VbError_t VbSelectAndLoadKernel(VbCommonParams *cparams, VbSelectAndLoadKernelParams *kparams) { VbSharedDataHeader *shared = (VbSharedDataHeader *)cparams->shared_data_blob; VbError_t retval = VBERROR_SUCCESS; LoadKernelParams p; uint32_t tpm_status = 0; /* Start timer */ shared->timer_vb_select_and_load_kernel_enter = VbExGetTimer(); VbExNvStorageRead(vnc.raw); VbNvSetup(&vnc); /* Clear output params in case we fail */ kparams->disk_handle = NULL; kparams->partition_number = 0; kparams->bootloader_address = 0; kparams->bootloader_size = 0; kparams->flags = 0; Memset(kparams->partition_guid, 0, sizeof(kparams->partition_guid)); cparams->bmp = NULL; cparams->gbb = VbExMalloc(sizeof(*cparams->gbb)); retval = VbGbbReadHeader_static(cparams, cparams->gbb); if (VBERROR_SUCCESS != retval) goto VbSelectAndLoadKernel_exit; /* Do EC software sync if necessary */ if ((shared->flags & VBSD_EC_SOFTWARE_SYNC) && !(cparams->gbb->flags & GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC)) { int oprom_mismatch = 0; retval = VbEcSoftwareSync(0, cparams); /* Save reboot requested until after possible PD sync */ if (retval == VBERROR_VGA_OPROM_MISMATCH) oprom_mismatch = 1; else if (retval != VBERROR_SUCCESS) goto VbSelectAndLoadKernel_exit; #ifdef PD_SYNC if (!(cparams->gbb->flags & GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC)) { retval = VbEcSoftwareSync(1, cparams); if (retval == VBERROR_VGA_OPROM_MISMATCH) oprom_mismatch = 1; else if (retval != VBERROR_SUCCESS) goto VbSelectAndLoadKernel_exit; } #endif /* Request reboot to unload VGA Option ROM */ if (oprom_mismatch) { retval = VBERROR_VGA_OPROM_MISMATCH; goto VbSelectAndLoadKernel_exit; } } /* Read kernel version from the TPM. Ignore errors in recovery mode. */ tpm_status = RollbackKernelRead(&shared->kernel_version_tpm); if (0 != tpm_status) { VBDEBUG(("Unable to get kernel versions from TPM\n")); if (!shared->recovery_reason) { VbSetRecoveryRequest(VBNV_RECOVERY_RW_TPM_R_ERROR); retval = VBERROR_TPM_READ_KERNEL; goto VbSelectAndLoadKernel_exit; } } shared->kernel_version_tpm_start = shared->kernel_version_tpm; /* Fill in params for calls to LoadKernel() */ Memset(&p, 0, sizeof(p)); p.shared_data_blob = cparams->shared_data_blob; p.shared_data_size = cparams->shared_data_size; p.gbb_data = cparams->gbb_data; p.gbb_size = cparams->gbb_size; /* * This could be set to NULL, in which case the vboot header * information about the load address and size will be used. */ p.kernel_buffer = kparams->kernel_buffer; p.kernel_buffer_size = kparams->kernel_buffer_size; p.nv_context = &vnc; p.boot_flags = 0; if (shared->flags & VBSD_BOOT_DEV_SWITCH_ON) p.boot_flags |= BOOT_FLAG_DEVELOPER; /* Handle separate normal and developer firmware builds. */ #if defined(VBOOT_FIRMWARE_TYPE_NORMAL) /* Normal-type firmware always acts like the dev switch is off. */ p.boot_flags &= ~BOOT_FLAG_DEVELOPER; #elif defined(VBOOT_FIRMWARE_TYPE_DEVELOPER) /* Developer-type firmware fails if the dev switch is off. */ if (!