Merge pull request #841 from betrusted-io/backup-regs

Backup register features & SPIM timeout fixes

Author: bunnie

bao1x-boot/boot1/src/main.rs

@@ -219,10 +219,10 @@ pub unsafe extern "C" fn rust_entry() -> ! {
     // needed after reset for the display to initialize
     if let Some(ref mut sh1107) = oled {
         // show the boot logo
-        sh1107.init();
+        sh1107.init().ok();
         delay(100);
         sh1107.blit_screen(&ux_api::bitmaps::baochip128x128::BITMAP);
-        sh1107.draw();
+        sh1107.draw().ok();
         delay(150);
     } else {
         delay(250);
@@ -450,5 +450,5 @@ pub fn marquee(sh1107: &mut Oled128x128, msg: &str) {
         bao1x_hal::sh1107::Mono::White.into(),
         bao1x_hal::sh1107::Mono::Black.into(),
     );
-    sh1107.draw();
+    sh1107.draw().ok();
 }

bao1x-boot/boot1/src/platform/bao1x/usb/handlers.rs

@@ -364,6 +364,7 @@ pub fn usb_ep1_bulk_out_complete(
                                             None,
                                         ),
                                         false,
+                                        ((100_000_000 / 2) / 2_000_000) as u8,
                                     ),
                                     &iox,
                                 )

libs/bao1x-api/src/lib.rs

@@ -18,7 +18,7 @@ pub mod signatures;
 pub use offsets::*;
 pub mod clocks;
 pub mod pubkeys;
-use arbitrary_int::u31;
+use arbitrary_int::u30;
 use bitbybit::bitfield;
 pub use clocks::*;
 pub mod bio;
@@ -65,8 +65,13 @@ pub const AUTO_AUDIT_LIMIT: u32 = 3;
 #[bitfield(u32)]
 #[derive(PartialEq, Eq, Debug)]
 pub struct BackupFlags {
-    #[bits(1..=31, rw)]
-    reserved: u31,
+    #[bits(2..=31, rw)]
+    reserved: u30,
+    /// When true, the system has previously booted. This is reserved for OS-level management. It is
+    /// not automatically managed by the bootloader. However, after an AORST_N, the flag should be `false`
+    /// by hardware design.
+    #[bit(1, rw)]
+    warm_boot: bool,
     /// When `false`, indicates that the time in the RTC register is not synchronized to the offset
     /// that is read from disk. Upon first encounter with an external time source, the offset should
     /// be captured and recorded to disk.

libs/bao1x-hal/src/buram.rs

@@ -1,7 +1,7 @@
 use core::ops::Range;
 
 const KEY_RANGE: Range<usize> = 2..8;
-const KEY_LEN: usize = range_len(KEY_RANGE) * size_of::<u32>();
+pub const KEY_LEN: usize = range_len(KEY_RANGE) * size_of::<u32>();
 const HASH_LOC: usize = 0;
 const FLAGS_LOC: usize = 1;
 

libs/bao1x-hal/src/sh1107.rs

@@ -183,6 +183,7 @@ pub struct Oled128x128<'a> {
     powerdown: bool,
     power_port: IoxPort,
     power_pin: u8,
+    clk_div: u8,
 }
 
 impl<'a> Oled128x128<'a> {
@@ -267,9 +268,19 @@ impl<'a> Oled128x128<'a> {
             power_port,
             power_pin,
             powerdown: false,
+            clk_div: ((perclk_freq / 2) / 2_000_000) as u8,
         }
     }
 
+    // used to recover a wedged SPI interface
+    pub fn reinit_spi(&mut self) {
+        self.spim.send_cmd_list(&[crate::udma::SpimCmd::Config(
+            SpimClkPol::LeadingEdgeRise,
+            SpimClkPha::CaptureOnLeading,
+            self.clk_div,
+        )]);
+    }
+
     /// This should only be called to initialize the panic handler with its own
     /// copy of hardware registers.
     ///
@@ -300,8 +311,9 @@ impl<'a> Oled128x128<'a> {
             Option<CommandSet>,
         ),
         bool,
+        u8,
     ) {
-        (self.spim.into_raw_parts(), self.powerdown)
+        (self.spim.into_raw_parts(), self.powerdown, self.clk_div)
     }
 
     /// Creates a clone of the display handle. This is only safe if the handles are used in a
@@ -331,6 +343,7 @@ impl<'a> Oled128x128<'a> {
                 Option<CommandSet>,
             ),
             bool,
+            u8,
         ),
         iox: &'a T,
     ) -> Self
@@ -354,6 +367,7 @@ impl<'a> Oled128x128<'a> {
                 command_set,
             ),
             powerdown,
+            clk_div,
         ) = display_parts;
         // compile them into a new object
         let mut spim = unsafe {
@@ -398,6 +412,7 @@ impl<'a> Oled128x128<'a> {
             powerdown,
             power_pin,
             power_port,
+            clk_div,
         }
     }
 
