sync with upstream

gojimmypi · gojimmypi · commit 2e28ca9af726 · 2025-11-13T13:47:53.000-08:00
diff --git a/.github/workflows/test-sunnyday-simulator.yml b/.github/workflows/test-sunnyday-simulator.yml
@@ -90,6 +90,26 @@ jobs:
         run: |
           tools/scripts/sim-sunnyday-update.sh
 
+      - name: Cleanup before dualbank simulator test
+        run: |
+          make keysclean
+
+      - name: Build wolfboot.elf (dualbank simulator)
+        run: |
+          make clean
+          mv .config .config.orig
+          cp config/examples/sim-dualbank.config .config
+          make test-sim-internal-flash-with-update
+
+      - name: Run dualbank swap simulation
+        run: |
+          tools/scripts/sim-dualbank-swap-update.sh
+      
+      - name: Cleanup before WOLFBOOT_SMALL_STACK test
+        run: |
+          make keysclean
+          mv .config.orig .config
+      
       - name: Build wolfboot.elf (ECC256, WOLFBOOT_SMALL_STACK)
         run: |
           make clean && make test-sim-internal-flash-with-update SIGN=ECC256 WOLFBOOT_SMALL_STACK=1 SPMATH=1
diff --git a/config/examples/sim-dualbank.config b/config/examples/sim-dualbank.config
@@ -0,0 +1,18 @@
+ARCH=sim
+TARGET=sim
+SIGN?=ED25519
+HASH?=SHA256
+WOLFBOOT_SMALL_STACK?=0
+SPI_FLASH=0
+DEBUG=1
+DUALBANK_SWAP=1
+
+# sizes should be multiple of system page size
+WOLFBOOT_PARTITION_SIZE=0x40000
+WOLFBOOT_SECTOR_SIZE=0x1000
+WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x100000
+WOLFBOOT_PARTITION_SWAP_ADDRESS=0x180000
+
+# required for keytools
+WOLFBOOT_FIXED_PARTITIONS=1
diff --git a/docs/Signing.md b/docs/Signing.md
@@ -31,6 +31,7 @@ The following options are supported:
 - `--der` save generated private key in DER format.
 - `--exportpubkey` to export the public key (corresponding to the private key generated with `-g`) to a DER file. This option only has an effect if used in conjunction with the `-g` option.
 - `--nolocalkeys` to generate a keystore entry with zeroized key material. This option is only useful on platforms that support using an external key by reference, such as wolfHSM. Only has an effect if used in conjunction with the `-g` option.
+- `--no-overwrite` to avoid prompt warning that keyfiles files already exist. This option ensures existing files are not overwritten.
 
 Arguments are not exclusive, and can be repeated more than once to populate a keystore with multiple keys.
 
@@ -185,7 +186,7 @@ Options:
     By default, the sign tool appends the sha of the base image to the manifest header,
     so wolfBoot will refuse to start a delta update if the sha does not match the
     one of the existing image. However, this takes up 32 to 48 bytes extra in the
-    manifest header, so this option is available to provide compatibility on 
+    manifest header, so this option is available to provide compatibility on
     existing installations without this feature, where the header size does not
     allow to accommodate the field
 
diff --git a/hal/sim.c b/hal/sim.c
@@ -73,6 +73,15 @@ int extFlashLocked = 1;
 #define INTERNAL_FLASH_FILE "./internal_flash.dd"
 #define EXTERNAL_FLASH_FILE "./external_flash.dd"
 
+#ifdef DUALBANK_SWAP
+#define SIM_REGISTER_FILE "./sim_registers.dd"
+#define SIM_FLASH_OPTR_SWAP_BANK (1U << 20)
+static uint32_t sim_flash_optr;
+static void sim_dualbank_register_load(void);
+static void sim_dualbank_register_store(void);
+uint32_t hal_sim_get_dualbank_state(void);
+#endif
+
 /* global used to store command line arguments to forward to the test
  * application */
 char **main_argv;
@@ -224,6 +233,57 @@ static int mmap_file(const char *path, uint8_t *address, uint8_t** ret_address)
     return 0;
 }
 
