The commit adds support for IMAGE_F_ROM_FIXED flag that allows setting
information on image base address into image_header.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Update version fields for 1.7.0 release.
Added compatibility note for zephyr-rtos.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
When Image.create() is called without the 'custom_tlvs' argument, it
gets its default value (None). It must be checked before performing
any operations on/with it.
Change-Id: I8e0755265f35f9eeb796fe078a6ad8c8d9f2b8da
Signed-off-by: David Vincze <david.vincze@linaro.org>
This patch introduces the ram-load mode in addition to the other
upgrade modes (swap strategies, overwrite-only, direct-XIP). When
ram-load is enabled with the MCUBOOT_RAM_LOAD option, mcuboot
selects the newest valid image based on the image version numbers from
the image header, thereafter the selected image loaded to the RAM and
executed from there. Load address is extracted from the image header.
Therefore the images must be linked to the RAM memory region.
The ram-load mode is very similar to the direct-XIP mode, main
difference is to load the newest image to the RAM beforehand the
authentication and execution. Similar to direct-XIP mode either
of the primary and the secondary slots can hold the active image.
Ram-load can be useful in case of a bit more powerful SoC, which
is not constrained in terms of internal RAM. It could be that image
is stored in external and therefore untrusted flash. Loading image
to internal (trusted) RAM is essential from the security point
of view the system. Furthermore execution from internal RAM is much
faster than from external flash.
This patch is based on the RAM_LOADING upgrade strategy which was
first introduced in the Trusted Firmware-M project.
Source TF-M version: TF-Mv1.0.
Change-Id: I95f02ff07c1dee51244ac372284f449c2efab362
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
In an effort to create a script to do firmware based on an URL, I could
not easily retrieve the image digest. `newtmgr` needs the hash when
marking a image for testing.
Signed-off-by: Casper Meijn <casper@meijn.net>
This patch introduces the direct execute-in-place (XIP) mode in addition
to the other upgrade modes (swap strategies, overwrite-only). When
direct-XIP is enabled with the MCUBOOT_DIRECT_XIP option, mcuboot
selects the newest valid image based on the image version numbers from
the image header, thereafter the selected image runs directly from its
flash partition (slot) instead of moving it. Therefore the images must
be linked to be executed from the given image slot. It means that in
direct-XIP mode either of the primary and the secondary slots can hold
the active image.
This patch is based on the NO_SWAP upgrade strategy which was first
introduced in the Trusted Firmware-M project.
Source TF-M version: TF-Mv1.0.
Change-Id: If584cf01ae5aa7208845f6a6fa206f0595e0e61e
Signed-off-by: David Vincze <david.vincze@linaro.org>
Custom TLVs will be placed in the protected area.
Tag and value come from command line.
Values with 0x prefix will be interpreted as an integer, otherwise
it will be interpreted as a string.
Signed-off-by: Ihor Slabkyy <ihor.slabkyy@cypress.com>
Update various version fields. Also include a note in the release notes
describing Zephyr compatibility.
Signed-off-by: David Brown <david.brown@linaro.org>
Set the RAM_LOAD flag in the image header when a load address was passed
to the imgtool script, indicating that the image should be loaded into
RAM and run from there.
Change-Id: Id9d2c179d7fa1ff7d15cf671c09c61b5b78c88a8
Signed-off-by: David Vincze <david.vincze@linaro.org>
The --public-key-format option can be used to distinguish where
the public key is stored for image authentication. It can be embedded
in MCUboot or by selecting 'full' it can be in the image manifest.
The source of this change:
https://review.trustedfirmware.org/c/trusted-firmware-m/+/1579
Change-Id: If658dff8147cfce2f27bfc0209ecf0d6d9cb2a73
Signed-off-by: David Vincze <david.vincze@linaro.org>
Add new '--boot-record' option for imgtool to add a new type of TLV to
the image manifest called BOOT_RECORD. This TLV contains CBOR encoded
data with some basic information about the image (SW component) it
belongs to, these are the following:
- SW type (role of the software component)
- SW version
- Signer ID (identifies the signing authority)
- Measurement value (hash of the image)
- Measurement type (algorithm used to calculate the measurement value)
The boot_record.py file and most of the modifications in image.py are
coming from the Trusted Firmware-M project
(https://www.trustedfirmware.org/about/).
Hash of the source commit: 08d5572b4bcee306d8cf709c2200359a22d5b72c.
This patch is based on the recommendations of Arm's Platform Security
Architecture (PSA) and its purpose is to support compliance with it.
