summaryrefslogtreecommitdiff
path: root/src/vboot
AgeCommit message (Collapse)Author
2017-10-22security/vboot: Move vboot2 to security kconfig sectionPhilipp Deppenwiese
This commit just moves the vboot sources into the security directory and fixes kconfig/makefile paths. Fix vboot2 headers Change-Id: Icd87f95640186f7a625242a3937e1dd13347eb60 Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org> Reviewed-on: https://review.coreboot.org/22074 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Martin Roth <martinroth@google.com>
2017-10-12vboot: Exclude platform specific files from RW cbfsMartin Roth
Add a Kconfig option to allow platforms to exclude specific files from being copied from RO into RW sections. BUG=b:65484600 TEST=Exclude apu/amdfw from the RW cbfs sections Change-Id: I7723b63392c1620b75ceb6d8e25fe1ce2c75cf18 Signed-off-by: Martin Roth <martinroth@google.com> Reviewed-on: https://review.coreboot.org/21899 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2017-10-10vboot: use cbfstool truncatePatrick Georgi
Instead of a shell based parser for cbfstool print -k output. BUG=b:65853903 BRANCH=none TEST=`abuild -x -t GOOGLE_KEVIN -p none` creates a valid-looking image. Change-Id: I33b7e1c483a69e66e82541c09582be2a71356a10 Signed-off-by: Patrick Georgi <pgeorgi@google.com> Reviewed-on: https://review.coreboot.org/21609 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
2017-10-04chromeec: Remove checks for EC in RODaisuke Nojiri
This patch removes checks that ensure EC to be in RO for recovery boot. We do not need these checks because when recovery is requested automatically (as opposed to manually), we show 'broken' screen where users can only reboot the device or request recovery manually. If recovery is requested, Depthcharge will check whether EC is in RO or not and recovery switch was pressed or not. If it's a legitimate manual recovery, EC should be in RO. Thus, we can trust the recovery button state it reports. This patch removes all calls to google_chromeec_check_ec_image, which is called to avoid duplicate memory training when recovery is requested but EC is in RW. BUG=b:66516882 BRANCH=none CQ-DEPEND=CL:693008 TEST=Boot Fizz. Change-Id: I45a874b73c46ea88cb831485757d194faa9f4c99 Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Reviewed-on: https://review.coreboot.org/21711 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Furquan Shaikh <furquan@google.com> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2017-09-20vboot: reset vbnv in cmos when cmos failure occursAaron Durbin
There's an occasional issue on machines which use CMOS for their vbnv storage. The machine that just powers up from complete G3 would have had their RTC rail not held up. The contents of vbnv in CMOS could pass the crc8 though the values could be bad. In order to fix this introduce two functions: 1. vbnv_init_cmos() 2. vbnv_cmos_failed() At the start of vboot the CMOS is queried for failure. If there is a failure indicated then the vbnv data is restored from flash backup or reset to known values when there is no flash backup. BUG=b:63054105 Change-Id: I8bd6f28f64a116b84a08ce4779cd4dc73c0f2f3d Signed-off-by: Aaron Durbin <adurbin@chromium.org> Reviewed-on: https://review.coreboot.org/21560 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Furquan Shaikh <furquan@google.com>
2017-09-20vboot: expose vbnv_reset() functionAaron Durbin
It's helpful to use the common vbnv_reset() function to initialize the vbnv contents when backing store failures occur. Therefore, allow that to happen. BUG=b:63054105 Change-Id: I990639e8c163469733fdab0d3c72e064acc9f8d8 Signed-off-by: Aaron Durbin <adurbin@chromium.org> Reviewed-on: https://review.coreboot.org/21559 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Furquan Shaikh <furquan@google.com>
2017-09-20vboot: introduce vbnv_init()Aaron Durbin
Add vbnv_init() which is responsible for doing any vbnv initialization and reading the vbnv contents. Having this function allows for putting vbnv backing store specific support in the main vboot logic path. BUG=b:63054105 Change-Id: Id8f0344e5de5338417ae2e353ae473d6909c860a Signed-off-by: Aaron Durbin <adurbin@chromium.org> Reviewed-on: https://review.coreboot.org/21550 Reviewed-by: Duncan Laurie <dlaurie@chromium.org> Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Furquan Shaikh <furquan@google.com>
2017-09-20vboot: remove init_vbnv_cmos()Aaron Durbin
