Before this patch, the swapping would process all sectors in a slot
not matter what the size of the binary firmware was. This changes the
swap process to swap only sectors that are in use by firmware.
Also, if the last slot sector, which stores the trailer, is actually not
in use by the binary firmware, now trailer is never written to scratch.
`use_scratch` temp variable was added to boot_status struct to control
this (this var is never written to disk).
Random other small refactorings were applied.
Before this change, trailer was handled as part of the binary image,
which during a swap was just copied around together with the image.
This had issues if some fault happened while the trailer copy was
underway.
This patch changes how trailer is handled by making by non-copying.
The trailer is now updated step-by-step based on the current status.
Magic, copy_done and image_ok are also handled by writing them
individually, not by copying.
The trailer on scratch area was reduced to include at most swap state for
one sector, since it is only used temporarily while erasing the last
sector of the slot that stores the final trailer.
Many other small fixes were applied.
MCUB-54: Flash map API improvements
The series adds new flash_device_base() and flash_area_get_sectors() routines to flash_map.h. If accepted, it needs to be propagated to mynewt as well, as it also ports the core bootutil library to use flash_area_get_sectors().
In order to allow messages to be printed, set the compiled level to
INFO. This allows messages at this level to be printed without having
to recompile.
Change the C logging code, when in the simulator, to query what the rust
logging level is set to. This allows the level of logging from the C
code to be set through the environment. For example
RUST_LOG=bootsim=info cargo run --release runall
will enable logging at the "info" level for all of the C code as well as
the simulator code. The C code's logging can be selected specifically
by using bootsim::api instead of just bootsim in the above.
Add a configuration option "BOOTUTIL_OVERWRITE_ONLY" that avoids using
the image swap code. Instead, when an upgrade is detected in slot 1, it
is copied directly onto slot 0. As long as the image in slot 1 is
valid, this should work robustly (it will redo it if power is lost
during the upgrade).
This doesn't protect against the case of deploying an image that fails
to boot on some devices. But, the behavior is similar to the swap
upgrade approach when the slot 1 image is marked initially as "image
ok", but without the complexity (or need of a swap partition) of the
swap code.
Add a simple function to query the bootloader for capabilities.
Ultimately, this API should be available to the running app, but the
simulator can use this to determine what to test.
Add reference counting to the flash areas, and a zephyr-only routine
which warns when areas are still open when none should be. Call the
warn routine right before chain-loading.
This prints warnings due to code in loader.c. Future work will be
needed to clean this up.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Use flash_device_base() in the boot code to compute a real address,
given the offset returned by boot_go().
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Similarly, it's confusing whether br_flash_id is a flash device ID or
a flash area ID. Make this unambiguous.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
The boot response returns a flash offset, not a flash address. This is
causing confusion and leading to crashes on some platforms which don't
have flash at address 0.
Rename the field to make it more clear what its purpose is; future
patches can start fixing up usages.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
The flash map API has added a new routine, flash_area_get_sectors().
Use that instead of flash_area_to_sectors(), which is now deprecated.
This exposed a bug in boot_swap_sectors() (a large sz would still lead
to copying past the end of the area, including the trailer); fix it.
This also exposed a bug in split_go(). Calling boot_read_sectors()
there makes a potentially invalid assumption, namely:
(loader_slot == FLASH_AREA_IMAGE_0 &&
split_slot == FLASH_AREA_IMAGE_1)
We make this slightly better by making sure that loader_slot and
split_slot in split_go() get placed into boot_data at indices
mynewt-core currently sets LOADER_SLOT and SPLIT_SLOT to, but a real
fix is left to future work.
This patch also frees up about 650B of RAM, since struct flash_sector
is smaller than struct flash_area.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
The current flash_map.h API treats flash areas and flash sectors
synonymously. This isn't totally accurate; a flash area comprises one
or more sectors.
To distinguish them, add a new struct flash_sector, and a new
flash_area_get_sectors() which initializes an array of struct
flash_sector instead of struct flash area.
That done, deprecate flash_area_to_sectors().
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Instead of a separate invocation of printf to print the trailing
newline, use some modern cpp trickery to expand the format string
explicitly. The ## will remove the preceding comma of the argument list
if empty.
Add logging support for when running in the simulator. Log messages are
still based on compile-time determinations, and log using printf.
Based on a patch from Marti Bolivar <marti.bolivar@linaro.org>.
Expand the data slots to 384K each, leaving the boot and scratch areas
as 128K. This allows more room for code, but will wear the scratch
partition about 3x faster because of the more extensive use of the
partition.
When building with ECDSA P-256 as the signature algorithm, we are still
bringing in SHA256 and some ASN.1 code from mbed TLS. Fix part of this
by wrapping the hash functions with general routines (inline functions)
allowing to select between mbed TLS and Tinycrypt for the
implementation.
Update the Zephyr config files so that the Tinycrypt version is used
when building the ECDSA P-256 signing variant.
There are some problems with how mbed TLS is configured in Zephyr.
First, include the makefile stub in the Makefile that uses these
defines. This makes sure the right definitions get made so that our
custom config gets used for all compiled files, rather than a mixed set.
Also, fix up the wrappers on the custom configs so that each is
different, making it easier to detect if multiple configs are being
included.
Lastly, only include the right header in the image validation. The mbed
TLS includes don't seem to want to allow both RSA and ECDSA to be used
(due to the key size), and including the wrong header results in a
compilation error.
Fabio Utzig