[rescue,test] add new rescue error handling tests

This introduces new end-to-end tests for rescue error handling:
- Adds a usbdfu_in_transaction_cancel test to verify the device's
behavior when a USB DFU transaction is cancelled during an upload.
- Adds a rescue_image_too_big test for Xmodem to check the handling
of oversized firmware images during rescue, ensuring the device
correctly cancels the operation and remains functional.

Signed-off-by: Anthony Chen <[email protected]>

Author: anthonychen1251

sw/device/silicon_creator/rom_ext/e2e/rescue/BUILD

@@ -782,6 +782,7 @@ opentitan_test(
             "//sw/device/silicon_creator/rom_ext:rom_ext_dice_x509_slot_a": "romext",
             ":boot_test_slot_a": "firmware",
         },
+        timeout = "long",
         test_cmd = """
         --clear-bitstream
         --bootstrap={firmware}
@@ -878,6 +879,29 @@ opentitan_test(
     ),
 )
 
+opentitan_test(
+    name = "usbdfu_in_transaction_cancel",
+    exec_env = {
+        # Unsupported on cw310: USB control request with a minimal
+        # timeout does not cancel transactions on this platform.
+        "//hw/top_earlgrey:fpga_cw340_rom_ext": None,
+    },
+    fpga = fpga_params(
+        assemble = "{romext}@{rom_ext_slot_a} {firmware}@{owner_slot_a}",
+        binaries = {
+            "//sw/device/silicon_creator/rom_ext:rom_ext_usbdfu": "romext",
+            ":boot_test_slot_a": "firmware",
+        },
+        params = "-p usb-dfu -t strap -v 3",
+        test_cmd = """
+        --clear-bitstream
+        --bootstrap={firmware}
+        rescue {params} --action=usb-dfu-in-transaction-cancel
+        """,
+        test_harness = "//sw/host/tests/rescue:dfu_rescue_error_handling",
+    ),
+)
+
 # Check that when we are not configured to rescue on watchdog timeout that
 # a watchdog timeout event simply boots the firmware normally.
 opentitan_test(

sw/host/opentitanlib/src/rescue/usbdfu.rs

@@ -33,7 +33,7 @@ impl UsbDfu {
         }
     }
 
-    fn device(&self) -> Ref<'_, UsbBackend> {
+    pub fn device(&self) -> Ref<'_, UsbBackend> {
         let device = self.usb.borrow();
         Ref::map(device, |d| d.as_ref().expect("device handle"))
     }

sw/host/tests/rescue/dfu_rescue_error_handling.rs

@@ -11,7 +11,7 @@ use std::time::Duration;
 use opentitanlib::app::TransportWrapper;
 use opentitanlib::io::eeprom::{AddressMode, MODE_111, Transaction};
 use opentitanlib::io::spi::SpiParams;
-use opentitanlib::rescue::dfu::{DfuOperations, DfuRequestType};
+use opentitanlib::rescue::dfu::{DfuOperations, DfuRequest, DfuRequestType};
 use opentitanlib::rescue::{EntryMode, Rescue, RescueMode, RescueParams, SpiDfu, UsbDfu};
 use opentitanlib::spiflash::SpiFlash;
 use opentitanlib::test_utils::init::InitializeTest;
@@ -50,6 +50,7 @@ pub enum DfuRescueTestActions {
     InvalidSpiDfuRequests,
     InvalidSpiFlashTransaction,
     UsbDfuOutChunkTooBig,
+    UsbDfuInTransactionCancel,
 }
 
 const SET_INTERFACE: u8 = 0x0b;
@@ -327,6 +328,40 @@ fn usb_dfu_out_chunk_too_big(params: &RescueParams, transport: &TransportWrapper
     Ok(())
 }
 
