1 /* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
2  * Use of this source code is governed by a BSD-style license that can be
3  * found in the LICENSE file.
4  *
5  * High-level firmware wrapper API - entry points for kernel selection
6  */
7 
8 #include "sysincludes.h"
9 
10 #include "gbb_access.h"
11 #include "gbb_header.h"
12 #include "load_kernel_fw.h"
13 #include "region.h"
14 #include "rollback_index.h"
15 #include "utility.h"
16 #include "vboot_api.h"
17 #include "vboot_audio.h"
18 #include "vboot_common.h"
19 #include "vboot_display.h"
20 #include "vboot_kernel.h"
21 #include "vboot_nvstorage.h"
22 
23 /* Global variables */
24 static VbNvContext vnc;
25 
26 #ifdef CHROMEOS_ENVIRONMENT
27 /* Global variable accessor for unit tests */
28 
VbApiKernelGetVnc(void)29 VbNvContext *VbApiKernelGetVnc(void)
30 {
31 	return &vnc;
32 }
33 #endif
34 
35 /**
36  * Set recovery request (called from vboot_api_kernel.c functions only)
37  */
VbSetRecoveryRequest(uint32_t recovery_request)38 static void VbSetRecoveryRequest(uint32_t recovery_request)
39 {
40 	VBDEBUG(("VbSetRecoveryRequest(%d)\n", (int)recovery_request));
41 	VbNvSet(&vnc, VBNV_RECOVERY_REQUEST, recovery_request);
42 }
43 
44 /**
45  * Checks GBB flags against VbExIsShutdownRequested() shutdown request to
46  * determine if a shutdown is required.
47  *
48  * Returns true if a shutdown is required and false if no shutdown is required.
49  */
VbWantShutdown(uint32_t gbb_flags)50 static int VbWantShutdown(uint32_t gbb_flags)
51 {
52 	uint32_t shutdown_request = VbExIsShutdownRequested();
53 
54 	/* If desired, ignore shutdown request due to lid closure. */
55 	if (gbb_flags & GBB_FLAG_DISABLE_LID_SHUTDOWN)
56 		shutdown_request &= ~VB_SHUTDOWN_REQUEST_LID_CLOSED;
57 
58 	return !!shutdown_request;
59 }
60 
61 /**
62  * Attempt loading a kernel from the specified type(s) of disks.
63  *
64  * If successful, sets p->disk_handle to the disk for the kernel and returns
65  * VBERROR_SUCCESS.
66  *
67  * Returns VBERROR_NO_DISK_FOUND if no disks of the specified type were found.
68  *
69  * May return other VBERROR_ codes for other failures.
70  */
VbTryLoadKernel(VbCommonParams * cparams,LoadKernelParams * p,uint32_t get_info_flags)71 uint32_t VbTryLoadKernel(VbCommonParams *cparams, LoadKernelParams *p,
72                          uint32_t get_info_flags)
73 {
74 	VbError_t retval = VBERROR_UNKNOWN;
75 	VbDiskInfo* disk_info = NULL;
76 	uint32_t disk_count = 0;
77 	uint32_t i;
78 
79 	VBDEBUG(("VbTryLoadKernel() start, get_info_flags=0x%x\n",
80 		 (unsigned)get_info_flags));
81 
82 	p->disk_handle = NULL;
83 
84 	/* Find disks */
85 	if (VBERROR_SUCCESS != VbExDiskGetInfo(&disk_info, &disk_count,
86 					       get_info_flags))
87 		disk_count = 0;
88 
89 	VBDEBUG(("VbTryLoadKernel() found %d disks\n", (int)disk_count));
90 	if (0 == disk_count) {
91 		VbSetRecoveryRequest(VBNV_RECOVERY_RW_NO_DISK);
92 		return VBERROR_NO_DISK_FOUND;
93 	}
94 
95 	/* Loop over disks */
96 	for (i = 0; i < disk_count; i++) {
97 		VBDEBUG(("VbTryLoadKernel() trying disk %d\n", (int)i));
98 		/*
99 		 * Sanity-check what we can. FWIW, VbTryLoadKernel() is always
100 		 * called with only a single bit set in get_info_flags.
101 		 *
102 		 * Ensure 512-byte sectors and non-trivially sized disk (for
103 		 * cgptlib) and that we got a partition with only the flags we
104 		 * asked for.
105 		 */
106 		if (512 != disk_info[i].bytes_per_lba ||
107 		    16 > disk_info[i].lba_count ||
108 		    get_info_flags != (disk_info[i].flags & ~VB_DISK_FLAG_EXTERNAL_GPT)) {
109 			VBDEBUG(("  skipping: bytes_per_lba=%" PRIu64
110 				 " lba_count=%" PRIu64 " flags=0x%x\n",
111 				 disk_info[i].bytes_per_lba,
112 				 disk_info[i].lba_count,
113 				 disk_info[i].flags));
114 			continue;
115 		}
116 		p->disk_handle = disk_info[i].handle;
117 		p->bytes_per_lba = disk_info[i].bytes_per_lba;
118 		p->gpt_lba_count = disk_info[i].lba_count;
119 		p->streaming_lba_count = disk_info[i].streaming_lba_count
120 						?: p->gpt_lba_count;
121 		p->boot_flags |= disk_info[i].flags & VB_DISK_FLAG_EXTERNAL_GPT
122 				? BOOT_FLAG_EXTERNAL_GPT : 0;
123 		retval = LoadKernel(p, cparams);
124 		VBDEBUG(("VbTryLoadKernel() LoadKernel() = %d\n", retval));
125 
126 		/*
127 		 * Stop now if we found a kernel.
128 		 *
129 		 * TODO: If recovery requested, should track the farthest we
130 		 * get, instead of just returning the value from the last disk
131 		 * attempted.
132 		 */
133 		if (VBERROR_SUCCESS == retval)
134 			break;
135 	}
136 
137 	/* If we didn't find any good kernels, don't return a disk handle. */
138 	if (VBERROR_SUCCESS != retval) {
139 		VbSetRecoveryRequest(VBNV_RECOVERY_RW_NO_KERNEL);
140 		p->disk_handle = NULL;
141 	}
142 
143 	VbExDiskFreeInfo(disk_info, p->disk_handle);
144 
145 	/*
146 	 * Pass through return code.  Recovery reason (if any) has already been
147 	 * set by LoadKernel().
