Our previous idea to cut Rd for many reset cases cannot work if cr50
consistently resets the EC by asserting the reset pin shortly after
power-on. Therefore, make a decision based upon whether battery-backed
memory indicates we previously negotiated a PD power contract as a sink.
If we previously did not negotiate a contract, or if power was removed
from the device (causing battery-backed memory to wipe) then we can
assume that we don't have an active power contract.
BUG=chrome-os-partner:62952
BRANCH=reef
TEST=On reef, run "cutoff" on the console, reattach AC, and verify
device successfully wakes. Also verify Rp is dropped on console 'reboot'
and F3 + power from RW.
Change-Id: Ie300b9589cac6be7a69b77678bea6b1b6b25578c
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/443356
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
ROLLBACK region will be used to store rollback information, and
can be protected independently of RW (it can only be protected when
RO is protected, though).
This is only supported on stm32f0 currently.
BRANCH=none
BUG=chrome-os-partner:61671
TEST=on hammer (stm32f072)
flashinfo => RO+RW not protected
flashwp true; reboot => only RO protected
flashwp all; reboot => RO+RW+RB protected
flashwp noall; reboot => only RO protected
flashwp rw; reboot => only RO+RW protected
flashwp rb; reboot => RO+RW+RB protected
flashwp norb; reboot => RO+RW protected
flashwp all; reboot => RO+RW+RB protected
flashwp norw; reboot => RO+RB protected
TEST=on reef, rb/norb commands not available
Change-Id: I45ffc66d91cf3699ecff025e5114c59a73dc8274
Reviewed-on: https://chromium-review.googlesource.com/430519
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Add generic routines to read or write a byte to battery-backed RAM, and
implement vbnvcontext get/set using these routines.
BUG=chrome-os-partner:62952
BRANCH=reef
TEST=On reef, with subsequent commit, run "cutoff" on the console,
reattach AC, and verify device successfully wakes. Also verify Rp is
dropped on console 'reboot' and F3 + power from RW.
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Change-Id: I14691923f2e5198e901b6b5199e92c58c68cd18d
Reviewed-on: https://chromium-review.googlesource.com/444444
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
The GPIOs on npcx are handled in banks of 8, and when processing
an interrupt for a particular bank the ISR is executed for each
GPIO in the bank that has a pending bit set.
If an interrupt in a bank is not enabled (but has fired before so
the pending bit is set) but another one in the same bank is enabled
and asserts, then the ISR both of the GPIOs will be executed because
they both have pending bits set.
This results in the ISR for a disabled interrupt getting executed
when it should not and leads to unexpected behavior.
Masking the GPIOs that are not enabled means only the ISR for the
explicitly enabled GPIOs in that bank will be executed.
Example: With the Eve board we have PCH_SLP_SUS_L on GPIO(6,2) which
is enabled at init time and is in the same WKINTG_1 bank as
TRACKPAD_INT_L on GPIO(7,1) which is not enabled, but I am working
on a patch to enable it. When going into suspend PCH_SLP_SUS_L asserts,
and that is causing the ISR for both PCH_SLP_SUS_L and TRACKPAD_INT_L
to be executed. If I try to use TRACKPAD_INT_L as a wake source from
DeepS3 this means the system immediately wakes after going to sleep.
BUG=chrome-os-partner:62224
BRANCH=none
TEST=With an additional patch to enable trackpad wake from S3 on Eve,
observe that the system can enter S3 and stay there instead of immediately
waking up due to the TRACKPAD_INT_L ISR firing when it is not enabled.
Change-Id: Idc66e22c93756faf6c4319980cfb8dfe63e0dfaa
Signed-off-by: Duncan Laurie <dlaurie@google.com>
Reviewed-on: https://chromium-review.googlesource.com/446524
Reviewed-by: Mulin Chao <mlchao@nuvoton.com>
Reviewed-by: Shawn N <shawnn@chromium.org>
The idea of this flag is to be able to protect/unprotect only the
RW portion of the flash. In the (usual) case where ALL=RO+RW, with
no other region, this makes no difference compared to the existing
EC_FLASH_PROTECT_ALL_* flag, and this flag may not be supported.
This is necessary for futher work, where a ROLLBACK region is added,
so that RW/ROLLBACK can be protected/unprotected individually.
Only support for stm32f0 is added, as this is the target for hammer.