Change-Id: I379ccc57b48ad2311837cb3fd90f5f9d1c9b5bac
Signed-off-by: David Vincze <david.vincze@linaro.org>
Since commit:
commit a36082664e
Author: David Brown <david.brown@linaro.org>
Date: Thu Dec 12 15:35:31 2019 -0700
ecdsa: Allow ECDSA signatures to be actual length
MCUboot no longer requires ECDSA signatures to be padded to a fixed
length. This change makes imgtool, by default, also no longer add this
padding to images. There is an option `--pad-sig` that can be given to
the sign command to re-instate this padding. This flag will be needed
to make images that will work with older (pre 1.5.0) versions of
MCUboot.
Signed-off-by: David Brown <david.brown@linaro.org>
Add imgtool command line option for confirming (setting image_ok =
0x01) in a padded image.
Fixes: #664
Signed-off-by: Henrik Brix Andersen <hebad@vestas.com>
Optionally add new security counter TLV to the protected image manifest
and also introduce a new command line option for the imgtool to specify
the value of this counter. The security counter can be used in rollback
protection to compare the new image's security counter against the
active counter value. Its value can be independent from the image
version, but if the 'auto' keyword is passed in the argument list of the
script then it will be generated from the version number (not including
the build number).
The value of the security counter is security critical data. Therefore,
it must be part of the protected TLV area.
Change-Id: I45926d22364d0528164f50fa379abf050bdf65ff
Signed-off-by: David Vincze <david.vincze@arm.com>
The `--erased-val` (or `-R`) option was doing conversion of base 10, so
the only value that was acceptable was 0. Although not passing this
option would result in the default `0xff` being used, this fixes the
issue by allowing Python to auto-detects the base from string.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Click has better UI for exceptions, so instead of throwing a backtrace,
allow it to print a nicer error message.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This breaks the check() routine into two, one to check the header, one
to check the trailer. The reason is that header checking must be
performed when loading the input binary, while trailer overrun check
must be done after the whole image (with TLVs) is built.
To support the option of saving encrypted TLVs during swap in the
bootloader, a new parameters was added to the create command, to
allow the user to provide a config that matches the bootloader build
option and to do proper image overrun checks.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This applies a few improvements to a commit previously included in
PR #596:
* Move functions to dump a private key to the private key classes
* Remove language option; always dumps in C format
* Add option to generate a minimal dump. This will remove extra
parameters that are present in keys generated with the `keygen`
command.
For P256 this will remove the public point, which is already
ignored by the parsing function. The resulting key dump shrinks
from 138 to 70 bytes.
For RSA it will remove the DP/DQ/QP parameters which are only
used with CRT enabled, and if not available, can be calculated at
runtime. This reduces the size of a key dump from around 1190
bytes to somewhere close to 800 bytes. A patch to the RSA parsing
routine will be added in another commit.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: Ioannis Konstantelias <ikonstadel@gmail.com>
Apply a few improvements to the type parameter in the keygen command.
Currently finding out the key types requires passing an invalid value
to display what values are available. Instead add them the help page,
so it shows an output like below:
```
-t, --type type One of: rsa-2048, rsa-3072, ecdsa-p256, ecdsa-p224,
ed25519 [required]
```
When no type is given in the cli, ask for it:
```
$ ./imgtool.py keygen -k privkey.pem
Type (rsa-2048, rsa-3072, ecdsa-p256, ecdsa-p224, ed25519):
```
Signed-off-by: Fabio Utzig <utzig@apache.org>
Commit 9117fded47 added support for
supplying an `--erased-val`, which defaults to 0xff. When padding a
header, the checks were still validating against 0, which is the
value used for padding by the Zephyr build system. Now when the
user passes `--pad-header` this check is skipped (we already know
the contents).
Signed-off-by: Fabio Utzig <utzig@apache.org>
When generating HEX output, instead of just adding the `magic`, also add
the whole trailer (with erased value). This allows for HEX writing tools
to erase the trailer region, avoiding possible issues when garbage
exists there.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add `-R`/`--erased-val` CLI option when creating images, which accepts
a value to be used for padding. This is useful when creating images
that run in devices that have flash erased to some value different
from 0xff (like STM32L0x and STM32L1x that have 0s).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add a new flag `-x` (or `--hex_addr`) which adjusts the memory address
where this file has to be written to. This is useful when generating
upgrade images that will go to the secondary slot, in cases where the
user is not using mcumgr or some other delivery mechanism, and has to
manually adjust the addresses using `objcopy`.
Also when using hex files, image padding now only adds a segment with
the magic at the end instead of filling the whole output with `0xff`.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Allow the user to set the load_addr field of the header.
This could be useful in multi image situations to help
deduce the image number of an update without having to
look at the swap info.
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
This struct currently relies on padding being done by the C compiler.
