Fixed encryption alignment and signing tool IV

Author: danielinux

src/libwolfboot.c

@@ -631,6 +631,8 @@ int ext_flash_encrypt_write(uintptr_t address, const uint8_t *data, int len)
         if (ext_flash_read(row_address, block, ENCRYPT_BLOCK_SIZE) != ENCRYPT_BLOCK_SIZE)
             return -1;
         XMEMCPY(block + row_offset, data, step);
+        iv[0] = row_number;
+        wc_Chacha_SetIV(&chacha, (byte *)iv, ENCRYPT_BLOCK_SIZE);
         wc_Chacha_Process(&chacha, enc_block, block, ENCRYPT_BLOCK_SIZE);
         ext_flash_write(row_address, enc_block, ENCRYPT_BLOCK_SIZE);
         address += step;
@@ -690,6 +692,8 @@ int ext_flash_decrypt_read(uintptr_t address, uint8_t *data, int len)
         int step = ENCRYPT_BLOCK_SIZE - row_offset;
         if (ext_flash_read(row_address, block, ENCRYPT_BLOCK_SIZE) != ENCRYPT_BLOCK_SIZE)
             return -1;
+        iv[0] = row_number;
+        wc_Chacha_SetIV(&chacha, (byte *)iv, ENCRYPT_BLOCK_SIZE);
         wc_Chacha_Process(&chacha, dec_block, block, ENCRYPT_BLOCK_SIZE);
         XMEMCPY(data, dec_block + row_offset, step);
         address += step;

src/update_flash.c

@@ -60,7 +60,7 @@ static void RAMFUNCTION wolfBoot_self_update(struct wolfBoot_image *src)
         while (pos < src->fw_size) {
             uint8_t buffer[FLASHBUFFER_SIZE];
             if (src_offset + pos < (src->fw_size + IMAGE_HEADER_SIZE + FLASHBUFFER_SIZE))  {
-                ext_flash_read((uintptr_t)(src->hdr) + src_offset + pos, (void *)buffer, FLASHBUFFER_SIZE);
+                ext_flash_check_read((uintptr_t)(src->hdr) + src_offset + pos, (void *)buffer, FLASHBUFFER_SIZE);
                 hal_flash_write(pos + (uint32_t)&_start_text, buffer, FLASHBUFFER_SIZE);
             }
             pos += FLASHBUFFER_SIZE;
@@ -129,7 +129,7 @@ static int wolfBoot_copy_sector(struct wolfBoot_image *src, struct wolfBoot_imag
         wb_flash_erase(dst, dst_sector_offset, WOLFBOOT_SECTOR_SIZE);
         while (pos < WOLFBOOT_SECTOR_SIZE)  {
             if (src_sector_offset + pos < (src->fw_size + IMAGE_HEADER_SIZE + FLASHBUFFER_SIZE))  {
-                ext_flash_read((uintptr_t)(src->hdr) + src_sector_offset + pos, (void *)buffer, FLASHBUFFER_SIZE);
+                ext_flash_check_read((uintptr_t)(src->hdr) + src_sector_offset + pos, (void *)buffer, FLASHBUFFER_SIZE);
                 wb_flash_write(dst, dst_sector_offset + pos, buffer, FLASHBUFFER_SIZE);
             }
             pos += FLASHBUFFER_SIZE;

test-app/app_stm32wb.c

@@ -47,14 +47,6 @@ void main(void) {
     if ((version == 1) && (updv != 8)) {
         uint32_t sz;
         boot_led_off();
-        ext_flash_erase(WOLFBOOT_PARTITION_UPDATE_ADDRESS, WOLFBOOT_PARTITION_SIZE);
-        while (l < firmware_update_len) {
-            sz = firmware_update_len - l;
-            if (sz > WOLFBOOT_SECTOR_SIZE)
-                sz = WOLFBOOT_SECTOR_SIZE;
-            ext_flash_write(WOLFBOOT_PARTITION_UPDATE_ADDRESS + l, firmware_update + l, sz);
-            l += sz;
-        }
 #if EXT_ENCRYPTED
         wolfBoot_set_encrypt_key((uint8_t *)enc_key, 32);
 #endif

tools/keytools/sign.py

@@ -393,7 +393,8 @@
     enc_outfile = open(encrypted_output_image_file, 'wb')
     cha = ciphers.ChaCha(key, 32)
     while(True):
-        cha.set_iv(off)
+        iv = struct.pack('<LLLL', off, 0, 0, 0)
+        cha.set_iv(iv)
         buf = outfile.read(16)
         if len(buf) == 0:
             break