From 35c8f62480ec47dac9825e1fc0fdf6a59b47df8f Mon Sep 17 00:00:00 2001
From: Vadim Bendebury
Date: Wed, 10 Jan 2018 11:31:53 -0800
Subject: [PATCH] ccd: do not allow 'unlock' from console unless password is set

CCD management policies explicitly prohibit running the 'unlock' command from the Cr50 CLI unless CCD password is set. This patch enforces the policy.
BRANCH=cr50
BUG=b:62537474
TEST=ran the following commands on the Cr50 console: > ccd State: Locked Password: none ... > ccd unlock Cann't unlock without password Access Denied Usage: ccd [help | ...] >
Change-Id: I5a14a54049a233e86e097064ff235e9b7a8bbb86
Signed-off-by: Vadim Bendebury
Reviewed-on: https://chromium-review.googlesource.com/861000
Reviewed-by: Randall Spangler
---
 common/ccd_config.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/common/ccd_config.c b/common/ccd_config.c
index 185b29278a..12885926dd 100644
--- a/common/ccd_config.c
+++ b/common/ccd_config.c
@@ -1182,8 +1182,13 @@ static int command_ccd_body(int argc, char **argv)
 /* Commands to set state */
 if (!strcasecmp(argv[1], "lock"))
 return ccd_command_wrapper(0, NULL, CCDV_LOCK);
- if (!strcasecmp(argv[1], "unlock"))
+ if (!strcasecmp(argv[1], "unlock")) {
+ if (!raw_has_password()) {
+ ccprintf("Unlock only allowed after password is set\n");
+ return EC_ERROR_ACCESS_DENIED;
+ }
 return ccd_command_wrapper(argc - 1, argv[2], CCDV_UNLOCK);
+ }
 if (!strcasecmp(argv[1], "open"))
 return ccd_command_wrapper(argc - 1, argv[2], CCDV_OPEN);
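Review bot: The new `raw_has_password()` gate sits only in the console parser's "unlock" branch of `command_ccd_body`, so the hunk does not show whether the handler reached through `ccd_command_wrapper(..., CCDV_UNLOCK)` applies the same no-password rule to any other caller. If the restriction is meant to be console-specific, say so at the check, e.g. `/* CCD policy: console 'unlock' is refused until a CCD password is set; this gate covers the CLI path only. */`, so a later refactor does not move or drop it unnoticed. The refusal text printed here ("Unlock only allowed after password is set") also differs from the transcript in the commit's TEST line, so any test or log matcher keyed on the old string should be checked against the final wording. The body of `command_ccd_body` starts and continues outside this hunk, so argument-count validation for `argv[2]` cannot be confirmed from here.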