If both e, and MOD are even, then no modular
inverse exists. This change adds handling
for this set of inputs. Adding this change
for completeness (there are no dcrypto library
call paths that generate both e and N as even).
BRANCH=none
BUG=chrome-os-partner:47524
TEST=bn_test passes
Change-Id: Ide64f980501175e9b6078efff92086d12bc1ae2d
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/376180
Commit-Ready: Nagendra Modadugu <ngm@google.com>
Tested-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
If the firmware was just updated clear the reset counter before
rebooting. This will ensure that the update can complete even if the TPM
isn't being used.
BUG=chrome-os-partner:56864
BRANCH=none
TEST=Set the reset counter to 7 by running 'rw 0x40000128 1' and
'rw 0x4000012c 7'. Then make sure cr50 can still be updated
Change-Id: Ic304fc7a20a4f2af7792f80e970d28e0eb10967e
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/380235
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
The high speed clock does not run when cr50 is in sleep. The low speed
timers do run in sleep and deep sleep. This change modifies the hwtimer
to use the low speed timers instead of the high speed ones.
With this change the system timer frequency is reduced and will only
tick once every 4 mircoseconds. Now the system will resume from sleep
whenever an event is scheduled, but still wont resume from deep sleep.
BUG=chromium:635620
BRANCH=none
TEST=manual
Disable sleep
add a function that prints something every second.
Verify the rollover works at ~4295s.
Change the system time using force_time.
Re-enable sleep and reduce the sleep delays in
board/cr50/board.c and chip/g/idle.ci so cr50 will go to
sleep more quickly. Verify the rollover and changing system
time works.
check that cr50 can go into deep sleep and that the print
statement wont wake it up.
Put the system into deep sleep. Use a wake pin to make it
resume. Verify it can be put back into deep sleep without the
wakepin interrupt constantly triggering.
Change-Id: I70bbc9312cd172661de53334d256949ebab6b5e9
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/376800
UART0 RX only needs to be disabled on reef. This change uses a system
property instead of a #define to disable UART0 RX that way it can just
be done on Reef not Gru or the dev board.
BUG=chrome-os-partner:55510
BRANCH=none
TEST=manual
rw 0x4060000c shows a value of 1 for reef and 3 for gru
gru kevin and reef still boot.
Connect DIOA13 to DIOA1 on the dev board and verify the console
can be used.
Change-Id: I5ee3559c2b35f959c0d67f233d1dfa40743b4064
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/378336
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Scott Collyer <scollyer@chromium.org>
There is leakage on SYS_RST_ODL from the internal pullup cr50 has on
DIOM0. This change removes the internal pullup.
Without the internal pull up SYS_RST_ODL is asserted when the EC is off.
This change modifies how sys_rst_asserted is handled so cr50 will ignore
the sys_rst interrupt whenever rbox asserts EC_RST to make sure cr50
doesn't reset itself every time it resets the EC. If the EC resets
itself and sys_rst_l is no longer pulled up, it is fine if cr50 resets.
BUG=chrome-os-partner:53544
CQ-DEPEND=CL:377504
BRANCH=none
TEST=manual
'rw 0x40550010 1' causes the EC to reset but not cr50
On the development board verify DIOM0 is not pulled up.
Test cr50 boots normally on reef, gru and kevin dvt1
Change-Id: Id8e8f6f7bb91741da34bdd6fec89eb841dd94f35
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/376886
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
In order to disable the restricted console lock, the user has to
poke the power button repeatedly for some time. This CL
implements the logic to tell when this is happening, and whether
it is successful or not.
With this CL, unlocking only takes 10 seconds. This period will
be extended for production use. Right now we're just testing.
BUG=chrome-os-partner:55322
BUG=chrome-os-partner:55510
BRANCH=none
TEST=make buildall; test on cr50 hardware
At the console, run the "lock" command to see if it's already
disabled. If it is, run "lock enable" to lock it.
To unlock it, run "lock disable". A countdown will appear, after
which you will need to poke the Power button every 2 seconds for
10 seconds. If you do so, the console will be unlocked.
Change-Id: Ib5a94172080e627f3268d50d2587ec58bf8d9473
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/377621
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Even when CONFIG_RESTRICTED_CONSOLE_COMMANDS is enabled, there
are many commands that can't do anything dangerous. This marks
some of those commands as safe to use, even when restrictions are
enforced.
I'm only marking commands that are used by the Cr50, since that's
the only board that has restrictions.
BUG=chrome-os-partner:55322
BRANCH=none
TEST=make buildall, test on Cr50 hardware
Change-Id: I6289d332830175b6adcb6b20cb4c21d01d27a25e
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/376188
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Version 4 of the update protocol provides the host with version
numbers of currently running RO and RW.
Another enhancement is that flash erase is postponed til the moment
the first chunk of data for the section arrives. This allows to quiry
running firmware versions in a non-destructive fashion.
