This change affects the "set pending" operation. That is, the operation
that configures mcuboot to temporarily swap images on the next boot.
PRIOR TO COMMIT:
If the slot 1 trailer contained an invalid 128-bit magic number, an
assertion would fail, causing a crash.
AFTER COMMIT:
If corruption is detected in the slot 1 trailer, the entire image slot
is erased, and the "set pending" operation fails with a `BOOT_EBADIMAGE`
status.
RATIONALE:
mcuboot cannot meaningfully recover from data corruption. The only
recourse is to erase the bad data so that future upgrades can be
performed. I was tempted to add a build-time setting to control whether
the image slot gets erased when corruption is detected, but I dont think this
freedom justifies the cost of extra config. A device with a corrupt
image slot can no longer be upgraded, so the only reason someone would
want to preserve the corrupt data would be for debugging.
Signed-off-by: Christopher Collins <ccollins@apache.org>
Disable logging and enable size optimizations on
nrf51_pca10028 target in order to fit in boot slot size
for out-off-the-box build.
fixes#411
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Newt only allows the following stability strings in a repo version:
VERSION_STABILITY_NONE = ""
VERSION_STABILITY_STABLE = "stable"
VERSION_STABILITY_DEV = "dev"
VERSION_STABILITY_LATEST = "latest"
VERSION_STABILITY_COMMIT = "commit"
An attempt to update a project that uses mcuboot would choke due to the
invalid stability string "rc1":
Error: Unknown stability (rc1) in version 1.3.0-rc1
Signed-off-by: Christopher Collins <ccollins@apache.org>
Previously it was assumed that the trailer would fit one sector. While
this works for most devices, some which happen to have lots of sectors
end up using lots of space for their swap status area. The same issue
could also happen if sectors are small (less than 2K/4K, for example).
This fixes the issue by checking the trailer size and erasing all
sectors that encompass it.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Modernize and simplify the build scripts of the Zephyr
bootloader. Most notably, the new build scripts are targeting the
'zephyr_library_' API instead of the 'target_' API.
In addition to simplifying the build scripts, this permits us to be
automatically compatible with an upcoming change that will break the
'target_' API but not the 'zephyr_library_' API.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Instead of detecting an invalid Kconfiguration during CMake
Configure-time we detect it where it belongs, in Kconfig.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The default board should be set simply by 'set'ing the BOARD. This has
the lowest precedence of all possible inputs.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The presence of a Kconfig file will be checked by the build system so
it is not necessary to explicitly set KCONFIG_ROOOT.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Set the public key for ECDSA tests to use the ECDSA. This avoids a link
error with:
../app/libapp.a(keys.c.obj):(.rodata.bootutil_keys+0x0): undefined reference to `ecdsa_pub_key'
../app/libapp.a(keys.c.obj):(.rodata.bootutil_keys+0x4): undefined reference to `ecdsa_pub_key_len'
Signed-off-by: David Brown <david.brown@linaro.org>
The travis config allows multiple tests to run in parallel. Run a small
program that does the same thing.
Signed-off-by: David Brown <david.brown@linaro.org>
Commit 3ac36ead3 updated the bundled asn1parser, which now consists of
two files. The Zephyr build system was not updated with that commit which
has broken ECDSA signature builds. This adds the new file.
This fixes#397.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This removes the unsafe Tinycrypt bindings previously used for signing
with ECDSA, and relies on ring native support.
The ring library was updated to 0.14.1.
Signed-off-by: Fabio Utzig <utzig@apache.org>
While loading a new EC point, when it was smaller than the expected
number of bytes, a zero padding was being written beyond the end of the
buffer instead of at the initial position.
While this has been working before, it broke when images were signed using
the ring API.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The ring crypto library used by the simulator only accepts PEM keys in
PKCS#8 format; this provides a conversion of the original bundled key.
```
$ openssl pkcs8 -topk8 -nocrypt -in ../root-ec-p256.pem -out ../root-ec-p256-pkcs8.pem
```
Signed-off-by: Fabio Utzig <utzig@apache.org>
The board cannot output logs on the UART because it is used
by MCUBoot's serial recovery for DFU. Remove logging and
the RTT console from project defaults.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
A recent change in the Mynewt repo
(b10cbea5ef882e7f91d1c34ffcf2506d3e183003) imposes the LOG API
requirement on the `sys/mfg` package. To fix broken builds, make the
Mynewt app and test package depend on `sys/log/stub`.
Signed-off-by: Christopher Collins <ccollins@apache.org>
Remove the final conditional compilation in the simulator. The
simulator is now always built the same way, and bases the tests it runs
on the capability queries made to the MCUboot code. This simplifies the
simulator code a bit, and, importantly, removes the ability to have
mismatches between the configuration as compiled into the MCUboot code
and how the simulator is compiled.
