By not checking/updating sector flags during copies from UPDATE to
BOOT partitions, a copy operation getting interrupted by power failure
will be less likely to cause problems to the integrity of the BOOT
image. This is because in case of interruptions, the copy operation
will be restarted from the first sector.
- img_size: use 32-bit variable
- remove '+1' from pa_start calculation
- fix broken delta.c wb_diff check for distance between matching
patterns (root cause for the delta+encrypt bug)
leave the encryption key for wolfBoot_success to erase.
FINAL_SWAP was also stopping the case where the partition was put into testing before the update sector status flags could be erased. now, don't erase the update sector flags. instead put the update partition in IMG_STATE_FINAL_FLAGS state before putting the boot partition in IMG_STATE_TESTING. Then only erase the update sector flags on wolfBoot_update_trigger. under this scheme, the sector flags are intact if the power failed before we could set IMG_STATE_TESTING but are wiped if we do need to swap over after after wolfBoot_success fails to be called
repeatable steps so that power failure wont erase the encryption key and wont cause skipping the testing phase of boot. this is done by marking the update partition as final swap when erasing the final sector and backing up the key in boot sector 0 after swaping the real boot sector 0 to swap. then when a power failure occurs the encryption key will be available in either boot sector 0 or the normal location. the intermediate phase also prevents skipping the testing phase since the last sector, which holds the boot state, is erased and then set repeatably, since the final swap state is set on the update partition
* Added new `WOLFBOOT_TPM_SEAL` and `WOLFBOOT_TPM_SEAL_NV_BASE` config options.
* Added new `tools/tpm/policy_create` tool for assisting with creation of a policy digest. The sign keytool `--policy=file` signs the policy.
* Added new `WOLFBOOT_TPM_VERIFY` option to enable offloading of the asymmetric verification to the TPM. By default wolfCrypt will be used.
* Added example seal/unseal to update_flash for ARCH_SIM.
* Renamed `WOLFBOOT_TPM_KEYSTORE_NV_INDEX` to `WOLFBOOT_TPM_KEYSTORE_NV_BASE` to support multiple public keys.
* Refactored most TPM code into tpm.c.
* Refactored the keystore ROT to use new `wolfBoot_check_rot` API.
* Refactored the sign keytool to have a sign_digest function to allow signing firmware and policy for sealing/unsealing.
* Fix for make distclean && make using the wrong key tools.
* Added TPM SPI wait state support and debug logging.
* Added platform auth ownership (change platform password to random value before boot). Can be disabled using `WOLFBOOT_TPM_NO_CHG_PLAT_AUTH`.
* Added parameter encryption support.
* Added TPM based root of trust based on https://github.com/wolfSSL/wolfTPM/pull/276
* Removed the TPM hashing feature (not practical).
* Fixed RSA with wolfTPM build.
* Fixed cleanup wolfTPM objects on make clean.
is called for NVM_FLASH_WRITEONCE and WOLFBOOT_FLAGS_INVERT since NVM_FLASH_WRITEONCE relies on finding non-erased flags to determine which sector is fresh and since WOLFBOOT_FLAGS_INVERT may use a different fill byte than what bin-assemble was compiled with
* Added simulator support for Mac.
* Fix for simulator to properly assemble wolfboot.bin + signedtestapp + update + swap.
* Fixes for handling 64-bit assigned mmap virtual addresses. Added hal_flash_write and hal_flash_erase support for 64-bit address using uintptr_t. Enabled if platform is 64-bit and `FORCE_32BIT` is not defined
* Fix simulator conflict with src/libwolfboot.o object in test-app.
* Cleanup test-app linker flags.
powerfail and add an exception to wolfBoot_delta_update when a revert gets
interrupted since the version will change in the middle of the update process
0th sector has been changed with the update partition still being in
IMG_STATE_UPDATING state. the state still being IMG_STATE_UPDATING means that a
delta update started and that the version may have been switched over, in which
case wolfBoot_current_firmware_version() >= wolfBoot_update_firmware_version()
no longer tells us if we need to perform an inverse operation on it's own.
also removes part of the update powerfail test that does checks for the
previous version without triggering a rollback
this update uses the tpm to retreive the public key used to validate the image that will boot and restricts access to that key by tpm policy. when the image is updated it's signature is used to extend the PCR and when the image is loaded it's signature must match what was sealed in order to get the public key from the tpm. enabling this option is done by setting WOLFBOOT_TPM_KEYSTORE in .config
- Using two sectors to keep partition/sector flags
- Keep two redundant set of flags, update one at a time
- Erase is done when the sector is old
- Flags update is faster because Erase is done in advance
- Accessing trailer information (including encryption keys) is done by
selecting the newest information
Tested via renode, using nrf52 with NVM_FLASH_WRITEONCE flag on.
New update logic when using encrypted external flash:
- an update sector is copied to swap. No decryption and re-encryption is done in
this step. This is important, because the swap address never changes and
otherwise the data will be encrypted, one sector at the time, with the same
IV. It's also a performance improvement.
- a boot sector is copied to update. In this step the boot sector is encrypted
- the swap sector is copied into boot. In this step the swap sector is decrypted
This commit moves the set_iv logic into wolfBoot_copy_sector to account for
this.
- cleanup warnings and rework exceptions to be more robust
- CORTEX R5: Initialization of stack pointer
- updates to F021 flash from testing
- sync options for command line build with IDE
John Bland
Daniele Lacamera
David Garske
Marco Oliverio
Elms