Commit Graph

74 Commits

Author SHA1 Message Date
Roland Mikhel 206b914852 bootutil: Remove P224 curve
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I49fad7ede202de4e3c710bf4aa1df195a310b037
2023-04-11 07:05:38 +02:00
Dominik Ermel c89a94f120 mynewt: Add flash_area_get_sector
Simple stub of flash_area_get_sector using system provided
flash_area_sector_from_off.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
2023-03-15 20:15:58 +01:00
Michael Grand 5047f032c9 fih: Hardening of fault injection countermeasures
Returned values are now hardcoded. Indeed, while it is not
strictly needed (few return values different from SUCCESS
or FAILURE), the complexity added by encoding return values might
cause the software to be vulnerable to fault attacks.

Return type changed from fih_int to fih_ret to make
the whole thing much simpler and therefore more robust
to fault attacks. In addition, it's easier to predict
compiler behavior.

Assignment of sensitive variables has been hardened using macro
FIH_SET (assignment + check whether write access has been properly
done). FIH_DECLARE() is added to ease the declaration of sensitive
variables.

Equality tests fih_eq() and fih_not_eq() are now macros because
inlining produces more complex (and weaker) code than macros.
In addition, fih_not_eq is modified to be the negation of fih_eq,
which was not the case until now.

When FIH_NOT_EQ is used, FIH_SET(fih_rc, FIH_FAILURE) has been added
in some parts of the code.

Variable image_mask (bootutil_priv.h) is now volatile because a
double IF test is made on it.

Some other parts of the code have been hardened (e.g. loop on images).

Signed-off-by: Michael Grand <m.grand@trustngo.tech>
2023-01-30 09:34:34 -07:00
Fabio Utzig 4a748bfefa mynewt: add flash sector requirement for swap move
Add basic flash_sector struct and offset calculation routines. This
fixes the build using swap move, because this data is required to
calculate the maximum image size.

Fixes #1567

Signed-off-by: Fabio Utzig <utzig@apache.org>
2023-01-06 17:41:03 -03:00
Jerzy Kasenberg e3f895d7ef Add downgrade prevention for swaps
Currently, downgrade prevention is limited to overwrite-only
builds (version check) or devices with hardware storage for
the security counter.

This extends downgrade prevention to be used when swap update
is selected.
Unlike the MCUBOOT_HW_ROLLBACK_PROT option, it does not require user
code to provide an external way to store the security counter.
The security counter from the slot 1 image is used for comparison.
With security counter usage it is possible to have a limited
software rollback if the security counter was not incremented.

It is possible to use the image version, where the strict rule for
image version comparison prevents any downgrades.

Downgrade prevention is also added to mynewt configuration.

If the image in slot 1 is marked as pending and downgrade prevention
is in place, the image will be deleted to avoid the check on next boot.

Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
2022-10-04 08:52:57 -06:00
Jerzy Kasenberg 0676589873 boot: mynewt: Add boot data sharing config
There is code for sharing data between bootloader and application.
So far only Zephyr had config flags to enable this.

This adds configuration that allows turning on the data sharing code
in the Mynewt version.

Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
2022-06-13 19:57:20 -03:00
Jerzy Kasenberg 17e344f575 mynewt: Allow custom boot to be provided by pkg
BOOT_CUSTOM_START is defined by the APP package (here).
This changes the default value from 0 to empty
to allow for constructing a package that provides the function
boot_custom_start() and automatically sets BOOT_CUSTOM_START to 1
for easy setup.

Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
2022-06-13 19:57:09 -03:00
Jerzy Kasenberg cbb5b23070 mynewt: Add call to custom pre-boot function
A custom boot_preboot() function can be used to start
DFU in a similar way as is already done in Zephyr.

Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
2021-11-30 18:47:25 -03:00
Fabio Utzig 1a9c6d8495 mynewt: remove #error on ec256 with Mbed TLS
Allow building ec256 signature validation on Mynewt using Mbed TLS.
Related to https://github.com/apache/mynewt-artifact/pull/33

Signed-off-by: Fabio Utzig <utzig@apache.org>
2021-11-01 14:43:52 -03:00
Francesco Servidio 482921f724 doc: Fixed consistency of bootloader term
Fixed the consistency of the term bootloader.

Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no>
2021-10-21 06:45:13 -03:00
Francesco Servidio 4ff0c18693 doc: Fixed consistency of MCUboot
Fixed the consistency of the case used in the term MCUboot.

Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no>
2021-10-21 06:45:13 -03:00
Dominik Ermel a09ca5b964 boot: Add MCUBOOT_PERUSER_MGMT_GROUP_ENABLED to platforms
The commit adds the MCUBOOT_PERUSER_MGMT_GROUP_ENABLED configuration
option to cypress, mbed and mynewt configurations.
The option is used to enable custom, system specific, mcumgr
command parsing in mcuboot serial recovery.
For the listed platforms it is set as not enabled (0), as none
of the platforms currently provides a supporting callback.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
2021-07-13 11:39:35 +02:00
Dominik Ermel dc1b9f0579 boot/ports: Provide getter function for flash area object access
The commit provides a set of getter functions that allow access
to fields of flash_area and flash_sectors objects.
Usage of these functions, instead of direct field access, allows
keeping common code intact when the internal, system specific,
implementation changes.
The commit contains the implementation of getters for the following
ports: cypress, mbed, mynewt, zephyr.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
2021-07-06 14:42:53 -06:00
Andrzej Puzdrowski 142b339667 boot: introduce MCUBOOT_CPU_IDLE() for support low power single thread
Introduced the MCUBOOT_CPU_IDLE() macro.
If a port supports single thread or is bare-metal, then it might be needed
to switch to idle mode explicitly from MCUboot code.
The call allows enabling lower power consumption while waiting for
incoming transmission in serial recovery etc.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2021-06-17 12:42:21 +02:00
Jerzy Kasenberg 1d0467e833 boot/mynewt: De-initialize peripherals before calling app
Mynewt code calls hal_bsp_init() at the start of the bootloader.
This may initialize some resources (timer/uart/dma).
Mynewt now has a hal_bsp_deinit() function that should be called
before the application is executed.
This new function allows stopping resources that were started.

This can stop the cputimer which was started with its interrupt
enabled. This timer interrupt was very likely to fire
for STM devices that have a 16-bit timer in use, when mcuboot
did not start the LSE and the application wanted to.
Starting the LSE oscillator takes so much time in some cases
that the timer interrupt will execute the MCU from the mcuboot vector
after RAM was already cleared by startup code, and that
would lead to a crash loop.
Blocking interrupts before starting the application would
also help, but leaving peripherals in reset state
seems reasonable.

Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
2020-11-25 12:36:10 -03:00
Andrzej Puzdrowski 907476d701 boot: remove direct fih delay rng inclusion
Direct inclusion of "bootutil/fault_injection_hardening_delay_rng.h"
might cause a linking collision as this header belongs to `FIH_ENABLE_DELAY`
mode.
This header is already included by "bootutil/fault_injection_hardening.h"
appropriately.

fixes #831

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2020-10-07 13:50:16 +02:00
Tamas Ban 76177e1b8e boot/mynewt: Add fault injection mitigation
Add software countermeasures against fault injection attacks.

Change-Id: Ibea597fd9ee2bf0693f79f5979304143e2b3db2d
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-10-02 07:31:11 -03:00
Fabio Utzig 92eb07fe3e boot: mynewt: add ECIES-X25519 support
Signed-off-by: Fabio Utzig <utzig@apache.org>
2020-04-10 17:56:14 -03:00
Fabio Utzig 6e137818d2 mynewt: add option for saving enckey TLVs in swap status
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-20 14:57:06 -03:00
Fabio Utzig e92df93461 sim: log: add new level targetting simulator
* Adds a new level (BOOT_LOG_SIM) to be used only for messages that
  are interesting while debugging bootutil in the simulator. This should
  be used for extra verbose prints.

* Also added fflush() calls after fprintf() calls to guarantee that messages
  are printed even when assertions are raised.

* For abstraction completeness, add "do nothing" definitions of _LOG_SIM
  to the other ports.

* Make DEBUG the default level when building the simulator (one can
  still lower verbosity using any other value for RUST_LOG).

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-10 16:04:44 -03:00
Fabio Utzig be43ea8977 boot: mynewt: add config for swap without scratch
Add Mynewt option to enable building a bootloader that uses an
alternative swap algorithm, that first moves up all sectors in slot1 and
then directly swaps between slot0 and slot1.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-12-09 14:21:09 -03:00
Fabio Utzig c67dd70423 boot: mynewt: add config for ECIES-P256 encrypted images
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-11-06 06:55:25 -03:00
Andy Gross 441e997891 mynewt: Make cflags consistent for if or ifdef usage
This patch changes the cflag entry for MCUBOOT_MYNEWT to make it
consistent when using #if or #ifdef.

