codesigner: Update to haven's tip-of-tree

This version supports dauntless, which we need going forward.

Bug: 119527023, 123093961
Test: rebuilt an image which successfully signed
Signed-off-by: Garret Kelly <gdk@google.com>
Change-Id: I6458ecb46757622e795391d970bebdc0374d2a8e

2 files changed, 94 insertions, 39 deletions

diff --git a/citadel/updater/updater.cpp b/citadel/updater/updater.cpp
index c506327..8a3b3a4 100644
--- a/citadel/updater/updater.cpp
+++ b/citadel/updater/updater.cpp
@@ -529,7 +529,7 @@ static void show_ro_string(const char *name, const uint8_t *ptr)
   hdr = reinterpret_cast<const struct SignedHeader*>(ptr);
   printf("%s:    %d.%d.%d/%08x %s\n", name,
          hdr->epoch_, hdr->major_, hdr->minor_, be32toh(hdr->img_chk_),
-         hdr->magic == MAGIC_VALID ? "ok" : "--");
+         hdr->magic == SIGNED_HEADER_MAGIC_CITADEL ? "ok" : "--");
 }
 
 static void show_rw_string(const char *name, const uint8_t *ptr)
@@ -539,10 +539,11 @@ static void show_rw_string(const char *name, const uint8_t *ptr)
 
   if (v->cookie1 == CROS_EC_VERSION_COOKIE1 &&
       v->cookie2 == CROS_EC_VERSION_COOKIE2 &&
-      (v->hdr.magic == MAGIC_DEFAULT || v->hdr.magic == MAGIC_VALID)) {
+      (v->hdr.magic == SIGNED_HEADER_MAGIC_HAVEN ||
+       v->hdr.magic == SIGNED_HEADER_MAGIC_CITADEL)) {
     printf("%s:    %d.%d.%d/%s %s\n", name,
            v->hdr.epoch_, v->hdr.major_, v->hdr.minor_, v->version,
-           v->hdr.magic == MAGIC_VALID ? "ok" : "--");
+           v->hdr.magic == SIGNED_HEADER_MAGIC_CITADEL ? "ok" : "--");
   } else {
     printf("<invalid>\n");
   }
diff --git a/nugget/include/signed_header.h b/nugget/include/signed_header.h
index 37cae8d..612d22e 100644
--- a/nugget/include/signed_header.h
+++ b/nugget/include/signed_header.h
@@ -1,15 +1,10 @@
-/* Copyright 2017 The Chromium OS Authors. All rights reserved.
+/* Copyright 2015 The Chromium OS Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 #ifndef __EC_UTIL_SIGNER_COMMON_SIGNED_HEADER_H
 #define __EC_UTIL_SIGNER_COMMON_SIGNED_HEADER_H
 
-/* This is citadel */
-#define CHIP_C
-#define MAGIC_DEFAULT (-1u)
-#define MAGIC_VALID  (-2u)
-
 #ifdef __cplusplus
 #include <endian.h>
 #include <stdio.h>
@@ -18,7 +13,6 @@
 
 #include <assert.h>
 #include <inttypes.h>
-#include <stdint.h>
 #include <string.h>
 
 #define FUSE_MAX 128
@@ -26,14 +20,21 @@
 #define FUSE_PADDING 0x55555555
 
 // B chips
-#define FUSE_IGNORE_B 0xa3badaac   // baked in rom!
+#define FUSE_IGNORE_B 0xa3badaac  // baked in rom!
 #define INFO_IGNORE_B 0xaa3c55c3  // baked in rom!
 
 // Citadel chips
-#define FUSE_IGNORE_C 0x3aabadac   // baked in rom!
+#define FUSE_IGNORE_C 0x3aabadac  // baked in rom!
 #define INFO_IGNORE_C 0xa5c35a3c  // baked in rom!
 
