x86: ahci: make freeze optional in sata_unlock_disk

2023-12-20 08:55:29 +00:00 · 2023-12-20 08:55:29 +00:00 · 2d67742be9
parent b6217444bd
commit 2d67742be9
3 changed files with 24 additions and 10 deletions
--- a/include/x86/ahci.h
+++ b/include/x86/ahci.h
@ -174,6 +174,6 @@ struct ahci_received_fis {
 uint32_t ahci_enable(uint32_t bus, uint32_t dev, uint32_t fun);
 void sata_enable(uint32_t base);
 void sata_disable(uint32_t base);
-int sata_unlock_disk(int drv);
+int sata_unlock_disk(int drv, int freeze);

 #endif /* AHCI_H */
--- a/src/update_disk.c
+++ b/src/update_disk.c
@ -97,7 +97,7 @@ void RAMFUNCTION wolfBoot_start(void)
    if (ret != 0)
        panic();
 #if defined(WOLFBOOT_ATA_DISK_LOCK)
-    ret = sata_unlock_disk(BOOT_DISK);
+    ret = sata_unlock_disk(BOOT_DISK, 1);
    if (ret != 0)
        panic();
 #endif /* WOLFBOOT_ATA_DISK_LOCK */
--- a/src/x86/ahci.c
+++ b/src/x86/ahci.c
@ -387,7 +387,7 @@ static int sata_get_unlock_secret(uint8_t *secret, int *secret_size)
 }
 #endif /* WOLFBOOT_TPM_SEAL */

-int sata_unlock_disk(int drv)
+int sata_unlock_disk(int drv, int freeze)
 {
    int secret_size = ATA_UNLOCK_DISK_KEY_SZ;
    uint8_t secret[ATA_UNLOCK_DISK_KEY_SZ];
@ -404,9 +404,15 @@ int sata_unlock_disk(int drv)
    ata_st = ata_security_get_state(drv);
    wolfBoot_printf("ATA: Security state SEC%d\r\n", ata_st);
    if (ata_st == ATA_SEC1) {
+        if (freeze) {
            AHCI_DEBUG_PRINTF("ATA identify: calling freeze lock\r\n", r);
            r = ata_security_freeze_lock(drv);
            AHCI_DEBUG_PRINTF("ATA security freeze lock: returned %d\r\n", r);
+            if (r != 0)
+                return -1;
+        } else {
+            AHCI_DEBUG_PRINTF("ATA security freeze skipped\r\n");
+        }
        r = ata_identify_device(drv);
        AHCI_DEBUG_PRINTF("ATA identify: returned %d\r\n", r);
        ata_st = ata_security_get_state(drv);
@ -420,14 +426,22 @@ int sata_unlock_disk(int drv)
        AHCI_DEBUG_PRINTF("ATA identify: returned %d\r\n", r);
        ata_st = ata_security_get_state(drv);
        if (ata_st == ATA_SEC5) {
-            AHCI_DEBUG_PRINTF("ATA identify: calling device freeze\r\n", r);
+            if (freeze) {
+                AHCI_DEBUG_PRINTF("ATA identify: calling freeze lock\r\n", r);
                r = ata_security_freeze_lock(drv);
-            AHCI_DEBUG_PRINTF("ATA device freeze: returned %d\r\n", r);
+                AHCI_DEBUG_PRINTF("ATA security freeze lock: returned %d\r\n",
+                                  r);
+                if (r != 0)
+                    return -1;
+            } else {
+                AHCI_DEBUG_PRINTF("ATA security freeze skipped\r\n");
+            }
            r = ata_identify_device(drv);
            AHCI_DEBUG_PRINTF("ATA identify: returned %d\r\n", r);
        }
        ata_st = ata_security_get_state(drv);
-        if (ata_st != ATA_SEC6) {
+        AHCI_DEBUG_PRINTF("ATA: Security enabled. State SEC%d\r\n", ata_st);
+        if ((freeze && ata_st != ATA_SEC6) || (!freeze && ata_st != ATA_SEC5)) {
            panic();
        }
        ata_st = ata_security_get_state(drv);