Merge branch 'enable_flash_elf_sha_tests_v5.1' into 'release/v5.1'

Enable SHA256 coredump flash integrity verification for all targets (v5.1)

See merge request espressif/esp-idf!29039
This commit is contained in:
Roland Dobai 2024-03-06 22:48:52 +08:00
commit 10a0dd5322
12 changed files with 264 additions and 207 deletions

View File

@ -1,9 +1,10 @@
set(srcs "src/core_dump_common.c"
"src/core_dump_checksum.c"
"src/core_dump_flash.c"
"src/core_dump_uart.c"
"src/core_dump_elf.c"
"src/core_dump_binary.c")
"src/core_dump_binary.c"
"src/core_dump_sha.c"
"src/core_dump_crc.c")
set(includes "include")
set(priv_includes "include_core_dump")

View File

@ -46,7 +46,7 @@ menu "Core dump"
bool "Use CRC32 for integrity verification"
config ESP_COREDUMP_CHECKSUM_SHA256
bool "Use SHA256 for integrity verification"
depends on ESP_COREDUMP_DATA_FORMAT_ELF && IDF_TARGET_ESP32
depends on ESP_COREDUMP_DATA_FORMAT_ELF
endchoice
config ESP_COREDUMP_CHECK_BOOT

View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -34,7 +34,7 @@ extern "C" {
* @brief Type describing a checksum context. It is an abstract type as it is
* implementation independent, it is defined in the C source counterpart.
*/
typedef struct core_dump_checksum_ctx core_dump_checksum_ctx;
typedef void* core_dump_checksum_ctx;
/**
* @brief Type returned by `esp_core_dump_checksum_finish()`. It describes a
@ -42,7 +42,6 @@ typedef struct core_dump_checksum_ctx core_dump_checksum_ctx;
*/
typedef uint8_t* core_dump_checksum_bytes;
/**
* @brief Get ELF core dump version.
*
@ -58,7 +57,7 @@ uint32_t esp_core_dump_elf_version(void);
*
* @param wr_data Core dump checksum context to fill.
*/
void esp_core_dump_checksum_init(core_dump_checksum_ctx** wr_data);
void esp_core_dump_checksum_init(void ** wr_data);
/**
* @brief Update checksum calculation by integrating the given data in the context.
@ -68,20 +67,19 @@ void esp_core_dump_checksum_init(core_dump_checksum_ctx** wr_data);
* This is usually the new data to write (or already written) on
* the flash.
*/
void esp_core_dump_checksum_update(core_dump_checksum_ctx* wr_data, void* data, size_t data_len);
void esp_core_dump_checksum_update(void* wr_data, void* data, size_t data_len);
/**
* @brief Terminate and return checksum calculated for the given context.
*
* @param wr_data Core dump checksum context. It can be NULL only if chs_ptr is
* also NULL.
* @param wr_data Core dump checksum context.
* @param chs_ptr Pointer used to return the checksum calculated. It can be
* NULL, in this case, it will be ignored but the correct size
* of the checksum will be returned.
*
* @return The size, in bytes, of the checksum.
*/
uint32_t esp_core_dump_checksum_finish(core_dump_checksum_ctx* wr_data, core_dump_checksum_bytes* chs_ptr);
uint32_t esp_core_dump_checksum_finish(void* wr_data, core_dump_checksum_bytes* chs_ptr);
/**
* @brief Return the size of the checksums.