148 	 */
149 	return retval;
150 }
151 
152 #define CONFIRM_KEY_DELAY 20  /* Check confirm screen keys every 20ms */
153 
VbUserConfirms(VbCommonParams * cparams,uint32_t confirm_flags)154 int VbUserConfirms(VbCommonParams *cparams, uint32_t confirm_flags)
155 {
156 	VbSharedDataHeader *shared =
157            (VbSharedDataHeader *)cparams->shared_data_blob;
158 	uint32_t key;
159 	uint32_t key_flags;
160         uint32_t button;
161 	int rec_button_was_pressed = 0;
162 
163 	VBDEBUG(("Entering %s(0x%x)\n", __func__, confirm_flags));
164 
165 	/* Await further instructions */
166 	while (1) {
167 		if (VbWantShutdown(cparams->gbb->flags))
168 			return -1;
169 		key = VbExKeyboardReadWithFlags(&key_flags);
170                 button = VbExGetSwitches(VB_INIT_FLAG_REC_BUTTON_PRESSED);
171 		switch (key) {
172 		case '\r':
173 			/* If we require a trusted keyboard for confirmation,
174 			 * but the keyboard may be faked (for instance, a USB
175 			 * device), beep and keep waiting.
176 			 */
177 			if (confirm_flags & VB_CONFIRM_MUST_TRUST_KEYBOARD &&
178 			    !(key_flags & VB_KEY_FLAG_TRUSTED_KEYBOARD)) {
179 				VbExBeep(120, 400);
180 				break;
181                         }
182 
183 			VBDEBUG(("%s() - Yes (1)\n", __func__));
184 			return 1;
185 			break;
186 		case ' ':
187 			VBDEBUG(("%s() - Space (%d)\n", __func__,
188 				 confirm_flags & VB_CONFIRM_SPACE_MEANS_NO));
189 			if (confirm_flags & VB_CONFIRM_SPACE_MEANS_NO)
190 				return 0;
191 			break;
192 		case 0x1b:
193 			VBDEBUG(("%s() - No (0)\n", __func__));
194 			return 0;
195 			break;
196 		default:
197 			/* If the recovery button is physical, and is pressed,
198 			 * this is also a YES, but must wait for release.
199 			 */
200 			if (!(shared->flags & VBSD_BOOT_REC_SWITCH_VIRTUAL)) {
201 				if (button) {
202 					VBDEBUG(("%s() - Rec button pressed\n",
203 						 __func__));
204 	                                rec_button_was_pressed = 1;
205 				} else if (rec_button_was_pressed) {
206 					VBDEBUG(("%s() - Rec button (1)\n",
207 					 __func__));
208 					return 1;
209 				}
210 			}
211 			VbCheckDisplayKey(cparams, key, &vnc);
212 		}
213 		VbExSleepMs(CONFIRM_KEY_DELAY);
214 	}
215 
216 	/* Not reached, but compiler will complain without it */
217 	return -1;
218 }
219 
VbBootNormal(VbCommonParams * cparams,LoadKernelParams * p)220 VbError_t VbBootNormal(VbCommonParams *cparams, LoadKernelParams *p)
221 {
222 	/* Boot from fixed disk only */
223 	VBDEBUG(("Entering %s()\n", __func__));
224 	return VbTryLoadKernel(cparams, p, VB_DISK_FLAG_FIXED);
225 }
226 
VbBootDeveloper(VbCommonParams * cparams,LoadKernelParams * p)227 VbError_t VbBootDeveloper(VbCommonParams *cparams, LoadKernelParams *p)
228 {
229 	GoogleBinaryBlockHeader *gbb = cparams->gbb;
230 	VbSharedDataHeader *shared =
231 		(VbSharedDataHeader *)cparams->shared_data_blob;
232 	uint32_t allow_usb = 0, allow_legacy = 0, ctrl_d_pressed = 0;
233 	VbAudioContext *audio = 0;
234 
235 	VBDEBUG(("Entering %s()\n", __func__));
236 
237 	/* Check if USB booting is allowed */
238 	VbNvGet(&vnc, VBNV_DEV_BOOT_USB, &allow_usb);
239 	VbNvGet(&vnc, VBNV_DEV_BOOT_LEGACY, &allow_legacy);
240 
241 	/* Handle GBB flag override */
242 	if (gbb->flags & GBB_FLAG_FORCE_DEV_BOOT_USB)
243 		allow_usb = 1;
244 	if (gbb->flags & GBB_FLAG_FORCE_DEV_BOOT_LEGACY)
245 		allow_legacy = 1;
246 
247 	/* Show the dev mode warning screen */
248 	VbDisplayScreen(cparams, VB_SCREEN_DEVELOPER_WARNING, 0, &vnc);
249 
250 	/* Get audio/delay context */
251 	audio = VbAudioOpen(cparams);
252 
253 	/* We'll loop until we finish the delay or are interrupted */
254 	do {
255 		uint32_t key;
256 
257 		if (VbWantShutdown(gbb->flags)) {
258 			VBDEBUG(("VbBootDeveloper() - shutdown requested!\n"));
259 			VbAudioClose(audio);
260 			return VBERROR_SHUTDOWN_REQUESTED;
261 		}
262 
263 		key = VbExKeyboardRead();
264 		switch (key) {
265 		case 0:
266 			/* nothing pressed */
267 			break;
268 		case '\r':
269 			/* Only disable virtual dev switch if allowed by GBB */
270 			if (!(gbb->flags & GBB_FLAG_ENTER_TRIGGERS_TONORM))
271 				break;
272 		case ' ':
273 			/* See if we should disable virtual dev-mode switch. */
274 			VBDEBUG(("%s shared->flags=0x%x\n",
275 				 __func__, shared->flags));
276 			if (shared->flags & VBSD_HONOR_VIRT_DEV_SWITCH &&
277 			    shared->flags & VBSD_BOOT_DEV_SWITCH_ON) {
278 				/* Stop the countdown while we go ask... */
279 				VbAudioClose(audio);
280 				if (gbb->flags & GBB_FLAG_FORCE_DEV_SWITCH_ON) {
281 					/*
282 					 * TONORM won't work (only for
283 					 * non-shipping devices).
284 					 */
285 					VBDEBUG(("%s() - TONORM rejected by "
286 						 "FORCE_DEV_SWITCH_ON\n",
287 						 __func__));
288 					VbExDisplayDebugInfo(
289 						"WARNING: TONORM prohibited by "
290 						"GBB FORCE_DEV_SWITCH_ON.\n\n");
291 					VbExBeep(120, 400);
292 					break;
293 				}
294 				VbDisplayScreen(cparams,
295 						VB_SCREEN_DEVELOPER_TO_NORM,
296 						0, &vnc);
297 				/* Ignore space in VbUserConfirms()... */
298 				switch (VbUserConfirms(cparams, 0)) {
299 				case 1:
300 					VBDEBUG(("%s() - leaving dev-mode.\n",
301 						 __func__));
302 					VbNvSet(&vnc, VBNV_DISABLE_DEV_REQUEST,
303 						1);
304 					VbDisplayScreen(
305 						cparams,
306 						VB_SCREEN_TO_NORM_CONFIRMED,
307 						0, &vnc);
308 					VbExSleepMs(5000);
309 					return VBERROR_TPM_REBOOT_REQUIRED;
310 				case -1:
311 					VBDEBUG(("%s() - shutdown requested\n",
312 						 __func__));
313 					return VBERROR_SHUTDOWN_REQUESTED;
314 				default:
315 					/* Stay in dev-mode */
316 					VBDEBUG(("%s() - stay in dev-mode\n",
317 						 __func__));
318 					VbDisplayScreen(
319 						cparams,
320 						VB_SCREEN_DEVELOPER_WARNING,
321 						0, &vnc);
322 					/* Start new countdown */
323 					audio = VbAudioOpen(cparams);
324 				}
325 			} else {
326 				/*
327 				 * No virtual dev-mode switch, so go directly
328 				 * to recovery mode.
