chore(core): remove unprivileged SAES on U5G models

[no changelog]
2025-08-05 05:15:27 +00:00 · 2025-03-07 09:42:59 +01:00 · 2025-03-07 09:42:59 +01:00 · 7fb272bade
commit 7fb272bade
parent 6bb3c0cf1d
18 changed files with 42 additions and 63 deletions
--- a/core/embed/models/D001/memory.ld
+++ b/core/embed/models/D001/memory.ld
@ -2,7 +2,7 @@

 FLASH_START = 0x8000000;
 NORCOW_SECTOR_SIZE = 0x10000;
-NORCOW_MIN_VERSION = 0x0;
+NORCOW_MIN_VERSION = 0x6;
 BOARDLOADER_START = 0x8000000;
 BOARDLOADER_MAXSIZE = 0xc000;
 BOARDLOADER_SECTOR_START = 0x0;
--- a/core/embed/models/D001/model_D001.h
+++ b/core/embed/models/D001/model_D001.h
@ -33,7 +33,7 @@

 #define FLASH_START 0x08000000
 #define NORCOW_SECTOR_SIZE (1 * 64 * 1024)  // 64 kB
-#define NORCOW_MIN_VERSION 0x00000000
+#define NORCOW_MIN_VERSION 0x00000006

 // FLASH layout
 #define BOARDLOADER_START 0x08000000
--- a/core/embed/models/D002/memory.ld
+++ b/core/embed/models/D002/memory.ld
@ -27,7 +27,6 @@ FIRMWARE_SECTOR_START = 0x22;
 FIRMWARE_SECTOR_END = 0x1cf;
 KERNEL_START = 0xc044000;
 KERNEL_MAXSIZE = 0x80000;
-KERNEL_U_FLASH_SIZE = 0x200;
 STORAGE_1_START = 0xc3a0000;
 STORAGE_1_MAXSIZE = 0x20000;
 STORAGE_1_SECTOR_START = 0x1d0;
@ -45,9 +44,7 @@ BOOTARGS_SIZE = 0x200;
 FB1_RAM_START = 0x30000200;
 FB1_RAM_SIZE = 0xbfe00;
 MAIN_RAM_START = 0x300c0000;
-MAIN_RAM_SIZE = 0xfe00;
-SAES_RAM_START = 0x300cfe00;
-SAES_RAM_SIZE = 0x200;
+MAIN_RAM_SIZE = 0x10000;
 FB2_RAM_START = 0x300d0000;
 FB2_RAM_SIZE = 0xc0000;
 AUX1_RAM_START = 0x30190000;
--- a/core/embed/models/D002/model_D002.h
+++ b/core/embed/models/D002/model_D002.h
@ -67,7 +67,6 @@
 #define FIRMWARE_SECTOR_END 0x1CF
 #define KERNEL_START 0x0C044000
 #define KERNEL_MAXSIZE (512 * 1024)  // 512 kB
-#define KERNEL_U_FLASH_SIZE 512

 #define STORAGE_1_START 0x0C3A0000
 #define STORAGE_1_MAXSIZE (16 * 8 * 1024)  // 128 kB
@ -92,10 +91,7 @@
 #define FB1_RAM_SIZE (768 * 1024 - 512)

 #define MAIN_RAM_START 0x300C0000
-#define MAIN_RAM_SIZE (64 * 1024 - 512)
-
-#define SAES_RAM_START 0x300CFE00
-#define SAES_RAM_SIZE 512
+#define MAIN_RAM_SIZE (64 * 1024)

 #define FB2_RAM_START 0x300D0000
 #define FB2_RAM_SIZE (768 * 1024)
--- a/core/embed/models/T2B1/memory.ld
+++ b/core/embed/models/T2B1/memory.ld
@ -2,7 +2,7 @@

