enc_bootloader/hard_entry_point.S - third_party/github/raspberrypi/picotool - Git at Google

 /*
  * Copyright (c) 2020 Raspberry Pi (Trading) Ltd.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */

 #include "pico.h"
 #include "pico/asm_helper.S"
 #include "pico/platform/cpu_regs.h"
 #include "boot/bootrom_constants.h"
 #include "hardware/rcp.h"
 #include "hardware/regs/bootram.h"
 #include "hardware/regs/resets.h"
 #include "hard_entry_point.h"

 pico_default_asm_setup

 #if !PICO_NO_FLASH
 #error expected PICO_NO_FLASH
 #endif
 // ELF entry point:
 .type _entry_point,%function
 .type _reset_handler,%function
 .thumb_func
 .global _entry_point, _reset_handler
 _entry_point:
 _reset_handler:
 #if !ALLOW_DEBUGGING
     // note we assume that RCP is already initialized by bootrom
 #else
     // just enable the RCP which is fine if it already was (we assume no other co-processors are enabled at this point to save space)
     ldr r0, = PPB_BASE + M33_CPACR_OFFSET
     movs r1, #ARM_CPU_PREFIXED(CPACR_CP7_BITS)
     str r1, [r0]
     // only initialize canary seeds if they haven't been (as to do so twice is a fault)
     mrc p7, #1, apsr_nzcv, c0, c0, #0
     bmi 1f
     // i dont think it much matters what we initialized to, as to have gotten here we must have not
     // gone thru the bootrom (which a secure boot would have)
     mcrr p7, #8, r0, r0, c0
     mcrr p7, #8, r0, r0, c1
     sev
 1:
     ldr r0, =__StackTop
     msr msp, r0
     ldr r0, =__vectors
     ldr r1, =(PPB_BASE + ARM_CPU_PREFIXED(VTOR_OFFSET))
     str r0, [r1]
 #endif

     ldr r0, =PPB_BASE + M33_MPU_CTRL_OFFSET
     adr r6, mpu_regions
     // set region 7 (flash)
     ldmia r6!, {r1, r2, r3, r4}
     stmia r0!, {r1, r2, r3, r4}
     // sp should have low 3 bits == 0 (which is all the bits RNR is)
     str sp, [r0, #M33_MPU_RNR_OFFSET - (M33_MPU_CTRL_OFFSET + 16)]
 #if HARDENING
     sub lr, lr // we don't need lr and it is unlikely to be something that ww will read from memory if this is skipped
     ldr r1, [r0, #M33_MPU_RNR_OFFSET - (M33_MPU_CTRL_OFFSET + 16)]
     // RNR should read back as zero
     rcp_iequal_nodelay r1, lr
     adds r0, r1
 #endif
     subs r0, #8
 #ifdef HARDENING
     rcp_iequal_nodelay lr, r1
 #endif
     ldmia r6!, {r1, r2, r3, r4, r5, r8, r9, r10}
     stmia r0!, {r1, r2, r3, r4, r5, r8, r9, r10}
 #if HARDENING
     ldr r1, = PPB_BASE + M33_MPU_RLAR_A3_OFFSET + 4
     rcp_iequal_nodelay r0, r1
     adr r7, mpu_regions + 48
     rcp_iequal_nodelay r6, r7
     // check this again for good measure
     // todo can remove if we do some tt checks
     rcp_iequal_nodelay r1, r0
     // todo this is less useful, because if we laoded garbage into the MPU it may cause a fault anyway,
     //      however it is only one bit for enabling, so we definitely should do some tt to prove it is enabled
     rcp_iequal_nodelay r7, r6
 #endif

     // todo is this also part of ALLOW_DEBUGGING (is it done by LOAD_MAP?, or indeed by later code)
     // Zero out the BSS
     ldr r1, =__bss_start__
     ldr r2, =__bss_end__
     movs r0, #0
     b bss_fill_test
 bss_fill_loop:
     stm r1!, {r0}
 bss_fill_test:
     cmp r1, r2
     bne bss_fill_loop
 #if HARDENING
     rcp_iequal_nodelay r1, r2
 #endif
     // runtime_init is inlined here, to avoid a bunch of ROP attackable functions (note
     // runtime_run_initializers is particularly bad as it calls a list of function pointers)
     //
     // can revisit this when we have a hardened SDK option
 #if 0
     bl runtime_init
 #else
 #if !PICO_RP2350
 #error RP2350 init only supported
 #endif
     rcp_count_set_nodelay STEP_RUNTIME_CLOCKS_INIT
     // runtime_init_install_stack_guard
     ldr r1, =__StackBottom
     // todo harden
     msr msplim, r1

