flash: Add EC_FLASH_PROTECT_RW_[AT_BOOT|NOW] flagsstabilize-9313.B

The idea of this flag is to be able to protect/unprotect only the
RW portion of the flash. In the (usual) case where ALL=RO+RW, with
no other region, this makes no difference compared to the existing
EC_FLASH_PROTECT_ALL_* flag, and this flag may not be supported.

This is necessary for futher work, where a ROLLBACK region is added,
so that RW/ROLLBACK can be protected/unprotected individually.

Only support for stm32f0 is added, as this is the target for hammer.

BRANCH=none
BUG=chrome-os-partner:61671
TEST=build and flash hammer (stm32f072)
     flashinfo => RO+RW not protected
     flashwp true; reboot => only RO protected
     flashwp all; reboot => RO+RW protected
     flashwp noall; reboot => only RO protected
     flashwp rw/norw not available
TEST=enable CONFIG_FLASH_PROTECT_RW
     build and flash hammer (stm32f072)
     flashinfo => RO+RW not protected
     flashwp true; reboot => only RO protected
     flashwp all; reboot => RO+RW protected
     flashwp noall; reboot => only RO protected
     flashwp rw; reboot => RO+RW protected
     flashwp norw; reboot => only RO protected
TEST=build and flash reef (npcx)
     flashinfo => RO+RW not protected
     flashwp true => RO protected
     flashwp all; flashinfo => all_now displayed
     reboot => RO protected
     flashwp rw/norw not available

Change-Id: Ica6f499cf2e8a9345b08ef52c915655a983ffe3c
Reviewed-on: https://chromium-review.googlesource.com/442265
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>

7 files changed, 177 insertions, 19 deletions

diff --git a/chip/stm32/flash-f.c b/chip/stm32/flash-f.c
index 0c99ec398d..2ab05859fa 100644
--- a/chip/stm32/flash-f.c
+++ b/chip/stm32/flash-f.c
@@ -356,6 +356,10 @@ int flash_physical_protect_at_boot(uint32_t new_flags)
 		if (block >= WP_BANK_OFFSET &&
 		    block < WP_BANK_OFFSET + WP_BANK_COUNT)
 			protect |= new_flags & EC_FLASH_PROTECT_RO_AT_BOOT;
+#ifdef CONFIG_FLASH_PROTECT_RW
+		else
+			protect |= new_flags & EC_FLASH_PROTECT_RW_AT_BOOT;
+#endif
 
 		if (protect)
 			val[byte_off] = val[byte_off] & (~(1 << (block % 8)));
@@ -476,6 +480,15 @@ int flash_pre_init(void)
 		need_reset = 1;
 	}
 
+#ifdef CONFIG_FLASH_PROTECT_RW
+	if ((flash_physical_get_valid_flags() & EC_FLASH_PROTECT_RW_AT_BOOT) &&
+	    (!!(prot_flags & EC_FLASH_PROTECT_RW_AT_BOOT) !=
+	     !!(prot_flags & EC_FLASH_PROTECT_RW_NOW))) {
+		/* RW_AT_BOOT and RW_NOW do not match. */
+		need_reset = 1;
+	}
+#endif
+
 	if (need_reset)
 		system_reset(SYSTEM_RESET_HARD | SYSTEM_RESET_PRESERVE_FLAGS);
 
diff --git a/chip/stm32/flash-stm32f0.c b/chip/stm32/flash-stm32f0.c
index 229fd108af..e047854d0a 100644
--- a/chip/stm32/flash-stm32f0.c
+++ b/chip/stm32/flash-stm32f0.c
@@ -8,6 +8,7 @@
 #include "common.h"
 #include "flash.h"
 #include "registers.h"
+#include "util.h"
 
 /*****************************************************************************/
 /* Physical layer APIs */
@@ -17,6 +18,10 @@ int flash_physical_get_protect(int block)
 	return !(STM32_FLASH_WRPR & (1 << block));
 }
 
