From 83cf8d0a7a3e952da34740b9a1e255eaa64395af Mon Sep 17 00:00:00 2001 From: Nicolas Boichat Date: Mon, 13 Feb 2017 17:17:01 +0800 Subject: flash: Add EC_FLASH_PROTECT_RW_[AT_BOOT|NOW] flags The idea of this flag is to be able to protect/unprotect only the RW portion of the flash. In the (usual) case where ALL=RO+RW, with no other region, this makes no difference compared to the existing EC_FLASH_PROTECT_ALL_* flag, and this flag may not be supported. This is necessary for futher work, where a ROLLBACK region is added, so that RW/ROLLBACK can be protected/unprotected individually. Only support for stm32f0 is added, as this is the target for hammer. BRANCH=none BUG=chrome-os-partner:61671 TEST=build and flash hammer (stm32f072) flashinfo => RO+RW not protected flashwp true; reboot => only RO protected flashwp all; reboot => RO+RW protected flashwp noall; reboot => only RO protected flashwp rw/norw not available TEST=enable CONFIG_FLASH_PROTECT_RW build and flash hammer (stm32f072) flashinfo => RO+RW not protected flashwp true; reboot => only RO protected flashwp all; reboot => RO+RW protected flashwp noall; reboot => only RO protected flashwp rw; reboot => RO+RW protected flashwp norw; reboot => only RO protected TEST=build and flash reef (npcx) flashinfo => RO+RW not protected flashwp true => RO protected flashwp all; flashinfo => all_now displayed reboot => RO protected flashwp rw/norw not available Change-Id: Ica6f499cf2e8a9345b08ef52c915655a983ffe3c Reviewed-on: https://chromium-review.googlesource.com/442265 Commit-Ready: Nicolas Boichat Tested-by: Nicolas Boichat Reviewed-by: Randall Spangler --- chip/stm32/flash-f.c | 13 +++++++ chip/stm32/flash-stm32f0.c | 86 +++++++++++++++++++++++++++++++++++++++++++--- common/flash.c | 77 +++++++++++++++++++++++++++++++++-------- include/config.h | 5 +++ include/ec_commands.h | 4 +++ include/flash.h | 7 ++++ util/ectool.c | 4 +++ 7 files changed, 177 insertions(+), 19 deletions(-) diff --git a/chip/stm32/flash-f.c b/chip/stm32/flash-f.c index 0c99ec398d..2ab05859fa 100644 --- a/chip/stm32/flash-f.c +++ b/chip/stm32/flash-f.c @@ -356,6 +356,10 @@ int flash_physical_protect_at_boot(uint32_t new_flags) if (block >= WP_BANK_OFFSET && block < WP_BANK_OFFSET + WP_BANK_COUNT) protect |= new_flags & EC_FLASH_PROTECT_RO_AT_BOOT; +#ifdef CONFIG_FLASH_PROTECT_RW + else + protect |= new_flags & EC_FLASH_PROTECT_RW_AT_BOOT; +#endif if (protect) val[byte_off] = val[byte_off] & (~(1 << (block % 8))); @@ -476,6 +480,15 @@ int flash_pre_init(void) need_reset = 1; } +#ifdef CONFIG_FLASH_PROTECT_RW + if ((flash_physical_get_valid_flags() & EC_FLASH_PROTECT_RW_AT_BOOT) && + (!!(prot_flags & EC_FLASH_PROTECT_RW_AT_BOOT) != + !!