE},)
+ifeq (${MOCK_TPM}${TPM2_MODE},)
+# tlcl_tests only works when MOCK_TPM is disabled
# TODO(apronin): tests for TPM2 case?
TEST_NAMES += \
tests/tlcl_tests
endif
-endif
TEST_FUTIL_NAMES = \
tests/futility/binary_editor \
@@ -1284,15 +1276,11 @@
.PHONY: runmisctests
runmisctests: test_setup
-ifeq (${MOCK_TPM},)
-# secdata_tpm_tests and tlcl_tests only work when MOCK_TPM is disabled
- ${RUNTEST} ${BUILD_RUN}/tests/secdata_tpm_tests
-ifeq (${TPM2_MODE},)
-# TODO(apronin): tests for TPM2 case?
+ ${RUNTEST} ${BUILD_RUN}/tests/subprocess_tests
+ifeq (${MOCK_TPM}${TPM2_MODE},)
+# tlcl_tests only works when MOCK_TPM is disabled
${RUNTEST} ${BUILD_RUN}/tests/tlcl_tests
endif
-endif
- ${RUNTEST} ${BUILD_RUN}/tests/subprocess_tests
${RUNTEST} ${BUILD_RUN}/tests/utility_string_tests
${RUNTEST} ${BUILD_RUN}/tests/vboot_api_devmode_tests
${RUNTEST} ${BUILD_RUN}/tests/vboot_api_kernel2_tests
diff --git a/firmware/include/vboot_test.h b/firmware/include/vboot_test.h
index a6ed8c0..1f0a662 100644
--- a/firmware/include/vboot_test.h
+++ b/firmware/include/vboot_test.h
@@ -29,11 +29,4 @@
struct LoadKernelParams;
struct LoadKernelParams *VbApiKernelGetParams(void);
-/****************************************************************************
- * secdata_tpm.c */
-
-extern int secdata_kernel_locked;
-uint32_t tlcl_clear_and_reenable(void);
-uint32_t tlcl_safe_write(uint32_t index, const void *data, uint32_t length);
-
#endif /* VBOOT_REFERENCE_TEST_API_H_ */
diff --git a/firmware/lib/include/secdata_tpm.h b/firmware/lib/include/secdata_tpm.h
deleted file mode 100644
index 3cf1ae7..0000000
--- a/firmware/lib/include/secdata_tpm.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- *
- * Functions for querying, manipulating and locking secure data spaces
- * stored in the TPM NVRAM.
- */
-
-#ifndef VBOOT_REFERENCE_SECDATA_TPM_H_
-#define VBOOT_REFERENCE_SECDATA_TPM_H_
-
-#include "2api.h"
-
-/* TPM NVRAM location indices. */
-#define FIRMWARE_NV_INDEX 0x1007
-#define KERNEL_NV_INDEX 0x1008
-/* BACKUP_NV_INDEX (size 16) used to live at 0x1009; now deprecated */
-#define FWMP_NV_INDEX 0x100a
-#define REC_HASH_NV_INDEX 0x100b
-#define REC_HASH_NV_SIZE VB2_SHA256_DIGEST_SIZE
-/* Space to hold a temporary SHA256 digest of a public key for USB autoconfig;
- * see crbug.com/845589. */
-#define OOBE_USB_AUTOCONFIG_KEY_DIGEST_NV_INDEX 0x100c
-#define OOBE_USB_AUTOCONFIG_KEY_DIGEST_NV_SIZE VB2_SHA256_DIGEST_SIZE
-
-/* All functions return TPM_SUCCESS (zero) if successful, non-zero if error */
-uint32_t secdata_firmware_write(struct vb2_context *ctx);
-uint32_t secdata_kernel_read(struct vb2_context *ctx);
-uint32_t secdata_kernel_write(struct vb2_context *ctx);
-uint32_t secdata_kernel_lock(struct vb2_context *ctx);
-uint32_t secdata_fwmp_read(struct vb2_context *ctx);
-
-#endif /* VBOOT_REFERENCE_SECDATA_TPM_H_ */
diff --git a/firmware/lib/include/vboot_kernel.h b/firmware/lib/include/vboot_kernel.h
index 5337d0a..4754f6d 100644
--- a/firmware/lib/include/vboot_kernel.h
+++ b/firmware/lib/include/vboot_kernel.h
@@ -84,17 +84,6 @@
void vb2_init_ui(void);
/**
- * Locks secdata_kernel.
- *
- * Should be used right before attempting to leave vboot (by booting
- * an OS or chainloading to another firmware).
- *
- * @param ctx Vboot context
- * @returns VB2_SUCCESS, or non-zero error code.
- */
-vb2_error_t vb2_secdata_kernel_lock(struct vb2_context *ctx);
-
-/**
* Writes modified secdata spaces and nvdata.
*
* This is a temporary wrapper around vb2ex_commit_data, until secdata-writing
diff --git a/firmware/lib/mocked_secdata_tpm.c b/firmware/lib/mocked_secdata_tpm.c
deleted file mode 100644
index 373c494..0000000
--- a/firmware/lib/mocked_secdata_tpm.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- *
- * Functions for querying, manipulating and locking secure data spaces
- * stored in the TPM NVRAM (mock versions).
- */
-
-#include "2api.h"
-#include "2secdata.h"
-#include "secdata_tpm.h"
-#include "tss_constants.h"
-
-int secdata_kernel_locked = 0;
-
-uint32_t secdata_firmware_write(struct vb2_context *ctx)
-{
- ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED;
- return TPM_SUCCESS;
-}
-
-uint32_t secdata_kernel_read(struct vb2_context *ctx)
-{
- vb2api_secdata_kernel_create(ctx);
- return TPM_SUCCESS;
-}
-
-uint32_t secdata_kernel_write(struct vb2_context *ctx)
-{
- ctx->flags &= ~VB2_CONTEXT_SECDATA_KERNEL_CHANGED;
- return TPM_SUCCESS;
-}
-
-uint32_t secdata_kernel_lock(struct vb2_context *ctx)
-{
- secdata_kernel_locked = 1;
- return TPM_SUCCESS;
-}
-
-uint32_t secdata_fwmp_read(struct vb2_context *ctx)
-{
- ctx->flags |= VB2_CONTEXT_NO_SECDATA_FWMP;
- return TPM_SUCCESS;
-}
diff --git a/firmware/lib/secdata_tpm.c b/firmware/lib/secdata_tpm.c
deleted file mode 100644
index b8f3522..0000000
--- a/firmware/lib/secdata_tpm.c
+++ /dev/null
@@ -1,189 +0,0 @@
-/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- *
- * Functions for querying, manipulating and locking secure data spaces
- * stored in the TPM NVRAM.
- */
-
-#include "2api.h"
-#include "2common.h"
-#include "secdata_tpm.h"
-#include "tlcl.h"
-#include "tss_constants.h"
-#include "vboot_test.h"
-
-#define RETURN_ON_FAILURE(tpm_command) do { \
- uint32_t result_; \
- if ((result_ = (tpm_command)) != TPM_SUCCESS) { \
- VB2_DEBUG("TPM: %#x returned by " #tpm_command \
- "\n", (int)result_); \
- return result_; \
- } \
- } while (0)
-
-#define PRINT_BYTES(title, value) do { \
- int i; \
- VB2_DEBUG(title); \
- VB2_DEBUG_RAW(":"); \
- for (i = 0; i < sizeof(*(value)); i++) \
- VB2_DEBUG_RAW(" %02x", *((uint8_t *)(value) + i)); \
- VB2_DEBUG_RAW("\n"); \
- } while (0)
-
-/* Keeps track of whether the kernel space has already been locked or not. */
-int secdata_kernel_locked = 0;
-
-/**
- * Issue a TPM_Clear and reenable/reactivate the TPM.
