Merge pull request #745 from danielinux/fixes-20260408

Fixes 20260408

Author: dgarske

.gitignore

@@ -86,6 +86,7 @@ tools/keytools/Debug
 tools/keytools/Release
 tools/keytools/otp/otp-keystore-primer
 
+
 # delta binaries
 tools/delta/bmdiff
 tools/delta/bmpatch
@@ -176,6 +177,10 @@ tools/unit-tests/unit-hal-otp
 tools/unit-tests/unit-rot-auth
 tools/unit-tests/unit-sdhci-response-bits
 tools/unit-tests/unit-tpm-check-rot-auth
+tools/unit-tests/unit-policy-create
+tools/unit-tests/unit-sign-encrypted-output
+tools/unit-tests/unit-update-flash-delta
+tools/unit-tests/unit-update-flash-self-update
 
 
 

CMakeLists.txt

@@ -747,7 +747,20 @@ if(ARCH STREQUAL "AARCH64")
 
 endif()
 
+if(NOT DEFINED WOLFBOOT_ORIGIN)
+    set(WOLFBOOT_ORIGIN ${ARCH_FLASH_OFFSET})
+endif()
+
+if(NOT DEFINED BOOTLOADER_PARTITION_SIZE)
+    math(EXPR BOOTLOADER_PARTITION_SIZE
+        "${WOLFBOOT_PARTITION_BOOT_ADDRESS} - ${ARCH_FLASH_OFFSET}"
+        OUTPUT_FORMAT HEXADECIMAL)
+endif()
+
 list(APPEND WOLFBOOT_DEFS ARCH_FLASH_OFFSET=${ARCH_FLASH_OFFSET})
+list(APPEND WOLFBOOT_DEFS
+    WOLFBOOT_ORIGIN=${WOLFBOOT_ORIGIN}
+    BOOTLOADER_PARTITION_SIZE=${BOOTLOADER_PARTITION_SIZE})
 
 if(${WOLFBOOT_TARGET} STREQUAL "x86_64_efi")
     if(NOT DEFINED GNU_EFI_LIB_PATH)
@@ -1139,7 +1152,7 @@ if(TZEN)
     endif()
 endif()
 
-target_sources(wolfboothal PRIVATE include/hal.h hal/${WOLFBOOT_TARGET}.c ${WOLFBOOT_FLASH_SOURCES}
+target_sources(wolfboothal PRIVATE include/hal.h hal/hal.c hal/${WOLFBOOT_TARGET}.c ${WOLFBOOT_FLASH_SOURCES}
                                    ${PARTITION_SOURCE} ${WOLFBOOT_TZ_HAL_SOURCES})
 
 

docs/compile.md

@@ -193,7 +193,9 @@ To circumvent the compile-time checks on the maximum allowed stack size, use `WO
 
 Optionally, it is possible to disable the backup copy of the current running firmware upon the installation of the
 update. This implies that no fall-back mechanism is protecting the target from a faulty firmware installation, but may be useful
-in some cases where it is not possible to write on the update partition from the bootloader.
+in some cases where it is not possible to write on the update partition from the bootloader. This also removes the
+power-fail-safe swap behavior: if power is lost while the update is being copied into the BOOT partition, the original
+firmware may already be partially overwritten and the device can be left unrecoverable.
 The associated compile-time option is
 
 `DISABLE_BACKUP=1`

hal/hal.c

@@ -281,6 +281,13 @@ int hal_flash_test_dualbank(void)
 
 #endif /* TEST_FLASH */
 
+WEAKFUNCTION int RAMFUNCTION hal_flash_protect(haladdr_t address, int len)
+{
+    (void)address;
+    (void)len;
+    return 0;
+}
+
 WEAKFUNCTION int hal_uds_derive_key(uint8_t *out, size_t out_len)
 {
     (void)out;

hal/nrf5340.c

@@ -827,7 +827,7 @@ void hal_init(void)
 
 #ifdef __WOLFBOOT
 /* enable write protection for the region of flash specified */
-int hal_flash_protect(uint32_t start, uint32_t len)
+int RAMFUNCTION hal_flash_protect(haladdr_t start, int len)
 {
     /* only application core supports SPU */
 #ifdef TARGET_nrf5340_app
@@ -884,14 +884,6 @@ static void periph_unsecure()
 
 void hal_prepare_boot(void)
 {
-    /* Write protect bootloader region of flash.
-     * Not needed in TrustZone configs because the application
-     * runs in non-secure mode and the bootloader partition is marked as
-     * secure. */
-#ifndef TZEN
-    hal_flash_protect(WOLFBOOT_ORIGIN, BOOTLOADER_PARTITION_SIZE);
-#endif
-
     if (enableShm) {
     #ifdef TARGET_nrf5340_net
         if (doUpdateNet) {

hal/skeleton.c

@@ -34,6 +34,12 @@ void hal_init(void)
 
 void hal_prepare_boot(void)
 {
+    /* wolfBoot calls hal_flash_protect() before this hook.
+     * Override int hal_flash_protect(haladdr_t address, int len) to lock
+     * the bootloader region on targets that support runtime write
+     * protection. Return 0 on success or a negative value on failure, and
+     * use this hook only for any remaining platform-specific handoff work.
+     */
 }
 
 #endif
@@ -55,4 +61,3 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
 {
     return 0; /* on success. */
 }
-

include/hal.h

@@ -87,6 +87,11 @@ uint64_t hal_get_timer_us(void);
 #endif
 void hal_flash_unlock(void);
 void hal_flash_lock(void);
+/*
+ * Lock the flash region [address, address + len) against writes.
+ * Return 0 on success, or a negative value on failure.
+ */
+int hal_flash_protect(haladdr_t address, int len);
 void hal_prepare_boot(void);
 
