Google Git
Sign in
cos / mirrors / cros / chromiumos / platform / vboot_reference / refs/heads/stabilize-5463.B^! / .
commite8117120b677937902fc3c75ba3cee97e1fa0dc1[log] [tgz]
authorHung-Te Lin <hungte@chromium.org>Mon Feb 10 17:35:34 2014 +0800
committerchrome-internal-fetch <chrome-internal-fetch@google.com>Tue Feb 11 05:40:14 2014 +0000
tree64d60fe5825ea24dd2260722f923b6d1620af58d
parentbbc76063294f4b9fcca6b581d9831595d840a1a3 [diff]
set_gbb_flags: Check write protection status before starting to flash.

People trying to override GBB flags and not having write protection disabled may
corrupt whole RW section of firmware.

To avoid that, we should check write protection before starting to invoke
flashrom commands.

BUG=chromium:341242
TEST=./set_gbb_flags.sh 0x39 # Aborted on a write-protected system, as expected.
BRANCH=none

Change-Id: I6b2dcc75b87dc5ceace0d7caec62ded787b2b534
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/185653
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Queue: Hung-Te Lin <hungte@google.com>

diff --git a/scripts/image_signing/set_gbb_flags.sh b/scripts/image_signing/set_gbb_flags.sh
index e812dba..157913a 100755
--- a/scripts/image_signing/set_gbb_flags.sh
+++ b/scripts/image_signing/set_gbb_flags.sh

@@ -13,6 +13,7 @@
 
 # DEFINE_string name default_value description flag
 DEFINE_string file "" "Path to firmware image. Default to system firmware." "f"
+DEFINE_boolean check_wp $FLAGS_TRUE "Check write protection states first." ""
 
 # Globals
 # ----------------------------------------------------------------------------
@@ -47,6 +48,24 @@
 FLASHROM_READ_OPT="$FLASHROM_COMMON_OPT -i GBB -r"
 FLASHROM_WRITE_OPT="$FLASHROM_COMMON_OPT -i GBB --fast-verify -w"
 
+# Check write protection
+# ----------------------------------------------------------------------------
+check_write_protection() {
+  local ret=$FLAGS_TRUE
+  if ! crossystem "wpsw_boot?0"; then
+    echo "Hardware write protection must be disabled."
+    ret=$FLAGS_FALSE
+  fi
+  local wp_states="$(flashrom --wp-status 2>/dev/null | grep WP)"
+  local wp_disabled="$(echo "$wp_states" | grep "WP:.*is disabled.")"
+  local wp_zero_len="$(echo "$wp_states" | grep "WP:.*, len=0x00000000")"
+  if [ -z "$wp_disabled" -a -z "$wp_zero_len" ]; then
+    echo "Software write protection must be disabled."
+    ret=$FLAGS_FALSE
+  fi
+  return $ret
+}
+
 # Main
 # ----------------------------------------------------------------------------
 main() {
@@ -69,6 +88,14 @@
   gbb_utility -s --flags="$value" "$image_file"
 
   if [ -z "$FLAGS_file" ]; then
+    if [ "$FLAGS_check_wp" = "$FLAGS_TRUE" ]; then
+      if ! check_write_protection; then
+        echo ""
+        echo "WARNING: System GBB Flags are NOT changed!!!"
+        echo "ERROR: You must disable write protection before setting flags."
+        exit 1
+      fi
+    fi
     flashrom $FLASHROM_WRITE_OPT "$image_file"
   fi
 }