BRANCH=none
BUG=chrome-os-partner:61671
TEST=build and flash hammer (stm32f072)
flashinfo => RO+RW not protected
flashwp true; reboot => only RO protected
flashwp all; reboot => RO+RW protected
flashwp noall; reboot => only RO protected
flashwp rw/norw not available
TEST=enable CONFIG_FLASH_PROTECT_RW
build and flash hammer (stm32f072)
flashinfo => RO+RW not protected
flashwp true; reboot => only RO protected
flashwp all; reboot => RO+RW protected
flashwp noall; reboot => only RO protected
flashwp rw; reboot => RO+RW protected
flashwp norw; reboot => only RO protected
TEST=build and flash reef (npcx)
flashinfo => RO+RW not protected
flashwp true => RO protected
flashwp all; flashinfo => all_now displayed
reboot => RO protected
flashwp rw/norw not available
Change-Id: Ica6f499cf2e8a9345b08ef52c915655a983ffe3c
Reviewed-on: https://chromium-review.googlesource.com/442265
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Add the option to use the PLL connected the 16Mhz HSI oscillator.
Fix the system timer pre-scaling when changing frequency:
- we need to generate an update event immediately as on a 32-bit timer it
might take a very long time before going an actual update event.
- we need to ensure that the OS timestamp is monotonic and sensible
across the frequency jump.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=none
BUG=chrome-os-partner:62893
TEST=manual, on STM32L4 console, do several gettime and compare against
wall time, switch to 80Mhz with 'clock pll', verify again gettime
against wall clock.
Change-Id: Ibddbd46173b7594d16fb07e4b57660a50c636568
Reviewed-on: https://chromium-review.googlesource.com/445776
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
The TPM SPI protocol adds flow control capability, but it is
impossible to enforce it by software, software implementations need
additional means of informing the master about the slave status.
Let's follow the i2c slave driver example and use the interrupt line
from the H1 to the SOC to generate a low level pulse every time
receive data processing is completed.
BRANCH=none
BUG=none
TEST=to benefit from this patch some changes on the SOC side will be
required.
Change-Id: I576233598e98e01a007dff6b973fd96ea5ea551c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/446048
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
This patch introduces a delay between accepted cr50 firmware upload
attempts. The next attempt to write into the same or lower address in
flash would be accepted no sooner than in 60 seconds after the
previous attempt.
This would prevent a rogue user from wearing the flash by repeated
uploads to the same address.
This limitation is not imposed by dev images (those compiled with
CR50_DEV=1).
BRANCH=none
BUG=chrome-os-partner:63098
TEST=verified that attempts to update soon after the previous update
result in the following error message issued by usb_updater:
sending 0x2d8b8 bytes to 0x4000
Error: status 0x9
Modified usb_updater to send one random pdu twice. Observed the
same error message.
Change-Id: Idca55ad091d09daaddd0a4cad5b1f871af1ede93
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/445496
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Let's not allow downloading older images when in prod mode.
When the received chunk is destined into RO or RW header, verify that
the chunk's version is not lower than the current running version.
Also, if the chunk is not properly aligned with the header, verify
that it does not overlap with the header in any way.
BRANCH=none
BUG=chrome-os-partner:63098
TEST=verified that older images are rejected by prod images, and newer
and current level are accepted.
Verified that dev images still allow to downgrade.
Change-Id: I19c74f1d1bb5469cc935293a5841405149a968f6
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/444831
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Presently the CR50_DEV make variable is loaded: it enables debug
extensions in the produced cr50 image AND requires that the image is
signed with the key from the signing fob.
In fact these are two independent requirements: it is possible to use
an image built with CR50_DEV set for a dev H1 which does not require
fob signing.
A proper indication of the need to use the signing fob would be the
fact that H1_DEVIDS is defined, as it means a that node locked image
is being produced.
Images built without H1_DEVIDS set can be used on H1s which run with
the dev RO and as such do not need to be node locked, they are
signed with a well known key from util/signer/loader-testkey-A.pem.
This patch also tweaks passing the H1_DEVIDS variable to the shell
when altering the manifest. Without this tweak H1_DEVIDS definition as
make command line argument (as opposed to environment variable) was
not making it into the subshell invoked by make.
BRANCH=none
BUG=chrome-os-partner:62457
TEST=ran the following:
- built cr50 images with H1_DEVIDS defined in the environment and
in the command line, observed that the properly signed prod
image is produced (boots on a prod H1 in node locked mode).
