1 /* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
2  * Use of this source code is governed by a BSD-style license that can be
3  * found in the LICENSE file.
4  *
5  * Data structure definitions for verified boot, for on-disk / in-eeprom
6  * data.
7  */
8 
9 #ifndef VBOOT_REFERENCE_VBOOT_STRUCT_H_
10 #define VBOOT_REFERENCE_VBOOT_STRUCT_H_
11 #include <stdint.h>
12 
13 /* Public key data */
14 typedef struct VbPublicKey {
15 	/* Offset of key data from start of this struct */
16 	uint64_t key_offset;
17 	/* Size of key data in bytes (NOT strength of key in bits) */
18 	uint64_t key_size;
19 	/* Signature algorithm used by the key */
20 	uint64_t algorithm;
21 	/* Key version */
22 	uint64_t key_version;
23 } __attribute__((packed)) VbPublicKey;
24 
25 #define EXPECTED_VBPUBLICKEY_SIZE 32
26 
27 /* Signature data (a secure hash, possibly signed) */
28 typedef struct VbSignature {
29 	/* Offset of signature data from start of this struct */
30 	uint64_t sig_offset;
31 	/* Size of signature data in bytes */
32 	uint64_t sig_size;
33 	/* Size of the data block which was signed in bytes */
34 	uint64_t data_size;
35 } __attribute__((packed)) VbSignature;
36 
37 #define EXPECTED_VBSIGNATURE_SIZE 24
38 
39 #define KEY_BLOCK_MAGIC "CHROMEOS"
40 #define KEY_BLOCK_MAGIC_SIZE 8
41 
42 #define KEY_BLOCK_HEADER_VERSION_MAJOR 2
43 #define KEY_BLOCK_HEADER_VERSION_MINOR 1
44 
45 /* Flags for key_block_flags */
46 /* The following flags set where the key is valid */
47 #define KEY_BLOCK_FLAG_DEVELOPER_0  (0x01ULL) /* Developer switch off */
48 #define KEY_BLOCK_FLAG_DEVELOPER_1  (0x02ULL) /* Developer switch on */
49 #define KEY_BLOCK_FLAG_RECOVERY_0   (0x04ULL) /* Not recovery mode */
50 #define KEY_BLOCK_FLAG_RECOVERY_1   (0x08ULL) /* Recovery mode */
51 
52 /*
53  * Key block, containing the public key used to sign some other chunk of data.
54  *
55  * This should be followed by:
56  *   1) The data_key key data, pointed to by data_key.key_offset.
57  *   2) The checksum data for (VBKeyBlockHeader + data_key data), pointed to
58  *      by key_block_checksum.sig_offset.
59  *   3) The signature data for (VBKeyBlockHeader + data_key data), pointed to
60  *      by key_block_signature.sig_offset.
61  */
62 typedef struct VbKeyBlockHeader {
63 	/* Magic number */
64 	uint8_t magic[KEY_BLOCK_MAGIC_SIZE];
65 	/* Version of this header format */
66 	uint32_t header_version_major;
67 	/* Version of this header format */
68 	uint32_t header_version_minor;
69 	/*
70 	 * Length of this entire key block, including keys, signatures, and
71 	 * padding, in bytes
72 	 */
73 	uint64_t key_block_size;
74 	/*
75 	 * Signature for this key block (header + data pointed to by data_key)
76 	 * For use with signed data keys
77 	 */
78 	VbSignature key_block_signature;
79 	/*
80 	 * SHA-512 checksum for this key block (header + data pointed to by
81 	 * data_key) For use with unsigned data keys
82 	 */
83 	VbSignature key_block_checksum;
84 	/* Flags for key (KEY_BLOCK_FLAG_*) */
85 	uint64_t key_block_flags;
86 	/* Key to verify the chunk of data */
87 	VbPublicKey data_key;
88 } __attribute__((packed)) VbKeyBlockHeader;
89 
90 #define EXPECTED_VBKEYBLOCKHEADER_SIZE 112
91 
92 /****************************************************************************/
93 
94 #define FIRMWARE_PREAMBLE_HEADER_VERSION_MAJOR 2
95 #define FIRMWARE_PREAMBLE_HEADER_VERSION_MINOR 1
96 
97 /*
98  * Preamble block for rewritable firmware, version 2.0.  All 2.x versions of
99  * this struct must start with the same data, to be compatible with version 2.0
100  * readers.
