Prevents enabling the option to save encrypted TLVs if encryption
support is not enabled, as it is required to make use of this
functionality.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Adds MCUboot's estimated overhead footer size to the application's
cache when using sysbuild, this allows that information to be
propagated to applications which can use the information to reduce
the available size for an application, preventing the MCUboot
error of image too large to swap.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Add support for ESP32xx_luatos_core targets to build
as Zephyr application.
This target is simular to esp32 devkitm,
copy conf file from esp32xx_devkitm
Signed-off-by: YuLong Yao <feilongphone@gmail.com>
The static declaration of 'led0' was moved to 'io.c' which broke
building with the 'MCUBOOT_INDICATION_LED' enabled:
mcuboot/boot/zephyr/main.c:380:22: error:
'led0' undeclared (first use in this function)
380 | gpio_pin_set_dt(&led0, 1);
| ^~~~
This adds simple function 'io_led_set()' for changing LED's value.
Fixes: 433b8480 ("zephyr: Move IO functions out of main to separate file")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This fixes below error when building with 'MCUBOOT_INDICATION_LED' and
'LOG' enabled:
In file included from zephyr/include/zephyr/logging/log.h:11,
from zephyr/include/zephyr/usb/usb_device.h:43,
from bootloader/mcuboot/boot/zephyr/io.c:26:
mcuboot/boot/zephyr/io.c: In function 'io_led_init':
zephyr/include/zephyr/logging/log_core.h:151:20: error:
'__log_level' undeclared (first use in this function)
151 | (_level <= __log_level) && \
| ^~~~~~~~~~~
Fixes: 433b8480 ("zephyr: Move IO functions out of main to separate file")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This fixes below warning when building with 'MCUBOOT_INDICATION_LED'
enabled:
mcuboot/boot/zephyr/main.c:410:5:
warning: implicit declaration of function 'led_init';
did you mean 'io_led_init'? [-Wimplicit-function-declaration]
410 | led_init();
| ^~~~~~~~
| io_led_init
Fixes: 433b8480 ("zephyr: Move IO functions out of main to separate file")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Adds a new operation style in which the secondary slot has an
image which is used to update the primary image only.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fixes an issue whereby MCUboot is configured in single application
slot mode with serial recovery with encryption and an encrypted
image has been loaded, if valid this will have been decrypted, so
should not be treated as encrypted
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Prevents an issue which occurs when the MCUboot configuration is
changed which then selects multiple conflicting symbols
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fixes an issue whereby when an echo command is sent in serial
recovery mode, if it is disabled, there would just be no response
at all, which is invalid operation
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fixes USB configurations so that they build out of the box, this
previously falsely built successfully but would not run
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Adds a build failure if the main thread priority is not preemptible
and USB CDC ACM serial recovery is used, this is because if this is
the case, USB events will never be able to be processed and serial
recovery cannot ever enumerate
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This prevents MCUboot from successfully building if console and
serial recovery (USB CDC) are both enabled and they both point to
the same device
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
- Assert should be checked only for SWAP update modes.
- Allow platforms with page size >32 Bytes (e.g. LPC) to use
MCUBoot, at least for non-SWAP update modes.
Signed-off-by: Andrej Butok <andrey.butok@nxp.com>
This allows for out-of-tree modules to define their own boot serial
functions by using iterable sections.
Note that this also removes the custom img list command, which was
not used in-tree.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Adds support for sharing the direct-XIP MCUboot mode with revert
to applications using shared data
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Adds the ability to share mcuboot configuration with the
application using Zephyr's retention subsystem.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This fixes a build error when PSA Crypto API is being used
as it has no need for bootutil_import_key but it's included
currently since it's allowed to have both Mbed TLS and PSA defined.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: If38d3011fc4fa2d317f8be65df9e231d7d57dcbf
Adjust secure boot and flash encryption after IDF v5.x updates.
It also allows to enable secure boot on ESP32-C2.
Signed-off-by: Almir Okato <almir.okato@espressif.com>
Fixes 2 issues, one whereby multiple slots were checked despite
operating in single slot mode, and another whereby decrypted
images would not appear on serial recovery image listing, due
to assuming that the images were still encrypted.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fixes an issue whereby multiple commands are received and some
are still being processed. This generally arises when a response
takes a long time (e.g. when image decryption is required),
duplicate commands will now send multiple responses but avoids
the bug of future commands being sent to which previous responses
are received.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Currently all the hashing functionality is done with SHA256
but if we would like to use ECDSA-P384 that requires SHA384
as the hashing algorithm, but MCUboot is using SHA256
for image hashing and public key hashing. This commit modifies
the hashing operations to use SHA384 thus SHA256 can be omitted
which is beneficial from a code size standpoint.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: I59230f76f88e0b42ad6383b2c9b71b73f33d7dd7
Fixes an include which is needed for multiple options by just
always including it, and fixing the path so it can be included.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Make MINIMAL_LIBC as default for MCUboot app build instead
of picolibc. Footprint is lower and no need to
MULTLTHREADING enabled for SoC build.