 FLASH_START = 0x8000000;
 NORCOW_SECTOR_SIZE = 0x10000;
-NORCOW_MIN_VERSION = 0x0;
+NORCOW_MIN_VERSION = 0x3;
 BOARDLOADER_START = 0x8000000;
 BOARDLOADER_MAXSIZE = 0xc000;
 BOARDLOADER_SECTOR_START = 0x0;
--- a/core/embed/models/T2B1/model_T2B1.h
+++ b/core/embed/models/T2B1/model_T2B1.h
@ -34,7 +34,7 @@

 #define FLASH_START 0x08000000
 #define NORCOW_SECTOR_SIZE (1 * 64 * 1024)  // 64 kB
-#define NORCOW_MIN_VERSION 0x00000000
+#define NORCOW_MIN_VERSION 0x00000003

 // FLASH layout
 #define BOARDLOADER_START 0x08000000
--- a/core/embed/models/T3B1/memory.ld
+++ b/core/embed/models/T3B1/memory.ld
@ -2,7 +2,7 @@

 FLASH_START = 0xc004000;
 NORCOW_SECTOR_SIZE = 0x10000;
-NORCOW_MIN_VERSION = 0x0;
+NORCOW_MIN_VERSION = 0x5;
 SECRET_START = 0xc000000;
 SECRET_MAXSIZE = 0x4000;
 SECRET_SECTOR_START = 0x0;
--- a/core/embed/models/T3B1/model_T3B1.h
+++ b/core/embed/models/T3B1/model_T3B1.h
@ -34,7 +34,7 @@
 // misc
 #define FLASH_START 0x0C004000
 #define NORCOW_SECTOR_SIZE (8 * 8 * 1024)  // 64 kB
-#define NORCOW_MIN_VERSION 0x00000000
+#define NORCOW_MIN_VERSION 0x00000005

 // FLASH layout
 #define SECRET_START 0x0C000000
--- a/core/embed/models/T3T1/memory.ld
+++ b/core/embed/models/T3T1/memory.ld
@ -2,7 +2,7 @@

 FLASH_START = 0xc004000;
 NORCOW_SECTOR_SIZE = 0x10000;
-NORCOW_MIN_VERSION = 0x0;
+NORCOW_MIN_VERSION = 0x4;
 SECRET_START = 0xc000000;
 SECRET_MAXSIZE = 0x4000;
 SECRET_SECTOR_START = 0x0;
--- a/core/embed/models/T3T1/model_T3T1.h
+++ b/core/embed/models/T3T1/model_T3T1.h
@ -34,7 +34,7 @@
 // misc
 #define FLASH_START 0x0C004000
 #define NORCOW_SECTOR_SIZE (8 * 8 * 1024)  // 64 kB
-#define NORCOW_MIN_VERSION 0x00000000
+#define NORCOW_MIN_VERSION 0x00000004

 // FLASH layout
 #define SECRET_START 0x0C000000
--- a/core/embed/models/T3W1/memory.ld
+++ b/core/embed/models/T3W1/memory.ld
@ -27,7 +27,6 @@ FIRMWARE_SECTOR_START = 0x22;
 FIRMWARE_SECTOR_END = 0x1cf;
 KERNEL_START = 0xc044000;
 KERNEL_MAXSIZE = 0x80000;
-KERNEL_U_FLASH_SIZE = 0x200;
 STORAGE_1_START = 0xc3a0000;
 STORAGE_1_MAXSIZE = 0x20000;
 STORAGE_1_SECTOR_START = 0x1d0;
@ -45,9 +44,7 @@ BOOTARGS_SIZE = 0x200;
 FB1_RAM_START = 0x30000200;
 FB1_RAM_SIZE = 0xbfe00;
 MAIN_RAM_START = 0x300c0000;
-MAIN_RAM_SIZE = 0xfe00;
-SAES_RAM_START = 0x300cfe00;
-SAES_RAM_SIZE = 0x200;
+MAIN_RAM_SIZE = 0x10000;
 FB2_RAM_START = 0x300d0000;
 FB2_RAM_SIZE = 0xc0000;
 AUX1_RAM_START = 0x30190000;
--- a/core/embed/models/T3W1/model_T3W1.h
+++ b/core/embed/models/T3W1/model_T3W1.h
@ -66,7 +66,6 @@
 #define FIRMWARE_SECTOR_END 0x1CF
 #define KERNEL_START 0x0C044000
 #define KERNEL_MAXSIZE (512 * 1024)  // 512 kB
-#define KERNEL_U_FLASH_SIZE 512

