WolfSSL
/
wolfBoot
mirror of https://github.com/wolfSSL/wolfBoot.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix for Renesas TSIP key types. Fix for Renesas RX .keystore location in linker script. Fix for wolfBoot as library with Renesas to make sure crypto hardware is initialized and setup. Add forced alignment on additional buffers used for flash read/write.

master
David Garske 2025-06-02 13:19:10 -07:00 committed by Daniele Lacamera
parent 4787d70cd8
commit 9451b47628
8 changed files with 164 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
hal/renesas-ra.c
View File

@ -54,29 +54,19 @@ static inline void hal_panic(void)
extern flash_ctrl_t g_flash0_ctrl;
extern flash_cfg_t g_flash0_cfg;
void hal_init(void)
#if defined(WOLFBOOT_RENESAS_SCEPROTECT) && !defined(WOLFBOOT_RENESAS_APP)
static int sipInitDone = 0;
int hal_renesas_init(void)
{
fsp_err_t err;
uint32_t *pubkey;
if (sipInitDone)
return 0;
#if defined(WOLFBOOT_RENESAS_SCEPROTECT) && !defined(WOLFBOOT_RENESAS_APP)
/* retrieve installed pubkey from flash */
uint32_t *pubkey = keystore_get_buffer(0);
#endif
err = R_FLASH_HP_Close(&g_flash0_ctrl);
err = R_FLASH_HP_Open(&g_flash0_ctrl, &g_flash0_cfg);
pubkey = keystore_get_buffer(0);
if(err != FSP_ERR_ALREADY_OPEN && err != FSP_SUCCESS){
printf("ERROR: %d\n", err);
hal_panic();
}
/* Setup Default Block 0 as Startup Setup Block */
err = R_FLASH_HP_StartUpAreaSelect(&g_flash0_ctrl, FLASH_STARTUP_AREA_BLOCK0, true);
if(err != FSP_SUCCESS){
printf("ERROR: %d\n", err);
hal_panic();
}
#if defined(WOLFBOOT_RENESAS_SCEPROTECT) && !defined(WOLFBOOT_RENESAS_APP)
err = wolfCrypt_Init();
if (err != 0) {
printf("ERROR: wolfCrypt_Init %d\n", err);
@ -93,12 +83,39 @@ void hal_init(void)
pkInfo.keyflgs_crypt.bits.rsapub2048_installedkey_set = 1;
pkInfo.keyflgs_crypt.bits.message_type = 1;
err = wc_CryptoCb_CryptInitRenesasCmn(NULL, &pkInfo);
if (err < 0) {
printf("ERROR: wc_CryptoCb_CryptInitRenesasCmn %d\n", err);
hal_panic();
return err;
}
sipInitDone = 1;
return 0;
}
#endif
void hal_init(void)
{
fsp_err_t err;
err = R_FLASH_HP_Close(&g_flash0_ctrl);
err = R_FLASH_HP_Open(&g_flash0_ctrl, &g_flash0_cfg);
if (err != FSP_ERR_ALREADY_OPEN && err != FSP_SUCCESS){
wolfBoot_printf("ERROR: %d\n", err);
hal_panic();
}
/* Setup Default Block 0 as Startup Setup Block */
err = R_FLASH_HP_StartUpAreaSelect(&g_flash0_ctrl, FLASH_STARTUP_AREA_BLOCK0, true);
if (err != FSP_SUCCESS){
wolfBoot_printf("ERROR: %d\n", err);
hal_panic();
}
#if defined(WOLFBOOT_RENESAS_SCEPROTECT) && !defined(WOLFBOOT_RENESAS_APP)
err = hal_renesas_init();
if (err != 0) {
wolfBoot_printf("ERROR: hal_renesas_init %d\n", err);
hal_panic();
}
#endif
}

