Add some checking if partition size is too large

dgarske · dgarske · commit a2d630fc6ea8 · 2026-02-10T12:39:55.000-08:00
diff --git a/Makefile b/Makefile
@@ -202,6 +202,7 @@ endif
 
 # Environment variables for sign tool
 SIGN_ENV=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) \
+		 WOLFBOOT_PARTITION_SIZE=$(WOLFBOOT_PARTITION_SIZE) \
 		 WOLFBOOT_SECTOR_SIZE=$(WOLFBOOT_SECTOR_SIZE) \
 		 ML_DSA_LEVEL=$(ML_DSA_LEVEL) \
 		 IMAGE_SIGNATURE_SIZE=$(IMAGE_SIGNATURE_SIZE) \
diff --git a/src/update_flash.c b/src/update_flash.c
@@ -639,11 +639,13 @@ static int wolfBoot_delta_update(struct wolfBoot_image *boot,
 #    endif
 #endif
 
-/* Reserve space for two sectors in case of NVM_FLASH_WRITEONCE, for redundancy */
+/* Max firmware size: partition must hold header + fw + trailer sector(s) */
 #ifndef NVM_FLASH_WRITEONCE
-    #define MAX_UPDATE_SIZE (size_t)((WOLFBOOT_PARTITION_SIZE - WOLFBOOT_SECTOR_SIZE))
+    #define MAX_UPDATE_SIZE (size_t)((WOLFBOOT_PARTITION_SIZE - \
+        IMAGE_HEADER_SIZE - WOLFBOOT_SECTOR_SIZE))
 #else
-    #define MAX_UPDATE_SIZE (size_t)((WOLFBOOT_PARTITION_SIZE - (2 *WOLFBOOT_SECTOR_SIZE)))
+    #define MAX_UPDATE_SIZE (size_t)((WOLFBOOT_PARTITION_SIZE - \
+        IMAGE_HEADER_SIZE - (2 * WOLFBOOT_SECTOR_SIZE)))
 #endif
 
 static int wolfBoot_get_total_size(struct wolfBoot_image* boot,
diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c
@@ -1739,6 +1739,30 @@ static int make_header_ex(int is_diff, uint8_t *pubkey, uint32_t pubkey_sz,
         header[header_idx++] = 0xFF;
     }
 
+    /* Check if signed image fits in partition */
+    {
+        const char *env_psize = getenv("WOLFBOOT_PARTITION_SIZE");
+        const char *env_ssize = getenv("WOLFBOOT_SECTOR_SIZE");
+        if (env_psize) {
+            uint32_t partition_sz = (uint32_t)strtol(env_psize, NULL, 0);
+            uint32_t sector_sz = env_ssize ?
+                (uint32_t)strtol(env_ssize, NULL, 0) : 0;
+            uint32_t total_img_sz = CMD.header_sz + image_sz;
+            /* Only subtract sector for trailer when sector < partition.
+             * When sector >= partition (e.g. update_ram targets), the
+             * entire partition is available for the image. */
+            uint32_t max_img_sz = (sector_sz < partition_sz) ?
+                (partition_sz - sector_sz) : partition_sz;
+            if (total_img_sz > max_img_sz) {
+                printf("Error: Image size %u (header %u + firmware %u) "
+                    "exceeds max %u (partition %u - sector %u)\n",
+                    total_img_sz, CMD.header_sz, image_sz,
+                    max_img_sz, partition_sz, sector_sz);
+                goto failure;
+            }
+        }
+    }
+
     /* Create output image */
     f = fopen(outfile, "w+b");
     if (f == NULL) {
diff --git a/tools/keytools/sign.py b/tools/keytools/sign.py
@@ -72,6 +72,8 @@
 HDR_IMG_TYPE_APP          = 0x0001
 
 WOLFBOOT_HEADER_SIZE = 256
+WOLFBOOT_PARTITION_SIZE = 0
+WOLFBOOT_SECTOR_SIZE = 0
 
 sign="auto"
 self_update=False
@@ -386,6 +388,12 @@ def make_header(image_file, fw_version, extra_fields=[]):
             val=l.split('=')[1].rstrip('\n')
             WOLFBOOT_HEADER_SIZE = int(val,0)
             print("IMAGE_HEADER_SIZE (from .config): " + str(WOLFBOOT_HEADER_SIZE))
+        if "WOLFBOOT_PARTITION_SIZE" in l and "ADDRESS" not in l:
+            val=l.split('=')[1].rstrip('\n')
+            WOLFBOOT_PARTITION_SIZE = int(val,0)
+        if "WOLFBOOT_SECTOR_SIZE" in l:
+            val=l.split('=')[1].rstrip('\n')
+            WOLFBOOT_SECTOR_SIZE = int(val,0)
 
         l = cfile.readline()
     cfile.close()
@@ -704,6 +712,24 @@ def make_header(image_file, fw_version, extra_fields=[]):
 infile.close()
 outfile.close()
 