- verified that adding CR50_DEV=1 to H1_DEVIDS in either
environment or the command line produces a properly signed
DEV image.
- verified that specifying CR50_DEV=1 alone in either environment
of command line produces a DEV image which does not require fob
signing.
Change-Id: Ied65a0bc50926aa5b6fa65e51805c2368522dcf2
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/434926
Reviewed-by: Randall Spangler <rspangler@chromium.org>
The USB FW upgrade endpoint should really only accept vendor commands
required to perform the firmware update. This commit adds a whitelist
that is checked whenever a vendor command is received over this
endpoint.
The allowed commands over USB are the following:
- EXTENSION_POST_RESET
- VENDOR_CC_IMMEDIATE_RESET (only for dev images)
There is also functionality to have a whitelist for vendor commands that
come over the TPM interface.
BUG=chrome-os-partner:62815
BRANCH=None
TEST=Flash Cr50 with image containing this change. Verify that an
upgrade over USB to newer image works.
TEST=Try using usb_updater to send a vendor command that's not in the
whitelist. Verify that the vendor command is dropped.
Change-Id: I71f8ba090a1cc6c9e7c30ce0dd3c25259e8f292f
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Reviewed-on: https://chromium-review.googlesource.com/443447
Commit-Ready: Aseda Aboagye <aaboagye@chromium.org>
Tested-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Currently, manually triggered reboots cause the retry counter to be
incremented. However, if the system is responsive enough to process the
reboot commands from either the console or TPM vendor command, we can
assume that the image is "ok". This commit changes the Cr50 behaviour
to decrement the retry counter when a reboot is issued on the console or
the TPM vendor command is received.
BUG=chrome-os-partner:62687
BRANCH=None
TEST=Flash cr50. Flash an older image in the other slot. Enter the
reboot command on the console over 10 times and verify that retry
counter never exceeds RW_BOOT_MAX_RETRY_COUNT and older image is never
executed.
CQ-DEPEND=CL:444264
Change-Id: Ic35bdc63c4141834584a00a7ecceab2abe8dfc21
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Reviewed-on: https://chromium-review.googlesource.com/443330
Commit-Ready: Aseda Aboagye <aaboagye@chromium.org>
Tested-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Should be close to the STM32L476 in the STM32L4 family.
Slightly different flash/RAM.
It's currently running from the internal clock (HSI) at 16Mhz,
we need to upgrade to 80Mhz (or 48Mhz if this is fast enough to save us
the PLL locking time).
The internal flash write/erase/protection is still not implemented for
the whole STM32L4 family.
Upgrade the SPI master support and verify that the TX works.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=none
BUG=chrome-os-partner:62893
TEST=make BOARD=eve_fp
run it on Nucleo-L432KC (STM32L432KC is mostly the same MCU without AES)
Change-Id: I87be7d4461aedfbd683ff7bb639c3a6005ee171e
Reviewed-on: https://chromium-review.googlesource.com/442466
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
In preparation for adding the rollback protection block, pass
EC_FLASH_PROTECT_RO/ALL_AT_BOOT to flash_[physical_]protect_at_boot,
instead of an enumeration no protection/RO/ALL.
This will later allow us to protect/unprotect the rollback region only,
by adding a EC_FLASH_PROTECT_ROLLBACK_AT_BOOT flag.
BRANCH=none
BUG=chrome-os-partner:61671
TEST=Build hammer with CONFIG_CMD_FLASH command, so that write protection
can be checked with flasherase/flashwrite.
TEST=On hammer (stm32f072):
flashinfo => RO+RW not protected
flashwp true; reboot => only RO protected
flashwp rw; reboot => RO+RW protected
flashwp norw; reboot => only RO protected
TEST=On reef (npcx):
deassert WP, flashwp false; flashinfo => RO+RW not protected
flashwp true => only RO protected
reboot => only RO protected
flashwp rw => RO+RW protected
reboot => only RO protected
Change-Id: Iec96a7377baabc9100fc59de0a31505095a3499f
Reviewed-on: https://chromium-review.googlesource.com/430518
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
In case there is a sudden power loss to PCH, then there are no eSPI VW
messages sent from the PCH to EC indicating power state transition into
S5. Instead, the eSPI compatibility spec defines such events as global
reset events. For global reset events, eSPI_Reset# signal is asserted
without SLP_SUS# being asserted. This acts as an indication to the EC
that there was a global reset event.
