author | Alec Berg <alecaberg@chromium.org> | 2015-02-14 10:19:55 -0800 |
---|---|---|
committer | ChromeOS Commit Bot <chromeos-commit-bot@chromium.org> | 2015-02-18 04:53:59 +0000 |
commit | 02d0ce1526f844020b8a8fbed2987a8d5efba481 (patch) | |
tree | a1a80d729986dde597c2a2620c83075d04b302e8 | |
parent | d00847782480e492401ba3bc5a8a8e6f026b08ba (diff) | |
download | chrome-ec-02d0ce1526f844020b8a8fbed2987a8d5efba481.tar.gz |
samus: panic reboot EC if PD MCU crashes
Use the EC to check if PD MCU has crashed. The EC knows this
by checking the PD status bits: if PD MCU was in RW, and is
now in RO, AND it did not get to RO via a sysjump, then it
must have crashed. When the EC detects this, the EC will also
panic and reboot the entire system, so that we can software
sync to a known good state.
Also, when EC panics due to PD crash, it will log panic info.
BUG=chrome-os-partner:36636
BRANCH=samus
TEST=load onto samus EC and PD, try sysjump'ing back and forth
on PD MCU console and verify EC does not do anything. Crash
the PD MCU when in RW by reboot command and crash divzero command,
and make sure the EC panics with PD crash panic message. Crash
the PD MCU when in RO (before sysjumping to RW) and make sure
EC does not panic.
Change-Id: I57961028e6b23a878b8e477a9d8e180cb121a742
Signed-off-by: Alec Berg <alecaberg@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/250100
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Shawn N <shawnn@chromium.org>
-rw-r--r-- | board/samus/board.h | 1 | ||||
-rw-r--r-- | board/samus_pd/board.c | 6 | ||||
-rw-r--r-- | common/host_command_pd.c | 20 | ||||
-rw-r--r-- | include/config.h | 3 | ||||
-rw-r--r-- | include/ec_commands.h | 4 | ||||
-rw-r--r-- | include/software_panic.h | 1 |
6 files changed, 34 insertions, 1 deletions
diff --git a/board/samus/board.h b/board/samus/board.h
index 05bb3c6961..dc70ca9b34 100644
--- a/board/samus/board.h
+++ b/board/samus/board.h
@@ -60,6 +60,7 @@
 #define CONFIG_HIBERNATE_DELAY_SEC (3600 * 24 * 7)
 #define CONFIG_HIBERNATE_BATT_PCT 10
 #define CONFIG_HIBERNATE_BATT_SEC (3600 * 24)
+#define CONFIG_HOSTCMD_PD_PANIC
 #define CONFIG_PECI_TJMAX 105
 #define CONFIG_PWM
 #define CONFIG_PWM_KBLIGHT
diff --git a/board/samus_pd/board.c b/board/samus_pd/board.c
index 942a0092cd..e25693599c 100644
--- a/board/samus_pd/board.c
+++ b/board/samus_pd/board.c
@@ -471,6 +471,12 @@ static void board_init(void)
 /* Initialize active charge port to none */
 pd_status.active_charge_port = CHARGE_PORT_NONE;
+ /* Set PD MCU system status bits */
+ if (system_jumped_to_this_image())
+ pd_status.status |= PD_STATUS_JUMPED_TO_IMAGE;
+ if (system_get_image_copy() == SYSTEM_IMAGE_RW)
+ pd_status.status |= PD_STATUS_IN_RW;
+
 /*
 * Do not enable PD communication in RO as a security measure.
 * We don't want to allow communication to outside world until
diff --git a/common/host_command_pd.c b/common/host_command_pd.c
index ca315c574f..140c71ea4e 100644
--- a/common/host_command_pd.c
+++ b/common/host_command_pd.c
@@ -10,6 +10,8 @@
 #include "console.h"
 #include "host_command.h"
 #include "lightbar.h"
+#include "panic.h"
+#include "system.h"
 #include "task.h"
 #include "timer.h"
 #include "util.h"
@@ -43,6 +45,9 @@ static void pd_exchange_status(void)
 struct ec_params_pd_status ec_status;
 struct ec_response_pd_status pd_status;
 int rv = 0;
+#ifdef CONFIG_HOSTCMD_PD_PANIC
+ static int pd_in_rw;
+#endif
 /* Send PD charge state and battery state of charge */
 ec_status.charge_state = charge_state;
@@ -66,6 +71,21 @@ static void pd_exchange_status(void)
 return;
 }
+#ifdef CONFIG_HOSTCMD_PD_PANIC
+ /*
+ * Check if PD MCU is in RW. If PD MCU was in RW and is now in RO
+ * AND it did not sysjump to RO, then it must have crashed, and
+ * therefore we should panic as well.
+ */
+ if (pd_status.status & PD_STATUS_IN_RW) {
+ pd_in_rw = 1;
+ } else if (pd_in_rw &&
+ !(pd_status.status & PD_STATUS_JUMPED_TO_IMAGE)) {
+ panic_printf("PD crash");
+ software_panic(PANIC_SW_PD_CRASH, 0);
+ }
+#endif
+
 #ifdef HAS_TASK_LIGHTBAR
 /*
 * If charge port has changed, and it was initialized, then show
diff --git a/include/config.h b/include/config.h
index 5f30ba31f3..5ea6e7e4f7 100644
--- a/include/config.h
+++ b/include/config.h
@@ -708,6 +708,9 @@
 #define CONFIG_HOSTCMD_RATE_LIMITING_MIN_REST (3 * MSEC)
 #define CONFIG_HOSTCMD_RATE_LIMITING_RECESS (20 * MSEC)
+/* Panic when status of PD MCU reflects that it has crashed */
+#undef CONFIG_HOSTCMD_PD_PANIC
+
 /*****************************************************************************/
 /* Enable debugging and profiling statistics for hook functions */
diff --git a/include/ec_commands.h b/include/ec_commands.h
index edf9f4fa6b..df16a557e9 100644
--- a/include/ec_commands.h
+++ b/include/ec_commands.h
@@ -2694,7 +2694,9 @@ struct ec_params_pd_status {
 } __packed;
 /* Status of PD being sent back to EC */
-#define PD_STATUS_HOST_EVENT (1 << 0)
+#define PD_STATUS_HOST_EVENT (1 << 0) /* Forward host event to AP */
+#define PD_STATUS_IN_RW (1 << 1) /* Running RW image */
+#define PD_STATUS_JUMPED_TO_IMAGE (1 << 2) /* Current image was jumped to */
 struct ec_response_pd_status {
 uint32_t status; /* PD MCU status */
 uint32_t curr_lim_ma; /* input current limit */
diff --git a/include/software_panic.h b/include/software_panic.h
index 9dc6d5a394..15070f95ed 100644
--- a/include/software_panic.h
+++ b/include/software_panic.h
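Review bot: In the `-66,6 +71,21` hunk of common/host_command_pd.c, `pd_in_rw` is set to 1 the first time the PD reports RW and is never cleared, so a PD that deliberately sysjumped RW to RO and is later reset while in RO (status without `PD_STATUS_JUMPED_TO_IMAGE`) is treated as an RW crash and panics the EC. If that case should not reboot the system, clear the latch on a legitimate jump, e.g. `} else if (pd_status.status & PD_STATUS_JUMPED_TO_IMAGE) { pd_in_rw = 0; } else if (pd_in_rw) {`. Nothing visible here bounds how often the EC will panic-reboot, so a PD RW image that crashes on every boot would presumably cycle the whole system unless software sync, which is outside this diff, handles that case. Both bits are self-reported by the PD MCU, so I would add a comment such as `/* Reliability heuristic only: PD status bits are not authenticated */` above the check. pd_exchange_status() starts and ends outside the hunk, and the latch itself is declared in the earlier `-43,6 +45,9` hunk.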
@@ -17,6 +17,7 @@
 /* Software panic reasons */
 #define PANIC_SW_DIV_ZERO (PANIC_SW_BASE + 0)
 #define PANIC_SW_STACK_OVERFLOW (PANIC_SW_BASE + 1)
+#define PANIC_SW_PD_CRASH (PANIC_SW_BASE + 2)
 #define PANIC_SW_ASSERT (PANIC_SW_BASE + 3)
 #define PANIC_SW_WATCHDOG (PANIC_SW_BASE + 4) |