Since not all ICs default to enabling flash page layout, enable it from
the MCUboot Kconfig options whenever it is available.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
Add a new MCUboot device settings option that enables or configures
features that are specific to a particular device.
Additionally enable software vector relay in Cortex-M0 CPUs that do not
have a hardware mechanism to relay or forward interrupts.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
Since the Kconfig file is only relevant to Zephyr, move it from the root
folder into boot/zephyr, in order to keep all Zephyr-related files
together.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
When a relative path was used the build would fail when CMake was
invoked with the -B -H flags. Using an absolute path for the
dts.overlay flags fixes#187.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Since boot_read_image_headers only failed when reading headers from
both Slots failed, it could happen that even with a failure reading
Slot 1, this data would still be used by split booting. Now when
reading image headers an extra parameter allows the caller to ask
for failure when any slot read failed.
JIRA: MCUB-56
Signed-off-by: Fabio Utzig <utzig@apache.org>
Assertions that are expected to fail under sim test, are now marked as such
using the macro ASSERT which allows to programmatically switch between normal
assert() behavior and captured assertion.
Assertion changes were moved to more appropriate owners and code duplication
was removed.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The rationale behind this change is that while performing a swap
operation, writes to the status area are not important enough
to abort the operation. If the swap is not interrupted, status
writes are ignored. If the swap is interrupted, failures to write
status area are detected during the next boot and an appropriate
measure is taken.
If MCUBOOT_VALIDATE_SLOT0 is set we ignore the status write fail
and allow slot0 to be validated by its hash/signature. Otherwise,
the old behavior is maintained, which is to abort on any write
failures.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When building in simulator mode, mock assert() to call an simulator
function which will enable other code to check if some path failed.
The assert checking interface, was added to boot_go which now
returns the low-level invocation results as well as the number of
asserts triggered.
Some new added tests check for assert() and expect it to happen. To not
abort tests, assert() was changed under sim env to not call c assert()
and instead just do some internal calculation which could be checked
by the simulator after a bootloader run and assert() catching behavior
was made optional (each test choses the behavior it needs).
Signed-off-by: Fabio Utzig <utzig@apache.org>
When using EC256 for signing, Zephyr now uses the bundled tinycrypt
and mbed-tls ASN1 parser instead of relying on the one provided by
the OS.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This commit removes the pseudo tinycrypt package based on symlinks
by adding a new pkg.yml to ext/tinycrypt and using it directly. It
also uses the new mbed-tls bundled ASN1 parser when EC256 is selected.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This fixes a comparison issue that was previously fixed by doing a
cast. Since tinycrypt and mbed-tls both already use an unsigned for
the size, the mcuboot interface was updated to also use an unsigned
value (size_t to be more precise!).
Signed-off-by: Fabio Utzig <utzig@apache.org>
This enables building ecdsa feature using tinycrypt (mbed still built
for ASN1). The default mbed-tls config was update to use the MCUBOOT_SIGN_*
symbols.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This patch introduced serial bootloader functionality ported
from mynewt targets tree.
For achieving this following changes were applied:
- Modified boot_serial module for using, zephyr-os modules
(crc driver, mbedtls-base64 library) and the zephyr serial adapter module
introduced recently.
- Added service of boot serial recovery mode to main.
- Adapted the input parser to using static buffers.
Default serial-boot-pin configuration was added for nrf52_pca10040
and nrf52840_pca10056 boards.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The library is needed for support mcuboot serial recovery interface.
This library wraps the tinycbor decoder with a attribute based decoder
suitable for decoding a binary version of json.
Origin: apache Mynewt
License: Apache-2.0
URL: https://github.com/apache/mynewt-core/tree/master/encoding/cborattr
commit: bf4b3f6f4cf293fc5a71d7787d5b81555434b6f8
Maintained-by: External
f. cbor_read_mbuf_attrs was removed as it was Mynewt specific.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The library is needed for support mcuboot serial recovery interface.
Tinycbor lib from mynewt is imported because it is already modified for
Add tinycbor library for zephyr
mcuboot serial recovery protocol.