+fn usb_dfu_in_transaction_cancel(
+    params: &RescueParams,
+    transport: &TransportWrapper,
+) -> Result<()> {
+    let rescue = UsbDfu::new(params.clone());
+    rescue.enter(transport, EntryMode::Reset)?;
+    rescue.set_mode(RescueMode::DeviceId)?;
+    let usb = rescue.device();
+    let mut data = vec![0u8; 2048];
+    // Issue a USB control request with minimal timeout to cancel the transaction.
+    let result = usb.handle().read_control(
+        DfuRequestType::In.into(),
+        DfuRequest::UpLoad.into(),
+        0,
+        rescue.get_interface() as u16,
+        &mut data,
+        Duration::from_millis(1),
+    );
+
+    if result.is_ok() {
+        return Err(anyhow!("Invalid read control should fail"));
+    }
+
+    rescue.reboot()?;
+
+    let uart = transport.uart("console")?;
+    UartConsole::wait_for(&*uart, r"Finished", Duration::from_secs(5))?;
+
+    #[cfg(feature = "ot_coverage_enabled")]
+    UartConsole::wait_for_coverage(&*uart, Duration::from_secs(5))?;
+
+    Ok(())
+}
+
 fn main() -> Result<()> {
     let opts = Opts::parse();
     opts.init.init_logging();
@@ -346,6 +381,9 @@ fn main() -> Result<()> {
             DfuRescueTestActions::UsbDfuOutChunkTooBig => {
                 usb_dfu_out_chunk_too_big(&rescue.params, &transport)?
             }
+            DfuRescueTestActions::UsbDfuInTransactionCancel => {
+                usb_dfu_in_transaction_cancel(&rescue.params, &transport)?
+            }
         },
     }
 

sw/host/tests/rescue/xmodem_rescue_error_handling.rs

@@ -3,13 +3,14 @@
 // SPDX-License-Identifier: Apache-2.0
 
 #![allow(clippy::bool_assert_comparison)]
-use anyhow::Result;
+use anyhow::{anyhow, Result};
 use clap::Parser;
 
 use std::rc::Rc;
 use std::time::Duration;
 
 use opentitanlib::app::TransportWrapper;
+use opentitanlib::chip::boot_svc::BootSlot;
 use opentitanlib::io::uart::Uart;
 use opentitanlib::rescue::xmodem::XmodemError;
 use opentitanlib::rescue::{EntryMode, Rescue, RescueMode, RescueSerial};
@@ -343,6 +344,32 @@ fn recv_finish_nak(
     Ok(())
 }
 
+fn rescue_image_too_big(
+    transport: &TransportWrapper,
+    uart: &dyn Uart,
+    rescue: &RescueSerial,
+) -> Result<()> {
+    rescue.enter(transport, EntryMode::Reset)?;
+    let image_too_big = [0u8; 1026*1024];
+    match rescue.update_firmware(BootSlot::SlotB, &image_too_big) {
+        Ok(_) => {
+            return Err(anyhow!("Expects cancel during firmware rescue, but got OK."));
+        }
+        Err(e) => {
+            if e.to_string().contains("Cancelled") {
+                log::info!("Operation cancelled by device as expected");
+            } else {
+                return Err(e);
+            }
+        }
+    };
+    // Check for kErrorRescueImageTooBig.
+    UartConsole::wait_for(uart, r"BFV:02525309", Duration::from_secs(5))?;
+    // Ensure we can still boot into Owner SW.
+    UartConsole::wait_for(uart, r"Finished", Duration::from_secs(5))?;
+    Ok(())
+}
+
 fn main() -> Result<()> {
     let opts = Opts::parse();
     opts.init.init_logging();
@@ -361,5 +388,6 @@ fn main() -> Result<()> {
     recv_data_cancel(&transport, &*uart, &rescue)?;
     recv_data_nak(&transport, &*uart, &rescue)?;
     recv_finish_nak(&transport, &*uart, &rescue)?;
+    rescue_image_too_big(&transport, &*uart, &rescue)?;
     Ok(())
 }