0.23.81: Merge cros/firmware-ti50-prepvt-15086.B-gsc_utils^2 into firmware-ti50-mp-15224.B-gsc_utils

Generated by: update_branch.py --from_branch firmware-ti50-prepvt-15086.B-gsc_utils^2 --remote_prefix cros --version 0.23.81 --bug 333110964 firmware- ti50-mp-15224.B-gsc_utils Relevant changes: git log --oneline bec9eeb4a1..d8ed72020c d8ed72020c gsctool: Add command to get aprov_gsc_reset_counts c060a44d08 gsctool: Run cros format on gsctool.c 6b8caee7ff gsctool: Add metric prints for WP, IsProd, AllowUnverifedRO d431e2d47c rust: update zerocopy to 0.7 00a3533790 ti50: Update release notes for 0.2[34].71 e07f18bbd4 ti50: Update release notes for 0.23.70 d9db6f8d45 docs: update Ti50 firmware release notes BUG=b:320715931 b:254309086 b:333110964 b:318879846 b:325137320 Change-Id: I88cc385c07c54336d27082f34c13407fc05c6b96 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/5435645 Reviewed-by: Mary Ruthven <mruthven@chromium.org> Commit-Queue: Alyssa Haroldsen <kupiakos@google.com> Tested-by: Alyssa Haroldsen <kupiakos@google.com>
2024-04-08 10:47:53 -07:00 · 2024-04-08 10:47:53 -07:00 · 3a8e7c1e59
parent bec9eeb4a1 d8ed72020c
commit 3a8e7c1e59
5 changed files with 351 additions and 83 deletions
--- a/docs/ti50_firmware_releases.md
+++ b/docs/ti50_firmware_releases.md
@ -8,8 +8,9 @@ This document captures major feature differences between Ti50 firmware releases

