Add support flash for write protection and readout protection for STM32F4 #52980
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
duda-patryk
requested review from
MaureenHelm,
carlescufi,
de-nordic,
erwango,
galak and
nashif
as code owners
zephyrbot
added
platform: STM32
duda-patryk
force-pushed
the
pdk_stm32_flash_wp_rdp
branch
from
174df94 to
99a1a12
Compare
erwango
requested changes
Dec 13, 2022
Member
erwango
left a comment
erwango
left a comment
There was a problem hiding this comment.
Some preliminary requests about API introduction.
duda-patryk
force-pushed
the
pdk_stm32_flash_wp_rdp
branch
from
99a1a12 to
904cf55
Compare
Contributor
Author
|
Make |
duda-patryk
force-pushed
the
pdk_stm32_flash_wp_rdp
branch
from
904cf55 to
b90150e
Compare
Member
|
Since this PR introduces changes to Flash API (which I guess is a stable API), you need first to get the API change approved. This would be faster to do so by splitting API changes in a dedicated PR. |
Contributor
Author
|
PR for flash API changes #53441 |
duda-patryk
force-pushed
the
pdk_stm32_flash_wp_rdp
branch
from
b90150e to
dc2a265
Compare
duda-patryk
force-pushed
the
pdk_stm32_flash_wp_rdp
branch
from
dc2a265 to
145d3e1
Compare
Contributor
Author
|
Modified implementation of WP and RDP to work with "extended operations" API (PR #53441). |
duda-patryk
force-pushed
the
pdk_stm32_flash_wp_rdp
branch
from
145d3e1 to
26a711b
Compare
duda-patryk
force-pushed
the
pdk_stm32_flash_wp_rdp
branch
from
26a711b to
3bf0dfb
Compare
de-nordic
reviewed
Mar 21, 2023
Contributor
de-nordic
left a comment
de-nordic
left a comment
There was a problem hiding this comment.
Looks pretty.
Some minor comments SMT32 maintainer may disagree with.
Contributor
There was a problem hiding this comment.
Just a note, no change required: the header may provide flash_stm32_ex_op_sector_wp_get() flash_stm32_ex_op_sector_wp_set() inline functions in this header that will be passing reduced set of parameters to flash_ex_op, users may appreciate.
This would probably work for all the others FLASH_STM32_EX commands provided.
duda-patryk
force-pushed
the
pdk_stm32_flash_wp_rdp
branch
3 times, most recently
from
bc5d7fa to
9bb767b
Compare
de-nordic
reviewed
Mar 23, 2023
duda-patryk
force-pushed
the
pdk_stm32_flash_wp_rdp
branch
from
9bb767b to
58ebef1
Compare
Contributor
Author
|
Changed |
Contributor
Author
|
|
Contributor
Try rebasing, maybe main has been fixed. |
Contributor
Author
|
Created #56181 for |
This patch adds sector write protection support for STM32F4 devices family. These devices can protect flash content with sector precision. Write protection functionality was exposed as vendor extended operation. To change write protection state, caller should provide mask of enabled and disabled sectors. Function responsible for locking/unlocking option bytes was implemented for all STM32 devices supported by this driver. Signed-off-by: Patryk Duda <[email protected]>
This patch adds flash readout protection support for STM32F4 devices family. These devices can enable protection on entire flash content. Readout protection functionality was exposed as vendor extended operation. To change readout protection state, caller should provide a structure which describes desired RDP state. Enabling readout protection permanently or disabling readout protection (changing from level 1 to level 0) is guarded by CONFIG_FLASH_STM32_READOUT_PROTECTION_PERMANENT_ALLOW and CONFIG_FLASH_STM32_READOUT_PROTECTION_DISABLE_ALLOW respectively. Signed-off-by: Patryk Duda <[email protected]>
This patch makes possible to choose custom byte which should be used to enable non-permanent readout protection (RDP1). Actually, any byte except 0xAA and 0xCC (which are used by RDP0 and RDP2 respectively) can be used to enable RDP1 but in multi-image environment, some other image could check if RDP1 is enabled by comparing it to some hardcoded value. If property is not defined, 0x55 will be used to enable RDP1. The default value comes from STM32 HAL. Signed-off-by: Patryk Duda <[email protected]>
Introduce flash extended operations that can be used to disable access to option and control registers until reset. Disabling access to these registers improves system security, because flash content (or protection settings) can't be changed even when exploit was found. On STM32 devices, registers can be locked until reset by writing wrong key during unlock procedure. It triggers a bus fault, so during the procedure we need to ignore faults and clear bus fault pending bit. Please note that option register disabling was implemented for devices that have OPTCR register (F2, F4, F7 and H7). Implementation on other devices requires more testing, since documentation is not precise enough. Disabling control register was implemented for devices that have CR register. Signed-off-by: Patryk Duda <[email protected]>
After 'flash_ex_op' syscall was added we are able to expose vendor specific features to the user. This patch moves existing tests to 'tests/drivers/common'. New tests for vendor specific operations should go to vendor directory under 'tests/drivers/flash'. Signed-off-by: Patryk Duda <[email protected]>
Introduced tests covers following features: - Write protection - enabling, disabling, confirming that it works. - Readout protection - checking current status. These features are implemented on STM32F4 boards, so we only allow these boards. Signed-off-by: Patryk Duda <[email protected]>
duda-patryk
force-pushed
the
pdk_stm32_flash_wp_rdp
branch
from
58ebef1 to
42cdf72
Compare
Contributor
Author
|
Patches were rebased and the tests are passing now. @de-nordic, @erwango could you approve it once again? |
erwango
approved these changes
Mar 28, 2023
de-nordic
approved these changes
Mar 28, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces support for STM32F4 flash write protection (persistent across reboots) and readout protection (temporary or permanent).
The flash API was extended by functions responsible for checking and changing WP and RDP state. Enabling RDP permanently is guarded by FLASH_ALLOW_PERMANENT_READOUT_PROTECTION option. Disabling RDP (which triggers mass erase) is guarded by FLASH_ALLOW_DISABLING_READOUT_PROTECTION.
I guess that the most controversial part is API change, so any remarks are welcome!
Best regards,
Patryk