vboot/firmware/include/vboot_api.h

/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

/* APIs provided by firmware to vboot_reference.
 *
 * General notes:
 *
 * All verified boot functions now start with "Vb" for namespace clarity.  This
 * fixes the problem where uboot and vboot both defined assert().
 *
 * Verified boot APIs to be implemented by the calling firmware and exported to
 * vboot_reference start with "VbEx".
 *
 * TODO: split this file into a vboot_entry_points.h file which contains the
 * entry points for the firmware to call vboot_reference, and a
 * vboot_firmware_exports.h which contains the APIs to be implemented by the
 * calling firmware and exported to vboot_reference.
 */

#ifndef VBOOT_REFERENCE_VBOOT_API_H_
#define VBOOT_REFERENCE_VBOOT_API_H_
#include <stdint.h>
#include <stdlib.h>

#include "gpt.h"

/*****************************************************************************/
/* Error codes */

/*
 * Functions which return an error all return this type.  This is a 32-bit
 * value rather than an int so it's consistent across UEFI, which is 32-bit
 * during PEI and 64-bit during DXE/BDS.
 */
typedef uint32_t VbError_t;

/*
 * Define test_mockable for mocking functions.
 */
#define test_mockable __attribute__((weak))

/*
 * Predefined error numbers.  Success is 0.  Errors are non-zero, but differ
 * between functions.  For example, the TPM functions may pass through TPM
 * error codes, some of which may be recoverable.
 */
enum VbErrorPredefined_t {
	/* No error; function completed successfully. */
	VBERROR_SUCCESS                       = 0,

	/*
	 * The verified boot entry points VbInit(), VbSelectFirmware(),
	 * VbSelectAndLoadKernel() may return the following errors.
	 */
	/* Unknown error */
	VBERROR_UNKNOWN                       = 0x10000,
	/* Unable to initialize shared data */
	VBERROR_INIT_SHARED_DATA              = 0x10001,
	/* Error resuming TPM during a S3 resume */
	VBERROR_TPM_S3_RESUME                 = 0x10002,
	/* VbSelectFirmware() failed to find a valid firmware */
	VBERROR_LOAD_FIRMWARE                 = 0x10003,
	/* Unable to write firmware versions to TPM */
	VBERROR_TPM_WRITE_FIRMWARE            = 0x10004,
	/* Unable to lock firmware versions in TPM */
	VBERROR_TPM_LOCK_FIRMWARE             = 0x10005,
	/* Unable to set boot mode state in TPM */
	VBERROR_TPM_SET_BOOT_MODE_STATE       = 0x10006,
	/* Calling firmware needs to perform a reboot. */
	VBERROR_REBOOT_REQUIRED               = 0x10007,
	/* Unable to set up TPM */
	VBERROR_TPM_FIRMWARE_SETUP            = 0x10008,
	/* Unable to read kernel versions from TPM */
	VBERROR_TPM_READ_KERNEL               = 0x10009,
	/* Attempt to load developer-only firmware with developer switch off */
	VBERROR_DEV_FIRMWARE_SWITCH_MISMATCH  = 0x1000A,
	/* Unable to write kernel versions to TPM */
	VBERROR_TPM_WRITE_KERNEL              = 0x1000B,
	/* Unable to lock kernel versions in TPM */
	VBERROR_TPM_LOCK_KERNEL               = 0x1000C,
	/* Calling firmware requested shutdown via VbExIsShutdownRequested() */
	VBERROR_SHUTDOWN_REQUESTED            = 0x1000D,
	/* Unable to find a boot device on which to look for a kernel */
	VBERROR_NO_DISK_FOUND                 = 0x1000E,
	/* No OS kernel found on any boot device */
	VBERROR_NO_KERNEL_FOUND               = 0x1000F,
	/* All OS kernels found were invalid (corrupt, improperly signed...) */
	VBERROR_INVALID_KERNEL_FOUND          = 0x10010,
	/* VbSelectAndLoadKernel() requested recovery mode */
	VBERROR_LOAD_KERNEL_RECOVERY          = 0x10011,
	/* Other error inside VbSelectAndLoadKernel() */
	VBERROR_LOAD_KERNEL                   = 0x10012,
	/* Invalid Google binary block */
	VBERROR_INVALID_GBB                   = 0x10013,
	/* Invalid bitmap volume */
	VBERROR_INVALID_BMPFV                 = 0x10014,
	/* Invalid screen index */
	VBERROR_INVALID_SCREEN_INDEX          = 0x10015,
	/* Simulated (test) error */
	VBERROR_SIMULATED                     = 0x10016,
	/* Invalid parameter */
	VBERROR_INVALID_PARAMETER             = 0x10017,
	/* VbExBeep() can't make sounds at all */
	VBERROR_NO_SOUND                      = 0x10018,
	/* VbExBeep() can't make sound in the background */
	VBERROR_NO_BACKGROUND_SOUND           = 0x10019,
	/* Developer has requested a BIOS shell */
	VBERROR_BIOS_SHELL_REQUESTED          = 0x10020,
	/* Need VGA and don't have it, or vice-versa */
	VBERROR_VGA_OPROM_MISMATCH            = 0x10021,
	/* Need EC to reboot to read-only code */
	VBERROR_EC_REBOOT_TO_RO_REQUIRED      = 0x10022,
	/* Invalid region read parameters */
	VBERROR_REGION_READ_INVALID           = 0x10023,
	/* Cannot read from region */
	VBERROR_REGION_READ_FAILED            = 0x10024,
	/* Unsupported region type */
	VBERROR_UNSUPPORTED_REGION            = 0x10025,
	/* No image present (returned from VbGbbReadImage() for missing image) */
	VBERROR_NO_IMAGE_PRESENT              = 0x10026,
	/* failed to draw screen */
	VBERROR_SCREEN_DRAW                   = 0x10027,
	/* failed to jump to RW image */
	VBERROR_RW_JUMP_FAILED                = 0x10028,
	/* Error reading FWMP from TPM (note: not present is not an error) */
	VBERROR_TPM_READ_FWMP                 = 0x10029,

