| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the interest of making long-term branch maintenance incur as little
technical debt on us as possible, we should not maintain any files on
the branch we are not actually using.
This has the added effect of making it extremely clear when merging CLs
from the main branch when changes have the possibility to affect us.
The follow-on CL adds a convenience script to actually pull updates from
the main branch and generate a CL for the update.
BUG=b:204206272
BRANCH=ish
TEST=make BOARD=arcada_ish && make BOARD=drallion_ish
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Change-Id: I17e4694c38219b5a0823e0a3e55a28d1348f4b18
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3262038
Reviewed-by: Jett Rink <jettrink@chromium.org>
Reviewed-by: Tom Hughes <tomhughes@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The names conflict when enabling both Zephyr's flash driver and
CONFIG_FLASH_CROS option. Rename all the APIs in include/flash.h
BUG=b:187192628
BRANCH=none
TEST=make buildall -j4
Signed-off-by: Tim Lin <tim2.lin@ite.corp-partner.google.com>
Change-Id: If1fd0ea28fa9f5cec1c1daa8f72f63eb7a0e6500
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2931749
Commit-Queue: Keith Short <keithshort@chromium.org>
Reviewed-by: Keith Short <keithshort@chromium.org>
Reviewed-by: Denis Brockus <dbrockus@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change simply moves the include/version.h file over to avoid
a naming collision with zephyr's version.h.
BRANCH=none
BUG=b:167392037
TEST=make buildall -j
Signed-off-by: Yuval Peress <peress@chromium.org>
Change-Id: Ib41b3c21817d5f81e713d3b550bc46a0d1c55cf8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2612772
Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>
Commit-Queue: Jack Rosenthal <jrosenth@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is an option in the task_set_event function which force
the calling task to wait for an event. However, the option is never
used thus remove it.
This also will help in the Zephyr migration process.
BUG=b:172360521
BRANCH=none
TEST=make buildall
Signed-off-by: Dawid Niedzwiecki <dn@semihalf.com>
Change-Id: Ic152fd3d6862d487bcc0024c48d136556c0b81bc
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2521599
Reviewed-by: Jett Rink <jettrink@chromium.org>
Reviewed-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>
Commit-Queue: Jack Rosenthal <jrosenth@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Google is working to change its source code to use more inclusive
language. To that end, replace the terms "sane", "sanity check", and
similar with inclusive/non-stigmatizing alternatives.
BUG=b:161832469
BRANCH=None
TEST=`make buildall -j` succeeds. `grep -Eir "sane|sanity" .` shows
results only in third-party code or documentation.
Signed-off-by: Paul Fagerburg <pfagerburg@chromium.org>
Change-Id: I29e78ab27f84f17b1ded75cfa10868fa4e5ae88c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2311169
Reviewed-by: Jett Rink <jettrink@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BRANCH=none
BUG=b:156401765
TEST=make buildall -j
TEST=On bloonchipper console:
> reboot ro
=> stays in RO
TEST=On bloonchipper console:
> reboot
=> jumps to RW after RO
Signed-off-by: Tom Hughes <tomhughes@chromium.org>
Change-Id: I44faa6ed85a671db3d7217562adfd49650229147
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2197622
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Craig Hesling <hesling@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
"enum ec_current_image" is exposed in ec_commands.h (and used by non-EC
code, such as biod).
We also have an "enum system_image_copy_t" that is the exact same thing
(though has a few more definitions).
A followup CL (I714b6bd8c0d7192386404c25a831e38438fa5238) adds the
"sysinfo" host command, so we want to be able to expose all the
potential image variants. Rather than maintain two enums that can
potentially get out of sync, unify the code to use a single enum. We
choose to keep the "enum ec_current_image", since external code depends
on it.
To verify that this change results in no changes to the generated
binaries:
./util/compare_build.sh --board all
BRANCH=none
BUG=b:146447208
TEST=./util/compare_build.sh --board=all
Change-Id: I13776bc3fd6e6ad635980476a35571c52b1767ac
Signed-off-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2036599
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Namyoon Woo <namyoon@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The rwsig info command provides additional details on the verified boot
key used to sign the RW firmware. The information about the key can be
used by factory tests to validate that the factory is flashing firmware
that is signed by the expected key.
In addition, we refactor the "rwsig"-related commands into a generic
"rwsig" command that takes additional subcommands. This allows adding an
"rwsig dump" command that allows displaying individual fields, which is
useful in scripts and tests.
