Commit Graph

703 Commits

Author SHA1 Message Date
Bohdan Kovalchuk de51807249 Cypress: add encryption with mbedTLS
Signed-off-by: Bohdan Kovalchuk <bohd@cypress.com>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@infineon.com>
2021-03-16 21:38:06 -03:00
Bohdan Kovalchuk 25c7a0f475 Bootutil/Crypto: add encryption with mbedTLS
Signed-off-by: Bohdan Kovalchuk <bohd@cypress.com>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@infineon.com>
2021-03-16 21:38:06 -03:00
Josh Gao 837cf88f35 zephyr: add an option to use GPIO to enable USB DFU.
Devices with a physical reset button might prefer to use it to enter USB
DFU mode, instead of always entering it with a timeout. Extract the
existing CONFIG_BOOT_SERIAL_DETECT detection code and use it to enter
DFU mode when CONFIG_BOOT_USB_DFU_GPIO is enabled.

This commit depends on zephyrproject-rtos/zephyr#30015, which changes
wait_for_usb_dfu from a nullary function that waits for a compile-time
fixed amount of time, to one that takes a timeout.

Signed-off-by: Josh Gao <josh@jmgao.dev>
2021-03-16 12:48:41 -06:00
Roman Okhrimenko 895300103d cypress: Align cypress mbedtls hw accel implementation with bootutil update
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@infineon.com>
2021-03-12 14:17:28 -07:00
Roman Okhrimenko 2f045a252e bootutil: Align mbedtls_ecdsa signature verification with cypress mbedtls hw accel implementation
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@infineon.com>
2021-03-12 14:17:28 -07:00
Dominik Ermel 5b7ed6a831 boot: zephyr: Fix compilation warnings with ZEPHYR_LOG_MODE_MINIMAL
The commit fixes definition and usage of ZEPHYR_LOG_MODE_MINIMAL
to prevent compilation warnings on possibly non-portable code.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
2021-03-01 09:32:15 +01:00
David Brown 641af4530c boot: Support Mbed TLS ECDSA for signatures
Add Mbed TLS ECDSA signature verification as an option (in addition to
Tinycrypt and the CC310 hardware version).  Although the Mbed TLS ECDSA
verification code is both larger and slower, this will still save space
if the Mbed TLS code is already being brought in for another reason
(such as certificate management, for example).

Mbed TLS's ECDSA verification works at a different level than the other
two libraries, so this takes a bit of reworking.  There are some
additional parameters passed to the various functions, and a new define
MCUBOOT_ECDSA_NEED_ASN1_SIG to indicate that the ecdsa verification
wants the original ASN1 signature, not a decoded key.

This adds the boot changes and simulator support to test this configuration.

Signed-off-by: David Brown <david.brown@linaro.org>
2021-02-23 10:29:31 -07:00
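The commit above distinguishes backends that want the original ASN.1 (DER) signature from those that want the decoded coordinates. The following is an added example, not MCUboot's or Mbed TLS's code, of the conversion a raw-coordinate backend needs: a strict DER `SEQUENCE { INTEGER r, INTEGER s }` decoder that emits fixed-width big-endian r||s. It handles short-form lengths only (sufficient for P-256) and rejects negative integers, non-minimal zero padding and trailing bytes; the test vectors at the bottom are constructed, not real signatures.

```c
/* Added example (not MCUboot's own code): convert a DER-encoded ECDSA
 * signature, SEQUENCE { INTEGER r, INTEGER s }, into fixed-width big-endian
 * r||s, the form that raw-coordinate verifiers such as Tinycrypt consume,
 * while an Mbed TLS style backend would take the DER bytes unchanged. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parse one INTEGER at *p and store its magnitude right-aligned in out[n]. */
static int der_get_integer(const uint8_t **p, const uint8_t *end,
                           uint8_t *out, size_t n)
{
    const uint8_t *q = *p;
    size_t len;

    if (end - q < 2 || q[0] != 0x02) return -1;               /* INTEGER tag */
    len = q[1];
    if (len == 0 || len > 0x7f) return -1;                    /* short form only */
    q += 2;
    if ((size_t)(end - q) < len) return -1;                   /* truncated */
    if (q[0] & 0x80) return -1;                               /* negative: never valid */
    if (len > 1 && q[0] == 0x00 && !(q[1] & 0x80)) return -1; /* non-minimal zero pad */
    if (q[0] == 0x00) { q++; len--; }                         /* drop sign-padding byte */
    if (len > n) return -1;                                   /* does not fit the curve */
    memset(out, 0, n);
    memcpy(out + (n - len), q, len);                          /* left-pad with zeros */
    *p = q + len;
    return 0;
}

/* Returns 0 and fills raw[2*coord_len] on success, -1 on malformed input. */
int ecdsa_sig_der_to_raw(const uint8_t *der, size_t der_len,
                         uint8_t *raw, size_t coord_len)
{
    const uint8_t *p = der, *end = der + der_len;

    if (der_len < 2 || p[0] != 0x30) return -1;               /* SEQUENCE tag */
    if (p[1] > 0x7f || (size_t)p[1] != der_len - 2) return -1; /* length must match exactly */
    p += 2;
    if (der_get_integer(&p, end, raw, coord_len) != 0) return -1;
    if (der_get_integer(&p, end, raw + coord_len, coord_len) != 0) return -1;
    return (p == end) ? 0 : -1;
}

/* Constructed test vectors (tiny r/s values for readability, not real signatures). */
static const uint8_t sig_ok[]         = { 0x30,0x07, 0x02,0x02,0x00,0xff, 0x02,0x01,0x7f };
static const uint8_t sig_negative[]   = { 0x30,0x06, 0x02,0x01,0x80,      0x02,0x01,0x01 };
static const uint8_t sig_nonminimal[] = { 0x30,0x07, 0x02,0x02,0x00,0x01, 0x02,0x01,0x01 };
static const uint8_t sig_trailing[]   = { 0x30,0x07, 0x02,0x02,0x00,0xff, 0x02,0x01,0x7f, 0x00 };
static uint8_t raw_sig[64];                                   /* r||s for P-256 */

int main(void)
{
    int rc = ecdsa_sig_der_to_raw(sig_ok, sizeof sig_ok, raw_sig, 32);
    printf("ok vector: rc=%d r[31]=0x%02x s[31]=0x%02x\n", rc, raw_sig[31], raw_sig[63]);
    printf("negative: %d  nonminimal: %d  trailing: %d\n",
           ecdsa_sig_der_to_raw(sig_negative, sizeof sig_negative, raw_sig, 32),
           ecdsa_sig_der_to_raw(sig_nonminimal, sizeof sig_nonminimal, raw_sig, 32),
           ecdsa_sig_der_to_raw(sig_trailing, sizeof sig_trailing, raw_sig, 32));
    return rc;
}
```

Rejecting trailing bytes and non-minimal encodings matters in a bootloader: a lax decoder lets several byte strings map to the same (r, s), which defeats any check that hashes or compares the signature TLV bytes themselves.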
Dominik Ermel 0c8c8d5325 boot: Direct-XIP: Add check for IMAGE_F_ROM_FIXED flag
The commit adds logic that checks whether an image that has the IMAGE_F_ROM_FIXED
flag set, together with the proper address in its header, has not been mismatched
with its slot.
This code will prevent attempting to boot an image that has been built for a
different ROM address than the slot it currently resides in.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
2021-02-20 07:12:11 -03:00
Dominik Ermel 9590b42c48 boot: Add IMAGE_F_ROM_FIXED flag support to mcuboot
The IMAGE_F_ROM_FIXED flag, now supported by imgtool and mcumgr, allows
image_header.ih_load_addr to be used to store fixed ROM address information.
The address is provided so that Direct-XIP mcuboot is able to verify
whether it can boot an image in a given slot, by checking whether the address
the image has been built for corresponds to the slot address.
This flag is not required to be set within an image, in which case
the check will not happen, but it is highly desirable as it allows mcuboot
to detect images that have been mismatched with a slot.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
2021-02-20 07:12:11 -03:00
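The two commits above (the IMAGE_F_ROM_FIXED flag and the Direct-XIP check that uses it) describe a small but important consistency rule. The following is an added example, not MCUboot's code: the header field order, the magic and the flag value follow MCUboot's image.h as this editor recalls them and are assumptions, as are the slot addresses. The candidate walk is simplified (first acceptable slot wins; real selection also compares versions).

```c
/* Added example (not MCUboot's own code): the IMAGE_F_ROM_FIXED consistency check
 * for Direct-XIP. Header layout, magic and flag value are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define IMAGE_MAGIC        0x96f3b83dU   /* assumed header magic */
#define IMAGE_F_ROM_FIXED  0x00000100U   /* assumed flag value */

struct image_header {
    uint32_t ih_magic;
    uint32_t ih_load_addr;        /* ROM address the image was linked for, when ROM_FIXED */
    uint16_t ih_hdr_size;
    uint16_t ih_protect_tlv_size;
    uint32_t ih_img_size;
    uint32_t ih_flags;
};

enum rom_fixed_result { ROM_FIXED_NOT_SET, ROM_FIXED_MATCH, ROM_FIXED_MISMATCH };

/* slot_addr: absolute flash address of the slot start (the flash area's offset). */
enum rom_fixed_result check_rom_fixed(const struct image_header *hdr, uint32_t slot_addr)
{
    if (!(hdr->ih_flags & IMAGE_F_ROM_FIXED)) {
        return ROM_FIXED_NOT_SET;       /* flag absent: nothing to compare, check skipped */
    }
    return (hdr->ih_load_addr == slot_addr) ? ROM_FIXED_MATCH : ROM_FIXED_MISMATCH;
}

/* Simplified Direct-XIP candidate walk: the first slot holding a header with a
 * good magic that passes (or does not request) the ROM_FIXED check wins. */
int pick_bootable_slot(const struct image_header hdrs[2], const uint32_t slot_addr[2])
{
    for (int i = 0; i < 2; i++) {
        if (hdrs[i].ih_magic != IMAGE_MAGIC) {
            continue;                   /* empty or corrupt slot */
        }
        if (check_rom_fixed(&hdrs[i], slot_addr[i]) == ROM_FIXED_MISMATCH) {
            printf("slot %d: image built for 0x%08x but slot starts at 0x%08x, skipping\n",
                   i, (unsigned)hdrs[i].ih_load_addr, (unsigned)slot_addr[i]);
            continue;
        }
        return i;
    }
    return -1;                          /* nothing bootable */
}

/* Constructed layout: two 232 KiB slots at 0x0000C000 and 0x00046000 (assumed). */
static const uint32_t slot_base[2] = { 0x0000C000U, 0x00046000U };

/* The same image, linked for slot 1, programmed into both slots: only slot 1 may boot. */
static const struct image_header demo_slots[2] = {
    { IMAGE_MAGIC, 0x00046000U, 32, 0, 0x10000, IMAGE_F_ROM_FIXED },
    { IMAGE_MAGIC, 0x00046000U, 32, 0, 0x10000, IMAGE_F_ROM_FIXED },
};
/* Image without the flag: no check possible, accepted as before. */
static const struct image_header img_unflagged = { IMAGE_MAGIC, 0, 32, 0, 0x10000, 0 };

int main(void)
{
    int slot = pick_bootable_slot(demo_slots, slot_base);
    printf("booting slot %d\n", slot);  /* 1: slot 0 holds a copy linked for the other address */
    return slot == 1 ? 0 : 1;
}
```

Note what the check does not do: an unflagged image (`img_unflagged`) is accepted without any address comparison, which is why the commit message calls the flag "highly desirable" rather than mandatory.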
Dominik Ermel aee3be969e boot: Order IMAGE_F_* flags definitions
Little cleanup.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
2021-02-20 07:12:11 -03:00
Dominik Ermel cd07ed3b97 boot/zephyr: Fix Direct-XIP boot messages
The commit changes the banner message to indicate that the bootloader has been
built for Direct-XIP mode.
It also removes, in Direct-XIP compiled code, the information on jumping
into the first slot: that information is not always correct for Direct-XIP,
and other messages correctly point to the slot that will be used.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
2021-02-19 08:23:00 -03:00
Jared Wolff df8e974ce8 boot: zephyr: adding indication LED and detect pin debounce
Setting LED to initial level before beginning.
Making comment about BOOT_SERIAL_DETECT_DELAY more clear in Kconfig.

Signed-off-by: Jared Wolff <hello@jaredwolff.com>
2021-02-08 19:42:07 +01:00
Jared Wolff 8e4d791839 boot: zephyr: adding indication LED and detect pin debounce
Add LED support and boot delay serial detect pin operation.

Signed-off-by: Jared Wolff <hello@jaredwolff.com>
2021-02-08 19:42:07 +01:00
Andrzej Puzdrowski 360763d80b bootutil/includes/enc_key: move public part to enc_key_public.h
Part of the defines which are needed for bootutil_public.c compilation
were moved to a separate file, so the bootutil_public library doesn't
need to include cryptographic library headers anymore.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2021-02-05 12:13:32 +01:00
Andrzej Puzdrowski 3af607f4cb bootutil: bootutil_public.c shall not include bootutil_private.h
The objective for the existence of bootutil_public.c is to provide common code
for MCUboot itself and for a chain-loaded application. Therefore
it shouldn't depend on MCUboot-exclusive functions or the like.

This patch moves the missing part of bootutil_private.h to bootutil_private.c

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2021-02-05 12:13:32 +01:00
Jamie McCrae 816cb6ca66 boot: zephyr: boards: Add BL5340 support for using QSPI
Signed-off-by: Jamie McCrae <jamie.mccrae@lairdconnect.com>
2021-02-03 12:01:17 -07:00
Roman Okhrimenko 0c7aebcfe3 cypress: Add support for watchdog timer update in boot image
Add a watchdog timer to MCUBootApp plus BlinkyApp to implement an additional way of boot/upgrade image operation confirmation.

Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
2021-02-01 16:39:18 +02:00
Gerard Marull-Paretas a513b8e668 boot:zephyr: CONFIG_LOG_MINIMAL converted to CONFIG_LOG_MODE_MINIMAL
CONFIG_LOG_MINIMAL was replaced by CONFIG_LOG_MODE_MINIMAL since
https://github.com/zephyrproject-rtos/zephyr/pull/31404 PR was
merged.
CONFIG_LOG_MINIMAL is still emitted as legacy property, but
can't be assigned so prj.conf was fixed.

Signed-off-by: Gerard Marull-Paretas <gerard@teslabs.com>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2021-01-27 14:22:57 +01:00
Jared Wolff da2580d293 boot: zephyr: boards: update Circuit Dojo nRF9160 Feather conf
Add Circuit Dojo nRF9160 Feather board update. Also
adding configuration for Sparkfun Thing Plus.

Signed-off-by: Jared Wolff <hello@jaredwolff.com>
2021-01-16 08:25:52 -03:00
Sherry Zhang 0cfe2ce382 bootutil: Modify boot_add_data_to_shared_area function scope
Modify the function boot_add_data_to_shared_area from static to global
so that it can be used in the user interface boot_save_shared_data.

Signed-off-by: Sherry Zhang <sherry.zhang2@arm.com>
Change-Id: Ic6a36eb526a0883a156f832942af3138bde86dd6
2021-01-13 17:09:37 -03:00
Andrzej Puzdrowski be64e6ade0 bootutil_public: made boot_read_swap_state_by_id() API
Made boot_read_swap_state_by_id() a public API
function.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2021-01-13 17:49:49 +01:00
Andrzej Puzdrowski 14ef5763cc bootutil_public: documented module API
Document the API of the public, shared code module.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2021-01-13 17:49:49 +01:00
Andrzej Puzdrowski 4700b806ae bootutil_public: add function to determine image_ok flag
Added boot_read_image_ok() to the public API, as reading image_ok
might be used by the chain-loaded application to check
its own confirmation state.

Additionally, extracted the common code for determining a trailer flag
into the boot_read_flash() function.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2021-01-13 17:49:49 +01:00
Andrzej Puzdrowski f573b392ec bootutil: extracted app common library from bootutil_misc
Part of the code of boot/bootutil/ is re-implemented in the zephyr-rtos
repository.
As some code is defined here and there, it becomes a problem when it
needs to be included with an outstanding feature in a build.
It is possible to mitigate the problem using #ifdef-ery, but this was
rather a temporary hack.

This patch introduces a new module which is common for the MCUboot build
and the application build.
Common code was extracted to the bootutil_public.c source file and the
bootutil_public.h header.

MCUboot also selects the DISABLE_MCUBOOT_BOOTUTIL_LIB_OWN_LOG Kconfig
option, as it must define the log configuration on its own for all its
source code.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2021-01-13 17:49:49 +01:00
Henrik Brix Andersen e512181609 boot: zephyr: fix compilation with CONFIG_LOG_MINIMAL=y
Fix compilation with CONFIG_LOG_MINIMAL enabled by disabling the
custom log handling code.

Fixes e75e33d981

Signed-off-by: Henrik Brix Andersen <hebad@vestas.com>
2021-01-13 10:44:23 -03:00
Henrik Brix Andersen 008f4a7a30 boot: zephyr: cleanup NXP MPU configuration before boot
Cleanup the NXP MPU configuration before chain-loading the
application.

Signed-off-by: Henrik Brix Andersen <hebad@vestas.com>
2020-12-18 18:31:38 +01:00
George Beckstein 2877965864 Enable support for building mcuboot for Mbed with direct-xip
This commit also introduces changes that allow users to build for other non-swap type update methods (overwrite only, swap using move, direct xip, or RAM loading). Changes include:

- Adding configuration options relating to XIP
- Updating the Mbed flash map backend to be compatible with XIP updates
- Add default secondary_bd in internal flash for XIP on Mbed OS.

Signed-off-by: George Beckstein <becksteing@embeddedplanet.com>
2020-12-16 20:29:27 -03:00
Raef Coles 81d19f017f bootutil: Add cmake build file
In order to allow other projects to include the bootutil files more
easily. Allows renaming and moving of bootutil files without breaking
external projects' file lists (if they include this cmake file instead
of directly listing the files they use). Prevents an issue where
moving/renaming bootutil files breaks the FIH CI test.

Signed-off-by: Raef Coles <raef.coles@arm.com>
Change-Id: Ic982413c6a26ea2039712437f2d511fbe202e1e4
2020-12-16 14:10:31 +01:00
George Beckstein d1233e1b2d Add reference counting to Mbed OS flash backend
The internal functions of mcuboot are not consistent in opening/closing flash areas and sometimes nested calls happen to `flash_area_open` and `flash_area_close`. With the previous implementation, a nested call to `flash_area_close` would deinitialize the underlying `BlockDevice`. This could cause subsequent flash operations on an "open" flash area to fail.

This PR adds a simple open counter for each flash area and ensures the underlying `BlockDevice` is initialized and deinitialized appropriately. The `BlockDevice` is only initialized when transitioning from an open count of 0 to 1. The `BlockDevice` is only deinitialized when the open count falls to 0.

Signed-off-by: George Beckstein <becksteing@embeddedplanet.com>
2020-12-15 14:43:24 -07:00
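The commit above describes why nested `flash_area_open`/`flash_area_close` calls need an open counter. The following is an added example, not the Mbed port's code: a stand-in block device (the names `bd_init`, `bd_deinit`, the `struct block_device` counters and the two-area table are all assumptions) with the 0-to-1 / 1-to-0 transition rule, and a scenario that reproduces the nested call pattern and checks that a read through the outer handle still works.

```c
/* Added example (not the Mbed port's code): open-counted flash areas over a
 * stand-in block device. Only the 0->1 open initialises the device and only the
 * 1->0 close deinitialises it, so a nested open/close pair inside bootutil cannot
 * pull the device from under an outer, still-open handle. All names are assumed. */
#include <stdbool.h>
#include <stdio.h>

#define FLASH_AREA_COUNT 2

struct block_device {          /* stand-in for mbed::BlockDevice; counts calls for inspection */
    bool initialised;
    int  init_calls;
    int  deinit_calls;
};

struct flash_area {
    int id;
    int open_count;            /* nested opens outstanding; device is up while > 0 */
    struct block_device *bd;
};

static struct block_device bds[FLASH_AREA_COUNT];
static struct flash_area areas[FLASH_AREA_COUNT] = {
    { 0, 0, &bds[0] },
    { 1, 0, &bds[1] },
};

static int bd_init(struct block_device *bd)   { bd->initialised = true;  bd->init_calls++;   return 0; }
static int bd_deinit(struct block_device *bd) { bd->initialised = false; bd->deinit_calls++; return 0; }

int flash_area_open(int id, const struct flash_area **fap)
{
    if (id < 0 || id >= FLASH_AREA_COUNT) return -1;
    struct flash_area *fa = &areas[id];
    if (fa->open_count == 0) {             /* 0 -> 1: bring the device up */
        int rc = bd_init(fa->bd);
        if (rc != 0) return rc;
    }
    fa->open_count++;
    *fap = fa;
    return 0;
}

void flash_area_close(const struct flash_area *fa)
{
    struct flash_area *w = &areas[fa->id];
    if (w->open_count == 0) return;        /* unbalanced close: never deinit twice */
    if (--w->open_count == 0) {            /* 1 -> 0: tear the device down */
        bd_deinit(w->bd);
    }
}

/* A read that fails if the device was torn down underneath the caller. */
int flash_area_read(const struct flash_area *fa)
{
    return fa->bd->initialised ? 0 : -1;
}

/* The nested pattern from the commit message: outer open, inner open/close,
 * then a read through the outer handle. Returns 0 when the read still works
 * and the device is released exactly once after the outer close. */
int nested_open_scenario(void)
{
    const struct flash_area *outer, *inner;
    if (flash_area_open(0, &outer) != 0) return -1;
    if (flash_area_open(0, &inner) != 0) return -1;
    flash_area_close(inner);               /* with an unconditional deinit here, the read below fails */
    int rc = flash_area_read(outer);
    flash_area_close(outer);
    if (rc != 0) return rc;
    return (bds[0].initialised == false && areas[0].open_count == 0) ? 0 : -2;
}

int main(void)
{
    int rc = nested_open_scenario();
    printf("nested open/close: %s (init=%d deinit=%d)\n", rc == 0 ? "ok" : "BROKEN",
           bds[0].init_calls, bds[0].deinit_calls);
    return rc;
}
```

The unbalanced-close guard is deliberate: a stray extra `flash_area_close` must not drive the counter negative or deinitialise a device that another handle still relies on.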
George Beckstein ae09770946 Fix Mbed OS logging port when trace is disabled.
This PR prevents the following build error:

```
./mcuboot/boot/mbed/include/mcuboot_config/mcuboot_logging.h:65:30: error: 'IGNORE' was not declared in this scope
   65 | #define MCUBOOT_LOG_ERR(...) IGNORE(__VA_ARGS__)
```

This build error occurs when the bootloader is configured with Mbed's logging library, mbed-trace, disabled or when a logging level other than "MCUBOOT_LOG_LEVEL_DEBUG" is used. Since "bootutil/ignore.h" was not included previously, the "IGNORE(...)" macro was undefined in this scope.

Signed-off-by: George Beckstein <becksteing@embeddedplanet.com>
2020-12-03 09:58:36 -03:00
Stephen Stauts e75e33d981 boot: zephyr: Default to LOG_MINIMAL
Enables LOG_MINIMAL in the default build, saving 2kB+ of free space for
its partition without losing logging functionality or other cost to the
end user.

Ref: NCSDK-7206

Signed-off-by: Stephen Stauts <stephen.stauts@nordicsemi.no>
2020-12-03 09:26:24 +01:00
Ole Sæther 83ec842609 zephyr/Kconfig: Added default pin for serial recovery mode for nRF5340DK
Added default pin for triggering serial recovery mode for nRF5340DK.

Ref: NCSDK-7085

Signed-off-by: Ole Sæther <ole.saether@nordicsemi.no>
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
2020-12-02 09:15:43 +01:00
Andrzej Puzdrowski efb3203909 zephyr: use minimal CBPRINTF implementation
The addition of cbprintf capability in zephyr
https://github.com/zephyrproject-rtos/zephyr/pull/29876
causes the flash footprint to rise by ~4 KB. Selecting
CBPRINTF_NANO=y mitigates the footprint rise.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2020-11-27 17:52:49 +01:00
Fabio Utzig 0f409b0589 ext: tinycrypt: update ctr mode to stream
Add an offset parameter to CTR mode so it can be properly used as a
streaming cipher, as required by the flash encryption algorithm.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-11-25 12:37:29 -03:00
Fabio Utzig d3838989d2 bootutil: crypto: avoid unuseful memset
Avoid memset'ing a buffer that does not hold a secret; it contains
the encryption of the counter.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-11-25 12:37:29 -03:00
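The two commits above (the CTR offset parameter, and not wiping the buffer that holds the encrypted counter) both concern CTR used as a resumable stream. The following is an added example, not Tinycrypt's or MCUboot's implementation: CTR driven by an absolute stream offset, so that a chunk at any position can be decrypted on its own. The block function is a deliberately dumb placeholder so the code runs on a host; `keystream_block()` would be AES-128 encryption of the counter block in real use. The key, the all-zero nonce and the 40-byte payload are constructed test data.

```c
/* Added example (not the Tinycrypt or MCUboot implementation): CTR mode driven by
 * an absolute stream offset. keystream_block() is a placeholder, NOT a cipher. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK 16

/* Placeholder, NOT a cipher: mixes key and counter bytes deterministically. */
static void keystream_block(const uint8_t key[BLOCK], const uint8_t ctr[BLOCK], uint8_t out[BLOCK])
{
    for (int i = 0; i < BLOCK; i++) {
        out[i] = (uint8_t)((key[i] ^ ctr[i]) * 31 + ctr[(i + 1) % BLOCK] + i);
    }
}

/* Add n to a big-endian 128-bit counter block, carrying across bytes. */
static void ctr_add(uint8_t ctr[BLOCK], uint64_t n)
{
    unsigned carry = 0;
    for (int i = BLOCK - 1; i >= 0; i--) {
        unsigned sum = ctr[i] + (unsigned)(n & 0xff) + carry;
        ctr[i] = (uint8_t)sum;
        carry = sum >> 8;
        n >>= 8;
    }
}

/* XOR len bytes of in with the keystream starting at absolute position offset.
 * nonce is the counter block for position 0: offset/BLOCK blocks are skipped and
 * offset%BLOCK bytes of the first block discarded, so encrypting the whole
 * stream at once and decrypting it piecewise give identical results. */
void ctr_stream_xor(const uint8_t key[BLOCK], const uint8_t nonce[BLOCK],
                    size_t offset, const uint8_t *in, uint8_t *out, size_t len)
{
    uint8_t ctr[BLOCK], ks[BLOCK];
    size_t pos = offset % BLOCK;

    memcpy(ctr, nonce, BLOCK);
    ctr_add(ctr, offset / BLOCK);
    keystream_block(key, ctr, ks);
    for (size_t i = 0; i < len; i++) {
        if (pos == BLOCK) {
            ctr_add(ctr, 1);
            keystream_block(key, ctr, ks);
            pos = 0;
        }
        out[i] = in[i] ^ ks[pos++];
    }
    /* ks holds the encrypted counter, not key material, and ctr is derived from
     * the public offset: neither needs a memset before returning. */
}

static const uint8_t demo_key[BLOCK] = { 0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
                                         0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c };
static const uint8_t demo_nonce[BLOCK] = { 0 };   /* zero nonce: counter == block index (assumed) */

/* Encrypt a 40-byte constructed payload in one pass, then decrypt it as three
 * chunks cut at 7 and 23 (mid-block on purpose). Returns 0 if piecewise
 * decryption matches and a chunk decrypted with the wrong offset does not. */
int ctr_resume_demo(void)
{
    uint8_t plain[40], enc[40], dec[40];
    const size_t cuts[] = { 0, 7, 23, 40 };

    for (size_t i = 0; i < sizeof plain; i++) plain[i] = (uint8_t)(i * 7 + 3);
    ctr_stream_xor(demo_key, demo_nonce, 0, plain, enc, sizeof plain);

    for (int c = 0; c < 3; c++) {
        ctr_stream_xor(demo_key, demo_nonce, cuts[c], enc + cuts[c], dec + cuts[c], cuts[c + 1] - cuts[c]);
    }
    if (memcmp(plain, dec, sizeof plain) != 0) return -1;   /* resume at offset broke */

    /* Misuse: treat the chunk at offset 7 as if it started at offset 0. */
    ctr_stream_xor(demo_key, demo_nonce, 0, enc + 7, dec + 7, 16);
    return memcmp(plain, dec, sizeof plain) == 0 ? -2 : 0;   /* must differ */
}

int main(void)
{
    int rc = ctr_resume_demo();
    printf("CTR offset resume: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

The misuse branch is the failure mode a flash-decrypting bootloader must avoid: reading a sector at flash offset N and decrypting it with a counter that restarts at zero yields garbage (or, with a real cipher, a keystream reuse). The offset has to be the absolute position within the encrypted image.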
Jerzy Kasenberg 1d0467e833 boot/mynewt: De-initialize peripherals before calling app
mynewt code calls hal_bsp_init() at the start of the bootloader.
This may initialize some resources (timer/uart/dma).
mynewt now has a hal_bsp_deinit() function that should be called
before the application is executed.
This new function allows stopping resources that were started.

This can stop the cputimer that was started, including its enabled
interrupt. This timer interrupt was very likely to fire
on STM devices that have a 16-bit timer in use, when mcuboot
did not start the LSE and the application wanted to.
Starting the LSE oscillator takes so much time in some cases
that the timer interrupt would execute the MCU from the mcuboot vector
after RAM was already cleared by the startup code, and that
would lead to a crash loop.
Blocking interrupts before starting the application would
also help, but leaving peripherals in the reset state
seems reasonable.

Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
2020-11-25 12:36:10 -03:00
Tamas Ban e4885a637b boot: Fix LOAD_IMAGE_DATA macro
If RAM_LOAD is defined then the return value of memcpy() is
always compared against its first parameter. By definition
memcpy() returns its first parameter (destination), so
the not-equal check is always false. The fix replaces this
runtime check with a comma operator assigning 0 to the
variable at build time; as a result the compiler can do
dead code elimination much better.

Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I8d0d6e68a931661fa19d395556beb20470d74fb1
2020-11-23 16:37:48 +01:00
Andrzej Puzdrowski 32342e7ade zephyr/Kconfig: allow xip-revert only for xip-mode
BOOT_DIRECT_XIP_REVERT enables code which shall only be enabled
while BOOT_DIRECT_XIP=y.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2020-11-23 16:00:57 +01:00
Fabio Utzig de1d72d069 doc: fix github urls to use the new org
Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-11-10 14:19:19 -03:00
Fabio Utzig 6871992b5e boot: zephyr: add nrf52840 QSPI NOR overlays
Add configuration and DTS overlays to run MCUboot + smp_svr on the
nrf52840dk using the secondary slot in the external QSPI NOR flash.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-11-10 08:52:25 -03:00
George Beckstein e42c6482e5 Temporarily disable use of TinyCrypt with Mbed-OS
TinyCrypt uses a modified version of micro-ecc that is also used by the Mbed Cordio BLE stack. When building mcuboot for a target with BLE enabled, this causes multiple-defined symbol errors during linking. Due to the nature of Mbed's current build system, it is difficult to fix this.

Mbed will soon release a more flexible cmake-based build system that will make it possible to exclude these TinyCrypt files from an application build that may also link Cordio BLE sources.

Until then, this commit temporarily disables the use of TinyCrypt with Mbed-OS and excludes its sources from the build to avoid this build error.

Signed-off-by: George Beckstein <becksteing@embeddedplanet.com>
2020-11-06 09:18:27 -03:00
George Beckstein d82afbfaa8 Mbed-OS porting layer implementation for mcuboot
This PR provides a porting layer implementation and framework for building an mcuboot-based bootloader with Mbed-OS. Some symbols are not provided by the Mbed-OS port within mcuboot, namely:

- The secondary storage device (see below)
- The signing keys
- The encryption keys, if used

Use of this port is demonstrated by the following projects:
- https://github.com/AGlass0fMilk/mbed-mcuboot-demo (a complete mcuboot/Mbed-OS-based bootloader)
- https://github.com/AGlass0fMilk/mbed-mcuboot-blinky (example showing how to make an Mbed-OS application that is bootable by mcuboot)

Memory porting implementation:

The underlying implementation uses Mbed's BlockDevice API as the storage backend for mcuboot's memory operations. This provides a very flexible way of configuring the location and layout of the secondary flash storage area. To build an mcuboot-based bootloader with Mbed-OS, the user must implement a hook function, mbed::BlockDevice* get_secondary_bd(), to provide the secondary BlockDevice that mcuboot will use.

The signing and encryption keys must also be provided by the user. They can be generated using the existing imgtool utility in the same manner used by Zephyr. There are no automated build steps currently provided by Mbed-OS to sign/encrypt build artifacts.

Known limitations:

The update candidate encryption features have not yet been fully tested. A truly secure implementation will require integration with Mbed's TRNG API in the future to inhibit side-channel attacks on the decryption process.

The TinyCrypt backend is currently only supported for Mbed-OS builds when building with the GCC toolchain. The new cmake-based Mbed-OS build system will fix the underlying issue (file name uniqueness).

Signed-off-by: George Beckstein <becksteing@embeddedplanet.com>
Signed-off-by: Evelyne Donnaes <evelyne.donnaes@arm.com>
Signed-off-by: Lingkai Dong <lingkai.dong@arm.com>

Co-authored-by: Lingkai Dong <lingkai.dong@arm.com>
Co-authored-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-11-03 19:16:46 -03:00
Andy Gross ea30ef3ca7 boot: Add vendor defined TLV ranges
This patch adds comments to reserve off a portion of the available TLV range
for use by vendors for proprietary TLV types.

Signed-off-by: Andy Gross <andy.gross@juul.com>
2020-11-03 21:57:13 +01:00
David Vincze 505fba252e Boot: Add 'revert' support to direct-xip mode
The 'revert' mechanism in direct-xip is similar to the one in swap mode.
It requires the trailer magic to be added to the signed image. When a
reboot happens without the image being confirmed at runtime (without the
image_ok flag being set), the bootloader considers the image faulty and
erases it. After this it will attempt to boot the previous image
instead. The images can also be made permanent (marked as confirmed in
advance) just like in swap mode.

Change-Id: Ibde9361d4a7302dd8efbb277b691b71eca0ca877
Signed-off-by: David Vincze <david.vincze@linaro.org>
2020-11-03 21:52:11 +01:00
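The revert rule described above (and the `boot_read_image_ok()` accessor for the chain-loaded application introduced in commit 4700b806ae further up) can be exercised with an in-RAM model. The following is an added example, not MCUboot's code: the slot and trailer fields, the "boot the newest image, erase it if it was booted once without being confirmed" decision and the two scenarios are this editor's simplification. The real bootloader reads these flags from the slot trailer in flash and validates the image signature before any of this runs.

```c
/* Added example (not MCUboot's code): an in-RAM model of the Direct-XIP revert rule.
 * Field names and the decision logic are a simplification, not copied code. */
#include <stdbool.h>
#include <stdio.h>

enum flag { FLAG_UNSET = 0, FLAG_SET = 1 };

struct slot {
    bool      has_image;    /* false once erased */
    unsigned  version;
    bool      magic_good;   /* trailer magic present (image signed with padding) */
    enum flag image_ok;     /* confirmation: set at runtime by the app, or at sign time */
    enum flag copy_done;    /* set by the bootloader the first time it boots this slot */
};

static struct slot slots[2];

/* What a chain-loaded application checks to learn its own confirmation state. */
enum flag boot_read_image_ok(int s) { return slots[s].image_ok; }

/* Runtime confirmation by the application. */
void boot_set_confirmed(int s) { slots[s].image_ok = FLAG_SET; }

static void erase_slot(int s)
{
    slots[s].has_image = false;
    slots[s].magic_good = false;
    slots[s].image_ok = FLAG_UNSET;
    slots[s].copy_done = FLAG_UNSET;
}

/* Revert decision for one candidate: 0 = boot it, -1 = it was erased. */
static int boot_select_or_erase(int s)
{
    struct slot *sl = &slots[s];
    if (!sl->magic_good) {                        /* no trailer: cannot track confirmation */
        erase_slot(s);
        return -1;
    }
    if (sl->copy_done == FLAG_SET && sl->image_ok != FLAG_SET) {
        erase_slot(s);                            /* booted before, never confirmed: faulty */
        return -1;
    }
    if (sl->copy_done == FLAG_UNSET) {
        sl->copy_done = FLAG_SET;                 /* remember that this image got its chance */
    }
    return 0;
}

/* One bootloader run: newest present image first, fall back to the other slot
 * if the newest one gets reverted. Returns the slot to execute from, or -1. */
int direct_xip_boot(void)
{
    for (int attempt = 0; attempt < 2; attempt++) {
        int best = -1;
        for (int s = 0; s < 2; s++) {
            if (slots[s].has_image && (best < 0 || slots[s].version > slots[best].version)) {
                best = s;
            }
        }
        if (best < 0) return -1;
        if (boot_select_or_erase(best) == 0) return best;
    }
    return -1;
}

static void load_scenario(void)
{
    /* v1 in slot 0, already confirmed; v2 just arrived in slot 1 with trailer magic. */
    slots[0] = (struct slot){ true, 1, true, FLAG_SET,   FLAG_SET };
    slots[1] = (struct slot){ true, 2, true, FLAG_UNSET, FLAG_UNSET };
}

/* App never confirms v2: the second boot erases it and runs v1 again. Returns 0 if so. */
int revert_scenario(void)
{
    load_scenario();
    if (direct_xip_boot() != 1) return 1;               /* first boot runs v2 */
    if (boot_read_image_ok(1) != FLAG_UNSET) return 2;  /* app sees "not yet confirmed" */
    if (direct_xip_boot() != 0) return 3;               /* reboot without confirm: revert */
    if (slots[1].has_image) return 4;                   /* v2 must be gone */
    return 0;
}

/* App confirms v2 at runtime: it survives the reboot. Returns 0 if so. */
int confirm_scenario(void)
{
    load_scenario();
    if (direct_xip_boot() != 1) return 1;
    boot_set_confirmed(1);
    if (direct_xip_boot() != 1) return 2;
    return slots[1].has_image ? 0 : 3;
}

int main(void)
{
    printf("revert scenario: %d, confirm scenario: %d (0 = as expected)\n",
           revert_scenario(), confirm_scenario());
    return 0;
}
```

Marking an image permanent in advance corresponds to loading it with `image_ok` already `FLAG_SET`, which makes `boot_select_or_erase()` never take the erase branch, exactly as the commit message says for pre-confirmed images.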
Andrzej Puzdrowski c74c551ed6 zephyr/arm_cleanup: exclude z_arm_clear_arm_mpu_config() when no MPU
This function must be excluded from build when
core doesn't have MPU.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2020-10-29 14:41:22 +01:00
Andrzej Puzdrowski 56c15e7c49 zephyr: added ISB after cortex control was set
After modifying the CONTROL register, ISB function should be
used to ensure the effect of the change applies to
subsequent code.
Due to the simple nature of the Cortex-M3, Cortex-M4, Cortex-M0+,
Cortex-M0, and Cortex-M1 pipeline,
omission of the ISB instruction does not cause any problem.
But might cause problem on a more advanced core.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2020-10-29 13:34:44 +01:00
Fabio Utzig ce115975c0 bootutil: fix upgrade issue in swap-move
A previous fix for allowing padded images in the primary slot ended up
causing an issue that would fail to upgrade under the right
circumstances. The issue was caused when the following set of steps
happened after an upgrade was detected:

1) trailer is erased on the primary slot
2) status is written to the primary slot
3) trailer is erased on the secondary slot
4) reset
1) trailer is erased on the primary slot
2) status partially written or not written to primary slot (no magic)
3) reset

This would result in images stored in the same slots they were
initially, aka no upgrade, which would fail the simulator test for
upgraded images.

The previous padded images fix was reverted and the status source was
upgraded to also check that the secondary slot has a valid magic in it,
so that there's never a circumstance where there is no trailer in any
of the slots while an upgrade operation is being decided on.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-10-28 18:16:48 -03:00
Fabio Utzig 7fd42d5ff9 Revert "bootutil: fix swap-move brick with padded image0"
This reverts commit 296949ef6d.

Signed-off-by: Fabio Utzig <fabio.utzig@nordicsemi.no>
2020-10-28 18:16:48 -03:00
Ioannis Glaropoulos 3c1e4fbdda Revert "boot: zephyr: Disable HW stack protection"
This reverts commit 4dc12f4807.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2020-10-28 22:02:15 +01:00
Ioannis Glaropoulos 70af708b85 boot: zephyr: clean ARM core configuration only when selected by user
Clean up the ARM core configuration only when
the CONFIG_MCUBOOT_CLEANUP_ARM_CORE is selected.
This involves cache and stack pointer limit registers.

Add also an MPU cleanup in platforms with the ARM MPU
supported.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2020-10-28 22:02:15 +01:00