coreboot-libre-fam15h-rdimm/3rdparty/chromeec/common/rollback.c

/* Copyright 2017 The Chromium OS Authors. All rights reserved.
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

/* Rollback protection logic. */

#include "common.h"
#include "console.h"
#include "cryptoc/util.h"
#include "flash.h"
#include "hooks.h"
#include "host_command.h"
#ifdef CONFIG_MPU
#include "mpu.h"
#endif
#include "rollback.h"
#include "sha256.h"
#include "system.h"
#include "task.h"
#include "trng.h"
#include "util.h"

/* Console output macros */
#define CPRINTS(format, args...) cprints(CC_SYSTEM, format, ## args)

/* Number of rollback regions */
#define ROLLBACK_REGIONS 2

/*
 * Note: Do not change this structure without also updating
 * common/firmware_image.S .image.ROLLBACK section.
 */
struct rollback_data {
	int32_t id; /* Incrementing number to indicate which region to use. */
	int32_t rollback_min_version;
#ifdef CONFIG_ROLLBACK_SECRET_SIZE
	uint8_t secret[CONFIG_ROLLBACK_SECRET_SIZE];
#endif
	/* cookie must always be last, as it validates the rest of the data. */
	uint32_t cookie;
};

static int get_rollback_offset(int region)
{
#ifdef CONFIG_FLASH_MULTIPLE_REGION
	int rv;
	int rollback_start_bank = flash_bank_index(CONFIG_ROLLBACK_OFF);

	rv = flash_bank_start_offset(rollback_start_bank + region);
	ASSERT(rv >= 0);
	return rv;
#else
	return CONFIG_ROLLBACK_OFF + region * CONFIG_FLASH_ERASE_SIZE;
#endif
}

#ifdef SECTION_IS_RO
static int get_rollback_erase_size_bytes(int region)
{
	int erase_size;

#ifndef CONFIG_FLASH_MULTIPLE_REGION
	erase_size = CONFIG_FLASH_ERASE_SIZE;
#else
	int rollback_start_bank = flash_bank_index(CONFIG_ROLLBACK_OFF);

	erase_size = flash_bank_erase_size(rollback_start_bank + region);
#endif
	ASSERT(erase_size > 0);
	ASSERT(ROLLBACK_REGIONS * erase_size <= CONFIG_ROLLBACK_SIZE);
	ASSERT(sizeof(struct rollback_data) <= erase_size);
	return erase_size;
}
#endif

/*
 * When MPU is available, read rollback with interrupts disabled, to minimize
 * time protection is left open.
 */
static void lock_rollback(void)
{
#ifdef CONFIG_ROLLBACK_MPU_PROTECT
	mpu_lock_rollback(1);
	interrupt_enable();
#endif
}

static void unlock_rollback(void)
{
#ifdef CONFIG_ROLLBACK_MPU_PROTECT
	interrupt_disable();
	mpu_lock_rollback(0);
#endif
}

static void clear_rollback(struct rollback_data *data)
{
#ifdef CONFIG_ROLLBACK_SECRET_SIZE
	always_memset(data->secret, 0, sizeof(data->secret));
#endif
}

static int read_rollback(int region, struct rollback_data *data)
{
	int offset;
	int ret = EC_SUCCESS;

	offset = get_rollback_offset(region);

	unlock_rollback();
	if (flash_read(offset, sizeof(*data), (char *)data))
		ret = EC_ERROR_UNKNOWN;
	lock_rollback();

	return ret;
}

/*
 * Get the most recent rollback information.
 *
 * @data: Returns most recent rollback data block. The data is filled
 *        with zeros if no valid rollback block is present
 *
 * Return most recent region index on success (>= 0, or 0 if no rollback
 * region is valid), negative value on error.
 */
static int get_latest_rollback(struct rollback_data *data)
{
	int ret = -1;
	int region;
	int min_region = -1;
	int max_id = -1;
	struct rollback_data tmp_data;

	for (region = 0; region < ROLLBACK_REGIONS; region++) {
		if (read_rollback(region, &tmp_data))
			goto failed;

		/* Check if not initialized or invalid cookie. */
		if (tmp_data.cookie != CROS_EC_ROLLBACK_COOKIE)
			continue;

		if (tmp_data.id > max_id) {
			min_region = region;
			max_id = tmp_data.id;
		}
	}

	if (min_region >= 0) {
		if (read_rollback(min_region, data))
			goto failed;
	} else {
		min_region = 0;
		clear_rollback(data);
	}
	ret = min_region;

failed:
	clear_rollback(&tmp_data);
	return ret;
}

int32_t rollback_get_minimum_version(void)
{
	struct rollback_data data;
	int32_t ret = -1;

	if (get_latest_rollback(&data) < 0)
		goto failed;
	ret = data.rollback_min_version;

failed:
	clear_rollback(&data);
	return ret;
}

#ifdef CONFIG_ROLLBACK_SECRET_SIZE
test_mockable int rollback_get_secret(uint8_t *secret)
{
	int ret = EC_ERROR_UNKNOWN;
	struct rollback_data data;
	uint8_t first;
	int i = 0;

	if (get_latest_rollback(&data) < 0)
		goto failed;

