authorMary Ruthven <mruthven@chromium.org>2021-10-18 18:27:36 -0500
committerCommit Bot <commit-bot@chromium.org>2021-10-21 20:22:43 +0000
commit5a705e76a4e7a3568159bd4459c562f9d6508f5b (patch)
treee20e0691c7767b97d062391ef0fec461c94bfe80
parent4eb67c6f94af3beba1adc1bd02ca49e71eef1195 (diff)
downloadchrome-ec-5a705e76a4e7a3568159bd4459c562f9d6508f5b.tar.gz
ap_ro_integrity_check: add a ccd capability for the ap ro check vc
Use a ccd capability to restrict the VENDOR_CC_AP_RO_VALIDATE vendor command from the AP. The AP should not be able to trigger the AP RO check in normal mode. Restrict the command, so it's only available when cr50 is in factory mode or the ccd capability is available. This doesn't restrict VENDOR_CC_AP_RO_VALIDATE when it's called from the ALT_IF interface. The button combo uses the ALT_IF interface, so it always needs to be available. If the command is from usb, it's still rejected in extension.c BUG=b:141191727 TEST=manual trigger from usb verify extension.c rejects the command [3364.881973 extension_route_command: ignore 58: usb] trigger with the button combo. Verify it's allowed even when the ccd capability is not enabled. Lock ccd. Verify the command from the AP is rejected Error 7 trigger ap ro validate Open ccd. Verify the command from the AP works Change-Id: I3f644698deed38779e5fee82156e5077290c7d4f Signed-off-by: Mary Ruthven <mruthven@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3237200 Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
-rw-r--r--common/ap_ro_integrity_check.c20
-rw-r--r--include/ccd_config.h4
2 files changed, 17 insertions, 7 deletions
diff --git a/common/ap_ro_integrity_check.c b/common/ap_ro_integrity_check.c
index 22538c055d..23ecd14b0e 100644
--- a/common/ap_ro_integrity_check.c
+++ b/common/ap_ro_integrity_check.c
@@ -8,6 +8,7 @@
#include "ap_ro_integrity_check.h"
#include "board_id.h"
#include "byteorder.h"
+#include "ccd_config.h"
#include "console.h"
#include "crypto_api.h"
#include "extension.h"
@@ -1392,17 +1393,22 @@ static uint8_t do_ap_ro_check(void)
* amounts of stack, this is why this function must run on TPM task context.
*
*/
-static enum vendor_cmd_rc ap_ro_check_callback(enum vendor_cmd_cc code,
- void *buf, size_t input_size,
- size_t *response_size)
+static enum vendor_cmd_rc ap_ro_check_callback(struct vendor_cmd_params *p)
{
- *response_size = 1;
- *((int8_t *)buf) = do_ap_ro_check();
+ uint8_t *response = p->buffer;
+
+ p->out_size = 0;
+
+ if (!(p->flags & VENDOR_CMD_FROM_ALT_IF) &&
+ !(ccd_is_cap_enabled(CCD_CAP_AP_RO_CHECK_VC)))
+ return VENDOR_RC_NOT_ALLOWED;
+
+ p->out_size = 1;
+ response[0] = do_ap_ro_check();
return VENDOR_RC_SUCCESS;
}
-
-DECLARE_VENDOR_COMMAND(VENDOR_CC_AP_RO_VALIDATE, ap_ro_check_callback);
+DECLARE_VENDOR_COMMAND_P(VENDOR_CC_AP_RO_VALIDATE, ap_ro_check_callback);
int validate_ap_ro(void)
{
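Review bot: The block comment above ap_ro_check_callback (it begins before this hunk) still describes only the stack/TPM-task-context constraint, while the new body adds the authorization gate that is the security-relevant part of this change, so a reader of the callback alone cannot tell why ALT_IF requests bypass the capability or where USB requests are stopped. I would extend that comment with `Access: requests arriving over ALT_IF (the button combo path) are always honoured; any other origin must have CCD_CAP_AP_RO_CHECK_VC enabled, otherwise VENDOR_RC_NOT_ALLOWED is returned with out_size 0. USB-originated requests are rejected earlier, in extension.c.` The early return leaves `response` assigned but unused; moving `uint8_t *response = p->buffer;` to just before `response[0] = do_ap_ro_check();` keeps the guard clause first and reads as a plain check-then-act sequence. Nothing here bounds the one-byte write into p->buffer; if struct vendor_cmd_params carries the buffer's capacity it may be worth asserting at least one byte is available, though the pre-change code made the same implicit assumption.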
diff --git a/include/ccd_config.h b/include/ccd_config.h
index 87bebb9db3..1d67152d23 100644
--- a/include/ccd_config.h
+++ b/include/ccd_config.h
@@ -132,6 +132,9 @@ enum ccd_capability {
/* Override battery presence temporarily or at boot */
CCD_CAP_OVERRIDE_BATT_STATE = 19,
+ /* Allow AP RO verification check vendor command from the AP. */
+ CCD_CAP_AP_RO_CHECK_VC = 20,
+
/* Number of currently defined capabilities */
CCD_CAP_COUNT
};
@@ -194,6 +197,7 @@ struct ccd_capability_info {
{"OpenNoDevMode", CCD_CAP_STATE_OPEN_REQ}, \
{"OpenFromUSB", CCD_CAP_STATE_OPEN_REQ}, \
{"OverrideBatt", CCD_CAP_STATE_IF_OPENED}, \
+ {"APROCheckVC", CCD_CAP_STATE_IF_OPENED}, \
}
#define CCD_STATE_NAMES { "Locked", "Unlocked", "Opened" }
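Review bot: The new enumerator `CCD_CAP_AP_RO_CHECK_VC = 20` in the first hunk and the `{"APROCheckVC", CCD_CAP_STATE_IF_OPENED}` entry in the second are coupled purely by position, and neither hunk says so; a future insertion in one place but not the other would silently attach the wrong name and default state to this capability. A comment on the enum line such as `/* Allow AP RO verification check vendor command from the AP. Index must match the "APROCheckVC" entry in the capability-info table. */` makes the coupling explicit, and a `_Static_assert` comparing the table's element count against CCD_CAP_COUNT would catch a mismatch at compile time if the header does not already have one (I cannot see that from the hunk). Since CCD_CAP_COUNT grows by one, it is also worth confirming that the persisted ccd configuration tolerates an appended capability without a format-version bump; appending at the end with the IF_OPENED default is presumably the compatible path, but that is inferred rather than visible here.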