Fixes to delta updates, reinforced size checks, improved hardening#716
Merged
dgarske merged 22 commits into wolfSSL:master on Mar 9, 2026
Conversation
F/222
Add a maximum size check for fw_size against the expected bootloader partition size F/230
Prevent loops on malformed PCI trees F/232
Contributor
Pull request overview
Improves robustness and hardening across delta updates, storage writes, TPM/GPT handling, and self-update validation, with new/updated unit tests to cover regressions.
Changes:
- Adds/expands unit tests covering TPM RSA exponent decoding, QSPI page writes, PSA/PKCS11 cross-sector writes, GPT CRC validation, PCI capability loop protection, and delta escape corner cases.
- Hardens runtime code paths: CRC32 verification for GPT headers, constant-time key hint matching, safer ASN.1 tag decoding bounds, improved size checks for self header, and secure zeroization of encryption material.
- Fixes concrete bugs in tools/runtime (e.g., bmdiff mmap error check, UART printf maxdigits parsing, QSPI remaining-byte calculation).
Reviewed changes
Copilot reviewed 23 out of 23 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tools/unit-tests/unit-tpm-rsa-exp.c | Adds a unit test validating DER exponent byte decoding for TPM RSA public key loading. |
| tools/unit-tests/unit-qspi-flash.c | Adds unit test ensuring QSPI writes split the last page based on remaining bytes. |
| tools/unit-tests/unit-psa_store.c | Adds PSA store cross-sector write test to verify size/offset bookkeeping. |
| tools/unit-tests/unit-pkcs11_store.c | Tightens read-length expectations and adds PKCS11 cross-sector write size test. |
| tools/unit-tests/unit-image.c | Adds self-header oversize rejection test and guards tests by signing configuration; adds RSA ASN.1 bounds test. |
| tools/unit-tests/unit-disk.c | Adds helpers and tests to validate GPT header CRC behavior in parser. |
| tools/unit-tests/unit-delta.c | Adds regression test for trailing escape byte in delta patch stream. |
| tools/unit-tests/unit-boot-x86_fsp.c | Adds tests for PCI capability traversal (find target, reject cycles/loops). |
| tools/unit-tests/Makefile | Adds new unit test targets and a wolfPSA include path configuration. |
| tools/delta/test-bmdiff.c | Adds a standalone test to validate bmdiff behavior on mmap failure. |
| tools/delta/bmdiff.c | Fixes incorrect variable used in mmap failure check. |
| tools/delta/Makefile | Adds build/run targets for bmdiff-test and updates clean. |
| src/update_flash.c | Ensures encryption secrets are zeroed on all exits; refactors returns via goto out. |
| src/tpm.c | Safely decodes RSA exponent bytes into a uint32_t (avoids unaligned dereference). |
| src/string.c | Fixes digit parsing logic for UART printf width/maxdigits calculation. |
| src/qspi_flash.c | Fixes per-page transfer sizing to use remaining bytes, not total length. |
| src/psa_store.c | Fixes in-sector write length computation using remaining bytes (len - written). |
| src/pkcs11_store.c | Fixes in-sector write length computation using remaining bytes (len - written). |
| src/libwolfboot.c | Adds parentheses to macro to avoid precedence surprises. |
| src/image.c | Adds constant-time comparisons, improves ASN.1 tag bounds check, and adds self-header size enforcement under fixed partitions. |
| src/gpt.c | Adds GPT header CRC32 verification to reject corrupted headers. |
| src/delta.c | Adds bounds checks to prevent reading past end of patch stream on escape sequences. |
| src/boot_x86_fsp.c | Recomputes hash before PCR extend and caps PCI capability traversal to prevent loops. |
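As an added example (not code from this PR or from wolfBoot), the following C models the write-split bug the table describes for src/psa_store.c, src/pkcs11_store.c and src/qspi_flash.c: a multi-sector write must clamp each chunk to the bytes still remaining (len - written), not to the total length. SECTOR_SIZE, the simulated flash array and the ramp pattern are assumptions chosen for the illustration.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not wolfBoot code: models the per-sector write split that the
 * PSA/PKCS11 store and QSPI page fixes in this PR correct. SECTOR_SIZE and the
 * simulated flash array are assumptions chosen for the illustration. */
#define SECTOR_SIZE 256u
#define FLASH_SIZE  (4u * SECTOR_SIZE)
static uint8_t flash[FLASH_SIZE];

/* Next chunk for a write at addr with `written` of len bytes already done. The
 * bug clamped to len instead of len - written, over-sizing later chunks. */
static size_t next_chunk(uint32_t addr, size_t len, size_t written, int fixed)
{
    uint32_t off = (addr + written) % SECTOR_SIZE;
    size_t chunk = SECTOR_SIZE - off;              /* room left in this sector */
    size_t limit = fixed ? (len - written) : len;  /* fixed==0 reproduces the bug */
    return chunk > limit ? limit : chunk;
}

/* Total bytes the write loop would emit; with fixed==0 it overshoots len
 * (reading past the caller's buffer and writing past the intended range). */
static size_t planned_total(uint32_t addr, size_t len, int fixed)
{
    size_t written = 0;
    while (written < len)
        written += next_chunk(addr, len, written, fixed);
    return written;
}
/* Corrected multi-sector write into the simulated flash; 0 on success. */
static int store_write(uint32_t addr, const uint8_t *buf, size_t len)
{
    size_t written = 0;
    if (len > FLASH_SIZE || addr > FLASH_SIZE - len)
        return -1;                                 /* request does not fit */
    while (written < len) {
        size_t chunk = next_chunk(addr, len, written, 1);
        memcpy(&flash[addr + written], buf + written, chunk);
        written += chunk;
    }
    return 0;
}

/* Writes a 100-byte ramp at 200 (straddling the first sector boundary) and
 * checks it landed intact. Returns 1 on success. */
static int demo_cross_sector_write(void)
{
    uint8_t pat[100]; size_t i;
    for (i = 0; i < sizeof(pat); i++) pat[i] = (uint8_t)i;
    if (store_write(200, pat, sizeof(pat)) != 0) return 0;
    return memcmp(&flash[200], pat, sizeof(pat)) == 0;
}
```

planned_total() with fixed==0 shows the overshoot the unit tests in this PR guard against: a 100-byte write at offset 200 would emit 156 bytes.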
Contributor
Pull request overview
Copilot reviewed 25 out of 25 changed files in this pull request and generated 1 comment.
F/220 - Improved PSA & PKCS11 store write boundary checks
F/222 - Fixed bug in bmdiff
F/229 - GPT: Verify CRC32 in header
F/230 - Self update improved size check
F/231 - Constant time public key lookup
F/235 - Fix delta wb_patch double escape corner case
F/93 - RSA: validate key size buffer when decoding signature
F/233 - Re-calculate hash before extending PCR
F/445 - Forcezero secrets from stack
F/232 - PCI: prevent loops on malformed trees
F/436 - NIT: parentheses around macro
F/368 - Fix uart printf digit count on large representation
F/221 - Fix QSPI write page, enforcing actual remaining bytes count
F/369 - Don't rely on assumption of alignment when loading RSA exponent
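Added example, not wolfBoot's src/gpt.c: a GPT header CRC32 check of the kind F/229 adds. It assumes the standard on-disk GPT layout (header_size at offset 12, header_crc32 at offset 16, CRC-32 over header_size bytes with the CRC field zeroed) and validates a constructed minimal header; the untrusted header_size is bounds-checked before it is used for any copy.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not wolfBoot's gpt.c: the header CRC32 check F/229 adds, per
 * the GPT on-disk layout (header_size at byte 12, header_crc32 at byte 16, CRC
 * over header_size bytes with that field zeroed). The sample header is built. */
#define GPT_HDR_SIZE    92u
#define GPT_SIZE_OFFSET 12u
#define GPT_CRC_OFFSET  16u

/* CRC-32 (reflected, poly 0xEDB88320, init/xorout 0xFFFFFFFF) as GPT uses. */
static uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu; size_t i; int k;
    for (i = 0; i < n; i++)
        for (c ^= p[i], k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    return ~c;
}
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* Returns 1 only if signature, header_size and header_crc32 all check out. */
static int gpt_header_valid(const uint8_t *hdr, size_t avail)
{
    uint8_t tmp[512]; uint32_t hsize;          /* header fits one 512-byte LBA */
    if (avail < GPT_HDR_SIZE || memcmp(hdr, "EFI PART", 8) != 0) return 0;
    hsize = rd32le(hdr + GPT_SIZE_OFFSET);
    if (hsize < GPT_HDR_SIZE || hsize > avail || hsize > sizeof(tmp))
        return 0;                     /* untrusted size: never feed it to memcpy */
    memcpy(tmp, hdr, hsize);
    wr32le(tmp + GPT_CRC_OFFSET, 0);  /* CRC is computed with its field zeroed */
    return crc32_ieee(tmp, hsize) == rd32le(hdr + GPT_CRC_OFFSET);
}

/* Builds a constructed minimal header with a correct CRC, optionally flips one
 * byte at flip (flip >= GPT_HDR_SIZE means untouched), and validates it. */
static int gpt_check_sample(size_t flip)
{
    uint8_t h[GPT_HDR_SIZE];
    memset(h, 0, sizeof(h));
    memcpy(h, "EFI PART", 8);
    wr32le(h + 8, 0x00010000u);       /* revision 1.0 */
    wr32le(h + GPT_SIZE_OFFSET, GPT_HDR_SIZE);
    wr32le(h + GPT_CRC_OFFSET, crc32_ieee(h, GPT_HDR_SIZE));
    if (flip < GPT_HDR_SIZE) h[flip] ^= 0x01;   /* simulate corruption */
    return gpt_header_valid(h, sizeof(h));
}
```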