+/*
+ * Note: This does not need to update _NOW flags, as get_protect_flags
+ * in common code already does so.
+ */
 uint32_t flash_physical_get_protect_flags(void)
 {
 	uint32_t flags = 0;
@@ -25,8 +30,71 @@ uint32_t flash_physical_get_protect_flags(void)
 	uint32_t wrp23 = REG32(STM32_OPTB_BASE + STM32_OPTB_WRP23);
 #endif
 
-	if (STM32_FLASH_WRPR == 0)
-		flags |= EC_FLASH_PROTECT_ALL_NOW;
+	/*
+	 * We only need to return detailed flags if we want to protect RW or
+	 * ROLLBACK independently (EC_FLASH_PROTECT_RO_AT_BOOT should be set
+	 * by pstate logic).
+	 */
+#if defined(CONFIG_FLASH_PROTECT_RW)
+	/* Flags that must be set for each region. */
+	const int mask_flags[] = {
+		[FLASH_REGION_RW] = EC_FLASH_PROTECT_RW_AT_BOOT,
+		[FLASH_REGION_RO] = EC_FLASH_PROTECT_RO_AT_BOOT,
+	};
+	/*
+	 * Sets up required mask for wrp01/23 registers: for protection to be
+	 * set, values set in the mask must be zeros, values in the mask << 8
+	 * must be ones.
+	 *
+	 * Note that these masks are actually static, and could be precomputed
+	 * at build time to save flash space.
+	 */
+	uint32_t wrp_mask[FLASH_REGION_COUNT][2];
+	int i;
+	int shift = 0;
+	int reg = 0;
+
+	memset(wrp_mask, 0, sizeof(wrp_mask));
+
+	/* Scan flash protection */
+	for (i = 0; i < PHYSICAL_BANKS; i++) {
+		/* Default: RW. */
+		int region = FLASH_REGION_RW;
+
+		if (i >= WP_BANK_OFFSET &&
+		    i < WP_BANK_OFFSET + WP_BANK_COUNT)
+			region = FLASH_REGION_RO;
+
+		switch (i) {
+		case 8:
+#if CONFIG_FLASH_SIZE > 64 * 1024
+		case 24:
+#endif
+			shift += 8;
+			break;
+#if CONFIG_FLASH_SIZE > 64 * 1024
+		case 16:
+			reg = 1;
+			shift = 0;
+			break;
+#endif
+		}
+
+		wrp_mask[region][reg] |= 1 << shift;
+		shift++;
+	}
+
+	for (i = 0; i < FLASH_REGION_COUNT; i++) {
+		if (!(wrp01 & wrp_mask[i][0]) &&
+			(wrp01 & wrp_mask[i][0] << 8) == (wrp_mask[i][0] << 8))
+#if CONFIG_FLASH_SIZE > 64 * 1024
+			if (!(wrp23 & wrp_mask[i][1]) &&
+			     (wrp23 & wrp_mask[i][1] << 8) ==
+							 (wrp_mask[i][1] << 8))
+#endif
+				flags |= mask_flags[i];
+	}
+#endif /* CONFIG_FLASH_PROTECT_RW */
 
 	if (wrp01 == 0xff00ff00)
 #if CONFIG_FLASH_SIZE > 64 * 1024
@@ -51,8 +119,12 @@ int flash_physical_restore_state(void)
 uint32_t flash_physical_get_valid_flags(void)
 {
 	return EC_FLASH_PROTECT_RO_AT_BOOT |
-	       EC_FLASH_PROTECT_ALL_AT_BOOT |
 	       EC_FLASH_PROTECT_RO_NOW |
+#ifdef CONFIG_FLASH_PROTECT_RW
+	       EC_FLASH_PROTECT_RW_AT_BOOT |
+	       EC_FLASH_PROTECT_RW_NOW |
+#endif
+	       EC_FLASH_PROTECT_ALL_AT_BOOT |
 	       EC_FLASH_PROTECT_ALL_NOW;
 }
 
@@ -65,12 +137,18 @@ uint32_t flash_physical_get_writable_flags(uint32_t cur_flags)
 		ret |= EC_FLASH_PROTECT_RO_AT_BOOT;
 
