author | Hung-Te Lin <hungte@chromium.org> | 2019-03-02 10:36:49 +0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2019-03-02 23:42:37 -0800 |
commit | 638b79822725ae41072a3342b796d333c1f0f23e (patch) | |
tree | 3263d3116146c68cbe4f26f74d0054218342bab3 /futility | |
parent | 99a0f5bf78126a145fe15670040dce7d81843223 (diff) | |
futility: updater: Check if target image is properly signed

In RO+RW update mode, we only check if the system will be doing re-key.
However, as Unibuild and White-label are becoming more popular today,
this may not be true when signer config has something wrong, or if the
patching of rootkey/vblock is broken.

As a result we should also check if the target image is looking good
before proceeding to update in recovery mode.

BUG=b:126931606
TEST=make futil; tests/futility/run_test_scripts.sh $(pwd)/build/futility
BRANCH=none
Change-Id: I16c2f9b4fd886e15414de8fda7bd41813f3f8d83
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1496678
Reviewed-by: Julius Werner <jwerner@chromium.org>
Diffstat (limited to 'futility')
-rw-r--r-- | futility/updater.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/futility/updater.c b/futility/updater.c index e3f97277..42ae7707 100644 --- a/futility/updater.c +++ b/futility/updater.c @@ -1572,8 +1572,17 @@ static enum updater_error_codes update_whole_firmware( if (check_compatible_tpm_keys(cfg, image_to)) return UPDATE_ERR_TPM_ROLLBACK; if (!cfg->force_update) { + /* Check if the image_to itself is broken */ enum rootkey_compat_result r = check_compatible_root_key( - &cfg->image_current, image_to); + image_to, image_to); + if (r != ROOTKEY_COMPAT_OK) { + ERROR("Target image does not look valid. " + "Add --force if you really want to use it."); + return UPDATE_ERR_ROOT_KEY; + } + + /* Check if the system is going to re-key. */ + r = check_compatible_root_key(&cfg->image_current, image_to); /* We only allow re-key to non-dev keys. */ switch (r) { case ROOTKEY_COMPAT_OK: |
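Review bot: In the new self-check at the top of the `if (!cfg->force_update)` block, `check_compatible_root_key(image_to, image_to)` passes the same image for both arguments, and the comment "Check if the image_to itself is broken" does not say what property is being verified. Please state it in the comment or wrap the call in a small named helper; going by the commit message, the intent is that the target's own root key and vblock agree. Because this check and the re-key check that follows both sit under `!cfg->force_update`, the `--force` that the error message recommends disables both guards at once, so the message should make clear that forcing also skips the re-key check. Any non-OK result is collapsed into `UPDATE_ERR_ROOT_KEY` without logging the value of `r`, which makes a mis-signed target hard to diagnose from the output alone. The diffstat shows only `futility/updater.c` changed, so a test case that feeds a target image with a mismatched root key and vblock and expects this error would be worth adding.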