Some tests cannot be built on some boards (not enough SRAM,
unusual configuration, etc.). Instead of the long list of
exceptions in test/build.mk that we currently use, allow
each board (or chip) build.mk to set test-list-y, and
only use the default list if it is unset.
BRANCH=poppy
BUG=b:80167548
TEST=make buildalltests -j
Change-Id: I803c691f419451aad4396529302a4805cbe3f9b5
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1074572
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
This makes it easier to add params or flags for vendor commands
without changing all of the command handlers. It also reduces code
size by 56 bytes.
For now, existing command handlers continue to use
DECLARE_VENDOR_COMMAND(). Added DECLARE_VENDOR_COMMAND_P() for
handlers which take the params struct directly. The CCD command will
be the first user of that, since it will have different rules for
'open' based on where the command comes from.
No change to existing command behavior.
BUG=b:79983505
BRANCH=cr50
TEST=gsctool -I still works
Change-Id: I7ed288a9c45e381162e246b50ae88cf76e67490d
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1069538
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Added flags parameter to extension_route_command(). The caller now
specifies whether the command comes from the USB interface or the AP.
Moved USB-specific shuffling of response to embed result code into
usb_upgrade.c, so extension_route_command() can be more generic.
No change to permissions/behavior for existing commands.
ccd_command_wrapper() still sends vendor commands as if they come from
the AP. That's fixed in the next CL.
Reduces code size by 128 bytes
BUG=b:79983505
BRANCH=cr50
TEST=manual
Build with DEBUG_EXTENSION defined, to turn on printing each command
'ccd lock' comes from AP and works
From host, 'gscutil -I' comes from USB and fails
From AP, 'gscutil -t -I' comes from AP and works
Change-Id: I7136bb54073de9c5951a174c308151b1871c56f3
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1068101
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
AP and EC consoles may generate a lot of bursty traffic, and cr50 UART
console to USB processing is very slow: when characters become
available, a hooks task callback is invoked, which retrieves received
characters one at a time and queues them up to the appropriate USB
transmit queue.
This patch speeds up things as follows:
- increases the seize of USB transmit queues for AP and EC console
channels to 512 bytes. Experiments supported by code
instrumentation has shown that even this is not enough to avoid
underruns, but this is a good compromise between memory use and
performance, these sizes could be revisited later,
- raises UART RX interrupt priority from level 1 to 0
- moving bytes from UART TX FIFO to USB queue happens on the
interrupt context when UART TX interrupt is asserted
- as many characters as possible are read from the UART first,
before queuing function is called, and the entire received batch
is passed to the queuing function.
It has to be mentioned here that presently batch processing is not
necessarily much more efficient, because queuing function becomes
more complicated when multiple objects are passed to it, this will
have to be dealt with in a separate patch.
There is still a lot of room for improvement:
- functions used to queue up data are very generic, dedicated code
could help a lot.
- UART drivers should have methods for collecting all bytes
available in receive FIFO in one invocation,
- USB side of things (dequeuing data and passing it to the
controller.
BRANCH=cr50, cr50mp
BUG=b:38448364
TEST=ran 'chargen' application on both AP and EC to flood the console
channels and observed the flow of characters on the host site, it
is pretty smooth with occasional hiccups, especially when TPM is
active, before this patch it was impossible to have both stream
up, both were garbled.
- Verified that new account can be created and user logged in on
restarts while chargen is running, i.e. TPM task gets enough
processing bandwidth.
- When EC is reset, there seem to be no lost characters on the
console (it used to cause some garbled console output before this
patch). The below output was collected on Coral:
> reboot
Rebooting!
--- UART initialized after reboot ---
[Reset cause: soft]
[Image: RO, coral_v1.1.8363+2cc945d5a 2018-05-15 17:41:57 ...
