This change creates a state machine to handle ap uart detection. It
removes all of the ap_uart stuff from ap_state.c and moves it to
ap_uart_state.c. All boards will now use ap_uart to enable/disable ap
uart and tpm_rst_l to detect the ap state.
Separate ap uart detection from ap detection, so we can disable the ap
uart without enabling deep sleep. If the ap is in S3 on ARM devices,
Cr50 wont be in deep sleep, but the AP UART RX signal wont be pulled up.
In this case we need cr50 ap rx to be disabled and deep sleep to be
disabled.
BUG=b:35647982
BRANCH=cr50
TEST=run firmware_Cr50DeviceState on scalet and electro
Change-Id: I81336a9e232df8d44b325eef59327a1c06a80cba
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/884307
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
- Add a vendor command that provides alert counter. Userspace can use
it e.g. for user metric analysis.
- Add 'alerts' debug console command. It provides information about
chip alerts: supported alerts, fuse status, interrupt status, alert
counter.
- Add 'alerts fire [INT]' command to fire a software defined alert
(globalsec/fwN where N is 0,1,2,3).
Signed-off-by: Anatol Pomazau <anatol@google.com>
BUG=b:63523947
TEST=ran the FW at Pyro and checked alerts data sent to host
Change-Id: I7cec0c451ed71076b44dad14a151b147ff1337e8
Reviewed-on: https://chromium-review.googlesource.com/817639
Commit-Ready: Anatol Pomazau <anatol@google.com>
Tested-by: Anatol Pomazau <anatol@google.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Add BOARD_DEEP_SLEEP_DISABLED and BOARD_DETECT_AP_WITH_UART to
BOARD_ALL_PROPERTIES, so they will be updated after cr50 reboots.
BUG=b:35647982
BRANCH=cr50
TEST=test deep sleep on scarlet
Change-Id: I8999ae7c6c1dad6799b5fdb99ebf5d7618a21c2b
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/882343
Reviewed-by: Randall Spangler <rspangler@chromium.org>
ap_state doesn't disable/enable the detect ap interrupt correctly. This
means cr50 is mostly just polling the AP state. Cr50 may not realize the
AP is up until almost a second after it first turned on. This change
reenables the detect ap on interrupt while debouncing the AP state or if
Cr50 thinks the AP is off, so cr50 can more quickly detect the
transition from off to on.
This issue doesn't affect devices that detect the AP with TPM_RST_L,
because we never disable the TPM_RST_L interrupt and that handler calls
ap_on_deferred directly.
BUG=b:71866206
BRANCH=cr50
TEST=run power_state:rec on Dru and make sure there are no tpm irq
timeouts.
Change-Id: I67388f9dce94fb22efe5755a0de563e5af42f8f5
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/869410
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Cr50 should not automatically touch the EC reset when enabling the
USB-EC SPI bridge. Otherwise, this could interefere with ECs that might
have internal SPI flash and need to have their resets deasserted in
order to access the internal SPI flash.
This commits simply removes the assertion of EC reset when enabling the
USB-EC SPI bridge. The user or external scripts should control the
resets as necessary using servo or the cr50 console.
BUG=b:71548795,b:71557464
BRANCH=None
TEST=Flash meowth cr50. Verify that I can flash the EC using a
servo_v4.
TEST=Repeat above test with a servo_micro.
TEST=Repeat above test with a SuzyQable.
Change-Id: I114c34df43cf1e8ba622e75c3e6ecf517afc40a4
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Reviewed-on: https://chromium-review.googlesource.com/850865
Commit-Ready: Aseda Aboagye <aaboagye@chromium.org>
Tested-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Enable deep sleep on rk3399 devices and start using SYS_RST_L to track
the AP state.
We can only release this once the EC has the proper support. It needs to
assert SYS_RST_L in S5.
If we have an old EC and this change in the Cr50 firmware, Cr50 won't be
able to tell when the AP is off. I think this will just cause an
interrupt storm on the AP UART and might not go into regular sleep in
S5.
If the EC change gets released before Cr50, Cr50 won't go to sleep in
S5, because SYS_RST_L is a wake on low pin. Cr50 will immediately wake
up from the SYS_RST_L pin when it enters sleep.
BUG=b:35647982
BRANCH=cr50
TEST=run firmware_Cr50DeepSleepStress on Bob
Change-Id: Iaf46f46eb5963e9479bba40457253a6ccc91ad32
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/699295
Reviewed-by: Randall Spangler <rspangler@chromium.org>
We have a requirement that this signal is asserted whenever cr50 is in
deep sleep. It is deasserted on resume. This change configures sys_rst_l
as wake on high before deep sleep, so cr50 doesn't wake up
immediately after entering deep sleep. This is consistent with the
behavior of plt_rst_l when it's used to track the AP state and enable
deep sleep.
