Commit Graph

132 Commits

Author SHA1 Message Date
Marti Bolivar fd20c7652a bootutil: log the boot source
Use the bootutil_log.h APIs to log the boot source chosen by the
loader, as well as the image trailer state that led it to its
conclusion.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-02-07 16:59:50 -05:00
Marti Bolivar 4a97b4c0b1 boot: zephyr: use bootutil_log.h, not sys_log.h
Now that mcuboot has its own logging subsystem, use that instead.

Note that this changes the domain from "[BOOTLOADER]" to "[MCUBOOT]".

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-02-07 16:59:50 -05:00
Marti Bolivar d652f27470 bootutil: add logging
This patch adds platform-independent logging to bootutil.

When bootutil is compiled as part of an application, the
application environment can provide logging hooks using this
file. Initially, hooks for Zephyr are provided. When built for
simulation or unit testing, the logging macros produce no
code (the ignore.h used by mynewt is used to avoid unused
variable warnings in this case).

Before including this file, users may define BOOT_LOG_LEVEL.  If
they do, it must be one of BOOT_LOG_LEVEL_OFF,
BOOT_LOG_LEVEL_ERROR, ..., BOOT_LOG_LEVEL_DEBUG. This determines
the log level for the current translation unit. If they do not, a
default log level is determined in a target-specific way.

After including bootutil_log.h, the macros BOOT_LOG_ERR(),
BOOT_LOG_WRN(), etc. may be used to log messages. These take
printf-like arguments.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-02-07 16:59:50 -05:00
Sterling Hughes 500705efce update link format 2017-02-07 13:28:09 -08:00
Sterling Hughes b6903ece2a update README 2017-02-07 13:12:19 -08:00
Christopher Collins cf18a03fe0 MCUB-3 Add sample Mynewt boot app. 2017-02-06 15:10:45 -08:00
David Brown 49aa88680e doc: Initial Zephyr build docs
Create a small document to describe how to build and use mcuboot for
Zephyr.
2017-02-06 08:10:16 -07:00
David Brown 5e1d8f9d5d doc: Add a note to imgtool docs
Because of branch, and https server configuration issues, the plain 'go
get' instructions to build imgtool don't work.  Add a note to the README
file for imgtool and give some instructions on how to manually clone the
necessary git repositories.
2017-02-06 08:10:16 -07:00
David Brown 58c19dd389 Merge pull request #8 from Hashcode/master
zephyr: small fixes
2017-02-03 17:30:34 -07:00
Marti Bolivar 5e6a1a6245 boot: zephyr: Fix 96b_nitrogen flash alignment
The Zephyr flash driver transparently handles non-word-aligned writes,
but the NRF52's flash write alignment is 4 bytes. Fix that.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-02-03 16:25:14 -08:00
Michael Scott de6ee59daf zephyr: generate mutliple records in flash_map when required
Currently, the flash map is a single entry sized to fit the
FLASH_AREA_IMAGE_0_SIZE.  This works for HW where
FLASH_AREA_IMAGE_SCRATCH_SIZE is the same or larger than
FLASH_AREA_IMAGE_0_SIZE.

However, if FLASH_AREA_IMAGE_SCRATCH_SIZE is smaller than
FLASH_AREA_IMAGE_0_SIZE, we need to generate enough write blocks in the
flash_map so that each will fit in FLASH_AREA_IMAGE_SCRATCH_SIZE.

Signed-off-by: Michael Scott <michael.scott@linaro.org>
2017-02-03 16:25:14 -08:00
Michael Scott e12746c4a2 zephyr: flash HAL requires flash_write_protection_set() calls
In Zephyr there is a flash HAL function: flash_write_protection_set()
which for many SoCs is a stubbed function with no functionality,
but for others performs the unlock / lock procedures required before
writing to flash.

We need to add this function to our flash_area_write() wrapper
to support the hardware that requires it.