[0.003605 init buttons]
[0.003826 Inits done]
[0.004094 tablet mode disabled
]
[0.008272 found batt:SMP]
[0.022278 SW 0x01]
[0.042247 hash start 0x00040000 0x00021994]
[0.045823 Battery FET: reg 0x0018 mask 0x0018 disc 0x0000]
[0.071136 kblight registered]
[0.071544 PB init-on]
[0.071818 USB charge p0 m0]
[0.073670 ID/SKU ADC 4 = 1309 mV]
[0.075630 ID/SKU ADC 3 = 852 mV]
[0.076077 SKU ID: 71]
[0.076335 Motion Sensor Count = 3]
[0.083594 PD comm enabled]
...
- did not test bitbang programming mode, it is in line for
reworking for speeding up as well.
Change-Id: Ic9f3972f585dd1976169965c2a2422253aeac87a
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1016037
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
gcc 8.1 complains about duplicate const, and while some of these really
are duplicate, others look like they were supposed to tighten the API
contract so that variables are "const pointer to const data", but didn't
have that effect.
BUG=b:65441143
BRANCH=none
TEST=building Chrome EC as part of upstream coreboot's build with a
gcc 8.1 compiler now works (better. there are other issues left)
Change-Id: I6016c5f282516471746f08d5714ea07ebdd10331
Signed-off-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1039812
Commit-Ready: Patrick Georgi <pgeorgi@chromium.org>
Tested-by: Patrick Georgi <pgeorgi@chromium.org>
Reviewed-by: Stefan Reinauer <reinauer@google.com>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
Before:
*** 4560 bytes still available in flash ****
After:
*** 4696 bytes still available in flash ****
BRANCH=none
BUG=b:65253310
TEST=Update Cr50 with this image and verify the keys are the same.
Change-Id: I1c722ced185c41f732ce0ed5236db01401f21dfc
Signed-off-by: Allen Webb <allenwebb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1031058
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
When running signed with dev keys and the fallback certificate is not
available, proceed installing unverified root certificate. This at
least allows to keep basic TPM functions like storing objects in NVMEM
to keep going. Added a new return value to indicate this condition.
BRANCH=cr50, cr50-mp
BUG=none
TEST=verified that it is possible to switch chromebook between prod
and dev modes when running with a dev signed Cr50.
Change-Id: I5b16d0bcbcfb25368f65075e1d2d485a69cb729f
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1054990
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
AES-CMAC implementation based on extant 128-bit AES, following closely
to the description in RFC 4493. Timing depends only on the length of the
message, not the content or the keys.
Signed-off-by: Jade Philipoom <jadep@google.com>
BRANCH=cr50
BUG=b:72788497
TEST=Passed the four test vectors provided in the RFC; these tests are defined as commands in aes_cmac.c and can be run with
"test_cmac 1 2 3 4" when CRYPTO_TEST_SETUP is defined.
Change-Id: I96fb4f29927c11970a6a17c0fd583694aa945c91
Reviewed-on: https://chromium-review.googlesource.com/975181
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
This adds some of the ground work for hardware backed brute force
resistance on Cr50. The feature is called Pinweaver. It will
initially be used to enable PIN authentication on CrOS devices
without reducing the security of the platform. A Merkle tree is
used to validate encrypted metadata used to track login attempts.
The metadata tracks counts of failed attempts, a timestamp of the
last failed attempt, the secrets, and any associated parameters.
Instead of storing the metadata on Cr50 an AES-CTR is used with an
HMAC to encrypt the data so it can be stored off-chip and loaded
when needed.
The Merkle tree is used to track the current state of all the
metadata to prevent replay attacks of previously exported copies.
It is a tree of hashes whose root hash is stored on Cr50, and whose
leaves are the HMACs of the encrypted metadata.
BRANCH=none
BUG=chromium:809730, chromium:809741, chromium:809743, chromium:809747
TEST=cd ~/src/platform/ec && V=1 make run-pinweaver -j
Change-Id: Id10bb49d8ebc5a487dd90c6093bc0f51dadbd124
Signed-off-by: Allen Webb <allenwebb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/895395
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Since the proper signer utility has been introduced in the chroot,
there is no need in generating reduced command option set when
building a self signed image.
