Lock BOOTCFG to safe values for all LM4s

The BOOTCFG register configures a couple of important things: whether to allow jumping into the builtin ROM bootloader at reset, and whether or not to allow JTAG access for programing and debugging. The default is "no" and "yes". But the BOOTCFG register can be locked so that it can't be changed again, which means that if the wrong values are put into it, the system is pretty much bricked. On Link, we wrote a BOOTCFG value that allowed a GPIO to be used as a bypass to optionally trigger the ROM bootloader, but on Slippy and its derivatives that GPIO is not pulled up. If you program the Link values into BOOTCFG on a Slippy, the system is stuck in the ROM bootloader more or less forever. This change disables that GPIO, keeps JTAG enabled, and locks those settings for all LM4 chips (it's a chip config now, not a board config). We've never actually used the GPIO to invoke the ROM bootloader, but we have managed to brick a number of systems just by having it enabled, so we're going to lock it into a safe configuration now. BUG=chrome-os-partner:19247 BRANCH=falco,peppy TEST=manual Reflash, boot, power cycle (actually unplug the EC from AC and battery) a few times. It should continue to work. Change-Id: Iaf1a81d6814104421a56425490e3d5164ea9b617 Signed-off-by: Bill Richardson <wfrichar@chromium.org> Reviewed-on: https://gerrit.chromium.org/gerrit/66538 Reviewed-by: Aaron Durbin <adurbin@chromium.org> Reviewed-by: Duncan Laurie <dlaurie@chromium.org> Reviewed-by: Randall Spangler <rspangler@chromium.org>
2025-12-27 18:25:05 +00:00 · 2013-08-21 08:59:53 -07:00
parent 046d625671
commit 5d1eeefdbc
10 changed files with 19 additions and 40 deletions
--- a/board/bds/board.h
+++ b/board/bds/board.h
@@ -66,10 +66,6 @@ enum gpio_signal {
 #define EEPROM_BLOCK_START_PSTORE 16  /* Host persistent storage */
 #define EEPROM_BLOCK_COUNT_PSTORE 16

-/* Target value for BOOTCFG.  This currently toggles the polarity bit without
- * enabling the boot loader, simply to prove we can program it. */
-#define BOOTCFG_VALUE 0xfffffdfe
-
 #endif /* !__ASSEMBLER__ */

 #endif /* __BOARD_H */
--- a/board/bolt/board.h
+++ b/board/bolt/board.h
@@ -196,13 +196,6 @@ enum temp_sensor_id {
 	TEMP_SENSOR_COUNT
 };

-/* HEY: The below stuff is for Link. Pick a different pin for bolt */
-/* Target value for BOOTCFG. This is set to PE2/USB1_CTL1, which has an external
- * pullup. If this signal is pulled to ground when the EC boots, the EC will get
- * into the boot loader and we can recover bricked EC. */
-/* #define BOOTCFG_VALUE 0x7fff88fe -- as used on slippy */
-#define BOOTCFG_VALUE 0xfffffffe  /* TODO: not configured */
-
 /* Known board versions for system_get_board_version(). */
 enum board_version {
 	BOARD_VERSION_PROTO1 = 0,
--- a/board/falco/board.h
+++ b/board/falco/board.h
@@ -191,12 +191,6 @@ enum temp_sensor_id {
 */
 int board_g781_has_power(void);

-/* HEY: The below stuff is for Link. Pick a different pin for Falco */
-/* Target value for BOOTCFG. This is set to PE2/USB1_CTL1, which has an external
- * pullup. If this signal is pulled to ground when the EC boots, the EC will get
- * into the boot loader and we can recover bricked EC. */
-#define BOOTCFG_VALUE 0x7fff88fe
-
 /* Wireless signals */
 #define WIRELESS_GPIO_WLAN GPIO_WLAN_OFF_L
 #define WIRELESS_GPIO_WWAN GPIO_PP3300_LTE_EN
--- a/board/link/board.h
+++ b/board/link/board.h
@@ -207,11 +207,6 @@ enum temp_sensor_id {
 /* The number of TMP006 sensor chips on the board. */
 #define TMP006_COUNT 4

-/* Target value for BOOTCFG. This is set to PE2/USB1_CTL1, which has an external
- * pullup. If this signal is pulled to ground when the EC boots, the EC will get
- * into the boot loader and we can recover bricked EC. */
-#define BOOTCFG_VALUE 0x7fff88fe
-
 /* Wireless signals */
 #define WIRELESS_GPIO_WLAN GPIO_RADIO_ENABLE_WLAN
 #define WIRELESS_GPIO_BLUETOOTH GPIO_RADIO_ENABLE_BT
--- a/board/peppy/board.h
+++ b/board/peppy/board.h
@@ -195,12 +195,6 @@ enum temp_sensor_id {
 */
 int board_g781_has_power(void);

