Disable the Zephyr-provided Tinycrypt, and use our local copy. This
avoids problems with changing version across different Zephyr releases.
Signed-off-by: David Brown <david.brown@linaro.org>
Add the 2 official Nordic Development Kit targets that are missing from
the list in mcuboot, but supported in Zephyr.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
The keyhash should be able to have any size up to the maximum allowed
size of 32, but the assert was not allowing images created with newt to
be accepted as valid (newt currently uses only 4 bytes for keyhash).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: David Brown <david.brown@linaro.org>
When starting a swap upgrade, the total size of data to be swapped is
calculated only at the beginning and saved to the trailer. This avoids
having to use complicated heuristics to find the total swap size, which
might depend on data that was already moved. When resuming a swap, the
size is found in the trailer and used.
Also includes some small comment fixes and refactors.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: David Brown <david.brown@linaro.org>
The local variable 'size' is actually the offset of the end, and not the
size. Rename it to reflect this reality.
Signed-off-by: David Brown <david.brown@linaro.org>
Clarify the name of the TLV field to more fully describe the signature
type.
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
Since we are changing the image header format, there is no reason to
continue to support the old PKCS#1 v1.5 signatures. Remove the
definitions, and conditional complication related to this, and only
support the newer PSS signatures.
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
Since we've changed the meaning of several fields in the header, bump
the header to a new magic number. The fields that are still present are
in the same place, but all of the signature and TLV information is moved
into the TLV itself, which is still immediately after the image.
As of this commit, this defines the new image header/TLV format used for
1.0.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
To allow the signatures to be replaced, move the size of the TLV into a
small "info" header at the start of the TLV.
Note that this causes image swapping to lose robustness. This is fixed
by a later commit.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
JIRA: MCUB-65
Remove the key_id field from the image header. There are two problems
with this field. First, it is only an integer offset, and so causes an
unnecessarily tight coupling between the particular keys built into the
bootloader, and the key that is used to sign. Second, it makes the
key_id part of the image header, which is included in the signature.
This makes it impossible to later sign the image with a different
signature.
Instead of the key-id, add a TLV KEYHASH entry. This will hold the
SHA256 of the public key that the signature is against. Each signature
placed in the TLV should be preceeded by this entry to indicate the
public key used.
The signature check will check each signature, and if the KEYHASH is
known and the signature type is supported, it will be checked. As long
as at least one signature is considered valid, the image will be
considered signed. This also allows the image to be signed with
multiple signatures to support having different devices with possibly
different keys compiled into the bootloaders.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
In preparation for moving the signature related values out of the main
image header and into the TLV, renumber the existing TLV values to be
grouped together better.
The SHA256 is moved into the first group, at 0x10, and the signature
values themselves are moved to start with 0x20.
This change is the first in a series of changes toward the new v1.0
image format. The intermediate results are all internally consistent
(meaning that the simulator, and the builtin imgtool.py will all work
together), but until all patches are applied, the image format is not
valid with any external tools.
Based on work by Marko Kiiskila <marko@runtime.io>.
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
Upstream Zephyr is making a habit of enabling subsystems on any board
that supports them. That's a potential security risk if any of those
allow interference with the running bootloader, and is currently
exceeding mcuboot's flash allowance on some STM32 targets,
e.g. 96b_carbon. Turn off I2C to restore the build for those.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Adds a new zephyr target for the nrf52_blenano2. This is the BLE
Nano 2 board created by Red Bear which contains a NRF52832 MCU.
Signed-off-by: Tyler Baker <tyler.baker@linaro.org>
The hexiwear k64 is very similar to the frdm_k64, as far as mcuboot is
concerned. The partitions are now defined in DTS in Zephyr, and this
target file just needs the device name, sector size, and alignment.
Signed-off-by: David Brown <david.brown@linaro.org>
The comment for BOOT_SWAP_TYPE_NONE says "Just boot whatever is in
slot 0". That's not correct: if configured to do so (and this the
strongly recommended configuration), mcuboot will first
cryptographically validate the contents of slot 0 before booting it.
