We had been putting the NVMEM flash where the boot rom would
expect to find RO_B, preventing us from ever being able to update
the bootloader.
With this CL, we're rearranging the flash to support both RO_A
and RO_B. The current flash layout now looks like this:
0x40000 RO_A
0x44000 RW_A
0x7c000 TOP_A
0x80000 RO_B
0x84000 RW_B
0xbc000 NVMEM
0xbffff <end of flash>
BUG=chrome-os-partner:44803
BRANCH=none
TEST=make buildall, also manual tests on Cr50 boards
First, check that our current process still works:
make BOARD=cr50 CR50_RO_KEY=cr50_rom0-dev-blsign.pem.pub
spiflash -i -v build/cr50/ec.hex
Yep, it does, but that only produces RO_A, not RO_B.
To test the dual RO behavior, I used prebuilt RO_A and RO_B blobs
for the bootloaders, signed using Marius' new scheme.
Build the unsigned image, then sign it using Vadim's scripts:
make BOARD=cr50 -j30
~/bin/bs hex
We'll garble various bits of the full image to invalidate each of
the four RO/RW/A/B parts.
Find lines common to both ROs and common to both RWs:
sort B1*.hex | uniq -c | grep ' 2 ' | \
awk '{print $2}' | sort > tmp.ro2
sort build/cr50/RW/ec.RW*.signed.hex | uniq -c | grep ' 2 ' | \
awk '{print $2}' | sort > tmp.rw2
ro=$(diff tmp.ro2 tmp.rw2 | grep '<' | head -1 | awk '{print $2}')
rw=$(diff tmp.ro2 tmp.rw2 | grep '>' | head -1 | awk '{print $2}')
Double-check to be sure we don't have any false matches:
grep -l $ro build/cr50/RW/ec.RW*.signed.hex B1_*.hex
grep -l $rw build/cr50/RW/ec.RW*.signed.hex B1_*.hex
The pre-signed RO_A image is older than RO_B, but both have the
same epoch/major/minor, which is all that the bootrom checks for.
It doesn't look at the timestamp.
The RW_A is older than RW_B because of the sequential signing
process. The RO bootloaders will check their timestamp, so RW_B
should be preferred.
RO_A RO_B RW_A RW_B
good good good good
cat build/cr50/RW/ec.RW*.signed.hex B1_*.hex > foo.hex
spiflash -v -i foo.hex
jump @00040400
jump @00084000
=> boots RO_A -> RW_B
RO_A RO_B RW_A RW_B
good good good bad
cat build/cr50/RW/ec.RW*.signed.hex B1_*.hex > foo.hex
ln=$(grep -n $rw foo.hex | awk -F: 'NR==2 {print $1}')
sed -i "${ln}d" foo.hex
spiflash -v -i foo.hex
jump @00040400
jump @00044000
=> boots RO_A -> RW_A
RO_A RO_B RW_A RW_B
bad good good good
cat build/cr50/RW/ec.RW*.signed.hex B1_*.hex > foo.hex
ln=$(grep -n $ro foo.hex | awk -F: 'NR==1 {print $1}')
sed -i "${ln}d" foo.hex
spiflash -v -i foo.hex
jump @00080400
jump @00084000
=> boots RO_B -> RW_B
RO_A RO_B RW_A RW_B
bad good good bad
cat build/cr50/RW/ec.RW*.signed.hex B1_*.hex > foo.hex
ln=$(grep -n $ro foo.hex | awk -F: 'NR==1 {print $1}')
sed -i "${ln}d" foo.hex
ln=$(grep -n $rw foo.hex | awk -F: 'NR==2 {print $1}')
sed -i "${ln}d" foo.hex
spiflash -v -i foo.hex
jump @00080400
jump @00044000
=> boots RO_B -> RW_A
Yay.
Now make sure RW_A and RW_B can be updated using usb_updater.
\rm -rf build
make BOARD=cr50 -j30
~/bin/bs
./extra/usb_updater/usb_updater build/cr50/ec.bin
I'm running RW_A, it updates and reboots into RW_B. Good.
reboot 5 times, and it reverts to RW_A.
Power cycle and it goes to RW_B again.
Update to RW_A.
\rm -rf build
make BOARD=cr50 -j30
~/bin/bs
./extra/usb_updater/usb_updater build/cr50/ec.bin
I'm running RW_B, it updates and reboots into RW_A. Good.
reboot 5 times, and it reverts to RW_B.
Power cycle and it goes to RW_A again.
Cool.
Change-Id: I6c1689920de06c72c69f58ad2ef1059d9ee0d75f
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/362521
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
/* Copyright 2015 The Chromium OS Authors. All rights reserved.
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
#include "common.h"
#include "debug_printf.h"
#include "printf.h"
#include "registers.h"
#include "setup.h"
#include "signed_header.h"
#include "system.h"
#include "trng.h"
#include "uart.h"
/*
 * This file is a proof of concept stub which will be extended and split into
 * appropriate pieces shortly, when full blown support for cr50 bootrom is
 * introduced.
 */
/*
 * Defined with external linkage but never read or written in this file.
 * NOTE(review): presumably present only so that shared code referencing
 * sleep_mask links into the loader -- confirm.
 */
uint32_t sleep_mask;
/*
 * Stub clock for the loader: always reports a timestamp whose val is 0.
 *
 * Nothing in this file keeps time, so any caller that uses get_time() for
 * a delay or timeout sees a clock that never advances.
 */
timestamp_t get_time(void)
{
	timestamp_t zero = { .val = 0 };

