The INFO1 mask field contents serves as input for the rollback
protection mechanism, when the RO decides if an RW is allowed to run
on the device.
The existing code updates INFO1 mask to match the lowest rollback
priority of the two images (RW_A and RW_B) present on the device.
INFO1 mask should be also updated when the current image is endorsed
by the host. In this case the alternative RW is destroyed, so the
INFO1 mask could be set based solely on the currently running image.
This patch refactors the code to allow setting INFO1 mask based on one
or both RW headers' contents.
BRANCH=cr50
BUG=b:62138152
TEST=verified that "normal" INFO1 mask updates still work as before,
the mask is modified to match the image with the lowest rollback
priority.
Also verified that when the VENDOR_CC_INVALIDATE_INACTIVE_RW
command is received the INFO1 mask is updated based on the
currently running image.
Change-Id: I23172388674e1f3a4c2489e139dd197a84029f54
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/541738
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
with the board ID match happening in the RW we need to be able to set
the rollback counter to a value which would guarantee a fallback
during the next boot.
BRANCH=cr50
BUG=b:35586335
TEST=with the rest of the patches verified the ability to set the
counter to trigger a fallback on the next reboot.
Change-Id: I161f39354e5523121e26e8ad84a791a8b06e5123
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/535976
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Implement system_get_chip_unique_id() for the g hardware.
It includes the hardware revision, the chip device id and
the read-only key id.
The key-id is included because this unique id is used as serial number
inside certificates and for security reason, we want a different id if
the RO has changed (e.g Node locked firmware).
The id is also 32-byte long for convenience reason when used for
certificates, but the high 16 bytes are currently zeros.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=cr50
BUG=b:35545754
TEST=dump the x.509 individual attestation certificate which includes
the unique id as serial number.
Change-Id: If24597d0de696d2700122d425724f14703fc5256
Reviewed-on: https://chromium-review.googlesource.com/536774
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
The contents of the board ID fields of the Cr50 image headers is an
important piece of information which determines if an image can run on
a particular H1 chip.
This patch adds this information to the output of the 'version'
command, printing both the contents of the fields of the RW images and
if the image would run with the current INFO1 board ID contents (Yes
or NO).
The board_id feature is in fact g chipset specific, this is why
board_id support files are being moved from the cr50 board scope to
the g chip scope.
BRANCH=cr50
BUG=b:35587387,b:35587053
TEST=observed expected output in the version command:
> bid
Board ID: 000000fa, flags 000000ff
> vers
Chip: g cr50 B2-C
Board: 0
RO_A: * 0.0.10/29d77172
RO_B: 0.0.10/c2a3f8f9
RW_A: * 0.0.20/DBG/cr50_v1.1.6542-856c3aff4
RW_B: 0.0.20/DBG/cr50_v1.1.6543-2c68a2630+
BID A: 00000000:00000000:00000000 Yes
BID B: 000000ea:0000fffc:000000ff No
Build: 0.0.20/DBG/cr50_v1.1.6542-856c3aff4
tpm2:v0.0.289-cb2de5a
cryptoc:v0.0.8-6283eee
2017-06-09 15:34:19 vbendeb@eskimo.mtv.corp.google.com
>
Change-Id: I5b283abf304a7408ca8f424407044fca238185e1
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/530033
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
There many TODOs sprinkled in the code, some of them have been
addressed or do not apply any mode. This patch removes them.
BRANCH=cr50
BUG=none
TEST=built and ran cr50 on reef
Change-Id: Ica6edb204e5cc0cc9dc7f0d43fd39e7ddaf56809
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/506496
Reviewed-by: Randall Spangler <rspangler@chromium.org>
This firmware supports a board used to initialize firmware on new cr50
parts.
BUG=b:36910757
BRANCH=None
TEST=boots on scribe board, spi/usb/uart/i2c functionality works.
