From 4df609d502d97de73416d6378e71330a4f0a4ba9 Mon Sep 17 00:00:00 2001
From: Mary Ruthven
Date: Fri, 11 Feb 2022 14:03:31 -0600
Subject: ccd_config: treat ALT_IF commands the same as USB commands

Reject VENDOR_CMD_FROM_ALT_IF commands everywhere VENDOR_CMD_FROM_USB commands are rejected.

ccd_config generates ALT_IF tpm commands from the 'ccd' console command. Treat these the same as VENDOR_CMD_FROM_USB commands. Reject setting the ccd password and ccd open from the console unless usb commands are allowed.

BUG=b:219075883
TEST=run firmware_Cr50Open.ccd_open_restricted and firmware_Cr50Password grep for VENDOR_CMD_FROM_USB in platform/cr50 to make sure all flags checks have been updated.

Change-Id: I69590a55d14745fd14d813b0adfa555ec40f0229
Signed-off-by: Mary Ruthven
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3456708
Reviewed-by: Andrey Pronin
---
 common/ccd_config.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/common/ccd_config.c b/common/ccd_config.c
index 0189bef185..4412415406 100644
--- a/common/ccd_config.c
+++ b/common/ccd_config.c
@@ -952,11 +952,15 @@ static enum vendor_cmd_rc ccd_open(struct vendor_cmd_params *p)
 	} else if ((ccd_is_cap_enabled(CCD_CAP_OPEN_WITHOUT_DEV_MODE) ||
 		    (board_vboot_dev_mode_enabled())) &&
 		   (ccd_is_cap_enabled(CCD_CAP_OPEN_FROM_USB) ||
-		    !(p->flags & VENDOR_CMD_FROM_USB))) {
+		    !(p->flags & (VENDOR_CMD_FROM_USB |
+				  VENDOR_CMD_FROM_ALT_IF)))) {
 		/*
 		 * Open allowed with no password if dev mode enabled and
 		 * command came from the AP. CCD capabilities can be used to
 		 * bypass these checks.
+		 * VENDOR_CMD_FROM_USB is set for vendor commands sent over usb.
+		 * VENDOR_CMD_FROM_ALT_IF is set for commands sent from the
+		 * console. Reject both unless CCD_CAP_OPEN_FROM_USB is enabled.
 		 */
 	} else {
 #ifndef CONFIG_CCD_OPEN_PREPVT
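Review bot: The origin test on the new `!(p->flags & (VENDOR_CMD_FROM_USB | VENDOR_CMD_FROM_ALT_IF)))` line is a deny-list of transport flags that is now written out twice (here and in ccd_password in the second hunk), and the commit message relies on a manual grep to keep such sites in step, so a transport flag added later is permitted by default at any site the grep misses. Prefer one named mask used by both checks, e.g. `#define VENDOR_CMD_FROM_NON_AP (VENDOR_CMD_FROM_USB | VENDOR_CMD_FROM_ALT_IF)` (name is a suggestion) placed where those flags are defined, so that a new transport is a one-line change. The added comment states "Reject both unless CCD_CAP_OPEN_FROM_USB is enabled", which means the capability's name no longer describes its scope; a one-line note where CCD_CAP_OPEN_FROM_USB is declared (outside this hunk) saying it also covers console-originated commands would keep the capability table honest. ccd_open begins and ends outside the hunk.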
@@ -1289,14 +1293,15 @@ static enum vendor_cmd_rc ccd_password(struct vendor_cmd_params *p)
 	char *response = p->buffer;
 
 	/*
-	 * Only allow setting a password from the AP, not USB. This increases
-	 * the effort required for an attacker to set one externally, even if
-	 * they have access to a system someone left in the opened state.
+	 * Only allow setting a password from the AP, not USB, or the console.
+	 * This increases the effort required for an attacker to set one
+	 * externally, even if they have access to a system someone left in the
+	 * opened state.
 	 *
 	 * An attacker can still set testlab mode or open up the CCD config,
 	 * but those changes are reversible by the device owner.
 	 */
-	if (p->flags & VENDOR_CMD_FROM_USB) {
+	if (p->flags & (VENDOR_CMD_FROM_USB | VENDOR_CMD_FROM_ALT_IF)) {
 		p->out_size = 1;
 		*response = EC_ERROR_ACCESS_DENIED;
 		return VENDOR_RC_NOT_ALLOWED;
-- 
cgit v1.2.1
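Review bot: The rewritten comment's first line, `Only allow setting a password from the AP, not USB, or the console.`, reads as a list of three sources rather than one allowed and two rejected, and it does not name the flags the `if` below actually tests; suggest `Only allow setting a password from the AP, never over USB (VENDOR_CMD_FROM_USB) or from the console (VENDOR_CMD_FROM_ALT_IF).` Naming the flags in the comment also keeps this rationale findable by the grep the commit message describes as the way to audit these checks. ccd_password continues outside the hunk.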