| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to make printf more standard, use %ph. Pass a pointer to
a struct describing the buffer, including its size. Add a convenience
macro so that conversion between the old style and new style is purely
mechanical. The old style of %h cannot be converted directly to %ph as-is
because the C standard doesn't allow flags, precision, or field width on
%p.
Ultimately the goal is to enable compile-time printf format checking.
This gets us one step closer to that.
BUG=chromium:984041
TEST=make -j buildall
BRANCH=None
Cq-Depend:chrome-internal:1559798,chrome-internal:1560598
Change-Id: I9c0ca124a048314c9b62d64bd55b36be55034e0e
Signed-off-by: Evan Green <evgreen@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1730605
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CPRINTS already prints a new line, no need to add another one.
Spotted during boot on kukui, and then realized there are many
more instances:
""
[3.689239 Module 7 is not supported for clock disable
]
""
BRANCH=none
BUG=none
TEST=make buildall -j
TEST=`git grep CPRINTS | grep "\\\\n\""` shows nothing of
interest.
Change-Id: I4d2bbbc65a91fa56c6e6115aa5c353bfd2b384a1
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1660519
Tested-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cr50 may enter deep sleep while wiping the TPM. This change adds a sleep
delay before opening ccd.
BUG=b:130646257
BRANCH=cr50
TEST=manual
dut-control cold_reset:on
run ccd open
make sure ccd is open even after entering deep sleep
Change-Id: Id44b608702b664621bd2441f62a03ba6428135cf
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1585606
Reviewed-by: Namyoon Woo <namyoon@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Right now if 'ccd open' from the console fails, it pretty much always
fails with "nopwd". This error is pretty meaningless, because you can't
even set the password until you open ccd. This change suggests removing
the battery or sending the open command from the AP in dev mode if ccd
open fails. This error should help people remember their device needs to
be in dev mode and open needs to be sent from the AP.
BUG=b:73170050
BRANCH=cr50
TEST=try 'ccd open' from the console. Verify the error message is
changed.
Change-Id: I32ca72ed00e03e62d73942961137591dc69bc8fa
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1572156
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Namyoon Woo <namyoon@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We were clearing the tpm in two different ways. There was one
implementation in factory_mode.c and one in wp.c. This change merges the
two, so there's only one board_wipe_tpm.
While modifying the wipe tpm code from factory_mode.c I noticed the
factory_enable_failed stuff is maybe a bit more complicated than
necessary. I opened a bug for cleaning that up(b/129956462). It wont be
addressed in this change.
BUG=none
BRANCH=none
TEST=Run the processes that wipe the tpm
open ccd.
enable factory mode from vendor command.
run rma open process
Change-Id: Ia76df19f7d9e4f308f3f1a7175f130f1ef7249a2
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1535156
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch eliminates unnecessary legacy nvmem.c and nvmem_vars.c code
and brings the code base to the state where the new NVMEM layout is
fully functional.
BRANCH=cr50, cr50-mp
BUG=b:69907320, b:129710256
CQ-DEPEND=CL:1450278
TEST=the following tests pass:
- test cases in ./test/nvmem.c
- TCG suite (passes on par with the existing Cr50 code with the
reduced code footprint TPM2 library)
- Chrome OS device migrates from legacy to new implementation with
user account maintained.
- Chrome OS user account is maintained over AP and H1 reboots and
deep sleep cycles.
Change-Id: If4bc2dd125873a79dbe0e268eb32100a8b8b352d
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1496607
Reviewed-by: Andrey Pronin <apronin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use BATT_PRES_L to determine if factory mode can be enabled. We need
to be able to control this for cr50 testing. Add a command that can be
used to override battery presence. This change also adds a ccd
capability to control access to this command. If this capability is
enabled, someone can easily use console commands and AP commands to
enable factory mode, so it should be controlled separately from WP and
GscFullConsole.
BUG=b:126197850
BRANCH=cr50
TEST=override battery presence using bpforce. Make sure the state lasts
through reboot, deep sleep, and power-on reset. When bp is forced
disabled you can do ccd open without physical presence and you can
enable factory mode.
Change-Id: I026a537142b6780824192caa2a147c7bdac1545c
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1505213
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Keith Short <keithshort@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During the first factory boot flow, the CCD flags are not read
correctly. In this boot path, the ccd_config_loaded flag is not set
until after the first calls to HOOK_CCD_CHANGE.
Changed ccd_load_config() to always call HOOK_CCD_CHANGE after setting
ccd_config_loaded flag.
Changed ccd_save_config() so that it doesn't call HOOK_CCD_CHANGE if the
ccd_config_loaded flag is not set.
BUG=b:126971514
BRANCH=cr50
TEST=Erase the board ID, peform rollback to 0.0.22, and then upgrade to
4.14 firmware. On Wilco, confirmed that
GPIO_FACTORY_MODE(GPIO_I2C_SCL_INA) is driven high during first factory
boot flow.