This doesn't change anything right now, because no devices that use
sys_rst_l have deep sleep enabled.
BUG=b:35647982
BRANCH=cr50
TEST=none
Change-Id: Ie5c3a6bbf4d0a52c1f96a9b29ebd037104a8abc4
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/815335
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
The compiler marks data put into the TPM2_common.bss section as
PROGBITS, which the linker does not like. Changing the section name
prevents the marking and keeps linker happy.
BRANCH=cr50
BUG=chromium:799385
TEST=verified that local_state is still in where it belongs:
$ egrep '(local_state|__bss_libtpm2)' build/cr50/RW/ec.RW.smap
00010400 B __bss_libtpm2_start
00015d0c b local_state
00015d18 B __bss_libtpm2_end
Change-Id: I48f7d2cb08c7ccb2ef3b3159eaf4d66e2b8720b4
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/852793
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Add the flags for board_deep_sleep_allowed and
board_detect_ap_with_tpm_rst.
BUG=b:35647982
BRANCH=cr50
TEST=run firmware_DeepCr50SleepStress on electro. Make sure Bob can
still detect the AP state and doesn't enter deep sleep
Change-Id: I39e45f6eacc1cbdcb3ab1caaecd0836f8a2c073a
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/699294
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Setting password should be allowed only after the owner logged in for
the first time and before they log out or someone else logs in.
Once any other user but the owner logs in, it should become impossible
to set password until the device is reset.
As proposed here, this would apply to both attempts to set password
through crosh and Cr50 console.
Password handling on Cr50 passes the following states:
- password setting is not allowed after Cr50 reset until an upstart
(as opposed to resume) TPM startup happens, as signalled by the TPM
callback. After the proper TPM reset the state changes to
'POST_RESET_STATE' which means that the device was just
reset/rebooted (not resumed) and no user logged in yet.
- if the owner logs in in this state, the state changes to
'PASSWORD_ALLOWED_STATE'. The owner can open crosh session and set
the password.
- when the owner logs out or any user but the owner logs in, the state
changes to PASSWORD_NOT_ALLOWED_STATE and does not change until TPM
is reset. This makes sure that password can be set only by the owner
and only before anybody else logged in.
Separate changes to the TPM library code make sure that TPM reset is
reported through the platform layer, so that POST_RESET_STATE is
entered.
BRANCH=cr50
BUG=b:67007578
TEST=with the rest of the infrastructure in place verified that
password can be set only when the owner logged in for the first
time before anybody else logs in or the owner logs out.
Change-Id: Ieaa3dc8ff9d2e43ae11151eb31173220f5c75b58
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/804141
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Using FWMP for CCD management requires that FWMP contents could be
read even when the AP is not operational, i.e. before TPM2_Startup
command is issued.
A fix is added to the TPM2 library to allow access to FWMP contents
even if TPM is not used by the AP. With that in mind there is no need
to delay reading FWMP until TPM2_Startup command is issued. With the
console task stack increase FWMP contents can be read directly on the
console task context.
BRANCH=Cr50
BUG=b:62537474
TEST=with TPM patch applied verified that CCD can be opened when AP is
down (i.e. TPM2_Startup command was not issued).
Change-Id: Ibf4325917a512a855fc658edb9e51e4837328f43
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/817896
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
The current console stack size prevents using it for even simpler TPM
library invocations. With this increase it is possible to invoke TPM
NV access API from console commands.
BRANCH=Cr50
BUG=b:62537474
TEST=with the rest of the patches verified that FWMP contents can be
read from a console command.
shmem console command output shows 6616 bytes of free SRAM space
when in prod mode and 6624 bytes when in dev mode.
Change-Id: I177af1abde422dab0a9fdb0f4619eaf0ffefa9f6
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/817895
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
ccdstate just prints state. It is very useful for debugging ccd/servo
contention issues. This change makes it a safe command so it is
accessible even when the console is locked.
BUG=none
BRANCH=cr50
TEST=make buildall
Change-Id: I2e754f5978c83fcaca737e7a590dcf5ee445522c
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/809864
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
These functions are not used by usb_i2c.c on chip/stm32, let's
move them to board/cr50 which is the only place where they are
used.
BRANCH=none
BUG=None
TEST=make buildall -j
Change-Id: I8c1b292838b8dbee9a9001add9332e0add80c342
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/778749
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
In DEV, it's necessary to rollback to reenter prod signed
images. Let's make this reasonably easy.
BUG=None
BRANCH=cr50
TEST=CR50_DEV fw does roll back to prod..
