Commit Graph

185 Commits

Author SHA1 Message Date
Daniel Lublin
9aece67a41
testfw: test read bytes from CDI
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-28 11:44:13 +02:00
Daniel Lublin
eeed342b96
testfw: make output slightly more readable
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-28 11:32:56 +02:00
Daniel Lublin
aa86c9d58c
testfw: compare UDS correctly, correct byte-order
Also don't let fwram success overwrite anyfailed

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-28 11:32:56 +02:00
Daniel Lublin
dcc6351f79
testfw: use a func for fail prints
Now testfw fits again (when built with -Os)

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-28 11:32:56 +02:00
Daniel Lublin
bcac8eeaf4
testfw: update check for new known UDS; correctly and always print UDS
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-28 11:32:56 +02:00
Joachim Strömbergson
688910bee4
Use different byte values in test UDS words
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2023-03-28 09:26:23 +02:00
Michael Cardell Widerkrantz
c126199a41
fw: UDS not byte-readable
Since UDS is not byte-readable we copy it by word to local_uds. Now
UDS lives for a short while in local_uds on the stack in FW_RAM and in
the internal buffer of the blake2s context (also in FW_RAM) but is
very soon overwritten.
2023-03-27 16:24:02 +02:00
Michael Cardell Widerkrantz
fae2447344
testfw: Test UDS against known good 2023-03-27 16:24:02 +02:00
Michael Cardell Widerkrantz
cefb6ca9c1
fw: Change max frame size to 128 bytes 2023-03-27 10:58:16 +02:00
Michael Cardell Widerkrantz
c443ef8a3e
fw: clang-tidy and splint: New make target: check
Add clang-tidy and splint static analytics check. For now, we use only
the cert-* warnings on clang-tidy and run splint with a lot of flags
to allow more things.

Changes to silence these analytics:

- Stop returning stuff from our debug print functions. We don't check
  them anyway and we don't have any way of detecting transmission
  failure.

- Declare more things static that isn't used outside of a file.

- Change types to be more consistent, typically to size_t or
  something or to uint32_t.
2023-03-22 11:05:32 +01:00
Michael Cardell Widerkrantz
f622937918
fw: Don't use reserved or reserved-looking names 2023-03-22 11:05:26 +01:00
Michael Cardell Widerkrantz
709a4449ff
testfw: clang format 2023-03-16 15:08:36 +01:00
Michael Cardell Widerkrantz
9488f0633d
fw: Hide *led in led.c 2023-03-16 14:26:20 +01:00
Michael Cardell Widerkrantz
8665031bb4
fw/testfw: Simplify hexdump 2023-03-16 14:26:13 +01:00
Michael Cardell Widerkrantz
7ce1d9fe06
fw: Remove forgotten hexdump 2023-03-16 14:03:11 +01:00
Michael Cardell Widerkrantz
1f10c8e2db
fw: Initialize automatic variables 2023-03-16 13:51:24 +01:00
Michael Cardell Widerkrantz
226bcbaed1
fw: Update comments 2023-03-16 13:30:56 +01:00
Michael Cardell Widerkrantz
00d806df10
fw: Rename variable rnd to rnd_sleep to indicate what it's for 2023-03-16 13:17:42 +01:00
Michael Cardell Widerkrantz
cd2dc55371
fw: Add function declaration for static functions 2023-03-14 11:31:48 +01:00
Michael Cardell Widerkrantz
0a1e1db40e
fw: Init stack pointer to end of fw_ram 2023-03-14 11:31:48 +01:00
Daniel Lublin
2b9bfc0eff
Consistently set any new state and do break out of case/default
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 11:31:48 +01:00
Michael Cardell Widerkrantz
f9960de506
fw: Re-introduce print_hw_version() - simplify namever handling 2023-03-14 11:31:48 +01:00
Michael Cardell Widerkrantz
78eb472ac9
fw: Go to state fail on bad command lengths 2023-03-14 11:31:48 +01:00
Michael Cardell Widerkrantz
ebf8a11ed0
fw: Move all variable declaration to first in scope 2023-03-14 11:31:48 +01:00
Michael Cardell Widerkrantz
9c766794db
fw: Move scramble RAM to own function 2023-03-14 11:31:47 +01:00
Michael Cardell Widerkrantz
9de7f294df
fw: Move all command switches to their own functions 2023-03-14 11:31:47 +01:00
Michael Cardell Widerkrantz
4e3f5469ef
fw: Simplify logic
Switch on state, then read commands specifically in the states that
allow reading of commands, then switch on specific command.
2023-03-14 11:31:47 +01:00
Daniel Lublin
7a97f1ee5f
Add more complete fw_ram test; let testfw have stack in RAM
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 11:21:47 +01:00
Daniel Lublin
5fe7ba7f9d
fw: optimize for speed (-O2) instead of size (-Os)
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:05 +01:00
Daniel Lublin
957df5e6b4
fw: enable addr & data scrambling; fill RAM with random data
Use a rnd_word() func