     // runtime_init_early_resets - note we actually reset more than the standard runtime_init
     // as we know more about our environment
     ldr r1, =RESETS_BASE + RESETS_RESET_OFFSET + REG_ALIAS_SET_BITS
 #if ALLOW_DEBUGGING
     ldr r0, =~(RESETS_RESET_SYSCFG_BITS | RESETS_RESET_PLL_SYS_BITS | RESETS_RESET_PLL_USB_BITS) // include USB PLL in case we are running from it
 #else
     ldr r0, =~(RESETS_RESET_SYSCFG_BITS | RESETS_RESET_PLL_SYS_BITS)
 #endif
     str r0, [r1]

     bl runtime_init_clocks
     rcp_count_check_nodelay STEP_RUNTIME_CLOCKS_INIT_DONE

     // note: there is no runtime_init_post_clocks_reset as there are no peripherals that need turning on
     // all we really care about is lock BOOTROM_LOCK_ENABLE for now, because we don't want bootrom locking enabled
     // and without it, the bootrom will ignore the reset
     ldr r1, =BOOTRAM_BASE + BOOTRAM_BOOTLOCK0_OFFSET + BOOTROM_LOCK_ENABLE * 4
     str r1, [r1] // any write unlocks

     // note: there is no runtime_init_bootrom_reset as we will have ome in via the bootrom
     // todo however think about somehow being watchdogged back in?

     // note there is no runtime_init_per_corebootrom_reset as it is a no-op on Arm
 #endif

     bl main
 #if ALLOW_DEBUGGING
     bkpt #0
 #endif
     rcp_panic
 #if HARDENING
     rcp_panic
 //#if DOUBLE_HARDENING
     rcp_panic
 //#endif
 #endif

 .p2align 2
 .global data_cpy_table
 data_cpy_table:
 .word 0

 #define MPU_REGION_RW_XN(n, rbar, rlar) \
    .word rbar + M33_MPU_RBAR_XN_BITS + (0 << M33_MPU_RBAR_AP_LSB), \
     (rlar) + M33_MPU_RLAR_EN_BITS + 0x10 // note 0x10 will be written but not read back

 #define MPU_REGION_RO_XN(n, rbar, rlar) \
    .word rbar + M33_MPU_RBAR_XN_BITS + (2 << M33_MPU_RBAR_AP_LSB), \
     (rlar) + M33_MPU_RLAR_EN_BITS + 0x10 // note 0x10 will be written but not read back

 #define MPU_REGION_RO(n, rbar, rlar) \
    .word rbar + (2 << M33_MPU_RBAR_AP_LSB), \
     (rlar) + M33_MPU_RLAR_EN_BITS + 0x10 // note 0x10 will be written but not read back

 .p2align 2
 mpu_regions:
     /* ctrl */ .word M33_MPU_CTRL_PRIVDEFENA_BITS | M33_MPU_CTRL_ENABLE_BITS
     /* rnr */  .word 7 // set for thie initial load
 #if MPU_REGION_FLASH != 7 || \
     MPU_REGION_RAM != 0 || \
     MPU_REGION_SCRATCH_X != 1 || \
     MPU_REGION_SCRATCH_Y_DATA != 2
     MPU_REGION_SCRATCH_Y_CODE != 3
 #error MPU regions should be in order
 #endif
     // todo what about XIP_CACHE binaries?
     MPU_REGION_RO_XN(MPU_REGION_FLASH,
                      XIP_BASE,
                      XIP_END - 0x20)
 mpu_regions_middle:
     MPU_REGION_RW_XN(MPU_REGION_RAM,
                      SRAM_BASE,
                      SRAM_SCRATCH_X_BASE - 0x20)
     MPU_REGION_RO(MPU_REGION_SCRATCH_X,
                      SRAM_SCRATCH_X_BASE,
                      SRAM_SCRATCH_Y_BASE - 0x20)
     MPU_REGION_RW_XN(MPU_REGION_SCRATCH_Y_DATA,
                      SRAM_SCRATCH_Y_BASE,
                      __text_start - 0x20)
     MPU_REGION_RO(MPU_REGION_SCRATCH_Y_CODE,
                      __text_start,
                      __data_start__ - 0x20)
 mpu_regions_end:

