From 85e59417a304f7409f53a5a25d86d8a773968c24 Mon Sep 17 00:00:00 2001
From: Gabriel Valcazar
Date: Mon, 1 Jul 2024 10:35:58 +0200
Subject: [PATCH] recovery: prevent partition encryption when singlemtdsys is enabled

In legacy NAND platforms like the ccimx6ul, it's possible to use a single-MTD configuration with dualboot disabled, which allows access to the functionality provided by the recovery partition. However, the partition encryption feature requires a multi-MTD configuation, so said feature shouldn't be accessible in this case.
Prevent access to partition encryption in a single-MTD system by:
* Adding the "system" partition to the partition blacklist in both the recovery-utils library and the recovery initscript.
* Checking the "singlemtdsys" environment variable before using any functionality related to partition encryption.

Signed-off-by: Gabriel Valcazar
---
 .../recovery-initramfs-init | 27 +++++++++++++------
 .../recovery-utils/lib/recovery.c | 13 +++++++++
 2 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/meta-digi-dey/recipes-core/recovery/recovery-initramfs/recovery-initramfs-init b/meta-digi-dey/recipes-core/recovery/recovery-initramfs/recovery-initramfs-init
index 4a77b1094..51798585e 100644
--- a/meta-digi-dey/recipes-core/recovery/recovery-initramfs/recovery-initramfs-init
+++ b/meta-digi-dey/recipes-core/recovery/recovery-initramfs/recovery-initramfs-init
@@ -30,11 +30,12 @@ ROOTFS_IMAGE_IN_PACKAGE="no"
 ENCRYPT_ROOTFS="no"
 SWUPDATE_OUTPUT="swupdate_output.txt"
+ALLOW_ENC="yes"
 PART_LIST=""
 ENC_PARTS=""
 DEFAULT_ENC_PARTS="yes"
-NAND_PARTS_BLACKLIST="bootloader environment linux recovery safe"
+NAND_PARTS_BLACKLIST="bootloader environment linux recovery safe system"
 EMMC_PARTS_BLACKLIST="linux recovery safe"
 ENC_DIFF=""
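Review bot: The `NAND_PARTS_BLACKLIST=` line now has to be kept in step with `nand_parts_blacklist[]` in recovery-utils/lib/recovery.c (this commit has to touch both), but nothing at either site records that coupling. A one-line comment above the script list, `# Keep in sync with nand_parts_blacklist[] in recovery-utils/lib/recovery.c`, and the mirror `/* Keep in sync with NAND_PARTS_BLACKLIST in recovery-initramfs-init */` above the array in the first recovery.c hunk would make the next drift between the two lists visible in review. Whether "system" is the only single-MTD partition name that needs shielding cannot be confirmed from this hunk.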
@@ -418,7 +419,7 @@ check_swu_package() {
 fi
 # Check if the rootfs is meant to be encrypted
-if [ "${ROOTFS_IMAGE_IN_PACKAGE}" = "yes" ]; then
+if [ "${ROOTFS_IMAGE_IN_PACKAGE}" = "yes" -a "${ALLOW_ENC}" = "yes" ]; then
 grep "Description" "${SWUPDATE_OUTPUT}" | grep -qs "Encrypted rootfs" && ENCRYPT_ROOTFS="yes"
 fi
 }
@@ -552,6 +553,10 @@ psplash_message "Starting recovery..."
 # Read the recovery command.
 read_uboot_var "${ENV_RECOVERY_COMMAND}" COMMAND
+# Check if system is single-MTD to allow partition encryption or not
+read_uboot_var singlemtdsys singlemtdsys
+[ "$(is_nand)" = "yes" -a "${singlemtdsys}" = "yes" ] && ALLOW_ENC="no"
+
 # Check if there is any command.
 if [ -z "${COMMAND}" ]; then
 quit_with_error "No command found"
@@ -563,8 +568,11 @@ for arg in ${COMMAND}; do
 wipe_update)
 wipe_update_bool=true;;
 encryption_key=*)
-encryption_key_bool=true;
-eval "${arg}";;
+if [ "${ALLOW_ENC}" = "yes" ]; then
+encryption_key_bool=true;
+eval "${arg}";
+fi
+;;
 update_package=*)
 update_package_bool=true;
 eval "${arg}";;
@@ -572,10 +580,13 @@ for arg in ${COMMAND}; do
 update_image_set_bool=true;
 eval "${arg}";;
 encrypt_partitions=*)
-eval "${arg}";
-DEFAULT_ENC_PARTS="no";
-encrypt_partitions=$(echo ${encrypt_partitions} | tr "," " ");
-encrypt_partitions=$(remove_duplicates "${encrypt_partitions}");;
+if [ "${ALLOW_ENC}" = "yes" ]; then
+eval "${arg}";
+DEFAULT_ENC_PARTS="no";
+encrypt_partitions=$(echo ${encrypt_partitions} | tr "," " ");
+encrypt_partitions=$(remove_duplicates "${encrypt_partitions}");
+fi
+;;
 wipe_ubi_partitions=*)
 eval "${arg}";
 wipe_ubi_partitions=$(echo ${wipe_ubi_partitions} | tr "," " ");
diff --git a/meta-digi-dey/recipes-core/recovery/recovery-utils/recovery-utils/lib/recovery.c b/meta-digi-dey/recipes-core/recovery/recovery-utils/recovery-utils/lib/recovery.c
index 5e9833e15..64b1c1270 100644
--- a/meta-digi-dey/recipes-core/recovery/recovery-utils/recovery-utils/lib/recovery.c
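Review bot: When `ALLOW_ENC` is "no", the new `if [ "${ROOTFS_IMAGE_IN_PACKAGE}" = "yes" -a "${ALLOW_ENC}" = "yes" ]` condition skips the "Encrypted rootfs" detection without a word, so a package that declares an encrypted rootfs is processed as a plain one and nothing in the output records the downgrade; the `encryption_key=*` and `encrypt_partitions=*` cases in the two `for arg in ${COMMAND}` hunks do the same, dropping an explicit request from the recovery command silently. The library side of this commit prints an error and fails, so the script should at least be explicit: an `else` branch on each new `if [ "${ALLOW_ENC}" = "yes" ]` with `quit_with_error "Partition encryption unavailable in singlemtdsys mode"` if fail-closed is the intended contract, or a logged message if continuing without encryption is deliberate. Separately, `-a` inside `[ ]` is obsolescent in POSIX; `[ "${ROOTFS_IMAGE_IN_PACKAGE}" = "yes" ] && [ "${ALLOW_ENC}" = "yes" ]` is the portable form. check_swu_package and the `for arg` loop both start outside their hunks.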
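Review bot: `read_uboot_var singlemtdsys singlemtdsys` introduces a lowercase shell variable while the script's other globals read from U-Boot or set here (`COMMAND`, `ALLOW_ENC`, `PART_LIST`) are uppercase, which makes it easy to mistake for a local. `read_uboot_var singlemtdsys SINGLEMTDSYS` followed by `[ "$(is_nand)" = "yes" ] && [ "${SINGLEMTDSYS}" = "yes" ] && ALLOW_ENC="no"` would match the convention and avoid the obsolescent `-a`. The comment could also state the reason rather than the mechanism, e.g. `# Partition encryption needs a multi-MTD layout; disable it on single-MTD NAND`.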
+++ b/meta-digi-dey/recipes-core/recovery/recovery-utils/recovery-utils/lib/recovery.c
@@ -61,6 +61,7 @@ static char *nand_parts_blacklist[] = {
 "linux",
 "recovery",
 "safe",
+"system",
 NULL
 };
@@ -758,6 +759,12 @@ int set_encryption_key(char *key, unsigned char force)
 return ret;
 }
+/* Check if we are in singlemtdsys mode */
+if (is_device_nand() && check_uboot_var("singlemtdsys", "yes")) {
+fprintf(stderr, "Error: partition encryption unavailable in singlemtdsys mode\n");
+return ret;
+}
+
 /* Initialize arrays */
 parts[0] = NULL;
 encrypted[0] = NULL;
@@ -862,6 +869,12 @@ int encrypt_partitions(char *to_encrypt, char *to_unencrypt, unsigned char force
 return 1;
 }
+/* Check if we are in singlemtdsys mode */
+if (is_device_nand() && check_uboot_var("singlemtdsys", "yes")) {
+fprintf(stderr, "Error: partition encryption unavailable in singlemtdsys mode\n");
+return 1;
+}
+
 /* If both lists are empty, we have nothing to do */
 if (!to_encrypt && !to_unencrypt)
 return 1;
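Review bot: In `set_encryption_key` the new guard ends with `return ret;`, but `ret` is assigned outside the hunk; if it still holds a success value at that point the caller is told the key was set when the function refused to run, whereas the identical guard in `encrypt_partitions` (next hunk) returns the literal `1`. The earlier early-return above also uses `return ret;`, so it is probably already an error code — worth confirming, or returning an explicit failure value so both entry points are unambiguously fail-closed. The two guards are otherwise identical, so a `static int encryption_blocked(void)` helper holding the `is_device_nand() && check_uboot_var("singlemtdsys", "yes")` test and the `fprintf` would keep the condition and its message in one place. Both functions start outside their hunks.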