Skip to content

Add support for creating self-decrypting binaries, and use 4-way AES key shares instead of just the AES key #207

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 81 commits into
base: develop
Choose a base branch
from
Open

Add support for creating self-decrypting binaries, and use 4-way AES key shares instead of just the AES key #207

wants to merge 81 commits into from

Conversation

will-v-pi
Copy link
Contributor

@will-v-pi will-v-pi commented Feb 24, 2025
edited
Loading

This adds support for creating self-decrypting binaries, which can be created using

picotool encrypt --sign --embed hello_world.elf hello_world.enc.elf my_aesfile.bin my_iv_salt.bin my_sigfile.pem my_otp.json

This introduces a breaking change to picotool encrypt to take a 4-way AES key share, rather than just taking an AES key, as this makes it simpler to mask the power signature when decrypting the binary. The only difference from a user perspective is that they now need to use a 1024 bit binary file instead of the 256 bit file used before. The AES key is derived from the 4-way share as follows:

aes_key.words[i] = aes_key_share.words[i*4]
                 ^ aes_key_share.words[i*4 + 1]
                 ^ aes_key_share.words[i*4 + 2]
                 ^ aes_key_share.words[i*4 + 3];

This also introduces a breaking change that picotool encrypt now requires an IV salt binary to be passed to it as the 4th file, so the signing_key is now the 5th file and the OTP JSON is now the 6th file.

This PR should be merged in parallel with raspberrypi/pico-sdk#2315 and raspberrypi/pico-examples#619 to avoid breaking the pico-examples encrypted bootloader compilation

@will-v-pi will-v-pi added this to the 2.1.2 milestone Feb 24, 2025
@will-v-pi will-v-pi requested a review from kilograham February 24, 2025 15:20
This was referenced Feb 24, 2025
Open
Open
@will-v-pi will-v-pi force-pushed the encrypted-shares branch 2 times, most recently from 8ad52d7 to 28c0335 Compare February 26, 2025 12:30
@will-v-pi will-v-pi marked this pull request as ready for review February 26, 2025 13:00
@will-v-pi will-v-pi mentioned this pull request Feb 28, 2025
Open
@will-v-pi will-v-pi linked an issue Feb 28, 2025 that may be closed by this pull request
"ERROR: Found overlapping memory" on encrypted binary #210
Open
lurch
lurch reviewed Mar 10, 2025
View reviewed changes
lurch
lurch reviewed Mar 10, 2025
View reviewed changes
lurch
lurch reviewed Mar 10, 2025
View reviewed changes
lurch
lurch reviewed Mar 10, 2025
View reviewed changes
lurch
lurch reviewed Mar 19, 2025
View reviewed changes
lurch
lurch reviewed Mar 19, 2025
View reviewed changes
kilograham
kilograham reviewed Mar 22, 2025
View reviewed changes
kilograham
kilograham reviewed Mar 22, 2025
View reviewed changes
kilograham
kilograham reviewed Mar 22, 2025
View reviewed changes
kilograham
kilograham reviewed Mar 22, 2025
View reviewed changes
@kilograham
Copy link
Contributor

kilograham commented Mar 22, 2025
edited
Loading

  1. I had forgotten? that encrypt was already an available option. Was that used with the pre-existing pico-example? How does this change affect that example (is the encrypt command now backwards compatible? (edit: i guess i should read the PR description!)
  2. I worry about rollback versions (and indeed other versions) - we should probably copy that across to the decrypting header
  3. I believe the dealing with TBYB and friends IS handled (due to pico-sdk PR) just wanted to double check with you - i still need to delve into this PR more deeply

@will-v-pi
Copy link
Contributor Author

  1. I had forgotten? that encrypt was already an available option. Was that used with the pre-existing pico-example? How does this change affect that example (is the encrypt command now backwards compatible? (edit: i guess i should read the PR description!)
  2. I worry about rollback versions (and indeed other versions) - we should probably copy that across to the decrypting header
  3. I believe the dealing with TBYB and friends IS handled (due to pico-sdk PR) just wanted to double check with you - i still need to delve into this PR more deeply
  1. I've modified the example to use the new command Encrypted improvements pico-examples#619 - but yes, the SDK CMake function and the picotool command are not backwards compatible.
  2. They should have been copied across, along with TBYB - lines 5124-5139 in main.cpp - but this wasn't working as the block choice code would choose the first block to copy data from. I've changed this so it will now choose to copy the last block if it has an IMAGE_DEF, otherwise choose the first block, as the last block will be the better choice.
  3. For self-decrypting binaries, TBYB and everything else is handled entirely by the bootrom - the decryption stage shouldn't time out the watchdog, so the user binary can call explicit_buy as usual. The decryption stage just gets loaded into SRAM along with the encrypted binary by the bootrom, and decrypts it in place, so doesn't need any handling for TBYB etc. For encrypted binaries with a separate decrypting bootloader, the handling is improved by the rom_pick_ab_update_partition PR.

