From a865ec4e8080322799c655358ddfd735d6a952fb Mon Sep 17 00:00:00 2001 From: Bill Richardson Date: Thu, 21 Jul 2016 18:34:06 -0700 Subject: Cr50: Rearrange flash to allow dual RO images We had been putting the NVMEM flash where the boot rom would expect to find RO_B, preventing us from ever being able to update the bootloader. With this CL, we're rearranging the flash to support both RO_A and RO_B. The current flash layout now looks like this: 0x40000 RO_A 0x44000 RW_A 0x7c000 TOP_A 0x80000 RO_B 0x84000 RW_B 0xbc000 NVMEM 0xbffff BUG=chrome-os-partner:44803 BRANCH=none TEST=make buildall, also manual tests on Cr50 boards First, check that our current process still works: make BOARD=cr50 CR50_RO_KEY=cr50_rom0-dev-blsign.pem.pub spiflash -i -v build/cr50/ec.hex Yep, it does, but that only produces RO_A, not RO_B. To test the dual RO behavior, I used prebuilt RO_A and RO_B blobs for the bootloaders, signed using Marius' new scheme. Build the unsigned image, then sign it using Vadim's scripts: make BOARD=cr50 -j30 ~/bin/bs hex We'll garble various bits of the full image to invalidate each of the four RO/RW/A/B parts. Find lines common to both ROs and common to both RWs: sort B1*.hex | uniq -c | grep ' 2 ' | \ awk '{print $2}' | sort > tmp.ro2 sort build/cr50/RW/ec.RW*.signed.hex | uniq -c | grep ' 2 ' | \ awk '{print $2}' | sort > tmp.rw2 ro=$(diff tmp.ro2 tmp.rw2 | grep '<' | head -1 | awk '{print $2}') rw=$(diff tmp.ro2 tmp.rw2 | grep '>' | head -1 | awk '{print $2}') Double-check to be sure we don't have any false matches: grep -l $ro build/cr50/RW/ec.RW*.signed.hex B1_*.hex grep -l $rw build/cr50/RW/ec.RW*.signed.hex B1_*.hex The pre-signed RO_A image is older than RO_B, but both have the same epoch/major/minor, which is all that the bootrom checks for. It doesn't look at the timestamp. The RW_A is older than RW_B because of the sequential signing process. The RO bootloaders will check their timestamp, so RW_B should be preferred. RO_A RO_B RW_A RW_B good good good good cat build/cr50/RW/ec.RW*.signed.hex B1_*.hex > foo.hex spiflash -v -i foo.hex jump @00040400 jump @00084000 => boots RO_A -> RW_B RO_A RO_B RW_A RW_B good good good bad cat build/cr50/RW/ec.RW*.signed.hex B1_*.hex > foo.hex ln=$(grep -n $rw foo.hex | awk -F: 'NR==2 {print $1}') sed -i "${ln}d" foo.hex spiflash -v -i foo.hex jump @00040400 jump @00044000 => boots RO_A -> RW_A RO_A RO_B RW_A RW_B bad good good good cat build/cr50/RW/ec.RW*.signed.hex B1_*.hex > foo.hex ln=$(grep -n $ro foo.hex | awk -F: 'NR==1 {print $1}') sed -i "${ln}d" foo.hex spiflash -v -i foo.hex jump @00080400 jump @00084000 => boots RO_B -> RW_B RO_A RO_B RW_A RW_B bad good good bad cat build/cr50/RW/ec.RW*.signed.hex B1_*.hex > foo.hex ln=$(grep -n $ro foo.hex | awk -F: 'NR==1 {print $1}') sed -i "${ln}d" foo.hex ln=$(grep -n $rw foo.hex | awk -F: 'NR==2 {print $1}') sed -i "${ln}d" foo.hex spiflash -v -i foo.hex jump @00080400 jump @00044000 => boots RO_B -> RW_A Yay. Now make sure RW_A and RW_B can be updated using usb_updater. \rm -rf build make BOARD=cr50 -j30 ~/bin/bs ./extra/usb_updater/usb_updater