329 				 */
330 				VBDEBUG(("%s() - going to recovery\n",
331 					 __func__));
332 				VbSetRecoveryRequest(
333 					VBNV_RECOVERY_RW_DEV_SCREEN);
334 				VbAudioClose(audio);
335 				return VBERROR_LOAD_KERNEL_RECOVERY;
336 			}
337 			break;
338 		case 0x04:
339 			/* Ctrl+D = dismiss warning; advance to timeout */
340 			VBDEBUG(("VbBootDeveloper() - "
341 				 "user pressed Ctrl+D; skip delay\n"));
342 			ctrl_d_pressed = 1;
343 			goto fallout;
344 			break;
345 		case 0x0c:
346 			VBDEBUG(("VbBootDeveloper() - "
347 				 "user pressed Ctrl+L; Try legacy boot\n"));
348 			/*
349 			 * If VbExLegacy() succeeds, it will never return.  If
350 			 * it returns, beep.
351 			 */
352 			if (allow_legacy)
353 				VbExLegacy();
354 			else
355 				VBDEBUG(("VbBootDeveloper() - "
356 					 "Legacy boot is disabled\n"));
357 
358 			VbExBeep(120, 400);
359 			VbExSleepMs(120);
360 			VbExBeep(120, 400);
361 			break;
362 
363 		case VB_KEY_CTRL_ENTER:
364 			/*
365 			 * The Ctrl-Enter is special for Lumpy test purpose;
366 			 * fall through to Ctrl+U handler.
367 			 */
368 		case 0x15:
369 			/* Ctrl+U = try USB boot, or beep if failure */
370 			VBDEBUG(("VbBootDeveloper() - "
371 				 "user pressed Ctrl+U; try USB\n"));
372 			if (!allow_usb) {
373 				VBDEBUG(("VbBootDeveloper() - "
374 					 "USB booting is disabled\n"));
375 				VbExDisplayDebugInfo(
376 					"WARNING: Booting from external media "
377 					"(USB/SD) has not been enabled. Refer "
378 					"to the developer-mode documentation "
379 					"for details.\n");
380 				VbExBeep(120, 400);
381 				VbExSleepMs(120);
382 				VbExBeep(120, 400);
383 			} else {
384 				/*
385 				 * Clear the screen to show we get the Ctrl+U
386 				 * key press.
387 				 */
388 				VbDisplayScreen(cparams, VB_SCREEN_BLANK, 0,
389 						&vnc);
390 				if (VBERROR_SUCCESS ==
391 				    VbTryLoadKernel(cparams, p,
392 						    VB_DISK_FLAG_REMOVABLE)) {
393 					VBDEBUG(("VbBootDeveloper() - "
394 						 "booting USB\n"));
395 					VbAudioClose(audio);
396 					return VBERROR_SUCCESS;
397 				} else {
398 					VBDEBUG(("VbBootDeveloper() - "
399 						 "no kernel found on USB\n"));
400 					VbExBeep(250, 200);
401 					VbExSleepMs(120);
402 					/*
403 					 * Clear recovery requests from failed
404 					 * kernel loading, so that powering off
405 					 * at this point doesn't put us into
406 					 * recovery mode.
407 					 */
408 					VbSetRecoveryRequest(
409 						VBNV_RECOVERY_NOT_REQUESTED);
410 					/* Show dev mode warning screen again */
411 					VbDisplayScreen(
412 						cparams,
413 						VB_SCREEN_DEVELOPER_WARNING,
414 						0, &vnc);
415 				}
416 			}
417 			break;
418 		default:
419 			VBDEBUG(("VbBootDeveloper() - pressed key %d\n", key));
420 			VbCheckDisplayKey(cparams, key, &vnc);
421 			break;
422 		}
423 	} while(VbAudioLooping(audio));
424 
425  fallout:
426 
427 	/* If defaulting to legacy boot, try that unless Ctrl+D was pressed */
428 	if ((gbb->flags & GBB_FLAG_DEFAULT_DEV_BOOT_LEGACY) &&
429 	    !ctrl_d_pressed) {
430 		VBDEBUG(("VbBootDeveloper() - defaulting to legacy\n"));
431 		VbExLegacy();
432 
433 		/* If that fails, beep and fall through to fixed disk */
434 		VbExBeep(120, 400);
435 		VbExSleepMs(120);
436 		VbExBeep(120, 400);
437 	}
438 
439 	/* Timeout or Ctrl+D; attempt loading from fixed disk */
440 	VBDEBUG(("VbBootDeveloper() - trying fixed disk\n"));
441 	VbAudioClose(audio);
442 	return VbTryLoadKernel(cparams, p, VB_DISK_FLAG_FIXED);
443 }
444 
445 /* Delay in recovery mode */
446 #define REC_DISK_DELAY       1000     /* Check disks every 1s */
447 #define REC_KEY_DELAY        20       /* Check keys every 20ms */
448 #define REC_MEDIA_INIT_DELAY 500      /* Check removable media every 500ms */
449 
VbBootRecovery(VbCommonParams * cparams,LoadKernelParams * p)450 VbError_t VbBootRecovery(VbCommonParams *cparams, LoadKernelParams *p)
451 {
452 	VbSharedDataHeader *shared =
453 		(VbSharedDataHeader *)cparams->shared_data_blob;
454 	uint32_t retval;
455 	uint32_t key;
456 	int i;
457 
458 	VBDEBUG(("VbBootRecovery() start\n"));
459 
460 	/*
461 	 * If the dev-mode switch is off and the user didn't press the recovery
462 	 * button, require removal of all external media.
