GPIO_DIR_IN has been replaced by GPIO_INPUT, GPIO_PUD_PULL_UP by
GPIO_PULL_UP, and gpio_pin_read() by gpio_pin_get_raw(). Update the
code to use the preferred API if it available. This avoids
deprecation warnings in the build.
Signed-off-by: Peter Bigot <peter.bigot@nordicsemi.no>
According to our CI:
Redundant 'source "$(ZEPHYR_BASE)/Kconfig.zephyr" in
'boot/zephyr/Kconfig'. Just do 'source "Kconfig.zephyr"'
instead. The $srctree environment variable already points
to the Zephyr root, and all 'source's are relative to it.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Zephyr will soon no longer add the drivers subdirectory of the include
hierarchy to the search path, so references to driver headers must
include the drivers/ prefix.
Signed-off-by: Peter Bigot <peter.bigot@nordicsemi.no>
Depends on 'MCUBOOT_OVERWRITE_ONLY' option since swap info is not protected
by signature
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
To be more robust in the placement of MCUBoot directory,
use the ZEPHYR_BASE env variable to locate
nrfxlib directory.
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Swap without scratch has been tested enough and no obvious bugs (or
"show stopper) bugs seem to exist; so remove [EXPERIMENTAL] and make
it "stable".
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add a missing test which ensures that there is enough free sectors to
perform an upgrade when using the move strategy; this basically checks
that the sectors used by the trailer don't overlap the last sector
required for a move up operation.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add a new option that when enabled, allows a swap status to store
an encrypted key TLV instead of plain keys. When a new swap operation is
started the encryption keys are saved to the swap status area to allow
for resuming (because it is challenging to find those TLV in the middle
of a swap operation).
Previously those keys were saved in plain text, so it would be easy to
dump them if the images were stored in external flash. With this new
option one can choose to save the TLV instead, which uses more flash
but does not leak secrets. The amount of flash required varies depending
on the size of the TLV, which is 48 for AES-128-KW, 512 for RSA and 240
for ECIES-P256.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Avoid jumping into an image while still having encryption keys stored in
RAM, which could then be recovered by the app.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add new bootutil function that returns the size of the status area.
The simulator was updated to remove the custom calculation and get
the size directly from bootutil, avoiding breakages the happen when
both are not in sync.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When using swap withouth scratch, if a revert operation is detected there
is a fixup that needs to be done to avoid losing metadata. This fixup
copied metadata from the primary slot to the secondary slot temporarily.
Previously it was also copying the encrypted image keys but this is not
required since a fixup is only run when starting a new swap where the
keys were loaded directly from the images. This also avoids that a
secondary slot in external flash would leak keys (according to our
threat model).
Signed-off-by: Fabio Utzig <utzig@apache.org>
ECDSA signatures are variable length. They are also encoded as ASN.1.
The ASN.1 parser we use is given the length, and will return a decoding
error if the signature block is not sufficiently long. Instead of
requiring the signature block be padded to the longest possible length a
signature can be, allow them to be their natural length.
This allows image signing tools to be able to generate signatures that
don't have this padding. Along with removing the pad removal code from
the EC224 code, this will allow this code to correctly validate all
signatures, not just 255 out of 256.
Signed-off-by: David Brown <david.brown@linaro.org>
Allow runtime generation of CRT params when not available in the
embedded private key. Also remove parsing/calculation of CRT
parameters when CRT was disabled in the config (mbedTLS does not
use those in this case).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Added sample.yaml which is required for automatic building
mcuboot using zephyr sanitycheck.
Can be run by zephyr sanitycheck locally using
--testcase-root=/path/to/mcuboot/boot/zephyr
to make it detect the sample.yaml added.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
This adds a Kconfig feature CONFIG_BOOT_USE_BENCH, which when enabled
will print the simple benchmarking output as log messages.
Signed-off-by: David Brown <david.brown@linaro.org>
Add a `bootutil/bench.h` file that defines two calls
`boot_bench_start()` and `boot_bench_stop()` along with a type for the
state. These calls can be placed around blocks of code, and with a
properly defined implementation, will print simple performance
information about these operations.
This change merely adds the includes, and the empty implementations that
are used if the bencharking feature is not enabled.
Signed-off-by: David Brown <david.brown@linaro.org>
In zephyr code-base some generic include patches
and defines had been deprecated since a while.
This condition was maintained until zephyr v2.1.0 inclusive.
Recently these deprecated items were removed completely from
the zephyr master branch. Zephyr current SHA of this patch is
e124c1cd34938f02bbe879533c6bd29b5ff53707
This patch switch mcuboot to using most recent items.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
There are a few error messages printed by the boot code. In a normal
platform, these are real errors, and really should print a message.
However, in the simulator, we intentionally create these scenarios, and
these errors only serve to distract from the rest of the test output.
Conditionalize the error prints based on whether we are running in the
simulator.
Signed-off-by: David Brown <david.brown@linaro.org>
* Adds a new level (BOOT_LOG_SIM) to be used only for messages that
are interesting while debugging bootutil in the simulator. This should
be used for extra verbose prints.
