Merged
23 commits
2ee4108
F-4411: fix uint32_t->int cast bypassing anti-rollback in hwswap wolf…
danielinux Jun 11, 2026
1016c4d
F-4410: fix uint32_t->int cast bypassing anti-rollback in update_ram …
danielinux Jun 11, 2026
e81f262
F-3974: zero ENCRYPT_CACHE stack buffer before return in hal_set_key
danielinux Jun 11, 2026
108a33c
F-3973: validate in_vec[N].len before dereferencing typed PS IPC poin…
danielinux Jun 11, 2026
61dbd25
F-3972: add direction-sensitive unit tests for wolfBoot_dualboot_cand…
danielinux Jun 11, 2026
1690522
F-3970: serialise custom TLV integer values through header_store_u64_le
danielinux Jun 11, 2026
889788d
F-3968: emit build-time warning when ALLOW_DOWNGRADE=1 is set
danielinux Jun 11, 2026
2f53d0d
F-3966: fix hal_flash_erase loop bound in stm32wb.c skipping final pa…
danielinux Jun 11, 2026
15e4b81
F-3965: fix hal_flash_erase loop bound in stm32l0.c skipping final pa…
danielinux Jun 11, 2026
2f8f0c6
F-3964: fix hal_flash_erase loop bound in stm32g0.c skipping final pa…
danielinux Jun 11, 2026
4b95dc2
F-3963: fix hal_flash_erase loop bound in stm32c0.c skipping final pa…
danielinux Jun 11, 2026
ef85a1e
F-3962: fix hal_flash_erase loop bound in stm32u3.c skipping final pa…
danielinux Jun 11, 2026
a10a993
F-3741: zeroize digest and hash in uds_from_uid for stm32l5/stm32h5
danielinux Jun 11, 2026
ddf05a9
F-3738: fix policySz uint16_t underflow in wolfBoot_unseal_blob for s…
danielinux Jun 11, 2026
2365e45
F-3736: fix pA_ver/pB_ver int/uint32_t mismatch in update_disk wolfBo…
danielinux Jun 11, 2026
5cec621
F-3735: fix EndingAddress uint32_t* arithmetic in x86_64_efi_do_boot
danielinux Jun 11, 2026
524397d
F-5675: fix signed-overflow UB from uint8_t<<24 in serve_update versi…
danielinux Jun 11, 2026
f600fe9
F-4968: fix wc_FreeRsaKey missing on early-return paths in wolfHSM RS…
danielinux Jun 11, 2026
e9b70fe
F-3969: warn when WOLFBOOT_UDS_UID_FALLBACK_FORTEST=1 weakens UDS to …
danielinux Jun 11, 2026
333055d
F-3967: propagate HAL_Spi_Transmit errors in FRAM_Write and FRAM_Init
danielinux Jun 11, 2026
405a142
F-3740: add roundtrip test for shrinking firmware delta (size_a > siz…
danielinux Jun 11, 2026
809b98d
F-3734: add unit tests for magic check and item_count boundary in fla…
danielinux Jun 11, 2026
fe934ff
Fix two regressions after the fenrir changes
danielinux Jun 11, 2026
11 changes: 11 additions & 0 deletions .gitignore
Expand Up @@ -185,6 +185,8 @@ tools/unit-tests/unit-update-flash-self-update
tools/unit-tests/unit-update-flash-hook
tools/unit-tests/unit-loader-tpm-init
tools/unit-tests/unit-update-ram-nofixed
tools/unit-tests/unit-update-ram-noramboot
tools/unit-tests/unit-update-flash-hwswap
tools/unit-tests/unit-uart-flash
tools/unit-tests/unit-max-space
tools/unit-tests/unit-sdhci-disk-unaligned
Expand All @@ -200,6 +202,15 @@ tools/unit-tests/unit-mpusize
tools/unit-tests/unit-otp-keystore
tools/unit-tests/unit-tpm-api-names
tools/unit-tests/unit-elf-bss-guard
tools/unit-tests/unit-fit-fpga
tools/unit-tests/unit-flash-erase-c0
tools/unit-tests/unit-flash-erase-g0
tools/unit-tests/unit-flash-erase-l0
tools/unit-tests/unit-flash-erase-u3
tools/unit-tests/unit-flash-erase-wb
tools/unit-tests/unit-fwtpm-nv-oob
tools/unit-tests/unit-x86-paging-oob



# Elf preprocessing tools
14 changes: 13 additions & 1 deletion hal/stm32c0.c
Expand Up @@ -20,18 +20,24 @@
*/

#include <stdint.h>
#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
#include <image.h>
#endif

#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
#ifndef NVM_FLASH_WRITEONCE
# error "wolfBoot STM32C0 HAL: no WRITEONCE support detected. Please define NVM_FLASH_WRITEONCE"
#endif
#endif

/* STM32 C0 register configuration */

/* Assembly helpers */
#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
#define DMB() __asm__ volatile ("dmb")
#define ISB() __asm__ volatile ("isb")
#define DSB() __asm__ volatile ("dsb")
#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */


/*** RCC ***/
Expand Down Expand Up @@ -65,12 +71,14 @@
#define SYSCFG_APB2_CLOCK_ER_VAL (1 << 0) /* RM0490 - 5.4.14 - RCC_APBENR2 - SYSCFGEN */

#define FLASH_BASE (0x40022000) /*FLASH_R_BASE = 0x40000000UL + 0x00020000UL + 0x00002000UL */
#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
#define FLASH_ACR (*(volatile uint32_t *)(FLASH_BASE + 0x00)) /* RM0490 - 3.7.1 - FLASH_ACR */
#define FLASH_KEY (*(volatile uint32_t *)(FLASH_BASE + 0x08)) /* RM0490 - 3.7.2 - FLASH_KEYR */
#define FLASH_OPTKEY (*(volatile uint32_t *)(FLASH_BASE + 0x0C)) /* RM0490 - 3.7.3 - FLASH_OPTKEYR */
#define FLASH_SR (*(volatile uint32_t *)(FLASH_BASE + 0x10)) /* RM0490 - 3.7.4 - FLASH_SR */
#define FLASH_CR (*(volatile uint32_t *)(FLASH_BASE + 0x14)) /* RM0490 - 3.7.5 - FLASH_CR */
#define FLASH_SECR (*(volatile uint32_t *)(FLASH_BASE + 0x80)) /* RM0490 - 3.7.13 - FLASH_SECR */
#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */

#define FLASHMEM_ADDRESS_SPACE (0x08000000)
#define FLASH_PAGE_SIZE (0x800) /* 2KB */
Expand Down Expand Up @@ -108,6 +116,7 @@
#define FLASH_OPTKEY2 (0x4C5D6E7F)


#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
static void RAMFUNCTION flash_set_waitstates(unsigned int waitstates)
{
uint32_t reg, mask_val, set_val;
Expand Down Expand Up @@ -191,6 +200,7 @@ void RAMFUNCTION hal_flash_lock(void)
if ((FLASH_CR & FLASH_CR_LOCK) == 0)
FLASH_CR |= FLASH_CR_LOCK;
}
#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */


int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
Expand All @@ -199,7 +209,7 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
uint32_t p;
if (len == 0)
return -1;
end_address = address + len - 1;
end_address = address + len;
for (p = address; p < end_address; p += FLASH_PAGE_SIZE) {
uint32_t reg = FLASH_CR & (~(FLASH_CR_PNB_MASK << FLASH_CR_PNB_SHIFT));
FLASH_CR = reg | ((p >> FLASH_PAGE_SIZE_SHIFT) << FLASH_CR_PNB_SHIFT) | FLASH_CR_PER;
Expand All @@ -211,6 +221,7 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
return 0;
}

#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
static void clock_pll_off(void)
{
uint32_t reg32;
Expand Down Expand Up @@ -308,3 +319,4 @@ void RAMFUNCTION hal_prepare_boot(void)
do_secure_boot();
#endif
}
#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */
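Review bot: `hal_flash_erase` takes `len` as a signed `int`, but the guard just above the changed line only rejects `len == 0`. A negative `len` is converted to unsigned in `end_address = address + len`, so the sum wraps: either the loop never runs and the function returns 0 as if the range had been erased, or it runs far past the intended range. Tightening the guard to `if (len <= 0) return -1;` makes that case fail visibly. The same `len == 0` guard is visible in the hal/stm32g0.c and hal/stm32l0.c sections; the hal/stm32u3.c hunk does not show its length check, so it should be confirmed there too. Part of the loop body is collapsed between hunks in this view.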
14 changes: 13 additions & 1 deletion hal/stm32g0.c
Expand Up @@ -20,18 +20,24 @@
*/

#include <stdint.h>
#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
#include <image.h>
#endif

#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
#ifndef NVM_FLASH_WRITEONCE
# error "wolfBoot STM32G0 HAL: no WRITEONCE support detected. Please define NVM_FLASH_WRITEONCE"
#endif
#endif

/* STM32 G0 register configuration */

/* Assembly helpers */
#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
#define DMB() __asm__ volatile ("dmb")
#define ISB() __asm__ volatile ("isb")
#define DSB() __asm__ volatile ("dsb")
#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */


/*** RCC ***/
Expand Down Expand Up @@ -63,11 +69,13 @@
#define SYSCFG_APB2_CLOCK_ER_VAL (1 << 0) /* RM0444 - 5.4.15 - RCC_APBENR2 - SYSCFGEN */

#define FLASH_BASE (0x40022000) /*FLASH_R_BASE = 0x40000000UL + 0x00020000UL + 0x00002000UL */
#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
#define FLASH_ACR (*(volatile uint32_t *)(FLASH_BASE + 0x00)) /* RM0444 - 3.7.1 - FLASH_ACR */
#define FLASH_KEY (*(volatile uint32_t *)(FLASH_BASE + 0x08)) /* RM0444 - 3.7.2 - FLASH_KEYR */
#define FLASH_SR (*(volatile uint32_t *)(FLASH_BASE + 0x10)) /* RM0444 - 3.7.4 - FLASH_SR */
#define FLASH_CR (*(volatile uint32_t *)(FLASH_BASE + 0x14)) /* RM0444 - 3.7.5 - FLASH_CR */
#define FLASH_SECR (*(volatile uint32_t *)(FLASH_BASE + 0x80)) /* RM0444 - 3.7.12 - FLASH_SECR */
#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */

#define FLASHMEM_ADDRESS_SPACE (0x08000000)
#define FLASH_PAGE_SIZE (0x800) /* 2KB */
Expand Down Expand Up @@ -103,6 +111,7 @@
#define FLASH_KEY2 (0xCDEF89AB)


#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
static void RAMFUNCTION flash_set_waitstates(unsigned int waitstates)
{
uint32_t reg = FLASH_ACR;
Expand Down Expand Up @@ -181,6 +190,7 @@ void RAMFUNCTION hal_flash_lock(void)
if ((FLASH_CR & FLASH_CR_LOCK) == 0)
FLASH_CR |= FLASH_CR_LOCK;
}
#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */


int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
Expand All @@ -190,7 +200,7 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
if (len == 0)
return -1;
address -= FLASHMEM_ADDRESS_SPACE;
end_address = address + len - 1;
end_address = address + len;
for (p = address; p < end_address; p += FLASH_PAGE_SIZE) {
while (FLASH_SR & (FLASH_SR_BSY1 | FLASH_SR_BSY2));
flash_clear_errors();
Expand All @@ -210,6 +220,7 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
return 0;
}

#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
static void clock_pll_off(void)
{
uint32_t reg32;
Expand Down Expand Up @@ -356,3 +367,4 @@ void RAMFUNCTION hal_prepare_boot(void)
do_secure_boot();
#endif
}
#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */
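Review bot: The new bound `p < end_address`, with `p` starting at `address`, covers every page in the range only when `address` is a multiple of `FLASH_PAGE_SIZE`. With an unaligned start the loop runs `len / FLASH_PAGE_SIZE` rounded up times, which can be one fewer than the number of pages the range touches, so the last page may still be left unerased. If callers always pass page-aligned addresses (not visible here), record that on the function, e.g. `/* address must be FLASH_PAGE_SIZE-aligned; len is rounded up to whole pages */`; otherwise start the loop from the aligned-down address. The loops in hal/stm32c0.c, hal/stm32l0.c and hal/stm32u3.c have the same shape.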
18 changes: 10 additions & 8 deletions hal/stm32h5.c
Expand Up @@ -182,6 +182,14 @@ __attribute__((weak)) int stm32h5_obkeys_read_uds(uint8_t *out, size_t out_len)
#endif

#if defined(WOLFCRYPT_TZ_PSA)
static NOINLINEFUNCTION void hal_secret_zeroize(void *ptr, size_t len)
{
volatile uint8_t *p = (volatile uint8_t *)ptr;
while (len-- > 0U) {
*p++ = 0U;
}
}

static int uds_from_uid(uint8_t *out, size_t out_len)
{
uint8_t uid[12];
Expand Down Expand Up @@ -231,6 +239,8 @@ static int uds_from_uid(uint8_t *out, size_t out_len)
copy_len = out_len;
}
memcpy(out, digest, copy_len);
hal_secret_zeroize(digest, sizeof(digest));
hal_secret_zeroize(&hash, sizeof(hash));
return 0;
}

Expand All @@ -246,14 +256,6 @@ static int buffer_is_all_value(const uint8_t *buf, size_t len, uint8_t value)
return 1;
}

static NOINLINEFUNCTION void hal_secret_zeroize(void *ptr, size_t len)
{
volatile uint8_t *p = (volatile uint8_t *)ptr;
while (len-- > 0U) {
*p++ = 0U;
}
}

int hal_uds_derive_key(uint8_t *out, size_t out_len)
{
#if defined(FLASH_OTP_KEYSTORE)
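Review bot: The two `hal_secret_zeroize` calls sit only on the success path of `uds_from_uid`, directly after `memcpy(out, digest, copy_len)`. The middle of the function is collapsed in this view, so this cannot be confirmed here, but if any hashing step returns early on error, `digest` and `hash` would stay on the stack holding partial UDS-derivation state. Routing every exit through one cleanup point that wipes both before returning would close that gap; the same applies to the matching hunk in hal/stm32l5.c. `uid` is not wiped either, which is presumably acceptable if the UID is readable device data, but a one-line comment saying so would make the choice explicit.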
15 changes: 13 additions & 2 deletions hal/stm32l0.c
Expand Up @@ -20,11 +20,15 @@
*/

#include <stdint.h>
#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
#include <image.h>
#endif
/* STM32 L0 register configuration */

/* Assembly helpers */
#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
#define DMB() __asm__ volatile ("dmb")
#endif

/*** RCC ***/

Expand All @@ -49,11 +53,13 @@
#define PWR_APB1_CLOCK_ER_VAL (1 << 28)
#define FLASH_BASE (0x40022000)
#define FLASH_ACR (*(volatile uint32_t *)(FLASH_BASE + 0x00))
#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
#define FLASH_PECR (*(volatile uint32_t *)(FLASH_BASE + 0x04))
#define FLASH_PEKEY (*(volatile uint32_t *)(FLASH_BASE + 0x0c))
#define FLASH_PRGKEY (*(volatile uint32_t *)(FLASH_BASE + 0x10))
#define FLASH_SR (*(volatile uint32_t *)(FLASH_BASE + 0x18))
#define FLASHMEM_ADDRESS_SPACE (0x08000000)
#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */
#define FLASH_PAGE_SIZE (128)

/* Register values */
Expand All @@ -73,6 +79,7 @@
#define FLASH_PECR_ERASE (1 << 9)


#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
static void RAMFUNCTION flash_set_waitstates(unsigned int waitstates)
{
if (waitstates && ((FLASH_ACR & 1) == 0))
Expand All @@ -82,6 +89,7 @@ static void RAMFUNCTION flash_set_waitstates(unsigned int waitstates)
while ((FLASH_ACR & 1) != waitstates)
;
}
#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */

static RAMFUNCTION void flash_wait_complete(void)
{
Expand All @@ -94,6 +102,7 @@ static void RAMFUNCTION clear_errors(void)
FLASH_SR |= ( FLASH_SR_SIZERR | FLASH_SR_PGAERR | FLASH_SR_WRPERR | FLASH_SR_EOP );
}

#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
int RAMFUNCTION hal_flash_write(uint32_t address, const uint8_t *data, int len)
{
int i = 0;
Expand Down Expand Up @@ -151,6 +160,7 @@ void RAMFUNCTION hal_flash_lock(void)
if ((FLASH_PECR & FLASH_PECR_PRGLOCK) == 0)
FLASH_PECR |= FLASH_PECR_PRGLOCK;
}
#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */


int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
Expand All @@ -159,7 +169,7 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
uint32_t p;
if (len == 0)
return -1;
end_address = address + len - 1;
end_address = address + len;
for (p = address; p < end_address; p += FLASH_PAGE_SIZE) {
FLASH_PECR |= FLASH_PECR_PROG | FLASH_PECR_ERASE;
*(volatile uint32_t *)(p + FLASHMEM_ADDRESS_SPACE) = 0xFFFFFFFF;
Expand All @@ -169,6 +179,7 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
return 0;
}

#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
static void clock_pll_off(void)
{
uint32_t reg32;
Expand Down Expand Up @@ -270,4 +281,4 @@ void hal_prepare_boot(void)
clock_pll_off();
#endif
}

#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */
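Review bot: In the register-definition hunk the new `#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE` starts after `#define FLASH_ACR`, so `FLASH_ACR` stays outside the guard, whereas hal/stm32c0.c and hal/stm32g0.c place it inside. In a unit-test build `FLASH_ACR` therefore still expands to a dereference of the hardware address `0x40022000`. Its only user visible in this diff, `flash_set_waitstates`, is compiled out, so nothing breaks today, but a stray use would compile and touch that address on the host instead of failing the build. Moving the `#ifndef` one line up, above `#define FLASH_ACR`, keeps the three files consistent.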
10 changes: 10 additions & 0 deletions hal/stm32l5.c
Expand Up @@ -120,6 +120,14 @@ int RAMFUNCTION hal_flash_write(uint32_t address, const uint8_t *data, int len)
#define STM32L5_UID2 (*(volatile uint32_t *)(STM32L5_UID_BASE + 0x8))

#if defined(WOLFCRYPT_TZ_PSA)
static NOINLINEFUNCTION void hal_secret_zeroize(void *ptr, size_t len)
{
volatile uint8_t *p = (volatile uint8_t *)ptr;
while (len-- > 0U) {
*p++ = 0U;
}
}

static int uds_from_uid(uint8_t *out, size_t out_len)
{
uint8_t uid[12];
Expand Down Expand Up @@ -173,6 +181,8 @@ static int uds_from_uid(uint8_t *out, size_t out_len)
copy_len = out_len;
}
memcpy(out, digest, copy_len);
hal_secret_zeroize(digest, sizeof(digest));
hal_secret_zeroize(&hash, sizeof(hash));
return 0;
}

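Review bot: `hal_secret_zeroize` is now defined with an identical body in both hal/stm32h5.c and this file. Private copies of a security-sensitive helper tend to drift apart, so consider a single `static` definition in a shared HAL header, or reusing wolfCrypt's `ForceZero` if it is available in this configuration (not visible here). If the helper stays local, a comment on it such as `/* volatile stores so the wipe is not optimized away as a dead store */` would record why it is written byte-by-byte instead of calling `memset`.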
10 changes: 8 additions & 2 deletions hal/stm32u3.c
Expand Up @@ -27,13 +27,16 @@
*/

#include <stdint.h>
#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
#include <image.h>
#include <string.h>
#include "hal/stm32u3.h"
#include "hal.h"
#include "printf.h"
#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */
#include "hal/stm32u3.h"


#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
static void RAMFUNCTION flash_set_waitstates(unsigned int waitstates)
{
uint32_t reg = FLASH_ACR;
Expand Down Expand Up @@ -148,6 +151,7 @@ void RAMFUNCTION hal_flash_opt_lock(void)
if ((FLASH_NS_CR & FLASH_CR_OPTLOCK) == 0)
FLASH_NS_CR |= FLASH_CR_OPTLOCK;
}
#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */

/* Erase — matches STM32U5 hal pattern exactly (same Cortex-M33 flash controller) */
int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
Expand All @@ -161,7 +165,7 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
if (address < ARCH_FLASH_OFFSET)
return -1;

end_address = address + len - 1;
end_address = address + len;
for (p = address; p < end_address; p += FLASH_PAGE_SIZE) {
uint32_t reg;
uint32_t bker = 0;
Expand Down Expand Up @@ -194,6 +198,7 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
return 0;
}

#ifndef WOLFBOOT_UNIT_TEST_FLASH_ERASE
/* --- UART: USART1 on PA9 (TX) / PA10 (RX), AF7 --- */

#define USART1_BASE (0x40013800U)
Expand Down Expand Up @@ -356,3 +361,4 @@ void RAMFUNCTION hal_cache_invalidate(void)
;
ICACHE_SR |= ICACHE_SR_BSYENDF;
}
#endif /* !WOLFBOOT_UNIT_TEST_FLASH_ERASE */
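Review bot: The comment above `hal_flash_erase` still says the erase "matches STM32U5 hal pattern exactly", yet this change moves the loop bound to `address + len`. The commit list on this page names stm32c0, g0, l0, u3 and wb but not stm32u5, so either hal/stm32u5.c already uses the new bound or it still has `address + len - 1` and needs the same fix. That is worth checking, and if the two files now differ the comment should be reworded, e.g. `/* Erase: follows the STM32U5 HAL sequence */`. The loop body is collapsed between hunks, so the bank-selection logic is not reviewed here.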