init: Check VPD for block_devmode during startup. [chromiumos/platform2 : master]
29 views
Skip to first unread message
ChromeOS Commit Bot (Gerrit)
Feb 27, 2016, 5:36:44 PM2/27/16
to Thiemo Nagel, Will Drewry, Mattias Nissler, Wei-Ning Huang, ChromeOS bot, Randall Spangler, Hung-Te Lin
ChromeOS Commit Bot has submitted this change and it was merged.
Change subject: init: Check VPD for block_devmode during startup.
......................................................................
init: Check VPD for block_devmode during startup.
Treat the presence of block_devmode in the VPD the same way as the
eponymous crossystem flag.
BUG=chrome-os-partner:50142
TEST=verified that dev mode is blocked when VPD block_devmode is set
Change-Id: I942a16281a5b2ba4e460fe88972543f0f1cd2e80
Reviewed-on: https://chromium-review.googlesource.com/329092
Commit-Ready: Thiemo Nagel <tna...@chromium.org>
Tested-by: Thiemo Nagel <tna...@chromium.org>
Reviewed-by: Hung-Te Lin <hun...@chromium.org>
Reviewed-by: Randall Spangler <rspa...@chromium.org>
---
M init/chromeos_startup
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/init/chromeos_startup b/init/chromeos_startup
index 0ccd406..25ee2b5 100755
--- a/init/chromeos_startup
+++ b/init/chromeos_startup
@@ -136,8 +136,23 @@
#
# The up-front CROS_DEBUG check avoids forking a crossystem process in
verified
# mode, thus keeping the check as lightweight as possible for normal boot.
-if [ $CROS_DEBUG -eq 1 ]; then
- if crossystem "block_devmode?1" "debug_build?0" "devsw_boot?1"; then
+if [ $CROS_DEBUG -eq 1 ] && crossystem "devsw_boot?1" "debug_build?0"; then
+ # Checks ordered by run time: First try reading VPD through sysfs.
+ if [ -f /sys/firmware/vpd/rw/block_devmode ]; then
+ BLOCK_DEVMODE=1
+ # Second try crossystem.
+ elif crossystem "block_devmode?1"; then
+ BLOCK_DEVMODE=1
+ # Third re-read VPD directly from SPI flash (slow!) but only for systems
that
+ # don't have VPD in sysfs and only when NVRAM indicates that it has been
+ # cleared.
+ elif [ ! -d /sys/firmware/vpd/rw ] &&
+ crossystem "nvram_cleared?1" &&
+ [ "$(vpd -i RW_VPD -g block_devmode)" = "1" ]; then
+ BLOCK_DEVMODE=1
+ fi
+
+ if [ -n "${BLOCK_DEVMODE}" ]; then
# Put a flag file into place that will trigger a stateful partition
wipe
# after reboot in verified mode.
touch ${BLOCKED_DEV_MODE_FILE}
--
To view, visit https://chromium-review.googlesource.com/329092
To unsubscribe, visit https://chromium-review.googlesource.com/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I942a16281a5b2ba4e460fe88972543f0f1cd2e80
Gerrit-PatchSet: 9
Gerrit-Project: chromiumos/platform2
Gerrit-Branch: master
Gerrit-Owner: Thiemo Nagel <tna...@chromium.org>
Gerrit-Reviewer: ChromeOS Commit Bot <chromeos-...@chromium.org>
Gerrit-Reviewer: ChromeOS bot
<3su6n15k...@developer.gserviceaccount.com>
Gerrit-Reviewer: Hung-Te Lin <hun...@chromium.org>
Gerrit-Reviewer: Mattias Nissler <mnis...@chromium.org>
Gerrit-Reviewer: Randall Spangler <rspa...@chromium.org>
Gerrit-Reviewer: Thiemo Nagel <tna...@chromium.org>
Gerrit-Reviewer: Wei-Ning Huang <wnh...@chromium.org>
Gerrit-Reviewer: Will Drewry <w...@chromium.org>
Change subject: init: Check VPD for block_devmode during startup.
......................................................................
init: Check VPD for block_devmode during startup.
Treat the presence of block_devmode in the VPD the same way as the
eponymous crossystem flag.
BUG=chrome-os-partner:50142
TEST=verified that dev mode is blocked when VPD block_devmode is set
Change-Id: I942a16281a5b2ba4e460fe88972543f0f1cd2e80
Reviewed-on: https://chromium-review.googlesource.com/329092
Commit-Ready: Thiemo Nagel <tna...@chromium.org>
Tested-by: Thiemo Nagel <tna...@chromium.org>
Reviewed-by: Hung-Te Lin <hun...@chromium.org>
Reviewed-by: Randall Spangler <rspa...@chromium.org>
---
M init/chromeos_startup
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/init/chromeos_startup b/init/chromeos_startup
index 0ccd406..25ee2b5 100755
--- a/init/chromeos_startup
+++ b/init/chromeos_startup
@@ -136,8 +136,23 @@
#
# The up-front CROS_DEBUG check avoids forking a crossystem process in
verified
# mode, thus keeping the check as lightweight as possible for normal boot.
-if [ $CROS_DEBUG -eq 1 ]; then
- if crossystem "block_devmode?1" "debug_build?0" "devsw_boot?1"; then
+if [ $CROS_DEBUG -eq 1 ] && crossystem "devsw_boot?1" "debug_build?0"; then
+ # Checks ordered by run time: First try reading VPD through sysfs.
+ if [ -f /sys/firmware/vpd/rw/block_devmode ]; then
+ BLOCK_DEVMODE=1
+ # Second try crossystem.
+ elif crossystem "block_devmode?1"; then
+ BLOCK_DEVMODE=1
+ # Third re-read VPD directly from SPI flash (slow!) but only for systems
that
+ # don't have VPD in sysfs and only when NVRAM indicates that it has been
+ # cleared.
+ elif [ ! -d /sys/firmware/vpd/rw ] &&
+ crossystem "nvram_cleared?1" &&
+ [ "$(vpd -i RW_VPD -g block_devmode)" = "1" ]; then
+ BLOCK_DEVMODE=1
+ fi
+
+ if [ -n "${BLOCK_DEVMODE}" ]; then
# Put a flag file into place that will trigger a stateful partition
wipe
# after reboot in verified mode.
touch ${BLOCKED_DEV_MODE_FILE}
--
To view, visit https://chromium-review.googlesource.com/329092
To unsubscribe, visit https://chromium-review.googlesource.com/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I942a16281a5b2ba4e460fe88972543f0f1cd2e80
Gerrit-PatchSet: 9
Gerrit-Project: chromiumos/platform2
Gerrit-Branch: master
Gerrit-Owner: Thiemo Nagel <tna...@chromium.org>
Gerrit-Reviewer: ChromeOS Commit Bot <chromeos-...@chromium.org>
Gerrit-Reviewer: ChromeOS bot
<3su6n15k...@developer.gserviceaccount.com>
Gerrit-Reviewer: Hung-Te Lin <hun...@chromium.org>
Gerrit-Reviewer: Mattias Nissler <mnis...@chromium.org>
Gerrit-Reviewer: Randall Spangler <rspa...@chromium.org>
Gerrit-Reviewer: Thiemo Nagel <tna...@chromium.org>
Gerrit-Reviewer: Wei-Ning Huang <wnh...@chromium.org>
Gerrit-Reviewer: Will Drewry <w...@chromium.org>
Reply all
Reply to author
Forward
0 new messages