Fixes 20260330

.github/workflows/trustzone-emulator-tests.yml

@@ -8,7 +8,7 @@ jobs:
   trustzone-emulator-tests:
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/wolfssl/wolfboot-ci-m33mu:v1.0
+      image: ghcr.io/wolfssl/wolfboot-ci-m33mu:latest
     steps:
       - uses: actions/checkout@v4
 

.gitignore

@@ -171,6 +171,11 @@ tools/unit-tests/unit-store-sbrk
 tools/unit-tests/unit-tpm-blob
 tools/unit-tests/unit-update-disk
 tools/unit-tests/unit-policy-sign
+tools/unit-tests/unit-fdt
+tools/unit-tests/unit-hal-otp
+tools/unit-tests/unit-rot-auth
+tools/unit-tests/unit-sdhci-response-bits
+tools/unit-tests/unit-tpm-check-rot-auth
 
 
 
@@ -362,3 +367,5 @@ image.ub
 system-default.dtb
 test_output/
 sdcard.img
+
+

hal/stm32h5.c

@@ -25,6 +25,7 @@
 #include <string.h>
 
 #include "hal.h"
+#include "hal_otp.h"
 #include "hal/stm32h5.h"
 #include "hal/armv8m_tz.h"
 
@@ -764,20 +765,15 @@ void hal_prepare_boot(void)
 int hal_flash_otp_set_readonly(uint32_t flashAddress, uint16_t length)
 {
     uint32_t start_block = (flashAddress - FLASH_OTP_BASE) / FLASH_OTP_BLOCK_SIZE;
-    uint32_t count = length / FLASH_OTP_BLOCK_SIZE;
+    uint32_t count = hal_otp_blocks_for_length(length, FLASH_OTP_BLOCK_SIZE);
     uint32_t bmap = 0;
     unsigned int i;
     if (start_block + count > 32)
         return -1;
 
-    if ((length % FLASH_OTP_BLOCK_SIZE) != 0)
-    {
-        count++;
-    }
-
     /* Turn on the bits */
     for (i = start_block; i < (start_block + count); i++) {
-        bmap |= (1 << i);
+        bmap |= (1U << i);
     }
     /* Enable OTP write protection for the selected blocks */
     while ((bmap & FLASH_OTPBLR_CUR) != bmap) {

include/hal_otp.h

@@ -0,0 +1,35 @@
+/* hal_otp.h
+ *
+ * OTP helper definitions.
+ *
+ * Copyright (C) 2026 wolfSSL Inc.
+ *
+ * This file is part of wolfBoot.
+ *
+ * wolfBoot is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfBoot is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFBOOT_HAL_OTP_H
+#define WOLFBOOT_HAL_OTP_H
+
+#include <stdint.h>
+
+static inline uint32_t hal_otp_blocks_for_length(uint32_t length,
+    uint32_t block_size)
+{
+    return (length + block_size - 1U) / block_size;
+}
+
+#endif /* WOLFBOOT_HAL_OTP_H */

src/fdt.c

@@ -522,9 +522,26 @@ const char* fdt_get_name(const void *fdt, int nodeoffset, int *len)
 
 const char* fdt_get_string(const void *fdt, int stroffset, int *lenp)
 {
-    const char *s = (const char*)fdt + fdt_off_dt_strings(fdt) + stroffset;
+    uint32_t strsize = fdt_size_dt_strings(fdt);
+    const char *s;
+    const char *end;
+
+    if ((stroffset < 0) || ((uint32_t)stroffset >= strsize)) {
+        if (lenp)
+            *lenp = -FDT_ERR_BADOFFSET;
+        return NULL;
+    }
+
+    s = (const char*)fdt + fdt_off_dt_strings(fdt) + stroffset;
+    end = memchr(s, '\0', strsize - (uint32_t)stroffset);
+    if (end == NULL) {
+        if (lenp)
+            *lenp = -FDT_ERR_BADSTRUCTURE;
+        return NULL;
+    }
+
     if (lenp) {
-        *lenp = (int)strlen(s);
+        *lenp = (int)(end - s);
     }
     return s;
 }

src/libwolfboot.c

@@ -1882,7 +1882,7 @@ int pkcs11_crypto_init(void)
     };
     CK_ULONG search_attr_count = sizeof(search_attr) / sizeof(*search_attr);
     CK_ULONG obj_count = 0;
-    int pkcs11_intiialized = 0, session_opened = 0, logged_in = 0;
+    int pkcs11_initialized = 0, session_opened = 0, logged_in = 0;
 
     if (encrypt_initialized)
         return 0;

