summaryrefslogtreecommitdiffstats
path: root/src/lib
diff options
context:
space:
mode:
authorJulius Werner <jwerner@chromium.org>2022-08-08 18:08:35 -0700
committerJulius Werner <jwerner@chromium.org>2022-09-02 23:51:29 +0000
commitd96ca2465227f29354b41ce2ea7a17f1c5b8f1c1 (patch)
tree835f9410585448932b2195bfdb7b4066204411f3 /src/lib
parentb45b48de739ebaf52584bc23797869028950a535 (diff)
downloadcoreboot-d96ca2465227f29354b41ce2ea7a17f1c5b8f1c1.tar.gz
coreboot-d96ca2465227f29354b41ce2ea7a17f1c5b8f1c1.tar.bz2
coreboot-d96ca2465227f29354b41ce2ea7a17f1c5b8f1c1.zip
cbfs/vboot: Adapt to new vb2_digest API
CL:3825558 changes all vb2_digest and vb2_hash functions to take a new hwcrypto_allowed argument, to potentially let them try to call the vb2ex_hwcrypto API for hash calculation. This change will open hardware crypto acceleration up to all hash calculations in coreboot (most notably CBFS verification). As part of this change, the vb2_digest_buffer() function has been removed, so replace existing instances in coreboot with the newer vb2_hash_calculate() API. Due to the circular dependency of these changes with vboot, this patch also needs to update the vboot submodule: Updating from commit id 18cb85b5: 2load_kernel.c: Expose load kernel as vb2_api to commit id b827ddb9: tests: Ensure auxfw sync runs after EC sync This brings in 15 new commits. Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: I287d8dac3c49ad7ea3e18a015874ce8d610ec67e Reviewed-on: https://review.coreboot.org/c/coreboot/+/66561 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Jakub Czapiga <jacz@semihalf.com>
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/cbfs.c14
-rw-r--r--src/lib/metadata_hash.c3
2 files changed, 11 insertions, 6 deletions
diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c
index e1334f415281..4f2d9caea9d7 100644
--- a/src/lib/cbfs.c
+++ b/src/lib/cbfs.c
@@ -12,7 +12,7 @@
#include <list.h>
#include <metadata_hash.h>
#include <security/tpm/tspi/crtm.h>
-#include <security/vboot/vboot_common.h>
+#include <security/vboot/misc.h>
#include <stdlib.h>
#include <string.h>
#include <symbols.h>
@@ -160,7 +160,7 @@ static bool cbfs_file_hash_mismatch(const void *buffer, size_t size,
ERROR("'%s' does not have a file hash!\n", mdata->h.filename);
return true;
}
- if (vb2_hash_verify(buffer, size, hash) != VB2_SUCCESS) {
+ if (vb2_hash_verify(vboot_hwcrypto_allowed(), buffer, size, hash)) {
ERROR("'%s' file hash mismatch!\n", mdata->h.filename);
return true;
}
@@ -171,11 +171,15 @@ static bool cbfs_file_hash_mismatch(const void *buffer, size_t size,
/* No need to re-hash file if we already have it from verification. */
if (!hash || hash->algo != TPM_MEASURE_ALGO) {
- vb2_hash_calculate(buffer, size, TPM_MEASURE_ALGO, &calculated_hash);
- hash = &calculated_hash;
+ if (vb2_hash_calculate(vboot_hwcrypto_allowed(), buffer, size,
+ TPM_MEASURE_ALGO, &calculated_hash))
+ hash = NULL;
+ else
+ hash = &calculated_hash;
}
- if (tspi_cbfs_measurement(mdata->h.filename, be32toh(mdata->h.type), hash))
+ if (!hash ||
+ tspi_cbfs_measurement(mdata->h.filename, be32toh(mdata->h.type), hash))
ERROR("failed to measure '%s' into TCPA log\n", mdata->h.filename);
/* We intentionally continue to boot on measurement errors. */
}
diff --git a/src/lib/metadata_hash.c b/src/lib/metadata_hash.c
index e10f6ffee569..8779b7c03221 100644
--- a/src/lib/metadata_hash.c
+++ b/src/lib/metadata_hash.c
@@ -2,6 +2,7 @@
#include <assert.h>
#include <metadata_hash.h>
+#include <security/vboot/misc.h>
#include <symbols.h>
#if !CONFIG(COMPRESS_BOOTBLOCK) || ENV_DECOMPRESSOR
@@ -46,5 +47,5 @@ vb2_error_t metadata_hash_verify_fmap(const void *fmap_buffer, size_t fmap_size)
struct vb2_hash hash = { .algo = get_anchor()->cbfs_hash.algo };
memcpy(hash.raw, metadata_hash_anchor_fmap_hash(get_anchor()),
vb2_digest_size(hash.algo));
- return vb2_hash_verify(fmap_buffer, fmap_size, &hash);
+ return vb2_hash_verify(vboot_hwcrypto_allowed(), fmap_buffer, fmap_size, &hash);
}