Change-Id: Ib6764085d2911abe330c7e580fd6b31bbfe6f89d
Signed-off-by: Keith Short <keithshort@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1496679
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drives OEM specific GPIOs to enable and disable factory mode to a closed
source EC.
BUG=b:118683718
BRANCH=none
TEST=make buildall. Verified GPIO states with scope in both factory mode
enable and disable conditions. Verified GPIO states are reapplied
correctly after reboot, deep sleep, and power cycle.
Change-Id: I9bc547504478fded5f95c515027e1da0f245d524
Signed-off-by: Keith Short <keithshort@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1358733
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CR50 provides whether CCD capabilities are default or not. Factory
process can utilize this value instead of CCD cap bitmap information.
Users can use either 'gsctool -I' or CR50 console command 'ccd'.
BRANCH=cr50_tools
BUG=b:117200472
TEST=manually set and clear the password using gsctool -a -F and
check the result of gsctool -I.
Change-Id: Ic6be2ce880476c3a73150fe0e29007dd6a7e328f
Signed-off-by: Namyoon Woo <namyoon@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1272190
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Defined "Number of bits in CCD cap expression", "Bitmask for a
CCD cap expression", and "Number of CCD cap expressions in a
Byte," and replaced constant uses with macros in CR50 and gsctool
codes.
No binary size changes in either CR50 or gsctool.
BRANCH=cr50_ccd
BUG=none
TEST=manually tested with gsctool -I and CR50 console command 'ccd'.
Signed-off-by: Namyoon Woo <namyoon@chromium.org>
Change-Id: If91305090444395b6a938f920f4e47e2acbba886
Reviewed-on: https://chromium-review.googlesource.com/1274007
Commit-Ready: Namyoon Woo <namyoon@chromium.org>
Tested-by: Namyoon Woo <namyoon@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Once RMA open is processed and CCD state is updated, the AP still
might require to perform some operations, even if TPM is not available
any more.
With this patch enable_ccd_factory_mode() does not trigger device
reset, if invoked by the RMA open handler.
Another modification is that WP is disabled immediately when factory
mode is enabled, there is no need to reset the H1 for WP status to
change.
BRANCH=cr50, cr50-mp
BUG=b:115495431
TEST=verified that running 'gsctool -a -r <authcode>' sets to 'Y' all
CCD properties, disables write protection, but does not reboot
the device.
Change-Id: I834a9e4b5ebbe4aaaf1caafad9c82424087d01f7
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1250037
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a capability for opening cr50 without dev mode and a capability for
opening cr50 from the console. This will make it so cr50 can easily be
opened from the console after RMA open.
BUG=b:113266255,b:113267161
BRANCH=cr50
TEST=verify OpenFromConsole and OpenW/ODevMode are set to IfOpened with
CCD_OPEN_PREPVT isn't defined and set to Always when it is defined. Make
sure they are set to Always after factory mode is enabled.
Change-Id: Ic149b4163ee9a3ce5e0c051dc42634a31a4a0a7e
Signed-off-by: Mary Ruthven <mruthven@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1191386
Tested-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Queue: Mary Ruthven <mruthven@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On prePVT images we wan't to allow ccd open from the console without dev
mode enabled. This change adds a config option limiting ccd open.
BUG=b:112861587
BRANCH=cr50
TEST=ccd open is still disabled from the console unless the password is
set.
Change-Id: I2adbf9b0e900a693ab513a6bf6650b320b7320d4
Signed-off-by: Mary Ruthven <mruthven@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1188927
Commit-Ready: Mary Ruthven <mruthven@chromium.org>
Tested-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Handling an return value in ccd_command_wrapper has a bug.
It doesn't consider return code has VENDOR_RC_ERR value ORed, and
compare it directly to VENDOR_RC_IN_PROGRESS. As a result, it
treats VENDOR_RC_IN_PROGRESS as an unknown error.
BUG=b:112318448
BRANCH=cr50
TEST=manually on cr50 console.
(dut)
gsctool -a -P Password
[Before fix]
(cr50)
ccd open Password
Starting CCD open...
[2216.059745 PP start long]
Unknown error
Usage: ccd [help | ...]
>
Press the physical button now!
[After fix]
(cr50)
> ccd open Password
Starting CCD open...
[17.577850 PP start long]
>
Press the physical button now!
...
[Testing for error cases]
> ccd lock
CCD locked.
[3331.669830 CCD state: UARTAP UARTEC]
[3331.670883 I2C disconnect]
> ccd open
Wrong number of params
Usage: ccd [help | ...]
> ccd open hello
Access Denied
Usage: ccd [help | ...]
> ccd password hello
Access Denied
Usage: ccd [help | ...]
> ccd unlock
Wrong number of params
Usage: ccd [help | ...]
Change-Id: I56123e5fb8048cc8bea1bb7f6be104d4995fd311
Signed-off-by: Namyoon Woo <namyoon@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1166257
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The factory reset command can be used to enable ccd factory mode. The
command can open ccd if write protect is removed and ccd hasn't been
restricted. Right now we check FWMP and the ccd password before allowing
factory reset. Factory reset cannot be used to get around anything that
disables ccd.