	/* Check that secret is not full of 0x00 or 0xff */
	first = data.secret[0];
	if (first == 0x00 || first == 0xff) {
		for (i = 1; i < sizeof(data.secret); i++) {
			if (data.secret[i] != first)
				goto good;
		}
		goto failed;
	}

good:
	memcpy(secret, data.secret, sizeof(data.secret));
	ret = EC_SUCCESS;
failed:
	clear_rollback(&data);
	return ret;
}
#endif

int rollback_lock(void)
{
	int ret;

	/* Already locked */
	if (flash_get_protect() & EC_FLASH_PROTECT_ROLLBACK_NOW)
		return EC_SUCCESS;

	CPRINTS("Protecting rollback");

	/* This may do nothing if WP is not enabled, or RO is not protected. */
	ret = flash_set_protect(EC_FLASH_PROTECT_ROLLBACK_AT_BOOT, -1);

	if (!(flash_get_protect() & EC_FLASH_PROTECT_ROLLBACK_NOW) &&
	      flash_get_protect() & EC_FLASH_PROTECT_ROLLBACK_AT_BOOT) {
		/*
		 * If flash protection is still not enabled (some chips may
		 * be able to enable it immediately), reboot.
		 */
		cflush();
		system_reset(SYSTEM_RESET_HARD | SYSTEM_RESET_PRESERVE_FLAGS);
	}

	return ret;
}

#ifdef CONFIG_ROLLBACK_UPDATE

#ifdef CONFIG_ROLLBACK_SECRET_SIZE
static int add_entropy(uint8_t *dst, const uint8_t *src,
			uint8_t *add, unsigned int add_len)
{
	int ret = 0;
#ifdef CONFIG_SHA256
BUILD_ASSERT(SHA256_DIGEST_SIZE == CONFIG_ROLLBACK_SECRET_SIZE);
	struct sha256_ctx ctx;
	uint8_t *hash;
#ifdef CONFIG_ROLLBACK_SECRET_LOCAL_ENTROPY_SIZE
	uint8_t extra;
	int i;
#endif

	SHA256_init(&ctx);
	SHA256_update(&ctx, src, CONFIG_ROLLBACK_SECRET_SIZE);
	SHA256_update(&ctx, add, add_len);
#ifdef CONFIG_ROLLBACK_SECRET_LOCAL_ENTROPY_SIZE
	/* Add some locally produced entropy */
	for (i = 0; i < CONFIG_ROLLBACK_SECRET_LOCAL_ENTROPY_SIZE; i++) {
		if (!board_get_entropy(&extra, 1))
			goto failed;
		SHA256_update(&ctx, &extra, 1);
	}
#endif
	hash = SHA256_final(&ctx);

	memcpy(dst, hash, CONFIG_ROLLBACK_SECRET_SIZE);
	ret = 1;

#ifdef CONFIG_ROLLBACK_SECRET_LOCAL_ENTROPY_SIZE
failed:
#endif
	always_memset(&ctx, 0, sizeof(ctx));
#else
#error "Adding entropy to secret in rollback region requires SHA256."
#endif
	return ret;
}
#endif /* CONFIG_ROLLBACK_SECRET_SIZE */

/**
 * Update rollback block.
 *
 * @param next_min_version	Minimum version to update in rollback block. Can
 *				be a negative value if entropy is provided (in
 *				that case the current minimum version is kept).
 * @param entropy		Entropy to be added to rollback block secret
 *				(can be NULL, in that case no entropy is added).
 * @param len			entropy length
 *
 * @return EC_SUCCESS on success, EC_ERROR_* on error.
 */
static int rollback_update(int32_t next_min_version,
			   uint8_t *entropy, unsigned int length)
{
	/*
	 * When doing flash_write operation, the data needs to be in blocks
	 * of CONFIG_FLASH_WRITE_SIZE, pad rollback_data as required.
	 */
	uint8_t block[CONFIG_FLASH_WRITE_SIZE *
		DIV_ROUND_UP(sizeof(struct rollback_data),
			CONFIG_FLASH_WRITE_SIZE)];
	struct rollback_data *data = (struct rollback_data *)block;
	BUILD_ASSERT(sizeof(block) >= sizeof(*data));
	int erase_size, offset, region, ret;

	if (flash_get_protect() & EC_FLASH_PROTECT_ROLLBACK_NOW) {
		ret = EC_ERROR_ACCESS_DENIED;
		goto out;
	}

