You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
312 lines
9.0 KiB
312 lines
9.0 KiB
/*
|
|
* This file is part of the Trezor project, https://trezor.io/
|
|
*
|
|
* Copyright (c) SatoshiLabs
|
|
*
|
|
* This program is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include STM32_HAL_H
|
|
|
|
#include "lowlevel.h"
|
|
#include "common.h"
|
|
#include "flash.h"
|
|
#include "model.h"
|
|
#include TREZOR_BOARD
|
|
|
|
#pragma GCC optimize( \
|
|
"no-stack-protector") // applies to all functions in this file
|
|
|
|
#if PRODUCTION
|
|
#define WANT_RDP_LEVEL (OB_RDP_LEVEL_2)
|
|
#define WANT_WRP_PAGE_START 2
|
|
#define WANT_WRP_PAGE_END 7
|
|
#else
|
|
#define WANT_RDP_LEVEL (OB_RDP_LEVEL_0)
|
|
#endif
|
|
|
|
#ifdef VDD_3V3
|
|
// BOR LEVEL 0: Reset level threshold is around 2.8 V
|
|
#define WANT_BOR_LEVEL (OB_BOR_LEVEL_4)
|
|
#define USE_PVD 1
|
|
#elif VDD_1V8
|
|
// BOR LEVEL 0: Reset level threshold is around 1.7 V
|
|
#define WANT_BOR_LEVEL (OB_BOR_LEVEL_0)
|
|
#else
|
|
#error "VDD_3V3 or VDD_1V8 must be defined"
|
|
#endif
|
|
|
|
#if defined STM32U5A9xx | defined STM32U5G9xx
|
|
#define SEC_AREA_1_PAGE_START 0
|
|
#define HDP_AREA_1_PAGE_END 1
|
|
#define SEC_AREA_1_PAGE_END 0x07
|
|
#define SEC_AREA_2_PAGE_START 0xFF
|
|
#define SEC_AREA_2_PAGE_END 0x00
|
|
#elif define STM32U585xx
|
|
#define SEC_AREA_1_PAGE_START 0
|
|
#define HDP_AREA_1_PAGE_END 1
|
|
#define SEC_AREA_1_PAGE_END 0x07
|
|
#define SEC_AREA_2_PAGE_START 0x7F
|
|
#define SEC_AREA_2_PAGE_END 0x00
|
|
#else
|
|
#error Unknown MCU
|
|
#endif
|
|
|
|
#define FLASH_OPTR_VALUE \
|
|
(FLASH_OPTR_TZEN | FLASH_OPTR_PA15_PUPEN | FLASH_OPTR_nBOOT0 | \
|
|
FLASH_OPTR_SRAM3_ECC | FLASH_OPTR_BKPRAM_ECC | FLASH_OPTR_DUALBANK | \
|
|
FLASH_OPTR_WWDG_SW | FLASH_OPTR_IWDG_STOP | FLASH_OPTR_IWDG_STDBY | \
|
|
FLASH_OPTR_IWDG_SW | FLASH_OPTR_SRAM_RST | FLASH_OPTR_nRST_SHDW | \
|
|
FLASH_OPTR_nRST_STDBY | FLASH_OPTR_nRST_STOP | WANT_BOR_LEVEL | \
|
|
(WANT_RDP_LEVEL << FLASH_OPTR_RDP_Pos))
|
|
|
|
#define FALSH_SECBOOTADD0R_VALUE \
|
|
((BOARDLOADER_START & 0xFFFFFF80) | FLASH_SECBOOTADD0R_BOOT_LOCK | 0x7C)
|
|
#define FLASH_SECWM1R1_VALUE \
|
|
(SEC_AREA_1_PAGE_START << FLASH_SECWM1R1_SECWM1_PSTRT_Pos | \
|
|
SEC_AREA_1_PAGE_END << FLASH_SECWM1R1_SECWM1_PEND_Pos | 0xFF00FF00)
|
|
#define FLASH_SECWM1R2_VALUE \
|
|
(HDP_AREA_1_PAGE_END << FLASH_SECWM1R2_HDP1_PEND_Pos | \
|
|
FLASH_SECWM1R2_HDP1EN | 0x7F007F00)
|
|
#define FLASH_SECWM2R1_VALUE \
|
|
(SEC_AREA_2_PAGE_START << FLASH_SECWM1R1_SECWM1_PSTRT_Pos | \
|
|
SEC_AREA_2_PAGE_END << FLASH_SECWM1R1_SECWM1_PEND_Pos | 0xFF00FF00)
|
|
#define FLASH_SECWM2R2_VALUE (0x7F007F00)
|
|
|
|
secbool flash_check_option_bytes(void) {
|
|
flash_wait_and_clear_status_flags();
|
|
// check values stored in flash interface registers
|
|
if (FLASH->OPTR !=
|
|
FLASH_OPTR_VALUE) { // ignore bits 0 and 1 because they are control bits
|
|
return secfalse;
|
|
}
|
|
|
|
if (FLASH->SECBOOTADD0R != FALSH_SECBOOTADD0R_VALUE) {
|
|
return secfalse;
|
|
}
|
|
|
|
#if PRODUCTION
|
|
