bootloader: Add fault injection resistance to Secure Boot bootloader verification

Goal is that multiple faults would be required to bypass a boot-time signature check. - Also strengthens some address range checks for safe app memory addresses - Change pre-enable logic to also check the bootloader signature before enabling SBV2 on ESP32 Add some additional checks for invalid sections: - Sections only partially in DRAM or IRAM are invalid - If a section is in D/IRAM, allow the possibility only some is in D/IRAM - Only pass sections that are entirely in the same type of RTC memory region
2025-08-10 04:43:33 +00:00 · 2020-02-16 16:51:42 +11:00
parent 0dacff4df4
commit d40c69375c
21 changed files with 712 additions and 119 deletions
--- a/components/heap/heap_caps.c
+++ b/components/heap/heap_caps.c
@@ -39,17 +39,16 @@ possible. This should optimize the amount of RAM accessible to the code without
 IRAM_ATTR static void *dram_alloc_to_iram_addr(void *addr, size_t len)
 {
    uintptr_t dstart = (uintptr_t)addr; //First word
-    uintptr_t dend = dstart + len; //Last word + 4
+    uintptr_t dend = dstart + len - 4; //Last word
    assert(esp_ptr_in_diram_dram((void *)dstart));
    assert(esp_ptr_in_diram_dram((void *)dend));
    assert((dstart & 3) == 0);
    assert((dend & 3) == 0);
-#if SOC_DIRAM_INVERTED
-    uint32_t istart = SOC_DIRAM_IRAM_LOW + (SOC_DIRAM_DRAM_HIGH - dend);
+#ifdef SOC_DIRAM_INVERTED // We want the word before the result to hold the DRAM address
+    uint32_t *iptr = esp_ptr_diram_dram_to_iram((void *)dend);
 #else
-    uint32_t istart = SOC_DIRAM_IRAM_LOW + (dstart - SOC_DIRAM_DRAM_LOW);
+    uint32_t *iptr = esp_ptr_diram_dram_to_iram((void *)dstart);
 #endif
-    uint32_t *iptr = (uint32_t *)istart;
    *iptr = dstart;
    return iptr + 1;
 }
--- a/components/heap/test/test_diram.c
+++ b/components/heap/test/test_diram.c
@@ -0,0 +1,74 @@
+/*
+ Tests for D/IRAM support in heap capability allocator
+*/
+
+#include <esp_types.h>
+#include <stdio.h>
+#include "unity.h"
+#include "esp_heap_caps.h"
+#include "soc/soc_memory_layout.h"
+
+#define ALLOC_SZ 1024
+
+static void *malloc_block_diram(uint32_t caps)
+{
+    void *attempts[256] = { 0 }; // Allocate up to 256 ALLOC_SZ blocks to exhaust all non-D/IRAM memory temporarily
+    int count = 0;
+    void *result;
+
+    while(count < sizeof(attempts)/sizeof(void *)) {
+        result = heap_caps_malloc(ALLOC_SZ, caps);
+        TEST_ASSERT_NOT_NULL_MESSAGE(result, "not enough free heap to perform test");
+
+        if (esp_ptr_in_diram_dram(result) || esp_ptr_in_diram_iram(result)) {
+            break;
+        }
+
+        attempts[count] = result;
+        result = NULL;
+        count++;
+    }
+
+    for (int i = 0; i < count; i++) {
+        free(attempts[i]);
+    }
+
+    TEST_ASSERT_NOT_NULL_MESSAGE(result, "not enough D/IRAM memory is free");
+    return result;
+}
+
+TEST_CASE("Allocate D/IRAM as DRAM", "[heap]")
+{
+    uint32_t *dram = malloc_block_diram(MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
+
+    for (int i = 0; i < ALLOC_SZ / sizeof(uint32_t); i++) {
+        uint32_t v = i + 0xAAAA;
+        dram[i] = v;
+        volatile uint32_t *iram = esp_ptr_diram_dram_to_iram(dram + i);
+        TEST_ASSERT_EQUAL(v, dram[i]);
+        TEST_ASSERT_EQUAL(v, *iram);
+        *iram = UINT32_MAX;
+        TEST_ASSERT_EQUAL(UINT32_MAX, *iram);
+        TEST_ASSERT_EQUAL(UINT32_MAX, dram[i]);
+    }
+
+    free(dram);
+}
+
+TEST_CASE("Allocate D/IRAM as IRAM", "[heap]")
+{
+    uint32_t *iram = malloc_block_diram(MALLOC_CAP_EXEC);
+
+    for (int i = 0; i < ALLOC_SZ / sizeof(uint32_t); i++) {
+        uint32_t v = i + 0xEEE;
+        iram[i] = v;
+        volatile uint32_t *dram = esp_ptr_diram_iram_to_dram(iram + i);
+        TEST_ASSERT_EQUAL_HEX32(v, iram[i]);
+        TEST_ASSERT_EQUAL_HEX32(v, *dram);
+        *dram = UINT32_MAX;
+        TEST_ASSERT_EQUAL_HEX32(UINT32_MAX, *dram);
+        TEST_ASSERT_EQUAL_HEX32(UINT32_MAX, iram[i]);
+    }
+
+    free(iram);
+}