1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * Chromium OS cros_ec driver - sandbox emulation
4 *
5 * Copyright (c) 2013 The Chromium OS Authors.
6 */
7
8 #include <common.h>
9 #include <cros_ec.h>
10 #include <dm.h>
11 #include <ec_commands.h>
12 #include <errno.h>
13 #include <hash.h>
14 #include <malloc.h>
15 #include <os.h>
16 #include <u-boot/sha256.h>
17 #include <spi.h>
18 #include <asm/state.h>
19 #include <asm/sdl.h>
20 #include <linux/input.h>
21
22 /*
23 * Ultimately it shold be possible to connect an Chrome OS EC emulation
24 * to U-Boot and remove all of this code. But this provides a test
25 * environment for bringing up chromeos_sandbox and demonstrating its
26 * utility.
27 *
28 * This emulation includes the following:
29 *
30 * 1. Emulation of the keyboard, by converting keypresses received from SDL
31 * into key scan data, passed back from the EC as key scan messages. The
32 * key layout is read from the device tree.
33 *
34 * 2. Emulation of vboot context - so this can be read/written as required.
35 *
36 * 3. Save/restore of EC state, so that the vboot context, flash memory
37 * contents and current image can be preserved across boots. This is important
38 * since the EC is supposed to continue running even if the AP resets.
39 *
40 * 4. Some event support, in particular allowing Escape to be pressed on boot
41 * to enter recovery mode. The EC passes this to U-Boot through the normal
42 * event message.
43 *
44 * 5. Flash read/write/erase support, so that software sync works. The
45 * protect messages are supported but no protection is implemented.
46 *
47 * 6. Hashing of the EC image, again to support software sync.
48 *
49 * Other features can be added, although a better path is probably to link
50 * the EC image in with U-Boot (Vic has demonstrated a prototype for this).
51 */
52
53 #define KEYBOARD_ROWS 8
54 #define KEYBOARD_COLS 13
55
56 /* A single entry of the key matrix */
57 struct ec_keymatrix_entry {
58 int row; /* key matrix row */
59 int col; /* key matrix column */
60 int keycode; /* corresponding linux key code */
61 };
62
63 /**
64 * struct ec_state - Information about the EC state
65 *
66 * @vbnv_context: Vboot context data stored by EC
67 * @ec_config: FDT config information about the EC (e.g. flashmap)
68 * @flash_data: Contents of flash memory
69 * @flash_data_len: Size of flash memory
70 * @current_image: Current image the EC is running
71 * @matrix_count: Number of keys to decode in matrix
72 * @matrix: Information about keyboard matrix
73 * @keyscan: Current keyscan information (bit set for each row/column pressed)
74 * @recovery_req: Keyboard recovery requested
75 */
76 struct ec_state {
77 uint8_t vbnv_context[EC_VBNV_BLOCK_SIZE];
78 struct fdt_cros_ec ec_config;
79 uint8_t *flash_data;
80 int flash_data_len;
81 enum ec_current_image current_image;
82 int matrix_count;
83 struct ec_keymatrix_entry *matrix; /* the key matrix info */
84 uint8_t keyscan[KEYBOARD_COLS];
85 bool recovery_req;
86 } s_state, *g_state;
87
88 /**
89 * cros_ec_read_state() - read the sandbox EC state from the state file
90 *
91 * If data is available, then blob and node will provide access to it. If
92 * not this function sets up an empty EC.
93 *
94 * @param blob: Pointer to device tree blob, or NULL if no data to read
95 * @param node: Node offset to read from
96 */
cros_ec_read_state(const void * blob,int node)97 static int cros_ec_read_state(const void *blob, int node)
98 {
99 struct ec_state *ec = &s_state;
100 const char *prop;
101 int len;
102
103 /* Set everything to defaults */
104 ec->current_image = EC_IMAGE_RO;
105 if (!blob)
106 return 0;
107
108 /* Read the data if available */
109 ec->current_image = fdtdec_get_int(blob, node, "current-image",
110 EC_IMAGE_RO);
111 prop = fdt_getprop(blob, node, "vbnv-context", &len);
112 if (prop && len == sizeof(ec->vbnv_context))
113 memcpy(ec->vbnv_context, prop, len);
114
115 prop = fdt_getprop(blob, node, "flash-data", &len);
116 if (prop) {
117 ec->flash_data_len = len;
118 ec->flash_data = os_malloc(len);
119 if (!ec->flash_data)
120 return -ENOMEM;
121 memcpy(ec->flash_data, prop, len);
122 debug("%s: Loaded EC flash data size %#x\n", __func__, len);
123 }
124
125 return 0;
126 }
127
128 /**
129 * cros_ec_write_state() - Write out our state to the state file
130 *
131 * The caller will ensure that there is a node ready for the state. The node
132 * may already contain the old state, in which case it is overridden.
