Commit Graph

121 Commits

Author SHA1 Message Date
Philip Colmer aad01efd58 Create CNAME 2021-05-04 15:47:49 +01:00
dependabot[bot] 000ef72ac4 build(deps): bump rexml from 3.2.4 to 3.2.5 in /docs
Bumps [rexml](https://github.com/ruby/rexml) from 3.2.4 to 3.2.5.
- [Release notes](https://github.com/ruby/rexml/releases)
- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)
- [Commits](https://github.com/ruby/rexml/compare/v3.2.4...v3.2.5)

Signed-off-by: dependabot[bot] <support@github.com>
2021-05-04 07:36:10 -06:00
David Brown 208db88779 Delete CNAME 2021-05-04 01:23:13 -06:00
David Brown d23214eb05 Create CNAME 2021-05-04 01:22:29 -06:00
David Brown cdee0b7885 docs: Upgrade doc generating dependencies
Addresses CVE-2021-28834
https://github.com/advisories/GHSA-52p9-v744-mwjj

Also removed the explicit jekyll dependency, which according to the
instructions should be commented out if the github-pages dependency is
used.

Signed-off-by: David Brown <david.brown@linaro.org>
2021-04-13 08:45:11 -03:00
David Brown 986c212ea9 docs: Add links to wikipage on project
Update the main webpage to contain links to the wiki page docs on the
project charter, and the membership page.

Signed-off-by: David Brown <david.brown@linaro.org>
2021-04-02 09:13:59 -06:00
Fabio Utzig 5b0f220659 doc: update release process with branching
Add extra step with branch creation after stable releases, to be used
for doing patch releases.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2021-01-13 16:53:07 -03:00
Fabio Utzig ac61c2e464 Fix nokogiri<=1.11.0.rc4 vulnerability
Run "bundle update" and upgrade most ruby gems. This should fix a
warning from GH because of a vulnerable nokogiri version.

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2021-01-06 19:25:23 -03:00
George Beckstein d1233e1b2d Add reference counting to Mbed OS flash backend
The internal functions of mcuboot are not consistent in opening/closing flash areas and sometimes nested calls happen to `flash_area_open` and `flash_area_close`. With the previous implementation, a nested call to `flash_area_close` would deinitialize the underlying `BlockDevice`. This could cause subsequent flash operations on an "open" flash area to fail.

This PR adds a simple open counter for each flash area and ensures the underlying `BlockDevice` is initialized and deinitialized appropriately. The `BlockDevice` is only initialized when transitioning from an open count of 0 to 1. The `BlockDevice` is only deinitialized when the open count falls to 0.

Signed-off-by: George Beckstein <becksteing@embeddedplanet.com>
2020-12-15 14:43:24 -07:00
Andrzej Puzdrowski a8e12dae38 Preps for 1.7.0 release
Update version fields for 1.7.0 release.
Added compatibility note for zephyr-rtos.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2020-11-25 16:26:11 +01:00
Andrzej Puzdrowski e75966105a Preps for 1.7.0-rc2
Update version fields for 1.7.0-rc2 release.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2020-11-12 11:14:28 +01:00
Mate Toth-Pal cbf9d39cbb travis: Add documentation to FIH CI test
Change-Id: Ib0def822e9748d64fd0dd77eefaaeba4ceaf1a83
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2020-11-12 09:27:10 +01:00
Fabio Utzig de1d72d069 doc: fix github urls to use the new org
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-11-10 14:19:19 -03:00
George Beckstein d82afbfaa8 Mbed-OS porting layer implementation for mcuboot
This PR provides a porting layer implementation and framework for building an mcuboot-based bootloader with Mbed-OS. Some symbols are not provided by the Mbed-OS port within mcuboot, namely:

- The secondary storage device (see below)
- The signing keys
- The encryption keys, if used

Use of this port is demonstrated by the following projects:
- https://github.com/AGlass0fMilk/mbed-mcuboot-demo (a complete mcuboot/Mbed-OS-based bootloader)
- https://github.com/AGlass0fMilk/mbed-mcuboot-blinky (example showing how to make an Mbed-OS application that is bootable by mcuboot)

Memory porting implementation:

The underlying implemenation uses Mbed's BlockDevice API as the storage backend for mcuboot's memory operations. This provides a very flexible way of configuring the location and layout of the secondary flash storage area. To build an mcuboot-based bootloader with Mbed-OS, the user must implement a hook function, mbed::BlockDevice* get_secondary_bd(), to provide the secondary BlockDevice that mcuboot will use.

