5 files changed, 153 insertions, 117 deletions
diff --git a/nugget/include/app_nugget.h b/nugget/include/app_nugget.h
index 2e96c97..14191df 100644
--- a/nugget/include/app_nugget.h
+++ b/nugget/include/app_nugget.h
@@ -16,7 +16,6 @@
 #ifndef __CROS_EC_INCLUDE_APP_NUGGET_H
 #define __CROS_EC_INCLUDE_APP_NUGGET_H
 #include "application.h"
-#include "flash_layout.h"
 
 #ifdef __cplusplus
 extern "C" {
@@ -28,7 +27,7 @@ extern "C" {
  */
 /****************************************************************************/
 
-/* App-specific errors */
+/* App-specific errors (across all commands) */
 enum {
   NUGGET_ERROR_LOCKED = APP_SPECIFIC_ERROR,
   NUGGET_ERROR_RETRY,
@@ -52,10 +51,11 @@ enum {
 /****************************************************************************/
 /* Firmware upgrade stuff */
 
+#define NP_FLASH_BLOCK_SIZE 2048
 struct nugget_app_flash_block {
   uint32_t block_digest;                 /* first 4 bytes of sha1 of the rest */
   uint32_t offset;                       /* from start of flash */
-  uint8_t payload[CHIP_FLASH_BANK_SIZE]; /* data to write */
+  uint8_t payload[NP_FLASH_BLOCK_SIZE];  /* data to write */
 } __packed;
 
 #define NUGGET_PARAM_FLASH_BLOCK 0x0001
@@ -323,6 +323,15 @@ struct nugget_app_board_id {
  * @param reply_len    sizeof(uint32_t)
  */
 
+enum nugget_app_selftest_cmd {
+	/* Generic */
+	NUGGET_APP_SELFTEST_CMD_DEFAULT = 0,
+	NUGGET_APP_SELFTEST_CMD_HELP,
+
+	/* Application SelfTests */
+	NUGGET_APP_SELFTEST_CMD_TRNG = 0x10,
+};
+
 #define NUGGET_PARAM_SELFTEST 0x0101
 /*
  * Run an intentionally vaguely specified internal test.
@@ -377,6 +386,30 @@ struct nugget_app_low_power_stats {
 /* UNIMPLEMENTED */
 
 /****************************************************************************/
+/* Commands for code coverage and quality assurance */
+
+#define NUGGET_GET_COVERAGE_COUNTERS 0x0300
+/**
+ * Returns the counters back to the master
+ *
+ * @param args         module counter
+ * @param arg_len      1
+ * @param reply        buffer containing coverage data in utf-8 format
+ * @param reply_len    depends on the counters in the file
+ */
+
+/*
+ * Error returned if coverage data didn't fit in the buffer.
+ *
+ * TODO: Should really have a second arg which is an offset in the coverage
+ * data.  That way we could call repeatedly to return data too big to return in
+ * a single command.
+ */
+enum {
+  NUGGET_ERROR_COVERAGE_OVERFLOW = APP_SPECIFIC_ERROR + 0x300,
+};
+
+/****************************************************************************/
 /* These are bringup / debug functions only. */
 
 #define NUGGET_PARAM_READ32 0xF000
@@ -420,6 +453,53 @@ struct nugget_app_write32 {
  * @param reply_len    len(recent console output)
  */
 