Also, the same manifest can be used for all images, self signed or
signed using a fob. The manifest needs to be tweaked for the self
signed images to match the test Key ID.
Since the same base manifest is used for all signings, there is no
need to support the "poor man's json parser" any more.
Rearranged build.mk to accommodate new logic, and added some comments.
BRANCH=cr50, cr50-mp
BUG=b:78212718
TEST=verified that images with proper header version are created when
both self signed and signed with a private key coming from the
signing fob.
Change-Id: I5a1f8a223098b0a6c830ef24ffe380fc0badcafa
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1017238
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
When building EC targets in the setups where the Cr50 codesigner
utility is not present let's just bypass the signing step.
Also removing bitrotten source code of the old codesigner.
BRANCH=none
BUG=chromium:830302
TEST='make buildall' succeeds even if cr50-codesigner is not available.
Change-Id: Ic6c4988455bcee6c45504e1fe781f6e03636d57a
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1005401
Reviewed-by: Allen Webb <allenwebb@google.com>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
The upcoming cr50-codesigner change will allow to use it for swapping
arbitrary blobs in the Cr50 image before signing.
Let's use this feature to replace test RMA public key with the prod
one.
BRANCH=cr50, cr50-mp
BUG=b:73296144
TEST=with the rest of the patches in place verified that invoking make
with CR50_SWAP_RMA_KEYS=1 causes swapping the RMA public key in
the generated image.
Change-Id: I4c9994c1a542f456b24d2066ecada9f92f1bfaf3
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/996514
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Source code for Cr50 codesigner has been added to the chroot and the
executable is installed as /usr/bin/cr50-codesigner when cros sdk is
created/updated.
Let's use the 'official' version instead of outdated local one.
BRANCH=cr50,cr50-mp
BUG=b:73296144
TEST=verified that properly signed Cr50 images can be built.
Change-Id: Ibc68340a26011c7d5ac028bbee73cd0f2c39c291
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/996512
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Use the reset count to determine if there was a rollback in
system_rollback_detected. Before system.c was checking if the inactive
header was newer than active one to determine if the system rolled back.
This wasn't accurate. Cr50 rollback isn't the only reason why a newer
image may be rejected. The image may have been rejected because it
wasn't signed correctly or it's corrupted, so we shouldn't be using the
newer header as a sign that there was a rollback.
The reset count is cleared when the AP boots. This means the rollback
state will be lost the first deep sleep resume after the AP has booted.
BUG=none
BRANCH=cr50
TEST=manual
flash a dbg image with version 4.0 that has two infomap bits
erased.
Check sysinfo to see that it doesn't think cr50 rolledback
flash a dbg image with version 4.4 that has one infomap bit
erased.
Make sure that 4.4 image is rejected and cr50 is still running
4.0
Check sysinfo to see that it doesn't think cr50 rolledback
flash a dbg image with version 4.4 that has two infomap bits
erased.
Make sure cr50 jumps to that image
rollback to the 4.0 image
Make sure sysinfo shows there was a rollback.
Boot the system
Make sure sysinfo shows there was a rollback.
Change-Id: I85f2e001ffed9e2185a276dfa916e9b0a05ff7bf
Signed-off-by: Mary Ruthven <mruthven@google.com>
Reviewed-on: https://chromium-review.googlesource.com/985029
Commit-Ready: Mary Ruthven <mruthven@chromium.org>
Tested-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
This field allows multiple product families to be independently versioned
and released, without risk of having one product family's image flashed
to another product family's chip.
BUG=b:73728151
BRANCH=none
TEST=make buildall -J
Change-Id: I53f5e5b1e9ac7ea19997f8d1228a568e66c43d39
Reviewed-on: https://chromium-review.googlesource.com/935759
Commit-Ready: Jeff Andersen <jeffandersen@google.com>
Tested-by: Jeff Andersen <jeffandersen@google.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Nadim Taha <ntaha@google.com>
CONFIG_IGNORE_G_UPDATE_CHECKS currently drops all upgrade checks.
