Supervisor Calls

Add Supervise interrupts to allow to do privileged operations like flashing from application code.
2024-11-22 07:28:10 +00:00 · 2018-03-16 21:40:39 +01:00 · 2018-03-16 21:40:39 +01:00 · 25e824aaa3
commit 25e824aaa3
parent 068f013bc6
7 changed files with 236 additions and 73 deletions
--- a/1
+++ b/1
@ -14,6 +14,7 @@ endif

 OBJS += util.o
 OBJS += memory.o
+OBJS += supervise.o

 ifneq ($(EMULATOR),1)
 OBJS += timer.o
--- a/firmware/fsm.c
+++ b/firmware/fsm.c
@ -55,6 +55,7 @@
 #include "nem2.h"
 #include "rfc6979.h"
 #include "gettext.h"
+#include "supervise.h"

 // message methods

@ -1687,14 +1688,14 @@ void fsm_msgDebugLinkMemoryWrite(DebugLinkMemoryWrite *msg)
 {
 	uint32_t length = msg->memory.size;
 	if (msg->flash) {
-		flash_clear_status_flags();
-		flash_unlock();
+		svc_flash_unlock();
+		svc_flash_program(FLASH_CR_PROGRAM_X32);
 		for (uint32_t i = 0; i < length; i += 4) {
 			uint32_t word;
 			memcpy(&word, msg->memory.bytes + i, 4);
-			flash_program_word(msg->address + i, word);
+			flash_write32(msg->address + i, word);
 		}
-		flash_lock();
+		svc_flash_lock();
 	} else {
 #if !EMULATOR
 		memcpy((void *) msg->address, msg->memory.bytes, length);
@ -1704,9 +1705,8 @@ void fsm_msgDebugLinkMemoryWrite(DebugLinkMemoryWrite *msg)

 void fsm_msgDebugLinkFlashErase(DebugLinkFlashErase *msg)
 {
-	flash_clear_status_flags();
-	flash_unlock();
-	flash_erase_sector(msg->sector, FLASH_CR_PROGRAM_X32);
-	flash_lock();
+	svc_flash_unlock();
+	svc_flash_erase_sector(msg->sector);
+	svc_flash_lock();
 }
 #endif
--- a/firmware/storage.c
+++ b/firmware/storage.c
@ -43,6 +43,7 @@
 #include "gettext.h"
 #include "u2f.h"
 #include "memzero.h"
+#include "supervise.h"

 /* magic constant to check validity of storage block */
 static const uint32_t storage_magic = 0x726f7473;   // 'stor' as uint32_t
@ -119,11 +120,11 @@ void storage_show_error(void)
 	shutdown();
 }

-void storage_check_flash_errors(void)
+void storage_check_flash_errors(uint32_t status)
 {
 #if !EMULATOR
 	// flash operation failed
-	if (FLASH_SR & (FLASH_SR_PGAERR | FLASH_SR_PGPERR | FLASH_SR_PGSERR | FLASH_SR_WRPERR)) {
+	if (status & (FLASH_SR_PGAERR | FLASH_SR_PGPERR | FLASH_SR_PGSERR | FLASH_SR_WRPERR)) {
 		storage_show_error();
 	}
 #endif
@ -180,13 +181,12 @@ bool storage_from_flash(void)

 	// erase newly added fields
 	if (old_storage_size != sizeof(Storage)) {
-		flash_clear_status_flags();
-		flash_unlock();
+		svc_flash_unlock();
+		svc_flash_program(FLASH_CR_PROGRAM_X32);
 		for (uint32_t offset = old_storage_size; offset < sizeof(Storage); offset += sizeof(uint32_t)) {
-			flash_program_word(FLASH_STORAGE_START + sizeof(storage_magic) + sizeof(storage_uuid) + offset, 0);
+			flash_write32(FLASH_STORAGE_START + sizeof(storage_magic) + sizeof(storage_uuid) + offset, 0);
 		}
-		flash_lock();
-		storage_check_flash_errors();
+		storage_check_flash_errors(svc_flash_lock());
 	}