Signed-off-by: Nick Sanders <nsanders@chromium.org>
Change-Id: Id39c3e501782da3f088760ec27d09f1ffc7b7f58
Reviewed-on: https://chromium-review.googlesource.com/734840
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
TPM reset sequence when TPM wipeout is requested has a side effect of
rebooting the entire device. This is not always desirable, in some
cases other actions need to happen before the device is rebooted.
This patch makes resetting the EC the TPM reset caller's responsibility,
BRANCH=cr50
BUG=none
TEST=verified that RMA reset and WP disable properly wipe out the TPM
and reboot the device.
Change-Id: I6e827ce923a2454ae5b2e2597d1a4c9390bbb8b6
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/733813
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Modules in board/cr50/tpm2 are part of the TPM task, and their .bss
segment needs to be wiped out along with other TPM modules' when TPM
is reset.
The only module from this directory which has static variables is
NVMem.c. This patch groups the variables into a structure, and makes
sure that the structure is stored in the part of .bss which is zeroed
when TPM is reset.
BRANCH=none
BUG=none
TEST=verified that TPM wipeout happening during RMA reset is
successful.
Change-Id: I5f80dc5e4f5f7cdce2d1a1ed59e0fbac354c5bf6
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/733814
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Scott Collyer <scollyer@chromium.org>
A couple of bugs have crept in with the latest series of patches:
- the board ID value endianness does not have to be changed
- the test RMA server public key value is wrong
BRANCH=cr50
BUG=b:67007905
TEST=the generated challenge is now accepted by the server, and the
generated auth code matches between the server and the Cr50.
Change-Id: I18f413ab0bcc14d9cc50b115ac3784fdfcd5851c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/700798
Reviewed-by: Michael Tang <ntang@chromium.org>
Enable necessary flags for the Cr50 to start supporting RMA
authentication. This also requires that the RMA server public key
definition is split between the actual and test. Even though they are
the same at this time, the actual public key would be defined in the
new future and it would be different from the test key.
BRANCH=cr50
BUG=b:65253310
TEST=make buildall -j passes. More tests were conducted on the full
patchset.
Change-Id: I5a3f9d8c71374d78192e3f0a2752391b842da962
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/691554
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Currently, when CCD is opened, there is no way to disable the EC
and/or AP UARTs. But if there is some problem with the EC and/or AP,
and their UARTs are spamming interrupts, it can make debugging more
difficult.
If servo detection malfunctions, then CCD may drive the ports and
interfere with servo.
Add a new ccdblock command to disable the AP UART, EC UART, or any
ports shared with servo, until the next cr50 reboot.
BUG=b:65639347
BRANCH=cr50
TEST=manual with CR50_DEV=1 image, AP/EC powered on, suzyq connected
ccdblock --> (none)
ccdstate --> UARTAP+TX UARTEC+TX I2C SPI
ccdblock AP on
ccdstate --> UARTEC+TX I2C SPI
ccdblock EC on
ccdstate --> I2C SPI
ccdblock -> AP EC
ccdblock AP off
ccdstate --> UARTAP+TX I2C SPI
ccdblock EC off --> (none)
ccdstate --> UARTAP+TX UARTEC+TX I2C SPI
ccdblock SERVO on
ccdstate --> UARTAP UARTEC
ccd lock
ccdblock AP on --> access denied
Change-Id: I3dcc8314fc98a17af57f2fe0d150ecd1a19ccf52
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/693041
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
The hash test code memory management is somewhat loose: it does not
clean up allocated buffer, but then uses it to check for presence of
the previously created handles, which can result in false positives.
Let's zero the buffer each time it is allocated and let's use
hash_test_db.contexts as the indicator if the buffer is allocated or
not.
BRANCH=cr50
BUG=none
TEST=ran ./test/tpm_test/tpmtest.py, observed rsa tests pass.
Change-Id: Iad4b4e2662fc7266ee6f556f6ddfd0051e7172d7
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/665321
Reviewed-by: Shawn N <shawnn@chromium.org>
For historical reasons, CCD, reset, and power button control were
scattered around several files. Consolidate the code in more sensible
(in retrospect) places.
No functional changes, just moving code.
BUG=none
BRANCH=cr50
TEST=make buildall; boot cr50
Change-Id: Ic381a5a5d0627753cc771189aa377e88b81b155e
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/653766
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Currently, the Cr50 state machines (EC, AP, RDD, bitbang, etc.) manage
their own enabling and disabling of the ports (UART, SPI, etc.) This
is tricky because the rules for when ports should be enabled are
non-trivial and must be applied in the correct order. In additionl
the changes all need to be serialized, so that the hardware ends up in
the correct state even if multiple state machines are changing
simultaneously.
