chore(core): refactor boot_args

[no changelog]
trezor · Nov 14, 2023 · bb6f9d8 · bb6f9d8
1 parent 7c6a6b7
commit bb6f9d8
Show file tree

Hide file tree

Showing 30 changed files with 223 additions and 128 deletions.
diff --git a/core/SConscript.bootloader_emu b/core/SConscript.bootloader_emu
@@ -125,6 +125,7 @@ SOURCE_BOOTLOADER = [
 ]
 
 SOURCE_TREZORHAL = [
+    'embed/trezorhal/unix/boot_args.c',
     'embed/trezorhal/unix/display-unix.c',
     'embed/trezorhal/unix/flash.c',
     'embed/trezorhal/unix/common.c',

diff --git a/core/SConscript.unix b/core/SConscript.unix
@@ -372,6 +372,7 @@ SOURCE_MICROPYTHON = [
 ]
 
 SOURCE_UNIX = [
+    'embed/trezorhal/unix/boot_args.c',
     'embed/trezorhal/unix/common.c',
     'embed/trezorhal/unix/display-unix.c',
     'embed/trezorhal/unix/flash.c',

diff --git a/core/embed/boardloader/main.c b/core/embed/boardloader/main.c
@@ -300,7 +300,7 @@ int main(void) {
 
   mpu_config_off();
 
-  // g_boot_flag is preserved on STM32U5
+  // g_boot_command is preserved on STM32U5
   jump_to(BOOTLOADER_START + IMAGE_HEADER_SIZE);
 
   return 0;

diff --git a/core/embed/boardloader/memory_stm32u5a.ld b/core/embed/boardloader/memory_stm32u5a.ld
@@ -4,8 +4,8 @@ ENTRY(reset_handler)
 
 MEMORY {
   FLASH  (rx)  : ORIGIN = 0x0C004000, LENGTH = 48K
-  SRAM1  (wal) : ORIGIN = 0x30000000, LENGTH =  768K - (0x100 + 4)
-  BOOT_ARGS  (wal) : ORIGIN = 0x300BFEFC, LENGTH =  (0x100 + 4)
+  SRAM1  (wal) : ORIGIN = 0x30000000, LENGTH =  768K - 0x100
+  BOOT_ARGS  (wal) : ORIGIN = 0x300BFF00, LENGTH =  0x100
   SRAM2  (wal) : ORIGIN = 0x300C0000, LENGTH =  64K
   SRAM3  (wal) : ORIGIN = 0x300D0000, LENGTH =  832K
   SRAM5  (wal) : ORIGIN = 0x301A0000, LENGTH =  832K
@@ -44,8 +44,6 @@ sram6_end = ORIGIN(SRAM6) + LENGTH(SRAM6);
 /* reserve 256 bytes for bootloader arguments */
 boot_args_start = ORIGIN(BOOT_ARGS);
 boot_args_end = ORIGIN(BOOT_ARGS) + LENGTH(BOOT_ARGS);
-g_boot_args = (boot_args_start + 4);
-g_boot_flag = boot_args_start;
 
 SECTIONS {
   .vector_table : ALIGN(512) {
@@ -104,6 +102,14 @@ SECTIONS {
     . = ALIGN(4);
   } >SRAM5
 
+  .boot_args : ALIGN(8) {
+    *(.boot_command*);
+    . = ALIGN(8);
+    *(.boot_args*);
+    . = ALIGN(8);
+  } >BOOT_ARGS
+
+
   /* Hard-coded address for capabilities structure */
   .capabilities 0x0C00FF00 : {KEEP(*(.capabilities_section))}
 }
diff --git a/core/embed/bootloader/boot_internal.h b/core/embed/bootloader/boot_internal.h
diff --git a/core/embed/bootloader/emulator.c b/core/embed/bootloader/emulator.c
@@ -2,7 +2,7 @@
 #include <unistd.h>
 
 #include TREZOR_BOARD
-#include "boot_internal.h"
+#include "boot_args.h"
 #include "bootui.h"
 #include "common.h"
 #include "display.h"
@@ -19,11 +19,6 @@
 
 uint8_t *FIRMWARE_START = 0;
 
