Commit Graph

525 Commits

Author SHA1 Message Date
Joachim Strömbergson
92712a11bf
fw: zeroise FW-RAM instead of RAM
Modify the loop to zeroise the FW-RAM instead of the
RAM. RAM is filled with random data at the start of main().

Changes firmware and bitstream digests.

Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-06-12 18:11:10 +02:00
Joachim Strömbergson
f61d254fda
Adding testbench and simulation targets for the SPI master. 2024-06-11 15:28:29 +02:00
Joachim Strömbergson
3bc2453287
A construction of a minimal SPI master.
- NOTE: This is an optional feature, not built by default. Not included
  in the tk1 for sale at Tillitis shop.
- This makes it possible to interface the SPI flash onboard TKey.
- To include the SPI master in the build, use `make application_fpga.bin
  YOSYS_FLAG=-DINCLUDE_SPI_MASTER`.

Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-06-11 15:28:29 +02:00
Joachim Strömbergson
eade3e11c5
Fill RAM with random data using xorwow.
xorwow provides significantly better random data, compared to previously
used function. Making it harder to predict what data RAM is filled with.
It adds a startup time of approx 80 ms, but can be compensated with
optimising other parts of the startup routine.

This changes both firmware and fpga hashes.

Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-06-11 11:15:00 +02:00
Joachim Strömbergson
09df7ae97f
FPGA: Fix linting of tk1 core
Add simultion models of udi_rom and sb_rbga_drv
      to lint-top target.

      Add ignore statements in tb_sb_rgba_drv to silence
      Verilator on parameters and signals not used in
      the sim model.

      Use RGBLEDEN in simulation model

Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-06-10 14:22:59 +02:00
Joachim Strömbergson
cadf8e9849
FPGA: Add sim model of udi_rom
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-06-07 12:06:40 +02:00
Joachim Strömbergson
0454e023cd
Ignore application_fpga_par.json
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-04-25 11:29:47 +02:00
Joachim Strömbergson
e961f46e79
Update Verilog version to 2005 for linting
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-04-24 08:44:08 +02:00
Joachim Strömbergson
f655196af7
Clarify the functional description of the touch_sense core
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-04-22 16:03:08 +02:00
dehanj
a5e30f1203
CI: Divide into separate jobs.
- Gives a better overview of CI and the different checks, without going
  into the logs too deeply.
- Cache: use a unique key for each run, and remove 'restore key' since it
  could potentially retrieve the wrong bitstream. The stragegy should be
  to fail if a cache is not present, not fetch a bitstream from a
  different build.
2024-04-19 12:16:41 +02:00
dehanj
d7b8bb26a9
CI: move check-hash to separate job.
- This makes it easier to see if CI fails on hashes (which might be
  expected during development) or something else.
2024-04-17 12:10:28 +02:00
Michael Cardell Widerkrantz
3cf218469c
hw/tool: UDI/UDS storage
Describe how the UDI and UDS are actually stored in the FPGA, how they
are accessed, and how they are initialled by the patch_uds_udi.py
script.

Co-authored-by: Joachim Strömbergson <joachim@assured.se>
2024-04-03 11:27:00 +02:00
dehanj
1c90b1aa3d
Add release notes for TK1-24.03
Clarifying earlier release notes.
2024-03-26 13:34:54 +01:00
dehanj
574e17f26a
Update hash of bitstream and firmware 2024-03-26 13:09:06 +01:00
dehanj
4bd249816a
fw: Remove unused header includes 2024-03-26 13:09:06 +01:00
dehanj
3a6a60ff26
fw: Protect zeroisation against compiler optimisation.
The memset() responsible for the zeroisation of the secure_ctx under
the compute_cdi() function in FW's main.c, was optimised away by the
compiler. Instead of using memset(), secure_wipe() is introduced
which uses a volatile keyword to prevent the compiler to try to
optimise it. Secure_wipe() is now used on all locations handling
removal of sensitive data.
2024-03-26 13:09:01 +01:00
dehanj
c85b5311cd
Change filename personalize.py to patch_uds_udi.py
Also adding a more detailed explaination of what the script intends to
do
2024-03-26 13:07:11 +01:00
Michael Cardell Widerkrantz
88c6036215
Add mitigations to threat model
Describe under each release what kind of threat mitigations we have
added.
2024-03-25 17:27:00 +01:00
dehanj
0e166e4159
Build tp1 firmware in CI 2024-03-22 11:43:39 +01:00
dehanj
92136983c5
Update hash of bitstream and firmware 2024-03-22 11:25:40 +01:00
Michael Cardell Widerkrantz
09c1f3f549
Silence splint somewhat
The only real changes are some unitialized variables and that we now
make explicit that we don't care about the return value from memset().
2024-03-22 11:03:13 +01:00
Michael Cardell Widerkrantz
b0efcf019e
Include static analysis in CI
- Exclude splint from CI, so we make another target for it "splint",
  which we might include in the "check" target later.

- Move the analysis runs earlier in CI so they, including indentation
  checks, fail first.

