Increase the size of the jmpbuf to accomodate other architectures.
Unfortunately, the size of this is not available in the libc crate.
Increase this so encompass any platforms we wish to support, including
aarch64 on both Linux and MacOS.
Increasing an array beyond 32 means there is no default offered, so
implement this manually.
Signed-off-by: David Brown <david.brown@linaro.org>
Many of these extern functions are missing the "C". It doesn't seem to matter on
any of our targets, but this does make the code more correct, and might be a
problem in the future.
Signed-off-by: David Brown <david.brown@linaro.org>
This struct was having addresses taken of fields within it, and then being
returned. It is platform-specific whether this causes a move. It seems to be
working on x86_64, but causes a segfault on aarch64. Box the struct so that it
isn't moved after being initialized.
Signed-off-by: David Brown <david.brown@linaro.org>
If the psa-crypto-api feature is defined, the simulator will
initialize the PSA Crypto API exactly once. It needs also to
enable the test external RNG as the assumption is that the
PSA subsystem is configured to use MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Signed-off-by: Matthew Dalzell <matthew.dalzell@arm.com>
Change-Id: Id02727b8673867ecf1e4fbbdfa3c4b6d6f98f8df
This commit adds simulator support to test the
hw-rollback-protection feature which is using
nv-counters. In the simulator they are stored in Rust
to prevent any race conditions from happening due to
the parallel execution of the tests.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I445fc50615ed1f0c06e5933b16811c24d9d302fc
Combine all of the pieces to be able to test ram loading with multiple
images. We construct a model `RamData` that indicates where each image
should be loaded into RAM. This has to be made early enough to compute
signatures on the images, and then used later to verify that the images
were loaded properly.
Signed-off-by: David Brown <david.brown@linaro.org>
Test the basic configuration for ram loading. Instead of a fixed
address for RAM, the values come dynamically from a thread-local
variable (allowing the tests to run in parallel). The size of the ram
along with the address of the buffer in the test address space are
passed in this way.
This tests the single-image configurations of ram loading. Testing
multi-image will take additional work, as the RAM will need to be large
enough for both images, and the second image will need a meaningful
offset address in RAM.
Signed-off-by: David Brown <david.brown@linaro.org>
When the bootloader completes, it fills a response structure with
various information. Move this into the BootGoResult and provide an
accessor for it.
Signed-off-by: David Brown <david.brown@linaro.org>
Now that this result is abstracted, take the special case for a sim stop
and make it its own field. This hides the magic number we use to
indicate this to be entirely within mcuboot-sys.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of a tuple of values that is matched, return an abstract type
that has methods for querying the information we need. Abstracting this
will allow us to return additional information without having to change
all of the code that matches against these patterns.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of having this struct at a fairly low level in the simulator,
with the filled-in values effectively discarded after each call, pass
the value from higher up in the simulator. This prepares us for being
able to use the resulting data in upcoming tests.
Signed-off-by: David Brown <david.brown@linaro.org>
Apply clippy suggestions to directly result in values instead of
returning those values at the end of a function. Better matches common
Rust style.
Signed-off-by: David Brown <david.brown@linaro.org>
Cleanup some of the unsafe usage in mcuboot-sys. In one case, add a
safety comment to the function documentation. In the other, move the
unsafe to a narrower scope, reducing the number of instances of unsafe
needed. From clippy suggestions.
Signed-off-by: David Brown <david.brown@linaro.org>
Clippy suggests implementing Default when the `new` function for that
type just initializes the type to default values.
Signed-off-by: David Brown <david.brown@linaro.org>
According to clippy, `&'static` can just be `&` for static definitions,
which always have a static lifetime. Clean this up in the arrays in the
code, as well as generation code in imgtool.
Signed-off-by: David Brown <david.brown@linaro.org>
The simulated alignment functions were returning u8 which would be
invalid for any alignment beyond 128; as a first step in the direction
of allowing larger alignments, make them u16 which should allow for up
to 2**15 aligment size.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Add an apache SPDX header and explicit license lines. The date ranges
of the license lines is derived from the git history. Having these
explicitly present will make contributions from other parties easier, as
they will simply be able to add their own copyright line, rather than
having to describe that it only covers modifications.
