Merge pull request #521 from danielinux/build-keytools-windows

Remove compile-time dependencies from key tools
pull/525/head
Brett Nicholas 2024-12-05 16:56:42 -07:00 committed by GitHub
commit 21a4082952
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
56 changed files with 575 additions and 632 deletions


@ -0,0 +1,38 @@
name: Build Windows Keytools executables
on:
push:
branches:
- master
pull_request:
branches: [ '*' ]
jobs:
build-windows:
runs-on: windows-latest
steps:
# Step 1: Checkout the repository
- name: Checkout Code
uses: actions/checkout@v3
with:
submodules: true
# Step 2: Setup MSBuild
- name: Setup MSBuild
uses: microsoft/setup-msbuild@v1
# Step 3: Build the solution
- name: Build Solution
shell: cmd
run: |
echo #define WOLFBOOT_SECTOR_SIZE 1024 > include\target.h
MSBuild.exe tools\keytools\wolfBootKeyTools.sln /m /p:Configuration=Release /p:Platform="x64"
# Step 4: Upload executables as artifacts
- name: Upload EXE Artifacts
uses: actions/upload-artifact@v3
with:
name: windows-keytools
path: |
tools\keytools\x64\Release\*.exe
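Review bot: The three `uses:` lines reference actions by mutable tag (`actions/checkout@v3`, `microsoft/setup-msbuild@v1`, `actions/upload-artifact@v3`) in a job that builds and publishes the key tool executables, so a moved tag changes what ends up in the `windows-keytools` artifact. Pin each one to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`. The workflow also has no `permissions:` block; adding a top-level `permissions:` with `contents: read` keeps the job token read-only, which matters because the job also runs for `pull_request` on every branch. A short comment above the upload step saying that these executables are unsigned CI outputs rather than release binaries would help anyone who downloads them.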


@ -22,7 +22,7 @@ jobs:
- name: make clean
run: |
make keysclean && make -C tools/keytools clean && rm -f include/target.h
make keysclean && rm -f include/target.h
- name: Install wolfSSL
run: |
@ -34,7 +34,7 @@ jobs:
- name: Build key tools
run: |
make -C tools/keytools
make keytools
- name: Build wolfboot and test footprint
run: |


@ -44,9 +44,9 @@ jobs:
with:
submodules: true
- name: make distclean
- name: make keysclean
run: |
make distclean
make keysclean
- name: Select config
run: |


@ -17,7 +17,7 @@ jobs:
- name: make clean
run: |
make distclean
make keysclean
- name: Select config
run: |
@ -63,16 +63,12 @@ jobs:
# TEST with NVM_FLASH_WRITEONCE enabled
- name: make clean
run: |
make distclean
make keysclean
- name: Select config with NVM_FLASH_WRITEONCE
run: |
cp config/examples/sim-nvm-writeonce.config .config
- name: Build tools
run: |
make -C tools/keytools && make -C tools/bin-assemble
- name: Build wolfboot.elf
run: |
make clean && make test-sim-internal-flash-with-update
@ -109,16 +105,12 @@ jobs:
# TEST with NVM_FLASH_WRITEONCE AND FLAGS_HOME enabled
- name: make clean
run: |
make distclean
make keysclean
- name: Select config with NVM_FLASH_WRITEONCE and FLAGS_HOME
run: |
cp config/examples/sim-nvm-writeonce-flags-home.config .config
- name: Build tools
run: |
make -C tools/keytools && make -C tools/bin-assemble
- name: Build wolfboot.elf
run: |
make clean && make test-sim-internal-flash-with-update
@ -155,16 +147,12 @@ jobs:
# TEST with NVM_FLASH_WRITEONCE AND FLAGS_HOME AND FLAGS_INVERT enabled
- name: make clean
run: |
make distclean
make keysclean
- name: Select config with NVM_FLASH_WRITEONCE and FLAGS_HOME and FLAGS_INVERT
run: |
cp config/examples/sim-nvm-writeonce-flags-home-invert.config .config
- name: Build tools
run: |
make -C tools/keytools && make -C tools/bin-assemble
- name: Build wolfboot.elf
run: |
make clean && make test-sim-external-flash-with-update
@ -201,16 +189,12 @@ jobs:
# TEST with DELTA updates
- name: make clean
run: |
make distclean
make keysclean
- name: Select config with DELTA updates
run: |
cp config/examples/sim-delta-update.config .config
- name: Build tools
run: |
make -C tools/keytools && make -C tools/bin-assemble
- name: Build wolfboot.elf
run: |
make clean && make test-sim-internal-flash-with-delta-update
@ -254,16 +238,12 @@ jobs:
# TEST with encryption (aes128)
- name: make clean
run: |
make distclean
make keysclean
- name: Select config with encrypted updates
run: |
cp config/examples/sim-encrypt-update.config .config
- name: Build tools
run: |
make -C tools/keytools && make -C tools/bin-assemble
- name: Build wolfboot.elf
run: |
make clean && make test-sim-external-flash-with-enc-update
@ -299,15 +279,11 @@ jobs:
# TEST with encryption (aes128) and delta updates
- name: make clean
run: |
make distclean
make keysclean
- name: Select config with encrypted updates
run: |
cp config/examples/sim-encrypt-delta-update.config .config
- name: Build tools
run: |
make -C tools/keytools && make -C tools/bin-assemble
- name: Build wolfboot.elf
run: |
make clean && make test-sim-external-flash-with-enc-delta-update
@ -336,16 +312,12 @@ jobs:
# TEST with encryption (aes128) and NVM_FLASH_WRITEONCE
- name: make clean
run: |
make distclean
make keysclean
- name: Select config with encrypted updates
run: |
cp config/examples/sim-encrypt-nvm-writeonce-update.config .config
- name: Build tools
run: |
make -C tools/keytools && make -C tools/bin-assemble
- name: Build wolfboot.elf
run: |
make clean && make test-sim-external-flash-with-enc-update
@ -463,15 +435,11 @@ jobs:
# TEST with encryption (aes128) and NVM_FLASH_WRITEONCE and DELTA updates
- name: make clean
run: |
make distclean
make keysclean
- name: Select config with encrypted updates
run: |
cp config/examples/sim-encrypt-delta-nvm-writeonce-update.config .config
- name: Build tools
run: |
make -C tools/keytools && make -C tools/bin-assemble
- name: Build wolfboot.elf
run: |
make clean && make test-sim-external-flash-with-enc-delta-update
@ -499,15 +467,11 @@ jobs:
# TEST with backup disabled
- name: make clean
run: |
make distclean
make keysclean
- name: Select config with backup disabled
run: |
cp config/examples/sim-nobackup.config .config
- name: Build tools
run: |
make -C tools/keytools && make -C tools/bin-assemble
- name: Build wolfboot.elf
run: |
make clean && make test-sim-internal-flash-with-update
@ -527,15 +491,11 @@ jobs:
# TEST with backup disabled + NVM_FLASH_WRITEONCE
- name: make clean
run: |
make distclean
make keysclean
- name: Select config with backup disabled + NVM WRITEONCE
run: |
cp config/examples/sim-nobackup-nvm-writeonce.config .config
- name: Build tools
run: |
make -C tools/keytools && make -C tools/bin-assemble
- name: Build wolfboot.elf
run: |
make clean && make test-sim-internal-flash-with-update
@ -555,15 +515,11 @@ jobs:
# TEST with backup disabled + FLAGS_HOME
- name: make clean
run: |
make distclean
make keysclean
- name: Select config with backup disabled + FLAGS_HOME
run: |
cp config/examples/sim-nobackup-flags-home.config .config
- name: Build tools
run: |
make -C tools/keytools && make -C tools/bin-assemble
- name: Build wolfboot.elf
run: |
make clean && make test-sim-internal-flash-with-update
@ -584,16 +540,12 @@ jobs:
# TEST with FLASH_MULTI_SECTOR_ERASE
- name: make clean
run: |
make distclean
make keysclean
- name: Select config
run: |
cp config/examples/sim.config .config
- name: Build tools
run: |
make -C tools/keytools && make -C tools/bin-assemble
- name: Build wolfboot.elf (FLASH_MULTI_SECTOR_ERASE=1)
run: |
make clean && make test-sim-internal-flash-with-update FLASH_MULTI_SECTOR_ERASE=1


@ -23,12 +23,12 @@ jobs:
# SIGN=NONE TEST
- name: Renode Tests SIGN=NONE
run: ./tools/renode/docker-test.sh "SIGN=NONE"
run: ./tools/renode/docker-test.sh "SIGN=NONE V=1"
# ECC256 TEST
- name: Renode Tests ECC256
run: ./tools/renode/docker-test.sh "SIGN=ECC256"
run: ./tools/renode/docker-test.sh "SIGN=ECC256 V=1"
# ECC384 TEST
- name: Renode Tests ECC384


@ -29,7 +29,7 @@ jobs:
#
- name: make clean
run: |
make distclean
make keysclean
- name: Select config (32 bit simulator)
run: |
@ -57,7 +57,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (ECC384)
run: |
@ -77,7 +77,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (ECC521)
run: |
@ -97,7 +97,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (RSA2048)
run: |
@ -117,7 +117,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (RSA3072)
run: |
@ -137,7 +137,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (RSA4096)
run: |
@ -159,7 +159,7 @@ jobs:
#
- name: make clean
run: |
make distclean
make keysclean
- name: Select config (32 bit simulator)
run: |
@ -187,7 +187,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (ECC384, FASTMATH)
run: |
@ -207,7 +207,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (ECC521, FASTMATH)
run: |
@ -227,7 +227,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (RSA2048, FASTMATH)
run: |
@ -247,7 +247,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (RSA3072, FASTMATH)
run: |
@ -267,7 +267,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (RSA4096, FASTMATH)
run: |
@ -290,7 +290,7 @@ jobs:
#
- name: make clean
run: |
make distclean
make keysclean
- name: Select config (64 bit simulator)
run: |
@ -318,7 +318,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (ECC384)
run: |
@ -338,7 +338,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (ECC521)
run: |
@ -358,7 +358,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (RSA2048)
run: |
@ -378,7 +378,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (RSA3072)
run: |
@ -398,7 +398,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (RSA4096)
run: |
@ -420,7 +420,7 @@ jobs:
#
- name: make clean
run: |
make distclean
make keysclean
- name: Select config (64 bit simulator)
run: |
@ -448,7 +448,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (ECC384, FASTMATH)
run: |
@ -468,7 +468,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (ECC521, FASTMATH)
run: |
@ -488,7 +488,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (RSA2048, FASTMATH)
run: |
@ -508,7 +508,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (RSA3072, FASTMATH)
run: |
@ -528,7 +528,7 @@ jobs:
- name: Cleanup to change key type
run: |
make -C tools/keytools clean && make keysclean && make -C tools/keytools
make keysclean
- name: Build wolfboot.elf (RSA4096, FASTMATH)
run: |
@ -562,7 +562,7 @@ jobs:
#
- name: make clean
run: |
make distclean
make keysclean
- name: Select config (64 bit simulator) Hybrid ML_DSA + ECC
run: |


@ -85,6 +85,16 @@ ifeq ($(TARGET),ti_hercules)
LSCRIPT_FLAGS+=--run_linker $(LSCRIPT)
endif
# Environment variables for sign tool
SIGN_ENV=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) \
WOLFBOOT_SECTOR_SIZE=$(WOLFBOOT_SECTOR_SIZE) \
ML_DSA_LEVEL=$(ML_DSA_LEVEL) \
IMAGE_SIGNATURE_SIZE=$(IMAGE_SIGNATURE_SIZE) \
LMS_LEVELS=$(LMS_LEVELS) \
LMS_HEIGHT=$(LMS_HEIGHT) \
LMS_WINTERNITZ=$(LMS_WINTERNITZ) \
XMSS_PARAMS=$(XMSS_PARAMS)
MAIN_TARGET=factory.bin
TARGET_H_TEMPLATE:=include/target.h.in
@ -201,11 +211,11 @@ include tools/test-renode.mk
hal/$(TARGET).o:
keytools_check: keytools FORCE
keytools_check: keytools
$(PRIVATE_KEY):
$(Q)$(MAKE) keytools_check
$(Q)(test $(SIGN) = NONE) || ("$(KEYGEN_TOOL)" $(KEYGEN_OPTIONS) -g $(PRIVATE_KEY)) || true
$(Q)(test $(SIGN) = NONE) || ($(SIGN_ENV) "$(KEYGEN_TOOL)" $(KEYGEN_OPTIONS) -g $(PRIVATE_KEY)) || true
$(Q)(test $(SIGN) = NONE) && (echo "// SIGN=NONE" > src/keystore.c) || true
$(Q)(test "$(FLASH_OTP_KEYSTORE)" = "1") && (make -C tools/keytools/otp) || true
@ -213,22 +223,21 @@ $(SECONDARY_PRIVATE_KEY): $(PRIVATE_KEY) keystore.der
$(Q)$(MAKE) keytools_check
$(Q)rm -f src/keystore.c
$(Q)dd if=keystore.der of=pubkey_1.der bs=1 skip=16
$(Q)(test $(SIGN_SECONDARY) = NONE) || ("$(KEYGEN_TOOL)" \
$(Q)(test $(SIGN_SECONDARY) = NONE) || ($(SIGN_ENV) "$(KEYGEN_TOOL)" \
$(KEYGEN_OPTIONS) -i pubkey_1.der $(SECONDARY_KEYGEN_OPTIONS) \
-g $(SECONDARY_PRIVATE_KEY)) || true
$(Q)(test "$(FLASH_OTP_KEYSTORE)" = "1") && (make -C tools/keytools/otp) || true
keytools: include/target.h
keytools:
@echo "Building key tools"
@$(MAKE) -C tools/keytools -s clean
@$(MAKE) -C tools/keytools -j
tpmtools: keys
tpmtools: include/target.h keys
@echo "Building TPM tools"
@$(MAKE) -C tools/tpm -s clean
@$(MAKE) -C tools/tpm -j
swtpmtools:
swtpmtools: include/target.h
@echo "Building TPM tools"
@$(MAKE) -C tools/tpm -s clean
@$(MAKE) -C tools/tpm -j swtpm
@ -238,10 +247,10 @@ test-app/image_v1_signed.bin: $(BOOT_IMG)
@echo "\tSECONDARY_SIGN_OPTIONS=$(SECONDARY_SIGN_OPTIONS)"
@echo "\tSECONDARY_PRIVATE_KEY=$(SECONDARY_PRIVATE_KEY)"
$(Q)(test $(SIGN) = NONE) || "$(SIGN_TOOL)" $(SIGN_OPTIONS) \
$(Q)(test $(SIGN) = NONE) || $(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) \
$(SECONDARY_SIGN_OPTIONS) $(BOOT_IMG) $(PRIVATE_KEY) \
$(SECONDARY_PRIVATE_KEY) 1 || true
$(Q)(test $(SIGN) = NONE) && "$(SIGN_TOOL)" $(SIGN_OPTIONS) $(BOOT_IMG) 1 || true
$(Q)(test $(SIGN) = NONE) && $(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) $(BOOT_IMG) 1 || true
test-app/image.elf: wolfboot.elf
$(Q)$(MAKE) -C test-app WOLFBOOT_ROOT="$(WOLFBOOT_ROOT)" image.elf
@ -278,7 +287,7 @@ wolfboot_stage1.bin: wolfboot.elf stage1/loader_stage1.bin
wolfboot.elf: include/target.h $(LSCRIPT) $(OBJS) $(BINASSEMBLE) FORCE
$(Q)(test $(SIGN) = NONE) || (test $(FLASH_OTP_KEYSTORE) = 1) || (grep -q $(SIGN_ALG) src/keystore.c) || \
(echo "Key mismatch: please run 'make distclean' to remove all keys if you want to change algorithm" && false)
(echo "Key mismatch: please run 'make keysclean' to remove all keys if you want to change algorithm" && false)
@echo "\t[LD] $@"
@echo $(OBJS)
$(Q)$(LD) $(LDFLAGS) $(LSCRIPT_FLAGS) $(SECURE_LDFLAGS) $(LD_START_GROUP) $(OBJS) $(LIBS) $(LD_END_GROUP) -o $@
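Review bot: Every keygen and sign recipe line rewritten here still ends in `|| true`, so a key tool that exits non-zero (for example on an invalid value passed through `SIGN_ENV`) does not fail the build, and the signed image or key can be left missing or stale without an error. An explicit conditional keeps the SIGN=NONE skip without masking failures, e.g. `$(Q)if test "$(SIGN)" != NONE; then $(SIGN_ENV) "$(SIGN_TOOL)" $(SIGN_OPTIONS) $(SECONDARY_SIGN_OPTIONS) $(BOOT_IMG) $(PRIVATE_KEY) $(SECONDARY_PRIVATE_KEY) 1; fi`. The new sign lines also drop the quotes that the previous lines had around `$(SIGN_TOOL)`, while the keygen lines keep them around `$(KEYGEN_TOOL)`; the two should match. `SIGN_ENV` expands an unset make variable to `NAME=` with an empty value, which the tools see as set-but-empty rather than absent, so a comment on `SIGN_ENV` stating which variables may legitimately be empty would help. The rules touched here start or end outside the hunks shown.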


@ -25,8 +25,8 @@
ARCH=sim
TARGET=sim
SIGN?=ML_DSA
HASH?=SHA256
SIGN=ML_DSA
HASH=SHA256
WOLFBOOT_SMALL_STACK=0
SPI_FLASH=0
DEBUG=0
@ -38,17 +38,17 @@ DELTA_UPDATES=0
# Category 2:
ML_DSA_LEVEL=2
IMAGE_SIGNATURE_SIZE=2420
IMAGE_HEADER_SIZE?=8192
IMAGE_HEADER_SIZE=8192
#
# Category 3:
# ML_DSA_LEVEL=3
# IMAGE_SIGNATURE_SIZE=3309
# IMAGE_HEADER_SIZE?=8192
# IMAGE_HEADER_SIZE=8192
#
# Category 5:
# ML_DSA_LEVEL=5
# IMAGE_SIGNATURE_SIZE=4627
# IMAGE_HEADER_SIZE?=12288
# IMAGE_HEADER_SIZE=12288
# This example needsd larger sector size.
# WOLFBOOT_SECTOR_SIZE=0x3000
#


@ -4,39 +4,18 @@
server) environment to manage wolfBoot private keys and sign the initial
firmware and all the updates for the target.
## C or Python
The tools are distributed in two versions, using the same command line syntax,
for portability reasons.
By default, C keytools are compiled. The makefiles and scripts in this
repository will use the C tools.
### C Key Tools
## C Key Tools
A standalone C version of the key tools is available in: `./tools/keytools`.
These can be built in `tools/keytools` using `make` or from the wolfBoot root using `make keytools`.
If the C version of the key tools exists they will be used by wolfBoot's makefile and scripts.
#### Windows Visual Studio
Use the `wolfBootSignTool.vcxproj` Visual Studio project to build the `sign.exe` and `keygen.exe` tools for use on Windows.
If you see any error about missing `target.h` this is a generated file based on your .config using the make process. It is needed for `WOLFBOOT_SECTOR_SIZE` used in delta updates.
### Python key tools
**Please note that the Python tools are deprecated and will be removed in future versions.**
In order to use the python key tools, ensure that the `wolfcrypt` package is
installed in your python environment. In most systems it's sufficient to run a
command similar to:
`pip install wolfcrypt`
to ensure that the dependencies are met.
## Command Line Usage
@ -78,6 +57,19 @@ Usage: `sign [OPTIONS] IMAGE.BIN KEY.DER VERSION`
`VERSION`: The version associated with this signed software
`OPTIONS`: Zero or more options, described below
#### Image header size
By default, the manifest header size used by SIGN tool depends on the ideal
value for the configuration chosen. In some cases however, it is necessary to use
a different value than the default. To override the `IMAGE_HEADER_SIZE` value,
set an environment variable with the same name and the desired value, via `setenv`,
`export`, or simply inlining it with the sign command:
```
IMAGE_HEADER_SIZE=2048 sign [OPTIONS] IMAGE.BIN KEY.DER VERSION
```
#### Public key signature options
If none of the following arguments is given, the tool will try to guess the key


@ -34,9 +34,12 @@
*/
#ifndef WOLFBOOT_DELTA_H
#define WOLFBOOT_DELTA_H
#include "target.h"
#include <stdint.h>
#ifndef DELTA_PATCH_BLOCK_SIZE
#define DELTA_PATCH_BLOCK_SIZE 1024
#endif
struct wb_patch_ctx {
uint8_t *src_base;
@ -69,6 +72,7 @@ int wb_patch_init(WB_PATCH_CTX *bm, uint8_t *src, uint32_t ssz, uint8_t *patch,
int wb_patch(WB_PATCH_CTX *ctx, uint8_t *dst, uint32_t len);
int wolfBoot_get_delta_info(uint8_t part, int inverse, uint32_t **img_offset,
uint32_t **img_size, uint8_t **base_hash, uint16_t *base_hash_size);
int wb_diff_get_sector_size(void);
#endif


@ -30,7 +30,9 @@ extern "C" {
#endif
#include <stdint.h>
#ifdef __WOLFBOOT
#include "target.h"
#endif
#include "wolfboot/version.h"
#ifdef WOLFCRYPT_SECURE_MODE
@ -133,20 +135,23 @@ extern "C" {
#define KEYSTORE_PUBKEY_SIZE_LMS 60
#define KEYSTORE_PUBKEY_SIZE_XMSS 68
/* ML-DSA pub key size is a function of parameters.
* This needs to be configurable. Default to security
* category 2. */
#ifdef ML_DSA_LEVEL
#if ML_DSA_LEVEL == 2
#define KEYSTORE_PUBKEY_SIZE_ML_DSA 1312
#elif ML_DSA_LEVEL == 3
#define KEYSTORE_PUBKEY_SIZE_ML_DSA 1952
#elif ML_DSA_LEVEL == 5
#define KEYSTORE_PUBKEY_SIZE_ML_DSA 2592
#else
#error "Invalid ML_DSA_LEVEL!"
#endif
#endif /* ML_DSA_LEVEL */
/* ML-DSA pub key size is a function of parameters. */
#define ML_DSA_L2_PUBKEY_SIZE 1312
#define ML_DSA_L3_PUBKEY_SIZE 1952
#define ML_DSA_L5_PUBKEY_SIZE 2592
/* Configure using ML_DSA_LEVEL: Default is security category 2. */
#ifndef ML_DSA_LEVEL
#define ML_DSA_LEVEL 2
#endif
#if ML_DSA_LEVEL == 2
#define KEYSTORE_PUBKEY_SIZE_ML_DSA ML_DSA_L2_PUBKEY_SIZE
#elif ML_DSA_LEVEL == 3
#define KEYSTORE_PUBKEY_SIZE_ML_DSA ML_DSA_L3_PUBKEY_SIZE
#elif ML_DSA_LEVEL == 5
#define KEYSTORE_PUBKEY_SIZE_ML_DSA ML_DSA_L5_PUBKEY_SIZE
#endif
/* Mask for key permissions */
#define KEY_VERIFY_ALL (0xFFFFFFFFU)
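Review bot: The rewritten `#if ML_DSA_LEVEL == 2 ... #elif ML_DSA_LEVEL == 5` chain appears to have lost the `#else` / `#error "Invalid ML_DSA_LEVEL!"` branch of the block it replaces, so an unsupported level now leaves `KEYSTORE_PUBKEY_SIZE_ML_DSA` undefined with no diagnostic at this point. Restoring the two lines `#else` and `#error "Invalid ML_DSA_LEVEL!"` before the final `#endif` keeps a misconfigured build failing early. Because `ML_DSA_LEVEL` now silently defaults to 2 when undefined, a comment above the `#ifndef ML_DSA_LEVEL` saying that the bootloader and the key tools must be built for the same level would also be useful.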

@ -1 +1 @@
Subproject commit bdd62314f00fca0e216bf8c963c8eeff6327e0cb
Subproject commit 1bfbdb6c7f5976d4242279c3cd166f1a8e0f965f


@ -26,6 +26,7 @@
#define ESC 0x7f
#if (defined(__IAR_SYSTEMS_ICC__) && (__IAR_SYSTEMS_ICC__ > 8)) || \
defined(__GNUC__)
#define BLOCK_HDR_PACKED __attribute__ ((packed))
@ -45,7 +46,7 @@ struct BLOCK_HDR_PACKED block_hdr {
#include "encrypt.h"
#define ext_flash_check_write ext_flash_encrypt_write
#define ext_flash_check_read ext_flash_decrypt_read
#else
#elif defined(__WOLFBOOT)
#include "hal.h"
#define ext_flash_check_write ext_flash_write
#define ext_flash_check_read ext_flash_read
@ -168,6 +169,36 @@ int wb_patch(WB_PATCH_CTX *ctx, uint8_t *dst, uint32_t len)
return dst_off;
}
#ifndef __WOLFBOOT
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
static uint32_t wolfboot_sector_size = 0;
int wb_diff_get_sector_size(void)
{
uint32_t sec_sz = 0;
char *env_sector_size = NULL;
env_sector_size = getenv("WOLFBOOT_SECTOR_SIZE");
if (!env_sector_size) {
fprintf(stderr, "Please set the WOLFBOOT_SECTOR_SIZE environment variable in\n"
"order to sign a delta update.\n");
exit(6);
} else {
sec_sz = atoi(env_sector_size);
if (sec_sz == 0) {
errno = 0;
sec_sz = strtol(env_sector_size, NULL, 16);
if (errno != 0) {
fprintf(stderr, "Invalid WOLFBOOT_SECTOR_SIZE value\n");
exit(6);
}
}
}
return sec_sz;
}
int wb_diff_init(WB_DIFF_CTX *ctx, uint8_t *src_a, uint32_t len_a, uint8_t *src_b, uint32_t len_b)
{
@ -178,6 +209,8 @@ int wb_diff_init(WB_DIFF_CTX *ctx, uint8_t *src_a, uint32_t len_a, uint8_t *src_
ctx->src_b = src_b;
ctx->size_a = len_a;
ctx->size_b = len_b;
wolfboot_sector_size = wb_diff_get_sector_size();
printf("WOLFBOOT_SECTOR_SIZE: %u\n", wolfboot_sector_size);
return 0;
}
@ -195,7 +228,7 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len)
return -1;
while ((ctx->off_b + BLOCK_HDR_SIZE < ctx->size_b) && (len > p_off + BLOCK_HDR_SIZE)) {
uintptr_t page_start = ctx->off_b / WOLFBOOT_SECTOR_SIZE;
uintptr_t page_start = ctx->off_b / wolfboot_sector_size;
uintptr_t pa_start;
found = 0;
if (p_off + BLOCK_HDR_SIZE > len)
@ -209,14 +242,14 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len)
* base for the sectors that have already been updated.
*/
pa_start = WOLFBOOT_SECTOR_SIZE * page_start;
pa_start = wolfboot_sector_size * page_start;
pa = ctx->src_a + pa_start;
while (((uintptr_t)(pa - ctx->src_a) < (uintptr_t)ctx->size_a) && (p_off < len)) {
if ((uintptr_t)(ctx->size_a - (pa - ctx->src_a)) < BLOCK_HDR_SIZE)
break;
if ((ctx->size_b - ctx->off_b) < BLOCK_HDR_SIZE)
break;
if ((WOLFBOOT_SECTOR_SIZE - (ctx->off_b % WOLFBOOT_SECTOR_SIZE)) < BLOCK_HDR_SIZE)
if ((wolfboot_sector_size - (ctx->off_b % wolfboot_sector_size)) < BLOCK_HDR_SIZE)
break;
if ((memcmp(pa, (ctx->src_b + ctx->off_b), BLOCK_HDR_SIZE) == 0)) {
uintptr_t b_start;
@ -237,7 +270,7 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len)
/* Stop matching if the source image size limit is hit. */
break;
}
if ((b_start / WOLFBOOT_SECTOR_SIZE) < ((ctx->off_b + 1) / WOLFBOOT_SECTOR_SIZE)) {
if ((b_start / wolfboot_sector_size) < ((ctx->off_b + 1) / wolfboot_sector_size)) {
/* Stop matching when the sector bound is hit. */
break;
}
@ -261,7 +294,7 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len)
}
if (!found) {
/* Try matching an earlier section in the resulting image */
uintptr_t pb_end = page_start * WOLFBOOT_SECTOR_SIZE;
uintptr_t pb_end = page_start * wolfboot_sector_size;
pb = ctx->src_b;
while (((uintptr_t)(pb - ctx->src_b) < pb_end) && (p_off < len)) {
/* Check image boundary */
@ -273,7 +306,7 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len)
/* Don't try matching backwards if the distance between the two
* blocks is smaller than one sector.
*/
if (WOLFBOOT_SECTOR_SIZE > (page_start * WOLFBOOT_SECTOR_SIZE)
if (wolfboot_sector_size > (page_start * wolfboot_sector_size)
- (pb - ctx->src_b))
break;
@ -337,5 +370,6 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len)
}
return (int)p_off;
}
#endif /* __WOLFBOOT */
#endif /* DELTA_UPDATES */
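Review bot: `wb_diff_get_sector_size()` can return 0, and `wb_diff()` then divides and takes a modulus by `wolfboot_sector_size`; an empty value (which the `NAME=$(VAR)` style of `SIGN_ENV` produces when the make variable is unset), a literal `0`, or text with no leading digits makes `atoi()` return 0, the `strtol(..., 16)` fallback also yields 0, and `errno` is not required to be set when nothing is converted. Trailing garbage and negative numbers are accepted as well, and the `uint32_t` value is returned through `int`. Parsing once with an end pointer and rejecting zero and out-of-range values closes these cases. Base 0 in the sketch below accepts decimal and `0x`-prefixed hex but not bare hex digits, so keep a base-16 fallback with the same checks if that form must remain valid. `wb_diff()` starts and ends outside the hunks shown.

```c
int wb_diff_get_sector_size(void)
{
    unsigned long sec_sz;
    char *end = NULL;
    const char *env_sector_size = getenv("WOLFBOOT_SECTOR_SIZE");

    if (env_sector_size == NULL || *env_sector_size == '\0') {
        /* … unchanged: "Please set the WOLFBOOT_SECTOR_SIZE environment variable" message … */
        exit(6);
    }
    errno = 0;
    /* Base 0: decimal or 0x-prefixed hex. */
    sec_sz = strtoul(env_sector_size, &end, 0);
    if (errno != 0 || end == env_sector_size || *end != '\0' ||
            sec_sz == 0 || sec_sz > 0x7FFFFFFFUL) {
        fprintf(stderr, "Invalid WOLFBOOT_SECTOR_SIZE value\n");
        exit(6);
    }
    return (int)sec_sz;
}
```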


@ -593,6 +593,7 @@ static void wolfBoot_verify_signature_xmss(uint8_t key_slot,
#ifdef WOLFBOOT_SIGN_ML_DSA
#include <wolfssl/wolfcrypt/dilithium.h>
static void wolfBoot_verify_signature_ml_dsa(uint8_t key_slot,
struct wolfBoot_image *img, uint8_t *sig)
{
@ -636,9 +637,9 @@ static void wolfBoot_verify_signature_ml_dsa(uint8_t key_slot,
wolfBoot_printf("error: wc_MlDsaKey_GetPubLen returned %d\n", ret);
ret = -1;
}
else if (pub_len != KEYSTORE_PUBKEY_SIZE_ML_DSA) {
else if (pub_len > KEYSTORE_PUBKEY_SIZE) {
wolfBoot_printf("error: ML-DSA pub key mismatch: got %d bytes " \
"expected %d\n", pub_len, KEYSTORE_PUBKEY_SIZE_ML_DSA);
"max %d\n", pub_len, KEYSTORE_PUBKEY_SIZE);
ret = -1;
}
}
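Review bot: The check `else if (pub_len > KEYSTORE_PUBKEY_SIZE)` only bounds the length from above, whereas the line it replaces required equality with `KEYSTORE_PUBKEY_SIZE_ML_DSA`, and the error text still says "pub key mismatch". If the bootloader build still fixes `ML_DSA_LEVEL` at compile time (the header on this page keeps defining `KEYSTORE_PUBKEY_SIZE_ML_DSA`), keeping the exact comparison here, `else if (pub_len != KEYSTORE_PUBKEY_SIZE_ML_DSA) {`, rejects a key of another parameter set before it is used. Otherwise add a comment stating where the length is matched against the stored key, and reword the message to say the key is too large. The definition of `KEYSTORE_PUBKEY_SIZE` and the rest of `wolfBoot_verify_signature_ml_dsa` are outside the hunk.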


@ -117,8 +117,10 @@ static uint32_t ext_cache;
#endif
#if defined(__WOLFBOOT) || defined (UNIT_TEST)
#if defined(__WOLFBOOT) || defined(UNIT_TEST)
#define WOLFSSL_MISC_INCLUDED /* allow misc.c code to be inlined */
#include <wolfssl/wolfcrypt/types.h>
#include <wolfssl/wolfcrypt/wc_port.h>
#include <wolfcrypt/src/misc.c> /* for ByteReverseWord32 */
#if defined(EXT_ENCRYPTED) || defined(UNIT_TEST)
static uint32_t wb_reverse_word32(uint32_t x)


@ -215,6 +215,7 @@ ifeq ($(TARGET),stm32u5)
endif
ifeq ($(TARGET),nrf5340_net)
APP_OBJS:=app_$(TARGET).o ../test-app/libwolfboot.o
LSCRIPT_TEMPLATE=ARM-nrf5340_net.ld
endif


@ -24,6 +24,7 @@
#include <string.h>
#include "hal.h"
#include "wolfboot/wolfboot.h"
#include "target.h"
/* Change to '1' to enable uart update */
#define UART_UPDATE 0


@ -17,6 +17,7 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#include "target.h"
#include "wolfboot/wolfboot.h"
#include <stdint.h>
#include "fsl_common.h"


@ -27,6 +27,7 @@
#include "fsl_gpio.h"
#include "fsl_clock.h"
#include "wolfboot/wolfboot.h"
#include "target.h"
/* FRDM-K64 board */
#if defined(CPU_MK64FN1M0VLL12)


@ -31,6 +31,7 @@
#include "fsl_clock.h"
#include "wolfboot/wolfboot.h"
#include "target.h"
extern void hal_init(void);


@ -22,6 +22,7 @@
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include "target.h"
#include "wolfboot/wolfboot.h"
#include "hal/nrf52.h"
#include "printf.h"


@ -22,6 +22,7 @@
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include "target.h"
#include "wolfboot/wolfboot.h"
#include "hal/nrf5340.h"
#include "printf.h"


@ -22,6 +22,7 @@
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include "target.h"
#include "wolfboot/wolfboot.h"
#include "hal/nrf5340.h"
#include "printf.h"


@ -28,6 +28,7 @@
#include "hal.h"
#include "printf.h"
#include "wolfboot/wolfboot.h"
#include "target.h"
/* route stdout to UART */
int write(int fileno, char *buf, int count)


@ -26,6 +26,7 @@
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include "target.h"
#include "wolfboot/wolfboot.h"


@ -30,6 +30,7 @@
#include "hal.h"
#include "wolfboot/wolfboot.h"
#include "spi_flash.h"
#include "target.h"
#ifdef TARGET_stm32f4
@ -77,6 +78,8 @@ static const char UPDATE='U';
static const char ACK='#';
static uint8_t msg[MSGSIZE];
extern void flash_set_waitstates(void);
#ifdef WOLFBOOT_NO_SIGN


@ -25,6 +25,7 @@
#include <stdint.h>
#include <string.h>
#include "system.h"
#include "target.h"
#include "wolfboot/wolfboot.h"
#include "hal.h"


@ -32,6 +32,7 @@
#include "uart_drv.h"
#include "wolfboot/wolfboot.h"
#include "keystore.h"
#include "target.h"
#ifdef SECURE_PKCS11
#include "wcs/user_settings.h"
@ -867,4 +868,4 @@ void * _sbrk(unsigned int incr)
}
return old_heap;
}
#endif
#endif


@ -38,6 +38,7 @@
#include "system.h"
#include "hal.h"
#include "wolfboot/wolfboot.h"
#include "target.h"
#define SET_BIT(REG, BIT) ((REG) |= (BIT))
#define CLEAR_BIT(REG, BIT) ((REG) &= ~(BIT))


@ -25,6 +25,7 @@
#include <stdint.h>
#include <string.h>
#include "led.h"
#include "target.h"
#include "wolfboot/wolfboot.h"
#ifdef SPI_FLASH
#include "spi_flash.h"


@ -25,6 +25,7 @@
#include "led.h"
#include "hal.h"
#include "wolfboot/wolfboot.h"
#include "target.h"
#ifdef TARGET_stm32l4


@ -30,6 +30,7 @@
#include "uart_drv.h"
#include "wolfboot/wolfboot.h"
#include "wolfboot/wc_secure.h"
#include "target.h"
#ifdef SECURE_PKCS11
#include "wcs/user_settings.h"


@ -28,6 +28,7 @@
#include "system.h"
#include "hal.h"
#include "wolfboot/wolfboot.h"
#include "target.h"
#define LED_BOOT_PIN (7) /* PH7 - Discovery - Green Led */
#define LED_USR_PIN (6) /* PH6 - Discovery - Red Led */


@ -28,6 +28,7 @@
#include "hal.h"
#include "wolfboot/wolfboot.h"
#include "uart_drv.h"
#include "target.h"
#ifdef TARGET_stm32wb


@ -4,6 +4,7 @@ WORK_DIR=/tmp/wolfBoot_efi
BR_VER=2022.08.3
BR_DIR=buildroot-$BR_VER
IMAGE_DIR=$WORK_DIR/output
. .config
if (test ! -d $WORK_DIR);then
mkdir -p $WORK_DIR
@ -17,10 +18,7 @@ fi
BR2_EXTERNAL=$(pwd)/tools/efi/br_ext_dir make -C $WORK_DIR/$BR_DIR tiny_defconfig O=$IMAGE_DIR
make -C $WORK_DIR/$BR_DIR O=$IMAGE_DIR
SIGN_TOOL="python3 ./tools/keytools/sign.py"
if [ -f "./tools/keytools/sign" ]; then
SIGN_TOOL="./tools/keytools/sign"
fi
SIGN_TOOL="./tools/keytools/sign"
$SIGN_TOOL --ed25519 $IMAGE_DIR/images/bzImage wolfboot_signing_private_key.der 1
$SIGN_TOOL --ed25519 $IMAGE_DIR/images/bzImage wolfboot_signing_private_key.der 2
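Review bot: `. .config` names the file without a slash, so the shell resolves it through `PATH` before (or, in dash, instead of) the current directory; `. ./.config` sources the intended file. Sourcing also runs `.config` as shell code, so it has to contain only plain `NAME=value` lines, and the values are not exported, so the `sign` child process will not see e.g. `IMAGE_HEADER_SIZE` unless the line is written as `set -a; . ./.config; set +a`. With the Python fallback removed, a check such as `[ -x "$SIGN_TOOL" ] || { echo "build the key tools first" >&2; exit 1; }` before the two sign calls would give a clear failure instead of a "not found" from the shell. The script begins above the first hunk.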


@ -12,54 +12,27 @@ LD = gcc
WOLFBOOTDIR = ../..
WOLFDIR = $(WOLFBOOTDIR)/lib/wolfssl
CFLAGS = -Wall -Wextra -Werror
CFLAGS += -I. -DWOLFSSL_USER_SETTINGS -I$(WOLFDIR) -I$(WOLFBOOTDIR)/include -DWOLFBOOT_KEYTOOLS
CFLAGS += -I. -DWOLFSSL_USER_SETTINGS -I$(WOLFDIR) -I$(WOLFBOOTDIR)/include
LDFLAGS =
OBJDIR = ./
LIBS =
ML_DSA_LEVEL?=2
CFLAGS+=-DML_DSA_LEVEL=$(ML_DSA_LEVEL)
LMS_LEVELS?=1
LMS_HEIGHT?=10
LMS_WINTERNITZ?=8
# Common to wc_lms and ext_lms.
ifneq (,$(filter $(SIGN), LMS ext_LMS))
CFLAGS +=-DWOLFBOOT_SIGN_LMS -DWOLFSSL_HAVE_LMS \
-D"LMS_LEVELS=$(LMS_LEVELS)" -D"LMS_HEIGHT=$(LMS_HEIGHT)" \
-D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)"
endif
CFLAGS +=-D"LMS_LEVELS=$(LMS_LEVELS)" \
-D"LMS_HEIGHT=$(LMS_HEIGHT)" \
-D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)"
# Specific to ext_lms.
ifeq ($(SIGN),ext_LMS)
LMSDIR = $(WOLFBOOTDIR)/lib/hash-sigs
LIBS += $(LMSDIR)/lib/hss_lib.a
CFLAGS +=-DHAVE_LIBLMS -I$(LMSDIR)/src
endif
# Specific to wc_lms.
ifeq ($(SIGN),LMS)
CFLAGS +=-DWOLFSSL_WC_LMS
endif
# Common to wc_xmss and ext_xmss.
ifneq (,$(filter $(SIGN), XMSS ext_XMSS))
$(info xmss params: $(XMSS_PARAMS))
CFLAGS +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS \
-D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \
-DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\"
endif
# Specific to ext_xmss.
ifeq ($(SIGN),ext_XMSS)
XMSSDIR = $(WOLFBOOTDIR)/lib/xmss
CFLAGS +=-DHAVE_LIBXMSS -I$(XMSSDIR)
endif
# Specific to wc_xmss.
ifeq ($(SIGN),XMSS)
CFLAGS +=-D"WOLFSSL_WC_XMSS" -D"WOLFSSL_XMSS_MAX_HEIGHT=32"
endif
# Only needed if using 3rd party integration. This can be
# removed if ext_lms and ext_xmss are deprecated.
ifneq (,$(filter $(SIGN), ext_LMS ext_XMSS))
CFLAGS +=-DWOLFSSL_EXPERIMENTAL_SETTINGS
endif
# XMSS flags
XMSS_PARAMS?='XMSS-SHA2_10_256'
CFLAGS +=-D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \
-DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\"
# When WOLFBOOT_UNIVERSAL_KEYSTORE is defined, pad store_sizes in keystore.der
ifeq ($(WOLFBOOT_UNIVERSAL_KEYSTORE),1)
@ -79,11 +52,6 @@ else
CFLAGS+=$(OPTIMIZE)
endif
ifeq ($(IMAGE_HEADER_SIZE),)
IMAGE_HEADER_SIZE=256
endif
CFLAGS+=-DIMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE)
CFLAGS+=-DDELTA_UPDATES
ifneq ($(RENESAS_KEY),)
@ -129,78 +97,27 @@ OBJS_REAL=\
OBJS_REAL+=\
$(WOLFBOOTDIR)/src/delta.o
# Add wolfcrypt lms implementation.
ifeq ($(SIGN),LMS)
OBJS_REAL+=\
$(WOLFDIR)/wolfcrypt/src/wc_lms.o \
$(WOLFDIR)/wolfcrypt/src/wc_lms_impl.o
endif
# Add external lms integration.
ifeq ($(SIGN),ext_LMS)
OBJS_REAL+= $(WOLFDIR)/wolfcrypt/src/ext_lms.o
endif
# Add wolfcrypt xmss implementation.
ifeq ($(SIGN),XMSS)
OBJS_REAL+=\
$(WOLFDIR)/wolfcrypt/src/wc_xmss.o \
$(WOLFDIR)/wolfcrypt/src/wc_xmss_impl.o
endif
# Add external xmss integration.
ifeq ($(SIGN),ext_XMSS)
OBJS_REAL+=\
$(WOLFDIR)/wolfcrypt/src/ext_xmss.o \
$(XMSSDIR)/params.o \
$(XMSSDIR)/thash.o \
$(XMSSDIR)/hash_address.o \
$(XMSSDIR)/wots.o \
$(XMSSDIR)/xmss.o \
$(XMSSDIR)/xmss_core_fast.o \
$(XMSSDIR)/xmss_commons.o \
$(XMSSDIR)/utils.o
endif
# Add wolfcrypt ML-DSA (dilithium) implementation.
ifeq ($(SIGN),ML_DSA)
OBJS_REAL+=$(WOLFDIR)/wolfcrypt/src/dilithium.o
CFLAGS += -D"WOLFBOOT_SIGN_ML_DSA" \
-D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \
-D"ML_DSA_LEVEL"=$(ML_DSA_LEVEL)
endif
OBJS_REAL+=$(WOLFDIR)/wolfcrypt/src/dilithium.o
OBJS_VIRT=$(addprefix $(OBJDIR), $(notdir $(OBJS_REAL)))
vpath %.c $(WOLFDIR)/wolfcrypt/src/
vpath %.c $(WOLFBOOTDIR)/src/
vpath %.c ./
ifeq ($(SIGN),ext_XMSS)
vpath %.c $(XMSSDIR)/
endif
.PHONY: clean all
all: $(WOLFBOOTDIR)/include/target.h sign keygen
all: sign keygen
debug: CFLAGS+=$(DEBUG_FLAGS)
debug: all
# Target.h is required for key tools
$(WOLFBOOTDIR)/include/target.h: $(WOLFBOOTDIR)/include/target.h.in
@cat $(WOLFBOOTDIR)/include/target.h.in | \
sed -e "s/@WOLFBOOT_PARTITION_SIZE@/$(WOLFBOOT_PARTITION_SIZE)/g" | \
sed -e "s/@WOLFBOOT_SECTOR_SIZE@/$(WOLFBOOT_SECTOR_SIZE)/g" | \
sed -e "s/@WOLFBOOT_PARTITION_BOOT_ADDRESS@/$(WOLFBOOT_PARTITION_BOOT_ADDRESS)/g" | \
sed -e "s/@WOLFBOOT_PARTITION_UPDATE_ADDRESS@/$(WOLFBOOT_PARTITION_UPDATE_ADDRESS)/g" | \
sed -e "s/@WOLFBOOT_PARTITION_SWAP_ADDRESS@/$(WOLFBOOT_PARTITION_SWAP_ADDRESS)/g" | \
sed -e "s/@WOLFBOOT_DTS_BOOT_ADDRESS@/$(WOLFBOOT_DTS_BOOT_ADDRESS)/g" | \
sed -e "s/@WOLFBOOT_DTS_UPDATE_ADDRESS@/$(WOLFBOOT_DTS_UPDATE_ADDRESS)/g" | \
sed -e "s/@WOLFBOOT_LOAD_ADDRESS@/$(WOLFBOOT_LOAD_ADDRESS)/g" | \
sed -e "s/@WOLFBOOT_LOAD_DTS_ADDRESS@/$(WOLFBOOT_LOAD_DTS_ADDRESS)/g" \
> $@
# build objects
$(OBJDIR)/%.o: %.c
$(Q)$(CC) $(CFLAGS) -c -o $@ $<
@ -209,9 +126,6 @@ $(OBJDIR)/%.o: $(WOLFBOOTDIR)/src/%.c
$(OBJDIR)/%.o: $(WOLFDIR)/wolfcrypt/src/%.c
$(Q)$(CC) $(CFLAGS) -c -o $@ $<
$(XMSSDIR)/src/%.o: $(XMSSDIR)/src/%.c
$(Q)$(CC) $(CFLAGS) -c -o $@ $<
# build templates
sign: $(OBJS_VIRT) $(LIBS) sign.o
@echo "Building signing tool"
@ -224,11 +138,3 @@ keygen: $(OBJS_VIRT) $(LIBS) keygen.o
clean:
rm -f sign keygen *.o
# The final make clean is to ensure a subsequent LMS wolfboot
# hash-sigs build is separate from keytools.
$(LMSDIR)/lib/hss_lib.a:
@echo "Building hss_lib.a"
$(Q)@$(MAKE) -C $(LMSDIR)/src/ -s clean
$(Q)@$(MAKE) -C $(LMSDIR)/src/ hss_lib.a
$(Q)cp $(LMSDIR)/src/hss_lib.a $(LMSDIR)/lib/
$(Q)@$(MAKE) -C $(LMSDIR)/src/ -s clean


@ -123,14 +123,8 @@ static int exportPubKey = 0;
static WC_RNG rng;
static int noLocalKeys = 0;
#ifndef KEYSLOT_MAX_PUBKEY_SIZE
#if defined(KEYSTORE_PUBKEY_SIZE_ML_DSA)
/* ML-DSA pub keys are big. */
#define KEYSLOT_MAX_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ML_DSA
#else
#define KEYSLOT_MAX_PUBKEY_SIZE 576
#endif
#endif
/* ML-DSA pub keys are big. */
#define KEYSLOT_MAX_PUBKEY_SIZE ML_DSA_L5_PUBKEY_SIZE
struct keystore_slot {
uint32_t slot_id;
@ -457,15 +451,35 @@ static uint32_t get_pubkey_size(uint32_t keyType)
case KEYGEN_XMSS:
size = KEYSTORE_PUBKEY_SIZE_XMSS;
break;
#ifdef KEYSTORE_PUBKEY_SIZE_ML_DSA
case KEYGEN_ML_DSA:
size = KEYSTORE_PUBKEY_SIZE_ML_DSA;
{
char *env_ml_dsa_level = getenv("ML_DSA_LEVEL");
if (env_ml_dsa_level == NULL) {
fprintf(stderr, "warning: ML_DSA_LEVEL environment variable"
" not set, assuming level 2\n");
size = ML_DSA_L2_PUBKEY_SIZE;
} else {
int level = atoi(env_ml_dsa_level);
switch (level) {
case 2:
size = ML_DSA_L2_PUBKEY_SIZE;
break;
case 3:
size = ML_DSA_L3_PUBKEY_SIZE;
break;
case 5:
size = ML_DSA_L5_PUBKEY_SIZE;
break;
default:
fprintf(stderr, "error: invalid ML_DSA_LEVEL: %d\n", level);
exit(1);
}
}
break;
#endif
default:
size = 0;
}
}
return size;
}
@ -526,7 +540,6 @@ void keystore_add(uint32_t ktype, uint8_t *key, uint32_t sz, const char *keyfile
}
#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN)
static void keygen_rsa(const char *keyfile, int kbits, uint32_t id_mask)
{
RsaKey k;
@ -576,9 +589,7 @@ static void keygen_rsa(const char *keyfile, int kbits, uint32_t id_mask)
else if (kbits == 4096)
keystore_add(KEYGEN_RSA4096, pub_der, publen, keyfile, id_mask);
}
#endif
#ifdef HAVE_ECC
#define MAX_ECC_KEY_SIZE 66
static void keygen_ecc(const char *priv_fname, uint16_t ecc_key_size,
@ -682,10 +693,8 @@ static void keygen_ecc(const char *priv_fname, uint16_t ecc_key_size,
else if (ecc_key_size == 66)
keystore_add(KEYGEN_ECC521, k_buffer, 2 * ecc_key_size, priv_fname, id_mask);
}
#endif
#ifdef HAVE_ED25519
static void keygen_ed25519(const char *privkey, uint32_t id_mask)
{
ed25519_key k;
@ -722,9 +731,7 @@ static void keygen_ed25519(const char *privkey, uint32_t id_mask)
keystore_add(KEYGEN_ED25519, pub, ED25519_PUB_KEY_SIZE, privkey, id_mask);
}
#endif
#ifdef HAVE_ED448
static void keygen_ed448(const char *privkey, uint32_t id_mask)
{
ed448_key k;
@ -761,9 +768,7 @@ static void keygen_ed448(const char *privkey, uint32_t id_mask)
keystore_add(KEYGEN_ED448, pub, ED448_PUB_KEY_SIZE, privkey, id_mask);
}
#endif
#if defined(WOLFSSL_HAVE_LMS)
#include "../lms/lms_common.h"
static void keygen_lms(const char *priv_fname, uint32_t id_mask)
@ -773,6 +778,22 @@ static void keygen_lms(const char *priv_fname, uint32_t id_mask)
int ret;
byte lms_pub[HSS_MAX_PUBLIC_KEY_LEN];
word32 pub_len = sizeof(lms_pub);
int lms_levels, lms_height, lms_winternitz;
char *env_lms_levels, *env_lms_height, *env_lms_winternitz;
lms_levels = LMS_LEVELS;
lms_height = LMS_HEIGHT;
lms_winternitz = LMS_WINTERNITZ;
env_lms_levels = getenv("LMS_LEVELS");
env_lms_height = getenv("LMS_HEIGHT");
env_lms_winternitz = getenv("LMS_WINTERNITZ");
if (env_lms_levels != NULL)
lms_levels = atoi(env_lms_levels);
if (env_lms_height != NULL)
lms_height = atoi(env_lms_height);
if (env_lms_winternitz != NULL)
lms_winternitz = atoi(env_lms_winternitz);
ret = wc_LmsKey_Init(&key, NULL, INVALID_DEVID);
if (ret != 0) {
@ -780,16 +801,16 @@ static void keygen_lms(const char *priv_fname, uint32_t id_mask)
exit(1);
}
ret = wc_LmsKey_SetParameters(&key, LMS_LEVELS, LMS_HEIGHT, LMS_WINTERNITZ);
ret = wc_LmsKey_SetParameters(&key, lms_levels, lms_height, lms_winternitz);
if (ret != 0) {
fprintf(stderr, "error: wc_LmsKey_SetParameters(%d, %d, %d)" \
" returned %d\n", LMS_LEVELS, LMS_HEIGHT,
LMS_WINTERNITZ, ret);
" returned %d\n", lms_levels, lms_height,
lms_winternitz, ret);
exit(1);
}
printf("info: using LMS parameters: L%d-H%d-W%d\n", LMS_LEVELS,
LMS_HEIGHT, LMS_WINTERNITZ);
printf("info: using LMS parameters: L%d-H%d-W%d\n", lms_levels,
lms_height, lms_winternitz);
ret = wc_LmsKey_SetWriteCb(&key, lms_write_key);
if (ret != 0) {
@ -850,9 +871,7 @@ static void keygen_lms(const char *priv_fname, uint32_t id_mask)
wc_LmsKey_Free(&key);
}
#endif /* if defined(WOLFSSL_HAVE_LMS) */
#if defined(WOLFSSL_HAVE_XMSS)
#include "../xmss/xmss_common.h"
static void keygen_xmss(const char *priv_fname, uint32_t id_mask)
@ -862,6 +881,7 @@ static void keygen_xmss(const char *priv_fname, uint32_t id_mask)
int ret;
word32 priv_sz = 0;
byte xmss_pub[XMSS_SHA256_PUBLEN];
char *xmss_params = getenv("XMSS_PARAMS");
word32 pub_len = sizeof(xmss_pub);
ret = wc_XmssKey_Init(&key, NULL, INVALID_DEVID);
@ -870,14 +890,17 @@ static void keygen_xmss(const char *priv_fname, uint32_t id_mask)
exit(1);
}
ret = wc_XmssKey_SetParamStr(&key, WOLFBOOT_XMSS_PARAMS);
if (xmss_params != NULL)
xmss_params = WOLFBOOT_XMSS_PARAMS;
ret = wc_XmssKey_SetParamStr(&key, xmss_params);
if (ret != 0) {
fprintf(stderr, "error: wc_XmssKey_SetParamStr(%s)" \
" returned %d\n", WOLFBOOT_XMSS_PARAMS, ret);
" returned %d\n", xmss_params, ret);
exit(1);
}
printf("info: using XMSS parameters: %s\n", WOLFBOOT_XMSS_PARAMS);
printf("info: using XMSS parameters: %s\n", xmss_params);
ret = wc_XmssKey_SetWriteCb(&key, xmss_write_key);
if (ret != 0) {
@ -948,9 +971,7 @@ static void keygen_xmss(const char *priv_fname, uint32_t id_mask)
wc_XmssKey_Free(&key);
}
#endif /* if defined(WOLFSSL_HAVE_XMSS) */
#if defined(WOLFSSL_WC_DILITHIUM)
static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask)
{
@ -958,11 +979,18 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask)
MlDsaKey key;
int ret;
byte * priv = NULL;
byte pub[KEYSTORE_PUBKEY_SIZE_ML_DSA];
byte pub[ML_DSA_L5_PUBKEY_SIZE]; /* max size */
word32 priv_len = 0;
word32 pub_len = 0;
int ml_dsa_priv_len = 0;
int ml_dsa_pub_len = 0;
int ml_dsa_level = ML_DSA_LEVEL;
char * env_ml_dsa_level = getenv("ML_DSA_LEVEL");
if (env_ml_dsa_level != NULL) {
ml_dsa_level = atoi(env_ml_dsa_level);
}
fprintf(stderr, "info: using DSA level %d\n", ml_dsa_level);
ret = wc_MlDsaKey_Init(&key, NULL, INVALID_DEVID);
if (ret != 0) {
@ -970,10 +998,10 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask)
exit(1);
}
ret = wc_MlDsaKey_SetParams(&key, ML_DSA_LEVEL);
ret = wc_MlDsaKey_SetParams(&key, ml_dsa_level);
if (ret != 0) {
fprintf(stderr, "error: wc_MlDsaKey_SetParams(%d) returned %d\n",
ML_DSA_LEVEL, ret);
ml_dsa_level, ret);
exit(1);
}
@ -991,6 +1019,7 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask)
ret);
exit(1);
}
printf("info: ml-dsa public key length: %d\n", ml_dsa_pub_len);
/* Get the ML-DSA private key length. This API returns
* the public + private length. */
@ -1000,6 +1029,7 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask)
ret);
exit(1);
}
printf("info: ml-dsa private key length: %d\n", ml_dsa_priv_len);
if (ml_dsa_priv_len <= ml_dsa_pub_len) {
printf("error: ml-dsa: unexpected key lengths: %d, %d",
@ -1032,9 +1062,9 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask)
exit(1);
}
if (pub_len != sizeof(pub)) {
if ((int)pub_len != ml_dsa_pub_len) {
fprintf(stderr, "error: wc_MlDsaKey_ExportPubRaw returned pub_len=%d, " \
"expected %zu\n", pub_len, sizeof(pub));
"expected %d\n", pub_len, ml_dsa_pub_len);
exit(1);
}
@ -1056,14 +1086,13 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask)
fwrite(pub, pub_len, 1, fpriv);
fclose(fpriv);
keystore_add(KEYGEN_ML_DSA, pub, KEYSTORE_PUBKEY_SIZE_ML_DSA,
keystore_add(KEYGEN_ML_DSA, pub, pub_len,
priv_fname, id_mask);
wc_MlDsaKey_Free(&key);
free(priv);
priv = NULL;
}
#endif /* if defined(WOLFSSL_WC_DILITHIUM) */
static void key_gen_check(const char *kfilename)
{
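Review bot: The NULL check added in keygen_xmss is inverted: `if (xmss_params != NULL) xmss_params = WOLFBOOT_XMSS_PARAMS;` discards a value supplied through XMSS_PARAMS, and when the variable is unset it leaves xmss_params NULL for wc_XmssKey_SetParamStr and for the `%s` in the messages that follow. The sign tool's set_signature_sizes on this page uses the opposite test, so the key can be generated with one parameter set while signatures are sized for another; the line should read `if (xmss_params == NULL) xmss_params = WOLFBOOT_XMSS_PARAMS;`. Separately, keygen_lms and keygen_ml_dsa pass LMS_LEVELS, LMS_HEIGHT, LMS_WINTERNITZ and ML_DSA_LEVEL through atoi() unchecked, unlike the switch in get_pubkey_size, so non-numeric input is only caught if the wolfCrypt setter rejects it. keygen_xmss's body continues outside the hunk.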


@ -42,13 +42,9 @@
#include <fcntl.h>
#include <stddef.h>
#include <inttypes.h>
/* target.h is a generated file based on .config (see target.h.in)
* Provides: WOLFBOOT_SECTOR_SIZE */
#include <target.h>
#include <delta.h>
#include "wolfboot/version.h"
#include "wolfboot/wolfboot.h"
#ifdef DEBUG_SIGNTOOL
#define DEBUG_PRINT(...) fprintf(stderr, __VA_ARGS__)
@ -147,9 +143,6 @@ static inline int fp_truncate(FILE *f, size_t len)
#define PATH_MAX 256
#endif
#ifndef IMAGE_HEADER_SIZE
#define IMAGE_HEADER_SIZE 256
#endif
#define WOLFBOOT_MAGIC 0x464C4F57 /* WOLF */
@ -235,39 +228,20 @@ static void header_append_tag(uint8_t* header, uint32_t* idx, uint16_t tag,
*idx += len;
}
#ifdef WOLFSSL_HAVE_LMS
#include "../lms/lms_common.h"
#endif
#ifdef WOLFSSL_HAVE_XMSS
#include "../xmss/xmss_common.h"
#endif
/* Globals */
static const char wolfboot_delta_file[] = "/tmp/wolfboot-delta.bin";
static struct {
#ifdef HAVE_ED25519
ed25519_key ed;
#endif
#ifdef HAVE_ED448
ed448_key ed4;
#endif
#ifdef HAVE_ECC
ecc_key ecc;
#endif
#ifndef NO_RSA
RsaKey rsa;
#endif
#ifdef WOLFSSL_HAVE_LMS
LmsKey lms;
#endif
#ifdef WOLFSSL_HAVE_XMSS
XmssKey xmss;
#endif
#ifdef WOLFSSL_WC_DILITHIUM
MlDsaKey ml_dsa;
#endif
} key;
struct cmd_options {
@ -314,7 +288,6 @@ static struct cmd_options CMD = {
.sign = SIGN_AUTO,
.encrypt = ENC_OFF,
.hash_algo = HASH_SHA256,
.header_sz = IMAGE_HEADER_SIZE,
.partition_id = HDR_IMG_TYPE_APP,
.hybrid = 0
};
@ -324,7 +297,7 @@ static uint16_t sign_tool_find_header(uint8_t *haystack, uint16_t type, uint8_t
uint8_t *p = haystack;
uint16_t len, htype;
const volatile uint8_t *max_p = (haystack - IMAGE_HEADER_OFFSET) +
IMAGE_HEADER_SIZE;
CMD.header_sz;
*ptr = NULL;
if (p > max_p) {
fprintf(stderr, "Illegal address (too high)\n");
@ -344,16 +317,16 @@ static uint16_t sign_tool_find_header(uint8_t *haystack, uint16_t type, uint8_t
len = p[2] | (p[3] << 8);
/* check len */
if ((4 + len) > (uint16_t)(IMAGE_HEADER_SIZE - IMAGE_HEADER_OFFSET)) {
fprintf(stderr, "This field is too large (bigger than the space available "
"in the current header)\n");
//fprintf(stderr, "%d %d %d\n", len, IMAGE_HEADER_SIZE, IMAGE_HEADER_OFFSET);
if ((4 + len) > (uint16_t)(CMD.header_sz - IMAGE_HEADER_OFFSET)) {
fprintf(stderr, "This field too large to fit into header "
"(%d > %d)\n",
(int)(4 + len), (int)(CMD.header_sz - IMAGE_HEADER_OFFSET));
break;
}
/* check max pointer */
if (p + 4 + len > max_p) {
fprintf(stderr, "This field is too large and would overflow the image "
"header\n");
fprintf(stderr, "This field is too large and would overflow the "
"image header pointer\n");
break;
}
@ -371,7 +344,7 @@ static uint16_t sign_tool_find_header(uint8_t *haystack, uint16_t type, uint8_t
}
static int load_key_ecc(int sign_type, uint32_t curve_sz, int curve_id,
int header_sz,
uint32_t header_sz,
uint8_t **key_buffer, uint32_t *key_buffer_sz,
uint8_t **pubkey, uint32_t *pubkey_sz, int secondary)
{
@ -456,7 +429,8 @@ static int load_key_ecc(int sign_type, uint32_t curve_sz, int curve_id,
free(*pubkey);
if (ret == 0 || CMD.sign != SIGN_AUTO) {
CMD.header_sz = header_sz;
if (CMD.header_sz < header_sz)
CMD.header_sz = header_sz;
if (secondary) {
CMD.secondary_sign = sign_type;
CMD.secondary_signature_sz = (curve_sz * 2);
@ -471,7 +445,7 @@ static int load_key_ecc(int sign_type, uint32_t curve_sz, int curve_id,
}
static int load_key_rsa(int sign_type, uint32_t rsa_keysz, uint32_t rsa_pubkeysz,
int header_sz,
uint32_t header_sz,
uint8_t **key_buffer, uint32_t *key_buffer_sz,
uint8_t **pubkey, uint32_t *pubkey_sz, int secondary)
{
@ -487,12 +461,6 @@ static int load_key_rsa(int sign_type, uint32_t rsa_keysz, uint32_t rsa_pubkeysz
if (*pubkey_sz <= rsa_pubkeysz) {
CMD.header_sz = header_sz;
if (CMD.policy_sign) {
CMD.header_sz += 512;
}
else if (sign_type == SIGN_RSA3072 && CMD.hash_algo != HASH_SHA256) {
CMD.header_sz += 512;
}
if (secondary) {
CMD.secondary_signature_sz = rsa_keysz;
CMD.secondary_sign = sign_type;
@ -530,13 +498,8 @@ static int load_key_rsa(int sign_type, uint32_t rsa_keysz, uint32_t rsa_pubkeysz
}
if (ret == 0 || CMD.sign != SIGN_AUTO) {
CMD.header_sz = header_sz;
if (CMD.policy_sign) {
CMD.header_sz += 512;
}
else if (sign_type == SIGN_RSA3072 && CMD.hash_algo != HASH_SHA256) {
CMD.header_sz += 512;
}
if (CMD.header_sz < header_sz)
CMD.header_sz = header_sz;
if (secondary) {
CMD.secondary_sign = sign_type;
CMD.secondary_signature_sz = keySzOut;
@ -558,13 +521,8 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
uint32_t idx = 0;
int io_sz;
FILE *f;
#if defined(WOLFSSL_HAVE_XMSS)
word32 priv_sz = 0;
#endif
#if defined(WOLFSSL_WC_DILITHIUM)
int priv_sz = 0;
int pub_sz = 0;
#endif
word32 pub_sz = 0;
int sign = CMD.sign;
const char *key_file = CMD.key_file;
@ -765,7 +723,6 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
if (ret == 0)
break;
#ifdef WOLFSSL_HAVE_LMS
FALL_THROUGH; /* we didn't solve the key, keep trying */
case SIGN_LMS:
ret = -1;
@ -805,9 +762,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
printf("error: unrecognized LMS key size: %d\n",
*key_buffer_sz);
}
#endif /* WOLFSSL_HAVE_LMS */
#ifdef WOLFSSL_HAVE_XMSS
FALL_THROUGH; /* we didn't solve the key, keep trying */
case SIGN_XMSS:
ret = -1;
@ -855,12 +810,9 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
printf("error: unrecognized XMSS key size: %d\n",
*key_buffer_sz);
}
#endif /* WOLFSSL_HAVE_XMSS */
#ifdef WOLFSSL_WC_DILITHIUM
FALL_THROUGH; /* we didn't solve the key, keep trying */
case SIGN_ML_DSA:
ret = wc_MlDsaKey_GetPubLen(&key.ml_dsa, &pub_sz);
ret = wc_MlDsaKey_GetPubLen(&key.ml_dsa, (int *)&pub_sz);
if (ret != 0 || pub_sz <= 0) {
printf("error: wc_MlDsaKey_GetPubLen returned %d\n", ret);
@ -869,7 +821,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
/* Get the ML-DSA private key length. This API returns
* the public + private length. */
ret = wc_MlDsaKey_GetPrivLen(&key.ml_dsa, &priv_sz);
ret = wc_MlDsaKey_GetPrivLen(&key.ml_dsa, (int*)&priv_sz);
if (ret != 0 || priv_sz <= 0) {
printf("error: wc_MlDsaKey_GetPrivLen returned %d\n", ret);
@ -888,7 +840,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
DEBUG_PRINT("info: ml-dsa priv len: %d\n", priv_sz);
DEBUG_PRINT("info: ml-dsa pub len: %d\n", pub_sz);
if ((int)*key_buffer_sz == (priv_sz + pub_sz)) {
if (*key_buffer_sz == (priv_sz + pub_sz)) {
/* priv + pub */
ret = wc_MlDsaKey_ImportPrivRaw(&key.ml_dsa, *key_buffer,
priv_sz);
@ -898,7 +850,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
printf("Found ml-dsa key\n");
break;
}
else if ((int)*key_buffer_sz == pub_sz) {
else if (*key_buffer_sz == pub_sz) {
/* pub only */
*pubkey = (*key_buffer);
*pubkey_sz = pub_sz;
@ -912,8 +864,6 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
*key_buffer_sz);
ret = -1;
}
#endif /* WOLFSSL_WC_DILITHIUM */
break;
} /* end switch (sign) */
@ -923,13 +873,6 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
goto failure;
}
if (CMD.header_sz < IMAGE_HEADER_SIZE) {
printf("image header size overridden by config value (%u bytes)\n", IMAGE_HEADER_SIZE);
CMD.header_sz = IMAGE_HEADER_SIZE;
} else {
printf("image header size calculated at runtime (%u bytes)\n", CMD.header_sz);
}
DEBUG_PRINT("Pubkey %d\n", *pubkey_sz);
DEBUG_BUFFER(*pubkey, *pubkey_sz);
return *key_buffer;
@ -956,21 +899,16 @@ static int sign_digest(int sign, int hash_algo,
return ret;
}
#ifdef HAVE_ED25519
if (sign == SIGN_ED25519) {
ret = wc_ed25519_sign_msg(digest, digest_sz, signature,
signature_sz, &key.ed);
}
else
#endif
#ifdef HAVE_ED448
if (sign == SIGN_ED448) {
ret = wc_ed448_sign_msg(digest, digest_sz, signature,
signature_sz, &key.ed4, NULL, 0);
}
else
#endif
#ifdef HAVE_ECC
if (sign == SIGN_ECC256 ||
sign == SIGN_ECC384 ||
sign == SIGN_ECC521)
@ -998,8 +936,6 @@ static int sign_digest(int sign, int hash_algo,
mp_clear(&r); mp_clear(&s);
}
else
#endif
#ifndef NO_RSA
if (sign == SIGN_RSA2048 ||
sign == SIGN_RSA3072 ||
sign == SIGN_RSA4096)
@ -1030,8 +966,6 @@ static int sign_digest(int sign, int hash_algo,
}
}
else
#endif
#ifdef WOLFSSL_HAVE_LMS
if (sign == SIGN_LMS) {
const char *key_file = CMD.key_file;
if (secondary) {
@ -1057,8 +991,6 @@ static int sign_digest(int sign, int hash_algo,
}
}
else
#endif /* WOLFSSL_HAVE_LMS */
#ifdef WOLFSSL_HAVE_XMSS
if (sign == SIGN_XMSS) {
const char *key_file = CMD.key_file;
if (secondary) {
@ -1090,8 +1022,6 @@ static int sign_digest(int sign, int hash_algo,
}
}
else
#endif /* WOLFSSL_HAVE_XMSS */
#ifdef WOLFSSL_WC_DILITHIUM
if (sign == SIGN_ML_DSA) {
/* Nothing else to do, ready to sign. */
if (ret == 0) {
@ -1103,7 +1033,6 @@ static int sign_digest(int sign, int hash_algo,
}
}
else
#endif /* WOLFSSL_WC_DILITHIUM */
{
ret = NOT_COMPILED_IN;
}
@ -1809,10 +1738,9 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in
struct stat st;
void *base = NULL;
void *buffer = NULL;
uint8_t dest[WOLFBOOT_SECTOR_SIZE];
uint8_t *dest = NULL;
uint8_t ff = 0xff;
int r;
uint32_t blksz = WOLFBOOT_SECTOR_SIZE;
uint32_t patch_sz, patch_inv_sz;
uint32_t patch_inv_off;
uint32_t delta_base_version = 0;
@ -1822,6 +1750,17 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in
int io_sz;
uint8_t *base_hash = NULL;
uint32_t base_hash_sz = 0;
uint32_t wolfboot_sector_size = 0;
uint32_t blksz;
wolfboot_sector_size = wb_diff_get_sector_size();
printf("delta update: WOLFBOOT_SECTOR_SIZE: %u\n", wolfboot_sector_size);
blksz = wolfboot_sector_size;
dest = malloc(wolfboot_sector_size);
if (!dest) {
printf("Error allocating memory to prepare patch sectors\n");
goto cleanup;
}
/* Get source file size */
if (stat(f_base, &st) < 0) {
@ -1887,11 +1826,11 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in
/* Retrieve the hash digest of the base image */
if (CMD.hash_algo == HASH_SHA256)
base_hash_sz = sign_tool_find_header(base + 8, HDR_SHA256, &base_hash);
base_hash_sz = sign_tool_find_header((uint8_t*)base + 8, HDR_SHA256, &base_hash);
else if (CMD.hash_algo == HASH_SHA384)
base_hash_sz = sign_tool_find_header(base + 8, HDR_SHA384, &base_hash);
base_hash_sz = sign_tool_find_header((uint8_t*)base + 8, HDR_SHA384, &base_hash);
else if (CMD.hash_algo == HASH_SHA3)
base_hash_sz = sign_tool_find_header(base + 8, HDR_SHA3_384, &base_hash);
base_hash_sz = sign_tool_find_header((uint8_t*)base + 8, HDR_SHA3_384, &base_hash);
#if HAVE_MMAP
/* Open second image file */
@ -2050,6 +1989,10 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in
delta_base_version, patch_sz, patch_inv_off, patch_inv_sz, base_hash, base_hash_sz);
cleanup:
if (dest) {
free(dest);
dest = NULL;
}
/* Unlink output file */
unlink(wolfboot_delta_file);
#if HAVE_MMAP
@ -2112,6 +2055,8 @@ static void set_signature_sizes(int secondary)
{
uint32_t *sz = &CMD.signature_sz;
int *sign = &CMD.sign;
uint32_t suggested_sz = 0;
char *env_image_header_size;
if (secondary) {
sz = &CMD.secondary_signature_sz;
sign = &CMD.secondary_sign;
@ -2159,28 +2104,44 @@ static void set_signature_sizes(int secondary)
CMD.header_sz = 1024;
*sz = 512;
}
#ifdef WOLFSSL_HAVE_LMS
else if (*sign == SIGN_LMS) {
int lms_ret = 0;
word32 sig_sz = 0;
char *lms_levels_str, *lms_height_str, *lms_winternitz_str;
int lms_levels, lms_height, lms_winternitz;
lms_levels_str = getenv("LMS_LEVELS");
lms_height_str = getenv("LMS_HEIGHT");
lms_winternitz_str = getenv("LMS_WINTERNITZ");
if (!lms_levels_str)
lms_levels = LMS_LEVELS;
else
lms_levels = atoi(lms_levels_str);
if (!lms_height_str)
lms_height = LMS_HEIGHT;
else
lms_height = atoi(lms_height_str);
if (!lms_winternitz_str)
lms_winternitz = LMS_WINTERNITZ;
else
lms_winternitz = atoi(lms_winternitz_str);
lms_ret = wc_LmsKey_Init(&key.lms, NULL, INVALID_DEVID);
if (lms_ret != 0) {
fprintf(stderr, "error: wc_LmsKey_Init returned %d\n", lms_ret);
exit(1);
}
lms_ret = wc_LmsKey_SetParameters(&key.lms, LMS_LEVELS,
LMS_HEIGHT, LMS_WINTERNITZ);
lms_ret = wc_LmsKey_SetParameters(&key.lms, lms_levels, lms_height,
lms_winternitz);
if (lms_ret != 0) {
fprintf(stderr, "error: wc_LmsKey_SetParameters(%d, %d, %d)" \
" returned %d\n", LMS_LEVELS, LMS_HEIGHT,
LMS_WINTERNITZ, lms_ret);
" returned %d\n", lms_levels, lms_height,
lms_winternitz, lms_ret);
exit(1);
}
printf("info: using LMS parameters: L%d-H%d-W%d\n", LMS_LEVELS,
LMS_HEIGHT, LMS_WINTERNITZ);
printf("info: using LMS parameters: L%d-H%d-W%d\n", lms_levels,
lms_height, lms_winternitz);
lms_ret = wc_LmsKey_GetSigLen(&key.lms, &sig_sz);
if (lms_ret != 0) {
@ -2191,14 +2152,20 @@ static void set_signature_sizes(int secondary)
DEBUG_PRINT("info: LMS signature size: %d\n", sig_sz);
CMD.header_sz = 2 * sig_sz;
if (CMD.header_sz < 2 * sig_sz)
CMD.header_sz = 2 * sig_sz;
*sz = sig_sz;
}
#endif /* WOLFSSL_HAVE_LMS */
#ifdef WOLFSSL_HAVE_XMSS
else if (*sign == SIGN_XMSS) {
int xmss_ret = 0;
word32 sig_sz = 0;
char *xmss_params = NULL;
xmss_params = getenv("XMSS_PARAMS");
if (!xmss_params)
xmss_params = WOLFBOOT_XMSS_PARAMS;
printf("info: using XMSS parameters: %s\n", xmss_params);
xmss_ret = wc_XmssKey_Init(&key.xmss, NULL, INVALID_DEVID);
if (xmss_ret != 0) {
@ -2206,14 +2173,13 @@ static void set_signature_sizes(int secondary)
exit(1);
}
xmss_ret = wc_XmssKey_SetParamStr(&key.xmss, WOLFBOOT_XMSS_PARAMS);
xmss_ret = wc_XmssKey_SetParamStr(&key.xmss, xmss_params);
if (xmss_ret != 0) {
fprintf(stderr, "error: wc_XmssKey_SetParamStr(%s)" \
" returned %d\n", WOLFBOOT_XMSS_PARAMS, xmss_ret);
" returned %d\n", xmss_params, xmss_ret);
exit(1);
}
printf("info: using XMSS parameters: %s\n", WOLFBOOT_XMSS_PARAMS);
xmss_ret = wc_XmssKey_GetSigLen(&key.xmss, &sig_sz);
if (xmss_ret != 0) {
@ -2224,14 +2190,18 @@ static void set_signature_sizes(int secondary)
DEBUG_PRINT("info: XMSS signature size: %d\n", sig_sz);
CMD.header_sz = 2 * sig_sz;
if (CMD.header_sz < 2 * sig_sz)
CMD.header_sz = 2 * sig_sz;
*sz = sig_sz;
}
#endif /* WOLFSSL_HAVE_XMSS */
#ifdef WOLFSSL_WC_DILITHIUM
else if (*sign == SIGN_ML_DSA) {
int ml_dsa_ret = 0;
int sig_sz = 0;
uint32_t sig_sz = 0;
char *env_ml_dsa_level = NULL;
int ml_dsa_level = ML_DSA_LEVEL;
env_ml_dsa_level = getenv("ML_DSA_LEVEL");
if (env_ml_dsa_level)
ml_dsa_level = atoi(env_ml_dsa_level);
ml_dsa_ret = wc_MlDsaKey_Init(&key.ml_dsa, NULL, INVALID_DEVID);
if (ml_dsa_ret != 0) {
@ -2239,16 +2209,16 @@ static void set_signature_sizes(int secondary)
exit(1);
}
ml_dsa_ret = wc_MlDsaKey_SetParams(&key.ml_dsa, ML_DSA_LEVEL);
ml_dsa_ret = wc_MlDsaKey_SetParams(&key.ml_dsa, ml_dsa_level);
if (ml_dsa_ret != 0) {
fprintf(stderr, "error: wc_MlDsaKey_SetParamStr(%d)" \
" returned %d\n", ML_DSA_LEVEL, ml_dsa_ret);
" returned %d\n", ml_dsa_level, ml_dsa_ret);
exit(1);
}
printf("info: using ML-DSA parameters: %d\n", ML_DSA_LEVEL);
printf("info: using ML-DSA parameters: %d\n", ml_dsa_level);
ml_dsa_ret = wc_MlDsaKey_GetSigLen(&key.ml_dsa, &sig_sz);
ml_dsa_ret = wc_MlDsaKey_GetSigLen(&key.ml_dsa, (int *)&sig_sz);
if (ml_dsa_ret != 0) {
fprintf(stderr, "error: wc_MlDsaKey_GetSigLen returned %d\n",
ml_dsa_ret);
@ -2257,10 +2227,26 @@ static void set_signature_sizes(int secondary)
DEBUG_PRINT("info: ML-DSA signature size: %d\n", sig_sz);
CMD.header_sz = 2 * sig_sz;
if (CMD.header_sz < 2 * sig_sz)
CMD.header_sz = 2 * sig_sz;
*sz = sig_sz;
}
#endif /* WOLFSSL_WC_DILITHIUM */
env_image_header_size = getenv("IMAGE_HEADER_SIZE");
if (env_image_header_size) {
suggested_sz = atoi(env_image_header_size);
}
if (suggested_sz != 0) {
if (CMD.header_sz <= suggested_sz)
CMD.header_sz = suggested_sz;
else
printf("Environment variable IMAGE_HEADER_SIZE=%u overridden.\n", suggested_sz);
}
if ((CMD.header_sz == 256) && (CMD.delta)) {
printf("Adjusting header size to fit base image of delta update \n");
CMD.header_sz <<= 1;
}
printf("Manifest header size: %u\n", CMD.header_sz);
}
int main(int argc, char** argv)
@ -2291,6 +2277,9 @@ int main(int argc, char** argv)
exit(1);
}
/* Set initial manifest header size to a minimum default value */
CMD.header_sz = 256;
/* Parse Arguments */
for (i=1; i<argc; i++) {
if (strcmp(argv[i], "--no-sign") == 0) {
@ -2408,7 +2397,6 @@ int main(int argc, char** argv)
sign_str = "RSA4096";
}
}
#ifdef WOLFSSL_HAVE_LMS
else if (strcmp(argv[i], "--lms") == 0) {
if (CMD.sign != SIGN_AUTO) {
CMD.hybrid = 1;
@ -2419,8 +2407,6 @@ int main(int argc, char** argv)
sign_str = "LMS";
}
}
#endif
#ifdef WOLFSSL_HAVE_XMSS
else if (strcmp(argv[i], "--xmss") == 0) {
if (CMD.sign != SIGN_AUTO) {
CMD.hybrid = 1;
@ -2431,8 +2417,6 @@ int main(int argc, char** argv)
sign_str = "XMSS";
}
}
#endif
#ifdef HAVE_DILITHIUM
else if (strcmp(argv[i], "--ml_dsa") == 0) {
if (CMD.sign != SIGN_AUTO) {
CMD.hybrid = 1;
@ -2443,7 +2427,6 @@ int main(int argc, char** argv)
sign_str = "ML-DSA";
}
}
#endif
else if (strcmp(argv[i], "--sha256") == 0) {
CMD.hash_algo = HASH_SHA256;
hash_str = "SHA256";
@ -2656,6 +2639,7 @@ int main(int argc, char** argv)
CMD.fw_version = argv[i+2];
}
memset(buf, 0, sizeof(buf));
strncpy((char*)buf, CMD.image_file, sizeof(buf)-1);
tmpstr = strrchr((char*)buf, '.');
if (tmpstr) {
@ -2790,43 +2774,29 @@ int main(int argc, char** argv)
if (kbuf)
free(kbuf);
if (CMD.sign == SIGN_ED25519) {
#ifdef HAVE_ED25519
wc_ed25519_free(&key.ed);
#endif
}
else if (CMD.sign == SIGN_ED448) {
#ifdef HAVE_ED448
wc_ed448_free(&key.ed4);
#endif
}
else if (CMD.sign == SIGN_ECC256 ||
CMD.sign == SIGN_ECC384 ||
CMD.sign == SIGN_ECC521) {
#ifdef HAVE_ECC
wc_ecc_free(&key.ecc);
#endif
}
else if (CMD.sign == SIGN_RSA2048 ||
CMD.sign == SIGN_RSA3072 ||
CMD.sign == SIGN_RSA4096) {
#ifndef NO_RSA
wc_FreeRsaKey(&key.rsa);
#endif
}
else if (CMD.sign == SIGN_LMS) {
#ifdef WOLFSSL_HAVE_LMS
wc_LmsKey_Free(&key.lms);
#endif
}
else if (CMD.sign == SIGN_XMSS) {
#ifdef WOLFSSL_HAVE_XMSS
wc_XmssKey_Free(&key.xmss);
#endif
}
else if (CMD.sign == SIGN_ML_DSA) {
#ifdef WOLFSSL_WC_DILITHIUM
wc_MlDsaKey_Free(&key.ml_dsa);
#endif
}
return ret;
}
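Review bot: In set_signature_sizes the new IMAGE_HEADER_SIZE handling stores the result of `atoi()` on an environment string in a `uint32_t`, so a negative value wraps to a very large header size and non-numeric text silently becomes 0 and is ignored. The result becomes CMD.header_sz, which sign_tool_find_header later narrows with `(uint16_t)(CMD.header_sz - IMAGE_HEADER_OFFSET)`, so a value above 65535 would also shrink the length check there. Parsing with strtoul, rejecting trailing characters and bounding the value closes both cases; the bound below is inferred from that cast and should be confirmed against the header format. The same unchecked atoi() pattern is used for LMS_LEVELS, LMS_HEIGHT, LMS_WINTERNITZ and ML_DSA_LEVEL in this function.

```c
env_image_header_size = getenv("IMAGE_HEADER_SIZE");
if (env_image_header_size) {
    char *end = NULL;
    unsigned long v = strtoul(env_image_header_size, &end, 10);
    /* 0xFFFF: inferred from the uint16_t cast in sign_tool_find_header */
    if (end == env_image_header_size || *end != '\0' || v > 0xFFFF) {
        fprintf(stderr, "error: invalid IMAGE_HEADER_SIZE: %s\n",
                env_image_header_size);
        exit(1);
    }
    suggested_sz = (uint32_t)v;
}
/* … unchanged: comparison with CMD.header_sz and delta adjustment … */
```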


@ -29,6 +29,7 @@
#include <stdint.h>
/* System */
#define WOLFBOOT_KEYTOOLS
#define SINGLE_THREADED
#define WOLFCRYPT_ONLY
@ -73,20 +74,51 @@
#define WOLFSSL_SHA3
#undef NO_SHA256
/* Enable experimental PQ algos */
#define WOLFSSL_EXPERIMENTAL_SETTINGS
/* ML-DSA (dilithium) */
#if defined(WOLFBOOT_SIGN_ML_DSA)
# define HAVE_DILITHIUM
# define WOLFSSL_WC_DILITHIUM
# define WOLFSSL_EXPERIMENTAL_SETTINGS
/* Wolfcrypt builds ML-DSA (dilithium) to the FIPS 204 final
* standard by default. Uncomment this if you want the draft
* version instead. */
#if 0
#define HAVE_DILITHIUM
#define WOLFSSL_WC_DILITHIUM
/* Wolfcrypt builds ML-DSA (dilithium) to the FIPS 204 final
* standard by default. Uncomment this if you want the draft
* version instead. */
#if 0
#define WOLFSSL_DILITHIUM_FIPS204_DRAFT
#endif
/* dilithium needs these sha functions. */
# define WOLFSSL_SHAKE128
#endif /* WOLFBOOT_SIGN_ML_DSA */
#endif
/* Default the keygen/sign tool to use ML-DSA level 2 */
#ifndef ML_DSA_LEVEL
#define ML_DSA_LEVEL 2
#endif
/* Dilithium needs SHAKE128 */
#define WOLFSSL_SHAKE128
/* LMS */
#define WOLFBOOT_SIGN_LMS
#define WOLFSSL_HAVE_LMS
#define WOLFSSL_WC_LMS
#ifndef LMS_LEVELS
#define LMS_LEVELS 1
#endif
#ifndef LMS_HEIGHT
#define LMS_HEIGHT 10
#endif
#ifndef LMS_WINTERNITZ
#define LMS_WINTERNITZ 8
#endif
/* XMSS */
#define WOLFBOOT_SIGN_XMSS
#define WOLFSSL_HAVE_XMSS
#define WOLFSSL_WC_XMSS
#ifndef WOLFBOOT_XMSS_PARAMS
#define WOLFBOOT_XMSS_PARAMS "XMSS-SHA2_10_256"
#endif
#ifndef WOLFSSL_XMSS_MAX_HEIGHT
#define WOLFSSL_XMSS_MAX_HEIGHT 32
#endif
/* ASN */
#define WOLFSSL_ASN_TEMPLATE
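Review bot: The new `#ifndef` defaults for ML_DSA_LEVEL, LMS_LEVELS, LMS_HEIGHT, LMS_WINTERNITZ and WOLFBOOT_XMSS_PARAMS are no longer necessarily the values the tools use, and nothing in the header says so. The keygen and sign sources on this page read the same names from the environment and are meant to fall back to these macros only when the variable is unset. A comment above the block, for example `/* Fallbacks only: keygen/sign take these from the environment when set; they must match the parameters the target verifies with. */`, would make that visible. The second half of that comment is an assumption about the bootloader side, which is not shown here.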


@ -22,32 +22,32 @@
<ProjectGuid>{599F7765-B224-41D4-AA56-597FFA9763BC}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>wolfBootKeygenTool</RootNamespace>
<WindowsTargetPlatformVersion>10.0.16299.0</WindowsTargetPlatformVersion>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
@ -72,6 +72,7 @@
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<TargetName>keygen</TargetName>
<IntDir>$(Platform)\$(Configuration)\$(ProjectName)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
@ -81,10 +82,12 @@
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<TargetName>keygen</TargetName>
<IntDir>$(Platform)\$(Configuration)\$(ProjectName)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<TargetName>keygen</TargetName>
<IntDir>$(Platform)\$(Configuration)\$(ProjectName)\</IntDir>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
@ -93,7 +96,7 @@
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>.;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -107,7 +110,7 @@
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>.;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -123,7 +126,7 @@
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<AdditionalIncludeDirectories>.;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -141,7 +144,7 @@
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<AdditionalIncludeDirectories>.;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -154,6 +157,7 @@
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\asn.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\chacha.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\coding.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\dilithium.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\ecc.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\ed25519.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\ed448.c" />
@ -174,10 +178,14 @@
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\sp_int.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\tfm.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\wc_port.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\wc_lms.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\wc_lms_impl.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\wc_xmss.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\wc_xmss_impl.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\wolfmath.c" />
<ClCompile Include="keygen.c" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
</Project>


@ -22,32 +22,32 @@
<ProjectGuid>{0E5B9C81-CA2B-47CA-BA83-074078CF3393}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>wolfBootSignTool</RootNamespace>
<WindowsTargetPlatformVersion>10.0.16299.0</WindowsTargetPlatformVersion>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
@ -72,6 +72,7 @@
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<TargetName>sign</TargetName>
<IntDir>$(Platform)\$(Configuration)\$(ProjectName)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
@ -81,10 +82,12 @@
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<TargetName>sign</TargetName>
<IntDir>$(Platform)\$(Configuration)\$(ProjectName)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<TargetName>sign</TargetName>
<IntDir>$(Platform)\$(Configuration)\$(ProjectName)\</IntDir>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
@ -92,8 +95,8 @@
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;DELTA_UPDATES;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>.;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;DELTA_UPDATES;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>.;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -106,8 +109,8 @@
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;DELTA_UPDATES;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>.;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;DELTA_UPDATES;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>.;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -122,8 +125,8 @@
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;DELTA_UPDATES;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>.;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;DELTA_UPDATES;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>.;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -140,8 +143,8 @@
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;DELTA_UPDATES;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>.;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;DELTA_UPDATES;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>.;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -151,10 +154,11 @@
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\aes.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\aes.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\asn.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\chacha.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\coding.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\dilithium.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\ecc.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\ed25519.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\ed448.c" />
@ -175,6 +179,10 @@
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\sp_int.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\tfm.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\wc_port.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\wc_lms.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\wc_lms_impl.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\wc_xmss.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\wc_xmss_impl.c" />
<ClCompile Include="..\..\lib\wolfssl\wolfcrypt\src\wolfmath.c" />
<ClCompile Include="..\..\src\delta.c" />
<ClCompile Include="sign.c">
@ -187,4 +195,4 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
</Project>
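Review bot: `WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX` is repeated in all four `PreprocessorDefinitions` entries of this project, and again in the four entries of the keygen project, so eight project-file lines now have to stay in step with whatever the Makefile build of the same tools defines. Because `WOLFSSL_USER_SETTINGS` is already set and `.` comes first on the include path, the two macros could be defined once in the settings header, as `#define WOLFSSL_HAVE_MIN` and `#define WOLFSSL_HAVE_MAX` behind an `_MSC_VER` check; whether that header is shared with the non-Windows build is not visible from this section. The Debug|x64 property group sits between the two `IntDir` hunks and is not shown, so it is worth confirming that it carries the same `IntDir` as the other three configurations.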


@ -15,6 +15,9 @@
# Build dela update version 3 and flash to external (also reprograms internal flash)
# ./tools/scripts/nrf5340/build_flash.sh --delta
#import config for IMAGE_HEADER_SIZE and WOLFBOOT_SECTOR_SIZE
. config/examples/nrf5340.config
# Defaults
MAKE_ARGS=" DEBUG_SYMBOLS=1"
DO_CLEAN=0
@ -28,6 +31,8 @@ DO_PROGRAM_EXT=0
DO_DELTA=0
UPDATE_VERSION=1
SIGN_ENV=IMAGE_HEADER_SIZE=$IMAGE_HEADER_SIZE WOLFBOOT_SECTOR_SIZE=$WOLFBOOT_SECTOR_SIZE
SIGN_TOOL=tools/keytools/sign
SIGN_ARGS="--ecc384 --sha384"
#SIGN_ARGS="--ecc256 --sha256"
@ -161,8 +166,8 @@ fi
if [[ $DO_UPDATE == 1 ]]; then
# Sign flash update for testing (for network partition using --id 2)
tools/keytools/sign $SIGN_ARGS --id 2 tools/scripts/nrf5340/image_net.bin wolfboot_signing_private_key.der $UPDATE_VERSION
tools/keytools/sign $SIGN_ARGS tools/scripts/nrf5340/image_app.bin wolfboot_signing_private_key.der $UPDATE_VERSION
$SIGN_ENV $SIGN_TOOL $SIGN_ARGS --id 2 tools/scripts/nrf5340/image_net.bin wolfboot_signing_private_key.der $UPDATE_VERSION
$SIGN_ENV $SIGN_TOOL $SIGN_ARGS tools/scripts/nrf5340/image_app.bin wolfboot_signing_private_key.der $UPDATE_VERSION
# Create a bin footer with wolfBoot trailer "BOOT" and "p" (ASCII for 0x70 == IMG_STATE_UPDATING):
echo -n "pBOOT" > tools/scripts/nrf5340/trigger_magic.bin
@ -177,8 +182,8 @@ fi
if [[ $DO_DELTA == 1 ]]; then
# Sign flash update for testing (for network partition using --id 2) delta between v1 and v3
tools/keytools/sign $SIGN_ARGS --id 2 --delta tools/scripts/nrf5340/image_net_v1_signed.bin tools/scripts/nrf5340/image_net.bin wolfboot_signing_private_key.der $UPDATE_VERSION
tools/keytools/sign $SIGN_ARGS --delta tools/scripts/nrf5340/image_app_v1_signed.bin tools/scripts/nrf5340/image_app.bin wolfboot_signing_private_key.der $UPDATE_VERSION
$SIGN_ENV $SIGN_TOOL $SIGN_ARGS --id 2 --delta tools/scripts/nrf5340/image_net_v1_signed.bin tools/scripts/nrf5340/image_net.bin wolfboot_signing_private_key.der $UPDATE_VERSION
$SIGN_ENV $SIGN_TOOL $SIGN_ARGS --delta tools/scripts/nrf5340/image_app_v1_signed.bin tools/scripts/nrf5340/image_app.bin wolfboot_signing_private_key.der $UPDATE_VERSION
# Create a bin footer with wolfBoot trailer "BOOT" and "p" (ASCII for 0x70 == IMG_STATE_UPDATING):
echo -n "pBOOT" > tools/scripts/nrf5340/trigger_magic.bin
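Review bot: The new `SIGN_ENV=IMAGE_HEADER_SIZE=$IMAGE_HEADER_SIZE WOLFBOOT_SECTOR_SIZE=$WOLFBOOT_SECTOR_SIZE` line is unquoted, so bash reads it as two separate assignments and `SIGN_ENV` ends up holding only `IMAGE_HEADER_SIZE=<value>`. The four `$SIGN_ENV $SIGN_TOOL ...` calls then fail as well, because a `NAME=value` word produced by expansion is not treated as an environment assignment; bash tries to run it as a command and no image is signed. Exporting the two values once after the config is sourced and dropping the prefix avoids both problems, `export IMAGE_HEADER_SIZE WOLFBOOT_SECTOR_SIZE`, or keep the variable as `SIGN_ENV="env IMAGE_HEADER_SIZE=$IMAGE_HEADER_SIZE WOLFBOOT_SECTOR_SIZE=$WOLFBOOT_SECTOR_SIZE"`. Nothing visible in these hunks stops the script when a sign step fails, so the later flash steps could program a stale `*_signed.bin`; checking the exit status of each sign call would catch that. The `if` blocks continue outside the hunks.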


@ -1,22 +0,0 @@
#!/bin/bash
SIGN_TOOL="python3 ./tools/keytools/sign.py"
if [ -f "./tools/keytools/sign" ]; then
SIGN_TOOL="./tools/keytools/sign"
fi
# SIZE is WOLFBOOT_PARTITION_SIZE - 49 (44B: key + nonce, 5B: "pBOOT")
SIZE=131023
VERSION=7
APP=test-app/image_v"$VERSION"_signed_diff_encrypted.bin
# Create test key
echo -n "0123456789abcdef0123456789abcdef0123456789ab" > enc_key.der
$SIGN_TOOL --ecc256 \
--encrypt enc_key.der \
--delta test-app/image_v1_signed.bin \
test-app/image.bin wolfboot_signing_private_key.der $VERSION
dd if=/dev/zero bs=$SIZE count=1 2>/dev/null | tr "\000" "\377" > update.bin
dd if=$APP of=update.bin bs=1 conv=notrunc
printf "pBOOT" >> update.bin


@ -1,26 +0,0 @@
#!/bin/bash
SIGN_TOOL="python3 ./tools/keytools/sign.py"
if [ -f "./tools/keytools/sign" ]; then
SIGN_TOOL="./tools/keytools/sign"
fi
# SIZE is WOLFBOOT_PARTITION_SIZE - 49 (44B: key + nonce, 5B: "pBOOT")
SIZE=131023
#SIZE=65487
VERSION=8
APP=test-app/image_v"$VERSION"_signed_and_encrypted.bin
# Create test key
echo -n "0123456789abcdef0123456789abcdef0123456789ab" > enc_key.der
$SIGN_TOOL --ecc256 --encrypt enc_key.der test-app/image.bin wolfboot_signing_private_key.der $VERSION
dd if=/dev/zero bs=$SIZE count=1 2>/dev/null | tr "\000" "\377" > update.bin
dd if=$APP of=update.bin bs=1 conv=notrunc
printf "pBOOT" >> update.bin
#Make a 1MB rom image for SPI
rm -f update.rom
dd if=/dev/zero bs=1M count=1 2>/dev/null | tr "\000" "\377" > update.rom
dd if=update.bin of=update.rom bs=1 conv=notrunc


@ -1,9 +1,7 @@
#!/bin/bash
SIGN_TOOL="python3 ./tools/keytools/sign.py"
if [ -f "./tools/keytools/sign" ]; then
SIGN_TOOL="./tools/keytools/sign"
fi
. .config
SIGN_TOOL="./tools/keytools/sign"
# SIZE is WOLFBOOT_PARTITION_SIZE - 5
SIZE=131067
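Review bot: `. .config` gives the `.` builtin a name without a slash, and bash looks such a name up in `PATH` before it falls back to the current directory, so a `.config` found in any `PATH` directory would be sourced, and executed, in place of the project's file. Writing it as `. ./.config`, as the next script in this commit already does, pins the lookup to the working directory; the same line appears in the three later scripts whose hunks also add `. .config`. The file appears to be the make configuration (other hunks copy `config/examples/*.config` onto it), in which case any `?=` or `+=` line is run as a shell command and only plain `NAME=value` lines take effect. The sourced values are not exported in the visible lines, so whether `sign` sees them depends on code outside this hunk.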


@ -1,9 +1,7 @@
#!/bin/bash
SIGN_TOOL="python3 ./tools/keytools/sign.py"
if [ -f "./tools/keytools/sign" ]; then
SIGN_TOOL="./tools/keytools/sign"
fi
. ./.config
SIGN_TOOL="./tools/keytools/sign"
# SIZE is WOLFBOOT_PARTITION_SIZE - 5
SIZE=129019


@ -1,9 +1,9 @@
#!/bin/bash
SIGN_TOOL="python3 ./tools/keytools/sign.py"
if [ -f "./tools/keytools/sign" ]; then
SIGN_TOOL="./tools/keytools/sign"
fi
. .config
echo IMAGE_HEADER_SIZE= $IMAGE_HEADER_SIZE
echo WOLFBOOT_SECTOR_SIZE= $WOLFBOOT_SECTOR_SIZE
SIGN_TOOL="./tools/keytools/sign"
# SIZE is WOLFBOOT_PARTITION_SIZE - 5
SIZE=229371


@ -1,9 +1,6 @@
#!/bin/bash
SIGN_TOOL="python3 ./tools/keytools/sign.py"
if [ -f "./tools/keytools/sign" ]; then
SIGN_TOOL="./tools/keytools/sign"
fi
. .config
SIGN_TOOL="./tools/keytools/sign"
# SIZE is WOLFBOOT_PARTITION_SIZE - 5
SIZE=131067


@ -1,9 +1,7 @@
#!/bin/bash
SIGN_TOOL="python3 ./tools/keytools/sign.py"
if [ -f "./tools/keytools/sign" ]; then
SIGN_TOOL="./tools/keytools/sign"
fi
. .config
SIGN_TOOL="./tools/keytools/sign"
# SIZE is WOLFBOOT_PARTITION_SIZE - 5
SIZE=229371


@ -48,8 +48,8 @@ if (echo $TEST_OPTIONS | grep "ext_XMSS" &>/dev/null); then
cd ../../ || exit 2
fi
make distclean
make -C tools/keytools
make keysclean
make keytools
make -C tools/test-expect-version
make clean && make $TEST_OPTIONS || exit 2
make /tmp/renode-test-update.bin $TEST_OPTIONS || exit 2
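Review bot: `make keysclean` and `make keytools` run without a status check, while the two build lines after them end in `|| exit 2`. If the key tools fail to build, the script carries on and the later targets presumably run with a missing or stale `sign`/`keygen` binary, so the failure is reported far from its cause. Adding the same guard, `make keytools || exit 2`, makes the run stop at the step that failed. The surrounding script starts and ends outside the hunk.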


@ -29,7 +29,7 @@ fi
cp $sim_pq .config || err_and_die "cp $sim_pq"
make distclean; make clean;
make keysclean; make clean;
make keytools || err_and_die "keytools build failed"


@ -14,7 +14,7 @@ test-delta-enc-update-ext:EXPVER=tools/test-expect-version/test-expect-version /
test-delta-enc-update-ext:PART_SIZE=131023
test-delta-enc-update-ext:APP=test-app/image_v7_signed_diff_encrypted.bin
test-delta-update: distclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version
test-delta-update: keysclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version
@killall ufserver || true
@st-flash reset
@sleep 2
@ -26,9 +26,9 @@ test-delta-update: distclean factory.bin test-app/image.bin tools/uart-flash-ser
@st-flash erase || st-flash erase
@rm -f zero.bin
@diff .config config/examples/stm32wb-delta.config || (echo "\n\n*** Error: please copy config/examples/stm32wb-delta.config to .config to run this test\n\n" && exit 1)
$(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin test-app/image.bin \
$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin test-app/image.bin \
$(PRIVATE_KEY) 7
$(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin test-app/image.bin \
$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin test-app/image.bin \
$(PRIVATE_KEY) 2
@st-flash write factory.bin 0x08000000
@echo Expecting version '1'
@ -68,7 +68,7 @@ test-delta-update: distclean factory.bin test-app/image.bin tools/uart-flash-ser
@(test `$(EXPVER)` -eq 2)
@echo "TEST SUCCESSFUL"
test-delta-update-ext: distclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version
test-delta-update-ext: keysclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version
@killall ufserver || true
@st-flash reset
@dd if=/dev/zero of=zero.bin bs=4096 count=1
@ -79,7 +79,7 @@ test-delta-update-ext: distclean factory.bin test-app/image.bin tools/uart-flash
@st-flash erase || st-flash erase
@rm -f zero.bin
@diff .config config/examples/stm32wb-delta-ext.config || (echo "\n\n*** Error: please copy config/examples/stm32wb-delta-ext.config to .config to run this test\n\n" && exit 1)
$(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin test-app/image.bin \
$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin test-app/image.bin \
$(PRIVATE_KEY) 7
@(tools/uart-flash-server/ufserver test-app/image_v7_signed_diff.bin $(USBTTY))&
@st-flash reset
@ -110,7 +110,7 @@ test-delta-update-ext: distclean factory.bin test-app/image.bin tools/uart-flash
@rm boot.bin boot_full.bin
@echo "TEST SUCCESSFUL"
test-delta-enc-update-ext: distclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version
test-delta-enc-update-ext: keysclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version
@killall ufserver || true
@st-flash reset
@dd if=/dev/zero of=zero.bin bs=4096 count=1
@ -121,7 +121,7 @@ test-delta-enc-update-ext: distclean factory.bin test-app/image.bin tools/uart-f
@st-flash erase || st-flash erase
@rm -f zero.bin
@diff .config config/examples/stm32wb-delta-enc-ext.config || (echo "\n\n*** Error: please copy config/examples/stm32wb-delta-enc-ext.config to .config to run this test\n\n" && exit 1)
$(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin \
$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin \
$(ENCRYPT_STRING) --encrypt /tmp/enc_key.der \
test-app/image.bin \
$(PRIVATE_KEY) 7
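Review bot: `keysclean` is listed as an ordinary prerequisite next to `factory.bin` on the `test-delta-update`, `test-delta-update-ext` and `test-delta-enc-update-ext` rules, so the test only starts from fresh keys if make finishes `keysclean` before it starts `factory.bin`. That holds for a serial run but not under `make -j`, where the two can run together and the cleanup may remove files the factory image build is using (assuming `keysclean` deletes the signing keys, which is not shown here). A comment above the first rule such as `# keysclean must complete before factory.bin: run these targets without -j` would record the constraint. The recipes continue outside the hunks.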


@ -24,8 +24,8 @@ tools/uart-flash-server/ufserver: FORCE
test-enc-update: factory.bin test-app/image.bin tools/uart-flash-server/ufserver
@diff .config config/examples/stm32wb-uart-flash-encryption.config || (echo "\n\n*** Error: please copy config/examples/stm32wb-uart-flash-encryption.config to .config to run this test\n\n" && exit 1)
@printf "0123456789abcdef0123456789abcdef0123456789ab" > /tmp/enc_key.der
@$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION)
@$(SIGN_TOOL) $(SIGN_ENC_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION)
@$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION)
@$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ENC_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION)
@(tools/uart-flash-server/ufserver test-app/image_v$(ENC_TEST_UPDATE_VERSION)_signed_and_encrypted.bin $(USBTTY))&
@st-flash erase
@st-flash write factory.bin 0x08000000
@ -47,8 +47,8 @@ test-enc-update: factory.bin test-app/image.bin tools/uart-flash-server/ufserver
test-enc-aes128-update: factory.bin test-app/image.bin tools/uart-flash-server/ufserver
@diff .config config/examples/stm32wb-uart-flash-encryption-aes128.config || (echo "\n\n*** Error: please copy config/examples/stm32wb-uart-flash-encryption-aes128.config to .config to run this test\n\n" && exit 1)
@printf "0123456789abcdef0123456789abcdef" > /tmp/enc_key.der
@$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION)
@$(SIGN_TOOL) $(SIGN_ENC_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION)
@$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION)
@$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ENC_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION)
@(tools/uart-flash-server/ufserver test-app/image_v$(ENC_TEST_UPDATE_VERSION)_signed_and_encrypted.bin $(USBTTY))&
@st-flash erase
@st-flash write factory.bin 0x08000000
@ -70,8 +70,8 @@ test-enc-aes128-update: factory.bin test-app/image.bin tools/uart-flash-server/u
test-enc-aes256-update: factory.bin test-app/image.bin tools/uart-flash-server/ufserver
@diff .config config/examples/stm32wb-uart-flash-encryption-aes256.config || (echo "\n\n*** Error: please copy config/examples/stm32wb-uart-flash-encryption-aes256.config to .config to run this test\n\n" && exit 1)
@printf "0123456789abcdef0123456789abcdef0123456789abcdef" > /tmp/enc_key.der
@$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION)
@$(SIGN_TOOL) $(SIGN_ENC_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION)
@$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION)
@$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ENC_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION)
@(tools/uart-flash-server/ufserver test-app/image_v$(ENC_TEST_UPDATE_VERSION)_signed_and_encrypted.bin $(USBTTY))&
@st-flash erase
@st-flash write factory.bin 0x08000000


@ -24,27 +24,18 @@ LMS_OPTS=LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8 WOLFBOOT_SMALL_STACK=0 \
XMSS_OPTS=WOLFBOOT_XMSS_PARAMS='XMSS-SHA2_10_256' WOLFBOOT_SMALL_STACK=0 \
IMAGE_SIGNATURE_SIZE=2500 IMAGE_HEADER_SIZE=5000
# python version only supported using
# KEYGEN_TOOL="python3 $(WOLFBOOT_ROOT)/tools/keytools/keygen.py"
ifeq ("$(KEYGEN_TOOL)","")
ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/keygen.exe)","")
KEYGEN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/keygen.exe
else
KEYGEN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/keygen
endif
ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/keygen.exe)","")
KEYGEN_TOOL?=$(WOLFBOOT_ROOT)/tools/keytools/keygen.exe
else
KEYGEN_TOOL?=$(WOLFBOOT_ROOT)/tools/keytools/keygen
endif
# python version only supported using
# SIGN_TOOL="python3 $(WOLFBOOT_ROOT)/tools/keytools/sign.py"
ifeq ("$(SIGN_TOOL)","")
ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/sign.exe)","")
SIGN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/sign.exe
else
SIGN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/sign
endif
ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/sign.exe)","")
SIGN_TOOL?=$(WOLFBOOT_ROOT)/tools/keytools/sign.exe
else
SIGN_TOOL?=$(WOLFBOOT_ROOT)/tools/keytools/sign
endif
ifeq ($(TARGET),stm32f7)
RENODE_CONFIG=tools/renode/stm32f746_wolfboot.resc
POFF=393211
@ -140,7 +131,7 @@ renode-off: FORCE
$(RENODE_UPDATE_FILE): test-app/image.bin FORCE
${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) \
${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) \
$(TEST_UPDATE_VERSION)
${Q}dd if=/dev/zero bs=$(POFF) count=1 2>/dev/null | tr "\000" "\377" \
> $@
@ -150,7 +141,7 @@ $(RENODE_UPDATE_FILE): test-app/image.bin FORCE
renode-factory: factory.bin test-app/image.bin $(RENODE_UPDATE_FILE) $(EXPVER) FORCE
${Q}rm -f $(RENODE_UART)
${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 1
${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 1
${Q}cp test-app/image_v1_signed.bin $(TMP)/renode-test-v1.bin
${Q}cp wolfboot.elf $(TMP)/renode-wolfboot.elf
${Q}make renode-on
@ -175,8 +166,8 @@ renode-update: factory.bin test-app/image.bin $(EXPVER) FORCE
${Q}rm -f $(RENODE_UART)
${Q}dd if=/dev/zero bs=$(POFF) count=1 2>/dev/null | tr "\000" "\377" \
> $(RENODE_UPDATE_FILE)
${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 1
${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) \
${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 1
${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) \
$(TEST_UPDATE_VERSION)
${Q}dd if=test-app/image_v$(TEST_UPDATE_VERSION)_signed.bin \
of=$(RENODE_UPDATE_FILE) bs=1 conv=notrunc
@ -201,8 +192,8 @@ renode-no-downgrade: factory.bin test-app/image.bin $(EXPVER) FORCE
${Q}rm -f $(RENODE_UART)
${Q}dd if=/dev/zero bs=$(POFF) count=1 2>/dev/null | tr "\000" "\377" \
> $(RENODE_UPDATE_FILE)
${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 7
${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 5
${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 7
${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 5
${Q}dd if=test-app/image_v5_signed.bin \
of=$(RENODE_UPDATE_FILE) bs=1 conv=notrunc
${Q}printf "pBOOT" >> $(RENODE_UPDATE_FILE)
@ -225,8 +216,8 @@ renode-corrupted: factory.bin test-app/image.bin $(EXPVER) FORCE
${Q}rm -f $(RENODE_UART)
${Q}dd if=/dev/zero bs=$(POFF) count=1 2>/dev/null | tr "\000" "\377" \
> $(RENODE_UPDATE_FILE)
${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 1
${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) \
${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 1
${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) \
$(TEST_UPDATE_VERSION)
${Q}dd if=test-app/image_v$(TEST_UPDATE_VERSION)_signed.bin \
of=$(RENODE_UPDATE_FILE) bs=1 conv=notrunc


@ -9,24 +9,16 @@ SIGN_ARGS=
SIGN_ENC_ARGS=
DELTA_DATA_SIZE?=2000
# python version only supported using
# KEYGEN_TOOL="python3 $(WOLFBOOT_ROOT)/tools/keytools/keygen.py"
ifeq ("$(KEYGEN_TOOL)","")
ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/keygen.exe)","")
KEYGEN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/keygen.exe
else
KEYGEN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/keygen
endif
ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/keygen.exe)","")
KEYGEN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/keygen.exe
else
KEYGEN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/keygen
endif
# python version only supported using
# SIGN_TOOL="python3 $(WOLFBOOT_ROOT)/tools/keytools/sign.py"
ifeq ("$(SIGN_TOOL)","")
ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/sign.exe)","")
SIGN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/sign.exe
else
SIGN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/sign
endif
ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/sign.exe)","")
SIGN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/sign.exe
else
SIGN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/sign
endif
# Make sign algorithm argument
@ -146,7 +138,7 @@ test-spi-off: FORCE
test-update: test-app/image.bin FORCE
@dd if=/dev/zero bs=131067 count=1 2>/dev/null $(INVERSION) > test-update.bin
@$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
@$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
@dd if=test-app/image_v$(TEST_UPDATE_VERSION)_signed.bin of=test-update.bin bs=1 conv=notrunc
@printf "pBOOT" >> test-update.bin
@make test-reset
@ -158,10 +150,10 @@ test-update: test-app/image.bin FORCE
test-sim-external-flash-with-update: wolfboot.bin test-app/image.elf FORCE
$(Q)cp test-app/image.elf test-app/image.bak.elf
$(Q)dd if=/dev/urandom of=test-app/image.elf bs=1K count=16 oflag=append conv=notrunc
$(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) 1
$(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) 1
$(Q)cp test-app/image.bak.elf test-app/image.elf
$(Q)dd if=/dev/urandom of=test-app/image.elf bs=1K count=16 oflag=append conv=notrunc
$(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
$(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
# Assembling internal flash image
#
$(Q)dd if=/dev/zero bs=$$(($(WOLFBOOT_PARTITION_SIZE))) count=1 2>/dev/null $(INVERSION) > v1_part.dd
@ -176,13 +168,13 @@ test-sim-external-flash-with-enc-delta-update-extradata:DELTA_UPDATE_OPTIONS=--d
test-sim-external-flash-with-enc-delta-update-extradata:SIGN_ENC_ARGS=--encrypt /tmp/enc_key.der --aes128
test-sim-external-flash-with-enc-delta-update-extradata: wolfboot.bin test-app/image.elf FORCE
@printf "0123456789abcdef0123456789abcdef0123456789abcdef" > /tmp/enc_key.der
$(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) 1
$(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) 1
$(Q)cp test-app/image_v1_signed.bin test-app/image_v1_signed.bak
$(Q)rm -f test-app/image.elf test-app/app_sim.o
$(Q)make -C test-app delta-extra-data DELTA_DATA_SIZE=$(DELTA_DATA_SIZE)
$(Q)cp test-app/image_v1_signed.bak test-app/image_v1_signed.bin
$(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) $(SIGN_ENC_ARGS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
$(Q)$(SIGN_TOOL) $(SIGN_ARGS) $(DELTA_UPDATE_OPTIONS) $(SIGN_ENC_ARGS) \
$(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) $(SIGN_ENC_ARGS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
$(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) $(DELTA_UPDATE_OPTIONS) $(SIGN_ENC_ARGS) \
test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
$(Q)dd if=/dev/zero bs=$$(($(WOLFBOOT_PARTITION_SIZE))) count=1 2>/dev/null $(INVERSION) > v1_part.dd
$(Q)dd if=test-app/image_v1_signed.bin bs=256 of=v1_part.dd conv=notrunc
@ -200,11 +192,11 @@ test-sim-external-flash-with-enc-update: wolfboot.bin test-app/image.elf FORCE
$(Q)cp test-app/image.elf test-app/image.bak.elf
$(Q)dd if=/dev/urandom of=test-app/image.elf bs=1k count=16 oflag=append conv=notrunc
@printf "0123456789abcdef0123456789abcdef0123456789abcdef" > /tmp/enc_key.der
$(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) $(SIGN_ENC_ARGS) test-app/image.elf $(PRIVATE_KEY) 1
$(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) $(SIGN_ENC_ARGS) test-app/image.elf $(PRIVATE_KEY) 1
$(Q)cp test-app/image.bak.elf test-app/image.elf
$(Q)dd if=/dev/urandom of=test-app/image.elf bs=1k count=16 oflag=append conv=notrunc
$(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) $(SIGN_ENC_ARGS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
$(Q)$(SIGN_TOOL) $(SIGN_ARGS) $(DELTA_UPDATE_OPTIONS) $(SIGN_ENC_ARGS) \
$(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) $(SIGN_ENC_ARGS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
$(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) $(DELTA_UPDATE_OPTIONS) $(SIGN_ENC_ARGS) \
test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
# Assembling internal flash image
#
@ -225,12 +217,12 @@ test-sim-external-flash-with-enc-delta-update:
test-sim-internal-flash-with-update: wolfboot.bin test-app/image.elf FORCE
$(Q)cp test-app/image.elf test-app/image.bak.elf
$(Q)dd if=/dev/urandom of=test-app/image.elf bs=1k count=16 oflag=append conv=notrunc
$(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) 1
$(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) 1
$(Q)cp test-app/image.bak.elf test-app/image.elf
$(Q)dd if=/dev/urandom of=test-app/image.elf bs=1k count=16 oflag=append conv=notrunc
$(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
$(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
$(Q)dd if=/dev/zero bs=$$(($(WOLFBOOT_SECTOR_SIZE))) count=1 2>/dev/null $(INVERSION) > erased_sec.dd
$(Q)$(SIGN_TOOL) $(SIGN_ARGS) $(DELTA_UPDATE_OPTIONS) \
$(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) $(DELTA_UPDATE_OPTIONS) \
test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
$(Q)$(BINASSEMBLE) internal_flash.dd \
0 wolfboot.bin \
@ -276,12 +268,12 @@ test-sim-rollback-flash: wolfboot.elf test-sim-internal-flash-with-update FORCE
test-self-update: FORCE
@mv $(PRIVATE_KEY) private_key.old
@make clean factory.bin RAM_CODE=1 WOLFBOOT_VERSION=1 SIGN=$(SIGN)
@$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
@$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
@st-flash --reset write test-app/image_v2_signed.bin 0x08020000 || \
(make test-reset && sleep 1 && st-flash --reset write test-app/image_v2_signed.bin 0x08020000) || \
(make test-reset && sleep 1 && st-flash --reset write test-app/image_v2_signed.bin 0x08020000)
@dd if=/dev/zero bs=131067 count=1 2>/dev/null $(INVERSION) > test-self-update.bin
@$(SIGN_TOOL) $(SIGN_ARGS) --wolfboot-update wolfboot.bin private_key.old $(WOLFBOOT_VERSION)
@$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) --wolfboot-update wolfboot.bin private_key.old $(WOLFBOOT_VERSION)
@dd if=wolfboot_v$(WOLFBOOT_VERSION)_signed.bin of=test-self-update.bin bs=1 conv=notrunc
@printf "pBOOT" >> test-self-update.bin
@st-flash --reset write test-self-update.bin 0x08040000 || \
@ -289,7 +281,7 @@ test-self-update: FORCE
(make test-reset && sleep 1 && st-flash --reset write test-self-update.bin 0x08040000)
test-update-ext: test-app/image.bin FORCE
@$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
@$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(TEST_UPDATE_VERSION)
@(dd if=/dev/zero bs=1M count=1 | tr '\000' '\377' > test-update.rom)
@dd if=test-app/image_v$(TEST_UPDATE_VERSION)_signed.bin of=test-update.rom bs=1 count=524283 conv=notrunc
@printf "pBOOT" | dd of=test-update.rom obs=1 seek=524283 count=5 conv=notrunc
@ -1028,3 +1020,6 @@ test-size-all:
IMAGE_SIGNATURE_SIZE=2500 IMAGE_HEADER_SIZE?=4096 \
LIMIT=8232 NO_ARM_ASM=1
make keysclean
make clean
make test-size SIGN=ML_DSA ML_DSA_LEVEL=2 LIMIT=20148 \
IMAGE_SIGNATURE_SIZE=2420 IMAGE_HEADER_SIZE?=8192


@ -35,7 +35,7 @@ cov:
run: $(TESTS)
for unit in $(TESTS); do \
./$$unit || exit 1; \
WOLFBOOT_SECTOR_SIZE=0x400 ./$$unit || exit 1; \
done