Signed-off-by: Sylvio Alves <sylvio.alves@espressif.com>
This adds support for indication LED option (MCUBOOT_INDICATION_LED) in
the timeout based recovery. Configured LED will be enabled when entering
the recovery and disabled after selected timeout (if no mcumgr command
was received).
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Fixes building the bootloader with serial recovery mode and boot
serial extensions enabled due to changes in Zephyr's MCUmgr file
and naming changes.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
CMSIS glue code is now provided by the CMSIS Zephyr module in
<cmsis_core.h>. Header is generic for M/A/R.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
The commit moves the flash_area_id_to_image to section compiled
only when not in DirectXIP mode, to prevent warnings about unused
static functions.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The commit adds DirectXIP version of bootutil boot_set_next
function.
The function is enabled by configuration option:
MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Builds in the default zephyr mode (optimised for size) which
saves about 6KiB of flash on a default nrf52840dk build.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fixes issues whereby encrypted images were not properly listed due
to not treating them as encrypted, also removes a piece of wrong
hack code that would never run as the primary slot cannot be
encrypted.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Improves the Kconfig layout for encrypted image support and allows
using key files instead of just using a pre-defined, insecure dummy
key.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Downgrade prevention check moved to secure both TEST
and PERMANENT upgrade modes. Downgrade can still be
performed during REVERT.
Signed-off-by: Michael Grand <m.grand@trustngo.tech>
This allows the currently executing slot number to be checked by
the external function, which can be used by XIP images to know
which slot is currently being executed from to allow for correct
uploading/positioning of firmware files, and also provides the
maximum size of an upgrade that can be loaded so that applications
can reject images that are too large.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
The function was incorrectly identifying partition of secondary slot
of image 0 as belonging to image 1, at the same time failing to
identify partition of primary slot of image 1.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The commit fixes boot_set_next always passing image 0 to
boot_write_swap_info, instead of the proper image number.
This has been affecting applications that tried to call boot_set_next
in multi-image MCUboot configuration using scratch-swap algorithm.
Fixes#1762
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Function flash_area_sector_from_off is replaced with newly used
flash_area_get_sector to cope with calls in bootutil_misc.c file.
This is required for CONFIG_MCUBOOT_SWAP_USING_MOVE to work correctly.
Signed-off-by: Michal Lenc <michallenc@seznam.cz>
Adds missing fields which were wrongly treated as part of the
operation value, which they were not, and adds a big/little
endian check.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This is a follow-up on upstream Zephyr split from `esp32` to distinct
esp32_devkitc_wroom and esp32_devkitc_wrover (see [1] and [2]).
[1] https://github.com/zephyrproject-rtos/zephyr/pull/58454
[2] 3776402f40
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Typecasting pointer variables to uint32_t
instead of uintptr_t was causing build error
on 64-bit architecture.
This is useful, because I am currently working
on implementing support for 64-bit native target
in Apache Mynewt. There is unit test for boot_serial
and it cannot be compiled without this changes.
Signed-off-by: Michal Gorecki <michal.gorecki@codecoup.pl>
Fixes an issue with missing packed attributes on image.h's
structures which would lead to faults on some devices e.g. ARM
Cortex M0, and adds a define for the SHA256 hash size.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Remove the ESP-IDF from git submodules to avoid potential
duplicated repo clones on the user system. IDF HAL code is still
a dependency for Espressif port, therefore now the HAL code
reference needs to be passed by parameter when building.
The Espressif port was also updated to work with last v5.1 IDF
code.
Signed-off-by: Almir Okato <almir.okato@espressif.com>
In same cases (loging, hash, crypto) main function called
newt tool generated sysinit() function to create
uart device and crypto.
Now user can specify that sysinit should be called for
other cases if needed. This can be useful if some other
package should be included in the build and it has
package initialization function.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
For MCUs with restriction on minimum write size (STM32H7)
unaligned writes resulted in flash write errors preventing
any sort of update.
Now MCUBOOT_BOOT_MAX_ALIGN can be set accordingly to value
that flash driver uses.
