| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use BATT_PRES_L to determine if factory mode can be enabled. We need
to be able to control this for cr50 testing. Add a command that can be
used to override battery presence. This change also adds a ccd
capability to control access to this command. If this capability is
enabled, someone can easily use console commands and AP commands to
enable factory mode, so it should be controlled separately from WP and
GscFullConsole.
BUG=b:126197850
BRANCH=cr50
TEST=override battery presence using bpforce. Make sure the state lasts
through reboot, deep sleep, and power-on reset. When bp is forced
disabled you can do ccd open without physical presence and you can
enable factory mode.
Change-Id: I026a537142b6780824192caa2a147c7bdac1545c
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1505213
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Keith Short <keithshort@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mechanical replacement of bit operation where operand is a constant.
More bit operation exist, but prone to errors.
Reveal a bug in npcx:
chip/npcx/system-npcx7.c:114:54: error: conversion from 'long unsigned int' to 'uint8_t' {aka 'volatile unsigned char'} changes value from '16777215' to '255' [-Werror=overflow]
BUG=None
BRANCH=None
TEST=None
Change-Id: I006614026143fa180702ac0d1cc2ceb1b3c6eeb0
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1518660
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Requested for linux integration, use BIT instead of 1 <<
First step replace bit operation with operand containing only digits.
Fix an error in motion_lid try to set bit 31 of a signed integer.
BUG=None
BRANCH=None
TEST=compile
Change-Id: Ie843611f2f68e241f0f40d4067f7ade726951d29
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1518659
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Include compile_time_macros.h to files that will use BIT macro.
BUG=None
BRANCH=None
TEST=unit tests.
Change-Id: I9d44f4b588620f6770f8d522d422f5dd0d237903
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1525156
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drives OEM specific GPIOs to enable and disable factory mode to a closed
source EC.
BUG=b:118683718
BRANCH=none
TEST=make buildall. Verified GPIO states with scope in both factory mode
enable and disable conditions. Verified GPIO states are reapplied
correctly after reboot, deep sleep, and power cycle.
Change-Id: I9bc547504478fded5f95c515027e1da0f245d524
Signed-off-by: Keith Short <keithshort@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1358733
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CR50 provides whether CCD capabilities are default or not. Factory
process can utilize this value instead of CCD cap bitmap information.
Users can use either 'gsctool -I' or CR50 console command 'ccd'.
BRANCH=cr50_tools
BUG=b:117200472
TEST=manually set and clear the password using gsctool -a -F and
check the result of gsctool -I.
Change-Id: Ic6be2ce880476c3a73150fe0e29007dd6a7e328f
Signed-off-by: Namyoon Woo <namyoon@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1272190
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Defined "Number of bits in CCD cap expression", "Bitmask for a
CCD cap expression", and "Number of CCD cap expressions in a
Byte," and replaced constant uses with macros in CR50 and gsctool
codes.
No binary size changes in either CR50 or gsctool.
BRANCH=cr50_ccd
BUG=none
TEST=manually tested with gsctool -I and CR50 console command 'ccd'.
Signed-off-by: Namyoon Woo <namyoon@chromium.org>
Change-Id: If91305090444395b6a938f920f4e47e2acbba886
Reviewed-on: https://chromium-review.googlesource.com/1274007
Commit-Ready: Namyoon Woo <namyoon@chromium.org>
Tested-by: Namyoon Woo <namyoon@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Once RMA open is processed and CCD state is updated, the AP still
might require to perform some operations, even if TPM is not available
any more.
With this patch enable_ccd_factory_mode() does not trigger device
reset, if invoked by the RMA open handler.
Another modification is that WP is disabled immediately when factory
mode is enabled, there is no need to reset the H1 for WP status to
change.
BRANCH=cr50, cr50-mp
BUG=b:115495431
TEST=verified that running 'gsctool -a -r <authcode>' sets to 'Y' all
CCD properties, disables write protection, but does not reboot
the device.
Change-Id: I834a9e4b5ebbe4aaaf1caafad9c82424087d01f7
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1250037
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a capability for opening cr50 without dev mode and a capability for
opening cr50 from the console. This will make it so cr50 can easily be
opened from the console after RMA open.
