| /* Copyright (c) 2014 The Chromium OS Authors. All rights reserved. |
| * Use of this source code is governed by a BSD-style license that can be |
| * found in the LICENSE file. |
| * |
| * Data structure definitions for verified boot, for on-disk / in-eeprom |
| * data. |
| */ |
| |
| #ifndef VBOOT_REFERENCE_VBOOT_2STRUCT_H_ |
| #define VBOOT_REFERENCE_VBOOT_2STRUCT_H_ |
| #include <stdint.h> |
| |
| /****************************************************************************/ |
| /* GUID structure. Defined in appendix A of EFI standard. */ |
| |
| #define UUID_NODE_LEN 6 |
| #define GUID_SIZE 16 |
| |
| struct vb2_guid { |
| union { |
| struct { |
| uint32_t time_low; |
| uint16_t time_mid; |
| uint16_t time_high_and_version; |
| uint8_t clock_seq_high_and_reserved; |
| uint8_t clock_seq_low; |
| uint8_t node[UUID_NODE_LEN]; |
| } uuid; |
| uint8_t raw[GUID_SIZE]; |
| }; |
| } __attribute__((packed)); |
| |
| #define EXPECTED_GUID_SIZE GUID_SIZE |
| |
| /* Key GUIDs to use for VB2_SIG_NONE and hash algorithms */ |
| |
| #define VB2_GUID_NONE_SHA1 \ |
| {{{0xcfb5687a,0x6092,0x11e4,0x96,0xe1,{0x8f,0x3b,0x1a,0x60,0xa2,0x1d}}}} |
| |
| #define VB2_GUID_NONE_SHA256 \ |
| {{{0x0e4114e0,0x6093,0x11e4,0x9d,0xcb,{0x8f,0x8a,0xf4,0xca,0x2e,0x32}}}} |
| |
| #define VB2_GUID_NONE_SHA512 \ |
| {{{0x1c695960,0x6093,0x11e4,0x82,0x63,{0xdb,0xee,0xe9,0x3c,0xcd,0x7e}}}} |
| |
| /****************************************************************************/ |
| /* |
| * Vboot1-compatible data structures |
| * |
| * |
| * Note: Many of the structs have pairs of 32-bit fields and reserved fields. |
| * This is to be backwards-compatible with older verified boot data which used |
| * 64-bit fields (when we thought that hey, UEFI is 64-bit so all our fields |
| * should be too). |
| */ |
| |
| /* Packed public key data */ |
| struct vb2_packed_key { |
| /* Offset of key data from start of this struct */ |
| uint32_t key_offset; |
| uint32_t reserved0; |
| |
| /* Size of key data in bytes (NOT strength of key in bits) */ |
| uint32_t key_size; |
| uint32_t reserved1; |
| |
| /* Signature algorithm used by the key (enum vb2_crypto_algorithm) */ |
| uint32_t algorithm; |
| uint32_t reserved2; |
| |
| /* Key version */ |
| uint32_t key_version; |
| uint32_t reserved3; |
| |
| /* TODO: when redoing this struct, add a text description of the key */ |
| } __attribute__((packed)); |
| |
| #define EXPECTED_VB2_PACKED_KEY_SIZE 32 |
| |
| /* Signature data (a secure hash, possibly signed) */ |
| struct vb2_signature { |
| /* Offset of signature data from start of this struct */ |
| uint32_t sig_offset; |
| uint32_t reserved0; |
| |
| /* Size of signature data in bytes */ |
| uint32_t sig_size; |
| uint32_t reserved1; |
| |
| /* Size of the data block which was signed in bytes */ |
| uint32_t data_size; |
| uint32_t reserved2; |
| } __attribute__((packed)); |
| |
| #define EXPECTED_VB2_SIGNATURE_SIZE 24 |
| |
| #define KEY_BLOCK_MAGIC "CHROMEOS" |
| #define KEY_BLOCK_MAGIC_SIZE 8 |
| |
| #define KEY_BLOCK_HEADER_VERSION_MAJOR 2 |
| #define KEY_BLOCK_HEADER_VERSION_MINOR 1 |
| |
| /* |
| * The following flags set where the key is valid. Not used by firmware |
| * verification; only kernel verification. |
| */ |
| #define VB2_KEY_BLOCK_FLAG_DEVELOPER_0 0x01 /* Developer switch off */ |
| #define VB2_KEY_BLOCK_FLAG_DEVELOPER_1 0x02 /* Developer switch on */ |
| #define VB2_KEY_BLOCK_FLAG_RECOVERY_0 0x04 /* Not recovery mode */ |
