mirror of
https://github.com/Telecominfraproject/OpenCellular.git
synced 2026-01-13 03:15:06 +00:00
ff4d22819a
This allows hashing or dumping SPI flash from the Cr50 console even on a locked device, so you can verify the RO Firmware on a system via CCD. See design doc: go/verify-ro-firmware (more specifically, "Cr50 console commands for option 1") BUG=chromium:804507 BRANCH=cr50 release (after testing) TEST=manual: # Sample sequence spihash ap -> requires physical presence; tap power button spihash 0 1024 -> gives a hash; compare with first 1KB of image.bin spihash 0 128 dump -> dumps first 128 bytes; compare with image.bin spihash 128 128 -> offset works spihash 0 0x100000 -> gives a hash; doesn't watchdog reset spihdev ec spihash 0 1024 -> compare with ec.bin spihash disable # Test timeout spihash ap # Wait 30 seconds spihash 0 1024 -> still works # Wait 60 seconds; goes back disabled automatically spihash 0 1024 -> fails because spihash is disabled # Presence not required when CCD opened ccd open spihash ap -> no PP required spihash 0 1024 -> works spihash disable # Possible for owner to disable via CCD config ccd -> HashFlash is "Always" ccd set HashFlash IfOpened ccd lock spihash ap -> access denied # Cleanup ccd open ccd reset ccd lock Change-Id: I27b5054730dea6b27fbad1b1c4aa0a650e3b4f99 Signed-off-by: Randall Spangler <rspangler@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/889725 Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
209 lines
5.1 KiB
C
209 lines
5.1 KiB
C
/* Copyright 2017 The Chromium OS Authors. All rights reserved.
|
|
* Use of this source code is governed by a BSD-style license that can be
|
|
* found in the LICENSE file.
|
|
*
|
|
* Case Closed Debugging configuration
|
|
*/
|
|
#ifndef __CROS_EC_CCD_CONFIG_H
|
|
#define __CROS_EC_CCD_CONFIG_H
|
|
|
|
/* Case-closed debugging state */
|
|
enum ccd_state {
|
|
CCD_STATE_LOCKED = 0,
|
|
CCD_STATE_UNLOCKED,
|
|
CCD_STATE_OPENED,
|
|
|
|
/* Number of CCD states */
|
|
CCD_STATE_COUNT
|
|
};
|
|
|
|
/* Flags */
|
|
enum ccd_flag {
|
|
/* Flags that can only be set internally; fill from bottom up */
|
|
|
|
/*
|
|
* Test lab mode is enabled. This MUST be in the first byte so that
|
|
* it's in a constant position across all versions of CCD config.
|
|
*
|
|
* Note: This is used internally by CCD config. Do NOT test this
|
|
* to control other things; use capabilities for those.
|
|
*/
|
|
CCD_FLAG_TEST_LAB = (1 << 0),
|
|
|
|
/*
|
|
* What state were we in when the password was set?
|
|
* (0=opened, 1=unlocked)
|
|
*/
|
|
CCD_FLAG_PASSWORD_SET_WHEN_UNLOCKED = (1 << 1),
|
|
|
|
/* (flags in the middle are unused) */
|
|
|
|
/* Flags that can be set via ccd_set_flags(); fill from top down */
|
|
|
|
/* Override write protect at boot */
|
|
CCD_FLAG_OVERRIDE_WP_AT_BOOT = (1 << 22),
|
|
|
|
/*
|
|
* If overriding WP at boot, set it to what value
|
|
* (0=disabled, 1=enabled)
|
|
*/
|
|
CCD_FLAG_OVERRIDE_WP_STATE_ENABLED = (1 << 23),
|
|
};
|
|
|
|
/* Capabilities */
|
|
enum ccd_capability {
|
|
/* UARTs to/from AP and EC */
|
|
CCD_CAP_GSC_RX_AP_TX = 0,
|
|
CCD_CAP_GSC_TX_AP_RX = 1,
|
|
CCD_CAP_GSC_RX_EC_TX = 2,
|
|
CCD_CAP_GSC_TX_EC_RX = 3,
|
|
|
|
/* Access to AP SPI flash */
|
|
CCD_CAP_AP_FLASH = 4,
|
|
|
|
/* Access to EC flash (SPI or internal) */
|
|
CCD_CAP_EC_FLASH = 5,
|
|
|
|
/* Override WP temporarily or at boot */
|
|
CCD_CAP_OVERRIDE_WP = 6,
|
|
|
|
/* Reboot EC or AP */
|
|
CCD_CAP_REBOOT_EC_AP = 7,
|
|
|
|
/* GSC restricted console commands */
|
|
CCD_CAP_GSC_RESTRICTED_CONSOLE = 8,
|
|
|
|
/* Allow ccd-unlock or ccd-open without AP reboot */
|
|
CCD_CAP_UNLOCK_WITHOUT_AP_REBOOT = 9,
|
|
|
|
/* Allow ccd-unlock or ccd-open without short physical presence */
|
|
CCD_CAP_UNLOCK_WITHOUT_SHORT_PP = 10,
|
|
|
|
/* Allow ccd-open without wiping TPM data */
|
|
CCD_CAP_OPEN_WITHOUT_TPM_WIPE = 11,
|
|
|
|
/* Allow ccd-open without long physical presence */
|
|
CCD_CAP_OPEN_WITHOUT_LONG_PP = 12,
|
|
|
|
/* Allow removing the battery to bypass physical presence requirement */
|
|
CCD_CAP_REMOVE_BATTERY_BYPASSES_PP = 13,
|
|
|
|
/* Allow GSC firmware update without wiping TPM data */
|
|
CCD_CAP_GSC_FW_UPDATE_WITHOUT_TPM_WIPE = 14,
|
|
|
|
/* Access to I2C via USB */
|
|
CCD_CAP_I2C = 15,
|
|
|
|
/* Read-only access to hash or dump EC or AP flash */
|
|
CCD_CAP_FLASH_READ = 16,
|
|
|
|
/* Number of currently defined capabilities */
|
|
CCD_CAP_COUNT
|
|
};
|
|
|
|
/*
|
|
* Subcommand code, used to pass different CCD commands using the same TPM
|
|
* vendor command.
