Commit Graph

1143 Commits

Author SHA1 Message Date
David Vincze b75c12a431 Boot: Extend flash layout for multiple images
This patch introduces the BOOT_IMAGE_NUMBER macro and current_image
variable to support multiple updatable images and the associated
extended flash layout.

The FLASH_AREA_IMAGE_* object-like macros are replaced with
function-like ones and therefore some functions have been updated,
because the labels of a switch statement and the initialization
values of objects with static storage duration have to be constant
expressions.

Change-Id: Ib7b26ec3c94233e52db4f97825ddb6a3e55bb1d3
Signed-off-by: David Vincze <david.vincze@arm.com>
2019-07-23 09:11:34 -05:00
David Vincze 6c9b416cd8 sim: Support non-continuous area ID mapping
Support non-continuous image flash area ID mapping. It was assumed
that the flash area IDs are subsequent and increasing numbers which
might not be true in all cases.

Change-Id: I0d1285d6fcf1e83a64611c9ad4f65abd002c25d3
Signed-off-by: David Vincze <david.vincze@arm.com>
2019-07-23 09:11:34 -05:00
David Vincze e24534799b Boot: Save image sequence number to image trailer
Overload the swap_type field in image trailer to store as an addition
the image sequence number. It indicates which image's swap was
interrupted. It is required by multi image boot to determine which
image the trailer belongs to if boot status is found on scratch area
when the swap operation is resumed.

Change-Id: I6820fd8277931aff4f0db408376eae8b42a030ed
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
2019-07-23 09:11:34 -05:00
Fabio Utzig 853657c23d Add watchdog feeding macro
When HW / OS provides an always enabled watchdog, this macro can
optionally be implemented to avoid resets which are expected to
occur under normal conditions when swapping very large images or
running on slower devices.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-07-12 08:06:13 -03:00
Fabio Utzig af1e02e347 [MYNEWT] Allow initialization of HASH when enabled
The Mynewt HASH HW driver can be used to do the sha256 validation in the
bootloader instead of relying on mbedTLS/tinycrypt. When enabled it must
be initialized before boot_go (and boot_img_validate) is run, so this
does the extra checking and runs initialization when required.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-07-12 08:05:51 -03:00
Fabio Utzig eadbf58850 Revert Mynewt version metadata
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-07-12 07:58:43 -03:00
Szymon Janc 7fea84665f Release 1.3.1
Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
2019-07-08 08:50:16 -03:00
Alvaro Prieto 63a2bdbda9 Fix bug that prevents split images from working.
There is a bug in split_go that never opens the loader image flash
area, but opens the app/split image flash area twice. This prevents
split_image_check from passing and the app from ever loading.

Signed-off-by: Alvaro Prieto <source@alvaroprieto.com>
2019-07-05 07:23:17 -03:00
Andrzej Puzdrowski f99a4c790a zephyr: fix include of system_timer.h
Above header was moved to another path.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2019-07-01 09:34:01 +02:00
Fabio Utzig 9871cebf2a Update mbedTLS sha256 usage to avoid deprecation
mbedTLS made sha256 functions that do not return errors deprecated. This
updates to use the new functions avoiding the extra function calls, and
breakage when the deprecated calls are effectively removed.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-06-28 08:47:43 -03:00
Fabio Utzig 195411f212 Add ed25519 TLV to design doc
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-06-28 08:46:12 -03:00
Fabio Utzig cf17561fbb Update mynewt travis test to use go 1.12
`newt` was recently updated to build with go module and requires go
1.12.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-06-28 08:46:12 -03:00
Fabio Utzig 4bd4c7cfb9 Allow imgtool to generate encrypted ed25519 keys
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-06-28 08:46:12 -03:00
Andrzej Puzdrowski 9686e702e4 requirements.txt: bump cryptography Py package version
Since Ed25519 curve primitives are only available since cryptography package
version 2.6, its version needs to be bumped.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2019-06-18 14:08:27 +02:00
Fabio Utzig 3c469bc698 Add ed25519 test to travis-ci
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-06-13 19:21:05 -03:00
Fabio Utzig 9771028579 Add ed25519 verification to sim
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-06-13 19:21:05 -03:00
Fabio Utzig 4876484bce Add bootutil support for ed25519 validation
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-06-13 19:21:05 -03:00
Fabio Utzig a1e8e4334d Add Mynewt ed25519 support
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-06-13 19:21:05 -03:00
Fabio Utzig 1171df91b9 Add Zephyr infrastructure for ed25519
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-06-13 19:21:05 -03:00
Fabio Utzig 705dfb3c29 Add third_party/fiat from boringssl
This adds the boringssl version of fiat-crypto. The version bundled here
had most of its non-used code removed, like signing, X25519 curve
operations not required by verification, etc.

Under boringssl tree, fiat can be found in third_party/fiat. The version
included here comes from a boringssl tree where the last commit is
f109f2087349712d3ac717d15fab48e130618110.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-06-13 19:21:05 -03:00
Fabio Utzig 8101d1fa44 Add ed25519 signing support to imgtool
This adds ed25519 signature support using the "prehash" method. Instead
of using the direct contents of the image and header payloads, a sha256
is generated and signed (SHA256-Ed25519). This allows for compatibility
with already existing tools that use the sha256 hash, like mcumgr, etc.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-06-13 19:21:05 -03:00
Fabio Utzig fc07eab118 Add interruption at revert step of a test+revert
This extends the test+revert case with an interruption on the revert
stage, as it was previously only interrupted on the test stage. For
simplicity the interruption happens on the same interruption point for
both test and revert stages.

Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: Christopher Collins <ccollins@apache.org>
2019-05-31 10:15:08 -07:00
Fabio Utzig 28d012c1c5 Increase size of swap testing images
Make images slightly larger to allow more swap status metadata to be
written to flash, to increase amount of debugging info and possibility
of failures on random write fails.

Signed-off-by: Fabio Utzig <utzig@apache.org>
Signed-off-by: Christopher Collins <ccollins@apache.org>
2019-05-31 10:15:08 -07:00
Christopher Collins a1c1204f65 Fix double swap on interrupted revert
This fixes #480.

When mcuboot rewrites image trailers during a swap, some information is
lost.  If a reset occurs before the swap completes, mcuboot may not be
able to determine which swap type to resume upon startup.
Specifically, if a "revert" swap gets interrupted, mcuboot will perform
an extraneous swap on the subsequent boot.  See
https://github.com/JuulLabs-OSS/mcuboot/issues/480 for details.

This commit adds an additional field to the image trailer: `swap-type`.
The new trailer structure is illustrated below:

```
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ~                                                               ~
    ~    Swap status (BOOT_MAX_IMG_SECTORS * min-write-size * 3)    ~
    ~                                                               ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ~                 Encryption key 0 (16 octets) [*]              ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ~                 Encryption key 1 (16 octets) [*]              ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Swap size           |    0xff padding (4 octets)    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Swap type   |           0xff padding (7 octets)             ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Copy done   |           0xff padding (7 octets)             ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Image OK    |           0xff padding (7 octets)             ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ~                       MAGIC (16 octets)                       ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```

The `swap-type` field contains one of the `BOOT_SWAP_TYPE_[...]` constants.
Every time a trailer is written, this field is written along with it.
When resuming an interrupted swap, mcuboot uses this field alone to
determine the type of swap being resumed. For new swap operations
(non-resume case), this field is not read at all; instead, mcuboot
consults the `boot_swap_tables` array to determine the swap operation to
perform (as it did prior to this commit).

Some additional changes were necessary to make all the simulated unit
tests pass:

* Before initiating a new swap operation, always write the image trailer
to the scratch area.  This step allows mcuboot to persist the
`swap-type` field somewhere before erasing the trailer in the primary
slot.  If a reset occurs immediately after the erase, mcuboot recovers
by using the trailer in the scratch area.

* Related to the above: if the scratch area is being used to hold status
bytes (because there are no spare sectors in the primary slot), erase
the scratch area immediately after the trailer gets written to the
primary slot.  This eliminates ambiguity regarding the location of the
current trailer in case a reset occurs shortly afterwards.

Signed-off-by: Christopher Collins <ccollins@apache.org>
2019-05-31 10:15:08 -07:00
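The trailer layout in the commit message above, as an added parsing example that is not part of MCUboot's own code: it walks a slot backwards from MAGIC, decodes the `swap-type`, `copy-done` and `image-ok` fields, and applies the resume rule the commit describes (the persisted swap-type alone decides). The magic value is a constructed placeholder, the numeric `BOOT_SWAP_TYPE_*` values are an assumption taken from bootutil.h, and a little-endian swap size is assumed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MAGIC_SZ, FIELD_SZ, ENC_KEY_SZ = 16, 8, 16  # octet sizes from the trailer diagram
# Constructed placeholder: MCUboot's real trailer magic is not given on this page.
TRAILER_MAGIC = bytes.fromhex("00112233445566778899aabbccddeeff")
# Numeric BOOT_SWAP_TYPE_* values are an assumption taken from bootutil.h.
SWAP_TYPES = {1: "NONE", 2: "TEST", 3: "PERM", 4: "REVERT", 5: "FAIL"}


@dataclass
class Trailer:
    swap_size: Optional[int]   # None while the 4 octets are still erased (0xff)
    swap_type: Optional[str]   # None while erased or not a known constant
    copy_done: bool            # flag octets are 0x01 when set, 0xff when erased
    image_ok: bool
    enc_keys: Optional[tuple]  # (key0, key1), present only in encrypted builds


def build_trailer(swap_size=None, swap_type=None, copy_done=False,
                  image_ok=False, enc_keys=None) -> bytes:
    """Serialize the diagram's fields (without the swap-status area) for tests."""
    def field(v):  # one data octet followed by 7 octets of 0xff padding
        return bytes([0xff if v is None else v]) + b"\xff" * (FIELD_SZ - 1)
    out = b"" if enc_keys is None else enc_keys[0] + enc_keys[1]
    out += b"\xff" * 4 if swap_size is None else struct.pack("<I", swap_size)
    out += b"\xff" * 4                                  # padding after swap size
    by_name = {name: num for num, name in SWAP_TYPES.items()}
    out += field(None if swap_type is None else by_name[swap_type])
    out += field(1 if copy_done else None) + field(1 if image_ok else None)
    return out + TRAILER_MAGIC


def parse_trailer(slot: bytes, encrypted: bool = False) -> Optional[Trailer]:
    """Walk the slot backwards from MAGIC; None means no trailer is present."""
    need = MAGIC_SZ + 4 * FIELD_SZ + (2 * ENC_KEY_SZ if encrypted else 0)
    if len(slot) < need or slot[-MAGIC_SZ:] != TRAILER_MAGIC:
        return None                      # erased slot or foreign data
    end = len(slot) - MAGIC_SZ           # fields sit just below the magic
    image_ok = slot[end - FIELD_SZ]
    copy_done = slot[end - 2 * FIELD_SZ]
    swap_type = slot[end - 3 * FIELD_SZ]
    end -= 4 * FIELD_SZ                  # start of the swap-size group
    raw_size = slot[end:end + 4]         # little-endian u32 assumed
    keys = None
    if encrypted:                        # key 0 then key 1 precede swap size
        keys = (slot[end - 2 * ENC_KEY_SZ:end - ENC_KEY_SZ], slot[end - ENC_KEY_SZ:end])
    return Trailer(
        swap_size=None if raw_size == b"\xff" * 4 else struct.unpack("<I", raw_size)[0],
        swap_type=SWAP_TYPES.get(swap_type), copy_done=copy_done == 1,
        image_ok=image_ok == 1, enc_keys=keys)


def resume_swap_type(slot: bytes, encrypted: bool = False) -> Optional[str]:
    """Resume rule from the commit: the persisted swap-type field alone decides."""
    t = parse_trailer(slot, encrypted)
    return None if t is None else t.swap_type
```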
Christopher Collins 2c88e69be7 Add some more debug logging
Signed-off-by: Christopher Collins <ccollins@apache.org>
2019-05-31 10:15:08 -07:00
Christopher Collins 2adef70e33 Use same format for scratch and slot trailer
Prior to this change, the scratch image trailer had a different format
from a slot image trailer.  Specifically:

1. The scratch trailer only contained a single set of status entries
   (three bytes); the slot trailer contained `BOOT_STATUS_MAX_ENTRIES`
   sets of status entries.

2. The scratch trailer did not contain the `copy_done` field.

This inconsistency required some extra conditional logic in the trailer
handling code.  It is simpler to just use the same trailer format
everywhere.

This commit removes this inconsistency.  Now, the scratch trailer
structure is identical to that of the slot trailer.

Signed-off-by: Christopher Collins <ccollins@apache.org>
2019-05-31 10:15:08 -07:00
Fabio Utzig 4a5477ad96 Add new verify command
imgtool verify -k <some-key.(pub|sec)> <img-file>

Allow imgtool to validate that an image has a valid sha256sum and that
it was signed by the supplied key.

NOTE: this does not yet support verifying encrypted images

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-05-29 08:56:12 -03:00
Fabio Utzig 05b594b01d Newt master now requires go 1.11
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-05-23 08:55:56 -05:00
Jun Li 01bef716c2 bugfix: disable usb for all usb funcs
USB should be disabled if any usb func is enabled.

fix #477

Signed-off-by: Jun Li <jun.r.li@intel.com>
2019-05-23 13:51:34 +02:00
Filip Kubicz db6be2d118 boot: zephyr: Update USB CDC ACM device name
Follow the device name changes in Zephyr.

Signed-off-by: Filip Kubicz <filip.kubicz@nordicsemi.no>
2019-05-22 15:18:34 +02:00
Fabio Utzig 2dc9f8f4b3 Run RSA-3072 feature on travis-ci
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-05-16 14:01:19 -03:00
Fabio Utzig 3929743408 Add simulator support for RSA-3072 sigs
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-05-16 14:01:19 -03:00
Fabio Utzig 19fd79a496 Add RSA-3072 support to imgtool
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-05-16 14:01:19 -03:00
Fabio Utzig 3501c01641 Add bootutil support for RSA-3072
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-05-16 14:01:19 -03:00
Fabio Utzig 105b59a9b9 Add Zephyr config for RSA-3072
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-05-16 14:01:19 -03:00
Fabio Utzig 61f86fd848 Add Mynewt RSA-3072 config
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-05-16 14:01:19 -03:00
Fabio Utzig e1727d9d2b Add Mynewt specific release information
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-05-06 15:31:48 -03:00
Andreas Vibeto 704b8ba481 boot: serial recovery: Add pca10090 default detect pin
Add button 1 as default serial detect pin for nrf9160_pca10090.

Signed-off-by: Andreas Vibeto <andreas.vibeto@nordicsemi.no>
2019-04-26 15:49:29 +02:00
Fabio Utzig 63ae7dee22 Add pkgpath to Mynewt key_files
This allows the CI targets to be built if MCUBoot is a dependency of
other repos as well as current local package only build support.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-04-17 18:12:23 -03:00
David Brown 5e6f5e0165 sim: Add multi-image config support to sim
Add support for building with multiple images to the simulator.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-04-17 11:20:21 +07:00
David Brown 2bff647d8f sim: Add a K64fMulti flash device
This device is similar to the K64f device, but it is twice as large, and
has the extra partitions needed to test multi-image.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-04-17 11:20:21 +07:00
David Brown 06ef06e69c sim: Base slots on number of images used
Construct the ImagesBuilder based on the number of images compiled into
the code.  If the flash device doesn't have enough areas for the test,
the test will be skipped.

Extend the FlashId to include Image2, and Image3.  Remove the unused
ones, so that these can be placed immediately after the scratcharea.
The current simulator code assumes the flash areas are numbered
contiguously, requiring these extraneous partitions to be eliminated.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-04-17 11:20:21 +07:00
David Brown 4c9883b0d8 Add a capability query for image number
In addition to the binary capability flags, add a query function that
returns the number of images MCUboot has been configured to support.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-04-17 11:20:21 +07:00
David Brown 74b161ea22 bootutil: Fix indentation in caps query
Fix indentation to match the rest of the source tree: 4 spaces, no tabs.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-04-17 11:20:21 +07:00
David Brown 5bc62c6b73 sim: Make the test builder optional
Some of the simulated devices aren't large enough to support the 5 slots
needed to test a multi-image configuration.  To allow this to work, make
the return from the `ImagesBuilder` return an option, so that it will be
able to indicate (with `None`) that this configuration isn't possible to
test, and that the test should be skipped.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-04-17 11:20:21 +07:00
David Brown 96eb0deb76 sim: simflash: Transition to failure
The Rust community has decided that 'failure' is the future, instead of
'error-chain'.  Migrate the flash simulator to this new error handling
package.  The changes are relatively minor, and the end result is a
similar `FlashError` type.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-04-17 11:20:21 +07:00
David Brown 84b49f751e sim: Internal support for multiple images
Move the three fields associated with each "Image" into a substructure
where we can have an array.  If the array size is 1, the behavior should
be identical to the previous behavior, but this will make it possible to
support multiple images just by creating more than one of these.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-04-17 11:20:21 +07:00
David Brown db505823a4 sim: Make various functions into methods
The functions `try_upgrade`, `try_revert`, `try_revert_with_fail_at`,
and `try_random_fails` make more sense as methods.  Move them into the
`Images` impl so they have access to `self` and some various fields.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-04-17 11:20:21 +07:00
David Brown 761015712c sim: Rename `SimFlashMap` to `SimMultiFlash`
The name `SimFlashMap` is a bit misleading, as the Map part is more of
an implementation detail when the type really just represents multiple
flash devices.

This is just a rename, but the names `SimFlashMap` and the value
`flashmap` occur in a lot of places in the image module.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-04-17 11:20:21 +07:00
David Brown ca23469e82 sim: Create an `ImageData` type
Create an `ImageData` type to represent the stored content of a single
slot.  This holds plaintext and optional ciphertext.  This fixes a bit
of unclarity with regards to these fields:

  - Before, the plaintext was an Option, even though it is always
    present.  The field is clearly always present now.

  - The mapping between slot numbers, and plain and ciphertext was not
    made clear.  Now that is spelled out in a match statement.

  - The type has a name, rather than an anonymous array that looked a
    bit too much like it had to do with slot numbers.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-04-17 11:20:21 +07:00