BRANCH=none
BUG=chrome-os-partner:49954
TEST=ran usb_update on a Reef with an old cr50 image on it. Observed
it complete once with exit code of 2 (RO could not be updated),
ran it again, observed it succeed, and verified that both RO and
RW on the Reef got updated.
Change-Id: I27841c464cd0a414fa8959b686b59d8f07765387
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/374760
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Trying to use usb_updater in the upstart script made its shortcomings
very obvious: it is difficult to tell if the cr50 needs to have both
RO and RW updated, and if so - if it is even capable of updating RW.
Also, it is not clear that the target should erase its backup sections
as soon as it receives the transfer originating PDU. It is not known
in advance if the host has a newer RW section, of if the host is even
going to transfer the RO section.
These issues are addressed by version 4 of the image transfer
protocol.
The target now reports versions of its currently active RO and RW
sections back to the host. The host compares versions running on the
target with the versions retrieved from the image prepared for the
update and decides which sections, if any, need to be transferred.
The host also takes into account protocol version currently running by
the target's RW: versions below 3 do not allow RO updates.
In the development environment USB transfer ends with the target
reset. This is not desirable when the update is happening on a
Chromebook running production code. Also, in the development
environment there could exist multiple versions of the image with the
same signer header version fields, with only difference in the
timestamp. We want to be able to update using these images in
development environment, but in production we want to rely to the
header version fields.
These two mode (dev versus production) are now controlled by the
-u/--upstart command line flag.
The updater now can return four different exit values:
- 0 means that the update was not required, the device is already
running the current code.
- 1 means update was completed, the target must be reset for the
update to kick in.
- 2 means that the RW transfer was completed, but the RO transfer
could bot be attempted, because the target is running an early
protocol version and is not capable of the RO updates.
This exit value is the indicator that the utility needs to be run
again after target restated, so that the new RW version can accept
an RO update.
- 3 means the update failed due to some internal error.
BRANCH=none
BUG=chrome-os-partner:49954
TEST=updates of targets running earlier protocol version still work
fine.
Change-Id: Ia56f63072eaf88dcdefebf621b7341535748c7d7
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/374759
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Cr50 needs to connect to the AP phy when not in ccd so cr50 can be
updated and used as a gnubby. This change uses the strapping options
to detect when it is on reef and modifies the ccd behavior to
initialize usb on the AP phy when ccd is disabled. On gru the cr50
behavior is unchanged.
In RDD this change removes the checks that the current_map is the
correct one based on the detected debug state. rdd_init calls
rdd_interrupt to set up the usb and ccd state correctly. Having that
check prevents that initial rdd_interrupt from calling rdd_detached.
Before rdd_detached just disabled usb and we knew during init it
would already be disabled. Now we want to make sure it is called if a
debug accessory is not attached to initialize usb on the AP PHY.
BUG=chrome-os-partner:56098
BRANCH=none
TEST=manual
verify ccd still works on gru
disconnect suzyq and reset reef.
run lsusb on the AP and verify it shows cr50 as a device.
connect suzyq and check that the AP no longer sees cr50.
disconnect suzyq and verify the AP sees it again
Change-Id: I3c1ccc54895835bce12302f3ea43fc2e751b4c97
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/372920
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
* Added MACRO for specifying row size of flash device.
* Set chip/g specific values for flash row size.
The flash API for g/chip will segment large write operations into a
maximum of 32 word blocks for batch writes to flash memory. Prior to
the change in this commit, the segmentation will adhere to avoiding
crossing page boundaries (2048B) but will not respect row boundaries
(256B). The flash controller will reject any write op that crosses a
row boundary and set a row boundary violation code on its error
register.
BRANCH=none
BUG=b:30819377
TEST=make BOARD=haven_dev
Change-Id: I489122ec0f0db6374dd373a1385c3012bdface20
Reviewed-on: https://chromium-review.googlesource.com/371003
Commit-Ready: Bill Richardson <wfrichar@chromium.org>
Commit-Ready: Johnnie Chan <johnniec@google.com>
Tested-by: Johnnie Chan <johnniec@google.com>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Since pretty much always, we've declared console commands to take
a "longhelp" argument with detailed explanations of what the
command does. But since almost as long, we've never actually used
that argument for anything - we just silently throw it away in
the macro. There's only one command (usbchargemode) that even
thinks it defines that argument.
We're never going to use this, let's just get rid of it.
BUG=none
BRANCH=none
CQ-DEPEND=CL:*279060
CQ-DEPEND=CL:*279158
CQ-DEPEND=CL:*279037
TEST=make buildall; tested on Cr50 hardware
Everything builds. Since we never used this arg anyway, there had
better not be any difference in the result.
