[cov,test] Fix hardcoded flash layout constants

sw/device/silicon_creator/lib/base/chip.h

@@ -70,10 +70,12 @@
  * Allowed bounds for the `length` field of a ROM_EXT manifest.
  */
 #define CHIP_ROM_EXT_SIZE_MIN CHIP_MANIFEST_SIZE
-#ifndef OT_COVERAGE_ENABLED
-#define CHIP_ROM_EXT_SIZE_MAX 0x10000
+#define CHIP_ROM_EXT_SIZE_MAX_PRODUCTION_BUILD 0x10000
+#define CHIP_ROM_EXT_SIZE_MAX_COVERAGE_BUILD 0x20000
+#ifdef OT_COVERAGE_ENABLED
+#define CHIP_ROM_EXT_SIZE_MAX CHIP_ROM_EXT_SIZE_MAX_COVERAGE_BUILD
 #else  // OT_COVERAGE_ENABLED
-#define CHIP_ROM_EXT_SIZE_MAX 0x20000
+#define CHIP_ROM_EXT_SIZE_MAX CHIP_ROM_EXT_SIZE_MAX_PRODUCTION_BUILD
 #endif  // OT_COVERAGE_ENABLED
 #define CHIP_ROM_EXT_RESIZABLE_SIZE_MAX \
   (CHIP_ROM_EXT_SIZE_MAX + CHIP_BL0_SIZE_MAX)

sw/device/silicon_creator/lib/ownership/BUILD

@@ -256,7 +256,9 @@ cc_library(
         ":datatypes",
         ":owner_block",
         ":ownership",
+        "//hw/top_earlgrey/ip_autogen/flash_ctrl:flash_ctrl_c_regs",
         "//sw/device/silicon_creator/lib:boot_data",
+        "//sw/device/silicon_creator/lib/base:chip",
         "//sw/device/silicon_creator/lib/boot_svc:boot_svc_msg",
         "//sw/device/silicon_creator/lib/drivers:flash_ctrl",
         "//sw/device/silicon_creator/lib/ownership/keys/fake:includes",
@@ -275,7 +277,9 @@ cc_library(
             ":datatypes",
             ":owner_block",
             ":ownership",
+            "//hw/top_earlgrey/ip_autogen/flash_ctrl:flash_ctrl_c_regs",
             "//sw/device/silicon_creator/lib:boot_data",
+            "//sw/device/silicon_creator/lib/base:chip",
             "//sw/device/silicon_creator/lib/boot_svc:boot_svc_msg",
             "//sw/device/silicon_creator/lib/drivers:flash_ctrl",
             "//sw/device/silicon_creator/lib/ownership/keys/fake:includes",

sw/device/silicon_creator/lib/ownership/owner_block.c

@@ -23,6 +23,12 @@
 owner_block_t owner_page[2];
 owner_page_status_t owner_page_valid[2];
 
+// Force production flash layout for unit test coverage
+#if defined(OT_COVERAGE_ENABLED) && !defined(OT_PLATFORM_RV32)
+#undef CHIP_ROM_EXT_SIZE_MAX
+#define CHIP_ROM_EXT_SIZE_MAX CHIP_ROM_EXT_SIZE_MAX_PRODUCTION_BUILD
+#endif  // defined(OT_COVERAGE_ENABLED) && !defined(OT_PLATFORM_RV32)
+
 enum {
   kFlashBankSize = FLASH_CTRL_PARAM_REG_PAGES_PER_BANK,
   kFlashPageSize = FLASH_CTRL_PARAM_BYTES_PER_PAGE,

sw/device/silicon_creator/lib/ownership/test_owner.c

@@ -5,6 +5,7 @@
 #include "sw/device/lib/base/hardened_memory.h"
 #include "sw/device/lib/base/macros.h"
 #include "sw/device/lib/base/memory.h"
+#include "sw/device/silicon_creator/lib/base/chip.h"
 #include "sw/device/silicon_creator/lib/boot_svc/boot_svc_msg.h"
 #include "sw/device/silicon_creator/lib/dbg_print.h"
 #include "sw/device/silicon_creator/lib/drivers/flash_ctrl.h"
@@ -26,6 +27,8 @@
 #include "sw/device/silicon_creator/lib/ownership/ownership_key.h"
 #include "sw/device/silicon_creator/lib/rescue/rescue.h"
 
+#include "flash_ctrl_regs.h"
+
 /*
  * This module overrides the weak `sku_creator_owner_init` symbol in
  * ownership.c, thus allowing FPGA builds to boot in the `LockedOwner` state
@@ -136,12 +139,16 @@
       kBootSvcOwnershipUnlockReqType,
 #endif
 #ifndef WITH_RESCUE_START
-#define WITH_RESCUE_START (32)
+#define WITH_RESCUE_START (kRomExtSizeInPages)
 #endif
 #ifndef WITH_RESCUE_SIZE
-#define WITH_RESCUE_SIZE (224)
+#define WITH_RESCUE_SIZE (256 - kRomExtSizeInPages)
 #endif
 