Origin: apache Mynewt
License: Apache-2.0
URL: https://github.com/apache/mynewt-core/tree/master/encoding/tinycbor
commit: bf4b3f6f4cf293fc5a71d7787d5b81555434b6f8
Maintained-by: External
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Serial adapter uses the zephyr UART driver in interrupt mode for
providing communication capabilities needed for the boot serial
recovery mode.
This module provide API similar to mynewt console module.
Serial adapter module can not be compiled along with
the zephyr uart console module so this case is checked.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Fixes warnings treated as errors when upgrading gcc crate to 0.3.54.
Warnings are due to non-used variables and comparison between signed
and unsigned.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When not validating slot 0, we could be booting into an empty
chip. This means we jump based on garbage data.
Try to make this better by at least checking the magic number. Without
this patch, booting with just the bootloader fails the Zephyr release
tests.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
The Zephyr configuration was enabling the memory buffer allocator (but
not using it) without defining enough other features to allow it to
compile (undefined reference to `exit()`).
Disable the memory buffer allocator when just using the ASN.1 library,
and conditionalize the heap itself to avoid using the RAM for that.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of the overly-simplistic allocator in Zephyr, use the still
simplistic allocator in mbed TLS.
On K64f, this saves 848 bytes of text, 44 bytes of data, and 208 bytes
of bss.
Signed-off-by: David Brown <david.brown@linaro.org>
This add a new option to overwrite-only mode that enables copy/erase of
only the amount of sectors that are required to store the source image.
This is enabled by default when overwrite-only mode is used.
MCUB-70
Signed-off-by: Fabio Utzig <utzig@apache.org>
Zephyr now has proper page layout APIs in its flash driver. Use these
to implement flash_area_get_sectors() and flash_area_to_sectors() when
they are available. Leave the existing implementation behind as a
"legacy" version, for flash drivers which lack page layout support.
This lets us obtain all the target support we need for nRF and STM32
targets entirely from the operating system.
There are two cases where OS-level support is still not enough:
- NXP K6x targets still need an SoC family header, because their flash
driver does not yet support CONFIG_FLASH_PAGE_LAYOUT.
- The arduino_101 target needs partition and flash alignment
definitions in its DTS, and a flash driver with page layout support
as well, so its board-specific header must remain for now.
Fixing these is left to future work. Once that is done,
boot/zephyr/targets/ can be removed completely.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Zephyr now provides defines for FLASH_DRIVER_NAME and
FLASH_WRITE_BLOCK_SIZE (which is what we call FLASH_ALIGN) in
the SoC headers for most targets supported by mcuboot. Use that
information when it's available, falling back on MCUBOOT_TARGET_CONFIG
otherwise.
The soc_family_foo.h files remain for FLASH_AREA_IMAGE_SECTOR_SIZE. A
subsequent patch can remove these files when the relevant SoC flash
driver provides a page layout.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
This cleanup commit requires a bit more target-specific knowledge
that's a bit harder to read than board-specific headers, but it's
still an improvement over what we have now.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
All of the information we need is in DTS or is the same across all
boards in the SoC family. There's no need for board-specific headers
for these targets.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Commit 4094813 ("zephyr: force mcuboot to fit in the boot partition")
added a DTC overlay file that breaks the build on arduino_101. That
board doesn't have its flash partitions defined in DTS.
Keep things working for now without allowing other issues to creep in
on ARM targets by excluding the chosen node on x86 targets only.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
This function is unused in overwrite-only mode. Clang seems to catch
this, whereas gcc does not. Add the proper ifdefs so that the
simulator tests all pass on MacOS.
Signed-off-by: David Brown <david.brown@linaro.org>
Fixes a bug when MCUBOOT_VALIDATE_SLOT0 is enabled which caused the
header in Slot 1 to be used for calculating the bootstrap offset. This
bug is masked when MCUBOOT_OVERWRITE_ONLY is not enabled because both
slots have the same header size (usually!). With MCUBOOT_OVERWRITE_ONLY
Slot 1 was erased and the header size would be read as 0xffff resulting
in a jump to the wrong address.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When building in overwrite-only, there is no status/trailer management.
