fw: Add pointer argument NULL checks

2025-08-08 22:52:24 -04:00 · 2025-04-09 15:22:33 +02:00 · 2025-04-09 15:22:33 +02:00 · b865111c0f
commit b865111c0f
parent e52b68650f
7 changed files with 97 additions and 0 deletions
--- a/hw/application_fpga/fw/tk1/auth_app.c
+++ b/hw/application_fpga/fw/tk1/auth_app.c
@ -3,6 +3,7 @@

 #include <stdbool.h>
 #include <stdint.h>
+#include <tkey/assert.h>
 #include <tkey/lib.h>
 #include <tkey/tk1_mem.h>

@ -17,6 +18,9 @@ static volatile uint32_t *cdi = (volatile uint32_t *)TK1_MMIO_TK1_CDI_FIRST;
 * Requires that the CDI is already calculated and stored */
 static void calculate_auth_digest(uint8_t *nonce, uint8_t *auth_digest)
 {
+	assert(nonce != NULL);
+	assert(auth_digest != NULL);
+
 	blake2s_ctx ctx = {0};

 	// Generate a 16 byte authentication digest
@ -29,6 +33,7 @@ static void calculate_auth_digest(uint8_t *nonce, uint8_t *auth_digest)
 /* Generates a 16 byte nonce */
 static void generate_nonce(uint32_t *nonce)
 {
+	assert(nonce != NULL);

 	for (uint8_t i = 0; i < 4; i++) {
 		nonce[i] = rng_get_word();
@ -39,6 +44,8 @@ static void generate_nonce(uint32_t *nonce)
 * already calculated and stored */
 void auth_app_create(struct auth_metadata *auth_table)
 {
+	assert(auth_table != NULL);
+
 	uint8_t nonce[16];
 	uint8_t auth_digest[16];

@ -54,6 +61,8 @@ void auth_app_create(struct auth_metadata *auth_table)

 bool auth_app_authenticate(struct auth_metadata *auth_table)
 {
+	assert(auth_table != NULL);
+
 	uint8_t auth_digest[16];

 	calculate_auth_digest(auth_table->nonce, auth_digest);
--- a/hw/application_fpga/fw/tk1/flash.c
+++ b/hw/application_fpga/fw/tk1/flash.c
@ -4,6 +4,7 @@
 #include <stdbool.h>
 #include <stddef.h>
 #include <stdint.h>
+#include <tkey/assert.h>
 #include <tkey/tk1_mem.h>

 #include "flash.h"
@ -128,6 +129,8 @@ void flash_powerdown(void)

 void flash_read_manufacturer_device_id(uint8_t *device_id)
 {
+	assert(device_id != NULL);
+
 	uint8_t tx_buf[4] = {0x00};
 	tx_buf[0] = READ_MANUFACTURER_ID;

@ -136,6 +139,8 @@ void flash_read_manufacturer_device_id(uint8_t *device_id)

 void flash_read_jedec_id(uint8_t *jedec_id)
 {
+	assert(jedec_id != NULL);
+
 	uint8_t tx_buf = READ_JEDEC_ID;

 	spi_transfer(&tx_buf, sizeof(tx_buf), NULL, 0, jedec_id, 3);
@ -143,6 +148,8 @@ void flash_read_jedec_id(uint8_t *jedec_id)

 void flash_read_unique_id(uint8_t *unique_id)
 {
+	assert(unique_id != NULL);
+
 	uint8_t tx_buf[5] = {0x00};
 	tx_buf[0] = READ_UNIQUE_ID;

@ -151,6 +158,8 @@ void flash_read_unique_id(uint8_t *unique_id)

 void flash_read_status(uint8_t *status_reg)
 {
+	assert(status_reg != NULL);
+
 	uint8_t tx_buf = READ_STATUS_REG_1;

 	spi_transfer(&tx_buf, sizeof(tx_buf), NULL, 0, status_reg, 1);
@ -161,6 +170,10 @@ void flash_read_status(uint8_t *status_reg)

