Commit Graph

250 Commits

Author SHA1 Message Date
Fabio Utzig 03cce47291 sim: update dependencies
Updates a few sim dependencies, reducing the amount of crates
required for a build; also gets rid of cases of more than one
version required for some crates. Results in depending on 76
crates instead of 89 before the PR.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-14 06:19:51 -03:00
Fabio Utzig a1c142d168 Add Tinycrypt based SHA-512 for ED25519
Add option to build ed25519 with tinycrypt; enable tinycrypt based
sha-512 for ed25519 sim tests.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-04 06:09:01 -03:00
David Brown 2ee5f7f7f2 sim: Test software rollback protection
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
2020-01-23 12:47:05 -07:00
David Brown e2acfaede5 sim: Add explicit copyright and licenses to the sim
Add an apache SPDX header and explicit license lines.  The date ranges
of the license lines are derived from the git history.  Having these
explicitly present will make contributions from other parties easier, as
they will simply be able to add their own copyright line, rather than
having to describe that it only covers modifications.

Signed-off-by: David Brown <david.brown@linaro.org>
2020-01-22 10:11:13 -07:00
Ulf Magnusson e96b6873bd dts: Include devicetree.h instead of generated_dts_board.h
Needed for https://github.com/zephyrproject-rtos/zephyr/pull/20757, to
avoid a warning-turned-error.

Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
2020-01-16 11:41:28 +01:00
David Brown 3dc86c90cb sim: Compute TLV size from actual size
Instead of having lots of magic numbers to try and track the resulting
size of the TLV, just determine the size we end up with after encoding
it.  The only place the size is used is in the header within the TLV
itself.  Make this work by putting a placeholder in the TLV, and then
patching the value back after we know the full size.

In addition to removing a lot of magic numbers from the code, this will
make it easier to handle things that vary in size, such as X.509
certificates.

Signed-off-by: David Brown <david.brown@linaro.org>
2020-01-09 11:29:40 -07:00
David Brown 2b73ed9440 sim: Always compute protected size
Instead of having a running size that we try to always match the encoded
size of, compute it a bit more dynamically.  The size is still needed
before the contents can be filled in, so this doesn't gain too much, but
will make it easier to compute the rest of the TLV size based on the
actual encoding rather than lots of magic numbers.

Signed-off-by: David Brown <david.brown@linaro.org>
2020-01-09 11:29:40 -07:00
Fabio Utzig 4b4ed98310 sim: enable saving encrypted TLV for ECIES
This changes the simulator to save the encryption TLV itself instead
of the unencrypted AES-128 key when doing the ECIES encryption test,
to add proper test coverage of this configuration option.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-01-07 17:08:22 -03:00
Fabio Utzig 4626853d3e sim: fix RSA signature length macro usage
Update RSA-3072 test that was using old Zephyr macros to set size.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-01-07 16:03:55 -03:00
Fabio Utzig 66b4caac45 sim: allow generation of non-signed + encrypted EC images
Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-01-07 16:03:55 -03:00
Fabio Utzig 3fbbdac56a sim: get status area size from bootutil
Add new bootutil function that returns the size of the status area.
The simulator was updated to remove the custom calculation and get
the size directly from bootutil, avoiding breakages that happen when
both are not in sync.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-20 14:57:06 -03:00
Fabio Utzig 272c5eb540 zephyr: sim: add minimized ECIES-P256 key
Remove public key from embedded private encryption key (it was already
ignored before).

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-17 16:26:53 -03:00
Andrzej Puzdrowski f1d189c486 zephyr: switch to recent defines and include headers
In the zephyr code-base some generic include paths
and defines had been deprecated for a while.
This condition was maintained until zephyr v2.1.0 inclusive.

Recently these deprecated items were removed completely from
the zephyr master branch. Zephyr current SHA of this patch is
e124c1cd34938f02bbe879533c6bd29b5ff53707

This patch switches mcuboot to using the most recent items.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2019-12-12 11:54:44 +01:00
Fabio Utzig 6fa2d40d45 sim: log flash writes/reads/erases at highest level
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-10 16:04:44 -03:00
Fabio Utzig e92df93461 sim: log: add new level targeting simulator
* Adds a new level (BOOT_LOG_SIM) to be used only for messages that
  are interesting while debugging bootutil in the simulator. This should
  be used for extra verbose prints.

* Also added fflushes after fprints to guarantee that messages are printed
  even when assertions are raised.

* For abstraction completeness, add "do nothing" definitions of _LOG_SIM
  to the other ports.

* Make DEBUG the default level when building the simulator (one can
  still lower verbosity using any other value for RUST_LOG).

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-10 16:04:44 -03:00
David Brown 3cabd927a7 sim: Fix ecdsa padding
For some reason, the ECDSA signature generation code attempted to adjust
the length of the ASN.1 of the actual signature.  It wasn't doing this
right, and was creating ASN.1 expecting many more entries than were
present.  The half-run parser in the tinycrypt ECDSA signature check
didn't care about this, but mbed TLS's signature check does care.

