diff options
| author | Bill Richardson <wfrichar@chromium.org> | 2013-08-21 08:59:53 -0700 |
|---|---|---|
| committer | Dave Parker <dparker@chromium.org> | 2013-08-23 16:47:39 -0700 |
| commit | 0c9339bb952283cc92c5a84f0388d8d78a9cc27a (patch) | |
| tree | af147c1f09774ee53d49e64385848050723b05a1 | |
| parent | f3ff9373571fadd5ce058fb7a7dbb5537e8bec16 (diff) | |
| download | chrome-ec-0c9339bb952283cc92c5a84f0388d8d78a9cc27a.tar.gz | |
CHERRY-PICK:Lock BOOTCFG to safe values for all LM4s
The BOOTCFG register configures a couple of important things: whether to
allow jumping into the builtin ROM bootloader at reset, and whether or not
to allow JTAG access for programing and debugging.
The default is "no" and "yes". But the BOOTCFG register can be locked so
that it can't be changed again, which means that if the wrong values are put
into it, the system is pretty much bricked.
On Link, we wrote a BOOTCFG value that allowed a GPIO to be used as a bypass
to optionally trigger the ROM bootloader, but on Slippy and its derivatives
that GPIO is not pulled up. If you program the Link values into BOOTCFG on a
Slippy, the system is stuck in the ROM bootloader more or less forever.
This change disables that GPIO, keeps JTAG enabled, and locks those settings
for all LM4 chips (it's a chip config now, not a board config). We've never
actually used the GPIO to invoke the ROM bootloader, but we have managed to
brick a number of systems just by having it enabled, so we're going to lock
it into a safe configuration now.
BUG=chrome-os-partner:19247
BRANCH=falco,peppy
TEST=manual
Reflash, boot, power cycle (actually unplug the EC from AC and battery) a
few times. It should continue to work.
Change-Id: Idadfe7f638d0ea64090d97ca97ec162339757be3
Original-Change-Id: Iaf1a81d6814104421a56425490e3d5164ea9b617
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/66538
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/66867
Tested-by: Dave Parker <dparker@chromium.org>
| -rw-r--r-- | board/bds/board.h | 4 | ||||
| -rw-r--r-- | board/bolt/board.h | 7 | ||||
| -rw-r--r-- | board/falco/board.h | 6 | ||||
| -rw-r--r-- | board/link/board.h | 5 | ||||
| -rw-r--r-- | board/peppy/board.h | 6 | ||||
| -rw-r--r-- | board/slippy/board.h | 6 | ||||
| -rw-r--r-- | board/wolf/board.h | 5 | ||||
| -rw-r--r-- | chip/lm4/config_chip.h | 11 | ||||
| -rw-r--r-- | chip/lm4/registers.h | 1 | ||||
| -rw-r--r-- | chip/lm4/system.c | 10 | ||||
| -rw-r--r-- | include/config.h | 3 |
11 files changed, 19 insertions, 45 deletions
diff --git a/board/bds/board.h b/board/bds/board.h index 9d4672a34d..b35cf0445b 100644 --- a/board/bds/board.h +++ b/board/bds/board.h @@ -66,10 +66,6 @@ enum gpio_signal { #define EEPROM_BLOCK_START_PSTORE 16 /* Host persistent storage */ #define EEPROM_BLOCK_COUNT_PSTORE 16 -/* Target value for BOOTCFG. This currently toggles the polarity bit without - * enabling the boot loader, simply to prove we can program it. */ -#define BOOTCFG_VALUE 0xfffffdfe - #endif /* !