diff options
author | Mary Ruthven <mruthven@chromium.org> | 2016-12-14 16:45:22 -0800 |
---|---|---|
committer | ChromeOS Commit Bot <chromeos-commit-bot@chromium.org> | 2016-12-25 14:54:54 +0000 |
commit | e35a5a16a19cd62d70353f85247372199bd43c5c (patch) | |
tree | f549d69d001d225cf28c564e30594cfad7465eea | |
parent | 394b8cd73a30c5f52a5fb70d96c28878066c0e5e (diff) | |
download | chrome-ec-e35a5a16a19cd62d70353f85247372199bd43c5c.tar.gz |
cr50: add vendor command to invalidate inactive rw
This adds a vendor command to invalidate the old rw. It should be used
when the tpm has been validated.
BUG=chrome-os-partner:55667
BRANCH=none
TEST=manual
run the vendor command
run 'ver' on the cr50 console and verify the inactive RW version
is Error
reboot cr50 10 times and make sure there is no rollback.
Change-Id: Ibec3dde77d6b1ab921e43613d54638b7318f3f57
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/420407
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/423289
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Commit-Queue: Hung-Te Lin <hungte@chromium.org>
Tested-by: Hung-Te Lin <hungte@chromium.org>
Trybot-Ready: Hung-Te Lin <hungte@chromium.org>
-rw-r--r-- | board/cr50/board.c | 55 | ||||
-rw-r--r-- | include/tpm_vendor_cmds.h | 1 |
2 files changed, 56 insertions, 0 deletions
diff --git a/board/cr50/board.c b/board/cr50/board.c index c80c2f3930..20c36eb60a 100644 --- a/board/cr50/board.c +++ b/board/cr50/board.c @@ -9,6 +9,8 @@ #include "dcrypto/dcrypto.h" #include "device_state.h" #include "ec_version.h" +#include "extension.h" +#include "flash.h" #include "flash_config.h" #include "gpio.h" #include "hooks.h" @@ -671,3 +673,56 @@ void i2cs_set_pinmux(void) /* TODO(scollyer): Do we need to add wake on SCL activity here? */ } +DECLARE_VENDOR_COMMAND(VENDOR_CC_SYSINFO, vc_sysinfo); + +static enum vendor_cmd_rc vc_invalidate_inactive_rw(enum vendor_cmd_cc code, + void *buf, + size_t input_size, + size_t *response_size) +{ + struct SignedHeader *header; + uint32_t ctrl; + uint32_t base_addr; + uint32_t size; + const char zero[4] = {}; /* value to write to magic. */ + + if (system_get_image_copy() == SYSTEM_IMAGE_RW) { + header = (struct SignedHeader *) + get_program_memory_addr(SYSTEM_IMAGE_RW_B); + } else { + header = (struct SignedHeader *) + get_program_memory_addr(SYSTEM_IMAGE_RW); + } + + /* save the original flash region6 register values */ + ctrl = GREAD(GLOBALSEC, FLASH_REGION6_CTRL); + base_addr = GREG32(GLOBALSEC, FLASH_REGION6_BASE_ADDR); + size = GREG32(GLOBALSEC, FLASH_REGION6_SIZE); + + /* Enable RW access to the other header. */ + GREG32(GLOBALSEC, FLASH_REGION6_BASE_ADDR) = (uint32_t) header; + GREG32(GLOBALSEC, FLASH_REGION6_SIZE) = 1023; + GWRITE_FIELD(GLOBALSEC, FLASH_REGION6_CTRL, EN, 1); + GWRITE_FIELD(GLOBALSEC, FLASH_REGION6_CTRL, RD_EN, 1); + GWRITE_FIELD(GLOBALSEC, FLASH_REGION6_CTRL, WR_EN, 1); + + CPRINTS("%s: TPM verified corrupting inactive image, magic before %x", + __func__, header->magic); + + flash_physical_write((intptr_t)&header->magic - + CONFIG_PROGRAM_MEMORY_BASE, + sizeof(zero), zero); + + CPRINTS("%s: magic after: %x", __func__, header->magic); + + /* Restore original values */ + GREG32(GLOBALSEC, FLASH_REGION6_BASE_ADDR) = base_addr; + GREG32(GLOBALSEC, FLASH_REGION6_SIZE) = size; + GREG32(GLOBALSEC, FLASH_REGION6_CTRL) = ctrl; + + *response_size = 0; + + return VENDOR_RC_SUCCESS; +} +DECLARE_VENDOR_COMMAND(VENDOR_CC_INVALIDATE_INACTIVE_RW, + vc_invalidate_inactive_rw); diff --git a/include/tpm_vendor_cmds.h b/include/tpm_vendor_cmds.h index dcab2dbdad..4e49455369 100644 --- a/include/tpm_vendor_cmds.h +++ b/include/tpm_vendor_cmds.h @@ -31,6 +31,7 @@ enum vendor_cmd_cc { VENDOR_CC_SET_LOCK = 17, VENDOR_CC_SYSINFO = 18, VENDOR_CC_IMMEDIATE_RESET = 19, + VENDOR_CC_INVALIDATE_INACTIVE_RW = 20, LAST_VENDOR_COMMAND = 65535, }; |