The intent of the padding was to be able to predict the size of the TLV
before writing it out.  Keep the padding for now, even though there is
no simple way of knowing how many pad bytes to remove (just removing
them will remove extra if there is a zero in the last byte of the
signature).

A future change will eliminate the padding, as it should no longer be
needed.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-12-10 07:40:47 -07:00
Fabio Utzig 114a64768b sim: add unsupported caps to device creation
Update `make_device` to return a slice of unsupported caps for a test.
This allows skipping tests on devices that are known to be non-working
under some build configuration.

The device constructor was updated to return a `Result`, so that the
specific reason for skipping can be returned as a `String`.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-09 14:21:09 -03:00
Fabio Utzig f5480c74e9 bootutil: sim: add cap for swap using move
Add cap for swap using move and rename old swap upgrade cap to swap
using scratch. Update sim to allow swapping tests to also run using
move.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-09 14:21:09 -03:00
Fabio Utzig 031eb7de76 sim: add feature for swap move strategy
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-09 14:21:09 -03:00
David Brown e90b13f9a9 sim: Actually test invalid signatures
Currently, the tests that appear to be testing for invalid signatures
are actually just testing that images aren't used if the entire TLV
block is missing.  Fix this by being more subtle about our corruptions.
If there is no signature, corrupt that data being used to generate the
hash.  Otherwise, modify the data before it goes into the signature, but
generate a valid SHA256 in the TLV.  This way, we exercise the signature
itself being corrupt.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-12-09 09:54:15 -07:00
David Brown 4fae8b8743 sim: Use 16 bit writes for length fields
Previous changes have used 16-bit writes for calculated lengths, but are
using a pair of 8-bit writes for hard-coded values.  Change these to
also use 16-bit writes for consistency, and clarity.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-12-09 09:47:26 -07:00
David Brown 6972118ce3 sim: Change TLV tag from u8 to u16
Change the type of the TLV tag from an 8-bit unsigned value (followed by
8 bits of padding) to a 16-bit value.  Because we are storing the tag as
little endian, the encoding will end up the same, but this will later
allow us to add more tags.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-12-09 09:47:26 -07:00
David Brown a0cb24b84e sim: Remove some extraneous print
These were added during development to make sure conditional compilation
was working.  Now, they just cause excess messages to be printed.
Remove them.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-12-04 11:21:56 -07:00
Fabio Utzig e84f0effb3 sim: add randomly generated image encryption keys
Removes the hard-coded image encryption keys, and updates with keys
generated randomly before use. This tests the correct behavior of
how ephemeral keys should be used when generating new images.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-11-22 15:15:29 -03:00
Fabio Utzig 9a2b5de5d4 sim: derive Default for TlvGen
Avoid having to declare default values in type instantiation.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-11-22 13:57:27 -03:00
David Brown 95de450b64 sim: Add test support for large write alignment
To start adding support for devices with a large write size, modify the
simulator to allow a 'large-write' feature that will also run tests with
128 and 512 byte write alignments.

This requires fixing some places in image generation that assumed a
fairly small alignment (namely, padding the buffer at the end, rather
than individual parts), and detecting the large writes when writing the
MAGIC value to the image.

The flash API still passes the alignment back as a uint8_t, but in
overwrite mode, this verifies that the boot code won't use this value.

Currently the 'large-write' feature requires 'overwrite-only' as well.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-11-18 10:48:11 -07:00
David Brown eecae52af8 sim: Don't mark permanent in overwrite mode
Overwrite mode is always a permanent upgrade, so skip trying to mark
this in the images.  This marking is problematic with larger write
alignments.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-11-18 10:48:11 -07:00
David Brown 347dc5726d sim: Remove Option from MAGIC
This constant array is always just unwrapped.  Remove the Option from
its type, and just make it an array.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-11-18 10:48:11 -07:00
David Brown 5a317752fb sim: Use `usize` instead of `u8` for alignment
Some devices have a write alignment larger than 128.  Allow this within
the simulator, by using `usize` instead of `u8` for the write alignment.
The value is still returned to the C code as an 8-bit integer, but this
helps start debugging issues found on these devices.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-11-18 10:48:11 -07:00
Fabio Utzig ffc673e7d2 sim: remove deprecated usage of sync::ONCE_INIT
Switch to `Once::new()`.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-11-06 06:55:25 -03:00
Fabio Utzig 90f449ee5c sim: add testing of ECIES-P256 images
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-11-06 06:55:25 -03:00
Fabio Utzig cbd58e3f83 sim: cargo: update dependencies
Update ring to latest (`0.16.9`) and update crates (`cargo update`).

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-11-06 06:55:25 -03:00
Fabio Utzig 73243918cd sim: add EC256 encryption key
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-11-06 06:55:25 -03:00
Fabio Utzig 5ef883a9b9 caps: add ECIES-P256
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-11-06 06:55:25 -03:00
Sam Bristow d0ca0ffc27 Fix up typos
Ran automated checker for common typos [1]. Most of these changes have
no functional change *except* for `./ci/sim_run.sh` where, previously,
the `bootstrap` feature wasn't being selected properly.

