hwtimer ticks at 8 * 32768 Hz rather than 250 KHz, so adjust our timing
appropriately. Also ensure that udelay() will delay for at least the
requested time, taking into account our timer precision.
BUG=b:63858553
TEST=Generate square wave with 1000us udelay between GPIO edge toggle,
verify period is 1000us + code overhead. Also verify timer behavior on
overflow with 'forcetime' command. Also verify accuracy of system clock
to 0.2% with `timerinfo` and a stopwatch.
BRANCH=None
Change-Id: I5da41bd7250db87de5143cc54ebd0bb750fb7003
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/578551
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Split bn_modexp() into three variants:
bn_modexp() for large exponents (as before)
bn_modexp_word() for single word public exponents
bn_modexp_blinded() for large exponents w/ randomization
We randomize bn_modexp_blinded() with:
1) pick 64 bit random R1 and compute R1 ** -1 and R1 ** pubexp, mod N.
2) multiply input by R1 ** pubexp
3) pick 64 bit random R2 and add (e*d*R2 - R2) to private exponent (i.e.
a random multiple of phi(N))
4) exponentiate
5) multiply output w/ R1 ** -1 to obtain expected result
Since we enlarge the exponent, bn_modexp_blinded() is slower than
bn_modexp(). We only use bn_modexp_blinded() when private exponents are
in play and we have phi(N) available.
Also refactored the combined p256 and rsa dcrypto binary blob into two
parts. And added unique first word to each dcrypto blob to make code
caching reliable.
The TPM task stack maxes out at 8040/8192 in tcg_test due to increased
stack usage of bn_modexp_blinded() but is still within safe bounds,
with 88 byte redzone.
BRANCH=cr50
BUG=b:35587382,b:35587381
TEST=buildall, tcg_test (200+)
Change-Id: Ied1f908418f31f8025363179537aa4ebd2c80420
Reviewed-on: https://chromium-review.googlesource.com/540684
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Marius Schilder <mschilder@chromium.org>
After entering prepare_to_sleep() and doing interrupt_disable(), if an
interrupt happens, it will stay pending (as the handler is masked).
Then, when calling 'wfi' in __idle(), we will go through the instruction
rather than entering deep-sleep (if requested) as we have a pending
interrupt.
The downside of this corner case is that we never undo the actions done
to prepare for deep-sleep in the IDLE_DEEP_SLEEP clause of
prepare_to_sleep(). For USB suspend, this means that on the subsequent
deep-sleep entry, we are going to try to save GR_USB_CFG/the USB
device address while the USB controller is already in reset/power-down,
recording a null value in SCRATCH18. Then, at resume time, we will
restore 0 in USB_CFG and the USB device will no longer work.
As the USB configuration is difficult to restore in case of deep-sleep
abortion, simply skip writing a bogus value in SCRATCH18 on the real
deep-sleep entry happening afterwards. This is good enough to resume
properly on USB.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=cr50
BUG=b:38160821
TEST=manual: add a (long) panic_printf trace in prepare_to_sleep() in
order to dramatically increase the probability of getting an
interruption pending after entering the function. On cr52, trigger USB
suspends by suspending the host, and see we no longer regularly get a
null USB device address at USB resume.
Change-Id: Ied3fc003eefe7fc164a320b15b5f9d400551198e
Reviewed-on: https://chromium-review.googlesource.com/559332
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Don't discard irqprio data when the IRQ_PRIORITY macro is used directly
(for watchdog / watchdog timer).
This change is probably a NOP for all platforms, since the power-on
default for the IRQ prio register seems to be zero, which is the same
priority we're setting in our direct use of IRQ_PRIORITY.
BUG=chromium:634701
BRANCH=None
TEST=Verify 'prio_44' entry exists in irqprio section by checking
ec.RO.map on kevin.
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Change-Id: Idaffc484a2ce4749c18212f179b3951ff570aed0
Reviewed-on: https://chromium-review.googlesource.com/545201
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
The INFO1 mask field contents serves as input for the rollback
protection mechanism, when the RO decides if an RW is allowed to run
on the device.