BUG=b:113266255,b:113267161
BRANCH=cr50
TEST=verify OpenFromConsole and OpenW/ODevMode are set to IfOpened with
CCD_OPEN_PREPVT isn't defined and set to Always when it is defined. Make
sure they are set to Always after factory mode is enabled.
Change-Id: Ic149b4163ee9a3ce5e0c051dc42634a31a4a0a7e
Signed-off-by: Mary Ruthven <mruthven@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1191386
Tested-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Queue: Mary Ruthven <mruthven@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The factory reset command can be used to enable ccd factory mode. The
command can open ccd if write protect is removed and ccd hasn't been
restricted. Right now we check FWMP and the ccd password before allowing
factory reset. Factory reset cannot be used to get around anything that
disables ccd.
This adds 72 bytes.
BUG=b:77543904
BRANCH=cr50
TEST=Try enabling factory mode using factory reset. Verify setting write
protect, setting the FWMP disable ccd bit, or setting a ccd password
prevents factory reset from enabling factory mode.
Change-Id: I6e203bf6068250f009881aa95c13bc56cb2aa9e7
Signed-off-by: Mary Ruthven <mruthven@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1069369
Commit-Ready: Mary Ruthven <mruthven@chromium.org>
Tested-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We're doing a bit of refactoring to break out factory mode into its own
file. Now factory reset and rma reset will be two methods of entering
factory mode. Factory mode can be disabled with the disable_factory
vendor command.
Factory mode means all ccd capabilities are set to Always and WP is
permanently disabled. When factory mode is disabled, all capabilities
are reset to Default and WP is reset to follow battery presence.
This adds 56 bytes.
BUG=none
BRANCH=cr50
TEST=verify rma reset will enable factory mode.
Change-Id: I21c6f7b4341e3a18e213e438bbd17c67739b85fa
Signed-off-by: Mary Ruthven <mruthven@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1069789
Commit-Ready: Mary Ruthven <mruthven@chromium.org>
Tested-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is important for the OS to be able to find out the state of CCD and
current capabilities settings of the device.
This patch defines a structure to use to report information about CCD
state from Cr50 to the host and adds a CCD vendor subcommand to allow
to retrieve the information from Cr50.
Some structure and variable definitions had to be moved into the .h
file to make it possible to share them between Cr50 and gsctool.
BRANCH=cr50, cr50-mp
BUG=b:72718383
TEST=with the following patch applied verified that CCD info is
properly reported. Also verified that other CCD subcommands still
work as advertised.
Change-Id: I4a783e6817ed364b9e64522ebbe968d4a657a84c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/999825
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows hashing or dumping SPI flash from the Cr50 console even on
a locked device, so you can verify the RO Firmware on a system via CCD.
See design doc: go/verify-ro-firmware
(more specifically, "Cr50 console commands for option 1")
BUG=chromium:804507
BRANCH=cr50 release (after testing)
TEST=manual:
# Sample sequence
spihash ap -> requires physical presence; tap power button
spihash 0 1024 -> gives a hash; compare with first 1KB of image.bin
spihash 0 128 dump -> dumps first 128 bytes; compare with image.bin
spihash 128 128 -> offset works
spihash 0 0x100000 -> gives a hash; doesn't watchdog reset
spihdev ec
spihash 0 1024 -> compare with ec.bin
spihash disable
# Test timeout
spihash ap
# Wait 30 seconds
spihash 0 1024 -> still works
# Wait 60 seconds; goes back disabled automatically
spihash 0 1024 -> fails because spihash is disabled
# Presence not required when CCD opened
ccd open
spihash ap -> no PP required
spihash 0 1024 -> works
spihash disable
# Possible for owner to disable via CCD config
ccd -> HashFlash is "Always"
ccd set HashFlash IfOpened
ccd lock
spihash ap -> access denied
# Cleanup
ccd open
ccd reset
ccd lock
Change-Id: I27b5054730dea6b27fbad1b1c4aa0a650e3b4f99
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/889725
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When implementing 'ccd open' and 'ccd unlock' through gsctool, we need
to be able to pass to the host the state of the physical presences
state machine regarding the expected user action (pressing the PP
button).