Change-Id: Id3f71a53d02e3dc625cfcc12aa71ecb50e35eb9f
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/374163
Reviewed-by: Myles Watson <mylesgw@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
There is leakage on SYS_RST_ODL from the internal pullup cr50 has on
DIOM0. This change removes the internal pullup.
Without the internal pull up SYS_RST_ODL is not pulled up whenever the
EC is off. I changed how sys_rst_asserted is handled so it will ignore
the sys_rst interrupt whenever rbox asserts EC_RST to make sure cr50
doesn't reset itself every time it resets the EC. If the EC resets
itself and sys_rst_l is no longer pulled up, it is fine if cr50 resets.
BUG=chrome-os-partner:53544
BRANCH=none
TEST=manual
'rw 0x40550010 1' causes the EC to reset but not cr50
On the development board verify DIOM0 is not pulled up.
Test cr50 boots normally on reef and gru
Change-Id: Ic1d4d160ddb0d69081cb1f194d50939dac6fc5c2
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/373838
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
The parse_bool() function exists so we don't have to litter our
console commands with stuff like this:
if (!strncasecmp(argv[1], "on") ||
!strncasecmp(argv[1], "enable" ||
!strncasecmp(argv[1], "true" ||
[...]
This CL uses parse_bool instead of that kind of thing so I don't
have to remember which commands use "enable" and which use "on"
and so forth.
I only changed the commands that Cr50 uses.
BUG=none
BRANCH=none
TEST=make buildall; test on Cr50 hardware
I tested all the affected commands to ensure that they still work
correctly: usb, ccd, flashwp (which doesn't do anything anyway).
Change-Id: I7d875ab22934fb4b500e3d0f62ebe3e04101272d
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/373658
Reviewed-by: Randall Spangler <rspangler@chromium.org>
This patch modifies CR50 code to switch to firmware update protocol
version 3. In this version both SPI and USB updates use exactly the
same messages (apart from the size field added by USB to help
reassembly of the fragmented frames).
Bot unused RO and RW sections can be now programmed.
BRANCH=none
BUG=chrome-os-partner:55789
TEST=on a Kevin running the existing cr50 image programmed the new
cr50 image, restarted the device, programmed the cr50 image again
(this time using version 3), restarted the device, then
programmed both RO and RW images and restarted the device. Each
time verified that the proper image is running.
Change-Id: I0cf196ec6de1786510433f8252164a33ccdc6dec
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/371941
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
I don't think that the received_data pointer in sps_rx_interrupt can
actually be used without initialization in the current code flow, but
GCC 5.3 thinks that it can, and throws an error.
sps_check_rx() always sets the pointer or returns 0. In either case
we should be ok, but initializing it to null here won't hurt anything
since it's not masking an actual error.
BUG=None
BRANCH=None
TEST=Build all boards successfully.
Change-Id: Idaea7efd1af3067c492a3ade4c89104e975f4c1d
Signed-off-by: Martin Roth <martinroth@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/370663
Reviewed-by: David Hendricks <dhendrix@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
This feature is not enabled, is awkwardly written, and shouldn't
be left lying around to use as a bad example. This CL doesn't
change any compiled code.
A followup CL will add a working RBOX interrupt handler.
BUG=none
BRANCH=none
TEST=make buildall; test on Cr50 hardware
Change-Id: I5d0701f55ab9521bf1f29e7ec18994c4401d68fb
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/373600
Tested-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
At one time we could switch between TPM and HC protocols on the
SPI slave bus. We disabled the HC protocol long ago with commit
e4690f6152. This CL removes the spstpm command, since there's
no longer any point to having a console command to disable the
TPM protocol too (which would leave us with nothing listening to
incoming traffic on the SPI bus).
BUG=none
BRANCH=none
TEST=make buildall; test on Cr50 hardware
Change-Id: Ic5028dfc1631fab4ddf2584635cb48be50d05d4d
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/373638
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
This patch introduces support for the cr50 firmware update protocol
version 3. It is described in more details in the comment in the
patch, the bottom line is that both RO and RW updates are supported,
and SPI and USB modes use the same protocol now.
The notions of PDU (protocol data unit) passed between the host and
the programming function on the CR50 is introduced, and USB mode
framing is described.
BRANCH=none
BUG=chrome-os-partner:55789
TEST=verified that version 1 and 2 updates still work. Version 3 mode
was tested later, when the device side patches were applied.
Change-Id: If51854b6a0b140730e85853bc42039233550fe8c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/371509
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
In preparation of introducing new update protocol version this patch
cleans up the existing implementation.
The receive and transmit PDU headers are separated into their own
structures and are now shared between the server and client sides.
Some comments have been added to better explain different protocol
versions' details.
BRANCH=none
BUG=chrome-os-partner:55789
TEST=verified that it is still possible to update RW_A and RW_B on a
Kevin CR50, works using both USB and SPI.
