g: improve update error reporting

When checking if the new contents are allowed the updater can reject
the image for different reasons, let's make it possible to pass the
actual rejection reason to the caller of the contents_allowed()
function.

BRANCH=cr50
BUG=none
TEST=verified that attempts to update to an older image are still
     being rejected with the proper error code (as generated by
     contents_allowed() now).

Change-Id: I24ac7671c4f461ec089f272581723ec2c3a232ff
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/650811
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
(cherry picked from commit 848cf8f7983bd1b7df3429de9b99124215de1539)
Reviewed-on: https://chromium-review.googlesource.com/656423
(cherry picked from commit b1083b2412b65fdc5f81ebf002812ed6c48dcf44)
Reviewed-on: https://chromium-review.googlesource.com/666535

2 files changed, 15 insertions, 8 deletions

diff --git a/chip/g/upgrade_fw.c b/chip/g/upgrade_fw.c
index c9c2176265..e2acd92203 100644
--- a/chip/g/upgrade_fw.c
+++ b/chip/g/upgrade_fw.c
@@ -178,14 +178,15 @@ static int new_is_older(const struct SignedHeader *new,
 }
 
 /*
- * Check if this chunk of data is a rollback attempt, or is unaligned and
+ * Check if this chunk of data is a rollback attempt, or is unaligned, or
  * overlaps RO or RW header.
  *
- * Return False if this is such an attempt or an overlap, when in prod mode;
- * otherwise return True.
+ * Return False if there is any of the above problems and set the passed in
+ * error_code pointer to the proper error_code.
  */
 static int contents_allowed(uint32_t block_offset,
-			    size_t body_size, void *upgrade_data)
+			    size_t body_size, void *upgrade_data,
+			    uint8_t *error_code)
 {
 	/* Pointer to RO or RW header in flash, to compare against. */
 	const struct SignedHeader *header;
@@ -220,6 +221,8 @@ static int contents_allowed(uint32_t block_offset,
 					CPRINTF("%s:"
 						" unaligned block overlaps\n",
 						__func__);
+					*error_code =
+						UPGRADE_UNALIGNED_BLOCK_ERROR;
 					return 0;
 				}
 			}
@@ -231,12 +234,14 @@ static int contents_allowed(uint32_t block_offset,
 	/* This block is a header (ro or rw) of the new image. */
 	if (body_size < sizeof(struct SignedHeader)) {
 		CPRINTF("%s: block too short\n", __func__);
+		*error_code = UPGRADE_TRUNCATED_HEADER_ERROR;
 		return 0;
 	}
 
 	/* upgrade_data is the new header. */
 	if (new_is_older(upgrade_data, header)) {
 		CPRINTF("%s: rejecting an older header.\n", __func__);
+		*error_code = UPGRADE_ROLLBACK_ERROR;
 		return 0;
 	}
 
@@ -278,7 +283,8 @@ static void new_chunk_written(uint32_t block_offset)
 }
 
 static int contents_allowed(uint32_t block_offset,
-			    size_t body_size, void *upgrade_data)
+			    size_t body_size, void *upgrade_data,
+			    uint8_t *error_code)
 {
 	return 1;
 }
@@ -368,10 +374,9 @@ void fw_upgrade_command_handler(void *body,
 	}
 
 	upgrade_data = cmd_body + 1;
-	if (!contents_allowed(block_offset, body_size, upgrade_data)) {
-		*error_code = UPGRADE_ROLLBACK_ERROR;
+	if (!contents_allowed(block_offset, body_size,
+			      upgrade_data, error_code))
 		return;
-	}
 
 	/* Check if the block will fit into the valid area. */
 	*error_code = check_update_chunk(block_offset, body_size);
diff --git a/chip/g/upgrade_fw.h b/chip/g/upgrade_fw.h
index 092f2812fa..11de5d52f0 100644
--- a/chip/g/upgrade_fw.h
+++ b/chip/g/upgrade_fw.h
@@ -138,6 +138,8 @@ enum return_value {
 	UPGRADE_MALLOC_ERROR = 7,
 	UPGRADE_ROLLBACK_ERROR = 8,
 	UPGRADE_RATE_LIMIT_ERROR = 9,
+	UPGRADE_UNALIGNED_BLOCK_ERROR = 10,
+	UPGRADE_TRUNCATED_HEADER_ERROR = 11,
 };
 
 /*