TEST=cr50 boots on reef, CCD EC+AP SPI/UARTS work
Change-Id: I48818225393a6fc0db0c30bc79ad9787de608361
Reviewed-on: https://chromium-review.googlesource.com/437627
Commit-Ready: Nick Sanders <nsanders@chromium.org>
Tested-by: Nick Sanders <nsanders@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Master chip/g FW still needs to support deprecated RO, so re-add support
for the old version_struct. This CL can be reverted once we no longer
need to support deprecated RO on master.
BUG=chromium:698881,chromium:698882
TEST=Flash old FW (f51fdf2) to RW_B slot and updated FW to RW_A. Verify
cr50 boots into RW_A, and "version" on the console prints RW_B version,
not "Error".
BRANCH=None
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Change-Id: I3c255afcd12da5694ca128960de8d2abe41686dc
Reviewed-on: https://chromium-review.googlesource.com/450860
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Store our image size (known at build time) in our version struct (now
renamed to image_data). This will allow us to more efficiently determine
the size of an image in a follow-up CL.
Note that compatibility is broken for old ROs that do not include this
CL.
BUG=chromium:577915
TEST=Verify on kevin + lars + lars_pd that stored image size matches
output of system_get_image_used() for both RO and RW images.
BRANCH=None
Change-Id: I7b8dc3ac8cf2df3184d0701a0e0ec8032de8d81b
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/450858
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
With enabling INFO1 map based rollback protection it is important to
be able to tell the state of the flash map and the currently installed
images' infomap header field.
The new function counts number of zero words in the info map and zero
bits in both RW headers, and returns them in a string printed out by
the sysinfo command.
BRANCH=cr50
BUG=b:35774863
TEST=built images with different manifest info field contents and
verified that the string printed by the sysinfo command makes sense.
Change-Id: If633a6c678dc34197b2dad116b6180b2d549e089
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/450905
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
The cr50 RO image compares INFO rollback map space against the
contents of the RW image's infomap field.
To ensure that no rollback is possible, the RW should verify that the
INFO space state is consistent with the current RW and RW_B headers,
and if not, update the INFO state to comply.
This should happen only when running prod images, so that debug images
could be rolled back if so desired.
Also fixed the bug in functions enabling read and write access to the
INFO1 region. Write access is now a superset of read access setting.
BRANCH=cr50
BUG=b:35774863
TEST=as follows:
- built and ran a new image, observed it start successfully;
- modified the manifest to erase the first map location, built and
ran a new image, observed it start successfully
- restored the manifest, built and tried running a new image,
observed that the earlier version is starting.
Change-Id: I62253c3e98cd24ed24424b8bb9de22692a262d89
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/447966
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Add generic routines to read or write a byte to battery-backed RAM, and
implement vbnvcontext get/set using these routines.
BUG=chrome-os-partner:62952
BRANCH=reef
TEST=On reef, with subsequent commit, run "cutoff" on the console,
reattach AC, and verify device successfully wakes. Also verify Rp is
dropped on console 'reboot' and F3 + power from RW.
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Change-Id: I14691923f2e5198e901b6b5199e92c58c68cd18d
Reviewed-on: https://chromium-review.googlesource.com/444444
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Currently, manually triggered reboots cause the retry counter to be
incremented. However, if the system is responsive enough to process the
reboot commands from either the console or TPM vendor command, we can
assume that the image is "ok". This commit changes the Cr50 behaviour
to decrement the retry counter when a reboot is issued on the console or
the TPM vendor command is received.
BUG=chrome-os-partner:62687
BRANCH=None
TEST=Flash cr50. Flash an older image in the other slot. Enter the
reboot command on the console over 10 times and verify that retry
counter never exceeds RW_BOOT_MAX_RETRY_COUNT and older image is never
executed.