- */
-uint32_t tlcl_clear_and_reenable(void)
-{
- VB2_DEBUG("TPM: clear_and_reenable\n");
- RETURN_ON_FAILURE(TlclForceClear());
- RETURN_ON_FAILURE(TlclSetEnable());
- RETURN_ON_FAILURE(TlclSetDeactivated(0));
-
- return TPM_SUCCESS;
-}
-
-/**
- * Like TlclWrite(), but checks for write errors due to hitting the 64-write
- * limit and clears the TPM when that happens. This can only happen when the
- * TPM is unowned, so it is OK to clear it (and we really have no choice).
- * This is not expected to happen frequently, but it could happen.
- */
-uint32_t tlcl_safe_write(uint32_t index, const void *data, uint32_t length)
-{
- uint32_t result = TlclWrite(index, data, length);
- if (result == TPM_E_MAXNVWRITES) {
- RETURN_ON_FAILURE(tlcl_clear_and_reenable());
- return TlclWrite(index, data, length);
- } else {
- return result;
- }
-}
-
-/* Functions to read and write firmware and kernel spaces. */
-
-uint32_t secdata_firmware_write(struct vb2_context *ctx)
-{
- if (!(ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED)) {
- VB2_DEBUG("TPM: secdata_firmware unchanged\n");
- return TPM_SUCCESS;
- }
-
- if (!(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) {
- VB2_DEBUG("Error: secdata_firmware modified "
- "in non-recovery mode?\n");
- return TPM_E_AREA_LOCKED;
- }
-
- PRINT_BYTES("TPM: write secdata_firmware", &ctx->secdata_firmware);
- RETURN_ON_FAILURE(tlcl_safe_write(FIRMWARE_NV_INDEX,
- ctx->secdata_firmware,
- VB2_SECDATA_FIRMWARE_SIZE));
-
- ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED;
- return TPM_SUCCESS;
-}
-
-uint32_t secdata_kernel_read(struct vb2_context *ctx)
-{
-#ifndef TPM2_MODE
- /*
- * Before reading the kernel space, verify its permissions. If the
- * kernel space has the wrong permission, we give up. This will need
- * to be fixed by the recovery kernel. We will have to worry about
- * this because at any time (even with PP turned off) the TPM owner can
- * remove and redefine a PP-protected space (but not write to it).
- */
- uint32_t perms;
-
- RETURN_ON_FAILURE(TlclGetPermissions(KERNEL_NV_INDEX, &perms));
- if (perms != TPM_NV_PER_PPWRITE) {
- VB2_DEBUG("TPM: invalid secdata_kernel permissions: %#x\n",
- perms);
- return TPM_E_CORRUPTED_STATE;
- }
-#endif
-
- RETURN_ON_FAILURE(TlclRead(KERNEL_NV_INDEX, ctx->secdata_kernel,
- VB2_SECDATA_KERNEL_SIZE));
-
- PRINT_BYTES("TPM: read secdata_kernel", &ctx->secdata_kernel);
-
- if (vb2api_secdata_kernel_check(ctx)) {
- VB2_DEBUG("TPM: secdata_kernel invalid (corrupted?)\n");
- return TPM_E_CORRUPTED_STATE;
- }
-
- return TPM_SUCCESS;
-}
-
-uint32_t secdata_kernel_write(struct vb2_context *ctx)
-{
- if (!(ctx->flags & VB2_CONTEXT_SECDATA_KERNEL_CHANGED)) {
- VB2_DEBUG("TPM: secdata_kernel unchanged\n");
- return TPM_SUCCESS;
- }
-
- PRINT_BYTES("TPM: write secdata_kernel", &ctx->secdata_kernel);
-
- RETURN_ON_FAILURE(tlcl_safe_write(KERNEL_NV_INDEX, ctx->secdata_kernel,
- VB2_SECDATA_KERNEL_SIZE));
-
- ctx->flags &= ~VB2_CONTEXT_SECDATA_KERNEL_CHANGED;
- return TPM_SUCCESS;
-}
-
-uint32_t secdata_kernel_lock(struct vb2_context *ctx)
-{
- /* Skip if already locked */
- if (secdata_kernel_locked) {
- VB2_DEBUG("TPM: secdata_kernel already locked; skipping\n");
- return TPM_SUCCESS;
- }
-
- RETURN_ON_FAILURE(TlclLockPhysicalPresence());
-
- VB2_DEBUG("TPM: secdata_kernel locked\n");
- secdata_kernel_locked = 1;
- return TPM_SUCCESS;
-}
-
-uint32_t secdata_fwmp_read(struct vb2_context *ctx)
-{
- vb2_error_t rv;
- uint8_t size = VB2_SECDATA_FWMP_MIN_SIZE;
- uint32_t r;
-
- /* Try to read entire 1.0 struct */
- r = TlclRead(FWMP_NV_INDEX, ctx->secdata_fwmp, size);
- if (TPM_E_BADINDEX == r) {
- /* Missing space is not an error; tell vboot */
- VB2_DEBUG("TPM: no secdata_fwmp space\n");
- ctx->flags |= VB2_CONTEXT_NO_SECDATA_FWMP;
- return TPM_SUCCESS;
- } else if (TPM_SUCCESS != r) {
- VB2_DEBUG("TPM: read secdata_fwmp returned %#x\n", r);
- return r;
- }
-
- /* Re-read more data if necessary */
- rv = vb2api_secdata_fwmp_check(ctx, &size);
- if (rv == VB2_SUCCESS)
- return VB2_SUCCESS;
-
- if (rv == VB2_ERROR_SECDATA_FWMP_INCOMPLETE) {
- RETURN_ON_FAILURE(TlclRead(FWMP_NV_INDEX, ctx->secdata_fwmp,
- size));
-
- /* Check one more time */
- if (vb2api_secdata_fwmp_check(ctx, &size) == VB2_SUCCESS)
- return VB2_SUCCESS;
- }
-
- VB2_DEBUG("TPM: secdata_fwmp invalid (corrupted?)\n");
- return TPM_E_CORRUPTED_STATE;
-}
diff --git a/firmware/lib/vboot_api_kernel.c b/firmware/lib/vboot_api_kernel.c
index 3416a6f..ef9cd4d 100644
--- a/firmware/lib/vboot_api_kernel.c
+++ b/firmware/lib/vboot_api_kernel.c
@@ -13,7 +13,6 @@
#include "2secdata.h"
#include "2sysincludes.h"
#include "load_kernel_fw.h"
-#include "secdata_tpm.h"
#include "utility.h"
#include "vb2_common.h"
#include "vboot_api.h"
@@ -228,7 +227,6 @@
VbSelectAndLoadKernelParams *kparams)
{
struct vb2_shared_data *sd = vb2_get_sd(ctx);
- uint32_t tpm_rv;
vb2_error_t rv;
/* Set selected boot mode in context object.
@@ -291,24 +289,6 @@
memset(kparams->partition_guid, 0, sizeof(kparams->partition_guid));
/*
- * Read secdata_kernel and secdata_fwmp spaces. No need to read
- * secdata_firmware, since it was already read during firmware
- * verification. Ignore errors in recovery mode.
