Implement transient override for RoT Hubris boot selection.

lzrd · lzrd · commit 537adb7d8cf4 · 2025-04-28T10:40:41.000-07:00
See bootleby:src/lib.rs for the receiving end of the override selection.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -82,6 +82,7 @@ getrandom = { version = "0.2", default-features = false }
 goblin = { version = "0.4.3", default-features = true } # goblin::Object doesn't work without everything enabled
 heapless = { version = "0.7.17", default-features = false }
 heck = { version = "0.5.0", default-features = false }
+hex-literal = { version = "0.4.1" }
 hkdf = { version = "0.12", default-features = false }
 hmac = { version = "0.12.1", default-features = false }
 hubpack = { version = "0.1.2", default-features = false }
diff --git a/app/rot-carrier/app.toml b/app/rot-carrier/app.toml
@@ -49,7 +49,7 @@ priority = 3
 # TODO size this appropriately
 stacksize = 8192
 start = true
-sections = {bootstate = "usbsram"}
+sections = {bootstate = "usbsram", transient_override = "override"}
 uses = ["flash_controller", "hash_crypt"]
 notifications = ["flash-irq", "hashcrypt-irq"]
 interrupts = {"flash_controller.irq" = "flash-irq", "hash_crypt.irq" = "hashcrypt-irq"}
diff --git a/chips/lpc55/memory.toml b/chips/lpc55/memory.toml
@@ -93,6 +93,22 @@ write = true
 execute = false
 dma = true
 
+[[override]]
+name = "a"
+address = 0x3003ffe0
+size = 32
+read = true
+write = true
+execute = false
+
+[[override]]
+name = "b"
+address = 0x3003ffe0
+size = 32
+read = true
+write = true
+execute = false
+
 # Info about the images loaded into flash and dumped by stage0 into USB SRAM
 # for hubris use.
 [[usbsram]]
diff --git a/drv/lpc55-update-server/Cargo.toml b/drv/lpc55-update-server/Cargo.toml
@@ -21,6 +21,7 @@ mutable-statics = { path = "../../lib/mutable-statics" }
 
 cfg-if.workspace = true
 hubpack.workspace = true
+hex-literal.workspace = true
 idol-runtime.workspace = true
 lpc55-pac.workspace = true
 num-traits.workspace = true
diff --git a/drv/lpc55-update-server/src/main.rs b/drv/lpc55-update-server/src/main.rs
@@ -18,6 +18,7 @@ use drv_lpc55_update_api::{
     SlotId, SwitchDuration, UpdateTarget, VersionedRotBootInfo,
 };
 use drv_update_api::UpdateError;
+use hex_literal::hex;
 use idol_runtime::{
     ClientError, Leased, LenLimit, NotificationHandler, RequestError, R, W,
 };
@@ -40,6 +41,10 @@ const PAGE_SIZE: u32 = BYTES_PER_FLASH_PAGE as u32;
 #[link_section = ".bootstate"]
 static BOOTSTATE: MaybeUninit<[u8; 0x1000]> = MaybeUninit::uninit();
 
+#[used]
+#[link_section = ".transient_override"]
+static mut TRANSIENT_OVERRIDE: MaybeUninit<[u8; 32]> = MaybeUninit::uninit();
+
 #[derive(Copy, Clone, PartialEq)]
 enum UpdateState {
     NoUpdate,
@@ -503,6 +508,12 @@ impl idl::InOrderUpdateImpl for ServerImpl<'_> {
         ringbuf_entry!(Trace::State(self.state));
         self.next_block = None;
         self.fw_cache.fill(0);
+        // The sequence: [update, set transient preference, update] is legal.
+        // Clear any stale transient preference before update.
+        // Stage0 doesn't support transient override.
+        if component == RotComponent::Hubris {
+            set_hubris_transient_override(None);
+        }
         Ok(())
     }
 
@@ -907,8 +918,11 @@ impl ServerImpl<'_> {
     ) -> Result<(), RequestError<UpdateError>> {
         match duration {
             SwitchDuration::Once => {
-                // TODO deposit command token into buffer
-                return Err(UpdateError::NotImplemented.into());
+                // TODO check Rollback policy vs epoch before activating.
+                // TODO: prep-image-update should clear transient selection.
+                //   e.g. update, activate, update, reboot should not have
+                //   transient boot set.
+                set_hubris_transient_override(Some(slot));
             }
             SwitchDuration::Forever => {
                 // Locate and return the authoritative CFPA flash word number
@@ -1337,6 +1351,35 @@ fn bootstate() -> Result<RotBootStateV2, HandoffDataLoadError> {
     RotBootStateV2::load_from_addr(addr)
 }
 
+fn set_transient_override(preference: [u8; 32]) {
+    // Safety: Data is consumed by Bootleby on next boot.
+    // There are no concurrent writers possible.
+    // Calling this function multiple times is ok.
+    // Bootleby is careful to vet contents before acting.
+    unsafe {
+        TRANSIENT_OVERRIDE.write(preference);
+    }
+}
+
+pub fn set_hubris_transient_override(bank: Option<SlotId>) {
+    // Preference constants are taken from bootleby:src/lib.rs
+    const PREFER_SLOT_A: [u8; 32] = hex!(
+        "edb23f2e9b399c3d57695262f29615910ed10c8d9b261bfc2076b8c16c84f66d"
+    );
+    const PREFER_SLOT_B: [u8; 32] = hex!(
+        "70ed2914e6fdeeebbb02763b96da9faa0160b7fc887425f4d45547071d0ce4ba"
+    );
+    // Bootleby writes all zeros after reading. We write all ones to reset.
+    const PREFER_NOTHING: [u8; 32] = [0xffu8; 32];
+
+    match bank {
+        // Do we need a  value that says we were here and cleared?
+        None => set_transient_override(PREFER_NOTHING),
+        Some(SlotId::A) => set_transient_override(PREFER_SLOT_A),
+        Some(SlotId::B) => set_transient_override(PREFER_SLOT_B),
+    }
+}
+
 fn round_up_to_flash_page(offset: u32) -> Option<u32> {
     offset.checked_next_multiple_of(BYTES_PER_FLASH_PAGE as u32)
 }
