authorJulius Werner <jwerner@chromium.org>2023-01-19 16:57:00 -0800
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2023-02-13 23:26:25 +0000
commit829dc3be90b947fff17c00d7612d0b48cce4da34 (patch)
treea3b53394b319ea81c544ae3418ff99ce2c2edb5b
parent05cd8ce75f97a76c4ef155734d191cd275bac231 (diff)
OAK-ONLY: firmware: Commit disable_dev_request if forbidden by FWMPfirmware-oak-8438.B
This patch makes VbSelectAndLoadKernel() check if developer mode is disabled by FWMP and set the disable_dev_request nvdata flag right away in that case. BRANCH=all BUG=b:266013201,b:268272051 TEST=none Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: If6518a86860f06a28e80ca6519b6fbe7a949a2cd Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4234303 Reviewed-by: Andrey Pronin <apronin@chromium.org> Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
-rw-r--r--firmware/lib/vboot_api_kernel.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/firmware/lib/vboot_api_kernel.c b/firmware/lib/vboot_api_kernel.c
index 90703a90..92aaac7b 100644
--- a/firmware/lib/vboot_api_kernel.c
+++ b/firmware/lib/vboot_api_kernel.c
@@ -1169,6 +1169,17 @@ VbError_t VbSelectAndLoadKernel(VbCommonParams *cparams,
}
}
+ /* If we're in developer mode when we shouldn't be, disable as soon as
+ possible and commit that decision right away, unless WP is off.
+ See b/266013201 and b/268272051 for context. */
+ if ((fwmp.flags & FWMP_DEV_DISABLE_BOOT) &&
+ !(cparams->gbb->flags & GBB_FLAG_FORCE_DEV_SWITCH_ON) &&
+ (shared->flags & VBSD_BOOT_DEV_SWITCH_ON) &&
+ (shared->flags & VBSD_BOOT_FIRMWARE_WP_ENABLED)) {
+ VbNvSet(&vnc, VBNV_DISABLE_DEV_REQUEST, 1);
+ VbNvCommit();
+ }
+
/* Fill in params for calls to LoadKernel() */
Memset(&p, 0, sizeof(p));
p.shared_data_blob = cparams->shared_data_blob;
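Review bot: The added block only records a request in nvdata and then falls through to the LoadKernel() parameter setup, so the current boot continues with VBSD_BOOT_DEV_SWITCH_ON still set. The comment's "disable as soon as possible" reads as if developer mode were turned off at this point. I would reword the comment to say so, e.g. `/* This only records and commits the request; it presumably takes effect on a later boot, and this boot still runs with the dev switch on. */`, and name where FWMP_DEV_DISABLE_BOOT is enforced for the current boot, which is not visible in this hunk. The reason the write-protect-disabled case is exempt is given only through the two bug references, so a one-line rationale in the comment would help readers who cannot open them. The return value of `VbNvSet()` is discarded, so a failed set would leave the request unrecorded with no trace; logging a non-zero result would make that visible. The commit message lists TEST=none, and a unit test over the four-flag condition (FWMP flag, GBB force-dev, dev switch, WP enabled) would pin this boot-policy decision. VbSelectAndLoadKernel() begins and ends outside the hunk.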