	return zero;
}
/*
 * Emit one character on the UART, blocking until the transmitter accepts it.
 *
 * A '\n' is sent as "\r\n". The signature matches the output callback that
 * vfnprintf() is given in panic_printf(); context is not used here.
 *
 * Always returns 0.
 *
 * The wait on uart_tx_ready() has no timeout: if the transmitter never
 * reports ready, this spins forever.
 */
static int panic_txchar(void *context, int c)
{
	(void)context;

	if (c == '\n') {
		/* Carriage return goes out ahead of the line feed. */
		while (!uart_tx_ready())
			continue;
		uart_write_char('\r');
	}

	/* Spin until there is room in the transmit FIFO. */
	while (!uart_tx_ready())
		continue;

	/* Hand the character straight to the transmit FIFO. */
	uart_write_char(c);

	return 0;
}
/*
 * Write a NUL-terminated string to the UART, one character at a time,
 * through panic_txchar() (so every '\n' goes out as "\r\n").
 *
 * outstr must be a valid, terminated string: it is dereferenced without a
 * NULL check and scanned until the first '\0'.
 */
void panic_puts(const char *outstr)
{
	const char *cursor;

	for (cursor = outstr; *cursor != '\0'; cursor++)
		panic_txchar(NULL, *cursor);
}
/*
 * printf-style output to the UART: the arguments are formatted by
 * vfnprintf(), which calls panic_txchar() for each character it produces.
 *
 * format is interpreted as a format string, so callers should pass a
 * literal (or otherwise trusted) string and route any variable text
 * through a "%s" argument instead.
 */
void panic_printf(const char *format, ...)
{
	va_list ap;

	va_start(ap, format);
	vfnprintf(panic_txchar, NULL, format, ap);
	va_end(ap);
}
/*
 * Order two image headers by version.
 *
 * The fields are compared in priority order: epoch_, major_, minor_, then
 * timestamp_. The first field that differs decides the result.
 *
 * Returns 1 if a is newer than b or if all four fields are equal (ties go
 * to a), 0 if b is newer.
 *
 * This only orders the headers; it does not validate either of them. The
 * fields are used exactly as read, so an erased or corrupted header can
 * compare as "newer". The caller must still verify whichever image it picks
 * before running it.
 * NOTE(review): tryLaunch() is presumably where that verification happens --
 * confirm.
 */
int is_newer_than(const struct SignedHeader *a, const struct SignedHeader *b)
{
	if (a->epoch_ > b->epoch_)
		return 1;
	if (a->epoch_ < b->epoch_)
		return 0;

	if (a->major_ > b->major_)
		return 1;
	if (a->major_ < b->major_)
		return 0;

	if (a->minor_ > b->minor_)
		return 1;
	if (a->minor_ < b->minor_)
		return 0;