133 *
134 * @param blob: Device tree blob holding state
135 * @param node: Node to write our state into
136 */
cros_ec_write_state(void * blob,int node)137 static int cros_ec_write_state(void *blob, int node)
138 {
139 struct ec_state *ec = g_state;
140
141 /* We are guaranteed enough space to write basic properties */
142 fdt_setprop_u32(blob, node, "current-image", ec->current_image);
143 fdt_setprop(blob, node, "vbnv-context", ec->vbnv_context,
144 sizeof(ec->vbnv_context));
145 return state_setprop(node, "flash-data", ec->flash_data,
146 ec->ec_config.flash.length);
147 }
148
149 SANDBOX_STATE_IO(cros_ec, "google,cros-ec", cros_ec_read_state,
150 cros_ec_write_state);
151
152 /**
153 * Return the number of bytes used in the specified image.
154 *
155 * This is the actual size of code+data in the image, as opposed to the
156 * amount of space reserved in flash for that image. This code is similar to
157 * that used by the real EC code base.
158 *
159 * @param ec Current emulated EC state
160 * @param entry Flash map entry containing the image to check
161 * @return actual image size in bytes, 0 if the image contains no content or
162 * error.
163 */
get_image_used(struct ec_state * ec,struct fmap_entry * entry)164 static int get_image_used(struct ec_state *ec, struct fmap_entry *entry)
165 {
166 int size;
167
168 /*
169 * Scan backwards looking for 0xea byte, which is by definition the
170 * last byte of the image. See ec.lds.S for how this is inserted at
171 * the end of the image.
172 */
173 for (size = entry->length - 1;
174 size > 0 && ec->flash_data[entry->offset + size] != 0xea;
175 size--)
176 ;
177
178 return size ? size + 1 : 0; /* 0xea byte IS part of the image */
179 }
180
181 /**
182 * Read the key matrix from the device tree
183 *
184 * Keymap entries in the fdt take the form of 0xRRCCKKKK where
185 * RR=Row CC=Column KKKK=Key Code
186 *
187 * @param ec Current emulated EC state
188 * @param node Keyboard node of device tree containing keyscan information
189 * @return 0 if ok, -1 on error
190 */
keyscan_read_fdt_matrix(struct ec_state * ec,ofnode node)191 static int keyscan_read_fdt_matrix(struct ec_state *ec, ofnode node)
192 {
193 const u32 *cell;
194 int upto;
195 int len;
196
197 cell = ofnode_get_property(node, "linux,keymap", &len);
198 ec->matrix_count = len / 4;
199 ec->matrix = calloc(ec->matrix_count, sizeof(*ec->matrix));
200 if (!ec->matrix) {
201 debug("%s: Out of memory for key matrix\n", __func__);
202 return -1;
203 }
204
205 /* Now read the data */
206 for (upto = 0; upto < ec->matrix_count; upto++) {
207 struct ec_keymatrix_entry *matrix = &ec->matrix[upto];
208 u32 word;
209
210 word = fdt32_to_cpu(*cell++);
211 matrix->row = word >> 24;
212 matrix->col = (word >> 16) & 0xff;
213 matrix->keycode = word & 0xffff;
214
215 /* Hard-code some sanity limits for now */
216 if (matrix->row >= KEYBOARD_ROWS ||
217 matrix->col >= KEYBOARD_COLS) {
218 debug("%s: Matrix pos out of range (%d,%d)\n",
219 __func__, matrix->row, matrix->col);
220 return -1;
221 }
222 }
223
224 if (upto != ec->matrix_count) {
225 debug("%s: Read mismatch from key matrix\n", __func__);
226 return -1;
227 }
228
229 return 0;
230 }
231
232 /**
233 * Return the next keyscan message contents
234 *
235 * @param ec Current emulated EC state
