If the psa-crypto-api feature is defined, the simulator will
initialize the PSA Crypto API exactly once. It needs also to
enable the test external RNG as the assumption is that the
PSA subsystem is configured to use MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Signed-off-by: Matthew Dalzell <matthew.dalzell@arm.com>
Change-Id: Id02727b8673867ecf1e4fbbdfa3c4b6d6f98f8df
This commit adds simulator support to test the
hw-rollback-protection feature which is using
nv-counters. In the simulator they are stored in Rust
to prevent any race conditions from happening due to
the parallel execution of the tests.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I445fc50615ed1f0c06e5933b16811c24d9d302fc
Update dependencies that don't require any code changes. This leaves
'aes' and 'cipher' which will require code changes to support newer
versions.
Signed-off-by: David Brown <david.brown@linaro.org>
Change the edition in the various Cargo.toml to 2021. There are no
changes to the code needed for this. This will require Rust 1.56 in
order to build.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of having to cd into the 'sim' directory, create a top-level
Cargo.toml file that adds the sim as a workspace.
For the most part, this doesn't change how the simulator works. It is
still possible to run `cargo test ...` within the `sim` directory.
However, the `target` directory will reside at the top-level of the tree
instead of within the sim directory.
One change is that running cargo commands at the top of the tree will
run those commands on all of the packages found within the tree.
Specific packages can be tested by either changing to the directory of
that package, or passing `-p <dir>` to the cargo test command (i.e.
`cargo test -p bootsim`).
The other visible change from this commit is that the 'target' directory
will always be at the top of the tree, rather than in particular
directory where the test is run. Any scripts or tools that expect this
to be in a certainly location, will have to be modified.
Signed-off-by: David Brown <david.brown@linaro.org>
Update the dependencies in the main sim to the latest versions. There
are some minor changes in a few of the packages, and a fairly
significant change to the aes. The aes_ctr crate has been merged into
the aes crate, along with some changes to how it initialized.
Signed-off-by: David Brown <david.brown@linaro.org>
This reverts commit 78e4441bd3.
Although it shouldn't, this change is provoking numerous errors in
CI. In order to allow CI to continue, revert this change, and it can be
redone later, after fixing whatever is causing the CI build failures.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of requiring cargo to be run in the sim directory, create a
top-level "workspace" Cargo file, that references the others. The main
result of this is that cargo can now be run in the top of the workspace,
and the 'target' directory will be placed there, rather than in the sim
directory.
This is primarily of benefit to tools such as RLS, Rust-analyzer and
various IDEs that expect a crate at the top level of the tree.
Signed-off-by: David Brown <david.brown@linaro.org>
Add simulator support for building the direct-xip configuration.
Although this builds, there are no tests that test any of the
functionality, so all current tests trivially pass.
Signed-off-by: David Brown <david.brown@linaro.org>
Allow the sim to test configurations with MCUBOOT_RAM_LOAD defined.
This does not define any tests for this mode.
This adds definitions for simulated RAM offsets to the simulator. This
will define the offset (from `IMAGE_RAM_BASE`) to where the simulated
RAM will be located. For now, just give these somewhat reasonable
values so that we are able to at least compile the RAM_LOADING code in
the simulator.
Signed-off-by: David Brown <david.brown@linaro.org>
Add new feature that allows testing EC256 encrypted images using the
Mbed TLS backend.
Move config-ecdsa.h to config-ec.h because definitions are very similar
between ECDSA and ECDH with Mbed TLS so resort to a single config file.
Add new feature and fix the build; add proper Mbed TLS memory
initialization when enc-ec256-mbedtls is used.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add Mbed TLS ECDSA signature verification as an option (in addition to
Tinycrypt and the CC310 hardware version). Although the Mbed TLS ECDSA
verification code is both larger and slower, this will still save space
if there is another reason that the Mbed TLS code is already being
brought in for another reason (such as certificate management, for
example).
Mbed TLS's ECDSA verification works at a different level than the other
two libraries, so this takes a bit of reworking. There are some
additional parameters passed to the various functions, and a new define
MCUBOOT_ECDSA_NEED_ASN1_SIG to indicate that the ecdsa verification
wants the original ASN1 signature, not a decoded key.
This adds the boot changes and simulator support to test this configuration.
Signed-off-by: David Brown <david.brown@linaro.org>
Upgrade to the latest aes-ctr package, and apply minor fixes due to
trait naming changes in this version.
Signed-off-by: David Brown <david.brown@linaro.org>
Update to the newest version of this crate. There are no API changes
affecting us, so this is just an update of the Cargo.toml file.
Signed-off-by: David Brown <david.brown@linaro.org>
Updates a few sim dependencies, reducing the amount of crates
required for a build; also gets rid of cases of more than one
version required for some crates. Results in depending on 76
crates instead of 89 before the PR.
