Measure the SP on SP_RESET signal interrupt

[lzrd]

This is a work in progress. Measurement currently takes 12.8s about 0.482 and we'd like to improve that or accommodate that delay before merging.
That's in addition to any feedback that people may have.

On SP_RESET asserted, the RoT will measure the entire active SP Hubris bank (Hubris plus 0xff padding from 0x800_0000 to 0x80f_ffff).
The measurement reliably takes about 0.482 seconds since neither the SP nor the RoT are doing anything else during this time. This low measurement time and the existing timeouts and retries used by the control plane mitigate concerns that were present when the measurement time was measured in multiple seconds.

This time could be further reduced. It is currently taking 0.245 seconds to inject the measurement program into the SP. Each u32 is being sent and read back separately and retried if there is any error (no errors have been seen as of yet).

If all is well with the SP, the measurement will match the Sha3_256 value represented in the SP Hubris archive in the file named "img/final.fwid".

Testing SP measurement

Checkout hubris branch attest-sp

APP=$PWD/app/oxide-rot-1/app-dev.toml
ARCHIVE=$(cargo -q xtask print --archive --image-name a $APP)
cargo xtask flash $APP

Measure on SP Reset:

Hit the reset button on the SP or use the SpCtrl.db_reset_sp function:

humility --archive=$ARCHIVE hiffy -c SpCtrl.db_reset_sp -a delay_ms=10
sleep 13

See traces

The ringbuf trace in swd and attest tasks have the interesting information including the time expended:

humility --archive=$ARCHIVE ringbuf

Dump the attestation log:

humility --archive=$ARCHIVE hiffy -c Attest.log -a offset=0 -n 256 -o out
hexdump -C out

The hexdump is not hard to read directly. The first four bytes are a LE u32 giving
the number of valid entries. Each entry is a 1-byte discriminator that is 0_u8 for Sha3_256 followed by the 32-byte measurement (FWID). There is space for 16 measurements.

Notes

• The RoT only attempts a measurement if it detects an SP reset.
• Existing measurements are cleared if an STLINK power-on is detected or if an STLINK is on during a measurement attempt. It is observed that powered-off STLINKs have no effect.
• No SP reset can be captured until the swd task has initialized. If needed, the control plane can request the SP to reset itself which will result in the RoT measuring the SP.
• The attest task needs has a reset_log_and_record function usable only by the swd task (and hiffy for debug builds).

[github-actions]

license-eye has totally checked 554 files.

Valid	Invalid	Ignored	Fixed
552	2	0	0

Click to see the invalid file list

• lib/endoscope/src/main.rs
• lib/endoscope/src/shared.rs

[labbott]

This looks really nice. Thanks for putting in the work to finally make the RoT a reality!

Either before we merge or right afterwards I think we should makes sure this gets run through a sample manufacturing flow to make sure we don't have any surprises there.

[labbott]

What do we observe if endoscope either loops forever or hits a fault?

[labbott]

I think I confused myself because halt_wait means wait for the system to halt, not attempt to halt and then wait. Can you either add a comment to this effect or change the name?

[lzrd]

wait_for_sp_halt would be better.

[mkeeter]

Vibes: should we make the enum Reg include all of these values? Then, we could make this function take a register: Reg instead of having to check here.

[labbott]

I like this idea. I found it difficult to reason about the switch statement.

[mkeeter]

Nit: should we do this check before starting a read transaction, to avoid leaving the SP in a weird state?

[mkeeter]

I'm confused by squelch_notify here; wouldn't the IRQ have already fired in sp_reset_enter?

[lzrd]

We're re-asserting SP_RESET and don't want to be notified about the reset that we caused. This removes the interrupt that we would have gotten on return from the handler.

[mkeeter]

Doesn't the kernel queue the notification as soon as the pin changes state? I would expect that we need a call to sys_irq_control_clear_pending here as well.

[mkeeter]

These lines make me nervous: do_setup_swd itself sets self.init = true on success, but here we unconditionally set it. I feel like init: bool is too ambiguous; we're using it both for "are pins configured" and "are we controlling the SP over SWD". Should it instead be an enum type?

[mkeeter]

Nit: you can capture need_undo automatically and don't need to pass it as an argument (so *undo in the function body would just become need_undo)

[mkeeter]

Nit: you can remove duplicate code by capturing the result, then setting undo, then checking it.

Suggested change

	if self
	.dp_write_bitflags::<Demcr>(Demcr::VC_CORERESET)
	.is_err()
	{
	ringbuf_entry!(Trace::DemcrWriteError);
	*undo |= Undo::VC_CORERESET;
	return Err(());
	}
	*undo |= Undo::VC_CORERESET;
	let r = self.dp_write_bitflags::<Demcr>(Demcr::VC_CORERESET);
	*undo |= Undo::VC_CORERESET;
	if r.is_err() {
	ringbuf_entry!(Trace::DemcrWriteError);
	return Err(());
	}

[mkeeter]

resume() is a confusing name for the function which sets debug enable

[mkeeter]

Suggested change

	let digest = if prep(&mut need_undo).is_ok() {
	self.do_measure_sp()
	} else {
	Err(())
	};
	let digest = prep().and_then(|()| self.do_measure_sp());

(this assumes you take my suggestion above of capturing need_undo instead of passing it in)

[mkeeter]

Is it time to remove this?

[mkeeter]

It would also be nice to leave a comment here explaining that the caller is responsible for clearing the pending IRQ, so we don't measure it again.

[mkeeter]

Why did this change? I found the previous version to be more clear:

let sp_reset_vector =
    u32::from_le_bytes(ENDOSCOPE_BYTES[4..=7].try_into().unwrap_lite());

versus the new code, which hides the unreachable! in the else of a conditional which is always taken