CQ-DEPEND=CL:444264
Change-Id: Ic35bdc63c4141834584a00a7ecceab2abe8dfc21
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Reviewed-on: https://chromium-review.googlesource.com/443330
Commit-Ready: Aseda Aboagye <aaboagye@chromium.org>
Tested-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Store our image size (known at build time) in our version struct (now
renamed to image_data). This will allow us to more efficiently determine
the size of an image in a follow-up CL.
Note that compatibility is broken for old ROs that do not include this
CL.
BUG=chromium:577915
TEST=Verify on kevin + lars + lars_pd that stored image size matches
output of system_get_image_used() for both RO and RW images.
BRANCH=None
Change-Id: I49ea5fc27a7f11f66daba485a87d0dfe7d0c770f
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/427408
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Detachable devices need firmware help to process battery disconnect
requests promptly.
The request happens when the user keeps pressed both power and "volume
up" buttons and yanks the charger cable.
Once this condition is detected a 5 s timeout is started, and if the
charger cable is not plugged back in during this interval, the code
initiates a low polarity pulse on both EC_RST_L and BAT_EN outputs.
Lowering BAT_EN level will cause the battery cut off which is supposed
to cause an immediate system power down.
BRANCH=none
BUG=chrome-os-partner:59833
TEST=verified desired behavior on an H1 dev board with a H1B2-D chip.
Change-Id: Iecdcc93e228f4bc18734569bd896b0afa4bb752a
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/426345
Reviewed-by: Marius Schilder <mschilder@chromium.org>
There are three different H1 B2 chips SKUs in the wild now, one
version is for clamshell Chromebooks, one is for experimental build of
Poppy and one for detachable devices.
The SKUs differ by some fuse settings, as outlined by the comment in
the code.
This patch maps fuse settings into the chip revision string and also
makes sure that the revision is determined once and then used for all
following invocations of system_get_chip_revision().
BRANCH=none
BUG=chrome-os-partner:59833
TEST=verified that on dev boards with three different H1 B2 SKUs the
revision is reported as expected (B2-C, B2-D and B2-P).
Change-Id: I7d588d7326c28e9fa4921351254ad60a21c3f6b8
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/426344
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Carl Hamilton <carlh@chromium.org>
After every reboot, we were resetting the write protect and console
lock states back to default. With this change the wp and lock states
will be preserved through deep sleep. They will still be reset on any
other type of reboot (like Power On reset or panic).
The states are also cleared if the system detects a rollback even when
booting from the deep sleep.
With this patch it is going to be impossible to remove hardware write
protection guarding writes into AP and EC firmware flash, unless the
cr50 console is unlocked.
Locking the console would reinstate hardware write protection
automatically even if it was disabled when the console was unlocked.
Two long life scratch register 1 bits are used to keep the console and
write protect states over resets. To make code cleaner bitmap
assignments of the long life scratch register is put in its own
include file.
BUG=chrome-os-partner:58961
BRANCH=none
TEST=manual
On prod/dev images verify that the default wp and console lock
states are still correct.
change the lock and write protect states from the default and
verify they are preserved through deep sleep.
reboot cr50 and make sure that they are reset.
unlock the console and enable flash writes, then set fallback
counter on cr50 to the value of 6 (rw 0x40000128 1; rw
0x4000012c 6) and put the AP into deep sleep by hitting
Alt-H-VolUp.
In five minutes press the power button on the device to bring
it back from s5. Observe cr50 fall back to an older image and
console lock and wp disabled.
Change-Id: Ie7e62cb0b2eda49b04a592ee1d0903e83246b045
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/420812
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
There are plans to extend use of the LONG_LIFE_SCRATCH1 register for
other purposes than keeping board properties. Just as the board
properties, the new use is also very board specific. This patch moves
the board properties code from chip/g to board/cr50, where it belongs.
Instead of reading board properties bitmap and checking if various
bits are set, api functions are now provided to allow determining
various properties settings without actually looking at the properties
bitmap.