Consolidate all of that into chip/g/rdd.c. The debug command for it
is now 'ccdstate', which just prints the state machines. This will
allow subsequent renaming of the 'ccdopen', etc. commands to 'ccd
open', etc.
Also include UART bit-banging into that state which must be
consistent. Previously, it was possible for bit-banging to leave UART
TX connected, instead of returning it to the previous state.
Use better names for CCD config fields for UART. I'd had them backwards.
BUG=b:62537474
BRANCH=cr50
TEST=manual, with a CR50_DEV=1 image
1) No servo or CCD
Pull SERVO_DETECT low (disconnected)
Pull CCD_MODE_L high (disabled)
Pull EC_DETECT and AP_DETECT high (on)
Reboot. RX is enabled even if cables are disconnected so we buffer.
ccdstate -> UARTAP UARTEC
Pull EC_DETECT low.
ccdstate -> UARTAP
Pull EC_DETECT high and AP_DETECT low.
ccdstate -> UARTEC
Pull AP_DETECT high.
ccdstate -> UARTAP UARTEC
2) Servo only still allows UART RX
Pull SERVO_DETECT high (connected).
ccdstate -> UARTAP UARTEC
3) Both servo and CCD prioritizes servo.
Pull CCD_MODE_L low (enabled).
ccdstate -> UARTAP UARTEC
Reboot, to make sure servo wins at boot time.
ccdstate -> UARTAP UARTEC
Bit-banging doesn't work when servo is connected.
bitbang 2 9600 even -> superseded by servo
bitbang -> disabled
ccdstate -> UARTAP UARTEC
4) CCD only allows more ports and remembers we wanted to bit-bang
Pull SERVO_DETECT low.
ccdstate --> UARTAP+TX UARTEC+BB I2C SPI
bitbang 2 disable
ccdstate --> UARTAP+TX UARTEC+TX I2C SPI
Reboot and see we don't take over servo ports until we're
sure servo isn't present.
ccdstate --> UARTAP UARTEC (for first second)
ccdstate --> UARTAP+TX UARTEC+TX I2C SPI (after that)
5) Bit-banging takes over ECTX
bitbang 2 9600 even
bitbang -> baud rate 9600, parity even
ccdstate -> UARTAP+TX UARTEC+BB I2C SPI
bitbang 2 disable
ccdstate -> UARTAP+TX UARTEC+TX I2C SPI
6) Permissions work. Allow easy access to full console and ccdopen:
ccdset OpenNoTPMWipe always
ccdset OpenNoLongPP always
ccdset GscFullConsole always
Default when locked is full AP UART EC RO, no I2C or SPI
ccdlock
ccdstate -> UARTAP+TX UARTEC
No EC transmit permission means no bit-banging
bitbang 2 9600 even
bitbang -> disabled
ccdstate -> UARTAP+TX UARTEC
But it remembers that we wanted to
ccdopen
ccdstate -> UARTAP+TX UARTEC+BB I2C SPI
bitbang 2 disable
ccdstate -> UARTAP+TX UARTEC+TX I2C SPI
Try turning on/off permissions
ccdset UartGscTxECRx always
ccdlock
ccdstate -> UARTAP+TX UARTEC+TX
No read means no write either
ccdset UartGscRxECTx ifopened
ccdlock
ccdstate -> UARTAP+TX
ccdopen
ccdset UartGscRXAPTx ifopened
ccdlock
ccdstate -> (nothing)
Check AP transmit permissions too
ccdopen
ccdset UartGscRxAPTx always
ccdset UartGscTxAPRx ifopened
ccdlock
ccdstate -> UARTAP
Check I2C
ccdopen
ccdset I2C always
ccdlock
ccdstate -> UARTAP I2C
SPI port is enabled if either EC or AP flash is allowed
ccdopen
ccdset flashap always
ccdlock
ccdstate -> UARTAP I2C SPI
ccdopen
ccdset flashec always
ccdset flashap ifopened
ccdlock
ccdstate -> UARTAP I2C SPI
Back to defaults
ccdoops
Change-Id: I641f7ab2354570812e3fb37b470de32e5bd10db7
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/615928
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
There is no point in updating the Cr50 to an image which will not be
allowed to run due to board ID settings mismatch.
This patch modifies the prototype of check_board_id_mismatch() to
allow to pass to this function an arbitrary pointer to an image
header, so that the function can check not only the image in the flash
memory, but also the image which just arrived over the line.
The contents_allowed() function now checks if the new image is
compatible with the Board ID value in Info1 and rejects the new image
if there is a mismatch.