This adds 72 bytes.
BUG=b:77543904
BRANCH=cr50
TEST=Try enabling factory mode using factory reset. Verify setting write
protect, setting the FWMP disable ccd bit, or setting a ccd password
prevents factory reset from enabling factory mode.
Change-Id: I6e203bf6068250f009881aa95c13bc56cb2aa9e7
Signed-off-by: Mary Ruthven <mruthven@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1069369
Commit-Ready: Mary Ruthven <mruthven@chromium.org>
Tested-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We're doing a bit of refactoring to break out factory mode into its own
file. Now factory reset and rma reset will be two methods of entering
factory mode. Factory mode can be disabled with the disable_factory
vendor command.
Factory mode means all ccd capabilities are set to Always and WP is
permanently disabled. When factory mode is disabled, all capabilities
are reset to Default and WP is reset to follow battery presence.
This adds 56 bytes.
BUG=none
BRANCH=cr50
TEST=verify rma reset will enable factory mode.
Change-Id: I21c6f7b4341e3a18e213e438bbd17c67739b85fa
Signed-off-by: Mary Ruthven <mruthven@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1069789
Commit-Ready: Mary Ruthven <mruthven@chromium.org>
Tested-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have determined the checks to run for board_is_first_factory_boot.
This change updates cr50 to check for those conditions and enable ccd
when the system determines that it is first boot in the factory. This
will check that the board id is erased and the inactive image is a GUC
image.
The factory updates Cr50 from the GUC image, because those GUC images
don't have support for everything they need to do in the factory. To
determine that cr50 just recovered from that factory update, it will
check that the GUC image is still in the inactive region and no board id
is set.
There are 2 images installed in GUC 0.0.13 and 0.0.22, so cr50 will
check these versions. Future GUC images will have a field in the header
declaring that they are a GUC image. I still need to create the GUC
field in the header and check that in inactive_image_is_guc_image.
Factory mode can't be enabled on deep sleep resume. It is only enabled
after power-on reset or hard reset.
This change also moves factory stuff into a factory_mode file instead of
keeping it in board.c
This adds 200 bytes.
BUG=b:77543904
BRANCH=cr50
TEST=Verify factory mode is only enabled when cr50 recovered from
reboot not deep sleep resume, 0.0.13 or 0.0.22 are in the inactive
region, and the board id is erased.
Change-Id: Ibece878049658493e8ad159121ada63d7a6f6b79
Signed-off-by: Mary Ruthven <mruthven@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1059864
Commit-Ready: Mary Ruthven <mruthven@chromium.org>
Tested-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow setting password from the AP, but not from USB. Remove the old
password control logic, which is no longer needed.
Allow open if:
- Not explicitly blocked
- Not blocked via FWMP
- One of the following is true:
- A password is set
- Battery is removed (also doesn't require physical presence)
- Dev mode is on, and request came from the AP
Reduces cr50 binary by 152 bytes.
BUG=b:79983505
BRANCH=cr50
TEST=manual, with a CR50_DEV=1 build
ccd oops
ccd lock
ccd unlock -> fails
gsctool -U -> fails from host
gsctool -t -U -> fails from AP
ccd oops
ccd password foo -> fails from console
gsctool -P -> fails from host
gsctool -t -P -> works from AP
ccd get -> confirms password set
ccd lock
ccd unlock foo -> works
ccd lock
gsctool -U -> works from host, if correct password supplied
ccd lock
gsctool -t -U -> works from AP, if correct password supplied
ccd open foo -> works
ccd lock
gsctool -O -> works from host, if correct password supplied
ccd lock
gsctool -t -O -> works from AP, if correct password supplied
ccd oops
ccd lock
(remove battery)
ccd open -> works without physical presence
(reattach battery)
ccd lock
gsctool -O -> works from host
ccd lock
gsctool -t -O -> works from AP, if dev mode is enabled
Change-Id: I364b322d03db250e7dd140767d7a22dbb3ac1eef
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1072957
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is needed so ccd_open() can see p->flags, for a subsequent
change. No change to existing command behavior or binary size.
BUG=b:79983505
BRANCH=cr50
TEST=gsctool -I still works
Change-Id: I614d8c410e8bc55a5045e253469b2ec222078684
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1072500
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, calls to tpm_alt_extension() were treated as if they came
from the AP via the TPM interface, even though they actually
originated from the cr50 console, which is accessible via the USB
interface.
This affects the following console commands:
spi_hash - was already allowed as both a safe console command and via
the USB vendor command interface. No change.
rma_auth - was allowed as a safe console command, but not via the USB
vendor command interface. Now allowed from both. No change in
security, since anyone could already do it via the console.
Unfortunately, getting a challenge fails because commands issued via
the USB vendor command interface have a maximum payload of 32 bytes
and the challenge is bigger than that; that's tracked in b:80098603.
ccd - was already allowed as a safe console command. This directly
called ccd_command_wrapper() for lock, open, and password subcommands.
It made an extra check for password set for the unlock subcommand.
