Implement persistent flash write protect settings

This uses the last bank of flash to hold persistent settings, and
looks at the write protect GPIO to decide whether to protect the chip
at boot (chrome-os-partner:7453).

For ease of debugging, I've temporarily hacked this so flash uses the
RECOVERYn signal (dut-control goog_rec_mode:on) to enable WP instead
of the write protect signal; this works around chrome-os-partner:8580.

Also note that if you write protect any blocks even temporarily,
you'll need to do a power-on reset to clear them before you can
reprogram the flash.  See chrome-os-partner:8632.  At the EC console,
"hibernate 1" will do that, or you can just yank the power.

This also fixes a bug in the flash write and erase commands, where
they weren't properly detecting failure if you attempted to modify a
protected block (missed an interrupt reason...)

New "flashwp" console commands work.  LPC commands need reworking.

Signed-off-by: Randall Spangler <rspangler@chromium.org>

BUG=chrome-os-partner:8448
TEST=manual

Change-Id: I49c38cc25c793094ae3331a4586fda0761b4bac6

1 files changed, 112 insertions, 51 deletions

diff --git a/include/flash.h b/include/flash.h
index 551068b2a9..9b0a60a5e2 100644
--- a/include/flash.h
+++ b/include/flash.h
@@ -11,12 +11,37 @@
 #include "common.h"
 
 
-#define FLASH_WRITE_BYTES      4
-#define FLASH_FWB_WORDS       32
-#define FLASH_FWB_BYTES (FLASH_FWB_WORDS * 4)
-#define FLASH_ERASE_BYTES   1024
-#define FLASH_PROTECT_BYTES 2048
+/*****************************************************************************/
+/* Low-level methods, for use by flash_common. */
 
+/* Return the write / erase / protect block size, in bytes.  Operations must be
+ * aligned to and multiples of the granularity.  For example, erase operations
+ * must have offset and size which are multiples of the erase block size. */
+int flash_get_write_block_size(void);
+int flash_get_erase_block_size(void);
+int flash_get_protect_block_size(void);
+
+/* Return the physical size of flash in bytes */
+int flash_physical_size(void);
+
+/* Read <size> bytes of data from offset <offset> into <data>. */
+int flash_physical_read(int offset, int size, char *data);
+
+/* Write <size> bytes of data to flash at byte offset <offset>.
+ * <data> must be 32-bit aligned. */
+int flash_physical_write(int offset, int size, const char *data);
+
+/* Erase <size> bytes of flash at byte offset <offset>. */
+int flash_physical_erase(int offset, int size);
+
+/* Return non-zero if block is protected until reboot. */
+int flash_physical_get_protect(int block);
+
+/* Protects the block until reboot. */
+void flash_physical_set_protect(int block);
+
+/*****************************************************************************/
+/* High-level interface for use by other modules. */
 
 /* Initializes the module. */
 int flash_pre_init(void);
@@ -25,14 +50,6 @@ int flash_pre_init(void);
  * smaller than the actual flash size, */
 int flash_get_size(void);
 
-/* Returns the write / erase / protect block size, in bytes.
- * Operations must be aligned to and multiples of the granularity.
- * For example, erase operations must have offset and size which are
- * multiples of the erase block size. */
-int flash_get_write_block_size(void);
-int flash_get_erase_block_size(void);
-int flash_get_protect_block_size(void);
-
 /* Reads <size> bytes of data from offset <offset> into <data>. */
 int flash_read(int offset, int size, char *data);
 
@@ -43,46 +60,90 @@ int flash_write(int offset, int size, const char *data);
 /* Erases <size> bytes of flash at byte offset <offset>. */
 int flash_erase(int offset, int size);
 
