| /* |
| * Copyright (c) 2019 The Fuchsia Authors |
| * |
| * SPDX-License-Identifier: BSD-3-Clause |
| */ |
| |
| #ifndef _ZIRCON_VBOOT_H_ |
| #define _ZIRCON_VBOOT_H_ |
| |
| #include <abr/abr.h> |
| #include <libavb/libavb.h> |
| #include <libavb_atx/libavb_atx.h> |
| |
| typedef enum { |
| AVB_ATX_LOCKED, |
| AVB_ATX_UNLOCKED, |
| } AvbAtxLockState; |
| |
| typedef enum { |
| AVB_ATX_SLOT_MARKED_SUCCESSFUL, |
| AVB_ATX_SLOT_NOT_MARKED_SUCCESSFUL, |
| } AvbAtxSlotState; |
| |
| /* Add extra zbi items from vbmeta into |zbi| container */ |
| int zircon_vboot_add_extra_zbi_items(zbi_header_t *zbi, size_t capacity); |
| |
| /** |
| * Loads zircon image using A/B/R scheme. |
| * |
| * @loadaddr: address at which to load the Zircon image. |
| * @loadsize: size of the load buffer. |
| * @force_recovery: trigger a force boot into recovery (R slot). |
| * |
| * Return: 0 if successful, negative value on failure. |
| */ |
| int zircon_vboot_img_load(unsigned char *loadaddr, size_t loadsize, |
| bool force_recovery); |
| |
| /** |
| * Loads and verifies a preloaded zbi + vbmeta. |
| * |
| * The validation is done in-place, so loadaddr is not touched until the |
| * validation has completed successfully. This function also sets some global |
| * state required to correctly extract items from vbmeta. |
| * |
| * @loadaddr: address to load the validated zbi. |
| * @loadsize: size of the load buffer. |
| * @zbi: address of the preloaded zbi. |
| * @zbi_size: size of the preloaded zbi. |
| * @vbmeta: address of the preloaded vbmeta. |
| * @vbmeta_size: size of the preloaded vbmeta. |
| * |
| * Return: 0 if successful, non-zero value on failure. |
| */ |
| int zircon_vboot_preloaded_img_load(unsigned char *loadaddr, size_t loadsize, |
| unsigned char *zbi, size_t zbi_size, |
| unsigned char *vbmeta, size_t vbmeta_size); |
| |
| /* Performs a full load + verification of the indicated slot. |
| * |
| * @loadaddr: address at which to load the Zircon image. |
| * @loadsize: size of the load buffer. |
| * @requested_partitions: partitions to verify. |
| * @ab_suffix: slot suffix to load and verify. |
| * @lock_state: if AVB_ATX_UNLOCKED, verification errors will be allowed (see |
| * AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR for details). |
| * @slot_state: if AVB_ATX_SLOT_MARKED_SUCCESSFUL, minimum rollback index values |
| * will be bumped to match the values in the verified slot (on |
| * success). |
| * @verify_data: see |out_data| for avb_slot_verify(). |
| */ |
| AvbSlotVerifyResult |
| zircon_vboot_slot_verify(unsigned char *loadaddr, size_t loadsize, |
| const char *const *requested_partitions, |
| const char *ab_suffix, AvbAtxLockState lock_state, |
| AvbAtxSlotState slot_state, |
| AvbSlotVerifyData **verify_data); |
| |
| /** |
| * Verifies a preloaded zbi + vbmeta. |
| * |
| * @zbi: address of the preloaded zbi. |
| * @zbi_size: size of the preloaded zbi. |
| * @vbmeta: address of the preloaded vbmeta. |
| * @vbmeta_size: size of the preloaded vbmeta. |
| * @verify_data: verification data, will be allocated and filled if vbmeta |
| * verification succeeds; note that this can still be NULL even |
| * if the function succeeds if we're booting unlocked and no |
| * vbmeta was provided. |
| * |
| * Return: true if either the ZBI verified successfully, or we're unlocked. |
| */ |
| bool zircon_vboot_preloaded_img_verify(unsigned char *zbi, size_t zbi_size, |
| unsigned char *vbmeta, |
| size_t vbmeta_size, |
| AvbSlotVerifyData **verify_data); |
| |
| /* Get current slot to boot */ |
| const char *zircon_vboot_get_current_slot(void); |
| |
| /* Get slot last set active */ |
| const char *zircon_vboot_get_slot_last_set_active(void); |
| |
| /* Get slot info for |slot_number| slot. |
| * |
| * Returns > 0 if an error occured. |
| */ |
| int zircon_vboot_get_slot_info(int slot_number, AbrSlotInfo *info); |
| |
| /* Set slot active */ |
| int zircon_vboot_set_slot_active(int slot_number); |
| |
| /* Generate unlock challenge */ |
| int zircon_vboot_generate_unlock_challenge(AvbAtxUnlockChallenge *out); |
| |
| /* Validate unlock credential */ |
| int zircon_vboot_validate_unlock_credential(AvbAtxUnlockCredential *in, |
| bool *out_is_trusted); |
| |
| /* True if ZVB is enabled */ |
| bool zircon_is_vboot_enabled(void); |
| |
| /* Fills |hash| with the permanent attributes SHA256 hash. */ |
| AvbIOResult |
| avb_read_permanent_attributes_hash(AvbAtxOps *atx_ops, |
| uint8_t hash[AVB_SHA256_DIGEST_SIZE]); |
| |
| /* Unlocks verified boot, allowing unsigned Zircon images to boot. |
| * |
| * Since we lack the VX TA on this board, we can't easily disable sensitive |
| * TA operations (e.g. zxcrypt key access), so instead BL31 will disable OP-TEE |
| * SMC calls until reboot. This will likely cause some runtime errors in |
| * Fuchsia, but should be fine for loading a simple diagnostic image. |
| * |
| * Re-locking is not supported; once OP-TEE routing has been disabled the |
| * device must be rebooted to return to normal operation. |
| * |
| * The calling code MUST have successfully authenticated an unlock token before |
| * calling this. |
| * |
| * Returns 0 on success. |
| */ |
| int zircon_vboot_unlock(void); |
| |
| #endif // _ZIRCON_VBOOT_H_ |