Now with CONFIG_BOARD_ID_SUPPORT only check for board_id match.
CR50_DEV still retains full no check behavior.
TEST=buildall -j8
BRANCH=none
BUG=none
Change-Id: I0d085a26c814cd0f35450f0a0db06fe8525ab896
Reviewed-on: https://chromium-review.googlesource.com/933589
Commit-Ready: Marius Schilder <mschilder@chromium.org>
Tested-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Various parts of Cr50 code and Cr50 related utilities duplicate
definition of __packed available in include/common.h. Let's use the
same definition everywhere.
BRANCH=cr50, cr50-mp
BUG=none
TEST=make buildall succeeds
verified that linker generated map files for Cr50 RW are the same
before and after this change.
built and used gsctoo and rma_reset
Change-Id: Ib91f9bbad1f6822b347f32b393630f592df80d60
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/931929
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Cr50 cannot override the state of the power button. It was possible with
dev cr50 chips, but the capability was removed in prod chips. Change the
console command, so it is only used to get the state of the power
button.
Remove all of the commands used to override the power button.
BUG=b:73557298
BRANCH=none
TEST=none
Change-Id: I99cb5e8a18dd972fba460c434364702f06a26305
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/926964
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Flash operations in do_flash_op() involve waiting polling for the chip
to complete the operation. If a concurrent operation is started while
another operation is in progress, flash gets confused and locks up.
Let's add a mutex to ensure that flash operation runs to completion
before another operation starts.
BRANCH=cr50
BUG=b:67651754
TEST=multiple times ran firmware update while the device was coming up
and saving TPM status in NVMEM. Observed no failures.
Change-Id: I777a38f8a63cf17d60edb11cc3f916a4ea904741
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/894180
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
- Add a vendor command that provides alert counter. Userspace can use
it e.g. for user metric analysis.
- Add 'alerts' debug console command. It provides information about
chip alerts: supported alerts, fuse status, interrupt status, alert
counter.
- Add 'alerts fire [INT]' command to fire a software defined alert
(globalsec/fwN where N is 0,1,2,3).
Signed-off-by: Anatol Pomazau <anatol@google.com>
BUG=b:63523947
TEST=ran the FW at Pyro and checked alerts data sent to host
Change-Id: I7cec0c451ed71076b44dad14a151b147ff1337e8
Reviewed-on: https://chromium-review.googlesource.com/817639
Commit-Ready: Anatol Pomazau <anatol@google.com>
Tested-by: Anatol Pomazau <anatol@google.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Typically this routine runs on low priority hook task.
A pre-emption by a higher priority task might be mistaken for timeout.
Double check the transfer done status after the timeout time has passed.
Also clear the TXDONE status before starting a fresh transaction to make sure
we wait for the current transaction to complete; an errand TXDONE status
at start of the transaction will pre-empt waiting for the current transaction
and return stale data.
BRANCH=none
TEST=mn50 stress test fails within minutes vs. now stable.
Main test component is higher priority console task
that does intermittent compute during usb-spi transfers.
Change-Id: Ide4390e42d3957bc45eea8160617a52dd31ed866
Reviewed-on: https://chromium-review.googlesource.com/849662
Commit-Ready: Marius Schilder <mschilder@chromium.org>
Tested-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Nick Sanders <nsanders@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Some upcoming designs based on the g chip require GPIOs connected to
open drain circuits.
Even though the chip explicitly provides only two open drain GPIOs,
the desired behavior of the rest of the pins when configured as 'open
drain' could be simulated by software if when 'high' is required the
output is disabled instead of driving the pin value.
To make sure there is no fallout from RO driving the pins, also add an
explicit 'disable output' initialization in case a GPIO is configured
for open drain and the initial output value is 'high'.