View File

@ -96,16 +96,14 @@ extern "C" {
*/
#define COREDUMP_VERSION_CHIP CONFIG_IDF_FIRMWARE_CHIP_ID
typedef struct _core_dump_write_data_t
{
uint32_t off; /*!< Current offset of data being written */
uint8_t cached_data[COREDUMP_CACHE_SIZE]; /*!< Cache used to write to flash */
uint8_t cached_bytes; /*!< Number of bytes filled in the cached */
core_dump_checksum_ctx* checksum_ctx; /*!< Checksum context */
void *checksum_ctx; /*!< Checksum context */
} core_dump_write_data_t;
/**
* @brief Types below define the signatures of the callbacks that are used
* to output a core dump. The destination of the dump is implementation

View File

@ -42,8 +42,11 @@ entries:
core_dump_common (noflash)
core_dump_port (noflash)
core_dump_elf (noflash)
core_dump_checksum (noflash)
core_dump_binary (noflash)
core_dump_crc (noflash)
# ESP32 uses mbedtls for the sha and mbedtls is in the flash
if IDF_TARGET_ESP32 = n:
core_dump_sha (noflash)
else:
* (default)

View File

@ -1,183 +0,0 @@
/*
* SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
/**
* @file
* @brief Checksum interface implemetation
*
* This file is an implementation for the coredump checksum interface defined
* in "core_dump_checksum.h".
* Please refer to this file for more information about the functions.
*/
#include <stddef.h>
#include "esp_core_dump_port_impl.h"
#include "esp_core_dump_types.h"
#include "core_dump_checksum.h"
#include "esp_attr.h"
#if CONFIG_ESP_COREDUMP_CHECKSUM_CRC32
#include "esp_rom_crc.h"
#elif CONFIG_ESP_COREDUMP_CHECKSUM_SHA256
#include "mbedtls/sha256.h"
#endif
#if CONFIG_ESP_COREDUMP_ENABLE
const static char TAG[] __attribute__((unused)) = "esp_core_dump_checksum";
#define COREDUMP_SHA256_LEN 32
typedef uint32_t core_dump_crc_t;
struct core_dump_checksum_ctx {
#if CONFIG_ESP_COREDUMP_CHECKSUM_SHA256
mbedtls_sha256_context ctx;
uint8_t sha_output[COREDUMP_SHA256_LEN];
#elif CONFIG_ESP_COREDUMP_CHECKSUM_CRC32
core_dump_crc_t crc;
#endif
/* Number of bytes used to calculate the checksum */
uint32_t total_bytes_checksum;
};
static core_dump_checksum_ctx s_checksum_context = { 0 };
/**
* Get ELF core dump version.
* Please check esp checksum interface for more details.
*/
uint32_t esp_core_dump_elf_version(void)
{
#if CONFIG_ESP_COREDUMP_CHECKSUM_CRC32
return COREDUMP_VERSION_ELF_CRC32;
#elif CONFIG_ESP_COREDUMP_CHECKSUM_SHA256
return COREDUMP_VERSION_ELF_SHA256;
#endif
}
void esp_core_dump_checksum_init(core_dump_checksum_ctx** out_ctx)
{
if (out_ctx) {
#if CONFIG_ESP_COREDUMP_CHECKSUM_CRC32
s_checksum_context.crc = 0;
#elif CONFIG_ESP_COREDUMP_CHECKSUM_SHA256
mbedtls_sha256_init(&s_checksum_context.ctx);
(void)mbedtls_sha256_starts(&s_checksum_context.ctx, 0);
#endif
s_checksum_context.total_bytes_checksum = 0;
*out_ctx = &s_checksum_context;
}
}
void esp_core_dump_checksum_update(core_dump_checksum_ctx* cks_ctx, void* data, size_t data_len)
