19010: bootloaders/riotboot: add tinyUSB DFU support r=benpicco a=gschorcht
### Contribution description
This PR provides
- the tinyUSB DFU and DFU Runtime support and
- the `riotboot_tinyusb_dfu` bootloader that uses the tinyUSB DFU mode to flash new application images.
~This PR includes PR #18983 for now to be compilable.~
### Testing procedure
1. Use any board that supports the `riotboot` and `tinyusb_device` features and flash the bootloader first, for example
```
BOARD=nucleo-f767zi make -C bootloaders/riotboot_tinyusb_dfu flash
```
and check that the `riotboot_tinyusb_dfu` bootloader is in DFU mode:
```
dfu-util --list
```
3. Flash a first application using the following command:
```
FEATURES_REQUIRED=riotboot USEMODULE=tinyusb_dfu BOARD=nucleo-f767zi \
make -C tests/saul PROGRAMMER=dfu-util riotboot/flash-slot0
```
and check that the application starts and is seen as upgradable:
```
dfu-util --list
```
4. Restart the node in bootloader DFU mode by:
```
dfu-util -e
```
Flash a second application, for example
```
FEATURES_REQUIRED=riotboot USEMODULE=tinyusb_dfu BOARD=nucleo-f767zi \
make -C tests/shell PROGRAMMER=dfu-util riotboot/flash-slot1
```
and check that the second application starts and is seen as upgradable:
```
dfu-util --list
```
### Issues/PRs references
~Depends on PR #18983~
19149: SECURITY: Describe that declassification is an option r=benpicco a=chrysn
### Contribution description
Our security policy does not contain provisions for the case when what is reported is not what we consider an actual security issue. As it is described now, everything reported through security@ would go through the full treatment, including a point release.
I'm not sure it belongs in the text itself (as it's more about how security reporters interact with the project than internals), but declassification should IMO be backed at least by 3 maintainers, and no strong NACK.
### Issues/PRs references
#19141 followed that procedure after some chat on it on the maintainers channel. (In the discussion, I proposed declassification, with 2.5 people supporting it and one "I was about to, but can we be sure nobody is using it?" voice).
Co-authored-by: Gunar Schorcht <gunar@schorcht.net>
Co-authored-by: chrysn <chrysn@fsfe.org>
The board reset function can be used on any CDC ACM interface. It is not necessary that the tinyUSB CDC ACM STDIO is used. Therefore, the board reset function is now a feature of the CDC ACM interface that doesn't require any other functionality.
An alternative device configuration descriptor is required if multiple protocols, e.g. CDC ECM and RNDIS, should be used with the same device interface. This commit is a prerequisite for the support of the tinyusb netdev driver.
The commit includes the following changes:
- Remaining CONFIG_* symbols are moved to tinyusb_descriptors.h to be visible in all source files.
- Debug output is added to some descriptor callbacks.
- The conditional definitions of CFG_* symbols are changed to unconditional definitions to ensure that Kconfig CONFIG_* symbols are always used.
If the STM32 MCU does not have an internal D+ pullup and there is no dedicated GPIO on the board to simulate a USB disconnect, the D+ GPIO has to be temporarily configured as an output and pushed down to simulate a disconnect/connect cycle to allow the host to recognize the device. This is done correctly in `cpu/stm32/periph/usbdev_fs.c` but not in the tinyUSB STM32 hardware driver. That is, pressing the RESET button doesn't reset the USB connection.
fixup! pkg/tinyusb: fix reset for STM32 boards without internal D+ pullup
The commit 98478e02fe removed the setting of the CFG_TUD_MAX_SPEED define to OPT_MODE_DEFAULT_SPEED. This setting is usually not required since CFG_TUD_MAX_SPEED is determined from CFG_TUSB_RHPORT{0,1}_MODE. However, this does not work for STM32F429I-DISC1 where the HS port is used via the internal FS-PHY. Therefore the default speed setting is added again.
`CFG_TUD_MAX_SPEED` definition isn't required since tinyUSB derives it from `TUD_RHPORT_MODE` if not defined or uses the maximum speed the MCU supports by default.