mirror of
https://github.com/trezor/trezor-firmware.git
synced 2024-11-13 19:18:56 +00:00
boardloader: flash option bytes, production changes
This commit is contained in:
mcudev
Pavol Rusnak
parent
15bdc59b46
commit
1737f17f43
@ -1,53 +1,107 @@
|
||||
#include STM32_HAL_H
|
||||
|
||||
#include "flash.h"
|
||||
#include "lowlevel.h"
|
||||
|
||||
#define WANTED_WRP (OB_WRP_SECTOR_0 | OB_WRP_SECTOR_1 | OB_WRP_SECTOR_2)
|
||||
#define WANTED_RDP (OB_RDP_LEVEL_2)
|
||||
#pragma GCC optimize("no-stack-protector") // applies to all functions in this file
|
||||
|
||||
void flash_set_option_bytes(void)
|
||||
#if PRODUCTION
|
||||
#define WANT_RDP_LEVEL (OB_RDP_LEVEL_2)
|
||||
#define WANT_WRP_SECTORS (OB_WRP_SECTOR_0 | OB_WRP_SECTOR_1 | OB_WRP_SECTOR_2)
|
||||
#else
|
||||
#define WANT_RDP_LEVEL (OB_RDP_LEVEL_0)
|
||||
#define WANT_WRP_SECTORS (0)
|
||||
#endif
|
||||
|
||||
#define WANT_BOR_LEVEL (OB_BOR_LEVEL3)
|
||||
|
||||
// reference RM0090 section 3.9.10; SPRMOD is 0 meaning PCROP disabled.; DB1M is 0 because we use 2MB dual-bank; BFB2 is 0 allowing boot from flash;
|
||||
#define FLASH_OPTCR_VALUE ( (((~WANT_WRP_SECTORS) << FLASH_OPTCR_nWRP_Pos) & FLASH_OPTCR_nWRP_Msk) | \
|
||||
(WANT_RDP_LEVEL << FLASH_OPTCR_RDP_Pos) | FLASH_OPTCR_nRST_STDBY | FLASH_OPTCR_nRST_STOP | FLASH_OPTCR_WDG_SW | WANT_BOR_LEVEL )
|
||||
|
||||
// reference RM0090 section 3.7.1 table 16
|
||||
#define OPTION_BYTES_RDP_USER_VALUE ((uint16_t) ((WANT_RDP_LEVEL << FLASH_OPTCR_RDP_Pos) | FLASH_OPTCR_nRST_STDBY | FLASH_OPTCR_nRST_STOP | FLASH_OPTCR_WDG_SW | WANT_BOR_LEVEL))
|
||||
#define OPTION_BYTES_BANK1_WRP_VALUE ((uint16_t) ((~WANT_WRP_SECTORS) & 0xFFFU))
|
||||
#define OPTION_BYTES_BANK2_WRP_VALUE ((uint16_t) 0xFFFU)
|
||||
|
||||
// reference RM0090 section 3.7.1 table 16. use 16 bit pointers because the top 48 bits are all reserved.
|
||||
#define OPTION_BYTES_RDP_USER (*(volatile uint16_t * const) 0x1FFFC000U)
|
||||
#define OPTION_BYTES_BANK1_WRP (*(volatile uint16_t * const) 0x1FFFC008U)
|
||||
#define OPTION_BYTES_BANK2_WRP (*(volatile uint16_t * const) 0x1FFEC008U)
|
||||
|
||||
uint32_t flash_wait_and_clear_status_flags(void)
|
||||
{
|
||||
FLASH_OBProgramInitTypeDef opts;
|
||||
|
||||
HAL_FLASHEx_OBGetConfig(&opts);
|
||||
|
||||
opts.OptionType = 0;
|
||||
|
||||
if (opts.WRPSector != WANTED_WRP) {
|
||||
opts.OptionType |= OPTIONBYTE_WRP;
|
||||
opts.WRPState = OB_WRPSTATE_ENABLE;
|
||||
opts.WRPSector = WANTED_WRP;
|
||||
opts.Banks = FLASH_BANK_1;
|
||||
}
|
||||
|
||||
if (opts.RDPLevel != WANTED_RDP) {
|
||||
opts.OptionType |= OPTIONBYTE_RDP;
|
||||
opts.RDPLevel = WANTED_RDP;
|
||||
}
|
||||
|
||||
if (opts.OptionType == 0) {
|
||||
return; // protections are configured
|
||||
}
|
||||
|
||||
// attempt to lock down the boardloader sectors
|
||||
HAL_FLASH_Unlock();
|
||||
HAL_FLASH_OB_Unlock();
|
||||
HAL_FLASHEx_OBProgram(&opts);
|
||||
HAL_FLASH_OB_Launch();
|
||||
HAL_FLASH_OB_Lock();
|
||||
HAL_FLASH_Lock();
|
||||
while(FLASH->SR & FLASH_SR_BSY); // wait for all previous flash operations to complete
|
||||
const uint32_t result = FLASH->SR & FLASH_STATUS_ALL_FLAGS; // get the current status flags
|
||||
FLASH->SR |= FLASH_STATUS_ALL_FLAGS; // clear all status flags
|
||||
return result;
|
||||