src/pkcs11_store.c

@@ -244,7 +244,7 @@ static uint8_t *find_object_buffer(int32_t type, uint32_t tok_id, uint32_t obj_i
 {
     struct obj_hdr *hdr = NODES_TABLE;
     uint32_t *tok_obj_stored = NULL;
-    while ((uintptr_t)hdr < ((uintptr_t)NODES_TABLE + WOLFBOOT_SECTOR_SIZE)) {
+    while ((uintptr_t)hdr < ((uintptr_t)vault_base + WOLFBOOT_SECTOR_SIZE)) {
         if ((hdr->token_id == tok_id) && (hdr->object_id == obj_id)
                 && (hdr->type == type)) {
             tok_obj_stored = (uint32_t *) (vault_base + (2 * WOLFBOOT_SECTOR_SIZE) + (hdr->pos * KEYVAULT_OBJ_SIZE));
@@ -275,7 +275,7 @@ static struct obj_hdr *find_object_header(int32_t type, uint32_t tok_id,
         uint32_t obj_id)
 {
     struct obj_hdr *hdr = NODES_TABLE;
-    while ((uintptr_t)hdr < ((uintptr_t)NODES_TABLE + WOLFBOOT_SECTOR_SIZE)) {
+    while ((uintptr_t)hdr < ((uintptr_t)vault_base + WOLFBOOT_SECTOR_SIZE)) {
         if ((hdr->token_id == tok_id) && (hdr->object_id == obj_id)
                 && (hdr->type == type)) {
             return hdr;

src/psa_store.c

@@ -243,7 +243,7 @@ static uint8_t *find_object_buffer(int32_t type, uint32_t tok_id, uint32_t obj_i
 {
     struct obj_hdr *hdr = NODES_TABLE;
     uint32_t *tok_obj_stored = NULL;
-    while ((uintptr_t)hdr < ((uintptr_t)NODES_TABLE + WOLFBOOT_SECTOR_SIZE)) {
+    while ((uintptr_t)hdr < ((uintptr_t)vault_base + WOLFBOOT_SECTOR_SIZE)) {
         if ((hdr->token_id == tok_id) && (hdr->object_id == obj_id)
                 && (hdr->type == type)) {
             tok_obj_stored = (uint32_t *) (vault_base + (2 * WOLFBOOT_SECTOR_SIZE) + (hdr->pos * KEYVAULT_OBJ_SIZE));
@@ -274,7 +274,7 @@ static struct obj_hdr *find_object_header(int32_t type, uint32_t tok_id,
         uint32_t obj_id)
 {
     struct obj_hdr *hdr = NODES_TABLE;
-    while ((uintptr_t)hdr < ((uintptr_t)NODES_TABLE + WOLFBOOT_SECTOR_SIZE)) {
+    while ((uintptr_t)hdr < ((uintptr_t)vault_base + WOLFBOOT_SECTOR_SIZE)) {
         if ((hdr->token_id == tok_id) && (hdr->object_id == obj_id)
                 && (hdr->type == type)) {
             return hdr;

src/sdhci.c

@@ -565,7 +565,7 @@ static uint32_t sdhci_get_response_bits(int from, int count)
     resp[3] = SDHCI_REG(SDHCI_SRS07);
 
     ret = resp[off] >> shft;
-    if ((from + shft) > 32) {
+    if ((shft + count) > 32) {
         ret |= resp[off + 1] << ((32 - shft) % 32);
     }
     return ret & mask;

src/tpm.c

@@ -1546,7 +1546,11 @@ int wolfBoot_check_rot(int key_slot, uint8_t* pubkey_hint)
     memset(&nv, 0, sizeof(nv));
     nv.handle.hndl = WOLFBOOT_TPM_KEYSTORE_NV_BASE + key_slot;
 #ifdef WOLFBOOT_TPM_KEYSTORE_AUTH
-    nv.handle.auth.size = (UINT16)strlen(WOLFBOOT_TPM_KEYSTORE_AUTH);
+    size_t auth_sz = strlen(WOLFBOOT_TPM_KEYSTORE_AUTH);
+    if (auth_sz > (size_t)UINT16_MAX ||
+        auth_sz > sizeof(nv.handle.auth.buffer))
+        return BAD_FUNC_ARG;
+    nv.handle.auth.size = (UINT16)auth_sz;
     memcpy(nv.handle.auth.buffer, WOLFBOOT_TPM_KEYSTORE_AUTH,
         nv.handle.auth.size);
 #endif

tools/tpm/rot.c

@@ -148,6 +148,10 @@ static int TPM2_Boot_SecureROT_Example(TPMI_RH_NV_AUTH authHandle, word32 nvBase
         /* Setup a read/lock structure */
         XMEMSET(&nv, 0, sizeof(nv));
         nv.handle.hndl = handle;
+        if (authBufSz > (int)sizeof(nv.handle.auth.buffer)) {
+            rc = BAD_FUNC_ARG;
+            goto exit;
+        }
         nv.handle.auth.size = authBufSz;
         XMEMCPY(nv.handle.auth.buffer, authBuf, nv.handle.auth.size);
 

tools/unit-tests/Makefile

@@ -42,14 +42,15 @@ endif
 
 
 