-#if defined(CHIP_C)
+// Dauntless chips
+#define FUSE_IGNORE_D 0xdaa3baca  // baked in rom!
+#define INFO_IGNORE_D 0x5a3ca5c3  // baked in rom!
+
+#if defined(CHIP_D)
+#define FUSE_IGNORE FUSE_IGNORE_D
+#define INFO_IGNORE INFO_IGNORE_D
+#elif defined(CHIP_C)
 #define FUSE_IGNORE FUSE_IGNORE_C
 #define INFO_IGNORE INFO_IGNORE_C
 #else
@@ -41,13 +42,17 @@
 #define INFO_IGNORE INFO_IGNORE_B
 #endif
 
+#define SIGNED_HEADER_MAGIC_HAVEN (-1u)
+#define SIGNED_HEADER_MAGIC_CITADEL (-2u)
+#define SIGNED_HEADER_MAGIC_DAUNTLESS (-3u)
+
 /* Default value for _pad[] words */
 #define SIGNED_HEADER_PADDING 0x33333333
 
 typedef struct SignedHeader {
 #ifdef __cplusplus
   SignedHeader()
-      : magic(-1),
+      : magic(SIGNED_HEADER_MAGIC_HAVEN),
         image_size(0),
         epoch_(0x1337),
         major_(0),
@@ -57,13 +62,19 @@ typedef struct SignedHeader {
         config1_(0),
         err_response_(0),
         expect_response_(0),
+        swap_mark({0, 0}),
         dev_id0_(0),
         dev_id1_(0) {
     memset(signature, 'S', sizeof(signature));
     memset(tag, 'T', sizeof(tag));
     memset(fusemap, 0, sizeof(fusemap));
     memset(infomap, 0, sizeof(infomap));
-    memset(&_pad, '3', sizeof(_pad));
+    memset(&_pad, SIGNED_HEADER_PADDING, sizeof(_pad));
+    // Below all evolved out of _pad, thus must also be initialized to '3'
+    // for backward compatibility.
+    memset(&rw_product_family_, SIGNED_HEADER_PADDING,
+           sizeof(rw_product_family_));
+    memset(&u, SIGNED_HEADER_PADDING, sizeof(u));
     memset(&board_id_, SIGNED_HEADER_PADDING, sizeof(board_id_));
   }
 
@@ -77,16 +88,48 @@ typedef struct SignedHeader {
     infomap[n / 32] |= 1 << (n & 31);
   }
 
-  static uint32_t fuseIgnore(bool c) {
-    return c ? FUSE_IGNORE_C : FUSE_IGNORE_B;
+  static uint32_t fuseIgnore(bool c, bool d) {
+    return d ? FUSE_IGNORE_D : c ? FUSE_IGNORE_C : FUSE_IGNORE_B;
   }
 
-  static uint32_t infoIgnore(bool c) {
-    return c ? INFO_IGNORE_C : INFO_IGNORE_B;
+  static uint32_t infoIgnore(bool c, bool d) {
+    return d ? INFO_IGNORE_D : c ? INFO_IGNORE_C : INFO_IGNORE_B;
+  }
+
+  bool plausible() const {
+    switch (magic) {
+      case SIGNED_HEADER_MAGIC_HAVEN:
+      case SIGNED_HEADER_MAGIC_CITADEL:
+      case SIGNED_HEADER_MAGIC_DAUNTLESS:
+        break;
+      default:
+        return false;
+    }
+    if (keyid == -1u) return false;
+    if (ro_base >= ro_max) return false;
+    if (rx_base >= rx_max) return false;
+    if (_pad[0] != SIGNED_HEADER_PADDING) return false;
+    return true;
   }
 
   void print() const {
-    printf("hdr.magic          : %08x\n", magic);
+    printf("hdr.magic          : %08x (", magic);
+    switch (magic) {
+      case SIGNED_HEADER_MAGIC_HAVEN:
+        printf("Haven B");
+        break;
+      case SIGNED_HEADER_MAGIC_CITADEL:
+        printf("Citadel");
+        break;
+      case SIGNED_HEADER_MAGIC_DAUNTLESS:
+        printf("Dauntless");
+        break;
+      default:
+        printf("?");
+        break;
+    }
+    printf(")\n");
+    printf("hdr.ro_base        : %08x\n", ro_base);
     printf("hdr.keyid          : %08x\n", keyid);
     printf("hdr.tag            : ");
     const uint8_t* p = reinterpret_cast<const uint8_t*>(&tag);
@@ -99,11 +142,6 @@ typedef struct SignedHeader {
     printf("hdr.minor          : %08x\n", minor_);
     printf("hdr.timestamp      : %016" PRIx64 ", %s", timestamp_,
            asctime(localtime(reinterpret_cast<const time_t*>(&timestamp_))));
-    printf("hdr.image_size     : %08x\n", image_size);
-    printf("hdr.ro_base        : %08x\n", ro_base);
-    printf("hdr.ro_max         : %08x\n", ro_max);
-    printf("hdr.rx_base        : %08x\n", rx_base);
-    printf("hdr.rx_max         : %08x\n", rx_max);
     printf("hdr.img_chk        : %08x\n", be32toh(img_chk_));
     printf("hdr.fuses_chk      : %08x\n", be32toh(fuses_chk_));
     printf("hdr.info_chk       : %08x\n", be32toh(info_chk_));
@@ -112,8 +150,8 @@ typedef struct SignedHeader {
     printf("hdr.err_response   : %08x\n", err_response_);
     printf("hdr.expect_response: %08x\n", expect_response_);
 