For alignment <= 8 default value provided by mcuboot config
is still used.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
For downgrade prevention it's possible to use build number
for grater control.
So far only Zephyr has this option in Kconfig now
option is also available in mynewt.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
This allows user to enable echo for mcumgr command in serial boot.
Code was enabled in zephyr only so far.
Now mynewt build can also have this feature if enabled.
No code changes just option in mynewt build to enable existing
mcuboot feature.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
Definition of MCUBOOT_SWAP_USING_MOVE in case swap without scratch area
is configured in NuttX was missing from mcuboot_config.h file.
Also necessary function flash_area_sector_from_off() is defined and
declared in order to support swap without scratch.
Signed-off-by: Michal Lenc <michallenc@seznam.cz>
According to the SMP protocol documentation [1], 'image number' value
in 'image upload request' is optional and can be included only in packet
with 'off' (data offset) set to '0' (first packet in upload request).
In one of recent changes (commit 'cb07e888691d'), initialization of the
'img_num' variable was removed which, in extreme case (no image number
provided in upload request), results in use of its uninitialized value
in flash_area_open() call which then might lead to request abort.
This fixes above regression and also makes MCUboot implementation of the
'image upload request' aligned with Zephyr documentation of the protocol
by considering image number only from first (off == 0) 'image upload
request' SMP packet. In addition, 'image number' value is set to '0' if
the request doesn't provide this field.
[1] docs.zephyrproject.org/latest/services/device_mgmt/smp_groups/smp_group_1.html
Fixes: cb07e88869 ("boot_serial: Replace cbor auto-generated code with zcbor functions")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
The 'matched' param in zcbor_map_decode_bulk() function is 'pointer to
the counter of matched keys', not length of payload buffer.
Fixes: fac2cabe98 ("boot_serial: Add image state set/get")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Fixes an issue which was introduced in commit
fac2cabe98 which would show all
images, including those with invalid headers in the output of
images being listed.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This commit reverts the changes to the cap values made in 206b914.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: Ie47c3f253409932b960f4fc12e3b722b000b3093
Currently there's a compile error when building MCUboot
with HW_ROLLBACK_PROT due to a comparison
when decoding the security_cnt fih_int value. In the security_cnt.h
it is stated that this value must be between 0 and UINT32_MAX
so this cast would not cause any undefined behaviour.
Signed-off-by: Roland Mikhel <roland.mikhel@arm.com>
Change-Id: Iee158a31955ff43b73e67a0c08e7a086077b9eb5
Similarly to what has been done for the init function, also
the abort function should return a state in case the caller
needs to implement some error recovery procedure, or even
just for debugging reasons.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I5b8bc8fc2da57cfbc6ddea3f7e95ed7a7ae8e5a9
SHA-256 init functions should return the status of the init
instead of being void. This would allow the callers to implement
proper error recovery, otherwise on error the SHA-256 operation
will enter an undefined behaviour.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I162ceb8e6dc90dc3c6b83c8a85fbd17b41c0b5d6
A couple of typos in comments for the newly added RSA modules
need to be assessed.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: Ia06529adb81215fad796895d7b412b35717b6d65
image_index should be added to additional prints as noted
during the original PR review.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I2e456f05ee4ccb372aeab564f7f388bc2fd564e5
The crypto/common.h header checks for MBEDTLS_VERSION_NUMBER
value but it needs to include mbedtls/version.h first
otherwise it won't return a reliable check.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: Ice12fe26bb24fd98c09c4adfe001b5274cee555c
This patch adds a dedicated crypto backend based on PSA Crypto APIs to
implement SHA-256 operations. The enabling of the backend is controlled
by the MCUBOOT_USE_PSA_CRYPTO define.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I6065f7fccb483eda54f0190457f33aa89c6a0796
This patch refactor the RSA operations done by the signature verification
module and by the encrypted images decryption module. Previous solution is
tightly coupled with Mbed TLS, while this patch provides an abstraction of
the RSA functionalities in a dedicated crypto abstraction header, crypto/rsa.h
that supports both Mbed TLS APIs and PSA Crypto APIs. In case of PSA Crypto,
the verification scheme is directly provided by the crypto backend hence it
simplifies the operations done in the image verification module.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I973bc3374b62eee2d7717c2368bce7611d37a0c8
Add the image_index to common prints that get repeated in the
print out logging so that it helps differentiate the information
conveyed by the print.
Signed-off-by: Antonio de Angelis <Antonio.deAngelis@arm.com>
Change-Id: I560b0f76d879e4bd5f82ef65e845fe5c80585c97