Fixes 20260408

CMakeLists.txt

@@ -747,7 +747,20 @@ if(ARCH STREQUAL "AARCH64")
 
 endif()
 
+if(NOT DEFINED WOLFBOOT_ORIGIN)
+    set(WOLFBOOT_ORIGIN ${ARCH_FLASH_OFFSET})
+endif()
+
+if(NOT DEFINED BOOTLOADER_PARTITION_SIZE)
+    math(EXPR BOOTLOADER_PARTITION_SIZE
+        "${WOLFBOOT_PARTITION_BOOT_ADDRESS} - ${ARCH_FLASH_OFFSET}"
+        OUTPUT_FORMAT HEXADECIMAL)
+endif()
+
 list(APPEND WOLFBOOT_DEFS ARCH_FLASH_OFFSET=${ARCH_FLASH_OFFSET})
+list(APPEND WOLFBOOT_DEFS
+    WOLFBOOT_ORIGIN=${WOLFBOOT_ORIGIN}
+    BOOTLOADER_PARTITION_SIZE=${BOOTLOADER_PARTITION_SIZE})
 
 if(${WOLFBOOT_TARGET} STREQUAL "x86_64_efi")
     if(NOT DEFINED GNU_EFI_LIB_PATH)
@@ -1139,7 +1152,7 @@ if(TZEN)
     endif()
 endif()
 
-target_sources(wolfboothal PRIVATE include/hal.h hal/${WOLFBOOT_TARGET}.c ${WOLFBOOT_FLASH_SOURCES}
+target_sources(wolfboothal PRIVATE include/hal.h hal/hal.c hal/${WOLFBOOT_TARGET}.c ${WOLFBOOT_FLASH_SOURCES}
                                    ${PARTITION_SOURCE} ${WOLFBOOT_TZ_HAL_SOURCES})
 
 

docs/compile.md

@@ -193,7 +193,9 @@ To circumvent the compile-time checks on the maximum allowed stack size, use `WO
 
 Optionally, it is possible to disable the backup copy of the current running firmware upon the installation of the
 update. This implies that no fall-back mechanism is protecting the target from a faulty firmware installation, but may be useful
-in some cases where it is not possible to write on the update partition from the bootloader.
+in some cases where it is not possible to write on the update partition from the bootloader. This also removes the
+power-fail-safe swap behavior: if power is lost while the update is being copied into the BOOT partition, the original
+firmware may already be partially overwritten and the device can be left unrecoverable.
 The associated compile-time option is
 
 `DISABLE_BACKUP=1`

hal/hal.c

@@ -281,6 +281,13 @@ int hal_flash_test_dualbank(void)
 
 #endif /* TEST_FLASH */
 
+WEAKFUNCTION int RAMFUNCTION hal_flash_protect(haladdr_t address, int len)
+{
+    (void)address;
+    (void)len;
+    return 0;
+}
+
 WEAKFUNCTION int hal_uds_derive_key(uint8_t *out, size_t out_len)
 {
     (void)out;

hal/nrf5340.c

@@ -827,7 +827,7 @@ void hal_init(void)
 
 #ifdef __WOLFBOOT
 /* enable write protection for the region of flash specified */
-int hal_flash_protect(uint32_t start, uint32_t len)
+int RAMFUNCTION hal_flash_protect(haladdr_t start, int len)
 {
     /* only application core supports SPU */
 #ifdef TARGET_nrf5340_app
@@ -884,14 +884,6 @@ static void periph_unsecure()
 
 void hal_prepare_boot(void)
 {
-    /* Write protect bootloader region of flash.
-     * Not needed in TrustZone configs because the application
-     * runs in non-secure mode and the bootloader partition is marked as
-     * secure. */
-#ifndef TZEN
-    hal_flash_protect(WOLFBOOT_ORIGIN, BOOTLOADER_PARTITION_SIZE);
-#endif
-
     if (enableShm) {
     #ifdef TARGET_nrf5340_net
         if (doUpdateNet) {

hal/skeleton.c

@@ -34,6 +34,12 @@ void hal_init(void)
 
 void hal_prepare_boot(void)
 {
+    /* wolfBoot calls hal_flash_protect() before this hook.
+     * Override int hal_flash_protect(haladdr_t address, int len) to lock
+     * the bootloader region on targets that support runtime write
+     * protection. Return 0 on success or a negative value on failure, and
+     * use this hook only for any remaining platform-specific handoff work.
+     */
 }
 
