Add enc_bootloader binary

You can now use `picotool encrypt --embed ...` to create a self-decrypting binary, using enc_bootloader

Author: will-v-pi

BUILD.bazel

@@ -17,6 +17,13 @@ picotool_binary_data_header(
     out = "xip_ram_perms_elf.h",
 )
 
+# TODO: Make it possible to build the prebuilt from source.
+picotool_binary_data_header(
+    name = "enc_bootloader_elf",
+    src = "//enc_bootloader:enc_bootloader_prebuilt",
+    out = "enc_bootloader_elf.h",
+)
+
 # TODO: Make it possible to build the prebuilt from source.
 picotool_binary_data_header(
     name = "flash_id_bin",
@@ -37,6 +44,19 @@ cc_library(
     ],
 )
 
+cc_library(
+    name = "enc_bootloader",
+    srcs = ["enc_bootloader.cpp"],
+    hdrs = [
+        "enc_bootloader.h",
+        "enc_bootloader_elf.h",
+    ],
+    deps = [
+        "//bazel:data_locs",
+        "//lib/whereami",
+    ],
+)
+
 filegroup(
     name = "data_locs_header",
     srcs = ["data_locs.h"],
@@ -62,6 +82,7 @@ cc_binary(
         "otp.h",
         "rp2350.rom.h",
         "xip_ram_perms.cpp",
+        "enc_bootloader.cpp",
     ] + select({
         # MSVC can't handle long strings, so use this manually generated
         # header instead.
@@ -97,6 +118,7 @@ cc_binary(
     }),
     deps = [
         ":xip_ram_perms",
+        ":enc_bootloader",
         "//bazel:data_locs",
         "//bintool",
         "//elf",

CMakeLists.txt

@@ -85,6 +85,33 @@ if (NOT PICOTOOL_NO_LIBUSB)
         DEPENDS xip_ram_perms
     )
 
+    # compile enc_bootloader.elf
+    if (NOT DEFINED USE_PRECOMPILED)
+        set(USE_PRECOMPILED true)
+    endif()
+    ExternalProject_Add(enc_bootloader
+            PREFIX enc_bootloader
+            SOURCE_DIR ${CMAKE_CURRENT_LIST_DIR}/enc_bootloader
+            BINARY_DIR ${CMAKE_BINARY_DIR}/enc_bootloader
+            CMAKE_ARGS 
+                "-DCMAKE_MAKE_PROGRAM:FILEPATH=${CMAKE_MAKE_PROGRAM}"
+                "-DPICO_SDK_PATH:FILEPATH=${PICO_SDK_PATH}"
+                "-DUSE_PRECOMPILED:BOOL=${USE_PRECOMPILED}"
+                "-DPICO_DEBUG_INFO_IN_RELEASE=OFF"
+            BUILD_ALWAYS 1 # todo remove this
+            INSTALL_COMMAND ""
+            )
+
+    set(ENC_BOOTLOADER_ELF ${CMAKE_BINARY_DIR}/enc_bootloader/enc_bootloader.elf)
+    add_executable(enc_bootloader_elf IMPORTED)
+    add_dependencies(enc_bootloader_elf enc_bootloader)
+    set_property(TARGET enc_bootloader_elf PROPERTY IMPORTED_LOCATION ${ENC_BOOTLOADER_ELF})
+    # copy enc_bootloader.elf into build directory
+    add_custom_command(TARGET enc_bootloader
+        COMMAND ${CMAKE_COMMAND} -E copy ${ENC_BOOTLOADER_ELF} ${CMAKE_BINARY_DIR}/enc_bootloader.elf
+        DEPENDS enc_bootloader
+    )
+
     # compile flash_id
     ExternalProject_Add(flash_id
             PREFIX picoboot_flash_id
@@ -172,6 +199,7 @@ endif()
 add_custom_target(binary_data DEPENDS
         ${CMAKE_CURRENT_BINARY_DIR}/rp2350.rom.h
         ${CMAKE_CURRENT_BINARY_DIR}/xip_ram_perms_elf.h
+        ${CMAKE_CURRENT_BINARY_DIR}/enc_bootloader_elf.h
         ${CMAKE_CURRENT_BINARY_DIR}/flash_id_bin.h)
 add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/rp2350.rom.h
         COMMAND ${CMAKE_COMMAND}
@@ -188,6 +216,14 @@ add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/xip_ram_perms_elf.h
         DEPENDS xip_ram_perms
         COMMENT "Configuring xip_ram_perms_elf.h"
         VERBATIM)
+add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/enc_bootloader_elf.h
+        COMMAND ${CMAKE_COMMAND}
+            -D BINARY_FILE=${ENC_BOOTLOADER_ELF}
+            -D OUTPUT_NAME=enc_bootloader_elf
+            -P ${CMAKE_CURRENT_LIST_DIR}/cmake/binh.cmake
+        DEPENDS enc_bootloader
+        COMMENT "Configuring enc_bootloader_elf.h"
+        VERBATIM)
 add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/flash_id_bin.h
         COMMAND ${CMAKE_COMMAND}
             -D BINARY_FILE=${FLASH_ID_BIN}
@@ -233,8 +269,10 @@ target_include_directories(regs_headers INTERFACE ${PICO_SDK_PATH}/src/rp2350/ha
 # Main picotool executable
 add_executable(picotool
     data_locs.cpp
+    enc_bootloader.cpp
     ${OTP_EXE}
     main.cpp)
+add_dependencies(picotool enc_bootloader_elf)
 if (NOT PICOTOOL_NO_LIBUSB)
     target_sources(picotool PRIVATE xip_ram_perms.cpp)
     add_dependencies(picotool generate_otp_header xip_ram_perms_elf binary_data)
@@ -328,6 +366,12 @@ install(FILES
     DESTINATION ${INSTALL_CONFIGDIR}
 )
 