This commit fixes an issue where there was a write to image_ok/copy_done
where those flags where already set (copied from slot 1) which would
cause a write over non-erased flash.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This removes the dependency on tinycrypt lib provided by mynewt and
switches to the one bundled in mcuboot. Also fixes a bug where tc
was only being used when eliptic curve 256 was selected as sign
algorithm.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add a flag `IMAGE_F_RAM_LOAD` and an associated header field
`ih_load_addr` to indicate that a particular image should be loaded into
RAM instead of being executed directly out of flash. If the flag is not
set, this field will be ignored. If it is set, and this feature is
supported by the bootloader, the image will be loaded into RAM at the
address specified in the new header field.
None of this functionality is implemented at this time. This is merely
to define the header format to avoid having to change the image format
later.
JIRA: MCUB-79
Signed-off-by: David Brown <david.brown@linaro.org>
Disable the Zephyr-provided Tinycrypt, and use our local copy. This
avoids problems with changing version across different Zephyr releases.
Signed-off-by: David Brown <david.brown@linaro.org>
Add the 2 official Nordic Development Kit targets that are missing from
the list in mcuboot, but supported in Zephyr.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
The keyhash should be able to have any size up to the maximum allowed
size of 32, but the assert was not allowing images created with newt to
be accepted as valid (newt currently uses only 4 bytes for keyhash).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: David Brown <david.brown@linaro.org>
When starting a swap upgrade, the total size of data to be swapped is
calculated only at the beginning and saved to the trailer. This avoids
having to use complicated heuristics to find the total swap size, which
might depend on data that was already moved. When resuming a swap, the
size is found in the trailer and used.
Also includes some small comment fixes and refactors.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: David Brown <david.brown@linaro.org>
The local variable 'size' is actually the offset of the end, and not the
size. Rename it to reflect this reality.
Signed-off-by: David Brown <david.brown@linaro.org>
Clarify the name of the TLV field to more fully describe the signature
type.
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
Since we are changing the image header format, there is no reason to
continue to support the old PKCS#1 v1.5 signatures. Remove the
definitions, and conditional complication related to this, and only
support the newer PSS signatures.
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
Since we've changed the meaning of several fields in the header, bump
the header to a new magic number. The fields that are still present are
in the same place, but all of the signature and TLV information is moved
into the TLV itself, which is still immediately after the image.
As of this commit, this defines the new image header/TLV format used for
1.0.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
To allow the signatures to be replaced, move the size of the TLV into a
small "info" header at the start of the TLV.
Note that this causes image swapping to lose robustness. This is fixed
by a later commit.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
JIRA: MCUB-65
Remove the key_id field from the image header. There are two problems
with this field. First, it is only an integer offset, and so causes an
unnecessarily tight coupling between the particular keys built into the
bootloader, and the key that is used to sign. Second, it makes the
key_id part of the image header, which is included in the signature.
This makes it impossible to later sign the image with a different
signature.
Instead of the key-id, add a TLV KEYHASH entry. This will hold the
SHA256 of the public key that the signature is against. Each signature
placed in the TLV should be preceeded by this entry to indicate the
public key used.
The signature check will check each signature, and if the KEYHASH is
known and the signature type is supported, it will be checked. As long
as at least one signature is considered valid, the image will be
considered signed. This also allows the image to be signed with
multiple signatures to support having different devices with possibly
different keys compiled into the bootloaders.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
In preparation for moving the signature related values out of the main
image header and into the TLV, renumber the existing TLV values to be
grouped together better.
The SHA256 is moved into the first group, at 0x10, and the signature
values themselves are moved to start with 0x20.
This change is the first in a series of changes toward the new v1.0
image format. The intermediate results are all internally consistent
(meaning that the simulator, and the builtin imgtool.py will all work
together), but until all patches are applied, the image format is not
valid with any external tools.
Based on work by Marko Kiiskila <marko@runtime.io>.
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
Upstream Zephyr is making a habit of enabling subsystems on any board
that supports them. That's a potential security risk if any of those
allow interference with the running bootloader, and is currently
exceeding mcuboot's flash allowance on some STM32 targets,
e.g. 96b_carbon. Turn off I2C to restore the build for those.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Adds a new zephyr target for the nrf52_blenano2. This is the BLE
Nano 2 board created by Red Bear which contains a NRF52832 MCU.
