From ae03ddda19777a401ad01686690f33ef674bb84b Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 28 Jun 2024 12:29:22 -0700
Subject: [PATCH] Switch to using a fixed flash location for wrapped public key, so it can be flash on its own.

---
 arch.mk | 3 ---
 docs/Renesas.md | 26 ++++++++++++++++++++++----
 hal/rx65n.ld | 6 ++++++
 hal/rx72n.ld | 6 ++++++
 include/user_settings.h | 3 +--
 5 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/arch.mk b/arch.mk
index 887e2dd7a..7668e0909 100644
--- a/arch.mk
+++ b/arch.mk
@@ -330,9 +330,6 @@ ifeq ($(ARCH),RENESAS_RX)
 ./lib/wolfssl/wolfcrypt/src/port/Renesas/renesas_common.o \
 ./lib/wolfssl/wolfcrypt/src/port/Renesas/renesas_tsip_util.o
 
- # Key Data from Security Key Management Tool (SKMT). See docs/Renesas.md
- OBJS+=./include/key_data.o
-
 # RX TSIP uses pre-compiled .a library by default
 ifeq ($(RX_TSIP_SRC),)
 ifeq ($(BIG_ENDIAN),1)
diff --git a/docs/Renesas.md b/docs/Renesas.md
index 7c0bcb29b..520a23215 100644
--- a/docs/Renesas.md
+++ b/docs/Renesas.md
@@ -69,7 +69,7 @@ Public key slot: 0
 Done.
 ```
 
-6) Create wrapped public key
+6) Create wrapped public key (code files)
 
 Use the Security Key Management Tool (SKMT) command line tool (CLI) to create a wrapped public key.
 
@@ -86,11 +86,25 @@ IV: 6C296A040EEF5EDD687E8D3D98D146D0
 Encrypted key: 5DD8D7E59E6AC85AE340BBA60AA8F8BE56C4C1FE02340C49EB8F36DA79B8D6640961FE9EAECDD6BADF083C5B6060C1D0309D28EFA25946F431979B9F9D21E77BDC5B1CC7165DE2F4AE51E418746260F518ED0C328BD3020DEC9B774DC00270B0CFBBE3DD738FDF715342CFBF2D461239
 ```
 
-7) Edit .config `PKA?=1`.
+7) Create wrapped public key (flash file)
 
-8) Rebuild wolfBoot. `make clean && make wolfboot.srec`
+Generate Motorola HEX file to write wrapped key to flash.
 
-9) Sign application
+```
+$ C:\Renesas\SecurityKeyManagementTool\cli\skmt.exe -genkey -ufpk file=./sample.key -wufpk file=./sample.key_enc.key -key file=./pub-ecc384.pem -mcu RX-TSIP -keytype secp384r1-public -output pub-ecc384.srec -filetype "mot" -address 0xFFFF0000
+```
+
+The generated file is a Motorola HEX (S-Record) formatted image containing the wrapped public key with instructions to use the `0xFFFF0000` address.
+
+The flash memory address `0xFFFF0000` must be set in two places:
+a) The `RENESAS_TSIP_INSTALLEDKEY_ADDR` macro in `user_settings.h`
+b) The linker script .rot section in `hal/rx72n.ld` or `hal/rx65n.ld`
+
+8) Edit .config `PKA?=1`.
+
+9) Rebuild wolfBoot. `make clean && make wolfboot.srec`
+
+10) Sign application
 
 Sign application using the created private key above `pri-ecc384.der`:
 
@@ -110,3 +124,7 @@ Calculating SHA256 digest...
 Signing the digest...
 Output image(s) successfully created.
 ```
+
+11) Flash wolfboot.srec, pub-ecc384.srec and signed application binary
+
+Download files to flash using Renesas flash programmer.
diff --git a/hal/rx65n.ld b/hal/rx65n.ld
index 562a3edea..74b6599ec 100644
--- a/hal/rx65n.ld
+++ b/hal/rx65n.ld
@@ -23,6 +23,12 @@ SECTIONS
 KEEP(*(.fvectors))
 } = 0x4
 
+ .rot 0xFFFF0000 :
+ {
+ /* Reserved space for Wrapped Public Key (See docs/Renesas.md) */
+ KEEP(*(.rot))
+ } = 0x2000 /* 8KB (min sector size) */
+
 .rvectors ORIGIN(ROM) :
 {
 _rvectors_start = .;
diff --git a/hal/rx72n.ld b/hal/rx72n.ld
index 09833cfc6..6e632c01a 100644
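Review bot: The `= 0x2000` after the closing brace of the new `.rot` section in hal/rx65n.ld is a GNU ld fill expression rather than a size, so the 8KB named in the comment is not reserved (the neighbouring `.fvectors` `= 0x4` has the same form). Nothing visible in this patch contributes `.rot` input, so the output section is presumably empty and the linker has no reason to complain if bootloader sections are placed in 0xFFFF0000–0xFFFF1FFF, the sector the separately flashed wrapped key occupies; `ORIGIN(ROM)` for the following `.rvectors` is defined outside the hunk and is worth checking against that range. Size the section explicitly, e.g. `.rot 0xFFFF0000 (NOLOAD) :` with `. = 0x2000;` after the `KEEP`, and add an `ASSERT` that no bootloader section starts inside the range. The identical hunk in hal/rx72n.ld needs the same change.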
--- a/hal/rx72n.ld
+++ b/hal/rx72n.ld
@@ -22,6 +22,12 @@ SECTIONS
 KEEP(*(.fvectors))
 } = 0x4
 
+ .rot 0xFFFF0000 :
+ {
+ /* Reserved space for Wrapped Public Key (See docs/Renesas.md) */
+ KEEP(*(.rot))
+ } = 0x2000 /* 8KB (min sector size) */
+
 .rvectors ORIGIN(ROM) :
 {
 _rvectors_start = .;
diff --git a/include/user_settings.h b/include/user_settings.h
index 7504105f5..712b54ce4 100755
--- a/include/user_settings.h
+++ b/include/user_settings.h
@@ -444,8 +444,7 @@ extern int tolower(int c);
 #define WOLFSSL_RENESAS_TSIP_CRYPT
 #define WOLFSSL_RENESAS_TSIP_CRYPTONLY
 #define NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH
- /* from key_data.h */
- #define RENESAS_TSIP_INSTALLEDKEY_ADDR (&g_enc_pub_key)
+ #define RENESAS_TSIP_INSTALLEDKEY_ADDR 0xFFFF0000
 #define ENCRYPTED_KEY_BYTE_SIZE ENC_PUB_KEY_SIZE
 #define RENESAS_DEVID 7890
 #endif
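Review bot: `RENESAS_TSIP_INSTALLEDKEY_ADDR` in include/user_settings.h changes from a pointer expression (`&g_enc_pub_key`) to a bare integer literal that duplicates the address hard-coded in both linker scripts and in the `skmt -address` argument, with nothing tying the copies together. Because this is the address the boot-time verification key is read from, a mismatch or an unprogrammed sector means whatever is in flash there is handed to the TSIP; the consumers are outside this hunk, so confirm they cast the value to the expected pointer type and fail closed on erased contents. I would write it as `#ifndef RENESAS_TSIP_INSTALLEDKEY_ADDR` / `#define RENESAS_TSIP_INSTALLEDKEY_ADDR 0xFFFF0000UL` / `#endif`, preceded by the comment `/* must match .rot in hal/rx*.ld and the skmt -address (docs/Renesas.md) */`. `ENCRYPTED_KEY_BYTE_SIZE` still expands to `ENC_PUB_KEY_SIZE`, which presumably still comes from key_data.h even though the `/* from key_data.h */` comment is removed. The enclosing `#if` block starts outside the hunk.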