commit 829dc3be90b947fff17c00d7612d0b48cce4da34
author Julius Werner <jwerner@chromium.org> Thu Jan 19 16:57:00 2023 -0800
committer Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> Mon Feb 13 23:26:25 2023 +0000
tree a3b53394b319ea81c544ae3418ff99ce2c2edb5b
parent 05cd8ce75f97a76c4ef155734d191cd275bac231

OAK-ONLY: firmware: Commit disable_dev_request if forbidden by FWMP

This patch makes VbSelectAndLoadKernel() check if developer mode is
disabled by FWMP and set the disable_dev_request nvdata flag right away
in that case.

BRANCH=all
BUG=b:266013201,b:268272051
TEST=none

Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: If6518a86860f06a28e80ca6519b6fbe7a949a2cd
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4234303
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>

firmware/lib/vboot_api_kernel.c

diff --git a/firmware/lib/vboot_api_kernel.c b/firmware/lib/vboot_api_kernel.c
index 90703a9..92aaac7 100644
--- a/firmware/lib/vboot_api_kernel.c
+++ b/firmware/lib/vboot_api_kernel.c
@@ -1169,6 +1169,17 @@
 		}
 	}
 
+	/* If we're in developer mode when we shouldn't be, disable as soon as
+	   possible and commit that decision right away, unless WP is off.
+	   See b/266013201 and b/268272051 for context. */
+	if ((fwmp.flags & FWMP_DEV_DISABLE_BOOT) &&
+	    !(cparams->gbb->flags & GBB_FLAG_FORCE_DEV_SWITCH_ON) &&
+	    (shared->flags & VBSD_BOOT_DEV_SWITCH_ON) &&
+	    (shared->flags & VBSD_BOOT_FIRMWARE_WP_ENABLED)) {
+		VbNvSet(&vnc, VBNV_DISABLE_DEV_REQUEST, 1);
+		VbNvCommit();
+	}
+
 	/* Fill in params for calls to LoadKernel() */
 	Memset(&p, 0, sizeof(p));
 	p.shared_data_blob = cparams->shared_data_blob;