Signed-off-by: Tyler Baker <tyler.baker@linaro.org>
The hexiwear k64 is very similar to the frdm_k64, as far as mcuboot is
concerned. The partitions are now defined in DTS in Zephyr, and this
target file just needs the device name, sector size, and alignment.
Signed-off-by: David Brown <david.brown@linaro.org>
The comment for BOOT_SWAP_TYPE_NONE says "Just boot whatever is in
slot 0". That's not correct: if configured to do so (and this the
strongly recommended configuration), mcuboot will first
cryptographically validate the contents of slot 0 before booting it.
Fix the comment to be more accurate.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Adjust alignment and add missing leading zero to
IMAGE_F_PKCS1_PSS_RSA2048_SHA256. This needed some comment changes to
keep things 80 column clean.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
This flag was added to the RSA config file, but not the ECDSA file. It
is needed to configure the MPU to allow the flash device to be written
to.
Signed-off-by: David Brown <david.brown@linaro.org>
Recent Zephyr trees require this config option to be set in order to be
able to write to the flash device. Without it, targets with an MPU
enabled will abort during startup, usually before even printing a
message to the UART.
Signed-off-by: David Brown <david.brown@linaro.org>
This enables mynewt to use mcuboot as a remote repository, which is only
required when using newtmgr to manage images. Since mcuboot has slightly
changed the trailer format, newtmgr built against the bundled mynewt
bootloader writes the magic and flags to the wrong location.
To build a mynewt app the wants to run with mcuboot as the bootloader
and requires newtmgr one needs to change the app's pkg.yml dependencies
as follows:
- - boot/bootutil
+ - "@mcuboot/boot/bootutil"
Signed-off-by: Fabio Utzig <utzig@apache.org>
When image is slot 1 had bad signature, the swap would fail and
try to write image_ok in slot 0 which if that was already a
permanent image would cause a overwrite in flash.
Fix warning/error when slot 0 validation is not enabled.
Signed-off-by: Fabio Utzig <utzig@apache.org>
After a swap operation is finished trailer control flags are written
according to the type of swap that was performed. The function names
that execute those operations were renamed to explicity reflect what
they do, and all "less deterministic" behaviors, of the type
"if flash is not set, set it", were removed.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds handling of the copy_done bit while evaluation a swap state.
Since copy_done is only ever written when a swap finishes, it can be
safely assumed that if copy_done is not set no swap was ever performed
and the image was written directly to flash, and thus no revert is run.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This reworks much of the code, as well as tables, handling swap
state to make them simpler. Only states that require an actual
swap to be performed, perm/test/revert are checked for and acted
upon. Other possible states try to default to no operation
performed.
One extra state, BOOT_SWAP_TYPE_PANIC, was added to differentiate
between "soft" errors and unrecoverable ones (as flash read/write
errors).
Non well defined state changes after swap failures, as described
in MCUB-59 were also clean up.
This should also fix situations as described in MCUB-63, where
images generated using imgtool (magic + image_ok set) are written
to slot 0 and cause an incorrect "revert".
Signed-off-by: Fabio Utzig <utzig@apache.org>
The MCUBOOT_VALIDATE_SLOT0 feature only verifies the signature when
there is no swapping happening. The assumption was that if there is a
swap being done, the code will verify the signature of slot 1 before
doing the slot.
However, either due to bugs, or intentional trickery, it may be possible
to confuse the code into continuing a swap operation. If the data is
modified before this, the bootloader can be tricked into booting the
resulting image in slot 0 without having verified the signature.
Fix this by always verifying slot 0's signature before booting it.
JIRA: MCUB-64
Signed-off-by: David Brown <david.brown@linaro.org>
This implements changes according to MCUB-14, easing the process
of making external apps parse and read/write the trailer.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Now that the partition table has been added to the device tree for the
frdm_k64f in upstream Zephyr, these symbols become redundant defines.
Remove them to fully use the partitions defined in Zephyr.