+#Install enc_bootloader.elf
+install(FILES
+${ENC_BOOTLOADER_ELF}
+DESTINATION ${INSTALL_DATADIR}
+)
+
 if (NOT PICOTOOL_NO_LIBUSB)
     if (NOT PICOTOOL_CODE_OTP)
         #Install the otp json

bintool/bintool.cpp

@@ -869,8 +869,7 @@ void verify_block(std::vector<uint8_t> bin, uint32_t storage_addr, uint32_t runt
 }
 
 
-int encrypt(elf_file *elf, block *new_block, const aes_key_t aes_key, const public_t public_key, const private_t private_key, bool hash_value, bool sign) {
-
+void encrypt_guts(elf_file *elf, block *new_block, const aes_key_t aes_key, std::vector<uint8_t> &iv_data, std::vector<uint8_t> &enc_data) {
     std::vector<uint8_t> to_enc = get_lm_hash_data(elf, new_block);
 
     std::random_device rand{};
@@ -886,13 +885,21 @@ int encrypt(elf_file *elf, block *new_block, const aes_key_t aes_key, const publ
         e = rand();
     }
 
-    std::vector<uint8_t> iv_data(iv.bytes, iv.bytes + sizeof(iv.bytes));
+    iv_data.resize(sizeof(iv.bytes));
+    memcpy(iv_data.data(), iv.bytes, sizeof(iv.bytes));
 
-    std::vector<uint8_t> enc_data;
     enc_data.resize(to_enc.size());
 
     aes256_buffer(to_enc.data(), to_enc.size(), enc_data.data(), &aes_key, &iv);
+}
 
+
+int encrypt(elf_file *elf, block *new_block, const aes_key_t aes_key, const public_t public_key, const private_t private_key, bool hash_value, bool sign) {
+
+    std::vector<uint8_t> iv_data;
+    std::vector<uint8_t> enc_data;
+    encrypt_guts(elf, new_block, aes_key, iv_data, enc_data);
+    
     unsigned int i=0;
     for(const auto &seg : sorted_segs(elf)) {
         if (!seg->is_load()) continue;

bintool/bintool.h

@@ -25,6 +25,7 @@ std::unique_ptr<block> find_first_block(elf_file *elf);
 block place_new_block(elf_file *elf, std::unique_ptr<block> &first_block);
 #if HAS_MBEDTLS
     int hash_andor_sign(elf_file *elf, block *new_block, const public_t public_key, const private_t private_key, bool hash_value, bool sign, bool clear_sram = false);
+    void encrypt_guts(elf_file *elf, block *new_block, const aes_key_t aes_key, std::vector<uint8_t> &iv_data, std::vector<uint8_t> &enc_data);
     int encrypt(elf_file *elf, block *new_block, const aes_key_t aes_key, const public_t public_key, const private_t private_key, bool hash_value, bool sign);
 #endif
 