Add a callback chipset_handle_espi_reset_assert that takes any necessary
action whenever eSPI_Reset# pin is asserted. On skylake, it would check
if power button was being pressed and release the button.
BUG=chrome-os-partner:62014
BRANCH=None
TEST=Verified that apshutdown works as expected.
Change-Id: I409afa0d00faca55ae3aa577743cedac58d4d877
Signed-off-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/438935
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
There is no point in keeping in one file multiple hooks task callbacks
to handle chipset shutdown and resume conditions.
Also, the policy of disabling deep sleep needs to be decided in the
board level hooks.
BRANCH=none
BUG=chrome-os-partner:59007
TEST=ran reef through 200 cycles of suspend/resume
Change-Id: I4d30cd04b986b243a5bea44c6978a5f82f8f62a7
Reviewed-on: https://chromium-review.googlesource.com/437729
Reviewed-by: Scott Collyer <scollyer@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Trybot-Ready: Vadim Bendebury <vbendeb@chromium.org>
Being able to determine what sleep state the system is in is very
handy, and reading the state is pretty safe.
Let's declare the idle console command safe and disallow its
parameters when console is locked.
BRANCH=none
BUG=none
TEST=verified that it is possible to read the idle state when console
is locked, but not possible to set it.
Change-Id: I97f680bf033290220a4fa7fd5a7af170736443d8
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/436905
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
The output of pinmux command is garbled (it probably was OK until the
console UART TX buffer was significantly reduced in size by
https://chromium-review.googlesource.com/418948).
Let's flush the console every so often.
Also, fixed the bug where the second GPIO port base address in PIMUX
was off, and added a newline to separate UART section of the output.
BRANCH=none
BUG=none
TEST=ran pinmux command successfully. make -j buildall passes
Change-Id: Iae0dcbbd0a55d704ffe2296d6e0e81b2c6aec527
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/436765
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
The commit changes the behaviour to block accesses over the USB-SPI
bridge while the console is restricted.
BUG=chrome-os-partner:62340
BRANCH=None
TEST=Build and flash cr50 on snappy; lock console; try to flash EC bin
using CCD. Verify that it fails with flashrom not able to find a flash
chip.
TEST=Disable console lock; Try to flash EC bin; verify it succeeds.
TEST=Repeat above tests but trying to read AP flash instead.
TEST=make -j buildall
Change-Id: Ib69af1a7372d841783acee2262efbf995d031234
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Reviewed-on: https://chromium-review.googlesource.com/435437
Commit-Ready: Aseda Aboagye <aaboagye@chromium.org>
Tested-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
The cipher command implementation had to change to account for reduced
heap size and to improve coverage.
Note that the goal of this command is not to verify correctness of the
encryption services provided by the dcrypto, but to allow to exercise
the crypto engine on multiple passes, each time using the same clear
text but different initialization vector.
BRANCH=none
BUG=chrome-os-partner:62260
TEST=ran cipher command on a few devices:
> cip
Will wait up to 4074 ms
running 1000 iterations
blob size 7111 at 1e020
original data 8f3d99fbfcbd26dd0c4d8dc444d106ee
hashed data 826a4e9b04d214fbbd5fbf4e0fba8068
Encryption results: min 1128 us, max 1456 us, average 1180 us
Decryption results: min 1124 us, max 7348 us, average 1193 us
>
Change-Id: Idf72b355dce0f288d4a3d8a065bc08eb9c4f6bc3
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/434167
Reviewed-by: Nagendra Modadugu <ngm@google.com>
We wanted to reduce the number of interrupts that uart was producing so
we increased the number of characters needed in the fifos before it
would trigger an interrupt. Right now it needs 4 characters. If you
aren't printing a multiple of four characters, then not all text will be
printed.
This change changes the rxilvl back to 1. This will make using the
consoles and testing cr50 functionality more reliable.
BUG=chrome-os-partner:62158
BRANCH=none
TEST=login and boot still work fine. The AP and EC consoles print all
output correctly.
Change-Id: I2d48d02a275173d560c03e5363845a5afc94df7a
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/434891
Reviewed-by: Scott Collyer <scollyer@chromium.org>
Store our image size (known at build time) in our version struct (now
renamed to image_data). This will allow us to more efficiently determine
the size of an image in a follow-up CL.
Note that compatibility is broken for old ROs that do not include this
CL.
BUG=chromium:577915
TEST=Verify on kevin + lars + lars_pd that stored image size matches
output of system_get_image_used() for both RO and RW images.