- */
- tpm_rv = secdata_kernel_read(ctx);
- if (tpm_rv && !(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) {
- VB2_DEBUG("TPM: read secdata_kernel returned %#x\n", tpm_rv);
- vb2api_fail(ctx, VB2_RECOVERY_RW_TPM_R_ERROR, tpm_rv);
- return VB2_ERROR_SECDATA_KERNEL_READ;
- }
- tpm_rv = secdata_fwmp_read(ctx);
- if (tpm_rv && !(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) {
- VB2_DEBUG("TPM: read secdata_fwmp returned %#x\n", tpm_rv);
- vb2api_fail(ctx, VB2_RECOVERY_RW_TPM_R_ERROR, tpm_rv);
- return VB2_ERROR_SECDATA_FWMP_READ;
- }
-
- /*
* Init secdata_kernel and secdata_fwmp spaces. No need to init
* secdata_firmware, since it was already read during firmware
* verification. Ignore errors in recovery mode.
@@ -349,78 +329,48 @@
sizeof(kparams->partition_guid));
}
-vb2_error_t vb2_secdata_kernel_lock(struct vb2_context *ctx)
-{
- uint32_t tpm_rv;
-
- /* Skip if in recovery mode. */
- if (ctx->flags & VB2_CONTEXT_RECOVERY_MODE)
- return VB2_SUCCESS;
-
- tpm_rv = secdata_kernel_lock(ctx);
- if (tpm_rv) {
- VB2_DEBUG("TPM: lock secdata_kernel returned %#x\n", tpm_rv);
- vb2api_fail(ctx, VB2_RECOVERY_RW_TPM_L_ERROR, tpm_rv);
- return VB2_ERROR_SECDATA_KERNEL_LOCK;
- }
-
- return VB2_SUCCESS;
-}
-
vb2_error_t vb2_commit_data(struct vb2_context *ctx)
{
- vb2_error_t call_rv;
- vb2_error_t rv = VB2_SUCCESS;
- uint32_t tpm_rv;
+ vb2_error_t rv = vb2ex_commit_data(ctx);
- /* Write secdata spaces. vboot never writes back to secdata_fwmp. */
- tpm_rv = secdata_firmware_write(ctx);
- if (tpm_rv && !(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) {
- VB2_DEBUG("TPM: write secdata_firmware returned %#x\n", tpm_rv);
- vb2api_fail(ctx, VB2_RECOVERY_RW_TPM_W_ERROR, tpm_rv);
- rv = VB2_ERROR_SECDATA_FIRMWARE_WRITE;
- }
-
- tpm_rv = secdata_kernel_write(ctx);
- if (tpm_rv && !(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) {
- VB2_DEBUG("TPM: write secdata_kernel returned %#x\n", tpm_rv);
- vb2api_fail(ctx, VB2_RECOVERY_RW_TPM_W_ERROR, tpm_rv);
- if (rv == VB2_SUCCESS)
- rv = VB2_ERROR_SECDATA_KERNEL_WRITE;
- }
-
- /* Always try to write nvdata, since it may have been changed by
- setting a recovery reason above. */
-
- /* TODO(chromium:972956, chromium:1006689): Currently only commits
- nvdata, but should eventually also commit secdata. */
- call_rv = vb2ex_commit_data(ctx);
- switch (call_rv) {
- case VB2_ERROR_NV_WRITE:
- /* Don't bother with vb2api_fail since we can't write
- nvdata anyways. */
- if (ctx->flags & VB2_CONTEXT_RECOVERY_MODE) {
- VB2_DEBUG("write nvdata failed\n");
- if (rv == VB2_SUCCESS)
- rv = call_rv;
- } else {
- /* Impossible to enter recovery mode */
- VB2_DIE("write nvdata failed\n");
- }
- break;
-
+ switch (rv) {
case VB2_SUCCESS:
break;
+ case VB2_ERROR_SECDATA_FIRMWARE_WRITE:
+ if (!(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) {
+ vb2api_fail(ctx, VB2_RECOVERY_RW_TPM_W_ERROR, rv);
+ /* Run again to set recovery reason in nvdata. */
+ vb2ex_commit_data(ctx);
+ return rv;
+ }
+ break;
+
+ case VB2_ERROR_SECDATA_KERNEL_WRITE:
+ if (!(ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) {
+ vb2api_fail(ctx, VB2_RECOVERY_RW_TPM_W_ERROR, rv);
+ /* Run again to set recovery reason in nvdata. */
+ vb2ex_commit_data(ctx);
+ return rv;
+ }
+ break;
+
default:
- VB2_DEBUG("unknown commit error: %#x\n", call_rv);
- if (!(ctx->flags & VB2_CONTEXT_RECOVERY_MODE) &&
- rv == VB2_SUCCESS)
- rv = call_rv;
+ VB2_DEBUG("unknown commit error: %#x\n", rv);
+ VBOOT_FALLTHROUGH;
+
+ case VB2_ERROR_NV_WRITE:
+ if (!(ctx->flags & VB2_CONTEXT_RECOVERY_MODE))
+ /*
+ * We can't write to nvdata, so it's impossible to
+ * trigger recovery mode. Skip calling vb2api_fail
+ * and just die.
+ */
+ VB2_DIE("write nvdata failed\n");
break;
}
- return rv;
+ return VB2_SUCCESS;
}
vb2_error_t VbSelectAndLoadKernel(struct vb2_context *ctx,
@@ -498,11 +448,6 @@
if (rv == VB2_SUCCESS)
rv = call_rv;
- /* Lock secdata_kernel, but retain any previous errors */
- call_rv = vb2_secdata_kernel_lock(ctx);
- if (rv == VB2_SUCCESS)
- rv = call_rv;
-
/* Pass through return value from boot path */
VB2_DEBUG("Returning %#x\n", rv);
return rv;
diff --git a/firmware/lib/vboot_kernel.c b/firmware/lib/vboot_kernel.c
index 4fc4d34..7821c41 100644
--- a/firmware/lib/vboot_kernel.c
+++ b/firmware/lib/vboot_kernel.c
@@ -17,7 +17,6 @@
#include "cgptlib_internal.h"
#include "gpt_misc.h"
#include "load_kernel_fw.h"
-#include "secdata_tpm.h"
#include "utility.h"
#include "vb2_common.h"
#include "vboot_api.h"
diff --git a/firmware/lib/vboot_ui.c b/firmware/lib/vboot_ui.c
index 2c99884..55b09e9 100644
--- a/firmware/lib/vboot_ui.c
+++ b/firmware/lib/vboot_ui.c
@@ -12,7 +12,6 @@
#include "2secdata.h"
#include "2sysincludes.h"
#include "load_kernel_fw.h"
-#include "secdata_tpm.h"
#include "tlcl.h"
#include "utility.h"
#include "vb2_common.h"
@@ -468,16 +467,7 @@
if (action_confirmed) {
VB2_DEBUG("Diagnostic requested, running\n");
- /*
- * The following helps avoid use of the TPM after
- * it's disabled (e.g., when vb2_try_altfw() calls
- * secdata_kernel_lock() ).
