diff --git a/Android.mk b/Android.mk index f12e51d7..806c68ea 100644 --- a/Android.mk +++ b/Android.mk @@ -34,6 +34,10 @@ ifeq ($(TARGET_USE_TRUSTY),true) KERNELFLINGER_CFLAGS += -DUSE_TRUSTY endif +ifeq ($(TARGET_USE_IVSHMEM),true) + KERNELFLINGER_CFLAGS += -DUSE_IVSHMEM +endif + ifeq ($(TARGET_USE_MULTIBOOT),true) KERNELFLINGER_CFLAGS += -DUSE_MULTIBOOT endif @@ -150,7 +154,9 @@ SHARED_STATIC_LIBRARIES := \ $(KERNELFLINGER_STATIC_LIBRARIES) \ libkernelflinger-$(TARGET_BUILD_VARIANT) -SHARED_STATIC_LIBRARIES += libedk2_tpm +ifeq ($(TARGET_USE_TPM),true) + SHARED_STATIC_LIBRARIES += libedk2_tpm +endif include $(CLEAR_VARS) LOCAL_MODULE := kernelflinger-$(TARGET_BUILD_VARIANT) @@ -249,7 +255,9 @@ LOCAL_STATIC_LIBRARIES := \ libxbc-$(TARGET_BUILD_VARIANT) -SHARED_STATIC_LIBRARIES += libedk2_tpm +ifeq ($(TARGET_USE_TPM),true) + SHARED_STATIC_LIBRARIES += libedk2_tpm +endif LOCAL_CFLAGS := $(SHARED_CFLAGS) LOCAL_SRC_FILES := installer.c diff --git a/avb/libavb_user/uefi_avb_ops.c b/avb/libavb_user/uefi_avb_ops.c index e19dacf9..729aed83 100644 --- a/avb/libavb_user/uefi_avb_ops.c +++ b/avb/libavb_user/uefi_avb_ops.c @@ -31,7 +31,9 @@ #include "lib.h" #include "log.h" #include "security.h" +#ifdef USE_TPM #include "tpm2_security.h" +#endif extern char _binary_avb_pk_start; extern char _binary_avb_pk_end; @@ -255,12 +257,11 @@ static AvbIOResult read_rollback_index(__attribute__((unused)) AvbOps* ops, if (is_live_boot()) ret = EFI_NOT_FOUND; else { - if (tee_tpm) - ret = tee_read_rollback_index_tpm2(rollback_index_slot, out_rollback_index); - else if (andr_tpm) - ret = read_rollback_index_tpm2(rollback_index_slot, out_rollback_index); - else - ret = read_efi_rollback_index(rollback_index_slot, out_rollback_index); +#ifdef USE_TPM + ret = read_rollback_index_tpm2(rollback_index_slot, out_rollback_index); +#else + ret = read_efi_rollback_index(rollback_index_slot, out_rollback_index); +#endif } if (ret == EFI_NOT_FOUND) { @@ -286,12 +287,11 @@ static AvbIOResult write_rollback_index(__attribute__((unused)) AvbOps* ops, if (is_live_boot()) ret = EFI_SUCCESS; else { - if (tee_tpm) - ret = tee_write_rollback_index_tpm2(rollback_index_slot, rollback_index); - else if (andr_tpm) - ret = write_rollback_index_tpm2(rollback_index_slot, rollback_index); - else - ret = write_efi_rollback_index(rollback_index_slot, rollback_index); +#ifdef USE_TPM + ret = write_rollback_index_tpm2(rollback_index_slot, rollback_index); +#else + ret = write_efi_rollback_index(rollback_index_slot, rollback_index); +#endif } if (EFI_ERROR(ret)) { efi_perror(ret, L"Couldn't write rollback index"); diff --git a/crashdump.c b/crashdump.c index bd58e930..9ff6b98a 100644 --- a/crashdump.c +++ b/crashdump.c @@ -39,9 +39,6 @@ #include "security_interface.h" #include "crashdump.h" -BOOLEAN tee_tpm = 0; -BOOLEAN andr_tpm = 0; - static struct gpt_partition_interface gparti; static UINT64 cur_offset; diff --git a/include/security.h b/include/security.h index 02f6bf03..92f40d97 100644 --- a/include/security.h +++ b/include/security.h @@ -98,8 +98,10 @@ EFI_STATUS init_rot_data( /* Return rot data instance pointer*/ struct rot_data_t *get_rot_data(); +#ifdef USE_IVSHMEM EFI_STATUS ivsh_send_rot_data(IN VOID *bootimage, IN UINT8 boot_state, IN VBDATA *vb_data); +#endif EFI_STATUS raw_pub_key_sha256( IN const UINT8 *pub_key, diff --git a/include/tpm2_security.h