@kilograham kilograham mentioned this pull request Mar 24, 2025
Open
@kilograham
Copy link
Contributor

A few other random thoughts

  1. I think we should support passing a 256 bit AES key and generating 4 shares (I dont think this tells you much if the AES key is secure random even if picotool does less well -though it should be using dev/random already, right via c++ lib if i reacll)
  2. I think we should support passing the AES key and the IV salt as a hex on the command line too. could probably live with just treating anything starting with 0x as hex not filename, and check it is the right length.
  3. Can we lose the -t on the AES key and salt unless there are useful different file types

@kilograham
Copy link
Contributor

I wonder if we should explicitly zero unused RAM in the LOAD_MAP of the self-encrypting binary (probably)

lurch
lurch reviewed Mar 31, 2025
View reviewed changes
will-v-pi added 15 commits April 22, 2025 18:09
@will-v-pi
Remove OTP key workaround
04d8819
@will-v-pi
Remove load_map, hash and signature from chosen ELF blocks
90ddbc4 
These would mess up signing/encryption of an already signed/encrypted binary
@will-v-pi
Clear SRAM in load_map of self-decrypting binary
e370a20
@will-v-pi
Add ability to generate key share from 256 bit key
33419cf
@will-v-pi
Remove -t argument when not needed
b35d9a9 
Remove they -t argument from all key files (bin & pem) and JSON files, as they should always have the correct extension so it's not necessary
@will-v-pi
Support passing AES key and IV salt as hex strings instead of files
4adbf75
@will-v-pi
Improve encrypt docs
cbfab7c 
Implement suggested changes, and add note about IV salt
@will-v-pi
Review fixups
eb5c981 
Specify file types where useful for untyped files (json, pem, bin)
Expand IV salt description
Abstract filename_to_hex_array into separate function
@will-v-pi
Improve external project inclusion
ba3bf03 
Remove uneccessary extra setup, which isn't actually required and throws deprecation warnings in CMake 4.0.0
@will-v-pi
Use named_untyped_file_selection for coprodis as well
954120f
@will-v-pi
Implement FIB workaround by storing inverse of row n in row n+32 of e…
1ff20e0 
…ach OTP page

Disabled for now behind `#if FIB_WORKAROUND`, until the bootloader change to handle this is implemented
@will-v-pi
Only delete existing load_maps when encrypting
d6c5171 
These only cause issues when encrypting, as the old block needs to be included in the new load_map

When signing, the old load_map can be used again without issue
@will-v-pi
Tidy up string_to_hex_array function
61bf7c3
@will-v-pi
Add permission handling to OTP dump
f018f89 
Prints XXs for any rows with permissions failures

Also, add `--pages` option to index by page & row (eg 63:56) rather than hex (eg 0ff8)
@will-v-pi
Modify bootloader to work with FIB workaround
6743582 
Modify aes.S init_key_4way to skip the 64 byte gap in the middle of the otp key share

Uses 5 words of space
@will-v-pi
Copy link
Contributor Author

See the encrypted-shares-ci branch for passing CI, which now requires different SDK and examples branches due to the examples build test

lurch
lurch reviewed Apr 24, 2025
View reviewed changes
lurch
lurch reviewed Apr 24, 2025
View reviewed changes
lurch
lurch reviewed Apr 24, 2025
View reviewed changes
@lurch
Copy link
Contributor

lurch commented Apr 24, 2025

See the encrypted-shares-ci branch for passing CI, which now requires different SDK and examples branches due to the examples build test

Perhaps the original comment in this PR ought to be updated to say which other pico-sdk and pico-examples PRs ought to be merged before (or in parallel with?) this PR.

@will-v-pi
Review fixups
f9bf5e7 
Add more notes to AES readme, fix error message, and remove commented CMake line
@will-v-pi
Mention mbedtls is "faster but less secure" in help text
861a153 
More details will be in the C SDK book
@will-v-pi
Merge branch 'develop' into encrypted-shares
9ea5a40
@will-v-pi
Update README help text
b637421
lurch
lurch reviewed Apr 28, 2025
View reviewed changes
README.md
Comment on lines +651 to +652
picotool encrypt [--quiet] [--verbose] [--embed] [--fast-rosc] [--use-mbedtls] [--otp-key-page <page>] [--hash] [--sign] <infile> [-t
<type>] [-o <offset>] <outfile> [-t <type>] <aes_key> <iv_salt> <signing_key> <otp>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How hard would it be to modify the line-wrapping to prevent a line-break getting inserted in the middle of e.g. [-t <type>] ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that's handled by the CLIPP library, so probably a question for @kilograham whether we want to change that code?

picotool/clipp/clipp.h

Lines 317 to 363 in c56c005

/** @brief handle line wrapping due to column constraints */
template<class Iter>
void write_line(Iter first, Iter last)
{
if(first == last) return;
if(only_whitespace(first, last)) return;
if(right_of_text_area()) wrap_soft();
if(at_begin_of_line()) {
//discard whitespace, it we start a new line
first = std::find_if(first, last,
[](char_type c) { return !std::isspace(c); });
if(first == last) return;
}
const auto n = int(std::distance(first,last));
const auto m = columns_left_in_line();
//if text to be printed is too long for one line -> wrap
if(n > m) {
//break before word, if break is mid-word
auto breakat = first + m;
while(breakat > first && !std::isspace(*breakat)) --breakat;
//could not find whitespace before word -> try after the word
if(!std::isspace(*breakat) && breakat == first) {
breakat = std::find_if(first+m, last,
[](char_type c) { return std::isspace(c); });
}
if(breakat > first) {
if(curCol_ < 1) ++totalNonBlankLines_;
fix_indent();
std::copy(first, breakat, std::ostream_iterator<char_type>(os_));
curBlankLines_ = 0;
}
if(breakat < last) {
wrap_soft();
write_line(breakat, last);
}
}
else {
if(curCol_ < 1) ++totalNonBlankLines_;
fix_indent();
std::copy(first, last, std::ostream_iterator<char_type>(os_));
curCol_ += n;
curBlankLines_ = 0;
}
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, sounds like There Be Dragons 🐉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lurch lurch lurch left review comments

@kilograham kilograham kilograham left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.1.2
Development

Successfully merging this pull request may close these issues.

"ERROR: Found overlapping memory" on encrypted binary
3 participants
@will-v-pi @kilograham @lurch