@@ -407,7 +422,7 @@ impl<'a> Oled128x128<'a> {
 
     pub fn screen_size(&self) -> Point { Point::new(WIDTH, LINES) }
 
-    pub fn redraw(&mut self) { self.draw(); }
+    pub fn redraw(&mut self) -> Result<(), xous::Error> { self.draw() }
 
     pub fn blit_screen(&mut self, bmp: &[u32]) { self.buffer.copy_from_slice(bmp); }
 
@@ -417,21 +432,21 @@ impl<'a> Oled128x128<'a> {
 
     pub fn stash(&mut self) { self.stash.copy_from_slice(&self.buffer); }
 
-    pub fn pop(&mut self) {
+    pub fn pop(&mut self) -> Result<(), xous::Error> {
         self.buffer.copy_from_slice(&self.stash);
-        self.redraw();
+        self.redraw()
     }
 
     fn set_data(&self) { self.iox.set_gpio_pin_value(self.cd_port, self.cd_pin, IoxValue::High); }
 
     fn set_command(&self) { self.iox.set_gpio_pin_value(self.cd_port, self.cd_pin, IoxValue::Low); }
 
-    pub fn send_command<'b, U>(&'b mut self, cmd: U)
+    pub fn send_command<'b, U>(&'b mut self, cmd: U) -> Result<(), xous::Error>
     where
         U: IntoIterator<Item = u8> + 'b,
     {
         if self.powerdown {
-            return;
+            return Ok(());
         }
         self.set_command();
         let total_buf_len = self.buffer.len() * size_of::<u32>();
@@ -451,16 +466,18 @@ impl<'a> Oled128x128<'a> {
                 .txrx_data_async_from_parts::<u8>(total_buf_len, len, true, false)
                 .expect("Couldn't initiate oled command");
         }
-        self.spim.txrx_await(false).unwrap_or_else(|_e| {
-            #[cfg(feature = "std")]
-            log::error!("txrx err {:?}", _e);
-            &[]
-        });
+        self.spim
+            .txrx_await(false)
+            .inspect_err(|_| {
+                #[cfg(feature = "std")]
+                log::error!("timeout in send_command");
+            })
+            .map(|_| ())
     }
 
-    pub fn init(&mut self) {
+    pub fn init(&mut self) -> Result<(), xous::Error> {
         if self.powerdown {
-            return;
+            return Ok(());
         }
         use Command::*;
         let init_sequence = [
@@ -483,17 +500,18 @@ impl<'a> Oled128x128<'a> {
 
         for command in init_sequence {
             let bytes = command.encode();
-            self.send_command(bytes);
+            self.send_command(bytes)?;
         }
         // clear the frame buffer
         self.buffer_mut().fill(0xFFFF_FFFF);
-        self.draw();
+        self.draw()?;
 
         let display_on = [DisplayOnOff(DisplayState::On)];
         for command in display_on {
             let bytes = command.encode();
-            self.send_command(bytes);
+            self.send_command(bytes)?;
         }
+        Ok(())
     }
 
     pub fn powerdown(&mut self) {
@@ -516,9 +534,9 @@ impl<'a> Oled128x128<'a> {
         self.powerdown = false;
     }
 
-    pub fn brightness(&mut self, level: u8) {
+    pub fn brightness(&mut self, level: u8) -> Result<(), xous::Error> {
         let bytes = Command::SetContrastControl(level).encode();
-        self.send_command(bytes);
+        self.send_command(bytes)
     }
 
     #[cfg(feature = "std")]
@@ -574,10 +592,10 @@ impl<'a> Oled128x128<'a> {
 
 impl<'a> FrameBuffer for Oled128x128<'a> {
     /// Copies the SRAM buffer to IFRAM and then transfers that over SPI
-    fn draw(&mut self) {
+    fn draw(&mut self) -> Result<(), xous::Error> {
         self.hw_buf.copy_from_slice(&self.buffer);
         if self.powerdown {
-            return;
+            return Ok(());
         }
         let chunk_size = 16;
         let chunks = self.buffer().len() * size_of::<u32>() / chunk_size;
@@ -588,8 +606,8 @@ impl<'a> FrameBuffer for Oled128x128<'a> {
             // the transaction is done before the data is done transmitting, and we have to
             // toggle set_data() only after the physical transaction is done, not after the
             // the last UDMA action has been queued.
-            self.send_command(Command::SetPageAddress(0).encode());
-            self.send_command(Command::SetColumnAddress(page as u8).encode());
+            self.send_command(Command::SetPageAddress(0).encode())?;
+            self.send_command(Command::SetColumnAddress(page as u8).encode())?;
             // wait for commands to finish before toggling set_data
             // self.spim.tx_data_await(false);
             // crate::println!("Send page {}, offset {:x}", page, page * chunk_size);
@@ -600,12 +618,12 @@ impl<'a> FrameBuffer for Oled128x128<'a> {
                     .txrx_data_async_from_parts::<u8>(page * chunk_size, chunk_size, true, false)
                     .expect("Couldn't initiate oled data transfer");
             }
-            self.spim.txrx_await(false).unwrap_or_else(|_e| {
+            self.spim.txrx_await(false).inspect_err(|_| {
                 #[cfg(feature = "std")]
-                log::error!("txrx err {:?}", _e);
-                &[]
-            });
+                log::error!("timeout in draw");
+            })?;
         }
+        Ok(())
     }
 