	/* Initialize the rest of the block. */
	memset(&block[sizeof(*data)], 0xff, sizeof(block)-sizeof(*data));

	region = get_latest_rollback(data);

	if (region < 0) {
		ret = EC_ERROR_UNKNOWN;
		goto out;
	}

#ifdef CONFIG_ROLLBACK_SECRET_SIZE
	if (entropy) {
		/* Do not accept to decrease the value. */
		if (next_min_version < data->rollback_min_version)
			next_min_version = data->rollback_min_version;
	} else
#endif
	{
		/* Do not accept to decrease the value. */
		if (next_min_version < data->rollback_min_version) {
			ret = EC_ERROR_INVAL;
			goto out;
		}

		/* No need to update if version is already correct. */
		if (next_min_version == data->rollback_min_version) {
			ret = EC_SUCCESS;
			goto out;
		}
	}

	/* Use the other region. */
	region = (region + 1) % ROLLBACK_REGIONS;

	offset = get_rollback_offset(region);

	data->id = data->id + 1;
	data->rollback_min_version = next_min_version;
#ifdef CONFIG_ROLLBACK_SECRET_SIZE
	/*
	 * If we are provided with some entropy, add it to secret. Otherwise,
	 * data.secret is left untouched and written back to the other region.
	 */
	if (entropy) {
		if (!add_entropy(data->secret, data->secret, entropy, length)) {
			ret = EC_ERROR_UNCHANGED;
			goto out;
		}
	}
#endif
	data->cookie = CROS_EC_ROLLBACK_COOKIE;

	erase_size = get_rollback_erase_size_bytes(region);

	if (erase_size < 0) {
		ret = EC_ERROR_UNKNOWN;
		goto out;
	}

	/* Offset should never be part of active image. */
	if (system_unsafe_to_overwrite(offset, erase_size)) {
		ret = EC_ERROR_UNKNOWN;
		goto out;
	}

	if (flash_erase(offset, erase_size)) {
		ret = EC_ERROR_UNKNOWN;
		goto out;
	}

	unlock_rollback();
	ret = flash_write(offset, sizeof(block), block);
	lock_rollback();

out:
	clear_rollback(data);
	return ret;
}

int rollback_update_version(int32_t next_min_version)
{
	return rollback_update(next_min_version, NULL, 0);
}

int rollback_add_entropy(uint8_t *data, unsigned int len)
{
	return rollback_update(-1, data, len);
}

static int command_rollback_update(int argc, char **argv)
{
	int32_t min_version;
	char *e;

	if (argc < 2)
		return EC_ERROR_PARAM_COUNT;

	min_version = strtoi(argv[1], &e, 0);

	if (*e || min_version < 0)
		return EC_ERROR_PARAM1;

	return rollback_update_version(min_version);
}
DECLARE_CONSOLE_COMMAND(rollbackupdate, command_rollback_update,
			"min_version",
			"Update rollback info");

#ifdef CONFIG_ROLLBACK_SECRET_SIZE
static int command_rollback_add_entropy(int argc, char **argv)
{
	int len;

	if (argc < 2)
		return EC_ERROR_PARAM_COUNT;

	len = strlen(argv[1]);

	return rollback_add_entropy(argv[1], len);
}
DECLARE_CONSOLE_COMMAND(rollbackaddent, command_rollback_add_entropy,
			"data",
			"Add entropy to rollback block");

#ifdef CONFIG_RNG
static int add_entropy_action;
static int add_entropy_rv = EC_RES_UNAVAILABLE;

static void add_entropy_deferred(void)
{
	uint8_t rand[CONFIG_ROLLBACK_SECRET_SIZE];
	int repeat = 1;

	/*
	 * If asked to reset the old secret, just add entropy multiple times,
	 * which will ping-pong between the blocks.
	 */
	if (add_entropy_action == ADD_ENTROPY_RESET_ASYNC)
		repeat = ROLLBACK_REGIONS;

	init_trng();
	do {
		rand_bytes(rand, sizeof(rand));
		if (rollback_add_entropy(rand, sizeof(rand)) != EC_SUCCESS) {
			add_entropy_rv = EC_RES_ERROR;
			goto out;
		}
	} while (--repeat);

	add_entropy_rv = EC_RES_SUCCESS;
out:
	exit_trng();
}
DECLARE_DEFERRED(add_entropy_deferred);

