
Commit d78c625

committed
update: propagate encrypt key persist errors
1 parent fff5222 commit d78c625

2 files changed

Lines changed: 61 additions & 6 deletions


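--- a/src/update_flash.c
+++ b/src/update_flash.c
@@ -426,6 +426,7 @@ static int RAMFUNCTION wolfBoot_swap_and_final_erase(int resume)
 struct wolfBoot_image update[1];
 struct wolfBoot_image swap[1];
 uint8_t updateState = IMG_STATE_NEW;
+int ret = 0;
 int eraseLen = (WOLFBOOT_SECTOR_SIZE
 #ifdef NVM_FLASH_WRITEONCE /* need to erase the redundant sector too */
 * 2
@@ -499,8 +500,16 @@ static int RAMFUNCTION wolfBoot_swap_and_final_erase(int resume)
 
 #ifdef EXT_ENCRYPTED
 /* Initialize encryption with the saved key */
-wolfBoot_set_encrypt_key((uint8_t*)tmpBuffer,
-(uint8_t*)&tmpBuffer[ENCRYPT_KEY_SIZE/sizeof(uint32_t)]);
+ret = wolfBoot_set_encrypt_key((uint8_t*)tmpBuffer,
+(uint8_t*)&tmpBuffer[ENCRYPT_KEY_SIZE / sizeof(uint32_t)]);
+if (ret != 0) {
+#ifdef EXT_FLASH
+ext_flash_lock();
+#endif
+hal_flash_lock();
+wolfBoot_zeroize(tmpBuffer, sizeof(tmpBuffer));
+return ret;
+}
 /* wolfBoot_set_encrypt_key calls hal_flash_unlock, need to unlock again */
 hal_flash_unlock();
 #endif
@@ -808,6 +817,7 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
 uint32_t total_size = 0;
 const uint32_t sector_size = WOLFBOOT_SECTOR_SIZE;
 uint32_t sector = 0;
+int ret = 0;
 /* we need to pre-set flag to SECT_FLAG_NEW in case magic hasn't been set
 * on the update partition as part of the delta update direction check. if
 * magic has not been set flag will have an un-determined value when we go
@@ -1128,7 +1138,9 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
 #if !defined(CUSTOM_PARTITION_TRAILER)
 /* start re-entrant final erase, return code is only for resumption in
 * wolfBoot_start */
-wolfBoot_swap_and_final_erase(0);
+ret = wolfBoot_swap_and_final_erase(0);
+if (ret != 0)
+return ret;
 #ifndef DISABLE_BACKUP
 if (rollback_needed) {
 hal_flash_unlock();
@@ -1205,16 +1217,19 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
 
 /* Save the encryption key after swapping */
 #ifdef EXT_ENCRYPTED
-wolfBoot_set_encrypt_key(key, nonce);
+ret = wolfBoot_set_encrypt_key(key, nonce);
 wolfBoot_zeroize(key, sizeof(key));
 wolfBoot_zeroize(nonce, sizeof(nonce));
+if (ret != 0)
+goto out;
 #endif
 #endif /* DISABLE_BACKUP */
+out:
 #ifdef EXT_ENCRYPTED
 /* Make sure we leave the global IV offset in its normal state. */
 wolfBoot_enable_fallback_iv(0);
 #endif
-return 0;
+return ret;
 }
 #ifdef __CCRX__
 #pragma section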
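Review bot: The early `return ret;` after `wolfBoot_swap_and_final_erase(0)` (new line 1143) bypasses the `out:` block this same commit adds further down, so under `EXT_ENCRYPTED` a key-persist failure there returns without `wolfBoot_enable_fallback_iv(0)` and leaves the global IV offset in whatever state earlier code (outside this hunk) put it in. Since `out:` exists precisely to restore that state on the other key-persist failure path, make this one consistent: `if (ret != 0)` / `goto out;`. That also gives the label a user in builds without `EXT_ENCRYPTED`, where `out:` is otherwise only targeted from inside an `#ifdef EXT_ENCRYPTED` region and may draw an unused-label warning; I cannot see whether the label sits inside the same `#if !defined(CUSTOM_PARTITION_TRAILER)` region, so confirm the jump is legal in every configuration. The comment above the call, `return code is only for resumption in wolfBoot_start`, is now stale because the value is propagated as an error; reword it to `return code is propagated: non-zero means the final swap could not be completed (e.g. the encryption key could not be persisted)`. wolfBoot_update begins before the first hunk of this section.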

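--- a/tools/unit-tests/unit-update-flash.c
+++ b/tools/unit-tests/unit-update-flash.c
@@ -56,6 +56,9 @@ static int add_payload_type(uint8_t part, uint32_t version, uint32_t size,
 uint16_t img_type);
 
 #ifdef CUSTOM_ENCRYPT_KEY
+static int mock_set_encrypt_key_ret = 0;
+static int mock_set_encrypt_key_calls = 0;
+
 int wolfBoot_get_encrypt_key(uint8_t *k, uint8_t *nonce)
 {
 int i;
@@ -72,7 +75,8 @@ int wolfBoot_set_encrypt_key(const uint8_t *key, const uint8_t *nonce)
 {
 (void)key;
 (void)nonce;
-return 0;
+mock_set_encrypt_key_calls++;
+return mock_set_encrypt_key_ret;
 }
 
 int wolfBoot_erase_encrypt_key(void)
@@ -133,6 +137,8 @@ int hal_flash_protect(haladdr_t address, int len)
 static void reset_mock_stats(void)
 {
 wolfBoot_staged_ok = 0;
+mock_set_encrypt_key_ret = 0;
+mock_set_encrypt_key_calls = 0;
 #ifndef ARCH_SIM
 wolfBoot_panicked = 0;
 #endif
@@ -520,6 +526,38 @@ START_TEST (test_fallback_image_verification_rejects_corruption)
 cleanup_flash();
 }
 END_TEST
+
+START_TEST (test_final_swap_propagates_encrypt_key_persist_failure)
+{
+int ret;
+int erase_len = WOLFBOOT_SECTOR_SIZE;
+uintptr_t tmp_boot_pos = WOLFBOOT_PARTITION_SIZE - erase_len -
+WOLFBOOT_SECTOR_SIZE;
+uint32_t tmp_buffer[TRAILER_OFFSET_WORDS + 1];
+
+reset_mock_stats();
+prepare_flash();
+
+add_payload(PART_BOOT, 1, TEST_SIZE_SMALL);
+add_payload(PART_UPDATE, 2, TEST_SIZE_SMALL);
+
+memset(tmp_buffer, 0, sizeof(tmp_buffer));
+tmp_buffer[TRAILER_OFFSET_WORDS] = WOLFBOOT_MAGIC_TRAIL;
+
+hal_flash_unlock();
+hal_flash_write(WOLFBOOT_PARTITION_BOOT_ADDRESS + tmp_boot_pos,
+(const uint8_t *)tmp_buffer, sizeof(tmp_buffer));
+hal_flash_lock();
+
+mock_set_encrypt_key_ret = -5;
+ret = wolfBoot_swap_and_final_erase(1);
+
+ck_assert_int_eq(ret, -5);
+ck_assert_int_eq(mock_set_encrypt_key_calls, 1);
+
+cleanup_flash();
+}
+END_TEST
 #endif
 
 START_TEST (test_sunnyday_noupdate)
@@ -973,6 +1011,7 @@ Suite *wolfboot_suite(void)
 #ifdef UNIT_TEST_FALLBACK_ONLY
 #ifdef EXT_ENCRYPTED
 tcase_add_test(fallback_verify, test_fallback_image_verification_rejects_corruption);
+tcase_add_test(fallback_verify, test_final_swap_propagates_encrypt_key_persist_failure);
 suite_add_tcase(s, fallback_verify);
 #endif
 return s;
@@ -1009,6 +1048,7 @@ Suite *wolfboot_suite(void)
 #endif
 #ifdef EXT_ENCRYPTED
 tcase_add_test(fallback_verify, test_fallback_image_verification_rejects_corruption);
+tcase_add_test(fallback_verify, test_final_swap_propagates_encrypt_key_persist_failure);
 #endif
 
 suite_add_tcase(s, empty_panic);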
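Review bot: `mock_set_encrypt_key_ret` and `mock_set_encrypt_key_calls` are declared inside the `#ifdef CUSTOM_ENCRYPT_KEY` block (new lines 59–60), but `reset_mock_stats()` clears them unconditionally (new lines 140–141); unless that function is itself inside the same guard — its surroundings are outside the hunk — a build with `EXT_ENCRYPTED` but without `CUSTOM_ENCRYPT_KEY` no longer compiles, even though the new test is registered under `#ifdef EXT_ENCRYPTED` alone. Either wrap the two reset lines in `#ifdef CUSTOM_ENCRYPT_KEY` / `#endif` or move the two statics out of that block so they exist whenever the test does. The test pins only the return code and the call count; if the mock HAL tracks lock state, add an assertion after the call that the flash is locked again, since re-locking before returning is the main thing the new error path in `wolfBoot_swap_and_final_erase` is responsible for. The sentinel `-5` works, but a named constant such as `MOCK_KEY_PERSIST_ERR` used in both the setup and the assertion would make the intent self-explanatory.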