101  */
102 typedef struct VbFirmwarePreambleHeader2_0 {
103 	/*
104 	 * Size of this preamble, including keys, signatures, and padding, in
105 	 * bytes
106 	 */
107 	uint64_t preamble_size;
108 	/*
109 	 * Signature for this preamble (header + kernel subkey + body
110 	 * signature)
111 	 */
112 	VbSignature preamble_signature;
113 	/* Version of this header format (= 2) */
114 	uint32_t header_version_major;
115 	/* Version of this header format (= 0) */
116 	uint32_t header_version_minor;
117 
118 	/* Firmware version */
119 	uint64_t firmware_version;
120 	/* Key to verify kernel key block */
121 	VbPublicKey kernel_subkey;
122 	/* Signature for the firmware body */
123 	VbSignature body_signature;
124 } __attribute__((packed)) VbFirmwarePreambleHeader2_0;
125 
126 #define EXPECTED_VBFIRMWAREPREAMBLEHEADER2_0_SIZE 104
127 
128 /* Flags for VbFirmwarePreambleHeader.flags */
129 /*
130  * Use the normal/dev boot path from the read-only firmware, instead of
131  * verifying the body signature.
132  */
133 #define VB_FIRMWARE_PREAMBLE_USE_RO_NORMAL 0x00000001
134 
135 /* Premable block for rewritable firmware, version 2.1.
136  *
137  * The firmware preamble header should be followed by:
138  *   1) The kernel_subkey key data, pointed to by kernel_subkey.key_offset.
139  *   2) The signature data for the firmware body, pointed to by
140  *      body_signature.sig_offset.
141  *   3) The signature data for (header + kernel_subkey data + body signature
142  *      data), pointed to by preamble_signature.sig_offset.
143  */
144 typedef struct VbFirmwarePreambleHeader {
145 	/*
146 	 * Size of this preamble, including keys, signatures, and padding, in
147 	 * bytes
148 	 */
149 	uint64_t preamble_size;
150 	/*
151 	 * Signature for this preamble (header + kernel subkey + body
152 	 * signature)
153 	 */
154 	VbSignature preamble_signature;
155 	/* Version of this header format */
156 	uint32_t header_version_major;
157 	/* Version of this header format */
158 	uint32_t header_version_minor;
159 
160 	/* Firmware version */
161 	uint64_t firmware_version;
162 	/* Key to verify kernel key block */
163 	VbPublicKey kernel_subkey;
164 	/* Signature for the firmware body */
165 	VbSignature body_signature;
166 
167 	/*
168 	 * Fields added in header version 2.1.  You must verify the header
169 	 * version before reading these fields!
170 	 */
171 	/*
172 	 * Flags; see VB_FIRMWARE_PREAMBLE_*.  Readers should return 0 for
173 	 * header version < 2.1.
174 	 */
175 	uint32_t flags;
176 } __attribute__((packed)) VbFirmwarePreambleHeader;
177 
178 #define EXPECTED_VBFIRMWAREPREAMBLEHEADER2_1_SIZE 108
179 
180 /****************************************************************************/
181 
182 #define KERNEL_PREAMBLE_HEADER_VERSION_MAJOR 2
183 #define KERNEL_PREAMBLE_HEADER_VERSION_MINOR 2
184 
185 /* Preamble block for kernel, version 2.0
186  *
187  * This should be followed by:
188  *   1) The signature data for the kernel body, pointed to by
189  *      body_signature.sig_offset.
