mirror of
https://github.com/Telecominfraproject/OpenCellular.git
synced 2026-01-09 00:51:29 +00:00
dc66986d0a
The upcoming move of the Cr50 firmware update to the background
requires postponing the activation of the newly uploaded Cr50 image to
a later point in time, when the AP is ready to switch to start using
the new Cr50 image.
The suggested way of achieving it is as follows: when downloading the
new image, the current Cr50 code modifies the header's 'image_size'
field, setting its top bit to 1. This both makes the size invalid and
guarantees that the new image would not verify on the following Cr50
restarts.
When the AP is ready to switch to running the new Cr50 image, it will
send a vendor command, which would trigger the currently running Cr50
image to restore the other image's size field. This vendor command
would also communicate the timeout for the Cr50 to wait before
rebooting, if there has been at least one header (ro or rw) restored.
Rebooting the Cr50 would trigger rebooting the AP, resulting in the
entire system running the updated firmware.
Response sent to the AP will indicate if there has been a header
restored and the reboot is indeed upcoming, this would allow the AP to
quiesce the state of the device to handle the reboot gracefully.
BRANCH=cr50
BUG=b:35580805
TEST=with the rest of the patches applied observed the system properly
after the new header version was restored.
Change-Id: Ia1edee67b6aa8f458810d5dc2931477cfaab1566
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/457676
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
56 lines
2.1 KiB
C
56 lines
2.1 KiB
C
/* Copyright 2015 The Chromium OS Authors. All rights reserved.
|
|
* Use of this source code is governed by a BSD-style license that can be
|
|
* found in the LICENSE file.
|
|
*/
|
|
#ifndef __CROS_EC_SIGNED_HEADER_H
|
|
#define __CROS_EC_SIGNED_HEADER_H
|
|
|
|
#include "compile_time_macros.h"
|
|
|
|
#define FUSE_PADDING 0x55555555 /* baked in hw! */
|
|
#define FUSE_IGNORE 0xa3badaac /* baked in rom! */
|
|
#define FUSE_MAX 128 /* baked in rom! */
|
|
|
|
#define INFO_MAX 128 /* baked in rom! */
|
|
#define INFO_IGNORE 0xaa3c55c3 /* baked in rom! */
|
|
|
|
struct SignedHeader {
|
|
uint32_t magic; /* -1 (thanks, boot_sys!) */
|
|
uint32_t signature[96];
|
|
uint32_t img_chk_; /* top 32 bit of expected img_hash */
|
|
/* --------------------- everything below is part of img_hash */
|
|
uint32_t tag[7]; /* words 0-6 of RWR/FWR */
|
|
uint32_t keyid; /* word 7 of RWR */
|
|
uint32_t key[96]; /* public key to verify signature with */
|
|
uint32_t image_size;
|
|
uint32_t ro_base; /* readonly region */
|
|
uint32_t ro_max;
|
|
uint32_t rx_base; /* executable region */
|
|
uint32_t rx_max;
|
|
uint32_t fusemap[FUSE_MAX / (8 * sizeof(uint32_t))];
|
|
uint32_t infomap[INFO_MAX / (8 * sizeof(uint32_t))];
|
|
uint32_t epoch_; /* word 7 of FWR */
|
|
uint32_t major_; /* keyladder count */
|
|
uint32_t minor_;
|
|
uint64_t timestamp_; /* time of signing */
|
|
uint32_t p4cl_;
|
|
/* bits to and with FUSE_FW_DEFINED_BROM_APPLYSEC */
|
|
uint32_t applysec_;
|
|
/* bits to mesh with FUSE_FW_DEFINED_BROM_CONFIG1 */
|
|
uint32_t config1_;
|
|
/* bits to or with FUSE_FW_DEFINED_BROM_ERR_RESPONSE */
|
|
uint32_t err_response_;
|
|
/* action to take when expectation is violated */
|
|
uint32_t expect_response_;
|
|
uint32_t _pad[256 - 1 - 96 - 1 - 7 - 1 - 96 -
|
|
5*1 - 4 - 4 - 9*1 - 2 - 1];
|
|
uint32_t fuses_chk_; /* top 32 bit of expected fuses hash */
|
|
uint32_t info_chk_; /* top 32 bit of expected info hash */
|
|
};
|
|
|
|
BUILD_ASSERT(sizeof(struct SignedHeader) == 1024);
|
|
BUILD_ASSERT(offsetof(struct SignedHeader, info_chk_) == 1020);
|
|
#define TOP_IMAGE_SIZE_BIT (1 << \
|
|
(sizeof(((struct SignedHeader *)0)->image_size) * 8 - 1))
|
|
#endif /* __CROS_EC_SIGNED_HEADER_H */
|