149
hal/renesas-rx.c
View File

@ -367,14 +367,90 @@ void hal_clk_init(void)
PROTECT_ON(); /* write protect on */
}
void hal_init(void)
#if defined(WOLFBOOT_RENESAS_TSIP) && !defined(WOLFBOOT_RENESAS_APP)
static int sipInitDone = 0;
int hal_renesas_init(void)
{
#if defined(WOLFBOOT_RENESAS_TSIP) && \
!defined(WOLFBOOT_RENESAS_APP)
int err;
uint32_t key_type = 0;
int tsip_key_type = -1;
struct enc_pub_key *encrypted_user_key_data;
if (sipInitDone)
return 0;
err = wolfCrypt_Init();
if (err != 0) {
return err;
}
/* retrive installed pubkey data from flash */
encrypted_user_key_data = (struct enc_pub_key*)keystore_get_buffer(0);
key_type = keystore_get_key_type(0);
switch (key_type) {
case AUTH_KEY_RSA2048:
tsip_key_type = TSIP_KEY_TYPE_RSA2048;
break;
case AUTH_KEY_RSA3072:
tsip_key_type = TSIP_KEY_TYPE_RSA3072;
break;
case AUTH_KEY_RSA4096:
tsip_key_type = TSIP_KEY_TYPE_RSA4096;
break;
case AUTH_KEY_ECC256:
tsip_key_type = TSIP_KEY_TYPE_ECDSAP256;
break;
case AUTH_KEY_ECC384:
tsip_key_type = TSIP_KEY_TYPE_ECDSAP384;
break;
case AUTH_KEY_ECC521:
case AUTH_KEY_ED25519:
case AUTH_KEY_ED448:
default:
tsip_key_type = -1;
break;
}
if (tsip_key_type == -1) {
wolfBoot_printf("key type (%d) not supported\n", key_type);
return -1;
}
/* Load encrypted UFPK (User Factory Programming Key) */
tsip_inform_user_keys_ex(
(byte*)&encrypted_user_key_data->wufpk,
(byte*)&encrypted_user_key_data->initial_vector,
(byte*)&encrypted_user_key_data->encrypted_user_key,
0/* dummy */
);
/* Load a wrapped public key into TSIP */
if (tsip_use_PublicKey_buffer_crypt(&pkInfo,
(const char*)&encrypted_user_key_data->encrypted_user_key,
sizeof(encrypted_user_key_data->encrypted_user_key),
tsip_key_type) != 0) {
wolfBoot_printf("ERROR tsip_use_PublicKey_buffer\n");
return -1;
}
/* Init Crypt Callback */
pkInfo.sign_hash_type = sha256_mac; /* TSIP does not support SHA2-384/512 */
pkInfo.keyflgs_crypt.bits.message_type = 1;
err = wc_CryptoCb_CryptInitRenesasCmn(NULL, &pkInfo);
if (err < 0) {
wolfBoot_printf("ERROR: wc_CryptoCb_CryptInitRenesasCmn %d\n", err);
return -1;
}
sipInitDone = 1;
return 0;
}
#endif /* TSIP */
void hal_init(void)
{
#if defined(WOLFBOOT_RENESAS_TSIP) && !defined(WOLFBOOT_RENESAS_APP)
int err;
#endif
/* For CCRX, mcu_clock_setup() in resetprg.c will set up clocks. */
@ -393,72 +469,13 @@ void hal_init(void)
hal_flash_init();
#if defined(WOLFBOOT_RENESAS_TSIP) && \
!defined(WOLFBOOT_RENESAS_APP)
err = wolfCrypt_Init();
#if defined(WOLFBOOT_RENESAS_TSIP) && !defined(WOLFBOOT_RENESAS_APP)
err = hal_renesas_init();
if (err != 0) {
wolfBoot_printf("ERROR: wolfCrypt_Init %d\n", err);
hal_panic();
}
/* retrive installed pubkey data from flash */
encrypted_user_key_data = (struct enc_pub_key*)keystore_get_buffer(0);
key_type = keystore_get_key_type(0);
switch (key_type) {
case AUTH_KEY_RSA2048:
tsip_key_type = TSIP_RSA2048;
break;
case AUTH_KEY_RSA3072:
tsip_key_type = TSIP_RSA3072;
break;
case AUTH_KEY_RSA4096:
tsip_key_type = TSIP_RSA4096;
break;
case AUTH_KEY_ECC256:
tsip_key_type = TSIP_ECCP256;
break;
case AUTH_KEY_ECC384:
tsip_key_type = TSIP_ECCP384;
break;
case AUTH_KEY_ECC521:
case AUTH_KEY_ED25519:
case AUTH_KEY_ED448:
default:
tsip_key_type = -1;
break;
}
if (tsip_key_type == -1) {
wolfBoot_printf("key type (%d) not supported\n", key_type);
wolfBoot_printf("ERROR: hal_renesas_init %d\n", err);
hal_panic();
}
/* Load encrypted UFPK (User Factory Programming Key) */
tsip_inform_user_keys_ex(
(byte*)&encrypted_user_key_data->wufpk,
(byte*)&encrypted_user_key_data->initial_vector,
(byte*)&encrypted_user_key_data->encrypted_user_key,
0/* dummy */
);
/* Load a wrapped public key into TSIP */
if (tsip_use_PublicKey_buffer_crypt(&pkInfo,
(const char*)&encrypted_user_key_data->encrypted_user_key,
sizeof(encrypted_user_key_data->encrypted_user_key),
tsip_key_type) != 0) {
wolfBoot_printf("ERROR tsip_use_PublicKey_buffer\n");
hal_panic();
}
/* Init Crypt Callback */
pkInfo.sign_hash_type = sha256_mac; /* TSIP does not support SHA2-384/512 */
pkInfo.keyflgs_crypt.bits.message_type = 1;
err = wc_CryptoCb_CryptInitRenesasCmn(NULL, &pkInfo);
if (err < 0) {
wolfBoot_printf("ERROR: wc_CryptoCb_CryptInitRenesasCmn %d\n", err);
hal_panic();
}
#endif /* TSIP */
#endif
}
void hal_prepare_boot(void)

