From eb0574bda7cd4b859c5ae8728ff9c16695088b5e Mon Sep 17 00:00:00 2001
From: Pavol Rusnak <stick@gk2.sk>
Date: Fri, 15 Dec 2017 15:49:02 +0100
Subject: [PATCH] bootloader: don't restore storage from unofficial firmware

---
 bootloader/usb.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/bootloader/usb.c b/bootloader/usb.c
index ee007c665c..e6d17789dd 100644
--- a/bootloader/usb.c
+++ b/bootloader/usb.c
@@ -42,6 +42,7 @@
 #define ENDPOINT_ADDRESS_OUT        (0x01)
 
 static bool brand_new_firmware;
+static bool old_was_unsigned;
 
 static const struct usb_device_descriptor dev_descr = {
 	.bLength = USB_DT_DEVICE_SIZE,
@@ -437,8 +438,14 @@ static void hid_rx_callback(usbd_device *dev, uint8_t ep)
 				} while (!button.YesUp && !button.NoUp);
 			}
 			if (brand_new_firmware || button.YesUp) {
-				// backup metadata
-				backup_metadata(meta_backup);
+				// check whether current firmware is signed
+				if (signatures_ok(NULL)) {
+					old_was_unsigned = false;
+					// backup metadata
+					backup_metadata(meta_backup);
+				} else {
+					old_was_unsigned = true;
+				}
 				flash_wait_for_last_operation();
 				flash_clear_status_flags();
 				flash_unlock();
@@ -587,8 +594,11 @@ static void hid_rx_callback(usbd_device *dev, uint8_t ep)
 
 		layoutProgress("INSTALLING ... Please wait", 1000);
 		uint8_t flags = *((uint8_t *)FLASH_META_FLAGS);
-		// wipe storage if signatures are not ok or the firmware flag isn't set.
-		if ((flags & 0x01) == 0 || !signatures_ok(NULL)) {
+		// wipe storage if:
+		// 1) old firmware was unsigned
+		// 2) firmware restore flag isn't set
+		// 3) signatures are not ok
+		if (old_was_unsigned || (flags & 0x01) == 0 || !signatures_ok(NULL)) {
 			memset(meta_backup, 0, sizeof(meta_backup));
 		}
 		// copy new firmware header