BRANCH=cr50
BUG=none
TEST=tried updating a Cr50 to an image which is incompatible with the
Info1 fields contents. The update attempt is rejected. Verified
that updating to a compatible image still works as designed.
Change-Id: I3d6c16df11fcabd05888f3cbf5e9a81dc51fe66f
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/650812
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
The state machine in common/case_closed_debug.c only handles a subset
of what we need to do for Cr50 external case closed debugging, and
also supports a 'partial' CCD state that doesn't exist for Cr50. Move
the few lines of code from that we actually need into our file.
BUG=none
BRANCH=cr50
TEST=manual
Assert CCD_MODE_L
See 'CCD EXT enable'
Confirm Cr50 console appears as a RW /dev/ttyUSBn endpoint
Confirm firmware update over USB works
Deassert CCD_MODE_L
See 'CCD EXT disable'
Confirm Cr50 console appears as a RW /dev/ttyUSBn endpoint
Confirm firmware update over USB does not work (can't find device)
Change-Id: Id96f2770632839a9690740ece54bc2eb71d39a38
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/647909
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Currently, only usb_pd_protocol.c cares about the actual ccd mode
(disabled/partial/enabled). Everything else just cares whether it's
enabled or not. So promote the boolean ccd_is_connected() from
board/cr50 up to chip/g, and rename it to ccd_ext_is_enabled() to
match the new nomenclature (since 'CCD' itself is now too overloaded).
This will make it easier to handle CCD state directly in board/cr50
after we split it from common/case_closed_debug.c
BUG=none
BRANCH=cr50
TEST=make buildall; boot cr50; make sure USB endpoints still work
Change-Id: Ic3df7467bfe29f1c5d7060cac1309a1f0e090d9e
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/648212
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Previously, chip/g/rdd provided a method for an external console
command to override the Rdd cable detect state. But since we'll be
refactoring the 'ccd' command, it's tidier to move this to a console
command inside the rdd driver itself.
BUG=none
BRANCH=cr50
TEST=manual, with no debug cable present
rdd enable -> Rdd connect
rdd -> keepalive
rdd disable
rdd -> connected (hasn't had a chance to run state machine)
(wait <1 sec)
rdd -> debouncing
(wait 1 sec) -> Rdd disconnect
Change-Id: I141eedf8070b4ad2c96cc5a364f4e37dc29bed70
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/647991
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
This is the last state machine which used common/device_state.c. But
servo is more complex than that, because it needs to differentiate
state-isn't-known (debouncing) from state-isn't-knowable (Cr50 driving
EC TX), so it's cleaner to split it out the way we did AP and EC state
machines in previous CLs.
BUG=b:35587387
BRANCH=cr50
TEST=manual with CR50_DEV=1 build
// Test detect at boot, even with CCD connected
Pull CCD_MODE_L low
Pull DETECT_SERVO high
Pull DETECT_EC high
reboot -> 'Servo connect'
// CCD is not driving EC UART TX
ccd -> EC on, Servo connected, CCD enabled, EC UART RX
// When servo disconnects CCD can drive EC TX
Pull DETECT_SERVO low --> 'Servo disconnect'
ccd -> EC on, Servo undetectable, CCD enabled, EC UART RX+TX
// Can't detect servo reconnecting if we're driving EC TX
Pull DETECT_SERVO high --> (no change)
ccd -> EC on, Servo undetectable, CCD enabled, EC UART RX+TX
// When we stop driving EC TX, can redetect servo
Pull EC_DETECT low --> See 'EC off', 'Servo connected'
ccd -> EC off, Servo connected, CCD enabled, EC UART disabled
// Test debouncing at boot
Pull DETECT_EC high
Pull DETECT_SERVO low
Pull CCD_MODE_L high
reboot
Within 1 sec, pull DETECT_SERVO high --> 'Servo connected'
// Test debouncing after boot
Pull DETECT_SERVO low then high < 1 sec --> (no message)
Change-Id: I964bd36c35f52c8ef7b3ea3793b6e0764e93587c
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/636047
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
The device state machines aren't quite similar enough to use common
code. Split the AP state machine out, the way we split out the EC
state machine in the previous CL.
BUG=b:35587387
BRANCH=cr50
TEST=manual, with Cr50 strapped (or hard-coded) not to use platform reset
and not to use TPM reset to detect the AP:
Pull CCD_MODE_L low, so Cr50 detects/enables CCD
Pull AP_DETECT high.
Pull INT_AP_L low (with resistor).