463 	 */
464 	if (!(shared->flags & VBSD_BOOT_DEV_SWITCH_ON) &&
465 	    !(shared->flags & VBSD_BOOT_REC_SWITCH_ON)) {
466 		VbDiskInfo *disk_info = NULL;
467 		uint32_t disk_count = 0;
468 
469 		VBDEBUG(("VbBootRecovery() forcing device removal\n"));
470 
471 		/* If no media is detected initially, delay and make one extra
472 		 * attempt, in case devices appear later than expected. */
473 		if (VBERROR_SUCCESS != VbExDiskGetInfo(&disk_info, &disk_count,
474 						       VB_DISK_FLAG_REMOVABLE))
475 			disk_count = 0;
476 
477 		VbExDiskFreeInfo(disk_info, NULL);
478 		if (0 == disk_count)
479 			VbExSleepMs(REC_MEDIA_INIT_DELAY);
480 
481 		while (1) {
482 			disk_info = NULL;
483 			disk_count = 0;
484 			if (VBERROR_SUCCESS !=
485 			    VbExDiskGetInfo(&disk_info, &disk_count,
486 					    VB_DISK_FLAG_REMOVABLE))
487 				disk_count = 0;
488 
489 			VbExDiskFreeInfo(disk_info, NULL);
490 
491 			if (0 == disk_count) {
492 				VbDisplayScreen(cparams, VB_SCREEN_BLANK,
493 						0, &vnc);
494 				break;
495 			}
496 
497 			VBDEBUG(("VbBootRecovery() "
498 				 "waiting for %d disks to be removed\n",
499 				 (int)disk_count));
500 
501 			VbDisplayScreen(cparams, VB_SCREEN_RECOVERY_REMOVE,
502 					0, &vnc);
503 
504 			/*
505 			 * Scan keyboard more frequently than media, since x86
506 			 * platforms don't like to scan USB too rapidly.
507 			 */
508 			for (i = 0; i < REC_DISK_DELAY; i += REC_KEY_DELAY) {
509 				VbCheckDisplayKey(cparams, VbExKeyboardRead(),
510 						  &vnc);
511 				if (VbWantShutdown(cparams->gbb->flags))
512 					return VBERROR_SHUTDOWN_REQUESTED;
513 				VbExSleepMs(REC_KEY_DELAY);
514 			}
515 		}
516 	}
517 
518 	/* Loop and wait for a recovery image */
519 	while (1) {
520 		VBDEBUG(("VbBootRecovery() attempting to load kernel2\n"));
521 		retval = VbTryLoadKernel(cparams, p, VB_DISK_FLAG_REMOVABLE);
522 
523 		/*
524 		 * Clear recovery requests from failed kernel loading, since
525 		 * we're already in recovery mode.  Do this now, so that
526 		 * powering off after inserting an invalid disk doesn't leave
527 		 * us stuck in recovery mode.
528 		 */
529 		VbSetRecoveryRequest(VBNV_RECOVERY_NOT_REQUESTED);
530 
531 		if (VBERROR_SUCCESS == retval)
532 			break; /* Found a recovery kernel */
533 
534 		VbDisplayScreen(cparams, VBERROR_NO_DISK_FOUND == retval ?
535 				VB_SCREEN_RECOVERY_INSERT :
536 				VB_SCREEN_RECOVERY_NO_GOOD,
537 				0, &vnc);
538 
539 		/*
540 		 * Scan keyboard more frequently than media, since x86
541 		 * platforms don't like to scan USB too rapidly.
542 		 */
543 		for (i = 0; i < REC_DISK_DELAY; i += REC_KEY_DELAY) {
544 			key = VbExKeyboardRead();
545 			/*
546 			 * We might want to enter dev-mode from the Insert
547 			 * screen if all of the following are true:
548 			 *   - user pressed Ctrl-D
549 			 *   - we can honor the virtual dev switch
550 			 *   - not already in dev mode
551 			 *   - user forced recovery mode
552 			 *   - EC isn't pwned
553 			 */
554 			if (key == 0x04 &&
555 			    shared->flags & VBSD_HONOR_VIRT_DEV_SWITCH &&
556 			    !(shared->flags & VBSD_BOOT_DEV_SWITCH_ON) &&
557 			    (shared->flags & VBSD_BOOT_REC_SWITCH_ON) &&
558 			    VbExTrustEC(0)) {
559                                 if (!(shared->flags &
560 				      VBSD_BOOT_REC_SWITCH_VIRTUAL) &&
561 				    VbExGetSwitches(
562 					     VB_INIT_FLAG_REC_BUTTON_PRESSED)) {
563 					/*
564 					 * Is the recovery button stuck?  In
565 					 * any case we don't like this.  Beep
566 					 * and ignore.
567 					 */
568 					VBDEBUG(("%s() - ^D but rec switch "
569 						 "is pressed\n", __func__));
570 					VbExBeep(120, 400);
571 					continue;
572 				}
573 
574 				/* Ask the user to confirm entering dev-mode */
575 				VbDisplayScreen(cparams,
576 						VB_SCREEN_RECOVERY_TO_DEV,
577 						0, &vnc);
578 				/* SPACE means no... */
579 				uint32_t vbc_flags =
580 					VB_CONFIRM_SPACE_MEANS_NO |
581 					VB_CONFIRM_MUST_TRUST_KEYBOARD;
582 				switch (VbUserConfirms(cparams, vbc_flags)) {
583 				case 1:
584 					VBDEBUG(("%s() Enabling dev-mode...\n",
585 						 __func__));
586 					if (TPM_SUCCESS != SetVirtualDevMode(1))
587 						return VBERROR_TPM_SET_BOOT_MODE_STATE;
588 					VBDEBUG(("%s() Reboot so it will take "
589 						 "effect\n", __func__));
590 					return VBERROR_TPM_REBOOT_REQUIRED;
591 				case -1:
592 					VBDEBUG(("%s() - Shutdown requested\n",
593 						 __func__));
594 					return VBERROR_SHUTDOWN_REQUESTED;
595 				default: /* zero, actually */
596 					VBDEBUG(("%s() - Not enabling "
597 						 "dev-mode\n", __func__));
598 					/*
599 					 * Jump out of the outer loop to
600 					 * refresh the display quickly.
601 					 */
602 					i = 4;
603 					break;
604 				}
605 			} else {
606 				VbCheckDisplayKey(cparams, key, &vnc);
607 			}
608 			if (VbWantShutdown(cparams->gbb->flags))
609 				return VBERROR_SHUTDOWN_REQUESTED;
610 			VbExSleepMs(REC_KEY_DELAY);
611 		}
612 	}
613 
614 	return VBERROR_SUCCESS;
615 }
616 
617 /**
618  * Wrapper around VbExEcProtectRW() which sets recovery reason on error.