190  *   2) The signature data for (VBFirmwarePreambleHeader + body signature
191  *      data), pointed to by preamble_signature.sig_offset.
192  */
193 typedef struct VbKernelPreambleHeader2_0 {
194 	/*
195 	 * Size of this preamble, including keys, signatures, and padding, in
196 	 * bytes
197 	 */
198 	uint64_t preamble_size;
199 	/* Signature for this preamble (header + body signature) */
200 	VbSignature preamble_signature;
201 	/* Version of this header format */
202 	uint32_t header_version_major;
203 	/* Version of this header format */
204 	uint32_t header_version_minor;
205 
206 	/* Kernel version */
207 	uint64_t kernel_version;
208 	/* Load address for kernel body */
209 	uint64_t body_load_address;
210 	/* Address of bootloader, after body is loaded at body_load_address */
211 	uint64_t bootloader_address;
212 	/* Size of bootloader in bytes */
213 	uint64_t bootloader_size;
214 	/* Signature for the kernel body */
215 	VbSignature body_signature;
216 } __attribute__((packed)) VbKernelPreambleHeader2_0;
217 
218 #define EXPECTED_VBKERNELPREAMBLEHEADER2_0_SIZE 96
219 
220 /* Preamble block for kernel, version 2.1
221  *
222  * This should be followed by:
223  *   1) The signature data for the kernel body, pointed to by
224  *      body_signature.sig_offset.
225  *   2) The signature data for (VBFirmwarePreambleHeader + body signature
226  *      data), pointed to by preamble_signature.sig_offset.
227  *   3) The 16-bit vmlinuz header, which is used for reconstruction of
228  *      vmlinuz image.
229  */
230 typedef struct VbKernelPreambleHeader {
231 	/*
232 	 * Size of this preamble, including keys, signatures, vmlinuz header,
233 	 * and padding, in bytes
234 	 */
235 	uint64_t preamble_size;
236 	/* Signature for this preamble (header + body signature) */
237 	VbSignature preamble_signature;
238 	/* Version of this header format */
239 	uint32_t header_version_major;
240 	/* Version of this header format */
241 	uint32_t header_version_minor;
242 
243 	/* Kernel version */
244 	uint64_t kernel_version;
245 	/* Load address for kernel body */
246 	uint64_t body_load_address;
247 	/* Address of bootloader, after body is loaded at body_load_address */
248 	uint64_t bootloader_address;
249 	/* Size of bootloader in bytes */
250 	uint64_t bootloader_size;
251 	/* Signature for the kernel body */
252 	VbSignature body_signature;
253 	/*
254 	 * Fields added in header version 2.1.  You must verify the header
255 	 * version before reading these fields!
256 	 */
257 	/* Address of 16-bit header for vmlinuz reassembly.  Readers should
258 	   return 0 for header version < 2.1 */
259 	uint64_t vmlinuz_header_address;
260 	/* Size of 16-bit header for vmlinuz in bytes.  Readers should return 0
261 	   for header version < 2.1 */
262 	uint64_t vmlinuz_header_size;
263 	/*
264 	 * Flags passed in by the signer. Readers should return 0 for header
265 	 * version < 2.2. Flags field is currently defined as:
266 	 * [31:2] - Reserved (for future use)
267 	 * [1:0]  - Kernel image type (0b00 - CrOS, 0b01 - bootimg)
268 	 */
269 	uint32_t flags;
270 } __attribute__((packed)) VbKernelPreambleHeader;
271 
272 #define EXPECTED_VBKERNELPREAMBLEHEADER2_1_SIZE 112
273 #define EXPECTED_VBKERNELPREAMBLEHEADER2_2_SIZE 116
274 
275 /****************************************************************************/
276 
277 /* Constants and sub-structures for VbSharedDataHeader */
278 
279 /* Magic number for recognizing VbSharedDataHeader ("VbSD") */
280 #define VB_SHARED_DATA_MAGIC 0x44536256
281 
282 /* Minimum and recommended size of shared_data_blob in bytes. */
283 #define VB_SHARED_DATA_MIN_SIZE 3072
284 #define VB_SHARED_DATA_REC_SIZE 16384
285 
286 /* Flags for VbSharedDataHeader */
287 /* LoadFirmware() tried firmware B because of VbNvStorage firmware B tries */
288 #define VBSD_FWB_TRIED                  0x00000001
289 /*
290  * LoadKernel() verified the good kernel keyblock using the kernel subkey from
291  * the firmware.  If this flag is not present, it just used the hash of the
292  * kernel keyblock.
