author | Hung-Te Lin <hungte@chromium.org> | 2014-02-10 17:35:34 +0800 |
---|---|---|
committer | chrome-internal-fetch <chrome-internal-fetch@google.com> | 2014-02-11 05:40:14 +0000 |
commit | e8117120b677937902fc3c75ba3cee97e1fa0dc1 (patch) | |
tree | 64d60fe5825ea24dd2260722f923b6d1620af58d | |
parent | bbc76063294f4b9fcca6b581d9831595d840a1a3 (diff) | |
download | vboot-e8117120b677937902fc3c75ba3cee97e1fa0dc1.tar.gz |
set_gbb_flags: Check write protection status before starting to flash.stabilize-5463.B
People who try to override GBB flags without first disabling write protection
may corrupt the whole RW section of the firmware.
To avoid that, we should check write protection before starting to invoke
flashrom commands.
BUG=chromium:341242
TEST=./set_gbb_flags.sh 0x39 # Aborted on a write-protected system, as expected.
BRANCH=none
Change-Id: I6b2dcc75b87dc5ceace0d7caec62ded787b2b534
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/185653
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Queue: Hung-Te Lin <hungte@google.com>
-rwxr-xr-x | scripts/image_signing/set_gbb_flags.sh | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/scripts/image_signing/set_gbb_flags.sh b/scripts/image_signing/set_gbb_flags.sh
index e812dba3..157913aa 100755
--- a/scripts/image_signing/set_gbb_flags.sh
+++ b/scripts/image_signing/set_gbb_flags.sh
@@ -13,6 +13,7 @@ load_shflags || exit 1
 # DEFINE_string name default_value description flag
 DEFINE_string file "" "Path to firmware image. Default to system firmware." "f"
+DEFINE_boolean check_wp $FLAGS_TRUE "Check write protection states first." ""
 # Globals
 # ----------------------------------------------------------------------------
@@ -47,6 +48,24 @@ FLASHROM_COMMON_OPT="-p host"
 FLASHROM_READ_OPT="$FLASHROM_COMMON_OPT -i GBB -r"
 FLASHROM_WRITE_OPT="$FLASHROM_COMMON_OPT -i GBB --fast-verify -w"
+# Check write protection
+# ----------------------------------------------------------------------------
+check_write_protection() {
+ local ret=$FLAGS_TRUE
+ if ! crossystem "wpsw_boot?0"; then
+ echo "Hardware write protection must be disabled."
+ ret=$FLAGS_FALSE
+ fi
+ local wp_states="$(flashrom --wp-status 2>/dev/null | grep WP)"
+ local wp_disabled="$(echo "$wp_states" | grep "WP:.*is disabled.")"
+ local wp_zero_len="$(echo "$wp_states" | grep "WP:.*, len=0x00000000")"
+ if [ -z "$wp_disabled" -a -z "$wp_zero_len" ]; then
+ echo "Software write protection must be disabled."
+ ret=$FLAGS_FALSE
+ fi
+ return $ret
+}
+
 # Main
 # ----------------------------------------------------------------------------
 main() {
@@ -69,6 +88,14 @@ main() {
 gbb_utility -s --flags="$value" "$image_file"
 if [ -z "$FLAGS_file" ]; then
+ if [ "$FLAGS_check_wp" = "$FLAGS_TRUE" ]; then
+ if ! check_write_protection; then
+ echo ""
+ echo "WARNING: System GBB Flags are NOT changed!!!"
+ echo "ERROR: You must disable write protection before setting flags."
+ exit 1
+ fi
+ fi
 flashrom $FLASHROM_WRITE_OPT "$image_file"
 fi
 }
|
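Review bot: The status query in check_write_protection calls `flashrom --wp-status` without `$FLASHROM_COMMON_OPT`, while the read and write option strings defined just above it are both built from that variable, so the check may not probe the same programmer the later write targets; whether flashrom defaults to the host programmer is not visible here. The `2>/dev/null` on the same line also hides a failed probe, which then surfaces as "Software write protection must be disabled." — that fails closed, but it sends the operator after the wrong cause. I would write `local wp_states="$(flashrom $FLASHROM_COMMON_OPT --wp-status 2>/dev/null | grep WP)"` and report an empty `wp_states` with its own message, such as "Cannot read write protection status."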
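Review bot: The three abort messages added before `exit 1` in main() go to stdout, so a caller that captures or discards stdout can miss why the flags were not changed; the same applies to the two "must be disabled" messages in check_write_protection. Redirect them to stderr, e.g. `echo "ERROR: You must disable write protection before setting flags." >&2`. A one-line comment above the `FLAGS_check_wp` test, `# Only live system firmware is flashed, so the WP check is skipped when --file is given.`, would make the nesting under `[ -z "$FLAGS_file" ]` easier to follow. main() starts outside this hunk.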