PoC: Make sensitive assets only readable/writable before system_mode is set

After the first time system_mode is set to one, the assets will no longer be read- or writeable, even if system_mode is set to zero at a later syscall. This is to make sure syscalls does not have the same privilege as the firmware has at first boot. We need to monitor when system_mode is set to one, otherwise we might accedentially lock the assets before actually leaving firmware, for example if firmware would use a function set in any of the registers used in system_mode_ctrl. Co-authored-by: Mikael Ågren <mikael@tillitis.se>
2025-11-25 18:06:35 -05:00 · 2024-11-15 11:19:40 +01:00 · 2024-11-15 11:19:40 +01:00 · 2ec2196e92
commit 2ec2196e92
parent 7f34f5db91
5 changed files with 44 additions and 24 deletions
--- a/hw/application_fpga/core/tk1/rtl/tk1.v
+++ b/hw/application_fpga/core/tk1/rtl/tk1.v
@ -20,7 +20,7 @@ module tk1 #(
    input wire reset_n,

    input  wire cpu_trap,
-    output wire system_mode,
+    output wire rw_locked,

    input  wire [31 : 0] cpu_addr,
    input  wire          cpu_instr,
@ -185,14 +185,14 @@ module tk1 #(

  wire          rom_exec_en;

+  wire          system_mode;
+
  //----------------------------------------------------------------
  // Concurrent connectivity for ports etc.
  //----------------------------------------------------------------
  assign read_data     = tmp_read_data;
  assign ready         = tmp_ready;

-  assign system_mode   = system_mode_reg;
-
  assign force_trap    = force_trap_reg;

  assign gpio3         = gpio3_reg;
@ -203,9 +203,12 @@ module tk1 #(

  assign system_reset  = system_reset_reg;

+  assign system_mode   = system_mode_reg;
+
  assign rom_exec_en   = !system_mode | access_level_hi;
  assign fw_ram_en     = !system_mode | access_level_hi;
  assign spi_access_en = !system_mode | access_level_hi;
+  assign rw_locked     = system_mode;

  //----------------------------------------------------------------
  // Module instance.
@ -478,13 +481,13 @@ module tk1 #(
        end

        if (address == ADDR_APP_START) begin
-          if (!system_mode_reg) begin
+          if (!rw_locked) begin
            app_start_we = 1'h1;
          end
        end

        if (address == ADDR_APP_SIZE) begin
-          if (!system_mode_reg) begin
+          if (!rw_locked) begin
            app_size_we = 1'h1;
          end
        end
@ -494,19 +497,19 @@ module tk1 #(
        end

        if ((address >= ADDR_CDI_FIRST) && (address <= ADDR_CDI_LAST)) begin
-          if (!system_mode_reg) begin
+          if (!rw_locked) begin
            cdi_mem_we = 1'h1;
          end
        end

        if (address == ADDR_RAM_ADDR_RAND) begin
-          if (!system_mode_reg) begin
+          if (!rw_locked) begin
            ram_addr_rand_we = 1'h1;
          end
        end

        if (address == ADDR_RAM_DATA_RAND) begin
-          if (!system_mode_reg) begin
+          if (!rw_locked) begin
            ram_data_rand_we = 1'h1;
          end
        end
@ -584,7 +587,7 @@ module tk1 #(
        end

        if ((address >= ADDR_UDI_FIRST) && (address <= ADDR_UDI_LAST)) begin
-          if (!system_mode_reg) begin
+          if (!rw_locked) begin
            tmp_read_data = udi_rdata;
          end
        end