From aa8cbb1ccd3856fd5e0437b0e24cfd7a3b794b8e Mon Sep 17 00:00:00 2001
From: Tim Newsome <tim@sifive.com>
Date: Tue, 27 Feb 2018 12:30:46 -0800
Subject: [PATCH] Add debug module authentication.

Off by default, enabled with --debug-auth.
The protocol is very simple (definitely not secure) to allow debuggers
to test their authentication feature. To authenticate a debugger must:
1. Read authdata
2. Write to authdata the value that it just read, plus 1
---
 riscv/debug_module.cc | 30 ++++++++++++++++++++++++++++--
 riscv/debug_module.h  | 15 +++++++++++++--
 riscv/jtag_dtm.cc     | 10 +++++++---
 riscv/sim.cc          |  5 +++--
 riscv/sim.h           |  2 +-
 spike_main/spike.cc   | 10 +++++++---
 6 files changed, 59 insertions(+), 13 deletions(-)

diff --git a/riscv/debug_module.cc b/riscv/debug_module.cc
index 12956a5..f10c866 100644
--- a/riscv/debug_module.cc
+++ b/riscv/debug_module.cc
@@ -16,10 +16,12 @@
 
 ///////////////////////// debug_module_t
 
-debug_module_t::debug_module_t(sim_t *sim, unsigned progbufsize, unsigned max_bus_master_bits) :
+debug_module_t::debug_module_t(sim_t *sim, unsigned progbufsize, unsigned max_bus_master_bits,
+    bool require_authentication) :
   progbufsize(progbufsize),
   program_buffer_bytes(4 + 4*progbufsize),
   max_bus_master_bits(max_bus_master_bits),
+  require_authentication(require_authentication),
   debug_progbuf_start(debug_data_start - program_buffer_bytes),
   debug_abstract_start(debug_progbuf_start - debug_abstract_size*4),
   sim(sim)
@@ -61,7 +63,7 @@ void debug_module_t::reset()
 
   dmstatus = {0};
   dmstatus.impebreak = true;
-  dmstatus.authenticated = 1;
+  dmstatus.authenticated = !require_authentication;
   dmstatus.version = 2;
 
   abstractcs = {0};
@@ -83,6 +85,8 @@ void debug_module_t::reset()
     sbcs.access16 = true;
   if (max_bus_master_bits >= 8)
     sbcs.access8 = true;
+
+  challenge = random();
 }
 
 void debug_module_t::add_device(bus_t *bus) {
@@ -458,6 +462,9 @@ bool debug_module_t::dmi_read(unsigned address, uint32_t *value)
       case DMI_SBDATA3:
         result = sbdata[3];
         break;
+      case DMI_AUTHDATA:
+        result = challenge;
+        break;
       default:
         result = 0;
         D(fprintf(stderr, "Unexpected. Returning Error."));
@@ -548,6 +555,11 @@ bool debug_module_t::perform_abstract_command()
 bool debug_module_t::dmi_write(unsigned address, uint32_t value)
 {
   D(fprintf(stderr, "dmi_write(0x%x, 0x%x)\n", address, value));
+
+  if (!dmstatus.authenticated && address != DMI_AUTHDATA &&
+      address != DMI_DMCONTROL)
+    return false;
+
   if (address >= DMI_DATA0 && address < DMI_DATA0 + abstractcs.datacount) {
     unsigned i = address - DMI_DATA0;
     if (!abstractcs.busy)
@@ -580,6 +592,8 @@ bool debug_module_t::dmi_write(unsigned address, uint32_t value)
           if (!dmcontrol.dmactive && get_field(value, DMI_DMCONTROL_DMACTIVE))
             reset();
           dmcontrol.dmactive = get_field(value, DMI_DMCONTROL_DMACTIVE);
+          if (!dmstatus.authenticated)
+            return true;
           if (dmcontrol.dmactive) {
             dmcontrol.haltreq = get_field(value, DMI_DMCONTROL_HALTREQ);
             dmcontrol.resumereq = get_field(value, DMI_DMCONTROL_RESUMEREQ);
@@ -662,6 +676,18 @@ bool debug_module_t::dmi_write(unsigned address, uint32_t value)
       case DMI_SBDATA3:
         sbdata[3] = value;
         return true;
+      case DMI_AUTHDATA:
+        D(fprintf(stderr, "debug authentication: got 0x%x; 0x%x unlocks\n", value,
+            challenge + secret));
+        if (require_authentication) {
+          if (value == challenge + secret) {
+            dmstatus.authenticated = true;
+          } else {
+            dmstatus.authenticated = false;
+            challenge = random();
+          }
+        }
+        return true;
     }
   }
   return false;
diff --git a/riscv/debug_module.h b/riscv/debug_module.h
index 36037b4..e554ffc 100644
--- a/riscv/debug_module.h
+++ b/riscv/debug_module.h
@@ -74,7 +74,14 @@ typedef struct {
 class debug_module_t : public abstract_device_t
 {
   public:
-    debug_module_t(sim_t *sim, unsigned progbufsize, unsigned max_bus_master_bits);
+    /*
+     * If require_authentication is true, then a debugger must authenticate as
+     * follows:
+     * 1. Read a 32-bit value from authdata:
+     * 2. Write the value that was read back, plus one, to authdata.
+     */
+    debug_module_t(sim_t *sim, unsigned progbufsize, unsigned max_bus_master_bits,
+        bool require_authentication);
     ~debug_module_t();
 
     void add_device(bus_t *bus);
@@ -96,7 +103,8 @@ class debug_module_t : public abstract_device_t
     // Actual size of the program buffer, which is 1 word bigger than we let on
     // to implement the implicit ebreak at the end.
     unsigned program_buffer_bytes;
-    unsigned max_bus_master_bits ;
+    unsigned max_bus_master_bits;
+    bool require_authentication;
     static const unsigned debug_data_start = 0x380;
     unsigned debug_progbuf_start;
 