Signed-off-by: David Brown <david.brown@linaro.org>
For mynewt flash map only accepts values for slot 0 and 1. This
code was trying to read the image header on the scratch area using
the same interface and was segfaulting when slot0 and slot1 had
similarly sized images.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This error was catched by Coverity and it happens when a fail occurs
opening a flash map handle, which is not checked by the close
routine.
Right now this only affects Zephyr, but extra checking was added
assuming that in a future Mynewt implementation close could actually
be changed to do something.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add reference counting to the flash areas, and a zephyr-only routine
which warns when areas are still open when none should be. Call the
warn routine right before chain-loading.
This prints warnings due to code in loader.c. Future work will be
needed to clean this up.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Use flash_device_base() in the boot code to compute a real address,
given the offset returned by boot_go().
Provide an implementation on mynewt that preserves existing
behavior. If mynewt needs to support devices with nonzero flash base
addresses, this can be migrated to the core OS.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Similarly, it's confusing whether br_flash_id is a flash device ID or
a flash area ID. Make this unambiguous.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
The boot response returns a flash offset, not a flash address. This is
causing confusion and leading to crashes on some platforms which don't
have flash at address 0.
Rename the field to make it more clear what its purpose is; future
patches can start fixing up usages.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Add a typedef which lets us use flash_sector or flash_area to contain
the sectors within the boot_data global. When
MCUBOOT_USE_FLASH_AREA_GET_SECTORS is defined, this is struct
flash_sector.
Also add struct boot_loader_state accessors to handle this case, and
make the appropriate changes to where the sectors are allocated to use
the new typedef.
Finally, ensure MCUBOOT_USE_FLASH_AREA_GET_SECTORS is defined in the
Zephyr Makefile, since flash_area_get_sectors() is already provided
there.
This lets mcuboot users convert to the new flash API gradually.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Move helpers which are needed for using flash_area_to_sectors() to the
end of file. This is just to keep things clean when we add support for
flash_area_get_sectors().
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Keep both image areas and the scratch area open while we are
bootloading. This fixes up a hack and will make it easier to use
flash_area_get_sectors() later.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Add abstractions for calculating the starting offset of a sector from
the beginning of its image, and the starting offset of an image slot
from the beginning of its flash device.
Using this tweaks a check in boot_swap_sectors(), but doesn't change
its outcome.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Add an abstraction for initializing bootloader state for a particular
flash area.
For now, we preserve some existing hacky behavior related to the
scratch area. This will get cleaned up more later in the series.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Taking the opportunity to move some signed integers over to unsigned
size_t as we go. (Depending on compiler settings, signed / unsigned
comparisons can generate warnings, so it's nice to use the signedness
we mean when possible).
Having boot_img_set_num_sectors() is just an intermediate step; this
gets cleaned up as we go forward.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
This begins some preparatory work to using flash_area_get_sectors() in
loader.c. Subsequent commits will add and use additional accessors for
the contents of this struct.
Making the struct contents opaque will allow it to contain struct
flash_area or struct flash_sector values in its sectors field. This
will allow use of either flash_area_get_sectors() or the
now-deprecated flash_area_to_sectors().
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Implement new flash API which allows users to learn the physical base
addresses of flash devices.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
The current flash_map.h API treats flash areas and flash sectors
synonymously. This isn't accurate; a flash area comprises one or more
sectors.
To distinguish them, add a new struct flash_sector, and a new
flash_area_get_sectors() which initializes an array of struct
flash_sector instead of struct flash area.
That done, deprecate flash_area_to_sectors().
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
This accessor returns the physical base address of a flash device,
given its ID. This will be used to support flash devices with nonzero
base addresses in mcuboot.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Allow the size of bignums in mbed TLS to be configured larger than
needed for RSA2048. This will waste memory holding the large numbers,
but will still work.
The PKCS#1 standards, which define RSA signatures, are currently at
version 2.2. Starting in v2.1, the standard defines a new signature
method RSA-PSS, which has a stronger security proof than the signature
method used in earlier versions. The standard recommends that RSA-PSS
be used in new designs, instead of the older algorithm.