Moved the unlock check to the vendor command handler. Also changed
the order of checks so that FWMP disabling unlock and open supersedes
an existing password; this matches go/ccd-open-simple. (That has no
effect on existing systems, because CCD is disabled at a higher
level.)
Reduces code size by 8 bytes.
BUG=b:79983505
BRANCH=cr50
TEST=manual, on a CR50_DEV=1 build
Compile with DEBUG_EXTENSION defined to print extra debug output
'ccd lock' now shows as coming from USB
'ccd unlock' fails because no password is set
'ccd unlock' and 'ccd open' fail if FWMP disallows unlock
'rma_auth' prints a challenge
'gsctool -t -r' prints a challenge from AP root shell
'gsctool -r 12345678' returns error 6 (incorrect challenge), rather
than error 127 (no such command).
'gsctool -I' works from the host
'gsctool -t -I' still works from AP root shell
Change-Id: I2cd1027f5135b9c336df97ee4b1b1a15354728b4
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1068102
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This will be used as part of the checks for when to allow CCD open.
Add check for firmware space dev mode bit, based on the similar code
which reads the FWMP. Print the state of both bits in 'ccd get'.
BUG=b:79983505
BRANCH=cr50
TEST=With dev mode off, 'ccd get' does not report TPM: dev_mode.
Turn on dev mode via the recovery screen, and it does.
Change-Id: I6af78bb104004323cd377ed996e1db94bc36fc62
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1066391
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is important for the OS to be able to find out the state of CCD and
current capabilities settings of the device.
This patch defines a structure to use to report information about CCD
state from Cr50 to the host and adds a CCD vendor subcommand to allow
to retrieve the information from Cr50.
Some structure and variable definitions had to be moved into the .h
file to make it possible to share them between Cr50 and gsctool.
BRANCH=cr50, cr50-mp
BUG=b:72718383
TEST=with the following patch applied verified that CCD info is
properly reported. Also verified that other CCD subcommands still
work as advertised.
Change-Id: I4a783e6817ed364b9e64522ebbe968d4a657a84c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/999825
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Set GscFullConsole to Always in RMA open. We need this to be accessible
after rma open, so that we can use RMA open as a ccd open testlab
replacement.
Commands like rddkeepalive and bitbang are needed for testlab use, so
they should be accessible after open.
BUG=b:74019846
BRANCH=cr50, cr50-mp
TEST=build, do rma open, verify commands are not locked out, and do rma
disable
Change-Id: Iaeb89cea94d478dc0eb25c92bb09d488d14cad41
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/942309
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows hashing or dumping SPI flash from the Cr50 console even on
a locked device, so you can verify the RO Firmware on a system via CCD.
See design doc: go/verify-ro-firmware
(more specifically, "Cr50 console commands for option 1")
BUG=chromium:804507
BRANCH=cr50 release (after testing)
TEST=manual:
# Sample sequence
spihash ap -> requires physical presence; tap power button
spihash 0 1024 -> gives a hash; compare with first 1KB of image.bin
spihash 0 128 dump -> dumps first 128 bytes; compare with image.bin
spihash 128 128 -> offset works
spihash 0 0x100000 -> gives a hash; doesn't watchdog reset
spihdev ec
spihash 0 1024 -> compare with ec.bin
spihash disable
# Test timeout
spihash ap
# Wait 30 seconds
spihash 0 1024 -> still works
# Wait 60 seconds; goes back disabled automatically
spihash 0 1024 -> fails because spihash is disabled
# Presence not required when CCD opened
ccd open
spihash ap -> no PP required
spihash 0 1024 -> works
spihash disable
# Possible for owner to disable via CCD config
ccd -> HashFlash is "Always"
ccd set HashFlash IfOpened
ccd lock
spihash ap -> access denied
# Cleanup
ccd open
ccd reset
ccd lock
Change-Id: I27b5054730dea6b27fbad1b1c4aa0a650e3b4f99
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/889725
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When RMA procedure is completed WP needs to be enabled back.
BRANCH=cr50, cr50-mp
BUG=b:37952913, b:73075443
TEST=on a Robo device, verified that WP is enabled, took the device
through RMA unlock, verified that WP is disabled, took the device
through RMA disable, verified that WP is enabled again.
Also confirmed that after RMA is disabled WP status follows the
battery.
Change-Id: Iad6af7d16aadcd10d580f709aeb942cf508a8489
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/905926
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Automated code scanner highlighted a few problems in the recent ode
additions. This patch fixes the problems.
BRANCH=cr50
BUG=none
TEST=none
Change-Id: I1f199eb5d2af992384ab04f3010b4b646464a70f
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/897993
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When user is trying to execute 'ccd open' or 'ccd unlock' and password
is set, the return error code does not allow to tell the reason for
the command failure.
Let's add a distinct return code to indicate this condition so that
the user can supply password.
BRANCH=cr50
BUG=b:62537474
TEST=verified along with the accompanying gsctool modifications.