-// Simulation of a boot command normally grabbed during reset processing
-boot_command_t g_boot_command = BOOT_COMMAND_NONE;
-// Simulation of a boot args normally sitting at the BOOT_ARGS region
-uint8_t g_boot_args[BOOT_ARGS_SIZE];
-
 void set_core_clock(int) {}
 
 int bootloader_main(void);
@@ -55,7 +50,7 @@ void usage(void) {
   printf("  -h  show this help\n");
 }
 
-bool load_firmware(const char *filename) {
+bool load_firmware(const char *filename, uint8_t *hash) {
   // read the first 6 kB of firmware file into a buffer
   FILE *file = fopen(filename, "rb");
   if (!file) {
@@ -87,7 +82,8 @@ bool load_firmware(const char *filename) {
   BLAKE2S_CTX ctx;
   blake2s_Init(&ctx, BLAKE2S_DIGEST_LENGTH);
   blake2s_Update(&ctx, buffer, vhdr.hdrlen + hdr->hdrlen);
-  blake2s_Final(&ctx, g_boot_args, BLAKE2S_DIGEST_LENGTH);
+  blake2s_Final(&ctx, hash, BLAKE2S_DIGEST_LENGTH);
+
   return true;
 }
 
@@ -131,7 +127,7 @@ __attribute__((noreturn)) int main(int argc, char **argv) {
   while ((opt = getopt(argc, argv, "hslec:b:f:")) != -1) {
     switch (opt) {
       case 's':
-        g_boot_command = BOOT_COMMAND_STOP_AND_WAIT;
+        bootargs_set(BOOT_COMMAND_STOP_AND_WAIT, NULL, 0);
         break;
       case 'e':
         display_error = true;
@@ -145,10 +141,11 @@ __attribute__((noreturn)) int main(int argc, char **argv) {
         bitcoin_only = atoi(optarg);
         break;
       case 'f':
-        g_boot_command = BOOT_COMMAND_INSTALL_UPGRADE;
-        if (!load_firmware(optarg)) {
+        uint8_t hash[BLAKE2S_DIGEST_LENGTH];
+        if (!load_firmware(optarg, hash)) {
           exit(1);
         }
+        bootargs_set(BOOT_COMMAND_INSTALL_UPGRADE, hash, sizeof(hash));
         break;
 #ifdef USE_OPTIGA
       case 'l':

diff --git a/core/embed/bootloader/main.c b/core/embed/bootloader/main.c
@@ -20,7 +20,7 @@
 #include <string.h>
 #include <sys/types.h>
 
-#include "boot_internal.h"
+#include "boot_args.h"
 #include "common.h"
 #include "display.h"
 #include "flash.h"
@@ -512,7 +512,7 @@ int bootloader_main(void) {
   check_bootloader_version();
 #endif
 
-  switch (g_boot_command) {
+  switch (bootargs_get_command()) {
     case BOOT_COMMAND_STOP_AND_WAIT:
       // firmare requested to stay in bootloader
       stay_in_bootloader = sectrue;

diff --git a/core/embed/bootloader/memory_stm32f4.ld b/core/embed/bootloader/memory_stm32f4.ld
@@ -29,7 +29,6 @@ sram_end = ORIGIN(SRAM) + LENGTH(SRAM);
 /* reserve 256 bytes for bootloader arguments */
 boot_args_start = ORIGIN(BOOT_ARGS);
 boot_args_end = ORIGIN(BOOT_ARGS) + LENGTH(BOOT_ARGS);
-g_boot_args = boot_args_start;
 
 _codelen = SIZEOF(.flash) + SIZEOF(.data);
 
@@ -70,4 +69,9 @@ SECTIONS {
     . = ALIGN(4);
   } >SRAM
 
+  .boot_args : ALIGN(8) {
+    *(.boot_args*);
+    . = ALIGN(8);
+  } >BOOT_ARGS
+
 }
diff --git a/core/embed/bootloader/memory_stm32u5a.ld b/core/embed/bootloader/memory_stm32u5a.ld
@@ -4,8 +4,8 @@ ENTRY(reset_handler)
 