-/* TODO: not super happy about the following APIs yet.
+/* Flash protection APIs
  *
- * The theory of operation is that we'll use the last page of flash to
- * hold the write protect range, and the flag for whether the last
- * page itself should be protected.  Then when flash_init() is called,
- * it checks if the write protect pin is asserted, and if so, it
- * writes (but does not commit) the flash protection registers.
+ * Flash can be protected on a per-block basis at any point by calling
+ * flash_protect_until_reboot().  Once a block is protected, it will stay
+ * protected until reboot.  This function may be called at any time, regardless
+ * of the persistent flash protection state, and protection will be applied
+ * immediately.
  *
- * This simulates what a SPI flash does, where the status register
- * holds the write protect range, and a bit which protects the status
- * register itself.  The bit is only obeyed if the write protect pin
- * is enabled.
+ * Flash may also be protected in a persistent fashion by calling
+ * flash_set_protect().  This sets a persistent flag for each block which is
+ * checked at boot time and applied if the hardware write protect pin is
+ * enabled.
  *
- * It's an imperfect simulation, because in a SPI flash, as soon as
- * you deassert the pin you can alter the status register, where here
- * it'll take a cold boot to clear protection.  Also, here protection
- * gets written to the registers as soon as you set the write protect
- * lock, which is different than SPI, where it's effective as soon as
- * you set the write protect range. */
-
-/* Gets or sets the write protect range in bytes.  This setting is
- * stored in flash, and persists across reboots.  If size is non-zero,
- * the write protect range is also locked, and may not be subsequently
- * altered until after a cold boot with the write protect pin
- * deasserted. */
-int flash_get_write_protect_range(uint32_t *offset, uint32_t *size);
-int flash_set_write_protect_range(uint32_t offset, uint32_t size);
-
-/* The write protect range has been stored into the chip registers
- * this boot.  The flash is write protected and the range cannot be
- * changed without rebooting. */
-#define EC_FLASH_WP_RANGE_LOCKED         0x01
-/* The write protect pin was asserted at init time. */
-#define EC_FLASH_WP_PIN_ASSERTED_AT_INIT 0x02
-/* The write protect pin is asserted now. */
-#define EC_FLASH_WP_PIN_ASSERTED_NOW     0x04
-
-/* Returns the current write protect status; see EC_FLASH_WP_*
- * for valid flags. */
-int flash_get_write_protect_status(void);
-
+ * The flash persistent protection settings are themselves protected by a lock,
+ * which can be set via flash_lock_protect().  Once the protection settings are
+ * locked:
+ *
+ *   (1) They will be immediately applied (as if flash_protect_until_reboot()
+ *   had been called).
+ *
+ *   (2) The persistent settings cannot be changed.  That is, subsequent calls
+ *   to flash_set_protect() and flash_lock_protect() will fail.
+ *
+ * The lock can be bypassed by cold-booting the system with the hardware write
+ * protect pin deasserted.  In this case, the persistent settings and lock
+ * state may be changed until flash_lock_protect(non-zero) is called, or until
+ * the system is rebooted with the write protect pin asserted - at which point,
+ * protection is re-applied. */
+
+/* Write-protect <size> bytes of flash at byte offset <offset> until next
+ * reboot. */
+int flash_protect_until_reboot(int offset, int size);
+
+/* Higher-level APIs to emulate SPI write protect */
+
+/* Set (enable=1) or clear (enable=0) the persistent write protect setting for
+ * the specified range.  This will only succeed if write protect is unlocked.
+ * This will take effect on the next boot, or when flash_lock_protect(1) is
+ * called. */
+int flash_set_protect(int offset, int size, int enable);
+
+/* Lock or unlock the persistent write protect settings.  Once the write
+ * protect settings are locked, they will STAY locked until the system is
+ * cold-booted with the hardware write protect pin disabled.
+ *
+ * If called with lock!=0, this will also immediately protect all
+ * persistently-protected blocks. */
+int flash_lock_protect(int lock);
+
+/* Flags for flash_get_protect() and flash_get_protect_array(). */
+/* Protected persistently.  Note that if the write protect pin was deasserted
+ * at boot time, a block may have the FLASH_PROTECT_PERSISTENT flag indicating
+ * the block would be protected on a normal boot, but may not have the
+ * FLASH_PROTECT_UNTIL_REBOOT flag indicating it's actually protected right
+ * now. */
+#define FLASH_PROTECT_PERSISTENT   0x01
+/* Protected until reboot.  This will be set for persistently-protected blocks
+ * as soon as the flash module protects them, and for non-persistent protection
+ * after flash_protect_until_reboot() is called on a block. */
+#define FLASH_PROTECT_UNTIL_REBOOT 0x02
+
+/* Return a copy of the current write protect state.  This is an array of
+ * per-protect-block flags.  The data is valid until the next call to a flash
+ * function. */
+const uint8_t *flash_get_protect_array(void);
+
+/* Return the lowest amount of protection for any flash block in the specified
+ * range.  That is, if any byte in the range is not protected until reboot,
+ * FLASH_PROTECT_UNTIL_REBOOT will not be set. */
+int flash_get_protect(int offset, int size);
+
+/* Flags for flash_get_protect_lock() */
+/* Flash protection lock has been set.  Note that if the write protect pin was
+ * deasserted at boot time, this simply indicates the state of the lock
+ * setting, and not whether blocks are actually protected. */
+#define FLASH_PROTECT_LOCK_SET     0x01
+/* Flash protection lock has actually been applied.  All blocks with
+   FLASH_PROTECT_PERSISTENT have been protected, and flash protection cannot be
+   unlocked. */
+#define FLASH_PROTECT_LOCK_APPLIED 0x02
+/* Write protect pin is currently asserted */
+#define FLASH_PROTECT_PIN_ASSERTED 0x04
+
+/* Return the flash protect lock status. */
+int flash_get_protect_lock(void);
 
 #endif  /* __CROS_EC_FLASH_H */