Recent Zephyr trees require this config option to be set in order to be
able to write to the flash device. Without it, targets with an MPU
enabled will abort during startup, usually before even printing a
message to the UART.
Signed-off-by: David Brown <david.brown@linaro.org>
Previous commits added the full.bin target. Add a flash_full target to
be able to flash this full image for testing.
Signed-off-by: David Brown <david.brown@linaro.org>
This enables mynewt to use mcuboot as a remote repository, which is only
required when using newtmgr to manage images. Since mcuboot has slightly
changed the trailer format, newtmgr built against the bundled mynewt
bootloader writes the magic and flags to the wrong location.
To build a mynewt app the wants to run with mcuboot as the bootloader
and requires newtmgr one needs to change the app's pkg.yml dependencies
as follows:
- - boot/bootutil
+ - "@mcuboot/boot/bootutil"
Signed-off-by: Fabio Utzig <utzig@apache.org>
Now that we depend on a submodule for mbed TLS code, update the docs to
explain how to fetch this. Otherwise, the error is somewhat misleading,
just showing a missing sha256.c file.
Signed-off-by: David Brown <david.brown@linaro.org>
Adding an os.unlink() call to remove the outfile results in an exception
being thrown if the file does not exist. Fix this by trapping, and
checking for the specific error we get on a missing file.
Signed-off-by: David Brown <david.brown@linaro.org>
This full.bin target demonstrates how to assemble all of the images into
a single file which can be flashed to the device. As it is, it will
then boot into the first "primary" image. The second image will be
present, but will not ever be run.
Signed-off-by: David Brown <david.brown@linaro.org>
When image is slot 1 had bad signature, the swap would fail and
try to write image_ok in slot 0 which if that was already a
permanent image would cause a overwrite in flash.
Fix warning/error when slot 0 validation is not enabled.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This test was added to exercise a bug which happens when a failure
verifying the image in slot 1 would cause a write to image_ok when
the image in slot 0 already was a permanent image.
Signed-off-by: Fabio Utzig <utzig@apache.org>
After a swap operation is finished trailer control flags are written
according to the type of swap that was performed. The function names
that execute those operations were renamed to explicity reflect what
they do, and all "less deterministic" behaviors, of the type
"if flash is not set, set it", were removed.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds handling of the copy_done bit while evaluation a swap state.
Since copy_done is only ever written when a swap finishes, it can be
safely assumed that if copy_done is not set no swap was ever performed
and the image was written directly to flash, and thus no revert is run.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This reworks much of the code, as well as tables, handling swap
state to make them simpler. Only states that require an actual
swap to be performed, perm/test/revert are checked for and acted
upon. Other possible states try to default to no operation
performed.
One extra state, BOOT_SWAP_TYPE_PANIC, was added to differentiate
between "soft" errors and unrecoverable ones (as flash read/write
errors).
Non well defined state changes after swap failures, as described
in MCUB-59 were also clean up.
This should also fix situations as described in MCUB-63, where
images generated using imgtool (magic + image_ok set) are written
to slot 0 and cause an incorrect "revert".
Signed-off-by: Fabio Utzig <utzig@apache.org>
The MCUBOOT_VALIDATE_SLOT0 feature only verifies the signature when
there is no swapping happening. The assumption was that if there is a
swap being done, the code will verify the signature of slot 1 before
doing the slot.
However, either due to bugs, or intentional trickery, it may be possible
to confuse the code into continuing a swap operation. If the data is
modified before this, the bootloader can be tricked into booting the
resulting image in slot 0 without having verified the signature.
Fix this by always verifying slot 0's signature before booting it.
JIRA: MCUB-64
Signed-off-by: David Brown <david.brown@linaro.org>
The docopt package has moved from rustc-serialize to serde. Move to
this version, upgrading the custom deserialize we use for the alignment
argument.
Signed-off-by: David Brown <david.brown@linaro.org>
Move most dependencies to the latest version at the time of this commit.
docopt is left at the current version as there is an api change in the
newer version.
Signed-off-by: David Brown <david.brown@linaro.org>
It isn't necessary for the 'area' module to be exposed. Re-export the
two definitions from the crate at the top level, and make the module
private.
Signed-off-by: David Brown <david.brown@linaro.org>