- */
-
- if (secdata_kernel_lock(ctx)) {
- VB2_DEBUG("Failed to lock TPM PP\n");
- vb2api_fail(ctx, VB2_RECOVERY_TPM_DISABLE_FAILED, 0);
- } else if (vb2ex_tpm_set_mode(VB2_TPM_MODE_DISABLED) !=
+ if (vb2ex_tpm_set_mode(VB2_TPM_MODE_DISABLED) !=
VB2_SUCCESS) {
VB2_DEBUG("Failed to disable TPM\n");
vb2api_fail(ctx, VB2_RECOVERY_TPM_DISABLE_FAILED, 0);
diff --git a/firmware/lib/vboot_ui_common.c b/firmware/lib/vboot_ui_common.c
index 5bd0500..49e20fd 100644
--- a/firmware/lib/vboot_ui_common.c
+++ b/firmware/lib/vboot_ui_common.c
@@ -7,7 +7,6 @@
#include "2common.h"
#include "2sysincludes.h"
-#include "secdata_tpm.h"
#include "vboot_api.h"
#include "vboot_kernel.h"
#include "vboot_ui_common.h"
@@ -73,12 +72,6 @@
return;
}
- if (secdata_kernel_lock(ctx)) {
- vb2_error_notify("Error locking kernel versions on legacy "
- "boot.\n", NULL, VB_BEEP_FAILED);
- return;
- }
-
/* Will not return if successful */
VbExLegacy(altfw_num);
diff --git a/firmware/lib/vboot_ui_menu.c b/firmware/lib/vboot_ui_menu.c
index 31ab3c1..d090fc0 100644
--- a/firmware/lib/vboot_ui_menu.c
+++ b/firmware/lib/vboot_ui_menu.c
@@ -12,7 +12,6 @@
#include "2secdata.h"
#include "2sysincludes.h"
#include "load_kernel_fw.h"
-#include "secdata_tpm.h"
#include "utility.h"
#include "vb2_common.h"
#include "vboot_api.h"
diff --git a/firmware/stub/vboot_api_stub_init.c b/firmware/stub/vboot_api_stub_init.c
index d533325..4688a7e 100644
--- a/firmware/stub/vboot_api_stub_init.c
+++ b/firmware/stub/vboot_api_stub_init.c
@@ -5,12 +5,9 @@
* Stub implementations of firmware-provided API functions.
*/
-
#include <stdarg.h>
#include <stdint.h>
-#include <stdio.h>
#include <stdlib.h>
-#include <string.h>
#include <sys/time.h>
#include "2common.h"
@@ -25,6 +22,8 @@
vb2_error_t vb2ex_commit_data(struct vb2_context *ctx)
{
+ ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED;
+ ctx->flags &= ~VB2_CONTEXT_SECDATA_KERNEL_CHANGED;
ctx->flags &= ~VB2_CONTEXT_NVDATA_CHANGED;
return VB2_SUCCESS;
}
diff --git a/tests/secdata_tpm_tests.c b/tests/secdata_tpm_tests.c
deleted file mode 100644
index 32285de..0000000
--- a/tests/secdata_tpm_tests.c
+++ /dev/null
@@ -1,587 +0,0 @@
-/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- *
- * Tests for TPM secure data space functions
- */
-
-#include "2api.h"
-#include "2secdata.h"
-#include "secdata_tpm.h"
-#include "test_common.h"
-#include "tlcl.h"
-#include "tss_constants.h"
-#include "vboot_test.h"
-
-/*
- * Buffer to hold accumulated list of calls to mocked Tlcl functions.
- * Each function appends itself to the buffer and updates mock_cnext.
- *
- * Size of mock_calls[] should be big enough to handle all expected
- * call sequences; 16KB should be plenty since none of the sequences
- * below is more than a few hundred bytes. We could be more clever
- * and use snprintf() with length checking below, at the expense of
- * making all the mock implementations bigger. If this were code used
- * outside of unit tests we'd want to do that, but here if we did
- * overrun the buffer the worst that's likely to happen is we'll crash
- * the test, and crash = failure anyway.
- */
-static char mock_calls[16384];
-static char *mock_cnext = mock_calls;
-
-/*
- * Variables to support mocked error values from Tlcl functions. Each
- * call, mock_count is incremented. If mock_count==fail_at_count, return
- * fail_with_error instead of the normal return value.
- */
-static int mock_count = 0;
-static int fail_at_count = 0;
-static uint32_t fail_with_error = TPM_SUCCESS;
-static int mock_bad_crc = 0;
-
-/* Params / backing store for mocked Tlcl functions. */
-static TPM_PERMANENT_FLAGS mock_pflags;
-static uint8_t mock_rsf[VB2_SECDATA_FIRMWARE_SIZE];
-static uint8_t mock_rsk[VB2_SECDATA_KERNEL_SIZE];
-static uint8_t mock_fwmp[VB2_SECDATA_FWMP_MAX_SIZE];
-static uint32_t mock_fwmp_real_size;
-static uint32_t mock_permissions;
-
-static uint8_t workbuf[VB2_FIRMWARE_WORKBUF_RECOMMENDED_SIZE]
- __attribute__ ((aligned (VB2_WORKBUF_ALIGN)));
-static struct vb2_context *ctx;
-
-/* Reset the variables for the Tlcl mock functions. */
-static void reset_common_data(int fail_on_call, uint32_t fail_with_err)
-{
- *mock_calls = 0;
- mock_cnext = mock_calls;
- mock_count = 0;
- fail_at_count = fail_on_call;
- fail_with_error = fail_with_err;
- mock_bad_crc = 0;
-
- memset(&mock_pflags, 0, sizeof(mock_pflags));
-
- /* Use value other than 0 for memcmp() checks */
- memset(&mock_rsf, 0xa6, sizeof(mock_rsf));
- memset(&mock_rsk, 0xa7, sizeof(mock_rsk));
- memset(&mock_fwmp, 0xa8, sizeof(mock_fwmp));
-
- mock_fwmp_real_size = VB2_SECDATA_FWMP_MIN_SIZE;
-
- /* Note: only used when TPM2_MODE is disabled. */
-#ifndef TPM2_MODE
- mock_permissions = TPM_NV_PER_PPWRITE;
-#else
- mock_permissions = 0;
-#endif
-
- secdata_kernel_locked = 0;
-
- TEST_SUCC(vb2api_init(workbuf, sizeof(workbuf), &ctx),
- "vb2api_init failed");
-
- ctx->flags |= VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED;
- ctx->flags |= VB2_CONTEXT_SECDATA_KERNEL_CHANGED;
- ctx->flags |= VB2_CONTEXT_RECOVERY_MODE;
-}
-
-/* Mock functions */
-
-vb2_error_t vb2api_secdata_firmware_check(struct vb2_context *c)
-{
- if (mock_bad_crc)
- return VB2_ERROR_SECDATA_FIRMWARE_CRC;
-
- return VB2_SUCCESS;
-}
-
-vb2_error_t vb2api_secdata_kernel_check(struct vb2_context *c)
-{
- if (mock_bad_crc)
- return VB2_ERROR_SECDATA_FIRMWARE_CRC;
-
- return VB2_SUCCESS;
-}
-
-vb2_error_t vb2api_secdata_fwmp_check(struct vb2_context *c, uint8_t *size)
-{
- if (*size < mock_fwmp_real_size) {
- *size = mock_fwmp_real_size;
- return VB2_ERROR_SECDATA_FWMP_INCOMPLETE;
- }
-
- if (mock_bad_crc)
- return VB2_ERROR_SECDATA_FIRMWARE_CRC;
-
- return VB2_SUCCESS;
-}
-
-/****************************************************************************/
-/* Mocks for tlcl functions which log the calls made to mock_calls[]. */
