Commit Graph

1129 Commits

Author SHA1 Message Date
Andrzej Puzdrowski 3f092bd313 zephyr: allow recovery over usb cdc-acm with logs enabled
Modified serial_adapter so log are allowed when using USB
CDC ACM serial port emulation.

Added dedicated thread for log processing of the highest application
priority. This allows to transmit all logs without adding k_sleep
anywhere else int the code.

Introduced boot log thread is simpler than the default log threat
which decreases flash footprint by a few dozen bytes.
Added configuration for nrf52840_pca10056 which shows how
to enable looging along with USB - among other, thread log
processing is required.

build command (form zephyr-project root directory)
west build -d build/mcuboot/nrf52840_pca10056 -b nrf52840_pca10056
./bootloader/mcuboot/boot/zephyr/
 -- -DDTC_OVERLAY_FILE=./boards/nrf52840_pca10056_big.overlay
-DOVERLAY_CONFIG=./usb_cdc_acm_log_recovery.conf

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2020-02-27 10:01:25 +01:00
Andrzej Puzdrowski 9a4946ce9a zephyr: add default LOG and MULTITHREADING values in kconfig
Add Log processing configuration synchronous as default
if multithreading is disabled.

Additionally Kconfig makes MULTITHREADING default
if USB is selected.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2020-02-27 10:01:25 +01:00
Andrzej Puzdrowski 5d96bd20a9 zephyr: tabs to spaces in line indentation
Uses spaces instead of tabs.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2020-02-27 10:01:25 +01:00
David Vincze c308413760 bootutil: Introduce HW rollback protection
- Add image security counter verification (read security counter value
  from the image manifest and compare it against the stored/active
  security counter) as an optional part of the image validation process
  to prevent the restoration of older, potentially vulnerable images.
- This feature can be enabled with the MCUBOOT_HW_ROLLBACK_PROT option.
- Add security counter interface to MCUBoot. If HW rollback protection
  is enabled then the platform must provide a mechanism to store and
  read the security counter value in a robust and secure way.

Change-Id: Iee4961c1da5275a98ef17982a65b361370d2a178
Signed-off-by: David Vincze <david.vincze@arm.com>
2020-02-25 23:43:12 +01:00
David Vincze 1a7a6905c5 imgtool: Add security counter to image manifest
Optionally add new security counter TLV to the protected image manifest
and also introduce a new command line option for the imgtool to specify
the value of this counter. The security counter can be used in rollback
protection to compare the new image's security counter against the
active counter value. Its value can be independent from the image
version, but if the 'auto' keyword is passed in the argument list of the
script then it will be generated from the version number (not including
the build number).

The value of the security counter is security critical data. Therefore,
it must be part of the protected TLV area.

Change-Id: I45926d22364d0528164f50fa379abf050bdf65ff
Signed-off-by: David Vincze <david.vincze@arm.com>
2020-02-25 23:43:12 +01:00
Fabio Utzig 19df5c44de mynewt: allow newt to bypass submodule cloning
A recently added `newt` feature allows it to only clone selected git
submodules: https://github.com/apache/mynewt-newt/pull/377. This changes
the MCUBoot repository to remove submodules from the cloning process,
because they are not used by Mynewt.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-25 11:37:15 -03:00
Fabio Utzig 3647ded973 docs: update nokogiri to fix CVE-2020-7595
https://nvd.nist.gov/vuln/detail/CVE-2020-7595

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-25 09:26:02 -03:00
Fabio Utzig a1ed50bb11 mynewt: rollback version.yml
Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-24 11:09:47 +01:00
Fabio Utzig 310af87f61 Update to v1.5.0
Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-19 10:29:01 -03:00
Fabio Utzig 7de8a29672 Preparing for v1.5.0-rc2
Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-17 11:22:32 -03:00
Fabio Utzig 03cce47291 sim: update dependencies
Updates a few sim dependencies, reducing the amount of crates
required for a build; also gets rid of cases of more than one
version required for some crates. Results in depending on 76
crates instead of 89 before the PR.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-14 06:19:51 -03:00
Håkon Øye Amundsen 6fc259511a zephyr: add default pin for serial recovery for nrf53
Prior to this the kconfig would fail because of invalid value for an int

Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
2020-02-12 11:30:03 +01:00
David Brown a222bf3b17 README: update mailing list
Update the top-level README.md file to refer to the new mailing list.

