diff options
| author | Nicolas Boichat <drinkcat@chromium.org> | 2018-07-16 15:59:44 +0800 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2018-07-25 00:14:49 -0700 |
| commit | a820cb1255c995f0d95a15de0134f6b0cf895c64 (patch) | |
| tree | 243ed715efc338dfd7774f460f226491e0bdaef0 /common/flash.c | |
| parent | 30b2d3917316970182c8ada8ac6d95f8ae631838 (diff) | |
| download | chrome-ec-a820cb1255c995f0d95a15de0134f6b0cf895c64.tar.gz | |
common/flash: Abort rwsig when RW is erased/written to
If RW region is being erased/written to, make sure RO does not
automatically jump to RW after the timeout: RO would normally
verify RW, then wait for 1 second before jumping to RW, to
allow host to issue host commands in the mean time. The problem
is that some of these host commands may modify the RW, which
would essentially bypass the signature check.
This was not important on hammer, as STM32F0 does not support
EC_FLASH_PROTECT_ALL_NOW, and would force another reboot after
an update to lock the flash again, and verification would run
again.
Other STM32 variants are able to immediately lock the flash, so
no reboot is required, and there is therefore a risk that the EC
would jump to an RW image that is not signed.
BRANCH=none
BUG=b:111190988
TEST=./ectool --name=cros_fp reboot_ec
Then, quickly (while EC still in RO)
./ectool --name=cros_fp flasherase 0x120000 131072
Succeeds, and EC does not jump to RW.
TEST=Increment rollback number in RW (CONFIG_ROLLBACK_VERSION), see
that update works, and rollbackinfo shows updated version.
Change-Id: Iaf8e1802cf5c67cafbfda575d7202e00068c6f9b
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1139952
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Diffstat (limited to 'common/flash.c')
| -rw-r--r-- | common/flash.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/common/flash.c b/common/flash.c index 6e7d8dba6b..f98bf95a1e 100644 --- a/common/flash.c +++ b/common/flash.c @@ -12,6 +12,7 @@ #include "hooks.h" #include "host_command.h" #include "otp.h" +#include "rwsig.h" #include "shared_mem.h" #include "system.h" #include "util.h" @@ -505,6 +506,20 @@ static void flash_abort_or_invalidate_hash(int offset, int size) /* If EC executes in place, we need to invalidate the cached hash. */ vboot_hash_invalidate(offset, size); #endif + +#ifdef HAS_TASK_RWSIG + /* + * If RW flash has been written to, make sure we do not automatically + * jump to RW after the timeout. + */ + if ((offset >= CONFIG_RW_MEM_OFF && + offset < (CONFIG_RW_MEM_OFF + CONFIG_RW_SIZE)) || + ((offset + size) > CONFIG_RW_MEM_OFF && + (offset + size) <= (CONFIG_RW_MEM_OFF + CONFIG_RW_SIZE)) || + (offset < CONFIG_RW_MEM_OFF && + (offset + size) > (CONFIG_RW_MEM_OFF + CONFIG_RW_SIZE))) + rwsig_abort(); +#endif } int flash_write(int offset, int size, const char *data) |