itsscb/embassy
1
0
Fork 0
mirror of https://github.com/embassy-rs/embassy.git synced 2025-09-27 20:30:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

[embassy-usb-dfu] support ed25519 verification

Browse Source 
This commit adds the ability to verify that USB DFU updates are correctly signed using ed25519.
This required adding support to embassy-boot for reading from the DFU partition.
This commit is contained in:
Gerhard de Clercq 2025-04-15 20:16:09 +02:00
parent f7405493c1
commit 68a45490fc
13 changed files with 114 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ci.sh
View File

@ -282,6 +282,7 @@ cargo batch \
--- build --release --manifest-path examples/boot/bootloader/rp/Cargo.toml --target thumbv6m-none-eabi \
--- build --release --manifest-path examples/boot/bootloader/stm32/Cargo.toml --target thumbv7em-none-eabi --features embassy-stm32/stm32l496zg \
--- build --release --manifest-path examples/boot/bootloader/stm32wb-dfu/Cargo.toml --target thumbv7em-none-eabi --features embassy-stm32/stm32wb55rg \
--- build --release --manifest-path examples/boot/bootloader/stm32wb-dfu/Cargo.toml --target thumbv7em-none-eabi --features embassy-stm32/stm32wb55rg,verify \
--- build --release --manifest-path examples/boot/bootloader/stm32-dual-bank/Cargo.toml --target thumbv7em-none-eabi --features embassy-stm32/stm32h743zi \
--- build --release --manifest-path examples/wasm/Cargo.toml --target wasm32-unknown-unknown --artifact-dir out/examples/wasm \
--- build --release --manifest-path tests/stm32/Cargo.toml --target thumbv7m-none-eabi --features stm32f103c8 --artifact-dir out/tests/stm32f103c8 \

11
embassy-boot/src/firmware_updater/asynch.rs
View File

@ -161,6 +161,17 @@ impl<'d, DFU: NorFlash, STATE: NorFlash> FirmwareUpdater<'d, DFU, STATE> {
Ok(())
}
/// Read a slice of data from the DFU storage peripheral, starting the read
/// operation at the given address offset, and reading `buf.len()` bytes.
///
/// # Errors
///
/// Returns an error if the arguments are not aligned or out of bounds.
pub async fn read_dfu(&mut self, offset: u32, buf: &mut [u8]) -> Result<(), FirmwareUpdaterError> {
self.dfu.read(offset, buf).await?;
Ok(())
}
/// Mark to trigger firmware swap on next boot.
#[cfg(not(feature = "_verify"))]
pub async fn mark_updated(&mut self) -> Result<(), FirmwareUpdaterError> {

11
embassy-boot/src/firmware_updater/blocking.rs
View File

@ -196,6 +196,17 @@ impl<'d, DFU: NorFlash, STATE: NorFlash> BlockingFirmwareUpdater<'d, DFU, STATE>
Ok(())
}
/// Read a slice of data from the DFU storage peripheral, starting the read
/// operation at the given address offset, and reading `buf.len()` bytes.
///
/// # Errors
///
/// Returns an error if the arguments are not aligned or out of bounds.
pub fn read_dfu(&mut self, offset: u32, buf: &mut [u8]) -> Result<(), FirmwareUpdaterError> {
self.dfu.read(offset, buf)?;
Ok(())
}
/// Mark to trigger firmware swap on next boot.
#[cfg(not(feature = "_verify"))]
pub fn mark_updated(&mut self) -> Result<(), FirmwareUpdaterError> {

5
embassy-usb-dfu/Cargo.toml
View File

@ -43,3 +43,8 @@ esp32c3-hal = { version = "0.13.0", optional = true, default-features = false }
dfu = []
application = []
defmt = ["dep:defmt", "embassy-boot/defmt", "embassy-usb/defmt"]
ed25519-dalek = ["embassy-boot/ed25519-dalek", "_verify"]
ed25519-salty = ["embassy-boot/ed25519-salty", "_verify"]
# Internal features
_verify = []

6
embassy-usb-dfu/README.md
View File

@ -4,3 +4,9 @@ An implementation of the USB DFU 1.1 protocol using embassy-boot. It has 2 compo
* DFU protocol mode, enabled by the `dfu` feature. This mode corresponds to the transfer phase DFU protocol described by the USB IF. It supports DFU_DNLOAD requests if marked by the user, and will automatically reset the chip once a DFU transaction has been completed. It also responds to DFU_GETSTATUS, DFU_GETSTATE, DFU_ABORT, and DFU_CLRSTATUS with no user intervention.
* DFU runtime mode, enabled by the `application feature`. This mode allows users to expose a DFU interface on their USB device, informing the host of the capability to DFU over USB, and allowing the host to reset the device into its bootloader to complete a DFU operation. Supports DFU_GETSTATUS and DFU_DETACH. When detach/reset is seen by the device as described by the standard, will write a new DFU magic number into the bootloader state in flash, and reset the system.
## Verification
Embassy-boot provides functionality to verify that an update binary has been correctly signed using ed25519 as described in https://embassy.dev/book/#_verification. Even though the linked procedure describes the signature being concatenated to the end of the update binary, embassy-boot does not force this and is flexible in terms of how the signature for a binary is distributed. The current implementation in embassy-usb-dfu does however assume that the signature is 64 bytes long and concatenated to the end of the update binary since this is the simplest way to make it work with the usb-dfu mechanism. I.e. embassy-usb-dfu does not currently offer the same flexibility as embassy-boot.
To enable verification, you need to enable either the `ed25519-dalek` or the `ed25519-salty` feature with `ed25519-salty` being recommended.