(p.boot_flags & BOOT_FLAG_DEVELOPER)) { /* * Dev firmware should be signed with a key that only verifies * when the dev switch is on, so we should never get here. */ VBDEBUG(("Developer firmware called with dev switch off!\n")); VbSetRecoveryRequest(VBNV_RECOVERY_RW_DEV_MISMATCH); retval = VBERROR_DEV_FIRMWARE_SWITCH_MISMATCH; goto VbSelectAndLoadKernel_exit; } #else /* * Recovery firmware, or merged normal+developer firmware. No need to * override flags. */ #endif /* Select boot path */ if (shared->recovery_reason) { /* Recovery boot */ p.boot_flags |= BOOT_FLAG_RECOVERY; retval = VbBootRecovery(cparams, &p); VbExEcEnteringMode(0, VB_EC_RECOVERY); VbDisplayScreen(cparams, VB_SCREEN_BLANK, 0, &vnc); } else if (p.boot_flags & BOOT_FLAG_DEVELOPER) { /* Developer boot */ retval = VbBootDeveloper(cparams, &p); VbExEcEnteringMode(0, VB_EC_DEVELOPER); VbDisplayScreen(cparams, VB_SCREEN_BLANK, 0, &vnc); } else { /* Normal boot */ VbExEcEnteringMode(0, VB_EC_NORMAL); retval = VbBootNormal(cparams, &p); if ((1 == shared->firmware_index) && (shared->flags & VBSD_FWB_TRIED)) { /* * Special cases for when we're trying a new firmware * B. These are needed because firmware updates also * usually change the kernel key, which means that the * B firmware can only boot a new kernel, and the old * firmware in A can only boot the previous kernel. * * Don't advance the TPM if we're trying a new firmware * B, because we don't yet know if the new kernel will * successfully boot. We still want to be able to fall * back to the previous firmware+kernel if the new * firmware+kernel fails. * * If we found only invalid kernels, reboot and try * again. This allows us to fall back to the previous * firmware+kernel instead of giving up and going to * recovery mode right away. We'll still go to * recovery mode if we run out of tries and the old * firmware can't find a kernel it likes. */ if (VBERROR_INVALID_KERNEL_FOUND == retval) { VBDEBUG(("Trying firmware B, " "and only found invalid kernels.\n")); VbSetRecoveryRequest(VBNV_RECOVERY_NOT_REQUESTED); goto VbSelectAndLoadKernel_exit; } } else { /* Not trying a new firmware B. */ /* See if we need to update the TPM. */ VBDEBUG(("Checking if TPM kernel version needs " "advancing\n")); if (shared->kernel_version_tpm > shared->kernel_version_tpm_start) { tpm_status = RollbackKernelWrite( shared->kernel_version_tpm); if (0 != tpm_status) { VBDEBUG(("Error writing kernel " "versions to TPM.\n")); VbSetRecoveryRequest(VBNV_RECOVERY_RW_TPM_W_ERROR); retval = VBERROR_TPM_WRITE_KERNEL; goto VbSelectAndLoadKernel_exit; } } } } if (VBERROR_SUCCESS != retval) goto VbSelectAndLoadKernel_exit; /* Save disk parameters */ kparams->disk_handle = p.disk_handle; kparams->partition_number = (uint32_t)p.partition_number; kparams->bootloader_address = p.bootloader_address; kparams->bootloader_size = (uint32_t)p.bootloader_size; kparams->flags = p.flags; Memcpy(kparams->partition_guid, p.partition_guid, sizeof(kparams->partition_guid)); /* Lock the kernel versions. Ignore errors in recovery mode. */ tpm_status = RollbackKernelLock(shared->recovery_reason); if (0 != tpm_status) { VBDEBUG(("Error locking kernel versions.