| /* Copyright 2017 The Chromium OS Authors. All rights reserved. |
| * Use of this source code is governed by a BSD-style license that can be |
| * found in the LICENSE file. |
| */ |
| /* Flash memory module for STM32L4 family */ |
| |
| #include "common.h" |
| #include "clock.h" |
| #include "flash.h" |
| #include "hooks.h" |
| #include "registers.h" |
| #include "panic.h" |
| #include "system.h" |
| #include "task.h" |
| #include "timer.h" |
| #include "util.h" |
| #include "watchdog.h" |
| |
| /* |
| * Approximate number of CPU cycles per iteration of the loop when polling |
| * the flash status |
| */ |
| #define CYCLE_PER_FLASH_LOOP 10 |
| |
| /* Flash page programming timeout. This is 2x the datasheet max. */ |
| #define FLASH_TIMEOUT_US 48000 |
| |
| static inline int calculate_flash_timeout(void) |
| { |
| return (FLASH_TIMEOUT_US * |
| (clock_get_freq() / SECOND) / CYCLE_PER_FLASH_LOOP); |
| } |
| |
| static int wait_while_busy(void) |
| { |
| int timeout = calculate_flash_timeout(); |
| |
| while (STM32_FLASH_SR & FLASH_SR_BUSY && timeout-- > 0) |
| ; |
| return (timeout > 0) ? EC_SUCCESS : EC_ERROR_TIMEOUT; |
| } |
| |
| static int unlock(int locks) |
| { |
| /* |
| * We may have already locked the flash module and get a bus fault |
| * in the attempt to unlock. Need to disable bus fault handler now. |
| */ |
| ignore_bus_fault(1); |
| |
| /* unlock CR if needed */ |
| if (STM32_FLASH_CR & FLASH_CR_LOCK) { |
| STM32_FLASH_KEYR = FLASH_KEYR_KEY1; |
| STM32_FLASH_KEYR = FLASH_KEYR_KEY2; |
| } |
| /* unlock option memory if required */ |
| if ((locks & FLASH_CR_OPTLOCK) && |
| (STM32_FLASH_CR & FLASH_CR_OPTLOCK)) { |
| STM32_FLASH_OPTKEYR = FLASH_OPTKEYR_KEY1; |
| STM32_FLASH_OPTKEYR = FLASH_OPTKEYR_KEY2; |
| } |
| |
| /* Re-enable bus fault handler */ |
| ignore_bus_fault(0); |
| |
| return (STM32_FLASH_CR & (locks | FLASH_CR_LOCK)) ? EC_ERROR_UNKNOWN |
| : EC_SUCCESS; |
| } |
| |
| static void lock(void) |
| { |
| STM32_FLASH_CR = FLASH_CR_LOCK; |
| } |
| |
| /* |
| * Option byte organization |
| * |
| * [63:56][55:48][47:40][39:32] [31:24][23:16][15: 8][ 7: 0] |
| * +--------------+-------------------+------+ +-------------------+------+ |
| * | 0x1FFF7800 | nUSER | nRDP | | USER | RDP | |
| * +--------------+------------+------+------+ +------------+------+------+ |
| * | 0x1FFF7808 | | nPCROP1_STRT| | | PCROP1_STRT | |
| * +--------------+------------+-------------+ +------------+-------------+ |
| * | 0x1FFF7810 | | nPCROP1_END | | | PCROP1_END | |
| * +--------------+------------+-------------+ +------------+-------------+ |
| * | 0x1FFF7818 | |nWRP1A| |nWRP1A| | | WRP1A| | WRP1A| |
| * | | |_END | |_STRT | | | _END | | _STRT| |
| * +--------------+------------+-------------+ +------------+-------------+ |
| * | 0x1FFF7820 | |nWRP1B| |nWRP1B| | | WRP1B| | WRP1B| |
| * | | |_END | |_STRT | | | _END | | _STRT| |
| * +--------------+------------+-------------+ +------------+-------------+ |
| * |
| * Note that the variable with n prefix means the complement. |
| */ |
