Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 33 out of 34 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (6)
tools/unit-tests/unit-update-flash.c:1
- In
test_diffbase_version_reads, the TLV header words (word) are written without converting to the image’s endianness:word_le = word;. On big-endian builds this will serialize the TLV tag/len word incorrectly and can make the test (and any header parsing it exercises) fail for the wrong reason. Convertwordviahost_to_img_u32(word)before writing, similar to howversion/delta_baseare handled.
tools/unit-tests/unit-update-flash.c:1 - In
test_diffbase_version_reads, the TLV header words (word) are written without converting to the image’s endianness:word_le = word;. On big-endian builds this will serialize the TLV tag/len word incorrectly and can make the test (and any header parsing it exercises) fail for the wrong reason. Convertwordviahost_to_img_u32(word)before writing, similar to howversion/delta_baseare handled.
tools/unit-tests/unit-update-flash.c:1 - In
test_diffbase_version_reads, the TLV header words (word) are written without converting to the image’s endianness:word_le = word;. On big-endian builds this will serialize the TLV tag/len word incorrectly and can make the test (and any header parsing it exercises) fail for the wrong reason. Convertwordviahost_to_img_u32(word)before writing, similar to howversion/delta_baseare handled.
tools/unit-tests/unit-update-flash.c:1 - The test payload writer converts
size,version, andimg_typeto image endianness, but writesmagicand the TLV header words (word) in host endianness. This makes the generated headers inconsistent on big-endian systems. To keep the test data format coherent, serializemagicand eachwordusing the same host→image conversion used by the other multi-byte fields (or write the magic as the explicit byte sequence if that’s the intended on-media representation).
tools/unit-tests/unit-update-flash.c:1 - The test payload writer converts
size,version, andimg_typeto image endianness, but writesmagicand the TLV header words (word) in host endianness. This makes the generated headers inconsistent on big-endian systems. To keep the test data format coherent, serializemagicand eachwordusing the same host→image conversion used by the other multi-byte fields (or write the magic as the explicit byte sequence if that’s the intended on-media representation).
tools/unit-tests/unit-update-flash.c:1 - The new boundary tests call
add_payload(...)without asserting success. If payload creation fails, the test may fail later with a misleading assertion. Capture and assert the return value (as done in other tests in this file) so failures are attributed correctly.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #748
Scan targets checked: wolfboot-bugs, wolfboot-consttime, wolfboot-defaults, wolfboot-mutation, wolfboot-proptest, wolfboot-src, wolfboot-zeroize
Findings: 4
4 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 33 out of 34 changed files in this pull request and generated 6 comments.
Comments suppressed due to low confidence (5)
tools/unit-tests/unit-update-flash.c:1
magicand the TLV header words (word = (len<<16)|tag) are written in native endianness, whilesize/version/img_typeare written using host-to-image conversions. On BIG_ENDIAN_ORDER hosts this will produce malformed headers (magic bytes and tag/len words will be byte-swapped relative to the expected on-flash format). To make the test data portable, write magic as"WOLF"again (endianness-agnostic) or convertWOLFBOOT_MAGICviahost_to_img_u32, and also writewordviahost_to_img_u32(or add a dedicated helper for TLV header words).
tools/unit-tests/unit-update-flash.c:1magicand the TLV header words (word = (len<<16)|tag) are written in native endianness, whilesize/version/img_typeare written using host-to-image conversions. On BIG_ENDIAN_ORDER hosts this will produce malformed headers (magic bytes and tag/len words will be byte-swapped relative to the expected on-flash format). To make the test data portable, write magic as"WOLF"again (endianness-agnostic) or convertWOLFBOOT_MAGICviahost_to_img_u32, and also writewordviahost_to_img_u32(or add a dedicated helper for TLV header words).
tools/unit-tests/unit-update-flash.c:1word_leis assigned but not actually endian-converted. If these unit tests are intended to validate big-endian handling, the TLV header word must be stored in image endianness as well (same issue as the payload writes you already converted). Replace theword_le = word;assignments with the appropriate host-to-image conversion (e.g.,word_le = host_to_img_u32(word);) so the on-flash TLV header fields are correct on big-endian hosts.