(prot_flags & EC_FLASH_PROTECT_RW_NOW))) { + /* RW_AT_BOOT and RW_NOW do not match. */ + need_reset = 1; + } +#endif + if (need_reset) system_reset(SYSTEM_RESET_HARD | SYSTEM_RESET_PRESERVE_FLAGS); diff --git a/chip/stm32/flash-stm32f0.c b/chip/stm32/flash-stm32f0.c index 229fd108af..e047854d0a 100644 --- a/chip/stm32/flash-stm32f0.c +++ b/chip/stm32/flash-stm32f0.c @@ -8,6 +8,7 @@ #include "common.h" #include "flash.h" #include "registers.h" +#include "util.h" /*****************************************************************************/ /* Physical layer APIs */ @@ -17,6 +18,10 @@ int flash_physical_get_protect(int block) return !(STM32_FLASH_WRPR & (1 << block)); } +/* + * Note: This does not need to update _NOW flags, as get_protect_flags + * in common code already does so. + */ uint32_t flash_physical_get_protect_flags(void) { uint32_t flags = 0; @@ -25,8 +30,71 @@ uint32_t flash_physical_get_protect_flags(void) uint32_t wrp23 = REG32(STM32_OPTB_BASE + STM32_OPTB_WRP23); #endif - if (STM32_FLASH_WRPR == 0) - flags |= EC_FLASH_PROTECT_ALL_NOW; + /* + * We only need to return detailed flags if we want to protect RW or + * ROLLBACK independently (EC_FLASH_PROTECT_RO_AT_BOOT should be set + * by pstate logic). + */ +#if defined(CONFIG_FLASH_PROTECT_RW) + /* Flags that must be set for each region. */ + const int mask_flags[] = { + [FLASH_REGION_RW] = EC_FLASH_PROTECT_RW_AT_BOOT, + [FLASH_REGION_RO] = EC_FLASH_PROTECT_RO_AT_BOOT, + }; + /* + * Sets up required mask for wrp01/23 registers: for protection to be + * set, values set in the mask must be zeros, values in the mask << 8 + * must be ones. + * + * Note that these masks are actually static, and could be precomputed + * at build time to save flash space. + */ + uint32_t wrp_mask[FLASH_REGION_COUNT][2]; + int i; + int shift = 0; + int reg = 0; + + memset(wrp_mask, 0, sizeof(wrp_mask)); + + /* Scan flash protection */ + for (i = 0; i < PHYSICAL_BANKS; i++) { + /* Default: RW. */ + int region = FLASH_REGION_RW; + + if (i >= WP_BANK_OFFSET && + i < WP_BANK_OFFSET + WP_BANK_COUNT) + region = FLASH_REGION_RO; + + switch (i) { + case 8: +#if CONFIG_FLASH_SIZE > 64 * 1024 + case 24: +#endif + shift += 8; + break; +#if CONFIG_FLASH_SIZE > 64 * 1024 + case 16: + reg = 1; + shift = 0; + break; +#endif + } + + wrp_mask[region][reg] |= 1 << shift; + shift++; + } + + for (i = 0; i < FLASH_REGION_COUNT; i++) { + if (!(wrp01 & wrp_mask[i][0]) && + (wrp01 & wrp_mask[i][0] << 8) == (wrp_mask[i][0] << 8)) +#if CONFIG_FLASH_SIZE > 64 * 1024 + if (!