When 'direct-xip' or 'ram-load' features were enabled,
CONFIG_BOOT_SWAP_USING_SCRATCH and MCUBOOT_SWAP_USING_SCRATCH were
defined even though swap using scratch wasn't used. This commit fixes
the issue.
Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>
(cherry picked from commit 60806bce8e)
This reverts commit 0fa46270c0.
This breaks:
samples/synchronization/sample.kernel.synchronization on
b_u585i_iot02a/stm32u585xx/ns error
as this TF-M configuration uses its own keys. This change is an API
change that needs to be coordinated with TF-M changes.
Before this revert, compiling this test results in:
.../encrypted.c:447: undefined reference to
`boot_enc_retrieve_private_key`
Signed-off-by: David Brown <david.brown@linaro.org>
Increase the size of the jmpbuf to accomodate other architectures.
Unfortunately, the size of this is not available in the libc crate.
Increase this so encompass any platforms we wish to support, including
aarch64 on both Linux and MacOS.
Increasing an array beyond 32 means there is no default offered, so
implement this manually.
Signed-off-by: David Brown <david.brown@linaro.org>
Many of these extern functions are missing the "C". It doesn't seem to matter on
any of our targets, but this does make the code more correct, and might be a
problem in the future.
Signed-off-by: David Brown <david.brown@linaro.org>
Since there are references to this struct passed to C code, put it into an Rc so
that it won't move around when the data is moved.
Signed-off-by: David Brown <david.brown@linaro.org>
This struct was having addresses taken of fields within it, and then being
returned. It is platform-specific whether this causes a move. It seems to be
working on x86_64, but causes a segfault on aarch64. Box the struct so that it
isn't moved after being initialized.
Signed-off-by: David Brown <david.brown@linaro.org>
Currently encryption supports only private key embed
in mcuboot itself. To support MCUBOOT_HW_KEY for image
encryption boot_retrieve_private_key() hook is added.
This hook helps retrieving private key from trusted
sources like OTP, TPM.
Signed-off-by: Dinesh Kumar K <dinesh@linumiz.com>
check_config.h was included manually by custom configuration files.
This caused compilation errors when updating MbedTLS to 3.6.0
because check_config.h was processed too early, before the whole
configuration is defined, effectively causing configuration check errors.
MbedTLS already takes care of including check_config.h at the right time.
Remove those erroneous manual check_config.h includes.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
The normal simulation test takes several hours to run on most machines. Allow a
few very slow tests to be skipped by setting the environment variable
`MCUBOOT_SKIP_SLOW_TESTS` to some value. For obvious reasons, this shouldn't be
done if these power failure simulation tests are needed.
With this change, on my desktop Linux machine, the test time with the skipping
goes from about 2 hours, to around 5 minutes.
Signed-off-by: David Brown <david.brown@linaro.org>
Currently all the hashing functionality is done with SHA256
but if we would like to use ECDSA-P384 that requires SHA384
as the hashing algorithm. However, MCUboot is using SHA256
for image hashing and public key hashing. This commit modifies
the hashing operations to use SHA384 thus SHA256 can be omitted
which is beneficial from a code size standpoint.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I364eefe334e4fe6668b8a3b97991b5dbb0c80104
This commits reverts the changes made to cap values in 75c7c31.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: Ibbbf66e89d059ef4e4b45218a8a39778c849f21b
Adds new test cases to various ram-load related logic.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I3a0ca951b2c720be4e6fe2ed0e5d1830fcfb240c
If ram-load is being used with encryption and
the higher version image is loaded from the primary slot the
verification will fail as the image is always non-encrypted
and will produce an invalid hash. This fix puts encrypted images
into both slots to prevent this issue.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I4ac9f332434a95d140c5572096b8a9161db2d217
This patch enables psa-crypto-api feature
Signed-off-by: Matthew Dalzell <matthew.dalzell@arm.com>
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
If the psa-crypto-api feature is defined, the simulator will
initialize the PSA Crypto API exactly once. It needs also to
enable the test external RNG as the assumption is that the
PSA subsystem is configured to use MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Signed-off-by: Matthew Dalzell <matthew.dalzell@arm.com>
Change-Id: Id02727b8673867ecf1e4fbbdfa3c4b6d6f98f8df
This commit adds simulator support to test the
hw-rollback-protection feature which is using
nv-counters. In the simulator they are stored in Rust
to prevent any race conditions from happening due to
the parallel execution of the tests.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I445fc50615ed1f0c06e5933b16811c24d9d302fc
This patch refactor the RSA operations done by the signature verification
module and by the encrypted images decryption module. Previous solution is
tightly coupled with Mbed TLS, while this patch provides an abstraction of
the RSA functionalities in a dedicated crypto abstraction header, crypto/rsa.h
that supports both Mbed TLS APIs and PSA Crypto APIs. In case of PSA Crypto,
the verification scheme is directly provided by the crypto backend hence it
simplifies the operations done in the image verification module.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I973bc3374b62eee2d7717c2368bce7611d37a0c8
The IMAGE_TLV_ECDSA256 TLV has been put out of use by
commit 63d2346da4.