| #define VB2_KEY_BLOCK_FLAG_RECOVERY_1 0x08 /* Recovery mode */ |
| |
| /* |
| * Key block, containing the public key used to sign some other chunk of data. |
| * |
| * This should be followed by: |
| * 1) The data_key key data, pointed to by data_key.key_offset. |
| * 2) The checksum data for (vb2_keyblock + data_key data), pointed to |
| * by keyblock_checksum.sig_offset. |
| * 3) The signature data for (vb2_keyblock + data_key data), pointed to |
| * by keyblock_signature.sig_offset. |
| */ |
| struct vb2_keyblock { |
| /* Magic number */ |
| uint8_t magic[KEY_BLOCK_MAGIC_SIZE]; |
| |
| /* Version of this header format */ |
| uint32_t header_version_major; |
| |
| /* Version of this header format */ |
| uint32_t header_version_minor; |
| |
| /* |
| * Length of this entire key block, including keys, signatures, and |
| * padding, in bytes |
| */ |
| uint32_t keyblock_size; |
| uint32_t reserved0; |
| |
| /* |
| * Signature for this key block (header + data pointed to by data_key) |
| * For use with signed data keys |
| */ |
| struct vb2_signature keyblock_signature; |
| |
| /* |
| * SHA-512 checksum for this key block (header + data pointed to by |
| * data_key) For use with unsigned data keys. |
| * |
| * Note that the vb2 lib currently only supports signed blocks. |
| */ |
| struct vb2_signature keyblock_checksum_unused; |
| |
| /* Flags for key (VB2_KEY_BLOCK_FLAG_*) */ |
| uint32_t keyblock_flags; |
| uint32_t reserved1; |
| |
| /* Key to verify the chunk of data */ |
| struct vb2_packed_key data_key; |
| } __attribute__((packed)); |
| |
| #define EXPECTED_VB2_KEYBLOCK_SIZE 112 |
| |
| |
| /* Firmware preamble header */ |
| #define FIRMWARE_PREAMBLE_HEADER_VERSION_MAJOR 2 |
| #define FIRMWARE_PREAMBLE_HEADER_VERSION_MINOR 1 |
| |
| /* Flags for VbFirmwarePreambleHeader.flags */ |
| /* Reserved; do not use */ |
| #define VB2_FIRMWARE_PREAMBLE_RESERVED0 0x00000001 |
| |
| /* Premable block for rewritable firmware, version 2.1. |
| * |
| * The firmware preamble header should be followed by: |
| * 1) The kernel_subkey key data, pointed to by kernel_subkey.key_offset. |
| * 2) The signature data for the firmware body, pointed to by |
| * body_signature.sig_offset. |
| * 3) The signature data for (header + kernel_subkey data + body signature |
| * data), pointed to by preamble_signature.sig_offset. |
| */ |
| struct vb2_fw_preamble { |
| /* |
| * Size of this preamble, including keys, signatures, and padding, in |
| * bytes |
| */ |
| uint32_t preamble_size; |
| uint32_t reserved0; |
| |
| /* |
| * Signature for this preamble (header + kernel subkey + body |
| * signature) |
| */ |
| struct vb2_signature preamble_signature; |
| |
| /* Version of this header format */ |
| uint32_t header_version_major; |
| uint32_t header_version_minor; |
| |
| /* Firmware version */ |
| uint32_t firmware_version; |
| uint32_t reserved1; |
| |
| /* Key to verify kernel key block */ |
| struct vb2_packed_key kernel_subkey; |
| |
| /* Signature for the firmware body */ |
| struct vb2_signature body_signature; |
| |
| /* |
| * Fields added in header version 2.1. You must verify the header |
| * version before reading these fields! |
| */ |
| |
| /* |
| * Flags; see VB2_FIRMWARE_PREAMBLE_*. Readers should return 0 for |
| * header version < 2.1. |
| */ |
| uint32_t flags; |
| } __attribute__((packed)); |
| |
| #define EXPECTED_VB2_FW_PREAMBLE_SIZE 108 |
| |