 ChromeOS Version    | PrePVT version | Prod Version
 ------------------- | -------------- | ------------
-[ToT][ToT ebuild]   | 0.24.62        | 0.23.62
-M121                | 0.24.62        | 0.23.62
+[ToT][ToT ebuild]   | 0.24.71        | 0.23.71
+M122                | 0.24.71        | 0.23.71
+[M121][121 release] | 0.24.62        | 0.23.62
 [M120][120 release] | 0.24.60        | 0.23.60
 [M119][119 release] | 0.24.51        | 0.23.51
 [M118][118 release] | 0.24.30        | 0.23.30
@ -560,6 +561,89 @@ Build:   ti50_common_mp-15224.B:v0.0.732-7f94b899
         @chromeos-ci-firmware-us-central2-d-x32-0-e2uq 2023-11-30 07:33:10
 ```

+### 0.23.70 Released on 1/17/2024 in M122
+
+Release
+[CL](https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/5207755)
+
+Builder
+[52](https://ci.chromium.org/ui/p/chromeos/builders/firmware/firmware-ti50-mp-15224.B-branch/52/overview)
+
+Artifacts:
+[15224.49.0](https://pantheon.corp.google.com/storage/browser/chromeos-releases/canary-channel/betty/15224.49.0)
+
+**Features**
+
+*   rsu: Increase key generation limit from 10 to 100.
+    [b/301156378](https://b.corp.google.com/issues/301156378)
+*   ap-ro: Add exception for Frostflow RLZ codes.
+    [b/309473916](https://b.corp.google.com/issues/309473916)
+*   tpm2: Allow platform read for virtual nvmem.
+
+**Bug Fixes**
+
+*   usb_spi: handle setup packet errors properly.
+    [b/302691530](https://b.corp.google.com/issues/302691530)
+*   usb_client: prevent lockups when users don't consume RX data.
+    [b/302691530](https://b.corp.google.com/issues/302691530)
+*   wp: do not set at_boot setting for WP TPMV Cmd disable.
+    [b/257255419](https://b.corp.google.com/issues/257255419)
+*   tpm2: Fix the wrong signature of widevine cert.
+    [b/248610274](https://b.corp.google.com/issues/248610274)
+*   cryptolib: adjust CIK & CEK key gen and certs to match actuals.
+    [b/308473146](https://b.corp.google.com/issues/308473146)
+*   flog: Recover from corrupted entries.
+    [b/302383688](https://b.corp.google.com/issues/302383688)
+*   fwmp: Reload WP setting when TPM is wiped.
+    [b/312396594](https://b.corp.google.com/issues/312396594)
+*   ap_ro_verification: Always re-check verification if cached failed.
+    [b/315341905](https://b.corp.google.com/issues/315341905)
+*   rbox: Do not reset GSC on power button push during ccd open.
+    [b/314185172](https://b.corp.google.com/issues/314185172)
+*   capsules/i2c_programmer.rs: Respect I2C CCD capability.
+    [b/317087536](https://b.corp.google.com/issues/317087536)
+*   sys_mgr.rs: Advertise SPI/I2C in board properties.
+    [b/307539350](https://b.corp.google.com/issues/307539350)
+*   tpm: Save PCR values to NV.
+    [b/316884342](https://b.corp.google.com/issues/316884342)
+*   tpm_vendor: some commands are disallowed over USB in non DBG mode.
+    [b/318518004](https://b.corp.google.com/issues/318518004)
+
+```
+Build:   ti50_common_mp-15224.B:v0.0.876-5b460716
+         libtock-rs:v0.0.929-0b84d08
+         tock:v0.0.9663-71efb979a
+         ms-tpm-20-ref:v0.0.331-6f7f352
+         @chromeos-ci-firmware-us-east1-d-x32-0-z9ng 2024-01-12 12:55:08
+```
+
+### 0.23.71 Released on 1/19/2024 in M122
+
+Release
+[CL](https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/5217758)
+
+Builder
+[53](https://ci.chromium.org/ui/p/chromeos/builders/firmware/firmware-ti50-mp-15224.B-branch/53/overview)
+
+Artifacts:
+[15224.50.0](https://pantheon.corp.google.com/storage/browser/chromeos-releases/canary-channel/betty/15224.50.0)
+
+**Features**
+
+*   Change default write protect setting to force enabled (does not follow
+    chassis open gpio by default)
+    [b/257255419](https://b.corp.google.com/issues/257255419)
+*   Enforce system reset upon AP RO verification failure.
+    [b/259098185](https://b.corp.google.com/issues/259098185)
+
+```
+Build:   ti50_common_mp-15224.B:v0.0.879-637bdde3
+         libtock-rs:v0.0.929-0b84d08
+         tock:v0.0.9663-71efb979a
+         ms-tpm-20-ref:v0.0.331-6f7f352
+         @chromeos-ci-firmware-us-central1-b-x32-0-e7r7 2024-01-17 14:47:03
+```
+
 ## PrePVT images

 ### 0.22.0 Released 06/21/22
@ -1323,6 +1407,87 @@ Build:   ti50_common_prepvt-15086.B:v0.0.787-ab6858a7
         @chromeos-ci-firmware-us-east1-d-x32-0-o01k 2023-11-30 07:32:57
 ```