The existing code updates INFO1 mask to match the lowest rollback
priority of the two images (RW_A and RW_B) present on the device.
INFO1 mask should be also updated when the current image is endorsed
by the host. In this case the alternative RW is destroyed, so the
INFO1 mask could be set based solely on the currently running image.
This patch refactors the code to allow setting INFO1 mask based on one
or both RW headers' contents.
BRANCH=cr50
BUG=b:62138152
TEST=verified that "normal" INFO1 mask updates still work as before,
the mask is modified to match the image with the lowest rollback
priority.
Also verified that when the VENDOR_CC_INVALIDATE_INACTIVE_RW
command is received the INFO1 mask is updated based on the
currently running image.
Change-Id: I23172388674e1f3a4c2489e139dd197a84029f54
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/541738
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Reject updates for the first 60 seconds after a hard reboot. This should
prevent people from using the reboot at the end of an update to get
around the update rate limiting. Reboots don't happen during normal cr50
operation, so this should not prevent updates. It will just prevent
updating cr50 many times in a row.
This change does not limit updates after deep sleep or POR.
BUG=b:62097097
BRANCH=cr50
TEST=Try to update cr50 two times. Verify that on the second time the
update is rejected. Put cr50 into deep sleep, wake it up and verify it
can be updated immediately. Get cr50 to do a POR and verify it can be
updated immediately.
Change-Id: I828ef210e1c5bcf59d4753b8178ee4e1369d5d36
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/520727
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Add support for update related vendor commands in mn50 by relocating
relevant code from board/cr50 to chip/g.
BUG=b:36910757
BRANCH=None
TEST=./extra/usb_updater/usb_updater -d 18d1:502a build/mn50/ec.bin
Change-Id: Iec0fe5585b5b6eb099f9254dfb0e5b02d5106abc
Reviewed-on: https://chromium-review.googlesource.com/537999
Commit-Ready: Nick Sanders <nsanders@chromium.org>
Tested-by: Nick Sanders <nsanders@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Holding the mutex just around the dcrypto_call is not enough: dcrypto
instruction memory content might change in presence of multiple calling
tasks.
Switching to broad acquire/release pattern instead.
Note to sub-projects: pair your dcrypto_init(_and_lock) w/ matching dcrypto_unlock
BUG=none
BRANCH=cr50
TEST=tcg_tests pass
Change-Id: Idb7f2d79ce533db95cab51d89e3869ecf9f3d499
Reviewed-on: https://chromium-review.googlesource.com/535916
Commit-Ready: Marius Schilder <mschilder@chromium.org>
Tested-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Nadim Taha <ntaha@chromium.org>
with the board ID match happening in the RW we need to be able to set
the rollback counter to a value which would guarantee a fallback
during the next boot.
BRANCH=cr50
BUG=b:35586335
TEST=with the rest of the patches verified the ability to set the
counter to trigger a fallback on the next reboot.
Change-Id: I161f39354e5523121e26e8ad84a791a8b06e5123
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/535976
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Until the Board ID check is moved to RO, it is possible to start an RW
with a mismatching Board ID.
Let's add a function to check for mismatch and report the status.
Also eliminating the unnecessary check for empty header Board ID field
- it is going to match any board ID anyways and fixing a CPRINTF
statement in read_board_id().
BRANCH=cr50
BUG=b:35586335
TEST=verified that empty board ID header does not trigger a mismatch
on a board with a non-empty INFO1. With the rest of the patches
applied verified that board ID mismatch is reported properly.
Change-Id: Ie03f8137e494117b7a238e3af72527e0a46369e1
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/535975
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
In the FIDO U2F Authenticator Transports Extension, the list of
transports will be extended to:
FIDOU2FTransports ::= BIT STRING {
bluetoothRadio(0), -- Bluetooth Classic
bluetoothLowEnergyRadio(1),
uSB(2),
nFC(3),
uSBInternal(4)
}
Given our implementation is internal, update the value from bit(2) uSB
to bit(4) uSBInternal.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=cr50
BUG=b:35545754
TEST=with follow-up CLs, run U2FTest on Eve
and manually verify the individual attestation certificate
with an ASN.1 parser.