"rwsigstatus" becomes "rwsig status"
"rwsigaction" becomes "rwsig action"
The old commands are preserved for backward compatibility.
BRANCH=none
BUG=b:144958737
TEST=(kohaku) $ ectool --name=cros_fp rwsig info
TEST=(kohaku) $ ectool --name=cros_fp rwsig dump key_id
TEST=(kohaku) $ ectool --name=cros_fp reboot_ec; sleep 0.5;
ectool --name=cros_fp rwsig action abort; sleep 2;
ectool --name=cros_fp version | grep "Firmware copy"
=> Firmware copy: RO
TEST=On dragonclaw v0.2 console: rwsiginfo
Change-Id: Ib0ee4be33e6636ff702eeaef941cc3abed0594cb
Signed-off-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1999607
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Denis Brockus <dbrockus@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the host command handler callback function returns an int, it's easy
to accidentally mix up the enum ec_error_list and enum ec_status types.
The host commands always expect an enum ec_status type, so we change the
return value to be of that explicit type. Compilation will then fail if
you accidentally try to return an enum ec_error_list value.
Ran the following commands and then manually fixed up a few remaining
instances that were not caught:
git grep --name-only 'static int .*(struct host_cmd_handler_args \*args)' |\
xargs sed -i 's#static int \(.*\)(struct host_cmd_handler_args \*args)#\
static enum ec_status \1(struct host_cmd_handler_args \*args)##'
git grep --name-only 'int .*(struct host_cmd_handler_args \*args)' |\
xargs sed -i 's#int \(.*\)(struct host_cmd_handler_args \*args)#\
enum ec_status \1(struct host_cmd_handler_args \*args)##'
BRANCH=none
BUG=chromium:1004831
TEST=make buildall -j
Cq-Depend: chrome-internal:1872675
Change-Id: Id93df9387ac53d016a1594dba86c6642babbfd1e
Signed-off-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1816865
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ran the following command:
git grep -l 'Copyright (c)' | \
xargs sed -i 's/Copyright (c)/Copyright/g'
BRANCH=none
BUG=none
TEST=make buildall -j
Change-Id: I6cc4a0f7e8b30d5b5f97d53c031c299f3e164ca7
Signed-off-by: Tom Hughes <tomhughes@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1663262
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We should ensure that all custom task definition are non-zero and fit
with the globally defined events. Add compile time check and change
semantics to specify bit number (instead of making all callers use the
BIT macro).
This also fixes an error with TASK_EVENT_PHY_TX_DONE for ITE being 0.
The bug that made that happen hasn't landed on any firmware branches
that use it though.
BRANCH=none
BUG=none
TEST=builds
Cq-Depend:chrome-internal:1178968,chrome-internal:1178952
Change-Id: I5e1d1312382d200280c548e9128e53f4eddd3e61
Signed-off-by: Jett Rink <jettrink@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1570607
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If RW region is being erased/written to, make sure RO does not
automatically jump to RW after the timeout: RO would normally
verify RW, then wait for 1 second before jumping to RW, to
allow host to issue host commands in the mean time. The problem
is that some of these host commands may modify the RW, which
would essentially bypass the signature check.
This was not important on hammer, as STM32F0 does not support
EC_FLASH_PROTECT_ALL_NOW, and would force another reboot after
an update to lock the flash again, and verification would run
again.
Other STM32 variants are able to immediately lock the flash, so
no reboot is required, and there is therefore a risk that the EC
would jump to an RW image that is not signed.
BRANCH=none
BUG=b:111190988
TEST=./ectool --name=cros_fp reboot_ec
Then, quickly (while EC still in RO)
./ectool --name=cros_fp flasherase 0x120000 131072
Succeeds, and EC does not jump to RW.
TEST=Increment rollback number in RW (CONFIG_ROLLBACK_VERSION), see
that update works, and rollbackinfo shows updated version.
Change-Id: Iaf8e1802cf5c67cafbfda575d7202e00068c6f9b
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1139952
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BRANCH=none
BUG=b:111190988
TEST=Lock RO, flash RW images of increasing CONFIG_ROLLBACK_VERSION,
see that rollback minimum version is incremented in
rollbackinfo.
Change-Id: I48ee68d37098b74478432db9bf84dc96d1ef2dd8
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1137981
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We add a configuration option to set the minimum shared memory
size (CONFIG_SHAREDMEM_MINIMUM_SIZE), so that the link will fail
if there is not enough IRAM left.
