mirror of
https://github.com/trezor/trezor-firmware.git
synced 2024-12-26 00:08:10 +00:00
Supervisor Calls
Add Supervise interrupts to allow to do privileged operations like flashing from application code.
This commit is contained in:
parent
068f013bc6
commit
25e824aaa3
1
Makefile
1
Makefile
@ -14,6 +14,7 @@ endif
|
||||
|
||||
OBJS += util.o
|
||||
OBJS += memory.o
|
||||
OBJS += supervise.o
|
||||
|
||||
ifneq ($(EMULATOR),1)
|
||||
OBJS += timer.o
|
||||
|
@ -55,6 +55,7 @@
|
||||
#include "nem2.h"
|
||||
#include "rfc6979.h"
|
||||
#include "gettext.h"
|
||||
#include "supervise.h"
|
||||
|
||||
// message methods
|
||||
|
||||
@ -1687,14 +1688,14 @@ void fsm_msgDebugLinkMemoryWrite(DebugLinkMemoryWrite *msg)
|
||||
{
|
||||
uint32_t length = msg->memory.size;
|
||||
if (msg->flash) {
|
||||
flash_clear_status_flags();
|
||||
flash_unlock();
|
||||
svc_flash_unlock();
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
for (uint32_t i = 0; i < length; i += 4) {
|
||||
uint32_t word;
|
||||
memcpy(&word, msg->memory.bytes + i, 4);
|
||||
flash_program_word(msg->address + i, word);
|
||||
flash_write32(msg->address + i, word);
|
||||
}
|
||||
flash_lock();
|
||||
svc_flash_lock();
|
||||
} else {
|
||||
#if !EMULATOR
|
||||
memcpy((void *) msg->address, msg->memory.bytes, length);
|
||||
@ -1704,9 +1705,8 @@ void fsm_msgDebugLinkMemoryWrite(DebugLinkMemoryWrite *msg)
|
||||
|
||||
void fsm_msgDebugLinkFlashErase(DebugLinkFlashErase *msg)
|
||||
{
|
||||
flash_clear_status_flags();
|
||||
flash_unlock();
|
||||
flash_erase_sector(msg->sector, FLASH_CR_PROGRAM_X32);
|
||||
flash_lock();
|
||||
svc_flash_unlock();
|
||||
svc_flash_erase_sector(msg->sector);
|
||||
svc_flash_lock();
|
||||
}
|
||||
#endif
|
||||
|
@ -43,6 +43,7 @@
|
||||
#include "gettext.h"
|
||||
#include "u2f.h"
|
||||
#include "memzero.h"
|
||||
#include "supervise.h"
|
||||
|
||||
/* magic constant to check validity of storage block */
|
||||
static const uint32_t storage_magic = 0x726f7473; // 'stor' as uint32_t
|
||||
@ -119,11 +120,11 @@ void storage_show_error(void)
|
||||
shutdown();
|
||||
}
|
||||
|
||||
void storage_check_flash_errors(void)
|
||||
void storage_check_flash_errors(uint32_t status)
|
||||
{
|
||||
#if !EMULATOR
|
||||
// flash operation failed
|
||||
if (FLASH_SR & (FLASH_SR_PGAERR | FLASH_SR_PGPERR | FLASH_SR_PGSERR | FLASH_SR_WRPERR)) {
|
||||
if (status & (FLASH_SR_PGAERR | FLASH_SR_PGPERR | FLASH_SR_PGSERR | FLASH_SR_WRPERR)) {
|
||||
storage_show_error();
|
||||
}
|
||||
#endif
|
||||
@ -180,13 +181,12 @@ bool storage_from_flash(void)
|
||||
|
||||
// erase newly added fields
|
||||
if (old_storage_size != sizeof(Storage)) {
|
||||
flash_clear_status_flags();
|
||||
flash_unlock();
|
||||
svc_flash_unlock();
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
for (uint32_t offset = old_storage_size; offset < sizeof(Storage); offset += sizeof(uint32_t)) {
|
||||
flash_program_word(FLASH_STORAGE_START + sizeof(storage_magic) + sizeof(storage_uuid) + offset, 0);
|
||||
flash_write32(FLASH_STORAGE_START + sizeof(storage_magic) + sizeof(storage_uuid) + offset, 0);
|
||||
}
|
||||
flash_lock();
|
||||
storage_check_flash_errors();
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
}
|
||||
|
||||
if (version <= 5) {
|
||||
@ -195,17 +195,14 @@ bool storage_from_flash(void)
|
||||
if (pinctr > 31) {
|
||||
pinctr = 31;
|
||||
}
|
||||
flash_clear_status_flags();
|
||||
flash_unlock();
|
||||
svc_flash_unlock();
|
||||
// erase extra storage sector
|
||||
flash_erase_sector(FLASH_META_SECTOR_LAST, FLASH_CR_PROGRAM_X32);
