Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / lk / 352976720d9d5b13f8ec6faadfdb1cd87120971e^! / . / app / aboot / aboot.c
commit352976720d9d5b13f8ec6faadfdb1cd87120971e[log] [tgz]
authorChannagoud Kadabi <ckadabi@codeaurora.org>Sat Jun 13 11:09:49 2015 -0700
committerChannagoud Kadabi <ckadabi@codeaurora.org>Sat Jun 13 11:15:06 2015 -0700
treeeeb1a43b4c0932ae3bdf87f84f2a262e08a4e7c4
parent415db62447af2c75aaa1aae4f4b3b3e9f1a81e3b [diff] [blame]
app: aboot: Enforce flashing restriction only for user builds

Enable flashing restriction only for user builds and make the device
locked by default. With this configuration device would be locked by
default and user builds ensure that we are enforcing flashing
restrictions.

Change-Id: I1a76d72cea898cbea7af4a4c224fa07ba71872bb

diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index 83d1531..bfd6b5f 100644
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c

@@ -1715,10 +1715,7 @@
 		if (memcmp(info->magic, DEVICE_MAGIC, DEVICE_MAGIC_SIZE))
 		{
 			memcpy(info->magic, DEVICE_MAGIC, DEVICE_MAGIC_SIZE);
-			if (is_secure_boot_enable())
-				info->is_unlocked = 0;
-			else
-				info->is_unlocked = 1;
+			info->is_unlocked = 0;
 			info->is_verified = 0;
 			info->is_tampered = 0;
 #if USER_BUILD_VARIANT
@@ -2103,18 +2100,21 @@
 void cmd_erase(const char *arg, void *data, unsigned sz)
 {
 #if VERIFIED_BOOT
-	if(!device.is_unlocked && !device.is_verified)
+	if (target_build_variant_user())
 	{
-		fastboot_fail("device is locked. Cannot erase");
-		return;
-	}
-	if(!device.is_unlocked && device.is_verified)
-	{
-		if(!boot_verify_flash_allowed(arg))
+		if(!device.is_unlocked && !device.is_verified)
 		{
-			fastboot_fail("cannot flash this partition in verified state");
+			fastboot_fail("device is locked. Cannot erase");
 			return;
 		}
+		if(!device.is_unlocked && device.is_verified)
+		{
+			if(!boot_verify_flash_allowed(arg))
+			{
+				fastboot_fail("cannot flash this partition in verified state");
+				return;
+			}
+		}
 	}
 #endif
 
@@ -2537,18 +2537,21 @@
 #endif /* SSD_ENABLE */
 
 #if VERIFIED_BOOT
-	if(!device.is_unlocked)
+	if (target_build_variant_user())
 	{
-		fastboot_fail("device is locked. Cannot flash images");
-		return;
-	}
-	if(!device.is_unlocked && device.is_verified)
-	{
-		if(!boot_verify_flash_allowed(arg))
+		if(!device.is_unlocked)
 		{
-			fastboot_fail("cannot flash this partition in verified state");
+			fastboot_fail("device is locked. Cannot flash images");
 			return;
 		}
+		if(!device.is_unlocked && device.is_verified)
+		{
+			if(!boot_verify_flash_allowed(arg))
+			{
+				fastboot_fail("cannot flash this partition in verified state");
+				return;
+			}
+		}
 	}
 #endif