authorVadim Bendebury <vbendeb@chromium.org>2020-05-14 18:55:42 -0700
committerCommit Bot <commit-bot@chromium.org>2020-05-29 21:49:56 +0000
commitfb3eb55a5bb8f619ada8b46f5a219ff239fe215c (patch)
treed9426ac6a20f327c87b33c5e67141270b3f9edef
parent160f0f9f632e5a64527753d8c17399ab1ae0ff2b (diff)
downloadchrome-ec-fb3eb55a5bb8f619ada8b46f5a219ff239fe215c.tar.gz
ap_ro_integrity_check: allow gsctool erasing AP RO hash
This patch extends the VENDOR_CC_SEED_AP_RO_CHECK handler to erase the AP RO hash space if two requirements are met: the vendor command payload is empty, and the board ID space in INFO1 is not programmed. Also, after this patch it is impossible to program the AP RO hash if the Board ID INFO1 field is set. This prevents attempts to write the hash by users of existing devices. BUG=b:153764696 TEST=after expanding gsctool, was able to verify the AP RO hash space erase when allowed. Was able to write the hash when the board ID space was uninitialized, and was not able to write the hash when the Board ID space was set. Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Change-Id: I0d2409cb0a97bf98f52e7f10fd41660305638122 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2204975 Reviewed-by: Namyoon Woo <namyoon@chromium.org>
-rw-r--r--common/ap_ro_integrity_check.c43
1 files changed, 36 insertions, 7 deletions
diff --git a/common/ap_ro_integrity_check.c b/common/ap_ro_integrity_check.c
index 0606415a62..2732052dd8 100644
--- a/common/ap_ro_integrity_check.c
+++ b/common/ap_ro_integrity_check.c
@@ -6,6 +6,7 @@
*/
#include "ap_ro_integrity_check.h"
+#include "board_id.h"
#include "console.h"
#include "crypto_api.h"
#include "extension.h"
@@ -77,8 +78,25 @@ enum ap_ro_check_vc_errors {
ARCVE_BAD_RANGE_SIZE = 4,
ARCVE_ALREADY_PROGRAMMED = 5,
ARCVE_FLASH_WRITE_FAILED = 6,
+ ARCVE_BID_PROGRAMMED = 7,
+ ARCVE_FLASH_ERASE_FAILED = 8,
};
+static int ap_ro_erase_hash(void)
+{
+ int rv;
+
+ /*
+ * TODO(vbendeb): Make this a partial erase, use refactored
+ * Board ID space partial erase.
+ */
+ flash_open_ro_window(h1_flash_offset_, AP_RO_DATA_SPACE_SIZE);
+ rv = flash_physical_erase(h1_flash_offset_, AP_RO_DATA_SPACE_SIZE);
+ flash_close_ro_window();
+
+ return rv;
+}
+
static enum vendor_cmd_rc vc_seed_ap_ro_check(enum vendor_cmd_cc code,
void *buf, size_t input_size,
size_t *response_size)
@@ -93,6 +111,23 @@ static enum vendor_cmd_rc vc_seed_ap_ro_check(enum vendor_cmd_cc code,
*response_size = 1; /* Just in case there is an error. */
+ /* Neither write nor erase are allowed once Board ID is programmed. */
+ if (!board_id_is_erased()) {
+ *response = ARCVE_BID_PROGRAMMED;
+ return VENDOR_RC_NOT_ALLOWED;
+ }
+
+ if (input_size == 0) {
+ /* Empty payload is a request to erase the hash. */
+ if (ap_ro_erase_hash() != EC_SUCCESS) {
+ *response = ARCVE_FLASH_ERASE_FAILED;
+ return VENDOR_RC_INTERNAL_ERROR;
+ }
+
+ *response_size = 0;
+ return EC_SUCCESS;
+ }
+
/* There should be at least one range and the hash. */
if (input_size < (SHA256_DIGEST_SIZE + sizeof(struct flash_range))) {
*response = ARCVE_TOO_SHORT;
@@ -254,13 +289,7 @@ static int ap_ro_info_cmd(int argc, char **argv)
if (argc == max_args) {
if (strcasecmp(argv[1], "erase"))
return EC_ERROR_PARAM1;
- /*
- * TODO(vbendeb): Make this a partial erase, use refactored
- * Board ID space partial erase.
- */
- flash_open_ro_window(h1_flash_offset_, AP_RO_DATA_SPACE_SIZE);
- flash_physical_erase(h1_flash_offset_, AP_RO_DATA_SPACE_SIZE);
- flash_close_ro_window();
+ ap_ro_erase_hash();
}
#endif
if ((p_chk->header.num_ranges == (uint16_t)~0) &&
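Review bot: The empty-payload erase path in vc_seed_ap_ro_check returns `EC_SUCCESS` from a function whose return type is `enum vendor_cmd_rc`, while the sibling paths in the same hunk return `VENDOR_RC_NOT_ALLOWED` and `VENDOR_RC_INTERNAL_ERROR`; both success codes are presumably 0 so the wire value is unchanged, but the line should read `return VENDOR_RC_SUCCESS;` so the vendor-command status space is used consistently and a future renumbering cannot silently turn success into an error. In the last hunk, ap_ro_info_cmd now discards the result of `ap_ro_erase_hash();` even though the helper was introduced precisely to report the erase outcome, so a failed erase leaves the console user believing the hash is gone when it may still be present; `if (ap_ro_erase_hash() != EC_SUCCESS) return EC_ERROR_UNKNOWN;` keeps the console path in step with the vendor-command path. The "Just in case there is an error" comment on `*response_size = 1` now precedes the Board-ID gate as well, which is worth a one-line note such as `/* Board ID check applies to both erase and write requests. */` since the gate is the security boundary this change introduces. Both vc_seed_ap_ro_check and ap_ro_info_cmd begin or continue outside the hunks shown.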