[runtime] Start recovery flow in the runtime #1904
Conversation
swenson
requested review from
jhand2,
fdamato,
rusty1968,
bluegate010,
mhatrevi,
vsonims,
ajisaxena,
korran and
JohnTraverAmd
as code owners
| @@ -62,7 +106,7 @@ pub struct DmaWriteTransaction { | |||
|
|
|||
| /// Dma Widget | |||
| pub struct Dma { | |||
| dma: AxiDmaReg, | |||
| dma: Cell<Option<AxiDmaReg>>, | |||
There was a problem hiding this comment.
We have to switch to a Cell because the Mmio and MmioMut interfaces require that the methods use &self instead of &mut self, so we need interior mutability.
For safety, I used a with_dma() to ensure that the AxiDmaReg is only used by one function at a time, though this is probably overkill since Caliptra is single-threaded.
There was a problem hiding this comment.
Suggest simplifying the code (if possible) with the single-threaded execution assumption.
swenson
force-pushed
the
download-manifest-mcu-fw
branch
2 times, most recently
from
9152e52 to
c9b226d
Compare
swenson
requested review from
jlmahowa-amd,
wmaroneAMD and
nquarton
as code owners
drivers/src/dma.rs
Outdated
| self.dma.set(Some(dma)); | ||
| Ok(result) | ||
| } else { | ||
| Err(CaliptraError::RUNTIME_INTERNAL) // should never happen |
There was a problem hiding this comment.
Suggest renaming this to something like 'DRIVERS_INTERNAL' to disambiguate from a Runtime app error.
runtime/src/recovery_flow.rs
Outdated
| .auth_manifest_image_metadata_col = image_metadata_collection; | ||
| // [TODO][CAP2]: capture measurement of Soc manifest? | ||
| // [TODO][CAP2]: this should be writing to MCU SRAM directly via AXI | ||
| let _mcu_size_bytes = dma_recovery.download_image_to_mbox(SOC_MANIFEST_INDEX)?; |
There was a problem hiding this comment.
This should use the MCU_FIRMWARE_INDEX.
| @@ -171,6 +176,9 @@ impl Drivers { | |||
| ResetReason::ColdReset => { | |||
| cfi_assert_eq(self.soc_ifc.reset_reason(), ResetReason::ColdReset); | |||
| Self::initialize_dpe(self)?; | |||
| if self.soc_ifc.active_mode() { | |||
There was a problem hiding this comment.
I wonder if this should be a build-time flag since for a given integration it's either active or not. Otoh, it's probably easier to have a less complicated test matrix for RT.
There was a problem hiding this comment.
Would we plan on building a separate active mode ROM then?
runtime/src/recovery_flow.rs
Outdated
| let _soc_size_bytes = dma_recovery.download_image_to_mbox(SOC_MANIFEST_INDEX)?; | ||
| let Some(preamble) = AuthManifestPreamble::read_from_prefix(drivers.mbox.raw_mailbox_contents()) else { | ||
| return Err(CaliptraError::IMAGE_VERIFIER_ERR_MANIFEST_SIZE_MISMATCH); | ||
| }; | ||
| let Some(image_metadata_collection) = AuthManifestImageMetadataCollection::read_from_prefix(&drivers.mbox.raw_mailbox_contents()[AUTH_MANIFEST_PREAMBLE_SIZE..]) else { | ||
| return Err(CaliptraError::IMAGE_VERIFIER_ERR_MANIFEST_SIZE_MISMATCH); | ||
| }; |
There was a problem hiding this comment.
nit: can probably simplify this by making a single stuct that contains AuthManifestPreamble and AuthManifestImageMetadataCollection and then doing a single read.
ureg/src/lib.rs
Outdated
| fn from_u32(val: u32) -> Self { | ||
| (val & 0xff) as u8 | ||
| } |
There was a problem hiding this comment.
Is this needed for multiple types? I think I would prefer to the the truncation closer to the specific register that needs it so that we can review specific usages as not dropping any meaningful bytes.
There was a problem hiding this comment.
It's not truly needed except on paper, as we don't have any 8- or 16-bit registers.
There was a problem hiding this comment.
I think we can drop this and replace it with TryFrom<u32>.
|
|
||
| // // download SoC manifest | ||
| let _soc_size_bytes = dma_recovery.download_image_to_mbox(SOC_MANIFEST_INDEX)?; | ||
| let Some(manifest) = AuthorizationManifest::read_from_prefix(drivers.mbox.raw_mailbox_contents()) else { |
There was a problem hiding this comment.
This is not efficient. AuthorizationManifest is of 14284 bytes; most of the time there will only be a handful of image digests in it. I would simply add a TODO here to call the existing set_manifest_code.
swenson
force-pushed
the
download-manifest-mcu-fw
branch
from
0eade71 to
c56a00d
Compare
|
PR updated and rebased. PTAL |
swenson
force-pushed
the
download-manifest-mcu-fw
branch
from
c56a00d to
029bf2a
Compare
This stubs out the recovery flow in the runtime. We also update the DMA peripheral so that it can be used as a `ureg::Mmio`, which will allow us to use the autogenerated I3C recovery register interface instead of hardcoding offsets. We also had to modify `ureg` slightly to remove the unused `impl Uint` for `u64` (because we don't don't support 64-bit AXI transfers) and add a `from_u32()` method for the (unused) `u8` and `u16` implementations. This builds on #1867 and rewrites it to use the updated DMA interface.
swenson
force-pushed
the
download-manifest-mcu-fw
branch
from
029bf2a to
020f2a3
Compare
This stubs out the recovery flow in the runtime.
We also update the DMA peripheral so that it can be used as a
ureg::Mmio, which will allow us to use the autogenerated I3C recoveryregister interface instead of hardcoding offsets.
We also had to modify
uregslightly to addDefault,TryFrom<u32>,and
TryInto<u32>constraints toUintto make it simpler to use with theDMA interface.
This builds on #1867 and rewrites it to use the updated DMA interface.