+#define NUGGET_PARAM_MODULE_TEST 0xF003
+/**
+ * Run a module test based on a provided command.
+ *
+ * A default command is afforded (0x00), which runs each module test that is
+ * currently enabled. Specific tests can be specified, but are not enumerated
+ * here.
+ *
+ * The return code of the command (enum app_status) encodes the success state of
+ * the tests. A result of `APP_SUCCESS` is, unsurprisingly, a success for all
+ * specified tests. A failure of a given test is encoded using the
+ * `APP_SPECIFIC_ERROR` values. This allows a given test to not only report that
+ * an error has occured, but also to report which test threw the error, and in
+ * what point of the test the error was thrown.
+ * The encoding is as follows:
+ * `rv = (APP_SPECIFIC_ERROR + command + test_step)`
+ * where `command` is the 4-byte test value (in steps of 0x10), and where the
+ * test_step is a subdivision of the test, valued from 0-15.
+ *
+ * The return string will describe each test that passes, and each test that
+ * fails, and how it failed. Tests should abort after the first failure.
+ *
+ * @param args         uint32_t command
+ * @param arg_len      sizeof(uint32_t)
+ * @param reply        null-terminated string (usually)
+ * @param reply_len    number of bytes in reply (including trailing '\0')
+ */
+
+enum nugget_app_sleep_mode {
+	NUGGET_APP_SLEEP_MODE_DEFAULT,
+	NUGGET_APP_SLEEP_MODE_WFI,
+	NUGGET_APP_SLEEP_MODE_SLEEP
+};
+#define NUGGET_PARAM_SET_SLEEP_MODE 0xF004
+/**
+ * Set the Sleep mode of the GSC.
+ *
+ * In certain tests, we expect the GSC to be in either WFI mode, or in deep
+ * sleep mode. The sleep state should be provided by the host to the GSC, to
+ * ensure that the test is performed in the correct circumstances.
+ *
+ * @param args         enum nugget_app_sleep_mode selection
+ * @param arg_len      4
+ * @param reply        <none>
+ * @param reply_len    0
+ */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/nugget/include/application.h b/nugget/include/application.h
index ddc7600..ef70754 100644
--- a/nugget/include/application.h
+++ b/nugget/include/application.h
@@ -72,6 +72,7 @@ typedef const void * const __private;
 #define APP_ID_KEYMASTER         0x02
 #define APP_ID_WEAVER            0x03
 #define APP_ID_PROTOBUF          0x04
+#define APP_ID_IDENTITY          0x05
 
 /* Fake apps used only for testing */
 #define APP_ID_AVB_TEST          0x11
@@ -168,15 +169,17 @@ typedef void (write_to_app_fn_t)(uint32_t command,
  * @param  Id        The Application ID, defined above
  * @param  Name      A human-readable string identifying the application
  * @param  Version   An app-specific uint32_t number, for compability purposes
- * @param  From_fn   A pointer to the app's read_from_app_fnt_t handler
+ * @param  From_fn   A pointer to the app's read_from_app_fn_t handler
  * @param  To_fn     A pointer to the app's write_to_app_fn_t handler
+ * @param  Data      App's private data
  */
-#define DECLARE_APPLICATION_DATAGRAM(Id, Name, Version, From_fn, To_fn) \
-    const struct app_info __keep CONCAT2(app_, Id)                      \
-      __attribute__((section(".rodata.app_info")))                      \
-      = { .api = { .id = Id,                                            \
-             .from_fn = From_fn, .to_fn = To_fn},                       \
-          .version = Version, .name = Name }
+#define DECLARE_APPLICATION_DATAGRAM(Id, Name, Version, From_fn, To_fn, Data) \
+  const struct app_info __keep CONCAT2(app_, Id)                        \
+    __attribute__((section(".rodata.app_info")))                        \
+    = { .api = { .id = Id,                                              \
+                 .from_fn = From_fn, .to_fn = To_fn,                    \
+                 .data = Data},                                         \
+        .version = Version, .name = Name }
 
 /****************************************************************************/
 /* Transport API */
@@ -240,7 +243,7 @@ struct transport_status {
 /* Flags used in the status message */
 #define STATUS_FLAG_WORKING 0x0001 /* added in v1 */
 
-/* Pre-calculated CRCs for different status responses set by in the interrupt
+/* Pre-calculated CRCs for different status responses set in the interrupt
  * context where the CRC would otherwise not be calculated. */
 #define STATUS_CRC_FOR_IDLE              0x54c1
 #define STATUS_CRC_FOR_WORKING           0x2101
@@ -303,18 +306,29 @@ void app_reply(struct app_transport *st, uint32_t status, uint16_t reply_len);
 enum app_status {
   /* A few values are common to all applications */
   APP_SUCCESS = 0,
-  APP_ERROR_BOGUS_ARGS,      /* caller being stupid */
-  APP_ERROR_INTERNAL,        /* application being stupid */
-  APP_ERROR_TOO_MUCH,        /* caller sent too much data */
-  APP_ERROR_IO,              /* problem sending or receiving data */
-  APP_ERROR_RPC,             /* problem during RPC communication */
-  APP_ERROR_CHECKSUM,        /* checksum failed, only used within protocol */
-  APP_ERROR_BUSY,            /* the app is already working on a commnad */
-  APP_ERROR_TIMEOUT,         /* the app took too long to respond */
+  APP_ERROR_BOGUS_ARGS, /* caller being stupid */
+  APP_ERROR_INTERNAL,   /* application being stupid */
+  APP_ERROR_TOO_MUCH,   /* caller sent too much data */
+  APP_ERROR_IO,         /* problem sending or receiving data */
+  APP_ERROR_RPC,        /* problem during RPC communication */
+  APP_ERROR_CHECKSUM,   /* checksum failed, only used within protocol */
+  APP_ERROR_BUSY,       /* the app is already working on a commnad */
+  APP_ERROR_TIMEOUT,    /* the app took too long to respond */
   /* more? */
 
