Relocate temporary key slot to the end of the partition

Author: danielinux

src/libwolfboot.c

@@ -36,8 +36,10 @@
         #define XMEMCPY memcpy
         #define XMEMCMP memcmp
     #endif
+    #define ENCRYPT_TMP_SECRET_OFFSET (WOLFBOOT_PARTITION_SIZE - (TRAILER_SKIP + ENCRYPT_KEY_SIZE + ENCRYPT_NONCE_SIZE))
 #else
     #define XMEMCPY memcpy
+    #define ENCRYPT_TMP_SECRET_OFFSET (WOLFBOOT_PARTITION_SIZE - (TRAILER_SKIP))
 #endif
 
 #ifndef NULL
@@ -56,8 +58,8 @@ static const uint32_t wolfboot_magic_trail = WOLFBOOT_MAGIC_TRAIL;
 #ifndef TRAILER_SKIP
 #   define TRAILER_SKIP 0
 #endif
-#define PART_BOOT_ENDFLAGS   ((WOLFBOOT_PARTITION_BOOT_ADDRESS + WOLFBOOT_PARTITION_SIZE) - TRAILER_SKIP)
-#define PART_UPDATE_ENDFLAGS ((WOLFBOOT_PARTITION_UPDATE_ADDRESS + WOLFBOOT_PARTITION_SIZE) - TRAILER_SKIP)
+#define PART_BOOT_ENDFLAGS   (WOLFBOOT_PARTITION_BOOT_ADDRESS   + ENCRYPT_TMP_SECRET_OFFSET)
+#define PART_UPDATE_ENDFLAGS (WOLFBOOT_PARTITION_UPDATE_ADDRESS + ENCRYPT_TMP_SECRET_OFFSET)
 
 #ifdef NVM_FLASH_WRITEONCE
 #include <stddef.h>
@@ -507,7 +509,6 @@ int wolfBoot_fallback_is_possible(void)
 #error option EXT_ENCRYPTED requires EXT_FLASH
 #endif
 
-#define ENCRYPT_TMP_SECRET_OFFSET (WOLFBOOT_PARTITION_SIZE - (TRAILER_SKIP + (sizeof(uint32_t) + 1 + ((1 + WOLFBOOT_PARTITION_SIZE) / (WOLFBOOT_SECTOR_SIZE * 8)) + ENCRYPT_KEY_SIZE + ENCRYPT_NONCE_SIZE)))
 
 
 #ifdef NVM_FLASH_WRITEONCE
@@ -618,8 +619,8 @@ int ext_flash_encrypt_write(uintptr_t address, const uint8_t *data, int len)
     switch(part) {
         case PART_UPDATE:
             iv_counter = (address - WOLFBOOT_PARTITION_UPDATE_ADDRESS) / ENCRYPT_BLOCK_SIZE;
-            /* Do not encrypt last sector */
-            if (iv_counter == (WOLFBOOT_PARTITION_SIZE - 1) / ENCRYPT_BLOCK_SIZE) {
+            /* Do not encrypt last sectors */
+            if (iv_counter >= (ENCRYPT_TMP_SECRET_OFFSET - ENCRYPT_BLOCK_SIZE) / ENCRYPT_BLOCK_SIZE) {
                 return ext_flash_write(address, data, len);
             }
             break;
@@ -680,7 +681,7 @@ int ext_flash_decrypt_read(uintptr_t address, uint8_t *data, int len)
         case PART_UPDATE:
             iv_counter = (address - WOLFBOOT_PARTITION_UPDATE_ADDRESS) / ENCRYPT_BLOCK_SIZE;
             /* Do not decrypt last sector */
-            if (iv_counter == (WOLFBOOT_PARTITION_SIZE - 1) / ENCRYPT_BLOCK_SIZE) {
+            if (iv_counter >= (ENCRYPT_TMP_SECRET_OFFSET - ENCRYPT_BLOCK_SIZE) / ENCRYPT_BLOCK_SIZE) {
                 return ext_flash_read(address, data, len);
             }
             break;