| /****************************************************************************/ |
| /* |
| * Vboot2 data structures |
| * |
| * |
| * Offsets should be padded to 32-bit boundaries, since some architectures |
| * have trouble with accessing unaligned integers. |
| */ |
| |
| /* |
| * Magic numbers used by vb2_struct_common.magic. |
| * |
| * All valid numbers should be listed here to avoid accidental overlap. |
| * Numbers start at a large value, so that previous parsers (which stored |
| * things like lengths and offsets at that field) will detect and reject new |
| * structs as invalid. |
| */ |
| enum vb2_struct_common_magic { |
| /* "Vb2B" = vb2_keyblock2.c.magic */ |
| VB2_MAGIC_KEYBLOCK2 = 0x42326256, |
| |
| /* "Vb2F" = vb2_fw_preamble.c.magic */ |
| VB2_MAGIC_FW_PREAMBLE2 = 0x46326256, |
| |
| /* "Vb2K" = vb2_kernel_preamble.c.magic */ |
| VB2_MAGIC_KERNEL_PREAMBLE2 = 0x4b326256, |
| |
| /* "Vb2P" = vb2_packed_key2.c.magic */ |
| VB2_MAGIC_PACKED_KEY2 = 0x50326256, |
| |
| /* "Vb2S" = vb2_signature.c.magic */ |
| VB2_MAGIC_SIGNATURE2 = 0x53326256, |
| }; |
| |
| |
| /* |
| * Generic struct header for all vboot2 structs. This makes it easy to |
| * automatically parse and identify vboot structs (e.g., in futility). This |
| * must be the first member of the parent vboot2 struct. |
| */ |
| struct vb2_struct_common { |
| /* Magic number; see vb2_struct_common_magic for expected values */ |
| uint32_t magic; |
| |
| /* |
| * Parent struct version; see each struct for the expected value. |
| * |
| * How to handle struct version mismatches, if the parser is version |
| * A.b and the data is version C.d: |
| * 1) If A.b == C.d, we're good. |
| * 2) If A != C, the data cannot be parsed at all. |
| * 3) If b < d, C.d is a newer version of data which is backwards- |
| * compatible to old parsers. We're good. |
| * 4) If b > d, C.d is an older version of data. The parser should |
| * use default values for fields added after version d. We're |
| * good. |
| * |
| * Struct versions start at 3.0, since the highest version of the old |
| * structures was 2.1. This way, there is no possibility of collision |
| * for old code which depends on the version number. |
| */ |
| uint16_t struct_version_major; |
| uint16_t struct_version_minor; |
| |
| /* |
| * Size of the parent structure and all its data, including the |
| * description and any necessary padding. That is, all data must lie |
| * in a contiguous region of <total_size> bytes starting at the first |
| * byte of this header. |
| */ |
| uint32_t total_size; |
| |
| /* |
| * Size of the fixed portion of the parent structure. If a description |
| * is present, it must start at this offset. |
| */ |
| uint32_t fixed_size; |
| |
| /* |
| * The object may contain an ASCII description following the fixed |
| * portion of the structure. If it is present, it must be |
| * null-terminated, and padded with 0 (null) bytes to a multiple of 32 |
| * bits. |
| * |
| * Size of ASCII description in bytes, counting null terminator and |
| * padding (if any). Set 0 if no description is present. If non-zero, |
| * there must be a null terminator (0) at offset (fixed_size + |
| * desc_size - 1). |
| */ |
| uint32_t desc_size; |
| } __attribute__((packed)); |
| |
| #define EXPECTED_VB2_STRUCT_COMMON_SIZE 20 |
| |
| /* Algorithm types for signatures */ |
| enum vb2_signature_algorithm { |
| /* Invalid or unsupported signature type */ |
| VB2_SIG_INVALID = 0, |
| |
| /* |
