authorMary Ruthven <mruthven@chromium.org>2022-07-28 09:42:48 -0500
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2022-08-25 02:45:15 +0000
commit07ba1c6481737c5a6f03ab5ad08c3334f3c9e1fd (patch)
tree6ecea43ba8c7c0a8ffcb5688101041dcbd9b9032
parentf096d17cf44eacb27f9ad6d06684465d87da9379 (diff)
downloadchrome-ec-07ba1c6481737c5a6f03ab5ad08c3334f3c9e1fd.tar.gz
apro: clear AP_RO_FAIL on combo0
There are a couple of known issues saving the AP RO verification hash in cr50, so it's possible AP RO verification will fail even if the AP RO is ok. Add support for releasing the EC from reset with PWRB + refresh after AP RO verification fails. This just makes it easier to recover the device. If the device is released from reset, the status is set to AP_RO_FAIL_CLEARED and an APROF_FAIL_CLEARED flog event is logged. This only releases EC reset if the device failed AP RO verification. Any other verification status won't get cleared by the key combo. BUG=b:240530668 TEST=trigger verification on a device with a bad hash. Verify the EC is held in reset until PWRB + refresh is pressed. make -C extra/usb_updater gsctool Change-Id: I03a02501e7c91a41374816d82f48a5289f289c39 Signed-off-by: Mary Ruthven <mruthven@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3805820 Reviewed-by: Andrey Pronin <apronin@chromium.org>
-rw-r--r--board/cr50/board.c5
-rw-r--r--common/ap_ro_integrity_check.c17
-rw-r--r--include/ap_ro_integrity_check.h6
-rw-r--r--include/flash_log.h1
4 files changed, 28 insertions, 1 deletions
diff --git a/board/cr50/board.c b/board/cr50/board.c
index bc19800758..2ddc4ae2dd 100644
--- a/board/cr50/board.c
+++ b/board/cr50/board.c
@@ -2,6 +2,7 @@
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
+#include "ap_ro_integrity_check.h"
#include "board_id.h"
#include "ccd_config.h"
#include "clock.h"
@@ -1240,6 +1241,10 @@ static void key_combo0_irq(void)
hook_call_deferred(&board_reboot_ec_data, 0);
}
+#ifdef CONFIG_AP_RO_VERIFICATION
+ ap_ro_clear_ec_rst_override();
+#endif
+
CPRINTS("Recovery Requested");
}
DECLARE_IRQ(GC_IRQNUM_RBOX0_INTR_BUTTON_COMBO0_RDY_INT, key_combo0_irq, 0);
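Review bot: `ap_ro_clear_ec_rst_override()` is called directly from the combo0 interrupt handler, whereas the EC reboot just above it is handed off with `hook_call_deferred(&board_reboot_ec_data, 0)`. As added in common/ap_ro_integrity_check.c, the callee releases the EC reset override and writes a flash log entry through `ap_ro_add_flash_event()`, and nothing visible on this page shows that a flash log write is safe in interrupt context. If it is not, a deferred wrapper would keep the handler short: `DECLARE_DEFERRED(ap_ro_clear_ec_rst_override);` in the implementation file and `hook_call_deferred(&ap_ro_clear_ec_rst_override_data, 0);` here. The body of key_combo0_irq starts outside this hunk, so any filtering done earlier in the handler cannot be seen from here.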
diff --git a/common/ap_ro_integrity_check.c b/common/ap_ro_integrity_check.c
index 44d7145b4f..c08faa3eeb 100644
--- a/common/ap_ro_integrity_check.c
+++ b/common/ap_ro_integrity_check.c
@@ -325,6 +325,8 @@ static const struct ap_ro_check *p_chk =
* reset.
*/
static enum ap_ro_status apro_result = AP_RO_NOT_RUN;
+static uint8_t apro_fail_status_cleared;
+
/*
* In dev signed Cr50 images this is the hash of
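Review bot: `apro_fail_status_cleared` is added without a comment, although it is set from the key-combo interrupt path, read by `ec_rst_override()`, and reset in two further places (ap_ro_device_reset and do_ap_ro_check). I would document its lifecycle at the definition, e.g. `/* Set when a failed AP RO verification was overridden by the key combo; reset when verification reruns or on device reset. */`. Since the file already uses `bool` (`v1_record_found` in do_ap_ro_check), `static bool apro_fail_status_cleared;` would state the intent more clearly than `uint8_t`.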
@@ -501,6 +503,7 @@ void ap_ro_device_reset(void)
ec_rst_override())
return;
CPRINTS("%s: clear apro result", __func__);
+ apro_fail_status_cleared = 0;
apro_result = AP_RO_NOT_RUN;
}
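Review bot: With the new definition of `ec_rst_override()`, the early return at the top of this hunk no longer fires once a failure has been cleared by the key combo, so the function goes on to set `apro_result = AP_RO_NOT_RUN`. The failed verdict is then dropped from RAM on the next device reset, leaving the `APROF_FAIL_CLEARED` flash log entry as the only record that the device ran past a failed check. If that is intended, a comment should say so, e.g. `/* A cleared failure is not sticky: the result is dropped on the next reset. */`; if the failure should stay reportable, the guard could test `apro_result == AP_RO_FAIL` rather than call `ec_rst_override()`. The start of the `if` condition lies outside the hunk, so its first operand may change this reading.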
@@ -1408,9 +1411,20 @@ static void release_ec_reset_override(void)
enable_sleep(SLEEP_MASK_AP_RO_VERIFICATION);
}
+/* Only call this through a key combo. */
+void ap_ro_clear_ec_rst_override(void)
+{
+ if (!ec_rst_override())
+ return;
+ apro_fail_status_cleared = 1;
+ release_ec_reset_override();
+ ap_ro_add_flash_event(APROF_FAIL_CLEARED);
+ CPRINTS("%s: done", __func__);
+}
+
int ec_rst_override(void)
{
- return apro_result == AP_RO_FAIL;
+ return !apro_fail_status_cleared && apro_result == AP_RO_FAIL;
}
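Review bot: The comment `/* Only call this through a key combo. */` gives the rule but not the reason, and nothing in `ap_ro_clear_ec_rst_override()` enforces it. The key combo appears to be the only evidence of physical presence for overriding a failed AP RO verification, so a later caller on a console or host command path would make the EC reset hold removable from software. I would expand the comment accordingly, e.g. `/* Overrides a failed AP RO verification. Relies on physical presence: call only from the key combo handler, never from console or host commands. */`.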
@@ -1421,6 +1435,7 @@ static uint8_t do_ap_ro_check(void)
bool v1_record_found;
apro_result = AP_RO_IN_PROGRESS;
+ apro_fail_status_cleared = 0;
support_status = ap_ro_check_unsupported(true);
if ((support_status == ARCVE_BOARD_ID_BLOCKED) ||
(support_status == ARCVE_FLASH_READ_FAILED)) {
diff --git a/include/ap_ro_integrity_check.h b/include/ap_ro_integrity_check.h
index cb01017dcc..dbc6644d47 100644
--- a/include/ap_ro_integrity_check.h
+++ b/include/ap_ro_integrity_check.h
@@ -41,4 +41,10 @@ int ap_ro_board_id_blocked(void);
*/
void ap_ro_device_reset(void);
+/*
+ * Clear the AP RO result and release the EC from reset. This should only be
+ * done through a key combo.
+ */
+void ap_ro_clear_ec_rst_override(void);
+
#endif /* ! __CR50_INCLUDE_AP_RO_INTEGRITY_CHECK_H */
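Review bot: The header comment says the function will "Clear the AP RO result", but the implementation in common/ap_ro_integrity_check.c leaves `apro_result` untouched and only sets `apro_fail_status_cleared` before releasing the EC reset override. It also does nothing unless `ec_rst_override()` is true, which the comment does not mention. Suggested wording: `/* If AP RO verification failed, mark the failure as cleared, release the EC from reset and log APROF_FAIL_CLEARED; no-op for any other status. */`, followed by the existing key-combo restriction. The `AP_RO_FAIL_CLEARED` status named in the commit description is not assigned in any hunk on this page, so the description may be referring to code elsewhere.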
diff --git a/include/flash_log.h b/include/flash_log.h
index 30bd326712..0ece03415d 100644
--- a/include/flash_log.h
+++ b/include/flash_log.h
@@ -101,6 +101,7 @@ enum ap_ro_verification_ev {
APROF_CHECK_FAILED = 6,
APROF_CHECK_SUCCEEDED = 7,
APROF_CHECK_UNSUPPORTED = 8,
+ APROF_FAIL_CLEARED = 9,
};
struct ap_ro_entry_payload {