Add complete checks for invalid memory accesses

Also fix two typos for memory ranges that fortunately have no impact on functionality.
tillitis · Dec 20, 2024 · a5bee4f · a5bee4f
1 parent 66888a3
commit a5bee4f
Show file tree

Hide file tree

Showing 6 changed files with 68 additions and 7 deletions.
diff --git a/hw/application_fpga/application_fpga.bin.sha256 b/hw/application_fpga/application_fpga.bin.sha256
@@ -1 +1 @@
-44086edb70377991b57d3f1c231f743fcf0c2c9d2303843ec133f76cc42449a8  application_fpga.bin
+d610fd2e21eabe6fd840cee9f2a9f5ec00be8b40fbdfd069232f6450cd108a96  application_fpga.bin
diff --git a/hw/application_fpga/core/tk1/rtl/tk1.v b/hw/application_fpga/core/tk1/rtl/tk1.v
@@ -381,7 +381,8 @@ module tk1 #(
   // Monitor events and state changes in the SoC, and handle
   // security violations. We currently check for:
   //
-  // Any access to RAM but outside of the size of the physical mem.
+  // Any memory access that is outside of the defined size of the
+  // defined memory areas.
   //
   // Trying to execute instructions in FW-RAM.
   //
@@ -393,10 +394,70 @@ module tk1 #(
     force_trap_set = 1'h0;
 
     if (cpu_valid) begin
+      // Outside ROM area
+      if (cpu_addr[31 : 30] == 2'h0 & |cpu_addr[29 : 14]) begin
+        force_trap_set = 1'h1;
+      end
+
+      // Outside RAM area
       if (cpu_addr[31 : 30] == 2'h1 & |cpu_addr[29 : 17]) begin
         force_trap_set = 1'h1;
       end
 
+      // In RESERVED area
+      if (cpu_addr[31 : 30] == 2'h2) begin
+        force_trap_set = 1'h1;
+      end
+
+      // MMIO
+      if (cpu_addr[31 : 30] == 2'h3) begin
+
+        // Outside TRNG
+        if (cpu_addr[29 : 24] == 6'h00 & |cpu_addr[23 : 10]) begin
+          force_trap_set = 1'h1;
+        end
+
+        // Outside TIMER
+        if (cpu_addr[29 : 24] == 6'h01 & |cpu_addr[23 : 10]) begin
+          force_trap_set = 1'h1;
+        end
+
+        // Outside UDS
+        if (cpu_addr[29 : 24] == 6'h02 & |cpu_addr[23 : 5]) begin
+          force_trap_set = 1'h1;
+        end
+
+        // Outside UART
+        if (cpu_addr[29 : 24] == 6'h03 & |cpu_addr[23 : 10]) begin
+          force_trap_set = 1'h1;
+        end
+
+        // Outside TOUCH_SENSE
+        if (cpu_addr[29 : 24] == 6'h04 & |cpu_addr[23 : 10]) begin
+          force_trap_set = 1'h1;
+        end
+
+        // In unused space
+        if ((cpu_addr[29 : 24] > 6'h04) && (cpu_addr[29 : 24] < 6'h10)) begin
+          force_trap_set = 1'h1;
+        end
+
+        // Outside FW_RAM
+        if (cpu_addr[29 : 24] == 6'h10 & |cpu_addr[23 : 11]) begin
+          force_trap_set = 1'h1;
+        end
+
+        // In unused space
+        if ((cpu_addr[29 : 24] > 6'h10) && (cpu_addr[29 : 24] < 6'h3f)) begin
+          force_trap_set = 1'h1;
+        end
+
+        // Outside TK1
+        if (cpu_addr[29 : 24] == 6'h3f & |cpu_addr[23 : 10]) begin
+          force_trap_set = 1'h1;
+        end
+      end
+
       if (cpu_instr) begin
         if ((cpu_addr >= FW_RAM_FIRST) && (cpu_addr <= FW_RAM_LAST)) begin
           force_trap_set = 1'h1;

diff --git a/hw/application_fpga/firmware.bin.sha512 b/hw/application_fpga/firmware.bin.sha512
@@ -1 +1 @@
-edb39fca7dafb8ea0b89fdeecd960d7656e14ce461e49af97160a8bd6e67d9987e816adad37ba0fcfa63d107c3160988e4c3423ce4a71c39544bc0045888fec1  firmware.bin
+f3fb427da67af21ccb9ceb6f95224e4649eadcd8fd7b93d46ff4cf8f10f6731168abb6403a9c1a4afe914fd065a131c056e1fa9a0bb00358f5e1a48a642c95b8  firmware.elf
diff --git a/hw/application_fpga/fw/tk1_mem.h b/hw/application_fpga/fw/tk1_mem.h
@@ -82,8 +82,8 @@
 #define TK1_MMIO_TIMER_TIMER 0xc100002c
 
 #define TK1_MMIO_UDS_BASE 0xc2000000
-#define TK1_MMIO_UDS_FIRST 0xc2000040
-#define TK1_MMIO_UDS_LAST 0xc200005c
+#define TK1_MMIO_UDS_FIRST 0xc2000000
+#define TK1_MMIO_UDS_LAST 0xc200001c
 
 #define TK1_MMIO_UART_BASE 0xc3000000
 #define TK1_MMIO_UART_RX_STATUS 0xc3000080

diff --git a/hw/application_fpga/rtl/application_fpga.v b/hw/application_fpga/rtl/application_fpga.v
@@ -392,7 +392,7 @@ module application_fpga (
 
     ram_cs              = 1'h0;
     ram_we              = 4'h0;
-    ram_address         = cpu_addr[17 : 2];
+    ram_address         = cpu_addr[16 : 2];
     ram_write_data      = cpu_wdata;
 
     fw_ram_cs           = 1'h0;

diff --git a/hw/application_fpga/tb/application_fpga_sim.v b/hw/application_fpga/tb/application_fpga_sim.v
@@ -406,7 +406,7 @@ module application_fpga_sim (
 
     ram_cs              = 1'h0;
     ram_we              = 4'h0;
-    ram_address         = cpu_addr[17 : 2];
+    ram_address         = cpu_addr[16 : 2];
     ram_write_data      = cpu_wdata;
 
     fw_ram_cs           = 1'h0;
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		44086edb70377991b57d3f1c231f743fcf0c2c9d2303843ec133f76cc42449a8 application_fpga.bin
		d610fd2e21eabe6fd840cee9f2a9f5ec00be8b40fbdfd069232f6450cd108a96 application_fpga.bin
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		edb39fca7dafb8ea0b89fdeecd960d7656e14ce461e49af97160a8bd6e67d9987e816adad37ba0fcfa63d107c3160988e4c3423ce4a71c39544bc0045888fec1 firmware.bin
		f3fb427da67af21ccb9ceb6f95224e4649eadcd8fd7b93d46ff4cf8f10f6731168abb6403a9c1a4afe914fd065a131c056e1fa9a0bb00358f5e1a48a642c95b8 firmware.elf