From b4b5c3e513cfea416461638e3ad7b5496ce3c552 Mon Sep 17 00:00:00 2001
From: William Vinnicombe
Date: Wed, 29 Jan 2025 15:10:02 +0000
Subject: [PATCH] Add hello_encrypted example
---
 CMakeLists.txt | 1 +
 encrypted/CMakeLists.txt | 6 +
 encrypted/hello_encrypted/CMakeLists.txt | 51 +++++++
 encrypted/hello_encrypted/hello_encrypted.c | 30 +++++
 encrypted/hello_encrypted/otp.json | 141 ++++++++++++++++++++
 encrypted/hello_encrypted/private.pem | 8 ++
 encrypted/hello_encrypted/privateaes.bin | Bin 0 -> 128 bytes
 encrypted/hello_encrypted/update-key.cmake | 23 ++++
 8 files changed, 260 insertions(+)
 create mode 100644 encrypted/CMakeLists.txt
 create mode 100644 encrypted/hello_encrypted/CMakeLists.txt
 create mode 100644 encrypted/hello_encrypted/hello_encrypted.c
 create mode 100644 encrypted/hello_encrypted/otp.json
 create mode 100644 encrypted/hello_encrypted/private.pem
 create mode 100644 encrypted/hello_encrypted/privateaes.bin
 create mode 100644 encrypted/hello_encrypted/update-key.cmake
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 597cb3e57..5fd8d09d0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -66,6 +66,7 @@ add_subdirectory(cmake)
 add_subdirectory(dcp)
 add_subdirectory(divider)
 add_subdirectory(dma)
+add_subdirectory(encrypted)
 add_subdirectory(flash)
 add_subdirectory(gpio)
 add_subdirectory(hstx)
diff --git a/encrypted/CMakeLists.txt b/encrypted/CMakeLists.txt
new file mode 100644
index 000000000..c7346d4ea
--- /dev/null
+++ b/encrypted/CMakeLists.txt
@@ -0,0 +1,6 @@
+if (TARGET pico_mbedtls)
+ add_subdirectory_exclude_platforms(hello_encrypted host rp2040 rp2350-riscv)
+else()
+ # Assume picotool has no signing support, if no pico_mbedtls available
+ message("Skipping encrypted example as pico_mbedtls unavailable")
+endif ()
diff --git a/encrypted/hello_encrypted/CMakeLists.txt b/encrypted/hello_encrypted/CMakeLists.txt
new file mode 100644
index 000000000..78225be50
--- /dev/null
+++ b/encrypted/hello_encrypted/CMakeLists.txt
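Review bot: `message("Skipping encrypted example as pico_mbedtls unavailable")` in the else() branch of encrypted/CMakeLists.txt uses the mode-less form, which CMake emits as a NOTICE on stderr; the skip is purely informational, so `message(STATUS "Skipping encrypted example as pico_mbedtls unavailable")` keeps it in the normal configure log where `--log-level` can filter it. The comment above it already records the assumption being made, which is good. The closing `endif ()` with an embedded space is also inconsistent with the bare `else()` two lines above; `endif()` matches the rest of the file.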
@@ -0,0 +1,51 @@
+# Example encrypted binard
+add_executable(hello_encrypted
+ hello_encrypted.c
+ )
+
+# pull in common dependencies
+target_link_libraries(hello_encrypted pico_stdlib)
+
+# enable stdio_usb and stdio_uart
+pico_enable_stdio_uart(hello_encrypted 1)
+pico_enable_stdio_usb(hello_encrypted 1)
+
+# set as no_flash binary
+pico_set_binary_type(hello_encrypted no_flash)
+
+# set version (optional)
+pico_set_binary_version(hello_encrypted MAJOR 7 MINOR 3)
+
+# set tbyb (optional)
+# target_compile_definitions(hello_encrypted PRIVATE PICO_CRT0_IMAGE_TYPE_TBYB=1)
+
+# Add command to update otp.json if privateaes.bin changes
+add_custom_command(OUTPUT ${CMAKE_CURRENT_LIST_DIR}/otp.json
+ COMMAND ${CMAKE_COMMAND} -P "${CMAKE_CURRENT_LIST_DIR}/update-key.cmake"
+ DEPENDS ${CMAKE_CURRENT_LIST_DIR}/privateaes.bin)
+# Copy that otp.json file to build directory
+add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/otp.json
+ COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_CURRENT_LIST_DIR}/otp.json" "${CMAKE_CURRENT_BINARY_DIR}/otp.json"
+ DEPENDS ${CMAKE_CURRENT_LIST_DIR}/otp.json)
+add_custom_target(hello_encrypted_otp_json DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/otp.json)
+add_dependencies(hello_encrypted hello_encrypted_otp_json)
+
+# configure otp output
+pico_set_otp_key_output_file(hello_encrypted ${CMAKE_CURRENT_BINARY_DIR}/otp.json)
+
+# sign, hash, and encrypt
+pico_sign_binary(hello_encrypted ${CMAKE_CURRENT_LIST_DIR}/private.pem)
+pico_hash_binary(hello_encrypted)
+pico_encrypt_binary(hello_encrypted
+ ${CMAKE_CURRENT_LIST_DIR}/privateaes.bin
+ EMBED
+ OTP_KEY_PAGE 29)
+
+# package uf2 in flash
+pico_package_uf2_output(hello_encrypted 0x10000000)
+
+# create map/bin/hex/uf2 file etc.
+pico_add_extra_outputs(hello_encrypted)
+
+# add url via pico_set_program_url
+example_auto_set_url(hello_encrypted)
diff --git a/encrypted/hello_encrypted/hello_encrypted.c b/encrypted/hello_encrypted/hello_encrypted.c
new file mode 100644
index 000000000..90a3db199
--- /dev/null
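Review bot: The first add_custom_command declares `${CMAKE_CURRENT_LIST_DIR}/otp.json` as its OUTPUT and regenerates it by running update-key.cmake at build time, so a build rewrites a tracked file in the source tree and a read-only checkout cannot build; if keeping the JSON next to the key is deliberate, the comment should say so, e.g. `# Rewrites the tracked otp.json in the source dir so the checked-in file stays in sync with privateaes.bin`. Both add_custom_command calls also omit `VERBATIM`, which leaves escaping of the quoted path arguments platform-dependent; add `VERBATIM` after each DEPENDS clause. The header comment `# Example encrypted binard` should read `# Example encrypted binary`. Separately, pico_sign_binary and pico_encrypt_binary consume private.pem and privateaes.bin, both of which this commit checks into the repository (the private.pem and privateaes.bin hunks below); a comment stating that these are demonstration keys shared with every holder of the repo, and that a real product must generate its own signing key and AES key and keep them out of version control, would stop the example being copied verbatim into products.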
+++ b/encrypted/hello_encrypted/hello_encrypted.c
@@ -0,0 +1,30 @@
+/**
+ * Copyright (c) 2020 Raspberry Pi (Trading) Ltd.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include
+#include
+#include "pico/stdlib.h"
+#include "pico/bootrom.h"
+#include "hardware/sync.h"
+
+int main() {
+ restore_interrupts_from_disabled(0);
+ stdio_init_all();
+
+#if PICO_CRT0_IMAGE_TYPE_TBYB
+ // If TBYB image, then buy it
+ uint8_t* buffer = malloc(4096);
+ rom_explicit_buy(buffer, 4096);
+ free(buffer);
+#endif
+
+ while (true) {
+ printf("Hello, world!\n");
+ printf("I'm a self-decrypting binary\n");
+ printf("My secret is...\n");
+ sleep_ms(1000);
+ }
+}
diff --git a/encrypted/hello_encrypted/otp.json b/encrypted/hello_encrypted/otp.json
new file mode 100644
index 000000000..466b7d85d
--- /dev/null
+++ b/encrypted/hello_encrypted/otp.json
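Review bot: On the TBYB path the result of `malloc(4096)` is handed to rom_explicit_buy() without a NULL check and the call's return value is discarded, so an allocation failure or a rejected buy is silently ignored and the image would presumably stay uncommitted — confirm against pico/bootrom.h, but the other bootrom wrappers there report failure through a status code. Something like `uint8_t *buffer = malloc(4096);` / `int rc = buffer ? rom_explicit_buy(buffer, 4096) : -1;` / `if (rc < 0) printf("explicit buy failed: %d\n", rc);` makes the outcome visible on the same stdio the rest of main() already uses. The two bare `#include` lines at the top appear with their header names missing in this rendering; check that the real file pulls in stdio.h and stdlib.h, which printf/malloc/free need. `restore_interrupts_from_disabled(0)` as the very first statement also deserves a one-line comment on why an encrypted image is entered with interrupts disabled, since nothing in this file explains it.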
@@ -0,0 +1,141 @@
+{
+ "29:0" :
+ {
+ "ecc" : true,
+ "value" :
+ [
+ "0x31",
+ "0xb6",
+ "0xd8",
+ "0x18",
+ "0x23",
+ "0x2e",
+ "0x7b",
+ "0x7c",
+ "0xa3",
+ "0xb1",
+ "0xb7",
+ "0x90",
+ "0x7b",
+ "0x2f",
+ "0x41",
+ "0xd2",
+ "0x51",
+ "0xb5",
+ "0x03",
+ "0x62",
+ "0xd6",
+ "0x21",
+ "0x0c",
+ "0xb5",
+ "0x8d",
+ "0x17",
+ "0xe6",
+ "0xd5",
+ "0x6b",
+ "0x0d",
+ "0x87",
+ "0x8d",
+ "0x2b",
+ "0x74",
+ "0xa4",
+ "0xba",
+ "0xb9",
+ "0x14",
+ "0x75",
+ "0x88",
+ "0x9b",
+ "0x05",
+ "0x2d",
+ "0x32",
+ "0x51",
+ "0xc1",
+ "0x35",
+ "0x09",
+ "0x78",
+ "0xbb",
+ "0x6d",
+ "0xc2",
+ "0xbb",
+ "0xa6",
+ "0x5e",
+ "0x95",
+ "0xa2",
+ "0x29",
+ "0x32",
+ "0x34",
+ "0x5b",
+ "0x2c",
+ "0xd3",
+ "0xf8",
+ "0x5d",
+ "0xe2",
+ "0x5f",
+ "0x23",
+ "0xeb",
+ "0x27",
+ "0xa4",
+ "0xcd",
+ "0xb0",
+ "0x8e",
+ "0xf4",
+ "0x6e",
+ "0x94",
+ "0x86",
+ "0x19",
+ "0x93",
+ "0x3a",
+ "0xd8",
+ "0x97",
+ "0x65",
+ "0x29",
+ "0x25",
+ "0x57",
+ "0x65",
+ "0x49",
+ "0x03",
+ "0xfe",
+ "0xc6",
+ "0xe9",
+ "0x8b",
+ "0xa3",
+ "0x7e",
+ "0x2b",
+ "0x53",
+ "0x80",
+ "0x68",
+ "0xdd",
+ "0x05",
+ "0x10",
+ "0x17",
+ "0xca",
+ "0xc3",
+ "0xa8",
+ "0x04",
+ "0x8d",
+ "0x12",
+ "0xaf",
+ "0xd9",
+ "0x49",
+ "0xa9",
+ "0x6d",
+ "0x90",
+ "0x7c",
+ "0xb3",
+ "0x63",
+ "0x4f",
+ "0x36",
+ "0xc5",
+ "0x00",
+ "0xb5",
+ "0x71",
+ "0x74",
+ "0xe6",
+ "0x9a"
+ ]
+ },
+ "OTP_DATA_KEY1" : [ 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7 ],
+ "OTP_DATA_KEY1_VALID" : "0x010101",
+ "PAGE29_LOCK0" : "0x494949",
+ "PAGE29_LOCK1" : "0x3d3d3d"
+}
\ No newline at end of file
diff --git a/encrypted/hello_encrypted/private.pem b/encrypted/hello_encrypted/private.pem
new file mode 100644
index 000000000..bf777d897
--- /dev/null
+++ b/encrypted/hello_encrypted/private.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQACg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHQCAQEEIAXAdiilH8wT07TESUzWPt+BY9+NcchvYU3xbnpK+CBNoAcGBSuBBAAK
+oUQDQgAEYYJtMQFGW4AB94tU3u/Qir5sRcYjBYMqCa+8gxsYd9OwMS3dqWKsnVBz
+dyy7bFWdJzXDMb9o20xRRd57Q9xSYw==
+-----END EC PRIVATE KEY-----
diff --git a/encrypted/hello_encrypted/privateaes.bin b/encrypted/hello_encrypted/privateaes.bin
new file mode 100644
index 0000000000000000000000000000000000000000..21a47756d7b947b1e8a7c3a74b0ef5edc3984f87
GIT binary patch
literal 128
zcmV-`0Du26w%8aWE_-~VvA2+WFG12#wF6?-Aq=&R7v|M#4Tp^@bfmhu6m^K31uZgB
z!8HkZyKTa|re2kzDKa!$EYtX1;$I`{C#21=j`VJnh8dGO*q3D~C0Auh1OCS8i=%!k
iQ-EmQ1rQg?!>9y}60g}wscn#avtv&-#Q?Q&bmp4XE<5l5
literal 0
HcmV?d00001
diff --git a/encrypted/hello_encrypted/update-key.cmake b/encrypted/hello_encrypted/update-key.cmake
new file mode 100644
index 000000000..40b6750fe
--- /dev/null
+++ b/encrypted/hello_encrypted/update-key.cmake
@@ -0,0 +1,23 @@
+if (CMAKE_VERSION VERSION_LESS 3.19)
+ # Check if keyfile is not the default, and print warning
+ file(READ ${CMAKE_CURRENT_LIST_DIR}/privateaes.bin key_file HEX)
+ if (NOT ${key_file} STREQUAL "31b6d818232e7b7ca3b1b7907b2f41d251b50362d6210cb58d17e6d56b0d878d2b74a4bab91475889b052d3251c1350978bb6dc2bba65e95a22932345b2cd3f85de25f23eb27a4cdb08ef46e948619933ad89765292557654903fec6e98ba37e2b538068dd051017cac3a8048d12afd949a96d907cb3634f36c500b57174e69a")
+ message(WARNING
+ "AES key not updated in otp.json file, as CMake version is < 3.19"
+ " - you will need to change the key in otp.json manually and re-run the build"
+ )
+ endif()
+else()
+ # Read the JSON file.
+ file(READ ${CMAKE_CURRENT_LIST_DIR}/otp.json json_string)
+ # Read the key file
+ file(READ ${CMAKE_CURRENT_LIST_DIR}/privateaes.bin key_file HEX)
+
+ # adds '0x' prefix, comma suffix, and quotes for every byte
+ string(REGEX REPLACE "([0-9a-f][0-9a-f])" "\"0x\\1\", " key_file ${key_file})
+ set(key_file_json "[${key_file}]")
+
+ string(JSON json_string SET ${json_string} "29:0" "value" ${key_file_json})
+
+ file(WRITE ${CMAKE_CURRENT_LIST_DIR}/otp.json ${json_string})
+endif()
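Review bot: `if (NOT ${key_file} STREQUAL "31b6…")` in the pre-3.19 branch expands key_file unquoted, so an empty or unreadable privateaes.bin collapses the test to `if(NOT STREQUAL "...")` and aborts the script with a syntax error instead of printing the intended warning; quote it as `if (NOT "${key_file}" STREQUAL "31b6…e69a")`. In the else() branch the regex replacement appends `", "` after every byte, so key_file_json ends up as `[..., "0x9a", ]`, which is not strict JSON — the checked-in otp.json suggests the parser behind string(JSON) tolerates the trailing comma, but that is leniency rather than a documented contract — and `${json_string}`, `${key_file}` and `${key_file_json}` are likewise passed unquoted to string() and file(WRITE). Building the array from a list and quoting every expansion removes both problems and needs nothing newer than the 3.19 this branch already requires:
```cmake
else()
  # … unchanged: file(READ) of otp.json and privateaes.bin …

  # one "0xNN" element per key byte, comma-joined with no trailing separator
  string(REGEX MATCHALL "[0-9a-f][0-9a-f]" key_bytes "${key_file}")
  list(TRANSFORM key_bytes PREPEND "\"0x")
  list(TRANSFORM key_bytes APPEND "\"")
  list(JOIN key_bytes ", " key_file_json)
  set(key_file_json "[${key_file_json}]")

  string(JSON json_string SET "${json_string}" "29:0" "value" "${key_file_json}")

  file(WRITE "${CMAKE_CURRENT_LIST_DIR}/otp.json" "${json_string}")
```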