BRANCH=None
Change-Id: I49ea5fc27a7f11f66daba485a87d0dfe7d0c770f
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/427408
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
The previous implementation of DCRYPTO_app_cipher
consumed roughly 16ms to cipher a 16kB buffer
(i.e. performance that is far worse than the
hardware is capable of).
This change speeds up the implementation by about
85%, to the tune of roughly 2.2ms for a 16kB buffer.
The gains originate from various sources: loop
unrolling, data-pipelining, eliminating local
variables (to reduce register pressure), eliminating
support for unaligned input/output data, compiling
hot code with -O (rather the default -Os), and
using the hidden key-ladder, which need only be
setup once per reset.
This change also switches from AES-128 to AES-256.
BRANCH=none
BUG=chrome-os-partner:62260
TEST=make buildall succeeds;
cipher command succeeds;
TCG tests pass
Change-Id: I133741be6d9f1353d6ae732d0e863b4b18cc8c9e
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/433359
Commit-Ready: Nagendra Modadugu <ngm@google.com>
Tested-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Add support for verifying messages signed
with 4096-bit RSA keys. Such messages may
be generated by host side applications.
Also update tpmtest.py to test 4k verification.
BRANCH=none
BUG=none
TEST=added new tests to tpmtest.py; TCG tests pass
Change-Id: I7450bd710c154c68c030ce176bfe7becbfbcb729
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/428220
Commit-Ready: Nagendra Modadugu <ngm@google.com>
Tested-by: Marius Schilder <mschilder@chromium.org>
Tested-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
With introduction of encryption it is becoming impossible to read
NVMEM contents directly from flash. Decrypting the contents each time
there is a read request creates a significant performance hit. NVMEM
needs to be rearchitecture such that there is no need to run
decryption each time NVMEM read is performed.
This patch does just that, implementation details are described in the
header comment in common/nvmem.c.
To reduce memory impact the size of NVMEM is being decreased from 16K
to 12K. This is acceptable because eviction objects stored in NVMEM
serialized now, which dramatically reduces NVMEM size requirements.
The TPM2 NVMEM size definition must be kept in sync.
Another optimization this change introduces is bypassing writing into
the flash if NVMEM contents did not change, which is verified by
examining the hash of the cached storage.
A test is added to verify that the new commit scheme works as
expected, and the nvmem test is re-introduced to the list of test ran
on each 'make buildall'.
CQ-DEPEND=CL:433839
BRANCH=none
BUG=chrome-os-partner:62260,chrome-os-partner:62421
BUG=chrome-os-partner:62437
TEST=ran the following tests, all succeeded
make buildall -j
TEST_LIST_HOST=nvmem make runtests
tcg test suite
corp enroll on reef, reboot a few times, verify that enrollment sticks
Change-Id: I177daa3ceb4fd7aac299ca26b4506b863e31b946
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/433184
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Enable the Clock Recovery Subsystem to automatically adjust the internal
HSI48 clock for proper USB operation on the STM32F0.
BUG=chrome-os-partner:34160
TEST=Manual testing on STM32F072B-DISCOVERY
Plugged in board and verified that device was detected with dmesg.
[1400698.702999] usb 3-10: new full-speed USB device number 47 using xhci_hcd
[1400698.720063] usb 3-10: New USB device found, idVendor=18d1, idProduct=500f
[1400698.720069] usb 3-10: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[1400698.720072] usb 3-10: Product: PDeval-stm32f072
[1400698.720075] usb 3-10: Manufacturer: Google Inc.
BRANCH=none
Change-Id: I496a9a121a4b1a0009fe04cfe24aaa693ada9236
Reviewed-on: https://chromium-review.googlesource.com/433059
Commit-Ready: Sam Hurst <shurst@google.com>
Tested-by: Sam Hurst <shurst@google.com>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
If common layer called i2c_xfer() with only one byte read length and the
flag is I2C_XFER_STOP, the npcx's i2c driver will return error directly.
The reason is once ec read last byte of previous transaction, hardware
will release SCL and i2c slave start to send following byte. Ec might
not have chance to generate NACK in time. A additional dummy byte is
necessary to make sure ec generate NACK before STOP condition.
BRANCH=none
BUG=chrome-os-partner:60266
TEST=make BOARD=pyro; test battery command on pyro with CONFIG_CRC8 and
CONFIG_SMBUS.
