September 2007 - OpenBIOS - mail.coreboot.org

r618 - cpu/x86/pc/olpc
by svn＠openbios.org Sept. 19, 2007

Sept. 19, 2007

Author: wmb Date: 2007-09-19 04:56:12 +0200 (Wed, 19 Sep 2007) New Revision: 618 Modified: cpu/x86/pc/olpc/crypto.bth Log: OLPC crypto - The build was pulling down the wrong lease and developer key files. Modified: cpu/x86/pc/olpc/crypto.bth =================================================================== --- cpu/x86/pc/olpc/crypto.bth 2007-09-19 02:55:36 UTC (rev 617) +++ cpu/x86/pc/olpc/crypto.bth 2007-09-19 02:56:12 UTC (rev 618) @@ -6,10 +6,10 @@ fload ${BP}/cpu/x86/pc/olpc/versions.fth " wget http://dev.laptop.org/pub/firmware/crypto/bios_verify-${CRYPTO_VERSION}.img -O verify.img" expand$ $sh -" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/os.public -O os.public" expand$ $sh -" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/fw.public -O fw.public" expand$ $sh -" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/os.public -O lease.public" expand$ $sh -" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/fw.public -O developer.public" expand$ $sh +" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/os.public -O os.public" expand$ $sh +" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/fw.public -O fw.public" expand$ $sh +" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/lease.public -O lease.public" expand$ $sh +" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/developer.public -O developer.public" expand$ $sh \ This forces the creation of an crypto.log file, so we don't re-fetch writing crypto.version

1 0

r617 - cpu/x86
by svn＠openbios.org Sept. 19, 2007

Sept. 19, 2007

Author: wmb Date: 2007-09-19 04:55:36 +0200 (Wed, 19 Sep 2007) New Revision: 617 Modified: cpu/x86/adpcm.fth Log: WAV handler - Fixed some bugs with raw WAV handling so the new OLPC startup sound will work. Modified: cpu/x86/adpcm.fth =================================================================== --- cpu/x86/adpcm.fth 2007-09-19 02:27:06 UTC (rev 616) +++ cpu/x86/adpcm.fth 2007-09-19 02:55:36 UTC (rev 617) @@ -214,10 +214,10 @@ \ Collapse a sample array with "#output-ch" channels/sample into a smaller \ array with "wav-in-#ch" channels/sample, discarding the excess channels. -: condense-pcm ( adr -- ) - wav-in-#ch #output-ch - /w* to in-skip - #output-ch /w* to out-move - dup dup 4 - le-l@ bounds ?do ( out ) +: condense-pcm ( adr in-len -- ) + wav-in-#ch #output-ch - /w* to in-skip ( adr in-len ) + #output-ch /w* to out-move ( adr in-len ) + over swap bounds ?do ( out ) i over out-move move ( out ) out-move + ( out' ) in-skip +loop drop ( ) @@ -226,10 +226,9 @@ \ Spread a sample array with "wav-in-#ch" channels/sample into a larger \ array with "#output-ch" channels/sample, zeroing the new channels. -: expand-pcm ( adr -- ) - #output-ch wav-in-#ch - /w* to out-skip ( adr ) - wav-in-#ch /w* to out-move ( adr ) - dup /l - le-l@ ( adr in-len ) +: expand-pcm ( adr in-len -- ) + #output-ch wav-in-#ch - /w* to out-skip ( adr in-len ) + wav-in-#ch /w* to out-move ( adr in-len ) 2dup wav-in-#ch / #output-ch * ( adr in-len adr out-len ) + -rot ( out-adr in-start in-len ) over + out-move - do ( out-adr ) @@ -266,12 +265,14 @@ wav-data-adr 4 - le-l@ ( adr in-len ) dup wav-in-#ch / #output-ch * to /pcm-output ( adr in-len ) /pcm-output " dma-alloc" $call-audio to pcm-base ( adr in-len ) - - pcm-base swap move ( ) - #output-ch wav-in-#ch < if pcm-base condense-pcm then \ Skip extra channel data - #output-ch wav-in-#ch > if pcm-base expand-pcm then \ Convert mono to stereo + tuck pcm-base swap move ( in-len ) + #output-ch wav-in-#ch < if pcm-base over condense-pcm then \ Skip extra channel data + #output-ch wav-in-#ch > if pcm-base over expand-pcm then \ Spread out channel data + #output-ch 2 = wav-in-#ch 1 = and if pcm-base over 2* mono16>stereo16 then \ Stereo from mono + drop + pcm-base /pcm-output (play-pcm) false ; @@ -300,8 +301,10 @@ then parse-wav-ok? not if ." Not a .wav file" cr true exit then - " /audio" open-dev ?dup 0= if ." Cannot open audio device" cr true exit then - to audio-ih + audio-ih 0= if + " /audio" open-dev ?dup 0= if ." Cannot open audio device" cr true exit then + to audio-ih + then playback-volume set-volume set-sample-rate @@ -311,7 +314,7 @@ h# 11 of wav-data-adr play-ima-adpcm endof ( default ) ." Cannot play .wav format type: " dup .wav-cc true swap cr endcase - audio-ih close-dev + \ audio-ih close-dev ; : ($play-wav) ( file-str -- )

1 0

r616 - ofw/fs/jffs2
by svn＠openbios.org Sept. 19, 2007

Sept. 19, 2007

Author: wmb Date: 2007-09-19 04:27:06 +0200 (Wed, 19 Sep 2007) New Revision: 616 Modified: ofw/fs/jffs2/jffs2.fth Log: JFFS2 - OLPC trac #2818 - give up quickly when non-JFFS2-node data is found. Modified: ofw/fs/jffs2/jffs2.fth =================================================================== --- ofw/fs/jffs2/jffs2.fth 2007-09-18 01:23:25 UTC (rev 615) +++ ofw/fs/jffs2/jffs2.fth 2007-09-19 02:27:06 UTC (rev 616) @@ -633,7 +633,8 @@ \ This assumes that the entire erase block is in memory : another-node? ( adr -- false | adr' true ) - eb-end swap ?do + dup h# 100 + eb-end umin ( adr end-adr ) + swap ?do i w@ jffs2-magic = if i header-crc? if i +raw-node eb-end u<= if