Instead of having each potential caller deal with the differences of cmos_init() and init_vbnv_cmos() when VBOOT is enabled put the correct logic within the callee, cmos_init(), for handling the vbnv in CMOS. The internal __cmos_init() routine returns when the CMOS area was cleared. BUG=b:63054105 Change-Id: Ia124bcd61d3ac03e899a4ecf3645fc4b7a558f03 Signed-off-by: Aaron Durbin <adurbin@chromium.org> Reviewed-on: https://review.coreboot.org/21549 Reviewed-by: Furquan Shaikh <furquan@google.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2017-09-13vboot: Add config to enable EC EFS supportDaisuke Nojiri
This patch makes coreboot set VBSD_EC_EFS flag if CONFIG_VBOOT_EC_EFS is set. Depthcharge/Vboot uses this flag to determine whether it can update EC when it's already running a RW copy. BUG=b:65028930 BRANCH=none TEST=Verify soft sync runs successfully on Fizz. Change-Id: Ic51ddd4819262162a8d8519461c4ace57ee01cb5 Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Reviewed-on: https://review.coreboot.org/21489 Reviewed-by: Aaron Durbin <adurbin@chromium.org> Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
2017-09-10vboot: Use "Google_" as VBOOT_FWID_MODEL prefix if CHROMEOS is setFurquan Shaikh
CONFIG_MAINBOARD_VENDOR is customizable by OEM for Chrome OS devices. However, VBOOT_FWID_MODEL indicates the firmware vendor and hence if CHROMEOS is selected, then VBOOT_FWID_MODEL should always prefix "Google_" instead of CONFIG_MAINBOARD_VENDOR. BUG=b:65493192 Change-Id: I0a2280bfd6d535586bc14d9a3c4a8198287f08bc Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/21458 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
2017-07-18vboot: Remove get_sw_write_protect_state callbackJulius Werner
We've just decided to remove the only known use of the VBSD_SW_WP flag in vboot (https://chromium-review.googlesource.com/c/575389), since it was unused and never reliable on all platforms anyway. Therefore, we can now also remove the coreboot infrastructure that supported it. It doesn't really hurt anyone, but removing it saves a small bit of effort for future platforms. Change-Id: I6706eba2761a73482e03f3bf46343cf1d84f154b Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://review.coreboot.org/20628 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2017-07-13Rename __attribute__((packed)) --> __packedStefan Reinauer
Also unify __attribute__ ((..)) to __attribute__((..)) and handle ((__packed__)) like ((packed)) Change-Id: Ie60a51c3fa92b5009724a5b7c2932e361bf3490c Signed-off-by: Stefan Reinauer <stefan.reinauer@coreboot.org> Reviewed-on: https://review.coreboot.org/15921 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2017-04-29vboot: Separate board name and version number in FWID with a dotJulius Werner
It's standard practice in vboot that the FWID consists of <board_name>.<version_number> (e.g. Google_Kevin.8785.57.0). In fact, some tools rely on this and cut the string at the first dot to separate the two. The current Kconfig default in coreboot instead leads to ugly, parser-breaking FWIDs like Google_Kevin4.5-1234-5678abcd. This patch fixes that. Change-Id: I65cd5285c69e2e485d55a41a65d735f6a2291c16 Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://review.coreboot.org/19487 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org> Reviewed-by: Patrick Georgi <pgeorgi@google.com>
2017-04-28vboot: Select CONFIG_{TPM,TPM2} only if MOCK_SECDATA is not selectedFurquan Shaikh
1. Select CONFIG_{TPM,TPM2} only when MOCK_SECDATA is not selected. 2. Provide tlcl_lib_init for mock TPM case. BUG=b:37682566 TEST=Verified that when mock TPM is used, CONFIG_TPM is not set anymore in coreboot config. Change-Id: If3bdd1528e153b164e9d62ee9cbcc4c3666b8b66 Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/19456 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
2017-03-28Remove libverstage as separate library and source file classJulius Werner
In builds without CONFIG_VBOOT_SEPARATE_VERSTAGE, verstage files are linked directly into the bootblock or the romstage. However, they're still compiled with a separate "libverstage" source file class, linked into an intermediate library and then linked into the final destination stage. There is no obvious benefit to doing it this way and it's unclear why it was chosen in the first place... there are, however, obvious disadvantages: it can result in code that is used by both libverstage and the host stage to occur twice in the output binary. It also means that libverstage files have their separate compiler flags that are not necessarily aligned with the host stage, which can lead to weird effects like <rules.h> macros not being set the way you would expect. In fact, VBOOT_STARTS_IN_ROMSTAGE configurations are currently broken on x86 because their libverstage code that