Fixed NS flash access + flash write unlock + misc

- non-secure flash area increased to cover BOOT+UPDATE partitions
- call unlock/lock functions before accessing pkcs11 store for writing
- Enabled more features in application wolfcrypt front-end
- Fixed compiler warnings
pull/275/head
Daniele Lacamera 2023-08-18 18:01:58 +02:00
parent 4205e3105d
commit ed0357289c
8 changed files with 33 additions and 40 deletions


@ -169,7 +169,7 @@ void hal_tz_sau_init(void)
sau_init_region(0, 0x0C038000, 0x0C040000, 1);
/* Non-secure: application flash area */
sau_init_region(1, 0x08040000, 0x0804FFFF, 0);
sau_init_region(1, 0x08040000, 0x0807FFFF, 0);
/* Non-secure RAM region in SRAM1 */
sau_init_region(2, 0x20018000, 0x2002FFFF, 0);
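Review bot: The widened SAU region 1 in hal_tz_sau_init (`0x08040000` to `0x0807FFFF`) is still a hard-coded literal, and its comment still reads "application flash area" although the commit message says the window now covers both the BOOT and UPDATE partitions. Deriving the bounds from the partition layout definitions, or at least changing the comment to `/* Non-secure: BOOT + UPDATE partitions */`, keeps the window from silently drifting when the layout changes. The SAU attribute is only one of the gates on flash; the flash controller's own secure/non-secure configuration is not in this hunk, so it is worth confirming that it describes the same range and that nothing secure-only sits inside it. The function body continues outside the hunk.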


@ -328,12 +328,10 @@ static void periph_unsecure()
#endif
#if 0
/* Unsecure LPUART1 */
TZSC_PRIVCFGR1 &= ~(TZSC_PRIVCFG1_LPUARTPRIV);
GPIO_SECCFGR(GPIOG_BASE) &= ~(1<<UART1_TX_PIN);
GPIO_SECCFGR(GPIOG_BASE) &= ~(1<<UART1_RX_PIN);
#endif
}
#endif


@ -175,7 +175,7 @@
#define FLASH_NS_SR (*(volatile uint32_t *)(FLASH_NS_BASE + 0x20))
#define FLASH_NS_CR (*(volatile uint32_t *)(FLASH_NS_BASE + 0x28))
#define TZSC_PRIVCFGR1 *((uint32_t *)(0x500032020))
#define TZSC_PRIVCFGR1 *((uint32_t *)(0x50032420))
#define TZSC_PRIVCFG1_LPUARTPRIV (1 << 21)
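Review bot: The corrected `TZSC_PRIVCFGR1` definition still lacks the `volatile` qualifier and the outer parentheses that `FLASH_NS_SR` and `FLASH_NS_CR` directly above it use. Without `volatile` the compiler is free to merge or drop accesses to the register, and without the parentheses the macro can bind unexpectedly inside a larger expression. Suggested form: `#define TZSC_PRIVCFGR1 (*(volatile uint32_t *)(0x50032420))`. The previous literal had nine hex digits, so a one-line comment naming the register block and offset would make the next typo easier to spot; the address itself cannot be verified from this hunk.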


@ -150,9 +150,9 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
# define NO_ECC256
# endif
#endif
# define NO_RSA
#endif
#endif /* WOLFBOOT_SIGN_ECC521 || WOLFBOOT_SIGN_ECC384 || WOLFBOOT_SIGN_ECC256 */
#ifdef WOLFBOOT_SIGN_RSA2048
# define RSA_LOW_MEM
@ -271,8 +271,6 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
# define NO_HMAC
#endif
#ifndef HAVE_PWDBASED
# define NO_PWDBASED
#endif


@ -135,10 +135,12 @@ int wolfPKCS11_Store_Open(int type, CK_ULONG id1, CK_ULONG id2, int read,
obj->hdr.object_id = id2;
obj->hdr.size = 0;
obj->read = 0;
hal_flash_unlock();
hal_flash_erase((uint32_t)(vault_base + vault_idx * KEYVAULT_OBJ_SIZE),
KEYVAULT_OBJ_SIZE);
hal_flash_write((uint32_t)(vault_base + vault_idx * KEYVAULT_OBJ_SIZE), (void *)obj,
sizeof(struct obj_hdr));
hal_flash_lock();
*store = obj;
}
hdr->off = 0;
@ -178,6 +180,7 @@ int wolfPKCS11_Store_Write(void* store, unsigned char* buffer, int len)
if (obj->vault_idx > KEYVAULT_MAX_ITEMS)
return -1;
obj->hdr.size += len;
hal_flash_unlock();
if (obj->hdr.off == 0)
hal_flash_erase((uint32_t)(vault_base + obj->vault_idx * KEYVAULT_OBJ_SIZE),
KEYVAULT_OBJ_SIZE);
@ -194,6 +197,7 @@ int wolfPKCS11_Store_Write(void* store, unsigned char* buffer, int len)
hal_flash_write(base + STORE_PRIV_HDR_SIZE + pos, buffer + pos + obj->hdr.off, sz);
pos += sz;
}
hal_flash_lock();
obj->hdr.off += len;
return len;
}
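Review bot: In wolfPKCS11_Store_Open and wolfPKCS11_Store_Write the new unlock/lock pair brackets calls to hal_flash_erase() and hal_flash_write() whose results are discarded, so a failed erase or program still ends in `*store = obj` or `return len` and the caller believes the key object was persisted. Assuming the HAL reports failure through its return value, each call should be checked and every failure routed through a single exit that always runs `hal_flash_lock()`, for example `if (hal_flash_write(...) < 0) { ret = -1; break; }` inside the loop with the lock and the return after it. The lines between the unlock before the `hdr.off == 0` check and the lock after the loop are outside the hunks; any early `return` there would leave the flash unlocked and should use the same exit. Separately, the context line `obj->vault_idx > KEYVAULT_MAX_ITEMS` accepts an index equal to the limit, which looks off by one if the vault holds KEYVAULT_MAX_ITEMS slots.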


@ -84,7 +84,7 @@ ifeq ($(TZEN),1)
APP_OBJS+=./wcs/wc_encrypt.o
APP_OBJS+=./wcs/wc_port.o
endif
CFLAGS+=-DWOLFBOOT_SECURE_CALLS
CFLAGS+=-DWOLFBOOT_SECURE_CALLS -Wstack-usage=12940
endif
else
APP_OBJS+=../hal/$(TARGET).o
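Review bot: The `-Wstack-usage=12940` added next to `-DWOLFBOOT_SECURE_CALLS` is an unexplained magic number, and it only produces a compile-time diagnostic; it does not bound the stack at run time. A comment such as `# largest expected frame in the non-secure app; keep below the stack size reserved in the linker script` would tell the next maintainer what the value has to be compared with. If the threshold was picked to sit just above the current largest frame, that frame should be checked against the stack actually reserved for the application.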


@ -127,13 +127,14 @@ void main(void)
Pkcs11Token token;
Pkcs11Dev PKCS11_d;
unsigned long session;
const char TokenPin[] = "0123456789ABCDEF";
const char UserPin[] = "ABCDEF0123456789";
char TokenPin[] = "0123456789ABCDEF";
char UserPin[] = "ABCDEF0123456789";
char SoPinName[] = "SO-PIN";
wolfCrypt_Init();
PKCS11_d.heap = NULL,
PKCS11_d.func = &wolfpkcs11nsFunctionList;
PKCS11_d.func = (CK_FUNCTION_LIST *)&wolfpkcs11nsFunctionList;
ret = wc_Pkcs11Token_Init(&token, &PKCS11_d, 1, "EccKey",
(const byte*)TokenPin, strlen(TokenPin));
@ -145,17 +146,17 @@ void main(void)
}
if (ret == 0) {
ret = wolfpkcs11nsFunctionList.C_InitToken(1,
(const byte *)TokenPin, strlen(TokenPin), "SO-PIN");
(byte *)TokenPin, strlen(TokenPin), (byte *)SoPinName);
}
if (ret == 0) {
ret = wolfpkcs11nsFunctionList.C_Login(session, CKU_SO,
TokenPin,
(byte *)TokenPin,
strlen(TokenPin));
}
if (ret == 0) {
ret = wolfpkcs11nsFunctionList.C_InitPIN(session,
TokenPin,
(byte *)TokenPin,
strlen(TokenPin));
}
if (ret == 0) {
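Review bot: The cast added in main(), `PKCS11_d.func = (CK_FUNCTION_LIST *)&wolfpkcs11nsFunctionList;`, silences the warning without resolving the type mismatch that caused it. A cast between distinct struct types hides any difference in member layout, so declaring `wolfpkcs11nsFunctionList` with the type `PKCS11_d.func` expects would let the compiler keep checking the function table. In the visible lines `C_InitPIN` is given `TokenPin`, the same value used for the SO login, while `UserPin` is declared but not used here; if that holds for the rest of main(), which continues outside the hunk, the demo sets identical SO and user PINs and a comment marking both as sample-only values would help. The context line `PKCS11_d.heap = NULL,` ends in a comma rather than a semicolon, which compiles as a comma expression but reads as a typo.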


@ -26,6 +26,7 @@
#define H_USER_SETTINGS_
#include <target.h>
#include "wolfboot/wc_secure.h"
#define WOLFCRYPT_ONLY
#define WOLFSSL_SMALL_CERT_VERIFY
@ -48,27 +49,17 @@ extern int tolower(int c);
#define HAVE_PKCS11_STATIC
#define WOLF_CRYPTO_CB
#define NO_RSA
#define NO_HMAC
#define NO_PWDBASED
/* ECC */
#define HAVE_ECC
//#define ECC_TIMING_RESISTANT
//#define ECC_USER_CURVES /* enables only 256-bit by default */
//#define HAVE_ECC_SIGN
//#define HAVE_ECC_CDH
#define HAVE_ECC256
//#define HAVE_ECC384
//#define HAVE_ECC521
#define HAVE_ECC384
#ifndef NO_RSA
/* RSA */
#define WOLFSSL_KEY_GEN
#define HAVE_RSA
#define WOLFSSL_KEY_GEN
#define RSA_LOW_MEM
#define WOLFSSL_RSA_VERIFY_INLINE
#define WC_ASN_HASH_SHA256
@ -77,43 +68,41 @@ extern int tolower(int c);
/* SHA */
//#define WOLFSSL_SHA3
//#define WOLFSSL_SHA384
#define WOLFSSL_SHA3
#define WOLFSSL_SHA384
/* HMAC */
//#define WOLFSSL_HMAC
//#define HAVE_HKDF
#define WOLFSSL_HMAC
#define HAVE_HKDF
/* PWDBASED */
//#define HAVE_PWDBASED
#define HAVE_PWDBASED
/* BASE64 */
#define WOLFSSL_BASE64_DECODE
#define WOLFSSL_BASE64_ENCODE
#if 0
/* AES */
#ifndef WOLFSSL_AES_128
#define WOLFSSL_AES_128
#endif
//#ifndef WOLFSSL_AES_256
//#define WOLFSSL_AES_256
//#endif
#ifndef WOLFSSL_AES_256
#define WOLFSSL_AES_256
#endif
#ifndef WOLFSSL_AES_COUNTER
#define WOLFSSL_AES_COUNTER
#endif
#ifndef WOLFSSL_AES_DIRECT
#define WOLFSSL_AES_DIRECT
#endif
#endif
/* Hardening */
//#define TFM_TIMING_RESISTANT
//#define ECC_TIMING_RESISTANT
//#define WC_RSA_BLINDING
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* Exclude */
#define NO_CMAC
@ -147,6 +136,9 @@ extern int tolower(int c);
#define CUSTOM_RAND_GENERATE_BLOCK wcs_get_random
/* Disable VLAs */
#define WOLFSSL_SP_NO_DYN_STACK
#endif /* !H_USER_SETTINGS_ */
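Review bot: The Hardening block now defines `TFM_TIMING_RESISTANT`, `ECC_TIMING_RESISTANT` and `WC_RSA_BLINDING`, but nothing next to them records what they require from calling code. In wolfCrypt, RSA blinding needs an RNG attached to the key (`wc_RsaSetRNG`), and timing-resistant ECC private-key operations may need one as well (`wc_ecc_set_rng`); without it those operations return an error rather than run unblinded. A comment such as `/* private-key ops need an RNG set on the key; entropy comes from wcs_get_random */` above the three defines would make that visible. Whether the application performs such operations locally or only through the PKCS#11 callback cannot be told from this section.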