| static int unlock_optb(void) |
| { |
| int rv; |
| |
| rv = wait_while_busy(); |
| if (rv) |
| return rv; |
| |
| rv = unlock(FLASH_CR_OPTLOCK); |
| if (rv) |
| return rv; |
| |
| return EC_SUCCESS; |
| } |
| |
| static int commit_optb(void) |
| { |
| int rv; |
| |
| STM32_FLASH_CR |= FLASH_CR_OPTSTRT; |
| |
| rv = wait_while_busy(); |
| if (rv) |
| return rv; |
| lock(); |
| |
| return EC_SUCCESS; |
| } |
| |
| static void unprotect_all_blocks(void) |
| { |
| unlock_optb(); |
| STM32_FLASH_WRP1AR = FLASH_WRP_RANGE_DISABLED; |
| STM32_FLASH_WRP1BR = FLASH_WRP_RANGE_DISABLED; |
| commit_optb(); |
| } |
| |
| int flash_physical_protect_at_boot(uint32_t new_flags) |
| { |
| uint32_t ro_range = FLASH_WRP_RANGE_DISABLED; |
| uint32_t rb_rw_range = FLASH_WRP_RANGE_DISABLED; |
| /* |
| * WRP1AR is storing the write-protection range for the RO region. |
| * WRP1BR is storing the write-protection range for the |
| * rollback and RW regions. |
| */ |
| if (new_flags & (EC_FLASH_PROTECT_ALL_AT_BOOT | |
| EC_FLASH_PROTECT_RO_AT_BOOT)) |
| ro_range = FLASH_WRP_RANGE(WP_BANK_OFFSET, |
| WP_BANK_OFFSET + WP_BANK_COUNT); |
| |
| if (new_flags & EC_FLASH_PROTECT_ALL_AT_BOOT) { |
| rb_rw_range = FLASH_WRP_RANGE(WP_BANK_OFFSET + WP_BANK_COUNT, |
| PHYSICAL_BANKS); |
| } else { |
| uint8_t strt = WP_BANK_OFFSET + WP_BANK_COUNT; |
| uint8_t end = FLASH_WRP_END(FLASH_WRP_RANGE_DISABLED); |
| #ifdef CONFIG_ROLLBACK |
| if (new_flags & EC_FLASH_PROTECT_ROLLBACK_AT_BOOT) { |
| strt = ROLLBACK_BANK_OFFSET; |
| end = ROLLBACK_BANK_OFFSET + ROLLBACK_BANK_COUNT; |
| } else { |
| strt = ROLLBACK_BANK_OFFSET + ROLLBACK_BANK_COUNT; |
| } |
| #endif /* !CONFIG_ROLLBACK */ |
| #ifdef CONFIG_FLASH_PROTECT_RW |
| if (new_flags & EC_FLASH_PROTECT_RW_AT_BOOT) |
| end = PHYSICAL_BANKS; |
| #endif /* CONFIG_FLASH_PROTECT_RW */ |
| |
| if (end != FLASH_WRP_END(FLASH_WRP_RANGE_DISABLED)) |
| rb_rw_range = FLASH_WRP_RANGE(strt, end); |
| } |
| |
| unlock_optb(); |
| #ifdef CONFIG_WP_ALWAYS |
| /* |
| * Set a permanent protection by increasing RDP to level 1, |
| * trying to unprotected the flash will trigger a full erase. |
| */ |
| STM32_FLASH_OPTR = (STM32_FLASH_OPTR & ~0xff) | 0x11; |
| #endif |
| STM32_FLASH_WRP1AR = ro_range; |
| STM32_FLASH_WRP1BR = rb_rw_range; |
| commit_optb(); |
| |
| return EC_SUCCESS; |
| } |
| |
| /** |
| * Check if write protect register state is inconsistent with RO_AT_BOOT and |
| * ALL_AT_BOOT state. |
| * |
| * @return zero if consistent, non-zero if inconsistent. |
| */ |
| static int registers_need_reset(void) |
| { |
| uint32_t flags = flash_get_protect(); |
| int ro_at_boot = (flags & EC_FLASH_PROTECT_RO_AT_BOOT) ? 1 : 0; |
| /* |
| * The RO region is write-protected by the WRP1AR range, |
| * it starts at page WP_BANK_OFFSET for WP_BANK_COUNT pages. |
| */ |
| uint32_t wrp1ar = STM32_OPTB_WRP1AR; |
| uint32_t ro_range = ro_at_boot ? |
| FLASH_WRP_RANGE(WP_BANK_OFFSET, WP_BANK_OFFSET + WP_BANK_COUNT) |
| : FLASH_WRP_RANGE_DISABLED; |
| |
| return ro_range != (wrp1ar & FLASH_WRP_MASK); |
| } |
