1 /* Copyright 2017 The ChromiumOS Authors 2 * Use of this source code is governed by a BSD-style license that can be 3 * found in the LICENSE file. 4 * 5 * Case Closed Debugging configuration 6 */ 7 #ifndef __CROS_EC_CCD_CONFIG_H 8 #define __CROS_EC_CCD_CONFIG_H 9 10 #include <stdint.h> 11 #include "common.h" 12 #include "compile_time_macros.h" 13 14 /* Case-closed debugging state */ 15 enum ccd_state { 16 CCD_STATE_LOCKED = 0, 17 CCD_STATE_UNLOCKED, 18 CCD_STATE_OPENED, 19 20 /* Number of CCD states */ 21 CCD_STATE_COUNT 22 }; 23 24 /* Flags */ 25 enum ccd_flag { 26 /* Flags that can only be set internally; fill from bottom up */ 27 28 /* 29 * Test lab mode is enabled. This MUST be in the first byte so that 30 * it's in a constant position across all versions of CCD config. 31 * 32 * Note: This is used internally by CCD config. Do NOT test this 33 * to control other things; use capabilities for those. 34 */ 35 CCD_FLAG_TEST_LAB = BIT(0), 36 37 /* 38 * What state were we in when the password was set? 39 * (0=opened, 1=unlocked) 40 */ 41 CCD_FLAG_PASSWORD_SET_WHEN_UNLOCKED = BIT(1), 42 43 /* 44 * Factory mode state 45 */ 46 CCD_FLAG_FACTORY_MODE_ENABLED = BIT(2), 47 48 /* (flags in the middle are unused) */ 49 50 /* 51 * Flags that can be set via ccd_set_flags(); fill from top down. 52 * 53 * Note: To use ccd_set_flags a flag has to be a part of k_public_flags 54 * in ccd_config.c. 55 */ 56 57 /* Enable Rddkeepalive at boot */ 58 CCD_FLAG_RDDKEEPALIVE_AT_BOOT = BIT(19), 59 60 /* Override BATT_PRES_L at boot */ 61 CCD_FLAG_OVERRIDE_BATT_AT_BOOT = BIT(20), 62 63 /* 64 * If overriding BATT_PRES_L at boot, set it to what value 65 * (0=disconnect, 1=connected) 66 */ 67 CCD_FLAG_OVERRIDE_BATT_STATE_CONNECT = BIT(21), 68 69 /* Override write protect at boot */ 70 CCD_FLAG_OVERRIDE_WP_AT_BOOT = BIT(22), 71 72 /* 73 * If overriding WP at boot, set it to what value 74 * (0=disabled, 1=enabled) 75 */ 76 CCD_FLAG_OVERRIDE_WP_STATE_ENABLED = BIT(23), 77 }; 78 79 /* Capabilities */ 80 enum ccd_capability { 81 /* UARTs to/from AP and EC */ 82 CCD_CAP_GSC_RX_AP_TX = 0, 83 CCD_CAP_GSC_TX_AP_RX = 1, 84 CCD_CAP_GSC_RX_EC_TX = 2, 85 CCD_CAP_GSC_TX_EC_RX = 3, 86 87 /* Access to AP SPI flash */ 88 CCD_CAP_AP_FLASH = 4, 89 90 /* Access to EC flash (SPI or internal) */ 91 CCD_CAP_EC_FLASH = 5, 92 93 /* Override WP temporarily or at boot */ 94 CCD_CAP_OVERRIDE_WP = 6, 95 96 /* Reboot EC or AP */ 97 CCD_CAP_REBOOT_EC_AP = 7, 98 99 /* GSC restricted console commands */ 100 CCD_CAP_GSC_RESTRICTED_CONSOLE = 8, 101 102 /* Allow ccd-unlock or ccd-open without AP reboot */ 103 CCD_CAP_UNLOCK_WITHOUT_AP_REBOOT = 9, 104 105 /* Allow ccd-unlock or ccd-open without short physical presence */ 106 CCD_CAP_UNLOCK_WITHOUT_SHORT_PP = 10, 107 108 /* Allow ccd-open without wiping TPM data */ 109 CCD_CAP_OPEN_WITHOUT_TPM_WIPE = 11, 110 111 /* Allow ccd-open without long physical presence */ 112 CCD_CAP_OPEN_WITHOUT_LONG_PP = 12, 113 114 /* Allow removing the battery to bypass physical presence requirement */ 115 CCD_CAP_REMOVE_BATTERY_BYPASSES_PP = 13, 116 117 /* This was UpdateNoTPMWipe which didn't do anything. */ 118 CCD_CAP_UNUSED = 14, 119 120 /* Access to I2C via USB */ 121 CCD_CAP_I2C = 15, 122 123 /* Read-only access to hash or dump EC or AP flash */ 124 CCD_CAP_FLASH_READ = 16, 125 126 /* Allow ccd open without dev mode enabled */ 127 CCD_CAP_OPEN_WITHOUT_DEV_MODE = 17, 128 129 /* Allow ccd open from usb */ 130 CCD_CAP_OPEN_FROM_USB = 18, 131 132 /* Override battery presence temporarily or at boot */ 133 CCD_CAP_OVERRIDE_BATT_STATE = 19, 134 135 /* Allow AP RO verification check vendor command from the AP. */ 136 CCD_CAP_AP_RO_CHECK_VC = 20, 137 138 /* Number of currently defined capabilities */ 139 CCD_CAP_COUNT 140 }; 141 142 /* Capability states */ 143 enum ccd_capability_state { 144 /* Default value */ 145 CCD_CAP_STATE_DEFAULT = 0, 146 147 /* Always available (state >= CCD_STATE_LOCKED) */ 148 CCD_CAP_STATE_ALWAYS = 1, 149 150 /* Unless locked (state >= CCD_STATE_UNLOCKED) */ 151 CCD_CAP_STATE_UNLESS_LOCKED = 2, 152 153 /* Only if opened (state >= CCD_STATE_OPENED) */ 154 CCD_CAP_STATE_IF_OPENED = 3, 155 156 /* Number of capability states */ 157 CCD_CAP_STATE_COUNT 158 }; 159 160 struct ccd_capability_info { 161 /* Capability name */ 162 const char *name; 163 164 /* Default state, if config set to CCD_CAP_STATE_DEFAULT */ 165 enum ccd_capability_state default_state; 166 }; 167 168 #ifdef CONFIG_CCD_OPEN_PREPVT 169 /* In prepvt images always allow ccd open from the console without dev mode */ 170 #define CCD_CAP_STATE_OPEN_REQ CCD_CAP_STATE_ALWAYS 171 #else 172 /* In prod images restrict how ccd can be opened */ 173 #define CCD_CAP_STATE_OPEN_REQ CCD_CAP_STATE_IF_OPENED 174 #endif 175 176 #define CAP_INFO_DATA { \ 177 {"UartGscRxAPTx", CCD_CAP_STATE_ALWAYS}, \ 178 {"UartGscTxAPRx", CCD_CAP_STATE_ALWAYS}, \ 179 {"UartGscRxECTx", CCD_CAP_STATE_ALWAYS}, \ 180 {"UartGscTxECRx", CCD_CAP_STATE_IF_OPENED}, \ 181 \ 182 {"FlashAP", CCD_CAP_STATE_IF_OPENED}, \ 183 {"FlashEC", CCD_CAP_STATE_IF_OPENED}, \ 184 {"OverrideWP", CCD_CAP_STATE_IF_OPENED}, \ 185 {"RebootECAP", CCD_CAP_STATE_IF_OPENED}, \ 186 \ 187 {"GscFullConsole", CCD_CAP_STATE_IF_OPENED}, \ 188 {"UnlockNoReboot", CCD_CAP_STATE_ALWAYS}, \ 189 {"UnlockNoShortPP", CCD_CAP_STATE_ALWAYS}, \ 190 {"OpenNoTPMWipe", CCD_CAP_STATE_IF_OPENED}, \ 191 \ 192 {"OpenNoLongPP", CCD_CAP_STATE_IF_OPENED}, \ 193 {"BatteryBypassPP", CCD_CAP_STATE_ALWAYS}, \ 194 {"Unused", CCD_CAP_STATE_ALWAYS}, \ 195 {"I2C", CCD_CAP_STATE_IF_OPENED}, \ 196 {"FlashRead", CCD_CAP_STATE_ALWAYS}, \ 197 {"OpenNoDevMode", CCD_CAP_STATE_OPEN_REQ}, \ 198 {"OpenFromUSB", CCD_CAP_STATE_OPEN_REQ}, \ 199 {"OverrideBatt", CCD_CAP_STATE_IF_OPENED}, \ 200 {"APROCheckVC", CCD_CAP_STATE_IF_OPENED}, \ 201 } 202 203 #define CCD_STATE_NAMES { "Locked", "Unlocked", "Opened" } 204 #define CCD_CAP_STATE_NAMES { "Never", "Always", "UnlessLocked", "IfOpened" } 205 206 /* Macros regarding ccd_capabilities */ 207 #define CCD_CAP_BITS 2 208 #define CCD_CAP_BITMASK (BIT(CCD_CAP_BITS) - 1) 209 #define CCD_CAPS_PER_BYTE (8 / CCD_CAP_BITS) 210 211 /* 212 * Subcommand code, used to pass different CCD commands using the same TPM 213 * vendor command. 214 */ 215 enum ccd_vendor_subcommands { 216 CCDV_PASSWORD = 0, 217 CCDV_OPEN = 1, 218 CCDV_UNLOCK = 2, 219 CCDV_LOCK = 3, 220 CCDV_PP_POLL_UNLOCK = 4, 221 CCDV_PP_POLL_OPEN = 5, 222 CCDV_GET_INFO = 6, 223 CCDV_PP_POLL_SET_CAPABILITY = 7, 224 CCDV_PP_POLL_WP_DISABLE = 8, 225 }; 226 227 enum ccd_pp_state { 228 CCD_PP_CLOSED = 0, 229 CCD_PP_AWAITING_PRESS = 1, 230 CCD_PP_BETWEEN_PRESSES = 2, 231 CCD_PP_DONE = 3 232 }; 233 234 /* Structure to communicate information about CCD state. */ 235 #define CCD_CAPS_WORDS ((CCD_CAP_COUNT * 2 + 31)/32) 236 struct ccd_info_response { 237 uint32_t ccd_caps_current[CCD_CAPS_WORDS]; 238 uint32_t ccd_caps_defaults[CCD_CAPS_WORDS]; 239 uint32_t ccd_flags; 240 uint8_t ccd_state; 241 uint8_t ccd_force_disabled; 242 /* 243 * A bitmap indicating ccd internal state. 244 * See "enum ccd_indicator_bits" below. 245 */ 246 uint8_t ccd_indicator_bitmap; 247 } __packed; 248 249 enum ccd_indicator_bits { 250 /* Indicates there is a CCD password */ 251 CCD_INDICATOR_BIT_HAS_PASSWORD = BIT(0), 252 253 /* Indicates all CCD capabilities are in CCD_CAP_STATE_DEFAULT state */ 254 CCD_INDICATOR_BIT_ALL_CAPS_DEFAULT = BIT(1), 255 256 /* Indicates device is in initial factory mode (only applies to TI50) */ 257 CCD_INDICATOR_BIT_INITIAL_FACTORY_MODE = BIT(2), 258 }; 259 260 /** 261 * Initialize CCD configuration at boot. 262 * 263 * This must be called before any command which gets/sets the configuration. 