Add new bootutil function that returns the size of the status area.
The simulator was updated to remove the custom calculation and get
the size directly from bootutil, avoiding breakages that happen when
both are not in sync.
Signed-off-by: Fabio Utzig <utzig@apache.org>
In the zephyr code-base some generic include paths
and defines had been deprecated for a while.
This condition was maintained until zephyr v2.1.0 inclusive.
Recently these deprecated items were removed completely from
the zephyr master branch. Zephyr current SHA of this patch is
e124c1cd34938f02bbe879533c6bd29b5ff53707
This patch switches mcuboot to using the most recent items.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
* Adds a new level (BOOT_LOG_SIM) to be used only for messages that
are interesting while debugging bootutil in the simulator. This should
be used for extra verbose prints.
* Also added fflushs after fprints to guarantee that messages are printed
even when assertions are raised.
* For abstraction completeness, add "do nothing" definitions of _LOG_SIM
to the other ports.
* Make DEBUG the default level when building the simulator (one can
still lower verbosity using any other value for RUST_LOG).
Signed-off-by: Fabio Utzig <utzig@apache.org>
For some reason, the ECDSA signature generation code attempted to adjust
the length of the ASN.1 of the actual signature. It wasn't doing this
right, and was creating ASN.1 expecting many more entries than were
present. The half-run parser in the tinycrypt ECDSA signature check
didn't care about this, but mbed TLS's signature check does care.
The intent of the padding was to be able to predict the size of the TLV
before writing it out. Keep the padding for now, even though there is
no simple way of knowing how many pad bytes to remove (just removing
them will remove extra if there is a zero in the last byte of the
signature).
A future change will eliminate the padding, as it should no longer be
needed.
Signed-off-by: David Brown <david.brown@linaro.org>
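An added illustration of the padding problem this message describes (editor's example, not MCUboot or simulator code): the outer DER SEQUENCE header gives the signature's exact length, so the pad can be located without trusting byte values, whereas blind trailing-zero stripping corrupts a signature whose `s` happens to end in 0x00. The signature bytes are constructed, not a real signature.

```python
def der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, octets consumed)."""
    first = buf[pos]
    if first < 0x80:
        return first, 1                      # short form
    n = first & 0x7f
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("invalid DER length octets")
    value = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    if value < 0x80 or buf[pos + 1] == 0:
        raise ValueError("non-minimal DER length")   # DER forbids this
    return value, 1 + n


def der_sequence_size(buf):
    """Exact size of the outer SEQUENCE, i.e. of the whole ECDSA signature."""
    if not buf or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length, hdr = der_length(buf, 1)
    total = 1 + hdr + length
    if total > len(buf):
        raise ValueError("SEQUENCE length exceeds buffer")
    return total


def strip_padding(padded):
    """Remove TLV pad bytes using the DER header, not the byte values."""
    return padded[:der_sequence_size(padded)]


def naive_strip(padded):
    """What 'just remove trailing zeros' does; wrong when s ends in 0x00."""
    return padded.rstrip(b"\x00")


def strict_verifier_accepts(sig):
    """Model of a strict decoder: mbed TLS rejects bytes after the SEQUENCE."""
    try:
        return der_sequence_size(sig) == len(sig)
    except ValueError:
        return False


def der_integer(value_bytes):
    return b"\x02" + bytes([len(value_bytes)]) + value_bytes


# Constructed P-256 signature (NOT a real signature): r and s are 32-octet
# positive INTEGERs, and s deliberately ends in 0x00.
R = bytes([0x12] * 32)
S = bytes([0x34] * 31) + b"\x00"


def make_signature():
    body = der_integer(R) + der_integer(S)
    return b"\x30" + bytes([len(body)]) + body          # 70 octets


def make_padded_signature(pad_to=72):
    """Pad to a fixed TLV size, as the image generator did."""
    sig = make_signature()
    return sig + b"\x00" * (pad_to - len(sig))
```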
Update `make_device` to return a slice of unsupported caps for a test.
This allows skipping tests in devices that are known to be non-working
under some build configuration.
The device constructor was updated to return a `Result`, so that the
specific reason for skipping can be returned as a `String`.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add cap for swap using move and rename old swap upgrade cap to swap
using scratch. Update sim to allow swapping tests to also run using
move.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Currently, the tests that appear to be testing for invalid signatures
are actually just testing that images aren't used if the entire TLV
block is missing. Fix this by being more subtle about our corruptions.
If there is no signature, corrupt that data being used to generate the
hash. Otherwise, modify the data before it goes into the signature, but
generate a valid SHA256 in the TLV. This way, we exercise the signature
itself being corrupt.
Signed-off-by: David Brown <david.brown@linaro.org>
Previous changes have used 16-bit writes for calculated lengths, but are
using a pair of 8-bit writes for hard-coded values. Change these to
also use 16-bit writes for consistency, and clarity.
Signed-off-by: David Brown <david.brown@linaro.org>
Change the type of the TLV tag from an 8-bit unsigned value (followed by
8 bits of padding) to a 16-bit value. Because we are storing the tag as
little endian, the encoding will end up the same, but this will later
allow us to add more tags.
Signed-off-by: David Brown <david.brown@linaro.org>
These were added during development to make sure conditional compilation
was working. Now, they just cause excess messages to be printed.
Remove them.
Signed-off-by: David Brown <david.brown@linaro.org>
Removes the hard-coded image encryption keys, and updates with keys
generated randomly before use. This tests the correct behavior of
how ephemeral keys should be used when generating new images.
Signed-off-by: Fabio Utzig <utzig@apache.org>
To start adding support for devices with a large write size, modify the
simulator to allow a 'large-write' feature that will also run tests with
128 and 512 byte write alignments.
This requires fixing some places in image generation that assumed a
fairly small alignment (namely, padding the buffer at the end, rather
than individual parts), and detecting the large writes when writing the
MAGIC value to the image.
The flash API still passes the alignment back as a uint_8, but in
overwrite mode, this verifies that the boot code won't use this value.
Currently the 'large-write' feature requires 'overwrite-only' as well.
Signed-off-by: David Brown <david.brown@linaro.org>
Overwrite mode is always a permanent upgrade, so skip trying to mark
this in the images. This marking is problematic with larger write
alignments.
Signed-off-by: David Brown <david.brown@linaro.org>
This constant array is always just unwrapped. Remove the Option from
its type, and just make it an array.
Signed-off-by: David Brown <david.brown@linaro.org>
Some devices have a write alignment larger than 128. Allow this within
the simulator, by using `usize` instead of `u8` for the write alignment.
The value is still returned to the C code as an 8-bit integer, but this
helps start debugging issues found on these devices.
Signed-off-by: David Brown <david.brown@linaro.org>
Ran automated checker for common typos [1]. Most of these changes have
no functional change *except* for `./ci/sim_run.sh` where, previously
the `bootstrap` feature wasn't being selected properly.
I didn't touch anything in the `./ext/` folder as anything in there
should probably be fixed in the upstream repo.
[1] https://github.com/codespell-project/codespell
Signed-off-by: Sam Bristow <sam@bristow.nz>
Move the external mbedtls submodule out of the sim/mcuboot-sys directory
into the ext directory. This will allow the same copy of mbed TLS to be
used by other board support packages, instead of having to make a
duplicate clone.
Signed-off-by: David Brown <david.brown@linaro.org>
The ext/mbedtls directory has a copy of the ASN.1 parser from the mbed
TLS library. To allow a future change to bring the entire mbed TLS
library in as a submodule under ext, rename this to mbedtls-asn1 to make
it clear this is only a subset.
Signed-off-by: David Brown <david.brown@linaro.org>
Convert this `extern const uint32_t` to a simple define. Provide an
accessor function so that the simulator is able to access the value as
well. This has a minor improvement on the generated code within MCUboot
itself.
Signed-off-by: David Brown <david.brown@linaro.org>
BOOT_MAX_ALIGN is defined as
extern const uint32_t BOOT_MAX_ALIGN;
and is assigned a value in a single file. This causes extra work when
this is used as the size of a local variable in a function.
The value was made a constant in order for the simulator to be able to
access the value. Instead of making it a "real" constant, keep it as a
define, unifying the value of FLASH_MAX_ALIGN and this one, and provide
an accessor function for the test code to be able to access this value.
This causes a minor improvement in the code generated in
`boot_write_status`, but more importantly, eliminates a VLA from the
code, which increases the possible compilers supported by MCUboot.
Signed-off-by: David Brown <david.brown@linaro.org>
This introduces an API which allows for iteration over an image's TLVs
without resorting to low-level implementation details. All previous TLV
low-level handling was updated to comply with this new interface, and it
also makes it easier for external code to handle TLVs.
The API provides two functions:
1) To start a new iterator:
```
int bootutil_tlv_iter_begin(struct image_tlv_iter *it,
const struct image_header *hdr,
const struct flash_area *fap, uint8_t type,
bool prot);
```
2) To iterate over existing TLVs of given type:
```
int bootutil_tlv_iter_next(struct image_tlv_iter *it, uint32_t *off,
uint16_t *len, uint8_t *type);
```
A type of IMAGE_TLV_ANY was added to allow for iteration over all TLVs.
Low-level TLV access functions were removed from API, but low-level
structs are still visible in the namespace.
Signed-off-by: Fabio Utzig <utzig@apache.org>
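A Python mirror of the iteration semantics described above, added here as an illustration (not bootutil's code): the TLV info magic values, `IMAGE_TLV_ANY` and the tag values are assumed from MCUboot's `image.h`, and the sample slot is constructed inline.

```python
import struct

# TLV constants as in MCUboot's bootutil/image.h (assumed here from the
# public header; verify against your tree). Tags are 16-bit little endian.
IMAGE_TLV_INFO_MAGIC = 0x6907       # unprotected TLV area
IMAGE_TLV_PROT_INFO_MAGIC = 0x6908  # protected TLV area
IMAGE_TLV_ANY = 0xffff              # wildcard `type`: iterate over all TLVs
IMAGE_TLV_KEYHASH = 0x01
IMAGE_TLV_SHA256 = 0x10
IMAGE_TLV_ECDSA256 = 0x22

TLV_INFO = struct.Struct("<HH")  # image_tlv_info: it_magic, it_tlv_tot
TLV_HDR = struct.Struct("<HH")   # image_tlv: it_type, it_len


class TlvIter:
    """Mirror of bootutil_tlv_iter_begin()/_next() over an in-memory slot.

    `prot` selects the protected area, which precedes the unprotected one
    when ih_protect_tlv_size != 0. Each step yields (data_off, len, type),
    the same triple the C API returns through its out-parameters.
    """

    def __init__(self, slot, hdr_size, img_size, protect_tlv_size, tlv_type, prot):
        off = hdr_size + img_size            # TLV area follows the image body
        if prot:
            if protect_tlv_size == 0:
                raise ValueError("image has no protected TLV area")
            want = IMAGE_TLV_PROT_INFO_MAGIC
        else:
            off += protect_tlv_size          # skip the protected area, if any
            want = IMAGE_TLV_INFO_MAGIC
        magic, tot = TLV_INFO.unpack_from(slot, off)
        if magic != want:
            raise ValueError("bad TLV info magic 0x%04x at %d" % (magic, off))
        if prot and tot != protect_tlv_size:
            raise ValueError("protected TLV size disagrees with header")
        if off + tot > len(slot):
            raise ValueError("TLV area runs past end of slot")
        self.slot, self.type = slot, tlv_type
        self.tlv_off, self.tlv_end = off + TLV_INFO.size, off + tot

    def __iter__(self):
        return self

    def __next__(self):
        while self.tlv_off < self.tlv_end:
            if self.tlv_off + TLV_HDR.size > self.tlv_end:
                raise ValueError("truncated TLV header")
            t, length = TLV_HDR.unpack_from(self.slot, self.tlv_off)
            data_off = self.tlv_off + TLV_HDR.size
            if data_off + length > self.tlv_end:   # bounds check before use
                raise ValueError("TLV length overruns its area")
            self.tlv_off = data_off + length
            if self.type == IMAGE_TLV_ANY or t == self.type:
                return data_off, length, t
        raise StopIteration


def encode_area(magic, tlvs):
    """Build one TLV area: info header followed by (type, value) entries."""
    body = b"".join(TLV_HDR.pack(t, len(v)) + v for t, v in tlvs)
    return TLV_INFO.pack(magic, TLV_INFO.size + len(body)) + body


def build_slot(hdr_size=32, img_size=64):
    """Constructed sample slot: zeroed header/body, one protected TLV, then
    SHA256 / KEYHASH / ECDSA256 entries with dummy values."""
    prot = encode_area(IMAGE_TLV_PROT_INFO_MAGIC, [(0xa0, b"\x01\x02\x03\x04")])
    unprot = encode_area(IMAGE_TLV_INFO_MAGIC, [
        (IMAGE_TLV_SHA256, bytes(32)),
        (IMAGE_TLV_KEYHASH, bytes(32)),
        (IMAGE_TLV_ECDSA256, bytes(70)),
    ])
    slot = bytes(hdr_size) + bytes(img_size) + prot + unprot
    return slot, hdr_size, img_size, len(prot)


def find_tlvs(tlv_type, prot):
    slot, hdr, img, psize = build_slot()
    return list(TlvIter(slot, hdr, img, psize, tlv_type, prot))


def rejects_overlong_tlv():
    """A TLV whose it_len points past its area must be refused, not read."""
    slot, hdr, img, psize = build_slot()
    slot = bytearray(slot)
    first_hdr = hdr + img + psize + TLV_INFO.size
    TLV_HDR.pack_into(slot, first_hdr, IMAGE_TLV_SHA256, 0x7fff)
    try:
        list(TlvIter(bytes(slot), hdr, img, psize, IMAGE_TLV_ANY, False))
    except ValueError:
        return True
    return False
```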
Test the variations of the situation where we are built for multi-image,
but are only upgrading a single image, including no dependencies,
correct dependencies, and unmet dependencies.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add two additional dependency types. The NoUpgrade type indicates that
this slot should not contain an upgrade at all. The OldCorrect
indicates a dependency on the old version of the other slot.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
Instead of allowing a preliminary error if the first image is marked to
be held, allow this error if any of the images are marked to be held.
The error doesn't return which image caused the failure, so just check
if any are supposed to be held.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
Test the configuration where one image has its dependencies met and the
other does not, and make sure in these cases we just hold back from
upgrading entirely.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
When generating dependencies, we were using the slot number instead of
the image number to determine which dependencies to mark invalid. Fix
this, so that we can test configurations where one image is upgradeable
and the other not.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
Before running tests, a sanity upgrade was run to gather the amount of
flash writes to be expected for the operation. This operation fails when
the dependencies hold an upgrade, so the checks were updated to avoid
aborting under those circumstances.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Decode the MCUBOOT_DEBUG_DUMP environment variable into a series of
comma-separated strings, and create debug dumps for any test that
matches one of these strings. Also, the special string 'all' will match
every test, causing every image under test to be dumped.
The dumped images will contain an atomic counter, so that all of the
generated files will be unique for a given run.
Signed-off-by: David Brown <david.brown@linaro.org>
Add a `debug_dump()` method to `Images` to allow the images to be
written to a file. The dependency test will call this if the
environment variable MCUBOOT_DEBUG_DUMP is set.
In order to make these debug dumps more useful, add a simple partition
table to the beginning of the image (where MCUboot would reside on
target). This has a simple header, and then entries for each partition,
using the partition ids used within the simulator. This allows the
image to be more easily used by external tools.
As an example, `scripts/mcubin.bt` is a binary template for the [010
Editor](https://www.sweetscape.com/010editor/), allowing it to decode
and show the details of images from MCUboot.
Signed-off-by: David Brown <david.brown@linaro.org>
With the recent changes in bootutil, now there is no need to lock the
test threads to run sequentially, so the global lock was removed. The
locking now happens to access resources such as flash, flash params,
simulator context, etc on a per thread basis. Some of the global
variables that were used by the simulator itself (FFI) were made into a
context struct passed in to invoke_go.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Currently to determine which image is being operated on, there is a global
variable called current_image which is used by most macros and APIs to
correctly access the flash areas required by the bootloader. This moves
this variable to the already existing state struct and refactors all
macros and APIs to receive the current image by parameters. To maintain
compatibility some of the macros were not updated and use image 0 when
called.
The definitions of FLASH_AREA_IMAGE_PRIMARY and FLASH_AREA_IMAGE_SECONDARY
for Mynewt compatibility were moved out of bootutil sources to a Mynewt
specific include file.
Signed-off-by: Fabio Utzig <utzig@apache.org>
There are three methods that verify multiple images that essentially
manually implement the `all` and `any` methods of `Iterator`. It makes
it difficult to understand what these do, as there is an early return of
true or false, with various negations of the check.
Replace these with calls directly to `any` or `all` so that it is
clearer what each function is doing. The generated code should be the
same.
Signed-off-by: David Brown <david.brown@linaro.org>
Rather than just make the test images entirely pseudorandom data, add a
small textual header to the front that describes some key information
about each image. This can be helpful when debugging, to determine what
exactly is in each image slot.
Signed-off-by: David Brown <david.brown@linaro.org>
Create a trait `Depender` which is passed down to the image create and
verification to check and test for various types of dependency
resolution. Add a test that uses this to test the simple case of unmet
dependencies preventing an upgrade.
The actual test is disabled (with an `if false ...`) because the code
under test loops forever in this configuration.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of manually expanding multi-byte encoding, use the byteorder
crate which has its own extension methods to do this. This both makes
the code a bit clearer, and also makes it clear that these encodings are
specific to little endian platforms.
Signed-off-by: David Brown <david.brown@linaro.org>
Many places in the image code pass a pair of
slots: &[SlotInfo], slot: usize,
around as arguments. Simplify this by just passing a `&SlotInfo`. For
the few instances where code needs to know the index of a slot, add an
index field to the `SlotInfo` struct for these to use. This eliminates
an argument from 4 functions/methods, and the numerous places they are
called.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of a growing number of no-argument methods that just call other
methods with fixed arguments, change the `sim_test` macro to pass
through arguments to the test methods. This will make it easier to
further parameterize the test entrypoints.
Signed-off-by: David Brown <david.brown@linaro.org>
When doing a test with fails, the total number of flash accesses is
first calculated doing an upgrade without fails, which is then used to
fail/resume at all test points. The count was always considering the
setting of a permanent upgrade, which added 1 to the total count in a
non-permanent upgrade. This amount was being discounted when running
the test/revert with fails, although the discount was only ok for single
images. This adds a new image constructor that does not run a permanent
upgrade and thus gets the correct number of flash accesses for a
test/revert no matter how many images are being tested.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This was previously removed because it failed on multi-image tests due
to some image having finished an upgrade and having its flag already
set. A new method was added that checks that at least one copy_done flag
is unset, thus not all upgrades have finished.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Recent versions of the Rust compile tool `cargo` insert a comment at the
top of `Cargo.lock` indicating that this file is auto-generated. Commit
versions of these files with this comment in, so that users of recent
versions of Rust will not have spurious diffs every time they compile.
Older versions of Rust will remove these lines. However, this is less
likely to be an issue, as we now depend on at least Rust 1.31 in order
to have Rust 2018 support. We recommend using 'rustup' to keep the Rust
install up to date.
Signed-off-by: David Brown <david.brown@linaro.org>
In case of multi image boot this check fails, because the
copy_done flag is set per image when an image swap has finished.
When the second image update is interrupted, the copy_done flag
has already been set for the first image.
Change-Id: Ic97dd5e4c5cdb5a5a94971f3ca84bfe0d7583dd4
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
This patch introduces the BOOT_IMAGE_NUMBER macro and current_image
variable to support multiple updatable images and the associated
extended flash layout.
The FLASH_AREA_IMAGE_* object-like macros are replaced with
function-like ones and therefore some functions have been updated,
because the labels of a switch statement and the initialization
values of objects with static storage duration have to be constant
expressions.
Change-Id: Ib7b26ec3c94233e52db4f97825ddb6a3e55bb1d3
Signed-off-by: David Vincze <david.vincze@arm.com>
Support non-continuous image flash area ID mapping. It was assumed
that the flash area IDs are subsequent and increasing numbers which
might not be true in all cases.
Change-Id: I0d1285d6fcf1e83a64611c9ad4f65abd002c25d3
Signed-off-by: David Vincze <david.vincze@arm.com>
This extends the test+revert case with an interruption on the revert
stage, as it was previously only interrupted on the test stage. For
simplicity the interruption happens on the same interruption point for
both test and revert stages.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: Christopher Collins <ccollins@apache.org>
Make images slightly larger to allow more swap status metadata to be
written to flash, to increase amount of debugging info and possibility
of failures on random write fails.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: Christopher Collins <ccollins@apache.org>
This fixes #480.
When mcuboot rewrites image trailers during a swap, some information is
lost. If a reset occurs before the swap completes, mcuboot may not be
able to determine which swap type to resume upon startup.
Specifically, if a "revert" swap gets interrupted, mcuboot will perform
an extraneous swap on the subsequent boot. See
https://github.com/JuulLabs-OSS/mcuboot/issues/480 for details.
This commit adds an additional field to the image trailer: `swap-type`.
The new trailer structure is illustrated below:
```
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ~                                                               ~
    ~    Swap status (BOOT_MAX_IMG_SECTORS * min-write-size * 3)    ~
    ~                                                               ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ~               Encryption key 0 (16 octets) [*]                ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ~               Encryption key 1 (16 octets) [*]                ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Swap size           |    0xff padding (4 octets)    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Swap type   |            0xff padding (7 octets)            ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Copy done   |            0xff padding (7 octets)            ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Image OK    |            0xff padding (7 octets)            ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ~                       MAGIC (16 octets)                       ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
The `swap-type` field contains one of the `BOOT_SWAP_TYPE_[...]` constants.
Every time a trailer is written, this field is written along with it.
When resuming an interrupted swap, mcuboot uses this field alone to
determine the type of swap being resumed. For new swap operations
(non-resume case), this field is not read at all; instead, mcuboot
consults the `boot_swap_tables` array to determine the swap operation to
perform (as it did prior to this commit).
Some additional changes were necessary to make all the simulated unit
tests pass:
* Before initiating a new swap operation, always write the image trailer
to the scratch area. This step allows mcuboot to persist the
`swap-type` field somewhere before erasing the trailer in the primary
slot. If a reset occurs immediately after the erase, mcuboot recovers
by using the trailer in the scratch area.
* Related to the above: if the scratch area is being used to hold status
bytes (because there are no spare sectors in the primary slot), erase
the scratch area immediately after the trailer gets written to the
primary slot. This eliminates ambiguity regarding the location of the
current trailer in case a reset occurs shortly afterwards.
Signed-off-by: Christopher Collins <ccollins@apache.org>
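A constructed model of the trailer layout in the diagram and of the scratch-first recovery rule from the bullets above (editor's example, not MCUboot code): `BOOT_MAX_ALIGN`, `BOOT_MAX_IMG_SECTORS`, the magic bytes and the `BOOT_SWAP_TYPE_*` values are assumptions for this example, and the slots are in-memory byte arrays rather than flash.

```python
BOOT_MAX_ALIGN = 8           # diagram rows are 1 octet + 7 padding: write unit assumed 8
BOOT_MAX_IMG_SECTORS = 128   # assumed build constant for this example
ERASED = 0xff                # erased flash value modelled here
MAGIC = b"MCUBOOT-MAGIC-16"  # constructed 16-octet placeholder, not the real BOOT_IMG_MAGIC

# BOOT_SWAP_TYPE_* values as in bootutil.h (assumed from the public header)
BOOT_SWAP_TYPE_NONE, BOOT_SWAP_TYPE_TEST, BOOT_SWAP_TYPE_PERM, BOOT_SWAP_TYPE_REVERT = 1, 2, 3, 4


def trailer_layout(slot_size, with_enc=True, max_sectors=BOOT_MAX_IMG_SECTORS,
                   align=BOOT_MAX_ALIGN):
    """(offset, size) of each trailer field, counted back from the slot end."""
    layout, off = {}, slot_size
    for name, size in (("magic", 16), ("image_ok", align), ("copy_done", align),
                       ("swap_type", align), ("swap_size", align)):
        off -= size
        layout[name] = (off, size)
    if with_enc:                      # [*] keys are present only with encryption
        for name in ("enc_key1", "enc_key0"):
            off -= 16
            layout[name] = (off, 16)
    status_len = max_sectors * align * 3
    off -= status_len
    layout["swap_status"] = (off, status_len)
    return layout


def new_slot(slot_size):
    return bytearray([ERASED]) * slot_size


def write_trailer(slot, layout, swap_type, swap_size, copy_done=False, image_ok=False):
    """Write the magic plus the fields every trailer write now carries."""
    def put(name, data):
        off, _ = layout[name]
        slot[off:off + len(data)] = data    # rest of the field stays 0xff padding
    put("magic", MAGIC)
    put("swap_size", swap_size.to_bytes(4, "little"))
    put("swap_type", bytes([swap_type]))
    if copy_done:
        put("copy_done", b"\x01")
    if image_ok:
        put("image_ok", b"\x01")


def erase_trailer(slot, layout):
    start = layout["swap_status"][0]
    slot[start:] = bytes([ERASED]) * (len(slot) - start)


def read_byte(slot, layout, name):
    """First octet of a one-byte field, or None while it is still erased."""
    off, _ = layout[name]
    return None if slot[off] == ERASED else slot[off]


def resume_swap_type(primary, scratch, layout):
    """Simplified resume rule from the commit: trust the primary trailer when
    its magic is intact, otherwise fall back to the copy kept in scratch."""
    for slot in (primary, scratch):
        off, size = layout["magic"]
        if bytes(slot[off:off + size]) == MAGIC:
            swap_type = read_byte(slot, layout, "swap_type")
            if swap_type is not None:
                return swap_type
    return None


def demo(slot_size=16384):
    layout = trailer_layout(slot_size)
    primary, scratch = new_slot(slot_size), new_slot(slot_size)
    # As in the commit: persist the trailer in scratch before touching primary.
    write_trailer(scratch, layout, BOOT_SWAP_TYPE_REVERT, swap_size=4096)
    write_trailer(primary, layout, BOOT_SWAP_TYPE_REVERT, swap_size=4096)
    intact = resume_swap_type(primary, scratch, layout)
    erase_trailer(primary, layout)     # reset right after the primary erase
    recovered = resume_swap_type(primary, scratch, layout)
    erase_trailer(scratch, layout)     # nothing left to resume from
    lost = resume_swap_type(primary, scratch, layout)
    return intact, recovered, lost
```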
Prior to this change, the scratch image trailer had a different format
from a slot image trailer. Specifically:
1. The scratch trailer only contained a single set of status entries
(three bytes); the slot trailer contained `BOOT_STATUS_MAX_ENTRIES`
sets of status entries.
2. The scratch trailer did not contain the `copy_done` field.
This inconsistency required some extra conditional logic in the trailer
handling code. It is simpler to just use the same trailer format
everywhere.
This commit removes this inconsistency. Now, the scratch trailer
structure is identical to that of the slot trailer.
Signed-off-by: Christopher Collins <ccollins@apache.org>
This device is similar to the K64f device, but it is twice as large, and
has the extra partitions needed to test multi-image.
Signed-off-by: David Brown <david.brown@linaro.org>
Construct the ImagesBuilder based on the number of images compiled into
the code. If the flash device doesn't have enough areas for the test,
the test will be skipped.
Extend the FlashId to include Image2, and Image3. Remove the unused
ones, so that these can be placed immediately after the scratch area.
The current simulator code assumes the flash areas are numbered
contiguously, requiring these extraneous partitions to be eliminated.
Signed-off-by: David Brown <david.brown@linaro.org>
In addition to the binary capability flags, add a query function that
returns the number of images MCUboot has been configured to support.
Signed-off-by: David Brown <david.brown@linaro.org>
Some of the simulated devices aren't large enough to support the 5 slots
needed to test a multi-image configuration. To allow this to work, make
the return from the `ImagesBuilder` return an option, so that it will be
able to indicate (with `None`) that this configuration isn't possible to
test, and that the test should be skipped.
Signed-off-by: David Brown <david.brown@linaro.org>
The Rust community has decided that 'failure' is the future, instead of
'error-chain'. Migrate the flash simulator to this new error handling
package. The changes are relatively minor, and the end result is a
similar `FlashError` type.
Signed-off-by: David Brown <david.brown@linaro.org>
Move the three fields associated with each "Image" into a substructure
where we can have an array. If the array size is 1, the behavior should
be identical to the previous behavior, but this will make it possible to
support multiple images just by creating more than one of these.
Signed-off-by: David Brown <david.brown@linaro.org>
The functions `try_upgrade`, `try_revert`, `try_revert_with_fail_at`,
and `try_random_fails` make more sense as methods. Move them into the
`Images` impl so they have access to `self` and some various fields.
Signed-off-by: David Brown <david.brown@linaro.org>
The name `SimFlashMap` is a bit misleading, as the Map part is more of
an implementation detail when the type really just represents multiple
flash devices.
This is just a rename, but the names `SimFlashMap` and the value
`flashmap` occur in a lot of places in the image module.
Signed-off-by: David Brown <david.brown@linaro.org>
Create an `ImageData` type to represent the stored content of a single
slot. This holds plaintext and optional ciphertext. This fixes a bit
of unclarity with regards to these fields:
- Before, the plaintext was an Option, even though it is always
present. The field is clearly always present now.
- The mapping between slot numbers, and plain and ciphertext was not
made clear. Now that is spelled out in a match statement.
- The type has a name, rather than an anonymous array that looked a
bit too much like it had to do with slot numbers.
Signed-off-by: David Brown <david.brown@linaro.org>
Rename `Run` to `ImagesBuilder`, and move its definition into the
`images` module. This makes much more of the functionality local to
this module. With this locality, all of the fields of `Images` can now
be made private making it easier to add future support for multiple
images.
Signed-off-by: David Brown <david.brown@linaro.org>
Rust convention is to have types before implementation. Move `Images`
up to the top to make it more prominent. This is also a good
opportunity to add a bit of a comment to this struct.
Signed-off-by: David Brown <david.brown@linaro.org>
The `Run` type is used as a builder for `Images`, describing the
particular device config. Convert the `make...` methods to take `self`
by value to avoid needing to clone all of the fields for the new struct.
The `main` test running now needs to do a few clones of `Run` in order
to build different configurations, but the primary test runner (through
`cargo test`) is now able to avoid having to clone the entire flash
simulators.
Signed-off-by: David Brown <david.brown@linaro.org>
Different manifest objects will use different magic values for the
header. Allow this support by providing a query to retrieve the
appropriate magic value.
Signed-off-by: David Brown <david.brown@linaro.org>
In preparation for adding support for differing manifest types, abstract
the TlvGen with a trait object `ManifestGen`. This will allow alternate
implementations to be made.
Signed-off-by: David Brown <david.brown@linaro.org>
The enc_state table was indexed with the assumption that
image flash areas are subsequent and increasing numbers.
This might not be true while building zephyr.
This patch introduces a flash_area_id_to_image_slot() implementation for
the zephyr port and uses it to assign the proper slot number.
This API is already available in MyNewt.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
This change replaces the slot 0/1 terminology with primary/secondary
slot and replaces FLASH_AREA_IMAGE_0/1 with
FLASH_AREA_IMAGE_PRIMARY/SECONDARY. This naming convention may be more
understandable, fits better to MCUs with multiple images and it is an
architecture agnostic alternative as well.
Change-Id: I655a585f6ae023852c671ee6635399efe25209c9
Signed-off-by: David Vincze <david.vincze@arm.com>
Signed-off-by: David Brown <david.brown@linaro.org>
The Zephyr flash_map rework causes the exact area ID numbers to be
assigned dynamically.
This patch is the counterpart to
https://github.com/zephyrproject-rtos/zephyr/pull/8837
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
This removes the unsafe Tinycrypt bindings previously used for signing
with ECDSA, and relies on ring native support.
The ring library was updated to 0.14.1.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Remove the final conditional compilation in the simulator. The
simulator is now always built the same way, and bases the tests it runs
on the capability queries made to the MCUboot code. This simplifies the
simulator code a bit, and, importantly, removes the ability to have
mismatches between the configuration as compiled into the MCUboot code
and how the simulator is compiled.
Signed-off-by: David Brown <david.brown@linaro.org>
Turn some more conditional compilation into runtime decisions based on
how the code being tested is compiled.
Signed-off-by: David Brown <david.brown@linaro.org>
Now that we can dynamically query whether mcuboot is built with
encryption support, remove conditional compilation in favor of a dynamic
query.
Signed-off-by: David Brown <david.brown@linaro.org>
Remove some compile-time configuration of the overwrite-only flag.
These will be decided by doing a dynamic query of how the mcuboot code
has been compiled.
Signed-off-by: David Brown <david.brown@linaro.org>
Start refactoring the image code by moving it to a separate module.
This requires some structs and fields be made public. Otherwise, the
code is unchanged.
Signed-off-by: David Brown <david.brown@linaro.org>
Since logging was broken due to incompatibility between log and
env_logger versions, those crates were updated to known to be compatible
versions. Update initialization of env_logger that does not return a
Result<> anymore.
Other crates were updated to remove duplicated versions as much as
possible.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The old log subsystem has been deprecated in Zephyr.
Migrate to the new subsystem to avoid compilation warnings.
In-place log processing is selected, as it is required because MCUBoot is
a single-threaded application.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Apply the changes suggested by
cargo fix --edition-idioms
as well as a bit of cleanup of the results. The result should be more
idiomatic Rust 2018 and a good starting point moving forward.
Signed-off-by: David Brown <david.brown@linaro.org>
Automatic migration to Rust 2018. This is the result of running
cargo fix --edition
The resulting code is compatible with both Rust 2015 and 2018. Change
the edition field in the Cargo.toml file as well to begin a more
complete migration.
Signed-off-by: David Brown <david.brown@linaro.org>
Apply the changes suggested by
cargo fix --edition-idioms
and cleanup the results a bit. Eliminate `macro_use` extern crates.
Signed-off-by: David Brown <david.brown@linaro.org>
Apply the changes suggested by
cargo fix --edition-idioms
as well as a bit of cleanup of the results. The result should be more
idiomatic Rust 2018 and a good starting point moving forward.
Signed-off-by: David Brown <david.brown@linaro.org>
Automatic migration to Rust 2018. This is the result of running
cargo fix --edition
The resulting code is compatible with both Rust 2015 and 2018. Change
the edition field in the Cargo.toml file as well to begin a more
complete migration.
Signed-off-by: David Brown <david.brown@linaro.org>
A few packages have updates that make them more convenient to use with
Rust 2018's 'use macro'. This is convenient as it allows control over
what macros are imported, but without these updates, these packages
require you to know the names of internal macros to import.
Signed-off-by: David Brown <david.brown@linaro.org>
This adds the functionality to build/run testing on images that were
signed using ECDSA and encrypted with KW, using tinycrypt.
Also, when in this mode (ecdsa+kw), this adds the Mbed-TLS submodule to the
build because the simulator needs to use the Mbed-TLS key wrapping
infrastructure to generate the keys sent to the image.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds an external SPI flash that uses a larger sector size than
the internal flash. Currently this breaks the tests but it's being
added here to trigger a CI fail that will be fixed by adding support
for this feature in a subsequent commit.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds an initial device with multiple flash (nrf52840 + SPI flash)
and updates all test routines to use a HashMap of flash devices (added
as type SimFlashMap).
Signed-off-by: Fabio Utzig <utzig@apache.org>
A new type `FlashMap` that stores a HashMap of [device_id -> Flash trait]
was added, which enables multi-flash devices to be passed around.
The previously existing static FLASH value that was used to simulate the
raw device, was updated to using a FlashMap which enables bootutil to
interface with more than one flash device.
Signed-off-by: Fabio Utzig <utzig@apache.org>
AreaDesc was modified to not receive a flash device on its constructor,
and instead a new function `add_flash_sectors` was added that allows it
to receive a flash device and id.
The `add_image` function that populates the areas also now receives a
dev_id that is used internally as fa_device_id.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The previous c/rust ffi functions were hardcoding the values of align
and erased_val before each run through static globals. This adds new sim
flash functions that get the align/erased_val from the sim flash device
that is being run on, allowing that later multiple flash devices can
each use its own params.
Signed-off-by: Fabio Utzig <utzig@apache.org>
A new align() function was added to SimFlash, and most functions that
were using/receiving align or erased_val parameters that had access to a
Flash trait were cleaned up so that they get the parameters directly
from the Flash device.
This will make it easier to extend for multiple Flash devices since
parameters should depend on the device in use.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Update `flash_area_*()` functions to call `sim_flash_*()` directly
instead of using `hal_flash_*()` functions that were not part of the
main bootloader anymore.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds an HDR_SIZE constant to the simulator which allows for easier
testing of images with different header sizes.
Signed-off-by: Fabio Utzig <utzig@apache.org>
TLV types don't need to list KEYHASH because it's already added by any
signature TLV.
Total sizes were missing the KEYHASH amount.
Add a new TLV for images signed with RSA and encrypted with RSA-OAEP.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds new cargo features to allow running tests of encrypted
images with both RSA-OAEP and AES-128-KW.
When installing images on the simulated flash, both a plain and an
encrypted image are created. When encrypted image support is enabled,
verification of images in slot1 matches against the encrypted image,
otherwise plain images are used.
PS: Also fixes ImageHeader to match bootutil definition.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This extends the simulator to be able to test the bootloader in devices
which use flash technologies that erase flash at 0 instead of 0xff.
Two MCU devices that have this "property" are the STM32L0x and STM32L1x
lines from ST.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This also updates the RSA test to add extra build files for zeroize, and
updates to new calloc/free configuration style.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This updates error-chain to remove a warning on recent rust distros.
`pem` was updated to get a fairly recent `error-chain` as well.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The hardcoded keys for Zephyr were removed and external references were
added for the build-time autogenerated variables. A hardcoded key file
was added specifically for the simulator.
Signed-off-by: Fabio Utzig <utzig@apache.org>
New logging macros were added for all supported platforms, following the
documentation defined in the template config file.
Signed-off-by: Fabio Utzig <utzig@apache.org>
These (currently) trivial files do not add license headers. Go ahead
and add the boilerplate Apache header.
In addition, I've also added an SPDX header. Although this is a first
for the MCUboot project, this will provide a template for adding these
headers to other files.
Fixes #282
Signed-off-by: David Brown <david.brown@linaro.org>
CC: Marti Bolivar <marti@opensourcefoundries.com>
CC: Fabio Utzig <utzig@apache.org>
The patch introduces usage of the zephyr flash_map module instead
of the mcuboot zephyr-only implementation. The unused flash_area_to_sectors
API of the former flash_map was removed as well.
Size of sector-status-update-map entry is now defined thanks to the
minimum write size supported by the flash driver.
To avoid ambiguity the former zephyr-only file flash_map.c
was renamed to flash_map_extended.c (its code now implements
only additions to what zephyr flash_map implements).
The flash_map.h header include is now wrapped by the flash_map_backend.h header
because implementations and include paths are different in Zephyr and Mynewt.
Usage of hal_flash_align() was replaced by usage of flash_area_align().
This provides consistency between the MyNewt and Zephyr implementations as
this API is available in both RTOSes.
flash_map.h was moved to the simulator c-support files as it is now missing in
the boot/zephyr subdirectories.
boot_scratch_fa_device_id was removed as unused.
boot_img_fa_device_id was removed and the only use of it
(in loader.c) expanded.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The README file is missing extra information about how to run all the
different test configurations; add this in.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Continue removing platform-specific conditional compilation from
bootutil by adding a new MCUBOOT_HAVE_ASSERT_H configuration option
and associated header file. Right now, that's only used by the
simulator.
That leaves just bootutil_log.h with platform-specific contents, but
since it's meant to be an abstraction layer for logging, we'll let it
stand for now.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Take the opportunity to clean up a bit of platform cruft that has
gotten into bootutil by moving it to mcuboot_config.h, and ensuring it
is documented in the template config file.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Handle the CONFIG_BOOT_SIGNATURE_TYPE_xxx values in Zephyr's
mcuboot_config.h by converting them into the platform-agnostic MCUboot
definitions.
This requires some changes to the way the release test Makefile is
structured, since Kconfig symbols cannot be set from the command line.
Instead, use the OVERLAY_CONFIG feature of the Zephyr build system,
which allows specifying extra fragments to merge into the final
.config. (This is an orthogonal mechanism to setting CONF_FILE; it is
used by Zephyr's CI script sanitycheck to add additional fragments, so
it's appropriate for use by MCUboot's testing scripts as well.)
We additionally need to move to a single prj.conf file due to a
dependency issue. We can no longer determine CONF_FILE from the
signature type, since that is now determined from the final .config or
autoconf.h, which is a build output that depends on CONF_FILE.
To move to a single prj.conf:
- delete prj-p256.conf and adjust prj.conf to serve both signature types
- add a top-level mbedTLS configuration file which dispatches to
the right sub-header depending on the key type
- as a side effect, have the simulator pick the right config file
depending on the case
This fixes and cleans up quite a bit of the signature type handling,
which had become something of a mess over time. For example, it fixes
a bug in ECDSA mode's configuration that wasn't actually selecting
config-asn1.h, and forces the simulator to use the same mbedTLS
configuration file as builds for real hardware.
Finally, we also have to move the mbedTLS vs. TinyCrypt choice into
mcuboot_config.h at the same time as well, since CMakeLists.txt was
making that decision based on the signature type.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
2.7.0 fixes a security issue but breaks MCUboot. Bump to this version
so that the simulator will verify that this version works properly.
Signed-off-by: David Brown <david.brown@linaro.org>
Move to newer versions of some upstream packages, lazy_static, which is
now at 1.0 (no api change), and error-chain (0.11), which eliminates a
warning during compilation.
Signed-off-by: David Brown <david.brown@linaro.org>
Assertions that are expected to fail under sim test are now marked as such
using the macro ASSERT, which allows programmatically switching between normal
assert() behavior and captured assertion.
Assertion changes were moved to more appropriate owners and code duplication
was removed.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This test marks the status write regions as a bad region,
causing errors, but it is allowed to complete the swap. On
restart the firmware in slot0 should be validated and work.
Signed-off-by: Fabio Utzig <utzig@apache.org>
At the moment writes always check that they are being
performed on an erased section of memory. This patch enables
a test to disable that, to enable looking for other error
causes.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add new interface to enable configuring regions of the simulated
memory to fail probabilistically. An entry is based on an offset,
length and rate of failure. This only applies to write operations
and throws an error that can be caught in tests.
Signed-off-by: Fabio Utzig <utzig@apache.org>
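The commits above describe several pieces of the simulated flash: a `FlashMap` keyed by device id holding `Flash` trait objects, devices that report their own `align()` and `erased_val()`, parts that erase to 0 instead of 0xff, an optional check that writes only land on erased bytes, and bad regions that fail writes probabilistically. The following is an added illustration of those mechanisms written for this page; it is not the MCUboot simulator's own code. The trait, type and function names, the two-device layout in `build_flash_map`, the xorshift64 generator used for the failure rate, and the choice that an injected failure leaves the device untouched are all assumptions made here.

```rust
use std::collections::HashMap;

/// Failure modes a simulated flash operation can report back to a test.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum FlashError {
    OutOfBounds,
    Unaligned,
    NotErased, // write touched bytes that do not hold the device's erased value
    BadRegion, // a configured bad region injected a failure for this write
}

/// Device interface; each device reports its own alignment and erased value.
pub trait Flash {
    fn align(&self) -> usize;
    fn erased_val(&self) -> u8;
    fn erase(&mut self, off: usize, len: usize) -> Result<(), FlashError>;
    fn write(&mut self, off: usize, payload: &[u8]) -> Result<(), FlashError>;
    fn read(&self, off: usize, len: usize) -> Result<Vec<u8>, FlashError>;
}
/// device_id -> device, so a multi-flash layout travels as one value.
pub type FlashMap = HashMap<u8, Box<dyn Flash>>;

/// Writes overlapping [off, off+len) fail with probability `rate` (0.0..=1.0).
#[derive(Clone, Copy)]
struct BadRegion { off: usize, len: usize, rate: f64 }

pub struct SimFlash {
    data: Vec<u8>,
    sector_size: usize,
    align: usize,
    erased_val: u8,
    verify_writes: bool,
    bad_regions: Vec<BadRegion>,
    rng: u64, // xorshift64 state; deterministic so failure injection is reproducible
}

impl SimFlash {
    pub fn new(sector_size: usize, sectors: usize, align: usize, erased_val: u8) -> Self {
        SimFlash {
            data: vec![erased_val; sector_size * sectors],
            sector_size, align, erased_val, verify_writes: true,
            bad_regions: Vec::new(), rng: 0x9e37_79b9_7f4a_7c15,
        }
    }
    /// Switch off the "must write into erased bytes" check to hunt for other error causes.
    pub fn set_verify_writes(&mut self, on: bool) { self.verify_writes = on; }
    pub fn add_bad_region(&mut self, off: usize, len: usize, rate: f64) {
        self.bad_regions.push(BadRegion { off, len, rate });
    }
    fn next_unit(&mut self) -> f64 {
        let mut x = self.rng;
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        self.rng = x;
        (x >> 11) as f64 / (1u64 << 53) as f64 // uniform in [0, 1)
    }
    fn check_bounds(&self, off: usize, len: usize) -> Result<(), FlashError> {
        let inside = off.checked_add(len).map_or(false, |end| end <= self.data.len());
        if inside { Ok(()) } else { Err(FlashError::OutOfBounds) }
    }
}

impl Flash for SimFlash {
    fn align(&self) -> usize { self.align }
    fn erased_val(&self) -> u8 { self.erased_val }
    fn erase(&mut self, off: usize, len: usize) -> Result<(), FlashError> {
        self.check_bounds(off, len)?;
        if off % self.sector_size != 0 || len % self.sector_size != 0 { return Err(FlashError::Unaligned); }
        let ev = self.erased_val;
        for b in &mut self.data[off..off + len] { *b = ev; }
        Ok(())
    }
    fn write(&mut self, off: usize, payload: &[u8]) -> Result<(), FlashError> {
        let len = payload.len();
        self.check_bounds(off, len)?;
        if off % self.align != 0 || len % self.align != 0 { return Err(FlashError::Unaligned); }
        // Injected failures are decided before any byte changes, so a failed write
        // leaves the device untouched (an assumption made for this example).
        for r in self.bad_regions.clone() {
            let overlaps = off < r.off + r.len && r.off < off + len;
            if overlaps && self.next_unit() < r.rate { return Err(FlashError::BadRegion); }
        }
        let ev = self.erased_val;
        if self.verify_writes && self.data[off..off + len].iter().any(|&b| b != ev) {
            return Err(FlashError::NotErased);
        }
        self.data[off..off + len].copy_from_slice(payload);
        Ok(())
    }
    fn read(&self, off: usize, len: usize) -> Result<Vec<u8>, FlashError> {
        self.check_bounds(off, len)?;
        Ok(self.data[off..off + len].to_vec())
    }
}

/// Two-device layout in the spirit of the text: internal flash with 4 KiB sectors and
/// 8-byte write alignment, plus an external SPI flash with 64 KiB sectors (ids and
/// geometry invented for this example).
pub fn build_flash_map() -> FlashMap {
    let mut map: FlashMap = HashMap::new();
    map.insert(0, Box::new(SimFlash::new(4096, 8, 8, 0xff)));
    map.insert(1, Box::new(SimFlash::new(65536, 2, 1, 0xff)));
    map
}
```

Because alignment and erased value come from the device rather than from globals, a test that builds one map with a 0xff-erasing internal part and a 0-erasing part (the STM32L0x/L1x case) needs no per-run static reconfiguration; and because a bad region with rate 1.0 always fails while one with rate 0.0 never does, the failure paths can be exercised deterministically before turning to a fractional rate.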
When building in simulator mode, mock assert() to call a simulator
function which will enable other code to check if some path failed.
The assert checking interface was added to boot_go, which now
returns the low-level invocation results as well as the number of
asserts triggered.
Some newly added tests check for assert() and expect it to happen. To not
abort tests, assert() was changed under the sim env to not call C assert()
and instead just do some internal calculation which can be checked
by the simulator after a bootloader run, and assert() catching behavior
was made optional (each test chooses the behavior it needs).
Signed-off-by: Fabio Utzig <utzig@apache.org>
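The two commits above describe an assert() that, under the simulator, either aborts as usual or only counts, with `boot_go` reporting the count next to the invocation result. The following is an added sketch of that switch written for this page, not MCUboot's own ASSERT macro or its `boot_go`: the names `sim_assert`, `boot_go` and `toy_boot`, the thread-local counter, and the toy bootloader's two checks are assumptions made here.

```rust
use std::cell::Cell;

thread_local! {
    // Per-thread so parallel test runs do not see each other's counters.
    static CAPTURE: Cell<bool> = Cell::new(false);
    static ASSERT_COUNT: Cell<usize> = Cell::new(0);
}

/// Stand-in for the bootloader's ASSERT: when capturing, a failed condition is
/// only counted; otherwise it aborts the run like a plain assert().
pub fn sim_assert(cond: bool, what: &str) {
    if cond { return; }
    if CAPTURE.with(|c| c.get()) {
        ASSERT_COUNT.with(|n| n.set(n.get() + 1));
    } else {
        panic!("assertion failed: {}", what);
    }
}

/// Runs one bootloader invocation with capture on or off and returns the
/// low-level result together with the number of assertions it tripped.
pub fn boot_go<F: FnOnce() -> i32>(capture: bool, boot: F) -> (i32, usize) {
    CAPTURE.with(|c| c.set(capture));
    ASSERT_COUNT.with(|n| n.set(0));
    let rc = boot();
    CAPTURE.with(|c| c.set(false));
    (rc, ASSERT_COUNT.with(|n| n.get()))
}

/// Toy "bootloader" (invented for this example): asserts on a bad trailer magic
/// and on a missing swap status, and refuses to boot when either check fails.
pub fn toy_boot(magic_ok: bool, status_written: bool) -> i32 {
    sim_assert(magic_ok, "trailer magic mismatch");
    sim_assert(status_written, "swap status not written");
    if magic_ok && status_written { 0 } else { -1 }
}
```

A test that expects a particular corruption to trip an assertion runs with capture on and checks the returned count; a test that should never assert runs with capture off so that any assertion aborts it immediately.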
This bundles the asn1 parser from mbed-tls into mcuboot, which allows
adding EC crypto (tinycrypt based) functionality for target OSes that
don't bundle mbed-tls.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Our current travis environment still uses gcc 4.8.4 which defaults to
std=gnu90. Some of tinycrypt's code requires c99.
Signed-off-by: Fabio Utzig <utzig@apache.org>