WolfSSL
/
wolfBoot
mirror of https://github.com/wolfSSL/wolfBoot.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Documentation cleanups. Renamed zynqmp CSU `PKA` to `HW_SHA3`. Disabled CSU PUF code, since it is only supported with eFuses (it cannot be used adhoc).

pull/568/head
David Garske 2025-03-24 14:51:30 -07:00 committed by Daniele Lacamera
parent 5e9cc8c603
commit d13f3260ab
5 changed files with 18 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
arch.mk
View File

@ -76,9 +76,9 @@ ifeq ($(ARCH),AARCH64)
CFLAGS+=-DWOLFBOOT_UBOOT_LEGACY CFLAGS+=-DWOLFBOOT_UBOOT_LEGACY
CFLAGS+=-DWOLFBOOT_DUALBOOT CFLAGS+=-DWOLFBOOT_DUALBOOT
ifeq ($(PKA),1) ifeq ($(HW_SHA3),1)
# Use HAL for hash (see zynqmp.c) # Use HAL for hash (see zynqmp.c)
PKA_HASH_HAL=1 HASH_HAL=1
CFLAGS+=-DWOLFBOOT_ZYNQMP_CSU CFLAGS+=-DWOLFBOOT_ZYNQMP_CSU
endif endif
else else

9
config/examples/zynqmp.config
View File

@ -9,11 +9,11 @@ HASH?=SHA3
IMAGE_HEADER_SIZE?=1024 IMAGE_HEADER_SIZE?=1024
# Hashing Option # Hashing Option
# 1. ARMv8+Crypto Assembly: PKA=0 and NO_ARM_ASM=0 (default) # 1. ARMv8+Crypto Assembly: HW_SHA3=0 and NO_ARM_ASM=0 (default)
# 2. CSU SHA3 hardware acceleration PKA=1 and NO_ARM_ASM=1 # 2. CSU SHA3 hardware acceleration HW_SHA3=1 and NO_ARM_ASM=1
# 3. C Only PKA=0 and NO_ARM_ASM=1 # 3. C Only HW_SHA3=0 and NO_ARM_ASM=1
NO_ARM_ASM?=0 NO_ARM_ASM?=0
PKA?=0 HW_SHA3?=0
# XMSS/XMSS^MT is a post-quantum, stateful, hash-based signature scheme. # XMSS/XMSS^MT is a post-quantum, stateful, hash-based signature scheme.
# Use the helper script `tools/xmss/xmss_siglen.sh` # Use the helper script `tools/xmss/xmss_siglen.sh`
@ -49,6 +49,7 @@ V?=0
SPMATH?=1 SPMATH?=1
RAM_CODE?=0 RAM_CODE?=0
DUALBANK_SWAP?=0 DUALBANK_SWAP?=0
PKA?=0
WOLFTPM?=0 WOLFTPM?=0
EXT_FLASH?=1 EXT_FLASH?=1
SPI_FLASH?=0 SPI_FLASH?=0

36
docs/Targets.md
View File

@ -19,7 +19,7 @@ This README describes configuration of supported targets.
* [NXP LPC54xxx](#nxp-lpc54xxx) * [NXP LPC54xxx](#nxp-lpc54xxx)
* [NXP LS1028A](#nxp-ls1028a) * [NXP LS1028A](#nxp-ls1028a)
* [NXP MCXA153](#nxp-mcxa153) * [NXP MCXA153](#nxp-mcxa153)
* [NXP MCXW716C](#nxp-mcxw716c) * [NXP MCXW716](#nxp-mcxw716)
* [NXP P1021 PPC](#nxp-qoriq-p1021-ppc) * [NXP P1021 PPC](#nxp-qoriq-p1021-ppc)
* [NXP T1024 PPC](#nxp-qoriq-t1024-ppc) * [NXP T1024 PPC](#nxp-qoriq-t1024-ppc)
* [NXP T2080 PPC](#nxp-qoriq-t2080-ppc) * [NXP T2080 PPC](#nxp-qoriq-t2080-ppc)
@ -1296,7 +1296,7 @@ My board version is: 0xA020D3
Trying partition 0 at 0x140000 Trying partition 0 at 0x140000
Boot partition: 0x140000 (size 14901760, version 0x1) Boot partition: 0x140000 (size 14901760, version 0x1)
.... ....
```` ```
Note: Now, integrity-check takes 2 - 3 minutes to complete before running Linux kernel. Note: Now, integrity-check takes 2 - 3 minutes to complete before running Linux kernel.
o Kernel panic after wolfboot message o Kernel panic after wolfboot message
@ -1399,38 +1399,6 @@ qemu-system-aarch64 -machine xlnx-zcu102 -cpu cortex-a53 -serial stdio -display
``` ```
### Testing with qemu-system-aarch64
* Build wolfboot using the example configuration (RSA4096, SHA3)
```
cp config/examples/raspi3.config .config
make clean
make wolfboot.bin CROSS_COMPILE=aarch64-linux-gnu-
```
* Sign Linux kernel image
```
make keytools
./tools/keytools/sign --rsa4096 --sha3 Image wolfboot_signing_private_key.der 1
```
* Compose the image
```
tools/bin-assemble/bin-assemble wolfboot_linux_raspi.bin 0x0 wolfboot.bin \
0xc0000 Image_v1_signed.bin
dd if=bcm2710-rpi-3-b.dtb of=wolfboot_linux_raspi.bin bs=1 seek=128K conv=notrunc
```
* Test boot using qemu
```
qemu-system-aarch64 -M raspi3b -m 1024 -serial stdio -kernel wolfboot_linux_raspi.bin -cpu cortex-a53
```
#### Signing Zynq #### Signing Zynq
`tools/keytools/sign --rsa4096 --sha3 /srv/linux-rpi4/vmlinux.bin wolfboot_signing_private_key.der 1` `tools/keytools/sign --rsa4096 --sha3 /srv/linux-rpi4/vmlinux.bin wolfboot_signing_private_key.der 1`

