authorDaisuke Nojiri <dnojiri@chromium.org>2021-05-12 12:41:05 -0700
committerCommit Bot <commit-bot@chromium.org>2021-05-27 20:30:24 +0000
commitb38e3a63a8b1d42fd707e4c23e71c3f3ed84e6ad (patch)
treed12a05e1e864ec3db98ef66aed5bde68593a034b /firmware
parentb384db34664466386016b03615fe1387aa2d53c7 (diff)
cros_ec: Use boot mode to check if EC can be trustedstabilize-14013.B
Currently, EC_IN_RW signal is used for the AP to decide whether EC is running an RO copy or not. coreboot will set VB2_CONTEXT_EC_TRUSTED based on the EC's boot mode if supported. It means the EC is in RO and PD is disabled. This patch makes vb2_allow_recovery check VB2_CONTEXT_EC_TRUSTED prior to entering recovery mode. BUG=b:180927027, b:187871195 BRANCH=none TEST=build Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Change-Id: Ie7fb337085f9c5f73ee82049d490a719f76a26bb Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2893095 Reviewed-by: Furquan Shaikh <furquan@chromium.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
Diffstat (limited to 'firmware')
-rw-r--r--firmware/2lib/2misc.c2
-rw-r--r--firmware/2lib/include/2api.h7
2 files changed, 8 insertions, 1 deletions
diff --git a/firmware/2lib/2misc.c b/firmware/2lib/2misc.c
index 13cd35a2..75a9f360 100644
--- a/firmware/2lib/2misc.c
+++ b/firmware/2lib/2misc.c
@@ -408,7 +408,7 @@ int vb2_allow_recovery(struct vb2_context *ctx)
* return false (=RW). That's ok because if recovery is manual, we will
* get the right signal and that's the case we care about.
*/
- if (!vb2ex_ec_trusted())
+ if (!(ctx->flags & VB2_CONTEXT_EC_TRUSTED) && !vb2ex_ec_trusted())
return 0;
/* Now we confidently check the recovery switch state at boot */
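Review bot: With the new condition, `VB2_CONTEXT_EC_TRUSTED` is sufficient on its own: when the flag is set, `vb2ex_ec_trusted()` is never consulted, so the manual-recovery decision rests entirely on whoever populated `ctx->flags`. The comment above the `if` still describes only the EC_IN_RW signal, so I would add a line such as `/* VB2_CONTEXT_EC_TRUSTED (set by the caller from the EC boot mode) is accepted first; EC_IN_RW is only the fallback. */` to make the precedence explicit. The commit lists only TEST=build; a unit test of vb2_allow_recovery with the flag set while the callback returns 0, and the reverse, would pin both paths. The body of vb2_allow_recovery starts and ends outside this hunk.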
diff --git a/firmware/2lib/include/2api.h b/firmware/2lib/include/2api.h
index fb8bc51b..fb656da9 100644
--- a/firmware/2lib/include/2api.h
+++ b/firmware/2lib/include/2api.h
@@ -233,6 +233,13 @@ enum vb2_context_flags {
* NO_BOOT means the OS is not allowed to boot. Only relevant for EFS2.
*/
VB2_CONTEXT_NO_BOOT = (1 << 23),
+
+ /*
+ * TRUSTED means EC is running an RO copy and PD isn't enabled. At
+ * least that was last known to the GSC. If EC RO is correctly behaving,
+ * it doesn't jump to RW when this flag is set.
+ */
+ VB2_CONTEXT_EC_TRUSTED = (1 << 24),
};
/* Helper for aligning fields in vb2_context. */
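Review bot: The comment on `VB2_CONTEXT_EC_TRUSTED` does not say who sets the flag or which code relies on it, which matters because the value is an input that vboot trusts. Going by the commit description, the caller (coreboot) sets it from the EC's boot mode and vb2_allow_recovery reads it. If that is the intended contract, I would add a sentence such as `Set by the caller before vb2_allow_recovery() is called; vboot only reads it.` The "last known to the GSC" wording also implies the state is a snapshot, so it would help to state at what point in boot the caller is expected to sample it.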