1 files changed, 468 insertions, 0 deletions
diff --git a/chip/stm32/flash-stm32h7.c b/chip/stm32/flash-stm32h7.c
new file mode 100644
index 0000000000..d697faf4dd
--- /dev/null
+++ b/chip/stm32/flash-stm32h7.c
@@ -0,0 +1,468 @@
+/* Copyright 2018 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+/* Flash memory module for STM32H7 family */
+
+#include "common.h"
+#include "clock.h"
+#include "flash.h"
+#include "hooks.h"
+#include "registers.h"
+#include "panic.h"
+#include "system.h"
+#include "task.h"
+#include "timer.h"
+#include "util.h"
+#include "watchdog.h"
+
+/*
+ * Approximate number of CPU cycles per iteration of the loop when polling
+ * the flash status
+ */
+#define CYCLE_PER_FLASH_LOOP 2
+
+/* Flash 256-bit word programming timeout. */
+#define FLASH_TIMEOUT_US 600
+
+/*
+ * Flash 128-KB block erase timeout.
+ * Datasheet says maximum is about 4 seconds in x8.
+ * Real delay seems to be: < 1 second in x64, < 2 seconds in x8.
+ */
+#define FLASH_ERASE_TIMEOUT_US (4200 * MSEC)
+
+/*
+ * Option bytes programming timeout.
+ * No specification, real delay seems to be around 300ms.
+ */
+#define FLASH_OPT_PRG_TIMEOUT_US (1000 * MSEC)
+
+/*
+ * All variants have 2 banks (as in parallel hardware / controllers)
+ * not what is called 'bank' in the common code (ie Write-Protect sectors)
+ * both have the same number of 128KB blocks.
+ */
+#define HWBANK_SIZE  (CONFIG_FLASH_SIZE / 2)
+#define BLOCKS_PER_HWBANK (HWBANK_SIZE / CONFIG_FLASH_ERASE_SIZE)
+#define BLOCKS_HWBANK_MASK ((1 << BLOCKS_PER_HWBANK) - 1)
+
+/*
+ * We can tune the power consumption vs erase/write speed
+ * by default, go fast (and consume current)
+ */
+#define DEFAULT_PSIZE FLASH_CR_PSIZE_DWORD
+
+/* Can no longer write/erase flash until next reboot */
+static int access_disabled;
+/* Can no longer modify write-protection in option bytes until next reboot */
+static int option_disabled;
+/* Is physical flash stuck protected? (avoid reboot loop) */
+static int stuck_locked;
+
+static inline int calculate_flash_timeout(void)
+{
+	return (FLASH_TIMEOUT_US *
+		(clock_get_freq() / SECOND) / CYCLE_PER_FLASH_LOOP);
+}
+
+static int unlock(int bank)
+{
+	/* unlock CR only if needed */
+	if (STM32_FLASH_CR(bank) & FLASH_CR_LOCK) {
+		/*
+		 * We may have already locked the flash module and get a bus
+		 * fault in the attempt to unlock. Need to disable bus fault
+		 * handler now.
+		 */
+		ignore_bus_fault(1);
+
+		STM32_FLASH_KEYR(bank) = FLASH_KEYR_KEY1;
+		STM32_FLASH_KEYR(bank) = FLASH_KEYR_KEY2;
+		ignore_bus_fault(0);
+	}
+
+	return (STM32_FLASH_CR(bank) & FLASH_CR_LOCK) ? EC_ERROR_UNKNOWN
+						      : EC_SUCCESS;
+}
+
+static void lock(int bank)
+{
+	STM32_FLASH_CR(bank) |= FLASH_CR_LOCK;
+}
+
+static int unlock_optb(void)
+{
+	if (option_disabled)
+		return EC_ERROR_ACCESS_DENIED;
+
+	if (unlock(0))
+		return EC_ERROR_UNKNOWN;
+
+	/*
+	 * Always use bank 0 flash controller as there is only one option bytes
+	 * set for both banks.
+	 */
+	if (STM32_FLASH_OPTCR(0) & FLASH_OPTCR_OPTLOCK) {
+		/*
+		 * We may have already locked the flash module and get a bus
+		 * fault in the attempt to unlock. Need to disable bus fault
+		 * handler now.
