
Supervisor Calls

Add supervisor call interrupts to allow privileged operations, such as
flashing, to be performed from application code.
This commit is contained in:
Jochen Hoenicke 2018-03-16 21:40:39 +01:00 committed by Pavol Rusnak
parent 068f013bc6
commit 25e824aaa3
No known key found for this signature in database
GPG Key ID: 91F3B339B9A02A3D
7 changed files with 236 additions and 73 deletions


@ -14,6 +14,7 @@ endif
OBJS += util.o
OBJS += memory.o
OBJS += supervise.o
ifneq ($(EMULATOR),1)
OBJS += timer.o


@ -55,6 +55,7 @@
#include "nem2.h"
#include "rfc6979.h"
#include "gettext.h"
#include "supervise.h"
// message methods
@ -1687,14 +1688,14 @@ void fsm_msgDebugLinkMemoryWrite(DebugLinkMemoryWrite *msg)
{
uint32_t length = msg->memory.size;
if (msg->flash) {
flash_clear_status_flags();
flash_unlock();
svc_flash_unlock();
svc_flash_program(FLASH_CR_PROGRAM_X32);
for (uint32_t i = 0; i < length; i += 4) {
uint32_t word;
memcpy(&word, msg->memory.bytes + i, 4);
flash_program_word(msg->address + i, word);
flash_write32(msg->address + i, word);
}
flash_lock();
svc_flash_lock();
} else {
#if !EMULATOR
memcpy((void *) msg->address, msg->memory.bytes, length);
@ -1704,9 +1705,8 @@ void fsm_msgDebugLinkMemoryWrite(DebugLinkMemoryWrite *msg)
void fsm_msgDebugLinkFlashErase(DebugLinkFlashErase *msg)
{
flash_clear_status_flags();
flash_unlock();
flash_erase_sector(msg->sector, FLASH_CR_PROGRAM_X32);
flash_lock();
svc_flash_unlock();
svc_flash_erase_sector(msg->sector);
svc_flash_lock();
}
#endif
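Review bot: In both fsm_msgDebugLinkMemoryWrite and fsm_msgDebugLinkFlashErase the value returned by `svc_flash_lock();` (the FLASH_SR status that svhandler_flash_lock hands back) is discarded, so a failed program or erase on the debug path is never noticed, while every other caller in this commit passes it to storage_check_flash_errors. If the debug path deliberately skips the check, a one-line comment saying so would help; otherwise `storage_check_flash_errors(svc_flash_lock());` keeps the two paths consistent (assuming storage.h is already included here, as the rest of fsm.c uses the storage API). The else branch of fsm_msgDebugLinkMemoryWrite continues past the first hunk.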


@ -43,6 +43,7 @@
#include "gettext.h"
#include "u2f.h"
#include "memzero.h"
#include "supervise.h"
/* magic constant to check validity of storage block */
static const uint32_t storage_magic = 0x726f7473; // 'stor' as uint32_t
@ -119,11 +120,11 @@ void storage_show_error(void)
shutdown();
}
void storage_check_flash_errors(void)
void storage_check_flash_errors(uint32_t status)
{
#if !EMULATOR
// flash operation failed
if (FLASH_SR & (FLASH_SR_PGAERR | FLASH_SR_PGPERR | FLASH_SR_PGSERR | FLASH_SR_WRPERR)) {
if (status & (FLASH_SR_PGAERR | FLASH_SR_PGPERR | FLASH_SR_PGSERR | FLASH_SR_WRPERR)) {
storage_show_error();
}
#endif
@ -180,13 +181,12 @@ bool storage_from_flash(void)
// erase newly added fields
if (old_storage_size != sizeof(Storage)) {
flash_clear_status_flags();
flash_unlock();
svc_flash_unlock();
svc_flash_program(FLASH_CR_PROGRAM_X32);
for (uint32_t offset = old_storage_size; offset < sizeof(Storage); offset += sizeof(uint32_t)) {
flash_program_word(FLASH_STORAGE_START + sizeof(storage_magic) + sizeof(storage_uuid) + offset, 0);
flash_write32(FLASH_STORAGE_START + sizeof(storage_magic) + sizeof(storage_uuid) + offset, 0);
}
flash_lock();
storage_check_flash_errors();
storage_check_flash_errors(svc_flash_lock());
}
if (version <= 5) {
@ -195,17 +195,14 @@ bool storage_from_flash(void)
if (pinctr > 31) {
pinctr = 31;
}
flash_clear_status_flags();
flash_unlock();
svc_flash_unlock();
// erase extra storage sector
flash_erase_sector(FLASH_META_SECTOR_LAST, FLASH_CR_PROGRAM_X32);
flash_program_word(FLASH_STORAGE_PINAREA, 0xffffffff << pinctr);
// erase storageRom.has_pin_failed_attempts and storageRom.pin_failed_attempts
_Static_assert(((FLASH_STORAGE + offsetof(Storage, pin_failed_attempts)) & 3) == 0, "storage.pin_failed_attempts unaligned");
flash_program_byte(FLASH_STORAGE + offsetof(Storage, has_pin_failed_attempts), 0);
flash_program_word(FLASH_STORAGE + offsetof(Storage, pin_failed_attempts), 0);
flash_lock();
storage_check_flash_errors();
svc_flash_erase_sector(FLASH_META_SECTOR_LAST);
svc_flash_program(FLASH_CR_PROGRAM_X32);
flash_write32(FLASH_STORAGE_PINAREA, 0xffffffff << pinctr);
// storageRom.has_pin_failed_attempts and storageRom.pin_failed_attempts
// are erased by storage_update below
storage_check_flash_errors(svc_flash_lock());
}
const uint32_t *u2fptr = (const uint32_t*) FLASH_PTR(FLASH_STORAGE_U2FAREA);
while (*u2fptr == 0) {
@ -257,7 +254,7 @@ void session_clear(bool clear_pin)
static uint32_t storage_flash_words(uint32_t addr, const uint32_t *src, int nwords) {
for (int i = 0; i < nwords; i++) {
flash_program_word(addr, *src++);
flash_write32(addr, *src++);
addr += sizeof(uint32_t);
}
return addr;
@ -360,7 +357,8 @@ static void storage_commit_locked(bool update)
memcpy(meta_backup, FLASH_PTR(FLASH_META_START), FLASH_META_DESC_LEN);
// erase storage
flash_erase_sector(FLASH_META_SECTOR_FIRST, FLASH_CR_PROGRAM_X32);
svc_flash_erase_sector(FLASH_META_SECTOR_FIRST);
svc_flash_program(FLASH_CR_PROGRAM_X32);
// copy meta back
uint32_t flash = FLASH_META_START;
@ -377,7 +375,7 @@ static void storage_commit_locked(bool update)
// fill remainder with zero for future extensions
while (flash < FLASH_STORAGE_PINAREA) {
flash_program_word(flash, 0);
flash_write32(flash, 0);
flash += sizeof(uint32_t);
}
}
@ -389,11 +387,9 @@ void storage_clear_update(void)
void storage_update(void)
{
flash_clear_status_flags();
flash_unlock();
svc_flash_unlock();
storage_commit_locked(true);
flash_lock();
storage_check_flash_errors();
storage_check_flash_errors(svc_flash_lock());
}
static void storage_setNode(const HDNodeType *node) {
@ -732,11 +728,9 @@ bool session_isPinCached(void)
void storage_clearPinArea(void)
{
flash_clear_status_flags();
flash_unlock();
flash_erase_sector(FLASH_META_SECTOR_LAST, FLASH_CR_PROGRAM_X32);
flash_lock();
storage_check_flash_errors();
svc_flash_unlock();
svc_flash_erase_sector(FLASH_META_SECTOR_LAST);
storage_check_flash_errors(svc_flash_lock());
storage_u2f_offset = 0;
}
@ -745,39 +739,38 @@ static void storage_area_recycle(uint32_t new_pinfails)
{
// first clear storage marker. In case of a failure below it is better
// to clear the storage than to allow restarting with zero PIN failures
flash_program_word(FLASH_STORAGE_START, 0);
svc_flash_program(FLASH_CR_PROGRAM_X32);
flash_write32(FLASH_STORAGE_START, 0);
if (*(const uint32_t *)FLASH_PTR(FLASH_STORAGE_START) != 0) {
storage_show_error();
}
// erase storage sector
flash_erase_sector(FLASH_META_SECTOR_LAST, FLASH_CR_PROGRAM_X32);
flash_program_word(FLASH_STORAGE_PINAREA, new_pinfails);
if (*(const uint32_t *)FLASH_PTR(FLASH_STORAGE_PINAREA) != new_pinfails) {
// erase pinarea/u2f sector
svc_flash_erase_sector(FLASH_META_SECTOR_LAST);
flash_write32(FLASH_STORAGE_PINAREA, new_pinfails);
if (*(const volatile uint32_t *)FLASH_PTR(FLASH_STORAGE_PINAREA) != new_pinfails) {
storage_show_error();
}
if (storage_u2f_offset > 0) {
storageUpdate.has_u2f_counter = true;
storageUpdate.u2f_counter += storage_u2f_offset;
storage_u2f_offset = 0;
storage_commit_locked(true);
}
// restore storage sector
storageUpdate.has_u2f_counter = true;
storageUpdate.u2f_counter += storage_u2f_offset;
storage_u2f_offset = 0;
storage_commit_locked(true);
}
void storage_resetPinFails(uint32_t flash_pinfails)
{
flash_clear_status_flags();
flash_unlock();
svc_flash_unlock();
if (flash_pinfails + sizeof(uint32_t)
>= FLASH_STORAGE_PINAREA + FLASH_STORAGE_PINAREA_LEN) {
// recycle extra storage sector
storage_area_recycle(0xffffffff);
} else {
flash_program_word(flash_pinfails, 0);
svc_flash_program(FLASH_CR_PROGRAM_X32);
flash_write32(flash_pinfails, 0);
}
flash_lock();
storage_check_flash_errors();
storage_check_flash_errors(svc_flash_lock());
}
bool storage_increasePinFails(uint32_t flash_pinfails)
@ -788,11 +781,10 @@ bool storage_increasePinFails(uint32_t flash_pinfails)
if (!newctr)
return true;
flash_clear_status_flags();
flash_unlock();
flash_program_word(flash_pinfails, newctr);
flash_lock();
storage_check_flash_errors();
svc_flash_unlock();
svc_flash_program(FLASH_CR_PROGRAM_X32);
flash_write32(flash_pinfails, newctr);
storage_check_flash_errors(svc_flash_lock());
return *(const uint32_t*)FLASH_PTR(flash_pinfails) == newctr;
}
@ -860,16 +852,15 @@ uint32_t storage_nextU2FCounter(void)
sizeof(uint32_t) * (storage_u2f_offset / 32);
uint32_t newval = 0xfffffffe << (storage_u2f_offset & 31);
flash_clear_status_flags();
flash_unlock();
flash_program_word(flash_u2f_offset, newval);
svc_flash_unlock();
svc_flash_program(FLASH_CR_PROGRAM_X32);
flash_write32(flash_u2f_offset, newval);
storage_u2f_offset++;
if (storage_u2f_offset >= 8 * FLASH_STORAGE_U2FAREA_LEN) {
storage_area_recycle(*(const uint32_t*)
FLASH_PTR(storage_getPinFailsOffset()));
}
flash_lock();
storage_check_flash_errors();
storage_check_flash_errors(svc_flash_lock());
return storageRom->u2f_counter + storage_u2f_offset;
}
@ -884,11 +875,9 @@ void storage_wipe(void)
session_clear(true);
storage_generate_uuid();
flash_clear_status_flags();
flash_unlock();
svc_flash_unlock();
storage_commit_locked(false);
flash_lock();
storage_check_flash_errors();
storage_check_flash_errors(svc_flash_lock());
storage_clearPinArea();
}
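Review bot: In storage_check_flash_errors the new `status` parameter is only read inside `#if !EMULATOR`, so emulator builds compiled with -Wextra will warn about an unused parameter; adding `(void)status;` before the `#if`, together with a short header comment such as `/* status: FLASH_SR as returned by svc_flash_lock(); shuts down via storage_show_error() if any programming-error flag is set */`, settles both. The callers now passing `svc_flash_lock()` straight in read well, but storage_area_recycle (hunk @ -745) issues `svc_flash_program(FLASH_CR_PROGRAM_X32)` and `svc_flash_erase_sector(...)` while relying on its caller having already called svc_flash_unlock() and later svc_flash_lock(); a precondition comment on that function would make the unlock/lock pairing explicit.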


@ -60,4 +60,16 @@ shutdown:
bl memset_reg
b . // loop forever
.ltorg // dump literal pool (for the ldr ...,=... commands above)
.global sv_call_handler
.type sv_call_handler, STT_FUNC
sv_call_handler:
tst lr, #4
ite eq
mrseq r0, msp
mrsne r0, psp
b svc_handler_main
.end
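Review bot: sv_call_handler carries no comment for the `tst lr, #4` / `ite eq` sequence, which tests bit 2 of the EXC_RETURN value in lr to decide whether the exception frame was pushed on MSP or PSP before handing its address to svc_handler_main in r0. A comment above the `tst`, e.g. `// EXC_RETURN bit 2: 0 = frame on MSP, 1 = frame on PSP; pass frame pointer to C`, would save the next reader a trip to the ARMv7-M manual. It is also worth noting there that `b` rather than `bl` is used on purpose: lr keeps the EXC_RETURN value, so svc_handler_main's own return completes the exception.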

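--- /dev/null
+++ b/supervise.c
@@ -0,0 +1,88 @@
+/*
+* This file is part of the TREZOR project, https://trezor.io/
+*
+* Copyright (C) 2018 Jochen Hoenicke <hoenicke@gmail.com>
+*
+* This library is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Lesser General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public License
+* along with this library. If not, see <http://www.gnu.org/licenses/>.
+*/
+#include <libopencm3/stm32/flash.h>
+#include <stdint.h>
+#include "supervise.h"
+#include "memory.h"
+static void svhandler_flash_unlock(void) {
+flash_clear_status_flags();
+flash_unlock();
+}
+static void svhandler_flash_program(uint32_t psize) {
+/* Wait for any write operation to complete. */
+flash_wait_for_last_operation();
+/* check program size argument */
+if (psize != FLASH_CR_PROGRAM_X8
+&& psize != FLASH_CR_PROGRAM_X16
+&& psize != FLASH_CR_PROGRAM_X32
+&& psize != FLASH_CR_PROGRAM_X64)
+return;
+FLASH_CR = (FLASH_CR & ~(FLASH_CR_PROGRAM_MASK << FLASH_CR_PROGRAM_SHIFT))
+| (psize << FLASH_CR_PROGRAM_SHIFT);
+FLASH_CR |= FLASH_CR_PG;
+}
+static void svhandler_flash_erase_sector(uint16_t sector) {
+/* we only allow erasing meta sectors 2 and 3. */
+if (sector < FLASH_META_SECTOR_FIRST ||
+sector > FLASH_META_SECTOR_LAST) {
+return;
+}
+flash_erase_sector(sector, FLASH_CR_PROGRAM_X32);
+}
+static uint32_t svhandler_flash_lock(void) {
+/* Wait for any write operation to complete. */
+flash_wait_for_last_operation();
+/* Disable writes to flash. */
+FLASH_CR &= ~FLASH_CR_PG;
+/* lock flash register */
+FLASH_CR |= FLASH_CR_LOCK;
+/* return flash status register */
+return FLASH_SR;
+}
+extern volatile uint32_t system_millis;
+void svc_handler_main(uint32_t *stack) {
+uint8_t svc_number = ((uint8_t*) stack[6])[-2];
+switch (svc_number) {
+case SVC_FLASH_UNLOCK:
+svhandler_flash_unlock();
+break;
+case SVC_FLASH_PROGRAM:
+svhandler_flash_program(stack[0]);
+break;
+case SVC_FLASH_ERASE:
+svhandler_flash_erase_sector(stack[0]);
+break;
+case SVC_FLASH_LOCK:
+stack[0] = svhandler_flash_lock();
+break;
+case SVC_TIMER_MS:
+stack[0] = system_millis;
+break;
+default:
+stack[0] = 0xffffffff;
+break;
+}
+}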
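Review bot: svhandler_flash_program only sets the program size and the PG bit in FLASH_CR; the actual stores are issued afterwards by application code through flash_write32, so unlike svhandler_flash_erase_sector nothing in the supervisor bounds the target address of a program operation. That may be intended (the erase check limits erasing to the meta sectors, and an MPU configuration not visible in this commit may restrict writes), but it deserves a comment at the top of the function, e.g. `/* Only enables programming; the target address is not validated here -- the stores are issued by the caller via flash_write32(). */`. In svc_handler_main, `((uint8_t*) stack[6])[-2]` depends on stack[6] being the stacked PC of the exception frame and on the SVC number being the low byte of the 16-bit svc instruction just before it; a comment such as `/* stack[6] = stacked PC; the SVC number is the imm8 of the svc instruction preceding it */` would make that explicit. The silent `return` on a bad psize leaves PG clear, so a caller's subsequent write presumably only surfaces through the FLASH_SR value returned at svc_flash_lock(); stating that in the comment helps whoever debugs it.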

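--- /dev/null
+++ b/supervise.h
@@ -0,0 +1,77 @@
+/*
+* This file is part of the TREZOR project, https://trezor.io/
+*
+* Copyright (C) 2018 Jochen Hoenicke <hoenicke@gmail.com>
+*
+* This library is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Lesser General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public License
+* along with this library. If not, see <http://www.gnu.org/licenses/>.
+*/
+#ifndef __SUPERVISE_H__
+#define __SUPERVISE_H__
+#define SVC_FLASH_UNLOCK 0
+#define SVC_FLASH_ERASE 1
+#define SVC_FLASH_PROGRAM 2
+#define SVC_FLASH_LOCK 3
+#define SVC_TIMER_MS 4
+/* Unlocks flash. This function needs to be called before programming
+* or erasing. Multiple calls of flash_program and flash_erase can
+* follow and should be completed with flash_lock().
+*/
+inline void svc_flash_unlock(void) {
+__asm__ __volatile__ ("svc %0" :: "i" (SVC_FLASH_UNLOCK) : "memory");
+}
+/* Enable flash write operations.
+* @param program_size (8-bit, 16-bit, 32-bit or 64-bit)
+* should be one of the FLASH_CR_PROGRAM_X.. constants
+*/
+inline void svc_flash_program(uint32_t program_size) {
+register uint32_t r0 __asm__("r0") = program_size;
+__asm__ __volatile__ ("svc %0" :: "i" (SVC_FLASH_PROGRAM), "r" (r0) : "memory");
+}
+/* Erase a flash sector.
+* @param sector sector number 0..11
+* (this only allows erasing meta sectors 2 and 3 though).
+*/
+inline void svc_flash_erase_sector(uint8_t sector) {
+register uint32_t r0 __asm__("r0") = sector;
+__asm__ __volatile__ ("svc %0" :: "i" (SVC_FLASH_ERASE), "r" (r0) : "memory");
+}
+/* Lock flash after programming or erasing.
+* @return flash status register (FLASH_SR)
+*/
+inline uint32_t svc_flash_lock(void) {
+register uint32_t r0 __asm__("r0");
+__asm__ __volatile__ ("svc %1" : "=r" (r0) : "i" (SVC_FLASH_LOCK) : "memory");
+return r0;
+}
+inline uint32_t svc_timer_ms(void) {
+register uint32_t r0 __asm__("r0");
+__asm__ __volatile__ ("svc %1" : "=r" (r0) : "i" (SVC_TIMER_MS) : "memory");
+return r0;
+}
+inline void flash_write32(uint32_t addr, uint32_t word) {
+*((volatile uint32_t *) addr) = word;
+}
+inline void flash_write8(uint32_t addr, uint8_t byte) {
+*((volatile uint8_t *) addr) = byte;
+}
+#endif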
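Review bot: Every function in this header is declared plain `inline` without `static` (e.g. `inline void svc_flash_unlock(void)`), which under C99 inline semantics is an inline definition only; whenever the compiler chooses not to inline a call (at -O0, for instance) the reference resolves to an external symbol that no translation unit defines, and the link fails. The timer.h code this commit replaces used `static inline`, so `static inline void svc_flash_unlock(void) {` (and likewise for the other six functions) keeps the project's convention and removes the hazard. The header also uses uint32_t/uint8_t without including <stdint.h>, relying on whoever includes it first; `#include <stdint.h>` right after the guard makes it self-contained. flash_write32/flash_write8 are plain volatile stores rather than supervisor calls and only work between svc_flash_unlock()+svc_flash_program() and svc_flash_lock(); a comment saying so above them, in the style of the existing ones, would prevent misuse.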


@ -21,18 +21,14 @@
#define __TIMER_H__
#include <stdint.h>
#include "supervise.h"
void timer_init(void);
#if EMULATOR
uint32_t timer_ms(void);
#else
static inline uint32_t timer_ms(void) {
/* 1 tick = 1 ms */
extern volatile uint32_t system_millis;
return system_millis;
}
#define timer_ms svc_timer_ms
#endif
#endif
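Review bot: The `#include "supervise.h"` is added unconditionally, but its only use here is the `#define timer_ms svc_timer_ms` in the `#else` (non-emulator) branch, so emulator builds now pull the ARM `svc` inline-asm header into every file that includes timer.h; moving the include next to the define keeps the emulator side self-contained. The macro alias also drops the old `/* 1 tick = 1 ms */` note, which was the only place the unit of timer_ms was documented; a comment above the define such as `/* 1 tick = 1 ms; on hardware the value is fetched via the SVC_TIMER_MS supervisor call */` preserves it.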