author | Craig Hesling <hesling@chromium.org> | 2019-10-17 17:28:41 -0700 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2019-10-23 21:08:20 +0000 |
commit | d72b11faa9cefcd1039a50bcf71d50be3347109b (patch) | |
tree | d1fa97d7bb3892f0e1be255d6ad1b341117524c7 /board/hatch_fp | |
parent | 21394c99a5301e1b0be083dab77f03aefd2594ad (diff) | |
download | chrome-ec-d72b11faa9cefcd1039a50bcf71d50be3347109b.tar.gz |
fingerprint: Restrict md and rw console commands

This CL ultimately restricts access to the md and rw console
commands when the system is locked, when system_is_locked().
It does this by enabling and configuring the restricted console
command feature for nocturne_fp and hatch_fp.

This sets up the framework for more console commands to use the
restricted flag for fingerprint, but right now, only the md and rw
commands use the restricted console command flag.

The restricted flag for md and rw was introduced in crrev.com/c/1868430.

BRANCH=nocturne
BRANCH=hatch
BUG=b:142559996, b:142505927
TEST=# Test on nocturne_fp
make BOARD=nocturne_fp
scp build/nocturne_fp/ec.bin dut1:~/
ssh dut1 flash_fp_mcu ./ec.bin
# From FPMCU UART console
version
# Ensure that version is custom based on workstation
help
# Ensure that md and rw are not prefixed with "-"
help list
# Ensure that a "Flags" column exists and that
# md and rw both have a 1 in the column.
md 0x0
# Ensure that this successfully reads the word
rw 0x24000000
# Ensure that this successfully reads the word
syslock
md 0x0
# Ensure that this fails with "Access Denied"
rw 0x24000000
# Ensure that this fails with "Access Denied"
help
# Ensure that md and rw are now prefixed with "-"
Signed-off-by: Craig Hesling <hesling@chromium.org>
Change-Id: I1202a118b836ff2a2acc986f6f3b0f6e07b36894
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1867388
Reviewed-by: Tom Hughes <tomhughes@chromium.org>
Diffstat (limited to 'board/hatch_fp')
-rw-r--r-- | board/hatch_fp/board.c | 10 | ||||
-rw-r--r-- | board/hatch_fp/board.h | 9 |
2 files changed, 19 insertions, 0 deletions
diff --git a/board/hatch_fp/board.c b/board/hatch_fp/board.c index b86f0b8f46..2be0411e3f 100644 --- a/board/hatch_fp/board.c +++ b/board/hatch_fp/board.c @@ -14,6 +14,16 @@ #include "task.h" #include "util.h" +/** + * Disable restricted commands when the system is locked. + * + * @see console.h system.c + */ +int console_is_restricted(void) +{ + return system_is_locked(); +} + #ifndef HAS_TASK_FPSENSOR void fps_event(enum gpio_signal signal) { diff --git a/board/hatch_fp/board.h b/board/hatch_fp/board.h index c8b8bc726e..c5b875631c 100644 --- a/board/hatch_fp/board.h +++ b/board/hatch_fp/board.h @@ -11,6 +11,15 @@ #define CONFIG_SYSTEM_UNLOCKED /* + * These allow console commands to be flagged as restricted. + * Restricted commands will only be permitted to run when + * console_is_restricted() returns false. + * See console_is_restricted's definition in board.c. + */ +#define CONFIG_CONSOLE_COMMAND_FLAGS +#define CONFIG_RESTRICTED_CONSOLE_COMMANDS + +/* * Flash layout: we redefine the sections offsets and sizes as we want to * include a rollback region, and will use RO/RW regions of different sizes. */ |
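Review bot: In the board.c hunk, console_is_restricted() is defined with only "task.h" and "util.h" visible as includes, so it is not clear from the hunk that the headers declaring console_is_restricted() and system_is_locked() are pulled in. Please confirm console.h and system.h are included further up so the definition is checked against its prototype, and consider pointing the @see at the header that declares system_is_locked() rather than at system.c. The commit message says the same setup is applied to nocturne_fp; if that board carries an identical definition, shared fingerprint code may be a better home than one copy per board.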
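Review bot: In the board.h hunk, the new CONFIG_CONSOLE_COMMAND_FLAGS and CONFIG_RESTRICTED_CONSOLE_COMMANDS defines sit directly below the existing "#define CONFIG_SYSTEM_UNLOCKED", while the gate in board.c is system_is_locked(). The TEST steps only reach "Access Denied" after a manual syslock, so the comment should state how the locked state is expected to be reached on this board; as written, a reader can come away assuming md and rw are restricted by default. A sentence in the comment tying the restriction to the lock state, next to the pointer to board.c, would cover it.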