-/* HEY: The below stuff is for Link. Pick a different pin for Peppy */
-/* Target value for BOOTCFG. This is set to PE2/USB1_CTL1, which has an external
- * pullup. If this signal is pulled to ground when the EC boots, the EC will get
- * into the boot loader and we can recover bricked EC. */
-#define BOOTCFG_VALUE 0x7fff88fe
-
 /* Wireless signals */
 #define WIRELESS_GPIO_WLAN GPIO_WLAN_OFF_L
 #define WIRELESS_GPIO_WWAN GPIO_PP3300_LTE_EN
--- a/board/slippy/board.h
+++ b/board/slippy/board.h
@@ -189,12 +189,6 @@ enum temp_sensor_id {
 */
 int board_g781_has_power(void);

-/* HEY: The below stuff is for Link. Pick a different pin for Slippy */
-/* Target value for BOOTCFG. This is set to PE2/USB1_CTL1, which has an external
- * pullup. If this signal is pulled to ground when the EC boots, the EC will get
- * into the boot loader and we can recover bricked EC. */
-#define BOOTCFG_VALUE 0x7fff88fe
-
 /* Wireless signals */
 #define WIRELESS_GPIO_WLAN GPIO_WLAN_OFF_L
 #define WIRELESS_GPIO_WWAN GPIO_PP3300_LTE_EN
--- a/chip/lm4/config_chip.h
+++ b/chip/lm4/config_chip.h
@@ -96,6 +96,17 @@
 #define CONFIG_FW_WP_RO_OFF		CONFIG_FW_RO_OFF
 #define CONFIG_FW_WP_RO_SIZE		CONFIG_FW_RO_SIZE

+/****************************************************************************/
+/* Lock the boot configuration to prevent brickage. */
+
+/*
+ * No GPIO trigger for ROM bootloader.
+ * Keep JTAG debugging enabled.
+ * Use 0xA442 flash write key.
+ * Lock it this way.
+ */
+#define CONFIG_BOOTCFG_VALUE 0x7ffffffe
+
 /****************************************************************************/
 /* Customize the build */

--- a/chip/lm4/registers.h
+++ b/chip/lm4/registers.h
@@ -248,6 +248,7 @@ static inline int lm4_fan_addr(int ch, int offset)
 #define LM4_SYSTEM_PIOSCSTAT   REG32(0x400fe154)
 #define LM4_SYSTEM_PLLSTAT     REG32(0x400fe168)
 #define LM4_SYSTEM_BOOTCFG     REG32(0x400fe1d0)
+#define LM4_SYSTEM_BOOTCFG_MASK 0x7fff00ec /* Reserved bits of BOOTCFG reg */
 /* Note: USER_REG3 is used to hold pre-programming process data and should not
 * be modified by EC code.  See crosbug.com/p/8889. */
 #define LM4_SYSTEM_USER_REG3   REG32(0x400fe1ec)
--- a/chip/lm4/system.c
+++ b/chip/lm4/system.c
@@ -341,18 +341,16 @@ void system_pre_init(void)

 	check_reset_cause();

-	/* HEY: read LM4_SYSTEM_BOOTCFG bit 4 to determine WRKEY value */
-
-#ifdef BOARD_link			     /* FIXME: crosbug.com/p/19366 */
 	/* Initialize bootcfg if needed */
-	if (LM4_SYSTEM_BOOTCFG != BOOTCFG_VALUE) {
-		LM4_FLASH_FMD = BOOTCFG_VALUE;
+	if (LM4_SYSTEM_BOOTCFG != CONFIG_BOOTCFG_VALUE) {
+		/* read-modify-write */
+		LM4_FLASH_FMD = (LM4_SYSTEM_BOOTCFG_MASK & LM4_SYSTEM_BOOTCFG)
+			| (~LM4_SYSTEM_BOOTCFG_MASK & CONFIG_BOOTCFG_VALUE);
 		LM4_FLASH_FMA = 0x75100000;
 		LM4_FLASH_FMC = 0xa4420008;  /* WRKEY | COMT */
 		while (LM4_FLASH_FMC & 0x08)
 			;
 	}
-#endif

 	/* Brown-outs should trigger a reset */
 	LM4_SYSTEM_PBORCTL |= 0x02;
--- a/include/config.h
+++ b/include/config.h
@@ -92,6 +92,9 @@
 /* EC has GPIOs attached to board version stuffing resistors */
 #undef CONFIG_BOARD_VERSION

+/* Permanent LM4 boot configuration */
+#undef CONFIG_BOOTCFG_VALUE
+
 /*****************************************************************************/
 /* Charger config */