authorJulius Werner <jwerner@chromium.org>2018-03-22 14:38:11 -0700
committerchrome-bot <chrome-bot@chromium.org>2018-03-26 20:16:25 -0700
commit3f896a5b638c26632098ff9fdf563686a55c10dd (patch)
treefda5cb41a2c31c90a634848e233802a0a2e28e55
parent754e56bff6911fdd667b6c03d8b7ba1269dba966 (diff)
Add new GBB_FLAG_FORCE_MANUAL_RECOVERY
It seems like there are some testing use cases where we want the device to boot into the recovery installer but it is impractical to fully simulate a user-triggered recovery. This has become impossible with the recent change to always require manual recovery to boot an image, even when the developer mode switch is enabled (CL:924458). This patch adds a new GBB flag to support this use case. When the flag is set, all recovery mode is manual recovery mode, regardless of whether the developer mode switch is on or not. Since the GBB_FLAG_ENABLE_SERIAL was killed off before it ever really worked anyway, we can safely reuse the bit reserved for it. BRANCH=None BUG=None TEST=make runtests, manually confirmed on Kevin Change-Id: I4f51dfd20b4ff04c522f53596896dccbceee52dc Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/976660 Reviewed-by: Randall Spangler <rspangler@chromium.org>
-rw-r--r--firmware/2lib/include/2common.h1
-rw-r--r--firmware/2lib/include/2struct.h4
-rw-r--r--firmware/include/gbb_header.h4
-rw-r--r--firmware/lib/include/vboot_common.h5
-rw-r--r--firmware/lib/vboot_common.c9
-rw-r--r--firmware/lib/vboot_ui.c2
-rw-r--r--firmware/lib/vboot_ui_menu.c8
-rw-r--r--scripts/image_signing/gbb_flags_common.sh2
-rw-r--r--tests/vboot_api_kernel2_tests.c11
-rw-r--r--tests/vboot_detach_menu_tests.c14
10 files changed, 46 insertions, 14 deletions
diff --git a/firmware/2lib/include/2common.h b/firmware/2lib/include/2common.h
index 019a34ac..be5c484a 100644
--- a/firmware/2lib/include/2common.h
+++ b/firmware/2lib/include/2common.h
@@ -12,6 +12,7 @@
#include "2return_codes.h"
#include "2sha.h"
#include "2struct.h"
+#include "2sysincludes.h"
struct vb2_public_key;
diff --git a/firmware/2lib/include/2struct.h b/firmware/2lib/include/2struct.h
index 3411de77..d1185593 100644
--- a/firmware/2lib/include/2struct.h
+++ b/firmware/2lib/include/2struct.h
@@ -296,8 +296,8 @@ enum vb2_gbb_flag {
*/
VB2_GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP = (1 << 13),
- /* Enable serial */
- VB2_GBB_FLAG_ENABLE_SERIAL = (1 << 14),
+ /* Recovery mode always assumes manual recovery, even if EC_IN_RW=1 */
+ VB2_GBB_FLAG_FORCE_MANUAL_RECOVERY = (1 << 14),
/* Disable FWMP */
VB2_GBB_FLAG_DISABLE_FWMP = (1 << 15),
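Review bot: The new comment on VB2_GBB_FLAG_FORCE_MANUAL_RECOVERY understates what the flag does: in vb2_allow_recovery() (firmware/lib/vboot_common.c in this commit) the flag returns 1 before both the EC_IN_RW check and the VBSD_BOOT_REC_SWITCH_ON check, so recovery is treated as manual even when the recovery switch was not on at boot. I would word it as `/* Testing only: treat every recovery boot as manual recovery, ignoring EC_IN_RW and the recovery switch state */`, and use the same text for GBB_FLAG_FORCE_MANUAL_RECOVERY in firmware/include/gbb_header.h. Because bit 14 used to mean ENABLE_SERIAL, the comment could also record that the bit was reused, for anyone reading flags off an older image. The enum body starts and ends outside this hunk.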
diff --git a/firmware/include/gbb_header.h b/firmware/include/gbb_header.h
index 4503ffaa..11586e92 100644
--- a/firmware/include/gbb_header.h
+++ b/firmware/include/gbb_header.h
@@ -72,8 +72,8 @@
* dev_boot_fastboot_full_cap=0.
*/
#define GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP 0x00002000
-/* Enable serial console */
-#define GBB_FLAG_ENABLE_SERIAL 0x00004000
+/* Recovery mode always assumes manual recovery, even if EC_IN_RW=1 */
+#define GBB_FLAG_FORCE_MANUAL_RECOVERY 0x00004000
/* Disable using FWMP */
#define GBB_FLAG_DISABLE_FWMP 0x00008000
diff --git a/firmware/lib/include/vboot_common.h b/firmware/lib/include/vboot_common.h
index acfb58b7..44dba262 100644
--- a/firmware/lib/include/vboot_common.h
+++ b/firmware/lib/include/vboot_common.h
@@ -8,6 +8,7 @@
#ifndef VBOOT_REFERENCE_VBOOT_COMMON_H_
#define VBOOT_REFERENCE_VBOOT_COMMON_H_
+#include "2api.h"
#include "vboot_struct.h"
#ifndef ARRAY_SIZE
@@ -145,9 +146,9 @@ int VbSharedDataSetKernelKey(VbSharedDataHeader *header,
* requests including manual recovery requested by a (compromised) host will
* end up with 'broken' screen.
*
- * @param flags Flags of VbSharedDataHeader.
+ * @param ctx vboot2 context pointer
* @return 1: Yes. 0: No or not sure.
*/
-int vb2_allow_recovery(uint32_t flags);
+int vb2_allow_recovery(struct vb2_context *ctx);
#endif /* VBOOT_REFERENCE_VBOOT_COMMON_H_ */
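Review bot: The doc comment kept above vb2_allow_recovery() still says that every request, including a manual recovery requested by a (compromised) host, ends up at the 'broken' screen, which no longer holds once the GBB flag is set. Add a sentence such as `* Exception: if VB2_GBB_FLAG_FORCE_MANUAL_RECOVERY is set in the GBB, this always returns 1.` so callers that treat the return value as evidence of physical presence see the caveat. The comment block starts outside this hunk.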
diff --git a/firmware/lib/vboot_common.c b/firmware/lib/vboot_common.c
index d3851940..f336f2c0 100644
--- a/firmware/lib/vboot_common.c
+++ b/firmware/lib/vboot_common.c
@@ -10,6 +10,7 @@
#include "2sysincludes.h"
#include "2common.h"
+#include "2misc.h"
#include "2rsa.h"
#include "2sha.h"
#include "vboot_api.h"
@@ -211,8 +212,12 @@ int VbSharedDataSetKernelKey(VbSharedDataHeader *header, const VbPublicKey *src)
return PublicKeyCopy(kdest, src);
}
-int vb2_allow_recovery(uint32_t flags)
+int vb2_allow_recovery(struct vb2_context *ctx)
{
+ /* GBB_FLAG_FORCE_MANUAL_RECOVERY forces this to always return true. */
+ if (vb2_get_sd(ctx)->gbb_flags & VB2_GBB_FLAG_FORCE_MANUAL_RECOVERY)
+ return 1;
+
/*
* If EC is in RW, it implies recovery wasn't manually requested.
* On some platforms, EC_IN_RW can't be reset by the EC, thus, this may
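Review bot: The early return at the top of vb2_allow_recovery() skips both the EC_IN_RW check and the recovery-switch check, and the same return value gates the dev-mode transition in to_dev_action() (firmware/lib/vboot_ui_menu.c), so with the flag set the physical-presence requirement is gone for every caller, not only for the choice of recovery screen. That is presumably acceptable only because GBB flags live in write-protected firmware; nothing on this page shows that, so the comment above the check should state the assumption explicitly. I would also make the override visible in the firmware log, e.g. `VB2_DEBUG("GBB_FLAG_FORCE_MANUAL_RECOVERY set, skipping manual recovery checks\n");` before `return 1;`. The function body continues in the next hunk.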
@@ -223,5 +228,5 @@ int vb2_allow_recovery(uint32_t flags)
return 0;
/* Now we confidently check the recovery switch state at boot */
- return !!(flags & VBSD_BOOT_REC_SWITCH_ON);
+ return !!(vb2_get_sd(ctx)->vbsd->flags & VBSD_BOOT_REC_SWITCH_ON);
}
diff --git a/firmware/lib/vboot_ui.c b/firmware/lib/vboot_ui.c
index 1db0e4a7..5eb78f0a 100644
--- a/firmware/lib/vboot_ui.c
+++ b/firmware/lib/vboot_ui.c
@@ -403,7 +403,7 @@ static VbError_t recovery_ui(struct vb2_context *ctx)
VB2_DEBUG("VbBootRecovery() start\n");
- if (!vb2_allow_recovery(shared->flags)) {
+ if (!vb2_allow_recovery(ctx)) {
/*
* We have to save the reason here so that it will survive
* coming up three-finger-salute. We're saving it in
diff --git a/firmware/lib/vboot_ui_menu.c b/firmware/lib/vboot_ui_menu.c
index 050051ce..c050ec8e 100644
--- a/firmware/lib/vboot_ui_menu.c
+++ b/firmware/lib/vboot_ui_menu.c
@@ -231,7 +231,7 @@ static VbError_t enter_language_menu(struct vb2_context *ctx)
static VbError_t enter_recovery_base_screen(struct vb2_context *ctx)
{
- if (!vb2_allow_recovery(vb2_get_sd(ctx)->vbsd->flags))
+ if (!vb2_allow_recovery(ctx))
vb2_change_menu(VB_MENU_RECOVERY_BROKEN, 0);
else if (usb_nogood)
vb2_change_menu(VB_MENU_RECOVERY_NO_GOOD, 0);
@@ -289,7 +289,7 @@ static VbError_t language_action(struct vb2_context *ctx)
* Non-manual recovery mode is meant to be left via hard reset (into
* manual recovery mode). Need to commit NVRAM changes immediately.
*/
- if (vbsd->recovery_reason && !vb2_allow_recovery(vbsd->flags))
+ if (vbsd->recovery_reason && !vb2_allow_recovery(ctx))
vb2_nv_commit(ctx);
/* Return to previous menu. */
@@ -319,7 +319,7 @@ static VbError_t to_dev_action(struct vb2_context *ctx)
/* Sanity check, should never happen. */
if (!(vbsd_flags & VBSD_HONOR_VIRT_DEV_SWITCH) ||
(vbsd_flags & VBSD_BOOT_DEV_SWITCH_ON) ||
- !vb2_allow_recovery(vbsd_flags))
+ !vb2_allow_recovery(ctx))
return VBERROR_KEEP_LOOPING;
VB2_DEBUG("Enabling dev-mode...\n");
@@ -828,7 +828,7 @@ VbError_t VbBootRecoveryMenu(struct vb2_context *ctx)
VbError_t retval = vb2_init_menus(ctx);
if (VBERROR_SUCCESS != retval)
return retval;
- if (vb2_allow_recovery(vb2_get_sd(ctx)->vbsd->flags))
+ if (vb2_allow_recovery(ctx))
retval = recovery_ui(ctx);
else
retval = broken_ui(ctx);
diff --git a/scripts/image_signing/gbb_flags_common.sh b/scripts/image_signing/gbb_flags_common.sh
index 9a8d1cb4..fed7ac61 100644
--- a/scripts/image_signing/gbb_flags_common.sh
+++ b/scripts/image_signing/gbb_flags_common.sh
@@ -33,7 +33,7 @@ GBBFLAGS_LIST="
GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC 0x00000800
GBB_FLAG_DISABLE_LID_SHUTDOWN 0x00001000
GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP 0x00002000
- GBB_FLAG_ENABLE_SERIAL 0x00004000
+ GBB_FLAG_FORCE_MANUAL_RECOVERY 0x00004000
"
GBBFLAGS_DESCRIPTION_SUFFIX="
diff --git a/tests/vboot_api_kernel2_tests.c b/tests/vboot_api_kernel2_tests.c
index 2a714baa..b9e05157 100644
--- a/tests/vboot_api_kernel2_tests.c
+++ b/tests/vboot_api_kernel2_tests.c
@@ -605,6 +605,17 @@ static void VbBootRecTest(void)
TEST_EQ(screens_displayed[0], VB_SCREEN_OS_BROKEN,
" broken screen");
+ /* Force insert screen with GBB flag */
+ ResetMocks();
+ shutdown_request_calls_left = 100;
+ sd->gbb_flags |= VB2_GBB_FLAG_FORCE_MANUAL_RECOVERY;
+ vbtlk_retval = VBERROR_NO_DISK_FOUND - VB_DISK_FLAG_REMOVABLE;
+ TEST_EQ(VbBootRecovery(&ctx),
+ VBERROR_SHUTDOWN_REQUESTED,
+ "Insert (forced by GBB)");
+ TEST_EQ(screens_displayed[0], VB_SCREEN_RECOVERY_INSERT,
+ " insert screen");
+
/* No removal if recovery button physically pressed */
ResetMocks();
shutdown_request_calls_left = 100;
diff --git a/tests/vboot_detach_menu_tests.c b/tests/vboot_detach_menu_tests.c
index 3d30683a..f494dc91 100644
--- a/tests/vboot_detach_menu_tests.c
+++ b/tests/vboot_detach_menu_tests.c
@@ -1333,6 +1333,20 @@ static void VbBootRecTest(void)
TEST_EQ(screens_count, 2, " no extra screens");
TEST_EQ(beeps_count, 0, " no beep on shutdown");
+ /* go to INSERT if forced by GBB flag */
+ ResetMocks();
+ vbtlk_retval[0] = VBERROR_NO_DISK_FOUND - VB_DISK_FLAG_REMOVABLE;
+ sd->gbb_flags |= GBB_FLAG_FORCE_MANUAL_RECOVERY;
+ TEST_EQ(VbBootRecoveryMenu(&ctx), VBERROR_SHUTDOWN_REQUESTED,
+ "Shutdown requested in INSERT forced by GBB flag");
+ TEST_EQ(vb2_nv_get(&ctx, VB2_NV_RECOVERY_REQUEST), 0, " no recovery");
+ TEST_EQ(debug_info_displayed, 0, " no debug info");
+ TEST_EQ(screens_displayed[0], VB_SCREEN_RECOVERY_INSERT,
+ " insert screen");
+ TEST_EQ(screens_displayed[1], VB_SCREEN_BLANK, " final blank screen");
+ TEST_EQ(screens_count, 2, " no extra screens");
+ TEST_EQ(beeps_count, 0, " no beep on shutdown");
+
/* Stay at BROKEN if recovery button not physically pressed */
ResetMocksForManualRecovery();
vbtlk_retval[0] = VBERROR_NO_DISK_FOUND - VB_DISK_FLAG_REMOVABLE;
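Review bot: This test sets `GBB_FLAG_FORCE_MANUAL_RECOVERY`, while vb2_allow_recovery() and the matching case in tests/vboot_api_kernel2_tests.c use `VB2_GBB_FLAG_FORCE_MANUAL_RECOVERY`. Both are 0x00004000 in this commit, so the test passes, but it then depends on the legacy header staying in sync with the enum; `sd->gbb_flags |= VB2_GBB_FLAG_FORCE_MANUAL_RECOVERY;` exercises the constant the firmware actually reads. VbBootRecTest starts and ends outside this hunk.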