Pull request overview
This PR is a security- and robustness-focused sweep across wolfBoot tooling and update paths, adding constant-time comparisons, zeroization of sensitive material, stricter bounds/validation, and expanding unit-test coverage for regressions and edge cases.
Changes:
- Add zeroization/scrubbing for signing/keygen/encryption-key material and convert several comparisons to constant-time.
- Harden update/self-update/delta flows (bounds checks, error propagation, bootloader flash protection hook).
- Add/extend unit tests for header sizing, encrypted-sign output error handling, PCR digest validation, delta/update edge cases, and keymask/auth-type behavior.
Reviewed changes
Copilot reviewed 39 out of 39 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tools/unit-tests/unit-update-ram.c | Adds an assertion validating the RAM-loaded image size metadata. |
| tools/unit-tests/unit-update-flash.c | Adds self-update tests, auth-type/size edge-case tests, and helpers for image payload construction. |
| tools/unit-tests/unit-update-disk.c | Adds monolithic/self-header config and a regression test for equal-version partition selection. |
| tools/unit-tests/unit-string.c | Adds a Linux-only regression test targeting large-length overlapping memmove. |
| tools/unit-tests/unit-sign-header-size.c | New unit test validating sign-tool manifest header-size enforcement logic. |
| tools/unit-tests/unit-sign-encrypted-output.mkfrag | Adds a source list fragment to build the encrypted-output sign-tool unit test. |
| tools/unit-tests/unit-sign-encrypted-output.c | New unit test exercising sign tool encrypted output error-handling and TLV/header roundtrips. |
| tools/unit-tests/unit-policy-create.c | New unit test covering PCR digest argument validation in policy_create tool. |
| tools/unit-tests/unit-keystore.c | Adjusts keystore slot mask to a restricted “app-only” verify mask for tests. |
| tools/unit-tests/unit-image.c | Adds authenticity tests for mismatched auth type and key mask restrictions. |
| tools/unit-tests/unit-enc-nvm.c | Adds tests ensuring flash write failures propagate for encrypt-key set/erase APIs. |
| tools/unit-tests/unit-delta.c | Adds delta offset-limit test and significantly expands roundtrip/diff/patch edge coverage. |
| tools/unit-tests/Makefile | Adds new unit-test targets and specialized build variants (delta/self-update/sign tests). |
| tools/tpm/policy_create.c | Fixes PCR digest length validation by correctly treating the size as signed for the check. |
| tools/keytools/sign.c | Enforces header-size match, adds header overflow checks, improves error handling, and scrubs key buffers. |
| tools/keytools/Makefile | Links header_size.o into the sign tool build. |
| tools/keytools/keygen.c | Scrubs keygen private buffers (RSA/ECC/EdDSA/ML-DSA) and improves cleanup paths. |
| tools/keytools/header_size.h | New helper API for enforcing manifest header-size alignment with compiled bootloader config. |
| tools/keytools/header_size.c | Implements manifest header-size enforcement helper. |
| tools/delta/bmdiff.c | Adds maximum input size validation to prevent oversized file processing. |
| src/x86/ahci.c | Uses constant-time comparison for TPM-sealed secret verification. |
| src/update_ram.c | Calls hal_flash_protect() before handoff (outside TrustZone) to protect bootloader region. |
| src/update_flash.c | Zeroizes encryption buffers, tightens delta edge-case handling, adds constant-time hash/secret checks, and adjusts total-size type. |
| src/update_flash_hwswap.c | Calls hal_flash_protect() before hal_prepare_boot() to protect bootloader region. |
| src/update_disk.c | Calls hal_flash_protect() before hal_prepare_boot() to protect bootloader region. |
| src/tpm.c | Exposes constant-time compare for TPM use-cases. |
| src/string.c | Fixes memmove backward-copy loop to correctly handle large size_t lengths. |
| src/libwolfboot.c | Improves encrypt-key validity/erased checks, propagates flash errors, and scrubs key/nonce buffers in init paths. |
| src/image.c | Exposes image_CT_compare() (noinline) for constant-time digest comparisons. |
| src/delta.c | Rejects delta match offsets beyond 24-bit limit. |
| options.mk | Enforces WOLFBOOT_SKIP_BOOT_VERIFY prerequisites and warns when DISABLE_BACKUP=1. |
| include/wolfboot/wolfboot.h | Adds compile-time enforcement of WOLFBOOT_SKIP_BOOT_VERIFY prerequisites. |
| include/tpm.h | Declares wolfBoot_constant_compare() when TPM seal/keystore is enabled. |
| include/image.h | Switches RSA/digest verification macros to use image_CT_compare() and adds its prototype. |
| include/hal.h | Adds hal_flash_protect() API to HAL interface. |
| hal/skeleton.c | Documents that hal_flash_protect() is invoked before hal_prepare_boot(). |
| hal/nrf5340.c | Removes duplicated bootloader flash-protect call now handled centrally. |
| hal/hal.c | Provides a weak default hal_flash_protect() implementation (no-op). |
| docs/compile.md | Documents unrecoverable power-loss implications when DISABLE_BACKUP=1. |
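
The two hardening patterns this review summary names, constant-time comparison and scrubbing of key material, shown as an added C example that is not wolfBoot's code. `leaky_compare`, `ct_compare`, `zeroize` and `verify_digest` are hypothetical names, and the `steps` counter is instrumentation added only to show how many bytes each compare examines.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Early-exit compare: the number of bytes examined (counted in *steps)
 * depends on where the first mismatch is, which is what timing leaks. */
static int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 1;
    }
    return 0;
}

/* Constant-time compare: always touches all n bytes and folds differences
 * into one accumulator; returns 0 only when the buffers are identical. */
static int ct_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff;
}

/* Scrub through a volatile pointer so the stores are not removed as dead
 * writes when the buffer is about to go out of scope or be freed. */
static void zeroize(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--)
        *v++ = 0;
}

/* Constructed sample: check a 32-byte digest against a stack copy of the
 * expected value, then scrub the copy before returning on either outcome. */
static int verify_digest(const uint8_t *computed, const uint8_t *expected_src)
{
    uint8_t expected[32];
    size_t steps = 0;
    int ret;
    memcpy(expected, expected_src, sizeof(expected));
    ret = ct_compare(computed, expected, sizeof(expected), &steps) == 0 ? 0 : -1;
    zeroize(expected, sizeof(expected));
    return ret;
}
```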
Fix CI clean-workspace TPM tool builds by making the local keystore object depend on the generated root keystore source. F/CI
Pull request overview
Copilot reviewed 36 out of 36 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (3)
tools/unit-tests/unit-sign-encrypted-output.c:1
- `PATH_MAX` and `errno`/`EACCES` are used later in this file, but the required headers are not included here. This can cause compilation failures on platforms where `PATH_MAX` is not indirectly defined. Add the appropriate includes (`<limits.h>` for `PATH_MAX` and `<errno.h>` for `errno`/`EACCES`).

tools/unit-tests/unit-string.c:1
- This test maps ~2GB+ of virtual address space and will be flaky or fail outright on some 32-bit userspaces (where `SIZE_MAX > INT_MAX` can still be true) or constrained CI environments. Consider restricting it to 64-bit processes (e.g., `UINTPTR_MAX > 0xFFFFFFFF`) and/or gracefully skipping the test when `mmap` fails instead of asserting, so the suite remains reliable across environments.

src/libwolfboot.c:1
- In the non-`MMU`/non-fixed-partitions path, the function returns `ret` before the `#endif`, making the final `return 0;` unreachable in that configuration (and likely generating warnings). Consider using a single `ret` variable across all preprocessor branches and returning once at the end, or moving the `return 0;` into only the branches that need it.
Ensure tmpBuffer is zeroized on the common exit path in wolfBoot_swap_and_final_erase, not only in EXT_ENCRYPTED builds. F/CI
Move wolfBoot_constant_compare out of TPM-only code so AHCI and update paths can use it without TPM feature gating. F/CI
Clear refactored keygen file handles after the normal close so ECC and ML-DSA generation do not hit cleanup-time double fclose. F/CI
Make wolfBoot_zeroize unconditional in update_flash.c so the common final-swap scrub compiles in non-encrypted builds. F/CI
Pull request overview
Copilot reviewed 36 out of 36 changed files in this pull request and generated 5 comments.
Comments suppressed due to low confidence (2)
tools/unit-tests/unit-sign-encrypted-output.c:1
- `PATH_MAX` is used but this file doesn’t include `<limits.h>`, which can cause build failures on platforms/toolchains where `PATH_MAX` is not implicitly available. Add an explicit `#include <limits.h>` (or another portable approach used in the repo) near the other standard includes.

tools/unit-tests/unit-string.c:1
- This test requires mapping >2GiB and will fail (hard) on systems without sufficient virtual memory/overcommit, making CI potentially flaky across environments. Consider turning the `MAP_FAILED` case into a test skip (or gating behind an additional env flag/capability check) rather than asserting, so the suite remains reliable on constrained runners.
Use image_CT_compare directly in the protected RSA_VERIFY_HASH macro so signature confirmation only follows a real digest match. F/CI
Return a consistent failure code on encrypt-key short reads and initialize final-swap ret to 0. F/CI
Fix ML-DSA key generation cleanup in footprint builds and raise the ED448 footprint threshold by 2 bytes to match current output. F/CI
Add src/string.c to TPM unit targets that compile tpm.c inline so wolfBoot_constant_compare resolves after its move out of TPM-only code. F/CI
Restore wolfBoot_constant_compare to TPM-local code and use file-local helpers in update_flash and AHCI instead of a shared cross-module symbol. F/CI
Pull request overview
Copilot reviewed 38 out of 38 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (2)
tools/unit-tests/unit-sign-encrypted-output.c:1
- This file uses `errno` and `EACCES` but does not include `<errno.h>`, which can fail compilation (or at least produce implicit-declaration warnings promoted to errors). Add the missing header include.

tools/unit-tests/unit-sign-encrypted-output.c:1
- `PATH_MAX` is used but there is no include guaranteeing it is defined (commonly `<limits.h>`). Add `<limits.h>` (or otherwise avoid `PATH_MAX`) so this unit test builds portably.
- F/2273 - sign: scrub key buffers before free (1c824539)
- F/2274 - Scrub RSA keygen private material (87d5a7fc)
- F/2275 - Zero ECC keygen private buffers (114140c2)
- F/2276 - Zero EdDSA keygen private data (6f40afae)
- F/2277 - zero ML-DSA private key buffer (32783034)
- F/2258 - Add restricted key mask authenticity tests (8399e3ed)
- F/1892 - Propagate encrypt key flash errors (afef21fe)
- F/1893 - Propagate erase encrypt key write failures (13370613)
- F/1894 - Fix policy_create PCR digest validation (6b8ade6b)
- F/1895 - Fix sign encrypted output open failure (34438999)
- F/1898 - Check image reopen failures in sign tool (5fd09eed)
- F/2247 - Use constant-time RSA hash comparison (9a7930dd)
- F/2255 - Protect bootloader before application boot (f32c275d)
- F/2259 - Add auth type coverage for unit-image (644e70e7)
- F/2260 - Add auth-only invalid update test (ff60286e)
- F/2261 - Add RAM_CODE self-update unit coverage (3659d210)
- F/2262 - Strengthen same-version RAM update test (1353e933)
- F/2266 - Fix sign header TLV overflow sizing (ea6700f1)
- F/2267 - Reject oversized delta source offsets (fefd74e0)
- F/1897 - fix memmove large-length backward copy (7526fd23)
- F/2248 - Use constant-time TPM secret checks (78de4a79)
- F/2249 - Use constant-time encryption key validation (56c46be7)
- F/2252 - Use fixed-length erased-key check (830869c3)
- F/2256 - enforce skip-verify prerequisites (a09babb5)
- F/2264 - Add equal-version update-disk regression test (395202bb)
- F/2268 - Reject valid zero-size delta images (29367f81)
- F/2269 - Fix total size type in update flash (fffd8543)
- F/1888 - zeroize update key material (05823677)
- F/1889 - zero custom encrypt stack buffers (7c1c8631)
- F/1890 - zeroize swap trailer key buffer (a870af20)
- F/1891 - Scrub sign-tool encryption material (3f1906fa)
- F/2253 - Use constant-time delta base hash compare (10035dbc)
- F/2257 - Warn when DISABLE_BACKUP is enabled (13d232c4)
- F/2270 - Add sign/parser roundtrip tests (fb9faffc)
- F/2271 - Add delta roundtrip edge-case coverage (08d39cf4)