b/include/tpm2_security.h index 10c8c467..2647dffe 100644 --- a/include/tpm2_security.h +++ b/include/tpm2_security.h @@ -38,14 +38,14 @@ #include #define TRUSTY_SEED_SIZE 32 -extern BOOLEAN tee_tpm; -extern BOOLEAN andr_tpm; EFI_STATUS tpm2_init(void); EFI_STATUS tpm2_end(void); +#ifndef USE_IVSHMEM EFI_STATUS tpm2_fuse_trusty_seed(void); EFI_STATUS tpm2_read_trusty_seed(UINT8 seed[TRUSTY_SEED_SIZE]); +#endif EFI_STATUS tpm2_fuse_perm_attr(void *data, uint32_t size); @@ -66,22 +66,4 @@ EFI_STATUS tpm2_delete_index(UINT32 index); EFI_STATUS tpm2_fuse_lock_owner(void); EFI_STATUS tpm2_fuse_provision_seed(void); - -EFI_STATUS tee_tpm2_init(void); -EFI_STATUS tee_tpm2_end(void); - -EFI_STATUS tee_read_device_state_tpm2(UINT8 *state); -EFI_STATUS tee_write_device_state_tpm2(UINT8 state); -EFI_STATUS tee_read_rollback_index_tpm2(size_t rollback_index_slot, uint64_t *out_rollback_index); -EFI_STATUS tee_write_rollback_index_tpm2(size_t rollback_index_slot, uint64_t rollback_index); -BOOLEAN tee_tpm2_bootloader_need_init(void); - -#ifndef USER -EFI_STATUS tee_tpm2_show_index(UINT32 index, uint8_t *out_buffer, UINTN out_buffer_size); -EFI_STATUS tee_tpm2_delete_index(UINT32 index); -#endif - -EFI_STATUS tee_tpm2_fuse_lock_owner(void); -EFI_STATUS tee_tpm2_fuse_provision_seed(void); - #endif /* _TPM2_SECURITY_H_ */ diff --git a/installer.c b/installer.c index 19483ac1..f7bb37e2 100644 --- a/installer.c +++ b/installer.c @@ -55,7 +55,9 @@ #include "installer_ui.h" #include "ui.h" #endif +#ifdef USE_TPM #include "tpm2_security.h" +#endif static BOOLEAN last_cmd_succeeded; static fastboot_handle fastboot_flash_cmd; @@ -69,14 +71,6 @@ static char command_buffer[256]; /* Large enough to fit long filename on flash command. */ static struct download_buffer *dl; -BOOLEAN tee_tpm = false; - -#ifdef USE_TPM -BOOLEAN andr_tpm = true; -#else -BOOLEAN andr_tpm = false; -#endif - #define inst_perror(ret, x, ...) do { \ fastboot_fail(x ": %r", ##__VA_ARGS__, ret); \ } while (0) diff --git a/kernelflinger.c b/kernelflinger.c index 2744162e..52ad84f0 100644 --- a/kernelflinger.c +++ b/kernelflinger.c @@ -69,15 +69,11 @@ #include "uefi_utils.h" #include "security_interface.h" #include "security_efi.h" +#ifdef USE_TPM #include "tpm2_security.h" +#endif +#ifdef USE_IVSHMEM #include "ivshmem.h" - -BOOLEAN tee_tpm = false; - -#ifdef USE_TPM -BOOLEAN andr_tpm = true; -#else -BOOLEAN andr_tpm = false; #endif /* Ensure this is embedded in the EFI binary somewhere */ @@ -541,8 +537,6 @@ static enum boot_target check_command_line() FIRMWARE_BOOTTIME, BOOTREASON, FIRMWARE_STATUS, - OPTEE, - TPM }; struct Cmdline @@ -598,17 +592,6 @@ static enum boot_target check_command_line() strlen((CHAR8 *)"fw.status="), FIRMWARE_STATUS }, - { - (CHAR8 *)"tee=", - strlen((CHAR8 *)"tee="), - OPTEE - }, - { - (CHAR8 *)"tpm=", - strlen((CHAR8 *)"tpm="), - TPM - }, - }; CHAR8 *nptr = NULL; @@ -728,29 +711,7 @@ static enum boot_target check_command_line() /* Parse "androidboot.bootreason=xxxxx " */ case BOOTREASON: continue; - case OPTEE: { - UINT8 val; - nptr = (CHAR8 *)(arg8 + CmdlineArray[j].length); - val = (UINT8)strtoul((char *)nptr, 0, 10); - debug(L"optee TPM = %u\n", val); - if (val) - tee_tpm = true; - else - tee_tpm = false; - continue; - } - case TPM: { - UINT8 val; - nptr = (CHAR8 *)(arg8 + CmdlineArray[j].length); - val = (UINT8)strtoul((char *)nptr, 0, 