Use _RAM_ADDR_RAND instead of _RAM_ASLR since this is not OS-level
ASLR we're talking about. It's address randomization as seen from
outside of the CPU, not from the process running inside it. Ordinary
ASLR is visible from the CPU.
This file is also included in at least qemu (GPL-2.0-or-later) besides
tillitis-key1 (GPL-2.0-only) and tkey-libs (GPL-2.0-only) so it's
licensed as GPL v2 or later even if the rest of the project is -only.
Instead of putting memory constant into an enum we use defines.
Use the direct memory address instead of ORing constants together to
compute the address.
An enum in ISO C is a signed int. Some of are memory addresses are to
large to fit in a signed int. This is not a problem since we're not
using ISO C (-std=gnu99) but it doesn't look very nice if you turn on
pedantic warnings. Also, if someone would use another compiler which
at least supports the inline assembly we use, but possible not other
GNU extensions, things would probably break.
Instead of putting memory constant into an enum we use defines.
Use the direct memory address instead of ORing constants together to
compute the address.
An enum in ISO C is a signed int. Some of are memory addresses are to
large to fit in a signed int. This is not a problem since we're not
using ISO C (-std=gnu99) but it doesn't look very nice if you turn on
pedantic warnings. Also, if someone would use another compiler which
at least supports the inline assembly we use, but possible not other
GNU extensions, things would probably break.
Since UDS is not byte-readable we copy it by word to local_uds. Now
UDS lives for a short while in local_uds on the stack in FW_RAM and in
the internal buffer of the blake2s context (also in FW_RAM) but is
very soon overwritten.
Add clang-tidy and splint static analytics check. For now, we use only
the cert-* warnings on clang-tidy and run splint with a lot of flags
to allow more things.
Changes to silence these analytics:
- Stop returning stuff from our debug print functions. We don't check
them anyway and we don't have any way of detecting transmission
failure.
- Declare more things static that isn't used outside of a file.
- Change types to be more consistent, typically to size_t or
something or to uint32_t.
We don't use any .data or .bss segment at all to keep all the firmware
variables in the stack in protected fw_ram.
Signed-off-by: Daniel Lublin <daniel@lublin.se>
This means firmware's stack shouldn't be accessible to programs
running in app_mode.
It also means we don't need to take special care of secure_ctx which
can now be an ordinary stack variable.
Nonetheless we zero out secure_ctx after final use and inline some
assembler to zero out the entire fw_ram after use, just before
switching to app_mode.
Signed-off-by: Daniel Lublin <daniel@lublin.se>
For every state, define a constant bitstring with allowed commands and
check incoming command agains that.
Signed-off-by: Daniel Lublin <daniel@lublin.se>
- We always assert on allowed commands in a state.
- We don't allow FW_CMD_LOAD_APP to be used twice.
- Enter fail state on read buffer overrun, header endpoint not for us,
header parse error, and unknown firmware command.
Signed-off-by: Daniel Lublin <daniel@lublin.se>
UDS is now byte readable (but not writable).
Use UDS and USS directly in a blake2s_update() instead of
concatenating them into fw_ram. UDS will still live for a short while
in fw_ram in the blake2s context buffer but will soon be overwritten.
Signed-off-by: Daniel Lublin <daniel@lublin.se>
Use new wordcpy_s() and memcpy_s() functions from lib.c.
Add a local memcpy() which compiling with -Os seems to demand. Why?
Signed-off-by: Daniel Lublin <daniel@lublin.se>
We define macros for them that expand to nothing or to a constant to
avoid any extra function calls to dummy functions when running on real
hardware with no console.
Signed-off-by: Daniel Lublin <daniel@lublin.se>
Introduce memcpy_s() and wordcpy_s() that takes the destination buffer
size as an argument. Use assert() which aborts our program to an
eternal loop if we hit problems.
Sprinkle asserts elsewhere as well.
Signed-off-by: Daniel Lublin <daniel@lublin.se>