 	/*
-	 * RW at-boot state can be set if WP GPIO is asserted and can always
+	 * ALL/RW at-boot state can be set if WP GPIO is asserted and can always
 	 * be cleared.
 	 */
 	if (cur_flags & (EC_FLASH_PROTECT_ALL_AT_BOOT |
 			 EC_FLASH_PROTECT_GPIO_ASSERTED))
 		ret |= EC_FLASH_PROTECT_ALL_AT_BOOT;
 
+#ifdef CONFIG_FLASH_PROTECT_RW
+	if (cur_flags & (EC_FLASH_PROTECT_RW_AT_BOOT |
+			 EC_FLASH_PROTECT_GPIO_ASSERTED))
+		ret |= EC_FLASH_PROTECT_RW_AT_BOOT;
+#endif
+
 	return ret;
 }
diff --git a/common/flash.c b/common/flash.c
index 275e4692e8..673c962295 100644
--- a/common/flash.c
+++ b/common/flash.c
@@ -523,8 +523,12 @@ int flash_protect_at_boot(uint32_t new_flags)
 uint32_t flash_get_protect(void)
 {
 	uint32_t flags = 0;
-	int not_protected[2] = {0};
 	int i;
+	/* Region protection status */
+	int not_protected[FLASH_REGION_COUNT] = {0};
+	/* Flags that must be set to set ALL_NOW flag. */
+	const uint32_t all_flags = EC_FLASH_PROTECT_RO_NOW |
+				   EC_FLASH_PROTECT_RW_NOW;
 
 	/* Read write protect GPIO */
 #ifdef CONFIG_WP_ALWAYS
@@ -544,26 +548,29 @@ uint32_t flash_get_protect(void)
 
 	/* Scan flash protection */
 	for (i = 0; i < PHYSICAL_BANKS; i++) {
-		/* Is this bank part of RO */
 		int is_ro = (i >= WP_BANK_OFFSET &&
-			     i < WP_BANK_OFFSET + WP_BANK_COUNT) ? 1 : 0;
-
-		int bank_flag = (is_ro ? EC_FLASH_PROTECT_RO_NOW :
-				EC_FLASH_PROTECT_ALL_NOW);
+			i < WP_BANK_OFFSET + WP_BANK_COUNT);
+		enum flash_region region = is_ro ? FLASH_REGION_RO :
+			FLASH_REGION_RW;
+		int bank_flag = is_ro ? EC_FLASH_PROTECT_RO_NOW :
+			EC_FLASH_PROTECT_RW_NOW;
 
 		if (flash_physical_get_protect(i)) {
 			/* At least one bank in the region is protected */
 			flags |= bank_flag;
-			if (not_protected[is_ro])
+			if (not_protected[region])
 				flags |= EC_FLASH_PROTECT_ERROR_INCONSISTENT;
 		} else {
 			/* At least one bank in the region is NOT protected */
-			not_protected[is_ro] = 1;
+			not_protected[region] = 1;
 			if (flags & bank_flag)
 				flags |= EC_FLASH_PROTECT_ERROR_INCONSISTENT;
 		}
 	}
 
+	if ((flags & all_flags) == all_flags)
+		flags |= EC_FLASH_PROTECT_ALL_NOW;
+
 	/*
 	 * If the RW banks are protected but the RO banks aren't, that's
 	 * inconsistent.
@@ -572,10 +579,14 @@ uint32_t flash_get_protect(void)
 	 * since some chips can also protect ALL_NOW for the current boot by
 	 * locking up the flash program-erase registers.
 	 */
-	if ((flags & EC_FLASH_PROTECT_ALL_NOW) &&
-	    !(flags & EC_FLASH_PROTECT_RO_NOW))
+	if ((flags & all_flags) && !(flags & EC_FLASH_PROTECT_RO_NOW))
 		flags |= EC_FLASH_PROTECT_ERROR_INCONSISTENT;
 
