Fixes 20260408

.gitignore

@@ -86,6 +86,7 @@ tools/keytools/Debug
 tools/keytools/Release
 tools/keytools/otp/otp-keystore-primer
 
+
 # delta binaries
 tools/delta/bmdiff
 tools/delta/bmpatch
@@ -176,6 +177,10 @@ tools/unit-tests/unit-hal-otp
 tools/unit-tests/unit-rot-auth
 tools/unit-tests/unit-sdhci-response-bits
 tools/unit-tests/unit-tpm-check-rot-auth
+tools/unit-tests/unit-policy-create
+tools/unit-tests/unit-sign-encrypted-output
+tools/unit-tests/unit-update-flash-delta
+tools/unit-tests/unit-update-flash-self-update
 
 
 

CMakeLists.txt

@@ -747,7 +747,20 @@ if(ARCH STREQUAL "AARCH64")
 
 endif()
 
+if(NOT DEFINED WOLFBOOT_ORIGIN)
+    set(WOLFBOOT_ORIGIN ${ARCH_FLASH_OFFSET})
+endif()
+
+if(NOT DEFINED BOOTLOADER_PARTITION_SIZE)
+    math(EXPR BOOTLOADER_PARTITION_SIZE
+        "${WOLFBOOT_PARTITION_BOOT_ADDRESS} - ${ARCH_FLASH_OFFSET}"
+        OUTPUT_FORMAT HEXADECIMAL)
+endif()
+
 list(APPEND WOLFBOOT_DEFS ARCH_FLASH_OFFSET=${ARCH_FLASH_OFFSET})
+list(APPEND WOLFBOOT_DEFS
+    WOLFBOOT_ORIGIN=${WOLFBOOT_ORIGIN}
+    BOOTLOADER_PARTITION_SIZE=${BOOTLOADER_PARTITION_SIZE})
 
 if(${WOLFBOOT_TARGET} STREQUAL "x86_64_efi")
     if(NOT DEFINED GNU_EFI_LIB_PATH)
@@ -1139,7 +1152,7 @@ if(TZEN)
     endif()
 endif()
 
-target_sources(wolfboothal PRIVATE include/hal.h hal/${WOLFBOOT_TARGET}.c ${WOLFBOOT_FLASH_SOURCES}
+target_sources(wolfboothal PRIVATE include/hal.h hal/hal.c hal/${WOLFBOOT_TARGET}.c ${WOLFBOOT_FLASH_SOURCES}
                                    ${PARTITION_SOURCE} ${WOLFBOOT_TZ_HAL_SOURCES})
 
 

docs/compile.md

@@ -193,7 +193,9 @@ To circumvent the compile-time checks on the maximum allowed stack size, use `WO
 
 Optionally, it is possible to disable the backup copy of the current running firmware upon the installation of the
 update. This implies that no fall-back mechanism is protecting the target from a faulty firmware installation, but may be useful
-in some cases where it is not possible to write on the update partition from the bootloader.
+in some cases where it is not possible to write on the update partition from the bootloader. This also removes the
+power-fail-safe swap behavior: if power is lost while the update is being copied into the BOOT partition, the original
+firmware may already be partially overwritten and the device can be left unrecoverable.
 The associated compile-time option is
 
 `DISABLE_BACKUP=1`

hal/hal.c

@@ -281,6 +281,13 @@ int hal_flash_test_dualbank(void)
 
 #endif /* TEST_FLASH */
 
+WEAKFUNCTION int RAMFUNCTION hal_flash_protect(haladdr_t address, int len)
+{
+    (void)address;
+    (void)len;
+    return 0;
+}
+
 WEAKFUNCTION int hal_uds_derive_key(uint8_t *out, size_t out_len)
 {
     (void)out;

hal/nrf5340.c

@@ -827,7 +827,7 @@ void hal_init(void)
 
