[rom_ext_e2e] Test rescue with a restricted command set

cfrantz · pamaury · commit 2f8f6ecb11a3 · 2026-02-05T17:22:21.000Z
Test that the rescue protocol is functional when the `RescueFirmware` mode is not in the list of allowed commands. Signed-off-by: Chris Frantz <cfrantz@google.com> (cherry picked from commit 23b5b87)
diff --git a/sw/device/silicon_creator/lib/ownership/test_owner.c b/sw/device/silicon_creator/lib/ownership/test_owner.c
@@ -71,6 +71,8 @@
   (owner_keydata_t) { .ecdsa = UNLOCK_ECDSA_P256 }
 #endif
 
+// The following preprocessor symbols are only relevant when
+// WITH_RESCUE_PROTOCOL is defined.
 #ifndef WITH_RESCUE_GPIO_PARAM
 #define WITH_RESCUE_GPIO_PARAM 0
 #endif
@@ -83,6 +85,15 @@
 #ifndef WITH_RESCUE_TRIGGER
 #define WITH_RESCUE_TRIGGER 1 /* default to UartBreak */
 #endif
+#ifndef WITH_RESCUE_COMMAND_ALLOW
+#define WITH_RESCUE_COMMAND_ALLOW                                            \
+  kRescueModeBootLog, kRescueModeBootSvcRsp, kRescueModeBootSvcReq,          \
+      kRescueModeOwnerBlock, kRescueModeOwnerPage0, kRescueModeOwnerPage1,   \
+      kRescueModeOpenTitanID, kRescueModeFirmware, kRescueModeFirmwareSlotB, \
+      kBootSvcEmptyReqType, kBootSvcNextBl0SlotReqType,                      \
+      kBootSvcMinBl0SecVerReqType, kBootSvcOwnershipActivateReqType,         \
+      kBootSvcOwnershipUnlockReqType,
+#endif
 
 rom_error_t sku_creator_owner_init(boot_data_t *bootdata) {
   owner_keydata_t owner = OWNER_KEYDATA;
@@ -231,22 +242,7 @@ rom_error_t sku_creator_owner_init(boot_data_t *bootdata) {
       .start = 32,
       .size = 224,
   };
-  const uint32_t commands[] = {
-      kRescueModeBootLog,
-      kRescueModeBootSvcRsp,
-      kRescueModeBootSvcReq,
-      kRescueModeOwnerBlock,
-      kRescueModeOwnerPage0,
-      kRescueModeOwnerPage1,
-      kRescueModeOpenTitanID,
-      kRescueModeFirmware,
-      kRescueModeFirmwareSlotB,
-      kBootSvcEmptyReqType,
-      kBootSvcNextBl0SlotReqType,
-      kBootSvcMinBl0SecVerReqType,
-      kBootSvcOwnershipActivateReqType,
-      kBootSvcOwnershipUnlockReqType,
-  };
+  const uint32_t commands[] = {WITH_RESCUE_COMMAND_ALLOW};
   memcpy(&rescue->command_allow, commands, sizeof(commands));
   rescue->header.length += sizeof(commands);
   end = (uintptr_t)rescue + rescue->header.length;
diff --git a/sw/device/silicon_creator/rom_ext/defs.bzl b/sw/device/silicon_creator/rom_ext/defs.bzl
@@ -86,4 +86,34 @@ TEST_OWNER_CONFIGS = {
         ],
         "rescue_module": ["//sw/device/silicon_creator/lib/rescue:rescue_xmodem"],
     },
+    "xmodem_restricted_commands": {
+        # Enable Xmodem rescue with enter-on-fail and a timeout.
+        "owner_defines": [
+            # 0x58 is 'X'modem.
+            "WITH_RESCUE_PROTOCOL=0x58",
+            # Restrict rescue to only one command
+            "WITH_RESCUE_COMMAND_ALLOW=kRescueModeOpenTitanID",
+        ],
+        "rescue_module": ["//sw/device/silicon_creator/lib/rescue:rescue_xmodem"],
+    },
+    "spidfu_restricted_commands": {
+        # Enable USB-DFU triggered by SW_STRAPS value 3.
+        "owner_defines": [
+            # 0x53 is 'S'pi.
+            "WITH_RESCUE_PROTOCOL=0x53",
+            # Trigger 3 is GPIO pin.
+            "WITH_RESCUE_TRIGGER=3",
+            # When the trigger is GPIO, the index is the MuxedPad to us as the sense
+            # input. Index 2 is kTopEarlgreyMuxedPadsIoa2.
+            "WITH_RESCUE_INDEX=2",
+            # GPIO param 3 means enable the internal pull resistor and trigger
+            # rescue when the GPIO is high.
+            "WITH_RESCUE_GPIO_PARAM=3",
+            # Timeout: 0x80=enter_on_fail, 0x00 = No timeout.
+            "WITH_RESCUE_TIMEOUT=0x80",
+            # Restrict rescue to only one command
+            "WITH_RESCUE_COMMAND_ALLOW=kRescueModeOpenTitanID",
+        ],
+        "rescue_module": ["//sw/device/silicon_creator/lib/rescue:rescue_spidfu"],
+    },
 }
diff --git a/sw/device/silicon_creator/rom_ext/e2e/rescue/BUILD b/sw/device/silicon_creator/rom_ext/e2e/rescue/BUILD
@@ -328,6 +328,74 @@ opentitan_test(
     ],
 )
 
