Add an nvram flag to block the use of dev mode

Currently, this does nothing. It just sets a flag that nothing looks at.

Don't get all wound up - we haven't abandoned our principles. This will
eventually be used to allow enterprise-enrolled customers to prevent
unauthorized use of developer mode in the Chrome OS devices that THEY OWN.

This is not Google deciding to turn a feature off, it's allowing the OWNER
to control the use of the feature. In some situations, the owner can be held
liable for what others do with the owner's equipment. This will help the
owner avoid those situations while their device is out of their immediate
control.

BUG=none
BRANCH=ToT
TEST=manual

Set the flag with:

  crossystem block_devmode=1

Clear it with:

  crossystem block_devmode=0

Retrieve the value ("0" or "1") like so:

  val=$(crossystem block_devmode)
  echo "the flag is $val"

or just test it directly like so:

  if crossystem 'block_devmode?1' ; then
    echo "devmode is blocked"
  else
    echo "devmode is allowed"
  fi

It should be persistent across reboots.

Change-Id: I097f15b307e1c3a2a9db595e9495028a2eea6309
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/197771
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>

1 files changed, 1 insertions, 0 deletions

diff --git a/utility/crossystem.c b/utility/crossystem.c
index 520f7fdf..9a55d17e 100644
--- a/utility/crossystem.c
+++ b/utility/crossystem.c
@@ -32,6 +32,7 @@ typedef struct Param {
 /* List of parameters, terminated with a param with NULL name */
 const Param sys_param_list[] = {
   {"arch", IS_STRING, "Platform architecture"},
+  {"block_devmode", CAN_WRITE, "Block all use of developer mode"},
   {"clear_tpm_owner_request", CAN_WRITE, "Clear TPM owner on next boot"},
   {"clear_tpm_owner_done", CAN_WRITE, "Clear TPM owner done"},
   {"cros_debug", 0, "OS should allow debug features"},