Core firmware split #4188

cepetr · 2024-09-18T07:33:47Z

This PR introduces a significant conceptual change to our Trezor firmware. It divides the firmware into two parts: a privileged and an unprivileged section. We refer to these as the kernel and the coreapp.

The kernel includes all hardware drivers, storage management, and necessary cryptographic functions. It operates in privileged mode, providing interfaces to the less trusted coreapp via approximately 100 syscalls.

The coreapp contains the MicroPython core, MicroPython applications, and the Rust-based UI. It runs entirely in unprivileged mode, with no direct access to hardware, except for DMA2D in its current implementation.

Kernel and coreapp are built as two separate applications but eventually glued together by build scripts as a single binary. So you can make firmware as before with no change at the first glance.

Benefits:

Enhanced security by separating the trusted kernel from the untrusted coreapp.
Enhanced security by enabling access to specific memory regions (storage, OTP, secrets) only on demand, reducing the risk of random overwrites).
Improved maintainability, with a clearer separation of concerns between hardware-level operations and application logic.

Known issues:

Syscall arguments are currently not verified.
TrustZone settings need to be updated to reflect the new architecture.

These issues need to be resolved soon, but they do not have a significant impact on security at the moment, as they have not been addressed in the firmware until now.

This PR brings also a lot of changes and improvements to drivers code:

Improved display driver API (preparation for init/deinit sequence)
Refactored interrupt handling routines API, reduced number of used priorities.
New systick driver that offer more precise time measurement.
New systimer for scheduling timer callbacks for background operations.
New i2c_bus driver, enabling non-blocking i2c operations
New mpu driver for region banking, that overcomes cortex-m cpu limitations.
New systask module, which allows manuall switching between privileged and unprivileged tasks
New system module with more reliable error handling (emergency mode)
Completely refactored and simplified linker scripts and startup codes.

TychoVrahe

First part of the review, focusing mainly on drivers up to introduction of non-blocking i2c driver, of which the review is not yet complete.

core/embed/bootloader/main.c

core/site_scons/models/T3B1/trezor_t3b1_revB.py

core/embed/trezorhal/stm32u5/xdisplay/stm32u5a9j-dk/display_ltdc_dsi.c

core/embed/trezorhal/xdisplay.h

core/embed/trezorhal/stm32f4/systick.c

core/embed/trezorhal/stm32f4/i2c_bus.c

core/embed/trezorhal/stm32u5/i2c_bus.c

TychoVrahe

some more stuff related to drivers part, up to and excluding the new mpu driver.

core/embed/trezorhal/stm32f4/i2c_bus.c

core/embed/trezorhal/stm32f4/systimer.c

core/embed/trezorhal/stm32u5/i2c_bus.c

core/embed/extmod/modtrezorutils/modtrezorutils.c

core/embed/trezorhal/stm32f4/bootutils.c

core/embed/trezorhal/bootargs.h

core/embed/trezorhal/bootutils.h

core/embed/trezorhal/stm32f4/fwutils.c

core/embed/trezorhal/secure_aes.h

core/embed/trezorhal/stm32u5/secure_aes.c

core/embed/trezorhal/stm32f4/linker/boardloader.ld

core/embed/kernel/main.c

core/site_scons/tools.py

core/embed/trezorhal/stm32f4/startup_stage_2.S

core/embed/models/T2B1/model_T2B1.h

TychoVrahe

some more issues/questions related to the last part - mpu, split and tasks+etc.

core/embed/lib/flash_utils.c

core/embed/lib/flash_utils.h

core/embed/trezorhal/stm32f4/applet.c

core/embed/trezorhal/stm32f4/system.c

core/embed/trezorhal/stm32f4/systask.c

[no changelog]

…mode [no changelog]

…factoring [no changelog]

[no changelog]

bosomt · 2024-09-29T19:40:16Z

QA OK

been using 2.8.4 FW for some time without any issue
https://www.notion.so/satoshilabs/Core-firmware-split-dff3e35ff0ea4614b4559dac8c485d3d?pvs=4

cepetr added T2B1 Trezor Safe 3 (F4) T3W1 T3T1 Trezor Safe 5 T3B1 Trezor Safe 3 (U5) labels Sep 18, 2024

cepetr requested a review from TychoVrahe September 18, 2024 07:33

cepetr self-assigned this Sep 18, 2024

cepetr requested review from andrewkozlik, matejcik and prusnak as code owners September 18, 2024 07:33

cepetr force-pushed the cepetr/core-split branch 4 times, most recently from 26d1025 to 3c561cf Compare September 18, 2024 12:34

