From 46891544f22614a44798f0f2a1872dfa2729ea46 Mon Sep 17 00:00:00 2001
From: Aseda Aboagye
Date: Wed, 8 Feb 2017 13:21:43 -0800
Subject: [PATCH] cr50: Disallow console unlocking for prod images.

With this change, only DEV images will have the capability to unlock the Cr50 console.
BUG=chrome-os-partner:62727
BRANCH=None
TEST=Build a prod image, flash Cr50, try to unlock the console. Verify that access is denied and console remains locked.
TEST=Attempt to read EC and AP flash over ccd. Verify that it fails.
TEST=Remove AC and battery. Plug in AC. Verify that console is still locked.
TEST=Plug in AC, unplug battery, verify that write protect is disabled. Verify that console is still locked and cannot be unlocked.
TEST=Build a dev image, verify that console can be locked and unlocked.
Change-Id: Ic47aa34f42ee295e74ba3a40b709ac42c34a30b7
Signed-off-by: Aseda Aboagye
Reviewed-on: https://chromium-review.googlesource.com/439764
Commit-Ready: Aseda Aboagye
Tested-by: Aseda Aboagye
Reviewed-by: Randall Spangler
Reviewed-by: Mary Ruthven
---
 board/cr50/wp.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/board/cr50/wp.c b/board/cr50/wp.c
index 01fdf2e116..eb1d01155e 100644
--- a/board/cr50/wp.c
+++ b/board/cr50/wp.c
@@ -263,7 +263,6 @@ static void power_button_poked(void)
 }
 DECLARE_IRQ(GC_IRQNUM_RBOX0_INTR_PWRB_IN_FED_INT, power_button_poked, 1);
 
-
 static void start_unlock_process(int total_poking_time, int max_poke_interval)
 {
 unlock_in_progress = 1;
@@ -356,6 +355,15 @@ static int command_lock(int argc, char **argv)
 int enabled;
 int i;
 
+#ifndef CR50_DEV
+ /* Don't allow the console to be unlocked at all for prod images. */
+ ASSERT(console_is_restricted() == 1);
+ if (argc > 1)
+ return EC_ERROR_ACCESS_DENIED;
+
+ goto out;
+#endif /* !defined(CR50_DEV) */
+
 if (argc > 1) {
 if (!parse_bool(argv[1], &enabled))
 return EC_ERROR_PARAM1;
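Review bot: The added `ASSERT(console_is_restricted() == 1);` in the `#ifndef CR50_DEV` block of command_lock is the only place the new code checks that a prod image is actually locked, and an assertion is a weak carrier for that invariant: if ASSERT compiles to nothing in this build configuration the state is never checked, and if it is active a violated invariant turns into a panic from a console command instead of a handled error. I would test the state at runtime and fail closed, for example `if (!console_is_restricted()) return EC_ERROR_ACCESS_DENIED;`, ideally after calling whatever routine in this file re-locks the console (it is not visible in the hunk). Comparing with `== 1` also treats any other non-zero return as "not restricted", so a plain truth test is the safer form. Separately, the unconditional `goto out;` leaves the remainder of command_lock as dead code that still appears to be compiled into prod images; an `#ifdef CR50_DEV` / `#else` split around the unlock path would keep it out of the binary and avoid unused-variable warnings for `enabled` and `i`. The rest of the function and the `out` label lie outside this hunk, so this is based only on the lines shown.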