10 files changed, 46 insertions, 14 deletions
diff --git a/firmware/2lib/include/2common.h b/firmware/2lib/include/2common.h
index 019a34ac..be5c484a 100644
--- a/firmware/2lib/include/2common.h
+++ b/firmware/2lib/include/2common.h
@@ -12,6 +12,7 @@
 #include "2return_codes.h"
 #include "2sha.h"
 #include "2struct.h"
+#include "2sysincludes.h"
 
 struct vb2_public_key;
 
diff --git a/firmware/2lib/include/2struct.h b/firmware/2lib/include/2struct.h
index 3411de77..d1185593 100644
--- a/firmware/2lib/include/2struct.h
+++ b/firmware/2lib/include/2struct.h
@@ -296,8 +296,8 @@ enum vb2_gbb_flag {
 	 */
 	VB2_GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP = (1 << 13),
 
-	/* Enable serial */
-	VB2_GBB_FLAG_ENABLE_SERIAL = (1 << 14),
+	/* Recovery mode always assumes manual recovery, even if EC_IN_RW=1 */
+	VB2_GBB_FLAG_FORCE_MANUAL_RECOVERY = (1 << 14),
 
 	/* Disable FWMP */
 	VB2_GBB_FLAG_DISABLE_FWMP = (1 << 15),
diff --git a/firmware/include/gbb_header.h b/firmware/include/gbb_header.h
index 4503ffaa..11586e92 100644
--- a/firmware/include/gbb_header.h
+++ b/firmware/include/gbb_header.h
@@ -72,8 +72,8 @@
  * dev_boot_fastboot_full_cap=0.
  */
 #define GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP	0x00002000
-/* Enable serial console */
-#define GBB_FLAG_ENABLE_SERIAL				0x00004000
+/* Recovery mode always assumes manual recovery, even if EC_IN_RW=1 */
+#define GBB_FLAG_FORCE_MANUAL_RECOVERY			0x00004000
 /* Disable using FWMP */
 #define GBB_FLAG_DISABLE_FWMP                           0x00008000
 
diff --git a/firmware/lib/include/vboot_common.h b/firmware/lib/include/vboot_common.h
index acfb58b7..44dba262 100644
--- a/firmware/lib/include/vboot_common.h
+++ b/firmware/lib/include/vboot_common.h
@@ -8,6 +8,7 @@
 #ifndef VBOOT_REFERENCE_VBOOT_COMMON_H_
 #define VBOOT_REFERENCE_VBOOT_COMMON_H_
 
+#include "2api.h"
 #include "vboot_struct.h"
 
 #ifndef ARRAY_SIZE
@@ -145,9 +146,9 @@ int VbSharedDataSetKernelKey(VbSharedDataHeader *header,
  * requests including manual recovery requested by a (compromised) host will
  * end up with 'broken' screen.
  *
- * @param flags Flags of VbSharedDataHeader.
+ * @param ctx vboot2 context pointer
  * @return 1: Yes. 0: No or not sure.
  */
-int vb2_allow_recovery(uint32_t flags);
+int vb2_allow_recovery(struct vb2_context *ctx);
 
 #endif  /* VBOOT_REFERENCE_VBOOT_COMMON_H_ */
diff --git a/firmware/lib/vboot_common.c b/firmware/lib/vboot_common.c
index d3851940..f336f2c0 100644
--- a/firmware/lib/vboot_common.c
+++ b/firmware/lib/vboot_common.c
@@ -10,6 +10,7 @@
 #include "2sysincludes.h"
 
 #include "2common.h"
+#include "2misc.h"
 #include "2rsa.h"
 #include "2sha.h"
 #include "vboot_api.h"
@@ -211,8 +212,12 @@ int VbSharedDataSetKernelKey(VbSharedDataHeader *header, const VbPublicKey *src)
 	return PublicKeyCopy(kdest, src);
 }
 
