2.7.0 fixes a security issue but breaks MCU boot. Bump to this version
so that the simulator will verify that this version works properly.
Signed-off-by: David Brown <david.brown@linaro.org>
Move to newer versions of some upstream packages, lazy_static, which is
now at 1.0 (no api change), and error-chain (0.11), which eliminates a
warning during compilation.
Signed-off-by: David Brown <david.brown@linaro.org>
Assertions that are expected to fail under sim test, are now marked as such
using the macro ASSERT which allows to programmatically switch between normal
assert() behavior and captured assertion.
Assertion changes were moved to more appropriate owners and code duplication
was removed.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This test marks the status write regions as a bad region,
causing errors, but it is allowed to complete the swap. On
restart the firmware in slot0 should be validated and work.
Signed-off-by: Fabio Utzig <utzig@apache.org>
At the moment writes always checking that they are being
performed on an erased section of memory. This patch enables
a test to disable that, to enable looking for other error
causes.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add new interface to enable configuring regions of the simulated
memory to fail probabilistically. An entry is based on an offset,
length and rate of failure. This only applies to write operatios
and throws an error that can be caught in tests.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When building in simulator mode, mock assert() to call an simulator
function which will enable other code to check if some path failed.
The assert checking interface, was added to boot_go which now
returns the low-level invocation results as well as the number of
asserts triggered.
Some new added tests check for assert() and expect it to happen. To not
abort tests, assert() was changed under sim env to not call c assert()
and instead just do some internal calculation which could be checked
by the simulator after a bootloader run and assert() catching behavior
was made optional (each test choses the behavior it needs).
Signed-off-by: Fabio Utzig <utzig@apache.org>
This bundles the asn1 parser from mbed-tls into mcuboot, which allows
adding EC crypto (tinycrypt based) functionality for target OSes that
don't bundle mbed-tls.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Our current travis environment still uses gcc 4.8.4 which defaults to
std=gnu90. Some of tinycrypt's code requires c99.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Since ring does not yet support ecdsa signing, a thin layer was added
to allow the simulator to call tinycrypt's signing routine.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This enables building ecdsa feature using tinycrypt (mbed still built
for ASN1). The default mbed-tls config was update to use the MCUBOOT_SIGN_*
symbols.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Fixes warnings treated as errors when upgrading gcc crate to 0.3.54.
Warnings are due to non-used variables and comparison between signed
and unsigned.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Now that the test infrastructure has changed so that the tests can be
run independently, create a series of cargo tests that run them. This
allows the tests to simply be run as:
cargo test
or possibly with feature flags
cargo test --features overwrite-only
It is also possible to run individual tests by giving their name after
the "cargo test" command.
Signed-off-by: David Brown <david.brown@linaro.org>
In order to allow the tests to be run independently, compute the total
count for each image that is generated, and store it in the images
struct. This causes a basic upgrade to be run an additional time for
each top-level test.
Signed-off-by: David Brown <david.brown@linaro.org>
Now that most of the relevant data is assembled into a single `Images`
struct, make the test operations on it into methods on this type.
This change looks larger than it really is because of the indentation
change of moving top-level functions into methods. There is also a lot
of change of `image` to `self`.
Signed-off-by: David Brown <david.brown@linaro.org>
Every use of `Images` uses the same flash device as a base. Move this
value into the struct, instead of having to pass it around in parallel.
Signed-off-by: David Brown <david.brown@linaro.org>
Refactor the tests so that most of the test data is inside of a new
`Run` structure instead of needing to be passed around.
Signed-off-by: David Brown <david.brown@linaro.org>
Lock the simulation with a mutex to prevent concurrent access. The C
code being tested uses globals, and can only be run in one context at a
time. The Rust test framework may run tests concurrently, so use the
mutex to prevent this.