33
embassy-usb-dfu/src/dfu.rs
View File

@ -19,11 +19,19 @@ pub struct Control<'d, DFU: NorFlash, STATE: NorFlash, RST: Reset, const BLOCK_S
offset: usize,
buf: AlignedBuffer<BLOCK_SIZE>,
reset: RST,
#[cfg(feature = "_verify")]
public_key: &'static [u8; 32],
}
impl<'d, DFU: NorFlash, STATE: NorFlash, RST: Reset, const BLOCK_SIZE: usize> Control<'d, DFU, STATE, RST, BLOCK_SIZE> {
/// Create a new DFU instance to handle DFU transfers.
pub fn new(updater: BlockingFirmwareUpdater<'d, DFU, STATE>, attrs: DfuAttributes, reset: RST) -> Self {
pub fn new(
updater: BlockingFirmwareUpdater<'d, DFU, STATE>,
attrs: DfuAttributes,
reset: RST,
#[cfg(feature = "_verify")] public_key: &'static [u8; 32],
) -> Self {
Self {
updater,
attrs,
@ -32,6 +40,9 @@ impl<'d, DFU: NorFlash, STATE: NorFlash, RST: Reset, const BLOCK_SIZE: usize> Co
offset: 0,
buf: AlignedBuffer([0; BLOCK_SIZE]),
reset,
#[cfg(feature = "_verify")]
public_key,
}
}
@ -102,7 +113,23 @@ impl<'d, DFU: NorFlash, STATE: NorFlash, RST: Reset, const BLOCK_SIZE: usize> Ha
if final_transfer {
debug!("Receiving final transfer");
match self.updater.mark_updated() {
#[cfg(feature = "_verify")]
let update_res: Result<(), FirmwareUpdaterError> = {
const SIGNATURE_LEN: usize = 64;
let mut signature = [0; SIGNATURE_LEN];
let update_len = (self.offset - SIGNATURE_LEN) as u32;
self.updater.read_dfu(update_len, &mut signature).and_then(|_| {
self.updater
.verify_and_mark_updated(self.public_key, &signature, update_len)
})
};
#[cfg(not(feature = "_verify"))]
let update_res = self.updater.mark_updated();
match update_res {
Ok(_) => {
self.status = Status::Ok;
self.state = State::ManifestSync;
@ -168,7 +195,7 @@ impl<'d, DFU: NorFlash, STATE: NorFlash, RST: Reset, const BLOCK_SIZE: usize> Ha
Some(InResponse::Accepted(&buf[0..1]))
}
Ok(Request::Upload) if self.attrs.contains(DfuAttributes::CAN_UPLOAD) => {
//TODO: FirmwareUpdater does not provide a way of reading the active partition, can't upload.
//TODO: FirmwareUpdater provides a way of reading the active partition so we could in theory add functionality to upload firmware.
Some(InResponse::Rejected)
}
_ => None,

8
examples/boot/application/stm32wb-dfu/memory.x
View File

@ -1,10 +1,10 @@
MEMORY
{
/* NOTE 1 K = 1 KiBi = 1024 bytes */
BOOTLOADER : ORIGIN = 0x08000000, LENGTH = 24K
BOOTLOADER_STATE : ORIGIN = 0x08006000, LENGTH = 4K
FLASH : ORIGIN = 0x08008000, LENGTH = 128K
DFU : ORIGIN = 0x08028000, LENGTH = 132K
BOOTLOADER : ORIGIN = 0x08000000, LENGTH = 48K
BOOTLOADER_STATE : ORIGIN = 0x0800C000, LENGTH = 4K
FLASH : ORIGIN = 0x0800D000, LENGTH = 120K
DFU : ORIGIN = 0x0802B000, LENGTH = 120K
RAM (rwx) : ORIGIN = 0x20000000, LENGTH = 32K
}

2
examples/boot/application/stm32wb-dfu/secrets/key.sec Normal file
View File

@ -0,0 +1,2 @@
untrusted comment: signify secret key
RWRCSwAAAAATdHQF3B4jEIoNZrjADRp2LbjJjNdNNzKwTCe4IB6mDNq96pe53nbNxwbdCc/T4hrz7W+Kx1MwrZ0Yz5xebSK5Z0Kh/3Cdf039U5f+eoTDS2fIGbohyUbrtwKzjyE0qXI=

