gpg-gui, oem-factory-reset, config-gui: add --no-backup to trusted flash calls

tlaurion · tlaurion · commit 6bc673dba245 · 2026-03-19T00:43:17.000-04:00
These callers write only CBFS-level changes (GPG keys, user config,
OEM setup image) rather than user-selected firmware updates.  Saving a
rollback backup before these writes is incorrect: the backup would
contain the same firmware the caller is about to re-flash with minor
CBFS modifications, and the pending_rollback marker would spuriously
trigger the auto-rollback countdown on the next boot.

Add --no-backup to suppress both the backup read and the
pending_rollback marker for:
  gpg-gui.sh          gpg_flash_rom() - GPG key reflash
  oem-factory-reset   OEM setup image reflash
  config-gui.sh       save-config reflash (3 call sites: save user
                      config, factory reset, disable restricted boot)

Signed-off-by: Thierry Laurion &lt;insurgo@riseup.net&gt;
diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh
@@ -175,7 +175,7 @@ while true; do
 
 		if (whiptail --title 'Update ROM?' \
 			--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 0 80); then
-			/bin/flash.sh /tmp/config-gui.rom
+			/bin/flash.sh --no-backup /tmp/config-gui.rom
 			whiptail --title 'BIOS Updated Successfully' \
 				--msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 0 80
 			/bin/reboot
@@ -205,7 +205,7 @@ while true; do
 				cbfs.sh -o /tmp/config-gui.rom -d $i
 			done
 			# flash cleared ROM
-			/bin/flash.sh -c /tmp/config-gui.rom
+			/bin/flash.sh -c --no-backup /tmp/config-gui.rom
 
 			# reset TPM if present
 			if [ "$CONFIG_TPM" = "y" ]; then
@@ -394,7 +394,7 @@ while true; do
 
 				replace_rom_file /tmp/config-gui.rom "heads/initrd/etc/config.user" "$FLASH_USER_CONFIG"
 
-				/bin/flash.sh /tmp/config-gui.rom
+				/bin/flash.sh --no-backup /tmp/config-gui.rom
 				whiptail --title 'BIOS Updated Successfully' \
 					--msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 0 80
 				/bin/reboot
diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh
@@ -60,7 +60,7 @@ gpg_flash_rom() {
   if [ -e /etc/config.user ]; then
     cbfs.sh -o /tmp/gpg-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
   fi
-  /bin/flash.sh /tmp/gpg-gui.rom
+  /bin/flash.sh --no-backup /tmp/gpg-gui.rom
 
   if (whiptail --title 'BIOS Flashed Successfully' \
       --yesno "Would you like to update the checksums and sign all of the files in /boot?\n\nYou will need your GPG key to continue and this will modify your disk.\n\nOtherwise the system will reboot immediately." 0 80) then
diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
@@ -1415,7 +1415,7 @@ else
 
 	# flash updated firmware image
 	echo -e "\nAdding generated key to current firmware and re-flashing...\n"
-	if ! /bin/flash.sh /tmp/oem-setup.rom 2>/tmp/error; then
+	if ! /bin/flash.sh --no-backup /tmp/oem-setup.rom 2>/tmp/error; then
 		ERROR=$(tail -n 1 /tmp/error | fold -s)
 		whiptail_error_die "Error flashing updated firmware image:\n\n$ERROR"
 	fi
