Commit Graph

135 Commits

Author SHA1 Message Date
Daniel Jobson
f62930984d
WIP app storage calls 2024-09-23 15:42:23 +02:00
Daniel Jobson
4770f18137
preload_add: only allow mgmt app to store or delete 2024-09-23 15:42:23 +02:00
Daniel Jobson
0669df4c27
WIP management app 2024-09-23 15:42:23 +02:00
Daniel Jobson
30f5d359ea
fw: remove address-of operator (&) where it is not needed
- `digest` is an array and hence the address of the first element is
  returned.
- This will keep it more consistent with the rest of the code base.
- Fixed misspelled comment.
2024-09-23 15:42:23 +02:00
Daniel Jobson
26045bfcd1
fw: use bool as return type for memeq 2024-09-23 15:42:23 +02:00
Daniel Jobson
80a155a1c2
Include authentication of preloaded app 2024-09-23 15:42:23 +02:00
Daniel Jobson
0abfdf592b
fw: break out trng and xorwow to rng.[ch] 2024-09-23 15:42:23 +02:00
Daniel Jobson
54b8b1cc4e
fw: Break out htif functions for qemu to separate files 2024-09-23 15:42:18 +02:00
Daniel Jobson
0bec032db3
temp commit: Expose write functions to make development easier 2024-09-23 15:37:14 +02:00
Daniel Jobson
534ac06e86
Add fw state and fw cmd to trigger a start of a preloaded app 2024-09-23 15:37:14 +02:00
Daniel Jobson
b52e57d4ea
WIP auth app 2024-09-23 15:37:14 +02:00
Daniel Jobson
af7df7c9e8
WIP preload_app 2024-09-23 15:37:13 +02:00
Daniel Jobson
c3baad9a23
WIP partition table 2024-09-23 15:37:13 +02:00
Daniel Jobson
a5c2d05cb1
Import spi.[ch] and flash.[ch] 2024-09-23 15:37:13 +02:00
Daniel Jobson
2246dbfa45
fw: Create compute_app_digest() function 2024-09-23 15:37:13 +02:00
Daniel Jobson
698b2796ee
Remove types.h in favor of standard libs such as stdint, stddef 2024-09-23 15:37:13 +02:00
Daniel Jobson
81950ef7b2
fw: remove warning of missing prototypes when building with QEMU console
enabled.
2024-09-19 16:52:04 +02:00
Daniel Jobson
613316f53e
fw: simplify how to enable QEMU debug in firmware.
- Remove the define `NOCONSOLE`, add define `QEMU_CONSOLE`
- Inverse the use of it, add the define to have QEMU debug output in fw.
- Add a make target `qemu_firmware.elf` which builds the firmware with
  QEMU console enabled.

Co-authored-by: Mikael Ågren <mikael@tillitis.se>
2024-09-19 16:51:55 +02:00
Joachim Strömbergson
00599549e3
FPGA: Add system reset API
Add API address to trigger system reset.
      When written to will send system_reset signal
      to the reset generator, which then perform a complete
      reset cycle of the FPGA system.

Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-08-20 13:25:22 +02:00
Joachim Strömbergson
53c5e70795
FPGA: Update names for RAM randomization API
Update:
- README
- testbench
- Symbolic names and variables in fw
- registers
- port name and wires
- Update fpga and fw digests

Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-07-10 13:45:26 +02:00
Michael Cardell Widerkrantz
f1534e5dad
doc: Update and expand firmware README
- Remove all text about other software than firmware.
- Remove the Reset section.
- Include a diagram and detailed explanation about the state machine
  in close vicinity.
- Describe the test firmware.

Co-authored-by: Joachim Strömbergson <joachim@assured.se>
2024-07-01 17:09:22 +02:00
Michael Cardell Widerkrantz
cc16c8481c
doc: Move software.md to fw/README 2024-06-27 22:22:14 +02:00
dehanj
b4c525695a
Remove redundant RAM address and data scrambling
The RAM address and data scrambling API was called twice, once before filling
RAM with random values, and once after. Since moving to a significantly
better PRNG (xorwow) this is now deemed unnecessary. See issue #225.

This changes both FPGA and firmware hashes.
2024-06-13 12:54:47 +02:00
Joachim Strömbergson
92712a11bf
fw: zeroise FW-RAM instead of RAM
Modify the loop to zeroise the FW-RAM instead of the
RAM. RAM is filled with random data at the start of main().

Changes firmware and bitstream digests.

Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-06-12 18:11:10 +02:00
Joachim Strömbergson
3bc2453287
A construction of a minimal SPI master.
- NOTE: This is an optional feature, not built by default. Not included
  in the tk1 for sale at Tillitis shop.
- This makes it possible to interface the SPI flash onboard TKey.
- To include the SPI master in the build, use `make application_fpga.bin
  YOSYS_FLAG=-DINCLUDE_SPI_MASTER`.

Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-06-11 15:28:29 +02:00
Joachim Strömbergson
eade3e11c5
Fill RAM with random data using xorwow.
xorwow provides significantly better random data, compared to previously
used function. Making it harder to predict what data RAM is filled with.
It adds a startup time of approx 80 ms, but can be compensated with
optimising other parts of the startup routine.

This changes both firmware and fpga hashes.

Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-06-11 11:15:00 +02:00
dehanj
4bd249816a
fw: Remove unused header includes 2024-03-26 13:09:06 +01:00
dehanj
3a6a60ff26
fw: Protect zeroisation against compiler optimisation.
The memset() responsible for the zeroisation of the secure_ctx under
the compute_cdi() function in FW's main.c, was optimised away by the
compiler. Instead of using memset(), secure_wipe() is introduced
which uses a volatile keyword to prevent the compiler to try to
optimise it. Secure_wipe() is now used on all locations handling
removal of sensitive data.
2024-03-26 13:09:01 +01:00
Michael Cardell Widerkrantz
09c1f3f549
Silence splint somewhat
The only real changes are some unitialized variables and that we now
make explicit that we don't care about the return value from memset().
2024-03-22 11:03:13 +01:00
dehanj
2ff2e9a91d
fw: remove duplicate defines in tk1_mem.h 2024-03-21 10:28:51 +01:00
Michael Cardell Widerkrantz
661a6458c8
fw: Add missing TK1_MMIO_BASE
TK1_MMIO_BASE and _SIZE needed by at least qemu.
2024-03-21 10:09:38 +01:00
Michael Cardell Widerkrantz
4d4db70590
fw: Change ASLR name in MMIO
Use _RAM_ADDR_RAND instead of _RAM_ASLR since this is not OS-level
ASLR we're talking about. It's address randomization as seen from
outside of the CPU, not from the process running inside it. Ordinary
ASLR is visible from the CPU.
2024-03-19 14:36:31 +01:00
Michael Cardell Widerkrantz
f40987b138
fw: Change license for use with qemu
This file is also included in at least qemu (GPL-2.0-or-later) besides
tillitis-key1 (GPL-2.0-only) and tkey-libs (GPL-2.0-only) so it's
licensed as GPL v2 or later even if the rest of the project is -only.
2024-03-19 14:36:31 +01:00
Michael Cardell Widerkrantz
c48724e115
fw: Change memory constants to defines
Instead of putting  memory constant into an enum we use defines.

Use the direct memory address instead of ORing constants together to
compute the address.

An enum in ISO C is a signed int. Some of are memory addresses are to
large to fit in a signed int. This is not a problem since we're not
using ISO C (-std=gnu99) but it doesn't look very nice if you turn on
pedantic warnings. Also, if someone would use another compiler which
at least supports the inline assembly we use, but possible not other
GNU extensions, things would probably break.
2024-03-19 14:36:20 +01:00
Michael Cardell Widerkrantz
e085d0ebd0
Add void to function signatures meant to be used without args 2024-03-19 08:41:39 +01:00
Michael Cardell Widerkrantz
046343e525
Change memory constants to defines
Instead of putting  memory constant into an enum we use defines.

Use the direct memory address instead of ORing constants together to
compute the address.

An enum in ISO C is a signed int. Some of are memory addresses are to
large to fit in a signed int. This is not a problem since we're not
using ISO C (-std=gnu99) but it doesn't look very nice if you turn on
pedantic warnings. Also, if someone would use another compiler which
at least supports the inline assembly we use, but possible not other
GNU extensions, things would probably break.
2024-03-19 08:40:04 +01:00
Michael Cardell Widerkrantz
e2bd38c540
fw: Remove unusued forever_redflash()
Since we now use assert() and feed the CPU an unimplemented
instruction we have no need for this.
2024-03-18 16:19:59 +01:00
dehanj
9d36acde08
FW: Force the CPU to hang on errors 2024-03-14 15:48:10 +01:00
Joachim Strömbergson
6d0a761e65
Make memeq function side channel silent
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2023-07-04 09:04:23 +02:00
Daniel Lublin
9aece67a41
testfw: test read bytes from CDI
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-28 11:44:13 +02:00
Daniel Lublin
eeed342b96
testfw: make output slightly more readable
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-28 11:32:56 +02:00
Daniel Lublin
aa86c9d58c
testfw: compare UDS correctly, correct byte-order
Also don't let fwram success overwrite anyfailed

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-28 11:32:56 +02:00
Daniel Lublin
dcc6351f79
testfw: use a func for fail prints
Now testfw fits again (when built with -Os)

Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-28 11:32:56 +02:00
Daniel Lublin
bcac8eeaf4
testfw: update check for new known UDS; correctly and always print UDS
Signed-off-by: Daniel Lublin <daniel@lublin.se>
2023-03-28 11:32:56 +02:00
Michael Cardell Widerkrantz
c126199a41
fw: UDS not byte-readable
Since UDS is not byte-readable we copy it by word to local_uds. Now
UDS lives for a short while in local_uds on the stack in FW_RAM and in
the internal buffer of the blake2s context (also in FW_RAM) but is
very soon overwritten.
2023-03-27 16:24:02 +02:00
Michael Cardell Widerkrantz
fae2447344
testfw: Test UDS against known good 2023-03-27 16:24:02 +02:00
Michael Cardell Widerkrantz
cefb6ca9c1
fw: Change max frame size to 128 bytes 2023-03-27 10:58:16 +02:00
Michael Cardell Widerkrantz
c443ef8a3e
fw: clang-tidy and splint: New make target: check
Add clang-tidy and splint static analytics check. For now, we use only
the cert-* warnings on clang-tidy and run splint with a lot of flags
to allow more things.

Changes to silence these analytics:

- Stop returning stuff from our debug print functions. We don't check
  them anyway and we don't have any way of detecting transmission
  failure.

- Declare more things static that isn't used outside of a file.

- Change types to be more consistent, typically to size_t or
  something or to uint32_t.
2023-03-22 11:05:32 +01:00
Michael Cardell Widerkrantz
f622937918
fw: Don't use reserved or reserved-looking names 2023-03-22 11:05:26 +01:00
Michael Cardell Widerkrantz
709a4449ff
testfw: clang format 2023-03-16 15:08:36 +01:00