4 files changed, 15 insertions, 9 deletions

diff --git a/firmware/lib/include/vboot_common.h b/firmware/lib/include/vboot_common.h
index acfb58b7..44dba262 100644
--- a/firmware/lib/include/vboot_common.h
+++ b/firmware/lib/include/vboot_common.h
@@ -8,6 +8,7 @@
 #ifndef VBOOT_REFERENCE_VBOOT_COMMON_H_
 #define VBOOT_REFERENCE_VBOOT_COMMON_H_
 
+#include "2api.h"
 #include "vboot_struct.h"
 
 #ifndef ARRAY_SIZE
@@ -145,9 +146,9 @@ int VbSharedDataSetKernelKey(VbSharedDataHeader *header,
  * requests including manual recovery requested by a (compromised) host will
  * end up with 'broken' screen.
  *
- * @param flags Flags of VbSharedDataHeader.
+ * @param ctx vboot2 context pointer
  * @return 1: Yes. 0: No or not sure.
  */
-int vb2_allow_recovery(uint32_t flags);
+int vb2_allow_recovery(struct vb2_context *ctx);
 
 #endif  /* VBOOT_REFERENCE_VBOOT_COMMON_H_ */
diff --git a/firmware/lib/vboot_common.c b/firmware/lib/vboot_common.c
index d3851940..f336f2c0 100644
--- a/firmware/lib/vboot_common.c
+++ b/firmware/lib/vboot_common.c
@@ -10,6 +10,7 @@
 #include "2sysincludes.h"
 
 #include "2common.h"
+#include "2misc.h"
 #include "2rsa.h"
 #include "2sha.h"
 #include "vboot_api.h"
@@ -211,8 +212,12 @@ int VbSharedDataSetKernelKey(VbSharedDataHeader *header, const VbPublicKey *src)
 	return PublicKeyCopy(kdest, src);
 }
 
-int vb2_allow_recovery(uint32_t flags)
+int vb2_allow_recovery(struct vb2_context *ctx)
 {
+	/* GBB_FLAG_FORCE_MANUAL_RECOVERY forces this to always return true. */
+	if (vb2_get_sd(ctx)->gbb_flags & VB2_GBB_FLAG_FORCE_MANUAL_RECOVERY)
+		return 1;
+
 	/*
 	 * If EC is in RW, it implies recovery wasn't manually requested.
 	 * On some platforms, EC_IN_RW can't be reset by the EC, thus, this may
@@ -223,5 +228,5 @@ int vb2_allow_recovery(uint32_t flags)
 		return 0;
 
 	/* Now we confidently check the recovery switch state at boot */
-	return !!(flags & VBSD_BOOT_REC_SWITCH_ON);
+	return !!(vb2_get_sd(ctx)->vbsd->flags & VBSD_BOOT_REC_SWITCH_ON);
 }
diff --git a/firmware/lib/vboot_ui.c b/firmware/lib/vboot_ui.c
index 1db0e4a7..5eb78f0a 100644
--- a/firmware/lib/vboot_ui.c
+++ b/firmware/lib/vboot_ui.c
@@ -403,7 +403,7 @@ static VbError_t recovery_ui(struct vb2_context *ctx)
 
 	VB2_DEBUG("VbBootRecovery() start\n");
 
-	if (!vb2_allow_recovery(shared->flags)) {
+	if (!vb2_allow_recovery(ctx)) {
 		/*
 		 * We have to save the reason here so that it will survive
 		 * coming up three-finger-salute. We're saving it in
diff --git a/firmware/lib/vboot_ui_menu.c b/firmware/lib/vboot_ui_menu.c
index 050051ce..c050ec8e 100644
--- a/firmware/lib/vboot_ui_menu.c
+++ b/firmware/lib/vboot_ui_menu.c
@@ -231,7 +231,7 @@ static VbError_t enter_language_menu(struct vb2_context *ctx)
 
 static VbError_t enter_recovery_base_screen(struct vb2_context *ctx)
 {
-	if (!vb2_allow_recovery(vb2_get_sd(ctx)->vbsd->flags))
+	if (!vb2_allow_recovery(ctx))
 		vb2_change_menu(VB_MENU_RECOVERY_BROKEN, 0);
 	else if (usb_nogood)
 		vb2_change_menu(VB_MENU_RECOVERY_NO_GOOD, 0);
@@ -289,7 +289,7 @@ static VbError_t language_action(struct vb2_context *ctx)
 	 * Non-manual recovery mode is meant to be left via hard reset (into
 	 * manual recovery mode). Need to commit NVRAM changes immediately.
 	 */
-	if (vbsd->recovery_reason && !vb2_allow_recovery(vbsd->flags))
+	if (vbsd->recovery_reason && !vb2_allow_recovery(ctx))
 		vb2_nv_commit(ctx);
 
 	/* Return to previous menu. */
@@ -319,7 +319,7 @@ static VbError_t to_dev_action(struct vb2_context *ctx)
 	/* Sanity check, should never happen. */
 	if (!(vbsd_flags & VBSD_HONOR_VIRT_DEV_SWITCH) ||
 	    (vbsd_flags & VBSD_BOOT_DEV_SWITCH_ON) ||
-	    !vb2_allow_recovery(vbsd_flags))
+	    !vb2_allow_recovery(ctx))
 		return VBERROR_KEEP_LOOPING;
 
 	VB2_DEBUG("Enabling dev-mode...\n");
@@ -828,7 +828,7 @@ VbError_t VbBootRecoveryMenu(struct vb2_context *ctx)
 	VbError_t retval = vb2_init_menus(ctx);
 	if (VBERROR_SUCCESS != retval)
 		return retval;
-	if (vb2_allow_recovery(vb2_get_sd(ctx)->vbsd->flags))
+	if (vb2_allow_recovery(ctx))
 		retval = recovery_ui(ctx);
 	else
 		retval = broken_ui(ctx);