1 0

r615 - dev/olpc/keyboard
by svn＠openbios.org Sept. 18, 2007

Sept. 18, 2007

Author: wmb Date: 2007-09-18 03:23:25 +0200 (Tue, 18 Sep 2007) New Revision: 615 Modified: dev/olpc/keyboard/selftest.fth Log: OLPC keyboard selftest - fixed bug with test-all introduced by rev 611. Modified: dev/olpc/keyboard/selftest.fth =================================================================== --- dev/olpc/keyboard/selftest.fth 2007-09-17 23:40:58 UTC (rev 614) +++ dev/olpc/keyboard/selftest.fth 2007-09-18 01:23:25 UTC (rev 615) @@ -197,7 +197,6 @@ toss-keys " translation-off" $call-parent selftest-keys " translation-on" $call-parent toss-keys cursor-on - iunselect screen-ih iselect erase-screen iunselect page close

1 0

r614 - cpu/x86/pc/olpc
by svn＠openbios.org Sept. 17, 2007

Sept. 17, 2007

Author: wmb Date: 2007-09-18 01:40:58 +0200 (Tue, 18 Sep 2007) New Revision: 614 Added: cpu/x86/pc/olpc/life.fth Modified: cpu/x86/pc/olpc/fw.bth Log: OLPC load file changes in support of safer "flash" command. Also new Easter egg. Modified: cpu/x86/pc/olpc/fw.bth =================================================================== --- cpu/x86/pc/olpc/fw.bth 2007-09-17 23:37:47 UTC (rev 613) +++ cpu/x86/pc/olpc/fw.bth 2007-09-17 23:40:58 UTC (rev 614) @@ -330,7 +330,6 @@ fload ${BP}/cpu/x86/pc/olpc/suspend.fth \ Suspend/resume setup fload ${BP}/dev/olpc/keyboard/selftest.fth \ Keyboard diagnostic fload ${BP}/dev/olpc/touchpad/touchpad.fth \ Touchpad diagnostic -fload ${BP}/dev/olpc/kb3700/battery.fth \ Battery status reports fload ${BP}/cpu/x86/pc/olpc/copynand.fth fload ${BP}/cpu/x86/pc/olpc/nandstat.fth \ fload ${BP}/cpu/x86/pc/olpc/carousel.fth \ Carouseled NAND writing @@ -339,6 +338,13 @@ fload ${BP}/cpu/x86/pc/olpc/security.fth fload ${BP}/cpu/x86/pc/olpc/setwp.fth fload ${BP}/ofw/gui/ofpong.fth +fload ${BP}/cpu/x86/pc/olpc/life.fth +: olpc-power-off ( -- ) + gx-power-off \ Try the nice way first + d# 20 ms + ec-power-off \ Then try the hard way +; +' olpc-power-off to power-off [then] \ Eliminate 4 second delay in install console for the case where @@ -490,7 +496,9 @@ game-key-mask h# 40 and if start-sound then ; : ?games ( -- ) - game-key-mask h# 20 and if pong then + game-key-mask h# 20 and if + time&date 5drop 1 and if pong else d# 1200 life then + then ; : ?freeze ( -- ) game-key-mask h# 10 and if freeze then @@ -545,7 +553,7 @@ ; : newrom - " flash http:\\10.20.0.14\new.rom" eval + " flash! http:\\10.20.0.14\new.rom" eval \ " wifi media lab 802.11" eval \ " flash http:\\18.85.46.172\new.rom" eval ; Added: cpu/x86/pc/olpc/life.fth =================================================================== --- cpu/x86/pc/olpc/life.fth (rev 0) +++ cpu/x86/pc/olpc/life.fth 2007-09-17 23:40:58 UTC (rev 614) @@ -0,0 +1,192 @@ + +\ rgb color value +h# ff 0 0 rgb>565 constant xred \ red +h# 0 0 0 rgb>565 constant xblack \ black + +\ screen size constant +d# 128 constant lf_width +d# 95 constant lf_height + +\ board and working area +lf_width lf_height * constant /board +/board buffer: lf_board +/board buffer: lf_board_work + +\ some macros to get a linear address o a cell of board or working area +: >offset ( i j -- lin_addr ) swap lf_width * + ; +: >cell ( i j -- adr ) swap lf_width * + lf_board + ; +: >work ( i j -- adr ) swap lf_width * + lf_board_work + ; + +: show-cell ( state y x -- ) + >offset swap if xred else xblack then show-state +; + +\ display the board of life +: lf_board_print ( -- ) + lf_height 0 do + lf_width 0 do + j i >cell c@ j i show-cell + loop + loop +; + +\ working variable +variable cell-sum + +: xy+ ( x1 y1 x2 y2 -- x3 y3 ) rot + -rot + swap ; + +: +sum ( i j +i +j -- i j ) + 2over xy+ ( i j i' j' ) + >cell c@ cell-sum +! ( i j ) +; + +: lf_check_live_i_j ( i j -- ncell ) + cell-sum off ( i j ) + -1 -1 +sum + -1 0 +sum + -1 1 +sum + 0 -1 +sum + 0 1 +sum + 1 -1 +sum + 1 0 +sum + 1 1 +sum ( i j ) + 2drop cell-sum @ ( sum ) +; + +\ one step evolve the board +: lf_board_evolve + + \ copy the line before the last to the first one and the second to the last + lf_board lf_width lf_height 2 - * + lf_board lf_width move + lf_board lf_width + lf_board lf_width lf_height 1 - * + lf_width move + + \ copy the column before last to the first one and the second to the last + lf_height 0 do + i lf_width 2 - >cell @ i 0 >cell c! + i 1 >cell @ i lf_width 1 - >cell c! + loop + + lf_height 1 - 1 do + lf_width 1 - 1 do + j i lf_check_live_i_j ( sum1 ) + j i >cell c@ if ( sum1 ) + \ caso in cui nella cella c'e' 1 + 2 3 between ( 0|-1 ) + else ( sum1 ) + \ caso in cui nella cella c'e' 0 + 3 = ( 0|-1 ) + then + negate ( 0|1 ) + dup j i >work c! ( 0|1 ) + dup j i >cell c@ <> if ( 0|1 ) + j i show-cell + else + drop + then + loop + loop + lf_board_work lf_board /board move +; + +decimal +\ initialize data +: set-cell ( i j -- ) >cell 1 swap c! ; +: init-board ( -- ) + lf_board /board erase +[ifdef] notdef + 2 2 set-cell + 3 3 set-cell + 4 3 set-cell + 4 2 set-cell + 4 1 set-cell +[else] + + \ R-pentominos + \ This placement evolves nicely + \ 20 20 set-cell 20 21 set-cell 21 19 set-cell 21 20 set-cell 22 20 set-cell + + \ This placement is boring + \ 40 20 set-cell 40 21 set-cell 41 19 set-cell 41 20 set-cell 42 20 set-cell + + \ This one is excellent! + \ 20 40 set-cell 20 41 set-cell 21 39 set-cell 21 40 set-cell 22 40 set-cell + + \ This one almost dies out, then explodes into a complex arrangement with + \ stuff happening everywhere. + \ 20 60 set-cell 20 61 set-cell 21 59 set-cell 21 60 set-cell 22 60 set-cell + + \ This one takes a long time to kill off the glider gun, then lasts for a long time + \ 20 80 set-cell 20 81 set-cell 21 79 set-cell 21 80 set-cell 22 80 set-cell + + \ This one takes out the block at the right side of the glider gun, which + \ disperses in an interesting pattern, then the whole arena dies quickly + \ 20 78 set-cell 20 79 set-cell 21 77 set-cell 21 78 set-cell 22 78 set-cell + + \ This one is absolutely brilliant! It takes out the glider gun, which + \ disperse in a boring way, but then the rest of the pattern just keeps + \ changing and changing, after looking like it is about to die several times. + \ It eventually dies about about 5000 generations. + 20 79 set-cell 20 80 set-cell 21 78 set-cell 21 79 set-cell 22 79 set-cell + + \ Glider gun + 55 21 set-cell + 55 22 set-cell + 56 21 set-cell + 56 22 set-cell + 53 34 set-cell + 53 33 set-cell + 54 32 set-cell + 55 31 set-cell + 56 31 set-cell + 57 31 set-cell + 58 32 set-cell + 59 33 set-cell + 59 34 set-cell + 56 35 set-cell + 54 36 set-cell + 55 37 set-cell + 56 37 set-cell + 56 38 set-cell + 57 37 set-cell + 58 36 set-cell + + 55 41 set-cell + 54 41 set-cell + 53 41 set-cell + 55 42 set-cell + 54 42 set-cell + 53 42 set-cell + + 52 43 set-cell + 52 45 set-cell + 51 45 set-cell + 56 43 set-cell + 56 45 set-cell + 57 45 set-cell + + 53 55 set-cell + 53 56 set-cell + 54 55 set-cell + 54 56 set-cell + +[then] +; +hex + +: show-board ( -- ) + cursor-off " erase-screen" $call-screen + lf_board_print +; + +\ Version that displays the result in-place +: generations ( n -- ) + show-board + ( n ) 0 do lf_board_evolve loop +; +: life ( #generations -- ) + page + init-board + generations +; + +\ 500 generations