+		 */
+		ignore_bus_fault(1);
+
+		STM32_FLASH_OPTKEYR(0) = FLASH_OPTKEYR_KEY1;
+		STM32_FLASH_OPTKEYR(0) = FLASH_OPTKEYR_KEY2;
+		ignore_bus_fault(0);
+	}
+
+	return STM32_FLASH_OPTCR(0) & FLASH_OPTCR_OPTLOCK ? EC_ERROR_UNKNOWN
+							  : EC_SUCCESS;
+}
+
+static int commit_optb(void)
+{
+	/* might use this before timer_init, cannot use get_time/usleep */
+	int timeout = (FLASH_OPT_PRG_TIMEOUT_US *
+		(clock_get_freq() / SECOND) / CYCLE_PER_FLASH_LOOP);
+
+	STM32_FLASH_OPTCR(0) |= FLASH_OPTCR_OPTSTART;
+
+	while (STM32_FLASH_OPTSR_CUR(0) & FLASH_OPTSR_BUSY && timeout-- > 0)
+		;
+
+	STM32_FLASH_OPTCR(0) |= FLASH_OPTCR_OPTLOCK;
+	lock(0);
+
+	return (timeout > 0) ? EC_SUCCESS : EC_ERROR_TIMEOUT;
+}
+
+static void protect_blocks(uint32_t blocks)
+{
+	if (unlock_optb())
+		return;
+	STM32_FLASH_WPSN_PRG(0) |= blocks & BLOCKS_HWBANK_MASK;
+	STM32_FLASH_WPSN_PRG(1) |= (blocks >> BLOCKS_PER_HWBANK)
+				& BLOCKS_HWBANK_MASK;
+	commit_optb();
+}
+
+/* use the option bytes RSS1 bit as 'Write Protect enabled' flag. */
+static int is_wp_enabled(void)
+{
+	return !!(STM32_FLASH_OPTSR_CUR(0) & FLASH_OPTSR_RSS1);
+}
+
+static int set_wp(int enabled)
+{
+	int rv;
+
+	rv = unlock_optb();
+	if (rv)
+		return rv;
+	if (enabled)
+		STM32_FLASH_OPTSR_PRG(0) |= FLASH_OPTSR_RSS1;
+	else
+		STM32_FLASH_OPTSR_PRG(0) &= ~FLASH_OPTSR_RSS1;
+
+	return commit_optb();
+}
+
+/*****************************************************************************/
+/* Physical layer APIs */
+
+int flash_physical_write(int offset, int size, const char *data)
+{
+	int res = EC_SUCCESS;
+	int bank = offset / HWBANK_SIZE;
+	uint32_t *address = (void *)(CONFIG_PROGRAM_MEMORY_BASE + offset);
+	int timeout = calculate_flash_timeout();
+	int i;
+	int unaligned = (uint32_t)data & (CONFIG_FLASH_WRITE_SIZE - 1);
+	uint32_t *data32 = (void *)data;
+
+	if (access_disabled)
+		return EC_ERROR_ACCESS_DENIED;
+
+	/* work on a single hardware bank at a time */
+	if ((offset + size) / HWBANK_SIZE != bank)
+		return EC_ERROR_INVAL;
+
+	if (unlock(bank) != EC_SUCCESS)
+		return EC_ERROR_UNKNOWN;
+
+	/* Clear previous error status */
+	STM32_FLASH_CCR(bank) = FLASH_CCR_ERR_MASK;
+
+	/* select write parallelism */
+	STM32_FLASH_CR(bank) = (STM32_FLASH_CR(bank) & ~FLASH_CR_PSIZE_MASK)
+			| DEFAULT_PSIZE;
+
+	/* set PG bit */
+	STM32_FLASH_CR(bank) |= FLASH_CR_PG;
+
+	for (; size > 0; size -= CONFIG_FLASH_WRITE_SIZE) {
+		/*
+		 * Reload the watchdog timer to avoid watchdog reset when doing
+		 * long writing.
