When hooks are enabled then boot_reset_request_hook will be
called to check whether it is allowed to reset a device.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Provide prototype for a new hook boot_reset_request_hook
which is called when device is requested to reboot.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
When MCUBOOT_SINGLE_APPLICATION_SLOT is set then the app can
only be overwritten with new image and scratch algorithm
is not used. The configuration logic would default
MCUBOOT_SWAP_USING_SCRATCH to 1 because it was lacking
check for MCUBOOT_SINGLE_APPLICATION_SLOT.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Add support for RT595 to MCUBoot. A larger number of max sectors is
required due to the large flash size present on the RT595 EVK.
Signed-off-by: Daniel DeGrasse <daniel.degrasse@nxp.com>
This deprecates the flash erase Kconfig for zephyr, if this action
is required then the board should be flashed using west with the
`--erase` argument supplied instead.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fix a swap corruption which occurs on the swap move algorithm when a
reset happens exactly at the point after the last move up, and its
status update. On restart the image headers should be read at the 2nd
sector of the primary slot, but due to lacking initialization it is
read on the first sector, and then fails. This error was masked on the
simulator because of the use of a global variable, which retained its
value on a "reset simulation".
Fixes#1588
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add jobs for testing build ESP32-XX within more features:
Serial Recovery, Multi Image and Multi Boot
Signed-off-by: Almir Okato <almir.okato@espressif.com>
Returned values are now hardcoded. Indeed, while it is not
strictly needed (few return values different from SUCCESS
or FAILURE) complexity added by encoding return values might
cause the software to be vulnerable to fault attacks.
Return type changed from fih_int to fih_ret to make
the whole thing much simpler and therefore more robust
to fault attacks. In addition, its easier to predict
compiler behavior.
Affectation of sentive variables has been hardened using macro
FIH_SET (affectation + check wether write access has been properly
done). FIH_DECLARE() is added to ease the declaration of sentive
variables.
Equality tests fih_eq() and fih_not_eq() are now macros because
inlining produce more complex code (and weaker) than macros.
In addition fih_not_eq is modified to be the negation of fih_eq
which was not the case until now.
when FIH_NOT_EQ is used , FIH_SET(fih_rc, FIH_FAILURE) has been added
in some part of the code.
variable image_mask (bootutil_priv.h) is now volatile because a
double IF test is made on it.
some others parts of the code have been hardenned (eg. loop on images)
Signed-off-by: Michael Grand <m.grand@trustngo.tech>
This makes it possible to enable timeout (BOOT_SERIAL_WAIT_FOR_DFU) mode
for the serial recovery when using CDC ACM based serial device. This was
runtime tested on nRF52840-Dongle.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Add basic flash_sector struct and offset calculation routines. This
fixes the build using swap move, because this data is required to
calculate the maximum image size.
Fixes#1567
Signed-off-by: Fabio Utzig <utzig@apache.org>
Fixes a bug when writing to devices which have memory alignment
requirements with data being using directly from a zcbor-response
whereby the alignment of the buffer data does not meet the
requirements of the flash driver.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
There are 3 levels of buffers and only the first one seems to be
configurable, this fixes that issue.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fixes an issue whereby rc is a signed variable but is returned as
an unsigned variable in the zcbor functions.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
The return value of bootutil_find_key is used as the key_id in the
bootutil_img_validate function, and negative key_id value used in case
of errors. If MCUBOOT_HW_KEY is set, than the key hash is read by
boot_retrieve_public_key_hash function, but the exceptation is only to
return nonzero on failure, so its error code should not be propagated
up to the caller. Instead, bootutil_find_key should return -1 in case
of a platform error.
Change-Id: I8e2bd12a5cf53787e10ae45c2ab556e8a856692d
Signed-off-by: Mark Horvath <mark.horvath@arm.com>
The current specific setting of devicetree overlay files using `set()`
has a couple of built-in flaws.
It keeps readding the overlay file on each subsequent CMake invocation.
The build command (make/ninja), will automatically invoke CMake if there
are any changes to files used as configure time dependencies.
This can easily be seen by manually re-invoking CMake:
```
# First invocation
$ cmake -DBOARD=nrf52840dk_nrf52840 -DDTC_OVERLAY_FILE=custom.dts ..
Loading Zephyr default modules (Zephyr workspace).
-- Application: /projects/github/ncs/bootloader/mcuboot/boot/zephyr
...
-- Found devicetree overlay: custom.dts
-- Found devicetree overlay: bootloader/mcuboot/boot/zephyr/dts.overlay
# Second invocation
$ cmake -DBOARD=nrf52840dk_nrf52840 -DDTC_OVERLAY_FILE=custom.dts ..
Loading Zephyr default modules (Zephyr workspace).
-- Application: /projects/github/ncs/bootloader/mcuboot/boot/zephyr
...