if (FLASH->WRP1AR != (WANT_WRP_PAGE_START | (WANT_WRP_PAGE_END << 16))) {
|
|
return secfalse;
|
|
}
|
|
#else
|
|
if (FLASH->WRP1AR != 0xFF00FFFF) {
|
|
return secfalse;
|
|
}
|
|
#endif
|
|
|
|
if (FLASH->WRP1BR != 0xFF00FFFF) {
|
|
return secfalse;
|
|
}
|
|
if (FLASH->WRP2AR != 0xFF00FFFF) {
|
|
return secfalse;
|
|
}
|
|
if (FLASH->WRP2BR != 0xFF00FFFF) {
|
|
return secfalse;
|
|
}
|
|
|
|
return sectrue;
|
|
}
|
|
|
|
void flash_lock_option_bytes(void) {
|
|
FLASH->NSCR |= FLASH_NSCR_OPTLOCK; // lock the option bytes
|
|
}
|
|
|
|
void flash_unlock_option_bytes(void) {
|
|
if ((FLASH->NSCR & FLASH_NSCR_OPTLOCK) == 0) {
|
|
return; // already unlocked
|
|
}
|
|
// reference RM0090 section 3.7.2
|
|
// write the special sequence to unlock
|
|
FLASH->OPTKEYR = FLASH_OPTKEY1;
|
|
FLASH->OPTKEYR = FLASH_OPTKEY2;
|
|
while (FLASH->NSCR & FLASH_NSCR_OPTLOCK)
|
|
; // wait until the flash option control register is unlocked
|
|
}
|
|
|
|
uint32_t flash_set_option_bytes(void) {
|
|
if (flash_unlock_write() != sectrue) {
|
|
return 0;
|
|
}
|
|
flash_wait_and_clear_status_flags();
|
|
flash_unlock_option_bytes();
|
|
flash_wait_and_clear_status_flags();
|
|
|
|
FLASH->OPTR =
|
|
FLASH_OPTR_VALUE; // WARNING: dev board safe unless you compile for
|
|
// PRODUCTION or change this value!!!
|
|
|
|
FLASH->SECBOOTADD0R = FALSH_SECBOOTADD0R_VALUE;
|
|
|
|
#if PRODUCTION
|
|
FLASH->WRP1AR = WANT_WRP_PAGE_START | (WANT_WRP_PAGE_END << 16);
|
|
FLASH->WRP1BR = 0xFF00FFFF;
|
|
FLASH->WRP2AR = 0xFF00FFFF;
|
|
FLASH->WRP2BR = 0xFF00FFFF;
|
|
#endif
|
|
|
|
FLASH_WaitForLastOperation(HAL_MAX_DELAY);
|
|
|
|
FLASH->NSCR |= FLASH_NSCR_OPTSTRT;
|
|
uint32_t result =
|
|
flash_wait_and_clear_status_flags(); // wait until changes are committed
|
|
|
|
FLASH_WaitForLastOperation(HAL_MAX_DELAY);
|
|
|
|
FLASH->NSCR |= FLASH_NSCR_OBL_LAUNCH; // begin committing changes to flash
|
|
result =
|
|
flash_wait_and_clear_status_flags(); // wait until changes are committed
|
|
flash_lock_option_bytes();
|
|
|
|
if (flash_lock_write() != sectrue) {
|
|
return 0;
|
|
}
|
|
return result;
|
|
}
|
|
|
|
void check_oem_keys(void) {
|
|
ensure(((FLASH_S->NSSR & FLASH_NSSR_OEM1LOCK) == 0) * sectrue,
|
|
"OEM1 KEY SET");
|
|
ensure(((FLASH_S->NSSR & FLASH_NSSR_OEM2LOCK) == 0) * sectrue,
|
|
"OEM2 KEY SET");
|
|
}
|
|
|
|
secbool flash_configure_option_bytes(void) {
|
|
if (sectrue == flash_check_option_bytes()) {
|
|
return sectrue; // we DID NOT have to change the option bytes
|
|
}
|
|
|
|
do {
|
|
flash_set_option_bytes();
|
|
} while (sectrue != flash_check_option_bytes());
|
|
|
|
check_oem_keys();
|
|
|
|
return secfalse; // notify that we DID have to change the option bytes
|
|
}
|
|
|
|
secbool flash_check_sec_area_ob(void) {
|
|
flash_wait_and_clear_status_flags();
|
|
// check values stored in flash interface registers
|
|
|
|
if (FLASH->SECWM1R1 != FLASH_SECWM1R1_VALUE) {
|
|
return secfalse;
|
|
}
|
|
if (FLASH->SECWM1R2 != FLASH_SECWM1R2_VALUE) {
|
|
return secfalse;
|
|
}
|
|
if (FLASH->SECWM2R1 != FLASH_SECWM2R1_VALUE) {
|
|
return secfalse;
|
|
}
|
|