619  */
EcProtectRW(int devidx)620 static VbError_t EcProtectRW(int devidx)
621 {
622 	int rv = VbExEcProtectRW(devidx);
623 
624 	if (rv == VBERROR_EC_REBOOT_TO_RO_REQUIRED) {
625 		VBDEBUG(("VbExEcProtectRW() needs reboot\n"));
626 	} else if (rv != VBERROR_SUCCESS) {
627 		VBDEBUG(("VbExEcProtectRW() returned %d\n", rv));
628 		VbSetRecoveryRequest(VBNV_RECOVERY_EC_PROTECT);
629 	}
630 	return rv;
631 }
632 
VbEcSoftwareSync(int devidx,VbCommonParams * cparams)633 VbError_t VbEcSoftwareSync(int devidx, VbCommonParams *cparams)
634 {
635 	VbSharedDataHeader *shared =
636 		(VbSharedDataHeader *)cparams->shared_data_blob;
637 	int in_rw = 0;
638 	int rv;
639 	const uint8_t *ec_hash = NULL;
640 	int ec_hash_size;
641 	const uint8_t *rw_hash = NULL;
642 	int rw_hash_size;
643 	const uint8_t *expected = NULL;
644 	int expected_size;
645 	uint8_t expected_hash[SHA256_DIGEST_SIZE];
646 	int need_update = 0;
647 	int i;
648 
649 	VBDEBUG(("VbEcSoftwareSync(devidx=%d)\n", devidx));
650 
651 	/* Determine whether the EC is in RO or RW */
652 	rv = VbExEcRunningRW(devidx, &in_rw);
653 
654 	if (shared->recovery_reason) {
655 		/* Recovery mode; just verify the EC is in RO code */
656 		if (rv == VBERROR_SUCCESS && in_rw == 1) {
657 			/*
658 			 * EC is definitely in RW firmware.  We want it in
659 			 * read-only code, so preserve the current recovery
660 			 * reason and reboot.
661 			 *
662 			 * We don't reboot on error or unknown EC code, because
663 			 * we could end up in an endless reboot loop.  If we
664 			 * had some way to track that we'd already rebooted for
665 			 * this reason, we could retry only once.
666 			 */
667 			VBDEBUG(("VbEcSoftwareSync() - "
668 				 "want recovery but got EC-RW\n"));
669 			VbSetRecoveryRequest(shared->recovery_reason);
670 			return VBERROR_EC_REBOOT_TO_RO_REQUIRED;
671 		}
672 
673 		VBDEBUG(("VbEcSoftwareSync() in recovery; EC-RO\n"));
674 		return VBERROR_SUCCESS;
675 	}
676 
677 	/*
678 	 * Not in recovery.  If we couldn't determine where the EC was,
679 	 * reboot to recovery.
680 	 */
681 	if (rv != VBERROR_SUCCESS) {
682 		VBDEBUG(("VbEcSoftwareSync() - "
683 			 "VbExEcRunningRW() returned %d\n", rv));
684 		VbSetRecoveryRequest(VBNV_RECOVERY_EC_UNKNOWN_IMAGE);
685 		return VBERROR_EC_REBOOT_TO_RO_REQUIRED;
686 	}
687 
688 	/* If AP is read-only normal, EC should be in its RO code also. */
689 	if (shared->flags & VBSD_LF_USE_RO_NORMAL) {
690 		/* If EC is in RW code, request reboot back to RO */
691 		if (in_rw == 1) {
692 			VBDEBUG(("VbEcSoftwareSync() - "
693 				 "want RO-normal but got EC-RW\n"));
694 			return VBERROR_EC_REBOOT_TO_RO_REQUIRED;
695 		}
696 
697 		/* Protect the RW flash and stay in EC-RO */
698 		rv = EcProtectRW(devidx);
699 		if (rv != VBERROR_SUCCESS)
700 			return rv;
701 
702 		rv = VbExEcDisableJump(devidx);
703 		if (rv != VBERROR_SUCCESS) {
704 			VBDEBUG(("VbEcSoftwareSync() - "
705 				 "VbExEcDisableJump() returned %d\n", rv));
706 			VbSetRecoveryRequest(VBNV_RECOVERY_EC_SOFTWARE_SYNC);
707 			return VBERROR_EC_REBOOT_TO_RO_REQUIRED;
708 		}
709 
710 		VBDEBUG(("VbEcSoftwareSync() in RO-Normal; EC-RO\n"));
711 		return VBERROR_SUCCESS;
712 	}
713 
714 	/* Get hash of EC-RW */
715 	rv = VbExEcHashRW(devidx, &ec_hash, &ec_hash_size);
716 	if (rv) {
717 		VBDEBUG(("VbEcSoftwareSync() - "
718 			 "VbExEcHashRW() returned %d\n", rv));
719 		VbSetRecoveryRequest(VBNV_RECOVERY_EC_HASH_FAILED);
720 		return VBERROR_EC_REBOOT_TO_RO_REQUIRED;
721 	}
722 	if (ec_hash_size != SHA256_DIGEST_SIZE) {
723 		VBDEBUG(("VbEcSoftwareSync() - "
724 			 "VbExEcHashRW() says size %d, not %d\n",
725 			 ec_hash_size, SHA256_DIGEST_SIZE));
726 		VbSetRecoveryRequest(VBNV_RECOVERY_EC_HASH_SIZE);
727 		return VBERROR_EC_REBOOT_TO_RO_REQUIRED;
728 	}
729 
730 	VBDEBUG(("EC hash:"));
731 	for (i = 0; i < SHA256_DIGEST_SIZE; i++)
732 		VBDEBUG(("%02x", ec_hash[i]));
733 	VBDEBUG(("\n"));
734 
735 	/*
736 	 * Get expected EC-RW hash. Note that we've already checked for
737 	 * RO_NORMAL, so we know that the BIOS must be RW-A or RW-B, and
738 	 * therefore the EC must match.
739 	 */
740 	rv = VbExEcGetExpectedRWHash(devidx, shared->firmware_index ?
741 				 VB_SELECT_FIRMWARE_B : VB_SELECT_FIRMWARE_A,
742 				 &rw_hash, &rw_hash_size);
743 
744 	if (rv == VBERROR_EC_GET_EXPECTED_HASH_FROM_IMAGE) {
745 		/*
746 		 * BIOS has verified EC image but doesn't have a precomputed
747 		 * hash for it, so we must compute the hash ourselves.
748 		 */
749 		rw_hash = NULL;
750 	} else if (rv) {
751 		VBDEBUG(("VbEcSoftwareSync() - "
752 			 "VbExEcGetExpectedRWHash() returned %d\n", rv));
753 		VbSetRecoveryRequest(VBNV_RECOVERY_EC_EXPECTED_HASH);
754 		return VBERROR_EC_REBOOT_TO_RO_REQUIRED;
755 	} else if (rw_hash_size != SHA256_DIGEST_SIZE) {
756 		VBDEBUG(("VbEcSoftwareSync() - "
757 			 "VbExEcGetExpectedRWHash() says size %d, not %d\n",
758 			 rw_hash_size, SHA256_DIGEST_SIZE));
759 		VbSetRecoveryRequest(VBNV_RECOVERY_EC_EXPECTED_HASH);
760 		return VBERROR_EC_REBOOT_TO_RO_REQUIRED;
761 	} else {
762 		VBDEBUG(("Expected hash:"));
763 		for (i = 0; i < SHA256_DIGEST_SIZE; i++)
764 			VBDEBUG(("%02x", rw_hash[i]));
765 		VBDEBUG(("\n"));
766 
767 		need_update = SafeMemcmp(ec_hash, rw_hash, SHA256_DIGEST_SIZE);
768 	}
769 
770 	/*
771 	 * Get expected EC-RW image if we're sure we need to update (because the
772 	 * expected hash didn't match the EC) or we still don't know (because
773 	 * there was no expected hash and we need the image to compute one
774 	 * ourselves).