1 0

r613 - dev/usb2/device/wlan
by svn＠openbios.org Sept. 17, 2007

Sept. 17, 2007

Author: wmb Date: 2007-09-18 01:37:47 +0200 (Tue, 18 Sep 2007) New Revision: 613 Modified: dev/usb2/device/wlan/usb8388.fth Log: USB Wlan driver - Added support for disconnect-while-host-is-sleeping. Modified: dev/usb2/device/wlan/usb8388.fth =================================================================== --- dev/usb2/device/wlan/usb8388.fth 2007-09-17 23:34:55 UTC (rev 612) +++ dev/usb2/device/wlan/usb8388.fth 2007-09-17 23:37:47 UTC (rev 613) @@ -1105,7 +1105,49 @@ wait-cmd-resp if exit then ; +2 constant gpio-pin +d# 20 constant wake-gap +1 constant wake-on-broadcast +2 constant wake-on-unicast +4 constant wake-on-mac-event +-1 constant remove-wakeup +\ LED_GPIO_CTRL + +: host-sleep-activate ( -- ) + 0 h# 45 ( CMD_802_11_HOST_SLEEP_ACTIVATE ) prepare-cmd + 0 outbuf-bulk-out if exit then + wait-cmd-resp if exit then +; + +: host-sleep-config ( conditions -- ) + >r + 6 h# 43 ( CMD_802_11_HOST_SLEEP_CFG ) prepare-cmd +\ ACTION_SET +xw + + r> +xl + gpio-pin +xb + wake-gap +xb + + 6 outbuf-bulk-out if exit then + wait-cmd-resp if exit then +; + +: unicast-wakeup ( -- ) wake-on-unicast host-sleep-config ; +: broadcast-wakeup ( -- ) wake-on-unicast wake-on-broadcast or host-sleep-config ; +: sleep ( -- ) host-sleep-activate ; + +[ifdef] notdef \ This is test code that only works with a special debug version of the Libertas firmware +: autostart ( -- ) + h# 82 h# 9b ( CMD_MESH_ACCESS ) prepare-cmd + 5 +xw \ CMD_ACT_SET_ANYCAST + h# 700000 +xl + + h# 82 outbuf-bulk-out if exit then + wait-cmd-resp if exit then +; +[then] + \ LICENSE_BEGIN \ Copyright (c) 2007 FirmWorks \

1 0

r612 - cpu/x86/pc/olpc dev/geode dev/olpc/kb3700 dev/olpc/spiflash
by svn＠openbios.org Sept. 17, 2007