{
ESP_COREDUMP_DEBUG_ASSERT(cks_ctx);
if (data) {
#if CONFIG_ESP_COREDUMP_CHECKSUM_CRC32
cks_ctx->crc = esp_rom_crc32_le(cks_ctx->crc, data, data_len);
#elif CONFIG_ESP_COREDUMP_CHECKSUM_SHA256
#if CONFIG_MBEDTLS_HARDWARE_SHA
// set software mode of SHA calculation
cks_ctx->ctx.mode = ESP_MBEDTLS_SHA256_SOFTWARE;
#endif
(void)mbedtls_sha256_update(&cks_ctx->ctx, data, data_len);
#endif
// keep counter of cashed bytes
cks_ctx->total_bytes_checksum += data_len;
} else {
ESP_COREDUMP_LOGE("Empty data to add to checksum calculation!");
}
}
uint32_t esp_core_dump_checksum_finish(core_dump_checksum_ctx* cks_ctx, core_dump_checksum_bytes* chs_ptr)
{
uint32_t chs_len = 0;
/* cks_ctx pointer can be NULL only if chs_ptr is also NULL. */
ESP_COREDUMP_DEBUG_ASSERT(cks_ctx != NULL || chs_ptr == NULL);
#if CONFIG_ESP_COREDUMP_CHECKSUM_CRC32
if (chs_ptr != NULL) {
*chs_ptr = (core_dump_checksum_bytes) &cks_ctx->crc;
}
chs_len = sizeof(cks_ctx->crc);
#elif CONFIG_ESP_COREDUMP_CHECKSUM_SHA256
if (chs_ptr != NULL) {
(void)mbedtls_sha256_finish(&cks_ctx->ctx, (uint8_t*)&cks_ctx->sha_output);
*chs_ptr = &cks_ctx->sha_output[0];
mbedtls_sha256_free(&cks_ctx->ctx);
}
chs_len = sizeof(cks_ctx->sha_output);
#endif
if (cks_ctx) {
ESP_COREDUMP_LOG_PROCESS("Total length of hashed data: %d", cks_ctx->total_bytes_checksum);
}
return chs_len;
}
/**
* Returns the size, in bytes, of the checksums.
* Currently, this function is just an alias to esp_core_dump_checksum_finish
* function, which can return the size of the checksum if given parameters
* are NULL. However, the implementation can evolve in the future independently
* from esp_core_dump_checksum_finish function.
*/
uint32_t esp_core_dump_checksum_size(void)
{
return esp_core_dump_checksum_finish(NULL, NULL);
}
#if CONFIG_ESP_COREDUMP_CHECKSUM_SHA256
static void esp_core_dump_print_sha256(const char* msg, const uint8_t* sha_output)
{
/* As this function is only called by `esp_core_dump_print_checksum`, we
* have the guarantee that sha_output is not NULL. */
if (msg != NULL) {
ESP_COREDUMP_PRINT("%s='", msg);
}
for (int i = 0; i < COREDUMP_SHA256_LEN; i++) {
ESP_COREDUMP_PRINT("%02x", sha_output[i]);
}
ESP_COREDUMP_PRINT("'\r\n");
}
#endif
/**
* Prints a message and a checksum given as parameters.
* This function is useful when the caller isn't explicitly aware of which
* checksum type (CRC32, SHA256, etc) is being used.
*/
void esp_core_dump_print_checksum(const char* msg, core_dump_checksum_bytes checksum)
{
ESP_COREDUMP_DEBUG_ASSERT(checksum != NULL);
#if CONFIG_ESP_COREDUMP_CHECKSUM_CRC32
if (msg != NULL) {
ESP_COREDUMP_PRINT("%s='", msg);
}
ESP_COREDUMP_PRINT("%08x", *((const uint32_t*) checksum));
ESP_COREDUMP_PRINT("'\r\n");
#elif CONFIG_ESP_COREDUMP_CHECKSUM_SHA256
esp_core_dump_print_sha256(msg, (const uint8_t*) checksum);
#endif
}
#endif

