According to clippy, `&'static` can just be `&` for static definitions,
which always have a static lifetime. Clean this up in the arrays in the
code, as well as generation code in imgtool.
Signed-off-by: David Brown <david.brown@linaro.org>
Since there won't be anymore alpha releases, rollback to latest official
(from master). The next released versions now can be either 1.7.X from
v1.7-branch or X.Y.Zrc1 for the release candidate of next stable
version.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Fixes padding hex images when encrypting. The issues stems from binaries
using `bytes` and IntelHex returning `array` where `bytes` cannot be
appended to, so use `.extend()` instead.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add SPDX headers indicating the Apache-2.0 license to the scripts in the
scripts directory. This can be assumed due to the presence of the
Apache-2.0 LICENSE file at the top of the project.
Fixes#930
Signed-off-by: David Brown <david.brown@linaro.org>
After the change to support protected TLVs, the `verify` command was not
updated with proper support. Fix it by skipping any protected TLV found,
and fix the size of the hashed/signed region to also include the
protected TLV area.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
The commit adds support for IMAGE_F_ROM_FIXED flag that allows setting
information on image base address into image_header.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Update version fields for 1.7.0 release.
Added compatibility note for zephyr-rtos.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
When Image.create() is called without the 'custom_tlvs' argument, it
gets its default value (None). It must be checked before performing
any operations on/with it.
Change-Id: I8e0755265f35f9eeb796fe078a6ad8c8d9f2b8da
Signed-off-by: David Vincze <david.vincze@linaro.org>
This patch introduces the ram-load mode in addition to the other
upgrade modes (swap strategies, overwrite-only, direct-XIP). When
ram-load is enabled with the MCUBOOT_RAM_LOAD option, mcuboot
selects the newest valid image based on the image version numbers from
the image header, thereafter the selected image loaded to the RAM and
executed from there. Load address is extracted from the image header.
Therefore the images must be linked to the RAM memory region.
The ram-load mode is very similar to the direct-XIP mode, main
difference is to load the newest image to the RAM beforehand the
authentication and execution. Similar to direct-XIP mode either
of the primary and the secondary slots can hold the active image.
Ram-load can be useful in case of a bit more powerful SoC, which
is not constrained in terms of internal RAM. It could be that image
is stored in external and therefore untrusted flash. Loading image
to internal (trusted) RAM is essential from the security point
of view the system. Furthermore execution from internal RAM is much
faster than from external flash.
This patch is based on the RAM_LOADING upgrade strategy which was
first introduced in the Trusted Firmware-M project.
Source TF-M version: TF-Mv1.0.
Change-Id: I95f02ff07c1dee51244ac372284f449c2efab362
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
In an effort to create a script to do firmware based on an URL, I could
not easily retrieve the image digest. `newtmgr` needs the hash when
marking a image for testing.
Signed-off-by: Casper Meijn <casper@meijn.net>
This patch introduces the direct execute-in-place (XIP) mode in addition
to the other upgrade modes (swap strategies, overwrite-only). When
direct-XIP is enabled with the MCUBOOT_DIRECT_XIP option, mcuboot
selects the newest valid image based on the image version numbers from
the image header, thereafter the selected image runs directly from its
flash partition (slot) instead of moving it. Therefore the images must
be linked to be executed from the given image slot. It means that in
direct-XIP mode either of the primary and the secondary slots can hold
the active image.
This patch is based on the NO_SWAP upgrade strategy which was first
introduced in the Trusted Firmware-M project.
Source TF-M version: TF-Mv1.0.
Change-Id: If584cf01ae5aa7208845f6a6fa206f0595e0e61e
Signed-off-by: David Vincze <david.vincze@linaro.org>
Custom TLVs will be placed in the protected area.
Tag and value come from command line.
Values with 0x prefix will be interpreted as an integer, otherwise
it will be interpreted as a string.
Signed-off-by: Ihor Slabkyy <ihor.slabkyy@cypress.com>
Update various version fields. Also include a note in the release notes
describing Zephyr compatibility.
Signed-off-by: David Brown <david.brown@linaro.org>
Set the RAM_LOAD flag in the image header when a load address was passed
to the imgtool script, indicating that the image should be loaded into
RAM and run from there.
Change-Id: Id9d2c179d7fa1ff7d15cf671c09c61b5b78c88a8
Signed-off-by: David Vincze <david.vincze@linaro.org>
The --public-key-format option can be used to distinguish where
the public key is stored for image authentication. It can be embedded
in MCUboot or by selecting 'full' it can be in the image manifest.
