Commit Graph

2324 Commits

Author SHA1 Message Date
Andrej Butok 1c47465cd1 boot: zephyr: use EXTRA_CONF_FILE instead of deprecated OVERLAY_CONFIG
Use EXTRA_CONF_FILE that replaced OVERLAY_CONFIG
since the Zephyr v3.4 release.

Signed-off-by: Andrej Butok <andrey.butok@nxp.com>
(cherry picked from commit 5c21093af5)
2024-11-04 14:28:55 +00:00
Andrej Butok 8e8ecd916f boot: zephyr: Fix serial recovery for NXP IMX.RT platforms
Serial recovery failed for NXP IMX.RT platforms
unless BOOT_ERASE_PROGRESSIVELY is set.

Signed-off-by: Andrej Butok <andrey.butok@nxp.com>
(cherry picked from commit a91a61564a)
2024-11-04 14:28:52 +00:00
Andrej Butok 52c7231add boot: zephyr: Fix Warning 'boot_serial_enter defined but not used'
Fix possible warning "boot_serial_enter defined but not used".

Signed-off-by: Andrej Butok <andrey.butok@nxp.com>
(cherry picked from commit a967c66ed0)
2024-11-04 14:28:50 +00:00
Andrej Butok a58d902659 zephyr: hello_world: Fix the main() return type warning
Fixes the "return type of 'main' is not 'int'" warning.

Signed-off-by: Andrej Butok <andrey.butok@nxp.com>
(cherry picked from commit a5e3d16326)
2024-11-04 14:28:47 +00:00
Thomas Altenbach 50b7b9ee2c bootutil: Fix AES and SHA-256 contexts not zeroized with mbedTLS
For some reason, the calls to mbedtls_aes_free, mbedtls_nist_kw_free and
mbedtls_sha256_free_drop were commented out which means the AES and
SHA-256 contexts were not properly de-initialized after usage when
mbedTLS is used. In the case of AES-KW it seems that might lead to a
memory leak depending on the mbedTLS configuration, but in any case and
independently of the mbedTLS configuration, this leads to the contexts
not being zeroized after usage.

Not zeroizing a context means it stays in RAM an undefined amount of
time, which might enable an attacker to access it and to dump the
sensitive data it contains.

Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>
(cherry picked from commit 5d5f04923f)
2024-11-04 14:28:43 +00:00
Jamie McCrae 9b1b95c17f ci: Fix zephyr workflow
Updates the upload artifact version

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 84b56b6111)
2024-11-04 14:28:40 +00:00
Jamie McCrae 809b0e42fe bootutil: Add better mode selection checks
Improves the mode selection checks to prevent selecting multiple
conflicting modes as has been seen in TFM

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 43a49a3b92)
2024-11-04 14:28:38 +00:00
Fabio Utzig 0fe7ffd803 ci: Fix FIH Docker image release usage
The scripts for fih tests install and run were running different
versions of the docker images, since the install specified a version and
no version was specified for run, defaulting to `latest`.

This commit adds a new file for specifying the docker image to be used.

Signed-off-by: Fabio Utzig <utzig@apache.org>
(cherry picked from commit 4619da5660)
2024-11-04 14:28:34 +00:00
Fabio Utzig a990c6b66a ci: Update FIH docker to Ubuntu Jammy (22.04)
- Ubuntu Jammy brings CMake 3.22.1 required by newer TFM builds.
- Python requirements were updated following requirements in TFM.
- Added git configuration to ignore repo ownership checks (since 2.35.3).

Signed-off-by: Fabio Utzig <utzig@apache.org>
(cherry picked from commit a6ae770df6)
2024-11-04 14:28:31 +00:00
Jamie McCrae 03d1a443dc boot: zephyr: board: Fix nrf54l15pdk Kconfig fragment
Fixes an issue with this file as it was wrongly disabling QSPI
NOR, which the hardware does not support, when it should have been
disabling SPI NOR

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 651775b550)
2024-11-04 14:28:27 +00:00
Mahesh Mahadevan 323eb8d1e7 boot: zephyr: MCXN947 currently only does not support swap mode
Update the configuration to remove swap mode support.
MCXN94x ROM Flash API supports writing of 128 bytes page.

Signed-off-by: Mahesh Mahadevan <mahesh.mahadevan@nxp.com>
(cherry picked from commit a3762626f8)
2024-11-04 14:28:24 +00:00
Lluis Campos 0a88733ddd boot_serial: Fix `format` warning
By explicitly casting to unsigned int.