Signed-off-by: David Brown <david.brown@linaro.org>
Turn some more conditional compilation into runtime decisions based on
how the code being tested is compiled.
Signed-off-by: David Brown <david.brown@linaro.org>
Now that we can dynamically query whether mcuboot is built with
encryption support, remove conditional compilation in favor of a dynamic
query.
Signed-off-by: David Brown <david.brown@linaro.org>
Remove some compile-time configuration of the overwrite-only flag.
These will be decided by doing a dynamic query of how the mcuboot code
has been compiled.
Signed-off-by: David Brown <david.brown@linaro.org>
Start refactoring the image code by moving it to a separate module.
This requires some structs and fields be made public. Otherwise, the
code is unchanged.
Signed-off-by: David Brown <david.brown@linaro.org>
Since logging was broken due to incompatibility between log and
env_logger versions, those crates were updated to known to be compatible
versions. Update initialization of env_logger that does not return a
Result<> anymore.
Other crates were updated to remove duplicated versions as much as
possible.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The crc16.h header has been deprecated in Zephyr.
Update include directive to use the new header.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
The old log subsystem has been deprecated in Zephyr.
Migrate to the new subsystem to avoid compilation warnings.
In-place log processing is selected as it is required as MCUBoot is
one thread application.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Remove unnused BOOT_LOG_LEVEL macros.
These are not honored, nor usable since they are supposed to be
defined before including the header in which they are defined.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
Introduce MCUBOOT_LOG_MODULE_REGISTER and MCUBOOT_LOG_MODULE_DECLARE.
- MCUBOOT_LOG_MODULE_REGISTER
Register a new log module and add the current C file to it.
- MCUBOOT_LOG_MODULE_DECLARE
Add the current C file to an existing log module.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
- Removed MCUBOOT_LOG_LEVEL macros.
The global log level shall be set using a port's configuration
management system of choice instead e.g Kconfig.
- Removed BOOT_LOG_LEVEL macro, which was not honored by
either Zephyr or mynewt ports.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
The mcuboot_logging.h header includes the header for the log subystem,
which needs to be included regardless of whether logging is enabled
for logging macros to compile correctly.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
Updates imgtool to infer, based on output image filename, which format
should be use for output file. Filenames that end with extension `.hex`
are saved in Intel HEX, otherwise saves a binary image.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds initial support for publishing imgtool to pypi.org.
The main imgtool.py was moved to imgtool package and made into the main
file, and a new imgtool.py that calls into the package, was added allowing
for the old usage behavior to remain functional.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Ensure that the offset in .text is zero.
This is necessary to ensure that MCUBoot is linked at
the beginning of the boot partition, as intended.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
As reported by issue #384, some #ifdefery was wrongly done, which broke
overwrite-only mode under Zephyr.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Mynewt builds require the `mcuboot_config.h` file to translate syscfg
setting names to MCUboot setting names. This change fixes a build error
that occurs when MCUboot is built with mbedTLS support:
Error: In file included from keys/bootkeys/src/bootkeys.c:2:0:
repos/mcuboot/boot/bootutil/include/bootutil/enc_key.h:29:10: fatal error: tinycrypt/aes.h: No such file or directory
#include "tinycrypt/aes.h"
^~~~~~~~~~~~~~~~~
Signed-off-by: Christopher Collins <ccollins@apache.org>
Apply the changes suggested by
cargo fix --edition-idioms
as well as a bit of cleanup of the results. The result should be more
idiomatic Rust 2018 and a good starting point moving forward.
Signed-off-by: David Brown <david.brown@linaro.org>
Automatic migration to Rust 2018. This is the result of running
cargo fix --edition
The resulting code is compatible with both Rust 2015 and 2018. Change
the edition field in the Cargo.toml file as well to begin a more
complete migration.
Signed-off-by: David Brown <david.brown@linaro.org>
Apply the changes suggested by
cargo fix --edition-idioms
and cleanup the results a bit. Eliminate `macro_use` extern crates.
Signed-off-by: David Brown <david.brown@linaro.org>
Apply the changes suggested by
cargo fix --edition-idioms
as well as a bit of cleanup of the results. The result should be more
idiomatic Rust 2018 and a good starting point moving forward.
Signed-off-by: David Brown <david.brown@linaro.org>
Automatic migration to Rust 2018. This is the result of running
cargo fix --edition
The resulting code is compatible with both Rust 2015 and 2018. Change
the edition field in the Cargo.toml file as well to begin a more
complete migration.
Signed-off-by: David Brown <david.brown@linaro.org>