Add support for creating self-decrypting binaries, and use 4-way AES key shares instead of just the AES key (#207)

Note: this is not the final commit for this functionality, so use with caution for now

* Use 4-way key shares for AES private keys

The privateaes.bin key file is now 4x256bit numbers (A,B,C,D), and the AES key X is A^B^C^D

* Remove check that ELF segments are between metadata blocks

This is not required, as you can still load data outside of the region between the metadata blocks which contain the binary - for example, loading code into scratch memory.

* Add enc_bootloader binary

You can now use `picotool encrypt --embed ...` to create a self-decrypting binary, using enc_bootloader

* Specify file types where useful for untyped files (json, pem, bin)

* Implement FIB workaround by storing inverse of row n in row n+32 of each OTP page

* Only delete existing load_maps when encrypting

These only cause issues when encrypting, as the old block needs to be included in the new load_map

When signing, the old load_map can be used again without issue


* Throw clearer error when using picotool >2.1.1 with SDK <=2.1.1

This is required due to 2.1.0 and 2.1.1 SDK releases pointing at picotool develop branch rather than the respective picotool releases (raspberrypi/pico-sdk#2401)

---------

Co-authored-by: Graham Sanderson <graham.sanderson@raspberrypi.com>

Author: will-v-pi

.github/workflows/test.yml

@@ -73,6 +73,9 @@ jobs:
           picotool info -a flash_nuke.uf2
 
   test-examples:
+    # Prevent running twice for PRs from same repo
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+    name: Test Build Examples
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

BUILD.bazel

@@ -17,6 +17,20 @@ picotool_binary_data_header(
     out = "xip_ram_perms_elf.h",
 )
 
+# TODO: Make it possible to build the prebuilt from source.
+picotool_binary_data_header(
+    name = "enc_bootloader_elf",
+    src = "//enc_bootloader:enc_bootloader_prebuilt",
+    out = "enc_bootloader_elf.h",
+)
+
+# TODO: Make it possible to build the prebuilt from source.
+picotool_binary_data_header(
+    name = "enc_bootloader_mbedtls_elf",
+    src = "//enc_bootloader:enc_bootloader_mbedtls_prebuilt",
+    out = "enc_bootloader_mbedtls_elf.h",
+)
+
 # TODO: Make it possible to build the prebuilt from source.
 picotool_binary_data_header(
     name = "flash_id_bin",
@@ -26,9 +40,9 @@ picotool_binary_data_header(
 
 cc_library(
     name = "xip_ram_perms",
-    srcs = ["xip_ram_perms.cpp"],
+    srcs = ["get_xip_ram_perms.cpp"],
     hdrs = [
-        "xip_ram_perms.h",
+        "get_xip_ram_perms.h",
         "xip_ram_perms_elf.h",
     ],
     deps = [
@@ -37,6 +51,20 @@ cc_library(
     ],
 )
 
+cc_library(
+    name = "enc_bootloader",
+    srcs = ["get_enc_bootloader.cpp"],
+    hdrs = [
+        "get_enc_bootloader.h",
+        "enc_bootloader_elf.h",
+        "enc_bootloader_mbedtls_elf.h",
+    ],
+    deps = [
+        "//bazel:data_locs",
+        "//lib/whereami",
+    ],
+)
+
 filegroup(
     name = "data_locs_header",
     srcs = ["data_locs.h"],
@@ -61,7 +89,8 @@ cc_binary(
         "otp.cpp",
         "otp.h",
         "rp2350.rom.h",
-        "xip_ram_perms.cpp",
+        "get_xip_ram_perms.cpp",
+        "get_enc_bootloader.cpp",
     ] + select({
         # MSVC can't handle long strings, so use this manually generated
         # header instead.
@@ -97,6 +126,7 @@ cc_binary(
     }),
     deps = [
         ":xip_ram_perms",
+        ":enc_bootloader",
         "//bazel:data_locs",
         "//bintool",
         "//elf",

CMakeLists.txt

@@ -42,7 +42,6 @@ endif()
 
 # todo better install paths for this
 set(DATA_LOCS "./" "${CMAKE_INSTALL_PREFIX}/${INSTALL_DATADIR}/")
-message(${DATA_LOCS})
 string(REGEX REPLACE ";" "\",\"" DATA_LOCS_VEC "${DATA_LOCS}")
 configure_file(data_locs.template.cpp ${CMAKE_CURRENT_BINARY_DIR}/data_locs.cpp)
 
@@ -57,11 +56,49 @@ endif()
 
 list(APPEND CMAKE_MODULE_PATH ${CMAKE_CURRENT_LIST_DIR}/cmake)
 
