[sw/silicon_creator] Replace romextimage with boot_policy
This commit replaces the romextimage module with the boot policy module
which provides functions for sorting ROM_EXTs according to their security
versions and checking their manifests.
Signed-off-by: Alphan Ulusoy <alphan@google.com>
diff --git a/sw/device/silicon_creator/lib/error.h b/sw/device/silicon_creator/lib/error.h
index f30a907..637f964 100644
--- a/sw/device/silicon_creator/lib/error.h
+++ b/sw/device/silicon_creator/lib/error.h
@@ -32,13 +32,13 @@
kModuleKeymgr = MODULE_CODE('K', 'M'),
kModuleManifest = MODULE_CODE('M', 'A'),
kModuleMaskRom = MODULE_CODE('M', 'R'),
- kModuleRomextimage = MODULE_CODE('R', 'E'),
kModuleInterrupt = MODULE_CODE('I', 'R'),
kModuleEpmp = MODULE_CODE('E', 'P'),
kModuleOtp = MODULE_CODE('O', 'P'),
kModuleOtbn = MODULE_CODE('B', 'N'),
kModuleFlashCtrl = MODULE_CODE('F', 'C'),
kModuleSecMmio = MODULE_CODE('I', 'O'),
+ kModuleBootPolicy = MODULE_CODE('B', 'P'),
// clang-format on
};
@@ -79,8 +79,6 @@
X(kErrorManifestBadLength, ERROR_(1, kModuleManifest, kInternal)), \
X(kErrorManifestBadEntryPoint, ERROR_(2, kModuleManifest, kInternal)), \
X(kErrorManifestBadCodeRegion, ERROR_(3, kModuleManifest, kInternal)), \
- X(kErrorRomextimageInvalidArgument, ERROR_(1, kModuleRomextimage, kInvalidArgument)), \
- X(kErrorRomextimageInternal, ERROR_(2, kModuleRomextimage, kInternal)), \
X(kErrorAlertBadIndex, ERROR_(1, kModuleAlertHandler, kInvalidArgument)), \
X(kErrorAlertBadClass, ERROR_(2, kModuleAlertHandler, kInvalidArgument)), \
X(kErrorAlertBadEnable, ERROR_(3, kModuleAlertHandler, kInvalidArgument)), \
@@ -102,6 +100,8 @@
X(kErrorSecMmioCheckIndexFault, ERROR_(4, kModuleSecMmio, kInternal)), \
X(kErrorSecMmioWriteCountFault, ERROR_(5, kModuleSecMmio, kInternal)), \
X(kErrorSecMmioCheckCountFault, ERROR_(6, kModuleSecMmio, kInternal)), \
+ X(kErrorBootPolicyBadIdentifier, ERROR_(1, kModuleBootPolicy, kInternal)), \
+ X(kErrorBootPolicyRollback, ERROR_(2, kModuleBootPolicy, kInternal)), \
X(kErrorUnknown, 0xFFFFFFFF)
// clang-format on
diff --git a/sw/device/silicon_creator/lib/manifest.h b/sw/device/silicon_creator/lib/manifest.h
index 9f449b7..e0fdfb4 100644
--- a/sw/device/silicon_creator/lib/manifest.h
+++ b/sw/device/silicon_creator/lib/manifest.h
@@ -150,6 +150,7 @@
#define MANIFEST_LENGTH_FIELD_MIN MANIFEST_SIZE
#define MANIFEST_LENGTH_FIELD_MAX 65536
+#ifndef OT_OFF_TARGET_TEST
/**
* Checks the fields of a manifest.
*
@@ -229,26 +230,15 @@
inline uintptr_t manifest_entry_point_get(const manifest_t *manifest) {
return (uintptr_t)manifest + manifest->entry_point;
}
-
-// TODO: Move this definition to a more suitable place. Defined here for now
-// until we implement the boot policy module or the flash driver.
+#else
/**
- * Flash slots.