The signing and encryption keys must also be provided by the user. They can be generated using the existing imgtool utility in the same manner used by Zephyr. There are no automated build steps currently provided by Mbed-OS to sign/encrypt build artifacts.

Known limitations:

The update candidate encryption features have not yet been fully tested. A truly secure implementation will require integration with Mbed's TRNG API in the future to inhibit side-channel attacks on the decryption process.

The TinyCrypt backend is currently only supported for Mbed-OS builds when building with the GCC toolchain. The new cmake-based Mbed-OS build system will fix the underlying issue (file name uniqueness).

Signed-off-by: George Beckstein <becksteing@embeddedplanet.com>
Signed-off-by: Evelyne Donnaes <evelyne.donnaes@arm.com>
Signed-off-by: Lingkai Dong <lingkai.dong@arm.com>

Co-authored-by: Lingkai Dong <lingkai.dong@arm.com>
Co-authored-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-11-03 19:16:46 -03:00
David Vincze 505fba252e Boot: Add 'revert' support to direct-xip mode
The 'revert' mechanism in direct-xip is similar to the one in swap mode.
It requires the trailer magic to be added to the signed image. When a
reboot happens without the image being confirmed at runtime (without the
image_ok flag being set), the bootloader considers the image faulty and
erases it. After this it will attempt to boot the previous image
instead. The images can also be made permanent (marked as confirmed in
advance) just like in swap mode.

Change-Id: Ibde9361d4a7302dd8efbb277b691b71eca0ca877
Signed-off-by: David Vincze <david.vincze@linaro.org>
2020-11-03 21:52:11 +01:00
Fabio Utzig f6c692315c Delete CNAME 2020-10-30 14:13:11 -03:00
Andrzej Puzdrowski 69344636be Preps for 1.7.0-rc1
Update version fields for 1.7.0-rc1 release.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2020-10-30 17:56:02 +01:00
David Brown 1151714a68 Create CNAME 2020-10-30 09:13:13 -06:00
Andrzej Puzdrowski dfc7c5f9a4 doc/release: Describe development version designation
After each release version will be changed to
MAJOR.MINOR.PATCH-dev.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2020-10-30 16:12:38 +01:00
Fabio Utzig b94c985a26 Delete CNAME 2020-10-30 12:07:54 -03:00
Fabio Utzig 8084e8beaa Create CNAME 2020-10-30 12:06:39 -03:00
Martí Bolívar a6a0e0e77c doc: clean up multi-image documentation
Some design.md content is causing build errors when they are included
in a .rst based documentation tree in Sphinx.

Adjust the format to make it work in both systems.

Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no>
2020-10-22 17:46:06 -03:00
Fabio Utzig 05722f4a01 doc: PORTING: drop flash_area_read_is_empty()
Update PORTING guide dropping `flash_area_read_is_empty`.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-10-08 20:47:56 -03:00
Fabio Utzig 8ebe53537b doc: fix link to external page in PORTING
Remove a footnote that is not generating a proper link and add an inline
link to the mbed TLS referece for platform.h. This also fixes a warning
when running through recommonmark==0.6.0 because it is unable to parse the
old syntax.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-10-01 09:16:47 -03:00
Tamas Ban 67e3fff047 docs: Revert the moving of design.md
This commit fix the issue reported in #803:
https://github.com/JuulLabs-OSS/mcuboot/issues/803

Signed-off-by: Tamas Ban <tamas.ban@arm.com>
2020-09-18 10:51:22 +02:00
Tamas Ban fe03109ab1 boot: Add ram-load upgrade mode
This patch introduces the ram-load mode in addition to the other
upgrade modes (swap strategies, overwrite-only, direct-XIP). When
ram-load is enabled with the MCUBOOT_RAM_LOAD option, mcuboot
selects the newest valid image based on the image version numbers from
the image header, thereafter the selected image loaded to the RAM and
executed from there. Load address is extracted from the image header.
Therefore the images must be linked to the RAM memory region.
The ram-load mode is very similar to the direct-XIP mode, main
difference is to load the newest image to the RAM beforehand the
authentication and execution. Similar to direct-XIP mode either
of the primary and the secondary slots can hold the active image.