\n")); if (!shared->recovery_reason) { VbSetRecoveryRequest(VBNV_RECOVERY_RW_TPM_L_ERROR); retval = VBERROR_TPM_LOCK_KERNEL; goto VbSelectAndLoadKernel_exit; } } VbSelectAndLoadKernel_exit: VbApiKernelFree(cparams); VbNvTeardown(&vnc); if (vnc.raw_changed) VbExNvStorageWrite(vnc.raw); /* Stop timer */ shared->timer_vb_select_and_load_kernel_exit = VbExGetTimer(); kparams->kernel_buffer = p.kernel_buffer; kparams->kernel_buffer_size = p.kernel_buffer_size; VBDEBUG(("VbSelectAndLoadKernel() returning %d\n", (int)retval)); /* Pass through return value from boot path */ return retval; }
VbError_t VbInit(VbCommonParams *cparams, VbInitParams *iparams) { VbSharedDataHeader *shared = (VbSharedDataHeader *)cparams->shared_data_blob; GoogleBinaryBlockHeader gbb; VbNvContext vnc; VbError_t retval = VBERROR_SUCCESS; uint32_t recovery = VBNV_RECOVERY_NOT_REQUESTED; int is_s3_resume = 0; uint32_t s3_debug_boot = 0; uint32_t require_official_os = 0; uint32_t tpm_version = 0; uint32_t tpm_status = 0; int has_virt_dev_switch = 0; int is_hw_dev = 0; int is_virt_dev = 0; uint32_t disable_dev_request = 0; uint32_t clear_tpm_owner_request = 0; int is_dev = 0; uint32_t backup_requested = 0; uint32_t backup_for_safety = 0; int lost_nvram; /* Initialize output flags */ iparams->out_flags = 0; retval = VbGbbReadHeader_static(cparams, &gbb); if (retval) return retval; VBDEBUG(("VbInit() input flags 0x%x gbb flags 0x%x\n", iparams->flags, gbb.flags)); /* Set up NV storage */ VbExNvStorageRead(vnc.raw); VbNvSetup(&vnc); lost_nvram = vnc.regenerate_crc; /* Initialize shared data structure */ if (0 != VbSharedDataInit(shared, cparams->shared_data_size)) { VBDEBUG(("Shared data init error\n")); return VBERROR_INIT_SHARED_DATA; } shared->timer_vb_init_enter = VbExGetTimer(); /* Copy some boot switch flags */ /* TODO: in next refactor, just save in/out flags in VbSharedData */ shared->flags = 0; if (iparams->flags & VB_INIT_FLAG_REC_BUTTON_PRESSED) shared->flags |= VBSD_BOOT_REC_SWITCH_ON; if (iparams->flags & VB_INIT_FLAG_WP_ENABLED) shared->flags |= VBSD_BOOT_FIRMWARE_WP_ENABLED; if (iparams->flags & VB_INIT_FLAG_SW_WP_ENABLED) shared->flags |= VBSD_BOOT_FIRMWARE_SW_WP_ENABLED; if (iparams->flags & VB_INIT_FLAG_S3_RESUME) shared->flags |= VBSD_BOOT_S3_RESUME; if (iparams->flags & VB_INIT_FLAG_RO_NORMAL_SUPPORT) shared->flags |= VBSD_BOOT_RO_NORMAL_SUPPORT; if (iparams->flags & VB_INIT_FLAG_EC_SOFTWARE_SYNC) shared->flags |= VBSD_EC_SOFTWARE_SYNC; if (iparams->flags & VB_INIT_FLAG_EC_SLOW_UPDATE) shared->flags |= VBSD_EC_SLOW_UPDATE; if (iparams->flags & VB_INIT_FLAG_VIRTUAL_REC_SWITCH) shared->flags |= VBSD_BOOT_REC_SWITCH_VIRTUAL; if (iparams->flags & VB_INIT_FLAG_OPROM_MATTERS) shared->flags |= VBSD_OPROM_MATTERS; if (iparams->flags & VB_INIT_FLAG_OPROM_LOADED) shared->flags |= VBSD_OPROM_LOADED; is_s3_resume = (iparams->flags & VB_INIT_FLAG_S3_RESUME ? 