cr50: Add commands to get/set serial number bits.

Allocates 16 bytes of INFO1 space, in the 'board' section, and
after the current Board ID data, to store the serial number
data for use by zero-touch enrollment.

Adds a console command to read / set this data.

Adds TPM vendor commands to set initial sn data, and update it
during RMA.

CQ-DEPEND=CL:*657450
BUG=b:111195266
TEST=tested locally on soraka
BRANCH=none

Change-Id: I752aefad9654742b7719156202f29d635d2306df
Signed-off-by: Louis Collard <louiscollard@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1127574
Reviewed-by: Andrey Pronin <apronin@chromium.org>

7 files changed, 377 insertions, 27 deletions

diff --git a/chip/g/board_id.c b/chip/g/board_id.c
index 569540eb62..1c74184103 100644
--- a/chip/g/board_id.c
+++ b/chip/g/board_id.c
@@ -70,8 +70,8 @@ int read_board_id(struct board_id *id)
 	id_p = (uint32_t *)id;
 
 	/* Make sure INFO1 board ID space is readable */
-	if (flash_info_read_enable(INFO_BOARD_SPACE_OFFSET,
-				   INFO_BOARD_SPACE_PROTECT_SIZE) !=
+	if (flash_info_read_enable(INFO_BOARD_ID_OFFSET,
+				   INFO_BOARD_ID_PROTECT_SIZE) !=
 	    EC_SUCCESS) {
 		CPRINTS("%s: failed to enable read access to info", __func__);
 		return EC_ERROR_ACCESS_DENIED;
@@ -81,9 +81,7 @@ int read_board_id(struct board_id *id)
 		int rv;
 
 		rv = flash_physical_info_read_word
-			(INFO_BOARD_SPACE_OFFSET +
-			 offsetof(struct info1_board_space, bid) + i,
-			 id_p);
+			(INFO_BOARD_ID_OFFSET + i, id_p);
 		if (rv != EC_SUCCESS) {
 			CPRINTF("%s: failed to read word %d, error %d\n",
 				__func__, i, rv);
@@ -154,15 +152,15 @@ static int write_board_id(const struct board_id *id)
 	}
 
 	/* Enable write access */
-	if (flash_info_write_enable(INFO_BOARD_SPACE_OFFSET,
-				    INFO_BOARD_SPACE_PROTECT_SIZE) !=
+	if (flash_info_write_enable(INFO_BOARD_ID_OFFSET,
+				    INFO_BOARD_ID_PROTECT_SIZE) !=
 	    EC_SUCCESS) {
 		CPRINTS("%s: failed to enable write access", __func__);
 		return EC_ERROR_ACCESS_DENIED;
 	}
 
 	/* Write Board ID */
-	rv = flash_info_physical_write(INFO_BOARD_SPACE_OFFSET +
+	rv = flash_info_physical_write(INFO_BOARD_ID_OFFSET +
 			 offsetof(struct info1_board_space, bid),
 				       sizeof(*id), (const char *)id);
 	if (rv != EC_SUCCESS)
diff --git a/chip/g/board_id.h b/chip/g/board_id.h
index dda2302c14..5fc8af46ba 100644
--- a/chip/g/board_id.h
+++ b/chip/g/board_id.h
@@ -7,25 +7,11 @@
 #ifndef __EC_CHIP_G_BOARD_ID_H
 #define __EC_CHIP_G_BOARD_ID_H
 
+#include "board_space.h"
 #include "common.h"
 #include "signed_header.h"
 #include "util.h"
 
-/* Structure holding Board ID */
-struct board_id {
-	uint32_t type;		/* Board type */
-	uint32_t type_inv;	/* Board type (inverted) */
-	uint32_t flags;		/* Flags */
-};
-
-/* Info1 Board space contents. */
-struct info1_board_space {
-	struct board_id bid;
-};
-
-#define INFO_BOARD_ID_SIZE		sizeof(struct board_id)
-#define INFO_BOARD_SPACE_PROTECT_SIZE	16
-
 /**
  * Check the current header vs. the supplied Board ID
  *
@@ -61,8 +47,4 @@ const struct SignedHeader *get_current_image_header(void);
  */
 uint32_t board_id_mismatch(const struct SignedHeader *h);
 