Ram-load can be useful in case of a bit more powerful SoC, which
is not constrained in terms of internal RAM. It could be that image
is stored in external and therefore untrusted flash. Loading image
to internal (trusted) RAM is essential from the security point
of view the system. Furthermore execution from internal RAM is much
faster than from external flash.

This patch is based on the RAM_LOADING upgrade strategy which was
first introduced in the Trusted Firmware-M project.
Source TF-M version: TF-Mv1.0.

Change-Id: I95f02ff07c1dee51244ac372284f449c2efab362
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
2020-09-16 11:06:30 +02:00
David Vincze e574f2d617 boot: Introduce direct execute-in-place (XIP) mode
This patch introduces the direct execute-in-place (XIP) mode in addition
to the other upgrade modes (swap strategies, overwrite-only). When
direct-XIP is enabled with the MCUBOOT_DIRECT_XIP option, mcuboot
selects the newest valid image based on the image version numbers from
the image header, thereafter the selected image runs directly from its
flash partition (slot) instead of moving it. Therefore the images must
be linked to be executed from the given image slot. It means that in
direct-XIP mode either of the primary and the secondary slots can hold
the active image.

This patch is based on the NO_SWAP upgrade strategy which was first
introduced in the Trusted Firmware-M project.
Source TF-M version: TF-Mv1.0.

Change-Id: If584cf01ae5aa7208845f6a6fa206f0595e0e61e
Signed-off-by: David Vincze <david.vincze@linaro.org>
2020-08-12 09:39:44 +02:00
Fabio Utzig a468fce1ed Fix kramdown CVE-2020-14001
https://github.com/advisories/GHSA-mqm2-cgpr-p4m6

Run "bundle update" and upgrade most ruby gems.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-08-11 13:40:25 +02:00
Harry Jiang 6828151973 docs: Fix the typo for imgtool keygen command
Signed-off-by: Harry Jiang <explora26@gmail.com>
2020-07-06 06:36:12 -03:00
David Brown 50d24a5751 Preps for v1.6.0 release
Update README, release notes the mynewt repository file, and imgtool for
the v1.6.0 release.

Signed-off-by: David Brown <david.brown@linaro.org>
2020-05-22 11:59:39 -06:00
David Brown 82c5f7c65c Preps for 1.6.0-rc2 release
Update various version fields.  Also include a note in the release notes
describing Zephyr compatibility.

Signed-off-by: David Brown <david.brown@linaro.org>
2020-05-06 08:40:22 -06:00
David Brown 342e875d0f Preps for 1.6.0-rc1
Update version fields, and add release notes for the 1.6.0-rc1 release.

Signed-off-by: David Brown <david.brown@linaro.org>
2020-04-22 18:27:00 -06:00
David Brown aac7111b02 boot: Update copyrights and licenses
To make contributions easier, place explicit copyrights by the major
contributors, along with an SPDX license identifier.  Files that came
from the mynewt project, which was an Apache project will retain the
Apache project license text, although this does not apply to new
contributions, which are being made by individual contributors.

Hopefully, this will keep everyone happy, but allow contributors that
need to add an explicit copyright to have a place they can add that.