CQ-DEPEND=CL:*313057
BRANCH=none
BUG=chrome-os-partner:58961
TEST=verified that both Gru and Reef boot with the new image,
additionally, on Reef confirmed that it is possible to
communicate with the H1 over USB, and that plt_reset signal is
handled properly.
Change-Id: Id0dd2dc16389f773a149fb01eee1ce7bb99c4547
Reviewed-on: https://chromium-review.googlesource.com/422081
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Scott Collyer <scollyer@chromium.org>
Deep sleep needs to be considered a normal behavior and should not add
to the rollback count. This change subtracts one from the reset count
when the system sees that it just resumed from deep sleep.
Ideally the rollback counter would be able to verify the TPM
functionality and detect rolling reboots. With this change the rollback
counter will only be able to detect rolling reboots, but it fixes the
false positives for rolling reboots we were seeing before.
BUG=chrome-os-partner:60449
BRANCH=none
TEST=manual
check the reset counter
turn off the AP
wait for cr50 to enter deep sleep
plug in suzyq
check it resumes from deep sleep and that the reset counter
still has the same value
Change-Id: Ie8490c29636403b409b2a3f0912a5b312d23bc24
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/418321
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
When cr50 rollback happens, the newer header's magic field is set to
zero to prevent it from ever running again.
Take this into consideration when displaying versions of the inactive
RW image.
BRANCH=none
BUG=none
TEST=loaded two versions of the new code on a cr50 and then modified
the fallback counter to force it to boot the older version and
reboot a Reef. Once Reef fully boots to chrome os examine CR50
version report:
Before:
> vers
...
RW_A: 0.0.9/DEV/cr50_v1.1.5654-2228b76+
RW_B: * 0.0.11/DEV/cr50_v1.1.5654-2228b76+
...
After:
> vers
...
RW_A: * 0.0.9/DEV/cr50_v1.1.5654-2228b76+
RW_B: Error
Change-Id: I2a9ee13117a0bc91710226cd733c5c484c6d0595
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/413089
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
cr50 should pretty much never reset, but when it does, for whatever
reason, the device it is running on must reset as well.
This patch makes every cr50 reset (be it command line induced, or
caused by an exception) a hard reset, such that it re-initializes the
R-box, which in turn causes reset of the entire platform.
CQ-DEPEND=CL:361680
BRANCH=none
BUG=chrome-os-partner:55948
TEST=verified that running commands like 'reset' or 'md 0xf0000'
(which triggers an exception) causes the entire chromebook to reboot.
Change-Id: Ifa160450b9b4c5ef25e512caf1ffdced9c97acd6
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/388007
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
There is no point in waiting for a reset to clear the fallback
counter, it can be cleared as soon as USB update is finished.
BRANCH=none
BUG=chrome-os-partner:56864
TEST=on a kevin-tpm2 device: set the reset counter to 7 by running
> rw 0x40000128 1
> rw 0x4000012c 7
on the cr50 console. Then try uploading a new RW image over Suzy-Q
and verify that it is running after reset.
Then verify that cr50 can still be updated
Change-Id: I098a87c48b2fe864143715b1e90d4bb2409b9eae
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/383077
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
If the firmware was just updated clear the reset counter before
rebooting. This will ensure that the update can complete even if the TPM
isn't being used.
BUG=chrome-os-partner:56864
BRANCH=none
TEST=Set the reset counter to 7 by running 'rw 0x40000128 1' and
'rw 0x4000012c 7'. Then make sure cr50 can still be updated
Change-Id: Ic304fc7a20a4f2af7792f80e970d28e0eb10967e
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/380235
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
UART0 RX only needs to be disabled on reef. This change uses a system
property instead of a #define to disable UART0 RX that way it can just
be done on Reef not Gru or the dev board.
BUG=chrome-os-partner:55510
BRANCH=none
TEST=manual
rw 0x4060000c shows a value of 1 for reef and 3 for gru
gru kevin and reef still boot.
Connect DIOA13 to DIOA1 on the dev board and verify the console
can be used.
