From 1badff120e930f66ecdfd388fd70dc2c86cd088d Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Wed, 5 Jul 2023 16:53:38 +0900 Subject: [PATCH] addressed review comments --- IDE/Renesas/e2studio/RA6M4/Readme.md | 42 +++++++++++++----- IDE/Renesas/e2studio/RA6M4/Readme_wSCE.md | 54 ++++++++++++++++------- 2 files changed, 69 insertions(+), 27 deletions(-) diff --git a/IDE/Renesas/e2studio/RA6M4/Readme.md b/IDE/Renesas/e2studio/RA6M4/Readme.md index 670a63629..eb7e3d312 100644 --- a/IDE/Renesas/e2studio/RA6M4/Readme.md +++ b/IDE/Renesas/e2studio/RA6M4/Readme.md @@ -2,12 +2,14 @@ ## 1. Overview -This example demonstrates simple secure firmware update by wolfBoot. A sample application v1 is securely updated to v2. Both versions behave the same except displaying its version of v1 or v2. They are compiled by e2Studio and running on the target board. +This example demonstrates simple secure firmware update by wolfBoot. +A sample application v1 is securely updated to v2. Both versions behave the same except displaying its version of v1 or v2. +They are compiled by e2Studio and running on the target board. -In this demo, you may download two versions of application binary file by Renesas Flash Programmer. You can download and excute wolfBoot by e2Studio debugger. Use a USB connection between PC and the board for the debugger and flash programmer. +In this demo, you may download two versions of the application binary file by Renesas Flash Programmer. +You can download and excute wolfBoot by e2Studio debugger. Use a USB connection between PC and the board for the debugger and flash programmer. Please see `Readme_wSCE.md` for Renesas SCE use case. - ## 2. Components and Tools @@ -62,7 +64,8 @@ Flash Allocation: This section describes about how to build wolfBoot and application and use them. ### 1) Key generation -It has key tools running under the host environment such as Linux, Windows or MacOS. For comiling the tools, follow the instruction described in the user manual. +It has key tools running under the host environment such as Linux, Windows or MacOS. +For compiling the tools, follow the instruction described in the user manual. ``` @@ -72,7 +75,10 @@ $ keygen --ecc256 -g ./pri-ecc256.der # ECC256 $ keygen --rsa2048 -g ./pri-rsa2048.der # RSA2048 ``` -The `keygen` tool generates a pair of private and public key with -g option. The private key is stored in the specified file. The public key is stored in a key store as a C source code in "src/keystore.c" so that it can be compiled and linked with wolfBoot. If you have an existing key pair, you can use -i option to import the pablic key to the store. +The `keygen` tool generates a pair of private and public key with -g option. +The private key is stored in the specified file. +The public key is stored in a key store as a C source code in "src/keystore.c" so that it can be compiled and linked with wolfBoot. +If you have an existing key pair, you can use -i option to import the public key to the store. You can specify various signature algorithms such as @@ -112,7 +118,8 @@ Modify `g_flash0 Flash(r_flash_hp)` properites as follows: + Build `wolfBoot` projet ### 3) Compile the sample application -Open project under IDE/Renesas/e2studio/RA6M4/app_RA with e2Studio, and build the project. Project properties are preset for the demo. +Open project under IDE/Renesas/e2studio/RA6M4/app_RA with e2Studio, and build the project. +Project properties are preset for the demo. #### 3-1). Prepare SEGGER_RTT for logging + Download J-Link software from [Segger](https://www.segger.com/downloads/jlink) @@ -167,7 +174,10 @@ You can derive bair binary file (app_RA.bin) by objcopy command as follows. $ aarch64-none-elf-objcopy.exe -O binary -j .text -j .data app_RA.elf app_RA.bin ``` -"sign" command under tools/keytools benerates a signature for the binary with a specified version. It generates a file contain a partition header and application image. The partition header contain generated signature and other control fields. Output file name is made up from the input file name and version like app_RenesasRx01_v1.0_signed.bin. +"sign" command under tools/keytools benerates a signature for the binary with a specified version. +It