-int vb2_allow_recovery(uint32_t flags)
+int vb2_allow_recovery(struct vb2_context *ctx)
 {
+	/* GBB_FLAG_FORCE_MANUAL_RECOVERY forces this to always return true. */
+	if (vb2_get_sd(ctx)->gbb_flags & VB2_GBB_FLAG_FORCE_MANUAL_RECOVERY)
+		return 1;
+
 	/*
 	 * If EC is in RW, it implies recovery wasn't manually requested.
 	 * On some platforms, EC_IN_RW can't be reset by the EC, thus, this may
@@ -223,5 +228,5 @@ int vb2_allow_recovery(uint32_t flags)
 		return 0;
 
 	/* Now we confidently check the recovery switch state at boot */
-	return !!(flags & VBSD_BOOT_REC_SWITCH_ON);
+	return !!(vb2_get_sd(ctx)->vbsd->flags & VBSD_BOOT_REC_SWITCH_ON);
 }
diff --git a/firmware/lib/vboot_ui.c b/firmware/lib/vboot_ui.c
index 1db0e4a7..5eb78f0a 100644
--- a/firmware/lib/vboot_ui.c
+++ b/firmware/lib/vboot_ui.c
@@ -403,7 +403,7 @@ static VbError_t recovery_ui(struct vb2_context *ctx)
 
 	VB2_DEBUG("VbBootRecovery() start\n");
 
-	if (!vb2_allow_recovery(shared->flags)) {
+	if (!vb2_allow_recovery(ctx)) {
 		/*
 		 * We have to save the reason here so that it will survive
 		 * coming up three-finger-salute. We're saving it in
diff --git a/firmware/lib/vboot_ui_menu.c b/firmware/lib/vboot_ui_menu.c
index 050051ce..c050ec8e 100644
--- a/firmware/lib/vboot_ui_menu.c
+++ b/firmware/lib/vboot_ui_menu.c
@@ -231,7 +231,7 @@ static VbError_t enter_language_menu(struct vb2_context *ctx)
 
 static VbError_t enter_recovery_base_screen(struct vb2_context *ctx)
 {
-	if (!vb2_allow_recovery(vb2_get_sd(ctx)->vbsd->flags))
+	if (!vb2_allow_recovery(ctx))
 		vb2_change_menu(VB_MENU_RECOVERY_BROKEN, 0);
 	else if (usb_nogood)
 		vb2_change_menu(VB_MENU_RECOVERY_NO_GOOD, 0);
@@ -289,7 +289,7 @@ static VbError_t language_action(struct vb2_context *ctx)
 	 * Non-manual recovery mode is meant to be left via hard reset (into
 	 * manual recovery mode). Need to commit NVRAM changes immediately.
 	 */
-	if (vbsd->recovery_reason && !vb2_allow_recovery(vbsd->flags))
+	if (vbsd->recovery_reason && !vb2_allow_recovery(ctx))
 		vb2_nv_commit(ctx);
 
 	/* Return to previous menu. */
@@ -319,7 +319,7 @@ static VbError_t to_dev_action(struct vb2_context *ctx)
 	/* Sanity check, should never happen. */
 	if (!(vbsd_flags & VBSD_HONOR_VIRT_DEV_SWITCH) ||
 	    (vbsd_flags & VBSD_BOOT_DEV_SWITCH_ON) ||
-	    !vb2_allow_recovery(vbsd_flags))
+	    !vb2_allow_recovery(ctx))
 		return VBERROR_KEEP_LOOPING;
 
