Author: wmb Date: Sun Jun 12 10:58:36 2011 New Revision: 2265 URL: http://tracker.coreboot.org/trac/openfirmware/changeset/2265

Log: OLPC XO-1.75 trac #10951 - added code for secure reflash of EC code. Compiles cleanly but as yet untested. The code closely parallels the existing code for secure firmware reflashing.

Modified: cpu/x86/pc/olpc/security.fth

Modified: cpu/x86/pc/olpc/security.fth ============================================================================== --- cpu/x86/pc/olpc/security.fth Sun Jun 12 10:52:58 2011 (r2264) +++ cpu/x86/pc/olpc/security.fth Sun Jun 12 10:58:36 2011 (r2265) @@ -877,7 +877,7 @@ ofw-version$ drop 1+ ((fw-version)) ;

-: firmware-up-to-date? ( img$ -- ) +: firmware-up-to-date? ( img$ -- flag ) /flash <> if show-x " Invalid Firmware image" .security-failure then ( adr ) h# f.ffc7 + ((fw-version)) ( file-version# ) ofw-version-int ( file-version# rom-version# ) @@ -892,13 +892,76 @@ drop ;

+[ifdef] reflash-ec +: ec-up-to-date? ( img$ -- flag ) + /ec-flash <> if show-x " Invalid EC Firmware image" .security-failure then ( adr ) + /ec-flash + h# 100 - cscount ( version&date$ ) + \ If the new image has an invalid signature, the old one is considered up to date + dup d# 25 < if 2drop true exit then ( version&date$ ) + over " XO-EC 4 " comp if 2drop true exit then ( version&date$ ) + bl right-split-string 2drop ( date$ ) + d# 16 <> if 2drop true exit then ( date-adr ) + ec-date$ comp 0<= ( flag ) +; + +defer ec-reflash-off? ' false to ec-reflash-off? +: do-ec-update ( img$ -- ) + +\ Keep .error from printing an input stream position report +\ which makes a buffer@<address> show up in the error message + ['] noop to show-error + + visible + + tuck load-base swap move ( len ) + load-base swap ( adr len ) + + ['] ?ec-image-valid catch ?dup if ( x x ) + 2drop + visible + red-letters + ." Bad EC firmware image file - " .error + ." Continuing with old EC firmware" cr + black-letters + exit + then + + d# 12,000 wait-until \ Wait for EC to notice the battery + + ['] ?enough-power catch ?dup if + visible + red-letters + ." Unsafe to update EC firmware now - " .error + ." Continuing with old EC firmware" cr + black-letters + exit + then + + " Updating EC firmware" ?lease-debug-cr + + ec-indexed-io-off? if + visible + ." Restarting to enable EC FLASH writing." cr + d# 3000 ms + ec-ixio-reboot + security-failure + then + + \ Latch alternate? flag for next startup + alternate? if [char] A h# 82 cmos! then + + reflash-ec \ Should power-off and reboot + show-x + " EC reflash returned, unexpectedly" .security-failure +; +[then] : do-firmware-update ( img$ -- )

-\ Keep .error from printing an input sream position report +\ Keep .error from printing an input stream position report \ which makes a buffer@<address> show up in the error message - ['] noop to show-error + ['] noop to show-error

- visible + visible

tuck flash-buf swap move ( len )

@@ -1053,9 +1116,29 @@ r> close-file drop false ( false ) ;

-: load-from-device ( devname$ -- done? ) +[ifdef] reflash-ec +: ?ec-update ( -- ) + null$ cn-buf place + " ecfw" bundle-present? if + " EC FW found - " ?lease-debug

- show-dot + img$ ec-up-to-date? if + show-plus + " current EC FW is up-to-date" ?lease-debug-cr + else + show-minus + " new - " ?lease-debug + fwkey$ to pubkey$ + img$ sig$ fw-valid? if + img$ do-ec-update + then + show-lock + then + then +; +[then] + +: ?fw-update ( -- ) null$ cn-buf place " bootfw" bundle-present? if " FW found - " ?lease-debug @@ -1073,7 +1156,11 @@ show-lock then then - +; +: load-from-device ( -- done? ) + show-dot + ?ec-update ( devnam) + ?fw-update ( ) ?rtc-update

show-dot