diff options
-rw-r--r-- | common/ap_ro_integrity_check.c | 20 | ||||
-rw-r--r-- | include/ccd_config.h | 4 |
2 files changed, 17 insertions, 7 deletions
diff --git a/common/ap_ro_integrity_check.c b/common/ap_ro_integrity_check.c index 22538c055d..23ecd14b0e 100644 --- a/common/ap_ro_integrity_check.c +++ b/common/ap_ro_integrity_check.c @@ -8,6 +8,7 @@ #include "ap_ro_integrity_check.h" #include "board_id.h" #include "byteorder.h" +#include "ccd_config.h" #include "console.h" #include "crypto_api.h" #include "extension.h" @@ -1392,17 +1393,22 @@ static uint8_t do_ap_ro_check(void) * amounts of stack, this is why this function must run on TPM task context. * */ -static enum vendor_cmd_rc ap_ro_check_callback(enum vendor_cmd_cc code, - void *buf, size_t input_size, - size_t *response_size) +static enum vendor_cmd_rc ap_ro_check_callback(struct vendor_cmd_params *p) { - *response_size = 1; - *((int8_t *)buf) = do_ap_ro_check(); + uint8_t *response = p->buffer; + + p->out_size = 0; + + if (!(p->flags & VENDOR_CMD_FROM_ALT_IF) && + !(ccd_is_cap_enabled(CCD_CAP_AP_RO_CHECK_VC))) + return VENDOR_RC_NOT_ALLOWED; + + p->out_size = 1; + response[0] = do_ap_ro_check(); return VENDOR_RC_SUCCESS; } - -DECLARE_VENDOR_COMMAND(VENDOR_CC_AP_RO_VALIDATE, ap_ro_check_callback); +DECLARE_VENDOR_COMMAND_P(VENDOR_CC_AP_RO_VALIDATE, ap_ro_check_callback); int validate_ap_ro(void) { diff --git a/include/ccd_config.h b/include/ccd_config.h index 87bebb9db3..1d67152d23 100644 --- a/include/ccd_config.h +++ b/include/ccd_config.h @@ -132,6 +132,9 @@ enum ccd_capability { /* Override battery presence temporarily or at boot */ CCD_CAP_OVERRIDE_BATT_STATE = 19, + /* Allow AP RO verification check vendor command from the AP. */ + CCD_CAP_AP_RO_CHECK_VC = 20, + /* Number of currently defined capabilities */ CCD_CAP_COUNT }; @@ -194,6 +197,7 @@ struct ccd_capability_info { {"OpenNoDevMode", CCD_CAP_STATE_OPEN_REQ}, \ {"OpenFromUSB", CCD_CAP_STATE_OPEN_REQ}, \ {"OverrideBatt", CCD_CAP_STATE_IF_OPENED}, \ + {"APROCheckVC", CCD_CAP_STATE_IF_OPENED}, \ } #define CCD_STATE_NAMES { "Locked", "Unlocked", "Opened" } |