Set PROD_DBG_UNLOCK_IN_PROGRESS bit in runtime handle_request() to match ROM behavior

Author: mhatrevi

runtime/src/debug_unlock.rs

@@ -52,7 +52,7 @@ impl ProductionDebugUnlock {
     pub fn handle_request(
         &mut self,
         trng: &mut caliptra_drivers::Trng,
-        soc_ifc: &caliptra_drivers::SocIfc,
+        soc_ifc: &mut caliptra_drivers::SocIfc,
         dma: &mut caliptra_drivers::Dma,
         cmd_bytes: &[u8],
         resp: &mut [u8],
@@ -73,20 +73,32 @@ impl ProductionDebugUnlock {
             return Err(CaliptraError::RUNTIME_DEBUG_UNLOCK_INVALID_LIFECYCLE);
         }
 
-        // Use common function to create challenge
-        let challenge =
-            caliptra_common::debug_unlock::create_debug_unlock_challenge(trng, soc_ifc, dma, &req)?;
+        // Set debug unlock in progress
+        soc_ifc.set_ss_dbg_unlock_in_progress(true);
+
+        let result = (|| -> CaliptraResult<usize> {
+            // Use common function to create challenge
+            let challenge = caliptra_common::debug_unlock::create_debug_unlock_challenge(
+                trng, soc_ifc, dma, &req,
+            )?;
+
+            // Store the challenge for future token validation
+            let stored_challenge = challenge.clone();
+            self.last_challenge = Some(stored_challenge);
+            self.last_request = Some(req);
 
-        // Store the challenge for future token validation
-        let stored_challenge = challenge.clone();
-        self.last_challenge = Some(stored_challenge);
-        self.last_request = Some(req);
+            cprintln!("[rt] Production debug unlock challenge generated");
 
-        cprintln!("[rt] Production debug unlock challenge generated");
+            let resp = mutrefbytes::<ProductionAuthDebugUnlockChallenge>(resp)?;
+            *resp = challenge;
+            Ok(core::mem::size_of::<ProductionAuthDebugUnlockChallenge>())
+        })();
 
-        let resp = mutrefbytes::<ProductionAuthDebugUnlockChallenge>(resp)?;
-        *resp = challenge;
-        Ok(core::mem::size_of::<ProductionAuthDebugUnlockChallenge>())
+        if result.is_err() {
+            soc_ifc.set_ss_dbg_unlock_in_progress(false);
+        }
+
+        result
     }
 
     /// Handle the production debug unlock token verification
@@ -127,9 +139,6 @@ impl ProductionDebugUnlock {
             .take()
             .ok_or(CaliptraError::RUNTIME_DEBUG_UNLOCK_NO_REQUEST)?;
 
-        // Set debug unlock in progress
-        soc_ifc.set_ss_dbg_unlock_in_progress(true);
-
         // Use the common validation logic
         let result = caliptra_common::debug_unlock::validate_debug_unlock_token(
             soc_ifc,

runtime/src/lib.rs

@@ -543,7 +543,7 @@ fn execute_command(
         }
         CommandId::PRODUCTION_AUTH_DEBUG_UNLOCK_REQ => drivers.debug_unlock.handle_request(
             &mut drivers.trng,
-            &drivers.soc_ifc,
+            &mut drivers.soc_ifc,
             &mut drivers.dma,
             cmd_bytes,
             resp,

runtime/tests/runtime_integration_tests/test_debug_unlock.rs

@@ -166,6 +166,13 @@ fn test_dbg_unlock_prod_success() {
         .unwrap()
         .unwrap();
 
+    // Verify in_progress bit is set after REQUEST completes
+    assert!(model
+        .soc_ifc()
+        .ss_dbg_service_reg_rsp()
+        .read()
+        .prod_dbg_unlock_in_progress());
+
     let challenge = ProductionAuthDebugUnlockChallenge::read_from_bytes(resp.as_slice()).unwrap();
     let reserved = [0u8; 3];