Signed-off-by: Lluis Campos <lluis.campos@northern.tech>
(cherry picked from commit 52e2afc2f8)
2024-11-04 14:28:21 +00:00
Lluis Campos 157547c889 boot_serial: Fix `incompatible-pointer-types` warning
The variable `rc` was declared as int and then implicitly cast to
`size_t` when passed to `base64_decode`, which on 64 bit architectures
is wrong.

Signed-off-by: Lluis Campos <lluis.campos@northern.tech>
(cherry picked from commit dd4d6541c8)
2024-11-04 14:28:18 +00:00
Jamie McCrae 60ac682a12 bootutil: loader: Verify image header before checking image
Changes the order of operations to validate the image header
before checking the image, it does not make sense to check the
image if the header itself is invalid

Note: This PR has been modified from the upstream commit due to
a merge failure from other changes that are not being brought into
Zephyr 3.7

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 2939d30545)
2024-11-04 14:28:09 +00:00
Sylvio Alves 1cd53982e1 boot: main: avoid unused build warning
In case ESP32 SoC is used, *start will get
build warning as it is not used.

Signed-off-by: Sylvio Alves <sylvio.alves@espressif.com>
(cherry picked from commit 334d2c28f6)
2024-11-04 14:27:56 +00:00
Jamie McCrae 587289d650 bootutil: Fix missing include
Fixes a missing include in the header

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 034f58cbf1)
2024-11-04 14:27:53 +00:00
Jamie McCrae 610b8e2b1b bootutil: Fix swap move max app size calculation
This calculation failed to take into consideration the additional
sector needed for the swap move part of the upgrade process

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit e2e1e945fa)
2024-11-04 14:27:50 +00:00
David Vincze a4800ce0cf imgtool: Add missing encodings to emitter tests
Signed-off-by: David Vincze <david.vincze@arm.com>
Change-Id: Iff37cb62514b181a30f5537d6692d55e3d9c73ed
(cherry picked from commit f763c5ffee)
2024-11-04 14:27:47 +00:00
Rustam Ismayilov 80397e0f28 imgtool: Fix getpub fails for ed25519 key
Fix getpub command fails to emit public pair of ed25519 key with
encoding.

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: I3d255f576b2d8a8d0cbc8e31ff378717acb060c7
(cherry picked from commit ef598b13b5)
2024-11-04 14:27:44 +00:00
Jamie McCrae e29a123de8 docs: release-notes: Add note on name clash fix
Adds a note about the name clash fix for zephyr

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 078874fbf0)
2024-11-04 14:27:41 +00:00
Jamie McCrae a375a14d87 zephyr: Fix issue with sysbuild if something else is named mcuboot
Fixes an issue which can occur in tests whereby an application
has the name mcuboot but is not mcuboot itself

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 8456464c04)
2024-11-04 14:27:39 +00:00
Fabio Utzig 77b03c7fe7 Fix style issues
Convert tab to spaces; fix opening brace position.

Signed-off-by: Fabio Utzig <utzig@apache.org>
(cherry picked from commit d5e0e89568)
2024-11-04 14:27:31 +00:00
Dominik Ermel 35bf48c5b7 boot: Change boot_enc_load to take slot number instead of image
In all cases where boot_enc_load is called it is known what slot
is addressed, so it is better to just pass the slot number
instead of making the boot_enc_load figure out slot number from
image index and provided flash area object.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 7f9ac97951)
2024-11-04 14:27:23 +00:00
Jamie McCrae 9083649931 docs: release-notes: Add note on fixed zephyr RAM load address
Adds a note about this fix

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 71120e4224)
2024-11-04 14:27:17 +00:00
Jamie McCrae 24de0fbc7c boot: zephyr: Fix RAM load chain load address
Fixes showing the wrong address when booting a RAM load image

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 7fc3ad3d0b)
2024-11-04 14:24:48 +00:00
Rustam Ismayilov 197287cea1 imgtool: Bump cryptography library version
Update requirements.txt to support PrivateKeyType and
PublicKeyType which are available in cryptography library since
version 40.0.0 and prevent failing CI jobs in upcoming changes.