264 * 265 * @param state Initial case-closed debugging state. This should be 266 * CCD_STATE_LOCKED unless this is a debug build, or if 267 * a previous value is being restored after a low-power 268 * resume. 269 */ 270 void ccd_config_init(enum ccd_state state); 271 272 /** 273 * Get a single CCD flag. 274 * 275 * @param flag Flag to get 276 * @return 1 if flag is set, 0 if flag is clear 277 */ 278 int ccd_get_flag(enum ccd_flag flag); 279 280 /** 281 * Set a single CCD flag. 282 * 283 * @param flag Flag to set 284 * @param value New value for flag (0=clear, non-zero=set) 285 * @return EC_SUCCESS or non-zero error code. 286 */ 287 int ccd_set_flag(enum ccd_flag flag, int value); 288 289 /** 290 * Check if a CCD capability is enabled in the current CCD mode. 291 * 292 * @param cap Capability to check 293 * @return 1 if capability is enabled, 0 if disabled 294 */ 295 int ccd_is_cap_enabled(enum ccd_capability cap); 296 297 /** 298 * Get the current CCD state. 299 * 300 * This is intended for use by the board if it needs to back up the CCD state 301 * across low-power states and then restore it when calling ccd_config_init(). 302 * Do NOT use this to gate debug capabilities; use ccd_is_cap_enabled() or 303 * ccd_get_flag() instead. 304 * 305 * @return The current CCD state. 306 */ 307 enum ccd_state ccd_get_state(void); 308 309 /** 310 * Force CCD disabled. 311 * 312 * This should be called if security checks fail and for some reason the board 313 * can't immediately reboot. It locks CCD and disables all CCD capabilities 314 * until reboot. 315 */ 316 void ccd_disable(void); 317 318 /** 319 * Get the factory mode state. 320 * 321 * @return 0 if factory mode is disabled, !=0 if factory mode is enabled. 322 */ 323 int ccd_get_factory_mode(void); 324 325 /* Flags for ccd_reset_config() */ 326 enum ccd_reset_config_flags { 327 /* Also reset test lab flag */ 328 CCD_RESET_TEST_LAB = BIT(0), 329 330 /* Only reset Always/UnlessLocked settings */ 331 CCD_RESET_UNLOCKED_ONLY = BIT(1), 332 333 /* 334 * Do a factory reset to enable factory mode. Factory mode sets all ccd 335 * capabilities to always and disables write protect 336 */ 337 CCD_RESET_FACTORY = BIT(2) 338 }; 339 340 /** 341 * Reset CCD config to the desired state. 342 * 343 * @param flags Reset flags (see enum ccd_reset_config_flags) 344 * @return EC_SUCCESS, or non-zero if error. 345 */ 346 int ccd_reset_config(unsigned int flags); 347 348 /** 349 * Inform CCD about TPM reset so that the password management state machine 350 * can be restarted. 351 */ 352 void ccd_tpm_reset_callback(void); 353 354 /** 355 * Return True if the ccd password is set. It is possible that a pending ccd 356 * change would set or clear the password, but we don't think this is a big 357 * issue or risk for now. 358 * 359 * @return 1 if password is set, 0 if it's not 360 */ 361 int ccd_has_password(void); 362 363 /** 364 * Enter CCD factory mode. This will clear the TPM, update the ccd config, and 365 * then do a hard reboot if 'reset_required' is True. 366 */ 367 void enable_ccd_factory_mode(int reset_required); 368 369 /* 370 * Enable factory mode but not necessarily rebooting the device. This will 371 * clear the TPM and disable flash write protection. Will trigger system reset 372 * only if 'reset_required' is True. 373 */ 374 void factory_enable(int reset_required); 375 376 #endif /* __CROS_EC_CCD_CONFIG_H */ 377