1 /* 2 * Chromium OS cros_ec driver - sandbox emulation 3 * 4 * Copyright (c) 2013 The Chromium OS Authors. 5 * 6 * SPDX-License-Identifier: GPL-2.0+ 7 */ 8 9 #include <common.h> 10 #include <cros_ec.h> 11 #include <ec_commands.h> 12 #include <errno.h> 13 #include <hash.h> 14 #include <malloc.h> 15 #include <os.h> 16 #include <sha256.h> 17 #include <spi.h> 18 #include <asm/state.h> 19 #include <asm/sdl.h> 20 #include <linux/input.h> 21 22 /* 23 * Ultimately it shold be possible to connect an Chrome OS EC emulation 24 * to U-Boot and remove all of this code. But this provides a test 25 * environment for bringing up chromeos_sandbox and demonstrating its 26 * utility. 27 * 28 * This emulation includes the following: 29 * 30 * 1. Emulation of the keyboard, by converting keypresses received from SDL 31 * into key scan data, passed back from the EC as key scan messages. The 32 * key layout is read from the device tree. 33 * 34 * 2. Emulation of vboot context - so this can be read/written as required. 35 * 36 * 3. Save/restore of EC state, so that the vboot context, flash memory 37 * contents and current image can be preserved across boots. This is important 38 * since the EC is supposed to continue running even if the AP resets. 39 * 40 * 4. Some event support, in particular allowing Escape to be pressed on boot 41 * to enter recovery mode. The EC passes this to U-Boot through the normal 42 * event message. 43 * 44 * 5. Flash read/write/erase support, so that software sync works. The 45 * protect messages are supported but no protection is implemented. 46 * 47 * 6. Hashing of the EC image, again to support software sync. 48 * 49 * Other features can be added, although a better path is probably to link 50 * the EC image in with U-Boot (Vic has demonstrated a prototype for this). 51 */ 52 53 DECLARE_GLOBAL_DATA_PTR; 54 55 #define KEYBOARD_ROWS 8 56 #define KEYBOARD_COLS 13 57 58 /* A single entry of the key matrix */ 59 struct ec_keymatrix_entry { 60 int row; /* key matrix row */ 61 int col; /* key matrix column */ 62 int keycode; /* corresponding linux key code */ 63 }; 64 65 /** 66 * struct ec_state - Information about the EC state 67 * 68 * @vbnv_context: Vboot context data stored by EC 69 * @ec_config: FDT config information about the EC (e.g. flashmap) 70 * @flash_data: Contents of flash memory 71 * @flash_data_len: Size of flash memory 72 * @current_image: Current image the EC is running 73 * @matrix_count: Number of keys to decode in matrix 74 * @matrix: Information about keyboard matrix 75 * @keyscan: Current keyscan information (bit set for each row/column pressed) 76 * @recovery_req: Keyboard recovery requested 77 */ 78 struct ec_state { 79 uint8_t vbnv_context[EC_VBNV_BLOCK_SIZE]; 80 struct fdt_cros_ec ec_config; 81 uint8_t *flash_data; 82 int flash_data_len; 83 enum ec_current_image current_image; 84 int matrix_count; 85 struct ec_keymatrix_entry *matrix; /* the key matrix info */ 86 uint8_t keyscan[KEYBOARD_COLS]; 87 bool recovery_req; 88 } s_state, *state; 89 90 /** 91 * cros_ec_read_state() - read the sandbox EC state from the state file 92 * 93 * If data is available, then blob and node will provide access to it. If 94 * not this function sets up an empty EC. 95 * 96 * @param blob: Pointer to device tree blob, or NULL if no data to read 97 * @param node: Node offset to read from 98 */ 99 static int cros_ec_read_state(const void *blob, int node) 100 { 101 struct ec_state *ec = &s_state; 102 const char *prop; 103 int len; 104 105 /* Set everything to defaults */ 106 ec->current_image = EC_IMAGE_RO; 107 if (!blob) 108 return 0; 109 110 /* Read the data if available */ 111 ec->current_image = fdtdec_get_int(blob, node, "current-image", 112 EC_IMAGE_RO); 113 prop = fdt_getprop(blob, node, "vbnv-context", &len); 114 if (prop && len == sizeof(ec->vbnv_context)) 115 memcpy(ec->vbnv_context, prop, len); 116 117 prop = fdt_getprop(blob, node, "flash-data", &len); 118 if (prop) { 119 ec->flash_data_len = len; 120 ec->flash_data = os_malloc(len); 121 if (!ec->flash_data) 122 return -ENOMEM; 123 memcpy(ec->flash_data, prop, len); 124 debug("%s: Loaded EC flash data size %#x\n", __func__, len); 125 } 126 127 return 0; 128 } 129 130 /** 131 * cros_ec_write_state() - Write out our state to the state file 132 * 133 * The caller will ensure that there is a node ready for the state. The node 134 * may already contain the old state, in which case it is overridden. 135 * 136 * @param blob: Device tree blob holding state 137 * @param node: Node to write our state into 138 */ 139 static int cros_ec_write_state(void *blob, int node) 140 { 141 struct ec_state *ec = &s_state; 142 143 /* We are guaranteed enough space to write basic properties */ 144 fdt_setprop_u32(blob, node, "current-image", ec->current_image); 145 fdt_setprop(blob, node, "vbnv-context", ec->vbnv_context, 146 sizeof(ec->vbnv_context)); 147 return state_setprop(node, "flash-data", ec->flash_data, 148 ec->ec_config.flash.length); 149 } 150 151 SANDBOX_STATE_IO(cros_ec, "google,cros-ec", cros_ec_read_state, 152 cros_ec_write_state); 153 154 /** 155 * Return the number of bytes used in the specified image. 156 * 157 * This is the actual size of code+data in the image, as opposed to the 158 * amount of space reserved in flash for that image. This code is similar to 159 * that used by the real EC code base. 160 * 161 * @param ec Current emulated EC state 162 * @param entry Flash map entry containing the image to check 163 * @return actual image size in bytes, 0 if the image contains no content or 164 * error. 165 */ 166 static int get_image_used(struct ec_state *ec, struct fmap_entry *entry) 167 { 168 int size; 169 170 /* 171 * Scan backwards looking for 0xea byte, which is by definition the 172 * last byte of the image. See ec.lds.S for how this is inserted at 173 * the end of the image. 174 */ 175 for (size = entry->length - 1; 176 size > 0 && ec->flash_data[entry->offset + size] != 0xea; 177 size--) 178 ; 179 180 return size ? size + 1 : 0; /* 0xea byte IS part of the image */ 181 } 182 183 /** 184 * Read the key matrix from the device tree 185 * 186 * Keymap entries in the fdt take the form of 0xRRCCKKKK where 187 * RR=Row CC=Column KKKK=Key Code 188 * 189 * @param ec Current emulated EC state 190 * @param blob Device tree blob containing keyscan information 191 * @param node Keyboard node of device tree containing keyscan information 192 * @return 0 if ok, -1 on error 193 */ 194 static int keyscan_read_fdt_matrix(struct ec_state *ec, const void *blob, 195 int node) 196 { 197 const u32 *cell; 198 int upto; 199 int len; 200 201 cell = fdt_getprop(blob, node, "linux,keymap", &len); 202 ec->matrix_count = len / 4; 203 ec->matrix = calloc(ec->matrix_count, sizeof(*ec->matrix)); 204 if (!ec->matrix) { 205 debug("%s: Out of memory for key matrix\n", __func__); 206 return -1; 207 } 208 209 /* Now read the data */ 210 for (upto = 0; upto < ec->matrix_count; upto++) { 211 struct ec_keymatrix_entry *matrix = &ec->matrix[upto]; 212 u32 word; 213 214 word = fdt32_to_cpu(*cell++); 215 matrix->row = word >> 24; 216 matrix->col = (word >> 16) & 0xff; 217 matrix->keycode = word & 0xffff; 218 219 /* Hard-code some sanity limits for now */ 220 if (matrix->row >= KEYBOARD_ROWS || 221 matrix->col >= KEYBOARD_COLS) { 222 debug("%s: Matrix pos out of range (%d,%d)\n", 223 __func__, matrix->row, matrix->col); 224 return -1; 225 } 226 } 227 228 if (upto != ec->matrix_count) { 229 debug("%s: Read mismatch from key matrix\n", __func__); 230 return -1; 231 } 232 233 return 0; 234 } 235 236 /** 237 * Return the next keyscan message contents 238 * 239 * @param ec Current emulated EC state 240 * @param scan Place to put keyscan bytes for the keyscan message (must hold 241 * enough space for a full keyscan) 242 * @return number of bytes of valid scan data 243 */ 244 static int cros_ec_keyscan(struct ec_state *ec, uint8_t *scan) 245 { 246 const struct ec_keymatrix_entry *matrix; 247 int bytes = KEYBOARD_COLS; 248 int key[8]; /* allow up to 8 keys to be pressed at once */ 249 int count; 250 int i; 251 252 memset(ec->keyscan, '\0', bytes); 253 count = sandbox_sdl_scan_keys(key, ARRAY_SIZE(key)); 254 255 /* Look up keycode in matrix */ 256 for (i = 0, matrix = ec->matrix; i < ec->matrix_count; i++, matrix++) { 257 bool found; 258 int j; 259 260 for (found = false, j = 0; j < count; j++) { 261 if (matrix->keycode == key[j]) 262 found = true; 263 } 264 265 if (found) { 266 debug("%d: %d,%d\n", matrix->keycode, matrix->row, 267 matrix->col); 268 ec->keyscan[matrix->col] |= 1 << matrix->row; 269 } 270 } 271 272 memcpy(scan, ec->keyscan, bytes); 273 return bytes; 274 } 275 276 /** 277 * Process an emulated EC command 278 * 279 * @param ec Current emulated EC state 280 * @param req_hdr Pointer to request header 281 * @param req_data Pointer to body of request 282 * @param resp_hdr Pointer to place to put response header 283 * @param resp_data Pointer to place to put response data, if any 284 * @return length of response data, or 0 for no response data, or -1 on error 285 */ 286 static int process_cmd(struct ec_state *ec, 287 struct ec_host_request *req_hdr, const void *req_data, 288 struct ec_host_response *resp_hdr, void *resp_data) 289 { 290 int len; 291 292 /* TODO(sjg@chromium.org): Check checksums */ 293 debug("EC command %#0x\n", req_hdr->command); 294 295 switch (req_hdr->command) { 296 case EC_CMD_HELLO: { 297 const struct ec_params_hello *req = req_data; 298 struct ec_response_hello *resp = resp_data; 299 300 resp->out_data = req->in_data + 0x01020304; 301 len = sizeof(*resp); 302 break; 303 } 304 case EC_CMD_GET_VERSION: { 305 struct ec_response_get_version *resp = resp_data; 306 307 strcpy(resp->version_string_ro, "sandbox_ro"); 308 strcpy(resp->version_string_rw, "sandbox_rw"); 309 resp->current_image = ec->current_image; 310 debug("Current image %d\n", resp->current_image); 311 len = sizeof(*resp); 312 break; 313 } 314 