Also, we add 2 macros around shared_mem_acquire, that check, at
build time, that the shared memory size is sufficient for the
allocation:
- SHARED_MEM_ACQUIRE_CHECK should be used instead of
shared_mem_acquire, when size is known in advance.
- SHARED_MEM_CHECK_SIZE should be used when only a maximum size
is known.
This does not account for "jump tags" that boards often add on
jump from RO to RW. Luckily, RW usually does not do verification,
and does not need as much shared memory.
BRANCH=none
BUG=chromium:739771
TEST=make buildall -j, no error
Change-Id: Ic4c72938affe65fe8f8bc17ee5111c1798fc536f
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1002713
Reviewed-by: Gwendal Grignou <gwendal@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tasks are defined inconsistently across the code base.
Signed-off-by: Stefan Reinauer <reinauer@google.com>
BRANCH=none
TEST=make buildall -j, also verify kevin boots to OS
BUG=none
Change-Id: I19a076395a9a8ee1e457e67a89d80d2f70277c97
Reviewed-on: https://chromium-review.googlesource.com/602739
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mapped reads are relative to CONFIG_EC_*_STORAGE_OFF, not
CONFIG_R*_MEM_OFF. The previous implementation happened to work for
internal mapped storage (eg. stm32) but failed for external mapped
storage which is copied to SRAM before execution (eg. npcx).
BUG=b:62841029
TEST=Verify sysjump works again on eve/poppy/soraka. Verify sysjump
and sig verification continues to work on fizz and stm32.
BRANCH=None
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Change-Id: Id51ce5697555eea38b246b58dbf47f22d4befaa7
Reviewed-on: https://chromium-review.googlesource.com/541861
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For pairing purpose, we want to store some secret random number in
the base. The most convenient location for this is the rollback
region.
Since the rollback region can now be updated without incrementing
rollback_min_version (when we add entropy to the secret), we need
to add an increasing id to tell the code which rollback region is
the latest.
We also add console commands to manually add entropy.
BRANCH=none
BUG=b:38486828
TEST=Flash hammer (with or without CONFIG_ROLLBACK_ENTROPY_SIZE set)
rollbackinfo => 1 version 0 block, 1 empty block, RW verifies
correctly.
rollbackupdate 0; rollbackinfo => No change
rollbackupdate 1; reboot => RO refuses to jump to RW
only when CONFIG_ROLLBACK_ENTROPY_SIZE is set:
rollbackinfo => Secret is [00..00] on both blocks (so the data
was copied correctly)
rollbackupdate 2, 3, 4; rollbackinfo => Writes alternate
between the 2 blocks.
rollbackupdate 2 => Refuses to downgrade version
TEST=From blank secret [00..00], 'rollbackaddent Hello' updates it
to [ba..fa], which matches the output of:
(dd if=/dev/zero bs=1 count=32; echo -n Hello) | sha256sum
Change-Id: I79c3e790e56e21958cc1b4ba05bd4e5f359d3090
Reviewed-on: https://chromium-review.googlesource.com/511985
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use EC_FLASH_PROTECT_ALL_NOW to protect all flash before jump if
posisble. If EC_FLASH_PROTECT_ALL_NOW does not work, try
EC_FLASH_PROTECT_ALL_AT_BOOT next.
BUG=b:37584134
TEST=on rose:
1) `flashwp enable`
2) `reboot`
3) `flashinfo` flags contains 'all_now'
Change-Id: I2773410e97fae082fc6c20d47bdae3d991c57063
Reviewed-on: https://chromium-review.googlesource.com/497155
Commit-Ready: Wei-Ning Huang <wnhuang@chromium.org>
Tested-by: Wei-Ning Huang <wnhuang@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new host command EC_CMD_RWSIG_ACTION for controlling rwsig task.
This allow us to make firmware stay at RO without toggling reset pin.
flashrom can use this host command and removed the need to use any
out-of-band pin to toggle the reset pin (and make RWSIG stay in RO).
BRANCH=none
BUG=b:37584134
TEST=on eve, `ectool --name=cros_tp rwsigaction abort` should prevent EC
from jumpping to RW after RWSIG check.