Change-Id: I62fe72ffed9b7eb34e31164fded46f458e5cbc16
Reviewed-on: https://chromium-review.googlesource.com/536775
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
Implement system_get_chip_unique_id() for the g hardware.
It includes the hardware revision, the chip device id and
the read-only key id.
The key-id is included because this unique id is used as serial number
inside certificates and for security reason, we want a different id if
the RO has changed (e.g Node locked firmware).
The id is also 32-byte long for convenience reason when used for
certificates, but the high 16 bytes are currently zeros.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=cr50
BUG=b:35545754
TEST=dump the x.509 individual attestation certificate which includes
the unique id as serial number.
Change-Id: If24597d0de696d2700122d425724f14703fc5256
Reviewed-on: https://chromium-review.googlesource.com/536774
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Before this change, the current task id was cached in dcrypto_init() if
it hadn't already been called. This resulted in the task id of the first
caller to dcrypto_init() being cached until reset.
The cached task id was used when generating notifications that hardware
crypto operations were complete. This was fine as long as the task that
invoked dcrypto_init() was also the task that invoked dcrypto_call(). If
this wasn't the case, the task that invoked dcrypto_init() would be
notified of an event it wasn't expecting and the task that invoked
dcrypto_call() would not be notified and would time out.
This change locks a mutex and then caches the current task id in
dcrypto_call() before invoking the hardware operation so that the
correct task will be notified when the operation has completed.
BRANCH=none
BUG=none
TEST=make -j buildall
Change-Id: I30a920d85359cc990d77c88b1607bbe4cf674206
Reviewed-on: https://chromium-review.googlesource.com/522350
Commit-Ready: Carl Hamilton <carlh@chromium.org>
Tested-by: Marius Schilder <mschilder@chromium.org>
Tested-by: Carl Hamilton <carlh@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
The contents of the board ID fields of the Cr50 image headers is an
important piece of information which determines if an image can run on
a particular H1 chip.
This patch adds this information to the output of the 'version'
command, printing both the contents of the fields of the RW images and
if the image would run with the current INFO1 board ID contents (Yes
or NO).
The board_id feature is in fact g chipset specific, this is why
board_id support files are being moved from the cr50 board scope to
the g chip scope.
BRANCH=cr50
BUG=b:35587387,b:35587053
TEST=observed expected output in the version command:
> bid
Board ID: 000000fa, flags 000000ff
> vers
Chip: g cr50 B2-C
Board: 0
RO_A: * 0.0.10/29d77172
RO_B: 0.0.10/c2a3f8f9
RW_A: * 0.0.20/DBG/cr50_v1.1.6542-856c3aff4
RW_B: 0.0.20/DBG/cr50_v1.1.6543-2c68a2630+
BID A: 00000000:00000000:00000000 Yes
BID B: 000000ea:0000fffc:000000ff No
Build: 0.0.20/DBG/cr50_v1.1.6542-856c3aff4
tpm2:v0.0.289-cb2de5a
cryptoc:v0.0.8-6283eee
2017-06-09 15:34:19 vbendeb@eskimo.mtv.corp.google.com
>
Change-Id: I5b283abf304a7408ca8f424407044fca238185e1
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/530033
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
All other chips rely on gpio_enable_interrupt to enable interrupts. They
aren't enabled by default. This changes chip/g to match that.
If chip/g boards have interrupts, they also enable them in the
init_interrupts function in board.c. Nothing needs to be added to enable
interrupts.
BUG=b:35587228
BRANCH=cr50
TEST=use 'gpiocfg' to verify the setup hasn't changed.
Change-Id: I1e975999e0174b9dcbbe63c09c6110dc4161f8ff
Reviewed-on: https://chromium-review.googlesource.com/530006
Commit-Ready: Mary Ruthven <mruthven@chromium.org>
Tested-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Invoking signer with sudo is required only when signing requires a USB
fob. Let's not use it in unless necessary.
BRANCH=cr50
BUG=chromium:728751
TEST=verified that Cr50 build succeeds when both using and not using
the signing fob.
