New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 888104 link

Starred by 1 user
Status: Available
Owner: ----
Cc:
norvez@chromium.org
drinkcat@chromium.org
rspangler@chromium.org
adurbin@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug



Sign in to add a comment

ec: chip/stm32/flash-stm32h7.c: Verify/clarify if using RSS1 as WP bit is safe and correct

Project Member Reported by drinkcat@chromium.org, Sep 21 
On STM32H7, if CONFIG_FLASH_READOUT_PROTECTION is not set, we use a bit in option flags (RSS1) as 'Write Protect enabled' flag.

The intent was documented in this CL (https://chromium-review.googlesource.com/901423):
"""
    For the flash write-protection, we cannot use our 'classical' PSTATE
    scheme as the erase-blocks are too large (128-kB) to dedicate one to
    this and the embedded word in the RO partition would not work as the
    flash has ECC and triggers bus-fault when the ECC is incorrect (which
    includes the case where the 256-bit word is written a second time).
    So we will do the following:
    - use the RSS1 bit in the option bytes as the Write-Protect enabled bit.
    - if the WP GPIO is set, lock at startup the option bytes until next
      reboot.
"""

But we are not 100% certain that this works as intended.

Also, there is a slight issue that RSS1 is marked as reserved in more recent STM32H7 datasheet (some of this was talked about in https://b.corp.google.com/issues/114262223#comment2, and subsequent email thread).

We do not plan to ship any STM32H7 without CONFIG_FLASH_READOUT_PROTECTION, at least for now, so this is low priority, unless somebody decides to copy-paste the code, or use STM32H7 without CONFIG_FLASH_READOUT_PROTECTION.

Sign in to add a comment