Fix back-end for keyvaults, minor delta trailing escape, TPM seal/unseal size, elf digest timing#725
Merged
dgarske merged 13 commits intowolfSSL:masterfrom Mar 16, 2026
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes several backend and validation edge-cases across keyvault storage, delta diff generation, TPM seal/unseal auth sizing, and ELF digest verification, with accompanying unit tests.
Changes:
- Centralize and bound
_sbrk()heap growth for PSA/PKCS11 keyvault backends via a newwolfboot_store_sbrk()helper. - Fix keyvault
delete_object()to skip the metadata prefix and adjust delta diff handling for trailing ESC escape margin. - Add TPM seal/unseal auth size validation and use constant-time digest comparison for ELF image verification.
Reviewed changes
Copilot reviewed 17 out of 18 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| tools/unit-tests/unit-tpm-blob.c | Adds stubs and new tests covering oversized auth rejection for seal/unseal paths. |
| tools/unit-tests/unit-store-sbrk.c | New unit tests for the shared _sbrk helper behavior. |
| tools/unit-tests/unit-psa_store.c | Adds a regression test ensuring delete_object() ignores the metadata prefix. |
| tools/unit-tests/unit-pkcs11_store.c | Adds a similar regression test for PKCS11 keyvault delete_object(). |
| tools/unit-tests/unit-delta.c | Adds a regression test for preserving the trailing header margin when encountering ESC. |
| tools/unit-tests/Makefile | Builds and runs the new unit-store-sbrk test binary. |
| src/tpm.c | Adds auth buffer upper-bound checks for seal/unseal. |
| src/store_sbrk.h | New header for shared store allocator helper. |
| src/store_sbrk.c | New shared _sbrk helper implementing alignment and heap bounds checks. |
| src/psa_store.c | Uses wolfboot_store_sbrk() and fixes delete_object() header offset. |
| src/pkcs11_store.c | Uses wolfboot_store_sbrk() and fixes delete_object() header offset. |
| src/image.c | Uses constant-time digest comparison for ELF digest verification. |
| src/delta.c | Adds guard to avoid emitting an incomplete ESC escape when near the reserved header margin. |
| hal/stm32u5.c | Fixes OPT unlock wait loop to poll the OPTLOCK bit. |
| hal/stm32l5.c | Fixes OPT unlock wait loop to poll the OPTLOCK bit. |
| hal/stm32h5.c | Fixes OPT unlock wait loop to poll the OPTLOCK bit/register. |
| .gitignore | Extends ignored unit-test binaries list. |
Comments suppressed due to low confidence (1)
src/tpm.c:905
- wolfBoot_seal_auth() accepts
int authSzbut only checksauthSz > sizeof(buffer); a negativeauthSzwill pass these checks, be assigned intoseal_blob.handle.auth.size, and can lead to a hugeXMEMCPY()length after integer promotion. Add an explicitauthSz < 0rejection (and ideally apply the same validation to any downstream calls that acceptint authSz).
if (auth == NULL && authSz > 0)
return BAD_FUNC_ARG;
if (authSz > (int)sizeof(seal_blob.handle.auth.buffer))
return BAD_FUNC_ARG;
memset(&seal_blob, 0, sizeof(seal_blob));
seal_blob.handle.auth.size = authSz;
if (auth != NULL)
XMEMCPY(seal_blob.handle.auth.buffer, auth, authSz);
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses multiple backend correctness issues across TPM sealing/unsealing, keyvault object deletion, store allocator heap bounds, delta diff escaping margins, and improves ELF digest verification timing behavior.
Changes:
- Add heap-bounded
_sbrkhelper (store_sbrk) and wire it into PSA/PKCS11 store builds (Make + CMake). - Fix keyvault
delete_object()parsing by offsetting past the private header; add unit tests for both PSA and PKCS11 stores. - Add TPM auth-size validation (seal/unseal) and delta escape margin handling, with corresponding unit tests; switch ELF digest compare to constant-time.
