Working PKCS11 test.

Temporarily removed some features so the image fits in 64Kb

arch.mk

@@ -160,24 +160,31 @@ ifeq ($(ARCH),ARM)
   endif
 
   ## Cortex-M CPU
-  ifeq ($(CORTEX_M33),1)
-    CFLAGS+=-mcpu=cortex-m33 -DCORTEX_M33
-    LDFLAGS+=-mcpu=cortex-m33
-    ifeq ($(TZEN),1)
-      OBJS+=hal/stm32_tz.o
-      CFLAGS+=-mcmse
-      ifeq ($(WCSM),1)
-        SECURE_OBJS+=./src/wc_callable.o
-        SECURE_OBJS+=./lib/wolfssl/wolfcrypt/src/random.o
-        SECURE_OBJS+=./lib/wolfssl/wolfcrypt/src/asn.o
-        CFLAGS+=-DWOLFCRYPT_SECURE_MODE
-        SECURE_LDFLAGS+=-Wl,--cmse-implib -Wl,--out-implib=./src/wc_secure_calls.o
-      endif
+ifeq ($(CORTEX_M33),1)
+  CFLAGS+=-mcpu=cortex-m33 -DCORTEX_M33
+  LDFLAGS+=-mcpu=cortex-m33
+  ifeq ($(TZEN),1)
+    OBJS+=hal/stm32_tz.o
+    CFLAGS+=-mcmse
+    ifeq ($(WCSM),1)
+      SECURE_OBJS+=./src/wc_callable.o
+      SECURE_OBJS+=./lib/wolfssl/wolfcrypt/src/random.o
+      SECURE_OBJS+=./lib/wolfssl/wolfcrypt/src/asn.o
+      CFLAGS+=-DWOLFCRYPT_SECURE_MODE
+      SECURE_LDFLAGS+=-Wl,--cmse-implib -Wl,--out-implib=./src/wc_secure_calls.o
     endif
+  endif
+  ifeq ($(NO_ASM),1)
     ifeq ($(SPMATH),1)
       MATH_OBJS += ./lib/wolfssl/wolfcrypt/src/sp_c32.o
     endif
   else
+    ifeq ($(SPMATH),1)
+      CFLAGS+=-DWOLFSSL_SP_ASM -DWOLFSSL_SP_ARM_CORTEX_M_ASM
+      MATH_OBJS += ./lib/wolfssl/wolfcrypt/src/sp_cortexm.o
+    endif
+  endif
+else
   ifeq ($(CORTEX_M7),1)
     CFLAGS+=-mcpu=cortex-m7
     LDFLAGS+=-mcpu=cortex-m7
@@ -190,36 +197,36 @@ ifeq ($(ARCH),ARM)
       endif
     endif
   else
-  ifeq ($(CORTEX_M0),1)
-    CFLAGS+=-mcpu=cortex-m0
-    LDFLAGS+=-mcpu=cortex-m0
-    ifeq ($(SPMATH),1)
-      ifeq ($(NO_ASM),1)
-        MATH_OBJS += ./lib/wolfssl/wolfcrypt/src/sp_c32.o
-      else
-        CFLAGS+=-DWOLFSSL_SP_ASM -DWOLFSSL_SP_ARM_THUMB_ASM
-        MATH_OBJS += ./lib/wolfssl/wolfcrypt/src/sp_armthumb.o
-      endif
-    endif
-  else
-    ifeq ($(NO_ASM),1)
+    ifeq ($(CORTEX_M0),1)
+      CFLAGS+=-mcpu=cortex-m0
+      LDFLAGS+=-mcpu=cortex-m0
       ifeq ($(SPMATH),1)
-        MATH_OBJS += ./lib/wolfssl/wolfcrypt/src/sp_c32.o
+        ifeq ($(NO_ASM),1)
+          MATH_OBJS += ./lib/wolfssl/wolfcrypt/src/sp_c32.o
+        else
+          CFLAGS+=-DWOLFSSL_SP_ASM -DWOLFSSL_SP_ARM_THUMB_ASM
+          MATH_OBJS += ./lib/wolfssl/wolfcrypt/src/sp_armthumb.o
+        endif
       endif
-      CFLAGS+=-mcpu=cortex-m3
-      LDFLAGS+=-mcpu=cortex-m3
     else
-      CFLAGS+=-mcpu=cortex-m3 -fomit-frame-pointer
-      LDFLAGS+=-mcpu=cortex-m3
-      ifeq ($(SPMATH),1)
-        CFLAGS+=-DWOLFSSL_SP_ASM -DWOLFSSL_SP_ARM_CORTEX_M_ASM
-        MATH_OBJS += ./lib/wolfssl/wolfcrypt/src/sp_cortexm.o
+        ifeq ($(NO_ASM),1)
+          ifeq ($(SPMATH),1)
+            MATH_OBJS += ./lib/wolfssl/wolfcrypt/src/sp_c32.o
+          endif
+          CFLAGS+=-mcpu=cortex-m3
+          LDFLAGS+=-mcpu=cortex-m3
+        else
+          CFLAGS+=-mcpu=cortex-m3 -fomit-frame-pointer
+          LDFLAGS+=-mcpu=cortex-m3
+          ifeq ($(SPMATH),1)
+            CFLAGS+=-DWOLFSSL_SP_ASM -DWOLFSSL_SP_ARM_CORTEX_M_ASM
+            MATH_OBJS += ./lib/wolfssl/wolfcrypt/src/sp_cortexm.o
+          endif
+        endif
       endif
     endif
   endif
 endif
-endif
-endif
 