-TESTS:=unit-parser unit-extflash unit-string unit-spi-flash unit-aes128 \
+TESTS:=unit-parser unit-fdt unit-extflash unit-string unit-spi-flash unit-aes128 \
        unit-aes256 unit-chacha20 unit-pci unit-mock-state unit-sectorflags \
        unit-image unit-image-rsa unit-nvm unit-nvm-flagshome unit-enc-nvm \
        unit-enc-nvm-flagshome unit-delta unit-update-flash \
        unit-update-flash-enc unit-update-ram unit-pkcs11_store unit-psa_store unit-disk \
        unit-update-disk unit-multiboot unit-boot-x86-fsp unit-qspi-flash unit-tpm-rsa-exp \
        unit-image-nopart unit-image-sha384 unit-image-sha3-384 unit-store-sbrk \
-       unit-tpm-blob unit-policy-sign
+       unit-tpm-blob unit-policy-sign unit-rot-auth unit-sdhci-response-bits unit-hal-otp
+TESTS+=unit-tpm-check-rot-auth
 
 all: $(TESTS)
 
@@ -78,6 +79,7 @@ unit-aes128:CFLAGS+=-DEXT_ENCRYPTED -DENCRYPT_WITH_AES128
 unit-aes256:CFLAGS+=-DEXT_ENCRYPTED -DENCRYPT_WITH_AES256
 unit-chacha20:CFLAGS+=-DEXT_ENCRYPTED -DENCRYPT_WITH_CHACHA
 unit-parser:CFLAGS+=-DNVM_FLASH_WRITEONCE
+unit-fdt:CFLAGS+=-DWOLFBOOT_FDT
 unit-nvm:CFLAGS+=-DNVM_FLASH_WRITEONCE -DMOCK_PARTITIONS
 unit-nvm-flagshome:CFLAGS+=-DNVM_FLASH_WRITEONCE -DMOCK_PARTITIONS -DFLAGS_HOME
 unit-enc-nvm:CFLAGS+=-DNVM_FLASH_WRITEONCE -DMOCK_PARTITIONS -DEXT_ENCRYPTED \
@@ -111,6 +113,10 @@ unit-extflash.o: FORCE
 unit-parser: ../../include/target.h unit-parser.c
 	gcc -o $@ $^ $(CFLAGS) $(LDFLAGS)
 
+unit-fdt: ../../include/target.h unit-fdt.c ../../src/fdt.c
+	gcc -o $@ $^ $(CFLAGS) -ffunction-sections -fdata-sections $(LDFLAGS) \
+		-Wl,--gc-sections
+
 unit-extflash: ../../include/target.h unit-extflash.c
 	gcc -o $@ $^ $(CFLAGS) $(LDFLAGS)
 
@@ -126,6 +132,12 @@ unit-tpm-rsa-exp: ../../include/target.h unit-tpm-rsa-exp.c
 		-DWOLFBOOT_HASH_SHA256 \
 		-ffunction-sections -fdata-sections $(LDFLAGS) -Wl,--gc-sections
 
+unit-tpm-check-rot-auth: ../../include/target.h unit-tpm-check-rot-auth.c
+	gcc -o $@ $^ $(CFLAGS) -I$(WOLFBOOT_LIB_WOLFTPM) -DWOLFBOOT_TPM \
+		-DWOLFTPM_USER_SETTINGS -DWOLFBOOT_TPM_VERIFY -DWOLFBOOT_SIGN_RSA2048 \
+		-DWOLFBOOT_HASH_SHA256 \
+		-ffunction-sections -fdata-sections $(LDFLAGS) -Wl,--gc-sections
+
 unit-tpm-blob: ../../include/target.h unit-tpm-blob.c
 	gcc -o $@ $^ $(CFLAGS) -I$(WOLFBOOT_LIB_WOLFTPM) -DWOLFBOOT_TPM \
 		-DWOLFTPM_USER_SETTINGS -DWOLFBOOT_TPM_SEAL -DWOLFBOOT_SIGN_RSA2048 \
@@ -139,12 +151,25 @@ unit-policy-sign: ../../include/target.h unit-policy-sign.c \
 		-DHAVE_ECC_KEY_IMPORT \
 		-ffunction-sections -fdata-sections $(LDFLAGS) -Wl,--gc-sections
 