 MEMORY {
   FLASH  (rx)  : ORIGIN = 0x0C010000, LENGTH = 128K
-  SRAM1  (wal) : ORIGIN = 0x30000000, LENGTH =  768K - (0x100 + 4)
-  BOOT_ARGS  (wal) : ORIGIN = 0x300BFEFC, LENGTH =  (0x100 + 4)
+  SRAM1  (wal) : ORIGIN = 0x30000000, LENGTH =  768K - 0x100
+  BOOT_ARGS  (wal) : ORIGIN = 0x300BFF00, LENGTH =  0x100
   SRAM2  (wal) : ORIGIN = 0x300C0000, LENGTH =  64K
   SRAM3  (wal) : ORIGIN = 0x300D0000, LENGTH =  832K
   SRAM5  (wal) : ORIGIN = 0x301A0000, LENGTH =  832K
@@ -44,8 +44,6 @@ sram6_end = ORIGIN(SRAM6) + LENGTH(SRAM6);
 /* reserve 256 bytes for bootloader arguments */
 boot_args_start = ORIGIN(BOOT_ARGS);
 boot_args_end = ORIGIN(BOOT_ARGS) + LENGTH(BOOT_ARGS);
-g_boot_args = (boot_args_start + 4);
-g_boot_flag = boot_args_start;
 
 _codelen = SIZEOF(.flash) + SIZEOF(.data) + SIZEOF(.sensitive);
 
@@ -104,4 +102,11 @@ SECTIONS {
    __fb_end = .;
     . = ALIGN(4);
   } >SRAM5
+
+  .boot_args : ALIGN(8) {
+    *(.boot_command*);
+    . = ALIGN(8);
+    *(.boot_args*);
+    . = ALIGN(8);
+  } >BOOT_ARGS
 }
diff --git a/core/embed/bootloader/messages.c b/core/embed/bootloader/messages.c
@@ -24,7 +24,7 @@
 #include <pb_encode.h>
 #include "messages.pb.h"
 
-#include "boot_internal.h"
+#include "boot_args.h"
 #include "common.h"
 #include "flash.h"
 #include "image.h"
@@ -598,7 +598,7 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
 
       secbool is_ilu = secfalse;  // interaction-less update
 
-      if (g_boot_command == BOOT_COMMAND_INSTALL_UPGRADE) {
+      if (bootargs_get_command() == BOOT_COMMAND_INSTALL_UPGRADE) {
         BLAKE2S_CTX ctx;
         uint8_t hash[BLAKE2S_DIGEST_LENGTH];
         blake2s_Init(&ctx, BLAKE2S_DIGEST_LENGTH);
@@ -607,7 +607,7 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
         blake2s_Final(&ctx, hash, BLAKE2S_DIGEST_LENGTH);
 
         // the firmware must be the same as confirmed by the user
-        if (memcmp(&g_boot_args[0], hash, sizeof(hash)) != 0) {
+        if (memcmp(bootargs_get_args()->hash, hash, sizeof(hash)) != 0) {
           MSG_SEND_INIT(Failure);
           MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
           MSG_SEND_ASSIGN_STRING(message, "Firmware mismatch");

diff --git a/core/embed/bootloader/startup_stm32f4.s b/core/embed/bootloader/startup_stm32f4.s
@@ -33,22 +33,15 @@ reset_handler:
   // subsequent operations, it is not necessary to insert a memory barrier instruction."
   cpsie f
 
-  // r11 contains argument passed to reboot_to_bootloader()
+  // r11 contains the command passed to bootargs_set()
   // function called when the firmware rebooted to the bootloader
-  ldr r0, =g_boot_command
+  ldr r0, =g_boot_command_shadow
   str r11, [r0]
 
   // enter the application code
   bl main
 
   b shutdown_privileged
 
-  .bss
-
-  .global g_boot_command
-g_boot_command:
-  .word  0
-
-
   .end
 
diff --git a/core/embed/bootloader/startup_stm32u5.s b/core/embed/bootloader/startup_stm32u5.s
@@ -49,12 +49,12 @@ reset_handler:
   ldr r1, = __stack_chk_guard
   str r0, [r1]
 
-  //
-  ldr r0, =g_boot_flag
-  ldr r1, [r0]
+  // copy & clear g_boot_command
   ldr r0, =g_boot_command
+  ldr r1, [r0]
+  ldr r0, =g_boot_command_shadow
   str r1, [r0]
-  ldr r0, =g_boot_flag
+  ldr r0, =g_boot_command
   mov r1, #0
   str r1, [r0]
 