-BUILD_ASSERT((offsetof(struct info1_board_space, bid) & 3) == 0);
-BUILD_ASSERT((INFO_BOARD_ID_SIZE & 3) == 0);
-BUILD_ASSERT(sizeof(struct info1_board_space) <= INFO_BOARD_SPACE_PROTECT_SIZE);
-
 #endif  /* ! __EC_CHIP_G_BOARD_ID_H */
diff --git a/chip/g/board_space.h b/chip/g/board_space.h
new file mode 100644
index 0000000000..90b6c02287
--- /dev/null
+++ b/chip/g/board_space.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright 2018 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#ifndef __EC_CHIP_G_BOARD_SPACE_H
+#define __EC_CHIP_G_BOARD_SPACE_H
+
+#include "compile_time_macros.h"
+#include "flash_info.h"
+#include "stdint.h"
+
+/*
+ * Structures for data stored in the board space of INFO1.
+ */
+
+/* Structure holding Board ID */
+struct board_id {
+	uint32_t type;		/* Board type */
+	uint32_t type_inv;	/* Board type (inverted) */
+	uint32_t flags;		/* Flags */
+};
+
+/* Structure holding serial number data */
+struct sn_data {
+	uint8_t version;
+	uint8_t reserved[2];
+	uint8_t rma_status;
+	uint32_t sn_hash[3];
+};
+
+/* Current sn_data format version */
+#define SN_DATA_VERSION	0x0f
+/* Size of header elements (everything apart from sn_hash) */
+#define SN_HEADER_SIZE	offsetof(struct sn_data, sn_hash)
+/* Number of bits reserved for RMA counter */
+#define RMA_COUNT_BITS	7
+/* Value used to indicate device has been RMA'd */
+#define RMA_INDICATOR	((uint8_t) ~(1 << RMA_COUNT_BITS))
+
+/* Info1 Board space contents. */
+struct info1_board_space {
+	struct board_id bid;
+	/* Pad so that board_id occupies it's full 'protect' size */
+	uint8_t bid_padding[4];
+	struct sn_data sn;
+};
+
+#define INFO_BOARD_ID_SIZE		sizeof(struct board_id)
+#define INFO_BOARD_ID_OFFSET		(INFO_BOARD_SPACE_OFFSET + \
+					 offsetof(struct info1_board_space, \
+						  bid))
+
+#define INFO_SN_DATA_SIZE		 sizeof(struct sn_data)
+#define INFO_SN_DATA_OFFSET		 (INFO_BOARD_SPACE_OFFSET + \
+					  offsetof(struct info1_board_space, \
+						   sn))
+
+/*
+ * Write protection for the INFO1 space allows windows with sizes that are
+ * powers of 2 to be protected. Given the different write restrictions on
+ * the different spaces listed above, we keep them in separate windows.
+ * This implies that each space must occupy a space that has a size which
+ * is a power of two.
+ */
+#define INFO_BOARD_ID_PROTECT_SIZE	16
+#define INFO_SN_DATA_PROTECT_SIZE	16
+
+BUILD_ASSERT((INFO_BOARD_ID_SIZE & 3) == 0);
+BUILD_ASSERT((INFO_BOARD_ID_OFFSET & 3) == 0);
+BUILD_ASSERT(INFO_BOARD_ID_SIZE <= INFO_BOARD_ID_PROTECT_SIZE);
+
+BUILD_ASSERT((INFO_SN_DATA_SIZE & 3) == 0);
+BUILD_ASSERT((INFO_SN_DATA_OFFSET & 3) == 0);
+BUILD_ASSERT(INFO_SN_DATA_SIZE <= INFO_SN_DATA_PROTECT_SIZE);
+
+#endif  /* ! __EC_CHIP_G_BOARD_SPACE_H */
diff --git a/chip/g/build.mk b/chip/g/build.mk
index 8c8a27d822..77f8ea4a00 100644
--- a/chip/g/build.mk
+++ b/chip/g/build.mk
@@ -20,6 +20,7 @@ endif
 # Required chip modules
 chip-y = clock.o gpio.o hwtimer.o pre_init.o system.o
 chip-$(CONFIG_BOARD_ID_SUPPORT) += board_id.o
+chip-$(CONFIG_SN_BITS_SUPPORT) += sn_bits.o
 ifeq ($(CONFIG_POLLING_UART),y)
 chip-y += polling_uart.o
 else
diff --git a/chip/g/signed_header.h b/chip/g/signed_header.h
index c59909b958..3ee4085a14 100644
--- a/chip/g/signed_header.h
+++ b/chip/g/signed_header.h
@@ -6,6 +6,7 @@
 #define __CROS_EC_SIGNED_HEADER_H
 
 #include "compile_time_macros.h"
+#include "stdint.h"
 