| * No signature algorithm. The digest is unsigned. See |
| * VB2_GUID_NONE_* above for key GUIDs to use with this algorithm. |
| */ |
| VB2_SIG_NONE = 1, |
| |
| /* RSA algorithms of the given length in bits (1024-8192) */ |
| VB2_SIG_RSA1024 = 2, /* Warning! This is likely to be deprecated! */ |
| VB2_SIG_RSA2048 = 3, |
| VB2_SIG_RSA4096 = 4, |
| VB2_SIG_RSA8192 = 5, |
| }; |
| |
| /* Algorithm types for hash digests */ |
| enum vb2_hash_algorithm { |
| /* Invalid or unsupported digest type */ |
| VB2_HASH_INVALID = 0, |
| |
| /* SHA-1. Warning: This is likely to be deprecated soon! */ |
| VB2_HASH_SHA1 = 1, |
| |
| /* SHA-256 and SHA-512 */ |
| VB2_HASH_SHA256 = 2, |
| VB2_HASH_SHA512 = 3, |
| }; |
| |
| /* Current version of vb2_packed_key2 struct */ |
| #define VB2_PACKED_KEY2_VERSION_MAJOR 3 |
| #define VB2_PACKED_KEY2_VERSION_MINOR 0 |
| |
| /* |
| * Packed public key data, version 2 |
| * |
| * The key data must be arranged like this: |
| * 1) vb2_packed_key2 header struct h |
| * 2) Key description (pointed to by h.c.fixed_size) |
| * 3) Key data key (pointed to by h.key_offset) |
| */ |
| struct vb2_packed_key2 { |
| /* Common header fields */ |
| struct vb2_struct_common c; |
| |
| /* Offset of key data from start of this struct */ |
| uint32_t key_offset; |
| |
| /* Size of key data in bytes (NOT strength of key in bits) */ |
| uint32_t key_size; |
| |
| /* Signature algorithm used by the key (enum vb2_signature_algorithm) */ |
| uint16_t sig_alg; |
| |
| /* |
| * Hash digest algorithm used with the key (enum vb2_hash_algorithm). |
| * This is explicitly specified as part of the key to prevent use of a |
| * strong key with a weak hash. |
| */ |
| uint16_t hash_alg; |
| |
| /* Key version */ |
| uint32_t key_version; |
| |
| /* Key GUID */ |
| struct vb2_guid guid; |
| } __attribute__((packed)); |
| |
| #define EXPECTED_VB2_PACKED_KEY2_SIZE \ |
| (EXPECTED_VB2_STRUCT_COMMON_SIZE + EXPECTED_GUID_SIZE + 16) |
| |
| /* Current version of vb2_signature2 struct */ |
| #define VB2_SIGNATURE2_VERSION_MAJOR 3 |
| #define VB2_SIGNATURE2_VERSION_MINOR 0 |
| |
| /* |
| * Signature data, version 2 |
| * |
| * The signature data must be arranged like this: |
| * 1) vb2_signature2 header struct h |
| * 2) Signature description (pointed to by h.c.fixed_size) |
| * 3) Signature data (pointed to by h.sig_offset) |
| */ |
| struct vb2_signature2 { |
| /* Common header fields */ |
| struct vb2_struct_common c; |
| |
| /* Offset of signature data from start of this struct */ |
| uint32_t sig_offset; |
| |
| /* Size of signature data in bytes */ |
| uint32_t sig_size; |
| |
| /* Size of the data block which was signed in bytes */ |
| uint32_t data_size; |
| |
| /* Signature algorithm used (enum vb2_signature_algorithm) */ |
| uint16_t sig_alg; |
| |
| /* Hash digest algorithm used (enum vb2_hash_algorithm) */ |
| uint16_t hash_alg; |
| |
| /* |
| * GUID for the signature. |
| * |
| * If this is a keyblock signature entry, this is the GUID of the key |
| * used to generate this signature. This allows the firmware to |
| * quickly determine which signature block (if any) goes with the key |
| * being used by the firmware. |
| * |
| * If this is a preamble hash entry, this is the GUID of the data type |
| * being hashed. There is no key GUID, because sig_alg=VB2_ALG_NONE. |
| */ |
| struct vb2_guid guid; |
| } __attribute__((packed)); |
| |
| #define EXPECTED_VB2_SIGNATURE2_SIZE \ |
