Cherry-pick to earlgrey_1.0.0: immutable rom ext implementation & size reduction #26295
Draft: sasdf wants to merge 9 commits into lowRISC:earlgrey_1.0.0 from sasdf:cp-imm2
Conversation
Change-Id: I079340c3df0380ce2404defb8f79430bdea0db62 Signed-off-by: Yi-Hsuan Deng <[email protected]>
This change enables Oz for rom_ext to reduce code size (43084B -> 41868B). Since some targets can't be built with LLD, this commit introduces a new attribute, `with_features`, to the `opentitan_binary` rule to allow specifying additional features for the target. LTO is also ready to be enabled for those targets, but we found no size improvement (41868B vs. 41896B), so we keep it off at the moment. Change-Id: I5a8e7e7fcbb7d1e435b987d955a3e5ff8e4b7383 Signed-off-by: Yi-Hsuan Deng <[email protected]> (cherry picked from commit 80f1a08)
* Add a nop.o IM_EXT file, which is built by `./riscv32-unknown-elf-as -march=rv32i nop.S -o nop.o`. The IM_EXT only contains a section called `.rom_ext_immutable`, and a single "ret" command.
* Add a new ROM_EXT target to link the nop IM_EXT.
* Add a new test case in `rom_ext/e2e/verified_boot`, which enables the immutable ROM extension and uses the new target to execute the test.
* Add `*.o` as a file extension allowed to have non-ASCII chars.

Signed-off-by: Chia-Wei Liu <[email protected]> (cherry picked from commit 2cf0b0e) Change-Id: I0ef5aa157b197bb0fa852b5afe3268e7c41e5c09
* Add minimized C code, startup asm and linker script for a standalone IM_EXT build target.
* Add a bazel rule `imm_rom_ext_section`, which transforms binaries into object files and turns them into a target that can be directly used as deps of ROM_EXT's bazel targets.
* Add a map of all IM_EXT targets that can be used and make the ROM_EXT targets iterate the map to generate multiple targets.
* Update the ROM_EXT to use in the e2e verified boot test.

Test: The string `Immutable` appears in the UART output of the test target `verified_boot:position_romext_virtual_a_with_hello_world_imm_romext_enabled_fpga_cw340_rom_ext`:

```
OpenTitan:4001-0002-01
ROM:0a7a997f
bootstrap:1
OpenTitan:4001-0002-01
ROM:0a7a997f
Immutable
Starting ROM_EXT 0.1
```

Signed-off-by: Chia-Wei Liu <[email protected]> (cherry picked from commit ee4a828) Change-Id: I81ad8cd635e6d82a9fa43f4989102af9964df1eb
Since CDI_0 attests the integrity of rom_ext, this PR moves the UDS & CDI_0 stage to the immutable rom_ext part, which is executed before the mutable rom_ext, to establish the root of trust in hardware. SKU owners can choose whether immutability should be enforced using the `CREATOR_SW_CFG_IMMUTABLE_ROM_EXT_EN` OTP field. Change-Id: If971654a27ea32eaf74d20d385e48801d28e1da5 Signed-off-by: Yi-Hsuan Deng <[email protected]> (cherry picked from commit 7501199)
Reconfigure ePMP in immutable ROM_EXT to remove executable permission on the immutable data segment. Now, ePMP will be reconfigured to the following layout before jumping to the mutable ROM_EXT:

```
* 6:  MU_EXT  -----  ----
* 7:  MU_EXT  TOR    LX-R
* 8:  IM_EXT  -----  ----
* 9:  IM_EXT  TOR    LX-R
* 10: VIRTUAL NAPOT  L--R
* 11: STACK   NA4    L---
```

MU_EXT stands for the mutable part of rom_ext, and IM_EXT is the immutable part. Slot 10 will be empty if address translation is not enabled, and the stack guard is added back to slot 11. Before jumping to Owner SW, all lock bits will be cleared, so all entries can be recycled by Owner SW. Owner SW will be placed at the same entries as before (2, 3, 4). Change-Id: Id9b6cd68cc24a5816d3e3dc8374b5533a7c6eb75 Signed-off-by: Yi-Hsuan Deng <[email protected]> (cherry picked from commit 437e299)
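As an added illustration (not code from this PR or from OpenTitan), the following encodes the ePMP layout quoted in the commit message above into standard RISC-V `pmpcfg` bytes and the RV32 `pmpcfg1`/`pmpcfg2` CSR words, which is what you would compare against a register dump when verifying that the immutable data region carries no execute permission. It assumes the permission column is written in L/X/W/R order with `-` for a clear bit; the function and constant names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* RISC-V pmpcfg byte (privileged spec): R=bit0, W=bit1, X=bit2,
 * A=bits[4:3] (0=OFF, 1=TOR, 2=NA4, 3=NAPOT), L=bit7. */
enum { PMP_R = 1u << 0, PMP_W = 1u << 1, PMP_X = 1u << 2, PMP_L = 1u << 7,
       PMP_A_TOR = 1u << 3, PMP_A_NA4 = 2u << 3, PMP_A_NAPOT = 3u << 3 };

/* Encode one pmpcfg byte from the table's mode column ("TOR", "NA4", "NAPOT",
 * or "-----" for a disabled entry) and its permission column, read as the
 * letters L/X/W/R with '-' for a bit that stays clear (assumed column order). */
static uint8_t pmp_encode(const char *mode, const char *perms) {
  uint8_t cfg = 0;
  if (strcmp(mode, "TOR") == 0) cfg |= PMP_A_TOR;
  else if (strcmp(mode, "NA4") == 0) cfg |= PMP_A_NA4;
  else if (strcmp(mode, "NAPOT") == 0) cfg |= PMP_A_NAPOT;
  for (const char *p = perms; *p != '\0'; ++p) {
    if (*p == 'L') cfg |= PMP_L;
    else if (*p == 'X') cfg |= PMP_X;
    else if (*p == 'W') cfg |= PMP_W;
    else if (*p == 'R') cfg |= PMP_R;
  }
  return cfg;
}

/* On RV32, pmpcfg<n> packs entries 4n..4n+3, one byte each, entry 4n lowest. */
static uint32_t pmpcfg_word(const uint8_t cfg[16], int n) {
  uint32_t w = 0;
  for (int i = 0; i < 4; ++i) w |= (uint32_t)cfg[4 * n + i] << (8 * i);
  return w;
}

/* Build the post-reconfiguration layout quoted in the commit message
 * (entries 6..11, all others left disabled) and return pmpcfg<n>. */
static uint32_t immutable_layout_pmpcfg(int n) {
  uint8_t cfg[16] = {0};
  cfg[6] = pmp_encode("-----", "----");  /* 6: MU_EXT lower bound of TOR pair */
  cfg[7] = pmp_encode("TOR", "LX-R");    /* 7: MU_EXT, locked, exec + read */
  cfg[8] = pmp_encode("-----", "----");  /* 8: IM_EXT lower bound */
  cfg[9] = pmp_encode("TOR", "LX-R");    /* 9: IM_EXT, locked, exec + read */
  cfg[10] = pmp_encode("NAPOT", "L--R"); /* 10: VIRTUAL, locked, read only */
  cfg[11] = pmp_encode("NA4", "L---");   /* 11: stack guard, locked, no access */
  return pmpcfg_word(cfg, n);
}

int main(void) {
  printf("pmpcfg1=0x%08x pmpcfg2=0x%08x\n", (unsigned)immutable_layout_pmpcfg(1), (unsigned)immutable_layout_pmpcfg(2));
  return 0;
}
```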
This change relaxes some non-critical hardened checks to save space. If any of these checks are skipped by glitching, the device would either get the old DICE cert chain unrelated to the current identity, a corrupted chain that won't verify, or the correct one. Attackers will not gain anything in any of these cases. The key ladder stepping, signing and slot cleanup routines are still kept hardened as before, ensuring the device won't sign anything unexpected. Change-Id: If4eb292d95f39c29b0ab2c632324dd609aeca70d Signed-off-by: Yi-Hsuan Deng <[email protected]> (cherry picked from commit 89d805b)
Since immutable rom_ext only prints string literals, this commit replaces `dbg_printf` with a simplified `dbg_puts` version. It saves about 480 bytes. Change-Id: Ic214aa8e2e69973f18302948311324d6556d8cf1 Signed-off-by: Yi-Hsuan Deng <[email protected]> (cherry picked from commit ed3e118)
Our ROM_EXT is close to the limit, and future changes (e.g. immutable rom_ext) will likely introduce 10~20k more bytes. This refactor moves the error propagation to the end of the asn1 builder, removing a large number of branches to save firmware size. This patch reduced the ROM_EXT by 1860 bytes (45884 to 44024). Change-Id: I295fd36ea1cf125a3c875b12000177b6a3ec826b Signed-off-by: Yi-Hsuan Deng <[email protected]> (cherry picked from commit f6a1c8d)
This PR manually cherry-picks the commits that implement the immutable rom ext to the earlgrey_1.0.0 branch.
Due to the firmware size limit, the last PR (#25686), which enables the immutable section, is not cherry-picked. We'll create another cherry-pick after all the size reduction changes are merged.
Includes