|
|
*/
|
|
enum ccd_vendor_subcommands {
|
|
CCDV_PASSWORD = 0,
|
|
CCDV_OPEN = 1,
|
|
CCDV_UNLOCK = 2,
|
|
CCDV_LOCK = 3,
|
|
CCDV_PP_POLL_UNLOCK = 4,
|
|
CCDV_PP_POLL_OPEN = 5,
|
|
};
|
|
|
|
enum ccd_pp_state {
|
|
CCD_PP_CLOSED = 0,
|
|
CCD_PP_AWAITING_PRESS = 1,
|
|
CCD_PP_BETWEEN_PRESSES = 2,
|
|
CCD_PP_DONE = 3
|
|
};
|
|
|
|
/**
|
|
* Initialize CCD configuration at boot.
|
|
*
|
|
* This must be called before any command which gets/sets the configuration.
|
|
*
|
|
* @param state Initial case-closed debugging state. This should be
|
|
* CCD_STATE_LOCKED unless this is a debug build, or if
|
|
* a previous value is being restored after a low-power
|
|
* resume.
|
|
*/
|
|
void ccd_config_init(enum ccd_state state);
|
|
|
|
/**
|
|
* Get a single CCD flag.
|
|
*
|
|
* @param flag Flag to get
|
|
* @return 1 if flag is set, 0 if flag is clear
|
|
*/
|
|
int ccd_get_flag(enum ccd_flag flag);
|
|
|
|
/**
|
|
* Set a single CCD flag.
|
|
*
|
|
* @param flag Flag to set
|
|
* @param value New value for flag (0=clear, non-zero=set)
|
|
* @return EC_SUCCESS or non-zero error code.
|
|
*/
|
|
int ccd_set_flag(enum ccd_flag flag, int value);
|
|
|
|
/**
|
|
* Check if a CCD capability is enabled in the current CCD mode.
|
|
*
|
|
* @param cap Capability to check
|
|
* @return 1 if capability is enabled, 0 if disabled
|
|
*/
|
|
int ccd_is_cap_enabled(enum ccd_capability cap);
|
|
|
|
/**
|
|
* Get the current CCD state.
|
|
*
|
|
* This is intended for use by the board if it needs to back up the CCD state
|
|
* across low-power states and then restore it when calling ccd_config_init().
|
|
* Do NOT use this to gate debug capabilities; use ccd_is_cap_enabled() or
|
|
* ccd_get_flag() instead.
|
|
*
|
|
* @return The current CCD state.
|
|
*/
|
|
enum ccd_state ccd_get_state(void);
|
|
|
|
/**
|
|
* Force CCD disabled.
|
|
*
|
|
* This should be called if security checks fail and for some reason the board
|
|
* can't immediately reboot. It locks CCD and disables all CCD capabilities
|
|
* until reboot.
|
|
*/
|
|
void ccd_disable(void);
|
|
|
|
/* Flags for ccd_reset_config() */
|
|
enum ccd_reset_config_flags {
|
|
/* Also reset test lab flag */
|
|
CCD_RESET_TEST_LAB = (1 << 0),
|
|
|
|
/* Only reset Always/UnlessLocked settings */
|
|
CCD_RESET_UNLOCKED_ONLY = (1 << 1),
|
|
|
|
/* Use RMA/factory defaults */
|
|
CCD_RESET_RMA = (1 << 2)
|
|
};
|
|
|
|
/**
|
|
* Reset CCD config to the desired state.
|
|
*
|
|
* @param flags Reset flags (see enum ccd_reset_config_flags)
|
|
* @return EC_SUCCESS, or non-zero if error.
|
|
*/
|
|
int ccd_reset_config(unsigned int flags);
|
|
|
|
/**
|
|
* Inform CCD about TPM reset so that the password management state machine
|
|
* can be restarted.
|
|
*/
|
|
void ccd_tpm_reset_callback(void);
|
|
|
|
#endif /* __CROS_EC_CCD_CONFIG_H */
|