This patch implements RSA-PSS verification for a specific set of
parameters:
- RSA-2048
- SHA256 for both the message digest and the internal hash
- 32-byte salt
- 2047 bit message
Although RSA-PSS supports other parameters, due to size constraints,
this verificatino code only supports these specific parameters, and
signatures with other parameters will be considered invalid.
To encourage the use of the more secure algorithm, the default build
configuration is RSA-PSS. BOOTUTIL_RSA_PKCS1_15 needs to be defined in
order to support the older signature algorithm.
Remove most of mynewt specific stuff to a separate port package. This
should make mcuboot less "mynewt'y" and slightly easier to port to.
- Mynewt specific stuff moved to boot/mynewt.
- Sample app moved from apps/boot to boot/mynewt.
- Use MYNEWT_VAL macro only on mynewt port.
- BOOTUTIL_* and MYNEWT_VAL() usage moved to MCUBOOT_ defines.
Before this patch, the swapping would process all sectors in a slot
not matter what the size of the binary firmware was. This changes the
swap process to swap only sectors that are in use by firmware.
Also, if the last slot sector, which stores the trailer, is actually not
in use by the binary firmware, now trailer is never written to scratch.
`use_scratch` temp variable was added to boot_status struct to control
this (this var is never written to disk).
Random other small refactorings were applied.
Before this change, trailer was handled as part of the binary image,
which during a swap was just copied around together with the image.
This had issues if some fault happened while the trailer copy was
underway.
This patch changes how trailer is handled by making by non-copying.
The trailer is now updated step-by-step based on the current status.
Magic, copy_done and image_ok are also handled by writing them
individually, not by copying.
The trailer on scratch area was reduced to include at most swap state for
one sector, since it is only used temporarily while erasing the last
sector of the slot that stores the final trailer.
Many other small fixes were applied.
In order to allow messages to be printed, set the compiled level to
INFO. This allows messages at this level to be printed without having
to recompile.
Change the C logging code, when in the simulator, to query what the rust
logging level is set to. This allows the level of logging from the C
code to be set through the environment. For example
RUST_LOG=bootsim=info cargo run --release runall
will enable logging at the "info" level for all of the C code as well as
the simulator code. The C code's logging can be selected specifically
by using bootsim::api instead of just bootsim in the above.
Add a configuration option "BOOTUTIL_OVERWRITE_ONLY" that avoids using
the image swap code. Instead, when an upgrade is detected in slot 1, it
is copied directly onto slot 0. As long as the image in slot 1 is
valid, this should work robustly (it will redo it if power is lost
during the upgrade).
This doesn't protect against the case of deploying an image that fails
to boot on some devices. But, the behavior is similar to the swap
upgrade approach when the slot 1 image is marked initially as "image
ok", but without the complexity (or need of a swap partition) of the
swap code.
Add a simple function to query the bootloader for capabilities.
Ultimately, this API should be available to the running app, but the
simulator can use this to determine what to test.
Instead of a separate invocation of printf to print the trailing
newline, use some modern cpp trickery to expand the format string
explicitly. The ## will remove the preceding comma of the argument list
if empty.
Add logging support for when running in the simulator. Log messages are
still based on compile-time determinations, and log using printf.
Based on a patch from Marti Bolivar <marti.bolivar@linaro.org>.
Expand the data slots to 384K each, leaving the boot and scratch areas
as 128K. This allows more room for code, but will wear the scratch
partition about 3x faster because of the more extensive use of the
partition.
When building with ECDSA P-256 as the signature algorithm, we are still
bringing in SHA256 and some ASN.1 code from mbed TLS. Fix part of this
by wrapping the hash functions with general routines (inline functions)
allowing to select between mbed TLS and Tinycrypt for the
implementation.
Update the Zephyr config files so that the Tinycrypt version is used
when building the ECDSA P-256 signing variant.
There are some problems with how mbed TLS is configured in Zephyr.
First, include the makefile stub in the Makefile that uses these
defines. This makes sure the right definitions get made so that our
custom config gets used for all compiled files, rather than a mixed set.
Also, fix up the wrappers on the custom configs so that each is
different, making it easier to detect if multiple configs are being
included.
Lastly, only include the right header in the image validation. The mbed
TLS includes don't seem to want to allow both RSA and ECDSA to be used
(due to the key size), and including the wrong header results in a
compilation error.