+  /*
+   * Applications can define their own app-specific error codes.  For example,
+   * app_foobar.h can do:
+   *
+   *	#define APP_ERROR_FOOBAR_BAZ (APP_SPECIFIC_ERROR + 0)
+   *
+   * Do not use (APP_SPECIFIC_ERROR + N) directly in your code, because the
+   * error definition, firmware which generates it, and host code which
+   * interprets it are all in different repos.  You'll never be able to keep
+   * the constants straight without using a #define or enum in your app's
+   * header file that everyone can share.
+   */
   APP_SPECIFIC_ERROR = 0x20, /* "should be enough for anybody" */
-  /* App-specific error codes can use APP_SPECIFIC_ERROR+0, +1, +2, ... */
 
   /* For debugging, returning a line number might be helpful */
   APP_LINE_NUMBER_BASE = 0x70000000,
diff --git a/nugget/include/citadel_events.h b/nugget/include/citadel_events.h
index 154e638..02653b0 100644
--- a/nugget/include/citadel_events.h
+++ b/nugget/include/citadel_events.h
@@ -63,6 +63,7 @@ enum event_id {
   EVENT_ALERT = 1,     // Globalsec alert fired.
   EVENT_REBOOTED = 2,  // Device rebooted.
   EVENT_UPGRADED = 3,  // Device has upgraded.
+  EVENT_ALERT_V2 = 4,  // Globalsec Alertv2 fired
 };
 
 /* Please do not change the size of this struct */
@@ -83,6 +84,13 @@ struct event_record {
       uint32_t which0;
       uint32_t which1;
     } rebooted;
+    struct {
+      uint32_t alert_grp[4];
+      uint16_t camo_breaches[2];
+      uint16_t temp_min;
+      uint16_t temp_max;
+      uint32_t bus_err;
+    } alert_v2;
 
     /* uninterpreted */
     union {
diff --git a/nugget/include/flash_layout.h b/nugget/include/flash_layout.h
index 7d65705..13c00ef 100644
--- a/nugget/include/flash_layout.h
+++ b/nugget/include/flash_layout.h
@@ -17,81 +17,22 @@
  * from the RW images.
  */
 