View File

@ -0,0 +1,88 @@
/*
* SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#include "sdkconfig.h"
#if CONFIG_ESP_COREDUMP_CHECKSUM_CRC32
#include "esp_rom_crc.h"
#include "esp_core_dump_types.h"
const static char TAG[] __attribute__((unused)) = "esp_core_dump_crc";
typedef uint32_t core_dump_crc_t;
typedef struct {
core_dump_crc_t crc;
uint32_t total_bytes_checksum; /* Number of bytes used to calculate the checksum */
} core_dump_crc_ctx_t;
static core_dump_crc_ctx_t s_core_dump_crc_ctx = { 0 };
void esp_core_dump_checksum_init(core_dump_checksum_ctx *out_ctx) __attribute__((alias("core_dump_crc_init")));
void esp_core_dump_checksum_update(core_dump_checksum_ctx cks_ctx, void* data, size_t data_len) __attribute__((alias("core_dump_crc_update")));
uint32_t esp_core_dump_checksum_finish(core_dump_checksum_ctx cks_ctx, core_dump_checksum_bytes* chs_ptr) __attribute__((alias("core_dump_crc_finish")));
void esp_core_dump_print_checksum(const char* msg, core_dump_checksum_bytes checksum) __attribute__((alias("core_dump_crc_print")));
uint32_t esp_core_dump_checksum_size(void) __attribute__((alias("core_dump_crc_size")));
uint32_t esp_core_dump_elf_version(void) __attribute__((alias("core_dump_crc_version")));
static void core_dump_crc_print(const char *msg, const uint8_t *checksum)
{
ESP_COREDUMP_DEBUG_ASSERT(checksum != NULL);
if (msg != NULL) {
ESP_COREDUMP_PRINT("%s=", msg);
}
ESP_COREDUMP_PRINT("'%08x'\r\n", *((const uint32_t*)checksum));
}
static uint32_t core_dump_crc_size(void)
{
return sizeof(core_dump_crc_t);
}
static uint32_t core_dump_crc_version(void)
{
return COREDUMP_VERSION_ELF_CRC32;
}
static void core_dump_crc_init(core_dump_checksum_ctx *out_ctx)
{
if (out_ctx) {
s_core_dump_crc_ctx.crc = 0;
s_core_dump_crc_ctx.total_bytes_checksum = 0;
*out_ctx = &s_core_dump_crc_ctx;
}
}
static void core_dump_crc_update(core_dump_checksum_ctx cks_ctx, void* data, size_t data_len)
{
if (data) {
core_dump_crc_ctx_t *crc_ctx = cks_ctx;
crc_ctx->crc = esp_rom_crc32_le(crc_ctx->crc, data, data_len);
// keep counter of cashed bytes
crc_ctx->total_bytes_checksum += data_len;
} else {
ESP_COREDUMP_LOGE("Empty data to add to checksum calculation!");
}
}
static uint32_t core_dump_crc_finish(core_dump_checksum_ctx cks_ctx, core_dump_checksum_bytes* chs_ptr)
{
if (cks_ctx) {
core_dump_crc_ctx_t *crc_ctx = cks_ctx;
if (chs_ptr) {
*chs_ptr = (core_dump_checksum_bytes)&crc_ctx->crc;
}
ESP_COREDUMP_LOG_PROCESS("Total length of hashed data: %d", crc_ctx->total_bytes_checksum);
}
return core_dump_crc_size();
}
#endif /* CONFIG_ESP_COREDUMP_CHECKSUM_CRC32 */

