authorVadim Bendebury <vbendeb@chromium.org>2021-10-15 15:17:01 -0700
committerCommit Bot <commit-bot@chromium.org>2021-10-25 21:16:19 +0000
commit4b9ea3ee28cefa233221d711c027eb192b9550f9 (patch)
treeb166e785a286d97d46a66e610f03928ca7f0e387 /chip
parent5a705e76a4e7a3568159bd4459c562f9d6508f5b (diff)
downloadchrome-ec-4b9ea3ee28cefa233221d711c027eb192b9550f9.tar.gz
ap_ro_verification: do not fail if verification is not supportedstabilize-14312.B-cr50_stab
The decision of when to refuse to boot the device needs to be refined. We should never allow booting a device which ever passed a V2 verification. To reliably keep track of successful V2 validations in the past let's allocate a word in the INFO space which is write only, once written to 0 it will never change, value of 0 will be the indication of previous V2 verification success. The below table describes when booting should be allowed or blocked. Cache GSCVD Verification | version present Info result | Block boot --------- --------- ------ --------------|------------------ none no 0 n/a | yes none no 1 n/a | no none yes n/a fail | yes none yes n/a pass | no, update cache, info v1 n/a n/a pass | no v1 n/a n/a fail | check v2 v2 n/a n/a fail | yes v2 yes n/a pass | no This patch implements the above table, fixing the case where Cr50 was refusing to boot if neither local cache nor AP flash structures were present. BUG=b:203212461, b:141191727 TEST=tried running AP RO verification on a device without local cache and RO_GSCVD not in AP flash. The device booted successfully. Verified that both V1 and V2 validation works as expected, and fallback from V1 to V2 happens if V1 fails and RO_GSCVD is found in AP flash. Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Change-Id: I1f64123a3631932d142662a76deaf6ef6fee47fa Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3229981 Reviewed-by: Andrey Pronin <apronin@chromium.org>
Diffstat (limited to 'chip')
-rw-r--r--chip/g/board_space.h23
1 files changed, 16 insertions, 7 deletions
diff --git a/chip/g/board_space.h b/chip/g/board_space.h
index 68e67e78ec..2081f0dda8 100644
--- a/chip/g/board_space.h
+++ b/chip/g/board_space.h
@@ -46,6 +46,11 @@ struct info1_board_space {
/* Pad so that board_id occupies it's full 'protect' size */
uint8_t bid_padding[4];
struct sn_data sn;
+ /*
+ * Unless this field is set to zero, AP RO verification does not have
+ * to be enforced.
+ */
+ uint32_t aprv_not_needed;
};
/*
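Review bot: The comment on `aprv_not_needed` does not say what the unwritten state of the word is, or that it acts as a one-way latch, although the commit description makes the boot decision depend on both. As written, any non-zero value means enforcement is off, so an erased word (presumably all ones on this flash, to be confirmed) and a partially programmed word are both read as "not needed". I would extend the comment along the lines of `Erased (non-zero) means no V2 verification has ever passed; written to zero on the first V2 success and never restored.` and state whether readers should accept only the erased pattern as "not needed". The struct definition starts above this hunk.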
@@ -67,15 +72,16 @@ struct info1_layout {
};
BUILD_ASSERT(sizeof(struct info1_layout) == FLASH_INFO_SIZE);
+#define INFO_SPACE_OFFSET(field) (INFO_BOARD_SPACE_OFFSET + \
+ offsetof(struct info1_board_space, field))
#define INFO_BOARD_ID_SIZE sizeof(struct board_id)
-#define INFO_BOARD_ID_OFFSET (INFO_BOARD_SPACE_OFFSET + \
- offsetof(struct info1_board_space, \
- bid))
+#define INFO_BOARD_ID_OFFSET INFO_SPACE_OFFSET(bid)
-#define INFO_SN_DATA_SIZE sizeof(struct sn_data)
-#define INFO_SN_DATA_OFFSET (INFO_BOARD_SPACE_OFFSET + \
- offsetof(struct info1_board_space, \
- sn))
+#define INFO_SN_DATA_SIZE sizeof(struct sn_data)
+#define INFO_SN_DATA_OFFSET INFO_SPACE_OFFSET(sn)
+
+#define INFO_APRV_DATA_SIZE sizeof(uint32_t)
+#define INFO_APRV_DATA_OFFSET INFO_SPACE_OFFSET(aprv_not_needed)
/*
* Write protection for the INFO1 space allows windows with sizes that are
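Review bot: `INFO_APRV_DATA_SIZE` is hard-coded as `sizeof(uint32_t)` rather than derived from the field, so it goes stale silently if the type of `aprv_not_needed` ever changes. The board-ID and SN sizes avoid this by taking `sizeof` of their struct types. Consider `#define INFO_APRV_DATA_SIZE sizeof(((struct info1_board_space *)0)->aprv_not_needed)`. The new `INFO_SPACE_OFFSET(field)` helper would also read better with a one-line comment saying that `field` must name a member of `struct info1_board_space`.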
@@ -95,4 +101,7 @@ BUILD_ASSERT((INFO_SN_DATA_SIZE & 3) == 0);
BUILD_ASSERT((INFO_SN_DATA_OFFSET & 3) == 0);
BUILD_ASSERT(INFO_SN_DATA_SIZE <= INFO_SN_DATA_PROTECT_SIZE);
+BUILD_ASSERT((INFO_APRV_DATA_SIZE & 3) == 0);
+BUILD_ASSERT((INFO_APRV_DATA_OFFSET & 3) == 0);
+
#endif /* ! __EC_CHIP_G_BOARD_SPACE_H */
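Review bot: The two added asserts check only the alignment of the APRV word's size and offset; the SN data just above also has `BUILD_ASSERT(INFO_SN_DATA_SIZE <= INFO_SN_DATA_PROTECT_SIZE)`, and nothing equivalent is added here. Because this word records that a V2 verification once passed, it matters whether it sits inside an INFO1 write-protection window, and that cannot be determined from this hunk. If it is meant to be covered, a protect-size constant with a matching assert in the style of the SN one would pin that down at build time. If it is deliberately left uncovered, a short comment next to these asserts should say why.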