Although this is generally done the same across targets, this isn't
required, and it is better to make any padding explicit. This also
makes it clear that there is extra space in this structure that can be
used for another purpose.
The python imgtool is also fixed to match. It was using a 32-bit int,
which only worked in the little endian case.
Signed-off-by: David Brown <david.brown@linaro.org>
This adds ed25519 signature support using the "prehash" method. Instead
of using the direct contents of the image and header payloads, a sha256
is generated and signed (SHA256-Ed25519). This allows for compatibility
with already existing tools that use the sha256 hash, like mcumgr, etc.
Signed-off-by: Fabio Utzig <utzig@apache.org>
imgtool verify -k <some-key.(pub|sec)> <img-file>
Allow imgtool to validate that an image has a valid sha256sum and that
it was signed by the supplied key.
NOTE: this does not yet support verifying encrypted images
Signed-off-by: Fabio Utzig <utzig@apache.org>
This commit aims to add the ability to specify and add dependency
TLVs to MCUBOOT. Due to the private nature of this feature, having
dependency TLVs mean that the TLV Info header and these TLVs become
part of the protected area (they are supposed to get signed as well).
Since the TLV Info header containing the whole TLV section's size
becomes protected, this size needs to be calculated in advance to get
proper hash values.
Change-Id: I13277a3b595acc2bb8c5084420f3d61c8d301dc2
Author: Bence Kaposzta <bence.kaposzta@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
If imgtool is used for signing with encryption
it will disallow using public RSA key for
signing.
Signed-off-by: Chris Bittner <chris.bittner@nordicsemi.no>
Updates imgtool to infer, based on output image filename, which format
should be use for output file. Filenames that end with extension `.hex`
are saved in Intel HEX, otherwise saves a binary image.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds initial support for publishing imgtool to pypi.org.
The main imgtool.py was moved to imgtool package and made into the main
file, and a new imgtool.py that calls into the package, was added allowing
for the old usage behavior to remain functional.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Generating images with no signature or encryption was broken by commit
06b77b8353
This allows generating images with just sha256 again, and fixes a few
leftovers from the imghash TLV change.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Adds a new flag to imgtool, -E/--encrypt which accepts a public rsa-2048
key file that will be used to encrypt the image.
The encryption method uses AES-128-CTR to encrypt the image data (ignores
the header and TLVs), using a random key that is itself encrypted using
RSA-2048-OAEP and added to the generated image as a new TLV.
Signed-off-by: Fabio Utzig <utzig@apache.org>
If adding a header to a .hex file (using the command line
"--pad-header"), the hex file gets shifted by header size. This may
cause hard coded addresses to be off by "header-size", making the
firmware unusable. Instead, adjust the base address by the header
size, so the existing firmware in the hex file is loaded to the
proper addresses.
Signed-off-by: Mark Schulte <mschulte@lyft.com>
The `--included-header` was "mandatory" when using imgtool with firmware
images generated by the Zephyr build system and it was a source of
issues when it was forgotten. This removes `--included-header` and adds
a new parameter `--pad-header` with inverted semantics, to be used only
when a zeroed header is required to be added to the firmware image.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Overwrite only requires just magic + image_ok + copy_done. This fixes
issues generating images in overwrite only mode when the firmware image
is too big and overflows the swap status area.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add the new `--slot-size` and make `--pad` a bool flag, to allow
checking that firmware fits in the slot without overflowing into the
trailer region even when no padding was requested.
Fixes#241
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds a new command line flag to allow passing in the max number of
sectors for a swap when the image is padded. It defaults to 128 and
should match the value configured in the bootloader.
Fixes#285
Signed-off-by: Fabio Utzig <utzig@apache.org>
This removes the old "TLV size" and "keyId" fields that used to exist
in the old image header format and updates it to use `load_addr`. Also
fixes the name of reserved fields to index from 1.
This fixes#279
Signed-off-by: Fabio Utzig <utzig@apache.org>
Some platforms prefer images in the Intel Hex (.hex) format. Implement
support for signing images in this format in imgtool.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
Until we fix the padding problem, pad the ecdsa signatures with zeros to
always be 72 bytes long. Add a 'raw_sign' method so that the unit test
can use the real signature.
Signed-off-by: David Brown <david.brown@linaro.org>
Replace the (now broken) ECDSA code with code using the python
'cryptography' library.
Similar to the change to RSA, this changes the format that private keys
are stored, again using PKCS#8. This supports the stronger password
protection as well.
Again, this code will still support reading the older style of public
keys, but other tools that use keys generated by this change will need
to be updated to work with the new format.
Signed-off-by: David Brown <david.brown@linaro.org>
The verification code requires a fixed 32-byte salt, which seems is what
the old crypto library did. Use this same value to avoid having to
modify the code.
