From 829dc3be90b947fff17c00d7612d0b48cce4da34 Mon Sep 17 00:00:00 2001
From: Julius Werner
Date: Thu, 19 Jan 2023 16:57:00 -0800
Subject: OAK-ONLY: firmware: Commit disable_dev_request if forbidden by FWMP

This patch makes VbSelectAndLoadKernel() check if developer mode is disabled by FWMP and set the disable_dev_request nvdata flag right away in that case.

BRANCH=all
BUG=b:266013201,b:268272051
TEST=none

Signed-off-by: Julius Werner
Change-Id: If6518a86860f06a28e80ca6519b6fbe7a949a2cd
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4234303
Reviewed-by: Andrey Pronin
Reviewed-by: Yu-Ping Wu
---
 firmware/lib/vboot_api_kernel.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/firmware/lib/vboot_api_kernel.c b/firmware/lib/vboot_api_kernel.c
index 90703a90..92aaac7b 100644
--- a/firmware/lib/vboot_api_kernel.c
+++ b/firmware/lib/vboot_api_kernel.c
@@ -1169,6 +1169,17 @@ VbError_t VbSelectAndLoadKernel(VbCommonParams *cparams,
 }
 }
 
+ /* If we're in developer mode when we shouldn't be, disable as soon as
+ possible and commit that decision right away, unless WP is off.
+ See b/266013201 and b/268272051 for context. */
+ if ((fwmp.flags & FWMP_DEV_DISABLE_BOOT) &&
+ !(cparams->gbb->flags & GBB_FLAG_FORCE_DEV_SWITCH_ON) &&
+ (shared->flags & VBSD_BOOT_DEV_SWITCH_ON) &&
+ (shared->flags & VBSD_BOOT_FIRMWARE_WP_ENABLED)) {
+ VbNvSet(&vnc, VBNV_DISABLE_DEV_REQUEST, 1);
+ VbNvCommit();
+ }
+
 /* Fill in params for calls to LoadKernel() */
 Memset(&p, 0, sizeof(p));
 p.shared_data_blob = cparams->shared_data_blob;
--
cgit v1.2.1
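Review bot: The comment above the new `if` says when the flag is set but not why firmware write protection being off, or `GBB_FLAG_FORCE_DEV_SWITCH_ON`, exempts the device; that rationale is reachable only through the two b/ links, which many readers of this file cannot open. I would add one sentence per exemption stating the reason in words, and say explicitly that this only records a request in nvdata (which presumably acts on a later boot), since nothing in the hunk stops the current boot. Nothing here checks whether `VbNvSet()` or `VbNvCommit()` succeeded; if either can fail (both are defined outside the hunk), the device would stay in developer mode with no trace, so a debug message on this path would help diagnosis. With TEST=none in the description, a unit test that toggles each of the four conditions in turn would pin this policy against regressions. VbSelectAndLoadKernel() begins and ends outside the hunk.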