tools/scripts/prepare_encrypted_update.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
-# SIZE is WOLFBOOT_PARTITION_SIZE - 5
-SIZE=131067 
+# SIZE is WOLFBOOT_PARTITION_SIZE - 49 (44B: key + nonce, 5B: "pBOOT")
+SIZE=131023
 VERSION=8
 APP=test-app/image_v"$VERSION"_signed_and_encrypted.bin
 

tools/uart-flash-server/ufserver.c

@@ -65,6 +65,7 @@ const char msgEraseSwap[]   = "Erase swap blocks      ";
 extern uint16_t wolfBoot_find_header(uint8_t *haystack, uint16_t type, uint8_t **ptr);
 
 const char blinker[]="-\\|/";
+static int valid_update = 1;
 
 void printmsg(const char *msg)
 {
@@ -178,6 +179,7 @@ uint8_t *mmap_firmware(const char *fname)
     uint8_t *base_fw;
     struct stat st;
     int fd;
+    uint32_t signature_word;
     if (stat(fname, &st) != 0) {
         perror ("stat");
         return (void *)-1;
@@ -188,19 +190,32 @@ uint8_t *mmap_firmware(const char *fname)
         perror("open");
         return (void *)-1;
     }
-    if (st.st_size <= FIRMWARE_PARTITION_SIZE) {
+    if (read(fd, &signature_word, sizeof(uint32_t)) != (sizeof(uint32_t))) {
+        perror("read");
+        return (void *)-1;
+    }
+    if ((st.st_size <= FIRMWARE_PARTITION_SIZE)) {
         uint8_t pad = 0xFF;
         int i;
-        const char update_flags[] = "pBOOT";
         int fsize = st.st_size;
-        lseek(fd, FIRMWARE_PARTITION_SIZE + SWAP_SIZE, SEEK_SET);
         lseek(fd, fsize, SEEK_SET);
-        for (i = 0; i < (FIRMWARE_PARTITION_SIZE - (fsize + 5)); i++)
+        for (i = 0; i < (FIRMWARE_PARTITION_SIZE - (fsize)); i++)
             write(fd, &pad, 1);
-        write(fd, update_flags, 5);
+        lseek(fd, FIRMWARE_PARTITION_SIZE, SEEK_SET);
         for (i = 0; i < SWAP_SIZE; i++)
             write(fd, &pad, 1);
     }
+    if (strncmp((char *)&signature_word, "WOLF", 4) != 0) {
+        fprintf(stderr, "Warning: the binary file provided does not appear to contain a valid firmware partition file. (If the update is encrypted, this is OK)\n");
+        valid_update = 0;
+    } else {
+        int i;
+        const char update_flags[] = "pBOOT";
+        lseek(fd, FIRMWARE_PARTITION_SIZE - 5, SEEK_SET);
+        write(fd, update_flags, 5);
+        for (i = 0; i < SWAP_SIZE; i++)
+            write(fd, update_flags, 5);
+    }
     base_fw = mmap(NULL, FIRMWARE_PARTITION_SIZE + SWAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
     if (base_fw == (void *)(-1)) {
         perror("mmap");
@@ -415,9 +430,7 @@ int main(int argc, char *argv[])
         fprintf(stderr, "Error opening binary file '%s'.\n", argv[1]);
         exit(2);
     }
-    if (strncmp((char *)base_fw, "WOLF", 4) != 0) {
-        fprintf(stderr, "Warning: the binary file provided does not appear to contain a valid firmware partition file.\n");
-    } else {
+    if (valid_update) {
         printf("%s has a wolfboot manifest header\n", basename(argv[1]));
         base_fw_ver = fw_version(base_fw);
         printf("%s contains version %u\n", basename(argv[1]), base_fw_ver);