 int flash_read_data(uint32_t address, uint8_t *dest_buf, size_t size)
 {
+	if (dest_buf == NULL) {
+		return -1;
+	}
+
 	uint8_t tx_buf[4] = {0x00};
 	tx_buf[0] = READ_DATA;
 	tx_buf[1] = (address >> ADDR_BYTE_3_BIT) & 0xFF;
@ -174,6 +187,10 @@ int flash_read_data(uint32_t address, uint8_t *dest_buf, size_t size)
 // zero.
 int flash_write_data(uint32_t address, uint8_t *data, size_t size)
 {
+	if (data == NULL) {
+		return -1;
+	}
+
 	if (size <= 0 || size > 4096) {
 		return -1;
 	}
--- a/hw/application_fpga/fw/tk1/mgmt_app.c
+++ b/hw/application_fpga/fw/tk1/mgmt_app.c
@ -21,6 +21,10 @@ static const uint8_t allowed_app_digest[32] = {
 static uint8_t current_app_digest[32];

 int mgmt_app_init(uint8_t app_digest[32]) {
+	if (app_digest == NULL) {
+		return -1;
+	}
+
 	if (memeq(app_digest, allowed_app_digest, 32)) {
 		memcpy_s(current_app_digest, sizeof(current_app_digest), app_digest, 32);
 		return 0;
--- a/hw/application_fpga/fw/tk1/partition_table.c
+++ b/hw/application_fpga/fw/tk1/partition_table.c
@ -23,6 +23,10 @@ void part_digest(struct partition_table *part_table, uint8_t *out_digest, size_t
 		0, 0, 0, 0, 0, 0, 0, 0,
 		0, 0, 0, 0, 0, 0, 0, 0,
 	};
+
+	assert(part_table != NULL);
+	assert(out_digest != NULL);
+
 	blake2err = blake2s(out_digest, out_len,
 	key, sizeof(key), part_table, sizeof(struct partition_table));

@ -43,6 +47,10 @@ int part_table_read(struct partition_table_storage *storage)
 	};
 	uint8_t check_digest[PART_DIGEST_SIZE];

+	if (storage == NULL) {
+		return -1;
+	}
+
 	flash_release_powerdown();
 	memset(storage, 0x00, sizeof(*storage));

@ -70,6 +78,10 @@ int part_table_write(struct partition_table_storage *storage)
 		ADDR_PARTITION_TABLE_1,
 	};

+	if (storage == NULL) {
+		return -1;
+	}
+
 	part_digest(&storage->table, storage->check_digest, sizeof(storage->check_digest));

 	for (int i = 0; i < 2; i ++) {
--- a/hw/application_fpga/fw/tk1/preload_app.c
+++ b/hw/application_fpga/fw/tk1/preload_app.c
@ -20,6 +20,10 @@ static uint32_t slot_to_start_address(uint8_t slot) {
 /* Loads a preloaded app from flash to app RAM */
 int preload_load(struct partition_table *part_table, uint8_t from_slot)
 {
+	if (part_table == NULL) {
+		return -5;
+	}
+
 	if (from_slot >= N_PRELOADED_APP) {
 		return -4;
 	}
@ -44,6 +48,10 @@ int preload_load(struct partition_table *part_table, uint8_t from_slot)
 int preload_store(struct partition_table *part_table, uint32_t offset,
 		  uint8_t *data, size_t size, uint8_t to_slot)
 {
+	if (part_table == NULL || data == NULL) {
+		return -5;
+	}
+
 	if (to_slot >= N_PRELOADED_APP) {
 		return -4;
 	}
@ -78,6 +86,10 @@ int preload_store_finalize(struct partition_table_storage *part_table_storage, s
 {
 	struct partition_table *part_table = &part_table_storage->table;

+	if (part_table == NULL || app_digest == NULL || app_signature == NULL) {
+		return -5;
+	}
+
 	if (to_slot >= N_PRELOADED_APP) {
 		return -4;
 	}
@ -116,6 +128,10 @@ int preload_delete(struct partition_table_storage *part_table_storage, uint8_t s
 {
 	struct partition_table *part_table = &part_table_storage->table;

+	if (part_table_storage == NULL) {
+		return -5;
+	}
+
 	if (slot >= N_PRELOADED_APP) {
 		return -4;
 	}
@ -149,6 +165,10 @@ int preload_delete(struct partition_table_storage *part_table_storage, uint8_t s
 }

 int preload_get_digsig(struct partition_table *part_table, uint8_t app_digest[32], uint8_t app_signature[64], uint8_t slot) {
+	if (part_table == NULL || app_digest == NULL || app_signature == NULL) {
+		return -5;
+	}
+
 	if (slot >= N_PRELOADED_APP) {
 		return -4;
 	}
--- a/hw/application_fpga/fw/tk1/spi.c
+++ b/hw/application_fpga/fw/tk1/spi.c
@ -2,6 +2,7 @@
 // SPDX-License-Identifier: GPL-2.0-only

