There is a bug in split_go that never opens the loader image flash
area, but opens the app/split image flash area twice. This prevents
split_image_check from passing and the app from ever loading.
Signed-off-by: Alvaro Prieto <source@alvaroprieto.com>
mbedTLS made sha256 functions that do not return errors deprecated. This
updates to use the new functions, avoiding the extra function calls and
breakage when the deprecated calls are effectively removed.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Since Ed25519 curve primitives have been available since cryptography package
version 2.6, its version needs to be bumped.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
This adds the boringssl version of fiat-crypto. The version bundled here
had most of its non-used code removed, like signing, X25519 curve
operations not required by verification, etc.
Under boringssl tree, fiat can be found in third_party/fiat. The version
included here comes from a boringssl tree where the last commit is
f109f2087349712d3ac717d15fab48e130618110.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds ed25519 signature support using the "prehash" method. Instead
of using the direct contents of the image and header payloads, a sha256
is generated and signed (SHA256-Ed25519). This allows for compatibility
with already existing tools that use the sha256 hash, like mcumgr, etc.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This extends the test+revert case with an interruption on the revert
stage, as it was previously only interrupted on the test stage. For
simplicity the interruption happens on the same interruption point for
both test and revert stages.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: Christopher Collins <ccollins@apache.org>
Make images slightly larger to allow more swap status metadata to be
written to flash, to increase the amount of debugging info and the
possibility of failures on random write fails.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: Christopher Collins <ccollins@apache.org>
This fixes #480.
When mcuboot rewrites image trailers during a swap, some information is
lost. If a reset occurs before the swap completes, mcuboot may not be
able to determine which swap type to resume upon startup.
Specifically, if a "revert" swap gets interrupted, mcuboot will perform
an extraneous swap on the subsequent boot. See
https://github.com/JuulLabs-OSS/mcuboot/issues/480 for details.
This commit adds an additional field to the image trailer: `swap-type`.
The new trailer structure is illustrated below:
```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~                                                               ~
~    Swap status (BOOT_MAX_IMG_SECTORS * min-write-size * 3)    ~
~                                                               ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~               Encryption key 0 (16 octets) [*]                ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~               Encryption key 1 (16 octets) [*]                ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Swap size           |    0xff padding (4 octets)    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Swap type   |            0xff padding (7 octets)            ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Copy done   |            0xff padding (7 octets)            ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Image OK    |            0xff padding (7 octets)            ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~                       MAGIC (16 octets)                       ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
The `swap-type` field contains one of the `BOOT_SWAP_TYPE_[...]` constants.
Every time a trailer is written, this field is written along with it.
When resuming an interrupted swap, mcuboot uses this field alone to
determine the type of swap being resumed. For new swap operations
(non-resume case), this field is not read at all; instead, mcuboot
consults the `boot_swap_tables` array to determine the swap operation to
perform (as it did prior to this commit).
Some additional changes were necessary to make all the simulated unit
tests pass:
* Before initiating a new swap operation, always write the image trailer
to the scratch area. This step allows mcuboot to persist the
`swap-type` field somewhere before erasing the trailer in the primary
slot. If a reset occurs immediately after the erase, mcuboot recovers
by using the trailer in the scratch area.
* Related to the above: if the scratch area is being used to hold status
bytes (because there are no spare sectors in the primary slot), erase
the scratch area immediately after the trailer gets written to the
primary slot. This eliminates ambiguity regarding the location of the
current trailer in case a reset occurs shortly afterwards.
Signed-off-by: Christopher Collins <ccollins@apache.org>
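The trailer layout and the resume rule described in the commit above, worked through as an added example (this is not MCUboot's own code). It decodes a trailer laid out as in the diagram and picks the swap type to resume from the primary-slot trailer, falling back to the copy persisted in scratch when the primary trailer was erased before a reset. Everything numeric here is constructed for the example: a min-write-size of 8 (so each one-byte flag occupies an eight-byte row), `BOOT_MAX_IMG_SECTORS` of 1, a placeholder magic pattern, and illustrative swap-type values.

```c
/* Added example (not MCUboot's own code): parse the image trailer layout
 * from the commit message and decide which trailer a resumed swap should
 * take its swap type from. Constructed assumptions, not taken from MCUboot:
 * min-write-size is 8 (each 1-byte flag occupies an 8-byte row),
 * BOOT_MAX_IMG_SECTORS is 1 to keep buffers small, the magic is a
 * placeholder pattern and the swap-type values are illustrative. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MIN_WRITE_SZ     8
#define MAX_IMG_SECTORS  1
#define SWAP_STATUS_SZ   (MAX_IMG_SECTORS * MIN_WRITE_SZ * 3)
#define ENC_KEY_SZ       16
#define MAGIC_SZ         16

/* Byte offsets from the start of the trailer, following the diagram top-down. */
#define OFF_STATUS     0
#define OFF_ENC_KEY0   (OFF_STATUS + SWAP_STATUS_SZ)
#define OFF_ENC_KEY1   (OFF_ENC_KEY0 + ENC_KEY_SZ)
#define OFF_SWAP_SIZE  (OFF_ENC_KEY1 + ENC_KEY_SZ)
#define OFF_SWAP_TYPE  (OFF_SWAP_SIZE + MIN_WRITE_SZ)
#define OFF_COPY_DONE  (OFF_SWAP_TYPE + MIN_WRITE_SZ)
#define OFF_IMAGE_OK   (OFF_COPY_DONE + MIN_WRITE_SZ)
#define OFF_MAGIC      (OFF_IMAGE_OK + MIN_WRITE_SZ)
#define TRAILER_SZ     (OFF_MAGIC + MAGIC_SZ)

/* Illustrative swap-type values; 0xff means the field was never written. */
enum swap_type { SWAP_NONE = 1, SWAP_TEST = 2, SWAP_PERM = 3, SWAP_REVERT = 4 };

/* Placeholder magic pattern (constructed); the bootloader has its own. */
static const uint8_t TRAILER_MAGIC[MAGIC_SZ] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00
};

struct trailer {
    int      magic_ok;        /* 1 when the magic matches */
    uint32_t swap_size;       /* little-endian; 0xffffffff when unset */
    uint8_t  swap_type, copy_done, image_ok;
    int      status_started;  /* 1 when any status byte is not erased */
};

/* Decode a TRAILER_SZ-byte trailer. Returns 0 on success, -1 if too short. */
int parse_trailer(const uint8_t *buf, size_t len, struct trailer *out)
{
    if (len < TRAILER_SZ) return -1;
    memset(out, 0, sizeof *out);
    out->magic_ok  = memcmp(buf + OFF_MAGIC, TRAILER_MAGIC, MAGIC_SZ) == 0;
    out->swap_size = (uint32_t)buf[OFF_SWAP_SIZE]
                   | (uint32_t)buf[OFF_SWAP_SIZE + 1] << 8
                   | (uint32_t)buf[OFF_SWAP_SIZE + 2] << 16
                   | (uint32_t)buf[OFF_SWAP_SIZE + 3] << 24;
    out->swap_type = buf[OFF_SWAP_TYPE];
    out->copy_done = buf[OFF_COPY_DONE];
    out->image_ok  = buf[OFF_IMAGE_OK];
    for (size_t i = 0; i < SWAP_STATUS_SZ; i++)
        if (buf[OFF_STATUS + i] != 0xff) { out->status_started = 1; break; }
    return 0;
}

/* Write a fresh trailer into erased (0xff) flash: magic, swap size and the
 * new swap-type field, which the commit says is written on every trailer write. */
void write_trailer(uint8_t *buf, uint32_t swap_size, uint8_t swap_type)
{
    memset(buf, 0xff, TRAILER_SZ);
    memcpy(buf + OFF_MAGIC, TRAILER_MAGIC, MAGIC_SZ);
    for (int i = 0; i < 4; i++)
        buf[OFF_SWAP_SIZE + i] = (uint8_t)(swap_size >> (8 * i));
    buf[OFF_SWAP_TYPE] = swap_type;
}

/* Resume decision from the commit message: a primary-slot trailer with
 * intact magic and a written swap type is authoritative; if the primary
 * trailer was erased just before a reset, fall back to the copy persisted
 * in scratch. Returns 0 when neither carries a swap type (nothing to resume). */
uint8_t resume_swap_type(const uint8_t *primary, const uint8_t *scratch)
{
    struct trailer t;
    if (parse_trailer(primary, TRAILER_SZ, &t) == 0 && t.magic_ok && t.swap_type != 0xff)
        return t.swap_type;
    if (parse_trailer(scratch, TRAILER_SZ, &t) == 0 && t.magic_ok && t.swap_type != 0xff)
        return t.swap_type;
    return 0;
}

int main(void)
{
    /* Interrupted revert: scratch holds the trailer, primary is erased. */
    uint8_t primary[TRAILER_SZ], scratch[TRAILER_SZ];
    write_trailer(scratch, 0x1000, SWAP_REVERT);
    memset(primary, 0xff, TRAILER_SZ);
    printf("resume swap type: %u (4 = revert)\n", resume_swap_type(primary, scratch));
    return 0;
}
```

The fallback order is the point of the two bullets above: because the scratch trailer is written before the primary trailer is erased, and erased again right after the primary trailer is rewritten, at most one of the two locations holds a valid trailer at any reset point, so the lookup is unambiguous.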
Prior to this change, the scratch image trailer had a different format
from a slot image trailer. Specifically:
1. The scratch trailer only contained a single set of status entries
(three bytes); the slot trailer contained `BOOT_STATUS_MAX_ENTRIES`
sets of status entries.
2. The scratch trailer did not contain the `copy_done` field.
This inconsistency required some extra conditional logic in the trailer
handling code. It is simpler to just use the same trailer format
everywhere.
This commit removes this inconsistency. Now, the scratch trailer
structure is identical to that of the slot trailer.
Signed-off-by: Christopher Collins <ccollins@apache.org>
imgtool verify -k <some-key.(pub|sec)> <img-file>
Allow imgtool to validate that an image has a valid sha256sum and that
it was signed by the supplied key.
NOTE: this does not yet support verifying encrypted images
Signed-off-by: Fabio Utzig <utzig@apache.org>
This allows the CI targets to be built if MCUBoot is a dependency of
other repos, as well as the current local-package-only build support.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This device is similar to the K64f device, but it is twice as large, and
has the extra partitions needed to test multi-image.
Signed-off-by: David Brown <david.brown@linaro.org>
Construct the ImagesBuilder based on the number of images compiled into
the code. If the flash device doesn't have enough areas for the test,
the test will be skipped.
Extend the FlashId to include Image2, and Image3. Remove the unused
ones, so that these can be placed immediately after the scratch area.
The current simulator code assumes the flash areas are numbered
contiguously, requiring these extraneous partitions to be eliminated.
Signed-off-by: David Brown <david.brown@linaro.org>
In addition to the binary capability flags, add a query function that
returns the number of images MCUboot has been configured to support.
Signed-off-by: David Brown <david.brown@linaro.org>
Some of the simulated devices aren't large enough to support the 5 slots
needed to test a multi-image configuration. To allow this to work, make
the return from the `ImagesBuilder` return an option, so that it will be
able to indicate (with `None`) that this configuration isn't possible to
test, and that the test should be skipped.
Signed-off-by: David Brown <david.brown@linaro.org>
The Rust community has decided that 'failure' is the future, instead of
'error-chain'. Migrate the flash simulator to this new error handling
package. The changes are relatively minor, and the end result is a
similar `FlashError` type.
Signed-off-by: David Brown <david.brown@linaro.org>
Move the three fields associated with each "Image" into a substructure
where we can have an array. If the array size is 1, the behavior should
be identical to the previous behavior, but this will make it possible to
support multiple images just by creating more than one of these.
Signed-off-by: David Brown <david.brown@linaro.org>
The functions `try_upgrade`, `try_revert`, `try_revert_with_fail_at`,
and `try_random_fails` make more sense as methods. Move them into the
`Images` impl so they have access to `self` and some various fields.
Signed-off-by: David Brown <david.brown@linaro.org>
The name `SimFlashMap` is a bit misleading, as the Map part is more of
an implementation detail when the type really just represents multiple
flash devices.
This is just a rename, but the names `SimFlashMap` and the value
`flashmap` occur in a lot of places in the image module.
Signed-off-by: David Brown <david.brown@linaro.org>
Create an `ImageData` type to represent the stored content of a single
slot. This holds plaintext and optional ciphertext. This fixes a bit
of unclarity with regards to these fields:
- Before, the plaintext was an Option, even though it is always
present. The field is clearly always present now.
- The mapping between slot numbers, and plain and ciphertext was not
made clear. Now that is spelled out in a match statement.
- The type has a name, rather than an anonymous array that looked a
bit too much like it had to do with slot numbers.
Signed-off-by: David Brown <david.brown@linaro.org>
Rename `Run` to `ImagesBuilder`, and move its definition into the
`images` module. This makes much more of the functionality local to
this module. With this locality, all of the fields of `Images` can now
be made private making it easier to add future support for multiple
images.
Signed-off-by: David Brown <david.brown@linaro.org>
Rust convention is to have types before implementation. Move `Images`
up to the top to make it more prominent. This is also a good
opportunity to add a bit of a comment to this struct.
Signed-off-by: David Brown <david.brown@linaro.org>
The `Run` type is used as a builder for `Images`, describing the
particular device config. Convert the `make...` methods to take `self`
by value to avoid needing to clone all of the fields for the new struct.
The `main` test runner now needs to do a few clones of `Run` in order
to build different configurations, but the primary test runner (through
`cargo test`) is now able to avoid having to clone the entire flash
simulators.
Signed-off-by: David Brown <david.brown@linaro.org>
Different manifest objects will use different magic values for the
header. Allow this support by providing a query to retrieve the
appropriate magic value.
Signed-off-by: David Brown <david.brown@linaro.org>
In preparation for adding support for differing manifest types, abstract
the TlvGen with a trait object `ManifestGen`. This will allow alternate
implementations to be made.
Signed-off-by: David Brown <david.brown@linaro.org>
The change
boot: bootutil: Simplify check for crypto backends to reduce complexity
Adding multiple crypto backends will grow quadratically. This change will
ensure that the growth will be linear and generate less complexity.
unfortunately is not legal C. It can be fixed by eliminating the
intermediate macro, so that the `defined` keywords are within the `#if`.
Signed-off-by: David Brown <david.brown@linaro.org>
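The legal form the commit refers to, as an added example that is not MCUboot's own code: the `defined` operators sit directly in the `#if` expression rather than inside an intermediate macro. The illegal variant appears only in a comment. The backend macro names are constructed for this example and are not the project's.

```c
/* Added example (not MCUboot's own code). The backend macro names below
 * are constructed for illustration. */
#include <string.h>

/*
 * The form the commit message calls "not legal C". Per C11 6.10.1p4, a
 * `defined` token produced by macro expansion is undefined behaviour, and
 * compilers do not agree on how to treat it:
 *
 *   #define EXAMPLE_HAVE_BACKEND \
 *       (defined(EXAMPLE_USE_BACKEND_A) || defined(EXAMPLE_USE_BACKEND_B))
 *   #if EXAMPLE_HAVE_BACKEND
 */

/* Select one backend for this translation unit (constructed name). */
#define EXAMPLE_USE_BACKEND_B

/* Legal: every `defined` is written inside the #if line itself. Adding a
 * backend adds one `|| defined(...)`, so the check still grows linearly. */
#if defined(EXAMPLE_USE_BACKEND_A) || defined(EXAMPLE_USE_BACKEND_B)
#define EXAMPLE_HAVE_BACKEND 1
#else
#define EXAMPLE_HAVE_BACKEND 0
#endif

/* How many backends are selected; a sane build configures exactly one. */
int example_backend_count(void)
{
    int n = 0;
#ifdef EXAMPLE_USE_BACKEND_A
    n++;
#endif
#ifdef EXAMPLE_USE_BACKEND_B
    n++;
#endif
    return n;
}

/* Name of the selected backend, or "none" when no backend is configured. */
const char *example_backend_name(void)
{
#if !EXAMPLE_HAVE_BACKEND
    return "none";
#elif defined(EXAMPLE_USE_BACKEND_A)
    return "backend-a";
#else
    return "backend-b";
#endif
}
```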