flash: Set CBI EEPROM WP immediately if SW WP set

With `CONFIG_EEPROM_CBI_WP`, the EC will set the the CBI EEPROM WP
according to `system_is_locked`.  The system lock status is also cached.
In order to prevent requiring an EC reboot after setting the software
write protect status, this commit will set the CBI EEPROM WP status when
the SW WP is asserted along with the HW WP.  This is the same criteria
that `system_is_locked` would use when deciding if the system is locked.

BUG=b:181769483
BRANCH=None
TEST=Build and flash a reworked lalala, enable HW WP, enable SW WP via
`flashrom -p ec --wp-enable` and verify that EC_CBI_WP is asserted
immediately without requiring an EC reboot.

Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Change-Id: I987a5b7652134be11c82855aab9ed4eb1442b57c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3058077
Tested-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Commit-Queue: Aseda Aboagye <aaboagye@chromium.org>

3 files changed, 50 insertions, 0 deletions

diff --git a/baseboard/dedede/baseboard.c b/baseboard/dedede/baseboard.c
index 3754f04b36..2f71f03068 100644
--- a/baseboard/dedede/baseboard.c
+++ b/baseboard/dedede/baseboard.c
@@ -16,6 +16,7 @@
 #include "gpio.h"
 #include "hooks.h"
 #include "host_command.h"
+#include "power/icelake.h"
 #include "power/intel_x86.h"
 #include "system.h"
 #include "usb_pd.h"
diff --git a/common/flash.c b/common/flash.c
index 779fbe24db..c8f58a82af 100644
--- a/common/flash.c
+++ b/common/flash.c
@@ -7,6 +7,7 @@
 
 #include "common.h"
 #include "console.h"
+#include "cros_board_info.h"
 #include "flash.h"
 #include "gpio.h"
 #include "hooks.h"
@@ -945,6 +946,15 @@ int crec_flash_set_protect(uint32_t mask, uint32_t flags)
 		rv = crec_flash_physical_protect_now(0);
 		if (rv)
 			retval = rv;
+
+		/*
+		 * Latch the CBI EEPROM WP immediately if HW WP is asserted and
+		 * we're now protecting the RO region with SW WP.
+		 */
+		if (IS_ENABLED(CONFIG_EEPROM_CBI_WP) &&
+		    (EC_FLASH_PROTECT_GPIO_ASSERTED &
+		     crec_flash_get_protect()))
+			cbi_latch_eeprom_wp();
 	}
 
 	/* 5 - Commit ALL_NOW. */
diff --git a/test/flash_write_protect.c b/test/flash_write_protect.c
index 2bf801c9b0..df20ede3fd 100644
--- a/test/flash_write_protect.c
+++ b/test/flash_write_protect.c
@@ -79,16 +79,55 @@ test_static void run_test_step2(void)
 
 	if (test_get_error_count())
 		test_reboot_to_next_step(TEST_STATE_FAILED);
+	else if (IS_ENABLED(CONFIG_EEPROM_CBI_WP))
+		test_reboot_to_next_step(TEST_STATE_STEP_3);
 	else
 		test_reboot_to_next_step(TEST_STATE_PASSED);
 }
 
+#ifdef CONFIG_EEPROM_CBI_WP
+test_static int test_cbi_wb_asserted_immediately(void)
+{
+	int rv;
+
+	TEST_EQ(check_image_and_hardware_write_protect(), EC_SUCCESS, "%d");
+
+	/* Ensure that EC_CBI_WP is not asserted. */
+	TEST_EQ(gpio_get_level(GPIO_EC_CBI_WP), 0, "%d");
+
+	/* Equivalent of ectool --name=cros_fp flashprotect disable */
+	rv = crec_flash_set_protect(EC_FLASH_PROTECT_RO_NOW, 0);
+	TEST_EQ(rv, EC_SUCCESS, "%d");
+
+	/* Now make sure EC_CBI_WP is asserted immediately. */
+	TEST_EQ(gpio_get_level(GPIO_EC_CBI_WP), 1, "%d");
+
+
+	return EC_SUCCESS;
+}
+
+test_static void run_test_step3(void)
+{
+	ccprintf("Step 3: Flash write protect test\n");
+	RUN_TEST(test_cbi_wb_asserted_immediately);
+
+	if (test_get_error_count())
+		test_reboot_to_next_step(TEST_STATE_FAILED);
+	else
+		test_reboot_to_next_step(TEST_STATE_PASSED);
+}
+#endif /* CONFIG_EEPROM_CBI_WP */
+
 void test_run_step(uint32_t state)
 {
 	if (state & TEST_STATE_MASK(TEST_STATE_STEP_1))
 		run_test_step1();
 	else if (state & TEST_STATE_MASK(TEST_STATE_STEP_2))
 		run_test_step2();
+#ifdef CONFIG_EEPROM_CBI_WP
+	else if (state & TEST_STATE_MASK(TEST_STATE_STEP_3))
+		run_test_step3();
+#endif /* CONFIG_EEPROM_CBI_WP */
 }
 
 int task_test(void *unused)