 #include "spi.h"
+#include <tkey/assert.h>
 #include <tkey/tk1_mem.h>

 #include <stddef.h>
@ -33,6 +34,8 @@ static void spi_disable(void)

 static void spi_write(uint8_t *cmd, size_t size)
 {
+	assert(cmd != NULL);
+
 	for (size_t i = 0; i < size; i++) {
 		while (!spi_ready()) {
 		}
@ -47,6 +50,7 @@ static void spi_write(uint8_t *cmd, size_t size)

 static void spi_read(uint8_t *buf, size_t size)
 {
+	assert(buf != NULL);

 	while (!spi_ready()) {
 	}
--- a/hw/application_fpga/fw/tk1/storage.c
+++ b/hw/application_fpga/fw/tk1/storage.c
@ -16,6 +16,9 @@
 * returned. */
 static int get_first_empty(struct partition_table *part_table)
 {
+	if (part_table == NULL) {
+		return -4;
+	}

 	for (uint8_t i = 0; i < N_STORAGE_AREA; i++) {
 		if (part_table->app_storage[i].status == 0x00) {
@ -26,6 +29,10 @@ static int get_first_empty(struct partition_table *part_table)
 }

 static int index_to_address(int index, uint32_t *address) {
+	if (address == NULL) {
+		return -4;
+	}
+
 	if ((index < 0) || (index >= N_STORAGE_AREA)) {
 		return -1;
 	}
@ -39,6 +46,10 @@ static int index_to_address(int index, uint32_t *address) {
 * authenticated -1 is returned. */
 static int storage_get_area(struct partition_table *part_table)
 {
+	if (part_table == NULL) {
+		return -4;
+	}
+
 	for (uint8_t i = 0; i < N_STORAGE_AREA; i++) {
 		if (part_table->app_storage[i].status != 0x00) {
 			if (auth_app_authenticate(
@ -54,6 +65,10 @@ static int storage_get_area(struct partition_table *part_table)
 * if an area already was allocated, and negative values for errors. */
 int storage_allocate_area(struct partition_table_storage *part_table_storage)
 {
+	if (part_table_storage == NULL) {
+		return -4;
+	}
+
 	struct partition_table *part_table = &part_table_storage->table;

 	if (storage_get_area(part_table) != -1) {
@ -93,6 +108,10 @@ int storage_allocate_area(struct partition_table_storage *part_table_storage)
 * non-zero on errors. */
 int storage_deallocate_area(struct partition_table_storage *part_table_storage)
 {
+	if (part_table_storage == NULL) {
+		return -4;
+	}
+
 	struct partition_table *part_table = &part_table_storage->table;

 	int index = storage_get_area(part_table);
@ -134,6 +153,10 @@ int storage_deallocate_area(struct partition_table_storage *part_table_storage)
 int storage_erase_sector(struct partition_table *part_table, uint32_t offset,
 			 size_t size)
 {
+	if (part_table == NULL) {
+		return -4;
+	}
+
 	int index = storage_get_area(part_table);
 	if (index == -1) {
 		/* No allocated area */
@ -182,6 +205,10 @@ int storage_erase_sector(struct partition_table *part_table, uint32_t offset,
 int storage_write_data(struct partition_table *part_table, uint32_t offset,
 		       uint8_t *data, size_t size)
 {
+	if (part_table == NULL || data == NULL) {
+		return -4;
+	}
+
 	int index = storage_get_area(part_table);
 	if (index == -1) {
 		/* No allocated area */
@ -215,6 +242,10 @@ int storage_write_data(struct partition_table *part_table, uint32_t offset,
 int storage_read_data(struct partition_table *part_table, uint32_t offset,
 		      uint8_t *data, size_t size)
 {
+	if (part_table == NULL || data == NULL) {
+		return -4;
+	}
+
 	int index = storage_get_area(part_table);
 	if (index == -1) {
 		/* No allocated area */