Verify (#16)

* Implement Verify

* Simplify a bit

Author: bugadani

Cargo.lock

@@ -5,7 +5,7 @@ edition = "2018"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-panic-never  = "0.1.0"
+panic-never = "0.1.0"
 ufmt = { version = "0.1.0", optional = true }
 
 

Cargo.toml

@@ -2,6 +2,7 @@ MEMORY {
     /* Middle of SRAM0 */
     IRAM : ORIGIN = 0x40090000, LENGTH = 0x10000
 }
+
 /*
 ESP32 ROM address table
 Generated for ROM with MD5sum:

ld/esp32.x

@@ -22,6 +22,11 @@ pub unsafe extern "C" fn ProgramPage(adr: u32, sz: u32, buf: *const u8) -> i32 {
     crate::ProgramPage_impl(adr, sz, buf)
 }
 
+#[no_mangle]
+pub unsafe extern "C" fn Verify(adr: u32, sz: u32, buf: *const u8) -> i32 {
+    crate::Verify_impl(adr, sz, buf)
+}
+
 #[no_mangle]
 pub unsafe extern "C" fn ReadFlash(adr: u32, sz: u32, buf: *mut u8) -> i32 {
     crate::ReadFlash_impl(adr, sz, buf)

src/api.rs

@@ -86,6 +86,23 @@ pub unsafe extern "C" fn ProgramPage(adr: u32, sz: u32, buf: *const u8) -> i32 {
     )
 }
 
+#[no_mangle]
+#[naked]
+pub unsafe extern "C" fn Verify(adr: u32, sz: u32, buf: *const u8) -> i32 {
+    asm!(
+        "
+        .global Verify_impl
+        l32r a1, STACK_PTR
+        mov.n a6, a2
+        mov.n a7, a3
+        mov.n a8, a4
+        call4 Verify_impl
+        mov.n a2, a6
+        ",
+        options(noreturn)
+    )
+}
+
 #[no_mangle]
 #[naked]
 pub unsafe extern "C" fn ReadFlash(adr: u32, sz: u32, buf: *mut u8) -> i32 {

src/api_xtensa.rs

@@ -178,7 +178,7 @@ pub unsafe extern "C" fn ProgramPage_impl(adr: u32, sz: u32, buf: *const u8) ->
 }
 
 #[no_mangle]
-pub unsafe extern "C" fn ReadFlash_impl(adr: u32, sz: u32, buf: *mut u8) -> i32 {
+pub unsafe extern "C" fn Verify_impl(adr: u32, sz: u32, buf: *const u8) -> i32 {
     if !is_inited() {
         return ERROR_BASE_INTERNAL - 1;
     };
@@ -188,26 +188,44 @@ pub unsafe extern "C" fn ReadFlash_impl(adr: u32, sz: u32, buf: *mut u8) -> i32
         return ERROR_BASE_INTERNAL - 5;
     }
 
-    dprintln!("READ FLASH {} bytes @ {}", sz, adr);
+    dprintln!("PROGRAM {} bytes @ {}", sz, adr);
 
-    let buffer = core::slice::from_raw_parts_mut(buf, sz as usize);
-    crate::flash::read_flash(adr, buffer)
+    let input = core::slice::from_raw_parts(buf, sz as usize);
+
+    (*DECOMPRESSOR).verify(adr, input)
 }
 
 #[no_mangle]
-pub unsafe extern "C" fn UnInit_impl(_fnc: u32) -> i32 {
+pub unsafe extern "C" fn ReadFlash_impl(adr: u32, sz: u32, buf: *mut u8) -> i32 {
     if !is_inited() {
         return ERROR_BASE_INTERNAL - 1;
     };
 
-    (*DECOMPRESSOR).flush();
+    if (buf as u32) % 4 != 0 {
+        dprintln!("ERROR buf not word aligned");
+        return ERROR_BASE_INTERNAL - 5;
+    }
+
+    dprintln!("READ FLASH {} bytes @ {}", sz, adr);
+
+    let buf = core::slice::from_raw_parts_mut(buf, sz as usize);
+    crate::flash::read_flash(adr, buf)
+}
 
-    // The flash ROM functions don't wait for the end of the last operation.
-    let r = flash::wait_for_idle();
+#[no_mangle]
+pub unsafe extern "C" fn UnInit_impl(fnc: u32) -> i32 {
+    if !is_inited() {
+        return ERROR_BASE_INTERNAL - 1;
+    };
 