(wrp23 & wrp_mask[i][1]) && + (wrp23 & wrp_mask[i][1] << 8) == + (wrp_mask[i][1] << 8)) +#endif + flags |= mask_flags[i]; + } +#endif /* CONFIG_FLASH_PROTECT_RW */ if (wrp01 == 0xff00ff00) #if CONFIG_FLASH_SIZE > 64 * 1024 @@ -51,8 +119,12 @@ int flash_physical_restore_state(void) uint32_t flash_physical_get_valid_flags(void) { return EC_FLASH_PROTECT_RO_AT_BOOT | - EC_FLASH_PROTECT_ALL_AT_BOOT | EC_FLASH_PROTECT_RO_NOW | +#ifdef CONFIG_FLASH_PROTECT_RW + EC_FLASH_PROTECT_RW_AT_BOOT | + EC_FLASH_PROTECT_RW_NOW | +#endif + EC_FLASH_PROTECT_ALL_AT_BOOT | EC_FLASH_PROTECT_ALL_NOW; } @@ -65,12 +137,18 @@ uint32_t flash_physical_get_writable_flags(uint32_t cur_flags) ret |= EC_FLASH_PROTECT_RO_AT_BOOT; /* - * RW at-boot state can be set if WP GPIO is asserted and can always + * ALL/RW at-boot state can be set if WP GPIO is asserted and can always * be cleared. */ if (cur_flags & (EC_FLASH_PROTECT_ALL_AT_BOOT | EC_FLASH_PROTECT_GPIO_ASSERTED)) ret |= EC_FLASH_PROTECT_ALL_AT_BOOT; +#ifdef CONFIG_FLASH_PROTECT_RW + if (cur_flags & (EC_FLASH_PROTECT_RW_AT_BOOT | + EC_FLASH_PROTECT_GPIO_ASSERTED)) + ret |= EC_FLASH_PROTECT_RW_AT_BOOT; +#endif + return ret; } diff --git a/common/flash.c b/common/flash.c index 275e4692e8..673c962295 100644 --- a/common/flash.c +++ b/common/flash.c @@ -523,8 +523,12 @@ int flash_protect_at_boot(uint32_t new_flags) uint32_t flash_get_protect(void) { uint32_t flags = 0; - int not_protected[2] = {0}; int i; + /* Region protection status */ + int not_protected[FLASH_REGION_COUNT] = {0}; + /* Flags that must be set to set ALL_NOW flag. */ + const uint32_t all_flags = EC_FLASH_PROTECT_RO_NOW | + EC_FLASH_PROTECT_RW_NOW; /* Read write protect GPIO */ #ifdef CONFIG_WP_ALWAYS @@ -544,26 +548,29 @@ uint32_t flash_get_protect(void) /* Scan flash protection */ for (i = 0; i < PHYSICAL_BANKS; i++) { - /* Is this bank part of RO */ int is_ro = (i >= WP_BANK_OFFSET && - i < WP_BANK_OFFSET + WP_BANK_COUNT) ? 1 : 0; - - int bank_flag = (is_ro ? EC_FLASH_PROTECT_RO_NOW : - EC_FLASH_PROTECT_ALL_NOW); + i < WP_BANK_OFFSET + WP_BANK_COUNT); + enum flash_region region = is_ro ? FLASH_REGION_RO : + FLASH_REGION_RW; + int bank_flag = is_ro ? EC_FLASH_PROTECT_RO_NOW : + EC_FLASH_PROTECT_RW_NOW; if (flash_physical_get_protect(i)) { /* At least one bank in the region is protected */ flags |= bank_flag; - if (not_protected[is_ro]) + if (not_protected[region]) flags |= EC_FLASH_PROTECT_ERROR_INCONSISTENT; } else { /* At least one bank in the region is NOT protected */ - not_protected[is_ro] = 1; + not_protected[region] = 1; if (flags & bank_flag) flags |= EC_FLASH_PROTECT_ERROR_INCONSISTENT; } } + if ((flags & all_flags) == all_flags) + flags |= EC_FLASH_PROTECT_ALL_NOW; + /* * If the RW banks are protected but the RO banks aren't, that's * inconsistent. @@ -572,10 +579,14 @@ uint32_t flash_get_protect(void) * since some chips can also protect ALL_NOW for the current boot by * locking up the flash program-erase registers. */ - if ((flags & EC_FLASH_PROTECT_ALL_NOW) && - !(flags & EC_FLASH_PROTECT_RO_NOW)) + if ((flags & all_flags) && !