Update the dependencies in the main sim to the latest versions. There
are some minor changes in a few of the packages, and a fairly
significant change to the aes. The aes_ctr crate has been merged into
the aes crate, along with some changes to how it initialized.
Signed-off-by: David Brown <david.brown@linaro.org>
This reverts commit 78e4441bd3.
Although it shouldn't, this change is provoking numerous errors in
CI. In order to allow CI to continue, revert this change, and it can be
redone later, after fixing whatever is causing the CI build failures.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of requiring cargo to be run in the sim directory, create a
top-level "workspace" Cargo file, that references the others. The main
result of this is that cargo can now be run in the top of the workspace,
and the 'target' directory will be placed there, rather than in the sim
directory.
This is primarily of benefit to tools such as RLS, Rust-analyzer and
various IDEs that expect a crate at the top level of the tree.
Signed-off-by: David Brown <david.brown@linaro.org>
Combine all of the pieces to be able to test ram loading with multiple
images. We construct a model `RamData` that indicates where each image
should be loaded into RAM. This has to be made early enough to compute
signatures on the images, and then used later to verify that the images
were loaded properly.
Signed-off-by: David Brown <david.brown@linaro.org>
This RamData is filled in with a mapping between partitions and
information about where the data should be loaded into RAM when booting
in RamLoad mode. This commit creates the data, but does not yet use it.
Signed-off-by: David Brown <david.brown@linaro.org>
Test the basic configuration for ram loading. Instead of a fixed
address for RAM, the values come dynamically from a thread-local
variable (allowing the tests to run in parallel). The size of the ram
along with the address of the buffer in the test address space are
passed in this way.
This tests the single-image configurations of ram loading. Testing
multi-image will take additional work, as the RAM will need to be large
enough for both images, and the second image will need a meaningful
offset address in RAM.
Signed-off-by: David Brown <david.brown@linaro.org>
Perform simplistic test of the DIRECT_XIP configuration (both with
single and multi-images). This verifies that the bootloader indicates
the upgrade image should be booted.
Signed-off-by: David Brown <david.brown@linaro.org>
Add simulator support for building the direct-xip configuration.
Although this builds, there are no tests that test any of the
functionality, so all current tests trivially pass.
Signed-off-by: David Brown <david.brown@linaro.org>
Allow the sim to test configurations with MCUBOOT_RAM_LOAD defined.
This does not define any tests for this mode.
This adds definitions for simulated RAM offsets to the simulator. This
will define the offset (from `IMAGE_RAM_BASE`) to where the simulated
RAM will be located. For now, just give these somewhat reasonable
values so that we are able to at least compile the RAM_LOADING code in
the simulator.
Signed-off-by: David Brown <david.brown@linaro.org>
The function `flash_area_id_from_image_slot` is used in the RAM_LOAD and
DIRECT_XIP configurations. Define a version for use in the simulator.
Signed-off-by: David Brown <david.brown@linaro.org>
Some configurations of MCUboot do not modify the flash, but instead
MCUboot operates in a mode where it detects the best image to run.
Detect this, and skip what is currently a majority of the tests that
expect the upgrade to be moving data around in flash.
Signed-off-by: David Brown <david.brown@linaro.org>
The MCUBOOT_RAM_LOAD feature supports configurations where code is
loaded from flash into RAM before execution. As such, it is not
necessary for upgrades to move data around in flash.
Signed-off-by: David Brown <david.brown@linaro.org>
When the bootloader completes, it fills a response structure with
various information. Move this into the BootGoResult and provide an
accessor for it.
Signed-off-by: David Brown <david.brown@linaro.org>
Now that this result is abstracted, take the special case for a sim stop
and make it its own field. This hides the magic number we use to
indicate this to be entirely within mcuboot-sys.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of a tuple of values that is matched, return an abstract type
that has methods for querying the information we need. Abstracting this
will allow us to return additional information without having to change
all of the code that matches against these patterns.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of having this struct at a fairly low level in the simulator,
with the filled-in values effectively discarded after each call, pass
the value from higher up in the simulator. This prepares us for being
able to use the resulting data in upcoming tests.
Signed-off-by: David Brown <david.brown@linaro.org>
commit c304a7f84a
(refs/bisect/good-c304a7f84a7e7e345457e23b179fa302b8732fb9)
Author: Dominik Ermel <dominik.ermel@nordicsemi.no>
Date: Mon Jun 14 16:08:42 2021 +0000
sim: Add flash_area_get_device_id implementation
Adds an implementation for this function in the simulator that just
returns 0. Fix this to return the proper ID so that when tests start
checking for this, it will return the right value.