-    if (dev_id0_) printf("hdr.dev_id0        : %08x\n", dev_id0_);
-    if (dev_id1_) printf("hdr.dev_id1        : %08x\n", dev_id1_);
+    if (dev_id0_) printf("hdr.dev_id0        : %08x (%d)\n", dev_id0_, dev_id0_);
+    if (dev_id1_) printf("hdr.dev_id1        : %08x (%d)\n", dev_id1_, dev_id1_);
 
     printf("hdr.fusemap        : ");
     for (size_t i = 0; i < sizeof(fusemap) / sizeof(fusemap[0]); ++i) {
@@ -125,14 +163,6 @@ typedef struct SignedHeader {
       printf("%08X", infomap[i]);
     }
     printf("\n");
-    printf("hdr.dev_id0        : %08x\n", dev_id0_);
-    printf("hdr.dev_id1        : %08x\n", dev_id1_);
-    printf("hdr.brd.type       : %08x\n",
-           SIGNED_HEADER_PADDING ^ board_id_.type);
-    printf("hdr.brd.type_mask  : %08x\n",
-           SIGNED_HEADER_PADDING ^ board_id_.type_mask);
-    printf("hdr.brd.flags      : %08x\n",
-           SIGNED_HEADER_PADDING ^ board_id_.flags);
   }
 #endif  // __cplusplus
 
@@ -159,16 +189,40 @@ typedef struct SignedHeader {
   uint32_t config1_;       // bits to mesh with FUSE_FW_DEFINED_BROM_CONFIG1
   uint32_t err_response_;  // bits to or with FUSE_FW_DEFINED_BROM_ERR_RESPONSE
   uint32_t expect_response_;  // action to take when expectation is violated
+
   union {
-    uint32_t
-        _pad[256 - 1 - 96 - 1 - 7 - 1 - 96 - 5 * 1 - 4 - 4 - 9 * 1 - 2 - 1 - 2 - 3];
+    // 2nd FIPS signature (gnubby RW)
     struct {
-      // 2nd FIPS signature (gnubby RW)
       uint32_t keyid;
       uint32_t r[8];
       uint32_t s[8];
     } ext_sig;
-  } _pad;
+
+    // FLASH trim override (Dauntless RO)
+    // iff config1_ & 65536
+    struct {
+      uint32_t FSH_SMW_SETTING_OPTION3;
+      uint32_t FSH_SMW_SETTING_OPTION2;
+      uint32_t FSH_SMW_SETTING_OPTIONA;
+      uint32_t FSH_SMW_SETTING_OPTIONB;
+      uint32_t FSH_SMW_SMP_WHV_OPTION1;
+      uint32_t FSH_SMW_SMP_WHV_OPTION0;
+      uint32_t FSH_SMW_SME_WHV_OPTION1;
+      uint32_t FSH_SMW_SME_WHV_OPTION0;
+    } fsh;
+  } u;
+
+  // Spare space
+  uint32_t _pad[5];
+
+  struct {
+    unsigned size : 12;
+    unsigned offset : 20;
+  } swap_mark;
+  uint32_t rw_product_family_;  // 0 == PRODUCT_FAMILY_ANY
+                                // Stored as (^SIGNED_HEADER_PADDING)
+                                // TODO(ntaha): add reference to product family
+                                // enum when available.
 
   struct {
     // CR50 board class locking