Changes the order of operations to validate the image header
before checking the image; it does not make sense to check the
image if the header itself is invalid.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

- Introduce the MCUBOOT_ENC_BUILTIN_KEY config option for controlling the
usage of builtin key-encryption keys and replacing the MCUBOOT_HW_KEY
option in the image encryption module to avoid ambiguity as the latter
mentioned option is meant for configuring the handling of the
image verification keys,
- Add encryption build configs to template file.
Change-Id: Ic633d2103fb4e56d9fafdabef1fbddc3244cb795
Signed-off-by: David Vincze <david.vincze@arm.com>

Adds a minimal version of the slot info feature to serial recovery,
and enables it by default.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

This calculation failed to take into consideration the additional
sector needed for the swap move part of the upgrade process.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

Adds support for getting the maximum image size of multiple images
and adding this data to the shared data area.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

Adds a feature that will calculate the maximum number of sectors
that are needed for a build. Can be disabled to revert back to
the old behaviour by disabling CONFIG_BOOT_MAX_IMG_SECTORS_AUTO.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

Move checking of conditions, which remain the same for the whole
loop run, outside of the loop.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>

- Add common mimxrt1050_evk_mimxrt1052.conf for all revisions.
- Delete the qspi revision mimxrt1050_evk_mimxrt1052_qspi.conf
Signed-off-by: Andrej Butok <andrey.butok@nxp.com>

- Add default configurations for mimxrt1160_evk and vmu_rt1170
- Fix configuration for mimxrt1170_evk
Signed-off-by: Andrej Butok <andrey.butok@nxp.com>

boot_encrypt required the image_index paired with a flash area pointer
to be able to figure out which slot it will operate on.
Since in most calls the slot is known in advance, it can be just
passed to the function directly.
The commit replaces both parameters with the slot number.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>

Move the definition of boot_enc_retrieve_private_key() to a common file
to avoid code duplication and also ensure a seamless transition to this new
key handling approach for targets which don't use hardware keys.
Change-Id: I57e54e4332503c11d18762f8291c3cab53df3d20
Signed-off-by: David Vincze <david.vincze@arm.com>

Fix the getpub command failing to emit the public pair of an ed25519 key
with encoding.
Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: I3d255f576b2d8a8d0cbc8e31ff378717acb060c7

Fixes an issue which can occur in tests whereby an application
has the name mcuboot but is not mcuboot itself.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

There was unneeded repetition of code in an if-else
block; the common code has been moved out and the block has been
reduced.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>

In all cases where boot_enc_load is called it is known which slot
is addressed, so it is better to just pass the slot number
instead of making boot_enc_load figure out the slot number from
the image index and the provided flash area object.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>

Update requirements.txt to support PrivateKeyType and
PublicKeyType, which are available in the cryptography library since
version 40.0.0, and prevent failing CI jobs in upcoming changes.
Signed-off-by: Rustam Ismayilov <rustam.ismayilov@arm.com>
Change-Id: I94b888d64c2f33ccb829912491e3b8c44b9cc2b2

The enc_key_data.valid flag had been set to true when a key had been added
to the encryption context, but when boot_enc_drop was called
on the same context, the flag remained true, even though the context
may no longer have held any valid context or key.
The commit moves the enc_key_data invalidation to enc_key_drop.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>

All of the boot_enc_ functions follow the same pattern, where
they take the encryption context as the first parameter; the
boot_enc_decrypt function stands out here as it does not work around
the encryption context, but is rather a single-part decryption
function only used for decrypting the image encryption
key.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>

It describes adding the 24KB scratch partition,
not the storage partition.
Updates the used path to HWMv2.
Signed-off-by: Andrej Butok <andrey.butok@nxp.com>

Update the log level for RX and TX messages from INFO to DEBUG to reduce
clutter in the serial interface logs. This change helps in keeping the
output cleaner and focuses on more critical information by default.
Signed-off-by: Hudson C. Dalpra <hudson@bduncanltd.com>

The boot_enc_set_key in boot_swap_image, when recovering from
reset, has been called on an AES context that has not been
initialized.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>

In boot_image_validate_encrypted there was a call to
flash_area_id_to_multi_image_slot, which tries to figure out the
slot index from the flash area and image index, and the result of the
call was not used for anything, as the slot index is hardcoded in the
next call to be 1 (secondary).
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>

Add release note snippet regarding the change made to the swap with
scratch algorithm to avoid having plaintext firmware data stored in the
scratch area.
Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>

When 'direct-xip' or 'ram-load' features were enabled,
CONFIG_BOOT_SWAP_USING_SCRATCH and MCUBOOT_SWAP_USING_SCRATCH were
defined even though swap using scratch wasn't used. This commit fixes
the issue.
Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>

When using swap using scratch, the decryption now happens when copying
from the scratch area to the primary slot, which means the image is
stored encrypted in the scratch area. This commit updates the
documentation accordingly.
Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>

Currently, when swap using scratch is used with encrypted images,
MCUboot is decrypting the images during the copy from the secondary slot
to the scratch area. This means the scratch area contains plaintext
image data and therefore that the scratch area must be placed in the
MCU's internal flash memory. This commit makes the necessary changes to
perform the decryption when copying from the scratch area to the primary
slot instead, making it possible to place the scratch area in an external
flash memory since the scratch area is now encrypted.
Note that BOOT_SWAP_SAVE_ENCTLV must be enabled if the scratch area is
placed in external flash memory.
Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>

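
As an added illustration (not code from MCUboot or from the commit above): a Python model of the per-sector swap-using-scratch copy, with the decryption step placed either on the secondary-to-scratch copy (the previous behaviour) or on the scratch-to-primary copy (the behaviour the commit describes). The cipher is a constructed SHA-256 counter-mode keystream standing in for AES-CTR, the images and keys are constructed, and the model assumes one sector per pass with no swap status or TLV trailers; its only purpose is to show that moving the decryption leaves the scratch area holding ciphertext for the whole swap.

```python
import hashlib

SECTOR = 8                   # constructed: tiny sectors keep the demo readable
NSECTORS = 4
IMG_LEN = SECTOR * NSECTORS


def keystream(key: bytes, nbytes: int) -> bytes:
    """Constructed stand-in for AES-CTR: SHA-256 run in counter mode.

    This is not MCUboot's cipher; it only provides a position-dependent
    keystream so a sector can be (de)crypted independently at its offset.
    """
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def crypt(key: bytes, data: bytes, off: int) -> bytes:
    """XOR `data`, located at image offset `off`, with the keystream for that
    offset. Encryption and decryption are the same operation."""
    ks = keystream(key, off + len(data))[off:]
    return bytes(a ^ b for a, b in zip(data, ks))


def swap_using_scratch(primary, secondary, key_old, key_new, decrypt_at):
    """Simplified model of the swap-using-scratch copy (assumption: one sector
    per pass; swap status and TLV trailers are not modelled).

    Per sector: secondary -> scratch, primary -> secondary (re-encrypted with
    key_old on the way), scratch -> primary. `decrypt_at` selects where key_new
    is applied:
      "to_scratch": previous behaviour, scratch receives plaintext
      "to_primary": behaviour after the commit, scratch receives ciphertext
    Returns (primary, secondary, scratch contents seen after each step 1).
    """
    assert decrypt_at in ("to_scratch", "to_primary")
    primary, secondary = bytearray(primary), bytearray(secondary)
    scratch_history = []
    for sec in range(NSECTORS):
        off = sec * SECTOR
        # step 1: copy the secondary sector to scratch
        chunk = bytes(secondary[off:off + SECTOR])
        scratch = crypt(key_new, chunk, off) if decrypt_at == "to_scratch" else chunk
        scratch_history.append(scratch)
        # step 2: move the old primary sector into the secondary slot, encrypting it
        secondary[off:off + SECTOR] = crypt(key_old, bytes(primary[off:off + SECTOR]), off)
        # step 3: copy scratch into the primary slot
        primary[off:off + SECTOR] = crypt(key_new, scratch, off) if decrypt_at == "to_primary" else scratch
    return bytes(primary), bytes(secondary), scratch_history


def demo(decrypt_at: str) -> dict:
    """Run the model on constructed images and keys and report what ended up where."""
    key_old, key_new = b"old-image-key", b"new-image-key"   # constructed keys
    old_plain = bytes(range(0x10, 0x10 + IMG_LEN))            # constructed old firmware (primary slot, plaintext)
    new_plain = bytes(range(0xA0, 0xA0 + IMG_LEN))            # constructed new firmware
    new_enc = crypt(key_new, new_plain, 0)                    # the secondary slot holds it encrypted
    primary, secondary, scratch_history = swap_using_scratch(old_plain, new_enc, key_old, key_new, decrypt_at)
    return {
        "primary_ok": primary == new_plain,
        "secondary_ok": crypt(key_old, secondary, 0) == old_plain,
        "scratch_had_plaintext": any(
            new_plain[i * SECTOR:(i + 1) * SECTOR] == s for i, s in enumerate(scratch_history)
        ),
    }


if __name__ == "__main__":
    for mode in ("to_scratch", "to_primary"):
        print(mode, demo(mode))
```

Both modes end with the new image in plaintext in the primary slot and the old image encrypted in the secondary slot; the only difference is whether the scratch area ever held plaintext, which is what decides whether scratch can live in external flash.
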
For swap using scratch, the boot_read_image_header routine, responsible
for reading the image headers, was always looking for the primary and
secondary images' headers at the beginning of the primary and
secondary slots respectively, regardless of the current boot status.
This means that if, during a swap-scratch upgrade, a reset happened after
the sector containing the image header in the primary or secondary slot
had been erased, invalid image headers were read, since at that time the
location of the headers had changed.
Currently, this doesn't seem to cause any issue because the swap-scratch
algorithm is implemented in such a way that the content of the headers is
no longer necessary once the headers have been erased. However, to be able
to decrypt the secondary image when it is copied to the primary slot
instead of when it is copied to the scratch area, properly reading the
secondary image's header is required even after it has been erased from
the secondary slot.
To that end, boot_read_image_header is modified to determine from
the boot status the current location of the image headers and to always
read the actual header, no matter the current state of the upgrade
process.
Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>