From e912c549b8cd7fde059cf494050b686207530675 Mon Sep 17 00:00:00 2001 From: Olivier BARS Date: Mon, 28 Jul 2025 12:16:08 +0200 Subject: [PATCH 01/35] adpat overlay and proj.conf to use mcuboot with signature and WL55. --- boot/zephyr/app.overlay | 12 +++++++++++ boot/zephyr/prj.conf | 44 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) diff --git a/boot/zephyr/app.overlay b/boot/zephyr/app.overlay index 74d3dfbfd2..40d0108ac2 100644 --- a/boot/zephyr/app.overlay +++ b/boot/zephyr/app.overlay @@ -3,3 +3,15 @@ zephyr,code-partition = &boot_partition; }; }; + +&boot_partition { + reg = <0x00000000 0x10000>; + read-only; +}; + +&lpuart1 { + pinctrl-0 = <&lpuart1_tx_pa2 &lpuart1_rx_pa3>; + pinctrl-names = "default"; + current-speed = <9600>; + status = "okay"; +}; diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index a82767187e..f08dd0d0cc 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf 
@@ -30,3 +30,47 @@ CONFIG_CBPRINTF_NANO=y CONFIG_PICOLIBC=y ### Disable malloc arena because we don't need it CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE=0 + +#user +# CONFIG_BOOT_PREFER_SWAP_MOVE=y +# CONFIG_BOOT_USE_TINYCRYPT=y + +# CONFIG_SINGLE_APPLICATION_SLOT=y +CONFIG_BOOT_UPGRADE_ONLY=y +CONFIG_BOOT_ENCRYPT_IMAGE=y +CONFIG_BOOT_VALIDATE_SLOT0=y +CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y +CONFIG_BOOT_SIGNATURE_KEY_FILE="root-ec-p256.pem" + +# CONFIG_BOOT_MAX_IMG_SECTORS_AUTO=y +# CONFIG_BOOT_IMAGE_EXECUTABLE_RAM_START=20000000 +# CONFIG_BOOT_IMAGE_EXECUTABLE_RAM_SIZE=100000 +#define MCUBOOT_IMAGE_NUMBER 1 +# CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD=y + +#ifndef MCUBOOT_CONFIG_H +#define MCUBOOT_CONFIG_H + +#define MCUBOOT_IMAGE_NUMBER 1 +#define IMAGE_EXECUTABLE_RAM_START 0x20000000 +#define IMAGE_EXECUTABLE_RAM_SIZE 0x100000 + +# //#define MCUBOOT_OVERWRITE_ONLY 1 +# #undef MCUBOOT_RAM_LOAD +# //#define MCUBOOT_DIRECT_XIP 1 +# //#define MCUBOOT_DIRECT_XIP_REVERT 1 +# #define MCUBOOT_SWAP_USING_MOVE 1 +# //#define MCUBOOT_MODE_SWAP_USING_SCRATCH 1 + +# #define MCUBOOT_MAX_IMG_SECTORS 128 +# #define MCUBOOT_USE_TINYCRYPT +# //#define MCUBOOT_USE_MBED_TLS +# #define MCUBOOT_SIGNATURE_TYPE_ECDSA_P256 +# #define MCUBOOT_ENC_IMAGES +# #define MCUBOOT_SIGN_EC256 +# #define MCUBOOT_ENCRYPT_EC256 +# //#define MCUBOOT_AES_256 +# #define MCUBOOT_VALIDATE_PRIMARY_SLOT +# //#define MCUBOOT_SIGNATURE_KEY_NONE +# //#define MCUBOOT_VALIDATE_SLOT0 1 +# #define MCUBOOT_USE_FLASH_AREA_GET_SECTORS 1 \ No newline at end of file From 13be7dead1d08c53a989ce1ca4dbde0c2c5cff0d Mon Sep 17 00:00:00 2001 
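Review bot: `CONFIG_BOOT_SIGNATURE_KEY_FILE="root-ec-p256.pem"` names what looks like the development key shipped in the MCUboot tree, so any image signed with that publicly available private key would pass `CONFIG_BOOT_VALIDATE_SLOT0`. Point it at a project-owned key kept outside the repository, e.g. `CONFIG_BOOT_SIGNATURE_KEY_FILE="<path-to-project-signing-key>.pem"` (placeholder). `CONFIG_BOOT_ENCRYPT_IMAGE=y` is set with no encryption-key option visible in this hunk, so confirm which key the build actually picks up. The `#define MCUBOOT_*` and `#ifndef` lines are plain comments to Kconfig and configure nothing; drop them or add `# reference only, not evaluated by Kconfig` above them.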
From: Olivier BARS Date: Tue, 29 Jul 2025 11:57:15 +0200 Subject: [PATCH 02/35] Add boot/stm32 code --- boot/stm32/include/boot_log_uart.h | 17 ++ boot/stm32/include/flash_map/flash_map.h | 172 ++++++++++++++++++ .../flash_map_backend/flash_map_backend.h | 82 +++++++++ .../include/mcuboot_config/mcuboot_config.h | 39 ++++ .../include/mcuboot_config/mcuboot_logging.h | 14 ++ boot/stm32/include/sysflash/sysflash.h | 34 ++++ boot/stm32/src/boot_log_uart.c | 52 ++++++ boot/stm32/src/flash_map_backend.c | 149 +++++++++++++++ boot/stm32/src/key.c | 97 ++++++++++ 9 files changed, 656 insertions(+) create mode 100644 boot/stm32/include/boot_log_uart.h create mode 100644 boot/stm32/include/flash_map/flash_map.h create mode 100644 boot/stm32/include/flash_map_backend/flash_map_backend.h create mode 100644 boot/stm32/include/mcuboot_config/mcuboot_config.h create mode 100644 boot/stm32/include/mcuboot_config/mcuboot_logging.h create mode 100644 boot/stm32/include/sysflash/sysflash.h create mode 100644 boot/stm32/src/boot_log_uart.c create mode 100644 boot/stm32/src/flash_map_backend.c create mode 100644 boot/stm32/src/key.c diff --git a/boot/stm32/include/boot_log_uart.h b/boot/stm32/include/boot_log_uart.h new file mode 100644 index 0000000000..7e6b7d3c7c --- /dev/null +++ b/boot/stm32/include/boot_log_uart.h @@ -0,0 +1,17 @@ +#ifndef BOOT_LOG_UART_H +#define BOOT_LOG_UART_H + +#ifdef __cplusplus +extern "C" { +#endif + +void boot_log_info(const char *msg, ...); +void boot_log_err(const char *msg, ...); +void boot_log_warn(const char *msg, ...); +void boot_log_debug(const char *msg, ...); + +#ifdef __cplusplus +} +#endif + +#endif // BOOT_LOG_UART_H diff --git a/boot/stm32/include/flash_map/flash_map.h b/boot/stm32/include/flash_map/flash_map.h new file mode 100644 index 0000000000..b986228117 --- /dev/null +++ b/boot/stm32/include/flash_map/flash_map.h 
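Review bot: The four variadic logging prototypes in boot_log_uart.h take a printf-style format but carry no format attribute, so mismatched arguments at call sites are not diagnosed at compile time. Declaring them as `void boot_log_info(const char *msg, ...) __attribute__((format(printf, 1, 2)));` (same for err/warn/debug) lets `-Wformat` check every `MCUBOOT_LOG_*` use. A short header comment should also state that `msg` must be a literal format string and that boot_log_uart.c formats into a fixed 128-byte buffer, so longer messages are truncated.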
@@ -0,0 +1,172 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +#ifndef H_UTIL_FLASH_MAP_ +#define H_UTIL_FLASH_MAP_ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * + * Provides abstraction of flash regions for type of use. + * I.e. dude where's my image? + * + * System will contain a map which contains flash areas. Every + * region will contain flash identifier, offset within flash and length. + * + * 1. This system map could be in a file within filesystem (Initializer + * must know/figure out where the filesystem is at). + * 2. Map could be at fixed location for project (compiled to code) + * 3. Map could be at specific place in flash (put in place at mfg time). + * + * Note that the map you use must be valid for BSP it's for, + * match the linker scripts when platform executes from flash, + * and match the target offset specified in download script. + */ +#include + +/** + * @brief Structure describing an area on a flash device. + * + * Multiple flash devices may be available in the system, each of + * which may have its own areas. For this reason, flash areas track + * which flash device they are part of. + */ +struct flash_area { + /** + * This flash area's ID; unique in the system. 
+ */ + uint8_t fa_id; + + /** + * ID of the flash device this area is a part of. + */ + uint8_t fa_device_id; + + uint16_t pad16; + + /** + * This area's offset, relative to the beginning of its flash + * device's storage. + */ + uint32_t fa_off; + + /** + * This area's size, in bytes. + */ + uint32_t fa_size; +}; + +/** + * @brief Structure describing a sector within a flash area. + * + * Each sector has an offset relative to the start of its flash area + * (NOT relative to the start of its flash device), and a size. A + * flash area may contain sectors with different sizes. + */ +struct flash_sector { + /** + * Offset of this sector, from the start of its flash area (not device). + */ + uint32_t fs_off; + + /** + * Size of this sector, in bytes. + */ + uint32_t fs_size; +}; + +/* + * Retrieve a memory-mapped flash device's base address. + * + * On success, the address will be stored in the value pointed to by + * ret. + * + * Returns 0 on success, or an error code on failure. + */ +int flash_device_base(uint8_t fd_id, uintptr_t *ret); + +/* + * Start using flash area. + */ +int flash_area_open(uint8_t id, const struct flash_area **); + +void flash_area_close(const struct flash_area *); + +/* + * Read/write/erase. Offset is relative from beginning of flash area. + */ +int flash_area_read(const struct flash_area *, uint32_t off, void *dst, + uint32_t len); +int flash_area_write(const struct flash_area *, uint32_t off, const void *src, + uint32_t len); +int flash_area_erase(const struct flash_area *, uint32_t off, uint32_t len); + +/* + * Alignment restriction for flash writes. + */ +uint32_t flash_area_align(const struct flash_area *); + +/* + * What is value is read from erased flash bytes. + */ +uint8_t flash_area_erased_val(const struct flash_area *); + +uint32_t flash_area_get_off(const struct flash_area *fa); +/* + * Given flash area ID, return info about sectors within the area. 
+ */ +int flash_area_get_sectors(int fa_id, uint32_t *count, + struct flash_sector *sectors); + + +/* Retrieve the flash sector a given offset belongs to. + * + * Returns 0 on success, or an error code on failure. + */ +int flash_area_sector_from_off(uint32_t off, struct flash_sector *sector); + +/* Retrieve the flash sector a given offset, within flash area. + * + * @param fa flash area. + * @param off offset of sector. + * @param sector pointer to structure for obtained information. + * Returns 0 on success, or an error code on failure. + */ +int flash_area_get_sector(const struct flash_area *fa, uint32_t off, + struct flash_sector *sector); + +/* + * Similar to flash_area_get_sectors(), but return the values in an + * array of struct flash_area instead. + */ +__attribute__((deprecated)) +int flash_area_to_sectors(int idx, int *cnt, struct flash_area *ret); + +int flash_area_id_from_image_slot(int slot); +int flash_area_id_from_multi_image_slot(int image_index, int slot); +int flash_area_id_to_multi_image_slot(int image_index, int area_id); + +#ifdef __cplusplus +} +#endif + +#endif /* H_UTIL_FLASH_MAP_ */ diff --git a/boot/stm32/include/flash_map_backend/flash_map_backend.h b/boot/stm32/include/flash_map_backend/flash_map_backend.h new file mode 100644 index 0000000000..fb7f9b028f --- /dev/null +++ b/boot/stm32/include/flash_map_backend/flash_map_backend.h 
@@ -0,0 +1,82 @@
+#ifndef __FLASH_MAP_BACKEND_H__
+#define __FLASH_MAP_BACKEND_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include
+
+struct flash_area {
+ uint8_t fa_id;
+ uint8_t fa_device_id;
+ uint16_t pad;
+ uint32_t fa_off;
+ uint32_t fa_size;
+};
+
+struct flash_sector {
+ uint32_t fs_off;
+ uint32_t fs_size;
+};
+
+
+int flash_area_open(uint8_t id, const struct flash_area **fa);
+void flash_area_close(const struct flash_area *fa);
+int flash_area_read(const struct flash_area *fa, uint32_t off, void *dst, uint32_t len);
+int flash_area_write(const struct flash_area *fa, uint32_t off, const void *src, uint32_t len);
+int flash_area_erase(const struct flash_area *fa, uint32_t off, uint32_t len);
+
+
+
+
+
+int flash_area_get_sectors(int fa_id, uint32_t *count, struct flash_sector *sectors);
+int flash_area_get_sector(const struct flash_area *fa, uint32_t off, struct flash_sector *sector);
+
+
+
+int flash_area_align(const struct flash_area *fa);
+int flash_area_erased_val(const struct flash_area *fa);
+
+int flash_area_to_sectors(int idx, int *cnt, struct flash_area *fa);
+
+int flash_area_id_from_multi_image_slot(int image_index, int slot);
+int flash_area_id_from_image_slot(int slot);
+
+static inline uint8_t flash_area_get_id(const struct flash_area *fa)
+{
+ return fa->fa_id;
+}
+
+static inline uint8_t flash_area_get_device_id(const struct flash_area *fa)
+{
+ return fa->fa_device_id;
+}
+
+static inline uint32_t flash_area_get_off(const struct flash_area *fa)
+{
+ return fa->fa_off;
+}
+
+static inline uint32_t flash_sector_get_off(const struct flash_sector *fs)
+{
+ return fs->fs_off;
+}
+
+static inline uint32_t flash_sector_get_size(const struct flash_sector *fs)
+{
+ return fs->fs_size;
+}
+
+static inline uint32_t flash_area_get_size(const struct flash_area *fa)
+{
+ return fa->fa_size;
+}
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __FLASH_MAP_BACKEND_H__ */
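Review bot: `struct flash_area` and `struct flash_sector` are defined here and again in flash_map/flash_map.h added by the same patch, and the two headers disagree on prototypes: `flash_area_align` and `flash_area_erased_val` return `int` here but `uint32_t` and `uint8_t` there, and `flash_area_get_off` is `static inline` here but an external function there. A translation unit that includes both will not compile, and one that picks the other header gets declarations that do not match flash_map_backend.c. Keep a single definition (for example make this header the only one, or include it from flash_map.h). A header comment should record that `fa_off` holds an absolute address in this port, since flash_map_backend.c initialises it from `SLOT0_BASE` and friends, and that the inline accessors dereference `fa`/`fs` without a NULL check.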
diff --git a/boot/stm32/include/mcuboot_config/mcuboot_config.h b/boot/stm32/include/mcuboot_config/mcuboot_config.h new file mode 100644 index 0000000000..7bd11284b7 --- /dev/null +++ b/boot/stm32/include/mcuboot_config/mcuboot_config.h @@ -0,0 +1,39 @@ +#ifndef MCUBOOT_CONFIG_H +#define MCUBOOT_CONFIG_H + +#define MCUBOOT_IMAGE_NUMBER 1 +#define IMAGE_EXECUTABLE_RAM_START 0x20000000 +#define IMAGE_EXECUTABLE_RAM_SIZE 0x100000 + +//#define MCUBOOT_OVERWRITE_ONLY 1 +#undef MCUBOOT_RAM_LOAD +//#define MCUBOOT_DIRECT_XIP 1 +//#define MCUBOOT_DIRECT_XIP_REVERT 1 +#define MCUBOOT_SWAP_USING_MOVE 1 +//#define MCUBOOT_MODE_SWAP_USING_SCRATCH 1 + +#define MCUBOOT_MAX_IMG_SECTORS 128 +#define MCUBOOT_USE_TINYCRYPT +//#define MCUBOOT_USE_MBED_TLS +#define MCUBOOT_SIGNATURE_TYPE_ECDSA_P256 +#define MCUBOOT_ENC_IMAGES +#define MCUBOOT_SIGN_EC256 +#define MCUBOOT_ENCRYPT_EC256 +//#define MCUBOOT_AES_256 +#define MCUBOOT_VALIDATE_PRIMARY_SLOT +//#define MCUBOOT_SIGNATURE_KEY_NONE +//#define MCUBOOT_VALIDATE_SLOT0 1 +#define MCUBOOT_USE_FLASH_AREA_GET_SECTORS 1 + + +#define MCUBOOT_WATCHDOG_FEED() \ + do { \ + /* TODO: to be implemented */ \ + } while (0) + + +#define MCUBOOT_HAVE_LOGGING 1 + + + +#endif /* MCUBOOT_CONFIG_H */ diff --git a/boot/stm32/include/mcuboot_config/mcuboot_logging.h b/boot/stm32/include/mcuboot_config/mcuboot_logging.h new file mode 100644 index 0000000000..c1d393d4e0 --- /dev/null +++ b/boot/stm32/include/mcuboot_config/mcuboot_logging.h @@ -0,0 +1,14 @@ +#ifndef __MCUBOOT_LOGGING_H__ +#define __MCUBOOT_LOGGING_H__ + +#include "boot_log_uart.h" + +#define MCUBOOT_LOG_ERR(...) boot_log_err(__VA_ARGS__) +#define MCUBOOT_LOG_WRN(...) boot_log_warn(__VA_ARGS__) +#define MCUBOOT_LOG_INF(...) boot_log_info(__VA_ARGS__) +#define MCUBOOT_LOG_DBG(...) boot_log_debug(__VA_ARGS__) + +#define MCUBOOT_LOG_MODULE_DECLARE(...) +#define MCUBOOT_LOG_MODULE_REGISTER(...) + +#endif /* __MCUBOOT_LOGGING_H__ */ 
diff --git a/boot/stm32/include/sysflash/sysflash.h b/boot/stm32/include/sysflash/sysflash.h new file mode 100644 index 0000000000..7e26882be9 --- /dev/null +++ b/boot/stm32/include/sysflash/sysflash.h @@ -0,0 +1,34 @@ +#ifndef H_SYSFLASH_H__ +#define H_SYSFLASH_H__ + +#ifdef __cplusplus +extern "C" { +#endif + +#include +#include "mcuboot_config.h" +//#define FLASH_AREA_BOOTLOADER_ID 0 +#define FLASH_AREA_IMAGE_PRIMARY_ID 0 +#define FLASH_AREA_IMAGE_SECONDARY_ID 1 +#define FLASH_AREA_SCRATCH_ID 2 + + +#if (MCUBOOT_IMAGE_NUMBER == 1) + +#define FLASH_AREA_IMAGE_PRIMARY(x) FLASH_AREA_IMAGE_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) FLASH_AREA_IMAGE_SECONDARY_ID + +#else +#error "Image slot and flash area mapping is not defined" +#endif + +#define FLASH_AREA_IMAGE_SCRATCH FLASH_AREA_SCRATCH_ID + + +#define FLASH_AREA_REBOOT_LOG 255 + +#ifdef __cplusplus +} +#endif + +#endif /* H_SYSFLASH_H__ */ diff --git a/boot/stm32/src/boot_log_uart.c b/boot/stm32/src/boot_log_uart.c new file mode 100644 index 0000000000..8045048845 --- /dev/null +++ b/boot/stm32/src/boot_log_uart.c 
@@ -0,0 +1,52 @@
+#include "stm32wlxx_hal.h"
+#include "bootutil_log.h"
+#include
+#include
+#include
+
+extern UART_HandleTypeDef hlpuart1;
+
+static void boot_log_uart_send(const char *prefix, const char *msg, va_list args) {
+ char buffer[128];
+ int len = snprintf(buffer, sizeof(buffer), "\r\n[%s] ", prefix);
+ vsnprintf(buffer + len, sizeof(buffer) - len, msg, args);
+
+
+ if (HAL_UART_GetState(&hlpuart1) == HAL_UART_STATE_READY) {
+ HAL_UART_Transmit(&hlpuart1, (uint8_t *)buffer, strlen(buffer), 10);
+ }
+}
+
+void boot_log_info(const char *msg, ...)
+{
+ va_list args;
+ va_start(args, msg);
+ boot_log_uart_send("INFO", msg, args);
+ va_end(args);
+}
+
+
+
+void boot_log_err(const char *msg, ...)
+{
+ va_list args;
+ va_start(args, msg);
+ boot_log_uart_send("ERR", msg, args);
+ va_end(args);
+}
+
+void boot_log_warn(const char *msg, ...)
+{
+ va_list args;
+ va_start(args, msg);
+ boot_log_uart_send("WARN", msg, args);
+ va_end(args);
+}
+
+void boot_log_debug(const char *msg, ...)
+{
+ va_list args;
+ va_start(args, msg);
+ boot_log_uart_send("DBG", msg, args);
+ va_end(args);
+}
diff --git a/boot/stm32/src/flash_map_backend.c b/boot/stm32/src/flash_map_backend.c
new file mode 100644
index 0000000000..141821dd7e
--- /dev/null
+++ b/boot/stm32/src/flash_map_backend.c
@@ -0,0 +1,149 @@
+#include "flash_map_backend.h"
+#include "stm32wlxx_hal.h"
+#include
+#include
+#include "bootutil_log.h"
+
+extern UART_HandleTypeDef hlpuart1;
+
+#define SLOT0_BASE 0x08010000
+#define SLOT1_BASE 0x08020000
+#define SCRATCH_BASE 0x08030000
+
+
+#define SLOT_SIZE 0x10000 // 128 Ko
+#define SCRATCH_SIZE 0x10000 // 64 Ko
+#define SECTOR_SIZE 0x4000 // 32 Ko
+#define SECTOR_COUNT (SLOT_SIZE / SECTOR_SIZE)
+
+static struct flash_area slot0 = {
+ .fa_id = 0,
+ .fa_device_id = 0,
+ .fa_off = SLOT0_BASE,
+ .fa_size = SLOT_SIZE,
+};
+
+static struct flash_area slot1 = {
+ .fa_id = 1,
+ .fa_device_id = 0,
+ .fa_off = SLOT1_BASE,
+ .fa_size = SLOT_SIZE,
+};
+
+static struct flash_area slot2 = {
+ .fa_id = 2,
+ .fa_device_id = 0,
+ .fa_off = SCRATCH_BASE,
+ .fa_size = SCRATCH_SIZE,
+};
+
+int flash_area_open(uint8_t id, const struct flash_area **fa) {
+ switch (id) {
+ case 0: *fa = &slot0; return 0;
+ case 1: *fa = &slot1; return 0;
+ case 2: *fa = &slot2; return 0;
+ default:
+ char msg[64];
+ snprintf(msg, sizeof(msg), "Unknown slot id (%d)\r\n", id);
+ HAL_UART_Transmit(&hlpuart1, (uint8_t*)msg, strlen(msg), HAL_MAX_DELAY);
+ return -1;
+ }
+}
+
+void flash_area_close(const struct flash_area *fa) {
+ (void)fa;
+}
+
+int flash_area_read(const struct flash_area *fa, uint32_t off, void *dst, uint32_t len) {
+ if ((off + len) > fa->fa_size) {
+ BOOT_LOG_ERR("Read out of bounds!, offset=%lu, len=%lu, fa_size=%lu\r\n", off, len, fa->fa_size);
+ return -1;
+ }
+ memcpy(dst, (const void *)(fa->fa_off + off), len);
+ return 0;
+}
+
+int flash_area_write(const struct flash_area *fa, uint32_t off, const void *src, uint32_t len) {
+ HAL_FLASH_Unlock();
+ const uint8_t *src_bytes = (const uint8_t *)src;
+ uint32_t addr = fa->fa_off + off;
+ for (uint32_t i = 0; i < len; i += 8) {
+ uint64_t data = 0xFFFFFFFFFFFFFFFF;
+ memcpy(&data, &src_bytes[i], (len - i >= 8) ? 8 : (len - i));
+
+ if (HAL_FLASH_Program(FLASH_TYPEPROGRAM_DOUBLEWORD, addr + i, data) != HAL_OK) {
+ HAL_FLASH_Lock();
+ return -1;
+ }
+ }
+
+ HAL_FLASH_Lock();
+ return 0;
+}
+
+
+int flash_area_erase(const struct flash_area *fa, uint32_t off, uint32_t len) {
+ HAL_FLASH_Unlock();
+
+ FLASH_EraseInitTypeDef erase = {
+ .TypeErase = FLASH_TYPEERASE_PAGES,
+ .Page = (fa->fa_off + off - FLASH_BASE) / FLASH_PAGE_SIZE,
+ .NbPages = (len + FLASH_PAGE_SIZE - 1) / FLASH_PAGE_SIZE,
+ };
+ uint32_t page_error;
+ if (HAL_FLASHEx_Erase(&erase, &page_error) != HAL_OK) {
+ HAL_FLASH_Lock();
+ return -1;
+ }
+ HAL_FLASH_Lock();
+ return 0;
+}
+
+int flash_area_get_sectors(int fa_id, uint32_t *count, struct flash_sector *sectors) {
+ if (fa_id == 0 || fa_id == 1) {
+ *count = 4;
+ for (int i = 0; i < *count; i++) {
+ sectors[i].fs_off = i * SECTOR_SIZE;
+ sectors[i].fs_size = SECTOR_SIZE;
+ }
+ return 0;
+ }
+ return -1;
+}
+
+int flash_area_align(const struct flash_area *fa) {
+ (void)fa;
+ return 8;
+}
+
+int flash_area_erased_val(const struct flash_area *fa) {
+ (void)fa;
+ return 0xFF;
+}
+
+int flash_area_id_from_multi_image_slot(int image_index, int slot) {
+ (void)image_index;
+ return slot;
+}
+
+int flash_area_get_sector(const struct flash_area *fa, uint32_t off, struct flash_sector *sector)
+{
+
+ sector->fs_off = (off / SECTOR_SIZE) * SECTOR_SIZE;
+ sector->fs_size = SECTOR_SIZE;
+
+ return 0;
+}
+
+int flash_area_id_to_multi_image_slot(int image_index, int area_id)
+{
+ switch (area_id) {
+ case 0:
+ return 0;
+ case 1:
+ return 1;
+ default:
+ return -1;
+ }
+}
+
diff --git a/boot/stm32/src/key.c b/boot/stm32/src/key.c
new file mode 100644
index 0000000000..4242418a3c
--- /dev/null
+++ b/boot/stm32/src/key.c
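Review bot: The bounds check in `flash_area_read`, `(off + len) > fa->fa_size`, is evaluated in 32-bit arithmetic and wraps for large `off`/`len`, so an out-of-range read can pass it; `flash_area_write` and `flash_area_erase` have no range check at all and will program or erase whatever address `fa->fa_off + off` yields, including pages outside the area. Use an overflow-safe guard in all three, `if (off > fa->fa_size || len > fa->fa_size - off) return -1;`, placed before `HAL_FLASH_Unlock()`. `flash_area_erase` also rounds `NbPages` up without checking that `off` is page-aligned, and the status of `HAL_FLASH_Unlock()` is ignored in both write and erase. In `flash_area_open` the `char msg[64];` declaration directly after `default:` is not valid before C23 and needs braces around the case body. The size comments are off as well: `0x10000` is 64 KiB and `0x4000` is 16 KiB.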
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2021 Espressif Systems (Shanghai) Co., Ltd.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#include
+#include
+
+#if !defined(MCUBOOT_HW_KEY)
+#if defined(MCUBOOT_SIGN_RSA)
+#define HAVE_KEYS
+extern const unsigned char rsa_pub_key[];
+extern const unsigned int rsa_pub_key_len;
+#elif defined(MCUBOOT_SIGN_EC256)
+#define HAVE_KEYS
+extern const unsigned char ecdsa_pub_key[];
+extern const unsigned int ecdsa_pub_key_len;
+#elif defined(MCUBOOT_SIGN_ED25519)
+#define HAVE_KEYS
+extern const unsigned char ed25519_pub_key[];
+extern const unsigned int ed25519_pub_key_len;
+#endif
+
+/*
+ * NOTE: *_pub_key and *_pub_key_len are autogenerated based on the provided
+ * key file. If no key file was configured, the array and length must be
+ * provided and added to the build manually.
+ */
+/* Autogenerated by imgtool.py, do not edit. */
+const unsigned char ecdsa_pub_key[] = {
+ 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
+ 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
+ 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
+ 0x42, 0x00, 0x04, 0x2a, 0xcb, 0x40, 0x3c, 0xe8,
+ 0xfe, 0xed, 0x5b, 0xa4, 0x49, 0x95, 0xa1, 0xa9,
+ 0x1d, 0xae, 0xe8, 0xdb, 0xbe, 0x19, 0x37, 0xcd,
+ 0x14, 0xfb, 0x2f, 0x24, 0x57, 0x37, 0xe5, 0x95,
+ 0x39, 0x88, 0xd9, 0x94, 0xb9, 0xd6, 0x5a, 0xeb,
+ 0xd7, 0xcd, 0xd5, 0x30, 0x8a, 0xd6, 0xfe, 0x48,
+ 0xb2, 0x4a, 0x6a, 0x81, 0x0e, 0xe5, 0xf0, 0x7d,
+ 0x8b, 0x68, 0x34, 0xcc, 0x3a, 0x6a, 0xfc, 0x53,
+ 0x8e, 0xfa, 0xc1,
+};
+const unsigned int ecdsa_pub_key_len = 91;
+
+unsigned char enc_priv_key[] = {
+ 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
+ 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
+ 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20,
+ 0xf6, 0x1e, 0x51, 0x9d, 0xf8, 0xfa, 0xdd, 0xa1, 0xb7, 0xd9, 0xa9, 0x64,
+ 0x64, 0x3b, 0x54, 0xd0, 0x3d, 0xd0, 0x1f, 0xe5, 0x78, 0xd9, 0x17, 0x98,
+ 0xa5, 0x28, 0xca, 0xcc, 0x6b, 0x67, 0x9e, 0x06, 0xa1, 0x44, 0x03, 0x42,
+ 0x00, 0x04, 0x8a, 0x44, 0x73, 0x00, 0x94, 0xc9, 0x80, 0x27, 0x31, 0x0d,
+ 0x23, 0x36, 0x6b, 0xe9, 0x69, 0x9f, 0xcb, 0xc5, 0x7c, 0xc8, 0x44, 0x1a,
+ 0x93, 0xe6, 0xee, 0x7d, 0x86, 0xa6, 0xae, 0x5e, 0x93, 0x72, 0x74, 0xd9,
+ 0xe1, 0x5a, 0x1c, 0x9b, 0x65, 0x1a, 0x2b, 0x61, 0x41, 0x28, 0x02, 0x73,
+ 0x84, 0x12, 0x97, 0x3a, 0x2d, 0xa2, 0xa0, 0x67, 0x77, 0x02, 0xda, 0x67,
+ 0x1a, 0x4b, 0xdd, 0xd7, 0x71, 0xcc,
+};
+static unsigned int enc_priv_key_len = 138;
+const struct bootutil_key bootutil_enc_key = {
+ .key = enc_priv_key,
+ .len = &enc_priv_key_len,
+};
+
+#if defined(HAVE_KEYS)
+const struct bootutil_key bootutil_keys[] = {
+ {
+#if defined(MCUBOOT_SIGN_RSA)
+ .key = rsa_pub_key,
+ .len = &rsa_pub_key_len,
+#elif defined(MCUBOOT_SIGN_EC256)
+ .key = ecdsa_pub_key,
+ .len = &ecdsa_pub_key_len,
+#elif defined(MCUBOOT_SIGN_ED25519)
+ .key = ed25519_pub_key,
+ .len = &ed25519_pub_key_len,
+#endif
+ },
+};
+const int bootutil_key_cnt = 1;
+#endif /* HAVE_KEYS */
+#else
+unsigned int pub_key_len;
+struct bootutil_key bootutil_keys[1] = {
+ {
+ .key = 0,
+ .len = &pub_key_len,
+ }
+};
+const int bootutil_key_cnt = 1;
+#endif /* !MCUBOOT_HW_KEY */
+
+
+
+
From 26a8b53fdf830c6879762de326ef70149615510a Mon Sep 17 00:00:00 2001
From: Olivier BARS
Date: Wed, 30 Jul 2025 14:18:56 +0200
Subject: [PATCH 03/35] To permit to compile cause we are not windows or linux. Todo : to make rigth prng we need to use stm32 prng drivers. (hw drivers)
---
 ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h b/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h
index e2c882356e..373773a9a3 100644
--- a/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h
+++ b/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h
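Review bot: `enc_priv_key` commits a DER-encoded P-256 private key to the source tree as a non-`const`, non-`static` global, so the image-decryption key is readable by anyone with access to the repository or the binary and is writable at run time. The byte values look like the sample keys distributed with MCUboot (to be confirmed against the upstream key files); if so, neither image encryption nor the `ecdsa_pub_key` signature check gives any protection in a production build. Generate project keys outside the repository, have the build emit this file from them, and declare the array `static const unsigned char enc_priv_key[]`. The "Autogenerated by imgtool.py" comment should name the key file the arrays came from, and `bootutil_enc_key` is defined unconditionally here rather than under `MCUBOOT_ENC_IMAGES`.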
@@ -74,7 +74,8 @@ * for some platforms, such as Unix and Linux. For other platforms, you may need * to provide another PRNG function. */ -#define default_RNG_defined 1 +//#define default_RNG_defined 1 +#define default_RNG_defined 0 int default_CSPRNG(uint8_t *dest, unsigned int size); From b7229826e665df16efb5d2176b711b7ea929c121 Mon Sep 17 00:00:00 2001 From: "le noa, emilien" Date: Thu, 4 Sep 2025 14:42:06 +0200 Subject: [PATCH 04/35] fix flash_map_backend --- boot/bootutil/src/image_validate.c | 2 + boot/bootutil/src/loader.c | 2 +- .../generate_key_pair/generate_key_pair.h | 23 ++++ .../include/mcuboot_config/mcuboot_config.h | 6 +- boot/stm32/src/boot_log_uart.c | 6 +- boot/stm32/src/flash_map_backend.c | 111 ++++++++++++--- boot/stm32/src/generate_key_pair.c | 130 ++++++++++++++++++ .../include/mbedtls/mbedtls_config.h | 130 +++++++++--------- 8 files changed, 321 insertions(+), 89 deletions(-) create mode 100644 boot/stm32/include/generate_key_pair/generate_key_pair.h create mode 100644 boot/stm32/src/generate_key_pair.c diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index eb5ce16ed7..92e4d1763b 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -570,6 +570,8 @@ bootutil_img_validate(struct boot_loader_state *state, img_sz = it.tlv_end; #endif BOOT_LOG_DBG("bootutil_img_validate: TLV off %u, end %u", it.tlv_off, it.tlv_end); + BOOT_LOG_DBG("bootutil_max_image_size = 0x%X, img_sz = 0x%X", + bootutil_max_image_size(state, fap), img_sz); if (img_sz > bootutil_max_image_size(state, fap)) { rc = -1; diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 37adc5faff..e568e1c3d7 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -55,7 +55,7 @@ #endif #if !defined(MCUBOOT_DIRECT_XIP) && !defined(MCUBOOT_RAM_LOAD) -#include +//#include #endif #include "mcuboot_config/mcuboot_config.h" 
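Review bot: Setting `default_RNG_defined` to 0 in the vendored header leaves tinycrypt with no RNG unless the port calls `uECC_set_rng()`, and no such call appears in the part of the series shown here. In upstream tinycrypt that makes key generation and signing fail, and the ECDH shared-secret routine skips its randomised-coordinate side-channel countermeasure (verify against the vendored ecc_dh.c); that path matters while `MCUBOOT_USE_TINYCRYPT` and `MCUBOOT_ENCRYPT_EC256` are both set, as in the mcuboot_config.h from patch 02. Instead of leaving the old line commented out, keep a single documented define, e.g. `#define default_RNG_defined 0 /* no OS RNG on STM32WL: port must call uECC_set_rng() with the hardware RNG */`. Carrying the change as a build-level define rather than an edit to `ext/tinycrypt` would also keep the vendored copy identical to upstream.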
diff --git a/boot/stm32/include/generate_key_pair/generate_key_pair.h b/boot/stm32/include/generate_key_pair/generate_key_pair.h new file mode 100644 index 0000000000..b12a20d70c --- /dev/null +++ b/boot/stm32/include/generate_key_pair/generate_key_pair.h @@ -0,0 +1,23 @@ +#ifndef __GENERATE_KEY_PAIR_H__ +#define __GENERATE_KEY_PAIR_H__ + +#ifdef __cplusplus +extern "C" { +#endif +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" +#include "mbedtls/pk.h" +#include "mbedtls/ecp.h" +#include "stm32wlxx_hal.h" + +extern RNG_HandleTypeDef hrng; +int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen); +int gen_p256_keypair(mbedtls_pk_context *pk); +void dump_p256(const mbedtls_pk_context *pk); + + +#ifdef __cplusplus +} +#endif + +#endif /* __GENERATE_KEY_PAIR_H__ */ diff --git a/boot/stm32/include/mcuboot_config/mcuboot_config.h b/boot/stm32/include/mcuboot_config/mcuboot_config.h index 7bd11284b7..75dd1b9949 100644 --- a/boot/stm32/include/mcuboot_config/mcuboot_config.h +++ b/boot/stm32/include/mcuboot_config/mcuboot_config.h @@ -13,13 +13,13 @@ //#define MCUBOOT_MODE_SWAP_USING_SCRATCH 1 #define MCUBOOT_MAX_IMG_SECTORS 128 -#define MCUBOOT_USE_TINYCRYPT -//#define MCUBOOT_USE_MBED_TLS +//#define MCUBOOT_USE_TINYCRYPT +#define MCUBOOT_USE_MBED_TLS #define MCUBOOT_SIGNATURE_TYPE_ECDSA_P256 #define MCUBOOT_ENC_IMAGES #define MCUBOOT_SIGN_EC256 #define MCUBOOT_ENCRYPT_EC256 -//#define MCUBOOT_AES_256 +#define MCUBOOT_AES_256 #define MCUBOOT_VALIDATE_PRIMARY_SLOT //#define MCUBOOT_SIGNATURE_KEY_NONE //#define MCUBOOT_VALIDATE_SLOT0 1 diff --git a/boot/stm32/src/boot_log_uart.c b/boot/stm32/src/boot_log_uart.c index 8045048845..1bb3e03ae9 100644 --- a/boot/stm32/src/boot_log_uart.c +++ b/boot/stm32/src/boot_log_uart.c @@ -4,7 +4,7 @@ #include #include -extern UART_HandleTypeDef hlpuart1; +extern UART_HandleTypeDef huart1; static void boot_log_uart_send(const char *prefix, const char *msg, va_list args) { char buffer[128]; 
@@ -12,8 +12,8 @@ static void boot_log_uart_send(const char *prefix, const char *msg, va_list args vsnprintf(buffer + len, sizeof(buffer) - len, msg, args); - if (HAL_UART_GetState(&hlpuart1) == HAL_UART_STATE_READY) { - HAL_UART_Transmit(&hlpuart1, (uint8_t *)buffer, strlen(buffer), 10); + if (HAL_UART_GetState(&huart1) == HAL_UART_STATE_READY) { + HAL_UART_Transmit(&huart1, (uint8_t *)buffer, strlen(buffer), 10); } } diff --git a/boot/stm32/src/flash_map_backend.c b/boot/stm32/src/flash_map_backend.c index 141821dd7e..8d7920ff03 100644 --- a/boot/stm32/src/flash_map_backend.c +++ b/boot/stm32/src/flash_map_backend.c @@ -4,16 +4,18 @@ #include #include "bootutil_log.h" -extern UART_HandleTypeDef hlpuart1; +extern UART_HandleTypeDef huart1; #define SLOT0_BASE 0x08010000 +//#define SLOT0_BASE 0x0800C000 +//#define SLOT1_BASE 0x08025000 #define SLOT1_BASE 0x08020000 -#define SCRATCH_BASE 0x08030000 +#define SCRATCH_BASE 0x0803F000 -#define SLOT_SIZE 0x10000 // 128 Ko -#define SCRATCH_SIZE 0x10000 // 64 Ko -#define SECTOR_SIZE 0x4000 // 32 Ko +#define SLOT_SIZE 0x19000 +#define SCRATCH_SIZE 0x1000 +#define SECTOR_SIZE 0x4000 #define SECTOR_COUNT (SLOT_SIZE / SECTOR_SIZE) static struct flash_area slot0 = { @@ -45,7 +47,7 @@ int flash_area_open(uint8_t id, const struct flash_area **fa) { default: char msg[64]; snprintf(msg, sizeof(msg), "Unknown slot id (%d)\r\n", id); - HAL_UART_Transmit(&hlpuart1, (uint8_t*)msg, strlen(msg), HAL_MAX_DELAY); + HAL_UART_Transmit(&huart1, (uint8_t*)msg, strlen(msg), HAL_MAX_DELAY); return -1; } } 
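Review bot: In the `@@ -4,16 +4,18 @@` hunk of flash_map_backend.c the new values make the two image slots overlap: `SLOT0_BASE + SLOT_SIZE` is `0x08010000 + 0x19000 = 0x08029000`, which is past `SLOT1_BASE` at `0x08020000`, so writing the secondary slot overwrites the tail of the primary image and the reverse during a swap. The commented-out pair `0x0800C000` / `0x08025000` would be contiguous for a `0x19000` slot; either restore those or shrink `SLOT_SIZE`. `SLOT_SIZE` is also no longer a multiple of `SECTOR_SIZE` (`0x4000`), which leaves a short `0x1000` tail sector. A compile-time guard would catch this class of mistake: `_Static_assert(SLOT0_BASE + SLOT_SIZE <= SLOT1_BASE && SLOT1_BASE + SLOT_SIZE <= SCRATCH_BASE, "flash slots overlap");`.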
@@ -99,18 +101,56 @@ int flash_area_erase(const struct flash_area *fa, uint32_t off, uint32_t len) { return 0; } -int flash_area_get_sectors(int fa_id, uint32_t *count, struct flash_sector *sectors) { - if (fa_id == 0 || fa_id == 1) { - *count = 4; - for (int i = 0; i < *count; i++) { - sectors[i].fs_off = i * SECTOR_SIZE; - sectors[i].fs_size = SECTOR_SIZE; - } - return 0; +//int flash_area_get_sectors(int fa_id, uint32_t *count, struct flash_sector *sectors) { +// +// BOOT_LOG_INF("bg"); +// if (fa_id == 0 || fa_id == 1) { +// *count =7; +// for (int i = 0; i < *count; i++) { +// sectors[i].fs_off = i * SECTOR_SIZE; +// sectors[i].fs_size = SECTOR_SIZE; +// } +// return 0; +// } +// return -1; +//} + +int flash_area_get_sectors(int fa_id, uint32_t *count, struct flash_sector *sectors) +{ + const struct flash_area *fa; + if (flash_area_open(fa_id, &fa) != 0) { + BOOT_LOG_ERR("Can not open fa_id=%d", fa_id); + return -1; + } + + uint32_t size = fa->fa_size; + uint32_t offset = 0; + uint32_t idx = 0; + *count = 0; + + while (offset < size && idx < MCUBOOT_MAX_IMG_SECTORS) { + uint32_t remain = size - offset; + uint32_t chunk = (remain >= SECTOR_SIZE) ? SECTOR_SIZE : remain; + + sectors[idx].fs_off = offset; + sectors[idx].fs_size = chunk; + + offset += chunk; + (idx)++; + } + uint32_t expected = (size + SECTOR_SIZE -1)/ SECTOR_SIZE; + if (idx != expected){ + BOOT_LOG_WRN("get_sectors: MCUBOOT count %d sectors, correction in %d (size=0x%X)", idx, expected, size); } - return -1; + + *count = idx; + BOOT_LOG_INF("get_sectors: fa_id=%d => %d sectors dedected (taille=0x%X)", + fa_id, idx, size); + return 0; } + + int flash_area_align(const struct flash_area *fa) { (void)fa; return 8; 
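Review bot: The rewritten `flash_area_get_sectors` sets `*count = 0` before reading it, so the capacity that MCUboot callers normally pass in `*count` is never consulted and the loop is bounded only by `MCUBOOT_MAX_IMG_SECTORS`; a caller with a smaller `sectors[]` array would be overrun. Read the capacity first, `uint32_t max = *count;`, loop on `idx < max`, and return `-1` when `offset < size` after the loop instead of reporting success with a truncated map. `fa_id` is an `int` that is narrowed implicitly to the `uint8_t` parameter of `flash_area_open`, so range-check it before the call. The `%d`/`%X` specifiers are used with `uint32_t` arguments, and the `expected` comparison only logs; a comment should say what that check is meant to detect.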
@@ -126,15 +166,52 @@ int flash_area_id_from_multi_image_slot(int image_index, int slot) { return slot; } +//int flash_area_get_sector(const struct flash_area *fa, uint32_t off, struct flash_sector *sector) +//{ +// BOOT_LOG_INF("hello"); +// if (off >= fa->fa_size) { +// BOOT_LOG_INF("error"); +// return -1; +// } +// sector->fs_off = (off / SECTOR_SIZE) * SECTOR_SIZE; +// sector->fs_size = SECTOR_SIZE; +// +// return 0; +//} int flash_area_get_sector(const struct flash_area *fa, uint32_t off, struct flash_sector *sector) { + const struct flash_area *fa_ptr = fa; - sector->fs_off = (off / SECTOR_SIZE) * SECTOR_SIZE; - sector->fs_size = SECTOR_SIZE; + if (fa_ptr == NULL) { + uint8_t default_id = 0; // par défaut slot0 + if (flash_area_open(default_id, &fa_ptr) != 0) { + BOOT_LOG_ERR("get_sector: impossible d'ouvrir slot par défaut"); + return -1; + } + } + + + if (off >= fa_ptr->fa_size) { + BOOT_LOG_ERR("get_sector: offset 0x%X hors du slot (taille=0x%X)", off, fa_ptr->fa_size); + return -1; + } + + uint32_t index = off / SECTOR_SIZE; + uint32_t remain = fa_ptr->fa_size - (index * SECTOR_SIZE); + + sector->fs_off = index * SECTOR_SIZE; + sector->fs_size = (remain < SECTOR_SIZE) ? remain : SECTOR_SIZE; + + BOOT_LOG_INF("get_sector: index=%d fs_off=0x%X fs_size=0x%X", + index, sector->fs_off, sector->fs_size); return 0; } + + + + int flash_area_id_to_multi_image_slot(int image_index, int area_id) { switch (area_id) { diff --git a/boot/stm32/src/generate_key_pair.c b/boot/stm32/src/generate_key_pair.c new file mode 100644 index 0000000000..1280118852 --- /dev/null +++ b/boot/stm32/src/generate_key_pair.c 
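Review bot: When `fa` is NULL the new `flash_area_get_sector` silently substitutes slot 0 instead of failing, so a caller bug ends up returning geometry for the wrong area. Prefer `if (fa == NULL) return -1;`, and drop the per-call `BOOT_LOG_INF`, which emits a UART line for every sector lookup. The function comment should state that `off` and `fs_off` are relative to the start of the area, which is what the `off >= fa_ptr->fa_size` check assumes. The `%d`/`%X` specifiers are again used with `uint32_t` values.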
@@ -0,0 +1,130 @@ +#include +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" +#include "mbedtls/pk.h" +#include "mbedtls/ecp.h" +#include "stm32wlxx_hal.h" +#include "generate_key_pair/generate_key_pair.h" + +//RNG_HandleTypeDef hrng; + +//void MX_RNG_Init(void) +//{ +// +// RCC_PeriphCLKInitTypeDef PeriphClkInit = {0}; +// PeriphClkInit.PeriphClockSelection = RCC_PERIPHCLK_RNG; +// PeriphClkInit.RngClockSelection = RCC_RNGCLKSOURCE_MSI; +// HAL_RCCEx_PeriphCLKConfig(&PeriphClkInit); +// +// __HAL_RCC_RNG_CLK_ENABLE(); +// +// hrng.Instance = RNG; +// if (HAL_RNG_Init(&hrng) != HAL_OK) { +// Error_Handler(); +// } +// +// +// uint32_t dummy; +// for (int i = 0; i < 4; i++) { +// HAL_RNG_GenerateRandomNumber(&hrng, &dummy); +// } +//} + +int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) +{ + + (void)data; + uint32_t val; + size_t produced = 0; + // Warm-up + for (int i = 0; i < 8; i++) { + HAL_RNG_GenerateRandomNumber(&hrng, &val); + } + + boot_log_info("mbedtls_hardware_poll: ask %lu bytes", (unsigned long)len); + + + while (produced < len) { + if (HAL_RNG_GenerateRandomNumber(&hrng, &val) != HAL_OK) { + boot_log_info("RNG lecture fails at %lu/%lu bytes", (unsigned long)produced, (unsigned long)len); + *olen = produced; + return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; + } + + size_t copy_len = (len - produced >= 4) ? 
4 : (len - produced); + memcpy(output + produced, &val, copy_len); + produced += copy_len; + + boot_log_info("%08lX", + (unsigned long)val, + (unsigned long)produced, + (unsigned long)len); + + } + + *olen = produced; + boot_log_info("mbedtls_hardware_poll: total generate = %lu bytes", (unsigned long)*olen); + return 0; +} + +int gen_p256_keypair(mbedtls_pk_context *pk) +{ + int ret; + mbedtls_entropy_context entropy; + mbedtls_ctr_drbg_context ctr_drbg; + const unsigned char pers[] = "stm32-p256-keygenstm32-p256-keygen"; + + mbedtls_pk_init(pk); + mbedtls_entropy_init(&entropy); + mbedtls_ctr_drbg_init(&ctr_drbg); + + + ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_hardware_poll, NULL, + pers, sizeof(pers)-1); + if (ret != 0) { + boot_log_info("SEED FAIL ret=%d", ret); + goto cleanup; + } + + ret = mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)); + if (ret != 0) { + boot_log_info("PK_SETUP FAIL ret=%d", ret); + goto cleanup; + } + + ret = mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1, + mbedtls_pk_ec(*pk), + mbedtls_ctr_drbg_random, &ctr_drbg); + if (ret != 0) { + boot_log_info("GEN_KEY FAIL ret=%d", ret); + goto cleanup; + } + + +cleanup: + mbedtls_ctr_drbg_free(&ctr_drbg); + mbedtls_entropy_free(&entropy); + return ret; +} + +void dump_p256(const mbedtls_pk_context *pk) +{ + const mbedtls_ecp_keypair *eckey = mbedtls_pk_ec(*pk); + unsigned char buf[32]; + memset(buf,0, sizeof buf); + mbedtls_mpi_write_binary(&eckey->private_d, buf, 32); + boot_log_info("Private key d = "); + for (int i = 0; i < 32; i++) boot_log_info("%02X", buf[i]); + boot_log_info("\n"); + + mbedtls_mpi_write_binary(&eckey->private_Q.private_X, buf, 32); + boot_log_info("Public key Q.X = "); + for (int i = 0; i < 32; i++) boot_log_info("%02X", buf[i]); + boot_log_info("\n"); + + mbedtls_mpi_write_binary(&eckey->private_Q.private_Y, buf, 32); + boot_log_info("Public key Q.Y = "); + for (int i = 0; i < 32; i++) boot_log_info("%02X", buf[i]); + boot_log_info("\n"); + +} 
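Review bot: gen_p256_keypair passes `mbedtls_hardware_poll` directly to `mbedtls_ctr_drbg_seed`, but the seed callback has the three-argument form `(void *, unsigned char *, size_t)` while the poll function takes a fourth `size_t *olen`. The final `*olen = produced` therefore writes through an argument the DRBG never supplied. The `entropy` context is initialised and freed but never used; register the poll function on it with `mbedtls_entropy_add_source(&entropy, mbedtls_hardware_poll, NULL, 32, MBEDTLS_ENTROPY_SOURCE_STRONG);` and seed with `mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, pers, sizeof(pers) - 1);`. The warm-up loop ignores the HAL status, so a failed RNG read goes unnoticed there. This file also logs every RNG word and `dump_p256` prints the private scalar `d`; neither belongs in a boot log.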
diff --git a/ext/mbedtls-asn1/include/mbedtls/mbedtls_config.h b/ext/mbedtls-asn1/include/mbedtls/mbedtls_config.h index 2fa14ebc36..83297cdac9 100644 --- a/ext/mbedtls-asn1/include/mbedtls/mbedtls_config.h +++ b/ext/mbedtls-asn1/include/mbedtls/mbedtls_config.h @@ -1,5 +1,8 @@ -/** - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved +/* + * Minimal configuration for using TLS in the bootloader + * + * Copyright (C) 2006-2021, ARM Limited, All Rights Reserved + * Copyright (C) 2016, Linaro Ltd * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may 
@@ -17,80 +20,77 @@ * This file is part of mbed TLS (https://tls.mbed.org) */ -#ifndef MBEDTLS_CONFIG_H -#define MBEDTLS_CONFIG_H +/* + * Minimal configuration for using TLS in the bootloader + * + * - RSA or ECDSA signature verification + */ + +#ifndef MCUBOOT_MBEDTLS_CONFIG_ECDSA +#define MCUBOOT_MBEDTLS_CONFIG_ECDSA -#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) -#define _CRT_SECURE_NO_DEPRECATE 1 +#ifdef CONFIG_MCUBOOT_SERIAL +/* Mcuboot uses mbedts-base64 for serial protocol encoding. */ +#define MBEDTLS_BASE64_C #endif -//#define MBEDTLS_PLATFORM_MEMORY -#define MBEDTLS_FS_IO -//#define MBEDTLS_VERSION_FEATURES +/* System support */ +#define MBEDTLS_PLATFORM_C +#define MBEDTLS_PLATFORM_MEMORY +#define MBEDTLS_MEMORY_BUFFER_ALLOC_C +#define MBEDTLS_NO_PLATFORM_ENTROPY +#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES + +/* STD functions */ +#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS + +#define MBEDTLS_PLATFORM_EXIT_ALT +#define MBEDTLS_PLATFORM_PRINTF_ALT +#define MBEDTLS_PLATFORM_SNPRINTF_ALT + +#if !defined(CONFIG_ARM) +#define MBEDTLS_HAVE_ASM +#endif + +#define MBEDTLS_ECDSA_C +#define MBEDTLS_ECDH_C + +/* mbed TLS modules */ #define MBEDTLS_ASN1_PARSE_C -#define MBEDTLS_BASE64_C +#define MBEDTLS_ASN1_WRITE_C +#define MBEDTLS_ECP_C +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#define MBEDTLS_ECP_NIST_OPTIM #define MBEDTLS_BIGNUM_C #define MBEDTLS_MD_C #define MBEDTLS_OID_C -#define MBEDTLS_PEM_PARSE_C +#define MBEDTLS_SHA256_C +#define MBEDTLS_SHA256_SMALLER +#define MBEDTLS_SHA224_C +#define MBEDTLS_AES_C -/** - * \def MBEDTLS_PLATFORM_C - * - * Enable the platform abstraction layer that allows you to re-assign - * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). - * - * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT - * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned - * above to be specified at runtime or compile time respectively. 
- * - * \note This abstraction layer must be enabled on Windows (including MSYS2) - * as other module rely on it for a fixed snprintf implementation. - * - * Module: library/platform.c - * Caller: Most other .c files - * - * This module enables abstraction of common (libc) functions. - */ -#define MBEDTLS_PLATFORM_C -/** - * \def MBEDTLS_TIMING_C - * - * Enable the semi-portable timing interface. - * - * \note The provided implementation only works on POSIX/Unix (including Linux, - * BSD and OS X) and Windows. On other platforms, you can either disable that - * module and provide your own implementations of the callbacks needed by - * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide - * your own implementation of the whole module by setting - * \c MBEDTLS_TIMING_ALT in the current file. - * - * \note See also our Knowledge Base article about porting to a new - * environment: - * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS - * - * Module: library/timing.c - * Caller: library/havege.c - * - * This module is used by the HAVEGE random number generator. - */ -#define MBEDTLS_TIMING_C +/* Bring in support for x509. */ +#define MBEDTLS_X509_USE_C +#define MBEDTLS_PK_C +#define MBEDTLS_PK_PARSE_C +#define MBEDTLS_X509_CRT_PARSE_C -//#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */ -//#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. 
*/ -//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */ +/* Save RAM by adjusting to our exact needs */ +//#define MBEDTLS_MPI_MAX_SIZE 32 -#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE) -#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE -#endif +//#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024 -#if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE) -#include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE -#elif defined(MBEDTLS_USER_CONFIG_FILE) -#include MBEDTLS_USER_CONFIG_FILE -#endif +///* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */ +//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 + +/* If encryption is being used, also enable the features needed for + * that. */ + +#define MBEDTLS_CIPHER_MODE_CTR +#define MBEDTLS_CIPHER_C +#define MBEDTLS_NIST_KW_C +#define MBEDTLS_CTR_DRBG_C -#include "check_config.h" -#endif /* MBEDTLS_CONFIG_H */ +#endif /* MCUBOOT_MBEDTLS_CONFIG_ECDSA */ From e66119f6a3cadbfa8cb95fad1f02e2de05759e06 Mon Sep 17 00:00:00 2001 From: "le noa, emilien" Date: Thu, 4 Sep 2025 17:35:33 +0200 Subject: [PATCH 05/35] key generator --- boot/stm32/include/key/key.h | 7 +++++ boot/stm32/src/generate_key_pair.c | 47 ++++++++++++++++++++++++++++++ boot/stm32/src/key.c | 33 +++++++++++---------- 3 files changed, 72 insertions(+), 15 deletions(-) create mode 100644 boot/stm32/include/key/key.h diff --git a/boot/stm32/include/key/key.h b/boot/stm32/include/key/key.h new file mode 100644 index 0000000000..bacb836396 --- /dev/null +++ b/boot/stm32/include/key/key.h @@ -0,0 +1,7 @@ +#ifndef KEY_H_ +#define KEY_H_ + +extern unsigned char enc_priv_key[]; +extern unsigned int enc_priv_key_len; + +#endif /* KEY_KEY_H_ */ diff --git a/boot/stm32/src/generate_key_pair.c b/boot/stm32/src/generate_key_pair.c index 1280118852..98f87ae7fb 100644 --- a/boot/stm32/src/generate_key_pair.c +++ b/boot/stm32/src/generate_key_pair.c 
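Review bot: This configuration enables MBEDTLS_CTR_DRBG_C and disables the built-in sources with MBEDTLS_NO_PLATFORM_ENTROPY and MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES, but the hunk does not define MBEDTLS_ENTROPY_C, so nothing here provides an entropy collector for the DRBG. If generate_key_pair.c is built against this file, add `#define MBEDTLS_ENTROPY_C` and register the hardware RNG explicitly with mbedtls_entropy_add_source() in the key-generation code. The header comment still says "RSA or ECDSA signature verification", although X.509 parsing, AES, NIST-KW and the DRBG are now enabled. A one-line comment per group saying which bootloader feature needs it would keep the crypto surface reviewable.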
@@ -5,7 +5,10 @@ #include "mbedtls/ecp.h" #include "stm32wlxx_hal.h" #include "generate_key_pair/generate_key_pair.h" +#include "key/key.h" +extern unsigned char enc_priv_key[]; +extern unsigned int enc_priv_key_len; //RNG_HandleTypeDef hrng; //void MX_RNG_Init(void) @@ -101,12 +104,56 @@ int gen_p256_keypair(mbedtls_pk_context *pk) } + ret = extract_private_key_to_enc_buffer(pk); + if (ret != 0) { + boot_log_info("PRIV_KEY_EXTRACT FAIL ret=%d", ret); + goto cleanup; + } + cleanup: mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); return ret; } +int extract_private_key_to_enc_buffer(const mbedtls_pk_context *pk) +{ + mbedtls_ecp_keypair *ec_key; + unsigned char priv_key_raw[32]; + int ret; + + + ec_key = mbedtls_pk_ec(*pk); + if (ec_key == NULL) { + return MBEDTLS_ERR_PK_TYPE_MISMATCH; + } + + + ret = mbedtls_mpi_write_binary(&(ec_key->private_d), priv_key_raw, 32); + if (ret != 0) { + boot_log_info("MPI write binary failed ret=%d", ret); + return ret; + } + + + if (enc_priv_key_len < 32) { + boot_log_info("enc_priv_key buffer too small: %d < 32", enc_priv_key_len); + return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; + } + + + memset(enc_priv_key, 0, enc_priv_key_len); + memcpy(enc_priv_key, priv_key_raw, 32); + + boot_log_info("Private key stored in enc_priv_key (32 bytes)"); + + + mbedtls_platform_zeroize(priv_key_raw, sizeof(priv_key_raw)); + + return 0; +} + + void dump_p256(const mbedtls_pk_context *pk) { const mbedtls_ecp_keypair *eckey = mbedtls_pk_ec(*pk); diff --git a/boot/stm32/src/key.c b/boot/stm32/src/key.c index 4242418a3c..41f8177564 100644 --- a/boot/stm32/src/key.c +++ b/boot/stm32/src/key.c @@ -6,6 +6,7 @@ #include #include +#include "key.h" #if !defined(MCUBOOT_HW_KEY) #if defined(MCUBOOT_SIGN_RSA) 
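Review bot: In extract_private_key_to_enc_buffer the `enc_priv_key_len < 32` branch returns after `mbedtls_mpi_write_binary` has already copied the private scalar into `priv_key_raw`, so that path leaves the key on the stack. Do the length check before the write, or add `mbedtls_platform_zeroize(priv_key_raw, sizeof(priv_key_raw));` before that return. The function is called from gen_p256_keypair above its definition and no prototype is visible in this patch, which is an implicit declaration in C99 and later. It also stores a raw 32-byte scalar in a buffer that `bootutil_enc_key` publishes with a length of 138, which looks like a different encoding from the DER blob it replaces; confirm against the consumer.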
@@ -44,21 +45,23 @@ const unsigned char ecdsa_pub_key[] = { }; const unsigned int ecdsa_pub_key_len = 91; -unsigned char enc_priv_key[] = { - 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, - 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20, - 0xf6, 0x1e, 0x51, 0x9d, 0xf8, 0xfa, 0xdd, 0xa1, 0xb7, 0xd9, 0xa9, 0x64, - 0x64, 0x3b, 0x54, 0xd0, 0x3d, 0xd0, 0x1f, 0xe5, 0x78, 0xd9, 0x17, 0x98, - 0xa5, 0x28, 0xca, 0xcc, 0x6b, 0x67, 0x9e, 0x06, 0xa1, 0x44, 0x03, 0x42, - 0x00, 0x04, 0x8a, 0x44, 0x73, 0x00, 0x94, 0xc9, 0x80, 0x27, 0x31, 0x0d, - 0x23, 0x36, 0x6b, 0xe9, 0x69, 0x9f, 0xcb, 0xc5, 0x7c, 0xc8, 0x44, 0x1a, - 0x93, 0xe6, 0xee, 0x7d, 0x86, 0xa6, 0xae, 0x5e, 0x93, 0x72, 0x74, 0xd9, - 0xe1, 0x5a, 0x1c, 0x9b, 0x65, 0x1a, 0x2b, 0x61, 0x41, 0x28, 0x02, 0x73, - 0x84, 0x12, 0x97, 0x3a, 0x2d, 0xa2, 0xa0, 0x67, 0x77, 0x02, 0xda, 0x67, - 0x1a, 0x4b, 0xdd, 0xd7, 0x71, 0xcc, -}; -static unsigned int enc_priv_key_len = 138; +//unsigned char enc_priv_key[] = { +// 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, +// 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, +// 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20, +// 0xf6, 0x1e, 0x51, 0x9d, 0xf8, 0xfa, 0xdd, 0xa1, 0xb7, 0xd9, 0xa9, 0x64, +// 0x64, 0x3b, 0x54, 0xd0, 0x3d, 0xd0, 0x1f, 0xe5, 0x78, 0xd9, 0x17, 0x98, +// 0xa5, 0x28, 0xca, 0xcc, 0x6b, 0x67, 0x9e, 0x06, 0xa1, 0x44, 0x03, 0x42, +// 0x00, 0x04, 0x8a, 0x44, 0x73, 0x00, 0x94, 0xc9, 0x80, 0x27, 0x31, 0x0d, +// 0x23, 0x36, 0x6b, 0xe9, 0x69, 0x9f, 0xcb, 0xc5, 0x7c, 0xc8, 0x44, 0x1a, +// 0x93, 0xe6, 0xee, 0x7d, 0x86, 0xa6, 0xae, 0x5e, 0x93, 0x72, 0x74, 0xd9, +// 0xe1, 0x5a, 0x1c, 0x9b, 0x65, 0x1a, 0x2b, 0x61, 0x41, 0x28, 0x02, 0x73, +// 0x84, 0x12, 0x97, 0x3a, 0x2d, 0xa2, 0xa0, 0x67, 0x77, 0x02, 0xda, 0x67, +// 0x1a, 0x4b, 0xdd, 0xd7, 0x71, 0xcc, +//}; +//static unsigned int enc_priv_key_len 
= 138; +unsigned char enc_priv_key[]; +unsigned int enc_priv_key_len = 138; const struct bootutil_key bootutil_enc_key = { .key = enc_priv_key, .len = &enc_priv_key_len, From acff7241b30de21fa1750921215179b5444439c8 Mon Sep 17 00:00:00 2001 From: "le noa, emilien" Date: Mon, 29 Sep 2025 16:49:21 +0200 Subject: [PATCH 06/35] Add generation key and convert to pkcs8 --- .vscode/settings.json | 5 + .../generate_key_pair/generate_key_pair.h | 7 +- boot/stm32/src/flash_map_backend.c | 28 +- boot/stm32/src/generate_key_pair.c | 143 +++++----- boot/stm32/src/key.c | 53 +++- ext/mbedtls-pkcs8/pkcs8secp256write.c | 256 ++++++++++++++++++ 6 files changed, 395 insertions(+), 97 deletions(-) create mode 100644 .vscode/settings.json create mode 100644 ext/mbedtls-pkcs8/pkcs8secp256write.c diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000000..15a1618e47 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,5 @@ +{ + "files.associations": { + "sign_key.h": "c" + } +} \ No newline at end of file diff --git a/boot/stm32/include/generate_key_pair/generate_key_pair.h b/boot/stm32/include/generate_key_pair/generate_key_pair.h index b12a20d70c..b91e2dc986 100644 --- a/boot/stm32/include/generate_key_pair/generate_key_pair.h +++ b/boot/stm32/include/generate_key_pair/generate_key_pair.h @@ -14,7 +14,12 @@ extern RNG_HandleTypeDef hrng; int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen); int gen_p256_keypair(mbedtls_pk_context *pk); void dump_p256(const mbedtls_pk_context *pk); - +void show_public_key_formatted(const mbedtls_pk_context *pk); +int export_privkey_der(mbedtls_pk_context *pk, + unsigned char **der_ptr, + size_t *der_len); +export_pub_pem(mbedtls_pk_context *pk); +dump_pkcs8_der_as_c_array(const mbedtls_pk_context *pk); #ifdef __cplusplus } diff --git a/boot/stm32/src/flash_map_backend.c b/boot/stm32/src/flash_map_backend.c index 8d7920ff03..85f35aa0ec 100644 --- a/boot/stm32/src/flash_map_backend.c 
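Review bot: `unsigned char enc_priv_key[];` at file scope is a tentative definition with no size, which C completes as a one-element array, while `enc_priv_key_len` stays at 138. The `memset(enc_priv_key, 0, enc_priv_key_len)` and 32-byte `memcpy` added in generate_key_pair.c then write well past the object. Give the buffer a real size and derive the length from it: `unsigned char enc_priv_key[138];` and `unsigned int enc_priv_key_len = sizeof(enc_priv_key);`. Dropping `static` from the length also makes it writable from any translation unit. The commented-out key bytes should be deleted rather than kept in the file.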
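Review bot: The last two prototypes added to generate_key_pair.h have no return type: `export_pub_pem(mbedtls_pk_context *pk);` and `dump_pkcs8_der_as_c_array(const mbedtls_pk_context *pk);`. Implicit int was removed in C99, and the definition of export_pub_pem in this commit returns int, so write `int export_pub_pem(mbedtls_pk_context *pk);`. No definition of dump_pkcs8_der_as_c_array or show_public_key_formatted is visible in this patch, so confirm their signatures or drop the declarations.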
+++ b/boot/stm32/src/flash_map_backend.c @@ -6,16 +6,16 @@ extern UART_HandleTypeDef huart1; -#define SLOT0_BASE 0x08010000 +#define SLOT0_BASE 0x08011000 //#define SLOT0_BASE 0x0800C000 -//#define SLOT1_BASE 0x08025000 -#define SLOT1_BASE 0x08020000 -#define SCRATCH_BASE 0x0803F000 +#define SLOT1_BASE 0x08021000 +//#define SLOT1_BASE 0x08026000 +//#define SCRATCH_BASE 0x0803000 -#define SLOT_SIZE 0x19000 -#define SCRATCH_SIZE 0x1000 -#define SECTOR_SIZE 0x4000 +#define SLOT_SIZE 0x10000 +//#define SCRATCH_SIZE 0x1000 +#define SECTOR_SIZE 0x1000 #define SECTOR_COUNT (SLOT_SIZE / SECTOR_SIZE) static struct flash_area slot0 = { @@ -32,18 +32,18 @@ static struct flash_area slot1 = { .fa_size = SLOT_SIZE, }; -static struct flash_area slot2 = { - .fa_id = 2, - .fa_device_id = 0, - .fa_off = SCRATCH_BASE, - .fa_size = SCRATCH_SIZE, -}; +//static struct flash_area slot2 = { +// .fa_id = 2, +// .fa_device_id = 0, +// .fa_off = SCRATCH_BASE, +// .fa_size = SCRATCH_SIZE, +//}; int flash_area_open(uint8_t id, const struct flash_area **fa) { switch (id) { case 0: *fa = &slot0; return 0; case 1: *fa = &slot1; return 0; - case 2: *fa = &slot2; return 0; +// case 2: *fa = &slot2; return 0; default: char msg[64]; snprintf(msg, sizeof(msg), "Unknown slot id (%d)\r\n", id); diff --git a/boot/stm32/src/generate_key_pair.c b/boot/stm32/src/generate_key_pair.c index 98f87ae7fb..06309a74c8 100644 --- a/boot/stm32/src/generate_key_pair.c +++ b/boot/stm32/src/generate_key_pair.c 
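Review bot: The slot layout is changed by editing independent literals (SLOT0_BASE, SLOT1_BASE, SLOT_SIZE, SECTOR_SIZE) with nothing that checks they stay consistent. A compile-time guard would catch a bad edit before it reaches flash: `_Static_assert(SLOT0_BASE + SLOT_SIZE <= SLOT1_BASE, "slots overlap");` and `_Static_assert(SLOT_SIZE % SECTOR_SIZE == 0, "slot not sector aligned");`. SECTOR_SIZE should also be confirmed against the device's flash erase granularity, since a mismatch lets an erase touch a neighbouring region. The disabled alternatives (`//#define SLOT1_BASE 0x08026000`, `//#define SCRATCH_BASE 0x0803000`) are better deleted than left as commented values.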
@@ -6,32 +6,11 @@ #include "stm32wlxx_hal.h" #include "generate_key_pair/generate_key_pair.h" #include "key/key.h" +#include "bootutil_log.h" extern unsigned char enc_priv_key[]; extern unsigned int enc_priv_key_len; -//RNG_HandleTypeDef hrng; - -//void MX_RNG_Init(void) -//{ -// -// RCC_PeriphCLKInitTypeDef PeriphClkInit = {0}; -// PeriphClkInit.PeriphClockSelection = RCC_PERIPHCLK_RNG; -// PeriphClkInit.RngClockSelection = RCC_RNGCLKSOURCE_MSI; -// HAL_RCCEx_PeriphCLKConfig(&PeriphClkInit); -// -// __HAL_RCC_RNG_CLK_ENABLE(); -// -// hrng.Instance = RNG; -// if (HAL_RNG_Init(&hrng) != HAL_OK) { -// Error_Handler(); -// } -// -// -// uint32_t dummy; -// for (int i = 0; i < 4; i++) { -// HAL_RNG_GenerateRandomNumber(&hrng, &dummy); -// } -//} + int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) { @@ -49,7 +28,7 @@ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t while (produced < len) { if (HAL_RNG_GenerateRandomNumber(&hrng, &val) != HAL_OK) { - boot_log_info("RNG lecture fails at %lu/%lu bytes", (unsigned long)produced, (unsigned long)len); + BOOT_LOG_ERR("RNG reads fails at %lu/%lu bytes", (unsigned long)produced, (unsigned long)len); *olen = produced; return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; } @@ -58,15 +37,12 @@ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t memcpy(output + produced, &val, copy_len); produced += copy_len; - boot_log_info("%08lX", - (unsigned long)val, - (unsigned long)produced, - (unsigned long)len); + boot_log_info("%08lX",(unsigned long)val,(unsigned long)produced,(unsigned long)len); } *olen = produced; - boot_log_info("mbedtls_hardware_poll: total generate = %lu bytes", (unsigned long)*olen); + boot_log_info("mbedtls_hardware_poll: total generated = %lu bytes", (unsigned long)*olen); return 0; } 
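Review bot: `boot_log_info("%08lX",(unsigned long)val,(unsigned long)produced,(unsigned long)len);` in the third hunk still writes every word returned by the hardware RNG to the boot log. Those words are the seed material for the DRBG that generates the P-256 key, so the key's secrecy then depends on nobody reading the log. Delete the line; the byte-count messages before and after the loop are enough for diagnostics. The call also passes three arguments to a format with a single conversion. mbedtls_hardware_poll starts and ends outside these hunks.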
@@ -81,97 +57,104 @@ int gen_p256_keypair(mbedtls_pk_context *pk) mbedtls_entropy_init(&entropy); mbedtls_ctr_drbg_init(&ctr_drbg); - - ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_hardware_poll, NULL, - pers, sizeof(pers)-1); + ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_hardware_poll, NULL,pers, sizeof(pers)-1); if (ret != 0) { - boot_log_info("SEED FAIL ret=%d", ret); + BOOT_LOG_ERR("SEED FAIL ret=%d", ret); goto cleanup; } ret = mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)); if (ret != 0) { - boot_log_info("PK_SETUP FAIL ret=%d", ret); + BOOT_LOG_ERR("PK_SETUP FAIL ret=%d", ret); goto cleanup; } - ret = mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1, - mbedtls_pk_ec(*pk), - mbedtls_ctr_drbg_random, &ctr_drbg); + ret = mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1, mbedtls_pk_ec(*pk),mbedtls_ctr_drbg_random, &ctr_drbg); if (ret != 0) { - boot_log_info("GEN_KEY FAIL ret=%d", ret); + BOOT_LOG_ERR("GEN_KEY FAIL ret=%d", ret); goto cleanup; } - ret = extract_private_key_to_enc_buffer(pk); - if (ret != 0) { - boot_log_info("PRIV_KEY_EXTRACT FAIL ret=%d", ret); - goto cleanup; - } - cleanup: mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); return ret; } -int extract_private_key_to_enc_buffer(const mbedtls_pk_context *pk) -{ - mbedtls_ecp_keypair *ec_key; - unsigned char priv_key_raw[32]; - int ret; - - ec_key = mbedtls_pk_ec(*pk); - if (ec_key == NULL) { - return MBEDTLS_ERR_PK_TYPE_MISMATCH; - } - - ret = mbedtls_mpi_write_binary(&(ec_key->private_d), priv_key_raw, 32); - if (ret != 0) { - boot_log_info("MPI write binary failed ret=%d", ret); - return ret; - } +int export_privkey_der(mbedtls_pk_context *pk, + unsigned char **der_ptr, + size_t *der_len) { + static unsigned char buf[800]; + int ret; - if (enc_priv_key_len < 32) { - boot_log_info("enc_priv_key buffer too small: %d < 32", enc_priv_key_len); - return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; + int len = mbedtls_pk_write_keypkcs8_der(pk, buf, sizeof(buf)); + if (len < 0) { + 
BOOT_LOG_ERR("fails write pkcs8 der"); + return len; } - - memset(enc_priv_key, 0, enc_priv_key_len); - memcpy(enc_priv_key, priv_key_raw, 32); - - boot_log_info("Private key stored in enc_priv_key (32 bytes)"); - - - mbedtls_platform_zeroize(priv_key_raw, sizeof(priv_key_raw)); + *der_ptr = buf + sizeof(buf) - len; + *der_len = (size_t)len; return 0; } + void dump_p256(const mbedtls_pk_context *pk) { const mbedtls_ecp_keypair *eckey = mbedtls_pk_ec(*pk); unsigned char buf[32]; memset(buf,0, sizeof buf); mbedtls_mpi_write_binary(&eckey->private_d, buf, 32); - boot_log_info("Private key d = "); - for (int i = 0; i < 32; i++) boot_log_info("%02X", buf[i]); - boot_log_info("\n"); + BOOT_LOG_DBG("Private key d = "); + for (int i = 0; i < 32; i++) BOOT_LOG_DBG("%02X", buf[i]); + BOOT_LOG_DBG("\n"); mbedtls_mpi_write_binary(&eckey->private_Q.private_X, buf, 32); - boot_log_info("Public key Q.X = "); - for (int i = 0; i < 32; i++) boot_log_info("%02X", buf[i]); - boot_log_info("\n"); + BOOT_LOG_DBG("Public key Q.X = "); + for (int i = 0; i < 32; i++) BOOT_LOG_DBG("%02X", buf[i]); + BOOT_LOG_DBG("\n"); mbedtls_mpi_write_binary(&eckey->private_Q.private_Y, buf, 32); - boot_log_info("Public key Q.Y = "); - for (int i = 0; i < 32; i++) boot_log_info("%02X", buf[i]); - boot_log_info("\n"); + BOOT_LOG_DBG("Public key Q.Y = "); + for (int i = 0; i < 32; i++) BOOT_LOG_DBG("%02X", buf[i]); + BOOT_LOG_DBG("\n"); } + +int export_pub_pem(mbedtls_pk_context *pk) { + unsigned char buf[800]; + unsigned char buf1[800]; + int ret; + + ret = mbedtls_pk_write_pubkey_pem(pk, buf, sizeof(buf)); + if (ret != 0) { + + return ret; + } + + ret = mbedtls_pk_write_key_pem(pk, buf1, sizeof(buf1)); + if (ret != 0) { + + return ret; + } + + char *line = strtok((char *)buf,"\n"); + while(line != NULL){ + BOOT_LOG_DBG("%s", line); + line = strtok(NULL,"\n"); + } + + char *line1 = strtok((char *)buf1,"\n"); + while(line1 != NULL){ + BOOT_LOG_DBG("%s", line1); + line1 = strtok(NULL,"\n"); + } + + return 
0; +} diff --git a/boot/stm32/src/key.c b/boot/stm32/src/key.c index 41f8177564..2c1681a0c2 100644 --- a/boot/stm32/src/key.c +++ b/boot/stm32/src/key.c 
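Review bot: export_pub_pem, despite its name, also serialises the private key with `mbedtls_pk_write_key_pem` into `buf1` and logs it line by line, and dump_p256 still prints the private scalar `d`, now at debug level. Private key material should not reach the log at any level. Remove the `mbedtls_pk_write_key_pem` block and the `Private key d` lines, or compile them only under an explicit, off-by-default provisioning macro. export_privkey_der keeps the DER private key in a `static` 800-byte buffer that is never wiped and returns a pointer into it, so its contract should say the caller must `mbedtls_platform_zeroize` the region after use. Its `int ret` is unused, and both error returns in export_pub_pem are silent.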
@@ -59,9 +59,58 @@ const unsigned int ecdsa_pub_key_len = 91; // 0x84, 0x12, 0x97, 0x3a, 0x2d, 0xa2, 0xa0, 0x67, 0x77, 0x02, 0xda, 0x67, // 0x1a, 0x4b, 0xdd, 0xd7, 0x71, 0xcc, //}; -//static unsigned int enc_priv_key_len = 138; -unsigned char enc_priv_key[]; +//unsigned int enc_priv_key_len = 138; + +//unsigned char enc_priv_key[] = { +// 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, +// 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, +// 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20, +// 0x7a, 0xcf, 0xe8, 0xe1, 0x96, 0x48, 0xc3, 0x7f, 0x37, 0x18, 0x17, 0x1f, +// 0x4d, 0x01, 0xf6, 0x31, 0xfc, 0x6c, 0x85, 0x55, 0x56, 0xf1, 0x93, 0xd0, +// 0x0d, 0x3a, 0xc0, 0xc6, 0xf8, 0x81, 0xfc, 0x33, 0xa1, 0x44, 0x03, 0x42, +// 0x00, 0x04, 0x92, 0xcc, 0x03, 0xdf, 0xd2, 0xc4, 0x05, 0xa0, 0x65, 0x36, +// 0x89, 0xaa, 0x66, 0xf1, 0x11, 0xf0, 0x0d, 0x83, 0x13, 0x14, 0x22, 0xb3, +// 0x0b, 0xc9, 0x88, 0xf9, 0x47, 0xc4, 0x7a, 0x28, 0xf5, 0xe8, 0x42, 0x30, +// 0xfb, 0xeb, 0x5d, 0x47, 0x2a, 0x74, 0x3f, 0xd5, 0xbd, 0x2c, 0xe1, 0xb5, +// 0x13, 0xf8, 0x78, 0x69, 0x53, 0x58, 0x0d, 0xf1, 0x24, 0xe3, 0x5e, 0x5c, +// 0x7c, 0x1a, 0xe5, 0xe4, 0xf4, 0xa7 +//}; +// unsigned int enc_priv_key_len = 138; + +// unsigned char enc_priv_key[] = { +// 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, +// 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, +// 0x03, 0x01, 0x07, 0x04, 0x6D, 0x30, 0x6B, 0x02, 0x01, 0x00, 0x04, 0x20, +// 0x0E, 0x5C, 0xB2, 0xD9, 0x8A, 0x66, 0xC7, 0xF8, 0x32, 0xCD, 0x82, 0x04, +// 0xF4, 0x5C, 0x52, 0x0C, 0x19, 0xC8, 0xF8, 0xB5, 0x44, 0x8B, 0xD7, 0x9D, +// 0x1A, 0x19, 0x6D, 0x37, 0x85, 0x4F, 0xB5, 0xDB, 0xA1, 0x44, 0x03, 0x42, +// 0x00, 0x04, 0xD3, 0x68, 0x53, 0xB8, 0x72, 0xFA, 0x9B, 0x35, 0xF9, 0xCC, +// 0x08, 0x78, 0x40, 0x4A, 0xCB, 0x3B, 0xDB, 0xA0, 0xAC, 0xE5, 0x8A, 0x42, +// 0xBA, 0x9E, 0x2F, 0x64, 0x06, 0x6D, 0x98, 0xFC, 0xA3, 0x8A, 0x47, 0x5A, +// 0x93, 0x8D, 
0xF4, 0xEF, 0xBE, 0xEE, 0x68, 0xA2, 0x09, 0x02, 0xA8, 0xB2, +// 0xEB, 0x42, 0xC8, 0x12, 0xE6, 0x45, 0x14, 0x23, 0x66, 0x43, 0x50, 0x8A, +// 0x13, 0x70, 0xA6, 0xBB, 0x1E, 0xF2 +// }; +// unsigned int enc_priv_key_len = 138; + +unsigned char enc_priv_key[] = { + 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, + 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20, + 0x0e, 0x5c, 0xb2, 0xd9, 0x8a, 0x66, 0xc7, 0xf8, 0x32, 0xcd, 0x82, 0x04, + 0xf4, 0x5c, 0x52, 0x0c, 0x19, 0xc8, 0xf8, 0xb5, 0x44, 0x8b, 0xd7, 0x9d, + 0x1a, 0x19, 0x6d, 0x37, 0x85, 0x4f, 0xb5, 0xdb, 0xa1, 0x44, 0x03, 0x42, + 0x00, 0x04, 0xd3, 0x68, 0x53, 0xb8, 0x72, 0xfa, 0x9b, 0x35, 0xf9, 0xcc, + 0x08, 0x78, 0x40, 0x4a, 0xcb, 0x3b, 0xdb, 0xa0, 0xac, 0xe5, 0x8a, 0x42, + 0xba, 0x9e, 0x2f, 0x64, 0x06, 0x6d, 0x98, 0xfc, 0xa3, 0x8a, 0x47, 0x5a, + 0x93, 0x8d, 0xf4, 0xef, 0xbe, 0xee, 0x68, 0xa2, 0x09, 0x02, 0xa8, 0xb2, + 0xeb, 0x42, 0xc8, 0x12, 0xe6, 0x45, 0x14, 0x23, 0x66, 0x43, 0x50, 0x8a, + 0x13, 0x70, 0xa6, 0xbb, 0x1e, 0xf2 +}; unsigned int enc_priv_key_len = 138; + +//unsigned char enc_priv_key[]; +//unsigned int enc_priv_key_len = 138; const struct bootutil_key bootutil_enc_key = { .key = enc_priv_key, .len = &enc_priv_key_len, diff --git a/ext/mbedtls-pkcs8/pkcs8secp256write.c b/ext/mbedtls-pkcs8/pkcs8secp256write.c new file mode 100644 index 0000000000..d37301e023 --- /dev/null +++ b/ext/mbedtls-pkcs8/pkcs8secp256write.c 
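Review bot: This hunk commits a PKCS#8 EC private key as the initialiser of `enc_priv_key`, plus further complete private keys in comments. Anything in repository history is readable by everyone with access to it, so images encrypted to these keys cannot be treated as confidential. Treat the keys as compromised, delete the commented blocks, and have the build or provisioning step supply the key (for example from a generated, untracked header) instead of a literal in key.c. `enc_priv_key_len` would be safer as `sizeof(enc_priv_key)` than as a hand-maintained 138.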
@@ -0,0 +1,256 @@ +#include "common.h" + +#if defined(MBEDTLS_PK_WRITE_C) + +#include "mbedtls/pk.h" +#include "mbedtls/asn1write.h" +#include "mbedtls/oid.h" +#include "mbedtls/platform_util.h" +#include "mbedtls/error.h" +#include "pk_internal.h" + +#endif +#include + +#if defined(MBEDTLS_ECP_C) +#include "mbedtls/bignum.h" +#include "mbedtls/ecp.h" +#include "mbedtls/platform_util.h" +#endif +#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) +#include "pk_internal.h" +#endif +#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_HAVE_ECC_KEYS) +#include "pkwrite.h" +#endif +#if defined(MBEDTLS_PEM_WRITE_C) +#include "mbedtls/pem.h" +#endif + +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) +#define PK_MAX_EC_PUBLIC_KEY_SIZE PSA_EXPORT_PUBLIC_KEY_MAX_SIZE +#define PK_MAX_EC_KEY_PAIR_SIZE MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH +#elif defined(MBEDTLS_USE_PSA_CRYPTO) +#define PK_MAX_EC_PUBLIC_KEY_SIZE PSA_EXPORT_PUBLIC_KEY_MAX_SIZE +#define PK_MAX_EC_KEY_PAIR_SIZE MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH +#else +#define PK_MAX_EC_PUBLIC_KEY_SIZE MBEDTLS_ECP_MAX_PT_LEN +#define PK_MAX_EC_KEY_PAIR_SIZE MBEDTLS_ECP_MAX_BYTES +#endif + +static mbedtls_pk_type_t pk_get_type_ext(const mbedtls_pk_context *pk) +{ + mbedtls_pk_type_t pk_type = mbedtls_pk_get_type(pk); + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if (pk_type == MBEDTLS_PK_OPAQUE) { + psa_key_attributes_t opaque_attrs = PSA_KEY_ATTRIBUTES_INIT; + psa_key_type_t opaque_key_type; + + if (psa_get_key_attributes(pk->priv_id, &opaque_attrs) != PSA_SUCCESS) { + return MBEDTLS_PK_NONE; + } + opaque_key_type = psa_get_key_type(&opaque_attrs); + psa_reset_key_attributes(&opaque_attrs); + + if (PSA_KEY_TYPE_IS_ECC(opaque_key_type)) { + return MBEDTLS_PK_ECKEY; + } else if (PSA_KEY_TYPE_IS_RSA(opaque_key_type)) { + return MBEDTLS_PK_RSA; + } else { + return MBEDTLS_PK_NONE; + } + } else +#endif + return pk_type; +} + +static int pk_write_ec_private(unsigned char **p, unsigned char *start, + const mbedtls_pk_context *pk) +{ + size_t byte_length; + int ret = 
MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char tmp[PK_MAX_EC_KEY_PAIR_SIZE]; + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; + if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) { + status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length); + if (status != PSA_SUCCESS) { + ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status); + return ret; + } + } else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + { + mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk); + byte_length = (ec->grp.pbits + 7) / 8; + + ret = mbedtls_ecp_write_key_ext(ec, &byte_length, tmp, sizeof(tmp)); + if (ret != 0) { + goto exit; + } + } + ret = mbedtls_asn1_write_octet_string(p, start, tmp, byte_length); +exit: + mbedtls_platform_zeroize(tmp, sizeof(tmp)); + return ret; +} + +static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start, + const mbedtls_pk_context *pk) +{ + size_t len = 0; + unsigned char buf[PK_MAX_EC_PUBLIC_KEY_SIZE]; + mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk); + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) { + if (psa_export_public_key(pk->priv_id, buf, sizeof(buf), &len) != PSA_SUCCESS) { + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + } + *p -= len; + memcpy(*p, buf, len); + return (int) len; + } else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + { + if ((ret = mbedtls_ecp_point_write_binary(&ec->grp, &ec->Q, + MBEDTLS_ECP_PF_UNCOMPRESSED, + &len, buf, sizeof(buf))) != 0) { + return ret; + } + } + + if (*p < start || (size_t) (*p - start) < len) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } + + *p -= len; + memcpy(*p, buf, len); + + return (int) len; +} + + +#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) +/*=====Encodes an EC private key into PKCS#8 DER format.=====*/ +static int pk_write_ecpkcs8_der(unsigned char **p, unsigned char *buf, + const mbedtls_pk_context *pk) +{ + + + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len = 0; + size_t pubkey_raw_len = 0; + size_t 
pubkey_bitstring_len = 0; + size_t pubkey_block_len = 0; + size_t ec_privkey_len = 0; + size_t alg_id_len = 0; + + /* ========publicKey========= */ + MBEDTLS_ASN1_CHK_ADD(pubkey_raw_len, pk_write_ec_pubkey(p, buf, pk)); + + if (*p - buf < 1) + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + + (*p)--; + **p = 0; + pubkey_raw_len += 1; + + /*bit string publicKey*/ + MBEDTLS_ASN1_CHK_ADD(pubkey_bitstring_len, mbedtls_asn1_write_len(p, buf, pubkey_raw_len)); + MBEDTLS_ASN1_CHK_ADD(pubkey_bitstring_len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_BIT_STRING)); + + pubkey_block_len = pubkey_raw_len + pubkey_bitstring_len; + + /*bit string publicKey in a specific tag 1 */ + MBEDTLS_ASN1_CHK_ADD(pubkey_block_len, mbedtls_asn1_write_len(p, buf, pubkey_block_len)); + MBEDTLS_ASN1_CHK_ADD(pubkey_block_len, mbedtls_asn1_write_tag(p, buf, + MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1)); + + len += pubkey_block_len; + + /* ======privateKey====== */ + MBEDTLS_ASN1_CHK_ADD(ec_privkey_len, pk_write_ec_private(p, buf, pk)); + + /* version privateKey */ + MBEDTLS_ASN1_CHK_ADD(ec_privkey_len, mbedtls_asn1_write_int(p, buf, 1)); + + ec_privkey_len += pubkey_block_len; + + /* sequence privateKey */ + MBEDTLS_ASN1_CHK_ADD(ec_privkey_len, mbedtls_asn1_write_len(p, buf, ec_privkey_len)); + MBEDTLS_ASN1_CHK_ADD(ec_privkey_len, mbedtls_asn1_write_tag(p, buf, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)); + + /* octet string privateKey */ + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, ec_privkey_len)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_OCTET_STRING)); + + + len += ec_privkey_len - pubkey_block_len; + + /*======AlgotithmIdentifier=====*/ + MBEDTLS_ASN1_CHK_ADD(alg_id_len, mbedtls_asn1_write_oid(p, buf, + MBEDTLS_OID_EC_GRP_SECP256R1, + MBEDTLS_OID_SIZE(MBEDTLS_OID_EC_GRP_SECP256R1))); + + /*id-ecPublicKey*/ + const char oid_ec_public_key[] = MBEDTLS_OID_EC_ALG_UNRESTRICTED; + MBEDTLS_ASN1_CHK_ADD(alg_id_len, 
mbedtls_asn1_write_oid(p, buf, + oid_ec_public_key, strlen(oid_ec_public_key))); + + /*oid sequence*/ + MBEDTLS_ASN1_CHK_ADD(alg_id_len, mbedtls_asn1_write_len(p, buf, alg_id_len)); + MBEDTLS_ASN1_CHK_ADD(alg_id_len, mbedtls_asn1_write_tag(p, buf, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)); + /* version */ + size_t version_len = 0; + MBEDTLS_ASN1_CHK_ADD(version_len, mbedtls_asn1_write_int(p, buf, 0)); + + /*SEQUENCE*/ + size_t total_len = version_len + alg_id_len + len; + + MBEDTLS_ASN1_CHK_ADD(total_len, mbedtls_asn1_write_len(p, buf, total_len)); + MBEDTLS_ASN1_CHK_ADD(total_len, mbedtls_asn1_write_tag(p, buf, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)); + + len += total_len - len; + + + return (int) len; +} +#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ + + +int mbedtls_pk_write_keypkcs8_der(const mbedtls_pk_context *key, unsigned char *buf, size_t size) +{ + unsigned char *c; + + if (size == 0) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } + + c = buf + size; + +#if defined(MBEDTLS_RSA_C) + if (pk_get_type_ext(key) == MBEDTLS_PK_RSA) { + return pk_write_rsa_der(&c, buf, key); + } else +#endif /* MBEDTLS_RSA_C */ +#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) + if (pk_get_type_ext(key) == MBEDTLS_PK_ECKEY) { +#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES) + if (mbedtls_pk_is_rfc8410(key)) { + return pk_write_ec_rfc8410_der(&c, buf, key); + } +#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */ + return pk_write_ecpkcs8_der(&c, buf, key); + } else +#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ + return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; +} + + From f3fee2269fb36d5472d4c828e1a72bb2497219a0 Mon Sep 17 00:00:00 2001 
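Review bot: In pk_write_ec_pubkey the MBEDTLS_USE_PSA_CRYPTO branch does `*p -= len; memcpy(*p, buf, len);` and returns before the `*p < start || (size_t) (*p - start) < len` check that protects the non-PSA path. An opaque key can therefore be written in front of the output buffer. Remove the early decrement, copy and return from that branch so both paths fall through to the shared bounds check. pk_write_ecpkcs8_der also always writes the secp256r1 OID without looking at the key's group; reject other curves first with `if (mbedtls_pk_ec(*pk)->grp.id != MBEDTLS_ECP_DP_SECP256R1) return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;`. The includes are guarded by MBEDTLS_PK_WRITE_C while mbedtls_pk_write_keypkcs8_der is defined unconditionally, and pk_write_rsa_der and pk_write_ec_rfc8410_der are not defined in this file.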
From: "le noa, emilien" Date: Mon, 6 Oct 2025 09:32:41 +0200 Subject: [PATCH 07/35] Add macro --- .../include/flash_map_backend/flash_map_backend.h | 2 +- boot/stm32/include/mcuboot_config/mcuboot_logging.h | 2 +- boot/stm32/include/mcuboot_config/mcuboot_rng.h | 9 +++++++++ boot/stm32/include/rng_stm32/rng_stm32.h | 10 ++++++++++ boot/stm32/src/generate_key_pair.c | 4 +++- boot/stm32/src/rng_stm32.c | 9 +++++++++ 6 files changed, 33 insertions(+), 3 deletions(-) create mode 100644 boot/stm32/include/mcuboot_config/mcuboot_rng.h create mode 100644 boot/stm32/include/rng_stm32/rng_stm32.h create mode 100644 boot/stm32/src/rng_stm32.c diff --git a/boot/stm32/include/flash_map_backend/flash_map_backend.h b/boot/stm32/include/flash_map_backend/flash_map_backend.h index fb7f9b028f..bf5b4f85ed 100644 --- a/boot/stm32/include/flash_map_backend/flash_map_backend.h +++ b/boot/stm32/include/flash_map_backend/flash_map_backend.h @@ -43,7 +43,7 @@ int flash_area_to_sectors(int idx, int *cnt, struct flash_area *fa); int flash_area_id_from_multi_image_slot(int image_index, int slot); int flash_area_id_from_image_slot(int slot); - +int flash_area_id_to_multi_image_slot(int image_index, int area_id); static inline uint8_t flash_area_get_id(const struct flash_area *fa) { return fa->fa_id; diff --git a/boot/stm32/include/mcuboot_config/mcuboot_logging.h b/boot/stm32/include/mcuboot_config/mcuboot_logging.h index c1d393d4e0..68abfdff61 100644 --- a/boot/stm32/include/mcuboot_config/mcuboot_logging.h +++ b/boot/stm32/include/mcuboot_config/mcuboot_logging.h @@ -11,4 +11,4 @@ #define MCUBOOT_LOG_MODULE_DECLARE(...) #define MCUBOOT_LOG_MODULE_REGISTER(...) -#endif /* __MCUBOOT_LOGGING_H__ */ +#endif /* __MCUBOOT_LOGGING_H__ */ \ No newline at end of file diff --git a/boot/stm32/include/mcuboot_config/mcuboot_rng.h b/boot/stm32/include/mcuboot_config/mcuboot_rng.h new file mode 100644 index 0000000000..db677df176 --- /dev/null +++ b/boot/stm32/include/mcuboot_config/mcuboot_rng.h 
@@ -0,0 +1,9 @@ +#ifndef __MCUBOOT_RNG_H__ +#define __MCUBOOT_RNG_H__ + +#include "rng_stm32.h" + +#define MCUBOOT_RNG_STM32(...) generator_rng_stm32(__VA_ARGS__) + + +#endif /* __MCUBOOT_RNG_H__ */ diff --git a/boot/stm32/include/rng_stm32/rng_stm32.h b/boot/stm32/include/rng_stm32/rng_stm32.h new file mode 100644 index 0000000000..bdb481c851 --- /dev/null +++ b/boot/stm32/include/rng_stm32/rng_stm32.h @@ -0,0 +1,10 @@ +#ifndef _STM32_RNG_H_ +#define _STM32_RNG_H_ + +#include "stm32wlxx_hal.h" + +extern RNG_HandleTypeDef hrng; + +HAL_StatusTypeDef generator_rng_stm32( uint32_t* val); + +#endif /*_STM32_RNG_H_*/ diff --git a/boot/stm32/src/generate_key_pair.c b/boot/stm32/src/generate_key_pair.c index 06309a74c8..c845363a9a 100644 --- a/boot/stm32/src/generate_key_pair.c +++ b/boot/stm32/src/generate_key_pair.c @@ -7,6 +7,7 @@ #include "generate_key_pair/generate_key_pair.h" #include "key/key.h" #include "bootutil_log.h" +#include "mcuboot_rng.h" extern unsigned char enc_priv_key[]; extern unsigned int enc_priv_key_len; @@ -20,7 +21,8 @@ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t size_t produced = 0; // Warm-up for (int i = 0; i < 8; i++) { - HAL_RNG_GenerateRandomNumber(&hrng, &val); +// HAL_RNG_GenerateRandomNumber(&hrng, &val); + MCUBOOT_RNG(&val); } boot_log_info("mbedtls_hardware_poll: ask %lu bytes", (unsigned long)len); diff --git a/boot/stm32/src/rng_stm32.c b/boot/stm32/src/rng_stm32.c new file mode 100644 index 0000000000..ad485b2a0b --- /dev/null +++ b/boot/stm32/src/rng_stm32.c @@ -0,0 +1,9 @@ +#include "stm32wlxx_hal.h" + +RNG_HandleTypeDef hhrng; + +HAL_StatusTypeDef generator_rng_stm32(uint32_t* val){ + + return HAL_RNG_GenerateRandomNumber(&hhrng, val); +} + From 94481f3d567e4774dc8f3a899f6848867c628bfc Mon Sep 17 00:00:00 2001 
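Review bot: The macro defined in mcuboot_rng.h is `MCUBOOT_RNG_STM32`, but the generate_key_pair.c hunk of this same commit calls `MCUBOOT_RNG(&val)`, so the call site has no definition behind it. Name the macro the way it is used, `#define MCUBOOT_RNG(...) generator_rng_stm32(__VA_ARGS__)`, or change the call to match. As committed, the file that produces entropy for key generation would not build or would resolve to an undeclared function.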
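Review bot: The warm-up loop in mbedtls_hardware_poll discards the status returned by the RNG wrapper, so a generator that is not ready or reports an error goes unnoticed before its output is used. Check it where it is called, for example `if (MCUBOOT_RNG(&val) != HAL_OK) { *olen = 0; return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; }`. The commented-out `HAL_RNG_GenerateRandomNumber` line should be deleted rather than kept. The function body continues outside the hunk.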
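Review bot: rng_stm32.c defines a new handle `hhrng` that nothing in the file initialises, while rng_stm32.h declares `extern RNG_HandleTypeDef hrng;`, so generator_rng_stm32() hands the HAL a zero-filled handle instead of the one that is presumably set up elsewhere. For an entropy source that feeds key generation this must not be left to chance: drop the local definition, include "rng_stm32.h" in the source file, and call `HAL_RNG_GenerateRandomNumber(&hrng, val)`. Including the file's own header would also have caught the name mismatch at compile time.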
From: "le noa, emilien" Date: Mon, 6 Oct 2025 17:17:22 +0200 Subject: [PATCH 08/35] Add comments generate_key --- boot/stm32/src/generate_key_pair.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/boot/stm32/src/generate_key_pair.c b/boot/stm32/src/generate_key_pair.c index c845363a9a..68ac82071a 100644 --- a/boot/stm32/src/generate_key_pair.c +++ b/boot/stm32/src/generate_key_pair.c @@ -1,3 +1,9 @@ +/* + * Copyright (c) 2025 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: Apache-2.0 + */ + #include #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" @@ -12,7 +18,13 @@ extern unsigned char enc_priv_key[]; extern unsigned int enc_priv_key_len; - +/* + * Generate random data using the hardware random number generator. + * + * @param data (short description) + * + * @return 0 on success or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED on RNG failure. + */ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) { @@ -48,6 +60,11 @@ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t return 0; } +/* + * Generate an EC-P256 key pair using the mbedTLS library + * + * @return 0 on success, or a negative mbedTLS error code on failure. + */ int gen_p256_keypair(mbedtls_pk_context *pk) { int ret; 
@@ -59,18 +76,28 @@ int gen_p256_keypair(mbedtls_pk_context *pk) mbedtls_entropy_init(&entropy); mbedtls_ctr_drbg_init(&ctr_drbg); + + /* + * Seeds the random number generator using a hardware entropy source + */ ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_hardware_poll, NULL,pers, sizeof(pers)-1); if (ret != 0) { BOOT_LOG_ERR("SEED FAIL ret=%d", ret); goto cleanup; } + /* + * Sets up the public key context for key generation + */ ret = mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)); if (ret != 0) { BOOT_LOG_ERR("PK_SETUP FAIL ret=%d", ret); goto cleanup; } + /* + * + */ ret = mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1, mbedtls_pk_ec(*pk),mbedtls_ctr_drbg_random, &ctr_drbg); if (ret != 0) { BOOT_LOG_ERR("GEN_KEY FAIL ret=%d", ret); From 38e51c36cfd72a5c322b367932c8b347d1a28bf5 Mon Sep 17 00:00:00 2001 From: WIKA IIoT RD <60038@wika.com> Date: Mon, 6 Oct 2025 17:22:23 +0200 Subject: [PATCH 09/35] EXAMPLE --- boot/stm32/src/generate_key_pair.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/boot/stm32/src/generate_key_pair.c b/boot/stm32/src/generate_key_pair.c index 68ac82071a..f5a040aaa9 100644 --- a/boot/stm32/src/generate_key_pair.c +++ b/boot/stm32/src/generate_key_pair.c @@ -18,11 +18,14 @@ extern unsigned char enc_priv_key[]; extern unsigned int enc_priv_key_len; -/* - * Generate random data using the hardware random number generator. - * - * @param data (short description) - * +/** + * @brief Generate random data using the hardware random number generator. + * + * @param data Not used. + * @param output Buffer to fill with random data. + * @param len Number of random bytes to generate. + * @param olen Number of random bytes actually generated. + * * @return 0 on success or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED on RNG failure. */ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) From 1980cc9ef3f47ad9592e16fbdbfeb6cf65b9fd51 Mon Sep 17 00:00:00 2001 
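Review bot: The comment block added above `mbedtls_ecp_gen_key` is empty, so the one step that actually creates the private key is the only one left undescribed. A line such as `/* Generate the secp256r1 key pair, drawing randomness from the seeded CTR-DRBG */` would match the two comments added above it. gen_p256_keypair starts before this hunk and its cleanup path lies outside it.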
From: WIKA IIoT RD <60038@wika.com> Date: Mon, 6 Oct 2025 17:32:18 +0200 Subject: [PATCH 10/35] update --- .gitignore | 1 + .vscode/settings.json | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 79866888ec..422ec24362 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,7 @@ target.sh *.pyc tags rusty-tags.* +.vscode # mynewt /repos/ diff --git a/.vscode/settings.json b/.vscode/settings.json index 15a1618e47..3a65f4323d 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,5 +1,6 @@ { "files.associations": { "sign_key.h": "c" - } + }, + "iis.configDir": "" } \ No newline at end of file From f1b4ba266fc584b26df16ba2875b33636401f591 Mon Sep 17 00:00:00 2001 From: WIKA IIoT RD <60038@wika.com> Date: Mon, 6 Oct 2025 17:38:44 +0200 Subject: [PATCH 11/35] Remove .vscode from tracking --- .vscode/settings.json | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 .vscode/settings.json diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index 3a65f4323d..0000000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "files.associations": { - "sign_key.h": "c" - }, - "iis.configDir": "" -} \ No newline at end of file From 8a0902c920d8aea73395bed4b5de0817981e4803 Mon Sep 17 00:00:00 2001 
From: "le noa, emilien" Date: Wed, 8 Oct 2025 11:42:48 +0200 Subject: [PATCH 12/35] Move generation key file to bootutil, add bootutil_hw_rng, add macro for hwrng and gen key --- .../include/bootutil/bootutil_hwrng.h | 27 +++++++++++++++++++ .../include/bootutil}/generate_key_pair.h | 0 .../src/generate_key_pair.c | 10 ++++--- .../include/mcuboot_config/mcuboot_config.h | 2 ++ .../include/mcuboot_config/mcuboot_rng.h | 2 +- 5 files changed, 37 insertions(+), 4 deletions(-) create mode 100644 boot/bootutil/include/bootutil/bootutil_hwrng.h rename boot/{stm32/include/generate_key_pair => bootutil/include/bootutil}/generate_key_pair.h (100%) rename boot/{stm32 => bootutil}/src/generate_key_pair.c (92%) diff --git a/boot/bootutil/include/bootutil/bootutil_hwrng.h b/boot/bootutil/include/bootutil/bootutil_hwrng.h new file mode 100644 index 0000000000..236b5dea25 --- /dev/null +++ b/boot/bootutil/include/bootutil/bootutil_hwrng.h @@ -0,0 +1,27 @@ +#ifndef H_BOOTUTIL_HWRNG_H_ +#define H_BOOTUTIL_HWRNG_H_ + +#include "ignore.h" + +#ifdef __cplusplus +extern "C" { +#endif + +#include + +#ifdef MCUBOOT_HAVE_HWRNG +#include + +#define BOOT_RNG(...) MCUBOOT_RNG(__VA_ARGS__) + +#else + +#define BOOT_RNG(...) IGNORE(__VA_ARGS__) + +#endif /* MCUBOOT_HAVE_RNG */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/boot/stm32/include/generate_key_pair/generate_key_pair.h b/boot/bootutil/include/bootutil/generate_key_pair.h similarity index 100% rename from boot/stm32/include/generate_key_pair/generate_key_pair.h rename to boot/bootutil/include/bootutil/generate_key_pair.h diff --git a/boot/stm32/src/generate_key_pair.c b/boot/bootutil/src/generate_key_pair.c similarity index 92% rename from boot/stm32/src/generate_key_pair.c rename to boot/bootutil/src/generate_key_pair.c index f5a040aaa9..81c164d7e5 100644 --- a/boot/stm32/src/generate_key_pair.c +++ b/boot/bootutil/src/generate_key_pair.c 
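Review bot: In bootutil_hwrng.h, when MCUBOOT_HAVE_HWRNG is not defined `BOOT_RNG(...)` expands to `IGNORE(...)`, which turns every random-number request into a silent no-op and leaves the caller's output word untouched. A missing entropy source should stop the build, not degrade quietly; leave `BOOT_RNG` undefined in the `#else` branch (or place `#error "BOOT_RNG needs MCUBOOT_HAVE_HWRNG"` in the code that uses it) so key-generation code cannot compile without a real generator. The trailing `#endif /* MCUBOOT_HAVE_RNG */` comment should name `MCUBOOT_HAVE_HWRNG`.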
@@ -3,17 +3,19 @@ * * SPDX-License-Identifier: Apache-2.0 */ +#include "mcuboot_config/mcuboot_config.h" +#if defined(MCUBOOT_GEN_KEY) #include #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/pk.h" #include "mbedtls/ecp.h" #include "stm32wlxx_hal.h" -#include "generate_key_pair/generate_key_pair.h" +#include "generate_key_pair.h" #include "key/key.h" #include "bootutil_log.h" -#include "mcuboot_rng.h" +#include "bootutil_hwrng.h" extern unsigned char enc_priv_key[]; extern unsigned int enc_priv_key_len; @@ -37,7 +39,7 @@ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t // Warm-up for (int i = 0; i < 8; i++) { // HAL_RNG_GenerateRandomNumber(&hrng, &val); - MCUBOOT_RNG(&val); + BOOT_RNG(&val); } boot_log_info("mbedtls_hardware_poll: ask %lu bytes", (unsigned long)len); @@ -190,3 +192,5 @@ int export_pub_pem(mbedtls_pk_context *pk) { return 0; } + +#endif /* MCUBOOT_GEN_KEY */ diff --git a/boot/stm32/include/mcuboot_config/mcuboot_config.h b/boot/stm32/include/mcuboot_config/mcuboot_config.h index 75dd1b9949..5e04bc5d3c 100644 --- a/boot/stm32/include/mcuboot_config/mcuboot_config.h +++ b/boot/stm32/include/mcuboot_config/mcuboot_config.h @@ -24,6 +24,8 @@ //#define MCUBOOT_SIGNATURE_KEY_NONE //#define MCUBOOT_VALIDATE_SLOT0 1 #define MCUBOOT_USE_FLASH_AREA_GET_SECTORS 1 +#define MCUBOOT_HAVE_HWRNG +#define MCUBOOT_GEN_KEY #define MCUBOOT_WATCHDOG_FEED() \ diff --git a/boot/stm32/include/mcuboot_config/mcuboot_rng.h b/boot/stm32/include/mcuboot_config/mcuboot_rng.h index db677df176..1e6b72fd23 100644 --- a/boot/stm32/include/mcuboot_config/mcuboot_rng.h +++ b/boot/stm32/include/mcuboot_config/mcuboot_rng.h @@ -3,7 +3,7 @@ #include "rng_stm32.h" -#define MCUBOOT_RNG_STM32(...) generator_rng_stm32(__VA_ARGS__) +#define MCUBOOT_RNG(...) generator_rng_stm32(__VA_ARGS__) #endif /* __MCUBOOT_RNG_H__ */ From ad90028328d003c391c5606c709da0242f603749 Mon Sep 17 00:00:00 2001 
From: "le noa, emilien" Date: Wed, 8 Oct 2025 13:40:17 +0200 Subject: [PATCH 13/35] Modify name macro --- boot/bootutil/src/generate_key_pair.c | 2 +- boot/stm32/include/mcuboot_config/mcuboot_config.h | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/boot/bootutil/src/generate_key_pair.c b/boot/bootutil/src/generate_key_pair.c index 81c164d7e5..eb8c902b1d 100644 --- a/boot/bootutil/src/generate_key_pair.c +++ b/boot/bootutil/src/generate_key_pair.c @@ -5,7 +5,7 @@ */ #include "mcuboot_config/mcuboot_config.h" -#if defined(MCUBOOT_GEN_KEY) +#if defined(MCUBOOT_ENC_GEN_KEY) #include #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" diff --git a/boot/stm32/include/mcuboot_config/mcuboot_config.h b/boot/stm32/include/mcuboot_config/mcuboot_config.h index 5e04bc5d3c..cb934ffacb 100644 --- a/boot/stm32/include/mcuboot_config/mcuboot_config.h +++ b/boot/stm32/include/mcuboot_config/mcuboot_config.h @@ -19,13 +19,13 @@ #define MCUBOOT_ENC_IMAGES #define MCUBOOT_SIGN_EC256 #define MCUBOOT_ENCRYPT_EC256 -#define MCUBOOT_AES_256 +//#define MCUBOOT_AES_256 #define MCUBOOT_VALIDATE_PRIMARY_SLOT //#define MCUBOOT_SIGNATURE_KEY_NONE //#define MCUBOOT_VALIDATE_SLOT0 1 #define MCUBOOT_USE_FLASH_AREA_GET_SECTORS 1 -#define MCUBOOT_HAVE_HWRNG -#define MCUBOOT_GEN_KEY +//#define MCUBOOT_HAVE_HWRNG +//#define MCUBOOT_ENC_GEN_KEY #define MCUBOOT_WATCHDOG_FEED() \ From 6e99db42eee65f939ac9cfcdc7dc5805b497cbf1 Mon Sep 17 00:00:00 2001 
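Review bot: Besides the macro rename, the mcuboot_config.h hunk comments out `MCUBOOT_AES_256`, `MCUBOOT_HAVE_HWRNG` and the key-generation switch, none of which the commit title mentions. Disabling `MCUBOOT_AES_256` presumably drops image encryption back to the smaller default key size, which is a security-relevant configuration change. If it is intended, it belongs in its own commit with a line of explanation; otherwise keep `#define MCUBOOT_AES_256`. In generate_key_pair.c the closing `#endif /* MCUBOOT_GEN_KEY */` still carries the old macro name.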
From: "le noa, emilien" Date: Tue, 21 Oct 2025 15:29:02 +0200 Subject: [PATCH 14/35] zephyr implementation --- .../include/bootutil/generate_key_pair.h | 4 +- boot/bootutil/src/generate_key_pair.c | 50 +++++++++---------- boot/zephyr/CMakeLists.txt | 13 ++++- boot/zephyr/Kconfig | 21 ++++++++ boot/zephyr/app.overlay | 6 +++ boot/zephyr/boards/lora_e5_mini.overlay | 25 ++++++++++ .../include/mcuboot_config/mcuboot_config.h | 8 +++ .../include/mcuboot_config/mcuboot_rng.h | 9 ++++ boot/zephyr/include/rng_stm32.h | 13 +++++ boot/zephyr/main.c | 41 ++++++++++++++- boot/zephyr/prj.conf | 4 +- boot/zephyr/rng_stm32.c | 13 +++++ 12 files changed, 176 insertions(+), 31 deletions(-) create mode 100644 boot/zephyr/boards/lora_e5_mini.overlay create mode 100644 boot/zephyr/include/mcuboot_config/mcuboot_rng.h create mode 100644 boot/zephyr/include/rng_stm32.h create mode 100644 boot/zephyr/rng_stm32.c diff --git a/boot/bootutil/include/bootutil/generate_key_pair.h b/boot/bootutil/include/bootutil/generate_key_pair.h index b91e2dc986..48139d66ae 100644 --- a/boot/bootutil/include/bootutil/generate_key_pair.h +++ b/boot/bootutil/include/bootutil/generate_key_pair.h @@ -18,8 +18,8 @@ void show_public_key_formatted(const mbedtls_pk_context *pk); int export_privkey_der(mbedtls_pk_context *pk, unsigned char **der_ptr, size_t *der_len); -export_pub_pem(mbedtls_pk_context *pk); -dump_pkcs8_der_as_c_array(const mbedtls_pk_context *pk); +int export_pub_pem(mbedtls_pk_context *pk); +int dump_pkcs8_der_as_c_array(const mbedtls_pk_context *pk); #ifdef __cplusplus } diff --git a/boot/bootutil/src/generate_key_pair.c b/boot/bootutil/src/generate_key_pair.c index eb8c902b1d..c673875b02 100644 --- a/boot/bootutil/src/generate_key_pair.c +++ b/boot/bootutil/src/generate_key_pair.c 
@@ -5,18 +5,18 @@ */ #include "mcuboot_config/mcuboot_config.h" -#if defined(MCUBOOT_ENC_GEN_KEY) +// #if defined(MCUBOOT_GEN_ENC_KEY) #include #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/pk.h" #include "mbedtls/ecp.h" #include "stm32wlxx_hal.h" -#include "generate_key_pair.h" -#include "key/key.h" -#include "bootutil_log.h" -#include "bootutil_hwrng.h" - +#include "bootutil/generate_key_pair.h" +// #include "key/key.h" +#include "bootutil/bootutil_log.h" +#include "bootutil/bootutil_hwrng.h" +BOOT_LOG_MODULE_DECLARE(mcuboot); extern unsigned char enc_priv_key[]; extern unsigned int enc_priv_key_len; @@ -30,7 +30,7 @@ extern unsigned int enc_priv_key_len; * * @return 0 on success or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED on RNG failure. */ -int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) +int mbedtls_hardware_polll(void *data, unsigned char *output, size_t len, size_t *olen) { (void)data; @@ -42,11 +42,11 @@ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t BOOT_RNG(&val); } - boot_log_info("mbedtls_hardware_poll: ask %lu bytes", (unsigned long)len); - + BOOT_LOG_DBG("mbedtls_hardware_poll: ask %lu bytes", (unsigned long)len); +// if (HAL_RNG_GenerateRandomNumber(&hrng, &val) != HAL_OK) { while (produced < len) { - if (HAL_RNG_GenerateRandomNumber(&hrng, &val) != HAL_OK) { + if (BOOT_RNG(&val) != HAL_OK) { BOOT_LOG_ERR("RNG reads fails at %lu/%lu bytes", (unsigned long)produced, (unsigned long)len); *olen = produced; return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; 
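Review bot: Commenting out `#if defined(MCUBOOT_GEN_ENC_KEY)` (and the matching `#endif` at the end of the file) makes this key-generation code part of every build, while the unchanged `#include "stm32wlxx_hal.h"` still ties a shared bootutil source to one vendor HAL. Restore the guard under the new name, `#if defined(MCUBOOT_GEN_ENC_KEY)` with `#endif /* MCUBOOT_GEN_ENC_KEY */`, and remove the HAL include now that randomness comes through BOOT_RNG. The commented `// #include "key/key.h"` line can simply be deleted.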
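Review bot: The renamed `mbedtls_hardware_polll` keeps the four-argument entropy-source signature, yet the `@@ -85,7 +85,7 @@` hunk passes it directly to `mbedtls_ctr_drbg_seed`, whose `f_entropy` callback takes three arguments. The DRBG calls it without `olen`, so `*olen = produced` writes through an indeterminate pointer and the seeding path is undefined behaviour. Register the function as a source and seed through the entropy context that is already initialised: `mbedtls_entropy_add_source(&entropy, mbedtls_hardware_polll, NULL, MBEDTLS_ENTROPY_MIN_HARDWARE, MBEDTLS_ENTROPY_SOURCE_STRONG);` followed by `mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, pers, sizeof(pers)-1);`. The triple-l name reads like a typo; a project-prefixed name would avoid the symbol clash more clearly.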
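Review bot: `if (BOOT_RNG(&val) != HAL_OK)` compares the wrapper's result with an STM32 HAL constant, which only works while the Zephyr backend's `int` success value happens to equal it, and it cannot compile when BOOT_RNG falls back to `IGNORE(...)`. Define the wrapper contract as zero on success and test `if (BOOT_RNG(&val) != 0)`. The warm-up calls just above still ignore the result, and the commented-out HAL line added in this hunk should be removed.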
@@ -56,12 +56,12 @@ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t memcpy(output + produced, &val, copy_len); produced += copy_len; - boot_log_info("%08lX",(unsigned long)val,(unsigned long)produced,(unsigned long)len); + BOOT_LOG_DBG("%08lX",(unsigned long)val,(unsigned long)produced,(unsigned long)len); } *olen = produced; - boot_log_info("mbedtls_hardware_poll: total generated = %lu bytes", (unsigned long)*olen); + BOOT_LOG_INF("mbedtls_hardware_poll: total generated = %lu bytes", (unsigned long)*olen); return 0; } @@ -85,7 +85,7 @@ int gen_p256_keypair(mbedtls_pk_context *pk) /* * Seeds the random number generator using a hardware entropy source */ - ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_hardware_poll, NULL,pers, sizeof(pers)-1); + ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_hardware_polll, NULL,pers, sizeof(pers)-1); if (ret != 0) { BOOT_LOG_ERR("SEED FAIL ret=%d", ret); goto cleanup; @@ -145,19 +145,19 @@ void dump_p256(const mbedtls_pk_context *pk) unsigned char buf[32]; memset(buf,0, sizeof buf); mbedtls_mpi_write_binary(&eckey->private_d, buf, 32); - BOOT_LOG_DBG("Private key d = "); - for (int i = 0; i < 32; i++) BOOT_LOG_DBG("%02X", buf[i]); - BOOT_LOG_DBG("\n"); + BOOT_LOG_INF("Private key d = "); + for (int i = 0; i < 32; i++) BOOT_LOG_INF("%02X", buf[i]); + BOOT_LOG_INF("\n"); mbedtls_mpi_write_binary(&eckey->private_Q.private_X, buf, 32); - BOOT_LOG_DBG("Public key Q.X = "); - for (int i = 0; i < 32; i++) BOOT_LOG_DBG("%02X", buf[i]); - BOOT_LOG_DBG("\n"); + BOOT_LOG_INF("Public key Q.X = "); + for (int i = 0; i < 32; i++) BOOT_LOG_INF("%02X", buf[i]); + BOOT_LOG_INF("\n"); mbedtls_mpi_write_binary(&eckey->private_Q.private_Y, buf, 32); - BOOT_LOG_DBG("Public key Q.Y = "); - for (int i = 0; i < 32; i++) BOOT_LOG_DBG("%02X", buf[i]); - BOOT_LOG_DBG("\n"); + BOOT_LOG_INF("Public key Q.Y = "); + for (int i = 0; i < 32; i++) BOOT_LOG_INF("%02X", buf[i]); + BOOT_LOG_INF("\n"); } 
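Review bot: `BOOT_LOG_DBG("%08lX", ...)` prints every 32-bit word that is copied into the entropy output, so the seed material for the key-generation DRBG ends up in the log; it also passes three arguments for a single conversion. Log progress only, for example `BOOT_LOG_DBG("%lu/%lu bytes", (unsigned long)produced, (unsigned long)len);`. The function starts before this hunk.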
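Review bot: In dump_p256, raising the calls from BOOT_LOG_DBG to BOOT_LOG_INF sends the private scalar `d` to the boot log at the level most builds leave enabled, so the key is readable by anyone with console access. Remove the `Private key d` block and keep only Q.X and Q.Y, or compile the whole function only under an explicit debug option. `buf` holds the scalar and is reused without being cleared; add `mbedtls_platform_zeroize(buf, sizeof buf);` before returning. The return value of `mbedtls_mpi_write_binary` is ignored in all three calls.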
@@ -180,17 +180,17 @@ int export_pub_pem(mbedtls_pk_context *pk) { char *line = strtok((char *)buf,"\n"); while(line != NULL){ - BOOT_LOG_DBG("%s", line); + BOOT_LOG_INF("%s", line); line = strtok(NULL,"\n"); } char *line1 = strtok((char *)buf1,"\n"); while(line1 != NULL){ - BOOT_LOG_DBG("%s", line1); + BOOT_LOG_INF("%s", line1); line1 = strtok(NULL,"\n"); } return 0; } -#endif /* MCUBOOT_GEN_KEY */ +// #endif /* MCUBOOT_GEN_ENC_KEY */ diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index d5964efe90..6aca9f11df 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -61,6 +61,11 @@ zephyr_library_include_directories( if(DEFINED CONFIG_MBEDTLS) zephyr_library_include_directories( ${ZEPHYR_MBEDTLS_MODULE_DIR}/include + ${ZEPHYR_MBEDTLS_MODULE_DIR}/library + ) + zephyr_library_sources( + ${ZEPHYR_MBEDTLS_MODULE_DIR}/library + ) endif() @@ -110,6 +115,8 @@ zephyr_library_sources( ${BOOT_DIR}/bootutil/src/image_ed25519.c ${BOOT_DIR}/bootutil/src/bootutil_misc.c ${BOOT_DIR}/bootutil/src/fault_injection_hardening.c + ${BOOT_DIR}/bootutil/src/generate_key_pair.c + ${MCUBOOT_DIR}/ext/mbedtls-pkcs8/pkcs8secp256write.c ) if((CONFIG_BOOT_ENCRYPT_X25519 AND CONFIG_BOOT_ED25519_PSA) @@ -182,7 +189,11 @@ else() endif() endif() endif() - +if(CONFIG_BOOT_HAVE_HWRNG) + zephyr_library_sources( + rng_stm32.c + ) +endif() if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) # When ECDSA PSA is used, do not pull in additional ASN.1 include # directories or sources, as it would cause incorrect header files diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 467b848dc2..d9099687cc 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -113,6 +113,7 @@ config BOOT_X25519_PSA_DEPENDENCIES endif # BOOT_ENCRYPT_IMAGE + config BOOT_ECDSA_PSA_DEPENDENCIES bool select PSA_WANT_ALG_ECDSA 
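Review bot: In the CMakeLists.txt `@@ -61,6 +61,11 @@` hunk, `zephyr_library_sources(${ZEPHYR_MBEDTLS_MODULE_DIR}/library)` names a directory rather than source files, so it will either fail at configure time or add nothing; list the specific files needed or rely on the mbedTLS module's own library target. The `@@ -110,6 +115,8 @@` hunk also adds `generate_key_pair.c` and `pkcs8secp256write.c` to the unconditional source list, which pulls private-key generation and export code into every bootloader build, including ones that do not use mbedTLS. Wrap both in a dedicated option, e.g. `if(CONFIG_BOOT_GEN_ENC_KEY)` ... `endif()`, with a matching Kconfig symbol.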
@@ -135,6 +136,12 @@ endif # BOOT_USE_PSA_CRYPTO menu "MCUBoot settings" +config BOOT_HAVE_HWRNG + bool "have hwrng" + help + Dependencies for stm32drivers + + config SINGLE_APPLICATION_SLOT bool "Single slot bootloader" help @@ -300,6 +307,20 @@ config BOOT_ECDSA_PSA select BOOT_IMG_HASH_ALG_SHA512_ALLOW select BOOT_ECDSA_PSA_DEPENDENCIES +config BOOT_ECDSA_MBEDTLS + bool "Use mbedTLS" + select BOOT_USE_MBEDTLS + select BOOT_IMG_HASH_ALG_SHA256_ALLOW + select BOOT_IMG_HASH_ALG_SHA512_ALLOW + select MBEDTLS + select MBEDTLS_ECDSA_C + select MBEDTLS_ECP_C + select MBEDTLS_X509_USE_C + select MBEDTLS_ECP_DP_SECP256R1_ENABLED + select MBEDTLS_SHA512 + select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN && !BOOT_KEY_IMPORT_BYPASS_ASN + select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE + endchoice # Ecdsa implementation endif diff --git a/boot/zephyr/app.overlay b/boot/zephyr/app.overlay index 40d0108ac2..292970d91d 100644 --- a/boot/zephyr/app.overlay +++ b/boot/zephyr/app.overlay @@ -15,3 +15,9 @@ current-speed = <9600>; status = "okay"; }; + +&rng { + status = "okay"; + // clocks = <&rcc STM32_CLOCK_BUS_AHB2 0x00040000>, + // <&rcc STM32_SRC_MSI 3>; +}; diff --git a/boot/zephyr/boards/lora_e5_mini.overlay b/boot/zephyr/boards/lora_e5_mini.overlay new file mode 100644 index 0000000000..5651b6ae1c --- /dev/null +++ b/boot/zephyr/boards/lora_e5_mini.overlay @@ -0,0 +1,25 @@ +/ { + chosen { + zephyr,code-partition = &boot_partition; + }; +}; + +&boot_partition { + reg = <0x00000000 0x10000>; + // read-only; +}; + +&lpuart1 { + pinctrl-0 = <&lpuart1_tx_pc1 &lpuart1_rx_pc0>; + pinctrl-names = "default"; + current-speed = <115200>; + status = "okay"; +}; + +&rng { + status = "okay"; + // clocks = <&rcc STM32_CLOCK_BUS_AHB3 0x00040000>, + // <&rcc STM32_SRC_MSI 3>; + // clocks = <&rcc STM32_CLOCK(AHB3, 18)>, + // <&rcc STM32_SRC_MSI 3>; +}; 
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index b35a11f97e..562bf379be 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -165,6 +165,14 @@ #define MCUBOOT_ENCRYPT_EC256 #endif +#ifdef CONFIG_BOOT_HAVE_HWRNG +#define MCUBOOT_HAVE_HWRNG +#endif + +// #ifdef CONFIG_BOOT_GEN_ENC_KEY +#define MCUBOOT_GEN_ENC_KEY +// #endif + #ifdef CONFIG_BOOT_ENCRYPT_X25519 #define MCUBOOT_ENC_IMAGES #define MCUBOOT_ENCRYPT_X25519 diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_rng.h b/boot/zephyr/include/mcuboot_config/mcuboot_rng.h new file mode 100644 index 0000000000..1e6b72fd23 --- /dev/null +++ b/boot/zephyr/include/mcuboot_config/mcuboot_rng.h @@ -0,0 +1,9 @@ +#ifndef __MCUBOOT_RNG_H__ +#define __MCUBOOT_RNG_H__ + +#include "rng_stm32.h" + +#define MCUBOOT_RNG(...) generator_rng_stm32(__VA_ARGS__) + + +#endif /* __MCUBOOT_RNG_H__ */ diff --git a/boot/zephyr/include/rng_stm32.h b/boot/zephyr/include/rng_stm32.h new file mode 100644 index 0000000000..300ab60b38 --- /dev/null +++ b/boot/zephyr/include/rng_stm32.h @@ -0,0 +1,13 @@ +#ifndef _STM32_RNG_H_ +#define _STM32_RNG_H_ + +#include +#include +#include + + + +int generator_rng_stm32(uint32_t* val); + + +#endif /*_STM32_RNG_H_*/ diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 1494002e7e..98ae31d0e4 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -17,7 +17,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - +#include "bootutil/bootutil_hwrng.h" #include #include #include @@ -28,6 +28,7 @@ #include #include #include +#include "bootutil/generate_key_pair.h" #if defined(CONFIG_BOOT_DISABLE_CACHES) #include 
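Review bot: With the `#ifdef CONFIG_BOOT_GEN_ENC_KEY` / `#endif` pair commented out, `MCUBOOT_GEN_ENC_KEY` is defined for every Zephyr build, so the key-generation block in main.c is active wherever MCUBOOT_HAVE_HWRNG is set, whether or not the integrator asked for it. Restore the guard and add the corresponding `config BOOT_GEN_ENC_KEY` entry (off by default, `depends on BOOT_HAVE_HWRNG`) to Kconfig, which this commit does not define.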
@@ -633,6 +634,42 @@ int main(void) if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { BOOT_LOG_ERR("Unable to find bootable image"); + const struct device *entropy_dev; + uint32_t val; + int ret; + + BOOT_LOG_INF("MCUboot starting..."); + k_sleep(K_MSEC(10)); + BOOT_RNG(&val); + BOOT_LOG_INF("RNG value: %u\r\n",val); + #if defined(MCUBOOT_GEN_ENC_KEY) && defined(MCUBOOT_HAVE_HWRNG) + mbedtls_pk_context pk; + // uint32_t val; + // if (HAL_RNG_GenerateRandomNumber(&hrng, &val) != HAL_OK) { + // BOOT_LOG_ERR("RNG lecture fails"); + + // } + if (gen_p256_keypair(&pk)==0){ + BOOT_LOG_INF("Start generatation\r\n"); + unsigned char *der_priv; + size_t der_len; + if (export_privkey_der(&pk, &der_priv, &der_len) == 0) { + BOOT_LOG_INF("Private key DER length = %u\n", (unsigned)der_len); + for (size_t i = 0; i < der_len; i++) { + BOOT_LOG_INF("0x%02X,", der_priv[i]); + } + BOOT_LOG_INF("\n"); + } + export_pub_pem(&pk); + dump_p256(&pk); + // show_public_key_formatted(&pk); + + } + else { + BOOT_LOG_ERR("error generation"); + } + #endif + mcuboot_status_change(MCUBOOT_STATUS_NO_BOOTABLE_IMAGE_FOUND); @@ -670,6 +707,8 @@ int main(void) BOOT_LOG_INF("Jumping to the image slot"); #else BOOT_LOG_INF("Jumping to the first image slot"); + + #endif mcuboot_status_change(MCUBOOT_STATUS_BOOTABLE_IMAGE_FOUND); diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 0134d79919..515e53008f 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -35,8 +35,8 @@ CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE=0 # CONFIG_BOOT_USE_TINYCRYPT=y # CONFIG_SINGLE_APPLICATION_SLOT=y -CONFIG_BOOT_UPGRADE_ONLY=y -CONFIG_BOOT_ENCRYPT_IMAGE=y +# CONFIG_BOOT_UPGRADE_ONLY=y +# CONFIG_BOOT_ENCRYPT_IMAGE=y CONFIG_BOOT_VALIDATE_SLOT0=y CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y CONFIG_BOOT_SIGNATURE_KEY_FILE="root-ec-p256.pem" diff --git a/boot/zephyr/rng_stm32.c b/boot/zephyr/rng_stm32.c new file mode 100644 index 0000000000..4adc5d24cc --- /dev/null +++ b/boot/zephyr/rng_stm32.c 
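Review bot: The block added to the "Unable to find bootable image" path in main() generates a fresh P-256 key pair and then prints the private key to the boot log, once as DER bytes from `export_privkey_der` and again through `dump_p256(&pk)`, so anyone who can read the console obtains the key. Private material should not leave the device through logging: remove the DER print loop and the `dump_p256` call and keep at most the public-key output. `pk` is never released and `der_priv` is never wiped; add `mbedtls_pk_free(&pk);` and `mbedtls_platform_zeroize(der_priv, der_len);` (who owns `der_priv` is not visible in this hunk). `BOOT_RNG(&val)` and the `RNG value` log sit outside the `#if`, so with the no-op fallback they print an uninitialised `val`, and `entropy_dev` and `ret` are unused.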
@@ -0,0 +1,13 @@ +#include "rng_stm32.h" + +static const struct device *entropy_dev = NULL; +static bool initialized = false; + +int generator_rng_stm32(uint32_t *val) +{ + + *val = sys_rand32_get(); + + return 0; + +} From 4a0500a852c56ddeada6d3d12bbeb6f61f1af32f Mon Sep 17 00:00:00 2001 From: "le noa, emilien" Date: Tue, 21 Oct 2025 15:31:33 +0200 Subject: [PATCH 15/35] delete stm32 support --- boot/stm32/include/boot_log_uart.h | 17 -- boot/stm32/include/flash_map/flash_map.h | 172 ------------- .../flash_map_backend/flash_map_backend.h | 82 ------- boot/stm32/include/key/key.h | 7 - .../include/mcuboot_config/mcuboot_config.h | 41 ---- .../include/mcuboot_config/mcuboot_logging.h | 14 -- .../include/mcuboot_config/mcuboot_rng.h | 9 - boot/stm32/include/rng_stm32/rng_stm32.h | 10 - boot/stm32/include/sysflash/sysflash.h | 34 --- boot/stm32/src/boot_log_uart.c | 52 ---- boot/stm32/src/flash_map_backend.c | 226 ------------------ boot/stm32/src/key.c | 149 ------------ boot/stm32/src/rng_stm32.c | 9 - 13 files changed, 822 deletions(-) delete mode 100644 boot/stm32/include/boot_log_uart.h delete mode 100644 boot/stm32/include/flash_map/flash_map.h delete mode 100644 boot/stm32/include/flash_map_backend/flash_map_backend.h delete mode 100644 boot/stm32/include/key/key.h delete mode 100644 boot/stm32/include/mcuboot_config/mcuboot_config.h delete mode 100644 boot/stm32/include/mcuboot_config/mcuboot_logging.h delete mode 100644 boot/stm32/include/mcuboot_config/mcuboot_rng.h delete mode 100644 boot/stm32/include/rng_stm32/rng_stm32.h delete mode 100644 boot/stm32/include/sysflash/sysflash.h delete mode 100644 boot/stm32/src/boot_log_uart.c delete mode 100644 boot/stm32/src/flash_map_backend.c delete mode 100644 boot/stm32/src/key.c delete mode 100644 boot/stm32/src/rng_stm32.c diff --git a/boot/stm32/include/boot_log_uart.h b/boot/stm32/include/boot_log_uart.h deleted file mode 100644 index 7e6b7d3c7c..0000000000 
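Review bot: `generator_rng_stm32()` fills `*val` from `sys_rand32_get()`, which Zephyr provides as a general-purpose generator without cryptographic guarantees, and then always returns 0, yet its output seeds the DRBG used to generate a private key. Use the CSPRNG API and propagate its status, `return sys_csrand_get(val, sizeof(*val));`, with the board's entropy driver and the matching random-subsystem options enabled. The statics `entropy_dev` and `initialized` are never used and can be removed.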
--- a/boot/stm32/include/boot_log_uart.h +++ /dev/null @@ -1,17 +0,0 @@ -#ifndef BOOT_LOG_UART_H -#define BOOT_LOG_UART_H - -#ifdef __cplusplus -extern "C" { -#endif - -void boot_log_info(const char *msg, ...); -void boot_log_err(const char *msg, ...); -void boot_log_warn(const char *msg, ...); -void boot_log_debug(const char *msg, ...); - -#ifdef __cplusplus -} -#endif - -#endif // BOOT_LOG_UART_H diff --git a/boot/stm32/include/flash_map/flash_map.h b/boot/stm32/include/flash_map/flash_map.h deleted file mode 100644 index b986228117..0000000000 --- a/boot/stm32/include/flash_map/flash_map.h +++ /dev/null 
@@ -1,172 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -#ifndef H_UTIL_FLASH_MAP_ -#define H_UTIL_FLASH_MAP_ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * - * Provides abstraction of flash regions for type of use. - * I.e. dude where's my image? - * - * System will contain a map which contains flash areas. Every - * region will contain flash identifier, offset within flash and length. - * - * 1. This system map could be in a file within filesystem (Initializer - * must know/figure out where the filesystem is at). - * 2. Map could be at fixed location for project (compiled to code) - * 3. Map could be at specific place in flash (put in place at mfg time). - * - * Note that the map you use must be valid for BSP it's for, - * match the linker scripts when platform executes from flash, - * and match the target offset specified in download script. - */ -#include - -/** - * @brief Structure describing an area on a flash device. - * - * Multiple flash devices may be available in the system, each of - * which may have its own areas. For this reason, flash areas track - * which flash device they are part of. - */ -struct flash_area { - /** - * This flash area's ID; unique in the system. 
- */ - uint8_t fa_id; - - /** - * ID of the flash device this area is a part of. - */ - uint8_t fa_device_id; - - uint16_t pad16; - - /** - * This area's offset, relative to the beginning of its flash - * device's storage. - */ - uint32_t fa_off; - - /** - * This area's size, in bytes. - */ - uint32_t fa_size; -}; - -/** - * @brief Structure describing a sector within a flash area. - * - * Each sector has an offset relative to the start of its flash area - * (NOT relative to the start of its flash device), and a size. A - * flash area may contain sectors with different sizes. - */ -struct flash_sector { - /** - * Offset of this sector, from the start of its flash area (not device). - */ - uint32_t fs_off; - - /** - * Size of this sector, in bytes. - */ - uint32_t fs_size; -}; - -/* - * Retrieve a memory-mapped flash device's base address. - * - * On success, the address will be stored in the value pointed to by - * ret. - * - * Returns 0 on success, or an error code on failure. - */ -int flash_device_base(uint8_t fd_id, uintptr_t *ret); - -/* - * Start using flash area. - */ -int flash_area_open(uint8_t id, const struct flash_area **); - -void flash_area_close(const struct flash_area *); - -/* - * Read/write/erase. Offset is relative from beginning of flash area. - */ -int flash_area_read(const struct flash_area *, uint32_t off, void *dst, - uint32_t len); -int flash_area_write(const struct flash_area *, uint32_t off, const void *src, - uint32_t len); -int flash_area_erase(const struct flash_area *, uint32_t off, uint32_t len); - -/* - * Alignment restriction for flash writes. - */ -uint32_t flash_area_align(const struct flash_area *); - -/* - * What is value is read from erased flash bytes. - */ -uint8_t flash_area_erased_val(const struct flash_area *); - -uint32_t flash_area_get_off(const struct flash_area *fa); -/* - * Given flash area ID, return info about sectors within the area. 
- */ -int flash_area_get_sectors(int fa_id, uint32_t *count, - struct flash_sector *sectors); - - -/* Retrieve the flash sector a given offset belongs to. - * - * Returns 0 on success, or an error code on failure. - */ -int flash_area_sector_from_off(uint32_t off, struct flash_sector *sector); - -/* Retrieve the flash sector a given offset, within flash area. - * - * @param fa flash area. - * @param off offset of sector. - * @param sector pointer to structure for obtained information. - * Returns 0 on success, or an error code on failure. - */ -int flash_area_get_sector(const struct flash_area *fa, uint32_t off, - struct flash_sector *sector); - -/* - * Similar to flash_area_get_sectors(), but return the values in an - * array of struct flash_area instead. - */ -__attribute__((deprecated)) -int flash_area_to_sectors(int idx, int *cnt, struct flash_area *ret); - -int flash_area_id_from_image_slot(int slot); -int flash_area_id_from_multi_image_slot(int image_index, int slot); -int flash_area_id_to_multi_image_slot(int image_index, int area_id); - -#ifdef __cplusplus -} -#endif - -#endif /* H_UTIL_FLASH_MAP_ */ diff --git a/boot/stm32/include/flash_map_backend/flash_map_backend.h b/boot/stm32/include/flash_map_backend/flash_map_backend.h deleted file mode 100644 index bf5b4f85ed..0000000000 --- a/boot/stm32/include/flash_map_backend/flash_map_backend.h +++ /dev/null 
@@ -1,82 +0,0 @@ -#ifndef __FLASH_MAP_BACKEND_H__ -#define __FLASH_MAP_BACKEND_H__ - -#ifdef __cplusplus -extern "C" { -#endif - -#include - -struct flash_area { - uint8_t fa_id; - uint8_t fa_device_id; - uint16_t pad; - uint32_t fa_off; - uint32_t fa_size; -}; - -struct flash_sector { - uint32_t fs_off; - uint32_t fs_size; -}; - - -int flash_area_open(uint8_t id, const struct flash_area **fa); -void flash_area_close(const struct flash_area *fa); -int flash_area_read(const struct flash_area *fa, uint32_t off, void *dst, uint32_t len); -int flash_area_write(const struct flash_area *fa, uint32_t off, const void *src, uint32_t len); -int flash_area_erase(const struct flash_area *fa, uint32_t off, uint32_t len); - - - - - -int flash_area_get_sectors(int fa_id, uint32_t *count, struct flash_sector *sectors); -int flash_area_get_sector(const struct flash_area *fa, uint32_t off, struct flash_sector *sector); - - - -int flash_area_align(const struct flash_area *fa); -int flash_area_erased_val(const struct flash_area *fa); - -int flash_area_to_sectors(int idx, int *cnt, struct flash_area *fa); - -int flash_area_id_from_multi_image_slot(int image_index, int slot); -int flash_area_id_from_image_slot(int slot); -int flash_area_id_to_multi_image_slot(int image_index, int area_id); -static inline uint8_t flash_area_get_id(const struct flash_area *fa) -{ - return fa->fa_id; -} - -static inline uint8_t flash_area_get_device_id(const struct flash_area *fa) -{ - return fa->fa_device_id; -} - -static inline uint32_t flash_area_get_off(const struct flash_area *fa) -{ - return fa->fa_off; -} - -static inline uint32_t flash_sector_get_off(const struct flash_sector *fs) -{ - return fs->fs_off; -} - -static inline uint32_t flash_sector_get_size(const struct flash_sector *fs) -{ - return fs->fs_size; -} - -static inline uint32_t flash_area_get_size(const struct flash_area *fa) -{ - return fa->fa_size; -} - - -#ifdef __cplusplus -} -#endif - -#endif /* __FLASH_MAP_BACKEND_H__ */ 
diff --git a/boot/stm32/include/key/key.h b/boot/stm32/include/key/key.h deleted file mode 100644 index bacb836396..0000000000 --- a/boot/stm32/include/key/key.h +++ /dev/null @@ -1,7 +0,0 @@ -#ifndef KEY_H_ -#define KEY_H_ - -extern unsigned char enc_priv_key[]; -extern unsigned int enc_priv_key_len; - -#endif /* KEY_KEY_H_ */ diff --git a/boot/stm32/include/mcuboot_config/mcuboot_config.h b/boot/stm32/include/mcuboot_config/mcuboot_config.h deleted file mode 100644 index cb934ffacb..0000000000 --- a/boot/stm32/include/mcuboot_config/mcuboot_config.h +++ /dev/null @@ -1,41 +0,0 @@ -#ifndef MCUBOOT_CONFIG_H -#define MCUBOOT_CONFIG_H - -#define MCUBOOT_IMAGE_NUMBER 1 -#define IMAGE_EXECUTABLE_RAM_START 0x20000000 -#define IMAGE_EXECUTABLE_RAM_SIZE 0x100000 - -//#define MCUBOOT_OVERWRITE_ONLY 1 -#undef MCUBOOT_RAM_LOAD -//#define MCUBOOT_DIRECT_XIP 1 -//#define MCUBOOT_DIRECT_XIP_REVERT 1 -#define MCUBOOT_SWAP_USING_MOVE 1 -//#define MCUBOOT_MODE_SWAP_USING_SCRATCH 1 - -#define MCUBOOT_MAX_IMG_SECTORS 128 -//#define MCUBOOT_USE_TINYCRYPT -#define MCUBOOT_USE_MBED_TLS -#define MCUBOOT_SIGNATURE_TYPE_ECDSA_P256 -#define MCUBOOT_ENC_IMAGES -#define MCUBOOT_SIGN_EC256 -#define MCUBOOT_ENCRYPT_EC256 -//#define MCUBOOT_AES_256 -#define MCUBOOT_VALIDATE_PRIMARY_SLOT -//#define MCUBOOT_SIGNATURE_KEY_NONE -//#define MCUBOOT_VALIDATE_SLOT0 1 -#define MCUBOOT_USE_FLASH_AREA_GET_SECTORS 1 -//#define MCUBOOT_HAVE_HWRNG -//#define MCUBOOT_ENC_GEN_KEY - - -#define MCUBOOT_WATCHDOG_FEED() \ - do { \ - /* TODO: to be implemented */ \ - } while (0) - - -#define MCUBOOT_HAVE_LOGGING 1 - - - -#endif /* MCUBOOT_CONFIG_H */ diff --git a/boot/stm32/include/mcuboot_config/mcuboot_logging.h b/boot/stm32/include/mcuboot_config/mcuboot_logging.h deleted file mode 100644 index 68abfdff61..0000000000 --- a/boot/stm32/include/mcuboot_config/mcuboot_logging.h +++ /dev/null 
@@ -1,14 +0,0 @@ -#ifndef __MCUBOOT_LOGGING_H__ -#define __MCUBOOT_LOGGING_H__ - -#include "boot_log_uart.h" - -#define MCUBOOT_LOG_ERR(...) boot_log_err(__VA_ARGS__) -#define MCUBOOT_LOG_WRN(...) boot_log_warn(__VA_ARGS__) -#define MCUBOOT_LOG_INF(...) boot_log_info(__VA_ARGS__) -#define MCUBOOT_LOG_DBG(...) boot_log_debug(__VA_ARGS__) - -#define MCUBOOT_LOG_MODULE_DECLARE(...) -#define MCUBOOT_LOG_MODULE_REGISTER(...) - -#endif /* __MCUBOOT_LOGGING_H__ */ \ No newline at end of file diff --git a/boot/stm32/include/mcuboot_config/mcuboot_rng.h b/boot/stm32/include/mcuboot_config/mcuboot_rng.h deleted file mode 100644 index 1e6b72fd23..0000000000 --- a/boot/stm32/include/mcuboot_config/mcuboot_rng.h +++ /dev/null @@ -1,9 +0,0 @@ -#ifndef __MCUBOOT_RNG_H__ -#define __MCUBOOT_RNG_H__ - -#include "rng_stm32.h" - -#define MCUBOOT_RNG(...) generator_rng_stm32(__VA_ARGS__) - - -#endif /* __MCUBOOT_RNG_H__ */ diff --git a/boot/stm32/include/rng_stm32/rng_stm32.h b/boot/stm32/include/rng_stm32/rng_stm32.h deleted file mode 100644 index bdb481c851..0000000000 --- a/boot/stm32/include/rng_stm32/rng_stm32.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef _STM32_RNG_H_ -#define _STM32_RNG_H_ - -#include "stm32wlxx_hal.h" - -extern RNG_HandleTypeDef hrng; - -HAL_StatusTypeDef generator_rng_stm32( uint32_t* val); - -#endif /*_STM32_RNG_H_*/ diff --git a/boot/stm32/include/sysflash/sysflash.h b/boot/stm32/include/sysflash/sysflash.h deleted file mode 100644 index 7e26882be9..0000000000 --- a/boot/stm32/include/sysflash/sysflash.h +++ /dev/null 
@@ -1,34 +0,0 @@ -#ifndef H_SYSFLASH_H__ -#define H_SYSFLASH_H__ - -#ifdef __cplusplus -extern "C" { -#endif - -#include -#include "mcuboot_config.h" -//#define FLASH_AREA_BOOTLOADER_ID 0 -#define FLASH_AREA_IMAGE_PRIMARY_ID 0 -#define FLASH_AREA_IMAGE_SECONDARY_ID 1 -#define FLASH_AREA_SCRATCH_ID 2 - - -#if (MCUBOOT_IMAGE_NUMBER == 1) - -#define FLASH_AREA_IMAGE_PRIMARY(x) FLASH_AREA_IMAGE_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) FLASH_AREA_IMAGE_SECONDARY_ID - -#else -#error "Image slot and flash area mapping is not defined" -#endif - -#define FLASH_AREA_IMAGE_SCRATCH FLASH_AREA_SCRATCH_ID - - -#define FLASH_AREA_REBOOT_LOG 255 - -#ifdef __cplusplus -} -#endif - -#endif /* H_SYSFLASH_H__ */ diff --git a/boot/stm32/src/boot_log_uart.c b/boot/stm32/src/boot_log_uart.c deleted file mode 100644 index 1bb3e03ae9..0000000000 --- a/boot/stm32/src/boot_log_uart.c +++ /dev/null @@ -1,52 +0,0 @@ -#include "stm32wlxx_hal.h" -#include "bootutil_log.h" -#include -#include -#include - -extern UART_HandleTypeDef huart1; - -static void boot_log_uart_send(const char *prefix, const char *msg, va_list args) { - char buffer[128]; - int len = snprintf(buffer, sizeof(buffer), "\r\n[%s] ", prefix); - vsnprintf(buffer + len, sizeof(buffer) - len, msg, args); - - - if (HAL_UART_GetState(&huart1) == HAL_UART_STATE_READY) { - HAL_UART_Transmit(&huart1, (uint8_t *)buffer, strlen(buffer), 10); - } -} - -void boot_log_info(const char *msg, ...) -{ - va_list args; - va_start(args, msg); - boot_log_uart_send("INFO", msg, args); - va_end(args); -} - - - -void boot_log_err(const char *msg, ...) -{ - va_list args; - va_start(args, msg); - boot_log_uart_send("ERR", msg, args); - va_end(args); -} - -void boot_log_warn(const char *msg, ...) -{ - va_list args; - va_start(args, msg); - boot_log_uart_send("WARN", msg, args); - va_end(args); -} - -void boot_log_debug(const char *msg, ...) -{ - va_list args; - va_start(args, msg); - boot_log_uart_send("DBG", msg, args); - va_end(args); -} 
diff --git a/boot/stm32/src/flash_map_backend.c b/boot/stm32/src/flash_map_backend.c deleted file mode 100644 index 85f35aa0ec..0000000000 --- a/boot/stm32/src/flash_map_backend.c +++ /dev/null 
@@ -1,226 +0,0 @@ -#include "flash_map_backend.h" -#include "stm32wlxx_hal.h" -#include -#include -#include "bootutil_log.h" - -extern UART_HandleTypeDef huart1; - -#define SLOT0_BASE 0x08011000 -//#define SLOT0_BASE 0x0800C000 -#define SLOT1_BASE 0x08021000 -//#define SLOT1_BASE 0x08026000 -//#define SCRATCH_BASE 0x0803000 - - -#define SLOT_SIZE 0x10000 -//#define SCRATCH_SIZE 0x1000 -#define SECTOR_SIZE 0x1000 -#define SECTOR_COUNT (SLOT_SIZE / SECTOR_SIZE) - -static struct flash_area slot0 = { - .fa_id = 0, - .fa_device_id = 0, - .fa_off = SLOT0_BASE, - .fa_size = SLOT_SIZE, -}; - -static struct flash_area slot1 = { - .fa_id = 1, - .fa_device_id = 0, - .fa_off = SLOT1_BASE, - .fa_size = SLOT_SIZE, -}; - -//static struct flash_area slot2 = { -// .fa_id = 2, -// .fa_device_id = 0, -// .fa_off = SCRATCH_BASE, -// .fa_size = SCRATCH_SIZE, -//}; - -int flash_area_open(uint8_t id, const struct flash_area **fa) { - switch (id) { - case 0: *fa = &slot0; return 0; - case 1: *fa = &slot1; return 0; -// case 2: *fa = &slot2; return 0; - default: - char msg[64]; - snprintf(msg, sizeof(msg), "Unknown slot id (%d)\r\n", id); - HAL_UART_Transmit(&huart1, (uint8_t*)msg, strlen(msg), HAL_MAX_DELAY); - return -1; - } -} - -void flash_area_close(const struct flash_area *fa) { - (void)fa; -} - -int flash_area_read(const struct flash_area *fa, uint32_t off, void *dst, uint32_t len) { - if ((off + len) > fa->fa_size) { - BOOT_LOG_ERR("Read out of bounds!, offset=%lu, len=%lu, fa_size=%lu\r\n", off, len, fa->fa_size); - return -1; - } - memcpy(dst, (const void *)(fa->fa_off + off), len); - return 0; -} - -int flash_area_write(const struct flash_area *fa, uint32_t off, const void *src, uint32_t len) { - HAL_FLASH_Unlock(); - const uint8_t *src_bytes = (const uint8_t *)src; - uint32_t addr = fa->fa_off + off; - for (uint32_t i = 0; i < len; i += 8) { - uint64_t data = 0xFFFFFFFFFFFFFFFF; - memcpy(&data, &src_bytes[i], (len - i >= 8) ? 
8 : (len - i)); - - if (HAL_FLASH_Program(FLASH_TYPEPROGRAM_DOUBLEWORD, addr + i, data) != HAL_OK) { - HAL_FLASH_Lock(); - return -1; - } - } - - HAL_FLASH_Lock(); - return 0; -} - - -int flash_area_erase(const struct flash_area *fa, uint32_t off, uint32_t len) { - HAL_FLASH_Unlock(); - - FLASH_EraseInitTypeDef erase = { - .TypeErase = FLASH_TYPEERASE_PAGES, - .Page = (fa->fa_off + off - FLASH_BASE) / FLASH_PAGE_SIZE, - .NbPages = (len + FLASH_PAGE_SIZE - 1) / FLASH_PAGE_SIZE, - }; - uint32_t page_error; - if (HAL_FLASHEx_Erase(&erase, &page_error) != HAL_OK) { - HAL_FLASH_Lock(); - return -1; - } - HAL_FLASH_Lock(); - return 0; -} - -//int flash_area_get_sectors(int fa_id, uint32_t *count, struct flash_sector *sectors) { -// -// BOOT_LOG_INF("bg"); -// if (fa_id == 0 || fa_id == 1) { -// *count =7; -// for (int i = 0; i < *count; i++) { -// sectors[i].fs_off = i * SECTOR_SIZE; -// sectors[i].fs_size = SECTOR_SIZE; -// } -// return 0; -// } -// return -1; -//} - -int flash_area_get_sectors(int fa_id, uint32_t *count, struct flash_sector *sectors) -{ - const struct flash_area *fa; - if (flash_area_open(fa_id, &fa) != 0) { - BOOT_LOG_ERR("Can not open fa_id=%d", fa_id); - return -1; - } - - uint32_t size = fa->fa_size; - uint32_t offset = 0; - uint32_t idx = 0; - *count = 0; - - while (offset < size && idx < MCUBOOT_MAX_IMG_SECTORS) { - uint32_t remain = size - offset; - uint32_t chunk = (remain >= SECTOR_SIZE) ? 
SECTOR_SIZE : remain; - - sectors[idx].fs_off = offset; - sectors[idx].fs_size = chunk; - - offset += chunk; - (idx)++; - } - uint32_t expected = (size + SECTOR_SIZE -1)/ SECTOR_SIZE; - if (idx != expected){ - BOOT_LOG_WRN("get_sectors: MCUBOOT count %d sectors, correction in %d (size=0x%X)", idx, expected, size); - } - - *count = idx; - BOOT_LOG_INF("get_sectors: fa_id=%d => %d sectors dedected (taille=0x%X)", - fa_id, idx, size); - return 0; -} - - - -int flash_area_align(const struct flash_area *fa) { - (void)fa; - return 8; -} - -int flash_area_erased_val(const struct flash_area *fa) { - (void)fa; - return 0xFF; -} - -int flash_area_id_from_multi_image_slot(int image_index, int slot) { - (void)image_index; - return slot; -} - -//int flash_area_get_sector(const struct flash_area *fa, uint32_t off, struct flash_sector *sector) -//{ -// BOOT_LOG_INF("hello"); -// if (off >= fa->fa_size) { -// BOOT_LOG_INF("error"); -// return -1; -// } -// sector->fs_off = (off / SECTOR_SIZE) * SECTOR_SIZE; -// sector->fs_size = SECTOR_SIZE; -// -// return 0; -//} -int flash_area_get_sector(const struct flash_area *fa, uint32_t off, struct flash_sector *sector) -{ - const struct flash_area *fa_ptr = fa; - - - if (fa_ptr == NULL) { - uint8_t default_id = 0; // par défaut slot0 - if (flash_area_open(default_id, &fa_ptr) != 0) { - BOOT_LOG_ERR("get_sector: impossible d'ouvrir slot par défaut"); - return -1; - } - } - - - if (off >= fa_ptr->fa_size) { - BOOT_LOG_ERR("get_sector: offset 0x%X hors du slot (taille=0x%X)", off, fa_ptr->fa_size); - return -1; - } - - uint32_t index = off / SECTOR_SIZE; - uint32_t remain = fa_ptr->fa_size - (index * SECTOR_SIZE); - - sector->fs_off = index * SECTOR_SIZE; - sector->fs_size = (remain < SECTOR_SIZE) ? 
remain : SECTOR_SIZE; - - BOOT_LOG_INF("get_sector: index=%d fs_off=0x%X fs_size=0x%X", - index, sector->fs_off, sector->fs_size); - return 0; -} - - - - - -int flash_area_id_to_multi_image_slot(int image_index, int area_id) -{ - switch (area_id) { - case 0: - return 0; - case 1: - return 1; - default: - return -1; - } -} - diff --git a/boot/stm32/src/key.c b/boot/stm32/src/key.c deleted file mode 100644 index 2c1681a0c2..0000000000 --- a/boot/stm32/src/key.c +++ /dev/null 
@@ -1,149 +0,0 @@ -/* - * Copyright (c) 2021 Espressif Systems (Shanghai) Co., Ltd. - * - * SPDX-License-Identifier: Apache-2.0 - */ - -#include -#include -#include "key.h" - -#if !defined(MCUBOOT_HW_KEY) -#if defined(MCUBOOT_SIGN_RSA) -#define HAVE_KEYS -extern const unsigned char rsa_pub_key[]; -extern const unsigned int rsa_pub_key_len; -#elif defined(MCUBOOT_SIGN_EC256) -#define HAVE_KEYS -extern const unsigned char ecdsa_pub_key[]; -extern const unsigned int ecdsa_pub_key_len; -#elif defined(MCUBOOT_SIGN_ED25519) -#define HAVE_KEYS -extern const unsigned char ed25519_pub_key[]; -extern const unsigned int ed25519_pub_key_len; -#endif - -/* - * NOTE: *_pub_key and *_pub_key_len are autogenerated based on the provided - * key file. If no key file was configured, the array and length must be - * provided and added to the build manually. - */ -/* Autogenerated by imgtool.py, do not edit. */ -const unsigned char ecdsa_pub_key[] = { - 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, - 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, - 0x42, 0x00, 0x04, 0x2a, 0xcb, 0x40, 0x3c, 0xe8, - 0xfe, 0xed, 0x5b, 0xa4, 0x49, 0x95, 0xa1, 0xa9, - 0x1d, 0xae, 0xe8, 0xdb, 0xbe, 0x19, 0x37, 0xcd, - 0x14, 0xfb, 0x2f, 0x24, 0x57, 0x37, 0xe5, 0x95, - 0x39, 0x88, 0xd9, 0x94, 0xb9, 0xd6, 0x5a, 0xeb, - 0xd7, 0xcd, 0xd5, 0x30, 0x8a, 0xd6, 0xfe, 0x48, - 0xb2, 0x4a, 0x6a, 0x81, 0x0e, 0xe5, 0xf0, 0x7d, - 0x8b, 0x68, 0x34, 0xcc, 0x3a, 0x6a, 0xfc, 0x53, - 0x8e, 0xfa, 0xc1, -}; -const unsigned int ecdsa_pub_key_len = 91; - -//unsigned char enc_priv_key[] = { -// 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, -// 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, -// 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20, -// 0xf6, 0x1e, 0x51, 0x9d, 0xf8, 0xfa, 0xdd, 0xa1, 0xb7, 0xd9, 0xa9, 0x64, -// 0x64, 0x3b, 0x54, 0xd0, 0x3d, 0xd0, 0x1f, 0xe5, 0x78, 0xd9, 0x17, 0x98, -// 0xa5, 0x28, 
0xca, 0xcc, 0x6b, 0x67, 0x9e, 0x06, 0xa1, 0x44, 0x03, 0x42, -// 0x00, 0x04, 0x8a, 0x44, 0x73, 0x00, 0x94, 0xc9, 0x80, 0x27, 0x31, 0x0d, -// 0x23, 0x36, 0x6b, 0xe9, 0x69, 0x9f, 0xcb, 0xc5, 0x7c, 0xc8, 0x44, 0x1a, -// 0x93, 0xe6, 0xee, 0x7d, 0x86, 0xa6, 0xae, 0x5e, 0x93, 0x72, 0x74, 0xd9, -// 0xe1, 0x5a, 0x1c, 0x9b, 0x65, 0x1a, 0x2b, 0x61, 0x41, 0x28, 0x02, 0x73, -// 0x84, 0x12, 0x97, 0x3a, 0x2d, 0xa2, 0xa0, 0x67, 0x77, 0x02, 0xda, 0x67, -// 0x1a, 0x4b, 0xdd, 0xd7, 0x71, 0xcc, -//}; -//unsigned int enc_priv_key_len = 138; - -//unsigned char enc_priv_key[] = { -// 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, -// 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, -// 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20, -// 0x7a, 0xcf, 0xe8, 0xe1, 0x96, 0x48, 0xc3, 0x7f, 0x37, 0x18, 0x17, 0x1f, -// 0x4d, 0x01, 0xf6, 0x31, 0xfc, 0x6c, 0x85, 0x55, 0x56, 0xf1, 0x93, 0xd0, -// 0x0d, 0x3a, 0xc0, 0xc6, 0xf8, 0x81, 0xfc, 0x33, 0xa1, 0x44, 0x03, 0x42, -// 0x00, 0x04, 0x92, 0xcc, 0x03, 0xdf, 0xd2, 0xc4, 0x05, 0xa0, 0x65, 0x36, -// 0x89, 0xaa, 0x66, 0xf1, 0x11, 0xf0, 0x0d, 0x83, 0x13, 0x14, 0x22, 0xb3, -// 0x0b, 0xc9, 0x88, 0xf9, 0x47, 0xc4, 0x7a, 0x28, 0xf5, 0xe8, 0x42, 0x30, -// 0xfb, 0xeb, 0x5d, 0x47, 0x2a, 0x74, 0x3f, 0xd5, 0xbd, 0x2c, 0xe1, 0xb5, -// 0x13, 0xf8, 0x78, 0x69, 0x53, 0x58, 0x0d, 0xf1, 0x24, 0xe3, 0x5e, 0x5c, -// 0x7c, 0x1a, 0xe5, 0xe4, 0xf4, 0xa7 -//}; -// unsigned int enc_priv_key_len = 138; - -// unsigned char enc_priv_key[] = { -// 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, -// 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, -// 0x03, 0x01, 0x07, 0x04, 0x6D, 0x30, 0x6B, 0x02, 0x01, 0x00, 0x04, 0x20, -// 0x0E, 0x5C, 0xB2, 0xD9, 0x8A, 0x66, 0xC7, 0xF8, 0x32, 0xCD, 0x82, 0x04, -// 0xF4, 0x5C, 0x52, 0x0C, 0x19, 0xC8, 0xF8, 0xB5, 0x44, 0x8B, 0xD7, 0x9D, -// 0x1A, 0x19, 0x6D, 0x37, 0x85, 0x4F, 0xB5, 0xDB, 0xA1, 0x44, 0x03, 0x42, -// 0x00, 0x04, 
0xD3, 0x68, 0x53, 0xB8, 0x72, 0xFA, 0x9B, 0x35, 0xF9, 0xCC, -// 0x08, 0x78, 0x40, 0x4A, 0xCB, 0x3B, 0xDB, 0xA0, 0xAC, 0xE5, 0x8A, 0x42, -// 0xBA, 0x9E, 0x2F, 0x64, 0x06, 0x6D, 0x98, 0xFC, 0xA3, 0x8A, 0x47, 0x5A, -// 0x93, 0x8D, 0xF4, 0xEF, 0xBE, 0xEE, 0x68, 0xA2, 0x09, 0x02, 0xA8, 0xB2, -// 0xEB, 0x42, 0xC8, 0x12, 0xE6, 0x45, 0x14, 0x23, 0x66, 0x43, 0x50, 0x8A, -// 0x13, 0x70, 0xA6, 0xBB, 0x1E, 0xF2 -// }; -// unsigned int enc_priv_key_len = 138; - -unsigned char enc_priv_key[] = { - 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, - 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20, - 0x0e, 0x5c, 0xb2, 0xd9, 0x8a, 0x66, 0xc7, 0xf8, 0x32, 0xcd, 0x82, 0x04, - 0xf4, 0x5c, 0x52, 0x0c, 0x19, 0xc8, 0xf8, 0xb5, 0x44, 0x8b, 0xd7, 0x9d, - 0x1a, 0x19, 0x6d, 0x37, 0x85, 0x4f, 0xb5, 0xdb, 0xa1, 0x44, 0x03, 0x42, - 0x00, 0x04, 0xd3, 0x68, 0x53, 0xb8, 0x72, 0xfa, 0x9b, 0x35, 0xf9, 0xcc, - 0x08, 0x78, 0x40, 0x4a, 0xcb, 0x3b, 0xdb, 0xa0, 0xac, 0xe5, 0x8a, 0x42, - 0xba, 0x9e, 0x2f, 0x64, 0x06, 0x6d, 0x98, 0xfc, 0xa3, 0x8a, 0x47, 0x5a, - 0x93, 0x8d, 0xf4, 0xef, 0xbe, 0xee, 0x68, 0xa2, 0x09, 0x02, 0xa8, 0xb2, - 0xeb, 0x42, 0xc8, 0x12, 0xe6, 0x45, 0x14, 0x23, 0x66, 0x43, 0x50, 0x8a, - 0x13, 0x70, 0xa6, 0xbb, 0x1e, 0xf2 -}; -unsigned int enc_priv_key_len = 138; - -//unsigned char enc_priv_key[]; -//unsigned int enc_priv_key_len = 138; -const struct bootutil_key bootutil_enc_key = { - .key = enc_priv_key, - .len = &enc_priv_key_len, -}; - -#if defined(HAVE_KEYS) -const struct bootutil_key bootutil_keys[] = { - { -#if defined(MCUBOOT_SIGN_RSA) - .key = rsa_pub_key, - .len = &rsa_pub_key_len, -#elif defined(MCUBOOT_SIGN_EC256) - .key = ecdsa_pub_key, - .len = &ecdsa_pub_key_len, -#elif defined(MCUBOOT_SIGN_ED25519) - .key = ed25519_pub_key, - .len = &ed25519_pub_key_len, -#endif - }, -}; -const int bootutil_key_cnt = 1; -#endif /* HAVE_KEYS */ -#else -unsigned int 
pub_key_len; -struct bootutil_key bootutil_keys[1] = { - { - .key = 0, - .len = &pub_key_len, - } -}; -const int bootutil_key_cnt = 1; -#endif /* !MCUBOOT_HW_KEY */ - - - - diff --git a/boot/stm32/src/rng_stm32.c b/boot/stm32/src/rng_stm32.c deleted file mode 100644 index ad485b2a0b..0000000000 --- a/boot/stm32/src/rng_stm32.c +++ /dev/null @@ -1,9 +0,0 @@ -#include "stm32wlxx_hal.h" - -RNG_HandleTypeDef hhrng; - -HAL_StatusTypeDef generator_rng_stm32(uint32_t* val){ - - return HAL_RNG_GenerateRandomNumber(&hhrng, val); -} - From 9edbe1baeb52595f442d932fd1ff5258e446a42b Mon Sep 17 00:00:00 2001 From: "le noa, emilien" Date: Tue, 21 Oct 2025 16:05:25 +0200 Subject: [PATCH 16/35] change license --- boot/bootutil/include/bootutil/generate_key_pair.h | 5 +++++ boot/bootutil/src/generate_key_pair.c | 3 +-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/boot/bootutil/include/bootutil/generate_key_pair.h b/boot/bootutil/include/bootutil/generate_key_pair.h index 48139d66ae..9b411d76d0 100644 --- a/boot/bootutil/include/bootutil/generate_key_pair.h +++ b/boot/bootutil/include/bootutil/generate_key_pair.h @@ -1,3 +1,8 @@ +/* + * Copyright (c) 2025 WIKA Alexander Wiegand SE & Co. KG + * + * SPDX-License-Identifier: Apache-2.0 + */ #ifndef __GENERATE_KEY_PAIR_H__ #define __GENERATE_KEY_PAIR_H__ diff --git a/boot/bootutil/src/generate_key_pair.c b/boot/bootutil/src/generate_key_pair.c index c673875b02..9ff121c509 100644 --- a/boot/bootutil/src/generate_key_pair.c +++ b/boot/bootutil/src/generate_key_pair.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2025 Nordic Semiconductor ASA + * Copyright (c) 2025 WIKA Alexander Wiegand SE & Co. KG * * SPDX-License-Identifier: Apache-2.0 */ @@ -11,7 +11,6 @@ #include "mbedtls/ctr_drbg.h" #include "mbedtls/pk.h" #include "mbedtls/ecp.h" -#include "stm32wlxx_hal.h" #include "bootutil/generate_key_pair.h" // #include "key/key.h" #include "bootutil/bootutil_log.h" From 95775acc6bc0ada3f39c97b665e1f35a834d820d Mon Sep 17 00:00:00 2001 
From: "le noa, emilien" Date: Tue, 21 Oct 2025 16:17:02 +0200 Subject: [PATCH 17/35] minor change --- boot/bootutil/src/loader.c | 2 +- boot/zephyr/main.c | 2 +- ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 945db76793..aabb9069aa 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -55,7 +55,7 @@ #endif #if !defined(MCUBOOT_DIRECT_XIP) && !defined(MCUBOOT_RAM_LOAD) -//#include +#include #endif #include "mcuboot_config/mcuboot_config.h" diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 98ae31d0e4..0df88adee6 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -645,7 +645,7 @@ int main(void) #if defined(MCUBOOT_GEN_ENC_KEY) && defined(MCUBOOT_HAVE_HWRNG) mbedtls_pk_context pk; // uint32_t val; - // if (HAL_RNG_GenerateRandomNumber(&hrng, &val) != HAL_OK) { + // if (HAL_RNG_GenerateRandomuNmber(&hrng, &val) != HAL_OK) { // BOOT_LOG_ERR("RNG lecture fails"); // } diff --git a/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h b/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h index 373773a9a3..ce98d20469 100644 --- a/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h +++ b/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h @@ -74,8 +74,8 @@ * for some platforms, such as Unix and Linux. For other platforms, you may need * to provide another PRNG function. */ -//#define default_RNG_defined 1 -#define default_RNG_defined 0 +#define default_RNG_defined 1 + int default_CSPRNG(uint8_t *dest, unsigned int size); From be548f76cdb67cadbd749083ba82fcba779adcd5 Mon Sep 17 00:00:00 2001 From: "le noa, emilien" Date: Tue, 21 Oct 2025 16:18:21 +0200 Subject: [PATCH 18/35] minor change --- ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h | 1 - 1 file changed, 1 deletion(-) 
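Review bot: In ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h, switching `default_RNG_defined` from 0 to 1 makes tinycrypt's ECC code use `default_CSPRNG()` as its random source, and the comment just above the define says that default is meant for platforms such as Unix and Linux. Nothing in this commit shows a `default_CSPRNG()` implementation for the bootloader target, so the build either fails to link or relies on an implementation whose entropy source has not been reviewed here. I would leave the value at 0 until a platform CSPRNG is wired in, and otherwise document the provider next to the define, for example `/* default_CSPRNG() is provided by <platform source file>, backed by the entropy driver */`. Since this edits vendored code under ext/tinycrypt, a build-time override would be easier to maintain than patching the header.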
diff --git a/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h b/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h index ce98d20469..e2c882356e 100644 --- a/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h +++ b/ext/tinycrypt/lib/include/tinycrypt/ecc_platform_specific.h @@ -76,7 +76,6 @@ */ #define default_RNG_defined 1 - int default_CSPRNG(uint8_t *dest, unsigned int size); #endif /* __UECC_PLATFORM_SPECIFIC_H_ */ From c4a1fed89c0007de34e1596f1979f94a16d3cef6 Mon Sep 17 00:00:00 2001 From: "le noa, emilien" Date: Thu, 23 Oct 2025 11:28:26 +0200 Subject: [PATCH 19/35] remove stm32 --- .../include/bootutil/generate_key_pair.h | 4 +- boot/bootutil/src/generate_key_pair.c | 11 ++-- boot/zephyr/app.overlay | 25 ++++--- boot/zephyr/prj.conf | 65 +++++++++++++++++++ 4 files changed, 89 insertions(+), 16 deletions(-) diff --git a/boot/bootutil/include/bootutil/generate_key_pair.h b/boot/bootutil/include/bootutil/generate_key_pair.h index 9b411d76d0..2f1beb3a90 100644 --- a/boot/bootutil/include/bootutil/generate_key_pair.h +++ b/boot/bootutil/include/bootutil/generate_key_pair.h @@ -13,9 +13,9 @@ extern "C" { #include "mbedtls/ctr_drbg.h" #include "mbedtls/pk.h" #include "mbedtls/ecp.h" -#include "stm32wlxx_hal.h" -extern RNG_HandleTypeDef hrng; + + int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen); int gen_p256_keypair(mbedtls_pk_context *pk); void dump_p256(const mbedtls_pk_context *pk); diff --git a/boot/bootutil/src/generate_key_pair.c b/boot/bootutil/src/generate_key_pair.c index 9ff121c509..eeaa03def2 100644 --- a/boot/bootutil/src/generate_key_pair.c +++ b/boot/bootutil/src/generate_key_pair.c @@ -29,6 +29,7 @@ extern unsigned int enc_priv_key_len; * * @return 0 on success or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED on RNG failure. */ +// #if defined(CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR) int mbedtls_hardware_polll(void *data, unsigned char *output, size_t len, size_t *olen) { 
@@ -45,11 +46,11 @@ int mbedtls_hardware_polll(void *data, unsigned char *output, size_t len, size_t // if (HAL_RNG_GenerateRandomNumber(&hrng, &val) != HAL_OK) { while (produced < len) { - if (BOOT_RNG(&val) != HAL_OK) { - BOOT_LOG_ERR("RNG reads fails at %lu/%lu bytes", (unsigned long)produced, (unsigned long)len); - *olen = produced; - return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; - } + // if (BOOT_RNG(&val) != HAL_OK) { + // BOOT_LOG_ERR("RNG reads fails at %lu/%lu bytes", (unsigned long)produced, (unsigned long)len); + // *olen = produced; + // return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; + // } size_t copy_len = (len - produced >= 4) ? 4 : (len - produced); memcpy(output + produced, &val, copy_len); diff --git a/boot/zephyr/app.overlay b/boot/zephyr/app.overlay index 292970d91d..7f540cc2ed 100644 --- a/boot/zephyr/app.overlay +++ b/boot/zephyr/app.overlay @@ -9,15 +9,22 @@ read-only; }; -&lpuart1 { - pinctrl-0 = <&lpuart1_tx_pa2 &lpuart1_rx_pa3>; - pinctrl-names = "default"; - current-speed = <9600>; - status = "okay"; +&uart20 { + current-speed = <115200>; + pinctrl-0 = <&uart20_default>; + pinctrl-1 = <&uart20_sleep>; + pinctrl-names = "default", "sleep"; }; -&rng { - status = "okay"; - // clocks = <&rcc STM32_CLOCK_BUS_AHB2 0x00040000>, - // <&rcc STM32_SRC_MSI 3>; +&uart30 { + current-speed = <115200>; + pinctrl-0 = <&uart30_default>; + pinctrl-1 = <&uart30_sleep>; + pinctrl-names = "default", "sleep"; }; + +// &rng { +// status = "okay"; +// // clocks = <&rcc STM32_CLOCK_BUS_AHB2 0x00040000>, +// // <&rcc STM32_SRC_MSI 3>; +// }; diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 515e53008f..6ae1b11b29 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf 
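Review bot: In boot/bootutil/src/generate_key_pair.c, commenting out the `BOOT_RNG(&val)` check also removes the only call that refreshes `val` inside `while (produced < len)`, so every chunk copied into `output` is the same word and the function still reports success. An entropy callback that behaves this way hands predictable seed material to whatever consumes it, including key generation. Keep the call and replace only the STM32-specific status comparison, for example `if (BOOT_RNG(&val) != 0) { *olen = produced; return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; }`, assuming `BOOT_RNG` returns 0 on success. The function is also spelled `mbedtls_hardware_polll` here while the header declares `mbedtls_hardware_poll`, so it may not be the symbol mbedTLS actually calls. The start and end of the function are outside this hunk.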
@@ -61,6 +61,71 @@ CONFIG_BOOT_SIGNATURE_KEY_FILE="root-ec-p256.pem" # #define MCUBOOT_SWAP_USING_MOVE 1 # //#define MCUBOOT_MODE_SWAP_USING_SCRATCH 1 +# #define MCUBOOT_MAX_IMG_SECTORS 128 +# #define MCUBOOT_USE_TINYCRYPT +# //#define MCUBOOT_USE_MBED_TLS +# #define MCUBOOT_SIGNATURE_TYPE_ECDSA_P256 +# #define MCUBOOT_ENC_IMAGES +# #define MCUBOOT_SIGN_EC256 +# #define MCUBOOT_ENCRYPT_EC256 +# //#define MCUBOOT_AES_256 +# #define MCUBOOT_VALIDATE_PRIMARY_SLOT +# //#define MCUBOOT_SIGNATURE_KEY_NONE +# //#define MCUBOOT_VALIDATE_SLOT0 1 +# #define MCUBOOT_USE_FLASH_AREA_GET_SECTORS 1 +#user +# CONFIG_BOOT_USE_TINYCRYPT=y + +# CONFIG_SINGLE_APPLICATION_SLOT=y +# CONFIG_BOOT_UPGRADE_ONLY=y +# CONFIG_BOOT_ENCRYPT_IMAGE=y +CONFIG_BOOT_VALIDATE_SLOT0=y +CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y +CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y +CONFIG_MBEDTLS_PK_WRITE_C=y +CONFIG_MBEDTLS_ENTROPY_C=y +CONFIG_MBEDTLS_ECDSA_C=y +CONFIG_BOOT_SIGNATURE_KEY_FILE="root-ec-p256.pem" +# CONFIG_BOOT_PREFER_SWAP_MOVE=y +CONFIG_BOOT_ECDSA_MBEDTLS=y +CONFIG_BOOT_HAVE_HWRNG=y +# CONFIG_BOOT_GEN_ENC_KEY=y +# CONFIG_ENTROPY_GENERATOR=y +# CONFIG_ENTROPY_STM32_RNG=y +# CONFIG_HARDWARE_DEVICE_CS_GENERATOR=y +# CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR=y +# CONFIG_ENTROPY_STM32_RNG=y +# CONFIG_ENTROPY_GENERATOR=y +# CONFIG_STACK_POINTER_RANDOM=0 +CONFIG_TEST_RANDOM_GENERATOR=y +CONFIG_TIMER_RANDOM_GENERATOR=y +# CONFIG_TEST_CSPRNG_GENERATOR=y +# CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y +# if needed for debug +CONFIG_LOG=y +CONFIG_MCUBOOT_LOG_LEVEL_INF=y +CONFIG_LOG_DEFAULT_LEVEL=4 + +# CONFIG_BOOT_MAX_IMG_SECTORS_AUTO=y +# CONFIG_BOOT_IMAGE_EXECUTABLE_RAM_START=20000000 +# CONFIG_BOOT_IMAGE_EXECUTABLE_RAM_SIZE=100000 +#define MCUBOOT_IMAGE_NUMBER 1 +# CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD=y + +#ifndef MCUBOOT_CONFIG_H +#define MCUBOOT_CONFIG_H + +#define MCUBOOT_IMAGE_NUMBER 1 +#define IMAGE_EXECUTABLE_RAM_START 0x20000000 +#define IMAGE_EXECUTABLE_RAM_SIZE 0x100000 + +# //#define MCUBOOT_OVERWRITE_ONLY 1 +# 
#undef MCUBOOT_RAM_LOAD +# //#define MCUBOOT_DIRECT_XIP 1 +# //#define MCUBOOT_DIRECT_XIP_REVERT 1 +# #define MCUBOOT_SWAP_USING_MOVE 1 +# //#define MCUBOOT_MODE_SWAP_USING_SCRATCH 1 + # #define MCUBOOT_MAX_IMG_SECTORS 128 # #define MCUBOOT_USE_TINYCRYPT # //#define MCUBOOT_USE_MBED_TLS From fcb06370a190f01ca7317bfeee7310bb7c66b04d Mon Sep 17 00:00:00 2001 From: "le noa, emilien" Date: Fri, 24 Oct 2025 11:55:57 +0200 Subject: [PATCH 20/35] Replace stm32 by generic and define zephyrpoll --- boot/bootutil/src/generate_key_pair.c | 21 ++++++++++----------- boot/zephyr/app.overlay | 6 +----- boot/zephyr/{rng_stm32.c => boot_rng.c} | 4 ++-- boot/zephyr/include/boot_rng.h | 13 +++++++++++++ boot/zephyr/include/rng_stm32.h | 13 ------------- boot/zephyr/mbedtls.conf | 14 ++++++++++++++ boot/zephyr/prj.conf | 2 -- 7 files changed, 40 insertions(+), 33 deletions(-) rename boot/zephyr/{rng_stm32.c => boot_rng.c} (63%) create mode 100644 boot/zephyr/include/boot_rng.h delete mode 100644 boot/zephyr/include/rng_stm32.h create mode 100644 boot/zephyr/mbedtls.conf diff --git a/boot/bootutil/src/generate_key_pair.c b/boot/bootutil/src/generate_key_pair.c index eeaa03def2..0bb79430d9 100644 --- a/boot/bootutil/src/generate_key_pair.c +++ b/boot/bootutil/src/generate_key_pair.c 
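Review bot: In boot/zephyr/prj.conf, `CONFIG_TEST_RANDOM_GENERATOR=y` and `CONFIG_TIMER_RANDOM_GENERATOR=y` select Zephyr's test-only, timer-based number generator. The same block sets `CONFIG_BOOT_HAVE_HWRNG=y` but leaves every entropy driver option (`CONFIG_ENTROPY_GENERATOR`, `CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR`) commented out. A bootloader that generates or handles key material should not draw randomness from that source, so I would enable the board's entropy driver together with `CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y` and drop the two test options, or else drop `CONFIG_BOOT_HAVE_HWRNG`. The added block also repeats settings that already appear earlier in the file, such as `CONFIG_BOOT_SIGNATURE_KEY_FILE`, and includes pasted C preprocessor lines (`#ifndef MCUBOOT_CONFIG_H`, `#define MCUBOOT_IMAGE_NUMBER 1`) that Kconfig treats as comments. Trimming it to the options actually in force would make the effective security configuration reviewable.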
@@ -29,28 +29,27 @@ extern unsigned int enc_priv_key_len; * * @return 0 on success or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED on RNG failure. */ -// #if defined(CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR) -int mbedtls_hardware_polll(void *data, unsigned char *output, size_t len, size_t *olen) +#if !defined(CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR) +#define NBR_WARM_UP 8 +int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) { (void)data; uint32_t val; size_t produced = 0; // Warm-up - for (int i = 0; i < 8; i++) { -// HAL_RNG_GenerateRandomNumber(&hrng, &val); + for (int i = 0; i < NBR_WARM_UP ; i++) { BOOT_RNG(&val); } BOOT_LOG_DBG("mbedtls_hardware_poll: ask %lu bytes", (unsigned long)len); -// if (HAL_RNG_GenerateRandomNumber(&hrng, &val) != HAL_OK) { while (produced < len) { - // if (BOOT_RNG(&val) != HAL_OK) { - // BOOT_LOG_ERR("RNG reads fails at %lu/%lu bytes", (unsigned long)produced, (unsigned long)len); - // *olen = produced; - // return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; - // } + if (BOOT_RNG(&val) != HAL_OK) { + BOOT_LOG_ERR("RNG reads fails at %lu/%lu bytes", (unsigned long)produced, (unsigned long)len); + *olen = produced; + return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; + } size_t copy_len = (len - produced >= 4) ? 4 : (len - produced); memcpy(output + produced, &val, copy_len); @@ -64,7 +63,7 @@ int mbedtls_hardware_polll(void *data, unsigned char *output, size_t len, size_t BOOT_LOG_INF("mbedtls_hardware_poll: total generated = %lu bytes", (unsigned long)*olen); return 0; } - +#endif /* * Generate an EC-P256 key pair using the mbedTLS library * diff --git a/boot/zephyr/app.overlay b/boot/zephyr/app.overlay index 7f540cc2ed..28d691f8d6 100644 --- a/boot/zephyr/app.overlay +++ b/boot/zephyr/app.overlay @@ -23,8 +23,4 @@ pinctrl-names = "default", "sleep"; }; -// &rng { -// status = "okay"; -// // clocks = <&rcc STM32_CLOCK_BUS_AHB2 0x00040000>, -// // <&rcc STM32_SRC_MSI 3>; -// }; + 
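Review bot: The warm-up loop at the top of `mbedtls_hardware_poll` discards the return value of `BOOT_RNG(&val)`, and the re-enabled check in the main loop compares against `HAL_OK`, an STM32 HAL symbol that a commit making the code generic presumably cannot rely on. Compare against zero in both places, e.g. `if (BOOT_RNG(&val) != 0) { *olen = 0; return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; }` inside the warm-up loop. The rename from `mbedtls_hardware_polll` to `mbedtls_hardware_poll` is also not matched at the call site in this patch; the `mbedtls_ctr_drbg_seed` call still names the old symbol until PATCH 21/35. Part of the function body lies between the two hunks and is not visible here.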
diff --git a/boot/zephyr/rng_stm32.c b/boot/zephyr/boot_rng.c similarity index 63% rename from boot/zephyr/rng_stm32.c rename to boot/zephyr/boot_rng.c index 4adc5d24cc..fcd2127d51 100644 --- a/boot/zephyr/rng_stm32.c +++ b/boot/zephyr/boot_rng.c @@ -1,9 +1,9 @@ -#include "rng_stm32.h" +#include "boot_rng.h" static const struct device *entropy_dev = NULL; static bool initialized = false; -int generator_rng_stm32(uint32_t *val) +int generator_hw_rng(uint32_t *val) { *val = sys_rand32_get(); diff --git a/boot/zephyr/include/boot_rng.h b/boot/zephyr/include/boot_rng.h new file mode 100644 index 0000000000..a54c4ec2c4 --- /dev/null +++ b/boot/zephyr/include/boot_rng.h @@ -0,0 +1,13 @@ +#ifndef _BOOT_RNG_H_ +#define _BOOT_RNG_H_ + +#include +#include +#include + + + +int generator_hw_rng(uint32_t* val); + + +#endif /*_BOOT_RNG_H_*/ diff --git a/boot/zephyr/include/rng_stm32.h b/boot/zephyr/include/rng_stm32.h deleted file mode 100644 index 300ab60b38..0000000000 --- a/boot/zephyr/include/rng_stm32.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef _STM32_RNG_H_ -#define _STM32_RNG_H_ - -#include -#include -#include - - - -int generator_rng_stm32(uint32_t* val); - - -#endif /*_STM32_RNG_H_*/ diff --git a/boot/zephyr/mbedtls.conf b/boot/zephyr/mbedtls.conf new file mode 100644 index 0000000000..43eab76e50 --- /dev/null +++ b/boot/zephyr/mbedtls.conf @@ -0,0 +1,14 @@ +# config for ecdsa gen keys and encryption +CONFIG_MBEDTLS_ECDSA_C=y +CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y +CONFIG_MBEDTLS_PK_WRITE_C=y +CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y +CONFIG_MBEDTLS_CIPHER_MODE_CTR_ENABLED=y +CONFIG_MBEDTLS_CIPHER=y +CONFIG_MBEDTLS_ECP_C=y +CONFIG_MBEDTLS_NIST_KW_C=y +CONFIG_MBEDTLS_CTR_DRBG_ENABLED=y +CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y +CONFIG_MBEDTLS_ASN1_PARSE_C=y +CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y +CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR=y \ No newline at end of file diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 6ae1b11b29..fed9c6616e 100644 
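Review bot: `generator_hw_rng()` is named for a hardware RNG but fills `*val` from `sys_rand32_get()`, which Zephyr documents as not cryptographically secure and which is backed by the test or timer generator when the configuration selects those. This value presumably reaches mbedTLS as the entropy source for key generation through `BOOT_RNG`, so I would use `return sys_csrand_get(val, sizeof(*val));` instead; a missing entropy driver then shows up as an error rather than as weak output. The statics `entropy_dev` and `initialized` look unused in the visible lines. The function body continues outside the hunk.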
--- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -91,10 +91,8 @@ CONFIG_BOOT_ECDSA_MBEDTLS=y CONFIG_BOOT_HAVE_HWRNG=y # CONFIG_BOOT_GEN_ENC_KEY=y # CONFIG_ENTROPY_GENERATOR=y -# CONFIG_ENTROPY_STM32_RNG=y # CONFIG_HARDWARE_DEVICE_CS_GENERATOR=y # CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR=y -# CONFIG_ENTROPY_STM32_RNG=y # CONFIG_ENTROPY_GENERATOR=y # CONFIG_STACK_POINTER_RANDOM=0 CONFIG_TEST_RANDOM_GENERATOR=y From 3eec1a8c45f95d87b3d4f45738d679e19933d65a Mon Sep 17 00:00:00 2001 From: "emilien.lenoa" Date: Wed, 29 Oct 2025 15:59:06 +0100 Subject: [PATCH 21/35] nrf port and mbedtls conf --- .gitignore | 6 + boot/bootutil/src/generate_key_pair.c | 43 ++++--- boot/zephyr/CMakeLists.txt | 2 +- boot/zephyr/Kconfig | 19 ++- boot/zephyr/app.overlay | 2 + .../include/mcuboot_config/mcuboot_rng.h | 4 +- boot/zephyr/main.c | 12 +- boot/zephyr/prj.conf | 108 +++--------------- zephyr/module.yml | 6 +- 9 files changed, 66 insertions(+), 136 deletions(-) diff --git a/.gitignore b/.gitignore index 422ec24362..c53469c1d1 100644 --- a/.gitignore +++ b/.gitignore @@ -29,3 +29,9 @@ rusty-tags.* # The target directory from Rust development /target/ + +build* +_build* + +west.yml +module.yml \ No newline at end of file diff --git a/boot/bootutil/src/generate_key_pair.c b/boot/bootutil/src/generate_key_pair.c index 0bb79430d9..d9352c6c8d 100644 --- a/boot/bootutil/src/generate_key_pair.c +++ b/boot/bootutil/src/generate_key_pair.c @@ -7,6 +7,7 @@ // #if defined(MCUBOOT_GEN_ENC_KEY) #include +#include #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/pk.h" 
@@ -41,11 +42,12 @@ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t for (int i = 0; i < NBR_WARM_UP ; i++) { BOOT_RNG(&val); } + BOOT_LOG_INF("RNG value: %u\r\n",val); - BOOT_LOG_DBG("mbedtls_hardware_poll: ask %lu bytes", (unsigned long)len); - + BOOT_LOG_INF("mbedtls_hardware_poll: ask %lu bytes", (unsigned long)len); + while (produced < len) { - if (BOOT_RNG(&val) != HAL_OK) { + if (BOOT_RNG(&val) != 0) { BOOT_LOG_ERR("RNG reads fails at %lu/%lu bytes", (unsigned long)produced, (unsigned long)len); *olen = produced; return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; @@ -54,16 +56,21 @@ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t size_t copy_len = (len - produced >= 4) ? 4 : (len - produced); memcpy(output + produced, &val, copy_len); produced += copy_len; - - BOOT_LOG_DBG("%08lX",(unsigned long)val,(unsigned long)produced,(unsigned long)len); + BOOT_LOG_INF("%08lX",(unsigned long)val,(unsigned long)produced,(unsigned long)len); } - *olen = produced; BOOT_LOG_INF("mbedtls_hardware_poll: total generated = %lu bytes", (unsigned long)*olen); return 0; } #endif + +int mbedtls_hardware_polll_full(void *data, unsigned char *output, size_t len){ + + size_t dummy; + return mbedtls_hardware_poll(data, output, len, &dummy); + +} /* * Generate an EC-P256 key pair using the mbedTLS library * @@ -84,7 +91,7 @@ int gen_p256_keypair(mbedtls_pk_context *pk) /* * Seeds the random number generator using a hardware entropy source */ - ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_hardware_polll, NULL,pers, sizeof(pers)-1); + ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_hardware_polll_full, NULL,pers, sizeof(pers)-1); if (ret != 0) { BOOT_LOG_ERR("SEED FAIL ret=%d", ret); goto cleanup; 
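Review bot: The added `BOOT_LOG_INF("RNG value: %u\r\n",val);` and the per-word `BOOT_LOG_INF("%08lX", ...)` in the copy loop write every word of the DRBG seed material to the boot log at INF level, where the previous code used DBG. Whoever can read the console then holds the input the key pair is derived from, so I would remove both lines and keep only the byte-count messages. The `"%08lX"` format also consumes one argument but is passed three. `mbedtls_hardware_polll_full` is defined outside the `#if !defined(CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR)` guard and has no declaration in the visible header; it could be `static`, and its name carries the `polll` typo forward.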
@@ -161,34 +168,24 @@ void dump_p256(const mbedtls_pk_context *pk) } int export_pub_pem(mbedtls_pk_context *pk) { - unsigned char buf[800]; - unsigned char buf1[800]; + unsigned char buf_pub[800]; + unsigned char buf_priv[800]; int ret; - ret = mbedtls_pk_write_pubkey_pem(pk, buf, sizeof(buf)); + ret = mbedtls_pk_write_pubkey_pem(pk, buf_pub, sizeof(buf_pub)); if (ret != 0) { return ret; } - ret = mbedtls_pk_write_key_pem(pk, buf1, sizeof(buf1)); + ret = mbedtls_pk_write_key_pem(pk, buf_priv, sizeof(buf_priv)); if (ret != 0) { return ret; } - char *line = strtok((char *)buf,"\n"); - while(line != NULL){ - BOOT_LOG_INF("%s", line); - line = strtok(NULL,"\n"); - } - - char *line1 = strtok((char *)buf1,"\n"); - while(line1 != NULL){ - BOOT_LOG_INF("%s", line1); - line1 = strtok(NULL,"\n"); - } - + BOOT_LOG_INF("\n%s", buf_pub); + BOOT_LOG_INF("\n%s", buf_priv); return 0; } diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 57e46b29d8..999527e3b7 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -193,7 +193,7 @@ else() endif() if(CONFIG_BOOT_HAVE_HWRNG) zephyr_library_sources( - rng_stm32.c + boot_rng.c ) endif() if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 0376e7bf06..7ff402ae85 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig 
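Review bot: `export_pub_pem()` still writes the private key to the log, which its name does not suggest: `buf_priv` is filled by `mbedtls_pk_write_key_pem()` and printed with `BOOT_LOG_INF("\n%s", buf_priv);`. If printing the private key is intended for provisioning, it belongs in a separately named function behind its own build option and documented as development-only; otherwise the second write and log should go. `buf_priv` should also be wiped on every return path, e.g. `mbedtls_platform_zeroize(buf_priv, sizeof(buf_priv));`. The same function body is re-added unchanged by the `@@ -137,13 +136,57 @@` hunk of PATCH 23/35.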
@@ -314,16 +314,25 @@ config BOOT_ECDSA_MBEDTLS select BOOT_IMG_HASH_ALG_SHA512_ALLOW select MBEDTLS select MBEDTLS_ECDSA_C - select MBEDTLS_ECP_C - select MBEDTLS_X509_USE_C select MBEDTLS_ECP_DP_SECP256R1_ENABLED - select MBEDTLS_SHA512 - select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN && !BOOT_KEY_IMPORT_BYPASS_ASN - select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE + select MBEDTLS_ECP_DP_SECP521R1_ENABLED + select MBEDTLS_ECDH_C + select MBEDTLS_PEM_FORMAT + + + endchoice # Ecdsa implementation endif +# config CONFIG_MBEDTLS_PEM_FORMAT +# bool +# select MBEDTLS +# select MBEDTLS_PEM_FORMAT + + + + config BOOT_SIGNATURE_TYPE_ED25519 bool "Edwards curve digital signatures using ed25519" select BOOT_ENCRYPTION_SUPPORT if !BOOT_SIGNATURE_TYPE_PURE diff --git a/boot/zephyr/app.overlay b/boot/zephyr/app.overlay index 28d691f8d6..72c8d71215 100644 --- a/boot/zephyr/app.overlay +++ b/boot/zephyr/app.overlay @@ -24,3 +24,5 @@ }; + + diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_rng.h b/boot/zephyr/include/mcuboot_config/mcuboot_rng.h index 1e6b72fd23..9c5610acf7 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_rng.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_rng.h @@ -1,9 +1,9 @@ #ifndef __MCUBOOT_RNG_H__ #define __MCUBOOT_RNG_H__ -#include "rng_stm32.h" +#include "boot_rng.h" -#define MCUBOOT_RNG(...) generator_rng_stm32(__VA_ARGS__) +#define MCUBOOT_RNG(...) generator_hw_rng(__VA_ARGS__) #endif /* __MCUBOOT_RNG_H__ */ diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 0df88adee6..1b72e533f1 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c 
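Review bot: `BOOT_ECDSA_MBEDTLS` keeps `select BOOT_IMG_HASH_ALG_SHA512_ALLOW` while this hunk removes `select MBEDTLS_SHA512`, and it also drops `select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN && !BOOT_KEY_IMPORT_BYPASS_ASN` and `select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE`. Unless these are enabled somewhere else, choosing a SHA-512 image hash or encrypted images would build without the primitives they need. I would keep the removed selects and only add what key generation requires. `select MBEDTLS_ECP_DP_SECP521R1_ENABLED` adds a curve that a P-256 configuration does not appear to use, and the commented-out `config CONFIG_MBEDTLS_PEM_FORMAT` block should not be committed.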
@@ -642,13 +642,13 @@ int main(void) k_sleep(K_MSEC(10)); BOOT_RNG(&val); BOOT_LOG_INF("RNG value: %u\r\n",val); - #if defined(MCUBOOT_GEN_ENC_KEY) && defined(MCUBOOT_HAVE_HWRNG) + // #if defined(MCUBOOT_GEN_ENC_KEY) && defined(MCUBOOT_HAVE_HWRNG) mbedtls_pk_context pk; - // uint32_t val; - // if (HAL_RNG_GenerateRandomuNmber(&hrng, &val) != HAL_OK) { - // BOOT_LOG_ERR("RNG lecture fails"); + // // uint32_t val; + // // if (HAL_RNG_GenerateRandomuNmber(&hrng, &val) != HAL_OK) { + // // BOOT_LOG_ERR("RNG lecture fails"); - // } + // // } if (gen_p256_keypair(&pk)==0){ BOOT_LOG_INF("Start generatation\r\n"); unsigned char *der_priv; @@ -668,7 +668,7 @@ int main(void) else { BOOT_LOG_ERR("error generation"); } - #endif + // #endif mcuboot_status_change(MCUBOOT_STATUS_NO_BOOTABLE_IMAGE_FOUND); diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index fed9c6616e..3cbb9de352 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf 
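Review bot: Commenting out `#if defined(MCUBOOT_GEN_ENC_KEY) && defined(MCUBOOT_HAVE_HWRNG)` and its `#endif` makes key generation and the key dump run in every build whenever no bootable image is found, regardless of configuration. This branch is taken when image validation fails, so the feature should stay behind the build option; restore both preprocessor lines rather than commenting them out. In the visible lines the result of `export_pub_pem(&pk)` is ignored and `pk` is never released with `mbedtls_pk_free(&pk);`. `main()` starts and ends outside these hunks.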
@@ -30,109 +30,29 @@ CONFIG_PICOLIBC=y ### Disable malloc arena because we don't need it CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE=0 -#user -# CONFIG_BOOT_PREFER_SWAP_MOVE=y -# CONFIG_BOOT_USE_TINYCRYPT=y -# CONFIG_SINGLE_APPLICATION_SLOT=y -# CONFIG_BOOT_UPGRADE_ONLY=y -# CONFIG_BOOT_ENCRYPT_IMAGE=y -CONFIG_BOOT_VALIDATE_SLOT0=y -CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y -CONFIG_BOOT_SIGNATURE_KEY_FILE="root-ec-p256.pem" - -# CONFIG_BOOT_MAX_IMG_SECTORS_AUTO=y -# CONFIG_BOOT_IMAGE_EXECUTABLE_RAM_START=20000000 -# CONFIG_BOOT_IMAGE_EXECUTABLE_RAM_SIZE=100000 -#define MCUBOOT_IMAGE_NUMBER 1 -# CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD=y -#ifndef MCUBOOT_CONFIG_H -#define MCUBOOT_CONFIG_H - -#define MCUBOOT_IMAGE_NUMBER 1 -#define IMAGE_EXECUTABLE_RAM_START 0x20000000 -#define IMAGE_EXECUTABLE_RAM_SIZE 0x100000 - -# //#define MCUBOOT_OVERWRITE_ONLY 1 -# #undef MCUBOOT_RAM_LOAD -# //#define MCUBOOT_DIRECT_XIP 1 -# //#define MCUBOOT_DIRECT_XIP_REVERT 1 -# #define MCUBOOT_SWAP_USING_MOVE 1 -# //#define MCUBOOT_MODE_SWAP_USING_SCRATCH 1 - -# #define MCUBOOT_MAX_IMG_SECTORS 128 -# #define MCUBOOT_USE_TINYCRYPT -# //#define MCUBOOT_USE_MBED_TLS -# #define MCUBOOT_SIGNATURE_TYPE_ECDSA_P256 -# #define MCUBOOT_ENC_IMAGES -# #define MCUBOOT_SIGN_EC256 -# #define MCUBOOT_ENCRYPT_EC256 -# //#define MCUBOOT_AES_256 -# #define MCUBOOT_VALIDATE_PRIMARY_SLOT -# //#define MCUBOOT_SIGNATURE_KEY_NONE -# //#define MCUBOOT_VALIDATE_SLOT0 1 -# #define MCUBOOT_USE_FLASH_AREA_GET_SECTORS 1 -#user -# CONFIG_BOOT_USE_TINYCRYPT=y +# CONFIG_TEST_CSPRNG_GENERATOR=y +# CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y +# if needed for debug +CONFIG_LOG=y +CONFIG_MCUBOOT_LOG_LEVEL_INF=y +CONFIG_LOG_DEFAULT_LEVEL=4 -# CONFIG_SINGLE_APPLICATION_SLOT=y -# CONFIG_BOOT_UPGRADE_ONLY=y -# CONFIG_BOOT_ENCRYPT_IMAGE=y CONFIG_BOOT_VALIDATE_SLOT0=y CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y + +CONFIG_BOOT_SIGNATURE_KEY_FILE="root-ec-p256.pem" +# generated key enc +CONFIG_BOOT_ECDSA_MBEDTLS=y +CONFIG_MBEDTLS_ECP_C=y 
+CONFIG_MBEDTLS_ENTROPY_C=y +CONFIG_MBEDTLS_CTR_DRBG_ENABLED=y CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y CONFIG_MBEDTLS_PK_WRITE_C=y -CONFIG_MBEDTLS_ENTROPY_C=y CONFIG_MBEDTLS_ECDSA_C=y -CONFIG_BOOT_SIGNATURE_KEY_FILE="root-ec-p256.pem" -# CONFIG_BOOT_PREFER_SWAP_MOVE=y -CONFIG_BOOT_ECDSA_MBEDTLS=y +CONFIG_MBEDTLS_DEBUG=y CONFIG_BOOT_HAVE_HWRNG=y -# CONFIG_BOOT_GEN_ENC_KEY=y -# CONFIG_ENTROPY_GENERATOR=y -# CONFIG_HARDWARE_DEVICE_CS_GENERATOR=y -# CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR=y -# CONFIG_ENTROPY_GENERATOR=y -# CONFIG_STACK_POINTER_RANDOM=0 CONFIG_TEST_RANDOM_GENERATOR=y CONFIG_TIMER_RANDOM_GENERATOR=y -# CONFIG_TEST_CSPRNG_GENERATOR=y -# CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y -# if needed for debug -CONFIG_LOG=y -CONFIG_MCUBOOT_LOG_LEVEL_INF=y -CONFIG_LOG_DEFAULT_LEVEL=4 - -# CONFIG_BOOT_MAX_IMG_SECTORS_AUTO=y -# CONFIG_BOOT_IMAGE_EXECUTABLE_RAM_START=20000000 -# CONFIG_BOOT_IMAGE_EXECUTABLE_RAM_SIZE=100000 -#define MCUBOOT_IMAGE_NUMBER 1 -# CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD=y - -#ifndef MCUBOOT_CONFIG_H -#define MCUBOOT_CONFIG_H - -#define MCUBOOT_IMAGE_NUMBER 1 -#define IMAGE_EXECUTABLE_RAM_START 0x20000000 -#define IMAGE_EXECUTABLE_RAM_SIZE 0x100000 - -# //#define MCUBOOT_OVERWRITE_ONLY 1 -# #undef MCUBOOT_RAM_LOAD -# //#define MCUBOOT_DIRECT_XIP 1 -# //#define MCUBOOT_DIRECT_XIP_REVERT 1 -# #define MCUBOOT_SWAP_USING_MOVE 1 -# //#define MCUBOOT_MODE_SWAP_USING_SCRATCH 1 -# #define MCUBOOT_MAX_IMG_SECTORS 128 -# #define MCUBOOT_USE_TINYCRYPT -# //#define MCUBOOT_USE_MBED_TLS -# #define MCUBOOT_SIGNATURE_TYPE_ECDSA_P256 -# #define MCUBOOT_ENC_IMAGES -# #define MCUBOOT_SIGN_EC256 -# #define MCUBOOT_ENCRYPT_EC256 -# //#define MCUBOOT_AES_256 -# #define MCUBOOT_VALIDATE_PRIMARY_SLOT -# //#define MCUBOOT_SIGNATURE_KEY_NONE -# //#define MCUBOOT_VALIDATE_SLOT0 1 -# #define MCUBOOT_USE_FLASH_AREA_GET_SECTORS 1 \ No newline at end of file diff --git a/zephyr/module.yml b/zephyr/module.yml index d2af55384c..fe1a2949b5 100644 --- a/zephyr/module.yml 
+++ b/zephyr/module.yml @@ -2,8 +2,4 @@ samples: - boot/zephyr build: cmake: ./boot/bootutil/zephyr - sysbuild-cmake: boot/zephyr/sysbuild -package-managers: - pip: - requirement-files: - - zephyr/requirements.txt + From 128a57e1443c81317244058fd93890e46aa3df48 Mon Sep 17 00:00:00 2001 From: "emilien.lenoa" Date: Wed, 29 Oct 2025 15:04:09 +0000 Subject: [PATCH 22/35] minor change --- boot/zephyr/Kconfig | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 7ff402ae85..00ee5a25bd 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -317,22 +317,10 @@ config BOOT_ECDSA_MBEDTLS select MBEDTLS_ECP_DP_SECP256R1_ENABLED select MBEDTLS_ECP_DP_SECP521R1_ENABLED select MBEDTLS_ECDH_C - select MBEDTLS_PEM_FORMAT - - - endchoice # Ecdsa implementation endif -# config CONFIG_MBEDTLS_PEM_FORMAT -# bool -# select MBEDTLS -# select MBEDTLS_PEM_FORMAT - - - - config BOOT_SIGNATURE_TYPE_ED25519 bool "Edwards curve digital signatures using ed25519" select BOOT_ENCRYPTION_SUPPORT if !BOOT_SIGNATURE_TYPE_PURE From 5483392622e243fc189a11062a4d03c20522a232 Mon Sep 17 00:00:00 2001 From: "emilien.lenoa" Date: Thu, 30 Oct 2025 12:51:59 +0000 Subject: [PATCH 23/35] mbedtls, modify generation enc key --- .../include/bootutil/generate_key_pair.h | 8 +- boot/bootutil/src/generate_key_pair.c | 103 +++++++++++++----- boot/zephyr/CMakeLists.txt | 9 +- boot/zephyr/Kconfig | 21 ++-- boot/zephyr/include/config-ec.h | 10 ++ .../include/mcuboot_config/mcuboot_config.h | 4 +- boot/zephyr/main.c | 41 +------ boot/zephyr/prj.conf | 11 +- 8 files changed, 115 insertions(+), 92 deletions(-) diff --git a/boot/bootutil/include/bootutil/generate_key_pair.h b/boot/bootutil/include/bootutil/generate_key_pair.h index 2f1beb3a90..7df8dd61ab 100644 --- a/boot/bootutil/include/bootutil/generate_key_pair.h +++ b/boot/bootutil/include/bootutil/generate_key_pair.h 
@@ -15,16 +15,12 @@ extern "C" { #include "mbedtls/ecp.h" - +void generate_enc_key_pair(); int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen); int gen_p256_keypair(mbedtls_pk_context *pk); void dump_p256(const mbedtls_pk_context *pk); -void show_public_key_formatted(const mbedtls_pk_context *pk); -int export_privkey_der(mbedtls_pk_context *pk, - unsigned char **der_ptr, - size_t *der_len); +int export_privkey_der(mbedtls_pk_context *pk); int export_pub_pem(mbedtls_pk_context *pk); -int dump_pkcs8_der_as_c_array(const mbedtls_pk_context *pk); #ifdef __cplusplus } diff --git a/boot/bootutil/src/generate_key_pair.c b/boot/bootutil/src/generate_key_pair.c index d9352c6c8d..a9eacde362 100644 --- a/boot/bootutil/src/generate_key_pair.c +++ b/boot/bootutil/src/generate_key_pair.c @@ -5,7 +5,7 @@ */ #include "mcuboot_config/mcuboot_config.h" -// #if defined(MCUBOOT_GEN_ENC_KEY) +#if defined(MCUBOOT_GEN_ENC_KEY) #include #include #include "mbedtls/entropy.h" @@ -13,9 +13,9 @@ #include "mbedtls/pk.h" #include "mbedtls/ecp.h" #include "bootutil/generate_key_pair.h" -// #include "key/key.h" #include "bootutil/bootutil_log.h" #include "bootutil/bootutil_hwrng.h" + BOOT_LOG_MODULE_DECLARE(mcuboot); extern unsigned char enc_priv_key[]; extern unsigned int enc_priv_key_len; @@ -115,7 +115,6 @@ int gen_p256_keypair(mbedtls_pk_context *pk) goto cleanup; } - cleanup: mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); @@ -124,12 +123,12 @@ int gen_p256_keypair(mbedtls_pk_context *pk) -int export_privkey_der(mbedtls_pk_context *pk, - unsigned char **der_ptr, - size_t *der_len) { - static unsigned char buf[800]; - int ret; - +int export_privkey_der(mbedtls_pk_context *pk) { + unsigned char buf[800]; + unsigned char *der_ptr; + size_t der_len; + char line [160]; + int pos = 0; int len = mbedtls_pk_write_keypkcs8_der(pk, buf, sizeof(buf)); if (len < 0) { 
@@ -137,13 +136,57 @@ int export_privkey_der(mbedtls_pk_context *pk, return len; } - *der_ptr = buf + sizeof(buf) - len; - *der_len = (size_t)len; + der_ptr = buf + sizeof(buf) - len; + der_len = (size_t)len; + + BOOT_LOG_INF("Private key DER length = %u\n", (unsigned int)der_len); + + for(size_t i = 0; i < der_len; i++){ + unsigned int val = (unsigned int)der_ptr[i]; + if (val < 0x10) + { + pos += snprintk(&line[pos], sizeof(line)-pos, "0x0%X", val ); + }else{ + pos += snprintk(&line[pos], sizeof(line)-pos, "0x%X", val ); + } + + if (isizeof(line)-8 || i == der_len -1) + { + BOOT_LOG_INF("%s", line); + pos=0; + } + + } return 0; } +int export_pub_pem(mbedtls_pk_context *pk) { + unsigned char buf_pub[800]; + unsigned char buf_priv[800]; + int ret; + + ret = mbedtls_pk_write_pubkey_pem(pk, buf_pub, sizeof(buf_pub)); + if (ret != 0) { + return ret; + } + + ret = mbedtls_pk_write_key_pem(pk, buf_priv, sizeof(buf_priv)); + if (ret != 0) { + + return ret; + } + + BOOT_LOG_INF("\n%s", buf_pub); + BOOT_LOG_INF("\n%s", buf_priv); + return 0; +} void dump_p256(const mbedtls_pk_context *pk) { 
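Review bot: In the dump loop of `export_privkey_der()`, `pos` is an `int` that accumulates `snprintk` return values and is subtracted from `sizeof(line)`; the flush condition is partly lost in this rendering of the patch, so I cannot confirm that `pos` always stays below `sizeof(line)`. An explicit bound check before each write would make that evident. The two branches on `val < 0x10` can be a single call, `pos += snprintk(&line[pos], sizeof(line) - pos, "0x%02X", val);`. `buf` and `line` hold the PKCS#8 private key and its hex form on the stack and are not wiped before `return 0;`; add `mbedtls_platform_zeroize(buf, sizeof(buf));` and the same for `line`.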
@@ -167,26 +210,26 @@ void dump_p256(const mbedtls_pk_context *pk) } -int export_pub_pem(mbedtls_pk_context *pk) { - unsigned char buf_pub[800]; - unsigned char buf_priv[800]; - int ret; - - ret = mbedtls_pk_write_pubkey_pem(pk, buf_pub, sizeof(buf_pub)); - if (ret != 0) { +void generate_enc_key_pair(){ + mbedtls_pk_context pk; + int rc = -1; + BOOT_LOG_INF("Generate enc key pair starting..."); + rc=gen_p256_keypair(&pk); + rc=export_privkey_der(&pk); + rc=export_pub_pem(&pk); + dump_p256(&pk); + + if (rc !=0) + { + BOOT_LOG_ERR("Error during the generation enc key pair\n"); + }else + { + BOOT_LOG_INF("Success key is generated"); - return ret; } - - ret = mbedtls_pk_write_key_pem(pk, buf_priv, sizeof(buf_priv)); - if (ret != 0) { - - return ret; - } - - BOOT_LOG_INF("\n%s", buf_pub); - BOOT_LOG_INF("\n%s", buf_priv); - return 0; + + } -// #endif /* MCUBOOT_GEN_ENC_KEY */ + +#endif /* MCUBOOT_GEN_ENC_KEY */ diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 999527e3b7..de53eae490 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -117,8 +117,6 @@ zephyr_library_sources( ${BOOT_DIR}/bootutil/src/bootutil_area.c ${BOOT_DIR}/bootutil/src/bootutil_loader.c ${BOOT_DIR}/bootutil/src/fault_injection_hardening.c - ${BOOT_DIR}/bootutil/src/generate_key_pair.c - ${MCUBOOT_DIR}/ext/mbedtls-pkcs8/pkcs8secp256write.c ) if((CONFIG_BOOT_ENCRYPT_X25519 AND CONFIG_BOOT_ED25519_PSA) @@ -191,11 +189,18 @@ else() endif() endif() endif() + if(CONFIG_BOOT_HAVE_HWRNG) zephyr_library_sources( boot_rng.c ) endif() +if(CONFIG_BOOT_GEN_ENC_KEY) + zephyr_library_sources( + ${BOOT_DIR}/bootutil/src/generate_key_pair.c + ${MCUBOOT_DIR}/ext/mbedtls-pkcs8/pkcs8secp256write.c + ) +endif() if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) # When ECDSA PSA is used, do not pull in additional ASN.1 include # directories or sources, as it would cause incorrect header files 
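Review bot: `generate_enc_key_pair()` overwrites `rc` three times in a row, so a failure of `gen_p256_keypair(&pk)` or `export_privkey_der(&pk)` is ignored; the export functions then run on a context that holds no valid key, and only the result of `export_pub_pem()` decides the final message. The context is also never released with `mbedtls_pk_free()`. I would stop at the first error and free the context on every path, as below; this assumes `gen_p256_keypair()` leaves `pk` initialised when it fails, which the visible `mbedtls_pk_init(pk)` call suggests. The header declares the function as `generate_enc_key_pair()`; `(void)` would make it a real prototype.
```c
void generate_enc_key_pair(){
    mbedtls_pk_context pk;
    int rc;

    BOOT_LOG_INF("Generate enc key pair starting...");
    rc = gen_p256_keypair(&pk);
    if (rc == 0) {
        rc = export_privkey_der(&pk);
    }
    if (rc == 0) {
        rc = export_pub_pem(&pk);
    }
    if (rc == 0) {
        dump_p256(&pk);
        BOOT_LOG_INF("Success key is generated");
    } else {
        BOOT_LOG_ERR("Error during the generation enc key pair\n");
    }
    /* release the key material held by the context on every path */
    mbedtls_pk_free(&pk);
}
```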
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 00ee5a25bd..58648ac8be 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -139,7 +139,12 @@ menu "MCUBoot settings" config BOOT_HAVE_HWRNG bool "have hwrng" help - Dependencies for stm32drivers + Dependencies RNG drivers + +config BOOT_GEN_ENC_KEY + bool "generate encryption key" + + config SINGLE_APPLICATION_SLOT @@ -310,13 +315,13 @@ config BOOT_ECDSA_PSA config BOOT_ECDSA_MBEDTLS bool "Use mbedTLS" select BOOT_USE_MBEDTLS - select BOOT_IMG_HASH_ALG_SHA256_ALLOW - select BOOT_IMG_HASH_ALG_SHA512_ALLOW - select MBEDTLS - select MBEDTLS_ECDSA_C - select MBEDTLS_ECP_DP_SECP256R1_ENABLED - select MBEDTLS_ECP_DP_SECP521R1_ENABLED - select MBEDTLS_ECDH_C + # select BOOT_IMG_HASH_ALG_SHA256_ALLOW + # select BOOT_IMG_HASH_ALG_SHA512_ALLOW + # select MBEDTLS + # select MBEDTLS_ECDSA_C + # select MBEDTLS_ECP_DP_SECP256R1_ENABLED + # select MBEDTLS_ECP_DP_SECP521R1_ENABLED + # select MBEDTLS_ECDH_C endchoice # Ecdsa implementation endif diff --git a/boot/zephyr/include/config-ec.h b/boot/zephyr/include/config-ec.h index f6c690b8c5..8b04278511 100644 --- a/boot/zephyr/include/config-ec.h +++ b/boot/zephyr/include/config-ec.h @@ -91,4 +91,14 @@ #define MBEDTLS_NIST_KW_C #endif /* MCUBOOT_ENC_IMAGES */ +#if defined(CONFIG_BOOT_HAVE_HWRNG) +#define MBEDTLS_ENTROPY_C +#define MBEDTLS_PEM_WRITE_C +#define MBEDTLS_BASE64_C +#define MBEDTLS_PEM_PARSE_C +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_ERROR_C +#define MBEDTLS_PK_WRITE_C +#endif /*CONFIG_BOOT_HAVE_HWRNG*/ + #endif /* MCUBOOT_MBEDTLS_CONFIG_ECDSA */ diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index fd98c334ff..bb5d500433 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h 
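Review bot: `config BOOT_GEN_ENC_KEY` has neither a `depends on` nor a help text, although main.c in this patch only calls the generator when `MCUBOOT_HAVE_HWRNG` is defined as well. Add `depends on BOOT_HAVE_HWRNG` and a help text stating that the option makes the bootloader generate a key pair and print it on the console, so it is not meant for production images. In config-ec.h the key-writing modules (`MBEDTLS_PK_WRITE_C`, `MBEDTLS_PEM_WRITE_C`, `MBEDTLS_CTR_DRBG_C`) are gated on `CONFIG_BOOT_HAVE_HWRNG`; gating them on `CONFIG_BOOT_GEN_ENC_KEY` would keep them out of bootloaders that only verify images. The `select` lines of `BOOT_ECDSA_MBEDTLS` are commented out rather than removed, which leaves the option dependent on config-ec.h for everything it used to select.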
@@ -165,9 +165,9 @@ #define MCUBOOT_HAVE_HWRNG #endif -// #ifdef CONFIG_BOOT_GEN_ENC_KEY +#ifdef CONFIG_BOOT_GEN_ENC_KEY #define MCUBOOT_GEN_ENC_KEY -// #endif +#endif #ifdef CONFIG_BOOT_ENCRYPT_X25519 #define MCUBOOT_ENC_IMAGES diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 1b72e533f1..c657b93dcb 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -633,43 +633,10 @@ int main(void) #endif if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { - BOOT_LOG_ERR("Unable to find bootable image"); - const struct device *entropy_dev; - uint32_t val; - int ret; - - BOOT_LOG_INF("MCUboot starting..."); - k_sleep(K_MSEC(10)); - BOOT_RNG(&val); - BOOT_LOG_INF("RNG value: %u\r\n",val); - // #if defined(MCUBOOT_GEN_ENC_KEY) && defined(MCUBOOT_HAVE_HWRNG) - mbedtls_pk_context pk; - // // uint32_t val; - // // if (HAL_RNG_GenerateRandomuNmber(&hrng, &val) != HAL_OK) { - // // BOOT_LOG_ERR("RNG lecture fails"); - - // // } - if (gen_p256_keypair(&pk)==0){ - BOOT_LOG_INF("Start generatation\r\n"); - unsigned char *der_priv; - size_t der_len; - if (export_privkey_der(&pk, &der_priv, &der_len) == 0) { - BOOT_LOG_INF("Private key DER length = %u\n", (unsigned)der_len); - for (size_t i = 0; i < der_len; i++) { - BOOT_LOG_INF("0x%02X,", der_priv[i]); - } - BOOT_LOG_INF("\n"); - } - export_pub_pem(&pk); - dump_p256(&pk); - // show_public_key_formatted(&pk); - - } - else { - BOOT_LOG_ERR("error generation"); - } - // #endif - + BOOT_LOG_ERR("Unable to find bootable image"); + #if defined(MCUBOOT_GEN_ENC_KEY) && defined(MCUBOOT_HAVE_HWRNG) + generate_enc_key_pair(); + #endif mcuboot_status_change(MCUBOOT_STATUS_NO_BOOTABLE_IMAGE_FOUND); diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 3cbb9de352..51c38d2a86 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf 
@@ -44,14 +44,11 @@ CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y CONFIG_BOOT_SIGNATURE_KEY_FILE="root-ec-p256.pem" # generated key enc +CONFIG_MBEDTLS=y +CONFIG_CUSTOM_MBEDTLS_CFG_FILE=y +CONFIG_MBEDTLS_CFG_FILE="config-ec.h" CONFIG_BOOT_ECDSA_MBEDTLS=y -CONFIG_MBEDTLS_ECP_C=y -CONFIG_MBEDTLS_ENTROPY_C=y -CONFIG_MBEDTLS_CTR_DRBG_ENABLED=y -CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y -CONFIG_MBEDTLS_PK_WRITE_C=y -CONFIG_MBEDTLS_ECDSA_C=y -CONFIG_MBEDTLS_DEBUG=y +CONFIG_BOOT_GEN_ENC_KEY=y CONFIG_BOOT_HAVE_HWRNG=y CONFIG_TEST_RANDOM_GENERATOR=y CONFIG_TIMER_RANDOM_GENERATOR=y From 70489abc402bcebcfc02a97fc8cf3966dbb18a53 Mon Sep 17 00:00:00 2001 From: "emilien.lenoa" Date: Thu, 30 Oct 2025 13:09:48 +0000 Subject: [PATCH 24/35] minor change --- .../include/mbedtls/mbedtls_config.h | 130 +++++++++--------- 1 file changed, 65 insertions(+), 65 deletions(-) diff --git a/ext/mbedtls-asn1/include/mbedtls/mbedtls_config.h b/ext/mbedtls-asn1/include/mbedtls/mbedtls_config.h index 83297cdac9..d8d81525be 100644 --- a/ext/mbedtls-asn1/include/mbedtls/mbedtls_config.h +++ b/ext/mbedtls-asn1/include/mbedtls/mbedtls_config.h @@ -1,8 +1,5 @@ -/* - * Minimal configuration for using TLS in the bootloader - * - * Copyright (C) 2006-2021, ARM Limited, All Rights Reserved - * Copyright (C) 2016, Linaro Ltd +/** + * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may 
@@ -20,77 +17,80 @@ * This file is part of mbed TLS (https://tls.mbed.org) */ -/* - * Minimal configuration for using TLS in the bootloader - * - * - RSA or ECDSA signature verification - */ - -#ifndef MCUBOOT_MBEDTLS_CONFIG_ECDSA -#define MCUBOOT_MBEDTLS_CONFIG_ECDSA +#ifndef MBEDTLS_CONFIG_H +#define MBEDTLS_CONFIG_H -#ifdef CONFIG_MCUBOOT_SERIAL -/* Mcuboot uses mbedts-base64 for serial protocol encoding. */ -#define MBEDTLS_BASE64_C +#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) +#define _CRT_SECURE_NO_DEPRECATE 1 #endif -/* System support */ -#define MBEDTLS_PLATFORM_C -#define MBEDTLS_PLATFORM_MEMORY -#define MBEDTLS_MEMORY_BUFFER_ALLOC_C -#define MBEDTLS_NO_PLATFORM_ENTROPY -#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES - -/* STD functions */ -#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS - -#define MBEDTLS_PLATFORM_EXIT_ALT -#define MBEDTLS_PLATFORM_PRINTF_ALT -#define MBEDTLS_PLATFORM_SNPRINTF_ALT - -#if !defined(CONFIG_ARM) -#define MBEDTLS_HAVE_ASM -#endif - -#define MBEDTLS_ECDSA_C -#define MBEDTLS_ECDH_C - -/* mbed TLS modules */ +//#define MBEDTLS_PLATFORM_MEMORY +#define MBEDTLS_FS_IO +//#define MBEDTLS_VERSION_FEATURES #define MBEDTLS_ASN1_PARSE_C -#define MBEDTLS_ASN1_WRITE_C -#define MBEDTLS_ECP_C -#define MBEDTLS_ECP_DP_SECP256R1_ENABLED -#define MBEDTLS_ECP_NIST_OPTIM +#define MBEDTLS_BASE64_C #define MBEDTLS_BIGNUM_C #define MBEDTLS_MD_C #define MBEDTLS_OID_C -#define MBEDTLS_SHA256_C -#define MBEDTLS_SHA256_SMALLER -#define MBEDTLS_SHA224_C -#define MBEDTLS_AES_C - - -/* Bring in support for x509. */ -#define MBEDTLS_X509_USE_C -#define MBEDTLS_PK_C -#define MBEDTLS_PK_PARSE_C -#define MBEDTLS_X509_CRT_PARSE_C +#define MBEDTLS_PEM_PARSE_C -/* Save RAM by adjusting to our exact needs */ -//#define MBEDTLS_MPI_MAX_SIZE 32 +/** + * \def MBEDTLS_PLATFORM_C + * + * Enable the platform abstraction layer that allows you to re-assign + * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 
+ * + * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT + * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned + * above to be specified at runtime or compile time respectively. + * + * \note This abstraction layer must be enabled on Windows (including MSYS2) + * as other module rely on it for a fixed snprintf implementation. + * + * Module: library/platform.c + * Caller: Most other .c files + * + * This module enables abstraction of common (libc) functions. + */ +#define MBEDTLS_PLATFORM_C -//#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024 +/** + * \def MBEDTLS_TIMING_C + * + * Enable the semi-portable timing interface. + * + * \note The provided implementation only works on POSIX/Unix (including Linux, + * BSD and OS X) and Windows. On other platforms, you can either disable that + * module and provide your own implementations of the callbacks needed by + * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide + * your own implementation of the whole module by setting + * \c MBEDTLS_TIMING_ALT in the current file. + * + * \note See also our Knowledge Base article about porting to a new + * environment: + * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS + * + * Module: library/timing.c + * Caller: library/havege.c + * + * This module is used by the HAVEGE random number generator. + */ +#define MBEDTLS_TIMING_C -///* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */ -//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 +//#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */ +//#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */ +//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */ -/* If encryption is being used, also enable the features needed for - * that. 
*/ +#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE) +#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE +#endif -#define MBEDTLS_CIPHER_MODE_CTR -#define MBEDTLS_CIPHER_C -#define MBEDTLS_NIST_KW_C -#define MBEDTLS_CTR_DRBG_C +#if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE) +#include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE +#elif defined(MBEDTLS_USER_CONFIG_FILE) +#include MBEDTLS_USER_CONFIG_FILE +#endif +#include "check_config.h" -#endif /* MCUBOOT_MBEDTLS_CONFIG_ECDSA */ +#endif /* MBEDTLS_CONFIG_H */ \ No newline at end of file From 0de7a10ea4d4e6825197844d32f2d359f59f5d65 Mon Sep 17 00:00:00 2001 From: "emilien.lenoa" Date: Thu, 30 Oct 2025 13:25:14 +0000 Subject: [PATCH 25/35] remove last stm32 word --- boot/bootutil/src/generate_key_pair.c | 2 +- boot/zephyr/boards/lora_e5_mini.overlay | 8 -------- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/boot/bootutil/src/generate_key_pair.c b/boot/bootutil/src/generate_key_pair.c index a9eacde362..17da4dd29d 100644 --- a/boot/bootutil/src/generate_key_pair.c +++ b/boot/bootutil/src/generate_key_pair.c @@ -81,7 +81,7 @@ int gen_p256_keypair(mbedtls_pk_context *pk) int ret; mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; - const unsigned char pers[] = "stm32-p256-keygenstm32-p256-keygen"; + const unsigned char pers[] = "keyge-p256-keygenkeyge-p256-keygen"; mbedtls_pk_init(pk); mbedtls_entropy_init(&entropy); diff --git a/boot/zephyr/boards/lora_e5_mini.overlay b/boot/zephyr/boards/lora_e5_mini.overlay index 5651b6ae1c..f7f793833a 100644 --- a/boot/zephyr/boards/lora_e5_mini.overlay +++ b/boot/zephyr/boards/lora_e5_mini.overlay @@ -15,11 +15,3 @@ current-speed = <115200>; status = "okay"; }; - -&rng { - status = "okay"; - // clocks = <&rcc STM32_CLOCK_BUS_AHB3 0x00040000>, - // <&rcc STM32_SRC_MSI 3>; - // clocks = <&rcc STM32_CLOCK(AHB3, 18)>, - // <&rcc STM32_SRC_MSI 3>; -}; From 358e0963d6b8642cd0c9be0d0d5d6c1e85c5ece7 Mon Sep 17 00:00:00 2001 
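Review bot: `MBEDTLS_FS_IO` and `MBEDTLS_TIMING_C` do not belong in a bootloader configuration, and this hunk also drops `MBEDTLS_ECDSA_C`, `MBEDTLS_ECP_DP_SECP256R1_ENABLED`, `MBEDTLS_SHA256_C`, `MBEDTLS_PK_PARSE_C`, `MBEDTLS_NO_PLATFORM_ENTROPY` and `MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES` from the file. If any build still picks up ext/mbedtls-asn1/include/mbedtls/mbedtls_config.h, signature verification would lose the primitives it needs, and mbedTLS would be allowed to look for platform entropy sources that a bare-metal target does not have. The commit subject says "minor change", so this looks like an unrelated upstream header copied over the project's minimal one; I would revert the file or explain the replacement in the commit message. The header guard is renamed from `MCUBOOT_MBEDTLS_CONFIG_ECDSA` to `MBEDTLS_CONFIG_H`, which can collide with mbedTLS's own config header guard.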
From: "emilien.lenoa" Date: Thu, 30 Oct 2025 13:28:13 +0000 Subject: [PATCH 26/35] minor change --- boot/bootutil/src/image_validate.c | 2 -- boot/zephyr/Kconfig | 4 ---- 2 files changed, 6 deletions(-) diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index f5a63e648d..0639aac10d 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -295,8 +295,6 @@ bootutil_img_validate(struct boot_loader_state *state, img_sz = it.tlv_end; #endif BOOT_LOG_DBG("bootutil_img_validate: TLV off %u, end %u", it.tlv_off, it.tlv_end); - BOOT_LOG_DBG("bootutil_max_image_size = 0x%X, img_sz = 0x%X", - bootutil_max_image_size(state, fap), img_sz); if (img_sz > bootutil_max_image_size(state, fap)) { rc = -1; diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 58648ac8be..3479534353 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -113,7 +113,6 @@ config BOOT_X25519_PSA_DEPENDENCIES endif # BOOT_ENCRYPT_IMAGE - config BOOT_ECDSA_PSA_DEPENDENCIES bool select PSA_WANT_ALG_ECDSA @@ -144,9 +143,6 @@ config BOOT_HAVE_HWRNG config BOOT_GEN_ENC_KEY bool "generate encryption key" - - - config SINGLE_APPLICATION_SLOT bool "Single slot bootloader" help From bf6faef5490499971b2cecb733e583bd23ba7ded Mon Sep 17 00:00:00 2001 From: "emilien.lenoa" Date: Thu, 30 Oct 2025 14:49:43 +0000 Subject: [PATCH 27/35] coding-styles and headers --- .../include/bootutil/generate_key_pair.h | 3 +- boot/bootutil/src/generate_key_pair.c | 121 +++++------ boot/zephyr/boot_rng.c | 14 +- boot/zephyr/include/boot_rng.h | 10 +- .../include/mcuboot_config/mcuboot_rng.h | 10 +- boot/zephyr/main.c | 197 +++++++++--------- boot/zephyr/prj.conf | 1 - 7 files changed, 187 insertions(+), 169 deletions(-) diff --git a/boot/bootutil/include/bootutil/generate_key_pair.h b/boot/bootutil/include/bootutil/generate_key_pair.h index 7df8dd61ab..7b22af1e86 100644 --- a/boot/bootutil/include/bootutil/generate_key_pair.h 
+++ b/boot/bootutil/include/bootutil/generate_key_pair.h @@ -14,7 +14,6 @@ extern "C" { #include "mbedtls/pk.h" #include "mbedtls/ecp.h" - void generate_enc_key_pair(); int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen); int gen_p256_keypair(mbedtls_pk_context *pk); @@ -26,4 +25,4 @@ int export_pub_pem(mbedtls_pk_context *pk); } #endif -#endif /* __GENERATE_KEY_PAIR_H__ */ +#endif /* __GENERATE_KEY_PAIR_H__ */ \ No newline at end of file diff --git a/boot/bootutil/src/generate_key_pair.c b/boot/bootutil/src/generate_key_pair.c index 17da4dd29d..d95bb8d6c1 100644 --- a/boot/bootutil/src/generate_key_pair.c +++ b/boot/bootutil/src/generate_key_pair.c 
@@ -22,33 +22,34 @@ extern unsigned int enc_priv_key_len; /** * @brief Generate random data using the hardware random number generator. - * + * * @param data Not used. * @param output Buffer to fill with random data. * @param len Number of random bytes to generate. * @param olen Number of random bytes actually generated. - * + * * @return 0 on success or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED on RNG failure. */ #if !defined(CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR) #define NBR_WARM_UP 8 -int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) +int +mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) { - (void)data; uint32_t val; size_t produced = 0; // Warm-up - for (int i = 0; i < NBR_WARM_UP ; i++) { - BOOT_RNG(&val); + for (int i = 0; i < NBR_WARM_UP; i++) { + BOOT_RNG(&val); } - BOOT_LOG_INF("RNG value: %u\r\n",val); + BOOT_LOG_INF("RNG value: %u\r\n", val); BOOT_LOG_INF("mbedtls_hardware_poll: ask %lu bytes", (unsigned long)len); - + while (produced < len) { if (BOOT_RNG(&val) != 0) { - BOOT_LOG_ERR("RNG reads fails at %lu/%lu bytes", (unsigned long)produced, (unsigned long)len); + BOOT_LOG_ERR("RNG reads fails at %lu/%lu bytes", + (unsigned long)produced, (unsigned long)len); *olen = produced; return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; } 
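Review bot: The warm-up loop in `mbedtls_hardware_poll` ignores the return value of `BOOT_RNG(&val)`, and the next line logs `val` at INF level. `val` is declared without an initialiser, so a failed read may print an indeterminate word, and a successful read prints RNG output. The per-word log in the following hunk (`BOOT_LOG_INF("%08lX", ...)`, reworded but kept in PATCH 28) writes every word that feeds the DRBG seed into the boot log. I would drop both value logs and check the warm-up reads, e.g. `if (BOOT_RNG(&val) != 0) { *olen = 0; return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; }`. The function body continues past this hunk.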
@@ -56,27 +57,30 @@ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t size_t copy_len = (len - produced >= 4) ? 4 : (len - produced); memcpy(output + produced, &val, copy_len); produced += copy_len; - BOOT_LOG_INF("%08lX",(unsigned long)val,(unsigned long)produced,(unsigned long)len); - + BOOT_LOG_INF("%08lX", (unsigned long)val, (unsigned long)produced, + (unsigned long)len); } *olen = produced; - BOOT_LOG_INF("mbedtls_hardware_poll: total generated = %lu bytes", (unsigned long)*olen); + BOOT_LOG_INF("mbedtls_hardware_poll: total generated = %lu bytes", + (unsigned long)*olen); return 0; } #endif -int mbedtls_hardware_polll_full(void *data, unsigned char *output, size_t len){ +int +mbedtls_hardware_polll_full(void *data, unsigned char *output, size_t len) +{ size_t dummy; return mbedtls_hardware_poll(data, output, len, &dummy); - } /* * Generate an EC-P256 key pair using the mbedTLS library * * @return 0 on success, or a negative mbedTLS error code on failure. */ -int gen_p256_keypair(mbedtls_pk_context *pk) +int +gen_p256_keypair(mbedtls_pk_context *pk) { int ret; mbedtls_entropy_context entropy; @@ -87,11 +91,11 @@ int gen_p256_keypair(mbedtls_pk_context *pk) mbedtls_entropy_init(&entropy); mbedtls_ctr_drbg_init(&ctr_drbg); - /* * Seeds the random number generator using a hardware entropy source */ - ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_hardware_polll_full, NULL,pers, sizeof(pers)-1); + ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_hardware_polll_full, NULL, + pers, sizeof(pers) - 1); if (ret != 0) { BOOT_LOG_ERR("SEED FAIL ret=%d", ret); goto cleanup; 
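Review bot: In the second hunk, `gen_p256_keypair` initialises `entropy` but seeds the DRBG with `mbedtls_hardware_polll_full` and a NULL context, so the mbedTLS entropy accumulator is never used and the seed comes straight from `BOOT_RNG`. If the build defines `MBEDTLS_ENTROPY_HARDWARE_ALT` (not visible here), `mbedtls_entropy_init` already registers `mbedtls_hardware_poll` as a source. The call can then be `ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, pers, sizeof(pers) - 1);`, which also makes the `polll` wrapper unnecessary. The function starts and ends outside this hunk.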
@@ -102,16 +106,17 @@ int gen_p256_keypair(mbedtls_pk_context *pk) */ ret = mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)); if (ret != 0) { - BOOT_LOG_ERR("PK_SETUP FAIL ret=%d", ret); + BOOT_LOG_ERR("PK_SETUP FAIL ret=%d", ret); goto cleanup; } /* * */ - ret = mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1, mbedtls_pk_ec(*pk),mbedtls_ctr_drbg_random, &ctr_drbg); + ret = mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1, mbedtls_pk_ec(*pk), + mbedtls_ctr_drbg_random, &ctr_drbg); if (ret != 0) { - BOOT_LOG_ERR("GEN_KEY FAIL ret=%d", ret); + BOOT_LOG_ERR("GEN_KEY FAIL ret=%d", ret); goto cleanup; } @@ -121,18 +126,18 @@ int gen_p256_keypair(mbedtls_pk_context *pk) return ret; } - - -int export_privkey_der(mbedtls_pk_context *pk) { +int +export_privkey_der(mbedtls_pk_context *pk) +{ unsigned char buf[800]; unsigned char *der_ptr; size_t der_len; - char line [160]; + char line[160]; int pos = 0; int len = mbedtls_pk_write_keypkcs8_der(pk, buf, sizeof(buf)); if (len < 0) { - BOOT_LOG_ERR("fails write pkcs8 der"); + BOOT_LOG_ERR("fails write pkcs8 der"); return len; } 
@@ -141,32 +146,30 @@ int export_privkey_der(mbedtls_pk_context *pk) { BOOT_LOG_INF("Private key DER length = %u\n", (unsigned int)der_len); - for(size_t i = 0; i < der_len; i++){ + for (size_t i = 0; i < der_len; i++) { unsigned int val = (unsigned int)der_ptr[i]; - if (val < 0x10) - { - pos += snprintk(&line[pos], sizeof(line)-pos, "0x0%X", val ); - }else{ - pos += snprintk(&line[pos], sizeof(line)-pos, "0x%X", val ); + if (val < 0x10) { + pos += snprintk(&line[pos], sizeof(line) - pos, "0x0%X", val); + } else { + pos += snprintk(&line[pos], sizeof(line) - pos, "0x%X", val); } - if (isizeof(line)-8 || i == der_len -1) - { + + if (pos > sizeof(line) - 8 || i == der_len - 1) { BOOT_LOG_INF("%s", line); - pos=0; + pos = 0; } - } return 0; } -int export_pub_pem(mbedtls_pk_context *pk) { +int +export_pub_pem(mbedtls_pk_context *pk) +{ unsigned char buf_pub[800]; unsigned char buf_priv[800]; int ret; 
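Review bot: The loop at the end of `export_privkey_der` prints the PKCS#8 private key as hex through `BOOT_LOG_INF`, so the image-decryption key reaches whatever backend carries the boot log; `dump_p256` in the next hunk does the same for the raw scalar `d`. docs/key_generation.md (PATCH 34) states that the private key is never exposed, which this code contradicts. I would remove the private-key logging and keep only the public-key output. The stack copy should also be cleared before returning, e.g. `mbedtls_platform_zeroize(buf, sizeof(buf));`. The function starts in the previous hunk.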
@@ -188,48 +191,50 @@ int export_pub_pem(mbedtls_pk_context *pk) { return 0; } -void dump_p256(const mbedtls_pk_context *pk) +void +dump_p256(const mbedtls_pk_context *pk) { const mbedtls_ecp_keypair *eckey = mbedtls_pk_ec(*pk); unsigned char buf[32]; - memset(buf,0, sizeof buf); + memset(buf, 0, sizeof buf); mbedtls_mpi_write_binary(&eckey->private_d, buf, 32); BOOT_LOG_INF("Private key d = "); - for (int i = 0; i < 32; i++) BOOT_LOG_INF("%02X", buf[i]); + for (int i = 0; i < 32; i++) { + BOOT_LOG_INF("%02X", buf[i]); + } BOOT_LOG_INF("\n"); mbedtls_mpi_write_binary(&eckey->private_Q.private_X, buf, 32); BOOT_LOG_INF("Public key Q.X = "); - for (int i = 0; i < 32; i++) BOOT_LOG_INF("%02X", buf[i]); + for (int i = 0; i < 32; i++) { + BOOT_LOG_INF("%02X", buf[i]); + } BOOT_LOG_INF("\n"); mbedtls_mpi_write_binary(&eckey->private_Q.private_Y, buf, 32); BOOT_LOG_INF("Public key Q.Y = "); - for (int i = 0; i < 32; i++) BOOT_LOG_INF("%02X", buf[i]); + for (int i = 0; i < 32; i++) { + BOOT_LOG_INF("%02X", buf[i]); + } BOOT_LOG_INF("\n"); - } -void generate_enc_key_pair(){ +void +generate_enc_key_pair() +{ mbedtls_pk_context pk; int rc = -1; BOOT_LOG_INF("Generate enc key pair starting..."); - rc=gen_p256_keypair(&pk); - rc=export_privkey_der(&pk); - rc=export_pub_pem(&pk); + rc = gen_p256_keypair(&pk); + rc = export_privkey_der(&pk); + rc = export_pub_pem(&pk); dump_p256(&pk); - if (rc !=0) - { + if (rc != 0) { BOOT_LOG_ERR("Error during the generation enc key pair\n"); - }else - { + } else { BOOT_LOG_INF("Success key is generated"); - } - - } - #endif /* MCUBOOT_GEN_ENC_KEY */ diff --git a/boot/zephyr/boot_rng.c b/boot/zephyr/boot_rng.c index fcd2127d51..d40dce2288 100644 --- a/boot/zephyr/boot_rng.c +++ b/boot/zephyr/boot_rng.c 
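Review bot: `generate_enc_key_pair` overwrites `rc` after each step, so a failure in `gen_p256_keypair` or `export_privkey_der` is hidden by a later success and the export calls run on a context that may hold no key. `pk` is also used without a visible `mbedtls_pk_init` and is never released with `mbedtls_pk_free`, unless `gen_p256_keypair` does the init in lines the hunks do not show. The sketch below stops at the first error and frees the context. It leaves out the `dump_p256` call because that function logs the private scalar.

```c
void
generate_enc_key_pair()
{
    mbedtls_pk_context pk;
    int rc;

    mbedtls_pk_init(&pk);
    BOOT_LOG_INF("Generate enc key pair starting...");

    rc = gen_p256_keypair(&pk);
    if (rc == 0) {
        rc = export_privkey_der(&pk);
    }
    if (rc == 0) {
        rc = export_pub_pem(&pk);
    }
    /* … unchanged: success / error log on rc … */
    mbedtls_pk_free(&pk);
}
```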
@@ -1,13 +1,17 @@ +/* + * Copyright (c) 2025 WIKA Alexander Wiegand SE & Co. KG + * + * SPDX-License-Identifier: Apache-2.0 + */ #include "boot_rng.h" static const struct device *entropy_dev = NULL; static bool initialized = false; -int generator_hw_rng(uint32_t *val) +int +generator_hw_rng(uint32_t *val) { + *val = sys_rand32_get(); - *val = sys_rand32_get(); - - return 0; - + return 0; } diff --git a/boot/zephyr/include/boot_rng.h b/boot/zephyr/include/boot_rng.h index a54c4ec2c4..c97a773dad 100644 --- a/boot/zephyr/include/boot_rng.h +++ b/boot/zephyr/include/boot_rng.h @@ -1,3 +1,8 @@ +/* + * Copyright (c) 2025 WIKA Alexander Wiegand SE & Co. KG + * + * SPDX-License-Identifier: Apache-2.0 + */ #ifndef _BOOT_RNG_H_ #define _BOOT_RNG_H_ @@ -5,9 +10,6 @@ #include #include - - -int generator_hw_rng(uint32_t* val); - +int generator_hw_rng(uint32_t *val); #endif /*_BOOT_RNG_H_*/ diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_rng.h b/boot/zephyr/include/mcuboot_config/mcuboot_rng.h index 9c5610acf7..7cfee393a6 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_rng.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_rng.h @@ -1,9 +1,13 @@ +/* + * Copyright (c) 2025 WIKA Alexander Wiegand SE & Co. KG + * + * SPDX-License-Identifier: Apache-2.0 + */ #ifndef __MCUBOOT_RNG_H__ #define __MCUBOOT_RNG_H__ #include "boot_rng.h" -#define MCUBOOT_RNG(...) generator_hw_rng(__VA_ARGS__) +#define MCUBOOT_RNG(...) generator_hw_rng(__VA_ARGS__) - -#endif /* __MCUBOOT_RNG_H__ */ +#endif /* __MCUBOOT_RNG_H__ */ \ No newline at end of file diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index c657b93dcb..b04189c89b 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c 
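Review bot: `generator_hw_rng` is named and used as a hardware RNG, but it returns `sys_rand32_get()`, which Zephyr documents as not cryptographically secure, and it always returns 0, so callers can never see a failure. The prj.conf context in PATCH 27 and PATCH 30 enables `CONFIG_TEST_RANDOM_GENERATOR` and `CONFIG_TIMER_RANDOM_GENERATOR`. With those set, the words that seed the encryption key pair would presumably come from a timer-based test generator. I would use `return sys_csrand_get(val, sizeof(*val));` so the value comes from the CSPRNG API and errors propagate, and drop the test generator options from the bootloader configuration.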
@@ -59,21 +59,21 @@ #include #include -#define IMAGE_INDEX_0 0 -#define IMAGE_INDEX_1 1 +#define IMAGE_INDEX_0 0 +#define IMAGE_INDEX_1 1 -#define PRIMARY_SLOT 0 -#define SECONDARY_SLOT 1 +#define PRIMARY_SLOT 0 +#define SECONDARY_SLOT 1 -#define IMAGE0_PRIMARY_START_ADDRESS \ - DT_PROP_BY_IDX(DT_NODE_BY_FIXED_PARTITION_LABEL(image_0), reg, 0) -#define IMAGE0_PRIMARY_SIZE \ - DT_PROP_BY_IDX(DT_NODE_BY_FIXED_PARTITION_LABEL(image_0), reg, 1) +#define IMAGE0_PRIMARY_START_ADDRESS \ + DT_PROP_BY_IDX(DT_NODE_BY_FIXED_PARTITION_LABEL(image_0), reg, 0) +#define IMAGE0_PRIMARY_SIZE \ + DT_PROP_BY_IDX(DT_NODE_BY_FIXED_PARTITION_LABEL(image_0), reg, 1) -#define IMAGE1_PRIMARY_START_ADDRESS \ - DT_PROP_BY_IDX(DT_NODE_BY_FIXED_PARTITION_LABEL(image_1), reg, 0) -#define IMAGE1_PRIMARY_SIZE \ - DT_PROP_BY_IDX(DT_NODE_BY_FIXED_PARTITION_LABEL(image_1), reg, 1) +#define IMAGE1_PRIMARY_START_ADDRESS \ + DT_PROP_BY_IDX(DT_NODE_BY_FIXED_PARTITION_LABEL(image_1), reg, 0) +#define IMAGE1_PRIMARY_SIZE \ + DT_PROP_BY_IDX(DT_NODE_BY_FIXED_PARTITION_LABEL(image_1), reg, 1) #endif /* CONFIG_SOC_FAMILY_ESPRESSIF_ESP32 */ @@ -81,10 +81,8 @@ #include "boot_serial/boot_serial.h" #include "serial_adapter/serial_adapter.h" -const struct boot_uart_funcs boot_funcs = { - .read = console_read, - .write = console_write -}; +const struct boot_uart_funcs boot_funcs = { .read = console_read, + .write = console_write }; #endif #if defined(CONFIG_BOOT_USB_DFU_WAIT) || defined(CONFIG_BOOT_USB_DFU_GPIO) @@ -95,7 +93,7 @@ const struct boot_uart_funcs boot_funcs = { #include #endif -#if defined(CONFIG_LOG) && !defined(CONFIG_LOG_MODE_IMMEDIATE) && \ +#if defined(CONFIG_LOG) && !defined(CONFIG_LOG_MODE_IMMEDIATE) && \ !defined(CONFIG_LOG_MODE_MINIMAL) #ifdef CONFIG_LOG_PROCESS_THREAD #warning "The log internal thread for log processing can't transfer the log"\ 
@@ -112,16 +110,20 @@ volatile bool boot_log_stop = false; K_SEM_DEFINE(boot_log_sem, 1, 1); /* log processing need to be initalized by the application */ -#define ZEPHYR_BOOT_LOG_START() zephyr_boot_log_start() -#define ZEPHYR_BOOT_LOG_STOP() zephyr_boot_log_stop() +#define ZEPHYR_BOOT_LOG_START() zephyr_boot_log_start() +#define ZEPHYR_BOOT_LOG_STOP() zephyr_boot_log_stop() #endif /* CONFIG_LOG_PROCESS_THREAD */ #else /* synchronous log mode doesn't need to be initalized by the application */ -#define ZEPHYR_BOOT_LOG_START() do { } while (false) -#define ZEPHYR_BOOT_LOG_STOP() do { } while (false) -#endif /* defined(CONFIG_LOG) && !defined(CONFIG_LOG_MODE_IMMEDIATE) && \ - * !defined(CONFIG_LOG_MODE_MINIMAL) - */ +#define ZEPHYR_BOOT_LOG_START() \ + do { \ + } while (false) +#define ZEPHYR_BOOT_LOG_STOP() \ + do { \ + } while (false) +#endif /* defined(CONFIG_LOG) && !defined(CONFIG_LOG_MODE_IMMEDIATE) && \ + * !defined(CONFIG_LOG_MODE_MINIMAL) \ + */ BOOT_LOG_MODULE_REGISTER(mcuboot); @@ -149,7 +151,8 @@ struct arm_vector_table { #endif }; -static void do_boot(struct boot_rsp *rsp) +static void +do_boot(struct boot_rsp *rsp) { /* vt is static as it shall not land on the stack, * as this procedure modifies stack pointer before usage of *vt @@ -172,8 +175,7 @@ static void do_boot(struct boot_rsp *rsp) rc = flash_device_base(rsp->br_flash_dev_id, &flash_base); assert(rc == 0); - vt = (struct arm_vector_table *)(flash_base + - rsp->br_image_off + + vt = (struct arm_vector_table *)(flash_base + rsp->br_image_off + rsp->br_hdr->ih_hdr_size); #endif @@ -200,8 +202,7 @@ static void do_boot(struct boot_rsp *rsp) z_arm_clear_arm_mpu_config(); #endif -#if defined(CONFIG_BUILTIN_STACK_GUARD) && \ - defined(CONFIG_CPU_CORTEX_M_HAS_SPLIM) +#if defined(CONFIG_BUILTIN_STACK_GUARD) && defined(CONFIG_CPU_CORTEX_M_HAS_SPLIM) /* Reset limit registers to avoid inflicting stack overflow on image * being booted. */ 
@@ -222,7 +223,7 @@ static void do_boot(struct boot_rsp *rsp) #elif defined(CONFIG_CPU_CORTEX_M_HAS_VTOR) SCB->VTOR = (uint32_t)vt; #endif /* CONFIG_SW_VECTOR_RELAY */ -#else /* CONFIG_BOOT_INTR_VEC_RELOC */ +#else /* CONFIG_BOOT_INTR_VEC_RELOC */ #if defined(CONFIG_CPU_CORTEX_M_HAS_VTOR) && defined(CONFIG_SW_VECTOR_RELAY) _vector_table_pointer = _vector_start; SCB->VTOR = (uint32_t)__vector_relay_table; @@ -240,23 +241,22 @@ static void do_boot(struct boot_rsp *rsp) #else /* Set mode to supervisor and A, I and F bit as described in the * Cortex R5 TRM */ - __asm__ volatile( - " mrs r0, CPSR\n" - /* change mode bits to supervisor */ - " bic r0, #0x1f\n" - " orr r0, #0x13\n" - /* set the A, I and F bit */ - " mov r1, #0b111\n" - " lsl r1, #0x6\n" - " orr r0, r1\n" - - " msr CPSR, r0\n" - ::: "r0", "r1"); + __asm__ volatile(" mrs r0, CPSR\n" + /* change mode bits to supervisor */ + " bic r0, #0x1f\n" + " orr r0, #0x13\n" + /* set the A, I and F bit */ + " mov r1, #0b111\n" + " lsl r1, #0x6\n" + " orr r0, r1\n" + + " msr CPSR, r0\n" :: + : "r0", "r1"); #endif /* CONFIG_CPU_CORTEX_M */ #endif #if CONFIG_MCUBOOT_CLEANUP_RAM - __asm__ volatile ( + __asm__ volatile( /* vt->reset -> r0 */ " mov r0, %0\n" /* base to write -> r1 */ 
@@ -279,21 +279,20 @@ static void do_boot(struct boot_rsp *rsp) /* jump to reset vector of an app */ " bx r0\n" : - : "r" (vt->reset), "i" (CONFIG_SRAM_BASE_ADDRESS), - "i" (CONFIG_SRAM_SIZE * 1024), "i" (0) - : "r0", "r1", "r2", "r3", "memory" - ); + : "r"(vt->reset), "i"(CONFIG_SRAM_BASE_ADDRESS), + "i"(CONFIG_SRAM_SIZE * 1024), "i"(0) + : "r0", "r1", "r2", "r3", "memory"); #else #ifdef CONFIG_CPU_CORTEX_M ((void (*)(void))vt->reset)(); #else - /* Some ARM CPUs like the Cortex-R5 can run in thumb mode but reset into ARM - * mode (depending on a CPU signal configurations). To do the switch into ARM - * mode, if needed, an explicit branch with exchange instruction set - * instruction is needed + /* Some ARM CPUs like the Cortex-R5 can run in thumb mode but reset into + * ARM mode (depending on a CPU signal configurations). To do the switch + * into ARM mode, if needed, an explicit branch with exchange instruction + * set instruction is needed */ - __asm__("bx %0\n" : : "r" (&vt->reset)); + __asm__("bx %0\n" : : "r"(&vt->reset)); #endif #endif @@ -303,9 +302,10 @@ static void do_boot(struct boot_rsp *rsp) #ifndef CONFIG_SOC_FAMILY_ESPRESSIF_ESP32 -#define SRAM_BASE_ADDRESS 0xBE030000 +#define SRAM_BASE_ADDRESS 0xBE030000 -static void copy_img_to_SRAM(int slot, unsigned int hdr_offset) +static void +copy_img_to_SRAM(int slot, unsigned int hdr_offset) { const struct flash_area *fap; int area_id; @@ -335,7 +335,8 @@ static void copy_img_to_SRAM(int slot, unsigned int hdr_offset) /* Entry point (.ResetVector) is at the very beginning of the image. * Simply copy the image to a suitable location and jump there. */ -static void do_boot(struct boot_rsp *rsp) +static void +do_boot(struct boot_rsp *rsp) { #ifndef CONFIG_SOC_FAMILY_ESPRESSIF_ESP32 void *start; 
@@ -345,8 +346,8 @@ static void do_boot(struct boot_rsp *rsp) BOOT_LOG_INF("ih_hdr_size = 0x%x\n", rsp->br_hdr->ih_hdr_size); #ifdef CONFIG_SOC_FAMILY_ESPRESSIF_ESP32 - int slot = (rsp->br_image_off == IMAGE0_PRIMARY_START_ADDRESS) ? - PRIMARY_SLOT : SECONDARY_SLOT; + int slot = (rsp->br_image_off == IMAGE0_PRIMARY_START_ADDRESS) ? PRIMARY_SLOT + : SECONDARY_SLOT; /* Load memory segments and start from entry point */ start_cpu0_image(IMAGE_INDEX_0, slot, rsp->br_hdr->ih_hdr_size); #else @@ -366,7 +367,8 @@ static void do_boot(struct boot_rsp *rsp) * in the vector table. Assume the vector table is at the start of the image, * and jump to reset */ -static void do_boot(struct boot_rsp *rsp) +static void +do_boot(struct boot_rsp *rsp) { struct arc_vector_table { void (*reset)(void); /* Reset vector */ @@ -382,7 +384,7 @@ static void do_boot(struct boot_rsp *rsp) assert(rc == 0); vt = (struct arc_vector_table *)(flash_base + rsp->br_image_off + - rsp->br_hdr->ih_hdr_size); + rsp->br_hdr->ih_hdr_size); #endif /* Lock interrupts and dive into the entry point */ @@ -395,7 +397,8 @@ static void do_boot(struct boot_rsp *rsp) * lock interrupts and jump there. This is the right thing to do for X86 and * possibly other platforms. */ -static void do_boot(struct boot_rsp *rsp) +static void +do_boot(struct boot_rsp *rsp) { void *start; @@ -408,8 +411,7 @@ static void do_boot(struct boot_rsp *rsp) rc = flash_device_base(rsp->br_flash_dev_id, &flash_base); assert(rc == 0); - start = (void *)(flash_base + rsp->br_image_off + - rsp->br_hdr->ih_hdr_size); + start = (void *)(flash_base + rsp->br_image_off + rsp->br_hdr->ih_hdr_size); #endif /* Lock interrupts and dive into the entry point */ 
@@ -418,17 +420,17 @@ static void do_boot(struct boot_rsp *rsp) } #endif -#if defined(CONFIG_LOG) && !defined(CONFIG_LOG_MODE_IMMEDIATE) && \ +#if defined(CONFIG_LOG) && !defined(CONFIG_LOG_MODE_IMMEDIATE) && \ !defined(CONFIG_LOG_PROCESS_THREAD) && !defined(CONFIG_LOG_MODE_MINIMAL) -/* The log internal thread for log processing can't transfer log well as has too - * low priority. - * Dedicated thread for log processing below uses highest application - * priority. This allows to transmit all logs without adding k_sleep/k_yield - * anywhere else int the code. +/* The log internal thread for log processing can't transfer log well as has + * too low priority. Dedicated thread for log processing below uses highest + * application priority. This allows to transmit all logs without adding + * k_sleep/k_yield anywhere else int the code. */ /* most simple log processing theread */ -void boot_log_thread_func(void *dummy1, void *dummy2, void *dummy3) +void +boot_log_thread_func(void *dummy1, void *dummy2, void *dummy3) { (void)dummy1; (void)dummy2; @@ -448,19 +450,20 @@ void boot_log_thread_func(void *dummy1, void *dummy2, void *dummy3) k_sem_give(&boot_log_sem); } -void zephyr_boot_log_start(void) +void +zephyr_boot_log_start(void) { /* start logging thread */ k_thread_create(&boot_log_thread, boot_log_stack, - K_THREAD_STACK_SIZEOF(boot_log_stack), - boot_log_thread_func, NULL, NULL, NULL, - K_HIGHEST_APPLICATION_THREAD_PRIO, 0, + K_THREAD_STACK_SIZEOF(boot_log_stack), boot_log_thread_func, + NULL, NULL, NULL, K_HIGHEST_APPLICATION_THREAD_PRIO, 0, BOOT_LOG_PROCESSING_INTERVAL); k_thread_name_set(&boot_log_thread, "logging"); } -void zephyr_boot_log_stop(void) +void +zephyr_boot_log_stop(void) { boot_log_stop = true; 
@@ -471,13 +474,16 @@ void zephyr_boot_log_stop(void) */ (void)k_sem_take(&boot_log_sem, K_FOREVER); } -#endif /* defined(CONFIG_LOG) && !defined(CONFIG_LOG_MODE_IMMEDIATE) && \ - * !defined(CONFIG_LOG_PROCESS_THREAD) && !defined(CONFIG_LOG_MODE_MINIMAL) +#endif /* defined(CONFIG_LOG) && !defined(CONFIG_LOG_MODE_IMMEDIATE) && \ + * !defined(CONFIG_LOG_PROCESS_THREAD) && !defined(CONFIG_LOG_MODE_MINIMAL) \ */ -#if defined(CONFIG_BOOT_SERIAL_ENTRANCE_GPIO) || defined(CONFIG_BOOT_SERIAL_PIN_RESET) \ - || defined(CONFIG_BOOT_SERIAL_BOOT_MODE) || defined(CONFIG_BOOT_SERIAL_NO_APPLICATION) -static void boot_serial_enter() +#if defined(CONFIG_BOOT_SERIAL_ENTRANCE_GPIO) || \ + defined(CONFIG_BOOT_SERIAL_PIN_RESET) || \ + defined(CONFIG_BOOT_SERIAL_BOOT_MODE) || \ + defined(CONFIG_BOOT_SERIAL_NO_APPLICATION) +static void +boot_serial_enter() { int rc; @@ -495,7 +501,8 @@ static void boot_serial_enter() } #endif -int main(void) +int +main(void) { struct boot_rsp rsp; int rc; @@ -536,8 +543,7 @@ int main(void) #ifdef CONFIG_BOOT_SERIAL_ENTRANCE_GPIO BOOT_LOG_DBG("Checking GPIO for serial recovery"); - if (io_detect_pin() && - !io_boot_skip_serial_recovery()) { + if (io_detect_pin() && !io_boot_skip_serial_recovery()) { boot_serial_enter(); } #endif @@ -575,7 +581,8 @@ int main(void) BOOT_LOG_INF("Waiting for USB DFU"); #if defined(CONFIG_BOOT_USB_DFU_WAIT) - BOOT_LOG_DBG("Waiting for USB DFU for %dms", CONFIG_BOOT_USB_DFU_WAIT_DELAY_MS); + BOOT_LOG_DBG("Waiting for USB DFU for %dms", + CONFIG_BOOT_USB_DFU_WAIT_DELAY_MS); mcuboot_status_change(MCUBOOT_STATUS_USB_DFU_WAITING); wait_for_usb_dfu(K_MSEC(CONFIG_BOOT_USB_DFU_WAIT_DELAY_MS)); BOOT_LOG_INF("USB DFU wait time elapsed"); @@ -595,6 +602,7 @@ int main(void) * initial mcumgr command(s) into our buffers */ rc = boot_console_init(); + int timeout_in_ms = CONFIG_BOOT_SERIAL_WAIT_FOR_DFU_TIMEOUT; uint32_t start = k_uptime_get_32(); 
@@ -607,7 +615,8 @@ int main(void) if (FIH_EQ(fih_rc, FIH_BOOT_HOOK_REGULAR)) { FIH_CALL(boot_go, fih_rc, &rsp); } - BOOT_LOG_DBG("Left boot_go with success == %d", FIH_EQ(fih_rc, FIH_SUCCESS) ? 1 : 0); + BOOT_LOG_DBG("Left boot_go with success == %d", + FIH_EQ(fih_rc, FIH_SUCCESS) ? 1 : 0); #ifdef CONFIG_BOOT_SERIAL_BOOT_MODE if (io_detect_boot_mode()) { @@ -621,11 +630,11 @@ int main(void) #ifdef CONFIG_BOOT_SERIAL_WAIT_FOR_DFU timeout_in_ms -= (k_uptime_get_32() - start); - if( timeout_in_ms <= 0 ) { + if (timeout_in_ms <= 0) { /* at least one check if time was expired */ timeout_in_ms = 1; } - boot_serial_check_start(&boot_funcs,timeout_in_ms); + boot_serial_check_start(&boot_funcs, timeout_in_ms); #ifdef CONFIG_MCUBOOT_INDICATION_LED io_led_set(0); @@ -633,10 +642,10 @@ int main(void) #endif if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { - BOOT_LOG_ERR("Unable to find bootable image"); - #if defined(MCUBOOT_GEN_ENC_KEY) && defined(MCUBOOT_HAVE_HWRNG) + BOOT_LOG_ERR("Unable to find bootable image"); +#if defined(MCUBOOT_GEN_ENC_KEY) && defined(MCUBOOT_HAVE_HWRNG) generate_enc_key_pair(); - #endif +#endif mcuboot_status_change(MCUBOOT_STATUS_NO_BOOTABLE_IMAGE_FOUND); @@ -659,23 +668,19 @@ int main(void) } #ifdef MCUBOOT_RAM_LOAD - BOOT_LOG_INF("Bootloader chainload address offset: 0x%x", - rsp.br_hdr->ih_load_addr); + BOOT_LOG_INF("Bootloader chainload address offset: 0x%x", rsp.br_hdr->ih_load_addr); #else - BOOT_LOG_INF("Bootloader chainload address offset: 0x%x", - rsp.br_image_off); + BOOT_LOG_INF("Bootloader chainload address offset: 0x%x", rsp.br_image_off); #endif BOOT_LOG_INF("Image version: v%d.%d.%d", rsp.br_hdr->ih_ver.iv_major, - rsp.br_hdr->ih_ver.iv_minor, - rsp.br_hdr->ih_ver.iv_revision); + rsp.br_hdr->ih_ver.iv_minor, rsp.br_hdr->ih_ver.iv_revision); #if defined(MCUBOOT_DIRECT_XIP) BOOT_LOG_INF("Jumping to the image slot"); #else BOOT_LOG_INF("Jumping to the first image slot"); - #endif mcuboot_status_change(MCUBOOT_STATUS_BOOTABLE_IMAGE_FOUND); 
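Review bot: In the `@@ -633,10 +642,10 @@` hunk, `generate_enc_key_pair()` sits on the `FIH_NOT_EQ(fih_rc, FIH_SUCCESS)` path, so every boot that finds no bootable image creates a new key pair and writes it to the log. Nothing in the hunks shown stores the private key or checks whether one already exists, so the printed key appears to be the only copy and changes on each such boot. A comment above the call stating the intended provisioning flow would help, e.g. `/* Provisioning only: runs when no image is bootable; key is regenerated on every such boot. */`. The call likely belongs behind a check for an existing key. `main` starts and ends outside this hunk.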
diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 51c38d2a86..105525b3da 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -52,4 +52,3 @@ CONFIG_BOOT_GEN_ENC_KEY=y CONFIG_BOOT_HAVE_HWRNG=y CONFIG_TEST_RANDOM_GENERATOR=y CONFIG_TIMER_RANDOM_GENERATOR=y - From 45ae1ff6a7720cd9518493d0df1a92632e0ff265 Mon Sep 17 00:00:00 2001 From: "emilien.lenoa" Date: Fri, 31 Oct 2025 08:03:50 +0000 Subject: [PATCH 28/35] Add comments --- boot/bootutil/src/generate_key_pair.c | 62 +++++++++++++++++++-------- boot/zephyr/boot_rng.c | 3 -- 2 files changed, 45 insertions(+), 20 deletions(-) diff --git a/boot/bootutil/src/generate_key_pair.c b/boot/bootutil/src/generate_key_pair.c index d95bb8d6c1..ab05336869 100644 --- a/boot/bootutil/src/generate_key_pair.c +++ b/boot/bootutil/src/generate_key_pair.c @@ -17,8 +17,6 @@ #include "bootutil/bootutil_hwrng.h" BOOT_LOG_MODULE_DECLARE(mcuboot); -extern unsigned char enc_priv_key[]; -extern unsigned int enc_priv_key_len; /** * @brief Generate random data using the hardware random number generator. @@ -38,7 +36,7 @@ mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *ole (void)data; uint32_t val; size_t produced = 0; - // Warm-up + for (int i = 0; i < NBR_WARM_UP; i++) { BOOT_RNG(&val); } @@ -57,8 +55,8 @@ mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *ole size_t copy_len = (len - produced >= 4) ? 4 : (len - produced); memcpy(output + produced, &val, copy_len); produced += copy_len; - BOOT_LOG_INF("%08lX", (unsigned long)val, (unsigned long)produced, - (unsigned long)len); + BOOT_LOG_INF("val=0x%lX producted=%lu len=%lu", (unsigned long)val, + (unsigned long)produced, (unsigned long)len); } *olen = produced; BOOT_LOG_INF("mbedtls_hardware_poll: total generated = %lu bytes", 
@@ -67,6 +65,11 @@ mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *ole } #endif +/** + * @brief Wrap mbedtls_hardware_poll + * + * @return Function to generate random data using the hardware random number generator + */ int mbedtls_hardware_polll_full(void *data, unsigned char *output, size_t len) { @@ -74,10 +77,14 @@ mbedtls_hardware_polll_full(void *data, unsigned char *output, size_t len) size_t dummy; return mbedtls_hardware_poll(data, output, len, &dummy); } -/* - * Generate an EC-P256 key pair using the mbedTLS library + +/** + * @brief Generate public and private key and contain in mbedtls_pk_context. + * + * @param pk Initialize mbedtls_pk_context and contains the generate key pair. * - * @return 0 on success, or a negative mbedTLS error code on failure. + * @return 0 for Success. + * @return Not equal to zero, therefore failure. */ int gen_p256_keypair(mbedtls_pk_context *pk) @@ -91,9 +98,6 @@ gen_p256_keypair(mbedtls_pk_context *pk) mbedtls_entropy_init(&entropy); mbedtls_ctr_drbg_init(&ctr_drbg); - /* - * Seeds the random number generator using a hardware entropy source - */ ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_hardware_polll_full, NULL, pers, sizeof(pers) - 1); if (ret != 0) { @@ -101,18 +105,12 @@ gen_p256_keypair(mbedtls_pk_context *pk) goto cleanup; } - /* - * Sets up the public key context for key generation - */ ret = mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)); if (ret != 0) { BOOT_LOG_ERR("PK_SETUP FAIL ret=%d", ret); goto cleanup; } - /* - * - */ ret = mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1, mbedtls_pk_ec(*pk), mbedtls_ctr_drbg_random, &ctr_drbg); if (ret != 0) { 
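Review bot: The `@return` line added for `mbedtls_hardware_polll_full` describes the function rather than its return value, and the block has no `@param` entries. Suggested wording: `@return 0 on success, MBEDTLS_ERR_ENTROPY_SOURCE_FAILED if the RNG read fails.`, with a `@brief` saying that it adapts `mbedtls_hardware_poll` to the seed-callback signature by discarding `olen`. The rewritten `gen_p256_keypair` block in the next hunk also replaces "a negative mbedTLS error code" with "Not equal to zero", which tells callers less than the text it removes.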
@@ -126,6 +124,14 @@ gen_p256_keypair(mbedtls_pk_context *pk) return ret; } +/** + * @brief Export private key in PKCS8 format. + * + * @param pk Initialize mbedtls_pk_context and contains the generate key pair. + * + * @return 0 for Success. + * @return Not equal to zero, therefore failure. + */ int export_privkey_der(mbedtls_pk_context *pk) { @@ -167,6 +173,14 @@ export_privkey_der(mbedtls_pk_context *pk) return 0; } +/** + * @brief Export private and public key in PEM format. + * + * @param pk Initialize mbedtls_pk_context and contains the generate key pair. + * + * @return 0 for Success. + * @return Not equal to zero, therefore failure. + */ int export_pub_pem(mbedtls_pk_context *pk) { @@ -191,6 +205,12 @@ export_pub_pem(mbedtls_pk_context *pk) return 0; } +/** + * @brief Print private and public key + * + * @param pk Initialize mbedtls_pk_context and contains the generate key pair. + * + */ void dump_p256(const mbedtls_pk_context *pk) { @@ -219,6 +239,14 @@ dump_p256(const mbedtls_pk_context *pk) BOOT_LOG_INF("\n"); } +/** + * @brief Generate public and private key for encryption in (PKCS8 and PEM format). + * + * @param pk Initialize mbedtls_pk_context and contains the generate key pair. + * + * @note On failure, print error message. + * @note On success, print success message. + */ void generate_enc_key_pair() { diff --git a/boot/zephyr/boot_rng.c b/boot/zephyr/boot_rng.c index d40dce2288..6a9d7c8f1d 100644 --- a/boot/zephyr/boot_rng.c +++ b/boot/zephyr/boot_rng.c @@ -5,9 +5,6 @@ */ #include "boot_rng.h" -static const struct device *entropy_dev = NULL; -static bool initialized = false; - int generator_hw_rng(uint32_t *val) { From c2f863fde398e91df89fb5bfff11a580656d7661 Mon Sep 17 00:00:00 2001 From: "LeNoa, Emilien" Date: Thu, 13 Nov 2025 20:16:58 +0100 Subject: [PATCH 29/35] remove overlay --- boot/zephyr/boards/lora_e5_mini.overlay | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 boot/zephyr/boards/lora_e5_mini.overlay 
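Review bot: The doc block added for `generate_enc_key_pair` in the last hunk of this file documents `@param pk`, but the function takes no parameters, so that line should go. The blocks for `export_privkey_der`, `export_pub_pem` and `dump_p256` say "Export" and "Print" without saying where. The visible code writes through `BOOT_LOG_INF`, so the comments should state it, e.g. `@brief Write the PKCS#8 private key to the boot log as hex.`. Stating the destination makes the handling of private key material visible to anyone reading the header comment.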
diff --git a/boot/zephyr/boards/lora_e5_mini.overlay b/boot/zephyr/boards/lora_e5_mini.overlay deleted file mode 100644 index f7f793833a..0000000000 --- a/boot/zephyr/boards/lora_e5_mini.overlay +++ /dev/null @@ -1,17 +0,0 @@ -/ { - chosen { - zephyr,code-partition = &boot_partition; - }; -}; - -&boot_partition { - reg = <0x00000000 0x10000>; - // read-only; -}; - -&lpuart1 { - pinctrl-0 = <&lpuart1_tx_pc1 &lpuart1_rx_pc0>; - pinctrl-names = "default"; - current-speed = <115200>; - status = "okay"; -}; From f69b51949d46b9ec28c452320e4532804b0654e7 Mon Sep 17 00:00:00 2001 From: "LeNoa, Emilien" Date: Thu, 13 Nov 2025 20:18:51 +0100 Subject: [PATCH 30/35] remove usseless prj --- boot/zephyr/prj.conf | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 105525b3da..13610806fa 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -30,15 +30,6 @@ CONFIG_PICOLIBC=y ### Disable malloc arena because we don't need it CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE=0 - - -# CONFIG_TEST_CSPRNG_GENERATOR=y -# CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y -# if needed for debug -CONFIG_LOG=y -CONFIG_MCUBOOT_LOG_LEVEL_INF=y -CONFIG_LOG_DEFAULT_LEVEL=4 - CONFIG_BOOT_VALIDATE_SLOT0=y CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y @@ -51,4 +42,4 @@ CONFIG_BOOT_ECDSA_MBEDTLS=y CONFIG_BOOT_GEN_ENC_KEY=y CONFIG_BOOT_HAVE_HWRNG=y CONFIG_TEST_RANDOM_GENERATOR=y -CONFIG_TIMER_RANDOM_GENERATOR=y +CONFIG_TIMER_RANDOM_GENERATOR=y \ No newline at end of file From 60ce76f483b5047e356937809da6bbb9bf99d057 Mon Sep 17 00:00:00 2001 From: "LeNoa, Emilien" Date: Thu, 13 Nov 2025 20:22:28 +0100 Subject: [PATCH 31/35] minor change --- boot/zephyr/app.overlay | 18 ------------------ .../include/mbedtls/mbedtls_config.h | 1 - 2 files changed, 19 deletions(-) diff --git a/boot/zephyr/app.overlay b/boot/zephyr/app.overlay index 72c8d71215..fcf8d220b7 100644 --- a/boot/zephyr/app.overlay +++ b/boot/zephyr/app.overlay 
@@ -4,24 +4,6 @@ }; }; -&boot_partition { - reg = <0x00000000 0x10000>; - read-only; -}; - -&uart20 { - current-speed = <115200>; - pinctrl-0 = <&uart20_default>; - pinctrl-1 = <&uart20_sleep>; - pinctrl-names = "default", "sleep"; -}; - -&uart30 { - current-speed = <115200>; - pinctrl-0 = <&uart30_default>; - pinctrl-1 = <&uart30_sleep>; - pinctrl-names = "default", "sleep"; -}; diff --git a/ext/mbedtls-asn1/include/mbedtls/mbedtls_config.h b/ext/mbedtls-asn1/include/mbedtls/mbedtls_config.h index d8d81525be..cf60f4df61 100644 --- a/ext/mbedtls-asn1/include/mbedtls/mbedtls_config.h +++ b/ext/mbedtls-asn1/include/mbedtls/mbedtls_config.h @@ -92,5 +92,4 @@ #endif #include "check_config.h" - #endif /* MBEDTLS_CONFIG_H */ \ No newline at end of file From 37ad36fe16e70d6c4691ff9e2189df64c52059e6 Mon Sep 17 00:00:00 2001 From: "LeNoa, Emilien" Date: Thu, 13 Nov 2025 20:23:11 +0100 Subject: [PATCH 32/35] minor change --- boot/zephyr/app.overlay | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/boot/zephyr/app.overlay b/boot/zephyr/app.overlay index fcf8d220b7..0d1cd902cd 100644 --- a/boot/zephyr/app.overlay +++ b/boot/zephyr/app.overlay @@ -2,9 +2,4 @@ chosen { zephyr,code-partition = &boot_partition; }; -}; - - - - - +}; \ No newline at end of file From 911b30d1d6a223552c39befcf0d07f0fa02d2089 Mon Sep 17 00:00:00 2001 From: "LeNoa, Emilien" Date: Thu, 13 Nov 2025 20:26:10 +0100 Subject: [PATCH 33/35] mbedtls --- boot/zephyr/mbedtls.conf | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 boot/zephyr/mbedtls.conf diff --git a/boot/zephyr/mbedtls.conf b/boot/zephyr/mbedtls.conf deleted file mode 100644 index 43eab76e50..0000000000 --- a/boot/zephyr/mbedtls.conf +++ /dev/null 
@@ -1,14 +0,0 @@ -# config for ecdsa gen keys and encryption -CONFIG_MBEDTLS_ECDSA_C=y -CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y -CONFIG_MBEDTLS_PK_WRITE_C=y -CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y -CONFIG_MBEDTLS_CIPHER_MODE_CTR_ENABLED=y -CONFIG_MBEDTLS_CIPHER=y -CONFIG_MBEDTLS_ECP_C=y -CONFIG_MBEDTLS_NIST_KW_C=y -CONFIG_MBEDTLS_CTR_DRBG_ENABLED=y -CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y -CONFIG_MBEDTLS_ASN1_PARSE_C=y -CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y -CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR=y \ No newline at end of file From 6d63351e505e2e49f14dfcee9ec4bb2b05028154 Mon Sep 17 00:00:00 2001 From: "LeNoa, Emilien" Date: Thu, 13 Nov 2025 20:36:55 +0100 Subject: [PATCH 34/35] marktdown --- docs/key_generation.md | 53 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 docs/key_generation.md diff --git a/docs/key_generation.md b/docs/key_generation.md new file mode 100644 index 0000000000..d434475afc --- /dev/null +++ b/docs/key_generation.md 
@@ -0,0 +1,53 @@
+# Key Generation for Firmware Encryption with Mcuboot
+
+## Context
+
+Mcuboot supports firmware encryption using the Elliptic Curve Integrated Encryption Scheme (ECIES). This mechanism requires a key pair based on the SECP256R1 elliptic curve.
+
+- The private key is securely generated and stored within the microcontroller.
+- The public key is used to encrypt firmware updates before transmission.
+
+## Current Implementation
+
+In the default Mcuboot implementation, the private key used for firmware decryption is compiled directly into the bootloader binary.
+
+- The key pair is generated externally (e.g, on a production machine).
+- The public is used to encrypt the firmware image.
+- The private key is embedded in the bootloader and used to decrypt and verify the firmware during boot.
+
+
+## Implemented Functionality
+
+During the first boot, the microcontroller automatically generates a key pair. The process includes:
+
+1. Secure random number generation using STM32 hardware TRNG (True Random Generator).
+2. ECC key pair creation (SECP256R1) using the mbedTLS library.
+3. Conversion of the private key to DER format following the PKCS#8 standard.
+4. Conversion of the public key to PEM format for export.
+
+The private key remains stored in a secure area of the microcontroller and is never exposed. The public key can be retrived during the update.
+
+## Process Steps
+
+1. Verify the integrity of the current firmware.
+2. Generate a secure random number.
+3. Create ECC key pair (SECP256R1).
+4. Convert the private key to DER format (PKCS#8).
+5. Convert the public key to PEM format.
+
+## PKCS#8 standard
+
+PrivateKeyInfo ::= SEQUENCE {
+ version Version,
+ privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
+ privateKey PrivateKey,
+ attributes [0] IMPLICIT Attributes OPTIONAL }
+
+## SEC1 standard
+
+ECPrivateKey ::= SEQUENCE {
+ version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+ privateKey OCTET STRING,
+ parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+ publicKey [1] BIT STRING OPTIONAL
+}
From 195a53daaa72f1ba824c5042088609749f7d332a Mon Sep 17 00:00:00 2001
From: "LeNoa, Emilien"
Date: Tue, 18 Nov 2025 10:54:27 +0100
Subject: [PATCH 35/35] restore module
---
 zephyr/module.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/zephyr/module.yml b/zephyr/module.yml
index fe1a2949b5..2148831dd7 100644
--- a/zephyr/module.yml
+++ b/zephyr/module.yml
@@ -2,4 +2,8 @@ samples:
 - boot/zephyr
 build:
 cmake: ./boot/bootutil/zephyr
-
+ sysbuild-cmake: boot/zephyr/sysbuild
+package-managers:
+ pip:
+ requirement-files:
+ - zephyr/requirements.txt
\ No newline at end of file
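Review bot: The added last line `- zephyr/requirements.txt` leaves `zephyr/module.yml` without a terminating newline (the hunk ends in `\ No newline at end of file`); end the file with a newline so a later append does not have to rewrite this line. The new `package-managers: pip: requirement-files:` entry points at `zephyr/requirements.txt`, which the part of the series shown here does not touch, so confirm the file exists in the tree. Its contents are not visible from this hunk; if it lists the Python packages used by the image signing and encryption tooling (presumably, given the module), those entries should be version-pinned so the build environment that handles the signing key stays reproducible.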