 	if (version <= 5) {
@ -195,17 +195,14 @@ bool storage_from_flash(void)
 		if (pinctr > 31) {
 			pinctr = 31;
 		}
-		flash_clear_status_flags();
-		flash_unlock();
+		svc_flash_unlock();
 		// erase extra storage sector
-		flash_erase_sector(FLASH_META_SECTOR_LAST, FLASH_CR_PROGRAM_X32);
-		flash_program_word(FLASH_STORAGE_PINAREA, 0xffffffff << pinctr);
-		// erase storageRom.has_pin_failed_attempts and storageRom.pin_failed_attempts
-		_Static_assert(((FLASH_STORAGE + offsetof(Storage, pin_failed_attempts)) & 3) == 0, "storage.pin_failed_attempts unaligned");
-		flash_program_byte(FLASH_STORAGE + offsetof(Storage, has_pin_failed_attempts), 0);
-		flash_program_word(FLASH_STORAGE + offsetof(Storage, pin_failed_attempts), 0);
-		flash_lock();
-		storage_check_flash_errors();
+		svc_flash_erase_sector(FLASH_META_SECTOR_LAST);
+		svc_flash_program(FLASH_CR_PROGRAM_X32);
+		flash_write32(FLASH_STORAGE_PINAREA, 0xffffffff << pinctr);
+		// storageRom.has_pin_failed_attempts and storageRom.pin_failed_attempts
+		// are erased by storage_update below
+		storage_check_flash_errors(svc_flash_lock());
 	}
 	const uint32_t *u2fptr = (const uint32_t*) FLASH_PTR(FLASH_STORAGE_U2FAREA);
 	while (*u2fptr == 0) {
@ -257,7 +254,7 @@ void session_clear(bool clear_pin)

 static uint32_t storage_flash_words(uint32_t addr, const uint32_t *src, int nwords) {
 	for (int i = 0; i < nwords; i++) {
-		flash_program_word(addr, *src++);
+		flash_write32(addr, *src++);
 		addr += sizeof(uint32_t);
 	}
 	return addr;
@ -360,7 +357,8 @@ static void storage_commit_locked(bool update)
 	memcpy(meta_backup, FLASH_PTR(FLASH_META_START), FLASH_META_DESC_LEN);

 	// erase storage
-	flash_erase_sector(FLASH_META_SECTOR_FIRST, FLASH_CR_PROGRAM_X32);
+	svc_flash_erase_sector(FLASH_META_SECTOR_FIRST);
+	svc_flash_program(FLASH_CR_PROGRAM_X32);

 	// copy meta back
 	uint32_t flash = FLASH_META_START;
@ -377,7 +375,7 @@ static void storage_commit_locked(bool update)

 	// fill remainder with zero for future extensions
 	while (flash < FLASH_STORAGE_PINAREA) {
-		flash_program_word(flash, 0);
+		flash_write32(flash, 0);
 		flash += sizeof(uint32_t);
 	}
 }
@ -389,11 +387,9 @@ void storage_clear_update(void)

 void storage_update(void)
 {
-	flash_clear_status_flags();
-	flash_unlock();
+	svc_flash_unlock();
 	storage_commit_locked(true);
-	flash_lock();
-	storage_check_flash_errors();
+	storage_check_flash_errors(svc_flash_lock());
 }

 static void storage_setNode(const HDNodeType *node) {
@ -732,11 +728,9 @@ bool session_isPinCached(void)

 void storage_clearPinArea(void)
 {
-	flash_clear_status_flags();
-	flash_unlock();
-	flash_erase_sector(FLASH_META_SECTOR_LAST, FLASH_CR_PROGRAM_X32);
-	flash_lock();
-	storage_check_flash_errors();
+	svc_flash_unlock();
+	svc_flash_erase_sector(FLASH_META_SECTOR_LAST);
+	storage_check_flash_errors(svc_flash_lock());
 	storage_u2f_offset = 0;
 }

@ -745,39 +739,38 @@ static void storage_area_recycle(uint32_t new_pinfails)
 {
 	// first clear storage marker.  In case of a failure below it is better
 	// to clear the storage than to allow restarting with zero PIN failures
-	flash_program_word(FLASH_STORAGE_START, 0);
+	svc_flash_program(FLASH_CR_PROGRAM_X32);
+	flash_write32(FLASH_STORAGE_START, 0);
 	if (*(const uint32_t *)FLASH_PTR(FLASH_STORAGE_START) != 0) {
 		storage_show_error();
 	}

-	// erase storage sector
-	flash_erase_sector(FLASH_META_SECTOR_LAST, FLASH_CR_PROGRAM_X32);
-	flash_program_word(FLASH_STORAGE_PINAREA, new_pinfails);
-	if (*(const uint32_t *)FLASH_PTR(FLASH_STORAGE_PINAREA) != new_pinfails) {
+	// erase pinarea/u2f sector
+	svc_flash_erase_sector(FLASH_META_SECTOR_LAST);
+	flash_write32(FLASH_STORAGE_PINAREA, new_pinfails);
+	if (*(const volatile uint32_t *)FLASH_PTR(FLASH_STORAGE_PINAREA) != new_pinfails) {
 		storage_show_error();
 	}