 #endif
@@ -55,4 +61,3 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
 {
     return 0; /* on success. */
 }
-

include/hal.h

@@ -87,6 +87,11 @@ uint64_t hal_get_timer_us(void);
 #endif
 void hal_flash_unlock(void);
 void hal_flash_lock(void);
+/*
+ * Lock the flash region [address, address + len) against writes.
+ * Return 0 on success, or a negative value on failure.
+ */
+int hal_flash_protect(haladdr_t address, int len);
 void hal_prepare_boot(void);
 
 #ifdef DUALBANK_SWAP

include/image.h

@@ -424,8 +424,9 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
         asm volatile("mov r0, #50":::"r0"); \
         asm volatile("mov r0, #50":::"r0"); \
         asm volatile("mov r0, #50":::"r0"); \
-        compare_res = XMEMCMP(digest, img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE); \
-        /* Redundant checks that ensure the function actually returned 0 */ \
+        compare_res = image_CT_compare(digest, img->sha_hash, \
+            WOLFBOOT_SHA_DIGEST_SIZE); \
+        /* Redundant checks that ensure the function actually returned 1 */ \
         asm volatile("cmp r0, #0":::"cc"); \
         asm volatile("cmp r0, #0":::"cc"); \
         asm volatile("cmp r0, #0":::"cc"); \
@@ -442,10 +443,11 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
         asm volatile("cmp r0, #0":::"cc"); \
         asm volatile("cmp r0, #0":::"cc"); \
         asm volatile("bne hnope"); \
-        /* Repeat memcmp call */ \
-        compare_res = XMEMCMP(digest, img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE); \
+        /* Repeat comparison call */ \
+        compare_res = image_CT_compare(digest, img->sha_hash, \
+            WOLFBOOT_SHA_DIGEST_SIZE); \
         compare_res; \
-        /* Redundant checks that ensure the function actually returned 0 */ \
+        /* Redundant checks that ensure the function actually returned 1 */ \
         asm volatile("cmp r0, #0":::"cc"); \
         asm volatile("cmp r0, #0":::"cc"); \
         asm volatile("cmp r0, #0":::"cc"); \
@@ -1234,7 +1236,7 @@ static void UNUSEDFUNCTION wolfBoot_image_clear_signature_ok(
     ret = fn(__VA_ARGS__);
 
 #define RSA_VERIFY_HASH(img,digest) \
-    if (XMEMCMP(img->sha_hash, digest, WOLFBOOT_SHA_DIGEST_SIZE) == 0) \
+    if (image_CT_compare(img->sha_hash, digest, WOLFBOOT_SHA_DIGEST_SIZE)) \
         wolfBoot_image_confirm_signature_ok(img);
 
 #define PART_SANITY_CHECK(p) \
@@ -1250,6 +1252,8 @@ static void UNUSEDFUNCTION wolfBoot_image_clear_signature_ok(
 #endif
 
 /* Defined in image.c */
+int image_CT_compare(const uint8_t *expected, const uint8_t *actual,
+    uint32_t len);
 int wolfBoot_open_image(struct wolfBoot_image *img, uint8_t part);
 #ifdef EXT_FLASH
 int wolfBoot_open_image_external(struct wolfBoot_image* img, uint8_t part, uint8_t* addr);

include/tpm.h

@@ -79,6 +79,10 @@ int wolfBoot_load_pubkey(const uint8_t* pubkey_hint, WOLFTPM2_KEY* pubKey,
     TPM_ALG_ID* pAlg);
 #endif
 