The original Zephyr platform support files use tabs for indentation
(to match the Zephyr project). Since this code is all together, and
will be used as the basis for other platforms, fix this indentation to
match that used by the rest of mynewt.
This change is clean with respect to "git show -b", and only changes
the indentation of the beginning of lines.
This fixes MCUB-39.
On Zephyr targets, flash_area_to_sectors() assumes that the flash
device's sector size is equal to the size of the scratch area.
That breaks swap and rollback when scratch size doesn't divide image
size, since the image flash areas will not be correctly configured.
This is a valid configuration supported by the rest of mcuboot.
The best way to fix this would be to get the flash layout from Zephyr,
but that's not possible yet.
Instead, provide a new FLASH_AREA_IMAGE_SECTOR_SIZE define from
target.h. This must be the sector size for these areas:
- FLASH_AREA_IMAGE_0
- FLASH_AREA_IMAGE_1
- FLASH_AREA_IMAGE_SCRATCH
Other areas on the device may have sizes different than
FLASH_AREA_IMAGE_SECTOR_SIZE.
This won't work on platforms where those areas have nonuniform sector
sizes, but we'll cross that bridge when we come to it. (At that point,
an upstream Zephyr change to the flash API really seems needed.)
Revert to the old/buggy behavior when FLASH_AREA_IMAGE_SECTOR_SIZE
isn't provided, but emit a warning. Additionally, touch up the logging
and error handling while we're here.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
The current configuration only allows ~170 updates before we can
expect wear on the flash device (per product spec that the flash
device supports 10,000 erase cycles). Increase the scratch size to
make this better by removing some application space, to allow for
~2500 application updates or rollbacks.
The new configuration is 52 KiB (13 sectors) for scratch, and 208
KiB (52 sectors) for each application image.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
MCUBOOT_TARGET_CONFIG is included in several places now,
not just boot/zephyr/main.c. This seems likely to continue.
Let's avoid trouble and make it a real header file, target.h, that
pulls in MCUBOOT_TARGET_CONFIG. That done, include target.h instead
everywhere MCUBOOT_TARGET_CONFIG is included.
This will make it easier to provide values at an SoC/family level
later. We can expect different Zephyr boards to have the same SoC and
thus likely the same mcuboot flash layout, so this will avoid
duplication.
All supported boards are compile-tested.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
The Zephyr log backend already prepends the function, so it's
redundant to do it here.
Also convert a stray SYS_LOG_ERR to BOOT_LOG_ERR().
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Avoid clock related interrupts before jumping into the first image. Safe
to disable as the first application will enable the clock/timer again
once booted.
Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
We won't need the GPIO, timer, or pinmux drivers for
functioning asa bootloader, and some extra exception
debug info has been disabled.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Commit 7238f51 ("zephyr: add support for x86 booting method")
introduced a backend-specific do_boot() function. On ARM, this casts
to an undefined type 'struct vector_table*'. Fix this by using the
'struct arm_vector_table*' introduced in that patch.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
The bootloader is just using Zephyr as a HAL and doesn't require
thread scheduling. Build Zephyr in single-threaded mode and gain
some footprint savings.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Previously, the return of boot_swap_sectors() was discarded. If a flash
operation failed, this information was lost.
Now, boot_swap_sectors() returns void. Rather than returning a result,
success is asserted for all flash operations during function execution
(boot_copy_sector() and boot_erase_sector()).
commit d930ec69c8
Author: David Brown <david.brown@linaro.org>
Date: Wed Dec 14 07:59:48 2016 -0700
Validate slot zero before booting
adds a feature to validate slot 0 before booting it. However, there
is an error in the logic, and if the magic number is written to an
invalid value, but not all 0xFF, it will consider any image to be
valid.
Fix this logic so that slot zero is always validated.
Let's stay in-sync automatically with Zephyr master by referring
to CONFIGs for the flash device names.
