wolfSSL · dgarske · Dec 31, 2025 · Dec 31, 2025 · Dec 31, 2025 · Dec 31, 2025
diff --git a/.gitignore b/.gitignore
@@ -297,3 +297,6 @@ language.settings.xml
 .cproject
 .project
 .settings/
+
+# PolarFire SoC Device Tree Binary
+hal/mpfs.dtb
diff --git a/config/examples/polarfire_mpfs250.config b/config/examples/polarfire_mpfs250.config
@@ -31,6 +31,10 @@ NO_ARM_ASM?=0
 # Optional: Use smaller SHA512
 #CFLAGS_EXTRA+=-DUSE_SLOW_SHA512
 
+# SDCard or eMMC support via SDHCI driver
+DISK_SDCARD?=1
+DISK_EMMC?=0
+
 # DDR Address for wolfBoot to start from
 WOLFBOOT_ORIGIN?=0x80000000
 
@@ -45,20 +49,23 @@ WOLFBOOT_LOAD_ADDRESS?=0x8E000000
 WOLFBOOT_NO_PARTITIONS=1
 CFLAGS_EXTRA+=-DBOOT_PART_A=1
 CFLAGS_EXTRA+=-DBOOT_PART_B=2
-# Speed up disk partition read (512KB chunks)
+# Speed up disk partition read (512KB chunks - max DMA size)
 CFLAGS_EXTRA+=-DDISK_BLOCK_SIZE=0x80000
 
 # DTS (Device Tree)
 WOLFBOOT_LOAD_DTS_ADDRESS?=0x8A000000
 
 # Optional Encryption
+#CUSTOM_ENCRYPT_KEY=1
 #ENCRYPT=1
 #ENCRYPT_WITH_AES256=1
+#OBJS_EXTRA=src/my_custom_encrypt_key.o
 
 # Optional EMMC_SD debugging logs
 #CFLAGS_EXTRA+=-DDEBUG_MMC
 # Optional disk debugging logs
 #CFLAGS_EXTRA+=-DDEBUG_DISK
+#CFLAGS_EXTRA+=-DDISK_TEST
 
 # Used by test-application for ELF
 WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80200000

diff --git a/docs/Targets.md b/docs/Targets.md
@@ -1047,23 +1047,20 @@ int wolfBoot_get_encrypt_key(uint8_t *key, uint8_t *nonce);
 int wolfBoot_erase_encrypt_key(void);  /* called automatically by wolfBoot_success() */
 ```
 
+To use your own implementation for getting the encryption key use `CUSTOM_ENCRYPT_KEY` and `OBJS_EXTRA=src/my_custom_encrypt_key.o`. Then provide your own implementation of `int wolfBoot_get_encrypt_key(uint8_t *key, uint8_t *nonce);`
+
 To sign and encrypt an image, create a key file with the concatenated key and nonce, then use the sign tool:
 
 ```sh
-# Create key file (32-byte key + 16-byte IV for AES-256)
-echo -n "0123456789abcdef0123456789abcdef0123456789abcdef" > enc_key.der
+# Create key file (32-byte key + 16-byte nonce for AES-256)
+printf "0123456789abcdef0123456789abcdef0123456789abcdef" > /tmp/enc_key.der
 
 # Sign and encrypt
-./tools/keytools/sign --ecc384 --sha384 --aes256 --encrypt enc_key.der \
+./tools/keytools/sign --ecc384 --sha384 --aes256 --encrypt /tmp/enc_key.der \
     fitImage wolfboot_signing_private_key.der 1
 ```
 
-In your application, set the encryption key before triggering an update:
-
-```c
-wolfBoot_set_encrypt_key(enc_key, enc_iv);
-wolfBoot_update_trigger();
-```
+The result is `fitImage_v1_signed_and_encrypted.bin`, which gets placed into your OFP_A or OFP_B partitions.
 
 During boot, wolfBoot decrypts the image headers from disk to select the best candidate, loads and decrypts the full image to RAM, then verifies integrity and authenticity before booting. On successful boot, `wolfBoot_success()` clears the key from RAM.
 
@@ -1097,7 +1094,8 @@ set architecture riscv:rv64
 ### PolarFire Example Boot Output
 