	/* VbExEcGetExpectedRWHash() may return the following codes */
	/* Compute expected RW hash from the EC image; BIOS doesn't have it */
	VBERROR_EC_GET_EXPECTED_HASH_FROM_IMAGE = 0x20000,
};


/*****************************************************************************/
/* Main entry points from firmware into vboot_reference */

/*
 * Minimum and recommended size of shared_data_blob in bytes.  Shared data blob
 * is used to communicate data between calls to VbInit(), VbSelectFirmware(),
 * the OS.  Minimum size is enough to hold all required data for verified boot
 * but may not be able to hold debug output.
 */
#define VB_SHARED_DATA_MIN_SIZE 3072
#define VB_SHARED_DATA_REC_SIZE 16384

/*
 * Data passed by firmware to VbInit(), VbSelectFirmware() and
 * VbSelectAndLoadKernel().
 *
 * Note that in UEFI, these are called by different phases in different
 * processor modes (VbInit() and VbSelectFirmware() = 32-bit PEI,
 * VbSelectAndLoadKernel() = 64-bit BDS), so the data may be at a different
 * location between calls.
 */
typedef struct VbCommonParams {
	/* Pointer to GBB data */
	void *gbb_data;
	/* Size of GBB data in bytes */
	uint32_t gbb_size;

	/*
	 * Shared data blob for data shared between verified boot entry points.
	 * This should be at least VB_SHARED_DATA_MIN_SIZE bytes long, and
	 * ideally is VB_SHARED_DATA_REC_SIZE bytes long.
	 */
	/* Pointer to shared data blob buffer */
	void *shared_data_blob;
	/*
	 * On input, set to size of shared data blob buffer, in bytes.  On
	 * output, this will contain the actual data size placed into the
	 * buffer.
	 */
	uint32_t shared_data_size;

	/*
	 * Internal context/data for verified boot, to maintain state during
	 * calls to other API functions such as VbExHashFirmwareBody().
	 * Allocated and freed inside the entry point; firmware should not look
	 * at this.
	 */
	void *vboot_context;

	/*
	 * Internal context/data for firmware / VbExHashFirmwareBody().  Needed
	 * because the PEI phase of UEFI boot runs out of ROM and thus can't
	 * modify global variables; everything needs to get passed around on
	 * the stack.
	 */
	void *caller_context;

	/* For internal use of Vboot - do not examine or modify! */
	struct GoogleBinaryBlockHeader *gbb;
	struct BmpBlockHeader *bmp;
} VbCommonParams;

/* Flags for VbInitParams.flags */
/* Developer switch was on at boot time. */
#define VB_INIT_FLAG_DEV_SWITCH_ON       0x00000001
/* Recovery button was pressed at boot time. */
#define VB_INIT_FLAG_REC_BUTTON_PRESSED  0x00000002
/* Hardware write protect was enabled at boot time. */
#define VB_INIT_FLAG_WP_ENABLED          0x00000004
/* This is a S3 resume, not a normal boot. */
#define VB_INIT_FLAG_S3_RESUME           0x00000008
/*
 * Previous boot attempt failed for reasons external to verified boot (RAM
 * init failure, SSD missing, etc.).
 *
 * TODO: add a field to VbInitParams which holds a reason code, and report
 * that via VbSharedData.
 */
#define VB_INIT_FLAG_PREVIOUS_BOOT_FAIL  0x00000010
/*
 * Calling firmware supports read only firmware for normal/developer boot path.
 */
#define VB_INIT_FLAG_RO_NORMAL_SUPPORT   0x00000020
/*
 * This platform does not have a physical dev-switch, so we must rely on a
 * virtual switch (kept in the TPM) instead. When this flag is set,
 * VB_INIT_FLAG_DEV_SWITCH_ON is ignored.
 */
#define VB_INIT_FLAG_VIRTUAL_DEV_SWITCH  0x00000040
/* Set when the VGA Option ROM has been loaded already. */
#define VB_INIT_FLAG_OPROM_LOADED        0x00000080
/* Set if we care about the VGA Option ROM - some platforms don't. */
#define VB_INIT_FLAG_OPROM_MATTERS       0x00000100
/* EC on this platform supports EC software sync. */
#define VB_INIT_FLAG_EC_SOFTWARE_SYNC    0x00000200
/* EC on this platform is slow to update. */
#define VB_INIT_FLAG_EC_SLOW_UPDATE      0x00000400
/*
 * Software write protect was enabled at boot time. This is separate from the
 * HW write protect. Both must be set for flash write protection to work.
 */
#define VB_INIT_FLAG_SW_WP_ENABLED       0x00000800
/*
 * This platform does not have a physical recovery switch which, when present,
 * can (and should) be used for additional physical presence checks.
 */
#define VB_INIT_FLAG_VIRTUAL_REC_SWITCH  0x00001000
/* Set when we are calling VbInit() before loading Option ROMs */
#define VB_INIT_FLAG_BEFORE_OPROM_LOAD   0x00002000
/* Allow USB boot on transition to dev */
#define VB_INIT_FLAG_ALLOW_USB_BOOT	 0x00004000
/* Set when we can't reliably identify boot failures. This prevents
 * the boot-try counters from decrementing.
 */
#define VB_INIT_FLAG_NOFAIL_BOOT         0x00008000