Signed-off-by: Andy Gross <andy.gross@juul.com>
2019-10-21 17:22:34 -03:00
Fabio Utzig e47ccd63df mynewt: allow overriding the startup routine
Add a new Mynewt option that allows for overriding the default
`hal_system_start` routine; this allows for startup customizations
required by some BSPs.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-10-21 17:21:27 -03:00
Fabio Utzig ea34f9a77b Fix Mynewt boot_serial unittest
The boot_serial test was failing to build because it hadn't been updated to
use the new multi-image flash area nomenclature. This fixes the build.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-10-01 17:36:12 -03:00
Fabio Utzig 61f08a04ae Add basic multi-image support for Mynewt
Allow Mynewt to be used in multi-image builds. Primary and secondary
slots of image 1 are hard-coded to FLASH_AREA_IMAGE_2 and FLASH_AREA_IMAGE_3.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 10ee648145 Update bootutil to reduce amount of global state
The boot loader state currently exists as a global variable (boot_data)
which is accessed by all routines; this updates all routines that
require access to the state to receive it by parameter.

Variables that are declared as "static" (globals) were #ifdef'ed to
only use static when building a native bootloader, to avoid stack
allocation. When bootutil is built to run in the simulator they are
stack allocated to avoid thread share.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-08-07 14:33:36 -03:00
Fabio Utzig b0f0473352 Remove current_image global and macro updates
Currently to determine which image is being operated on, there is a global
variable called current_image which is used by most macros and APIs to
correctly access the flash areas required by the bootloader. This moves
this variable to the already existing state struct and refactors all
macros and APIs to receive the current image by parameters. To maintain
compatibility some of the macros were not updated and use image 0 when
called.

The definitions of FLASH_AREA_IMAGE_PRIMARY and FLASH_AREA_IMAGE_SECONDARY
for Mynewt compatibility were moved out of bootutil sources to a Mynewt
specific include file.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-08-07 14:33:36 -03:00
Fabio Utzig 78cc1261f3 Add Mynewt option to enable the watchdog
For Mynewt, if a watchdog driver is available, it is always used and fed
during a swap operation. Since the swap operation is able to resist resets,
the watchdog can stay disabled to preserve some flash space (watchdog
driver), with the side-effect that a swap might take longer because of
having to resume interrupted operations.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-08-06 14:25:04 -03:00
Fabio Utzig 853657c23d Add watchdog feeding macro
When HW / OS provides an always enabled watchdog, this macro can
optionally be implemented to avoid resets which are expected to
occur under normal conditions when swapping very large images or
running on slower devices.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-07-12 08:06:13 -03:00
Fabio Utzig af1e02e347 [MYNEWT] Allow initialization of HASH when enabled
The Mynewt HASH HW driver can be used to do the sha256 validation in the
bootloader instead of relying on mbedTLS/tinycrypt. When enabled it must
be initialized before boot_go (and boot_img_validate) is run, so this
does the extra checking and runs initialization when required.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-07-12 08:05:51 -03:00
Fabio Utzig a1e8e4334d Add Mynewt ed25519 support
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-06-13 19:21:05 -03:00
Fabio Utzig 61f86fd848 Add Mynewt RSA-3072 config
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-05-16 14:01:19 -03:00
Fabio Utzig ad0e9b8077 Add Mynewt configuration to enable HW crypto
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-03-14 07:29:01 -03:00
David Vincze 2d736ad4c5 Replace flash partitioning terminology
This change replaces the slot 0/1 terminology with primary/secondary
slot and replaces FLASH_AREA_IMAGE_0/1 with
FLASH_AREA_IMAGE_PRIMARY/SECONDARY. This naming convention may be more
understandable, fits better to MCUs with multiple images and it is an
architecture agnostic alternative as well.

Change-Id: I655a585f6ae023852c671ee6635399efe25209c9
Signed-off-by: David Vincze <david.vincze@arm.com>
Signed-off-by: David Brown <david.brown@linaro.org>
2019-03-13 15:40:21 -06:00
Christopher Collins fea163c6a4 Fix Mynewt builds; add log stub dependency
A recent change in the Mynewt repo
(b10cbea5ef882e7f91d1c34ffcf2506d3e183003) imposes the LOG API
requirement on the `sys/mfg` package.  To fix broken builds, make the
Mynewt app and test package depend on `sys/log/stub`.

Signed-off-by: Christopher Collins <ccollins@apache.org>
2019-01-12 14:38:41 -07:00
Emanuele Di Santo 9f1933d1a5 boot: zephyr: migrate to new log subsystem
The old log subsystem has been deprecated in Zephyr.
Migrate to the new subsystem to avoid compilation warnings.

In-place log processing is selected as it is required because MCUboot is
a single-thread application.

Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2019-01-10 19:11:15 +01:00
Fabio Utzig 338a19f70d Add bootstrapping from slot1 support
This adds a new option that allows copying slot0, from the contents
of slot1, if slot0 is found to be erased and not validated, and
the contents of slot1 are validated.

