int system_run_image_copy(enum system_image_copy_t copy)
{
uintptr_t base;
uintptr_t init_addr;
/* If system is already running the requested image, done */
if (system_get_image_copy() == copy)
return EC_SUCCESS;
if (system_is_locked()) {
/* System is locked, so disallow jumping between images unless
* this is the initial jump from RO to RW code. */
/* Must currently be running the RO image */
if (system_get_image_copy() != SYSTEM_IMAGE_RO)
return EC_ERROR_ACCESS_DENIED;
/* Target image must be RW image */
if (copy != SYSTEM_IMAGE_RW)
return EC_ERROR_ACCESS_DENIED;
/* Jumping must still be enabled */
if (disable_jump)
return EC_ERROR_ACCESS_DENIED;
}
/* Load the appropriate reset vector */
base = get_base(copy);
if (base == 0xffffffff)
return EC_ERROR_INVAL;
/* TODO: (ML) jump to little FW for code ram architecture */
#ifdef CONFIG_CODERAM_ARCH
init_addr = system_get_lfw_address(base);
#else
/* Make sure the reset vector is inside the destination image */
init_addr = *(uintptr_t *)(base + 4);
#ifndef EMU_BUILD
if (init_addr < base || init_addr >= base + get_size(copy))
return EC_ERROR_UNKNOWN;
#endif
#endif
CPRINTS("Jumping to image %s", system_image_copy_t_to_string(copy));
jump_to_image(init_addr);
/* Should never get here */
return EC_ERROR_UNKNOWN;
}
static int command_sysjump(int argc, char **argv)
{
uint32_t addr;
char *e;
if (argc < 2)
return EC_ERROR_PARAM_COUNT;
/* Handle named images */
if (!strcasecmp(argv[1], "RO"))
return system_run_image_copy(SYSTEM_IMAGE_RO);
else if (!strcasecmp(argv[1], "RW") || !strcasecmp(argv[1], "A")) {
/*
* TODO(crosbug.com/p/11149): remove "A" once all scripts are
* updated to use "RW".
*/
return system_run_image_copy(SYSTEM_IMAGE_RW);
} else if (!strcasecmp(argv[1], "disable")) {
system_disable_jump();
return EC_SUCCESS;
}
/* Arbitrary jumps are only allowed on an unlocked system */
if (system_is_locked())
return EC_ERROR_ACCESS_DENIED;
/* Check for arbitrary address */
addr = strtoi(argv[1], &e, 0);
if (*e)
return EC_ERROR_PARAM1;
ccprintf("Jumping to 0x%08x\n", addr);
cflush();
jump_to_image(addr);
return EC_SUCCESS;
}
/**
* @brief Stage 2 loader "C" entry point. Started from Stage 1
* bootloader. Primary function is to load, validate, and start
* executing a stage 3 image. Also will (when fully implemented)
* perform startup negotiations with AP, cryptographic initialzations
* and tests, module authentication, flash update, and other housekeeping.
* Image load and validation are essntially identical to the crresponding
* functions in stage 1, although different keys are used for signature
* validation.
*
* @param none
*
* @returns Nothing. Will launch/restart image if successful, halt if not.
*/
void bootrom_main(void) {
int rc;
/* TA-20 R/W data in bufRAM */
uint32_t boot_status = INIT_STATUS_OPERATING;
bool boot_from_spi = true;
bool fallback_boot_unipro = false;
uint32_t is_secure_image;
secondstage_cfgdata *cfgdata;
chip_init();
dbginit();
/* Ensure that we start each boot with an assumption of success */
init_last_error();
crypto_init();
dbgprint("\nHello world from s2fw\n");
if (!get_2ndstage_cfgdata(&cfgdata)) {
dbgprint("found valid config data\n");
if (cfgdata->use_fake_ims) {
/**
* We don't really need to handle all the efuses as boot ROM
* does. But we do want to update the EPUID according to the
* fake IMS. And the rest of the efuse handling do no harm
* anyway.
