This patch makes EC read the slot to verify and jump to from the
battery backed up RAM (BBRAM).
BUG=b:38462249
BRANCH=none
TEST=Boot Fizz
Change-Id: I0c78861ea3ccdc45d0aa08e690e3a68f53658409
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/518255
similar to the USB_PD_TCPC case, add release/init operations when the
pd_task enters/leaves the PD_STATE_SUSPENDED state. one use case for
PD_SUSPEND is to get exclusive access to the TCPC for things like
firmware update, so the release/init operation is needed to get the
TCPC and driver into a good state.
updated all tcpm_drv style drivers. for backward compatibility, "old"
drivers that may not handle init/release properly simply return
EC_ERROR_UNIMPLEMENTED for tcpm_release(). pd_task() uses this as a
signal that it should not try to re-init() the driver.
TEST=tested in combination with follow-on CLs to do TCPC firmware
update on electro. also built for kevin, eve, sand which are
some of the other boards using these drivers.
"make buildall -j" passes.
BRANCH=none
BUG=b:35586896
Change-Id: I3d2964a79e710428f7a6e7004d68ab424af85be8
Signed-off-by: Caveh Jalali <caveh@google.com>
Reviewed-on: https://chromium-review.googlesource.com/544660
Reviewed-by: Shawn N <shawnn@chromium.org>
This patch sets/clears RESET_FLAG_AP_OFF on S5<->S3 transitions.
It's set when the system gracefully shuts down and cleared when the
system boots up. The result is EC tries to go back to the
previous state upon AC plug-in on battery-less systems.
This is required for digital signage and kiosk.
This also reverts: CL 514209, 486946, and 486945.
BUG=b:37536389
BRANCH=none
TEST=Tested as follows:
A. Boot to S0
A.1. Unplug AC while system is in S0 then plug in - PASS
A.2. Unplug AC while system is in S3 then plug in - PASS
A.3. Press recovery+power in S0 - PASS
A.4. Press recovery+power in G3 - FAIL (To be fixed)
A.5. Execute reboot console command - PASS
A.6. Execute reboot OS command - PASS
A.7. Execute reboot console command in G3 - PASS
B. Boot to G3
B.1 Unplug AC while system is in G3 then plug in - PASS
B.2 Unplug AC after B.1 then plug in - PASS
B.3 Shutdown by power button on recovery screen then unplug
plug in AC - PASS
B.4 Execute reboot ap-off console command - PASS
B.5 Execute shutdown command from OS then plug in AC - PASS
Change-Id: Iaa6f930585050fdd3511c711b449dff47525066d
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/517287
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This patch adds vboot for EC by EC (vboot EC) for x86 systems.
When ec is transitioning s5->s3, it checks the power supply is
enough to boot AP or not. If not, it runs other checks and may
finally validate and jump to a RW image.
BUG=b:38462249
BRANCH=none
TEST=Boot Fizz on barrel jack and type-c charger.
Change-Id: I5988b0595976370c5303c45541702ae89d86fc97
Reviewed-on: https://chromium-review.googlesource.com/518254
Commit-Ready: Daisuke Nojiri <dnojiri@chromium.org>
Tested-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
looks like we had a bit of a race condition: set_state() was
effectively just an assignment operation to pd[port].task_state. it's
called asynchronously from pd_set_suspend() in response to a
PD_SUSPEND message from the AP as well as from pd_task() before it
enters its main event loop. this can take a long time because
tcpci_tcpm_init() has a 300ms timeout. last one wins.
similarly, when pd_task() is running its main loop, pd_set_suspend()
really needs to wait for pd_task() to actually enter the
PD_STATE_SUSPENDED state before the caller can assume that the
pd_task() has stopped accessing the TCPC.
the particular failure case was when depthcharge would decide to do a
TCPC firmware update. it starts by sending a PD_SUSPEND to the EC,
then accessing the TCPC. unfortunately, the pd_task() hadn't gotten
out of the way yet, thus causing TCPC access chaos.
so, i'm adding a req_suspend_state flag to the pd_protocol struct so
we can tell pd_task() to suspend itself in a controlled manner. when
pd_task() is ready to do a state change - basically at the top of the
main event loop - it'll change to PD_STATE_SUSPENDED and clear the
req_suspend_state flag.
in any case, pd_set_suspend() still needs to wait around for pd_task()
to enter the suspended state as we don't have a fancy handshake
mechanism between these tasks.
TEST=in combination with some follow-on CLs, ps8751 firmware update
works properly where previously it needed a ~2 second delay
for the EC pd_task() to settle. the way to trigger the
failure was to insert or remove the power brick.
BRANCH=none
BUG=b:62356808
Change-Id: I363803ff60db31ccf84d592f8c9d1610fbe0f9ce
Signed-off-by: Caveh Jalali <caveh@google.com>
Reviewed-on: https://chromium-review.googlesource.com/544659
Reviewed-by: Shawn N <shawnn@chromium.org>
Recovery mode can be triggered with or without hw reinit. And both the
modes are triggered using the same button combination held down for
different amount of time. For recovery mode with hw reinit (>30
seconds), LED blinks for 4 seconds. However, for recovery mode without
hw reinit(>10 seconds), there is no user indication. This change turns
on the LED as soon as the >10 second condition is satisfied. This
provides an indication to the user that recovery mode is triggered.
BUG=b:62886608
BRANCH=None
TEST=make -j buildall
Change-Id: I949c3e7e98441131df987b6351c1f614f3b4831c
Signed-off-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/549775
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
If we have requested the host to go to recovery mode, the host will
usually not need an RW hash because it won't do EC SW sync. Therefore,
do not auto-start calculation of our hash if we've requested recovery.
This may avoid past recovery-breaking bugs due to unexpected RW contents.
If the host does need the hash after all, it will manually request that
the computation start.
BUG=chromium:612966
BRANCH=None
TEST=Boot to recovery mode on kevin, verify that "hash start" print is
not seen on UART.
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Change-Id: I66d2d74398357dfe30e39882feec8cfba4cc945c
Reviewed-on: https://chromium-review.googlesource.com/540695
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Add a delay before flash_erase deferred started so the task does not halt
CPU, and cause the response of EC_CMD_FLASH_ERASE to not be delivered.
When the above situation happens the host I2C controller will timeout.
A 100ms delay should be long enough on any board to allow the response
to be sent.
BRANCH=none
BUG=b:38018926
TEST=on eve units where flashrom always fail:
`flashrom -p ec:type=tp -w ec.bin` succeeds.
Change-Id: I399a60064392da41a3e27f8630175ab427047ab7
Signed-off-by: Wei-Ning Huang <wnhuang@google.com>
Reviewed-on: https://chromium-review.googlesource.com/547375
Commit-Ready: Wei-Ning Huang <wnhuang@chromium.org>
Tested-by: Wei-Ning Huang <wnhuang@chromium.org>
Reviewed-by: Gwendal Grignou <gwendal@google.com>
On a keyboard-less, volume-button-less board, we support simplified
sysrq handling.
For Fizz, we use the recovery button to trigger sysrq event and
holding it down to trigger warm reset.
BUG=b:38418116,b:38417391
BRANCH=none
TEST=On Fizz, try
1. Press recovery button and release -> sysrq sent
2. Press and hold recovery button -> warm reset
3. Press recovery button and power button -> enter recovery mode
Change-Id: If8760319dba3df4545e9805b396ac89c241dae80
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/537817
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Mapped reads are relative to CONFIG_EC_*_STORAGE_OFF, not
CONFIG_R*_MEM_OFF. The previous implementation happened to work for
internal mapped storage (eg. stm32) but failed for external mapped
storage which is copied to SRAM before execution (eg. npcx).
BUG=b:62841029
TEST=Verify sysjump works again on eve/poppy/soraka. Verify sysjump
and sig verification continues to work on fizz and stm32.
BRANCH=None
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Change-Id: Id51ce5697555eea38b246b58dbf47f22d4befaa7
Reviewed-on: https://chromium-review.googlesource.com/541861
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
This API checks battery charge level and current power supply
to determine whether the AP has enough power to boot or not.
BUG=b:38462249
BRANCH=none
TEST=make buildall
Change-Id: I489f7ea92f230701b8f18c94d3e698aad90b4a03
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/517272
This patch adds wait between DSW_PWROK and PWRBTN assert. It is
required to be 95 msec or longer for Kaby Lake and Sky Lake.
Refer to the timing diagram for G3 to S0 on Sky Lake or Kaby Lake
platform design guide for details.
BUG=b:62584658
BRANCH=none
TEST=On Fizz, measured time between DSW_PWROK high and PWRBTN assert
for 1:AC plug-in, 2:recovery+power press, 3: reboot ec command.
Change-Id: I89a14ac9a49e20a332bd662d90be62f8ea23b003
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/534901
Until HOOK_INIT has completed, do not allow any tasks other than HOOKS
or IDLE to be scheduled. Programmers often make the assumption that
a HOOK_INIT function is guaranteed to be run before task code that depends
on it, so let's make it so.
BUG=chromium:649398
BRANCH=None
TEST=Manual on kevin, compare boot without patch:
...
[0.004 power state 0 = G3, in 0x0008] <-- from chipset task
RTC: 0x00000000 (0.00 s)
[0.004 power state 4 = G3->S5, in 0x0008]
RTC: 0x00000000 (0.00 s)
[0.005 clear MKBP fifo]
[0.006 clear MKBP fifo]
[0.006 KB init state: ... <-- from keyscan task
[0.012 SW 0x05]
[0.155 hash start 0x00020000 0x00019a38]
[0.158 HOOK_INIT DONE!]
... to boot with patch:
...
RTC: 0x58cc614c (1489789260.00 s)
[0.004 clear MKBP fifo]
[0.005 clear MKBP fifo]
[0.010 SW 0x05]
[0.155 hash start 0x00020000 0x000198e0]
[0.157 HOOK_INIT DONE!]
...
Also, verify kevin boots to OS and is generally functional through
sysjump and basic tasks, and verify elm (stm32f0 / cortex-m0) boots.
Change-Id: If56fab05ce9b9650feb93c5cfc2d084aa281e622
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/456628
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
Cortex-M4 supports a floating point square root function that takes 14
cycles to execute, which is a speed improvement over the existing binary
search, and saves flash space.
BUG=chromium:687624
BRANCH=None
TEST=On kevin, verify that both sqrtf methods (binary search vs HW
instruction) have identical results for fractional input (eg.
sqrt(15.999999) = 3), except when floating point representation of
square root rounds up to an integer. Verify identical results for all
integers [-100, 16793602). Note that 16793602 is the first integer for
which the floating point representation of sqrt rounds up to an integer.
Also verify basic motion sense functions on kevin.
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Change-Id: I8521c9a28c958b340ca83c37342253e424df0c91
Reviewed-on: https://chromium-review.googlesource.com/537734
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Shawn N <shawnn@chromium.org>
If Cr50 happens to start on a chip where Board ID programmed in INFO1
does not match the contents of the RW header, it means that for some
reason the other RW is not operational and the current image is the
only viable one.
In this case the Cr50 starts but operates in limited mode (only
commands for updating the image and reporting state are handled). In
this case the reason for recovery could be seen on the Recovery
screen, and the update could be done once Chrome OS boots in recovery
mode.
BRANCH=none
BUG=b:35586335
TEST=verified the following:
- if an image with wrong board ID is started, it tries to fall back
(sets the counter to a value above threshold and reboots)
- if the fallback fails, the image keeps running in the limited
capabilities mode but the update is possible, observed that the
new image took over worked after powercycling the device.
- observed proper error message on the recovery screen showing where
the error comes from
Change-Id: I46ba75392f8e891bb8503fb15aea2c56b5805e83
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/535978
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Handle UPDATE_EXTRA_CMD_PAIR_CHALLENGE command, where the
lid sends a random x25519 public key, and nonce, and the base
replies with its own (stable) x25519 public key, and computes
a shared secret using its private key to verify its identity.
BRANCH=none
BUG=b:38486828
TEST=Flash hammer, ./usb_updater2 -c always reports the same
device public key, and authenticator is correct.
Change-Id: Ida60ffa7476794ee92669951c740dbe35950fb9c
Reviewed-on: https://chromium-review.googlesource.com/532475
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
This change ensures that the power button pulse setting is saved and
restored across a sysjump. It uses the SYSJUMP_TAG "PB" (0x5042).
BUG=b:62445190
BRANCH=None
TEST=The condition mentioned in the bug could be reproduced using
following steps:
1. reboot on EC console
2. Use Vup/Vdn to select any option other than Power off.
3. Press power button
After step #3 above, device would shut down instead of selecting the
option. Verified that with this change, the device does not power off
anymore at step #3.
Change-Id: Icebe9c17d39a82fc3854dd75cc3a1dea032a234a
Signed-off-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/533921
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
The contents of the board ID fields of the Cr50 image headers is an
important piece of information which determines if an image can run on
a particular H1 chip.
This patch adds this information to the output of the 'version'
command, printing both the contents of the fields of the RW images and
if the image would run with the current INFO1 board ID contents (Yes
or NO).
The board_id feature is in fact g chipset specific, this is why
board_id support files are being moved from the cr50 board scope to
the g chip scope.
BRANCH=cr50
BUG=b:35587387,b:35587053
TEST=observed expected output in the version command:
> bid
Board ID: 000000fa, flags 000000ff
> vers
Chip: g cr50 B2-C
Board: 0
RO_A: * 0.0.10/29d77172
RO_B: 0.0.10/c2a3f8f9
RW_A: * 0.0.20/DBG/cr50_v1.1.6542-856c3aff4
RW_B: 0.0.20/DBG/cr50_v1.1.6543-2c68a2630+
BID A: 00000000:00000000:00000000 Yes
BID B: 000000ea:0000fffc:000000ff No
Build: 0.0.20/DBG/cr50_v1.1.6542-856c3aff4
tpm2:v0.0.289-cb2de5a
cryptoc:v0.0.8-6283eee
2017-06-09 15:34:19 vbendeb@eskimo.mtv.corp.google.com
>
Change-Id: I5b283abf304a7408ca8f424407044fca238185e1
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/530033
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Adds a mechanism that allows a board to disable interrupting the AP /
kernel when the status of any one of the EC_HOST_EVENTS included in
CONFIG_HOST_EVENT_REPORT_MASK changes state. Default state enables
reporting of all events; a board can override this by defining
CONFIG_HOST_EVENT_REPORT_MASK in its board.h file.
NOTE: The host_set_events() and host_clear_events() routines no longer
interrupt the AP if none of the host events the AP is interested in
changed state.
BRANCH=none
BUG=chromium:637061
TEST=make buildall passes
Signed-off-by: Nick Vaccaro <nvaccaro@chromium.org>
Change-Id: I678fb9d9dab6890848b94b314efd711842b1fd48
Reviewed-on: https://chromium-review.googlesource.com/502078
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
The upcoming changes in usb_updater will allow issuing vendor
commands to set and get board ID value. It is also useful to be able
to corrupt the alternative RW header over Suzy-Q when Cr50 is running
a debug image.
BRANCH=cr50
BUG=b:35587387,b:35587053
TEST=not yet.
Change-Id: I54ac6eb4cebd85f97407211c5212b868d61e560f
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/524894
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
When vendor commands are processed by the TPM device, the result of
the command execution is communicated through the TPM response header.
When vendor commands are sent through USB the command execution result
value is lost, as the USB reply includes only the response payload,
(if any), but not the result value.
With this patch the single byte result value is prepended to the USB
response payload. The recipient will always look for the value in the
first byte of the response to find the vendor command execution
status.
The corresponding change to the Cr50 usb_updater will remove the
response code from the payload before considering the command's return
data.
BRANCH=cr50
BUG=b:35587387,b:35587053
TEST=verified proper existing extension commands processing (post
reset, turn update on) by the new version of usb_updater and
backwards compatibility with earlier Cr50 RW version (down to
0.0.13).
Change-Id: I5c8b3ea71d3cbbaccc06c909754944b3ab04675d
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/525093
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Mix in board-generated entropy with the externally provided one,
which should help make the per-device secret stronger.
BRANCH=none
BUG=b:38486828
TEST=reboot; rollbackaddent Hello => works fine when USB is connected,
fails otherwise, as board-generated entropy relies on USB timing.
Change-Id: I314f44759c5f8b859913a748db95e9d42b5cdd11
Reviewed-on: https://chromium-review.googlesource.com/518609
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
The default USB packet has a maximum size of 64 bytes, however, we need
to support some USB over I2C write transactions that exceed this default.
To support this with protocol backwards compatibility in mind, we enable a
config option CONFIG_USB_I2C_MAX_WRITE_COUNT that will enlarge the USB
RX queue.
BRANCH=none
BUG=b:35587174
TEST=Complete presubmit test.
TEST=Manually update elan trackpad firmware with interrupt disabled.
Change-Id: Ia8983b036b7297f7ca673459ae34b7e5ecd2ee01
Reviewed-on: https://chromium-review.googlesource.com/513642
Commit-Ready: Chun-ta Lin <itspeter@chromium.org>
Tested-by: Chun-ta Lin <itspeter@chromium.org>
Reviewed-by: Chun-ta Lin <itspeter@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
Some devices have large pages that take up to 2s to erase.
Add support to send a deferred erase command, that will
be processed on HOOK task.
It can leave the other tasks (HOST_CMD) responsive.
If the whole EC can stall on flash erase, like the STM32F4 does,
at least the command FLASH_ERASE_GET_RESULT can be retried when it times
out.
BRANCH=none
TEST=Check with flashrom doing a loop of overwrites.
BUG=b:38018926
Change-Id: I8ce8e901172843d00aac0d8d59a84cbd13f58a10
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/510012
Reviewed-by: Alexandru M Stan <amstan@chromium.org>
Add the implementation of a robust non-volatile incrementing counter
using 2 pages from the underlying flash.
It is used to implement the U2F functionality.
The main goal of the counter is providing a strictly incrementing value
whatever adverse events (malicious or not) happen as it is used to
prevent rollback attacks in the U2F protocol.
Given the limitation of the flash process: ie wear-out endurance and
2kB-page erase granularity only and possible isolated bit-flips
(accentuated by power losses), the counting is done by pulling down
several bits at a time from their erased state (1) to 0.
The counting is implemented this way with 2 pages called LOW and HIGH:
The LOW page is implemented in a strike style, with each "strike" zero-ing
out 4 bits at a time, meaning each word can be struck a total of 8
times.
Once the LOW page is completely struck, the HIGH page is incremented by 2.
The even increment is for the value, the odd increment is a guard signal
that the LOW page must be erased. So as an example:
If HIGH is 2, the LOW page would increment to 3, erase itself, and then
increment to 4. If this process is interrupted for some reason (power loss
or user intervention) and the HIGH left at 3, on next resume, the HI page
will recognize something was left pending and erase again.
For a platform with 2-kB flash pages, it can count up to 8388608, then
it is stuck at 0xFFFFFFF indefinitely.
Mostly copied over from Marius code in cr52 code-base.
Signed-off-by: Marius Schilder <mschilder@google.com>
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=cr50
BUG=b:35545754
TEST=with follow-up CLs, run U2FTest on Eve
Change-Id: Idd0756078e3641c4a24f9c4ccf6611909bd5f00f
Reviewed-on: https://chromium-review.googlesource.com/518135
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
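
Added example, not part of the commit above or of the Chromium EC code base: a C sketch of the two-page strike counter that message describes, run against RAM arrays standing in for the LOW and HIGH flash pages. The function names, the value formula and the nibble-by-nibble strike order are assumptions, chosen so that the limit comes out at the 8388608 stated for 2-kB pages.

```c
/* Added illustration: two-page "strike" counter on simulated 2 kB pages. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_WORDS  512u                /* 2 kB page of 32-bit words */
#define STRIKES_MAX (PAGE_WORDS * 8u)   /* 8 four-bit strikes per word */
#define NV_MAX      ((STRIKES_MAX / 2u) * STRIKES_MAX)  /* 8388608 */

/* Assumption: RAM arrays stand in for the LOW and HIGH flash pages. */
static uint32_t page_low[PAGE_WORDS], page_high[PAGE_WORDS];

static void page_erase(uint32_t *p)
{
	memset(p, 0xFF, PAGE_WORDS * sizeof(*p));   /* erased flash reads 1s */
}

/* Count struck (all-zero) nibbles from the start of the page. */
static uint32_t strikes(const uint32_t *p)
{
	uint32_t n = 0;

	for (uint32_t i = 0; i < PAGE_WORDS; i++)
		for (uint32_t k = 0; k < 8; k++, n++)
			if ((p[i] >> (4 * k)) & 0xFu)
				return n;   /* a half-cleared nibble is not counted */
	return n;
}

/* Programming only pulls bits from 1 to 0, so a strike is an AND. */
static void strike(uint32_t *p)
{
	uint32_t n = strikes(p);

	if (n < STRIKES_MAX)
		p[n / 8] &= ~(0xFu << (4 * (n % 8)));
}

/* Finish a pending LOW rollover; safe to run after any power loss. */
static void nv_recover(void)
{
	uint32_t h = strikes(page_high);

	/* LOW full but HIGH still even: power was lost before the guard. */
	if (!(h & 1) && h < STRIKES_MAX && strikes(page_low) == STRIKES_MAX) {
		strike(page_high);          /* odd = guard, LOW erase pending */
		h++;
	}
	if (h & 1) {
		page_erase(page_low);       /* repeated if interrupted again */
		strike(page_high);          /* even = new value committed */
	}
}

/* First-time provisioning only: both pages start erased. */
void nv_init(void)
{
	page_erase(page_low);
	page_erase(page_high);
}

uint32_t nv_read(void)
{
	nv_recover();
	return (strikes(page_high) / 2) * STRIKES_MAX + strikes(page_low);
}

/* Returns the new value; stays at NV_MAX once HIGH is fully struck. */
uint32_t nv_increment(void)
{
	nv_recover();
	if (strikes(page_high) < STRIKES_MAX)
		strike(page_low);
	return nv_read();               /* rolls LOW over if it just filled */
}

int main(void)
{
	nv_init();
	for (int i = 0; i < 5; i++)
		nv_increment();
	printf("count=%u (limit %u)\n", (unsigned)nv_read(), (unsigned)NV_MAX);

	/* Constructed fault: LOW full, guard struck, power lost before erase. */
	nv_init();
	memset(page_low, 0, sizeof(page_low));
	strike(page_high);
	printf("after recovery: count=%u high strikes=%u\n",
	       (unsigned)nv_read(), (unsigned)strikes(page_high));
	return 0;
}
```
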
The previous boards that used double tap both used lightbar
sequence. Eve also needs double tap, but doesn't have lightbar. Added
a board specific call when processing the double tap event to allow
more flexibility.
BUG=b:35584895
BRANCH=none
TEST=Manual tested double tap and verified it was detected based on
the console print.
Change-Id: I73d8669803e7dcbbbac00de09822f4a286965fce
Signed-off-by: Scott Collyer <scollyer@google.com>
Reviewed-on: https://chromium-review.googlesource.com/516546
Commit-Ready: Scott Collyer <scollyer@chromium.org>
Tested-by: Scott Collyer <scollyer@chromium.org>
Reviewed-by: Gwendal Grignou <gwendal@chromium.org>
It needs to be possible to prevent unlocking of CCD on enterprise
enrolled devices, in particular to prevent users from moving into dev
mode.
A bit in the FWMP structure flags field was allocated for the purposes
of preventing console unlock in those cases.
This patch adds code to read the FWMP structure from the TPM NVMEM,
verify it and determine if it should be possible to unlock the
console. The restriction is not honored by Cr50 DBG images.
The FWMP value is read only once per TPM reset, this means each time
the admin console changes the relevant flag bit, the Chrome OS device
has to be rebooted to pick up the new flag value.
BRANCH=cr50
BUG=b:35587387,b:35587053
TEST=verified that FWMP is properly read and acted upon.
Change-Id: I17e15ea2b2293a0c096858fba3ccc389452caede
Reviewed-on: https://chromium-review.googlesource.com/457824
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
This patch sets the initial power button state to on if recovery
mode is requested.
BUG=b:37274183
BRANCH=none
TEST=Verify EC boots AP immediately in recovery mode on Fizz.
Verify EC doesn't boot AP immediately in normal mode.
Change-Id: Ib24eb6c6b7e9200cf7ba6af3e486337da3c68355
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/514209
Reviewed-by: Randall Spangler <rspangler@chromium.org>
As part of the pairing process, AP needs to be able to inject
some entropy into the base.
Let's also define PAIR_CHALLENGE, which will be implemented in
a later CL.
BRANCH=none
BUG=b:38487027
TEST=Flash hammer. On host, reboot hammer to RO:
usb_updater2 -r; sleep 0.5; usb_updater2 -s
usb_updater2 -e (adds entropy)
EC console: check that rollbackinfo shows secret is updated
Change-Id: I964bb578c6bfbb1ab5105a70b43682d51df4ed47
Reviewed-on: https://chromium-review.googlesource.com/513807
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Previously, result codes were being stored as `enum ec_status` values.
The compiler was forcing this value to only be one byte large, since
that's all that was necessary to represent all the values of that
enum.
This change fixes this bug by switching result code variable types from
`enum ec_status` to `uint16_t`.
BRANCH=none
BUG=none
TEST=make buildall -j
Change-Id: Iacdca51dc6c1de677d2fbb59ad6dd2572d21ea7f
Reviewed-on: https://chromium-review.googlesource.com/513609
Commit-Ready: Jeff Andersen <jeffandersen@google.com>
Tested-by: Jeff Andersen <jeffandersen@google.com>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
For pairing purpose, we want to store some secret random number in
the base. The most convenient location for this is the rollback
region.
Since the rollback region can now be updated without incrementing
rollback_min_version (when we add entropy to the secret), we need
to add an increasing id to tell the code which rollback region is
the latest.
We also add console commands to manually add entropy.
BRANCH=none
BUG=b:38486828
TEST=Flash hammer (with or without CONFIG_ROLLBACK_ENTROPY_SIZE set)
rollbackinfo => 1 version 0 block, 1 empty block, RW verifies
correctly.
rollbackupdate 0; rollbackinfo => No change
rollbackupdate 1; reboot => RO refuses to jump to RW
only when CONFIG_ROLLBACK_ENTROPY_SIZE is set:
rollbackinfo => Secret is [00..00] on both blocks (so the data
was copied correctly)
rollbackupdate 2, 3, 4; rollbackinfo => Writes alternate
between the 2 blocks.
rollbackupdate 2 => Refuses to downgrade version
TEST=From blank secret [00..00], 'rollbackaddent Hello' updates it
to [ba..fa], which matches the output of:
(dd if=/dev/zero bs=1 count=32; echo -n Hello) | sha256sum
Change-Id: I79c3e790e56e21958cc1b4ba05bd4e5f359d3090
Reviewed-on: https://chromium-review.googlesource.com/511985
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
This change sets the initial power button state to init-on
if the power button is pressed.
BUG=b:37274183
BRANCH=none
TEST=Enter recovery mode by power+recovery button press.
Change-Id: I6ed849bc303e7cdbcb975ae2a6ff278093c86088
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/486946
Reviewed-by: Duncan Laurie <dlaurie@google.com>
Typically, we do not need RW section to be able to update rollback
information (rollback block should be protected when RW is running),
so we can save some flash space by undefining this option.
BRANCH=none
BUG=b:35586219
TEST=make newsizes saves ~420 bytes on hammer and staff.
Change-Id: Ic457673e56ace083f2ebb1ca0f37f54bf125bfa4
Reviewed-on: https://chromium-review.googlesource.com/511983
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
We want to always be able to update cr50 image to a newer version,
even if the AP is not cooperating.
BRANCH=cr50
BUG=b:35580805
TEST=verified that update of a prod image is possible
Change-Id: I3bbe2c4aca8bf0c3129f4495db0e76405a2ed189
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/511285
Reviewed-by: Nick Sanders <nsanders@chromium.org>
Adds min_frequency and max_frequency to struct motion_sensor_t.
New attributes min_frequency and max_frequency are now returned in
ectool's MOTIONSENSE_CMD_INFO response.
Incremented ectool's MOTIONSENSE_CMD_INFO version to version 3.
Add constants for MIN_FREQUENCY and MAX_FREQUENCY to each sensor's
header file.
BRANCH=none
BUG=chromium:615059
TEST=build/boot and verify MOTIONSENSE_CMD_INFO response on kevin,
make buildall -j passes.
Change-Id: I66db9715c122ef6bb4665ad5d086a9ecc9c7c93a
Signed-off-by: Nick Vaccaro <nvaccaro@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/482703
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
This change adds CONFIG_POWER_BUTTON_INIT_IDLE. When it's set,
the system starts with the power button state idle. It means
when the board boots from power-off, it stays at G3.
BUG=b:37536389
BRANCH=none
TEST=Power on Fizz. Verify it stays at G3. Verify it boots
by pressing power button.
Change-Id: I09a62a69d9f201b2dc261838cc9b4425fe3a8dc1
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/486945
Reviewed-by: Duncan Laurie <dlaurie@google.com>
Add an option to allow the scancode sets to be mutable. The only
reason to use this is to allow a scancode to be changed at runtime,
for instance to support different keyboards in one image.
The side effect of this is the scancode sets are moved out of the
shared RO section.
BUG=b:36735408
BRANCH=none
TEST=make -j buildall
Change-Id: Iefb97691d1f295411d7b5db603d9214d41af49fd
Signed-off-by: Duncan Laurie <dlaurie@google.com>
Reviewed-on: https://chromium-review.googlesource.com/506717
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
When AP boots and FW screen is shown (e.g. in developer mode),
AP FW is querying MKBP status in a loop, leading to a lot of "+"
being printed in the EC console.
To avoid this issue, let's print "(++)" after a command is received
5 times in a row.
BRANCH=none
BUG=b:37925684
TEST=Set GBB flags to 0x4a38, reasonable number of "+" is printed
on EC console on boot, which firmware screen is being shown.
Change-Id: I8368c558b97e7a2513b979322bd4bba442626b27
Reviewed-on: https://chromium-review.googlesource.com/505948
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Add the new scan codes for the updated keyboard matrix:
R0,C3 = Search (in addition to existing location at R1,C0)
R0,C5 = New key using code 0[e0 58] and 1[e0 07]
There are no changes to existing scan codes.
BUG=b:36735408
BRANCH=none
TEST=make -j buildall
Change-Id: Ieba22eacd21a5c2dde3c7c43eb62b767fc0db42e
Signed-off-by: Duncan Laurie <dlaurie@google.com>
Reviewed-on: https://chromium-review.googlesource.com/506716
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
The assert in the charge state machine when there is no battery and no AC
is causing a lot of headaches during development, and I don't believe it
adds any value to panic the EC like this as it prevents the system from
coming up and any debug from happening. This is especially bad with H1
locking out any useful debug by preventing flashing the EC.
On Eve EVT we have some 'bad' batteries that are not correctly asserting
presence pin, and when powering with adapter this check happens before
AC_PRESENT asserts because the USB PD negotiation is still happening so the
EC gets stuck in a reboot loop.
Similarly we had issues with the Krill board in the Whale BFT station that
was triggering the same assert.
In both cases there is an underlying hardware issue which is being
investigated separately, but it is impossible to debug these systems
because the EC will not come up.
With this assert removed the EC and AP can boot and the LED blinks red to
indicate there is a battery problem and the OS also reports a problem that
the battery cannot be found, and we are able to do further debug without
having to open the case. Additionally the error message is printed every
~second and it is very obvious from the EC console that there is a problem.
Similar issues were reported at various points on Glados, Chell, Kevin,
Elm, and Reef.
BUG=b:35563537
BRANCH=none
TEST=successfully boot and debug a failing Eve system
Change-Id: I002b26d54428d29192a7097f1aae18f3223c5707
Signed-off-by: Duncan Laurie <dlaurie@google.com>
Reviewed-on: https://chromium-review.googlesource.com/477733
Reviewed-by: Scott Collyer <scollyer@chromium.org>
In order to support write-protect mechanism for the internal flash
of npcx7 ec, WP_IF, bit 5 of DEV_CTL4, is used to achieve this by
controlling the WP_L pin of internal flash. During ec initialization
or any utilities related to access status registers, we'll protect them
if WP_L is active. Please notice the type of WP_IF is R/W1S. It means we
only can unlock write protection of internal flash by rebooting ec.
This CL also includes:
1. Add protect_range array of npcx7's internal flash (W25Q80) for
write-protect mechanism.
2. Add bypass of bit 7 of DEVCNT.
BRANCH=none
BUG=none
TEST=No build errors for all boards using npcx5 series. (Besides gru)
Build poppy board and upload FW to platform. No issues found.
Passed flash write-protect checking on npcx796f evb.
Change-Id: I0e669ce8b6eaebd85e062c6751e1f3dd809e21e2
Signed-off-by: Mulin Chao <mlchao@nuvoton.com>
Reviewed-on: https://chromium-review.googlesource.com/501727
Reviewed-by: Randall Spangler <rspangler@chromium.org>
When cr50 detects recovery button (not keyboard) combo:
recovery+power, volume-up+down+power, etc., it should
(ideally) hard-reset the EC.
This patch allows power-on reset in addition to reset-pin reset
to enter recovery mode when recovery button combo is pressed.
BUG=b:35585326
BRANCH=none
TEST=make buildall. Tested on Poppy.
Change-Id: I15aeef99d21ddc774441ead56fba56d459595cc9
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/503573
Reviewed-by: Randall Spangler <rspangler@chromium.org>