+		 */
+		watchdog_reload();
+
+		/* write a 256-bit flash word */
+		if (unaligned) {
+			for (i = 0; i < CONFIG_FLASH_WRITE_SIZE / 4; i++,
+								     data += 4)
+				*address++ = (uint32_t)data[0] | (data[1] << 8)
+					   | (data[2] << 16) | (data[3] << 24);
+		} else {
+			for (i = 0; i < CONFIG_FLASH_WRITE_SIZE / 4; i++)
+				*address++ = *data32++;
+		}
+
+		/* Wait for writes to complete */
+		for (i = 0; (STM32_FLASH_SR(bank) &
+		     (FLASH_SR_WBNE | FLASH_SR_QW)) && (i < timeout); i++)
+			;
+
+		if (STM32_FLASH_SR(bank) & (FLASH_SR_WBNE | FLASH_SR_QW)) {
+			res = EC_ERROR_TIMEOUT;
+			goto exit_wr;
+		}
+
+		if (STM32_FLASH_SR(bank) & FLASH_CCR_ERR_MASK) {
+			res = EC_ERROR_UNKNOWN;
+			goto exit_wr;
+		}
+	}
+
+exit_wr:
+	/* Disable PG bit */
+	STM32_FLASH_CR(bank) &= ~FLASH_CR_PG;
+
+	lock(bank);
+
+	return res;
+}
+
+int flash_physical_erase(int offset, int size)
+{
+	int res = EC_SUCCESS;
+	int bank = offset / HWBANK_SIZE;
+	int last = (offset + size) / CONFIG_FLASH_ERASE_SIZE;
+	int sect;
+
+	if (access_disabled)
+		return EC_ERROR_ACCESS_DENIED;
+
+	/* work on a single hardware bank at a time */
+	if ((offset + size) / HWBANK_SIZE != bank)
+		return EC_ERROR_INVAL;
+
+	if (unlock(bank) != EC_SUCCESS)
+		return EC_ERROR_UNKNOWN;
+
+	/* Clear previous error status */
+	STM32_FLASH_CCR(bank) = FLASH_CCR_ERR_MASK;
+
+	/* select erase parallelism */
+	STM32_FLASH_CR(bank) = (STM32_FLASH_CR(bank) & ~FLASH_CR_PSIZE_MASK)
+			| DEFAULT_PSIZE;
+
+	for (sect = offset / CONFIG_FLASH_ERASE_SIZE; sect < last; sect++) {
+		timestamp_t deadline;
+
+		/* select page to erase and PER bit */
+		STM32_FLASH_CR(bank) = (STM32_FLASH_CR(bank)
+					& ~FLASH_CR_SNB_MASK)
+				| FLASH_CR_SER | FLASH_CR_SNB(sect);
+
+		/* set STRT bit : start erase */
+		STM32_FLASH_CR(bank) |= FLASH_CR_STRT;
+
+		/*
+		 * Reload the watchdog timer to avoid watchdog reset during a
+		 * long erase operation.
+		 */
+		watchdog_reload();
+
+		deadline.val = get_time().val + FLASH_ERASE_TIMEOUT_US;
+		/* Wait for erase to complete */
+		while ((STM32_FLASH_SR(bank) & FLASH_SR_BUSY) &&
+		       (get_time().val < deadline.val)) {
+			usleep(5000);
+		}
+		if (STM32_FLASH_SR(bank) & FLASH_SR_BUSY) {
+			res = EC_ERROR_TIMEOUT;
+			goto exit_er;
+		}
+
+		/*
+		 * Check for error conditions - erase failed, voltage error,
+		 * protection error
+		 */
+		if (STM32_FLASH_SR(bank) & FLASH_CCR_ERR_MASK) {
+			res = EC_ERROR_UNKNOWN;
+			goto exit_er;
+		}
+	}
+
+exit_er:
+	/* reset SER bit */
+	STM32_FLASH_CR(bank) &= ~(FLASH_CR_SER | FLASH_CR_SNB_MASK);
+
+	lock(bank);
+
+	return res;
+}
+
+int flash_physical_get_protect(int block)
+{
+	int bank = block / BLOCKS_PER_HWBANK;
+	int index = block % BLOCKS_PER_HWBANK;
+
+	return !(STM32_FLASH_WPSN_CUR(bank) & (1 << index));
+}
+
+/*
+ * Note: This does not need to update _NOW flags, as flash_get_protect
+ * in common code already does so.
+ */
+uint32_t flash_physical_get_protect_flags(void)
+{
+	uint32_t flags = 0;
+
+	if (access_disabled)
+		flags |= EC_FLASH_PROTECT_ALL_NOW;
+
+	if (is_wp_enabled())
+		flags |= EC_FLASH_PROTECT_RO_AT_BOOT;
+
+	/* Check if blocks were stuck locked at pre-init */
+	if (stuck_locked)
+		flags |= EC_FLASH_PROTECT_ERROR_STUCK;
+
+	return flags;
+}
+
+#define WP_RANGE(start, count) (((1 << (count)) - 1) << (start))
+#define RO_WP_RANGE WP_RANGE(WP_BANK_OFFSET, WP_BANK_COUNT)
+
+int flash_physical_protect_now(int all)
+{
+	protect_blocks(RO_WP_RANGE);
+
+	/*
+	 * Lock the option bytes or the full access by writing a wrong
+	 * key to FLASH_*KEYR. This triggers a bus fault, so we need to
+	 * disable bus fault handler while doing this.