Signed-off-by: David Brown <david.brown@linaro.org>
2020-02-10 11:13:27 -07:00
Fabio Utzig ef7fbd7012 Preparing for v1.5.0-rc1
Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-07 15:30:45 -03:00
Fabio Utzig cb0807355c imgtool: fix passing --erased-val with 0xff value
The `--erased-val` (or `-R`) option was doing conversion of base 10, so
the only value that was acceptable was 0. Although not passing this
option would result in the default `0xff` being used, this fixes the
issue by allowing Python to auto-detects the base from string.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-07 14:19:33 -03:00
Fabio Utzig 970840ccf5 docs: fix mailing list URL
Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-06 06:00:28 -03:00
Andrzej Puzdrowski ac1f1fff50 zephyr: enable usb by the application
Since zephyrproject-rtos/zephyr#20375
Need to enable USB by the application.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2020-02-05 12:49:05 +01:00
Fabio Utzig 34e93a507b boot: zephyr: mynewt: sha-512 from tinycrypt
* Mynewt always uses sha-512 from tinycrypt
* Zephyr can choose either tinycrypt or mbedTLS

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-04 06:09:01 -03:00
Fabio Utzig a1c142d168 Add Tinycrypt based SHA-512 for ED25519
Add option to build ed25519 with tinycrypt; enable tinycrypt based
sha-512 for ed25519 sim tests.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-04 06:09:01 -03:00
Fabio Utzig e4fe4633ff Add sha-512 port of tinycrypt's sha-256
A patch adding sha-512 to upstream tinycrypt was submitted:
https://github.com/intel/tinycrypt/pull/42

While it is not accepted, add the code under a new ext/tinycrypt-sha512
depedency.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-04 06:09:01 -03:00
Peter Bigot 36e9029ff0 boot: zephyr: move to non-deprecated GPIO flags
GPIO_DIR_IN has been replaced by GPIO_INPUT, GPIO_PUD_PULL_UP by
GPIO_PULL_UP, and gpio_pin_read() by gpio_pin_get_raw().  Update the
code to use the preferred API if it available.  This avoids
deprecation warnings in the build.

Signed-off-by: Peter Bigot <peter.bigot@nordicsemi.no>
2020-02-03 16:49:14 +01:00
Robert Lubos 1b19d2a198 boot: zephyr: Fix Kconfig inclusion
According to our CI:

Redundant 'source "$(ZEPHYR_BASE)/Kconfig.zephyr" in
'boot/zephyr/Kconfig'. Just do 'source "Kconfig.zephyr"'
instead. The $srctree environment variable already points
to the Zephyr root, and all 'source's are relative to it.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
2020-02-03 08:51:56 +01:00
Håkon Øye Amundsen 09be783644 zephyr: use move swap instead of scratch for nRF devices
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
2020-01-25 19:40:31 -03:00
Peter Bigot 54c1e3fb6b zephyr: fix driver include paths
Zephyr will soon no longer add the drivers subdirectory of the include
hierarchy to the search path, so references to driver headers must
include the drivers/ prefix.