293  */
294 #define VBSD_KERNEL_KEY_VERIFIED         0x00000002
295 /* LoadFirmware() was told the developer switch was on */
296 #define VBSD_LF_DEV_SWITCH_ON            0x00000004
297 /* LoadFirmware() is requesting the read only normal/dev code path */
298 #define VBSD_LF_USE_RO_NORMAL            0x00000008
299 /* Developer switch was enabled at boot time */
300 #define VBSD_BOOT_DEV_SWITCH_ON          0x00000010
301 /* Recovery switch was enabled at boot time */
302 #define VBSD_BOOT_REC_SWITCH_ON          0x00000020
303 /* Firmware write protect was enabled at boot time */
304 #define VBSD_BOOT_FIRMWARE_WP_ENABLED    0x00000040
305 /* Boot is a S3->S0 resume, not a S5->S0 normal boot */
306 #define VBSD_BOOT_S3_RESUME              0x00000100
307 /* Read-only firmware supports the normal/developer code path */
308 #define VBSD_BOOT_RO_NORMAL_SUPPORT      0x00000200
309 /* VbInit() was told that the system has a virtual dev-switch */
310 #define VBSD_HONOR_VIRT_DEV_SWITCH       0x00000400
311 /* VbInit() was told the system supports EC software sync */
312 #define VBSD_EC_SOFTWARE_SYNC            0x00000800
313 /* VbInit() was told that the EC firmware is slow to update */
314 #define VBSD_EC_SLOW_UPDATE              0x00001000
315 /* Firmware software write protect was enabled at boot time */
316 #define VBSD_BOOT_FIRMWARE_SW_WP_ENABLED 0x00002000
317 /* VbInit() was told that the recovery button is a virtual one */
318 #define VBSD_BOOT_REC_SWITCH_VIRTUAL     0x00004000
319 /* Firmware used vboot2 for firmware selection */
320 #define VBSD_BOOT_FIRMWARE_VBOOT2        0x00008000
321 /* Firmware needs VGA Option ROM to display screens */
322 #define VBSD_OPROM_MATTERS               0x00010000
323 /* Firmware has loaded the VGA Option ROM */
324 #define VBSD_OPROM_LOADED                0x00020000
325 
326 /*
327  * Supported flags by header version.  It's ok to add new flags while keeping
328  * struct version 2 as long as flag-NOT-present is the correct value for
329  * existing hardware (Stumpy/Lumpy).
330  */
331 #define VBSD_FLAGS_VERSION_1            0x00000007  /* Alex, ZGB */
332 #define VBSD_FLAGS_VERSION_2            0x00000F7F
333 
334 /* Result codes for VbSharedDataHeader.check_fw_a_result (and b_result) */
335 #define VBSD_LF_CHECK_NOT_DONE          0
336 #define VBSD_LF_CHECK_DEV_MISMATCH      1
337 #define VBSD_LF_CHECK_REC_MISMATCH      2
338 #define VBSD_LF_CHECK_VERIFY_KEYBLOCK   3
339 #define VBSD_LF_CHECK_KEY_ROLLBACK      4
340 #define VBSD_LF_CHECK_DATA_KEY_PARSE    5
341 #define VBSD_LF_CHECK_VERIFY_PREAMBLE   6
342 #define VBSD_LF_CHECK_FW_ROLLBACK       7
343 #define VBSD_LF_CHECK_HEADER_VALID      8
344 #define VBSD_LF_CHECK_GET_FW_BODY       9
345 #define VBSD_LF_CHECK_HASH_WRONG_SIZE   10
346 #define VBSD_LF_CHECK_VERIFY_BODY       11
347 #define VBSD_LF_CHECK_VALID             12
348 /*
349  * Read-only normal path requested by firmware preamble, but unsupported by
350  * firmware.
