- Revise firmware implementation notes
- Document how to do fw syscalls
- Document how to trigger a syscall function in the firmware, how to
pass arguments, what the caller is responsible for and what is
returned.
- Describe hardware syscall implementation
- how the syscall interrupts are triggered,
- the hardware privilege escalation,
- the UDS protection.
Co-authored-by: Daniel Jobson <jobson@tillitis.se>
Co-authored-by: Michael Cardell Widerkrantz <mc@tillitis.se>
Fixing tests that broke when adding interrupt based syscalls
- Removing the blake2s test since the blake2s registers are removed.
- Instead of writing to ADDR_SYSTEM_MODE_CTRL, app mode is now entered
automatically when executing outside of ROM.
- The SPI loop-back test need to clean up after the previous test. We
reset the memory bus to a known idle state. We also reset the DUT to
make the SPI master visible.
Only allow executing from ROM when in one of the following execution
contexts:
- Firmware mode
- Syscall
Co-authored-by: Daniel Jobson <jobson@tillitis.se>
Since the introduction of the syscall mechanism we don't allow
execution in ROM anymore so it's impossible to call the firmware's
blake2s() function.
Co-authored-by: Mikael Ågren <mikael@tillitis.se>
Instead of manually switching to app mode using the APP_MODE register,
app mode will be enabled when the CPU fetches an instruction outside of
firmware ROM.
Co-authored-by: Mikael Ågren <mikael@tillitis.se>
Add syscall interrupt to be used for syscalls. The interrupt is
triggered by writing to an address in the 0xe1000000-0xe1ffffff
The PicoRV32 core is configured to use its minimal, non RISCV-standard,
interrupt implementation.
In order to be able to leave data for firmware signalling the
intention with a reset or to leave data for the next app in a chain of
apps, we introduce a part of FW_RAM that can be used to store this
data. In order to do this, we:
- Change size of ROM from 6 KB to 8 KB.
- Change size of FW_RAM, from 2 KB to 4 KB.
- Add RESETINFO memory partition inside FW_RAM.
- Add generation of map file.
- Change CFLAGS from using -O2 to using -Os.
- Update address ranges for valid access to ROM and FW_RAM.
- Move stack to be located before data+bss and the RESETINFO data
above them. This also means we introduce hardware stack overflow
protection through the Security Monitor.
- Revise firmware README to the new use of FW_RAM.
- Extend hardware checks for invalid memory accesses to include
checking more address space.
- In fw include file: fix two typos for memory ranges that relates to
above that fortunately have no impact on functionality.
- The API changes name from `_SWITCH_APP` to `_SYSTEM_MODE_CTRL`.
- The registers and wires changes name to `system_mode_*`, instead of a
mix of `switch_app_*` and `fw_app_mode`.
The removal is coordinated and approved by YosysHQ, and are removed
to keep our headers uniform. These files were written on behalf of
Tillitis.
Two typos was corrected as well.
Add API address to trigger system reset.
When written to will send system_reset signal
to the reset generator, which then perform a complete
reset cycle of the FPGA system.
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
- Remove DUT variables from state display that was removed as part of
performance fix
- Corrected some incorrect display statements for expected unique ID and
byte counters
Co-authored-by: Daniel Jobson <jobson@tillitis.se>
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
Update:
- README
- testbench
- Symbolic names and variables in fw
- registers
- port name and wires
- Update fpga and fw digests
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
Remove the preceeding zero in the constant expression
that cause the simulator to warn about incorrect
bit size.
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
- Change SPI clock from 16 CPU cyles/flank to one cycle/flank
- Remove separate flank length wait states in the FSM
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
- Changed FSM states to localparams
- Added localparam for SPI clock divisor
- Added internal signal for divisor reached
- Improved comments to clarify code
- Fixed some minor textual nits
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
- NOTE: This is an optional feature, not built by default. Not included
in the tk1 for sale at Tillitis shop.
- This makes it possible to interface the SPI flash onboard TKey.
- To include the SPI master in the build, use `make application_fpga.bin
YOSYS_FLAG=-DINCLUDE_SPI_MASTER`.
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
Add simultion models of udi_rom and sb_rbga_drv
to lint-top target.
Add ignore statements in tb_sb_rgba_drv to silence
Verilator on parameters and signals not used in
the sim model.
Use RGBLEDEN in simulation model
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
Describe how the UDI and UDS are actually stored in the FPGA, how they
are accessed, and how they are initialled by the patch_uds_udi.py
script.
Co-authored-by: Joachim Strömbergson <joachim@assured.se>
By patching the UDS and UDI into an already built bitstream, it is now
not necessary to rebuild the entire build flow when changing the UDS
and the UDI. This lowers re-build times significantly.
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
Change name of cpu_monitor to security_monitor and increase its
functionality to include RAM access violations. If addresses in RAM
but outside of physical RAM is accessed in any way the
security_monitor traps the CPU in the same way as it already did for
execution violations.
