lowRISC · pamaury · Feb 9, 2026 · Jun 16, 2025
@@ -214,10 +214,20 @@ rom_error_t rescue_validate_mode(uint32_t mode, rescue_state_t *state) {
 }
 
 rom_error_t rescue_send_handler(rescue_state_t *state) {
-  if (state->mode == kRescueModeNoOp) {
-    // The No-Op mode is always allowed and does nothing.
-    return kErrorOk;
+  // The following commands are always allowed and are not subject to
+  // the "command allowed" check.
+  switch (state->mode) {
+    case kRescueModeReboot:
+      // If a reboot was requested, return an error and go through the normal
+      // shutdown process.
+      return kErrorRescueReboot;
+    case kRescueModeNoOp:
+      // The No-Op mode is always allowed and does nothing.
+      return kErrorOk;
+    default:
+        /* do nothing */;
   }
+
   hardened_bool_t allow =
       owner_rescue_command_allowed(state->config, state->mode);
   if (allow != kHardenedBoolTrue) {
@@ -255,10 +265,6 @@ rom_error_t rescue_send_handler(rescue_state_t *state) {
     case kRescueModeFirmwareSlotB:
       // Nothing to do for receive modes.
       return kErrorOk;
-    case kRescueModeReboot:
-      // If a reboot was requested, return an error and go through the normal
-      // shutdown process.
-      return kErrorRescueReboot;
     default:
       // This state should be impossible.
       return kErrorRescueBadMode;

diff --git a/sw/device/silicon_creator/rom_ext/e2e/rescue/BUILD b/sw/device/silicon_creator/rom_ext/e2e/rescue/BUILD
@@ -351,6 +351,8 @@ opentitan_test(
             --exec="rescue get-device-id --reboot=false"
             # Try the `RESQ` mode and make sure we get an error message.
             --exec="console --non-interactive --send='RESQ\r' --exit-success='{exit_success}' --exit-failure='{exit_failure}'"
+            # Try the `REBO` mode and make sure we reboot without crash.
+            --exec="console --non-interactive --send='REBO\r' --exit-success='ROM:' --exit-failure='BFV:.*\r\n'"
             no-op
         """,
     ),