 #define STORAGE_1_START 0x0C3A0000
 #define STORAGE_1_MAXSIZE (16 * 8 * 1024)  // 128 kB
@ -91,10 +90,7 @@
 #define FB1_RAM_SIZE (768 * 1024 - 512)

 #define MAIN_RAM_START 0x300C0000
-#define MAIN_RAM_SIZE (64 * 1024 - 512)
-
-#define SAES_RAM_START 0x300CFE00
-#define SAES_RAM_SIZE 512
+#define MAIN_RAM_SIZE (64 * 1024)

 #define FB2_RAM_START 0x300D0000
 #define FB2_RAM_SIZE (768 * 1024)
--- a/core/embed/sec/secure_aes/stm32u5/secure_aes.c
+++ b/core/embed/sec/secure_aes/stm32u5/secure_aes.c
@ -24,12 +24,6 @@
 #include <stm32u5xx_hal_cryp.h>

 #include <sec/secure_aes.h>
-#include <sys/mpu.h>
-#include <sys/syscall.h>
-
-#ifdef USE_TRUSTZONE
-#include <sys/trustzone.h>
-#endif

 #include "memzero.h"

@ -38,8 +32,6 @@

 #ifdef KERNEL_MODE

-#include <sys/irq.h>
-
 static void secure_aes_load_bhk(void) {
  TAMP->BKP0R;
  TAMP->BKP1R;
@ -76,8 +68,18 @@ static secbool is_key_supported(secure_aes_keysel_t key) {
  }
 }

+#if NORCOW_MIN_VERSION <= 5
 #ifdef SYSCALL_DISPATCH

+#include <sys/mpu.h>
+#include <sys/syscall.h>
+
+#ifdef USE_TRUSTZONE
+#include <sys/trustzone.h>
+#endif
+
+#include <sys/irq.h>
+
 __attribute__((section(".udata")))
 uint32_t saes_input[SAES_DATA_SIZE_WITH_UPRIV_KEY / sizeof(uint32_t)];

@ -220,13 +222,16 @@ secbool unpriv_encrypt(const uint8_t* input, size_t size, uint8_t* output,
  return retval;
 }
 #endif
+#endif

 secbool secure_aes_ecb_encrypt_hw(const uint8_t* input, size_t size,
                                  uint8_t* output, secure_aes_keysel_t key) {
+#if NORCOW_MIN_VERSION <= 5
 #ifdef SYSCALL_DISPATCH
  if (key == SECURE_AES_KEY_XORK_SN) {
    return unpriv_encrypt(input, size, output, key);
  }
+#endif
 #endif