TychoVrahe requested changes Sep 19, 2024

View reviewed changes

TychoVrahe reviewed Sep 19, 2024

View reviewed changes

cepetr commented Sep 19, 2024

View reviewed changes

cepetr commented Sep 20, 2024

View reviewed changes

TychoVrahe reviewed Sep 20, 2024

View reviewed changes

TychoVrahe approved these changes Sep 23, 2024

View reviewed changes

refactor(core/embed): remove unnecessary pendsv exception handling

6f762a0

[no changelog]

cepetr added 10 commits September 23, 2024 15:49

refactor(core/embed): use new i2c driver in drv2625 driver

0b4dbe1

[no changelog]

refactor(core/embed): use new i2c driver in optiga driver

bb3b00c

[no changelog]

refactor(core/embed): use new i2c driver in sitronix touch driver

a3f2b5b

[no changelog]

refactor(core/embed): use new i2c driver in stmpe811 touch driver

ac8ed8d

[no changelog]

chore(core/embed): remove unused legacy i2c driver

694ac20

[no changelog]

refactor(core/embed): simplify bootutils api

ba25763

[no changelog]

refactor(core/embed): moving specific algorithms into fwutils

e6bacff

[no changelog]

refactor(core/embed): introduce new mpu driver

3f8166d

[no changelog]

refactor(core/embed): split firmware into kernel & coreapp

52cbd29

[no changelog]

refactor(core/embed): introduce system, tasks, applets and emergency …

813aa0b

…mode [no changelog]

cepetr force-pushed the cepetr/core-split branch 2 times, most recently from 5a2da1e to 6075662 Compare September 24, 2024 08:32

TychoVrahe and others added 7 commits September 24, 2024 11:33

refactor(core): combined build of coreapp + kernel, linker scripts re…

5b0dd36

…factoring [no changelog]

fix(core): use secure-unprivileged SAES XOR key for storage encryption

36140cd

[no changelog]

fix(core): fix storage offsets

924904f

[no changelog]

chore(core): remove flash otp interface from python

686861a

[no changelog]

fix(core): support 32 bit colors in terminal

9750b70

[no changelog]

refactor(core): migrate coreapp into firmware

97b3836

[no changelog]

fix(core/embed): fix firmware invalidation

23ff195

[no changelog]

cepetr force-pushed the cepetr/core-split branch from e39ede7 to 23ff195 Compare September 24, 2024 09:34

cepetr merged commit ab96ce7 into main Sep 24, 2024
85 checks passed

cepetr deleted the cepetr/core-split branch September 24, 2024 10:21

Hannsek mentioned this pull request Sep 24, 2024

[Epic] Port Core codebase to Trezor One hardware #24

Closed

14 tasks

cepetr mentioned this pull request Sep 25, 2024

fix(core): fix handover to bootloader #4221

Merged

This was referenced Sep 30, 2024

TS5 framerate fix #4231

Merged

fix(core): fix interaction-less update #4232

Merged

fix(core): ensure proper handling of vendor string #4239

Merged

Fix emulator build on MacOS #4242

Merged

cepetr mentioned this pull request Nov 4, 2024

CPUID READ not working #4310

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Core firmware split #4188

Core firmware split #4188

cepetr commented Sep 18, 2024 •

edited

Loading

TychoVrahe left a comment

TychoVrahe left a comment

TychoVrahe left a comment

bosomt commented Sep 29, 2024

Core firmware split #4188

Core firmware split #4188

Conversation

cepetr commented Sep 18, 2024 • edited Loading

TychoVrahe left a comment

Choose a reason for hiding this comment

TychoVrahe left a comment

Choose a reason for hiding this comment

TychoVrahe left a comment

Choose a reason for hiding this comment

bosomt commented Sep 29, 2024

cepetr commented Sep 18, 2024 •

edited

Loading