Downgrade prevention check moved to secure both TEST
and PERMANENT upgrade modes. Downgrade can still be
performed during REVERT.
Signed-off-by: Michael Grand <m.grand@trustngo.tech>
Adds a note that there is now additional information that can
(optionally) be provided via shared boot information.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This allows the currently executing slot number to be checked by
the external function, which can be used by XIP images to know
which slot is currently being executed from to allow for correct
uploading/positioning of firmware files, and also provides the
maximum size of an upgrade that can be loaded so that applications
can reject images that are too large.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
The function was incorrectly identifying the partition of the secondary slot
of image 0 as belonging to image 1, while at the same time failing to
identify the partition of the primary slot of image 1.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The commit fixes boot_set_next always passing image 0 to
boot_write_swap_info, instead of the proper image number.
This has been affecting applications that tried to call boot_set_next
in multi-image MCUboot configuration using scratch-swap algorithm.
Fixes #1762
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Updates the zephyr CONFIG_BOOTLOADER_MCUBOOT documentation link to
target the new location.
Signed-off-by: Daniel Mangum <georgedanielmangum@gmail.com>
Function flash_area_sector_from_off is replaced with newly used
flash_area_get_sector to cope with calls in bootutil_misc.c file.
This is required for CONFIG_MCUBOOT_SWAP_USING_MOVE to work correctly.
Signed-off-by: Michal Lenc <michallenc@seznam.cz>
Adds missing fields which were wrongly treated as part of the
operation value, which they were not, and adds a big/little
endian check.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This is a follow-up on upstream Zephyr split from `esp32` to distinct
esp32_devkitc_wroom and esp32_devkitc_wrover (see [1] and [2]).
[1] https://github.com/zephyrproject-rtos/zephyr/pull/58454
[2] 3776402f40
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Typecasting pointer variables to uint32_t
instead of uintptr_t was causing build error
on 64-bit architecture.
This is useful because I am currently working
on implementing support for a 64-bit native target
in Apache Mynewt. There is a unit test for boot_serial
and it cannot be compiled without these changes.
Signed-off-by: Michal Gorecki <michal.gorecki@codecoup.pl>
Fixes an issue with missing packed attributes on image.h's
structures which would lead to faults on some devices e.g. ARM
Cortex M0, and adds a define for the SHA256 hash size.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Update the script for cloning and installing Espressif IDF needed
for building MCUboot Espressif's port on CI.
Signed-off-by: Almir Okato <almir.okato@espressif.com>
Remove the ESP-IDF from git submodules to avoid potential
duplicated repo clones on the user system. IDF HAL code is still
a dependency for Espressif port, therefore now the HAL code
reference needs to be passed by parameter when building.
The Espressif port was also updated to work with the latest v5.1 IDF
code.
Signed-off-by: Almir Okato <almir.okato@espressif.com>
This commit fixes a bug with the getpriv command using
ECDSA keys.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I66c1365a855e97199921ac136a18e26988bce508
In some cases (logging, hash, crypto) the main function called
the newt tool generated sysinit() function to create the
uart device and crypto.
Now the user can specify that sysinit should be called in
other cases if needed. This can be useful if some other
package should be included in the build and it has a
package initialization function.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
For MCUs with a restriction on minimum write size (STM32H7),
unaligned writes resulted in flash write errors preventing
any sort of update.
Now MCUBOOT_BOOT_MAX_ALIGN can be set according to the value
that the flash driver uses.
For alignment <= 8 the default value provided by the mcuboot config
is still used.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
For downgrade prevention it's possible to use the build number
for greater control.
So far only Zephyr had this option in Kconfig; now the
option is also available in mynewt.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
This allows the user to enable echo for mcumgr commands in serial boot.
The code was enabled in zephyr only so far.
Now the mynewt build can also have this feature if enabled.
No code changes, just an option in the mynewt build to enable the existing
mcuboot feature.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
The definition of MCUBOOT_SWAP_USING_MOVE for the case where swap without
scratch area is configured in NuttX was missing from the mcuboot_config.h file.
Also the necessary function flash_area_sector_from_off() is defined and
declared in order to support swap without scratch.