+#ifdef DUALBANK_SWAP
+static void sim_dualbank_register_store(void)
+{
+    int fd = open(SIM_REGISTER_FILE, O_RDWR | O_CREAT, 0644);
+    if (fd == -1) {
+        wolfBoot_printf("Failed to open %s: %s\n", SIM_REGISTER_FILE, strerror(errno));
+        return;
+    }
+
+    if (pwrite(fd, &sim_flash_optr, sizeof(sim_flash_optr), 0) !=
+            (ssize_t)sizeof(sim_flash_optr)) {
+        wolfBoot_printf("Failed to store dualbank swap state: %s\n",
+            strerror(errno));
+    }
+
+    close(fd);
+}
+
+static void sim_dualbank_register_load(void)
+{
+    int fd = open(SIM_REGISTER_FILE, O_RDWR | O_CREAT, 0644);
+    uint32_t value = 0;
+    int rd;
+    if (fd == -1) {
+        wolfBoot_printf("Failed to open %s: %s\n", SIM_REGISTER_FILE,
+            strerror(errno));
+        exit(-1);
+    }
+
+    rd = pread(fd, &value, sizeof(value), 0);
+
+    if (rd == (int)sizeof(value)) {
+        sim_flash_optr = value;
+    } else {
+        sim_flash_optr = 0;
+        if (pwrite(fd, &sim_flash_optr, sizeof(sim_flash_optr), 0) !=
+                sizeof(sim_flash_optr)) {
+            wolfBoot_printf("Failed to initialize dualbank swap state: %s\n",
+                strerror(errno));
+        }
+    }
+
+    close(fd);
+}
+
+uint32_t hal_sim_get_dualbank_state(void)
+{
+    return (sim_flash_optr & SIM_FLASH_OPTR_SWAP_BANK) ? 1U : 0U;
+}
+#endif
+
 void hal_flash_unlock(void)
 {
     flashLocked = 0;
@@ -234,6 +294,46 @@ void hal_flash_lock(void)
     flashLocked = 1;
 }
 
+#ifdef DUALBANK_SWAP
+void hal_flash_dualbank_swap(void)
+{
+    uint8_t *boot = (uint8_t *)WOLFBOOT_PARTITION_BOOT_ADDRESS;
+    uint8_t *update = (uint8_t *)WOLFBOOT_PARTITION_UPDATE_ADDRESS;
+    uint8_t *buffer;
+    int was_locked = flashLocked;
+
+    buffer = (uint8_t *)malloc(WOLFBOOT_PARTITION_SIZE);
+    if (buffer == NULL) {
+        wolfBoot_printf("Simulator dualbank swap failed: out of memory\n");
+        exit(-1);
+    }
+
+    if (was_locked)
+        hal_flash_unlock();
+
+    memcpy(buffer, boot, WOLFBOOT_PARTITION_SIZE);
+    memcpy(boot, update, WOLFBOOT_PARTITION_SIZE);
+    memcpy(update, buffer, WOLFBOOT_PARTITION_SIZE);
+
+    if (msync(boot, WOLFBOOT_PARTITION_SIZE, MS_SYNC) != 0) {
+        wolfBoot_printf("msync boot partition failed: %s\n", strerror(errno));
+    }
+    if (msync(update, WOLFBOOT_PARTITION_SIZE, MS_SYNC) != 0) {
+        wolfBoot_printf("msync update partition failed: %s\n", strerror(errno));
+    }
+
+    free(buffer);
+
+    sim_flash_optr ^= SIM_FLASH_OPTR_SWAP_BANK;
+    sim_dualbank_register_store();
+    wolfBoot_printf("Simulator dualbank swap complete, register=%u\n",
+        hal_sim_get_dualbank_state());
+
+    if (was_locked)
+        hal_flash_lock();
+}
+#endif
+
 void hal_prepare_boot(void)
 {
     /* no op */
@@ -312,6 +412,10 @@ void hal_init(void)
     }
 #endif /* EXT_FLASH */
 
+#ifdef DUALBANK_SWAP
+    sim_dualbank_register_load();
+#endif
+
     for (i = 1; i < main_argc; i++) {
         if (strcmp(main_argv[i], "powerfail") == 0) {
             erasefail_address = strtol(main_argv[++i], NULL,  16);
@@ -480,6 +584,7 @@ void do_boot(const uint32_t *app_offset)
 #endif
 #endif
 
+#if !defined(WOLFBOOT_DUALBOOT)
 int wolfBoot_fallback_is_possible(void)
 {
     return 0;
@@ -489,6 +594,7 @@ int wolfBoot_dualboot_candidate(void)
 {
     return 0;
 }
+#endif
 
 #ifdef WOLFBOOT_ENABLE_WOLFHSM_CLIENT
 
diff --git a/hal/stm32c0.c b/hal/stm32c0.c
@@ -95,8 +95,8 @@
 #define FLASH_CR_PG                           (1 << 0)  /* RM0490 - 3.7.5 - FLASH_CR */
 #define FLASH_CR_SEC_PROT                     (1 << 28) /* RM0490 - 3.7.5 - FLASH_CR */
 
