stm32/mboot: Verify signature of fsload packed DFU files before writing.

When verifying the DFU contents, the signature of signed/encrypted files is
now also checked during this initial, dry-run stage.
Andrew Leech 2021-06-17 12:51:37 +10:00 committed by Damien George
parent 80055c2cdc
commit bc856a1e29
5 changed files with 20 additions and 15 deletions


@ -151,13 +151,11 @@ static int fsload_program_file(bool write_to_flash) {
if (res != l) {
return -MBOOT_ERRNO_DFU_READ_ERROR;
}
if (write_to_flash) {
res = do_write(elem_addr, buf, l);
if (res != 0) {
return res;
}
elem_addr += l;
res = do_write(elem_addr, buf, l, !write_to_flash);
if (res != 0) {
return res;
}
elem_addr += l;
s -= l;
}
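Review bot: The new `do_write(elem_addr, buf, l, !write_to_flash)` call hides the verify-only mode behind a negated flag, and nothing at the call site says what a dry run actually checks; a comment would help the next reader, e.g. `// Verify pass (write_to_flash == false): do_write runs with dry_run set, so packed chunks are still signature-checked but nothing is programmed into flash.` Note that `elem_addr` still advances on the dry run, so both passes walk the same address sequence. The loop containing this call starts and ends outside the hunk.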


@ -715,11 +715,15 @@ void do_read(mboot_addr_t addr, size_t len, uint8_t *buf) {
#endif
}
int do_write(uint32_t addr, const uint8_t *src8, size_t len) {
int do_write(uint32_t addr, const uint8_t *src8, size_t len, bool dry_run) {
#if MBOOT_ENABLE_PACKING
return mboot_pack_write(addr, src8, len);
return mboot_pack_write(addr, src8, len, dry_run);
#else
return hw_write(addr, src8, len);
if (dry_run) {
return 0;
} else {
return hw_write(addr, src8, len);
}
#endif
}
@ -844,7 +848,7 @@ void i2c_slave_process_rx_end(i2c_slave_t *i2c) {
// Mark the 2 lower bits to indicate invalid app firmware
buf[1] |= APP_VALIDITY_BITS;
}
int ret = do_write(i2c_obj.cmd_wraddr, buf + 1, len);
int ret = do_write(i2c_obj.cmd_wraddr, buf + 1, len, false);
if (ret < 0) {
len = ret;
} else {
@ -866,7 +870,7 @@ void i2c_slave_process_rx_end(i2c_slave_t *i2c) {
len = -1;
} else {
buf &= ~APP_VALIDITY_BITS;
int ret = do_write(APPLICATION_ADDR, (void*)&buf, 4);
int ret = do_write(APPLICATION_ADDR, (void*)&buf, 4, false);
if (ret < 0) {
len = ret;
} else {
@ -940,7 +944,7 @@ static int dfu_process_dnload(void) {
} else if (dfu_context.wBlockNum > 1) {
// write data to memory
uint32_t addr = (dfu_context.wBlockNum - 2) * DFU_XFER_SIZE + dfu_context.addr;
ret = do_write(addr, dfu_context.buf, dfu_context.wLength);
ret = do_write(addr, dfu_context.buf, dfu_context.wLength, false);
}
if (ret == 0) {
return DFU_STATE_DNLOAD_IDLE;
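Review bot: In the `#else` branch of do_write, `if (dry_run) { return 0; }` turns the verify pass into a no-op for builds without MBOOT_ENABLE_PACKING: it reports success without any of the address-range or alignment checks that hw_write may perform, so a DFU file whose elements fall outside flash would pass verification and only fail once writing has started. If hw_write does such checks (its body is not on this page), consider factoring them out so the dry run can run them too, or at least document the limitation with `// dry_run: nothing is validated for unpacked firmware; the write pass can still fail.` The `else` after `return 0;` is redundant; `return dry_run ? 0 : hw_write(addr, src8, len);` reads more directly. The remaining hunks in this file only pass `dry_run = false` and keep the previous behaviour.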


@ -113,7 +113,7 @@ int hw_write(uint32_t addr, const uint8_t *src8, size_t len);
int do_page_erase(uint32_t addr, uint32_t *next_addr);
void do_read(mboot_addr_t addr, size_t len, uint8_t *buf);
int do_write(uint32_t addr, const uint8_t *src8, size_t len);
int do_write(uint32_t addr, const uint8_t *src8, size_t len, bool dry_run);
const uint8_t *elem_search(const uint8_t *elem, uint8_t elem_id);
int fsload_process(void);
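Review bot: The do_write prototype gains a `bool dry_run` parameter with no comment stating its contract, and the same applies to the mboot_pack_write declaration in mboot_pack.h. Suggest a comment above the declaration, e.g. `// dry_run: if true nothing is written; packed chunks are still signature-checked (see mboot_pack_write), unpacked writes are simply skipped.` Also confirm that this header includes <stdbool.h> (or a header that does), since `bool` now appears in a prototype; the include block is not in view.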


@ -206,7 +206,7 @@ static int mboot_pack_handle_firmware(void) {
}
}
int mboot_pack_write(uint32_t addr, const uint8_t *src8, size_t len) {
int mboot_pack_write(uint32_t addr, const uint8_t *src8, size_t len, bool dry_run) {
if (addr == APPLICATION_ADDR) {
// Base address of main firmware, reset any previous state
firmware_chunk_base_addr = 0;
@ -274,6 +274,9 @@ int mboot_pack_write(uint32_t addr, const uint8_t *src8, size_t len) {
}
// Signature passed, we have valid chunk.
if (dry_run) {
return 0;
}
if (firmware_chunk_buf.header.format == MBOOT_PACK_CHUNK_META) {
// Ignore META chunks.
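Review bot: The early `if (dry_run) { return 0; }` sits immediately after the signature check, so everything mboot_pack_write does after this point — chunk-format handling and any address bookkeeping tied to the `firmware_chunk_base_addr` state reset at the top of the function — is skipped by the verify pass and only exercised during the real write. That is presumably intended, but it means a failure in those later stages will first surface mid-write rather than during verification; a comment making the scope explicit would help, e.g. `// Dry run: signature verified; skip the remaining processing, including the flash write.` The body of mboot_pack_write continues beyond the hunk.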


@ -75,7 +75,7 @@ extern const uint8_t mboot_pack_secretbox_key[hydro_secretbox_KEYBYTES];
// Implementation
void mboot_pack_init(void);
int mboot_pack_write(uint32_t addr, const uint8_t *src8, size_t len);
int mboot_pack_write(uint32_t addr, const uint8_t *src8, size_t len, bool dry_run);
#endif // MBOOT_ENABLE_PACKING