cr50: Disallow console unlocking for prod images.

With this change, only DEV images will have the capability to unlock the Cr50 console. BUG=chrome-os-partner:62727 BRANCH=None TEST=Build a prod image, flash Cr50, try to unlock the console. Verify that access is denied and console remains locked. TEST=Attempt to read EC and AP flash over ccd. Verify that it fails. TEST=Remove AC and battery. Plug in AC. Verify that console is still locked. TEST=Plug in AC, unplug battery, verify that write protect is disabled. Verify that console is still locked and cannot be unlocked. TEST=Build a dev image, verify that console can be locked and unlocked. Change-Id: Ic47aa34f42ee295e74ba3a40b709ac42c34a30b7 Signed-off-by: Aseda Aboagye <aaboagye@google.com> Reviewed-on: https://chromium-review.googlesource.com/439764 Commit-Ready: Aseda Aboagye <aaboagye@chromium.org> Tested-by: Aseda Aboagye <aaboagye@chromium.org> Reviewed-by: Randall Spangler <rspangler@chromium.org> Reviewed-by: Mary Ruthven <mruthven@chromium.org>
2026-01-08 08:31:52 +00:00 · 2017-02-08 13:21:43 -08:00
parent d910997f6a
commit 46891544f2
1 changed files with 9 additions and 1 deletions
--- a/board/cr50/wp.c
+++ b/board/cr50/wp.c
@@ -263,7 +263,6 @@ static void power_button_poked(void)
 }
 DECLARE_IRQ(GC_IRQNUM_RBOX0_INTR_PWRB_IN_FED_INT, power_button_poked, 1);

-
 static void start_unlock_process(int total_poking_time, int max_poke_interval)
 {
 	unlock_in_progress = 1;
@@ -356,6 +355,15 @@ static int command_lock(int argc, char **argv)
 	int enabled;
 	int i;

+#ifndef CR50_DEV
+	/* Don't allow the console to be unlocked at all for prod images. */
+	ASSERT(console_is_restricted() == 1);
+	if (argc > 1)
+		return EC_ERROR_ACCESS_DENIED;
+
+	goto out;
+#endif /* !defined(CR50_DEV) */
+
 	if (argc > 1) {
 		if (!parse_bool(argv[1], &enabled))
 			return EC_ERROR_PARAM1;