351  */
352 #define VBSD_LF_CHECK_NO_RO_NORMAL      13
353 
354 /* Boot mode for VbSharedDataHeader.lk_boot_mode */
355 #define VBSD_LK_BOOT_MODE_RECOVERY      0
356 #define VBSD_LK_BOOT_MODE_NORMAL        1
357 #define VBSD_LK_BOOT_MODE_DEVELOPER     2
358 
359 /* Flags for VbSharedDataKernelPart.flags */
360 #define VBSD_LKP_FLAG_KEY_BLOCK_VALID   0x01
361 
362 /* Result codes for VbSharedDataKernelPart.check_result */
363 #define VBSD_LKP_CHECK_NOT_DONE           0
364 #define VBSD_LKP_CHECK_TOO_SMALL          1
365 #define VBSD_LKP_CHECK_READ_START         2
366 #define VBSD_LKP_CHECK_KEY_BLOCK_SIG      3
367 #define VBSD_LKP_CHECK_KEY_BLOCK_HASH     4
368 #define VBSD_LKP_CHECK_DEV_MISMATCH       5
369 #define VBSD_LKP_CHECK_REC_MISMATCH       6
370 #define VBSD_LKP_CHECK_KEY_ROLLBACK       7
371 #define VBSD_LKP_CHECK_DATA_KEY_PARSE     8
372 #define VBSD_LKP_CHECK_VERIFY_PREAMBLE    9
373 #define VBSD_LKP_CHECK_KERNEL_ROLLBACK    10
374 #define VBSD_LKP_CHECK_PREAMBLE_VALID     11
375 /*
376  * Body load address check is omitted; this result code is deprecated and not
377  * used anywhere in the codebase.
378  */
379 #define VBSD_LKP_CHECK_BODY_ADDRESS       12
380 #define VBSD_LKP_CHECK_BODY_OFFSET        13
381 #define VBSD_LKP_CHECK_SELF_SIGNED        14
382 #define VBSD_LKP_CHECK_BODY_EXCEEDS_MEM   15
383 #define VBSD_LKP_CHECK_BODY_EXCEEDS_PART  16
384 #define VBSD_LKP_CHECK_READ_DATA          17
385 #define VBSD_LKP_CHECK_VERIFY_DATA        18
386 #define VBSD_LKP_CHECK_KERNEL_GOOD        19
387 
388 /* Information about a single kernel partition check in LoadKernel() */
389 typedef struct VbSharedDataKernelPart {
390 	uint64_t sector_start;     /* Start sector of partition */
391 	uint64_t sector_count;     /* Sector count of partition */
392 	uint32_t combined_version; /* Combined key+kernel version */
393 	uint8_t gpt_index;         /* Index of partition in GPT */
394 	uint8_t check_result;      /* Check result; see VBSD_LKP_CHECK_* */
395 	uint8_t flags;             /* Flags (see VBSD_LKP_FLAG_* */
396 	uint8_t reserved0;         /* Reserved for padding */
397 } VbSharedDataKernelPart;
398 
399 /* Number of kernel partitions to track per call.  Must be power of 2. */
400 #define VBSD_MAX_KERNEL_PARTS 8
401 
402 /* Flags for VbSharedDataKernelCall.flags */