generates a file contain a partition header and application image. +The partition header contain generated signature and other control fields. +Output file name is made up from the input file name and version like app_RenesasRx01_v1.0_signed.bin. ``` $ sign --ecc256 app_RA.bin ../../../../../pri-ecc256.der 1.0 @@ -196,7 +206,9 @@ $ aarch64-none-elf-objcopy.exe -I binary -O srec --change-addresses=0x00010000 a ### 6) Execute inital boot -Now, you can download and start wolfBoot program by e2Studio debugger. After starting the program, you can see the partition information as follows. If the boot program succeeds integrity and authenticity check, it initiate the application V1. To initially run `wolfBoot` project, +Now, you can download and start wolfBoot program by e2Studio debugger. +After starting the program, you can see the partition information as follows. +If the boot program succeeds integrity and authenticity check, it initiate the application V1. To initially run `wolfBoot` project, 1.) Right-Click the Project name. 2.) Select `Debug As` -> `Renesas GDB Hardware Debugging` 3.) Select `J-Link ARM`. Click OK. @@ -248,11 +260,15 @@ Status: FF Tail Mgc: ``` -You can see the state is Success("00") and Tail Magic number becomes "BOOT". You can also see flashing each LED light in 1 second. Notable things about V1 application, it will also call wolfBoot_update_trigger() so that it tells wolfBoot that new version exists. We are going to generate and download V2 application into "Update pertition". +You can see the state is Success("00") and Tail Magic number becomes "BOOT". +You can also see flashing each LED light in 1 second. Notable things about V1 application, +it will also call wolfBoot_update_trigger() so that it tells wolfBoot that new version exists. +We are going to generate and download V2 application into "Update partition". ### 7) Generate Signed app V2 and download it -Similar to V1, you can signe and generate a binary of V2. The update partition starts at "0x00080000". You can download it by the flash programmer. +Similar to V1, you can signe and generate a binary of V2. The update partition starts at "0x00080000". +You can download it by the flash programmer. Updtate partition: -change-addresses=0x00080000 @@ -266,7 +282,8 @@ $ aarch64-none-elf-objcopy.exe -I binary -O srec --change-addresses=0x00080000 a ### 8) Re-boot and secure update to V2 -The boot program checks integrity and authenticity of V2, swap the partition safely and initiates V2. You will see following message after the partition +The boot program checks integrity and authenticity of V2, swap the partition safely and initiates V2. +You will see following message after the partition information. You can also see flashing each LED light in 5 second. ``` @@ -310,4 +327,5 @@ Status: FF Tail Mgc: ``` -You can see "Current Firmware Version : 2". The state is Success("00") and Tail Magic number becomes "BOOT". You can also see flashing each LED light in 5 second at this new version. \ No newline at end of file +You can see "Current Firmware Version : 2". The state is Success("00") and Tail Magic number becomes "BOOT". +You can also see flashing each LED light in 5 second at this new version. \ No newline at end of file diff --git a/IDE/Renesas/e2studio/RA6M4/Readme_wSCE.md b/IDE/Renesas/e2studio/RA6M4/Readme_wSCE.md index b52ca4131..efaf433ce 100644 --- a/IDE/Renesas/e2studio/RA6M4/Readme_wSCE.md +++ b/IDE/Renesas/e2studio/RA6M4/Readme_wSCE.md @@ -2,9 +2,10 @@ ## 1. Overview -This example demonstrates simple secure firmware update by wolfBoot and uses Renesas SCE. A sample application v1 is securely updated to v2. Both versions behave the same except displaying its version of v1 or v2. They are compiled by e2Studio and running on the target board. +This example demonstrates simple secure firmware update by wolfBoot and uses Renesas SCE. +A sample application v1 is securely updated to v2. Both versions behave the same except displaying its version of v1 or v2. They are compiled by e2Studio and running on the target board. -In this demo, you may download two versions of application binary file by Renesas Flash Programmer. You can download and excute wolfBoot by