 ifeq ($(TZEN),1)
   CFLAGS+=-DTZEN

hal/stm32l5.c

@@ -327,10 +327,14 @@ static void periph_unsecure()
     GPIO_SECCFGR(GPIOC_BASE) &= ~(1<<LED_EXTRA_PIN);
 #endif
 
+
+#if 0
     /* Unsecure LPUART1 */
     TZSC_PRIVCFGR1 &= ~(TZSC_PRIVCFG1_LPUARTPRIV);
     GPIO_SECCFGR(GPIOG_BASE) &= ~(1<<UART1_TX_PIN);
     GPIO_SECCFGR(GPIOG_BASE) &= ~(1<<UART1_RX_PIN);
+#endif
+
 }
 #endif
 

hal/stm32l5.ld

@@ -1,8 +1,9 @@
 MEMORY
 {
-    FLASH (rx) : ORIGIN = @WOLFBOOT_ORIGIN@, LENGTH = @BOOTLOADER_PARTITION_SIZE@
-    RAM (rwx) : ORIGIN = 0x30000000, LENGTH = 0x00016000
-    RAM_KV (rw): ORIGIN = 0x30016000, LENGTH = 0x2000
+    FLASH (rx) :    ORIGIN = @WOLFBOOT_ORIGIN@, LENGTH = @BOOTLOADER_PARTITION_SIZE@ - 0x20000
+    RAM (rwx) :     ORIGIN = 0x30000000, LENGTH = 0x00012000
+    RAM_HEAP (rw):  ORIGIN = 0x30012000, LENGTH = 0x4000
+    RAM_KV (rw):    ORIGIN = 0x30016000, LENGTH = 0x2000
     FLASH_KEYVAULT(rw): ORIGIN = @WOLFBOOT_ORIGIN@ + 0x20000, LENGTH = 0x18000
     FLASH_NSC(rx): ORIGIN = @WOLFBOOT_ORIGIN@ + 0x38000, LENGTH = 0x8000
 }
@@ -66,4 +67,5 @@ _keyvault_size = LENGTH(RAM_KV);
 _flash_keyvault = ORIGIN(FLASH_KEYVAULT);
 _flash_keyvault_size = LENGTH(FLASH_KEYVAULT);
 
