Fixes an issue whereby MCUboot is configured in single application
slot mode with serial recovery with encryption and an encrypted
image has been loaded, if valid this will have been decrypted, so
should not be treated as encrypted
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Prevents an issue which occurs when the MCUboot configuration is
changed which then selects multiple conflicting symbols
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fixes an issue whereby when an echo command is sent in serial
recovery mode, if it is disabled, there would just be no response
at all, which is invalid operation
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fixes USB configurations so that they build out of the box, this
previously falsely built successfully but would not run
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Adds a build failure if the main thread priority is not preemptible
and USB CDC ACM serial recovery is used, this is because if this is
the case, USB events will never be able to be processed and serial
recovery cannot ever enumerate
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This prevents MCUboot from successfully building if console and
serial recovery (USB CDC) are both enabled and they both point to
the same device
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
- Assert should be checked only for SWAP update modes.
- Allow platforms with page size >32 Bytes (e.g. LPC) to use
MCUBoot, at least for non-SWAP update modes.
Signed-off-by: Andrej Butok <andrey.butok@nxp.com>
This allows for out-of-tree modules to define their own boot serial
functions by using iterable sections.
Note that this also removes the custom img list command, which was
not used in-tree.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Adds support for sharing the direct-XIP MCUboot mode with revert
to applications using shared data
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Adds the ability to share mcuboot configuration with the
application using Zephyr's retention subsystem.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This fixes a build error when PSA Crypto API is being used
as it has no need for bootutil_import_key but it's included
currently since it's allowed to have both Mbed TLS and PSA defined.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: If38d3011fc4fa2d317f8be65df9e231d7d57dcbf
Adjust secure boot and flash encryption after IDF v5.x updates.
It also allows to enable secure boot on ESP32-C2.
Signed-off-by: Almir Okato <almir.okato@espressif.com>
Fixes 2 issues, one whereby multiple slots were checked despite
operating in single slot mode, and another whereby decrypted
images would not appear on serial recovery image listing, due
to assuming that the images were still encrypted.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fixes an issue whereby multiple commands are received and some
are still being processed. This generally arises when a response
takes a long time (e.g. when image decryption is required),
duplicate commands will now send multiple responses but avoids
the bug of future commands being sent to which previous responses
are received.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Currently all the hashing functionality is done with SHA256
but if we would like to use ECDSA-P384 that requires SHA384
as the hashing algorithm, but MCUboot is using SHA256
for image hashing and public key hashing. This commit modifies
the hashing operations to use SHA384 thus SHA256 can be omitted
which is beneficial from a code size standpoint.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I59230f76f88e0b42ad6383b2c9b71b73f33d7dd7
Fixes an include which is needed for multiple options by just
always including it, and fixing the path so it can be included.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Make MINIMAL_LIBC as default for MCUboot app build instead
of picolibc. Footprint is lower and no need to
MULTLTHREADING enabled for SoC build.
Signed-off-by: Sylvio Alves <sylvio.alves@espressif.com>
This adds support for indication LED option (MCUBOOT_INDICATION_LED) in
the timeout based recovery. Configured LED will be enabled when entering
the recovery and disabled after selected timeout (if no mcumgr command
was received).
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Fixes building the bootloader with serial recovery mode and boot
serial extensions enabled due to changes in Zephyr's MCUmgr file
and naming changes.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
CMSIS glue code is now provided by the CMSIS Zephyr module in
<cmsis_core.h>. Header is generic for M/A/R.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
The commit moves the flash_area_id_to_image to section compiled
only when not in DirectXIP mode, to prevent warnings about unused
static functions.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The commit adds DirectXIP version of bootutil boot_set_next
function.
The function is enabled by configuration option:
MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Builds in the default zephyr mode (optimised for size) which
saves about 6KiB of flash on a default nrf52840dk build.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fixes issues whereby encrypted images were not properly listed due
to not treating them as encrypted, also removes a piece of wrong
hack code that would never run as the primary slot cannot be
encrypted.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Improves the Kconfig layout for encrypted image support and allows
using key files instead of just using a pre-defined, insecure dummy
key.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Downgrade prevention check moved to secure both TEST
and PERMANENT upgrade modes. Downgrade can still be
performed during REVERT.