View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/

View File

@ -0,0 +1,145 @@
/*
* SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#include "sdkconfig.h"
#if CONFIG_ESP_COREDUMP_CHECKSUM_SHA256
#include <string.h>
#include "esp_core_dump_types.h"
#if CONFIG_IDF_TARGET_ESP32
#include "mbedtls/sha256.h" /* mbedtls_sha256_context */
#else
#include "hal/sha_types.h" /* SHA_CTX */
#endif
const static char TAG[] __attribute__((unused)) = "esp_core_dump_sha";
#define COREDUMP_SHA256_LEN 32
typedef struct {
#if CONFIG_IDF_TARGET_ESP32
mbedtls_sha256_context ctx;
#else
SHA_CTX ctx;
#endif
uint8_t result[COREDUMP_SHA256_LEN];
uint32_t total_bytes_checksum; /* Number of bytes used to calculate the checksum */
} core_dump_sha_ctx_t;
static core_dump_sha_ctx_t s_core_dump_sha_ctx = { 0 };
void esp_core_dump_checksum_init(core_dump_checksum_ctx *cks_ctx) __attribute__((alias("core_dump_sha_init")));
void esp_core_dump_checksum_update(core_dump_checksum_ctx cks_ctx, void* data, size_t data_len) __attribute__((alias("core_dump_sha_update")));
uint32_t esp_core_dump_checksum_finish(core_dump_checksum_ctx cks_ctx, core_dump_checksum_bytes* chs_ptr) __attribute__((alias("core_dump_sha_finish")));
void esp_core_dump_print_checksum(const char* msg, core_dump_checksum_bytes checksum) __attribute__((alias("core_dump_sha256_print")));
uint32_t esp_core_dump_checksum_size(void) __attribute__((alias("core_dump_sha_size")));
uint32_t esp_core_dump_elf_version(void) __attribute__((alias("core_dump_sha_version")));
#if CONFIG_IDF_TARGET_ESP32
static void core_dump_sha256_start(core_dump_sha_ctx_t *sha_ctx)
{
mbedtls_sha256_init(&sha_ctx->ctx);
mbedtls_sha256_starts(&sha_ctx->ctx, false);
}
static void core_dump_sha256_update(core_dump_sha_ctx_t *sha_ctx, const void *data, size_t data_len)
{
// set software mode of SHA calculation
sha_ctx->ctx.mode = ESP_MBEDTLS_SHA256_SOFTWARE;
mbedtls_sha256_update(&sha_ctx->ctx, data, data_len);
}
static void core_dump_sha256_finish(core_dump_sha_ctx_t *sha_ctx)
{
mbedtls_sha256_finish(&sha_ctx->ctx, sha_ctx->result);
mbedtls_sha256_free(&sha_ctx->ctx);
}
#else
static void core_dump_sha256_start(core_dump_sha_ctx_t *sha_ctx)
{
/* Enable SHA hardware */
ets_sha_enable();
ets_sha_init(&sha_ctx->ctx, SHA2_256);
}
static void core_dump_sha256_update(core_dump_sha_ctx_t *sha_ctx, const void *data, size_t data_len)
{
ets_sha_update(&sha_ctx->ctx, data, data_len, false);
}
static void core_dump_sha256_finish(core_dump_sha_ctx_t *sha_ctx)
{
ets_sha_finish(&sha_ctx->ctx, sha_ctx->result);
ets_sha_disable();
}
#endif
static void core_dump_sha256_print(const char* msg, const uint8_t *checksum)
{
/* As this function is only called by `esp_core_dump_print_checksum`, we
* have the guarantee that checksum is not NULL. */
if (msg != NULL) {
ESP_COREDUMP_PRINT("%s=", msg);
}
ESP_COREDUMP_PRINT("'");
for (int i = 0; i < COREDUMP_SHA256_LEN; i++) {
ESP_COREDUMP_PRINT("%02x", checksum[i]);
}
ESP_COREDUMP_PRINT("'\r\n");
}
static uint32_t core_dump_sha_size(void)
{
return COREDUMP_SHA256_LEN;
}
static uint32_t core_dump_sha_version(void)
{
return COREDUMP_VERSION_ELF_SHA256;
}
static void core_dump_sha_init(core_dump_checksum_ctx *out_ctx)
{
if (out_ctx) {
core_dump_sha256_start(&s_core_dump_sha_ctx);
s_core_dump_sha_ctx.total_bytes_checksum = 0;
*out_ctx = &s_core_dump_sha_ctx;
}
}
static void core_dump_sha_update(core_dump_checksum_ctx cks_ctx, void* data, size_t data_len)
{
if (data) {
core_dump_sha_ctx_t *sha_ctx = cks_ctx;
core_dump_sha256_update(sha_ctx, data, data_len);
// keep counter of cashed bytes
sha_ctx->total_bytes_checksum += data_len;
} else {
ESP_COREDUMP_LOGE("Empty data to add to checksum calculation!");
}
}
static uint32_t core_dump_sha_finish(core_dump_checksum_ctx cks_ctx, core_dump_checksum_bytes* chs_ptr)
{
if (cks_ctx) {
core_dump_sha_ctx_t *sha_ctx = cks_ctx;
core_dump_sha256_finish(sha_ctx);
if (chs_ptr) {
*chs_ptr = (core_dump_checksum_bytes)&sha_ctx->result;
}
ESP_COREDUMP_LOG_PROCESS("Total length of hashed data: %d", sha_ctx->total_bytes_checksum);
}
return core_dump_sha_size();
}
#endif /* CONFIG_ESP_COREDUMP_CHECKSUM_SHA256 */