+### 0.24.70 Released on 1/11/2024 in M122
+
+Release
+[CL](https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/5187955)
+
+Builder
+[77](https://ci.chromium.org/ui/p/chromeos/builders/firmware/firmware-ti50-prepvt-15086.B-branch/77/overview)
+
+Artifacts:
+[15086.72.0](https://pantheon.corp.google.com/storage/browser/chromeos-releases/canary-channel/betty/15086.72.0)
+
+**Features**
+
+*   rsu: Increase key generation limit from 10 to 100.
+    [b/301156378](https://b.corp.google.com/issues/301156378)
+*   ap-ro: Add exception for Frostflow RLZ codes.
+    [b/309473916](https://b.corp.google.com/issues/309473916)
+*   tpm2: Allow platform read for virtual nvmem.
+
+**Bug Fixes**
+
+*   usb_spi: handle setup packet errors properly.
+    [b/302691530](https://b.corp.google.com/issues/302691530)
+*   usb_client: prevent lockups when users don't consume RX data.
+    [b/302691530](https://b.corp.google.com/issues/302691530)
+*   wp: do not set at_boot setting for WP TPMV Cmd disable.
+    [b/257255419](https://b.corp.google.com/issues/257255419)
+*   tpm2: Fix the wrong signature of widevine cert.
+    [b/248610274](https://b.corp.google.com/issues/248610274)
+*   cryptolib: adjust CIK & CEK key gen and certs to match actuals.
+    [b/308473146](https://b.corp.google.com/issues/308473146)
+*   flog: Recover from corrupted entries.
+    [b/302383688](https://b.corp.google.com/issues/302383688)
+*   fwmp: Reload WP setting when TPM is wiped.
+    [b/312396594](https://b.corp.google.com/issues/312396594)
+*   ap_ro_verification: Always re-check verification if cached failed.
+    [b/315341905](https://b.corp.google.com/issues/315341905)
+*   rbox: Do not reset GSC on power button push during ccd open.
+    [b/314185172](https://b.corp.google.com/issues/314185172)
+*   capsules/i2c_programmer.rs: Respect I2C CCD capability.
+    [b/317087536](https://b.corp.google.com/issues/317087536)
+*   sys_mgr.rs: Advertise SPI/I2C in board properties.
+    [b/307539350](https://b.corp.google.com/issues/307539350)
+*   tpm: Save PCR values to NV.
+    [b/316884342](https://b.corp.google.com/issues/316884342)
+*   tpm_vendor: some commands are disallowed over USB in non DBG mode.
+    [b/318518004](https://b.corp.google.com/issues/318518004)
+
+```
+Build:   ti50_common_prepvt-15086.B:v0.0.931-91dec51b
+         libtock-rs:v0.0.929-ecde39c
+         tock:v0.0.9662-478a746e5
+         ms-tpm-20-ref:v0.0.329-138a187
+         @chromeos-ci-firmware-us-central1-b-x32-0-j5k1 2024-01-05 19:41:43
+```
+
+### 0.24.71 Released on 1/19/2024 in M122
+
+Release
+[CL](https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/5217757)
+
+Builder
+[79](https://ci.chromium.org/ui/p/chromeos/builders/firmware/firmware-ti50-prepvt-15086.B-branch/79/overview)
+
+Artifacts:
+[15086.74.0](https://pantheon.corp.google.com/storage/browser/chromeos-releases/canary-channel/betty/15086.74.0)
+
+**Features**
+
+*   Change default write protect setting to force enabled (does not follow
+    chassis open gpio by default)
+    [b/257255419](https://b.corp.google.com/issues/257255419)
+
+```
+Build:   ti50_common_prepvt-15086.B:v0.0.934-720e4c92
+         libtock-rs:v0.0.929-ecde39c
+         tock:v0.0.9662-478a746e5
+         ms-tpm-20-ref:v0.0.329-138a187
+         @chromeos-ci-firmware-us-central1-b-x32-0-e7r7 2024-01-17 13:26:11
+```
+
 <!-- Links -->

 [105 release]: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/release-R105-14989.B/chromeos-base/chromeos-ti50/chromeos-ti50-0.0.1.ebuild
@ -1341,4 +1506,5 @@ Build:   ti50_common_prepvt-15086.B:v0.0.787-ab6858a7
 [118 release]: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/release-R118-15604.B/chromeos-base/chromeos-ti50/chromeos-ti50-0.0.1.ebuild
 [119 release]: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/release-R119-15633.B/chromeos-base/chromeos-ti50/chromeos-ti50-0.0.1.ebuild
 [120 release]: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/release-R120-15662.B/chromeos-base/chromeos-ti50/chromeos-ti50-0.0.1.ebuild
+[121 release]: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/release-R121-15699.B/chromeos-base/chromeos-ti50/chromeos-ti50-0.0.1.ebuild
 [ToT ebuild]: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/main/chromeos-base/chromeos-ti50/chromeos-ti50-0.0.1.ebuild
--- a/extra/usb_updater/gsctool.c
+++ b/extra/usb_updater/gsctool.c
@ -15,6 +15,7 @@
 #include <openssl/sha.h>
 #include <stdarg.h>
 #include <stdbool.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@ -542,8 +543,7 @@ static const struct option_container cmd_line_options[] = {
 	{ { "verbose", no_argument, NULL, 'V' }, "Enable debug messages" },
 	{ { "version", no_argument, NULL, 'v' },
 	  "Report this utility version" },
-	{ { "metrics", no_argument, NULL, 'W' },
-	  "Get GSC metrics"},
+	{ { "metrics", no_argument, NULL, 'W' }, "Get GSC metrics" },
 	{ { "wp", optional_argument, NULL, 'w' },
 	  "[enable|disable|follow]%Get or set the write protect setting" },
 	{ { "clog", no_argument, NULL, 'x' },
@ -3038,6 +3038,65 @@ static enum exit_values process_get_dev_ids(struct transfer_descriptor *td,
 	return noop;
 }

