From bc856a1e292a287962d629a074260a4cebcb000d Mon Sep 17 00:00:00 2001
From: Andrew Leech
Date: Thu, 17 Jun 2021 12:51:37 +1000
Subject: [PATCH] stm32/mboot: Verify signature of fsload packed DFU files before writing.

When verifying the DFU contents, the signature of signed/encrypted files is also now checked in this initial, dry-run stage.
---
 ports/stm32/mboot/fsload.c | 10 ++++------
 ports/stm32/mboot/main.c | 16 ++++++++++------
 ports/stm32/mboot/mboot.h | 2 +-
 ports/stm32/mboot/pack.c | 5 ++++-
 ports/stm32/mboot/pack.h | 2 +-
 5 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/ports/stm32/mboot/fsload.c b/ports/stm32/mboot/fsload.c
index 14864bb8956b..a54cfe4c73d3 100644
--- a/ports/stm32/mboot/fsload.c
+++ b/ports/stm32/mboot/fsload.c
@@ -151,13 +151,11 @@ static int fsload_program_file(bool write_to_flash) {
 if (res != l) {
 return -MBOOT_ERRNO_DFU_READ_ERROR;
 }
- if (write_to_flash) {
- res = do_write(elem_addr, buf, l);
- if (res != 0) {
- return res;
- }
- elem_addr += l;
+ res = do_write(elem_addr, buf, l, !write_to_flash);
+ if (res != 0) {
+ return res;
 }
+ elem_addr += l;
 s -= l;
 }
diff --git a/ports/stm32/mboot/main.c b/ports/stm32/mboot/main.c
index 976f0e54d27a..10a09fe3e15b 100644
--- a/ports/stm32/mboot/main.c
+++ b/ports/stm32/mboot/main.c
@@ -715,11 +715,15 @@ void do_read(mboot_addr_t addr, size_t len, uint8_t *buf) {
 #endif
 }
-int do_write(uint32_t addr, const uint8_t *src8, size_t len) {
+int do_write(uint32_t addr, const uint8_t *src8, size_t len, bool dry_run) {
 #if MBOOT_ENABLE_PACKING
- return mboot_pack_write(addr, src8, len);
+ return mboot_pack_write(addr, src8, len, dry_run);
 #else
- return hw_write(addr, src8, len);
+ if (dry_run) {
+ return 0;
+ } else {
+ return hw_write(addr, src8, len);
+ }
 #endif
 }
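Review bot: The dry-run call `do_write(elem_addr, buf, l, !write_to_flash)` carries a guarantee that depends on the build, and nothing at the call site says so: with MBOOT_ENABLE_PACKING the chunk's signature is verified before do_write returns, while in the non-packing build the dry run returns 0 without looking at the data at all (see the main.c hunk), so a successful verify pass there proves nothing about the file. I would add a comment above the call, `// Dry run (write_to_flash == false) verifies each element without touching flash; only the MBOOT_ENABLE_PACKING build actually checks the chunk signature here.` A named local, `bool dry_run = !write_to_flash;`, would also read better than the negation buried in the argument list. fsload_program_file begins, and its loop continues, outside this hunk.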
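Review bot: In the `#else` branch `dry_run` returns 0 before `hw_write` is consulted, so in a non-packing build a dry-run success says nothing about whether the target range is writable or the data acceptable, whereas the same call in the MBOOT_ENABLE_PACKING build rejects a bad signature; callers such as fsload's verify pass get two different contracts from one flag. If hw_write performs any target-address validation (not visible here) it would be worth keeping that check on the dry-run path. Stylistically the if/else collapses to `return dry_run ? 0 : hw_write(addr, src8, len);`, and a one-line comment above the definition stating the dry-run semantics would help the next reader. do_write is complete within the hunk, but do_read above it starts outside the view.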
@@ -844,7 +848,7 @@ void i2c_slave_process_rx_end(i2c_slave_t *i2c) {
 // Mark the 2 lower bits to indicate invalid app firmware
 buf[1] |= APP_VALIDITY_BITS;
 }
- int ret = do_write(i2c_obj.cmd_wraddr, buf + 1, len);
+ int ret = do_write(i2c_obj.cmd_wraddr, buf + 1, len, false);
 if (ret < 0) {
 len = ret;
 } else {
@@ -866,7 +870,7 @@ void i2c_slave_process_rx_end(i2c_slave_t *i2c) {
 len = -1;
 } else {
 buf &= ~APP_VALIDITY_BITS;
- int ret = do_write(APPLICATION_ADDR, (void*)&buf, 4);
+ int ret = do_write(APPLICATION_ADDR, (void*)&buf, 4, false);
 if (ret < 0) {
 len = ret;
 } else {
@@ -940,7 +944,7 @@ static int dfu_process_dnload(void) {
 } else if (dfu_context.wBlockNum > 1) {
 // write data to memory
 uint32_t addr = (dfu_context.wBlockNum - 2) * DFU_XFER_SIZE + dfu_context.addr;
- ret = do_write(addr, dfu_context.buf, dfu_context.wLength);
+ ret = do_write(addr, dfu_context.buf, dfu_context.wLength, false);
 }
 if (ret == 0) {
 return DFU_STATE_DNLOAD_IDLE;
diff --git a/ports/stm32/mboot/mboot.h b/ports/stm32/mboot/mboot.h
index 36acb313b6bf..e64835bb44cd 100644
--- a/ports/stm32/mboot/mboot.h
+++ b/ports/stm32/mboot/mboot.h
@@ -113,7 +113,7 @@ int hw_write(uint32_t addr, const uint8_t *src8, size_t len);
 int do_page_erase(uint32_t addr, uint32_t *next_addr);
 void do_read(mboot_addr_t addr, size_t len, uint8_t *buf);
-int do_write(uint32_t addr, const uint8_t *src8, size_t len);
+int do_write(uint32_t addr, const uint8_t *src8, size_t len, bool dry_run);
 const uint8_t *elem_search(const uint8_t *elem, uint8_t elem_id);
 int fsload_process(void);
diff --git a/ports/stm32/mboot/pack.c b/ports/stm32/mboot/pack.c
index 88529ec50a5e..03ac6a4dc55a 100644
--- a/ports/stm32/mboot/pack.c
+++ b/ports/stm32/mboot/pack.c
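Review bot: The new `dry_run` parameter on the public `do_write` prototype is undocumented, and its meaning cannot be read off the name because it differs by build: in the main.c hunk a dry run with MBOOT_ENABLE_PACKING still runs the packed-chunk signature check, while without packing the call is a no-op that returns 0. Since this header is what the i2c, USB-DFU and fsload callers see, I would put the contract right above the declaration: `// dry_run: validate the data (signature-checked when MBOOT_ENABLE_PACKING) without modifying flash; returns 0 or a negative MBOOT_ERRNO_* code.` The error-code part is an inference from the `ret < 0` checks at the call sites above and should be confirmed against hw_write.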
@@ -206,7 +206,7 @@ static int mboot_pack_handle_firmware(void) {
 }
 }
-int mboot_pack_write(uint32_t addr, const uint8_t *src8, size_t len) {
+int mboot_pack_write(uint32_t addr, const uint8_t *src8, size_t len, bool dry_run) {
 if (addr == APPLICATION_ADDR) {
 // Base address of main firmware, reset any previous state
 firmware_chunk_base_addr = 0;
@@ -274,6 +274,9 @@ int mboot_pack_write(uint32_t addr, const uint8_t *src8, size_t len) {
 }
 // Signature passed, we have valid chunk.
+ if (dry_run) {
+ return 0;
+ }
 if (firmware_chunk_buf.header.format == MBOOT_PACK_CHUNK_META) {
 // Ignore META chunks.
diff --git a/ports/stm32/mboot/pack.h b/ports/stm32/mboot/pack.h
index 195f297ca177..3578d9d12784 100644
--- a/ports/stm32/mboot/pack.h
+++ b/ports/stm32/mboot/pack.h
@@ -75,7 +75,7 @@ extern const uint8_t mboot_pack_secretbox_key[hydro_secretbox_KEYBYTES];
 // Implementation
 void mboot_pack_init(void);
-int mboot_pack_write(uint32_t addr, const uint8_t *src8, size_t len);
+int mboot_pack_write(uint32_t addr, const uint8_t *src8, size_t len, bool dry_run);
 #endif // MBOOT_ENABLE_PACKING
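Review bot: The early `return 0` on `dry_run` leaves mboot_pack_write's file-static chunk state (at least `firmware_chunk_base_addr`, which the first hunk resets only when `addr == APPLICATION_ADDR`) wherever the verified chunk left it, and the real write pass that fsload runs afterwards goes through the same function. That is harmless as long as the write pass begins at APPLICATION_ADDR and triggers the reset, but a DFU file whose first element targets another address, or a dry run that stops on a partially buffered chunk, would carry dry-run state into the write; the chunk-buffering code between the two hunks is not visible, so treat this as an inference to check. I would either reset the state when a dry run finishes or at least make the assumption explicit above the return: `// Dry run: signature verified, nothing written. Chunk state is reset by the next write that starts at APPLICATION_ADDR.` Both hunks are fragments of mboot_pack_write, whose body continues outside the view.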