Fix the comment to be more accurate.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Adjust alignment and add missing leading zero to
IMAGE_F_PKCS1_PSS_RSA2048_SHA256. This needed some comment changes to
keep things 80 column clean.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
This flag was added to the RSA config file, but not the ECDSA file. It
is needed to configure the MPU to allow the flash device to be written
to.
Signed-off-by: David Brown <david.brown@linaro.org>
Recent Zephyr trees require this config option to be set in order to be
able to write to the flash device. Without it, targets with an MPU
enabled will abort during startup, usually before even printing a
message to the UART.
Signed-off-by: David Brown <david.brown@linaro.org>
This enables mynewt to use mcuboot as a remote repository, which is only
required when using newtmgr to manage images. Since mcuboot has slightly
changed the trailer format, newtmgr built against the bundled mynewt
bootloader writes the magic and flags to the wrong location.
To build a mynewt app the wants to run with mcuboot as the bootloader
and requires newtmgr one needs to change the app's pkg.yml dependencies
as follows:
- - boot/bootutil
+ - "@mcuboot/boot/bootutil"
Signed-off-by: Fabio Utzig <utzig@apache.org>
When image is slot 1 had bad signature, the swap would fail and
try to write image_ok in slot 0 which if that was already a
permanent image would cause a overwrite in flash.
Fix warning/error when slot 0 validation is not enabled.
Signed-off-by: Fabio Utzig <utzig@apache.org>
After a swap operation is finished trailer control flags are written
according to the type of swap that was performed. The function names
that execute those operations were renamed to explicity reflect what
they do, and all "less deterministic" behaviors, of the type
"if flash is not set, set it", were removed.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds handling of the copy_done bit while evaluation a swap state.
Since copy_done is only ever written when a swap finishes, it can be
safely assumed that if copy_done is not set no swap was ever performed
and the image was written directly to flash, and thus no revert is run.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This reworks much of the code, as well as tables, handling swap
state to make them simpler. Only states that require an actual
swap to be performed, perm/test/revert are checked for and acted
upon. Other possible states try to default to no operation
performed.
One extra state, BOOT_SWAP_TYPE_PANIC, was added to differentiate
between "soft" errors and unrecoverable ones (as flash read/write
errors).
Non well defined state changes after swap failures, as described
in MCUB-59 were also clean up.
This should also fix situations as described in MCUB-63, where
images generated using imgtool (magic + image_ok set) are written
to slot 0 and cause an incorrect "revert".
Signed-off-by: Fabio Utzig <utzig@apache.org>
The MCUBOOT_VALIDATE_SLOT0 feature only verifies the signature when
there is no swapping happening. The assumption was that if there is a
swap being done, the code will verify the signature of slot 1 before
doing the slot.
However, either due to bugs, or intentional trickery, it may be possible
to confuse the code into continuing a swap operation. If the data is
modified before this, the bootloader can be tricked into booting the
resulting image in slot 0 without having verified the signature.
Fix this by always verifying slot 0's signature before booting it.
JIRA: MCUB-64
Signed-off-by: David Brown <david.brown@linaro.org>
This implements changes according to MCUB-14, easing the process
of making external apps parse and read/write the trailer.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Now that the partition table has been added to the device tree for the
frdm_k64f in upstream Zephyr, these symbols become redundant defines.
Remove them to fully use the partitions defined in Zephyr.
Signed-off-by: David Brown <david.brown@linaro.org>
For mynewt flash map only accepts values for slot 0 and 1. This
code was trying to read the image header on the scratch area using
the same interface and was segfaulting when slot0 and slot1 had
similarly sized images.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This error was catched by Coverity and it happens when a fail occurs
opening a flash map handle, which is not checked by the close
routine.
Right now this only affects Zephyr, but extra checking was added
assuming that in a future Mynewt implementation close could actually
be changed to do something.
Signed-off-by: Fabio Utzig <utzig@apache.org>
David Brown