+unit-rot-auth: ../../include/target.h unit-rot-auth.c \
+		$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/memory.c
+	gcc -o $@ $^ -I../tpm $(CFLAGS) -I$(WOLFBOOT_LIB_WOLFTPM) -DWOLFBOOT_TPM \
+		-DWOLFTPM_USER_SETTINGS -DWOLFBOOT_SIGN_ECC256 -DWOLFBOOT_HASH_SHA256 \
+		-ffunction-sections -fdata-sections $(LDFLAGS) -Wl,--gc-sections
+
 unit-store-sbrk: unit-store-sbrk.c ../../src/store_sbrk.c
 	gcc -o $@ $^ $(CFLAGS) $(LDFLAGS)
 
 unit-string: ../../include/target.h unit-string.c
 	gcc -o $@ $^ $(CFLAGS) -DDEBUG_UART -DPRINTF_ENABLED $(LDFLAGS)
 
+unit-sdhci-response-bits: ../../include/target.h unit-sdhci-response-bits.c
+	gcc -o $@ $^ $(CFLAGS) -ffunction-sections -fdata-sections $(LDFLAGS) \
+		-Wl,--gc-sections
+
+unit-hal-otp: ../../include/target.h unit-hal-otp.c
+	gcc -o $@ $^ $(CFLAGS) $(LDFLAGS)
+
 unit-aes128: ../../include/target.h unit-extflash.c
 	gcc -o $@ $^ $(CFLAGS) $(LDFLAGS)
 

tools/unit-tests/unit-fdt.c

@@ -0,0 +1,104 @@
+/* unit-fdt.c
+ *
+ * Unit tests for flattened device tree helpers.
+ *
+ * Copyright (C) 2026 wolfSSL Inc.
+ *
+ * This file is part of wolfBoot.
+ *
+ * wolfBoot is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfBoot is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include <check.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "../../include/fdt.h"
+
+void wolfBoot_printf(const char *fmt, ...)
+{
+    (void)fmt;
+}
+
+START_TEST(test_fdt_get_string_rejects_out_of_range_offset)
+{
+    struct {
+        struct fdt_header hdr;
+        char strings[8];
+        char after[4];
+    } blob;
+    int len = 1234;
+    const char *s;
+
+    memset(&blob, 0, sizeof(blob));
+    fdt_set_off_dt_strings(&blob, sizeof(blob.hdr));
+    fdt_set_size_dt_strings(&blob, sizeof(blob.strings));
+    memcpy(blob.strings, "chosen", sizeof("chosen"));
+    blob.after[0] = 'X';
+    blob.after[1] = '\0';
+
+    s = fdt_get_string(&blob, (int)sizeof(blob.strings), &len);
+
+    ck_assert_ptr_null(s);
+    ck_assert_int_eq(len, -FDT_ERR_BADOFFSET);
+}
+END_TEST
+
+START_TEST(test_fdt_get_string_returns_string_with_valid_offset)
+{
+    struct {
+        struct fdt_header hdr;
+        char strings[16];
+    } blob;
+    int len = -1;
+    const char *s;
+
+    memset(&blob, 0, sizeof(blob));
+    fdt_set_off_dt_strings(&blob, sizeof(blob.hdr));
+    fdt_set_size_dt_strings(&blob, sizeof(blob.strings));
+    memcpy(blob.strings, "serial\0console\0", 15);
+
+    s = fdt_get_string(&blob, 7, &len);
+
+    ck_assert_ptr_nonnull(s);
+    ck_assert_str_eq(s, "console");
+    ck_assert_int_eq(len, 7);
+}
+END_TEST
+
+static Suite *fdt_suite(void)
+{
+    Suite *s = suite_create("fdt");
+    TCase *tc = tcase_create("fdt");
+
+    tcase_add_test(tc, test_fdt_get_string_rejects_out_of_range_offset);
+    tcase_add_test(tc, test_fdt_get_string_returns_string_with_valid_offset);
+    suite_add_tcase(s, tc);
+
+    return s;
+}
+
+int main(void)
+{
+    int fails;
+    Suite *s = fdt_suite();
+    SRunner *sr = srunner_create(s);
+
+    srunner_run_all(sr, CK_NORMAL);
+    fails = srunner_ntests_failed(sr);
+    srunner_free(sr);
+
+    return fails;
+}