Google Git
Sign in
fuchsia / third_party / vboot_reference / refs/heads/upstream/factory-nissa-15199.B^! / .
commit24195b9f621d7548b3ffabbc0d601cfd1d99ffe1[log] [tgz]
authorHung-Te Lin <hungte@chromium.org>Wed Oct 18 10:14:46 2023 +0800
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>Wed Oct 25 09:42:55 2023 +0000
tree04e5c159a2648141d018df0e3070faf82098852a
parent0c86125cff5bef9b13081623b1c1cb1561420700 [diff]
futility: updater: Abort if the unlock_csme_* is used on a locked device

If --quirk unlock_csme_* (or the legacy param --unlock_me) is enabled,
the expected new image will have an unlocked SI_DESC, and that would
cause AP RO verification check to fail if the device is already locked.

Previously, this will cause the updater to switch to RW-only mode.
However, if the factory is always applying the unlock_csme_* quirk then
the RO may be not properly updated in the whole process.

As a result, we should abort if the device is locked and quirk
unlock_csme_* was enabled.

BUG=b:284913015
TEST=FEATURES=test emerge vboot_reference
BRANCH=None

Change-Id: I929b180b3c6b13dd96a4708c1be52bc876c845e6
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4951472
Reviewed-by: Reka Norman <rekanorman@chromium.org>
Reviewed-by: Phoebe Wang <phoebewang@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
(cherry picked from commit 2850244ed1d98e92056bf3e3a739291c266d19c5)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4976475
Tested-by: Phoebe Wang <phoebewang@chromium.org>
Reviewed-by: Cheng Yueh <cyueh@chromium.org>
Commit-Queue: Cheng Yueh <cyueh@chromium.org>
Auto-Submit: Phoebe Wang <phoebewang@chromium.org>

diff --git a/futility/updater.c b/futility/updater.c
index c39bc13..6c1abad 100644
--- a/futility/updater.c
+++ b/futility/updater.c

@@ -588,6 +588,15 @@
 	return is_flash_descriptor_locked(current);
 }
 
+/* Returns true if the UNLOCK_CSME_* quirks were requested, otherwise false. */
+static bool is_unlock_csme_requested(struct updater_config *cfg)
+{
+	if (get_config_quirk(QUIRK_UNLOCK_CSME_NISSA, cfg) ||
+	    get_config_quirk(QUIRK_UNLOCK_CSME_EVE, cfg))
+		return true;
+	return false;
+}
+
 /*
  * Checks if the given firmware images are compatible with current platform.
  * In current implementation (following Chrome OS style), we assume the platform
@@ -922,6 +931,7 @@
 	[UPDATE_ERR_ROOT_KEY] = "RW signed by incompatible root key "
 			        "(different from RO).",
 	[UPDATE_ERR_TPM_ROLLBACK] = "RW not usable due to TPM anti-rollback.",
+	[UPDATE_ERR_UNLOCK_CSME] = "The CSME was already locked (b/284913015).",
 	[UPDATE_ERR_UNKNOWN] = "Unknown error.",
 };
 
@@ -1230,6 +1240,8 @@
 
 	if (!done) {
 		if (!wp_enabled && is_ap_ro_locked_with_verification(cfg)) {
+			if (is_unlock_csme_requested(cfg))
+				return UPDATE_ERR_UNLOCK_CSME;
 			WARN("The AP RO is locked with verification turned on so we can't do "
 			     "full update (b/284913015). Fall back to RW-only update.\n");
 			wp_enabled = 1;

diff --git a/futility/updater.h b/futility/updater.h
index 6208296..1d79abb 100644
--- a/futility/updater.h
+++ b/futility/updater.h

@@ -185,6 +185,7 @@
 	UPDATE_ERR_TARGET,
 	UPDATE_ERR_ROOT_KEY,
 	UPDATE_ERR_TPM_ROLLBACK,
+	UPDATE_ERR_UNLOCK_CSME,
 	UPDATE_ERR_UNKNOWN,
 };