 .if mpu_regions_middle - mpu_regions != 16
 .err unexpected region size
 .endif
 .if mpu_regions_end - mpu_regions_middle != 32
 .err unexpected region size
 .endif
	/*
	* Copyright (c) 2020 Raspberry Pi (Trading) Ltd.
	*
	* SPDX-License-Identifier: BSD-3-Clause
	*/

	#include "pico.h"
	#include "pico/asm_helper.S"
	#include "pico/platform/cpu_regs.h"
	#include "boot/bootrom_constants.h"
	#include "hardware/rcp.h"
	#include "hardware/regs/bootram.h"
	#include "hardware/regs/resets.h"
	#include "hard_entry_point.h"

	pico_default_asm_setup

	#if !PICO_NO_FLASH
	#error expected PICO_NO_FLASH
	#endif
	// ELF entry point:
	.type _entry_point,%function
	.type _reset_handler,%function
	.thumb_func
	.global _entry_point, _reset_handler
	_entry_point:
	_reset_handler:
	#if !ALLOW_DEBUGGING
	// note we assume that RCP is already initialized by bootrom
	#else
	// just enable the RCP which is fine if it already was (we assume no other co-processors are enabled at this point to save space)
	ldr r0, = PPB_BASE + M33_CPACR_OFFSET
	movs r1, #ARM_CPU_PREFIXED(CPACR_CP7_BITS)
	str r1, [r0]
	// only initialize canary seeds if they haven't been (as to do so twice is a fault)
	mrc p7, #1, apsr_nzcv, c0, c0, #0
	bmi 1f
	// i dont think it much matters what we initialized to, as to have gotten here we must have not
	// gone thru the bootrom (which a secure boot would have)
	mcrr p7, #8, r0, r0, c0
	mcrr p7, #8, r0, r0, c1
	sev
	1:
	ldr r0, =__StackTop
	msr msp, r0
	ldr r0, =__vectors
	ldr r1, =(PPB_BASE + ARM_CPU_PREFIXED(VTOR_OFFSET))
	str r0, [r1]
	#endif

	ldr r0, =PPB_BASE + M33_MPU_CTRL_OFFSET
	adr r6, mpu_regions
	// set region 7 (flash)
	ldmia r6!, {r1, r2, r3, r4}
	stmia r0!, {r1, r2, r3, r4}
	// sp should have low 3 bits == 0 (which is all the bits RNR is)
	str sp, [r0, #M33_MPU_RNR_OFFSET - (M33_MPU_CTRL_OFFSET + 16)]
	#if HARDENING
	sub lr, lr // we don't need lr and it is unlikely to be something that ww will read from memory if this is skipped
	ldr r1, [r0, #M33_MPU_RNR_OFFSET - (M33_MPU_CTRL_OFFSET + 16)]
	// RNR should read back as zero
	rcp_iequal_nodelay r1, lr
	adds r0, r1
	#endif
	subs r0, #8
	#ifdef HARDENING
	rcp_iequal_nodelay lr, r1
	#endif
	ldmia r6!, {r1, r2, r3, r4, r5, r8, r9, r10}
	stmia r0!, {r1, r2, r3, r4, r5, r8, r9, r10}
	#if HARDENING
	ldr r1, = PPB_BASE + M33_MPU_RLAR_A3_OFFSET + 4
	rcp_iequal_nodelay r0, r1
	adr r7, mpu_regions + 48
	rcp_iequal_nodelay r6, r7
	// check this again for good measure
	// todo can remove if we do some tt checks
	rcp_iequal_nodelay r1, r0
	// todo this is less useful, because if we laoded garbage into the MPU it may cause a fault anyway,
	// however it is only one bit for enabling, so we definitely should do some tt to prove it is enabled
	rcp_iequal_nodelay r7, r6
	#endif

	// todo is this also part of ALLOW_DEBUGGING (is it done by LOAD_MAP?, or indeed by later code)
	// Zero out the BSS
	ldr r1, =__bss_start__
	ldr r2, =__bss_end__
	movs r0, #0
	b bss_fill_test
	bss_fill_loop:
	stm r1!, {r0}
	bss_fill_test:
	cmp r1, r2
	bne bss_fill_loop
	#if HARDENING
	rcp_iequal_nodelay r1, r2
	#endif
	// runtime_init is inlined here, to avoid a bunch of ROP attackable functions (note
	// runtime_run_initializers is particularly bad as it calls a list of function pointers)
	//
	// can revisit this when we have a hardened SDK option
	#if 0
	bl runtime_init
	#else
	#if !PICO_RP2350
	#error RP2350 init only supported
	#endif
	rcp_count_set_nodelay STEP_RUNTIME_CLOCKS_INIT
	// runtime_init_install_stack_guard
	ldr r1, =__StackBottom
	// todo harden
	msr msplim, r1

