| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
'ec_comm corrupt' used to corrupt a copy of EC-RW hash in ec_efs.c for
test purpose. This patch makes it corrupt the copy stored in the TPM
NVMEM cache first, and then read it into the cache in ec_efs.c.
'corrupt' option is available for regular image as well onl if CCD is
opened.
'reload' option is obsolete.
BUG=b:150650877
TEST=checked the behavior in the sequence below:
0. program regular image
cr50> ec_comm corrupt
CCD is not opened
Access Denied
Usage: ec_comm [corrupt]
1. open ccd.
2. Checked the original hash code.
cr50> ec_comm
...
ec_hash_sec_data : /* original hash code, Hm. */
3. Corrupt the hash code.
cr50> ec_comm corrupt
...
ec_hash_sec_data : /* corrupted hash code, Hc. */
4. Reboot EC.
ec> reboot ap-off
5. Check the boot mode is NO_BOOT mode.
chroot$ gsctool --getbootmode
...
Boot mode = 0x01: NO_BOOT
6. Turn on AP by tapping the power button.
Check AP rewrites the secdata, and Cr50 reloads it.
cr50> ec_comm
...
ec_hash_sec_data : /* original hash code, Hm. */
Signed-off-by: Namyoon Woo <namyoon@google.com>
Change-Id: Id34239911da204e1eacd285fa601a9b5db03c4ee
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2119130
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Commit-Queue: Namyoon Woo <namyoon@chromium.org>
Tested-by: Namyoon Woo <namyoon@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch eliminates unnecessary legacy nvmem.c and nvmem_vars.c code
and brings the code base to the state where the new NVMEM layout is
fully functional.
BRANCH=cr50, cr50-mp
BUG=b:69907320, b:129710256
CQ-DEPEND=CL:1450278
TEST=the following tests pass:
- test cases in ./test/nvmem.c
- TCG suite (passes on par with the existing Cr50 code with the
reduced code footprint TPM2 library)
- Chrome OS device migrates from legacy to new implementation with
user account maintained.
- Chrome OS user account is maintained over AP and H1 reboots and
deep sleep cycles.
Change-Id: If4bc2dd125873a79dbe0e268eb32100a8b8b352d
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1496607
Reviewed-by: Andrey Pronin <apronin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mechanical replacement of bit operation where operand is a constant.
More bit operation exist, but prone to errors.
Reveal a bug in npcx:
chip/npcx/system-npcx7.c:114:54: error: conversion from 'long unsigned int' to 'uint8_t' {aka 'volatile unsigned char'} changes value from '16777215' to '255' [-Werror=overflow]
BUG=None
BRANCH=None
TEST=None
Change-Id: I006614026143fa180702ac0d1cc2ceb1b3c6eeb0
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1518660
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The declaration of nvmem_wipe_cache is now inside the extern "C"
section and a definition was added to cr50_fuzz.
BRANCH=None
BUG=None
TEST=make -j buildall
Change-Id: Ie7401d8880e7982c84fa6a5df5015cbd145fc6d1
Signed-off-by: Allen Webb <allenwebb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1370746
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Each time TPM is disabled for booting Alt OS, NVMEM cache needs to be
wiped out, only a few NV indices need to be preserved.
We also are making sure that wipeout is possible only if key ladder is
disabled.
CQ-DEPEND=CL:1362161
BRANCH=cr50, cr50-mp
BUG=b:119221935
TEST=on a dual boot machine observed that when booting ALT OS on
reboots, key ladder is disabled, but RW AP firmware rollback
indices at address 0x1007 are still read properly. Alt OS resume
happens pretty quickly.
Change-Id: I5326937d0a36b67ac848629faeee42aadcb9e64d
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1362203
Reviewed-by: Andrey Pronin <apronin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Disabling TPM will do revoke H1 key laddder.
Querying TPM_MODE or enabling TPM_MODE will fail if H1 Key
Ladder is already revoked.
BUG=b:118504817
BRANCH=cr50
TEST=Manually tested with TPM disabling and Resume or Warm Reboot.