Change-Id: I5ee3559c2b35f959c0d67f233d1dfa40743b4064
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/378336
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Scott Collyer <scollyer@chromium.org>
Header version fields are instrumental when determining which of the
available images is started by the RO. Let's include the header
version when reporting the RW images' version as well as RO.
BRANCH=none
BUG=none
TEST=verified that RW header information is now included in the
version command output:
> vers
Chip: g cr50 B2
Board: 0
RO_A: * 0.0.8/8755904e
RO_B: -1.-1.-1/ffffffff
RW_A: 0.0.1/cr50_v1.1.5093-751a584+
RW_B: * 0.0.1/cr50_v1.1.5093-d27f65f
Build: 0.0.1/cr50_v1.1.5093-d27f65f
...
Change-Id: I675c473a277e272f55670324fafdab8a6e6edd78
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/370939
Reviewed-by: Scott Collyer <scollyer@chromium.org>
Sometimes a perfectly sane image enters rolling reboot mode in case
some data change triggered a bug which prevents the normal startup and
causes a reset.
The most likely task causing in in case of cr50 would be the tpm task.
Let's add another check of the restart counter: should it reach the
value of 50, do not start the TPM task.
BRANCH=none
BUG=chrome-os-partner:55708
TEST=with this code plus an unaligned access introduced in tpm
initialization sequence in both RW_A and RW_B, program the full
image on the dev board.
Observe the device reset 50 time is rapid succession and then
stop with the following message on the console:
Bldr |511709
retry|50
Himg =4F992103..408D193E
Hfss =384E4655..EE13EBD0
Hinf =44D21600..B70529BD
jump @00044000
--- UART initialized after reboot ---
[Reset cause: rtc-alarm]
[Image: RW, cr50_v1.1.5044-8d6f7a2+ private-cr51:v0.0.68-633229c ...
+ cryptoc:v0.0.4-5319e83 2016-08-07 19:37:16 vbendeb@kvasha]
[0.004130 Inits done]
[0.006919 Active NVram partition set to 0]
Console is enabled; type HELP for help.
> system_rolling_reboot_suspected: roling reboots suspected. Try \
powercycling to clear
this condition.
[0.010502 Task 2 (TPM) exited!]
Change-Id: I6b08c5c1a02da9edf9bdf394e57cc56d2e595ad1
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/366892
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
There are few reasons why the SoC may reboot which we haven't
been reporting (they just show up as "[Reset cause: other]").
This adds a bit of decoding to explain some of those "other"
reasons.
BUG=none
BRANCH=none
TEST=make buildall; try on Cr50
I tested one of the new reasons using "crash hang". It shows up
correctly as "{Reset cause: security]". I haven't specifically
tested all of the new reasons, but since this is basically just a
change to console message they should work too. I'll double-check
those cases once some blocking bugs are fixed.
Change-Id: I46daed29d7e37bda9034a3486127bed0ea25f803
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/366400
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
There is just one version of Cr50 firmware for all boards
that it's used on. However, on some boards the AP communicates
to the TPM via a SPI interface (i.e. Kevin) and on others, the
AP communicates via an I2C interface (i.e. Reef). In order to
dynamically discover which interface to configure, there are
strapping resistors added to the board which enables the Cr50
to detect which configuration to implement.
This CL is a first pass and is only looking at DIOA1 which is
pulled high for SPI and pulled low for I2C configurations.
The strapping resistor should be read when the AP is in reset
prior to it attempting to drive any of the lines used for
strapping. To ensure this condition is met, Cr50 will only
check the strapping options following a POR (power on reset).
Once the configuration type is discovered, a 'long_life'
register is used to hold the result so that the result can
always be available. The long_life register contents remain
unchanged until a subsequent power down event.