236 * @param scan Place to put keyscan bytes for the keyscan message (must hold
237 * enough space for a full keyscan)
238 * @return number of bytes of valid scan data
239 */
cros_ec_keyscan(struct ec_state * ec,uint8_t * scan)240 static int cros_ec_keyscan(struct ec_state *ec, uint8_t *scan)
241 {
242 const struct ec_keymatrix_entry *matrix;
243 int bytes = KEYBOARD_COLS;
244 int key[8]; /* allow up to 8 keys to be pressed at once */
245 int count;
246 int i;
247
248 memset(ec->keyscan, '\0', bytes);
249 count = sandbox_sdl_scan_keys(key, ARRAY_SIZE(key));
250
251 /* Look up keycode in matrix */
252 for (i = 0, matrix = ec->matrix; i < ec->matrix_count; i++, matrix++) {
253 bool found;
254 int j;
255
256 for (found = false, j = 0; j < count; j++) {
257 if (matrix->keycode == key[j])
258 found = true;
259 }
260
261 if (found) {
262 debug("%d: %d,%d\n", matrix->keycode, matrix->row,
263 matrix->col);
264 ec->keyscan[matrix->col] |= 1 << matrix->row;
265 }
266 }
267
268 memcpy(scan, ec->keyscan, bytes);
269 return bytes;
270 }
271
272 /**
273 * Process an emulated EC command
274 *
275 * @param ec Current emulated EC state
276 * @param req_hdr Pointer to request header
277 * @param req_data Pointer to body of request
278 * @param resp_hdr Pointer to place to put response header
279 * @param resp_data Pointer to place to put response data, if any
280 * @return length of response data, or 0 for no response data, or -1 on error
281 */
process_cmd(struct ec_state * ec,struct ec_host_request * req_hdr,const void * req_data,struct ec_host_response * resp_hdr,void * resp_data)282 static int process_cmd(struct ec_state *ec,
283 struct ec_host_request *req_hdr, const void *req_data,
284 struct ec_host_response *resp_hdr, void *resp_data)
285 {
286 int len;
287
288 /* TODO(sjg@chromium.org): Check checksums */
289 debug("EC command %#0x\n", req_hdr->command);
290
291 switch (req_hdr->command) {
292 case EC_CMD_HELLO: {
293 const struct ec_params_hello *req = req_data;
294 struct ec_response_hello *resp = resp_data;
295
296 resp->out_data = req->in_data + 0x01020304;
297 len = sizeof(*resp);
298 break;
299 }
300 case EC_CMD_GET_VERSION: {
301 struct ec_response_get_version *resp = resp_data;
302
303 strcpy(resp->version_string_ro, "sandbox_ro");
304 strcpy(resp->version_string_rw, "sandbox_rw");
305 resp->current_image = ec->current_image;
306 debug("Current image %d\n", resp->current_image);
307 len = sizeof(*resp);
308 break;
309 }
310 case EC_CMD_VBNV_CONTEXT: {
311 const struct ec_params_vbnvcontext *req = req_data;
312 struct ec_response_vbnvcontext *resp = resp_data;
313
314 switch (req->op) {
315 case EC_VBNV_CONTEXT_OP_READ:
316 memcpy(resp->block, ec->vbnv_context,
317 sizeof(resp->block));
318 len = sizeof(*resp);
319 break;
320 case EC_VBNV_CONTEXT_OP_WRITE:
321 memcpy(ec->vbnv_context, resp->block,
322 sizeof(resp->block));
323 len = 0;
324 break;
325 default:
326 printf(" ** Unknown vbnv_context command %#02x\n",
327 req->op);
328 return -1;
329 }
330 break;
331 }
332 case EC_CMD_REBOOT_EC: {
333 const struct ec_params_reboot_ec *req = req_data;
334
335 printf("Request reboot type %d\n", req->cmd);
336 switch (req->cmd) {
337 case EC_REBOOT_DISABLE_JUMP:
338 len = 0;
339 break;
340 case EC_REBOOT_JUMP_RW:
341 ec->current_image = EC_IMAGE_RW;
342 len = 0;
343 break;
