[rom_e2e] Add tests for a bad immutable section

Add tests that check if a valid signed ROM_EXT with an invalid immutable
section can boot.  The correct behavior is that the ROM should determine
that the immutable section is invalid and try the other slot.

Signed-off-by: Chris Frantz <[email protected]>
(cherry picked from commit f17d30f)

Author: cfrantz

sw/device/silicon_creator/rom/e2e/immutable_rom_ext_section/BUILD

@@ -36,21 +36,25 @@ ROM_EXT_SLOTS = [
         "name": "a",
         "slot": "a",
         "offset": SLOTS["a"],
+        "linker_script": "//sw/device/lib/testing/test_framework:ottf_ld_silicon_creator_slot_a",
     },
     {
         "name": "virtual_a",
         "slot": "a",
         "offset": SLOTS["a"],
+        "linker_script": "//sw/device/lib/testing/test_framework:ottf_ld_silicon_creator_slot_virtual",
     },
     {
         "name": "b",
         "slot": "b",
         "offset": SLOTS["b"],
+        "linker_script": "//sw/device/lib/testing/test_framework:ottf_ld_silicon_creator_slot_b",
     },
     {
         "name": "virtual_b",
         "slot": "b",
         "offset": SLOTS["b"],
+        "linker_script": "//sw/device/lib/testing/test_framework:ottf_ld_silicon_creator_slot_virtual",
     },
 ]
 
@@ -195,7 +199,7 @@ IMMUTABLE_PARTITION_TEST_CASES = [
         exec_env = [
             "//hw/top_earlgrey:fpga_cw310_sival",
         ],
-        linker_script = "//sw/device/lib/testing/test_framework:ottf_ld_silicon_creator_slot_{}".format(s["slot"]),
+        linker_script = s["linker_script"],
         deps = [
             "//hw/top:otp_ctrl_c_regs",
             "//hw/top_earlgrey/sw/autogen:top_earlgrey",
@@ -249,3 +253,101 @@ test_suite(
         for t in IMMUTABLE_PARTITION_TEST_CASES
     ],
 )
+
+BAD_SECTION_BINS = {
+    "invalid": {
+        #              l b a t u m m i
+        "message": "0x6c626174756d6d69",
+    },
+    "valid": {
+        #              l b a t u m m I
+        "message": "0x6c626174756d6d49",
+    },
+}
+
+# Both `imm_section_{valid,invalid}` are valid signed ROM_EXTs.  There is a
+# single bit difference in the immutable section ("Immutable" vs "immutable").
+# The former produces an immutable section with a valid hash, whereas the
+# later produces an invalid hash.
+[
+    opentitan_binary(
+        name = "imm_section_{}".format(name),
+        testonly = True,
+        srcs = ["immutable_rom_ext_section_test.c"],
+        defines = [
+            "IMMUTABLE_MESSAGE={}".format(param["message"]),
+        ],
+        exec_env = [
+            "//hw/top_earlgrey:fpga_cw310_sival",
+        ],
+        linker_script = "//sw/device/lib/testing/test_framework:ottf_ld_silicon_creator_slot_virtual",
+        manifest = ":manifest",
+        deps = [
+            "//hw/top:otp_ctrl_c_regs",
+            "//hw/top_earlgrey/sw/autogen:top_earlgrey",
+            "//sw/device/lib/base:hardened",
+            "//sw/device/lib/base:status",
+            "//sw/device/lib/testing/test_framework:ottf_main",
+            "//sw/device/silicon_creator/lib/drivers:otp",
+            "//sw/device/silicon_creator/lib/drivers:retention_sram",
+            "//sw/device/silicon_creator/lib/drivers:uart",
+        ],
+    )
+    for name, param in BAD_SECTION_BINS.items()
+]
+
+# Tests that "imm_section_invalid" is functional when OTP disabled the immutable
+# section.  This test proves that `imm_section_invalid` is a valid signed
+# ROM_EXT stage.
+opentitan_test(
+    name = "immutable_section_invalid_ok_when_disabled",
+    exec_env = {
+        "//hw/top_earlgrey:fpga_cw310_sival": None,
+    },
+    fpga = fpga_params(
+        assemble = "{invalid}@0",
+        binaries = {
+            ":imm_section_invalid": "invalid",
+        },
+        otp = ":otp_img_immutable_rom_ext_exec_disabled_hash_valid_virtual_a",
+    ),
+)
+
+# Tests that we can boot "imm_section_valid" when there is a valid signed
+# ROM_EXT with an invalid immutable section in the primary slot.
+# The ROM should skip the primary slot and boot the secondary slot.
+opentitan_test(
+    name = "immutable_section_a_bad_b_good",
+    exec_env = {
+        "//hw/top_earlgrey:fpga_cw310_sival": None,
+    },
+    fpga = fpga_params(
+        assemble = "{invalid}@0 {valid}@0x80000",
+        binaries = {
+            ":imm_section_invalid": "invalid",
+            ":imm_section_valid": "valid",
+        },
+        exit_failure = DEFAULT_TEST_FAILURE_MSG,
+        exit_success = "(?msR)Immutable$.*PASS!$",
+        otp = ":otp_img_immutable_rom_ext_exec_enabled_hash_valid_virtual_a",
+    ),
+)
+
+# Test that the ROM fails to boot when both slots have valid signatures
+# and invalid immutable sections.
+opentitan_test(
+    name = "immutable_section_a_bad_b_bad",
+    exec_env = {
+        "//hw/top_earlgrey:fpga_cw310_sival": None,
+    },
+    fpga = fpga_params(
+        assemble = "{invalid}@0 {invalid}@0x80000",
+        binaries = {
+            ":imm_section_invalid": "invalid",
+        },
+        exit_failure = DEFAULT_TEST_SUCCESS_MSG,
+        # This fault code is kErrorRomImmSection.
+        exit_success = "BFV:034d5203$",
+        otp = ":otp_img_immutable_rom_ext_exec_enabled_hash_valid_virtual_a",
+    ),
+)

sw/device/silicon_creator/rom/e2e/immutable_rom_ext_section/immutable_rom_ext_section_test.c

@@ -17,6 +17,11 @@
 
 OTTF_DEFINE_TEST_CONFIG();
 
+#ifndef IMMUTABLE_MESSAGE
+//                           l b a t u m m I
+#define IMMUTABLE_MESSAGE 0x6c626174756d6d49;
+#endif
+
 enum {
   kImmutableRomExtSectionHashSizeIn32BitWords =
       OTP_CTRL_PARAM_CREATOR_SW_CFG_IMMUTABLE_ROM_EXT_SHA256_HASH_SIZE /
@@ -26,8 +31,7 @@ enum {
 
 OT_USED OT_SECTION(".rom_ext_immutable") void rom_ext_non_mutable(void) {
   // Print "Immutable" to the UART console.
-  //                        l b a t u m m I
-  const uint64_t kStr1 = 0x6c626174756d6d49;
+  const uint64_t kStr1 = IMMUTABLE_MESSAGE;
   //                        e
   const uint32_t kStr2 = 0x65;
   const uint32_t kNewline = 0x0a0d;