775 	 */
776 	if (need_update || !rw_hash) {
777 		/* Get expected EC-RW image */
778 		rv = VbExEcGetExpectedRW(devidx, shared->firmware_index ?
779 					 VB_SELECT_FIRMWARE_B :
780 					 VB_SELECT_FIRMWARE_A,
781 					 &expected, &expected_size);
782 		if (rv) {
783 			VBDEBUG(("VbEcSoftwareSync() - "
784 				 "VbExEcGetExpectedRW() returned %d\n", rv));
785 			VbSetRecoveryRequest(VBNV_RECOVERY_EC_EXPECTED_IMAGE);
786 			return VBERROR_EC_REBOOT_TO_RO_REQUIRED;
787 		}
788 		VBDEBUG(("VbEcSoftwareSync() - expected len = %d\n",
789 			 expected_size));
790 
791 		/* Hash expected image */
792 		internal_SHA256(expected, expected_size, expected_hash);
793 		VBDEBUG(("Computed hash of expected image:"));
794 		for (i = 0; i < SHA256_DIGEST_SIZE; i++)
795 			VBDEBUG(("%02x", expected_hash[i]));
796 		VBDEBUG(("\n"));
797 	}
798 
799 	if (!rw_hash) {
800 		/*
801 		 * BIOS didn't have expected EC hash, so check if we need
802 		 * update by comparing EC hash to the one we just computed.
803 		 */
804 		need_update = SafeMemcmp(ec_hash, expected_hash,
805 					 SHA256_DIGEST_SIZE);
806 	} else if (need_update &&
807 		   SafeMemcmp(rw_hash, expected_hash, SHA256_DIGEST_SIZE)) {
808 		/*
809 		 * We need to update, but the expected EC image doesn't match
810 		 * the expected EC hash we were given.
811 		 */
812 		VBDEBUG(("VbEcSoftwareSync() - "
813 			 "VbExEcGetExpectedRW() returned %d\n", rv));
814 		VbSetRecoveryRequest(VBNV_RECOVERY_EC_HASH_MISMATCH);
815 		return VBERROR_EC_REBOOT_TO_RO_REQUIRED;
816 	}
817 
818 	/*
819 	 * TODO: GBB flag to override whether we need update; needed for EC
820 	 * development.
821 	 */
822 
823 	if (in_rw) {
824 		if (need_update) {
825 			/*
826 			 * Check if BIOS should also load VGA Option ROM when
827 			 * rebooting to save another reboot if possible.
828 			 */
829 			if ((shared->flags & VBSD_EC_SLOW_UPDATE) &&
830 			    (shared->flags & VBSD_OPROM_MATTERS) &&
831 			    !(shared->flags & VBSD_OPROM_LOADED)) {
832 				VBDEBUG(("VbEcSoftwareSync() - Reboot to "
833 					 "load VGA Option ROM\n"));
834 				VbNvSet(&vnc, VBNV_OPROM_NEEDED, 1);
835 			}
836 
837 			/*
838 			 * EC is running the wrong RW image.  Reboot the EC to
839 			 * RO so we can update it on the next boot.
840 			 */
841 			VBDEBUG(("VbEcSoftwareSync() - "
842 				 "in RW, need to update RW, so reboot\n"));
843 			return VBERROR_EC_REBOOT_TO_RO_REQUIRED;
844 		}
845 
846 		VBDEBUG(("VbEcSoftwareSync() in EC-RW and it matches\n"));
847 		return VBERROR_SUCCESS;
848 	}
849 
850 	/* Update EC if necessary */
851 	if (need_update) {
852 		VBDEBUG(("VbEcSoftwareSync() updating EC-RW...\n"));
853 
854 		if (shared->flags & VBSD_EC_SLOW_UPDATE) {
855 			VBDEBUG(("VbEcSoftwareSync() - "
856 				 "EC is slow. Show WAIT screen.\n"));
857 
858 			/* Ensure the VGA Option ROM is loaded */
859 			if ((shared->flags & VBSD_OPROM_MATTERS) &&
860 			    !(shared->flags & VBSD_OPROM_LOADED)) {
861 				VBDEBUG(("VbEcSoftwareSync() - Reboot to "
862 					 "load VGA Option ROM\n"));
863 				VbNvSet(&vnc, VBNV_OPROM_NEEDED, 1);
864 				return VBERROR_VGA_OPROM_MISMATCH;
865 			}
866 
867 			VbDisplayScreen(cparams, VB_SCREEN_WAIT, 0, &vnc);
868 		}
869 
870 		rv = VbExEcUpdateRW(devidx, expected, expected_size);
871 
872 		if (rv != VBERROR_SUCCESS) {
873 			VBDEBUG(("VbEcSoftwareSync() - "
874 				 "VbExEcUpdateRW() returned %d\n", rv));
875 
876 			/*
877 			 * The EC may know it needs a reboot.  It may need to
878 			 * unprotect RW before updating, or may need to reboot
879 			 * after RW updated.  Either way, it's not an error
880 			 * requiring recovery mode.
881 			 *
882 			 * If we fail for any other reason, trigger recovery
883 			 * mode.
884 			 */
885 			if (rv != VBERROR_EC_REBOOT_TO_RO_REQUIRED)
886 				VbSetRecoveryRequest(VBNV_RECOVERY_EC_UPDATE);
887 
888 			return VBERROR_EC_REBOOT_TO_RO_REQUIRED;
889 		}
890 
891 		/*
892 		 * TODO: should ask EC to recompute its hash to verify it's
893 		 * correct before continuing?
894 		 */
895 	}
896 
897 	/* Protect EC-RW flash */
898 	rv = EcProtectRW(devidx);
899 	if (rv != VBERROR_SUCCESS)
900 		return rv;
901 
902 	/* Tell EC to jump to its RW image */
903 	VBDEBUG(("VbEcSoftwareSync() jumping to EC-RW\n"));
904 	rv = VbExEcJumpToRW(devidx);
905 	if (rv != VBERROR_SUCCESS) {
906 		VBDEBUG(("VbEcSoftwareSync() - "
907 			 "VbExEcJumpToRW() returned %d\n", rv));
908 
909 		/*
910 		 * If the EC booted RO-normal and a previous AP boot has called
911 		 * VbExEcStayInRO(), we need to reboot the EC to unlock the
912 		 * ability to jump to the RW firmware.