build/cr50/ec.bin I'm running RW_A, it updates and reboots into RW_B. Good. reboot 5 times, and it reverts to RW_A. Power cycle and it goes to RW_B again. Update to RW_A. \rm -rf build make BOARD=cr50 -j30 ~/bin/bs ./extra/usb_updater/usb_updater build/cr50/ec.bin I'm running RW_B, it updates and reboots into RW_A. Good. reboot 5 times, and it reverts to RW_B. Power cycle and it goes to RW_A again. Cool. Change-Id: I6c1689920de06c72c69f58ad2ef1059d9ee0d75f Signed-off-by: Bill Richardson Reviewed-on: https://chromium-review.googlesource.com/362521 Reviewed-by: Vadim Bendebury --- board/cr50/board.c | 53 +++++++++++++++++---------------- board/cr50/board.h | 5 ++-- chip/g/config_chip.h | 83 ++++++++++++++++++++++++++++++++++++++++++---------- chip/g/flash.c | 4 +-- chip/g/loader/main.c | 4 +-- 5 files changed, 102 insertions(+), 47 deletions(-) diff --git a/board/cr50/board.c b/board/cr50/board.c index f2c1b99569..daaaf6b87a 100644 --- a/board/cr50/board.c +++ b/board/cr50/board.c @@ -171,35 +171,38 @@ const unsigned int spi_devices_used = ARRAY_SIZE(spi_devices); int flash_regions_to_enable(struct g_flash_region *regions, int max_regions) { - uint32_t half = CONFIG_FLASH_SIZE / 2; + /* + * This needs to account for two regions: the "other" RW partition and + * the NVRAM in TOP_B. + * + * When running from RW_A the two regions are adjacent, but it is + * simpler to keep function logic the same and always configure two + * separate regions. + */ - if (max_regions < 1) + if (max_regions < 2) return 0; - if ((uint32_t)flash_regions_to_enable < - (CONFIG_MAPPED_STORAGE_BASE + half)) - /* - * Running from RW_A. Need to enable writes into the top half, - * which consists of NV_RAM and RW_B sections. - */ - regions->reg_base = CONFIG_MAPPED_STORAGE_BASE + half; + /* Enable access to the other RW image... */ + if (system_get_image_copy() == SYSTEM_IMAGE_RW) + /* Running RW_A, enable RW_B */ + regions[0].reg_base = CONFIG_MAPPED_STORAGE_BASE + + CONFIG_RW_B_MEM_OFF; else - /* - * Running from RW_B, need to enable access to both program - * memory in the lower half and the NVRAM space in the top - * half. - * - * NVRAM space in the top half by design is at the same offset - * and of the same size as the RO section in the lower half. - */ - regions->reg_base = CONFIG_MAPPED_STORAGE_BASE + - CONFIG_RO_SIZE; - - /* The size of the write enable area is the same in both cases. */ - regions->reg_size = half; - regions->reg_perms = FLASH_REGION_EN_ALL; - - return 1; /* One region is enough. */ + /* Running RW_B, enable RW_A */ + regions[0].reg_base = CONFIG_MAPPED_STORAGE_BASE + + CONFIG_RW_MEM_OFF; + /* Size is the same */ + regions[0].reg_size = CONFIG_RW_SIZE; + regions[0].reg_perms = FLASH_REGION_EN_ALL; + + /* Enable access to the NVRAM region */ + regions[1].reg_base = CONFIG_MAPPED_STORAGE_BASE + + CONFIG_FLASH_NVMEM_OFFSET; + regions[1].reg_size = CONFIG_FLASH_NVMEM_SIZE; + regions[1].reg_perms = FLASH_REGION_EN_ALL; + + return 2; } #define CPRINTS(format, args...) cprints(CC_SYSTEM, format, ## args) diff --git a/board/cr50/board.h