gets compiled into the romstage sets ENV_VERSTAGE, but CAR migration code expects all ENV_VERSTAGE code to run pre-migration. This patch resolves these problems by removing the separate library. There is no more difference between the 'verstage' and 'libverstage' classes, and the source files added to them are just treated the same way a bootblock or romstage source files in configurations where the verstage is linked into either of these respective stages (allowing for the normal object code deduplication and causing those files to be compiled with the same flags as the host stage's files). Tested this whole series by booting a Kevin, an Elm (both with and without SEPARATE_VERSTAGE) and a Falco in normal and recovery mode. Change-Id: I6bb84a9bf1cd54f2e02ca1f665740a9c88d88df4 Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://review.coreboot.org/18302 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2017-03-28vboot: Move remaining features out of vendorcode/google/chromeosJulius Werner
This patch attempts to finish the separation between CONFIG_VBOOT and CONFIG_CHROMEOS by moving the remaining options and code (including image generation code for things like FWID and GBB flags, which are intrinsic to vboot itself) from src/vendorcode/google/chromeos to src/vboot. Also taking this opportunity to namespace all VBOOT Kconfig options, and clean up menuconfig visibility for them (i.e. some options were visible even though they were tied to the hardware while others were invisible even though it might make sense to change them). CQ-DEPEND=CL:459088 Change-Id: I3e2e31150ebf5a96b6fe507ebeb53a41ecf88122 Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://review.coreboot.org/18984 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2017-03-28vboot: Disallow separate verstage after romstage, try to clarify logicJulius Werner
No board has ever tried to combine CONFIG_SEPARATE_VERSTAGE with CONFIG_VBOOT_STARTS_IN_ROMSTAGE. There are probably many reasons why this wouldn't work (e.g. x86 CAR migration logic currently always assumes verstage code to run pre-migration). It would also not really make sense: the reason we use separate verstages is to decrease bootblock size (mitigating the boot speed cost of slow boot ROM SPI drivers) and to allow the SRAM-saving RETURN_FROM_VERSTAGE trick, neither of which would apply to the after-romstage case. It is better to just forbid that case explicitly and give programmers more guarantees about what the verstage is (e.g. now the assumption that it runs pre-RAM is always valid). Since Kconfig dependencies aren't always guaranteed in the face of 'select' statements, also add some explicit compile-time assertions to the vboot code. We can simplify some of the loader logic which now no longer needs to provide for the forbidden case. In addition, also try to make some of the loader logic more readable by writing it in a more functional style that allows us to put more assertions about which cases should be unreachable in there, which will hopefully make it more robust and fail-fast with future changes (e.g. addition of new stages). Change-Id: Iaf60040af4eff711d9b80ee0e5950ce05958b3aa Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://review.coreboot.org/18983 Reviewed-by: Aaron Durbin <adurbin@chromium.org> Tested-by: build bot (Jenkins)
2017-03-28vboot: Compile bootmode.c conditionally based on CONFIG_VBOOTJulius Werner
Currently, src/vboot/bootmode.c gets compiled even if vboot is disabled. It seems that this was only done to support calling certain developer/recovery mode functions in this case. There is no reason to compile the whole file for that -- we can just differentiate with a stub in the header instead, which is what other parts of coreboot usually do for cases like this. Change-Id: If83e1b3e0f34f75c2395b4c464651e373724b2e6 Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://review.coreboot.org/18982 Reviewed-by: Aaron Durbin <adurbin@chromium.org> Tested-by: build bot (Jenkins)
2017-03-28vboot: Assume EC_SOFTWARE_SYNC and VIRTUAL_DEV_SWITCH by defaultJulius Werner