-	if (storage_u2f_offset > 0) {
-		storageUpdate.has_u2f_counter = true;
-		storageUpdate.u2f_counter += storage_u2f_offset;
-		storage_u2f_offset = 0;
-		storage_commit_locked(true);
-	}
+	// restore storage sector
+	storageUpdate.has_u2f_counter = true;
+	storageUpdate.u2f_counter += storage_u2f_offset;
+	storage_u2f_offset = 0;
+	storage_commit_locked(true);
 }

 void storage_resetPinFails(uint32_t flash_pinfails)
 {
-	flash_clear_status_flags();
-	flash_unlock();
+	svc_flash_unlock();
 	if (flash_pinfails + sizeof(uint32_t)
 		>= FLASH_STORAGE_PINAREA + FLASH_STORAGE_PINAREA_LEN) {
 		// recycle extra storage sector
 		storage_area_recycle(0xffffffff);
 	} else {
-		flash_program_word(flash_pinfails, 0);
+		svc_flash_program(FLASH_CR_PROGRAM_X32);
+		flash_write32(flash_pinfails, 0);
 	}
-	flash_lock();
-	storage_check_flash_errors();
+	storage_check_flash_errors(svc_flash_lock());
 }

 bool storage_increasePinFails(uint32_t flash_pinfails)
@ -788,11 +781,10 @@ bool storage_increasePinFails(uint32_t flash_pinfails)
 	if (!newctr)
 		return true;

-	flash_clear_status_flags();
-	flash_unlock();
-	flash_program_word(flash_pinfails, newctr);
-	flash_lock();
-	storage_check_flash_errors();
+	svc_flash_unlock();
+	svc_flash_program(FLASH_CR_PROGRAM_X32);
+	flash_write32(flash_pinfails, newctr);
+	storage_check_flash_errors(svc_flash_lock());

 	return *(const uint32_t*)FLASH_PTR(flash_pinfails) == newctr;
 }
@ -860,16 +852,15 @@ uint32_t storage_nextU2FCounter(void)
 		sizeof(uint32_t) * (storage_u2f_offset / 32);
 	uint32_t newval = 0xfffffffe << (storage_u2f_offset & 31);

-	flash_clear_status_flags();
-	flash_unlock();
-	flash_program_word(flash_u2f_offset, newval);
+	svc_flash_unlock();
+	svc_flash_program(FLASH_CR_PROGRAM_X32);
+	flash_write32(flash_u2f_offset, newval);
 	storage_u2f_offset++;
 	if (storage_u2f_offset >= 8 * FLASH_STORAGE_U2FAREA_LEN) {
 		storage_area_recycle(*(const uint32_t*)
 							 FLASH_PTR(storage_getPinFailsOffset()));
 	}
-	flash_lock();
-	storage_check_flash_errors();
+	storage_check_flash_errors(svc_flash_lock());
 	return storageRom->u2f_counter + storage_u2f_offset;
 }

@ -884,11 +875,9 @@ void storage_wipe(void)
 	session_clear(true);
 	storage_generate_uuid();

-	flash_clear_status_flags();
-	flash_unlock();
+	svc_flash_unlock();
 	storage_commit_locked(false);
-	flash_lock();
-	storage_check_flash_errors();
+	storage_check_flash_errors(svc_flash_lock());

 	storage_clearPinArea();
 }
--- a/startup.s
+++ b/startup.s
@ -60,4 +60,16 @@ shutdown:
  bl memset_reg
  b . // loop forever

