We don't use any .data or .bss segment at all to keep all the firmware
variables in the stack in protected fw_ram.
Signed-off-by: Daniel Lublin <daniel@lublin.se>
This means firmware's stack shouldn't be accessible to programs
running in app_mode.
It also means we don't need to take special care of secure_ctx which
can now be an ordinary stack variable.
Nonetheless we zero out secure_ctx after final use and inline some
assembler to zero out the entire fw_ram after use, just before
switching to app_mode.
Signed-off-by: Daniel Lublin <daniel@lublin.se>
For every state, define a constant bitstring with allowed commands and
check incoming command agains that.
Signed-off-by: Daniel Lublin <daniel@lublin.se>
- We always assert on allowed commands in a state.
- We don't allow FW_CMD_LOAD_APP to be used twice.
- Enter fail state on read buffer overrun, header endpoint not for us,
header parse error, and unknown firmware command.
Signed-off-by: Daniel Lublin <daniel@lublin.se>
UDS is now byte readable (but not writable).
Use UDS and USS directly in a blake2s_update() instead of
concatenating them into fw_ram. UDS will still live for a short while
in fw_ram in the blake2s context buffer but will soon be overwritten.
Signed-off-by: Daniel Lublin <daniel@lublin.se>
Use new wordcpy_s() and memcpy_s() functions from lib.c.
Add a local memcpy() which compiling with -Os seems to demand. Why?
Signed-off-by: Daniel Lublin <daniel@lublin.se>
We define macros for them that expand to nothing or to a constant to
avoid any extra function calls to dummy functions when running on real
hardware with no console.
Signed-off-by: Daniel Lublin <daniel@lublin.se>
Introduce memcpy_s() and wordcpy_s() that takes the destination buffer
size as an argument. Use assert() which aborts our program to an
eternal loop if we hit problems.
Sprinkle asserts elsewhere as well.
Signed-off-by: Daniel Lublin <daniel@lublin.se>
Introduces offsets for setting addresses to check for execution and
offset for controlling the execution monitor.
- TK1_MMIO_TK1_CPU_MON_CTRL
- TK1_MMIO_TK1_CPU_MON_FIRST
- TK1_MMIO_TK1_CPU_MON_LAST
* ch552 firmware: add ch55x support files directly
* Add sdcc compiler to docker image, for building CH552 firmware
* Rework production test script
* Add menu-based test runner
* Rewrite production test flows as lists of individual tests
* Add both production flows and manual tests to menu
* Switch to using included binaries
* production test: Update message format
* test_txrx_touchpad: Retry if device communications fail
* production test: put all binaries in binaries/ folder
* binaries/top.bin: replace broken binary
* flash_check: Check for explicit flash IDs
* Document most test procedures
* Test plan documentation
* Sample udev rules
* Production test: allow external references to be overridden
* Remove outdated descriptions
* Correct shebang
* Update shebangs to comply with PEP 394
Change the python scripts to call python instead of python3, as this
works cross platform. See:
https://peps.python.org/pep-0394/#for-python-script-publishers
* Move production test to higher-level directory
* Clarify production test setup
* Move USB C connector test to separate directory
Co-authored-by: Michael Cardell Widerkrantz <mc@tillitis.se>
* Add kicad library for flat programming clip
* Add descriptions to part symbols
* Add extended values, manufacturer/distributor info to components in mta1
* Add new board entry for TK1
* Add TP1 programmer design
* Update MTA1-USB-V1 release files to match production
* Change SPI flash memory type to XT25F08BDFIGT-S
* Change touch sensor feedback cap to 1uF
* Add manufacturer, manufacturer part number, distributor, distributor part number
* Update component values for TK1 PCB
* Use specific part # for C8
* Change flash back to Winbond part, for easier sourcing
* Change C1 to 1pF
* Fixes for production programmer PCB
* Swap GND and 5V on J3
* Replace graphic logo with text
* Rename part to 'TP-1'
* TK-1 release
* Add dimensions for PCB
* Add layer stackup for PCB
* Change PCB component origin to match expanded board
* Change schematic title to 'TK-1', update release date
* mta1-usb-v1-programmer: Add corrected part numbers for OSFC production
* Q1, Q2, F1 part subsititutions
* add mfr/supplier info for all parts
* PCB library: add parts
* Rectangular footprint for TK-1 test pads
* BOM generation script used for TK-1 and TP-1 releases
* TP-1 release
* Schematic: Add manufacturer, supplier information for all parts
* Schematic: Update name and release date
* PCB: Add PCB fabrication information
* PCB: Correct pinouts on silkscreen
* PCB library: add 'screw' and 'foot' symbols
* Screw is a schematic-only part, for including mechanical screws in the
BOM
* Foot is for self-adhesive rubber mounting feet that can be stuck to
the bottom of a PCB
* TP-1 release: Add screws, feet to the BOM
* Pico library: Add footprint for RPi Pico w/solder paste
* TP-1 RevA release updates:
* Add fiducials in 3 corners (1mm exposed copper ring w/2mm soldermask opening)
* Add solder paste openings to Raspberry Pi Pico pads
* TK-1: RevA.1 release
* Add two fiducials to TK-1 board
* TP-1: Update fuse type to match actual part
* Make placement diagrams for TP-1, TK-1
* Update BC-1-xxx footprints to include placement outlines
* Update TP-1 PCB with new footprints, clean up top fab layer
* Take screenshots of top layers of both boards
* tk-1: fix placement footprints
* Add pin1 marking for ncp footprint
* Add refdes for w25q80 footprint
* Update board with new footprints, clear extraneous text on fab layer
In firmware we store the address to firmware blake2s() function at
TK1_MMIO_TK1_BLAKE2S so app can use this firmware function sort of
like a system call but without context switch.
We introduce an explicit state machine (see README).
With the new states we:
- combine setting size and USS to a single command.
- start the device app immediatiely when having receceived the last
data chunk and returning the digest.
- Loop forever and wait for the stick to be removed if we end up in
unknown state.
Signed-off-by: Michael Cardell Widerkrantz <mc@tillitis.se>
Since SRAM has some data remanence even without power it seems good
hygien to clear all RAM when starting the device so as not to leak
potential sensitive data between device apps.