Fixes #501

Signed-off-by: David Brown <david.brown@linaro.org>
2020-04-22 15:07:28 -06:00
David Vincze 25459bffcc docs: Provide description for multiple features
- Update documentation of 'HW based downgrade prevention'
- Add description for the following features:
      MCUBOOT_MEASURED_BOOT
      MCUBOOT_DATA_SHARING
      MCUBOOT_HW_KEY

Change-Id: If7247e906de3028d44cdd9d14a5004661fb955af
Signed-off-by: David Vincze <david.vincze@linaro.org>
2020-04-22 14:25:21 -06:00
David Vincze 4e3c47bfca docs: Fix Markdown rendering issues
- Fix rendering issues of multi-line HTML comments (license headers)
- Fix rendering issues of footnotes

Change-Id: I06c8ad3454a62187e9d527df62560b897ec478f4
Signed-off-by: David Vincze <david.vincze@linaro.org>
2020-04-21 15:42:29 -06:00
Fabio Utzig 20e747c920 mynewt: remove version.yml and references
With the merge of https://github.com/apache/mynewt-newt/pull/365 `newt`
does not use `version.yml` files anymore, so remove the file and
references to updating it in the release process.

Testing a MCUBoot release now depends on `newt` `master` or `> 1.7.0`
(to be released).

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-04-12 14:31:28 -03:00
Fabio Utzig 5eaa57647e docs: Update with X25519 encrypted images info
Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-04-10 17:56:14 -03:00
Håkon Øye Amundsen cdf94c2623 docs: secondary slot magic is unset after update
This description is needed to explain why MCUBoot won't
revert a recently performed update.

Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
2020-03-10 15:54:18 +01:00
Håkon Øye Amundsen 11d91c34a3 docs: fix incorrect state reference
The TEST is state I and PERM is state II.

Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
2020-03-10 15:54:18 +01:00
David Vincze c308413760 bootutil: Introduce HW rollback protection
- Add image security counter verification (read security counter value
  from the image manifest and compare it against the stored/active
  security counter) as an optional part of the image validation process
  to prevent the restoration of older, potentially vulnerable images.
- This feature can be enabled with the MCUBOOT_HW_ROLLBACK_PROT option.
- Add security counter interface to MCUBoot. If HW rollback protection
  is enabled then the platform must provide a mechanism to store and
  read the security counter value in a robust and secure way.

Change-Id: Iee4961c1da5275a98ef17982a65b361370d2a178
Signed-off-by: David Vincze <david.vincze@arm.com>
2020-02-25 23:43:12 +01:00
Fabio Utzig 3647ded973 docs: update nokogiri to fix CVE-2020-7595
https://nvd.nist.gov/vuln/detail/CVE-2020-7595

Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-25 09:26:02 -03:00
Fabio Utzig ef7fbd7012 Preparing for v1.5.0-rc1
Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-07 15:30:45 -03:00
Fabio Utzig 970840ccf5 docs: fix mailing list URL
Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-02-06 06:00:28 -03:00
Håkon Øye Amundsen 2d1bac164f add option for rollback protection
Depends on 'MCUBOOT_OVERWRITE_ONLY' option since swap info is not protected
by signature

Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
2020-01-23 12:47:05 -07:00
Rajiv Ranganath b976a4c0dc docs/PORTING.md: Update APIs needed for porting MCUboot
Signed-off-by: Rajiv Ranganath <rajiv.ranganath@atihita.com>
2020-01-13 10:09:54 -03:00
David Brown 3639aca071 docs: Change name of padding arguments
To be squashed

Signed-off-by: David Brown <david.brown@linaro.org>
2019-12-18 11:53:25 -07:00
David Brown bf3a3a9c71 docs: Typo fixes and suggestions from mbolivar
To be squashed after review.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-12-18 11:53:25 -07:00
David Brown 8f057ca5ae docs: Write up some docs about ecdsa padding
Start with some documentation on ECDSA signatures, and the problems with
the current padding approach.  Present a plan to support correctly
formatted ECDSA signatures, and how to handle the transition both in the
C code, as well as the tooling that signs images.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-12-18 11:53:25 -07:00
Fabio Utzig d37d877603 Add html anchors to design and imgtool documents
When pages are built from the markdown sources, the html anchors for
titles are automatically added, but no links are inserted in the pages.
This makes it harder to send URLs to sections; one has to browse the
page source to get the correct link. This fixes the issue by adding
links directly to the generated pages.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-03 16:35:58 -03:00
Fabio Utzig 478ad247b3 docs: add URL anchor links to encrypted images md
URL anchors are already generated automatically by the GH markdown
processor, but they are not visible. This adds the proper links to the
page.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-11-29 12:55:33 -03:00