e2Studio debugger. Use a USB connection between PC and the board for the debugger and flash programmer.It is only available RSA with Renesas SCE now. +In this demo, you may download two versions of the application binary file by Renesas Flash Programmer. You can download and excute wolfBoot by e2Studio debugger. Use a USB connection between PC and the board for the debugger and flash programmer.It is only available RSA with Renesas SCE now. ## 2. Components and Tools @@ -56,7 +57,8 @@ Flash Allocation: This section describes about how to build wolfBoot and application and use them. ### 1) Key generation -It has key tools running under the host environment such as Linux, Windows or MacOS. For comiling the tools, follow the instruction described in the user manual. +It has key tools running under the host environment such as Linux, Windows or MacOS. +For compiling the tools, follow the instruction described in the user manual. ``` @@ -66,11 +68,16 @@ $ export PATH=$PATH:/tools/keytools $ keygen --rsa2048 -g ./pri-rsa2048.der # RSA2048 ``` -The `keygen` tool generates a pair of private and public key with -g option. The private key is stored in the specified file. The public key is stored in a key store as a C source code in "src/keystore.c" so that it can be compiled and linked with wolfBoot. If you have an existing key pair, you can use -i option to import the pablic key to the store. +The `keygen` tool generates a pair of private and public key with -g option. +The private key is stored in the specified file. +The public key is stored in a key store as a C source code in "src/keystore.c" so that it can be compiled and linked with wolfBoot. +If you have an existing key pair, you can use -i option to import the public key to the store. ### 2) Compile wolfBoot -Open project under IDE/Renesas/e2studio/RA6M4/wolfBoot with e2Studio, and build the project. Project properties are preset for the demo. `WOLFBOOT_PARTION_INFO` is for debug information about partitions. Eliminate them for operational use. +Open project under IDE/Renesas/e2studio/RA6M4/wolfBoot with e2Studio, and build the project. +Project properties are preset for the demo. `WOLFBOOT_PARTION_INFO` is for debug information about partitions. +Eliminate them for operational use. Enabled `WOLFBOOT_RENESAS_SCEPROTECT` expects to use Renesas SCE. @@ -153,7 +160,11 @@ Modify `g_flash0 Flash(r_flash_hp)` properites as follows: Code Origin and entry point is "0x00020200". app_RA.elf is gnerated under Debug. ### 4) Generate Wrapped Key for SCE -SCE needs to have a wrapped key for sign verification installed in advance. This section describes how to use wolfBoot with SCE. Current version supports RSA2048. SCE RSA Signature supports #PKCS 1, v1.5. You can generate a RSA key pair by wolfBoot "keygen" command along with Renesas Security Key Management Tool `skmt`. `skmt` command wraps the RAW key and generates C language initial data and a header file for an application program with SCE. +SCE needs to have a wrapped key for sign verification installed in advance. +This section describes how to use wolfBoot with SCE. Current version supports RSA2048. +SCE RSA Signature supports #PKCS 1, v1.5. You can generate a RSA key pair by +wolfBoot "keygen" command along with Renesas Security Key Management Tool `skmt`. +`skmt` command wraps the RAW key and generates C language initial data and a header file for an application program with SCE. Please refer SCE User Manual for generating product provisioning. @@ -168,7 +179,8 @@ $ skmt.exe /genkey /ufpk file=./ufpk.key /wufpk file=./ufpk.key_enc.key -key fil Please refer Renesas Manual to generate ufpk.key and upfk.key_enc.key. -After generating "rfp" format key, you can download it to flash data area by using Renesas flash programmer. The default address for "rfp" key is `0x08001000U` which is set at `user_settings.h`. +After generating "rfp" format key, you can download it to flash data area by using Renesas flash programmer. +The default address for "rfp" key is `0x08001000U` which is set at `user_settings.h`. ### 4) Generate Signature for app V1 You can derive bair binary file (app_RA.bin) by objcopy command as follows. @@ -177,7 +189,11 @@ You can derive bair