Add recovery mode protection to new NVRAM locking scheme.

src/platform/vboot_reference/vboot_firmware/lib/firmware_image_fw.c

 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  *
  * Functions for verifying a verified boot firmware image.
  * (Firmware Portion)
  */
 
 #include "firmware_image_fw.h"
 
@@ skipping 234 matching lines @@
                            uint8_t* verification_headerB,
                            uint8_t* firmwareB) {
   /* Contains the logical firmware version (32-bit) which is calculated as
    * (firmware_key_version << 16 | firmware_version) where
    * [firmware_key_version] [firmware_version] are both 16-bit.
    */
   uint32_t firmwareA_lversion, firmwareB_lversion;
   uint8_t firmwareA_is_verified = 0;  /* Whether firmwareA verify succeeded. */
   uint32_t min_lversion;  /* Minimum of firmware A and firmware lversion. */
   uint32_t stored_lversion;  /* Stored logical version in the TPM. */
+  uint16_t version, key_version;  /* Temporary variables */
 
   /* Initialize the TPM since we'll be reading the rollback indices. */
   SetupTPM();
 
   /* We get the key versions by reading directly from the image blobs without
    * any additional (expensive) sanity checking on the blob since it's faster to
    * outright reject a firmware with an older firmware key version. A malformed
    * or corrupted firmware blob will still fail when VerifyFirmware() is called
    * on it.
    */
   firmwareA_lversion = GetLogicalFirmwareVersion(verification_headerA);
   firmwareB_lversion = GetLogicalFirmwareVersion(verification_headerB);
   min_lversion  = Min(firmwareA_lversion, firmwareB_lversion);
-  stored_lversion = CombineUint16Pair(GetStoredVersion(FIRMWARE_KEY_VERSION),
-                                      GetStoredVersion(FIRMWARE_VERSION));
+  GetStoredVersions(FIRMWARE_VERSIONS, &key_version, &version);
+  stored_lversion = CombineUint16Pair(key_version, version);
   /* Always try FirmwareA first. */
   if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob,
                                                 verification_headerA,
                                                 firmwareA))
     firmwareA_is_verified = 1;
   if (firmwareA_is_verified && (stored_lversion < firmwareA_lversion)) {
     /* Stored version may need to be updated but only if FirmwareB
      * is successfully verified and has a logical version greater than
      * the stored logical version. */
     if (stored_lversion < firmwareB_lversion) {
       if (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob,
                                                     verification_headerB,
                                                     firmwareB)) {
-        WriteStoredVersion(FIRMWARE_KEY_VERSION,
-                           (uint16_t) (min_lversion >> 16));
-        WriteStoredVersion(FIRMWARE_VERSION,
-                           (uint16_t) (min_lversion & 0x00FFFF));
+        WriteStoredVersions(FIRMWARE_VERSIONS,
+                            (uint16_t) (min_lversion >> 16),
+                            (uint16_t) (min_lversion & 0xFFFF));
         stored_lversion = min_lversion;  /* Update stored version as it's used
                                           * later. */
       }
     }
   }
   /* Lock Firmware TPM rollback indices from further writes.  In this design,
    * this is done by setting the globalLock bit, which is cleared only by
    * TPM_Init at reboot.
    */
   LockFirmwareVersions();
@@ skipping 22 matching lines @@
      */
     if (stored_lversion <= firmwareB_lversion &&
         (VERIFY_FIRMWARE_SUCCESS == VerifyFirmware(root_key_blob,
                                                    verification_headerB,
                                                    firmwareB)))
         return BOOT_FIRMWARE_B_CONTINUE;
   }
   /* D'oh: No bootable firmware. */
   return BOOT_FIRMWARE_RECOVERY_CONTINUE;
 }