Add an image access abstraction to RoT update_server

[lzrd]

The upcoming rollback protection feature needs to access partial or complete
images in flash, ram, or a mix.
The ImageAccess abstraction makes these operations more readable.

[aapoalas]

Comments from the peanut gallery. Looks like a very nice abstraction layer in general.

[aapoalas]

nitpick: Here and also on line 153 were using exec.start while other lines use the image_start alias. Could maybe unify to image_start to avoid confusion on the offsetting.

[labbott]

Do you have stats on how much this changes flash size?

[lzrd]

This change adds 768 bytes to the image flash size

          master/xtask-oxide-rot-1_app-dev.log.ok:  flash:   0x39c80 (90%)
rot-image-access/xtask-oxide-rot-1_app-dev.log.ok:  flash:   0x39f80 (90%)
echo $(( 0x39f80 - 0x39c80 ))
768

              master/xtask-rot-carrier_app.log.ok:  flash:   0x35aa0 (83%)
    rot-image-access/xtask-rot-carrier_app.log.ok:  flash:   0x35da0 (84%)

echo $(( 0x35da0 - 0x35aa0 ))
768

New sizes for oxide-rot-1

flash   = 0x00050000..0x00090000
ram     = 0x20004000..0x2001c000
sram2   = 0x20020000..0x20030000
usbsram = 0x40102000..0x40103000
dice_certs = 0x40100000..0x40100a00
dice_alias = 0x40100a00..0x40101200
Used:
  flash:   0x39f80 (90%)
  ram:     0x13d20 (82%)
  sram2:   0x0 (0%)
  usbsram: 0x1000 (100%)
  dice_certs: extern region (attest)
  dice_alias: extern region (attest)
warning: memory allocation is sub-optimal
Suggested improvements:
kernel:
  ram:    3040  (currently 4096)
warning: memory allocation is sub-optimal
Suggested improvements:
kernel:
  ram:    3040  (currently 4096)
APP=app/oxide-rot-1/app-dev.toml

[lzrd]

There is work to do to clear fmt and panics out of the the update_server:

On master:

$ arm-none-eabi-objdump -C -d target/oxide-rot-1-dev/dist/a/update_server  | tee update_server.s
$ grep '   b.*panic' update_server.s  | wc -l
50

On this PR:

$ arm-none-eabi-objdump -C -d target/oxide-rot-1-dev/dist/a/update_server  | tee update_server.s
$ grep '   b.*panic' update_server.s  | wc -l
59

[labbott]

This change adds 768 bytes to the image flash size

I consider this reasonable

[cbiffle]

I'm concerned about the image validation logic, would it be possible to pull this into a no_std crate so we can have unit tests?

[cbiffle]

So, a number of places in the access code below appear to rely on buffer.len() being equal to the length of this span. How is this invariant maintained? Would it make more sense to have span be a base address instead, so that the len isn't duplicated (and thus doesn't have to be kept in sync)?

[cbiffle]

(Here is a place where the length-matches invariant is definitely not maintained, fwiw.)

[lzrd]

Unless all of a slot is in use, it is expected that buffer.len() would always be less than the length of one of the spans.

Perhaps I should change span to slot_range (since Slot is already in use).
Suggestions welcome.

Span is a FlashRange which describes both the stored and the at_runtime address ranges of the slot that the image can occupy.
buffer here is a portion of the image that currently resides in RAM. The rest of the image may not be present.
In the case of a Accessor::Ram variant, the entire image resides in ram. It's destination slot is described by span.stored and its runtime slot is described by span.at_runtime (new names).

[lzrd]

I'm concerned about the image validation logic, would it be possible to pull this into a no_std crate so we can have unit tests?

I would like to have a no_std library in the hubtools repo that can be used by any code concerned with Oxide LPC55 images. That would include Hubris lib/lpc55-rot-startup/src/images.rs if practical. Tests would be included there.

I'd rather not refactor that now and the sprot-e2e tests are successful for upgrade and rollback to and from the current master branch and the rot-image-access branch.

Created oxidecomputer/hubtools#34

[cbiffle]

Looks like all the saturating arithmetic is still in place. I need convincing that this handles bounds cases correctly. Tests would be the fastest way, short of that I'd like to see a laaaaarge rationale comment explaining why the arithmetic isn't checked instead.

[aapoalas]

I sort of accidentally came to read this PR anew and found some questions that I thought were interesting. Feel free to ignore these if need or want be; i ended up sitting on these questions for several days but figured eh, let's ask. They're just curiosity, basically.

[lzrd]

The active image could be modified by the update_server task if there were a code path to do that.
There is a check testing to see if the slot to be updated is the currently executing Hubris slot. If so, the request is rejected.

[lzrd]

The early versions of the bootloader did not have the header and we have had discussions in the past about removing the need for the header. update_server tolerates a missing ImageHeader.