1 : 0); /* Check if the OS is requesting a debug S3 reset */ VbNvGet(&vnc, VBNV_DEBUG_RESET_MODE, &s3_debug_boot); if (s3_debug_boot) { if (is_s3_resume) { VBDEBUG(("VbInit() requesting S3 debug boot\n")); iparams->out_flags |= VB_INIT_OUT_S3_DEBUG_BOOT; is_s3_resume = 0; /* Proceed as if normal boot */ } /* * Clear the request even if this is a normal boot, since we * don't want the NEXT S3 resume to be a debug reset unless the * OS asserts the request again. */ VbNvSet(&vnc, VBNV_DEBUG_RESET_MODE, 0); } /* * If this isn't a S3 resume, read the current recovery request, then * clear it so we don't get stuck in recovery mode. */ if (!is_s3_resume) { VbNvGet(&vnc, VBNV_RECOVERY_REQUEST, &recovery); VBDEBUG(("VbInit sees recovery request = %d\n", recovery)); if (VBNV_RECOVERY_NOT_REQUESTED != recovery) VbNvSet(&vnc, VBNV_RECOVERY_REQUEST, VBNV_RECOVERY_NOT_REQUESTED); } /* * If the previous boot failed in the firmware somewhere outside of * verified boot, and recovery is not requested for our own reasons, * request recovery mode. This gives the calling firmware a way to * request recovery if it finds something terribly wrong. */ if (VBNV_RECOVERY_NOT_REQUESTED == recovery && iparams->flags & VB_INIT_FLAG_PREVIOUS_BOOT_FAIL) { recovery = VBNV_RECOVERY_RO_FIRMWARE; } /* * If recovery button is pressed, override recovery reason. Note that * we do this in the S3 resume path also. */ if (iparams->flags & VB_INIT_FLAG_REC_BUTTON_PRESSED) recovery = VBNV_RECOVERY_RO_MANUAL; /* * Copy current recovery reason to shared data. If we fail later on, it * won't matter, since we'll just reboot. */ shared->recovery_reason = (uint8_t)recovery; VBDEBUG(("VbInit now sets shared->recovery_reason = %d\n", recovery)); /* * If this is a S3 resume, resume the TPM. * * FIXME: I think U-Boot won't ever ask us to do this. Can we remove * it? */ if (is_s3_resume) { if (TPM_SUCCESS != RollbackS3Resume()) { /* * If we can't resume, just do a full reboot. No need * to go to recovery mode here, since if the TPM is * really broken we'll catch it on the next boot. */ retval = VBERROR_TPM_S3_RESUME; } } else { /* Should we pay attention to the TPM's virtual dev-switch? */ if (iparams->flags & VB_INIT_FLAG_VIRTUAL_DEV_SWITCH) { shared->flags |= VBSD_HONOR_VIRT_DEV_SWITCH; has_virt_dev_switch = 1; } /* * We always believe the HW dev-switch, since there's one * attached to servo which may be active even on systems * without a physical switch. The EC may also implement a fake * dev-switch for testing. */ if (iparams->flags & VB_INIT_FLAG_DEV_SWITCH_ON) is_hw_dev = 1; /* We may be asked to clear the virtual dev-switch at boot. */ VbNvGet(&vnc, VBNV_DISABLE_DEV_REQUEST, &disable_dev_request); /* Allow GBB flag to override dev switch */ if (gbb.flags & GBB_FLAG_FORCE_DEV_SWITCH_ON) is_hw_dev = 1; /* Have we been explicitly asked to clear the TPM owner? */ VbNvGet(&vnc, VBNV_CLEAR_TPM_OWNER_REQUEST, &clear_tpm_owner_request); /* * Initialize the TPM. If the developer mode state has changed * since the last boot, we need to clear TPM ownership. If the * TPM space is