ap_ro_status: report the button status if verification is unsupported

Shimless RMA needs to know if the button combo triggered AP RO
verification even if AP RO verification isn't supported. This change
adds two new responses AP_RO_UNSUPPORTED_TRIGGERED(5) and
AP_RO_UNSUPPORTED_NOT_TRIGGERED(4) to tell if the button combo was
pressed on a board that doesn't support AP RO verification.

The old AP_RO_UNSUPPORTED value, 3, isn't returned by cr50 anymore.

AP_RO_PASS(1) and AP_RO_FAIL(2) are still used. They both mean the combo
was triggered.

AP_RO_NOT_RUN(0) is still used. It still means the combo wasn't
triggered.

Summary of the states
- pressed - AP_RO_PASS(1), AP_RO_FAIL(2), AP_RO_UNSUPPORTED_TRIGGERED(5)
- not pressed - AP_RO_NOT_RUN(0) and AP_RO_UNSUPPORTED_NOT_TRIGGERED(4)
- unknown - AP_RO_UNSUPPORTED_UNKNOWN(3)

BUG=b:181000999
TEST=use gsctool to get the AP RO verification status on cr50 images
with the new and old version of the get AP RO status vendor command.

Change-Id: Ib2b33e69a4d4165fc2c13437a919b8f2a83c1bba
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3213112
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>

3 files changed, 28 insertions, 18 deletions

diff --git a/common/ap_ro_integrity_check.c b/common/ap_ro_integrity_check.c
index 8465983eea..37e2a6311c 100644
--- a/common/ap_ro_integrity_check.c
+++ b/common/ap_ro_integrity_check.c
@@ -315,7 +315,7 @@ static const struct ap_ro_check *p_chk =
  * Track if the AP RO hash was validated this boot. Must be cleared every AP
  * reset.
  */
-static uint8_t validated_ap_ro_boot;
+static enum ap_ro_status apro_result = AP_RO_NOT_RUN;
 
 /*
  * In dev signed Cr50 images this is the hash of
@@ -488,9 +488,10 @@ static int verify_keyblock(const struct kb_container *kbc,
 /* Clear validate_ap_ro_boot state. */
 void ap_ro_device_reset(void)
 {
-	if (validated_ap_ro_boot)
-		CPRINTS("%s: clear validated state", __func__);
-	validated_ap_ro_boot = 0;
+	if (apro_result == AP_RO_NOT_RUN)
+		return;
+	CPRINTS("%s: clear apro result", __func__);
+	apro_result = AP_RO_NOT_RUN;
 }
 
 /* Erase flash page containing the AP RO verification data hash. */
@@ -1361,8 +1362,10 @@ static uint8_t do_ap_ro_check(void)
 
 	support_status = ap_ro_check_unsupported(true);
 	if ((support_status == ARCVE_BOARD_ID_BLOCKED) ||
-	    (support_status == ARCVE_FLASH_READ_FAILED))
+	    (support_status == ARCVE_FLASH_READ_FAILED)) {
+		apro_result = AP_RO_UNSUPPORTED_TRIGGERED;
 		return EC_ERROR_UNIMPLEMENTED;
+	}
 
 	enable_ap_spi_hash_shortcut();
 
@@ -1398,6 +1401,7 @@ static uint8_t do_ap_ro_check(void)
 	disable_ap_spi_hash_shortcut();
 
 	if (rv != EC_SUCCESS) {
+		apro_result = AP_RO_FAIL;
 		/* Failure reason has already been reported. */
 		ap_ro_add_flash_event(APROF_CHECK_FAILED);
 
@@ -1408,8 +1412,8 @@ static uint8_t do_ap_ro_check(void)
 		 */
 		rv = EC_ERROR_CRC;
 	} else {
+		apro_result = AP_RO_PASS;
 		ap_ro_add_flash_event(APROF_CHECK_SUCCEEDED);
-		validated_ap_ro_boot = 1;
 		CPRINTS("AP RO verification SUCCEEDED!");
 	}
 