- *
- * OpenTitan's flash is split into two slots: A and B. Each stage in the boot
- * chain is responsible for choosing and verifying the slot from which the next
- * stage in the boot chain is executed.
+ * Declarations for the functions above that should be defined in tests.
*/
-typedef enum flash_slot {
- /**
- * Flash slot A.
- */
- kFlashSlotA,
- /**
- * Flash slot B.
- */
- kFlashSlotB,
-} flash_slot_t;
+rom_error_t manifest_check(const manifest_t *manifest);
+manifest_signed_region_t manifest_signed_region_get(const manifest_t *manifest);
+epmp_region_t manifest_code_region_get(const manifest_t *manifest);
+uintptr_t manifest_entry_point_get(const manifest_t *manifest);
+#endif
#ifdef __cplusplus
} // extern "C"
diff --git a/sw/device/silicon_creator/lib/mock_manifest.h b/sw/device/silicon_creator/lib/mock_manifest.h
new file mode 100644
index 0000000..40be0cb
--- /dev/null
+++ b/sw/device/silicon_creator/lib/mock_manifest.h
@@ -0,0 +1,51 @@
+// Copyright lowRISC contributors.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_MOCK_MANIFEST_H_
+#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_MOCK_MANIFEST_H_
+
+#include "sw/device/lib/testing/mask_rom_test.h"
+#include "sw/device/silicon_creator/lib/manifest.h"
+
+namespace mask_rom_test {
+namespace internal {
+
+/**
+ * Mock class for manifest.h.
+ */
+class MockManifest : public GlobalMock<MockManifest> {
+ public:
+ MOCK_METHOD(rom_error_t, Check, (const manifest_t *));
+ MOCK_METHOD(manifest_signed_region_t, SignedRegion, (const manifest_t *));
+ MOCK_METHOD(epmp_region_t, CodeRegion, (const manifest_t *));
+ MOCK_METHOD(uintptr_t, EntryPoint, (const manifest_t *));
+};
+
+} // namespace internal
+
+using MockManifest = testing::StrictMock<internal::MockManifest>;
+
+extern "C" {
+
+rom_error_t manifest_check(const manifest_t *manifest) {
+ return MockManifest::Instance().Check(manifest);
+}
+
+manifest_signed_region_t manifest_signed_region_get(
+ const manifest_t *manifest) {
+ return MockManifest::Instance().SignedRegion(manifest);
+}
+
+epmp_region_t manifest_code_region_get(const manifest_t *manifest) {
+ return MockManifest::Instance().CodeRegion(manifest);
+}
+
+uintptr_t manifest_entry_point_get(const manifest_t *manifest) {
+ return MockManifest::Instance().EntryPoint(manifest);
+}
+
+} // extern "C"
+} // namespace mask_rom_test
+
+#endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_MOCK_MANIFEST_H_
diff --git a/sw/device/silicon_creator/mask_rom/boot_policy.c b/sw/device/silicon_creator/mask_rom/boot_policy.c
new file mode 100644
index 0000000..7e9e7d5
--- /dev/null
+++ b/sw/device/silicon_creator/mask_rom/boot_policy.c
@@ -0,0 +1,37 @@
+// Copyright lowRISC contributors.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#include "sw/device/silicon_creator/mask_rom/boot_policy.h"
+
+#include "sw/device/silicon_creator/lib/error.h"
+#include "sw/device/silicon_creator/mask_rom/boot_policy_ptrs.h"
+
+boot_policy_manifests_t boot_policy_manifests_get(void) {
+ const manifest_t *slot_a = boot_policy_manifest_a_get();
+ const manifest_t *slot_b = boot_policy_manifest_b_get();
+ if (slot_a->security_version >= slot_b->security_version) {
+ return (boot_policy_manifests_t){
+ .ordered = {slot_a, slot_b},
+ };
+ }
+ return (boot_policy_manifests_t){
+ .ordered = {slot_b, slot_a},
+ };
+}
+
+rom_error_t boot_policy_manifest_check(const manifest_t *manifest) {
+ RETURN_IF_ERROR(manifest_check(manifest));
+ if (manifest->identifier != kBootPolicyRomExtIdentifier) {
+ return kErrorBootPolicyBadIdentifier;
+ }
+ // TODO(#7879): Implement anti-rollback.