 #ifdef __WOLFBOOT
 /* enable write protection for the region of flash specified */
-int hal_flash_protect(uint32_t start, uint32_t len)
+int RAMFUNCTION hal_flash_protect(haladdr_t start, int len)
 {
     /* only application core supports SPU */
 #ifdef TARGET_nrf5340_app
@@ -884,14 +884,6 @@ static void periph_unsecure()
 
 void hal_prepare_boot(void)
 {
-    /* Write protect bootloader region of flash.
-     * Not needed in TrustZone configs because the application
-     * runs in non-secure mode and the bootloader partition is marked as
-     * secure. */
-#ifndef TZEN
-    hal_flash_protect(WOLFBOOT_ORIGIN, BOOTLOADER_PARTITION_SIZE);
-#endif
-
     if (enableShm) {
     #ifdef TARGET_nrf5340_net
         if (doUpdateNet) {

hal/skeleton.c

@@ -34,6 +34,12 @@ void hal_init(void)
 
 void hal_prepare_boot(void)
 {
+    /* wolfBoot calls hal_flash_protect() before this hook.
+     * Override int hal_flash_protect(haladdr_t address, int len) to lock
+     * the bootloader region on targets that support runtime write
+     * protection. Return 0 on success or a negative value on failure, and
+     * use this hook only for any remaining platform-specific handoff work.
+     */
 }
 
 #endif
@@ -55,4 +61,3 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
 {
     return 0; /* on success. */
 }
-

include/hal.h

@@ -87,6 +87,11 @@ uint64_t hal_get_timer_us(void);
 #endif
 void hal_flash_unlock(void);
 void hal_flash_lock(void);
+/*
+ * Lock the flash region [address, address + len) against writes.
+ * Return 0 on success, or a negative value on failure.
+ */
+int hal_flash_protect(haladdr_t address, int len);
 void hal_prepare_boot(void);
 
 #ifdef DUALBANK_SWAP

include/image.h

@@ -166,7 +166,7 @@ struct wolfBoot_image {
  * With ARMORED setup, the flag is redundant, and the information is wrapped in
  * between canary variables, to mitigate attacks based on memory corruptions.
  */
-static void __attribute__((noinline)) wolfBoot_image_confirm_signature_ok(
+static void NOINLINEFUNCTION wolfBoot_image_confirm_signature_ok(
     struct wolfBoot_image *img)
 {
     img->canary_FEED4567 = 0xFEED4567UL;
@@ -176,7 +176,7 @@ static void __attribute__((noinline)) wolfBoot_image_confirm_signature_ok(
     img->canary_FEED89AB = 0xFEED89ABUL;
 }
 
-static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
+static void NOINLINEFUNCTION wolfBoot_image_clear_signature_ok(
 	struct wolfBoot_image *img)
 {
 	img->canary_FEED4567 = 0xFEED4567UL;
@@ -424,7 +424,8 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
         asm volatile("mov r0, #50":::"r0"); \
         asm volatile("mov r0, #50":::"r0"); \
         asm volatile("mov r0, #50":::"r0"); \
-        compare_res = XMEMCMP(digest, img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE); \
+        compare_res = image_CT_compare(digest, img->sha_hash, \
+            WOLFBOOT_SHA_DIGEST_SIZE); \
         /* Redundant checks that ensure the function actually returned 0 */ \
         asm volatile("cmp r0, #0":::"cc"); \
         asm volatile("cmp r0, #0":::"cc"); \
@@ -442,8 +443,9 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
         asm volatile("cmp r0, #0":::"cc"); \
         asm volatile("cmp r0, #0":::"cc"); \
         asm volatile("bne hnope"); \
-        /* Repeat memcmp call */ \
-        compare_res = XMEMCMP(digest, img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE); \
+        /* Repeat comparison call */ \
+        compare_res = image_CT_compare(digest, img->sha_hash, \
+            WOLFBOOT_SHA_DIGEST_SIZE); \
         compare_res; \
         /* Redundant checks that ensure the function actually returned 0 */ \
         asm volatile("cmp r0, #0":::"cc"); \
@@ -1234,7 +1236,7 @@ static void UNUSEDFUNCTION wolfBoot_image_clear_signature_ok(
     ret = fn(__VA_ARGS__);
 
