dasharo-deploy: Add sanity check before flash

3mkusiak · 3mkusiak · commit 2472a3b8b5b3 · 2025-12-19T15:01:01.000+01:00
This commit adds last resort check before performing any flashrom
commands. For heads update, we shall not proceed if FD or ME is locked.

Signed-off-by: Mateusz Kusiak &lt;mateusz.kusiak@3mdeb.com&gt;
diff --git a/include/dts-functions.sh b/include/dts-functions.sh
@@ -688,6 +688,41 @@ set_flashrom_update_params() {
   fi
 }
 
+# A final check for locked regions before flashing via flashrom.
+# Decide whether we can proceed if any regions are locked.
+flashrom_sanity_check() {
+  local locked_regions=()
+  local region_list verb
+
+  if [ "$BOARD_FD_REGION_RW" -eq 0 ]; then
+    locked_regions+=("FD")
+  fi
+
+  if [ "$BOARD_ME_REGION_RW" -eq 0 ]; then
+    locked_regions+=("ME")
+  fi
+
+  if [ "${#locked_regions[@]}" -eq 0 ]; then
+    return 0
+  fi
+
+  if [ "${#locked_regions[@]}" -eq 1 ]; then
+    region_list="${locked_regions[0]}"
+    verb="is"
+  else
+    region_list="${locked_regions[0]} and ${locked_regions[1]}"
+    verb="are"
+  fi
+
+  if [[ "$SWITCHING_TO" == "heads" ]]; then
+    print_error "Cannot proceed with heads update when $region_list $verb locked!"
+    return 1
+  fi
+
+  print_warning "Proceeding without $region_list $verb flashing, as they $verb not critical."
+  return 0
+}
+
 set_intel_regions_update_params() {
   local fd_me_locked="no"
   if [ $BOARD_HAS_FD_REGION -eq 0 ]; then
diff --git a/scripts/dasharo-deploy.sh b/scripts/dasharo-deploy.sh
@@ -1050,6 +1050,11 @@ deploy_firmware() {
     fi
   done
 
+  # Last restort check before flashing
+  if ! flashrom_sanity_check; then
+    return 1
+  fi
+
   _jobs_total=${#_jobs[@]}
 
   # Execute scheduled tasks
@@ -1245,7 +1250,10 @@ update_workflow() {
     display_warning
   fi
 
-  deploy_firmware update
+  # Check if update succeeded
+  if ! deploy_firmware update; then
+    return 1
+  fi
 
   # TODO: Could it be placed somewhere else?
   if [ ! -z "$SWITCHING_TO" ]; then
