authorVadim Bendebury <vbendeb@chromium.org>2020-04-24 18:43:45 -0700
committerCommit Bot <commit-bot@chromium.org>2020-05-29 04:42:17 +0000
commit85d2ae0a9056859a0c159406121fc586c99d98e1 (patch)
treeed48f8ccc51fd3be879421c6d093415c3d100c32
parent000c22149838ac3ffcb2b6115d5442432c028416 (diff)
Plug in the AP RO verification implementation
This adds plumbing necessary to invoke the AP RO verification function in response to the operator entering the 'magic sequence' of holding the power button pressed and pressing/releasing the refresh button three times within five seconds. The code used during the 'Open box RMA' verification process is used, with the physical presence confirmation phase bypassed. This patch also makes sure that attempts to use CCD to program AP or EC flash while AP RO verification is in progress would fail. BUG=b:153764696, b:154966209 TEST=with the next patch applied, generated AP integrity verification data using the ap_ro_hash.py script and then ran the verification procedure, observing the 'hash match' message on the Cr50 console. Also verified that the Open Box RMA procedure still succeeds. Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Change-Id: Ic101fb892554ebb05f9ebe6d1546bfb439f74043 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2171399 Reviewed-by: Mary Ruthven <mruthven@chromium.org>
-rw-r--r--board/cr50/power_button.c7
-rw-r--r--board/cr50/usb_spi.c49
-rw-r--r--chip/g/usb_spi.c2
-rw-r--r--chip/g/usb_spi.h12
-rw-r--r--common/build.mk1
5 files changed, 68 insertions, 3 deletions
diff --git a/board/cr50/power_button.c b/board/cr50/power_button.c
index a7d3634a00..bff6c4890c 100644
--- a/board/cr50/power_button.c
+++ b/board/cr50/power_button.c
@@ -3,6 +3,7 @@
* found in the LICENSE file.
*/
+#include "ap_ro_integrity_check.h"
#include "console.h"
#include "extension.h"
#include "gpio.h"
@@ -145,11 +146,13 @@ static int rctd_poll_handler(void)
if (!ref_last_state)
return 1;
- CPRINTS("Esc press registered");
- if (++ref_press_count != PRESS_COUNT)
+ if (++ref_press_count != PRESS_COUNT) {
+ CPRINTS("Refresh press registered");
return 1;
+ }
CPRINTS("RO Validation triggered");
+ validate_ap_ro();
return 0;
}
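Review bot: The new `validate_ap_ro();` call at the end of `rctd_poll_handler()` has no visible guard against a verification that is already running, so a second key sequence entered during a run would, as far as this hunk shows, start the whole procedure again. If `validate_ap_ro()` does not reject re-entry itself, an early `if (usb_spi_shortcut_active()) return 0;` before the call would make the behaviour explicit. Any status the function reports is also dropped here, so the outcome is only observable on the console; a short comment such as `/* Result is reported on the console by validate_ap_ro(). */` would record that this is intended. The body of `rctd_poll_handler()` starts outside the hunk, so the context in which it runs is not visible.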
diff --git a/board/cr50/usb_spi.c b/board/cr50/usb_spi.c
index 9e40690c1a..316cb19409 100644
--- a/board/cr50/usb_spi.c
+++ b/board/cr50/usb_spi.c
@@ -68,6 +68,16 @@ static uint8_t new_gang_mode;
static void spi_hash_inactive_timeout(void);
DECLARE_DEFERRED(spi_hash_inactive_timeout);
+/*
+ * Set to true when AP RO verification shortcut is enabled. Helps to prevent
+ * concurrent USB SPI operations over CCD.
+ */
+static bool shortcut_active_;
+bool usb_spi_shortcut_active(void)
+{
+ return shortcut_active_;
+}
+
/*****************************************************************************/
/*
* Mutex and variable for tracking whether the SPI bus is used by the USB
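Review bot: The accessor `usb_spi_shortcut_active()` carries no comment of its own and follows the `shortcut_active_` definition without a blank line, so the block comment reads as if it documented only the variable. The flag is written by the enable/disable functions added later in this file and read from the USB SPI path, which probably run in different contexts. The comment should say which side writes and which reads, for example `/* Written by {enable,disable}_ap_spi_hash_shortcut(), read by usb_spi_deferred(). */`. The trailing underscore also differs from the neighbouring statics (`new_gang_mode`), so `shortcut_active` would match the file better.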
@@ -200,6 +210,12 @@ static void enable_spi_pinmux(void)
gpio_get_level(GPIO_AP_FLASH_SELECT) ? "AP" : "EC");
spi_enable(CONFIG_SPI_FLASH_PORT, 1);
+
+ /*
+ * Need to provide enough time for the SPI bus to stabilize
+ * (b/154966209).
+ */
+ msleep(2);
}
/**
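Review bot: The `msleep(2);` added at the end of `enable_spi_pinmux()` uses a bare constant and blocks every caller of the function, not only the AP RO verification path that needed the delay. A named constant such as `#define SPI_BUS_SETTLE_MS 2` next to the existing comment would keep the bug reference and the value together. `enable_spi_pinmux()` begins outside the hunk, so its callers are not visible; it is worth confirming that none of them run in a context where sleeping is not allowed.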
@@ -469,6 +485,39 @@ static void spi_hash_pp_done(void)
(spi_hash_device == USB_SPI_AP ? "AP" : "EC"));
}
+void enable_ap_spi_hash_shortcut(void)
+{
+ /*
+ * This is a big hammer, invoked when the Chrome OS device is
+ * processing the EC reset. Even if SPI bus was in use when the
+ * operator triggered the AP RO hash verification it should be
+ * released and re-acquired now.
+ */
+ enum spi_bus_user_t curr_user;
+
+ shortcut_active_ = true;
+
+ curr_user = get_spi_bus_user();
+ if (curr_user != SPI_BUS_USER_NONE)
+ set_spi_bus_user(curr_user, 0);
+
+ /*
+ * Simulate successful completion of physical presence detection
+ * required to allow the AP flash hash check. This function is invoked
+ * when the operator entered the appropriate sequence on the device
+ * keyboard, so physical presence is already established.
+ */
+ new_device = USB_SPI_AP;
+ spi_hash_pp_done();
+}
+
+void disable_ap_spi_hash_shortcut(void)
+{
+ spi_hash_disable();
+
+ shortcut_active_ = false;
+}
+
/* Process vendor subcommand dealing with Physical presence polling. */
static enum vendor_cmd_rc spihash_pp_poll(void *buf,
size_t input_size,
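Review bot: `enable_ap_spi_hash_shortcut()` calls `spi_hash_pp_done()` directly and so skips the physical presence phase for whoever calls it, yet it is a global function that checks nothing itself. The only protection is the contract described in the comment, so that contract should be stated as a precondition on the function, for example `/* Caller MUST have confirmed operator presence (power + refresh sequence); never call from a host or CCD command path. */`. Separately, `shortcut_active_` is cleared only in `disable_ap_spi_hash_shortcut()`. If the hash session is torn down some other way, possibly by the `spi_hash_inactive_timeout` deferred declared earlier in this file, the flag would stay set and CCD SPI access would stay refused until reboot; clearing it in the common teardown path would avoid that.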
diff --git a/chip/g/usb_spi.c b/chip/g/usb_spi.c
index e41d9eab67..54f32fd553 100644
--- a/chip/g/usb_spi.c
+++ b/chip/g/usb_spi.c
@@ -106,7 +106,7 @@ void usb_spi_deferred(struct usb_spi_config const *config)
(!write_count && read_count == (uint8_t)SPI_READBACK_ALL))
return;
- if (!config->state->enabled) {
+ if (!config->state->enabled || usb_spi_shortcut_active()) {
res = USB_SPI_DISABLED;
} else if (write_count > USB_SPI_MAX_WRITE_COUNT ||
write_count != (count - HEADER_SIZE)) {
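Review bot: The added `usb_spi_shortcut_active()` test in `usb_spi_deferred()` is a point-in-time check: a request that passes it just before the flag is set still goes on to its SPI transaction, and the rest of the function lies outside the hunk. If the bus release in `enable_ap_spi_hash_shortcut()` is what covers that window, a comment here should say so, for example `/* In-flight transfers are cut off by the bus release in enable_ap_spi_hash_shortcut(). */`. This is also the only gate visible in the diff, while the commit message promises that CCD flash programming fails during verification. The CCD-reachable vendor subcommands in board/cr50/usb_spi.c, such as the SPI hash ones, are not shown to consult the flag and should be checked.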
diff --git a/chip/g/usb_spi.h b/chip/g/usb_spi.h
index 0c2707df4f..7a3d5652b3 100644
--- a/chip/g/usb_spi.h
+++ b/chip/g/usb_spi.h
@@ -243,6 +243,18 @@ int usb_spi_interface(struct usb_spi_config const *config,
int usb_spi_board_enable(int host);
void usb_spi_board_disable(void);
+#ifdef CONFIG_AP_RO_VERIFICATION
+/* Returns true if AP RO verification is in progress. */
+bool usb_spi_shortcut_active(void);
+#else
+/* Make sure other than Cr50 boards build fine. */
+static inline bool usb_spi_shortcut_active(void) { return false; }
+#endif
+
+/* Functions to use to fast track AP RO flash verification. */
+void enable_ap_spi_hash_shortcut(void);
+void disable_ap_spi_hash_shortcut(void);
+
int usb_spi_sha256_start(HASH_CTX *ctx);
int usb_spi_sha256_update(HASH_CTX *ctx, uint32_t offset, uint32_t size);
void usb_spi_sha256_final(HASH_CTX *ctx, void *digest, size_t digest_size);
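Review bot: The `static inline` stub for `usb_spi_shortcut_active()` is selected when `CONFIG_AP_RO_VERIFICATION` is undefined, but the non-static definition added to board/cr50/usb_spi.c in this commit is not wrapped in the same `#ifdef`. If that file includes this header, a Cr50 build without the option would see conflicting declarations, so the definition should sit inside `#ifdef CONFIG_AP_RO_VERIFICATION` as well. The same applies to the unconditional `validate_ap_ro()` call in power_button.c, whose object file common/build.mk only builds when the option is set. The `enable_ap_spi_hash_shortcut()` and `disable_ap_spi_hash_shortcut()` prototypes are declared for every board; moving them under the `#ifdef` would turn an accidental use elsewhere into a compile-time error rather than a link-time one.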
diff --git a/common/build.mk b/common/build.mk
index 095ad401a1..faa225328f 100644
--- a/common/build.mk
+++ b/common/build.mk
@@ -26,6 +26,7 @@ ifneq ($(CORE),cortex-m)
common-$(CONFIG_AES)+=aes.o
endif
common-$(CONFIG_AES_GCM)+=aes-gcm.o
+common-$(CONFIG_AP_RO_VERIFICATION)+=ap_ro_integrity_check.o
common-$(CONFIG_CMD_ADC)+=adc.o
common-$(HAS_TASK_ALS)+=als.o
common-$(CONFIG_AP_HANG_DETECT)+=ap_hang_detect.o