Only allow delta update if the sha digest of the base image matches the
expected value. This is to prevent the delta update from being applied
to an image that is not the expected base image, even if the version
matches.
The mismatch should never happen in real-life scenarios, but it is to check
for false positives during integration, testing and development.
* Initial draft with two test cases
* Added more unit tests. Found OOB access.
* Fix potential OOB access with too-large update img
* NO_FORK disabled by default
* Cover more corner cases
leave the encryption key for wolfBoot_success to erase.
FINAL_SWAP was also stopping the case where the partition was put into testing before the update sector status flags could be erased. now, don't erase the update sector flags. instead put the update partition in IMG_STATE_FINAL_FLAGS state before putting the boot partition in IMG_STATE_TESTING. Then only erase the update sector flags on wolfBoot_update_trigger. under this scheme, the sector flags are intact if the power failed before we could set IMG_STATE_TESTING but are wiped if we do need to swap over after after wolfBoot_success fails to be called
repeatable steps so that power failure wont erase the encryption key and wont cause skipping the testing phase of boot. this is done by marking the update partition as final swap when erasing the final sector and backing up the key in boot sector 0 after swaping the real boot sector 0 to swap. then when a power failure occurs the encryption key will be available in either boot sector 0 or the normal location. the intermediate phase also prevents skipping the testing phase since the last sector, which holds the boot state, is erased and then set repeatably, since the final swap state is set on the update partition
* Added new `WOLFBOOT_TPM_SEAL` and `WOLFBOOT_TPM_SEAL_NV_BASE` config options.
* Added new `tools/tpm/policy_create` tool for assisting with creation of a policy digest. The sign keytool `--policy=file` signs the policy.
* Added new `WOLFBOOT_TPM_VERIFY` option to enable offloading of the asymmetric verification to the TPM. By default wolfCrypt will be used.
* Added example seal/unseal to update_flash for ARCH_SIM.
* Renamed `WOLFBOOT_TPM_KEYSTORE_NV_INDEX` to `WOLFBOOT_TPM_KEYSTORE_NV_BASE` to support multiple public keys.
* Refactored most TPM code into tpm.c.
* Refactored the keystore ROT to use new `wolfBoot_check_rot` API.
* Refactored the sign keytool to have a sign_digest function to allow signing firmware and policy for sealing/unsealing.
* Fix for make distclean && make using the wrong key tools.
* Added TPM SPI wait state support and debug logging.
* Added platform auth ownership (change platform password to random value before boot). Can be disabled using `WOLFBOOT_TPM_NO_CHG_PLAT_AUTH`.
* Added parameter encryption support.
* Added TPM based root of trust based on https://github.com/wolfSSL/wolfTPM/pull/276
* Removed the TPM hashing feature (not practical).
* Fixed RSA with wolfTPM build.
* Fixed cleanup wolfTPM objects on make clean.
* Added ELF32 and ELF64 loader support (config `ELF=1` or build option `WOLFBOOT_ELF`).
* Add ELF support to `update_ram.c` loader.
* Add support for loading entire flash image to RAM when `EXT_FLASH=1` and `NO_XIP=1` (or `WOLFBOOT_USE_RAMBOOT`).
* Added QUICC Engine support to load microcode and enable.
* Add multiple core support for NXP P1021.
* Fixes to resolve first stage boot ROM relocation.
- Implemented temporary workaround to resolve stack traps.
* Added PPC GOT relocation support.
* Fix for the PPC `isr_empty` handler address.
* Fix to allow stack to use DDR by having assembly setup DDR TLB. After relocating wolfBoot use stack on DDR.
* Cleanup wolfBoot output.
- Only remove extra .bin/.elf created unless `make distclean` is used.
- Don't output the key grep test (only check result).
- Adjust build order (first stage, wolfboot, test app, key, sign test app and factory).
- Fix to make sure linker script is rebuilt before objects.
Sample NXP P1021 Output:
```
Relocating BOOT ROM to DDR
Loading wolfBoot to DDR
Jumping to full wolfBoot
wolfBoot HAL Init
Flash Init: Ret 0, ID 0x76207620
QE: Length 63732, Count 1
QE: uploading 'Microcode for P1021 r1.0' version 0.0.1
QE: Traps 0
MP: Starting core 2 (spin table 0xFFFFF240)
Versions: Boot 1, Update 0
Trying Boot partition at 0x200000
Loading header 512 bytes to 0x1DFFFE00
Loading image 3170724 bytes to 0x1E000000
Image size 3170724
Firmware Valid
Loading elf at 0x1E000000
Found valid elf32 (big endian)
Booting at 0x6000
```
```
wolfBoot HAL Init
Flash Init: Ret 0, ID 0x76207620
Part: Active 0, Address 0
Boot partition: 200000
Image size 3964
Firmware Valid
Loading 3964 bytes to RAM at 1E000000
Booting at 1E000000
```
this update uses the tpm to retreive the public key used to validate the image that will boot and restricts access to that key by tpm policy. when the image is updated it's signature is used to extend the PCR and when the image is loaded it's signature must match what was sealed in order to get the public key from the tpm. enabling this option is done by setting WOLFBOOT_TPM_KEYSTORE in .config
- Using two sectors to keep partition/sector flags
- Keep two redundant set of flags, update one at a time
- Erase is done when the sector is old
- Flags update is faster because Erase is done in advance
- Accessing trailer information (including encryption keys) is done by
selecting the newest information
Tested via renode, using nrf52 with NVM_FLASH_WRITEONCE flag on.
* Expanded the NXP QorIQ T2080 documentation in `docs/Targets.md`.
* T2080 fixes for boot code placement and generation of .bin.
* T2080 UART driver cleanup.
* Improve bin-assemble fill speed and report items added.
* Make portability fixes to enable building in `mingw32-make`.
* Cleanup the `docs/Targets.md` sections and links.
* Cleanup execute bits on code files.
Daniele Lacamera
jordan
David Garske
Daniele Lacamera
John Bland
Daniele Lacamera
Daniele Lacamera
Hideki Miyazaki
Lealem Amedie
Marco Oliverio