(1) Resume
$ trunks_send --raw 80 01 00 00 00 0c 00 00 01 45 00 01
80010000000A00000000
$ gsctool -a -m disable
TPM Mode: disabled (2)
$ echo mem > /sys/power/state
(press key on chromebook either after three seconds or in a second.)
(2) Warm Reboot
$ gsctool -a -m disable
(press refresh + power button or run kernel command 'reboot')
Check Chrome os boot ok.
No TPM command failures were observed (in CR50 console).
(3) Windows Warm Reboot or Resume are checked.
Change-Id: I32fffc432a9a6068ea324a97225974c581cb9359
Signed-off-by: Namyoon Woo <namyoon@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1312197
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
| |
BRANCH=None
BUG=None
TEST=make -j buildall
Change-Id: Icf2cfb6a2657064c10721c0e527d24fbb3be6ab3
Signed-off-by: Allen Webb <allenwebb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1330102
Reviewed-by: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, wiping the TPM would wipe all of NvMem, however, it really
should only clear the TPM's NvMem space. This commit adds a function to
clear a given NvMem user's space and makes the TPM only clear its space.
BUG=chrome-os-partner:61597
BRANCH=None
TEST=Add code for using nvmem vars, create a test variable, add a user
to snappy, unlock the console, verify that the user is no longer present
on the system and the test nvmem var still exists.
TEST=make -j buildall
Change-Id: Ic98baa5166a1ef9ae76e910b1b9ab100300e947f
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Reviewed-on: https://chromium-review.googlesource.com/445803
Commit-Ready: Aseda Aboagye <aaboagye@chromium.org>
Tested-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With introduction of encryption it is becoming impossible to read
NVMEM contents directly from flash. Decrypting the contents each time
there is a read request creates a significant performance hit. NVMEM
needs to be rearchitecture such that there is no need to run
decryption each time NVMEM read is performed.
This patch does just that, implementation details are described in the
header comment in common/nvmem.c.
To reduce memory impact the size of NVMEM is being decreased from 16K
to 12K. This is acceptable because eviction objects stored in NVMEM
serialized now, which dramatically reduces NVMEM size requirements.
The TPM2 NVMEM size definition must be kept in sync.
Another optimization this change introduces is bypassing writing into
the flash if NVMEM contents did not change, which is verified by
examining the hash of the cached storage.
A test is added to verify that the new commit scheme works as
expected, and the nvmem test is re-introduced to the list of test ran
on each 'make buildall'.
CQ-DEPEND=CL:433839
BRANCH=none
BUG=chrome-os-partner:62260,chrome-os-partner:62421
BUG=chrome-os-partner:62437
TEST=ran the following tests, all succeeded
make buildall -j
TEST_LIST_HOST=nvmem make runtests
tcg test suite
corp enroll on reef, reboot a few times, verify that enrollment sticks
Change-Id: I177daa3ceb4fd7aac299ca26b4506b863e31b946
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/433184
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch makes incompatible changes to the nvmem layout: the header
is increased to accommodate a 16 byte sha ans a 16 byte padding for
future extensions.
The layout version field is also introduced to make it easier to track
changes in the future. When calculating SHA the entire partition above
the SHA field is processed. Encryption covers everything above the
header.
Introducing encryption makes it impossible to use flash contents
directly for read and compare operations.
The nvmem_setup function is modified to use the nvnem_save() instead
of writing into the flash directly.
BRANCH=none
BUG=chrome-os-partner:62260
TEST=ran the following tests, all succeeded
make buildall -j
TEST_LIST_HOST=nvmem make runtests
tcg test suite
corp enroll on reef, reboot a few times, verify that enrollment sticks
Change-Id: I50b148ac0dc6bc924f4d65c67bc6610100d9dfc0
Reviewed-on: https://chromium-review.googlesource.com/428691
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On boards based on the g chip cryptographic functions come from
hardware, they should be implemented in chip/g as opposed to a
particular board.
The common modules (like nvmem) should be using some generic API,
which hopefully will be implemented by other chips, or could be
replaced by a purely software implementation where crypto hardware
support is not available.