| |
| /*****************************************************************************/ |
| /* Physical layer APIs */ |
| |
| int flash_physical_write(int offset, int size, const char *data) |
| { |
| uint32_t *address = (void *)(CONFIG_PROGRAM_MEMORY_BASE + offset); |
| int res = EC_SUCCESS; |
| int timeout = calculate_flash_timeout(); |
| int i; |
| int unaligned = (uint32_t)data & (CONFIG_FLASH_WRITE_SIZE - 1); |
| uint32_t *data32 = (void *)data; |
| |
| if (unlock(FLASH_CR_LOCK) != EC_SUCCESS) |
| return EC_ERROR_UNKNOWN; |
| |
| /* Clear previous error status */ |
| STM32_FLASH_SR = FLASH_SR_ERR_MASK; |
| |
| /* set PG bit */ |
| STM32_FLASH_CR |= FLASH_CR_PG; |
| |
| for (; size > 0; size -= CONFIG_FLASH_WRITE_SIZE) { |
| /* |
| * Reload the watchdog timer to avoid watchdog reset when doing |
| * long writing. |
| */ |
| watchdog_reload(); |
| |
| /* wait to be ready */ |
| for (i = 0; (STM32_FLASH_SR & FLASH_SR_BUSY) && (i < timeout); |
| i++) |
| ; |
| if (STM32_FLASH_SR & FLASH_SR_BUSY) { |
| res = EC_ERROR_TIMEOUT; |
| goto exit_wr; |
| } |
| |
| /* write the 2 words */ |
| if (unaligned) { |
| *address++ = (uint32_t)data[0] | (data[1] << 8) |
| | (data[2] << 16) | (data[3] << 24); |
| *address++ = (uint32_t)data[4] | (data[5] << 8) |
| | (data[6] << 16) | (data[7] << 24); |
| data += CONFIG_FLASH_WRITE_SIZE; |
| } else { |
| *address++ = *data32++; |
| *address++ = *data32++; |
| } |
| |
| /* Wait for writes to complete */ |
| for (i = 0; (STM32_FLASH_SR & FLASH_SR_BUSY) && (i < timeout); |
| i++) |
| ; |
| |
| if (STM32_FLASH_SR & FLASH_SR_BUSY) { |
| res = EC_ERROR_TIMEOUT; |
| goto exit_wr; |
| } |
| |
| /* |
| * Check for error conditions - erase failed, voltage error, |
| * protection error. |
| */ |
| if (STM32_FLASH_SR & FLASH_SR_ERR_MASK) { |
| res = EC_ERROR_UNKNOWN; |
| goto exit_wr; |
| } |
| } |
| |
| exit_wr: |
| /* Disable PG bit */ |
| STM32_FLASH_CR &= ~FLASH_CR_PG; |
| |
| lock(); |
| |
| return res; |
| } |
| |
| int flash_physical_erase(int offset, int size) |
| { |
| int res = EC_SUCCESS; |
| int pg; |
| int last; |
| |
| if (unlock(FLASH_CR_LOCK) != EC_SUCCESS) |
| return EC_ERROR_UNKNOWN; |
| |
| /* Clear previous error status */ |
| STM32_FLASH_SR = FLASH_SR_ERR_MASK; |
| |
| last = (offset + size) / CONFIG_FLASH_ERASE_SIZE; |
| for (pg = offset / CONFIG_FLASH_ERASE_SIZE; pg < last; pg++) { |
| timestamp_t deadline; |
| |
| /* select page to erase and PER bit */ |
| STM32_FLASH_CR = (STM32_FLASH_CR & ~FLASH_CR_PNB_MASK) |
| | FLASH_CR_PER | FLASH_CR_PNB(pg); |
| |
| /* set STRT bit : start erase */ |
| STM32_FLASH_CR |= FLASH_CR_STRT; |
| |
| /* |
| * Reload the watchdog timer to avoid watchdog reset during a |
| * long erase operation. |
| */ |
| watchdog_reload(); |
| |
| deadline.val = get_time().val + FLASH_TIMEOUT_US; |
| /* Wait for erase to complete */ |
| while ((STM32_FLASH_SR & FLASH_SR_BUSY) && |
| (get_time().val < deadline.val)) { |
| usleep(300); |
| } |
| if (STM32_FLASH_SR & FLASH_SR_BUSY) { |
| res = EC_ERROR_TIMEOUT; |
| goto exit_er; |