The source of this change:
https://review.trustedfirmware.org/c/trusted-firmware-m/+/1579
Change-Id: If658dff8147cfce2f27bfc0209ecf0d6d9cb2a73
Signed-off-by: David Vincze <david.vincze@linaro.org>
Add new '--boot-record' option for imgtool to add a new type of TLV to
the image manifest called BOOT_RECORD. This TLV contains CBOR encoded
data with some basic information about the image (SW component) it
belongs to, these are the following:
- SW type (role of the software component)
- SW version
- Signer ID (identifies the signing authority)
- Measurement value (hash of the image)
- Measurement type (algorithm used to calculate the measurement value)
The boot_record.py file and most of the modifications in image.py are
coming from the Trusted Firmware-M project
(https://www.trustedfirmware.org/about/).
Hash of the source commit: 08d5572b4bcee306d8cf709c2200359a22d5b72c.
This patch is based on the recommendations of Arm's Platform Security
Architecture (PSA) and its purpose is to support compliance with it.
Change-Id: I379ccc57b48ad2311837cb3fd90f5f9d1c9b5bac
Signed-off-by: David Vincze <david.vincze@linaro.org>
Since commit:
commit a36082664e
Author: David Brown <david.brown@linaro.org>
Date: Thu Dec 12 15:35:31 2019 -0700
ecdsa: Allow ECDSA signatures to be actual length
MCUboot no longer requires ECDSA signatures to be padded to a fixed
length. This change makes imgtool, by default, also no longer add this
padding to images. There is an option `--pad-sig` that can be given to
the sign command to re-instate this padding. This flag will be needed
to make images that will work with older (pre 1.5.0) versions of
MCUboot.
Signed-off-by: David Brown <david.brown@linaro.org>
Add imgtool command line option for confirming (setting image_ok =
0x01) in a padded image.
Fixes: #664
Signed-off-by: Henrik Brix Andersen <hebad@vestas.com>
Optionally add new security counter TLV to the protected image manifest
and also introduce a new command line option for the imgtool to specify
the value of this counter. The security counter can be used in rollback
protection to compare the new image's security counter against the
active counter value. Its value can be independent from the image
version, but if the 'auto' keyword is passed in the argument list of the
script then it will be generated from the version number (not including
the build number).
The value of the security counter is security critical data. Therefore,
it must be part of the protected TLV area.
Change-Id: I45926d22364d0528164f50fa379abf050bdf65ff
Signed-off-by: David Vincze <david.vincze@arm.com>
The `--erased-val` (or `-R`) option was doing conversion of base 10, so
the only value that was acceptable was 0. Although not passing this
option would result in the default `0xff` being used, this fixes the
issue by allowing Python to auto-detects the base from string.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Click has better UI for exceptions, so instead of throwing a backtrace,
allow it to print a nicer error message.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This breaks the check() routine into two, one to check the header, one
to check the trailer. The reason is that header checking must be
performed when loading the input binary, while trailer overrun check
must be done after the whole image (with TLVs) is built.
To support the option of saving encrypted TLVs during swap in the
bootloader, a new parameters was added to the create command, to
allow the user to provide a config that matches the bootloader build
option and to do proper image overrun checks.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This applies a few improvements to a commit previously included in
PR #596:
* Move functions to dump a private key to the private key classes
* Remove language option; always dumps in C format
* Add option to generate a minimal dump. This will remove extra
parameters that are present in keys generated with the `keygen`
command.
For P256 this will remove the public point, which is already
ignored by the parsing function. The resulting key dump shrinks
from 138 to 70 bytes.
For RSA it will remove the DP/DQ/QP parameters which are only
used with CRT enabled, and if not available, can be calculated at
runtime. This reduces the size of a key dump from around 1190
bytes to somewhere close to 800 bytes. A patch to the RSA parsing
routine will be added in another commit.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: Ioannis Konstantelias <ikonstadel@gmail.com>
Apply a few improvements to the type parameter in the keygen command.
Currently finding out the key types requires passing an invalid value
to display what values are available. Instead add them the help page,
so it shows an output like below:
```
-t, --type type One of: rsa-2048, rsa-3072, ecdsa-p256, ecdsa-p224,
ed25519 [required]
```
When no type is given in the cli, ask for it:
```
$ ./imgtool.py keygen -k privkey.pem
Type (rsa-2048, rsa-3072, ecdsa-p256, ecdsa-p224, ed25519):
```
Signed-off-by: Fabio Utzig <utzig@apache.org>
Commit 9117fded47 added support for
supplying an `--erased-val`, which defaults to 0xff. When padding a
header, the checks were still validating against 0, which is the
value used for padding by the Zephyr build system. Now when the
user passes `--pad-header` this check is skipped (we already know
the contents).
Signed-off-by: Fabio Utzig <utzig@apache.org>