Djam/u-boot
1
0
Fork 0
mirror of https://github.com/u-boot/u-boot.git synced 2025-04-16 09:54:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

cmd: avb: rework do_avb_verify_part

Browse source 
Use existing str_avb_slot_error() function for obtaining
verification fail reason details.
Take into account device lock state for setting correct
androidboot.verifiedbootstate kernel cmdline parameter.

Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Signed-off-by: Igor Opaniuk <igor.opaniuk@gmail.com>
Link: https://lore.kernel.org/r/20240209192045.3961832-7-igor.opaniuk@foundries.io
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
This commit is contained in:
Igor Opaniuk 2024-02-09 20:20:44 +01:00 committed by Mattijs Korpershoek
parent fc7ef0f9e7
commit df3cfceeb1
1 changed files with 17 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
cmd/avb.c
View file

@ -250,6 +250,7 @@ int do_avb_verify_part(struct cmd_tbl *cmdtp, int flag,
const char * const requested_partitions[] = {"boot", NULL}; const char * const requested_partitions[] = {"boot", NULL};
AvbSlotVerifyResult slot_result; AvbSlotVerifyResult slot_result;
AvbSlotVerifyData *out_data; AvbSlotVerifyData *out_data;
enum avb_boot_state boot_state;
char *cmdline; char *cmdline;
char *extra_args; char *extra_args;
char *slot_suffix = ""; char *slot_suffix = "";
@ -287,18 +288,23 @@ int do_avb_verify_part(struct cmd_tbl *cmdtp, int flag,
AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE, AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE,
&out_data); &out_data);
switch (slot_result) { /*
case AVB_SLOT_VERIFY_RESULT_OK: * LOCKED devices with custom root of trust setup is not supported (YELLOW)
/* Until we don't have support of changing unlock states, we
* assume that we are by default in locked state.
* So in this case we can boot only when verification is
* successful; we also supply in cmdline GREEN boot state
*/ */
if (slot_result == AVB_SLOT_VERIFY_RESULT_OK) {
printf("Verification passed successfully\n"); printf("Verification passed successfully\n");
/* export additional bootargs to AVB_BOOTARGS env var */ /*
* ORANGE state indicates that device may be freely modified.
* Device integrity is left to the user to verify out-of-band.
*/
if (unlocked)
boot_state = AVB_ORANGE;
else
boot_state = AVB_GREEN;
extra_args = avb_set_state(avb_ops, AVB_GREEN); /* export boot state to AVB_BOOTARGS env var */
extra_args = avb_set_state(avb_ops, boot_state);
if (extra_args) if (extra_args)
cmdline = append_cmd_line(out_data->cmdline, cmdline = append_cmd_line(out_data->cmdline,
extra_args); extra_args);
@ -308,30 +314,8 @@ int do_avb_verify_part(struct cmd_tbl *cmdtp, int flag,
env_set(AVB_BOOTARGS, cmdline); env_set(AVB_BOOTARGS, cmdline);
res = CMD_RET_SUCCESS; res = CMD_RET_SUCCESS;
break; } else {
case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: printf("Verification failed, reason: %s\n", str_avb_slot_error(slot_result));
printf("Verification failed\n");
break;
case AVB_SLOT_VERIFY_RESULT_ERROR_IO:
printf("I/O error occurred during verification\n");
break;
case AVB_SLOT_VERIFY_RESULT_ERROR_OOM:
printf("OOM error occurred during verification\n");
break;
case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA:
printf("Corrupted dm-verity metadata detected\n");
break;
case AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION:
printf("Unsupported version of avbtool was used\n");
break;
case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX:
printf("Rollback index check failed\n");
break;
case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED:
printf("Public key was rejected\n");
break;
default:
printf("Unknown error occurred\n");
} }
if (out_data) if (out_data)