author | Randall Spangler <rspangler@chromium.org> | 2017-07-11 16:30:27 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2017-07-20 15:00:40 -0700 |
commit | 4809c70bbea8743cc7c1d382d7510ed937dce914 (patch) | |
tree | d4e36de78e911f9a6bbbef6ad6abf31c8717b0f9 /board/cr50/board.h | |
parent | 2ef78186c980120560123b149d7092a51edbeb98 (diff) | |
cr50: Add case closed debugging V1 configuration
This adds the CCD configuration module, and the console commands to
control it. It is not wired up to any of the CCD capabilities; that's
coming in the next CL.
Briefly:
* CCD configuration is persistently stored in nvmem_vars. Use ccdinfo to
print it.
* CCD can be Locked, Unlocked (some capabilities), or Opened
(all capabilities), using the ccdlock / ccdunlock / ccdopen commands.
* CCD config can be restricted by setting a password via ccdpass.
* Individual config capabilities can be set via ccdset. Some of those will
be used to gate access to things like write protect and UARTs. Others
affect the requirements for ccdunlock / ccdopen (for example, is physical
presence required).
* The entire config can be reset via ccdreset. If only unlocked, config
that is restricted to Opened is not reset.
* If CR50_DEV=1, ccdoops will force-reset and open the config.
See go/cr50-ccd-wp for more information.
BUG=b:62537474
BRANCH=none
TEST=manual with CR50_DEV=1 build
gpioget # make sure GPIO_BATT_PRES_L=0
ccdlock # lock, because CR50_DEV=1 builds start unlocked
ccdinfo # locked, flags=0, all capabilities default
ccdpass # access denied (we're locked)
ccdreset # access denied
ccdset flashap always # access denied
ccdunlock
ccdinfo # unlocked
ccdpass foo
ccdinfo # flags=2 (password set when unlocked)
ccdset flashap always # access denied
ccdset uartectx unlesslocked
ccdinfo # yes, uartectx permission changed
ccdlock
ccdunlock # fails without password
ccdunlock bar # wrong password
ccdunlock foo # busy
(wait 3 sec)
ccdunlock foo
ccdreset
ccdinfo # no password, flags 0, capabilities all default
ccdopen # requires physical presence; tap power or use 'pp'
ccdset uartectx unlesslocked
ccdset batterybypasspp ifopened
ccdpass baz
ccdinfo # password set, flag 0, ccdset changes worked
ccdunlock
ccdreset
ccdinfo # uartectx back to ifopened, password still set
ccdopen baz # still requires physical presence
ccdset opennolongpp always
ccdlock
ccdopen baz # no pp required
ccdset unlocknoshortpp unlesslocked
ccdlock
ccdopen baz # short pp sequence required (3 taps)
ccdlock
ccdunlock baz # short pp sequence required
ccdopen baz # pp not required
ccdset unlocknoshortpp always
ccdlock
testlab open # access denied
testlab enable # access denied
ccdunlock baz
testlab open # access denied
testlab enable # access denied
ccdopen baz
testlab enable # requires short pp
ccdinfo # flags 1
ccdreset
ccdinfo # no password, flags=1, caps all default
ccdlock
testlab open
ccdinfo # opened
testlab disable # requires short pp; let it time out
ccdinfo # still opened, flags=1
ccdlock
ccdoops # backdoor in CR50_DEV images to force-reset CCD
ccdinfo # opened, flags=0, all defaults (yes, oops wipes out testlab)
ccdreset rma
ccdinfo # flags = 0x400000, everything but Cr50FullConsole always
ccdreset # back to flags=0, all default
Change-Id: I24e8d8f361874671e6e94f27492ae00db919bea9
Reviewed-on: https://chromium-review.googlesource.com/569439
Commit-Ready: Randall Spangler <rspangler@chromium.org>
Tested-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Diffstat (limited to 'board/cr50/board.h')
-rw-r--r-- | board/cr50/board.h | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/board/cr50/board.h b/board/cr50/board.h
index b6ebedd7b0..758d8cdc3c 100644
--- a/board/cr50/board.h
+++ b/board/cr50/board.h
@@ -102,10 +102,12 @@
 /* Enable Case Closed Debugging */
 #define CONFIG_CASE_CLOSED_DEBUG
+#define CONFIG_CASE_CLOSED_DEBUG_V1
 #define CONFIG_PHYSICAL_PRESENCE
 #ifdef CR50_DEV
-/* Enable unsafe dev features for physical presence in dev builds */
+/* Enable unsafe dev features for CCD in dev builds */
+#define CONFIG_CASE_CLOSED_DEBUG_V1_UNSAFE
 #define CONFIG_PHYSICAL_PRESENCE_DEBUG_UNSAFE
 #endif
@@ -181,6 +183,7 @@ enum nvmem_vars {
 NVMEM_VAR_CONSOLE_LOCKED = 0,
 NVMEM_VAR_TEST_VAR,
 NVMEM_VAR_U2F_SALT,
+ NVMEM_VAR_CCD_CONFIG,
 NVMEM_VARS_COUNT
 };
@@ -209,6 +212,13 @@ int board_id_is_mismatched(void);
 void power_button_record(void);
+/* Functions needed by CCD config */
+int board_battery_is_present(void);
+int board_fwmp_allows_unlock(void);
+void board_reboot_ap(void);
+int board_wipe_tpm(void);
+int board_is_first_factory_boot(void);
+
 #endif /* !__ASSEMBLER__ */
 /* USB interface indexes (use define rather than enum to expand them) */ |
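Review bot: The new comment `/* Enable unsafe dev features for CCD in dev builds */` in the `#ifdef CR50_DEV` block does not say what `CONFIG_CASE_CLOSED_DEBUG_V1_UNSAFE` turns on, which matters for a flag that weakens the CCD lock. Going by the commit description, it appears to be the switch for `ccdoops`, so I would write `/* Dev builds only: enables ccdoops, which force-resets and opens the CCD config */`. Both unsafe options now depend on the single `CR50_DEV` macro. Whether anything outside this header keeps a `CR50_DEV` image off production devices is not visible here and should be confirmed.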
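Review bot: `NVMEM_VAR_CCD_CONFIG` is appended just before `NVMEM_VARS_COUNT`, which keeps the existing values stable, but nothing in `enum nvmem_vars` tells the next contributor that the order matters. If these values are the keys under which variables are persisted (the description says the CCD config is stored in nvmem_vars), inserting or reordering an entry could make an already-provisioned device read another variable's bytes as its CCD config. I would add `/* Values are persisted; append new entries only, never reorder or reuse */` above the first enumerator. The enum begins above the hunk, so how the values are consumed is not visible here.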
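Review bot: The five prototypes added under `/* Functions needed by CCD config */` carry no return-value contract, although several of them look like gates for unlock and open. `board_battery_is_present`, `board_fwmp_allows_unlock` and `board_is_first_factory_boot` read as predicates, while `board_wipe_tpm` presumably returns an error code, so a caller that tests them all the same way would get one of them backwards. I would give each a one-line comment stating what non-zero means and what is returned when the underlying state cannot be read, for example `/* Non-zero if FWMP allows unlock; must return 0 if the FWMP cannot be read */` and `/* EC_SUCCESS, or non-zero error if the TPM was not wiped; callers must check */`. These should be adjusted to what the implementations actually do, since those are not part of this file section.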