| OLD | NEW |
|---|
| 1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 2 * Use of this source code is governed by a BSD-style license that can be | 2 * Use of this source code is governed by a BSD-style license that can be |
| 3 * found in the LICENSE file. | 3 * found in the LICENSE file. |
| 4 * | 4 * |
| 5 * Functions for verifying a verified boot firmware image. | 5 * Functions for verifying a verified boot firmware image. |
| 6 * (Firmware Portion) | 6 * (Firmware Portion) |
| 7 */ | 7 */ |
| 8 | 8 |
| 9 #include "firmware_image_fw.h" | 9 #include "firmware_image_fw.h" |
| 10 | 10 |
| (...skipping 271 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 282 firmwareB)) { | 282 firmwareB)) { |
| 283 WriteStoredVersion(FIRMWARE_KEY_VERSION, | 283 WriteStoredVersion(FIRMWARE_KEY_VERSION, |
| 284 (uint16_t) (min_lversion >> 16)); | 284 (uint16_t) (min_lversion >> 16)); |
| 285 WriteStoredVersion(FIRMWARE_VERSION, | 285 WriteStoredVersion(FIRMWARE_VERSION, |
| 286 (uint16_t) (min_lversion & 0x00FFFF)); | 286 (uint16_t) (min_lversion & 0x00FFFF)); |
| 287 stored_lversion = min_lversion; /* Update stored version as it's used | 287 stored_lversion = min_lversion; /* Update stored version as it's used |
| 288 * later. */ | 288 * later. */ |
| 289 } | 289 } |
| 290 } | 290 } |
| 291 } | 291 } |
| 292 /* Lock Firmware TPM rollback indices from further writes. */ | 292 /* Lock Firmware TPM rollback indices from further writes. In this design, |
| 293 /* TODO(gauravsh): Figure out if these can be combined into one | 293 * this is done by setting the globalLock bit, which is cleared only by |
| 294 * 32-bit location since we seem to always use them together. This can help | 294 * TPM_Init at reboot. |
| 295 * us minimize the number of NVRAM writes/locks (which are limited over flash | |
| 296 * memory lifetimes. | |
| 297 */ | 295 */ |
| 298 LockStoredVersion(FIRMWARE_KEY_VERSION); | 296 LockFirmwareVersions(); |
| 299 LockStoredVersion(FIRMWARE_VERSION); | |
| 300 | 297 |
| 301 /* Determine which firmware (if any) to jump to. | 298 /* Determine which firmware (if any) to jump to. |
| 302 * | 299 * |
| 303 * We always attempt to jump to FirmwareA first. If verification of FirmwareA | 300 * We always attempt to jump to FirmwareA first. If verification of FirmwareA |
| 304 * fails, we try FirmwareB. In all cases, if the firmware successfully | 301 * fails, we try FirmwareB. In all cases, if the firmware successfully |
| 305 * verified but is a rollback, we jump to recovery. | 302 * verified but is a rollback, we jump to recovery. |
| 306 * | 303 * |
| 307 * Note: This means that if FirmwareA verified successfully and is a | 304 * Note: This means that if FirmwareA verified successfully and is a |
| 308 * rollback, then no attempt is made to check FirmwareB. We still jump to | 305 * rollback, then no attempt is made to check FirmwareB. We still jump to |
| 309 * recovery. FirmwareB is only used as a backup in case FirmwareA gets | 306 * recovery. FirmwareB is only used as a backup in case FirmwareA gets |
| (...skipping 12 matching lines...) Expand all Loading... |
| 322 */ | 319 */ |
| 323 if (stored_lversion <= firmwareB_lversion && | 320 if (stored_lversion <= firmwareB_lversion && |
| 324 (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, | 321 (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob, |
| 325 verification_headerB, | 322 verification_headerB, |
| 326 firmwareB))) | 323 firmwareB))) |
| 327 return BOOT_FIRMWARE_B_CONTINUE; | 324 return BOOT_FIRMWARE_B_CONTINUE; |
| 328 } | 325 } |
| 329 /* D'oh: No bootable firmware. */ | 326 /* D'oh: No bootable firmware. */ |
| 330 return BOOT_FIRMWARE_RECOVERY_CONTINUE; | 327 return BOOT_FIRMWARE_RECOVERY_CONTINUE; |
| 331 } | 328 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2225005:
New anti-rollback strategy (no TPM NVRAM write cycles for locking). (Closed)
Base URL: ssh://git@chromiumos-git/chromeos