Sept. 17, 2007

Author: wmb Date: 2007-09-18 01:34:55 +0200 (Tue, 18 Sep 2007) New Revision: 612 Modified: cpu/x86/pc/olpc/devices.fth dev/geode/acpi.fth dev/olpc/kb3700/battery.fth dev/olpc/kb3700/ecio.fth dev/olpc/spiflash/spiui.fth Log: OLPC "flash" command - guard against common failure modes like power loss and premature power button pushes. Modified: cpu/x86/pc/olpc/devices.fth =================================================================== --- cpu/x86/pc/olpc/devices.fth 2007-09-17 23:32:59 UTC (rev 611) +++ cpu/x86/pc/olpc/devices.fth 2007-09-17 23:34:55 UTC (rev 612) @@ -124,6 +124,27 @@ [then] device-end +dev /8042/keyboard +0 value waiting-up? +: olpc-check-abort ( scan-code -- abort? ) \ Square pressed? + last-scan over to last-scan ( scan-code old-scan-code ) + h# e0 <> if drop false exit then ( scan-code ) + + check-abort? 0= if drop false exit then ( scan-code ) + + dup h# 7f and h# 5d <> if drop false exit then ( scan-code ) + + h# 80 and if \ Up + false to waiting-up? + false ( abort? ) + else + waiting-up? 0= ( abort? ) + true to waiting-up? + then +; +patch olpc-check-abort check-abort get-scan +dend + 0 0 " i70" " /isa" begin-package \ Real-time clock node fload ${BP}/dev/ds1385r.fth 8 encode-int 0 encode-int encode+ " interrupts" property @@ -233,6 +254,8 @@ \needs md5init fload ${BP}/ofw/ppp/md5.fth \ MD5 hash +fload ${BP}/dev/geode/acpi.fth \ Power management + fload ${BP}/dev/olpc/kb3700/ecspi.fth \ EC chip SPI FLASH access warning @ warning off @@ -275,6 +298,8 @@ fload ${BP}/cpu/x86/pc/olpc/mfgtree.fth \ Manufacturing data in device tree fload ${BP}/cpu/x86/pc/olpc/kbdtype.fth \ Export keyboard type +fload ${BP}/dev/olpc/kb3700/battery.fth \ Battery status reports + fload ${BP}/dev/olpc/spiflash/spiflash.fth \ SPI FLASH programming fload ${BP}/dev/olpc/spiflash/spiui.fth \ User interface for SPI FLASH programming fload ${BP}/dev/olpc/spiflash/recover.fth \ XO-to-XO SPI FLASH recovery @@ -304,8 +329,6 @@ devalias screen /display also hidden d# 34 to display-height previous \ For editing -fload ${BP}/dev/geode/acpi.fth \ Power management - fload ${BP}/cpu/x86/adpcm.fth \ ADPCM decoding [ifdef] rom-loaded Modified: dev/geode/acpi.fth =================================================================== --- dev/geode/acpi.fth 2007-09-17 23:32:59 UTC (rev 611) +++ dev/geode/acpi.fth 2007-09-17 23:34:55 UTC (rev 612) @@ -12,15 +12,11 @@ : pm@ ( offset -- n ) pm-base + pl@ ; : pm! ( n offset -- ) pm-base + pl! ; -: enable-power-button ( -- ) h# 100 2 acpi-w! ; +: enable-power-button ( -- ) 2 acpi-w@ h# 100 or 2 acpi-w! ; +: disable-power-button ( -- ) 2 acpi-w@ h# 100 invert and 2 acpi-w! ; h# 4000.0000 constant pm-enable : gx-power-off ( -- ) - \ If the keyboard controller is off (after "flash"), power off doesn't work. - \ I suspect that is because the EC doesn't notice the deassertion - \ of main_on and sus_on from the 5536. - ec-power-off - \ The rest of this will succeed in turning off the CPU, but the EC will \ stay on. The ec-power-off above turns off both the EC and CPU, so the \ rest of this is for historical interest only. Modified: dev/olpc/kb3700/battery.fth =================================================================== --- dev/olpc/kb3700/battery.fth 2007-09-17 23:32:59 UTC (rev 611) +++ dev/olpc/kb3700/battery.fth 2007-09-17 23:34:55 UTC (rev 612) @@ -77,7 +77,7 @@ dup abs d# 10,000 / <# u# u# [char] . hold u#s swap sign u#> type pop-base ; -: 2.d ( n -- ) push-decimal <# u# u#s u#> type pop-base ; +\needs 2.d : 2.d ( n -- ) push-decimal <# u# u#s u#> type pop-base ; : .% ( n -- ) 2.d ." %" ; : .bat ( -- ) bat-status@ ( stat ) @@ -101,11 +101,17 @@ then drop ; + +: ?enough-power ( ) + bat-status@ ( stat ) + dup h# 10 and 0= abort" AC not present" ( stat ) + dup 1 and 0= abort" Battery not present" ( stat ) + 4 and abort" Battery low" +; + : watch-battery ( -- ) - cursor-off begin (cr .bat kill-line d# 1000 ms key? until key drop - cursor-on ; \ send questions to andrew at gold peak Modified: dev/olpc/kb3700/ecio.fth =================================================================== --- dev/olpc/kb3700/ecio.fth 2007-09-17 23:32:59 UTC (rev 611) +++ dev/olpc/kb3700/ecio.fth 2007-09-17 23:34:55 UTC (rev 612) @@ -267,6 +267,7 @@ 7 to spi-us \ Measured time for "1 fea9 ec!" is 7.9 uS kbc-off + disable-power-button \ Guard against the user panicing ; : use-local-ec ( -- ) ['] io-spi-start to spi-start ; use-local-ec Modified: dev/olpc/spiflash/spiui.fth =================================================================== --- dev/olpc/spiflash/spiui.fth 2007-09-17 23:32:59 UTC (rev 611) +++ dev/olpc/spiflash/spiui.fth 2007-09-17 23:34:55 UTC (rev 612) @@ -241,7 +241,8 @@ $get-file ; -: flash ( ["filename"] -- ) get-file reflash ; +: flash ( ["filename"] -- ) get-file ?enough-power reflash ; +: flash! ( ["filename"] -- ) get-file reflash ; \ This is a slower version of "rom-va flash-buf /flash lmove" \ It works around the problem that continuous CPU access to the

