Adjust the behavior of 'crossystem cros_debug' for recovery mode
Previously, 'cros_debug' would ignore the kernel command line if
the system was booted in recovery mode. The check provided no
particular security benefit; it served only to complicate the work
of developers who wanted to boot debug images over USB with dev-key
signed firmware.
BUG=chromium-os:19236
TEST=Test 'crossystem cros_debug' on a system in the cited use case
Change-Id: Ie664c50984411340a10896137022d7d4ff503d0a
Reviewed-on: https://gerrit.chromium.org/gerrit/6663
Commit-Ready: Richard Barnette <jrbarnette@chromium.org>
Tested-by: Richard Barnette <jrbarnette@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
diff --git a/host/lib/crossystem.c b/host/lib/crossystem.c
index 5c2adde..27d45c3 100644
--- a/host/lib/crossystem.c
+++ b/host/lib/crossystem.c
@@ -123,20 +123,12 @@
char buf[4096] = "";
char *t, *saveptr;
- /* Try reading firmware type. */
- if (VbGetArchPropertyString("mainfw_type", buf, sizeof(buf))) {
- if (0 == strcmp(buf, "recovery"))
- return 0; /* Recovery mode never allows debug. */
- else if (0 == strcmp(buf, "developer"))
- return 1; /* Developer firmware always allows debug. */
- }
-
- /* Normal new firmware, older ChromeOS firmware, or non-Chrome firmware.
- * For all these cases, check /proc/cmdline for cros_[no]debug. */
- f = fopen(KERNEL_CMDLINE_PATH, "rt");
- if (f) {
+ /* If the currently running system specifies its debug status, use
+ * that in preference to other indicators. */
+ f = fopen(KERNEL_CMDLINE_PATH, "r");
+ if (NULL != f) {
if (NULL == fgets(buf, sizeof(buf), f))
- *buf = 0;
+ buf[0] = 0;
fclose(f);
}
for (t = strtok_r(buf, " ", &saveptr); t; t=strtok_r(NULL, " ", &saveptr)) {
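Review bot: The block removed at the top of this hunk also dropped the `developer` branch, so firmware reporting `mainfw_type` as `developer` no longer returns 1 unconditionally and instead falls through to the command line and then `devsw_boot`; the commit message describes only the recovery case, so this second change should be confirmed as intended. With the firmware-type check gone, the answer rests first on the contents of `KERNEL_CMDLINE_PATH`, and the new comment should state the assumption that makes this acceptable, for example `/* The command line is trusted here on the assumption that it is covered by the kernel signature check at boot; firmware type is deliberately not consulted. */`. Separately, `fgets()` keeps the trailing newline and the `strtok_r()` delimiter is only a space, so if the comparisons in the loop body (not visible in this hunk) are exact matches, a flag that is the last token on the line would not match; `strtok_r(buf, " \n", &saveptr)` and `strtok_r(NULL, " \n", &saveptr)` would cover that. The function begins above this hunk and the loop body continues below it.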
@@ -146,8 +138,7 @@
return 0;
}
- /* Normal new firmware or older Chrome OS firmware allows debug if the
- * dev switch is on. */
+ /* Command line is silent; allow debug if the dev switch is on. */
if (1 == VbGetSystemPropertyInt("devsw_boot"))
return 1;