From d13f3260abd734be2d9388e3c8da709e61688912 Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 24 Mar 2025 14:51:30 -0700 Subject: [PATCH] Documentation cleanups. Renamed zynqmp CSU `PKA` to `HW_SHA3`. Disabled CSU PUF code, since it is only supported with eFuses (it cannot be used adhoc). --- arch.mk | 4 ++-- config/examples/zynqmp.config | 9 +++++---- docs/Targets.md | 36 ++--------------------------------- hal/zynq.c | 27 ++++++++------------------ options.mk | 2 +- 5 files changed, 18 insertions(+), 60 deletions(-) diff --git a/arch.mk b/arch.mk index 5cb404ea..0e74a917 100644 --- a/arch.mk +++ b/arch.mk @@ -76,9 +76,9 @@ ifeq ($(ARCH),AARCH64) CFLAGS+=-DWOLFBOOT_UBOOT_LEGACY CFLAGS+=-DWOLFBOOT_DUALBOOT - ifeq ($(PKA),1) + ifeq ($(HW_SHA3),1) # Use HAL for hash (see zynqmp.c) - PKA_HASH_HAL=1 + HASH_HAL=1 CFLAGS+=-DWOLFBOOT_ZYNQMP_CSU endif else diff --git a/config/examples/zynqmp.config b/config/examples/zynqmp.config index 39e80494..d04a233f 100644 --- a/config/examples/zynqmp.config +++ b/config/examples/zynqmp.config @@ -9,11 +9,11 @@ HASH?=SHA3 IMAGE_HEADER_SIZE?=1024 # Hashing Option -# 1. ARMv8+Crypto Assembly: PKA=0 and NO_ARM_ASM=0 (default) -# 2. CSU SHA3 hardware acceleration PKA=1 and NO_ARM_ASM=1 -# 3. C Only PKA=0 and NO_ARM_ASM=1 +# 1. ARMv8+Crypto Assembly: HW_SHA3=0 and NO_ARM_ASM=0 (default) +# 2. CSU SHA3 hardware acceleration HW_SHA3=1 and NO_ARM_ASM=1 +# 3. C Only HW_SHA3=0 and NO_ARM_ASM=1 NO_ARM_ASM?=0 -PKA?=0 +HW_SHA3?=0 # XMSS/XMSS^MT is a post-quantum, stateful, hash-based signature scheme. # Use the helper script `tools/xmss/xmss_siglen.sh` @@ -49,6 +49,7 @@ V?=0 SPMATH?=1 RAM_CODE?=0 DUALBANK_SWAP?=0 +PKA?=0 WOLFTPM?=0 EXT_FLASH?=1 SPI_FLASH?=0 diff --git a/docs/Targets.md b/docs/Targets.md index 7cd79bef..0a50cd9c 100644 --- a/docs/Targets.md +++ b/docs/Targets.md 
@@ -19,7 +19,7 @@ This README describes configuration of supported targets. * [NXP LPC54xxx](#nxp-lpc54xxx) * [NXP LS1028A](#nxp-ls1028a) * [NXP MCXA153](#nxp-mcxa153) -* [NXP MCXW716C](#nxp-mcxw716c) +* [NXP MCXW716](#nxp-mcxw716) * [NXP P1021 PPC](#nxp-qoriq-p1021-ppc) * [NXP T1024 PPC](#nxp-qoriq-t1024-ppc) * [NXP T2080 PPC](#nxp-qoriq-t2080-ppc) @@ -1296,7 +1296,7 @@ My board version is: 0xA020D3 Trying partition 0 at 0x140000 Boot partition: 0x140000 (size 14901760, version 0x1) .... -```` +``` Note: Now, integrity-check takes 2 - 3 minutes to complete before running Linux kernel. o Kernel panic after wolfboot message @@ -1399,38 +1399,6 @@ qemu-system-aarch64 -machine xlnx-zcu102 -cpu cortex-a53 -serial stdio -display ``` -### Testing with qemu-system-aarch64 - -* Build wolfboot using the example configuration (RSA4096, SHA3) - -``` -cp config/examples/raspi3.config .config -make clean -make wolfboot.bin CROSS_COMPILE=aarch64-linux-gnu- -``` - -* Sign Linux kernel image -``` -make keytools -./tools/keytools/sign --rsa4096 --sha3 Image wolfboot_signing_private_key.der 1 -``` - -* Compose the image - -``` -tools/bin-assemble/bin-assemble wolfboot_linux_raspi.bin 0x0 wolfboot.bin \ - 0xc0000 Image_v1_signed.bin -dd if=bcm2710-rpi-3-b.dtb of=wolfboot_linux_raspi.bin bs=1 seek=128K conv=notrunc -``` - -* Test boot using qemu - -``` -qemu-system-aarch64 -M raspi3b -m 1024 -serial stdio -kernel wolfboot_linux_raspi.bin -cpu cortex-a53 -``` - - - #### Signing Zynq `tools/keytools/sign --rsa4096 --sha3 /srv/linux-rpi4/vmlinux.bin wolfboot_signing_private_key.der 1` diff --git a/hal/zynq.c b/hal/zynq.c index 6658ae16..b73ecb61 100644 --- a/hal/zynq.c +++ b/hal/zynq.c @@ -338,7 +338,7 @@ void wc_Sha3_384_Free(wc_Sha3* sha) (void)sha; } #else -# error PKA=1 only supported with HASH=SHA3 +# error HW_SHA3=1 only supported with HASH=SHA3 #endif /* CSU PUF */ 
@@ -573,33 +573,17 @@ int csu_aes_key_zero(void) return ret; } -#ifdef CSU_PUF_ROT -#define KEY_WRAP_SZ 32 -/* Red (sensitive key), Black (protected key), Grey (unknown) */ -/* Example key to encrypt */ -static const uint8_t XALIGNED(32) redKey[KEY_WRAP_SZ] = { - 0x64, 0xF0, 0x3A, 0xFD, 0x7D, 0x0C, 0x70, 0xD2, - 0x59, 0x1C, 0xDF, 0x34, 0x30, 0x5F, 0x7B, 0x8A, - 0x5B, 0xA4, 0x59, 0x3C, 0x0A, 0x0E, 0x1B, 0x8C, - 0x5E, 0xCD, 0xFF, 0x9F, 0x59, 0x00, 0x19, 0x2C -}; -/* Example IV to use for wrapping */ -static const uint8_t XALIGNED(32) blackIv[AES_GCM_TAG_SZ] = { - 0xD1, 0x42, 0xAC, 0x7C, 0x56, 0x0F, 0x15, 0x8B, - 0xA9, 0x5A, 0x21, 0x31 -}; -static uint8_t XALIGNED(32) blackKey[KEY_WRAP_SZ+AES_GCM_TAG_SZ]; -#endif - int csu_init(void) { int ret = 0; #ifdef CSU_PUF_ROT + #if 0 uint32_t syndrome[CSU_PUF_SYNDROME_WORDS]; uint32_t chash=0, aux=0; #if defined(DEBUG_CSU) && DEBUG_CSU >= 1 uint32_t idx; #endif + #endif #endif uint32_t reg1 = pmu_mmio_read(CSU_IDCODE); uint32_t reg2 = pmu_mmio_read(CSU_VERSION); @@ -637,6 +621,10 @@ int csu_init(void) pmu_efuse_read(ZYNQMP_EFUSE_PUF_AUX, ®2, sizeof(reg2)); wolfBoot_printf("eFuse PUF CHASH 0x%08x, AUX 0x%08x\n", reg1, reg2); + /* CSU PUF only supported with eFuses */ + /* Keeping code for reference in future generations like Versal */ + /* Red (sensitive key), Black (protected key), Grey (unknown) */ + #if 0 memset(syndrome, 0, sizeof(syndrome)); ms = hal_timer_ms(); ret = csu_puf_register(syndrome, &chash, &aux); @@ -676,6 +664,7 @@ int csu_init(void) } wolfBoot_printf("\n"); #endif + #endif } #endif diff --git a/options.mk b/options.mk index adfd3a13..cb62b922 100644 --- a/options.mk +++ b/options.mk @@ -748,7 +748,7 @@ ifeq ($(WOLFBOOT_NO_PARTITIONS),1) endif ifeq ($(HASH),SHA3) - ifeq ($(PKA_HASH_HAL),) + ifeq ($(HASH_HAL),) WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/sha3.o endif CFLAGS+=-D"WOLFBOOT_HASH_SHA3_384"
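Review bot: The `#if 0` added around the `syndrome`/`chash`/`aux`/`idx` declarations in `csu_init` ends in three bare `#endif` lines in a row. Its partner `#if 0` and `#endif` in the two later `csu_init` hunks are also unlabelled, so it is easy to re-enable one region and miss the others. Labelling the closers keeps the regions visibly paired, e.g. `#endif /* 0: PUF registration disabled */` and `#endif /* CSU_PUF_ROT */`. The body of `csu_init` continues outside this hunk.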
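Review bot: The block disabled by the `#if 0` after the eFuse CHASH/AUX print is kept "for reference", but this commit also deletes `KEY_WRAP_SZ`, `redKey`, `blackIv` and `blackKey`. The disabled registration and key-wrap code presumably used them (those lines fall between the hunks and are not visible here), so it would no longer build if re-enabled. I would say so in the comment, e.g. `/* Disabled: re-enabling needs KEY_WRAP_SZ/redKey/blackIv/blackKey restored, with a provisioned key and a fresh IV rather than the fixed examples */`. A build that defines `CSU_PUF_ROT` now appears only to read and print the eFuse PUF values, which is worth a one-line comment at the `#ifdef CSU_PUF_ROT` so nobody assumes a PUF-backed key is set up. The matching `#endif` is in the following hunk.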