+# Check if signed image fits in partition
+if WOLFBOOT_PARTITION_SIZE > 0:
+    img_size = os.path.getsize(image_file)
+    total_img_sz = WOLFBOOT_HEADER_SIZE + img_size
+    # Only subtract sector for trailer when sector < partition.
+    # When sector >= partition (e.g. update_ram targets), the
+    # entire partition is available for the image.
+    if WOLFBOOT_SECTOR_SIZE < WOLFBOOT_PARTITION_SIZE:
+        max_img_sz = WOLFBOOT_PARTITION_SIZE - WOLFBOOT_SECTOR_SIZE
+    else:
+        max_img_sz = WOLFBOOT_PARTITION_SIZE
+    if total_img_sz > max_img_sz:
+        print("Error: Image size %d (header %d + firmware %d) "
+            "exceeds max %d (partition %d - sector %d)" %
+            (total_img_sz, WOLFBOOT_HEADER_SIZE, img_size,
+            max_img_sz, WOLFBOOT_PARTITION_SIZE, WOLFBOOT_SECTOR_SIZE))
+        sys.exit(1)
+
 if (encrypt):
     delta_align=64
 else:
diff --git a/tools/scripts/va416x0/build_test.sh b/tools/scripts/va416x0/build_test.sh
@@ -38,6 +38,8 @@ get_config_value() {
 # Extract values from .config
 BOOT_ADDRESS=$(get_config_value "WOLFBOOT_PARTITION_BOOT_ADDRESS")
 UPDATE_ADDRESS=$(get_config_value "WOLFBOOT_PARTITION_UPDATE_ADDRESS")
+PARTITION_SIZE=$(get_config_value "WOLFBOOT_PARTITION_SIZE")
+SECTOR_SIZE=$(get_config_value "WOLFBOOT_SECTOR_SIZE")
 IMAGE_HEADER_SIZE=$(get_config_value "IMAGE_HEADER_SIZE")
 SIGN=$(get_config_value "SIGN")
 HASH=$(get_config_value "HASH")
@@ -49,7 +51,10 @@ make clean && make wolfboot.bin && make test-app/image.bin
 
 # Function to sign image
 sign_image() {
-    IMAGE_HEADER_SIZE=${IMAGE_HEADER_SIZE} ./tools/keytools/sign ${SIGN_ARG} ${HASH_ARG} test-app/image.bin wolfboot_signing_private_key.der "$1"
+    IMAGE_HEADER_SIZE=${IMAGE_HEADER_SIZE} \
+    WOLFBOOT_PARTITION_SIZE=${PARTITION_SIZE} \
+    WOLFBOOT_SECTOR_SIZE=${SECTOR_SIZE} \
+    ./tools/keytools/sign ${SIGN_ARG} ${HASH_ARG} test-app/image.bin wolfboot_signing_private_key.der "$1"
 }
 
 # Function to print summary
@@ -74,7 +79,6 @@ if [ "$MODE" = "clean" ]; then
     ${JLINK} -CommanderScript tools/scripts/va416x0/flash_va416xx.jlink
     print_summary
 else
-    PARTITION_SIZE=$(get_config_value "WOLFBOOT_PARTITION_SIZE")
     TRIGGER_ADDRESS=$(printf "0x%X" $((${UPDATE_ADDRESS} + ${PARTITION_SIZE} - 5)))
     PREV_VERSION=$((${VERSION} - 1))
     sign_image ${PREV_VERSION} && sign_image ${VERSION}
diff --git a/tools/test.mk b/tools/test.mk
@@ -1048,5 +1048,5 @@ test-size-all:
 		LIMIT=8560 NO_ARM_ASM=1
 	make keysclean
 	make clean
-	make test-size SIGN=ML_DSA ML_DSA_LEVEL=2 LIMIT=19354 \
+	make test-size SIGN=ML_DSA ML_DSA_LEVEL=2 LIMIT=19362 \
 		IMAGE_SIGNATURE_SIZE=2420 IMAGE_HEADER_SIZE?=8192