static enum ec_status
hc_rollback_add_entropy(struct host_cmd_handler_args *args)
{
	const struct ec_params_rollback_add_entropy *p = args->params;

	switch (p->action) {
	case ADD_ENTROPY_ASYNC:
	case ADD_ENTROPY_RESET_ASYNC:
		if (add_entropy_rv == EC_RES_BUSY)
			return EC_RES_BUSY;

		add_entropy_action = p->action;
		add_entropy_rv = EC_RES_BUSY;
		hook_call_deferred(&add_entropy_deferred_data, 0);

		return EC_RES_SUCCESS;

	case ADD_ENTROPY_GET_RESULT:
		return add_entropy_rv;
	}

	return EC_RES_INVALID_PARAM;
}
DECLARE_HOST_COMMAND(EC_CMD_ADD_ENTROPY,
		     hc_rollback_add_entropy,
		     EC_VER_MASK(0));
#endif /* CONFIG_RNG */
#endif /* CONFIG_ROLLBACK_SECRET_SIZE */
#endif /* CONFIG_ROLLBACK_UPDATE */

static int command_rollback_info(int argc, char **argv)
{
	int ret = EC_ERROR_UNKNOWN;
	int region, min_region;
	int32_t rw_rollback_version;
	struct rollback_data data;

	min_region = get_latest_rollback(&data);

	if (min_region < 0)
		goto failed;

	rw_rollback_version = system_get_rollback_version(SYSTEM_IMAGE_RW);

	ccprintf("rollback minimum version: %d\n", data.rollback_min_version);
	ccprintf("RW rollback version: %d\n", rw_rollback_version);

	for (region = 0; region < ROLLBACK_REGIONS; region++) {
		ret = read_rollback(region, &data);
		if (ret)
			goto failed;

		ccprintf("rollback %d: %08x %08x %08x",
			region, data.id, data.rollback_min_version,
			data.cookie);
#ifdef CONFIG_ROLLBACK_SECRET_SIZE
		if (!system_is_locked()) {
			/* If system is unlocked, show some of the secret. */
			ccprintf(" [%02x..%02x]", data.secret[0],
				data.secret[CONFIG_ROLLBACK_SECRET_SIZE-1]);
		}
#endif
		if (min_region == region)
			ccprintf(" *");
		ccprintf("\n");
	}
	ret = EC_SUCCESS;

failed:
	clear_rollback(&data);
	return ret;
}
DECLARE_SAFE_CONSOLE_COMMAND(rollbackinfo, command_rollback_info,
			     NULL,
			     "Print rollback info");

static enum ec_status
host_command_rollback_info(struct host_cmd_handler_args *args)
{
	int ret = EC_RES_UNAVAILABLE;
	struct ec_response_rollback_info *r = args->response;
	int min_region;
	struct rollback_data data;

	min_region = get_latest_rollback(&data);

	if (min_region < 0)
		goto failed;

	r->id = data.id;
	r->rollback_min_version = data.rollback_min_version;
	r->rw_rollback_version = system_get_rollback_version(SYSTEM_IMAGE_RW);

	args->response_size = sizeof(*r);
	ret = EC_RES_SUCCESS;

failed:
	clear_rollback(&data);
	return ret;
}
DECLARE_HOST_COMMAND(EC_CMD_ROLLBACK_INFO,
		     host_command_rollback_info,
		     EC_VER_MASK(0));
Initial commit 2024-03-04 11:14:53 +01:00			`/* Copyright 2017 The Chromium OS Authors. All rights reserved.`
			`* Use of this source code is governed by a BSD-style license that can be`
			`* found in the LICENSE file.`
			`*/`

			`/* Rollback protection logic. */`

			`#include "common.h"`
			`#include "console.h"`
			`#include "cryptoc/util.h"`
			`#include "flash.h"`
			`#include "hooks.h"`
			`#include "host_command.h"`
			`#ifdef CONFIG_MPU`
			`#include "mpu.h"`
			`#endif`
			`#include "rollback.h"`
			`#include "sha256.h"`
			`#include "system.h"`
			`#include "task.h"`
			`#include "trng.h"`
			`#include "util.h"`

			`/* Console output macros */`
			`#define CPRINTS(format, args...) cprints(CC_SYSTEM, format, ## args)`

			`/* Number of rollback regions */`
			`#define ROLLBACK_REGIONS 2`

			`/*`
			`* Note: Do not change this structure without also updating`
			`* common/firmware_image.S .image.ROLLBACK section.`
			`*/`
			`struct rollback_data {`
			`int32_t id; /* Incrementing number to indicate which region to use. */`
			`int32_t rollback_min_version;`
			`#ifdef CONFIG_ROLLBACK_SECRET_SIZE`
			`uint8_t secret[CONFIG_ROLLBACK_SECRET_SIZE];`
			`#endif`
			`/* cookie must always be last, as it validates the rest of the data. */`
			`uint32_t cookie;`
			`};`