b/board/cr50/board.h index b8fcf710f9..c3b9066730 100644 --- a/board/cr50/board.h +++ b/board/cr50/board.h @@ -21,14 +21,15 @@ /* TODO(crosbug.com/p/44745): For debugging only */ #define CONFIG_CMD_FLASH +/* We're using all of TOP_B for NVMEM. TOP_A is unused as yet. */ #define CONFIG_FLASH_NVMEM /* Offset to start of NvMem area from base of flash */ -#define CONFIG_FLASH_NVMEM_OFFSET (CONFIG_FLASH_SIZE>>1) +#define CONFIG_FLASH_NVMEM_OFFSET (CFG_TOP_B_OFF) /* Address of start of Nvmem area */ #define CONFIG_FLASH_NVMEM_BASE (CONFIG_PROGRAM_MEMORY_BASE + \ CONFIG_FLASH_NVMEM_OFFSET) /* Size in bytes of NvMem area */ -#define CONFIG_FLASH_NVMEM_SIZE CONFIG_RW_MEM_OFF +#define CONFIG_FLASH_NVMEM_SIZE CFG_TOP_SIZE /* Size partition in NvMem */ #define NVMEM_PARTITION_SIZE (CONFIG_FLASH_NVMEM_SIZE / NVMEM_NUM_PARTITIONS) diff --git a/chip/g/config_chip.h b/chip/g/config_chip.h index 1f67678d71..99b9195b8b 100644 --- a/chip/g/config_chip.h +++ b/chip/g/config_chip.h @@ -36,11 +36,6 @@ /* Program is run directly from storage */ #define CONFIG_MAPPED_STORAGE_BASE CONFIG_PROGRAM_MEMORY_BASE -#if defined(BOARD) -/* Compute the rest of the flash params from these */ -#include "config_std_internal_flash.h" -#endif - /* Interval between HOOK_TICK notifications */ #define HOOK_TICK_INTERVAL_MS 500 #define HOOK_TICK_INTERVAL (HOOK_TICK_INTERVAL_MS * MSEC) @@ -67,17 +62,73 @@ /* Number of IRQ vectors on the NVIC */ #define CONFIG_IRQ_COUNT (GC_INTERRUPTS_COUNT - 15) -#undef CONFIG_RW_MEM_OFF -#undef CONFIG_RW_SIZE - -/* Leaving 16K for the RO aka loader. */ -#define CONFIG_RW_MEM_OFF 0x4000 -#define CONFIG_RW_B_MEM_OFF (CONFIG_RW_MEM_OFF + (CONFIG_FLASH_SIZE>>1)) -#define CONFIG_RW_SIZE ((CONFIG_FLASH_SIZE>>1) - CONFIG_RW_MEM_OFF) -#define CONFIG_CUSTOMIZED_RO +/* We'll have some special commands of our own */ #define CONFIG_EXTENSION_COMMAND 0xbaccd00a -#undef CONFIG_RO_SIZE -#define CONFIG_RO_SIZE CONFIG_RW_MEM_OFF +/* + * The flash memory is implemented in two halves. The SoC bootrom will look for + * the first-stage bootloader at the beginning of each of the two halves and + * prefer the newer one if both are valid. In EC terminology the bootloader + * would be called the RO firmware, so we actually have two, not one. The + * bootloader also looks in each half of the flash for a valid RW firmware, so + * we have two possible RW images as well. The RO and RW images are not tightly + * coupled, so either RO image can choose to boot either RW image. + * + * The EC firmware configuration is not (yet?) prepared to handle multiple, + * non-contiguous, RO/RW combinations, so there's a bit of hackery to make this + * work. + * + * The following macros try to make this all work. + */ + +/* It's easier for us to consider each half as having its own RO and RW */ +#define CFG_FLASH_HALF (CONFIG_FLASH_SIZE >> 1) + +/* + * We'll reserve some space at the top of each flash half for persistent + * storage and other stuff that's not part of the RW image. We don't promise to + * use these two areas for the same thing, it's just more convenient to make + * them