From e7531dab7c547a70d2a2de3d44b8f77a4c5a1fbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Th=C3=B6rnblad?=
Date: Fri, 20 Dec 2024 10:38:17 +0100
Subject: [PATCH] Add complete checks for invalid memory accesses

Also fix two typos for memory ranges that fortunately have no impact on functionality.
---
 .../application_fpga.bin.sha256 | 2 +-
 hw/application_fpga/core/tk1/README.md | 5 +-
 hw/application_fpga/core/tk1/rtl/tk1.v | 63 ++++++++++++++++++-
 hw/application_fpga/firmware.bin.sha512 | 2 +-
 hw/application_fpga/fw/tk1_mem.h | 4 +-
 hw/application_fpga/rtl/application_fpga.v | 2 +-
 hw/application_fpga/tb/application_fpga_sim.v | 2 +-
 7 files changed, 71 insertions(+), 9 deletions(-)

diff --git a/hw/application_fpga/application_fpga.bin.sha256 b/hw/application_fpga/application_fpga.bin.sha256
index 08caf501..929ff4b6 100644
--- a/hw/application_fpga/application_fpga.bin.sha256
+++ b/hw/application_fpga/application_fpga.bin.sha256
@@ -1 +1 @@
-44086edb70377991b57d3f1c231f743fcf0c2c9d2303843ec133f76cc42449a8 application_fpga.bin
+d610fd2e21eabe6fd840cee9f2a9f5ec00be8b40fbdfd069232f6450cd108a96 application_fpga.bin
diff --git a/hw/application_fpga/core/tk1/README.md b/hw/application_fpga/core/tk1/README.md
index cd80f145..b53484b2 100644
--- a/hw/application_fpga/core/tk1/README.md
+++ b/hw/application_fpga/core/tk1/README.md
@@ -164,8 +164,9 @@ ADDR_CPU_MON_LAST: 0x62
 Monitors events and state changes in the SoC and handles security violations. Currently checks for:
-1. Trying to execute instructions in FW\_RAM. *Always enabled.*
-2. Trying to access RAM outside of the physical memory. *Always enabled*
+1. Trying to access memory that is outside of the defined size of the
+ defined memory areas. *Always enabled*
+2. Trying to execute instructions in FW\_RAM. *Always enabled.*
 3. Trying to execute instructions from a memory area in RAM defined by the application.
diff --git a/hw/application_fpga/core/tk1/rtl/tk1.v b/hw/application_fpga/core/tk1/rtl/tk1.v
index 7e39ce04..939897cf 100644
--- a/hw/application_fpga/core/tk1/rtl/tk1.v
+++ b/hw/application_fpga/core/tk1/rtl/tk1.v
@@ -381,7 +381,8 @@ module tk1 #(
 // Monitor events and state changes in the SoC, and handle
 // security violations. We currently check for:
 //
- // Any access to RAM but outside of the size of the physical mem.
+ // Any memory access that is outside of the defined size of the
+ // defined memory areas.
 //
 // Trying to execute instructions in FW-RAM.
 //
@@ -393,10 +394,70 @@ module tk1 #(
 force_trap_set = 1'h0;
 if (cpu_valid) begin
+ // Outside ROM area
+ if (cpu_addr[31 : 30] == 2'h0 & |cpu_addr[29 : 14]) begin
+ force_trap_set = 1'h1;
+ end
+
+ // Outside RAM area
 if (cpu_addr[31 : 30] == 2'h1 & |cpu_addr[29 : 17]) begin
 force_trap_set = 1'h1;
 end
+ // In RESERVED area
+ if (cpu_addr[31 : 30] == 2'h2) begin
+ force_trap_set = 1'h1;
+ end
+
+ // MMIO
+ if (cpu_addr[31 : 30] == 2'h3) begin
+
+ // Outside TRNG
+ if (cpu_addr[29 : 24] == 6'h00 & |cpu_addr[23 : 10]) begin
+ force_trap_set = 1'h1;
+ end
+
+ // Outside TIMER
+ if (cpu_addr[29 : 24] == 6'h01 & |cpu_addr[23 : 10]) begin
+ force_trap_set = 1'h1;
+ end
+
+ // Outside UDS
+ if (cpu_addr[29 : 24] == 6'h02 & |cpu_addr[23 : 5]) begin
+ force_trap_set = 1'h1;
+ end
+
+ // Outside UART
+ if (cpu_addr[29 : 24] == 6'h03 & |cpu_addr[23 : 10]) begin
+ force_trap_set = 1'h1;
+ end
+
+ // Outside TOUCH_SENSE
+ if (cpu_addr[29 : 24] == 6'h04 & |cpu_addr[23 : 10]) begin
+ force_trap_set = 1'h1;
+ end
+
+ // In unused space
+ if ((cpu_addr[29 : 24] > 6'h04) && (cpu_addr[29 : 24] < 6'h10)) begin
+ force_trap_set = 1'h1;
+ end
+
+ // Outside FW_RAM
+ if (cpu_addr[29 : 24] == 6'h10 & |cpu_addr[23 : 11]) begin
+ force_trap_set = 1'h1;
+ end
+
+ // In unused space
+ if ((cpu_addr[29 : 24] > 6'h10) && (cpu_addr[29 : 24] < 6'h3f)) begin
+ force_trap_set = 1'h1;
+ end
+
+ // Outside TK1
+ if (cpu_addr[29 : 24] == 6'h3f & |cpu_addr[23 : 10]) begin
+ force_trap_set = 1'h1;
+ end
+ end
+
 if (cpu_instr) begin
 if ((cpu_addr >= FW_RAM_FIRST) && (cpu_addr <= FW_RAM_LAST)) begin
 force_trap_set = 1'h1;
diff --git a/hw/application_fpga/firmware.bin.sha512 b/hw/application_fpga/firmware.bin.sha512
index c5e51a0f..22483e00 100644
--- a/hw/application_fpga/firmware.bin.sha512
+++ b/hw/application_fpga/firmware.bin.sha512
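Review bot: The window widths hard-coded in the new checks (`|cpu_addr[29 : 14]`, `|cpu_addr[29 : 17]`, `|cpu_addr[23 : 10]`, `|cpu_addr[23 : 5]`, `|cpu_addr[23 : 11]`) restate the address decode that lives in application_fpga.v (this same commit apparently narrows its `ram_address = cpu_addr[16 : 2];` to agree with the RAM check) and the UDS range in tk1_mem.h, with nothing tying the three together; the commit message itself reports two ranges that had drifted, which is exactly the mismatch a monitor like this exists to catch. Consider passing the widths in as parameters of `module tk1 #(` (its header is above the hunk) or at least stating each window in its comment, e.g. `// Outside TRNG (1 KiB window: cpu_addr[23 : 10] must be zero)`, so a core resize applied to the decoder cannot be forgotten here. Style: the two "In unused space" checks use `&&` while every other condition uses `&`, and a `case (cpu_addr[29 : 24])` with a trapping `default` would make the completeness of the MMIO decode visible without the `> 6'h04`/`< 6'h10` and `> 6'h10`/`< 6'h3f` range arithmetic; the sketch below is equivalent to the hunk's MMIO checks. The enclosing always block and the `if (cpu_instr)` checks continue past the end of the hunk.
```verilog
          // … unchanged: ROM, RAM and RESERVED checks …

          // MMIO: decode the core select in cpu_addr[29 : 24]. A select that
          // is not listed, or an offset beyond the core's window, traps.
          if (cpu_addr[31 : 30] == 2'h3) begin
            case (cpu_addr[29 : 24])
              // TRNG, TIMER, UART, TOUCH_SENSE, TK1: 1 KiB windows
              6'h00, 6'h01, 6'h03, 6'h04, 6'h3f: begin
                if (|cpu_addr[23 : 10]) force_trap_set = 1'h1;
              end
              // UDS: 32-byte window
              6'h02: begin
                if (|cpu_addr[23 : 5]) force_trap_set = 1'h1;
              end
              // FW_RAM: 2 KiB window
              6'h10: begin
                if (|cpu_addr[23 : 11]) force_trap_set = 1'h1;
              end
              // Every other select is unused space
              default: force_trap_set = 1'h1;
            endcase
          end

          // … unchanged: cpu_instr checks …
```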
@@ -1 +1 @@
-edb39fca7dafb8ea0b89fdeecd960d7656e14ce461e49af97160a8bd6e67d9987e816adad37ba0fcfa63d107c3160988e4c3423ce4a71c39544bc0045888fec1 firmware.bin
+39d5aee11b8553544ba9171f83fbe6f5b7546a15c70d03325e72a2b0ca86c8f7a2b5b6bf121d1d3ffc84a502a2a1a6f3ea140d1424cd424336e055be2f394f83 firmware.bin
diff --git a/hw/application_fpga/fw/tk1_mem.h b/hw/application_fpga/fw/tk1_mem.h
index 246097b7..89d6b7dc 100644
--- a/hw/application_fpga/fw/tk1_mem.h
+++ b/hw/application_fpga/fw/tk1_mem.h
@@ -82,8 +82,8 @@
 #define TK1_MMIO_TIMER_TIMER 0xc100002c
 #define TK1_MMIO_UDS_BASE 0xc2000000
-#define TK1_MMIO_UDS_FIRST 0xc2000040
-#define TK1_MMIO_UDS_LAST 0xc200005c
+#define TK1_MMIO_UDS_FIRST 0xc2000000
+#define TK1_MMIO_UDS_LAST 0xc200001c
 #define TK1_MMIO_UART_BASE 0xc3000000
 #define TK1_MMIO_UART_RX_STATUS 0xc3000080
diff --git a/hw/application_fpga/rtl/application_fpga.v b/hw/application_fpga/rtl/application_fpga.v
index 39650d88..12781a82 100644
--- a/hw/application_fpga/rtl/application_fpga.v
+++ b/hw/application_fpga/rtl/application_fpga.v
@@ -392,7 +392,7 @@ module application_fpga (
 ram_cs = 1'h0;
 ram_we = 4'h0;
- ram_address = cpu_addr[17 : 2];
+ ram_address = cpu_addr[16 : 2];
 ram_write_data = cpu_wdata;
 fw_ram_cs = 1'h0;
diff --git a/hw/application_fpga/tb/application_fpga_sim.v b/hw/application_fpga/tb/application_fpga_sim.v
index 00da22d0..0211ce1c 100644
--- a/hw/application_fpga/tb/application_fpga_sim.v
+++ b/hw/application_fpga/tb/application_fpga_sim.v
@@ -406,7 +406,7 @@ module application_fpga_sim (
 ram_cs = 1'h0;
 ram_we = 4'h0;
- ram_address = cpu_addr[17 : 2];
+ ram_address = cpu_addr[16 : 2];
 ram_write_data = cpu_wdata;
 fw_ram_cs = 1'h0;
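Review bot: `ram_address = cpu_addr[16 : 2];` is one bit narrower than the slice it replaces, but the declaration of `ram_address` and the address-port width of the RAM it drives are outside the hunk; if the declaration still has the old width the assignment is zero-extended silently and a linter (Verilator WIDTH, for example) will flag the hunk, so the declaration should be narrowed in the same change if it was not. The identical hunk in tb/application_fpga_sim.v has the same question. A short comment tying the slice to the monitor would help the next reader keep the two in step, e.g. `// 15 word-address bits (128 KiB RAM); bit 17 and up trap in tk1 (|cpu_addr[29 : 17])`. The enclosing always block starts and ends outside the hunk.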