Pass measurement token between RoT and SP (#2138)

This PR implements RFD 568: SP resets and
measurement (https://rfd.shared.oxide.computer/rfd/0568)

The goal of the RFD is to solve the cold boot problem, where the RoT
takes several seconds to start, but must measure the SP at reset. For
reasons described in the RFD, we choose to have the SP reset itself at
startup, giving the RoT a chance to catch it. More specifically:

- The RoT can detect an SP reset, hold it in reset, and measure it.
  After measuring it, the RoT deposits a token at a particular location in
  the SP's RAM.
- When the SP boots, it checks for this token. If the token is present,
  then it continues booting. Otherwise, it sleeps for a little while, then
  resets itself. This occurs a limited number of times; if we exceed a
  maximum retry count, then the SP continues to boot, feeling vaguely
  guilty about not having been measured.

Together, these changes mean that if we power on a system, the SP will
reset itself about about 12 times over the course of 2.5 seconds (with
200ms pauses in between) before the RoT boots up. It will then be
measured by the RoT, and continue to boot normally. If the RoT isn't
present, the SP stops resetting after about 4 seconds (20 resets).

There are a bunch of changes to make this possible!

- The `kernel` now knows about `extern-region`s and generates `BASE` /
  `END` symbols in its linker script. This lets us specify a `handoff`
  region from which it reads the tokens. Unfortunately, this address has
  to be hard-coded in the RoT, since the RoT doesn't have a way of
  determining its location from the SP.
- I refactored `lpc55-swd` to extract `reset_into_debug_halt` into a
  standalone function, because it's now used for both measurements and to
  reset the SP before depositing the token into memory. There are various
  other cleanups here; in particular, I removed the stateful `Undo`
  bitfield in favor of smaller functions which cleaning up before
  returning.

Author: mkeeter

Cargo.lock

@@ -151,6 +151,7 @@ hubtools = { git = "https://github.com/oxidecomputer/hubtools", default-features
 idol = { git = "https://github.com/oxidecomputer/idolatry.git", default-features = false }
 idol-runtime = { git = "https://github.com/oxidecomputer/idolatry.git", default-features = false }
 lpc55_sign = { git = "https://github.com/oxidecomputer/lpc55_support", default-features = false }
+measurement-token = { git = "https://github.com/oxidecomputer/lpc55_support", default-features = false }
 ordered-toml = { git = "https://github.com/oxidecomputer/ordered-toml", default-features = false }
 pmbus = { git = "https://github.com/oxidecomputer/pmbus", default-features = false }
 salty = { version = "0.3", default-features = false }

Cargo.toml

@@ -6,6 +6,7 @@ version = "0.1.0"
 
 [features]
 dump = ["kern/dump"]
+measurement-handoff = ["drv-stm32h7-startup/measurement-handoff"]
 
 [dependencies]
 cortex-m = { workspace = true }

app/grapefruit/Cargo.toml

@@ -14,7 +14,8 @@ register-map = "../../drv/spartan7-loader/grapefruit/gfruit_top.json"
 [kernel]
 name = "grapefruit"
 requires = {flash = 32768, ram = 8192}
-features = ["dump"]
+features = ["dump", "measurement-handoff"]
+extern-regions = ["dtcm"]
 
 [caboose]
 tasks = ["control_plane_agent"]

app/grapefruit/base.toml

@@ -8,6 +8,12 @@ use std::collections::{BTreeMap, BTreeSet};
 /// Application configuration passed into the kernel build.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct KernelConfig {
+    /// Features enabled in the kernel
+    pub features: Vec<String>,
+
+    /// External regions used in the kernel
+    pub extern_regions: BTreeMap<String, std::ops::Range<u32>>,
+
     /// Tasks in the app image. The order of tasks is significant.
     pub tasks: Vec<TaskConfig>,
 

build/kconfig/src/lib.rs

@@ -581,10 +581,27 @@ impl Config {
         task: &str,
         image_name: &str,
     ) -> Result<IndexMap<String, Range<u32>>> {
-        self.tasks
+        let extern_regions = &self
+            .tasks
             .get(task)
             .ok_or_else(|| anyhow!("no such task {task}"))?
-            .extern_regions
+            .extern_regions;
+        self.get_extern_regions(extern_regions, image_name)
+    }
+
+    pub fn kernel_extern_regions(
+        &self,
+        image_name: &str,
+    ) -> Result<IndexMap<String, Range<u32>>> {
+        self.get_extern_regions(&self.kernel.extern_regions, image_name)
+    }
+
+    fn get_extern_regions(
+        &self,
+        extern_regions: &Vec<String>,
+        image_name: &str,
+    ) -> Result<IndexMap<String, Range<u32>>> {
+        extern_regions
             .iter()
             .map(|r| {
                 let mut regions = self
@@ -710,6 +727,8 @@ pub struct Kernel {
     pub features: Vec<String>,
     #[serde(default)]
     pub no_default_features: bool,
+    #[serde(default)]
+    pub extern_regions: Vec<String>,
 }
 
 fn default_name() -> String {

build/xtask/src/config.rs

@@ -42,7 +42,13 @@ pub const DEFAULT_KERNEL_STACK: u32 = 1024;
 /// that generates the Humility binary necessary for Hubris's CI has run.
 /// Once that binary is in place, you should be able to bump this version
 /// without breaking CI.
-const HUBRIS_ARCHIVE_VERSION: u32 = 9;
+///
+/// # Changelog
+/// Version 10 requires Humility to be aware of the `handoff` kernel feature,
+/// which lets the RoT inform the SP when measurements have been taken.  If
+/// Humility is unaware of this feature, the SP will reset itself repeatedly,
+/// which interferes with subsequent programming of auxiliary flash.
+const HUBRIS_ARCHIVE_VERSION: u32 = 10;
 