 #define RSA_VERIFY_HASH(img,digest) \
-    if (XMEMCMP(img->sha_hash, digest, WOLFBOOT_SHA_DIGEST_SIZE) == 0) \
+    if (image_CT_compare(img->sha_hash, digest, WOLFBOOT_SHA_DIGEST_SIZE) == 0) \
         wolfBoot_image_confirm_signature_ok(img);
 
 #define PART_SANITY_CHECK(p) \
@@ -1250,6 +1252,8 @@ static void UNUSEDFUNCTION wolfBoot_image_clear_signature_ok(
 #endif
 
 /* Defined in image.c */
+int image_CT_compare(const uint8_t *expected, const uint8_t *actual,
+    uint32_t len);
 int wolfBoot_open_image(struct wolfBoot_image *img, uint8_t part);
 #ifdef EXT_FLASH
 int wolfBoot_open_image_external(struct wolfBoot_image* img, uint8_t part, uint8_t* addr);

include/tpm.h

@@ -79,6 +79,10 @@ int wolfBoot_load_pubkey(const uint8_t* pubkey_hint, WOLFTPM2_KEY* pubKey,
     TPM_ALG_ID* pAlg);
 #endif
 
+#if defined(WOLFBOOT_TPM_KEYSTORE) || defined(WOLFBOOT_TPM_SEAL)
+int wolfBoot_constant_compare(const uint8_t* a, const uint8_t* b, uint32_t len);
+#endif
+
 #ifdef WOLFBOOT_TPM_KEYSTORE
 int wolfBoot_check_rot(int key_slot, uint8_t* pubkey_hint);
 #endif

include/wolfboot/wolfboot.h

@@ -83,6 +83,20 @@ extern "C" {
 #  endif
 #endif
 
+#ifndef NOINLINEFUNCTION
+#  if defined(__has_attribute)
+#    if __has_attribute(noinline)
+#      define NOINLINEFUNCTION __attribute__((noinline))
+#    else
+#      define NOINLINEFUNCTION
+#    endif
+#  elif defined(__GNUC__) || defined(__CC_ARM)
+#    define NOINLINEFUNCTION __attribute__((noinline))
+#  else
+#    define NOINLINEFUNCTION
+#  endif
+#endif
+
 
 /* Helpers for memory alignment */
 #ifndef XALIGNED
@@ -185,6 +199,15 @@ extern "C" {
 #endif
 #endif /* WOLFBOOT_SELF_HEADER */
 
+#if defined(WOLFBOOT_SKIP_BOOT_VERIFY) && !defined(WOLFBOOT_SELF_HEADER)
+#error "WOLFBOOT_SKIP_BOOT_VERIFY requires WOLFBOOT_SELF_HEADER"
+#endif
+
+#if defined(WOLFBOOT_SKIP_BOOT_VERIFY) && \
+    !defined(WOLFBOOT_SELF_UPDATE_MONOLITHIC)
+#error "WOLFBOOT_SKIP_BOOT_VERIFY requires WOLFBOOT_SELF_UPDATE_MONOLITHIC"
+#endif
+
 #ifdef BIG_ENDIAN_ORDER
 #    define WOLFBOOT_MAGIC          0x574F4C46 /* WOLF */
 #    define WOLFBOOT_MAGIC_TRAIL    0x424F4F54 /* BOOT */

options.mk

@@ -90,6 +90,9 @@ endif
 
 ## Monolithic self-update: erase covers fw_size so the payload can span
 ## the bootloader region into the contiguous boot partition.
+ifeq ($(WOLFBOOT_SELF_UPDATE_MONOLITHIC),1)
+  SELF_UPDATE_MONOLITHIC:=1
+endif
 ifeq ($(SELF_UPDATE_MONOLITHIC),1)
   CFLAGS+=-DWOLFBOOT_SELF_UPDATE_MONOLITHIC
 endif
@@ -710,6 +713,12 @@ ifeq ($(ALLOW_DOWNGRADE),1)
 endif
 
 ifeq ($(WOLFBOOT_SKIP_BOOT_VERIFY),1)
+  ifneq ($(WOLFBOOT_SELF_HEADER),1)
+    $(error WOLFBOOT_SKIP_BOOT_VERIFY=1 requires WOLFBOOT_SELF_HEADER=1)
+  endif
+  ifneq ($(SELF_UPDATE_MONOLITHIC),1)
+    $(error WOLFBOOT_SKIP_BOOT_VERIFY=1 requires WOLFBOOT_SELF_UPDATE_MONOLITHIC (set SELF_UPDATE_MONOLITHIC=1))
+  endif
   CFLAGS+=-D"WOLFBOOT_SKIP_BOOT_VERIFY"
 endif
 
