[sw,rom_ext] Add boot log events field to track boot data redundancy fix

This change adds an `events` field to the `boot_log_t` structure to track
specific events during the boot process. Specifically, it introduces a
`kBootLogEventRedundancy` flag that indicates if the boot data redundancy
was fixed by the ROM_EXT.

The `events` field is populated in `rom_ext_start` based on the
`boot_data_validity` check. A new end-to-end test is added to verify that
the redundancy fix is correctly signaled on the first boot after a
bitstream load and not on subsequent resets.

Change-Id: I2a3417d4e588f916bdb1ca4127a2bf0e4917d8a1
Signed-off-by: Yi-Hsuan Deng <yhdeng@google.com>

Author: sasdf

sw/device/silicon_creator/lib/BUILD

@@ -97,6 +97,7 @@ cc_library(
     deps = [
         ":boot_data",
         ":nonce",
+        "//sw/device/lib/base:bitfield",
         "//sw/device/lib/base:macros",
         "//sw/device/silicon_creator/lib:build_info",
         "//sw/device/silicon_creator/lib:error",

sw/device/silicon_creator/lib/boot_log.h

@@ -7,6 +7,7 @@
 
 #include <stdint.h>
 
+#include "sw/device/lib/base/bitfield.h"
 #include "sw/device/lib/base/macros.h"
 #include "sw/device/silicon_creator/lib/boot_data.h"
 #include "sw/device/silicon_creator/lib/build_info.h"
@@ -53,8 +54,10 @@ typedef struct boot_log {
   uint32_t primary_bl0_slot;
   /** Whether the RET-RAM was initialized on this boot (hardened_bool_t). */
   uint32_t retention_ram_initialized;
+  /** Signals of events during boot. */
+  uint32_t events;
   /** Pad to 128 bytes. */
-  uint32_t reserved[8];
+  uint32_t reserved[7];
 } boot_log_t;
 
 OT_ASSERT_MEMBER_OFFSET(boot_log_t, digest, 0);
@@ -72,7 +75,8 @@ OT_ASSERT_MEMBER_OFFSET(boot_log_t, rom_ext_min_sec_ver, 80);
 OT_ASSERT_MEMBER_OFFSET(boot_log_t, bl0_min_sec_ver, 84);
 OT_ASSERT_MEMBER_OFFSET(boot_log_t, primary_bl0_slot, 88);
 OT_ASSERT_MEMBER_OFFSET(boot_log_t, retention_ram_initialized, 92);
-OT_ASSERT_MEMBER_OFFSET(boot_log_t, reserved, 96);
+OT_ASSERT_MEMBER_OFFSET(boot_log_t, events, 96);
+OT_ASSERT_MEMBER_OFFSET(boot_log_t, reserved, 100);
 
 enum {
   /**
@@ -81,6 +85,14 @@ enum {
   kBootLogIdentifier = 0x474f4c42,
 };
 
+/**
+ * Boot log event (bit 0): Boot data redundancy fixed.
+ *
+ * This bit will be set to 1 if the boot data was corrupted and has been
+ * repaired by the ROM_EXT during this boot.
+ */
+#define BOOT_LOG_EVENT_REDUNDANCY 0
+
 /**
  * Updates the digest of the boot_log.
  *

sw/device/silicon_creator/rom_ext/e2e/boot_data/BUILD

@@ -0,0 +1,40 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+load(
+    "//rules/opentitan:defs.bzl",
+    "fpga_params",
+    "opentitan_test",
+)
+
+package(default_visibility = ["//visibility:public"])
+
+opentitan_test(
+    name = "redundancy_fix_test",
+    srcs = ["redundancy_fix_test.c"],
+    exec_env = {
+        "//hw/top_earlgrey:fpga_cw310_rom_ext": None,
+        "//hw/top_earlgrey:fpga_cw340_rom_ext": None,
+    },
+    fpga = fpga_params(
+        # Clear the FPGA so the boot data is empty which needs redundancy fix.
+        test_cmd = """
+            --exec="transport init"
+            --exec="fpga clear-bitstream"
+            --exec="fpga load-bitstream {bitstream}"
+            --exec="bootstrap --clear-uart=true {firmware}"
+            --exec="console --non-interactive --exit-success='{exit_success}' --exit-failure='{exit_failure}'"
+            no-op
+        """,
+    ),
+    deps = [
+        "//sw/device/lib/base:bitfield",
+        "//sw/device/lib/base:status",
+        "//sw/device/lib/runtime:log",
+        "//sw/device/lib/testing/test_framework:check",
+        "//sw/device/lib/testing/test_framework:ottf_main",
+        "//sw/device/silicon_creator/lib/drivers:retention_sram",
+        "//sw/device/silicon_creator/lib/drivers:rstmgr",
+    ],
+)

sw/device/silicon_creator/rom_ext/e2e/boot_data/redundancy_fix_test.c

@@ -0,0 +1,31 @@
+// Copyright lowRISC contributors (OpenTitan project).
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#include "sw/device/lib/base/bitfield.h"
+#include "sw/device/lib/base/status.h"
+#include "sw/device/lib/runtime/log.h"
+#include "sw/device/lib/testing/test_framework/check.h"
+#include "sw/device/lib/testing/test_framework/ottf_main.h"
+#include "sw/device/silicon_creator/lib/drivers/retention_sram.h"
+#include "sw/device/silicon_creator/lib/drivers/rstmgr.h"
+
+OTTF_DEFINE_TEST_CONFIG();
+
+bool test_main(void) {
+  retention_sram_t *retram = retention_sram_get();
+
+  bool redundancy_fixed = bitfield_bit32_read(retram->creator.boot_log.events,
+                                              BOOT_LOG_EVENT_REDUNDANCY);
+  LOG_INFO("Redundancy fix event: %d", redundancy_fixed);
+
+  if (bitfield_bit32_read(retram->creator.reset_reasons,
+                          kRstmgrReasonPowerOn)) {
+    CHECK(redundancy_fixed, "ROM_EXT should fix redundancy on first boot");
+    rstmgr_reset();
+    return false;
+  } else {
+    CHECK(!redundancy_fixed, "It should already be fixed on the second boot");
+    return true;
+  }
+}

sw/device/silicon_creator/rom_ext/rom_ext.c

@@ -548,6 +548,9 @@ static rom_error_t rom_ext_start(boot_data_t *boot_data, boot_log_t *boot_log) {
   // it here so the "SetNextBl0" can do a one-time override of the RAM copy
   // of `boot_data`.
   boot_log->primary_bl0_slot = boot_data->primary_bl0_slot;
+  boot_log->events =
+      bitfield_bit32_write(boot_log->events, BOOT_LOG_EVENT_REDUNDANCY,
+                           boot_data_validity != kErrorOk);
 
   // Protect the flash pages where the ROM_EXT is located.
   rom_ext_flash_protect_self(boot_log->rom_ext_slot);