Change-Id: I286f87ab12114cd7dd7ebcdf0e321f7a24723367
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/861208
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When TPM is wiped out on 'ccd open', the TPM reset could be invoked on
the TPM task context, if physical presence verification was not
required, or on the hooks task context, if PP was required.
This patch makes sure that the proper TPM reset is invoked depending
on the context. Also fixing the return value in ccd_command_wrapper(),
because it is expected to be from the ec_error_list enun, and this is
what is returned in the vendor command error response payload.
BRANCH=cr50
BUG=b:62537474
TEST=verified that TPM and device reset happen smoothly in both cases
when 'ccd open' requires and does not require PP.
Change-Id: I1935fc90b386bb8f2158001e153da371fca22d03
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/861206
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When implementing 'ccd open' and 'ccd unlock' through gsctool, we need
to be able to pass to the host the state of the physical presences
state machine regarding the expected user action (pressing the PP
button).
Two new VENDOR_CC_CCD subcommands are being added: CCDV_PP_POLL_OPEN
and CCDV_PP_UNLOCK. In response to these commands, the Cr50 always
returns VENDOR_RC_SUCCESS return code and a single byte payload
showing the CCD and PP state:
- CCDPP_CLOSED - PP process is not running, CCD closed. Maybe user
missed a button press deadline.
- CCDPP_AWAITING_PRESS (self explanatory)
- CCDPP_BETWEEN_PRESSES (self explanatory)
- CCDPP_PP_DONE - CCD is opened/unlocked (as per user request), PP
process succeeded.
BRANCH=cr50
BUG=b:62537474
TEST=with the upcoming change to gsctool verified that PP states are
properly conveyed to the user.
Change-Id: I97b1fef4440eea93c5c5ac01b7c60bfce9a4595c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/861001
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CCD management policies explicitly prohibit running the 'unlock'
command from the Cr50 CLI unless CCD password is set.
This patch enforces the policy.
BRANCH=cr50
BUG=b:62537474
TEST=ran the following commands on the Cr50 console:
> ccd
State: Locked
Password: none
...
> ccd unlock
Cann't unlock without password
Access Denied
Usage: ccd [help | ...]
>
Change-Id: I5a14a54049a233e86e097064ff235e9b7a8bbb86
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/861000
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on device configuration and compile time options, CCD
commands 'open' and 'unlock' could either be executed immediately, or
require the user to take the device through physical presence state
machine.
As these commands execute through TPM vendor commands, there needs to
be a different return value indicating that the command action is not
finished and PP process is in progress.
Let's add another vendor command return value, and do not consider it
a failure if vendor command returns this value in response to 'ccd
open' or 'ccd unlock'.
BRANCH=cr50
BUG=b:62537474
TEST=took an Eve through 'ccd open' sequence
Change-Id: Ie62ccfb4319a13b6fb6c1c854a0ea26beb9f517c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/860999
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We want to be able to tell between cases when a CCD command executed
on the TPM vendor command context was invoked through CLI or received
over /dev/tpm0.
Let's add a flag set for the duration of execution of the CLI command.
BRANCH=cr50
BUG=b:62537474
TEST=none, this is not used yet.
Change-Id: I309b4364285816a5f54522b00c93a4bf5025e2c4
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/860913
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using and extending the existing framework, move ccd commands
'password, lock, open, and unlock to the same processing path.
The first three commands accept a single parameter, password. It is
required for the password command and optional for unlock and open.
The lock command does not require any parameters.
Wiping the TPM, if necessary, now happens on the same context where
CCD command is executed, i.e. the TPM task context. This is why the
same context TPM reset function needs to be exported and used here.
ccd_open() and ccd_unlock() could be further refactored, this would
require a bit more effort to find appropriate balance between
commonalities and differences.
BRANCH=cr50
BUG=b:62537474
TEST=verified that ccd commands to open, unlock, lock and set and
clear password all work.
Change-Id: I2b9f2b550347b590a55bfaef262a4f050d3f4c1c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/854709
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently only 'ccd password' command is processed using TPM vendor
command. More CCD commands are going to be processed the same way.
This patch refactors the code to make it easier to add more
subcommands.
BRANCH=cr50
BUG=b:62537474
TEST=verified that 'ccd password' still works both from crosh and CLI.
Change-Id: Id55da51d6edc5652591ad30160a4102b3026a186
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/854708
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We want CCD commands lock, open, password, and unlock (at least to
start with) to be available over both CLI and through crosh (i.e.
coming over /dev/tpm0).
Let's allocate a TPM vendor command for handling all CCD subcommands,
and move to this new framework the 'ccd password' command, which
already is available over vendor command.
BRANCH=cr50
BUG=b:62537474
TEST=verified that 'ccd password' still works both over Suzy-Q CLI and
using gsctool on the target.
Change-Id: I2d06230b762f47af7e580b188a587bc5678ca169
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/853280
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Setting password should be allowed only after the owner logged in for
the first time and before they log out or someone else logs in.
Once any other user but the owner logs in, it should become impossible
to set password until the device is reset.
As proposed here, this would apply to both attempts to set password
through crosh and Cr50 console.