Change-Id: Ied65b2c2a7800bae045f1d2dd64e58dd5e793d27
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/368989
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Header version fields are instrumental when determining which of the
available images is started by the RO. Let's include the header
version when reporting the RW images' version as well as RO.
BRANCH=none
BUG=none
TEST=verified that RW header information is now included in the
version command output:
> vers
Chip: g cr50 B2
Board: 0
RO_A: * 0.0.8/8755904e
RO_B: -1.-1.-1/ffffffff
RW_A: 0.0.1/cr50_v1.1.5093-751a584+
RW_B: * 0.0.1/cr50_v1.1.5093-d27f65f
Build: 0.0.1/cr50_v1.1.5093-d27f65f
...
Change-Id: I675c473a277e272f55670324fafdab8a6e6edd78
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/370939
Reviewed-by: Scott Collyer <scollyer@chromium.org>
Disable sleep for the first 3 minutes after initializing cr50 and
disable sleep for 3 minutes after a wakepin interrupt has been received.
BUG=none
BRANCH=none
TEST=manual
on a development board pull up dioa3 and dioa12 then verify cr50
does goes to sleep after 3 minutes.
on gru see sleep is delayed by 3 minutes when the wakeup
interrupt is called.
enable deep sleep and check cr50 does not go to sleep for 3
minutes after resuming.
Change-Id: I28ec3c2f5f86326b926d403ad52ffb4fc108e7ec
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/367880
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Adding a lowest priority hook init function, guaranteed to run after
all other initialization is completed, which is a good time to take
the EC out of reset.
Also moving pin hold release into the same function.
BRANCH=none
BUG=chrome-os-partner:55797
TEST=verified proper reset pulse generated on reef
verified that reef, kevin and gru all boot up as expected
Change-Id: Ic91e871f5040b9aa02a2f11cf76d2d596c48a04c
Signed-off-by: Timothy Chen <timothytim@google.com>
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/367410
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Sometimes a perfectly sane image enters rolling reboot mode in case
some data change triggered a bug which prevents the normal startup and
causes a reset.
The most likely task causing in in case of cr50 would be the tpm task.
Let's add another check of the restart counter: should it reach the
value of 50, do not start the TPM task.
BRANCH=none
BUG=chrome-os-partner:55708
TEST=with this code plus an unaligned access introduced in tpm
initialization sequence in both RW_A and RW_B, program the full
image on the dev board.
Observe the device reset 50 time is rapid succession and then
stop with the following message on the console:
Bldr |511709
retry|50
Himg =4F992103..408D193E
Hfss =384E4655..EE13EBD0
Hinf =44D21600..B70529BD
jump @00044000
--- UART initialized after reboot ---
[Reset cause: rtc-alarm]
[Image: RW, cr50_v1.1.5044-8d6f7a2+ private-cr51:v0.0.68-633229c ...
+ cryptoc:v0.0.4-5319e83 2016-08-07 19:37:16 vbendeb@kvasha]
[0.004130 Inits done]
[0.006919 Active NVram partition set to 0]
Console is enabled; type HELP for help.
> system_rolling_reboot_suspected: roling reboots suspected. Try \
powercycling to clear
this condition.
[0.010502 Task 2 (TPM) exited!]
Change-Id: I6b08c5c1a02da9edf9bdf394e57cc56d2e595ad1
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/366892
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
The nvmem space defined in the ec code base for the cr50 board is used
by the TPM2 library, which has its own nvram size definition. The two
definitions must match.
On top of the fact that the definitions are not locked to each other,
there is a third completely unrelated nvram size definition in
board/cr50/board.c.
This patch unifies nvmem size definitions between cr50 and tpm2
repositories by adding a compile time check for the size to be the
same on both sides.
Also, it turns out that two certificates (RSA and ECC) together do not
quite fit into the cr50 TPM nvram. Hence the total allocated nvmem
space is being increased to 20K (note that the actual nvram size
available to the TPM is less than half of this).
BRANCH=none
BUG=chrome-os-partner:55898
TEST=tpm does not lock up any more when 'tpm_client --own' is ran on the
Kevin-tpm2 command line
CQ-DEPEND=CL:367010
Change-Id: I20b4f54118bd2fa12e5bd5741d6c58fbe91f65d1
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/366796
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Servo_micro sets usb config maxpower to 100mA.
Servo_v4 is set to self powered as it's powered by a
shared vbus and not be the bub it's connected to.
cr50 is self powered as no power is transmitted as part of CCD.
* Add CONFIG_USB_MAXPOWER_MA to define USB maximum power draw requested
per board.
* Add CONFIG_USB_SELF_POWERED to indicate that a device is not
powered by allocated USB power.
BUG=chromium:631302
TEST=lsusb reports 100mA bMaxPower (micro), Self powered (v4)
BRANCH=None
Change-Id: I79b8ce46f32d94f16104a4a8080104e30dce7f2c
Signed-off-by: Nick Sanders <nsanders@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/363153
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
This change disables sleep only when a cable is actually detected.