344 default:
345 puts(" ** Unknown type");
346 return -1;
347 }
348 break;
349 }
350 case EC_CMD_HOST_EVENT_GET_B: {
351 struct ec_response_host_event_mask *resp = resp_data;
352
353 resp->mask = 0;
354 if (ec->recovery_req) {
355 resp->mask |= EC_HOST_EVENT_MASK(
356 EC_HOST_EVENT_KEYBOARD_RECOVERY);
357 }
358
359 len = sizeof(*resp);
360 break;
361 }
362 case EC_CMD_VBOOT_HASH: {
363 const struct ec_params_vboot_hash *req = req_data;
364 struct ec_response_vboot_hash *resp = resp_data;
365 struct fmap_entry *entry;
366 int ret, size;
367
368 entry = &ec->ec_config.region[EC_FLASH_REGION_RW];
369
370 switch (req->cmd) {
371 case EC_VBOOT_HASH_RECALC:
372 case EC_VBOOT_HASH_GET:
373 size = SHA256_SUM_LEN;
374 len = get_image_used(ec, entry);
375 ret = hash_block("sha256",
376 ec->flash_data + entry->offset,
377 len, resp->hash_digest, &size);
378 if (ret) {
379 printf(" ** hash_block() failed\n");
380 return -1;
381 }
382 resp->status = EC_VBOOT_HASH_STATUS_DONE;
383 resp->hash_type = EC_VBOOT_HASH_TYPE_SHA256;
384 resp->digest_size = size;
385 resp->reserved0 = 0;
386 resp->offset = entry->offset;
387 resp->size = len;
388 len = sizeof(*resp);
389 break;
390 default:
391 printf(" ** EC_CMD_VBOOT_HASH: Unknown command %d\n",
392 req->cmd);
393 return -1;
394 }
395 break;
396 }
397 case EC_CMD_FLASH_PROTECT: {
398 const struct ec_params_flash_protect *req = req_data;
399 struct ec_response_flash_protect *resp = resp_data;
400 uint32_t expect = EC_FLASH_PROTECT_ALL_NOW |
401 EC_FLASH_PROTECT_ALL_AT_BOOT;
402
403 printf("mask=%#x, flags=%#x\n", req->mask, req->flags);
404 if (req->flags == expect || req->flags == 0) {
405 resp->flags = req->flags ? EC_FLASH_PROTECT_ALL_NOW :
406 0;
407 resp->valid_flags = EC_FLASH_PROTECT_ALL_NOW;
408 resp->writable_flags = 0;
409 len = sizeof(*resp);
410 } else {
411 puts(" ** unexpected flash protect request\n");
412 return -1;
413 }
414 break;
415 }
416 case EC_CMD_FLASH_REGION_INFO: {
417 const struct ec_params_flash_region_info *req = req_data;
418 struct ec_response_flash_region_info *resp = resp_data;
419 struct fmap_entry *entry;
420
421 switch (req->region) {
422 case EC_FLASH_REGION_RO:
423 case EC_FLASH_REGION_RW:
424 case EC_FLASH_REGION_WP_RO:
425 entry = &ec->ec_config.region[req->region];
426 resp->offset = entry->offset;
427 resp->size = entry->length;
428 len = sizeof(*resp);
429 printf("EC flash region %d: offset=%#x, size=%#x\n",
430 req->region, resp->offset, resp->size);
431 break;
432 default:
433 printf("** Unknown flash region %d\n", req->region);
434 return -1;
435 }
436 break;
437 }
438 case EC_CMD_FLASH_ERASE: {
439 const struct ec_params_flash_erase *req = req_data;
440
441 memset(ec->flash_data + req->offset,
442 ec->ec_config.flash_erase_value,
443 req->size);
444 len = 0;
445 break;
446 }
447 case EC_CMD_FLASH_WRITE: {
448 const struct ec_params_flash_write *req = req_data;
449
450 memcpy(ec->flash_data + req->offset, req + 1, req->size);
451 len = 0;
452 break;
453 }
454 case EC_CMD_MKBP_STATE:
455 len = cros_ec_keyscan(ec, resp_data);
456 break;
457 case EC_CMD_ENTERING_MODE:
458 len = 0;
459 break;
460 default:
461 printf(" ** Unknown EC command %#02x\n", req_hdr->command);
462 return -1;
463 }
464
465 return len;
466 }
467
