Add recovery mode protection to new NVRAM locking scheme.

src/platform/vboot_reference/vboot_firmware/lib/kernel_image_fw.c

 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  *
  * Functions for verifying a verified boot kernel image.
  * (Firmware portion)
  */
 
 #include "kernel_image_fw.h"
 
@@ skipping 348 matching lines @@
   /* Contains the logical kernel version (32-bit) which is calculated as
    * (kernel_key_version << 16 | kernel_version) where
    * [kernel_key_version], [firmware_version] are both 16-bit.
    */
   uint32_t kernelA_lversion, kernelB_lversion;
   uint32_t min_lversion;  /* Minimum of kernel A and kernel B lversion. */
   uint32_t stored_lversion;  /* Stored logical version in the TPM. */
   kernel_entry* try_kernel[2];  /* Kernel in try order. */
   int try_kernel_which[2];  /* Which corresponding kernel in the try order */
   uint32_t try_kernel_lversion[2];  /* Their logical versions. */
+  uint16_t kernel_version, kernel_key_version;  /* Temporary variables */
 
   /* [kernel_to_boot] will eventually contain the boot path to follow
    * and is returned to the caller. Initially, we set it to recovery. If
    * a valid bootable kernel is found, it will be set to that. */
   int kernel_to_boot = BOOT_KERNEL_RECOVERY_CONTINUE;
 
 
   /* The TPM must already have be initialized, so no need to call SetupTPM(). */
 
   /* We get the key versions by reading directly from the image blobs without
    * any additional (expensive) sanity checking on the blob since it's faster to
    * outright reject a kernel with an older kernel key version. A malformed
    * or corrupted kernel blob will still fail when VerifyKernel() is called
    * on it.
    */
   kernelA_lversion = GetLogicalKernelVersion(kernelA->kernel_blob);
   kernelB_lversion = GetLogicalKernelVersion(kernelB->kernel_blob);
   min_lversion  = Min(kernelA_lversion, kernelB_lversion);
-  stored_lversion = CombineUint16Pair(GetStoredVersion(KERNEL_KEY_VERSION),
-                                      GetStoredVersion(KERNEL_VERSION));
+  GetStoredVersions(KERNEL_VERSIONS, &kernel_key_version, &kernel_version);
+  stored_lversion = CombineUint16Pair(kernel_key_version, kernel_version);
 
   /* TODO(gauravsh): The kernel entries kernelA and kernelB come from the
    * partition table - verify its signature/checksum before proceeding
    * further. */
 
   /* The logic for deciding which kernel to boot from is taken from the
    * the Chromium OS Drive Map design document.
    *
    * We went to consider the kernels in their according to their boot
    * priority attribute value.
@@ skipping 27 matching lines @@
       if (try_kernel[i]->boot_tries_remaining > 0)
         try_kernel[i]->boot_tries_remaining--;
       if (stored_lversion > try_kernel_lversion[i])
         continue;  /* Rollback: I am afraid I can't let you do that Dave. */
       if (i == 0 && (stored_lversion < try_kernel_lversion[1])) {
         /* The higher priority kernel is valid and bootable, See if we
          * need to update the stored version for rollback prevention. */
         if (VERIFY_KERNEL_SUCCESS == VerifyKernel(firmware_key_blob,
                                                   try_kernel[1]->kernel_blob,
                                                   dev_mode)) {
-          WriteStoredVersion(KERNEL_KEY_VERSION,
-                             (uint16_t) (min_lversion >> 16));
-          WriteStoredVersion(KERNEL_VERSION,
-                             (uint16_t) (min_lversion & 0xFFFF));
+          WriteStoredVersions(KERNEL_VERSIONS,
+                              (uint16_t) (min_lversion >> 16),
+                                (uint16_t) (min_lversion & 0xFFFF));
           stored_lversion = min_lversion;  /* Update stored version as it's
                                             * used later. */
         }
       }
       kernel_to_boot = try_kernel_which[i];
       break;  /* We found a valid kernel. */
     }
     try_kernel[i]->boot_priority = 0;
     }  /* for loop. */
 
   /* Lock Kernel TPM rollback indices from further writes.  In this design,
    * this is tied to locking physical presence---so (software) physical
    * presence cannot be asserted after this point.  This is a big side effect,
    * so we want to make it clear in the function name.
    * TODO(gauravsh): figure out better abstractions.
    */
   LockKernelVersionsByLockingPP();
   return kernel_to_boot;
 }