Change-Id: Ia435e4e3ea8ed612a1250d3bf755ca50e5db9d37
Signed-off-by: Wei-Ning Huang <wnhuang@google.com>
Reviewed-on: https://chromium-review.googlesource.com/497787
Commit-Ready: Wei-Ning Huang <wnhuang@chromium.org>
Tested-by: Wei-Ning Huang <wnhuang@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new host command EC_CMD_RWSIG_CHECK_STATUS for getting rwsig
status and rw firmware hash. This command is used to check the RW
signature of newly updated RW image.
A new subcommand is also added to ectool.
BRANCH=none
BUG=b:37584134
TEST=on rose board `ectool rwsigstatus` works
Change-Id: I33d8709f5248d3a4b8bedb36ded84a93dc8c971f
Signed-off-by: Wei-Ning Huang <wnhuang@google.com>
Reviewed-on: https://chromium-review.googlesource.com/485079
Commit-Ready: Wei-Ning Huang <wnhuang@chromium.org>
Tested-by: Wei-Ning Huang <wnhuang@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a window where the rollback information in RW could
potentially be updated during RW signature verification. We make
sure this cannot happen by:
- Preventing update over USB while RWSIG is running
- When system is locked, only update rollback information if
RW region is locked: this guarantees that RW cannot be modified
from boot until RW is validated, and then until rollback
information is updated.
Also, remove rollback_lock() in rwsig_check_signature:
rwsig_jump_now() protects all flash, which also protects rollback.
This reduces the number of required reboots on rollback update.
BRANCH=none
BUG=b:35586219
BUG=b:35587171
TEST=Add long delay in rwsig_check_signature, make sure EC cannot
be updated while verification is in progress.
Change-Id: I7a51fad8a64b7e258b3a7e15d75b3dab64ce1c94
Reviewed-on: https://chromium-review.googlesource.com/479176
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On "normal" EC, we do protect RW as part of software sync, which would
call flash_command_protect (which indirectly calls flash_protect_at_boot).
Here, we don't want to (and can't) rely on the host to tell us to protect
the RW, so we need to protect it ourselves before jumping to RW.
This does feel a little redundant with rollback_lock though, since ALL
will protect both RW and ROLLBACK: a later CL will fix that up.
BRANCH=none
BUG=b:35587171
TEST=flashwp true; reboot; RO protects all flash before booting to RW
Change-Id: I820cabb01d1ca4aa47b81fc013a1670134a6be09
Reviewed-on: https://chromium-review.googlesource.com/476453
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(Optionally) split rwsig verification into a separate task. This
allows us to initialize other components (e.g. USB) while the
verification is in progress, speeding up the boot process to active
USB in RO case.
After CONFIG_RWSIG_JUMP_TIMEOUT, the EC will jump to the RW section
if no action is taken by the AP (such as a forced request to jump
to RW, or starting an update).
Note: This comes with a ~36ms boot time regression, as other code
gets to run before verification starts.
BRANCH=none
BUG=b:35587171
TEST=Flash, board boots to RW after 1s
TEST=Change jump timeout to 5s, add 5s delay in check_signature,
add console command to manually abort/continue rwsig verification.
'rwsig continue' works => Board jumps to RW after check_signature
is completed (or immediately while waiting for timeout)
'rwsig abort' works => Board does not jump to RW.
Change-Id: Ica5732b9298bb4d3b743cae2ba78df259db915ef
Reviewed-on: https://chromium-review.googlesource.com/468709
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We're going to add more rwsig-related functions, and adding them
to rsa.h seems increasingly incorrect.
BRANCH=none
BUG=b:35587171
TEST=make buildall -j
Change-Id: I334c1774ce9a6ed8e219140f65ebe94d653e22d2
Reviewed-on: https://chromium-review.googlesource.com/468708
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is done at RO stage. If the rollback region is unprotected, update
it to match the version in the RW image.
If the rollback region is protected, we can't do that update, so we wait
for RW to unlock that region (presumably after AP has verified that image
is somewhat functional) before updating it.
BRANCH=none
BUG=b:35586219
TEST=flashwp true; reboot => hammer reboots twice
flashinfo shows RO+rollback protected:
Flags: wp_gpio_asserted ro_at_boot ro_now rollback_at_boot rollback_now
Protected now:
YYYYYYYY YYYYYYYY Y....... ........
TEST=Hack version.c to add "+1" to rollback_version, check that RO updates
ROLLBACK info block on first boot.