-#define FLASH_CR_PNB_SHIFT                     3        /* RM0490 - 3.7.5 - FLASH_CR - PNB bits 8:3 */
-#define FLASH_CR_PNB_MASK                      0x3f     /* RM0490 - 3.7.5 - FLASH_CR  - PNB bits 8:3 - 6 bits */
+#define FLASH_CR_PNB_SHIFT                     3        /* RM0490 - 4.7.5 - FLASH_CR - PNB bits 9:3 */
+#define FLASH_CR_PNB_MASK                      0x7f     /* RM0490 - 4.7.5 - FLASH_CR - PNB bits 9:3 - 7 bits */
 
 #define FLASH_SECR_SEC_SIZE_POS               (0U)
 #define FLASH_SECR_SEC_SIZE_MASK              (0xFF)
diff --git a/hal/stm32g0.c b/hal/stm32g0.c
@@ -87,8 +87,8 @@
 #define FLASH_CR_PG                           (1 << 0)  /* RM0444 - 3.7.5 - FLASH_CR */
 #define FLASH_CR_SEC_PROT                     (1 << 28) /* RM0444 - 3.7.5 - FLASH_CR */
 
-#define FLASH_CR_PNB_SHIFT                     3        /* RM0444 - 3.7.5 - FLASH_CR - PNB bits 8:3 */
-#define FLASH_CR_PNB_MASK                      0x3f     /* RM0444 - 3.7.5 - FLASH_CR  - PNB bits 8:3 - 6 bits */
+#define FLASH_CR_PNB_SHIFT                     3        /* RM0444 - 3.7.5 - FLASH_CR - PNB bits 9:3 */
+#define FLASH_CR_PNB_MASK                      0x7f     /* RM0444 - 3.7.5 - FLASH_CR - PNB bits 9:3 - 7 bits */
 
 #define FLASH_SECR_SEC_SIZE_POS               (0U)
 #define FLASH_SECR_SEC_SIZE_MASK              (0xFF)
diff --git a/hal/stm32h5.h b/hal/stm32h5.h
@@ -302,6 +302,10 @@
 #define FLASH_CR_BER                        (1 << 3)
 #define FLASH_CR_FW                         (1 << 4)
 #define FLASH_CR_STRT                       (1 << 5)
+/* Page number selection:
+ * Up to  31 pages: H523/33xx
+ * Up to 127 pages: All others
+ */
 #define FLASH_CR_PNB_SHIFT                  6
 #define FLASH_CR_PNB_MASK                   0x7F
 #define FLASH_CR_MER                        (1 << 15)
diff --git a/hal/stm32l5.h b/hal/stm32l5.h
@@ -203,7 +203,7 @@
 #define FLASH_CR_PER                        (1 << 1)
 #define FLASH_CR_MER1                       (1 << 2)
 #define FLASH_CR_PNB_SHIFT                  3
-#define FLASH_CR_PNB_MASK                   0x7F
+#define FLASH_CR_PNB_MASK                   0x7F /* up to 127 pages */
 #define FLASH_CR_BKER                       (1 << 11)
 #define FLASH_CR_MER2                       (1 << 15)
 #define FLASH_CR_STRT                       (1 << 16)
diff --git a/hal/stm32u5.h b/hal/stm32u5.h
@@ -209,8 +209,13 @@
 #define FLASH_CR_PG                         (1 << 0)
 #define FLASH_CR_PER                        (1 << 1)
 #define FLASH_CR_MER1                       (1 << 2)
+/* Page number selection:
+ * Up to  31 pages: U535/U545
+ * Up to 127 pages: U575/U585
+ * Up to 255 pages: U59x/5Ax/5Fx/5Gx
+ */
 #define FLASH_CR_PNB_SHIFT                  3
-#define FLASH_CR_PNB_MASK                   0x7F
+#define FLASH_CR_PNB_MASK                   0xFF /* support up to 255 pages */
 #define FLASH_CR_BKER                       (1 << 11)
 #define FLASH_CR_MER2                       (1 << 15)
 #define FLASH_CR_STRT                       (1 << 16)
diff --git a/test-app/app_sim.c b/test-app/app_sim.c
@@ -30,6 +30,10 @@
 
 #include "wolfboot/wolfboot.h"
 