the same size. + */ +#define CFG_TOP_SIZE 0x4000 +#define CFG_TOP_A_OFF (CFG_FLASH_HALF - CFG_TOP_SIZE) +#define CFG_TOP_B_OFF (CONFIG_FLASH_SIZE - CFG_TOP_SIZE) + +/* The RO images start at the very beginning of each flash half */ +#define CONFIG_RO_MEM_OFF 0 + +/* Size reserved for each RO image */ +#define CONFIG_RO_SIZE 0x4000 + +/* RW images start right after the reserved-for-RO areas in each half */ +#define CONFIG_RW_MEM_OFF CONFIG_RO_SIZE +#define CONFIG_RW_B_MEM_OFF (CFG_FLASH_HALF + CONFIG_RW_MEM_OFF) + +/* Size reserved for each RW image */ +#define CONFIG_RW_SIZE (CFG_FLASH_HALF - CONFIG_RW_MEM_OFF - CFG_TOP_SIZE) + +/* + * These are needed in a couple of places, but aren't very meaningful. Because + * we have two RO and two RW images, these values don't really match what's + * described in the EC Image Geometry Spec at www.chromium.org. + */ +/* TODO(wfrichar): Make them meaningful or learn to do without */ +#define CONFIG_EC_PROTECTED_STORAGE_OFF 0 +#define CONFIG_EC_PROTECTED_STORAGE_SIZE CONFIG_FLASH_SIZE +#define CONFIG_EC_WRITABLE_STORAGE_OFF 0 +#define CONFIG_EC_WRITABLE_STORAGE_SIZE CONFIG_FLASH_SIZE +#define CONFIG_RO_STORAGE_OFF 0 +#define CONFIG_RW_STORAGE_OFF 0 +#define CONFIG_WP_STORAGE_OFF 0 +#define CONFIG_WP_STORAGE_SIZE CONFIG_EC_PROTECTED_STORAGE_SIZE + +/* + * Note: early versions of the SoC would let us build and manually sign our own + * bootloaders, and the RW images could be self-signed. Production SoCs require + * officially-signed binary blobs to use for the RO bootloader(s), and the RW + * images that we build must be manually signed. So even though we generate RO + * firmware images, they may not be useful. + */ +#define CONFIG_CUSTOMIZED_RO -#endif /* __CROS_EC_CONFIG_CHIP_H */ +#endif /* __CROS_EC_CONFIG_CHIP_H */ diff --git a/chip/g/flash.c b/chip/g/flash.c index 7ed7cb61f8..d77ad0ad35 100644 --- a/chip/g/flash.c +++ b/chip/g/flash.c @@ -155,8 +155,8 @@ static int do_flash_op(enum flash_op op, int is_info_bank, if (is_info_bank) { /* Only INFO bank operations are supported. */ fsh_pe_control = GREG32_ADDR(FLASH, FSH_PE_CONTROL1); - } else if (byte_offset >= CONFIG_FLASH_SIZE / 2) { - byte_offset -= CONFIG_FLASH_SIZE / 2; + } else if (byte_offset >= CFG_FLASH_HALF) { + byte_offset -= CFG_FLASH_HALF; fsh_pe_control = GREG32_ADDR(FLASH, FSH_PE_CONTROL1); } else { fsh_pe_control = GREG32_ADDR(FLASH, FSH_PE_CONTROL0); diff --git a/chip/g/loader/main.c b/chip/g/loader/main.c index 7381e52471..e560c9b8b5 100644 --- a/chip/g/loader/main.c +++ b/chip/g/loader/main.c @@ -111,10 +111,10 @@ int main(void) first = second; second = a; } - tryLaunch((uint32_t)first, CONFIG_FLASH_SIZE/2 - CONFIG_RW_MEM_OFF); + tryLaunch((uint32_t)first, CONFIG_RW_SIZE); debug_printf("Failed to launch.\n"); debug_printf("Attempting to load the alternate image.\n"); - tryLaunch((uint32_t)second, CONFIG_FLASH_SIZE/2 - CONFIG_RW_MEM_OFF); + tryLaunch((uint32_t)second, CONFIG_RW_SIZE); debug_printf("No valid image found, not sure what to do...\n"); /* TODO: Some applications might want to reboot instead. */ halt(); -- cgit v1.2.1