+enum {
+  kRomExtSizeInPages = CHIP_ROM_EXT_SIZE_MAX / FLASH_CTRL_PARAM_BYTES_PER_PAGE,
+};
+
 rom_error_t sku_creator_owner_init(boot_data_t *bootdata) {
 #ifdef TEST_FAULT_NO_OWNER
   return kErrorOwnershipNoOwner;

sw/device/silicon_creator/rom/e2e/boot_policy_flash_ecc_error/defs.bzl

@@ -70,9 +70,9 @@ BOOT_POLICY_FLASH_ECC_ERROR_TESTS = [
         "name": "a_corrupt_b_valid_{}",
         "a": ":flash_ecc_self_corruption_slot_a_{}",
         "b": ":uncorrupted_test_slot_b",
-        # The regex allows either 8 or 1 in the address, which accomodates the test program
-        # being linked as either a ROM_EXT or application.
-        "exit_success": "Booted slot=0x200[89]0000; Cause={}",
+        # The regex allows either 8, 9, a in the address, which accomodates the test program
+        # being linked as either a ROM_EXT or application normal or coverage builds.
+        "exit_success": "Booted slot=0x200[89a]0000; Cause={}",
         # When running under the ROM_EXT, we want to try SlotA first and make sure that
         # we handle the corrupted flash properly.
         "primary": "SlotA",
@@ -81,9 +81,9 @@ BOOT_POLICY_FLASH_ECC_ERROR_TESTS = [
         "name": "a_valid_b_corrupt_{}",
         "a": ":uncorrupted_test_slot_a",
         "b": ":flash_ecc_self_corruption_slot_b_{}",
-        # The regex allows either 0 or 1 in the address, which accomodates the test program
-        # being linked as either a ROM_EXT or application.
-        "exit_success": "Booted slot=0x200[01]0000; Cause={}",
+        # The regex allows either 0, 1, 2 in the address, which accomodates the test program
+        # being linked as either a ROM_EXT or application in normal or coverage builds.
+        "exit_success": "Booted slot=0x200[012]0000; Cause={}",
         # When running under the ROM_EXT, we want to try SlotB first and make sure that
         # we handle the corrupted flash properly.
         "primary": "SlotB",

sw/device/silicon_creator/rom/e2e/boot_policy_flash_ecc_error/flash_ecc_error_test.c

@@ -309,8 +309,7 @@ bool test_main(void) {
   if (kBootStage == kBootStageOwner) {
     // If we're running at the owner stage, we want to compute a location
     // inside the owner code, which starts after the ROM_EXT.
-    // The ROM_EXT is 64K.
-    addr_of_corruption += 0x10000;
+    addr_of_corruption += CHIP_ROM_EXT_SIZE_MAX;
   }
 
   // Corrupt the ECC of a targeted flash word by performing a double write.

sw/host/tests/ownership/flash_permission_test.rs

@@ -18,7 +18,10 @@ use opentitanlib::rescue::serial::RescueSerial;
 use opentitanlib::rescue::{EntryMode, Rescue};
 use opentitanlib::test_utils::init::InitializeTest;
 use opentitanlib::uart::console::UartConsole;
-use transfer_lib::HybridPair;
+use transfer_lib::{
+    HybridPair, OWNER_FLASH_FILE_SIZE, OWNER_FLASH_FILE_START, OWNER_FLASH_OWNER_SIZE,
+    OWNER_FLASH_OWNER_START, OWNER_FLASH_ROM_EXT_SIZE, OWNER_FLASH_ROM_EXT_START,
+};
 
 #[derive(Debug, Parser)]
 struct Opts {
@@ -247,11 +250,25 @@ fn flash_permission_test(opts: &Opts, transport: &TransportWrapper) -> Result<()
         // The ROM_EXT always protects itself in regions 0 and 1.
         assert_eq!(
             region[0],
-            FlashRegion("data", 0, 0, 32, romext_region[0], "LK")
+            FlashRegion(
+                "data",
+                0,
+                OWNER_FLASH_ROM_EXT_START as u32,
+                OWNER_FLASH_ROM_EXT_SIZE as u32,
+                romext_region[0],
+                "LK"
+            )
         );
         assert_eq!(
             region[1],
-            FlashRegion("data", 1, 256, 32, romext_region[1], "LK")
+            FlashRegion(
+                "data",
+                1,
+                256 + OWNER_FLASH_ROM_EXT_START as u32,
+                OWNER_FLASH_ROM_EXT_SIZE as u32,
+                romext_region[1],
+                "LK"
+            )
         );
 