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: I94b888d64c2f33ccb829912491e3b8c44b9cc2b2
(cherry picked from commit 49976dc678)
2024-11-04 14:24:00 +00:00
Dominik Ermel 7566edaf88 boot: Move encryption context invalidation to boot_enc_drop.
The enc_key_data.valid had been set to true when key has been added
to the encryption context, but in case when boot_enc_drop was called,
on the same context, the flag remained true, even though the context
may no longer hold any valid context nor key.
The commit moves the enc_key_data invalidation to enc_key_drop.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 335573520d)
2024-11-04 14:23:56 +00:00
Dominik Ermel 86b1ef198b boot: Rename boot_enc_decrypt to boot_decrypt_key
All of boot_enc_ functions follow the same pattern where
they take encryption context as the first parameter, and the
boot_enc_decrypt stands out here as it does not work around
the encryption context, but is rather single-part decryption
function only used for decrypting of the image encryption
key.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 2371c0aa7f)
2024-11-04 14:23:53 +00:00
Hudson C. Dalpra 597a1996d5 boot: boot_serial: change logging to debug level
Update the log level for RX and TX messages from INFO to DEBUG to reduce
clutter in the serial interface logs. This change helps in keeping the
output cleaner and focuses on more critical information by default.

Signed-off-by: Hudson C. Dalpra <hudson@bduncanltd.com>
(cherry picked from commit 4b9d07dc4f)
2024-11-04 14:23:50 +00:00
Andrej Butok 2fa42bface doc: readme-zephyr: fix the scratch partition example
It tells about adding the 24KB scratch partition,
not about storage partition.
Updates the used path to HWMv2.

Signed-off-by: Andrej Butok <andrey.butok@nxp.com>
(cherry picked from commit 50f35144e4)
2024-11-04 14:23:47 +00:00
Dominik Ermel f2971d2014 boot: Add missing boot_enc_init
The boot_enc_set_key in boot_swap_image, when recovering from
reset, has been called on AES context that has not been
initialized.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 7e3a1cecd7)
2024-11-04 14:23:36 +00:00
Dominik Ermel 071b3b8e0f boot: Remove pointless slot identification
In the boot_image_validate_encrypted there was call to
flash_area_id_to_multi_image_slot, which tries to figure out
slot index from flash area and image index, and the result of the
call was not used for anything as slot index is hardcoded in the
next call to be 1 (secondary).

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 4da4a72cb1)
2024-11-04 14:23:33 +00:00
Thomas Altenbach 2cd6ce9fb9 sim: Fix MCUBOOT_SWAP_USING_SCRATCH defined in direct-xip and ram-load
When 'direct-xip' or 'ram-load' features were enabled,
CONFIG_BOOT_SWAP_USING_SCRATCH and MCUBOOT_SWAP_USING_SCRATCH were
defined even though swap using scratch wasn't used. This commit fixes
the issue.

Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>
(cherry picked from commit 60806bce8e)
2024-11-04 14:23:28 +00:00
Thomas Altenbach 3c2f837528 bootutil: Properly retrieve image headers after interrupted swap-scratch
For swap using scratch, the boot_read_image_header routine, responsible
for reading the image headers, was always looking for the primary and
secondary image's headers at the beginning of respectively the primary
and secondary slots, regardless of the current boot status.

This means if during a swap-scratch upgrade a reset happens after the
sector containing the image header in the primary or secondary slot has
been erased, invalid image headers were read since at that time the
location of the headers has changed.

Currently, this doesn't seem to cause any issue because the swap-scratch
algorithm is implemented in such a way the content of the headers is no
more necessary when the headers are erased. However, to be able to
decrypt the secondary image when copied to the primary slot instead of
when copied to the scratch area, properly reading the secondary image's
header is required even after it has been erased from the secondary
slot.

To that end, the boot_read_image_header is modified to determine from
the boot status the current location of the image headers and to always
read the actual header, no matter the current state of the upgrade
process.

Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>
(cherry picked from commit f515bb1c44)
2024-11-04 14:23:22 +00:00
Jamie McCrae fb2cf0ec3d docs: release-notes: Add note on fixed nordic boards
Adds a note that building for these boards has been fixed

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
2024-07-10 07:37:43 +01:00
Jamie McCrae 8980799219 boot: zephyr: Fix build for nrf9160dk
Fixes building MCUboot for this board

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
2024-07-10 07:37:43 +01:00
Jamie McCrae 2f5a7f4721 boot: zephyr: Fix build for thingy53
Fixes building MCUboot for this board

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
2024-07-10 07:37:43 +01:00
Jamie McCrae c9e4ab8b24 boot: zephyr: Fix build for thingy52
Fixes building MCUboot for this board

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
2024-07-10 07:37:43 +01:00
David Brown c06f7bb367 Revert "boot: Add MCUBOOT_HW_KEY support for image encryption"
This reverts commit 0fa46270c0.

