monolithic self-updates: force DISABLE_BACKUP=1, eliminate swap, eliminate update code

Author: bigbrett

Makefile

@@ -463,7 +463,7 @@ assemble_internal_flash.dd: FORCE
 		0 wolfboot.bin \
 		$$(($(WOLFBOOT_PARTITION_BOOT_ADDRESS) - $(ARCH_FLASH_OFFSET))) test-app/image_v1_signed.bin \
 		$$(($(WOLFBOOT_PARTITION_UPDATE_ADDRESS)-$(ARCH_FLASH_OFFSET))) /tmp/swap \
-		$$(($(WOLFBOOT_PARTITION_SWAP_ADDRESS)-$(ARCH_FLASH_OFFSET))) /tmp/swap
+		$(if $(DISABLE_BACKUP),,$$(($(WOLFBOOT_PARTITION_SWAP_ADDRESS)-$(ARCH_FLASH_OFFSET))) /tmp/swap) # swap unused with DISABLE_BACKUP
 
 internal_flash.dd: $(BINASSEMBLE) wolfboot.bin $(BOOT_IMG) $(PRIVATE_KEY) test-app/image_v1_signed.bin
 	@echo "\t[MERGE] internal_flash.dd"

config/examples/sim-self-update-monolithic.config

@@ -14,7 +14,6 @@ WOLFBOOT_PARTITION_SIZE=0x40000
 WOLFBOOT_SECTOR_SIZE=0x1000
 WOLFBOOT_PARTITION_BOOT_ADDRESS=0x20000
 WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x60000
-WOLFBOOT_PARTITION_SWAP_ADDRESS=0xA0000
 
 # required for keytools
 WOLFBOOT_FIXED_PARTITIONS=1

include/wolfboot/wolfboot.h

@@ -464,6 +464,22 @@ extern "C" {
 
 #endif /* defined WOLFBOOT */
 
+/* Monolithic self-update: imply DISABLE_BACKUP and enforce prerequisites */
+#ifdef WOLFBOOT_SELF_UPDATE_MONOLITHIC
+  #ifndef DISABLE_BACKUP
+    #define DISABLE_BACKUP
+  #endif
+  #ifdef DELTA_UPDATES
+    #error "DELTA_UPDATES is not compatible with WOLFBOOT_SELF_UPDATE_MONOLITHIC"
+  #endif
+  #ifdef NVM_FLASH_WRITEONCE
+    #error "NVM_FLASH_WRITEONCE is not compatible with WOLFBOOT_SELF_UPDATE_MONOLITHIC"
+  #endif
+  #ifndef RAM_CODE
+    #error "WOLFBOOT_SELF_UPDATE_MONOLITHIC requires RAM_CODE"
+  #endif
+#endif
+
 #define PART_BOOT   0
 #define PART_UPDATE 1
 #define PART_SWAP   2

options.mk

@@ -92,6 +92,7 @@ endif
 ## the bootloader region into the contiguous boot partition.
 ifeq ($(SELF_UPDATE_MONOLITHIC),1)
   CFLAGS+=-DWOLFBOOT_SELF_UPDATE_MONOLITHIC
+  DISABLE_BACKUP=1
 endif
 
 ## Persist wolfBoot self header at fixed address
@@ -719,6 +720,7 @@ endif
 
 ifeq ($(DISABLE_BACKUP),1)
   CFLAGS+= -D"DISABLE_BACKUP"
+  WOLFBOOT_PARTITION_SWAP_ADDRESS?=0
 endif
 
 DEBUG_SYMBOLS?=0

src/update_flash.c

@@ -233,6 +233,10 @@ void RAMFUNCTION wolfBoot_check_self_update(void)
 }
 #endif /* RAM_CODE for self_update */
 
+#ifndef WOLFBOOT_SELF_UPDATE_MONOLITHIC
+/* The swap-based update machinery (wolfBoot_copy_sector, wolfBoot_update, etc.)
+ * is not used in monolithic self-update mode. */
+
 static int RAMFUNCTION wolfBoot_copy_sector(struct wolfBoot_image *src,
     struct wolfBoot_image *dst, uint32_t sector)
 {
@@ -804,7 +808,10 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
      * magic has not been set flag will have an un-determined value when we go
      * to check it */
     uint8_t flag = SECT_FLAG_NEW;
-    struct wolfBoot_image boot, update, swap;
+    struct wolfBoot_image boot, update;
+#ifndef DISABLE_BACKUP
+    struct wolfBoot_image swap;
+#endif
     uint16_t update_type;
     uint32_t fw_size;
     uint32_t size;
@@ -856,7 +863,9 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
             return -1;
 #endif
         wolfBoot_open_image(&boot, PART_BOOT);
+#ifndef DISABLE_BACKUP
         wolfBoot_open_image(&swap, PART_SWAP);
+#endif
 
 #if defined(EXT_ENCRYPTED) && defined(DELTA_UPDATES)
         wolfBoot_printf("Update partition fallback image: %d\n", fallback_image);
@@ -1208,6 +1217,7 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
 #ifdef __CCRX__
 #pragma section
 #endif
+#endif /* !WOLFBOOT_SELF_UPDATE_MONOLITHIC */
 