@@ -69,10 +69,4 @@ reset_handler:
 
   b shutdown_privileged
 
-  .bss
-
-  .global g_boot_command
-g_boot_command:
-  .word  0
-
   .end
diff --git a/core/embed/bootloader_ci/memory_stm32f4.ld b/core/embed/bootloader_ci/memory_stm32f4.ld
@@ -69,4 +69,8 @@ SECTIONS {
     . = ALIGN(4);
   } >SRAM
 
+  .boot_args : ALIGN(8) {
+    *(.boot_args*);
+    . = ALIGN(8);
+  } >BOOT_ARGS
 }
diff --git a/core/embed/bootloader_ci/memory_stm32u5a.ld b/core/embed/bootloader_ci/memory_stm32u5a.ld
@@ -4,8 +4,8 @@ ENTRY(reset_handler)
 
 MEMORY {
   FLASH  (rx)  : ORIGIN = 0x0C010000, LENGTH = 128K
-  SRAM1  (wal) : ORIGIN = 0x30000000, LENGTH =  768K - (0x100 + 4)
-  BOOT_ARGS  (wal) : ORIGIN = 0x300BFEFC, LENGTH =  (0x100 + 4)
+  SRAM1  (wal) : ORIGIN = 0x30000000, LENGTH =  768K - 0x100
+  BOOT_ARGS  (wal) : ORIGIN = 0x300BFF00, LENGTH =  0x100
   SRAM2  (wal) : ORIGIN = 0x300C0000, LENGTH =  64K
   SRAM3  (wal) : ORIGIN = 0x300D0000, LENGTH =  832K
   SRAM5  (wal) : ORIGIN = 0x301A0000, LENGTH =  832K
@@ -44,8 +44,6 @@ sram6_end = ORIGIN(SRAM6) + LENGTH(SRAM6);
 /* reserve 256 bytes for bootloader arguments */
 boot_args_start = ORIGIN(BOOT_ARGS);
 boot_args_end = ORIGIN(BOOT_ARGS) + LENGTH(BOOT_ARGS);
-g_boot_args = (boot_args_start + 4);
-g_boot_flag = boot_args_start;
 
 _codelen = SIZEOF(.flash) + SIZEOF(.data) + SIZEOF(.sensitive);
 
@@ -104,4 +102,11 @@ SECTIONS {
    __fb_end = .;
     . = ALIGN(4);
   } >SRAM5
+
+  .boot_args : ALIGN(8) {
+    *(.boot_command*);
+    . = ALIGN(8);
+    *(.boot_args*);
+    . = ALIGN(8);
+  } >BOOT_ARGS
 }
diff --git a/core/embed/bootloader_ci/startup_stm32u5.s b/core/embed/bootloader_ci/startup_stm32u5.s
@@ -49,15 +49,6 @@ reset_handler:
   ldr r1, = __stack_chk_guard
   str r0, [r1]
 
-  //
-  ldr r0, =g_boot_flag
-  ldr r1, [r0]
-  ldr r0, =g_boot_command
-  str r1, [r0]
-  ldr r0, =g_boot_flag
-  mov r1, #0
-  str r1, [r0]
-
   // re-enable exceptions
   // according to "ARM Cortex-M Programming Guide to Memory Barrier Instructions" Application Note 321, section 4.7:
   // "If it is not necessary to ensure that a pended interrupt is recognized immediately before
@@ -69,10 +60,4 @@ reset_handler:
 
   b shutdown_privileged
 
-  .bss
-
-  .global g_boot_command
-g_boot_command:
-  .word  0
-
   .end
diff --git a/core/embed/extmod/modtrezorutils/modtrezorutils.c b/core/embed/extmod/modtrezorutils/modtrezorutils.c
@@ -283,7 +283,8 @@ STATIC mp_obj_t mod_trezorutils_reboot_to_bootloader(size_t n_args,
     mp_get_buffer_raise(args[1], &boot_args, MP_BUFFER_READ);
   }
 
-  svc_reboot_to_bootloader(boot_command, boot_args.buf, boot_args.len);
+  bootargs_set(boot_command, boot_args.buf, boot_args.len);
+  svc_reboot_to_bootloader();
 #endif
   return mp_const_none;
 }