cros_ec_sandbox_packet(struct udevice * udev,int out_bytes,int in_bytes)468 int cros_ec_sandbox_packet(struct udevice *udev, int out_bytes, int in_bytes)
469 {
470 struct cros_ec_dev *dev = dev_get_uclass_priv(udev);
471 struct ec_state *ec = dev_get_priv(dev->dev);
472 struct ec_host_request *req_hdr = (struct ec_host_request *)dev->dout;
473 const void *req_data = req_hdr + 1;
474 struct ec_host_response *resp_hdr = (struct ec_host_response *)dev->din;
475 void *resp_data = resp_hdr + 1;
476 int len;
477
478 len = process_cmd(ec, req_hdr, req_data, resp_hdr, resp_data);
479 if (len < 0)
480 return len;
481
482 resp_hdr->struct_version = 3;
483 resp_hdr->result = EC_RES_SUCCESS;
484 resp_hdr->data_len = len;
485 resp_hdr->reserved = 0;
486 len += sizeof(*resp_hdr);
487 resp_hdr->checksum = 0;
488 resp_hdr->checksum = (uint8_t)
489 -cros_ec_calc_checksum((const uint8_t *)resp_hdr, len);
490
491 return in_bytes;
492 }
493
cros_ec_check_keyboard(struct cros_ec_dev * dev)494 void cros_ec_check_keyboard(struct cros_ec_dev *dev)
495 {
496 struct ec_state *ec = dev_get_priv(dev->dev);
497 ulong start;
498
499 printf("Press keys for EC to detect on reset (ESC=recovery)...");
500 start = get_timer(0);
501 while (get_timer(start) < 1000)
502 ;
503 putc('\n');
504 if (!sandbox_sdl_key_pressed(KEY_ESC)) {
505 ec->recovery_req = true;
506 printf(" - EC requests recovery\n");
507 }
508 }
509
cros_ec_probe(struct udevice * dev)510 int cros_ec_probe(struct udevice *dev)
511 {
512 struct ec_state *ec = dev->priv;
513 struct cros_ec_dev *cdev = dev->uclass_priv;
514 struct udevice *keyb_dev;
515 ofnode node;
516 int err;
517
518 memcpy(ec, &s_state, sizeof(*ec));
519 err = cros_ec_decode_ec_flash(dev, &ec->ec_config);
520 if (err) {
521 debug("%s: Cannot device EC flash\n", __func__);
522 return err;
523 }
524
525 node = ofnode_null();
526 for (device_find_first_child(dev, &keyb_dev);
527 keyb_dev;
528 device_find_next_child(&keyb_dev)) {
529 if (device_get_uclass_id(keyb_dev) == UCLASS_KEYBOARD) {
530 node = dev_ofnode(keyb_dev);
531 break;
532 }
533 }
534 if (!ofnode_valid(node)) {
535 debug("%s: No cros_ec keyboard found\n", __func__);
536 } else if (keyscan_read_fdt_matrix(ec, node)) {
537 debug("%s: Could not read key matrix\n", __func__);
538 return -1;
539 }
540
541 /* If we loaded EC data, check that the length matches */
542 if (ec->flash_data &&
543 ec->flash_data_len != ec->ec_config.flash.length) {
544 printf("EC data length is %x, expected %x, discarding data\n",
545 ec->flash_data_len, ec->ec_config.flash.length);
546 os_free(ec->flash_data);
547 ec->flash_data = NULL;
548 }
549
550 /* Otherwise allocate the memory */
551 if (!ec->flash_data) {
552 ec->flash_data_len = ec->ec_config.flash.length;
553 ec->flash_data = os_malloc(ec->flash_data_len);
554 if (!ec->flash_data)
555 return -ENOMEM;
556 }
557
558 cdev->dev = dev;
559 g_state = ec;
560 return cros_ec_register(dev);
561 }
562
563 struct dm_cros_ec_ops cros_ec_ops = {
564 .packet = cros_ec_sandbox_packet,
565 };
566
567 static const struct udevice_id cros_ec_ids[] = {
568 { .compatible = "google,cros-ec-sandbox" },
569 { }
570 };
571
572 U_BOOT_DRIVER(cros_ec_sandbox) = {
573 .name = "cros_ec_sandbox",
574 .id = UCLASS_CROS_EC,
575 .of_match = cros_ec_ids,
576 .probe = cros_ec_probe,
577 .priv_auto_alloc_size = sizeof(struct ec_state),
578 .ops = &cros_ec_ops,
579 };
580