+static enum exit_values process_get_aprov_reset_counts(
+	struct transfer_descriptor *td)
+{
+	/*
+	 * We shouldn't need a version for this command since the entire
+	 * command should be removed after feature launch. However, if we
+	 * did need a version, the upper 7 bits of allow_unverified_ro are
+	 * unused.
+	 */
+	struct aprov_reset_counts {
+		uint8_t allow_unverified_ro;
+		uint8_t settings_change;
+		uint8_t external_wp;
+		uint8_t internal_wp;
+	} response;
+	size_t response_size;
+	int rv;
+	int32_t allow_unverified_sign = 1;
+
+	response_size = sizeof(response);
+
+	rv = send_vendor_command(td, VENDOR_CC_GET_AP_RO_RESET_COUNTS, NULL, 0,
+				 &response, &response_size);
+
+	if (rv != VENDOR_RC_SUCCESS) {
+		fprintf(stderr, "Error %d getting reset counts\n", rv);
+		return update_error;
+	}
+	if (response_size != sizeof(response)) {
+		fprintf(stderr,
+			"Unexpected response size %zd while getting "
+			"reset counts\n",
+			response_size);
+		return update_error;
+	}
+
+	/* Change all of the values to negative if unverified RO is allowed. */
+	if (response.allow_unverified_ro != 0)
+		allow_unverified_sign = -1;
+
+	const uint32_t combined = response.settings_change +
+				  (response.external_wp << 8) +
+				  (response.internal_wp << 16);
+
+	/*
+	 * The `cr50-metrics.conf` file depends on these string names. Do
+	 * not change without updated that file.
+	 */
+	print_machine_output("COMBINED", "0x%08x",
+			     allow_unverified_sign * combined);
+	print_machine_output("SETTINGS_CHANGE", "0x%08x",
+			     allow_unverified_sign * response.settings_change);
+	print_machine_output("EXTERNAL_WP", "0x%08x",
+			     allow_unverified_sign * response.external_wp);
+	print_machine_output("INTERNAL_WP", "0x%08x",
+			     allow_unverified_sign * response.internal_wp);
+	return noop;
+}
+
 static int process_get_apro_hash(struct transfer_descriptor *td)
 {
 	size_t response_size;
@ -4317,77 +4376,97 @@ static int process_get_time(struct transfer_descriptor *td)
 	return 0;
 }

-static int print_ti50_stats(struct ti50_stats_v0 *stats, size_t size)
+static int print_ti50_stats(struct ti50_stats_v0 *stats_v0, size_t size)
 {
-	stats->fs_init_time = be32toh(stats->fs_init_time);
-	stats->fs_usage = be32toh(stats->fs_usage);
-	stats->aprov_time = be32toh(stats->aprov_time);
-	stats->expanded_aprov_status = be32toh(stats->expanded_aprov_status);
+	stats_v0->fs_init_time = be32toh(stats_v0->fs_init_time);
+	stats_v0->fs_usage = be32toh(stats_v0->fs_usage);
+	stats_v0->aprov_time = be32toh(stats_v0->aprov_time);
+	stats_v0->expanded_aprov_status =
+		be32toh(stats_v0->expanded_aprov_status);

-	printf("fs_init_time:          %d\n", stats->fs_init_time);
-	printf("fs_usage:              %d\n", stats->fs_usage);
-	printf("aprov_time:            %d\n", stats->aprov_time);
-	printf("expanded_aprov_status: %X\n", stats->expanded_aprov_status);
+	printf("fs_init_time:          %d\n", stats_v0->fs_init_time);
+	printf("fs_usage:              %d\n", stats_v0->fs_usage);
+	printf("aprov_time:            %d\n", stats_v0->aprov_time);
+	printf("expanded_aprov_status: %X\n", stats_v0->expanded_aprov_status);

 	if (size >= sizeof(struct ti50_stats_v1)) {
-		struct ti50_stats_v1 *stats_v1 = (struct ti50_stats_v1 *) stats;
+		struct ti50_stats_v1 *stats_v1 =
+			(struct ti50_stats_v1 *)stats_v0;