/*
 * Output flags for VbInitParams.out_flags.  Used to indicate potential boot
 * paths and configuration to the calling firmware early in the boot process,
 * so that it can properly configure itself for the capabilities subsequently
 * required by VbSelectFirmware() and VbSelectAndLoadKernel().
 */
/*
 * Enable recovery path.  Do not rely on any rewritable data (cached RAM
 * timings, etc.).  Reliable operation is more important than boot speed.
 */
#define VB_INIT_OUT_ENABLE_RECOVERY      0x00000001
/* RAM must be cleared before calling VbSelectFirmware(). */
#define VB_INIT_OUT_CLEAR_RAM            0x00000002
/*
 * Load display drivers; VbExDisplay*() functions may be called.  If this flag
 * is not present, VbExDisplay*() functions will not be called this boot.
 */
#define VB_INIT_OUT_ENABLE_DISPLAY       0x00000004
/*
 * Load USB storage drivers; VbExDisk*() functions may be called with the
 * VB_DISK_FLAG_REMOVABLE flag.  If this flag is not present, VbExDisk*()
 * functions will only be called for fixed disks.
 */
#define VB_INIT_OUT_ENABLE_USB_STORAGE   0x00000008
/* If this is a S3 resume, do a debug reset boot instead */
#define VB_INIT_OUT_S3_DEBUG_BOOT        0x00000010
/* BIOS should load any PCI option ROMs it finds, not just internal video */
#define VB_INIT_OUT_ENABLE_OPROM         0x00000020
/* BIOS may be asked to boot something other than ChromeOS */
#define VB_INIT_OUT_ENABLE_ALTERNATE_OS  0x00000040
/* Enable developer path. */
#define VB_INIT_OUT_ENABLE_DEVELOPER     0x00000080

/* Data only used by VbInit() */
typedef struct VbInitParams {
	/* Inputs to VbInit() */
	/* Flags (see VB_INIT_FLAG_*) */
	uint32_t flags;

	/* Outputs from VbInit(); valid only if it returns success. */
	/* Output flags for firmware; see VB_INIT_OUT_*) */
	uint32_t out_flags;
} VbInitParams;

/*
 * Firmware types for VbHashFirmwareBody() and
 * VbSelectFirmwareParams.selected_firmware.  Note that we store these in a
 * uint32_t because enum maps to int, which isn't fixed-size.
 */
enum VbSelectFirmware_t {
	/* Recovery mode */
	VB_SELECT_FIRMWARE_RECOVERY = 0,
	/* Rewritable firmware A/B for normal or developer path */
	VB_SELECT_FIRMWARE_A = 1,
	VB_SELECT_FIRMWARE_B = 2,
	/* Read only firmware for normal or developer path. */
	VB_SELECT_FIRMWARE_READONLY = 3,
        VB_SELECT_FIRMWARE_COUNT,
};

/* Data only used by VbSelectFirmware() */
typedef struct VbSelectFirmwareParams {
	/* Inputs to VbSelectFirmware() */
	/* Key block + preamble for firmware A */
	void *verification_block_A;
	/* Key block + preamble for firmware B */
	void *verification_block_B;
	/* Verification block A size in bytes */
	uint32_t verification_size_A;
	/* Verification block B size in bytes */
	uint32_t verification_size_B;

	/* Outputs from VbSelectFirmware(); valid only if it returns success. */
	/* Main firmware to run; see VB_SELECT_FIRMWARE_*. */
	uint32_t selected_firmware;
} VbSelectFirmwareParams;

/*
 * We use disk handles rather than indices.  Using indices causes problems if
 * a disk is removed/inserted in the middle of processing.
 */
typedef void *VbExDiskHandle_t;

/* Data used only by VbSelectAndLoadKernel() */
typedef struct VbSelectAndLoadKernelParams {
	/* Inputs to VbSelectAndLoadKernel() */
	/* Destination buffer for kernel (normally at 0x100000 on x86) */
	void *kernel_buffer;
	/* Size of kernel buffer in bytes */
	uint32_t kernel_buffer_size;
	/* input flags.  Currently used for detachables */
	uint32_t inflags;

	/*
	 * Outputs from VbSelectAndLoadKernel(); valid only if it returns
	 * success.
	 */
	/* Handle of disk containing loaded kernel */
	VbExDiskHandle_t disk_handle;
	/* Partition number on disk to boot (1...M) */
	uint32_t partition_number;
	/* Address of bootloader image in RAM */
	uint64_t bootloader_address;
	/* Size of bootloader image in bytes */
	uint32_t bootloader_size;
	/* UniquePartitionGuid for boot partition */
	uint8_t partition_guid[16];
	/* Flags set by signer */
	uint32_t flags;
	/*
	 * TODO: in H2C, all that pretty much just gets passed to the
	 * bootloader as KernelBootloaderOptions, though the disk handle is
	 * passed as an index instead of a handle.  Is that used anymore now
	 * that we're passing partition_guid?
	 */
} VbSelectAndLoadKernelParams;