+#ifndef CONFIG_FLASH_PROTECT_RW
+	/* RW flag was used for intermediate computations, clear it now. */
+	flags &= ~EC_FLASH_PROTECT_RW_NOW;
+#endif
+
 	/* Add in flags from physical layer */
 	return flags | flash_physical_get_protect_flags();
 }
@@ -585,7 +596,8 @@ int flash_set_protect(uint32_t mask, uint32_t flags)
 	int retval = EC_SUCCESS;
 	int rv;
 	int old_flags_at_boot = flash_get_protect() &
-		(EC_FLASH_PROTECT_RO_AT_BOOT | EC_FLASH_PROTECT_ALL_AT_BOOT);
+		(EC_FLASH_PROTECT_RO_AT_BOOT | EC_FLASH_PROTECT_RW_AT_BOOT |
+			EC_FLASH_PROTECT_ALL_AT_BOOT);
 	int new_flags_at_boot = old_flags_at_boot;
 
 	/* Sanitize input flags */
@@ -618,9 +630,23 @@ int flash_set_protect(uint32_t mask, uint32_t flags)
 	new_flags_at_boot &= ~(mask & EC_FLASH_PROTECT_RO_AT_BOOT);
 	new_flags_at_boot |= flags & EC_FLASH_PROTECT_RO_AT_BOOT;
 
+	/* Removing ALL must also remove RW */
 	if ((mask & EC_FLASH_PROTECT_ALL_AT_BOOT) &&
-	    !(flags & EC_FLASH_PROTECT_ALL_AT_BOOT))
+	    !(flags & EC_FLASH_PROTECT_ALL_AT_BOOT)) {
 		new_flags_at_boot &= ~EC_FLASH_PROTECT_ALL_AT_BOOT;
+#ifdef CONFIG_FLASH_PROTECT_RW
+		new_flags_at_boot &= ~EC_FLASH_PROTECT_RW_AT_BOOT;
+#endif
+	}
+
+#ifdef CONFIG_FLASH_PROTECT_RW
+	/* Removing RW must also remove ALL (otherwise nothing will happen). */
+	if ((mask & EC_FLASH_PROTECT_RW_AT_BOOT) &&
+	    !(flags & EC_FLASH_PROTECT_RW_AT_BOOT)) {
+		new_flags_at_boot &= ~EC_FLASH_PROTECT_ALL_AT_BOOT;
+		new_flags_at_boot &= ~EC_FLASH_PROTECT_RW_AT_BOOT;
+	}
+#endif
 
 	if (new_flags_at_boot != old_flags_at_boot) {
 		rv = flash_protect_at_boot(new_flags_at_boot);
@@ -638,11 +664,15 @@ int flash_set_protect(uint32_t mask, uint32_t flags)
 		return retval;
 
 	/*
-	 * The case where ALL_AT_BOOT is unset is already covered above,
+	 * The case where ALL/RW_AT_BOOT is unset is already covered above,
 	 * so we do not need to mask it out.
 	 */
 	new_flags_at_boot |= flags & EC_FLASH_PROTECT_ALL_AT_BOOT;
 
+#ifdef CONFIG_FLASH_PROTECT_RW
+	new_flags_at_boot |= flags & EC_FLASH_PROTECT_RW_AT_BOOT;
+#endif
+
 	if (new_flags_at_boot != old_flags_at_boot) {
 		rv = flash_protect_at_boot(new_flags_at_boot);
 		if (rv)
@@ -689,6 +719,12 @@ static int command_flash_info(int argc, char **argv)
 		ccputs(" ro_now");
 	if (i & EC_FLASH_PROTECT_ALL_NOW)
 		ccputs(" all_now");
+#ifdef CONFIG_FLASH_PROTECT_RW
+	if (i & EC_FLASH_PROTECT_RW_AT_BOOT)
+		ccputs(" rw_at_boot");
+	if (i & EC_FLASH_PROTECT_RW_NOW)
+		ccputs(" rw_now");
+#endif
 	if (i & EC_FLASH_PROTECT_ERROR_STUCK)
 		ccputs(" STUCK");
 	if (i & EC_FLASH_PROTECT_ERROR_INCONSISTENT)
@@ -838,6 +874,14 @@ static int command_flash_wp(int argc, char **argv)
 	if (!strcasecmp(argv[1], "noall"))
 		return flash_set_protect(EC_FLASH_PROTECT_ALL_AT_BOOT, 0);
 