+ uint32_t min_security_version = 0;
+ if (manifest->security_version < min_security_version) {
+ return kErrorBootPolicyRollback;
+ }
+ return kErrorOk;
+}
+
+extern const manifest_t *boot_policy_manifest_a_get(void);
+extern const manifest_t *boot_policy_manifest_b_get(void);
diff --git a/sw/device/silicon_creator/mask_rom/boot_policy.h b/sw/device/silicon_creator/mask_rom/boot_policy.h
new file mode 100644
index 0000000..0021002
--- /dev/null
+++ b/sw/device/silicon_creator/mask_rom/boot_policy.h
@@ -0,0 +1,70 @@
+// Copyright lowRISC contributors.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_BOOT_POLICY_H_
+#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_BOOT_POLICY_H_
+
+#include "sw/device/silicon_creator/lib/error.h"
+#include "sw/device/silicon_creator/lib/manifest.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif // __cplusplus
+
+enum {
+ /**
+ * ROM_EXT manifest identifier (ASCII "OTRE").
+ */
+ kBootPolicyRomExtIdentifier = 0x4552544f,
+};
+
+/**
+ * Type alias for the ROM_EXT entry point.
+ *
+ * The entry point address obtained from the ROM_EXT manifest must be cast to a
+ * pointer to this type before being called.
+ */
+typedef void rom_ext_entry_point(void);
+
+/**
+ * Manifests of ROM_EXTs in descending order according to their security
+ * versions.
+ *
+ * These ROM_EXTs must be verified prior to handing over execution.
+ */
+typedef struct boot_policy_manifests {
+ /**
+ * ROM_EXT manifests in descending order according to their security versions.
+ */
+ const manifest_t *ordered[2];
+} boot_policy_manifests_t;
+
+/**
+ * Returns the manifests of ROM_EXTs that should be attempted to boot in
+ * descending order according to their security versions.
+ *
+ * These ROM_EXTs must be verified prior to handing over execution.
+ *
+ * @return Manifests of ROM_EXTs in descending order according to their
+ * security versions.
+ */
+boot_policy_manifests_t boot_policy_manifests_get(void);
+
+/**
+ * Checks the fields of a ROM_EXT manifest.
+ *
+ * This function performs bounds checks on the fields of the manifest, checks
+ * that its `identifier` is correct, and its `security_version` is greater than
+ * or equal to the minimum required security version.
+ *
+ * @param manifest A ROM_EXT manifest.
+ * @return Result of the operation.
+ */
+rom_error_t boot_policy_manifest_check(const manifest_t *manifest);
+
+#ifdef __cplusplus
+} // extern "C"
+#endif // __cplusplus
+
+#endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_BOOT_POLICY_H_
diff --git a/sw/device/silicon_creator/mask_rom/romextimage_ptrs.h b/sw/device/silicon_creator/mask_rom/boot_policy_ptrs.h
similarity index 70%
rename from sw/device/silicon_creator/mask_rom/romextimage_ptrs.h
rename to sw/device/silicon_creator/mask_rom/boot_policy_ptrs.h
index 7360ed6..18ad318 100644
--- a/sw/device/silicon_creator/mask_rom/romextimage_ptrs.h
+++ b/sw/device/silicon_creator/mask_rom/boot_policy_ptrs.h
@@ -2,8 +2,8 @@
// Licensed under the Apache License, Version 2.0, see LICENSE for details.