@@ -1507,13 +1511,14 @@ static int ap_ro_info_cmd(int argc, char **argv)
 	}
 #endif
 	rv = ap_ro_check_unsupported(false);
+	ccprintf("result    : %d\n", apro_result);
+	ccprintf("supported : %s\n", rv ? "no" : "yes");
 	if (rv == ARCVE_FLASH_READ_FAILED)
 		return EC_ERROR_CRC; /* No verification possible. */
 	/* All other AP RO verificaiton unsupported reasons are fine */
 	if (rv)
 		return EC_SUCCESS;
 
-	ccprintf("boot validated: %s\n", validated_ap_ro_boot ? "yes" : "no");
 	ccprintf("sha256 hash %ph\n",
 		 HEX_BUF(p_chk->payload.digest, sizeof(p_chk->payload.digest)));
 	ccprintf("Covered ranges:\n");
@@ -1538,7 +1543,7 @@ static enum vendor_cmd_rc vc_get_ap_ro_status(enum vendor_cmd_cc code,
 					      void *buf, size_t input_size,
 					      size_t *response_size)
 {
-	uint8_t rv = AP_RO_NOT_RUN;
+	uint8_t rv = apro_result;
 	uint8_t *response = buf;
 
 	CPRINTS("Check AP RO status");
@@ -1547,12 +1552,9 @@ static enum vendor_cmd_rc vc_get_ap_ro_status(enum vendor_cmd_cc code,
 	if (input_size)
 		return VENDOR_RC_BOGUS_ARGS;
 
-	if (ap_ro_check_unsupported(false))
-		rv = AP_RO_UNSUPPORTED;
-	else if (ec_rst_override())
-		rv = AP_RO_FAIL;
-	else if (validated_ap_ro_boot)
-		rv = AP_RO_PASS;
+	if ((apro_result != AP_RO_UNSUPPORTED_TRIGGERED) &&
+	    (ap_ro_check_unsupported(false) != ARCVE_OK))
+		rv = AP_RO_UNSUPPORTED_NOT_TRIGGERED;
 
 	*response_size = 1;
 	response[0] = rv;
diff --git a/extra/usb_updater/gsctool.c b/extra/usb_updater/gsctool.c
index fed12126df..cf28976755 100644
--- a/extra/usb_updater/gsctool.c
+++ b/extra/usb_updater/gsctool.c
@@ -2306,7 +2306,7 @@ static int process_get_apro_boot_status(struct transfer_descriptor *td)
 	}
 
 	/* Print the response and meaning, as in 'enum ap_ro_status'. */
-	printf("AP RO status = %d: ", response);
+	printf("apro result (%d) : ", response);
 	switch (response) {
 	case AP_RO_NOT_RUN:
 		printf("not run\n");
@@ -2317,8 +2317,14 @@ static int process_get_apro_boot_status(struct transfer_descriptor *td)
 	case AP_RO_FAIL:
 		printf("FAIL\n");
 		break;
-	case AP_RO_UNSUPPORTED:
-		printf("unsupported\n");
+	case AP_RO_UNSUPPORTED_TRIGGERED:
+		printf("not supported\ntriggered: yes\n");
+		break;
+	case AP_RO_UNSUPPORTED_UNKNOWN:
+		printf("not supported\ntriggered: unknown\n");
+		break;
+	case AP_RO_UNSUPPORTED_NOT_TRIGGERED:
+		printf("not supported\ntriggered: no\n");
 		break;
 	default:
 		fprintf(stderr, "unknown status\n");
diff --git a/include/ap_ro_integrity_check.h b/include/ap_ro_integrity_check.h
index b07e4b71c7..12d701c44b 100644
--- a/include/ap_ro_integrity_check.h
+++ b/include/ap_ro_integrity_check.h
@@ -12,7 +12,9 @@ enum ap_ro_status {
 	AP_RO_NOT_RUN = 0,
 	AP_RO_PASS,
 	AP_RO_FAIL,
-	AP_RO_UNSUPPORTED,
+	AP_RO_UNSUPPORTED_UNKNOWN, /* Deprecated */
+	AP_RO_UNSUPPORTED_NOT_TRIGGERED,
+	AP_RO_UNSUPPORTED_TRIGGERED,
 };
 /*
  * validate_ap_ro: based on information saved in an H1 RO flash page verify