This fixes mcuboot flash writing for the nRF5x SoCs.

Signed-off-by: Michael Scott <michael.scott@linaro.org>
2017-02-03 16:25:14 -08:00
Michael Scott db8ac52c2d zephyr: fix _scs_relocate_vector_table build break
Zephyr now supports moving the vector table for Corext M* targets.
Let's remove this code from mcuboot as this has been changed
upstream and breaks mcuboot build.

Signed-off-by: Michael Scott <michael.scott@linaro.org>
2017-02-03 16:25:14 -08:00
Christopher Collins 4443f9a3f2 This closes #12.
Merge remote-tracking branch 'd3zd3z/verify0'

* d3zd3z/verify0:
  Validate slot zero before booting
2017-02-02 15:51:18 -08:00
David Brown 8322c301e3 zephyr: Make makefile clearer about configuration
Separate the signature selection blocks, so that it is clearer to add
another config option for the boot verification.
2017-02-02 08:39:18 -07:00
David Brown 3869e76090 zephyr: Support RSA, and ECDSA P-256 signing
Make it clear in the top-level Makefile how to configure mcuboot for
Zephyr for a particular signing algorithm.  Currently supported, are the
RSA signatures, and ECDSA with the P-256 curve.  These configuration
lines will select the code built in the bootloader, as well as which
public key gets included with the image.

This also adds a demo public key for the P-256 signatures.
2017-02-02 08:39:18 -07:00
David Brown d930ec69c8 Validate slot zero before booting
Instead of just checking the upgrade image signature, check the
signature on each boot.  This helps to prevent rogue images being flash
by a means other than the upgrade process.

This feature is controlled by whether BOOTUTIL_VALIDATE_SLOT0 is
defined.
2017-02-02 08:39:00 -07:00
David Brown baff96ff23 bootutil: ecdsa P-256: Fix handling of sizes
The ECDSA signature is written as two DER-encoded INTEGERS.  Although
the values are always 256 bits, the encoding ends up being variable
length, because the encoding is signed, and therefore needs an extra
zero byte to keep the number positive.  This means that the length can
vary by up to two bytes.

The 'newt' tool handles this for signature by allowing space for the
largest encoding, and padding with one or two zeros.  However, the
bootutil image check code insists that the length is exact, resulting in
a decoding error on about 3/4 signatures.

Fix this by only verifying that we have at least enough payload to hold
the signature.  There are later checks that will fail if the integers
themselves are too large.
2017-02-02 08:28:40 -07:00
Christopher Collins f8a8bb926e This closes #10.
Merge remote-tracking branch 'd3zd3z/imgtool'

* d3zd3z/imgtool:
  imgtool: Add support for RSA keys
  imgtool: Add support for P-224
  imgtool: Create simple signing tool
2017-02-01 14:35:19 -08:00
David Brown 3c1a744658 imgtool: Add support for RSA keys
Add the possibility of "rsa-2048" as a "--key-type" argument to the
keygen command.
2017-02-01 14:49:54 -07:00
David Brown c20a027a80 Merge pull request #9 from rsalveti/zephyr_add_nucleo_f401re
zephyr: add target header file for nucleo f401re
2017-01-31 16:20:36 -07:00
David Brown 6b0df8103a imgtool: Add support for P-224
The --key-type (-t) parameter to keygen allows (requires) the user to
specify the type of key to generate.  This now supports "ecdsa-p224" and
"ecdsa-256".  Note that the curve must match the one coded into the
bootloader.
2017-01-31 13:38:34 -07:00
David Brown 039649548c imgtool: Create simple signing tool
The imgtool is a simple image signing tool based on the libraries in the
`newt` tool, but appropriate for images that live outside of a Mynewt
project.