-
-uint32_t TlclLibInit(void)
-{
- mock_cnext += sprintf(mock_cnext, "TlclLibInit()\n");
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclStartup(void)
-{
- mock_cnext += sprintf(mock_cnext, "TlclStartup()\n");
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclResume(void)
-{
- mock_cnext += sprintf(mock_cnext, "TlclResume()\n");
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclForceClear(void)
-{
- mock_cnext += sprintf(mock_cnext, "TlclForceClear()\n");
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclSetEnable(void)
-{
- mock_cnext += sprintf(mock_cnext, "TlclSetEnable()\n");
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclSetDeactivated(uint8_t flag)
-{
- mock_cnext += sprintf(mock_cnext, "TlclSetDeactivated(%d)\n", flag);
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclRead(uint32_t index, void* data, uint32_t length)
-{
- mock_cnext += sprintf(mock_cnext, "TlclRead(%#x, %d)\n",
- index, length);
-
- if (FIRMWARE_NV_INDEX == index) {
- TEST_EQ(length, sizeof(mock_rsf), "TlclRead rsf size");
- memcpy(data, &mock_rsf, length);
- } else if (KERNEL_NV_INDEX == index) {
- TEST_EQ(length, sizeof(mock_rsk), "TlclRead rsk size");
- memcpy(data, &mock_rsk, length);
- } else if (FWMP_NV_INDEX == index) {
- memset(data, 0, length);
- if (length > sizeof(mock_fwmp))
- length = sizeof(mock_fwmp);
- memcpy(data, &mock_fwmp, length);
- } else {
- memset(data, 0, length);
- }
-
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclWrite(uint32_t index, const void *data, uint32_t length)
-{
- mock_cnext += sprintf(mock_cnext, "TlclWrite(%#x, %d)\n",
- index, length);
-
- if (FIRMWARE_NV_INDEX == index) {
- TEST_EQ(length, sizeof(mock_rsf), "TlclWrite rsf size");
- memcpy(&mock_rsf, data, length);
- } else if (KERNEL_NV_INDEX == index) {
- TEST_EQ(length, sizeof(mock_rsk), "TlclWrite rsk size");
- memcpy(&mock_rsk, data, length);
- }
-
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclDefineSpace(uint32_t index, uint32_t perm, uint32_t size)
-{
- mock_cnext += sprintf(mock_cnext, "TlclDefineSpace(%#x, %#x, %d)\n",
- index, perm, size);
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclSelfTestFull(void)
-{
- mock_cnext += sprintf(mock_cnext, "TlclSelfTestFull()\n");
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclContinueSelfTest(void)
-{
- mock_cnext += sprintf(mock_cnext, "TlclContinueSelfTest()\n");
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclGetPermanentFlags(TPM_PERMANENT_FLAGS *pflags)
-{
- mock_cnext += sprintf(mock_cnext, "TlclGetPermanentFlags()\n");
- memcpy(pflags, &mock_pflags, sizeof(mock_pflags));
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-/* TlclGetFlags() doesn't need mocking; it calls TlclGetPermanentFlags() */
-
-uint32_t TlclAssertPhysicalPresence(void)
-{
- mock_cnext += sprintf(mock_cnext, "TlclAssertPhysicalPresence()\n");
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclPhysicalPresenceCMDEnable(void)
-{
- mock_cnext += sprintf(mock_cnext, "TlclPhysicalPresenceCMDEnable()\n");
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclSetGlobalLock(void)
-{
- mock_cnext += sprintf(mock_cnext, "TlclSetGlobalLock()\n");
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclLockPhysicalPresence(void)
-{
- mock_cnext += sprintf(mock_cnext, "TlclLockPhysicalPresence()\n");
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-#ifndef TPM2_MODE
-uint32_t TlclGetPermissions(uint32_t index, uint32_t* permissions)
-{
- mock_cnext += sprintf(mock_cnext, "TlclGetPermissions(%#x)\n", index);
- *permissions = mock_permissions;
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclFinalizePhysicalPresence(void)
-{
- mock_cnext += sprintf(mock_cnext, "TlclFinalizePhysicalPresence()\n");
- mock_pflags.physicalPresenceLifetimeLock = 1;
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
-uint32_t TlclSetNvLocked(void)
-{
- mock_cnext += sprintf(mock_cnext, "TlclSetNvLocked()\n");
- mock_pflags.nvLocked = 1;
- return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-#endif
-
-/****************************************************************************/
-/* Tests for misc helper functions */
-
-static void misc_tests(void)
-{
- uint8_t buf[8];
-
- reset_common_data(0, 0);
- TEST_EQ(tlcl_clear_and_reenable(), 0, "tlcl_clear_and_enable()");
- TEST_STR_EQ(mock_calls,
- "TlclForceClear()\n"
- "TlclSetEnable()\n"
- "TlclSetDeactivated(0)\n",
- " tlcl calls");
-
- reset_common_data(0, 0);
- TEST_EQ(tlcl_safe_write(0x123, buf, 8), 0, "tlcl_safe_write()");
- TEST_STR_EQ(mock_calls,
- "TlclWrite(0x123, 8)\n",
- " tlcl calls");
-
- reset_common_data(1, TPM_E_BADINDEX);
- TEST_EQ(tlcl_safe_write(0x123, buf, 8), TPM_E_BADINDEX,
- "tlcl_safe_write() bad");
- TEST_STR_EQ(mock_calls,
- "TlclWrite(0x123, 8)\n",
- " tlcl calls");
-
- reset_common_data(1, TPM_E_MAXNVWRITES);
- TEST_EQ(tlcl_safe_write(0x123, buf, 8), 0,
- "tlcl_safe_write() retry max writes");
- TEST_STR_EQ(mock_calls,
- "TlclWrite(0x123, 8)\n"
- "TlclForceClear()\n"
- "TlclSetEnable()\n"
- "TlclSetDeactivated(0)\n"
- "TlclWrite(0x123, 8)\n",
- " tlcl calls");
-}
-
-/****************************************************************************/
-/* Tests for firmware space functions */
-
-static void secdata_firmware_tests(void)
-{
- /* Write with no new changes */
- reset_common_data(0, 0);
- ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED;
- TEST_SUCC(secdata_firmware_write(ctx),
- "secdata_firmware_write(), no changes, success");
- TEST_STR_EQ(mock_calls,
- "",
- " tlcl calls");
-
- /* Write failure */
- reset_common_data(1, TPM_E_IOERROR);
- TEST_EQ(secdata_firmware_write(ctx), TPM_E_IOERROR,
- "secdata_firmware_write(), failure");
- TEST_STR_EQ(mock_calls,
- "TlclWrite(0x1007, 10)\n",
- " tlcl calls");