binary file (app_RA.bin) by objcopy command as follows. $ aarch64-none-elf-objcopy.exe -O binary -j .text -j .data app_RA.elf app_RA.bin ``` -`sign` command under tools/keytools benerates a signature for the binary with a specified version. It generates a file contain a partition header and application image. The partition header contain generated signature and other control fields. Output file name is made up from the input file name and version like app_RenesasRx01_v1.0_signed.bin. It needs to specify `--rsa2048enc` option to sign the image because SCE assumes to have DigestInfo structure before hashed data. +`sign` command under tools/keytools benerates a signature for the binary with a specified version. +It generates a file contain a partition header and application image. +The partition header contain generated signature and other control fields. +Output file name is made up from the input file name and version like app_RenesasRx01_v1.0_signed.bin. +It needs to specify `--rsa2048enc` option to sign the image because SCE assumes to have DigestInfo structure before hashed data. ``` $ sign --rsa2048enc app_RA.bin ../../../../../pri-rsa2048.der 1.0 @@ -204,8 +220,10 @@ $ aarch64-none-elf-objcopy.exe -I binary -O srec --change-addresses=0x00020000 a ``` ### 6) Execute inital boot -Now, you can download and start wolfBoot program by e2Studio debugger. After starting the program, you can see the partition information as follows. -If the boot program succeeds integlity and authenticity check, it initiate the application V1. To initially run `wolfBoot` project, +Now, you can download and start wolfBoot program by e2Studio debugger. +After starting the program, you can see the partition information as follows. +If the boot program succeeds integlity and authenticity check, it initiate the application V1. +To initially run `wolfBoot` project, 1.) Right-Click the Project name. 2.) Select `Debug As` -> `Renesas GDB Hardware Debugging` 3.) Select `J-Link ARM`. Click OK. @@ -258,11 +276,15 @@ Status: FF Tail Mgc: ``` -You can see the state is Success("00") and Tail Magic number becomes "BOOT". You can also see flashing each LED light in 1 second. Notable things about V1 application, it will also call wolfBoot_update_trigger() so that it tells wolfBoot that new version exists. We are going to generate and download V2 application into "Update partition". +You can see the state is Success("00") and Tail Magic number becomes "BOOT". +You can also see flashing each LED light in 1 second. Notable things about V1 application, +it will also call wolfBoot_update_trigger() so that it tells wolfBoot that new version exists. +We are going to generate and download V2 application into "Update partition". ### 7) Generate Signed app V2 and download it -Similar to V1, you can sign and generate a binary of V2. The update partition starts at "0x00090000". You can download it by the flash programmer. +Similar to V1, you can sign and generate a binary of V2. The update partition starts at "0x00090000". +You can download it by the flash programmer. Updtate partition: -change-addresses=0x00090000 @@ -274,8 +296,9 @@ $ aarch64-none-elf-objcopy.exe -I binary -O srec --change-addresses=0x00090000 a ### 8) Reboot and secure update to V2 -The boot program checks integlity and authenticity of V2, swap the partition safely and initiates V2. You will see following message after the partition -information. You can also see flashing each LED light in 5 second. +The boot program checks integlity and authenticity of V2, swap the partition safely and initiates V2. +You will see following message after the partition information. +You can also see flashing each LED light in 5 second. ``` | ----------------------------------------------------------------------- | @@ -316,4 +339,5 @@ Version: 01 Status: 70 Tail Mgc: BOOT ``` -You can see "Current Firmware Version : 2". The state is Success("00") and Tail Magic number becomes "BOOT". You can also see flashing each LED light in 5 second at this new version. +You can see "Current Firmware Version : 2". The state is Success("00") and Tail Magic number becomes "BOOT". +You can also see flashing each LED light in 5 second at this new version.