*/
if (efuse_init() != 0) {
halt_and_catch_fire(boot_status);
}
}
}
uint8_t ims[TSB_ISAA_NUM_IMS_BYTES];
tsb_get_ims(ims, TSB_ISAA_NUM_IMS_BYTES);
key_generation(ims);
chip_unipro_init();
boot_control(&boot_from_spi);
/* Advertise our boot status */
chip_advertise_boot_status(boot_status);
/* Advertise our initialization type */
rc = chip_advertise_boot_type();
if (rc) {
halt_and_catch_fire(boot_status);
}
if (boot_from_spi) {
dbgprint("Boot from SPIROM\n");
spi_ops.init();
/**
* Call locate_ffff_element_on_storage to locate next stage FW.
* Do not care about the image length here so pass NULL.
*/
if (locate_ffff_element_on_storage(&spi_ops,
FFFF_ELEMENT_STAGE_3_FW,
NULL) == 0) {
boot_status = INIT_STATUS_SPI_BOOT_STARTED;
chip_advertise_boot_status(boot_status);
if (!load_tftf_image(&spi_ops, &is_secure_image)) {
spi_ops.finish(true, is_secure_image);
if (is_secure_image) {
boot_status = INIT_STATUS_TRUSTED_SPI_FLASH_BOOT_FINISHED;
dbgprintx32("SPI Trusted: (",
merge_errno_with_boot_status(boot_status),
")\n");
} else {
boot_status = INIT_STATUS_UNTRUSTED_SPI_FLASH_BOOT_FINISHED;
dbgprintx32("SPI Untrusted: (",
merge_errno_with_boot_status(boot_status),
")\n");
/*
* Disable IMS, CMS access before starting untrusted image.
* NB. JTAG continues to be not enabled at this point
*/
efuse_rig_for_untrusted();
}
/* Log that we're starting the boot-from-SPIROM */
chip_advertise_boot_status(merge_errno_with_boot_status(boot_status));
/* TA-16 jump to SPI code (BOOTRET_o = 0 && SPIBOOT_N = 0) */
jump_to_image();
}
}
spi_ops.finish(false, false);
/* Fallback to UniPro boot */
boot_from_spi = false;
fallback_boot_unipro = true;
chip_clear_image_loading_ram();
} else {
/* (Not boot-from-spi, */
fallback_boot_unipro = false;
}
if (greybus_init()) {
set_last_error(BRE_BOU_GBCTRL_CPORT);
halt_and_catch_fire(boot_status);
}
/* Boot-Over-UniPro...
* We get here if directed to do so by the bootselector, or as a fallback
* for a failed SPIROM boot.
*/
if (!boot_from_spi) {
/* Boot over Unipro */
if (fallback_boot_unipro) {
boot_status = merge_errno_with_boot_status(
INIT_STATUS_FALLLBACK_UNIPRO_BOOT_STARTED);
dbgprintx32("Spi boot failed (", boot_status, "), ");
} else {
boot_status = INIT_STATUS_UNIPRO_BOOT_STARTED;
}
chip_advertise_boot_status(boot_status);
dbgprintx32("Boot over UniPro (",
merge_errno_with_boot_status(boot_status),
")\n");
advertise_ready();
#if RUN_SPI_TEST
spi_gb_init();
dbgprint("Running in loop to perform as SPI over Greybus\n");
while (1) {
if (greybus_loop()) {
dbgprint("ERROR in greuybus loop\n");
halt_and_catch_fire(boot_status);
}
}
#endif
dbgprint("Ready-poked; download-ready\n");
if (greybus_ops.init() != 0) {
halt_and_catch_fire(boot_status);
}
if (!load_tftf_image(&greybus_ops, &is_secure_image)) {
if (greybus_ops.finish(true, is_secure_image) != 0) {
halt_and_catch_fire(boot_status);
}
if (is_secure_image) {
boot_status = fallback_boot_unipro ?
INIT_STATUS_FALLLBACK_TRUSTED_UNIPRO_BOOT_FINISHED :
INIT_STATUS_TRUSTED_UNIPRO_BOOT_FINISHED;
dbgprintx32("UP Trusted: (",
merge_errno_with_boot_status(boot_status),
")\n");
} else {
boot_status = fallback_boot_unipro ?