Change-Id: I8f40bd52f1752bfd88ec002f298b991faf7a2512
Reviewed-on: https://chromium-review.googlesource.com/528373
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
There are some useful UART bitbang commands, statistics, and logs and
such. These shouldn't be enabled by default, and this commit makes it
so.
BUG=b:35648297
BRANCH=cr50
TEST=Build an image that enables UART bit banging with BITBANG_DEBUG set
to 0. Verify that the associated debug commands and statistics are not
present.
Change-Id: Ic0348a6fb1620229e2ed601e0ff549596d814e1e
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Reviewed-on: https://chromium-review.googlesource.com/527605
Commit-Ready: Aseda Aboagye <aaboagye@chromium.org>
Tested-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
When invoking vendor command handlers in try_vendor_command(), the
buffer containing the command is passed to the handler to communicate
the command contents and to hold the command execution return data. It
was fine when invoking vendor command handlers from the TPM stack, as
the receive buffer is 4K in size and is large enough for any expected
vendor command response.
It is different in case of USB: the command is in the receive buffer
of the USB queue, and the response data could easily exceed the
command size, which would cause corruption of the USB receive queue
contents when the response data is placed into the same buffer where
the command is.
Let's introduce a local storage to pass the command and receive the
response data from the handler. 32 bytes is enough for the foreseeable
future, should a need arise for a larger buffer, testing would result
in an error (a new error type is added to indicate insufficient buffer
space for command processing).
BRANCH=none
BUG=b:35587387,b:35587053
TEST=with the rest of the patches applied verified proper processing
of the 'Get Board ID' command for which response size exceeds the
request size.
Change-Id: I2131496f3a99c7f3a1869905120a453d75efbdce
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/525092
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Cr50 has different gpio configurations for different boards. They cannot
be determined until board_init. We want a way to delay enabling the gpio
interrupts until the board type can be determined.
This change adds a gpio flag, GPIO_INT_DISABLE. When set gpio_pre_init
will setup the interrupt, but not enable it. board_init then enables all
of the interrupts with init_interrupts.
BUG=b:35587228
BRANCH=cr50
TEST=use 'gpiocfg' to verify the setup hasn't changed. Add print
statements to verify that gpio_pre_init skips enabling the interrupt on
any gpio that has GPIO_INT_DISABLE set
Change-Id: I91f73297ab80781b99aa82eda479ae311c13cb77
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/523808
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
The UART block on the g chip has no functionality to adjust the parity.
Unfortunately, this feature is needed for certain applications.
This commit adds a UART bit bang driver with support for configuring the
baud rate and parity. It currently only supports 8 data bits.
BUG=b:35648297
BRANCH=cr50
TEST=make -j buildall
TEST=With some other patches, successfully flash rowan EC at 9600 baud.
Change-Id: I86a160c0960e46b3a8bb1057518f625aefb7d81f
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Reviewed-on: https://chromium-review.googlesource.com/503473
Commit-Ready: Aseda Aboagye <aaboagye@chromium.org>
Tested-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
pinmux only prints uart and gpio information. This change makes pinmux
print i2c and spi connections too.
This does not handle the direct pin to peripheral mappings, so the spi0
and sps0 peripheral pins still won't show up.
BUG=none
BRANCH=cr50
TEST=run pinmux on reef
Change-Id: Iaa6204e2af7f018569b92280bd1367aef201cc28
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/501172
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Add primitives to build x.509 certificates encoded in ASN.1 DER,
as a building block for the U2F feature.
Mostly copied over from the cr52 code-base.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=cr50
BUG=b:35545754
TEST=with follow-up CLs, run U2FTest on Eve
and manually verify the individual attestation certificate with an ASN.1
parser.
Change-Id: Ie90730d8c401c661c8ab3b1b19631337b7390e9c
Reviewed-on: https://chromium-review.googlesource.com/518134
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
The code invoking vendor commands callbacks rightly passes the pointer
to the command payload as the address right after the subcommand
field, but does not deduct the size of the subcommand field from the
size of the payload passed to the handler.
This patch fixes the issue, the command handlers do not see two extra
bytes at the tail of the command any more.
