Fixed NS flash access + flash write unlock + misc

- non-secure flash area increased to cover BOOT+UPDATE partitions
- call unlock/lock functions before accessing pkcs11 store for writing
- Enabled more features in application wolfcrypt front-end
- Fixed compiler warnings
pull/275/head
Daniele Lacamera 2023-08-18 18:01:58 +02:00
parent 4205e3105d
commit ed0357289c
8 changed files with 33 additions and 40 deletions


@ -169,7 +169,7 @@ void hal_tz_sau_init(void)
sau_init_region(0, 0x0C038000, 0x0C040000, 1); sau_init_region(0, 0x0C038000, 0x0C040000, 1);
/* Non-secure: application flash area */ /* Non-secure: application flash area */
sau_init_region(1, 0x08040000, 0x0804FFFF, 0); sau_init_region(1, 0x08040000, 0x0807FFFF, 0);
/* Non-secure RAM region in SRAM1 */ /* Non-secure RAM region in SRAM1 */
sau_init_region(2, 0x20018000, 0x2002FFFF, 0); sau_init_region(2, 0x20018000, 0x2002FFFF, 0);
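Review bot: The new limit `0x0807FFFF` for SAU region 1 is a bare literal, so the non-secure flash window will not follow the partition layout if the BOOT/UPDATE addresses or sizes change in the target configuration. A window that is too wide marks neighbouring flash as non-secure, and one that is too narrow brings back the access fault this commit fixes. Consider deriving the start and limit from the partition addresses and sizes the build already configures, and extend the comment to something like `/* Non-secure: BOOT + UPDATE partitions; must not overlap any secure flash area */`. hal_tz_sau_init starts and ends outside the hunk, so the other regions could not be checked for overlap.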


@ -328,12 +328,10 @@ static void periph_unsecure()
#endif #endif
#if 0
/* Unsecure LPUART1 */ /* Unsecure LPUART1 */
TZSC_PRIVCFGR1 &= ~(TZSC_PRIVCFG1_LPUARTPRIV); TZSC_PRIVCFGR1 &= ~(TZSC_PRIVCFG1_LPUARTPRIV);
GPIO_SECCFGR(GPIOG_BASE) &= ~(1<<UART1_TX_PIN); GPIO_SECCFGR(GPIOG_BASE) &= ~(1<<UART1_TX_PIN);
GPIO_SECCFGR(GPIOG_BASE) &= ~(1<<UART1_RX_PIN); GPIO_SECCFGR(GPIOG_BASE) &= ~(1<<UART1_RX_PIN);
#endif
} }
#endif #endif
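Review bot: With the `#if 0` guard removed, the LPUART1 block is now compiled in, but its comment `/* Unsecure LPUART1 */` does not match the first statement. Going by the names, that statement clears a bit in the privilege register `TZSC_PRIVCFGR1` (`TZSC_PRIVCFG1_LPUARTPRIV`), not a security attribute; only the two `GPIO_SECCFGR(GPIOG_BASE)` lines change security attribution. If the intent is to hand the UART to the non-secure world, please confirm whether a security-configuration register also needs to be written. The comment could then read `/* LPUART1: drop privileged-only access and release TX/RX pins on GPIOG to non-secure */`. It is also worth noting there that secure code must not log sensitive data over this UART once it is released. periph_unsecure starts outside the hunk.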


@ -175,7 +175,7 @@
#define FLASH_NS_SR (*(volatile uint32_t *)(FLASH_NS_BASE + 0x20)) #define FLASH_NS_SR (*(volatile uint32_t *)(FLASH_NS_BASE + 0x20))
#define FLASH_NS_CR (*(volatile uint32_t *)(FLASH_NS_BASE + 0x28)) #define FLASH_NS_CR (*(volatile uint32_t *)(FLASH_NS_BASE + 0x28))
#define TZSC_PRIVCFGR1 *((uint32_t *)(0x500032020)) #define TZSC_PRIVCFGR1 *((uint32_t *)(0x50032420))
#define TZSC_PRIVCFG1_LPUARTPRIV (1 << 21) #define TZSC_PRIVCFG1_LPUARTPRIV (1 << 21)
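Review bot: The corrected `TZSC_PRIVCFGR1` definition still lacks `volatile` and outer parentheses, unlike `FLASH_NS_SR` and `FLASH_NS_CR` directly above it. Without `volatile` the compiler is free to merge or drop the read-modify-write that periph_unsecure performs on this register, and without the parentheses the macro can mis-bind inside larger expressions. Suggested form: `#define TZSC_PRIVCFGR1 (*(volatile uint32_t *)(0x50032420))`.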


@ -150,9 +150,9 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
# define NO_ECC256 # define NO_ECC256
# endif # endif
#endif #endif
# define NO_RSA # define NO_RSA
#endif
#endif /* WOLFBOOT_SIGN_ECC521 || WOLFBOOT_SIGN_ECC384 || WOLFBOOT_SIGN_ECC256 */
#ifdef WOLFBOOT_SIGN_RSA2048 #ifdef WOLFBOOT_SIGN_RSA2048
# define RSA_LOW_MEM # define RSA_LOW_MEM
@ -271,8 +271,6 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
# define NO_HMAC # define NO_HMAC
#endif #endif
#ifndef HAVE_PWDBASED #ifndef HAVE_PWDBASED
# define NO_PWDBASED # define NO_PWDBASED
#endif #endif


@ -135,10 +135,12 @@ int wolfPKCS11_Store_Open(int type, CK_ULONG id1, CK_ULONG id2, int read,
obj->hdr.object_id = id2; obj->hdr.object_id = id2;
obj->hdr.size = 0; obj->hdr.size = 0;
obj->read = 0; obj->read = 0;
hal_flash_unlock();
hal_flash_erase((uint32_t)(vault_base + vault_idx * KEYVAULT_OBJ_SIZE), hal_flash_erase((uint32_t)(vault_base + vault_idx * KEYVAULT_OBJ_SIZE),
KEYVAULT_OBJ_SIZE); KEYVAULT_OBJ_SIZE);
hal_flash_write((uint32_t)(vault_base + vault_idx * KEYVAULT_OBJ_SIZE), (void *)obj, hal_flash_write((uint32_t)(vault_base + vault_idx * KEYVAULT_OBJ_SIZE), (void *)obj,
sizeof(struct obj_hdr)); sizeof(struct obj_hdr));
hal_flash_lock();
*store = obj; *store = obj;
} }
hdr->off = 0; hdr->off = 0;
@ -178,6 +180,7 @@ int wolfPKCS11_Store_Write(void* store, unsigned char* buffer, int len)
if (obj->vault_idx > KEYVAULT_MAX_ITEMS) if (obj->vault_idx > KEYVAULT_MAX_ITEMS)
return -1; return -1;
obj->hdr.size += len; obj->hdr.size += len;
hal_flash_unlock();
if (obj->hdr.off == 0) if (obj->hdr.off == 0)
hal_flash_erase((uint32_t)(vault_base + obj->vault_idx * KEYVAULT_OBJ_SIZE), hal_flash_erase((uint32_t)(vault_base + obj->vault_idx * KEYVAULT_OBJ_SIZE),
KEYVAULT_OBJ_SIZE); KEYVAULT_OBJ_SIZE);
@ -194,6 +197,7 @@ int wolfPKCS11_Store_Write(void* store, unsigned char* buffer, int len)
hal_flash_write(base + STORE_PRIV_HDR_SIZE + pos, buffer + pos + obj->hdr.off, sz); hal_flash_write(base + STORE_PRIV_HDR_SIZE + pos, buffer + pos + obj->hdr.off, sz);
pos += sz; pos += sz;
} }
hal_flash_lock();
obj->hdr.off += len; obj->hdr.off += len;
return len; return len;
} }
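Review bot: The new `hal_flash_unlock()`/`hal_flash_lock()` pairs in wolfPKCS11_Store_Open and wolfPKCS11_Store_Write bracket `hal_flash_erase()` and `hal_flash_write()` calls whose return values are discarded. A failed erase or program in the key vault is therefore still reported as success (`return len`), after `obj->hdr.size` has already been increased. Assuming the HAL returns non-zero on failure, check each call and re-lock before bailing out, e.g. `if (hal_flash_write(base + STORE_PRIV_HDR_SIZE + pos, buffer + pos + obj->hdr.off, sz) != 0) { hal_flash_lock(); return -1; }`, and update `hdr.size`/`hdr.off` only after the writes succeed. The lines between the second and third hunk are not shown, so any early return there should be checked to make sure it does not leave the flash unlocked. Separately, the context check `obj->vault_idx > KEYVAULT_MAX_ITEMS` looks like it admits an index equal to the item count; confirm whether `>=` is intended.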


@ -84,7 +84,7 @@ ifeq ($(TZEN),1)
APP_OBJS+=./wcs/wc_encrypt.o APP_OBJS+=./wcs/wc_encrypt.o
APP_OBJS+=./wcs/wc_port.o APP_OBJS+=./wcs/wc_port.o
endif endif
CFLAGS+=-DWOLFBOOT_SECURE_CALLS CFLAGS+=-DWOLFBOOT_SECURE_CALLS -Wstack-usage=12940
endif endif
else else
APP_OBJS+=../hal/$(TARGET).o APP_OBJS+=../hal/$(TARGET).o
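Review bot: The added `-Wstack-usage=12940` uses an unexplained limit, and it is appended to the `-DWOLFBOOT_SECURE_CALLS` line although it is unrelated to that define. Put it on its own `CFLAGS+=` line with a comment stating which stack budget the number comes from, e.g. `# warn when a function frame exceeds the non-secure app stack budget`, so it is updated when the linker script changes. This flag only warns, so an oversized frame will still build unless warnings are treated as errors.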


@ -127,13 +127,14 @@ void main(void)
Pkcs11Token token; Pkcs11Token token;
Pkcs11Dev PKCS11_d; Pkcs11Dev PKCS11_d;
unsigned long session; unsigned long session;
const char TokenPin[] = "0123456789ABCDEF"; char TokenPin[] = "0123456789ABCDEF";
const char UserPin[] = "ABCDEF0123456789"; char UserPin[] = "ABCDEF0123456789";
char SoPinName[] = "SO-PIN";
wolfCrypt_Init(); wolfCrypt_Init();
PKCS11_d.heap = NULL, PKCS11_d.heap = NULL,
PKCS11_d.func = &wolfpkcs11nsFunctionList; PKCS11_d.func = (CK_FUNCTION_LIST *)&wolfpkcs11nsFunctionList;
ret = wc_Pkcs11Token_Init(&token, &PKCS11_d, 1, "EccKey", ret = wc_Pkcs11Token_Init(&token, &PKCS11_d, 1, "EccKey",
(const byte*)TokenPin, strlen(TokenPin)); (const byte*)TokenPin, strlen(TokenPin));
@ -145,17 +146,17 @@ void main(void)
} }
if (ret == 0) { if (ret == 0) {
ret = wolfpkcs11nsFunctionList.C_InitToken(1, ret = wolfpkcs11nsFunctionList.C_InitToken(1,
(const byte *)TokenPin, strlen(TokenPin), "SO-PIN"); (byte *)TokenPin, strlen(TokenPin), (byte *)SoPinName);
} }
if (ret == 0) { if (ret == 0) {
ret = wolfpkcs11nsFunctionList.C_Login(session, CKU_SO, ret = wolfpkcs11nsFunctionList.C_Login(session, CKU_SO,
TokenPin, (byte *)TokenPin,
strlen(TokenPin)); strlen(TokenPin));
} }
if (ret == 0) { if (ret == 0) {
ret = wolfpkcs11nsFunctionList.C_InitPIN(session, ret = wolfpkcs11nsFunctionList.C_InitPIN(session,
TokenPin, (byte *)TokenPin,
strlen(TokenPin)); strlen(TokenPin));
} }
if (ret == 0) { if (ret == 0) {
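Review bot: The new `char SoPinName[] = "SO-PIN";` is passed as the last argument of `C_InitToken`, which in PKCS#11 is the token label: a 32-byte, blank-padded field that is not NUL-terminated. A 7-byte array there lets an implementation that copies the full label read past the end of the stack buffer. Use a full-size buffer named for what it is, for example `unsigned char TokenLabel[32]; memset(TokenLabel, ' ', sizeof(TokenLabel)); memcpy(TokenLabel, "SO-PIN", 6);`. In the visible lines `C_InitPIN` is also given `TokenPin`, so the user PIN ends up identical to the SO PIN and `UserPin` is unused here. If that is deliberate for the test app, a comment saying the PINs are fixed test values would help. main's body continues outside both hunks.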


@ -26,6 +26,7 @@
#define H_USER_SETTINGS_ #define H_USER_SETTINGS_
#include <target.h> #include <target.h>
#include "wolfboot/wc_secure.h"
#define WOLFCRYPT_ONLY #define WOLFCRYPT_ONLY
#define WOLFSSL_SMALL_CERT_VERIFY #define WOLFSSL_SMALL_CERT_VERIFY
@ -48,27 +49,17 @@ extern int tolower(int c);
#define HAVE_PKCS11_STATIC #define HAVE_PKCS11_STATIC
#define WOLF_CRYPTO_CB #define WOLF_CRYPTO_CB
#define NO_RSA
#define NO_HMAC
#define NO_PWDBASED
/* ECC */ /* ECC */
#define HAVE_ECC #define HAVE_ECC
//#define ECC_TIMING_RESISTANT
//#define ECC_USER_CURVES /* enables only 256-bit by default */
//#define HAVE_ECC_SIGN
//#define HAVE_ECC_CDH
#define HAVE_ECC256 #define HAVE_ECC256
//#define HAVE_ECC384 #define HAVE_ECC384
//#define HAVE_ECC521
#ifndef NO_RSA #ifndef NO_RSA
/* RSA */ /* RSA */
#define WOLFSSL_KEY_GEN
#define HAVE_RSA #define HAVE_RSA
#define WOLFSSL_KEY_GEN
#define RSA_LOW_MEM #define RSA_LOW_MEM
#define WOLFSSL_RSA_VERIFY_INLINE #define WOLFSSL_RSA_VERIFY_INLINE
#define WC_ASN_HASH_SHA256 #define WC_ASN_HASH_SHA256
@ -77,43 +68,41 @@ extern int tolower(int c);
/* SHA */ /* SHA */
//#define WOLFSSL_SHA3 #define WOLFSSL_SHA3
//#define WOLFSSL_SHA384 #define WOLFSSL_SHA384
/* HMAC */ /* HMAC */
//#define WOLFSSL_HMAC #define WOLFSSL_HMAC
//#define HAVE_HKDF #define HAVE_HKDF
/* PWDBASED */ /* PWDBASED */
//#define HAVE_PWDBASED #define HAVE_PWDBASED
/* BASE64 */ /* BASE64 */
#define WOLFSSL_BASE64_DECODE #define WOLFSSL_BASE64_DECODE
#define WOLFSSL_BASE64_ENCODE #define WOLFSSL_BASE64_ENCODE
#if 0
/* AES */ /* AES */
#ifndef WOLFSSL_AES_128 #ifndef WOLFSSL_AES_128
#define WOLFSSL_AES_128 #define WOLFSSL_AES_128
#endif #endif
//#ifndef WOLFSSL_AES_256 #ifndef WOLFSSL_AES_256
//#define WOLFSSL_AES_256 #define WOLFSSL_AES_256
//#endif #endif
#ifndef WOLFSSL_AES_COUNTER #ifndef WOLFSSL_AES_COUNTER
#define WOLFSSL_AES_COUNTER #define WOLFSSL_AES_COUNTER
#endif #endif
#ifndef WOLFSSL_AES_DIRECT #ifndef WOLFSSL_AES_DIRECT
#define WOLFSSL_AES_DIRECT #define WOLFSSL_AES_DIRECT
#endif #endif
#endif
/* Hardening */ /* Hardening */
//#define TFM_TIMING_RESISTANT #define TFM_TIMING_RESISTANT
//#define ECC_TIMING_RESISTANT #define ECC_TIMING_RESISTANT
//#define WC_RSA_BLINDING #define WC_RSA_BLINDING
/* Exclude */ /* Exclude */
#define NO_CMAC #define NO_CMAC
@ -147,6 +136,9 @@ extern int tolower(int c);
#define CUSTOM_RAND_GENERATE_BLOCK wcs_get_random #define CUSTOM_RAND_GENERATE_BLOCK wcs_get_random
/* Disable VLAs */
#define WOLFSSL_SP_NO_DYN_STACK
#endif /* !H_USER_SETTINGS_ */ #endif /* !H_USER_SETTINGS_ */