Pull AP_DETECT low --> See 'AP off' message
gpioget --> INT_AP_L=0
ccd --> AP UART disabled
Pull AP_DETECT high --> See 'AP on' message
gpioget --> INT_AP_L=1
ccd --> AP UART RX+TX
Pull AP_DETECT low for <1 sec then back high
(don't see AP off/on message)
gpioget --> INT_AP_L=1
ccd --> AP UART RX+TX
Reboot with AP_DETECT still low -> AP off at 1 second
Reboot with AP_DETECT still low and then assert AP_DETECT
within a second -> AP on immediately
Repeat with Cr50 strapped/hard coded to use platform reset, but
using TPM_RST_L instead of AP_DETECT. Note that this will also
show TPM reset debugging output when TPM_RST_L is asserted.
Change-Id: Ief9e4e5f2585ff925de1595cc8fbd5306c94a806
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/634248
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Previously, some code paths such as CCD permissions change could
result in enabling EC or AP UART RX when the EC or AP is off. This
could result in interrupt storms.
BUG=none
BRANCH=cr50
TEST=manual
// Initial conditions
Assert CCD_MODE_L
Deassert DETECT_SERVO
// Both RX and TX disabled when processor turns off
// and re-enabled when it turns back on
Deassert DETECT_EC
ccd -> EC UART disabled
Assert DETECT_EC
ccd --> EC UART RX+TX
Deassert DETECT_AP
ccd -> AP UART disabled
Assert DETECT_AP
ccd --> AP UART RX+TX
// TX disabled when CCD disabled
Deassert CCD_MODE_L
ccd --> EC UART RX, AP UART RX
Assert DETECT_SERVO
ccd --> EC UART RX, AP UART RX
// Don't enable TX when detecting EC, if servo is connected
Deassert DETECT_EC
ccd -> EC UART disabled
Assert DETECT_EC
ccd --> EC UART RX
// Don't enable TX when detecting CCD, if servo is connected
Assert CCD_MODE_L
ccd --> EC UART RX, AP UART RX
// When servo disconnects, enable TX if CCD is connected
Deassert DETECT_SERVO
ccd --> EC UART RX+TX, AP UART RX+TX
Change-Id: Icb144c23e949afb0384c242965aa729b078b03eb
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/642349
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
In order to test certain devices in the test lab using cased closed
debugging (CCD), we need a mechanism to programmatically "press" the
recovery button. Even though this signal is being buffered through the
EC to the AP, and the EC could theoretically set it if needed, we cannot
trust the EC in its RO image since it may speak to the outside world
over USB PD.
Instead, this commit introduces a console command on cr50 that can be
used to force the recovery button state to be pressed. However, it is
gated behind the CCD capabilities defaulting to the IfOpened state.
Additionally, a new vendor command is added to query the trusted state
of the recovery button. The AP should use this command instead of
trusting the GPIO connected to it.
BUG=b:37751915, b:64146626
BRANCH=cr50
TEST=Flash cr50. Press KEY0, verify that reported rec btn follows the
state of the button.
TEST=`recbtnforce enable` causes the button to be reported as pressed.
Physical presses of the button do not alter the reported state.
TEST=`recbtnforce disable` causes the reported state to follow that of
the physical button.
TEST=The `recbtnforce` command is set to the IfOpened capability by
default.
TEST=CCD locking the DUT and attempting to force the recovery button
results in an error of access denied. The physical state is reported.
TEST=From the AP, issue the vendor command to retrieve the button state
and verify that it behaves as expected.
Change-Id: Ib8c2928e75e5f9a1a83c5361664efc3fa0ae2ddb
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Reviewed-on: https://chromium-review.googlesource.com/635955
Commit-Ready: Aseda Aboagye <aaboagye@chromium.org>
Tested-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Add a function to translate device_state enum into a string, then use
it for printing the ec and RDD state.
Refactor ec_state so that all state transitions go through a
set_state() function, which makes it easier to turn on debugging all
state transitions. That's normally not compiled in because it would
be spammy during debouncing.
BUG=none
BRANCH=cr50
TEST=ccd command prints EC and RDD states
Change-Id: Ie7bc56c7b66beee23d1d1989711c640e5e39ce43
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/642121
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Now that there are separate board config functions, use
!board_detect_ap_with_tpm_rst() to decide whether to configure
DETECT_AP on DIOA3, not board_use_plt_rst().
BUG=none
BRANCH=cr50
TEST=Boot cr50 strapped to use platform reset. See that 'gpioget'
shows DETECT_AP does not respond to changes on the DIOA3 pin.
Boot cr50 strapped not to use platform reset. See that 'gpioget'
shows DETECT_AP responds to changes on DIOA3.
Change-Id: Ieb05015c948b2bbafa744f00a11e6b3da143ca5b
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/642120
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
The device state machines aren't quite similar enough to use common
code. Split the EC state machine out, the way we split out BattPrsnt
and CCD_MODE.