* Also added fflushs after fprints to guarantee that messages are printed
even when assertions are raised.
* For abstraction completeness, add "do nothing" definitions of _LOG_SIM
to the other ports.
* Make DEBUG the default level when building the simulator (one can
still lower verbosity using any other value for RUST_LOG).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Fix an issue where an upgrade could fail to execute.
This happened randomly in the "perm_with_fails" test in the simulator;
for it to happen the first reset had to occur just after writing the
metadata to mark the start of a new upgrade, but before any swap happened;
if followed by a new reset happening at a point where the metadata was
erased and rewritten, it would result in an upgrade failure. The images
would still be valid though although in their original slots.
The fix stores the detected boot status source in the state. When
metadata was found in the primary slot we assume a swap has already
started (even though no sector swap has happened) and avoid
erasing/rewriting it.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add Zephyr option to enable building a bootloader that uses an
alternative swap algorithm, that first moves up all sectors in slot1 and
then directly swaps between slot0 and slot1.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add Mynewt option to enable building a bootloader that uses an
alternative swap algorithm, that first moves up all sectors in slot1 and
then directly swaps between slot0 and slot1.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add cap for swap using move and rename old swap upgrade cap to swap
using scratch. Update sim to allow swapping tests to also run using
move.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This implements a swap upgrade that does not use a scratch area. It
works by first moving all sectors in the primary slot up one position,
and then looping on moving sector of index X of the secondary slot to
index X of the primary slot, followed by moving sector X+1 of the
primary slot to X on the secondary slot, for each sector X.
The idea behind this implementation was initially suggested by Jehudi
Maes (@Laczen) and implemented on his own bootloader (ZEPboot).
Signed-off-by: Fabio Utzig <utzig@apache.org>
This moves the functionality that is unique to a scratch based swap
upgrade into a separate file. Later other upgrade strategies can be
added by reimplementing those functions.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The current TLV tag is an unsigned 8-bit integer, that is stored with 8
bits of padding. As the TLV tag is defined to be little endian
(although the code doesn't properly handle this), we can use the 8 bits
of padding as the upper 8-bits, treating the TLV tag as a 16 bit value,
and all existing tags will operate as they did before.
Change the types used throughout the code to represent the TLV to a
`uint16_t`. Change the ANY tag type to `0xffff` instead of `0xff`.
This value is never stored, but will avoid conflicts with any future
allocated tags.
Signed-off-by: David Brown <david.brown@linaro.org>
0e3fa72df4 removed device tree overlay
that is required to flash mcuboot to correct partition and CMake
variable that pointed to it. Restore it.
Do not restore adding "boards/${BOARD}.overlay" to the list since Zephyr
detects this file automatically now - see https://docs.zephyrproject.org/latest/application/index.html#devicetree-overlays
Signed-off-by: Sergey Koziakov <dya.eshshmai@gmail.com>
Don't set the board to qemu_x86 either; that's not right by any means.
Remove dts.overlay and build system logic related to it in
boot/zephyr/CMakeLists.txt. This file was a hack for arduino_101,
which is no longer supported by Zephyr.
Remove all the other DTC_OVERLAY_FILE logic in general while we're
here. Zephyr picks up
${APPLICATION_SOURCE_DIR}/boards/${BOARD}.overlay and uses it as
DTC_OVERLAY_FILE "for free" if DTC_OVERLAY_FILE is unset.
Adjust the minimum CMake version while we're here to account for
Zephyr build system changes.
Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
Remove this workaround. The Kinetis flash driver has supported
FLASH_PAGE_LAYOUT since at least January 2018.
Signed-off-by: David Brown <david.brown@linaro.org>
Only execute serial recovery if valid pin condition is detected
during power up reset or pin reset on nRF devices with RESETREAS
register. This is to prevent going into serial recovery when
waking up from power off mode with the same pin conditions that
is configured to trigger serial recovery.
Signed-off-by: Jon Helge Nistad <jon.helge.nistad@nordicsemi.no>
While doing a revert, the image encryption keys might be saved temporarily
in the scratch area; this is required in situations that we need to swap
one of the last sectors of the primary slot. When this happens, and the
device is interrupted just after restarting the revert swap, bootutil will
try to load the encrypted keys from the primary slot, and possibly use them
in reverted order (image in primary uses key of image in secondary and
vice-versa) which was saved in the test upgrade.
This fixes the issue by reverting the order used to check for the swap
metadata, with scratch being checked before the primary slot.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Use correct macro for the size of a DH shared secret. The previously
used macro had the same size (SHA-256 digest length) but incorrect
semantics.
Signed-off-by: Fabio Utzig <utzig@apache.org>
In overwrite-only mode, the write alignment is not used for much.
Making this a larger value will allow the alignment for a particular
device to be larger than a uint8_t. This will make the trailer size
very large for these devices (and prevent
!defined(MCUBOOT_OVERWRITE_ONLY) from being used), but at least allows
the overwrite only mode to be used on these devices.
Signed-off-by: David Brown <david.brown@linaro.org>
Håkon Øye Amundsen