Add an offset parameter to mode ctr so it can be properly used as a
streaming cipher, like required by the flash encryption algorithm.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Avoid memset'ing a buffer that does not hold a secret; it contains
the encryption of the counter.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
mynewt code calls hal_bsp_init() at start of bootloader.
This may initialize some resources (timer/uart/dma).
mynewt has now hal_bsp_deinit() function that should be called
before application is executed.
This new function allows to stop resources that were started.
This can stop cputimer which was started including enabled
interrupt. This timer interrupt was very likely to fire
for STM devices that has 16 bits timer used, when mcuboot
did not started LSE and application wanted to.
Starting LSE oscillator takes so much time in some cases
that timer interrupt will execute MCU from mcuboot vector
after RAM was already cleared by startup code and that
would lead to crash loop.
Blocking interrupts before starting application would
also help but leaving peripherals in reset state
seems reasonable.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
Update version fields for 1.7.0 release.
Added compatibility note for zephyr-rtos.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
If RAM_LOAD is defined then the return value of memcpy() is
always compared against its first parameter. By definition
memcpy() returns with its first paramter (destination) so
the not equal check is always false. The fix replaces this
runtime check with a comma operator assigning 0 to the
variable at build time, as a result compiler can be done
dead code elimination much better.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I8d0d6e68a931661fa19d395556beb20470d74fb1
BOOT_DIRECT_XIP_REVER enable code which shall only be enabled
while BOOT_DIRECT_XIP=y.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Sim and Mynewt workflows were only running on pull requests, while they
should also run when new commits are pushed to master.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Fix workflows names on yaml root to be able to use them to refer to the
workflow. Add badges for pypi, workflows and license.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Add scripts that can run instruction skip FIH tests on QEMU.
Co-authored-by: Raef Coles <raef.coles@arm.com>
Change-Id: Ia6da00174115e1dabaf84fdfc0e40476dc1b7a10
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
Build MCUBoot with TF-M build system for AN521 platform, and run it in
QEMU. The result of the test run is not evaluated yet.
Change-Id: I5fbfef8e6d8dec99a8e3e00d659a07ccfcaf0b5b
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
Disable imgtool publishing on Travis; update scripts to work on both
Travis and GH; add GH workflow for publishing.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Add configuration and DTS overlays to run MCUboot + smp_svr on the
nrf52840dk using the secondary slot in the external QSPI NOR flash.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
TinyCrypt uses a modified version of micro-ecc that is also used by the Mbed Cordio BLE stack. When building mcuboot for a target with BLE enabled, this causes multiple-defined symbol errors during linking. Due to the nature of Mbed's current build system, it is difficult to fix this.
Mbed will soon release a more flexible cmake-based build system that will make it possible to exclude these TinyCrypt files from an application build that may also link Cordio BLE sources.
Until then, this commit temporarily disables the use of TinyCrypt with Mbed-OS and excludes its sources from the build to avoid this build error.
Signed-off-by: George Beckstein <becksteing@embeddedplanet.com>
This commit reverts the addition of an mbed-os.lib file introduced with the Mbed-OS port. Mbed-OS build tools use .lib files to pull in additional dependencies automatically with a single command. The intended usage of mcuboot with mbed-os is to clone mcuboot *next to* mbed-os, rather than mbed-os inside mcuboot.
Signed-off-by: George Beckstein <becksteing@embeddedplanet.com>
This PR provides a porting layer implementation and framework for building an mcuboot-based bootloader with Mbed-OS. Some symbols are not provided by the Mbed-OS port within mcuboot, namely:
- The secondary storage device (see below)
- The signing keys
- The encryption keys, if used
Use of this port is demonstrated by the following projects:
- https://github.com/AGlass0fMilk/mbed-mcuboot-demo (a complete mcuboot/Mbed-OS-based bootloader)
- https://github.com/AGlass0fMilk/mbed-mcuboot-blinky (example showing how to make an Mbed-OS application that is bootable by mcuboot)
Memory porting implementation:
The underlying implemenation uses Mbed's BlockDevice API as the storage backend for mcuboot's memory operations. This provides a very flexible way of configuring the location and layout of the secondary flash storage area. To build an mcuboot-based bootloader with Mbed-OS, the user must implement a hook function, mbed::BlockDevice* get_secondary_bd(), to provide the secondary BlockDevice that mcuboot will use.
The signing and encryption keys must also be provided by the user. They can be generated using the existing imgtool utility in the same manner used by Zephyr. There are no automated build steps currently provided by Mbed-OS to sign/encrypt build artifacts.
