Modify the definition of certain shared data TLV entry header fields to
be aligned with the image TLV's behaviour (the meaning of the tlv_len
field was different) and achieve unified interpretation.
Modify some macro definitions that use bitwise shift operators to
prevent certain errors from occurring due to implementation-defined
behaviour.
Change-Id: Ib736703a391d390a87d629a8ac4e77e1789120a5
Signed-off-by: David Vincze <david.vincze@linaro.org>
Implement the functions declared in boot_record.h and add
each BOOT_RECORD TLV's CBOR encoded binary data (one TLV entry per
image) to a shared data area between the bootloader and the runtime SW.
These data units are stored in a TLV format (in the shared area too) and
contain certain attributes of the given image / SW component such as:
- SW type (role of the software component)
- SW version
- Signer ID (identifies the signing authority)
- Measurement value (hash of the image)
- Measurement type (algorithm used to calculate the measurement value)
Preserving all these image attributes from the boot stage for use by
later runtime services is known as a measured boot. The list of the
shared attributes is based on the recommendations of Arm's Platform
Security Architecture (PSA).
The main purpose of this patch is to create the prerequisites of an
attestation service by providing these measurements.
The boot_record.c and boot_status.h (originally tfm_boot_status.h) files
were copied (with modifications) from the Trusted Firmware-M project
(https://www.trustedfirmware.org/about/).
Hash of the source commit: 08d5572b4bcee306d8cf709c2200359a22d5b72c.
Change-Id: I37a8e7b10d5bf80a581651ffaf65b3cba45eaff2
Signed-off-by: David Vincze <david.vincze@arm.com>
Define interface for sharing boot status (certain attributes of the
authenticated images) and adding arbitrary data in TLV encoded format
to a shared data area between the bootloader and runtime SW.
The boot_record.h file was copied (with minor modifications) from the
Trusted Firmware-M project (https://www.trustedfirmware.org/about/).
Hash of the source commit: 08d5572b4bcee306d8cf709c2200359a22d5b72c.
Change-Id: Ia25bac27e9f1ce7faa5043c5a0455c804a24701e
Signed-off-by: David Vincze <david.vincze@arm.com>
Zephyr commit [1] has changed kconfig option name. Update kconfig
selection to the new one.
[1] 90b9eb3a9e93 ("kconfig: Rename USE_CODE_PARTITION to
USE_DT_CODE_PARTITION")
Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Zephyr timeout API is changing and will use opaque value (k_timeout_t)
instead of raw values. K_MSEC is used to convert raw milliseconds value
to k_timeout_t.
This change is backward compatible so can be merged independently.
Signed-off-by: Krzysztof Chruscinski <krzysztof.chruscinski@nordicsemi.no>
Generated serial_recovery_cbor.c and serial_recovery_cbor.h
Copied cbor_decode.c and cbor_decode.h
This commit is the result of running
./regenerate_serial_recovery_cbor.sh "2020 Nordic Semiconductor ASA"
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
- Add the cddl_gen repository as a submodule.
- Add a CDDL description file for the serial recovery packets to be
decoded.
- Add generated code files and cddl_gen's CBOR library to CMakeList.txt
for Zephyr.
- Convert boot_serial.c to use the new code.
- Add a bash script to (re)generate code files using cddl_gen.py.
Serial recovery should work exactly as before, but the binary should be
about 1k smaller.
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
Name of the board is changing in the zephyr-rtos:
https://github.com/zephyrproject-rtos/zephyr/pull/23447
This patch aligns the board name used which is required for suppression
of build warnings.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Replace BUILD_ASSERT_MSG() with BUILD_ASSERT()
after merging BUILD_ASSERT() and BUILD_ASSERT_MSG().
Signed-off-by: Oleg Zhurakivskyy <oleg.zhurakivskyy@intel.com>
This patch is needed as MCUBoot should be able to chain-load any
application, not only these built using zephyr.
Introduced cleanup on ARM core control register.
Might be required as for instance the application assumes
that it starts with thread mode configured as by default, not
according to zephyr-rtos configuration.
MCUBoot disables interrupt before application chain-load used
basepr register. This Patch introduce additional celenup on
NVIC register.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Updating the URL for git repository in README file to reflect merge
of PSoC62 into mcuboot master.
