Added ENCRYPT_CACHE= config option

danielinux · danielinux · commit 3dc152cf1d39 · 2025-02-12T10:48:23.000+01:00
diff --git a/docs/encrypted_partitions.md b/docs/encrypted_partitions.md
@@ -179,6 +179,13 @@ as template. The file `hal/stm32l0_chacha_ram.ld` contains the changes described
 all the needed symbols in RAM.
 
 
+### Using a custom buffer as encrypt/decrypt cache
+
+By default, encryption support requires a buffer of the same size as the external flash page size to be allocated in RAM.
+You can provide a custom pre-allocated buffer by passing its address via the option `ENCRYPT_CACHE`, e.g.:
+
+`ENCRYPT_CACHE=0x20010000`
+
 ### API usage in the application
 
 When transferring the image, the application can still use the libwolfboot API functions to store the encrypted firmware. When called from the application,
diff --git a/options.mk b/options.mk
@@ -766,6 +766,14 @@ ifeq ($(RAM_CODE),1)
   endif
 endif
 
+# Support external encryption cache
+#
+ifeq ($(ENCRYPT),1)
+  ifeq ($(ENCRYPT_CACHE),1)
+	CFLAGS+=-D"WOLFBOOT_ENCRYPT_CACHE=$(ENCRYPT_CACHE)"
+  endif
+endif
+
 # support for elf32 or elf64 loader
 ifeq ($(ELF),1)
   CFLAGS+=-DWOLFBOOT_ELF
diff --git a/src/libwolfboot.c b/src/libwolfboot.c
@@ -1334,17 +1334,21 @@ int wolfBoot_fallback_is_possible(void)
 
 #ifdef EXT_ENCRYPTED
 #include "encrypt.h"
+
 #if !defined(EXT_FLASH) && !defined(MMU)
-#error option EXT_ENCRYPTED requires EXT_FLASH or MMU mode
+    #error option EXT_ENCRYPTED requires EXT_FLASH or MMU mode
 #endif
 
-
-#ifdef NVM_FLASH_WRITEONCE
-#define ENCRYPT_CACHE NVM_CACHE
+#ifndef WOLFBOOT_ENCRYPT_CACHE
+    #ifdef NVM_FLASH_WRITEONCE
+        #define ENCRYPT_CACHE NVM_CACHE
+    #else
+        #ifdef WOLFBOOT_SMALL_STACK
+        static uint8_t ENCRYPT_CACHE[NVM_CACHE_SIZE] __attribute__((aligned(32)));
+        #endif
+    #endif
 #else
-#ifdef WOLFBOOT_SMALL_STACK
-static uint8_t ENCRYPT_CACHE[NVM_CACHE_SIZE] __attribute__((aligned(32)));
-#endif
+    #define ENCRYPT_CACHE (WOLFBOOT_ENCRYPT_CACHE)
 #endif
 
 #if defined(EXT_ENCRYPTED) && defined(MMU)
@@ -1358,7 +1362,7 @@ static int RAMFUNCTION hal_set_key(const uint8_t *k, const uint8_t *nonce)
     int sel_sec = 0;
     uint32_t trailer_relative_off = 4;
 
-#if !defined(WOLFBOOT_SMALL_STACK) && !defined(NVM_FLASH_WRITEONCE)
+#if !defined(WOLFBOOT_SMALL_STACK) && !defined(NVM_FLASH_WRITEONCE) && !defined(WOLFBOOT_ENCRYPT_CACHE)
     uint8_t ENCRYPT_CACHE[NVM_CACHE_SIZE] __attribute__((aligned(32)));
 #endif
 
diff --git a/tools/config.mk b/tools/config.mk
@@ -111,4 +111,5 @@ CONFIG_VARS:= ARCH TARGET SIGN HASH MCUXSDK MCUXPRESSO MCUXPRESSO_CPU MCUXPRESSO
 	NO_ARM_ASM \
 	SIGN_SECONDARY \
 	WOLFHSM_CLIENT \
-	WOLFHSM_CLIENT_LOCAL_KEYS
+	WOLFHSM_CLIENT_LOCAL_KEYS \
+	ENCRYPT_CACHE