Crypto API definition is being added in include/ and the g chip
implementation (a wrapper around dcrypto functions) is being added in
chip/g.
test/nvmem_vars.h needed to be edited to avoid conflict with
<string.h>.
BRANCH=none
BUG=chrome-os-partner:62260
TEST=make buildall -j still passes. Booting reef with the new image
works fine too.
Change-Id: Ifef281215f89239966882ecbe3e90c8351b9b91a
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/431313
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Nagendra Modadugu <ngm@google.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With upcoming versioning of NVMEM contents let's replace term
'version' with term 'generation' in the existing nvmem implementation.
Generation would allow to tell between two instances of NVMEM stored
in flash memory. The upcoming version field in the header will be used
to tell between different nvmem layouts.
This patch was created by invoking the following command:
sed -i 's/VERSION/GENERATION/g;s/version/generation/g' \
common/nvmem.c include/nvmem.h test/nvmem.c
and then editing a few remaining capitalized instances.
This also fixes nvmem test broken by an earlier patch.
BRANCH=none
BUG=chrome-os-partner:62260
TEST=the following tests succeed:
make buildall -j
TEST_LIST_HOST=nvmem make runtests
booitng reef with cr50
Change-Id: I96e52dc93ca7c52c55794ba3e8c2774571212de0
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/431312
Reviewed-by: Scott Collyer <scollyer@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch eliminates NVMEM commits at system startup, namely between
the moment the TPM is reset and the moment the AP is trying to read a
PCR (which is an indication of the AP having booted into OS).
To avoid losing NVMEM changes in case TPM is reset before PCR Read
command is issued, pending changes (if any) are saved before TPM reset
is processed.
For the same reason TPM reset invocation is being added to the hard
reboot path; this will kick in when there is a restart after cr50
firmware update.
BRANCH=none
BUG=chrome-os-partner:59873
TEST=with instrumented coreboot/depthcharge observed the following
execution times for various TPM command issued at startup
command 0x144, 15203 us
command 0x14e, 11814 us
command 0x182, 12461 us
command 0x182, 12456 us
command 0x138, 11503 us
command 0x138, 11512 us
command 0x14e, 14648 us
command 0x14e, 12597 us
command 0x121, 11353 us
which totals 113 ms and shaves more than 200 ms off the boot time.
Change-Id: Ic52309291fdb9c3ede96e0ad015ad9fc076bddc5
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/424063
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the console is unlocked, the function nvmem_wipe_or_reboot()
is called. This holds the EC in reset, clears nvmem, resets the
TPM task, then releases the EC. Nothing about that should cause
the Cr50 to reboot, but it was happening anyway.
This CL addresses several subtle problems.
First, holding the EC in reset invoked the sys_rst_asserted()
interrupt handler, triggering extra (and early) calls to
tpm_reset(). That should wait until after nvmem is cleared, and
only be called once.
Second, the intentional call to tpm_reset() caused the current
(HOOKS) task to wait for the operation to finish, but it didn't
wait long enough (recreating the endorsement certs can take over
a second). When the task_wake_event() returned, a timeout was
indicated in addition to the completion event.
Third, because we checked for the timeout first, we reported an
error even though tpm_reset() completed successfully, just slower
than we expected. We didn't get the timeout event before it
completed because the TPM task runs at a higher priority.
This CL addresses all of these cases, and makes wiping nvmem the
responsibility of the TPM task as well, so that it can do it when it's
ready.
Note that the EC (and thus AP too) will be held in reset while nvmem is
erased.
BUG=chrome-os-partner:59902
BRANCH=none
TEST=make buildall, manual tests
From the Cr50 console, run the "lock on" and "lock off" commands.
Try it both with and without the battery present. Observe that
the Cr50 no longer reboots just because the console unlocks.
Change-Id: I65a342502718acc5b9bda8c6f28dcd27e8f027f7
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/411379
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Cr50 console provides access to all sorts of dangerous
commands. To protect user secrets, we must erase the persistent
storage before unlocking the console.
