update: propagate encrypt key persist errors

Author: danielinux

src/update_flash.c

@@ -426,6 +426,7 @@ static int RAMFUNCTION wolfBoot_swap_and_final_erase(int resume)
     struct wolfBoot_image update[1];
     struct wolfBoot_image swap[1];
     uint8_t updateState = IMG_STATE_NEW;
+    int ret = 0;
     int eraseLen = (WOLFBOOT_SECTOR_SIZE
 #ifdef NVM_FLASH_WRITEONCE /* need to erase the redundant sector too */
         * 2
@@ -499,8 +500,16 @@ static int RAMFUNCTION wolfBoot_swap_and_final_erase(int resume)
 
 #ifdef EXT_ENCRYPTED
     /* Initialize encryption with the saved key */
-    wolfBoot_set_encrypt_key((uint8_t*)tmpBuffer,
-            (uint8_t*)&tmpBuffer[ENCRYPT_KEY_SIZE/sizeof(uint32_t)]);
+    ret = wolfBoot_set_encrypt_key((uint8_t*)tmpBuffer,
+        (uint8_t*)&tmpBuffer[ENCRYPT_KEY_SIZE / sizeof(uint32_t)]);
+    if (ret != 0) {
+#ifdef EXT_FLASH
+        ext_flash_lock();
+#endif
+        hal_flash_lock();
+        wolfBoot_zeroize(tmpBuffer, sizeof(tmpBuffer));
+        return ret;
+    }
     /* wolfBoot_set_encrypt_key calls hal_flash_unlock, need to unlock again */
     hal_flash_unlock();
 #endif
@@ -808,6 +817,7 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
     uint32_t total_size = 0;
     const uint32_t sector_size = WOLFBOOT_SECTOR_SIZE;
     uint32_t sector = 0;
+    int ret = 0;
     /* we need to pre-set flag to SECT_FLAG_NEW in case magic hasn't been set
      * on the update partition as part of the delta update direction check. if
      * magic has not been set flag will have an un-determined value when we go
@@ -1128,7 +1138,9 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
 #if !defined(CUSTOM_PARTITION_TRAILER)
     /* start re-entrant final erase, return code is only for resumption in
      * wolfBoot_start */
-    wolfBoot_swap_and_final_erase(0);
+    ret = wolfBoot_swap_and_final_erase(0);
+    if (ret != 0)
+        return ret;
 #ifndef DISABLE_BACKUP
     if (rollback_needed) {
         hal_flash_unlock();
@@ -1205,16 +1217,19 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
 
     /* Save the encryption key after swapping */
 #ifdef EXT_ENCRYPTED
-    wolfBoot_set_encrypt_key(key, nonce);
+    ret = wolfBoot_set_encrypt_key(key, nonce);
     wolfBoot_zeroize(key, sizeof(key));
     wolfBoot_zeroize(nonce, sizeof(nonce));
+    if (ret != 0)
+        goto out;
 #endif
 #endif /* DISABLE_BACKUP */
+out:
 #ifdef EXT_ENCRYPTED
     /* Make sure we leave the global IV offset in its normal state. */
     wolfBoot_enable_fallback_iv(0);
 #endif
-    return 0;
+    return ret;
 }
 #ifdef __CCRX__
 #pragma section

tools/unit-tests/unit-update-flash.c

@@ -56,6 +56,9 @@ static int add_payload_type(uint8_t part, uint32_t version, uint32_t size,
     uint16_t img_type);
 
 #ifdef CUSTOM_ENCRYPT_KEY
+static int mock_set_encrypt_key_ret = 0;
+static int mock_set_encrypt_key_calls = 0;
+
 int wolfBoot_get_encrypt_key(uint8_t *k, uint8_t *nonce)
 {
     int i;
@@ -72,7 +75,8 @@ int wolfBoot_set_encrypt_key(const uint8_t *key, const uint8_t *nonce)
 {
     (void)key;
     (void)nonce;
-    return 0;
+    mock_set_encrypt_key_calls++;
+    return mock_set_encrypt_key_ret;
 }
 
 int wolfBoot_erase_encrypt_key(void)
@@ -133,6 +137,8 @@ int hal_flash_protect(haladdr_t address, int len)
 static void reset_mock_stats(void)
 {
     wolfBoot_staged_ok = 0;
+    mock_set_encrypt_key_ret = 0;
+    mock_set_encrypt_key_calls = 0;
 #ifndef ARCH_SIM
     wolfBoot_panicked = 0;
 #endif
@@ -520,6 +526,38 @@ START_TEST (test_fallback_image_verification_rejects_corruption)
     cleanup_flash();
 }
 END_TEST
+
+START_TEST (test_final_swap_propagates_encrypt_key_persist_failure)
+{
+    int ret;
+    int erase_len = WOLFBOOT_SECTOR_SIZE;
+    uintptr_t tmp_boot_pos = WOLFBOOT_PARTITION_SIZE - erase_len -
+        WOLFBOOT_SECTOR_SIZE;
+    uint32_t tmp_buffer[TRAILER_OFFSET_WORDS + 1];
+
+    reset_mock_stats();
+    prepare_flash();
+
+    add_payload(PART_BOOT, 1, TEST_SIZE_SMALL);
+    add_payload(PART_UPDATE, 2, TEST_SIZE_SMALL);
+
+    memset(tmp_buffer, 0, sizeof(tmp_buffer));
+    tmp_buffer[TRAILER_OFFSET_WORDS] = WOLFBOOT_MAGIC_TRAIL;
+
+    hal_flash_unlock();
+    hal_flash_write(WOLFBOOT_PARTITION_BOOT_ADDRESS + tmp_boot_pos,
+        (const uint8_t *)tmp_buffer, sizeof(tmp_buffer));
+    hal_flash_lock();
+
+    mock_set_encrypt_key_ret = -5;
+    ret = wolfBoot_swap_and_final_erase(1);
+
+    ck_assert_int_eq(ret, -5);
+    ck_assert_int_eq(mock_set_encrypt_key_calls, 1);
+
+    cleanup_flash();
+}
+END_TEST
 #endif
 
 START_TEST (test_sunnyday_noupdate)
@@ -973,6 +1011,7 @@ Suite *wolfboot_suite(void)
 #ifdef UNIT_TEST_FALLBACK_ONLY
 #ifdef EXT_ENCRYPTED
     tcase_add_test(fallback_verify, test_fallback_image_verification_rejects_corruption);
+    tcase_add_test(fallback_verify, test_final_swap_propagates_encrypt_key_persist_failure);
     suite_add_tcase(s, fallback_verify);
 #endif
     return s;
@@ -1009,6 +1048,7 @@ Suite *wolfboot_suite(void)
 #endif
 #ifdef EXT_ENCRYPTED
     tcase_add_test(fallback_verify, test_fallback_image_verification_rejects_corruption);
+    tcase_add_test(fallback_verify, test_final_swap_propagates_encrypt_key_persist_failure);
 #endif
 
     suite_add_tcase(s, empty_panic);