For pairing purpose, we want to store some secret random number in
the base. The most convenient location for this is the rollback
region.
Since the rollback region can now be updated without incrementing
rollback_min_version (when we add entropy to the secret), we need
to add an increasing id to tell the code which rollback region is
the latest.
We also add console commands to manually add entropy.
BRANCH=none
BUG=b:38486828
TEST=Flash hammer (with or without CONFIG_ROLLBACK_ENTROPY_SIZE set)
rollbackinfo => 1 version 0 block, 1 empty block, RW verifies
correctly.
rollbackupdate 0; rollbackinfo => No change
rollbackupdate 1; reboot => RO refuses to jump to RW
only when CONFIG_ROLLBACK_ENTROPY_SIZE is set:
rollbackinfo => Secret is [00..00] on both blocks (so the data
was copied correctly)
rollbackupdate 2, 3, 4; rollbackinfo => Writes alternate
between the 2 blocks.
rollbackupdate 2 => Refuses to downgrade version
TEST=From blank secret [00..00], 'rollbackaddent Hello' updates it
to [ba..fa], which matches the output of:
(dd if=/dev/zero bs=1 count=32; echo -n Hello) | sha256sum
Change-Id: I79c3e790e56e21958cc1b4ba05bd4e5f359d3090
Reviewed-on: https://chromium-review.googlesource.com/511985
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
Implement actual rollback protection. First, we add a new field
in the version structure, which is an incrementing integer
(we'll start by shipping images with version 0, and gradually
increase the number as required). This allows us to release
new versions of the EC without necessarily bumping the rollback
protection.
For the rollback protection block itself, it contains 2 sub-blocks
of equal size (normally, 2k), that are individually erasable.
The rollback code looks at both, and takes the most restrictive one
to determine the desired rollback minimum version. The blocks
are also allowed to be erased (full of 1's), in which case the
rollback minimum version is assumed to be 0.
We also add an FMAP entry, in case we later decide to allow the
signer to increment the rollback version.
Also note that, like any version_data struct change, this change
breaks compatibility between old and new RO/RW.
Follow-up code will take care of auto-updating the rollback block
as required, and properly manage block protection.
BRANCH=none
BUG=b:35586219
TEST=Flash hammer
rollbackinfo => 1 version 0 block, 1 empty block, RW verifies
correctly.
rollbackupdate 0; rollbackinfo => No change
rollbackupdate 1; reboot => RO refuses to jump to RW
rollbackupdate 2, 3, 4; rollbackinfo => Writes alternate
between the 2 blocks.
rollbackupdate 2 => Refuses to downgrade version
Change-Id: Ia969afb481a93deb912b9153bdd95ace01ad8fa7
Reviewed-on: https://chromium-review.googlesource.com/452815
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
usbpd1 futility image type is deprecated and should not be used for
new designs. This adds proper support for rwsig image type.
Key and signatures are added at linker stage step (futility cannot
directly create such signed images). Thanks to VB21 header, rwsig.c
can now tell how many bytes of the RW image need to be
cryptographically verified, and ensure that the rest is blank (0xff).
BRANCH=none
BUG=chromium:690773
TEST=make BOARD=hammer; flash, RW image is verified correctly.
TEST=make runtests -j
TEST=For the rest of the tests:
Change config option to CONFIG_RWSIG_TYPE_RWSIG
TEST=make BOARD=hammer; flash, hammer still verifies correctly.
TEST=cp build/hammer/ec.RW.bin build/hammer/ec.RW.bin.orig;
futility sign --type rwsig --prikey build/hammer/key.vbprik2 \
build/hammer/ec.RW.bin
diff build/hammer/ec.RW.bin build/hammer/ec.RW.bin.orig
=> Same file
TEST=Add CONFIG_CMD_FLASH, flashwrite 0x1e000, reboot, EC does
not verify anymore.
TEST=dump_fmap build/hammer/ec.bin shows KEY_RO and SIG_RW at
correct locations.
