support rsa-pss in ARMORED mode

bigbrett · bigbrett · commit fc3185b01735 · 2026-03-26T14:26:15.000-06:00
diff --git a/include/image.h b/include/image.h
@@ -478,6 +478,67 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
         asm volatile("nop"); \
     }
 
+/**
+ * Second part of RSA-PSS verification.
+ *
+ * Call wc_RsaPSS_CheckPadding twice, then confirm via
+ * wolfBoot_image_confirm_signature_ok();
+ */
+#define RSA_PSS_VERIFY_HASH(img, pss_data, pss_data_sz, hash_type) \
+    { \
+        volatile int pss_res; \
+        if (!img || !pss_data)    \
+            asm volatile("b pnope"); \
+        /* Redundant set of r0=50*/ \
+        asm volatile("mov r0, #50":::"r0"); \
+        asm volatile("mov r0, #50":::"r0"); \
+        asm volatile("mov r0, #50":::"r0"); \
+        pss_res = wc_RsaPSS_CheckPadding(img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE, \
+            pss_data, pss_data_sz, hash_type); \
+        /* Redundant checks that ensure the function actually returned 0 */ \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("bne pnope":::"cc"); \
+        asm volatile("cmp r0, #0"); \
+        asm volatile("cmp r0, #0"); \
+        asm volatile("cmp r0, #0"); \
+        asm volatile("bne pnope":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("bne pnope"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("bne pnope"); \
+        /* Repeat wc_RsaPSS_CheckPadding call */ \
+        pss_res = wc_RsaPSS_CheckPadding(img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE, \
+            pss_data, pss_data_sz, hash_type); \
+        pss_res; \
+        /* Redundant checks that ensure the function actually returned 0 */ \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("bne pnope"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("bne pnope"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("bne pnope"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("cmp r0, #0":::"cc"); \
+        asm volatile("bne pnope"); \
+        /* Confirm that the signature is OK */ \
+        wolfBoot_image_confirm_signature_ok(img); \
+        asm volatile("pnope:"); \
+        asm volatile("nop"); \
+    }
+
 /**
  * ECC / Ed / PQ signature verification.
  * Those verify functions set an additional value 'p_res'
@@ -1247,6 +1308,11 @@ static void UNUSEDFUNCTION wolfBoot_image_clear_signature_ok(
     if (XMEMCMP(img->sha_hash, digest, WOLFBOOT_SHA_DIGEST_SIZE) == 0) \
         wolfBoot_image_confirm_signature_ok(img);
 
+#define RSA_PSS_VERIFY_HASH(img, pss_data, pss_data_sz, hash_type) \
+    if (wc_RsaPSS_CheckPadding(img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE, \
+            pss_data, pss_data_sz, hash_type) == 0) \
+        wolfBoot_image_confirm_signature_ok(img);
+
 #define PART_SANITY_CHECK(p) \
     if (((p)->hdr_ok != 1) || ((p)->sha_ok != 1) || ((p)->signature_ok != 1)) \
         wolfBoot_panic()
diff --git a/src/image.c b/src/image.c
@@ -601,34 +601,29 @@ static void wolfBoot_verify_signature_rsa_pss(uint8_t key_slot,
         return;
     }
 
-    /* wolfCrypt software RSA-PSS verify */
+    /* wolfCrypt software RSA-PSS verify (two-step)
+     *
+     * Step 1 (RSA_VERIFY_FN): wc_RsaPSS_VerifyInline performs the RSA
+     * operation and PSS unmasking, returning a pointer to the PSS data and
+     * its length.
+     *
+     * Step 2 (RSA_PSS_VERIFY_HASH): wc_RsaPSS_CheckPadding verifies the PSS
+     * padding against img->sha_hash. Returns 0 on success. Both steps are
+     * armored when WOLFBOOT_ARMORED is enabled. */
     ret = wc_InitRsaKey(&rsa, NULL);
     if (ret == 0) {
         /* Import public key */
         ret = wc_RsaPublicKeyDecode((byte*)pubkey, &inOutIdx, &rsa, pubkey_sz);
         if (ret >= 0) {
             XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE);
             RSA_VERIFY_FN(ret,
-                wc_RsaPSS_VerifyCheckInline, output, RSA_IMAGE_SIGNATURE_SIZE,
-                    &digest_out, img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE,
-                    hash_type, mgf, &rsa);
+                wc_RsaPSS_VerifyInline, output, RSA_IMAGE_SIGNATURE_SIZE,
+                    &digest_out, hash_type, mgf, &rsa);
         }
     }
     wc_FreeRsaKey(&rsa);
-    /* wc_RsaPSS_VerifyCheckInline returns the PSS-verified data length on
-     * success (>= digest size), or a negative error code on failure.
-     * The hash comparison is performed internally by the function.
-     *
-     * Note: uses '>=' rather than '==' because PSS verify returns the digest
-     * size on success, unlike PKCS#1 v1.5 which returns exact decoded length.
-     *
-     * ARMORED limitation: the PKCS#1 v1.5 path uses both RSA_VERIFY_FN and
-     * RSA_VERIFY_HASH armored macros (two hardened gates), but PSS only uses
-     * RSA_VERIFY_FN because wc_RsaPSS_VerifyCheckInline performs the hash
-     * comparison internally. The branch below is not armored. Full armored
-     * hardening for PSS would require a new macro or restructuring. */
-    if (ret >= WOLFBOOT_SHA_DIGEST_SIZE && img) {
-        wolfBoot_image_confirm_signature_ok(img);
+    if (ret >= WOLFBOOT_SHA_DIGEST_SIZE && img && digest_out) {
+        RSA_PSS_VERIFY_HASH(img, digest_out, ret, hash_type);
     }
 }
 
