Commit Graph

32 Commits

Author SHA1 Message Date
David Brown c06f7bb367 Revert "boot: Add MCUBOOT_HW_KEY support for image encryption"
This reverts commit 0fa46270c0.

This breaks:

    samples/synchronization/sample.kernel.synchronization on
    b_u585i_iot02a/stm32u585xx/ns error

as this TF-M configuration uses its own keys.  This change is an API
change that needs to be coordinated with TF-M changes.

Before this revert, compiling this test results in:

    .../encrypted.c:447: undefined reference to
    `boot_enc_retrieve_private_key`

Signed-off-by: David Brown <david.brown@linaro.org>
2024-07-09 09:19:43 -06:00
Dinesh Kumar K 0fa46270c0 boot: Add MCUBOOT_HW_KEY support for image encryption
Currently encryption supports only private key embed
in mcuboot itself. To support MCUBOOT_HW_KEY for image
encryption boot_retrieve_private_key() hook is added.

This hook helps retrieving private key from trusted
sources like OTP, TPM.

Signed-off-by: Dinesh Kumar K <dinesh@linumiz.com>
2024-06-12 15:17:54 -06:00
Tomi Fontanilles d4394c2f9b mbedtls config: fix too early check_config.h includes
check_config.h was included manually by custom configuration files.
This caused compilation errors when updating MbedTLS to 3.6.0
because check_config.h was processed too early, before the whole
configuration is defined, effectively causing configuration check errors.

MbedTLS already takes care of including check_config.h at the right time.
Remove those erroneous manual check_config.h includes.

Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
2024-04-25 11:05:54 +02:00
Roland Mikhel 206b914852 bootutil: Remove P224 curve
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I49fad7ede202de4e3c710bf4aa1df195a310b037
2023-04-11 07:05:38 +02:00
Michael Grand 5047f032c9 fih: Hardening of fault injection countermeasures
Returned values are now hardcoded. Indeed, while it is not
strictly needed (few return values different from SUCCESS
or FAILURE) complexity added by encoding return values might
cause the software to be vulnerable to fault attacks.

Return type changed from fih_int to fih_ret to make
the whole thing much simpler and therefore more robust
to fault attacks. In addition, its easier to predict
compiler behavior.

Affectation of sentive variables has been hardened using macro
FIH_SET (affectation + check wether write access has been properly
done). FIH_DECLARE() is added to ease the declaration of sentive
variables.

Equality tests fih_eq() and fih_not_eq() are now macros because
inlining produce more complex code (and weaker) than macros.
In addition fih_not_eq is modified to be the negation of fih_eq
which was not the case until now.

when FIH_NOT_EQ is used , FIH_SET(fih_rc, FIH_FAILURE) has been added
in some part of the code.

variable image_mask (bootutil_priv.h) is now volatile because a
double IF test is made on it.

some others parts of the code have been hardenned (eg. loop on images)

Signed-off-by: Michael Grand <m.grand@trustngo.tech>
2023-01-30 09:34:34 -07:00
Francesco Servidio 5bc983276f doc: Fix case in titles
Unified case in titles.
Fixed small grammar issues.

Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no>
2021-11-03 17:05:40 +01:00
Francesco Servidio 582367cfeb doc: Fixed consistency of Mbed term
Fixed the consistency of the case used for the Mbed term.

Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no>
2021-10-21 06:45:13 -03:00
Francesco Servidio 4ff0c18693 doc: Fixed consistency of MCUboot
Fixed the consistency of the case used in the term MCUboot.

Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no>
2021-10-21 06:45:13 -03:00
Roman Okhrimenko a41a850dd5 cypress: use mbedtls 3.0, do not use hw crypto by default
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@infineon.com>
2021-08-26 10:18:20 -06:00
Dominik Ermel a09ca5b964 boot: Add MCUBOOT_PERUSER_MGMT_GROUP_ENABLED to platforms
The commit adds the MCUBOOT_PERUSER_MGMT_GROUP_ENABLED configuration
option to cypress, mbed and mynewt configurations.
The options is used to enable custom, system specific, mcymgr
commands parsing in mcuboot serial recovery.
For the listed platforms it is set as not enabled (0), as neither
of the platforms currently provide supporting callback.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
2021-07-13 11:39:35 +02:00
Andrzej Puzdrowski 142b339667 boot: introduce MCUBOOT_CPU_IDLE() for support low power single thread
Introduced MCUBOOT_CPU_IDLE() macro.
If a port supports single thread or is bare-metal then might be need
to switch to idle mode explicitly form MCUboot code.
The call allows to enable lower power consumption while waiting for
incoming transmission in serial recovery etc.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2021-06-17 12:42:21 +02:00
Roman Okhrimenko 579b30c299 cypress: Update docs with new platforms support info
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@infineon.com>
2021-03-25 13:47:01 +02:00
Roman Okhrimenko 4bc2810cb5 cypress: Rework makefiles, reorganise source, add 062_1M and 062_512k support
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@infineon.com>
2021-03-25 13:47:01 +02:00
Bohdan Kovalchuk de51807249 Cypress: add encryption with mbedTLS
Signed-off-by: Bohdan Kovalchuk <bohd@cypress.com>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@infineon.com>
2021-03-16 21:38:06 -03:00
Roman Okhrimenko 895300103d cypress: Align cypress mbedtls hw accel implementation with bootutil update
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@infineon.com>
2021-03-12 14:17:28 -07:00
Roman Okhrimenko 0c7aebcfe3 cypress: Add support for watchdog timer update in boot image
Add watchdog timer to MCUBootApp plus BlinkyApp to implement  additional way of boot/upgrade image operation confirmation.

Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
2021-02-01 16:39:18 +02:00
Andrzej Puzdrowski 907476d701 boot: remove direct fih delay rng inclusion
Direct inclusion of "bootutil/fault_injection_hardening_delay_rng.h"
might cause linking collision as this header belongs to `FIH_ENABLE_DELAY`
mode.
This header is already included by "bootutil/fault_injection_hardening.h"
appropriately.

fixes #831

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2020-10-07 13:50:16 +02:00
Tamas Ban 4e8d838d36 cypress: Add fault injection mitigation
Add software countermeasures against fault injection attacks.

Change-Id: I35ae95a3387a0231f81782e22728bf8a3f9b6005
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
2020-10-02 07:31:11 -03:00
Roman Okhrimenko 6ea44be64f cypress: update user documentation with disclaimer and additional instructions
This change adds Disclaimer section to Cypress related documentation and adds details about custom hardware configuration flow.

Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
2020-09-30 03:46:36 +03:00
Roman Okhrimenko ff026122e1 Cypress: Disable entering deep sleep if no boot/upgrade images found
Entering deep sleep on CM0 without valid application on CM4 caused pyocd error while programming. This fix disables entering deep sleep mode on CM0 if no valid applications found for boot. Waiting for uart complete tx reworked. Code refactoring

Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
2020-09-30 03:22:53 +03:00
dmiv 8672c8e98a Cypress: Add entering deep sleep in MCUBootApp, code improvements
- improved code in MCUBootApp
- added possibility to enter deep sleep mode after mcuboot app execution
- minor refactoring

Signed-off-by: dmiv <dmiv@cypress.com>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
Signed-off-by: Taras Boretskyy <taras.boretskyy@cypress.com>
2020-09-22 18:27:21 +03:00
Bohdan Kovalchuk 8416f35a91 Cypress: fix one more unwanted warning
Signed-off-by: Bohdan Kovalchuk <bohd@cypress.com>
2020-07-16 13:25:22 +03:00
Bohdan Kovalchuk a333a4576b Cypress: fix flash_area_write, warnings, improve make, readme
Signed-off-by: Bohdan Kovalchuk <bohd@cypress.com>
2020-07-14 17:05:57 +03:00
Kostiantyn Tkachov 120efee34f Use cypress cy-mbedtls-acceleration revision w/o HAL
Signed-off-by: Kostiantyn Tkachov <kotk@cypress.com>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
2020-06-05 01:08:36 +03:00
Bohdan Kovalchuk 0324f1b023 Add external memory support for cypress platform
Signed-off-by: Bohdan Kovalchuk <bohd@cypress.com>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
2020-05-29 03:40:28 +03:00
Bohdan Kovalchuk 7725652e30 Add files to eliminate HAL dependency, build/compile pass
Signed-off-by: Bohdan Kovalchuk <bohd@cypress.com>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
2020-04-21 07:55:10 -06:00
David Vincze 03368b8bec boot: Add hardware key support
This change enables the public key (used for image authentication) to
be removed from MCUboot and be appended to the image instead. In this
case the key or its hash must be provisioned to the device and MCUboot
must be able to retrieve the key-hash from the hardware to compare it
with the calculated hash of the public key from the image manifest in
order to verify its validity before image authentication.

The source of this change:
https://review.trustedfirmware.org/c/trusted-firmware-m/+/1581

Change-Id: I36fe699732e0e4c113eaed331c22e707c722ed6e
Signed-off-by: David Vincze <david.vincze@linaro.org>
2020-04-07 09:20:13 -06:00
Roman Okhrimenko aa7c021eb8 Update user documentation in cypress folder
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
2020-03-30 13:25:56 -06:00
Roman Okhrimenko 4c1c5b0955 Update Readme file with details on HW crypto acceleration
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
2020-03-05 12:32:18 +02:00
Roman Okhrimenko 38aa6c4d23 Add crypto acceleration config file and support in build system
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
2020-03-05 12:32:18 +02:00
Roman Okhrimenko 4650f2011b Add debug configurations for ModusToolbox
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
2020-03-04 13:47:49 +02:00
Roman Okhrimenko 89ecdac3b8 Add initial implementation of MCUBoot application for Cypress PSOC6 platform
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
2020-03-04 13:47:49 +02:00