| (EXPECTED_VB2_STRUCT_COMMON_SIZE + EXPECTED_GUID_SIZE + 16) |
| |
| |
| /* Current version of vb2_keyblock2 struct */ |
| #define VB2_KEYBLOCK2_VERSION_MAJOR 3 |
| #define VB2_KEYBLOCK2_VERSION_MINOR 0 |
| |
| /* |
| * Key block. This contains a signed, versioned key for use in the next stage |
| * of verified boot. |
| * |
| * The key block data must be arranged like this: |
| * 1) vb2_keyblock2 header struct h |
| * 2) Keyblock description (pointed to by h.c.fixed_size) |
| * 3) Data key (pointed to by h.data_key_offset) |
| * 4) Signatures (first signature pointed to by h.sig_offset) |
| * |
| * The signatures from 4) must cover all the data from 1), 2), 3). That is, |
| * signatures must sign all data up to sig_offset. |
| */ |
| struct vb2_keyblock2 { |
| /* Common header fields */ |
| struct vb2_struct_common c; |
| |
| /* Flags (VB2_KEY_BLOCK_FLAG_*) */ |
| uint32_t flags; |
| |
| /* |
| * Offset of key (struct vb2_packed_key2) to use in next stage of |
| * verification, from start of the keyblock. |
| */ |
| uint32_t key_offset; |
| |
| /* Number of keyblock signatures which follow */ |
| uint32_t sig_count; |
| |
| /* |
| * Offset of the first signature (struct vb2_signature2) from the start |
| * of the keyblock. |
| * |
| * Signatures sign the contents of this struct and the data pointed to |
| * by data_key_offset, but not themselves or other signatures. |
| * |
| * For the firmware, there may be only one signature. |
| * |
| * Kernels often have at least two signatures - one using the kernel |
| * subkey from the RW firmware (for signed kernels) and one which is |
| * simply a SHA-512 hash (for unsigned developer kernels). |
| * |
| * The GUID for each signature indicates which key was used to generate |
| * the signature. |
| */ |
| uint32_t sig_offset; |
| } __attribute__((packed)); |
| |
| #define EXPECTED_VB2_KEYBLOCK2_SIZE (EXPECTED_VB2_STRUCT_COMMON_SIZE + 16) |
| |
| |
| /* Current version of vb2_preamble2 struct */ |
| #define VB2_PREAMBLE2_VERSION_MAJOR 3 |
| #define VB2_PREAMBLE2_VERSION_MINOR 0 |
| |
| /* |
| * Firmware preamble |
| * |
| * The preamble data must be arranged like this: |
| * 1) vb2_fw_preamble2 header struct h |
| * 2) Preamble description (pointed to by h.c.fixed_size) |
| * 3) Hash table (pointed to by h.hash_table_offset) |
| * 4) Signature (pointed to by h.sig_offset) |
| * |
| * The signature 4) must cover all the data from 1), 2), 3). |
| */ |
| struct vb2_fw_preamble2 { |
| /* Common header fields */ |
| struct vb2_struct_common c; |
| |
| /* Flags; see VB2_FIRMWARE_PREAMBLE_* */ |
| uint32_t flags; |
| |
| /* Firmware version */ |
| uint32_t firmware_version; |
| |
| /* Offset of signature (struct vb2_signature2) for this preamble */ |
| uint32_t sig_offset; |
| |
| /* |
| * The preamble contains a list of hashes (struct vb2_signature2) for |
| * the various firmware components. These have sig_alg=VB2_SIG_NONE, |
| * and the GUID for each hash identifies the component being hashed. |
| * The calling firmware is responsible for knowing where to find those |
| * components, which may be on a different storage device than this |
| * preamble. |
| */ |
| |
| /* Number of hash entries */ |
| uint32_t hash_count; |
| |
| /* Offset of first hash entry from start of preamble */ |
| uint32_t hash_offset; |
| } __attribute__((packed)); |
| |
| #define EXPECTED_VB2_FW_PREAMBLE2_SIZE (EXPECTED_VB2_STRUCT_COMMON_SIZE + 20) |
| |