     *INITED = 0;
 
-    r
+    if fnc == 2 {
+        // The flash ROM functions don't wait for the end of the last operation.
+        flash::wait_for_idle()
+    } else {
+        0
+    }
 }
 
 pub struct Decompressor {
@@ -239,7 +257,7 @@ impl Decompressor {
         self.output.take(|_| {});
     }
 
-    fn decompress(&mut self, input: &[u8]) -> i32 {
+    fn decompress(&mut self, input: &[u8], process: fn(u32, &[u8]) -> i32) -> i32 {
         if self.remaining_compressed == 0 {
             return ERROR_BASE_INTERNAL - 3;
         }
@@ -262,7 +280,7 @@ impl Decompressor {
             if status == TINFL_STATUS_DONE as i32 || self.output.full() {
                 // We're either finished or the decompressor can't continue
                 // until we flush the buffer.
-                let flush_status = self.flush();
+                let flush_status = self.flush(process);
 
                 if flush_status < 0 {
                     return ERROR_BASE_FLASH + flush_status;
@@ -277,26 +295,29 @@ impl Decompressor {
         }
     }
 
-    pub fn flush(&mut self) -> i32 {
+    pub fn flush(&mut self, process: fn(address: u32, data: &[u8]) -> i32) -> i32 {
         let mut offset = self.offset;
         let address = self.image_start + offset;
 
         // Take buffer contents, write to flash and update offset.
         let status = self.output.take(|data| {
             offset += data.len() as u32;
-            crate::flash::write_flash(address, data)
+
+            process(address, data)
         });
 
         self.offset = offset;
 
         status
     }
 
-    pub fn program(&mut self, address: u32, mut data: &[u8]) -> i32 {
+    fn handle_compressed(
+        &mut self,
+        address: u32,
+        mut data: &[u8],
+        process: fn(u32, &[u8]) -> i32,
+    ) -> i32 {
         if self.image_start != address {
-            // Finish previous image
-            self.flush();
-
             if data.len() < 4 {
                 // We don't have enough bytes to read the length
                 return ERROR_BASE_INTERNAL - 4;
@@ -315,6 +336,70 @@ impl Decompressor {
 
             self.reinit(address, compressed_length);
         }
-        self.decompress(data)
+        self.decompress(data, process)
+    }
+
+    pub fn program(&mut self, address: u32, data: &[u8]) -> i32 {
+        self.handle_compressed(address, data, write_to_flash)
+    }
+
+    pub fn verify(&mut self, address: u32, data: &[u8]) -> i32 {
+        // We're supposed to return the address up to which we've verified.
+        // However, we process compressed data and the caller expects us to respond in terms of
+        // compressed offsets, so we don't actually know where comparison fails.
+        let status = if self.handle_compressed(address, data, verify_flash) == 0 {
+            address + data.len() as u32
+        } else {
+            address
+        };
+
+        status as i32
+    }
+}
+
+fn write_to_flash(address: u32, data: &[u8]) -> i32 {
+    let status = crate::flash::write_flash(address, data);
+
+    if status < 0 {
+        return ERROR_BASE_FLASH + status;
+    }
+
+    0
+}
+
+fn verify_flash(mut address: u32, mut data: &[u8]) -> i32 {
+    const READBACK_BUFFER: usize = 256;
+    let mut readback = unsafe {
+        let mut buf = core::mem::MaybeUninit::<[u8; READBACK_BUFFER]>::uninit();
+        for i in 0..READBACK_BUFFER {
+            buf.as_mut_ptr().cast::<u8>().write_volatile(i as u8);
+        }
+        buf.assume_init()
+    };
+
+    while !data.is_empty() {
+        let chunk_size = READBACK_BUFFER.min(data.len());
+        let (slice, rest) = unsafe {
+            // SAFETY: skip is always at most `data.len()`
+            data.split_at_unchecked(chunk_size)
+        };
+        data = rest;
+
+        let readback_slice = &mut readback[..chunk_size];
+
+        let status = crate::flash::read_flash(address, readback_slice);
+        if status < 0 {
+            return -1;
+        }
+
+        for (a, b) in slice.iter().zip(readback_slice.iter()) {
+            if a != b {
+                return -1;
+            }
+        }
+
+        address += chunk_size as u32;
     }
+
+    0
 }