-/* Flash is directly addressable */
-#if defined(CHIP_H1D1)
-#define CHIP_FLASH_BASE              0x80000
-#define CHIP_FLASH_SIZE              (1024 * 1024)
-#else
-#define CHIP_FLASH_BASE              0x40000
-#define CHIP_FLASH_SIZE              (512 * 1024)
-#endif
-#define CHIP_FLASH_HALF              (CHIP_FLASH_SIZE >> 1)
-
-/* Each half has to leave room for the image's signed header */
-#define CHIP_SIG_HEADER_SIZE	     1024
-
-/* This isn't optional, since the bootrom will always look for both */
-#define CHIP_HAS_RO_B
-
-/* The RO images start at the very beginning of each flash half */
-#define CHIP_RO_A_MEM_OFF 0
-#define CHIP_RO_B_MEM_OFF CHIP_FLASH_HALF
-
-/* Size reserved for each RO image */
-#define CHIP_RO_SIZE 0x4000
-
-/*
- * RW images start right after the reserved-for-RO areas in each half, but only
- * because that's where the RO images look for them. It's not a HW constraint.
- */
-#define CHIP_RW_A_MEM_OFF CHIP_RO_SIZE
-#define CHIP_RW_B_MEM_OFF (CHIP_FLASH_HALF + CHIP_RW_A_MEM_OFF)
-
-/*
- * Any reserved flash storage is placed after the RW image. It makes A/B
- * updates MUCH simpler if both RW images are the same size, so we reserve the
- * same amount in each half.
- */
-#define CHIP_RW_SIZE							\
-	(CHIP_FLASH_HALF - CHIP_RW_A_MEM_OFF - CONFIG_FLASH_TOP_SIZE)
-
-/* Reserved flash offset starts here. */
-#define CHIP_FLASH_TOP_A_OFF (CHIP_FLASH_HALF - CONFIG_FLASH_TOP_SIZE)
-#define CHIP_FLASH_TOP_B_OFF (CHIP_FLASH_SIZE - CONFIG_FLASH_TOP_SIZE)
-
-
-/* Internal flash specifics */
-#define CHIP_FLASH_BANK_SIZE         0x800	/* protect bank size */
-#define CHIP_FLASH_ERASE_SIZE        0x800	/* erase bank size */
-
-/* This flash can only be written as 4-byte words (aligned properly, too). */
-#define CHIP_FLASH_ERASED_VALUE32    0xffffffff
-#define CHIP_FLASH_WRITE_SIZE        4	/* min write size (bytes) */
-
-/* But we have a 32-word buffer for writing multiple adjacent cells */
-#define CHIP_FLASH_WRITE_IDEAL_SIZE  128	/* best write size (bytes) */
-
-/* The flash controller prevents bulk writes that cross row boundaries */
-#define CHIP_FLASH_ROW_SIZE          256	/* row size */
-
-/* Manufacturing related data. */
-/* Certs in the RO region are written as 4-kB + 3-kB blocks to the A &
- * B banks respectively.
- */
-#define RO_CERTS_A_OFF                     (CHIP_RO_A_MEM_OFF + 0x2800)
-#define RO_CERTS_B_OFF                     (CHIP_RO_B_MEM_OFF + 0x2800)
-#define RO_CERTS_A_SIZE                     0x01000
-#define RO_CERTS_B_SIZE                     0x00c00
-/*
- * Flash erases must be multiples of CHIP_FLASH_ERASE_SIZE, so in
- * order to rewrite CERTS_B, we need wipe RO_CERTS_ERASE_SIZE rather
- * than CERTS_B_SIZE.
- */
-#define RO_CERTS_ERASE_SIZE                 0x01000
-/* We have an unused 3-kB region in the B bank, for future proofing. */
-#define RO_CERTS_PAD_B_SIZE                 0x00c00
-/* Factory provision data is written as a 2-kB block to the A bank. */
-#define RO_PROVISION_DATA_A_OFF             0x3800
-#define RO_PROVISION_DATA_A_SIZE            0x0800
+#define CITADEL_FLASH_BASE     0x40000
+#define CITADEL_FLASH_SIZE     (512 * 1024)
+#define CITADEL_FLASH_HALF     (CITADEL_FLASH_SIZE >> 1)
+#define CITADEL_RO_SIZE        0x4000
+#define CITADEL_RO_A_MEM_OFF   0
+#define CITADEL_RO_B_MEM_OFF   CITADEL_FLASH_HALF
+#define CITADEL_RW_A_MEM_OFF   CITADEL_RO_SIZE
+#define CITADEL_RW_B_MEM_OFF   (CITADEL_FLASH_HALF + CITADEL_RW_A_MEM_OFF)
+
+#define DAUNTLESS_FLASH_BASE   0x80000
+#define DAUNTLESS_FLASH_SIZE   (1024 * 1024)
+#define DAUNTLESS_FLASH_HALF   (DAUNTLESS_FLASH_SIZE >> 1)
+#define DAUNTLESS_RO_SIZE      0x4000
+#define DAUNTLESS_RO_A_MEM_OFF 0
+#define DAUNTLESS_RO_B_MEM_OFF DAUNTLESS_FLASH_HALF
+#define DAUNTLESS_RW_A_MEM_OFF DAUNTLESS_RO_SIZE
+#define DAUNTLESS_RW_B_MEM_OFF (DAUNTLESS_FLASH_HALF + DAUNTLESS_RW_A_MEM_OFF)
 
 #endif	/* __CROS_EC_FLASH_LAYOUT_H */
diff --git a/nugget/include/signed_header.h b/nugget/include/signed_header.h
index b5bf879..abeb1e0 100644
--- a/nugget/include/signed_header.h
+++ b/nugget/include/signed_header.h
@@ -27,7 +27,7 @@
 #define FUSE_IGNORE_C 0x3aabadac  // baked in rom!
 #define INFO_IGNORE_C 0xa5c35a3c  // baked in rom!
 
-// D2 chips
+// Dauntless chips
 #define FUSE_IGNORE_D 0xdaa3baca  // baked in rom!
 #define INFO_IGNORE_D 0x5a3ca5c3  // baked in rom!
 