BRANCH=cr50
BUG=none
TEST=verified that Cr50 booted successfully, also confirmed that on
the test board that GPIOs defined as Open Drain allow we set
output to 1 only if pulled up.
Change-Id: Id2daa19b992bab7fb01148b6fa7b57fd0728b33d
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/848152
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Nobody is calling the flush function for consumer_ops structure,
so let's remove it to save flash space, until we find a use for it.
CQ-DEPEND=CL:*529221
BRANCH=none
BUG=chromium:795624
TEST=make buildall -j, saves from 40 to 128 bytes on some boards.
Change-Id: Iad18b30f419ccebc54a90914ec46da84b8d19601
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/826905
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
Stalling reset during when CS is asserted is useful to start with, it
was added before out of abundance of caution, but come to think of it,
should the reset happen asynchronously driven be the EC, the AP would
be reset too. And when AP is reset on its own accord, it would not be
transmitting anything on the SPI interface.
On top of that it turns out that in some cases reset on ARM platforms
is accompanied by the CS line driven low, which causes infinite loop
if Cr50 is waiting for CS to deassert before proceeding.
BRANCH=cr50
BUG=b:67008109
TEST=verified that RMA reset operates properly on both ARM and x86
platforms.
Change-Id: I43efd0cefa5d6eb543dfd27e3c9fb3b4bf1a8ea6
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/791818
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
We were using bn_modexp() to perform a simple modular square.
A bn_modexp_word() does this faster.
BRANCH=none
BUG=b:68167013
TEST=generate 128 primes from prng seed and verify they're same as before; tcg_test passes
Change-Id: I411a7d3fe2d68f93dc40bf74b941a637f9aa20ed
Reviewed-on: https://chromium-review.googlesource.com/778057
Commit-Ready: Marius Schilder <mschilder@chromium.org>
Tested-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Sometimes the AP will generate a short 'wake' pulse on the SPS CS line
just in case the chip is in the sleep state. This pulse is supposed to
wake up the chip and prepare it to process the actual SPS transaction
which follows the wake pulse in 100 us.
It turns out that under certain conditions it takes the Cr50 longer
than 100 us to react to the wake pulse, for instance when it writing
into flash which is in the same bank the code is running from, there
is no way to avoid stalling in this case.
What happens then is that the 'CS deasserted' interrupt for the wake
pulse comes while the actual SPS transaction is in progress. In this
case when processing the CS deassertion interrupt the Cr50 should not
consider it an end of a transaction, but just ignore it making sure
that the next CS deassertion still would trigger an interrupt.
BRANCH=none
BUG=b:68012381
TEST=verified that this patch helps the AP firmware test case which
was often failing due to TPM getting out of sync.
Change-Id: I412459552f4b2d13cd72800c1af7d583226e8466
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/754505
TPM reset processing takes certain time, and conceivably the AP could
start SPI transactions before TPM reset is finished. If the SPS
interface comes up while the CS line is active, the H1 controller
considers this a start of the SPI cycle, even though it is not - the
AP has already transferred the header and is waiting for the flow
control.
Let's not complete SPS interface initialization while the CS line is
kept active.
BRANCH=cr50
BUG=b:68012381
TEST=verified that the AP firmware test passes
Change-Id: I53cd49c6139f3c29c4b6d234c7ee4d527c8282f6
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/754504
Reviewed-by: Randall Spangler <rspangler@chromium.org>
There is no point in invoking SPS receive handler if there has been no
data transferred while CS was asserted, as would be the case when the
AP generates the wake up pulse.
Also, make sure that the flag indicating that data was seen is cleared
when the interface is reinitialized, as TPM reset could come during an
SPS transaction.
BRANCH=cr50
BUG=b:68012381
TEST=verified that the AP firmware test passes
Change-Id: I82d63d257b67a715d6dbc540c2d7480e5ff718ff
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/754503
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Events used when TPM task is running are defined in two different
places, one of them shared with other boards running on H1.
Let's avoid collision by redefining Cr50 only events to be different
from shared ones used by dcrypto.