This breaks:

    samples/synchronization/sample.kernel.synchronization on
    b_u585i_iot02a/stm32u585xx/ns error

as this TF-M configuration uses its own keys.  This change is an API
change that needs to be coordinated with TF-M changes.

Before this revert, compiling this test results in:

    .../encrypted.c:447: undefined reference to
    `boot_enc_retrieve_private_key`

Signed-off-by: David Brown <david.brown@linaro.org>
2024-07-09 09:19:43 -06:00
David Brown 1d79ef35ee boot: Fix ASN.1 for mbedtls >= 3.1
In Mbed TLS 3.1, the private fields in the ASN.1 structure were made private.
This breaks code that accesses these private macros.

Fix this by changing the ASN.1 specific code to use a new field accessor
`ASN1_CONTEXT_MEMBER` that will be conditionally defined based on the version of
Mbed TLS that is present.

Signed-off-by: David Brown <david.brown@linaro.org>
2024-06-28 10:04:35 -06:00
Thomas Altenbach 86acda9ed4 ext: fiat: Use user-defined assert macro
The libc assert macro was used in curve25519.c even if the user provided
its own definition of the assert macro for MCUboot through
mcuboot_assert.h. This commit fixes this issue.

Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>
2024-06-26 16:52:20 -06:00
David Brown a706317769 sim: Increase jmpbuf size
Increase the size of the jmpbuf to accommodate other architectures.
Unfortunately, the size of this is not available in the libc crate.
Increase this to encompass any platforms we wish to support, including
aarch64 on both Linux and MacOS.

Increasing an array beyond 32 means there is no default offered, so
implement this manually.

Signed-off-by: David Brown <david.brown@linaro.org>
2024-06-26 16:43:56 -06:00
David Brown d6a5a7344f sim: Fix resolver warning from cargo
Cargo prints a warning about conflicting resolvers being used.  Fix this
by explicitly setting the resolver in the project file.

Signed-off-by: David Brown <david.brown@linaro.org>
2024-06-26 16:43:56 -06:00
David Brown 847548a9ac sim: Put "C" on externs
Many of these extern functions are missing the "C". It doesn't seem to matter on
any of our targets, but this does make the code more correct, and might be a
problem in the future.

Signed-off-by: David Brown <david.brown@linaro.org>
2024-06-26 16:43:56 -06:00
David Brown 1b1d495338 FIH: Disable FIH labels on Apple targets
The symbols injected here cause some kind of poor interaction with the linker on
MacOS, which results in most of the code becoming hopelessly corrupt.  For now,
just disable these symbols on this target.

Signed-off-by: David Brown <david.brown@linaro.org>
2024-06-26 16:43:56 -06:00
David Brown 9cc8dac569 sim: Put AreaDesc in an Rc
Since there are references to this struct passed to C code, put it into an Rc so
that it won't move around when the data is moved.

Signed-off-by: David Brown <david.brown@linaro.org>
2024-06-26 16:43:56 -06:00
David Brown 5d155132dc sim: Don't take address of movable struct
This struct was having addresses taken of fields within it, and then being
returned.  It is platform-specific whether this causes a move.  It seems to be
working on x86_64, but causes a segfault on aarch64.  Box the struct so that it
isn't moved after being initialized.

Signed-off-by: David Brown <david.brown@linaro.org>
2024-06-26 16:43:56 -06:00
Thomas Altenbach 9ae634f3bf bootutil: Fix signed/unsigned comparison in boot_read_enc_key
When MCUBOOT_SWAP_SAVE_ENCTLV is enabled, a comparison between a signed
and an unsigned integer is made in boot_read_enc_key. This might cause a
warning to be emitted at compile-time.

Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>
2024-06-20 17:54:01 -03:00
David Vincze 8be24f87e3 docs: Replace Slack channel links with Discord
Replace Slack channel links with MCUboot Discord channel
as the discussions have moved there.

Signed-off-by: David Vincze <david.vincze@arm.com>
Change-Id: I132279574e674408dffc9ed377d216775a54fd56
2024-06-14 15:31:51 +02:00
Rustam Ismayilov 533fef2ad7 imgtool: Update version.py to take command line arguments
Main method printed hardcoded versions, update to take argument
to enable the possibility of testing version strings by invoking
the command through command line.

Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: If75769ef223944865313ed95336e859ebef85fd6
2024-06-14 13:56:40 +02:00