Before it would disable sleep no matter what and if a debug cable was
not plugged in and then deteached then it would never enable it.
BUG=none
BRANCH=none
TEST=manual
update cr50
unplug suzyq
boot to kernel
verify cr50 is asleep
run 'powerd_dbus_suspend'
cr50 will wake up for like a second then go back to sleep
run 'apreset' on EC console
boot to kernel
verify cr50 is asleep
run 'powerd_dbus_suspend'
cr50 will wake up for like a second then go back to sleep
Change-Id: I8337f694853b7840ef932b38bd0fa6453d31cb3d
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/366861
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
There are few reasons why the SoC may reboot which we haven't
been reporting (they just show up as "[Reset cause: other]").
This adds a bit of decoding to explain some of those "other"
reasons.
BUG=none
BRANCH=none
TEST=make buildall; try on Cr50
I tested one of the new reasons using "crash hang". It shows up
correctly as "{Reset cause: security]". I haven't specifically
tested all of the new reasons, but since this is basically just a
change to console message they should work too. I'll double-check
those cases once some blocking bugs are fixed.
Change-Id: I46daed29d7e37bda9034a3486127bed0ea25f803
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/366400
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
This change fixes two issues. The first issue is that during rdd_init
debug_detect is set to the value of DEBUG_STATE_MAP. Debug_detect should
be the default map value of 0x420 which triggers an rdd interrupt when
cc1 and cc2 both have a value of 011 or 001. This will detect when a
debug cable is attached. ~debug_detect should detect when the cable is
detached.
The issue is after a soft reset DEBUG_STATE_MAP is not reset to the
default value so on the next rdd_init debug_detect was set to whatever
was DEBUG_STATE_MAP was last set to. If the debug cable is detected
before the soft reset then DEBUG_STATE_MAP will have a value of
~debug_detect and when rdd_init is called then debug_detect will be
initialized to that value of ~0x420. Now debug_detect does the opposite
of what we expect it to do. debug_detect detects when the cable is
detached and ~debug_detect detects when it is attached.
rdd_interrupt is called cr50 reads cc1 and cc2 and sees that a debug
accessory is attached so it sets DEBUG_STATE_MAP to ~debug_detect.
Because debug_detect does the opposite of what is expected then it will
trigger an interrupt when it detects a debug accessory. The debug
accessory is already attached so an interrupt is triggered. It reads cc1
and cc2 sees the debug_accessory attached resets the map to
~debug_detect. This cycle continues until the watchdog resets the
system. After this reset rdd_init reads the map to get debug_detect and
it is 0x420 because that is how it was last set and then rdd works
again.
This change fixes this issue by defining DEBUG_DETECT to be 0x420 and
not using the STATE_MAP value to do it.
It also looks like when the EC is off and we change the value of the
debug map, another RDD interrupt is triggered. Then it reads the debug
state and resets the map again another interrupt is triggered. It
continuously does this.
This change adds a check to see that the RDD was trying to detect the
state it currently senses before doing anything so the second interrupt
will be ignored.
BUG=chrome-os-partner:55793
BRANCH=none
TEST=manual
plug in a reworked suzyq
Flash the EC
verify a bunch of RDD interrupts aren't triggered and the
reworked suzyq can be used.
plug it in and out a couple of times to make sure everything
works.
Change-Id: I6f4e7b15cf9c53b965533df7fe23fae5b340f70d
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/364724
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
There is just one version of Cr50 firmware for all boards
that it's used on. However, on some boards the AP communicates
to the TPM via a SPI interface (i.e. Kevin) and on others, the
AP communicates via an I2C interface (i.e. Reef). In order to
dynamically discover which interface to configure, there are
strapping resistors added to the board which enables the Cr50
to detect which configuration to implement.
This CL is a first pass and is only looking at DIOA1 which is
pulled high for SPI and pulled low for I2C configurations.
The strapping resistor should be read when the AP is in reset
prior to it attempting to drive any of the lines used for
strapping. To ensure this condition is met, Cr50 will only
check the strapping options following a POR (power on reset).
Once the configuration type is discovered, a 'long_life'
register is used to hold the result so that the result can
always be available. The long_life register contents remain
unchanged until a subsequent power down event.
BRANCH=none
BUG=chrome-os-partner:50728
TEST=manual
Tested on Kevin and Reef. Verfifed by reading the stored value
that the SPI configuraiton is detected for Kevin and the I2C
interface is detected on Reef. In addition, verified on Kevin
that the Cr50 FW version is correctly reported to the AP which
means that TPM register reads via the slave SPI are functioning.
