tillitis / tillitis-key1

Board designs, FPGA verilog, firmware for TKey, the flexible and open USB security key 🔑
https://www.tillitis.se

Prevent wraparound in SPRAM data access #158

Closed mchack-work closed 6 months ago

mchack-work commented 7 months ago

QEMU and real hardware behave differently if you access RAM. If you access an address higher than 0x4001ffff, real hardware wraps around to the beginning of RAM.

secworks commented 7 months ago

Added an experimental filter to the RAM access in branch https://github.com/tillitis/tillitis-key1/tree/match_qemu_ram_mem. The fix needs testing from SW. The expected behaviour now is that 0xdeadbeef is returned for addresses larger than max RAM, but within the RAM prefix.
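Added example, not code from the tillitis-key1 repository: a small C model of how the three behaviours discussed in this thread differ for an address above 0x4001ffff (hardware wraps, QEMU rejects, the filtered design returns 0xdeadbeef). The RAM base 0x40000000, the 128 KiB size and the 0x40xxxxxx prefix test are assumptions derived from the top address quoted in the issue.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout, derived from the 0x4001ffff top address in the issue. */
#define RAM_BASE   0x40000000u
#define RAM_SIZE   0x00020000u   /* 128 KiB: 0x40000000..0x4001ffff */
#define RAM_FILL   0xdeadbeefu   /* value the filtered design returns */

static uint32_t ram[RAM_SIZE / 4];

/* Address decoder (assumed): does the 0x40xxxxxx prefix select the RAM? */
bool ram_selected(uint32_t addr) { return (addr >> 24) == (RAM_BASE >> 24); }

/* Original hardware: only the low address bits reach the SPRAM, so an
 * offset of RAM_SIZE or more silently wraps to the beginning of RAM. */
uint32_t hw_wrap_read(uint32_t addr) {
    return ram[((addr - RAM_BASE) & (RAM_SIZE - 1)) / 4];
}
void hw_wrap_write(uint32_t addr, uint32_t val) {
    ram[((addr - RAM_BASE) & (RAM_SIZE - 1)) / 4] = val;
}

/* Emulator: an access past the end of RAM is rejected outright. */
bool qemu_write(uint32_t addr, uint32_t val) {
    if (addr - RAM_BASE >= RAM_SIZE) return false;   /* "rejected" */
    ram[(addr - RAM_BASE) / 4] = val;
    return true;
}

/* Filtered design: inside the RAM prefix but above max RAM, reads return
 * RAM_FILL and writes are dropped instead of wrapping to RAM start. */
uint32_t filtered_read(uint32_t addr) {
    if (addr - RAM_BASE >= RAM_SIZE) return RAM_FILL;
    return ram[(addr - RAM_BASE) / 4];
}
void filtered_write(uint32_t addr, uint32_t val) {
    if (addr - RAM_BASE >= RAM_SIZE) return;
    ram[(addr - RAM_BASE) / 4] = val;
}

int main(void) {
    uint32_t hi = 0x40020000u;               /* one word past the top of RAM */
    hw_wrap_write(RAM_BASE, 0x11111111u);    /* marker at the start of RAM */
    printf("hardware: read 0x%08x -> 0x%08x (wrapped)\n", hi, hw_wrap_read(hi));
    printf("qemu:     write 0x%08x -> %s\n", hi, qemu_write(hi, 0) ? "ok" : "rejected");
    printf("filtered: read 0x%08x -> 0x%08x\n", hi, filtered_read(hi));
    return 0;
}
```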

secworks commented 7 months ago

Ready for testing, see PR https://github.com/tillitis/tillitis-key1/pull/160

dehanj commented 6 months ago

Confirming that QEMU detects a read/write outside of RAM as an invalid operation and rejects it. It does seem as if it tries to reset, and gets stuck trying to access FW in app-mode.

Invalid write at addr 0x4011FF00, size 4, region '(null)', reason: rejected
tk1_mmio_write: bad write: addr=0xd00007fc size=4 val=0x60 msg='write to FW_RAM in app-mode'
tk1_mmio_write: bad write: addr=0xd00007f8 size=4 val=0x0 msg='write to FW_RAM in app-mode'
tk1_mmio_write: bad write: addr=0xd00007f4 size=4 val=0x0 msg='write to FW_RAM in app-mode'
tk1_mmio_write: bad write: addr=0xd00007f0 size=4 val=0x0 msg='write to FW_RAM in app-mode'
tk1_mmio_write: bad write: addr=0xd00007ec size=4 val=0x0 msg='write to FW_RAM in app-mod