Commit Graph

14 Commits

Author SHA1 Message Date
Nicolas Boichat
7fdcb8bf86 usb_update: Add support for touchpad debugging feature
We support a touchpad-specific debugging feature over the USB update
protocol. This will be used to fetch raw data from the sensor,
without requiring to remove the write-protect screw.

BRANCH=none
BUG=b:63993891
TEST=./usb_updater2 -g 00 -d 18d1:502b

Change-Id: I46dfd97aaa17b73a5893fe1e8c62327a302f829b
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/763574
Reviewed-by: Chun-ta Lin <itspeter@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
2017-11-14 03:22:31 -08:00
Nicolas Boichat
82e0892fc3 update_fw: Store complete touchpad FW hash
This will be used by the updater to first check that the touchpad
FW on AP side matches the one for which we stored hashes on EC
side.

This guarantees that we do not accidentally try to flash an
incorrect FW, which would render the touchpad non-functional.

BRANCH=none
BUG=b:63993173
TEST=make TOUCHPAD_FW=SA459C-1211_ForGoogleHammer_3.0.bin \
          BOARD=hammer -j
TEST=./usb_updater2 -t
     includes output of
     sha256sum A459C-1211_ForGoogleHammer_3.0.bin

Change-Id: Id30ab2d7c7d7e2d0f25cc893f685d218c44c022e
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/641736
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
2017-09-15 10:50:27 -07:00
Nicolas Boichat
23b0d417f5 update_fw: Add support for touchpad update over virtual address
In the field, we want to update touchpad FW using the same USB
update protocol as the main EC FW.

To distinguish between EC FW update and touchpad FW update, we
use a virtual address, defined by CONFIG_TOUCHPAD_VIRTUAL_OFF,
that does not map to anything on the EC chip.

Also, this will allow us to verify hashes of each block of the
flashed touchpad firmware, so that we can ensure its integrity
before flashing it into the touchpad. A stub is implemented in
update_fw.c:contents_allowed.

BRANCH=none
BUG=b:63993173
TEST=With follow-up CLs, ./usb_updater2 -p 144.0_2.0.bin

Change-Id: I4de1d7d138fc01fe1552a4173c8ef208ecb834a7
Signed-off-by: Nicolas Boichat <drinkcat@google.com>
Reviewed-on: https://chromium-review.googlesource.com/593373
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Chun-ta Lin <itspeter@chromium.org>
2017-08-10 01:14:59 -07:00
Nicolas Boichat
e525e1af8a usb_update: Add a way to fetch touchpad information
We'd like to know touchpad vendor/product id, as well as currently
running FW version. This CL does that by adding a new
UPDATE_EXTRA_CMD_TOUCHPAD_INFO command.

We also make the interface more generic by adding a CONFIG_TOUCHPAD
configuration option, even though we only support Elan touchpads
currently.

BRANCH=none
BUG=b:63418037
TEST=Flash hammer, ./usb_updater -t

Change-Id: Icce3c785eb3235bcc50b2ae7c0227ce11cbc9f2b
Signed-off-by: Nicolas Boichat <drinkcat@google.com>
Reviewed-on: https://chromium-review.googlesource.com/593000
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Chun-ta Lin <itspeter@chromium.org>
2017-08-03 00:32:05 -07:00
Nicolas Boichat
77e7913b69 usb_update: Add handler for pairing challenge command
Handle UPDATE_EXTRA_CMD_PAIR_CHALLENGE command, where the
lid sends a random x25519 public key, and nonce, and the base
replies with its own (stable) x25519 public key, and computes
a shared secret using its private key to verify its identity.

BRANCH=none
BUG=b:38486828
TEST=Flash hammer, ./usb_updater2 -c always reports the same
     device public key, and authenticator is correct.

Change-Id: Ida60ffa7476794ee92669951c740dbe35950fb9c
Reviewed-on: https://chromium-review.googlesource.com/532475
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
2017-06-15 07:07:40 -07:00
Nicolas Boichat
ba78fa4173 usb_update: Add support for INJECT_ENTROPY command
As part of the pairing process, AP needs to be able to inject
some entropy into the base.

Let's also define PAIR_CHALLENGE, which will be implemented in
a later CL.

