authorHung-Te Lin <hungte@chromium.org>2014-02-10 17:35:34 +0800
committerchrome-internal-fetch <chrome-internal-fetch@google.com>2014-02-11 05:40:14 +0000
commite8117120b677937902fc3c75ba3cee97e1fa0dc1 (patch)
tree64d60fe5825ea24dd2260722f923b6d1620af58d
parentbbc76063294f4b9fcca6b581d9831595d840a1a3 (diff)
downloadvboot-e8117120b677937902fc3c75ba3cee97e1fa0dc1.tar.gz
set_gbb_flags: Check write protection status before starting to flash.stabilize-5463.B
People trying to override GBB flags and not having write protection disabled may corrupt whole RW section of firmware. To avoid that, we should check write protection before starting to invoke flashrom commands. BUG=chromium:341242 TEST=./set_gbb_flags.sh 0x39 # Aborted on a write-protected system, as expected. BRANCH=none Change-Id: I6b2dcc75b87dc5ceace0d7caec62ded787b2b534 Signed-off-by: Hung-Te Lin <hungte@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/185653 Reviewed-by: Randall Spangler <rspangler@chromium.org> Commit-Queue: Hung-Te Lin <hungte@google.com>
-rwxr-xr-xscripts/image_signing/set_gbb_flags.sh27
1 files changed, 27 insertions, 0 deletions
diff --git a/scripts/image_signing/set_gbb_flags.sh b/scripts/image_signing/set_gbb_flags.sh
index e812dba3..157913aa 100755
--- a/scripts/image_signing/set_gbb_flags.sh
+++ b/scripts/image_signing/set_gbb_flags.sh
@@ -13,6 +13,7 @@ load_shflags || exit 1
# DEFINE_string name default_value description flag
DEFINE_string file "" "Path to firmware image. Default to system firmware." "f"
+DEFINE_boolean check_wp $FLAGS_TRUE "Check write protection states first." ""
# Globals
# ----------------------------------------------------------------------------
@@ -47,6 +48,24 @@ FLASHROM_COMMON_OPT="-p host"
FLASHROM_READ_OPT="$FLASHROM_COMMON_OPT -i GBB -r"
FLASHROM_WRITE_OPT="$FLASHROM_COMMON_OPT -i GBB --fast-verify -w"
+# Check write protection
+# ----------------------------------------------------------------------------
+check_write_protection() {
+ local ret=$FLAGS_TRUE
+ if ! crossystem "wpsw_boot?0"; then
+ echo "Hardware write protection must be disabled."
+ ret=$FLAGS_FALSE
+ fi
+ local wp_states="$(flashrom --wp-status 2>/dev/null | grep WP)"
+ local wp_disabled="$(echo "$wp_states" | grep "WP:.*is disabled.")"
+ local wp_zero_len="$(echo "$wp_states" | grep "WP:.*, len=0x00000000")"
+ if [ -z "$wp_disabled" -a -z "$wp_zero_len" ]; then
+ echo "Software write protection must be disabled."
+ ret=$FLAGS_FALSE
+ fi
+ return $ret
+}
+
# Main
# ----------------------------------------------------------------------------
main() {
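Review bot: The `flashrom --wp-status` call in check_write_protection omits `$FLASHROM_COMMON_OPT` (`-p host`), which the read and write option strings defined just above both carry, so the status may be read from a different programmer than the one the later write targets. The same line declares and assigns with `local` and discards stderr, so a flashrom failure cannot be told apart from protection being enabled; the check still fails closed, but the message "Software write protection must be disabled." is then misleading. I would split the declaration and reuse the common options: `local wp_states` followed by `wp_states="$(flashrom $FLASHROM_COMMON_OPT --wp-status 2>/dev/null | grep WP)"`. `wpsw_boot` appears to be the switch state recorded at boot, so a comment noting that a change made since boot is not reflected would help the next reader.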
@@ -69,6 +88,14 @@ main() {
gbb_utility -s --flags="$value" "$image_file"
if [ -z "$FLAGS_file" ]; then
+ if [ "$FLAGS_check_wp" = "$FLAGS_TRUE" ]; then
+ if ! check_write_protection; then
+ echo ""
+ echo "WARNING: System GBB Flags are NOT changed!!!"
+ echo "ERROR: You must disable write protection before setting flags."
+ exit 1
+ fi
+ fi
flashrom $FLASHROM_WRITE_OPT "$image_file"
fi
}
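Review bot: When `--nocheck_wp` is given, the `if [ "$FLAGS_check_wp" = "$FLAGS_TRUE" ]` branch is skipped silently and the write goes ahead unguarded; a one-line notice on stderr such as `echo "WARNING: write protection check skipped." >&2` would leave a trace in logs for the case the commit message describes as able to corrupt the RW section. The abort messages in this hunk are printed to stdout; adding `>&2` to the WARNING and ERROR lines keeps them visible when stdout is captured or piped. main() starts outside the hunk, so whether temporary files need cleanup before `exit 1` cannot be judged from here.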