@qmn qmn commented Dec 5, 2025

No description provided.

nbdd0121 and others added 15 commits December 5, 2025 20:12
Previously `set_break` needed to be on `ConsoleDevice` because `UartConsole`
expects it to be there, so it can turn stdin breaks into console breaks.
This feature is now moved to `opentitantool console` (which was the only place
this feature was used), so the `set_break` doesn't need to be on `ConsoleDevice`
anymore (and also this capability is only available on `Uart` impls anyway).

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
This can allow multiple concurrent readers to all receive all data.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
Reduce nesting level by 1.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
We always use `stdout` if it's not `None`, so just use a boolean quiet flag
instead.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
Signed-off-by: Douglas Reis <doreis@lowrisc.org>
(cherry picked from commit 268c62267e28d7ee1210952f66e03522f8153513)
Signed-off-by: Douglas Reis <doreis@lowrisc.org>
(cherry picked from commit 6e1731e075f418f93b3cf9bee3cf24f042130852)
Opentitanlib was computing the SHA256 hash and storing it in a fixed-sized
bigint.  This led to various problems dealing with the endianness of the
resulting digest, including emitting the digest in "little-endian" order.
A SHA256 digest _is not_ an integer; it is a sequence of bytes.

1. Eliminate the bigint representation of the SHA256 digest.  Give the
   digest struct serialization, display and parsing traits to eliminate
   the need for dealing with conversions for those use cases.  Add
   `to_vec` and `to_vec_rev` to produce the raw bytes when needed.
2. Add a `--spx-hash-reversal-bug` switch to opentitantool spx commands
   for cases where firmware erroneously uses a reversed digest.
3. Eliminate the copious digest reversals present in hsmtool.  Add a
   `Sha256HashReversed` input format for cases where
   firmware erroneously uses a reversed digest.
4. Fix the signing rules to use the reversed format only for keys
   tied to a firmware implementation with the reversal bug.

Signed-off-by: Chris Frantz <cfrantz@google.com>
(cherry picked from commit 51e6a41)
1. Add tests that check that signatures generated with opentitantool can
   be verified by hsmtool.
2. Add tests that check that signatures generated with hsmtool can
   be verified by opentitantool.
3. Verify the correctness of the manifest digest calculated by
   opentitantool.

Signed-off-by: Chris Frantz <cfrantz@google.com>
(cherry picked from commit 12467bb)
Make the DEV key valid in TEST and RMA. Because of the limited number of
key slots in OTP, we allow the DEV key to be valid in DEV, TEST and RMA.
This will allow a single set of keys (e.g. 3xPROD + 1xDEV) to be viable
for devices provisioned to PROD and DEV mission mode states while still
allowing the use of the DEV key for TEST and RMA states.

Signed-off-by: Chris Frantz <cfrantz@google.com>
(cherry picked from commit 35ec68c)
The hmac peripheral produces the SHA256 hash in reversed byte order.
We need to byte-reverse the hash to put it into natural byte order
before passing it to the `spx_verify` function.

Signed-off-by: Chris Frantz <cfrantz@google.com>
(cherry picked from commit 4184d0f)
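The two digest commits above (the opentitanlib "a SHA256 digest is not an integer" change and the hmac byte-reversal fix) both turn on the same point, so here is one added example, written for this page and not code from the OpenTitan repository or its commit authors. It models a digest as 32 bytes with `Display`, `FromStr`, `to_vec` and `to_vec_rev`; a toy fixed-size big integer `U256` (an assumption standing in for whatever bigint type the old code used) shows how loading natural-order bytes as a number and then serialising it little-endian silently reverses the digest; and `digest_for_firmware` (a hypothetical helper name) applies the reversal only for firmware flagged as having the reversal bug, which is the role the `--spx-hash-reversal-bug` switch plays. The digest value is the published SHA-256 test vector for the input "abc", embedded as a constant so nothing is hashed and the program runs offline.

```rust
use std::fmt;
use std::str::FromStr;

/// Constructed sample: the published SHA-256 test vector for "abc".
pub const SHA256_ABC: &str =
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";

/// A SHA-256 digest is a sequence of 32 bytes, not an integer.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Sha256Digest(pub [u8; 32]);

impl Sha256Digest {
    /// Raw bytes in natural order (the order the hash function emits them).
    pub fn to_vec(&self) -> Vec<u8> {
        self.0.to_vec()
    }
    /// Byte-reversed copy, for firmware that consumes a reversed digest.
    pub fn to_vec_rev(&self) -> Vec<u8> {
        let mut v = self.0.to_vec();
        v.reverse();
        v
    }
}

impl fmt::Display for Sha256Digest {
    /// Lowercase hex, first byte first: no endianness question arises.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        for b in self.0.iter() {
            write!(f, "{:02x}", b)?;
        }
        Ok(())
    }
}

impl FromStr for Sha256Digest {
    type Err = String;
    /// Parse exactly 64 hex characters; reject anything else rather than guess.
    fn from_str(s: &str) -> Result<Self, String> {
        if s.len() != 64 {
            return Err(format!("expected 64 hex chars, got {}", s.len()));
        }
        let mut out = [0u8; 32];
        for (i, pair) in s.as_bytes().chunks(2).enumerate() {
            let txt = std::str::from_utf8(pair).map_err(|e| e.to_string())?;
            out[i] = u8::from_str_radix(txt, 16).map_err(|e| e.to_string())?;
        }
        Ok(Sha256Digest(out))
    }
}

/// Toy fixed-size big integer (four little-endian u64 limbs), an assumed
/// stand-in for the bigint type the old code stored digests in.
pub struct U256(pub [u64; 4]);

impl U256 {
    /// Interpret 32 natural-order bytes as a big-endian number.
    pub fn from_be_bytes(bytes: &[u8; 32]) -> U256 {
        let mut limbs = [0u64; 4];
        for (i, chunk) in bytes.chunks(8).enumerate() {
            let mut limb = 0u64;
            for &b in chunk {
                limb = (limb << 8) | b as u64;
            }
            limbs[3 - i] = limb; // first chunk is the most significant limb
        }
        U256(limbs)
    }
    /// Little-endian serialisation: least significant byte first.
    pub fn to_le_bytes(&self) -> [u8; 32] {
        let mut out = [0u8; 32];
        for (i, limb) in self.0.iter().enumerate() {
            out[i * 8..i * 8 + 8].copy_from_slice(&limb.to_le_bytes());
        }
        out
    }
    /// Big-endian serialisation: most significant byte first.
    pub fn to_be_bytes(&self) -> [u8; 32] {
        let mut out = [0u8; 32];
        for (i, limb) in self.0.iter().rev().enumerate() {
            out[i * 8..i * 8 + 8].copy_from_slice(&limb.to_be_bytes());
        }
        out
    }
}

/// The pitfall: load the digest as a number, then serialise it little-endian.
/// The result is the digest with every byte in reversed position.
pub fn digest_via_le_integer(d: &Sha256Digest) -> Vec<u8> {
    U256::from_be_bytes(&d.0).to_le_bytes().to_vec()
}

/// Hypothetical helper: natural order by default, reversed only for firmware
/// known to carry the hash-reversal bug.
pub fn digest_for_firmware(d: &Sha256Digest, hash_reversal_bug: bool) -> Vec<u8> {
    if hash_reversal_bug { d.to_vec_rev() } else { d.to_vec() }
}

fn main() {
    let d: Sha256Digest = SHA256_ABC.parse().expect("valid test vector");
    let via_int = digest_via_le_integer(&d);
    let mut arr = [0u8; 32];
    arr.copy_from_slice(&via_int);
    println!("natural order:  {}", d);
    println!("via LE integer: {}", Sha256Digest(arr));
    println!("reversed?       {}", via_int == d.to_vec_rev());
}
```

The point of keeping the digest as bytes is that only one explicit, named operation (`to_vec_rev`) ever changes byte order, so a reversal can be tied to the specific firmware that needs it instead of leaking out of an integer conversion.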
Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
…reading

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
@github-actions

github-actions bot commented Dec 5, 2025

Welcome! Before accepting your contribution, the expo project requires you to sign the Contributor License Agreement. To indicate your agreement, please post a comment on this Pull Request with the message below.

If you are contributing on behalf of a company, please inform your supervisor to contact zeroRISC to sign a Corporate CLA instead.


I certify that I have read and agree that my contributions will be bound by the expo CLA.


0 out of 12 committers have signed the CLA.
@nbdd0121
@engdoreis
@cfrantz
@glaserf
@rswarbrick
@timothytrippel
@etterli
@moidx
@jwnrt
@sameo
@pamaury
@vogelpi
You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

This allows a user to bypass `UartConsole` and call it directly on any console.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
This temporarily removes the nonblocking mechanism, which allows significant
code cleanup. The mechanism is going to be added later in a different form.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
With the `AsyncData` removed, we can now convert ot_transport_proxy to
receive using a tokio task.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
…erver

The previous code is a direct translation from mio to tokio. This is now
refactored to proper async.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
With the previous commit, we have disentangled `Connection` from the actual socket
handling. This allows us to keep `Connection` on the main thread, so
we can store structures in it that are not `Send`.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
This uses the broadcaster to implement the same feature previously implemented
using the `nonblocking_uart` registry mechanism.

A "WeakBroadcaster" is added as the proxy's copy of `Broadcaster` is never read from.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
This is used for proxy transport as `wait_for_line` does 1-byte
reads and this can be detrimental for a longer-latency transport like
proxy.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
This eliminates the special `dispatch` mechanism for FPGA programming.

Signed-off-by: Gary Guo <gary.guo@lowrisc.org>
timothytrippel and others added 29 commits December 5, 2025 20:36
Previously the package ID was defined in the HJSON SKU configuration
file. This updates the orchestrator.py script to enable overriding this
field via a command line arg.

Signed-off-by: Tim Trippel <ttrippel@google.com>
(cherry picked from commit c564ac4)
The "enable-alerts" and "use-ext-clk" flags of the orchestrator.py
script are already tested in a separate test.

Signed-off-by: Tim Trippel <ttrippel@google.com>
(cherry picked from commit eaf6c7e)
This test was temporarily disabled to deal with CI issues that have now
been resolved.

Signed-off-by: Tim Trippel <ttrippel@google.com>
(cherry picked from commit 922fc1b)
Signed-off-by: Tim Trippel <ttrippel@google.com>
(cherry picked from commit ae75936)
The ROM e2e plan captures the expected behavior of the clock jitter
enable flow:

> `CREATOR_SW_CFG_JITTER_EN`: `kMultiBitBool4False` disables, all other values
>  enables. `CREATOR_SW_CFG_AST_INIT_EN` must also be `kMultiBitBool4True` to enable.

This change refactors the code in `rom_start.S` and `test_rom_start.S`
to explicitly reduce any value different from MubiFalse to MubiTrue.
The implementation relies on the register being reset to MubiFalse by
default.

Signed-off-by: Miguel Osorio <miguelosorio@google.com>
(cherry picked from commit 288b998)
This adds weak hook functions to OTP sub operations to enable tests, and
provisioning firmware, to insert debug functionality before and after
functions.

Signed-off-by: Tim Trippel <ttrippel@google.com>
(cherry picked from commit 58b9e53)
This will optimize test time and code size.

Signed-off-by: Tim Trippel <ttrippel@google.com>
(cherry picked from commit 57f56b0)
This updates the FT individualization firmware to use GPIO toggles
during OTP operations to aid in debugging during silicon bringup.

Signed-off-by: Tim Trippel <ttrippel@google.com>
(cherry picked from commit dc33214)
This is a TL-specific item, which means it only really applies to
comportable IP, and belongs in the CIP layer, rather than the DV base
layer.

Signed-off-by: Rupert Swarbrick <rswarbrick@lowrisc.org>
This is specific to alert handling, so belongs in the CIP layer,
rather than the DV base layer.

Signed-off-by: Rupert Swarbrick <rswarbrick@lowrisc.org>
This (somewhat dubious) functionality is only used in the CIP layer,
so probably belongs there.

Signed-off-by: Rupert Swarbrick <rswarbrick@lowrisc.org>
This is a chip-level item, so doesn't really belong in
dv_base_env_cfg.

Signed-off-by: Rupert Swarbrick <rswarbrick@lowrisc.org>
The function that was called create_ral_models can be dramatically
simplified by defining a create_ral_model function to do the body and
looping with that. Unfortunately, the name is a bit close to
create_ral_by_name, so I've renamed the two local functions to
make_ral_model(s).

Also note that some of the documented items currently only apply to
CIP-related objects. For example, en_scb_mem_chk is only used for TL
transactions. But the general config option might make sense more
generally, so it probably still belongs in this config object.

Signed-off-by: Rupert Swarbrick <rswarbrick@lowrisc.org>
The RX clearing mechanism is implemented (in a slightly different
improved way) in `target_reset` so it's okay to defer that to
`reset_target(true)`.

Signed-off-by: James Wainwright <james.wainwright@lowrisc.org>
(cherry picked from commit 839803e6a05f986c3d77f32b3056f1c3ba9beb78)
This allows us to have one function using a default configured reset and
another one that allows specifying the reset.

Signed-off-by: James Wainwright <james.wainwright@lowrisc.org>
(cherry picked from commit 4fcf7454b2f95c488b9c47f2387ea15b535e929c)
Signed-off-by: James Wainwright <james.wainwright@lowrisc.org>
(cherry picked from commit f8ba7c7b4fd82a3a10c01fabe8d1ef374d0a54c7)
Reset delays are now configured once in configuration files and cannot
be changed per-test on the command line.

This commit switches all uses of the `reset_target` function to use
either `reset` or `reset_with_delay` where appropriate. All delays
should be exactly the same after this commit.

Signed-off-by: James Wainwright <james.wainwright@lowrisc.org>
(cherry picked from commit 472c31f491d24a0492f97cd877310176aa7e18af)
… folders

Not all tops require or provide an additional attestation key seed; make
the function a top-specific implementation.

This removes the flash controller dependency from the OTBN boot services
library.

Partly fixes #28438

Signed-off-by: Samuel Ortiz <sameo@rivosinc.com>
The documentation was probably a copy-paste: the digest is not
actually an OTP address but a CSR. Rename the field to make it
clearer.

Signed-off-by: Amaury Pouly <amaury.pouly@lowrisc.org>
Signed-off-by: Amaury Pouly <amaury.pouly@lowrisc.org>
This removes a duplicate function prototype for the
`otbn_boot_attestation_keygen()` that is unneeded.

Signed-off-by: Tim Trippel <ttrippel@google.com>
(cherry picked from commit 69e7d4a)
This change solves an issue that caused larger programs to return the
following linker error:

```
relocation truncated to fit: R_RISCV_GPREL_I against symbol `_stack_end' defined in .sram_start
```

Using the `norelax` option avoids the use of compressed instructions
which was causing the `_stack_end` address calculation error.

Patch submitted by cfrantz@google.com.

Signed-off-by: Miguel Osorio <miguelosorio@google.com>
(cherry picked from commit 5b072fc)
Signed-off-by: Tim Trippel <ttrippel@google.com>
(cherry picked from commit 05e45b2)
Signed-off-by: Amaury Pouly <amaury.pouly@lowrisc.org>
Ownership flash lockdown was protecting and locking all regions in the
same slot that booted the owner code.  However, the ROM_EXT and owner
code don't have to boot from the same side of the flash.

1. Disallow ownership configurations that have flash regions that
   overlap with the ROM_EXT region.  It is an error to upload such a
   configuration, but if one already exists in the chip, the
   owner-specified ROM_EXT regions are ignored in favor of the
   self-protection.
2. Always protect the ROM_EXT by using flash regions 0 and 1.
3. Update ownership tests.
4. Update SiVAL tests that used flash MP regions 0 & 1, as the ROM_EXT
   now uses them.

Fixes #25435.

Signed-off-by: Chris Frantz <cfrantz@google.com>
(cherry picked from commit d28f9e4)
Signed-off-by: Amaury Pouly <amaury.pouly@lowrisc.org>
Previously, both EDN instances were instantiated with 8 endpoints and
7 of the endpoints for EDN1 were tied off. This allowed reducing the
number of DV configs but led to an area increase as the tied off
endpoint ports could not be optimized away entirely due to prim_buf
cells and the like.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>
Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>
This interface adds considerable design and verification complexity
without substantial gain: The two crypto primitives serialized by this
interface (unmasked AES core inside CSRNG, unmasked SHA3 inside
ENTROPY_SRC) amount to less than 40 kGE together. Much more logic than
this got removed through the CSRNG restructuring effort.

At the same time, the interface is the main source of back pressure
inside the ENTROPY_SRC thereby introducing the need for additional logic
to absorb this back pressure. For this reason, the interface was anyway
disabled for Darjeeling which uses a high-rate noise source.

This commit removes the interface completely from the top levels and the
two involved hardware block IPs CSRNG and ENTROPY_SRC in order to reduce
complexity.

This resolves lowRISC/opentitan#28819.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>
This is a follow-up of 357d41aec26dbea832e7dafd29d56365be0d8015.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>
@qmn qmn force-pushed the auto/qmn/2025-12-05-upstream-sync branch from c130880 to ae198c4 Compare December 5, 2025 20:36