+  .ltorg // dump literal pool (for the ldr ...,=... commands above)
+
+  .global sv_call_handler
+  .type sv_call_handler, STT_FUNC
+
+sv_call_handler:
+  tst lr, #4
+  ite eq
+  mrseq r0, msp
+  mrsne r0, psp
+  b svc_handler_main
+
  .end
--- a/supervise.c
+++ b/supervise.c
@ -0,0 +1,88 @@
+/*
+ * This file is part of the TREZOR project, https://trezor.io/
+ *
+ * Copyright (C) 2018 Jochen Hoenicke <hoenicke@gmail.com>
+ *
+ * This library is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <libopencm3/stm32/flash.h>
+#include <stdint.h>
+#include "supervise.h"
+#include "memory.h"
+
+static void svhandler_flash_unlock(void) {
+	flash_clear_status_flags();
+	flash_unlock();
+}
+
+static void svhandler_flash_program(uint32_t psize) {
+	/* Wait for any write operation to complete. */
+	flash_wait_for_last_operation();
+	/* check program size argument */
+	if (psize != FLASH_CR_PROGRAM_X8
+		&& psize != FLASH_CR_PROGRAM_X16
+		&& psize != FLASH_CR_PROGRAM_X32
+		&& psize != FLASH_CR_PROGRAM_X64)
+		return;
+	FLASH_CR = (FLASH_CR & ~(FLASH_CR_PROGRAM_MASK << FLASH_CR_PROGRAM_SHIFT))
+		| (psize << FLASH_CR_PROGRAM_SHIFT);
+	FLASH_CR |= FLASH_CR_PG;
+}
+
+static void svhandler_flash_erase_sector(uint16_t sector) {
+	/* we  only allow erasing meta sectors 2 and 3. */
+	if (sector < FLASH_META_SECTOR_FIRST ||
+		sector > FLASH_META_SECTOR_LAST) {
+		return;
+	}
+	flash_erase_sector(sector, FLASH_CR_PROGRAM_X32);
+}
+
+static uint32_t svhandler_flash_lock(void) {
+	/* Wait for any write operation to complete. */
+	flash_wait_for_last_operation();
+	/* Disable writes to flash. */
+	FLASH_CR &= ~FLASH_CR_PG;
+	/* lock flash register */
+	FLASH_CR |= FLASH_CR_LOCK;
+	/* return flash status register */
+	return FLASH_SR;
+}
+
+extern volatile uint32_t system_millis;
+
+void svc_handler_main(uint32_t *stack) {
+	uint8_t svc_number = ((uint8_t*) stack[6])[-2];
+	switch (svc_number) {
+	case SVC_FLASH_UNLOCK:
+		svhandler_flash_unlock();
+		break;
+	case SVC_FLASH_PROGRAM:
+		svhandler_flash_program(stack[0]);
+		break;
+	case SVC_FLASH_ERASE:
+		svhandler_flash_erase_sector(stack[0]);
+		break;
+	case SVC_FLASH_LOCK:
+		stack[0] = svhandler_flash_lock();
+		break;
+	case SVC_TIMER_MS:
+		stack[0] = system_millis;
+		break;
+	default:
+		stack[0] = 0xffffffff;
+		break;
+	}
+}
--- a/supervise.h
+++ b/supervise.h
@ -0,0 +1,77 @@
+/*
+ * This file is part of the TREZOR project, https://trezor.io/
+ *
+ * Copyright (C) 2018 Jochen Hoenicke <hoenicke@gmail.com>
+ *
+ * This library is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __SUPERVISE_H__
+#define __SUPERVISE_H__
+
+#define SVC_FLASH_UNLOCK  0
+#define SVC_FLASH_ERASE   1
+#define SVC_FLASH_PROGRAM 2
+#define SVC_FLASH_LOCK    3
+#define SVC_TIMER_MS      4
+
+/* Unlocks flash.  This function needs to be called before programming
+ * or erasing. Multiple calls of flash_program and flash_erase can
+ * follow and should be completed with flash_lock().
+ */
+inline void svc_flash_unlock(void) {
+	__asm__ __volatile__ ("svc %0" :: "i" (SVC_FLASH_UNLOCK) : "memory");
+}
+
+/* Enable flash write operations.
+ * @param program_size (8-bit, 16-bit, 32-bit or 64-bit)
+ *       should be one of the FLASH_CR_PROGRAM_X.. constants
+ */
+inline void svc_flash_program(uint32_t program_size) {
+	register uint32_t r0 __asm__("r0") = program_size;
+	__asm__ __volatile__ ("svc %0" :: "i" (SVC_FLASH_PROGRAM), "r" (r0) : "memory");
+}
+
+/* Erase a flash sector.
+ * @param sector sector number 0..11 
+ *    (this only allows erasing meta sectors 2 and 3 though).
+ */
+inline void svc_flash_erase_sector(uint8_t sector) {
+	register uint32_t r0 __asm__("r0") = sector;
+	__asm__ __volatile__ ("svc %0" :: "i" (SVC_FLASH_ERASE), "r" (r0) : "memory");
+}
+
+/* Lock flash after programming or erasing.
+ * @return flash status register (FLASH_SR)
+ */
+inline uint32_t svc_flash_lock(void) {
+	register uint32_t r0 __asm__("r0");
+	__asm__ __volatile__ ("svc %1" : "=r" (r0) : "i" (SVC_FLASH_LOCK) : "memory");
+	return r0;
+}
+
+inline uint32_t svc_timer_ms(void) {
+	register uint32_t r0 __asm__("r0");
+	__asm__ __volatile__ ("svc %1" : "=r" (r0) : "i" (SVC_TIMER_MS) : "memory");
+	return r0;
+}
+
+inline void flash_write32(uint32_t addr, uint32_t word) {
+	*((volatile uint32_t *) addr) = word;
+}
+inline void flash_write8(uint32_t addr, uint8_t byte) {
+	*((volatile uint8_t *) addr) = byte;
+}
+
+#endif
--- a/timer.h
+++ b/timer.h
@ -21,18 +21,14 @@
 #define __TIMER_H__

 #include <stdint.h>
+#include "supervise.h"

 void timer_init(void);

 #if EMULATOR
 uint32_t timer_ms(void);
 #else
-static inline uint32_t timer_ms(void) {
-        /* 1 tick = 1 ms */
-        extern volatile uint32_t system_millis;
-
-        return system_millis;
-}
+#define timer_ms svc_timer_ms
 #endif

 #endif