// SPDX-License-Identifier: Apache-2.0
-#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_ROMEXTIMAGE_PTRS_H_
-#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_ROMEXTIMAGE_PTRS_H_
+#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_BOOT_POLICY_PTRS_H_
+#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_BOOT_POLICY_PTRS_H_
#include "sw/device/silicon_creator/lib/manifest.h"
@@ -23,7 +23,8 @@
*
* @return Pointer to the manifest of the ROM_EXT image in slot A.
*/
-inline const manifest_t *romextimage_slot_a_manifest_ptr_get(void) {
+// TODO(#7893): Should these be volatile?
+inline const manifest_t *boot_policy_manifest_a_get(void) {
return (const manifest_t *)TOP_EARLGREY_EFLASH_BASE_ADDR;
}
@@ -33,7 +34,7 @@
*
* @return Pointer to the manifest of the ROM_EXT image in slot B.
*/
-inline const manifest_t *romextimage_slot_b_manifest_ptr_get(void) {
+inline const manifest_t *boot_policy_manifest_b_get(void) {
return (const manifest_t *)(TOP_EARLGREY_EFLASH_BASE_ADDR +
(TOP_EARLGREY_EFLASH_SIZE_BYTES / 2));
}
@@ -41,12 +42,12 @@
/**
* Declarations for the functions above that should be defined in tests.
*/
-const manifest_t *romextimage_slot_a_manifest_ptr_get(void);
-const manifest_t *romextimage_slot_b_manifest_ptr_get(void);
+const manifest_t *boot_policy_manifest_a_get(void);
+const manifest_t *boot_policy_manifest_b_get(void);
#endif
#ifdef __cplusplus
} // extern "C"
#endif // __cplusplus
-#endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_ROMEXTIMAGE_PTRS_H_
+#endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_BOOT_POLICY_PTRS_H_
diff --git a/sw/device/silicon_creator/mask_rom/boot_policy_unittest.cc b/sw/device/silicon_creator/mask_rom/boot_policy_unittest.cc
new file mode 100644
index 0000000..4c93ec6
--- /dev/null
+++ b/sw/device/silicon_creator/mask_rom/boot_policy_unittest.cc
@@ -0,0 +1,104 @@
+// Copyright lowRISC contributors.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#include "sw/device/silicon_creator/mask_rom/boot_policy.h"
+
+#include "gtest/gtest.h"
+#include "sw/device/lib/testing/mask_rom_test.h"
+#include "sw/device/silicon_creator/lib/mock_manifest.h"
+#include "sw/device/silicon_creator/mask_rom/mock_boot_policy_ptrs.h"
+
+namespace manifest_unittest {
+namespace {
+using ::testing::Return;
+
+class BootPolicyTest : public mask_rom_test::MaskRomTest {
+ protected:
+ mask_rom_test::MockBootPolicyPtrs boot_policy_ptrs_;
+ mask_rom_test::MockManifest mock_manifest_;
+};
+
+TEST_F(BootPolicyTest, ManifestCheck) {
+ manifest_t manifest{};
+ manifest.identifier = kBootPolicyRomExtIdentifier;
+
+ EXPECT_CALL(mock_manifest_, Check(&manifest)).WillOnce(Return(kErrorOk));
+
+ EXPECT_EQ(boot_policy_manifest_check(&manifest), kErrorOk);
+}
+
+TEST_F(BootPolicyTest, ManifestCheckOutOfBounds) {
+ manifest_t manifest{};
+
+ EXPECT_CALL(mock_manifest_, Check(&manifest))
+ .WillOnce(Return(kErrorManifestBadLength));
+
+ EXPECT_EQ(boot_policy_manifest_check(&manifest), kErrorManifestBadLength);
+}
+
+TEST_F(BootPolicyTest, ManifestCheckBadIdentifier) {
+ manifest_t manifest{};
+
+ EXPECT_CALL(mock_manifest_, Check(&manifest)).WillOnce(Return(kErrorOk));
