author | Mary Ruthven <mruthven@chromium.org> | 2022-02-11 14:03:31 -0600 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2022-02-12 00:19:02 +0000 |
commit | 4df609d502d97de73416d6378e71330a4f0a4ba9 (patch) | |
tree | 4c864e2f33309c1d8459715e2252a6e6e71998d8 /common | |
parent | ff49166b382db46f31b8bf1be12196439bc90d02 (diff) | |
download | chrome-ec-4df609d502d97de73416d6378e71330a4f0a4ba9.tar.gz |
ccd_config: treat ALT_IF commands the same as USB commands
Reject VENDOR_CMD_FROM_ALT_IF commands everywhere VENDOR_CMD_FROM_USB
commands are rejected. ccd_config generates ALT_IF tpm commands from the
'ccd' console command. Treat these the same as VENDOR_CMD_FROM_USB
commands. Reject setting the ccd password and ccd open from the console
unless usb commands are allowed.
BUG=b:219075883
TEST=run firmware_Cr50Open.ccd_open_restricted and firmware_Cr50Password
grep for VENDOR_CMD_FROM_USB in platform/cr50 to make sure all flags
checks have been updated.
Change-Id: I69590a55d14745fd14d813b0adfa555ec40f0229
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3456708
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Diffstat (limited to 'common')
-rw-r--r-- | common/ccd_config.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/common/ccd_config.c b/common/ccd_config.c index 0189bef185..4412415406 100644 --- a/common/ccd_config.c +++ b/common/ccd_config.c @@ -952,11 +952,15 @@ static enum vendor_cmd_rc ccd_open(struct vendor_cmd_params *p) } else if ((ccd_is_cap_enabled(CCD_CAP_OPEN_WITHOUT_DEV_MODE) || (board_vboot_dev_mode_enabled())) && (ccd_is_cap_enabled(CCD_CAP_OPEN_FROM_USB) || - !(p->flags & VENDOR_CMD_FROM_USB))) { + !(p->flags & (VENDOR_CMD_FROM_USB | + VENDOR_CMD_FROM_ALT_IF)))) { /* * Open allowed with no password if dev mode enabled and * command came from the AP. CCD capabilities can be used to * bypass these checks. + * VENDOR_CMD_FROM_USB is set for vendor commands sent over usb. + * VENDOR_CMD_FROM_ALT_IF is set for commands sent from the + * console. Reject both unless CCD_CAP_OPEN_FROM_USB is enabled. */ } else { #ifndef CONFIG_CCD_OPEN_PREPVT @@ -1289,14 +1293,15 @@ static enum vendor_cmd_rc ccd_password(struct vendor_cmd_params *p) char *response = p->buffer; /* - * Only allow setting a password from the AP, not USB. This increases - * the effort required for an attacker to set one externally, even if - * they have access to a system someone left in the opened state. + * Only allow setting a password from the AP, not USB, or the console. + * This increases the effort required for an attacker to set one + * externally, even if they have access to a system someone left in the + * opened state. * * An attacker can still set testlab mode or open up the CCD config, * but those changes are reversible by the device owner. */ - if (p->flags & VENDOR_CMD_FROM_USB) { + if (p->flags & (VENDOR_CMD_FROM_USB | VENDOR_CMD_FROM_ALT_IF)) { p->out_size = 1; *response = EC_ERROR_ACCESS_DENIED; return VENDOR_RC_NOT_ALLOWED; |
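Review bot: In the ccd_open hunk, the condition now makes CCD_CAP_OPEN_FROM_USB gate console-originated opens (VENDOR_CMD_FROM_ALT_IF) as well as USB ones, which the capability name does not convey. The three added comment lines explain this, but they sit inside the allow branch and end with "Reject both unless CCD_CAP_OPEN_FROM_USB is enabled", directly after text that describes when open is allowed. Consider rewording them in terms of what this branch permits (open without a password only when neither flag is set, or when the capability is enabled), separating them from the preceding sentence with a blank comment line, and noting wherever the capability is documented that it also covers the 'ccd' console command.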
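Review bot: In the ccd_password hunk, the check `p->flags & (VENDOR_CMD_FROM_USB | VENDOR_CMD_FROM_ALT_IF)` repeats the same two-flag mask that the ccd_open hunk spells out by hand. Since the commit message relies on grepping for VENDOR_CMD_FROM_USB to confirm every check was updated, a single named mask or small helper for "command did not come from the AP" would keep a future call site from testing only one of the two flags. A minor wording point in the updated comment: "not USB, or the console" reads more cleanly as "not USB or the console".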