913 		 *
914 		 * All other errors trigger recovery mode.
915 		 */
916 		if (rv != VBERROR_EC_REBOOT_TO_RO_REQUIRED)
917 			VbSetRecoveryRequest(VBNV_RECOVERY_EC_JUMP_RW);
918 
919 		return VBERROR_EC_REBOOT_TO_RO_REQUIRED;
920 	}
921 
922 	VBDEBUG(("VbEcSoftwareSync() jumped to EC-RW\n"));
923 
924 	rv = VbExEcDisableJump(devidx);
925 	if (rv != VBERROR_SUCCESS) {
926 		VBDEBUG(("VbEcSoftwareSync() - "
927 			"VbExEcDisableJump() returned %d\n", rv));
928 		VbSetRecoveryRequest(VBNV_RECOVERY_EC_SOFTWARE_SYNC);
929 		return VBERROR_EC_REBOOT_TO_RO_REQUIRED;
930 	}
931 
932 	/*
933 	 * Reboot to unload VGA Option ROM if:
934 	 * - RW update was done
935 	 * - the system is NOT in developer mode
936 	 * - the system has slow EC update flag set
937 	 * - the VGA Option ROM was needed and loaded
938 	 */
939 	if (need_update &&
940 	    !(shared->flags & VBSD_BOOT_DEV_SWITCH_ON) &&
941 	    (shared->flags & VBSD_EC_SLOW_UPDATE) &&
942 	    (shared->flags & VBSD_OPROM_MATTERS) &&
943 	    (shared->flags & VBSD_OPROM_LOADED)) {
944 		VBDEBUG(("VbEcSoftwareSync() - Reboot to "
945 			 "unload VGA Option ROM\n"));
946 		return VBERROR_VGA_OPROM_MISMATCH;
947 	}
948 
949 	VBDEBUG(("VbEcSoftwareSync() in RW; done\n"));
950 	return VBERROR_SUCCESS;
951 }
952 
953 /* This function is also used by tests */
VbApiKernelFree(VbCommonParams * cparams)954 void VbApiKernelFree(VbCommonParams *cparams)
955 {
956 	/* VbSelectAndLoadKernel() always allocates this, tests don't */
957 	if (cparams->gbb) {
958 		VbExFree(cparams->gbb);
959 		cparams->gbb = NULL;
960 	}
961 	if (cparams->bmp) {
962 		VbExFree(cparams->bmp);
963 		cparams->bmp = NULL;
964 	}
965 }
966 
VbSelectAndLoadKernel(VbCommonParams * cparams,VbSelectAndLoadKernelParams * kparams)967 VbError_t VbSelectAndLoadKernel(VbCommonParams *cparams,
968                                 VbSelectAndLoadKernelParams *kparams)
969 {
970 	VbSharedDataHeader *shared =
971 		(VbSharedDataHeader *)cparams->shared_data_blob;
972 	VbError_t retval = VBERROR_SUCCESS;
973 	LoadKernelParams p;
974 	uint32_t tpm_status = 0;
975 
976 	/* Start timer */
977 	shared->timer_vb_select_and_load_kernel_enter = VbExGetTimer();
978 
979 	VbExNvStorageRead(vnc.raw);
980 	VbNvSetup(&vnc);
981 
982 	/* Clear output params in case we fail */
983 	kparams->disk_handle = NULL;
984 	kparams->partition_number = 0;
985 	kparams->bootloader_address = 0;
986 	kparams->bootloader_size = 0;
987 	kparams->flags = 0;
988 	Memset(kparams->partition_guid, 0, sizeof(kparams->partition_guid));
989 
990 	cparams->bmp = NULL;
991 	cparams->gbb = VbExMalloc(sizeof(*cparams->gbb));
992 	retval = VbGbbReadHeader_static(cparams, cparams->gbb);
993 	if (VBERROR_SUCCESS != retval)
994 		goto VbSelectAndLoadKernel_exit;
995 
996 	/* Do EC software sync if necessary */
997 	if ((shared->flags & VBSD_EC_SOFTWARE_SYNC) &&
998 	    !(cparams->gbb->flags & GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC)) {
999 		int oprom_mismatch = 0;
1000 
1001 		retval = VbEcSoftwareSync(0, cparams);
1002 		/* Save reboot requested until after possible PD sync */
1003 		if (retval == VBERROR_VGA_OPROM_MISMATCH)
1004 			oprom_mismatch = 1;
1005 		else if (retval != VBERROR_SUCCESS)
1006 			goto VbSelectAndLoadKernel_exit;
1007 
1008 #ifdef PD_SYNC
1009 		if (!(cparams->gbb->flags &
1010 		      GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC)) {
1011 			retval = VbEcSoftwareSync(1, cparams);
1012 			if (retval == VBERROR_VGA_OPROM_MISMATCH)
1013 				oprom_mismatch = 1;
1014 			else if (retval != VBERROR_SUCCESS)
1015 				goto VbSelectAndLoadKernel_exit;
1016 		}
1017 #endif
1018 
1019 		/* Request reboot to unload VGA Option ROM */
1020 		if (oprom_mismatch) {
1021 			retval = VBERROR_VGA_OPROM_MISMATCH;
1022 			goto VbSelectAndLoadKernel_exit;
1023 		}
1024 	}
1025 
1026 	/* Read kernel version from the TPM.  Ignore errors in recovery mode. */
1027 	tpm_status = RollbackKernelRead(&shared->kernel_version_tpm);
1028 	if (0 != tpm_status) {
1029 		VBDEBUG(("Unable to get kernel versions from TPM\n"));
1030 		if (!shared->recovery_reason) {
1031 			VbSetRecoveryRequest(VBNV_RECOVERY_RW_TPM_R_ERROR);
1032 			retval = VBERROR_TPM_READ_KERNEL;
1033 			goto VbSelectAndLoadKernel_exit;
1034 		}
1035 	}
1036 	shared->kernel_version_tpm_start = shared->kernel_version_tpm;
1037 
1038 	/* Fill in params for calls to LoadKernel() */
1039 	Memset(&p, 0, sizeof(p));
1040 	p.shared_data_blob = cparams->shared_data_blob;
1041 	p.shared_data_size = cparams->shared_data_size;
1042 	p.gbb_data = cparams->gbb_data;
1043 	p.gbb_size = cparams->gbb_size;
1044 
1045 	/*
1046 	 * This could be set to NULL, in which case the vboot header
1047 	 * information about the load address and size will be used.