 ```
-wolfBoot Version: 2.7.0 (Dec 29 2025 11:34:01)
+wolfBoot Version: 2.7.0 (Dec 31 2025 15:33:35)
+Disk encryption enabled
 Reading MBR...
 Found GPT PTE at sector 1
 Found valid boot signature in MBR
@@ -1114,12 +1112,13 @@ disk0.p3 (7_65AFFE00h@ 0_8900000)
 Total partitions on disk0: 4
 Checking primary OS image in 0,1...
 Checking secondary OS image in 0,2...
-Versions, A:1 B:1
+Versions, A:1 B:0
 Load address 0x8E000000
 Attempting boot from P:A
-Boot partition: 0x801FFD80 (sz 19767004, ver 0x1, type 0x601)
-Loading image from disk...done. (846 ms)
-Boot partition: 0x8E000000 (sz 19767004, ver 0x1, type 0x601)
+Boot partition: 0x801FFD90 (sz 19767004, ver 0x0, type 0x0)
+Loading image from disk...done. (877 ms)
+Decrypting image...done. (2894 ms)
+Boot partition: 0x8E000000 (sz 19767004, ver 0x0, type 0x0)
 Checking image integrity...done. (1507 ms)
 Verifying image signature...done. (68 ms)
 Firmware Valid.
@@ -1131,6 +1130,11 @@ Image fdt-1: 0x8A000000 (19897 bytes)
 Loading DTS: 0x8A000000 -> 0x8A000000 (19897 bytes)
 Invalid elf, falling back to raw binary
 Booting at 80200000
+FDT: Version 17, Size 19897
+FDT: Set chosen (13840), bootargs=earlycon root=/dev/mmcblk0p4 rootwait uio_pdrv_genirq.of_id=generic-uio
+FDT: Device serial: 219A437C-6AE1F1C2-8EDC4324-685B2288
+FDT: MAC0 = 00:04:A3:5B:22:88
+FDT: MAC1 = 00:04:A3:5B:22:89
 [    0.000000] Linux version 6.12.22-linux4microchip+fpga-2025.07-g032a7095303a (oe-user@oe-host) (riscv64-oe-linux-gcc (GCC) 13.3.0, GNU ld (GNU Binutils) 2.42.0.20240723) #1 SMP Tue Jul 22 10:04:20 UTC 2025
 [    0.000000] Machine model: Microchip PolarFire-SoC VIDEO Kit
 [    0.000000] SBI specification v1.0 detected
@@ -1196,9 +1200,6 @@ Benchmark complete
 
 ### PolarFire TODO
 
-* Add eMMC/SD features:
-  - eMMC support (not just SD)
-* Add support for reading serial number and modifying ethernet MAC in device tree
 * Add support for QSPI NOR flash
 * Add support for full HSS replacement using wolfboot
   - Machine level assembly startup

diff --git a/docs/encrypted_partitions.md b/docs/encrypted_partitions.md
@@ -36,6 +36,55 @@ wolfBoot upon next boot.
 Aside from setting the temporary key, the update mechanism remains the same for distributing, uploading and
 installing firmware updates through wolfBoot.
 
+### Custom encryption key storage
+
+You can use the `CUSTOM_ENCRYPT_KEY` option to implement your own functions for:
+`wolfBoot_get_encrypt_key`, `wolfBoot_set_encrypt_key` and
+`wolfBoot_erase_encrypt_key`.
+
+To enable:
+
+1) Add `CUSTOM_ENCRYPT_KEY=1` to your `.config`
+2) Add your own .c file using `OBJS_EXTRA`. For example, for your own
+   `src/custom_encrypt_key.c` add this to your `.config`:
+   `OBJS_EXTRA=src/custom_encrypt_key.o`
+
+Your custom implementation must provide these functions:
+
+```c
+int wolfBoot_set_encrypt_key(const uint8_t *key, const uint8_t *nonce);
+int wolfBoot_get_encrypt_key(uint8_t *key, uint8_t *nonce);
+int wolfBoot_erase_encrypt_key(void);
+```
+
+Example custom function for testing:
+
+```c
+#include "wolfboot/wolfboot.h"
+#include "image.h"
+
+int RAMFUNCTION wolfBoot_get_encrypt_key(uint8_t *key, uint8_t *nonce)
+{
+    int i;
+    /* Test key: "0123456789abcdef0123456789abcdef" (32 bytes for AES-256) */
+    const char test_key[] = "0123456789abcdef0123456789abcdef";
+    /* Test nonce: "0123456789abcdef" (16 bytes) */
+    const char test_nonce[] = "0123456789abcdef";
+
+    for (i = 0; i < ENCRYPT_KEY_SIZE && i < (int)sizeof(test_key); i++) {
+        key[i] = (uint8_t)test_key[i];
+    }
+    for (i = 0; i < ENCRYPT_NONCE_SIZE && i < (int)sizeof(test_nonce); i++) {
+        nonce[i] = (uint8_t)test_nonce[i];
+    }
+    return 0;
+}
+```
+
+Note: On platforms that use the src/update_disk.c loader it only reads from a
+GPT partition and with ENCRYPT=1 it only needs `wolfBoot_get_encrypt_key` implemented.
+
+
 ### Libwolfboot API
 
 The API to communicate with the bootloader from the application is expanded when this feature is enabled,