diff --git a/hal/renesas-ra.c b/hal/renesas-ra.c index 4e90ff86..ed36e57b 100644 --- a/hal/renesas-ra.c +++ b/hal/renesas-ra.c @@ -54,29 +54,19 @@ static inline void hal_panic(void) extern flash_ctrl_t g_flash0_ctrl; extern flash_cfg_t g_flash0_cfg; -void hal_init(void) +#if defined(WOLFBOOT_RENESAS_SCEPROTECT) && !defined(WOLFBOOT_RENESAS_APP) +static int sipInitDone = 0; +int hal_renesas_init(void) { fsp_err_t err; + uint32_t *pubkey; + + if (sipInitDone) + return 0; -#if defined(WOLFBOOT_RENESAS_SCEPROTECT) && !defined(WOLFBOOT_RENESAS_APP) /* retrieve installed pubkey from flash */ - uint32_t *pubkey = keystore_get_buffer(0); -#endif - err = R_FLASH_HP_Close(&g_flash0_ctrl); - err = R_FLASH_HP_Open(&g_flash0_ctrl, &g_flash0_cfg); + pubkey = keystore_get_buffer(0); - if(err != FSP_ERR_ALREADY_OPEN && err != FSP_SUCCESS){ - printf("ERROR: %d\n", err); - hal_panic(); - } - - /* Setup Default Block 0 as Startup Setup Block */ - err = R_FLASH_HP_StartUpAreaSelect(&g_flash0_ctrl, FLASH_STARTUP_AREA_BLOCK0, true); - if(err != FSP_SUCCESS){ - printf("ERROR: %d\n", err); - hal_panic(); - } -#if defined(WOLFBOOT_RENESAS_SCEPROTECT) && !defined(WOLFBOOT_RENESAS_APP) err = wolfCrypt_Init(); if (err != 0) { printf("ERROR: wolfCrypt_Init %d\n", err); @@ -93,12 +83,39 @@ void hal_init(void) pkInfo.keyflgs_crypt.bits.rsapub2048_installedkey_set = 1; pkInfo.keyflgs_crypt.bits.message_type = 1; err = wc_CryptoCb_CryptInitRenesasCmn(NULL, &pkInfo); - if (err < 0) { printf("ERROR: wc_CryptoCb_CryptInitRenesasCmn %d\n", err); - hal_panic(); + return err; } + sipInitDone = 1; + return 0; +} +#endif +void hal_init(void) +{ + fsp_err_t err; + + err = R_FLASH_HP_Close(&g_flash0_ctrl); + err = R_FLASH_HP_Open(&g_flash0_ctrl, &g_flash0_cfg); + + if (err != FSP_ERR_ALREADY_OPEN && err != FSP_SUCCESS){ + wolfBoot_printf("ERROR: %d\n", err); + hal_panic(); + } + + /* Setup Default Block 0 as Startup Setup Block */ + err = R_FLASH_HP_StartUpAreaSelect(&g_flash0_ctrl, FLASH_STARTUP_AREA_BLOCK0, true); + if (err != FSP_SUCCESS){ + wolfBoot_printf("ERROR: %d\n", err); + hal_panic(); + } +#if defined(WOLFBOOT_RENESAS_SCEPROTECT) && !defined(WOLFBOOT_RENESAS_APP) + err = hal_renesas_init(); + if (err != 0) { + wolfBoot_printf("ERROR: hal_renesas_init %d\n", err); + hal_panic(); + } #endif } diff --git a/hal/renesas-rx.c b/hal/renesas-rx.c index 01417903..66527b5f 100644 --- a/hal/renesas-rx.c +++ b/hal/renesas-rx.c @@ -367,14 +367,90 @@ void hal_clk_init(void) PROTECT_ON(); /* write protect on */ } -void hal_init(void) +#if defined(WOLFBOOT_RENESAS_TSIP) && !defined(WOLFBOOT_RENESAS_APP) +static int sipInitDone = 0; +int hal_renesas_init(void) { -#if defined(WOLFBOOT_RENESAS_TSIP) && \ - !defined(WOLFBOOT_RENESAS_APP) int err; uint32_t key_type = 0; int tsip_key_type = -1; struct enc_pub_key *encrypted_user_key_data; + + if (sipInitDone) + return 0; + + err = wolfCrypt_Init(); + if (err != 0) { + return err; + } + + /* retrive installed pubkey data from flash */ + encrypted_user_key_data = (struct enc_pub_key*)keystore_get_buffer(0); + + key_type = keystore_get_key_type(0); + switch (key_type) { + case AUTH_KEY_RSA2048: + tsip_key_type = TSIP_KEY_TYPE_RSA2048; + break; + case AUTH_KEY_RSA3072: + tsip_key_type = TSIP_KEY_TYPE_RSA3072; + break; + case AUTH_KEY_RSA4096: + tsip_key_type = TSIP_KEY_TYPE_RSA4096; + break; + case AUTH_KEY_ECC256: + tsip_key_type = TSIP_KEY_TYPE_ECDSAP256; + break; + case AUTH_KEY_ECC384: + tsip_key_type = TSIP_KEY_TYPE_ECDSAP384; + break; + case AUTH_KEY_ECC521: + case AUTH_KEY_ED25519: + case AUTH_KEY_ED448: + default: + tsip_key_type = -1; + break; + } + if (tsip_key_type == -1) { + wolfBoot_printf("key type (%d) not supported\n", key_type); + return -1; + } + + /* Load encrypted UFPK (User Factory Programming Key) */ + tsip_inform_user_keys_ex( + (byte*)&encrypted_user_key_data->wufpk, + (byte*)&encrypted_user_key_data->initial_vector, + (byte*)&encrypted_user_key_data->encrypted_user_key, + 0/* dummy */ + ); + + /* Load a wrapped public key into TSIP */ + if (tsip_use_PublicKey_buffer_crypt(&pkInfo, + (const char*)&encrypted_user_key_data->encrypted_user_key, + sizeof(encrypted_user_key_data->encrypted_user_key), + tsip_key_type) != 0) { + wolfBoot_printf("ERROR tsip_use_PublicKey_buffer\n"); + return -1; + } + + /* Init Crypt Callback */ + pkInfo.sign_hash_type = sha256_mac; /* TSIP does not support SHA2-384/512 */ + pkInfo.keyflgs_crypt.bits.message_type = 1; + err = wc_CryptoCb_CryptInitRenesasCmn(NULL, &pkInfo); + if (err < 0) { + wolfBoot_printf("ERROR: wc_CryptoCb_CryptInitRenesasCmn %d\n", err); + return -1; + } + sipInitDone = 1; + return 0; +} +#endif /* TSIP */ + + +void hal_init(void) +{ +#if defined(WOLFBOOT_RENESAS_TSIP) && !defined(WOLFBOOT_RENESAS_APP) + int err; #endif /* For CCRX, mcu_clock_setup() in resetprg.c will set up clocks. */ @@ -393,72 +469,13 @@ void hal_init(void) hal_flash_init(); -#if defined(WOLFBOOT_RENESAS_TSIP) && \ - !defined(WOLFBOOT_RENESAS_APP) - err = wolfCrypt_Init(); +#if defined(WOLFBOOT_RENESAS_TSIP) && !defined(WOLFBOOT_RENESAS_APP) + err = hal_renesas_init(); if (err != 0) { - wolfBoot_printf("ERROR: wolfCrypt_Init %d\n", err); - hal_panic(); - } - - /* retrive installed pubkey data from flash */ - encrypted_user_key_data = (struct enc_pub_key*)keystore_get_buffer(0); - - key_type = keystore_get_key_type(0); - switch (key_type) { - case AUTH_KEY_RSA2048: - tsip_key_type = TSIP_RSA2048; - break; - case AUTH_KEY_RSA3072: - tsip_key_type = TSIP_RSA3072; - break; - case AUTH_KEY_RSA4096: - tsip_key_type = TSIP_RSA4096; - break; - case AUTH_KEY_ECC256: - tsip_key_type = TSIP_ECCP256; - break; - case AUTH_KEY_ECC384: - tsip_key_type = TSIP_ECCP384; - break; - case AUTH_KEY_ECC521: - case AUTH_KEY_ED25519: - case AUTH_KEY_ED448: - default: - tsip_key_type = -1; - break; - } - if (tsip_key_type == -1) { - wolfBoot_printf("key type (%d) not supported\n", key_type); + wolfBoot_printf("ERROR: hal_renesas_init %d\n", err); hal_panic(); } - - /* Load encrypted UFPK (User Factory Programming Key) */ - tsip_inform_user_keys_ex( - (byte*)&encrypted_user_key_data->wufpk, - (byte*)&encrypted_user_key_data->initial_vector, - (byte*)&encrypted_user_key_data->encrypted_user_key, - 0/* dummy */ - ); - - /* Load a wrapped public key into TSIP */ - if (tsip_use_PublicKey_buffer_crypt(&pkInfo, - (const char*)&encrypted_user_key_data->encrypted_user_key, - sizeof(encrypted_user_key_data->encrypted_user_key), - tsip_key_type) != 0) { - wolfBoot_printf("ERROR tsip_use_PublicKey_buffer\n"); - hal_panic(); - } - - /* Init Crypt Callback */ - pkInfo.sign_hash_type = sha256_mac; /* TSIP does not support SHA2-384/512 */ - pkInfo.keyflgs_crypt.bits.message_type = 1; - err = wc_CryptoCb_CryptInitRenesasCmn(NULL, &pkInfo); - if (err < 0) { - wolfBoot_printf("ERROR: wc_CryptoCb_CryptInitRenesasCmn %d\n", err); - hal_panic(); - } -#endif /* TSIP */ +#endif } void hal_prepare_boot(void) diff --git a/hal/renesas-rz.c b/hal/renesas-rz.c index f4a31240..d1dc82d8 100644 --- a/hal/renesas-rz.c +++ b/hal/renesas-rz.c @@ -34,7 +34,7 @@ #include "wolfssl/wolfcrypt/wc_port.h" #include "wolfssl/wolfcrypt/port/Renesas/renesas-fspsm-crypt.h" #include "wolfssl/wolfcrypt/port/Renesas/renesas-fspsm-types.h" - + FSPSM_ST pkInfo; uint8_t wrapped_public_key[RSIP_BYTE_SIZE_WRAPPED_KEY_VALUE_RSA_2048_PUBLIC]; rsip_wrapped_key_t *p_wrapped_public_key = (rsip_wrapped_key_t *) wrapped_public_key; @@ -125,20 +125,22 @@ void ext_flash_unlock(void) #endif -void hal_init(void) -{ - #if defined(WOLFBOOT_RENESAS_RSIP) && !defined(WOLFBOOT_RENESAS_APP) - +static int sipInitDone = 0; +int hal_renesas_init(void) +{ fsp_err_t err; int ret; rsa_public_t rsip_pub_key; const size_t key_size = sizeof(rsip_pub_key); - err = wolfCrypt_Init(); - if (err != 0) { - printf("ERROR: wolfCrypt_Init %d\n", err); - hal_panic(); + if (sipInitDone) + reutrn 0; + + ret = wolfCrypt_Init(); + if (ret != 0) { + wolfBoot_printf("ERROR: wolfCrypt_Init %d\n", ret); + return ret; } /* copy the key from ext flash to RAM */ @@ -146,8 +148,8 @@ void hal_init(void) (uint8_t*)RENESAS_RSIP_INSTALLEDKEY_RAM_ADDR, key_size); if (ret != key_size){ wolfBoot_printf("Error reading public key at %lx\n", - RENESAS_RSIP_INSTALLEDKEY_FLASH_ADDR); - hal_panic(); + RENESAS_RSIP_INSTALLEDKEY_FLASH_ADDR); + return -1; } /* import enrypted key */ XMEMCPY(&rsip_pub_key, (const void*)RENESAS_RSIP_INSTALLEDKEY_RAM_ADDR, key_size); @@ -166,12 +168,23 @@ void hal_init(void) pkInfo.keyflgs_crypt.bits.message_type = 1; pkInfo.hash_type = RSIP_HASH_TYPE_SHA256; err = wc_CryptoCb_CryptInitRenesasCmn(NULL, &pkInfo); - if (err < 0) { wolfBoot_printf("ERROR: wc_CryptoCb_CryptInitRenesasCmn %d\n", err); + return err; + } + sipInitDone = 1; + return 0; +} +#endif + +void hal_init(void) +{ +#if defined(WOLFBOOT_RENESAS_RSIP) && !defined(WOLFBOOT_RENESAS_APP) + int err = hal_renesas_init(); + if (err != 0) { + printf("ERROR: hal_renesas_init %d\n", err); hal_panic(); } - #endif } diff --git a/include/user_settings.h b/include/user_settings.h index 2c7ca462..b1c0d524 100644 --- a/include/user_settings.h +++ b/include/user_settings.h @@ -501,6 +501,7 @@ extern int tolower(int c); #define WOLF_CRYPTO_CB_ONLY_ECC #define WOLF_CRYPTO_CB_ONLY_RSA #define WOLFSSL_NO_SW_MATH + #define MAX_CRYPTO_DEVID_CALLBACKS 2 #ifdef WOLFBOOT_RENESAS_TSIP #define WOLFSSL_RENESAS_TSIP diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h index 09b72452..6a91b734 100644 --- a/include/wolfboot/wolfboot.h +++ b/include/wolfboot/wolfboot.h @@ -208,7 +208,7 @@ extern "C" { #include "wolfssl/wolfcrypt/types.h" #include "wolfssl/wolfcrypt/sha3.h" # ifndef WOLFBOOT_SHA_BLOCK_SIZE -# define WOLFBOOT_SHA_BLOCK_SIZE (128) +# define WOLFBOOT_SHA_BLOCK_SIZE (256) # endif # define WOLFBOOT_SHA_HDR HDR_SHA3_384 # define WOLFBOOT_SHA_DIGEST_SIZE (48) diff --git a/src/image.c b/src/image.c index e287bd46..5a6fbd88 100644 --- a/src/image.c +++ b/src/image.c @@ -53,7 +53,7 @@ #endif /* Globals */ -static uint8_t digest[WOLFBOOT_SHA_DIGEST_SIZE]; +static uint8_t XALIGNED(4) digest[WOLFBOOT_SHA_DIGEST_SIZE]; #if defined(WOLFBOOT_CERT_CHAIN_VERIFY) && \ defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) @@ -813,7 +813,7 @@ uint16_t wolfBoot_get_header(struct wolfBoot_image *img, uint16_t type, } #ifdef EXT_FLASH -static uint8_t ext_hash_block[WOLFBOOT_SHA_BLOCK_SIZE]; +static uint8_t XALIGNED(4) ext_hash_block[WOLFBOOT_SHA_BLOCK_SIZE]; #endif /** * @brief Get a block of data to be hashed. @@ -1565,7 +1565,7 @@ static int update_hash_flash_fwimg(wolfBoot_hash_t* ctx, { uint32_t current_offset = offset; uint32_t remaining_size = size; - uint8_t read_buf[WOLFBOOT_SHA_BLOCK_SIZE]; /* Use local buffer */ + uint8_t XALIGNED(4) read_buf[WOLFBOOT_SHA_BLOCK_SIZE]; /* Use local buffer */ while (remaining_size > 0) { uint32_t read_size = (remaining_size > WOLFBOOT_SHA_BLOCK_SIZE) @@ -1594,7 +1594,7 @@ static int update_hash_flash_fwimg(wolfBoot_hash_t* ctx, static int update_hash_flash_addr(wolfBoot_hash_t* ctx, uintptr_t addr, uint32_t size, int src_ext) { - uint8_t buffer[WOLFBOOT_SHA_BLOCK_SIZE]; + uint8_t XALIGNED(4) buffer[WOLFBOOT_SHA_BLOCK_SIZE]; uint32_t remaining_size = size; uintptr_t current_addr = addr; @@ -1633,7 +1633,7 @@ int wolfBoot_check_flash_image_elf(uint8_t part, unsigned long* entry_out) size_t ph_size = 0; size_t current_ph_offset = 0; int64_t final_offset = -1; - uint8_t calc_digest[WOLFBOOT_SHA_DIGEST_SIZE]; + uint8_t XALIGNED(4) calc_digest[WOLFBOOT_SHA_DIGEST_SIZE]; uint8_t* exp_digest; int32_t stored_sha_len; int i; @@ -1988,7 +1988,14 @@ int wolfBoot_verify_authenticity(struct wolfBoot_image *img) * TSIP encrypted key is installed at * RENESAS_TSIP_INSTALLEDKEY_ADDR */ + extern int hal_renesas_init(void); + int rc = hal_renesas_init(); + if (rc != 0) { + wolfBoot_printf("hal_renesas_init failed! %d\n", rc); + return rc; + } key_slot = 0; + #elif defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID) /* Don't care about the key slot, we are using a fixed wolfHSM keyId */ diff --git a/tools/keytools/keygen.c b/tools/keytools/keygen.c index cf720426..5e54c925 100644 --- a/tools/keytools/keygen.c +++ b/tools/keytools/keygen.c @@ -168,8 +168,8 @@ const char Cfile_Banner[]= const char Store_hdr[] = "\n" "#if defined(__APPLE__) && defined(__MACH__)\n" "#define KEYSTORE_SECTION __attribute__((section (\"__KEYSTORE,__keystore\")))\n" - "#elif defined(__CCRX__) /* Renesas RX */\n" - "#define KEYSTORE_SECTION\n" + "#elif defined(__CCRX__) || defined(WOLFBOOT_RENESAS_RSIP) || defined(WOLFBOOT_RENESAS_TSIP) || defined(WOLFBOOT_RENESAS_SCEPROTECT)\n" + "#define KEYSTORE_SECTION /* Renesas RX */\n" "#elif defined(TARGET_x86_64_efi)\n" "#define KEYSTORE_SECTION\n" "#else\n" @@ -258,7 +258,7 @@ const char Keystore_API[] = "{\n" " if (id >= keystore_num_pubkeys())\n" " return 0;\n" - " return (int)PubKeys[id].part_id_mask;\n" + " return PubKeys[id].part_id_mask;\n" "}\n" "\n" "uint32_t keystore_get_key_type(int id)\n" diff --git a/tools/keytools/keygen.py b/tools/keytools/keygen.py old mode 100755 new mode 100644 index 8e2b6376..46c6a002 --- a/tools/keytools/keygen.py +++ b/tools/keytools/keygen.py @@ -172,7 +172,7 @@ Keystore_API += "uint32_t keystore_get_mask(int id)\n" Keystore_API += "{\n" Keystore_API += " if (id >= keystore_num_pubkeys())\n" Keystore_API += " return -1;\n" -Keystore_API += " return (int)PubKeys[id].part_id_mask;\n" +Keystore_API += " return PubKeys[id].part_id_mask;\n" Keystore_API += "}\n\n" Keystore_API += "#endif /* Keystore public key size check */\n" Keystore_API += "#endif /* WOLFBOOT_NO_SIGN */\n"