This mechanism basically enables a device to "bootstrap" from the
contents of an external flash that has a valid image, given that the
only flashed thing in the internal flash is the bootloader.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-12-27 10:58:50 -02:00
Marko Kiiskila 8e7b7ac9e0 boot_uart: mynewt; option for faster speed with serial.
Make RX buffer size configurable for UART. Allow incoming
interrupts while copying data out of that buffer.

Signed-off-by: Marko Kiiskila <marko@apache.org>
2018-12-24 08:47:25 -02:00
Fabio Utzig 0170f26de1 Add Mynewt config for encrypted images
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-10-12 13:36:13 -03:00
Fabio Utzig 0f29c48e8d Initialize watchdog when running on Mynewt
On Mynewt some flash drivers on very slow devices tickle the watchdog to
avoid possible hangs; those were also trying to tickle the watchdog in
mcuboot when performing an upgrade or serial boot, without initializing
the watchdog, causing an invalid memory write and reset issue.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-07-30 08:33:00 -03:00
Fabio Utzig 3b69d6f845 Deinit timer after serial load is finished
This fixes an issue where the bootloader is activating a timer that is
later not used by the installed target image, causing an unhandled interrupt
fault.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-06-26 09:12:43 -03:00
Marko Kiiskila 149b457a22 boot_serial; improve platform abstraction.
Pass function pointers to do reads/writes from uart.

Signed-off-by: Marko Kiiskila <marko@runtime.io>
2018-06-14 23:19:06 +03:00
Marko Kiiskila ce50ab0648 boot_serial; text size reduction.
- Remove dependency to sprintf()
- Remove dependency to cborattr
- mynewt: replace console with more direct interface to uart
- mynewt: settings to reduce included os code

Signed-off-by: Marko Kiiskila <marko@runtime.io>
2018-06-14 23:19:06 +03:00
Marko Kiiskila 316d361fb3 mynewt app; support additional options to enter serial dfu.
Signed-off-by: Marko Kiiskila <marko@runtime.io>
2018-06-14 23:19:06 +03:00
Fabio Utzig 94912c518f Enable serial only when required for Mynewt
For Mynewt, when neither logging (default option) nor serial boot was selected,
avoid initializing the whole serial support system. This allows saving
flash space when only basic bootloader functionality is used.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-06-04 06:54:39 -03:00
Fabio Utzig 9a4b9ba1c0 Add per platform mcuboot_logging.h files
New logging macros were added for all supported platforms, following the
documentation defined in the template config file.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-06-04 06:54:39 -03:00
Andrzej Puzdrowski b788c71c08 Replace mcuboot flash_map by zephyr flash_map
The patch introduces usage of the Zephyr flash_map module instead
of the mcuboot zephyr-only implementation. The unused flash_area_to_sectors
API of the former flash_map was removed as well.
The size of a sector-status-update-map entry is now defined by the
minimum write size supported by the flash driver.

To avoid ambiguity, the former zephyr-only file flash_map.c
was renamed to flash_map_extended.c (its code now implements
only additions to what the Zephyr flash_map implements).

The flash_map.h header include is now wrapped by the flash_map_backend.h header
because implementations and include paths are different in Zephyr and Mynewt.

Usage of hal_flash_align() was replaced by usage of flash_area_align().
This provides consistency between the Mynewt and Zephyr implementations as
this API is available in both RTOSes.

flash_map.h was moved to the simulator c-support files as it is now missing in
the boot/zephyr subdirectories.

f. boot_scratch_fa_device_id was removed as unused.
f. boot_img_fa_device_id was and expanded the only use of it
(on loader.c).

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2018-05-16 16:05:17 -03:00
Marti Bolivar f9bfddd685 Move max image sector config to mcuboot_config.h
Take the opportunity to clean up a bit of platform cruft that has
gotten into bootutil by moving it to mcuboot_config.h, and ensuring it
is documented in the template config file.

Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
2018-04-25 18:44:03 -03:00
Marti Bolivar f91bca51a6 Mandate the presence of mcuboot_config/mcuboot_config.h
Mynewt uses this file to convert MYNEWT_VAL(xxx) to MCUBOOT_xxx config
options. Zephyr currently adds config options via the compiler command
line, but it should use this instead.

As prep work for that conversion, add an empty mcuboot_config.h to the
Zephyr port, and include this file unconditionally wherever it's
needed. This takes care of the simulator as well, since that puts
boot/zephyr/include on its C file include path.

This turned up a couple of files (bootutil_priv.h and caps.c) that
were using the MCUBOOT_xxx config values without including the
file. Add the includes there, as they'll be needed later.

To make this official, add it to the requirements in the porting guide
and provide a template file porters can use while getting started.

Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>

fixup! Mandate the presence of mcuboot_config/mcuboot_config.h
2018-04-25 18:44:03 -03:00