Known limitations:
The update candidate encryption features have not yet been fully tested. A truly secure implementation will require integration with Mbed's TRNG API in the future to inhibit side-channel attacks on the decryption process.
The TinyCrypt backend is currently only supported for Mbed-OS builds when building with the GCC toolchain. The new cmake-based Mbed-OS build system will fix the underlying issue (file name uniqueness).
Signed-off-by: George Beckstein <becksteing@embeddedplanet.com>
Signed-off-by: Evelyne Donnaes <evelyne.donnaes@arm.com>
Signed-off-by: Lingkai Dong <lingkai.dong@arm.com>
Co-authored-by: Lingkai Dong <lingkai.dong@arm.com>
Co-authored-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
This patch adds comments to reserve off a portion of the available TLV range
for use by vendors for proprietary TLV types.
Signed-off-by: Andy Gross <andy.gross@juul.com>
The 'revert' mechanism in direct-xip is similar to the one in swap mode.
It requires the trailer magic to be added to the signed image. When a
reboot happens without the image being confirmed at runtime (without the
image_ok flag being set), the bootloader considers the image faulty and
erases it. After this it will attempt to boot the previous image
instead. The images can also be made permanent (marked as confirmed in
advance) just like in swap mode.
Change-Id: Ibde9361d4a7302dd8efbb277b691b71eca0ca877
Signed-off-by: David Vincze <david.vincze@linaro.org>
After modifying the CONTROL register, ISB function should be
used to ensure the effect of the change applies to
subsequent code.
Due to the simple nature of the Cortex-M3, Cortex-M4, Cortex-M0+,
Cortex-M0, and Cortex-M1 pipeline,
omission of the ISB instruction does not cause any problem.
But might cause problem on a more advanced core.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
A previous fix for allowing padded images in the primary slot, ended up
causing an issue that would fail to upgrade under the right
circumstances. The issue was caused when the following set of steps
happened after an upgrade was detected:
1) trailer is erased on the primary slot
2) status is written to the primary slot
3) trailer is erased on the secondary slot
4) reset
1) trailer is erased on the primary slot
2) status partially written or not written to primary slot (no magic)
3) reset
This would result in images stored in the same slots they were
initially, aka no upgrade, which would fail the simulator test for
upgraded images.
The previous padded images fix was reverted and the status source was
upgraded to also check that the secondary slot has a valid magic in it,
so that there's never a circumstance where there is no trailer in any
of the slots while an upgrade operation is being decided on.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Clean up the ARM core configuration only when
the CONFIG_MCUBOOT_CLEANUP_ARM_CORE is selected.
This involves cache and stack pointer limit registers.
Add also an MPU cleanup in platforms with the ARM MPU
supported.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Zephyr has introduced an option to perform the cleanup
of ARM core HW registers during early boot, when the
firmware is chain-loaded by MCUboot. Therefore, MCUboot
does not need to perform the same cleanup before jumping
to the application image. The patch relies on the fact
that building MCUboot with Zephyr implies loading also
a Zephyr-based application firmware. If this is not the
case, the application developer needs to enable the
MCUBOOT_CLEANUP_ARM_CODE Kconfig option manually, in the
project configuration.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The IAR toolchain does not handle the "%=" template. Emulate it with
a combination of __LINE__ and __COUNTER__
Signed-off-by: TTornblom <thomas.tornblom@iar.com>
This contains fixes for CC310 for nRF devices using the nrfxlib.
Removed some const for compilation warnings and added `NUM_ECC_BYTES`
define.
Signed-off-by: Sigvart Hovland <sigvart.m@gmail.com>
The function was made week so zephyr-rtos implementation
will be used if available.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
For some configurations, eg CONFIG_BOOT_DIRECT_XIP=y, fih_rc might
never be initialized; initialize and fix warning.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
The last data packet might be non aligned to multiple of
the flash write-block-size. This cause that the `image upload`
mcumgr command mighty fail if the device flash driver doesn't
support one-byte write-block-size.
This patch complements the last write operation to aligned chunk
so it meet the requirements.
Added check for ensure than received data chunk doesn't
cross expected image size.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Some design.md content is causing build errors when they are included
in a .rst based documentation tree in Sphinx.
Adjust the format to make it work in both systems.
Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no>
Enables BOOT_ERASE_PROGRESSIVELY for Nordic nRF boards.
This fixes issue where mcumgr upload command would result in
device being deleted, but no new image being uploaded
due to timeout while waiting for erase operation.
This avoids a delay of several seconds during firmware upload.
Signed-off-by: Bernt Johan Damslora <bernt.johan.damslora@nordicsemi.no>
Signed-off-by: Emil Obalski <emil.obalski@nordicsemi.no>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no>
Fabio Utzig