summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMary Ruthven <mruthven@chromium.org>2016-12-14 16:45:22 -0800
committerChromeOS Commit Bot <chromeos-commit-bot@chromium.org>2016-12-25 14:54:54 +0000
commite35a5a16a19cd62d70353f85247372199bd43c5c (patch)
treef549d69d001d225cf28c564e30594cfad7465eea
parent394b8cd73a30c5f52a5fb70d96c28878066c0e5e (diff)
downloadchrome-ec-e35a5a16a19cd62d70353f85247372199bd43c5c.tar.gz
cr50: add vendor command to invalidate inactive rw
This adds a vendor command to invalidate the old rw. It should be used when the tpm has been validated. BUG=chrome-os-partner:55667 BRANCH=none TEST=manual run the vendor command run 'ver' on the cr50 console and verify the inactive RW version is Error reboot cr50 10 times and make sure there is no rollback. Change-Id: Ibec3dde77d6b1ab921e43613d54638b7318f3f57 Signed-off-by: Mary Ruthven <mruthven@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/420407 Reviewed-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/423289 Reviewed-by: Hung-Te Lin <hungte@chromium.org> Commit-Queue: Hung-Te Lin <hungte@chromium.org> Tested-by: Hung-Te Lin <hungte@chromium.org> Trybot-Ready: Hung-Te Lin <hungte@chromium.org>
-rw-r--r--board/cr50/board.c55
-rw-r--r--include/tpm_vendor_cmds.h1
2 files changed, 56 insertions, 0 deletions
diff --git a/board/cr50/board.c b/board/cr50/board.c
index c80c2f3930..20c36eb60a 100644
--- a/board/cr50/board.c
+++ b/board/cr50/board.c
@@ -9,6 +9,8 @@
#include "dcrypto/dcrypto.h"
#include "device_state.h"
#include "ec_version.h"
+#include "extension.h"
+#include "flash.h"
#include "flash_config.h"
#include "gpio.h"
#include "hooks.h"
@@ -671,3 +673,56 @@ void i2cs_set_pinmux(void)
/* TODO(scollyer): Do we need to add wake on SCL activity here? */
}
+DECLARE_VENDOR_COMMAND(VENDOR_CC_SYSINFO, vc_sysinfo);
+
+static enum vendor_cmd_rc vc_invalidate_inactive_rw(enum vendor_cmd_cc code,
+ void *buf,
+ size_t input_size,
+ size_t *response_size)
+{
+ struct SignedHeader *header;
+ uint32_t ctrl;
+ uint32_t base_addr;
+ uint32_t size;
+ const char zero[4] = {}; /* value to write to magic. */
+
+ if (system_get_image_copy() == SYSTEM_IMAGE_RW) {
+ header = (struct SignedHeader *)
+ get_program_memory_addr(SYSTEM_IMAGE_RW_B);
+ } else {
+ header = (struct SignedHeader *)
+ get_program_memory_addr(SYSTEM_IMAGE_RW);
+ }
+
+ /* save the original flash region6 register values */
+ ctrl = GREAD(GLOBALSEC, FLASH_REGION6_CTRL);
+ base_addr = GREG32(GLOBALSEC, FLASH_REGION6_BASE_ADDR);
+ size = GREG32(GLOBALSEC, FLASH_REGION6_SIZE);
+
+ /* Enable RW access to the other header. */
+ GREG32(GLOBALSEC, FLASH_REGION6_BASE_ADDR) = (uint32_t) header;
+ GREG32(GLOBALSEC, FLASH_REGION6_SIZE) = 1023;
+ GWRITE_FIELD(GLOBALSEC, FLASH_REGION6_CTRL, EN, 1);
+ GWRITE_FIELD(GLOBALSEC, FLASH_REGION6_CTRL, RD_EN, 1);
+ GWRITE_FIELD(GLOBALSEC, FLASH_REGION6_CTRL, WR_EN, 1);
+
+ CPRINTS("%s: TPM verified corrupting inactive image, magic before %x",
+ __func__, header->magic);
+
+ flash_physical_write((intptr_t)&header->magic -
+ CONFIG_PROGRAM_MEMORY_BASE,
+ sizeof(zero), zero);
+
+ CPRINTS("%s: magic after: %x", __func__, header->magic);
+
+ /* Restore original values */
+ GREG32(GLOBALSEC, FLASH_REGION6_BASE_ADDR) = base_addr;
+ GREG32(GLOBALSEC, FLASH_REGION6_SIZE) = size;
+ GREG32(GLOBALSEC, FLASH_REGION6_CTRL) = ctrl;
+
+ *response_size = 0;
+
+ return VENDOR_RC_SUCCESS;
+}
+DECLARE_VENDOR_COMMAND(VENDOR_CC_INVALIDATE_INACTIVE_RW,
+ vc_invalidate_inactive_rw);
diff --git a/include/tpm_vendor_cmds.h b/include/tpm_vendor_cmds.h
index dcab2dbdad..4e49455369 100644
--- a/include/tpm_vendor_cmds.h
+++ b/include/tpm_vendor_cmds.h
@@ -31,6 +31,7 @@ enum vendor_cmd_cc {
VENDOR_CC_SET_LOCK = 17,
VENDOR_CC_SYSINFO = 18,
VENDOR_CC_IMMEDIATE_RESET = 19,
+ VENDOR_CC_INVALIDATE_INACTIVE_RW = 20,
LAST_VENDOR_COMMAND = 65535,
};