Merged
18 changes: 12 additions & 6 deletions hal/stm32_tz.c
@@ -301,11 +301,18 @@ void hal_tz_sau_init(void)
sau_init_region(0, WOLFBOOT_NSC_ADDRESS,
WOLFBOOT_NSC_ADDRESS + WOLFBOOT_NSC_SIZE - 1, 1);

/* Secure: application flash area (first bank) */
sau_init_region(1, WOLFBOOT_PARTITION_BOOT_ADDRESS, FLASH_BANK2_BASE - 1, 0);

/* Secure: application flash area (second bank) */
sau_init_region(2, WOLFBOOT_PARTITION_UPDATE_ADDRESS, FLASH_TOP, 0);
/* Non-secure flash alias (entire NS flash window) */
sau_init_region(1, 0x08000000, FLASH_TOP, 0);

/* Secure: update partition in secure alias (use matching FLASH_TOP base) */
uint32_t flash_top_secure = FLASH_TOP;
if ((WOLFBOOT_PARTITION_UPDATE_ADDRESS & 0xFF000000u) !=
(FLASH_TOP & 0xFF000000u)) {
flash_top_secure =
(WOLFBOOT_PARTITION_UPDATE_ADDRESS & 0xFF000000u) |
(FLASH_TOP & 0x00FFFFFFu);
}
sau_init_region(2, WOLFBOOT_PARTITION_UPDATE_ADDRESS, flash_top_secure, 1);

/* Secure RAM regions in SRAM1/SRAM2 */
sau_init_region(3, 0x30000000, 0x3004FFFF, 1);
@@ -435,4 +442,3 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len)
}

#endif
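Review bot: Regions 1 and 2 can overlap in the new code: when `WOLFBOOT_PARTITION_UPDATE_ADDRESS` has the same top byte as `FLASH_TOP` the `if` is skipped, and region 2 then ends at `FLASH_TOP`, inside region 1, which now spans `0x08000000`..`FLASH_TOP`. On ARMv8-M an address that matches more than one SAU region is attributed Secure and not NSC, so in that configuration neither call's last argument decides the attribute of the update partition. Region 1 also now starts below `WOLFBOOT_PARTITION_BOOT_ADDRESS`, so the flash in front of the boot partition gets the region-1 attribute; if that range holds the bootloader, the comment should name what else keeps it out of non-secure reach (presumably the flash security watermarks, which are not visible here). I would add a comment above region 2 such as `/* must not overlap region 1: an address in two SAU regions is attributed Secure, non-NSC */` and give `0x08000000`, `0xFF000000u` and `0x00FFFFFFu` names. `hal_tz_sau_init` starts and ends outside the hunk, and the meaning of the last argument of `sau_init_region` is not shown here.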

245 changes: 144 additions & 101 deletions include/image.h
@@ -419,15 +419,27 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
asm volatile("ldr r2, [%0]" ::"r"(p_res)); \
asm volatile("cmp r2, #1":::"cc"); \
asm volatile("bne nope"); \
asm volatile("mvn r3, r2":::"r3"); \
asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \
asm volatile("bne nope"); \
asm volatile("ldr r2, [%0]" ::"r"(p_res)); \
asm volatile("cmp r2, #1":::"cc"); \
asm volatile("bne nope"); \
asm volatile("mvn r3, r2":::"r3"); \
asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \
asm volatile("bne nope"); \
asm volatile("ldr r2, [%0]" ::"r"(p_res)); \
asm volatile("cmp r2, #1":::"cc"); \
asm volatile("bne nope"); \
asm volatile("mvn r3, r2":::"r3"); \
asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \
asm volatile("bne nope"); \
asm volatile("ldr r2, [%0]" ::"r"(p_res)); \
asm volatile("cmp r2, #1":::"cc"); \
asm volatile("bne nope"); \
asm volatile("mvn r3, r2":::"r3"); \
asm volatile("cmp r3, #0xFFFFFFFE":::"cc"); \
asm volatile("bne nope"); \
/* Confirm that the signature is OK */ \
wolfBoot_image_confirm_signature_ok(img); \
asm volatile("nope:"); \
@@ -460,15 +472,27 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
"ldr r2, [%0]\n" \
"cmp r2, #1\n" \
"bne 1f\n" \
"mvn r3, r2\n" \
"cmp r3, #0xFFFFFFFE\n" \
"bne 1f\n" \
"ldr r2, [%0]\n" \
"cmp r2, #1\n" \
"bne 1f\n" \
"mvn r3, r2\n" \
"cmp r3, #0xFFFFFFFE\n" \
"bne 1f\n" \
"ldr r2, [%0]\n" \
"cmp r2, #1\n" \
"bne 1f\n" \
"mvn r3, r2\n" \
"cmp r3, #0xFFFFFFFE\n" \
"bne 1f\n" \
"ldr r2, [%0]\n" \
"cmp r2, #1\n" \
"bne 1f\n" \
"mvn r3, r2\n" \
"cmp r3, #0xFFFFFFFE\n" \
"bne 1f\n" \
/* Load 'img' into r0 (first argument to the function) */ \
"mov r0, %1\n" \
/* Load the function pointer into r3 */ \
@@ -480,7 +504,7 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
"2:\n" \
: /* No output operands */ \
: "r"(p_res), "r"(img), "r"(confirm_func) /* Input operands */ \
: "r0", "r2", "lr" /* Clobbered registers */ \
: "r0", "r2", "r3", "lr" /* Clobbered registers */ \
); \
} while (0)
#endif
@@ -507,93 +531,94 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
#if defined(__GNUC__)

#define VERIFY_VERSION_ALLOWED(fb_ok) \
/* Stash the registry values */ \
asm volatile("push {r4, r5, r6, r7}"); \
/* Redundant initialization with 'failure' values */ \
asm volatile("mov r0, #0":::"r0"); \
asm volatile("mov r4, #1":::"r4"); \
asm volatile("mov r5, #0":::"r5"); \
asm volatile("mov r6, #2":::"r6"); \
asm volatile("mov r7, #0":::"r7"); \
asm volatile("mov r0, #0":::"r0"); \
asm volatile("mov r4, #1":::"r4"); \
asm volatile("mov r5, #0":::"r5"); \
asm volatile("mov r6, #2":::"r6"); \
asm volatile("mov r7, #0":::"r7"); \
/* Read the fb_ok flag, jump to end_check \
* if proven fb_ok == 1 */ \
asm volatile("mov r0, %0" ::"r"(fb_ok):"r0"); \
asm volatile("cmp r0, #1":::"cc"); \
asm volatile("bne do_check"); \
asm volatile("cmp r0, #1":::"cc"); \
asm volatile("bne do_check"); \
asm volatile("cmp r0, #1":::"cc"); \
asm volatile("bne do_check"); \
asm volatile("b end_check"); \
/* Do the actual version check: */ \
asm volatile("do_check:"); \
/* Read update versions to reg r5 and r7 */ \
asm volatile("mov r0, #1":::"r0"); \
asm volatile("mov r0, #1":::"r0"); \
asm volatile("mov r0, #1":::"r0"); \
asm volatile("bl wolfBoot_get_image_version"); \
asm volatile("mov r5, r0":::"r5"); \
asm volatile("mov r5, r0":::"r5"); \
asm volatile("mov r5, r0":::"r5"); \
asm volatile("mov r0, #1":::"r0"); \
asm volatile("mov r0, #1":::"r0"); \
asm volatile("mov r0, #1":::"r0"); \
asm volatile("bl wolfBoot_get_image_version"); \
asm volatile("mov r7, r0":::"r7"); \
asm volatile("mov r7, r0":::"r7"); \
asm volatile("mov r7, r0":::"r7"); \
/* Compare r5 and r7, if not equal, something went very wrong, */ \
asm volatile("cmp r5, r7":::"cc"); \
asm volatile("bne ."); \
asm volatile("cmp r5, r7":::"cc"); \
asm volatile("bne .-4"); \
asm volatile("cmp r5, r7":::"cc"); \
asm volatile("bne .-8"); \
asm volatile("cmp r5, r7":::"cc"); \
asm volatile("bne .-12"); \
/* Read current versions to reg r4 and r6 */ \
asm volatile("mov r0, #0":::"r0"); \
asm volatile("mov r0, #0":::"r0"); \
asm volatile("mov r0, #0":::"r0"); \
asm volatile("bl wolfBoot_get_image_version"); \
asm volatile("mov r4, r0":::"r4"); \
asm volatile("mov r4, r0":::"r4"); \
asm volatile("mov r4, r0":::"r4"); \
asm volatile("mov r0, #0":::"r0"); \
asm volatile("mov r0, #0":::"r0"); \
asm volatile("mov r0, #0":::"r0"); \
asm volatile("bl wolfBoot_get_image_version"); \
asm volatile("mov r6, r0":::"r6"); \
asm volatile("mov r6, r0":::"r6"); \
asm volatile("mov r6, r0":::"r6"); \
asm volatile("cmp r4, r6":::"cc"); \
asm volatile("bne ."); \
asm volatile("cmp r4, r6":::"cc"); \
asm volatile("bne .-4"); \
asm volatile("cmp r4, r6":::"cc"); \
asm volatile("bne .-8"); \
asm volatile("cmp r4, r6":::"cc"); \
asm volatile("bne .-12"); \
asm volatile("mov r0, #0":::"r0"); \
asm volatile("mov r0, #0":::"r0"); \
asm volatile("mov r0, #0":::"r0"); \
/* Compare the two versions in registries */ \
asm volatile("cmp r4, r5":::"cc"); \
asm volatile("bge ."); \
asm volatile("cmp r6, r7":::"cc"); \
asm volatile("bge .-4"); \
asm volatile("cmp r4, r5":::"cc"); \
asm volatile("bge .-8"); \
asm volatile("cmp r6, r7":::"cc"); \
asm volatile("bge .-12"); \
asm volatile("end_check:"); \
/* Restore previously saved registry values */ \
asm volatile("pop {r4, r5, r6, r7}":::"r4", "r5", "r6", "r7")
asm volatile( \
"push {r4, r5, r6, r7}\n" \
"mov r0, #0\n" \
"mov r4, #1\n" \
"mov r5, #0\n" \
"mov r6, #2\n" \
"mov r7, #0\n" \
"mov r0, #0\n" \
"mov r4, #1\n" \
"mov r5, #0\n" \
"mov r6, #2\n" \
"mov r7, #0\n" \
"mov r0, %0\n" \
"mov r4, %0\n" \
"cmp r0, #1\n" \
"bne do_check\n" \
"cmp r4, #1\n" \
"bne do_check\n" \
"cmp r0, r4\n" \
"bne do_check\n" \
"cmp r0, #1\n" \
"bne do_check\n" \
"b end_check\n" \
"do_check:\n" \
"mov r0, #1\n" \
"mov r0, #1\n" \
"mov r0, #1\n" \
"bl wolfBoot_get_image_version\n" \
"mov r5, r0\n" \
"mov r5, r0\n" \
"mov r5, r0\n" \
"mov r0, #1\n" \
"mov r0, #1\n" \
"mov r0, #1\n" \
"bl wolfBoot_get_image_version\n" \
"mov r7, r0\n" \
"mov r7, r0\n" \
"mov r7, r0\n" \
"cmp r5, r7\n" \
"bne ver_panic\n" \
"cmp r5, r7\n" \
"bne ver_panic\n" \
"cmp r5, r7\n" \
"bne ver_panic\n" \
"cmp r5, r7\n" \
"bne ver_panic\n" \
"mov r0, #0\n" \
"mov r0, #0\n" \
"mov r0, #0\n" \
"bl wolfBoot_get_image_version\n" \
"mov r4, r0\n" \
"mov r4, r0\n" \
"mov r4, r0\n" \
"mov r0, #0\n" \
"mov r0, #0\n" \
"mov r0, #0\n" \
"bl wolfBoot_get_image_version\n" \
"mov r6, r0\n" \
"mov r6, r0\n" \
"mov r6, r0\n" \
"cmp r4, r6\n" \
"bne ver_panic\n" \
"cmp r4, r6\n" \
"bne ver_panic\n" \
"cmp r4, r6\n" \
"bne ver_panic\n" \
"cmp r4, r6\n" \
"bne ver_panic\n" \
"mov r0, #0\n" \
"mov r0, #0\n" \
"mov r0, #0\n" \
"cmp r4, r5\n" \
"bhs ver_panic\n" \
"cmp r6, r7\n" \
"bhs ver_panic\n" \
"cmp r4, r5\n" \
"bhs ver_panic\n" \
"cmp r6, r7\n" \
"bhs ver_panic\n" \
"b end_check\n" \
"ver_panic:\n" \
"b .\n" \
"end_check:\n" \
"pop {r4, r5, r6, r7}\n" \
: \
: "r"(fb_ok) \
: "r0", "r4", "r5", "r6", "r7", "lr", "cc", "memory" \
)

#elif defined(__ICCARM__) && defined(__IAR_SYSTEMS_ICC__)

@@ -612,10 +637,25 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
"mov r6, #2\n" \
"mov r7, #0\n" \
"mov r0, %0\n" \
"mov r4, %0\n" \
"cmp r0, #0\n" \
"beq 4f\n" \
"cmp r0, #1\n" \
"bne 1f\n" \
"beq 4f\n" \
"bkpt 0xE1\n" \
"4:\n" \
"cmp r4, #0\n" \
"beq 5f\n" \
"cmp r4, #1\n" \
"beq 5f\n" \
"bkpt 0xE1\n" \
"5:\n" \
"cmp r0, #1\n" \
"bne 1f\n" \
"cmp r4, #1\n" \
"bne 1f\n" \
"cmp r0, r4\n" \
"bne 1f\n" \
"cmp r0, #1\n" \
"bne 1f\n" \
"b 2f\n" \
@@ -635,13 +675,13 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
"mov r7, r0\n" \
"mov r7, r0\n" \
"cmp r5, r7\n" \
"bne .\n" \
"bne 3f\n" \
"cmp r5, r7\n" \
"bne .-4\n" \
"bne 3f\n" \
"cmp r5, r7\n" \
"bne .-8\n" \
"bne 3f\n" \
"cmp r5, r7\n" \
"bne .-12\n" \
"bne 3f\n" \
"mov r0, #0\n" \
"mov r0, #0\n" \
"mov r0, #0\n" \
@@ -657,24 +697,27 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
"mov r6, r0\n" \
"mov r6, r0\n" \
"cmp r4, r6\n" \
"bne .\n" \
"bne 3f\n" \
"cmp r4, r6\n" \
"bne .-4\n" \
"bne 3f\n" \
"cmp r4, r6\n" \
"bne .-8\n" \
"bne 3f\n" \
"cmp r4, r6\n" \
"bne .-12\n" \
"bne 3f\n" \
"mov r0, #0\n" \
"mov r0, #0\n" \
"mov r0, #0\n" \
"cmp r4, r5\n" \
"bge .\n" \
"bhs 3f\n" \
"cmp r6, r7\n" \
"bge .-4\n" \
"bhs 3f\n" \
"cmp r4, r5\n" \
"bge .-8\n" \
"bhs 3f\n" \
"cmp r6, r7\n" \
"bge .-12\n" \
"bhs 3f\n" \
"b 2f\n" \
"3:\n" \
"b .\n" \
"2:\n" \
"pop {r4, r5, r6, r7}\n" \
: /* No output operands */ \
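Review bot: The clobber list of the rewritten GCC `VERIFY_VERSION_ALLOWED` block omits `r1`, `r2`, `r3` and `r12`, which the four `bl wolfBoot_get_image_version` calls may overwrite under the AAPCS, so the compiler is free to keep a live value in one of them across the macro. The list should read `: "r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7", "r12", "lr", "cc", "memory"`; the `-480,7 +504,7` hunk adds `"r3"` to a list that likewise lacks `r1` and `r12`, and if the hidden lines of that block call `confirm_func` the same applies there. The block also uses the named labels `do_check`, `ver_panic` and `end_check`, which collide if the macro is expanded twice in one translation unit, whereas the variant in the later hunks uses numeric local labels (`1f`, `2f`, `3f`). The rewrite drops the step comments the separate-statement version carried; a short comment above the block saying that `ver_panic:` is a deliberate endless loop and that every compare is repeated on purpose would keep a later cleanup from removing the redundancy. The end of the second variant, including its clobber list, lies outside the visible lines.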