}
|
||||
|
||||
#define FLASH_OPTION_BYTES_1 (*(const uint64_t *)0x1FFFC000)
|
||||
#define FLASH_OPTION_BYTES_2 (*(const uint64_t *)0x1FFFC008)
|
||||
|
||||
secbool flash_check_option_bytes(void)
|
||||
{
|
||||
// RDP level 2 WRP for sectors 0, 1 and 2 flash option control register matches
|
||||
if (((FLASH_OPTION_BYTES_1 & 0xFFEC) == 0xCCEC) && ((FLASH_OPTION_BYTES_2 & 0x0FFF) == 0x0FF8) && (FLASH->OPTCR == 0x0FF8CCED)) {
|
||||
return sectrue;
|
||||
flash_wait_and_clear_status_flags();
|
||||
// check values stored in flash interface registers
|
||||
if ((FLASH->OPTCR & ~3) != FLASH_OPTCR_VALUE) { // ignore bits 0 and 1 because they are control bits
|
||||
return secfalse;
|
||||
}
|
||||
return secfalse;
|
||||
if (FLASH->OPTCR1 != FLASH_OPTCR1_nWRP) {
|
||||
return secfalse;
|
||||
}
|
||||
// check values stored in flash memory
|
||||
if ((OPTION_BYTES_RDP_USER & ~3) != OPTION_BYTES_RDP_USER_VALUE) { // bits 0 and 1 are unused
|
||||
return secfalse;
|
||||
}
|
||||
if ((OPTION_BYTES_BANK1_WRP & 0xCFFFU) != OPTION_BYTES_BANK1_WRP_VALUE) { // bits 12 and 13 are unused
|
||||
return secfalse;
|
||||
}
|
||||
if ((OPTION_BYTES_BANK2_WRP & 0xFFFU) != OPTION_BYTES_BANK2_WRP_VALUE) { // bits 12, 13, 14, and 15 are unused
|
||||
return secfalse;
|
||||
}
|
||||
return sectrue;
|
||||
}
|
||||
|
||||
void flash_lock_option_bytes(void)
|
||||
{
|
||||
FLASH->OPTCR |= FLASH_OPTCR_OPTLOCK; // lock the option bytes
|
||||
}
|
||||
|
||||
void flash_unlock_option_bytes(void)
|
||||
{
|
||||
if ((FLASH->OPTCR & FLASH_OPTCR_OPTLOCK) == 0) {
|
||||
return; // already unlocked
|
||||
}
|
||||
// reference RM0090 section 3.7.2
|
||||
// write the special sequence to unlock
|
||||
FLASH->OPTKEYR = FLASH_OPT_KEY1;
|
||||
FLASH->OPTKEYR = FLASH_OPT_KEY2;
|
||||
while (FLASH->OPTCR & FLASH_OPTCR_OPTLOCK); // wait until the flash option control register is unlocked
|
||||
}
|
||||
|
||||
uint32_t flash_set_option_bytes(void)
|
||||
{
|
||||
// reference RM0090 section 3.7.2
|
||||
flash_wait_and_clear_status_flags();
|
||||
flash_unlock_option_bytes();
|
||||
flash_wait_and_clear_status_flags();
|
||||
FLASH->OPTCR1 = FLASH_OPTCR1_nWRP; // no write protection on any sectors in bank 2
|
||||
FLASH->OPTCR = FLASH_OPTCR_VALUE; // WARNING: dev board safe unless you compile for PRODUCTION or change this value!!!
|
||||
FLASH->OPTCR |= FLASH_OPTCR_OPTSTRT; // begin committing changes to flash
|
||||
const uint32_t result = flash_wait_and_clear_status_flags(); // wait until changes are committed
|
||||
flash_lock_option_bytes();
|
||||
return result;
|
||||
}
|
||||
|
||||
secbool flash_configure_option_bytes(void)
|
||||
{
|
||||
if (sectrue == flash_check_option_bytes()) {
|
||||
return sectrue; // we DID NOT have to change the option bytes
|
||||
}
|
||||
|
||||
do {
|
||||
flash_set_option_bytes();
|
||||
} while(sectrue != flash_check_option_bytes());
|
||||
|
||||
return secfalse; // notify that we DID have to change the option bytes
|
||||
}
|
||||
|
||||
void periph_init(void)
|
||||
@ -80,7 +134,6 @@ void periph_init(void)
|
||||
|
||||
secbool reset_flags_init(void)
|
||||
{
|
||||
/*
|
||||
#if PRODUCTION
|
||||
// this is effective enough that it makes development painful, so only use it for production.
