diff options
author | Ji Luo <ji.luo@nxp.com> | 2018-08-26 10:09:14 +0800 |
---|---|---|
committer | faqiang.zhu <faqiang.zhu@nxp.com> | 2018-11-12 09:18:37 +0800 |
commit | aebefa8046bb01b9a4f0f86e2c34bec2847a287a (patch) | |
tree | d86254887fec69137a38c83916c1fec838bd976f /drivers | |
parent | c14e9d4e276c408db200a632029a8193944348f3 (diff) |
[iot] Support command 'oem at-disable-unlock-vboot'
Device will be locked permanently after disabling the unlcok vboot, store
the disable unlock vboot status into fuse. Since the fuse write operation
is irreversible so config 'CONFIG_AVB_FUSE' is disabled by default, user
need to add this config manually and run this command again.
Test: Disable unlock vboot bit is set after enabling "CONFIG_AVB_FUSE",
device was locked permanently after running this command. This is
verified on both imx7d_pico and AIY.
Change-Id: Iad8991a238763b1d662e33cba65f0b9eb44e97ef
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/usb/gadget/f_fastboot.c | 43 |
1 files changed, 32 insertions, 11 deletions
diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c index 4a2cde2bfd..1374bbfcbd 100644 --- a/drivers/usb/gadget/f_fastboot.c +++ b/drivers/usb/gadget/f_fastboot.c @@ -3333,20 +3333,25 @@ static void cb_flashing(struct usb_ep *ep, struct usb_request *req) else strcpy(response, "OKAY"); } else if (endswith(cmd, FASTBOOT_AT_UNLOCK_VBOOT)) { + if (at_unlock_vboot_is_disabled()) { + printf("unlock vboot already disabled, can't unlock the device!\n"); + strcpy(response, "FAILunlock vboot already disabled!."); + } else { #ifdef CONFIG_AT_AUTHENTICATE_UNLOCK - if (avb_atx_verify_unlock_credential(fsl_avb_ops.atx_ops, - interface.transfer_buffer)) - strcpy(response, "FAILIncorrect unlock credential!"); - else { -#endif - status = do_fastboot_unlock(true); - if (status != FASTBOOT_LOCK_ERROR) - strcpy(response, "OKAY"); - else - strcpy(response, "FAILunlock device failed."); + if (avb_atx_verify_unlock_credential(fsl_avb_ops.atx_ops, + interface.transfer_buffer)) + strcpy(response, "FAILIncorrect unlock credential!"); + else { +#endif + status = do_fastboot_unlock(true); + if (status != FASTBOOT_LOCK_ERROR) + strcpy(response, "OKAY"); + else + strcpy(response, "FAILunlock device failed."); #ifdef CONFIG_AT_AUTHENTICATE_UNLOCK - } + } #endif + } } else if (endswith(cmd, FASTBOOT_AT_LOCK_VBOOT)) { if (perm_attr_are_fused()) { status = do_fastboot_lock(); @@ -3356,6 +3361,22 @@ static void cb_flashing(struct usb_ep *ep, struct usb_request *req) strcpy(response, "FAILlock device failed."); } else strcpy(response, "FAILpermanent attributes not fused!"); + } else if (endswith(cmd, FASTBOOT_AT_DISABLE_UNLOCK_VBOOT)) { + /* This command can only be called after 'oem at-lock-vboot' */ + status = fastboot_get_lock_stat(); + if (status == FASTBOOT_LOCK) { + if (at_unlock_vboot_is_disabled()) { + printf("unlock vboot already disabled!\n"); + strcpy(response, "OKAY"); + } + else { + if (!at_disable_vboot_unlock()) + strcpy(response, "OKAY"); + else + strcpy(response, "FAILdisable unlock vboot fail!"); + } + } else + strcpy(response, "FAILplease lock the device first!"); } #endif /* CONFIG_AVB_ATX */ #ifdef CONFIG_ANDROID_THINGS_SUPPORT |