Software APIs
rom_ext_boot_policy.c
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #include "sw/device/silicon_creator/rom_ext/rom_ext_boot_policy.h"
6 
7 #include "sw/device/silicon_creator/lib/boot_data.h"
8 #include "sw/device/silicon_creator/lib/error.h"
9 #include "sw/device/silicon_creator/lib/manifest.h"
10 #include "sw/device/silicon_creator/rom_ext/rom_ext_boot_policy_ptrs.h"
11 
12 rom_ext_boot_policy_manifests_t rom_ext_boot_policy_manifests_get(
13  const boot_data_t *boot_data) {
14  const manifest_t *slot_a = rom_ext_boot_policy_manifest_a_get();
15  const manifest_t *slot_b = rom_ext_boot_policy_manifest_b_get();
16  uint32_t slot = boot_data->primary_bl0_slot;
17  switch (launder32(slot)) {
18  case kBootSlotB:
19  HARDENED_CHECK_EQ(slot, kBootSlotB);
20  return (rom_ext_boot_policy_manifests_t){
21  .ordered = {slot_b, slot_a},
22  };
23  case kBootSlotA:
24  OT_FALLTHROUGH_INTENDED;
25  default:
26  return (rom_ext_boot_policy_manifests_t){
27  .ordered = {slot_a, slot_b},
28  };
29  }
30 }
31 
32 // TODO(#21204): Refactor to use `manifest_check` from `lib/manifest.h`.
33 OT_WARN_UNUSED_RESULT
34 static inline rom_error_t manifest_check_rom_ext(const manifest_t *manifest) {
35  // Major version must be `kManifestVersionMajor2`.
36  if (manifest->manifest_version.major != kManifestVersionMajor2) {
37  return kErrorManifestBadVersionMajor;
38  }
39 
40  // Signed region must be inside the image.
41  if (manifest->signed_region_end > manifest->length) {
42  return kErrorManifestBadSignedRegion;
43  }
44 
45  // Executable region must be non-empty, inside the signed region, located
46  // after the manifest, and word aligned.
47  if (manifest->code_start >= manifest->code_end ||
48  manifest->code_start < sizeof(manifest_t) ||
49  manifest->code_end > manifest->signed_region_end ||
50  (manifest->code_start & 0x3) != 0 || (manifest->code_end & 0x3) != 0) {
51  return kErrorManifestBadCodeRegion;
52  }
53 
54  // Entry point must be inside the executable region and word aligned.
55  if (manifest->entry_point < manifest->code_start ||
56  manifest->entry_point >= manifest->code_end ||
57  (manifest->entry_point & 0x3) != 0) {
58  return kErrorManifestBadEntryPoint;
59  }
60 
61  return kErrorOk;
62 }
63 
64 rom_error_t rom_ext_boot_policy_manifest_check(const manifest_t *manifest,
65  const boot_data_t *boot_data) {
66  if (manifest->identifier != CHIP_BL0_IDENTIFIER) {
67  return kErrorBootPolicyBadIdentifier;
68  }
69  if (manifest->length < CHIP_BL0_SIZE_MIN ||
70  manifest->length > CHIP_BL0_SIZE_MAX) {
71  return kErrorBootPolicyBadLength;
72  }
73  if (manifest->security_version < boot_data->min_security_version_bl0) {
74  return kErrorBootPolicyRollback;
75  }
76  HARDENED_CHECK_GE(manifest->security_version,
77  boot_data->min_security_version_bl0);
78 
79  RETURN_IF_ERROR(manifest_check_rom_ext(manifest));
80  return kErrorOk;
81 }
82 
83 extern const manifest_t *rom_ext_boot_policy_manifest_a_get(void);
84 extern const manifest_t *rom_ext_boot_policy_manifest_b_get(void);
Return to OpenTitan Documentation