BRANCH=cr50
BUG=b:62294740, b:35545754
TEST=verified that vendor commands sent over USB and TPM still work
properly (in particular the TURN_UPDATE_ON command).
Change-Id: I11a45f65163044f808a82b214f9c5faf775f9020
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/522943
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
This patch adds vendor and console commands to read and write the
board ID space in the INFO1 block.
Current image's board ID settings are saved in the image header by the
latest codesigner.
Board ID write attempts are rejected if the board ID space is already
initialized, or if the currently running image will not be allowed to
run with the new board ID space settings.
Error codes are returned to the caller as a single byte value.
Successful read command returns 12 bytes of the board ID space
contents.
The console command always allows to read the board ID value, and
allows to write it if the image was built with debug enabled.
BUG=b:35586335
BRANCH=cr50
TEST=as follows:
- verified that board ID can be read by any image and set by debug
images.
- with the upcoming patches verified the ability to set and read
board ID values using vendor commands.
Change-Id: I35a3e2db92175a29de8011172b80091065b27414
Signed-off-by: Philip Chen <philipchen@google.com>
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/522234
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Add the robust non-volatile counter provided by CONFIG_FLASH_NVCOUNTER
in order to support the U2F implementation.
The counter implementation needs 2 (raw) pages of flash for its
underlying storage.
In order to try to avoid disrupting the existing machines by
invalidating the nvmem if we touch its mapping, those pages are placed
in each RW between the code/read-only and the read-write nvmem area by
shrinking the code/read-only by one page, so the nvmem mapping should be
untouched.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=cr50
BUG=b:35545754
TEST=with follow-up CLs, run U2FTest on Eve.
Change-Id: Ib3d7dcb9a1b13cff74b56461332937e3a4cc9ae1
Reviewed-on: https://chromium-review.googlesource.com/518137
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
This change configures the SHA engine to
a) enable random stalls at 12% during regular
operation through SHA API's, and b) enables
random stalls at 25% when doing key-ladder
operations.
TCG tests continue to complete in ~20 minutes
(i.e. no noticeable slowdown).
BRANCH=none
BUG=b:38315169
TEST=TCG tests pass
Change-Id: Id4b541cdd3d51c57979a93f71a6291cca8eb1844
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/508172
Commit-Ready: Nagendra Modadugu <ngm@google.com>
Tested-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Add console and usb_spi commands to enable or disable IOs
to the socket, so that it will not be powered if a chip is inserted,
and control reset and boot_cfg.
BUG=b:36910757
BRANCH=None
TEST=Check no voltage when socket is disabled. Full spiflash compatibility.
Change-Id: Ie4ce0613a868030833abfdccd827acce2753dc6f
Reviewed-on: https://chromium-review.googlesource.com/509072
Commit-Ready: Nick Sanders <nsanders@chromium.org>
Tested-by: Nick Sanders <nsanders@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Make the dcrypto ecdsa verify code check that r,s are in range, and
not depend on the caller C code to have done so.
For instance, s equal to 0 would result in infinite loop during
computation of its modular inverse.
BRANCH=none
BUG=b:35587381
TEST=TCG tests pass
Change-Id: I13f7811be030aed9feaa11c45dc68d4bfd08fb76
Reviewed-on: https://chromium-review.googlesource.com/508819
Commit-Ready: Marius Schilder <mschilder@chromium.org>
Tested-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Cr50 holds the EC in reset when it wants to flash the EC or AP. This
will trigger a pulse on the tpm reset signal. In early Cr50 versions
when the tpm was reset we would reboot cr50, so we added some code to
prevent cr50 from resetting itself when the update was going on.
sys_rst_asserted would check if there was an update going on and ignore
the signal if update in progress was true. At the end of the update the
deferred function was used to reset Cr50 after the update was complete.
None of this is needed anymore. We can just release the EC from reset at
the end of the update. This change removes usb_spi_update_in_progress
and the deferred update_finished.
BUG=b:35571516
BRANCH=none
TEST=flash the bob ec and ap using ccd.