Signed-off-by: Michael Scott <michael.scott@linaro.org>
The following declarations are undefined and unused in both simulator
and zephyr builds (96b_nitrogen, 96b_carbon, frdm_k64f):
- flash_map
- flash-map_entries
- flash_map_init()
Delete them.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Use the bootutil_log.h APIs to log the boot source chosen by the
loader, as well as the image trailer state that led it to its
conclusion.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Now that mcuboot has its own logging subsystem, use that instead.
Note that this changes the domain from "[BOOTLOADER]" to "[MCUBOOT]".
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
This patch adds platform-independent logging to bootutil.
When bootutil is compiled as part of an application, the
application environment can provide logging hooks using this
file. Initially, hooks for Zephyr are provided. When built for
simulation or unit testing, the logging macros produce no
code (the ignore.h used by mynewt is used to avoid unused
variable warnings in this case).
Before including this file, users may define BOOT_LOG_LEVEL. If
they do, it must be one of BOOT_LOG_LEVEL_OFF,
BOOT_LOG_LEVEL_ERROR, ..., BOOT_LOG_LEVEL_DEBUG. This determines
the log level for the current translation unit. If they do not, a
default log level is determined in a target-specific way.
After including bootutil_log.h, the macros BOOT_LOG_ERR(),
BOOT_LOG_WRN(), etc. may be used to log messages. These take
printf-like arguments.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Currently, the flash map is a single entry sized to fit the
FLASH_AREA_IMAGE_0_SIZE. This works for HW where
FLASH_AREA_IMAGE_SCRATCH_SIZE is the same or larger than
FLASH_AREA_IMAGE_0_SIZE.
However, if FLASH_AREA_IMAGE_SCRATCH_SIZE is smaller than
FLASH_AREA_IMAGE_0_SIZE, we need to generate enough write blocks in the
flash_map so that each will fit in FLASH_AREA_IMAGE_SCRATCH_SIZE.
Signed-off-by: Michael Scott <michael.scott@linaro.org>
In Zephyr there is a flash HAL function: flash_write_protection_set()
which for many SoCs is a stubbed function with no functionality,
but for others performs the unlock / lock procedures required before
writing to flash.
We need to add this function to our flash_area_write() wrapper
to support the hardware that requires it.
This fixes mcuboot flash writing for the nRF5x SoCs.
Signed-off-by: Michael Scott <michael.scott@linaro.org>
Zephyr now supports moving the vector table for Corext M* targets.
Let's remove this code from mcuboot as this has been changed
upstream and breaks mcuboot build.
Signed-off-by: Michael Scott <michael.scott@linaro.org>
Make it clear in the top-level Makefile how to configure mcuboot for
Zephyr for a particular signing algorithm. Currently supported, are the
RSA signatures, and ECDSA with the P-256 curve. These configuration
lines will select the code built in the bootloader, as well as which
public key gets included with the image.
This also adds a demo public key for the P-256 signatures.
Instead of just checking the upgrade image signature, check the
signature on each boot. This helps to prevent rogue images being flash
by a means other than the upgrade process.
This feature is controlled by whether BOOTUTIL_VALIDATE_SLOT0 is
defined.
The ECDSA signature is written as two DER-encoded INTEGERS. Although
the values are always 256 bits, the encoding ends up being variable
length, because the encoding is signed, and therefore needs an extra
zero byte to keep the number positive. This means that the length can
vary by up to two bytes.
The 'newt' tool handles this for signature by allowing space for the
largest encoding, and padding with one or two zeros. However, the
bootutil image check code insists that the length is exact, resulting in
a decoding error on about 3/4 signatures.
Fix this by only verifying that we have at least enough payload to hold
the signature. There are later checks that will fail if the integers
themselves are too large.
Some flash devices not only require writes to occur on an `align` byte
boundary, but also require that the writes be done in chunks of this
size as well. Enhance the sections that write status bytes to write
more than a single status byte.
Bluetooth is enabled by default with some boards, so just make sure that
it gets disabled here to avoid having a large bootloader firmware.
Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
Make it generic and let the SoC itself handle the FLASH driver support
as part of the Zephyr build system.
Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
Move the board specific configurations into its own header file, which
can now be created per board, once it gets tested and validated by the
bootloader.
Signed-off-by: Ricardo Salveti <ricardo.salveti@linaro.org>
Carles Cufi