Revert "vboot/vboot_kernel: update keyblock flag mismatch logic"
This reverts commit 0902a08d74f090b747f59de616abfdf2131b1ae3.
Reason for revert: This causes issues with booting, at least on the guybrush platform.
BUG=b:187953058
TEST=See OS boot failures with this patch in place. Remove patch and guybrush boots fine again.
Original change's description:
> vboot/vboot_kernel: update keyblock flag mismatch logic
>
> A keyblock flag mismatch should cause keyblock verification to
> fail regardless of whether a valid keyblock is required (i.e.
> self-signed keyblock case).
>
> This CL is part of a series to merge vboot1 and vboot2.0
> kernel verification code; see b/181739551.
>
> BUG=b:181739551
> TEST=make clean && make runtests
> BRANCH=none
>
> Signed-off-by: Joel Kitching <kitching@google.com>
> Change-Id: I47096ab7fcf0fbd47a46a9a92a5406e9aa9b3596
> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2846251
> Reviewed-by: Julius Werner <jwerner@chromium.org>
> Tested-by: Joel Kitching <kitching@chromium.org>
> Commit-Queue: Joel Kitching <kitching@chromium.org>
Bug: b:181739551
Change-Id: Ie778fd669bc072ba526d2082a3418208d6b28472
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2891607
Auto-Submit: Martin Roth <martinroth@google.com>
Tested-by: Martin Roth <martinroth@google.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Julius Werner <jwerner@chromium.org>
diff --git a/firmware/lib/vboot_kernel.c b/firmware/lib/vboot_kernel.c
index bf91990..8703697 100644
--- a/firmware/lib/vboot_kernel.c
+++ b/firmware/lib/vboot_kernel.c
@@ -232,14 +232,18 @@
VB2_KEYBLOCK_FLAG_DEVELOPER_1 :
VB2_KEYBLOCK_FLAG_DEVELOPER_0))) {
VB2_DEBUG("Keyblock developer flag mismatch.\n");
- return VB2_ERROR_KERNEL_KEYBLOCK_DEV_FLAG;
+ keyblock_valid = 0;
+ if (need_keyblock_valid)
+ return VB2_ERROR_KERNEL_KEYBLOCK_DEV_FLAG;
}
if (!(keyblock->keyblock_flags &
((ctx->flags & VB2_CONTEXT_RECOVERY_MODE) ?
VB2_KEYBLOCK_FLAG_RECOVERY_1 :
VB2_KEYBLOCK_FLAG_RECOVERY_0))) {
VB2_DEBUG("Keyblock recovery flag mismatch.\n");
- return VB2_ERROR_KERNEL_KEYBLOCK_REC_FLAG;
+ keyblock_valid = 0;
+ if (need_keyblock_valid)
+ return VB2_ERROR_KERNEL_KEYBLOCK_REC_FLAG;
}
/* Check for rollback of key version except in recovery mode. */
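Review bot: Both restored checks (developer flag and recovery flag) fall through on a mismatch whenever `need_keyblock_valid` is false, and nothing here explains why that is safe. On that path the only thing that separates this kernel from a properly verified one is `keyblock_valid = 0`, so everything after these checks has to consult that variable before treating the kernel as signed; that code lies outside the hunk and cannot be confirmed from here. I would add a comment above the first check such as `/* A flag mismatch marks the keyblock untrusted; it is fatal only when a valid keyblock is required. */`. Since the revert message names only a boot failure on guybrush, it would also help to record in the bug which flag combination those images carry, so the stricter check can be re-landed later.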
diff --git a/tests/vboot_kernel_tests.c b/tests/vboot_kernel_tests.c
index 2cae6d1..01b8b34 100644
--- a/tests/vboot_kernel_tests.c
+++ b/tests/vboot_kernel_tests.c
@@ -705,15 +705,7 @@
TestLoadKernel(VB2_ERROR_LK_INVALID_KERNEL_FOUND,
"Keyblock rec!dev flag mismatch");
- /* Check keyblock flag mismatch (dev mode) */
- ResetMocks();
- ctx->flags |= VB2_CONTEXT_DEVELOPER_MODE;
- kbh.keyblock_flags =
- VB2_KEYBLOCK_FLAG_RECOVERY_1 | VB2_KEYBLOCK_FLAG_DEVELOPER_0;
- TestLoadKernel(VB2_ERROR_LK_INVALID_KERNEL_FOUND,
- "Keyblock dev flag mismatch");
-
- /* Check keyblock flag mismatch (dev mode + signed kernel required) */
+ /* Check keyblock flag mismatches (dev mode + signed kernel required) */
ResetMocks();
ctx->flags |= VB2_CONTEXT_DEVELOPER_MODE;
vb2_nv_set(ctx, VB2_NV_DEV_BOOT_SIGNED_ONLY, 1);
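Review bot: Deleting the "Keyblock dev flag mismatch" case leaves the restored tolerant path with no test, namely developer mode with `VB2_NV_DEV_BOOT_SIGNED_ONLY` unset and keyblock flags `VB2_KEYBLOCK_FLAG_RECOVERY_1 | VB2_KEYBLOCK_FLAG_DEVELOPER_0`. I would keep that setup and change the expected result passed to `TestLoadKernel` to whatever the reverted logic is meant to return, instead of dropping the case. That pins the intended behaviour, where a mismatched keyblock is accepted only as unverified, and a later change to the fall-through would then show up in `make runtests`. The expected value is not visible in this hunk, so I am not proposing one. The surviving "signed kernel required" case continues past the end of the hunk.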