			`static int get_rollback_offset(int region)`
			`{`
			`#ifdef CONFIG_FLASH_MULTIPLE_REGION`
			`int rv;`
			`int rollback_start_bank = flash_bank_index(CONFIG_ROLLBACK_OFF);`

			`rv = flash_bank_start_offset(rollback_start_bank + region);`
			`ASSERT(rv >= 0);`
			`return rv;`
			`#else`
			`return CONFIG_ROLLBACK_OFF + region * CONFIG_FLASH_ERASE_SIZE;`
			`#endif`
			`}`

			`#ifdef SECTION_IS_RO`
			`static int get_rollback_erase_size_bytes(int region)`
			`{`
			`int erase_size;`

			`#ifndef CONFIG_FLASH_MULTIPLE_REGION`
			`erase_size = CONFIG_FLASH_ERASE_SIZE;`
			`#else`
			`int rollback_start_bank = flash_bank_index(CONFIG_ROLLBACK_OFF);`

			`erase_size = flash_bank_erase_size(rollback_start_bank + region);`
			`#endif`
			`ASSERT(erase_size > 0);`
			`ASSERT(ROLLBACK_REGIONS * erase_size <= CONFIG_ROLLBACK_SIZE);`
			`ASSERT(sizeof(struct rollback_data) <= erase_size);`
			`return erase_size;`
			`}`
			`#endif`

			`/*`
			`* When MPU is available, read rollback with interrupts disabled, to minimize`
			`* time protection is left open.`
			`*/`
			`static void lock_rollback(void)`
			`{`
			`#ifdef CONFIG_ROLLBACK_MPU_PROTECT`
			`mpu_lock_rollback(1);`
			`interrupt_enable();`
			`#endif`
			`}`

			`static void unlock_rollback(void)`
			`{`
			`#ifdef CONFIG_ROLLBACK_MPU_PROTECT`
			`interrupt_disable();`
			`mpu_lock_rollback(0);`
			`#endif`
			`}`

			`static void clear_rollback(struct rollback_data *data)`
			`{`
			`#ifdef CONFIG_ROLLBACK_SECRET_SIZE`
			`always_memset(data->secret, 0, sizeof(data->secret));`
			`#endif`
			`}`

			`static int read_rollback(int region, struct rollback_data *data)`
			`{`
			`int offset;`
			`int ret = EC_SUCCESS;`

			`offset = get_rollback_offset(region);`

			`unlock_rollback();`
			`if (flash_read(offset, sizeof(data), (char )data))`
			`ret = EC_ERROR_UNKNOWN;`
			`lock_rollback();`

			`return ret;`
			`}`

			`/*`
			`* Get the most recent rollback information.`
			`*`
			`* @data: Returns most recent rollback data block. The data is filled`
			`* with zeros if no valid rollback block is present`
			`*`
			`* Return most recent region index on success (>= 0, or 0 if no rollback`
			`* region is valid), negative value on error.`
			`*/`
			`static int get_latest_rollback(struct rollback_data *data)`
			`{`
			`int ret = -1;`
			`int region;`
			`int min_region = -1;`
			`int max_id = -1;`
			`struct rollback_data tmp_data;`

			`for (region = 0; region < ROLLBACK_REGIONS; region++) {`
			`if (read_rollback(region, &tmp_data))`
			`goto failed;`

			`/* Check if not initialized or invalid cookie. */`
			`if (tmp_data.cookie != CROS_EC_ROLLBACK_COOKIE)`
			`continue;`

			`if (tmp_data.id > max_id) {`
			`min_region = region;`
			`max_id = tmp_data.id;`
			`}`
			`}`

			`if (min_region >= 0) {`
			`if (read_rollback(min_region, data))`
			`goto failed;`
			`} else {`
			`min_region = 0;`
			`clear_rollback(data);`
			`}`
			`ret = min_region;`

			`failed:`
			`clear_rollback(&tmp_data);`
			`return ret;`
			`}`

			`int32_t rollback_get_minimum_version(void)`
			`{`
			`struct rollback_data data;`
			`int32_t ret = -1;`

			`if (get_latest_rollback(&data) < 0)`
			`goto failed;`
			`ret = data.rollback_min_version;`

			`failed:`
			`clear_rollback(&data);`
			`return ret;`
			`}`

			`#ifdef CONFIG_ROLLBACK_SECRET_SIZE`
			`test_mockable int rollback_get_secret(uint8_t *secret)`
			`{`
			`int ret = EC_ERROR_UNKNOWN;`
			`struct rollback_data data;`
			`uint8_t first;`
			`int i = 0;`

