Diffstat (limited to 'firmware/lib/vboot_kernel.c')
-rw-r--r--firmware/lib/vboot_kernel.c24
1 files changed, 17 insertions, 7 deletions
diff --git a/firmware/lib/vboot_kernel.c b/firmware/lib/vboot_kernel.c
index e38c4704..83c5eca2 100644
--- a/firmware/lib/vboot_kernel.c
+++ b/firmware/lib/vboot_kernel.c
@@ -121,6 +121,7 @@ int WriteAndFreeGptData(VbExDiskHandle_t disk_handle, GptData* gptdata) {
/* disable MSVC warning on const logical expression (as in } while(0);) */
__pragma(warning(disable: 4127))
+
VbError_t LoadKernel(LoadKernelParams* params) {
VbSharedDataHeader* shared = (VbSharedDataHeader*)params->shared_data_blob;
VbSharedDataKernelCall* shcall = NULL;
@@ -139,6 +140,7 @@ VbError_t LoadKernel(LoadKernelParams* params) {
int rec_switch, dev_switch;
BootMode boot_mode;
uint32_t test_err = 0;
+ uint32_t allow_self_signed = 0;
VbError_t retval = VBERROR_UNKNOWN;
int recovery = VBNV_RECOVERY_RO_UNSPECIFIED;
@@ -162,12 +164,14 @@ VbError_t LoadKernel(LoadKernelParams* params) {
/* Calculate switch positions and boot mode */
rec_switch = (BOOT_FLAG_RECOVERY & params->boot_flags ? 1 : 0);
dev_switch = (BOOT_FLAG_DEVELOPER & params->boot_flags ? 1 : 0);
- if (rec_switch)
+ if (rec_switch) {
boot_mode = kBootRecovery;
- else if (dev_switch)
+ } else if (dev_switch) {
boot_mode = kBootDev;
- else
+ VbNvGet(vnc, VBNV_DEV_BOOT_CUSTOM, &allow_self_signed);
+ } else {
boot_mode = kBootNormal;
+ }
/* Set up tracking for this call. This wraps around if called many times,
* so we need to initialize the call entry each time. */
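Review bot: The return value of `VbNvGet(vnc, VBNV_DEV_BOOT_CUSTOM, &allow_self_signed)` in the `dev_switch` branch is discarded, so a failed NV read cannot be told apart from the flag being clear. This fails closed only because `allow_self_signed` is initialised to 0 at its declaration in the previous hunk, and only if VbNvGet leaves the destination untouched on error, which is not visible here. I would make the fail-closed behaviour explicit with `if (0 != VbNvGet(vnc, VBNV_DEV_BOOT_CUSTOM, &allow_self_signed)) allow_self_signed = 0;`, or at least add the comment `/* On read failure allow_self_signed stays 0, so self-signed kernels remain blocked. */`. LoadKernel's body starts and ends outside this hunk.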
@@ -250,7 +254,7 @@ VbError_t LoadKernel(LoadKernelParams* params) {
int key_block_valid = 1;
VBDEBUG(("Found kernel entry at %" PRIu64 " size %" PRIu64 "\n",
- part_start, part_size));
+ part_start, part_size));
/* Set up tracking for this partition. This wraps around if called
* many times, so initialize the partition entry each time. */
@@ -293,8 +297,14 @@ VbError_t LoadKernel(LoadKernelParams* params) {
if (kBootDev != boot_mode)
goto bad_kernel;
- /* In developer mode, we can continue if the SHA-512 hash of the key
- * block is valid. */
+ /* In developer mode, we have to explictly allow self-signed kernels */
+ if (!allow_self_signed) {
+ VBDEBUG(("Self-signed custom kernels are not enabled.\n"));
+ shpart->check_result = VBSD_LKP_CHECK_SELF_SIGNED;
+ goto bad_kernel;
+ }
+
+ /* Allow the kernel if the SHA-512 hash of the key block is valid. */
if (0 != KeyBlockVerify(key_block, KBUF_SIZE, kernel_subkey, 1)) {
VBDEBUG(("Verifying key block hash failed.\n"));
shpart->check_result = VBSD_LKP_CHECK_KEY_BLOCK_HASH;
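Review bot: The new comment misspells "explicitly" as `explictly` and does not say where the gate value comes from; I would write `/* In developer mode, self-signed kernels must be explicitly enabled via VBNV_DEV_BOOT_CUSTOM (defaults to 0). */`. The placement is right for a policy gate: `!allow_self_signed` is tested before the hash-only `KeyBlockVerify(key_block, KBUF_SIZE, kernel_subkey, 1)` call, so a key block that is only hash-valid is never accepted while the flag is clear. It would be worth a test that pins this path: developer mode, flag unset, hash-valid key block, expecting `VBSD_LKP_CHECK_SELF_SIGNED`. The enclosing block starts outside the hunk, so the condition that leads to this fallback is not visible here.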
@@ -489,7 +499,7 @@ VbError_t LoadKernel(LoadKernelParams* params) {
/* Continue, so that we skip the error handling code below */
continue;
- bad_kernel:
+ bad_kernel:
/* Handle errors parsing this kernel */
if (NULL != data_key)
RSAPublicKeyFree(data_key);