initialized by this call, the virtual * dev-switch will be disabled by default) */ VBDEBUG(("TPM: Call RollbackFirmwareSetup(r%d, d%d)\n", recovery, is_hw_dev)); tpm_status = RollbackFirmwareSetup(is_hw_dev, disable_dev_request, clear_tpm_owner_request, /* two outputs on success */ &is_virt_dev, &tpm_version); if (0 != tpm_status) { VBDEBUG(("Unable to setup TPM and read " "firmware version (0x%x)\n", tpm_status)); if (TPM_E_MUST_REBOOT == tpm_status) { /* * TPM wants to reboot into the same mode we're * in now */ VBDEBUG(("TPM requires a reboot.\n")); if (!recovery) { /* * Not recovery mode. Just reboot (not * into recovery). */ retval = VBERROR_TPM_REBOOT_REQUIRED; goto VbInit_exit; } else if (VBNV_RECOVERY_RO_TPM_REBOOT != shared->recovery_reason) { /* * In recovery mode now, and we haven't * requested a TPM reboot yet, so * request one. */ VbNvSet(&vnc, VBNV_RECOVERY_REQUEST, VBNV_RECOVERY_RO_TPM_REBOOT); retval = VBERROR_TPM_REBOOT_REQUIRED; goto VbInit_exit; } } if (!recovery) { VbNvSet(&vnc, VBNV_RECOVERY_REQUEST, VBNV_RECOVERY_RO_TPM_S_ERROR); VbNvSet(&vnc, VBNV_RECOVERY_SUBCODE, tpm_status); retval = VBERROR_TPM_FIRMWARE_SETUP; goto VbInit_exit; } } /* TPM setup succeeded, or we're in recovery mode and ignoring * errors. What did we learn? */ shared->fw_version_tpm_start = tpm_version; shared->fw_version_tpm = tpm_version; if (is_hw_dev || (has_virt_dev_switch && is_virt_dev)) { is_dev = 1; shared->flags |= VBSD_BOOT_DEV_SWITCH_ON; } if (disable_dev_request && !is_virt_dev) VbNvSet(&vnc, VBNV_DISABLE_DEV_REQUEST, 0); if (clear_tpm_owner_request) { VbNvSet(&vnc, VBNV_CLEAR_TPM_OWNER_REQUEST, 0); VbNvSet(&vnc, VBNV_CLEAR_TPM_OWNER_DONE, 1); } } /* * If the nvram state was lost, try to restore the bits we care about * from the backup in the TPM. It's okay if we can't, though. * Note: None of the bits that we back up should have been referenced * before this point. Otherwise, they'll just be overwritten here. * All the other bits will be unchanged from whatever has happened to * them since VbNvSetup() reinitialized the VbNvContext. */ if (lost_nvram) RestoreNvFromBackup(&vnc); /* Allow BIOS to load arbitrary option ROMs? */ if (gbb.flags & GBB_FLAG_LOAD_OPTION_ROMS) iparams->out_flags |= VB_INIT_OUT_ENABLE_OPROM; /* Factory may need to boot custom OSes when the dev-switch is on */ if (is_dev && (gbb.flags & GBB_FLAG_ENABLE_ALTERNATE_OS)) iparams->out_flags |= VB_INIT_OUT_ENABLE_ALTERNATE_OS; /* Set output flags */ if (VBNV_RECOVERY_NOT_REQUESTED != recovery) { /* Requesting recovery mode */ iparams->out_flags |= (VB_INIT_OUT_ENABLE_RECOVERY | VB_INIT_OUT_CLEAR_RAM | VB_INIT_OUT_ENABLE_DISPLAY | VB_INIT_OUT_ENABLE_USB_STORAGE); } else if (is_dev) { /* Developer switch is on, so need to support dev mode */ iparams->out_flags |= (VB_INIT_OUT_ENABLE_DEVELOPER | VB_INIT_OUT_CLEAR_RAM | VB_INIT_OUT_ENABLE_DISPLAY | VB_INIT_OUT_ENABLE_USB_STORAGE); /* ... which may or may not include custom OSes */ VbNvGet(&vnc, VBNV_DEV_BOOT_SIGNED_ONLY, &require_official_os); if (!require_official_os) iparams->out_flags |= VB_INIT_OUT_ENABLE_ALTERNATE_OS; /* * Dev-mode needs the VGA option ROM to be loaded so it can * display the scary boot screen. If we don't have it, we need * to request it and reboot so it can be loaded. */ if ((iparams->flags & VB_INIT_FLAG_OPROM_MATTERS) && !