Update RoT bootloader, a.k.a. stage0 #1675
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
See https://github.com/oxidecomputer/sprot-e2e for test scripts |
lzrd
commented
Mar 21, 2024
hawkw
reviewed
Mar 21, 2024
mkeeter
reviewed
Mar 27, 2024
mkeeter
reviewed
Mar 27, 2024
mkeeter
reviewed
Mar 27, 2024
mkeeter
reviewed
Mar 27, 2024
mkeeter
reviewed
Mar 27, 2024
labbott
reviewed
Mar 28, 2024
labbott
reviewed
Apr 15, 2024
aapoalas
reviewed
Apr 16, 2024
| // NXP LPC55's mixed header/vector table offsets | ||
| const RESET_VECTOR_OFFSET: usize = 0x04; | ||
| pub const LENGTH_OFFSET: usize = 0x20; | ||
| pub const HEADER_OFFSET: u32 = 0x130; |
There was a problem hiding this comment.
question: This is used in the main file for len >= HEADER_OFFSET but around it len as usize is used, suggesting that len as usize >= HEADER_OFFSET would be okay as well. Would it then make more sense to just use usize for memory offsets?
There was a problem hiding this comment.
This should be using ImageVectorsLpc55 which should be pulled out and made more available.
|
LGTM! I'll give the final approval once the MGS portion is merged |
lzrd
force-pushed
the
update-stage0
branch
6 times, most recently
from
e746839
to
549564a
Compare
Split the RoT bootloader flash slot into stage0 and stage0next.
Always calculate the firmware measurement even if there is no valid image.
Add Stage0 and Stage0Next boot-time information to RotBootInfo.
lib/lpc55-rot-startup/src/{lib,images}.rs:
Refactored startup code to distinguish between a flash slot that is always measured
and the image it contains being valid or not.
Update the Update APIs and messages to accommodate update of the RoT's bootloader
while maintaining backward compatibility for Hubris updates.
An older control plane should be able to use its known update APIs
to bring a newer RoT or SP Hubris image back into conformance (roll-back).
Use conversion functions to isolate SP to MGS data structure conversion code.
Treat the boot loader as a separate component located in the RoT.
Add Stage0 and Stage0Next boot-time information to RotBootInfo.
Add Stage0 and Stage0Next to update-api.
lpc55-update-server: moving image format and location knowledge to images.rs
Add a versioned rot boot info request so that an older control plane can
upgrade/rollback newer images.
The existing rot_state and rot_boot_info need to remain stable for roll forward
and roll back to work when RoT version is newer than SP version.
Add Component* versions of APIs to allow selection of boot loader component.
Use Fwid type to represent the SHA3_256 digest in case we change digest algo someday.
Fwid includes padding bytes and any subsequent programmed pages in a flash slot,
so don't just call it a digest which can be misleading to people who might expect that
a hash of the bytes of an image would match the RoT report.
Old messages are still supported, e.g.:
$ faux-mgs ... --log-level=CRITICAL state
hubris archive: 8be7b8a5ebfc9313
serial number:
model:
revision: 0
base MAC address: 0e:1d:62:cd:cc:62
power state: A2
RotStateV2 {
active: A,
persistent_boot_preference: A,
pending_persistent_boot_preference: None,
transient_boot_preference: None
slot_a_sha3_256_digest: 004fec2b8f77c091384b6c506230f18f24fc1db6c4de91a18e01ac3a244f015d,
slot_b_sha3_256_digest: 6161bfd3b013e18fd45b539a5ddc9faafe2f3a43882832e49db3dffe58c36eb5,
}
New messages provide information needed to drive bootloader updates (see rot-boot-info below).
Image status has a more descriptive error code enum.
$ faux-mgs ... --log-level=CRITICAL rot-boot-info
RotBootInfo {V3(RotStateV3 {
active: A,
persistent_boot_preference: A,
pending_persistent_boot_preference: None,
transient_boot_preference: None
slot_a_fwid: Sha3_256( 004fec2b8f77c091384b6c506230f18f24fc1db6c4de91a18e01ac3a244f015d ),
slot_b_fwid: Sha3_256( 6161bfd3b013e18fd45b539a5ddc9faafe2f3a43882832e49db3dffe58c36eb5 ),
stage0_fwid: Sha3_256( 62ebe27addfd99e6f6e2ba75302bbb96f8a2d4b2d01b270cbff2ee4e4a2c1280 ),
stage0next_fwid: Sha3_256( 62ebe27addfd99e6f6e2ba75302bbb96f8a2d4b2d01b270cbff2ee4e4a2c1280 ),
slot_a_status: Ok(()),
slot_b_status: Ok(()),
stage0_status: Ok(()),
stage0next_status: Ok(()),
})}
The `stage0next` contents is not copied to `stage0` unless its current hash matches
the hash of a valid signed image found at boot time.
Stage0 cache size is 8192 to accommodate previous 6000+ byte bootloaders.
That can be reduced when rollback protection is implemented and old bootloaders
are expunged from any spares and systems in use.
Remove #[derive(Debug) statements whose deletion does not cause compile errors.
labbott
approved these changes
Apr 30, 2024
This was referenced May 1, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR has four commits to simplify reviewing.
Before merging this PR, Cargo.toml needs to be edited to reference the gateway-message-service main branch.
Merging needs to be coordinated with an MGS merge.
Closes #1043, #1404, #1548, #1353,