Change-Id: I50ec828284c2d1eca67fa8cbddaf6f3b06606c82
Reviewed-on: https://chromium-review.googlesource.com/441546
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
A typical EC image includes two similar in their functionality
subsections, RO and RW. CR50 has a small RO subsection, all it does -
detects a proper RW image to run and starts it up. To provide for
reliable firmware updates, the CR50 image needs to include two RW
sections, while the code is running from one RW subsection, the other
one can be upgraded.
This patch adds the ability to generate two identical RW sections,
mapped half flash size apart, and include them into the resulting EC
image.
To keep things simple the previously existing RW section's name is not
being changed, while the new (identical) RW section is named RW_B.
Two configuration options need to be defined to enable building of the
new image type: CONFIG_RW_B to enable the feature and
CONFIG_RW_B_MEM_OFF to define where RW_B should be mapped into the
flash.
A new rule added to Makefile.rules allows to generate a different lds
file from the same source (core/cortex-m/ec.lds.S) by defining a
compile time variable to pick a different base address for the
rewritable section, when RW_B is built.
BRANCH=none
BUG=chromium:43025
TEST=as follows:
- make buildall -j still succeeds
- verified that regular CR50 image starts successfully
- modified chip/g/loader/main.c to launch RW_B first, re-built and
re-run the image, observed on the console:
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
cr50 bootloader, 20151118_11218@80881, no USB, full crypto
Valid image found at 0x00084000, jumping
--- UART initialized after reboot ---
[Reset cause: power-on]
[Image: unknown, cr50_v1.1.4160-4c8a789-dirty 2015-12-07 18:54:27 vbendeb@eskimo.mtv.corp.google.com]
[0.001148 Inits done]
This FPGA image has no USB support
Console is enabled; type HELP for help.
> [0.002212 task 2 waiting for events...]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(note that the image base address is 0x840000, which is RW_B).
Change-Id: Ia2f90d5e5b7a9f252ea3ecf3ff5babfad8a97444
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/316703
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
This commit introduces the build infrastructure changes needed for
creating a shared RO library. (libsharedobjs). The end goal is for the
library to contain various objects that can be shared with both the RO
and RW EC images.
Now, there are 3 make goals: ro, rw, and libsharedobjs.
In order for changes that are only specific to a single image (ie: RW
only) to be applied correctly, the object files are now built separately
for the RO, RW, shared objects library targets.
NOTE: Certain EC targets are incompatible with this model due to the
fact that only one image is present within flash at a time.
BRANCH=none
BUG=None
TEST=make -j buildall tests
TEST=make -j BOARD=cr50 xrefs
TEST=make BOARD=samus dis
TEST=Built samus EC image and compared that the final EC image was
identical to the upstream version (except for the git SHAs & version
strings).
CQ-DEPEND=CL:285934
Change-Id: I8e67f089710be9c6d7017718109262394bdad2f5
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Reviewed-on: https://chromium-review.googlesource.com/274079
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Tested-by: Aseda Aboagye <aaboagye@chromium.org>
Commit-Queue: Aseda Aboagye <aaboagye@chromium.org>
Ryu sensor hub has asymectric RO/RW images. The first one is very limited
(not i2c master, no sensor drivers, gesture recognition).
Image size is alter to offer more space for the RW firmware image,
compiled with ryu_sh board.
To write RO image and basic RW image:
flashrom -V -p ec:type=sh,block=0x800 --fast-verify -w /tmp/ryu_sh_loader/ec.bin
To write the expected RW image:
flashrom -V -p ec:type=sh,block=0x800 --fast-verify -w -i EC_RW:/tmp/ryu_sh/ec.bin
BRANCH=ToT
BUG=chrome-os-partner:33908
CQ-DEPEND=CL:231970,CL:233233
TEST=load on Ryu, confirmed limited operation.
Change-Id: Ib976e2b048935adfb9b2b072c071db5be2bc1c09
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/231984
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
EAh is used at the end marker for calculating hash in EC.
The extra EAh make hash calculated by EC different from calculated in host
by sha256sum for the RW image. The RO image is fine.
Fix a comment, no A,B images anymore.
BUG=chromium:438326
TEST=Check sha256sum is similar for Ryu EC image.