 		stats_v1->misc_status = be32toh(stats_v1->misc_status);
 		uint32_t bits_used = stats_v1->misc_status >>
-			METRICSV_BITS_USED_SHIFT;
+				     METRICSV_BITS_USED_SHIFT;
 		if (bits_used >= 4) {
 			printf("rdd_keepalive:         %d\n",
-				stats_v1->misc_status &
-				METRICSV_RDD_KEEP_ALIVE_MASK);
+			       stats_v1->misc_status &
+				       METRICSV_RDD_KEEP_ALIVE_MASK);
 			printf("rdd_keepalive_at_boot: %d\n",
-				(stats_v1->misc_status &
-				METRICSV_RDD_KEEP_ALIVE_AT_BOOT_MASK)
-				>> METRICSV_RDD_KEEP_ALIVE_AT_BOOT_SHIFT);
+			       (stats_v1->misc_status &
+				METRICSV_RDD_KEEP_ALIVE_AT_BOOT_MASK) >>
+				       METRICSV_RDD_KEEP_ALIVE_AT_BOOT_SHIFT);
 			printf("ccd_mode:              %d\n",
-				(stats_v1->misc_status & METRICSV_CCD_MODE_MASK)
-				>> METRICSV_CCD_MODE_SHIFT);
+			       (stats_v1->misc_status &
+				METRICSV_CCD_MODE_MASK) >>
+				       METRICSV_CCD_MODE_SHIFT);
 		}
 	}
-	if (size >= sizeof(struct ti50_stats_v2)) {
-		struct ti50_stats_v2 *stats_v2 = (struct ti50_stats_v2 *) stats;
+	if (size >= sizeof(struct ti50_stats)) {
+		struct ti50_stats *stats = (struct ti50_stats *)stats_v0;

 		/* Version was added with v2 and therefore must be >= 2. */
-		if (stats_v2->version < 2) {
-			printf("Invalid stats version %d.", stats_v2->version);
+		if (stats->version < 2) {
+			printf("Invalid stats version %d.", stats->version);
 			return 1;
 		}

-		stats_v2->filesystem_busy_count =
-		    be32toh(stats_v2->filesystem_busy_count);
-		stats_v2->crypto_busy_count =
-		    be32toh(stats_v2->crypto_busy_count);
-		stats_v2->dispatcher_busy_count =
-		    be32toh(stats_v2->dispatcher_busy_count);
-		stats_v2->timeslices_expired =
-		    be32toh(stats_v2->timeslices_expired);
-		stats_v2->crypto_init_time =
-		    be32toh(stats_v2->crypto_init_time);
+		stats->filesystem_busy_count =
+			be32toh(stats->filesystem_busy_count);
+		stats->crypto_busy_count = be32toh(stats->crypto_busy_count);
+		stats->dispatcher_busy_count =
+			be32toh(stats->dispatcher_busy_count);
+		stats->timeslices_expired = be32toh(stats->timeslices_expired);
+		stats->crypto_init_time = be32toh(stats->crypto_init_time);

 		printf("filesystem_busy_count: %d\n",
-			stats_v2->filesystem_busy_count);
-		printf("crypto_busy_count:     %d\n",
-			stats_v2->crypto_busy_count);
+		       stats->filesystem_busy_count);
+		printf("crypto_busy_count:     %d\n", stats->crypto_busy_count);
 		printf("dispatcher_busy_count: %d\n",
-			stats_v2->dispatcher_busy_count);
+		       stats->dispatcher_busy_count);
 		printf("timeslices_expired:    %d\n",
-			stats_v2->timeslices_expired);
-		printf("crypto_init_time:      %d\n",
-			stats_v2->crypto_init_time);
+		       stats->timeslices_expired);
+		printf("crypto_init_time:      %d\n", stats->crypto_init_time);
+
+		/* Display version 3 metrics */
+		if (stats->version >= 3) {
+			/*
+			 * Note that
+			 * `stats->v1.misc_status >> METRICSV_BITS_USED_SHIFT`
+			 * value should also be >= 7, but version 3 >= should be
+			 * enough to know that these fields are present.
+			 */
+			printf("wp_asserted:           %d\n",
+			       (stats->v1.misc_status &
+				METRICSV_WP_ASSERTED_MASK) >>
+				       METRICSV_WP_ASSERTED_SHIFT);
+			printf("allow_unverified_ro:   %d\n",
+			       (stats->v1.misc_status &
+				METRICSV_ALLOW_UNVERIFIED_RO_MASK) >>
+				       METRICSV_ALLOW_UNVERIFIED_RO_SHIFT);
+			printf("is_prod:               %d\n",
+			       (stats->v1.misc_status &
+				METRICSV_IS_PROD_MASK) >>
+				       METRICSV_IS_PROD_SHIFT);
+		}
 	}
 	return 0;
 }

