Skip to content

Commit 1d24d32

Browse files
danielinuxdanielinux
committed
Experimental: chacha20 encryption for external partitions
1 parent 938919e commit 1d24d32

8 files changed

Lines changed: 261 additions & 22 deletions

File tree

Makefile

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -125,6 +125,11 @@ ifeq ($(UART_FLASH),1)
125125
EXT_FLASH=1
126126
endif
127127

128+
ifeq ($(ENCRYPT),1)
129+
CFLAGS+=-DEXT_ENCRYPTED=1
130+
WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/chacha.o
131+
endif
132+
128133
ifeq ($(EXT_FLASH),1)
129134
CFLAGS+= -DEXT_FLASH=1 -DPART_UPDATE_EXT=1 -DPART_SWAP_EXT=1
130135
ifeq ($(NO_XIP),1)
@@ -303,6 +308,10 @@ include/target.h: include/target.h.in FORCE
303308
config: FORCE
304309
make -C config
305310

311+
../src/libwolfboot.o: ../src/libwolfboot.c FORCE
312+
@echo "\t[CC-$(ARCH)] $@"
313+
$(Q)$(CC) $(CFLAGS) -c -o $@ ../src/libwolfboot.c
314+
306315
%.o:%.c
307316
@echo "\t[CC-$(ARCH)] $@"
308317
$(Q)$(CC) $(CFLAGS) -c -o $@ $^

include/encrypt.h

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
/* encrypt.h
2+
*
3+
* Functions to encrypt/decrypt external flash content
4+
*
5+
* Copyright (C) 2020 wolfSSL Inc.
6+
*
7+
* This file is part of wolfBoot.
8+
*
9+
* wolfBoot is free software; you can redistribute it and/or modify
10+
* it under the terms of the GNU General Public License as published by
11+
* the Free Software Foundation; either version 2 of the License, or
12+
* (at your option) any later version.
13+
*
14+
* wolfBoot is distributed in the hope that it will be useful,
15+
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16+
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17+
* GNU General Public License for more details.
18+
*
19+
* You should have received a copy of the GNU General Public License
20+
* along with this program; if not, write to the Free Software
21+
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
22+
*/
23+
24+
#ifndef ENCRYPT_H_INCLUDED
25+
#define ENCRYPT_H_INCLUDED
26+
#include <stdint.h>
27+
#include <wolfssl/wolfcrypt/settings.h>
28+
#include <wolfssl/wolfcrypt/sha256.h>
29+
30+
#include "target.h"
31+
#include "wolfboot/wolfboot.h"
32+
33+
#include <wolfssl/wolfcrypt/chacha.h>
34+
#include <wolfssl/wolfcrypt/pwdbased.h>
35+
36+
#define ENCRYPT_BLOCK_SIZE 16
37+
#define ENCRYPT_KEY_SIZE 32 /* Chacha20-256 */
38+
39+
int ext_flash_set_encrypt_key(const uint8_t *key, int len);
40+
int ext_flash_set_encrypt_password(const uint8_t *pwd, int len);
41+
int ext_flash_encrypt_write(uintptr_t address, const uint8_t *data, int len);
42+
int ext_flash_decrypt_read(uintptr_t address, uint8_t *data, int len);
43+
44+
#endif /* ENCRYPT_H_INCLUDED */

include/image.h

Lines changed: 20 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -98,6 +98,16 @@ uint16_t wolfBoot_find_header(uint8_t *haystack, uint16_t type, uint8_t **ptr);
9898
# define PART_IS_EXT(x) PARTN_IS_EXT(((x)->part))
9999
#include "hal.h"
100100

101+
102+
#ifdef EXT_ENCRYPTED
103+
#include "encrypt.h"
104+
#define ext_flash_check_write ext_flash_encrypt_write
105+
#define ext_flash_check_read ext_flash_decrypt_read
106+
#else
107+
#define ext_flash_check_write ext_flash_write
108+
#define ext_flash_check_read ext_flash_read
109+
#endif
110+
101111
static inline int wb_flash_erase(struct wolfBoot_image *img, uint32_t off, uint32_t size)
102112
{
103113
if (PART_IS_EXT(img))
@@ -109,7 +119,7 @@ static inline int wb_flash_erase(struct wolfBoot_image *img, uint32_t off, uint3
109119
static inline int wb_flash_write(struct wolfBoot_image *img, uint32_t off, const void *data, uint32_t size)
110120
{
111121
if (PART_IS_EXT(img))
112-
return ext_flash_write((uintptr_t)(img->hdr) + off, data, size);
122+
return ext_flash_check_write((uintptr_t)(img->hdr) + off, data, size);
113123
else
114124
return hal_flash_write((uintptr_t)(img->hdr) + off, data, size);
115125
}
@@ -120,12 +130,12 @@ static inline int wb_flash_write_verify_word(struct wolfBoot_image *img, uint32_
120130
volatile uint32_t copy;
121131
if (PART_IS_EXT(img))
122132
{
123-
ext_flash_read((uintptr_t)(img->hdr) + off, (void *)&copy, sizeof(uint32_t));
133+
ext_flash_check_read((uintptr_t)(img->hdr) + off, (void *)&copy, sizeof(uint32_t));
124134
while (copy != word) {
125-
ret = ext_flash_write((uintptr_t)(img->hdr) + off, (void *)&word, sizeof(uint32_t));
135+
ret = ext_flash_check_write((uintptr_t)(img->hdr) + off, (void *)&word, sizeof(uint32_t));
126136
if (ret < 0)
127137
return ret;
128-
ext_flash_read((uintptr_t)(img->hdr) + off, (void *)&copy, sizeof(uint32_t));
138+
ext_flash_check_read((uintptr_t)(img->hdr) + off, (void *)&copy, sizeof(uint32_t));
129139
}
130140
} else {
131141
volatile uint32_t *pcopy = (volatile uint32_t*)(img->hdr + off);
@@ -154,5 +164,11 @@ static inline int wb_flash_write_verify_word(struct wolfBoot_image *img, uint32_
154164
/* --- Flattened Device Tree Blob */
155165
#define UBOOT_FDT_MAGIC 0xEDFE0DD0UL
156166