Signed-off-by: Christian Daudt <christian.daudt@cypress.com>
Modified serial_adapter so log are allowed when using USB
CDC ACM serial port emulation.
Added dedicated thread for log processing of the highest application
priority. This allows to transmit all logs without adding k_sleep
anywhere else int the code.
Introduced boot log thread is simpler than the default log threat
which decreases flash footprint by a few dozen bytes.
Added configuration for nrf52840_pca10056 which shows how
to enable looging along with USB - among other, thread log
processing is required.
build command (form zephyr-project root directory)
west build -d build/mcuboot/nrf52840_pca10056 -b nrf52840_pca10056
./bootloader/mcuboot/boot/zephyr/
-- -DDTC_OVERLAY_FILE=./boards/nrf52840_pca10056_big.overlay
-DOVERLAY_CONFIG=./usb_cdc_acm_log_recovery.conf
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Add Log processing configuration synchronous as default
if multithreading is disabled.
Additionally Kconfig makes MULTITHREADING default
if USB is selected.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
- Add image security counter verification (read security counter value
from the image manifest and compare it against the stored/active
security counter) as an optional part of the image validation process
to prevent the restoration of older, potentially vulnerable images.
- This feature can be enabled with the MCUBOOT_HW_ROLLBACK_PROT option.
- Add security counter interface to MCUBoot. If HW rollback protection
is enabled then the platform must provide a mechanism to store and
read the security counter value in a robust and secure way.
Change-Id: Iee4961c1da5275a98ef17982a65b361370d2a178
Signed-off-by: David Vincze <david.vincze@arm.com>
GPIO_DIR_IN has been replaced by GPIO_INPUT, GPIO_PUD_PULL_UP by
GPIO_PULL_UP, and gpio_pin_read() by gpio_pin_get_raw(). Update the
code to use the preferred API if it available. This avoids
deprecation warnings in the build.
Signed-off-by: Peter Bigot <peter.bigot@nordicsemi.no>
According to our CI:
Redundant 'source "$(ZEPHYR_BASE)/Kconfig.zephyr" in
'boot/zephyr/Kconfig'. Just do 'source "Kconfig.zephyr"'
instead. The $srctree environment variable already points
to the Zephyr root, and all 'source's are relative to it.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Zephyr will soon no longer add the drivers subdirectory of the include
hierarchy to the search path, so references to driver headers must
include the drivers/ prefix.
Signed-off-by: Peter Bigot <peter.bigot@nordicsemi.no>
Depends on 'MCUBOOT_OVERWRITE_ONLY' option since swap info is not protected
by signature
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
To be more robust in the placement of MCUBoot directory,
use the ZEPHYR_BASE env variable to locate
nrfxlib directory.
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Swap without scratch has been tested enough and no obvious bugs (or
"show stopper) bugs seem to exist; so remove [EXPERIMENTAL] and make
it "stable".
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add a missing test which ensures that there is enough free sectors to
perform an upgrade when using the move strategy; this basically checks
that the sectors used by the trailer don't overlap the last sector
required for a move up operation.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add a new option that when enabled, allows a swap status to store
an encrypted key TLV instead of plain keys. When a new swap operation is
started the encryption keys are saved to the swap status area to allow
for resuming (because it is challenging to find those TLV in the middle
of a swap operation).
Previously those keys were saved in plain text, so it would be easy to
dump them if the images were stored in external flash. With this new
option one can choose to save the TLV instead, which uses more flash
but does not leak secrets. The amount of flash required varies depending
on the size of the TLV, which is 48 for AES-128-KW, 512 for RSA and 240
for ECIES-P256.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Avoid jumping into an image while still having encryption keys stored in
RAM, which could then be recovered by the app.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add new bootutil function that returns the size of the status area.
The simulator was updated to remove the custom calculation and get
the size directly from bootutil, avoiding breakages the happen when
both are not in sync.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When using swap withouth scratch, if a revert operation is detected there
is a fixup that needs to be done to avoid losing metadata. This fixup
copied metadata from the primary slot to the secondary slot temporarily.
Previously it was also copying the encrypted image keys but this is not
required since a fixup is only run when starting a new swap where the
keys were loaded directly from the images. This also avoids that a
secondary slot in external flash would leak keys (according to our
threat model).