39
hal/renesas-rz.c
View File

@ -34,7 +34,7 @@
#include "wolfssl/wolfcrypt/wc_port.h"
#include "wolfssl/wolfcrypt/port/Renesas/renesas-fspsm-crypt.h"
#include "wolfssl/wolfcrypt/port/Renesas/renesas-fspsm-types.h"
FSPSM_ST pkInfo;
uint8_t wrapped_public_key[RSIP_BYTE_SIZE_WRAPPED_KEY_VALUE_RSA_2048_PUBLIC];
rsip_wrapped_key_t *p_wrapped_public_key = (rsip_wrapped_key_t *) wrapped_public_key;
@ -125,20 +125,22 @@ void ext_flash_unlock(void)
#endif
void hal_init(void)
{
#if defined(WOLFBOOT_RENESAS_RSIP) && !defined(WOLFBOOT_RENESAS_APP)
static int sipInitDone = 0;
int hal_renesas_init(void)
{
fsp_err_t err;
int ret;
rsa_public_t rsip_pub_key;
const size_t key_size = sizeof(rsip_pub_key);
err = wolfCrypt_Init();
if (err != 0) {
printf("ERROR: wolfCrypt_Init %d\n", err);
hal_panic();
if (sipInitDone)
reutrn 0;
ret = wolfCrypt_Init();
if (ret != 0) {
wolfBoot_printf("ERROR: wolfCrypt_Init %d\n", ret);
return ret;
}
/* copy the key from ext flash to RAM */
@ -146,8 +148,8 @@ void hal_init(void)
(uint8_t*)RENESAS_RSIP_INSTALLEDKEY_RAM_ADDR, key_size);
if (ret != key_size){
wolfBoot_printf("Error reading public key at %lx\n",
RENESAS_RSIP_INSTALLEDKEY_FLASH_ADDR);
hal_panic();
RENESAS_RSIP_INSTALLEDKEY_FLASH_ADDR);
return -1;
}
/* import enrypted key */
XMEMCPY(&rsip_pub_key, (const void*)RENESAS_RSIP_INSTALLEDKEY_RAM_ADDR, key_size);
@ -166,12 +168,23 @@ void hal_init(void)
pkInfo.keyflgs_crypt.bits.message_type = 1;
pkInfo.hash_type = RSIP_HASH_TYPE_SHA256;
err = wc_CryptoCb_CryptInitRenesasCmn(NULL, &pkInfo);
if (err < 0) {
wolfBoot_printf("ERROR: wc_CryptoCb_CryptInitRenesasCmn %d\n", err);
return err;
}
sipInitDone = 1;
return 0;
}
#endif
void hal_init(void)
{
#if defined(WOLFBOOT_RENESAS_RSIP) && !defined(WOLFBOOT_RENESAS_APP)
int err = hal_renesas_init();
if (err != 0) {
printf("ERROR: hal_renesas_init %d\n", err);
hal_panic();
}
#endif
}

1
include/user_settings.h
View File

@ -501,6 +501,7 @@ extern int tolower(int c);
#define WOLF_CRYPTO_CB_ONLY_ECC
#define WOLF_CRYPTO_CB_ONLY_RSA
#define WOLFSSL_NO_SW_MATH
#define MAX_CRYPTO_DEVID_CALLBACKS 2
#ifdef WOLFBOOT_RENESAS_TSIP
#define WOLFSSL_RENESAS_TSIP

2
include/wolfboot/wolfboot.h
View File

@ -208,7 +208,7 @@ extern "C" {
#include "wolfssl/wolfcrypt/types.h"
#include "wolfssl/wolfcrypt/sha3.h"
# ifndef WOLFBOOT_SHA_BLOCK_SIZE
# define WOLFBOOT_SHA_BLOCK_SIZE (128)
# define WOLFBOOT_SHA_BLOCK_SIZE (256)
# endif
# define WOLFBOOT_SHA_HDR HDR_SHA3_384
# define WOLFBOOT_SHA_DIGEST_SIZE (48)