View File

@ -32,8 +32,15 @@ if(NOT CONFIG_TEST_MEMPROT)
# Only enable UBSAN for a few components related to the panic test,
# due to RAM size limitations.
foreach(component main espcoredump esp_system spi_flash
esp_common esp_hw_support soc hal freertos)
set(ubsan_components main espcoredump esp_system spi_flash
esp_common esp_hw_support soc hal freertos)
if(CONFIG_ESP_COREDUMP_CHECKSUM_SHA256)
if(CONFIG_IDF_TARGET_ESP32S2)
# due to the ram limitation, coredump is removed from esp32s2 built
list(REMOVE_ITEM ubsan_components espcoredump)
endif()
endif()
foreach(component IN LISTS ubsan_components)
idf_component_get_property(lib ${component} COMPONENT_LIB)
target_compile_options(${lib} PRIVATE ${ubsan_options})
endforeach()

View File

@ -1,8 +1,9 @@
# SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
# SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD
# SPDX-License-Identifier: CC0-1.0
import re
from typing import List, Optional, Union
from typing import List
from typing import Optional
from typing import Union
import pexpect
import pytest
@ -25,7 +26,7 @@ TARGETS_TESTED = [
# with some exceptions.
CONFIGS = [
pytest.param('coredump_flash_bin_crc', marks=TARGETS_TESTED),
pytest.param('coredump_flash_elf_sha', marks=[pytest.mark.esp32]), # sha256 only supported on esp32, IDF-1820
pytest.param('coredump_flash_elf_sha', marks=TARGETS_TESTED),
pytest.param('coredump_uart_bin_crc', marks=TARGETS_TESTED),
pytest.param('coredump_uart_elf_crc', marks=TARGETS_TESTED),
pytest.param('gdbstub', marks=TARGETS_TESTED),
@ -36,7 +37,7 @@ CONFIGS = [
TARGETS_DUAL_CORE = [pytest.mark.esp32, pytest.mark.esp32s3]
CONFIGS_DUAL_CORE = [
pytest.param('coredump_flash_bin_crc', marks=TARGETS_DUAL_CORE),
pytest.param('coredump_flash_elf_sha', marks=[pytest.mark.esp32]), # sha256 only supported on esp32, IDF-1820
pytest.param('coredump_flash_elf_sha', marks=TARGETS_DUAL_CORE),
pytest.param('coredump_uart_bin_crc', marks=TARGETS_DUAL_CORE),
pytest.param('coredump_uart_elf_crc', marks=TARGETS_DUAL_CORE),
pytest.param('gdbstub', marks=TARGETS_DUAL_CORE),

View File

@ -1,4 +1,3 @@
CONFIG_IDF_TARGET="esp32"
CONFIG_ESP_COREDUMP_ENABLE_TO_FLASH=y
CONFIG_ESP_COREDUMP_DATA_FORMAT_ELF=y
CONFIG_ESP_COREDUMP_CHECKSUM_SHA256=y