tools/unit-tests/unit-update-flash.c:1word_leis assigned but not actually endian-converted. If these unit tests are intended to validate big-endian handling, the TLV header word must be stored in image endianness as well (same issue as the payload writes you already converted). Replace theword_le = word;assignments with the appropriate host-to-image conversion (e.g.,word_le = host_to_img_u32(word);) so the on-flash TLV header fields are correct on big-endian hosts.
tools/unit-tests/unit-update-flash.c:1word_leis assigned but not actually endian-converted. If these unit tests are intended to validate big-endian handling, the TLV header word must be stored in image endianness as well (same issue as the payload writes you already converted). Replace theword_le = word;assignments with the appropriate host-to-image conversion (e.g.,word_le = host_to_img_u32(word);) so the on-flash TLV header fields are correct on big-endian hosts.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #748
Scan targets checked: wolfboot-bugs, wolfboot-consttime, wolfboot-defaults, wolfboot-mutation, wolfboot-proptest, wolfboot-src, wolfboot-zeroize
Findings: 6
6 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 33 out of 34 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (4)
tools/unit-tests/unit-update-flash.c:1
- This replaces the previous endian-agnostic
\"WOLF\"byte write with a 32-bit word write ofWOLFBOOT_MAGIC, which can become host-endian dependent. On big-endian builds, this risks writing the magic bytes in the wrong order and breaking image detection. Prefer writing the literal 4-byte sequence (as before) or explicitly encodingmagicto little-endian bytes before writing.
tools/unit-tests/unit-update-flash.c:1 - This replaces the previous endian-agnostic
\"WOLF\"byte write with a 32-bit word write ofWOLFBOOT_MAGIC, which can become host-endian dependent. On big-endian builds, this risks writing the magic bytes in the wrong order and breaking image detection. Prefer writing the literal 4-byte sequence (as before) or explicitly encodingmagicto little-endian bytes before writing.
tools/unit-tests/unit-update-flash.c:1 - The TLV header words (
len << 16 | tag) are still written using native endianness. With this PR making header/TLV consumers more endian-sensitive (and tooling encoding values as little-endian), these header words should be emitted in the image's byte order as well (typically little-endian). Consider using the existing little-endian write helpers for thesewordwrites, or applying the same host→image conversion used forsize/version/img_type.
tools/unit-tests/unit-update-flash.c:1 - The TLV header words (
len << 16 | tag) are still written using native endianness. With this PR making header/TLV consumers more endian-sensitive (and tooling encoding values as little-endian), these header words should be emitted in the image's byte order as well (typically little-endian). Consider using the existing little-endian write helpers for thesewordwrites, or applying the same host→image conversion used forsize/version/img_type.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #748
Scan targets checked: wolfboot-bugs, wolfboot-consttime, wolfboot-defaults, wolfboot-mutation, wolfboot-proptest, wolfboot-src, wolfboot-zeroize
Findings: 5
5 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 34 out of 35 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (8)
tools/unit-tests/unit-update-flash.c:1
- The test payload writer converts value fields to image endianness, but still writes the magic and TLV tag/len words (
word) in host endianness. On big-endian hosts this will emit incorrect on-flash bytes and can make tests non-portable/flaky. Consider writingmagicand each TLV header word using an explicit little-endian writer (similar toext_flash_write_le32) or converting them viahost_to_img_u32()beforehal_flash_write().
tools/unit-tests/unit-update-flash.c:1 - The test payload writer converts value fields to image endianness, but still writes the magic and TLV tag/len words (
word) in host endianness. On big-endian hosts this will emit incorrect on-flash bytes and can make tests non-portable/flaky. Consider writingmagicand each TLV header word using an explicit little-endian writer (similar toext_flash_write_le32) or converting them viahost_to_img_u32()beforehal_flash_write().
tools/unit-tests/unit-update-flash.c:1 - The test payload writer converts value fields to image endianness, but still writes the magic and TLV tag/len words (
word) in host endianness. On big-endian hosts this will emit incorrect on-flash bytes and can make tests non-portable/flaky. Consider writingmagicand each TLV header word using an explicit little-endian writer (similar toext_flash_write_le32) or converting them viahost_to_img_u32()beforehal_flash_write().
