apro: generate the hash with possible factory flags

The AP RO flags may have been non-zero when the factory generated the
hash. The stored hash will not match finalized firmware since it was
generated with non-zero gbb flags and the gbb flags are set to 0 during
finalization.

Cr50 can try to match the saved hash by using factory flags to calculate
the AP RO hash. As long as the GBB flags are actually set to 0 it should
be ok to try calculating the hash with a limited set of possible factory
flags. Try to match the saved hash using GBB flags 0 to calculate the
hash. If that doesn't match, cycle through the rest of the possible
factory flags to see if any of them generate the saved hash. If none of
the factory flags work, fail verification.

This change adds 8 possible factory flag values: 0, 0x39, 0x239, 0x1039,
0x50b9, 0x40b9, 0x52b9, and 0x42b9

BUG=b:236844541,b:230071229
TEST=manual
	# add 0x42b9 possible_factory_flags
	# Set GBB flags to 0x42b9
	/usr/share/vboot/bin/set_gbb_flags.sh 0x42b9
	# save the hash with GBB 0x42b9
	ap_ro_hash.py FMAP GBB

	# Verify AP RO verification fails because flags are 0x42b9
	[349.029624 enable_spi_pinmux: AP]
	[349.030178 tpm_rst_asserted]
	[349.032382 spi_hash_pp_done: AP]
	[349.137962 validate_gbb: invalid flags 42b9]

	# reboot cr50 to release ec reset
	> reboot

	# Set GBB flags to 0
	/usr/share/vboot/bin/set_gbb_flags.sh 0

	# Verify ap ro verification passes.

Change-Id: I17d191abada342263ea246911ce47ac24dbb940c
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3840653
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>

0 files changed, 0 insertions, 0 deletions