__ASSEMBLER__ */ #endif /* __BOARD_H */ diff --git a/board/bolt/board.h b/board/bolt/board.h index 7216774ff8..426c74883b 100644 --- a/board/bolt/board.h +++ b/board/bolt/board.h @@ -197,13 +197,6 @@ enum temp_sensor_id { TEMP_SENSOR_COUNT }; -/* HEY: The below stuff is for Link. Pick a different pin for bolt */ -/* Target value for BOOTCFG. This is set to PE2/USB1_CTL1, which has an external - * pullup. If this signal is pulled to ground when the EC boots, the EC will get - * into the boot loader and we can recover bricked EC. */ -/* #define BOOTCFG_VALUE 0x7fff88fe -- as used on slippy */ -#define BOOTCFG_VALUE 0xfffffffe /* TODO: not configured */ - /* Known board versions for system_get_board_version(). */ enum board_version { BOARD_VERSION_PROTO1 = 0, diff --git a/board/falco/board.h b/board/falco/board.h index 07bc699b2c..4b770d6c4d 100644 --- a/board/falco/board.h +++ b/board/falco/board.h @@ -191,12 +191,6 @@ enum temp_sensor_id { */ int board_g781_has_power(void); -/* HEY: The below stuff is for Link. Pick a different pin for Falco */ -/* Target value for BOOTCFG. This is set to PE2/USB1_CTL1, which has an external - * pullup. If this signal is pulled to ground when the EC boots, the EC will get - * into the boot loader and we can recover bricked EC. */ -#define BOOTCFG_VALUE 0x7fff88fe - /* Wireless signals */ #define WIRELESS_GPIO_WLAN GPIO_WLAN_OFF_L #define WIRELESS_GPIO_WWAN GPIO_PP3300_LTE_EN diff --git a/board/link/board.h b/board/link/board.h index 34e55cdd90..b757ff8bf6 100644 --- a/board/link/board.h +++ b/board/link/board.h @@ -208,11 +208,6 @@ enum temp_sensor_id { /* The number of TMP006 sensor chips on the board. */ #define TMP006_COUNT 4 -/* Target value for BOOTCFG. This is set to PE2/USB1_CTL1, which has an external - * pullup. If this signal is pulled to ground when the EC boots, the EC will get - * into the boot loader and we can recover bricked EC. */ -#define BOOTCFG_VALUE 0x7fff88fe - /* Wireless signals */ #define WIRELESS_GPIO_WLAN GPIO_RADIO_ENABLE_WLAN #define WIRELESS_GPIO_BLUETOOTH GPIO_RADIO_ENABLE_BT diff --git a/board/peppy/board.h b/board/peppy/board.h index 2e4f392842..94ea1ba40e 100644 --- a/board/peppy/board.h +++ b/board/peppy/board.h @@ -194,12 +194,6 @@ enum temp_sensor_id { */ int board_g781_has_power(void); -/* HEY: The below stuff is for Link. Pick a different pin for Peppy */ -/* Target value for BOOTCFG. This is set to PE2/USB1_CTL1, which has an external - * pullup. If this signal is pulled to ground when the EC boots, the EC will get - * into the boot loader and we can recover bricked EC. */ -#define BOOTCFG_VALUE 0x7fff88fe - /* Wireless signals */ #define WIRELESS_GPIO_WLAN GPIO_WLAN_OFF_L #define WIRELESS_GPIO_WWAN GPIO_PP3300_LTE_EN diff --git a/board/slippy/board.h b/board/slippy/board.h index 6d048503fe..19c741a0cc 100644 --- a/board/slippy/board.h +++ b/board/slippy/board.h @@ -189,12 +189,6 @@ enum temp_sensor_id { */ int board_g781_has_power(void); -/* HEY: The below stuff is for Link. Pick a different pin for Slippy */ -/* Target value for BOOTCFG. This is set to PE2/USB1_CTL1, which has an external - * pullup. If this signal is pulled to ground when the EC boots, the EC will get - * into the boot loader and we can recover bricked EC. */ -#define BOOTCFG_VALUE 0x7fff88fe - /* Wireless signals */ #define WIRELESS_GPIO_WLAN GPIO_WLAN_OFF_L #define WIRELESS_GPIO_WWAN GPIO_PP3300_LTE_EN diff --git a/board/wolf/board.h b/board/wolf/board.h index 5b208bd50c..d8a66a1a90 100644 --- a/board/wolf/board.h +++ b/board/wolf/board.h @@ -185,11 +185,6 @@ enum temp_sensor_id { */ int board_g781_has_power(void); -/* Target value for BOOTCFG. This is set to PE2/USB1_CTL1, which has an external - * pullup. If this signal is pulled to ground when the EC boots, the EC will get - * into the boot loader and we can recover bricked EC. */ -#define BOOTCFG_VALUE 0x7fff88fe - /* Wireless signals */ #define WIRELESS_GPIO_WLAN GPIO_WLAN_OFF_L #define WIRELESS_GPIO_WWAN GPIO_PP3300_LTE_EN diff --git a/chip/lm4/config_chip.h b/chip/lm4/config_chip.h index 004d98b09a..9fbda8d970 100644 --- a/chip/lm4/config_chip.h +++ b/chip/lm4/config_chip.h @@ -97,6 +97,17 @@ #define CONFIG_FW_WP_RO_SIZE CONFIG_FW_RO_SIZE /****************************************************************************/ +/* Lock the boot configuration to prevent brickage. */ + +/* + * No GPIO trigger for ROM bootloader. + * Keep JTAG debugging enabled. + * Use 0xA442 flash write key. + * Lock it this way. + */ +#define CONFIG_BOOTCFG_VALUE 0x7ffffffe + +/****************************************************************************/ /* Customize the build */ /* Optional features present on this chip */ diff --git a/chip/lm4/registers.h b/chip/lm4/registers.h index 30332d792b..c463fe41cc 100644 --- a/chip/lm4/registers.h +++ b/chip/lm4/registers.h @@ -248,6 +248,7 @@ static inline int lm4_fan_addr(int ch, int offset) #define LM4_SYSTEM_PIOSCSTAT REG32(0x400fe154) #define LM4_SYSTEM_PLLSTAT REG32(0x400fe168) #define LM4_SYSTEM_BOOTCFG REG32(0x400fe1d0) +#define LM4_SYSTEM_BOOTCFG_MASK 0x7fff00ec /* Reserved bits of BOOTCFG reg */ /* Note: USER_REG3 is used to hold pre-programming process data and should not * be modified by EC code. See crosbug.com/p/8889. */ #define LM4_SYSTEM_USER_REG3 REG32(0x400fe1ec) diff --git a/chip/lm4/system.c b/chip/lm4/system.c index 3f0e990e16..46d2fa68da 100644 --- a/chip/lm4/system.c +++ b/chip/lm4/system.c @@ -341,18 +341,16 @@ void system_pre_init(void) check_reset_cause(); - /* HEY: read LM4_SYSTEM_BOOTCFG bit 4 to determine WRKEY value */ - -#ifdef BOARD_link /* FIXME: crosbug.com/p/19366 */ /* Initialize bootcfg if needed */ - if (LM4_SYSTEM_BOOTCFG != BOOTCFG_VALUE) { - LM4_FLASH_FMD = BOOTCFG_VALUE; + if (LM4_SYSTEM_BOOTCFG != CONFIG_BOOTCFG_VALUE) { + /* read-modify-write */ + LM4_FLASH_FMD = (LM4_SYSTEM_BOOTCFG_MASK & LM4_SYSTEM_BOOTCFG) + | (~LM4_SYSTEM_BOOTCFG_MASK & CONFIG_BOOTCFG_VALUE); LM4_FLASH_FMA = 0x75100000; LM4_FLASH_FMC = 0xa4420008; /* WRKEY | COMT */ while (LM4_FLASH_FMC & 0x08) ; } -#endif /* Brown-outs should trigger a reset */ LM4_SYSTEM_PBORCTL |= 0x02; diff --git a/include/config.h b/include/config.h index edecb25c89..2fad02cd1c 100644 --- a/include/config.h +++ b/include/config.h @@ -92,6 +92,9 @@ /* EC has GPIOs attached to board version stuffing resistors */ #undef CONFIG_BOARD_VERSION +/* Permanent LM4 boot configuration */ +#undef CONFIG_BOOTCFG_VALUE + /*****************************************************************************/ /* Charger config */ |