enc_bootloader.cpp

@@ -0,0 +1,39 @@
+
+#include <algorithm>
+#include <memory>
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "enc_bootloader.h"
+#include "enc_bootloader_elf.h"
+
+#include "data_locs.h"
+
+#include "whereami++.h"
+
+
+std::shared_ptr<std::iostream> get_enc_bootloader() {
+    // search same directory as executable
+    whereami::whereami_path_t executablePath = whereami::getExecutablePath();
+    std::string local_loc = executablePath.dirname() + "/";
+    if (std::find(data_locs.begin(), data_locs.end(), local_loc) == data_locs.end()) {
+        data_locs.insert(data_locs.begin(), local_loc);
+    }
+
+    for (auto loc : data_locs) {
+        std::string filename = loc + "enc_bootloader.elf";
+        std::ifstream i(filename);
+        if (i.good()) {
+            printf("Picking file %s\n", filename.c_str());
+            auto file = std::make_shared<std::fstream>(filename, std::ios::in|std::ios::binary);
+            return file;
+        }
+    }
+
+    // fall back to embedded enc_bootloader.elf file
+    printf("Could not find enc_bootloader.elf file - using embedded binary\n");
+    auto tmp = std::make_shared<std::stringstream>();
+    tmp->write(reinterpret_cast<const char*>(enc_bootloader_elf), enc_bootloader_elf_SIZE);
+    return tmp;
+}

enc_bootloader.h

@@ -0,0 +1,12 @@
+/*
+ * Copyright (c) 2020 Raspberry Pi (Trading) Ltd.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#pragma once
+
+#include <memory>
+#include <fstream>
+
+std::shared_ptr<std::iostream> get_enc_bootloader();

enc_bootloader/BUILD.bazel

@@ -0,0 +1,18 @@
+package(default_visibility = ["//visibility:public"])
+
+filegroup(
+    name = "enc_bootloader_prebuilt",
+    srcs = ["enc_bootloader.elf"],
+)
+
+# TODO: Make this work.
+cc_library(
+    name = "enc_bootloader",
+    srcs = ["enc_bootloader.c"],
+    tags = ["manual"],
+    deps = [
+        "//:enc_bootloader",
+        "@pico-sdk//src/rp2_common/pico_stdlib",
+        "@pico-sdk//src/rp2_common/pico_rand",
+    ],
+)

enc_bootloader/CMakeLists.txt

@@ -0,0 +1,55 @@
+cmake_minimum_required(VERSION 3.12)
+
+if (NOT USE_PRECOMPILED)
+    set(PICO_PLATFORM rp2350-arm-s)
+    
+    set(PICO_NO_PICOTOOL 1)
+
+    # If the user set these environment variables to influence the picotool
+    # build, unset them here so that they do not influence the pico-sdk
+    # build. This is especially required for flags that are not supported
+    # by arm-none-eabi compilers.
+    unset(ENV{CFLAGS})
+    unset(ENV{CXXFLAGS})
+    unset(ENV{LDFLAGS})
+
+    # Pull in SDK (must be before project)
+    include(${PICO_SDK_PATH}/external/pico_sdk_import.cmake)
+
+    project(enc_bootloader C CXX ASM)
+    set(CMAKE_C_STANDARD 11)
+    set(CMAKE_CXX_STANDARD 17)
+
+    if (PICO_SDK_VERSION_STRING VERSION_LESS "2.0.0")
+        message(FATAL_ERROR "Raspberry Pi Pico SDK version 2.0.0 (or later) required. Your version is ${PICO_SDK_VERSION_STRING}")
+    endif()
+
+    # Initialize the SDK
+    pico_sdk_init()
+
+    # Encrypted Bootloader
+    add_executable(enc_bootloader
+        enc_bootloader.c
+        aes.S
+    )
+
+    target_link_libraries(enc_bootloader
+        pico_stdlib
+        pico_rand
+    )
+
+    pico_set_binary_type(enc_bootloader no_flash)
+    # create linker script to run from 0x20070000
+    file(READ ${PICO_LINKER_SCRIPT_PATH}/memmap_no_flash.ld LINKER_SCRIPT)
+    string(REPLACE "RAM(rwx) : ORIGIN =  0x20000000, LENGTH = 512k" "RAM(rwx) : ORIGIN =  0x20078000, LENGTH = 32k" LINKER_SCRIPT "${LINKER_SCRIPT}")
+    file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/memmap_enc_bootloader.ld "${LINKER_SCRIPT}")
+    pico_set_linker_script(enc_bootloader ${CMAKE_CURRENT_BINARY_DIR}/memmap_enc_bootloader.ld)
+else()
+    project(enc_bootloader C CXX ASM)
+    message("Using precompiled enc_bootloader.elf")
+    configure_file(${CMAKE_CURRENT_LIST_DIR}/enc_bootloader.elf ${CMAKE_CURRENT_BINARY_DIR}/enc_bootloader.elf COPYONLY)
+    # Use manually specified variables
+    set(NULL ${CMAKE_MAKE_PROGRAM})
+    set(NULL ${PICO_SDK_PATH})
+    set(NULL ${PICO_DEBUG_INFO_IN_RELEASE})
+endif()