 static int process_ti50_get_metrics(struct transfer_descriptor *td,
-		bool show_machine_output)
+				    bool show_machine_output)
 {
 	uint32_t rv;
 	/* Allocate extra space in case future versions add more data. */
-	struct ti50_stats_v2 response[4];
+	struct ti50_stats response[4];
 	size_t response_size = sizeof(response);

 	rv = send_vendor_command(td, VENDOR_CC_GET_TI50_STATS, NULL, 0,
@ -4408,14 +4487,14 @@ static int process_ti50_get_metrics(struct transfer_descriptor *td,
 		for (size_t i = 0; i < response_size; i++)
 			printf("%02X", raw_response[i]);
 	} else {
-		return print_ti50_stats((struct ti50_stats_v0 *) response,
+		return print_ti50_stats((struct ti50_stats_v0 *)response,
 					response_size);
 	}
 	return 0;
 }

 static int process_cr50_get_metrics(struct transfer_descriptor *td,
-		bool show_machine_output)
+				    bool show_machine_output)
 {
 	/* Allocate extra space in case future versions add more data. */
 	struct cr50_stats_response response[4] = {};
@ -4423,8 +4502,8 @@ static int process_cr50_get_metrics(struct transfer_descriptor *td,
 	struct cr50_stats_response stats;
 	uint32_t rv;

-	rv = send_vendor_command(td, VENDOR_CC_GET_CR50_METRICS, NULL,
-				 0, (uint8_t *) &response, &response_size);
+	rv = send_vendor_command(td, VENDOR_CC_GET_CR50_METRICS, NULL, 0,
+				 (uint8_t *)&response, &response_size);
 	if (rv != VENDOR_RC_SUCCESS) {
 		printf("Get stats failed. (%X)\n", rv);
 		return 1;
@ -4441,43 +4520,33 @@ static int process_cr50_get_metrics(struct transfer_descriptor *td,
 	stats.version = be32toh(stats.version);
 	stats.reset_src = be32toh(stats.reset_src);
 	stats.brdprop = be32toh(stats.brdprop);
-	stats.reset_time_s =
-		be64toh(stats.reset_time_s);
-	stats.cold_reset_time_s =
-		be32toh(stats.cold_reset_time_s);
+	stats.reset_time_s = be64toh(stats.reset_time_s);
+	stats.cold_reset_time_s = be32toh(stats.cold_reset_time_s);
 	stats.misc_status = be32toh(stats.misc_status);

 	if (stats.version > CR50_METRICSV_STATS_VERSION) {
 		fprintf(stderr, "unsupported ver - %d. supports up to %d\n",
 			stats.version, CR50_METRICSV_STATS_VERSION);
 	}
-	printf("version:           %10u\n",
-			stats.version);
-	printf("reset_src:       0x%010x\n",
-			stats.reset_src);
-	printf("brdprop:         0x%010x\n",
-			stats.brdprop);
-	printf("cold_reset_time_s: %10u\n",
-			stats.cold_reset_time_s);
-	printf("reset_time_s:      %10u\n",
-			stats.reset_time_s);
-	printf("misc_status:     0x%010x\n",
-			stats.misc_status);
+	printf("version:           %10u\n", stats.version);
+	printf("reset_src:       0x%010x\n", stats.reset_src);
+	printf("brdprop:         0x%010x\n", stats.brdprop);
+	printf("cold_reset_time_s: %10u\n", stats.cold_reset_time_s);
+	printf("reset_time_s:      %10u\n", stats.reset_time_s);
+	printf("misc_status:     0x%010x\n", stats.misc_status);