TEST=Use hack above, convert rwsig to separate task, add 5000 ms delay in
rwsig just before rollback information is updated. Then:
Quickly type: flashwp true; reboot; flashwp all; reboot
=> Wait for system to jump to RW
rollbackinfo => minimum version 0
flashwp norb; reboot; wait for jump to RW
rollbackinfo => minimum version 1
Change-Id: I78e502315c611c5edaf34b8d70a12fedd3e57bdf
Reviewed-on: https://chromium-review.googlesource.com/452816
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement actual rollback protection. First, we add a new field
in the version structure, which is an incrementing integer
(we'll start by shipping images with version 0, and gradually
increase the number as required). This allows us to release
new versions of the EC without necessarily bumping the rollback
protection.
For the rollback protection block itself, it contains 2 sub-blocks
of equal size (normally, 2k), that are individually erasable.
The rollback code looks at both, and takes the most restrictive one
to determine the desired rollback minimum version. The blocks
are also allowed to be erased (full of 1's), in which case the
rollback minimum version is assumed to be 0.
We also add an FMAP entry, in case we later decide to allow the
signer to increment the rollback version.
Also note that, like any version_data struct change, this change
breaks compatibility between old and new RO/RW.
Follow-up code will take care of auto-updating the rollback block
as required, and properly manage block protection.
BRANCH=none
BUG=b:35586219
TEST=Flash hammer
rollbackinfo => 1 version 0 block, 1 empty block, RW verifies
correctly.
rollbackupdate 0; rollbackinfo => No change
rollbackupdate 1; reboot => RO refuses to jump to RW
rollbackupdate 2, 3, 4; rollbackinfo => Writes alternate
between the 2 blocks.
rollbackupdate 2 => Refuses to downgrade version
Change-Id: Ia969afb481a93deb912b9153bdd95ace01ad8fa7
Reviewed-on: https://chromium-review.googlesource.com/452815
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
usbpd1 futility image type is deprecated and should not be used for
new designs. This adds proper support for rwsig image type.
Key and signatures are added at linker stage step (futility cannot
directly create such signed images). Thanks to VB21 header, rwsig.c
can now tell how many bytes of the RW image need to be
cryptographically verified, and ensure that the rest is blank (0xff).
BRANCH=none
BUG=chromium:690773
TEST=make BOARD=hammer; flash, RW image is verified correctly.
TEST=make runtests -j
TEST=For the rest of the tests:
Change config option to CONFIG_RWSIG_TYPE_RWSIG
TEST=make BOARD=hammer; flash, hammer still verifies correctly.
TEST=cp build/hammer/ec.RW.bin build/hammer/ec.RW.bin.orig;
futility sign --type rwsig --prikey build/hammer/key.vbprik2 \
build/hammer/ec.RW.bin
diff build/hammer/ec.RW.bin build/hammer/ec.RW.bin.orig
=> Same file
TEST=Add CONFIG_CMD_FLASH, flashwrite 0x1e000, reboot, EC does
not verify anymore.
TEST=dump_fmap build/hammer/ec.bin shows KEY_RO and SIG_RW at
correct locations.
Change-Id: I50ec828284c2d1eca67fa8cbddaf6f3b06606c82
Reviewed-on: https://chromium-review.googlesource.com/441546
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For signed EC RW images (CONFIG_RWSIG), there's no point in
embedding the public key or signature into the image itself since
it will just be replaced by the signer (either as the next step
in the build process, or after the fact for MP releases). This
takes that out and just points to where the pubkey and signature
will be placed.
BUG=none
BRANCH=none
TEST=make buildall
I also checked the signatures with
futility show -t build/*/ec.bin
They still look good, and the one signed image I booted (Cr50)
works as before.
Change-Id: Ib39b7c508914851f81a1bebb2450e08ef0def76c
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/302630
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rename and add geometry constants to match spec doc -
https://goo.gl/fnzTvr.
CONFIG_FLASH_BASE becomes CONFIG_PROGRAM_MEMORY_BASE
CONFIG_FLASH_MAPPED becomes CONFIG_MAPPED_STORAGE
Add CONFIG_INTERNAL_STORAGE, CONFIG_EXTERNAL_STORAGE and
CONFIG_MAPPED_STORAGE_BASE where appropriate.
This CL leaves chip/npcx in a broken state -- it's fixed in a follow-up
CL.