| /****************************************************************************/ |
| |
| /* Flags for vb2_shared_data.flags */ |
| enum vb2_shared_data_flags { |
| /* User has explicitly and physically requested recovery */ |
| VB2_SD_FLAG_MANUAL_RECOVERY = (1 << 0), |
| |
| /* Developer mode is enabled */ |
| VB2_SD_DEV_MODE_ENABLED = (1 << 1), |
| |
| /* |
| * TODO: might be nice to add flags for why dev mode is enabled - via |
| * gbb, virtual dev switch, or forced on for testing. |
| */ |
| }; |
| |
| /* Flags for vb2_shared_data.status */ |
| enum vb2_shared_data_status { |
| /* Reinitialized NV data due to invalid checksum */ |
| VB2_SD_STATUS_NV_REINIT = (1 << 0), |
| |
| /* NV data has been initialized */ |
| VB2_SD_STATUS_NV_INIT = (1 << 1), |
| |
| /* Secure data initialized */ |
| VB2_SD_STATUS_SECDATA_INIT = (1 << 2), |
| |
| /* Chose a firmware slot */ |
| VB2_SD_STATUS_CHOSE_SLOT = (1 << 3), |
| }; |
| |
| /* |
| * Data shared between vboot API calls. Stored at the start of the work |
| * buffer. |
| */ |
| struct vb2_shared_data { |
| /* Flags; see enum vb2_shared_data_flags */ |
| uint32_t flags; |
| |
| /* Flags from GBB header */ |
| uint32_t gbb_flags; |
| |
| /* |
| * Reason we are in recovery mode this boot (enum vb2_nv_recovery), or |
| * 0 if we aren't. |
| */ |
| uint32_t recovery_reason; |
| |
| /* Firmware slot used last boot (0=A, 1=B) */ |
| uint32_t last_fw_slot; |
| |
| /* Result of last boot (enum vb2_fw_result) */ |
| uint32_t last_fw_result; |
| |
| /* Firmware slot used this boot */ |
| uint32_t fw_slot; |
| |
| /* |
| * Version for this slot (top 16 bits = key, lower 16 bits = firmware). |
| * |
| * TODO: Make this a union to allow getting/setting those versions |
| * separately? |
| */ |
| uint32_t fw_version; |
| |
| /* |
| * Status flags for this boot; see enum vb2_shared_data_status. Status |
| * is "what we've done"; flags above are "decisions we've made". |
| */ |
| uint32_t status; |
| |
| /********************************************************************** |
| * Temporary variables used during firmware verification. These don't |
| * really need to persist through to the OS, but there's nowhere else |
| * we can put them. |
| */ |
| |
| /* Root key offset and size from GBB header */ |
| uint32_t gbb_rootkey_offset; |
| uint32_t gbb_rootkey_size; |
| |
| /* Offset of preamble from start of vblock */ |
| uint32_t vblock_preamble_offset; |
| |
| /* |
| * Offset and size of packed data key in work buffer. Size is 0 if |
| * data key is not stored in the work buffer. |
| */ |
| uint32_t workbuf_data_key_offset; |
| uint32_t workbuf_data_key_size; |
| |
| /* |
| * Offset and size of firmware preamble in work buffer. Size if 0 if |
| * preamble is not stored in the work buffer. |
| */ |
| uint32_t workbuf_preamble_offset; |
| uint32_t workbuf_preamble_size; |
| |
| /* |
| * Offset and size of hash context in work buffer. Size if 0 if |
| * hash context is not stored in the work buffer. |
| */ |
| uint32_t workbuf_hash_offset; |
| uint32_t workbuf_hash_size; |
| |
| /* Current tag we're hashing */ |
| uint32_t hash_tag; |
| |
| /* Amount of data we still expect to hash */ |
| uint32_t hash_remaining_size; |
| |
| } __attribute__((packed)); |
| |
| /****************************************************************************/ |
| |
| /* Signature at start of the GBB |
| * Note that if you compile in the signature as is, you are likely to break any |
| * tools that search for the signature. */ |