+
+ EXPECT_EQ(boot_policy_manifest_check(&manifest),
+ kErrorBootPolicyBadIdentifier);
+}
+
+struct ManifestOrderTestCase {
+ uint32_t version_a;
+ uint32_t version_b;
+ bool is_a_first;
+};
+
+class ManifestOrderTest
+ : public BootPolicyTest,
+ public testing::WithParamInterface<ManifestOrderTestCase> {};
+
+TEST_P(ManifestOrderTest, ManifestsGet) {
+ manifest_t manifest_a{};
+ manifest_t manifest_b{};
+ manifest_a.security_version = GetParam().version_a;
+ manifest_b.security_version = GetParam().version_b;
+
+ EXPECT_CALL(boot_policy_ptrs_, ManifestA).WillOnce(Return(&manifest_a));
+ EXPECT_CALL(boot_policy_ptrs_, ManifestB).WillOnce(Return(&manifest_b));
+
+ boot_policy_manifests_t res = boot_policy_manifests_get();
+ if (GetParam().is_a_first) {
+ EXPECT_EQ(res.ordered[0], &manifest_a);
+ EXPECT_EQ(res.ordered[1], &manifest_b);
+ } else {
+ EXPECT_EQ(res.ordered[0], &manifest_b);
+ EXPECT_EQ(res.ordered[1], &manifest_a);
+ }
+}
+
+INSTANTIATE_TEST_SUITE_P(
+ SecurityVersionCases, ManifestOrderTest,
+ testing::Values(
+ ManifestOrderTestCase{
+ .version_a = 0,
+ .version_b = 0,
+ .is_a_first = true,
+ },
+ ManifestOrderTestCase{
+ .version_a = 1,
+ .version_b = 0,
+ .is_a_first = true,
+ },
+ ManifestOrderTestCase{
+ .version_a = 0,
+ .version_b = 1,
+ .is_a_first = false,
+ },
+ ManifestOrderTestCase{
+ .version_a = std::numeric_limits<int32_t>::max(),
+ .version_b =
+ static_cast<uint32_t>(std::numeric_limits<int32_t>::max()) + 1,
+ .is_a_first = false,
+ }));
+
+} // namespace
+} // namespace manifest_unittest
diff --git a/sw/device/silicon_creator/mask_rom/mask_rom.c b/sw/device/silicon_creator/mask_rom/mask_rom.c
index cd99b42..775b3f6 100644
--- a/sw/device/silicon_creator/mask_rom/mask_rom.c
+++ b/sw/device/silicon_creator/mask_rom/mask_rom.c
@@ -22,8 +22,8 @@
#include "sw/device/silicon_creator/lib/error.h"
#include "sw/device/silicon_creator/lib/shutdown.h"
#include "sw/device/silicon_creator/lib/sigverify.h"
+#include "sw/device/silicon_creator/mask_rom/boot_policy.h"
#include "sw/device/silicon_creator/mask_rom/mask_rom_epmp.h"
-#include "sw/device/silicon_creator/mask_rom/romextimage.h"
#include "sw/device/silicon_creator/mask_rom/sigverify_keys.h"
#include "hw/top_earlgrey/sw/autogen/top_earlgrey.h"
@@ -127,10 +127,9 @@
// break
//}
- const manifest_t *manifest;
+ const manifest_t *manifest = boot_policy_manifests_get().ordered[0];
const sigverify_rsa_key_t *key;
- RETURN_IF_ERROR(romextimage_manifest_get(kFlashSlotA, &manifest));
- RETURN_IF_ERROR(manifest_check(manifest));
+ RETURN_IF_ERROR(boot_policy_manifest_check(manifest));
manifest_signed_region_t signed_region =
manifest_signed_region_get(manifest);
RETURN_IF_ERROR(sigverify_rsa_key_get(
@@ -196,7 +195,7 @@
// Jump to ROM_EXT entry point.
uintptr_t entry_point = manifest_entry_point_get(manifest);
base_printf("rom_ext_entry: %p\r\n", entry_point);
- ((romextimage_entry_point *)entry_point)();
+ ((rom_ext_entry_point *)entry_point)();
// NOTE: never expecting a return, but if something were to go wrong
// in the real `jump` implementation, we need to enter a failure case.