BRANCH=cr50
BUG=b:68729265
TEST=verified that there is no more 'tpm_reset_request: already
scheduled' messages generated when TPM is reset when performing
long dcrypto operation.
Change-Id: Ic9517fa98be21f3ef5f19b82c593d96b0ddbaf6b
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/756914
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Duncan Laurie <dlaurie@google.com>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Currently the Cr50 code resets TPM communications layer at a certain
point during TPM reset process.
It turns out that this is not sufficient - the comms layer keeps
receiving and trying to invoke TPM layer, which does not mesh well
with TPM reset.
Let's provide two callbacks for each comms layer - to shut it down and
to bring it back up. We shut down the comms when starting TPM reset
and bring them back up when reset is completed.
BRANCH=cr50
BUG=b:68012381
TEST=ran AP firmware test suite on both SPI and I2C based devices.
Change-Id: I7caf4a09b9a5c6e5fc6bfe60eae1c0d64ab24904
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/754502
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
gcc 6.3 (as provided by coreboot-sdk) needs that to know which code
paths end early.
Also add a loop after the command that is "supposed" to reset the
machine so that the compiler believes it (and in case that assumption
fails).
BRANCH=none
BUG=b:65441143
TEST=none
Change-Id: Idb87253ec7880d66ffec30d75f4d007f02f63aab
Signed-off-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-on: https://chromium-review.googlesource.com/742916
Commit-Ready: Patrick Georgi <pgeorgi@chromium.org>
Tested-by: Patrick Georgi <pgeorgi@chromium.org>
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
In some scenarios we want to take RW updates w/o taking version numbers into consideration,
much like the behavior we get w/ CR50_DEV.
But then without the additional CR50_DEV features enabled for the rest of the code.
BRANCH=none
BUG=none
TEST=compiles
Change-Id: I7dd946ab77bbdc35850ed934cd53735418e13845
Reviewed-on: https://chromium-review.googlesource.com/724967
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Marius Schilder <mschilder@chromium.org>
Trybot-Ready: Marius Schilder <mschilder@chromium.org>
It turns out the code logic is not exactly correct: the range for
coarse trim values is 0..0xFF.
Use the fixed top of the range value and do not print messages if the
value is at the range boundary.
BRANCH=cr50
BUG=b:67788437
TEST=Observed occasional messages on the Cr50 console when
plugging/unplugging Suzy-Q, but not the constant spew.
Change-Id: I94ab581769ba8326346b636b1342136e98d61ff1
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/723981
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Previously, an error reading Board ID would prevent any image from
running, even a wildcard (unrestricted) image with mask=flags=0 which
would match any Board ID.
Now, if Board ID can't be read, match the image against
type=type_inv=flags=0. This will match only an unrestricted image.
(This is better than checking directly for an unrestricted image,
because that check is more susceptible to clock-jitter-induced errors.)
BUG=b:67651806
BRANCH=cr50
TEST=Hack read_board_id() to return error. See that an unrestricted
image will now boot.
Change-Id: I1071e146b4541e8efd50c8409b8f76012a107731
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/713574
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Add a PERSO_AUTH appid to sign data passed through the
AUTH mn50.
Add a signer command to start and generate signatures.
Clean UART init to avoid spurious nonprinting characters
that will contaminate the siugnature.
BUG=b:36910757
BRANCH=None
TEST=generates signature for uart and spi
Signed-off-by: Nick Sanders <nsanders@chromium.org>
Change-Id: I5fc3c4ee34898421060b57b774a09734f6a1bae5
Reviewed-on: https://chromium-review.googlesource.com/670984
Reviewed-by: Marius Schilder <mschilder@chromium.org>
To aid with severe flash space shortage, let's enable
CRYPTO_TEST_SETUP only if CR50_DEV is set to a value exceeding 1.
board/mn50/board.h used to define CR50_DEV without any value assigned
to it, correct this so that the check in dcrypto.h works when mn50 is
built.
