3.8 CRC-32 Code Validation

Cyclic Redundancy Check is a way to do error detection and correction. I have already met CRC when dealing with the DS18B20 sensor where CRC-8 is used during the scratchpad 9 bytes transmission.

The STM32 CRC calculation unit has the following default characteristic:

POLY32 is 0x04C11DB7.
Initialisation 0xFFFFFFFF.
High bit first (left shift).
32 bit word input, little endian.

I don't plan to write a self-signing executable, so on top of the STM32 startup code validation, I will also write a sign32 command to sign binary files during build.

Implementation Steps

Update stm32f030xx.h with the CRC calculation unit definitions.
Update startup with `check_flash()` to be tested before `init()` is called.
Update generic.ld with a new section used as placeholder for the CRC sum at the end of the flashable content.
Write `sign32` command to sign a binary file.
Update Makefile to sign the binary executable and create an intel hex version out of it.

1. stm32f030xx.h

The CRC calculation unit is on the AHB bus and its clock need to be enabled before use.

#define RCC_AHBENR_CRCEN        (1 << 6)    /*  6: CRC clock enable */

I will make use of the default setup so I only need to refer to the Data Register and the Control Register. I create all register definitions as there is a gap in the memory layout.

#define CRC             ((volatile unsigned *) 0x40023000)
#define CRC_DR          CRC[ 0]
#define CRC_IDR         CRC[ 1]
#define CRC_CR          CRC[ 2]
#define CRC_INIT        CRC[ 4]

2. startup.crc.c

I make a copy of startup.ram.c into startup.crc.c.

I use conditional compilation, the build option `CRC32SIGN` will be defined in the Makefile.

The constant variable `crcsum` is a placeholder with the hexadecimal value DEADC0DE in byte order. This value will be overriden by the computed CRC value during build. The linker will put `crcsum` at the end of the used FLASH.

`check_flash()` use the CRC calculation unit to compute the CRC value from beginning of FLASH `isr_vector` to end of FLASH `crcsum`. If `crcsum` value is the correct CRC, the computed result will be 0.

#ifdef CRC32SIGN
const unsigned crcsum __attribute__((section(".crc_chk"))) = 0xDEC0ADDE ;

static int check_flash( void) {
    int ret = 0 ;

/* Flash CRC validation */
    RCC_AHBENR |= RCC_AHBENR_CRCEN ;  /* Enable CRC periph */
    CRC_CR = 1 ;                      /* Reset */
    if( CRC_DR == 0xFFFFFFFF) {       /* CRC periph is alive and resetted */
        const unsigned *wp = (const unsigned *) isr_vector ;
        while( wp <= &crcsum)
            CRC_DR = *wp++ ;

        ret = CRC_DR == 0 ;
    }

    RCC_AHBENR &= ~RCC_AHBENR_CRCEN ; /* Disable CRC periph */
    return ret ;
}
#endif

Flash content is checked before calling `init()`. This means the check is done using the default clock setup of HSI 8 MHz.

    if(
#ifdef CRC32SIGN
      check_flash() &&
#endif
      init() == 0)
        main() ;

3. generic.ld

I add a new section to hold the CRC value placeholder. This needs to be DWORD aligned and at the end of the used FLASH area.

    .crc __etext + SIZEOF(.data) :
    {
        KEEP(*(.crc_chk))
    } > FLASH

4. sign32

The command `sign32` creates a signed.bin file from it's input file specified as parameter.

$ touch empty.bin

$ ./sign32 empty.bin
FFFFFFFF empty.bin: 0, signed.bin: 4

If the input file is already signed, the output signed.bin is identical to the input.

$ mv signed.bin FFFFFFFF.bin

$ ./sign32 FFFFFFFF.bin
00000000 FFFFFFFF.bin: 4, signed.bin: 4

Padding with null is done on the input to insure the calculation is DWORD aligned.

$ echo > nl.bin

$ ./sign32 nl.bin
E88E0BAD nl.bin: 1, signed.bin: 8

$ hexdump -C signed.bin
00000000  0a 00 00 00 ad 0b 8e e8                           |........|
00000008

Calculation stops when the placeholder DEADC0DE is found or the end of the input file is reached.

I create a folder crc32/ for sign32.c and its Makefile.

The core of sign32.c is customizable to do CRC calculation bitwise, unrolled bitwise, tablewise or to generate the CRC table.

5. Makefile

The build option `CRC32SIGN` controls the signature of the binary file and the generation of the intel hex version from the signed binary using `objcopy`.

# build options
CRC32SIGN := 1

ifdef CRC32SIGN
 CDEFINES += -DCRC32SIGN=$(CRC32SIGN)
endif

%.$(BINLOC).bin: %.elf
    @echo $@
    $(OBJCOPY) -O binary $< $@
ifdef CRC32SIGN
    crc32/sign32 $@
    mv signed.bin $@

%.hex: %.$(BINLOC).bin
    @echo $@
    $(OBJCOPY) --change-address=$(BINLOC) -I binary -O ihex $< $@
endif

Building and testing

If I build an executable, I can see that the binary file is CRC-32 signed. In the example below, the CRC-32 signature is 0xBC689506 and the total binary image is 2680 bytes long.

