cros_ec: Use boot mode to check if EC can be trusted
Currently, EC_IN_RW signal is used for the AP to decide whether EC is
running an RO copy or not.
coreboot will set VB2_CONTEXT_EC_TRUSTED based on the EC's boot mode
if supported. It means the EC is in RO and PD is disabled. This patch
makes vb2_allow_recovery check VB2_CONTEXT_EC_TRUSTED prior to
entering recovery mode.
BUG=b:180927027, b:187871195
BRANCH=none
TEST=build
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Change-Id: Ie7fb337085f9c5f73ee82049d490a719f76a26bb
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2893095
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
diff --git a/firmware/2lib/2misc.c b/firmware/2lib/2misc.c
index 13cd35a..75a9f36 100644
--- a/firmware/2lib/2misc.c
+++ b/firmware/2lib/2misc.c
@@ -408,7 +408,7 @@
* return false (=RW). That's ok because if recovery is manual, we will
* get the right signal and that's the case we care about.
*/
- if (!vb2ex_ec_trusted())
+ if (!(ctx->flags & VB2_CONTEXT_EC_TRUSTED) && !vb2ex_ec_trusted())
return 0;
/* Now we confidently check the recovery switch state at boot */
diff --git a/firmware/2lib/include/2api.h b/firmware/2lib/include/2api.h
index fb8bc51..fb656da 100644
--- a/firmware/2lib/include/2api.h
+++ b/firmware/2lib/include/2api.h
@@ -233,6 +233,13 @@
* NO_BOOT means the OS is not allowed to boot. Only relevant for EFS2.
*/
VB2_CONTEXT_NO_BOOT = (1 << 23),
+
+ /*
+ * TRUSTED means EC is running an RO copy and PD isn't enabled. At
+ * least that was last known to the GSC. If EC RO is correctly behaving,
+ * it doesn't jump to RW when this flag is set.
+ */
+ VB2_CONTEXT_EC_TRUSTED = (1 << 24),
};
/* Helper for aligning fields in vb2_context. */
