Plug in the AP RO verification implementation

This adds plumbing necessary to invoke the AP RO verification function
in response to the operator entering the 'magic sequence' of holding
the power button pressed and pressing/releasing the refresh button
three times within five seconds.

The code used during the 'Open box RMA' verification process is used,
with the physical presence confirmation phase bypassed.

This patch also makes sure that attempts to use CCD to program AP or
EC flash while AP RO verification is in progress would fail.

BUG=b:153764696, b:154966209
TEST=with the next patch applied, generated AP integrity verification
     data using the ap_ro_hash.py script and then ran the verification
     procedure, observing the 'hash match' message on the Cr50
     console.

     Also verified that the Open Box RMA procedure still succeeds.

Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: Ic101fb892554ebb05f9ebe6d1546bfb439f74043
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2171399
Reviewed-by: Mary Ruthven <mruthven@chromium.org>

2 files changed, 54 insertions, 2 deletions

diff --git a/board/cr50/power_button.c b/board/cr50/power_button.c
index a7d3634a00..bff6c4890c 100644
--- a/board/cr50/power_button.c
+++ b/board/cr50/power_button.c
@@ -3,6 +3,7 @@
  * found in the LICENSE file.
  */
 
+#include "ap_ro_integrity_check.h"
 #include "console.h"
 #include "extension.h"
 #include "gpio.h"
@@ -145,11 +146,13 @@ static int rctd_poll_handler(void)
 	if (!ref_last_state)
 		return 1;
 
-	CPRINTS("Esc press registered");
-	if (++ref_press_count != PRESS_COUNT)
+	if (++ref_press_count != PRESS_COUNT) {
+		CPRINTS("Refresh press registered");
 		return 1;
+	}
 
 	CPRINTS("RO Validation triggered");
+	validate_ap_ro();
 	return 0;
 }
 
diff --git a/board/cr50/usb_spi.c b/board/cr50/usb_spi.c
index 9e40690c1a..316cb19409 100644
--- a/board/cr50/usb_spi.c
+++ b/board/cr50/usb_spi.c
@@ -68,6 +68,16 @@ static uint8_t new_gang_mode;
 static void spi_hash_inactive_timeout(void);
 DECLARE_DEFERRED(spi_hash_inactive_timeout);
 
+/*
+ * Set to true when AP RO verification shortcut is enabled. Helps to prevent
+ * concurrent USB SPI operations over CCD.
+ */
+static bool shortcut_active_;
+bool usb_spi_shortcut_active(void)
+{
+	return shortcut_active_;
+}
+
 /*****************************************************************************/
 /*
  * Mutex and variable for tracking whether the SPI bus is used by the USB
@@ -200,6 +210,12 @@ static void enable_spi_pinmux(void)
 		gpio_get_level(GPIO_AP_FLASH_SELECT) ? "AP" : "EC");
 
 	spi_enable(CONFIG_SPI_FLASH_PORT, 1);
+
+	/*
+	 * Need to provide enough time for the SPI bus to stabilize
+	 * (b/154966209).
+	 */
+	msleep(2);
 }
 
 /**
@@ -469,6 +485,39 @@ static void spi_hash_pp_done(void)
 		(spi_hash_device == USB_SPI_AP ? "AP" : "EC"));
 }
 
+void enable_ap_spi_hash_shortcut(void)
+{
+	/*
+	 * This is a big hammer, invoked when the Chrome OS device is
+	 * processing the EC reset. Even if SPI bus was in use when the
+	 * operator triggered the AP RO hash verification it should be
+	 * released and re-acquired now.
+	 */
+	enum spi_bus_user_t curr_user;
+
+	shortcut_active_ = true;
+
+	curr_user = get_spi_bus_user();
+	if (curr_user != SPI_BUS_USER_NONE)
+		set_spi_bus_user(curr_user, 0);
+
+	/*
+	 * Simulate successful completion of physical presence detection
+	 * required to allow the AP flash hash check. This function is invoked
+	 * when the operator entered the appropriate sequence on the device
+	 * keyboard, so physical presence is already established.
+	 */
+	new_device = USB_SPI_AP;
+	spi_hash_pp_done();
+}
+
+void disable_ap_spi_hash_shortcut(void)
+{
+	spi_hash_disable();
+
+	shortcut_active_ = false;
+}
+
 /* Process vendor subcommand dealing with Physical presence polling. */
 static enum vendor_cmd_rc spihash_pp_poll(void *buf,
 					  size_t input_size,