This updates `image list` and `image upload` objects to support
multi-images. The information about which image is being handled was
added to the CBOR as an "image" field which, when not available, is
considered to have value 0.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Allow Mynewt to be used in multi-image builds. Primary and secondary
slots of image 1 are hard-coded to FLASH_AREA_IMAGE_2 and FLASH_AREA_IMAGE_3.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Allow the user to set the load_addr field of the header.
This could be useful in multi image situations to help
deduce the image number of an update without having to
look at the swap info.
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
This accounts for changes in the Zephyr build which include:
1) Flash areas are prefixed with `DT_`
2) The generated DTS was renamed to generated_dts_board_unfixed.h
3) The build tree has an extra "zephyr" dir.
Fixes #408
Signed-off-by: Fabio Utzig <utzig@apache.org>
CONFIG_MULTITHREADING is generally assumed to be y by the zephyr
kernel, even though that's not reflected in the Kconfig. For example,
semaphores depend on it being y, but CMake will still build sem.c even
if it's n.
The sensible default for this option is thus y.
However, it's a size advantage to disable it if the platform drivers
are all aware of this option, such as nRF.
Let's re-work our use of this option to keep it disabled when we know
it's safe, but enable it by default so more platforms can be expected
to work out of the box.
Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
Decode the MCUBOOT_DEBUG_DUMP environment variable into a series of
comma-separated strings, and create debug dumps for any test that
matches one of these strings. Also, the special string 'all' will match
every test, causing every image under test to be dumped.
The dumped images will contain an atomic counter, so that all of the
generated files will be unique for a given run.
Signed-off-by: David Brown <david.brown@linaro.org>
Add a `debug_dump()` method to `Images` to allow the images to be
written to a file. The dependency test will call this if the
environment variable MCUBOOT_DEBUG_DUMP is set.
In order to make these debug dumps more useful, add a simple partition
table to the beginning of the image (where MCUboot would reside on
target). This has a simple header, and then entries for each partition,
using the partition ids used within the simulator. This allows the
image to be more easily used by external tools.
As an example, `scripts/mcubin.bt` is a binary template for the [010
Editor](https://www.sweetscape.com/010editor/), allowing it to decode
and show the details of images from MCUboot.
Signed-off-by: David Brown <david.brown@linaro.org>
For some basic mcuboot configurations the zephyr timers are
not required, which reduces the flash footprint significantly.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
While iterating over the swap table looking for swap type,
avoid asserting on errors; let caller handle error handling.
Signed-off-by: Fabio Utzig <utzig@apache.org>
`boot_read_image_size` was already receiving the bootloader state and
slot; since the image_header is part of the state and can be gathered
from it, it was removed from the list of parameters.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds a single trailer writing routine that can write any amount of
data (up to BOOT_MAX_ALIGN); the functions that were writing to the
trailer now just call this one passing the offset and data/len.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Update each function to calculate the offset based on a previous
function offset, so that if one has to be changed not all functions have
to be updated.
Signed-off-by: Fabio Utzig <utzig@apache.org>
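As an added illustration of the two commits above (one trailer writer bounded by BOOT_MAX_ALIGN, and trailer offsets each derived from the previous field's offset), here is example code that is not MCUboot's own: the field names, the slot size, the 8-byte alignment, the 16-byte magic and the 0xff erased-flash value are assumptions made for this example, and the "flash area" is an in-memory buffer.

```c
/*
 * Added example, not MCUboot code. Trailer field offsets are chained from
 * the end of the slot, and one routine writes any field of up to
 * BOOT_MAX_ALIGN bytes. All sizes and names below are assumptions.
 */
#include <stdint.h>
#include <string.h>

#define BOOT_MAX_ALIGN   8u      /* assumed flash write alignment */
#define BOOT_MAGIC_SZ    16u     /* assumed size of the trailer magic */
#define ERASED_VAL       0xffu   /* assumed erased-flash byte value */
#define SLOT_SIZE        4096u   /* constructed slot size */

static uint8_t slot[SLOT_SIZE];  /* in-memory stand-in for a flash area */

/* Each offset is computed from the previous one, so moving or resizing one
 * field only requires changing the function for that field. */
static uint32_t boot_magic_off(void)     { return SLOT_SIZE - BOOT_MAGIC_SZ; }
static uint32_t boot_image_ok_off(void)  { return boot_magic_off() - BOOT_MAX_ALIGN; }
static uint32_t boot_copy_done_off(void) { return boot_image_ok_off() - BOOT_MAX_ALIGN; }
static uint32_t boot_swap_info_off(void) { return boot_copy_done_off() - BOOT_MAX_ALIGN; }
static uint32_t boot_swap_size_off(void) { return boot_swap_info_off() - BOOT_MAX_ALIGN; }

/* Single trailer writer: rejects unaligned or oversized writes, pads the
 * payload to BOOT_MAX_ALIGN with the erased value so every write is one
 * full aligned unit. Returns 0 on success, -1 on a bad request. */
static int boot_write_trailer(uint32_t off, const void *inbuf, uint8_t inlen)
{
    uint8_t buf[BOOT_MAX_ALIGN];

    if (inlen > BOOT_MAX_ALIGN || off % BOOT_MAX_ALIGN != 0 ||
        off + BOOT_MAX_ALIGN > SLOT_SIZE) {
        return -1;
    }
    memcpy(buf, inbuf, inlen);
    memset(buf + inlen, ERASED_VAL, BOOT_MAX_ALIGN - inlen);
    memcpy(slot + off, buf, BOOT_MAX_ALIGN);
    return 0;
}

/* Field-specific writers collapse to one call each. */
static int boot_write_copy_done(void)
{
    uint8_t v = 0x01;
    return boot_write_trailer(boot_copy_done_off(), &v, 1);
}

static int boot_write_swap_size(uint32_t swap_size)
{
    /* little-endian encoding, written byte by byte */
    uint8_t b[4] = {
        (uint8_t)(swap_size & 0xff),         (uint8_t)((swap_size >> 8) & 0xff),
        (uint8_t)((swap_size >> 16) & 0xff), (uint8_t)((swap_size >> 24) & 0xff),
    };
    return boot_write_trailer(boot_swap_size_off(), b, sizeof b);
}

static void slot_erase(void) { memset(slot, ERASED_VAL, sizeof slot); }

static uint8_t slot_byte(uint32_t off) { return slot[off]; }

/* Erase the slot, then write copy_done and a constructed swap size.
 * Returns 0 if both writes were accepted. */
static int trailer_demo(void)
{
    slot_erase();
    if (boot_write_copy_done() != 0) {
        return -1;
    }
    return boot_write_swap_size(0x00012345u);
}
```

With a 4096-byte slot the offsets come out as magic 4080, image_ok 4072, copy_done 4064, swap_info 4056 and swap_size 4048, all multiples of the alignment; changing BOOT_MAGIC_SZ shifts every field below it without touching the other functions.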
When doing a swap some of the information required by the process
is temporarily written to the status area; previously each data
writing routine tried to find the correct area by looking for the
magic and assuming that data is located there (because everything
fits a single sector). This moves the code to find the magic into
a separate routine that is now used by others.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When the hash key length parameter is invalid (bigger than allowed) just
return an error for the caller routines; this will work like a not found
key and allows the removal of assert() code in this module.
Signed-off-by: Fabio Utzig <utzig@apache.org>
TLV offset was determined by manually adding the header and image
size in many places; this makes the addition into a macro receiving
an image_header to ease future changes.
Signed-off-by: Fabio Utzig <utzig@apache.org>
With the recent changes in bootutil, now there is no need to lock the
test threads to run sequentially, so the global lock was removed. The
locking now happens to access resources such as flash, flash params,
simulator context, etc. on a per-thread basis. Some of the global
variables that were used by the simulator itself (FFI) were made into a
context struct passed in to invoke_go.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The boot loader state currently exists as a global variable (boot_data)
which is accessed by all routines; this updates all routines that
require access to the state to receive it by parameter.
Variables that are declared as "static" (globals) were #ifdef'ed to
only use static when building a native bootloader, to avoid stack
allocation. When bootutil is built to run in the simulator they are
stack allocated to avoid thread share.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Currently to determine which image is being operated on, there is a global
variable called current_image which is used by most macros and APIs to
correctly access the flash areas required by the bootloader. This moves
this variable to the already existing state struct and refactors all
macros and APIs to receive the current image by parameters. To maintain
compatibility some of the macros were not updated and use image 0 when
called.
The definitions of FLASH_AREA_IMAGE_PRIMARY and FLASH_AREA_IMAGE_SECONDARY
for Mynewt compatibility were moved out of bootutil sources to a Mynewt
specific include file.
Signed-off-by: Fabio Utzig <utzig@apache.org>
There are three methods that verify multiple images that essentially
manually implement the `all` and `any` methods of `Iterator`. It makes
it difficult to understand what these do, as there is an early return of
true or false, with various negations of the check.
Replace these with calls directly to `any` or `all` so that it is
clearer what each function is doing. The generated code should be the
same.
Signed-off-by: David Brown <david.brown@linaro.org>
For Mynewt, if a watchdog driver is available, it is always used and fed
during a swap operation. Since the swap operation is able to resist resets,
the watchdog can stay disabled to preserve some flash space (watchdog
driver), with the side-effect that a swap might take longer because of
having to resume interrupted operations.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Rather than just make the test images entirely pseudorandom data, add a
small textual header to the front that describes some key information
about each image. This can be helpful when debugging, to determine what
exactly is in each image slot.
Signed-off-by: David Brown <david.brown@linaro.org>
Create a trait `Depender` which is passed down to the image create and
verification to check and test for various types of dependency
resolution. Add a test that uses this to test the simple case of unmet
dependencies preventing an upgrade.
The actual test is disabled (with an `if false ...`) because the code
under test loops forever in this configuration.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of manually expanding multi-byte encoding, use the byteorder
crate which has its own extension methods to do this. This both makes
the code a bit clearer, and also makes it clear that these encodings are
specific to little endian platforms.
Signed-off-by: David Brown <david.brown@linaro.org>
Many places in the image code pass a pair of
slots: &[SlotInfo], slot: usize,
around as arguments. Simplify this by just passing a `&SlotInfo`. For
the few instances where code needs to know the index of a slot, add an
index field to the `SlotInfo` struct for these to use. This eliminates
an argument from 4 functions/methods, and the numerous places they are
called.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of a growing number of no-argument methods that just call other
methods with fixed arguments, change the `sim_test` macro to pass
through arguments to the test methods. This will make it easier to
further parameterize the test entrypoints.
Signed-off-by: David Brown <david.brown@linaro.org>
This struct currently relies on padding being done by the C compiler.
Although this is generally done the same across targets, this isn't
required, and it is better to make any padding explicit. This also
makes it clear that there is extra space in this structure that can be
used for another purpose.
The python imgtool is also fixed to match. It was using a 32-bit int,
which only worked in the little endian case.
Signed-off-by: David Brown <david.brown@linaro.org>
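As an added example for the commit above (not MCUboot's header struct or imgtool code), this shows a header with compiler-chosen padding next to one with an explicit pad field, compile-time checks that pin the explicit layout, a host-endianness-independent serializer, and the reason the 32-bit shortcut only worked for little-endian output. The field names, sizes and sample values are assumptions constructed for this illustration.

```c
/*
 * Added example, not MCUboot code. Field names and the sample values are
 * assumptions made for this illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* "Before": the gap after hdr_size is left to the compiler. Its size is an
 * ABI decision, not a property of this declaration. */
struct hdr_implicit {
    uint32_t magic;
    uint16_t hdr_size;
    uint32_t img_size;
};

/* "After": the gap is a named field. The layout is now what the source says,
 * and the spare bytes are visibly available for a future field. */
struct hdr_explicit {
    uint32_t magic;
    uint16_t hdr_size;
    uint16_t _pad1;
    uint32_t img_size;
};

/* Compile-time checks that the explicit struct matches the intended wire layout. */
_Static_assert(offsetof(struct hdr_explicit, _pad1) == 6, "_pad1 offset");
_Static_assert(offsetof(struct hdr_explicit, img_size) == 8, "img_size offset");
_Static_assert(sizeof(struct hdr_explicit) == 12, "header size");

/* How much padding the compiler chose for the implicit variant (ABI dependent). */
static size_t implicit_padding_bytes(void)
{
    return sizeof(struct hdr_implicit) -
           (sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint32_t));
}

static void put_u16(uint8_t *p, uint16_t v, int big_endian)
{
    if (big_endian) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
    else            { p[0] = (uint8_t)v;        p[1] = (uint8_t)(v >> 8); }
}

static void put_u32(uint8_t *p, uint32_t v, int big_endian)
{
    for (int i = 0; i < 4; i++) {
        unsigned shift = big_endian ? 8u * (unsigned)(3 - i) : 8u * (unsigned)i;
        p[i] = (uint8_t)(v >> shift);
    }
}

/* Serialize the explicit header field by field in little-endian order,
 * independent of the host's byte order. Returns the number of bytes written. */
static size_t hdr_serialize_le(const struct hdr_explicit *h, uint8_t out[12])
{
    put_u32(out + 0, h->magic, 0);
    put_u16(out + 4, h->hdr_size, 0);
    put_u16(out + 6, h->_pad1, 0);
    put_u32(out + 8, h->img_size, 0);
    return 12;
}

/* The shortcut the commit removes from imgtool: emitting hdr_size as one
 * 32-bit integer yields the same four bytes as a 16-bit integer followed by
 * two zero pad bytes only when the byte order is little-endian.
 * Returns 1 if the two encodings are byte-identical, 0 otherwise. */
static int u32_pack_equals_u16_plus_pad(uint16_t hdr_size, int big_endian)
{
    uint8_t as_u32[4];
    uint8_t as_u16_pad[4] = { 0, 0, 0, 0 };
    put_u32(as_u32, hdr_size, big_endian);
    put_u16(as_u16_pad, hdr_size, big_endian);
    return memcmp(as_u32, as_u16_pad, sizeof as_u32) == 0;
}

/* Constructed sample header (values are not from any real image). */
static const struct hdr_explicit sample_hdr = { 0x11223344u, 0x0020u, 0u, 0x1000u };

static uint8_t sample_byte(size_t i)
{
    uint8_t buf[12];
    hdr_serialize_le(&sample_hdr, buf);
    return buf[i];
}
```

The `_Static_assert` lines are the part worth carrying into real code: they turn an ABI assumption about an on-flash format into a build failure on any toolchain that disagrees.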
When doing a test with fails, the total number of flash accesses is
first calculated doing an upgrade without fails, which is then used to
fail/resume at all test points. The count was always considering the
setting of a permanent upgrade, which added 1 to the total count in a
non-permanent upgrade. This amount was being discounted when running
the test/revert with fails, although the discount was only ok for single
images. This adds a new image constructor that does not run a permanent
upgrade and thus gets the correct number of flash accesses for a
test/revert no matter how many images are being tested.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This was previously removed because it failed on multi-image tests due
to some image having finished an upgrade and having its flag already
set. A new method was added that checks that at least one copy_done flag
is unset, thus not all upgrades have finished.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Zephyr builds use 'cmake' which can generate either makefiles, or use
the Ninja build tools. There are several significant advantages to
using Ninja as the build tool:
- It is significantly faster. Ninja reads a directory and stats the
files in it once. Make often stats a given directory thousands of
times, many for files that don't even exist.
- It has better output. Ninja collects commands together with their
error output. When doing multi-cpu builds, Ninja prints a status
indicator, and only prints fully verbose commands when that command
fails. Instead of having to try and piece together a given command
with its errors, they will always be together.
- Make's support of multiple CPUs is a crude hack. Make forks off
multiple processes to use multiple CPUs. These processes don't
communicate with each other (very much), which causes make to often
continue after encountering errors. It is common for a multi-CPU
make invocation to print hundreds or thousands of additional lines
after an error message.
Nearly all distros have a version of Ninja available in their package
manager, making this change of low cost.
Signed-off-by: David Brown <david.brown@linaro.org>
Recent versions of the Rust compile tool `cargo` insert a comment at the
top of `Cargo.lock` indicating that this file is auto-generated. Commit
versions of these files with this comment in, so that users of recent
versions of Rust will not have spurious diffs every time they compile.
Older versions of Rust will remove these lines. However, this is less
likely to be an issue, as we now depend on at least Rust 1.31 in order
to have Rust 2018 support. We recommend using 'rustup' to keep the Rust
install up to date.
Signed-off-by: David Brown <david.brown@linaro.org>
In case of multi image boot this check fails, because the
copy_done flag is set per image when an image swap has finished.
When the second image update is interrupted, the copy_done flag
has already been set for the first image.
Change-Id: Ic97dd5e4c5cdb5a5a94971f3ca84bfe0d7583dd4
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
This patch adds the capability to check image dependencies in case
of multi-image boot. The dependencies are described with a new type
of TLV in the manifest.
Change-Id: If45f81a00d4324c881634f50156f9939e1bf8707
Signed-off-by: David Vincze <david.vincze@arm.com>
This patch adds the capability to handle multiple firmware images,
to update them independently. Also update the design documentation.
It separates the completion of aborted image swap operations and the
update of images even more as these should be happening at different
stages of the boot process according to the design proposal of
the multiple image support:
https://github.com/JuulLabs-OSS/mcuboot/pull/317.
Change-Id: I7eb5f632298bb08c805bfaee0359703b2ae19e9d
Signed-off-by: David Vincze <david.vincze@arm.com>