|
||||
flash_program_word(FLASH_STORAGE_PINAREA, 0xffffffff << pinctr);
|
||||
// erase storageRom.has_pin_failed_attempts and storageRom.pin_failed_attempts
|
||||
_Static_assert(((FLASH_STORAGE + offsetof(Storage, pin_failed_attempts)) & 3) == 0, "storage.pin_failed_attempts unaligned");
|
||||
flash_program_byte(FLASH_STORAGE + offsetof(Storage, has_pin_failed_attempts), 0);
|
||||
flash_program_word(FLASH_STORAGE + offsetof(Storage, pin_failed_attempts), 0);
|
||||
flash_lock();
|
||||
storage_check_flash_errors();
|
||||
svc_flash_erase_sector(FLASH_META_SECTOR_LAST);
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
flash_write32(FLASH_STORAGE_PINAREA, 0xffffffff << pinctr);
|
||||
// storageRom.has_pin_failed_attempts and storageRom.pin_failed_attempts
|
||||
// are erased by storage_update below
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
}
|
||||
const uint32_t *u2fptr = (const uint32_t*) FLASH_PTR(FLASH_STORAGE_U2FAREA);
|
||||
while (*u2fptr == 0) {
|
||||
@ -257,7 +254,7 @@ void session_clear(bool clear_pin)
|
||||
|
||||
static uint32_t storage_flash_words(uint32_t addr, const uint32_t *src, int nwords) {
|
||||
for (int i = 0; i < nwords; i++) {
|
||||
flash_program_word(addr, *src++);
|
||||
flash_write32(addr, *src++);
|
||||
addr += sizeof(uint32_t);
|
||||
}
|
||||
return addr;
|
||||
@ -360,7 +357,8 @@ static void storage_commit_locked(bool update)
|
||||
memcpy(meta_backup, FLASH_PTR(FLASH_META_START), FLASH_META_DESC_LEN);
|
||||
|
||||
// erase storage
|
||||
flash_erase_sector(FLASH_META_SECTOR_FIRST, FLASH_CR_PROGRAM_X32);
|
||||
svc_flash_erase_sector(FLASH_META_SECTOR_FIRST);
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
|
||||
// copy meta back
|
||||
uint32_t flash = FLASH_META_START;
|
||||
@ -377,7 +375,7 @@ static void storage_commit_locked(bool update)
|
||||
|
||||
// fill remainder with zero for future extensions
|
||||
while (flash < FLASH_STORAGE_PINAREA) {
|
||||
flash_program_word(flash, 0);
|
||||
flash_write32(flash, 0);
|
||||
flash += sizeof(uint32_t);
|
||||
}
|
||||
}
|
||||
@ -389,11 +387,9 @@ void storage_clear_update(void)
|
||||
|
||||
void storage_update(void)
|
||||
{
|
||||
flash_clear_status_flags();
|
||||
flash_unlock();
|
||||
svc_flash_unlock();
|
||||
storage_commit_locked(true);
|
||||
flash_lock();
|
||||
storage_check_flash_errors();
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
}
|
||||
|
||||
static void storage_setNode(const HDNodeType *node) {
|
||||
@ -732,11 +728,9 @@ bool session_isPinCached(void)
|
||||
|
||||
void storage_clearPinArea(void)
|
||||
{
|
||||
flash_clear_status_flags();
|
||||
flash_unlock();
|
||||
flash_erase_sector(FLASH_META_SECTOR_LAST, FLASH_CR_PROGRAM_X32);
|
||||
flash_lock();
|
||||
storage_check_flash_errors();
|
||||
svc_flash_unlock();
|
||||
svc_flash_erase_sector(FLASH_META_SECTOR_LAST);
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
storage_u2f_offset = 0;
|
||||
}
|
||||
|
||||
@ -745,39 +739,38 @@ static void storage_area_recycle(uint32_t new_pinfails)
|
||||
{
|
||||
// first clear storage marker. In case of a failure below it is better
|
||||
// to clear the storage than to allow restarting with zero PIN failures
|
||||
flash_program_word(FLASH_STORAGE_START, 0);
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
flash_write32(FLASH_STORAGE_START, 0);
|
||||
if (*(const uint32_t *)FLASH_PTR(FLASH_STORAGE_START) != 0) {
|
||||
storage_show_error();
|
||||
}
|
||||
|
||||
// erase storage sector
|
||||
flash_erase_sector(FLASH_META_SECTOR_LAST, FLASH_CR_PROGRAM_X32);