(flags & EC_FLASH_PROTECT_RO_NOW)) flags |= EC_FLASH_PROTECT_ERROR_INCONSISTENT; +#ifndef CONFIG_FLASH_PROTECT_RW + /* RW flag was used for intermediate computations, clear it now. */ + flags &= ~EC_FLASH_PROTECT_RW_NOW; +#endif + /* Add in flags from physical layer */ return flags | flash_physical_get_protect_flags(); } @@ -585,7 +596,8 @@ int flash_set_protect(uint32_t mask, uint32_t flags) int retval = EC_SUCCESS; int rv; int old_flags_at_boot = flash_get_protect() & - (EC_FLASH_PROTECT_RO_AT_BOOT | EC_FLASH_PROTECT_ALL_AT_BOOT); + (EC_FLASH_PROTECT_RO_AT_BOOT | EC_FLASH_PROTECT_RW_AT_BOOT | + EC_FLASH_PROTECT_ALL_AT_BOOT); int new_flags_at_boot = old_flags_at_boot; /* Sanitize input flags */ @@ -618,9 +630,23 @@ int flash_set_protect(uint32_t mask, uint32_t flags) new_flags_at_boot &= ~(mask & EC_FLASH_PROTECT_RO_AT_BOOT); new_flags_at_boot |= flags & EC_FLASH_PROTECT_RO_AT_BOOT; + /* Removing ALL must also remove RW */ if ((mask & EC_FLASH_PROTECT_ALL_AT_BOOT) && - !(flags & EC_FLASH_PROTECT_ALL_AT_BOOT)) + !(flags & EC_FLASH_PROTECT_ALL_AT_BOOT)) { new_flags_at_boot &= ~EC_FLASH_PROTECT_ALL_AT_BOOT; +#ifdef CONFIG_FLASH_PROTECT_RW + new_flags_at_boot &= ~EC_FLASH_PROTECT_RW_AT_BOOT; +#endif + } + +#ifdef CONFIG_FLASH_PROTECT_RW + /* Removing RW must also remove ALL (otherwise nothing will happen). */ + if ((mask & EC_FLASH_PROTECT_RW_AT_BOOT) && + !(flags & EC_FLASH_PROTECT_RW_AT_BOOT)) { + new_flags_at_boot &= ~EC_FLASH_PROTECT_ALL_AT_BOOT; + new_flags_at_boot &= ~EC_FLASH_PROTECT_RW_AT_BOOT; + } +#endif if (new_flags_at_boot != old_flags_at_boot) { rv = flash_protect_at_boot(new_flags_at_boot); @@ -638,11 +664,15 @@ int flash_set_protect(uint32_t mask, uint32_t flags) return retval; /* - * The case where ALL_AT_BOOT is unset is already covered above, + * The case where ALL/RW_AT_BOOT is unset is already covered above, * so we do not need to mask it out. */ new_flags_at_boot |= flags & EC_FLASH_PROTECT_ALL_AT_BOOT; +#ifdef CONFIG_FLASH_PROTECT_RW + new_flags_at_boot |= flags & EC_FLASH_PROTECT_RW_AT_BOOT; +#endif + if (new_flags_at_boot != old_flags_at_boot) { rv = flash_protect_at_boot(new_flags_at_boot); if (rv) @@ -689,6 +719,12 @@ static int command_flash_info(int argc, char **argv) ccputs(" ro_now"); if (i & EC_FLASH_PROTECT_ALL_NOW) ccputs(" all_now"); +#ifdef CONFIG_FLASH_PROTECT_RW + if (i & EC_FLASH_PROTECT_RW_AT_BOOT) + ccputs(" rw_at_boot"); + if (i & EC_FLASH_PROTECT_RW_NOW) + ccputs(" rw_now"); +#endif if (i & EC_FLASH_PROTECT_ERROR_STUCK) ccputs(" STUCK"); if (i & EC_FLASH_PROTECT_ERROR_INCONSISTENT) @@ -838,6 +874,14 @@ static int command_flash_wp(int argc, char **argv) if (!strcasecmp(argv[1], "noall")) return flash_set_protect(EC_FLASH_PROTECT_ALL_AT_BOOT, 0); +#ifdef CONFIG_FLASH_PROTECT_RW + if (!strcasecmp(argv[1], "rw")) + return flash_set_protect(EC_FLASH_PROTECT_RW_AT_BOOT, -1); + + if (!strcasecmp(argv[1], "norw")) + return flash_set_protect(EC_FLASH_PROTECT_RW_AT_BOOT, 0); +#endif + /* Do this last, since anything starting with 'n' means "no" */ if (parse_bool(argv[1], &val)) return flash_set_protect(EC_FLASH_PROTECT_RO_AT_BOOT, @@ -846,8 +890,11 @@ static int command_flash_wp(int argc, char **argv) return EC_ERROR_PARAM1; } DECLARE_CONSOLE_COMMAND(flashwp, command_flash_wp, - " | now | all | noall", - "Modify flash write protect"); + " | now | all | noall" +#ifdef CONFIG_FLASH_PROTECT_RW + " | rw | norw" +#endif + , "Modify flash write protect"); /*****************************************************************************/ /* Host commands */ diff --git a/include/config.h b/include/config.h index cf3e6e19dd..129b1bd648 100644 --- a/include/config.h +++ b/include/config.h @@ -990,6 +990,11 @@ #undef CONFIG_FLASH_PROTECT_NEXT_BOOT +/* + * Some platforms need to write protect RW independently of all flash. + */ +#undef CONFIG_FLASH_PROTECT_RW + /* * Store persistent write protect for the flash inside the flash data itself. * This allows ECs with internal flash to emulate something closer to a SPI diff --git a/include/ec_commands.h b/include/ec_commands.h index cf3134cd66..2a44a7dded 100644 --- a/include/ec_commands.h +++ b/include/ec_commands.h @@ -1209,6 +1209,10 @@ struct __ec_align4 ec_params_flash_erase { #define EC_FLASH_PROTECT_ERROR_INCONSISTENT (1 << 5) /* Entire flash code protected when the EC boots */ #define EC_FLASH_PROTECT_ALL_AT_BOOT (1 << 6) +/* RW flash code protected when the EC boots */ +#define EC_FLASH_PROTECT_RW_AT_BOOT (1 << 7) +/* RW flash code protected now. */ +#define EC_FLASH_PROTECT_RW_NOW (1 << 8) struct __ec_align4 ec_params_flash_protect { uint32_t mask; /* Bits in flags to apply */ diff --git a/include/flash.h b/include/flash.h index caa6d0b897..548f889e72 100644 --- a/include/flash.h +++ b/include/flash.h @@ -26,6 +26,13 @@ #define PSTATE_BANK_COUNT 0 #endif +/* This enum is useful to identify different regions during verification. */ +enum flash_region { + FLASH_REGION_RW = 0, + FLASH_REGION_RO, + FLASH_REGION_COUNT +}; + /*****************************************************************************/ /* Low-level methods, for use by flash_common. */ diff --git a/util/ectool.c b/util/ectool.c index cb90d1af51..f2bf6662ce 100644 --- a/util/ectool.c +++ b/util/ectool.c @@ -907,10 +907,14 @@ static void print_flash_protect_flags(const char *desc, uint32_t flags) printf(" wp_gpio_asserted"); if (flags & EC_FLASH_PROTECT_RO_AT_BOOT) printf(" ro_at_boot"); + if (flags & EC_FLASH_PROTECT_RW_AT_BOOT) + printf(" rw_at_boot"); if (flags & EC_FLASH_PROTECT_ALL_AT_BOOT) printf(" all_at_boot"); if (flags & EC_FLASH_PROTECT_RO_NOW) printf(" ro_now"); + if (flags & EC_FLASH_PROTECT_RW_NOW) + printf(" rw_now"); if (flags & EC_FLASH_PROTECT_ALL_NOW) printf(" all_now"); if (flags & EC_FLASH_PROTECT_ERROR_STUCK) -- cgit v1.2.1