pd: dingdong/hoho: Enable flash write-protection

These USB type-C accessories don't have a write-protect GPIO.
Add a configure flag (CONFIG_WP_ALWAYS) to force the flash
write-protection on the dongles.

Also set the read protection (by elevating RDP to level 1),
so trying to unprotect the flash will trigger a full erase.

Signed-off-by: Vincent Palatin <vpalatin@chromium.org>

BRANCH=samus
BUG=chrome-os-partner:35088
TEST=boot Hoho,
check the flash OBR and WRPR registers:
"rw 0x4002201c" / "rw 0x40022020"
and the option bytes write-protect bits: "rw 0x1FFFF808"
dump the logical state with "flashinfo" command.
> rw 0x4002201c
read 0x40022020 = 0xffff0002
> rw 0x40022020
read 0x40022020 = 0xffff0000
> rw 0x1FFFF808
read 0x1ffff808 = 0xff00ff00
> flashinfo
Physical: 128 KB
Usable:   128 KB
Write:      2 B (ideal 2 B)
Erase:   2048 B (to 1-bits)
Protect: 4096 B
Flags:   wp_gpio_asserted ro_at_boot ro_now
Protected now:
    YYYYYYYY YYYYYYYY ........ ........

Change-Id: I45bbc0bce40ecc174b6b8a1ebacf4f53d2fd372d
Reviewed-on: https://chromium-review.googlesource.com/238893
Trybot-Ready: Vincent Palatin <vpalatin@chromium.org>
Commit-Queue: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Todd Broch <tbroch@chromium.org>
Tested-by: Todd Broch <tbroch@chromium.org>

6 files changed, 31 insertions, 13 deletions

diff --git a/board/dingdong/board.h b/board/dingdong/board.h
index 4ac7294c73..6247ae5fcc 100644
--- a/board/dingdong/board.h
+++ b/board/dingdong/board.h
@@ -28,7 +28,7 @@
 #define CONFIG_USB_POWER_DELIVERY
 #define CONFIG_USB_PD_ALT_MODE
 #define CONFIG_USB_PD_HW_DEV_ID_BOARD_MAJOR USB_PD_HW_DEV_ID_DINGDONG
-#define CONFIG_USB_PD_HW_DEV_ID_BOARD_MINOR 1
+#define CONFIG_USB_PD_HW_DEV_ID_BOARD_MINOR 2
 #define CONFIG_USB_PD_DUAL_ROLE
 #define CONFIG_USB_PD_CUSTOM_VDM
 #define CONFIG_USB_PD_FLASH
@@ -44,11 +44,8 @@
 #define CONFIG_USB_PID 0x5011
 #define CONFIG_USB_BCD_DEV 0x0001 /* v 0.01 */
 
-/*
- * Allow dangerous commands all the time, since we don't have a write protect
- * switch.
- */
-#define CONFIG_SYSTEM_UNLOCKED
+/* No Write-protect GPIO, force the write-protection */
+#define CONFIG_WP_ALWAYS
 
 #ifndef __ASSEMBLER__
 
diff --git a/board/hoho/board.h b/board/hoho/board.h
index 1b43a4fe5a..74e3951b53 100644
--- a/board/hoho/board.h
+++ b/board/hoho/board.h
@@ -35,7 +35,7 @@
 #define CONFIG_USB_POWER_DELIVERY
 #define CONFIG_USB_PD_ALT_MODE
 #define CONFIG_USB_PD_HW_DEV_ID_BOARD_MAJOR USB_PD_HW_DEV_ID_HOHO
-#define CONFIG_USB_PD_HW_DEV_ID_BOARD_MINOR 1
+#define CONFIG_USB_PD_HW_DEV_ID_BOARD_MINOR 2
 #define CONFIG_USB_PD_DUAL_ROLE
 #define CONFIG_USB_PD_CUSTOM_VDM
 #define CONFIG_USB_PD_FLASH
@@ -56,11 +56,8 @@
 #define CONFIG_USB_PID 0x5010
 #define CONFIG_USB_BCD_DEV 0x0001 /* v 0.01 */
 
-/*
- * Allow dangerous commands all the time, since we don't have a write protect
- * switch.
- */
-#define CONFIG_SYSTEM_UNLOCKED
+/* No Write-protect GPIO, force the write-protection */
+#define CONFIG_WP_ALWAYS
 
 #ifndef __ASSEMBLER__
 
diff --git a/chip/stm32/flash-f.c b/chip/stm32/flash-f.c
index e457aea8ce..6f334b94a2 100644
--- a/chip/stm32/flash-f.c
+++ b/chip/stm32/flash-f.c
@@ -362,6 +362,14 @@ int flash_physical_protect_at_boot(enum flash_wp_range range)
 		if (original_val[i] != val[i])
 			write_optb(i * 2 + 8, val[i]);
 
+#ifdef CONFIG_WP_ALWAYS
+	/*
+	 * Set a permanent protection by increasing RDP to level 1,
+	 * trying to unprotected the flash will trigger a full erase.
+	 */
+	write_optb(0, 0x11);
+#endif
+
 	return EC_SUCCESS;
 }
 
diff --git a/common/flash.c b/common/flash.c
index b6001751d5..3b269deb46 100644
--- a/common/flash.c
+++ b/common/flash.c
@@ -65,6 +65,9 @@ static void flash_read_pstate(struct persist_state *pstate)
 	if (pstate->version != PERSIST_STATE_VERSION) {
 		memset(pstate, 0, sizeof(*pstate));
 		pstate->version = PERSIST_STATE_VERSION;
+#ifdef CONFIG_WP_ALWAYS
+		pstate->flags |= PERSIST_FLAG_PROTECT_RO;
+#endif
 	}
 }
 
@@ -202,7 +205,9 @@ uint32_t flash_get_protect(void)
 	int i;
 
 	/* Read write protect GPIO */
-#ifdef CONFIG_WP_ACTIVE_HIGH
+#ifdef CONFIG_WP_ALWAYS
+	flags |= EC_FLASH_PROTECT_GPIO_ASSERTED;
+#elif defined(CONFIG_WP_ACTIVE_HIGH)
 	if (gpio_get_level(GPIO_WP))
 		flags |= EC_FLASH_PROTECT_GPIO_ASSERTED;
 #else
diff --git a/include/config.h b/include/config.h
index 852ebf7e19..e1ae4750d4 100644
--- a/include/config.h
+++ b/include/config.h
@@ -1302,6 +1302,12 @@
  */
 #undef CONFIG_WP_ACTIVE_HIGH
 
+/*
+ * The write protect signal is always asserted,
+ * independantly of the GPIO existence or current value.
+ */
+#undef CONFIG_WP_ALWAYS
+
 /*****************************************************************************/
 /*
  * Include board and core configs, since those hold the CONFIG_ constants for a
diff --git a/util/flash_ec b/util/flash_ec
index 3278f1d8fd..0d840a9ae4 100755
--- a/util/flash_ec
+++ b/util/flash_ec
@@ -353,6 +353,11 @@ function flash_stm32_dfu() {
 	fi
 
 	SIZE=$(wc -c ${IMG} | cut -d' ' -f1)
+	# Remove read protection
+	sudo $DFU_UTIL -a 0 -s ${ADDR}:${SIZE}:force:unprotect -D "${IMG}"
+	# Wait for mass-erase and reboot after unprotection
+	sleep 1
+	# Actual image flashing
 	sudo $DFU_UTIL -a 0 -s ${ADDR}:${SIZE} -D "${IMG}"
 }