Currently if max-align > 8, magic_boot only works in little endian
For example :
With max-align = 16 and endian = big, boot_magic starts with 0x10 0x00,
but it should be 0x00 0x10
Signed-off-by: Raphael Dupont <raphael7dup@gmail.com>
The TLV type field in trailer TLV struct is defined as unsigned 16-bit
(in LE byte order). Currently, due to Python's struct format specified
as 'BBH', the 'imgtool' accepts only single byte for this field.
This results in error when trying to use 16-bit TLV type with option
'--custom-tlv':
struct.error: ubyte format requires 0 <= number <= 255
This changes format to 'HH' which allows using 16-bit TLV types and
while at it, adds also simple range validation for custom TLV type.
As defined in image.h header, the vendor reserved TLVs value should
be from 0x00a0 to 0xfffe range.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Verify mode already works for the public halves of RSA and ECDSA keypairs.
This patch corrects an apparent oversight, enabling that functionality
in Ed25519.
Signed-off-by: Ross Younger <crazyscot@gmail.com>
A previous change was added to allow the `getpriv` command to dump ec256
keys in both openssl and pkcs8. That PR did not touch other key file
types which resulted in errors using that command with RSA, X25519, etc.
This commit generalizes the passing of the `format` parameter, so each
key type can decide which format it allows a dump to be produced in,
and what default to use.
Fixes#1529
Signed-off-by: Fabio Utzig <utzig@apache.org>
`--vector-to-sign` only exports the image payload, or digest, to be
signed externally; it doesn't require any keys to be provided. This
commit moves the code outside a key required block, after the payload
and digest were already calculated from "image + headers + protected
TLVs".
Signed-off-by: Fabio Utzig <utzig@apache.org>
Fix the remaining PEP8 warnings that appear on image.py, ecdsa.py
or main.py for imgtool.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
This patch improves the existing ECDSA key generation feature
in the imgtool by:
- Fix a bug in the 'minimal' representation of PKCS#8 keys where
the resulting ASN.1 DER encoding is not compliant
- Add the option to export ECDSA private keys in SEC1 format by
providing a command line option -f or --format that can be
'openssl' (for SEC1 format) or 'pkcs8'. This format ends up in
key encodings which are generally smaller than PKCS#8.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Common prints such as the one that happens when an image is signed
are clearer if the source of print is added (i.e. filename), especially
for those build integration flows where imgtool is invoked as part of
a set of operations.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Update a previous PR were PEM exporting was added to the `--lang`
parameter, even though PEM is not a source code language per se.
This PR adds `--encoding/-e` to `getpub` command, for exporting
in formats other than a language source code. `--lang` is left with
a deprecation message, so it could be removed in a future version.
The default behavior of exporting source code in C was preserved.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Update `getpub` with new `lang` option, "pem", which allows exporting a
public key as a PEM file. This can later be distributed to be used for
encrypting an image, and gets away with having to use openssl for this
step.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The image_ok was written to the wrong offset
when outputting HEX format. This commit fixes that.
Drive-by change: Use actual length of boot magic
instead of assuming it's 16 bytes long.
Signed-off-by: Alexander Mihajlovic <alexander@eub.se>
The fix adds a condition that checks if either key or fixed_sig are
`not None` before payload signing and TLV addition.
Signed-off-by: Almir Okato <almir.okato@espressif.com>
Extend sign/create command so it allows to export image's byte string
which is the substrate for the image signature. The new option is
'--vector-to-sign'. It might takes 'payload' or 'digest'.
The exported data might be used to calculate the signature externally.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Extend sign/create command so it now allow to export the image
signature to the file pointed by --sig-out option.
The image signature will be encoded as base64 formatted string.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The sign command was extended so it now allow to provide the signature
as base64 formatted RAW file using --fix-sig along with the relevant
public key --fix-sig-pubkey.
This patch is added for support the case where the party which produces
the image dose not have access to the signing image key but must request
third party for the signature.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
When generating an image with trailer (--pad or --confirm), the
imgtool also adds the erased values into that area. This is not
wanted for flash drivers which use ECC and treat writing erased
values as a real write action, which cannot be overwritten anymore.
See issue #1288
Signed-off-by: Wouter Cappelle <wouter.cappelle@crodeon.com>
The value of `--max-align` parameter passed to imgtool can never be
less than the value of `--align` parameter. At present the default
value of `--max-align` is fixed at 8. This forces user to pass the
parameter even when its value can be safely inferred.
Change the default value of the `--max-align` parameter to the larger
of the two values: `--align` or 8. Consequently, the user is required
to pass the parameter only if the flash alignment of the primary and
secondary slot differ.