403 /* Error initializing TPM in recovery mode */
404 #define VBSD_LK_FLAG_REC_TPM_INIT_ERROR 0x00000001
405 
406 /* Result codes for VbSharedDataKernelCall.check_result */
407 #define VBSD_LKC_CHECK_NOT_DONE            0
408 #define VBSD_LKC_CHECK_DEV_SWITCH_MISMATCH 1
409 #define VBSD_LKC_CHECK_GPT_READ_ERROR      2
410 #define VBSD_LKC_CHECK_GPT_PARSE_ERROR     3
411 #define VBSD_LKC_CHECK_GOOD_PARTITION      4
412 #define VBSD_LKC_CHECK_INVALID_PARTITIONS  5
413 #define VBSD_LKC_CHECK_NO_PARTITIONS       6
414 
415 /* Information about a single call to LoadKernel() */
416 typedef struct VbSharedDataKernelCall {
417 	/* Bottom 32 bits of flags passed in LoadKernelParams.boot_flags */
418 	uint32_t boot_flags;
419 	/* Debug flags; see VBSD_LK_FLAG_* */
420 	uint32_t flags;
421 	/* Number of sectors on drive */
422 	uint64_t sector_count;
423 	/* Sector size in bytes */
424 	uint32_t sector_size;
425 	/* Check result; see VBSD_LKC_CHECK_* */
426 	uint8_t check_result;
427 	/* Boot mode for LoadKernel(); see VBSD_LK_BOOT_MODE_* constants */
428 	uint8_t boot_mode;
429 	/* Test error number, if non-zero */
430 	uint8_t test_error_num;
431 	/* Return code from LoadKernel() */
432 	uint8_t return_code;
433 	/* Number of kernel partitions found */
434 	uint8_t kernel_parts_found;
435 	/* Reserved for padding */
436 	uint8_t reserved0[7];
437 	/* Data on kernels */
438 	VbSharedDataKernelPart parts[VBSD_MAX_KERNEL_PARTS];
439 } VbSharedDataKernelCall;
440 
441 /* Number of kernel calls to track.  Must be power of 2. */
442 #define VBSD_MAX_KERNEL_CALLS 4
443 
444 /*
445  * Data shared between LoadFirmware(), LoadKernel(), and OS.
446  *
447  * The boot process is:
448  *   1) Caller allocates buffer, at least VB_SHARED_DATA_MIN bytes, ideally
449  *      VB_SHARED_DATA_REC_SIZE bytes.
450  *   2) If non-recovery boot, this is passed to LoadFirmware(), which
451  *      initializes the buffer, adding this header and some data.
452  *   3) Buffer is passed to LoadKernel().  If this is a recovery boot,
453  *      LoadKernel() initializes the buffer, adding this header.  Regardless
454  *      of boot type, LoadKernel() adds some data to the buffer.
455  *   4) Caller makes data available to the OS in a platform-dependent manner.
456  *      For example, via ACPI or ATAGs.