Signed-off-by: David Brown <david.brown@linaro.org>
Add new bootutil function that returns the size of the status area.
The simulator was updated to remove the custom calculation and get
the size directly from bootutil, avoiding breakages the happen when
both are not in sync.
Signed-off-by: Fabio Utzig <utzig@apache.org>
* Adds a new level (BOOT_LOG_SIM) to be used only for messages that
are interesting while debugging bootutil in the simulator. This should
be used for extra verbose prints.
* Also added fflushs after fprints to guarantee that messages are printed
even when assertions are raised.
* For abstraction completeness, add "do nothing" definitions of _LOG_SIM
to the other ports.
* Make DEBUG the default level when building the simulator (one can
still lower verbosity using any other value for RUST_LOG).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Convert this `extern const uint32_t` to a simple define. Provide an
accessor function so that the simulator is able to access the value as
well. This has a minor improvement on the generated code within MCUboot
itself.
Signed-off-by: David Brown <david.brown@linaro.org>
BOOT_MAX_ALIGN is defined as
extern const uint32_t BOOT_MAX_ALIGN;
and is assigned a value in a single file. This causes extra work when
this is used as the size of a local variable in a function.
The value was made a constant in order for the simulator to be able to
access the value. Instead of making it a "real" constant, keep it as a
define, unifying the value of FLASH_MAX_ALIGN and this one, and provide
an accessor function for the test code to be able to access this value.
This causes a minor improvement in the code generated in
`boot_write_status`, but more importantly, eliminates a VLA from the
code, which increases the possible compilers supported by MCUboot.
Signed-off-by: David Brown <david.brown@linaro.org>
Add a `debug_dump()` method to `Images` to allow the images to be
written to a file. The dependency test will call this if the
environment variable MCUBOOT_DEBUG_DUMP is set.
In order to make these debug dumps more useful, add a simple partition
table to the beginning of the image (where MCUboot would reside on
target). This has a simple header, and then entries for each partition,
using the partition ids used within the simulator. This allows the
image to be more easily used by external tools.
As an example, `scripts/mcubin.bt` is a binary template for the [010
Editor](https://www.sweetscape.com/010editor/), allowing it to decode
and show the details of images from MCUboot.
Signed-off-by: David Brown <david.brown@linaro.org>
With the recent changes in bootutil, now there is no need to lock the
test threads to run sequentially, so the global lock was removed. The
locking now happens to access resources such as flash, flash params,
simulator context, etc on a per thread basis. Some of the global
variables that were used by the simulator itself (FFI) were made into a
context struct passed in to invoke_go.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Prior to this change, the scratch image trailer had a different format
from a slot image trailer. Specifically:
1. The scratch trailer only contained a single set of status entries
(three bytes); the slot trailer contained `BOOT_STATUS_MAX_ENTRIES`
sets of status entries.
2. The scratch trailer did not contain the `copy_done` field.
This inconsistency required some extra conditional logic in the trailer
handling code. It is simpler to just use the same trailer format
everywhere.
This commit removes this inconsistency. Now, the scratch trailer
structure is identical to that of the slot trailer.
Signed-off-by: Christopher Collins <ccollins@apache.org>
Construct the ImagesBuilder based on the number of images compiled into
the code. If the flash device doesn't have enough areas for the test,
the test will be skipped.
Extend the FlashId to include Image2, and Image3. Remove the unused
ones, so that these can be placed immediately after the scratcharea.
The current simulator code assumes the flash areas are numbered
contiguously, requiring these extraneous partitions to be eliminated.
Signed-off-by: David Brown <david.brown@linaro.org>
The name `SimFlashMap` is a bit misleading, as the Map part is more of
an implementation detail when the type really just represents multiple
flash devices.
This is just a rename, but the names `SimFlashMap` and the value
`flashmap` occur in a lot of places in the image module.
