From 5b57d2d08f76e6d74d95ac21a7fc93a8ab9f1316 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Fri, 12 May 2023 19:33:01 +0200 Subject: [PATCH] PKCS11 store functions using wolfBoot hal --- Makefile | 1 - arch.mk | 2 +- lib/wolfPKCS11 | 2 +- options.mk | 3 +- src/pkcs11_store.c | 126 ++++++++++++++++++++++++++++++++++++++++++--- 5 files changed, 122 insertions(+), 12 deletions(-) diff --git a/Makefile b/Makefile index bd39f5c8..7f34cd20 100644 --- a/Makefile +++ b/Makefile @@ -52,7 +52,6 @@ include options.mk OBJS+=$(WOLFCRYPT_OBJS) OBJS+=$(PUBLIC_KEY_OBJS) -OBJS+=$(UPDATE_OBJS) CFLAGS+= \ -I"." -I"include/" -I"lib/wolfssl" \ diff --git a/arch.mk b/arch.mk index f3390287..b125ba92 100644 --- a/arch.mk +++ b/arch.mk @@ -721,7 +721,7 @@ ifeq ($(DUALBANK_SWAP),1) UPDATE_OBJS:=src/update_flash_hwswap.o endif -ifeq ("$(UPDATE_OBJS)","") +ifeq ($(UPDATE_OBJS),) UPDATE_OBJS:=./src/update_flash.o endif diff --git a/lib/wolfPKCS11 b/lib/wolfPKCS11 index eca242ea..5bd3f2e4 160000 --- a/lib/wolfPKCS11 +++ b/lib/wolfPKCS11 @@ -1 +1 @@ -Subproject commit eca242ea16d77d698a61eb4a9b20dca0853da20e +Subproject commit 5bd3f2e4bcfd085b3a9bad965fa4f758c5180719 diff --git a/options.mk b/options.mk index 5159133b..929bc921 100644 --- a/options.mk +++ b/options.mk @@ -543,11 +543,11 @@ ifeq ($(SECURE_PKCS11),1) CFLAGS+=-DWOLFPKCS11_CUSTOM_STORE CFLAGS+=-DWOLFBOOT_SECURE_PKCS11 -Ilib/wolfPKCS11 CFLAGS+=-DWOLFPKCS11_USER_SETTINGS + CFLAGS+=-DWOLFPKCS11_NO_TIME CFLAGS+=-DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT -DWOLFSSL_AES_GCM CFLAGS+=-DENCRYPT_WITH_AES128 -DWOLFSSL_AES_128 CFLAGS+=-DHAVE_SCRYPT CFLAGS+=-DHAVE_AESGCM - CFLAGS+=-DNO_PKCS11_TIME OBJS+=src/pkcs11_store.o OBJS+=src/pkcs11_callable.o WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/aes.o @@ -625,7 +625,6 @@ ifeq ($(HASH),SHA3) endif CFLAGS+=-DIMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) -OBJS+=$(WOLFCRYPT_OBJS) OBJS+=$(SECURE_OBJS) # check if both encryption and self update are on 
diff --git a/src/pkcs11_store.c b/src/pkcs11_store.c
index 74a3a704..dcf45a28 100644
--- a/src/pkcs11_store.c
+++ b/src/pkcs11_store.c
@@ -21,30 +21,142 @@ +#include +#include #include "wolfpkcs11/pkcs11.h" #include "wolfpkcs11/store.h" +#include "hal.h" + +extern uint32_t *_flash_keyvault; /* From linker script: origin of vault flash */ +extern uint32_t *_flash_keyvault_size; /* From linker script: size of vault */ + +#define KEYVAULT_OBJ_SIZE 0x1000 /* 4KB per object */ +#define KEYVAULT_MAX_ITEMS 0x18 /* Total memory: 0x18000, 24 items */ + +/* Internal errors from wolfPKCS11 */ +#define PIN_INVALID_E -1 +#define PIN_NOT_SET_E -2 +#define READ_ONLY_E -3 +#define NOT_AVAILABLE_E -4 +#define FIND_FULL_E -5 +#define FIND_NO_MORE_E -6 +#define SESSION_EXISTS_E -7 +#define SESSION_COUNT_E -8 +#define LOGGED_IN_E -9 +#define OBJ_COUNT_E -10 + +static uint8_t *vault_base = (uint8_t *)&_flash_keyvault; +static int vault_idx = -1; + + +struct obj_hdr +{ + uint32_t token_id; + uint32_t object_id; + int type; + uint32_t size; +}; +#define STORE_PRIV_HDR_SIZE 16 + +struct store_object +{ + struct obj_hdr hdr; + int vault_idx; + int read; +}; + +static struct store_object *vault_descriptors[KEYVAULT_MAX_ITEMS]; + int wolfPKCS11_Store_Open(int type, CK_ULONG id1, CK_ULONG id2, int read, void** store) { - /* Stub */ - return -1; + unsigned int i; + int found = -1; + struct obj_hdr *hdr; + struct store_object *obj; + + for (i = 0; i < KEYVAULT_MAX_ITEMS; i++) { + hdr = (struct obj_hdr*)(vault_base + i * KEYVAULT_OBJ_SIZE); + if ((type == hdr->type) && (id1 == hdr->token_id) && + (id2 == hdr->object_id)) { + found = i; + break; + } + } + if (!found && read) { + *store = NULL; + return NOT_AVAILABLE_E; + } else if (found) { + *store = vault_descriptors[found]; + obj = vault_descriptors[found]; + memcpy(&obj->hdr, vault_base + found * KEYVAULT_OBJ_SIZE, sizeof(struct obj_hdr)); + obj->vault_idx = found; + obj->read = read; + } else if ((!found) && (!read)) { + if (vault_idx++ >= KEYVAULT_MAX_ITEMS) { + vault_idx--; + *store = NULL; + return FIND_FULL_E; + } + obj = vault_descriptors[vault_idx]; + obj->vault_idx = 
vault_idx; + obj->hdr.type = type; + obj->hdr.token_id = id1; + obj->hdr.object_id = id2; + obj->hdr.size = 0; + obj->read = 0; + hal_flash_erase((uint32_t)(vault_base + vault_idx * KEYVAULT_OBJ_SIZE), + KEYVAULT_OBJ_SIZE); + hal_flash_write((uint32_t)(vault_base + vault_idx * KEYVAULT_OBJ_SIZE), (void *)obj, + sizeof(struct obj_hdr)); + } + return 0; } void wolfPKCS11_Store_Close(void* store) { /* Stub */ - } int wolfPKCS11_Store_Read(void* store, unsigned char* buffer, int len) { - /* Stub */ - return -1; + struct store_object *obj = store; + if ((uint32_t)len > obj->hdr.size) { + len = obj->hdr.size; + } + if (len > 0) { + memcpy(buffer, vault_base + obj->vault_idx * KEYVAULT_OBJ_SIZE + + STORE_PRIV_HDR_SIZE, len); + } + return len; } int wolfPKCS11_Store_Write(void* store, unsigned char* buffer, int len) { - /* Stub */ - return -1; + struct store_object *obj = store; + int pos = 0; + if (len > (KEYVAULT_OBJ_SIZE - STORE_PRIV_HDR_SIZE)) { + return -1; + } + if (obj->read) + return -1; + if (obj->vault_idx > KEYVAULT_MAX_ITEMS) + return -1; + obj->hdr.size = len; + hal_flash_erase((uint32_t)(vault_base + obj->vault_idx * KEYVAULT_OBJ_SIZE), + KEYVAULT_OBJ_SIZE); + hal_flash_write((uint32_t)(vault_base + obj->vault_idx * KEYVAULT_OBJ_SIZE), + (void *)obj, sizeof(struct obj_hdr)); + while (pos < len) { + uint32_t base = (uint32_t)(vault_base + + obj->vault_idx * KEYVAULT_OBJ_SIZE); + uint32_t sz = len; + if (sz > WOLFBOOT_SECTOR_SIZE) { + sz = WOLFBOOT_SECTOR_SIZE; + } + hal_flash_write(base + STORE_PRIV_HDR_SIZE + pos, buffer + pos, sz); + pos += sz; + } + return len; }
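Review bot: In wolfPKCS11_Store_Open, `found` starts at -1 but is tested with `!found` / `found`, so a miss takes the `else if (found)` branch and indexes `vault_descriptors[-1]`, while a hit in slot 0 is reported as NOT_AVAILABLE_E; the tests should be `found < 0` and `found >= 0`. `vault_descriptors` is an array of pointers that nothing in this hunk populates, so `obj` is NULL when `memcpy(&obj->hdr, ...)` runs, and the create branch never assigns `*store`. The guard `vault_idx++ >= KEYVAULT_MAX_ITEMS` also admits index 24, one past the end of the table. In wolfPKCS11_Store_Write the chunk size is `uint32_t sz = len;` on every pass, so when `len` exceeds WOLFBOOT_SECTOR_SIZE the last chunk reads past `buffer` and writes past the 4 KB slot into the next object; it should be the remaining `len - pos`. The bound `obj->vault_idx > KEYVAULT_MAX_ITEMS` should also reject 24 and negative values, and the results of hal_flash_erase/hal_flash_write are ignored throughout.

```c
static struct store_object vault_descriptors[KEYVAULT_MAX_ITEMS];

/* … unchanged: wolfPKCS11_Store_Open signature, locals, slot search loop … */
    if (found < 0 && read) {
        *store = NULL;
        return NOT_AVAILABLE_E;
    } else if (found >= 0) {
        obj = &vault_descriptors[found];
        /* … unchanged: copy header from flash, set vault_idx and read … */
        *store = obj;
    } else {
        if (vault_idx + 1 >= KEYVAULT_MAX_ITEMS) {
            *store = NULL;
            return FIND_FULL_E;
        }
        vault_idx++;
        obj = &vault_descriptors[vault_idx];
        /* … unchanged: fill header, erase slot, write header … */
        *store = obj;
    }
    return 0;

/* … unchanged: wolfPKCS11_Store_Write header write … */
    if (obj->vault_idx < 0 || obj->vault_idx >= KEYVAULT_MAX_ITEMS)
        return -1;
    while (pos < len) {
        uint32_t sz = (uint32_t)(len - pos);  /* remaining bytes, not the total */
        /* … unchanged: cap sz to WOLFBOOT_SECTOR_SIZE, hal_flash_write, advance pos … */
    }
```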