Two new VENDOR_CC_CCD subcommands are being added: CCDV_PP_POLL_OPEN
and CCDV_PP_UNLOCK. In response to these commands, the Cr50 always
returns VENDOR_RC_SUCCESS return code and a single byte payload
showing the CCD and PP state:
- CCDPP_CLOSED - PP process is not running, CCD closed. Maybe user
missed a button press deadline.
- CCDPP_AWAITING_PRESS (self explanatory)
- CCDPP_BETWEEN_PRESSES (self explanatory)
- CCDPP_PP_DONE - CCD is opened/unlocked (as per user request), PP
process succeeded.
BRANCH=cr50
BUG=b:62537474
TEST=with the upcoming change to gsctool verified that PP states are
properly conveyed to the user.
Change-Id: I97b1fef4440eea93c5c5ac01b7c60bfce9a4595c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/861001
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We want CCD commands lock, open, password, and unlock (at least to
start with) to be available over both CLI and through crosh (i.e.
coming over /dev/tpm0).
Let's allocate a TPM vendor command for handling all CCD subcommands,
and move to this new framework the 'ccd password' command, which
already is available over vendor command.
BRANCH=cr50
BUG=b:62537474
TEST=verified that 'ccd password' still works both over Suzy-Q CLI and
using gsctool on the target.
Change-Id: I2d06230b762f47af7e580b188a587bc5678ca169
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/853280
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Setting password should be allowed only after the owner logged in for
the first time and before they log out or someone else logs in.
Once any other user but the owner logs in, it should become impossible
to set password until the device is reset.
As proposed here, this would apply to both attempts to set password
through crosh and Cr50 console.
Password handling on Cr50 passes the following states:
- password setting is not allowed after Cr50 reset until an upstart
(as opposed to resume) TPM startup happens, as signalled by the TPM
callback. After the proper TPM reset the state changes to
'POST_RESET_STATE' which means that the device was just
reset/rebooted (not resumed) and no user logged in yet.
- if the owner logs in in this state, the state changes to
'PASSWORD_ALLOWED_STATE'. The owner can open crosh session and set
the password.
- when the owner logs out or any user but the owner logs in, the state
changes to PASSWORD_NOT_ALLOWED_STATE and does not change until TPM
is reset. This makes sure that password can be set only by the owner
and only before anybody else logged in.
Separate changes to the TPM library code make sure that TPM reset is
reported through the platform layer, so that POST_RESET_STATE is
entered.
BRANCH=cr50
BUG=b:67007578
TEST=with the rest of the infrastructure in place verified that
password can be set only when the owner logged in for the first
time before anybody else logs in or the owner logs out.
Change-Id: Ieaa3dc8ff9d2e43ae11151eb31173220f5c75b58
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/804141
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When RMA process has been initialized and the user entered the
expected authentication code value, the Cr50 needs to wipe out TPM
memory, open and unlock CCD and reboot the device.
This patch adds a function to accomplish that. User response is
validated on the TPM task context, and TPM reset request also requires
TPM task processing. To decouple response processing from the
following reset, the response processing is handled by a hook task
callback, delayed for 1s to make sure that user receives the response.
After TPM has successfully reset the CCD is reinitialized with RMA
'opened' and the device is rebooted.
Just in case something goes wrong with the unlock and the hook is not
invoked, add a 10s deferred function to take the EC out of reset so
that the device still can reboot.
BRANCH=none
BUG=b:67007905
TEST=on a Bob device:
- on the Cr50 console enter 'ccd lock', verify that ccd is locked
(by examining output of the 'ccd' command)
- at the bash prompt enter gsctool -r -s -t, copy the
authentication code from the Cr50 console and pass it to gsctool.
- observe the device reset TPM wiping out its memory, enable CCD
and reboot.
Change-Id: I6fafb5e642cb2b6f2040507a7f1989607fd31316
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/729983
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|
|
For historical reasons, CCD, reset, and power button control were
scattered around several files. Consolidate the code in more sensible
(in retrospect) places.
No functional changes, just moving code.
BUG=none
BRANCH=cr50
TEST=make buildall; boot cr50
Change-Id: Ic381a5a5d0627753cc771189aa377e88b81b155e
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/653766
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
|