This fixes a build issue when building mcuboot for zephyr with image
encryption support enabled using tinycrypt.
Signed-off-by: Jamie McCrae <jamie.mccrae@lairdconnect.com>
The magic value applies to images built with maximum write alignment
values other than 8 bytes, whose trailer region is generated in a
different layout.
Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
Count is initialized before it is passed to flash_area_get_sectors. The
flash driver should use count to ensure an overrun does not occur.
Signed-off-by: Kristine Jassmann <kristine.jassmann@renesas.com>
Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
Update `boot_status_off` to take into consideration that scratch only
has to store status for one swap of sectors, thus requiring much less
flash space than what is required in the primary slot.
This commit does a bit of refactoring on the functions that return
parts of trailer size to make the code clearer.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Definition is used (and redefined) by the boot_serial.c module as well.
Let's allow one definition to be used for all.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
In a multi image context it is possible for a user to upload an image
to the wrong secondary slot. As the same key is used for both images
MCUboot will overwrite image 0 with a variant of image 1.
If direct overwrite is enabled it is not trivial to recover from this.
To mitigate this issue we introduce a check of the reset address within
the vector table.
If the reset address in the new image is not contained within the
primary slot the image is deemed incorrect and is deleted from the
secondary slot.
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Introduced an intermediate variable to express the data chunk offset
from the beginning of the region.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
boot_copy_region() was written so it assumes that the image header
must fit into the intermediary buffer of 1 KB size. A bigger header
will cause an overflow in the calculation of the size of the data chunk to be
decrypted.
This patch allows using a header bigger than that buffer size and
mitigates the limitation described above.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The commit fixes an issue where a failed flash_area_open in
boot_write_status would result in a flash_area_close call on an
uninitialized flash_area object.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The error path of boot_read_image_header could invoke
flash_area_close on an uninitialized flash_area object.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
This patch adds the possibility to boot using ram-load with an
encrypted image. This is enabled when both the flags MCUBOOT_RAM_LOAD
and MCUBOOT_ENC_IMAGES are defined.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: Hugo L'Hostis <hugo.lhostis@arm.com>
Signed-off-by: Salome Thirot <salome.thirot@arm.com>
Change-Id: I7756c2c634d90a2e726117d6cfc5650653cf1b51
This commit fixes the following issue:
One of the parameters in a comparison using fih_eq() was not of fih_int
type, which caused a build error when medium or higher FIH mode is enabled.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
This patch makes it possible for MCUBOOT_BOOTUTIL to integrate the
hook file on its own. This is intended to support hooks while
the library is just part of the application.
The hooks file for the MCUboot build is now included in the same manner.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Introduced the boot_img_install_stat_hook() hook function for fetching
the image's slot installation status.
The image's slot installation status is a custom property.
Its detailed definition depends on the user implementation. It is only
defined that the status will be set to 0 if this hook does not provide
another value.
Inserted the available hook for reading the image header as well.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Added hooks for: reading the image header, validating the image, and a hook
which is called after the image was uploaded completely.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Added a hook which allows overriding the boot_read_swap_state_by_id()
routine for the primary slot.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Added a hook for reading the image header.
Added a hook for injecting an image check implementation which can
be used instead of the boot_image_check() internal implementation on a primary
slot.
This is especially useful when the primary has to be checked by another entity
on MCUboot's demand.
Added a hook which allows implementing the image update process
differently.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
This commit adds an include clause to "boot_record.h" to include the stddef.h header that contains the declaration of the "size_t" type.
Attempting to include "boot_record.h" in a build for Mbed-OS would throw an error complaining "size_t" was unknown, adding a note to include "stddef.h".
Signed-off-by: George Beckstein <george.beckstein@gmail.com>
When no dynamic memory is used, there is no need to include "os/malloc.h",
and doing so will force the user to create an empty "os/malloc.h" file.
Signed-off-by: Carlos Falgueras García <carlos.falgueras@wslw.es>
This frees the user from the need to create an empty "mcuboot_logging.h"
when the logging is disabled.
Signed-off-by: Carlos Falgueras García <carlos.falgueras@wslw.es>
The "MCUBOOT_LOG_MODULE_(DECLARE|REGISTER)" macros should have a name
coherent with the rest of the log macros, i.e. "BOOT_LOG_*". Also,
"bootutil_log.h" should define them as empty when the logs are disabled and
as "MCUBOOT_LOG_MODULE_*" when they are not.
With this change, the mcuboot user doesn't have to define the
MCUBOOT_LOG_MODULE_* macros if the logs are not going to be used.
Signed-off-by: Carlos Falgueras García <carlos.falgueras@wslw.es>
The commit "boot: Check shared area more carefully before init" adds
the support that the shared area can be used by other boot stages.
Before this commit, MCUboot initialized the shared memory based on a
global variable which indicates whether the shared memory has been
initialized by MCUboot. After this commit, MCUboot also checks the magic
value as well as the sanity check before initialization. So if the data
in shared memory is retained after a reset, MCUboot does not initialize the
shared memory, thus a 'SHARED_MEMORY_OVERWRITE' error happens in
'boot_add_data_to_shared_area'.
So this commit is reverted temporarily.
Signed-off-by: Sherry Zhang <sherry.zhang2@arm.com>
Change-Id: I1fc390bc17f90c2624024bc101ba8b4d5a75fe23
Test the basic configuration for ram loading. Instead of a fixed
address for RAM, the values come dynamically from a thread-local
variable (allowing the tests to run in parallel). The size of the ram
along with the address of the buffer in the test address space are
passed in this way.
This tests the single-image configurations of ram loading. Testing
multi-image will take additional work, as the RAM will need to be large
enough for both images, and the second image will need a meaningful
offset address in RAM.
Signed-off-by: David Brown <david.brown@linaro.org>
This change introduced a few warnings that weren't caught until enabling
simulator builds with these features enabled. Add some simple
workarounds to avoid the warnings.
Signed-off-by: David Brown <david.brown@linaro.org>
Add a macro `IMAGE_RAM_BASE` that will support a simulated device RAM
that can be different per test. This will be zero on targets. Define
an invalid value (3) in the simulator environment. As there are not yet
tests of this configuration, all tests will continue to pass.
Signed-off-by: David Brown <david.brown@linaro.org>
The function `boot_erase_region` is used in some cases when DIRECT_XIP
or RAM_LOAD are defined, however it is specifically not compiled in in
these cases. Correct the ifdefs so this function will be available.
Signed-off-by: David Brown <david.brown@linaro.org>
The MCUBOOT_RAM_LOAD feature supports configurations where code is
loaded from flash into RAM before execution. As such, it is not
necessary for upgrades to move data around in flash.
Signed-off-by: David Brown <david.brown@linaro.org>
In MCUBOOT_RAM_LOAD mode, bootutil_img_hash has some arguments that end
up being unused, which creates warnings. Add these to the list of
variables intentionally unused.
Signed-off-by: David Brown <david.brown@linaro.org>
Change fixes memory alignment of the RAM buffer that is used to
temporarily store data during swap. Some FLASH drivers require
word-aligned input data buffer. Using unaligned buffer results
in FLASH write error.
Signed-off-by: Marek Pieta <Marek.Pieta@nordicsemi.no>
It is required to include "mcuboot_config.h" header for the evaluation
of the MCUBOOT_HAVE_ASSERT_H definition. Otherwise it will implicitly
depend on that header being included somewhere else.
Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
The commit changes direct access to flash_area and flash_structure
objects via field names to access via getter functions.
The purpose of this change is to make common code agnostic to the internal
implementation of flash_area and flash_sector objects.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Treat the state of an unreachable image device as if it is an empty image.
This is required for booting the primary image if it is still available.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Let's distinguish the case when the secondary image device has a malfunction
from the case when the primary has one.
It might still be possible to boot the primary image.
This makes sense especially if the secondary image resides in an
external flash which might be damaged while the SoC is still working.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
To avoid potential errors caused by misconfiguration make sure the
conditionally compiled snippets of code surrounded by the
MCUBOOT_DIRECT_XIP_REVERT macro are only used when direct-xip mode
is selected.
Change-Id: I6178d8186a7ca05887bc7590f5fa0c8f83f3d731
Signed-off-by: David Vincze <david.vincze@arm.com>
When the shared data area is not exclusively used by MCUboot, but also
by other boot stages it is inappropriate to initialize (erase) the
shared area based on a global variable. It must check the magic value
at the beginning of the area plus it should sanity-check other
available values for a case when memory garbage matches the magic
value.
Change-Id: I3a4552ad2863a61d81de9374ef6302ae0609f7bf
Signed-off-by: David Vincze <david.vincze@arm.com>
The commit removes implementation of boot_initialize_area
specific for flash_area_to_sectors, and applies changes to
the flash_area_get_sectors using variant, to make it
alternatively work with flash_area_to_sectors.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The change aligns type of "sector counter" to the type
used for *cnt parameter of flash_area_get_sectors.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Multiple image boot support is implemented for direct-xip and ram-load
strategies. Dependency checking is also added, and for ram-load more
executable ram regions can be set.
Wrapper functions are introduced to all boot strategies.
Change-Id: I59b346277dcb2c17cef4800f1e556b4ea9144845
Signed-off-by: Mark Horvath <mark.horvath@arm.com>
The commit reorganizes the logic of boot_swap_sectors and
boot_set_pending_multi to use boot_read_swap_state,
instead of the previously used boot_read_swap_state_by_id, to utilize
the flash area object the functions are obtaining.
It also fixes a double flash_area_open that happened implicitly within
boot_swap_sectors, as it has been calling boot_read_swap_state_by_id
on the FLASH_AREA_IMAGE_SCRATCH after it had already opened the area.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The fixup_revert has been switched to use boot_read_swap_state,
from boot_read_swap_state_by_id, and no longer needs the ID
parameter. It can now get swap state information by flash_area
object pointer, which is provided as 3rd parameter.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The function itself is not static within bootutil and may be used
to operate on flash areas, for which the flash_area object has
already been obtained.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The variable `rc` is used in `context_boot_go` for a number of operations, mostly checking return codes for an error. It is also used to store the result of comparing the installed application version numbers (using `boot_version_cmp`).
At the end of `context_boot_go`, `rc` is returned as the result of the operation.
In some configurations, namely direct XIP (without revert or any other extra boot checks), it is possible for the comparison result to be the last value of `rc`. In most cases, this will cause `context_boot_go` to report a failure (i.e. non-zero return code), as the value of `rc` will be 1 or -1 if the installed applications aren't the same version.
This commit resets the value of `rc` to 0 after the version comparison has taken place.
Fixes #976
Signed-off-by: George Beckstein <george.beckstein@gmail.com>
During fetching of swap-status, scratch was examined unnecessarily
in swap_status_source(). The scratch area shouldn't be needed in this mode.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Add boot_set_pending_multi() and boot_set_confirmed_multi() APIs so
that the user can set the image with a given index as pending or confirmed.
Signed-off-by: Sherry Zhang <sherry.zhang2@arm.com>
Change-Id: Ifca04d396b38c6c64581703794071f6b42e9dfbf
This patch is for fixing:
https://github.com/zephyrproject-rtos/zephyr/issues/34683
The copy-done flag is used to designate a completely copied image.
It is used to recognize whether the image upgrade needs to be completed.
If the image is running then:
1) it was already verified and copied by MCUboot, so the
copy-done flag is set for sure;
2) or it was programmed directly using the programming interface.
For case 2), when the image contains the magic but not the copy-done flag, it was
impossible to confirm it. This patch removes the need for having the copy-done
flag set while confirming. This makes the API behavior similar to the situation
when a not-padded image was programmed.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
This is a define from Tinycrypt that was being used in the Mbed TLS
EC256 encrypted images implementation so properly define it.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The commit fixes an alignment issue in boot_write_trailer that would
occur in the case when the input buffer length is greater than the
alignment parameter of the flash.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Add Mbed TLS ECDSA signature verification as an option (in addition to
Tinycrypt and the CC310 hardware version). Although the Mbed TLS ECDSA
verification code is both larger and slower, this will still save space
if the Mbed TLS code is already being brought in for another reason
(such as certificate management, for example).
Mbed TLS's ECDSA verification works at a different level than the other
two libraries, so this takes a bit of reworking. There are some
additional parameters passed to the various functions, and a new define
MCUBOOT_ECDSA_NEED_ASN1_SIG to indicate that the ecdsa verification
wants the original ASN1 signature, not a decoded key.
This adds the boot changes and simulator support to test this configuration.
Signed-off-by: David Brown <david.brown@linaro.org>
The commit adds logic that checks if an image that has the IMAGE_F_ROM_FIXED
flag set, together with a proper address in the header, has not been mismatched
with its slot.
This code will prevent attempting to boot an image that has been built for a
different ROM address than the slot it currently resides in.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The IMAGE_F_ROM_FIXED flag, now supported by imgtool and mcumgr, allows
using image_header.ih_load_addr to store fixed ROM address information.
The address is provided for Direct-XIP mcuboot to be able to verify
if it can boot an image in a given slot, by checking if the address
the image has been built for corresponds to the slot address.
This flag is not required to be set within the image, in which case
the check will not happen, but it is highly desired as it allows mcuboot
to detect images that have been mismatched with a slot.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Part of the defines which are needed for bootutil_public.c compilation
was moved to a separate file, so the bootutil_public library doesn't
need to include cryptographic library headers anymore.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The objective for the existence of bootutil_public.c is to provide common code
for MCUboot itself and for a chain-loaded application. Therefore
it shouldn't depend on MCUboot exclusive functions or so.
This patch moves the missing part of bootutil_private.h to bootutil_private.c.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Modify the function boot_add_data_to_shared_area from static to global
so that it can be used in the user interface boot_save_shared_data.
Signed-off-by: Sherry Zhang <sherry.zhang2@arm.com>
Change-Id: Ic6a36eb526a0883a156f832942af3138bde86dd6
Added boot_read_image_ok() to the public API, as reading image_ok
might be used by the chain-loaded application for checking its
confirmation state by the image itself.
Additionally extracted common code for determining a trailer flag to
the boot_read_flash() function.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Part of the code of boot/bootutil/ is re-implemented in the zephyr-rtos
repository.
As some code is defined here and there, it becomes a problem when it
needs to be included with an outstanding feature in a build.
It is possible to mitigate the problem using #ifdefry, but this was
a rather temporary hack.
This patch introduces a new module which is common for the MCUBoot build
and the application build.
Common code was extracted to the bootutil_public.c source file and
bootutil_public.h header.
MCUboot also selects the DISABLE_MCUBOOT_BOOTUTIL_LIB_OWN_LOG Kconfig
option, as it must define the log configuration on its own for all its
source code.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
In order to allow other projects to include the bootutil files more
easily. Allows renaming and moving of bootutil files without breaking
external projects' file lists (if they include this cmake file instead
of directly listing the files they use). Prevents an issue where
moving/renaming bootutil files breaks the FIH CI test.
Signed-off-by: Raef Coles <raef.coles@arm.com>
Change-Id: Ic982413c6a26ea2039712437f2d511fbe202e1e4
Add an offset parameter to mode ctr so it can be properly used as a
streaming cipher, as required by the flash encryption algorithm.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Avoid memset'ing a buffer that does not hold a secret; it contains
the encryption of the counter.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
If RAM_LOAD is defined then the return value of memcpy() is
always compared against its first parameter. By definition
memcpy() returns its first parameter (destination), so
the not-equal check is always false. The fix replaces this
runtime check with a comma operator assigning 0 to the
variable at build time; as a result the compiler can do
dead code elimination much better.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I8d0d6e68a931661fa19d395556beb20470d74fb1
This patch adds comments to reserve off a portion of the available TLV range
for use by vendors for proprietary TLV types.
Signed-off-by: Andy Gross <andy.gross@juul.com>
The 'revert' mechanism in direct-xip is similar to the one in swap mode.
It requires the trailer magic to be added to the signed image. When a
reboot happens without the image being confirmed at runtime (without the
image_ok flag being set), the bootloader considers the image faulty and
erases it. After this it will attempt to boot the previous image
instead. The images can also be made permanent (marked as confirmed in
advance) just like in swap mode.
Change-Id: Ibde9361d4a7302dd8efbb277b691b71eca0ca877
Signed-off-by: David Vincze <david.vincze@linaro.org>
A previous fix for allowing padded images in the primary slot ended up
causing an issue that would fail to upgrade under the right
circumstances. The issue was caused when the following set of steps
happened after an upgrade was detected:
1) trailer is erased on the primary slot
2) status is written to the primary slot
3) trailer is erased on the secondary slot
4) reset
1) trailer is erased on the primary slot
2) status partially written or not written to primary slot (no magic)
3) reset
This would result in images stored in the same slots they were
initially, aka no upgrade, which would fail the simulator test for
upgraded images.
The previous padded images fix was reverted and the status source was
upgraded to also check that the secondary slot has a valid magic in it,
so that there's never a circumstance where there is no trailer in any
of the slots while an upgrade operation is being decided on.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
The IAR toolchain does not handle the "%=" template. Emulate it with
a combination of __LINE__ and __COUNTER__.
Signed-off-by: TTornblom <thomas.tornblom@iar.com>
This contains fixes for CC310 for nRF devices using the nrfxlib.
Removed some const for compilation warnings and added `NUM_ECC_BYTES`
define.
Signed-off-by: Sigvart Hovland <sigvart.m@gmail.com>
For some configurations, eg CONFIG_BOOT_DIRECT_XIP=y, fih_rc might
never be initialized; initialize and fix warning.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Removes the current `flash_area_read_is_empty` which lacked a bit of
clarity in its naming and error handling, as well as requiring an
extra API in the flash map, and switches to using an internal function
`bootutil_buffer_is_erased`.
Code that was previously using `flash_area_read_is_empty` must now be
updated to do a `flash_area_read` followed by a call to
`bootutil_buffer_is_erased` with the read buffer.
The proposal was previously discussed here:
https://github.com/zephyrproject-rtos/zephyr/pull/28519
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
When the image in the primary slot is padded, the boot source is
considered the primary slot; this results in skipping the typical
initialization of the trailer, which ends up bricking the device. As
it is fine to always initialize the trailer in the primary slot when
starting a new upgrade the extra check was removed.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Direct inclusion of "bootutil/fault_injection_hardening_delay_rng.h"
might cause linking collision as this header belongs to `FIH_ENABLE_DELAY`
mode.
This header is already included by "bootutil/fault_injection_hardening.h"
appropriately.
Fixes #831
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Remove unnecessary includes and create conditionally
the MCUBOOT_FIH_PROFILE_OFF define to avoid redefinition
warnings.
Change-Id: I6a34af2a5e45b81fdedd26bc1fa50ab0b9a05918
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Fix bootstrapping in swap-move that was being skipped due to having
an erased header in the primary slot, which caused an early return
because of the requirement of having to re-read image headers when
"moving" an image during an upgrade.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Previously when `MCUBOOT_OVERWRITE_ONLY_FAST` was set, the whole amount
of sectors that stored an image were being copied. After this commit
only the exact amount of data used by the image is copied; this avoids
copying some 0xff (or garbage) data between the end of the image and the
end of the last sector storing it.
Extra trailer management was added which suits using the copy upgrade
routine also for bootstrapping.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Add fault attack mitigation measures to code vital for the correct
validation of images.
Change-Id: If6eb1110a8c2966faf105d07ad2e95482a80a8d9
Signed-off-by: Raef Coles <raef.coles@arm.com>
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
- The enc_context needs to be initialized.
boot_enc_load seems to always be used to start the process, so calling
init inside makes sense.
- Handle boot_encrypt getting called with size of 0.
- No need to free contexts because Zephyr sets MBEDTLS_PLATFORM_NO_STD_FUNCTIONS.
I don't quite like this because it's implicit and will leak memory on
other ports.
Signed-off-by: Blaž Hrastnik <blaz@mxxn.io>
bootutil already handles ASSERT definition, allowing us to override it
with a custom implementation. Importing assert.h would pull in stdio.h
and a whole bunch of other stuff by TI compiler into the final
firmware.
Signed-off-by: Blaž Hrastnik <blaz@mxxn.io>
This patch introduces the ram-load mode in addition to the other
upgrade modes (swap strategies, overwrite-only, direct-XIP). When
ram-load is enabled with the MCUBOOT_RAM_LOAD option, mcuboot
selects the newest valid image based on the image version numbers from
the image header; thereafter the selected image is loaded into RAM and
executed from there. The load address is extracted from the image header.
Therefore the images must be linked to the RAM memory region.
The ram-load mode is very similar to the direct-XIP mode; the main
difference is loading the newest image into RAM before the
authentication and execution. Similar to direct-XIP mode, either
of the primary and the secondary slots can hold the active image.
Ram-load can be useful in the case of a bit more powerful SoC, which
is not constrained in terms of internal RAM. It could be that the image
is stored in external and therefore untrusted flash. Loading the image
into internal (trusted) RAM is essential from the security point
of view of the system. Furthermore, execution from internal RAM is much
faster than from external flash.
This patch is based on the RAM_LOADING upgrade strategy which was
first introduced in the Trusted Firmware-M project.
Source TF-M version: TF-Mv1.0.
Change-Id: I95f02ff07c1dee51244ac372284f449c2efab362
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
This patch introduces the direct execute-in-place (XIP) mode in addition
to the other upgrade modes (swap strategies, overwrite-only). When
direct-XIP is enabled with the MCUBOOT_DIRECT_XIP option, mcuboot
selects the newest valid image based on the image version numbers from
the image header, thereafter the selected image runs directly from its
flash partition (slot) instead of moving it. Therefore the images must
be linked to be executed from the given image slot. It means that in
direct-XIP mode either of the primary and the secondary slots can hold
the active image.
This patch is based on the NO_SWAP upgrade strategy which was first
introduced in the Trusted Firmware-M project.
Source TF-M version: TF-Mv1.0.
Change-Id: If584cf01ae5aa7208845f6a6fa206f0595e0e61e
Signed-off-by: David Vincze <david.vincze@linaro.org>
Replace the boot_is_version_sufficient() function with a new,
boot_version_cmp() function which is more straightforward and
distinguishes the 3 possible results of the comparison.
Update the error handling accordingly.
Change-Id: Ie7d4f892dc3df2c6ef82769c4d0676965b75b7b8
Signed-off-by: David Vincze <david.vincze@linaro.org>
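The two commits above (the three-way `boot_version_cmp()` and the later `rc` reset in `context_boot_go`) together describe one failure mode: a comparison result reused as a return code. The following C example is added here, is not MCUboot's code, and uses constructed header magic, error values and a simplified direct-XIP selection flow to show how the unreset `rc` leaks 1/-1 out of a successful boot decision.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for this example (not MCUboot's real values). */
#define EXAMPLE_MAGIC      0x4d435542u   /* "MCUB", a constructed header magic */
#define EXAMPLE_EBADIMAGE  2             /* constructed error code for a bad header */

/* Field names mirror MCUboot's image_version; the struct itself is a stand-in. */
struct image_version {
    uint8_t  iv_major;
    uint8_t  iv_minor;
    uint16_t iv_revision;
    uint32_t iv_build_num;
};

struct image_header {
    uint32_t             ih_magic;
    struct image_version ih_ver;
};

/* Three-way comparison: 1 if ver1 > ver2, -1 if ver1 < ver2, 0 if equal.
 * Assumption: the build number is ignored, as it is not part of the
 * semantic version ordering in this example. */
int boot_version_cmp(const struct image_version *ver1,
                     const struct image_version *ver2)
{
    if (ver1->iv_major != ver2->iv_major) {
        return ver1->iv_major > ver2->iv_major ? 1 : -1;
    }
    if (ver1->iv_minor != ver2->iv_minor) {
        return ver1->iv_minor > ver2->iv_minor ? 1 : -1;
    }
    if (ver1->iv_revision != ver2->iv_revision) {
        return ver1->iv_revision > ver2->iv_revision ? 1 : -1;
    }
    return 0;
}

/* Constructed header sanity check standing in for a flash read + validation:
 * 0 on success, EXAMPLE_EBADIMAGE otherwise. */
static int check_header(const struct image_header *hdr)
{
    return hdr->ih_magic == EXAMPLE_MAGIC ? 0 : EXAMPLE_EBADIMAGE;
}

/* Simplified direct-XIP selection. 'reset_rc' toggles the fix from the commit:
 * without it, the comparison result is the last thing written to rc. */
static int select_image(const struct image_header *primary,
                        const struct image_header *secondary,
                        int reset_rc, int *active_slot)
{
    int rc;

    rc = check_header(primary);          /* rc as an error code */
    if (rc != 0) {
        return rc;
    }
    rc = check_header(secondary);
    if (rc != 0) {
        return rc;
    }

    rc = boot_version_cmp(&secondary->ih_ver, &primary->ih_ver);
    *active_slot = (rc > 0) ? 1 : 0;     /* newest version wins */
    if (reset_rc) {
        rc = 0;  /* the fix: a comparison result is not an error code */
    }
    /* No further boot checks in this configuration, so rc is returned as-is. */
    return rc;
}

/* Pre-fix behaviour: returns 1 or -1 whenever the slots differ in version. */
int boot_go_buggy(const struct image_header *primary,
                  const struct image_header *secondary, int *active_slot)
{
    return select_image(primary, secondary, 0, active_slot);
}

/* Post-fix behaviour: 0 on a successful decision, error code otherwise. */
int boot_go_fixed(const struct image_header *primary,
                  const struct image_header *secondary, int *active_slot)
{
    return select_image(primary, secondary, 1, active_slot);
}

int main(void)
{
    /* Constructed sample headers: primary 1.0.0, secondary 1.1.0. */
    struct image_header primary   = { EXAMPLE_MAGIC, { 1, 0, 0, 0 } };
    struct image_header secondary = { EXAMPLE_MAGIC, { 1, 1, 0, 0 } };
    int slot = -1;

    printf("buggy: rc=%d slot=%d\n", boot_go_buggy(&primary, &secondary, &slot), slot);
    printf("fixed: rc=%d slot=%d\n", boot_go_fixed(&primary, &secondary, &slot), slot);
    return 0;
}
```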
When using swap in move mode, the current compatibility test only allows
for same size and layout between slots. This results in one sector that
can never be used in the secondary slot, which corresponds to the first
move up operation in the primary slot. This relaxes the checking a bit,
so both same size slots and a primary with one extra sector are valid.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This fixes an issue where an image might be erased, but a trailer left
behind. It can happen if the image in the secondary slot did not pass
validation, in which case the whole slot is erased. If during the erase
operation, a reset occurs, parts of the slot might have been erased
while some have not. The concerning part is the trailer because it
might disable a new image from being loaded through mcumgr; so just get
rid of the trailer here, if the header is erased.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Fix uninitialized variable warning that may occur when
compiler optimization is enabled (especially for size).
Change-Id: Id56669a2079ac20edbf74c17f943c974f1e8bf93
Signed-off-by: David Vincze <david.vincze@linaro.org>
- If MCUBOOT_SIGN_RSA, MCUBOOT_SIGN_EC, MCUBOOT_SIGN_EC256 are not
defined cryptographic signature check is skipped during validation.
sha256 check is still retained. This reduces the binary size, at the
expense of greatly reduced security. However this can be acceptable
in some scenarios where cryptographic check is not required.
Signed-off-by: Arvin Farahmand <arvinf@ip-logix.com>
To make contributions easier, place explicit copyrights by the major
contributors, along with an SPDX license identifier. Files that came
from the mynewt project, which was an Apache project will retain the
Apache project license text, although this does not apply to new
contributions, which are being made by individual contributors.
Hopefully, this will keep everyone happy, but allow contributors that
need to add an explicit copyright to have a place they can add that.
Fixes #501
Signed-off-by: David Brown <david.brown@linaro.org>
This macro is part of the C11 standard. Remove the use of a specialized macro
just for Zephyr, and use the standard macro for all platforms. This reduces
dependencies on specific versions of Zephyr.
In addition, the Zephyr-specific code was using toolchain/gcc.h which
would only work with gcc.h, so doesn't actually address any of the
objections. If this ever becomes a problem with Zephyr, we can figure
out a proper way to fix this.
Signed-off-by: David Brown <david.brown@linaro.org>
- Define new TLV for carrying information for x25519 based encrypted
images.
- Add routines to parse embedded encryption key, generated shared
secret and image decryption key.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This change enables the public key (used for image authentication) to
be removed from MCUboot and be appended to the image instead. In this
case the key or its hash must be provisioned to the device and MCUboot
must be able to retrieve the key-hash from the hardware to compare it
with the calculated hash of the public key from the image manifest in
order to verify its validity before image authentication.
The source of this change:
https://review.trustedfirmware.org/c/trusted-firmware-m/+/1581
Change-Id: I36fe699732e0e4c113eaed331c22e707c722ed6e
Signed-off-by: David Vincze <david.vincze@linaro.org>
Replay of the reverted, too early committed patch 6d417c9:
Replace BUILD_ASSERT_MSG() with BUILD_ASSERT()
after merging BUILD_ASSERT() and BUILD_ASSERT_MSG().
Signed-off-by: Oleg Zhurakivskyy <oleg.zhurakivskyy@intel.com>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Modify the definition of certain shared data TLV entry header fields to
be aligned with the image TLV's behaviour (the meaning of the tlv_len
field was different) and achieve unified interpretation.
Modify some macro definitions that use bitwise shift operators to
prevent certain errors from occurring due to implementation-defined
behaviour.
Change-Id: Ib736703a391d390a87d629a8ac4e77e1789120a5
Signed-off-by: David Vincze <david.vincze@linaro.org>
Implement the functions declared in boot_record.h and add
each BOOT_RECORD TLV's CBOR encoded binary data (one TLV entry per
image) to a shared data area between the bootloader and the runtime SW.
These data units are stored in a TLV format (in the shared area too) and
contain certain attributes of the given image / SW component such as:
- SW type (role of the software component)
- SW version
- Signer ID (identifies the signing authority)
- Measurement value (hash of the image)
- Measurement type (algorithm used to calculate the measurement value)
Preserving all these image attributes from the boot stage for use by
later runtime services is known as a measured boot. The list of the
shared attributes is based on the recommendations of Arm's Platform
Security Architecture (PSA).
The main purpose of this patch is to create the prerequisites of an
attestation service by providing these measurements.
The boot_record.c and boot_status.h (originally tfm_boot_status.h) files
were copied (with modifications) from the Trusted Firmware-M project
(https://www.trustedfirmware.org/about/).
Hash of the source commit: 08d5572b4bcee306d8cf709c2200359a22d5b72c.
Change-Id: I37a8e7b10d5bf80a581651ffaf65b3cba45eaff2
Signed-off-by: David Vincze <david.vincze@arm.com>
Define interface for sharing boot status (certain attributes of the
authenticated images) and adding arbitrary data in TLV encoded format
to a shared data area between the bootloader and runtime SW.
The boot_record.h file was copied (with minor modifications) from the
Trusted Firmware-M project (https://www.trustedfirmware.org/about/).
Hash of the source commit: 08d5572b4bcee306d8cf709c2200359a22d5b72c.
Change-Id: Ia25bac27e9f1ce7faa5043c5a0455c804a24701e
Signed-off-by: David Vincze <david.vincze@arm.com>
Replace BUILD_ASSERT_MSG() with BUILD_ASSERT()
after merging BUILD_ASSERT() and BUILD_ASSERT_MSG().
Signed-off-by: Oleg Zhurakivskyy <oleg.zhurakivskyy@intel.com>
- Add image security counter verification (read security counter value
from the image manifest and compare it against the stored/active
security counter) as an optional part of the image validation process
to prevent the restoration of older, potentially vulnerable images.
- This feature can be enabled with the MCUBOOT_HW_ROLLBACK_PROT option.
- Add security counter interface to MCUBoot. If HW rollback protection
is enabled then the platform must provide a mechanism to store and
read the security counter value in a robust and secure way.
Change-Id: Iee4961c1da5275a98ef17982a65b361370d2a178
Signed-off-by: David Vincze <david.vincze@arm.com>
Depends on the 'MCUBOOT_OVERWRITE_ONLY' option since swap info is not
protected by a signature.
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Add a missing test which ensures that there are enough free sectors to
perform an upgrade when using the move strategy; this basically checks
that the sectors used by the trailer don't overlap the last sector
required for a move up operation.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add a new option that when enabled, allows a swap status to store
an encrypted key TLV instead of plain keys. When a new swap operation is
started the encryption keys are saved to the swap status area to allow
for resuming (because it is challenging to find those TLVs in the middle
of a swap operation).
Previously those keys were saved in plain text, so it would be easy to
dump them if the images were stored in external flash. With this new
option one can choose to save the TLV instead, which uses more flash
but does not leak secrets. The amount of flash required varies depending
on the size of the TLV, which is 48 for AES-128-KW, 512 for RSA and 240
for ECIES-P256.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Avoid jumping into an image while still having encryption keys stored in
RAM, which could then be recovered by the app.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add new bootutil function that returns the size of the status area.
The simulator was updated to remove the custom calculation and get
the size directly from bootutil, avoiding breakages that happen when
both are not in sync.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When using swap without scratch, if a revert operation is detected there
is a fixup that needs to be done to avoid losing metadata. This fixup
copied metadata from the primary slot to the secondary slot temporarily.
Previously it was also copying the encrypted image keys but this is not
required since a fixup is only run when starting a new swap where the
keys were loaded directly from the images. This also avoids a
secondary slot in external flash leaking keys (according to our
threat model).
Signed-off-by: Fabio Utzig <utzig@apache.org>
ECDSA signatures are variable length. They are also encoded as ASN.1.
The ASN.1 parser we use is given the length, and will return a decoding
error if the signature block is not sufficiently long. Instead of
requiring the signature block be padded to the longest possible length a
signature can be, allow them to be their natural length.
This allows image signing tools to be able to generate signatures that
don't have this padding. Along with removing the pad removal code from
the EC224 code, this will allow this code to correctly validate all
signatures, not just 255 out of 256.
Signed-off-by: David Brown <david.brown@linaro.org>
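An added example (not MCUboot code) of why a DER-encoded ECDSA signature has no fixed length and how a checker can take the natural length from the ASN.1 header instead of relying on padding: the INTEGER content for r and s drops leading zero bytes and gains a 0x00 prefix when the top bit is set. It assumes the SEQUENCE body fits in a one-byte length, which holds for P-256 and P-384.

```c
#include <stdint.h>
#include <stddef.h>

/* Content length of the DER INTEGER for an unsigned big-endian scalar of
 * n bytes: leading zero bytes are dropped (keeping at least one byte), and
 * one 0x00 byte is prepended when the top bit is set, so the value is not
 * read as negative. */
size_t der_uint_content_len(const uint8_t *be, size_t n)
{
    if (n == 0)
        return 0;
    size_t i = 0;
    while (i < n - 1 && be[i] == 0)
        i++;
    return (n - i) + ((be[i] & 0x80) ? 1u : 0u);
}

/* Total DER length of SEQUENCE { INTEGER r, INTEGER s } for n-byte scalars.
 * For P-256 this is 70, 71 or 72 bytes in the common cases, fewer when a
 * scalar happens to start with zero bytes. */
size_t ecdsa_sig_der_len(const uint8_t *r, const uint8_t *s, size_t n)
{
    size_t body = 2 + der_uint_content_len(r, n) + 2 + der_uint_content_len(s, n);
    return 2 + body;                         /* 0x30, length byte, body */
}

/* Natural length of the DER signature at the front of buf, which may carry
 * trailing padding. Returns 0 if the structure is malformed or truncated,
 * so a caller hands the ASN.1 parser exactly the bytes that belong to it. */
size_t ecdsa_sig_natural_len(const uint8_t *buf, size_t buflen)
{
    if (buflen < 2 || buf[0] != 0x30 || buf[1] >= 0x80)
        return 0;
    size_t total = 2 + buf[1];
    if (total > buflen)
        return 0;                            /* block shorter than claimed */
    size_t off = 2;
    for (int k = 0; k < 2; k++) {            /* the two INTEGERs r and s */
        if (off + 2 > total || buf[off] != 0x02 || buf[off + 1] >= 0x80)
            return 0;
        off += 2 + buf[off + 1];
    }
    return off == total ? total : 0;         /* they must fill the SEQUENCE */
}
```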
Allow runtime generation of CRT params when not available in the
embedded private key. Also remove parsing/calculation of CRT
parameters when CRT was disabled in the config (mbedTLS does not
use those in this case).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add a `bootutil/bench.h` file that defines two calls
`boot_bench_start()` and `boot_bench_stop()` along with a type for the
state. These calls can be placed around blocks of code, and with a
properly defined implementation, will print simple performance
information about these operations.
This change merely adds the includes, and the empty implementations that
are used if the benchmarking feature is not enabled.
Signed-off-by: David Brown <david.brown@linaro.org>
There are a few error messages printed by the boot code. In a normal
platform, these are real errors, and really should print a message.
However, in the simulator, we intentionally create these scenarios, and
these errors only serve to distract from the rest of the test output.
Conditionalize the error prints based on whether we are running in the
simulator.
Signed-off-by: David Brown <david.brown@linaro.org>
* Adds a new level (BOOT_LOG_SIM) to be used only for messages that
are interesting while debugging bootutil in the simulator. This should
be used for extra verbose prints.
* Also added fflush() calls after fprintf() calls to guarantee that messages are printed
even when assertions are raised.
* For abstraction completeness, add "do nothing" definitions of _LOG_SIM
to the other ports.
* Make DEBUG the default level when building the simulator (one can
still lower verbosity using any other value for RUST_LOG).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Fix an issue where an upgrade could fail to execute.
This happened randomly in the "perm_with_fails" test in the simulator;
for it to happen the first reset had to occur just after writing the
metadata to mark the start of a new upgrade, but before any swap happened;
if followed by a new reset happening at a point where the metadata was
erased and rewritten, it would result in an upgrade failure. The images
would still be valid, although in their original slots.
The fix stores the detected boot status source in the state. When
metadata was found in the primary slot we assume a swap has already
started (even though no sector swap has happened) and avoid
erasing/rewriting it.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add cap for swap using move and rename old swap upgrade cap to swap
using scratch. Update sim to allow swapping tests to also run using
move.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This implements a swap upgrade that does not use a scratch area. It
works by first moving all sectors in the primary slot up one position,
and then looping on moving the sector of index X of the secondary slot to
index X of the primary slot, followed by moving sector X+1 of the
primary slot to X on the secondary slot, for each sector X.
The idea behind this implementation was initially suggested by Jehudi
Maes (@Laczen) and implemented on his own bootloader (ZEPboot).
Signed-off-by: Fabio Utzig <utzig@apache.org>
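The move-based swap described above, as an added toy model that is not MCUboot code: slots are arrays of int-valued sectors (0 meaning erased), the primary image is first shifted up one sector, then each sector X is exchanged through the freed position. The refusal when no spare top sector exists stands in for the "enough free sectors" check mentioned earlier in this log.

```c
/* Constructed model: a slot is SECTORS sectors holding one int each, 0 = erased. */
#define SECTORS 8

struct slot { int sector[SECTORS]; };

/* Copy one sector and erase the source, as a flash move does. */
static void move_sector(struct slot *dst, int di, struct slot *src, int si)
{
    dst->sector[di] = src->sector[si];
    src->sector[si] = 0;
}

/* Swap n-sector images between the slots without a scratch area. Returns -1
 * when the primary slot has no spare top sector for the move-up step. */
int swap_move(struct slot *primary, struct slot *secondary, int n)
{
    if (n < 1 || n >= SECTORS)
        return -1;
    /* Step 1: shift every primary sector up one position, top sector first. */
    for (int i = n - 1; i >= 0; i--)
        move_sector(primary, i + 1, primary, i);
    /* Step 2: for each X, secondary[X] -> primary[X], then the shifted-up
     * primary[X+1] (the old primary[X]) -> secondary[X]. */
    for (int x = 0; x < n; x++) {
        move_sector(primary, x, secondary, x);
        move_sector(secondary, x, primary, x + 1);
    }
    return 0;
}

/* Fill both slots with recognisable values, swap, and count sectors that
 * ended up in the wrong place (0 = correct swap, -1 = swap refused). */
int demo_swap(int n)
{
    struct slot pri = {{0}}, sec = {{0}};
    for (int i = 0; i < n && i < SECTORS; i++) {
        pri.sector[i] = 100 + i;             /* image A in the primary slot */
        sec.sector[i] = 200 + i;             /* image B in the secondary slot */
    }
    if (swap_move(&pri, &sec, n) != 0)
        return -1;
    int bad = 0;
    for (int i = 0; i < n; i++)
        bad += (pri.sector[i] != 200 + i) + (sec.sector[i] != 100 + i);
    bad += (pri.sector[n] != 0);             /* spare sector is erased again */
    return bad;
}
```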
This moves the functionality that is unique to a scratch based swap
upgrade into a separate file. Later other upgrade strategies can be
added by reimplementing those functions.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The current TLV tag is an unsigned 8-bit integer, that is stored with 8
bits of padding. As the TLV tag is defined to be little endian
(although the code doesn't properly handle this), we can use the 8 bits
of padding as the upper 8-bits, treating the TLV tag as a 16 bit value,
and all existing tags will operate as they did before.
Change the types used throughout the code to represent the TLV to a
`uint16_t`. Change the ANY tag type to `0xffff` instead of `0xff`.
This value is never stored, but will avoid conflicts with any future
allocated tags.
Signed-off-by: David Brown <david.brown@linaro.org>
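An added example (not MCUboot code) of the compatibility argument above: the same four header bytes decode identically under the old 8-bit-tag-plus-pad reading and the new 16-bit little-endian reading for every tag below 0x100, while a tag above 0xff is only distinguishable with the new reading. The sample TLV area is constructed; it uses 0x10 (MCUboot's SHA256 tag) and a hypothetical future tag 0x0102.

```c
#include <stdint.h>
#include <stddef.h>

#define IMAGE_TLV_ANY 0xffff   /* never stored; matches every tag */

/* Little-endian 16-bit read, as the TLV tag is defined to be stored. */
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Old reading: 8-bit tag, second byte treated as padding. */
uint16_t tlv_type_old(const uint8_t *hdr) { return hdr[0]; }
/* New reading: the pad byte becomes the upper 8 bits of a 16-bit tag. */
uint16_t tlv_type_new(const uint8_t *hdr) { return rd16le(hdr); }

/* Walk a TLV area of len bytes (4-byte headers: type, length) and return the
 * offset of the value of the first entry of type want, or of the first entry
 * at all when want == IMAGE_TLV_ANY; -1 if absent or the area is truncated. */
int tlv_find(const uint8_t *area, size_t len, uint16_t want, uint16_t *found_len)
{
    size_t off = 0;
    while (off + 4 <= len) {
        uint16_t type = rd16le(area + off);
        uint16_t tlen = rd16le(area + off + 2);
        if (off + 4 + tlen > len)
            return -1;                       /* entry runs past the area */
        if (want == IMAGE_TLV_ANY || type == want) {
            if (found_len)
                *found_len = tlen;
            return (int)(off + 4);
        }
        off += 4 + tlen;
    }
    return -1;
}

/* Constructed sample area: tag 0x10 with a 4-byte value, then hypothetical
 * tag 0x0102 with a 2-byte value. Old code would read the second tag as 0x02. */
const uint8_t sample[] = {
    0x10, 0x00, 0x04, 0x00, 0xaa, 0xbb, 0xcc, 0xdd,
    0x02, 0x01, 0x02, 0x00, 0x11, 0x22,
};
const size_t sample_len = sizeof(sample);
```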
While doing a revert, the image encryption keys might be saved temporarily
in the scratch area; this is required in situations where we need to swap
one of the last sectors of the primary slot. When this happens, and the
device is interrupted just after restarting the revert swap, bootutil will
try to load the encrypted keys from the primary slot, and possibly use them
in reverted order (image in primary uses key of image in secondary and
vice-versa) which was saved in the test upgrade.
This fixes the issue by reverting the order used to check for the swap
metadata, with scratch being checked before the primary slot.
Signed-off-by: Fabio Utzig <utzig@apache.org>