1048 	 */
1049 	p.kernel_buffer = kparams->kernel_buffer;
1050 	p.kernel_buffer_size = kparams->kernel_buffer_size;
1051 
1052 	p.nv_context = &vnc;
1053 	p.boot_flags = 0;
1054 	if (shared->flags & VBSD_BOOT_DEV_SWITCH_ON)
1055 		p.boot_flags |= BOOT_FLAG_DEVELOPER;
1056 
1057 	/* Handle separate normal and developer firmware builds. */
1058 #if defined(VBOOT_FIRMWARE_TYPE_NORMAL)
1059 	/* Normal-type firmware always acts like the dev switch is off. */
1060 	p.boot_flags &= ~BOOT_FLAG_DEVELOPER;
1061 #elif defined(VBOOT_FIRMWARE_TYPE_DEVELOPER)
1062 	/* Developer-type firmware fails if the dev switch is off. */
1063 	if (!(p.boot_flags & BOOT_FLAG_DEVELOPER)) {
1064 		/*
1065 		 * Dev firmware should be signed with a key that only verifies
1066 		 * when the dev switch is on, so we should never get here.
1067 		 */
1068 		VBDEBUG(("Developer firmware called with dev switch off!\n"));
1069 		VbSetRecoveryRequest(VBNV_RECOVERY_RW_DEV_MISMATCH);
1070 		retval = VBERROR_DEV_FIRMWARE_SWITCH_MISMATCH;
1071 		goto VbSelectAndLoadKernel_exit;
1072 	}
1073 #else
1074 	/*
1075 	 * Recovery firmware, or merged normal+developer firmware.  No need to
1076 	 * override flags.
1077 	 */
1078 #endif
1079 
1080 	/* Select boot path */
1081 	if (shared->recovery_reason) {
1082 		/* Recovery boot */
1083 		p.boot_flags |= BOOT_FLAG_RECOVERY;
1084 		retval = VbBootRecovery(cparams, &p);
1085 		VbExEcEnteringMode(0, VB_EC_RECOVERY);
1086 		VbDisplayScreen(cparams, VB_SCREEN_BLANK, 0, &vnc);
1087 
1088 	} else if (p.boot_flags & BOOT_FLAG_DEVELOPER) {
1089 		/* Developer boot */
1090 		retval = VbBootDeveloper(cparams, &p);
1091 		VbExEcEnteringMode(0, VB_EC_DEVELOPER);
1092 		VbDisplayScreen(cparams, VB_SCREEN_BLANK, 0, &vnc);
1093 
1094 	} else {
1095 		/* Normal boot */
1096 		VbExEcEnteringMode(0, VB_EC_NORMAL);
1097 		retval = VbBootNormal(cparams, &p);
1098 
1099 		if ((1 == shared->firmware_index) &&
1100 		    (shared->flags & VBSD_FWB_TRIED)) {
1101 			/*
1102 			 * Special cases for when we're trying a new firmware
1103 			 * B.  These are needed because firmware updates also
1104 			 * usually change the kernel key, which means that the
1105 			 * B firmware can only boot a new kernel, and the old
1106 			 * firmware in A can only boot the previous kernel.
1107 			 *
1108 			 * Don't advance the TPM if we're trying a new firmware
1109 			 * B, because we don't yet know if the new kernel will
1110 			 * successfully boot.  We still want to be able to fall
1111 			 * back to the previous firmware+kernel if the new
1112 			 * firmware+kernel fails.
1113 			 *
1114 			 * If we found only invalid kernels, reboot and try
1115 			 * again.  This allows us to fall back to the previous
1116 			 * firmware+kernel instead of giving up and going to
1117 			 * recovery mode right away.  We'll still go to
1118 			 * recovery mode if we run out of tries and the old
1119 			 * firmware can't find a kernel it likes.
1120 			 */
1121 			if (VBERROR_INVALID_KERNEL_FOUND == retval) {
1122 				VBDEBUG(("Trying firmware B, "
1123 					 "and only found invalid kernels.\n"));
1124 				VbSetRecoveryRequest(VBNV_RECOVERY_NOT_REQUESTED);
1125 				goto VbSelectAndLoadKernel_exit;
1126 			}
1127 		} else {
1128 			/* Not trying a new firmware B. */
1129 
1130 			/* See if we need to update the TPM. */
1131 			VBDEBUG(("Checking if TPM kernel version needs "
1132 				 "advancing\n"));
1133 			if (shared->kernel_version_tpm >
1134 			    shared->kernel_version_tpm_start) {
1135 				tpm_status = RollbackKernelWrite(
1136 						shared->kernel_version_tpm);
1137 				if (0 != tpm_status) {
1138 					VBDEBUG(("Error writing kernel "
1139 						 "versions to TPM.\n"));
1140 					VbSetRecoveryRequest(VBNV_RECOVERY_RW_TPM_W_ERROR);
1141 					retval = VBERROR_TPM_WRITE_KERNEL;
1142 					goto VbSelectAndLoadKernel_exit;
1143 				}
1144 			}
1145 		}
1146 	}
1147 
1148 	if (VBERROR_SUCCESS != retval)
1149 		goto VbSelectAndLoadKernel_exit;
1150 
1151 	/* Save disk parameters */
1152 	kparams->disk_handle = p.disk_handle;
1153 	kparams->partition_number = (uint32_t)p.partition_number;
1154 	kparams->bootloader_address = p.bootloader_address;
1155 	kparams->bootloader_size = (uint32_t)p.bootloader_size;
1156 	kparams->flags = p.flags;
1157 	Memcpy(kparams->partition_guid, p.partition_guid,
1158 	       sizeof(kparams->partition_guid));
1159 
1160 	/* Lock the kernel versions.  Ignore errors in recovery mode. */
1161 	tpm_status = RollbackKernelLock(shared->recovery_reason);
1162 	if (0 != tpm_status) {
1163 		VBDEBUG(("Error locking kernel versions.\n"));
1164 		if (!shared->recovery_reason) {
1165 			VbSetRecoveryRequest(VBNV_RECOVERY_RW_TPM_L_ERROR);
1166 			retval = VBERROR_TPM_LOCK_KERNEL;
1167 			goto VbSelectAndLoadKernel_exit;
1168 		}
1169 	}
1170 
1171  VbSelectAndLoadKernel_exit:
1172 
1173 	VbApiKernelFree(cparams);
1174 
1175 	VbNvTeardown(&vnc);
1176 	if (vnc.raw_changed)
1177 		VbExNvStorageWrite(vnc.raw);
1178 
1179 	/* Stop timer */
1180 	shared->timer_vb_select_and_load_kernel_exit = VbExGetTimer();
1181 
1182 	kparams->kernel_buffer = p.kernel_buffer;
1183 	kparams->kernel_buffer_size = p.kernel_buffer_size;
1184 
1185 	VBDEBUG(("VbSelectAndLoadKernel() returning %d\n", (int)retval));
1186 
1187 	/* Pass through return value from boot path */
1188 	return retval;
1189 }
1190