1 0

r611 - dev/olpc/keyboard
by svn＠openbios.org Sept. 17, 2007

Sept. 17, 2007

Author: wmb Date: 2007-09-18 01:32:59 +0200 (Tue, 18 Sep 2007) New Revision: 611 Modified: dev/olpc/keyboard/selftest.fth Log: OLPC keyboard selftest - use "open/close" instead of iselect so the selftest method is independent of the value of "stdin". Modified: dev/olpc/keyboard/selftest.fth =================================================================== --- dev/olpc/keyboard/selftest.fth 2007-09-17 23:30:12 UTC (rev 610) +++ dev/olpc/keyboard/selftest.fth 2007-09-17 23:32:59 UTC (rev 611) @@ -191,7 +191,7 @@ : toss-keys ( -- ) begin key? while key drop repeat ; : selftest ( -- error? ) - stdin @ iselect + open 0= if true exit then make-keys cursor-off draw-keyboard toss-keys " translation-off" $call-parent @@ -200,6 +200,7 @@ iunselect screen-ih iselect erase-screen iunselect page + close false ;

1 0

r610 - dev/usb2/device/storage
by svn＠openbios.org Sept. 17, 2007

Sept. 17, 2007

Author: wmb Date: 2007-09-18 01:30:12 +0200 (Tue, 18 Sep 2007) New Revision: 610 Modified: dev/usb2/device/storage/scsidisk.fth Log: USB mass storage driver - removed spinner from the read routine. Modified: dev/usb2/device/storage/scsidisk.fth =================================================================== --- dev/usb2/device/storage/scsidisk.fth 2007-09-17 23:29:26 UTC (rev 609) +++ dev/usb2/device/storage/scsidisk.fth 2007-09-17 23:30:12 UTC (rev 610) @@ -149,10 +149,7 @@ \ These three methods are called by the deblocker. : max-transfer ( -- n ) parent-max-transfer ; -: read-blocks ( addr block# #blocks -- #read ) - " show-progress" evaluate - true d# 8 r/w-blocks -; +: read-blocks ( addr block# #blocks -- #read ) true d# 8 r/w-blocks ; : write-blocks ( addr block# #blocks -- #written ) false d# 10 r/w-blocks ; \ Methods used by external clients

1 0

r609 - cpu/x86/pc/olpc
by svn＠openbios.org Sept. 17, 2007

Sept. 17, 2007

Author: wmb Date: 2007-09-18 01:29:26 +0200 (Tue, 18 Sep 2007) New Revision: 609 Modified: cpu/x86/pc/olpc/crypto.bth cpu/x86/pc/olpc/crypto.fth cpu/x86/pc/olpc/loaddropins.fth cpu/x86/pc/olpc/security.fth Log: OLPC firmware security - use 4 keys in the firmware. Modified: cpu/x86/pc/olpc/crypto.bth =================================================================== --- cpu/x86/pc/olpc/crypto.bth 2007-09-17 23:15:36 UTC (rev 608) +++ cpu/x86/pc/olpc/crypto.bth 2007-09-17 23:29:26 UTC (rev 609) @@ -5,9 +5,11 @@ fload ${BP}/cpu/x86/pc/olpc/versions.fth -" wget http://dev.laptop.org/pub/firmware/crypto/bios_crypto-${CRYPTO_VERSION}.img -O crypto.img" expand$ $sh -" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/os.public -O os.public" expand$ $sh -" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/fw.public -O fw.public" expand$ $sh +" wget http://dev.laptop.org/pub/firmware/crypto/bios_verify-${CRYPTO_VERSION}.img -O verify.img" expand$ $sh +" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/os.public -O os.public" expand$ $sh +" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/fw.public -O fw.public" expand$ $sh +" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/os.public -O lease.public" expand$ $sh +" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/fw.public -O developer.public" expand$ $sh \ This forces the creation of an crypto.log file, so we don't re-fetch writing crypto.version Modified: cpu/x86/pc/olpc/crypto.fth =================================================================== --- cpu/x86/pc/olpc/crypto.fth 2007-09-17 23:15:36 UTC (rev 608) +++ cpu/x86/pc/olpc/crypto.fth 2007-09-17 23:29:26 UTC (rev 609) @@ -1,9 +1,9 @@ purpose: Interface to cryptographic code for firmware image validation \ See license at end of file -h# c0000 constant crypto-base \ The address the code is linked to run at -h# d0000 constant crypto-bss \ The address the code is linked to run at -h# 10000 constant /crypto-bss +h# c0000 constant verify-base \ The address the code is linked to run at +h# d0000 constant verify-bss \ The address the code is linked to run at +h# 10000 constant /verify-bss 0 [if] h# c0000 constant hasher-base \ The address the code is linked to run at @@ -25,34 +25,17 @@ 0 value crypto-loaded? : load-crypto ( -- error? ) crypto-loaded? if false exit then - " crypto" find-drop-in 0= if true exit then ( prog$ ) - 2dup crypto-base swap move free-mem ( ) + " verify" find-drop-in 0= if true exit then ( prog$ ) + 2dup verify-base swap move free-mem ( ) true to crypto-loaded? false ; -h# 200 buffer: pubkey -0 value /pubkey -: load-key ( name$ -- error? ) - find-drop-in 0= if true exit then ( key$ ) - dup h# 200 > if free-mem true exit then ( key$ ) - dup to /pubkey ( key$ ) - 2dup pubkey swap move ( key$ ) - free-mem - false -; +: signature-bad? ( data$ sig$ key$ hashname$ -- mismatch? ) + $cstr + verify-bss /verify-bss erase ( data$ sig$ key$ 'hashname ) + verify-base dup h# 10 - sp-call >r 3drop 4drop r> ( result ) -: signature-bad? ( data$ sig$ hashname$ -- mismatch? ) - $cstr >r ( data$ sig$ r: 'hashname ) - - swap 2swap swap ( siglen sigadr datalen dataadr ) - /pubkey pubkey 2swap ( siglen sigadr keylen keyadr datalen dataadr ) - r> ( siglen sigadr keylen keyadr datalen dataadr 'hashname ) - - - crypto-bss /crypto-bss erase - crypto-base dup h# 10 - sp-call >r 3drop 4drop r> ( result ) - \ XXX free-mem in suspend.fth and fw.bth after find-drop-in \ XXX clean out dead code in usb.fth ; Modified: cpu/x86/pc/olpc/loaddropins.fth =================================================================== --- cpu/x86/pc/olpc/loaddropins.fth 2007-09-17 23:15:36 UTC (rev 608) +++ cpu/x86/pc/olpc/loaddropins.fth 2007-09-17 23:29:26 UTC (rev 609) @@ -38,6 +38,8 @@ " ${BP}/ofw/termemu/gallant.obf" " font" $add-deflated-dropin - " crypto.img" " crypto" $add-deflated-dropin - " os.public" " oskey" $add-dropin \ Incompressible - " fw.public" " fwkey" $add-dropin \ Incompressible + " verify.img" " verify" $add-deflated-dropin + " os.public" " ospubkey" $add-dropin \ Incompressible + " fw.public" " fwpubkey" $add-dropin \ Incompressible + " lease.public" " leasepubkey" $add-dropin \ Incompressible + " developer.public" " develpubkey" $add-dropin \ Incompressible Modified: cpu/x86/pc/olpc/security.fth =================================================================== --- cpu/x86/pc/olpc/security.fth 2007-09-17 23:15:36 UTC (rev 608) +++ cpu/x86/pc/olpc/security.fth 2007-09-17 23:29:26 UTC (rev 609) @@ -3,6 +3,7 @@ \ Specs at http://wiki.laptop.org/go/Firmware_Security +: developer-device-list " disk sd nand" ; : boot-device-list " disk sd nand" ; true value debug-security? @@ -34,9 +35,44 @@ : PN pn-buf count ; previous definitions +\ key: is a defining word whose children return key strings. +\ Each child word has the name of its key stored in the dictionary. +\ The first time that a child word executes, it uses the key name +\ to find the key value and caches the key value in RAM so subsequent +\ uses are faster. + +: key: ( name$ "name" -- key$ ) + create 0 , 0 , ", \ adr len name + does> ( apf -- key$ ) + dup @ if 2@ exit then ( apf ) + dup 2 na+ count ( apf name$ ) + 2dup find-drop-in if ( apf name$ key$ ) + 2nip + else ( apf name$ ) + ." Can't load key " type cr + " Missing Key" ( apf bad-key$ ) + then + rot >r 2dup r> 2! ( key$ ) +; +" ospubkey" key: oskey$ +" fwpubkey" key: fwkey$ +" develpubkey" key: develkey$ +" leasepubkey" key: leasekey$ + +\ pubkey$ is a global variable that points to the currently-selected +\ public key string. It simplifies the stack manipulations for other +\ words, since the same key string is often used multiple times. +0 0 2value pubkey$ + +\ sig-buf is used for storing the binary version of signature strings +\ that have been decoded from the hex representation. + d# 256 constant /sig /sig buffer: sig-buf +\ hex-decode decodes a hexadecimal signature string, storing it in +\ binary form at sig-buf. It returns the adr,len of the binary string. + : hex-decode ( hex$ -- true | sig$ false ) dup /sig 2* <> if ( ." Bad signature length" cr ) @@ -52,6 +88,10 @@ sig-buf tuck - false ( sig$ false ) ; +\ parse-sig parses a "sig01:" format signature string, returning its +\ hashname and signature substrings. It converts the signature +\ substring from ASCII hex to binary bytes. + : parse-sig ( sig01$ -- true | hashname$ sig$ false ) dup d# 89 < if 2drop true exit then bl left-parse-string " sig01:" $= 