Signed-off-by: Michal Lenc <michallenc@seznam.cz>
According to the SMP protocol documentation [1], 'image number' value
in 'image upload request' is optional and can be included only in packet
with 'off' (data offset) set to '0' (first packet in upload request).
In one of the recent changes (commit 'cb07e888691d'), initialization of the
'img_num' variable was removed which, in an extreme case (no image number
provided in the upload request), results in use of its uninitialized value
in the flash_area_open() call, which then might lead to a request abort.
This fixes the above regression and also makes the MCUboot implementation of the
'image upload request' aligned with the Zephyr documentation of the protocol
by considering the image number only from the first (off == 0) 'image upload
request' SMP packet. In addition, the 'image number' value is set to '0' if
the request doesn't provide this field.
[1] docs.zephyrproject.org/latest/services/device_mgmt/smp_groups/smp_group_1.html
Fixes: cb07e88869 ("boot_serial: Replace cbor auto-generated code with zcbor functions")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
The 'matched' param in zcbor_map_decode_bulk() function is 'pointer to
the counter of matched keys', not length of payload buffer.
Fixes: fac2cabe98 ("boot_serial: Add image state set/get")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Fixes an issue which was introduced in commit fac2cabe98 which would
show all images, including those with invalid headers, in the output
of images being listed.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This commit reverts the changes made to cap values in 75c7c31.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: Ibbbf66e89d059ef4e4b45218a8a39778c849f21b
This commit reverts the changes to the cap values made in 206b914.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: Ie47c3f253409932b960f4fc12e3b722b000b3093
Adds new test combinations to the CI to
test the ram-load feature more thoroughly.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I56d6f74af55ed078947c092726160b123d36f67f
Adds new test cases to various ram-load related logic.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I3a0ca951b2c720be4e6fe2ed0e5d1830fcfb240c
If ram-load is being used with encryption and
the higher version image is loaded from the primary slot the
verification will fail as the image is always non-encrypted
and will produce an invalid hash. This fix puts encrypted images
into both slots to prevent this issue.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I4ac9f332434a95d140c5572096b8a9161db2d217
This patch enables psa-crypto-api feature
Signed-off-by: Matthew Dalzell <matthew.dalzell@arm.com>
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
If the psa-crypto-api feature is defined, the simulator will
initialize the PSA Crypto API exactly once. It also needs to
enable the test external RNG as the assumption is that the
PSA subsystem is configured to use MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Signed-off-by: Matthew Dalzell <matthew.dalzell@arm.com>
Change-Id: Id02727b8673867ecf1e4fbbdfa3c4b6d6f98f8df
This commit adds simulator support to test the
hw-rollback-protection feature which is using
nv-counters. In the simulator they are stored in Rust
to prevent any race conditions from happening due to
the parallel execution of the tests.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I445fc50615ed1f0c06e5933b16811c24d9d302fc
Currently there's a compile error when building MCUboot
with HW_ROLLBACK_PROT due to a comparison
when decoding the security_cnt fih_int value. In security_cnt.h
it is stated that this value must be between 0 and UINT32_MAX,
so this cast would not cause any undefined behaviour.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: Iee158a31955ff43b73e67a0c08e7a086077b9eb5
Hackerone hasn't turned out to be particularly useful. Fortunately, GitHub now
has a mechanism to directly report security vulnerabilities within the project's
pages. Update the docs to show this as the preferred vulnerability reporting
mechanism.
Signed-off-by: David Brown <david.brown@linaro.org>
Similarly to what has been done for the init function, the
abort function should also return a state in case the caller
needs to implement some error recovery procedure, or even
just for debugging reasons.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I5b8bc8fc2da57cfbc6ddea3f7e95ed7a7ae8e5a9
SHA-256 init functions should return the status of the init
instead of being void. This would allow the callers to implement
proper error recovery; otherwise on error the SHA-256 operation
will enter undefined behaviour.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I162ceb8e6dc90dc3c6b83c8a85fbd17b41c0b5d6
A couple of typos in comments for the newly added RSA modules
need to be assessed.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: Ia06529adb81215fad796895d7b412b35717b6d65