- TEST_NEQ(ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED, 0,
- " should leave SECDATA_FIRMWARE_CHANGED context flag");
-
- /* Write in normal mode */
- reset_common_data(0, 0);
- ctx->flags &= ~VB2_CONTEXT_RECOVERY_MODE;
- TEST_EQ(secdata_firmware_write(ctx), TPM_E_AREA_LOCKED,
- "secdata_firmware_write(), normal mode, failure");
- TEST_STR_EQ(mock_calls,
- "",
- " tlcl calls");
- TEST_NEQ(ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED, 0,
- " should leave SECDATA_FIRMWARE_CHANGED context flag");
-
- /* Write success and readback */
- reset_common_data(0, 0);
- memset(ctx->secdata_firmware, 0xaa, sizeof(ctx->secdata_firmware));
- TEST_SUCC(secdata_firmware_write(ctx),
- "secdata_firmware_write(), success");
- TEST_STR_EQ(mock_calls,
- "TlclWrite(0x1007, 10)\n",
- " tlcl calls");
- memset(ctx->secdata_firmware, 0xaa, sizeof(ctx->secdata_firmware));
- TEST_EQ(memcmp(ctx->secdata_firmware, &mock_rsf,
- sizeof(ctx->secdata_firmware)), 0,
- " unchanged on readback");
- TEST_EQ(ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED, 0,
- " should reset SECDATA_FIRMWARE_CHANGED context flag");
-}
-
-/****************************************************************************/
-/* Tests for kernel space functions */
-
-static void secdata_kernel_tests(void)
-{
- /* Not present is an error */
- reset_common_data(1, TPM_E_BADINDEX);
- TEST_EQ(secdata_kernel_read(ctx), TPM_E_BADINDEX,
- "secdata_kernel_read(), not present");
- TEST_STR_EQ(mock_calls,
-#ifndef TPM2_MODE
- "TlclGetPermissions(0x1008)\n",
-#else
- "TlclRead(0x1008, 13)\n",
-#endif
- " tlcl calls");
-
-#ifndef TPM2_MODE
- /* Bad permissions */
- reset_common_data(0, 0);
- mock_permissions = 0;
- TEST_EQ(secdata_kernel_read(ctx), TPM_E_CORRUPTED_STATE,
- "secdata_kernel_read(), bad permissions");
- TEST_STR_EQ(mock_calls,
- "TlclGetPermissions(0x1008)\n",
- " tlcl calls");
-#endif
-
- /* Good permissions, read failure */
-#ifndef TPM2_MODE
- int read_failure_on_call = 2;
-#else
- int read_failure_on_call = 1;
-#endif
- reset_common_data(read_failure_on_call, TPM_E_IOERROR);
- TEST_EQ(secdata_kernel_read(ctx), TPM_E_IOERROR,
- "secdata_kernel_read(), good permissions, failure");
- TEST_STR_EQ(mock_calls,
-#ifndef TPM2_MODE
- "TlclGetPermissions(0x1008)\n"
-#endif
- "TlclRead(0x1008, 13)\n",
- " tlcl calls");
-
- /* Good permissions, read success, bad CRC */
- reset_common_data(0, 0);
- mock_bad_crc = 1;
- TEST_EQ(secdata_kernel_read(ctx), TPM_E_CORRUPTED_STATE,
- "secdata_kernel_read(), read success, bad CRC");
- TEST_STR_EQ(mock_calls,
-#ifndef TPM2_MODE
- "TlclGetPermissions(0x1008)\n"
-#endif
- "TlclRead(0x1008, 13)\n",
- " tlcl calls");
-
- /* Good permissions, read success */
- reset_common_data(0, 0);
- TEST_SUCC(secdata_kernel_read(ctx),
- "secdata_kernel_read(), good permissions, success");
- TEST_STR_EQ(mock_calls,
-#ifndef TPM2_MODE
- "TlclGetPermissions(0x1008)\n"
-#endif
- "TlclRead(0x1008, 13)\n",
- " tlcl calls");
- TEST_EQ(memcmp(ctx->secdata_kernel, &mock_rsk,
- sizeof(ctx->secdata_kernel)), 0, " data");
-
- /* Write with no new changes */
- reset_common_data(0, 0);
- ctx->flags &= ~VB2_CONTEXT_SECDATA_KERNEL_CHANGED;
- TEST_SUCC(secdata_kernel_write(ctx),
- "secdata_kernel_write(), no changes, success");
- TEST_STR_EQ(mock_calls,
- "",
- " tlcl calls");
-
- /* Write failure */
- reset_common_data(1, TPM_E_IOERROR);
- TEST_EQ(secdata_kernel_write(ctx), TPM_E_IOERROR,
- "secdata_kernel_write(), failure");
- TEST_STR_EQ(mock_calls,
- "TlclWrite(0x1008, 13)\n",
- " tlcl calls");
- TEST_NEQ(ctx->flags & VB2_CONTEXT_SECDATA_KERNEL_CHANGED, 0,
- " should leave SECDATA_KERNEL_CHANGED context flag");
-
- /* Write success and readback */
- reset_common_data(0, 0);
- memset(ctx->secdata_kernel, 0xaa, sizeof(ctx->secdata_kernel));
- TEST_SUCC(secdata_kernel_write(ctx),
- "secdata_kernel_write(), failure");
- TEST_STR_EQ(mock_calls,
- "TlclWrite(0x1008, 13)\n",
- " tlcl calls");
- memset(ctx->secdata_kernel, 0xaa, sizeof(ctx->secdata_kernel));
- TEST_EQ(memcmp(ctx->secdata_kernel, &mock_rsk,
- sizeof(ctx->secdata_kernel)), 0,
- " unchanged on readback");
- TEST_EQ(ctx->flags & VB2_CONTEXT_SECDATA_KERNEL_CHANGED, 0,
- " should reset SECDATA_KERNEL_CHANGED context flag");
-
- /* Lock in normal mode with failure */
- reset_common_data(1, TPM_E_AREA_LOCKED);
- TEST_EQ(secdata_kernel_lock(ctx), TPM_E_AREA_LOCKED,
- "secdata_kernel_lock(), lock failure");
- TEST_STR_EQ(mock_calls,
- "TlclLockPhysicalPresence()\n",
- " tlcl calls");
-
- /* Lock in normal mode */
- reset_common_data(0, 0);
- TEST_SUCC(secdata_kernel_lock(ctx),
- "secdata_kernel_lock(), success (locked)");
- TEST_STR_EQ(mock_calls,
- "TlclLockPhysicalPresence()\n",
- " tlcl calls");
-
- /* Lock after already locked (only one TlclLockPhysicalPresence). */
- reset_common_data(0, 0);
- TEST_SUCC(secdata_kernel_lock(ctx),
- "secdata_kernel_lock(), lock first run");
- TEST_SUCC(secdata_kernel_lock(ctx),
- "secdata_kernel_lock(), already locked");
- TEST_STR_EQ(mock_calls,
- "TlclLockPhysicalPresence()\n",
- " tlcl calls");
-}
-
-/****************************************************************************/
-/* Tests for fwmp space functions */
-
-static void secdata_fwmp_tests(void)
-{
- /* Read failure */
- reset_common_data(1, TPM_E_IOERROR);
- TEST_EQ(secdata_fwmp_read(ctx), TPM_E_IOERROR,
- "secdata_fwmp_read(), failure");
- TEST_STR_EQ(mock_calls,
- "TlclRead(0x100a, 40)\n",
- " tlcl calls");
- TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
- " should leave NO_SECDATA_FWMP context flag");
-
- /* Normal read, bad CRC */
- reset_common_data(0, 0);
- mock_bad_crc = 1;
- TEST_EQ(secdata_fwmp_read(ctx), TPM_E_CORRUPTED_STATE,
- "secdata_fwmp_read(), success, bad CRC");
- TEST_STR_EQ(mock_calls,
- "TlclRead(0x100a, 40)\n",
- " tlcl calls");
- TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