The virtualized developer switch was invented five years ago and has been used on every vboot system ever since. We shouldn't need to specify it again and again for every new board. This patch flips the Kconfig logic around and replaces CONFIG_VIRTUAL_DEV_SWITCH with CONFIG_PHYSICAL_DEV_SWITCH, so that only a few ancient boards need to set it and it fits better with CONFIG_PHYSICAL_REC_SWITCH. (Also set the latter for Lumpy which seems to have been omitted incorrectly, and hide it from menuconfig since it's a hardware parameter that shouldn't be configurable.) Since almost all our developer switches are virtual, it doesn't make sense for every board to pass a non-existent or non-functional developer mode switch in the coreboot tables, so let's get rid of that. It's also dangerously confusing for many boards to define a get_developer_mode() function that reads an actual pin (often from a debug header) which will not be honored by coreboot because CONFIG_PHYSICAL_DEV_SWITCH isn't set. Therefore, this patch removes all those non-functional instances of that function. In the future, either the board has a physical dev switch and must define it, or it doesn't and must not. In a similar sense (and since I'm touching so many board configs anyway), it's annoying that we have to keep selecting EC_SOFTWARE_SYNC. Instead, it should just be assumed by default whenever a Chrome EC is present in the system. This way, it can also still be overridden by menuconfig. CQ-DEPEND=CL:459701 Change-Id: If9cbaa7df530580a97f00ef238e3d9a8a86a4a7f Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://review.coreboot.org/18980 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2017-03-28vboot: Remove VBOOT_DYNAMIC_WORK_BUFFER Kconfig optionJulius Werner
VBOOT_DYNAMIC_WORK_BUFFER and VBOOT_STARTS_IN_ROMSTAGE are equivalent in practice. We can't have a dynamic work buffer unless we start in/after romstage, and there'd be no reason to go with a static buffer if we do. Let's get rid of one extra option and merge the two. Change-Id: I3f953c8d2a8dcb3f65b07f548184d6dd0eb688fe Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://review.coreboot.org/18979 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2017-03-28vboot: Remove CHIPSET_PROVIDES_VERSTAGE_MAIN_SYMBOL Kconfig optionJulius Werner
CHIPSET_PROVIDES_VERSTAGE_MAIN_SYMBOL allows the SoC directory to provide its own main() symbol that can execute code before the generic verstage code runs. We have now established in other places (e.g. T210 ramstage) a sort of convention that SoCs which need to run code in any stage before main() should just override stage_entry() instead. This patch aligns the verstage with that model and gets rid of the extra Kconfig option. This also removes the need for aliasing between main() and verstage(). Like other stages the main verstage code is now just in main() and can be called from stage_entry(). Change-Id: If42c9c4fbab51fbd474e1530023a30b69495d1d6 Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://review.coreboot.org/18978 Reviewed-by: Aaron Durbin <adurbin@chromium.org> Tested-by: build bot (Jenkins)
2017-03-23src/vboot: Add valid license headers to all filesMartin Roth
Change-Id: I77d7d6048fee9b378aa04c1a62b830e08f95ec22 Signed-off-by: Martin Roth <martinroth@google.com> Reviewed-on: https://review.coreboot.org/18407 Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Tested-by: build bot (Jenkins) Reviewed-by: Patrick Georgi <pgeorgi@google.com> Reviewed-by: Nico Huber <nico.h@gmx.de>
2017-03-14vboot: Allow other platforms to use soft reboot workaroundLee Leahy
Add a Kconfig value to enable other platforms to use the soft reboot workaround. TEST=Build and run on Galileo Gen2 Change-Id: I5a7ebd200229654128d367ecb50647ff69bb5258 Signed-off-by: Lee Leahy <leroy.p.leahy@intel.com> Reviewed-on: https://review.coreboot.org/18798 Tested-by: Martin Roth <martinroth@google.com> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2017-03-09vboot/tpm2: enable nvmem commits on cr50 when writing firmware secdataAaron Durbin
cr50 by default delays nvmem commits internally from the point of reset to accumulate change state. However, the factory process can put a board into dev mode through the recovery screen. This state is stored in the TPM's nvmem space. When the factory process is complete a disable_dev_request and battery_cutoff_request is performed. This leads to disabling the dev mode in TPM, but the battery is subsequently cut off so the nvmem contents never stick. Therefore, whenever antirollback_write_space_firmware() is called we know there was a change in secdata so request cr50 to immediately enable nvmem commits going forward. This allows state changes to happen immediately. The fallout from this is that when secdata is changed that current boot will take longer because every transaction that writes to TPM nvmem space will perform a write synchronously. All subsequent boots do not have that effect. It should also be noted that this approach to the implementation is a pretty severe layering violation. However, the current TPM APIs don't lend themselves well to extending commands or re-using code outside of the current routines which inherently assume all knowledge of every command (in conflict with vendor commands since those are vendor-specific by definition). BUG=b:35775104 BRANCH=reef TEST=Confirmed disablement of dev mode sticks in the presence of: crossystem disable_dev_request=1; crossystem battery_cutoff_request=1; reboot; Change-Id: I3395db9cbdfea45da1f5cb994c6570978593b944 Signed-off-by: Aaron Durbin <adurbin@chromium.org> Reviewed-on: https://review.coreboot.org/18681 Reviewed-by: Duncan Laurie <dlaurie@chromium.org> Tested-by: build bot (Jenkins)