0= if 2drop true exit then ( rem$ ) @@ -61,6 +101,12 @@ hex-decode if 2drop true else false then ; +\ zip-extent looks inside a memory-resident ZIP archive and returns +\ the address,length of a given component of that archive. This +\ assumes that the components are "stored", not "deflated". It +\ depends on the existence of a support package named "/lzip" to +\ do the work. + : zip-extent ( name$ -- adr len ) expand$ open-dev ?dup 0= if " " exit then >r @@ -68,10 +114,23 @@ " size" r@ $call-method drop r> close-dev ; + +\ sig$ and img$ find the signature and signed-image components of +\ a ZIP bundle image that is already in memory. + : sig$ ( -- adr len ) " /lzip:\data.sig" zip-extent ; : img$ ( -- adr len ) " /lzip:\data.img" zip-extent ; + +\ bundle-name$ returns the full OFW pathname of a signed image +\ bundle, piecing it together from the device (DN), path (PN), +\ filename head (CN), and filename body (FN) macros. + : bundle-name$ ( -- $ ) " ${DN}:${PN}\${CN}${FN}.zip" expand$ ; +\ bundle-present? determines the existence (or not) of a signed image +\ bundle whose name is constructed from the current settings of the +\ device (DN), path (PN), filename head (CN), and filename body (FN). + : bundle-present? ( -- flag ) bundle-name$ " Trying " ?lease-debug 2dup ?lease-debug-cr @@ -79,32 +138,53 @@ true ; +\ hashname remembers the most recently used hashname to guard against +\ attacks based on reuse of the same (presumably compromized) hash. + d# 32 buffer: hashname -\ fn-buf and pn-buf must contain the base file name and path -: valid? ( data$ sig$ -- okay? ) + +\ valid? checks the validity of data$ against the ASCII signature +\ record sig01$, using the public key that pubkey$ points to. +\ It also verifies that the hashname contained in sig01$ is not +\ the same one that was last used (for verification of firmware +\ images against two different hashes). + +: valid? ( data$ sig01$ -- okay? ) parse-sig if ." Bad signature format in " bundle-name$ type cr false exit then ( data$ hashname$ sig$ ) + 2swap d# 31 min ( data$ sig$ hashname$' ) + \ Check for duplicate hashname attacks - 2swap 2dup hashname count $= if ( data$ sig$ hashname$ ) + 2dup hashname count $= if ( data$ sig$ hashname$ ) ." Duplicate hash name in " bundle-name$ type cr 4drop false exit - then + then ( data$ sig$ hashname$ ) - d# 31 min hashname place ( data$ sig$ ) + hashname place ( data$ sig$ ) - hashname count signature-bad? 0= + pubkey$ hashname count signature-bad? 0= ( okay? ) ; +\ earliest is the earliest acceptable date value (in seconds). +\ It is the date that the first test version of this code was +\ deployed. If a laptop has any earlier date that than, that +\ date is presumed bogus. + d# 2007 d# 12 * 8 1- + d# 31 * d# 27 + constant earliest + 0. 2value current-seconds -\ This isn't an accurate calculation of seconds, but it -\ is sufficient for comparison purposes so long as we -\ use the same calculation in all cases. It is not good -\ if we need to do arithmetic on dates. +\ get-date reads the date and time from the real time clock +\ and converts it to seconds. + +\ The seconds conversion uses a simplified approach that ignores +\ leap years and the like - it assumes that all months are 31 days. +\ This is sufficient for comparison purposes so long as we use the +\ same calculation in all cases. It is not good for doing +\ arithmetic on dates. : get-date ( -- error? ) time&date ( s m h d m y ) d# 12 * swap 1- + ( s m h d m' ) \ Months start at 1 @@ -121,17 +201,24 @@ false ; +\ break$ splits a string into an initial substring of length n +\ (head$) and the residual substring (tail$). If the input +\ string is shorter than n, head$ is the input string and tail$ is +\ the null string. + : break$ ( $ n -- tail$ head$ ) + 2dup < if drop null$ 2swap exit then dup >r /string ( tail$ ) over r@ - r> ( tail$ head$ ) ; 0. 2value exp-seconds \ Accumulator for parsing data/time strings -\ This is a factor used for parsing 2-digit fields from date/time strings. +\ numfield is a factor used for parsing 2-digit fields from date/time strings. \ Radix is the number to scale the result by, i.e. one more than the maximum \ value of the field. Adjust is 0 for fields whose first valid value is 0 \ (hours, minutes, seconds) or 1 for fields that start at 1 (month,day). + : numfield ( exp$ adjust radix -- exp$' ) >r >r ( exp$ r: radix adjust ) 2 break$ $number throw ( exp$' num r: radix adjust ) @@ -144,6 +231,10 @@ rot 0 d+ to exp-seconds ( exp$ ) ; +\ expiration-to-seconds parses an expiration date string like +\ "20070820T130401Z", converting it to (double precision) seconds +\ according to the simplified calculation described above for "get-date" + : (expiration-to-seconds) ( expiration$ -- true | d.seconds false ) 4 break$ $number throw ( exp$' year ) dup d# 2999 u> throw ( exp$' year ) @@ -169,6 +260,9 @@ dup if nip nip then ; +\ expired? determines whether or not the expiration time string is +\ earlier than this machine's current time (from the real time clock). + : expired? ( expiration$ -- bad? ) expiration-to-seconds if true exit then current-seconds d< @@ -177,15 +271,24 @@ d# 1024 constant /sec-line-max /sec-line-max buffer: sec-line-buf -\ Remove bogus null characters from the end of tags on old machines +\ Remove bogus null characters from the end of mfg data tags (old machines +\ have malformed tags) : ?-null ( adr len -- adr' len' ) dup if 2dup + 1- c@ 0= if 1- then ( adr len' ) then ; +\ machine-id-buf is a buffer into which the machine signature string, +\ including serial number, UUID, and expiration time, is place. +\ That string is the signed object for lease and developer key verification. + d# 65 buffer: machine-id-buf +\ get-my-sn get the machine identification info including serial number +\ and UUID from the manufacturing data, placing it into machine-id-buf +\ for later use. The expiration time is added later. + : get-my-sn ( -- error? ) " SN" find-tag 0= if @@ -214,18 +317,33 @@ false ; + +\ my-sn$ returns the serial number portion of the machine identification. +\ get-my-sn must be called before my-sn$ will be valid. + : my-sn$ ( -- adr len ) machine-id-buf d# 11 ; + +\ check-machine-signature verifies the signed object consisting +\ of the machine identification info (SN + UUID) plus the expiration +\ time "expiration$" against the crypto signature string sig$, +\ returning 1 if valid, -1 if invalid. (The unusual return value +\ encoding is because the caller of check-machine-signature returns +\ a tree-state flag; see