17
src/image.c
View File

@ -53,7 +53,7 @@
#endif
/* Globals */
static uint8_t digest[WOLFBOOT_SHA_DIGEST_SIZE];
static uint8_t XALIGNED(4) digest[WOLFBOOT_SHA_DIGEST_SIZE];
#if defined(WOLFBOOT_CERT_CHAIN_VERIFY) && \
defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT)
@ -813,7 +813,7 @@ uint16_t wolfBoot_get_header(struct wolfBoot_image *img, uint16_t type,
}
#ifdef EXT_FLASH
static uint8_t ext_hash_block[WOLFBOOT_SHA_BLOCK_SIZE];
static uint8_t XALIGNED(4) ext_hash_block[WOLFBOOT_SHA_BLOCK_SIZE];
#endif
/**
* @brief Get a block of data to be hashed.
@ -1565,7 +1565,7 @@ static int update_hash_flash_fwimg(wolfBoot_hash_t* ctx,
{
uint32_t current_offset = offset;
uint32_t remaining_size = size;
uint8_t read_buf[WOLFBOOT_SHA_BLOCK_SIZE]; /* Use local buffer */
uint8_t XALIGNED(4) read_buf[WOLFBOOT_SHA_BLOCK_SIZE]; /* Use local buffer */
while (remaining_size > 0) {
uint32_t read_size = (remaining_size > WOLFBOOT_SHA_BLOCK_SIZE)
@ -1594,7 +1594,7 @@ static int update_hash_flash_fwimg(wolfBoot_hash_t* ctx,
static int update_hash_flash_addr(wolfBoot_hash_t* ctx, uintptr_t addr,
uint32_t size, int src_ext)
{
uint8_t buffer[WOLFBOOT_SHA_BLOCK_SIZE];
uint8_t XALIGNED(4) buffer[WOLFBOOT_SHA_BLOCK_SIZE];
uint32_t remaining_size = size;
uintptr_t current_addr = addr;
@ -1633,7 +1633,7 @@ int wolfBoot_check_flash_image_elf(uint8_t part, unsigned long* entry_out)
size_t ph_size = 0;
size_t current_ph_offset = 0;
int64_t final_offset = -1;
uint8_t calc_digest[WOLFBOOT_SHA_DIGEST_SIZE];
uint8_t XALIGNED(4) calc_digest[WOLFBOOT_SHA_DIGEST_SIZE];
uint8_t* exp_digest;
int32_t stored_sha_len;
int i;
@ -1988,7 +1988,14 @@ int wolfBoot_verify_authenticity(struct wolfBoot_image *img)
* TSIP encrypted key is installed at
* RENESAS_TSIP_INSTALLEDKEY_ADDR
*/
extern int hal_renesas_init(void);
int rc = hal_renesas_init();
if (rc != 0) {
wolfBoot_printf("hal_renesas_init failed! %d\n", rc);
return rc;
}
key_slot = 0;
#elif defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \
defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID)
/* Don't care about the key slot, we are using a fixed wolfHSM keyId */

6
tools/keytools/keygen.c
View File

@ -168,8 +168,8 @@ const char Cfile_Banner[]=
const char Store_hdr[] = "\n"
"#if defined(__APPLE__) && defined(__MACH__)\n"
"#define KEYSTORE_SECTION __attribute__((section (\"__KEYSTORE,__keystore\")))\n"
"#elif defined(__CCRX__) /* Renesas RX */\n"
"#define KEYSTORE_SECTION\n"
"#elif defined(__CCRX__) || defined(WOLFBOOT_RENESAS_RSIP) || defined(WOLFBOOT_RENESAS_TSIP) || defined(WOLFBOOT_RENESAS_SCEPROTECT)\n"
"#define KEYSTORE_SECTION /* Renesas RX */\n"
"#elif defined(TARGET_x86_64_efi)\n"
"#define KEYSTORE_SECTION\n"
"#else\n"
@ -258,7 +258,7 @@ const char Keystore_API[] =
"{\n"
" if (id >= keystore_num_pubkeys())\n"
" return 0;\n"
" return (int)PubKeys[id].part_id_mask;\n"
" return PubKeys[id].part_id_mask;\n"
"}\n"
"\n"
"uint32_t keystore_get_key_type(int id)\n"

2
tools/keytools/keygen.py 100755 → 100644
View File

@ -172,7 +172,7 @@ Keystore_API += "uint32_t keystore_get_mask(int id)\n"
Keystore_API += "{\n"
Keystore_API += " if (id >= keystore_num_pubkeys())\n"
Keystore_API += " return -1;\n"
Keystore_API += " return (int)PubKeys[id].part_id_mask;\n"
Keystore_API += " return PubKeys[id].part_id_mask;\n"
Keystore_API += "}\n\n"
Keystore_API += "#endif /* Keystore public key size check */\n"
Keystore_API += "#endif /* WOLFBOOT_NO_SIGN */\n"