+	 *
+	 * This incorrect key fault causes the flash to become
+	 * permanently locked until reset, a correct keyring write
+	 * will not unlock it.
+	 */
+	ignore_bus_fault(1);
+
+	if (all) {
+		/* cannot do any write/erase access until next reboot */
+		STM32_FLASH_KEYR(0) = 0xffffffff;
+		STM32_FLASH_KEYR(1) = 0xffffffff;
+		access_disabled = 1;
+	}
+	/* cannot modify the WP bits in the option bytes until reboot */
+	STM32_FLASH_OPTKEYR(0) = 0xffffffff;
+	option_disabled = 1;
+	ignore_bus_fault(0);
+
+	return EC_SUCCESS;
+}
+
+int flash_physical_protect_at_boot(uint32_t new_flags)
+{
+	int new_wp_enable = !!(new_flags & EC_FLASH_PROTECT_RO_AT_BOOT);
+
+	if (is_wp_enabled() != new_wp_enable)
+		return set_wp(new_wp_enable);
+
+	return EC_SUCCESS;
+}
+
+uint32_t flash_physical_get_valid_flags(void)
+{
+	return EC_FLASH_PROTECT_RO_AT_BOOT |
+	       EC_FLASH_PROTECT_RO_NOW |
+	       EC_FLASH_PROTECT_ALL_NOW;
+}
+
+uint32_t flash_physical_get_writable_flags(uint32_t cur_flags)
+{
+	uint32_t ret = 0;
+
+	/* If RO protection isn't enabled, its at-boot state can be changed. */
+	if (!(cur_flags & EC_FLASH_PROTECT_RO_NOW))
+		ret |= EC_FLASH_PROTECT_RO_AT_BOOT;
+
+	/*
+	 * If entire flash isn't protected at this boot, it can be enabled if
+	 * the WP GPIO is asserted.
+	 */
+	if (!(cur_flags & EC_FLASH_PROTECT_ALL_NOW) &&
+	    (cur_flags & EC_FLASH_PROTECT_GPIO_ASSERTED))
+		ret |= EC_FLASH_PROTECT_ALL_NOW;
+
+	return ret;
+}
+
+int flash_pre_init(void)
+{
+	uint32_t reset_flags = system_get_reset_flags();
+	uint32_t prot_flags = flash_get_protect();
+	uint32_t unwanted_prot_flags = EC_FLASH_PROTECT_ALL_NOW |
+		EC_FLASH_PROTECT_ERROR_INCONSISTENT;
+
+	/*
+	 * If we have already jumped between images, an earlier image could
+	 * have applied write protection. Nothing additional needs to be done.
+	 */
+	if (reset_flags & RESET_FLAG_SYSJUMP)
+		return EC_SUCCESS;
+
+	if (prot_flags & EC_FLASH_PROTECT_GPIO_ASSERTED) {
+		/*
+		 * Write protect is asserted.  If we want RO flash protected,
+		 * protect it now.
+		 */
+		if ((prot_flags & EC_FLASH_PROTECT_RO_AT_BOOT) &&
+		    !(prot_flags & EC_FLASH_PROTECT_RO_NOW)) {
+			int rv = flash_set_protect(EC_FLASH_PROTECT_RO_NOW,
+						   EC_FLASH_PROTECT_RO_NOW);
+			if (rv)
+				return rv;
+
+			/* Re-read flags */
+			prot_flags = flash_get_protect();
+		}
+	} else {
+		/* Don't want RO flash protected */
+		unwanted_prot_flags |= EC_FLASH_PROTECT_RO_NOW;
+	}
+
+	/* If there are no unwanted flags, done */
+	if (!(prot_flags & unwanted_prot_flags))
+		return EC_SUCCESS;
+
+	/*
+	 * If the last reboot was a power-on reset, it should have cleared
+	 * write-protect.  If it didn't, then the flash write protect registers
+	 * have been permanently committed and we can't fix that.
+	 */
+	if (reset_flags & RESET_FLAG_POWER_ON) {
+		stuck_locked = 1;
+		return EC_ERROR_ACCESS_DENIED;
+	}
+
+	/* Otherwise, do a hard boot to clear the flash protection registers */
+	system_reset(SYSTEM_RESET_HARD | SYSTEM_RESET_PRESERVE_FLAGS);
+
+	/* That doesn't return, so if we're still here that's an error */
+	return EC_ERROR_UNKNOWN;
+}