Signed-off-by: David Brown <david.brown@linaro.org>
The keygen command allows the `-p` argument which will prompt for a
password, and protect the private key with this password. When loading
keys, it will prompt for a password if it detects a password protected
key.
Signed-off-by: David Brown <david.brown@linaro.org>
The 'cryptography' library is pickier about the data it is asked to
sign. Get the bytes value out of the bytearray for doing the actual
signature.
Signed-off-by: David Brown <david.brown@linaro.org>
Replace RSA code with one using the python 'cryptography' library. This
library is much more complete, and will make adding support for password
protected keys, and separate public keys easier.
There is, however, a significant change brought about by this change:
the private keys are stored in PKCS#8 format, instead of the raw format
that was used previously. This is a more modern format that has a few
advantages, including: supporting stronger password protection, and
allowing the key type to be determined upon read.
This tool will still support reading the old style public keys, but
other tools that use these keys will need to be updated in order to work
with the new format.
This new code has some unit tests to go along with it for some basic
sanity testing of the code.
Signed-off-by: David Brown <david.brown@linaro.org>
Although these files are likely implicitly licensed under the Apache 2.0
license because of the LICENSE file for this project, make this explicit
in these files.
Signed-off-by: David Brown <david.brown@linaro.org>
Earlier refactoring created a call for get_public_bytes() that was added
to the RSA class, but missed on the ECDSA class. Add this call so that
ECDSA signatures will work again.
Signed-off-by: David Brown <david.brown@linaro.org>
Since we've changed the meaning of several fields in the header, bump
the header to a new magic number. The fields that are still present are
in the same place, but all of the signature and TLV information is moved
into the TLV itself, which is still immediately after the image.
As of this commit, this defines the new image header/TLV format used for
1.0.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
To allow the signatures to be replaced, move the size of the TLV into a
small "info" header at the start of the TLV.
Note that this causes image swapping to lose robustness. This is fixed
by a later commit.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
JIRA: MCUB-65
Remove the key_id field from the image header. There are two problems
with this field. First, it is only an integer offset, and so causes an
unnecessarily tight coupling between the particular keys built into the
bootloader, and the key that is used to sign. Second, it makes the
key_id part of the image header, which is included in the signature.
This makes it impossible to later sign the image with a different
signature.
Instead of the key-id, add a TLV KEYHASH entry. This will hold the
SHA256 of the public key that the signature is against. Each signature
placed in the TLV should be preceeded by this entry to indicate the
public key used.
The signature check will check each signature, and if the KEYHASH is
known and the signature type is supported, it will be checked. As long
as at least one signature is considered valid, the image will be
considered signed. This also allows the image to be signed with
multiple signatures to support having different devices with possibly
different keys compiled into the bootloaders.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
Add a `--rust` flag to the getpub subcommand to output the public key in
Rust format rather than C.
Signed-off-by: David Brown <david.brown@linaro.org>
In preparation for moving the signature related values out of the main
image header and into the TLV, renumber the existing TLV values to be
grouped together better.
The SHA256 is moved into the first group, at 0x10, and the signature
values themselves are moved to start with 0x20.
This change is the first in a series of changes toward the new v1.0
image format. The intermediate results are all internally consistent
(meaning that the simulator, and the builtin imgtool.py will all work
together), but until all patches are applied, the image format is not
valid with any external tools.
Based on work by Marko Kiiskila <marko@runtime.io>.
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
The imgtool.py program has been assuming that the input image for
signing has a zero padded place for the header at the beginning of the
image. This is only true for some platforms.
Instead, make this included header space optional. By default, prepend
the header to the image. If `--included-header` is specified to the
sign command, consider the bytes at the beginning of the image to be
padded space for the header. This option is required for Zephyr builds.
If the --key is not specified, only the SHA256 hash is added to the TLV.
This is useful for testing configurations, where the crypto has not been
fully configured. Note that this configuration is not secure, and this
only verifies that the image has not been corrupted.
When parsing versions for the --version argument, allow a field to be
zero. Also, restrict the build to just an integer to match what we
allow (rather than allow alphabetic, and then failing to parse as an
integer).
In addition, add the missing import of argparse, so that when the
version is invalid, we get nice usage rather than an error about a
missing module.
Jira: MCUB-58
Add support for the RSA-PSS signature algorithm to imgtool.py. This
algorithm has a strong security proof, and is recommended for all new
designs. The new algorithm is enabled by default for RSA signatures to
match the default in the bootloader also being changed.
This is the start of a python implementation of imgtool. This
implements all of the functionality that was missing in the zep2newt.py
tool, namely creation of keypairs, and converting the public version of
these keys into C code.
Dominik Ermel