|
||||
// check the reset flags to assure that we arrive here due to a regular full power-on event,
|
||||
@ -89,7 +142,6 @@ secbool reset_flags_init(void)
|
||||
return secfalse;
|
||||
}
|
||||
#endif
|
||||
*/
|
||||
|
||||
RCC->CSR |= RCC_CSR_RMVF; // clear the reset flags
|
||||
|
||||
|
||||
@ -1,11 +1,15 @@
|
||||
#ifndef __BOARDLOADER_LOWLEVEL_H__
|
||||
#define __BOARDLOADER_LOWLEVEL_H__
|
||||
#ifndef BOARDLOADER_LOWLEVEL_H
|
||||
#define BOARDLOADER_LOWLEVEL_H
|
||||
|
||||
#include "secbool.h"
|
||||
|
||||
void flash_set_option_bytes(void);
|
||||
uint32_t flash_wait_and_clear_status_flags(void);
|
||||
secbool flash_check_option_bytes(void);
|
||||
void flash_lock_option_bytes(void);
|
||||
void flash_unlock_option_bytes(void);
|
||||
uint32_t flash_set_option_bytes(void);
|
||||
secbool flash_configure_option_bytes(void);
|
||||
void periph_init(void);
|
||||
secbool reset_flags_init(void);
|
||||
|
||||
#endif
|
||||
#endif // BOARDLOADER_LOWLEVEL_H
|
||||
|
||||
@ -146,23 +146,22 @@ static secbool copy_sdcard(void)
|
||||
|
||||
int main(void)
|
||||
{
|
||||
periph_init(); // need the systick timer running before the production flash (and many other HAL) operations
|
||||
|
||||
if (sectrue != reset_flags_init()) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
#if PRODUCTION
|
||||
flash_set_option_bytes();
|
||||
if (sectrue != flash_check_option_bytes()) {
|
||||
uint8_t sectors[] = {
|
||||
// need the systick timer running before many HAL operations.
|
||||
// want the PVD enabled before flash operations too.
|
||||
periph_init();
|
||||
|
||||
if (sectrue != flash_configure_option_bytes()) {
|
||||
const uint8_t sectors[] = {
|
||||
FLASH_SECTOR_STORAGE_1,
|
||||
FLASH_SECTOR_STORAGE_2,
|
||||
};
|
||||
flash_erase_sectors(sectors, 2, NULL);
|
||||
return 2;
|
||||
}
|
||||
#endif
|
||||
|
||||
clear_otg_hs_memory();
|
||||
|
||||
|
||||
@ -36,7 +36,7 @@ const uint32_t FLASH_SECTOR_TABLE[FLASH_SECTOR_COUNT + 1] = {
|
||||
secbool flash_unlock(void)
|
||||
{
|
||||
HAL_FLASH_Unlock();
|
||||
__HAL_FLASH_CLEAR_FLAG(FLASH_FLAG_EOP | FLASH_FLAG_OPERR | FLASH_FLAG_WRPERR | FLASH_FLAG_PGAERR | FLASH_FLAG_PGPERR | FLASH_FLAG_PGSERR);
|
||||
FLASH->SR |= FLASH_STATUS_ALL_FLAGS; // clear all status flags
|
||||
return sectrue;
|
||||
}
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
#ifndef __TREZORHAL_FLASH_H__
|
||||
#define __TREZORHAL_FLASH_H__
|
||||
#ifndef TREZORHAL_FLASH_H
|
||||
#define TREZORHAL_FLASH_H
|
||||
|
||||
#include <stdint.h>
|
||||
#include "secbool.h"
|
||||
@ -40,9 +40,10 @@
|
||||
|
||||
#define FLASH_SECTOR_COUNT 24
|
||||
|
||||
extern const uint32_t FLASH_SECTOR_TABLE[FLASH_SECTOR_COUNT + 1];
|
||||
// note: FLASH_SR_RDERR is STM32F42xxx and STM32F43xxx specific (STM32F427) (reference RM0090 section 3.7.5)
|
||||
#define FLASH_STATUS_ALL_FLAGS (FLASH_SR_RDERR | FLASH_SR_PGSERR | FLASH_SR_PGPERR | FLASH_SR_PGAERR | FLASH_SR_WRPERR | FLASH_SR_SOP | FLASH_SR_EOP)
|
||||
|
||||
void flash_set_option_bytes(void);
|
||||
extern const uint32_t FLASH_SECTOR_TABLE[FLASH_SECTOR_COUNT + 1];
|
||||
|
||||
secbool flash_unlock(void);
|
||||
secbool flash_lock(void);
|
||||
@ -59,4 +60,4 @@ secbool flash_otp_write(uint8_t block, uint8_t offset, const uint8_t *data, uint
|
||||
secbool flash_otp_lock(uint8_t block);
|
||||
secbool flash_otp_is_locked(uint8_t block);
|
||||
|
||||
#endif
|
||||
#endif // TREZORHAL_FLASH_H
|
||||
|
||||
Loading…
Reference in New Issue
Block a user