BUG=b:35587387
BRANCH=cr50
TEST=manual
Pull CCD_MODE_L high, so Cr50 detects/enables CCD
Pull EC_DETECT high.
reboot -> 'EC RX only', then 'EC on' at 1 second
Pull EC_DETECT low --> See 'EC off' message
ccd --> EC UART disabled
Pull EC_DETECT high --> See 'EC on' message
ccd --> EC UART RX+TX
Pull EC_DETECT low for <1 sec then back high
(don't see EC off/on messages)
ccd --> EC UART RX+TX
Reboot with EC_DETECT still low -> EC off at 1 second
Reboot with EC_DETECT still low and then assert EC_DETECT
within a second -> EC RX only, then EC connect at 1 second.
Change-Id: I71687e651d625cadd656934f4cb2bbadc0b58816
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/619750
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Add some board property functions that describe what behavior we are
checking instead of just using board_use_plt_rst. More devices are
getting deep sleep support. This changes some function names to make the
transition easier.
This change adds board_use_deep_sleep and board_detect_ap_with_tpm_rst.
Right now both of these just call board_use_plt_rst. This will
eventually change with the expansion of deep sleep to new devices.
BUG=none
BRANCH=cr50
TEST=run firmware_Cr50DeepSleepStress with 10 suspend/resume cycles
Change-Id: I8d9ef23f686dea788d26ac4973054ad027fdd3a4
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/633891
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Each GPIO interrupt should only be enabled after its state machine is
ready to accept interrupts. Enabling them all by default may cause
undefined behavior if an interrupt occurs before state machine init.
Also, EC_TX_CR50_RX was enabled, and then explicitly disabled in
board_init() because we didn't want it. Simpler only to enable the
interrupts we do.
BUG=b:35587228
BRANCH=cr50
TEST=boot cr50; manually wiggle platform reset and the detect GPIOs
and see that interrupts are still generated.
Change-Id: If810eb6fee9945f0c6dfe0d4b592bdc5ff4be6e7
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/619749
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Use the previously introduced TPM logging framework to log TPM reset
events. The two lowest data field bits are used to communicate the
type of reset passed to tpm_reset_request(),
BRANCH=cr50
BUG=b:63760920
TEST=with the upcoming patches verified that TPM initialization is
logged as expected
Change-Id: Ic0874723ec6df616a8237b036542398b29fe5ccc
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/620113
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Shawn N <shawnn@chromium.org>
Currently, we only use the AC detect interrupt for battery cutoff
support on detachable devices, and we use the RDD detect interrupt for
waking Cr50 from deep sleep. However, Eve accidentally detects RDD
when the EC is off, so this is not a reliable signal - particularly if
Cr50 is explicitly driving EC reset.
Enable the AC detect interrupt all the time, and defer sleep for 5
seconds when it transitions. This will have a negligible effect on
overall power (since AC is not normally transitioning) and will allow
the RDD detect code to be simplified.
BUG=b:64799106
BRANCH=cr50
TEST=manually pull DIOR5 up and down; see AC interrupt debug output.
idle d, wait for sleep, then wiggle DIOR5 and see that cr50 wakes.
Change-Id: I7551f25e27a79573bf4527d8c38994634df621ec
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/619319
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
A common failure condition on the i2c bus is when the master
unexpectedly stops clocking the bus while the slave is driving the SDA
line low. In this case the master is not able to issue Stop or Start
sequences, which makes the bus unusable.
Good slave controllers are able to detect this condition and recover
from it by removing the pull down from the SDA line. This patch adds
this capability to the g chip i2c slave controller.
A new timer function is created which samples the SDA line twice a
second. If it detects that SDA is low in two consecutive invocations
and the number of i2cs read interrupts has not advanced, it decides
that the "hosed slave" condition is happening and reinitializes the
i2c driver, which removes the hold from the SDA line.
Even though the state of the SDA line is supposed to be accessible
through the I2CS_READVAL register, it in fact is not, reads always
return zero in the SDA bit. To work around this a GPIO (port 0, bit
14) is being allocated to allow to monitor the state of the line, it
is multiplexed to the same pin the SDA line uses.
When the AP is in low power modes the SDA line is held low, this state
should not trigger i2c reinitializations.
CQ-DEPEND=CL:616300
BRANCH=none
BUG=b:35648537
TEST=connected H1 on the test board to an I2c master capable of
stopping clocking mid byte. Observed that the existing code would
just sit in the "hosed" state indefinitely. The code with the fix
recovers from the condition (drives the SDA line high) 500ms to
1s after the failure condition is created.