+# Check that xmodem rescue is functional when the `RESQ` mode is disabled.
+opentitan_test(
+    name = "xmodem_restricted_commands",
+    srcs = [
+        "//sw/device/silicon_creator/rom_ext/e2e/verified_boot:boot_test",
+    ],
+    exec_env = {
+        "//hw/top_earlgrey:fpga_cw310_rom_ext": None,
+    },
+    fpga = fpga_params(
+        changes_otp = True,
+        exit_failure = "ok: ",
+        exit_success = "error: mode not allowed",
+        rom_ext = "//sw/device/silicon_creator/rom_ext:rom_ext_xmodem_restricted_commands",
+        test_cmd = """
+            --exec="transport init"
+            --exec="fpga clear-bitstream"
+            --exec="fpga load-bitstream {bitstream}"
+            --exec="bootstrap --clear-uart=true {firmware}"
+            # Trigger rescue and make sure we can get the device ID.
+            --exec="rescue get-device-id --reboot=false"
+            # Try the `RESQ` mode and make sure we get an error message.
+            --exec="console --non-interactive --send='RESQ\r' --exit-success='{exit_success}' --exit-failure='{exit_failure}'"
+            no-op
+        """,
+    ),
+    deps = [
+        "//sw/device/lib/base:status",
+        "//sw/device/lib/testing/test_framework:ottf_main",
+        "//sw/device/silicon_creator/lib:boot_log",
+        "//sw/device/silicon_creator/lib/drivers:retention_sram",
+    ],
+)
+
+# Check that DFU rescue is functional when the `RESQ` mode is disabled.
+# TODO: Add a test to try to perform a firmware rescue and ensure that it fails.
+opentitan_test(
+    name = "spidfu_restricted_commands",
+    srcs = [
+        "//sw/device/silicon_creator/rom_ext/e2e/verified_boot:boot_test",
+    ],
+    exec_env = {
+        "//hw/top_earlgrey:fpga_cw310_rom_ext": None,
+    },
+    fpga = fpga_params(
+        changes_otp = True,
+        params = "-p spi-dfu -t gpio -v +Ioa2",
+        rom_ext = "//sw/device/silicon_creator/rom_ext:rom_ext_spidfu_restricted_commands",
+        setup = "--exec=\"gpio set --mode OpenDrain Ioa2\"",
+        test_cmd = """
+            --exec="transport init"
+            --exec="fpga clear-bitstream"
+            --exec="fpga load-bitstream {bitstream}"
+            {setup}
+            --exec="bootstrap --clear-uart=true {firmware}"
+            # Trigger rescue and make sure we can get the device ID.
+            --exec="rescue {params} get-device-id --reboot=false"
+            no-op
+        """,
+    ),
+    deps = [
+        "//sw/device/lib/base:status",
+        "//sw/device/lib/testing/test_framework:ottf_main",
+        "//sw/device/silicon_creator/lib:boot_log",
+        "//sw/device/silicon_creator/lib/drivers:retention_sram",
+    ],
+)
+
 [
     opentitan_test(
         name = "rescue_enter_on_fail_{}".format(name),