27
hal/zynq.c
View File

@ -338,7 +338,7 @@ void wc_Sha3_384_Free(wc_Sha3* sha)
(void)sha; (void)sha;
} }
#else #else
# error PKA=1 only supported with HASH=SHA3 # error HW_SHA3=1 only supported with HASH=SHA3
#endif #endif
/* CSU PUF */ /* CSU PUF */
@ -573,34 +573,18 @@ int csu_aes_key_zero(void)
return ret; return ret;
} }
#ifdef CSU_PUF_ROT
#define KEY_WRAP_SZ 32
/* Red (sensitive key), Black (protected key), Grey (unknown) */
/* Example key to encrypt */
static const uint8_t XALIGNED(32) redKey[KEY_WRAP_SZ] = {
0x64, 0xF0, 0x3A, 0xFD, 0x7D, 0x0C, 0x70, 0xD2,
0x59, 0x1C, 0xDF, 0x34, 0x30, 0x5F, 0x7B, 0x8A,
0x5B, 0xA4, 0x59, 0x3C, 0x0A, 0x0E, 0x1B, 0x8C,
0x5E, 0xCD, 0xFF, 0x9F, 0x59, 0x00, 0x19, 0x2C
};
/* Example IV to use for wrapping */
static const uint8_t XALIGNED(32) blackIv[AES_GCM_TAG_SZ] = {
0xD1, 0x42, 0xAC, 0x7C, 0x56, 0x0F, 0x15, 0x8B,
0xA9, 0x5A, 0x21, 0x31
};
static uint8_t XALIGNED(32) blackKey[KEY_WRAP_SZ+AES_GCM_TAG_SZ];
#endif
int csu_init(void) int csu_init(void)
{ {
int ret = 0; int ret = 0;
#ifdef CSU_PUF_ROT #ifdef CSU_PUF_ROT
#if 0
uint32_t syndrome[CSU_PUF_SYNDROME_WORDS]; uint32_t syndrome[CSU_PUF_SYNDROME_WORDS];
uint32_t chash=0, aux=0; uint32_t chash=0, aux=0;
#if defined(DEBUG_CSU) && DEBUG_CSU >= 1 #if defined(DEBUG_CSU) && DEBUG_CSU >= 1
uint32_t idx; uint32_t idx;
#endif #endif
#endif #endif
#endif
uint32_t reg1 = pmu_mmio_read(CSU_IDCODE); uint32_t reg1 = pmu_mmio_read(CSU_IDCODE);
uint32_t reg2 = pmu_mmio_read(CSU_VERSION); uint32_t reg2 = pmu_mmio_read(CSU_VERSION);
uint64_t ms; uint64_t ms;
@ -637,6 +621,10 @@ int csu_init(void)
pmu_efuse_read(ZYNQMP_EFUSE_PUF_AUX, &reg2, sizeof(reg2)); pmu_efuse_read(ZYNQMP_EFUSE_PUF_AUX, &reg2, sizeof(reg2));
wolfBoot_printf("eFuse PUF CHASH 0x%08x, AUX 0x%08x\n", reg1, reg2); wolfBoot_printf("eFuse PUF CHASH 0x%08x, AUX 0x%08x\n", reg1, reg2);
/* CSU PUF only supported with eFuses */
/* Keeping code for reference in future generations like Versal */
/* Red (sensitive key), Black (protected key), Grey (unknown) */
#if 0
memset(syndrome, 0, sizeof(syndrome)); memset(syndrome, 0, sizeof(syndrome));
ms = hal_timer_ms(); ms = hal_timer_ms();
ret = csu_puf_register(syndrome, &chash, &aux); ret = csu_puf_register(syndrome, &chash, &aux);
@ -676,6 +664,7 @@ int csu_init(void)
} }
wolfBoot_printf("\n"); wolfBoot_printf("\n");
#endif #endif
#endif
} }
#endif #endif

2
options.mk
View File

@ -748,7 +748,7 @@ ifeq ($(WOLFBOOT_NO_PARTITIONS),1)
endif endif
ifeq ($(HASH),SHA3) ifeq ($(HASH),SHA3)
ifeq ($(PKA_HASH_HAL),) ifeq ($(HASH_HAL),)
WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/sha3.o WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/sha3.o
endif endif
CFLAGS+=-D"WOLFBOOT_HASH_SHA3_384" CFLAGS+=-D"WOLFBOOT_HASH_SHA3_384"