+add_subdirectory(lib)
+
+if (NOT DEFINED USE_PRECOMPILED)
+    set(USE_PRECOMPILED true)
+endif()
+
+# compile enc_bootloader.elf
+ExternalProject_Add(enc_bootloader
+        PREFIX enc_bootloader
+        SOURCE_DIR ${CMAKE_CURRENT_LIST_DIR}/enc_bootloader
+        BINARY_DIR ${CMAKE_BINARY_DIR}/enc_bootloader
+        CMAKE_ARGS 
+            "-DCMAKE_MAKE_PROGRAM:FILEPATH=${CMAKE_MAKE_PROGRAM}"
+            "-DPICO_SDK_PATH:FILEPATH=${PICO_SDK_PATH}"
+            "-DUSE_PRECOMPILED:BOOL=${USE_PRECOMPILED}"
+            "-DUSE_MBEDTLS=0"
+            "-DPICO_DEBUG_INFO_IN_RELEASE=OFF"
+        BUILD_ALWAYS 1 # todo remove this
+        INSTALL_COMMAND ""
+        )
+
+set(ENC_BOOTLOADER_ELF ${CMAKE_BINARY_DIR}/enc_bootloader/enc_bootloader.elf)
+
+if (TARGET mbedtls)
+    ExternalProject_Add(enc_bootloader_mbedtls
+            PREFIX enc_bootloader_mbedtls
+            SOURCE_DIR ${CMAKE_CURRENT_LIST_DIR}/enc_bootloader
+            BINARY_DIR ${CMAKE_BINARY_DIR}/enc_bootloader_mbedtls
+            CMAKE_ARGS 
+                "-DCMAKE_MAKE_PROGRAM:FILEPATH=${CMAKE_MAKE_PROGRAM}"
+                "-DPICO_SDK_PATH:FILEPATH=${PICO_SDK_PATH}"
+                "-DUSE_PRECOMPILED:BOOL=${USE_PRECOMPILED}"
+                "-DUSE_MBEDTLS=1"
+                "-DPICO_DEBUG_INFO_IN_RELEASE=OFF"
+            BUILD_ALWAYS 1 # todo remove this
+            INSTALL_COMMAND ""
+            )
+
+    set(ENC_BOOTLOADER_MBEDTLS_ELF ${CMAKE_BINARY_DIR}/enc_bootloader_mbedtls/enc_bootloader.elf)
+endif()
+
 if (NOT PICOTOOL_NO_LIBUSB)
     # compile xip_ram_perms.elf
-    if (NOT DEFINED USE_PRECOMPILED)
-        set(USE_PRECOMPILED true)
-    endif()
     ExternalProject_Add(xip_ram_perms
             PREFIX xip_ram_perms
             SOURCE_DIR ${CMAKE_CURRENT_LIST_DIR}/xip_ram_perms
@@ -76,14 +113,6 @@ if (NOT PICOTOOL_NO_LIBUSB)
             )
 
     set(XIP_RAM_PERMS_ELF ${CMAKE_BINARY_DIR}/xip_ram_perms/xip_ram_perms.elf)
-    add_executable(xip_ram_perms_elf IMPORTED)
-    add_dependencies(xip_ram_perms_elf xip_ram_perms)
-    set_property(TARGET xip_ram_perms_elf PROPERTY IMPORTED_LOCATION ${XIP_RAM_PERMS_ELF})
-    # copy xip_ram_perms.elf into build directory
-    add_custom_command(TARGET xip_ram_perms
-        COMMAND ${CMAKE_COMMAND} -E copy ${XIP_RAM_PERMS_ELF} ${CMAKE_BINARY_DIR}/xip_ram_perms.elf
-        DEPENDS xip_ram_perms
-    )
 
     # compile flash_id
     ExternalProject_Add(flash_id
@@ -100,14 +129,6 @@ if (NOT PICOTOOL_NO_LIBUSB)
             )
 
     set(FLASH_ID_BIN ${CMAKE_BINARY_DIR}/picoboot_flash_id/flash_id.bin)
-    add_executable(flash_id_bin IMPORTED)
-    add_dependencies(flash_id_bin flash_id)
-    set_property(TARGET flash_id_bin PROPERTY IMPORTED_LOCATION ${FLASH_ID_BIN})
-    # copy flash_id.bin into build directory
-    add_custom_command(TARGET flash_id
-        COMMAND ${CMAKE_COMMAND} -E copy ${FLASH_ID_BIN} ${CMAKE_BINARY_DIR}/flash_id.bin
-        DEPENDS flash_id
-    )
 