 #define FUSE_PADDING 0x55555555  /* baked in hw! */
 #define FUSE_IGNORE 0xa3badaac   /* baked in rom! */
diff --git a/chip/g/sn_bits.c b/chip/g/sn_bits.c
new file mode 100644
index 0000000000..2e12db832f
--- /dev/null
+++ b/chip/g/sn_bits.c
@@ -0,0 +1,269 @@
+/* Copyright 2018 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "board_space.h"
+#include "console.h"
+#include "extension.h"
+#include "flash_info.h"
+#include "util.h"
+#include "wp.h"
+
+#define CPRINTS(format, args...) cprints(CC_SYSTEM, format, ## args)
+#define CPRINTF(format, args...) cprintf(CC_SYSTEM, format, ## args)
+
+int read_sn_data(struct sn_data *sn)
+{
+	uint32_t *id_p;
+	int i;
+
+	/*
+	 * SN Bits structure size is guaranteed to be divisible by 4, and it
+	 * is guaranteed to be aligned at 4 bytes.
+	 */
+
+	id_p = (uint32_t *)sn;
+
+	/* Make sure INFO1 sn bits space is readable */
+	if (flash_info_read_enable(INFO_SN_DATA_OFFSET,
+				   INFO_SN_DATA_PROTECT_SIZE) !=
+	    EC_SUCCESS) {
+		CPRINTS("%s: failed to enable read access to info", __func__);
+		return EC_ERROR_ACCESS_DENIED;
+	}
+
+	for (i = 0; i < sizeof(*sn); i += sizeof(uint32_t)) {
+		int rv;
+
+		rv = flash_physical_info_read_word
+			(INFO_SN_DATA_OFFSET + i, id_p);
+		if (rv != EC_SUCCESS) {
+			CPRINTF("%s: failed to read word %d, error %d\n",
+				__func__, i, rv);
+			return rv;
+		}
+		id_p++;
+	}
+	return EC_SUCCESS;
+}
+
+static int write_sn_data(struct sn_data *sn_data, int header_only)
+{
+	int rv = EC_SUCCESS;
+
+	/* Enable write access */
+	if (flash_info_write_enable(INFO_SN_DATA_OFFSET,
+				    INFO_SN_DATA_PROTECT_SIZE) !=
+	    EC_SUCCESS) {
+		CPRINTS("%s: failed to enable write access", __func__);
+		return EC_ERROR_ACCESS_DENIED;
+	}
+
+	/* Write sn bits */
+	rv = flash_info_physical_write(INFO_SN_DATA_OFFSET,
+				       header_only ?
+				       SN_HEADER_SIZE : sizeof(*sn_data),
+				       (const char *)sn_data);
+	if (rv != EC_SUCCESS)
+		CPRINTS("%s: write failed", __func__);
+
+	/* Disable write access */
+	flash_info_write_disable();
+
+	return rv;
+}
+/**
+ * Initialize SN data space in flash INFO1, and write sn hash. This can only
+ * be called once per device; subsequent calls on a device that has already
+ * had the sn hash written will fail.
+ *
+ * @param id	Pointer to a SN  structure to copy into INFO1
+ *
+ * @return EC_SUCCESS or an error code in cases of various failures to read or
+ *		if the space has been already initialized.
+ */
+static int write_sn_hash(const uint32_t sn_hash[3])
+{
+	int rv = EC_ERROR_PARAM_COUNT;
+	int i;
+	struct sn_data sn_data;
+
+	rv = read_sn_data(&sn_data);
+	if (rv != EC_SUCCESS)
+		return rv;
+
+	/* Check the sn data space is currently uninitialized */
+	for (i = 0; i < (sizeof(sn_data) / sizeof(uint32_t)); i++)
+		if (((uint32_t *) &sn_data)[i] != 0xffffffff)
+			return EC_ERROR_INVALID_CONFIG;
+
+	sn_data.version = SN_DATA_VERSION;
+	memcpy(sn_data.sn_hash, sn_hash, sizeof(sn_data.sn_hash));
+
+	rv = write_sn_data(&sn_data, 0);
+
+	return rv;
+}
+
+static int increment_rma_count(uint8_t inc)
+{
+	int rv = EC_ERROR_PARAM_COUNT;
+	struct sn_data sn_data;
+
+	rv = read_sn_data(&sn_data);
+	if (rv != EC_SUCCESS)
+		return rv;
+
+	/* Make sure we know how to update this data */
+	if (sn_data.version != SN_DATA_VERSION)
+		return EC_ERROR_INVALID_CONFIG;
+
+	/* Don't allow incrementing more than the number of bits */
+	if (inc > RMA_COUNT_BITS)
+		return EC_ERROR_INVAL;
+
+	/*
+	 * The RMA status is initially set to 0xff. We set bit 7
+	 * to 0 to indicate the device has been RMA'd at least once,
+	 * and use the remaining bits as a count of how many times
