Mynewt has recently added an encrypted flash layer driver, that runs
transparently on any flash, handling reads and writes, and bypassing
other flash operations to the HW driver. As a result of this change,
checking for erased data cannot be done by read + compare to erased_val
but need to be routed to an empty check on the lower level. To do this
Mynewt added a new flash_map function called "flash_area_read_is_empty"
which checks for erased blocks (and reads/decrypts the data as well).
This commit uses `flash_area_read_is_empty` to determine if magic,
flags and swap status are erased. For Zephyr/sim commits were added
previously that mimic this functionality by simply doing the
read/compare.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This compliments the previous change on `image_ok` and also removes
`flash_area_erased_val` call that is not needed anymore.
Signed-off-by: Fabio Utzig <utzig@apache.org>
It was impossible to set confirm flag due to incorrect comparison.
In this point of time state->image_ok is already decoded and contains
one of following values:
If BOOT_FLAG_UNSET then we are ok to set a confirm flag.
Signed-off-by: Łukasz Rymanowski <lukasz.rymanowski@codecoup.pl>
This will fix#335 by defining the array size of the magic word and
give it to the relevant functions.
Signed-off-by: Hovland, Sigvart <sigvart.hovland@nordicsemi.no>
This extends mcuboot to allow use on devices which don't follow the
typical erased at 0xff. This was tested on some previously supported
devices (erased at 0xff) and STM32L1/L0 which are erased at 0.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The swap status area is used to maintain information that allows
recovery when interrupted in the middle of a swap. This area has no
usefulness when doing a overwrite-only upgrade, which always copies the
entire slot.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This removes settings of log level on a per file basis. The log level
should be set by the global config, while per file log configuration can
still be set, don't enforce them.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Now bootutil_log.h was converted to use per platform logging primitives
defined according to documentation established on the template file.
Some "null" macros were left to avoid breaking per source logging level
definition when MCUBOOT_HAVE_LOGGING was not defined.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The patch introduce usage of zephyr flas_map module instead
of mcuboot zephyr-only implementation. Unused flash_area_to_sectors
API of former flash_map was removed as well.
Size of sector-status-update-map entry is now defined thanks to the
minimum write size supported by the flash driver.
For avoid ambiguity former zephyr-only files flash_map.c
were renamed to flash_map_extended.c (its code now implements
only addition to this what zephyr flash_map implements).
flash_map.h header include is now warped by flash_map_backedn.h headre
because implementations and include pathes are diferent in Zephyr and Mynewt.
Usage of hal_flash_align() were replaced by usage flash_area_align().
This provide consistency between MyNewt and Zephyr implementation as
this API is available in both RTOSes.
flash_map.h was moved to the simulator c-support files as now missing in
the boot/zephyr subdirectories.
f. boot_scratch_fa_device_id was removed as unused.
f. boot_img_fa_device_id was and expanded the only use of it
(on loader.c).
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
This removes the old "TLV size" and "keyId" fields that used to exist
in the old image header format and updates it to use `load_addr`. Also
fixes the name of reserved fields to index from 1.
This fixes#279
Signed-off-by: Fabio Utzig <utzig@apache.org>
The unit tests depend on a few Mynewt packages (`test/testutil` and
`sys/console/stub`). If there is no repo prefix in the dependency
specifier, newt assumes the package is in the local repo (mcuboot)`.
This commit adds the `@apache-mynewt-core/` prefix to these
dependencies.
Signed-off-by: Christopher Collins <ccollins@apache.org>
Continue removing platform-specific conditional compilation from
bootutil by adding a new MCUBOOT_HAVE_ASSERT_H configuration option
and associated header file. Right now, that's only used by the
simulator.
That leaves just bootutil_log.h with platform-specific contents, but
since it's meant to be an abstraction layer for logging, we'll let it
stand for now.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Take the opportunity to clean up a bit of platform cruft that has
gotten into bootutil by moving it to mcuboot_config.h, and ensuring it
is documented in the template config file.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Mynewt uses this file to convert MYNEWT_VAL(xxx) to MCUBOOT_xxx config
options. Zephyr currently adds config options via the compiler command
line, but it should use this instead.
As prep work for that conversion, add an empty mcuboot_config.h to the
Zephyr port, and include this file unconditionally wherever it's
needed. This takes care of the simulator as well, since that puts
boot/zephyr/include on its C file include path.
This turned up a couple of files (bootutil_priv.h and caps.c) that
were using the MCUBOOT_xxx config values without including the
file. Add the includes there, as they'll be needed later.
To make this official, add it to the requirements in the porting guide
and provide a template file porters can use while getting started.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
fixup! Mandate the presence of mcuboot_config/mcuboot_config.h
This still defaults to 128 for compatibility, but allows users to
specify less elements to save space, or more elements for devices that
have massive flash size and/or too small sectors.
Signed-off-by: Fabio Utzig <utzig@apache.org>
BOOT_STATUS_ASSERT increments the variable if the macro argument
is evaluated as true, which is incorrect behavior compared to the
ASSERT macro.
Signed-off-by: Johann Fischer <j.fischer@phytec.de>
In 2f8f06aa25
commit 2f8f06aa25e9d5ee4fc9fe217543c872b39e4d05
Author: Hanno Becker <hanno.becker@arm.com>
Date: Fri Sep 29 11:47:26 2017 +0100
Don't always recompute context length in mbedtls_rsa_get_len
mbed TLS begins assuming that the 'len' field of the context has been
set properly. Previously, we relied on this not being true, and various
tests fail for all keys without setting this.