@@ -44,7 +44,7 @@
 
 #define SIGNED_HEADER_MAGIC_HAVEN (-1u)
 #define SIGNED_HEADER_MAGIC_CITADEL (-2u)
-#define SIGNED_HEADER_MAGIC_D2 (-3u)
+#define SIGNED_HEADER_MAGIC_DAUNTLESS (-3u)
 
 /* Default value for _pad[] words */
 #define SIGNED_HEADER_PADDING 0x33333333
@@ -100,7 +100,7 @@ typedef struct SignedHeader {
     switch (magic) {
       case SIGNED_HEADER_MAGIC_HAVEN:
       case SIGNED_HEADER_MAGIC_CITADEL:
-      case SIGNED_HEADER_MAGIC_D2:
+      case SIGNED_HEADER_MAGIC_DAUNTLESS:
         break;
       default:
         return false;
@@ -121,8 +121,8 @@ typedef struct SignedHeader {
       case SIGNED_HEADER_MAGIC_CITADEL:
         printf("Citadel");
         break;
-      case SIGNED_HEADER_MAGIC_D2:
-        printf("D2");
+      case SIGNED_HEADER_MAGIC_DAUNTLESS:
+        printf("Dauntless");
         break;
       default:
         printf("?");
@@ -142,6 +142,7 @@ typedef struct SignedHeader {
     printf("hdr.minor          : %08x\n", minor_);
     printf("hdr.timestamp      : %016" PRIx64 ", %s", timestamp_,
            asctime(localtime(reinterpret_cast<const time_t*>(&timestamp_))));
+    printf("hdr.img_size       : %08x\n", image_size);
     printf("hdr.img_chk        : %08x\n", be32toh(img_chk_));
     printf("hdr.fuses_chk      : %08x\n", be32toh(fuses_chk_));
     printf("hdr.info_chk       : %08x\n", be32toh(info_chk_));
@@ -150,8 +151,10 @@ typedef struct SignedHeader {
     printf("hdr.err_response   : %08x\n", err_response_);
     printf("hdr.expect_response: %08x\n", expect_response_);
 
-    if (dev_id0_) printf("hdr.dev_id0        : %08x (%d)\n", dev_id0_, dev_id0_);
-    if (dev_id1_) printf("hdr.dev_id1        : %08x (%d)\n", dev_id1_, dev_id1_);
+    if (dev_id0_)
+      printf("hdr.dev_id0        : %08x (%d)\n", dev_id0_, dev_id0_);
+    if (dev_id1_)
+      printf("hdr.dev_id1        : %08x (%d)\n", dev_id1_, dev_id1_);
 
     printf("hdr.fusemap        : ");
     for (size_t i = 0; i < sizeof(fusemap) / sizeof(fusemap[0]); ++i) {
@@ -196,25 +199,12 @@ typedef struct SignedHeader {
   uint32_t expect_response_;  // action to take when expectation is violated
 
   union {
-    // 2nd FIPS signature (gnubby RW)
+    // 2nd FIPS signature (cr51/cr52 RW)
     struct {
       uint32_t keyid;
       uint32_t r[8];
       uint32_t s[8];
     } ext_sig;
-
-    // FLASH trim override (D2 RO)
-    // iff config1_ & 65536
-    struct {
-      uint32_t FSH_SMW_SETTING_OPTION3;
-      uint32_t FSH_SMW_SETTING_OPTION2;
-      uint32_t FSH_SMW_SETTING_OPTIONA;
-      uint32_t FSH_SMW_SETTING_OPTIONB;
-      uint32_t FSH_SMW_SMP_WHV_OPTION1;
-      uint32_t FSH_SMW_SMP_WHV_OPTION0;
-      uint32_t FSH_SMW_SME_WHV_OPTION1;
-      uint32_t FSH_SMW_SME_WHV_OPTION0;
-    } fsh;
   } u;
 
   // Spare space
@@ -249,6 +239,9 @@ static_assert(sizeof(SignedHeader) == 1024,
 static_assert(offsetof(SignedHeader, info_chk_) == 1020,
               "SignedHeader should be 1024 bytes");
 #endif  // GOOGLE3
+#else
+_Static_assert(sizeof(SignedHeader) == 1024,
+              "SignedHeader should be 1024 bytes");
 #endif  // __cplusplus
 
 #endif  // __EC_UTIL_SIGNER_COMMON_SIGNED_HEADER_H