(iparams->flags & VB_INIT_FLAG_OPROM_LOADED)) { VbNvSet(&vnc, VBNV_OPROM_NEEDED, 1); /* * If VbInit() is run before Option ROMs are run it * can still respond to the VbNv flag and does not * need to reboot here. */ if (!(iparams->flags & VB_INIT_FLAG_BEFORE_OPROM_LOAD)) retval = VBERROR_VGA_OPROM_MISMATCH; VBDEBUG(("VbInit() needs oprom, doesn't have it\n")); } } else { /* * Normal mode, so disable dev_boot_* flags. This ensures they * will be initially disabled if the user later transitions * back into developer mode. */ VbNvSet(&vnc, VBNV_DEV_BOOT_USB, 0); VbNvSet(&vnc, VBNV_DEV_BOOT_LEGACY, 0); VbNvSet(&vnc, VBNV_DEV_BOOT_SIGNED_ONLY, 0); /* * Back up any changes now, so these values can't be forgotten * by draining the battery. We really only care about these * three fields, but it's uncommon for any others to change so * this is an easier test than checking each one. */ if (vnc.regenerate_crc) backup_for_safety = 1; /* * If we don't need the VGA option ROM but got it anyway, stop * asking for it and reboot in case there's some vulnerability * in using it. */ if ((iparams->flags & VB_INIT_FLAG_OPROM_MATTERS) && (iparams->flags & VB_INIT_FLAG_OPROM_LOADED)) { VbNvSet(&vnc, VBNV_OPROM_NEEDED, 0); /* * If VbInit() is run before Option ROMs are run it * can still respond to the VbNv flag and does not * need to reboot here. */ if (!(iparams->flags & VB_INIT_FLAG_BEFORE_OPROM_LOAD)) retval = VBERROR_VGA_OPROM_MISMATCH; VBDEBUG(("VbInit() has oprom, doesn't need it\n")); } } VbInit_exit: /* * If we successfully backup the NV storage, it will clear the * VBNV_BACKUP_NVRAM_REQUEST field, so we want to do it before * calling VbNvTeardown(). It's okay if we can't backup, though. */ VbNvGet(&vnc, VBNV_BACKUP_NVRAM_REQUEST, &backup_requested); if (backup_requested || backup_for_safety) SaveNvToBackup(&vnc); /* Tear down NV storage */ VbNvTeardown(&vnc); if (vnc.raw_changed) VbExNvStorageWrite(vnc.raw); VBDEBUG(("VbInit() output flags 0x%x\n", iparams->out_flags)); shared->timer_vb_init_exit = VbExGetTimer(); VBDEBUG(("VbInit() returning 0x%x\n", retval)); return retval; }
VbError_t VbVerifyMemoryBootImage(VbCommonParams *cparams, VbSelectAndLoadKernelParams *kparams, void *boot_image, size_t image_size) { VbError_t retval; VbPublicKey* kernel_subkey = NULL; uint8_t *kbuf; VbKeyBlockHeader *key_block; VbSharedDataHeader *shared = (VbSharedDataHeader *)cparams->shared_data_blob; RSAPublicKey *data_key = NULL; VbKernelPreambleHeader *preamble; uint64_t body_offset; int hash_only = 0; int dev_switch; if ((boot_image == NULL) || (image_size == 0)) return VBERROR_INVALID_PARAMETER; /* Clear output params in case we fail. */ kparams->disk_handle = NULL; kparams->partition_number = 0; kparams->bootloader_address = 0; kparams->bootloader_size = 0; kparams->flags = 0; Memset(kparams->partition_guid, 0, sizeof(kparams->partition_guid)); kbuf = boot_image; /* Read GBB Header */ cparams->bmp = NULL; cparams->gbb = VbExMalloc(sizeof(*cparams->gbb)); retval = VbGbbReadHeader_static(cparams, cparams->gbb); if (VBERROR_SUCCESS != retval) { VBDEBUG(("Gbb read header failed.