| #define VB2_GBB_SIGNATURE "$GBB" |
| #define VB2_GBB_SIGNATURE_SIZE 4 |
| #define VB2_GBB_XOR_CHARS "****" |
| /* TODO: can we write a macro to produce this at compile time? */ |
| #define VB2_GBB_XOR_SIGNATURE { 0x0e, 0x6d, 0x68, 0x68 } |
| |
| /* VB2 GBB struct version */ |
| #define VB2_GBB_MAJOR_VER 1 |
| #define VB2_GBB_MINOR_VER 2 |
| /* v1.2 - added fields for sha256 digest of the HWID */ |
| |
| /* Flags for vb2_gbb_header.flags */ |
| enum vb2_gbb_flag { |
| /* |
| * Reduce the dev screen delay to 2 sec from 30 sec to speed up |
| * factory. |
| */ |
| VB2_GBB_FLAG_DEV_SCREEN_SHORT_DELAY = (1 << 0), |
| |
| /* |
| * BIOS should load option ROMs from arbitrary PCI devices. We'll never |
| * enable this ourselves because it executes non-verified code, but if |
| * a customer wants to void their warranty and set this flag in the |
| * read-only flash, they should be able to do so. |
| */ |
| VB2_GBB_FLAG_LOAD_OPTION_ROMS = (1 << 1), |
| |
| /* |
| * The factory flow may need the BIOS to boot a non-ChromeOS kernel if |
| * the dev-switch is on. This flag allows that. |
| */ |
| VB2_GBB_FLAG_ENABLE_ALTERNATE_OS = (1 << 2), |
| |
| /* |
| * Force dev switch on, regardless of physical/keyboard dev switch |
| * position. |
| */ |
| VB2_GBB_FLAG_FORCE_DEV_SWITCH_ON = (1 << 3), |
| |
| /* Allow booting from USB in dev mode even if dev_boot_usb=0. */ |
| VB2_GBB_FLAG_FORCE_DEV_BOOT_USB = (1 << 4), |
| |
| /* Disable firmware rollback protection. */ |
| VB2_GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK = (1 << 5), |
| |
| /* Allow Enter key to trigger dev->tonorm screen transition */ |
| VB2_GBB_FLAG_ENTER_TRIGGERS_TONORM = (1 << 6), |
| |
| /* Allow booting Legacy OSes in dev mode even if dev_boot_legacy=0. */ |
| VB2_GBB_FLAG_FORCE_DEV_BOOT_LEGACY = (1 << 7), |
| |
| /* Allow booting using alternate keys for FAFT servo testing */ |
| VB2_GBB_FLAG_FAFT_KEY_OVERIDE = (1 << 8), |
| |
| /* Disable EC software sync */ |
| VB2_GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC = (1 << 9), |
| |
| /* Default to booting legacy OS when dev screen times out */ |
| VB2_GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY = (1 << 10), |
| |
| /* Disable PD software sync */ |
| VB2_GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC = (1 << 11), |
| }; |
| |
| struct vb2_gbb_header { |
| /* Fields present in version 1.1 */ |
| uint8_t signature[VB2_GBB_SIGNATURE_SIZE]; /* VB2_GBB_SIGNATURE */ |
| uint16_t major_version; /* See VB2_GBB_MAJOR_VER */ |
| uint16_t minor_version; /* See VB2_GBB_MINOR_VER */ |
| uint32_t header_size; /* Size of GBB header in bytes */ |
| uint32_t flags; /* Flags (see enum vb2_gbb_flag) */ |
| |
| /* Offsets (from start of header) and sizes (in bytes) of components */ |
| uint32_t hwid_offset; /* HWID */ |
| uint32_t hwid_size; |
| uint32_t rootkey_offset; /* Root key */ |
| uint32_t rootkey_size; |
| uint32_t bmpfv_offset; /* BMP FV */ |
| uint32_t bmpfv_size; |
| uint32_t recovery_key_offset; /* Recovery key */ |
| uint32_t recovery_key_size; |
| |
| /* Added in version 1.2 */ |
| uint8_t hwid_digest[32]; /* SHA-256 of HWID */ |
| |
| /* Pad to match EXPECETED_VB2_GBB_HEADER_SIZE. Initialize to 0. */ |
| uint8_t pad[48]; |
| } __attribute__((packed)); |
| |
| /* The GBB is used outside of vboot_reference, so this size is important. */ |
| #define EXPECTED_VB2_GBB_HEADER_SIZE 128 |
| |
| #endif /* VBOOT_REFERENCE_VBOOT_2STRUCT_H_ */ |