PKCS11 store functions using wolfBoot hal

2023-05-12 19:33:01 +02:00 · 2023-05-12 19:33:01 +02:00 · 5b57d2d08f
parent f7d6c17685
commit 5b57d2d08f
5 changed files with 122 additions and 12 deletions
--- a/1
+++ b/1
@ -52,7 +52,6 @@ include options.mk

 OBJS+=$(WOLFCRYPT_OBJS)
 OBJS+=$(PUBLIC_KEY_OBJS)
-OBJS+=$(UPDATE_OBJS)

 CFLAGS+= \
  -I"." -I"include/" -I"lib/wolfssl" \
--- a/arch.mk
+++ b/arch.mk
@ -721,7 +721,7 @@ ifeq ($(DUALBANK_SWAP),1)
  UPDATE_OBJS:=src/update_flash_hwswap.o
 endif

-ifeq ("$(UPDATE_OBJS)","")
+ifeq ($(UPDATE_OBJS),)
  UPDATE_OBJS:=./src/update_flash.o
 endif

--- a/lib/wolfPKCS11
+++ b/lib/wolfPKCS11
@ -1 +1 @@
-Subproject commit eca242ea16d77d698a61eb4a9b20dca0853da20e
+Subproject commit 5bd3f2e4bcfd085b3a9bad965fa4f758c5180719
--- a/options.mk
+++ b/options.mk
@ -543,11 +543,11 @@ ifeq ($(SECURE_PKCS11),1)
  CFLAGS+=-DWOLFPKCS11_CUSTOM_STORE
  CFLAGS+=-DWOLFBOOT_SECURE_PKCS11 -Ilib/wolfPKCS11
  CFLAGS+=-DWOLFPKCS11_USER_SETTINGS
+  CFLAGS+=-DWOLFPKCS11_NO_TIME
  CFLAGS+=-DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT -DWOLFSSL_AES_GCM
  CFLAGS+=-DENCRYPT_WITH_AES128 -DWOLFSSL_AES_128
  CFLAGS+=-DHAVE_SCRYPT
  CFLAGS+=-DHAVE_AESGCM
-  CFLAGS+=-DNO_PKCS11_TIME
  OBJS+=src/pkcs11_store.o
  OBJS+=src/pkcs11_callable.o
  WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/aes.o
@ -625,7 +625,6 @@ ifeq ($(HASH),SHA3)
 endif

 CFLAGS+=-DIMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE)
-OBJS+=$(WOLFCRYPT_OBJS)
 OBJS+=$(SECURE_OBJS)

 # check if both encryption and self update are on
--- a/src/pkcs11_store.c
+++ b/src/pkcs11_store.c
@ -21,30 +21,142 @@



+#include <stdint.h>
+#include <string.h>
 #include "wolfpkcs11/pkcs11.h"
 #include "wolfpkcs11/store.h"
+#include "hal.h"
+
+extern uint32_t *_flash_keyvault; /* From linker script: origin of vault flash */
+extern uint32_t *_flash_keyvault_size; /* From linker script: size of vault */
+
+#define KEYVAULT_OBJ_SIZE 0x1000 /* 4KB per object */
+#define KEYVAULT_MAX_ITEMS 0x18 /* Total memory: 0x18000, 24 items */
+
+/* Internal errors from wolfPKCS11 */
+#define PIN_INVALID_E                  -1
+#define PIN_NOT_SET_E                  -2
+#define READ_ONLY_E                    -3
+#define NOT_AVAILABLE_E                -4
+#define FIND_FULL_E                    -5
+#define FIND_NO_MORE_E                 -6
+#define SESSION_EXISTS_E               -7
+#define SESSION_COUNT_E                -8
+#define LOGGED_IN_E                    -9
+#define OBJ_COUNT_E                    -10
+
+static uint8_t *vault_base = (uint8_t *)&_flash_keyvault;
+static int vault_idx = -1;
+
+
+struct obj_hdr
+{
+    uint32_t token_id;
+    uint32_t object_id;
+    int type;
+    uint32_t size;
+};
+#define STORE_PRIV_HDR_SIZE 16
+
+struct store_object
+{
+    struct obj_hdr hdr;
+    int vault_idx;
+    int read;
+};
+
+static struct store_object *vault_descriptors[KEYVAULT_MAX_ITEMS];
+