1
examples/boot/bootloader/stm32wb-dfu/Cargo.toml
View File

@ -30,6 +30,7 @@ defmt = [
"embassy-usb/defmt",
"embassy-usb-dfu/defmt"
]
verify = ["embassy-usb-dfu/ed25519-salty"]
[profile.dev]
debug = 2

26
examples/boot/bootloader/stm32wb-dfu/README.md
View File

@ -28,6 +28,32 @@ cargo objcopy --release -- -O binary fw.bin
dfu-util -d c0de:cafe -w -D fw.bin
```
### 3. Sign Updates Before Flashing (Optional)
Currently, embassy-usb-dfu only supports a limited implementation of the generic support for ed25519-based update verfication in embassy-boot. This implementation assumes that a signature is simply concatenated to the end of an update binary. For more details, please see https://embassy.dev/book/#_verification and/or refer to the documentation for embassy-boot-dfu.
To sign (and then verify) application updates, you will first need to generate a key pair:
```
signify-openbsd -G -n -p secrets/key.pub -s secrets/key.sec
tail -n1 secrets/key.pub | base64 -d -i - | dd ibs=10 skip=1 > secrets/key.pub.short
```
Then you will need to sign all you binaries with the private key:
```
cargo objcopy --release -- -O binary fw.bin
shasum -a 512 -b fw.bin | head -c128 | xxd -p -r > target/fw-hash.txt
signify-openbsd -S -s secrets/key.sec -m target/fw-hash.txt -x target/fw-hash.sig
cp fw.bin fw-signed.bin
tail -n1 target/fw-hash.sig | base64 -d -i - | dd ibs=10 skip=1 >> fw-signed.bin
dfu-util -d c0de:cafe -w -D fw-signed.bin
```
Finally, as shown in this example with the `verify` feature flag enabled, you then need to embed the public key into your bootloader so that it can verify update signatures.
N.B. Please note that the exact steps above are NOT a good example of how to manage your keys securely. In a production environment, you should take great care to ensure that (at least the private key) is protected and not leaked into your version control system.
## Troubleshooting
- Make sure your device is in DFU mode before flashing

8
examples/boot/bootloader/stm32wb-dfu/memory.x
View File

@ -1,10 +1,10 @@
MEMORY
{
/* NOTE 1 K = 1 KiBi = 1024 bytes */
FLASH : ORIGIN = 0x08000000, LENGTH = 24K
BOOTLOADER_STATE : ORIGIN = 0x08006000, LENGTH = 4K
ACTIVE : ORIGIN = 0x08008000, LENGTH = 128K
DFU : ORIGIN = 0x08028000, LENGTH = 132K
FLASH : ORIGIN = 0x08000000, LENGTH = 48K
BOOTLOADER_STATE : ORIGIN = 0x0800C000, LENGTH = 4K
ACTIVE : ORIGIN = 0x0800D000, LENGTH = 120K
DFU : ORIGIN = 0x0802B000, LENGTH = 120K
RAM (rwx) : ORIGIN = 0x20000000, LENGTH = 16K
}

1
examples/boot/bootloader/stm32wb-dfu/secrets/key.pub.short Normal file
View File

@ -0,0 +1 @@
gB<EFBFBD><EFBFBD>p<EFBFBD>M<EFBFBD>S<EFBFBD><EFBFBD>z<EFBFBD><EFBFBD>Kg<EFBFBD><19>!<21>F<EFBFBD><46><02><>!4<>r

12
examples/boot/bootloader/stm32wb-dfu/src/main.rs
View File

@ -25,6 +25,12 @@ bind_interrupts!(struct Irqs {
// N.B. update to a custom GUID for your own device!
const DEVICE_INTERFACE_GUIDS: &[&str] = &["{EAA9A5DC-30BA-44BC-9232-606CDC875321}"];
// This is a randomly generated example key.
//
// N.B. Please replace with your own!
#[cfg(feature = "verify")]
static PUBLIC_SIGNING_KEY: &[u8; 32] = include_bytes!("../secrets/key.pub.short");
#[entry]
fn main() -> ! {
let mut config = embassy_stm32::Config::default();
@ -57,7 +63,13 @@ fn main() -> ! {
let mut config_descriptor = [0; 256];
let mut bos_descriptor = [0; 256];
let mut control_buf = [0; 4096];
#[cfg(not(feature = "verify"))]
let mut state = Control::new(updater, DfuAttributes::CAN_DOWNLOAD, ResetImmediate);
#[cfg(feature = "verify")]
let mut state = Control::new(updater, DfuAttributes::CAN_DOWNLOAD, ResetImmediate, PUBLIC_SIGNING_KEY);
let mut builder = Builder::new(
driver,
config,