-
+_start_heap = ORIGIN(RAM_HEAP);
+_heap_size = LENGTH(RAM_HEAP);

include/user_settings.h

@@ -101,22 +101,20 @@ extern int tolower(int c);
 
 /* ECC options disabled to reduce size */
 #ifndef WOLFCRYPT_SECURE_MODE
+#   define HAVE_ECC
 #   define NO_ECC_SIGN
 #   define NO_ECC_EXPORT
-#   define NO_ECC_DHE
 #   define NO_ECC_KEY_EXPORT
 #   define NO_ASN
 #else
-
-
 #   define HAVE_ECC_SIGN
-#   define HAVE_ECC_CDH
+//#   define HAVE_ECC_CDH
 #   define WOLFSSL_SP
 #   define WOLFSSL_SP_MATH
 #   define WOLFSSL_SP_SMALL
 #   define SP_WORD_SIZE 32
 #   define WOLFSSL_HAVE_SP_ECC
-#   define WOLFSSL_SP_MATH_ALL
+//#   define WOLFSSL_SP_MATH_ALL
 
 int hal_trng_get_entropy(unsigned char *out, unsigned len);
 #   define CUSTOM_RAND_GENERATE_SEED hal_trng_get_entropy
@@ -245,9 +243,32 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
 #   endif
 #endif
 
-#if defined(EXT_ENCRYPTED) || defined(SECURE_PKCS11)
+#if defined(EXT_ENCRYPTED)
+#   define HAVE_PWDBASED
+#endif
+
+#if defined(SECURE_PKCS11)
 #   define HAVE_PWDBASED
+#	define HAVE_PBKDF2
+#	define WOLFPKCS11_CUSTOM_STORE
+# 	define WOLFBOOT_SECURE_PKCS11
+#	define WOLFPKCS11_USER_SETTINGS
+# 	define WOLFPKCS11_NO_TIME
+# 	define WOLFSSL_AES_COUNTER
+#   define WOLFSSL_AES_DIRECT
+#   define WOLFSSL_AES_GCM
+# 	define ENCRYPT_WITH_AES128
+#   define WOLFSSL_AES_128
+# 	define HAVE_SCRYPT
+# 	define HAVE_AESGCM
+	typedef unsigned long time_t;
 #else
+#   define NO_HMAC
+#endif
+
+
+
+#ifndef HAVE_PWDBASED
 #   define NO_PWDBASED
 #endif
 
@@ -301,9 +322,6 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
 #   if !defined(ENCRYPT_WITH_AES128) && !defined(ENCRYPT_WITH_AES256) && !defined(WOLFCRYPT_SECURE_MODE)
 #       define NO_AES
 #   endif
-#   if !defined(SECURE_PKCS11)
-#       define NO_HMAC
-#   endif
 #endif
 
 #define NO_CMAC
@@ -361,7 +379,7 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
 #       define WOLFSSL_SP_NO_MALLOC
 #       define WOLFSSL_SP_NO_DYN_STACK
 #   endif
-#   ifndef ARCH_SIM
+#   if !defined(ARCH_SIM) && !defined(SECURE_PKCS11)
 #       define WOLFSSL_NO_MALLOC
 #   endif
 #else

options.mk

@@ -446,15 +446,7 @@ endif
 ifeq ($(SECURE_PKCS11),1)
   CFLAGS+=-DSECURE_PKCS11
   CFLAGS+=-DCK_CALLABLE="__attribute__((cmse_nonsecure_entry))"
-  CFLAGS+=-DHAVE_PBKDF2
-  CFLAGS+=-DWOLFPKCS11_CUSTOM_STORE
-  CFLAGS+=-DWOLFBOOT_SECURE_PKCS11 -Ilib/wolfPKCS11
-  CFLAGS+=-DWOLFPKCS11_USER_SETTINGS
-  CFLAGS+=-DWOLFPKCS11_NO_TIME
-  CFLAGS+=-DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT -DWOLFSSL_AES_GCM
-  CFLAGS+=-DENCRYPT_WITH_AES128 -DWOLFSSL_AES_128
-  CFLAGS+=-DHAVE_SCRYPT
-  CFLAGS+=-DHAVE_AESGCM
+  CFLAGS+=-Ilib/wolfPKCS11
   OBJS+=src/pkcs11_store.o
   OBJS+=src/pkcs11_callable.o
   WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/aes.o

src/pkcs11_store.c

@@ -30,6 +30,9 @@
 extern uint32_t *_flash_keyvault; /* From linker script: origin of vault flash */
 extern uint32_t *_flash_keyvault_size; /* From linker script: size of vault */
 
+extern unsigned int _start_heap; /* From linker script: heap memory */
+extern unsigned int _heap_size;  /* From linker script: heap limit */
+
 #define KEYVAULT_OBJ_SIZE 0x1000 /* 4KB per object */
 #define KEYVAULT_MAX_ITEMS 0x18 /* Total memory: 0x18000, 24 items */
 
@@ -49,6 +52,26 @@ static uint8_t *vault_base = (uint8_t *)&_flash_keyvault;
 static int vault_idx = -1;
 
 
+/* Back-end for malloc, used for token handling */
+void * _sbrk(unsigned int incr)
+{
+    static unsigned char *heap = (unsigned char *)&_start_heap;
+    static uint32_t heapsize = (uint32_t)(&_heap_size);
+    void *old_heap = heap;
+    if (((incr >> 2) << 2) != incr)
+        incr = ((incr >> 2) + 1) << 2;
+
+    if (heap == NULL)
+        heap = (unsigned char *)&_start_heap;
+    else
+        heap += incr;
+    if (((uint32_t)heap - (uint32_t)(&_start_heap)) > heapsize) {
+        heap -= incr;
+        return NULL;
+    }
+    return old_heap;
+}
+
 struct obj_hdr
 {
     uint32_t token_id;
@@ -72,19 +95,19 @@ int wolfPKCS11_Store_Open(int type, CK_ULONG id1, CK_ULONG id2, int read,
     void** store)
 {
     unsigned int i;
-    int found = -1;
+    unsigned int found = 0;
     struct obj_hdr *hdr;
     struct store_object *obj;
 
-    for (i = 0; i < KEYVAULT_MAX_ITEMS; i++) {
+    for (i = 1; i < KEYVAULT_MAX_ITEMS; i++) {
         hdr = (struct obj_hdr*)(vault_base + i * KEYVAULT_OBJ_SIZE);
         if ((type == hdr->type) && (id1 == hdr->token_id) &&
                 (id2 == hdr->object_id)) {
             found = i;
             break;
         }
     }
-    if (!found && read) {
+    if ((!found) && read) {
         *store = NULL;
         return NOT_AVAILABLE_E;
     } else if (found) {

src/update_flash.c

@@ -28,8 +28,12 @@
 #include "hal.h"
 #include "spi_flash.h"
 #include "wolfboot/wolfboot.h"
+
 #include "delta.h"
 #include "printf.h"
+#ifdef SECURE_PKCS11
+int WP11_Library_Init(void);
+#endif
 
 
 #ifdef RAM_CODE
@@ -628,6 +632,11 @@ void RAMFUNCTION wolfBoot_start(void)
 #ifdef WOLFBOOT_TPM
     wolfBoot_tpm2_deinit();
 #endif
+
+#ifdef SECURE_PKCS11
+    WP11_Library_Init();
+#endif
+
     hal_prepare_boot();
     do_boot((void *)boot.fw_base);
 }

test-app/Makefile

@@ -8,6 +8,7 @@ ARCH?=ARM
 MCUXPRESSO_CMSIS?=$(MCUXPRESSO)/CMSIS
 CFLAGS+=-I.
 CFLAGS+=-I./wcs
+DEBUG=0
 
 ifeq ($(SIGN),RSA2048)
   IMAGE_HEADER_SIZE:=512