diff --git a/sw/device/silicon_creator/mask_rom/meson.build b/sw/device/silicon_creator/mask_rom/meson.build
index 1b069a2..aa3fd75 100644
--- a/sw/device/silicon_creator/mask_rom/meson.build
+++ b/sw/device/silicon_creator/mask_rom/meson.build
@@ -31,11 +31,11 @@
)
# ROM_EXT image.
-sw_silicon_creator_mask_rom_romextimage = declare_dependency(
+sw_silicon_creator_mask_rom_boot_policy = declare_dependency(
link_with: static_library(
- 'sw_silicon_creator_mask_rom_romextimage',
+ 'sw_silicon_creator_mask_rom_boot_policy',
sources: [
- 'romextimage.c',
+ 'boot_policy.c',
],
),
)
@@ -180,7 +180,7 @@
sw_silicon_creator_lib_shutdown,
sw_silicon_creator_mask_rom_epmp,
sw_silicon_creator_mask_rom_sigverify,
- sw_silicon_creator_mask_rom_romextimage,
+ sw_silicon_creator_mask_rom_boot_policy,
sw_lib_crt,
sw_lib_runtime_print,
],
@@ -261,11 +261,11 @@
)
endforeach
-test('sw_silicon_creator_mask_rom_romextimage_unittest', executable(
- 'sw_silicon_creator_mask_rom_romextimage_unittest',
+test('sw_silicon_creator_mask_rom_boot_policy_unittest', executable(
+ 'sw_silicon_creator_mask_rom_boot_policy_unittest',
sources: [
- 'romextimage_unittest.cc',
- 'romextimage.c',
+ 'boot_policy_unittest.cc',
+ 'boot_policy.c',
],
dependencies: [
sw_vendor_gtest,
diff --git a/sw/device/silicon_creator/mask_rom/mock_boot_policy_ptrs.h b/sw/device/silicon_creator/mask_rom/mock_boot_policy_ptrs.h
new file mode 100644
index 0000000..e577962
--- /dev/null
+++ b/sw/device/silicon_creator/mask_rom/mock_boot_policy_ptrs.h
@@ -0,0 +1,40 @@
+// Copyright lowRISC contributors.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_MOCK_BOOT_POLICY_PTRS_H_
+#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_MOCK_BOOT_POLICY_PTRS_H_
+
+#include "sw/device/lib/testing/mask_rom_test.h"
+#include "sw/device/silicon_creator/mask_rom/boot_policy_ptrs.h"
+
+namespace mask_rom_test {
+namespace internal {
+
+/**
+ * Mock class for boot_policy_ptrs.h
+ */
+class MockBootPolicyPtrs : public GlobalMock<MockBootPolicyPtrs> {
+ public:
+ MOCK_METHOD(const manifest_t *, ManifestA, ());
+ MOCK_METHOD(const manifest_t *, ManifestB, ());
+};
+
+} // namespace internal
+
+using MockBootPolicyPtrs = testing::StrictMock<internal::MockBootPolicyPtrs>;
+
+extern "C" {
+
+const manifest_t *boot_policy_manifest_a_get() {
+ return MockBootPolicyPtrs::Instance().ManifestA();
+}
+
+const manifest_t *boot_policy_manifest_b_get() {
+ return MockBootPolicyPtrs::Instance().ManifestB();
+}
+
+} // extern "C"
+} // namespace mask_rom_test
+
+#endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_MOCK_BOOT_POLICY_PTRS_H_
diff --git a/sw/device/silicon_creator/mask_rom/mock_romextimage_ptrs.h b/sw/device/silicon_creator/mask_rom/mock_romextimage_ptrs.h
deleted file mode 100644
index 5baca31..0000000
--- a/sw/device/silicon_creator/mask_rom/mock_romextimage_ptrs.h
+++ /dev/null
@@ -1,40 +0,0 @@
-// Copyright lowRISC contributors.
