diff --git a/doc/testplan-zephyr.rst b/doc/testplan-zephyr.rst new file mode 100644 index 00000000..8ea52742 --- /dev/null +++ b/doc/testplan-zephyr.rst 
@@ -0,0 +1,164 @@ +Zephyr Test Plan +================ + +The following roughly describes how mcuboot is tested on Zephyr. The +testing is done with the code in ``samples/zephyr``. These examples +were written using the FRDM-K64F, but other boards should be similar. +At this time, however, the partitions are hardcoded in the Makefile +targets to flash. + +Note that at the time of release of 0.9.0-rc2, the change `MPU flash +write`_ had not been merged. This change fixes a problem interaction +between the MPU and the flash drivers. Without this change, if the +MPU is enabled (the default), the bootloader will abort immediately on +boot, generally before printing any messages. + +.. _MPU flash write: https://github.com/zephyrproject-rtos/zephyr/pull/654 + +At this time, most of the test variants are done by modifying either +the code or Makefiles. A future goal is to automate this testing. + +Sanity Check +------------ + +Begin by running make in ``samples/zephyr``:: + + $ make clean + $ make all + +This will result in three binaries: ``mcuboot.bin``, +``signed-hello1.bin``, and ``signed-hello2.bin``. + +The second file is marked as an "upgrade" by the image tool, so +has an appended image trailer. + +Begin by doing a full erase, and programming the first image:: + + $ pyocd-flashtool -ce + $ make flash_boot + +After it resets, look for "main: Starting bootloader", a few debug +messages, and lastly: "main: Unable to find bootable image". + +Then, load hello1:: + + $ make flash_hello1 + +This should print "main: Jumping to the first image slot", and you +should get an image "Hello World number 1!". + +For kicks, program slot 2's image into slot one. This has to be done +manually, and it is good to verify these addresses in the Makefile:: + + $ pyocd-flashtool -a 0x20000 signed-hello1.bin + +This should boot, printing "Upgraded hello!". 
+ +Now put back image 1, and put image 2 in as the upgrade:: + + $ make flash_hello1 + $ make flash_hello2 + +This should print a message: "boot_swap_type: Swap type: test", and +you should see "Upgraded hello!". + +Now reset the target:: + + $ pyocd-tool reset + +And you should see a revert and "Hello world number 1" running. + +Repeat this, to make sure we can mark the image as OK, and that a +revert doesn't happen:: + + $ make flash_hello1 + $ make flash_hello2 + +We should have just booted the Upgraded hello. Mark this as OK:: + + $ pyocd-flashtool -a 0x7ffe8 image_ok.bin + $ pyocd-tool reset + +And make sure this stays in the "Upgraded hello" image. + +Other Signature Combinations +---------------------------- + +.. note:: Make sure you don't have changes in your tree, as the + following step will undo them. + +As part of the above sanity check, we have tested the RSA signature +algorithm, along with the new RSA-PSS signature algorithm. To test +other configurations, we need to make some modifications to the code. +This is easiest to do by applying some patches (in +``testplan/zephyr``). For each of these patches, perform something +along the lines of:: + + $ cd ../.. + $ git apply testplan/zephyr/0001-try-rsa-pkcs1-v15.patch + $ cd samples/zephyr + $ make clean + $ make all + $ pyocd-flashtool -ce + $ make flash_boot + $ make flash_hello1 + +Make sure image one boots if it is supposed to (and doesn't if it is +not supposed to). Then try the upgrade:: + + $ make flash_hello2 + +After this, make sure that the the image does or doesn't perform the +upgrade (see test table below). + +After the upgrade runs, reset to make sure the revert works (or +doesn't for the noted cases below):: + + $ pyocd-tool reset + +Then undo the change:: + + $ cd ../.. + $ git checkout -- . + +and repeat the above steps for each patch. + +The following patches are available: + +.. list-table:: Test configurations + :header-rows: 1 + + * - Patch + - hello1 boot? + - Upgrade? 
+ * - 0001-bad-old-rsa-in-boot-not-in-image.patch + - no + - no + * - 0001-bad-old-RSA-no-slot0-check.patch + - yes + - no + * - 0001-good-rsa-pkcs-v1.5-good.patch + - yes + - yes + * - 0001-bad-ECDSA-P256-bootloader-not-in-images.patch + - no + - no + * - 0001-partial-ECDSA-P256-bootloader-slot0-ok-slot1-bad.patch + - yes + - no + * - 0001-good-ECDSA-P256-bootloader-images-signed.patch + - yes + - yes + * - 0001-partial-ECDSA-P256-bootloader-slot-0-bad-sig.patch + - no + - yes[1]_ + * - 0001-partial-ECDSA-P256-bootloader-slot-1-bad-sig.patch + - yes + - no + * - 0001-partial-ECDSA-P256-slot-0-bad-no-verification.patch + - no + - yes[1]_ + +.. [1] These tests with hello1 bad should perform an upgrade when + hello2 is flashed, but they should not revert the image + afterwards. diff --git a/testplan/zephyr/0001-bad-ECDSA-P256-bootloader-not-in-images.patch b/testplan/zephyr/0001-bad-ECDSA-P256-bootloader-not-in-images.patch new file mode 100644 index 00000000..68f4816a --- /dev/null +++ b/testplan/zephyr/0001-bad-ECDSA-P256-bootloader-not-in-images.patch 
@@ -0,0 +1,39 @@ +From 66f6f44bcea43ac991aa025d634fb98de964be05 Mon Sep 17 00:00:00 2001 +From: David Brown +Date: Thu, 27 Jul 2017 10:05:47 -0600 +Subject: [PATCH] bad: ECDSA P256 bootloader, not in images + +This configures the bootloader to require an ECDSA P256 signature, but +does not sign the images with it. Neither should boot. +--- + Makefile | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Makefile b/Makefile +index 1e9ec42..b0adf05 100644 +--- a/Makefile ++++ b/Makefile +@@ -9,16 +9,16 @@ + # lines there, and comment out any other blocks. + + # RSA +-CONF_FILE = boot/zephyr/prj.conf +-CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS ++#CONF_FILE = boot/zephyr/prj.conf ++#CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS + + # Newer uses should use the RSA-PSS signature algorithm. This define + # enables (and requires) this type of signature. + #CFLAGS += -DMCUBOOT_RSA_PKCS1_15 + + # ECDSA P-256 +-#CONF_FILE = boot/zephyr/prj-p256.conf +-#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT ++CONF_FILE = boot/zephyr/prj-p256.conf ++CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT + + # Enable this option to have the bootloader verify the signature of + # the primary image upon every boot. Without it, signature +-- +2.11.0 + diff --git a/testplan/zephyr/0001-bad-old-RSA-no-slot0-check.patch b/testplan/zephyr/0001-bad-old-RSA-no-slot0-check.patch new file mode 100644 index 00000000..12e57aba --- /dev/null +++ b/testplan/zephyr/0001-bad-old-RSA-no-slot0-check.patch 
@@ -0,0 +1,37 @@ +From a170ab0b596e480445a9b9e2fca6ca937034192c Mon Sep 17 00:00:00 2001 +From: David Brown +Date: Thu, 27 Jul 2017 09:56:30 -0600 +Subject: [PATCH] bad: old RSA no slot0 check + +This builds the bootloader with the old RSA signature type, but not the +images. It also disables verification of slot 0, so the image in slot 0 +should boot, but it should not perform an upgrade. +--- + Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index 1e9ec42..d6e5876 100644 +--- a/Makefile ++++ b/Makefile +@@ -14,7 +14,7 @@ CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS + + # Newer uses should use the RSA-PSS signature algorithm. This define + # enables (and requires) this type of signature. +-#CFLAGS += -DMCUBOOT_RSA_PKCS1_15 ++CFLAGS += -DMCUBOOT_RSA_PKCS1_15 + + # ECDSA P-256 + #CONF_FILE = boot/zephyr/prj-p256.conf +@@ -23,7 +23,7 @@ CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS + # Enable this option to have the bootloader verify the signature of + # the primary image upon every boot. Without it, signature + # verification only happens on upgrade. +-CFLAGS += -DMCUBOOT_VALIDATE_SLOT0 ++# CFLAGS += -DMCUBOOT_VALIDATE_SLOT0 + + # Enabling this option uses newer flash map APIs. This saves RAM and + # avoids deprecated API usage. +-- +2.11.0 + diff --git a/testplan/zephyr/0001-bad-old-rsa-in-boot-not-in-image.patch b/testplan/zephyr/0001-bad-old-rsa-in-boot-not-in-image.patch new file mode 100644 index 00000000..99d9d51f --- /dev/null +++ b/testplan/zephyr/0001-bad-old-rsa-in-boot-not-in-image.patch 
@@ -0,0 +1,28 @@ +From 8f3c2f2fe9ade9ff6fe2a37b39318b0186d08efb Mon Sep 17 00:00:00 2001 +From: David Brown +Date: Thu, 27 Jul 2017 09:50:48 -0600 +Subject: [PATCH] bad: old rsa in boot, not in image + +This patch makes the bootloader use the old signature style, but does +not modify the images. Neither image should boot. + +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 1e9ec42..db97832 100644 +--- a/Makefile ++++ b/Makefile +@@ -14,7 +14,7 @@ CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS + + # Newer uses should use the RSA-PSS signature algorithm. This define + # enables (and requires) this type of signature. +-#CFLAGS += -DMCUBOOT_RSA_PKCS1_15 ++CFLAGS += -DMCUBOOT_RSA_PKCS1_15 + + # ECDSA P-256 + #CONF_FILE = boot/zephyr/prj-p256.conf +-- +2.11.0 + diff --git a/testplan/zephyr/0001-good-ECDSA-P256-bootloader-images-signed.patch b/testplan/zephyr/0001-good-ECDSA-P256-bootloader-images-signed.patch new file mode 100644 index 00000000..80a4aa5b --- /dev/null +++ b/testplan/zephyr/0001-good-ECDSA-P256-bootloader-images-signed.patch 
@@ -0,0 +1,62 @@ +From 5c9fd9690623165c3d1be4d3d219bb0d0c57647d Mon Sep 17 00:00:00 2001 +From: David Brown +Date: Thu, 27 Jul 2017 10:05:47 -0600 +Subject: [PATCH] good: ECDSA P256 bootloader, images signed + +This configures the bootloader to require an ECDSA P256 signature, and +both images signed properly. Both should work. +--- + Makefile | 8 ++++---- + samples/zephyr/Makefile | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/Makefile b/Makefile +index 1e9ec42..b0adf05 100644 +--- a/Makefile ++++ b/Makefile +@@ -9,16 +9,16 @@ + # lines there, and comment out any other blocks. + + # RSA +-CONF_FILE = boot/zephyr/prj.conf +-CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS ++#CONF_FILE = boot/zephyr/prj.conf ++#CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS + + # Newer uses should use the RSA-PSS signature algorithm. This define + # enables (and requires) this type of signature. + #CFLAGS += -DMCUBOOT_RSA_PKCS1_15 + + # ECDSA P-256 +-#CONF_FILE = boot/zephyr/prj-p256.conf +-#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT ++CONF_FILE = boot/zephyr/prj-p256.conf ++CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT + + # Enable this option to have the bootloader verify the signature of + # the primary image upon every boot. 
Without it, signature +diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile +index 7678615..1b90b7e 100644 +--- a/samples/zephyr/Makefile ++++ b/samples/zephyr/Makefile +@@ -102,7 +102,7 @@ clean_boot: check + hello1: check + $(MAKE) -C hello1 BOARD=$(BOARD) -j$(nproc) + $(IMGTOOL) sign \ +- --key $(SIGNING_KEY) \ ++ --key ../../root-ec-p256.pem \ + --header-size $(BOOT_HEADER_LEN) \ + --align $(FLASH_ALIGNMENT) \ + --version 1.2 \ +@@ -121,7 +121,7 @@ clean_hello1: check + hello2: check + $(MAKE) -C hello2 BOARD=$(BOARD) -j$(nproc) + $(IMGTOOL) sign \ +- --key $(SIGNING_KEY) \ ++ --key ../../root-ec-p256.pem \ + --header-size $(BOOT_HEADER_LEN) \ + --align $(FLASH_ALIGNMENT) \ + --version 1.2 \ +-- +2.11.0 + diff --git a/testplan/zephyr/0001-good-rsa-pkcs-v1.5-good.patch b/testplan/zephyr/0001-good-rsa-pkcs-v1.5-good.patch new file mode 100644 index 00000000..fa491f9d --- /dev/null +++ b/testplan/zephyr/0001-good-rsa-pkcs-v1.5-good.patch 
@@ -0,0 +1,48 @@ +From 950796d68430c2a2778689ee00560d2f455937d4 Mon Sep 17 00:00:00 2001 +From: David Brown +Date: Thu, 27 Jul 2017 10:01:23 -0600 +Subject: [PATCH] good: rsa pkcs v1.5 good + +This builds the bootloader and each image with the older PKCS v1.5 +signature format. Both the image and the upgrade should work. +--- + Makefile | 2 +- + samples/zephyr/Makefile | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 1e9ec42..db97832 100644 +--- a/Makefile ++++ b/Makefile +@@ -14,7 +14,7 @@ CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS + + # Newer uses should use the RSA-PSS signature algorithm. This define + # enables (and requires) this type of signature. +-#CFLAGS += -DMCUBOOT_RSA_PKCS1_15 ++CFLAGS += -DMCUBOOT_RSA_PKCS1_15 + + # ECDSA P-256 + #CONF_FILE = boot/zephyr/prj-p256.conf +diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile +index 7678615..07bb71c 100644 +--- a/samples/zephyr/Makefile ++++ b/samples/zephyr/Makefile +@@ -106,6 +106,7 @@ hello1: check + --header-size $(BOOT_HEADER_LEN) \ + --align $(FLASH_ALIGNMENT) \ + --version 1.2 \ ++ --rsa-pkcs1-15 \ + --included-header \ + hello1/outdir/$(BOARD)/zephyr.bin \ + signed-hello1.bin +@@ -125,6 +126,7 @@ hello2: check + --header-size $(BOOT_HEADER_LEN) \ + --align $(FLASH_ALIGNMENT) \ + --version 1.2 \ ++ --rsa-pkcs1-15 \ + --included-header \ + --pad 0x60000 \ + hello2/outdir/$(BOARD)/zephyr.bin \ +-- +2.11.0 + diff --git a/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot-0-bad-sig.patch b/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot-0-bad-sig.patch new file mode 100644 index 00000000..1188bef0 --- /dev/null +++ b/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot-0-bad-sig.patch 
@@ -0,0 +1,76 @@ +From 26115ff2752b40a5727bc9cf5c76300b30e04d09 Mon Sep 17 00:00:00 2001 +From: David Brown +Date: Thu, 27 Jul 2017 10:05:47 -0600 +Subject: [PATCH] partial: ECDSA P256 bootloader, slot 0 bad sig + +This configures the bootloader to require an ECDSA P256 signature, with +hello1 having an invalid signature. Slot 0 should fail to boot, but the +upgrade should work. +--- + Makefile | 8 ++++---- + bad-ec-p256.pem | 5 +++++ + samples/zephyr/Makefile | 4 ++-- + 3 files changed, 11 insertions(+), 6 deletions(-) + create mode 100644 bad-ec-p256.pem + +diff --git a/Makefile b/Makefile +index 1e9ec42..b0adf05 100644 +--- a/Makefile ++++ b/Makefile +@@ -9,16 +9,16 @@ + # lines there, and comment out any other blocks. + + # RSA +-CONF_FILE = boot/zephyr/prj.conf +-CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS ++#CONF_FILE = boot/zephyr/prj.conf ++#CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS + + # Newer uses should use the RSA-PSS signature algorithm. This define + # enables (and requires) this type of signature. + #CFLAGS += -DMCUBOOT_RSA_PKCS1_15 + + # ECDSA P-256 +-#CONF_FILE = boot/zephyr/prj-p256.conf +-#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT ++CONF_FILE = boot/zephyr/prj-p256.conf ++CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT + + # Enable this option to have the bootloader verify the signature of + # the primary image upon every boot. 
Without it, signature +diff --git a/bad-ec-p256.pem b/bad-ec-p256.pem +new file mode 100644 +index 0000000..333f41f +--- /dev/null ++++ b/bad-ec-p256.pem +@@ -0,0 +1,5 @@ ++-----BEGIN EC PRIVATE KEY----- ++MHcCAQEEILmqmiH6y3EGhLkTcnNtU7hZ1wnc51MIL53npseRX7vJoAoGCCqGSM49 ++AwEHoUQDQgAEcX9ExNjZfsckp6AdutjPjVJsvP6ZZkKfLsGnRpKR+9OpO9/qmJHs ++ks+ZXo70SEANjWnNlxKNAVci8aUm8UskLw== ++-----END EC PRIVATE KEY----- +diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile +index 7678615..f84314d 100644 +--- a/samples/zephyr/Makefile ++++ b/samples/zephyr/Makefile +@@ -102,7 +102,7 @@ clean_boot: check + hello1: check + $(MAKE) -C hello1 BOARD=$(BOARD) -j$(nproc) + $(IMGTOOL) sign \ +- --key $(SIGNING_KEY) \ ++ --key ../../bad-ec-p256.pem \ + --header-size $(BOOT_HEADER_LEN) \ + --align $(FLASH_ALIGNMENT) \ + --version 1.2 \ +@@ -121,7 +121,7 @@ clean_hello1: check + hello2: check + $(MAKE) -C hello2 BOARD=$(BOARD) -j$(nproc) + $(IMGTOOL) sign \ +- --key $(SIGNING_KEY) \ ++ --key ../../root-ec-p256.pem \ + --header-size $(BOOT_HEADER_LEN) \ + --align $(FLASH_ALIGNMENT) \ + --version 1.2 \ +-- +2.11.0 + diff --git a/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot-1-bad-sig.patch b/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot-1-bad-sig.patch new file mode 100644 index 00000000..3d836588 --- /dev/null +++ b/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot-1-bad-sig.patch 
@@ -0,0 +1,76 @@ +From f261e0e1c7e0876094ed688f5f0923590aca3739 Mon Sep 17 00:00:00 2001 +From: David Brown +Date: Thu, 27 Jul 2017 10:05:47 -0600 +Subject: [PATCH] partial: ECDSA P256 bootloader, slot 1 bad sig + +This configures the bootloader to require an ECDSA P256 signature, with +hello2 having an invalid signature. Slot 0 should boot, but the upgrade +should not work. +--- + Makefile | 8 ++++---- + bad-ec-p256.pem | 5 +++++ + samples/zephyr/Makefile | 4 ++-- + 3 files changed, 11 insertions(+), 6 deletions(-) + create mode 100644 bad-ec-p256.pem + +diff --git a/Makefile b/Makefile +index 1e9ec42..b0adf05 100644 +--- a/Makefile ++++ b/Makefile +@@ -9,16 +9,16 @@ + # lines there, and comment out any other blocks. + + # RSA +-CONF_FILE = boot/zephyr/prj.conf +-CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS ++#CONF_FILE = boot/zephyr/prj.conf ++#CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS + + # Newer uses should use the RSA-PSS signature algorithm. This define + # enables (and requires) this type of signature. + #CFLAGS += -DMCUBOOT_RSA_PKCS1_15 + + # ECDSA P-256 +-#CONF_FILE = boot/zephyr/prj-p256.conf +-#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT ++CONF_FILE = boot/zephyr/prj-p256.conf ++CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT + + # Enable this option to have the bootloader verify the signature of + # the primary image upon every boot. 
Without it, signature +diff --git a/bad-ec-p256.pem b/bad-ec-p256.pem +new file mode 100644 +index 0000000..333f41f +--- /dev/null ++++ b/bad-ec-p256.pem +@@ -0,0 +1,5 @@ ++-----BEGIN EC PRIVATE KEY----- ++MHcCAQEEILmqmiH6y3EGhLkTcnNtU7hZ1wnc51MIL53npseRX7vJoAoGCCqGSM49 ++AwEHoUQDQgAEcX9ExNjZfsckp6AdutjPjVJsvP6ZZkKfLsGnRpKR+9OpO9/qmJHs ++ks+ZXo70SEANjWnNlxKNAVci8aUm8UskLw== ++-----END EC PRIVATE KEY----- +diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile +index 7678615..02a54da 100644 +--- a/samples/zephyr/Makefile ++++ b/samples/zephyr/Makefile +@@ -102,7 +102,7 @@ clean_boot: check + hello1: check + $(MAKE) -C hello1 BOARD=$(BOARD) -j$(nproc) + $(IMGTOOL) sign \ +- --key $(SIGNING_KEY) \ ++ --key ../../root-ec-p256.pem \ + --header-size $(BOOT_HEADER_LEN) \ + --align $(FLASH_ALIGNMENT) \ + --version 1.2 \ +@@ -121,7 +121,7 @@ clean_hello1: check + hello2: check + $(MAKE) -C hello2 BOARD=$(BOARD) -j$(nproc) + $(IMGTOOL) sign \ +- --key $(SIGNING_KEY) \ ++ --key ../../bad-ec-p256.pem \ + --header-size $(BOOT_HEADER_LEN) \ + --align $(FLASH_ALIGNMENT) \ + --version 1.2 \ +-- +2.11.0 + diff --git a/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot0-ok-slot1-bad.patch b/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot0-ok-slot1-bad.patch new file mode 100644 index 00000000..a879119d --- /dev/null +++ b/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot0-ok-slot1-bad.patch 
@@ -0,0 +1,54 @@ +From 86f857cafbdd40d1ba158028e142c8cdf5c56e0d Mon Sep 17 00:00:00 2001 +From: David Brown +Date: Thu, 27 Jul 2017 10:05:47 -0600 +Subject: [PATCH] partial: ECDSA P256 bootloader, slot0 ok slot1 bad + +This configures the bootloader to require an ECDSA P256 signature, and +the slot 0 image as good. This should boot slot 0, but not perform the +upgrade in slot 1. +--- + Makefile | 8 ++++---- + samples/zephyr/Makefile | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/Makefile b/Makefile +index 1e9ec42..b0adf05 100644 +--- a/Makefile ++++ b/Makefile +@@ -9,16 +9,16 @@ + # lines there, and comment out any other blocks. + + # RSA +-CONF_FILE = boot/zephyr/prj.conf +-CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS ++#CONF_FILE = boot/zephyr/prj.conf ++#CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS + + # Newer uses should use the RSA-PSS signature algorithm. This define + # enables (and requires) this type of signature. + #CFLAGS += -DMCUBOOT_RSA_PKCS1_15 + + # ECDSA P-256 +-#CONF_FILE = boot/zephyr/prj-p256.conf +-#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT ++CONF_FILE = boot/zephyr/prj-p256.conf ++CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT + + # Enable this option to have the bootloader verify the signature of + # the primary image upon every boot. Without it, signature +diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile +index 7678615..b62e966 100644 +--- a/samples/zephyr/Makefile ++++ b/samples/zephyr/Makefile +@@ -102,7 +102,7 @@ clean_boot: check + hello1: check + $(MAKE) -C hello1 BOARD=$(BOARD) -j$(nproc) + $(IMGTOOL) sign \ +- --key $(SIGNING_KEY) \ ++ --key ../../root-ec-p256.pem \ + --header-size $(BOOT_HEADER_LEN) \ + --align $(FLASH_ALIGNMENT) \ + --version 1.2 \ +-- +2.11.0 + 
diff --git a/testplan/zephyr/0001-partial-ECDSA-P256-slot-0-bad-no-verification.patch b/testplan/zephyr/0001-partial-ECDSA-P256-slot-0-bad-no-verification.patch new file mode 100644 index 00000000..dead2c23 --- /dev/null +++ b/testplan/zephyr/0001-partial-ECDSA-P256-slot-0-bad-no-verification.patch 
@@ -0,0 +1,82 @@ +From b2d9560f05fabdcfdff549ccc361d9dfbe74735b Mon Sep 17 00:00:00 2001 +From: David Brown +Date: Thu, 27 Jul 2017 10:05:47 -0600 +Subject: [PATCH] partial ECDSA P256 slot 0 bad, no verification + +This has a badly signed image in slot 0, which should boot because +checking is off. It should perform the upgrade in slot 1, and not +revert, because the old image is not valid. +--- + Makefile | 10 +++++----- + bad-ec-p256.pem | 5 +++++ + samples/zephyr/Makefile | 4 ++-- + 3 files changed, 12 insertions(+), 7 deletions(-) + create mode 100644 bad-ec-p256.pem + +diff --git a/Makefile b/Makefile +index 1e9ec42..3f875a2 100644 +--- a/Makefile ++++ b/Makefile +@@ -9,21 +9,21 @@ + # lines there, and comment out any other blocks. + + # RSA +-CONF_FILE = boot/zephyr/prj.conf +-CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS ++#CONF_FILE = boot/zephyr/prj.conf ++#CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS + + # Newer uses should use the RSA-PSS signature algorithm. This define + # enables (and requires) this type of signature. + #CFLAGS += -DMCUBOOT_RSA_PKCS1_15 + + # ECDSA P-256 +-#CONF_FILE = boot/zephyr/prj-p256.conf +-#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT ++CONF_FILE = boot/zephyr/prj-p256.conf ++CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT + + # Enable this option to have the bootloader verify the signature of + # the primary image upon every boot. Without it, signature + # verification only happens on upgrade. +-CFLAGS += -DMCUBOOT_VALIDATE_SLOT0 ++#CFLAGS += -DMCUBOOT_VALIDATE_SLOT0 + + # Enabling this option uses newer flash map APIs. This saves RAM and + # avoids deprecated API usage. 
+diff --git a/bad-ec-p256.pem b/bad-ec-p256.pem +new file mode 100644 +index 0000000..333f41f +--- /dev/null ++++ b/bad-ec-p256.pem +@@ -0,0 +1,5 @@ ++-----BEGIN EC PRIVATE KEY----- ++MHcCAQEEILmqmiH6y3EGhLkTcnNtU7hZ1wnc51MIL53npseRX7vJoAoGCCqGSM49 ++AwEHoUQDQgAEcX9ExNjZfsckp6AdutjPjVJsvP6ZZkKfLsGnRpKR+9OpO9/qmJHs ++ks+ZXo70SEANjWnNlxKNAVci8aUm8UskLw== ++-----END EC PRIVATE KEY----- +diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile +index 7678615..f84314d 100644 +--- a/samples/zephyr/Makefile ++++ b/samples/zephyr/Makefile +@@ -102,7 +102,7 @@ clean_boot: check + hello1: check + $(MAKE) -C hello1 BOARD=$(BOARD) -j$(nproc) + $(IMGTOOL) sign \ +- --key $(SIGNING_KEY) \ ++ --key ../../bad-ec-p256.pem \ + --header-size $(BOOT_HEADER_LEN) \ + --align $(FLASH_ALIGNMENT) \ + --version 1.2 \ +@@ -121,7 +121,7 @@ clean_hello1: check + hello2: check + $(MAKE) -C hello2 BOARD=$(BOARD) -j$(nproc) + $(IMGTOOL) sign \ +- --key $(SIGNING_KEY) \ ++ --key ../../root-ec-p256.pem \ + --header-size $(BOOT_HEADER_LEN) \ + --align $(FLASH_ALIGNMENT) \ + --version 1.2 \ +-- +2.11.0 +
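Review bot: in the sanity check of doc/testplan-zephyr.rst, the step "program slot 2's image into slot one" runs `$ pyocd-flashtool -a 0x20000 signed-hello1.bin` and then expects "Upgraded hello!"; signed-hello1.bin is the slot 0 image and prints "Hello World number 1!", so the command should name `signed-hello2.bin` (or the stated expectation is wrong). Further down, the worked example `$ git apply testplan/zephyr/0001-try-rsa-pkcs1-v15.patch` refers to a file this change does not add; use one of the names from the table, for example `0001-good-rsa-pkcs-v1.5-good.patch`. The sentence "we have tested the RSA signature algorithm, along with the new RSA-PSS signature algorithm" also overstates what the sanity check covers: the shipped Makefile leaves `#CFLAGS += -DMCUBOOT_RSA_PKCS1_15` commented out, so only RSA-PSS is exercised there and PKCS#1 v1.5 is covered solely by the patch. Smaller points in the same hunk: the table cells `yes[1]_` need a space before `[1]_` for reStructuredText to recognise the footnote reference; "the the image" is a doubled word; "The second file is marked as an upgrade" is ambiguous after listing three binaries and should name signed-hello2.bin; "Hello World number 1!" and "Hello world number 1" differ in capitalisation; and the doc never says where `image_ok.bin` comes from or how to produce it.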
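Review bot: in 0001-bad-old-RSA-no-slot0-check.patch the second Makefile hunk disables slot 0 validation as `+# CFLAGS += -DMCUBOOT_VALIDATE_SLOT0` (with a space after `#`), while every other commented-out option in the same Makefile, and the same line in 0001-partial-ECDSA-P256-slot-0-bad-no-verification.patch, uses `#CFLAGS += ...`; drop the space so the two patches comment the option out identically and a grep for `#CFLAGS` finds both.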
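Review bot: in 0001-good-ECDSA-P256-bootloader-images-signed.patch the two samples/zephyr/Makefile hunks each replace `--key $(SIGNING_KEY)` with a hard-coded `--key ../../root-ec-p256.pem`, one per sign recipe. Since the Makefile already routes the key through `SIGNING_KEY`, overriding that one variable (or having the test plan pass `SIGNING_KEY=../../root-ec-p256.pem` on the make command line) would leave the sign recipes untouched and reduce the per-slot key choice in the partial-ECDSA patches to a one-line difference; as written, five of the patches carry near-identical copies of the same recipe edits.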
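Review bot: the commit message of 0001-partial-ECDSA-P256-bootloader-slot-0-bad-sig.patch says hello1 has "an invalid signature", but what the hunks do is sign hello1 with bad-ec-p256.pem, a well-formed P-256 key that is simply not the one the bootloader trusts; the signature itself is valid, just made under the wrong key. Saying so makes clear that the test exercises key binding (the verifier rejecting a signature from an untrusted key) rather than handling of a corrupt or malformed signature, which is a separate case this plan does not cover.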
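Review bot: 0001-partial-ECDSA-P256-bootloader-slot-1-bad-sig.patch is the second of three patches that create an identical bad-ec-p256.pem (same blob, `index 0000000..333f41f`; the slot-0-bad-sig and slot-0-bad-no-verification patches add the same file). Consider committing that untrusted test key once alongside the patches in testplan/zephyr and having the patches point `--key` at it, so a future change to the key is made in one place and the copies cannot drift. As in its slot-0 counterpart, "hello2 having an invalid signature" should read that hello2 is signed with a key the bootloader does not trust, since the signature produced by bad-ec-p256.pem is valid under that key.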
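Review bot: 0001-partial-ECDSA-P256-bootloader-slot0-ok-slot1-bad.patch changes only hello1's `--key` and leaves hello2 signed with the default `$(SIGNING_KEY)`, but the commit message ("the slot 0 image as good") never says why slot 1 is bad. State that hello2 keeps the default key, which the EC256-configured bootloader does not accept; that also distinguishes this case from 0001-partial-ECDSA-P256-bootloader-slot-1-bad-sig.patch, which reaches the same yes/no result by signing hello2 with bad-ec-p256.pem. The phrase "and the slot 0 image as good" is also missing its verb; "and signs the slot 0 image with the trusted key" reads correctly.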
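Review bot: the Subject of 0001-partial-ECDSA-P256-slot-0-bad-no-verification.patch ("partial ECDSA P256 slot 0 bad, no verification") drops the "partial:" prefix that the other eight patches use; keep the prefix so the subjects stay consistent. On substance, together with 0001-bad-old-RSA-no-slot0-check.patch this is one of the two cases that comment out `CFLAGS += -DMCUBOOT_VALIDATE_SLOT0`, and its message explains the expected behaviour (the wrongly-signed slot 0 image boots because checking is off, the upgrade runs, and no revert happens because the old image is not valid) better than footnote [1] in doc/testplan-zephyr.rst does; consider carrying that explanation into the footnote, including the point that without MCUBOOT_VALIDATE_SLOT0 an unverified slot 0 image is executed on every boot.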