The INFO1 mask field contents serves as input for the rollback
protection mechanism, when the RO decides if an RW is allowed to run
on the device.
The existing code updates INFO1 mask to match the lowest rollback
priority of the two images (RW_A and RW_B) present on the device.
INFO1 mask should be also updated when the current image is endorsed
by the host. In this case the alternative RW is destroyed, so the
INFO1 mask could be set based solely on the currently running image.
This patch refactors the code to allow setting INFO1 mask based on one
or both RW headers' contents.
BRANCH=cr50
BUG=b:62138152
TEST=verified that "normal" INFO1 mask updates still work as before,
the mask is modified to match the image with the lowest rollback
priority.
Also verified that when the VENDOR_CC_INVALIDATE_INACTIVE_RW
command is received the INFO1 mask is updated based on the
currently running image.
Change-Id: I23172388674e1f3a4c2489e139dd197a84029f54
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/541738
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
with the board ID match happening in the RW we need to be able to set
the rollback counter to a value which would guarantee a fallback
during the next boot.
BRANCH=cr50
BUG=b:35586335
TEST=with the rest of the patches verified the ability to set the
counter to trigger a fallback on the next reboot.
Change-Id: I161f39354e5523121e26e8ad84a791a8b06e5123
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/535976
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
With enabling INFO1 map based rollback protection it is important to
be able to tell the state of the flash map and the currently installed
images' infomap header field.
The new function counts number of zero words in the info map and zero
bits in both RW headers, and returns them in a string printed out by
the sysinfo command.
BRANCH=cr50
BUG=b:35774863
TEST=built images with different manifest info field contents and
verified that the string printed by the sysinfo command makes sense.
Change-Id: If633a6c678dc34197b2dad116b6180b2d549e089
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/450905
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
The cr50 RO image compares INFO rollback map space against the
contents of the RW image's infomap field.
To ensure that no rollback is possible, the RW should verify that the
INFO space state is consistent with the current RW and RW_B headers,
and if not, update the INFO state to comply.
This should happen only when running prod images, so that debug images
could be rolled back if so desired.
Also fixed the bug in functions enabling read and write access to the
INFO1 region. Write access is now a superset of read access setting.
BRANCH=cr50
BUG=b:35774863
TEST=as follows:
- built and ran a new image, observed it start successfully;
- modified the manifest to erase the first map location, built and
ran a new image, observed it start successfully
- restored the manifest, built and tried running a new image,
observed that the earlier version is starting.
Change-Id: I62253c3e98cd24ed24424b8bb9de22692a262d89
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/447966
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Currently, manually triggered reboots cause the retry counter to be
incremented. However, if the system is responsive enough to process the
reboot commands from either the console or TPM vendor command, we can
assume that the image is "ok". This commit changes the Cr50 behaviour
to decrement the retry counter when a reboot is issued on the console or
the TPM vendor command is received.
BUG=chrome-os-partner:62687
BRANCH=None
TEST=Flash cr50. Flash an older image in the other slot. Enter the
reboot command on the console over 10 times and verify that retry
counter never exceeds RW_BOOT_MAX_RETRY_COUNT and older image is never
executed.
CQ-DEPEND=CL:444264
Change-Id: Ic35bdc63c4141834584a00a7ecceab2abe8dfc21
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Reviewed-on: https://chromium-review.googlesource.com/443330
Commit-Ready: Aseda Aboagye <aaboagye@chromium.org>
Tested-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