- " should leave NO_SECDATA_FWMP context flag");
-
- /* Normal read */
- reset_common_data(0, 0);
- TEST_SUCC(secdata_fwmp_read(ctx),
- "secdata_fwmp_read(), success");
- TEST_STR_EQ(mock_calls,
- "TlclRead(0x100a, 40)\n",
- " tlcl calls");
- TEST_EQ(memcmp(ctx->secdata_fwmp, &mock_fwmp,
- mock_fwmp_real_size), 0, " data");
- TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
- " should leave NO_SECDATA_FWMP context flag");
-
- /* Read error */
- reset_common_data(1, TPM_E_IOERROR);
- TEST_EQ(secdata_fwmp_read(ctx), TPM_E_IOERROR,
- "secdata_fwmp_read(), error");
- TEST_STR_EQ(mock_calls,
- "TlclRead(0x100a, 40)\n",
- " tlcl calls");
- TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
- " should leave NO_SECDATA_FWMP context flag");
-
- /* Not present isn't an error; just sets context flag */
- reset_common_data(1, TPM_E_BADINDEX);
- TEST_SUCC(secdata_fwmp_read(ctx), "secdata_fwmp_read(), not present");
- TEST_STR_EQ(mock_calls,
- "TlclRead(0x100a, 40)\n",
- " tlcl calls");
- TEST_NEQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
- " should set NO_SECDATA_FWMP context flag");
-
- /* Struct size too large, then bad CRC */
- reset_common_data(0, 0);
- mock_fwmp_real_size += 4;
- mock_bad_crc = 1;
- TEST_EQ(secdata_fwmp_read(ctx), TPM_E_CORRUPTED_STATE,
- "secdata_fwmp_read(), bigger, bad CRC");
- TEST_STR_EQ(mock_calls,
- "TlclRead(0x100a, 40)\n"
- "TlclRead(0x100a, 44)\n",
- " tlcl calls");
- TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
- " should leave NO_SECDATA_FWMP context flag");
-
- /* Struct size too large */
- reset_common_data(0, 0);
- mock_fwmp_real_size += 4;
- TEST_SUCC(secdata_fwmp_read(ctx), "secdata_fwmp_read(), bigger");
- TEST_STR_EQ(mock_calls,
- "TlclRead(0x100a, 40)\n"
- "TlclRead(0x100a, 44)\n",
- " tlcl calls");
- TEST_EQ(memcmp(ctx->secdata_fwmp, &mock_fwmp,
- mock_fwmp_real_size), 0, " data");
- TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
- " should leave NO_SECDATA_FWMP context flag");
-}
-
-int main(int argc, char* argv[])
-{
- misc_tests();
- secdata_firmware_tests();
- secdata_kernel_tests();
- secdata_fwmp_tests();
-
- return gTestSuccess ? 0 : 255;
-}
diff --git a/tests/vb2_auxfw_sync_tests.c b/tests/vb2_auxfw_sync_tests.c
index 48cb206..622b303 100644
--- a/tests/vb2_auxfw_sync_tests.c
+++ b/tests/vb2_auxfw_sync_tests.c
@@ -15,7 +15,6 @@
#include "2sysincludes.h"
#include "host_common.h"
#include "load_kernel_fw.h"
-#include "secdata_tpm.h"
#include "test_common.h"
#include "vboot_audio.h"
#include "vboot_display.h"
diff --git a/tests/vb2_ec_sync_tests.c b/tests/vb2_ec_sync_tests.c
index 085cefb..a444930 100644
--- a/tests/vb2_ec_sync_tests.c
+++ b/tests/vb2_ec_sync_tests.c
@@ -11,7 +11,6 @@
#include "2sysincludes.h"
#include "host_common.h"
#include "load_kernel_fw.h"
-#include "secdata_tpm.h"
#include "test_common.h"
#include "vboot_audio.h"
#include "vboot_display.h"
diff --git a/tests/vboot_api_devmode_tests.c b/tests/vboot_api_devmode_tests.c
index a26b9f6..3706dbe 100644
--- a/tests/vboot_api_devmode_tests.c
+++ b/tests/vboot_api_devmode_tests.c
@@ -18,7 +18,6 @@
#include "crc32.h"
#include "host_common.h"
#include "load_kernel_fw.h"
-#include "secdata_tpm.h"
#include "test_common.h"
#include "vboot_display.h"
#include "vboot_kernel.h"
diff --git a/tests/vboot_api_kernel2_tests.c b/tests/vboot_api_kernel2_tests.c
index 81db395..14843fe 100644
--- a/tests/vboot_api_kernel2_tests.c
+++ b/tests/vboot_api_kernel2_tests.c
@@ -12,7 +12,6 @@
#include "2secdata_struct.h"
#include "host_common.h"
#include "load_kernel_fw.h"
-#include "secdata_tpm.h"
#include "test_common.h"
#include "tss_constants.h"
#include "vboot_audio.h"
@@ -133,11 +132,6 @@
/* Mock functions */
-uint32_t secdata_kernel_lock(struct vb2_context *c)
-{
- return TPM_SUCCESS;
-}
-
struct vb2_gbb_header *vb2_get_gbb(struct vb2_context *c)
{
return &gbb;
diff --git a/tests/vboot_api_kernel4_tests.c b/tests/vboot_api_kernel4_tests.c
index d413024..cbae595 100644
--- a/tests/vboot_api_kernel4_tests.c
+++ b/tests/vboot_api_kernel4_tests.c
@@ -13,7 +13,6 @@
#include "2sysincludes.h"
#include "host_common.h"
#include "load_kernel_fw.h"
-#include "secdata_tpm.h"
#include "test_common.h"
#include "tlcl.h"
#include "tss_constants.h"
@@ -34,17 +33,15 @@
static uint32_t kernel_version;
static uint32_t new_version;
-static uint8_t fwmp_buf[VB2_SECDATA_FWMP_MIN_SIZE];
-static uint32_t kernel_read_retval;
-static uint32_t kernel_write_retval;
-static uint32_t kernel_lock_retval;
-static uint32_t fwmp_read_retval;
static vb2_error_t vbboot_retval;
+static vb2_error_t commit_data_retval;
+static int commit_data_called;
+static vb2_error_t secdata_kernel_init_retval;
+static vb2_error_t secdata_fwmp_init_retval;
static uint32_t mock_switches[8];
static uint32_t mock_switches_count;
static int mock_switches_are_stuck;
-static int commit_data_called;
/* Reset mock data (for use before each test) */
static void ResetMocks(void)
@@ -68,14 +65,11 @@
memset(&shared_data, 0, sizeof(shared_data));
- memset(&fwmp_buf, 0, sizeof(fwmp_buf));
- fwmp_read_retval = TPM_SUCCESS;
-
kernel_version = new_version = 0x10002;
- kernel_read_retval = TPM_SUCCESS;
- kernel_write_retval = TPM_SUCCESS;
- kernel_lock_retval = TPM_SUCCESS;
+ commit_data_retval = VB2_SUCCESS;
vbboot_retval = VB2_SUCCESS;
+ secdata_kernel_init_retval = VB2_SUCCESS;
+ secdata_fwmp_init_retval = VB2_SUCCESS;
memset(mock_switches, 0, sizeof(mock_switches));
mock_switches_count = 0;
@@ -87,43 +81,12 @@
vb2_error_t vb2ex_commit_data(struct vb2_context *c)
{
commit_data_called = 1;
- return VB2_SUCCESS;
-}
-
-uint32_t secdata_firmware_write(struct vb2_context *c)
-{
- return TPM_SUCCESS;
-}
-
-uint32_t secdata_kernel_read(struct vb2_context *c)
-{
- return kernel_read_retval;
-}
-
