diff options
| author | Mary Ruthven <mruthven@chromium.org> | 2016-12-14 16:45:22 -0800 |
|---|---|---|
| committer | ChromeOS Commit Bot <chromeos-commit-bot@chromium.org> | 2017-02-07 12:15:29 +0000 |
| commit | aabd550984d20403e9c68ae007c03e79e47451de (patch) | |
| tree | d7d15dfe1fcc1b5975e255364adc306d59e60c22 | |
| parent | baa900d6a880062c1b809fe50ae8e5577a5b5ba2 (diff) | |
| download | chrome-ec-aabd550984d20403e9c68ae007c03e79e47451de.tar.gz | |
cr50: add vendor command to invalidate inactive rw
This adds a vendor command to invalidate the old rw. It should be used
when the tpm has been validated.
BUG=chrome-os-partner:55667
BRANCH=none
TEST=manual
run the vendor command
run 'ver' on the cr50 console and verify the inactive RW version
is Error
reboot cr50 10 times and make sure there is no rollback.
Change-Id: Ibec3dde77d6b1ab921e43613d54638b7318f3f57
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/420407
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/439097
Reviewed-by: Youcheng Syu <youcheng@google.com>
Commit-Queue: Youcheng Syu <youcheng@google.com>
Tested-by: Youcheng Syu <youcheng@google.com>
| -rw-r--r-- | board/cr50/board.c | 53 | ||||
| -rw-r--r-- | include/tpm_vendor_cmds.h | 1 |
2 files changed, 54 insertions, 0 deletions
diff --git a/board/cr50/board.c b/board/cr50/board.c index 0f801de447..c625be6090 100644 --- a/board/cr50/board.c +++ b/board/cr50/board.c @@ -12,6 +12,7 @@ #include "device_state.h" #include "ec_version.h" #include "extension.h" +#include "flash.h" #include "flash_config.h" #include "gpio.h" #include "hooks.h" @@ -801,3 +802,55 @@ static enum vendor_cmd_rc vc_sysinfo(enum vendor_cmd_cc code, return VENDOR_RC_SUCCESS; } DECLARE_VENDOR_COMMAND(VENDOR_CC_SYSINFO, vc_sysinfo); + +static enum vendor_cmd_rc vc_invalidate_inactive_rw(enum vendor_cmd_cc code, + void *buf, + size_t input_size, + size_t *response_size) +{ + struct SignedHeader *header; + uint32_t ctrl; + uint32_t base_addr; + uint32_t size; + const char zero[4] = {}; /* value to write to magic. */ + + if (system_get_image_copy() == SYSTEM_IMAGE_RW) { + header = (struct SignedHeader *) + get_program_memory_addr(SYSTEM_IMAGE_RW_B); + } else { + header = (struct SignedHeader *) + get_program_memory_addr(SYSTEM_IMAGE_RW); + } + + /* save the original flash region6 register values */ + ctrl = GREAD(GLOBALSEC, FLASH_REGION6_CTRL); + base_addr = GREG32(GLOBALSEC, FLASH_REGION6_BASE_ADDR); + size = GREG32(GLOBALSEC, FLASH_REGION6_SIZE); + + /* Enable RW access to the other header. */ + GREG32(GLOBALSEC, FLASH_REGION6_BASE_ADDR) = (uint32_t) header; + GREG32(GLOBALSEC, FLASH_REGION6_SIZE) = 1023; + GWRITE_FIELD(GLOBALSEC, FLASH_REGION6_CTRL, EN, 1); + GWRITE_FIELD(GLOBALSEC, FLASH_REGION6_CTRL, RD_EN, 1); + GWRITE_FIELD(GLOBALSEC, FLASH_REGION6_CTRL, WR_EN, 1); + + CPRINTS("%s: TPM verified corrupting inactive image, magic before %x", + __func__, header->magic); + + flash_physical_write((intptr_t)&header->magic - + CONFIG_PROGRAM_MEMORY_BASE, + sizeof(zero), zero); + + CPRINTS("%s: magic after: %x", __func__, header->magic); + + /* Restore original values */ + GREG32(GLOBALSEC, FLASH_REGION6_BASE_ADDR) = base_addr; + GREG32(GLOBALSEC, FLASH_REGION6_SIZE) = size; + GREG32(GLOBALSEC, FLASH_REGION6_CTRL) = ctrl; + + *response_size = 0; + + return VENDOR_RC_SUCCESS; +} +DECLARE_VENDOR_COMMAND(VENDOR_CC_INVALIDATE_INACTIVE_RW, + vc_invalidate_inactive_rw); diff --git a/include/tpm_vendor_cmds.h b/include/tpm_vendor_cmds.h index dcab2dbdad..4e49455369 100644 --- a/include/tpm_vendor_cmds.h +++ b/include/tpm_vendor_cmds.h @@ -31,6 +31,7 @@ enum vendor_cmd_cc { VENDOR_CC_SET_LOCK = 17, VENDOR_CC_SYSINFO = 18, VENDOR_CC_IMMEDIATE_RESET = 19, + VENDOR_CC_INVALIDATE_INACTIVE_RW = 20, LAST_VENDOR_COMMAND = 65535, }; |