This change introduced a few warnings that weren't caught until enabling
simulator builds with these features enabled. Add some simple
workarounds to avoid the warnings.
Signed-off-by: David Brown <david.brown@linaro.org>
Add a macro `IMAGE_RAM_BASE` that will support a simulated device RAM
that can be different per test. This will be zero on targets. Define
an invalid value (3) in the simulator environment. As there are not yet
tests of this configuration, all tests will continue to pass.
Signed-off-by: David Brown <david.brown@linaro.org>
The function `boot_erase_region` is used in some cases when DIRECT_XIP
or RAM_LOAD are defined, however it is specifically not compiled in in
these cases. Correct the ifdefs so this function will be available.
Signed-off-by: David Brown <david.brown@linaro.org>
The MCUBOOT_RAM_LOAD feature supports configurations where code is
loaded from flash into RAM before execution. As such, it is not
necessary for upgrades to move data around in flash.
Signed-off-by: David Brown <david.brown@linaro.org>
In MCUBOOT_RAM_LOAD mode, bootutil_img_hash has some arguments that end
up being unused, which creates warnings. Add these to the list of
variables intentionally unused.
Signed-off-by: David Brown <david.brown@linaro.org>
Change fixes memory alignment of the RAM buffer that is used to
temporarily store data during swap. Some FLASH drivers require
word-aligned input data buffer. Using unaligned buffer results
in FLASH write error.
Signed-off-by: Marek Pieta <Marek.Pieta@nordicsemi.no>
It is required to include "mcuboot_config.h" header for the evaluation
of the MCUBOOT_HAVE_ASSERT_H definition. Otherwise it will implicitly
depend on that header being included somewhere else.
Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
The commit changes direct access to flash_area, and flash_structure,
objects via field names to access via getter functions.
Purpose of this change is to make common code agnostic to internal
implementation of flash_area, and flash_sector, objects.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Treat state of unreachable image device as if it is empty image.
This is required for booting the primary image if it is still available.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Let's distinguish a case when secondary image device has a malfunction
from the case when primary has such.
It might be still possible to boot the primary image.
This makes sense especially if the secondary image resides in an
external flash which might be damaged while SoC is still working.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
To avoid potential errors caused by misconfiguration make sure the
conditionally compiled snippets of code surrounded by the
MCUBOOT_DIRECT_XIP_REVERT macro are only used when direct-xip mode
is selected.
Change-Id: I6178d8186a7ca05887bc7590f5fa0c8f83f3d731
Signed-off-by: David Vincze <david.vincze@arm.com>
When the shared data area is not exclusively used by MCUboot, but also
by other boot stages it is inappropriate to initialize (erase) the
shared area based on a global variable. It must check the magic value
at the beginning of the area plus it should sanity-check other
available values for a case when memory garbage matches the magic
value.
Change-Id: I3a4552ad2863a61d81de9374ef6302ae0609f7bf
Signed-off-by: David Vincze <david.vincze@arm.com>
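The check the commit above describes, as an added illustration that is not MCUboot's own code: the header layout (16-bit magic followed by the total TLV length) and the magic value are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not MCUboot's own code. The header layout and
 * the magic value are assumptions: a 16-bit magic followed by a 16-bit
 * total length of the shared data area, both little-endian. */
#define SHARED_DATA_MAGIC   0x2016u
#define SHARED_DATA_HDR_LEN 4u

/* Return 1 if the area already holds a plausible shared-data header, 0 if it
 * must be (re)initialised. The magic alone is not enough: memory garbage can
 * match it, so the length field is sanity-checked against the area size. */
int shared_area_is_initialised(const uint8_t *area, size_t area_size)
{
    if (area_size < SHARED_DATA_HDR_LEN) {
        return 0;
    }
    uint16_t magic   = (uint16_t)(area[0] | (area[1] << 8));
    uint16_t tot_len = (uint16_t)(area[2] | (area[3] << 8));

    if (magic != SHARED_DATA_MAGIC) {
        return 0;
    }
    /* A valid header accounts for at least itself and never exceeds the area. */
    if (tot_len < SHARED_DATA_HDR_LEN || tot_len > area_size) {
        return 0;
    }
    return 1;
}

/* Initialise (erase) the area only when the check above fails, instead of
 * relying on a global flag that other boot stages cannot see. */
void shared_area_prepare(uint8_t *area, size_t area_size)
{
    if (shared_area_is_initialised(area, area_size)) {
        return;   /* an earlier boot stage already populated it */
    }
    memset(area, 0, area_size);
    area[0] = (uint8_t)(SHARED_DATA_MAGIC & 0xffu);
    area[1] = (uint8_t)(SHARED_DATA_MAGIC >> 8);
    area[2] = (uint8_t)SHARED_DATA_HDR_LEN;   /* empty area: header only */
    area[3] = 0;
}
```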
The commit removes implementation of boot_initialize_area
specific for flash_area_to_sectors, and applies changes to
the flash_area_get_sectors using variant, to make it
alternatively work with flash_area_to_sectors.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The change aligns type of "sector counter" to the type
used for *cnt parameter of flash_area_get_sectors.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Multiple image boot support is implemented for direct-xip and ram-load
strategies. Dependency checking is also added, and for ram-load more
executable ram regions can be set.
Wrapper functions are introduced to all boot strategies.
Change-Id: I59b346277dcb2c17cef4800f1e556b4ea9144845
Signed-off-by: Mark Horvath <mark.horvath@arm.com>
The commit reorganizes logic of the boot_swap_sectors and
the boot_set_pending_multi to use the boot_read_swap_state,
instead of previously used boot_read_swap_state_by_id, to utilize
the flash area object the functions are obtaining.
It also fixes a double flash_area_open that happened implicitly within
the boot_swap_sectors, as it has been calling boot_read_swap_state_by_id
on the FLASH_AREA_IMAGE_SCRATCH, after it has already opened the area.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The fixup_revert has been switched to use boot_read_swap_state,
from boot_read_swap_state_by_id, and no longer needs the ID
parameter. It can now get swap state information by flash_area
object pointer, which is provided as 3rd parameter.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The function itself is not static within bootutil and may be used
to operate on flash areas, for which the flash_area object has
already been obtained.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The variable `rc` is used in `context_boot_go` for a number of operations, mostly checking return codes for an error. It is also used to store the result of comparing the installed application version numbers (using `boot_version_cmp`).
At the end of `context_boot_go`, `rc` is returned as the result of the operation.
In some configurations, namely direct XIP (without revert or any other extra boot checks), it is possible for the comparison result to be the last value of `rc`. In most cases, this will cause `context_boot_go` to report a failure (ie: non-zero return code), as the value of `rc` will be 1 or -1 if the installed applications aren't the same version.
This commit resets the value of `rc` to 0 after the version comparison has taken place.
Fixes #976
Signed-off-by: George Beckstein <george.beckstein@gmail.com>
During fetching of swap-status, scratch was examined unnecessarily
in swap_status_source(). Scratch area shouldn't be needed in this mode.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Add boot_set_pending_multi() and boot_set_confirmed_multi() APIs so
that the user can set the image with given index as pending or confirmed.
Signed-off-by: Sherry Zhang <sherry.zhang2@arm.com>
Change-Id: Ifca04d396b38c6c64581703794071f6b42e9dfbf
This patch is for fixing:
https://github.com/zephyrproject-rtos/zephyr/issues/34683
copy-done flag is used to designate a completely copied image.
It is used to recognize whether it needs to complete image upgrade.
If image is running then:
1) it was already verified and copied by MCUboot,
copy-done flag is set for sure.
2) or it was programmed directly using programming interface.
For case 2) when image contains magic but not copy-done flag it was
impossible to confirm it. This patch removes the need of having copy-done
flag set while confirming. This makes API behavior similar to situation
when the not-padded image was programmed.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
This is a define from Tinycrypt that was being used in the Mbed TLS
EC256 encrypted images implementation so properly define it.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The commit fixes alignment issue in boot_write_trailer, that would
occur in case when input buffer length would be greater than
alignment parameter of flash.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Add Mbed TLS ECDSA signature verification as an option (in addition to
Tinycrypt and the CC310 hardware version). Although the Mbed TLS ECDSA
verification code is both larger and slower, this will still save space
if there is another reason that the Mbed TLS code is already being
brought in for another reason (such as certificate management, for
example).
Mbed TLS's ECDSA verification works at a different level than the other
two libraries, so this takes a bit of reworking. There are some
additional parameters passed to the various functions, and a new define
MCUBOOT_ECDSA_NEED_ASN1_SIG to indicate that the ecdsa verification
wants the original ASN1 signature, not a decoded key.
This adds the boot changes and simulator support to test this configuration.
Signed-off-by: David Brown <david.brown@linaro.org>
The commit adds logic that checks if image, that has IMAGE_F_ROM_FIXED
flag set together with proper address in header, has not been mismatched
with slot.
This code will prevent attempting to boot image that has been built for
different ROM address than a slot it currently resides in.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The IMAGE_F_ROM_FIXED, now supported by imgtool and mcumgr, allows to
use image_header.ih_load_addr to store fixed ROM address information.
The address is provided for Direct-XIP mcuboot to be able to verify
if it can boot an image in given slot, by checking if the address
the image has been built for corresponds to slot address.
This flag is not required to be set within image, in which case
the check will not happen, but is highly desired as it allows mcuboot
to detect images that have been mismatched with slot.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Part of defines which are needed for bootutil_public.c compilation
were moved to separate file, so the bootutil_public library doesn't
need to include cryptographic libraries headers anymore.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Objective for existence of bootutil_public.c is to provide common code
for MCUboot itself and for a chain-loaded application. Therefore
it shouldn't depend on MCUboot exclusive functions or so.
This patch moves missing part of bootutil_private.h to bootutil_private.c
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Modify the function boot_add_data_to_shared_area from static to global
thereby it can be used in the user interface boot_save_shared_data.
Signed-off-by: Sherry Zhang <sherry.zhang2@arm.com>
Change-Id: Ic6a36eb526a0883a156f832942af3138bde86dd6
Added boot_read_image_ok() to public API as reading image_ok
might be used by the chain-loaded application for checking by
image itself its confirmation state.
Additionally extracted common code for determining a trailer flag to
boot_read_flash() function.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Part of code of boot/bootutil/ is re-implemented in zephyr-rtos
repository.
As some code is defined here and there it becomes a problem when it
needs to be included with outstanding feature in a build.
It is possible to mitigate problem using #ifdefry - but this was
rather temporary hack.
This patch introduces new module which is common for MCUBoot build
and application build.
Common code was extracted to bootutil_public.c source file and
bootutil_public.h header.
MCUboot also selects DISABLE_MCUBOOT_BOOTUTIL_LIB_OWN_LOG Kconfig
option, as it must define log configuration on its own for all its
source code.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
In order to allow other projects to include the bootutil files more
easily. Allows renaming and moving of bootutil files without breaking
external projects' file lists (if they include this cmake file instead
of directly listing the files they use). Prevents an issue where
moving/renaming bootutil files breaks the FIH CI test.
Signed-off-by: Raef Coles <raef.coles@arm.com>
Change-Id: Ic982413c6a26ea2039712437f2d511fbe202e1e4
Add an offset parameter to mode ctr so it can be properly used as a
streaming cipher, like required by the flash encryption algorithm.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Avoid memset'ing a buffer that does not hold a secret; it contains
the encryption of the counter.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
If RAM_LOAD is defined then the return value of memcpy() is
always compared against its first parameter. By definition
memcpy() returns with its first parameter (destination) so
the not equal check is always false. The fix replaces this
runtime check with a comma operator assigning 0 to the
variable at build time; as a result the compiler can do
dead code elimination much better.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I8d0d6e68a931661fa19d395556beb20470d74fb1