This initial version is able to generate, extract public keys from, and
sign ECDSA P-256 keys.  The signing tool is also able to add an image
trailer to mark this image for upgrade.
2017-01-31 09:00:45 -07:00
Ricardo Salveti e156e57012 zephyr: add target header file for nucleo f401re
Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-26 22:11:19 -02:00
Christopher Collins 4a293ea75f This closes #6.
Merge remote-tracking branch 'd3zd3z/big-align'

* d3zd3z/big-align:
  bootutil: Fix issue with align > 1
  sim: Set version numbers in images
  sim: Add some debug code to dump images
  sim: Write image_ok properly
  sim: pad images to alignment
  sim: Make misaligned writes panic
  sim: Be consistent about flash alignment
  sim: Verify write alignment
  sim: Add the K64fBig target
  k64f: change flash device name
  scripts: Allow image version number
  scripts: Remove .pyc file from repo
  Add some simple scripts for signing/flashing
2017-01-23 16:35:52 -08:00
David Brown 9d72546f02 bootutil: Fix issue with align > 1
Some flash devices not only require writes to occur on an `align` byte
boundary, but also require that the writes be done in chunks of this
size as well.  Enhance the sections that write status bytes to write
more than a single status byte.
2017-01-23 16:01:02 -07:00
David Brown e380fa6e30 sim: Set version numbers in images
To make the images easier to identify during analysis, set the version
number.  The major number tries to be set to the slot number, and the
build number is the byte offset.
2017-01-23 16:01:02 -07:00
David Brown 163ab23340 sim: Add some debug code to dump images
The code is commented out, but can easily be uncommented to allow the
various images to be dumped out for external analysis.
2017-01-23 16:01:02 -07:00
David Brown 75e16d6900 sim: Write image_ok properly
With stricter checking of alignment, always write the image ok flag as a
group of 'align' bytes.
2017-01-23 16:01:02 -07:00
David Brown 74cc14c31e sim: pad images to alignment
Adjust the image sizes up to a multiple of 8.  With the strict checking
in the flash driver, we aren't allowed to write partial lines.
2017-01-23 16:01:02 -07:00
David Brown f253fa815c sim: Make misaligned writes panic
To make things a little easier to debug, change misaligned writes to
panics, so that the debugger can more easily intercept them.
2017-01-23 16:01:01 -07:00
David Brown 5acda26f88 sim: Be consistent about flash alignment
The flash API has two calls that can return the device alignment.  Fix
this so that both calls return the same alignment.
2017-01-23 16:01:01 -07:00
David Brown 562a7a05d4 sim: Verify write alignment
When an alignment greater than one is specified, enforce this in the
simulated flash driver.
2017-01-23 16:01:01 -07:00
David Brown 90c1913c13 sim: Add the K64fBig target
This target simulates running with pretend large sectors on a device
that really has small sectors.
2017-01-23 16:01:01 -07:00
David Brown 79fdfe5dfc k64f: change flash device name
Recent Zephyr changes the flash device name.  Change to match it.
2017-01-23 16:01:01 -07:00
David Brown 06446dda2c scripts: Allow image version number
Add an --image-version argument to zep2newt.py to allow the major
version number to be set.  This helps make testing easier by having
differing version numbers.
2017-01-23 16:01:01 -07:00
David Brown adec29ebe5 scripts: Remove .pyc file from repo
Add *.pyc to the .gitignore, and remove the file that got mistakenly
checked in.
2017-01-23 15:56:39 -07:00
David Brown 22a6fe32d3 Add some simple scripts for signing/flashing
These are some simple scripts for signing images (with an example with a
hardcoded path), a fixed root key that matches the one checked into the
code, and a few scripts to use the Segger debugger to flash the images.
2017-01-23 15:56:39 -07:00
Christopher Collins 7469e70c20 This closes #5.
Merge remote-tracking branch 'rsalveti/zephyr-updates'

* rsalveti/zephyr-updates:
  zephyr: use SYS_LOG instead of printk
  image_rsa: include missing string.h
  boot/zephyr/prj.conf: disable bluetooth support by default
  boot/zephyr/prj.conf: remove SOC_FLASH_STM32F4, make it generic
  zephyr: targets: add support for 96b_nitrogen
  zephyr: restructure the build process to use board config files
2017-01-20 08:24:25 -08:00
Ricardo Salveti 7cf3d9ec91 zephyr: use SYS_LOG instead of printk
Easier to manage and can be easily disabled via config.

Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-19 19:51:35 -02:00
Ricardo Salveti a2d5b1ac2d image_rsa: include missing string.h
Avoid warning when using memcmp.

Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-19 19:51:01 -02:00
Ricardo Salveti 3dbf2229e6 boot/zephyr/prj.conf: disable bluetooth support by default
Bluetooth is enabled by default with some boards, so just make sure that
it gets disabled here to avoid having a large bootloader firmware.

Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-19 19:51:01 -02:00
Ricardo Salveti 43fc2cd556 boot/zephyr/prj.conf: remove SOC_FLASH_STM32F4, make it generic
Make it generic and let the SoC itself handle the FLASH driver support
as part of the Zephyr build system.

Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-19 19:51:01 -02:00
Ricardo Salveti 88303ff1da zephyr: targets: add support for 96b_nitrogen
Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-19 10:50:46 -02:00
Ricardo Salveti 3a2c1242f1 zephyr: restructure the build process to use board config files
Move the board specific configurations into its own header file, which
can now be created per board, once it gets tested and validated by the
bootloader.

Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
2017-01-19 10:26:40 -02:00
Christopher Collins 034a62016d bootutil - Fix warning on 64-bit architectures. 2017-01-11 12:20:22 -08:00
Christopher Collins 4c3ce3f70e This closes #4.
Merge remote-tracking branch 'd3zd3z/sim' into mcuboot-master

* d3zd3z/sim:
  sim: Fix build paths for new directory layout
  sim: Test multiple reverts
  sim: Add dependency output
2017-01-10 17:29:29 -08:00
Christopher Collins 0960365ba4 Revert "boot - don't interpet end of image as trailer."
This reverts commit 920fc16b89.

The boot loader records its current state in the form of a pair of image
trailers, each located at the end of the corresponding image slot.  If
an image is so big that it extends into the trailer space of a slot, the
boot loader would read the end of the image and interpet it as the start
of a trailer.  The fix was to determine the size of each image upfront
by reading their headers, and only attempt to read an image's trailer if
the image is small enough that it doesn't extend into the trailer space.
If an image is too big to allow for a trailer, the boot loader fails
over to its "rescue mode": just boot into whatever is in slot 0.

The problem arises when the boot loader reads the image headers.  There
are certain points during a swap when an image header is not in the
expected location.  That is, if the device reboots at the wrong time
during an image swap, the boot loader will fail to read the image
headers when it comes up.

The image sectors are swapped in reverse order.  When a swap is
performed, the final sectors of each slot are swapped first, and the
first sectors (containing the image headers) get swapped last.  During
the final swap operation, there are two points at which the image
headers are not in the expected place:

    1. slot 1 erased; header 1 in scratch area.
    2. slot 0 erased; header 0 in scratch area.

In each case, the image header is not actually missing.  Rather, the
boot loader is just looking in the wrong place.  It should be looking in
the scratch area, not the start of the image slot.

The fix is to revert the original commit.  Now, the boot loader won't
fail when an image header read fails.  It is the user's responsibility
to ensure an image isn't too big.
2017-01-10 15:52:53 -08:00
David Brown dc1964c0a6 sim: Fix build paths for new directory layout
The zephyr sources have moved to a different directory.  Adjust the
build script to fix the paths referenced.
2017-01-10 16:45:05 -07:00
David Brown c638f799a0 sim: Test multiple reverts
Make sure reboots after an image is reverted never results in the images
being swapped again.
2017-01-10 16:43:07 -07:00