BRANCH=none
BUG=chrome-os-partner:50728
TEST=manual
Tested on Kevin and Reef. Verfifed by reading the stored value
that the SPI configuraiton is detected for Kevin and the I2C
interface is detected on Reef. In addition, verified on Kevin
that the Cr50 FW version is correctly reported to the AP which
means that TPM register reads via the slave SPI are functioning.
Change-Id: Ibd7624ad8e3b4126f6346dce0bc72f62a3cc6d18
Signed-off-by: Scott <scollyer@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/363014
Commit-Ready: Scott Collyer <scollyer@chromium.org>
Tested-by: Scott Collyer <scollyer@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Watchdog events are delivered as internal ARM interrupts, so we
can print a crash dump and then reboot. However, if interrupts
are disabled when the watchdog triggers, it just hangs forever.
This CL configures the watchdog and processor lockup events to
trigger a hard reboot through a security alert. This is the only
way to make these events non-maskable.
BUG=chrome-os-partner:52597
BRANCH=none
TEST=manual
I added this console command:
static int command_hang(int argc, char **argv)
{
interrupt_disable();
while (1)
;
return EC_ERROR_UNKNOWN; /* Not reached */
}
DECLARE_CONSOLE_COMMAND(hang, command_hang, NULL, "Hang", NULL);
Without this CL, that command locked the SoC up until it was
reset from outside. With this CL, it reboots after a couple of
seconds.
Change-Id: I773c0138fd2243cdbcdd86b2c7138520155d7920
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/365531
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
The only place where two separate buffers for the RO version strings
is required is the tpm_registers.c:set_version_string() function.
In preparation of reporting the build string along with the version
string, let's rearrange the function not to require separate buffers
for the RO versions.
BRANCH=none
BUG=chrome-os-partner:55558
TEST=verified that version reported by the TPM driver on Kevin is
still correct:
localhost ~ # grep cr50 /sys/firmware/log
Firmware version: RO_A: 0.0.1/84e2dde7 RO_B:* 0.0.2/13eda43f RW_A:*...
Change-Id: I8924ac48bd838851670f0d659e95aa92a8524665
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/364587
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
As a temp measure until a proper solution is implemented, reset the
restart counter when the PCR_Read command is issued by the host.
This is a good indication that Chrome OS is through the boot process,
as PCR value is used to determine the boot mode.
BRANCH=none
BUG=chrome-os-partner:55667
TEST=installed the new image on a Kevin cr50 and rebooted it in normal
and recovery modes, observed on the cr50 console the message like
> system_process_retry_counter:retry counter 1
Change-Id: Ib55e161d5edbf8f6e2d387fd756b94aa53c20ed8
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/364311
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Whether the bootrom locks the bootloader or not is deteremined by
fuses and/or flags in the bootloader's signed header. This CL
locks the active bootloader, just case those aren't configured to
do so.
BUG=chrome-os-partner:55261
BRANCH=none
TEST=manual
On an unlocked bootloader, I see this after booting:
> rw 0x40090100
read 0x40090100 = 0x00000001
With this CL applied, I see this instead:
> rw 0x40090100
read 0x40090100 = 0x00000000
Change-Id: I2e1396b7d7e71c8633d97d3cb573e9468eeb51e7
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/364280
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
A recent cr50 loader modification introduced a counter in a scratch
register which is incremented on every startup. The idea is that valid
RW would decrement the counter, signaling that the start was
successful.
Should the counter exceed the value of 5, the loader assumes that the
RW being started is not fit to run, and picks the older RW to run, if
available.
This patch adds a function to process the startup retry counter.
First of all the counter is zeroed, as this function is supposed to be
called only once the RW run is considered successful and reliable.
Then the current situation is examined. If the counter value read from
the scratch register exceeds 5 AND running image is not the newer of A
and B, it is considered an indication of a fallback from a bad newer
image.
To prevent the newer image from being considered a contender on the
following startups, its header is corrupted.