	/* Same epoch/major/minor: b wins only with a strictly later timestamp. */
	return !(a->timestamp_ < b->timestamp_);
}
/*
 * Loader entry point: pick which of the two RW images to try first, attempt
 * to launch it, and fall back to the other one if that attempt returns.
 *
 * Selection:
 *   1. The bank whose header is_newer_than() ranks higher is tried first;
 *      bank A wins a tie.
 *   2. If PWRDN_SCRATCH30 holds 0xcafebabe, the register is cleared and the
 *      order is reversed for this boot only.
 *
 * The ordering is decided from header fields read directly out of flash.
 * NOTE(review): nothing in this function validates those headers; whether an
 * image is acceptable is left entirely to tryLaunch(), which is defined
 * elsewhere and is presumably where signature verification happens -- confirm.
 *
 * If both launch attempts return, the loader halts. The return value is only
 * reached if halt() itself returns.
 */
int main(void)
{
	const struct SignedHeader *rw_a, *rw_b, *preferred, *fallback;
	int a_wins;

	init_trng();
	uart_init();
	debug_printf("\n\n%s bootloader, %8u_%u@%u\n",
		     STRINGIFY(BOARD), GREG32(SWDP, BUILD_DATE),
		     GREG32(SWDP, BUILD_TIME), GREG32(SWDP, P4_LAST_SYNC));
	unlockFlashForRW();

	rw_a = (const struct SignedHeader *)(CONFIG_PROGRAM_MEMORY_BASE +
					     CONFIG_RW_MEM_OFF);
	rw_b = (const struct SignedHeader *)(CONFIG_PROGRAM_MEMORY_BASE +
					     CONFIG_RW_B_MEM_OFF);

	/*
	 * Default to trying the newer image first; bank A is used when the
	 * two versions compare equal.
	 */
	a_wins = is_newer_than(rw_a, rw_b);
	preferred = a_wins ? rw_a : rw_b;
	fallback = a_wins ? rw_b : rw_a;

	if (GREG32(PMU, PWRDN_SCRATCH30) == 0xcafebabe) {
		/*
		 * One-shot override: the magic value reverses the order, so
		 * the bank that would have been the fallback is tried first.
		 * The register is cleared as soon as it is seen, so the
		 * override applies to this boot only.
		 *
		 * NOTE(review): whatever is able to write this register can
		 * make the lower-ranked image run first -- confirm which
		 * code is expected to set it.
		 */
		const struct SignedHeader *swap = preferred;

		debug_printf("PWRDN_SCRATCH30 set to magic value\n");
		GREG32(PMU, PWRDN_SCRATCH30) = 0x0;
		preferred = fallback;
		fallback = swap;
	}

	/* Control only comes back here if the launch did not happen. */
	tryLaunch((uint32_t)preferred, CONFIG_RW_SIZE);
	debug_printf("Failed to launch.\n");
	debug_printf("Attempting to load the alternate image.\n");
	tryLaunch((uint32_t)fallback, CONFIG_RW_SIZE);
	debug_printf("No valid image found, not sure what to do...\n");

	/* TODO: Some applications might want to reboot instead. */
	halt();

	return 1;
}
/*
 * Announce the reboot on the UART, then reset the system by calling
 * system_reset() with no flags set.
 */
void panic_reboot(void)
{
	static const char notice[] = "\n\nRebooting...\n";

	panic_puts(notice);
	system_reset(0);
}
/*
 * Mask interrupts by executing the ARM "cpsid i" instruction.
 *
 * NOTE(review): the asm statement declares no "memory" clobber, so it should
 * not be relied on as a compiler barrier -- confirm no caller needs one.
 */
void interrupt_disable(void)
{
	__asm__ volatile("cpsid i");
}