authorJulius Werner <jwerner@chromium.org>2018-03-22 14:38:11 -0700
committerchrome-bot <chrome-bot@chromium.org>2018-03-26 20:16:25 -0700
commit3f896a5b638c26632098ff9fdf563686a55c10dd (patch)
treefda5cb41a2c31c90a634848e233802a0a2e28e55 /firmware/lib
parent754e56bff6911fdd667b6c03d8b7ba1269dba966 (diff)
downloadvboot-3f896a5b638c26632098ff9fdf563686a55c10dd.tar.gz
Add new GBB_FLAG_FORCE_MANUAL_RECOVERY
It seems like there are some testing use cases where we want the device to boot into the recovery installer but it is impractical to fully simulate a user-triggered recovery. This has become impossible with the recent change to always require manual recovery to boot an image, even when the developer mode switch is enabled (CL:924458). This patch adds a new GBB flag to support this use case. When the flag is set, all recovery mode is manual recovery mode, regardless of whether the developer mode switch is on or not. Since the GBB_FLAG_ENABLE_SERIAL was killed off before it ever really worked anyway, we can safely reuse the bit reserved for it. BRANCH=None BUG=None TEST=make runtests, manually confirmed on Kevin Change-Id: I4f51dfd20b4ff04c522f53596896dccbceee52dc Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/976660 Reviewed-by: Randall Spangler <rspangler@chromium.org>
Diffstat (limited to 'firmware/lib')
-rw-r--r--firmware/lib/include/vboot_common.h5
-rw-r--r--firmware/lib/vboot_common.c9
-rw-r--r--firmware/lib/vboot_ui.c2
-rw-r--r--firmware/lib/vboot_ui_menu.c8
4 files changed, 15 insertions, 9 deletions
diff --git a/firmware/lib/include/vboot_common.h b/firmware/lib/include/vboot_common.h
index acfb58b7..44dba262 100644
--- a/firmware/lib/include/vboot_common.h
+++ b/firmware/lib/include/vboot_common.h
@@ -8,6 +8,7 @@
#ifndef VBOOT_REFERENCE_VBOOT_COMMON_H_
#define VBOOT_REFERENCE_VBOOT_COMMON_H_
+#include "2api.h"
#include "vboot_struct.h"
#ifndef ARRAY_SIZE
@@ -145,9 +146,9 @@ int VbSharedDataSetKernelKey(VbSharedDataHeader *header,
* requests including manual recovery requested by a (compromised) host will
* end up with 'broken' screen.
*
- * @param flags Flags of VbSharedDataHeader.
+ * @param ctx vboot2 context pointer
* @return 1: Yes. 0: No or not sure.
*/
-int vb2_allow_recovery(uint32_t flags);
+int vb2_allow_recovery(struct vb2_context *ctx);
#endif /* VBOOT_REFERENCE_VBOOT_COMMON_H_ */
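Review bot: The doc comment above the prototype still says that recovery requests from a possibly compromised host end up at the 'broken' screen, which no longer holds once the GBB flag added by this commit is set. Add a line such as `* If VB2_GBB_FLAG_FORCE_MANUAL_RECOVERY is set, always returns 1 without checking EC or switch state.` so callers that use this as a physical-presence check see the exception. The start of the comment block is outside the hunk.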
diff --git a/firmware/lib/vboot_common.c b/firmware/lib/vboot_common.c
index d3851940..f336f2c0 100644
--- a/firmware/lib/vboot_common.c
+++ b/firmware/lib/vboot_common.c
@@ -10,6 +10,7 @@
#include "2sysincludes.h"
#include "2common.h"
+#include "2misc.h"
#include "2rsa.h"
#include "2sha.h"
#include "vboot_api.h"
@@ -211,8 +212,12 @@ int VbSharedDataSetKernelKey(VbSharedDataHeader *header, const VbPublicKey *src)
return PublicKeyCopy(kdest, src);
}
-int vb2_allow_recovery(uint32_t flags)
+int vb2_allow_recovery(struct vb2_context *ctx)
{
+ /* GBB_FLAG_FORCE_MANUAL_RECOVERY forces this to always return true. */
+ if (vb2_get_sd(ctx)->gbb_flags & VB2_GBB_FLAG_FORCE_MANUAL_RECOVERY)
+ return 1;
+
/*
* If EC is in RW, it implies recovery wasn't manually requested.
* On some platforms, EC_IN_RW can't be reset by the EC, thus, this may
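Review bot: The new early return sits before the EC_IN_RW trust check, so with the flag set a recovery boot that nobody requested by hand is reported as manual, and the one-line comment does not say so. This matters beyond screen selection: the to_dev_action hunk in vboot_ui_menu.c uses the same call in its guard before enabling dev mode, so that guard is reduced to the two switch-flag tests. I would spell the consequence out, e.g. `/* Test-only override: skips the EC trust and recovery-switch checks below, so every recovery boot counts as manual. */`, and state that it presumably relies on GBB flags being changeable only with firmware write protection off. The EC check itself lies between this hunk and the next and is not visible here.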
@@ -223,5 +228,5 @@ int vb2_allow_recovery(uint32_t flags)
return 0;
/* Now we confidently check the recovery switch state at boot */
- return !!(flags & VBSD_BOOT_REC_SWITCH_ON);
+ return !!(vb2_get_sd(ctx)->vbsd->flags & VBSD_BOOT_REC_SWITCH_ON);
}
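Review bot: The return statement now dereferences `vb2_get_sd(ctx)->vbsd`, where the old signature took the flags by value, so the function newly depends on the legacy shared-data pointer being set before any caller runs. That looks true for the UI callers in this patch but cannot be checked from the hunk. The function also calls `vb2_get_sd(ctx)` twice; a local `struct vb2_shared_data *sd = vb2_get_sd(ctx);` at the top would serve both uses and give one place to document the `sd->vbsd` precondition.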
diff --git a/firmware/lib/vboot_ui.c b/firmware/lib/vboot_ui.c
index 1db0e4a7..5eb78f0a 100644
--- a/firmware/lib/vboot_ui.c
+++ b/firmware/lib/vboot_ui.c
@@ -403,7 +403,7 @@ static VbError_t recovery_ui(struct vb2_context *ctx)
VB2_DEBUG("VbBootRecovery() start\n");
- if (!vb2_allow_recovery(shared->flags)) {
+ if (!vb2_allow_recovery(ctx)) {
/*
* We have to save the reason here so that it will survive
* coming up three-finger-salute. We're saving it in
diff --git a/firmware/lib/vboot_ui_menu.c b/firmware/lib/vboot_ui_menu.c
index 050051ce..c050ec8e 100644
--- a/firmware/lib/vboot_ui_menu.c
+++ b/firmware/lib/vboot_ui_menu.c
@@ -231,7 +231,7 @@ static VbError_t enter_language_menu(struct vb2_context *ctx)
static VbError_t enter_recovery_base_screen(struct vb2_context *ctx)
{
- if (!vb2_allow_recovery(vb2_get_sd(ctx)->vbsd->flags))
+ if (!vb2_allow_recovery(ctx))
vb2_change_menu(VB_MENU_RECOVERY_BROKEN, 0);
else if (usb_nogood)
vb2_change_menu(VB_MENU_RECOVERY_NO_GOOD, 0);
@@ -289,7 +289,7 @@ static VbError_t language_action(struct vb2_context *ctx)
* Non-manual recovery mode is meant to be left via hard reset (into
* manual recovery mode). Need to commit NVRAM changes immediately.
*/
- if (vbsd->recovery_reason && !vb2_allow_recovery(vbsd->flags))
+ if (vbsd->recovery_reason && !vb2_allow_recovery(ctx))
vb2_nv_commit(ctx);
/* Return to previous menu. */
@@ -319,7 +319,7 @@ static VbError_t to_dev_action(struct vb2_context *ctx)
/* Sanity check, should never happen. */
if (!(vbsd_flags & VBSD_HONOR_VIRT_DEV_SWITCH) ||
(vbsd_flags & VBSD_BOOT_DEV_SWITCH_ON) ||
- !vb2_allow_recovery(vbsd_flags))
+ !vb2_allow_recovery(ctx))
return VBERROR_KEEP_LOOPING;
VB2_DEBUG("Enabling dev-mode...\n");
@@ -828,7 +828,7 @@ VbError_t VbBootRecoveryMenu(struct vb2_context *ctx)
VbError_t retval = vb2_init_menus(ctx);
if (VBERROR_SUCCESS != retval)
return retval;
- if (vb2_allow_recovery(vb2_get_sd(ctx)->vbsd->flags))
+ if (vb2_allow_recovery(ctx))
retval = recovery_ui(ctx);
else
retval = broken_ui(ctx);