Change-Id: Ibd7624ad8e3b4126f6346dce0bc72f62a3cc6d18
Signed-off-by: Scott <scollyer@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/363014
Commit-Ready: Scott Collyer <scollyer@chromium.org>
Tested-by: Scott Collyer <scollyer@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Watchdog events are delivered as internal ARM interrupts, so we
can print a crash dump and then reboot. However, if interrupts
are disabled when the watchdog triggers, it just hangs forever.
This CL configures the watchdog and processor lockup events to
trigger a hard reboot through a security alert. This is the only
way to make these events non-maskable.
BUG=chrome-os-partner:52597
BRANCH=none
TEST=manual
I added this console command:
static int command_hang(int argc, char **argv)
{
interrupt_disable();
while (1)
;
return EC_ERROR_UNKNOWN; /* Not reached */
}
DECLARE_CONSOLE_COMMAND(hang, command_hang, NULL, "Hang", NULL);
Without this CL, that command locked the SoC up until it was
reset from outside. With this CL, it reboots after a couple of
seconds.
Change-Id: I773c0138fd2243cdbcdd86b2c7138520155d7920
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/365531
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Cr50 cant retain the TPM state in deep sleep so it wont be enabled until
it knows that the AP is off. If the AP is off it wont be asserting
SPS_CS_L, but it may be low because the AP isn't pulling it up.
This change disables it as a wake source in deep sleep.
BUG=chrome-os-partner:54796
BRANCH=none
TEST=run 'idle d'. Make sure cr50 goes into deep sleep and only resumes
due to a rdd event or when sys_rst_l is asserted.
Change-Id: Idf3ded6b439b71a27ac7eb4682a65dcdd6342cb9
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/364864
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Increasing the USB console TX buffer size allows to see pretty much
all early startup messages generated before USB console is
initialized.
There is still plenty of room left in SRAM, 23K on cr50, much more on
all other g based boards.
BRANCH=none
BUG=none
TEST=observed better USB console output on cr50 restarts.
Change-Id: I82f37ee7f3aecd8b7e95f3d421789c11375b2fd4
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/364811
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Nadim Taha <ntaha@chromium.org>
The only place where two separate buffers for the RO version strings
is required is the tpm_registers.c:set_version_string() function.
In preparation of reporting the build string along with the version
string, let's rearrange the function not to require separate buffers
for the RO versions.
BRANCH=none
BUG=chrome-os-partner:55558
TEST=verified that version reported by the TPM driver on Kevin is
still correct:
localhost ~ # grep cr50 /sys/firmware/log
Firmware version: RO_A: 0.0.1/84e2dde7 RO_B:* 0.0.2/13eda43f RW_A:*...
Change-Id: I8924ac48bd838851670f0d659e95aa92a8524665
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/364587
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
As a temp measure until a proper solution is implemented, reset the
restart counter when the PCR_Read command is issued by the host.
This is a good indication that Chrome OS is through the boot process,
as PCR value is used to determine the boot mode.
BRANCH=none
BUG=chrome-os-partner:55667
TEST=installed the new image on a Kevin cr50 and rebooted it in normal
and recovery modes, observed on the cr50 console the message like
> system_process_retry_counter:retry counter 1
Change-Id: Ib55e161d5edbf8f6e2d387fd756b94aa53c20ed8
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/364311
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Whether the bootrom locks the bootloader or not is deteremined by
fuses and/or flags in the bootloader's signed header. This CL
locks the active bootloader, just case those aren't configured to
do so.
BUG=chrome-os-partner:55261
BRANCH=none
TEST=manual
On an unlocked bootloader, I see this after booting:
> rw 0x40090100
read 0x40090100 = 0x00000001
With this CL applied, I see this instead:
> rw 0x40090100
read 0x40090100 = 0x00000000
Change-Id: I2e1396b7d7e71c8633d97d3cb573e9468eeb51e7
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/364280
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
We need to ignore sys_rst_l right now when we use the usb spi endpoint
to update the AP or EC. We hold the EC and AP in reset and this causes
sys_rst_l to be asserted at the start of updating the AP and when the EC
comes out of reset.
Using the USB SPI endpoint may require doing a bunch of transactions
back to back. Cr50 should not reset itself between each one.
This change postpones the reset until we're done using the usb spi
endpoint. Once sys_rst_l just resets the TPM we can remove all of this.
BUG=chrome-os-partner:52366
BUG=chrome-os-partner:54982
BRANCH=none
TEST=manual
verify 'util/flash_ec --board=kevin --raiden' updates the EC
'sudo flashrom -p raiden_debug_spi:target=AP -w $IMG' updates
the AP
The AP and cr50 reset after usb_spi is disabled.
Change-Id: I68a76012bc7bf6d3abd073a70f0b90e440d72c49
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/364051
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
It is useful to be able to see which pins are set as wake pins and what
type they are. This change adds prints to show_pinmux to describe the
wake pins.
BUG=none
BRANCH=none
TEST='pinmux' should show DIOA12 as a wake_low source.