|
||||
flash_program_word(FLASH_STORAGE_PINAREA, new_pinfails);
|
||||
if (*(const uint32_t *)FLASH_PTR(FLASH_STORAGE_PINAREA) != new_pinfails) {
|
||||
// erase pinarea/u2f sector
|
||||
svc_flash_erase_sector(FLASH_META_SECTOR_LAST);
|
||||
flash_write32(FLASH_STORAGE_PINAREA, new_pinfails);
|
||||
if (*(const volatile uint32_t *)FLASH_PTR(FLASH_STORAGE_PINAREA) != new_pinfails) {
|
||||
storage_show_error();
|
||||
}
|
||||
|
||||
if (storage_u2f_offset > 0) {
|
||||
storageUpdate.has_u2f_counter = true;
|
||||
storageUpdate.u2f_counter += storage_u2f_offset;
|
||||
storage_u2f_offset = 0;
|
||||
storage_commit_locked(true);
|
||||
}
|
||||
// restore storage sector
|
||||
storageUpdate.has_u2f_counter = true;
|
||||
storageUpdate.u2f_counter += storage_u2f_offset;
|
||||
storage_u2f_offset = 0;
|
||||
storage_commit_locked(true);
|
||||
}
|
||||
|
||||
void storage_resetPinFails(uint32_t flash_pinfails)
|
||||
{
|
||||
flash_clear_status_flags();
|
||||
flash_unlock();
|
||||
svc_flash_unlock();
|
||||
if (flash_pinfails + sizeof(uint32_t)
|
||||
>= FLASH_STORAGE_PINAREA + FLASH_STORAGE_PINAREA_LEN) {
|
||||
// recycle extra storage sector
|
||||
storage_area_recycle(0xffffffff);
|
||||
} else {
|
||||
flash_program_word(flash_pinfails, 0);
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
flash_write32(flash_pinfails, 0);
|
||||
}
|
||||
flash_lock();
|
||||
storage_check_flash_errors();
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
}
|
||||
|
||||
bool storage_increasePinFails(uint32_t flash_pinfails)
|
||||
@ -788,11 +781,10 @@ bool storage_increasePinFails(uint32_t flash_pinfails)
|
||||
if (!newctr)
|
||||
return true;
|
||||
|
||||
flash_clear_status_flags();
|
||||
flash_unlock();
|
||||
flash_program_word(flash_pinfails, newctr);
|
||||
flash_lock();
|
||||
storage_check_flash_errors();
|
||||
svc_flash_unlock();
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
flash_write32(flash_pinfails, newctr);
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
|
||||
return *(const uint32_t*)FLASH_PTR(flash_pinfails) == newctr;
|
||||
}
|
||||
@ -860,16 +852,15 @@ uint32_t storage_nextU2FCounter(void)
|
||||
sizeof(uint32_t) * (storage_u2f_offset / 32);
|
||||
uint32_t newval = 0xfffffffe << (storage_u2f_offset & 31);
|
||||
|
||||
flash_clear_status_flags();
|
||||
flash_unlock();
|
||||
flash_program_word(flash_u2f_offset, newval);
|
||||
svc_flash_unlock();
|
||||
svc_flash_program(FLASH_CR_PROGRAM_X32);
|
||||
flash_write32(flash_u2f_offset, newval);
|
||||
storage_u2f_offset++;
|
||||
if (storage_u2f_offset >= 8 * FLASH_STORAGE_U2FAREA_LEN) {
|
||||
storage_area_recycle(*(const uint32_t*)
|
||||
FLASH_PTR(storage_getPinFailsOffset()));
|
||||
}
|
||||
flash_lock();
|
||||
storage_check_flash_errors();
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
return storageRom->u2f_counter + storage_u2f_offset;
|
||||
}
|
||||
|
||||
@ -884,11 +875,9 @@ void storage_wipe(void)
|
||||
session_clear(true);
|
||||
storage_generate_uuid();
|
||||
|
||||
flash_clear_status_flags();
|
||||
flash_unlock();
|
||||
svc_flash_unlock();
|
||||
storage_commit_locked(false);
|
||||
flash_lock();
|
||||
storage_check_flash_errors();
|
||||
storage_check_flash_errors(svc_flash_lock());
|
||||
|
||||
storage_clearPinArea();
|
||||
}
|
||||
|
12
startup.s
12
startup.s
@ -60,4 +60,16 @@ shutdown:
|
||||
bl memset_reg
|
||||
b . // loop forever
|
||||
|
||||
.ltorg // dump literal pool (for the ldr ...,=... commands above)
|
||||
|
||||
.global sv_call_handler
|
||||
.type sv_call_handler, STT_FUNC