+	 * the device has been RMA'd. The number of 0s represents
+	 * the number of RMAs. As there are only 7 bits available
+	 * for the count, a value of 0x00 means the device has
+	 * been RMA'd at least 7 times (but we do not know how many).
+	 *
+	 * We allow incrementing by 0 or n (rather than 0 or 1) so
+	 * that a device in any state can be put into the RMA'd with
+	 * unknown count (0x00) state with a single call to this
+	 * function.
+	 */
+	sn_data.rma_status <<= inc;
+	sn_data.rma_status &= RMA_INDICATOR;
+
+	rv = write_sn_data(&sn_data, 1);
+
+	return rv;
+}
+
+static enum vendor_cmd_rc vc_sn_set_hash(enum vendor_cmd_cc code,
+					 void *buf,
+					 size_t input_size,
+					 size_t *response_size)
+{
+	uint32_t sn_hash[3];
+	uint8_t *pbuf = buf;
+
+	*response_size = 1;
+
+	if (input_size != sizeof(sn_hash)) {
+		*pbuf = VENDOR_RC_BOGUS_ARGS;
+		return VENDOR_RC_BOGUS_ARGS;
+	}
+
+	memcpy(&sn_hash, pbuf, sizeof(sn_hash));
+
+	/* We care about the LSB only. */
+	*pbuf = (uint8_t) write_sn_hash(sn_hash);
+
+	return *pbuf;
+}
+DECLARE_VENDOR_COMMAND(VENDOR_CC_SN_SET_HASH, vc_sn_set_hash);
+
+static enum vendor_cmd_rc vc_sn_inc_rma(enum vendor_cmd_cc code,
+					void *buf,
+					size_t input_size,
+					size_t *response_size)
+{
+	uint8_t *pbuf = buf;
+
+	if (wp_is_asserted())
+		return EC_ERROR_ACCESS_DENIED;
+
+	*response_size = 1;
+
+	if (input_size != sizeof(*pbuf)) {
+		*pbuf = VENDOR_RC_BOGUS_ARGS;
+		return VENDOR_RC_BOGUS_ARGS;
+	}
+
+	/* We care about the LSB only. */
+	*pbuf = (uint8_t) increment_rma_count(*pbuf);
+
+	return *pbuf;
+}
+DECLARE_VENDOR_COMMAND(VENDOR_CC_SN_INC_RMA, vc_sn_inc_rma);
+
+static int command_sn(int argc, char **argv)
+{
+	int rv = EC_ERROR_PARAM_COUNT;
+	struct sn_data sn;
+
+	switch (argc) {
+#ifdef CR50_DEV
+	case 4:
+	{
+		char *e;
+
+		sn.sn_hash[0] = strtoi(argv[1], &e, 0);
+		if (*e)
+			return EC_ERROR_PARAM1;
+
+		sn.sn_hash[1] = strtoi(argv[2], &e, 0);
+		if (*e)
+			return EC_ERROR_PARAM2;
+
+		sn.sn_hash[2] = strtoi(argv[3], &e, 0);
+		if (*e)
+			return EC_ERROR_PARAM3;
+
+		rv = write_sn_hash(sn.sn_hash);
+		if (rv != EC_SUCCESS)
+			return rv;
+
+		goto print_sn_data;
+	}
+	case 3:
+	{
+		int count;
+		char *e;
+
+		if (strcasecmp(argv[1], "rmainc") != 0)
+			return EC_ERROR_PARAM1;
+
+		count = strtoi(argv[2], &e, 0);
+		if (*e || count > 7)
+			return EC_ERROR_PARAM2;
+
+		rv = increment_rma_count(count);
+		if (rv != EC_SUCCESS)
+			return rv;
+	}
+	/* fall through */
+print_sn_data:
+#endif
+	case 1:
+		rv = read_sn_data(&sn);
+		if (rv == EC_SUCCESS)
+			CPRINTF("Version: %02x\n"
+				"RMA: %02x\n"
+				"SN: %08x %08x %08x\n",
+				sn.version, sn.rma_status,
+				sn.sn_hash[0], sn.sn_hash[1], sn.sn_hash[2]);
+
+		break;
+	default:
+		rv = EC_ERROR_PARAM_COUNT;
+	}
+
+	return rv;
+}
+DECLARE_SAFE_CONSOLE_COMMAND(sn,
+			     command_sn, ""
+#ifdef CR50_DEV
+			     "[(sn0 sn1 sn2) | (rmainc n)]"
+#endif
+			     , "Get"
+#ifdef CR50_DEV
+			     "/Set"
+#endif
+			     " Serial Number Data");
diff --git a/chip/g/sn_bits.h b/chip/g/sn_bits.h
new file mode 100644
index 0000000000..547ac1b938
--- /dev/null
+++ b/chip/g/sn_bits.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright 2018 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#ifndef __EC_CHIP_G_SN_BITS_H
+#define __EC_CHIP_G_SN_BITS_H
+
+#include "board_space.h"
+
+/**
+ * Reads the SN data from the flash INFO1 space.
+ *
+ * @param id    Pointer to a sn_data structure to fill
+ *
+ * @return      EC_SUCCESS or an error code in case of failure.
+ */
+int read_sn_data(struct sn_data *sn);
+
+#endif  /* ! __EC_CHIP_G_SN_BITS_H */