Signed-off-by: David Brown <david.brown@linaro.org>
Emits either MCUBOOT_SWAP_USING_SCRATCH and
CONFIG_BOOT_SWAP_USING_SCRATCH when swap using scratch
algorithm is expected.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Add new feature that allows testing EC256 encrypted images using the
Mbed TLS backend.
Move config-ecdsa.h to config-ec.h because definitions are very similar
between ECDSA and ECDH with Mbed TLS so resort to a single config file.
Add new feature and fix the build; add proper Mbed TLS memory
initialization when enc-ec256-mbedtls is used.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This padding field is defined as a u8 and a u16. Clarify the marshaling
code to match instead of just looping over bytes.
Signed-off-by: David Brown <david.brown@linaro.org>
This lifetime can be inferred by the compiler, so remove the explicit
one. This makes the code a little easier to read.
Signed-off-by: David Brown <david.brown@linaro.org>
Clippy suggests that having a closure in the condition of an if can be
confusing in regards to code formatting. Move the conditional outside
of the if into a temp variable.
Signed-off-by: David Brown <david.brown@linaro.org>
From a clippy suggestion, replace an index iterator over a slice, and
directly use a mutable iterator over the slice.
Signed-off-by: David Brown <david.brown@linaro.org>
Clippy suggests using a range with `contains` in situations where we
test if a value is within a range.
Signed-off-by: David Brown <david.brown@linaro.org>
Apply clippy suggestions to directly result in values instead of
returning those values at the end of a function. Better matches common
Rust style.
Signed-off-by: David Brown <david.brown@linaro.org>
In rust, if a struct field is initialized with a variable with the same
name as the field, it is redundant to say `field: field` as the
initializer, and just `field` is sufficient. Fix the instances of this
that clippy suggests.
Signed-off-by: David Brown <david.brown@linaro.org>
Cleanup some of the unsafe usage in mcuboot-sys. In one case, add a
safety comment to the function documentation. In the other, move the
unsafe to a narrower scope, reducing the number of instances of unsafe
needed. From clippy suggestions.
Signed-off-by: David Brown <david.brown@linaro.org>
Clippy suggests implementing Default when the `new` function for that
type just initializes the type to default values.
Signed-off-by: David Brown <david.brown@linaro.org>
According to clippy, `&'static` can just be `&` for static definitions,
which always have a static lifetime. Clean this up in the arrays in the
code, as well as generation code in imgtool.
Signed-off-by: David Brown <david.brown@linaro.org>
This incorporates changes both from the dependency changes in simflash,
as well as some minor changes that recent versions of Cargo make.
Signed-off-by: David Brown <david.brown@linaro.org>
The thiserror crate seems to be getting more momentum in the community
than failure. Switch to this for deriving our own error type.
Signed-off-by: David Brown <david.brown@linaro.org>
Add Mbed TLS ECDSA signature verification as an option (in addition to
Tinycrypt and the CC310 hardware version). Although the Mbed TLS ECDSA
verification code is both larger and slower, this will still save space
if there is another reason that the Mbed TLS code is already being
brought in for another reason (such as certificate management, for
example).
Mbed TLS's ECDSA verification works at a different level than the other
two libraries, so this takes a bit of reworking. There are some
additional parameters passed to the various functions, and a new define
MCUBOOT_ECDSA_NEED_ASN1_SIG to indicate that the ecdsa verification
wants the original ASN1 signature, not a decoded key.
This adds the boot changes and simulator support to test this configuration.
Signed-off-by: David Brown <david.brown@linaro.org>
Part of code of boot/bootutil/ is re-implemented in zephyr-rtos
repository.
As some code are defined here and there it becomes problem when
need to include it with outstanding feature in a build.
It is possible to mitigate problem using #fdefry - but this was
rather temporary hack.
This patch introduce new module which is common for MCUBoot build
and application build.
Common code were extracted to bootutil_public.c source file and
bootutil_public.h header
MCUboot also select DISABLE_MCUBOOT_BOOTUTIL_LIB_OWN_LOG Kconfig
option, as it must define log configuration on its own for all its
sourcecode.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Removes the current `flash_area_read_is_empty` which lacked a bit of
clarity in its naming and error handling, as well as requiring an
extra API in the flash map, and switches to using an internal function
`bootutil_buffer_is_erased`.
