ccd: do not allow 'unlock' from console unless password is set

CCD management policies explicitly prohibit running the 'unlock' command from the Cr50 CLI unless CCD password is set. This patch enforces the policy. BRANCH=cr50 BUG=b:62537474 TEST=ran the following commands on the Cr50 console: > ccd State: Locked Password: none ... > ccd unlock Cann't unlock without password Access Denied Usage: ccd [help | ...] > Change-Id: I5a14a54049a233e86e097064ff235e9b7a8bbb86 Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/861000 Reviewed-by: Randall Spangler <rspangler@chromium.org>
2026-01-11 18:35:28 +00:00 · 2018-01-10 11:31:53 -08:00
parent 88c5e62f89
commit 35c8f62480
1 changed files with 6 additions and 1 deletions
--- a/common/ccd_config.c
+++ b/common/ccd_config.c
@@ -1182,8 +1182,13 @@ static int command_ccd_body(int argc, char **argv)
 	/* Commands to set state */
 	if (!strcasecmp(argv[1], "lock"))
 		return ccd_command_wrapper(0, NULL, CCDV_LOCK);
-	if (!strcasecmp(argv[1], "unlock"))
+	if (!strcasecmp(argv[1], "unlock")) {
+		if (!raw_has_password()) {
+			ccprintf("Unlock only allowed after password is set\n");
+			return EC_ERROR_ACCESS_DENIED;
+		}
 		return ccd_command_wrapper(argc - 1, argv[2], CCDV_UNLOCK);
+	}
 	if (!strcasecmp(argv[1], "open"))
 		return ccd_command_wrapper(argc - 1, argv[2], CCDV_OPEN);