Change-Id: I372ff494b49656cbfbd4044b99b00b13daf0b741
Signed-off-by: Mulin Chao <mlchao@nuvoton.com>
Reviewed-on: https://chromium-review.googlesource.com/430569
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Shawn N <shawnn@chromium.org>
On boards based on the g chip cryptographic functions come from
hardware, they should be implemented in chip/g as opposed to a
particular board.
The common modules (like nvmem) should be using some generic API,
which hopefully will be implemented by other chips, or could be
replaced by a purely software implementation where crypto hardware
support is not available.
Crypto API definition is being added in include/ and the g chip
implementation (a wrapper around dcrypto functions) is being added in
chip/g.
test/nvmem_vars.h needed to be edited to avoid conflict with
<string.h>.
BRANCH=none
BUG=chrome-os-partner:62260
TEST=make buildall -j still passes. Booting reef with the new image
works fine too.
Change-Id: Ifef281215f89239966882ecbe3e90c8351b9b91a
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/431313
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Nagendra Modadugu <ngm@google.com>
This change introduces DCRYPTO_app_cipher(), an encrypt/decrypt
function that accepts an IV and corresponding data. Typical
restrictions on IV reuse apply. The key is derived from the hardware
based on the type of the RW image signature (dev vs prod).
A console command is added to exercise the cipher function.
Since stack requirements of the dcrypto code exceed the console task
allowance, the actual command is executed on the HOOKs task context.
BRANCH=none
BUG=chrome-os-partner:55331
TEST=make buildall -j passes. Running the cipher command from the
console succeeds:
> cipher
original data ad67d44cb4feffff6b3b334635eb9612
rv 0x01, out data 861dc395a2fc745ca886a703cb02a897, time 16636 us
rv 0x01, orig. data ad67d44cb4feffff6b3b334635eb9612, time 17004 us
sha1 before and after match!
>
Change-Id: I7686d8c8489c1b8a984859c3be4f82c338573c6f
Signed-off-by: nagendra modadugu <ngm@google.com>
Signed-off-by: Marius Schilder <mschilder@chromium.org>
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/428171
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Add and export chip_save_reset_flags to allow boards to use this
function when required.
BUG=chrome-os-partner:61883
BRANCH=None
TEST=Compiles successfully for poppy.
Change-Id: I6f96bc61135fc4e3abb62a01d47c2cba8eb45b60
Signed-off-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/431191
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
Add functions that derive application specific keys based
on FRK2. For the moment, derived keys need to be manually
copied into the AES engine. Since key-ladder state depends
on the code-signer (prod vs. dev), application derived keys
are also different in the two modes. Thus ciphertext blobs
produced by prod-signed code cannot be decrypted by dev-signed
code.
To minimize stack requirements on the hook_task, the SHA
context in DCRYPTO_appkey_init() is placed in allocated/freed
memory. This SHA object will become unnecessary once the
AES engine is seeded directly from the key-ladder.
BRANCH=none
BUG=chrome-os-partner:55331
TEST=pending
Change-Id: Ifb274b15e61be317e02ec31fc52f9a41e06dcba3
Signed-off-by: nagendra modadugu <ngm@google.com>
Signed-off-by: Marius Schilder <mschilder@chromium.org>
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/428170
Reviewed-by: Nagendra Modadugu <ngm@google.com>
There's no indication that the h/w AES function fails,
but checking the return value prevents applications
from silently proceeding and failing at a future time
(e.g. NVMEM encryption).
BRANCH=none
BUG=chrome-os-partner:55331
TEST=tpmtest.py passes
Change-Id: I8e3a9426ec31a1b0798aface55c636dc1c707b34
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/430371
Commit-Ready: Marius Schilder <mschilder@chromium.org>
Tested-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
3 minutes is too long to delay sleep after init and resume from wake
pin. This change decreases the delay to 20 seconds
BUG=none
BRANCH=none
TEST=manual
Use the cr50 power consumption to verify the sleep state
active 50mW
sleep 7mW
deep sleep 1mW
make sure suzyq is disconnected
use uart to reboot cr50
run 'reboot ap-off' on the EC console
make sure cr50 enters deep sleep at second 20
use uart to wakeup cr50 make sure it stays awake for 20 seconds
and then enters deep sleep.
wake it up again using uart and run 'idle s'
verify it enters regular sleep after 20 seconds
use uart to wake it up, make sure it does a regular sleep resume
and then goes back into regular sleep after 20 seconds
Change-Id: I65791bd3d915ceda11dc29b74e150ba589f2fa9e
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/430388
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Similarly to eve, we have a problem where the EC is not able to
distinguish between power up and reset, as VCC1_RST is simply
tied to PP3300_DSW.