2017-01-31build system: mark sub-make invocations as parallelizablePatrick Georgi
We rely on gnu make, so we can expect the jobserver to be around in parallel builds, too. Avoids some make warnings and slightly speeds up the build if those sub-makes are executed (eg for arm-trusted-firmware and vboot). Change-Id: I0e6a77f2813f7453d53e88e0214ad8c1b8689042 Signed-off-by: Patrick Georgi <pgeorgi@google.com> Reviewed-on: https://review.coreboot.org/18263 Tested-by: build bot (Jenkins) Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Reviewed-by: Martin Roth <martinroth@google.com>
2017-01-30vboot: Add mock functions for recovery space read/writeFurquan Shaikh
For the boards that intend to use mock tpm and have recovery mrc cache support enabled, provide mock functions to read and write mrc hash space. Reading MRC hash space returns TPM_SUCCESS as later checks take care of comparing the hash value and retraining if hash comparison fails. Thus, in case of mock tpm, device would always end up doing the memory retraining in recovery mode. BUG=chrome-os-partner:62413 BRANCH=None TEST=Verified that eve builds with mock tpm selected. Change-Id: I7817cda7821fadeea0e887cb9860804256dabfd9 Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/18248 Tested-by: build bot (Jenkins) Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
2017-01-24vboot: vb2ex_printf() ignores null function nameRandall Spangler
Currently, it will print the function name as a prefix to the debug output. Make it so that a null function name won't get printed, so that it's possible to print little bits of debug output. BUG=chromium:683391 BRANCH=none TEST=build_packages --board=reef chromeos-firmware Change-Id: I046fa766773fc08a29460db1f884d7902692d182 Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Original-Commit-Id: 853ff7176e97e5e1ab664d094e1914c9c94510aa Original-Change-Id: I1dff38e4d8ab03118e5f8832a16d82c2d2116ec9 Original-Signed-off-by: Randall Spangler <rspangler@chromium.org> Original-Reviewed-on: https://chromium-review.googlesource.com/431111 Original-Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://review.coreboot.org/18204 Tested-by: build bot (Jenkins) Reviewed-by: Martin Roth <martinroth@google.com>
2017-01-04vboot: Remove rmu.bin from FW_MAIN_A and FW_MAIN_BLee Leahy
Add rmu.bin to the list of files that exist only in the read-only section (COREBOOT) of the SPI flash. TEST=Build and run on Galileo Gen2. Change-Id: I30cbd3fb2ef1848807e4de4c479dc7a561c1faba Signed-off-by: Lee Leahy <leroy.p.leahy@intel.com> Reviewed-on: https://review.coreboot.org/18031 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2017-01-03vboot: Clear battery cutoff flags when vbnv_cmos loads backup VBNV.Hung-Te Lin
When CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH is set, vbnv_cmos will try to load VBNV from flash if the VBNV in CMOS is invalid. This is usually correct, except the case of battery cut-off. CMOS will always be invalid after battery cut-off if there is no RTC battery (or if that is dead). However, in current implementation the backup in flash is only updated in coreboot, while the real battery cutoff (and the clearing of cutoff flags in VBNV) is done in payload (Depthcharge) stage. This will create an endless reboot loop that: 1. crossystem sets battery cutoff flag in VBNV_CMOS then reboot. 2. coreboot backs-up VBNV_CMOS to VBNV_flash. 3. Depthcharge sees cutoff flag in VBNV_CMOS. 4. Depthcharge clears cutoff flag in VBNV_CMOS. 5. Depthcharge performs battery cutoff (CMOS data is lost). 6. (Plug AC adapter) Reboot. 7. Coreboot sees invalid VBNV_CMOS, load backup from VBNV_flash. 8. Jump to 3. As a result, we should always clear battery cutoff flags when loading backups from VBNV_flash. BRANCH=glados,reef BUG=chrome-os-partner:61365,chrome-os-partner:59615 TEST=emerge-reef coreboot bootimage; Change-Id: I3250a3a179a7b0de9c6e401e4a94dcd23920e473 Signed-off-by: Hung-Te Lin <hungte@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/423460 Reviewed-by: Duncan Laurie <dlaurie@google.com> Reviewed-on: https://review.coreboot.org/18008 Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Tested-by: build bot (Jenkins) Reviewed-by: Martin Roth <martinroth@google.com>
