author | Julius Werner <jwerner@chromium.org> | 2023-01-18 18:27:19 -0800 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2023-01-21 05:54:51 +0000 |
commit | 808624897ffcffd80136f1a72f0f7fb12211c18b (patch) | |
tree | 07b7b8870c5cb9906d014f32586b398df072c804 | |
parent | 3d647464a4e5fcd29779beb39b82251ee27dab08 (diff) | |
download | vboot-808624897ffcffd80136f1a72f0f7fb12211c18b.tar.gz |
firmware: kernel_phase1: Commit disable_dev_request if forbidden by FWMP
This patch makes kernel_phase1() check if developer mode is disabled by
FWMP and set the disable_dev_request nvdata flag right away in that
case.
This is a backport of CL:4178837 to the point before CL:3053541 and
CL:3041498 landed.
BRANCH=all
BUG=b:266013201
TEST=none
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I950b0dfe2fd5ce5c1fa8eb2efb128fa5d709343a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4178839
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Commit-Queue: Yu-Ping Wu <yupingso@chromium.org>
Tested-by: Yu-Ping Wu <yupingso@chromium.org>
-rw-r--r-- | firmware/2lib/2kernel.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/firmware/2lib/2kernel.c b/firmware/2lib/2kernel.c index 763214dd..43ea085a 100644 --- a/firmware/2lib/2kernel.c +++ b/firmware/2lib/2kernel.c @@ -157,6 +157,15 @@ vb2_error_t vb2api_kernel_phase1(struct vb2_context *ctx) vb2_secdata_kernel_get(ctx, VB2_SECDATA_KERNEL_VERSIONS); sd->kernel_version = sd->kernel_version_secdata; + /* If we're in developer mode when we shouldn't be, disable as soon as + possible and commit that decision right away (b/266013201). */ + if (vb2_secdata_fwmp_get_flag(ctx, VB2_SECDATA_FWMP_DEV_DISABLE_BOOT) && + !(vb2_get_gbb(ctx)->flags & VB2_GBB_FLAG_FORCE_DEV_SWITCH_ON) && + (ctx->flags & VB2_CONTEXT_DEVELOPER_MODE)) { + vb2_nv_set(ctx, VB2_NV_DISABLE_DEV_REQUEST, 1); + vb2ex_commit_data(ctx); + } + /* Find the key to use to verify the kernel keyblock */ if ((ctx->flags & VB2_CONTEXT_RECOVERY_MODE)) { /* Load recovery key from GBB. */ |
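Review bot: In the new block in vb2api_kernel_phase1(), the call `vb2ex_commit_data(ctx);` discards its result, so if the commit fails the disable_dev_request setting made on the line above is not persisted and nothing records that. Since the comment says the intent is to "commit that decision right away", consider checking the result and at least logging a failure. The block also falls through to the keyblock key selection with VB2_CONTEXT_DEVELOPER_MODE still set in ctx->flags, so the comment should say that the rest of this boot continues in developer mode and only the request is recorded here. With TEST=none in the commit message, a unit test that covers the three conditions (FWMP flag set, VB2_GBB_FLAG_FORCE_DEV_SWITCH_ON clear, developer mode on) plus the GBB override case would guard this backport.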