case EC_CMD_VBNV_CONTEXT: { 315 const struct ec_params_vbnvcontext *req = req_data; 316 struct ec_response_vbnvcontext *resp = resp_data; 317 318 switch (req->op) { 319 case EC_VBNV_CONTEXT_OP_READ: 320 memcpy(resp->block, ec->vbnv_context, 321 sizeof(resp->block)); 322 len = sizeof(*resp); 323 break; 324 case EC_VBNV_CONTEXT_OP_WRITE: 325 memcpy(ec->vbnv_context, resp->block, 326 sizeof(resp->block)); 327 len = 0; 328 break; 329 default: 330 printf(" ** Unknown vbnv_context command %#02x\n", 331 req->op); 332 return -1; 333 } 334 break; 335 } 336 case EC_CMD_REBOOT_EC: { 337 const struct ec_params_reboot_ec *req = req_data; 338 339 printf("Request reboot type %d\n", req->cmd); 340 switch (req->cmd) { 341 case EC_REBOOT_DISABLE_JUMP: 342 len = 0; 343 break; 344 case EC_REBOOT_JUMP_RW: 345 ec->current_image = EC_IMAGE_RW; 346 len = 0; 347 break; 348 default: 349 puts(" ** Unknown type"); 350 return -1; 351 } 352 break; 353 } 354 case EC_CMD_HOST_EVENT_GET_B: { 355 struct ec_response_host_event_mask *resp = resp_data; 356 357 resp->mask = 0; 358 if (ec->recovery_req) { 359 resp->mask |= EC_HOST_EVENT_MASK( 360 EC_HOST_EVENT_KEYBOARD_RECOVERY); 361 } 362 363 len = sizeof(*resp); 364 break; 365 } 366 case EC_CMD_VBOOT_HASH: { 367 const struct ec_params_vboot_hash *req = req_data; 368 struct ec_response_vboot_hash *resp = resp_data; 369 struct fmap_entry *entry; 370 int ret, size; 371 372 entry = &state->ec_config.region[EC_FLASH_REGION_RW]; 373 374 switch (req->cmd) { 375 case EC_VBOOT_HASH_RECALC: 376 case EC_VBOOT_HASH_GET: 377 size = SHA256_SUM_LEN; 378 len = get_image_used(ec, entry); 379 ret = hash_block("sha256", 380 ec->flash_data + entry->offset, 381 len, resp->hash_digest, &size); 382 if (ret) { 383 printf(" ** hash_block() failed\n"); 384 return -1; 385 } 386 resp->status = EC_VBOOT_HASH_STATUS_DONE; 387 resp->hash_type = EC_VBOOT_HASH_TYPE_SHA256; 388 resp->digest_size = size; 389 resp->reserved0 = 0; 390 resp->offset = entry->offset; 391 resp->size = len; 392 len = sizeof(*resp); 393 break; 394 default: 395 printf(" ** EC_CMD_VBOOT_HASH: Unknown command %d\n", 396 req->cmd); 397 return -1; 398 } 399 break; 400 } 401 case EC_CMD_FLASH_PROTECT: { 402 const struct ec_params_flash_protect *req = req_data; 403 struct ec_response_flash_protect *resp = resp_data; 404 uint32_t expect = EC_FLASH_PROTECT_ALL_NOW | 405 EC_FLASH_PROTECT_ALL_AT_BOOT; 406 407 printf("mask=%#x, flags=%#x\n", req->mask, req->flags); 408 if (req->flags == expect || req->flags == 0) { 409 resp->flags = req->flags ? EC_FLASH_PROTECT_ALL_NOW : 410 0; 411 resp->valid_flags = EC_FLASH_PROTECT_ALL_NOW; 412 resp->writable_flags = 0; 413 len = sizeof(*resp); 414 } else { 415 puts(" ** unexpected flash protect request\n"); 416 return -1; 417 } 418 break; 419 } 420 case EC_CMD_FLASH_REGION_INFO: { 421 const struct ec_params_flash_region_info *req = req_data; 422 struct ec_response_flash_region_info *resp = resp_data; 423 struct fmap_entry *entry; 424 425 switch (req->region) { 426 case EC_FLASH_REGION_RO: 427 case EC_FLASH_REGION_RW: 428 case EC_FLASH_REGION_WP_RO: 429 entry = &state->ec_config.region[req->region]; 430 resp->offset = entry->offset; 431 resp->size = entry->length; 432 len = sizeof(*resp); 433 printf("EC flash region %d: offset=%#x, size=%#x\n", 434 req->region, resp->offset, resp->size); 