BRANCH=none
BUG=chrome-os-partner:61028
BUG=chrome-os-partner:61930
TEST=Press Power+Volume Up+Volume Down, poppy enters recovery
Change-Id: Id0d89b56058e288c14e10eee7656965eee75047a
Reviewed-on: https://chromium-review.googlesource.com/428532
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Shawn N <shawnn@chromium.org>
On tablet platform, ec isn't in charge of keyboard and KSI pins are free
to use. This CL adds MIWU group and GPIO's ISR for KSI pins if there is
no keyboard scan task.
BRANCH=none
BUG=none
TEST=test all KSI pins for GPIO_INT on npcx_evb.
Change-Id: I76c8e48c067b6cb84e483eb94b104eb1998987be
Signed-off-by: Mulin Chao <mlchao@nuvoton.com>
Reviewed-on: https://chromium-review.googlesource.com/430554
Reviewed-by: Randall Spangler <rspangler@chromium.org>
In rare case, if a bus error indicates a conflict on the data
line (SDA) is detected during transmission of the byte. (i.e.,
SDA is toggling during holding data period.) and SDAST are
set at the same time, the i2c driver is not good enough to handle
it. Ec will get stuck in i2c ISR forever since SDAST util
watchdog reset occurs.
This CL includes:
1. Do a dummy read to make sure i2c slave doesn't hold i2c bus.
It makes sure i2c master can generate STOP successfully.
2. Disable smb's interrupts in "A Bus Error has been identified".
Once bus error occurred, it's better to forbid ec to enter
ISR again. Let i2c_recovery() disable the module and reset
hardware state machine to the default.
BRANCH=none
BUG=chrome-os-partner:59294
TEST=test i2c console commands on wheatley for hours.
Change-Id: Iecadcd866e115e31b18dfd68359a018867cac40e
Signed-off-by: Mulin Chao <mlchao@nuvoton.com>
Reviewed-on: https://chromium-review.googlesource.com/428482
Reviewed-by: Shawn N <shawnn@chromium.org>
DCRYPTO_HMAC_SHA256_init makes two calls to DCRYPTO_SHA256_init()
without an intervening HASH_final() call. This is incorrect usage
of the the hashing API, and results in the hardware SHA engine
getting locked for the life-time of the process (and resulting
in all future hash calls falling back to the software implementation).
This bug manifested itself when introducing NVRAM encryption, which
requires the hardware SHA engine to be available for key generation.
BRANCH=none
BUG=chrome-os-partner:55331
TEST=TCG tests pass
Change-Id: Ia4ccb6a6d64636c4618ef775291442975f3f1f92
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/430154
Commit-Ready: Nagendra Modadugu <ngm@google.com>
Tested-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
When debug enabled cr50 image is signed, the default manifest passed
to the signer is util/signer/ec_RW-manifest-dev.json. Images signed
with this manifest will not run on devices where the RO part is fused
for production.
It is possible to build node locked images for such devices, but the
manifest must include the lines
"DEV_ID0": <value>.
"DEV_ID1": <value>,
with the values matching the chip the image is built for.
This patch allows to pass the values in the make command line or the
environment, defined as follows:
H1_DEVIDS='<num 1> <num 2>'
When this value is defined, the default manifest is edited to add the
required lines.
One side effect of this patch is that the temp file where the edited
manifest is placed to is not deleted.
BRANCH=none
BUG=none
TEST=verified that images still can be built for both dev RW and prod
RO (node locked) with both debug features enabled and disabled
(CR50_DEV set and not set)
Change-Id: I0e81fc9aa65aa4d239e60de6047e2470f6eeaf50
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/428337
Reviewed-by: Randall Spangler <rspangler@chromium.org>
This function belongs in dcrypto as it relies heavily on the crypto
hardware; also, it will be handy to be able to use this function in
other cases.
BRANCH=none
BUG=chrome-os-partner:55331
TEST=buildall still builds. TPM manufacturing still works too.
Change-Id: If2e70eaa71a76e8374b98f4667cb54ea6253b760
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/428169
Reviewed-by: Marius Schilder <mschilder@chromium.org>
