Debug box: Do not reboot by default

The `debug_halt_error` handler should not implicitly infer a reboot of
the system.

The debug box handler can reboot, if it thinks it's necessary. The newly
introduced vIRQ_SystemReset API can be used for this purpose.

By default, the debug handler will trigger a call to `uvisor_error`, a
user-level API to trigger a halt. The halt will have the newly
introduced reason `DEBUG_BOX_HALT`.

Author: AlessandroA

api/inc/halt_exports.h

@@ -29,6 +29,7 @@
 
 typedef enum {
     USER_NOT_ALLOWED = 1,
+    DEBUG_BOX_HALT,
 } THaltUserError;
 
 typedef enum {

core/debug/src/debug.c

@@ -156,20 +156,15 @@ void debug_fault(THaltError reason, uint32_t lr, uint32_t sp)
     DEBUG_PRINT_END();
 }
 
-static void __debug_reboot(void)
+static void debug_die(void)
 {
-    UVISOR_SVC(UVISOR_SVC_ID_DEBUG_REBOOT, "");
+    UVISOR_SVC(UVISOR_SVC_ID_HALT_USER_ERR, "", DEBUG_BOX_HALT);
 }
 
-/* This function must be called as an SVCall handler.
- * All debug handlers that are required to reboot upon exit should use the
- * __debug_reboot function as return value, which triggers the SVCall. This note
- * applies to uVisor internally, as the actual debug box does not need to care
- * about this. */
+/* FIXME: The halt will be replaced with a proper return code. An ACL will be
+ *        created to allow single boxes to reset the device. */
 void debug_reboot(void)
 {
-    /* FIXME: The halt will be replaced with a proper return code. An ACL will
-     *        be created to allow single boxes to reset the device. */
     if (!g_debug_box.initialized || g_active_box != g_debug_box.box_id) {
         HALT_ERROR(NOT_ALLOWED, "This function can only be called from the context of an initialized debug box.\n\r");
     }
@@ -180,8 +175,7 @@ void debug_reboot(void)
 }
 
 /* FIXME: Currently it is not possible to return to a regular execution flow
- *        after the execution of the debug box handler. It is possible to
- *        reboot, though. */
+ *        after the execution of the debug box handler. */
 static void debug_deprivilege_and_return(void * debug_handler, void * return_handler,
                                          uint32_t a0, uint32_t a1, uint32_t a2, uint32_t a3)
 {
@@ -230,7 +224,7 @@ void debug_halt_error(THaltError reason)
     /* If the debug box does not exist (or it has not been initialized yet), or
      * the debug box was already called once, just loop forever. */
     if (!g_debug_box.initialized || debugged_once_before) {
-        while(1);
+        while (1);
     } else {
         /* Remember that debug_deprivilege_and_return() has been called once.
          * We'll reboot after the debug handler is run, so this will go back to
@@ -239,8 +233,8 @@ void debug_halt_error(THaltError reason)
 
         /* The following arguments are passed to the destination function:
          *   1. reason
-         * Upon return from the debug handler, the system will reboot. */
-        debug_deprivilege_and_return(g_debug_box.driver->halt_error, __debug_reboot, reason, 0, 0, 0);
+         * Upon return from the debug handler, we will die. */
+        debug_deprivilege_and_return(g_debug_box.driver->halt_error, debug_die, reason, 0, 0, 0);
     }
 }