INIT_STATUS_FALLLBACK_UNTRUSTED_UNIPRO_BOOT_FINISHED :
INIT_STATUS_UNTRUSTED_UNIPRO_BOOT_FINISHED;
dbgprintx32("UP Trusted: (",
merge_errno_with_boot_status(boot_status),
")\n");
/*
* Disable IMS, CMS access before starting
* untrusted image
* NB. JTAG continues to be not enabled at this point
*/
efuse_rig_for_untrusted();
}
/* Log that we're starting the boot-from-UniPro */
chip_advertise_boot_status(boot_status);
/* TA-17 jump to Workram code (BOOTRET_o = 0 && SPIM_BOOT_N = 1) */
jump_to_image();
}
if (greybus_ops.finish(false, is_secure_image) != 0) {
halt_and_catch_fire(boot_status);
}
}
/* If we reach here, we didn't find an image to boot - stop while we're
* ahead...
*/
halt_and_catch_fire(boot_status);
}
int system_run_image_copy(enum system_image_copy_t copy)
{
uintptr_t base;
uintptr_t init_addr;
#ifdef CONFIG_REPLACE_LOADER_WITH_BSS_SLOW
uint8_t *buf;
uint32_t offset;
uint32_t bytes_to_load;
int rv;
#endif /* defined(CONFIG_REPLACE_LOADER_WITH_BSS_SLOW) */
/* If system is already running the requested image, done */
if (system_get_image_copy() == copy)
return EC_SUCCESS;
if (system_is_locked()) {
/* System is locked, so disallow jumping between images unless
* this is the initial jump from RO to RW code. */
/* Must currently be running the RO image */
if (system_get_image_copy() != SYSTEM_IMAGE_RO)
return EC_ERROR_ACCESS_DENIED;
/* Target image must be RW image */
if (copy != SYSTEM_IMAGE_RW)
return EC_ERROR_ACCESS_DENIED;
/* Jumping must still be enabled */
if (disable_jump)
return EC_ERROR_ACCESS_DENIED;
}
/* Load the appropriate reset vector */
base = get_program_memory_addr(copy);
if (base == 0xffffffff)
return EC_ERROR_INVAL;
#ifdef CONFIG_EXTERNAL_STORAGE
#ifdef CONFIG_REPLACE_LOADER_WITH_BSS_SLOW
/*
* We've used the region in which the loader resided as data space for
* the .bss.slow section. Therefore, we need to reload the loader from
* the external storage back into program memory so that we can load a
* different image.
*/
buf = (uint8_t *)(CONFIG_PROGRAM_MEMORY_BASE + CONFIG_LOADER_MEM_OFF);
bytes_to_load = CONFIG_LOADER_SIZE;
offset = CONFIG_EC_PROTECTED_STORAGE_OFF + CONFIG_LOADER_STORAGE_OFF;
rv = flash_read(offset, bytes_to_load, buf);
if (rv)
return rv;
#endif /* defined(CONFIG_REPLACE_LOADER_WITH_BSS_SLOW) */
/* Jump to loader */
init_addr = system_get_lfw_address();
system_set_image_copy(copy);
#else
#ifdef CONFIG_FW_RESET_VECTOR
/* Get reset vector */
init_addr = system_get_fw_reset_vector(base);
#else
#if defined(CONFIG_RO_HEAD_ROOM)
/* Skip any head room in the RO image */
if (copy == SYSTEM_IMAGE_RO)
/* Don't change base, though! */
init_addr = *(uintptr_t *)(base + CONFIG_RO_HEAD_ROOM + 4);
else
#endif
init_addr = *(uintptr_t *)(base + 4);
#endif
#ifndef EMU_BUILD
/* Make sure the reset vector is inside the destination image */
if (init_addr < base || init_addr >= base + get_size(copy))
return EC_ERROR_UNKNOWN;
#endif
#endif
CPRINTS("Jumping to image %s", system_image_copy_t_to_string(copy));
jump_to_image(init_addr);
/* Should never get here */
return EC_ERROR_UNKNOWN;
}