+#ifdef CONFIG_FLASH_PROTECT_RW
+	if (!strcasecmp(argv[1], "rw"))
+		return flash_set_protect(EC_FLASH_PROTECT_RW_AT_BOOT, -1);
+
+	if (!strcasecmp(argv[1], "norw"))
+		return flash_set_protect(EC_FLASH_PROTECT_RW_AT_BOOT, 0);
+#endif
+
 	/* Do this last, since anything starting with 'n' means "no" */
 	if (parse_bool(argv[1], &val))
 		return flash_set_protect(EC_FLASH_PROTECT_RO_AT_BOOT,
@@ -846,8 +890,11 @@ static int command_flash_wp(int argc, char **argv)
 	return EC_ERROR_PARAM1;
 }
 DECLARE_CONSOLE_COMMAND(flashwp, command_flash_wp,
-			"<BOOLEAN> | now | all | noall",
-			"Modify flash write protect");
+			"<BOOLEAN> | now | all | noall"
+#ifdef CONFIG_FLASH_PROTECT_RW
+			" | rw | norw"
+#endif
+			, "Modify flash write protect");
 
 /*****************************************************************************/
 /* Host commands */
diff --git a/include/config.h b/include/config.h
index cf3e6e19dd..129b1bd648 100644
--- a/include/config.h
+++ b/include/config.h
@@ -991,6 +991,11 @@
 #undef CONFIG_FLASH_PROTECT_NEXT_BOOT
 
 /*
+ * Some platforms need to write protect RW independently of all flash.
+ */
+#undef CONFIG_FLASH_PROTECT_RW
+
+/*
  * Store persistent write protect for the flash inside the flash data itself.
  * This allows ECs with internal flash to emulate something closer to a SPI
  * flash write protect register.  If this is not defined, write protect state
diff --git a/include/ec_commands.h b/include/ec_commands.h
index cf3134cd66..2a44a7dded 100644
--- a/include/ec_commands.h
+++ b/include/ec_commands.h
@@ -1209,6 +1209,10 @@ struct __ec_align4 ec_params_flash_erase {
 #define EC_FLASH_PROTECT_ERROR_INCONSISTENT (1 << 5)
 /* Entire flash code protected when the EC boots */
 #define EC_FLASH_PROTECT_ALL_AT_BOOT        (1 << 6)
+/* RW flash code protected when the EC boots */
+#define EC_FLASH_PROTECT_RW_AT_BOOT         (1 << 7)
+/* RW flash code protected now. */
+#define EC_FLASH_PROTECT_RW_NOW             (1 << 8)
 
 struct __ec_align4 ec_params_flash_protect {
 	uint32_t mask;   /* Bits in flags to apply */
diff --git a/include/flash.h b/include/flash.h
index caa6d0b897..548f889e72 100644
--- a/include/flash.h
+++ b/include/flash.h
@@ -26,6 +26,13 @@
 #define PSTATE_BANK_COUNT	0
 #endif
 
+/* This enum is useful to identify different regions during verification. */
+enum flash_region {
+	FLASH_REGION_RW = 0,
+	FLASH_REGION_RO,
+	FLASH_REGION_COUNT
+};
+
 /*****************************************************************************/
 /* Low-level methods, for use by flash_common. */
 
diff --git a/util/ectool.c b/util/ectool.c
index cb90d1af51..f2bf6662ce 100644
--- a/util/ectool.c
+++ b/util/ectool.c
@@ -907,10 +907,14 @@ static void print_flash_protect_flags(const char *desc, uint32_t flags)
 		printf(" wp_gpio_asserted");
 	if (flags & EC_FLASH_PROTECT_RO_AT_BOOT)
 		printf(" ro_at_boot");
+	if (flags & EC_FLASH_PROTECT_RW_AT_BOOT)
+		printf(" rw_at_boot");
 	if (flags & EC_FLASH_PROTECT_ALL_AT_BOOT)
 		printf(" all_at_boot");
 	if (flags & EC_FLASH_PROTECT_RO_NOW)
 		printf(" ro_now");
+	if (flags & EC_FLASH_PROTECT_RW_NOW)
+		printf(" rw_now");
 	if (flags & EC_FLASH_PROTECT_ALL_NOW)
 		printf(" all_now");
 	if (flags & EC_FLASH_PROTECT_ERROR_STUCK)