  if (sectrue != is_key_supported(key)) {
--- a/core/embed/sys/linker/stm32u5g/boardloader.ld
+++ b/core/embed/sys/linker/stm32u5g/boardloader.ld
@ -9,7 +9,6 @@ MEMORY {
  MAIN_RAM (wal) : ORIGIN = MAIN_RAM_START, LENGTH = MAIN_RAM_SIZE
  AUX1_RAM (wal) : ORIGIN = AUX1_RAM_START, LENGTH = AUX1_RAM_SIZE
  BOOT_ARGS (wal) : ORIGIN = BOOTARGS_START, LENGTH = BOOTARGS_SIZE
-  SAES_RAM (wal) : ORIGIN = SAES_RAM_START, LENGTH = SAES_RAM_SIZE
  FB1_RAM (wal) : ORIGIN = FB1_RAM_START, LENGTH = FB1_RAM_SIZE
  FB2_RAM (wal) : ORIGIN = FB2_RAM_START, LENGTH = FB2_RAM_SIZE
 }
--- a/core/embed/sys/linker/stm32u5g/bootloader.ld
+++ b/core/embed/sys/linker/stm32u5g/bootloader.ld
@ -8,7 +8,6 @@ MEMORY {
  MAIN_RAM (wal) : ORIGIN = MAIN_RAM_START, LENGTH = MAIN_RAM_SIZE
  AUX1_RAM (wal) : ORIGIN = AUX1_RAM_START, LENGTH = AUX1_RAM_SIZE
  BOOT_ARGS (wal) : ORIGIN = BOOTARGS_START, LENGTH = BOOTARGS_SIZE
-  SAES_RAM (wal) : ORIGIN = SAES_RAM_START, LENGTH = SAES_RAM_SIZE
  FB1_RAM (wal) : ORIGIN = FB1_RAM_START, LENGTH = FB1_RAM_SIZE
  FB2_RAM (wal) : ORIGIN = FB2_RAM_START, LENGTH = FB2_RAM_SIZE
 }
--- a/core/embed/sys/linker/stm32u5g/kernel.ld
+++ b/core/embed/sys/linker/stm32u5g/kernel.ld
@ -7,7 +7,6 @@ MEMORY {

  MAIN_RAM (wal) : ORIGIN = MAIN_RAM_START, LENGTH = MAIN_RAM_SIZE
  BOOT_ARGS (wal) : ORIGIN = BOOTARGS_START, LENGTH = BOOTARGS_SIZE
-  SAES_RAM (wal) : ORIGIN = SAES_RAM_START, LENGTH = SAES_RAM_SIZE
  FB1_RAM (wal) : ORIGIN = FB1_RAM_START, LENGTH = FB1_RAM_SIZE
  FB2_RAM (wal) : ORIGIN = FB2_RAM_START, LENGTH = FB2_RAM_SIZE
 }
@ -15,11 +14,6 @@ MEMORY {
 _stack_section_start = ADDR(.stack);
 _stack_section_end = ADDR(.stack) + SIZEOF(.stack);

-
-ustack_base = ADDR(.udata) + 512;
-_sustack = ADDR(.udata) + 256;
-_eustack = ustack_base;
-
 _data_section_loadaddr = LOADADDR(.data);
 _data_section_start = ADDR(.data);
 _data_section_end = ADDR(.data) + SIZEOF(.data);
@ -39,13 +33,10 @@ _accessible_ram_1_end = MCU_SRAM4 + MCU_SRAM4_SIZE;
 _bootargs_ram_start = BOOTARGS_START;
 _bootargs_ram_end = BOOTARGS_START + BOOTARGS_SIZE;

-_codelen = SIZEOF(.vendorheader) + SIZEOF(.header) + SIZEOF(.flash)  + SIZEOF(.uflash) + SIZEOF(.data) + SIZEOF(.confidential);
+_codelen = SIZEOF(.vendorheader) + SIZEOF(.header) + SIZEOF(.flash) + SIZEOF(.data) + SIZEOF(.confidential);
 _flash_start = ORIGIN(FLASH);
 _flash_end = ORIGIN(FLASH) + LENGTH(FLASH);

-_uflash_start = ADDR(.uflash);
-_uflash_end = ADDR(.uflash) + SIZEOF(.uflash);
-
 SECTIONS {
  .vendorheader : ALIGN(4) {
    KEEP(*(.vendorheader))
@ -87,23 +78,11 @@ SECTIONS {
    . = ALIGN(4);
  } >MAIN_RAM

