Commit Graph

177 Commits

Author SHA1 Message Date
David Brown a5c12c6ad7 Merge pull request #44 from utzig/create-doc
Move design doc to doc dir
2017-05-01 09:38:38 -06:00
David Brown 079793ca46 Merge pull request #43 from d3zd3z/frdm
Better frdm_k64f partitions
2017-05-01 09:38:28 -06:00
Fabio Utzig 9d6ee9de31 Move design doc to doc dir 2017-05-01 07:41:59 -03:00
David Brown b8e9dde77c frdm_k64f: Use entire flash.
Expand the data slots to 384K each, leaving the boot and scratch areas
as 128K.  This allows more room for code, but will wear the scratch
partition about 3x faster because of the more extensive use of the
partition.
2017-04-27 16:35:27 -06:00
David Brown e629bf3745 Generalize SHA256 code to allow tinycrypt support
When building with ECDSA P-256 as the signature algorithm, we are still
bringing in SHA256 and some ASN.1 code from mbed TLS.  Fix part of this
by wrapping the hash functions with general routines (inline functions)
allowing selection between mbed TLS and Tinycrypt for the
implementation.

Update the Zephyr config files so that the Tinycrypt version is used
when building the ECDSA P-256 signing variant.
2017-04-27 16:31:12 -06:00
David Brown d7e350df7d zephyr: Fix up mbed TLS configuration
There are some problems with how mbed TLS is configured in Zephyr.
First, include the makefile stub in the Makefile that uses these
defines.  This makes sure the right definitions get made so that our
custom config gets used for all compiled files, rather than a mixed set.

Also, fix up the wrappers on the custom configs so that each is
different, making it easier to detect if multiple configs are being
included.

Lastly, only include the right header in the image validation.  The mbed
TLS includes don't seem to want to allow both RSA and ECDSA to be used
(due to the key size), and including the wrong header results in a
compilation error.
2017-04-27 16:31:04 -06:00
David Brown 3e1c38c624 Merge pull request #38 from utzig/magic-sz-const
Use constant for magic size
2017-04-25 15:01:24 -06:00
Fabio Utzig 24a273d451 Use constant for magic size
- This also fixes an issue that could arise if the magic is only partly
  erased.
2017-04-20 08:21:31 -03:00
Fabio Utzig 644b8d4f06 Make max align size a #define 2017-04-20 07:56:05 -03:00
David Brown 7406f18e49 Merge pull request #33 from d3zd3z/zepspace
Make zephyr code comply with indentation of rest of mcuboot
2017-04-12 07:47:16 -06:00
David Brown 74b3c58f53 zephyr: Add braces around single lines
The coding guidelines for mcuboot specify using braces around all
single-line constructs.  Add these to those lines missing this.
2017-04-11 17:59:05 -06:00
David Brown 0d0652a10f zephyr: use indentation consistent across mcuboot
The original Zephyr platform support files use tabs for indentation
(to match the Zephyr project).  Since this code is all together, and
will be used as the basis for other platforms, fix this indentation to
match that used by the rest of mynewt.

This change is clean with respect to "git show -b", and only changes
the indentation of the beginning of lines.
2017-04-11 17:59:04 -06:00
Fabio Utzig fb291e4467 Add descriptions to syscfg.yml options 2017-04-11 16:20:16 -03:00
Marti Bolivar 7f6ea1599d zephyr: add nrf52840_pca10056 target
This board, called the NRF52840-PDK in marketing materials, is a
preview development board for the nRF52840 SoC.

Flash layout (4 KiB sectors):

        User    Start   End     Size (KiB) Size (B)
        ------- ------- ------- ---------- --------
        mcuboot 0x00000 0x07FFF         32  0x08000
        Image 0 0x08000 0x73FFF        432  0x6C000
        Image 1 0x74000 0xDFFFF        432  0x6C000
        Scratch 0xE0000 0xFCFFF        116  0x1D000

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-03-21 15:48:17 -04:00
Marti Bolivar 29d3a77d3b zephyr: fix flash_area_to_sectors()
This fixes MCUB-39.

On Zephyr targets, flash_area_to_sectors() assumes that the flash
device's sector size is equal to the size of the scratch area.

That breaks swap and rollback when scratch size doesn't divide image
size, since the image flash areas will not be correctly configured.
This is a valid configuration supported by the rest of mcuboot.

The best way to fix this would be to get the flash layout from Zephyr,
but that's not possible yet.

Instead, provide a new FLASH_AREA_IMAGE_SECTOR_SIZE define from
target.h. This must be the sector size for these areas:

       - FLASH_AREA_IMAGE_0
       - FLASH_AREA_IMAGE_1
       - FLASH_AREA_IMAGE_SCRATCH

Other areas on the device may have sizes different than
FLASH_AREA_IMAGE_SECTOR_SIZE.

This won't work on platforms where those areas have nonuniform sector
sizes, but we'll cross that bridge when we come to it. (At that point,
an upstream Zephyr change to the flash API really seems needed.)

Revert to the old/buggy behavior when FLASH_AREA_IMAGE_SECTOR_SIZE
isn't provided, but emit a warning. Additionally, touch up the logging
and error handling while we're here.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-03-21 15:48:15 -04:00
Marti Bolivar 94f3f91ca7 zephyr: 96b_nitrogen: increase scratch space
The current configuration only allows ~170 updates before we can
expect wear on the flash device (per product spec that the flash
device supports 10,000 erase cycles). Increase the scratch size to
make this better by removing some application space, to allow for
~2500 application updates or rollbacks.

The new configuration is 52 KiB (13 sectors) for scratch, and 208
KiB (52 sectors) for each application image.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-03-21 15:39:53 -04:00
Marti Bolivar 51181cf34f zephyr: add "real" target header
MCUBOOT_TARGET_CONFIG is included in several places now,
not just boot/zephyr/main.c. This seems likely to continue.

Let's avoid trouble and make it a real header file, target.h, that
pulls in MCUBOOT_TARGET_CONFIG. That done, include target.h instead
everywhere MCUBOOT_TARGET_CONFIG is included.

This will make it easier to provide values at an SoC/family level
later.  We can expect different Zephyr boards to have the same SoC and
thus likely the same mcuboot flash layout, so this will avoid
duplication.

All supported boards are compile-tested.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-03-21 15:39:46 -04:00
Marti Bolivar 1011b433c2 zephyr: flash_map: fix up logging
The Zephyr log backend already prepends the function, so it's
redundant to do it here.

Also convert a stray SYS_LOG_ERR to BOOT_LOG_ERR().

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-03-20 09:00:58 -04:00
Ricardo Salveti 8e4d44d1e4 zephyr: disable clock before reset
Avoid clock related interrupts before jumping into the first image. Safe
to disable as the first application will enable the clock/timer again
once booted.

Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-03-17 15:12:17 -04:00
Andrew Boie c41cb110bd arduino_101: disable some additional options
We won't need the GPIO, timer, or pinmux drivers for
functioning as a bootloader, and some extra exception
debug info has been disabled.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-03-16 15:22:25 -07:00
Marti Bolivar 836768b2da zephyr: fix do_boot() warning on ARM
Commit 7238f51 ("zephyr: add support for x86 booting method")
introduced a backend-specific do_boot() function. On ARM, this casts
to an undefined type 'struct vector_table*'.  Fix this by using the
'struct arm_vector_table*' introduced in that patch.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-03-16 15:14:21 -04:00
Marti Bolivar 77683adc20 Move arduino_101.conf to boot/zephyr/.
It's currently one level down, in boot/zephyr/targets, from the rest
of the .conf files.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-03-16 15:06:20 -04:00
Andrew Boie 7238f511d9 zephyr: add support for x86 booting method
For x86 you just need to jump into the beginning of the image.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-03-15 13:19:31 -07:00
Andrew Boie 91c23f214a zephyr: add arduino_101 demo configuration
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-03-15 10:16:17 -07:00
Andrew Boie 240ac64e83 zephyr: disable multithreading
The bootloader is just using Zephyr as a HAL and doesn't require
thread scheduling. Build Zephyr in single-threaded mode and gain
some footprint savings.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-03-15 10:16:17 -07:00
David Brown e482000015 Merge pull request #21 from ccollins476ad/assert-flash-ops
Assert flash ops
2017-03-14 17:42:35 +01:00
Fabio Utzig 150ea968e2 Add new ECDSA256 flags to design 2017-03-08 11:25:09 -03:00
Christopher Collins 4772ac4464 Assert flash ops succeed during swap.
Previously, the return of boot_swap_sectors() was discarded.  If a flash
operation failed, this information was lost.

Now, boot_swap_sectors() returns void.  Rather than returning a result,
success is asserted for all flash operations during function execution
(boot_copy_sector() and boot_erase_sector()).
2017-02-27 20:10:50 -08:00
Christopher Collins abfd75b144 Remove dead code. 2017-02-27 20:07:51 -08:00
Christopher Collins b9f15794b1 This closes #19.
Merge remote-tracking branch 'd3zd3z/fix-slot0'

* d3zd3z/fix-slot0:
  Fix slot0 validation
2017-02-27 19:54:08 -08:00
David Brown b38e04494b Fix slot0 validation
commit d930ec69c8
    Author: David Brown <david.brown@linaro.org>
    Date:   Wed Dec 14 07:59:48 2016 -0700

        Validate slot zero before booting

adds a feature to validate slot 0 before booting it.  However, there
is an error in the logic, and if the magic number is written to an
invalid value, but not all 0xFF, it will consider any image to be
valid.

Fix this logic so that slot zero is always validated.
2017-02-24 17:31:21 -07:00
David Brown 2e40f35ff9 Merge pull request #17 from mbolivar/misc-fixups
Miscellaneous minor fixups
2017-02-24 17:14:06 -07:00
Marti Bolivar 53cfdb9988 zephyr: fix flash_area_erase()
Flash must be unlocked before it can be erased.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-02-10 15:33:14 -08:00
Michael Scott 72559a4681 zephyr: targets: update flash driver names to use Zephyr CONFIGs
Let's stay in-sync automatically with Zephyr master by referring
to CONFIGs for the flash device names.

Signed-off-by: Michael Scott <michael.scott@linaro.org>
2017-02-10 15:33:14 -08:00
Marti Bolivar a9d55180b0 hal_flash.c: delete obsolete comment
Multiple supported targets (NRF52, K64F) do not support single byte
writes.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-02-10 16:44:41 -05:00
Marti Bolivar 2649aafa55 flash_map: delete obsolete flash_map* declarations
The following declarations are undefined and unused in both simulator
and zephyr builds (96b_nitrogen, 96b_carbon, frdm_k64f):

- flash_map
- flash-map_entries
- flash_map_init()

Delete them.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-02-10 16:44:41 -05:00
Christopher Collins 871054f067 This closes #11.
Merge remote-tracking branch 'd3zd3z/zephyr'

* d3zd3z/zephyr:
  zephyr: Make makefile clearer about configuration
  zephyr: Support RSA, and ECDSA P-256 signing
  bootutil: ecdsa P-256: Fix handling of sizes
2017-02-09 15:25:16 -08:00
Marti Bolivar fd20c7652a bootutil: log the boot source
Use the bootutil_log.h APIs to log the boot source chosen by the
loader, as well as the image trailer state that led it to its
conclusion.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-02-07 16:59:50 -05:00
Marti Bolivar 4a97b4c0b1 boot: zephyr: use bootutil_log.h, not sys_log.h
Now that mcuboot has its own logging subsystem, use that instead.

Note that this changes the domain from "[BOOTLOADER]" to "[MCUBOOT]".

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-02-07 16:59:50 -05:00
Marti Bolivar d652f27470 bootutil: add logging
This patch adds platform-independent logging to bootutil.

When bootutil is compiled as part of an application, the
application environment can provide logging hooks using this
file. Initially, hooks for Zephyr are provided. When built for
simulation or unit testing, the logging macros produce no
code (the ignore.h used by mynewt is used to avoid unused
variable warnings in this case).

Before including this file, users may define BOOT_LOG_LEVEL.  If
they do, it must be one of BOOT_LOG_LEVEL_OFF,
BOOT_LOG_LEVEL_ERROR, ..., BOOT_LOG_LEVEL_DEBUG. This determines
the log level for the current translation unit. If they do not, a
default log level is determined in a target-specific way.

After including bootutil_log.h, the macros BOOT_LOG_ERR(),
BOOT_LOG_WRN(), etc. may be used to log messages. These take
printf-like arguments.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-02-07 16:59:50 -05:00
Marti Bolivar 5e6a1a6245 boot: zephyr: Fix 96b_nitrogen flash alignment
The Zephyr flash driver transparently handles non-word-aligned writes,
but the NRF52's flash write alignment is 4 bytes. Fix that.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-02-03 16:25:14 -08:00
Michael Scott de6ee59daf zephyr: generate multiple records in flash_map when required
Currently, the flash map is a single entry sized to fit the
FLASH_AREA_IMAGE_0_SIZE.  This works for HW where
FLASH_AREA_IMAGE_SCRATCH_SIZE is the same or larger than
FLASH_AREA_IMAGE_0_SIZE.

However, if FLASH_AREA_IMAGE_SCRATCH_SIZE is smaller than
FLASH_AREA_IMAGE_0_SIZE, we need to generate enough write blocks in the
flash_map so that each will fit in FLASH_AREA_IMAGE_SCRATCH_SIZE.

Signed-off-by: Michael Scott <michael.scott@linaro.org>
2017-02-03 16:25:14 -08:00
Michael Scott e12746c4a2 zephyr: flash HAL requires flash_write_protection_set() calls
In Zephyr there is a flash HAL function: flash_write_protection_set()
which for many SoCs is a stubbed function with no functionality,
but for others performs the unlock / lock procedures required before
writing to flash.

We need to add this function to our flash_area_write() wrapper
to support the hardware that requires it.

This fixes mcuboot flash writing for the nRF5x SoCs.

Signed-off-by: Michael Scott <michael.scott@linaro.org>
2017-02-03 16:25:14 -08:00
Michael Scott db8ac52c2d zephyr: fix _scs_relocate_vector_table build break
Zephyr now supports moving the vector table for Cortex M* targets.
Let's remove this code from mcuboot as this has been changed
upstream and breaks mcuboot build.

Signed-off-by: Michael Scott <michael.scott@linaro.org>
2017-02-03 16:25:14 -08:00
David Brown 3869e76090 zephyr: Support RSA, and ECDSA P-256 signing
Make it clear in the top-level Makefile how to configure mcuboot for
Zephyr for a particular signing algorithm.  Currently supported are
RSA signatures and ECDSA with the P-256 curve.  These configuration
lines will select the code built in the bootloader, as well as which
public key gets included with the image.

This also adds a demo public key for the P-256 signatures.
2017-02-02 08:39:18 -07:00
David Brown d930ec69c8 Validate slot zero before booting
Instead of just checking the upgrade image signature, check the
signature on each boot.  This helps to prevent rogue images being flashed
by a means other than the upgrade process.

This feature is controlled by whether BOOTUTIL_VALIDATE_SLOT0 is
defined.
2017-02-02 08:39:00 -07:00
David Brown baff96ff23 bootutil: ecdsa P-256: Fix handling of sizes
The ECDSA signature is written as two DER-encoded INTEGERS.  Although
the values are always 256 bits, the encoding ends up being variable
length, because the encoding is signed, and therefore needs an extra
zero byte to keep the number positive.  This means that the length can
vary by up to two bytes.

The 'newt' tool handles this for signature by allowing space for the
largest encoding, and padding with one or two zeros.  However, the
bootutil image check code insists that the length is exact, resulting in
a decoding error on about 3/4 signatures.

Fix this by only verifying that we have at least enough payload to hold
the signature.  There are later checks that will fail if the integers
themselves are too large.
2017-02-02 08:28:40 -07:00
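As an added illustration of the size issue described in this commit (example code, not mcuboot's own; the `pad_tlv` padding scheme and the function names are assumptions modelled on the message), the block below builds DER-encoded P-256 signatures, shows that they come out as 70, 71 or 72 bytes, and contrasts an exact-length check with the "at least enough payload" check:

```python
"""Added example (not mcuboot code): DER-encoded ECDSA P-256 signatures
have variable length, so an image check that demands an exact TLV length
rejects most valid signatures.  pad_tlv() is an assumed model of a signing
tool that reserves the largest encoding and zero-pads."""
import secrets

MAX_SIG_LEN = 72  # SEQUENCE header (2) + two INTEGERs of at most 2 + 33 bytes


def der_integer(value: int) -> bytes:
    """Encode a non-negative integer as a DER INTEGER (tag 0x02).

    DER INTEGERs are signed: if the top bit of the first content byte is
    set, a leading 0x00 is prepended so the value stays positive.  For a
    256-bit value this happens about half the time (32 or 33 content bytes).
    """
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body


def der_ecdsa_signature(r: int, s: int) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s }: 70, 71 or 72 bytes for P-256."""
    inner = der_integer(r) + der_integer(s)
    return b"\x30" + bytes([len(inner)]) + inner   # short-form length (< 128)


def pad_tlv(sig: bytes) -> bytes:
    """Assumed signing-tool behaviour: the TLV payload is always the size
    of the largest encoding, padded with one or two zero bytes."""
    return sig + b"\x00" * (MAX_SIG_LEN - len(sig))


def der_total_len(payload: bytes) -> int:
    """Total length of the short-form DER SEQUENCE at the start of payload."""
    if len(payload) < 2 or payload[0] != 0x30 or payload[1] >= 0x80:
        raise ValueError("not a short-form DER SEQUENCE")
    return 2 + payload[1]


def strict_check(payload: bytes) -> bool:
    """The buggy check: the DER length must equal the TLV payload length."""
    return der_total_len(payload) == len(payload)


def lenient_check(payload: bytes) -> bool:
    """The fix: the payload only has to be large enough to hold the DER.
    Later parsing still rejects INTEGERs that are too large for the curve."""
    return der_total_len(payload) <= len(payload)


def strict_reject_rate(samples: int = 2000) -> float:
    """Fraction of random 256-bit (r, s) pairs the strict check rejects.

    Only pairs where both r and s need a pad byte fill all 72 bytes, so
    roughly 3/4 of signatures fail the strict check, as the commit notes."""
    rejected = 0
    for _ in range(samples):
        r = secrets.randbits(256)   # constructed sample, not a real signature
        s = secrets.randbits(256)
        if not strict_check(pad_tlv(der_ecdsa_signature(r, s))):
            rejected += 1
    return rejected / samples
```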
Ricardo Salveti e156e57012 zephyr: add target header file for nucleo f401re
Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-26 22:11:19 -02:00
David Brown 9d72546f02 bootutil: Fix issue with align > 1
Some flash devices not only require writes to occur on an `align` byte
boundary, but also require that the writes be done in chunks of this
size as well.  Enhance the sections that write status bytes to write
more than a single status byte.
2017-01-23 16:01:02 -07:00
David Brown 79fdfe5dfc k64f: change flash device name
Recent Zephyr changes the flash device name.  Change to match it.
2017-01-23 16:01:01 -07:00
Ricardo Salveti 7cf3d9ec91 zephyr: use SYS_LOG instead of printk
Easier to manage and can be easily disabled via config.

Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-19 19:51:35 -02:00
Ricardo Salveti a2d5b1ac2d image_rsa: include missing string.h
Avoid warning when using memcmp.

Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-19 19:51:01 -02:00
Ricardo Salveti 3dbf2229e6 boot/zephyr/prj.conf: disable bluetooth support by default
Bluetooth is enabled by default with some boards, so just make sure that
it gets disabled here to avoid having a large bootloader firmware.

Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-19 19:51:01 -02:00
Ricardo Salveti 43fc2cd556 boot/zephyr/prj.conf: remove SOC_FLASH_STM32F4, make it generic
Make it generic and let the SoC itself handle the FLASH driver support
as part of the Zephyr build system.

Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-19 19:51:01 -02:00
Ricardo Salveti 88303ff1da zephyr: targets: add support for 96b_nitrogen
Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-19 10:50:46 -02:00
Ricardo Salveti 3a2c1242f1 zephyr: restructure the build process to use board config files
Move the board specific configurations into their own header file, which
can now be created per board, once it gets tested and validated by the
bootloader.

Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-19 10:26:40 -02:00
Christopher Collins 034a62016d bootutil - Fix warning on 64-bit architectures. 2017-01-11 12:20:22 -08:00
Christopher Collins 0960365ba4 Revert "boot - don't interpret end of image as trailer."
This reverts commit 920fc16b89.

The boot loader records its current state in the form of a pair of image
trailers, each located at the end of the corresponding image slot.  If
an image is so big that it extends into the trailer space of a slot, the
boot loader would read the end of the image and interpret it as the start
of a trailer.  The fix was to determine the size of each image upfront
by reading their headers, and only attempt to read an image's trailer if
the image is small enough that it doesn't extend into the trailer space.
If an image is too big to allow for a trailer, the boot loader fails
over to its "rescue mode": just boot into whatever is in slot 0.

The problem arises when the boot loader reads the image headers.  There
are certain points during a swap when an image header is not in the
expected location.  That is, if the device reboots at the wrong time
during an image swap, the boot loader will fail to read the image
headers when it comes up.

The image sectors are swapped in reverse order.  When a swap is
performed, the final sectors of each slot are swapped first, and the
first sectors (containing the image headers) get swapped last.  During
the final swap operation, there are two points at which the image
headers are not in the expected place:

    1. slot 1 erased; header 1 in scratch area.
    2. slot 0 erased; header 0 in scratch area.

In each case, the image header is not actually missing.  Rather, the
boot loader is just looking in the wrong place.  It should be looking in
the scratch area, not the start of the image slot.

The fix is to revert the original commit.  Now, the boot loader won't
fail when an image header read fails.  It is the user's responsibility
to ensure an image isn't too big.
2017-01-10 15:52:53 -08:00
David Brown e7c66635cf zephyr: Include mbedtls config file
Rather than commit our specific mbedtls config file into the Zephyr
tree, include it here, and add a path early in the make process so that
it will get picked up when building the library.
2017-01-10 09:51:39 -07:00
David Brown 299245d7de zephyr: Move code under 'boot' directory
The Zephyr build system makes some assumptions about the directory
layout, and encounters problems if the necessary path contains "../..".
To help this, place the zephyr directory next to the bootutil directory
so that the Makefile can just refer to "../bootutil".  This keeps all of
the build artifacts under the proper top-level directory.
2017-01-10 09:49:47 -07:00
Christopher Collins 4c2662d811 This closes #1.
Merge remote-tracking branch 'd3zd3z/zephyr'
2017-01-06 14:02:06 -08:00
David Brown 5315d50a0c bootutil: Create Zephyr Makefile
Create a small Makefile for the Zephyr build system to use.
2017-01-06 11:08:03 -07:00
David Brown db1d9d38e2 loader: Remove malloc dependency
Allocate a static tmpbuf instead of calling malloc.  This is the only
direct call to malloc in the code.
2017-01-06 11:07:54 -07:00
Marko Kiiskila bd14468fd8 bootutil; need to include string.h when building for native. 2017-01-05 17:57:51 -08:00
Marko Kiiskila 755daedde9 bootutil; fix issues in parsing signature with ECDSA256. 2017-01-05 17:57:51 -08:00
Marko Kiiskila 8eeba12f2a bootutil; add info about how to create keys for ECC 256. 2017-01-05 17:57:51 -08:00
Marko Kiiskila 351a0b231b boot; drop unnecessary include from image_ec.c. 2017-01-05 17:57:51 -08:00
Marko Kiiskila bf94339025 boot; first cut at adding support for signatures with ECDSA using NIST P-256. 2017-01-05 17:57:46 -08:00
Marko Kiiskila 919eaf4111 signed_images.md; include ECC key generation steps in the doc. 2017-01-05 17:56:50 -08:00
Christopher Collins 920fc16b89 boot - don't interpret end of image as trailer.
This fix handles the case where the image is so big that there is not
room for a trailer.  In this case, the boot loader always boots into
slot 0.
2017-01-05 17:56:50 -08:00
Christopher Collins fd7eb5cc5e MYNEWT-518 - Clean up previous commit.
The previous commit for this ticket left the code in a working state.
However, it was not possible for image management to distinguish between
the test and permanent states.

Now, these two states are indicated by the addition of a new swap type:
BOOT_SWAP_TYPE_PERMANENT.
2017-01-05 17:56:50 -08:00
Christopher Collins 553ba4feb2 MYNEWT-518 Update comments and design doc. 2017-01-05 17:56:50 -08:00
Christopher Collins 0ff3c6c033 MYNEWT-520 boot - Allow incompatible image slots 2017-01-05 17:56:50 -08:00
Christopher Collins 7835c1e4db MYNEWT-518 boot - Allow test+confirm as single act
Currently, to permanently run the alternate image, the boot loader
requires the following sequence:

1. image test <slot-01-hash>
2. reboot
3. image confirm

The new feature is to remove the need for the third step. The user
should be able to permanently switch images with this sequence:

1. image confirm <slot-01-hash>
2. reboot
2017-01-05 17:56:50 -08:00
Marko Kiiskila bf986da2c3 bootutil; update signed_images.md with the new location of bootutil. 2017-01-05 17:56:40 -08:00
Christopher Collins 3569c37894 bootutil tests - Don't assume min-write-sz==1. 2016-12-13 14:52:19 -08:00
Christopher Collins 39a5fa95c3 Move packages into "boot" top-level directory. 2016-12-12 17:51:23 -08:00