/* Flag to indicate using detachable menu ui (arrow up/down+power)
 * instead of traditional FW screens with ctrl+D, ctrl+U, etc.
 */
#define VB_SALK_INFLAGS_ENABLE_DETACHABLE_UI (1 << 0)

/**
 * Select and loads the kernel.
 *
 * Returns VBERROR_SUCCESS if success, non-zero if error; on error, caller
 * should reboot. */
VbError_t VbSelectAndLoadKernel(VbCommonParams *cparams,
                                VbSelectAndLoadKernelParams *kparams);

/**
 * Verify Kernel Image loaded in memory.
 *
 * This routine is used by fastboot boot command to verify the kernel image in
 * memory sent by the host device using fastboot protocol. It checks if the
 * image in memory is signed using official recovery keys. In case of GBB
 * override to allow full fastboot functionality, it checks image integrity, but
 * does not check the image signature.
 *
 * @param cparams	Common parameters, e.g. use member caller_context
 *			to point to useful context data
 * @param kparams	kernel params
 * @param boot_image	Image in memory that needs to be verified
 * @param image_size	Size of the image in memory
 * @return VBERROR_... error, VBERROR_SUCCESS on success.
 */
VbError_t VbVerifyMemoryBootImage(VbCommonParams *cparams,
				  VbSelectAndLoadKernelParams *kparams,
				  void *boot_image,
				  size_t image_size);

/**
 * Fastboot API to enter dev mode.
 *
 * This routine is used by fastboot oem unlock command to switch the device into
 * dev mode.
 *
 * NOTE: The caller MUST be in read-only firmware, and MUST have just obtained
 * explicit physical confirmation from the user via a trusted input method
 * before calling this function! Also, on successful return from this function,
 * the caller needs to reboot the device immediately for changes to take effect.
 *
 * @return VBERROR_... error, VBERROR_SUCCESS on success.
 */
VbError_t VbUnlockDevice(void);

/**
 * Fastboot API to enter normal mode.
 *
 * This routine is used by fastboot oem lock command to switch the device into
 * normal mode.
 *
 * NOTE: On successful return from this function, the caller needs to reboot the
 * device immediately for changes to take effect. This routine just stores a
 * request, which will be handled by RO firmware on next reboot.
 *
 * @return VBERROR_... error, VBERROR_SUCCESS on success.
 */
VbError_t VbLockDevice(void);

/*****************************************************************************/
/* Debug output (from utility.h) */

/**
 * Output an error message and quit.  Does not return.  Supports
 * printf()-style formatting.
 */
void VbExError(const char *format, ...);

/**
 * Output a debug message.  Supports printf()-style formatting.
 */
void VbExDebug(const char *format, ...)
	__attribute__ ((format (__printf__, 1, 2)));

/*****************************************************************************/
/* Timer and delay (first two from utility.h) */

/**
 * Read a high-resolution timer.  Returns the current timer value in arbitrary
 * units.
 *
 * This is intended for benchmarking, so this call MUST be fast.  The timer
 * frequency must be >1 KHz (preferably >1 MHz), and the timer must not wrap
 * around for at least 10 minutes.  It is preferable (but not required) that
 * the timer be initialized to 0 at boot.
 *
 * It is assumed that the firmware has some other way of communicating the
 * timer frequency to the OS.  For example, on x86 we use TSC, and the OS
 * kernel reports the initial TSC value at kernel-start and calculates the
 * frequency. */
uint64_t VbExGetTimer(void);

/**
 * Delay for at least the specified number of milliseconds.  Should be accurate
 * to within 10% (a requested delay of 1000 ms should result in an actual delay
 * of between 1000 - 1100 ms).
 */
void VbExSleepMs(uint32_t msec);

/**
 * Play a beep tone of the specified frequency in Hz and duration in msec.
 * This is effectively a VbSleep() variant that makes noise.
 *
 * If the audio codec can run in the background, then:
 *   zero frequency means OFF, non-zero frequency means ON
 *   zero msec means return immediately, non-zero msec means delay (and
 *     then OFF if needed)
 * otherwise,
 *   non-zero msec and non-zero frequency means ON, delay, OFF, return
 *   zero msec or zero frequency means do nothing and return immediately
 *
 * The return value is used by the caller to determine the capabilities. The
 * implementation should always do the best it can if it cannot fully support
 * all features - for example, beeping at a fixed frequency if frequency
 * support is not available.  At a minimum, it must delay for the specified
 * non-zero duration.
 */
VbError_t VbExBeep(uint32_t msec, uint32_t frequency);

/*****************************************************************************/
/* TPM (from tlcl_stub.h) */

/**
 * Initialize the stub library. */
VbError_t VbExTpmInit(void);

/**
 * Close and open the device.  This is needed for running more complex commands
 * at user level, such as TPM_TakeOwnership, since the TPM device can be opened
 * only by one process at a time.
 */
VbError_t VbExTpmClose(void);
VbError_t VbExTpmOpen(void);

/**
 * Send a request_length-byte request to the TPM and receive a response.  On
 * input, response_length is the size of the response buffer in bytes.  On
 * exit, response_length is set to the actual received response length in
 * bytes. */
VbError_t VbExTpmSendReceive(const uint8_t *request, uint32_t request_length,
                             uint8_t *response, uint32_t *response_length);

/*****************************************************************************/
/* Non-volatile storage */