Signed-off-by: Fabio Utzig <utzig@apache.org>
To start adding support for devices with a large write size, modify the
simulator to allow a 'large-write' feature that will also run tests with
128 and 512 byte write alignments.
This requires fixing some places in image generation that assumed a
fairly small alignment (namely, padding the buffer at the end, rather
than individual parts), and detecting the large writes when writing the
MAGIC value to the image.
The flash API still passes the alignment back as a uint_8, but in
overwrite mode, this verifies that the boot code won't use this value.
Currently the 'large-write' feature requires 'overwrite-only' as well.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of manually expanding multi-byte encoding, use the byteorder
crate which has its own extension methods to do this. This both makes
the code a bit clearer, and also makes it clear that these encodings are
specific to little endian platforms.
Signed-off-by: David Brown <david.brown@linaro.org>
This change replaces the slot 0/1 terminology with primary/secondary
slot and replaces FLASH_AREA_IMAGE_0/1 with
FLASH_AREA_IMAGE_PRIMARY/SECONDARY. This naming convention may be more
understandable, fits better to MCUs with multiple images and it is an
architecture agnostic alternative as well.
Change-Id: I655a585f6ae023852c671ee6635399efe25209c9
Signed-off-by: David Vincze <david.vincze@arm.com>
Signed-off-by: David Brown <david.brown@linaro.org>
This removes the unsafe Tinycrypt bindings previously used for signing
with ECDSA, and relies on ring native support.
The ring library was updated to 0.14.1.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Since logging was broken due to incompatibility between log and
env_logger versions, those crates were updated to known to be compatible
versions. Update initialization of env_logger that does not return a
Result<> anymore.
Other crates were updated to remove duplicated versions as much as
possible.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Automatic migration to Rust 2018. This is the result of running
cargo fix --edition
The resulting code is compatible with both Rust 2015 and 2018. Change
the edition field in the Cargo.toml file as well to begin a more
complete migration.
Signed-off-by: David Brown <david.brown@linaro.org>
A few packages have updates that make them more convient to use with
Rust 2018's 'use macro'. This is convenient as it allows control over
what macros are imported, but without these updates, these packages
require you to know the names of internal macros to import.
Signed-off-by: David Brown <david.brown@linaro.org>
This adds new cargo features to allow running tests of encrypted
images with both RSA-OAEP and AES-128-KW.
When installing images on the simulated flash, both a plain and an
encrypted images are created. When encrypted image support is enabled,
verification of images in slot1 match against the encrypted image,
otherwise plain images are used.
PS: Also fixes ImageHeader to match bootutil definition.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This updates error-chain to remove a warning on recent rust distros.
`pem` was update to get fairly recent `error-chain` as well.
Signed-off-by: Fabio Utzig <utzig@apache.org>
As a start of doing the testing using Rust/Cargo's test framework, write
a test runner that just runs the existing tests. They run as they do
now, except that there is an assertion that there were no failures.
Signed-off-by: David Brown <david.brown@linaro.org>
Adds the feature to enable testing of overwrite-only functionality.
While running with this feature enabled, disable tests that try to
revert and disables trailer verification, since overwrite-only doesn't
rely on status writing.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Remove the key_id field from the image header. There are two problems
with this field. First, it is only an integer offset, and so causes an
unnecessarily tight coupling between the particular keys built into the
bootloader, and the key that is used to sign. Second, it makes the
key_id part of the image header, which is included in the signature.
This makes it impossible to later sign the image with a different
signature.
Instead of the key-id, add a TLV KEYHASH entry. This will hold the
SHA256 of the public key that the signature is against. Each signature
placed in the TLV should be preceeded by this entry to indicate the
public key used.
The signature check will check each signature, and if the KEYHASH is
known and the signature type is supported, it will be checked. As long
as at least one signature is considered valid, the image will be
considered signed. This also allows the image to be signed with
multiple signatures to support having different devices with possibly
different keys compiled into the bootloaders.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
The docopt package has moved from rustc-serialize to serde. Move to
this version, upgrading the custom deserialize we use for the alignment
argument.
Signed-off-by: David Brown <david.brown@linaro.org>
Move most dependencies to the latest version at the time of this commit.
docopt is left at the current version as there is an api change in the
newer version.
Signed-off-by: David Brown <david.brown@linaro.org>
Create a crate `mcuboot-sys` to hold the building and binding of the
mcuboot code. There aren't any substantive code changes here, just
moving the code into a separate crate.
Signed-off-by: David Brown <david.brown@linaro.org>
Using the published debug keypair, generate a signature with it, to add
to the TLV. This verifies that signature verification works as
expected.
Signed-off-by: David Brown <david.brown@linaro.org>
The bitflags crate seems to be better supported, and doesn't have the
problems getting the results back into the enum type.
Signed-off-by: David Brown <david.brown@linaro.org>