diff options
| -rw-r--r-- | common/ap_ro_integrity_check.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/common/ap_ro_integrity_check.c b/common/ap_ro_integrity_check.c index 7724ae2585..8c12e851a4 100644 --- a/common/ap_ro_integrity_check.c +++ b/common/ap_ro_integrity_check.c @@ -537,11 +537,23 @@ static enum vendor_cmd_rc vc_seed_ap_ro_check(enum vendor_cmd_cc code, *response_size = 1; /* Just in case there is an error. */ - /* Neither write nor erase are allowed once Board ID is programmed. */ + /* + * Neither write nor erase are allowed once Board ID type is programmed. + * + * Check the board id type insead of board_id_is_erased, because the + * board id flags may be written before finalization. Board id type is + * a better indicator for when RO is finalized and when to lock out + * setting the hash. + */ #ifndef CR50_DEV - if (!board_id_is_erased()) { - *response = ARCVE_BID_PROGRAMMED; - return VENDOR_RC_NOT_ALLOWED; + { + struct board_id bid; + + if (read_board_id(&bid) != EC_SUCCESS || + !board_id_type_is_blank(&bid)) { + *response = ARCVE_BID_PROGRAMMED; + return VENDOR_RC_NOT_ALLOWED; + } } #endif |