PoC: Remove low privilege syscall

Mikael Ågren 2024-12-16 13:00:54 +01:00
parent beb325b683
commit eacfd6eddc
No known key found for this signature in database
GPG Key ID: E02DA3D397792C46
4 changed files with 16 additions and 63 deletions


@ -35,7 +35,6 @@ Rough memory map:
| UART | 0xc3 | | UART | 0xc3 |
| Touch | 0xc4 | | Touch | 0xc4 |
| FW\_RAM | 0xd0 | | FW\_RAM | 0xd0 |
| IRQ30\_SET | 0xe0 |
| IRQ31\_SET | 0xe1 | | IRQ31\_SET | 0xe1 |
| TK1 | 0xff | | TK1 | 0xff |
@ -99,11 +98,6 @@ hours, days) there is also a 32 bit prescaler.
The timer is available to use by firmware and applications. The timer is available to use by firmware and applications.
## `irq30_set`
Interrupt 30 trigger area. A 32-bit write to the IRQ30\_SET memory
area will trigger interrupt 30.
## `irq31_set` ## `irq31_set`
Interrupt 31 trigger area. A 32-bit write to the IRQ31\_SET memory Interrupt 31 trigger area. A 32-bit write to the IRQ31\_SET memory
@ -114,15 +108,14 @@ area will trigger interrupt 31.
Triggering an interrupt will cause the CPU to execute the interrupt Triggering an interrupt will cause the CPU to execute the interrupt
handler att address 0x10. handler att address 0x10.
The interrupt handler is shared by IRQ30 and IRQ31. Register `x4` can The interrupt handler is shared by all PicoRV32 interrupts but only
be inspected to determine the interrupt source. Each interrupt source interrupt 31 is enabled on the Tkey. Register `x4` can be inspected to
is assigned one bit in x4. Triggered interrupts have their bit set to determine the interrupt source. Each interrupt source is assigned one
`1`. bit in x4. Triggered interrupts have their bit set to `1`.
| *Interrupt Name* | *Source* | *x4 Bit* | | *Interrupt Name* | *Source* | *x4 Bit* |
|------------------|------------|----------| |------------------|------------|----------|
| IRQ_SYSCALL_LO | IRQ30\_SET | 30 | | IRQ_SYSCALL | IRQ31\_SET | 31 |
| IRQ_SYSCALL_HI | IRQ31\_SET | 31 |
The return address is located in register `x3`. Calling the PicoRV32 The return address is located in register `x3`. Calling the PicoRV32
specific instruction `retirq` exits the interrupt handler and clears specific instruction `retirq` exits the interrupt handler and clears
@ -142,9 +135,8 @@ mode:
| *Execution Mode* | *ROM* | *FW RAM* | *SPI* | | *Execution Mode* | *ROM* | *FW RAM* | *SPI* |
|---------------------|--------|----------|-------| |---------------------|--------|----------|-------|
| Firmware mode | r/x | r/w | r/w | | Firmware mode | r/x | r/w | r/w |
| App mode | r | i | i | | IRQ_SYSCALL | r/x | r/w | r/w |
| IRQ_SYSCALL_LO | r/x | i | i | | Application mode | r | i | i |
| IRQ_SYSCALL_HI | r/x | r/w | r/w |
Legend: Legend:
r = readable r = readable


@ -46,7 +46,6 @@ module tk1 #(
output wire gpio4, output wire gpio4,
input wire access_level_hi, input wire access_level_hi,
input wire access_level_med,
output wire fw_ram_en, output wire fw_ram_en,
@ -204,7 +203,7 @@ module tk1 #(
assign system_reset = system_reset_reg; assign system_reset = system_reset_reg;
assign rom_exec_en = !system_mode | access_level_med | access_level_hi; assign rom_exec_en = !system_mode | access_level_hi;
assign fw_ram_en = !system_mode | access_level_hi; assign fw_ram_en = !system_mode | access_level_hi;
assign spi_access_en = !system_mode | access_level_hi; assign spi_access_en = !system_mode | access_level_hi;
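Review bot: After the `access_level_med` term is dropped, `rom_exec_en`, `fw_ram_en` and `spi_access_en` are all driven by the same expression `!system_mode | access_level_hi`, and nothing at the assignments says that a single privilege level is intended. Since the port is connected to `irq31_eoi` in the `application_fpga` section, every syscall handler presumably now runs with FW_RAM and SPI access, so the ROM handler has to treat all application-supplied arguments as untrusted. I would add a comment above the three assigns, for example `// Only two levels remain: app mode, and firmware/IRQ31 syscall with ROM exec + FW_RAM + SPI.` The module body continues outside the hunk.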


@ -57,14 +57,12 @@ module application_fpga (
localparam UART_PREFIX = 6'h03; localparam UART_PREFIX = 6'h03;
localparam TOUCH_SENSE_PREFIX = 6'h04; localparam TOUCH_SENSE_PREFIX = 6'h04;
localparam FW_RAM_PREFIX = 6'h10; localparam FW_RAM_PREFIX = 6'h10;
localparam IRQ30_PREFIX = 6'h20;
localparam IRQ31_PREFIX = 6'h21; localparam IRQ31_PREFIX = 6'h21;
localparam TK1_PREFIX = 6'h3f; localparam TK1_PREFIX = 6'h3f;
// Instruction used to cause a trap. // Instruction used to cause a trap.
localparam ILLEGAL_INSTRUCTION = 32'h0; localparam ILLEGAL_INSTRUCTION = 32'h0;
localparam IRQ30_IRQ_MASK = 2 ** 30;
localparam IRQ31_IRQ_MASK = 2 ** 31; localparam IRQ31_IRQ_MASK = 2 ** 31;
//---------------------------------------------------------------- //----------------------------------------------------------------
@ -146,10 +144,6 @@ module application_fpga (
wire [31 : 0] touch_sense_read_data; wire [31 : 0] touch_sense_read_data;
wire touch_sense_ready; wire touch_sense_ready;
reg irq30_cs;
reg irq30_we;
reg irq30_eoi;
reg irq31_cs; reg irq31_cs;
reg irq31_we; reg irq31_we;
reg irq31_eoi; reg irq31_eoi;
@ -190,8 +184,8 @@ module application_fpga (
.ENABLE_IRQ (1), .ENABLE_IRQ (1),
.ENABLE_IRQ_QREGS(0), .ENABLE_IRQ_QREGS(0),
.ENABLE_IRQ_TIMER(0), .ENABLE_IRQ_TIMER(0),
.MASKED_IRQ (~(IRQ31_IRQ_MASK | IRQ30_IRQ_MASK)), .MASKED_IRQ (~IRQ31_IRQ_MASK),
.LATCHED_IRQ (IRQ31_IRQ_MASK | IRQ30_IRQ_MASK) .LATCHED_IRQ (IRQ31_IRQ_MASK)
) cpu ( ) cpu (
.clk(clk), .clk(clk),
.resetn(reset_n), .resetn(reset_n),
@ -374,8 +368,7 @@ module application_fpga (
.gpio3(app_gpio3), .gpio3(app_gpio3),
.gpio4(app_gpio4), .gpio4(app_gpio4),
.access_level_hi (irq31_eoi), .access_level_hi(irq31_eoi),
.access_level_med(irq30_eoi),
.fw_ram_en(fw_ram_en), .fw_ram_en(fw_ram_en),
@ -411,14 +404,11 @@ module application_fpga (
//---------------------------------------------------------------- //----------------------------------------------------------------
always @* begin : irq_ctrl always @* begin : irq_ctrl
reg irq31_set; reg irq31_set;
reg irq30_set;
irq31_set = irq31_cs & irq31_we; irq31_set = irq31_cs & irq31_we;
irq30_set = irq30_cs & irq30_we; cpu_irq = {irq31_set, 31'h0};
cpu_irq = {irq31_set, irq30_set, 30'h0};
irq31_eoi = cpu_eoi[31]; irq31_eoi = cpu_eoi[31];
irq30_eoi = cpu_eoi[30];
end end
@ -471,9 +461,6 @@ module application_fpga (
touch_sense_we = |cpu_wstrb; touch_sense_we = |cpu_wstrb;
touch_sense_address = cpu_addr[9 : 2]; touch_sense_address = cpu_addr[9 : 2];
irq30_cs = 1'h0;
irq30_we = |cpu_wstrb;
irq31_cs = 1'h0; irq31_cs = 1'h0;
irq31_we = |cpu_wstrb; irq31_we = |cpu_wstrb;
@ -549,11 +536,6 @@ module application_fpga (
muxed_ready_new = fw_ram_ready; muxed_ready_new = fw_ram_ready;
end end
IRQ30_PREFIX: begin
irq30_cs = 1'h1;
muxed_ready_new = 1'h1;
end
IRQ31_PREFIX: begin IRQ31_PREFIX: begin
irq31_cs = 1'h1; irq31_cs = 1'h1;
muxed_ready_new = 1'h1; muxed_ready_new = 1'h1;
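Review bot: With the `IRQ30_PREFIX` arm deleted in the last hunk, accesses to prefix `6'h20` no longer match any visible arm of the address decoder, and the fallback arm of this `case` is outside the hunk, so it cannot be seen here whether such an access traps or leaves `muxed_ready_new` low. Please confirm that the default arm terminates the bus cycle or traps, because application code can still issue a write to that address. I would record the intent next to the remaining arm with a comment such as `// 6'h20 (former IRQ30 trigger) is intentionally unmapped; handled by the default arm.` The same arm is removed in the `application_fpga_sim` section, so the point applies there as well.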


@ -70,14 +70,12 @@ module application_fpga_sim (
localparam UART_PREFIX = 6'h03; localparam UART_PREFIX = 6'h03;
localparam TOUCH_SENSE_PREFIX = 6'h04; localparam TOUCH_SENSE_PREFIX = 6'h04;
localparam FW_RAM_PREFIX = 6'h10; localparam FW_RAM_PREFIX = 6'h10;
localparam IRQ30_PREFIX = 6'h20;
localparam IRQ31_PREFIX = 6'h21; localparam IRQ31_PREFIX = 6'h21;
localparam TK1_PREFIX = 6'h3f; localparam TK1_PREFIX = 6'h3f;
// Instruction used to cause a trap. // Instruction used to cause a trap.
localparam ILLEGAL_INSTRUCTION = 32'h0; localparam ILLEGAL_INSTRUCTION = 32'h0;
localparam IRQ30_IRQ_MASK = 2 ** 30;
localparam IRQ31_IRQ_MASK = 2 ** 31; localparam IRQ31_IRQ_MASK = 2 ** 31;
//---------------------------------------------------------------- //----------------------------------------------------------------
@ -158,10 +156,6 @@ module application_fpga_sim (
wire [31 : 0] touch_sense_read_data; wire [31 : 0] touch_sense_read_data;
wire touch_sense_ready; wire touch_sense_ready;
reg irq30_cs;
reg irq30_we;
reg irq30_eoi;
reg irq31_cs; reg irq31_cs;
reg irq31_we; reg irq31_we;
reg irq31_eoi; reg irq31_eoi;
@ -201,8 +195,8 @@ module application_fpga_sim (
.ENABLE_IRQ (1), .ENABLE_IRQ (1),
.ENABLE_IRQ_QREGS(0), .ENABLE_IRQ_QREGS(0),
.ENABLE_IRQ_TIMER(0), .ENABLE_IRQ_TIMER(0),
.MASKED_IRQ (~(IRQ31_IRQ_MASK | IRQ30_IRQ_MASK)), .MASKED_IRQ (~IRQ31_IRQ_MASK),
.LATCHED_IRQ (IRQ31_IRQ_MASK | IRQ30_IRQ_MASK) .LATCHED_IRQ (IRQ31_IRQ_MASK)
) cpu ( ) cpu (
.clk(clk), .clk(clk),
.resetn(reset_n), .resetn(reset_n),
@ -386,8 +380,7 @@ module application_fpga_sim (
.gpio3(app_gpio3), .gpio3(app_gpio3),
.gpio4(app_gpio4), .gpio4(app_gpio4),
.access_level_hi (irq31_eoi), .access_level_hi(irq31_eoi),
.access_level_med(irq30_eoi),
.fw_ram_en(fw_ram_en), .fw_ram_en(fw_ram_en),
@ -422,14 +415,11 @@ module application_fpga_sim (
//---------------------------------------------------------------- //----------------------------------------------------------------
always @* begin : irq_ctrl always @* begin : irq_ctrl
reg irq31_set; reg irq31_set;
reg irq30_set;
irq31_set = irq31_cs & irq31_we; irq31_set = irq31_cs & irq31_we;
irq30_set = irq30_cs & irq30_we; cpu_irq = {irq31_set, 31'h0};
cpu_irq = {irq31_set, irq30_set, 30'h0};
irq31_eoi = cpu_eoi[31]; irq31_eoi = cpu_eoi[31];
irq30_eoi = cpu_eoi[30];
end end
@ -484,9 +474,6 @@ module application_fpga_sim (
touch_sense_we = |cpu_wstrb; touch_sense_we = |cpu_wstrb;
touch_sense_address = cpu_addr[9 : 2]; touch_sense_address = cpu_addr[9 : 2];
irq30_cs = 1'h0;
irq30_we = |cpu_wstrb;
irq31_cs = 1'h0; irq31_cs = 1'h0;
irq31_we = |cpu_wstrb; irq31_we = |cpu_wstrb;
@ -582,13 +569,6 @@ module application_fpga_sim (
muxed_ready_new = fw_ram_ready; muxed_ready_new = fw_ram_ready;
end end
IRQ30_PREFIX: begin
`verbose($display("Access to blake2s interrupt trigger");)
ascii_state = "Blake2s IRQ trigger";
irq30_cs = 1'h1;
muxed_ready_new = 1'h1;
end
IRQ31_PREFIX: begin IRQ31_PREFIX: begin
`verbose($display("Access to syscall interrupt trigger");) `verbose($display("Access to syscall interrupt trigger");)
ascii_state = "Syscall IRQ trigger"; ascii_state = "Syscall IRQ trigger";