Password handling on Cr50 passes the following states:
- password setting is not allowed after Cr50 reset until an upstart
(as opposed to resume) TPM startup happens, as signalled by the TPM
callback. After the proper TPM reset the state changes to
'POST_RESET_STATE' which means that the device was just
reset/rebooted (not resumed) and no user logged in yet.
- if the owner logs in in this state, the state changes to
'PASSWORD_ALLOWED_STATE'. The owner can open crosh session and set
the password.
- when the owner logs out or any user but the owner logs in, the state
changes to PASSWORD_NOT_ALLOWED_STATE and does not change until TPM
is reset. This makes sure that password can be set only by the owner
and only before anybody else logged in.
Separate changes to the TPM library code make sure that TPM reset is
reported through the platform layer, so that POST_RESET_STATE is
entered.
BRANCH=cr50
BUG=b:67007578
TEST=with the rest of the infrastructure in place verified that
password can be set only when the owner logged in for the first
time before anybody else logs in or the owner logs out.
Change-Id: Ieaa3dc8ff9d2e43ae11151eb31173220f5c75b58
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/804141
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let's not allow the user to clear or change CCD password without
specifying the old password.
To keep things simple, two changes are being made:
- do not allow setting password if password is already set
- when clearing the password require user to enter
'clear:<password>' instead of just 'clear'
BRANCH=cr50
BUG=b:70029808
TEST=verified that setting password is possible only if there is no
password set currently, and that invoking 'ccd password
clear:<old password>' indeed clears the password.
Change-Id: I3753c2701e224ef89b25ad68c1b47b54eef9cdb1
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/813098
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new vendor command takes the CCD state machine through necessary
transitions leaving it in the CCD locked state.
It succeeds only if user password is not set and CCD capabilities are
right, which is guaranteed to be the case after an RMA unlock.
BRANCH=cr50
BUG=b:68213540
TEST=tested using the modified gsctool utility.
Change-Id: Ic2cce34e74b1ff476841cfa1a99f50d6a947c315
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/784352
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is necessary to be able to set password both from the Cr50 console
and through a vendor command.
This patch moves all password management logic to the TPM task context
using the alternative vendor command path.
BRANCH=cr50
BUG=b:62537474
TEST=verified that using Cr50 console CCD password still can be set
and cleared as before.
Change-Id: I0574caf931e3717567fdb270e406643eac47764b
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/740914
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When RMA process has been initialized and the user entered the
expected authentication code value, the Cr50 needs to wipe out TPM
memory, open and unlock CCD and reboot the device.
This patch adds a function to accomplish that. User response is
validated on the TPM task context, and TPM reset request also requires
TPM task processing. To decouple response processing from the
following reset, the response processing is handled by a hook task
callback, delayed for 1s to make sure that user receives the response.
After TPM has successfully reset the CCD is reinitialized with RMA
'opened' and the device is rebooted.
Just in case something goes wrong with the unlock and the hook is not
invoked, add a 10s deferred function to take the EC out of reset so
that the device still can reboot.
BRANCH=none
BUG=b:67007905
TEST=on a Bob device:
- on the Cr50 console enter 'ccd lock', verify that ccd is locked
(by examining output of the 'ccd' command)
- at the bash prompt enter gsctool -r -s -t, copy the
authentication code from the Cr50 console and pass it to gsctool.
- observe the device reset TPM wiping out its memory, enable CCD
and reboot.
Change-Id: I6fafb5e642cb2b6f2040507a7f1989607fd31316
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/729983
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=none
BRANCH=cr50
TEST=ccd testlab enable/disable works ok
Change-Id: I2414c8b588d7ba78926e7a7aef3459ac7b974d42
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/665991
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Minor cleanup to the 'ccd help' command.
Add 'ccd get' as a clearer alias to print the config.
Change CONFIG_CMD_CCDDISABLE to CONFIG_CMD_CCD_DISABLE to indicate
that it's a sub-command for 'ccd'.
BUG=b:65407395
BRANCH=cr50
TEST=manual
ccd -> see clue for 'ccd help'
ccd help -> see 'get' command
ccd get -> prints config
ccd disable -> error (config option isn't defined by default)
Change-Id: Icbcaa178171ca948cfaae58ab1a1e73ab3d95243
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/654380
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For historical reasons, CCD, reset, and power button control were
scattered around several files. Consolidate the code in more sensible
(in retrospect) places.
No functional changes, just moving code.
BUG=none
BRANCH=cr50
TEST=make buildall; boot cr50
Change-Id: Ic381a5a5d0627753cc771189aa377e88b81b155e
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/653766
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Somewhere this lost a call to ccd_save_config(). Put that back.
Also, make it so 'ccd testlab' prints the current state.