Code that was previously using `flash_area_read_is_empty` must now be
updated to do a `flash_area_read` followed by a call to
`bootutil_buffer_is_erased` with the read buffer.
The proposal was previously discussed here:
https://github.com/zephyrproject-rtos/zephyr/pull/28519
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Remove `MCUBOOT_OVERWRITE_ONLY_FAST` from overwrite-only upgrades, to
make it compatible with `large-write` tests after the latest changes
to the fast overwrite code; make it default when bootstrapping.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
The simulated alignment functions were returning u8 which would be
invalid for any alignment beyond 128; as a first step in the direction
of allowing larger alignments, make them u16 which should allow for up
to 2**15 aligment size.
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
Add fault attack mitigation measures to code vital for the correct
validation of images.
Change-Id: If6eb1110a8c2966faf105d07ad2e95482a80a8d9
Signed-off-by: Raef Coles <raef.coles@arm.com>
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
- The enc_context needs to initialize.
boot_enc_load seems to always be used to start the process, so calling
init inside makes sense.
- Handle boot_encrypt getting called with size of 0.
- No need to free contexts because Zephyr sets MBEDTLS_PLATFORM_NO_STD_FUNCTIONS.
I don't quite like this because it's implicit and will leak memory on
other ports.
Signed-off-by: Blaž Hrastnik <blaz@mxxn.io>
bootutil already handles ASSERT definition, allowing us to override it
with a custom implementation. Importing assert.h would pull in stdio.h
and a whole bunch of other stuff by TI compiler into the final
firmware.
Signed-off-by: Blaž Hrastnik <blaz@mxxn.io>
This device allows testing swap move with a primary slot that is one
sector larger than the secondary slot. No scratch was defined. Overwrite
upgrade could easily be made compatible as well, but for now leave it
as a disabled caps.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Upgrade to the latest aes-ctr package, and apply minor fixes due to
trait naming changes in this version.
Signed-off-by: David Brown <david.brown@linaro.org>
Update to the newest version of this crate. There are no API changes
affecting us, so this is just an update of the Cargo.toml file.
Signed-off-by: David Brown <david.brown@linaro.org>
There have been some revamping of the Rand API. The Standard
distribution on floating point numbers will return a value in the
interval [0,1).
Signed-off-by: David Brown <david.brown@linaro.org>
Fixup how we fake out devicetree.h, which is now really the flash map
API for what mcuboot is using.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Now that mbed tls has its own submodules, add `--recursive` to the
sample invocation of submodule update. Without this, building the
simulator produces difficult messages about `sha256.c` missing.
Signed-off-by: David Brown <david.brown@linaro.org>
With support for unpadded ecdsa signatures in place, always generate
unpadded signatures within the sim.
Signed-off-by: David Brown <david.brown@linaro.org>
Updates a few sim dependencies, reducing the amount of crates
required for a build; also gets rid of cases of more than one
version required for some crates. Results in depending on 76
crates instead of 89 before the PR.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add an apache SPDX header and explicit license lines. The date ranges
of the license lines is derived from the git history. Having these
explicitly present will make contributions from other parties easier, as
they will simply be able to add their own copyright line, rather than
having to describe that it only covers modifications.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of having lots of magic numbers to try and track the resulting
size of the TLV, just determine the size we end up with after encoding
it. The only place the size is used is in the header within the TLV
itself. Make this work by putting a placeholder in the TLV, and then
patching the value back after we know the full size.
In addition to removing a lot of magic numbers from the code, this will
make it easier to handle things that vary in size, such as X.509
certificates.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of having a running size that we try to always match the encoded
size of, compute it a bit more dynamically. The size is still needed
before the contents can be filled in, so this doesn't gain too much, but
will make it easier to compute the rest of the TLV size based on the
actual encoding rather than lots of magic numbers.
Signed-off-by: David Brown <david.brown@linaro.org>
This changes the simulator to save the encryption TLV itself instead
of the unecrypted AES-128 key when doing the ECIES encryption test,
to add proper test coverage of this configuration option.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add new bootutil function that returns the size of the status area.
The simulator was updated to remove the custom calculation and get
the size directly from bootutil, avoiding breakages the happen when
both are not in sync.