-  /* unprivileged data and stack for SAES */
-  .udata : ALIGN(512) {
-    *(.udata*);
-    . = ALIGN(256);
-    . = 256; /* Overflow causes UsageFault */
-  } >SAES_RAM
-
  .confidential : ALIGN(512) {
    *(.confidential*);
    . = ALIGN(512);
  } >MAIN_RAM AT>FLASH

-  .uflash : ALIGN(512) {
-    *(.uflash*);
-    . = ALIGN(COREAPP_ALIGNMENT);
-  } >FLASH AT>FLASH
-
  .fb1 : ALIGN(4) {
    *(.fb1*);
    . = ALIGN(4);
--- a/core/embed/sys/linker/stm32u5g/prodtest.ld
+++ b/core/embed/sys/linker/stm32u5g/prodtest.ld
@ -8,7 +8,6 @@ MEMORY {
  MAIN_RAM (wal) : ORIGIN = MAIN_RAM_START, LENGTH = MAIN_RAM_SIZE
  AUX1_RAM (wal) : ORIGIN = AUX1_RAM_START, LENGTH = AUX1_RAM_SIZE
  BOOT_ARGS (wal) : ORIGIN = BOOTARGS_START, LENGTH = BOOTARGS_SIZE
-  SAES_RAM (wal) : ORIGIN = SAES_RAM_START, LENGTH = SAES_RAM_SIZE
  FB1_RAM (wal) : ORIGIN = FB1_RAM_START, LENGTH = FB1_RAM_SIZE
  FB2_RAM (wal) : ORIGIN = FB2_RAM_START, LENGTH = FB2_RAM_SIZE
 }
--- a/core/embed/sys/mpu/stm32u5/mpu.c
+++ b/core/embed/sys/mpu/stm32u5/mpu.c
@ -143,19 +143,29 @@ _Static_assert(NORCOW_SECTOR_SIZE == STORAGE_2_MAXSIZE, "norcow misconfigured");

 #ifdef KERNEL

+extern uint32_t _codelen;
+#define KERNEL_SIZE (uint32_t) & _codelen
+#define KERNEL_FLASH_START KERNEL_START
+
+#if NORCOW_MIN_VERSION <= 5
 extern uint8_t _uflash_start;
 extern uint8_t _uflash_end;
 #define KERNEL_FLASH_U_START (uint32_t) & _uflash_start
 #define KERNEL_FLASH_U_SIZE ((uint32_t) & _uflash_end - KERNEL_FLASH_U_START)

-extern uint32_t _codelen;
-#define KERNEL_SIZE (uint32_t) & _codelen
-
-#define KERNEL_FLASH_START KERNEL_START
 #define KERNEL_FLASH_SIZE (KERNEL_SIZE - KERNEL_FLASH_U_SIZE)

 #define COREAPP_FLASH_START \
  (COREAPP_CODE_ALIGN(KERNEL_FLASH_START + KERNEL_SIZE) - KERNEL_FLASH_U_SIZE)
+
+#else
+
+#define KERNEL_FLASH_SIZE KERNEL_SIZE
+
+#define COREAPP_FLASH_START \
+  (COREAPP_CODE_ALIGN(KERNEL_FLASH_START + KERNEL_SIZE))
+#endif
+
 #define COREAPP_FLASH_SIZE \
  (FIRMWARE_MAXSIZE - (COREAPP_FLASH_START - FIRMWARE_START))

@ -401,7 +411,9 @@ mpu_mode_t mpu_reconfig(mpu_mode_t mode) {
      //      REGION   ADDRESS                 SIZE                TYPE       WRITE   UNPRIV
 #ifdef KERNEL
    case MPU_MODE_SAES:
+#ifdef SAES_RAM_START
      SET_REGION( 7, SAES_RAM_START,           SAES_RAM_SIZE,      SRAM,        YES,   YES ); // Unprivileged kernel SRAM
+#endif
      break;
 #endif
    default: