boards: apollo3: Support loading signed applications by alistair23 · Pull Request #4232 · tock/tock · GitHub

boards: apollo3: Support loading signed applications #4232

Merged
merged 3 commits into from
Nov 15, 2024

Conversation

alistair23
Contributor

Pull Request Overview

If the "atecc508a" feature is enabled, we can do application signature verification.

The application is signed like this:

```shell
elf2tab -n sensor-receive --stack 2048 --app-heap 1024 --kernel-heap 1024 \
    --kernel-major 2 --kernel-minor 0 --minimum-footer-size 3000 \
    -o build/sensor-receive.tab \
    build/cortex-m0/cortex-m0.elf \
    build/cortex-m3/cortex-m3.elf \
    build/cortex-m4/cortex-m4.elf \
    build/cortex-m7/cortex-m7.elf \
    build/rv32imac/rv32imac.0x20040080.0x80002800.elf \
    build/rv32imac/rv32imac.0x403B0080.0x3FCC0000.elf \
    build/rv32imc/rv32imc.0x41000080.0x42008000.elf \
    build/rv32imc/rv32imc.0x00080080.0x40008000.elf \
    build/rv32imc/rv32imc.0x20030080.0x10005000.elf \
    build/rv32imc/rv32imc.0x20030880.0x10008000.elf \
    build/rv32imc/rv32imc.0x20032080.0x10008000.elf \
    build/rv32imc/rv32imc.0x20034080.0x10008000.elf \
    build/rv32imac/rv32imac.0x40430080.0x80004000.elf \
    build/rv32imac/rv32imac.0x40440080.0x80007000.elf \
    --ecdsa-nist-p256-private p256-private-key.p8 \
    --verbose
```

This then generates the following log with debug prints enabled:

```
Initialization complete. Entering main loop
Looking for process binary in flash=0x00040000-0x000D5FFF
Checking: Checking Some("sensor-receive") footer 0
Checking: Integrity region is 40000-50798; footers at 50798-60000
Checking: Current footer slice 50798-60000
ProcessCheck: @50798 found a len 68 footer: EcdsaNistP256
Checking: Found 0, checking
Checking: Check status for process sensor-receive, footer 0: Checking
Checking: check_done gave result Ok(Accept(None))
Loading: Check succeeded for process sensor-receive
Looking for process binary in flash=0x00060000-0x000D5FFF
Loading: process flash=0x00040000-0x0005FFFF ram=0x100082B8-0x1005FFFF
Loading: sensor-receive [0] flash=0x00040000-0x00060000 ram=0x1000A000-0x1000DFFF
Loading: Loaded process sensor-receive
```

Testing Strategy

Loading a signed application, with this diff:

diff --git a/boards/apollo3/lora_things_plus/Cargo.toml b/boards/apollo3/lora_things_plus/Cargo.toml
index dccb1e2f6..e1023f1de 100644
--- a/boards/apollo3/lora_things_plus/Cargo.toml
+++ b/boards/apollo3/lora_things_plus/Cargo.toml
@@ -29,7 +29,7 @@ tock_build_scripts = { path = "../../build_scripts" }
 workspace = true
 
 [features]
-default = []
+default = ["atecc508a"]
 
 # This feature enables support for the ATECC508A Cryptographic Co-Processor
 # Breakout. If you connect one of these
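Review bot: `+default = ["atecc508a"]` turns the co-processor driver on for every build of lora_things_plus, while the context comment right below says the feature is meant for boards that have the ATECC508A breakout connected; this is fine as a local testing change, but the description should state that the diff is for reproducing the log only and that signature verification requires building with the `atecc508a` feature rather than the board default.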
diff --git a/kernel/src/config.rs b/kernel/src/config.rs
index 043d0c045..a0dd44e9e 100644
--- a/kernel/src/config.rs
+++ b/kernel/src/config.rs
@@ -89,7 +89,7 @@ pub(crate) struct Config {
 /// Cargo features.
 pub(crate) const CONFIG: Config = Config {
     trace_syscalls: cfg!(feature = "trace_syscalls"),
-    debug_load_processes: cfg!(feature = "debug_load_processes"),
+    debug_load_processes: true,
     debug_panics: !cfg!(feature = "no_debug_panics"),
-    debug_process_credentials: cfg!(feature = "debug_process_credentials"),
+    debug_process_credentials: true,
 };
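Review bot: `+    debug_load_processes: true,` and `+    debug_process_credentials: true,` replace the `cfg!(feature = ...)` gates with hard-coded constants, so the credential-checking debug output quoted above can no longer be switched off at build time; this must stay out of kernel/src/config.rs, and the Testing Strategy text should say the diff exists only to produce the log, with the features enabled on the command line instead.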

TODO or Help Wanted

N/A

Documentation Updated

  • Updated the relevant files in /docs, or no updates are required.

Formatting

  • Ran make prepush.
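As an added example (not code from the PR or from the Tock tree), the following audits a load log like the one quoted above for coherence: the integrity region must abut the footers region, every credential footer must fit inside it and be of a trusted type, and an `Accept` verdict with no such footer is flagged. The sample log is constructed from the PR's output, the field layouts are assumed from those lines, and the allow-list is a hypothetical board configuration.

```python
import re

# Constructed sample, taken from the debug output quoted in the PR description.
SAMPLE_LOG = """\
Checking: Integrity region is 40000-50798; footers at 50798-60000
ProcessCheck: @50798 found a len 68 footer: EcdsaNistP256
Checking: check_done gave result Ok(Accept(None))
Loading: sensor-receive [0] flash=0x00040000-0x00060000 ram=0x1000A000-0x1000DFFF
"""
# Credential types this board is assumed to trust (hypothetical allow-list).
ACCEPTED_FOOTERS = {"EcdsaNistP256"}
HEX = r"([0-9A-Fa-f]+)"
RE_REGION = re.compile(rf"Integrity region is {HEX}-{HEX}; footers at {HEX}-{HEX}")
RE_FOOTER = re.compile(rf"ProcessCheck: @{HEX} found a len (\d+) footer: (\w+)")
RE_RESULT = re.compile(r"check_done gave result (\S+)")
RE_FLASH = re.compile(rf"Loading: \S+ \[\d+\] flash=0x{HEX}-0x{HEX}")

# Pull the integrity region, footers and checker verdict out of one process load.
def parse_log(text):
    rec = {"footers": []}
    for line in text.splitlines():
        if m := RE_REGION.search(line):
            rec["integrity"] = (int(m[1], 16), int(m[2], 16))
            rec["footers_region"] = (int(m[3], 16), int(m[4], 16))
        elif m := RE_FOOTER.search(line):
            rec["footers"].append((int(m[1], 16), int(m[2]), m[3]))
        elif m := RE_RESULT.search(line):
            rec["result"] = m[1]
        elif m := RE_FLASH.search(line):
            rec["flash"] = (int(m[1], 16), int(m[2], 16))
    return rec

# Return the inconsistencies found; an empty list means the load is coherent.
def audit(rec):
    if any(k not in rec for k in ("integrity", "footers_region", "flash", "result")):
        return ["log incomplete: missing region, flash or verdict line"]
    issues = []
    i_start, i_end = rec["integrity"]
    f_start, f_end = rec["footers_region"]
    if i_end != f_start:
        issues.append("integrity region and footers do not abut")
    if (i_start, f_end) != rec["flash"]:
        issues.append("signed region plus footers do not cover the process flash")
    for off, length, kind in rec["footers"]:
        if not (f_start <= off and off + length <= f_end):
            issues.append(f"footer at {off:x} overruns the footers region")
        if kind not in ACCEPTED_FOOTERS:
            issues.append(f"credential type {kind} is not in the allow-list")
    trusted = any(k in ACCEPTED_FOOTERS for _, _, k in rec["footers"])
    if rec["result"].startswith("Ok(Accept") and not trusted:
        issues.append("process accepted without a trusted credential footer")
    return issues
```

Running `audit(parse_log(SAMPLE_LOG))` on the quoted log returns an empty list; a log that reports `Accept` for a process whose only footer is of an untrusted type, or that has no credential footer at all, is reported as an issue.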

Member
@alevy alevy left a comment


Generally looks good, but two of the under-the-radar changes warrant an explanation or potentially a better solution.

kernel::static_buf!(
capsules_system::storage_permissions::tbf_header::TbfHeaderStoragePermissions<
$C,
$D,
Member

This is just fixing a missing parameter that wasn't working before this PR, yes?

Contributor Author

Yeah, the current code doesn't compile; this just fixes it so it does compile when we go to use it.

@@ -1016,7 +1016,7 @@ impl<'a> I2CClient for Atecc508a<'a> {
Operation::ShaEnd(run) => {
if status == Err(i2c::Error::DataNak) || status == Err(i2c::Error::AddressNak) {
// The device isn't ready yet, try again
if run == 50 {
if run == 500 {
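Review bot: the change from `if run == 50 {` to `if run == 500 {` raises a count of NAK retries, not a time bound, so the effective ShaEnd timeout depends on how quickly the I2C driver re-polls and grows with the amount of data hashed; a comment recording why 500 was chosen (hashing an entire application rather than the small test inputs) would help future readers, and a wait derived from the device's documented ready time would be more robust than a retry count.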
Member

Why? Why was it working before but not now? Is this just a magic number that happens to sort of work? The datasheet seems to indicate a specific amount of time to wait until the device is ready (~600us it looks like)

Contributor Author
@alistair23 alistair23 Nov 15, 2024


It worked before, but only for small amounts of data (which is all the test cases do). When I tried to SHA an entire application it would timeout.

It's just a magic number that works.

See the commit 6aa39e0 for details.

@alevy alevy assigned bradjc and unassigned lschuermann Nov 15, 2024
Increase the SHA timeout to ensure that if we are processing a lot of
data (like an entire application) the operation finishes within the
timeout.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
If the "atecc508a" feature is enabled, we can do signature verification.

The application is signed like this:

```shell
elf2tab -n sensor-receive --stack 2048 --app-heap 1024 --kernel-heap 1024 \
    --kernel-major 2 --kernel-minor 0 --minimum-footer-size 3000 \
    -o build/sensor-receive.tab \
    build/cortex-m0/cortex-m0.elf \
    build/cortex-m3/cortex-m3.elf \
    build/cortex-m4/cortex-m4.elf \
    build/cortex-m7/cortex-m7.elf \
    build/rv32imac/rv32imac.0x20040080.0x80002800.elf \
    build/rv32imac/rv32imac.0x403B0080.0x3FCC0000.elf \
    build/rv32imc/rv32imc.0x41000080.0x42008000.elf \
    build/rv32imc/rv32imc.0x00080080.0x40008000.elf \
    build/rv32imc/rv32imc.0x20030080.0x10005000.elf \
    build/rv32imc/rv32imc.0x20030880.0x10008000.elf \
    build/rv32imc/rv32imc.0x20032080.0x10008000.elf \
    build/rv32imc/rv32imc.0x20034080.0x10008000.elf \
    build/rv32imac/rv32imac.0x40430080.0x80004000.elf \
    build/rv32imac/rv32imac.0x40440080.0x80007000.elf \
    --ecdsa-nist-p256-private p256-private-key.p8 \
    --verbose
```

This then generates the following log with debug prints enabled:

```
Initialization complete. Entering main loop
Looking for process binary in flash=0x00040000-0x000D5FFF
Checking: Checking Some("sensor-receive") footer 0
Checking: Integrity region is 40000-50798; footers at 50798-60000
Checking: Current footer slice 50798-60000
ProcessCheck: @50798 found a len 68 footer: EcdsaNistP256
Checking: Found 0, checking
Checking: Check status for process sensor-receive, footer 0: Checking
Checking: check_done gave result Ok(Accept(None))
Loading: Check succeeded for process sensor-receive
Looking for process binary in flash=0x00060000-0x000D5FFF
Loading: process flash=0x00040000-0x0005FFFF ram=0x100082B8-0x1005FFFF
Loading: sensor-receive [0] flash=0x00040000-0x00060000 ram=0x1000A000-0x1000DFFF
Loading: Loaded process sensor-receive
```

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
@alistair23 alistair23 force-pushed the alistair/ecc-sig-support branch from acf968d to ed69bb0 Compare November 15, 2024 01:37
@alevy alevy added this pull request to the merge queue Nov 15, 2024
Merged via the queue into tock:master with commit 9d25711 Nov 15, 2024
12 checks passed
@alistair23 alistair23 deleted the alistair/ecc-sig-support branch November 17, 2024 22:59