 #if defined(ARCH_SIM) && defined(WOLFBOOT_TPM) && defined(WOLFBOOT_TPM_SEAL)
 int wolfBoot_unlock_disk(void)
@@ -1319,12 +1329,14 @@ int wolfBoot_unlock_disk(void)
 void RAMFUNCTION wolfBoot_start(void)
 {
     int bootRet;
+#ifndef WOLFBOOT_SELF_UPDATE_MONOLITHIC
     int updateRet;
 #ifndef DISABLE_BACKUP
     int resumedFinalErase;
 #endif
     uint8_t bootState;
     uint8_t updateState;
+#endif /* !WOLFBOOT_SELF_UPDATE_MONOLITHIC */
     struct wolfBoot_image boot;
 
 #if defined(ARCH_SIM) && defined(WOLFBOOT_TPM) && defined(WOLFBOOT_TPM_SEAL)
@@ -1335,6 +1347,8 @@ void RAMFUNCTION wolfBoot_start(void)
     wolfBoot_check_self_update();
 #endif
 
+#ifndef WOLFBOOT_SELF_UPDATE_MONOLITHIC
+
 #ifdef NVM_FLASH_WRITEONCE
     /* nvm_select_fresh_sector needs unlocked flash in cases where the unused
      * sector needs to be erased */
@@ -1393,6 +1407,12 @@ void RAMFUNCTION wolfBoot_start(void)
         }
     }
 
+#else /* WOLFBOOT_SELF_UPDATE_MONOLITHIC */
+#ifdef SECURE_PKCS11
+    WP11_Library_Init();
+#endif
+#endif /* !WOLFBOOT_SELF_UPDATE_MONOLITHIC */
+
     bootRet = wolfBoot_open_image(&boot, PART_BOOT);
     wolfBoot_printf("Booting version: 0x%x\n",
         wolfBoot_get_blob_version(boot.hdr));
@@ -1404,6 +1424,7 @@ void RAMFUNCTION wolfBoot_start(void)
     ) {
         wolfBoot_printf("Boot failed: Hdr %d, Hash %d, Sig %d\n",
             boot.hdr_ok, boot.sha_ok, boot.signature_ok);
+#ifndef WOLFBOOT_SELF_UPDATE_MONOLITHIC
         wolfBoot_printf("Trying emergency update\n");
         if (likely(wolfBoot_update(1) < 0)) {
             /* panic: no boot option available. */
@@ -1427,6 +1448,13 @@ void RAMFUNCTION wolfBoot_start(void)
                 wolfBoot_panic();
             }
         }
+#else
+        /* Monolithic mode: no emergency update path available */
+    #ifdef WOLFBOOT_TPM
+        wolfBoot_tpm2_deinit();
+    #endif
+        wolfBoot_panic();
+#endif /* !WOLFBOOT_SELF_UPDATE_MONOLITHIC */
     }
     PART_SANITY_CHECK(&boot);
 #else

tools/test.mk

@@ -282,15 +282,13 @@ test-sim-self-update-monolithic: wolfboot.bin test-app/image_v1_signed.bin FORCE
 	$(Q)dd if=/dev/zero bs=$$(($(WOLFBOOT_PARTITION_SIZE))) count=1 2>/dev/null | tr '\000' '\377' > update_part.dd
 	$(Q)dd if=monolithic_payload_v2_signed.bin of=update_part.dd bs=1 conv=notrunc
 	$(Q)printf "pBOOT" | dd of=update_part.dd bs=1 seek=$$(($(WOLFBOOT_PARTITION_SIZE) - 5)) conv=notrunc
-	@# Create erased boot and swap partitions
+	@# Create erased boot partition
 	$(Q)dd if=/dev/zero bs=$$(($(WOLFBOOT_PARTITION_SIZE))) count=1 2>/dev/null | tr '\000' '\377' > boot_part.dd
-	$(Q)dd if=/dev/zero bs=$$(($(WOLFBOOT_SECTOR_SIZE))) count=1 2>/dev/null | tr '\000' '\377' > erased_sec.dd
-	@# Assemble flash: wolfboot.bin at 0, empty boot partition, update partition, swap
+	@# Assemble flash: wolfboot.bin at 0, empty boot partition, update partition
 	$(Q)$(BINASSEMBLE) internal_flash.dd \
 		0 wolfboot.bin \
 		$$(($(WOLFBOOT_PARTITION_BOOT_ADDRESS) - $(ARCH_FLASH_OFFSET))) boot_part.dd \
-		$$(($(WOLFBOOT_PARTITION_UPDATE_ADDRESS) - $(ARCH_FLASH_OFFSET))) update_part.dd \
-		$$(($(WOLFBOOT_PARTITION_SWAP_ADDRESS) - $(ARCH_FLASH_OFFSET))) erased_sec.dd
+		$$(($(WOLFBOOT_PARTITION_UPDATE_ADDRESS) - $(ARCH_FLASH_OFFSET))) update_part.dd
 	@# Run simulator - self-update fires, copies monolithic payload to offset 0
 	$(Q)./wolfboot.elf get_version || true
 	@# Verify bootloader region contains 0xAA pattern (dummy bootloader was written)