Signed-off-by: Peter Bigot <peter.bigot@nordicsemi.no>
2020-01-25 10:01:42 -03:00
David Brown 2ee5f7f7f2 sim: Test software rollback protection
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
2020-01-23 12:47:05 -07:00
David Brown 07e1381d0f Add a capability for querying downgrade prevention
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
2020-01-23 12:47:05 -07:00
Håkon Øye Amundsen 2d1bac164f add option for rollback protection
Depends on 'MCUBOOT_OVERWRITE_ONLY' option since swap info is not protected
by signature

Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
2020-01-23 12:47:05 -07:00
David Brown e2acfaede5 sim: Add explicit copyright and licenses to the sim
Add an apache SPDX header and explicit license lines.  The date ranges
of the license lines is derived from the git history.  Having these
explicitly present will make contributions from other parties easier, as
they will simply be able to add their own copyright line, rather than
having to describe that it only covers modifications.

Signed-off-by: David Brown <david.brown@linaro.org>
2020-01-22 10:11:13 -07:00
Håkon Øye Amundsen f0e5a842b3 cmake: use zephyr base in relative path
To be more robust in the placement of MCUBoot directory,
use the ZEPHYR_BASE env variable to locate
nrfxlib directory.

Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
2020-01-22 10:09:57 -07:00
Ulf Magnusson e96b6873bd dts: Include devicetree.h instead of generated_dts_board.h
Needed for https://github.com/zephyrproject-rtos/zephyr/pull/20757, to
avoid a warning-turned-error.

Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
2020-01-16 11:41:28 +01:00
Fabio Utzig 1f50892096 imgtool: update a few errors to use click's
Click has better UI for exceptions, so instead of throwing a backtrace,
allow it to print a nicer error message.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-01-16 06:11:34 -03:00
Fabio Utzig 9a492d5e87 imgtool: add better image overrun checks
This breaks the check() routine into two, one to check the header, one
to check the trailer. The reason is that header checking must be
performed when loading the input binary, while trailer overrun check
must be done after the whole image (with TLVs) is built.

To support the option of saving encrypted TLVs during swap in the
bootloader, a new parameters was added to the create command, to
allow the user to provide a config that matches the bootloader build
option and to do proper image overrun checks.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-01-16 06:11:34 -03:00
Rajiv Ranganath b976a4c0dc docs/PORTING.md: Update APIs needed for porting MCUboot
Signed-off-by: Rajiv Ranganath <rajiv.ranganath@atihita.com>
2020-01-13 10:09:54 -03:00
David Brown 3dc86c90cb sim: Compute TLV size from actual size
Instead of having lots of magic numbers to try and track the resulting
size of the TLV, just determine the size we end up with after encoding
it.  The only place the size is used is in the header within the TLV
itself.  Make this work by putting a placeholder in the TLV, and then
patching the value back after we know the full size.

In addition to removing a lot of magic numbers from the code, this will
make it easier to handle things that vary in size, such as X.509
certificates.

Signed-off-by: David Brown <david.brown@linaro.org>
2020-01-09 11:29:40 -07:00
David Brown 2b73ed9440 sim: Always compute protected size
Instead of having a running size that we try to always match the encoded
size of, compute it a bit more dynamically.  The size is still needed
before the contents can be filled in, so this doesn't gain too much, but
will make it easier to compute the rest of the TLV size based on the
actual encoding rather than lots of magic numbers.

Signed-off-by: David Brown <david.brown@linaro.org>
2020-01-09 11:29:40 -07:00
Fabio Utzig dd2b6804d9 boot: zephyr: remove [EXPERIMENTAL] from config option
Swap without scratch has been tested enough and no obvious bugs (or
"show stopper) bugs seem to exist; so remove [EXPERIMENTAL] and make
it "stable".

