authorNicolas Boichat <drinkcat@chromium.org>2018-09-12 14:39:39 -0700
committerchrome-bot <chrome-bot@chromium.org>2018-09-22 08:30:10 -0700
commitc98ea9a60abaa3bf3a4ca96e0c047e7512e6ec2f (patch)
tree00efc49c62da19b5f1f1f590ee239fb9d6b72855 /include
parent078ec24008684e855dc3d62b41623bfbbec893dc (diff)
stm32h7/nocturne_fp: Enable RDP level 1, tie it to flash protection status
Prevent flash readout, using RDP field in option byte. When RDP is defined, it makes no sense to be able to unlock RO, as that'd allow flashing arbitrary RO that could read back the rest of the flash, so we just tie EC_FLASH_PROTECT_RO_AT_BOOT and RDP protection. This also means we can't unlock the flash after it has been finalized (without removing WP and using BOOT0/stm32mon to mass erase the chip). Also, in flash_mp_mcu, call stm32mon with -U, to unlock flash for read-back first (which disables RDP and triggers a mass erase if RDP was enabled). Finally, load spidev before releasing reset, which makes reflashing more reliable. BRANCH=nocturne BUG=b:111330723 TEST=cp flash_mp_mcu read_mp_mcu, replace stm32mon line with: "stm32mon -u -p -s ${SPIDEV} -r rb.bin" dut-control fw_wp_state:force_off => Check that read_mp_mcu works dut-control fw_wp_state:force_on ectool --name=cros_fp flashprotect enable ectool --name=cros_fp reboot_ec => RDP is now on dut-control fw_wp_state:force_off => Check that read_mp_mcu does not work anymore TEST=Add -U to stm32mon line above in read_mp_mcu, check that readback only gets blank data. TEST=In EC console, check that RDP bits are indeed not 0xaa: Before: rw 0x5200201c => 0x07d6aaf0 After: rw 0x5200201c => 0x07d600f0 TEST=flash_mp_mcu still works (does a flash erase that removes RDP protection) Change-Id: Ifbe37ecafbf23f48d4a3cc17933130b7b104b728 Signed-off-by: Nicolas Boichat <drinkcat@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1222094 Commit-Ready: Nicolas Norvez <norvez@chromium.org> Tested-by: Nicolas Norvez <norvez@chromium.org> Reviewed-by: Nicolas Norvez <norvez@chromium.org>
Diffstat (limited to 'include')
-rw-r--r--include/config.h32
1 files changed, 32 insertions, 0 deletions
diff --git a/include/config.h b/include/config.h
index 0d1fa01bc5..7ac08ad6b1 100644
--- a/include/config.h
+++ b/include/config.h
@@ -1452,6 +1452,23 @@
#undef CONFIG_FLASH_READOUT_PROTECTION
/*
+ * Use Read-out protection status as PSTATE, i.e. after RDP is enabled, we never
+ * allow RO protection to be disabled.
+ *
+ * This is used when we want to prevent read-back of some critical region (e.g.
+ * rollback), even in DFU/BOOT0 mode.
+ *
+ * Note that this significantly changes the behaviour or flash protection,
+ * as this tie EC_FLASH_PROTECT_RO_AT_BOOT with RDP status: it makes no
+ * sense to be able to unlock RO protection if RDP is enabled, as a custom RO
+ * could allow protected regions readback.
+ *
+ * TODO(crbug.com/888109): Implementation is currently only available on
+ * STM32H7, and requires more documentation.
+ */
+#undef CONFIG_FLASH_READOUT_PROTECTION_AS_PSTATE
+
+/*
* For flash that is segemented in different regions.
*/
#undef CONFIG_FLASH_MULTIPLE_REGION
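Review bot: The comment added above `CONFIG_FLASH_READOUT_PROTECTION_AS_PSTATE` does not say that enabling the option is effectively one-way, which is the first thing a board owner needs to know before turning it on. The commit description states that a finalized flash can only be unlocked by removing WP and mass-erasing through BOOT0/stm32mon, so I would add a line such as `* Once RDP is set, RO protection can only be removed by a mass erase (WP removed, BOOT0/stm32mon).` to the comment. Two wording slips in the same comment are worth fixing at the same time: `behaviour or flash protection` should read `behaviour of flash protection`, and `as this tie` should read `as this ties`.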
@@ -4036,5 +4053,20 @@
#ifdef CONFIG_MAG_BMI160_BMM150
#define CONFIG_BMI160_SEC_I2C
#endif
+
+/*
+ * TODO(crbug.com/888109): Makes sure RDP as PSTATE is only enabled where it
+ * makes sense.
+ */
+#ifdef CONFIG_FLASH_READOUT_PROTECTION_AS_PSTATE
+#ifdef CONFIG_FLASH_PSTATE
+#error "Flash readout protection and PSTATE may not work as intended."
+#endif
+
+#ifndef CHIP_FAMILY_STM32H7
+#error "Flash readout protection only implemented on STM32H7."
+#endif
+#endif /* CONFIG_FLASH_READOUT_PROTECTION_AS_PSTATE */
+
#endif /* __CROS_EC_CONFIG_H */
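Review bot: Both `#error` strings in the `CONFIG_FLASH_READOUT_PROTECTION_AS_PSTATE` guard say "Flash readout protection" instead of naming the option being checked, and the first says the combination "may not work as intended" although it is a hard build failure. A board that trips either check should see which two settings conflict, e.g. `#error "CONFIG_FLASH_READOUT_PROTECTION_AS_PSTATE cannot be combined with CONFIG_FLASH_PSTATE."` and `#error "CONFIG_FLASH_READOUT_PROTECTION_AS_PSTATE is only implemented on STM32H7."`. The TODO above the guard should read `Make sure` rather than `Makes sure`. Whether the new option also depends on `CONFIG_FLASH_READOUT_PROTECTION` being defined is not visible from this file section; if it does, that requirement belongs in this guard as a third check.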