			`if (get_latest_rollback(&data) < 0)`
			`goto failed;`

			`/* Check that secret is not full of 0x00 or 0xff */`
			`first = data.secret[0];`
			`if (first == 0x00 \|\| first == 0xff) {`
			`for (i = 1; i < sizeof(data.secret); i++) {`
			`if (data.secret[i] != first)`
			`goto good;`
			`}`
			`goto failed;`
			`}`

			`good:`
			`memcpy(secret, data.secret, sizeof(data.secret));`
			`ret = EC_SUCCESS;`
			`failed:`
			`clear_rollback(&data);`
			`return ret;`
			`}`
			`#endif`

			`int rollback_lock(void)`
			`{`
			`int ret;`

			`/* Already locked */`
			`if (flash_get_protect() & EC_FLASH_PROTECT_ROLLBACK_NOW)`
			`return EC_SUCCESS;`

			`CPRINTS("Protecting rollback");`

			`/* This may do nothing if WP is not enabled, or RO is not protected. */`
			`ret = flash_set_protect(EC_FLASH_PROTECT_ROLLBACK_AT_BOOT, -1);`

			`if (!(flash_get_protect() & EC_FLASH_PROTECT_ROLLBACK_NOW) &&`
			`flash_get_protect() & EC_FLASH_PROTECT_ROLLBACK_AT_BOOT) {`
			`/*`
			`* If flash protection is still not enabled (some chips may`
			`* be able to enable it immediately), reboot.`
			`*/`
			`cflush();`
			`system_reset(SYSTEM_RESET_HARD \| SYSTEM_RESET_PRESERVE_FLAGS);`
			`}`

			`return ret;`
			`}`

			`#ifdef CONFIG_ROLLBACK_UPDATE`

			`#ifdef CONFIG_ROLLBACK_SECRET_SIZE`
			`static int add_entropy(uint8_t dst, const uint8_t src,`
			`uint8_t *add, unsigned int add_len)`
			`{`
			`int ret = 0;`
			`#ifdef CONFIG_SHA256`
			`BUILD_ASSERT(SHA256_DIGEST_SIZE == CONFIG_ROLLBACK_SECRET_SIZE);`
			`struct sha256_ctx ctx;`
			`uint8_t *hash;`
			`#ifdef CONFIG_ROLLBACK_SECRET_LOCAL_ENTROPY_SIZE`
			`uint8_t extra;`
			`int i;`
			`#endif`

			`SHA256_init(&ctx);`
			`SHA256_update(&ctx, src, CONFIG_ROLLBACK_SECRET_SIZE);`
			`SHA256_update(&ctx, add, add_len);`
			`#ifdef CONFIG_ROLLBACK_SECRET_LOCAL_ENTROPY_SIZE`
			`/* Add some locally produced entropy */`
			`for (i = 0; i < CONFIG_ROLLBACK_SECRET_LOCAL_ENTROPY_SIZE; i++) {`
			`if (!board_get_entropy(&extra, 1))`
			`goto failed;`
			`SHA256_update(&ctx, &extra, 1);`
			`}`
			`#endif`
			`hash = SHA256_final(&ctx);`

			`memcpy(dst, hash, CONFIG_ROLLBACK_SECRET_SIZE);`
			`ret = 1;`

			`#ifdef CONFIG_ROLLBACK_SECRET_LOCAL_ENTROPY_SIZE`
			`failed:`
			`#endif`
			`always_memset(&ctx, 0, sizeof(ctx));`
			`#else`
			`#error "Adding entropy to secret in rollback region requires SHA256."`
			`#endif`
			`return ret;`
			`}`
			`#endif /* CONFIG_ROLLBACK_SECRET_SIZE */`

			`/**`
			`* Update rollback block.`
			`*`
			`* @param next_min_version Minimum version to update in rollback block. Can`
			`* be a negative value if entropy is provided (in`
			`* that case the current minimum version is kept).`
			`* @param entropy Entropy to be added to rollback block secret`
			`* (can be NULL, in that case no entropy is added).`
			`* @param len entropy length`
			`*`
			`* @return EC_SUCCESS on success, EC_ERROR_* on error.`
			`*/`
			`static int rollback_update(int32_t next_min_version,`
			`uint8_t *entropy, unsigned int length)`
			`{`
			`/*`
			`* When doing flash_write operation, the data needs to be in blocks`
			`* of CONFIG_FLASH_WRITE_SIZE, pad rollback_data as required.`
			`*/`
			`uint8_t block[CONFIG_FLASH_WRITE_SIZE *`
			`DIV_ROUND_UP(sizeof(struct rollback_data),`
			`CONFIG_FLASH_WRITE_SIZE)];`
			`struct rollback_data data = (struct rollback_data )block;`
			`BUILD_ASSERT(sizeof(block) >= sizeof(*data));`
			`int erase_size, offset, region, ret;`