 	printf("   rdd detected:      %7d\n",
-		(stats.misc_status >> CR50_METRICSV_RDD_IS_DETECTED_SHIFT) & 1);
+	       (stats.misc_status >> CR50_METRICSV_RDD_IS_DETECTED_SHIFT) & 1);
 	printf("   rddkeeplive en:    %7d\n",
-		(stats.misc_status >>
-		 CR50_METRICSV_RDD_KEEPALIVE_EN_SHIFT) & 1);
+	       (stats.misc_status >> CR50_METRICSV_RDD_KEEPALIVE_EN_SHIFT) & 1);
 	printf("   rddkeeplive en atboot: %3d\n",
-		(stats.misc_status >>
-		 CR50_METRICSV_RDD_KEEPALIVE_EN_ATBOOT_SHIFT) & 1);
+	       (stats.misc_status >>
+		CR50_METRICSV_RDD_KEEPALIVE_EN_ATBOOT_SHIFT) &
+		       1);
 	printf("   ccd_mode en:       %7d\n",
-		(stats.misc_status >>
-		 CR50_METRICSV_CCD_MODE_EN_SHIFT) & 1);
+	       (stats.misc_status >> CR50_METRICSV_CCD_MODE_EN_SHIFT) & 1);
 	printf("   ambigous straps:   %7d\n",
-		(stats.misc_status >>
-		 CR50_METRICSV_AMBIGUOUS_STRAP_SHIFT) & 1);
+	       (stats.misc_status >> CR50_METRICSV_AMBIGUOUS_STRAP_SHIFT) & 1);

 	return 0;
 }
@ -4492,8 +4561,9 @@ static int process_cr50_get_metrics(struct transfer_descriptor *td,
 #define MAX_TIME_MS	    (1 << TIME_SHIFT)
 static const char *const boot_tracer_stages[] = {
 	"Timespan", /* This one will not be displayed separately. */
-	"ProjectStart",	   "EcRstAsserted", "EcRstDeasserted", "TpmRstAsserted",
-	"TpmRstDeasserted", "FirstApComms",  "PcrExtension",    "TpmAppReady"
+	"ProjectStart",	  "EcRstAsserted",    "EcRstDeasserted",
+	"TpmRstAsserted", "TpmRstDeasserted", "FirstApComms",
+	"PcrExtension",	  "TpmAppReady"
 };

 static int process_get_boot_trace(struct transfer_descriptor *td, bool erase,
@ -4647,6 +4717,7 @@ int main(int argc, char *argv[])
 	bool get_metrics = false;
 	bool get_chassis_open = false;
 	bool get_dev_ids = false;
+	bool get_aprov_reset_counts = false;

 	/*
 	 * All options which result in setting a Boolean flag to True, along
@ -4821,13 +4892,27 @@ int main(int argc, char *argv[])
 			erase_boot_trace = true;
 			break;
 		case 'K':
-			/* We only support a single get_value option as of now*/
 			if (!strncasecmp(optarg, "chassis_open",
 					 strlen(optarg))) {
 				get_chassis_open = true;
 			} else if (!strncasecmp(optarg, "dev_ids",
 						strlen(optarg))) {
 				get_dev_ids = true;
+			} else if (!strncasecmp(optarg,
+						"aprov_gsc_reset_counts",
+						strlen(optarg))) {
+				/*
+				 * Note: This is a temporary command that allows
+				 * us to collect UMA metrics for how many times
+				 * the GSC would have been reset due to the AP
+				 * RO verification feature.
+				 *
+				 * Once the feature is rolled out, remove this
+				 * command line option. That is also why this
+				 * sub-command is not advertised in the help
+				 * menu.
+				 */
+				get_aprov_reset_counts = true;
 			} else {
 				fprintf(stderr,
 					"Invalid get_value argument: "
@ -4990,7 +5075,7 @@ int main(int argc, char *argv[])
 	    !password && !reboot_gsc && !rma && !set_capability &&
 	    !show_fw_ver && !sn_bits && !sn_inc_rma && !start_apro_verify &&
 	    !openbox_desc_file && !tstamp && !tpm_mode && (wp == WP_NONE) &&
-	    !get_chassis_open && !get_dev_ids) {
+	    !get_chassis_open && !get_dev_ids && !get_aprov_reset_counts) {
 		if (optind >= argc) {
 			fprintf(stderr,
 				"\nERROR: Missing required <binary image>\n\n");
@ -5130,6 +5215,9 @@ int main(int argc, char *argv[])
 	if (get_dev_ids)
 		exit(process_get_dev_ids(&td, show_machine_output));

+	if (get_aprov_reset_counts)
+		exit(process_get_aprov_reset_counts(&td));
+
 	if (corrupt_inactive_rw)
 		invalidate_inactive_rw(&td);

--- a/include/tpm_vendor_cmds.h
+++ b/include/tpm_vendor_cmds.h
@ -212,6 +212,12 @@ enum vendor_cmd_cc {
 	 */
 	VENDOR_CC_GET_CR50_METRICS = 73,

+	/*
+	 * Used for UMA collection for feature launch. After feature launch,
+	 * this can be removed as long as the value is reserved.
+	 */
+	VENDOR_CC_GET_AP_RO_RESET_COUNTS = 74,
+
 	LAST_VENDOR_COMMAND = 65535,
 };

@ -359,8 +365,9 @@ struct ti50_stats_v1 {
 /*
 * Keep in sync with
 * ti50/common/applications/sys_mgr/src/tpm_vendor/metrics.rs
+ * The latest time new fields were added as version 2.
 */
-struct ti50_stats_v2 {
+struct ti50_stats {
 	struct ti50_stats_v1 v1;
 	uint32_t version;
 	uint32_t filesystem_busy_count;
@ -377,6 +384,13 @@ struct ti50_stats_v2 {
 	(1 << METRICSV_RDD_KEEP_ALIVE_AT_BOOT_SHIFT)
 #define METRICSV_CCD_MODE_SHIFT 3
 #define METRICSV_CCD_MODE_MASK	(1 << METRICSV_CCD_MODE_SHIFT)
+#define METRICSV_WP_ASSERTED_SHIFT 4
+#define METRICSV_WP_ASSERTED_MASK (1 << METRICSV_WP_ASSERTED_SHIFT)
+#define METRICSV_ALLOW_UNVERIFIED_RO_SHIFT 5
+#define METRICSV_ALLOW_UNVERIFIED_RO_MASK \
+	(1 << METRICSV_ALLOW_UNVERIFIED_RO_SHIFT)
+#define METRICSV_IS_PROD_SHIFT 6
+#define METRICSV_IS_PROD_MASK (1 << METRICSV_IS_PROD_SHIFT)

 /* End Ti50 Specific Structs */
 /*****************************************************************************/
--- a/rust/ap_ro_errs/Cargo.toml
+++ b/rust/ap_ro_errs/Cargo.toml
@ -4,6 +4,6 @@ version = "0.1.0"
 edition = "2021"

 [dependencies]
-zerocopy = "0.6"
+zerocopy = { version = "0.7", features = ["derive"] }
 enum_utils = { path = "../enum_utils" }

--- a/rust/ap_ro_errs/src/lib.rs
+++ b/rust/ap_ro_errs/src/lib.rs
@ -5,7 +5,7 @@

 use core::fmt;
 use enum_utils::enum_as;
-use zerocopy::{transmute, AsBytes, FromBytes};
+use zerocopy::{transmute, AsBytes, FromBytes, FromZeroes};

 /// The result type used throughout AP RO verification.
 pub type Result<T> = core::result::Result<T, VerifyError>;
@ -424,7 +424,7 @@ pub enum StatusRegister {
 }

 #[repr(C, align(4))]
-#[derive(AsBytes, FromBytes, Clone, Copy)]
+#[derive(AsBytes, FromBytes, FromZeroes, Clone, Copy)]
 pub struct WriteProtectDescriptor {
    expected_value: ByteWithInverse,
    mask: ByteWithInverse,
@ -436,7 +436,7 @@ pub struct WriteProtectDescriptor {
 /// since writes can only clear bits.
 /// It also allows for more flexible filling in of individual values than a checksum.
 #[repr(C)]
-#[derive(AsBytes, FromBytes, Clone, Copy)]
+#[derive(AsBytes, FromBytes, FromZeroes, Clone, Copy)]
 struct ByteWithInverse {
    value: u8,