Adding an os.unlink() call to remove the outfile results in an exception
being thrown if the file does not exist. Fix this by trapping, and
checking for the specific error we get on a missing file.
Signed-off-by: David Brown <david.brown@linaro.org>
This full.bin target demonstrates how to assemble all of the images into
a single file which can be flashed to the device. As it is, it will
then boot into the first "primary" image. The second image will be
present, but will not ever be run.
Signed-off-by: David Brown <david.brown@linaro.org>
When image is slot 1 had bad signature, the swap would fail and
try to write image_ok in slot 0 which if that was already a
permanent image would cause a overwrite in flash.
Fix warning/error when slot 0 validation is not enabled.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This test was added to exercise a bug which happens when a failure
verifying the image in slot 1 would cause a write to image_ok when
the image in slot 0 already was a permanent image.
Signed-off-by: Fabio Utzig <utzig@apache.org>
After a swap operation is finished trailer control flags are written
according to the type of swap that was performed. The function names
that execute those operations were renamed to explicity reflect what
they do, and all "less deterministic" behaviors, of the type
"if flash is not set, set it", were removed.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds handling of the copy_done bit while evaluation a swap state.
Since copy_done is only ever written when a swap finishes, it can be
safely assumed that if copy_done is not set no swap was ever performed
and the image was written directly to flash, and thus no revert is run.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This reworks much of the code, as well as tables, handling swap
state to make them simpler. Only states that require an actual
swap to be performed, perm/test/revert are checked for and acted
upon. Other possible states try to default to no operation
performed.
One extra state, BOOT_SWAP_TYPE_PANIC, was added to differentiate
between "soft" errors and unrecoverable ones (as flash read/write
errors).
Non well defined state changes after swap failures, as described
in MCUB-59 were also clean up.
This should also fix situations as described in MCUB-63, where
images generated using imgtool (magic + image_ok set) are written
to slot 0 and cause an incorrect "revert".
Signed-off-by: Fabio Utzig <utzig@apache.org>
The MCUBOOT_VALIDATE_SLOT0 feature only verifies the signature when
there is no swapping happening. The assumption was that if there is a
swap being done, the code will verify the signature of slot 1 before
doing the slot.
However, either due to bugs, or intentional trickery, it may be possible
to confuse the code into continuing a swap operation. If the data is
modified before this, the bootloader can be tricked into booting the
resulting image in slot 0 without having verified the signature.
Fix this by always verifying slot 0's signature before booting it.
JIRA: MCUB-64
Signed-off-by: David Brown <david.brown@linaro.org>
The docopt package has moved from rustc-serialize to serde. Move to
this version, upgrading the custom deserialize we use for the alignment
argument.
Signed-off-by: David Brown <david.brown@linaro.org>
Move most dependencies to the latest version at the time of this commit.
docopt is left at the current version as there is an api change in the
newer version.
Signed-off-by: David Brown <david.brown@linaro.org>
It isn't necessary for the 'area' module to be exposed. Re-export the
two definitions from the crate at the top level, and make the module
private.
Signed-off-by: David Brown <david.brown@linaro.org>
The mbedtls library is used by the binding crate, so move the submodule
into this directory as well.
Signed-off-by: David Brown <david.brown@linaro.org>
Create a crate `mcuboot-sys` to hold the building and binding of the
mcuboot code. There aren't any substantive code changes here, just
moving the code into a separate crate.
Signed-off-by: David Brown <david.brown@linaro.org>
Using the published debug keypair, generate a signature with it, to add
to the TLV. This verifies that signature verification works as
expected.
Signed-off-by: David Brown <david.brown@linaro.org>
The bitflags crate seems to be better supported, and doesn't have the
problems getting the results back into the enum type.
Signed-off-by: David Brown <david.brown@linaro.org>
Since the signing code will also need a copy of the message, make a
local copy of it in the signature verification code, and compute the
digest all in one shot.
Signed-off-by: David Brown <david.brown@linaro.org>
The ring crate's SHA256 is slightly slower than the one from
rust-crypto, but is much cleaner to use. It also has all of the hashing
operations we need.
This crate is somewhat opinionated, e.g. will not sign messages without
also performing the signature itself. Unfortunately, this means we'll
end up computing signatures of the same data many times, and perhaps
this should be improved, since we're always using the same data.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of stubbing out the image validation code, compile it, and add
the SHA256 TLV to the buffer.
Signed-off-by: David Brown <david.brown@linaro.org>
In preparation for moving the bootutil binding into a separate crate,
move the flash simulator into its own crate. This will allow the
binding to have access to the simulator without creating a circular
dependency.
Signed-off-by: David Brown <david.brown@linaro.org>
Make 'Flash' a trait, and move the current functionality into a type
called 'SimFlash'. The code that runs the simulation only uses the
trait.
Signed-off-by: David Brown <david.brown@linaro.org>
Move the reference to the Flash device up into the Rust code instead of
trying to pass it back and forth to C. This will allow a future change
to use a fat pointer (such as a trait pointer), which ultimately will
allow different kinds of flash devices.
Signed-off-by: David Brown <david.brown@linaro.org>
David Brown