Signed-off-by: David Brown <david.brown@linaro.org>
Move the alignment into the `boot_go` wrapper. Instead of relying on
this as a global, pass it around, ultimately setting it in the C
wrapper. This is in preparation to protecting the `boot_go` call with a
mutex to prevent reentrancy.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of setting/reading a global, pass a reference through the Rust
wrapper to `boot_go`. This is one change needed so that `boot_go` can
be reentrant.
Signed-off-by: David Brown <david.brown@linaro.org>
As a start of doing the testing using Rust/Cargo's test framework, write
a test runner that just runs the existing tests. They run as they do
now, except that there is an assertion that there were no failures.
Signed-off-by: David Brown <david.brown@linaro.org>
So that this can be stored in its own structure, make it own the slot
info (which is only two usize values).
Signed-off-by: David Brown <david.brown@linaro.org>
In preparatio for separable unit tests, move the main body of the
simulator into a library crate, and make the main program just a small
function that initializes the logger, and calls it. The main entry
point is still called main.
Signed-off-by: David Brown <david.brown@linaro.org>
This add a new option to overwrite-only mode that enables copy/erase of
only the amount of sectors that are required to store the source image.
This is enabled by default when overwrite-only mode is used.
MCUB-70
Signed-off-by: Fabio Utzig <utzig@apache.org>
Adds the feature to enable testing of overwrite-only functionality.
While running with this feature enabled, disable tests that try to
revert and disables trailer verification, since overwrite-only doesn't
rely on status writing.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Since we've changed the meaning of several fields in the header, bump
the header to a new magic number. The fields that are still present are
in the same place, but all of the signature and TLV information is moved
into the TLV itself, which is still immediately after the image.
As of this commit, this defines the new image header/TLV format used for
1.0.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
To allow the signatures to be replaced, move the size of the TLV into a
small "info" header at the start of the TLV.
Note that this causes image swapping to lose robustness. This is fixed
by a later commit.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
JIRA: MCUB-65
Remove the key_id field from the image header. There are two problems
with this field. First, it is only an integer offset, and so causes an
unnecessarily tight coupling between the particular keys built into the
bootloader, and the key that is used to sign. Second, it makes the
key_id part of the image header, which is included in the signature.
This makes it impossible to later sign the image with a different
signature.
Instead of the key-id, add a TLV KEYHASH entry. This will hold the
SHA256 of the public key that the signature is against. Each signature
placed in the TLV should be preceeded by this entry to indicate the
public key used.
The signature check will check each signature, and if the KEYHASH is
known and the signature type is supported, it will be checked. As long
as at least one signature is considered valid, the image will be
considered signed. This also allows the image to be signed with
multiple signatures to support having different devices with possibly
different keys compiled into the bootloaders.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
In preparation for moving the signature related values out of the main
image header and into the TLV, renumber the existing TLV values to be
grouped together better.
The SHA256 is moved into the first group, at 0x10, and the signature
values themselves are moved to start with 0x20.
This change is the first in a series of changes toward the new v1.0
image format. The intermediate results are all internally consistent
(meaning that the simulator, and the builtin imgtool.py will all work
together), but until all patches are applied, the image format is not
valid with any external tools.
Based on work by Marko Kiiskila <marko@runtime.io>.
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
Now that we depend on a submodule for mbed TLS code, update the docs to
explain how to fetch this. Otherwise, the error is somewhat misleading,
just showing a missing sha256.c file.
Signed-off-by: David Brown <david.brown@linaro.org>
This test was added to exercise a bug which happens when a failure
verifying the image in slot 1 would cause a write to image_ok when
the image in slot 0 already was a permanent image.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The docopt package has moved from rustc-serialize to serde. Move to
this version, upgrading the custom deserialize we use for the alignment
argument.
Signed-off-by: David Brown <david.brown@linaro.org>
Move most dependencies to the latest version at the time of this commit.
docopt is left at the current version as there is an api change in the
newer version.
Signed-off-by: David Brown <david.brown@linaro.org>
David Brown