-// Licensed under the Apache License, Version 2.0, see LICENSE for details.
-// SPDX-License-Identifier: Apache-2.0
-
-#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_MOCK_ROMEXTIMAGE_PTRS_H_
-#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_MOCK_ROMEXTIMAGE_PTRS_H_
-
-#include "sw/device/lib/testing/mask_rom_test.h"
-#include "sw/device/silicon_creator/mask_rom/romextimage_ptrs.h"
-
-namespace mask_rom_test {
-namespace internal {
-
-/**
- * Mock class for romextimage_ptrs.h
- */
-class MockRomextimagePtrs : public GlobalMock<MockRomextimagePtrs> {
- public:
- MOCK_METHOD(const manifest_t *, slot_a_manifest_ptr_get, ());
- MOCK_METHOD(const manifest_t *, slot_b_manifest_ptr_get, ());
-};
-
-} // namespace internal
-
-using MockRomextimagePtrs = testing::StrictMock<internal::MockRomextimagePtrs>;
-
-extern "C" {
-
-const manifest_t *romextimage_slot_a_manifest_ptr_get() {
- return MockRomextimagePtrs::Instance().slot_a_manifest_ptr_get();
-}
-
-const manifest_t *romextimage_slot_b_manifest_ptr_get() {
- return MockRomextimagePtrs::Instance().slot_b_manifest_ptr_get();
-}
-
-} // extern "C"
-} // namespace mask_rom_test
-
-#endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_MOCK_ROMEXTIMAGE_PTRS_H_
diff --git a/sw/device/silicon_creator/mask_rom/romextimage.c b/sw/device/silicon_creator/mask_rom/romextimage.c
deleted file mode 100644
index 5ab9a63..0000000
--- a/sw/device/silicon_creator/mask_rom/romextimage.c
+++ /dev/null
@@ -1,31 +0,0 @@
-// Copyright lowRISC contributors.
-// Licensed under the Apache License, Version 2.0, see LICENSE for details.
-// SPDX-License-Identifier: Apache-2.0
-
-#include "sw/device/silicon_creator/mask_rom/romextimage.h"
-
-#include "sw/device/silicon_creator/lib/error.h"
-#include "sw/device/silicon_creator/mask_rom/romextimage_ptrs.h"
-
-rom_error_t romextimage_manifest_get(flash_slot_t slot,
- const manifest_t **manifest) {
- const manifest_t *ptr;
- switch (slot) {
- case kFlashSlotA:
- ptr = romextimage_slot_a_manifest_ptr_get();
- break;
- case kFlashSlotB:
- ptr = romextimage_slot_b_manifest_ptr_get();
- break;
- default:
- return kErrorRomextimageInvalidArgument;
- }
- if (ptr->identifier != kRomextimageManifestIdentifier) {
- return kErrorRomextimageInternal;
- }
- *manifest = ptr;
- return kErrorOk;
-}
-
-extern const manifest_t *romextimage_slot_a_manifest_ptr_get(void);
-extern const manifest_t *romextimage_slot_b_manifest_ptr_get(void);
diff --git a/sw/device/silicon_creator/mask_rom/romextimage.h b/sw/device/silicon_creator/mask_rom/romextimage.h
deleted file mode 100644
index b5f0578..0000000
--- a/sw/device/silicon_creator/mask_rom/romextimage.h
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright lowRISC contributors.
-// Licensed under the Apache License, Version 2.0, see LICENSE for details.
-// SPDX-License-Identifier: Apache-2.0
-
-#ifndef OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_ROMEXTIMAGE_H_
-#define OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_ROMEXTIMAGE_H_
-
-#include "sw/device/silicon_creator/lib/error.h"
-#include "sw/device/silicon_creator/lib/manifest.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif // __cplusplus
-
-/**
- * Type alias for the ROM_EXT entry point.
- *
- * The entry point address obtained from the ROM_EXT manifest must be cast to a
- * pointer to this type before being called.