| } |
| |
| /* |
| * Check for error conditions - erase failed, voltage error, |
| * protection error |
| */ |
| if (STM32_FLASH_SR & FLASH_SR_ERR_MASK) { |
| res = EC_ERROR_UNKNOWN; |
| goto exit_er; |
| } |
| } |
| |
| exit_er: |
| /* reset PER bit */ |
| STM32_FLASH_CR &= ~(FLASH_CR_PER | FLASH_CR_PNB_MASK); |
| |
| lock(); |
| |
| return res; |
| } |
| |
| int flash_physical_get_protect(int block) |
| { |
| uint32_t wrp1ar = STM32_FLASH_WRP1AR; |
| uint32_t wrp1br = STM32_FLASH_WRP1BR; |
| |
| return ((block >= FLASH_WRP_START(wrp1ar)) && |
| (block < FLASH_WRP_END(wrp1ar))) || |
| ((block >= FLASH_WRP_START(wrp1br)) && |
| (block < FLASH_WRP_END(wrp1br))); |
| } |
| |
| /* |
| * Note: This does not need to update _NOW flags, as get_protect_flags |
| * in common code already does so. |
| */ |
| uint32_t flash_physical_get_protect_flags(void) |
| { |
| uint32_t flags = 0; |
| uint32_t wrp1ar = STM32_OPTB_WRP1AR; |
| uint32_t wrp1br = STM32_OPTB_WRP1BR; |
| |
| /* RO region protection range is in WRP1AR range */ |
| if (wrp1ar == FLASH_WRP_RANGE(WP_BANK_OFFSET, |
| WP_BANK_OFFSET + WP_BANK_COUNT)) |
| flags |= EC_FLASH_PROTECT_RO_AT_BOOT; |
| /* Rollback and RW regions protection range is in WRP1BR range */ |
| if (wrp1br != FLASH_WRP_RANGE_DISABLED) { |
| int end = FLASH_WRP_END(wrp1br); |
| int strt = FLASH_WRP_START(wrp1br); |
| |
| #ifdef CONFIG_ROLLBACK |
| if (strt <= ROLLBACK_BANK_OFFSET && |
| end >= ROLLBACK_BANK_OFFSET + ROLLBACK_BANK_COUNT) |
| flags |= EC_FLASH_PROTECT_ROLLBACK_AT_BOOT; |
| #endif /* CONFIG_ROLLBACK */ |
| #ifdef CONFIG_FLASH_PROTECT_RW |
| if (end == PHYSICAL_BANKS) |
| flags |= EC_FLASH_PROTECT_RW_AT_BOOT; |
| #endif /* CONFIG_FLASH_PROTECT_RW */ |
| if (end == PHYSICAL_BANKS && |
| strt == WP_BANK_OFFSET + WP_BANK_COUNT && |
| flags & EC_FLASH_PROTECT_RO_AT_BOOT) |
| flags |= EC_FLASH_PROTECT_ALL_AT_BOOT; |
| } |
| |
| return flags; |
| } |
| |
| int flash_physical_protect_now(int all) |
| { |
| return EC_ERROR_INVAL; |
| } |
| |
| uint32_t flash_physical_get_valid_flags(void) |
| { |
| return EC_FLASH_PROTECT_RO_AT_BOOT | |
| EC_FLASH_PROTECT_RO_NOW | |
| #ifdef CONFIG_FLASH_PROTECT_RW |
| EC_FLASH_PROTECT_RW_AT_BOOT | |
| EC_FLASH_PROTECT_RW_NOW | |
| #endif |
| #ifdef CONFIG_ROLLBACK |
| EC_FLASH_PROTECT_ROLLBACK_AT_BOOT | |
| EC_FLASH_PROTECT_ROLLBACK_NOW | |
| #endif |
| EC_FLASH_PROTECT_ALL_AT_BOOT | |
| EC_FLASH_PROTECT_ALL_NOW; |
| } |
| |
| uint32_t flash_physical_get_writable_flags(uint32_t cur_flags) |
| { |
| uint32_t ret = 0; |
| |
| /* If RO protection isn't enabled, its at-boot state can be changed. */ |
| if (!(cur_flags & EC_FLASH_PROTECT_RO_NOW)) |
| ret |= EC_FLASH_PROTECT_RO_AT_BOOT; |
| |
| /* |
| * ALL/RW at-boot state can be set if WP GPIO is asserted and can always |
| * be cleared. |
| */ |
| if (cur_flags & (EC_FLASH_PROTECT_ALL_AT_BOOT | |
| EC_FLASH_PROTECT_GPIO_ASSERTED)) |
| ret |= EC_FLASH_PROTECT_ALL_AT_BOOT; |
| |
| #ifdef CONFIG_FLASH_PROTECT_RW |
| if (cur_flags & (EC_FLASH_PROTECT_RW_AT_BOOT | |