 int wolfPKCS11_Store_Open(int type, CK_ULONG id1, CK_ULONG id2, int read,
    void** store)
 {
-    /* Stub */
-    return -1;
+    unsigned int i;
+    int found = -1;
+    struct obj_hdr *hdr;
+    struct store_object *obj;
+
+    for (i = 0; i < KEYVAULT_MAX_ITEMS; i++) {
+        hdr = (struct obj_hdr*)(vault_base + i * KEYVAULT_OBJ_SIZE);
+        if ((type == hdr->type) && (id1 == hdr->token_id) &&
+                (id2 == hdr->object_id)) {
+            found = i;
+            break;
+        }
+    }
+    if (!found && read) {
+        *store = NULL;
+        return NOT_AVAILABLE_E;
+    } else if (found) {
+        *store = vault_descriptors[found];
+        obj = vault_descriptors[found];
+        memcpy(&obj->hdr, vault_base + found * KEYVAULT_OBJ_SIZE, sizeof(struct obj_hdr));
+        obj->vault_idx = found;
+        obj->read = read;
+    } else if ((!found) && (!read)) {
+        if (vault_idx++ >= KEYVAULT_MAX_ITEMS) {
+            vault_idx--;
+            *store = NULL;
+            return FIND_FULL_E;
+        }
+        obj = vault_descriptors[vault_idx];
+        obj->vault_idx = vault_idx;
+        obj->hdr.type = type;
+        obj->hdr.token_id = id1;
+        obj->hdr.object_id = id2;
+        obj->hdr.size = 0;
+        obj->read = 0;
+        hal_flash_erase((uint32_t)(vault_base + vault_idx * KEYVAULT_OBJ_SIZE),
+                KEYVAULT_OBJ_SIZE);
+        hal_flash_write((uint32_t)(vault_base + vault_idx * KEYVAULT_OBJ_SIZE), (void *)obj,
+                sizeof(struct obj_hdr));
+    }
+    return 0;
 }

 void wolfPKCS11_Store_Close(void* store)
 {
    /* Stub */
-
 }

 int wolfPKCS11_Store_Read(void* store, unsigned char* buffer, int len)
 {
-    /* Stub */
-    return -1;
+    struct store_object *obj = store;
+    if ((uint32_t)len > obj->hdr.size) {
+        len = obj->hdr.size;
+    }
+    if (len > 0) {
+        memcpy(buffer, vault_base + obj->vault_idx * KEYVAULT_OBJ_SIZE +
+                STORE_PRIV_HDR_SIZE, len);
+    }
+    return len;
 }

 int wolfPKCS11_Store_Write(void* store, unsigned char* buffer, int len)
 {
-    /* Stub */
-    return -1;
+    struct store_object *obj = store;
+    int pos = 0;
+    if (len > (KEYVAULT_OBJ_SIZE - STORE_PRIV_HDR_SIZE)) {
+        return -1;
+    }
+    if (obj->read)
+        return -1;
+    if (obj->vault_idx > KEYVAULT_MAX_ITEMS)
+        return -1;
+    obj->hdr.size = len;
+    hal_flash_erase((uint32_t)(vault_base + obj->vault_idx * KEYVAULT_OBJ_SIZE),
+            KEYVAULT_OBJ_SIZE);
+    hal_flash_write((uint32_t)(vault_base + obj->vault_idx * KEYVAULT_OBJ_SIZE),
+            (void *)obj, sizeof(struct obj_hdr));
+    while (pos < len) {
+        uint32_t base = (uint32_t)(vault_base +
+                obj->vault_idx * KEYVAULT_OBJ_SIZE);
+        uint32_t sz = len;
+        if (sz > WOLFBOOT_SECTOR_SIZE) {
+            sz = WOLFBOOT_SECTOR_SIZE;
+        }
+        hal_flash_write(base + STORE_PRIV_HDR_SIZE + pos, buffer + pos, sz);
+        pos += sz;
+    }
+    return len;
 }