+#if defined(WOLFBOOT_TPM_KEYSTORE) || defined(WOLFBOOT_TPM_SEAL)
+int wolfBoot_constant_compare(const uint8_t* a, const uint8_t* b, uint32_t len);
+#endif
+
 #ifdef WOLFBOOT_TPM_KEYSTORE
 int wolfBoot_check_rot(int key_slot, uint8_t* pubkey_hint);
 #endif

include/wolfboot/wolfboot.h

@@ -185,6 +185,15 @@ extern "C" {
 #endif
 #endif /* WOLFBOOT_SELF_HEADER */
 
+#if defined(WOLFBOOT_SKIP_BOOT_VERIFY) && !defined(WOLFBOOT_SELF_HEADER)
+#error "WOLFBOOT_SKIP_BOOT_VERIFY requires WOLFBOOT_SELF_HEADER"
+#endif
+
+#if defined(WOLFBOOT_SKIP_BOOT_VERIFY) && \
+    !defined(WOLFBOOT_SELF_UPDATE_MONOLITHIC)
+#error "WOLFBOOT_SKIP_BOOT_VERIFY requires WOLFBOOT_SELF_UPDATE_MONOLITHIC"
+#endif
+
 #ifdef BIG_ENDIAN_ORDER
 #    define WOLFBOOT_MAGIC          0x574F4C46 /* WOLF */
 #    define WOLFBOOT_MAGIC_TRAIL    0x424F4F54 /* BOOT */

options.mk

@@ -90,6 +90,9 @@ endif
 
 ## Monolithic self-update: erase covers fw_size so the payload can span
 ## the bootloader region into the contiguous boot partition.
+ifeq ($(WOLFBOOT_SELF_UPDATE_MONOLITHIC),1)
+  SELF_UPDATE_MONOLITHIC:=1
+endif
 ifeq ($(SELF_UPDATE_MONOLITHIC),1)
   CFLAGS+=-DWOLFBOOT_SELF_UPDATE_MONOLITHIC
 endif
@@ -710,6 +713,12 @@ ifeq ($(ALLOW_DOWNGRADE),1)
 endif
 
 ifeq ($(WOLFBOOT_SKIP_BOOT_VERIFY),1)
+  ifneq ($(WOLFBOOT_SELF_HEADER),1)
+    $(error WOLFBOOT_SKIP_BOOT_VERIFY=1 requires WOLFBOOT_SELF_HEADER=1)
+  endif
+  ifneq ($(SELF_UPDATE_MONOLITHIC),1)
+    $(error WOLFBOOT_SKIP_BOOT_VERIFY=1 requires WOLFBOOT_SELF_UPDATE_MONOLITHIC (set SELF_UPDATE_MONOLITHIC=1))
+  endif
   CFLAGS+=-D"WOLFBOOT_SKIP_BOOT_VERIFY"
 endif
 
@@ -718,6 +727,7 @@ ifeq ($(NVM_FLASH_WRITEONCE),1)
 endif
 
 ifeq ($(DISABLE_BACKUP),1)
+  $(warning DISABLE_BACKUP=1 disables power-fail-safe updates; losing power during an update can leave BOOT partially written and unrecoverable)
   CFLAGS+= -D"DISABLE_BACKUP"
 endif
 

src/delta.c

@@ -40,6 +40,7 @@ struct BLOCK_HDR_PACKED block_hdr {
 };
 
 #define BLOCK_HDR_SIZE (sizeof (struct block_hdr))
+#define BLOCK_OFF_MAX 0xFFFFFFU
 
 #if defined(EXT_ENCRYPTED) && defined(__WOLFBOOT)
 #include "image.h"
@@ -300,6 +301,8 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len)
                  */
                 match_len = BLOCK_HDR_SIZE;
                 blk_start = pa - ctx->src_a;
+                if (blk_start > BLOCK_OFF_MAX)
+                    return -1;
                 b_start = ctx->off_b;
                 pa+= BLOCK_HDR_SIZE;
                 ctx->off_b += BLOCK_HDR_SIZE;
@@ -362,6 +365,8 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len)
                      */
                     match_len = BLOCK_HDR_SIZE;
                     blk_start = pb - ctx->src_b;
+                    if (blk_start > BLOCK_OFF_MAX)
+                        return -1;
                     pb+= BLOCK_HDR_SIZE;
                     ctx->off_b += BLOCK_HDR_SIZE;
                     while ((pb < pb_limit) &&

src/image.c

@@ -58,8 +58,8 @@
 /* Globals */
 static uint8_t digest[WOLFBOOT_SHA_DIGEST_SIZE] XALIGNED(4);
 
-static int image_CT_compare(const uint8_t *expected, const uint8_t *actual,
-    uint32_t len)
+int __attribute__((noinline)) image_CT_compare(
+    const uint8_t *expected, const uint8_t *actual, uint32_t len)
 {
     uint8_t diff = 0;
     uint32_t i;