@@ -718,6 +727,7 @@ ifeq ($(NVM_FLASH_WRITEONCE),1)
 endif
 
 ifeq ($(DISABLE_BACKUP),1)
+  $(warning DISABLE_BACKUP=1 disables power-fail-safe updates; losing power during an update can leave BOOT partially written and unrecoverable)
   CFLAGS+= -D"DISABLE_BACKUP"
 endif
 

src/delta.c

@@ -40,6 +40,7 @@ struct BLOCK_HDR_PACKED block_hdr {
 };
 
 #define BLOCK_HDR_SIZE (sizeof (struct block_hdr))
+#define BLOCK_OFF_MAX 0xFFFFFFU
 
 #if defined(EXT_ENCRYPTED) && defined(__WOLFBOOT)
 #include "image.h"
@@ -300,6 +301,8 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len)
                  */
                 match_len = BLOCK_HDR_SIZE;
                 blk_start = pa - ctx->src_a;
+                if (blk_start > BLOCK_OFF_MAX)
+                    return -1;
                 b_start = ctx->off_b;
                 pa+= BLOCK_HDR_SIZE;
                 ctx->off_b += BLOCK_HDR_SIZE;
@@ -362,6 +365,8 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len)
                      */
                     match_len = BLOCK_HDR_SIZE;
                     blk_start = pb - ctx->src_b;
+                    if (blk_start > BLOCK_OFF_MAX)
+                        return -1;
                     pb+= BLOCK_HDR_SIZE;
                     ctx->off_b += BLOCK_HDR_SIZE;
                     while ((pb < pb_limit) &&

src/image.c

@@ -58,8 +58,8 @@
 /* Globals */
 static uint8_t digest[WOLFBOOT_SHA_DIGEST_SIZE] XALIGNED(4);
 
-static int image_CT_compare(const uint8_t *expected, const uint8_t *actual,
-    uint32_t len)
+int NOINLINEFUNCTION image_CT_compare(
+    const uint8_t *expected, const uint8_t *actual, uint32_t len)
 {
     uint8_t diff = 0;
     uint32_t i;
@@ -68,7 +68,7 @@ static int image_CT_compare(const uint8_t *expected, const uint8_t *actual,
         diff |= expected[i] ^ actual[i];
     }
 
-    return diff == 0;
+    return diff;
 }
 
 #if defined(WOLFBOOT_CERT_CHAIN_VERIFY) && \
@@ -1551,7 +1551,7 @@ int wolfBoot_verify_integrity(struct wolfBoot_image *img)
         return -1;
     if (image_hash(img, digest) != 0)
         return -1;
-    if (!image_CT_compare(digest, stored_sha, stored_sha_len))
+    if (image_CT_compare(digest, stored_sha, stored_sha_len) != 0)
         return -1;
     img->sha_ok = 1;
     img->sha_hash = stored_sha;
@@ -1990,7 +1990,7 @@ int wolfBoot_check_flash_image_elf(uint8_t part, unsigned long* entry_out)
 
     /* Finalize SHA calculation */
     final_hash(&ctx, calc_digest);
-    if (!image_CT_compare(exp_digest, calc_digest, WOLFBOOT_SHA_DIGEST_SIZE)) {
+    if (image_CT_compare(exp_digest, calc_digest, WOLFBOOT_SHA_DIGEST_SIZE) != 0) {
         wolfBoot_printf("ELF: [CHECK] SHA verification FAILED\n");
         wolfBoot_printf(
             "ELF: [CHECK] Expected   %02x%02x%02x%02x%02x%02x%02x%02x\n",