#define VBNV_BLOCK_SIZE 16  /* Size of NV storage block in bytes */

/**
 * Read the VBNV_BLOCK_SIZE-byte non-volatile storage into buf.
 */
VbError_t VbExNvStorageRead(uint8_t *buf);

/**
 * Write the VBNV_BLOCK_SIZE-byte non-volatile storage from buf.
 */
VbError_t VbExNvStorageWrite(const uint8_t *buf);

/*****************************************************************************/
/* Firmware / EEPROM access (previously in load_firmware_fw.h) */

/**
 * Calculate the hash of the firmware body data for [firmware_index], which is
 * either VB_SELECT_FIRMWARE_A or VB_SELECT_FIRMWARE B.
 *
 * This function must call VbUpdateFirmwareBodyHash() before returning, to
 * update the secure hash for the firmware image.  For best performance, the
 * implementation should call VbUpdateFirmwareBodyHash() periodically during
 * the read, so that updating the hash can be pipelined with the read.  If the
 * reader cannot update the hash during the read process, it should call
 * VbUpdateFirmwareBodyHash() on the entire firmware data after the read,
 * before returning.
 *
 * It is recommended that the firmware use this call to copy the requested
 * firmware body from EEPROM into RAM, so that it doesn't need to do a second
 * slow copy from EEPROM to RAM if this firmware body is selected.
 *
 * Note this function doesn't actually pass the firmware body data to verified
 * boot, because verified boot doesn't actually need the firmware body, just
 * its hash.  This is important on x86, where the firmware is stored
 * compressed.  We hash the compressed data, but the BIOS decompresses it
 * during read.  Simply updating a hash is compatible with the x86
 * read-and-decompress pipeline.
 */
VbError_t VbExHashFirmwareBody(VbCommonParams *cparams,
                               uint32_t firmware_index);

/*****************************************************************************/
/* Disk access (previously in boot_device.h) */

/* Flags for VbDisk APIs */
/* Disk is removable.  Example removable disks: SD cards, USB keys.  */
#define VB_DISK_FLAG_REMOVABLE 0x00000001
/*
 * Disk is fixed.  If this flag is present, disk is internal to the system and
 * not removable.  Example fixed disks: internal SATA SSD, eMMC.
 */
#define VB_DISK_FLAG_FIXED     0x00000002
/*
 * Note that VB_DISK_FLAG_REMOVABLE and VB_DISK_FLAG_FIXED are
 * mutually-exclusive for a single disk.  VbExDiskGetInfo() may specify both
 * flags to request disks of both types in a single call.
 *
 * At some point we could specify additional flags, but we don't currently
 * have a way to make use of these:
 *
 * USB              Device is known to be attached to USB.  Note that the SD
 *                  card reader inside x86 systems is attached to USB so this
 *                  isn't super useful.
 * SD               Device is known to be a SD card.  Note that external card
 *                  readers might not return this information, so also of
 *                  questionable use.
 * READ_ONLY        Device is known to be read-only.  Could be used by recovery
 *                  when processing read-only recovery image.
 */

/*
 * Disks are used in two ways:
 * - As a random-access device to read and write the GPT
 * - As a streaming device to read the kernel
 * These are implemented differently on raw NAND vs eMMC/SATA/USB
 * - On eMMC/SATA/USB, both of these refer to the same underlying
 *   storage, so they have the same size and LBA size. In this case,
 *   the GPT should not point to the same address as itself.
 * - On raw NAND, the GPT is held on a portion of the SPI flash.
 *   Random access GPT operations refer to the SPI and streaming
 *   operations refer to NAND. The GPT may therefore point into
 *   the same offsets as itself.
 * These types are distinguished by the following flag and VbDiskInfo
 * has separate fields to describe the random-access ("GPT") and
 * streaming aspects of the disk. If a disk is random-access (i.e.
 * not raw NAND) then these fields are equal.
 */
#define VB_DISK_FLAG_EXTERNAL_GPT	0x00000004

/* Information on a single disk */
typedef struct VbDiskInfo {
	/* Disk handle */
	VbExDiskHandle_t handle;
	/* Size of a random-access LBA sector in bytes */
	uint64_t bytes_per_lba;
	/* Number of random-access LBA sectors on the device.
	 * If streaming_lba_count is 0, this stands in for the size of the
	 * randomly accessed portion as well as the streaming portion.
	 * Otherwise, this is only the randomly-accessed portion. */
	uint64_t lba_count;
	/* Number of streaming sectors on the device */
	uint64_t streaming_lba_count;
	/* Flags (see VB_DISK_FLAG_* constants) */
	uint32_t flags;
	/*
	 * Optional name string, for use in debugging.  May be empty or null if
	 * not available.
	 */
	const char *name;
} VbDiskInfo;

/**
 * Store information into [info] for all disks (storage devices) attached to
 * the system which match all of the disk_flags.
 *
 * On output, count indicates how many disks are present, and [infos_ptr]
 * points to a [count]-sized array of VbDiskInfo structs with the information
 * on those disks; this pointer must be freed by calling VbExDiskFreeInfo().
 * If count=0, infos_ptr may point to NULL.  If [infos_ptr] points to NULL
 * because count=0 or error, it is not necessary to call VbExDiskFreeInfo().
 *
 * A multi-function device (such as a 4-in-1 card reader) should provide
 * multiple disk handles.
 *
 * The firmware must not alter or free the list pointed to by [infos_ptr] until
 * VbExDiskFreeInfo() is called.
 */
VbError_t VbExDiskGetInfo(VbDiskInfo **infos_ptr, uint32_t *count,
                          uint32_t disk_flags);