\n")); return retval; } /* * We don't care verifying the image if: * 1. dev-mode switch is on and * 2. GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP is set. * * Check only the integrity of the image. */ dev_switch = shared->flags & VBSD_BOOT_DEV_SWITCH_ON; if (dev_switch && (cparams->gbb->flags & GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP)) { VBDEBUG(("Only performing integrity-check.\n")); hash_only = 1; } else { /* Get recovery key. */ retval = VbGbbReadRecoveryKey(cparams, &kernel_subkey); if (VBERROR_SUCCESS != retval) { VBDEBUG(("Gbb Read Recovery key failed.\n")); return retval; } } /* If we fail at any step, retval returned would be invalid kernel. */ retval = VBERROR_INVALID_KERNEL_FOUND; /* Verify the key block. */ key_block = (VbKeyBlockHeader *)kbuf; if (0 != KeyBlockVerify(key_block, image_size, kernel_subkey, hash_only)) { VBDEBUG(("Verifying key block signature/hash failed.\n")); goto fail; } /* Check the key block flags against the current boot mode. */ if (!(key_block->key_block_flags & (dev_switch ? KEY_BLOCK_FLAG_DEVELOPER_1 : KEY_BLOCK_FLAG_DEVELOPER_0))) { VBDEBUG(("Key block developer flag mismatch.\n")); if (hash_only == 0) goto fail; } if (!(key_block->key_block_flags & KEY_BLOCK_FLAG_RECOVERY_1)) { VBDEBUG(("Key block recovery flag mismatch.\n")); if (hash_only == 0) goto fail; } /* Get key for preamble/data verification from the key block. */ data_key = PublicKeyToRSA(&key_block->data_key); if (!data_key) { VBDEBUG(("Data key bad.\n")); goto fail; } /* Verify the preamble, which follows the key block */ preamble = (VbKernelPreambleHeader *)(kbuf + key_block->key_block_size); if ((0 != VerifyKernelPreamble(preamble, image_size - key_block->key_block_size, data_key))) { VBDEBUG(("Preamble verification failed.\n")); goto fail; } VBDEBUG(("Kernel preamble is good.\n")); /* Verify kernel data */ body_offset = key_block->key_block_size + preamble->preamble_size; if (0 != VerifyData((const uint8_t *)(kbuf + body_offset), image_size - body_offset, &preamble->body_signature, data_key)) { VBDEBUG(("Kernel data verification failed.\n")); goto fail; } VBDEBUG(("Kernel is good.\n")); /* Fill in output parameters. */ kparams->kernel_buffer = kbuf + body_offset; kparams->kernel_buffer_size = image_size - body_offset; kparams->bootloader_address = preamble->bootloader_address; kparams->bootloader_size = preamble->bootloader_size; if (VbKernelHasFlags(preamble) == VBOOT_SUCCESS) kparams->flags = preamble->flags; retval = VBERROR_SUCCESS; fail: VbApiKernelFree(cparams); if (NULL != data_key) RSAPublicKeyFree(data_key); if (NULL != kernel_subkey) VbExFree(kernel_subkey); return retval; }