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:03 +01:00
Daniel Lublin
4afdc1cd1f
fw: Steady white led while waiting cmd; led off while loading app
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:03 +01:00
Daniel Lublin
7eb4d0304b
fw: load app at the start of RAM
Since app is always loaded at the start of RAM, the TK1_APP_ADDR define
is no longer needed.

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:03 +01:00
Daniel Lublin
425fdb4b90
fw: adjust for 2 KB of FW_RAM
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:02 +01:00
Daniel Lublin
c1fffcb70b
Keep uninitialized var in main, not globally, preventing any BSS
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:02 +01:00
Daniel Lublin
3ddd6e83a3
Refuse to produce a .bin if .elf has non-empty data or bss section
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:02 +01:00
Michael Cardell Widerkrantz
d77654bb8e
fw: No .data or .bss segment
We don't use any .data or .bss segment at all to keep all the firmware
variables in the stack in protected fw_ram.

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:02 +01:00
Michael Cardell Widerkrantz
56e34b3add
fw/testfw: Use fw_ram for firmware stack
This means firmware's stack shouldn't be accessible to programs
running in app_mode.

It also means we don't need to take special care of secure_ctx which
can now be an ordinary stack variable.

Nonetheless we zero out secure_ctx after final use and inline some
assembler to zero out the entire fw_ram after use, just before
switching to app_mode.

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:02 +01:00
Michael Cardell Widerkrantz
d2240b3e0f
fw: Use a bit string for allowed_commands
For every state, define a constant bitstring with allowed commands and
check incoming command agains that.

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:02 +01:00
Michael Cardell Widerkrantz
8edfdf9c36
fw: Remove state init_loading, introduce state fail
- We always assert on allowed commands in a state.
- We don't allow FW_CMD_LOAD_APP to be used twice.
- Enter fail state on read buffer overrun, header endpoint not for us,
  header parse error, and unknown firmware command.

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:02 +01:00
Michael Cardell Widerkrantz
65f100a3c0
fw: Use byte readable UDS
UDS is now byte readable (but not writable).

Use UDS and USS directly in a blake2s_update() instead of
concatenating them into fw_ram. UDS will still live for a short while
in fw_ram in the blake2s context buffer but will soon be overwritten.

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:01 +01:00
Michael Cardell Widerkrantz
b34fdbcd37
testfw: Use wordcpy_s() and memcpy_s()
Use new wordcpy_s() and memcpy_s() functions from lib.c.

Add a local memcpy() which compiling with -Os seems to demand. Why?

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:01 +01:00
Michael Cardell Widerkrantz
cc032d9883
fw: Hide HTIF functions better when using NOCONSOLE
We define macros for them that expand to nothing or to a constant to
avoid any extra function calls to dummy functions when running on real
hardware with no console.

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:01 +01:00
Michael Cardell Widerkrantz
3a7ec9b9a0
fw: Run forever_redflash() when aborting from asserts
Should be more vissible than an eternal loop.

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:01 +01:00
Michael Cardell Widerkrantz
bbbe1e2f31
fw: Move LED defines and function to own files
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:01 +01:00
Michael Cardell Widerkrantz
ccc3b16569
fw: Safer memory functions + asserts
Introduce memcpy_s() and wordcpy_s() that takes the destination buffer
size as an argument. Use assert() which aborts our program to an
eternal loop if we hit problems.

Sprinkle asserts elsewhere as well.

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:01 +01:00
Michael Cardell Widerkrantz
f386cec1ed
fw: Add destination buffer size to read()
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:00 +01:00
Michael Cardell Widerkrantz
b292c72534
fw: Remove unnecessary memcpy() from putinthex()
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-14 10:25:00 +01:00
Joachim Strömbergson
b9c415f5d6
bank1 access should also be disabled by default.
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2023-03-13 12:43:07 +01:00
Joachim Strömbergson
000b7644b5
Update fw ram last address to match new mem size
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2023-03-08 13:31:45 +01:00
Daniel Lublin
5f4f5c6584
Correct for new fw-ram size
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-08 12:34:34 +01:00