457  */
458 typedef struct VbSharedDataHeader {
459 	/* Fields present in version 1 */
460 	/* Magic number for struct (VB_SHARED_DATA_MAGIC) */
461 	uint32_t magic;
462 	/* Version of this structure */
463 	uint32_t struct_version;
464 	/* Size of this structure in bytes */
465 	uint64_t struct_size;
466 	/* Size of shared data buffer in bytes */
467 	uint64_t data_size;
468 	/* Amount of shared data used so far */
469 	uint64_t data_used;
470 	/* Flags */
471 	uint32_t flags;
472 	/* Reserved for padding */
473 	uint32_t reserved0;
474 	/* Kernel subkey, from firmware */
475 	VbPublicKey kernel_subkey;
476 	/* Offset of kernel subkey data from start of this struct */
477 	uint64_t kernel_subkey_data_offset;
478 	/* Size of kernel subkey data */
479 	uint64_t kernel_subkey_data_size;
480 
481 	/*
482 	 * Timer values from VbExGetTimer().  Unused values are set to 0.  Note
483 	 * that these are now the enter/exit times for the wrapper API entry
484 	 * points; see crosbug.com/17018. */
485 	/* VbInit() enter/exit */
486 	uint64_t timer_vb_init_enter;
487 	uint64_t timer_vb_init_exit;
488 	/* VbSelectFirmware() enter/exit */
489 	uint64_t timer_vb_select_firmware_enter;
490 	uint64_t timer_vb_select_firmware_exit;
491 	/* VbSelectAndLoadKernel() enter/exit */
492 	uint64_t timer_vb_select_and_load_kernel_enter;
493 	uint64_t timer_vb_select_and_load_kernel_exit;
494 
495 	/* Information stored in TPM, as retrieved by firmware */
496 	/* Current firmware version in TPM */
497 	uint32_t fw_version_tpm;
498 	/* Current kernel version in TPM */
499 	uint32_t kernel_version_tpm;
500 
501 	/* Debugging information from LoadFirmware() */
502 	/* Result of checking RW firmware A and B */
503 	uint8_t check_fw_a_result;
504 	uint8_t check_fw_b_result;
505 	/* Firmware index returned by LoadFirmware() or 0xFF if failure */
506 	uint8_t firmware_index;
507 	/* Reserved for padding */
508 	uint8_t reserved1;
509 	/* Firmware TPM version at start of VbSelectFirmware() */
510 	uint32_t fw_version_tpm_start;
511 	/* Firmware lowest version found */
512 	uint32_t fw_version_lowest;
513 
514 	/* Debugging information from LoadKernel() */
515 	/* Number of times LoadKernel() called */
516 	uint32_t lk_call_count;
517 	/* Info on calls */
518 	VbSharedDataKernelCall lk_calls[VBSD_MAX_KERNEL_CALLS];
519 
520 	/*
521 	 * Offset and size of supplemental kernel data.  Reserve space for
522 	 * these fields now, so that future LoadKernel() versions can store
523 	 * information there without needing to shift down whatever data the
524 	 * original LoadFirmware() might have put immediately following its
525 	 * VbSharedDataHeader.
526 	 */
527 	uint64_t kernel_supplemental_offset;
528 	uint64_t kernel_supplemental_size;
529 
530 	/*
531 	 * Fields added in version 2.  Before accessing, make sure that
532 	 * struct_version >= 2
533 	 */
534 	/* Recovery reason for current boot */
535 	uint8_t recovery_reason;
536 	/* Reserved for padding */
537 	uint8_t reserved2[7];
538 	/* Flags from firmware keyblock */
539 	uint64_t fw_keyblock_flags;
540 	/* Kernel TPM version at start of VbSelectAndLoadKernel() */
541 	uint32_t kernel_version_tpm_start;
542 	/* Kernel lowest version found */
543 	uint32_t kernel_version_lowest;
544 
545 	/*
546 	 * After read-only firmware which uses version 2 is released, any
547 	 * additional fields must be added below, and the struct version must
548 	 * be increased.  Before reading/writing those fields, make sure that
549 	 * the struct being accessed is at least version 3.
550 	 *
551 	 * It's always ok for an older firmware to access a newer struct, since
552 	 * all the fields it knows about are present.  Newer firmware needs to
553 	 * use reasonable defaults when accessing older structs.
554 	 */
555 } __attribute__((packed)) VbSharedDataHeader;
556 
557 /*
558  * Size of VbSharedDataheader for each version
559  *
560  * TODO: crossystem needs not to fail if called on a v1 system where
561  * sizeof(VbSharedDataHeader) was smaller
562  */
563 #define VB_SHARED_DATA_HEADER_SIZE_V1 1072
564 #define VB_SHARED_DATA_HEADER_SIZE_V2 1096
565 
566 #define VB_SHARED_DATA_VERSION 2      /* Version for struct_version */
567 
568 #endif  /* VBOOT_REFERENCE_VBOOT_STRUCT_H_ */
569