- Include printouts of hashen in check-binary-hashes to easier see
  what the digest are if it fails in CI.
2024-03-22 11:03:13 +01:00
Michael Cardell Widerkrantz
d10c4972d7
Use tkey-builder:4 2024-03-22 10:54:33 +01:00
Michael Cardell Widerkrantz
da40edfc51
tkey-builder: Include clang-tidy & splint
To be able to run statical analysis on source, include clang-tidy and
splint (see make check) in tkey-builder.
2024-03-21 15:03:08 +01:00
Michael Cardell Widerkrantz
48324fe5b3
tp1 fw: Update pico-sdk to 1.5.1 2024-03-21 14:17:01 +01:00
dehanj
2ff2e9a91d
fw: remove duplicate defines in tk1_mem.h 2024-03-21 10:28:51 +01:00
Michael Cardell Widerkrantz
661a6458c8
fw: Add missing TK1_MMIO_BASE
TK1_MMIO_BASE and _SIZE needed by at least qemu.
2024-03-21 10:09:38 +01:00
dehanj
57a6ee2a12
Use tkey-builder:3 as default when building 2024-03-20 17:19:59 +01:00
dehanj
8ca4241ade
Disable non-zero exit for verilog linter in CI, see issue 182. 2024-03-20 16:39:53 +01:00
Joachim Strömbergson
de668a0244
Clean up code and silence warnings after linting
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-03-20 16:39:53 +01:00
Joachim Strömbergson
f364b523cf
Change UDS address to three bits to match input port connection 'addr'
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-03-20 16:39:53 +01:00
Joachim Strömbergson
bbde62d3f5
Add PINMISSING lint ignore for I1 and I2 SB_LUT4 cells
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-03-20 16:39:52 +01:00
Joachim Strömbergson
8731908cb1
Support incremental builds for the bitstream.
By patching the UDS and UDI into an already built bitstream, it is now
not necessary to rebuild the entire build flow when changing the UDS
and the UDI. This lowers re-build times significantly.

Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-03-20 16:39:45 +01:00
Joachim Strömbergson
29fd8338a7
Update the bitstream hash
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-03-20 14:36:56 +01:00
Joachim Strömbergson
8784a24b33
Change cpu_monitor to security_monitor and to also check RAM
Change name of cpu_monitor to security_monitor and increase its
functionality to include RAM access violations. If addresses in RAM
but outside of physical RAM is accessed in any way the
security_monitor traps the CPU in the same way as it already did for
execution violations.
2024-03-20 14:36:55 +01:00
Joachim Strömbergson
3fb6d66cf3
Add set-only register for the force_trap signal to ensure
that the device must be reset to get out of trap. This
change also breaks a critical path.

Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-03-20 14:36:55 +01:00
Joachim Strömbergson
4c3e210a00
Only set ram_we to cpu_wstrb in RAM_PREFIX
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-03-20 14:36:55 +01:00
Joachim Strömbergson
e48c0fc7d9
Implement cs0 and cs1 as logic equations, not muxes
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-03-20 14:36:55 +01:00
Michael Cardell Widerkrantz
0590445f3d
Add testbench targets on top-level
The testbenches live in their own Makefiles under
hw/application_fpga/core/*/toolruns (except picorv32). Let's add a
top-level target to build and run them.

In order to run core testbenches, use

  cd hw/application_fpga
  make tb

or if using Podman:

  cd contrib
  make run-tb

to run the same target in a container.
2024-03-20 13:47:12 +01:00
Joachim Strömbergson
ea9271292c
Add Icarus Verilog compiler, simulator used by testbenches
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-03-20 13:47:12 +01:00
dehanj
159b5b052b
Updated readme and docs to point at dev.tillitis.se. 2024-03-19 17:06:34 +01:00
Michael Cardell Widerkrantz
4d4db70590
fw: Change ASLR name in MMIO
Use _RAM_ADDR_RAND instead of _RAM_ASLR since this is not OS-level
ASLR we're talking about. It's address randomization as seen from
outside of the CPU, not from the process running inside it. Ordinary
ASLR is visible from the CPU.
2024-03-19 14:36:31 +01:00
Michael Cardell Widerkrantz
f40987b138
fw: Change license for use with qemu
This file is also included in at least qemu (GPL-2.0-or-later) besides
tillitis-key1 (GPL-2.0-only) and tkey-libs (GPL-2.0-only) so it's
licensed as GPL v2 or later even if the rest of the project is -only.
2024-03-19 14:36:31 +01:00
Michael Cardell Widerkrantz
c48724e115
fw: Change memory constants to defines
Instead of putting  memory constant into an enum we use defines.

Use the direct memory address instead of ORing constants together to
compute the address.

An enum in ISO C is a signed int. Some of are memory addresses are to
large to fit in a signed int. This is not a problem since we're not
using ISO C (-std=gnu99) but it doesn't look very nice if you turn on
pedantic warnings. Also, if someone would use another compiler which
at least supports the inline assembly we use, but possible not other
GNU extensions, things would probably break.
2024-03-19 14:36:20 +01:00
dehanj
1e34ddcfa6
Update linter to Verilog-2005 2024-03-19 10:45:37 +01:00
Michael Cardell Widerkrantz
746d7f0e0d
Use pedantic warnings
Use pedantic warnings but still allow inline assembly, so turn off
language-extension-token warnings.
2024-03-19 09:25:37 +01:00
Michael Cardell Widerkrantz
e085d0ebd0
Add void to function signatures meant to be used without args 2024-03-19 08:41:39 +01:00
Michael Cardell Widerkrantz
046343e525
Change memory constants to defines
Instead of putting  memory constant into an enum we use defines.

Use the direct memory address instead of ORing constants together to
compute the address.

An enum in ISO C is a signed int. Some of are memory addresses are to
large to fit in a signed int. This is not a problem since we're not
using ISO C (-std=gnu99) but it doesn't look very nice if you turn on
pedantic warnings. Also, if someone would use another compiler which
at least supports the inline assembly we use, but possible not other
GNU extensions, things would probably break.
2024-03-19 08:40:04 +01:00
Michael Cardell Widerkrantz
e2bd38c540
fw: Remove unusued forever_redflash()
Since we now use assert() and feed the CPU an unimplemented
instruction we have no need for this.
2024-03-18 16:19:59 +01:00
dehanj
9d36acde08
FW: Force the CPU to hang on errors 2024-03-14 15:48:10 +01:00