/**
 * Free a disk information list [infos] previously returned by
 * VbExDiskGetInfo().  If [preserve_handle] != NULL, the firmware must ensure
 * that handle remains valid after this call; all other handles from the info
 * list need not remain valid after this call.
 */
VbError_t VbExDiskFreeInfo(VbDiskInfo *infos,
                           VbExDiskHandle_t preserve_handle);

/**
 * Read lba_count LBA sectors, starting at sector lba_start, from the disk,
 * into the buffer.
 *
 * This is used for random access to the GPT. It is not for the partition
 * contents. The upper limit is lba_count.
 *
 * If the disk handle is invalid (for example, the handle refers to a disk
 * which as been removed), the function must return error but must not
 * crash.
 */
VbError_t VbExDiskRead(VbExDiskHandle_t handle, uint64_t lba_start,
                       uint64_t lba_count, void *buffer);

/**
 * Write lba_count LBA sectors, starting at sector lba_start, to the disk, from
 * the buffer.
 *
 * This is used for random access to the GPT. It does not (necessarily) access
 * the streaming portion of the device.
 *
 * If the disk handle is invalid (for example, the handle refers to a disk
 * which as been removed), the function must return error but must not
 * crash.
 */
VbError_t VbExDiskWrite(VbExDiskHandle_t handle, uint64_t lba_start,
                        uint64_t lba_count, const void *buffer);

/* Streaming read interface */
typedef void *VbExStream_t;

/**
 * Open a stream on a disk
 *
 * @param handle	Disk to open the stream against
 * @param lba_start	Starting sector offset within the disk to stream from
 * @param lba_count	Maximum extent of the stream in sectors
 * @param stream	out-paramter for the generated stream
 *
 * @return Error code, or VBERROR_SUCCESS.
 *
 * This is used for access to the contents of the actual partitions on the
 * device. It is not used to access the GPT. The size of the content addressed
 * is within streaming_lba_count.
 */
VbError_t VbExStreamOpen(VbExDiskHandle_t handle, uint64_t lba_start,
			 uint64_t lba_count, VbExStream_t *stream_ptr);

/**
 * Read from a stream on a disk
 *
 * @param stream	Stream to read from
 * @param bytes		Number of bytes to read
 * @param buffer	Destination to read into
 *
 * @return Error code, or VBERROR_SUCCESS. Failure to read as much data as
 * requested is an error.
 *
 * This is used for access to the contents of the actual partitions on the
 * device. It is not used to access the GPT.
 */
VbError_t VbExStreamRead(VbExStream_t stream, uint32_t bytes, void *buffer);

/**
 * Close a stream
 *
 * @param stream	Stream to close
 */
void VbExStreamClose(VbExStream_t stream);


/*****************************************************************************/
/* Display */

/* Predefined (default) screens for VbExDisplayScreen(). */
enum VbScreenType_t {
	/* Blank (clear) screen */
	VB_SCREEN_BLANK = 0,
	/* Developer - warning */
	VB_SCREEN_DEVELOPER_WARNING = 0x101,
	/* Developer - easter egg */
	VB_SCREEN_DEVELOPER_EGG     = 0x102,
	/* Recovery - remove inserted devices */
	VB_SCREEN_RECOVERY_REMOVE   = 0x201,
	/* Recovery - insert recovery image */
	VB_SCREEN_RECOVERY_INSERT   = 0x202,
	/* Recovery - inserted image invalid */
	VB_SCREEN_RECOVERY_NO_GOOD  = 0x203,
	/* Recovery - confirm dev mode */
	VB_SCREEN_RECOVERY_TO_DEV   = 0x204,
	/* Developer - confirm normal mode */
	VB_SCREEN_DEVELOPER_TO_NORM = 0x205,
	/* Please wait - programming EC */
	VB_SCREEN_WAIT              = 0x206,
	/* Confirm after DEVELOPER_TO_NORM */
	VB_SCREEN_TO_NORM_CONFIRMED = 0x207,
	/* Broken screen shown after verification failure */
	VB_SCREEN_OS_BROKEN         = 0x208,
};

/**
 * Initialize and clear the display.  Set width and height to the screen
 * dimensions in pixels.
 */
VbError_t VbExDisplayInit(uint32_t *width, uint32_t *height);

/**
 * Enable (enable!=0) or disable (enable=0) the display backlight.
 */
VbError_t VbExDisplayBacklight(uint8_t enable);

/**
 * Sets the logical dimension to display.
 *
 * If the physical display is larger or smaller than given dimension, display
 * provider may decide to scale or shift images (from VbExDisplayImage)to proper
 * location.
 */
VbError_t VbExDisplaySetDimension(uint32_t width, uint32_t height);

/**
 * Display a predefined screen; see VB_SCREEN_* for valid screens.
 *
 * This is a backup method of screen display, intended for use if the GBB does
 * not contain a full set of bitmaps.  It is acceptable for the backup screen
 * to be simple ASCII text such as "NO GOOD" or "INSERT"; these screens should
 * only be seen during development.
 */
VbError_t VbExDisplayScreen(uint32_t screen_type, uint32_t locale);