Reviewed changes
Copilot reviewed 19 out of 20 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| tools/unit-tests/unit-tpm-blob.c | Adds unit tests and TPM stubs to verify oversized auth is rejected for seal/unseal paths. |
| tools/unit-tests/unit-store-sbrk.c | Introduces unit tests for the new bounded/aligned store _sbrk helper. |
| tools/unit-tests/unit-psa_store.c | Adds regression test ensuring delete_object() does not treat metadata prefix as an object header. |
| tools/unit-tests/unit-pkcs11_store.c | Same regression coverage as PSA store for keyvault delete behavior. |
| tools/unit-tests/unit-delta.c | Adds tests validating diff output preserves header margin when escaping is required. |
| tools/unit-tests/Makefile | Builds and runs the new unit-store-sbrk test binary. |
| src/tpm.c | Validates TPM auth size against buffer bounds for seal/unseal APIs. |
| src/store_sbrk.h | New header for store _sbrk helper API. |
| src/store_sbrk.c | Implements aligned, heap-bounded _sbrk helper for store backends. |
| src/psa_store.c | Uses wolfboot_store_sbrk() and fixes delete_object() header offset. |
| src/pkcs11_store.c | Uses wolfboot_store_sbrk() and fixes delete_object() header offset. |
| src/image.c | Replaces memcmp with constant-time digest comparison for ELF verification. |
| src/delta.c | Prevents writing incomplete ESC escape sequences when patch buffer is near header margin. |
| options.mk | Ensures store_sbrk.o is linked in relevant TZ PSA/PKCS11 builds. |
| lib/CMakeLists.txt | Adds WOLFBOOT_DEFS to wolfcrypt compile definitions. |
| hal/stm32u5.c | Fixes option unlock wait loop to poll OPTLOCK rather than LOCK. |
| hal/stm32l5.c | Fixes option unlock wait loop to poll OPTLOCK rather than LOCK. |
| hal/stm32h5.c | Fixes option unlock wait loop to poll OPTLOCK in OPTCR. |
| CMakeLists.txt | Conditionally includes src/store_sbrk.c for TZ PSA/PKCS11 builds. |
| .gitignore | Ignores additional unit test binaries now produced by the unit-tests Makefile. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
dgarske
requested changes
Mar 16, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes multiple backend edge cases across keyvault storage, TPM auth handling, delta diff escaping, and ELF digest comparison timing, with added/updated unit tests and build integration for a shared _sbrk helper.
Changes:
- Add TPM seal/unseal auth size validation and corresponding unit tests.
- Fix keyvault
delete_objectto account for a private header offset; add regression tests for PSA + PKCS#11 stores. - Introduce shared
store_sbrkhelper and wire it into PSA/PKCS#11 builds and unit tests; harden delta diff escape margin handling and switch ELF digest compare to constant-time.
Reviewed changes
Copilot reviewed 19 out of 20 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| tools/unit-tests/unit-tpm-blob.c | Adds unit tests for TPM auth size validation and test stubs. |
| tools/unit-tests/unit-store-sbrk.c | New unit coverage for shared sbrk helper behavior. |
| tools/unit-tests/unit-psa_store.c | Adds regression test for delete_object metadata prefix handling. |
| tools/unit-tests/unit-pkcs11_store.c | Adds same delete_object regression test for PKCS#11 store. |
| tools/unit-tests/unit-delta.c | Adds tests for diff escape header margin handling. |
| tools/unit-tests/Makefile | Builds new unit-store-sbrk test binary. |
| src/tpm.c | Adds auth size validation and copies auth into fixed buffer. |
| src/store_sbrk.h | Declares shared sbrk helper API. |
| src/store_sbrk.c | Implements shared sbrk helper with alignment + bounds checks. |
| src/psa_store.c | Uses shared sbrk helper; fixes delete_object header offset. |
| src/pkcs11_store.c | Uses shared sbrk helper; fixes delete_object header offset. |
| src/image.c | Uses constant-time digest comparison for ELF validation. |
| src/delta.c | Prevents diff from consuming header margin when escaping ESC. |
| options.mk | Adds store_sbrk.o to relevant secure build object lists. |
| lib/CMakeLists.txt | Propagates WOLFBOOT_DEFS into wolfcrypt compilation. |
| hal/stm32u5.c | Fixes OPT unlock wait condition to check OPTLOCK bit. |
| hal/stm32l5.c | Same OPT unlock wait condition fix. |
| hal/stm32h5.c | Same OPT unlock wait condition fix, using OPTCR/OPTLOCK. |
| CMakeLists.txt | Conditionally includes store_sbrk.c when TZ PKCS11/PSA enabled. |
| .gitignore | Ignores additional unit-test binaries including new unit-store-sbrk. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
dgarske
approved these changes
Mar 16, 2026
danielinux
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
F/723 - option unlock wait condition (f94d9d2)
F/724 - store delete_object header offset (3e706be)
F/725 - store _sbrk heap bounds handling (73b5ad4)
F/727 - delta trailing escape margin handling (953c9be)
F/728 - TPM seal auth size validation (7631649)
F/729 - TPM unseal auth size validation (b250d78)
F/730 - ELF image digest comparison timing (d3c47d1)