Signed-off-by: David Brown <david.brown@linaro.org>
This change replaces the slot 0/1 terminology with primary/secondary
slot and replaces FLASH_AREA_IMAGE_0/1 with
FLASH_AREA_IMAGE_PRIMARY/SECONDARY. This naming convention may be more
understandable, fits better to MCUs with multiple images and it is an
architecture agnostic alternative as well.
Change-Id: I655a585f6ae023852c671ee6635399efe25209c9
Signed-off-by: David Vincze <david.vincze@arm.com>
Signed-off-by: David Brown <david.brown@linaro.org>
This removes the unsafe Tinycrypt bindings previously used for signing
with ECDSA, and relies on ring native support.
The ring library was updated to 0.14.1.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Apply the changes suggested by
cargo fix --edition-idioms
and cleanup the results a bit. Eliminate `macro_use` extern crates.
Signed-off-by: David Brown <david.brown@linaro.org>
This adds an initial device with multiple flash (nrf52840 + SPI flash)
and updates all test routines to use a HashMap of flash devices (added
as type SimFlashMap).
Signed-off-by: Fabio Utzig <utzig@apache.org>
A new type `FlashMap` that stores a HashMap of [device_id -> Flash trait]
was added, which enables multi-flash devices to be passed around.
The previously existing static FLASH value that was used to simulate the
raw device, was updated to using a FlashMap which enables bootutil to
interface with more than one flash device.
Signed-off-by: Fabio Utzig <utzig@apache.org>
AreaDesc was modified to not receive a flash device on its constructor,
and instead a new function `add_flash_sectors` was added that allows it
to receive a flash device and id.
The `add_image` function that populates the areas also now receives a
dev_id that is used internally as fa_device_id.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The previous c/rust ffi functions were hardcoding the values of align
and erased_val before each run through static globals. This adds new sim
flash functions that get the align/erased_val from the sim flash device
that is being run on, allowing that later multiple flash devices can
each use its own params.
Signed-off-by: Fabio Utzig <utzig@apache.org>
A new align() function was added to SimFlash, and most functions that
were using/receiving align or erased_val parameters that had access to a
Flash trait were cleaned up so that they get the parameters directly
from the Flash device.
This will make it easier to extend for multiple Flash devices since
parameters should depend on the device in use.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Update `flash_area_*()` functions to call `sim_flash_*()` directly
instead of using `hal_flash_*()` functions that were not part of the
main bootloader anymore.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds new cargo features to allow running tests of encrypted
images with both RSA-OAEP and AES-128-KW.
When installing images on the simulated flash, both a plain and an
encrypted images are created. When encrypted image support is enabled,
verification of images in slot1 match against the encrypted image,
otherwise plain images are used.
PS: Also fixes ImageHeader to match bootutil definition.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This extends the simulator to be able to test the bootloader in devices
which use flash technologies that erase flash at 0 instead of 0xff.
Two MCU devices that have this "property" are the STM32L0x and STM32L1x
lines from ST.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When building in simulator mode, mock assert() to call an simulator
function which will enable other code to check if some path failed.
The assert checking interface, was added to boot_go which now
returns the low-level invocation results as well as the number of
asserts triggered.
Some new added tests check for assert() and expect it to happen. To not
abort tests, assert() was changed under sim env to not call c assert()
and instead just do some internal calculation which could be checked
by the simulator after a bootloader run and assert() catching behavior
was made optional (each test choses the behavior it needs).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Since ring does not yet support ecdsa signing, a thin layer was added
to allow the simulator to call tinycrypt's signing routine.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Lock the simulation with a mutex to prevent concurrent access. The C
code being tested uses globals, and can only be run in one context at a
time. The Rust test framework may run tests concurrently, so use the
mutex to prevent this.
Signed-off-by: David Brown <david.brown@linaro.org>
Move the alignment into the `boot_go` wrapper. Instead of relying on
this as a global, pass it around, ultimately setting it in the C
wrapper. This is in preparation to protecting the `boot_go` call with a
mutex to prevent reentrancy.
Signed-off-by: David Brown <david.brown@linaro.org>
David Brown