BUG=b:65407184
BRANCH=cr50
TEST=manual with CR50_DEV=1 image
ccd oops
ccd testlab -> disabled
ccd testlab enable
ppresence (or tap power button)
ppresence
ppresence
ccd testlab -> enabled
reboot
ccd testlab -> enabled
ccd lock
ccd -> state=locked
ccd testlab open
ccd -> state=opened
ccd testlab disable
ppresence (or tap power button)
ppresence
ppresence
ccd testlab -> disabled
reboot
ccd testlab -> disabled
ccd testlab open -> acces denied
Change-Id: Iffdd84e8e0df3222b8762638b8a613f146c15f13
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/653765
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, all CCD config commands were their own distinct commands.
This led to accidental side-effects when someone would type 'ccdlock'
thinking it would print the lock state when it would actually lock the
device.
Make them all sub-commands of 'ccd'. So, 'ccd lock', not 'ccdlock'.
Just 'ccd' by itself will print the current config.
No changes to how the sub-commands themselves work.
BUG=b:65407395
BRANCH=cr50
TEST=manual with CR50_DEV=1 build
gpioget # make sure GPIO_BATT_PRES_L=0
ccd help # prints help
ccd lock # lock, because CR50_DEV=1 builds start unlocked
ccd # locked, flags=0, all capabilities default
ccd pass # access denied (we're locked)
ccd reset # access denied
ccd set flashap always # access denied
ccd unlock
ccd # unlocked
ccd pass foo
ccd # flags=2 (password set when unlocked)
ccd set flashap always # access denied
ccd set uartectx unlesslocked
ccd # yes, uartectx permission changed
ccd lock
ccd unlock # fails without password
ccd unlock bar # wrong password
ccd unlock foo # busy
(wait 3 sec)
ccd unlock foo
ccd reset
ccd # no password, flags 0, capabilities all default
ccd open # requires physical presence; tap power or use 'pp'
ccd set uartgsctxecrx unlesslocked
ccd set batterybypasspp ifopened
ccd pass baz
ccd # password set, flag 0, ccdset changes worked
ccd unlock
ccd reset
ccd # uartgsctxecrx back to ifopened, password still set
ccd open baz # still requires physical presence
ccd set opennolongpp always
ccd lock
ccd open baz # no pp required
ccd set unlocknoshortpp unlesslocked
ccd lock
ccd open baz # short pp sequence required (3 taps)
ccd lock
ccd unlock baz # short pp sequence required
ccd open baz # pp not required
ccd set unlocknoshortpp always
ccd lock
ccd testlab open # access denied
ccd testlab enable # access denied
ccd unlock baz
ccd testlab open # access denied
ccd testlab enable # access denied
ccd open baz
ccd testlab enable # requires short pp
ccd # flags 1
ccd reset
ccd # no password, flags=1, caps all default
ccd lock
ccd testlab open
ccd # opened
ccd testlab disable # requires short pp; let it time out
ccd # still opened, flags=1
ccd lock
ccd oops # backdoor in CR50_DEV images to force-reset CCD
ccd # opened, flags=0, all defaults (yes, oops wipes out testlab)
ccd reset rma
ccd # flags = 0x400000, everything but GscFullConsole always
ccd reset # back to flags=0, all default
Change-Id: Ib2905cb7cbeb79a7f4d0fb44151bfd53af361e2e
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/653719
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, the Cr50 state machines (EC, AP, RDD, bitbang, etc.) manage
their own enabling and disabling of the ports (UART, SPI, etc.) This
is tricky because the rules for when ports should be enabled are
non-trivial and must be applied in the correct order. In additionl
the changes all need to be serialized, so that the hardware ends up in
the correct state even if multiple state machines are changing
simultaneously.
Consolidate all of that into chip/g/rdd.c. The debug command for it
is now 'ccdstate', which just prints the state machines. This will
allow subsequent renaming of the 'ccdopen', etc. commands to 'ccd
open', etc.
Also include UART bit-banging into that state which must be
consistent. Previously, it was possible for bit-banging to leave UART
TX connected, instead of returning it to the previous state.
Use better names for CCD config fields for UART. I'd had them backwards.
BUG=b:62537474
BRANCH=cr50
TEST=manual, with a CR50_DEV=1 image
1) No servo or CCD
Pull SERVO_DETECT low (disconnected)
Pull CCD_MODE_L high (disabled)
Pull EC_DETECT and AP_DETECT high (on)
Reboot. RX is enabled even if cables are disconnected so we buffer.
ccdstate -> UARTAP UARTEC
Pull EC_DETECT low.
ccdstate -> UARTAP
Pull EC_DETECT high and AP_DETECT low.
ccdstate -> UARTEC
Pull AP_DETECT high.
ccdstate -> UARTAP UARTEC
2) Servo only still allows UART RX
Pull SERVO_DETECT high (connected).
ccdstate -> UARTAP UARTEC
3) Both servo and CCD prioritizes servo.