     # We want to generate headers from WELCOME.HTM etc.
     ExternalProject_Add(otp_header_parser
@@ -169,7 +190,16 @@ if (NOT PICOTOOL_NO_LIBUSB)
     endif()
 endif()
 
-add_custom_target(binary_data DEPENDS
+if (TARGET mbedtls)
+    add_custom_target(embedded_data_no_libusb DEPENDS
+            ${CMAKE_CURRENT_BINARY_DIR}/enc_bootloader_elf.h
+            ${CMAKE_CURRENT_BINARY_DIR}/enc_bootloader_mbedtls_elf.h)
+else()
+    add_custom_target(embedded_data_no_libusb DEPENDS
+            ${CMAKE_CURRENT_BINARY_DIR}/enc_bootloader_elf.h)
+endif()
+
+add_custom_target(embedded_data DEPENDS
         ${CMAKE_CURRENT_BINARY_DIR}/rp2350.rom.h
         ${CMAKE_CURRENT_BINARY_DIR}/xip_ram_perms_elf.h
         ${CMAKE_CURRENT_BINARY_DIR}/flash_id_bin.h)
@@ -188,6 +218,22 @@ add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/xip_ram_perms_elf.h
         DEPENDS xip_ram_perms
         COMMENT "Configuring xip_ram_perms_elf.h"
         VERBATIM)
+add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/enc_bootloader_elf.h
+        COMMAND ${CMAKE_COMMAND}
+            -D BINARY_FILE=${ENC_BOOTLOADER_ELF}
+            -D OUTPUT_NAME=enc_bootloader_elf
+            -P ${CMAKE_CURRENT_LIST_DIR}/cmake/binh.cmake
+        DEPENDS enc_bootloader
+        COMMENT "Configuring enc_bootloader_elf.h"
+        VERBATIM)
+add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/enc_bootloader_mbedtls_elf.h
+        COMMAND ${CMAKE_COMMAND}
+            -D BINARY_FILE=${ENC_BOOTLOADER_MBEDTLS_ELF}
+            -D OUTPUT_NAME=enc_bootloader_mbedtls_elf
+            -P ${CMAKE_CURRENT_LIST_DIR}/cmake/binh.cmake
+        DEPENDS enc_bootloader_mbedtls
+        COMMENT "Configuring enc_bootloader_mbedtls_elf.h"
+        VERBATIM)
 add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/flash_id_bin.h
         COMMAND ${CMAKE_COMMAND}
             -D BINARY_FILE=${FLASH_ID_BIN}
@@ -203,8 +249,6 @@ add_subdirectory(picoboot_connection)
 add_subdirectory(elf)
 add_subdirectory(elf2uf2)
 
-add_subdirectory(lib)
-
 add_subdirectory(bintool)
 
 if (NOT PICOTOOL_NO_LIBUSB)
@@ -228,11 +272,13 @@ target_include_directories(regs_headers INTERFACE ${PICO_SDK_PATH}/src/rp2350/ha
 # Main picotool executable
 add_executable(picotool
     data_locs.cpp
+    get_enc_bootloader.cpp
     ${OTP_EXE}
     main.cpp)
+add_dependencies(picotool embedded_data_no_libusb)
 if (NOT PICOTOOL_NO_LIBUSB)
-    target_sources(picotool PRIVATE xip_ram_perms.cpp)
-    add_dependencies(picotool generate_otp_header xip_ram_perms_elf binary_data)
+    target_sources(picotool PRIVATE get_xip_ram_perms.cpp)
+    add_dependencies(picotool generate_otp_header embedded_data)
 endif()
 set(PROJECT_VERSION 2.1.2-develop)
 set(PICOTOOL_VERSION 2.1.2-develop)
@@ -327,6 +373,21 @@ install(FILES
     DESTINATION ${INSTALL_CONFIGDIR}
 )
 
+#Install enc_bootloader.elf
+install(FILES
+    ${ENC_BOOTLOADER_ELF}
+    DESTINATION ${INSTALL_DATADIR}
+)
+
+if (TARGET mbedtls)
+    #Install enc_bootloader_mbedtls.elf
+    install(FILES
+        ${ENC_BOOTLOADER_MBEDTLS_ELF}
+        DESTINATION ${INSTALL_DATADIR}
+        RENAME enc_bootloader_mbedtls.elf
+    )
+endif()
+
 if (NOT PICOTOOL_NO_LIBUSB)
     if (NOT PICOTOOL_CODE_OTP)
         #Install the otp json