 	VB2_DEBUG("Enabling dev-mode...\n");
@@ -828,7 +828,7 @@ VbError_t VbBootRecoveryMenu(struct vb2_context *ctx)
 	VbError_t retval = vb2_init_menus(ctx);
 	if (VBERROR_SUCCESS != retval)
 		return retval;
-	if (vb2_allow_recovery(vb2_get_sd(ctx)->vbsd->flags))
+	if (vb2_allow_recovery(ctx))
 		retval = recovery_ui(ctx);
 	else
 		retval = broken_ui(ctx);
diff --git a/scripts/image_signing/gbb_flags_common.sh b/scripts/image_signing/gbb_flags_common.sh
index 9a8d1cb4..fed7ac61 100644
--- a/scripts/image_signing/gbb_flags_common.sh
+++ b/scripts/image_signing/gbb_flags_common.sh
@@ -33,7 +33,7 @@ GBBFLAGS_LIST="
   GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC          0x00000800
   GBB_FLAG_DISABLE_LID_SHUTDOWN              0x00001000
   GBB_FLAG_FORCE_DEV_BOOT_FASTBOOT_FULL_CAP  0x00002000
-  GBB_FLAG_ENABLE_SERIAL                     0x00004000
+  GBB_FLAG_FORCE_MANUAL_RECOVERY             0x00004000
   "
 
 GBBFLAGS_DESCRIPTION_SUFFIX="
diff --git a/tests/vboot_api_kernel2_tests.c b/tests/vboot_api_kernel2_tests.c
index 2a714baa..b9e05157 100644
--- a/tests/vboot_api_kernel2_tests.c
+++ b/tests/vboot_api_kernel2_tests.c
@@ -605,6 +605,17 @@ static void VbBootRecTest(void)
 	TEST_EQ(screens_displayed[0], VB_SCREEN_OS_BROKEN,
 		"  broken screen");
 
+	/* Force insert screen with GBB flag */
+	ResetMocks();
+	shutdown_request_calls_left = 100;
+	sd->gbb_flags |= VB2_GBB_FLAG_FORCE_MANUAL_RECOVERY;
+	vbtlk_retval = VBERROR_NO_DISK_FOUND - VB_DISK_FLAG_REMOVABLE;
+	TEST_EQ(VbBootRecovery(&ctx),
+		VBERROR_SHUTDOWN_REQUESTED,
+		"Insert (forced by GBB)");
+	TEST_EQ(screens_displayed[0], VB_SCREEN_RECOVERY_INSERT,
+		"  insert screen");
+
 	/* No removal if recovery button physically pressed */
 	ResetMocks();
 	shutdown_request_calls_left = 100;
diff --git a/tests/vboot_detach_menu_tests.c b/tests/vboot_detach_menu_tests.c
index 3d30683a..f494dc91 100644
--- a/tests/vboot_detach_menu_tests.c
+++ b/tests/vboot_detach_menu_tests.c
@@ -1333,6 +1333,20 @@ static void VbBootRecTest(void)
 	TEST_EQ(screens_count, 2, "  no extra screens");
 	TEST_EQ(beeps_count, 0, "  no beep on shutdown");
 
+	/* go to INSERT if forced by GBB flag */
+	ResetMocks();
+	vbtlk_retval[0] = VBERROR_NO_DISK_FOUND - VB_DISK_FLAG_REMOVABLE;
+	sd->gbb_flags |= GBB_FLAG_FORCE_MANUAL_RECOVERY;
+	TEST_EQ(VbBootRecoveryMenu(&ctx), VBERROR_SHUTDOWN_REQUESTED,
+		"Shutdown requested in INSERT forced by GBB flag");
+	TEST_EQ(vb2_nv_get(&ctx, VB2_NV_RECOVERY_REQUEST), 0, "  no recovery");
+	TEST_EQ(debug_info_displayed, 0, "  no debug info");
+	TEST_EQ(screens_displayed[0], VB_SCREEN_RECOVERY_INSERT,
+		"  insert screen");
+	TEST_EQ(screens_displayed[1], VB_SCREEN_BLANK, "  final blank screen");
+	TEST_EQ(screens_count, 2, "  no extra screens");
+	TEST_EQ(beeps_count, 0, "  no beep on shutdown");
+
 	/* Stay at BROKEN if recovery button not physically pressed */
 	ResetMocksForManualRecovery();
 	vbtlk_retval[0] = VBERROR_NO_DISK_FOUND - VB_DISK_FLAG_REMOVABLE;