[sw/silicon_creator] Implement ROM_EXT bootstrap library #18929
Conversation
dmcardle
force-pushed
the
dmcardle/rom-ext-recovery
branch
3 times, most recently
from
0efa623
to
9c9e807
Compare
dmcardle
force-pushed
the
dmcardle/rom-ext-recovery
branch
3 times, most recently
from
65971c4
to
c62ba6a
Compare
dmcardle
force-pushed
the
dmcardle/rom-ext-recovery
branch
from
c62ba6a
to
db2451d
Compare
dmcardle
force-pushed
the
dmcardle/rom-ext-recovery
branch
5 times, most recently
from
f198b7c
to
6315069
Compare
dmcardle
changed the title
dmcardle
force-pushed
the
dmcardle/rom-ext-recovery
branch
3 times, most recently
from
296ff41
to
a276bc9
Compare
There was a problem hiding this comment.
Thanks a lot for putting this together @dmcardle ! I'm just not sure about the following points:
- Can we try splitting this into two implementations like rom and rom_ext so that we don't have to cache and pass
protect_rom_extto the functions? - I think we should enhance the flash_ctrl.c driver and add a function for setting mp_region_cfg registers for enabling erase over an arbitrary region instead of enabling it for a bank -- this would handle protecting rom_ext as well.
- We should double-check with rom_ext is at a page boundary. If not, we will need to read-modify-write since we can only erase at page boundaries.
I'll send an invite to chat about this tomorrow.
| // If the boot failed, check whether we should enter bootstrap mode. | ||
| if (error != kErrorOk && rom_ext_bootstrap_enabled() == kHardenedBoolTrue) { | ||
| HARDENED_CHECK_EQ(rom_ext_bootstrap_enabled(), kHardenedBoolTrue); | ||
| OT_DISCARD(rom_printf("Entering ROM_EXT bootstrap\r\n")); |
There was a problem hiding this comment.
| OT_DISCARD(rom_printf("Entering ROM_EXT bootstrap\r\n")); |
There was a problem hiding this comment.
So this printf is not strictly necessary, but I figured it simplifies testing rom_ext_bootstrap_enabled() via a functest, since we can set the exit_success to "Entering ROM_EXT bootstrap\r\n".
Deleting is fine as well — e2e tests can just test the observable behavior, such as whether the requested pages were written to flash.
There was a problem hiding this comment.
So this printf is not strictly necessary, but I figured it simplifies testing
rom_ext_bootstrap_enabled()via a functest, since we can set theexit_successto"Entering ROM_EXT bootstrap\r\n".
I see.
Deleting is fine as well — e2e tests can just test the observable behavior, such as whether the requested pages were written to flash.
I think we can also send jedec_id or read_sfdp commands and check the response.
If you prefer to include this please feel free to add a fpga-specific function implementation in device_fpga_cw310.c. You might also want to convert the existing function to a generic fpga_rom_printf(). But please note that if you use it in tests those tests would pass only on FPGA.
dmcardle
force-pushed
the
dmcardle/rom-ext-recovery
branch
2 times, most recently
from
0eb14ee
to
503a09a
Compare
|
Hey @alphan, this is ready to review whenever you get a chance!
Done.
Per our chat, I'll enhance the flash_ctrl driver in a followup PR. This PR has unit tests that verify/document the non-bounds-checking behavior. I've left TODO comments (linking to #19151) about making use of the flash_ctrl memory protection features. I'll sweep through and clean out those TODOs in the followup PR.
Good point. The ROM_EXT regions in slot A and slot B definitely lie on page boundaries. I'll plan on adding a static_assert in the followup PR.
$ python
>>> 524288 % 2048
0
>>> 0x10000 % 2048
0
>>> (524288 + 0x10000) % 2048
0 |
Signed-off-by: Dan McArdle <dmcardle@opentitan.org>
dmcardle
force-pushed
the
dmcardle/rom-ext-recovery
branch
3 times, most recently
from
0b864cd
to
81e5a3c
Compare
Issue lowRISC#19151 Signed-off-by: Dan McArdle <dmcardle@opentitan.org>
dmcardle
force-pushed
the
dmcardle/rom-ext-recovery
branch
from
81e5a3c
to
0826752
Compare
No description provided.