435 break; 436 default: 437 printf("** Unknown flash region %d\n", req->region); 438 return -1; 439 } 440 break; 441 } 442 case EC_CMD_FLASH_ERASE: { 443 const struct ec_params_flash_erase *req = req_data; 444 445 memset(ec->flash_data + req->offset, 446 ec->ec_config.flash_erase_value, 447 req->size); 448 len = 0; 449 break; 450 } 451 case EC_CMD_FLASH_WRITE: { 452 const struct ec_params_flash_write *req = req_data; 453 454 memcpy(ec->flash_data + req->offset, req + 1, req->size); 455 len = 0; 456 break; 457 } 458 case EC_CMD_MKBP_STATE: 459 len = cros_ec_keyscan(ec, resp_data); 460 break; 461 default: 462 printf(" ** Unknown EC command %#02x\n", req_hdr->command); 463 return -1; 464 } 465 466 return len; 467 } 468 469 int cros_ec_sandbox_packet(struct cros_ec_dev *dev, int out_bytes, 470 int in_bytes) 471 { 472 struct ec_host_request *req_hdr = (struct ec_host_request *)dev->dout; 473 const void *req_data = req_hdr + 1; 474 struct ec_host_response *resp_hdr = (struct ec_host_response *)dev->din; 475 void *resp_data = resp_hdr + 1; 476 int len; 477 478 len = process_cmd(&s_state, req_hdr, req_data, resp_hdr, resp_data); 479 if (len < 0) 480 return len; 481 482 resp_hdr->struct_version = 3; 483 resp_hdr->result = EC_RES_SUCCESS; 484 resp_hdr->data_len = len; 485 resp_hdr->reserved = 0; 486 len += sizeof(*resp_hdr); 487 resp_hdr->checksum = 0; 488 resp_hdr->checksum = (uint8_t) 489 -cros_ec_calc_checksum((const uint8_t *)resp_hdr, len); 490 491 return in_bytes; 492 } 493 494 int cros_ec_sandbox_decode_fdt(struct cros_ec_dev *dev, const void *blob) 495 { 496 return 0; 497 } 498 499 void cros_ec_check_keyboard(struct cros_ec_dev *dev) 500 { 501 struct ec_state *ec = &s_state; 502 ulong start; 503 504 printf("Press keys for EC to detect on reset (ESC=recovery)..."); 505 start = get_timer(0); 506 while (get_timer(start) < 1000) 507 ; 508 putc('\n'); 509 if (!sandbox_sdl_key_pressed(KEY_ESC)) { 510 ec->recovery_req = true; 511 printf(" - EC requests recovery\n"); 512 } 513 } 514 515 /** 516 * Initialize sandbox EC emulation. 517 * 518 * @param dev CROS_EC device 519 * @param blob Device tree blob 520 * @return 0 if ok, -1 on error 521 */ 522 int cros_ec_sandbox_init(struct cros_ec_dev *dev, const void *blob) 523 { 524 struct ec_state *ec = &s_state; 525 int node; 526 int err; 527 528 state = &s_state; 529 err = cros_ec_decode_ec_flash(blob, &ec->ec_config); 530 if (err) 531 return err; 532 533 node = fdtdec_next_compatible(blob, 0, COMPAT_GOOGLE_CROS_EC_KEYB); 534 if (node < 0) { 535 debug("%s: No cros_ec keyboard found\n", __func__); 536 } else if (keyscan_read_fdt_matrix(ec, blob, node)) { 537 debug("%s: Could not read key matrix\n", __func__); 538 return -1; 539 } 540 541 /* If we loaded EC data, check that the length matches */ 542 if (ec->flash_data && 543 ec->flash_data_len != ec->ec_config.flash.length) { 544 printf("EC data length is %x, expected %x, discarding data\n", 545 ec->flash_data_len, ec->ec_config.flash.length); 546 os_free(ec->flash_data); 547 ec->flash_data = NULL; 548 } 549 550 /* Otherwise allocate the memory */ 551 if (!ec->flash_data) { 552 ec->flash_data_len = ec->ec_config.flash.length; 553 ec->flash_data = os_malloc(ec->flash_data_len); 554 if (!ec->flash_data) 555 return -ENOMEM; 556 } 557 558 return 0; 559 } 560