tools/unit-tests/unit-update-flash.c:1 word_leis assigned without any endian conversion, but the test name/intent implies constructing little-endian header bytes. If the header TLV word is intended to be encoded as little-endian on disk,word_leshould be written in little-endian form (e.g., via the same conversion approach used forversion_le/delta_base_le). As written, this behaves differently on big-endian hosts and may not actually test the intended encoding.
tools/unit-tests/unit-update-flash.c:1word_leis assigned without any endian conversion, but the test name/intent implies constructing little-endian header bytes. If the header TLV word is intended to be encoded as little-endian on disk,word_leshould be written in little-endian form (e.g., via the same conversion approach used forversion_le/delta_base_le). As written, this behaves differently on big-endian hosts and may not actually test the intended encoding.
tools/unit-tests/unit-update-flash.c:1word_leis assigned without any endian conversion, but the test name/intent implies constructing little-endian header bytes. If the header TLV word is intended to be encoded as little-endian on disk,word_leshould be written in little-endian form (e.g., via the same conversion approach used forversion_le/delta_base_le). As written, this behaves differently on big-endian hosts and may not actually test the intended encoding.
tools/unit-tests/unit-update-ram-nofixed.c:1- In
add_payload(), several early-return error paths occur afterwc_InitSha256_ex()succeeds but beforewc_Sha256Free(&sha)is called (e.g., failedwc_Sha256Update). This leaks the SHA context in error cases and can hide resource-management regressions. Consider using a singlecleanup:path that callswc_Sha256Free(&sha)(andext_flash_lock()if needed) before returning.
tools/unit-tests/unit-update-ram-nofixed.c:1 - In
add_payload(), several early-return error paths occur afterwc_InitSha256_ex()succeeds but beforewc_Sha256Free(&sha)is called (e.g., failedwc_Sha256Update). This leaks the SHA context in error cases and can hide resource-management regressions. Consider using a singlecleanup:path that callswc_Sha256Free(&sha)(andext_flash_lock()if needed) before returning.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
F/2565 - Harden constant-time compare accumulators (42c312e)
F/2566 - Clamp unaligned SDHCI disk I/O spans (00892c2)
F/2567 - Fix RAM fallback partition reselection (e10d9c1)
F/2568 - Fix TPM unseal handle cleanup (dc7309c)
F/2569 - loader: panic on TPM init failure (9265fe7)
F/2570 - Add final sanity checks to boot paths (f8cbad0)
F/2571 - Add partition overlap guards (41ffb2c)
F/2572 - fix inverted emergency update branch hint (6ce320e)
F/2573 - Add final sanity check in library boot path (6c9a0a0)
F/2574 - Add rollback state assertion (b4b9ba3)
F/2575 - Add update-size boundary coverage tests (7048dd6)
F/2576 - Add erased-trailer partition state regression test (c8a94d8)
F/2577 - Add delta base-version unit coverage (9421355)
F/2578 - Reset hdr_ok when image open fails (194b363)
F/2579 - test nvm sector flag invalid magic guard (6ef9e02)
F/2580 - Fix external image hdr_ok state on open failure (871f03c)
F/2581 - Fix endian handling for delta TLV consumers (2bd6274)
F/2582 - delta: reject sector sizes that overflow 16-bit match length (bc4ec50)
F/2583 - Reject oversized cert-chain TLVs in sign tool (657e337)
F/2584 - sign tool: encode header fields as little-endian (46645a0)
F/2585 - Reject oversized signature TLV lengths (cc7c3bb)
F/2586 - Fix update sector flag index truncation (af24164)
F/2587 - Fix WOLFBOOT_MAX_SPACE precedence and test (4c0f425)
F/2588 - x86: zero ATA unlock secret on all sata_unlock_disk exits (dd6444b)
F/2590 - keygen_xmss: zeroize XmssKey after free (76f0b3c)
F/2591 - dice: zero IAK stack key on all exits (84562a4)
F/2592 - dice: scrub non-IAK UDS buffer (8dbc7d6)
F/2593 - dice: zero ECC signing key context on cleanup (da2c3dd)
F/2594 - zeroize OTP UDS in stm32h5 derive path (25668dd)
F/2595 - zero entropy buffer in sata_get_random_base64 (e48c1eb)