The fix is to simply set the length based on the value we read.
fixes#235.
Signed-off-by: David Brown <david.brown@linaro.org>
Since boot_read_image_headers only failed when reading headers from
both Slots failed, it could happen that even with a failure reading
Slot 1, this data would still be used by split booting. Now when
reading image headers an extra parameter allows the caller to ask
for failure when any slot read failed.
JIRA: MCUB-56
Signed-off-by: Fabio Utzig <utzig@apache.org>
Assertions that are expected to fail under sim test, are now marked as such
using the macro ASSERT which allows to programmatically switch between normal
assert() behavior and captured assertion.
Assertion changes were moved to more appropriate owners and code duplication
was removed.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The rationale behind this change is that while performing a swap
operation, writes to the status area are not important enough
to abort the operation. If the swap is not interrupted, status
writes are ignored. If the swap is interrupted, failures to write
status area are detected during the next boot and an appropriate
measure is taken.
If MCUBOOT_VALIDATE_SLOT0 is set we ignore the status write fail
and allow slot0 to be validated by its hash/signature. Otherwise,
the old behavior is maintained, which is to abort on any write
failures.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When building in simulator mode, mock assert() to call an simulator
function which will enable other code to check if some path failed.
The assert checking interface, was added to boot_go which now
returns the low-level invocation results as well as the number of
asserts triggered.
Some new added tests check for assert() and expect it to happen. To not
abort tests, assert() was changed under sim env to not call c assert()
and instead just do some internal calculation which could be checked
by the simulator after a bootloader run and assert() catching behavior
was made optional (each test choses the behavior it needs).
Signed-off-by: Fabio Utzig <utzig@apache.org>
This commit removes the pseudo tinycrypt package based on symlinks
by adding a new pkg.yml to ext/tinycrypt and using it directly. It
also uses the new mbed-tls bundled ASN1 parser when EC256 is selected.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This fixes a comparison issue that was previously fixed by doing a
cast. Since tinycrypt and mbed-tls both already use an unsigned for
the size, the mcuboot interface was updated to also use an unsigned
value (size_t to be more precise!).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Fixes warnings treated as errors when upgrading gcc crate to 0.3.54.
Warnings are due to non-used variables and comparison between signed
and unsigned.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When not validating slot 0, we could be booting into an empty
chip. This means we jump based on garbage data.
Try to make this better by at least checking the magic number. Without
this patch, booting with just the bootloader fails the Zephyr release
tests.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
This add a new option to overwrite-only mode that enables copy/erase of
only the amount of sectors that are required to store the source image.
This is enabled by default when overwrite-only mode is used.
MCUB-70
Signed-off-by: Fabio Utzig <utzig@apache.org>
This function is unused in overwrite-only mode. Clang seems to catch
this, whereas gcc does not. Add the proper ifdefs so that the
simulator tests all pass on MacOS.
Signed-off-by: David Brown <david.brown@linaro.org>
Fixes a bug when MCUBOOT_VALIDATE_SLOT0 is enabled which caused the
header in Slot 1 to be used for calculating the bootstrap offset. This
bug is masked when MCUBOOT_OVERWRITE_ONLY is not enabled because both
slots have the same header size (usually!). With MCUBOOT_OVERWRITE_ONLY
Slot 1 was erased and the header size would be read as 0xffff resulting
in a jump to the wrong address.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When building in overwrite-only, there is no status/trailer management.
This commit fixes an issue where there was a write to image_ok/copy_done
where those flags where already set (copied from slot 1) which would
cause a write over non-erased flash.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This removes the dependency on tinycrypt lib provided by mynewt and
switches to the one bundled in mcuboot. Also fixes a bug where tc
was only being used when eliptic curve 256 was selected as sign
algorithm.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add a flag `IMAGE_F_RAM_LOAD` and an associated header field
`ih_load_addr` to indicate that a particular image should be loaded into
RAM instead of being executed directly out of flash. If the flag is not
set, this field will be ignored. If it is set, and this feature is
supported by the bootloader, the image will be loaded into RAM at the
address specified in the new header field.
None of this functionality is implemented at this time. This is merely
to define the header format to avoid having to change the image format
later.
JIRA: MCUB-79
Signed-off-by: David Brown <david.brown@linaro.org>
The keyhash should be able to have any size up to the maximum allowed
size of 32, but the assert was not allowing images created with newt to
be accepted as valid (newt currently uses only 4 bytes for keyhash).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: David Brown <david.brown@linaro.org>
When starting a swap upgrade, the total size of data to be swapped is
calculated only at the beginning and saved to the trailer. This avoids
having to use complicated heuristics to find the total swap size, which
might depend on data that was already moved. When resuming a swap, the
size is found in the trailer and used.
Also includes some small comment fixes and refactors.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: David Brown <david.brown@linaro.org>
The local variable 'size' is actually the offset of the end, and not the
size. Rename it to reflect this reality.
Signed-off-by: David Brown <david.brown@linaro.org>
Clarify the name of the TLV field to more fully describe the signature
type.
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
Fabio Utzig