2016-12-15lib/cbmem: allow anyone to use cbmem_possibly_online()Aaron Durbin
The cbmem_possibly_online() is a helpful construct. Therefore, push it into cbmem.h so other users can take advantage of it. BUG=chrome-os-partner:60592 BRANCH=reef Change-Id: If5a1c7815ed03874dcf141014b8ffefb82b7cc92 Signed-off-by: Aaron Durbin <adurbin@chromium.org> Reviewed-on: https://review.coreboot.org/17868 Tested-by: build bot (Jenkins) Reviewed-by: Furquan Shaikh <furquan@google.com> Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
2016-11-19commonlib/include: remove NEED_VB20_INTERNALSAaron Durbin
vboot_handoff.c is the only place that needs the vb2 internals. Provide it in the one place it is actually required instead of pulling in the headers unnecessarily in common code. There is, however, still a need to get the vb2 hashing types for a function declaration. Change-Id: I038fda68b1cd05fa2e66135158e5e2d18567563a Signed-off-by: Aaron Durbin <adurbin@chromium.org> Reviewed-on: https://review.coreboot.org/17475 Tested-by: build bot (Jenkins) Reviewed-by: Furquan Shaikh <furquan@google.com>
2016-11-16vboot: make TPM factory init sequence more robust.Vadim Bendebury
Currently the code considers the absence of the NVRAM firmware rollback space a a trigger for invoking the TPM factory initialization sequence. Note that the kernel rollback and MRC cache hash spaces are created after the firmware rollback space. This opens an ever so narrow window of opportunity for bricking the device, in case a startup is interrupted after firmware space has been created, but before kernel and MRC hash spaces are created. The suggested solution is to create the firmware space last, and to allow for kernel and MRC cache spaces to exist during TPM factory initialization. BRANCH=none BUG=chrome-os-partner:59654 TEST=odified the code not to create the firmware space, wiped out the TPM NVRAM and booted the device. Observed it create kernel and MRC cache spaces on the first run, and then reporting return code 0x14c for already existing spaces on the following restarts. Verified that the device boots fine in normal and recovery modes and TPM NVRAM spaces are writeable in recovery mode. Change-Id: Id0e772448d6af1340e800ec3b78ec67913aa6289 Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://review.coreboot.org/17398 Reviewed-by: Aaron Durbin <adurbin@chromium.org> Tested-by: build bot (Jenkins)
2016-11-14vboot: Add new function for logging recovery mode switchesFurquan Shaikh
BUG=chrome-os-partner:59352 BRANCH=None TEST=Compiles successfully Change-Id: I87cd675ea45a8b05a178cf64119bf5f9d8d218ca Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/17408 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2016-11-11src/vboot: mark factory_initialze_tpm() as staticVadim Bendebury
This function is not used anywhere else in the code. BRANCH=none BUG=none TEST=reef and kevin boards (using tpm1.2 and tpm2.0 respectively) build successfully. Change-Id: Ifcc345ae9c22b25fdcfc2e547e70766021d27e32 Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://review.coreboot.org/17387 Reviewed-by: Furquan Shaikh <furquan@google.com> Tested-by: build bot (Jenkins)
2016-11-10vboot: Add support for recovery hash space in TPMFurquan Shaikh
1. Add a new index for recovery hash space in TPM - 0x100b 2. Add helper functions to read/write/lock recovery hash space in TPM 3. Add Kconfig option that can be selected by mainboards that want to define this space. 4. Lock this new space while jumping from RO to RW. BUG=chrome-os-partner:59355 BRANCH=None TEST=Verified use of recovery hash space on reef. Change-Id: I1cacd54f0a896d0f2af32d4b7c9ae581a918f9bb Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/17273 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2016-11-10TPM: Add TPM driver files to romstageFurquan Shaikh
This driver is required for reading and updating TPM space for recovery MRC data hash in romstage. BUG=chrome-os-partner:59355 BRANCH=None TEST=Compiles successfully for reef. Change-Id: I8edb7af13285a7a192e3d55fc6a11cfe12654bf9 Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/17270 Reviewed-by: Aaron Durbin <adurbin@chromium.org> Tested-by: build bot (Jenkins)
2016-11-10vboot: Add support for recovery mode with forced memory retrainingFurquan Shaikh