@@ -134,6 +142,9 @@ class debug_module_t : public abstract_device_t
     uint32_t sbaddress[4];
     uint32_t sbdata[4];
 
+    uint32_t challenge;
+    const uint32_t secret = 1;
+
     processor_t *current_proc() const;
     void reset();
     bool perform_abstract_command();
diff --git a/riscv/jtag_dtm.cc b/riscv/jtag_dtm.cc
index 3a0e8d2..365528a 100644
--- a/riscv/jtag_dtm.cc
+++ b/riscv/jtag_dtm.cc
@@ -14,7 +14,8 @@
 enum {
   IR_IDCODE=1,
   IR_DTMCONTROL=0x10,
-  IR_DBUS=0x11
+  IR_DBUS=0x11,
+  IR_RESET=0x1c
 };
 
 #define DTMCONTROL_VERSION      0xf
@@ -104,8 +105,11 @@ void jtag_dtm_t::set_pins(bool tck, bool tms, bool tdi) {
       case SHIFT_IR:
         _tdo = ir & 1;
         break;
-      case UPDATE_IR:
-        break;
+      //case UPDATE_IR:
+        //if (ir == IR_RESET) {
+          // Make a reset happen
+        //}
+        //break;
       default:
         break;
     }
diff --git a/riscv/sim.cc b/riscv/sim.cc
index 009bb98..0e38c53 100644
--- a/riscv/sim.cc
+++ b/riscv/sim.cc
@@ -27,10 +27,11 @@ sim_t::sim_t(const char* isa, size_t nprocs, bool halted, reg_t start_pc,
              std::vector<std::pair<reg_t, mem_t*>> mems,
              const std::vector<std::string>& args,
              std::vector<int> const hartids, unsigned progsize,
-             unsigned max_bus_master_bits)
+             unsigned max_bus_master_bits, bool require_authentication)
   : htif_t(args), mems(mems), procs(std::max(nprocs, size_t(1))),
     start_pc(start_pc), current_step(0), current_proc(0), debug(false),
-    remote_bitbang(NULL), debug_module(this, progsize, max_bus_master_bits)
+    remote_bitbang(NULL),
+    debug_module(this, progsize, max_bus_master_bits, require_authentication)
 {
   signal(SIGINT, &handle_signal);
 
diff --git a/riscv/sim.h b/riscv/sim.h
index 47f3a45..6c6e435 100644
--- a/riscv/sim.h
+++ b/riscv/sim.h
@@ -22,7 +22,7 @@ public:
   sim_t(const char* isa, size_t _nprocs,  bool halted, reg_t start_pc,
         std::vector<std::pair<reg_t, mem_t*>> mems,
         const std::vector<std::string>& args, const std::vector<int> hartids,
-        unsigned progsize, unsigned max_bus_master_bits);
+        unsigned progsize, unsigned max_bus_master_bits, bool require_authentication);
   ~sim_t();
 
   // run the simulation to completion
diff --git a/spike_main/spike.cc b/spike_main/spike.cc
index f77d488..eb57baf 100644
--- a/spike_main/spike.cc
+++ b/spike_main/spike.cc
@@ -36,9 +36,10 @@ static void help()
   fprintf(stderr, "  --extlib=<name>       Shared library to load\n");
   fprintf(stderr, "  --rbb-port=<port>     Listen on <port> for remote bitbang connection\n");
   fprintf(stderr, "  --dump-dts            Print device tree string and exit\n");
-  fprintf(stderr, "  --progsize=<words>    progsize for the debug module [default 2]\n");
-  fprintf(stderr, "  --debug-sba=<bits>    debug bus master supports up to "
+  fprintf(stderr, "  --progsize=<words>    Progsize for the debug module [default 2]\n");
+  fprintf(stderr, "  --debug-sba=<bits>    Debug bus master supports up to "
       "<bits> wide accesses [default 0]\n");
+  fprintf(stderr, "  --debug-auth          Debug module requires debugger to authenticate\n");
   exit(1);
 }
 
@@ -92,6 +93,7 @@ int main(int argc, char** argv)
   bool use_rbb = false;
   unsigned progsize = 2;
   unsigned max_bus_master_bits = 0;
+  bool require_authentication = false;
   std::vector<int> hartids;
 
   auto const hartids_parser = [&](const char *s) {
@@ -135,6 +137,8 @@ int main(int argc, char** argv)
   parser.option(0, "progsize", 1, [&](const char* s){progsize = atoi(s);});
   parser.option(0, "debug-sba", 1,
       [&](const char* s){max_bus_master_bits = atoi(s);});
+  parser.option(0, "debug-auth", 0,
+      [&](const char* s){require_authentication = true;});
 
   auto argv1 = parser.parse(argv);
   std::vector<std::string> htif_args(argv1, (const char*const*)argv + argc);
@@ -142,7 +146,7 @@ int main(int argc, char** argv)
     mems = make_mems("2048");
 
   sim_t s(isa, nprocs, halted, start_pc, mems, htif_args, std::move(hartids),
-      progsize, max_bus_master_bits);
+      progsize, max_bus_master_bits, require_authentication);
   std::unique_ptr<remote_bitbang_t> remote_bitbang((remote_bitbang_t *) NULL);
   std::unique_ptr<jtag_dtm_t> jtag_dtm(new jtag_dtm_t(&s.debug_module));
   if (use_rbb) {
-- 
2.30.2