-uint32_t secdata_kernel_write(struct vb2_context *c)
-{
- return kernel_write_retval;
-}
-
-uint32_t secdata_kernel_lock(struct vb2_context *c)
-{
- return kernel_lock_retval;
-}
-
-uint32_t secdata_fwmp_read(struct vb2_context *c)
-{
- memcpy(&c->secdata_fwmp, &fwmp_buf, sizeof(fwmp_buf));
- return fwmp_read_retval;
-}
-
-vb2_error_t vb2_secdata_firmware_init(struct vb2_context *c)
-{
- return VB2_SUCCESS;
+ return commit_data_retval;
}
vb2_error_t vb2_secdata_kernel_init(struct vb2_context *c)
{
- return VB2_SUCCESS;
+ return secdata_kernel_init_retval;
}
uint32_t vb2_secdata_kernel_get(struct vb2_context *c,
@@ -132,6 +95,11 @@
return kernel_version;
}
+vb2_error_t vb2_secdata_fwmp_init(struct vb2_context *c)
+{
+ return secdata_fwmp_init_retval;
+}
+
void vb2_secdata_kernel_set(struct vb2_context *c,
enum vb2_secdata_kernel_param param,
uint32_t value)
@@ -222,12 +190,6 @@
gbb.flags |= VB2_GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC;
test_slk(0, 0, "EC sync disabled by GBB");
- /* Rollback kernel version */
- ResetMocks();
- kernel_read_retval = 123;
- test_slk(VB2_ERROR_SECDATA_KERNEL_READ,
- VB2_RECOVERY_RW_TPM_R_ERROR, "Read kernel rollback");
-
ResetMocks();
new_version = 0x20003;
test_slk(0, 0, "Roll forward");
@@ -254,15 +216,10 @@
ResetMocks();
new_version = 0x20003;
- kernel_write_retval = 123;
+ commit_data_retval = VB2_ERROR_SECDATA_KERNEL_WRITE;
test_slk(VB2_ERROR_SECDATA_KERNEL_WRITE,
VB2_RECOVERY_RW_TPM_W_ERROR, "Write kernel rollback");
- ResetMocks();
- kernel_lock_retval = 123;
- test_slk(VB2_ERROR_SECDATA_KERNEL_LOCK,
- VB2_RECOVERY_RW_TPM_L_ERROR, "Lock kernel rollback");
-
/* Boot normal */
ResetMocks();
vbboot_retval = -1;
@@ -282,6 +239,32 @@
" didn't commit nvdata");
}
+ /* Boot normal - secdata init failures */
+ ResetMocks();
+ secdata_kernel_init_retval = VB2_ERROR_UNKNOWN;
+ test_slk(secdata_kernel_init_retval, VB2_RECOVERY_SECDATA_KERNEL_INIT,
+ "Normal secdata_kernel init error triggers recovery");
+
+ ResetMocks();
+ secdata_fwmp_init_retval = VB2_ERROR_UNKNOWN;
+ test_slk(secdata_fwmp_init_retval, VB2_RECOVERY_SECDATA_FWMP_INIT,
+ "Normal secdata_fwmp init error triggers recovery");
+
+ /* Boot normal - commit data failures */
+ ResetMocks();
+ commit_data_retval = VB2_ERROR_SECDATA_FIRMWARE_WRITE;
+ test_slk(commit_data_retval, VB2_RECOVERY_RW_TPM_W_ERROR,
+ "Normal secdata_firmware write error triggers recovery");
+ commit_data_retval = VB2_ERROR_SECDATA_KERNEL_WRITE;
+ test_slk(commit_data_retval, VB2_RECOVERY_RW_TPM_W_ERROR,
+ "Normal secdata_kernel write error triggers recovery");
+ commit_data_retval = VB2_ERROR_NV_WRITE;
+ TEST_ABORT(VbSelectAndLoadKernel(ctx, shared, &kparams),
+ "Normal nvdata write error aborts");
+ commit_data_retval = VB2_ERROR_UNKNOWN;
+ TEST_ABORT(VbSelectAndLoadKernel(ctx, shared, &kparams),
+ "Normal unknown commit error aborts");
+
/* Boot dev */
ResetMocks();
sd->flags |= VB2_SD_FLAG_DEV_MODE_ENABLED;
@@ -306,12 +289,17 @@
test_slk(0, 0, "Recovery doesn't roll forward");
TEST_EQ(kernel_version, 0x10002, " version");
+ /* Boot recovery - commit data failures */
ResetMocks();
sd->recovery_reason = 123;
- kernel_read_retval = TPM_E_IOERROR;
- kernel_write_retval = TPM_E_IOERROR;
- kernel_lock_retval = TPM_E_IOERROR;
- test_slk(0, 0, "Recovery ignore TPM errors");
+ commit_data_retval = VB2_ERROR_SECDATA_FIRMWARE_WRITE;
+ test_slk(0, 0, "Recovery ignore secdata_firmware write error");
+ commit_data_retval = VB2_ERROR_SECDATA_KERNEL_WRITE;
+ test_slk(0, 0, "Recovery ignore secdata_kernel write error");
+ commit_data_retval = VB2_ERROR_NV_WRITE;
+ test_slk(0, 0, "Recovery return nvdata write error");
+ commit_data_retval = VB2_ERROR_UNKNOWN;
+ test_slk(0, 0, "Recovery return unknown write error");
ResetMocks();
sd->recovery_reason = VB2_RECOVERY_TRAIN_AND_REBOOT;
diff --git a/tests/vboot_api_kernel_tests.c b/tests/vboot_api_kernel_tests.c
index 6107722..d7c3235 100644
--- a/tests/vboot_api_kernel_tests.c
+++ b/tests/vboot_api_kernel_tests.c
@@ -10,7 +10,6 @@
#include "2nvstorage.h"
#include "2sysincludes.h"
#include "load_kernel_fw.h"
-#include "secdata_tpm.h"
#include "test_common.h"
#include "utility.h"
#include "vboot_api.h"
diff --git a/tests/vboot_detach_menu_tests.c b/tests/vboot_detach_menu_tests.c
index 41c89dd..8f839e9 100644
--- a/tests/vboot_detach_menu_tests.c
+++ b/tests/vboot_detach_menu_tests.c
@@ -12,7 +12,6 @@
#include "2secdata_struct.h"
#include "host_common.h"
#include "load_kernel_fw.h"
-#include "secdata_tpm.h"
#include "test_common.h"
#include "tss_constants.h"
#include "vboot_api.h"
@@ -126,11 +125,6 @@
/* Mock functions */
-uint32_t secdata_kernel_lock(struct vb2_context *c)
-{
- return TPM_SUCCESS;
-}
-
struct vb2_gbb_header *vb2_get_gbb(struct vb2_context *c)
{
return &gbb;
diff --git a/tests/vboot_display_tests.c b/tests/vboot_display_tests.c
index 2fa5ac9..970025b 100644
--- a/tests/vboot_display_tests.c
+++ b/tests/vboot_display_tests.c
@@ -16,7 +16,6 @@
#include "2struct.h"
#include "2sysincludes.h"
#include "host_common.h"
-#include "secdata_tpm.h"
#include "test_common.h"
#include "vboot_display.h"
#include "vboot_kernel.h"
diff --git a/tests/vboot_kernel_tests.c b/tests/vboot_kernel_tests.c
index 9063aeb..fd0ccfd 100644
--- a/tests/vboot_kernel_tests.c
+++ b/tests/vboot_kernel_tests.c
@@ -19,7 +19,6 @@
#include "gpt.h"
#include "host_common.h"
#include "load_kernel_fw.h"
-#include "secdata_tpm.h"
#include "test_common.h"
#include "vb2_common.h"
#include "vboot_api.h"
diff --git a/utility/load_kernel_test.c b/utility/load_kernel_test.c
index 89de19e..cde3f61 100644
--- a/utility/load_kernel_test.c
+++ b/utility/load_kernel_test.c
@@ -15,7 +15,6 @@
#include "2sysincludes.h"
#include "host_common.h"
#include "load_kernel_fw.h"
-#include "secdata_tpm.h"
#include "vboot_kernel.h"
#define LBA_BYTES 512