1. Add new function vboot_recovery_mode_memory_retrain that indicates if recovery mode requires memory retraining to be performed. 2. Add helper function get_recovery_mode_retrain_switch to read memory retrain switch. This is provided as weak function which should be implemented by mainboard just like {get,clear}_recovery_mode_switch. BUG=chrome-os-partner:59352 BRANCH=None TEST=Verified behavior of recovery mode with forced memory retraining on reef Change-Id: I46c10fbf25bc100d9f562c36da3ac646c9dae7d1 Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/17241 Tested-by: build bot (Jenkins) Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2016-11-10Revert "vboot: Add vboot library to romstage"Furquan Shaikh
This reverts commit 21fdd8d0b2206be85dd920e94fb9657a22ab5226. I meant to abandon the original change and clicked submit instead. Change-Id: I1db29b62c5c071113d308583f094f77285c9ba1e Reviewed-on: https://review.coreboot.org/17346 Reviewed-by: Aaron Durbin <adurbin@chromium.org> Tested-by: build bot (Jenkins) Reviewed-by: Martin Roth <martinroth@google.com>
2016-11-10vboot: Add vboot library to romstageFurquan Shaikh
This library is needed for calculating sha-256 of recovery mrc data in romstage. BUG=chrome-os-partner:59355 BRANCH=None TEST=Compiles succesfully for reef. Change-Id: Ie257208c7b3ad07d00e4eb777debf19c42a2fc0c Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/17271 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2016-11-08vboot: Wrap line in comment longer than 80 charactersNaresh G Solanki
Fix comment greater than 80 columns. Change-Id: Ie0be96868e8a99f79781c6bafc8991a955f37ffa Signed-off-by: Naresh G Solanki <naresh.solanki@intel.com> Reviewed-on: https://review.coreboot.org/17265 Reviewed-by: Aaron Durbin <adurbin@chromium.org> Tested-by: build bot (Jenkins) Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
2016-11-07vboot: Disable vboot verification when Chrome EC disabledNaresh G Solanki
When Chrome EC is disabled, vboot hash is not available during S3 resume Hence disable vboot verification when Chrome EC is not available. Change-Id: I665f5f0e2e53da7b735de30443d323572d8a1a9c Signed-off-by: Naresh G Solanki <naresh.solanki@intel.com> Reviewed-on: https://review.coreboot.org/17246 Tested-by: build bot (Jenkins) Reviewed-by: Martin Roth <martinroth@google.com>
2016-10-13vboot: Stop creating backup space in TPMDaisuke Nojiri
There is no code which uses the backup space in TPM created for vboot nvram. All chromebooks currently supported at the trunk store vboot nvram in flash directly or as a backup. BUG=chrome-os-partner:47915 BRANCH=none TEST=emerge-samus coreboot Change-Id: I9445dfd822826d668b3bfed8ca50dc9386f2b2b0 Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Original-Commit-Id: 5cee2d54c96ad7952af2a2c1f773ba09c5248f41 Original-Change-Id: Ied0cec0ed489df3b39f6b9afd3941f804557944f Original-Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Original-Reviewed-on: https://chromium-review.googlesource.com/395507 Original-Reviewed-by: Randall Spangler <rspangler@chromium.org> Reviewed-on: https://review.coreboot.org/16997 Tested-by: build bot (Jenkins) Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Reviewed-by: Martin Roth <martinroth@google.com>
2016-09-30vboot: clear tpm when requiredVadim Bendebury
Function which invoked when TPM clear is requested was left empty, this patch fixes it. BRANCH=gru BUG=chrome-os-partner:57411 TEST=verified on a chromeos device that tpm is in fact cleared when CLEAR_TPM_OWNER_REQUEST is set by userland. Change-Id: I4370792afd512309ecf7f4961ed4d44a04a3e2aa Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://review.coreboot.org/16805 Tested-by: build bot (Jenkins) Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@googlemail.com>
2016-09-20vboot/vbnv_flash: Binary search to find last used entryRandall Spangler
This improves the previous linear search to O(log n). No change in storage format. BUG=chromium:640656 BRANCH=none TEST=Manual (test empty) flashrom -i RW_NVRAM -e Reboot; device should boot normally. (start using records) crossystem kern_nv=0xaab0 crossystem recovery_request=1 && reboot Device should go into recovery mode with reason 1 Reboot again; it should boot normally. crossystem kern_nv (should still contain 0xaab0) Repeat steps several times with request=2, 3, etc. flashrom -i RW_NVRAM -r nvdata Modify nvdata to copy the first record across all valid records flashrom -i RW_NVRAM -w nvdata Reboot; device should boot normally. Change-Id: Ieb97563ab92bd1d18a4f6a9e1d20157efe311fb4 Signed-off-by: Martin Roth <martinroth@chromium.org> Original-Commit-Id: db9bb2d3927ad57270d7acfd42cf0652102993b1 Original-Change-Id: I1eb5fd9fa6b2ae56833f024bcd3c250147bcc7a1 Original-Signed-off-by: Randall Spangler <rspangler@chromium.org> Original-Reviewed-on: https://chromium-review.googlesource.com/376928 Original-Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://review.coreboot.org/16577 Tested-by: build bot (Jenkins) Reviewed-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-by: Patrick Georgi <pgeorgi@google.com>