Signed-off-by: Piotr Mienkowski <piotr.mienkowski@gmail.com>
Create an option to generate a clear image with encryption capability
that can be installed on a primary slot. Since image has encryption
capability image can be swapped encrypted in secondary slot
Signed-off-by: Michel Jaouen <michel.jaouen@st.com>
The magic value applies to images built with maximum write alignment
values other than 8 bytes, whose trailer region is generated in a
different layout.
Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
This file has been removed from upstream Zephyr in commit 2b7c61e306a
("cmake: re-work devicetree preprocessing steps").
Get the board name from .config instead; this is a stable place for it
to be found. Load the EDT itself from the pickle file in the build
directory; this has the advantage of fixing the script when out of
tree devicetree bindings are used.
Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no>
The cbor module is unmaintained, with the last release in 2016[1]. The
cbor2 module however is under active development and was last released
just last month[2].
As the APIs are identical, we can import cbor2 and if that fails fall
back to cbor.
[1] https://pypi.org/project/cbor/#history
[2] https://pypi.org/project/cbor2/#historyCloses#1189
Signed-off-by: Ross Burton <ross.burton@arm.com>
Change-Id: Iaf2d0df625a200a5cebf72dec4a89877a26194ea
This PR updates the path to the devicetree python package lib files according to the Zephyr PR
zephyrproject-rtos#33746 which moved the devicetree lib files.
Old path: ZEPHYR_BASE/scripts/dts/
New path: ZEPHYR_BASE/scripts/dts/python-devicetree/src/devicetree/
Signed-off-by: Carl-Johan Landin <carl-johan.landin@endian.se>
According to clippy, `&'static` can just be `&` for static definitions,
which always have a static lifetime. Clean this up in the arrays in the
code, as well as generation code in imgtool.
Signed-off-by: David Brown <david.brown@linaro.org>
Since there won't be anymore alpha releases, rollback to latest official
(from master). The next released versions now can be either 1.7.X from
v1.7-branch or X.Y.Zrc1 for the release candidate of next stable
version.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Fixes padding hex images when encrypting. The issues stems from binaries
using `bytes` and IntelHex returning `array` where `bytes` cannot be
appended to, so use `.extend()` instead.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add SPDX headers indicating the Apache-2.0 license to the scripts in the
scripts directory. This can be assumed due to the presence of the
Apache-2.0 LICENSE file at the top of the project.
Fixes#930
Signed-off-by: David Brown <david.brown@linaro.org>
After the change to support protected TLVs, the `verify` command was not
updated with proper support. Fix it by skipping any protected TLV found,
and fix the size of the hashed/signed region to also include the
protected TLV area.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
The commit adds support for IMAGE_F_ROM_FIXED flag that allows setting
information on image base address into image_header.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Update version fields for 1.7.0 release.
Added compatibility note for zephyr-rtos.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
When Image.create() is called without the 'custom_tlvs' argument, it
gets its default value (None). It must be checked before performing
any operations on/with it.
Change-Id: I8e0755265f35f9eeb796fe078a6ad8c8d9f2b8da
Signed-off-by: David Vincze <david.vincze@linaro.org>
This patch introduces the ram-load mode in addition to the other
upgrade modes (swap strategies, overwrite-only, direct-XIP). When
ram-load is enabled with the MCUBOOT_RAM_LOAD option, mcuboot
selects the newest valid image based on the image version numbers from
the image header, thereafter the selected image loaded to the RAM and
executed from there. Load address is extracted from the image header.
Therefore the images must be linked to the RAM memory region.
The ram-load mode is very similar to the direct-XIP mode, main
difference is to load the newest image to the RAM beforehand the
authentication and execution. Similar to direct-XIP mode either
of the primary and the secondary slots can hold the active image.
Ram-load can be useful in case of a bit more powerful SoC, which
is not constrained in terms of internal RAM. It could be that image
is stored in external and therefore untrusted flash. Loading image
to internal (trusted) RAM is essential from the security point
of view the system. Furthermore execution from internal RAM is much
faster than from external flash.
This patch is based on the RAM_LOADING upgrade strategy which was
first introduced in the Trusted Firmware-M project.
Source TF-M version: TF-Mv1.0.
Change-Id: I95f02ff07c1dee51244ac372284f449c2efab362
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
In an effort to create a script to do firmware based on an URL, I could
not easily retrieve the image digest. `newtmgr` needs the hash when
marking a image for testing.
Signed-off-by: Casper Meijn <casper@meijn.net>