samus: panic reboot EC if PD MCU crashes

Use the EC to check if PD MCU has crashed. The EC knows this by checking the PD status bits: if PD MCU was in RW, and is now in RO, AND it did not get to RO via a sysjump, then it must have crashed. When the EC detects this, the EC will also panic and reboot the entire system, so that we can software sync to a known good state. Also, when EC panics due to PD crash, it will log panic info. BUG=chrome-os-partner:36636 BRANCH=samus TEST=load onto samus EC and PD, try sysjump'ing back and forth on PD MCU console and verify EC does not do anything. Crash the PD MCU when in RW by reboot command and crash divzero command, and make sure the EC panics with PD crash panic message. Crash the PD MCU when in RO (before sysjumping to RW) and make sure EC does not panic. Change-Id: I57961028e6b23a878b8e477a9d8e180cb121a742 Signed-off-by: Alec Berg <alecaberg@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/250100 Tested-by: Shawn N <shawnn@chromium.org> Reviewed-by: Shawn N <shawnn@chromium.org>
2026-01-07 16:11:43 +00:00 · 2015-02-14 10:19:55 -08:00
parent d008477824
commit 02d0ce1526
6 changed files with 34 additions and 1 deletions
--- a/board/samus/board.h
+++ b/board/samus/board.h
@@ -60,6 +60,7 @@
 #define CONFIG_HIBERNATE_DELAY_SEC (3600 * 24 * 7)
 #define CONFIG_HIBERNATE_BATT_PCT 10
 #define CONFIG_HIBERNATE_BATT_SEC (3600 * 24)
+#define CONFIG_HOSTCMD_PD_PANIC
 #define CONFIG_PECI_TJMAX 105
 #define CONFIG_PWM
 #define CONFIG_PWM_KBLIGHT
--- a/board/samus_pd/board.c
+++ b/board/samus_pd/board.c
@@ -471,6 +471,12 @@ static void board_init(void)
 	/* Initialize active charge port to none */
 	pd_status.active_charge_port = CHARGE_PORT_NONE;

+	/* Set PD MCU system status bits */
+	if (system_jumped_to_this_image())
+		pd_status.status |= PD_STATUS_JUMPED_TO_IMAGE;
+	if (system_get_image_copy() == SYSTEM_IMAGE_RW)
+		pd_status.status |= PD_STATUS_IN_RW;
+
 	/*
 	 * Do not enable PD communication in RO as a security measure.
 	 * We don't want to allow communication to outside world until
--- a/common/host_command_pd.c
+++ b/common/host_command_pd.c
@@ -10,6 +10,8 @@
 #include "console.h"
 #include "host_command.h"
 #include "lightbar.h"
+#include "panic.h"
+#include "system.h"
 #include "task.h"
 #include "timer.h"
 #include "util.h"
@@ -43,6 +45,9 @@ static void pd_exchange_status(void)
 	struct ec_params_pd_status ec_status;
 	struct ec_response_pd_status pd_status;
 	int rv = 0;
+#ifdef CONFIG_HOSTCMD_PD_PANIC
+	static int pd_in_rw;
+#endif

 	/* Send PD charge state and battery state of charge */
 	ec_status.charge_state = charge_state;
@@ -66,6 +71,21 @@ static void pd_exchange_status(void)
 		return;
 	}

+#ifdef CONFIG_HOSTCMD_PD_PANIC
+	/*
+	 * Check if PD MCU is in RW. If PD MCU was in RW and is now in RO
+	 * AND it did not sysjump to RO, then it must have crashed, and
+	 * therefore we should panic as well.
+	 */
+	if (pd_status.status & PD_STATUS_IN_RW) {
+		pd_in_rw = 1;
+	} else if (pd_in_rw &&
+		   !(pd_status.status & PD_STATUS_JUMPED_TO_IMAGE)) {
+		panic_printf("PD crash");
+		software_panic(PANIC_SW_PD_CRASH, 0);
+	}
+#endif
+
 #ifdef HAS_TASK_LIGHTBAR
 	/*
 	 * If charge port has changed, and it was initialized, then show
--- a/include/config.h
+++ b/include/config.h
@@ -708,6 +708,9 @@
 #define CONFIG_HOSTCMD_RATE_LIMITING_MIN_REST (3   * MSEC)
 #define CONFIG_HOSTCMD_RATE_LIMITING_RECESS   (20  * MSEC)

+/* Panic when status of PD MCU reflects that it has crashed */
+#undef CONFIG_HOSTCMD_PD_PANIC
+
 /*****************************************************************************/

 /* Enable debugging and profiling statistics for hook functions */
--- a/include/ec_commands.h
+++ b/include/ec_commands.h
@@ -2694,7 +2694,9 @@ struct ec_params_pd_status {
 } __packed;

 /* Status of PD being sent back to EC */
-#define PD_STATUS_HOST_EVENT (1 << 0)
+#define PD_STATUS_HOST_EVENT      (1 << 0) /* Forward host event to AP */
+#define PD_STATUS_IN_RW           (1 << 1) /* Running RW image */
+#define PD_STATUS_JUMPED_TO_IMAGE (1 << 2) /* Current image was jumped to */
 struct ec_response_pd_status {
 	uint32_t status;      /* PD MCU status */
 	uint32_t curr_lim_ma; /* input current limit */
--- a/include/software_panic.h
+++ b/include/software_panic.h
@@ -17,6 +17,7 @@
 /* Software panic reasons */
 #define PANIC_SW_DIV_ZERO		(PANIC_SW_BASE + 0)
 #define PANIC_SW_STACK_OVERFLOW		(PANIC_SW_BASE + 1)
+#define PANIC_SW_PD_CRASH		(PANIC_SW_BASE + 2)
 #define PANIC_SW_ASSERT			(PANIC_SW_BASE + 3)
 #define PANIC_SW_WATCHDOG		(PANIC_SW_BASE + 4)