-- Found devicetree overlay: custom.dts
-- Found devicetree overlay: mcuboot/boot/zephyr/dts.overlay
-- Found devicetree overlay: mcuboot/boot/zephyr/dts.overlay
```
Zephyr has built-in support for application specific overlay config
which gets automatically applied when the overlay file is named:
`app.overlay`.
Therefore rename `dts.overlay` to `app.overlay`.
Ref: https://docs.zephyrproject.org/3.2.0/build/dts/howtos.html \
#set-devicetree-overlays
This change further allows users of mcuboot to place their mcuboot
configuration out-of-tree of the sample by using the
`APPLICATION_CONFIG_DIR` setting.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
The serial recovery depends on CRC from Zephyr, which it should
have been selecting explicitly.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Removed the board configuration for Thingy:53 Application Core as it
contains references to the Kconfig modules that are not available in
the upstream Zephyr. The current configuration is set up to work
in the nRF Connect SDK environment and should be moved there.
Signed-off-by: Kamil Piszczek <Kamil.Piszczek@nordicsemi.no>
With the exception of nrf targets BOOT_SWAP_USING_SCRATCH mode was
still the default algorithm.
Changing the preferred mode in cases where no scratch_partition is
defined will allow successfully building mcuboot for such boards w/o
the need for any board specific overlays.
Signed-off-by: Thomas Stranger <thomas.stranger@outlook.com>
It is possible that image in the slot is so big
that MCUboot swap metadata will interfere with
its content during the swap operation.
This patch introduces additional check to the image
validation procedure.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
main.c uses CMSIS functions such as __set_MSP, which require
cmsis.h to be included. Up until now, that file was included
indirectly through other ARM headers. This patch explicitly
includes cmsis.h, for platforms on which those indirect includes
do not work.
Signed-off-by: Yonatan Schachter <yonatan.schachter@gmail.com>
Signed-off-by: David Brown <david.brown@linaro.org>
Downgrade prevention for swap upgrades that was added to
mcuboot is now configurable in zephyr.
It may be using software version number from image in slot 0,
or security counter from the image in slot 0 (for limited downgrade
availability).
Hardware base security counter check remains unchanged.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
Currently, downgrade prevention was limited to overwrite only
builds (version check) or devices with hardware storage for
security counter.
This extends downgrade prevention to be used when swap update
is selected.
Unlike MCUBOOT_HW_ROLLBACK_PROT option it does not require user
code to provide external way to store security counter.
Security counter from slot 1 image is used for comparison.
With security counter usage it is possible to have limited
software rollback if security counter was not incremented.
It is possible to use image version where strict rule for
image version comparison prevents any downgrades.
Downgrade prevention is also added to mynewt configuration.
If image in slot 1 is marked as pending and downgrade prevention
is in place, image will be deleted to avoid check on next boot.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
This property should be enabled by default only when watchdog
driver is available.
This fixed build with pristine configuration on targets
with CONFIG_WATCHDOG=n.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The Kconfig system used by Zephyr does not allow the defaults for choice
options to be overridden. To compensate for this, create a new boolean
config option that will determine what the default is for the boot mode.
This allows the kconfig override file for various Zephyr boards to
change the default to swap move.
Signed-off-by: David Brown <david.brown@linaro.org>
Currently the post copy hook is only called from the `copy_region`
function. However when another update method than `BOOT_UPGRADE_ONLY` is
selected this function is not called. This adds post copy hook to the
end of `boot_swap_image` when we know the swap is complete.
Signed-off-by: Sigvart Hovland <sigvart.hovland@nordicsemi.no>
Building sample.bootloader.mcuboot for many platforms
is not possible (for instance a qemu). The limit is need
as otherwise zephyr-rtos/zephyr CI is failing on any push to
main branch or nightly CI run.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Change removes the legacy configuration. The legacy configuration
became problematic, because GPIO DTS nodes no longer support labels
that were used to identify nodes in MCUboot. Therefore we need to
use GPIO DTS node name with the legacy approach.
The GPIO should be configured by board's DTS, which is simpler.
Signed-off-by: Marek Pieta <Marek.Pieta@nordicsemi.no>
Change introduces default values of CONFIG_BOOT_SERIAL_DETECT_PIN
and CONFIG_BOOT_USB_DFU_DETECT_PIN. This is needed to prevent build
issues caused by uninitialized Kconfig.
Signed-off-by: Marek Pieta <Marek.Pieta@nordicsemi.no>
Enable tests to be run on frdm_k64f and disco_l475_iot1. The l475 uses
the STM32 IWDG by default, and the k64f can be used for the generic
watchdog path. Both boards also received a config to enable the
watchdog.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Switching from FLASH_AREA_ to FIXED_PARTITION_ macros.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The FLASH_AREA_ macros, which have been using DTS node label property
to identify partitions, have been replaced with FIXED_PARTITION_
macros that use DTS node label to identify partitions.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Dominik Ermel