167+
#ifndef EXT_ENCRYPTED
168+
#define WOLFBOOT_MAX_SPACE (WOLFBOOT_PARTITION_SIZE - (TRAILER_SKIP + sizeof(uint32_t) + (WOLFBOOT_PARTITION_SIZE + 1 / (WOLFBOOT_SECTOR_SIZE * 8))))
169+
#else
170+
#include "encrypt.h"
171+
#define WOLFBOOT_MAX_SPACE (WOLFBOOT_PARTITION_SIZE - ENCRYPT_TMP_SECRET_OFFSET)
172+
#endif
157173

158174
#endif /* !IMAGE_H */

include/user_settings.h

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -114,6 +114,13 @@
114114
# define NO_SHA256
115115
#endif
116116

117+
#ifdef EXT_ENCRYPTED
118+
# define HAVE_CHACHA
119+
# define HAVE_PWDBASED
120+
#else
121+
# define NO_PWDBASED
122+
#endif
123+
117124
/* Disables - For minimum wolfCrypt build */
118125
#define NO_AES
119126
#define NO_CMAC
@@ -133,7 +140,6 @@
133140
#define NO_SESSION_CACHE
134141
#define NO_HC128
135142
#define NO_DES3
136-
#define NO_PWDBASED
137143
#define WC_NO_RNG
138144
#define WC_NO_HASHDRBG
139145
#define NO_WRITEV

include/wolfboot/wolfboot.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -78,6 +78,7 @@
7878
#define PART_BOOT 0
7979
#define PART_UPDATE 1
8080
#define PART_SWAP 2
81+
#define PART_NONE 0xFF
8182

8283
#define PART_DTS (0x10)
8384
#define PART_DTS_BOOT (PART_DTS | PART_BOOT)

src/image.c

Lines changed: 5 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -178,29 +178,28 @@ static uint16_t get_header(struct wolfBoot_image *img, uint16_t type, uint8_t **
178178
}
179179

180180
static uint8_t ext_hash_block[WOLFBOOT_SHA_BLOCK_SIZE];
181-
181+
static uint8_t digest[WOLFBOOT_SHA_DIGEST_SIZE];
182182
static uint8_t *get_sha_block(struct wolfBoot_image *img, uint32_t offset)
183183
{
184184
if (offset > img->fw_size)
185185
return NULL;
186+
#ifdef EXT_FLASH
186187
if (PART_IS_EXT(img)) {
187-
ext_flash_read((uintptr_t)(img->fw_base) + offset, ext_hash_block, WOLFBOOT_SHA_BLOCK_SIZE);
188+
ext_flash_check_read((uintptr_t)(img->fw_base) + offset, ext_hash_block, WOLFBOOT_SHA_BLOCK_SIZE);
188189
return ext_hash_block;
189190
} else
191+
#endif
190192
return (uint8_t *)(img->fw_base + offset);
191193
}
192194

193-
static uint8_t digest[WOLFBOOT_SHA_DIGEST_SIZE];
194-
195195
#ifdef EXT_FLASH
196-
197196
static uint8_t hdr_cpy[IMAGE_HEADER_SIZE];
198197
static int hdr_cpy_done = 0;
199198

200199
static uint8_t *fetch_hdr_cpy(struct wolfBoot_image *img)
201200
{
202201
if (!hdr_cpy_done) {
203-
ext_flash_read((uintptr_t)img->hdr, hdr_cpy, IMAGE_HEADER_SIZE);
202+
ext_flash_check_read((uintptr_t)img->hdr, hdr_cpy, IMAGE_HEADER_SIZE);
204203
hdr_cpy_done = 1;
205204
}
206205
return hdr_cpy;

0 commit comments

Comments
 (0)