This commit reverts this part of that patch and at the
same time it extends the usage of this TLV to cover all types
of curves (replacing the newly introduced 0x25 TLV type)
while retaining its value (0x22) for backward compatibility.
Rename IMAGE_TLV_ECDSA256 to IMAGE_TLV_ECDSA_SIG.
Change-Id: I904f292db775c38f26a5e9a87c5f414165efc173
Signed-off-by: David Vincze <david.vincze@arm.com>
Remove the generic ECDSA verification module and keep the
existing one, just renaming it image_ecdsa.c. Make sure
that the abstraction layer is generically called ecdsa.h
and the abstraction names are not P256 specific.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I6f78cfc1b1c2851cdad67efa91c6cb49498187bb
Remove those TLVs that are tied to a specific curve and modify the
code to use the new generic ECDSA TLV.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: Iffe9052580c99e75118cf5df4286e0e9a2af4a8c
Add support to the simulator so that
the generic ECDSA TLV can be tested.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I3322ed829d150ff35abfaaa8ecf69ab7017bd7cf
MCUBoot dropped P224 curve support as
there is little interest in using it.
The simulator threw an error as P224
was never supported, this was removed.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I96011e9b00dbc3a6f7590db365a5f480d85394e1
Commits adds implementation of flash_area_get_sector that
is supposed to replace flash_area_sector_from_off.
The flash_area_get_sector gets additional parameter of flash_area
type, while flash_area_sector_from_off uses hardcoded flash_area.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Differentiated image trailer size for swap-using-scratch with
max-align-32 feature and without it.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Corrected the maximal image size calculation for
the swap using scratch mode. Previously the vale which
is appropriate for the swap using move mode was used.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The sim platform was sharing a few header
files with the zephyr-rtos port. This patch provides
sim own headers.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Update dependencies that don't require any code changes. This leaves
'aes' and 'cipher' which will require code changes to support newer
versions.
Signed-off-by: David Brown <david.brown@linaro.org>
Change the edition in the various Cargo.toml to 2021. There are no
changes to the code needed for this. This will require Rust 1.56 in
order to build.
Signed-off-by: David Brown <david.brown@linaro.org>
This feature check was done statically instead of dynamically in the
build.rs file. Change this to match the rest. Perhaps we might want to
change all of them to be done at compile time, but that should be done
with all of the features.
Signed-off-by: David Brown <david.brown@linaro.org>
Change the flash layout of the stm32f4 simulated device to include
sectors of different sizes inside both slots; both slots have been
updated to still share the same layout. This layout changes allow for
testing and validation that a swap with scratch is possible even if not
all sectors inside a slot are the same size, as long as they all fit in
scratch.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This patch prepares the simulator to execute images with a max align
value other than 8 bytes.
Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
The encoding of ECDSA signatures is variable sized. Better support this
by allowing the TLV size estimate to be off by as much as 6, but only in
the case of ECDSA signature.
Signed-off-by: David Brown <david.brown@linaro.org>
Having profile configuration in sub crates generates a warning every
time Cargo is run. Remove these lines, as the top-level Cargo.toml file
defines these values.
Signed-off-by: David Brown <david.brown@linaro.org>
When passed `Largest`, as the image size, compute the largest possible
image for the test.
This currently fails when 'swap-move' is enabled or
'overwrite-only,large-write' is enabled. Allow this by not testing
maximal images in these cases.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of just passing in a numeric value for the image size, create an
enum that can use a given size, or supports a `Largest` size. Largest
is not implemented yet, but this gets the types in place for this.
Signed-off-by: David Brown <david.brown@linaro.org>
In order to generate images that match exact sizes, we need to know the
size of the TLV. We can estimate this size before the payload is added
(since the payload doesn't directly affect the size).
This patch adds the size estimate, and compares it with the actual TLV
size.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of setting a mutable variable and possibly assigning to it, just
set the variable to the result of the conditional.
Signed-off-by: David Brown <david.brown@linaro.org>
This enum ended up with some fields out of order. Fix the order. No
impact to the code, as each enum entry has a specific value, this just
makes the whole enum more consistent.
Signed-off-by: David Brown <david.brown@linaro.org>
Thomas Altenbach