			`if (flash_get_protect() & EC_FLASH_PROTECT_ROLLBACK_NOW) {`
			`ret = EC_ERROR_ACCESS_DENIED;`
			`goto out;`
			`}`

			`/* Initialize the rest of the block. */`
			`memset(&block[sizeof(data)], 0xff, sizeof(block)-sizeof(data));`

			`region = get_latest_rollback(data);`

			`if (region < 0) {`
			`ret = EC_ERROR_UNKNOWN;`
			`goto out;`
			`}`

			`#ifdef CONFIG_ROLLBACK_SECRET_SIZE`
			`if (entropy) {`
			`/* Do not accept to decrease the value. */`
			`if (next_min_version < data->rollback_min_version)`
			`next_min_version = data->rollback_min_version;`
			`} else`
			`#endif`
			`{`
			`/* Do not accept to decrease the value. */`
			`if (next_min_version < data->rollback_min_version) {`
			`ret = EC_ERROR_INVAL;`
			`goto out;`
			`}`

			`/* No need to update if version is already correct. */`
			`if (next_min_version == data->rollback_min_version) {`
			`ret = EC_SUCCESS;`
			`goto out;`
			`}`
			`}`

			`/* Use the other region. */`
			`region = (region + 1) % ROLLBACK_REGIONS;`

			`offset = get_rollback_offset(region);`

			`data->id = data->id + 1;`
			`data->rollback_min_version = next_min_version;`
			`#ifdef CONFIG_ROLLBACK_SECRET_SIZE`
			`/*`
			`* If we are provided with some entropy, add it to secret. Otherwise,`
			`* data.secret is left untouched and written back to the other region.`
			`*/`
			`if (entropy) {`
			`if (!add_entropy(data->secret, data->secret, entropy, length)) {`
			`ret = EC_ERROR_UNCHANGED;`
			`goto out;`
			`}`
			`}`
			`#endif`
			`data->cookie = CROS_EC_ROLLBACK_COOKIE;`

			`erase_size = get_rollback_erase_size_bytes(region);`

			`if (erase_size < 0) {`
			`ret = EC_ERROR_UNKNOWN;`
			`goto out;`
			`}`

			`/* Offset should never be part of active image. */`
			`if (system_unsafe_to_overwrite(offset, erase_size)) {`
			`ret = EC_ERROR_UNKNOWN;`
			`goto out;`
			`}`

			`if (flash_erase(offset, erase_size)) {`
			`ret = EC_ERROR_UNKNOWN;`
			`goto out;`
			`}`

			`unlock_rollback();`
			`ret = flash_write(offset, sizeof(block), block);`
			`lock_rollback();`

			`out:`
			`clear_rollback(data);`
			`return ret;`
			`}`

			`int rollback_update_version(int32_t next_min_version)`
			`{`
			`return rollback_update(next_min_version, NULL, 0);`
			`}`

			`int rollback_add_entropy(uint8_t *data, unsigned int len)`
			`{`
			`return rollback_update(-1, data, len);`
			`}`

			`static int command_rollback_update(int argc, char **argv)`
			`{`
			`int32_t min_version;`
			`char *e;`

			`if (argc < 2)`
			`return EC_ERROR_PARAM_COUNT;`

			`min_version = strtoi(argv[1], &e, 0);`

			`if (*e \|\| min_version < 0)`
			`return EC_ERROR_PARAM1;`

			`return rollback_update_version(min_version);`
			`}`
			`DECLARE_CONSOLE_COMMAND(rollbackupdate, command_rollback_update,`
			`"min_version",`
			`"Update rollback info");`

			`#ifdef CONFIG_ROLLBACK_SECRET_SIZE`
			`static int command_rollback_add_entropy(int argc, char **argv)`
			`{`
			`int len;`

			`if (argc < 2)`
			`return EC_ERROR_PARAM_COUNT;`

			`len = strlen(argv[1]);`

			`return rollback_add_entropy(argv[1], len);`
			`}`
			`DECLARE_CONSOLE_COMMAND(rollbackaddent, command_rollback_add_entropy,`
			`"data",`
			`"Add entropy to rollback block");`

			`#ifdef CONFIG_RNG`
			`static int add_entropy_action;`
			`static int add_entropy_rv = EC_RES_UNAVAILABLE;`

			`static void add_entropy_deferred(void)`
			`{`
			`uint8_t rand[CONFIG_ROLLBACK_SECRET_SIZE];`
			`int repeat = 1;`