Signed-off-by: Michael Grand <m.grand@trustngo.tech>
This allows the currently executing slot number to be checked by
the external function, which can be used by XIP images to know
which slot is currently being executed from to allow for correct
uploading/positioning of firmware files, and also provides the
maximum size of an upgrade that can be loaded so that applications
can reject images that are too large.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
The function was incorrectly identifying partition of secondary slot
of image 0 as belonging to image 1, at the same time failing to
identify partition of primary slot of image 1.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The commit fixes boot_set_next always passing image 0 to
boot_write_swap_info, instead of the proper image number.
This has been affecting applications that tried to call boot_set_next
in multi-image MCUboot configuration using scratch-swap algorithm.
Fixes#1762
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Function flash_area_sector_from_off is replaced with newly used
flash_area_get_sector to cope with calls in bootutil_misc.c file.
This is required for CONFIG_MCUBOOT_SWAP_USING_MOVE to work correctly.
Signed-off-by: Michal Lenc <michallenc@seznam.cz>
Adds missing fields which were wrongly treated as part of the
operation value, which they were not, and adds a big/little
endian check.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This is a follow-up on upstream Zephyr split from `esp32` to distinct
esp32_devkitc_wroom and esp32_devkitc_wrover (see [1] and [2]).
[1] https://github.com/zephyrproject-rtos/zephyr/pull/58454
[2] 3776402f40
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Typecasting pointer variables to uint32_t
instead of uintptr_t was causing build error
on 64-bit architecture.
This is useful, because I am currently working
on implementing support for 64-bit native target
in Apache Mynewt. There is unit test for boot_serial
and it cannot be compiled without this changes.
Signed-off-by: Michal Gorecki <michal.gorecki@codecoup.pl>
Fixes an issue with missing packed attributes on image.h's
structures which would lead to faults on some devices e.g. ARM
Cortex M0, and adds a define for the SHA256 hash size.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Remove the ESP-IDF from git submodules to avoid potential
duplicated repo clones on the user system. IDF HAL code is still
a dependency for Espressif port, therefore now the HAL code
reference needs to be passed by parameter when building.
The Espressif port was also updated to work with last v5.1 IDF
code.
Signed-off-by: Almir Okato <almir.okato@espressif.com>
In same cases (loging, hash, crypto) main function called
newt tool generated sysinit() function to create
uart device and crypto.
Now user can specify that sysinit should be called for
other cases if needed. This can be useful if some other
package should be included in the build and it has
package initialization function.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
For MCUs with restriction on minimum write size (STM32H7)
unaligned writes resulted in flash write errors preventing
any sort of update.
Now MCUBOOT_BOOT_MAX_ALIGN can be set accordingly to value
that flash driver uses.
For alignment <= 8 default value provided by mcuboot config
is still used.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
For downgrade prevention it's possible to use build number
for grater control.
So far only Zephyr has this option in Kconfig now
option is also available in mynewt.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
This allows user to enable echo for mcumgr command in serial boot.
Code was enabled in zephyr only so far.
Now mynewt build can also have this feature if enabled.
No code changes just option in mynewt build to enable existing
mcuboot feature.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
Definition of MCUBOOT_SWAP_USING_MOVE in case swap without scratch area
is configured in NuttX was missing from mcuboot_config.h file.
Also necessary function flash_area_sector_from_off() is defined and
declared in order to support swap without scratch.
Signed-off-by: Michal Lenc <michallenc@seznam.cz>
According to the SMP protocol documentation [1], 'image number' value
in 'image upload request' is optional and can be included only in packet
with 'off' (data offset) set to '0' (first packet in upload request).
In one of recent changes (commit 'cb07e888691d'), initialization of the
'img_num' variable was removed which, in extreme case (no image number
provided in upload request), results in use of its uninitialized value
in flash_area_open() call which then might lead to request abort.
This fixes above regression and also makes MCUboot implementation of the
'image upload request' aligned with Zephyr documentation of the protocol
by considering image number only from first (off == 0) 'image upload
request' SMP packet. In addition, 'image number' value is set to '0' if
the request doesn't provide this field.
[1] docs.zephyrproject.org/latest/services/device_mgmt/smp_groups/smp_group_1.html
Fixes: cb07e88869 ("boot_serial: Replace cbor auto-generated code with zcbor functions")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
The 'matched' param in zcbor_map_decode_bulk() function is 'pointer to
the counter of matched keys', not length of payload buffer.
