Introduce a new MCUBOOT_BUILTIN_KEY option to enable the usage of
builtin keys for signature verification. This way the details of the key
handling mechanism are abstracted away from the boot code and this
responsibility is delegated to the given crypto library.
This is an alternative option to the existing MCUBOOT_HW_KEY feature;
however, in this case we can entirely rely on key IDs, and not only the
code but also the image metadata does not contain any public key data.
Change-Id: Id01b67951310549b2734730c58bfa7210a2d5236
Signed-off-by: David Vincze <david.vincze@arm.com>
Use the default MCUBoot PEM key file in hello-world project settings.
Without it the application is not verified by MCUBoot.
Signed-off-by: Andrej Butok <andrey.butok@nxp.com>
<zephyr/zephyr.h> is just a shim to the <zephyr/kernel.h> header, better
use it directly as it is explicit that Kernel APIs are being included.
Signed-off-by: Gerard Marull-Paretas <gerard@teslabs.com>
Zephyr has prefixed all of its includes with <zephyr/...>. While the
_old_ mode can still be used (CONFIG_LEGACY_INCLUDE_PATH) and is still
enabled by default, it's better to be prepared for its removal in the
future.
Signed-off-by: Gerard Marull-Paretas <gerard@teslabs.com>
Instead of trying to maintain two test runners for the Zephyr sample
directory, have the old test runner just print out a message that users
should use the new test runner. Eventually, we can just remove the old
runner entirely.
Instead of asking the user for each test if it worked or not, the new
test runner looks at the serial log and makes this conclusion itself.
It is able to run the whole test suite completely automatically.
Signed-off-by: David Brown <david.brown@linaro.org>
Change the configs for the Zephyr tests to use move swap, as this is the
code intended for future use.
Signed-off-by: David Brown <david.brown@linaro.org>
Introduced MCUBOOT_CPU_IDLE() macro.
If a port supports single thread or is bare-metal then it might be
necessary to switch to idle mode explicitly from MCUboot code.
The call allows enabling lower power consumption while waiting for
incoming transmission in serial recovery etc.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The 'revert' mechanism in direct-xip is similar to the one in swap mode.
It requires the trailer magic to be added to the signed image. When a
reboot happens without the image being confirmed at runtime (without the
image_ok flag being set), the bootloader considers the image faulty and
erases it. After this it will attempt to boot the previous image
instead. The images can also be made permanent (marked as confirmed in
advance) just like in swap mode.
Change-Id: Ibde9361d4a7302dd8efbb277b691b71eca0ca877
Signed-off-by: David Vincze <david.vincze@linaro.org>
Optionally extract build artifacts from an archive file instead of
building them. This completes the separation between building the tests
and running them. To use this, do something like:
go run test-compile.go
Arrange to have the mcuboot dir and the test-images.zip on the test
target, and then run:
go run run-tests.go -prebuilt test-images.zip
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of just having the build commands part of the test execution,
separate them into a separate value. This will facilitate having an
option that doesn't actually build the tests, but extracts them from an
archive.
Signed-off-by: David Brown <david.brown@linaro.org>
Create a program that separately compiles the tests and assembles them
into a zip file. This will help when the build environment and the test
environment are not the same machine.
Signed-off-by: David Brown <david.brown@linaro.org>
Move the list of tests to run from the test runner itself into its own
package. The test can be invoked the same way (Go will find the go.mod
at the top of mcuboot), but this will make it easier to separate a test
runner from a test builder.
Signed-off-by: David Brown <david.brown@linaro.org>
This patch introduces the ram-load mode in addition to the other
upgrade modes (swap strategies, overwrite-only, direct-XIP). When
ram-load is enabled with the MCUBOOT_RAM_LOAD option, mcuboot
selects the newest valid image based on the image version numbers from
the image header, thereafter the selected image is loaded to the RAM and
executed from there. Load address is extracted from the image header.
Therefore the images must be linked to the RAM memory region.
The ram-load mode is very similar to the direct-XIP mode; the main
difference is that the newest image is loaded to the RAM before
authentication and execution. Similar to direct-XIP mode, either
of the primary and the secondary slots can hold the active image.
Ram-load can be useful in case of a bit more powerful SoC, which
is not constrained in terms of internal RAM. It could be that the image
is stored in external and therefore untrusted flash. Loading the image
to internal (trusted) RAM is essential from the security point
of view of the system. Furthermore, execution from internal RAM is much
faster than from external flash.
This patch is based on the RAM_LOADING upgrade strategy which was
first introduced in the Trusted Firmware-M project.
Source TF-M version: TF-Mv1.0.
Change-Id: I95f02ff07c1dee51244ac372284f449c2efab362
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
This patch introduces the direct execute-in-place (XIP) mode in addition
to the other upgrade modes (swap strategies, overwrite-only). When
direct-XIP is enabled with the MCUBOOT_DIRECT_XIP option, mcuboot
selects the newest valid image based on the image version numbers from
the image header, thereafter the selected image runs directly from its
flash partition (slot) instead of moving it. Therefore the images must
be linked to be executed from the given image slot. It means that in
direct-XIP mode either of the primary and the secondary slots can hold
the active image.
This patch is based on the NO_SWAP upgrade strategy which was first
introduced in the Trusted Firmware-M project.
Source TF-M version: TF-Mv1.0.
Change-Id: If584cf01ae5aa7208845f6a6fa206f0595e0e61e
Signed-off-by: David Vincze <david.vincze@linaro.org>
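The three commits above (direct-XIP revert, ram-load and direct-XIP) share one selection rule: pick the newest valid image by header version, and in revert-capable builds erase an image that was booted once but never confirmed, falling back to the previous one. The model below is an added example, not MCUboot's own code; the in-memory `Slot`/`Image` structures and the `booted` marker are assumptions made for the model (real MCUboot keeps this state in the image trailer at the end of each flash slot, and validity comes from the signature check rather than a flag). The same version-based selection applies to ram-load, which additionally copies the chosen image to RAM before authenticating it.

```python
"""Simplified model of MCUboot's direct-XIP slot selection with 'revert'.

Added example, not MCUboot's own code. The slot/trailer model and the
`booted` marker are assumptions; real MCUboot stores this state in the
image trailer and derives validity from signature verification.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Image:
    version: Tuple[int, int, int, int]  # from the image header: major, minor, revision, build
    valid: bool                          # result of signature verification (modelled as a flag)
    magic: bool = False                  # trailer magic present (image prepared for revert)
    image_ok: bool = False               # confirmed, either in advance or at runtime
    booted: bool = False                 # assumption: records that the bootloader already ran it once


@dataclass
class Slot:
    name: str
    image: Optional[Image] = None


def select_image(slots: List[Slot]) -> Optional[Slot]:
    """Return the slot to boot from, erasing unconfirmed images that already ran."""
    candidates = [s for s in slots if s.image is not None and s.image.valid]
    candidates.sort(key=lambda s: s.image.version, reverse=True)  # newest first
    for slot in candidates:
        img = slot.image
        if img.magic and not img.image_ok:
            if img.booted:
                # Rebooted without being confirmed: treat the image as faulty,
                # erase it, and fall through to the next newest (previous) image.
                slot.image = None
                continue
            img.booted = True  # first run; the image must confirm itself before the next reboot
        return slot
    return None


def confirm(slot: Slot) -> None:
    """What the running application does to make its image permanent (image_ok set)."""
    if slot.image is not None:
        slot.image.image_ok = True


def revert_scenario() -> List[Optional[str]]:
    """Unconfirmed 1.1.0 in the secondary slot reverts to confirmed 1.0.0 in the primary."""
    primary = Slot("primary", Image((1, 0, 0, 0), valid=True, magic=True, image_ok=True))
    secondary = Slot("secondary", Image((1, 1, 0, 0), valid=True, magic=True))
    slots = [primary, secondary]
    boots = []
    for _ in range(3):  # three consecutive resets without runtime confirmation
        chosen = select_image(slots)
        boots.append(chosen.name if chosen else None)
    return boots  # ['secondary', 'primary', 'primary']


def confirmed_scenario() -> List[Optional[str]]:
    """Same start, but the new image confirms itself during its first run."""
    primary = Slot("primary", Image((1, 0, 0, 0), valid=True, magic=True, image_ok=True))
    secondary = Slot("secondary", Image((1, 1, 0, 0), valid=True, magic=True))
    slots = [primary, secondary]
    first = select_image(slots)
    confirm(first)
    second = select_image(slots)
    return [first.name, second.name]  # ['secondary', 'secondary']


if __name__ == "__main__":
    print("without confirm:", revert_scenario())
    print("with confirm:   ", confirmed_scenario())
```

An image signed without the trailer magic never enters the revert path, which matches the commit's note that the magic must be added to the signed image for revert to work.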
This commit is a followup to the usage of `find_package(Zephyr ...)`.
The zephyr/hello-world sample has been updated to use find_package.
The assemble.py script now takes ZEPHYR_BASE as an argument, so it may
be used from CMakeLists.txt files when ZEPHYR_BASE is not set in
environment, and thus the Makefile sample has been adjusted accordingly.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Remove a redundant chip erase from run-tests.go. The '-e chip' should
tell pyocd to perform a chip erase. There seem to be some combinations
of daplink and pyocd that if an invalid image is loaded into the device,
it can no longer be flashed by pyocd. Performing the chip erase as a
separate command easily gets it into this state. It can be recovered by
using the DAP filesystem to write the image.
Signed-off-by: David Brown <david.brown@linaro.org>
Zephyr builds use 'cmake' which can generate either makefiles, or use
the Ninja build tools. There are several significant advantages to
using Ninja as the build tool:
- It is significantly faster. Ninja reads a directory and stats the
files in it once. Make often stats a given directory thousands of
times, many for files that don't even exist.
- It has better output. Ninja collects commands together with their
error output. When doing multi-cpu builds, Ninja prints a status
indicator, and only prints fully verbose commands when that command
fails. Instead of having to try and piece together a given command
with its errors, they will always be together.
- Make's support of multiple CPUs is a crude hack. Make forks off
multiple processes to use multiple CPUs. These processes don't
communicate with each other (very much), which causes make to often
continue after encountering errors. It is common for a multi-CPU
make invocation to print hundreds or thousands of additional lines
after an error message.
Nearly all distros have a version of Ninja available in their package
manager, making this change of low cost.
Signed-off-by: David Brown <david.brown@linaro.org>
This patch introduces the BOOT_IMAGE_NUMBER macro and current_image
variable to support multiple updatable images and the associated
extended flash layout.
The FLASH_AREA_IMAGE_* object-like macros are replaced with
function-like ones and therefore some functions have been updated,
because the labels of a switch statement and the initialization
values of objects with static storage duration have to be constant
expressions.
Change-Id: Ib7b26ec3c94233e52db4f97825ddb6a3e55bb1d3
Signed-off-by: David Vincze <david.vincze@arm.com>
When HW / OS provides an always enabled watchdog, this macro can
optionally be implemented to avoid resets which are expected to
occur under normal conditions when swapping very large images or
running on slower devices.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This change replaces the slot 0/1 terminology with primary/secondary
slot and replaces FLASH_AREA_IMAGE_0/1 with
FLASH_AREA_IMAGE_PRIMARY/SECONDARY. This naming convention may be more
understandable, fits better to MCUs with multiple images and it is an
architecture agnostic alternative as well.
Change-Id: I655a585f6ae023852c671ee6635399efe25209c9
Signed-off-by: David Vincze <david.vincze@arm.com>
Signed-off-by: David Brown <david.brown@linaro.org>
pyocd 0.14.0 merged its command-line tools into a unified pyocd tool
with subcommands. The separate command-line tools still remain, but are
deprecated. Update all pyocd calls in samples and documentation to use
the new unified pyocd tool with subcommands.
Note that pyocd 0.15.0 has an issue with the command 'pyocd erase',
which was fixed in pyocd 0.16.0.
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
Set the public key for ECDSA tests to use the ECDSA. This avoids a link
error with:
../app/libapp.a(keys.c.obj):(.rodata.bootutil_keys+0x0): undefined reference to `ecdsa_pub_key'
../app/libapp.a(keys.c.obj):(.rodata.bootutil_keys+0x4): undefined reference to `ecdsa_pub_key_len'
Signed-off-by: David Brown <david.brown@linaro.org>
Introduce MCUBOOT_LOG_MODULE_REGISTER and MCUBOOT_LOG_MODULE_DECLARE.
- MCUBOOT_LOG_MODULE_REGISTER
Register a new log module and add the current C file to it.
- MCUBOOT_LOG_MODULE_DECLARE
Add the current C file to an existing log module.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
- Removed MCUBOOT_LOG_LEVEL macros.
The global log level shall be set using a port's configuration
management system of choice instead, e.g. Kconfig.
- Removed BOOT_LOG_LEVEL macro, which was not honored by
either Zephyr or mynewt ports.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
This feature has been deleted in Zephyr upstream. The project won't
build with this line in anymore due to Kconfig errors.
Signed-off-by: Marti Bolivar <marti@foundries.io>
The `--included-header` was "mandatory" when using imgtool with firmware
images generated by the Zephyr build system and it was a source of
issues when it was forgotten. This removes `--included-header` and adds
a new parameter `--pad-header` with inverted semantics, to be used only
when a zeroed header is required to be added to the firmware image.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add the new `--slot-size` and make `--pad` a bool flag, to allow
checking that firmware fits in the slot without overflowing into the
trailer region even when no padding was requested.
Fixes #241
Signed-off-by: Fabio Utzig <utzig@apache.org>
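The two imgtool commits above describe the `--pad-header` (prepend a zeroed header) and `--slot-size`/`--pad` (fit check and optional padding) behaviours. The function below is an added, simplified model of that check, not imgtool's own code: the header size, trailer size and trailer marker bytes are constructed placeholders rather than MCUboot's real layout. The point it shows is that the fit check runs whenever a slot size is known, even when no padding is requested, so an image that would overlap the trailer region is rejected at build time rather than discovered on the device.

```python
"""Model of imgtool's slot-fit check (--slot-size / --pad / --pad-header).

Added example, not imgtool's own code. HEADER_SIZE, TRAILER_SIZE and
TRAILER_MARK are constructed placeholders for the real MCUboot layout.
"""

HEADER_SIZE = 0x20           # assumption: bytes reserved for the MCUboot image header
TRAILER_SIZE = 48            # assumption: bytes MCUboot needs at the end of the slot
TRAILER_MARK = b"\xa5" * 16  # constructed stand-in for the trailer magic written by --pad


class SlotOverflow(ValueError):
    """Raised when image plus trailer would not fit in the slot."""


def assemble(payload: bytes, tlv: bytes, slot_size: int,
             pad_header: bool = False, pad: bool = False) -> bytes:
    """Build the slot image; raise SlotOverflow if it would reach into the trailer."""
    # --pad-header: prepend a zeroed header; Zephyr-built images already reserve it.
    body = (bytes(HEADER_SIZE) + payload) if pad_header else payload
    image = body + tlv  # TLV area (hash, signature, ...) follows the payload

    # Fit check: applies whenever the slot size is known, padding or not.
    if len(image) + TRAILER_SIZE > slot_size:
        raise SlotOverflow(
            f"image {len(image)} B + trailer {TRAILER_SIZE} B exceeds slot {slot_size} B")
    if not pad:
        return image

    # --pad: fill erased flash (0xff) up to the trailer, then write the trailer marker
    # at the very end of the slot so the bootloader finds it.
    fill = slot_size - len(image) - TRAILER_SIZE
    trailer = b"\xff" * (TRAILER_SIZE - len(TRAILER_MARK)) + TRAILER_MARK
    return image + b"\xff" * fill + trailer


def fits(payload: bytes, tlv: bytes, slot_size: int, pad_header: bool = False) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        assemble(payload, tlv, slot_size, pad_header=pad_header)
        return True
    except SlotOverflow:
        return False


if __name__ == "__main__":
    fw = b"\x01" * 100   # constructed firmware payload
    tlvs = b"\x02" * 8   # constructed TLV area
    print(len(assemble(fw, tlvs, 1024, pad_header=True)))             # unpadded image
    print(len(assemble(fw, tlvs, 1024, pad_header=True, pad=True)))   # padded to slot size
    print(fits(fw, tlvs, 180, pad_header=True))                        # too small: False
```

With a 100-byte payload, 8-byte TLV area and the placeholder header, the image is 140 bytes; a 180-byte slot is rejected because 140 + 48 > 180, while a 188-byte slot is accepted exactly.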
Continue removing platform-specific conditional compilation from
bootutil by adding a new MCUBOOT_HAVE_ASSERT_H configuration option
and associated header file. Right now, that's only used by the
simulator.
That leaves just bootutil_log.h with platform-specific contents, but
since it's meant to be an abstraction layer for logging, we'll let it
stand for now.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Take the opportunity to clean up a bit of platform cruft that has
gotten into bootutil by moving it to mcuboot_config.h, and ensuring it
is documented in the template config file.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Handle CONFIG_BOOT_UPGRADE_ONLY in mcuboot_config.h, and switch the
release test Makefile to using an OVERLAY_CONFIG fragment.
This removes the last user of the Makefile BOOTLOADER_CONFIG variable,
so delete it as well.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Handle CONFIG_BOOT_VALIDATE_SLOT0 in mcuboot_config.h, and switch to
setting it with an OVERLAY_CONFIG fragment in the test Makefile.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Handle the CONFIG_BOOT_SIGNATURE_TYPE_xxx values in Zephyr's
mcuboot_config.h by converting them into the platform-agnostic MCUboot
definitions.
This requires some changes to the way the release test Makefile is
structured, since Kconfig symbols cannot be set from the command line.
Instead, use the OVERLAY_CONFIG feature of the Zephyr build system,
which allows specifying extra fragments to merge into the final
.config. (This is an orthogonal mechanism to setting CONF_FILE; it is
used by Zephyr's CI script sanitycheck to add additional fragments, so
it's appropriate for use by MCUboot's testing scripts as well.)
We additionally need to move to a single prj.conf file due to a
dependency issue. We can no longer determine CONF_FILE from the
signature type, since that is now determined from the final .config or
autoconf.h, which is a build output that depends on CONF_FILE.
To move to a single prj.conf:
- delete prj-p256.conf and adjust prj.conf to serve both signature types
- add a top-level mbedTLS configuration file which dispatches to
the right sub-header depending on the key type
- as a side effect, have the simulator pick the right config file
depending on the case
This fixes and cleans up quite a bit of the signature type handling,
which had become something of a mess over time. For example, it fixes
a bug in ECDSA mode's configuration that wasn't actually selecting
config-asn1.h, and forces the simulator to use the same mbedTLS
configuration file as builds for real hardware.
Finally, we also have to move the mbedTLS vs. TinyCrypt choice into
mcuboot_config.h at the same time as well, since CMakeLists.txt was
making that decision based on the signature type.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Mynewt uses this file to convert MYNEWT_VAL(xxx) to MCUBOOT_xxx config
options. Zephyr currently adds config options via the compiler command
line, but it should use this instead.
As prep work for that conversion, add an empty mcuboot_config.h to the
Zephyr port, and include this file unconditionally wherever it's
needed. This takes care of the simulator as well, since that puts
boot/zephyr/include on its C file include path.
This turned up a couple of files (bootutil_priv.h and caps.c) that
were using the MCUBOOT_xxx config values without including the
file. Add the includes there, as they'll be needed later.
To make this official, add it to the requirements in the porting guide
and provide a template file porters can use while getting started.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
fixup! Mandate the presence of mcuboot_config/mcuboot_config.h
Instead of manually setting the text section offset and the overlay
file, use the now readily available BOOTLOADER_MCUBOOT Kconfig option to
provide that automatically.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
Enhance the test runner so that it can verify the output of the tests by
itself. This needs the console to be logged to a file, but otherwise
works the same as the current test runner.
Also, the build results are placed in a log file, so that it is easier
to see what is happening.
Signed-off-by: David Brown <david.brown@linaro.org>
hello-world is serving as a sample application and should therefore
not define a default board as Zephyr samples do not either.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The documentation claims that one can place per-board overlay files in
the boards/ directory. But no such support has been implemented.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
It's onerous to work through the tests in docs/testplan-zephyr.md by
hand. Add a script which takes the thinking out of it.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>