6 files changed, 34 insertions, 1 deletions
diff --git a/board/samus/board.h b/board/samus/board.h
index 05bb3c6961..dc70ca9b34 100644
--- a/board/samus/board.h
+++ b/board/samus/board.h
@@ -60,6 +60,7 @@
 #define CONFIG_HIBERNATE_DELAY_SEC (3600 * 24 * 7)
 #define CONFIG_HIBERNATE_BATT_PCT 10
 #define CONFIG_HIBERNATE_BATT_SEC (3600 * 24)
+#define CONFIG_HOSTCMD_PD_PANIC
 #define CONFIG_PECI_TJMAX 105
 #define CONFIG_PWM
 #define CONFIG_PWM_KBLIGHT
diff --git a/board/samus_pd/board.c b/board/samus_pd/board.c
index 942a0092cd..e25693599c 100644
--- a/board/samus_pd/board.c
+++ b/board/samus_pd/board.c
@@ -471,6 +471,12 @@ static void board_init(void)
 	/* Initialize active charge port to none */
 	pd_status.active_charge_port = CHARGE_PORT_NONE;
 
+	/* Set PD MCU system status bits */
+	if (system_jumped_to_this_image())
+		pd_status.status |= PD_STATUS_JUMPED_TO_IMAGE;
+	if (system_get_image_copy() == SYSTEM_IMAGE_RW)
+		pd_status.status |= PD_STATUS_IN_RW;
+
 	/*
 	 * Do not enable PD communication in RO as a security measure.
 	 * We don't want to allow communication to outside world until
diff --git a/common/host_command_pd.c b/common/host_command_pd.c
index ca315c574f..140c71ea4e 100644
--- a/common/host_command_pd.c
+++ b/common/host_command_pd.c
@@ -10,6 +10,8 @@
 #include "console.h"
 #include "host_command.h"
 #include "lightbar.h"
+#include "panic.h"
+#include "system.h"
 #include "task.h"
 #include "timer.h"
 #include "util.h"
@@ -43,6 +45,9 @@ static void pd_exchange_status(void)
 	struct ec_params_pd_status ec_status;
 	struct ec_response_pd_status pd_status;
 	int rv = 0;
+#ifdef CONFIG_HOSTCMD_PD_PANIC
+	static int pd_in_rw;
+#endif
 
 	/* Send PD charge state and battery state of charge */
 	ec_status.charge_state = charge_state;
@@ -66,6 +71,21 @@ static void pd_exchange_status(void)
 		return;
 	}
 
+#ifdef CONFIG_HOSTCMD_PD_PANIC
+	/*
+	 * Check if PD MCU is in RW. If PD MCU was in RW and is now in RO
+	 * AND it did not sysjump to RO, then it must have crashed, and
+	 * therefore we should panic as well.
+	 */
+	if (pd_status.status & PD_STATUS_IN_RW) {
+		pd_in_rw = 1;
+	} else if (pd_in_rw &&
+		   !(pd_status.status & PD_STATUS_JUMPED_TO_IMAGE)) {
+		panic_printf("PD crash");
+		software_panic(PANIC_SW_PD_CRASH, 0);
+	}
+#endif
+
 #ifdef HAS_TASK_LIGHTBAR
 	/*
 	 * If charge port has changed, and it was initialized, then show
diff --git a/include/config.h b/include/config.h
index 5f30ba31f3..5ea6e7e4f7 100644
--- a/include/config.h
+++ b/include/config.h
@@ -708,6 +708,9 @@
 #define CONFIG_HOSTCMD_RATE_LIMITING_MIN_REST (3   * MSEC)
 #define CONFIG_HOSTCMD_RATE_LIMITING_RECESS   (20  * MSEC)
 
+/* Panic when status of PD MCU reflects that it has crashed */
+#undef CONFIG_HOSTCMD_PD_PANIC
+
 /*****************************************************************************/
 
 /* Enable debugging and profiling statistics for hook functions */
diff --git a/include/ec_commands.h b/include/ec_commands.h
index edf9f4fa6b..df16a557e9 100644
--- a/include/ec_commands.h
+++ b/include/ec_commands.h
@@ -2694,7 +2694,9 @@ struct ec_params_pd_status {
 } __packed;
 
 /* Status of PD being sent back to EC */
-#define PD_STATUS_HOST_EVENT (1 << 0)
+#define PD_STATUS_HOST_EVENT      (1 << 0) /* Forward host event to AP */
+#define PD_STATUS_IN_RW           (1 << 1) /* Running RW image */
+#define PD_STATUS_JUMPED_TO_IMAGE (1 << 2) /* Current image was jumped to */
 struct ec_response_pd_status {
 	uint32_t status;      /* PD MCU status */
 	uint32_t curr_lim_ma; /* input current limit */
diff --git a/include/software_panic.h b/include/software_panic.h
index 9dc6d5a394..15070f95ed 100644
--- a/include/software_panic.h
+++ b/include/software_panic.h
@@ -17,6 +17,7 @@
 /* Software panic reasons */
 #define PANIC_SW_DIV_ZERO		(PANIC_SW_BASE + 0)
 #define PANIC_SW_STACK_OVERFLOW		(PANIC_SW_BASE + 1)
+#define PANIC_SW_PD_CRASH		(PANIC_SW_BASE + 2)
 #define PANIC_SW_ASSERT			(PANIC_SW_BASE + 3)
 #define PANIC_SW_WATCHDOG		(PANIC_SW_BASE + 4)