| EC_FLASH_PROTECT_GPIO_ASSERTED)) |
| ret |= EC_FLASH_PROTECT_RW_AT_BOOT; |
| #endif |
| |
| #ifdef CONFIG_ROLLBACK |
| if (cur_flags & (EC_FLASH_PROTECT_ROLLBACK_AT_BOOT | |
| EC_FLASH_PROTECT_GPIO_ASSERTED)) |
| ret |= EC_FLASH_PROTECT_ROLLBACK_AT_BOOT; |
| #endif |
| |
| return ret; |
| } |
| |
| int flash_pre_init(void) |
| { |
| uint32_t reset_flags = system_get_reset_flags(); |
| uint32_t prot_flags = flash_get_protect(); |
| int need_reset = 0; |
| |
| /* |
| * If we have already jumped between images, an earlier image could |
| * have applied write protection. Nothing additional needs to be done. |
| */ |
| if (reset_flags & RESET_FLAG_SYSJUMP) |
| return EC_SUCCESS; |
| |
| if (prot_flags & EC_FLASH_PROTECT_GPIO_ASSERTED) { |
| if ((prot_flags & EC_FLASH_PROTECT_RO_AT_BOOT) && |
| !(prot_flags & EC_FLASH_PROTECT_RO_NOW)) { |
| /* |
| * Pstate wants RO protected at boot, but the write |
| * protect register wasn't set to protect it. Force an |
| * update to the write protect register and reboot so |
| * it takes effect. |
| */ |
| flash_physical_protect_at_boot( |
| EC_FLASH_PROTECT_RO_AT_BOOT); |
| need_reset = 1; |
| } |
| |
| if (registers_need_reset()) { |
| /* |
| * Write protect register was in an inconsistent state. |
| * Set it back to a good state and reboot. |
| * |
| * TODO(crosbug.com/p/23798): this seems really similar |
| * to the check above. One of them should be able to |
| * go away. |
| */ |
| flash_protect_at_boot( |
| prot_flags & EC_FLASH_PROTECT_RO_AT_BOOT); |
| need_reset = 1; |
| } |
| } else { |
| if (prot_flags & EC_FLASH_PROTECT_RO_NOW) { |
| /* |
| * Write protect pin unasserted but some section is |
| * protected. Drop it and reboot. |
| */ |
| unprotect_all_blocks(); |
| need_reset = 1; |
| } |
| } |
| |
| if ((flash_physical_get_valid_flags() & EC_FLASH_PROTECT_ALL_AT_BOOT) && |
| (!!(prot_flags & EC_FLASH_PROTECT_ALL_AT_BOOT) != |
| !!(prot_flags & EC_FLASH_PROTECT_ALL_NOW))) { |
| /* |
| * ALL_AT_BOOT and ALL_NOW should be both set or both unset |
| * at boot. If they are not, it must be that the chip requires |
| * OBL_LAUNCH to be set to reload option bytes. Let's reset |
| * the system with OBL_LAUNCH set. |
| * This assumes OBL_LAUNCH is used for hard reset in |
| * chip/stm32/system.c. |
| */ |
| need_reset = 1; |
| } |
| |
| #ifdef CONFIG_FLASH_PROTECT_RW |
| if ((flash_physical_get_valid_flags() & EC_FLASH_PROTECT_RW_AT_BOOT) && |
| (!!(prot_flags & EC_FLASH_PROTECT_RW_AT_BOOT) != |
| !!(prot_flags & EC_FLASH_PROTECT_RW_NOW))) { |
| /* RW_AT_BOOT and RW_NOW do not match. */ |
| need_reset = 1; |
| } |
| #endif |
| |
| #ifdef CONFIG_ROLLBACK |
| if ((flash_physical_get_valid_flags() & |
| EC_FLASH_PROTECT_ROLLBACK_AT_BOOT) && |
| (!!(prot_flags & EC_FLASH_PROTECT_ROLLBACK_AT_BOOT) != |
| !!(prot_flags & EC_FLASH_PROTECT_ROLLBACK_NOW))) { |
| /* ROLLBACK_AT_BOOT and ROLLBACK_NOW do not match. */ |
| need_reset = 1; |
| } |
| #endif |
| |
| if (need_reset) |
| system_reset(SYSTEM_RESET_HARD | SYSTEM_RESET_PRESERVE_FLAGS); |
| |
| return EC_SUCCESS; |
| } |