-rw-r--r--firmware/2lib/2ec_sync.c4
-rw-r--r--tests/vb2_ec_sync_tests.c17
2 files changed, 21 insertions, 0 deletions
diff --git a/firmware/2lib/2ec_sync.c b/firmware/2lib/2ec_sync.c
index 9c49cebc..20490e08 100644
--- a/firmware/2lib/2ec_sync.c
+++ b/firmware/2lib/2ec_sync.c
@@ -212,6 +212,10 @@ static vb2_error_t sync_ec(struct vb2_context *ctx)
return VB2_REQUEST_REBOOT_EC_TO_RO;
}
+ /* We no longer trust the EC once it is already in RW or tries to jump
+ to RW. */
+ ctx->flags &= ~VB2_CONTEXT_EC_TRUSTED;
+
/* Tell EC to jump to RW. It should already be in RW for EFS2. */
if (!(sd->flags & VB2_SD_FLAG_ECSYNC_EC_IN_RW)) {
VB2_DEBUG("jumping to EC-RW\n");
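Review bot: The comment above the new `ctx->flags &= ~VB2_CONTEXT_EC_TRUSTED;` does not say that the clear has to stay ahead of the jump request, which is what makes it fail-closed: the flag is dropped even when the jump call fails, and the test cases that set `jump_retval = VB2_ERROR_MOCK` appear to rely on that. I would state the ordering explicitly, in the block-comment layout used elsewhere in this change, e.g. `/* Clear EC_TRUSTED before requesting the jump so a failed or partial jump can never leave the flag set. */`. The `return VB2_REQUEST_REBOOT_EC_TO_RO;` just above, and any earlier returns in sync_ec outside this hunk, leave the flag untouched, so it is worth confirming that none of them can be reached with the EC already in RW. sync_ec's body starts and ends outside the hunk.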
diff --git a/tests/vb2_ec_sync_tests.c b/tests/vb2_ec_sync_tests.c
index ea0dbf11..16496e44 100644
--- a/tests/vb2_ec_sync_tests.c
+++ b/tests/vb2_ec_sync_tests.c
@@ -96,6 +96,13 @@ static void ResetMocks(void)
memset(hmir, 0, sizeof(hmir));
hmir[0] = 42;
vb2_secdata_kernel_set_ec_hash(ctx, hmir);
+
+ /*
+ * This flag should not involve in the steps deciding whether EC is
+ * running RW. The only concern here is we need to clear this flag after
+ * attempting a jump to RW.
+ */
+ ctx->flags |= VB2_CONTEXT_EC_TRUSTED;
}
/* Mock functions */
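Review bot: The comment added in ResetMocks is hard to parse ("should not involve in the steps deciding"), and it leaves unstated that the flag is preset only so the later `TEST_FALSE` checks can observe a set-to-clear transition. Suggested wording: `/* EC_TRUSTED plays no part in deciding whether the EC runs RW; set it here so each case can check that it is cleared once a jump to RW is attempted. */`.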
@@ -515,6 +522,8 @@ static void VbSoftwareSyncTest(void)
TEST_EQ(ec_ro_protected, 1, "ec ro protected");
TEST_EQ(ec_rw_protected, 1, "ec rw protected");
TEST_EQ(ec_run_image, 1, "ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
ResetMocks();
test_ssync(0, 0, "AP-RW, EC-RO -> EC-RW");
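Review bot: Every new `TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED, ...)` here and in the four hunks that follow checks only that the flag ends up cleared; no case asserts that it is still set when sync returns before the jump step, so a change that cleared it on every path would still pass. A `TEST_TRUE(ctx->flags & VB2_CONTEXT_EC_TRUSTED, ...)` on a path that stops before the clear would pin the other half of the contract; the reboot-to-RO return visible in the firmware hunk looks like a candidate, to be confirmed against the full function. As a style point, the new message strings start with a space while the neighbouring `"ec ro protected"` strings in this hunk and in the last one do not.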
@@ -523,6 +532,8 @@ static void VbSoftwareSyncTest(void)
TEST_EQ(ec_ro_protected, 1, " ec ro protected");
TEST_EQ(ec_rw_protected, 1, " ec rw protected");
TEST_EQ(ec_run_image, 1, " ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
ResetMocks();
jump_retval = VB2_ERROR_MOCK;
@@ -533,6 +544,8 @@ static void VbSoftwareSyncTest(void)
TEST_EQ(ec_ro_protected, 0, " ec ro protected");
TEST_EQ(ec_rw_protected, 0, " ec rw protected");
TEST_EQ(ec_run_image, 0, " ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
ResetMocks();
jump_retval = VB2_REQUEST_REBOOT_EC_TO_RO;
@@ -543,6 +556,8 @@ static void VbSoftwareSyncTest(void)
TEST_EQ(ec_ro_protected, 0, " ec ro protected");
TEST_EQ(ec_rw_protected, 0, " ec rw protected");
TEST_EQ(ec_run_image, 0, " ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
ResetMocks();
protect_retval = VB2_ERROR_MOCK;
@@ -552,6 +567,8 @@ static void VbSoftwareSyncTest(void)
TEST_EQ(ec_ro_protected, 0, "ec ro protected");
TEST_EQ(ec_rw_protected, 0, "ec rw protected");
TEST_EQ(ec_run_image, 1, "ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
/* No longer check for shutdown requested */
ResetMocks();