g: upgrade_fw: limit updates after a hard reset

Reject updates for the first 60 seconds after a hard reboot. This should
prevent people from using the reboot at the end of an update to get
around the update rate limiting. Reboots don't happen during normal cr50
operation, so this should not prevent updates. It will just prevent
updating cr50 many times in a row.

This change does not limit updates after deep sleep or POR.

BUG=b:62097097
BRANCH=cr50
TEST=Try to update cr50 two times. Verify that on the second time the
update is rejected. Put cr50 into deep sleep, wake it up and verify it
can be updated immediately. Get cr50 to do a POR and verify it can be
updated immediately.

Change-Id: I828ef210e1c5bcf59d4753b8178ee4e1369d5d36
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/520727
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>

1 files changed, 19 insertions, 2 deletions

diff --git a/chip/g/upgrade_fw.c b/chip/g/upgrade_fw.c
index c9c2176265..c21e847685 100644
--- a/chip/g/upgrade_fw.c
+++ b/chip/g/upgrade_fw.c
@@ -250,10 +250,27 @@ static uint64_t prev_timestamp;
 
 static int chunk_came_too_soon(uint32_t block_offset)
 {
-	if (!prev_timestamp ||
-	    ((get_time().val - prev_timestamp) > BACKOFF_TIME))
+	int hard_reset = system_get_reset_flags() & RESET_FLAG_HARD;
+
+	/*
+	 * If it has been BACKOFF_TIME since the last time we wrote to a block
+	 * or since the last boot, the write is ok.
+	 */
+	if ((get_time().val - prev_timestamp) > BACKOFF_TIME)
 		return 0;
 
+	if (!prev_timestamp) {
+		/*
+		 * If we just recovered from a hard reset, we have to wait until
+		 * backoff time to accept an update. All other resets can accept
+		 * updates immediately.
+		 */
+		if (hard_reset)
+			CPRINTF("%s: rejecting a write after hard reset\n",
+				__func__);
+		return hard_reset;
+	}
+
 	if (!prev_offset ||
 	    (block_offset >= (prev_offset + SIGNED_TRANSFER_SIZE)))
 		return 0;