/**
 * Write an image to the display, with the upper left corner at the specified
 * pixel coordinates.  The bitmap buffer is a pointer to the platform-dependent
 * uncompressed binary blob with dimensions and format specified internally
 * (for example, a raw BMP, GIF, PNG, whatever). We pass the size just for
 * convenience.
 */
VbError_t VbExDisplayImage(uint32_t x, uint32_t y,
                           void *buffer, uint32_t buffersize);

/**
 * Display a string at coordinate x,y
 */
VbError_t VbExDisplayText(uint32_t x, uint32_t y,
			  const char *info_str);

/**
 * Display a string containing debug information on the screen, rendered in a
 * platform-dependent font.  Should be able to handle newlines '\n' in the
 * string.  Firmware must support displaying at least 20 lines of text, where
 * each line may be at least 80 characters long.  If the firmware has its own
 * debug state, it may display it to the screen below this information.
 *
 * NOTE: This is what we currently display when TAB is pressed.  Some
 * information (HWID, recovery reason) is ours; some (CMOS breadcrumbs) is
 * platform-specific.  If we decide to soft-render the HWID string
 * (chrome-os-partner:3693), we'll need to maintain our own fonts, so we'll
 * likely display it via VbExDisplayImage() above.
 */
VbError_t VbExDisplayDebugInfo(const char *info_str);

/*****************************************************************************/
/* Keyboard and switches */

/* Key codes for required non-printable-ASCII characters. */
enum VbKeyCode_t {
	VB_KEY_UP = 0x100,
	VB_KEY_DOWN = 0x101,
	VB_KEY_LEFT = 0x102,
	VB_KEY_RIGHT = 0x103,
	VB_KEY_CTRL_ENTER = 0x104,
};

/* Flags for additional information.
 * TODO(semenzato): consider adding flags for modifiers instead of
 * making up some of the key codes above.
 */
enum VbKeyFlags_t {
	VB_KEY_FLAG_TRUSTED_KEYBOARD = 1 << 0,
};

/**
 * Read the next keypress from the keyboard buffer.
 *
 * Returns the keypress, or zero if no keypress is pending or error.
 *
 * The following keys must be returned as ASCII character codes:
 *    0x08          Backspace
 *    0x09          Tab
 *    0x0D          Enter (carriage return)
 *    0x01 - 0x1A   Ctrl+A - Ctrl+Z (yes, those alias with backspace/tab/enter)
 *    0x1B          Esc
 *    0x20          Space
 *    0x30 - 0x39   '0' - '9'
 *    0x60 - 0x7A   'a' - 'z'
 *
 * Some extended keys must also be supported; see the VB_KEY_* defines above.
 *
 * Keys ('/') or key-chords (Fn+Q) not defined above may be handled in any of
 * the following ways:
 *    1. Filter (don't report anything if one of these keys is pressed).
 *    2. Report as ASCII (if a well-defined ASCII value exists for the key).
 *    3. Report as any other value in the range 0x200 - 0x2FF.
 * It is not permitted to report a key as a multi-byte code (for example,
 * sending an arrow key as the sequence of keys '\x1b', '[', '1', 'A'). */
uint32_t VbExKeyboardRead(void);

/**
 * Same as VbExKeyboardRead(), but return extra information.
 */
uint32_t VbExKeyboardReadWithFlags(uint32_t *flags_ptr);

/**
 * Return the current state of the switches specified in request_mask
 */
uint32_t VbExGetSwitches(uint32_t request_mask);

/*****************************************************************************/
/* Embedded controller (EC) */

/*
 * All these functions take a devidx parameter, which indicates which embedded
 * processor the call applies to.  At present, only devidx=0 is valid, but
 * upcoming CLs will add support for multiple devices.
 */

/**
 * This is called only if the system implements a keyboard-based (virtual)
 * developer switch. It must return true only if the system has an embedded
 * controller which is provably running in its RO firmware at the time the
 * function is called.
 */
int VbExTrustEC(int devidx);

/**
 * Check if the EC is currently running rewritable code.
 *
 * If the EC is in RO code, sets *in_rw=0.
 * If the EC is in RW code, sets *in_rw non-zero.
 * If the current EC image is unknown, returns error. */
VbError_t VbExEcRunningRW(int devidx, int *in_rw);

/**
 * Request the EC jump to its rewritable code.  If successful, returns when the
 * EC has booting its RW code far enough to respond to subsequent commands.
 * Does nothing if the EC is already in its rewritable code.
 */
VbError_t VbExEcJumpToRW(int devidx);

/**
 * Tell the EC to refuse another jump until it reboots. Subsequent calls to
 * VbExEcJumpToRW() in this boot will fail.
 */
VbError_t VbExEcDisableJump(int devidx);

/**
 * Read the SHA-256 hash of the selected EC image.
 */
VbError_t VbExEcHashImage(int devidx, enum VbSelectFirmware_t select,
			  const uint8_t **hash, int *hash_size);

/**
 * Get the expected contents of the EC image associated with the main firmware
 * specified by the "select" argument.
 */
VbError_t VbExEcGetExpectedImage(int devidx, enum VbSelectFirmware_t select,
				 const uint8_t **image, int *image_size);

/**
 * Read the SHA-256 hash of the expected contents of the EC image associated
 * with the main firmware specified by the "select" argument.
 */
VbError_t VbExEcGetExpectedImageHash(int devidx, enum VbSelectFirmware_t select,
				     const uint8_t **hash, int *hash_size);

/**
 * Update the selected EC image.
 */
VbError_t VbExEcUpdateImage(int devidx, enum VbSelectFirmware_t select,
			    const uint8_t *image, int image_size);