Pull CCD_MODE_L low (enabled).
ccdstate -> UARTAP UARTEC
Reboot, to make sure servo wins at boot time.
ccdstate -> UARTAP UARTEC
Bit-banging doesn't work when servo is connected.
bitbang 2 9600 even -> superseded by servo
bitbang -> disabled
ccdstate -> UARTAP UARTEC
4) CCD only allows more ports and remembers we wanted to bit-bang
Pull SERVO_DETECT low.
ccdstate --> UARTAP+TX UARTEC+BB I2C SPI
bitbang 2 disable
ccdstate --> UARTAP+TX UARTEC+TX I2C SPI
Reboot and see we don't take over servo ports until we're
sure servo isn't present.
ccdstate --> UARTAP UARTEC (for first second)
ccdstate --> UARTAP+TX UARTEC+TX I2C SPI (after that)
5) Bit-banging takes over ECTX
bitbang 2 9600 even
bitbang -> baud rate 9600, parity even
ccdstate -> UARTAP+TX UARTEC+BB I2C SPI
bitbang 2 disable
ccdstate -> UARTAP+TX UARTEC+TX I2C SPI
6) Permissions work. Allow easy access to full console and ccdopen:
ccdset OpenNoTPMWipe always
ccdset OpenNoLongPP always
ccdset GscFullConsole always
Default when locked is full AP UART EC RO, no I2C or SPI
ccdlock
ccdstate -> UARTAP+TX UARTEC
No EC transmit permission means no bit-banging
bitbang 2 9600 even
bitbang -> disabled
ccdstate -> UARTAP+TX UARTEC
But it remembers that we wanted to
ccdopen
ccdstate -> UARTAP+TX UARTEC+BB I2C SPI
bitbang 2 disable
ccdstate -> UARTAP+TX UARTEC+TX I2C SPI
Try turning on/off permissions
ccdset UartGscTxECRx always
ccdlock
ccdstate -> UARTAP+TX UARTEC+TX
No read means no write either
ccdset UartGscRxECTx ifopened
ccdlock
ccdstate -> UARTAP+TX
ccdopen
ccdset UartGscRXAPTx ifopened
ccdlock
ccdstate -> (nothing)
Check AP transmit permissions too
ccdopen
ccdset UartGscRxAPTx always
ccdset UartGscTxAPRx ifopened
ccdlock
ccdstate -> UARTAP
Check I2C
ccdopen
ccdset I2C always
ccdlock
ccdstate -> UARTAP I2C
SPI port is enabled if either EC or AP flash is allowed
ccdopen
ccdset flashap always
ccdlock
ccdstate -> UARTAP I2C SPI
ccdopen
ccdset flashec always
ccdset flashap ifopened
ccdlock
ccdstate -> UARTAP I2C SPI
Back to defaults
ccdoops
Change-Id: I641f7ab2354570812e3fb37b470de32e5bd10db7
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/615928
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This way, when HOOK_CCD_CHANGE triggers, the debug message is printed
before any of the effects of the change due to other hooks.
No effect on the rest of the code.
BUG=none
BRANCH=cr50
TEST=manual in CR50_DEV=1 image
ccdlock
ccdoops
"CCD change hook called" should be seen before "Enabling I2C" or
"Disabling I2C" messages.
Change-Id: I2e083b70fe8ac3938abc56e14b5e50fe9e237752
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/616179
Reviewed-by: Vadim Bendebury <vbendeb@google.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add usb_i2c_board_is_enabled().
On Cr50, this is now also connected to the I2C CCD capability. The
USB-I2C bridge can only be used when the capability is available.
On other platforms (Servo V4, etc.) where usb_i2c_board_enable() is
a no-op, add a dummy implementation which always returns true.
See go/cr50-ccd-wp for more information.
BUG=b:62537474
BRANCH=cr50
TEST=manual with CR50_DEV=1
Connect host PC to dev board USB port
On host PC:
sudo servod -c ccd_cr50.xml -c reef_r1_inas.xml
dut-control pp3300_ec_shv_reg --> fail, error 0x8001
ccdoops --> reset I2C config
ccd i2c disable --> I2C disabled
On host PC:
sudo servod -c ccd_cr50.xml -c reef_r1_inas.xml
dut-control pp3300_ec_shv_reg --> fail, error 0x0006
ccd i2c enable --> I2C enabled
ccdunlock --> I2C disabled
ccdoops --> I2C enabled
ccdset i2c unlesslocked
ccdlock --> I2C disabled
ccdunlock --> I2C enabled
Change-Id: Ia3df32e239a5f7c5915bc6c7e408ce0dc8b26c89
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/590577
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If there is a board ID mismatch and rollback is not possible Cr50
firmware will enter a limited mode which only support Cr50 firmware
upgrade. All other features must be disabled, because it is not
possible to know which features should be allowed on the mismatched
board.
See go/cr50-ccd-wp for more information.
BUG=b:62537474
BRANCH=cr50
TEST=manual with CR50_DEV=1 build, define CONFIG_CMD_CCDDISABLE
ccdinfo --> state=opened
ccddisable --> state=locked(disabled), all capabilities disabled
ccdunlock --> access denied
ccdopen --> access denied
ccdreset --> access denied
ccdpassword --> access denied
ccdset --> access denied
ccdoops
ccdinfo --> state=opened, back to defaults
Change-Id: Idb66fb1f3d5106aa0c2cb6addf2404ea9942b0d6
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/590070
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|