- */
-typedef void romextimage_entry_point(void);
-
-enum {
- /**
- * ROM_EXT manifest identifier (ASCII "OTRE").
- */
- kRomextimageManifestIdentifier = 0x4552544f,
-};
-
-/**
- * Gets the manifest of the ROM_EXT image in the given slot.
- *
- * This function also checks that the manifest's identifier field has the
- * expected value.
- *
- * @param slot A flash slot.
- * @param[out] The manifest of the ROM_EXT image in the given slot.
- * @return The result of the operation.
- */
-rom_error_t romextimage_manifest_get(flash_slot_t slot,
- const manifest_t **manifest);
-
-#ifdef __cplusplus
-} // extern "C"
-#endif // __cplusplus
-
-#endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_MASK_ROM_ROMEXTIMAGE_H_
diff --git a/sw/device/silicon_creator/mask_rom/romextimage_unittest.cc b/sw/device/silicon_creator/mask_rom/romextimage_unittest.cc
deleted file mode 100644
index 725a222..0000000
--- a/sw/device/silicon_creator/mask_rom/romextimage_unittest.cc
+++ /dev/null
@@ -1,61 +0,0 @@
-// Copyright lowRISC contributors.
-// Licensed under the Apache License, Version 2.0, see LICENSE for details.
-// SPDX-License-Identifier: Apache-2.0
-
-#include "sw/device/silicon_creator/mask_rom/romextimage.h"
-
-#include "gtest/gtest.h"
-#include "sw/device/lib/testing/mask_rom_test.h"
-#include "sw/device/silicon_creator/lib/error.h"
-#include "sw/device/silicon_creator/mask_rom/mock_romextimage_ptrs.h"
-
-namespace manifest_unittest {
-namespace {
-using ::testing::Return;
-
-class RomExtImage : public mask_rom_test::MaskRomTest {
- protected:
- mask_rom_test::MockRomextimagePtrs romextimage_ptrs_;
- manifest_t manifest_{};
-};
-
-TEST_F(RomExtImage, ManifestGet) {
- const manifest_t *act_manifest;
- manifest_.identifier = kRomextimageManifestIdentifier;
-
- EXPECT_CALL(romextimage_ptrs_, slot_a_manifest_ptr_get)
- .WillOnce(Return(&manifest_));
- EXPECT_EQ(romextimage_manifest_get(kFlashSlotA, &act_manifest), kErrorOk);
- EXPECT_EQ(act_manifest, &manifest_);
-
- act_manifest = nullptr;
- EXPECT_CALL(romextimage_ptrs_, slot_b_manifest_ptr_get)
- .WillOnce(Return(&manifest_));
- EXPECT_EQ(romextimage_manifest_get(kFlashSlotB, &act_manifest), kErrorOk);
- EXPECT_EQ(act_manifest, &manifest_);
-}
-
-TEST_F(RomExtImage, ManifestGetBadIdentifier) {
- const manifest_t *act_manifest;
-
- EXPECT_CALL(romextimage_ptrs_, slot_a_manifest_ptr_get)
- .WillOnce(Return(&manifest_));
- EXPECT_EQ(romextimage_manifest_get(kFlashSlotA, &act_manifest),
- kErrorRomextimageInternal);
-
- EXPECT_CALL(romextimage_ptrs_, slot_b_manifest_ptr_get)
- .WillOnce(Return(&manifest_));
- EXPECT_EQ(romextimage_manifest_get(kFlashSlotB, &act_manifest),
- kErrorRomextimageInternal);
-}
-
-TEST_F(RomExtImage, ManifestGetBadSlot) {
- const manifest_t *act_manifest;
-
- EXPECT_EQ(romextimage_manifest_get(static_cast<flash_slot_t>(kFlashSlotB + 1),
- &act_manifest),
- kErrorRomextimageInvalidArgument);
-}
-
-} // namespace
-} // namespace manifest_unittest