Change-Id: I79416dba178c06bbc7289ad96968ee4e61947c4c
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/506571
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
There many TODOs sprinkled in the code, some of them have been
addressed or do not apply any mode. This patch removes them.
BRANCH=cr50
BUG=none
TEST=built and ran cr50 on reef
Change-Id: Ica6edb204e5cc0cc9dc7f0d43fd39e7ddaf56809
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/506496
Reviewed-by: Randall Spangler <rspangler@chromium.org>
always_memset() implements a version of memset
that survives compiler optimization. This change
replaces instances of the (placeholder) call
dcrypto_memset() with always_memset().
Also add a couple of missing memsets and
fix related TODOs by replacing memset()
with always_memset().
BRANCH=none
BUG=none
TEST=TCG tests pass
Change-Id: I742393852ed5be9f74048eea7244af7be027dd0e
Signed-off-by: nagendra modadugu <ngm@google.com>
Reviewed-on: https://chromium-review.googlesource.com/501368
Commit-Ready: Nagendra Modadugu <ngm@google.com>
Tested-by: Nagendra Modadugu <ngm@google.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
When (USB-)resuming from deep-sleep, ensure that we avoid switching back
and forth the selected USB PHY at boot, in order to avoid having a
short disconnection at resume.
To achieve this, allow the board configuration to select the PHY it is
really using with the CONFIG_USB_SELECT_PHY_DEFAULT configuration
variable, still keep the default USB_SEL_PHY1 as before.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=none
BUG=b:38160821
TEST=manual: build 'proto2' firmware with CONFIG_LOW_POWER_IDLE defined,
with the chip connected to the host on PHY A, make the host issue a USB
Suspend then resume and see no disconnection.
Change-Id: I7abd5e338e5c688c2dd486293f520049cdfd273b
Reviewed-on: https://chromium-review.googlesource.com/501947
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
This firmware supports a board used to initialize firmware on new cr50
parts.
BUG=b:36910757
BRANCH=None
TEST=boots on scribe board, spi/usb/uart/i2c functionality works.
TEST=cr50 boots on reef, CCD EC+AP SPI/UARTS work
Change-Id: I48818225393a6fc0db0c30bc79ad9787de608361
Reviewed-on: https://chromium-review.googlesource.com/437627
Commit-Ready: Nick Sanders <nsanders@chromium.org>
Tested-by: Nick Sanders <nsanders@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
When releasing the PINMUX hold, some of the output levels may change.
Therefore, it's probably best to let those outputs stabilize before
letting the EC out of reset and sample them.
BUG=b:36659750
BRANCH=master,cr50
TEST=Flash Cr50. Verify that WP_L is stable before EC is released from
reset.
Change-Id: Ie2967c5e97f28240e1724b4531655c5dd08a3f29
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Reviewed-on: https://chromium-review.googlesource.com/464257
Commit-Ready: Aseda Aboagye <aaboagye@chromium.org>
Tested-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
With the rest of support in place, this patch adds code which would
corrupt the headers received during firmware updates.
The VENDOR_CC_TURN_UPDATE_ON vendor command will be required to enable
the new images.
Care should be taken that other commands operating on the inactive
image header do not do anything with it before it was enabled, some
code is being added for that.
The minor RW version is being bumped up to 19 to clearly indicate that
the device is expecting the vendor command to enable the new image
(this is used by usb_updater when downloading the image without the -p
or -u command line options).
BRANCH=cr50
BUG=b:35580805
TEST=verified that the new image can be installed and started by the
new usb_updater.
- the inactive header after uploading with the -p option (the
image_size field's offset is 0x32c):
> md 0x84320 4
00084320: 00000000 00000000 80033800 00084000
rebooting the device does not start the new image.
- the inactive header after uploading without the -p option:
> md 0x84320 4
00084320: 00000000 00000000 00033800 00084000
the device running a DBG image reports the following in the end of
the image update:
[64.176780 FW update: done]
turn_update_on: rebooting in 100 ms
Change-Id: I4d763eb89c8b1a43a13697033201066779826e85
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/457678
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
The upcoming move of the Cr50 firmware update to the background
requires postponing the activation of the newly uploaded Cr50 image to
a later point in time, when the AP is ready to switch to start using
the new Cr50 image.