On EC console
> hash rw
[28.740271 hash start 0x00010000 0x0000ea24]
> [28.938875 hash done e2c40d0168ce4b20e8320438c7fc719d2188d7f88d9cb7ca694527b3f507e534]
sha256sum of built image:
sha256sum build/ryu_p1/ec.RW.flat
e2c40d0168ce4b20e8320438c7fc719d2188d7f88d9cb7ca694527b3f507e534
build/ryu_p1/ec.RW.flat
TEST=Check firmware upgrade still works:
Using a modify version of coreboot with
- ryu_p1 as main ec firmware
- code to reenable SW sync: CL:233222
Ryu with an older image:
cros_ec_init: CrosEC protocol v3 supported (128, 128)
Google ChromeOS EC driver ready, id 'ryu_p1_v1.1.2570-942248a'
Clearing the recovery request.
VbEcSoftwareSync(devidx=0)
EC hash:e2c40d0168ce4b20e8320438c7fc719d2188d7f88d9cb7ca694527b3f507e534
EC-RW hash address, size are 0x835b4ff8, 32.
Hash = b183cd58d668d3d42a7cec95f2dcbb8ddee33f6a42d873f4b78106f85d341b46
Expected hash:b183cd58d668d3d42a7cec95f2dcbb8ddee33f6a42d873f4b78106f85d341b46
EC-RW firmware address, size are 0x837f9374, 59924.
VbEcSoftwareSync() - expected len = 59924
Computed hash of expected
image:b183cd58d668d3d42a7cec95f2dcbb8ddee33f6a42d873f4b78106f85d341b46
VbEcSoftwareSync() updating EC-RW...
VbEcSoftwareSync() jumping to EC-RW
VbEcSoftwareSync() jumped to EC-RW
VbEcSoftwareSync() in RW; done
Check that at next reboot the firmware is not upgraded:
cros_ec_init: CrosEC protocol v3 supported (128, 128)
Google ChromeOS EC driver ready, id 'ryu_p1_no_version'
Clearing the recovery request.
VbEcSoftwareSync(devidx=0)
EC hash:b183cd58d668d3d42a7cec95f2dcbb8ddee33f6a42d873f4b78106f85d341b46
EC-RW hash address, size are 0x835b4ff8, 32.
Hash = b183cd58d668d3d42a7cec95f2dcbb8ddee33f6a42d873f4b78106f85d341b46
Expected hash:b183cd58d668d3d42a7cec95f2dcbb8ddee33f6a42d873f4b78106f85d341b46
VbEcSoftwareSync() in EC-RW and it matches
BRANCH=ToT
Change-Id: I2db275a16b16fbcea95f53287e95104ba921593e
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/232952
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
This file will soon contain the exhaustive list of all CONFIG defines
and their descriptions.
Chip-level configs are renamed to config_chip.h to avoid naming
conflicts.
BUG=chrome-os-partner:18343
BRANCH=none
TEST=build all platforms
Change-Id: I9e94146f5b4c016894bd3ae3d371c4b9f3f69afe
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/62122
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
All of our current EC configs have RO and a single RW image. Calling
that image 'A' is confusing, particularly when combined with EC
software sync (where the RW image is updated from either the A or B AP
RW firmware). So, rename it.
This changes all the build artifacts and constants. Internal EC
commands and host commands still refer to A/B; that will be fixed in
part 2.
BUG=none
TEST=build link, snow, bds
Change-Id: Icfed4914745f0799bb71befb6a6563cfd8bc90ab
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/27649
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
And if RW B isn't enabled, it's not even linked.
BUG=chrome-os-partner:10881
TEST=on link, should be no B image, and 'sysjump B' should fail
On BDS, still should be A and B images
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Change-Id: Icb2af07881cc7e28b9b877f45824486a22fde8d7
Reviewed-on: https://gerrit.chromium.org/gerrit/26116
To accomodate our growing code, image RW.B is removed so that RO and
RW.A can both have 60K space. This is just a temporary solution. Add
RW.B back when we have enough space for all three images.
Also add license header to firmware_image.lds.S so that repo does not
complain about it.
BUG=chrome-os-partner:8079
TEST=build image and run on proto-0.
Change-Id: I85b723f3e645c12fd89b189263ca44d58c4621eb
Signed-off-by: Vic Yang <victoryang@chromium.org>