Change-Id: I2a0ccdbf9b07abb627c3d52c7dd28433a2beff3c
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/363494
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Cr50 was not waking up long enough after SPS_CS_L was asserted for the
spi slave transactions to start and disable sleep. It also was not
handling SYS_RST_L properly when it was asleep.
This change sets SPS_CS_L to be an edge triggered wake up source instead
of level triggered, because cr50 should just wake up on the edge and
disable sleep until the spi transaction is done.
It also adds sys_rst_l as a wakeup source. The sys_rst_asserted
interrupt cannot be triggered while cr50 is asleep, so the
pmu_wakeup_interrupt will call sys_rst_asserted if SYS_RST_L is low at
resume. This change relies on the EC extending the delay in
chipset_reset to be long enough for SYS_RST_L to still be asserted when
cr50 resumes.
BUG=chrome-os-partner:54331
BRANCH=none
TEST=manual
make sure suzyq is disconnected.
verify ap boots up to the kernel after running
'gpioset SYS_RST_L 0' then 'gpioset SYS_RST_L 1' on the ec
console.
Check that cr50 goes to sleep when the AP is not trying to use
the TPM.
When cr50 is asleep pwrbtn + refresh still resets the system.
Disable SYS_RST_L_IN as a wake source and verify the system
verification fails and requests a recovery image.
Change-Id: I807b1918842d96c9d2922aa33404d87ab28b9906
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/363606
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
A recent cr50 loader modification introduced a counter in a scratch
register which is incremented on every startup. The idea is that valid
RW would decrement the counter, signaling that the start was
successful.
Should the counter exceed the value of 5, the loader assumes that the
RW being started is not fit to run, and picks the older RW to run, if
available.
This patch adds a function to process the startup retry counter.
First of all the counter is zeroed, as this function is supposed to be
called only once the RW run is considered successful and reliable.
Then the current situation is examined. If the counter value read from
the scratch register exceeds 5 AND running image is not the newer of A
and B, it is considered an indication of a fallback from a bad newer
image.
To prevent the newer image from being considered a contender on the
following startups, its header is corrupted.
BRANCH=none
BUG=chrome-os-partner:55151, chrome-os-partner:55667
TEST=modified code for testing purposes, by adding a call to
system_process_retry_counter() to tpm_task() after line 534, which
would cause the new function to be called soon after boot.
built a new image and installed it on the debug board. Then
modified the image to throw an exception early in the boot up
sequence, and installed it as a newer image on the debug board.
Observed the debug board restart the new image several time and
then fall back to the older image, printing the following on the
console:
system_process_retry_counter:retry counter 7
corrupt_other_header: RW fallback must have happened, magic at 44000 before: ffffffff
corrupt_other_header: magic after: 0
The following restarts start the older image without trying to run
the failing newer image.
Change-Id: Ia7497401e38fe2c3957af910cf745e45da985245
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/362776
Reviewed-by: Randall Spangler <rspangler@chromium.org>
The SoC looks for two RO images at reset, and is typically
configured for two RW images as well. This CL reports version
strings for all those images, as well as identifying the active
RO and RW copies.
Since the RO image doesn't contain a version string, we create
one using the epoch_, major_, minor_, and img_chk_ members of its
signed header.
BUG=chrome-os-partner:55558
BRANCH=none
TEST=make buildall; run on Cr50 hardware
The "version" command now includes information like this:
RO_A: * 0.0.2/a3c3d5ea
RO_B: 0.0.2/8895c9eb
RW_A: cr50_v1.1.4965-a6c1c73-dirty
RW_B: * cr50_v1.1.4959-2f49d5c
The '*' indicates the active image.
The test/tpm_test/tpmtest.py program has been updated to request
the version information at startup, and it also now reports
similar information, just all on one line:
RO_A:* 0.0.2/a3c3d5ea RO_B: 0.0.2/8895c9eb RW_A: cr50_v1.1 ...
The active images are marked with a '*' following the ':', so
that the same regexp can match either format:
($ro, $rw) = m/RO_[AB]:\s*\*\s+(\S+).*RW_[AB]:\s*\*\s+(\S+)/s;
Change-Id: Ic27e295d9122045b2ec5a638933924b65ecc8e43
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/362861
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
There are two g chip versions in circulation currently, B1 and B2.
Make the 'version' command properly report it.
BRANCH=none
BUG=none
TEST=verified that both B1 and B2 report versions properly
Change-Id: I1c5b9f0da0170cda2c636b857e92b9d3de165422
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/362643
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
This change implements logic for installing
endorsement certificates in the RW section.
The endorsement certificates are initially
provisioned in a fixed RO flash region and
are copied in the RW TPM data region (once
this region has been initialized).
Also add code for reading from the info bank,
which is where the endorsement seed is
initially stored.