The suggested way of achieving it is as follows: when downloading the
new image, the current Cr50 code modifies the header's 'image_size'
field, setting its top bit to 1. This both makes the size invalid and
guarantees that the new image would not verify on the following Cr50
restarts.
When the AP is ready to switch to running the new Cr50 image, it will
send a vendor command, which would trigger the currently running Cr50
image to restore the other image's size field. This vendor command
would also communicate the timeout for the Cr50 to wait before
rebooting, if there has been at least one header (ro or rw) restored.
Rebooting the Cr50 would trigger rebooting the AP, resulting in the
entire system running the updated firmware.
Response sent to the AP will indicate if there has been a header
restored and the reboot is indeed upcoming, this would allow the AP to
quiesce the state of the device to handle the reboot gracefully.
BRANCH=cr50
BUG=b:35580805
TEST=with the rest of the patches applied observed the system properly
after the new header version was restored.
Change-Id: Ia1edee67b6aa8f458810d5dc2931477cfaab1566
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/457676
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
For the upcoming header restore vendor command implementation there is
a need to allow rw access to the alternative RO area.
A static function for this is available in upgrade_fw.c, let's make it
available to other users.
BRANCH=cr50
BUG=b:35580805
TEST=verified that it is still possible to update the RO.
Change-Id: I879804ff180c5d00cf6860ce5669f2fe48731832
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/457501
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Let's split the usb headers in 3 different parts, instead of having
usb_descriptor.h pull in usb_hw.h and usb_api.h.
- usb_api.h: EC functions related to usb (e.g. connect/disconnect)
- usb_descriptor.h: common USB names and structures
- usb_hw.h: Functions required for interactive with EC's USB HW
BRANCH=none
BUG=b:35587171
TEST=make buildall -j
Change-Id: I37ead61e3be5e7ae464f1c9137cf02eaab0ff92e
Reviewed-on: https://chromium-review.googlesource.com/454861
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
Master chip/g FW still needs to support deprecated RO, so re-add support
for the old version_struct. This CL can be reverted once we no longer
need to support deprecated RO on master.
BUG=chromium:698881,chromium:698882
TEST=Flash old FW (f51fdf2) to RW_B slot and updated FW to RW_A. Verify
cr50 boots into RW_A, and "version" on the console prints RW_B version,
not "Error".
BRANCH=None
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Change-Id: I3c255afcd12da5694ca128960de8d2abe41686dc
Reviewed-on: https://chromium-review.googlesource.com/450860
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Store our image size (known at build time) in our version struct (now
renamed to image_data). This will allow us to more efficiently determine
the size of an image in a follow-up CL.
Note that compatibility is broken for old ROs that do not include this
CL.
BUG=chromium:577915
TEST=Verify on kevin + lars + lars_pd that stored image size matches
output of system_get_image_used() for both RO and RW images.
BRANCH=None
Change-Id: I7b8dc3ac8cf2df3184d0701a0e0ec8032de8d81b
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/450858
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
The SPI initialization interrupt needs to be generated only when there
was actual data received while CS was asserted and after transaction
finished (i.e. CS is de-asserted).
BRANCH=cr50
BUG=b:35774896
TEST=verified on a bob with updated AP firmware
Change-Id: Ifc4b11870d511d47e9607a2001d845ee1e153f7f
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/452792
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
This command is handy in debug images when rollback protection needs
to be reset.
Manufacturing data stored in the last quarter of the INFO1 space is
preserved across the erase session.
BRANCH=cr50
BUG=b:35774863
TEST=built a non-debug image with the first map location in the
manifest set to zero, booted the new image. Then built and booted
a debug image with this patch included. Using sysinfo command
verified that the info map has one location zeroed, then ran
eraseflashinfo command and checked sysinfo output again. The info
map shows no more zeroed locations, and tpm still reports statues
as "manufacutred"
Change-Id: I58e2a6f6371b6ce656c1d6cc373dfdc6f9d9f5be
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/450906
Reviewed-by: Marius Schilder <mschilder@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