			`/*`
			`* If asked to reset the old secret, just add entropy multiple times,`
			`* which will ping-pong between the blocks.`
			`*/`
			`if (add_entropy_action == ADD_ENTROPY_RESET_ASYNC)`
			`repeat = ROLLBACK_REGIONS;`

			`init_trng();`
			`do {`
			`rand_bytes(rand, sizeof(rand));`
			`if (rollback_add_entropy(rand, sizeof(rand)) != EC_SUCCESS) {`
			`add_entropy_rv = EC_RES_ERROR;`
			`goto out;`
			`}`
			`} while (--repeat);`

			`add_entropy_rv = EC_RES_SUCCESS;`
			`out:`
			`exit_trng();`
			`}`
			`DECLARE_DEFERRED(add_entropy_deferred);`

			`static enum ec_status`
			`hc_rollback_add_entropy(struct host_cmd_handler_args *args)`
			`{`
			`const struct ec_params_rollback_add_entropy *p = args->params;`

			`switch (p->action) {`
			`case ADD_ENTROPY_ASYNC:`
			`case ADD_ENTROPY_RESET_ASYNC:`
			`if (add_entropy_rv == EC_RES_BUSY)`
			`return EC_RES_BUSY;`

			`add_entropy_action = p->action;`
			`add_entropy_rv = EC_RES_BUSY;`
			`hook_call_deferred(&add_entropy_deferred_data, 0);`

			`return EC_RES_SUCCESS;`

			`case ADD_ENTROPY_GET_RESULT:`
			`return add_entropy_rv;`
			`}`

			`return EC_RES_INVALID_PARAM;`
			`}`
			`DECLARE_HOST_COMMAND(EC_CMD_ADD_ENTROPY,`
			`hc_rollback_add_entropy,`
			`EC_VER_MASK(0));`
			`#endif /* CONFIG_RNG */`
			`#endif /* CONFIG_ROLLBACK_SECRET_SIZE */`
			`#endif /* CONFIG_ROLLBACK_UPDATE */`

			`static int command_rollback_info(int argc, char **argv)`
			`{`
			`int ret = EC_ERROR_UNKNOWN;`
			`int region, min_region;`
			`int32_t rw_rollback_version;`
			`struct rollback_data data;`

			`min_region = get_latest_rollback(&data);`

			`if (min_region < 0)`
			`goto failed;`

			`rw_rollback_version = system_get_rollback_version(SYSTEM_IMAGE_RW);`

			`ccprintf("rollback minimum version: %d\n", data.rollback_min_version);`
			`ccprintf("RW rollback version: %d\n", rw_rollback_version);`

			`for (region = 0; region < ROLLBACK_REGIONS; region++) {`
			`ret = read_rollback(region, &data);`
			`if (ret)`
			`goto failed;`

			`ccprintf("rollback %d: %08x %08x %08x",`
			`region, data.id, data.rollback_min_version,`
			`data.cookie);`
			`#ifdef CONFIG_ROLLBACK_SECRET_SIZE`
			`if (!system_is_locked()) {`
			`/* If system is unlocked, show some of the secret. */`
			`ccprintf(" [%02x..%02x]", data.secret[0],`
			`data.secret[CONFIG_ROLLBACK_SECRET_SIZE-1]);`
			`}`
			`#endif`
			`if (min_region == region)`
			`ccprintf(" *");`
			`ccprintf("\n");`
			`}`
			`ret = EC_SUCCESS;`

			`failed:`
			`clear_rollback(&data);`
			`return ret;`
			`}`
			`DECLARE_SAFE_CONSOLE_COMMAND(rollbackinfo, command_rollback_info,`
			`NULL,`
			`"Print rollback info");`

			`static enum ec_status`
			`host_command_rollback_info(struct host_cmd_handler_args *args)`
			`{`
			`int ret = EC_RES_UNAVAILABLE;`
			`struct ec_response_rollback_info *r = args->response;`
			`int min_region;`
			`struct rollback_data data;`

			`min_region = get_latest_rollback(&data);`

			`if (min_region < 0)`
			`goto failed;`

			`r->id = data.id;`
			`r->rollback_min_version = data.rollback_min_version;`
			`r->rw_rollback_version = system_get_rollback_version(SYSTEM_IMAGE_RW);`

			`args->response_size = sizeof(*r);`
			`ret = EC_RES_SUCCESS;`

			`failed:`
			`clear_rollback(&data);`
			`return ret;`
			`}`
			`DECLARE_HOST_COMMAND(EC_CMD_ROLLBACK_INFO,`
			`host_command_rollback_info,`
			`EC_VER_MASK(0));`