Fixes: fac2cabe98 ("boot_serial: Add image state set/get")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Fixes an issue which was introduced in commit
fac2cabe98 which would show all
images, including those with invalid headers in the output of
images being listed.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This commit reverts the changes to the cap values made in 206b914.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: Ie47c3f253409932b960f4fc12e3b722b000b3093
Currently there's a compile error when building MCUboot
with HW_ROLLBACK_PROT due to a comparison
when decoding the security_cnt fih_int value. In the security_cnt.h
it is stated that this value must be between 0 and UINT32_MAX
so this cast would not cause any undefined behaviour.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: Iee158a31955ff43b73e67a0c08e7a086077b9eb5
Similarly to what has been done for the init function, also
the abort function should return a state in case the caller
needs to implement some error recovery procedure, or even
just for debugging reasons.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I5b8bc8fc2da57cfbc6ddea3f7e95ed7a7ae8e5a9
SHA-256 init functions should return the status of the init
instead of being void. This would allow the callers to implement
proper error recovery, otherwise on error the SHA-256 operation
will enter an undefined behaviour.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I162ceb8e6dc90dc3c6b83c8a85fbd17b41c0b5d6
A couple of typos in comments for the newly added RSA modules
need to be assessed.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: Ia06529adb81215fad796895d7b412b35717b6d65
image_index should be added to additional prints as noted
during the original PR review.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I2e456f05ee4ccb372aeab564f7f388bc2fd564e5
The crypto/common.h header checks for MBEDTLS_VERSION_NUMBER
value but it needs to include mbedtls/version.h first
otherwise it won't return a reliable check.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: Ice12fe26bb24fd98c09c4adfe001b5274cee555c
This patch adds a dedicated crypto backend based on PSA Crypto APIs to
implement SHA-256 operations. The enabling of the backend is controlled
by the MCUBOOT_USE_PSA_CRYPTO define.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I6065f7fccb483eda54f0190457f33aa89c6a0796
This patch refactor the RSA operations done by the signature verification
module and by the encrypted images decryption module. Previous solution is
tightly coupled with Mbed TLS, while this patch provides an abstraction of
the RSA functionalities in a dedicated crypto abstraction header, crypto/rsa.h
that supports both Mbed TLS APIs and PSA Crypto APIs. In case of PSA Crypto,
the verification scheme is directly provided by the crypto backend hence it
simplifies the operations done in the image verification module.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I973bc3374b62eee2d7717c2368bce7611d37a0c8
Add the image_index to common prints that get repeated in the
print out logging so that it helps differentiate the information
conveyed by the print.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I560b0f76d879e4bd5f82ef65e845fe5c80585c97
Adds a file which contains the current MCUboot code version, which
can be used by Zephyr builds.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Adds optional image state set/get functionality to serial recovery
mode which allows for listing image states and marking images to
be tested or as confirmed.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fix usage of zcbor_new_encode_state API, to correctly pass the payload
length. The previous usage was passing a pointer to the end of the
payload, which resulted in the ZCBOR structure being initialized with
an invalid `payload_end` field. On some platforms, this breaks MCUBoot
serial recovery, as the ZCBOR structures required to send response data
are invalid and can no longer be populated with response data.
Signed-off-by: Daniel DeGrasse <daniel.degrasse@nxp.com>
Replaces the auto-generated decoding/encoding files with inline code
for encoding/decoding cbor data structures, this adds the benefit of
allowing the elements to be in any order and reduces code size. To
accommodate this, zcbor_bulk has been imported from Zephyr.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fix a local variable name typo in parse public key function
for the PSA Crypto abstraction, and at the same time put the
memcmp under ifdefs.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: Icadca37e4207ad703a853ea720a053aa2ba76411
The IMAGE_TLV_ECDSA256 TLV has been put out of use by
commit 63d2346da4.
This commit reverts this part of that patch and at the
same time it extends the usage of this TLV to cover all types
of curves (replacing the newly introduced 0x25 TLV type)
while retaining its value (0x22) for backward compatibility.
Rename IMAGE_TLV_ECDSA256 to IMAGE_TLV_ECDSA_SIG.
Change-Id: I904f292db775c38f26a5e9a87c5f414165efc173
Signed-off-by: David Vincze <david.vincze@arm.com>