BRANCH=none
BUG=chrome-os-partner:55151, chrome-os-partner:55667
TEST=modified code for testing purposes, by adding a call to
system_process_retry_counter() to tpm_task() after line 534, which
would cause the new function to be called soon after boot.
built a new image and installed it on the debug board. Then
modified the image to throw an exception early in the boot up
sequence, and installed it as a newer image on the debug board.
Observed the debug board restart the new image several time and
then fall back to the older image, printing the following on the
console:
system_process_retry_counter:retry counter 7
corrupt_other_header: RW fallback must have happened, magic at 44000 before: ffffffff
corrupt_other_header: magic after: 0
The following restarts start the older image without trying to run
the failing newer image.
Change-Id: Ia7497401e38fe2c3957af910cf745e45da985245
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/362776
Reviewed-by: Randall Spangler <rspangler@chromium.org>
The SoC looks for two RO images at reset, and is typically
configured for two RW images as well. This CL reports version
strings for all those images, as well as identifying the active
RO and RW copies.
Since the RO image doesn't contain a version string, we create
one using the epoch_, major_, minor_, and img_chk_ members of its
signed header.
BUG=chrome-os-partner:55558
BRANCH=none
TEST=make buildall; run on Cr50 hardware
The "version" command now includes information like this:
RO_A: * 0.0.2/a3c3d5ea
RO_B: 0.0.2/8895c9eb
RW_A: cr50_v1.1.4965-a6c1c73-dirty
RW_B: * cr50_v1.1.4959-2f49d5c
The '*' indicates the active image.
The test/tpm_test/tpmtest.py program has been updated to request
the version information at startup, and it also now reports
similar information, just all on one line:
RO_A:* 0.0.2/a3c3d5ea RO_B: 0.0.2/8895c9eb RW_A: cr50_v1.1 ...
The active images are marked with a '*' following the ':', so
that the same regexp can match either format:
($ro, $rw) = m/RO_[AB]:\s*\*\s+(\S+).*RW_[AB]:\s*\*\s+(\S+)/s;
Change-Id: Ic27e295d9122045b2ec5a638933924b65ecc8e43
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/362861
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
There are two g chip versions in circulation currently, B1 and B2.
Make the 'version' command properly report it.
BRANCH=none
BUG=none
TEST=verified that both B1 and B2 report versions properly
Change-Id: I1c5b9f0da0170cda2c636b857e92b9d3de165422
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/362643
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Some of the reset causes are found in another register when
resuming from a low-power state. We know we'll need to
distinguish among them eventually, so we might as well decode
them now.
BUG=chrome-os-partner:49955
BRANCH=none
TEST=make buildall; test on Cr50
I forced the system into deep sleep and observed that the reset
cause is accurately recorded on resume. Doing that requires a
fair amount of hacks and manual effort, and can't happen by
accident. Future CLs will make use of this.
The current, normal behavior is completely unaffected.
Change-Id: I5a7b19dee8bff1ff1703fbbcc84cff4e374cf872
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/336314
Reviewed-by: Randall Spangler <rspangler@chromium.org>
There were some unnecessary shifts and conditionals. This just
makes the code a little more readable.
BUG=none
BRANCH=none
TEST=make buildall; test on Cr50 hw
Change-Id: I084f191675d1b51101e9dc55c2e5a12b0b345d33
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/334870
Reviewed-by: Scott Collyer <scollyer@chromium.org>
When we lower the runlevel for security purposes, the standard
ARM watchdog interrupt is no longer enough to cause a full
reboot. We'll manually trigger a system reset instead. For now,
it's a soft reset. Should it be hard?
BUG=chrome-os-partner:47289
BRANCH=none
CQ-DEPEND=CL:310975
TEST=make buildall, manual
From the console, run "crash watchdog". After a second or to,
the watchdog trace dump appears and the system reboots.
Change-Id: I99fcaf19b32728563e3b051755d65267cc11156c
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/311298
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Permission registers only reset on power cycle,
so a soft reboot will fail unless a minimum power
cycle is performed.
