When invoking vendor command handlers in try_vendor_command(), the
buffer containing the command is passed to the handler to communicate
the command contents and to hold the command execution return data. It
was fine when invoking vendor command handlers from the TPM stack, as
the receive buffer is 4K in size and is large enough for any expected
vendor command response.
It is different in case of USB: the command is in the receive buffer
of the USB queue, and the response data could easily exceed the
command size, which would cause corruption of the USB receive queue
contents when the response data is placed into the same buffer where
the command is.
Let's introduce a local storage to pass the command and receive the
response data from the handler. 32 bytes is enough for the foreseeable
future, should a need arise for a larger buffer, testing would result
in an error (a new error type is added to indicate insufficient buffer
space for command processing).
BRANCH=none
BUG=b:35587387,b:35587053
TEST=with the rest of the patches applied verified proper processing
of the 'Get Board ID' command for which response size exceeds the
request size.
Change-Id: I2131496f3a99c7f3a1869905120a453d75efbdce
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/525092
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
This patch adds vendor and console commands to read and write the
board ID space in the INFO1 block.
Current image's board ID settings are saved in the image header by the
latest codesigner.
Board ID write attempts are rejected if the board ID space is already
initialized, or if the currently running image will not be allowed to
run with the new board ID space settings.
Error codes are returned to the caller as a single byte value.
Successful read command returns 12 bytes of the board ID space
contents.
The console command always allows to read the board ID value, and
allows to write it if the image was built with debug enabled.
BUG=b:35586335
BRANCH=cr50
TEST=as follows:
- verified that board ID can be read by any image and set by debug
images.
- with the upcoming patches verified the ability to set and read
board ID values using vendor commands.
Change-Id: I35a3e2db92175a29de8011172b80091065b27414
Signed-off-by: Philip Chen <philipchen@google.com>
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/522234
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
The upcoming move of the Cr50 firmware update to the background
requires postponing the activation of the newly uploaded Cr50 image to
a later point in time, when the AP is ready to switch to start using
the new Cr50 image.
The suggested way of achieving it is as follows: when downloading the
new image, the current Cr50 code modifies the header's 'image_size'
field, setting its top bit to 1. This both makes the size invalid and
guarantees that the new image would not verify on the following Cr50
restarts.
When the AP is ready to switch to running the new Cr50 image, it will
send a vendor command, which would trigger the currently running Cr50
image to restore the other image's size field. This vendor command
would also communicate the timeout for the Cr50 to wait before
rebooting, if there has been at least one header (ro or rw) restored.
Rebooting the Cr50 would trigger rebooting the AP, resulting in the
entire system running the updated firmware.
Response sent to the AP will indicate if there has been a header
restored and the reboot is indeed upcoming, this would allow the AP to
quiesce the state of the device to handle the reboot gracefully.
BRANCH=cr50
BUG=b:35580805
TEST=with the rest of the patches applied observed the system properly
after the new header version was restored.
Change-Id: Ia1edee67b6aa8f458810d5dc2931477cfaab1566
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/457676
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This vendor command allows the host to retrieve the internal TPM
state. The first version of the command will return the failure
information collected during assert, if it ever happened, retry
counter value and the maximum retry counter value to be able to detect
if TPM is in lockout.
The structure is packed, it is serialized before being sent to the
host.
BRANCH=none
BUG=chrome-os-partner:60555
TEST=when running on a reef with a depthcharge image capable of
displaying TPM state on errors observed state information added
to the recovery screen text display.
Change-Id: I9d37f7a971013ce802f63218d43697fab68276c9
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/430952
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
TPM NVMEM commits are reenabled as soon as the system boots into
Chrome OS. However, sometimes the device does not boot into Chrome OS,
in which case it is necessary to be able to reinstate NVMEM commits
explicitly.
The new vendor command will provide this functionality.
BRANCH=none
BUG=chrome-os-partner:59873
TEST=added code to depthcharge to issue the new vendor command if the
system falls into recovery mode, verify that commits are
re-instated once the command is issued.
Change-Id: I3c06b27175751dc2c095911441935eee62ed9c50
Reviewed-on: https://chromium-review.googlesource.com/424064
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This adds a vendor command to invalidate the old rw. It should be used
when the tpm has been validated.
BUG=chrome-os-partner:55667
BRANCH=none
TEST=manual
run the vendor command
run 'ver' on the cr50 console and verify the inactive RW version
is Error
reboot cr50 10 times and make sure there is no rollback.
Change-Id: Ibec3dde77d6b1ab921e43613d54638b7318f3f57
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/420407
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Let's make sure that both embedded and host side use the same command
definitions. To avoid host compilation problems move the definitions
into a separate file.
BRANCH=none
BUG=none
TEST=compilation still works.
Change-Id: Id0d85a51aebabed0637965b3b19d7ed42c46e75e
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/414945
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