if (FLASH->SECWM2R2 != FLASH_SECWM2R2_VALUE) {
|
|
return secfalse;
|
|
}
|
|
|
|
return sectrue;
|
|
}
|
|
|
|
uint32_t flash_set_sec_area_ob(void) {
|
|
if (flash_unlock_write() != sectrue) {
|
|
return 0;
|
|
}
|
|
flash_wait_and_clear_status_flags();
|
|
flash_unlock_option_bytes();
|
|
flash_wait_and_clear_status_flags();
|
|
|
|
FLASH->SECWM1R1 = FLASH_SECWM1R1_VALUE;
|
|
FLASH->SECWM1R2 = FLASH_SECWM1R2_VALUE;
|
|
|
|
FLASH->SECWM2R1 = FLASH_SECWM2R1_VALUE;
|
|
FLASH->SECWM2R2 = FLASH_SECWM2R2_VALUE;
|
|
|
|
FLASH_WaitForLastOperation(HAL_MAX_DELAY);
|
|
|
|
FLASH->NSCR |= FLASH_NSCR_OPTSTRT;
|
|
uint32_t result =
|
|
flash_wait_and_clear_status_flags(); // wait until changes are committed
|
|
|
|
FLASH_WaitForLastOperation(HAL_MAX_DELAY);
|
|
|
|
FLASH->NSCR |= FLASH_NSCR_OBL_LAUNCH; // begin committing changes to flash
|
|
result =
|
|
flash_wait_and_clear_status_flags(); // wait until changes are committed
|
|
flash_lock_option_bytes();
|
|
|
|
if (flash_lock_write() != sectrue) {
|
|
return 0;
|
|
}
|
|
return result;
|
|
}
|
|
|
|
secbool flash_configure_sec_area_ob(void) {
|
|
if (sectrue == flash_check_sec_area_ob()) {
|
|
return sectrue; // we DID NOT have to change the option bytes
|
|
}
|
|
|
|
do {
|
|
flash_set_sec_area_ob();
|
|
} while (sectrue != flash_check_sec_area_ob());
|
|
|
|
check_oem_keys();
|
|
|
|
return secfalse; // notify that we DID have to change the option bytes
|
|
}
|
|
|
|
void periph_init(void) {
|
|
// STM32U5xx HAL library initialization:
|
|
// - configure the Flash prefetch, instruction and data caches
|
|
// - configure the Systick to generate an interrupt each 1 msec
|
|
// - set NVIC Group Priority to 4
|
|
// - global MSP (MCU Support Package) initialization
|
|
HAL_Init();
|
|
|
|
// Enable GPIO clocks
|
|
__HAL_RCC_GPIOA_CLK_ENABLE();
|
|
__HAL_RCC_GPIOB_CLK_ENABLE();
|
|
__HAL_RCC_GPIOC_CLK_ENABLE();
|
|
__HAL_RCC_GPIOD_CLK_ENABLE();
|
|
|
|
#ifdef USE_PVD
|
|
// enable the PVD (programmable voltage detector).
|
|
// select the "2.8V" threshold (level 5).
|
|
// this detector will be active regardless of the
|
|
// flash option byte BOR setting.
|
|
__HAL_RCC_PWR_CLK_ENABLE();
|
|
PWR_PVDTypeDef pvd_config;
|
|
pvd_config.PVDLevel = PWR_PVDLEVEL_5;
|
|
pvd_config.Mode = PWR_PVD_MODE_IT_RISING_FALLING;
|
|
HAL_PWR_ConfigPVD(&pvd_config);
|
|
HAL_PWR_EnablePVD();
|
|
NVIC_EnableIRQ(PVD_PVM_IRQn);
|
|
#endif
|
|
}
|
|
|
|
secbool reset_flags_check(void) {
|
|
#if PRODUCTION
|
|
// this is effective enough that it makes development painful, so only use it
|
|
// for production. check the reset flags to assure that we arrive here due to
|
|
// a regular full power-on event, and not as a result of a lesser reset.
|
|
if ((RCC->CSR & (RCC_CSR_LPWRRSTF | RCC_CSR_WWDGRSTF | RCC_CSR_IWDGRSTF |
|
|
RCC_CSR_SFTRSTF | RCC_CSR_PINRSTF | RCC_CSR_BORRSTF |
|
|
RCC_CSR_OBLRSTF)) != (RCC_CSR_PINRSTF | RCC_CSR_BORRSTF)) {
|
|
return secfalse;
|
|
}
|
|
#endif
|
|
return sectrue;
|
|
}
|
|
|
|
void reset_flags_reset(void) {
|
|
RCC->CSR |= RCC_CSR_RMVF; // clear the reset flags
|
|
}
|