-rw-r--r-- | firmware/2lib/2ec_sync.c | 4 | ||||
-rw-r--r-- | tests/vb2_ec_sync_tests.c | 17 |
2 files changed, 21 insertions, 0 deletions
diff --git a/firmware/2lib/2ec_sync.c b/firmware/2lib/2ec_sync.c
index 9c49cebc..20490e08 100644
--- a/firmware/2lib/2ec_sync.c
+++ b/firmware/2lib/2ec_sync.c
@@ -212,6 +212,10 @@ static vb2_error_t sync_ec(struct vb2_context *ctx)
 return VB2_REQUEST_REBOOT_EC_TO_RO;
 }
+ /* We no longer trust the EC once it is already in RW or tries to jump
+ to RW. */
+ ctx->flags &= ~VB2_CONTEXT_EC_TRUSTED;
+
 /* Tell EC to jump to RW. It should already be in RW for EFS2. */
 if (!(sd->flags & VB2_SD_FLAG_ECSYNC_EC_IN_RW)) {
 VB2_DEBUG("jumping to EC-RW\n");
diff --git a/tests/vb2_ec_sync_tests.c b/tests/vb2_ec_sync_tests.c
index ea0dbf11..16496e44 100644
--- a/tests/vb2_ec_sync_tests.c
+++ b/tests/vb2_ec_sync_tests.c
@@ -96,6 +96,13 @@ static void ResetMocks(void)
 memset(hmir, 0, sizeof(hmir));
 hmir[0] = 42;
 vb2_secdata_kernel_set_ec_hash(ctx, hmir);
+
+ /*
+ * This flag should not involve in the steps deciding whether EC is
+ * running RW. The only concern here is we need to clear this flag after
+ * attempting a jump to RW.
+ */
+ ctx->flags |= VB2_CONTEXT_EC_TRUSTED;
 }
 /* Mock functions */
@@ -515,6 +522,8 @@ static void VbSoftwareSyncTest(void)
 TEST_EQ(ec_ro_protected, 1, "ec ro protected");
 TEST_EQ(ec_rw_protected, 1, "ec rw protected");
 TEST_EQ(ec_run_image, 1, "ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
 ResetMocks();
 test_ssync(0, 0, "AP-RW, EC-RO -> EC-RW");
@@ -523,6 +532,8 @@ static void VbSoftwareSyncTest(void)
 TEST_EQ(ec_ro_protected, 1, " ec ro protected");
 TEST_EQ(ec_rw_protected, 1, " ec rw protected");
 TEST_EQ(ec_run_image, 1, " ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
 ResetMocks();
 jump_retval = VB2_ERROR_MOCK;
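Review bot: The comment added in the sync_ec hunk does not say that the clear is deliberately placed before the jump attempt, which is what makes the flag fail closed when the jump call itself fails. The test hunks appear to rely on exactly that, since one of them expects the flag cleared with `ec_run_image` still 0. I would state the ordering in the comment, for example `/* Clear before the jump attempt so a failed jump never leaves EC_TRUSTED set. */`, so a later refactor does not move the line below the jump's error check. The visible `return VB2_REQUEST_REBOOT_EC_TO_RO;` just above exits with the flag still set, which presumably is intended because the EC is being sent back to RO. sync_ec's body starts outside the hunk, so the other early exits should be checked against the same reasoning.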
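Review bot: All five added `TEST_FALSE` checks in VbSoftwareSyncTest (the hunks at -515, -523, -533, -543 and -552) assert only that the flag ends up cleared. Nothing pins the cases where sync_ec returns before reaching the clear, so the tests would not notice if the clear moved to a different point in the function. If such a case exists in this file (the hunks do not show one), a line like `TEST_TRUE(ctx->flags & VB2_CONTEXT_EC_TRUSTED, "  VB2_CONTEXT_EC_TRUSTED is kept");` there would fix the boundary. The ResetMocks comment would also read better as `This flag should not be involved in deciding whether the EC is running RW; it is set here only so the tests can observe it being cleared.`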
@@ -533,6 +544,8 @@ static void VbSoftwareSyncTest(void)
 TEST_EQ(ec_ro_protected, 0, " ec ro protected");
 TEST_EQ(ec_rw_protected, 0, " ec rw protected");
 TEST_EQ(ec_run_image, 0, " ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
 ResetMocks();
 jump_retval = VB2_REQUEST_REBOOT_EC_TO_RO;
@@ -543,6 +556,8 @@ static void VbSoftwareSyncTest(void)
 TEST_EQ(ec_ro_protected, 0, " ec ro protected");
 TEST_EQ(ec_rw_protected, 0, " ec rw protected");
 TEST_EQ(ec_run_image, 0, " ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
 ResetMocks();
 protect_retval = VB2_ERROR_MOCK;
@@ -552,6 +567,8 @@ static void VbSoftwareSyncTest(void)
 TEST_EQ(ec_ro_protected, 0, "ec ro protected");
 TEST_EQ(ec_rw_protected, 0, "ec rw protected");
 TEST_EQ(ec_run_image, 1, "ec run image");
+ TEST_FALSE(ctx->flags & VB2_CONTEXT_EC_TRUSTED,
+ " VB2_CONTEXT_EC_TRUSTED is cleared");
 /* No longer check for shutdown requested */
 ResetMocks(); |