	// runtime_init_early_resets - note we actually reset more than the standard runtime_init
	// as we know more about our environment
	ldr r1, =RESETS_BASE + RESETS_RESET_OFFSET + REG_ALIAS_SET_BITS
	#if ALLOW_DEBUGGING
	ldr r0, =~(RESETS_RESET_SYSCFG_BITS \| RESETS_RESET_PLL_SYS_BITS \| RESETS_RESET_PLL_USB_BITS) // include USB PLL in case we are running from it
	#else
	ldr r0, =~(RESETS_RESET_SYSCFG_BITS \| RESETS_RESET_PLL_SYS_BITS)
	#endif
	str r0, [r1]

	bl runtime_init_clocks
	rcp_count_check_nodelay STEP_RUNTIME_CLOCKS_INIT_DONE

	// note: there is no runtime_init_post_clocks_reset as there are no peripherals that need turning on
	// all we really care about is lock BOOTROM_LOCK_ENABLE for now, because we don't want bootrom locking enabled
	// and without it, the bootrom will ignore the reset
	ldr r1, =BOOTRAM_BASE + BOOTRAM_BOOTLOCK0_OFFSET + BOOTROM_LOCK_ENABLE * 4
	str r1, [r1] // any write unlocks

	// note: there is no runtime_init_bootrom_reset as we will have ome in via the bootrom
	// todo however think about somehow being watchdogged back in?

	// note there is no runtime_init_per_corebootrom_reset as it is a no-op on Arm
	#endif

	bl main
	#if ALLOW_DEBUGGING
	bkpt #0
	#endif
	rcp_panic
	#if HARDENING
	rcp_panic
	//#if DOUBLE_HARDENING
	rcp_panic
	//#endif
	#endif

	.p2align 2
	.global data_cpy_table
	data_cpy_table:
	.word 0

	#define MPU_REGION_RW_XN(n, rbar, rlar) \
	.word rbar + M33_MPU_RBAR_XN_BITS + (0 << M33_MPU_RBAR_AP_LSB), \
	(rlar) + M33_MPU_RLAR_EN_BITS + 0x10 // note 0x10 will be written but not read back

	#define MPU_REGION_RO_XN(n, rbar, rlar) \
	.word rbar + M33_MPU_RBAR_XN_BITS + (2 << M33_MPU_RBAR_AP_LSB), \
	(rlar) + M33_MPU_RLAR_EN_BITS + 0x10 // note 0x10 will be written but not read back

	#define MPU_REGION_RO(n, rbar, rlar) \
	.word rbar + (2 << M33_MPU_RBAR_AP_LSB), \
	(rlar) + M33_MPU_RLAR_EN_BITS + 0x10 // note 0x10 will be written but not read back

	.p2align 2
	mpu_regions:
	/* ctrl */ .word M33_MPU_CTRL_PRIVDEFENA_BITS \| M33_MPU_CTRL_ENABLE_BITS
	/* rnr */ .word 7 // set for thie initial load
	#if MPU_REGION_FLASH != 7 \|\| \
	MPU_REGION_RAM != 0 \|\| \
	MPU_REGION_SCRATCH_X != 1 \|\| \
	MPU_REGION_SCRATCH_Y_DATA != 2
	MPU_REGION_SCRATCH_Y_CODE != 3
	#error MPU regions should be in order
	#endif
	// todo what about XIP_CACHE binaries?
	MPU_REGION_RO_XN(MPU_REGION_FLASH,
	XIP_BASE,
	XIP_END - 0x20)
	mpu_regions_middle:
	MPU_REGION_RW_XN(MPU_REGION_RAM,
	SRAM_BASE,
	SRAM_SCRATCH_X_BASE - 0x20)
	MPU_REGION_RO(MPU_REGION_SCRATCH_X,
	SRAM_SCRATCH_X_BASE,
	SRAM_SCRATCH_Y_BASE - 0x20)
	MPU_REGION_RW_XN(MPU_REGION_SCRATCH_Y_DATA,
	SRAM_SCRATCH_Y_BASE,
	__text_start - 0x20)
	MPU_REGION_RO(MPU_REGION_SCRATCH_Y_CODE,
	__text_start,
	__data_start__ - 0x20)
	mpu_regions_end:

	.if mpu_regions_middle - mpu_regions != 16
	.err unexpected region size
	.endif
	.if mpu_regions_end - mpu_regions_middle != 32
	.err unexpected region size
	.endif