BRANCH=none
BUG=b:38487027
TEST=Flash hammer. On host, reboot hammer to RO:
     usb_updater2 -r; sleep 0.5; usb_updater2 -s
     usb_updater2 -e (adds entropy)
     EC console: check that rollbackinfo shows secret is updated

Change-Id: I964bb578c6bfbb1ab5105a70b43682d51df4ed47
Reviewed-on: https://chromium-review.googlesource.com/513807
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2017-05-25 18:58:47 -07:00
Nicolas Boichat
7b76a8a2ca common/usb_update: Add support for UPDATE_EXTRA_CMD_UNLOCK_ROLLBACK
AP will use that command to tell base EC that it believes the current
FW is functioning correctly, and that the rollback region can
be unlocked for an update on the next reboot.

BRANCH=none
BUG=b:35586219
BUG=b:35587171
TEST=- Flash hammer ToT image with rollback version 0
       > flashwp true; reboot
       > flashinfo => all flash is protected
     - Update CONFIG_ROLLBACK_VERSION to 1
       $ make BOARD=hammer -j
     - Flash new RW
       $ sudo extra/usb_updater/usb_updater2 -w
       $ sudo extra/usb_updater/usb_updater2 -r
       $ sleep 0.5
       $ sudo extra/usb_updater/usb_updater2 -s
       $ sudo extra/usb_updater/usb_updater2 build/hammer/ec.bin
       > rollbackinfo
       rollback minimum version: 0
       RW rollback version: 1
     - Tell RW to unprotect rollback
       $ sudo extra/usb_updater/usb_updater2 -u
       $ sudo extra/usb_updater/usb_updater2 -r
       > rollbackinfo
       rollback minimum version: 1
       RW rollback version: 1

Change-Id: Ib52253e9b8bba872688d6f601d9bfad8862be25f
Reviewed-on: https://chromium-review.googlesource.com/489889
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2017-05-02 00:01:35 -07:00
Nicolas Boichat
a04a310913 rwsig/update_fw: Prevent race in rollback protection
There is a window where the rollback information in RW could
potentially be updated during RW signature verification. We make
sure this cannot happen by:
 - Preventing update over USB while RWSIG is running
 - When system is locked, only update rollback information if
   RW region is locked: this guarantees that RW cannot be modified
   from boot until RW is validated, and then until rollback
   information is updated.

Also, remove rollback_lock() in rwsig_check_signature:
rwsig_jump_now() protects all flash, which also protects rollback.
This reduces the number of required reboots on rollback update.

BRANCH=none
BUG=b:35586219
BUG=b:35587171
TEST=Add long delay in rwsig_check_signature, make sure EC cannot
     be updated while verification is in progress.

Change-Id: I7a51fad8a64b7e258b3a7e15d75b3dab64ce1c94
Reviewed-on: https://chromium-review.googlesource.com/479176
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2017-04-26 04:28:08 -07:00
Nicolas Boichat
7f6176dc55 common/usb_update: add support for extra commands
Add support for 4 extra commands that are required to update
hammer:
 - UPDATE_EXTRA_CMD_IMMEDIATE_RESET
 - UPDATE_EXTRA_CMD_JUMP_TO_RW: Tells the RWSIG task to jump
   to RW as soon as possible (assuming the image verifies)
 - UPDATE_EXTRA_CMD_STAY_IN_RO: Tells the RWSIG task to not
   jump to RW, and stay in RO, to leave enough time for
   AP to update RW.
 - UPDATE_EXTRA_CMD_UNLOCK_RW: Tells EC to unlock the RW
   section so that it can be updated (on next reboot).

BRANCH=none
BUG=b:35587171
TEST=Test RO+RW update
     cd extra/usb_updater; make
     # Jump to RW
     sudo ./usb_updater2 -j
     sleep 0.5
     # Update RO, then reboot
     sudo ./usb_updater2 ../../build/hammer/ec.bin
     sleep 0.5
     # Update RW (first tell RO to not jump to RW)
     sudo ./usb_updater2 -s
     sudo ./usb_updater2 ../../build/hammer/ec.bin
TEST=Test RW update only, with RO protected
     On EC console: flashwp true; reboot
     cd extra/usb_updater; make
     # Tell RW to unprotect RW and jump back to RO
     sudo ./usb_updater2 -w
     sudo ./usb_updater2 -r
     sleep 0.5
     # Update RW, then reboot
     sudo ./usb_updater2 -s
     sudo ./usb_updater2 ../../build/hammer/ec.bin

Change-Id: I5e8df7bdb4f06f2ac7b47de53dcde69c5002f578
Reviewed-on: https://chromium-review.googlesource.com/458470
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
2017-04-26 04:28:07 -07:00
Nicolas Boichat
cca405862a common/update_fw: Board/chip-specific first_response_pdu
cr50 and hammer/common code are such different chips that reusing the
same first_response_pdu does not make much sense.

Instead, we can use 2 different headers, the updater knows which
response to expect based on USB product ID.

In the common code answer, we can reply with the EC version string,
as well as rollback information and key version ID, which will
be required for reliable updating.

BRANCH=none
BUG=b:35587171
BUG=b:36375666
TEST=usb_updater2 can update hammer, and read its version, rollback
     version and key version.

Change-Id: I20b04070606767c71df3e6286d53e238e13375c0
Reviewed-on: https://chromium-review.googlesource.com/476452
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Nick Sanders <nsanders@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
2017-04-21 06:03:58 -07:00
Nicolas Boichat
5a5c38c2e9 common/usb_update: Statically allocate update buffer
This makes error handling simpler, and also guarantees at compile
time that EC will be able to allocate that much memory.

BRANCH=none
BUG=b:35587171
TEST=Update hammer using usb_updater2

Change-Id: Ifd4c5da80e98ee93b558679ab1cac8d5d89512e3
Reviewed-on: https://chromium-review.googlesource.com/479175
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Nick Sanders <nsanders@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
2017-04-17 22:50:20 -07:00
Nicolas Boichat
2b460c9830 common/update_fw: Remove board-specific rw_sections
rw_sections is defined in the exact same way on all common code
boards, let's remove it, and hard-code the values in update_fw.c
instead.

Take this as an opportunity to fold set_valid_section in
fw_update_start (this will be useful later on, as we also
want to return the inactive region version).

BRANCH=none
BUG=b:35587171
TEST=make buildall -j
TEST=Can update hammer over USB using usb_updater2

Change-Id: I4dd3224f17f89c1851c379255f1195dc54528b3d
Reviewed-on: https://chromium-review.googlesource.com/476451
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Nick Sanders <nsanders@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
2017-04-15 04:08:07 -07:00
Nicolas Boichat
2f5e46cef4 common/update: Update common code updater to latest chip/g version
Let's move to protocol version 6, which provides most of the new features
we want to update generic EC firmware.

Note that this matches chip/g version as of commit 0e5497db6,
plus the following uncommitted chip/g patches (CL:458364):
c73af7dd2 chip/g/upgrade: Clarify pdu/frame terminology
baea0a8c7 chip/g/upgrade: Rename SIGNED_TRANSFER_SIZE to UPDATE_PDU_SIZE
d6e41b75c chip/g/upgrade: Remove cr50-specific upgrade subclass and
                          protocol
3dc0b9a25 chip/g/upgrade: Rename upgrade to update
13436f9b9 chip/g/upgrade: Split rdpu initialization to a separate function
fab9a0936 chip/g/upgrade: Minor formatting fixups
8161ef7c0 chip/g/upgrade: Fix valid_transfer_start logic
bd6d79434 chip/g/upgrade: Fix logic for short USB packets within frames
b09e252ed chip/g/upgrade: Improve error handling

Then:
diff -u include/update_fw.h chip/g/upgrade_fw.h
diff -u common/usb_update.c chip/g/usb_upgrade.c
diff -u common/update_fw.c chip/g/upgrade_fw.c

Only shows chip/g specific differences.

BRANCH=none
BUG=b:36375666
BUG=b:35587171
TEST=make buildall -j
TEST=Can update hammer over USB using usb_updater2

Change-Id: I5b0f0281d844972dab572955d5495f808127e523
Reviewed-on: https://chromium-review.googlesource.com/458321
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Nick Sanders <nsanders@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
2017-04-15 04:08:07 -07:00
Nick Sanders
14dbcb829e servo_v4: copypasta usb updater code into common
This copies the generic USB update code into common
so it can be used on other platforms. There should be
no functional change. cr50 folks want no change to their
code so vbendeb@chomium.org will refactor this back
together at a later date.

BUG=chromium:571476
TEST=none
BRANCH=none

Change-Id: I710afb22940013e7db5d8694898b90c0ae245777
Signed-off-by: Nick Sanders <nsanders@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/362131
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
2016-07-21 13:13:35 -07:00