futility: updater: Check if target image is properly signed

In RO+RW update mode, we only check if the system will be doing re-key.
However, as Unibuild and White-label are becoming more popular today,
this may not be true when signer config has something wrong, or if the
patching of rootkey/vblock is broken.

As a result we should also check if the target image is looking good
before proceed to update in recovery mode.

BUG=b:126931606
TEST=make futil; tests/futility/run_test_scripts.sh $(pwd)/build/futility
BRANCH=none

Change-Id: I16c2f9b4fd886e15414de8fda7bd41813f3f8d83
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1496678
Reviewed-by: Julius Werner <jwerner@chromium.org>

1 files changed, 10 insertions, 1 deletions

diff --git a/futility/updater.c b/futility/updater.c
index e3f97277..42ae7707 100644
--- a/futility/updater.c
+++ b/futility/updater.c
@@ -1572,8 +1572,17 @@ static enum updater_error_codes update_whole_firmware(
 	if (check_compatible_tpm_keys(cfg, image_to))
 		return UPDATE_ERR_TPM_ROLLBACK;
 	if (!cfg->force_update) {
+		/* Check if the image_to itself is broken */
 		enum rootkey_compat_result r = check_compatible_root_key(
-				&cfg->image_current, image_to);
+				image_to, image_to);
+		if (r != ROOTKEY_COMPAT_OK) {
+			ERROR("Target image does not look valid. "
+			      "Add --force if you really want to use it.");
+			return UPDATE_ERR_ROOT_KEY;
+		}
+
+		/* Check if the system is going to re-key. */
+		r = check_compatible_root_key(&cfg->image_current, image_to);
 		/* We only allow re-key to non-dev keys. */
 		switch (r) {
 		case ROOTKEY_COMPAT_OK: