Flash ctrl changes #28617
Closed
+272,703
−146,376
The `keymgr_wait_until_done()` function should be only called after an operation has been started by the caller. This commit removes the `IDLE` status check from the switch-case in `keymgr_wait_until_done()` to enforce this invariant. If the keymgr is found to be `IDLE` the execution will now proceed to the default error-handling case and trigger a trap. Change-Id: I35b5107174796e9a52eff7ab33bdc2260453a73b Signed-off-by: Yi-Hsuan Deng <[email protected]>
The `OWNER_SW` is not intended to return control to the `ROM_EXT`; if it does, the `ROM_EXT` should report an error. This commit introduces a new fault test, `return_boot_failed`, which simulates the `OWNER_SW` returning to `ROM_EXT` (e.g., via a `ret` instruction) to verify that `ROM_EXT` correctly handles this unexpected scenario. This test can make sure the `ROM_EXT` handles this error situation correctly. Change-Id: I741557b00cea523bb46b96c375b95740e0e65372 Signed-off-by: Yi-Hsuan Deng <[email protected]>
This commit introduces a new test case for SPI DFU rescue mode to verify the correctness of DFU state machine transitions. A new ROM_EXT configuration, `rom_ext_spidfu_flash_limit_zero`, is intended to trigger a corner case where a write is attempted past the end of the flash. Signed-off-by: Anthony Chen <[email protected]>
This adds a new test case, `spidfu_invalid_dfu_requests`, to verify that the SPI DFU implementation correctly handles various invalid requests. Signed-off-by: Anthony Chen <[email protected]>
This introduces the `spidfu_invalid_flash_transaction` test to verify the robustness of the SPI DFU rescue mode against invalid flash operations. Signed-off-by: Anthony Chen <[email protected]>
This change introduces the `usb_dfu_out_chunk_too_big` test to verify that the USB DFU implementation correctly rejects download requests where the data chunk size exceeds the allowed maximum. Signed-off-by: Anthony Chen <[email protected]>
This updates the immutable section version number. Signed-off-by: Anthony Chen <[email protected]>
Most algorithms in cryptolib already do this, and it's necessary to update checksums. Signed-off-by: Jade Philipoom <[email protected]> (cherry picked from commit 583d8c4)
Most algorithms in cryptolib already do this, and it's necessary to update checksums. Signed-off-by: Jade Philipoom <[email protected]> (cherry picked from commit ce51e86)
Most algorithms in cryptolib already do this, and it's necessary to update checksums. Signed-off-by: Jade Philipoom <[email protected]> (cherry picked from commit 69abb4b)
Most algorithms in cryptolib already do this, and it's necessary to update checksums. Signed-off-by: Jade Philipoom <[email protected]>
Re-mask non-keymgr AES and KMAC keys before use. For HMAC, we have to unmask the keys anyway before passing to the hardware, so it doesn't make sense to re-mask them. Signed-off-by: Jade Philipoom <[email protected]> (cherry picked from commit 6987fa9)
As the API has changed, adapt it accordingly for the crypto/pentestes. Signed-off-by: Pascal Nasahl <[email protected]>
Removes the legacy coverage collection utilities. The new framework will be integrated with the `bazel coverage` subcommand. Change-Id: I1123e9a6ea293130e6a72d95f91b7c6864228446 Signed-off-by: Yi-Hsuan Deng <[email protected]>
This change removes code for the old LLVM compiler_rt based coverage runtime on the device, which will be replaced by an in-house custom runtime developed for OpenTitan. Change-Id: Ic35f61ad941b64f54602a78f1aaa90a61c0aa98a Signed-off-by: Yi-Hsuan Deng <[email protected]>
This change allows users to disable coverage collection for particular Bazel targets. This can be useful for targets like metal ROM, which are sensitive to changes in code size. Support for ROM/ROM_EXT coverage will be added in later PRs; to ensure the minimal framework works, ROM/ROM_EXT coverage collection is explicitly disabled in this commit. Change-Id: Icbfa8f64fa8a580d6f595046035a25731d5dc6af Signed-off-by: Yi-Hsuan Deng <[email protected]>
Initial coverage values should typically be set to "uncovered." Consequently, the array storing these initial values is not required in the final firmware, and can be initialized programmatically. This change introduces a check to verify that a section is entirely "uncovered," and then removes it from the final firmware. Change-Id: I0f4da48a1eb0ceac726d70e3843e299d3d692fa5 Signed-off-by: Yi-Hsuan Deng <[email protected]>
This change adds a new on-device coverage runtime with OTTF transport. When coverage is enabled, the runtime can collect profile counter data from the device and send it over the console. On the host, these raw counter values can be combined with static profile data to recreate the full LLVM profile.
The coverage runtime consists of the following components:
* `api.h`: Provides a set of shared C APIs implemented by transport runtimes.
* `api_asm.h`: Provides APIs for assembly code.
* `printer.h`/`printer.c`: Implements the shared logic for different runtimes.
* Linker scripts (`bss.ld`, `info.ld`, `rodata.ld`): Define special sections for LLVM profile data, counters, and build ID.
OTTF transport implementation is also included:
* `ottf_runtime.c`: Integrates the coverage printer with the OTTF console for data output.
* `ottf_runtime_skip.c`: A no-op version of the runtime for builds where coverage is enabled but not instrumented.
Change-Id: I2e4b135a58b93a257fc37880700e23f4b99defc4 Signed-off-by: Yi-Hsuan Deng <[email protected]>
This change integrates the new coverage runtime into the OTTF framework. Change-Id: I507a1b40b2b76e5fe4309607ede1288a46a23835 Signed-off-by: Yi-Hsuan Deng <[email protected]>
Heap size is reduced in coverage mode to free up RAM for the coverage profile counters. Change-Id: Ifc9d1ba43be26e8a04572d47adc381e625da365f Signed-off-by: Yi-Hsuan Deng <[email protected]>
The LLVM sections like `__llvm_prf_cnts` contain profile counter information. Ignore them in `extract_sw_logs` to avoid parsing errors. Change-Id: I61a36e75aba2c1ffd22b798b169edc659be2e132 Signed-off-by: Yi-Hsuan Deng <[email protected]>
This change adds a feature to opentitantool's `UartConsole` that allows saving device-side coverage reports. The new implementation parses coverage data embedded in the console output, validates it using CRC, and then saves it to a `.xprofraw` file. This is part of Bazel coverage integration to collect reports for tests running directly on the OpenTitan device. It follows LLVM's convention for saving to the path specified by the `LLVM_PROFILE_FILE` environment variable, which Bazel will set. Additionally, a new `wait_for_coverage` function is introduced, allowing `opentitantool` to block until coverage data is received or skipped. Change-Id: I682655aeeb3c16228036ad58fb41187f7eb932cb Signed-off-by: Yi-Hsuan Deng <[email protected]>
This change implements the `collect_cc_coverage` tool for `opentitan_test`. The coverage collection process now works as follows:
1. A new `collect_cc_coverage` tool (written in Rust) is invoked for each test that produces coverage data. This tool is responsible for converting the compressed coverage counters (`.xprofraw`) saved by opentitantool's UartConsole into the standard LLVM profraw format. It achieves this by correlating the `.xprofraw` data with the metadata extracted from the ELF files of the device's firmware.
2. The `collect_cc_coverage` tool then uses llvm tools to export an LCOV (`.dat`) file, which is the format expected by Bazel's coverage reporting.
This integration allows OpenTitan's C++ code coverage to be collected and reported consistently within the Bazel build system, making it possible to combine it with other test coverage (unit test / OTBN test). Change-Id: I8717ec315e8bf30e0b09bdc72a9ff86857034151 Signed-off-by: Yi-Hsuan Deng <[email protected]>
This is a lightweight protection against downgrades, where an attacker could use a signed but vulnerable older version of the crypto library to attack keys generated with a newer version. Signed-off-by: Jade Philipoom <[email protected]> (cherry picked from commit f9e96d7)
Add versions where they were previously omitted, use key import/unmask primitives in a few places, and fix a couple of bugs caught by the cryptotest suite. Signed-off-by: Jade Philipoom <[email protected]> (cherry picked from commit 2c6a5e8)
Helps when debugging things such as opendrain not being available on FPGAs. Without this log, it's not obvious from the error code which attributes were not set. Have to configure it for RISC-V only because this library is built for the host by bindgen. Signed-off-by: James Wainwright <[email protected]>
Only enabled on silicon because our FPGAs do not support opendrain. Signed-off-by: James Wainwright <[email protected]>
HyperDebug firmware seems to be able to handle these pins now. `VBUS_EN_SENSE` is still not usable with the teacup board, however. Signed-off-by: James Wainwright <[email protected]>
Signed-off-by: James Wainwright <[email protected]>
Signed-off-by: James Wainwright <[email protected]>
Signed-off-by: James Wainwright <[email protected]>
Signed-off-by: James Wainwright <[email protected]>
QEMU does not currently model the TAP straps and enables the RV_DM JTAG port unconditionally. This strap is added to satisfy tests, but it has no pins so is a no-op to apply and remove. Signed-off-by: James Wainwright <[email protected]>
Add a `sim_qemu_sival` environment for running tests with the SiVal lockdowns but without going through `ROM_EXT` to run owner code. Useful for e.g. OTP testing. Signed-off-by: Alex Jones <[email protected]>
Demonstrates the RV_DM interface working over OpenOCD. Signed-off-by: James Wainwright <[email protected]>
Initial customers requested that boot services not run when the ROM_EXT detects a low-power wakeup. A new customer has requested the opposite behavior.
1. Add a configuration item to the ownership config to enable or disable boot_svc on low-power wakeups. Default to `False` (disabled).
2. Use a weak function to retrieve the ownership configuration value. This allows a down-stream ROM_EXT build to override this function with their preferred behavior (to account for chips that don't have the setting in their ownership config).
Signed-off-by: Chris Frantz <[email protected]>
Even though opentitanlib supports asking QEMU to shut down, it is (1) optional, (2) relies on the test harness stopping cleanly. One may argue that it is not really the responsibility of the test harness to shut down QEMU anyway since it is not spawned by the harness but rather by the qemu_test.sh script. This commit makes the qemu_test.sh script always shut down QEMU on exit. It first sends a SIGINT and after one second a SIGKILL. Signed-off-by: Amaury Pouly <[email protected]>
Signed-off-by: Douglas Reis <[email protected]>
To allow for more general OpenTitan QEMU documentation, move the current setup / build system documentation to its own separate `setup.md` page. Make a new general QEMU `README.md` containing documentation not specific to setup / using a local build override. Signed-off-by: Alex Jones <[email protected]>
Add the new `bootstrap` parameter to the existing documentation, and also add a link to better explain the `traces` parameter. Signed-off-by: Alex Jones <[email protected]>
Now that we're adding more centralized OpenTitan QEMU documentation, document the newly supported command-line argument format here. Signed-off-by: Alex Jones <[email protected]>
Add a short section on the QEMU testing documentation that describes how the QEMU UART console output and log output are muxed into stdout without line buffering, to avoid confusion about interleaving of characters from both inputs. Signed-off-by: Alex Jones <[email protected]>
Add some introductory documentation to explain QEMU, its integration into OpenTitan itself, and caveats that users should be aware of. The focus of these docs is primarily on introducing the basic concepts of QEMU, explaining the integration with OpenTitan, and noting any caveats that are useful to be aware of when testing or developing software stacks. Where possible, detailed explanations of QEMU's internals or explanations of how OpenTitan emulation works are delegated to the existing QEMU / QEMU fork documentation, to avoid replication and docs getting out of date. The one exception is the list of unemulated features - a short non-comprehensive list is reproduced as it is probably useful that anyone who wants to use QEMU is aware of some of the major caveats, even if the list is not complete / comprehensive. Signed-off-by: Alex Jones <[email protected]>
This bumps the ROM_EXT and perso version numbers to prepare for the next signing operation. Signed-off-by: Tim Trippel <[email protected]>
Signed-off-by: Alex Jones <[email protected]>
Signed-off-by: Ramesh Prakash <[email protected]>
Crikey! I think this might need rebasing (I don't believe you really intend to change > 200k lines of code...)
Yep! That was a mistake. I will close this PR. Submitted a new PR - want to merge on earlgrey_1.0.0 branch
Updated flash_ctrl_test programs to check for unlocked regions before read/write operations