authornagendra modadugu <ngm@google.com>2018-06-19 20:21:11 -0700
committernagendra modadugu <ngm@google.com>2018-06-19 20:31:13 -0700
commit44432063284943cc743f31e4f4c1773a274fd47f (patch)
tree172bc6d772a4df3863c9ab5d0eb1af6a5fb5da92
parent038766371c787f1fd25d1695879de2dec4ec885d (diff)
parent5b7337e6e6cf4a1f06daf1a4b600bf031ace7d65 (diff)
downloadgeneric-44432063284943cc743f31e4f4c1773a274fd47f.tar.gz
Merge remote-tracking branch 'goog/upstream-master' into ngm-nos-merge-upstream
* goog/upstream-master: keymaster: return color and digest in ProvisionPresharedSecret keymaster: convert HardwareAuthType from enum to int keymaster: add missing Tag to keymaster_defs.proto keymaster.proto: Added additional comments. Definitions for slave implementation of v1 transport protocol keymaster: add error code KEY_UPGRADE_NOT_REQUIRED Bug: 110301629 Change-Id: I782e3f1257b86012c8acca2eea5ef014ff8d81df
-rw-r--r--BUILD1
-rw-r--r--nugget/include/app_transport_test.h25
-rw-r--r--nugget/include/application.h87
-rw-r--r--nugget/proto/nugget/app/keymaster/keymaster.options1
-rw-r--r--nugget/proto/nugget/app/keymaster/keymaster.proto6
-rw-r--r--nugget/proto/nugget/app/keymaster/keymaster_defs.proto10
-rw-r--r--nugget/proto/nugget/app/keymaster/keymaster_types.proto4
7 files changed, 110 insertions, 24 deletions
diff --git a/BUILD b/BUILD
index 0124b2d..9c8b007 100644
--- a/BUILD
+++ b/BUILD
@@ -2,6 +2,7 @@ cc_library(
name = "nos_headers",
hdrs = [
"nugget/include/app_nugget.h",
+ "nugget/include/app_transport_test.h",
"nugget/include/application.h",
"nugget/include/avb.h",
"nugget/include/flash_layout.h",
diff --git a/nugget/include/app_transport_test.h b/nugget/include/app_transport_test.h
new file mode 100644
index 0000000..0c0b4ba
--- /dev/null
+++ b/nugget/include/app_transport_test.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __CROS_EC_INCLUDE_APP_TRANSPORT_TEST_H
+#define __CROS_EC_INCLUDE_APP_TRANSPORT_TEST_H
+
+/* App commands */
+#define TRANSPORT_TEST_NOP 5 /* Does nothing successfully */
+#define TRANSPORT_TEST_1234 8 /* Returns 0x01020304 successfully */
+#define TRANSPORT_TEST_9876 9 /* Only successful if the arg is 0x09080706 */
+#define TRANSPORT_TEST_HANG 12 /* Forgets to call app_reply() */
+
+#endif /* __CROS_EC_INCLUDE_APP_TRANSPORT_TEST_H */
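Review bot: The include guard `__CROS_EC_INCLUDE_APP_TRANSPORT_TEST_H` begins with a double underscore, which C and C++ reserve for the implementation; if this is the established prefix for the other headers under nugget/include it is defensible for consistency, otherwise `CROS_EC_INCLUDE_APP_TRANSPORT_TEST_H` avoids the reserved-identifier collision. The command values 5, 8, 9 and 12 are non-contiguous and each carries an explanatory comment, which is good; a one-line note above them such as `/* Only honoured by the APP_ID_TRANSPORT_TEST fake app — confirm */` would tie this header to its intended consumer, since the values are presumably meaningless to any other app.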
diff --git a/nugget/include/application.h b/nugget/include/application.h
index 45824b3..9c7f2f6 100644
--- a/nugget/include/application.h
+++ b/nugget/include/application.h
@@ -75,6 +75,7 @@ typedef const void * const __private;
/* Fake apps used only for testing */
#define APP_ID_AVB_TEST 0x11
+#define APP_ID_TRANSPORT_TEST 0x12
/* This app ID should only be used by tests. */
#define APP_ID_TEST 0xff
@@ -199,20 +200,72 @@ typedef void (write_to_app_fn_t)(uint32_t command,
* then performs the requested operation and transititions to a "done" state.
* The Master will retrieve the application status and any reply data from
* Nugget OS, after which the application is ready to handle the next command.
- *
+ */
+
+#define TRANSPORT_V0 0x0000
+#define TRANSPORT_V1 0x0001
+
+/* Command information for the transport protocol. */
+struct transport_command_info {
+ /* v1 fields */
+ uint16_t length; /* length of this message */
+ uint16_t version; /* max version used by master */
+ uint16_t crc; /* CRC of some command fields */
+ uint16_t reply_len_hint; /* max that the master will read */
+} __packed;
+
+#define COMMAND_INFO_MIN_LENGTH 8
+#define COMMAND_INFO_MAX_LENGTH 32
+/* If more data needs to be sent, chain a new struct to the end of this one. It
+ * will require its own CRC for data integrity and something to signify the
+ * presence of the extra data. */
+
+struct transport_status {
+ /* v0 fields */
+ uint32_t status; /* status of the app */
+ uint16_t reply_len; /* length of available response data */
+ /* v1 fields */
+ uint16_t length; /* length of this message */
+ uint16_t version; /* max version used by slave */
+ uint16_t flags; /* space for more protocol state flags */
+ uint16_t crc; /* CRC of this status with crc set to 0 */
+ uint16_t reply_crc; /* CRC of the reply data */
+} __packed;
+
+/* Valid range of lengths for the status message */
+#define STATUS_MIN_LENGTH 0x10
+#define STATUS_MAX_LENGTH 0xff
+
+/* Flags used in the status message */
+#define STATUS_FLAG_WORKING 0x0001 /* added in v1 */
+
+/* Pre-calculated CRCs for different status responses set by in the interrupt
+ * context where the CRC would otherwise not be calculated. */
+#define STATUS_CRC_FOR_IDLE 0x54c1
+#define STATUS_CRC_FOR_WORKING 0x2101
+#define STATUS_CRC_FOR_ERROR_TOO_MUCH 0x97c0
+
+/*
* Applications that wish to use this transport API will need to declare a
* private struct app_transport which Nugget OS can use to maintain the state:
*/
-
struct app_transport {
- uint32_t command; /* from master */
- volatile uint32_t status; /* current application status */
- uint8_t *request, *response; /* input/output data buffer */
- uint16_t max_request_len, max_response_len; /* data buffer sizes */
- uint16_t request_len, response_len; /* current buffer count */
- uint16_t request_idx, response_idx; /* used internally */
void (*done_fn)(struct app_transport *); /* optional cleanup function */
/* Note: Any done_fn() is called in interrupt context. Be quick. */
+ uint8_t *const request; /* input data buffer */
+ uint8_t *const response; /* output data buffer */
+ const uint16_t max_request_len; /* input data buffer size */
+ const uint16_t max_response_len; /* output data buffer size */
+ /* The following are used for the incoming command. */
+ uint32_t command; /* from master */
+ union {
+ struct transport_command_info info;
+ uint8_t data[COMMAND_INFO_MAX_LENGTH]; /* space for future growth */
+ } command_info; /* extra info about the command */
+ uint16_t request_len; /* command data buffer size */
+ uint16_t response_idx; /* current index into response */
+ struct transport_status status[2]; /* current transport_status */
+ volatile uint8_t status_idx; /* index of active status */
};
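Review bot: `uint16_t crc; /* CRC of some command fields */` in struct transport_command_info leaves the integrity check underspecified for whoever implements the other end of the link; the comment should name the covered fields and the initial value, in the style of transport_status below, e.g. `/* CRC of <fields covered — fill in> with crc set to 0 */`. `length` and `reply_len_hint` both arrive from the master, and the union `command_info.data` is only COMMAND_INFO_MAX_LENGTH bytes, so the header should state that a length outside COMMAND_INFO_MIN_LENGTH..COMMAND_INFO_MAX_LENGTH is rejected before any later field is trusted; I cannot see the receiver here, so this may already be the case. COMMAND_INFO_MIN_LENGTH (8) and STATUS_MIN_LENGTH (0x10) duplicate the sizes of the two packed structs with nothing tying them together; if the toolchain accepts C11, `_Static_assert(sizeof(struct transport_command_info) == COMMAND_INFO_MIN_LENGTH, "command info size");` and the analogue for struct transport_status would catch a field being added without updating the constant.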
/*
@@ -224,18 +277,24 @@ struct app_transport {
*/
#define __TRANSPORT_ALIGNED__ __attribute__((aligned(8)))
-/* For debugging if needed */
-extern void dump_transport_state(const struct app_transport *s);
-
/*
* The application will need to provide a write_to_app_fn_t function that will
* be invoked when a new request is ready to be processed. All command and data
* parameters will already be present in the app's struct app_transport, so it
* just needs to awaken the application task to do the work.
*
+ * When awakened, the application task must check that there were no errors in
+ * the transmission of the request by calling this function. If it returns
+ * true, the task should go back to sleep until the next request arrives.
+ */
+int request_is_invalid(struct app_transport *s);
+/*
* When processing is finished, the app should call the app_reply() function to
- * return its status code and specify length of any data it has placed into the
- * response buffer, and then it can go back to sleep until its next invocation.
+ * return its status code and specify the length of any data it has placed into
+ * the response buffer, and then it can go back to sleep until its next
+ * invocation. CAUTION: The Master polls for app completion independently, so
+ * it may immediately begin retrieving the results as soon as this function
+ * is called *without* waiting for the Nugget OS app to go to sleep.
*/
void app_reply(struct app_transport *st, uint32_t status, uint16_t reply_len);
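Review bot: The contract of `int request_is_invalid(struct app_transport *s);` stops short of saying what has happened to the request when it returns true — whether the transport layer has already answered the master (for instance with APP_ERROR_CHECKSUM) or the task must still call app_reply() before sleeping; with the current wording an app that simply goes back to sleep could leave the master polling a request that is never completed. Suggest extending the comment with `* If it returns true the transport has already reported the error to the Master and the task must not call app_reply() for this request.`, or the converse, whichever the implementation does (not visible from this hunk). If the function does not modify *s, the parameter should be `const struct app_transport *s`, as the removed dump_transport_state() prototype declared it.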
@@ -248,6 +307,7 @@ enum app_status {
APP_ERROR_TOO_MUCH, /* caller sent too much data */
APP_ERROR_IO, /* problem sending or receiving data */
APP_ERROR_RPC, /* problem during RPC communication */
+ APP_ERROR_CHECKSUM, /* checksum failed, only used within protocol */
/* more? */
APP_SPECIFIC_ERROR = 0x20, /* "should be enough for anybody" */
@@ -314,6 +374,7 @@ extern write_to_app_fn_t transaction_api_to_fn;
/* Command flags used internally by Transport API messages */
#define CMD_TRANSPORT 0x40000000 /* 1=Transport API message */
+/* When CMD_TRANSPORT is set, the following bits have meaning */
#define CMD_IS_DATA 0x20000000 /* 1=data msg 0=status msg */
#define CMD_MORE_TO_COME 0x10000000 /* 1=continued 0=new */
diff --git a/nugget/proto/nugget/app/keymaster/keymaster.options b/nugget/proto/nugget/app/keymaster/keymaster.options
index 554b2dc..a96c584 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster.options
+++ b/nugget/proto/nugget/app/keymaster/keymaster.options
@@ -15,3 +15,4 @@ nugget.app.keymaster.GetBootInfoResponse.boot_hash max_size:32
nugget.app.keymaster.ProvisionPresharedSecretRequest.preshared_secret max_size:32
nugget.app.keymaster.StartAttestKeyRequest.not_before max_size:13
nugget.app.keymaster.StartAttestKeyRequest.not_after max_size:13
+nugget.app.keymaster.ProvisionPresharedSecretResponse.digest max_size:32
diff --git a/nugget/proto/nugget/app/keymaster/keymaster.proto b/nugget/proto/nugget/app/keymaster/keymaster.proto
index 705bc85..69056e8 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster.proto
+++ b/nugget/proto/nugget/app/keymaster/keymaster.proto
@@ -346,8 +346,8 @@ message SetBootStateRequest {
bool is_unlocked = 1;
bytes public_key = 2; // This is a SHA256 digest.
BootColor color = 3;
- uint32 system_version = 4;
- uint32 system_security_level = 5;
+ uint32 system_version = 4; // Deprecated.
+ uint32 system_security_level = 5; // Patch level of the boot partition.
bytes boot_hash = 6; // This is a SHA256 digest.
}
message SetBootStateResponse {
@@ -430,4 +430,6 @@ message ProvisionPresharedSecretRequest {
message ProvisionPresharedSecretResponse {
ErrorCode error_code = 1;
PresharedSecretStatus status = 2;
+ BootColor color = 3;
+ bytes digest = 4;
}
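Review bot: `bytes digest = 4;` gives no indication of what is digested or with which algorithm, unlike the neighbouring SetBootStateRequest fields that say `// This is a SHA256 digest.`; the keymaster.options change in this same commit caps it at 32 bytes, which suggests SHA-256, but the proto should state both the algorithm and the input. Suggest `bytes digest = 4; // <ALGORITHM — fill in> digest of <INPUT — fill in>.` with the placeholders completed by the author. `BootColor color = 3;` would likewise benefit from a comment saying which boot state the colour reflects.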
diff --git a/nugget/proto/nugget/app/keymaster/keymaster_defs.proto b/nugget/proto/nugget/app/keymaster/keymaster_defs.proto
index 2555c49..88ee2e5 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster_defs.proto
+++ b/nugget/proto/nugget/app/keymaster/keymaster_defs.proto
@@ -69,6 +69,7 @@ enum Tag {
ALLOW_WHILE_ON_BODY = 0x701fa; // (TagType:BOOL | 506)
TRUSTED_USER_PRESENCE_REQUIRED = 0x701fb; // (TagType:BOOL | 507)
TRUSTED_CONFIRMATION_REQUIRED = 0x701fc; // (TagType:BOOL | 508)
+ UNLOCKED_DEVICE_REQUIRED = 0x701fd; // (TagType:BOOL | 509)
/* RESERVED: ALL_APPLICATIONS = 0x70258; // (TagType:BOOL | 600) */
APPLICATION_ID = 0x90259; // (TagType:BYTES | 601)
/* RESERVED: EXPORTABLE = 0x7025a; // (TagType:BOOL | 602) */
@@ -247,14 +248,7 @@ enum ErrorCode {
INVALID_DEVICE_IDS = 72; // Vendor specific.
PRODUCTION_MODE_PROVISIONING = 73; // Vendor specific.
NO_USER_CONFIRMATION = 74;
-};
-
-enum HardwareAuthenticatorType {
- AUTH_NONE = 0;
- AUTH_PASSWORD = 1; // (1 << 0)
- AUTH_FINGERPRINT = 2; // (1 << 1)
- AUTH_ANY = 3;
- AUTH_MAX = 4;
+ KEY_UPGRADE_NOT_REQUIRED = 75; // Vendor specific.
};
enum SecurityLevel {
diff --git a/nugget/proto/nugget/app/keymaster/keymaster_types.proto b/nugget/proto/nugget/app/keymaster/keymaster_types.proto
index d56ff16..7e1d7b7 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster_types.proto
+++ b/nugget/proto/nugget/app/keymaster/keymaster_types.proto
@@ -63,9 +63,11 @@ message HardwareAuthToken {
uint64 challenge = 1;
uint64 user_id = 2;
uint64 authenticator_id = 3;
- HardwareAuthenticatorType authenticator_type = 4;
+ // Deprecated in favor of tag 7.
+ // HardwareAuthenticatorType authenticator_type = 4;
uint64 timestamp = 5;
bytes mac = 6;
+ uint32 authenticator_type = 7;
}
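Review bot: Field number 4 is retired by commenting it out rather than with a `reserved` statement, so nothing prevents a later edit from reusing tag 4 with a different type; for HardwareAuthToken, whose `mac` presumably covers the other fields, a silent reuse of an old tag would be hard to diagnose. Replace the two comment lines with `reserved 4; // was HardwareAuthenticatorType authenticator_type; replaced by tag 7.` The new `uint32 authenticator_type = 7;` should also document the values it carries — the removed enum in keymaster_defs.proto defined AUTH_PASSWORD as 1 << 0 and AUTH_FINGERPRINT as 1 << 1 — since the enum no longer exists to serve as that reference.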
message VerificationToken {