|
||||
|
||||
sv_call_handler:
|
||||
tst lr, #4
|
||||
ite eq
|
||||
mrseq r0, msp
|
||||
mrsne r0, psp
|
||||
b svc_handler_main
|
||||
|
||||
.end
|
||||
|
88
supervise.c
Normal file
88
supervise.c
Normal file
@ -0,0 +1,88 @@
|
||||
/*
|
||||
* This file is part of the TREZOR project, https://trezor.io/
|
||||
*
|
||||
* Copyright (C) 2018 Jochen Hoenicke <hoenicke@gmail.com>
|
||||
*
|
||||
* This library is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public License
|
||||
* along with this library. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#include <libopencm3/stm32/flash.h>
|
||||
#include <stdint.h>
|
||||
#include "supervise.h"
|
||||
#include "memory.h"
|
||||
|
||||
static void svhandler_flash_unlock(void) {
|
||||
flash_clear_status_flags();
|
||||
flash_unlock();
|
||||
}
|
||||
|
||||
static void svhandler_flash_program(uint32_t psize) {
|
||||
/* Wait for any write operation to complete. */
|
||||
flash_wait_for_last_operation();
|
||||
/* check program size argument */
|
||||
if (psize != FLASH_CR_PROGRAM_X8
|
||||
&& psize != FLASH_CR_PROGRAM_X16
|
||||
&& psize != FLASH_CR_PROGRAM_X32
|
||||
&& psize != FLASH_CR_PROGRAM_X64)
|
||||
return;
|
||||
FLASH_CR = (FLASH_CR & ~(FLASH_CR_PROGRAM_MASK << FLASH_CR_PROGRAM_SHIFT))
|
||||
| (psize << FLASH_CR_PROGRAM_SHIFT);
|
||||
FLASH_CR |= FLASH_CR_PG;
|
||||
}
|
||||
|
||||
static void svhandler_flash_erase_sector(uint16_t sector) {
|
||||
/* we only allow erasing meta sectors 2 and 3. */
|
||||
if (sector < FLASH_META_SECTOR_FIRST ||
|
||||
sector > FLASH_META_SECTOR_LAST) {
|
||||
return;
|
||||
}
|
||||
flash_erase_sector(sector, FLASH_CR_PROGRAM_X32);
|
||||
}
|
||||
|
||||
static uint32_t svhandler_flash_lock(void) {
|
||||
/* Wait for any write operation to complete. */
|
||||
flash_wait_for_last_operation();
|
||||
/* Disable writes to flash. */
|
||||
FLASH_CR &= ~FLASH_CR_PG;
|
||||
/* lock flash register */
|
||||
FLASH_CR |= FLASH_CR_LOCK;
|
||||
/* return flash status register */
|
||||
return FLASH_SR;
|
||||
}
|
||||
|
||||
extern volatile uint32_t system_millis;
|
||||
|
||||
void svc_handler_main(uint32_t *stack) {
|
||||
uint8_t svc_number = ((uint8_t*) stack[6])[-2];
|
||||
switch (svc_number) {
|
||||
case SVC_FLASH_UNLOCK:
|
||||
svhandler_flash_unlock();
|
||||
break;
|
||||
case SVC_FLASH_PROGRAM:
|
||||
svhandler_flash_program(stack[0]);
|
||||
break;
|
||||
case SVC_FLASH_ERASE:
|
||||
svhandler_flash_erase_sector(stack[0]);
|
||||
break;
|
||||
case SVC_FLASH_LOCK:
|
||||
stack[0] = svhandler_flash_lock();
|
||||
break;
|
||||
case SVC_TIMER_MS:
|
||||
stack[0] = system_millis;
|
||||
break;
|
||||
default:
|
||||
stack[0] = 0xffffffff;
|
||||
break;
|
||||
}
|
||||
}
|
77
supervise.h
Normal file
77
supervise.h
Normal file
@ -0,0 +1,77 @@
|
||||
/*
|
||||
* This file is part of the TREZOR project, https://trezor.io/
|
||||
*
|
||||
* Copyright (C) 2018 Jochen Hoenicke <hoenicke@gmail.com>
|
||||
*
|
||||
* This library is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public License
|
||||
* along with this library. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#ifndef __SUPERVISE_H__
|
||||
#define __SUPERVISE_H__
|
||||
|
||||
#define SVC_FLASH_UNLOCK 0
|
||||
#define SVC_FLASH_ERASE 1
|
||||
#define SVC_FLASH_PROGRAM 2
|
||||
#define SVC_FLASH_LOCK 3
|
||||
#define SVC_TIMER_MS 4
|
||||
|
||||
/* Unlocks flash. This function needs to be called before programming
|
||||
* or erasing. Multiple calls of flash_program and flash_erase can
|
||||
* follow and should be completed with flash_lock().