BRANCH=none
BUG=chrome-os-partner:47289,chrome-os-partner:43025
TEST=hard / soft reboot from ec shell
Signed-off-by: nagendra modadugu <ngm@google.com>
Change-Id: I8f0f1bc80a2748b031a9b7a3715485577f2b5b3b
Reviewed-on: https://chromium-review.googlesource.com/310975
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Tested-by: Nagendra Modadugu <ngm@google.com>
Commit-Queue: Nagendra Modadugu <ngm@google.com>
Trybot-Ready: Nagendra Modadugu <ngm@google.com>
The new FPGA version adds a lot of few features, while temporarily
cutting off some existing capabilities like clocking configuration
(hardwared clocks used instead), pinmux assignment for SPS interface
(hardwared connections used), etc.
This patch removes some now unused code, modifies some configuration
items and adds TODO_FGPA comment blocks highlighting code which needs
to be reviews next time FPGA version changes).
The new register definitions file is derived from hardware
description.
BRANCH=none
BUG=chrome-os-partner:43791
TEST=with these changes in place the B1 board boots to the console
prompt.
Change-Id: I78ec6b2831a44cbfd40ee726a5d3c2cc11bf2cfa
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/291855
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Build the hardware version string from the register definitions,
so I no longer forget to update it.
Check it at runtime against the build version registers.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=none
BUG=none
TEST=On the console command line,
type "version" and see the following string:
"Chip: g cr50 A1 20141203_224409"
Change-Id: I6d902780d42f2dd18a57ccc08fd4ba4fee5ebc7c
Reviewed-on: https://chromium-review.googlesource.com/233582
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Commit-Queue: Vincent Palatin <vpalatin@chromium.org>
Trybot-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
- record and display reset cause
- add the hard reset option
- add the scratchpad to store values across reboots.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=none
BUG=chrome-os-partner:33818
TEST=On the console command line, chech the "[Reset cause: xxx]" string
- for the initial reset cause
- use "waitms 4000" to trigger a watchdog reset
- use "reboot soft"
- use "reboot hard"
The "utils" test is now building and passing.
Change-Id: I68c7096e5b7bfd102be89fd8eef6fe20da37a6f8
Reviewed-on: https://chromium-review.googlesource.com/233581
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Commit-Queue: Vincent Palatin <vpalatin@chromium.org>
Trybot-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Until we implement a proper reset of the microcontroller,
add a reset of the Cortex-M3 CPU core in system_reset() in order to
avoid getting stuck in a weird loop if we get a panic.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=none
BUG=none
TEST=trigger a data abort and verify we are not going into a panic loop.
Change-Id: Ie046379e6a9469bd683fa774cdc9abb10a14e8f1
Reviewed-on: https://chromium-review.googlesource.com/233109
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Commit-Queue: Vincent Palatin <vpalatin@chromium.org>
This is fairly large change set to accomodate a new hardware
release. There are enough differences to require refactoring the
registers.h file. Autogenerated constants are now in gc_regdefs.h
and all constant names begin with GC_, while register names are
defined in registers.h and begin with GR_.
Yes, I know the new header files are wider than 80 chars, but we
agreed that was okay in some cases if it makes them more readable
(see commit 3500c28).
BUG=chrome-os-partner:33423
BRANCH=none
TEST=make buildall -j
Build and run on the development board.
Change-Id: I21bd88c490f4f359ad17b5af9d17d8caca8dc9e4
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/230513
Reviewed-by: Sheng-liang Song <ssl@chromium.org>
The serial console works. Nothing else is implemented yet.
BUG=none
BRANCH=ToT
TEST=make buildall -j
To build,
make BOARD=cr50 hex
Testing the result requires a development board. I have one. It
works with HW revision m3.dist_20140918_094011
Change-Id: I718d93572d315d13e96ef6f296c3c2796e928e66
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/226268
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