         // Current owner (fake_owner in flash SideA) doesn't have a configuration,
@@ -260,11 +277,25 @@ fn flash_permission_test(opts: &Opts, transport: &TransportWrapper) -> Result<()
         // Next owner (dummy_owner in Flash SideB) is the next owner configuration.
         assert_eq!(
             region[2],
-            FlashRegion("data", 2, 288, 192, "RD-WR-ER-SC-EC-xx", "UN")
+            FlashRegion(
+                "data",
+                2,
+                256 + OWNER_FLASH_OWNER_START as u32,
+                OWNER_FLASH_OWNER_SIZE as u32,
+                "RD-WR-ER-SC-EC-xx",
+                "UN"
+            )
         );
         assert_eq!(
             region[3],
-            FlashRegion("data", 3, 480, 32, "RD-WR-ER-xx-xx-HE", "UN")
+            FlashRegion(
+                "data",
+                3,
+                256 + OWNER_FLASH_FILE_START as u32,
+                OWNER_FLASH_FILE_SIZE as u32,
+                "RD-WR-ER-xx-xx-HE",
+                "UN"
+            )
         );
 
         // The remaining flash regions are unused.
@@ -338,29 +369,99 @@ fn flash_permission_test(opts: &Opts, transport: &TransportWrapper) -> Result<()
     let app_region = match opts.rescue_slot {
         BootSlot::SlotA => [
             // Slot A protected, Slot B writable.
-            FlashRegion("data", 2, 32, 192, "RD-xx-xx-SC-EC-xx", locked),
-            FlashRegion("data", 3, 224, 32, "RD-WR-ER-xx-xx-HE", locked),
-            FlashRegion("data", 4, 288, 192, "RD-WR-ER-SC-EC-xx", locked),
-            FlashRegion("data", 5, 480, 32, "RD-WR-ER-xx-xx-HE", locked),
+            FlashRegion(
+                "data",
+                2,
+                OWNER_FLASH_OWNER_START as u32,
+                OWNER_FLASH_OWNER_SIZE as u32,
+                "RD-xx-xx-SC-EC-xx",
+                locked,
+            ),
+            FlashRegion(
+                "data",
+                3,
+                OWNER_FLASH_FILE_START as u32,
+                OWNER_FLASH_FILE_SIZE as u32,
+                "RD-WR-ER-xx-xx-HE",
+                locked,
+            ),
+            FlashRegion(
+                "data",
+                4,
+                256 + OWNER_FLASH_OWNER_START as u32,
+                OWNER_FLASH_OWNER_SIZE as u32,
+                "RD-WR-ER-SC-EC-xx",
+                locked,
+            ),
+            FlashRegion(
+                "data",
+                5,
+                256 + OWNER_FLASH_FILE_START as u32,
+                OWNER_FLASH_FILE_SIZE as u32,
+                "RD-WR-ER-xx-xx-HE",
+                locked,
+            ),
         ],
         BootSlot::SlotB => [
             // Slot A writable, Slot B protected.
-            FlashRegion("data", 2, 32, 192, "RD-WR-ER-SC-EC-xx", locked),
-            FlashRegion("data", 3, 224, 32, "RD-WR-ER-xx-xx-HE", locked),
-            FlashRegion("data", 4, 288, 192, "RD-xx-xx-SC-EC-xx", locked),
-            FlashRegion("data", 5, 480, 32, "RD-WR-ER-xx-xx-HE", locked),
+            FlashRegion(
+                "data",
+                2,
+                OWNER_FLASH_OWNER_START as u32,
+                OWNER_FLASH_OWNER_SIZE as u32,
+                "RD-WR-ER-SC-EC-xx",
+                locked,
+            ),
+            FlashRegion(
+                "data",
+                3,
+                OWNER_FLASH_FILE_START as u32,
+                OWNER_FLASH_FILE_SIZE as u32,
+                "RD-WR-ER-xx-xx-HE",
+                locked,
+            ),
+            FlashRegion(
+                "data",
+                4,
+                256 + OWNER_FLASH_OWNER_START as u32,
+                OWNER_FLASH_OWNER_SIZE as u32,
+                "RD-xx-xx-SC-EC-xx",
+                locked,
+            ),
+            FlashRegion(
+                "data",
+                5,
+                256 + OWNER_FLASH_FILE_START as u32,
+                OWNER_FLASH_FILE_SIZE as u32,
+                "RD-WR-ER-xx-xx-HE",
+                locked,
+            ),
         ],
         _ => return Err(anyhow!("Unknown boot slot {}", data.bl0_slot)),
     };
 
     // The ROM_EXT always protects itself in regions 0 and 1.
     assert_eq!(
         region[0],
-        FlashRegion("data", 0, 0, 32, romext_region[0], "LK")
+        FlashRegion(
+            "data",
+            0,
+            OWNER_FLASH_ROM_EXT_START as u32,
+            OWNER_FLASH_ROM_EXT_SIZE as u32,
+            romext_region[0],
+            "LK"
+        )
     );
     assert_eq!(
         region[1],
-        FlashRegion("data", 1, 256, 32, romext_region[1], "LK")
+        FlashRegion(
+            "data",
+            1,
+            256 + OWNER_FLASH_ROM_EXT_START as u32,
+            OWNER_FLASH_ROM_EXT_SIZE as u32,
+            romext_region[1],
+            "LK"
+        )
     );
     // Flash Slot A:
     assert_eq!(region[2], app_region[0]);