From ed0357289c952e5e55feb0d63e8def834b99fdeb Mon Sep 17 00:00:00 2001
From: Daniele Lacamera
Date: Fri, 18 Aug 2023 18:01:58 +0200
Subject: [PATCH] Fixed NS flash access + flash write unlock + misc
- non-secure flash area increased to cover BOOT+UPDATE partitions
- call unlock/lock functions before accessing pkcs11 store for writing
- Enabled more features in application wolfcrypt front-end
- Fixed compiler w4rnings
---
 hal/stm32_tz.c | 2 +-
 hal/stm32l5.c | 2 --
 hal/stm32l5.h | 2 +-
 include/user_settings.h | 6 ++----
 src/pkcs11_store.c | 4 ++++
 test-app/Makefile | 2 +-
 test-app/app_stm32l5.c | 13 +++++------
 test-app/wcs/user_settings.h | 42 +++++++++++++++---------------------
 8 files changed, 33 insertions(+), 40 deletions(-)
diff --git a/hal/stm32_tz.c b/hal/stm32_tz.c
index f8fcffac..0288067b 100644
--- a/hal/stm32_tz.c
+++ b/hal/stm32_tz.c
@@ -169,7 +169,7 @@ void hal_tz_sau_init(void)
 sau_init_region(0, 0x0C038000, 0x0C040000, 1);
 /* Non-secure: application flash area */
- sau_init_region(1, 0x08040000, 0x0804FFFF, 0);
+ sau_init_region(1, 0x08040000, 0x0807FFFF, 0);
 /* Non-secure RAM region in SRAM1 */
 sau_init_region(2, 0x20018000, 0x2002FFFF, 0);
diff --git a/hal/stm32l5.c b/hal/stm32l5.c
index f21a2334..246034a6 100644
--- a/hal/stm32l5.c
+++ b/hal/stm32l5.c
@@ -328,12 +328,10 @@ static void periph_unsecure()
 #endif
-#if 0 /* Unsecure LPUART1 */
 TZSC_PRIVCFGR1 &= ~(TZSC_PRIVCFG1_LPUARTPRIV);
 GPIO_SECCFGR(GPIOG_BASE) &= ~(1<hdr.object_id = id2;
 obj->hdr.size = 0;
 obj->read = 0;
+ hal_flash_unlock();
 hal_flash_erase((uint32_t)(vault_base + vault_idx * KEYVAULT_OBJ_SIZE), KEYVAULT_OBJ_SIZE);
 hal_flash_write((uint32_t)(vault_base + vault_idx * KEYVAULT_OBJ_SIZE), (void *)obj, sizeof(struct obj_hdr));
+ hal_flash_lock();
 *store = obj;
 }
 hdr->off = 0;
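Review bot: Region 1 in hal_tz_sau_init now opens 0x08040000–0x0807FFFF to the non-secure world with literal bounds, and the comment above it still reads "application flash area" although the commit message says the window now covers the BOOT and UPDATE partitions. Because the limits are not tied to the partition layout, anything else the secure side keeps at or above 0x08040000 (swap sector, key vault; not visible here, so confirm against the linker script and the flash secure watermark option bytes) becomes addressable from non-secure code as far as the SAU is concerned. I would update the comment to `/* Non-secure: BOOT + UPDATE partitions */` and derive the bounds from the partition macros, e.g. `sau_init_region(1, WOLFBOOT_PARTITION_BOOT_ADDRESS, WOLFBOOT_PARTITION_UPDATE_ADDRESS + WOLFBOOT_PARTITION_SIZE - 1, 0);`, assuming those hold the non-secure alias addresses on this target. The body of hal_tz_sau_init continues outside the hunk.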
@@ -178,6 +180,7 @@ int wolfPKCS11_Store_Write(void* store, unsigned char* buffer, int len)
 if (obj->vault_idx > KEYVAULT_MAX_ITEMS) return -1;
 obj->hdr.size += len;
+ hal_flash_unlock();
 if (obj->hdr.off == 0) hal_flash_erase((uint32_t)(vault_base + obj->vault_idx * KEYVAULT_OBJ_SIZE), KEYVAULT_OBJ_SIZE);
@@ -194,6 +197,7 @@ int wolfPKCS11_Store_Write(void* store, unsigned char* buffer, int len)
 hal_flash_write(base + STORE_PRIV_HDR_SIZE + pos, buffer + pos + obj->hdr.off, sz);
 pos += sz;
 }
+ hal_flash_lock();
 obj->hdr.off += len;
 return len;
 }
diff --git a/test-app/Makefile b/test-app/Makefile
index f8fb757c..dc186a41 100644
--- a/test-app/Makefile
+++ b/test-app/Makefile
@@ -84,7 +84,7 @@ ifeq ($(TZEN),1)
 APP_OBJS+=./wcs/wc_encrypt.o
 APP_OBJS+=./wcs/wc_port.o
 endif
- CFLAGS+=-DWOLFBOOT_SECURE_CALLS
+ CFLAGS+=-DWOLFBOOT_SECURE_CALLS -Wstack-usage=12940
 endif
 else
 APP_OBJS+=../hal/$(TARGET).o
diff --git a/test-app/app_stm32l5.c b/test-app/app_stm32l5.c
index cdbcc33f..332c772a 100644
--- a/test-app/app_stm32l5.c
+++ b/test-app/app_stm32l5.c
@@ -127,13 +127,14 @@ void main(void)
 Pkcs11Token token;
 Pkcs11Dev PKCS11_d;
 unsigned long session;
- const char TokenPin[] = "0123456789ABCDEF";
- const char UserPin[] = "ABCDEF0123456789";
+ char TokenPin[] = "0123456789ABCDEF";
+ char UserPin[] = "ABCDEF0123456789";
+ char SoPinName[] = "SO-PIN";
 wolfCrypt_Init();
 PKCS11_d.heap = NULL,
- PKCS11_d.func = &wolfpkcs11nsFunctionList;
+ PKCS11_d.func = (CK_FUNCTION_LIST *)&wolfpkcs11nsFunctionList;
 ret = wc_Pkcs11Token_Init(&token, &PKCS11_d, 1, "EccKey", (const byte*)TokenPin, strlen(TokenPin));
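Review bot: The new `hal_flash_unlock()`/`hal_flash_lock()` pair in wolfPKCS11_Store_Write brackets erase and write calls whose results are still discarded, so the function returns `len` even when programming the key vault failed; the same unchecked pair sits in the object-creation hunk earlier in this file. I would collect the results, e.g. `if (hal_flash_write(...) != 0) ret = -1;`, and return `ret` after the lock. The lines between these two hunks are not visible; if any of them can return early, flash stays unlocked, so a single exit path that always reaches `hal_flash_lock();` is the safer shape. `len` is also added to `obj->hdr.size` with no visible check against KEYVAULT_OBJ_SIZE, and a bound check placed before the unlock would keep a write from running into the neighbouring object.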
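Review bot: The cast in `PKCS11_d.func = (CK_FUNCTION_LIST *)&wolfpkcs11nsFunctionList;` silences the incompatible-pointer warning instead of making the two types agree. The declaration of wolfpkcs11nsFunctionList is not in this hunk: if it is already a CK_FUNCTION_LIST the cast only discards a qualifier and the declaration or the field should be fixed, and if it is a different struct the cast hides a layout mismatch in a table of function pointers that lead into the secure side. Dropping `const` from TokenPin and UserPin is the same kind of fix, and a comment such as `/* test-only credentials, never ship */` above them would make their status explicit. main() continues outside the hunk.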
@@ -145,17 +146,17 @@ void main(void)
 }
 if (ret == 0) {
 ret = wolfpkcs11nsFunctionList.C_InitToken(1,
- (const byte *)TokenPin, strlen(TokenPin), "SO-PIN");
+ (byte *)TokenPin, strlen(TokenPin), (byte *)SoPinName);
 }
 if (ret == 0) {
 ret = wolfpkcs11nsFunctionList.C_Login(session, CKU_SO,
- TokenPin,
+ (byte *)TokenPin,
 strlen(TokenPin));
 }
 if (ret == 0) {
 ret = wolfpkcs11nsFunctionList.C_InitPIN(session,
- TokenPin,
+ (byte *)TokenPin,
 strlen(TokenPin));
 }
 if (ret == 0) {
diff --git a/test-app/wcs/user_settings.h b/test-app/wcs/user_settings.h
index 2091c649..412def77 100644
--- a/test-app/wcs/user_settings.h
+++ b/test-app/wcs/user_settings.h
@@ -26,6 +26,7 @@
 #define H_USER_SETTINGS_
 #include
+#include "wolfboot/wc_secure.h"
 #define WOLFCRYPT_ONLY
 #define WOLFSSL_SMALL_CERT_VERIFY
@@ -48,27 +49,17 @@ extern int tolower(int c);
 #define HAVE_PKCS11_STATIC
 #define WOLF_CRYPTO_CB
-#define NO_RSA
-#define NO_HMAC
-#define NO_PWDBASED
-
-
 /* ECC */
 #define HAVE_ECC
-//#define ECC_TIMING_RESISTANT
-//#define ECC_USER_CURVES /* enables only 256-bit by default */
-//#define HAVE_ECC_SIGN
-//#define HAVE_ECC_CDH
 #define HAVE_ECC256
-//#define HAVE_ECC384
-//#define HAVE_ECC521
+#define HAVE_ECC384
 #ifndef NO_RSA /* RSA */
- #define WOLFSSL_KEY_GEN
 #define HAVE_RSA
+ #define WOLFSSL_KEY_GEN
 #define RSA_LOW_MEM
 #define WOLFSSL_RSA_VERIFY_INLINE
 #define WC_ASN_HASH_SHA256
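Review bot: `SoPinName` is passed as the `pLabel` argument of C_InitToken, which PKCS#11 defines as a 32-byte, blank-padded label without a terminating NUL, while the array declared in the previous hunk is only 7 bytes. If the implementation copies the full label width, the call reads past the end of that stack array (the string literal it replaces was just as short). I would pass a correctly sized buffer whose name does not suggest a PIN: `unsigned char TokenLabel[32]; memset(TokenLabel, ' ', sizeof(TokenLabel)); memcpy(TokenLabel, "SO-PIN", 6);`. main() starts and ends outside this hunk.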
@@ -77,43 +68,41 @@ extern int tolower(int c);
 /* SHA */
-//#define WOLFSSL_SHA3
-//#define WOLFSSL_SHA384
+#define WOLFSSL_SHA3
+#define WOLFSSL_SHA384
 /* HMAC */
-//#define WOLFSSL_HMAC
-//#define HAVE_HKDF
+#define WOLFSSL_HMAC
+#define HAVE_HKDF
 /* PWDBASED */
-//#define HAVE_PWDBASED
+#define HAVE_PWDBASED
 /* BASE64 */
 #define WOLFSSL_BASE64_DECODE
 #define WOLFSSL_BASE64_ENCODE
-#if 0
 /* AES */
 #ifndef WOLFSSL_AES_128
 #define WOLFSSL_AES_128
 #endif
-//#ifndef WOLFSSL_AES_256
-//#define WOLFSSL_AES_256
-//#endif
+#ifndef WOLFSSL_AES_256
+#define WOLFSSL_AES_256
+#endif
 #ifndef WOLFSSL_AES_COUNTER
 #define WOLFSSL_AES_COUNTER
 #endif
 #ifndef WOLFSSL_AES_DIRECT
 #define WOLFSSL_AES_DIRECT
 #endif
-#endif
 /* Hardening */
-//#define TFM_TIMING_RESISTANT
-//#define ECC_TIMING_RESISTANT
-//#define WC_RSA_BLINDING
+#define TFM_TIMING_RESISTANT
+#define ECC_TIMING_RESISTANT
+#define WC_RSA_BLINDING
 /* Exclude */
 #define NO_CMAC
@@ -147,6 +136,9 @@ extern int tolower(int c);
 #define CUSTOM_RAND_GENERATE_BLOCK wcs_get_random
+/* Disable VLAs */
+#define WOLFSSL_SP_NO_DYN_STACK
+
 #endif /* !H_USER_SETTINGS_ */