
armored: harden image integrity check against fault injections #812

Merged: dgarske merged 3 commits into wolfSSL:master from danielinux:improve-armored-digest, Jul 1, 2026

@danielinux danielinux commented Jul 1, 2026

zd22067

Copilot AI review requested due to automatic review settings July 1, 2026 17:48

Copilot AI left a comment

Pull request overview

This PR strengthens wolfBoot’s image integrity verification against fault-injection attacks by adding redundant digest comparison logic and additional hardened sanity checks to ensure integrity is confirmed before signature verification proceeds.

Changes:

  • Replace the single digest compare in wolfBoot_verify_integrity() with a hardened comparison macro and a hardened success condition.
  • Add new ARMORED integrity state redundancy (not_sha_ok, canary_FEEDCAFE) plus helper setters/clearers in struct wolfBoot_image.
  • Add SHA_SANITY_CHECK() in wolfBoot_verify_authenticity() to assert integrity in a fault-hardened way before signature verification.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/image.c | Switch integrity verification to a redundant/hardened comparison flow and add an integrity sanity check before authenticity verification continues. |
| include/image.h | Extend ARMORED integrity state with redundant flags/canaries and add hardened macros for integrity verification and integrity sanity checking. |


Comment thread src/image.c
Comment thread include/image.h
@dgarske dgarske merged commit 221f2db into wolfSSL:master Jul 1, 2026
387 checks passed
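
The pattern described in the Copilot review overview above (a redundant digest comparison, a complemented flag, a canary, and a sanity check before signature verification), modeled as an added example in portable C. It is not wolfBoot's code and not part of this PR: struct img_state, digest_diff, verify_integrity, sha_sanity_check and demo are hypothetical names, and the digests are constructed.

```c
#include <stdint.h>
#include <string.h>
#define DIGEST_SZ 32u
#define CANARY    0xFEEDCAFEu
/* Hypothetical state model; only not_sha_ok and canary_FEEDCAFE are names from the PR. */
struct img_state {
    volatile uint32_t sha_ok;          /* 1 only after a confirmed match */
    volatile uint32_t not_sha_ok;      /* kept as the bitwise complement of sha_ok */
    volatile uint32_t canary_FEEDCAFE; /* written only on the success path */
};

/* Accumulate every byte difference: no early exit for a glitch to land on. */
static uint32_t digest_diff(const uint8_t *a, const uint8_t *b)
{
    volatile uint32_t acc = 0u;
    for (uint32_t i = 0; i < DIGEST_SZ; i++) acc |= (uint32_t)(a[i] ^ b[i]);
    return acc;
}

int verify_integrity(struct img_state *s, const uint8_t *calc, const uint8_t *stored)
{
    s->sha_ok = 0u; s->not_sha_ok = ~0u; s->canary_FEEDCAFE = 0u; /* fail closed */
    volatile uint32_t d1 = digest_diff(calc, stored);
    volatile uint32_t d2 = digest_diff(stored, calc); /* redundant second pass */
    if (d1 != 0u) return -1;
    if (d2 != 0u) return -1; /* skipping one branch is not enough */
    s->sha_ok = 1u; s->not_sha_ok = ~1u; s->canary_FEEDCAFE = CANARY;
    return 0;
}

/* Run before signature verification: all three words must agree. */
int sha_sanity_check(const struct img_state *s)
{
    if (s->sha_ok != 1u) return 0;
    if ((s->sha_ok ^ s->not_sha_ok) != 0xFFFFFFFFu) return 0;
    if (s->canary_FEEDCAFE != CANARY) return 0;
    return 1;
}

/* Constructed cases: 0 = match, 1 = one byte differs, 2 = mismatch + sha_ok forced to 1. */
int demo(int scenario)
{
    uint8_t calc[DIGEST_SZ], stored[DIGEST_SZ]; struct img_state st;
    memset(calc, 0xA5, sizeof calc); memset(stored, 0xA5, sizeof stored);
    if (scenario != 0) stored[31] ^= 0x01;
    (void)verify_integrity(&st, calc, stored);
    if (scenario == 2) st.sha_ok = 1u; /* simulated single-word fault */
    return sha_sanity_check(&st);
}
```

Scenario 2 is the case the redundancy exists for: a fault that sets sha_ok alone leaves not_sha_ok and the canary inconsistent, so the check still fails. A compiler may merge redundant checks written in plain C, so hardening of this kind has to be confirmed in the generated code.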