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-01-07 17:08:22 -03:00
Fabio Utzig 4b4ed98310 sim: enable saving encrypted TLV for ECIES
This changes the simulator to save the encryption TLV itself instead
of the unecrypted AES-128 key when doing the ECIES encryption test,
to add proper test coverage of this configuration option.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-01-07 17:08:22 -03:00
Fabio Utzig 9e1db9a88f boot: Add free space check for swap without scratch
Add a missing test which ensures that there is enough free sectors to
perform an upgrade when using the move strategy; this basically checks
that the sectors used by the trailer don't overlap the last sector
required for a move up operation.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-01-07 17:08:22 -03:00
Fabio Utzig fc9477504e ci: enable enc-ec256 test
Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-01-07 16:03:55 -03:00
Fabio Utzig 4626853d3e sim: fix RSA signature length macro usage
Update RSA-3072 test that was using old Zephyr macros to set size.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-01-07 16:03:55 -03:00
Fabio Utzig 66b4caac45 sim: allow generation of non-signed + encrypted EC images
Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-01-07 16:03:55 -03:00
Fabio Utzig 729139f80f ci: add tool to check for Cargo features
When running tests from .travis.yml, the passed in features are first
checked locally for support in the current simulator. The list of
supported features was manually maintained, allowing newly implemented
features to be skipped, also skipping the related test (without
warnings). This adds a new tool that parses and prints the list of
features directly from the given Cargo.toml.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-01-07 16:03:55 -03:00
Rajiv Ranganath ce6fe63817 scripts: Add `imgtool.nix`
Nix environment for working with `imgtool.py`

Signed-off-by: Rajiv Ranganath <rajiv.ranganath@atihita.com>
2019-12-30 19:55:58 -03:00
Fabio Utzig ca8ead2af7 zephyr: add option for saving enckey TLVs in swap status
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-20 14:57:06 -03:00
Fabio Utzig 6e137818d2 mynewt: add option for saving enckey TLVs in swap status
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-20 14:57:06 -03:00
Fabio Utzig 4741c45293 bootutil: allow encryption key TLVs in swap status
Add a new option that when enabled, allows a swap status to store
an encrypted key TLV instead of plain keys. When a new swap operation is
started the encryption keys are saved to the swap status area to allow
for resuming (because it is challenging to find those TLV in the middle
of a swap operation).

Previously those keys were saved in plain text, so it would be easy to
dump them if the images were stored in external flash. With this new
option one can choose to save the TLV instead, which uses more flash
but does not leak secrets. The amount of flash required varies depending
on the size of the TLV, which is 48 for AES-128-KW, 512 for RSA and 240
for ECIES-P256.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-20 14:57:06 -03:00
Fabio Utzig f616c5494b bootutil: zero memory containing plain text keys
Avoid jumping into an image while still having encryption keys stored in
RAM, which could then be recovered by the app.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-20 14:57:06 -03:00
Fabio Utzig 3fbbdac56a sim: get status area size from bootutil
Add new bootutil function that returns the size of the status area.
The simulator was updated to remove the custom calculation and get
the size directly from bootutil, avoiding breakages the happen when
both are not in sync.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-20 14:57:06 -03:00
Fabio Utzig 07a9a0364d bootutil: avoid save of enc keys in secondary slot
When using swap withouth scratch, if a revert operation is detected there
is a fixup that needs to be done to avoid losing metadata. This fixup
copied metadata from the primary slot to the secondary slot temporarily.

Previously it was also copying the encrypted image keys but this is not
required since a fixup is only run when starting a new swap where the
keys were loaded directly from the images. This also avoids that a
secondary slot in external flash would leak keys (according to our
threat model).

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-20 14:57:06 -03:00
David Brown a36082664e ecdsa: Allow ECDSA signatures to be actual length
ECDSA signatures are variable length.  They are also encoded as ASN.1.
The ASN.1 parser we use is given the length, and will return a decoding
error if the signature block is not sufficiently long.  Instead of
requiring the signature block be padded to the longest possible length a
signature can be, allow them to be their natural length.

This allows image signing tools to be able to generate signatures that
don't have this padding.  Along with removing the pad removal code from
the EC224 code, this will allow this code to correctly validate all
signatures, not just 255 out of 256.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-12-18 11:53:25 -07:00