10); - debug(L"Android TPM = %u\n", val); - if (val) - andr_tpm = true; - else - andr_tpm = false; - continue; - } default: continue; } @@ -1212,13 +1173,15 @@ static EFI_STATUS load_image(VOID *bootimage, VOID *vendorbootimage, UINT8 boot_ efi_perror(ret, L"Failed to set os secure boot"); #endif - if (tee_tpm && is_bootimg_target(boot_target)) { +#ifdef USE_IVSHMEM + if (is_bootimg_target(boot_target)) { ret = ivsh_send_rot_data(bootimage, boot_state, vb_data); if (EFI_ERROR(ret)) { debug(L"Unable to send the root of trust data to optee"); die(); } } +#endif /* install acpi tables before starting trusty */ ret = setup_acpi_table(bootimage, boot_target); @@ -1267,11 +1230,10 @@ static EFI_STATUS load_image(VOID *bootimage, VOID *vendorbootimage, UINT8 boot_ } #endif +#ifdef USE_TPM // Make sure the TPM2 is ended - if (tee_tpm) - tee_tpm2_end(); - else if (andr_tpm) - tpm2_end(); + tpm2_end(); +#endif debug(L"chainloading boot image, boot state is %s", boot_state_to_string(boot_state)); @@ -1496,9 +1458,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) VOID *bootimage = NULL; BOOLEAN oneshot = FALSE; BOOLEAN lock_prompted = FALSE; -#ifndef USE_SBL BOOLEAN need_lock; -#endif enum boot_target boot_target = NORMAL_BOOT; UINT8 boot_state = BOOT_STATE_GREEN; VBDATA *vb_data = NULL; @@ -1548,6 +1508,38 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) uefi_check_upgrade(g_loaded_image, BOOTLOADER_LABEL, KFUPDATE_FILE, BOOTLOADER_FILE, BOOTLOADER_FILE_BAK, KFSELF_FILE, KFBACKUP_FILE); +#ifdef USE_IVSHMEM + ret = ivshmem_init(); + if (EFI_ERROR(ret) && ret != EFI_NOT_FOUND) { + efi_perror(ret, L"Failed to init ivshmem, enter fastboot mode"); + boot_target = FASTBOOT; + } +#endif + +#ifdef USE_TPM + if (!is_live_boot()) { + ret = tpm2_init(); + if (EFI_ERROR(ret) && ret != EFI_NOT_FOUND) { + efi_perror(ret, L"Failed to init TPM, enter fastboot mode"); + boot_target = FASTBOOT; + } + } +#endif + + need_lock = device_need_locked(); + +#ifndef USER + /* WA patch to set device as unlocked by default for userdebug build + */ + set_current_state(UNLOCKED); +#else + /* For civ, flash images to disk is not MUST. So set device to LOCKED + * state by default on the first boot. + */ + if (need_lock) + set_current_state(LOCKED); +#endif + ret = set_device_security_info(NULL); if (EFI_ERROR(ret)) { efi_perror(ret, L"Failed to init security info, enter fastboot mode"); @@ -1593,42 +1585,6 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) #endif } - if (tee_tpm) { - debug(L"tee tpm enable, ivshmem_init#############"); - ret = ivshmem_init(); - if (EFI_ERROR(ret) && ret != EFI_NOT_FOUND) { - efi_perror(ret, L"Failed to init ivshmem, enter fastboot mode"); - boot_target = FASTBOOT; - } - } - - if (!is_live_boot() && (tee_tpm || andr_tpm)) { - if (tee_tpm) - ret = tee_tpm2_init(); - else if (andr_tpm) - ret = tpm2_init(); - if (EFI_ERROR(ret) && ret != EFI_NOT_FOUND) { - efi_perror(ret, L"Failed to init TPM, enter fastboot mode"); - boot_target = FASTBOOT; - } - } - -#ifndef USE_SBL - need_lock = device_need_locked(); - -#ifndef USER - /* WA patch to set device as unlocked by default for userdebug build - */ - set_current_state(UNLOCKED); -#else - /* For civ, flash images to disk is not MUST. So set device to LOCKED - * state by default on the first boot. - */ - if (need_lock) - set_current_state(LOCKED); -#endif -#endif - if (boot_target == POWER_OFF) halt_system(); diff --git a/libadb/reader.c b/libadb/reader.c index 1f0fdadc..870f2120 100644 --- a/libadb/reader.c +++ b/libadb/reader.c @@ -523,6 +523,7 @@ static EFI_STATUS vmcore_build_header(reader_ctx_t *ctx, void *priv_p) if (priv->m.end && end > priv->m.end) { length -= end - priv->m.end; + end = priv->m.end; } priv->hdr.phnum++; @@ -580,7 +581,7 @@ static EFI_STATUS vmcore_read(reader_ctx_t *ctx, unsigned char **buf, UINT64 *le /* Start new memory region */ if (priv->m.cur == priv->m.cur_end) { - if (priv->cur_phdr >= priv->hdr.phnum - 1) { + if (priv->cur_phdr == priv->hdr.phnum - 1) { error(L"Invalid parameter in %a", __func__); return EFI_INVALID_PARAMETER; } diff --git a/libfastboot/Android.mk b/libfastboot/Android.mk index 42b7bd3c..d31dc011 100644 --- a/libfastboot/Android.mk +++ b/libfastboot/Android.mk @@ -16,7 +16,9 @@ SHARED_STATIC_LIBRARIES := \ libkernelflinger-$(TARGET_BUILD_VARIANT) \ libavb_kernelflinger-$(TARGET_BUILD_VARIANT) -SHARED_STATIC_LIBRARIES += libedk2_tpm +ifeq ($(TARGET_USE_TPM),true) + SHARED_STATIC_LIBRARIES += libedk2_tpm +endif SHARED_SRC_FILES := \ fastboot.c \ diff --git a/libfastboot/fastboot_flashing.c b/libfastboot/fastboot_flashing.c index 3719b9c9..b1b6fcd4 100644 --- a/libfastboot/fastboot_flashing.c +++ b/libfastboot/fastboot_flashing.c @@ -124,28 +124,21 @@ EFI_STATUS change_device_state(enum device_state new_state, BOOLEAN interactive) */ for (int slot = 0; slot < 2; slot++) { uint64_t idx; - if (tee_tpm) { - ret = tee_read_rollback_index_tpm2(slot, &idx); - if (EFI_SUCCESS == ret) { - ret = tee_write_rollback_index_tpm2(slot, 0); - if (EFI_ERROR(ret)) - return ret; - } - } else if (andr_tpm) { - ret = read_rollback_index_tpm2(slot, &idx); - if (EFI_SUCCESS == ret) { - ret = write_rollback_index_tpm2(slot, 0); - if (EFI_ERROR(ret)) - return ret; - } - } else { - ret = read_efi_rollback_index(slot, &idx); - if (EFI_SUCCESS == ret) { - ret = write_efi_rollback_index(slot, 0); - if (EFI_ERROR(ret)) - return ret; - } +#ifdef USE_TPM + ret = read_rollback_index_tpm2(slot, &idx); + if (EFI_SUCCESS == ret) { + ret = write_rollback_index_tpm2(slot, 0); + if (EFI_ERROR(ret)) + return ret; } +#else + ret = read_efi_rollback_index(slot, &idx); + if (EFI_SUCCESS == ret) { + ret = write_efi_rollback_index(slot, 0); + if (EFI_ERROR(ret)) + return ret; + } +#endif } } diff --git a/libfastboot/fastboot_oem.c b/libfastboot/fastboot_oem.c index 82237df9..2308df17 100644 --- a/libfastboot/fastboot_oem.c +++ b/libfastboot/fastboot_oem.c @@ -51,7 +51,9 @@ #include "text_parser.h" #include "libavb/libavb.h" #include "libavb_user/uefi_avb_ops.h" +#ifdef USE_TPM #include "tpm2_security.h" +#endif #include "security.h" #include "vars.h" #include "security_interface.h" @@ -61,7 +63,9 @@ #define SLOT_FALLBACK "slot-fallback" static cmdlist_t cmdlist; +#ifdef USE_TPM static cmdlist_t cmdlist_fuse; +#endif static EFI_STATUS fastboot_oem_publish(void) { @@ -439,12 +443,10 @@ static void cmd_oem_set_storage(INTN argc, CHAR8 **argv) set_device_security_info(NULL); - if (!is_live_boot() && (tee_tpm || andr_tpm)) { - if (tee_tpm) - tee_tpm2_init(); - else if (andr_tpm) - tpm2_init(); - } +#ifdef USE_TPM + if (!is_live_boot()) + tpm2_init(); +#endif ret = gpt_refresh(); if (EFI_ERROR(ret)) { @@ -620,6 +622,7 @@ static void cmd_oem(INTN argc, CHAR8 **argv) fastboot_run_cmd(cmdlist, (char *)argv[1], argc - 1, argv + 1); } +#ifdef USE_TPM #ifndef USER static void cmd_oem_tpm_show_index(INTN argc, __attribute__((__unused__)) CHAR8 **argv) { @@ -750,6 +753,8 @@ static void cmd_fuse_tpm2_provision_trusty_seed(INTN argc, __attribute__((__unus fastboot_okay(""); } +#endif + static CHAR16 *saved_vm_label; static void cmd_oem_set_vm(INTN argc, CHAR8 **argv) { @@ -809,19 +814,23 @@ static struct fastboot_cmd COMMANDS[] = { { "get-provisioning-logs", LOCKED, cmd_oem_get_logs }, { "setvm", LOCKED, cmd_oem_set_vm }, { "unsetvm", LOCKED, cmd_oem_unset_vm }, +#ifdef USE_TPM #ifndef USER { "tpm-show-index", LOCKED, cmd_oem_tpm_show_index }, { "tpm-delete-index", LOCKED, cmd_oem_tpm_delete_index }, #endif // USER { "fuse", LOCKED, cmd_fuse } +#endif }; +#ifdef USE_TPM static struct fastboot_cmd COMMANDS_FUSE[] = { { "vbmeta-key-hash", UNLOCKED, cmd_fuse_vbmeta_key_hash }, { "bootloader-policy", UNLOCKED, cmd_fuse_bootloader_policy }, { "lock-tpm2-owner", UNLOCKED, cmd_fuse_tpm2_lock_owner }, { "provision-trusty-seed", UNLOCKED, cmd_fuse_tpm2_provision_trusty_seed } }; +#endif static struct fastboot_cmd oem = { "oem", LOCKED, cmd_oem }; @@ -840,13 +849,13 @@ EFI_STATUS fastboot_oem_init(void) return ret; } - if (andr_tpm) { - for (i = 0; i < ARRAY_SIZE(COMMANDS_FUSE); i++) { - ret = fastboot_register_into(&cmdlist_fuse, &COMMANDS_FUSE[i]); - if (EFI_ERROR(ret)) - return ret; - } +#ifdef USE_TPM + for (i = 0; i < ARRAY_SIZE(COMMANDS_FUSE); i++) { + ret = fastboot_register_into(&cmdlist_fuse, &COMMANDS_FUSE[i]); + if (EFI_ERROR(ret)) + return ret; } +#endif fastboot_register(&oem); @@ -856,7 +865,9 @@ EFI_STATUS fastboot_oem_init(void) void fastboot_oem_free(void) { fastboot_cmdlist_unregister(&cmdlist); - if (andr_tpm) - fastboot_cmdlist_unregister(&cmdlist_fuse); + +#ifdef USE_TPM + fastboot_cmdlist_unregister(&cmdlist_fuse); +#endif } diff --git a/libfastboot/flash.c b/libfastboot/flash.c index e80f3dda..2072e3d5 100644 --- a/libfastboot/flash.c +++ b/libfastboot/flash.c @@ -659,12 +659,10 @@ EFI_STATUS erase_by_label(CHAR16 *label) if (!CompareGuid(&p_gparti->part.type, &EfiPartTypeSystemPartitionGuid)) return gpt_refresh(); -#ifdef USER if (is_data) userdata_erased = TRUE; if (is_share_data) share_data_erased = TRUE; -#endif return EFI_SUCCESS; } diff --git a/libkernelflinger/Android.mk b/libkernelflinger/Android.mk index 584638e4..b0a9b325 100755 --- a/libkernelflinger/Android.mk +++ b/libkernelflinger/Android.mk @@ -66,7 +66,9 @@ LOCAL_CFLAGS := $(KERNELFLINGER_CFLAGS) \ -DTARGET_BOOTLOADER_BOARD_NAME=\"$(TARGET_BOOTLOADER_BOARD_NAME)\" LOCAL_STATIC_LIBRARIES := $(KERNELFLINGER_STATIC_LIBRARIES) -LOCAL_STATIC_LIBRARIES += libedk2_tpm +ifeq ($(TARGET_USE_TPM),true) + LOCAL_STATIC_LIBRARIES += libedk2_tpm +endif ifeq ($(KERNELFLINGER_ALLOW_UNSUPPORTED_ACPI_TABLE),true) LOCAL_CFLAGS += -DALLOW_UNSUPPORTED_ACPI_TABLE @@ -165,7 +167,9 @@ else LOCAL_SRC_FILES += slot.c endif -LOCAL_SRC_FILES += tpm2_security.c +ifeq ($(TARGET_USE_TPM),true) + LOCAL_SRC_FILES += tpm2_security.c +endif ifneq ($(strip $(KERNELFLINGER_USE_UI)),false) LOCAL_SRC_FILES += \ diff --git a/libkernelflinger/fatfs/source/ff.c b/libkernelflinger/fatfs/source/ff.c index de8d9b0c..6d659071 100644 --- a/libkernelflinger/fatfs/source/ff.c +++ b/libkernelflinger/fatfs/source/ff.c @@ -5171,7 +5171,7 @@ FRESULT f_mkdir ( res = sync_fs(fs); } } else { - res = remove_chain(&sobj, dcl, 0); /* Could not register, remove the allocated cluster */ + remove_chain(&sobj, dcl, 0); /* Could not register, remove the allocated cluster */ } } FREE_NAMBUF(); diff --git a/libkernelflinger/gpt.c b/libkernelflinger/gpt.c index 9717abed..07a6fdff 100644 --- a/libkernelflinger/gpt.c +++ b/libkernelflinger/gpt.c @@ -401,6 +401,13 @@ static CHAR16 *make_android_label(const CHAR16 *label) return (ret == EFI_SUCCESS) ? (android_label) : (NULL); } +void log_uid(EFI_GUID *uid) +{ + CHAR16 outString[100]; + GuidToString (outString, uid); + debug(L"UID: %s ", outString); +} + static struct gpt_partition *gpt_find_partition(const CHAR16 *label) { UINTN p; @@ -417,8 +424,10 @@ static struct gpt_partition *gpt_find_partition(const CHAR16 *label) if (StrCmp(part->name, label) && (!android_label || StrCmp(part->name, android_label))) { + debug(L"label %s in partition %d", part->name, p); + log_uid(&part->unique); continue; - } + } debug(L"Found label %s in partition %d", label, p); return part; diff --git a/libkernelflinger/security.c b/libkernelflinger/security.c index 4ae586b0..ce3d3a8f 100644 --- a/libkernelflinger/security.c +++ b/libkernelflinger/security.c @@ -48,9 +48,11 @@ #include "life_cycle.h" #include "uefi_utils.h" +#ifdef USE_IVSHMEM #include "ivshmem.h" extern UINT64 g_ivshmem_rot_addr; +#endif /* OsSecureBoot is *not* a standard EFI_GLOBAL variable * @@ -198,6 +200,7 @@ EFI_STATUS update_rot_data(IN VOID *bootimage, IN UINT8 boot_state, return ret; } +#ifdef USE_IVSHMEM EFI_STATUS ivsh_send_rot_data(IN VOID *bootimage, IN UINT8 boot_state, IN VBDATA *vb_data) { @@ -206,7 +209,6 @@ EFI_STATUS ivsh_send_rot_data(IN VOID *bootimage, IN UINT8 boot_state, if (!g_ivshmem_rot_addr) return EFI_NOT_READY; - debug(L"use tee ROT\n"); ret = update_rot_data(bootimage, boot_state, vb_data); if (EFI_ERROR(ret)) { efi_perror(ret, L"Unable to update the root of trust data"); @@ -221,6 +223,7 @@ EFI_STATUS ivsh_send_rot_data(IN VOID *bootimage, IN UINT8 boot_state, return ret; } +#endif /* initialize the struct rot_data for startup_information */ EFI_STATUS init_rot_data(UINT32 boot_state) diff --git a/libkernelflinger/security_efi.c b/libkernelflinger/security_efi.c index 0602c2ce..1498611c 100755 --- a/libkernelflinger/security_efi.c +++ b/libkernelflinger/security_efi.c @@ -34,7 +34,9 @@ #include "storage.h" #include "security_efi.h" #include "protocol/BootloaderSeedProtocol.h" +#ifdef USE_TPM #include "tpm2_security.h" +#endif #define BOOTLOADER_SEED_MAX_ENTRIES 10 @@ -195,6 +197,7 @@ static EFI_STATUS bls_get_seed(VOID *seed) return ret; } +#ifdef USE_TPM static EFI_STATUS tpm2_get_seed(VOID *seed) { EFI_STATUS ret = EFI_SUCCESS; @@ -211,6 +214,7 @@ static EFI_STATUS tpm2_get_seed(VOID *seed) return ret; } +#endif EFI_STATUS get_seed(OUT VOID *seed) { @@ -221,10 +225,11 @@ EFI_STATUS get_seed(OUT VOID *seed) memset_s(seed, SECURITY_EFI_TRUSTY_SEED_LEN, 0, SECURITY_EFI_TRUSTY_SEED_LEN); - if (andr_tpm) - ret = tpm2_get_seed(seed); - else - ret = bls_get_seed(seed); +#ifdef USE_TPM + ret = tpm2_get_seed(seed); +#else + ret = bls_get_seed(seed); +#endif if (EFI_ERROR(ret)) { efi_perror(ret, L"Failed to read trusty seed"); diff --git a/libkernelflinger/tpm2_security.c b/libkernelflinger/tpm2_security.c index 7108d266..77415003 100644 --- a/libkernelflinger/tpm2_security.c +++ b/libkernelflinger/tpm2_security.c @@ -54,6 +54,8 @@ EFI_STATUS tpm2_fuse_bootloader_policy( return EFI_UNSUPPORTED; } +#ifndef USE_IVSHMEM + enum NV_INDEX { NV_INDEX_TRUSTYOS_SEED = 0x01500080, NV_INDEX_OPTEEOS_SEED = 0x01500081, @@ -830,9 +832,9 @@ EFI_STATUS tpm2_init(void) return ret; if (is_platform_secure_boot_enabled()) - debug(L"Android TPM init OK. Secure boot ENABLED."); + debug(L"TPM init OK. Secure boot ENABLED."); else - debug(L"Android TPM init OK. Secure boot DISABLED."); + debug(L"TPM init OK. Secure boot DISABLED."); return ret; } @@ -847,9 +849,10 @@ EFI_STATUS tpm2_end(void) return EFI_SUCCESS; } +#else //USE_IVSHMEM ////////////////////////////TPM Requests are forwared to OPTEE///////////////////////////// -EFI_STATUS tee_tpm2_init(void) +EFI_STATUS tpm2_init(void) { struct tpm2_int_req req = {0}; req.cmd = TEE_TPM2_INIT; @@ -861,14 +864,14 @@ EFI_STATUS tee_tpm2_init(void) } if (is_platform_secure_boot_enabled()) - debug(L"TEE TPM init OK. Secure boot ENABLED."); + debug(L"TPM init OK. Secure boot ENABLED."); else - debug(L"TEE TPM init OK. Secure boot DISABLED."); + debug(L"TPM init OK. Secure boot DISABLED."); return req.ret; } -EFI_STATUS tee_tpm2_end(void) +EFI_STATUS tpm2_end(void) { struct tpm2_int_req req = {0}; req.cmd = TEE_TPM2_END; @@ -877,7 +880,7 @@ EFI_STATUS tee_tpm2_end(void) return req.ret; } -EFI_STATUS tee_read_device_state_tpm2(UINT8 *state) +EFI_STATUS read_device_state_tpm2(UINT8 *state) { struct tpm2_int_req *req = (struct tpm2_int_req *)AllocateZeroPool(sizeof(struct tpm2_int_req) + sizeof(state)); if (!req) @@ -895,7 +898,7 @@ EFI_STATUS tee_read_device_state_tpm2(UINT8 *state) return ret; } -EFI_STATUS tee_write_device_state_tpm2(UINT8 state) +EFI_STATUS write_device_state_tpm2(UINT8 state) { struct tpm2_int_req *req = (struct tpm2_int_req *)AllocateZeroPool(sizeof(struct tpm2_int_req) + sizeof(state)); if (!req) @@ -912,7 +915,7 @@ EFI_STATUS tee_write_device_state_tpm2(UINT8 state) return ret; } -EFI_STATUS tee_read_rollback_index_tpm2(size_t rollback_index_slot, uint64_t *out_rollback_index) +EFI_STATUS read_rollback_index_tpm2(size_t rollback_index_slot, uint64_t *out_rollback_index) { uint32_t payload_len = sizeof(rollback_index_slot) + sizeof(*out_rollback_index); struct tpm2_int_req *req = (struct tpm2_int_req *)AllocateZeroPool(sizeof(struct tpm2_int_req) + payload_len); @@ -933,7 +936,7 @@ EFI_STATUS tee_read_rollback_index_tpm2(size_t rollback_index_slot, uint64_t *ou return ret; } -EFI_STATUS tee_write_rollback_index_tpm2(size_t rollback_index_slot, uint64_t rollback_index) +EFI_STATUS write_rollback_index_tpm2(size_t rollback_index_slot, uint64_t rollback_index) { uint32_t payload_len = sizeof(rollback_index_slot) + sizeof(rollback_index); struct tpm2_int_req *req = (struct tpm2_int_req *)AllocateZeroPool(sizeof(struct tpm2_int_req) + payload_len); @@ -952,7 +955,7 @@ EFI_STATUS tee_write_rollback_index_tpm2(size_t rollback_index_slot, uint64_t ro return ret; } -BOOLEAN tee_tpm2_bootloader_need_init(void) +BOOLEAN tpm2_bootloader_need_init(void) { struct tpm2_int_req req = {0}; req.cmd = TEE_TPM2_BOOTLOADER_NEED_INIT; @@ -962,19 +965,19 @@ BOOLEAN tee_tpm2_bootloader_need_init(void) } #ifndef USER -EFI_STATUS tee_tpm2_show_index(__attribute__((unused)) UINT32 index, __attribute__((unused)) uint8_t *out_buffer, __attribute__((unused)) UINTN out_buffer_size) +EFI_STATUS