2016-08-25vboot: consolidate google_chromeec_early_init() callsAaron Durbin
On x86 platforms, google_chromeec_early_init() is used to put the EC into RO mode when there's a recovery request. This is to avoid training memory multiple times when the recovery request is through an EC host event while the EC is running RW code. Under that condition the EC will be reset (along with the rest of the system) when the kernel verification happens. This leads to an execessively long recovery path because of the double reboot performing full memory training each time. By putting this logic into the verstage program this reduces the bootblock size on the skylake boards. Additionally, this provides the the correct logic for all future boards since it's not tied to FSP nor the mainboard itself. Lastly, this double memory training protection works only for platforms which verify starting from bootblock. The platforms which don't start verifying until after romstage need to have their own calls (such as haswell and baytrail). Change-Id: Ia8385dfc136b09fb20bd3519f3cc621e540b11a5 Signed-off-by: Aaron Durbin <adurbin@chromium.org> Reviewed-on: https://review.coreboot.org/16318 Tested-by: build bot (Jenkins) Reviewed-by: Furquan Shaikh <furquan@google.com>
2016-08-24vboot/vbnv_flash: fix return value check for rdev_writeat()Aaron Durbin
The return value check was incorect and checking for failure in the success path. Fix the return value check so that it actually checks for success. BUG=chrome-os-partner:56151 Change-Id: Ie7960b89a916dec261015c97c3e0552be56b5b5d Signed-off-by: Aaron Durbin <adurbin@chromium.org> Reviewed-on: https://review.coreboot.org/16303 Tested-by: build bot (Jenkins) Reviewed-by: Furquan Shaikh <furquan@google.com> Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
2016-08-24vboot/vboot_common: actually provide a writable region_deviceAaron Durbin
vboot_named_region_device_rw() is supposed to provide a writable region_device. However, it was calling fmap_locate_area_as_rdev() which only provides a read-only one. Fix this. BUG=chrome-os-partner:56151 Change-Id: I6279fde32132b1b6138292c3ef771c59709e00c6 Signed-off-by: Aaron Durbin <adurbin@chromium.org> Reviewed-on: https://review.coreboot.org/16302 Tested-by: build bot (Jenkins) Reviewed-by: Furquan Shaikh <furquan@google.com> Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
2016-08-19vboot/vbnv_flash: make I/O connection agnosticAaron Durbin
There's no need to be SPI specific w.r.t. how the flash is connected. Therefore, use the RW boot device to write the contents of VBNV. The erasable check was dropped because that information isn't available. All regions should be aligned accordingly on the platform for the underlying hardware implementation. And once the VBNV region fills the erase will fail. BUG=chrome-os-partner:56151 Change-Id: I07fdc8613e0b3884e132a2f158ffeabeaa6da6ce Signed-off-by: Aaron Durbin <adurbin@chromium.org> Reviewed-on: https://review.coreboot.org/16206 Tested-by: build bot (Jenkins) Reviewed-by: Duncan Laurie <dlaurie@chromium.org> Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Reviewed-by: Furquan Shaikh <furquan@google.com>
2016-08-19vboot: provide RW region device supportAaron Durbin
Explicitly provide a RW view of an vboot FMAP region. This is required for platforms which have separate implementations of a RO boot device and a RW boot device. BUG=chrome-os-partner:56151 Change-Id: If8bf2e1c7ca9bff536fc5c578fe0cf92ccbd2ebc Signed-off-by: Aaron Durbin <adurbin@chromium.org> Reviewed-on: https://review.coreboot.org/16205 Reviewed-by: Furquan Shaikh <furquan@google.com> Tested-by: build bot (Jenkins)
2016-08-18Kconfig: rename BOOT_MEDIA_SPI_BUS to BOOT_DEVICE_SPI_FLASH_BUSAaron Durbin
Provide a default value of 0 in drivers/spi as there weren't default values aside from specific mainboards and arch/x86. Remove any default 0 values while noting to keep the option's default to 0. BUG=chrome-os-partner:56151 Change-Id: If9ef585e011a46b5cd152a03e41d545b36355a61 Signed-off-by: Aaron Durbin <adurbin@chromium.org> Reviewed-on: https://review.coreboot.org/16192 Tested-by: build bot (Jenkins) Reviewed-by: Furquan Shaikh <furquan@google.com> Reviewed-by: Martin Roth <martinroth@google.com>