 #ifdef DUALBANK_SWAP

include/image.h

@@ -166,7 +166,7 @@ struct wolfBoot_image {
  * With ARMORED setup, the flag is redundant, and the information is wrapped in
  * between canary variables, to mitigate attacks based on memory corruptions.
  */
-static void __attribute__((noinline)) wolfBoot_image_confirm_signature_ok(
+static void NOINLINEFUNCTION wolfBoot_image_confirm_signature_ok(
     struct wolfBoot_image *img)
 {
     img->canary_FEED4567 = 0xFEED4567UL;
@@ -176,7 +176,7 @@ static void __attribute__((noinline)) wolfBoot_image_confirm_signature_ok(
     img->canary_FEED89AB = 0xFEED89ABUL;
 }
 
-static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
+static void NOINLINEFUNCTION wolfBoot_image_clear_signature_ok(
 	struct wolfBoot_image *img)
 {
 	img->canary_FEED4567 = 0xFEED4567UL;
@@ -424,7 +424,8 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
         asm volatile("mov r0, #50":::"r0"); \
         asm volatile("mov r0, #50":::"r0"); \
         asm volatile("mov r0, #50":::"r0"); \
-        compare_res = XMEMCMP(digest, img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE); \
+        compare_res = image_CT_compare(digest, img->sha_hash, \
+            WOLFBOOT_SHA_DIGEST_SIZE); \
         /* Redundant checks that ensure the function actually returned 0 */ \
         asm volatile("cmp r0, #0":::"cc"); \
         asm volatile("cmp r0, #0":::"cc"); \
@@ -442,8 +443,9 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
         asm volatile("cmp r0, #0":::"cc"); \
         asm volatile("cmp r0, #0":::"cc"); \
         asm volatile("bne hnope"); \
-        /* Repeat memcmp call */ \
-        compare_res = XMEMCMP(digest, img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE); \
+        /* Repeat comparison call */ \
+        compare_res = image_CT_compare(digest, img->sha_hash, \
+            WOLFBOOT_SHA_DIGEST_SIZE); \
         compare_res; \
         /* Redundant checks that ensure the function actually returned 0 */ \
         asm volatile("cmp r0, #0":::"cc"); \
@@ -1234,7 +1236,7 @@ static void UNUSEDFUNCTION wolfBoot_image_clear_signature_ok(
     ret = fn(__VA_ARGS__);
 
 #define RSA_VERIFY_HASH(img,digest) \
-    if (XMEMCMP(img->sha_hash, digest, WOLFBOOT_SHA_DIGEST_SIZE) == 0) \
+    if (image_CT_compare(img->sha_hash, digest, WOLFBOOT_SHA_DIGEST_SIZE) == 0) \
         wolfBoot_image_confirm_signature_ok(img);
 
 #define PART_SANITY_CHECK(p) \
@@ -1250,6 +1252,8 @@ static void UNUSEDFUNCTION wolfBoot_image_clear_signature_ok(
 #endif
 
 /* Defined in image.c */
+int image_CT_compare(const uint8_t *expected, const uint8_t *actual,
+    uint32_t len);
 int wolfBoot_open_image(struct wolfBoot_image *img, uint8_t part);
 #ifdef EXT_FLASH
 int wolfBoot_open_image_external(struct wolfBoot_image* img, uint8_t part, uint8_t* addr);

include/tpm.h

@@ -79,6 +79,10 @@ int wolfBoot_load_pubkey(const uint8_t* pubkey_hint, WOLFTPM2_KEY* pubKey,
     TPM_ALG_ID* pAlg);
 #endif
 
+#if defined(WOLFBOOT_TPM_KEYSTORE) || defined(WOLFBOOT_TPM_SEAL)
+int wolfBoot_constant_compare(const uint8_t* a, const uint8_t* b, uint32_t len);
+#endif
+
 #ifdef WOLFBOOT_TPM_KEYSTORE
 int wolfBoot_check_rot(int key_slot, uint8_t* pubkey_hint);
 #endif

include/wolfboot/wolfboot.h

@@ -83,6 +83,20 @@ extern "C" {
 #  endif
 #endif
 
+#ifndef NOINLINEFUNCTION
+#  if defined(__has_attribute)
+#    if __has_attribute(noinline)
+#      define NOINLINEFUNCTION __attribute__((noinline))
+#    else
+#      define NOINLINEFUNCTION
+#    endif
+#  elif defined(__GNUC__) || defined(__CC_ARM)
+#    define NOINLINEFUNCTION __attribute__((noinline))
+#  else
+#    define NOINLINEFUNCTION
+#  endif
+#endif
+
 
 /* Helpers for memory alignment */
 #ifndef XALIGNED
@@ -185,6 +199,15 @@ extern "C" {
 #endif
 #endif /* WOLFBOOT_SELF_HEADER */
 
+#if defined(WOLFBOOT_SKIP_BOOT_VERIFY) && !defined(WOLFBOOT_SELF_HEADER)
+#error "WOLFBOOT_SKIP_BOOT_VERIFY requires WOLFBOOT_SELF_HEADER"
+#endif
+
+#if defined(WOLFBOOT_SKIP_BOOT_VERIFY) && \
+    !defined(WOLFBOOT_SELF_UPDATE_MONOLITHIC)
+#error "WOLFBOOT_SKIP_BOOT_VERIFY requires WOLFBOOT_SELF_UPDATE_MONOLITHIC"
+#endif
+
 #ifdef BIG_ENDIAN_ORDER
 #    define WOLFBOOT_MAGIC          0x574F4C46 /* WOLF */
 #    define WOLFBOOT_MAGIC_TRAIL    0x424F4F54 /* BOOT */