Signed-off-by: Fabio Utzig <utzig@apache.org>
In zephyr code-base some generic include patches
and defines had been deprecated since a while.
This condition was maintained until zephyr v2.1.0 inclusive.
Recently these deprecated items were removed completely from
the zephyr master branch. Zephyr current SHA of this patch is
e124c1cd34938f02bbe879533c6bd29b5ff53707
This patch switch mcuboot to using most recent items.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
* Adds a new level (BOOT_LOG_SIM) to be used only for messages that
are interesting while debugging bootutil in the simulator. This should
be used for extra verbose prints.
* Also added fflushs after fprints to guarantee that messages are printed
even when assertions are raised.
* For abstraction completeness, add "do nothing" definitions of _LOG_SIM
to the other ports.
* Make DEBUG the default level when building the simulator (one can
still lower verbosity using any other value for RUST_LOG).
Signed-off-by: Fabio Utzig <utzig@apache.org>
For some reason, the ECDSA signature generation code attempted to adjust
the length of the ASN.1 of the actual signature. It wasn't doing this
right, and was creating ASN.1 expecting many more entries than were
present. The half-run parser in the tinycrypt ECDSA signature check
didn't care about this, but mbed TLS's signature check does care.
The intent of the padding was to be able to predict the size of the TLV
before writing it out. Keep the padding for now, even though there is
no simple way of knowing how many pad bytes to remove (just removing
them will remove extra if there is a zero in the last byte of the
signature.
A future change will eliminate the padding, as it should no longer be
needed.
Signed-off-by: David Brown <david.brown@linaro.org>
Update `make_device` to return a slice of unsupported caps for a test.
This allows skipping tests in devices that are known to be non working
under some build configuration.
The device constructor was updated to return a `Result`, so that the
specific reason for skipping can be returned as a `String`.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add cap for swap using move and rename old swap upgrade cap to swap
using scratch. Update sim to allow swapping tests to also run using
move.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Currently, the tests that appear to be testing for invalid signatures
are actually just testing that images aren't used if the entire TLV
block is missing. Fix this by being more subtle about our corruptions.
If there is no signature, corrupt that data being used to generate the
hash. Otherwise, modify the data before it goes into the signature, but
generate a valid SHA256 in the TLV. This way, we exercise the signature
itself being corrupt.
Signed-off-by: David Brown <david.brown@linaro.org>
Previous changes have used 16-bit writes for calculated lengths, but are
using a pair of 8-bit writes for hard-coded values. Change these to
also use 16-bit writes for consistency, and clarity.
Signed-off-by: David Brown <david.brown@linaro.org>
Change the type of the TLV tag from an 8-bit unsigned value (followed by
8 bits of padding) to a 16-bit value. Because we are storing the tag as
little endian, the encoding will end up the same, but this will later
allow us to add more tags.
Signed-off-by: David Brown <david.brown@linaro.org>
These were added during development to make sure conditional compilation
was working. Now, they just cause excess messages to be printed.
Remove them.
Signed-off-by: David Brown <david.brown@linaro.org>
Removes the hard-coded image encryption keys, and updates with keys
generated randomly before use. This tests the correct behavior of
how ephemeral keys should be used when generating new images.
Signed-off-by: Fabio Utzig <utzig@apache.org>
To start adding support for devices with a large write size, modify the
simulator to allow a 'large-write' feature that will also run tests with
128 and 512 byte write alignments.
This requires fixing some places in image generation that assumed a
fairly small alignment (namely, padding the buffer at the end, rather
than individual parts), and detecting the large writes when writing the
MAGIC value to the image.
The flash API still passes the alignment back as a uint_8, but in
overwrite mode, this verifies that the boot code won't use this value.
Currently the 'large-write' feature requires 'overwrite-only' as well.
Signed-off-by: David Brown <david.brown@linaro.org>
Overwrite mode is always a permanent upgrade, so skip trying to mark
this in the images. This marking is problematic with larger write
alignments.
Signed-off-by: David Brown <david.brown@linaro.org>
This constant array is always just unwrapped. Remove the Option from
its type, and just make it an array.
Signed-off-by: David Brown <david.brown@linaro.org>
Some devices have a write alignment larger than 128. Allow this within
the simulator, by using `usize` instead of `u8` for the write alignment.
The value is still returned to the C code as an 8-bit integer, but this
help start debugging issues found on these devices.
Signed-off-by: David Brown <david.brown@linaro.org>
David Brown