 /// `PackageConfig` contains a bundle of data that's commonly used when
 /// building a full app image, grouped together to avoid passing a bunch
@@ -445,6 +451,18 @@ pub fn package(
                 }
             }
         }
+        // Same check for the kernel.  This may be overly conservative, because
+        // the kernel is special, but we can always make it less strict later.
+        for r in &cfg.toml.kernel.extern_regions {
+            if let Some(v) = alloc_regions.get(r) {
+                bail!(
+                    "cannot use region '{r}' as extern region in \
+                    the kernel because it's used as a normal region by \
+                    [{}]",
+                    v.join(", ")
+                );
+            }
+        }
 
         let mut extern_regions = MultiMap::new();
         for (task_name, task) in cfg.toml.tasks.iter() {
@@ -1529,11 +1547,13 @@ fn build_kernel(
     kconfig.hash(&mut image_id);
     allocs.hash(&mut image_id);
 
+    let extern_regions = cfg.toml.kernel_extern_regions(image_name)?;
     generate_kernel_linker_script(
         "memory.x",
         &allocs.kernel,
         cfg.toml.kernel.stacksize.unwrap_or(DEFAULT_KERNEL_STACK),
         &cfg.toml.all_regions("flash".to_string())?,
+        &extern_regions,
         image_name,
     )?;
 
@@ -1812,7 +1832,6 @@ fn generate_task_linker_script(
 
 fn append_image_names(
     linkscr: &mut std::fs::File,
-
     images: &IndexMap<String, Range<u32>>,
     image_name: &str,
 ) -> Result<()> {
@@ -1882,6 +1901,7 @@ fn generate_kernel_linker_script(
     map: &BTreeMap<String, Range<u32>>,
     stacksize: u32,
     images: &IndexMap<String, Range<u32>>,
+    extern_regions: &IndexMap<String, Range<u32>>,
     image_name: &str,
 ) -> Result<()> {
     // Put the linker script somewhere the linker can find it
@@ -1948,6 +1968,7 @@ fn generate_kernel_linker_script(
     .unwrap();
 
     append_image_names(&mut linkscr, images, image_name)?;
+    append_extern_regions(&mut linkscr, extern_regions)?;
     Ok(())
 }
 
@@ -2859,6 +2880,11 @@ pub fn make_kconfig(
     flat_shared.retain(|name, _v| used_shared_regions.contains(name.as_str()));
 
     Ok(build_kconfig::KernelConfig {
+        features: toml.kernel.features.clone(),
+        extern_regions: toml
+            .kernel_extern_regions(image_name)?
+            .into_iter()
+            .collect(),
         irqs,
         tasks,
         shared_regions: flat_shared,

build/xtask/src/dist.rs

@@ -14,6 +14,19 @@ read = true
 write = true
 execute = false  # let's assume XN until proven otherwise
 
+# Data tightly-coupled memory
+#
+# This region is used in production images to pass a token from the RoT to the
+# SP indicating that measurement has happened.  Using this region (and specific
+# token values) is hard-coded in the `measurement-token` crate, which is shared
+# between Hubris and Humility.
+[[dtcm]]
+address = 0x20000000
+size = 131072
+read = true
+write = true
+execute = false
+
 # Network buffers are placed in sram1, which is directly accessible by the
 # Ethernet MAC.  We limit this use of sram1 to 64 KiB, and preserve the
 # remainder to be used for disjoint purposes (e.g., as an external region).

chips/stm32h7/memory-large.toml

@@ -13,6 +13,7 @@ zerocopy = { workspace = true }
 zerocopy-derive = { workspace = true }
 bitflags = { workspace = true }
 static_assertions = { workspace = true }
+measurement-token = { workspace = true }
 
 attest-api = { path = "../../task/attest-api" }
 drv-lpc55-gpio-api = { path = "../lpc55-gpio-api" }

drv/lpc55-swd/Cargo.toml

@@ -15,21 +15,6 @@ pub trait DpAddressable {
     const ADDRESS: u32;
 }
 
-// For keeping track of unwinding debug actions
-bitflags! {
-    #[derive(PartialEq, Eq, Copy, Clone)]
-    pub struct Undo: u8 {
-        // Need self.swd_finish()
-        const SWD = 1 << 0;
-        // Need self.sp_reset_leave(true)
-        const RESET = 1 << 1;
-        // Need DEMCR = 0
-        const VC_CORERESET = 1 << 2;
-        // Need to clear debug enable.
-        const DEBUGEN = 1 << 3;
-    }
-}
-
 // RW   0x00000000    Debug Halting Control and Status Register
 // Some DHCSR bits have different read vs. write meanings
 // Specifically, the MAGIC value enables writing other control bits