BRANCH=none
BUG=chrome-os-partner:43025,chrome-os-partner:47524
BUG=chrome-os-partner:50115
TEST=TCG tests running
Change-Id: Id8c16d399202eee4ac0c4e397bdd29641ff9d2f3
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/362402
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
We had been putting the NVMEM flash where the boot rom would
expect to find RO_B, preventing us from ever being able to update
the bootloader.
With this CL, we're rearranging the flash to support both RO_A
and RO_B. The current flash layout now looks like this:
0x40000 RO_A
0x44000 RW_A
0x7c000 TOP_A
0x80000 RO_B
0x84000 RW_B
0xbc000 NVMEM
0xbffff <end of flash>
BUG=chrome-os-partner:44803
BRANCH=none
TEST=make buildall, also manual tests on Cr50 boards
First, check that our current process still works:
make BOARD=cr50 CR50_RO_KEY=cr50_rom0-dev-blsign.pem.pub
spiflash -i -v build/cr50/ec.hex
Yep, it does, but that only produces RO_A, not RO_B.
To test the dual RO behavior, I used prebuilt RO_A and RO_B blobs
for the bootloaders, signed using Marius' new scheme.
Build the unsigned image, then sign it using Vadim's scripts:
make BOARD=cr50 -j30
~/bin/bs hex
We'll garble various bits of the full image to invalidate each of
the four RO/RW/A/B parts.
Find lines common to both ROs and common to both RWs:
sort B1*.hex | uniq -c | grep ' 2 ' | \
awk '{print $2}' | sort > tmp.ro2
sort build/cr50/RW/ec.RW*.signed.hex | uniq -c | grep ' 2 ' | \
awk '{print $2}' | sort > tmp.rw2
ro=$(diff tmp.ro2 tmp.rw2 | grep '<' | head -1 | awk '{print $2}')
rw=$(diff tmp.ro2 tmp.rw2 | grep '>' | head -1 | awk '{print $2}')
Double-check to be sure we don't have any false matches:
grep -l $ro build/cr50/RW/ec.RW*.signed.hex B1_*.hex
grep -l $rw build/cr50/RW/ec.RW*.signed.hex B1_*.hex
The pre-signed RO_A image is older than RO_B, but both have the
same epoch/major/minor, which is all that the bootrom checks for.
It doesn't look at the timestamp.
The RW_A is older than RW_B because of the sequential signing
process. The RO bootloaders will check their timestamp, so RW_B
should be preferred.
RO_A RO_B RW_A RW_B
good good good good
cat build/cr50/RW/ec.RW*.signed.hex B1_*.hex > foo.hex
spiflash -v -i foo.hex
jump @00040400
jump @00084000
=> boots RO_A -> RW_B
RO_A RO_B RW_A RW_B
good good good bad
cat build/cr50/RW/ec.RW*.signed.hex B1_*.hex > foo.hex
ln=$(grep -n $rw foo.hex | awk -F: 'NR==2 {print $1}')
sed -i "${ln}d" foo.hex
spiflash -v -i foo.hex
jump @00040400
jump @00044000
=> boots RO_A -> RW_A
RO_A RO_B RW_A RW_B
bad good good good
cat build/cr50/RW/ec.RW*.signed.hex B1_*.hex > foo.hex
ln=$(grep -n $ro foo.hex | awk -F: 'NR==1 {print $1}')
sed -i "${ln}d" foo.hex
spiflash -v -i foo.hex
jump @00080400
jump @00084000
=> boots RO_B -> RW_B
RO_A RO_B RW_A RW_B
bad good good bad
cat build/cr50/RW/ec.RW*.signed.hex B1_*.hex > foo.hex
ln=$(grep -n $ro foo.hex | awk -F: 'NR==1 {print $1}')
sed -i "${ln}d" foo.hex
ln=$(grep -n $rw foo.hex | awk -F: 'NR==2 {print $1}')
sed -i "${ln}d" foo.hex
spiflash -v -i foo.hex
jump @00080400
jump @00044000
=> boots RO_B -> RW_A
Yay.
Now make sure RW_A and RW_B can be updated using usb_updater.
\rm -rf build
make BOARD=cr50 -j30
~/bin/bs
./extra/usb_updater/usb_updater build/cr50/ec.bin
I'm running RW_A, it updates and reboots into RW_B. Good.
reboot 5 times, and it reverts to RW_A.
Power cycle and it goes to RW_B again.
Update to RW_A.
\rm -rf build
make BOARD=cr50 -j30
~/bin/bs
./extra/usb_updater/usb_updater build/cr50/ec.bin
I'm running RW_B, it updates and reboots into RW_A. Good.
reboot 5 times, and it reverts to RW_B.
Power cycle and it goes to RW_A again.
Cool.
Change-Id: I6c1689920de06c72c69f58ad2ef1059d9ee0d75f
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/362521
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