BRANCH=None
BUG=chrome-os-partner:23796
TEST=With entire patch series, on both Samus and Glados:
- Verify 'version' EC console command is correct
- Verify 'flashrom -p ec -r read.bin' reads back EC image
- Verify software sync correctly flashes both EC and PD RW images
Change-Id: Idb3c4ed9f7f6edd0a6d49ad11753eba713e67a80
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/297484
Commit-Ready: Shawn N <shawnn@chromium.org>
Tested-by: Shawn N <shawnn@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=chrome-os-partner:44803
BRANCH=none
TEST=make buildall
Comment change only.
Change-Id: I68c2fba64b7f613e3936f4e7ddf6b48430c7b858
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/297021
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rename image geometry configs with a uniform naming scheme to make their
purposes more clear.
CONFIG_RO_MEM_OFF (was CONFIG_FW_RO_OFF) - RO image offset in program memory
CONFIG_RO_STORAGE_OFF (was CONFIG_RO_SPI_OFF) - RO image offset on storage
CONFIG_RO_SIZE (was CONFIG_FW_RO_SIZE) - Size of RO image
CONFIG_RW_MEM_OFF (was CONFIG_FW_RW_OFF) - RW image offset in program memory
CONFIG_RW_STORAGE_OFF (was CONFIG_RW_SPI_OFF) - RW image offset on storage
CONFIG_RW_SIZE (was CONFIG_FW_RW_SIZE) - Size of RW image
CONFIG_WP_OFF (was CONFIG_FW_WP_RO_OFF) - Offset of WP region on storage
CONFIG_WP_SIZE (was CONFIG_FW_WP_RO_SIZE) - Size of WP region on storage
BUG=chrome-os-partner:39741,chrome-os-partner:23796
TEST=Set date / version strings to constants then `make buildall -j`.
Verify that each ec.bin image is identical pre- and post-change.
BRANCH=None
Signed-off-by: Shawn Nematbakhsh <shawnn@chromium.org>
Change-Id: I6ea0a4e456dae71c266fa917a309b9f6fa4b50cd
Reviewed-on: https://chromium-review.googlesource.com/270189
Reviewed-by: Anton Staaf <robotboy@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This signs the RW firmware (with a non-secret key). The RO
firmware will verify the RW firmware and jump to it if it's good.
Note that this isn't the final solution, just the beginning.
BUG=chrome-os-partner:37071
BRANCH=none
TEST=manual
Build and install it. You'll see something like this:
--- UART initialized after reboot ---
[Reset cause: reset-pin hard]
[Image: RO, cr50_v1.1.2929-27e1b82-dirty 2015-02-24 14:36:29 wfrichar@wfrichar-glaptop]
[0.000444 Verifying RW image...]
[0.423742 RW image verified]
[0.423946 Jumping to image RW[0.428492 UART initialized after sysjump]
[Image: RW, cr50_v1.1.2929-27e1b82-dirty 2015-02-24 14:36:29 wfrichar@wfrichar-glaptop]
[0.428931 Inits done]
Console is enabled; type HELP for help.
>
> sysinfo
Reset flags: 0x00000c02 (reset-pin sysjump hard)
Copy: RW
Jumped: yes
Flags: unlocked
>
Change-Id: Icafa554baca135ff1f80cbce4dad5f980e7fc122
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/253081
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Record in the PD log when we fail to verify the RW signature and when
the RW partition is erased.
Also log the faults on the power supplies.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=samus
BUG=chrome-os-partner:32785
TEST=flash a bad rw on Zinger.
Change-Id: Ib62dcb0d407867151af0aaecc405533e894d773e
Reviewed-on: https://chromium-review.googlesource.com/239913
Reviewed-by: Alec Berg <alecaberg@chromium.org>
Commit-Queue: Vincent Palatin <vpalatin@chromium.org>
Trybot-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
|
|
For accessories without software-sync mechanism, add the option to do a
RSA-based signature verification of the Read-Write firmware.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=samus
BUG=chrome-os-partner:31192
TEST=enable the configuration on Fruitpie and see the RW firmware
validated and jump to. Tried with good and bad RW images.
Change-Id: I3c886c2cbe17ca9543e19bf8599061c3f9751d4f
Reviewed-on: https://chromium-review.googlesource.com/229594
Reviewed-by: Todd Broch <tbroch@chromium.org>
Commit-Queue: Todd Broch <tbroch@chromium.org>
Tested-by: Todd Broch <tbroch@chromium.org>
|