tpm2_show_index(__attribute__((unused)) UINT32 index, __attribute__((unused)) uint8_t *out_buffer, __attribute__((unused)) UINTN out_buffer_size) { return EFI_UNSUPPORTED; } -EFI_STATUS tee_tpm2_delete_index(__attribute__((unused)) UINT32 index) +EFI_STATUS tpm2_delete_index(__attribute__((unused)) UINT32 index) { return EFI_UNSUPPORTED; } #endif // USER -EFI_STATUS tee_tpm2_fuse_lock_owner(void) +EFI_STATUS tpm2_fuse_lock_owner(void) { struct tpm2_int_req req = {0}; req.cmd = TEE_TPM2_FUSE_LOCK_OWNER; @@ -983,7 +986,10 @@ EFI_STATUS tee_tpm2_fuse_lock_owner(void) return req.ret; } -EFI_STATUS tee_tpm2_fuse_provision_seed(void) +EFI_STATUS tpm2_fuse_provision_seed(void) { return EFI_UNSUPPORTED; } + + +#endif //USE_IVSHMEM diff --git a/libkernelflinger/vars.c b/libkernelflinger/vars.c index c653fc2d..c1315c6f 100644 --- a/libkernelflinger/vars.c +++ b/libkernelflinger/vars.c @@ -41,7 +41,9 @@ #include "life_cycle.h" #include "storage.h" #include "security.h" +#ifdef USE_TPM #include "tpm2_security.h" +#endif #define OFF_MODE_CHARGE L"off-mode-charge" #define OEM_LOCK L"OEMLock" @@ -293,14 +295,11 @@ enum device_state get_current_state(void) current_state = UNLOCKED; goto exit; } - - if (tee_tpm) - ret = tee_read_device_state_tpm2(&stored_state); - else if (andr_tpm) - ret = read_device_state_tpm2(&stored_state); - else - ret = read_device_state_efi(&stored_state); - +#ifdef USE_TPM + ret = read_device_state_tpm2(&stored_state); +#else + ret = read_device_state_efi(&stored_state); +#endif if (ret == EFI_NOT_FOUND && !is_boot_device_virtual()) { set_provisioning_mode(FALSE); @@ -329,13 +328,8 @@ enum device_state get_current_state(void) /* If we can't read the state, be safe and assume locked. */ if (EFI_ERROR(ret)) { -#ifdef USER current_state = LOCKED; - efi_perror(ret, L"Read device state failed, assuming locked in user build"); -#else - current_state = UNLOCKED; - efi_perror(ret, L"Read device state failed, assuming unlocked in userdebug build"); -#endif + efi_perror(ret, L"Read device state failed, assuming locked"); goto exit; } @@ -368,12 +362,11 @@ EFI_STATUS set_current_state(enum device_state state) } if (!is_live_boot()) { - if (tee_tpm) - ret = tee_write_device_state_tpm2(stored_state); - else if (andr_tpm) - ret = write_device_state_tpm2(stored_state); - else - ret = write_device_state_efi(stored_state); +#ifdef USE_TPM + ret = write_device_state_tpm2(stored_state); +#else + ret = write_device_state_efi(stored_state); +#endif } if (EFI_ERROR(ret)) { efi_perror(ret, L"Failed to set device state to %d", stored_state); @@ -395,28 +388,28 @@ EFI_STATUS refresh_current_state(void) BOOLEAN device_need_locked(void) { +#ifndef USE_TPM UINT8 stored_state; EFI_STATUS ret = EFI_SUCCESS; +#endif if (is_live_boot()) return FALSE; - if (tee_tpm) - return tee_tpm2_bootloader_need_init(); - if (andr_tpm) - return tpm2_bootloader_need_init(); - else { - - ret = read_device_state_efi(&stored_state); - if (EFI_NOT_FOUND == ret) - return TRUE; +#ifdef USE_TPM + return tpm2_bootloader_need_init(); +#else - if (EFI_ERROR(ret)) { - efi_perror(ret, L"Read device state failed, assuming locked"); - } + ret = read_device_state_efi(&stored_state); + if (EFI_NOT_FOUND == ret) + return TRUE; - return FALSE; + if (EFI_ERROR(ret)) { + efi_perror(ret, L"Read device state failed, assuming locked"); } + + return FALSE; +#endif } #ifndef USER