BRANCH=cr50
BUG=b:65253310
TEST=compiling with CR50-DEV=1 vs CR50_DEV=2 saves more than
17.5 Kbytes per RW image.
Change-Id: Ic77fa45b1a8f7631efa91c08e63438d412196eed
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/690993
Reviewed-by: Randall Spangler <rspangler@chromium.org>
The array storing deltas between sequential prime numbers could be
compressed, as the vast majority of the values in the array does not
require more than 4 buts to store.
The new storage format is as follows:
- each differential value (difference between two consecutive primes)
is halved and stored in 4 bits, two halved values are packed per
byte.
- I the first one of of the two sequential halved values exceeds 0xf,
it is stored in the array followed by a zero, stored as is (without
halving), thus taking two bytes.
- if the second one of the two sequential halved values exceeds 0xf,
both values are stored in the array as is, both prepended by zeros,
thus taking 4 bytes.
The code calculating the sequential primes parses the array according
to this format. Storing the primes in this format allows to shave from
the image size 1848 bytes.
BRANCH=cr50
BUG=b:65253310, b:65287300
TEST=verified that test_rsa test from the tpmtest suite passes.
verified that the list of prime numbers printed out when
PRINT_PRIMES is defined and test_rsa is ran is the same before
and after this patch.
Change-Id: Ifdc2858a48f868ef816ccb4e351d9f60703d16e7
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/664253
Reviewed-by: Nagendra Modadugu <ngm@google.com>
This change is required to reboot the chip without bringing down the
entire platform on boards where GPIOs are wired to external active reset
signals.
BRANCH=none
BUG=none
TEST=Scoped a pin across a reset.
Change-Id: I58d93697d39a8adcdac9324d5dd9da00745aec9a
Signed-off-by: Nadim Taha <ntaha@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/644179
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
When compilation is enabled, this function prints all prime numbers
generated using the PRIME_DELTAS array.
BRANCH=cr50
BUG=none
TEST=verified that prime numbers are printed out when running rsa_test.py
Change-Id: I37961aad146c4aeecca9a84550f313450e6c5853
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/683074
Reviewed-by: Shawn N <shawnn@chromium.org>
The WebUSB specification defines a specific Platform Descriptor in the
Binary Object Store:
https://wicg.github.io/webusb/#webusb-platform-capability-descriptor
This descriptor provides a special 'Landing page' URL to the host
browser and associated privileges for it.
Bump the USB version for BOS descriptors to 2.1 to be compatible with
Chrome implementation.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BUG=none
BRANCH=twinkie
TEST=manual: on Twinkie (chip/stm32) and HG proto2 (chip/g), enumerate
WebUSB descriptors with lsusb and connect to a WebUSB page in Chrome
R61+.
Change-Id: I7211ab554f4a6c156c1e8e79a3d9f0d6644217c6
Reviewed-on: https://chromium-review.googlesource.com/664813
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
In the USB 2.0 specification, the "8.5.3 Control Transfers"
chapter says that "When all of the data structure is returned to the host,
the function should indicate that the Data stage is ended by returning a
packet that is shorter than the MaxPacketSize for the pipe. If the data
structure is an exact multiple of wMaxPacketSize for the pipe, the function
will return a zero-length packet to indicate the end of the Data stage."
When doing a 'Control Read' transfer and the returned data (in IN
packets) was a multiple of MaxPacketSize, we were omitting the
zero-length packet and so the host was blocked waiting for a successful
IN transaction.
This corner-case was a regression introduced by the re-writing of the
control transfer handling done by CL 318864. So the STM32 USB code which
is similar to the former code is dealing properly with this case.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=cr50
BUG=none
TEST=manual, extend the configuration descriptor to be exactly 64 bytes,
and see the enumeration is no longer failing.
Change-Id: I108e8c6bb9eb727c41f3e1c607f0919fa1192d5a
Reviewed-on: https://chromium-review.googlesource.com/664814
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Shawn N <shawnn@chromium.org>