|
||||
*/
|
||||
inline void svc_flash_unlock(void) {
|
||||
__asm__ __volatile__ ("svc %0" :: "i" (SVC_FLASH_UNLOCK) : "memory");
|
||||
}
|
||||
|
||||
/* Enable flash write operations.
|
||||
* @param program_size (8-bit, 16-bit, 32-bit or 64-bit)
|
||||
* should be one of the FLASH_CR_PROGRAM_X.. constants
|
||||
*/
|
||||
inline void svc_flash_program(uint32_t program_size) {
|
||||
register uint32_t r0 __asm__("r0") = program_size;
|
||||
__asm__ __volatile__ ("svc %0" :: "i" (SVC_FLASH_PROGRAM), "r" (r0) : "memory");
|
||||
}
|
||||
|
||||
/* Erase a flash sector.
|
||||
* @param sector sector number 0..11
|
||||
* (this only allows erasing meta sectors 2 and 3 though).
|
||||
*/
|
||||
inline void svc_flash_erase_sector(uint8_t sector) {
|
||||
register uint32_t r0 __asm__("r0") = sector;
|
||||
__asm__ __volatile__ ("svc %0" :: "i" (SVC_FLASH_ERASE), "r" (r0) : "memory");
|
||||
}
|
||||
|
||||
/* Lock flash after programming or erasing.
|
||||
* @return flash status register (FLASH_SR)
|
||||
*/
|
||||
inline uint32_t svc_flash_lock(void) {
|
||||
register uint32_t r0 __asm__("r0");
|
||||
__asm__ __volatile__ ("svc %1" : "=r" (r0) : "i" (SVC_FLASH_LOCK) : "memory");
|
||||
return r0;
|
||||
}
|
||||
|
||||
inline uint32_t svc_timer_ms(void) {
|
||||
register uint32_t r0 __asm__("r0");
|
||||
__asm__ __volatile__ ("svc %1" : "=r" (r0) : "i" (SVC_TIMER_MS) : "memory");
|
||||
return r0;
|
||||
}
|
||||
|
||||
inline void flash_write32(uint32_t addr, uint32_t word) {
|
||||
*((volatile uint32_t *) addr) = word;
|
||||
}
|
||||
inline void flash_write8(uint32_t addr, uint8_t byte) {
|
||||
*((volatile uint8_t *) addr) = byte;
|
||||
}
|
||||
|
||||
#endif
|
8
timer.h
8
timer.h
@ -21,18 +21,14 @@
|
||||
#define __TIMER_H__
|
||||
|
||||
#include <stdint.h>
|
||||
#include "supervise.h"
|
||||
|
||||
void timer_init(void);
|
||||
|
||||
#if EMULATOR
|
||||
uint32_t timer_ms(void);
|
||||
#else
|
||||
static inline uint32_t timer_ms(void) {
|
||||
/* 1 tick = 1 ms */
|
||||
extern volatile uint32_t system_millis;
|
||||
|
||||
return system_millis;
|
||||
}
|
||||
#define timer_ms svc_timer_ms
|
||||
#endif
|
||||
|
||||
#endif
|
||||
|
Loading…
Reference in New Issue
Block a user