Note that this will not powerwash the AP, leaving you with the
impression that you've just forgotten your password. You'll have
to manually powerwash (Ctrl+Alt+Shift+R) afterwards. That will be
addressed in a future CL.
BUG=chrome-os-partner:55728
BRANCH=none
TEST=make buildall, test on Gru
Lock the console if it's not already ("lock enable"), then unlock
it with "lock disable". Confirm that the NVMEM region is erased
following a successful unlock process.
Change-Id: Iebcd69c9f757f5ab5d496218f065197d3f1f746c
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/382666
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TPM2.0 needs more NvMem space and currently the whole block is
contiguous in memory with 2 partitions. This CL removes the
requirement that the partitions are in contiguous which allows for 1
partition to placed at top of RW_A and the other at RW_B.
This CL does not change the size of each partition as that will be
done in a subsequent CL.
BRANCH=none
BUG=chrome-os-partner:56798
TEST=manual
Tested with the unit test 'make runtests TEST_LIST_HOST=nvmem' and
verified that all tests pass.
Tested on Kevin, erased the existing NvMem area and verified that TPM
was still manufactured and executed the command: trunks_client --own
Erased parition 0 and 1 in the new locations and repeated the tests.
Change-Id: I295441f94dccdf5a152c32603c2638ffac23f471
Signed-off-by: Scott <scollyer@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/378675
Commit-Ready: Bill Richardson <wfrichar@chromium.org>
Tested-by: Bill Richardson <wfrichar@chromium.org>
Tested-by: Scott Collyer <scollyer@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The nvmem space defined in the ec code base for the cr50 board is used
by the TPM2 library, which has its own nvram size definition. The two
definitions must match.
On top of the fact that the definitions are not locked to each other,
there is a third completely unrelated nvram size definition in
board/cr50/board.c.
This patch unifies nvmem size definitions between cr50 and tpm2
repositories by adding a compile time check for the size to be the
same on both sides.
Also, it turns out that two certificates (RSA and ECC) together do not
quite fit into the cr50 TPM nvram. Hence the total allocated nvmem
space is being increased to 20K (note that the actual nvram size
available to the TPM is less than half of this).
BRANCH=none
BUG=chrome-os-partner:55898
TEST=tpm does not lock up any more when 'tpm_client --own' is ran on the
Kevin-tpm2 command line
CQ-DEPEND=CL:367010
Change-Id: I20b4f54118bd2fa12e5bd5741d6c58fbe91f65d1
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/366796
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Used #define CONFIG_FLASH_NVMEM to have functions in
/board/tpm2/NVMem.c utlitize on chip Nvmem functions.
On chip NV Memory availability is tied to an internal nvmem
error state which itself only depends on finding at least one
valid partition.
Added nvmem_is_different and nvmem_move functions which were
needed to complete the tpm2 platform interface. In addition,
added unit tests to support these two new functions.
BUG=chrome-os-partner:44745
BRANCH=none
TEST=manual
make runtests TEST_LIST_HOST=nvmem and verify that all tests pass.
Tested with tcg_test utility to test reads/writes using the
command "build/test-tpm2/install/bin/compliance --ntpm
localhost:9883 --select CPCTPM_TC2_3_33_07_01".
Change-Id: I475fdd1331e28ede00f9b674c7bee1536fa9ea48
Signed-off-by: Scott <scollyer@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/346236
Commit-Ready: Scott Collyer <scollyer@chromium.org>
Tested-by: Scott Collyer <scollyer@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
|
|
Full implementation of NvMem read, write, and commit functions.
Includes partition definitions, shared memory allocation, and
initialization function.
Includes a set of unit tests located in ec/test/nvmem.c which
verify functionality.
This module is required by Cr50, however this CL does not
include any Cr50 specific code.
BUG=chrome-os-partner:44745
BRANCH=none
TEST=manual
make runtests TEST_LIST_HOST=nvmem and verify that all tests pass
Change-Id: I515b094f2179dbcb75dd11ab5b14434caad37edd
Signed-off-by: Scott <scollyer@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/345632
Commit-Ready: Scott Collyer <scollyer@chromium.org>
Tested-by: Scott Collyer <scollyer@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
|