$ make
f030f4.elf
Memory region         Used Size  Region Size  %age Used
           FLASH:        2680 B        16 KB     16.36%
             RAM:          24 B         4 KB      0.59%
   text    data     bss     dec     hex filename
   2673       4      20    2697     a89 f030f4.elf
f030f4.0x08000000.bin
crc32/sign32 f030f4.0x08000000.bin
BC689506 f030f4.0x08000000.bin: 2676, signed.bin: 2680
mv signed.bin f030f4.0x08000000.bin
f030f4.hex

I can double check that the value at the end of the binary file matches.

$ hexdump -C f030f4.0x08000000.bin | tail
000009f0  01 46 63 46 52 41 5b 10  10 46 01 d3 40 42 00 2b  |.FcFRA[..F..@B.+|
00000a00  00 d5 49 42 70 47 63 46  5b 10 00 d3 40 42 01 b5  |..IBpGcF[...@B..|
00000a10  00 20 00 f0 05 f8 02 bd  00 29 f8 d0 16 e7 70 47  |. .......)....pG|
00000a20  70 47 c0 46 50 4c 4c 48  53 49 0a 00 20 25 64 20  |pG.FPLLHSI.. %d |
00000a30  25 73 25 73 00 75 70 00  77 65 65 6b 00 64 61 79  |%s%s.up.week.day|
00000a40  00 68 6f 75 72 00 6d 69  6e 75 74 65 00 73 65 63  |.hour.minute.sec|
00000a50  6f 6e 64 00 30 31 32 33  34 35 36 37 38 39 41 42  |ond.0123456789AB|
00000a60  43 44 45 46 00 00 20 2b  2b 10 0a 02 08 00 00 00  |CDEF.. ++.......|
00000a70  ef 00 00 00 06 95 68 bc                           |......h.|
00000a78

I can flash the resulting intel hex file and see that it executes.

$ stm32flash -x f030f4.hex COM3
stm32flash 0.6-patch-hex

http://stm32flash.sourceforge.net/

Using Parser : Intel HEX
Location     : 0x8000000
Size         : 2680
Interface serial_w32: 57600 8E1
Version      : 0x31
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0444 (STM32F03xx4/6)
- RAM        : Up to 4KiB  (2048b reserved by bootloader)
- Flash      : Up to 32KiB (size first sector: 4x1024)
- Option RAM : 16b
- System RAM : 3KiB
Write to memory
Erasing memory
Wrote address 0x08000a78 (100.00%) Done.

Starting execution at address 0x08000000... done.

I can use stm32flash to compute the CRC-32 checksum on the first 2680 bytes of FLASH, the result is 0 as this covers both the payload AND the CRC-32 checksum value.

$ stm32flash -C -S 0x08000000:2680 COM3
stm32flash 0.6-patch-hex

http://stm32flash.sourceforge.net/

Interface serial_w32: 57600 8E1
Version      : 0x31
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0444 (STM32F03xx4/6)
- RAM        : Up to 4KiB  (2048b reserved by bootloader)
- Flash      : Up to 32KiB (size first sector: 4x1024)
- Option RAM : 16b
- System RAM : 3KiB
CRC computation
CRC address 0x08000a78 (100.00%) Done.
CRC(0x08000000-0x08000a78) = 0x00000000

If I ask stm32flash to compute the CRC-32 checksum on the first 2676 bytes (payload excluding CRC-32 checksum value), it returns 0xbc689506, which is the value computed at build time.

$ stm32flash -C -S 0x08000000:2676 COM3
stm32flash 0.6-patch-hex

http://stm32flash.sourceforge.net/

Interface serial_w32: 57600 8E1
Version      : 0x31
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0444 (STM32F03xx4/6)
- RAM        : Up to 4KiB  (2048b reserved by bootloader)
- Flash      : Up to 32KiB (size first sector: 4x1024)
- Option RAM : 16b
- System RAM : 3KiB
CRC computation
CRC address 0x08000a74 (100.00%) Done.
CRC(0x08000000-0x08000a74) = 0xbc689506

Because STM32F030 USART bootloader is v3.1, it doesn't implement the CRC checksum command included in v3.3. This means that in this case stm32flash computes the CRC checksum value on its own. You can check the sources of stm32flash for its implementation of the CRC-32 calculation.

Checkpoint

There is variation in the functionality of the CRC calculation unit among different STM32 chipset family. The check_flash() implementation I just made relying on the default settings for polynomial, initial value, polynomial length and shift direction should be common.

Next, I will use the ADC to read a resistor value.