     fn clear(&mut self) { self.buffer_mut().fill(0xFFFF_FFFF); }

libs/bao1x-hal/src/udma/spim.rs

@@ -476,7 +476,7 @@ impl Spim {
         &self.ifram.as_phys_slice()[..self.tx_buf_len_bytes / size_of::<T>()]
     }
 
-    fn send_cmd_list(&mut self, cmds: &[SpimCmd]) {
+    pub fn send_cmd_list(&mut self, cmds: &[SpimCmd]) {
         for cmd_chunk in cmds.chunks(SPIM_CMD_BUF_LEN_BYTES / size_of::<u32>()) {
             for (src, dst) in cmd_chunk.iter().zip(self.cmd_buf_mut().iter_mut()) {
                 *dst = (*src).into();

libs/keystore-api/src/gen2_api.rs

@@ -15,8 +15,15 @@ pub enum Opcode {
     AesOracle = 4,
     /// initiate key wrapper operation
     AesKwp = 5,
-    /// Ephemeral secret operations
-    EphemeralOp = 256,
+    /// Ephemeral secret operations. Split into MSB/LSB pairs, because we want to strictly use
+    /// scalar messages only for this. This helps to ensure to leakage of secrets to memory pages
+    /// (there is some risk of stack spillage, but this at least reduces the attack surface).
+    /// The ephemeral secret is 192 bits long - so the `Scalar` operation is split into 1x control
+    /// word, and 3x 32 bit words that transmit the secret.
+    Ephemeral = 256,
+    /// Flag operations
+    GetFlags = 512,
+    SetFlags = 513,
 
     // ----- below are non-cryptographic opcodes but used to manipulate sensitive state -----
     /// Set bootwait parameters
@@ -26,3 +33,11 @@ pub enum Opcode {
     /// Used to map unknown opcodes
     InvalidCall = 65535,
 }
+
+#[derive(num_derive::FromPrimitive, num_derive::ToPrimitive, Debug)]
+pub enum EphemeralOp {
+    GetLsb,
+    SetLsb,
+    GetMsb,
+    SetMsb,
+}

libs/ux-api/src/minigfx/mod.rs

@@ -47,7 +47,7 @@ pub trait FrameBuffer {
     /// and background colors for a color theme.
     fn xor_pixel(&mut self, p: Point);
     /// Swaps the drawable buffer to the screen and sends it to the hardware
-    fn draw(&mut self);
+    fn draw(&mut self) -> Result<(), xous::Error>;
     /// Clears the drawable buffer
     fn clear(&mut self);
     /// Returns the size of the frame buffer as a Point
@@ -68,7 +68,7 @@ impl FrameBuffer for DynFb<'_> {
 
     fn get_pixel(&self, p: Point) -> Option<ColorNative> { self.0.get_pixel(p) }
 
-    fn draw(&mut self) { self.0.draw(); }
+    fn draw(&mut self) -> Result<(), xous::Error> { self.0.draw() }
 
     fn clear(&mut self) { self.0.clear(); }
 

loader/src/platform/bao1x/bao1x.rs

@@ -168,10 +168,10 @@ pub fn early_init_hw() -> u32 {
             &mut iox,
             &mut udma_global,
         );
-        sh1107.init();
+        sh1107.init().ok();
         sh1107.buffer_mut().fill(0xFFFF_FFFF);
         sh1107.blit_screen(&ux_api::bitmaps::baochip128x128::BITMAP);
-        sh1107.draw();
+        sh1107.draw().ok();
     }
 
     #[cfg(feature = "board-dabao")]
@@ -228,10 +228,10 @@ pub fn oled_init<'a>(
         iox,
         udma_global,
     );
-    sh1107.init();
+    sh1107.init().ok();
     sh1107.buffer_mut().fill(0xFFFF_FFFF);
     sh1107.blit_screen(&ux_api::bitmaps::baochip128x128::BITMAP);
-    sh1107.draw();
+    sh1107.draw().ok();
     sh1107
 }
 
@@ -415,5 +415,5 @@ pub fn progress_bar(fb: &mut dyn FrameBuffer, progress: usize) {
             false,
         );
     }
-    fb.0.draw();
+    fb.0.draw().ok();
 }