When hooks are enabled then boot_reset_request_hook will be
called to check whether it is allowed to reset a device.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Returned values are now hardcoded. Indeed, while it is not
strictly needed (few return values different from SUCCESS
or FAILURE) complexity added by encoding return values might
cause the software to be vulnerable to fault attacks.
Return type changed from fih_int to fih_ret to make
the whole thing much simpler and therefore more robust
to fault attacks. In addition, it's easier to predict
compiler behavior.
Affectation of sensitive variables has been hardened using macro
FIH_SET (affectation + check whether write access has been properly
done). FIH_DECLARE() is added to ease the declaration of sensitive
variables.
Equality tests fih_eq() and fih_not_eq() are now macros because
inlining produces more complex code (and weaker) than macros.
In addition fih_not_eq is modified to be the negation of fih_eq
which was not the case until now.
When FIH_NOT_EQ is used, FIH_SET(fih_rc, FIH_FAILURE) has been added
in some parts of the code.
Variable image_mask (bootutil_priv.h) is now volatile because a
double IF test is made on it.
Some other parts of the code have been hardened (e.g. loop on images).
Signed-off-by: Michael Grand <m.grand@trustngo.tech>
Fixes a bug when writing to devices which have memory alignment
requirements with data being used directly from a zcbor-response
whereby the alignment of the buffer data does not meet the
requirements of the flash driver.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
There are 3 levels of buffers and only the first one seems to be
configurable, this fixes that issue.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fixes an issue whereby rc is a signed variable but is returned as
an unsigned variable in the zcbor functions.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This adds a short explanation (in the form of a comment) why the CPU shouldn't
enter idle state in timeout based serial recovery.
Ref: 3942e9bf8f ("boot_serial: fix serial recovery mode with timeout")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
If 'BOOT_SERIAL_WAIT_FOR_DFU' is selected, the CPU shouldn't enter idle
state, waiting for interrupt from the console because we expect booting
if no mcumgr command is received within a configured timeout (with the
'CONFIG_BOOT_SERIAL_WAIT_FOR_DFU_TIMEOUT').
Without this fix, when using 'BOOT_SERIAL_WAIT_FOR_DFU' the boot process
hangs forever, waiting for input from console.
Fixes: e3822f8180 ("boot_serial: zephyr: Add optional timeout to enter serial recovery")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
The `BOOT_LOG_INF` function, which uses the format specifiers defined
by the C standard, was incorrectly printing a variable with the type of
`off_t` using the `%x` format specifier, which is intended to be used
with the `int` type.
The `off_t` type, specified by the POSIX standard, is not guaranteed to
be `int`, and it may be defined as `long` or `long long` depending on
the toolchain and the target architecture.
This commit updates the print routine such that it casts the arguments
of the `off_t` type to `intmax_t` and prints them out using the
corresponding `%jx` format specifier.
Signed-off-by: Stephanos Ioannidis <root@stephanos.io>
Add relevant "zephyr/" prefixes to allow building with the Zephyr
option CONFIG_LEGACY_INCLUDE_PATH=n.
Signed-off-by: Fabio Baltieri <fabiobaltieri@google.com>
Add the serial adapter for ESP32 for boot recovery and MCUMGR
communication.
Signed-off-by: Almir Okato <almir.okato@espressif.com>
espressif: Configure console via bootloader_support functions
Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
repos/mcuboot/boot/boot_serial/test/src/testcases/
boot_serial_upload_bigger_image.c: In function
‘TEST_CASE_boot_serial_upload_bigger_image’:
repos/mcuboot/boot/boot_serial/test/src/testcases/
boot_serial_upload_bigger_image.c:91:42: error:
‘Value8Bit’ undeclared (first use in this function)
91 | buf[payload_off + len - 2] = Value8Bit;
| ^~~~~~~~~
Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
The progressive erase and non-progressive erase code has been
refactored; some additional comments have been added to logic.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Types of a few variables have been changed to more align with
what they represent; variables have been renamed to make their
purpose more clear.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Move formatting of version string to use snprintf, which Zephyr
provides, instead of defining a utility function for that purpose.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
cddl-gen has been renamed to zcbor.
Update regenerate_serial_recovery_cbor.sh and regenerate/recopy all
files.
Remove the submodule in ext/ since it is no longer necessary when
the zcbor package is installed (only needed for regeneration, not
for building).
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
In case when echo string would be too long to fit into buffer,
there would be no space left for container termination.
Due to lack of error checking such non-terminated container would
be sent out, where error response should be sent out instead.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The buf buffer set to collect total console payload consisting
of total size (two bytes), SMP header (eight bytes), data payload
(bs_obuf, BOOT_SERIAL_OUT_MAX) and CRC (two bytes), prior to base64
encoding has been set to size of BOOT_SERIAL_OUT_MAX.
This means that if output data len, in bs_obuf, would be longer than
BOOT_SERIAL_OUT_MAX - 8 - 2 - 2, then composing of the output buffer
would overflow.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
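The sizing problem described in the commit message above, shown as an added example that is not MCUboot code: a frame composer that checks the 2 + 8 + payload + 2 layout against the destination capacity before writing anything. `OUT_MAX`, `frame_compose` and the CRC-16/XMODEM variant are assumptions made for illustration, as is the size field counting header, payload and CRC.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OUT_MAX   64u   /* hypothetical stand-in for BOOT_SERIAL_OUT_MAX */
#define LEN_SZ    2u    /* total size field */
#define HDR_SZ    8u    /* SMP header */
#define CRC_SZ    2u    /* CRC */
#define OVERHEAD  (LEN_SZ + HDR_SZ + CRC_SZ)
#define FRAME_MAX (OVERHEAD + OUT_MAX)  /* buffer size that holds a full payload */

/* CRC-16/XMODEM (poly 0x1021, init 0); the variant is assumed for this example. */
static uint16_t crc16(const uint8_t *p, size_t n)
{
    uint16_t crc = 0;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++) {
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u)
                                  : (uint16_t)(crc << 1);
        }
    }
    return crc;
}

/* Compose size | header | payload | CRC into out.
 * Returns the frame length, or -1 (nothing written) if it would not fit. */
int frame_compose(uint8_t *out, size_t out_cap, const uint8_t hdr[HDR_SZ],
                  const uint8_t *payload, size_t payload_len)
{
    /* Compare against the remaining capacity so the subtraction cannot wrap. */
    if (out_cap < OVERHEAD || payload_len > out_cap - OVERHEAD) {
        return -1;
    }
    if (payload_len > 0xFFFFu - HDR_SZ - CRC_SZ) {
        return -1;                      /* size field is only two bytes */
    }
    size_t body = HDR_SZ + payload_len; /* bytes covered by the CRC */
    size_t total = body + CRC_SZ;       /* value of the size field (assumed) */
    out[0] = (uint8_t)(total >> 8);
    out[1] = (uint8_t)total;
    memcpy(out + LEN_SZ, hdr, HDR_SZ);
    if (payload_len != 0) {
        memcpy(out + LEN_SZ + HDR_SZ, payload, payload_len);
    }
    uint16_t crc = crc16(out + LEN_SZ, body);
    out[LEN_SZ + body] = (uint8_t)(crc >> 8);
    out[LEN_SZ + body + 1] = (uint8_t)crc;
    return (int)(LEN_SZ + total);
}
```

With a destination of only `OUT_MAX` bytes, the largest payload that fits is `OUT_MAX - 8 - 2 - 2`; a destination of `FRAME_MAX` bytes accepts a full `OUT_MAX` payload.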
This PR adds the possibility to only enter the bootloader's
serial recovery mode when a mcumgr command is received within a
given timeout.
Signed-off-by: Wouter Cappelle <wouter.cappelle@crodeon.com>
Calculation of BOOT_SERIAL_OUT_MAX was based on MCUBOOT_IMAGE_NUMBER
while in other places BOOT_IMAGE_NUMBER is taken into account as
number of images. Let's align the calculation to use same literal value
as others.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The commit replaces bs_emtpy_rsp with bs_rc_rsp that responds with
mcumgr rc code after completing command or with MGMT_ERR_ENOTSUP,
when command is not supported.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The commit fixes compilation error when attempting to build
support for single application slot with serial recovery enabled.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Change increases BOOT_SERIAL_OUT_MAX. This is necessary to provide
complete image list when multi-image DFU is enabled and four image
slots are occupied.
Signed-off-by: Marek Pieta <Marek.Pieta@nordicsemi.no>
Added hook for: read image header, validate the image and hook
which is called after image was uploaded completely.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Change fixes encoding data length and adds support for big endian
byte ordering. According to specification, data length can be
encoded either on 1, 2, 4 or 8 bytes.
Signed-off-by: Marek Pieta <Marek.Pieta@nordicsemi.no>
The commit modifies mcumgr group processing in boot_serial_input
to allow catching any group that has not been processed by user
provided function.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The "MCUBOOT_LOG_MODULE_(DECLARE|REGISTER)" macros should have a name
coherent with the rest of the logs macros, i.e. "BOOT_LOG_*". Also,
"bootutil_log.h" should define them as empty when the logs are disabled and
as "MCUBOOT_LOG_MODULE_*" when they are not.
With this change, the mcuboot user doesn't have to define
MCUBOOT_LOG_MODULE_* macros if the logs aren't going to be used.
Signed-off-by: Carlos Falgueras García <carlos.falgueras@wslw.es>
The code switches conditional compilation of progressive erase
code from Zephyr specific CONFIG_ option to more platform
agnostic MCUBOOT_ERASE_PROGRESSIVELY.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The commit provides support for "image" parameter in mcumgr image
update frame, that is used to select image number to be updated;
for the purpose, the option MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD
that enables the feature.
A platform that enables the feature needs to provide an implementation
of the flash_area_id_from_direct_image function that will match
the image number to flash area to upload to.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The commit adds optional processing of MGMT_GROUP_ID_PERUSER,
as defined by mcumgr library, and above; the processing requires
systems to provide own functions as these groups are system
specific.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The commit changes direct access to flash_area, and flash_structure,
objects via field names to access via getter functions.
Purpose of this change is to make common code agnostic to internal
implementation of flash_area, and flash_sector, objects.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Since Zephyr https://github.com/zephyrproject-rtos/zephyr/pull/34279
was merged there is no silent idle thread created automatically while
CONFIG_MULTITHREADING=n. Since that any single thread application
needs to call k_cpu_idle() (wrapped by MCUBOOT_CPU_IDLE)
by itself for entering idle mode, which allows for reduction
of power consumption.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Non-generated. Using cbor_encode directly
This removes the dependence on TinyCBOR.
Fixes #978
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>