+#ifdef DUALBANK_SWAP
+uint32_t hal_sim_get_dualbank_state(void);
+#endif
+
 #ifdef TARGET_sim
 
 /* Matches all keys:
@@ -72,6 +76,12 @@ int do_cmd(const char *cmd)
         wolfBoot_success();
         return 0;
     }
+#ifdef DUALBANK_SWAP
+    if (strcmp(cmd, "get_swap_state") == 0) {
+        printf("%u\n", hal_sim_get_dualbank_state());
+        return 0;
+    }
+#endif
     if (strcmp(cmd, "update_trigger") == 0) {
 #if EXT_ENCRYPTED
         wolfBoot_set_encrypt_key((uint8_t *)enc_key,(uint8_t *)(enc_key +  32));
diff --git a/tools/keytools/keygen.c b/tools/keytools/keygen.c
@@ -112,6 +112,7 @@
 /* Globals */
 static FILE *fpub, *fpub_image;
 static int force = 0;
+static int no_overwrite = 0; /* when set, avoids prompt if !force and files exist */
 #if defined(WOLFBOOT_RENESAS_RSIP) || \
     defined(WOLFBOOT_RENESAS_TSIP) || \
     defined(WOLFBOOT_RENESAS_SCEPROTECT)
@@ -1155,18 +1156,24 @@ static void key_gen_check(const char *kfilename)
     FILE *f;
     f = fopen(kfilename, "rb");
     if (!force && (f != NULL)) {
-        char reply[40];
-        int replySz;
-        printf("** Warning: key file already exists! Are you sure you want to generate a new key and overwrite the existing key? [Type 'Yes']: ");
-        fflush(stdout);
-        replySz = scanf("%s", reply);
-        printf("Reply is [%s]\n", reply);
-        fclose(f);
-        if (replySz < 0 || strcmp(reply, "Yes") != 0) {
-            printf("Operation aborted by user.");
-            exit(5);
-        } else {
-            unlink(kfilename);
+        if (no_overwrite) {
+            printf("** Warning: key file already exists and will not be overwritten!");
+        }
+        else {
+            char reply[40];
+            int replySz;
+            printf("** Warning: key file already exists! Are you sure you want to generate a new key and overwrite the existing key? [Type 'Yes']: ");
+            fflush(stdout);
+            replySz = scanf("%s", reply);
+            printf("Reply is [%s]\n", reply);
+            fclose(f);
+            if (replySz < 0 || strcmp(reply, "Yes") != 0) {
+                printf("Operation aborted by user.");
+                exit(5);
+            }
+            else {
+                unlink(kfilename);
+            }
         }
     }
 }
@@ -1402,6 +1409,9 @@ int main(int argc, char** argv)
         else if (strcmp(argv[i], "--force") == 0) {
             force = 1;
         }
+        else if (strcmp(argv[i], "--no-overwrite") == 0) {
+            no_overwrite = 1;
+        }
         else if (strcmp(argv[i], "--der") == 0) {
             saveAsDer = 1;
         }
@@ -1436,6 +1446,7 @@ int main(int argc, char** argv)
             i++;
             sprintf(pubkeyfile,"%s%s", argv[i], "/keystore.c");
             sprintf(pubkeyimg, "%s%s", argv[i], "/keystore.der");
+            printf("keystore file: %s\n", pubkeyfile);
             i++;
             continue;
         }
@@ -1458,15 +1469,20 @@ int main(int argc, char** argv)
         exit(0);
     fpub = fopen(pubkeyfile, "rb");
     if (!force && (fpub != NULL)) {
+        if (no_overwrite) {
+            printf("** Not overwriting existing keystore file: %s\n", pubkeyfile);
+            exit(0);
+        }
         char reply[40];
         int replySz;
-        printf("** Warning: keystore already exists! Are you sure you want to generate a new key and overwrite the existing key? [Type 'Yes']: ");
+        printf("** Warning: keystore file already exists! %s\n", pubkeyfile);
+        printf("Are you sure you want to generate a new key and overwrite the existing key ? [Type 'Yes'] : ");
         fflush(stdout);
         replySz = scanf("%s", reply);
         printf("Reply is [%s]\n", reply);
         fclose(fpub);
         if (replySz < 0 || strcmp(reply, "Yes") != 0) {
-            printf("Operation aborted by user.");
+            printf("Operation aborted by user.\n");
             exit(5);
         } else {
             unlink(pubkeyfile);
diff --git a/tools/scripts/sim-dualbank-swap-update.sh b/tools/scripts/sim-dualbank-swap-update.sh
