fix(core): clear memory when not going to use copy firmware header for bootloader

2024-11-20 14:39:22 +00:00 · 2023-08-16 16:31:04 +02:00 · 2023-08-16 16:31:04 +02:00 · 75a148e414
commit 75a148e414
parent c0c544b7d8
3 changed files with 20 additions and 5 deletions
--- a/core/embed/firmware/main.c
+++ b/core/embed/firmware/main.c
@ -88,9 +88,6 @@
 // from util.s
 extern void shutdown_privileged(void);

-// from linker script
-extern uint8_t firmware_header_start;
-
 int main(void) {
  random_delays_init();

@ -247,6 +244,7 @@ void copy_image_header_for_bootloader(const uint8_t *image_header) {

 void SVC_C_Handler(uint32_t *stack) {
  uint8_t svc_number = ((uint8_t *)stack[6])[-2];
+  bool clear_firmware_header = true;
  switch (svc_number) {
    case SVC_ENABLE_IRQ:
      HAL_NVIC_EnableIRQ(stack[0]);
@ -269,11 +267,14 @@ void SVC_C_Handler(uint32_t *stack) {
      break;
    case SVC_REBOOT_COPY_IMAGE_HEADER:
      copy_image_header_for_bootloader((uint8_t *)stack[0]);
+      clear_firmware_header = false;
      // break is omitted here because we want to continue to reboot below
    case SVC_REBOOT_TO_BOOTLOADER:
+      // if not going from copy image header & reboot, clean preventively this part of CCMRAM
+      if (clear_firmware_header) {
+        explicit_bzero(&firmware_header_start, IMAGE_HEADER_SIZE);
+      }

-      ensure_compatible_settings();
-      mpu_config_bootloader();
      __asm__ volatile("msr control, %0" ::"r"(0x0));
      __asm__ volatile("isb");
      // See stack layout in
--- a/core/embed/trezorhal/common.h
+++ b/core/embed/trezorhal/common.h
@ -53,6 +53,12 @@

 #define STAY_IN_BOOTLOADER_FLAG 0x0FC35A96

+// from linker script
+extern uint8_t firmware_header_start;
+extern uint8_t  ccmram_start;
+extern uint8_t  ccmram_end;
+
+
 void __attribute__((noreturn)) trezor_shutdown(void);

 void __attribute__((noreturn))
--- a/core/embed/trezorhal/stm32f4/supervise.h
+++ b/core/embed/trezorhal/stm32f4/supervise.h
@ -7,10 +7,15 @@
 #define SVC_REBOOT_TO_BOOTLOADER 5
 #define SVC_REBOOT_COPY_IMAGE_HEADER 6

+#include <string.h>
+#include "common.h"
+#include "image.h"
+
 // from util.s
 extern void shutdown_privileged(void);
 extern void reboot_to_bootloader(void);
 extern void copy_image_header_for_bootloader(const uint8_t *image_header);
+extern void ensure_compatible_settings(void);

 static inline uint32_t is_mode_unprivileged(void) {
  uint32_t r0;
@ -62,9 +67,11 @@ static inline void svc_shutdown(void) {
 }

 static inline void svc_reboot_to_bootloader(void) {
+  explicit_bzero(&firmware_header_start, IMAGE_HEADER_SIZE);
  if (is_mode_unprivileged() && !is_mode_handler()) {
    __asm__ __volatile__("svc %0" ::"i"(SVC_REBOOT_TO_BOOTLOADER) : "memory");
  } else {
+    ensure_compatible_settings();
    reboot_to_bootloader();
  }
 }
@ -76,6 +83,7 @@ static inline void svc_reboot_copy_image_header(const uint8_t *image_address) {
                         : "memory");
  } else {
    copy_image_header_for_bootloader(image_address);
+    ensure_compatible_settings();
    reboot_to_bootloader();
  }
 }