authorLuigi Semenzato <semenzato@chromium.org>2014-01-14 02:29:10 (GMT)
committerchrome-internal-fetch <chrome-internal-fetch@google.com>2014-02-21 02:36:40 (GMT)
commit12d9190f56854790f0c55e1481f23b49bb04d9fc (patch)
treecea390489431218d66c68b914d57ae2f8a7471d3
parentdb577abaf2f3843c5da3e49de5f478ab423354aa (diff)
depthcharge: add functions to improve dev mode switch securityfirmware-monroe-4921.B
Add VbExKeyboardReadWithFlags() and VbExGetSwitches() and read the recovery button state directly from hardware. Also pass the VB_INIT_FLAG_VIRTUAL_REC_SWITCH at init as appropriate. These changes make it possible for vboot to avoid some dangerous opportunistic exploits that could put the device in developer mode without the owner intending to do so. BUG=chrome-os-partner:21729 TEST=compiles BRANCH=none Change-Id: Ic34a0606ec93253303de9ca7adbdc37e0d2ccef9 Original-Change-Id: Ied1e59684517c0125be029f575be282fdb2db8a3 Reviewed-on: https://chromium-review.googlesource.com/187380 Reviewed-by: Shawn Nematbakhsh <shawnn@chromium.org> Commit-Queue: Shawn Nematbakhsh <shawnn@chromium.org> Tested-by: Shawn Nematbakhsh <shawnn@chromium.org>
-rw-r--r--board/beltino/defconfig1
-rw-r--r--board/monroe/defconfig1
-rw-r--r--board/panther/defconfig1
-rw-r--r--src/board/monroe/board.c6
-rw-r--r--src/board/panther/board.c6
-rw-r--r--src/vboot/Kconfig6
-rw-r--r--src/vboot/callbacks/Makefile.inc1
-rw-r--r--src/vboot/callbacks/keyboard.c14
-rw-r--r--src/vboot/callbacks/switches.c48
-rw-r--r--src/vboot/stages.c2
10 files changed, 86 insertions, 0 deletions
diff --git a/board/beltino/defconfig b/board/beltino/defconfig
index 2b09f1e..44d1d7d 100644
--- a/board/beltino/defconfig
+++ b/board/beltino/defconfig
@@ -9,6 +9,7 @@ CONFIG_FMAP_OFFSET=0x610000
# Vboot
CONFIG_OPROM_MATTERS=y
+CONFIG_PHYSICAL_REC_SWITCH=y
CONFIG_RO_NORMAL_SUPPORT=y
CONFIG_VIRTUAL_DEV_SWITCH=y
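Review bot: `CONFIG_PHYSICAL_REC_SWITCH=y` is enabled for beltino here, but the diffstat shows the `flag_replace(FLAG_RECSW, ...)` change only in the monroe and panther board.c files. If beltino has its own board setup, `VbExGetSwitches()` would presumably still report the recovery value handed over by coreboot rather than the live button state, which is what this commit sets out to avoid. Either add the same GPIO replacement for beltino or state in the commit message which board file covers it. The same setting in the monroe and panther defconfig hunks is backed by their board.c hunks.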
diff --git a/board/monroe/defconfig b/board/monroe/defconfig
index 98f06a7..28aeee5 100644
--- a/board/monroe/defconfig
+++ b/board/monroe/defconfig
@@ -9,6 +9,7 @@ CONFIG_FMAP_OFFSET=0x610000
# Vboot
CONFIG_OPROM_MATTERS=y
+CONFIG_PHYSICAL_REC_SWITCH=y
CONFIG_RO_NORMAL_SUPPORT=y
CONFIG_VIRTUAL_DEV_SWITCH=y
diff --git a/board/panther/defconfig b/board/panther/defconfig
index 5944658..d85652b 100644
--- a/board/panther/defconfig
+++ b/board/panther/defconfig
@@ -9,6 +9,7 @@ CONFIG_FMAP_OFFSET=0x610000
# Vboot
CONFIG_OPROM_MATTERS=y
+CONFIG_PHYSICAL_REC_SWITCH=y
CONFIG_RO_NORMAL_SUPPORT=y
CONFIG_VIRTUAL_DEV_SWITCH=y
diff --git a/src/board/monroe/board.c b/src/board/monroe/board.c
index d9c6d69..f8997a7 100644
--- a/src/board/monroe/board.c
+++ b/src/board/monroe/board.c
@@ -42,6 +42,12 @@ static int board_setup(void)
if (sysinfo_install_flags())
return 1;
+ // Read the current value of the recovery button instead of the
+ // value passed by coreboot.
+ LpPchGpio *rec_gpio = new_lp_pch_gpio_input(12);
+ if (flag_replace(FLAG_RECSW, new_gpio_not(&rec_gpio->ops)))
+ return 1;
+
MemMappedFlash *flash = new_mem_mapped_flash(0xff800000, 0x800000);
if (!flash || flash_set_ops(&flash->ops))
return 1;
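Review bot: `rec_gpio` is dereferenced as `&rec_gpio->ops` without a NULL check, while the flash constructor just below is guarded with `!flash`; if `new_lp_pch_gpio_input()` can fail the same way, board setup faults instead of returning 1. I would write `if (!rec_gpio || flag_replace(FLAG_RECSW, new_gpio_not(&rec_gpio->ops)))` and confirm whether `new_gpio_not()` can return NULL as well. The bare `12` would read better as a named constant for the recovery button GPIO. The identical lines in the src/board/panther/board.c hunk need the same change; board_setup() begins and ends outside both hunks.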
diff --git a/src/board/panther/board.c b/src/board/panther/board.c
index d9c6d69..f8997a7 100644
--- a/src/board/panther/board.c
+++ b/src/board/panther/board.c
@@ -42,6 +42,12 @@ static int board_setup(void)
if (sysinfo_install_flags())
return 1;
+ // Read the current value of the recovery button instead of the
+ // value passed by coreboot.
+ LpPchGpio *rec_gpio = new_lp_pch_gpio_input(12);
+ if (flag_replace(FLAG_RECSW, new_gpio_not(&rec_gpio->ops)))
+ return 1;
+
MemMappedFlash *flash = new_mem_mapped_flash(0xff800000, 0x800000);
if (!flash || flash_set_ops(&flash->ops))
return 1;
diff --git a/src/vboot/Kconfig b/src/vboot/Kconfig
index 9225a52..3ee3d5d 100644
--- a/src/vboot/Kconfig
+++ b/src/vboot/Kconfig
@@ -29,6 +29,12 @@ config VIRTUAL_DEV_SWITCH
help
Whether this platform has a virtual developer switch.
+config PHYSICAL_REC_SWITCH
+ bool "Physical recovery switch is present"
+ default n
+ help
+ Informs vboot that a physical recovery switch is present
+
config OPROM_MATTERS
bool "Video option ROM matters"
default n
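Review bot: The help text for `PHYSICAL_REC_SWITCH` does not tell a board porter what the option changes. Per the stages.c hunk in this commit, leaving it at the default `n` makes vboot_init() pass `VB_INIT_FLAG_VIRTUAL_REC_SWITCH`, and that default applies to every board that does not opt in. I would extend the help along the lines of `Say y only if the board reads the recovery button state directly from hardware; when n, vboot is told the recovery switch is virtual.` so the security-relevant choice is visible at configuration time.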
diff --git a/src/vboot/callbacks/Makefile.inc b/src/vboot/callbacks/Makefile.inc
index 158e167..919caed 100644
--- a/src/vboot/callbacks/Makefile.inc
+++ b/src/vboot/callbacks/Makefile.inc
@@ -28,6 +28,7 @@ depthcharge-y += misc.c
depthcharge-$(CONFIG_NV_STORAGE_CMOS) += nvstorage_cmos.c
depthcharge-$(CONFIG_NV_STORAGE_DISK) += nvstorage_disk.c
depthcharge-$(CONFIG_NV_STORAGE_CROS_EC) += nvstorage_cros_ec.c
+depthcharge-y += switches.c
depthcharge-y += time.c
depthcharge-y += tpm.c
diff --git a/src/vboot/callbacks/keyboard.c b/src/vboot/callbacks/keyboard.c
index d54f35d..20c23ee 100644
--- a/src/vboot/callbacks/keyboard.c
+++ b/src/vboot/callbacks/keyboard.c
@@ -61,3 +61,17 @@ uint32_t VbExKeyboardRead(void)
return ch;
}
}
+
+uint32_t VbExKeyboardReadWithFlags(uint32_t *flags_ptr)
+{
+ uint32_t c = VbExKeyboardRead();
+ if (flags_ptr) {
+ *flags_ptr = 0;
+ // USB keyboards definitely cannot be trusted (assuming they
+ // are even keyboards). There are other devices that also
+ // cannot be trusted, but this is the best we can do for now.
+ if (last_key_input_type() != CONSOLE_INPUT_TYPE_USB)
+ *flags_ptr |= VB_KEY_FLAG_TRUSTED_KEYBOARD;
+ }
+ return c;
+}
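Review bot: The trust decision in `VbExKeyboardReadWithFlags()` is a denylist: every input type other than `CONSOLE_INPUT_TYPE_USB` receives `VB_KEY_FLAG_TRUSTED_KEYBOARD`, so an unknown or later-added input type is trusted by default. The in-code comment admits the gap, but failing closed would be safer: set the flag only when `last_key_input_type()` equals one of the input types known to be built into the device. Separately, `last_key_input_type()` is sampled even when `VbExKeyboardRead()` delivered no key, in which case it presumably describes an earlier keystroke. A short doc comment stating when `*flags_ptr` is meaningful would make that contract explicit.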
diff --git a/src/vboot/callbacks/switches.c b/src/vboot/callbacks/switches.c
new file mode 100644
index 0000000..e07ae88
--- /dev/null
+++ b/src/vboot/callbacks/switches.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2014 Google Inc.
+ *
+ * See file CREDITS for list of people who contributed to this
+ * project.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but without any warranty; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA 02111-1307 USA
+ */
+
+#include <libpayload.h>
+#include <vboot_api.h>
+#include <vboot/util/flag.h>
+
+/*
+ * Return the state of the switches specified in request_mask.
+ * TODO(semenzato): find a better interface than the INIT_FLAGS.
+ */
+uint32_t VbExGetSwitches(uint32_t request_mask)
+{
+ uint32_t result = 0;
+
+ if ((request_mask & VB_INIT_FLAG_DEV_SWITCH_ON) &&
+ flag_fetch(FLAG_DEVSW))
+ result |= VB_INIT_FLAG_DEV_SWITCH_ON;
+
+ if ((request_mask & VB_INIT_FLAG_REC_BUTTON_PRESSED) &&
+ flag_fetch(FLAG_RECSW))
+ result |= VB_INIT_FLAG_REC_BUTTON_PRESSED;
+
+ if ((request_mask & VB_INIT_FLAG_WP_ENABLED) &&
+ flag_fetch(FLAG_WPSW))
+ result |= VB_INIT_FLAG_WP_ENABLED;
+
+ return result;
+}
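Review bot: Each branch of `VbExGetSwitches()` treats any non-zero `flag_fetch()` result as "switch on". If `flag_fetch()` can return a negative value on a read error (not visible in this hunk), a failed read of `FLAG_RECSW` or `FLAG_DEVSW` would be reported as pressed or on. For a call meant to confirm physical presence I would fail closed, e.g. `flag_fetch(FLAG_RECSW) > 0`, or test for the error explicitly. The header comment could also say that bits in `request_mask` other than the three handled here are ignored and returned as 0.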
diff --git a/src/vboot/stages.c b/src/vboot/stages.c
index 20366b3..f4c4039 100644
--- a/src/vboot/stages.c
+++ b/src/vboot/stages.c
@@ -78,6 +78,8 @@ int vboot_init(void)
iparams.flags |= VB_INIT_FLAG_VIRTUAL_DEV_SWITCH;
if (CONFIG_EC_SOFTWARE_SYNC)
iparams.flags |= VB_INIT_FLAG_EC_SOFTWARE_SYNC;
+ if (!CONFIG_PHYSICAL_REC_SWITCH)
+ iparams.flags |= VB_INIT_FLAG_VIRTUAL_REC_SWITCH;
printf("Calling VbInit().\n");
VbError_t res = VbInit(&cparams, &iparams);