I didn't touch anything in the `./ext/` folder as anything in there
should probably be fixed in the upstream repo.

[1] https://github.com/codespell-project/codespell

Signed-off-by: Sam Bristow <sam@bristow.nz>
2019-10-30 06:24:10 -03:00
David Brown f984b95735 Move mbedtls submodule from sim to ext
Move the external mbedtls submodule out of the sim/mcuboot-sys directory
into the ext directory.  This will allow the same copy of mbed TLS to be
used by other board support packages, instead of having to make a
duplicate clone.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-10-15 09:29:20 -06:00
David Brown b748f6fa2a Rename ext/mbedtls to ext/mbedtls-asn1
The ext/mbedtls directory has a copy of the ASN.1 parser from the mbed
TLS library.  To allow a future change to bring the entire mbed TLS
library in as a submodule under ext, rename this to mbedtls-asn1 to make
it clear this is only a subset.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-10-15 09:29:20 -06:00
David Brown 2b8a695be1 Convert BOOT_MAGIC_SZ to #define
Convert this `extern const uint32_t` to a simple define.  Provide an
accessor function so that the simulator is able to access the value as
well.  This has a minor improvement on the generated code within MCUboot
itself.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-10-02 10:17:22 -07:00
David Brown e0bb1f956f Change BOOT_MAX_ALIGN to #define
BOOT_MAX_ALIGN is defined as

    extern const uint32_t BOOT_MAX_ALIGN;

and is assigned a value in a single file.  This causes extra work when
this is used as the size of a local variable in a function.

The value was made a constant in order for the simulator to be able to
access the value.  Instead of making it a "real" constant, keep it as a
define, unifying the value of FLASH_MAX_ALIGN and this one, and provide
an accessor function for the test code to be able to access this value.

This causes a minor improvement in the code generated in
`boot_write_status`, but more importantly, eliminates a VLA from the
code, which increases the possible compilers supported by MCUboot.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-10-02 10:17:22 -07:00
Fabio Utzig 2f6c164f9a sim: fix flash padding to use erased val
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-10-01 18:30:05 -03:00
Fabio Utzig ea3d3abe5f sim: add protected TLVs to hash calculation
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-10-01 18:30:05 -03:00
Fabio Utzig 61fd888a7f Add TLV iterator API
This introduces an API which allows for iteration over an image's TLVs
without resorting to low-level implementation details. All previous TLV
low-level handling was updated to comply with this new interface, and it
also makes it easier for external code to handle TLVs.

The API provides two functions:

1) To start a new iterator:

```c
int bootutil_tlv_iter_begin(struct image_tlv_iter *it,
                            const struct image_header *hdr,
                            const struct flash_area *fap, uint8_t type,
                            bool prot);
```

2) To iterate over existing TLVs of given type:

```c
int bootutil_tlv_iter_next(struct image_tlv_iter *it, uint32_t *off,
                           uint16_t *len, uint8_t *type);
```

A type of IMAGE_TLV_ANY was added to allow for iteration over all TLVs.

Low-level TLV access functions were removed from the API, but low-level
structs are still visible in the namespace.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-18 07:38:50 -05:00
David Brown e4576b888c sim: Test variants of single upgrade with multi-image
Test the variations of the situation where we are built for multi-image,
but are only upgrading a single image, including no dependencies,
correct dependencies, and unmet dependencies.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
David Brown 873be31d5e sim: Add OldCorrect and NoUpgrade dependency types
Add two additional dependency types.  The NoUpgrade type indicates that
this slot should not contain an upgrade at all.  The OldCorrect
indicates a dependency on the old version of the other slot.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
David Brown 0e6bc7fe1c sim: Fix upgrade check
Instead of allowing a preliminary error if the first image is marked to
be held, allow this error if any of the images are marked to be held.
The error doesn't return which image caused the failure, so just check
if any are supposed to be held.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
David Brown 207c457dc6 sim: Derive PartialEq and Eq for UpgradeInfo
This will allow comparisons of the upgrade info.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
David Brown 18d301f588 sim: Add additional tests for mismatched upgrades
Test the configuration where one image has its dependencies met and the
other does not, and make sure in these cases we just hold back from
upgrading entirely.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
David Brown 179098888c sim: Use image number instead of slot in dep test
When generating dependencies, we were using the slot number instead of
the image number to determine which dependencies to mark invalid.  Fix
this, so that we can test configurations where one image is upgradeable
and the other not.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 135f716bfb Uncomment hold and add correct upgrades
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 7c1d1557f2 Do not panic when upgrade info tells it to hold
Before running tests, a sanity upgrade was run to gather the amount of
flash writes to be expected for the operation. This operation fails when
the dependencies hold an upgrade, so the checks were updated to avoid
aborting under those circumstances.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00