check-lease.) + : check-machine-signature ( sig$ expiration$ -- -1|1 ) 0 hashname c! machine-id-buf d# 49 + swap move ( sig$ ) machine-id-buf d# 65 2swap valid? if 1 else -1 then ; +\ check-lease checks a lease signature record in act01: format + \ -1 means lease is for this machine and is invalid \ 1 means lease is for this machine and is valid \ 0 means lease is not for this machine -: check-lease ( lease$ -- -1|0|1 ) + +: check-lease ( act01-lease$ -- -1|0|1 ) bl left-parse-string " act01:" $= 0= if " Not act01:" ?lease-debug-cr 2drop -1 exit @@ -253,12 +371,18 @@ then ; -: lease-valid? ( -- flag ) +\ lease-valid? tries to read a lease file from the currently-selected +\ device, searches it for a lease record corresponding to this machine, +\ and checks that record for validity. The return value is true if +\ a valid lease was found. + +: lease-valid? ( -- valid? ) " ${DN}:\security\lease.sig" expand$ ( name$ ) " Trying " ?lease-debug 2dup ?lease-debug-cr r/o open-file if drop false exit then ( ih ) >r ( r: ih ) " Lease " ?lease-debug ( r: ih ) + leasekey$ to pubkey$ ( r: ih ) begin sec-line-buf /sec-line-max r@ read-line if ( actual -eof? ) 2drop r> close-file drop false exit @@ -272,11 +396,25 @@ r> close-file drop false ; +\ ?leased checks the currently-selected device for a valid lease +\ (see lease-valid?), setting the CN macro to "run" if one was +\ found or to "act" otherwise. CN is used to construct a filename +\ like "runos.zip" (the normal OS, used when an valid lease is +\ present) or "actos.zip" (the activation version of the OS). + : ?leased ( -- ) lease-valid? if " run" else " act" then cn-buf place ; -: olpc-load-image ( list$ pathname$ -- okay? ) +\ olpc-load-image is factor that is close the top level of the +\ secure boot process. Given a directory prefix (e.g. "\boot") +\ and a space-delimited list of device names, it searches +\ each device in that list for an OS bundle in that directory. +\ The name of the OS bundle file is either "actos.zip" or +\ "runos.zip" according to whether or not a valid lease for +\ this machine is present on the same device. + +: olpc-load-image ( list$ dirname$ -- okay? ) pn-buf place ( list$ ) begin dup while ( list$ ) bl left-parse-string ( list$ devname$ ) @@ -285,6 +423,7 @@ bundle-present? if ( list$ ) " OS found - " ?lease-debug 0 hashname c! + oskey$ to pubkey$ img$ sig$ valid? if " Signature valid" ?lease-debug-cr img$ tuck load-base swap move !load-size @@ -297,20 +436,20 @@ 2drop false ; +\ secure-load is the top level of the secure OS loading process. +\ It searches for lease files and signed OS image bundles on several +\ different devices. If an OS bundle is not found, it then searches +\ the NAND FLASH for an alternate OS image. + : secure-load ( -- okay? ) load-crypto if ( ) - ." Can't get crypt code" cr ( ) + ." Can't get crypto code" cr ( ) false exit then ( ) get-my-sn if false exit then get-date if false exit then - " oskey" load-key if ( ) - ." Can't find OS public key" cr ( ) - false exit - then ( ) - " os" fn-buf place boot-device-list " \boot" olpc-load-image if true exit then @@ -318,8 +457,19 @@ false ; +\ secure-load-ramdisk is called during the process of preparing an +\ OS image for execution. It looks for an initrd bundle file on +\ the same device where the OS image was found, in a file named +\ either "runrd.zip" or "actrd.zip" depending on the presence of +\ a valid lease. + +\ If no such bundle is found, the OS is booted without a ramdisk. +\ If a valid bundle is found, the OS is booted with that ramdisk. +\ If a bundle is found but it is not valid, the booting process aborts. + \ Call this after the kernel has already been moved away from load-base \ We assume that pn-buf already has the path prefix string + : secure-load-ramdisk ( -- ) \ Bad idea, because the cmdline would need to be signed too \ " /lzip:\cmdline" zip-extent to cmdline @@ -338,14 +488,47 @@ then ; -: check-devel-key ( adr len -- -1|0|1 ) + +\ secure-boot performs the secure boot process + +: secure-boot ( -- ) + debug-security? if screen-ih stdout ! then + ['] secure-load-ramdisk to load-ramdisk + secure-load 0= if fail-load then + loaded sync-cache " init-program" $find if execute else 2drop then + go +; + +\ wp? returns true if a "wp" manufacturing data tag is present + +: wp? ( -- flag ) " wp" find-tag dup if nip nip then ; + +\ ?secure-boot performs either the secure boot algorithm or the +\ historical boot algorithm depending on the presence of a "wp" +\ manufacturing data tag. + +: ?secure-boot ( -- ) wp? if secure-boot else boot then ; +" ?secure-boot" ' boot-command set-config-string-default + + +\ check-devel-key tests the developer signature string "dev01$". + +\ -1 means the signature is for this machine and is invalid +\ 1 means the signature is for this machine and is valid +\ 0 means the signature is not for this machine + +: check-devel-key ( dev01$ -- -1|0|1 ) bl left-parse-string " dev01:" $= 0= if 2drop -1 exit then ( rem$ ) bl left-parse-string ( rem$ serial$ ) - my-sn$ $= 0= if 2drop 0 exit then ( rem$ ) + my-sn$ $= 0= if 2drop 0 exit then ( rem$ ) + develkey$ to pubkey$ " 00000000T000000Z" check-machine-signature ; +\ has-developer-key? searches for a valid developer key on the +\ device given by the DN macro. + : has-developer-key? ( -- flag ) " ${DN}:\security\develop.sig" expand$ ( name$ ) r/o open-file if drop false exit then ( ih ) @@ -363,22 +546,18 @@ r> close-file drop false ; -: developer-device-list " disk sd nand" ; +\ developer? searches a list of devices (given by "developer-device-list") +\ for a valid developer key : developer? ( -- flag ) - get-my-sn if false exit then + get-my-sn if false exit then load-crypto if ( ) ." Can't get crypt code" cr ( ) false exit then ( ) - " fwkey" load-key if ( ) - ." Can't find firmware public key" cr ( ) - false exit - then ( ) - - developer-device-list + developer-device-list ( list$ ) begin dup while ( list$ ) bl left-parse-string dn-buf place ( list$' ) has-developer-key? if ( list$' ) @@ -388,22 +567,7 @@ 2drop false ; -: secure-boot ( -- ) - debug-security? if screen-ih stdout ! then - ['] secure-load-ramdisk to load-ramdisk - secure-load 0= if fail-load then - loaded sync-cache " init-program" $find if execute else 2drop then - go -; -: wp? ( -- flag ) " wp" find-tag dup if nip nip then ; - -: ?secure-boot ( -- ) wp? if secure-boot else boot then ; -" ?secure-boot" ' boot-command set-config-string-default - -\ For dn in boot-device-list -\ if - fexit Firmware security use cases:

1 0