Fenrir fixes #790
Merged
Fixes F#4332, F#4336, F#4709
Fixes F#4333-4335
Fixes F#5345
Fixes F#4259: cmse_nonsecure_entry doesn't intrinsically validate NS-supplied pointers, so the veneers let a hostile NS caller aim them into Secure SRAM and make wolfPKCS11 read/write secure memory. Validate every NS pointer with cmse_check_address_range() (recursing into nested pointers) and pass wolfPKCS11 only secure copies, so it never dereferences NS memory -- deep and TOCTOU-safe. Also stop leaking the secure function table via C_GetFunctionList.
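The veneer pattern the commit message describes (validate the NS pointer, snapshot the struct, validate and copy every nested pointer, hand the secure copy onward), as an added host-runnable C example that is not wolfBoot or wolfPKCS11 code: the 256-byte `ns_window` and `ns_range_ok()` are constructed stand-ins for non-secure SRAM and `cmse_check_address_range()`, and `ns_mech_t`/`sec_mech_t` are constructed types modelled loosely on `CK_MECHANISM`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed NS-side struct (CK_MECHANISM-like): carries a nested pointer that needs its own check. */
typedef struct { uint32_t mechanism; void *pParameter; size_t ulParameterLen; } ns_mech_t;
/* Secure copy handed on to wolfPKCS11-style code: owns its bytes, holds no NS pointers. */
#define PARAM_MAX 128
typedef struct { uint32_t mechanism; uint8_t param[PARAM_MAX]; size_t param_len; } sec_mech_t;
/* Constructed 256-byte window standing in for non-secure SRAM so this runs on a host. On an
 * ARMv8-M target the check is cmse_check_address_range(p, n, CMSE_NONSECURE | CMSE_MPU_READ). */
static union { ns_mech_t m; uint8_t raw[256]; } ns_window;
static int ns_range_ok(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)ns_window.raw, hi = lo + sizeof ns_window.raw;
    return a >= lo && a < hi && n <= hi - a; /* overflow-safe: never compute a + n */
}

/* Veneer-side import: validate the struct, snapshot it into secure memory, then validate and copy
 * the nested parameter. All decisions read the snapshot (no TOCTOU). Returns 0 on success, -1 else. */
int secure_import_mech(const ns_mech_t *ns_mech, sec_mech_t *out)
{
    ns_mech_t snap;
    if (!ns_range_ok(ns_mech, sizeof *ns_mech))
        return -1;
    memcpy(&snap, ns_mech, sizeof snap);
    if (snap.ulParameterLen > 0 && !ns_range_ok(snap.pParameter, snap.ulParameterLen))
        return -1;             /* nested pointer leaves NS memory, or its length overruns it */
    if (snap.ulParameterLen > PARAM_MAX)
        return -1;             /* larger than the secure bounce buffer */
    memset(out, 0, sizeof *out);
    out->mechanism = snap.mechanism;
    out->param_len = snap.ulParameterLen;
    if (snap.ulParameterLen > 0)
        memcpy(out->param, snap.pParameter, snap.ulParameterLen);
    return 0;
}

/* Constructed cases. 0: parameter inside NS memory (accepted). 1: nested pointer aimed at a
 * secure buffer (rejected). 2: length that would wrap a + n in a naive check (rejected). */
static uint8_t secure_scratch[32];
int case_import(int which, sec_mech_t *out)
{
    uint8_t *param = ns_window.raw + 64;
    memcpy(param, "iv-bytes", 8);
    ns_window.m.mechanism = 7; ns_window.m.pParameter = param; ns_window.m.ulParameterLen = 8;
    if (which == 1) ns_window.m.pParameter = secure_scratch;
    if (which == 2) ns_window.m.ulParameterLen = SIZE_MAX;
    return secure_import_mech(&ns_window.m, out);
}
```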
Pull request overview
This PR appears to address a batch of “Fenrir” issues by hardening TrustZone-M non-secure-callable boundaries (pointer/range validation and overflow-safe bounds checks), tightening update/flash boundary checks, fixing a flash write bug, and expanding unit-test coverage around update verification failure paths.
Changes:
- Add extensive TrustZone-M NSC pointer sanitization for PKCS#11 callable veneers (deep-copying mechanisms/templates, length snapshotting to avoid TOCTOU).
- Add overflow-safe bounds checks and non-secure address validation for NSC update write/erase and PSA IPC vector handling.
- Fix XSPI flash write pointer increment bug and add/update unit tests for integrity/signature rejection in update-disk flow.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tools/unit-tests/unit-update-disk.c | Adds integrity/signature failure tests; updates verify stubs to set status bits on success. |
| src/pkcs11_callable.c | Implements NSC pointer validation and deep-copy/bounce-buffer logic for PKCS#11 calls. |
| src/libwolfboot.c | Adds overflow-safe partition bounds checks and validates NS buffer pointers for NSC update writes. |
| src/elf.c | Adds overflow-safe range validation for ELF segment destination address calculations. |
| src/arm_tee_psa_ipc.c | Adds NS pointer/range checks for PSA IPC vectors before dispatch. |
| hal/nxp_ls1028a.c | Fixes XSPI flash write buffer pointer arithmetic; minor loop/local variable adjustments. |
| hal/mpfs250.c | Reworks partition boundary checks to avoid overflow in UART QSPI programmer. |
danielinux approved these changes on Jun 9, 2026
Fixes F#4257, F#4259, F#4332-4336, F#4709, F#5128, F#5345-5347, F#5350