/**
 * Lock the selected EC code to prevent updates until the EC is rebooted.
 * Subsequent calls to VbExEcUpdateImage() with the same region this boot will
 * fail.
 */
VbError_t VbExEcProtect(int devidx, enum VbSelectFirmware_t select);

/**
 * Info the EC of the boot mode selected by the AP.
 * mode: Normal, Developer, or Recovery
 */
enum VbEcBootMode_t {VB_EC_NORMAL, VB_EC_DEVELOPER, VB_EC_RECOVERY };
VbError_t VbExEcEnteringMode(int devidx, enum VbEcBootMode_t mode);

/**
 * Perform EC post-verification / updating / jumping actions.
 *
 * This routine is called to perform certain actions that must wait until
 * after the EC resides in its `final` image (the image the EC will
 * run for the duration of boot). These actions include verifying that
 * enough power is available to continue with boot.
 *
 * @param in_recovery	1 if recovery mode is selected by the AP, 0 otherwise.
 * @return VBERROR_... error, VBERROR_SUCCESS on success.
 */
VbError_t VbExEcVbootDone(int in_recovery);

/**
 * Request EC to stop discharging and cut-off battery.
 */
VbError_t VbExEcBatteryCutOff(void);

/*****************************************************************************/
/* Misc */

/* Args to VbExProtectFlash() */
enum VbProtectFlash_t { VBPROTECT_RW_A, VBPROTECT_RW_B, VBPROTECT_RW_DEVKEY };

/**
 * Lock a section of the BIOS flash address space to prevent updates until the
 * host is rebooted. Subsequent attempts to erase or modify the specified BIOS
 * image will fail. If this function is called more than once each call should
 * be cumulative.
 */
VbError_t VbExProtectFlash(enum VbProtectFlash_t region);

/**
 * Check if the firmware needs to shut down the system.
 *
 * Returns a non-zero VB_SHUTDOWN_REQUEST mask indicating the reason(s) for
 * shutdown if a shutdown is being requested (see VB_SHUTDOWN_REQUEST_*), or 0
 * if a shutdown is not being requested.
 *
 * NOTE: When we're displaying a screen, pressing the power button should shut
 * down the computer.  We need a way to break out of our control loop so this
 * can occur cleanly.
 */
uint32_t VbExIsShutdownRequested(void);

/*
 * Shutdown requested for a reason which is not defined among other
 * VB_SHUTDOWN_REQUEST_* values. This must be defined as 1 for backward
 * compatibility with old versions of the API.
 */
#define VB_SHUTDOWN_REQUEST_OTHER		0x00000001
/* Shutdown requested due to a lid switch being closed. */
#define VB_SHUTDOWN_REQUEST_LID_CLOSED		0x00000002
/* Shutdown requested due to a power button being pressed. */
#define VB_SHUTDOWN_REQUEST_POWER_BUTTON	0x00000004

/**
 * Expose the BIOS' built-in decompression routine to the vboot wrapper. The
 * caller must know how large the uncompressed data will be and must manage
 * that memory. The decompression routine just puts the uncompressed data into
 * the specified buffer. We pass in the size of the outbuf, and get back the
 * actual size used.
 */
VbError_t VbExDecompress(void *inbuf, uint32_t in_size,
                         uint32_t compression_type,
                         void *outbuf, uint32_t *out_size);

/* Constants for compression_type */
enum {
	COMPRESS_NONE = 0,
	COMPRESS_EFIv1,           /* The x86 BIOS only supports this */
	COMPRESS_LZMA1,           /* The ARM BIOS supports LZMA1 */
	MAX_COMPRESS,
};

/**
 * Execute legacy boot option.
 */
int VbExLegacy(void);

/* Regions for VbExRegionRead() */
enum vb_firmware_region {
	VB_REGION_GBB,	/* Google Binary Block - see gbbheader.h */

	VB_REGION_COUNT,
};

/**
 * Read data from a region of the firmware image
 *
 * Vboot wants access to a region, to read data from it. This function
 * reads it (typically from the firmware image such as SPI flash) and
 * returns the data.
 *
 * cparams is passed so that the boot loader has some context for the
 * operation.
 *
 * @param cparams	Common parameters, e.g. use member caller_context
 *			to point to useful context data
 * @param region	Firmware region to read
 * @param offset	Start offset within region
 * @param size		Number of bytes to read
 * @param buf		Place to put data
 * @return VBERROR_... error, VBERROR_SUCCESS on success,
 */
VbError_t VbExRegionRead(VbCommonParams *cparams,
			 enum vb_firmware_region region, uint32_t offset,
			 uint32_t size, void *buf);

/**
 * Check if the firmware wants to override GPT entry priority.
 *
 * In case of kernel entry, check if there is an override of priority
 * available. This is used to select a particular partition to boot in the
 * current boot cycle. Rollback protection, image verification and all other
 * checks in LoadKernel still remain the same.
 *
 * @param e	Gpt Entry to check for priority override.
 * @return 0 if no override, 1-15 for override priority.
 */
uint8_t VbExOverrideGptEntryPriority(const GptEntry *e);

/**
 * Return number of locales supported
 *
 * @param count		Pointer to the number of locales.
 * @return VBERROR_... error, VBERROR_SUCCESS on success.
 */
VbError_t VbExGetLocalizationCount(uint32_t *count);
#endif  /* VBOOT_REFERENCE_VBOOT_API_H_ */