From fc53dc0926a6bc90cddececcd69d7b358e0f9bb3 Mon Sep 17 00:00:00 2001
From: Kelvin Cao
Date: Mon, 28 Aug 2023 02:47:17 -0700
Subject: [PATCH 1/2] Reject duplicate KMSK key programming

Adding the same KMSK key twice will cause the KMSK entry unable to be revoked. Give error message and quit in this case, instead of allowing the programming with warnings.
---
 cli/mfg.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/cli/mfg.c b/cli/mfg.c
index 9ba34b71..878a68e1 100644
--- a/cli/mfg.c
+++ b/cli/mfg.c
@@ -1151,13 +1151,9 @@ static int kmsk_entry_add(int argc, char **argv)
 }
 if (switchtec_security_state_has_kmsk(&state, &kmsk)) {
- if (!cfg.assume_yes)
- fprintf(stderr,
- "WARNING: the specified KMSK entry already exists on the device.\n"
- "Writing duplicate KMSK entries could make your device unbootable!\n");
- ret = ask_if_sure(cfg.assume_yes);
- if (ret)
- return ret;
+ fprintf(stderr,
+ "REJECTED: the specified KMSK entry already exists on the device!\n");
+ return -8;
 }
 if (state.secure_state == SWITCHTEC_INITIALIZED_SECURED &&
From a2a45f3fb8a267efc2ffcbe1b12c36557fe10df5 Mon Sep 17 00:00:00 2001
From: Kelvin Cao
Date: Tue, 5 Sep 2023 06:44:16 -0700
Subject: [PATCH 2/2] cli: Add option [-s | --show-settings-only] to mfg config-set

Add this option to decode and display secure settings of a setting file. No programming will be performed with this option on.
---
 cli/mfg.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/cli/mfg.c b/cli/mfg.c
index 878a68e1..a45dfd7e 100644
--- a/cli/mfg.c
+++ b/cli/mfg.c
@@ -975,6 +975,7 @@ static int config_set(int argc, char **argv)
 char *setting_file;
 FILE *uds_fimg;
 char *uds_file;
+ int show_only;
 int assume_yes;
 } cfg = {};
 const struct argconfig_options opts[] = {
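Review bot: In the `kmsk_entry_add` hunk of patch 1/2 the new rejection path returns the bare literal `-8`, where the removed lines returned `ret`, so nothing visible tells a caller or script what that status means; a named constant or a short comment would fix that. The reason for refusing lives only in the commit message, so a comment above the `fprintf`, such as `/* A duplicate KMSK entry cannot be revoked later, so refuse instead of prompting. */`, would carry it into the code. The check depends on the `state` read earlier in the function, which lies outside this hunk, and it appears to be enforced by the CLI alone, so it is worth confirming whether the library or firmware write path also rejects a duplicate entry.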
@@ -987,6 +988,8 @@ static int config_set(int argc, char **argv)
 .value_addr=&cfg.uds_fimg,
 .argument_type=required_argument,
 .help="UDS file"},
+ {"show-settings-only", 's', "", CFG_NONE, &cfg.show_only, no_argument,
+ "Show secure settings without programming"},
 {"yes", 'y', "", CFG_NONE, &cfg.assume_yes, no_argument,
 "assume yes when prompted"},
 {NULL}
@@ -1054,9 +1057,15 @@ static int config_set(int argc, char **argv)
 }
 }
- printf("Writing the below settings to device: \n");
+ if (cfg.show_only)
+ printf("Secure settings for device: \n");
+ else
+ printf("Writing the below settings to device: \n");
 print_security_cfg_set(&settings);
+ if (cfg.show_only)
+ return 0;
+
 if (!cfg.assume_yes)
 fprintf(stderr,
 "\nWARNING: This operation makes changes to the device OTP memory and is IRREVERSIBLE!\n");
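Review bot: In the last `config_set` hunk, `if (cfg.show_only) return 0;` is the only thing separating the display-only mode from the OTP write announced by the warning directly below it, and nothing marks that ordering as load-bearing. A comment on the early return, e.g. `/* show-only: must stay ahead of every device write below; OTP programming is irreversible */`, would keep a later edit from placing programming code above it. The early return also leaves without touching the `FILE *` members of `cfg` (`uds_fimg` is visible in the first hunk); whether the other exit paths close them cannot be seen here, because the function body continues outside the hunk. Anything earlier in `config_set` that talks to the device presumably still runs in show-only mode, so the help text `"Show secure settings without programming"` should be checked against that.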