Change-Id: Iafc7433bbae9e49975a72ef032a923274f8aab3b
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/614391
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
We previously disabled the USB PHY to the AP. But the BOARD_AP_USB
property lingered on. Remove the property.
Also clean up the idle task deciding when to do utmi wakes. With the
AP USB connection disabled, that's only necessary when the debug cable
is attached, so we can check that explicitly.
BUG=none
BRANCH=cr50
TEST=make buildall; boot CR50_DEV=1 image
Change-Id: If81a7bcfe845d9d70dcc7e16239244a4f5f2427b
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/616301
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
A subsequent CL will massively refactor the device state machines.
Add the helper functions which will be used by that CL, so that
the refactoring touches fewer files.
No change in functionality.
BUG=none
BRANCH=cr50
TEST=make buildall; boot cr50 with a CR50_DEV=1 image
Change-Id: I3499d45e93fa15b6de9c04ce398d1c5bfbbc01e9
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/616300
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Printing dots each time device wakes up from sleep causes the terminal
to be overflown with dots, especially in cases when interrupts are
generated at high rate.
Let's replace printing dots with a rotating wheel, the screen is not
going to be wiped out, and one still can tell the rate the wake
interrupts are coming at.
Also, each time the wake source changes, print its hex value.
BRANCH=none
BUG=none
TEST=verified proper printing of the spinning wheel and wake interrupt
sources.
Change-Id: Ic32466234f91b4a19b6186f74296dc6dd765a8fa
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/611962
Tested-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
The device_state module is used for debouncing GPIO inputs to
determine device state. It was overkill for managing the battery
present state as forwarded to the write protect pin, and split that
handling between 3 files (board.c, wp.c, device_state.c). Move all of
that logic into wp.c so it's easier to maintain.
BUG=none
BRANCH=cr50
TEST=manual
plug in battery (or ground DIOM2)
wp command reports WP enabled
unplug battery (or pull DIOM2 high)
wp command reports WP disabled
Change-Id: I71ab9ce5766ecddae430c63a8b31388935a46180
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/604500
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
The device_state module is used for debouncing GPIO inputs to
determine device sstate. It was overkill for managing the CCD cable
(RDD) attach/detach state, and split that handling between 3 files
(board.c, rdd.c, device_state.c). Move all of that logic into rdd.c
so it's easier to maintain.
BUG=none
BRANCH=cr50
TEST=manual
plug in CCD cable (or ground DIOM1)
ccd command reports cable connected and AP UART TX+RX
unplug CCD cable (or un-ground DIOM1)
ccd command reports cable disconnected and AP UART disabled
Change-Id: Id8fcd3a51605ae7a4843668ea18dd0ef84aceb2c
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/604499
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
This mostly adds a bunch of comments, but does make a few changes to
the code:
1) The devices console command now prints both the current device
state and the last known state.
2) servo_state_unknown() also checks if we're bit-banging the EC UART,
since that could also cause EC_DETECT to go high.
BUG=none
BRANCH=cr50
TEST=make buildall; use 'devices' command
Change-Id: I73e7524545ef49494eb36155b99f4042c1fd466d
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/602695
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
We need to ensure that the NVMEM variable containing the seed is properly
saved to flash, so we can restore it later whatever happens.
Add a call to writevars() which triggers the NVMEM commit rather than
accidentally waiting for it.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=cr50
BUG=b:35545754
TEST=run twice 'trunks_send --u2f_cert --crt=/tmp/mycert.crt' and
hard-reboot the cr50 in between and see both certificates are
fully identical.
Change-Id: Iea4f9fdede4c0a2eeae1c59633caa16dbf70a66f
Reviewed-on: https://chromium-review.googlesource.com/602241
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Implement the RFC 6979 to get a deterministic integer k when doing the
ECDSA signing of the x.509 certificates used by U2F and particularly
individual attestation mechanism, rather than using the random generator
as per the original ECDSA algorithm.
So the generated certs have bit-for-bit identical signatures when the
content is identical.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=cr50
BUG=b:35545754
TEST=pass U2FTest and manually dump several individual attestation certs,
run the "rfc6779" console command when enabled.
Change-Id: I7b73eee6d5a863aae9a7eec49db884151bad5ab4
Reviewed-on: https://chromium-review.googlesource.com/558073
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Remove the code switching between PHY0 and PHY1. We now only use the CCD
PHY on all boards.
BUG=b:36488273
BRANCH=cr50
TEST=ccd works fine. cr50 usb doesn't show up on the AP. You cannot
switch the PHY on cr50.
Change-Id: I6ff641af9d7129daa8592f952f9df97c3862395b
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/595201
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