Signed-off-by: Fabio Utzig <utzig@apache.org>
ECDSA signatures are variable length. They are also encoded as ASN.1.
The ASN.1 parser we use is given the length, and will return a decoding
error if the signature block is not sufficiently long. Instead of
requiring the signature block be padded to the longest possible length a
signature can be, allow them to be their natural length.
This allows image signing tools to be able to generate signatures that
don't have this padding. Along with removing the pad removal code from
the EC224 code, this will allow this code to correctly validate all
signatures, not just 255 out of 256.
Signed-off-by: David Brown <david.brown@linaro.org>
Allow runtime generation of CRT params when not available in the
embedded private key. Also remove parsing/calculation of CRT
parameters when CRT was disabled in the config (mbedTLS does not
use those in this case).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Added sample.yaml which is required for automatic building
mcuboot using zephyr sanitycheck.
Can be run by zephyr sanitycheck locally using
--testcase-root=/path/to/mcuboot/boot/zephyr
to make it detect the sample.yaml added.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
This adds a Kconfig feature CONFIG_BOOT_USE_BENCH, which when enabled
will print the simple benchmarking output as log messages.
Signed-off-by: David Brown <david.brown@linaro.org>
Add a `bootutil/bench.h` file that defines two calls
`boot_bench_start()` and `boot_bench_stop()` along with a type for the
state. These calls can be placed around blocks of code, and with a
properly defined implementation, will print simple performance
information about these operations.
This change merely adds the includes, and the empty implementations that
are used if the bencharking feature is not enabled.
Signed-off-by: David Brown <david.brown@linaro.org>
In zephyr code-base some generic include patches
and defines had been deprecated since a while.
This condition was maintained until zephyr v2.1.0 inclusive.
Recently these deprecated items were removed completely from
the zephyr master branch. Zephyr current SHA of this patch is
e124c1cd34938f02bbe879533c6bd29b5ff53707
This patch switch mcuboot to using most recent items.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
There are a few error messages printed by the boot code. In a normal
platform, these are real errors, and really should print a message.
However, in the simulator, we intentionally create these scenarios, and
these errors only serve to distract from the rest of the test output.
Conditionalize the error prints based on whether we are running in the
simulator.
Signed-off-by: David Brown <david.brown@linaro.org>
* Adds a new level (BOOT_LOG_SIM) to be used only for messages that
are interesting while debugging bootutil in the simulator. This should
be used for extra verbose prints.
* Also added fflushs after fprints to guarantee that messages are printed
even when assertions are raised.
* For abstraction completeness, add "do nothing" definitions of _LOG_SIM
to the other ports.
* Make DEBUG the default level when building the simulator (one can
still lower verbosity using any other value for RUST_LOG).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Fix an issue where an upgrade could fail to execute.
This happened randomly in the "perm_with_fails" test in the simulator;
for it to happen the first reset had to occur just after writing the
metadata to mark the start of a new upgrade, but before any swap happened;
if followed by a new reset happening at a point where the metadata was
erased and rewritten, it would result in an upgrade failure. The images
would still be valid though although in their original slots.
The fix stores the detected boot status source in the state. When
metadata was found in the primary slot we assume a swap has already
started (even though no sector swap has happened) and avoid
erasing/rewriting it.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add Zephyr option to enable building a bootloader that uses an
alternative swap algorithm, that first moves up all sectors in slot1 and
then directly swaps between slot0 and slot1.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add Mynewt option to enable building a bootloader that uses an
alternative swap algorithm, that first moves up all sectors in slot1 and
then directly swaps between slot0 and slot1.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add cap for swap using move and rename old swap upgrade cap to swap
using scratch. Update sim to allow swapping tests to also run using
move.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This implements a swap upgrade that does not use a scratch area. It
works by first moving all sectors in the primary slot up one position,
and then looping on moving sector of index X of the secondary slot to
index X of the primary slot, followed by moving sector X+1 of the
primary slot to X on the secondary slot, for each sector X.
The idea behind this implementation was initially suggested by Jehudi
Maes (@Laczen) and implemented on his own bootloader (ZEPboot).
Signed-off-by: Fabio Utzig <utzig@apache.org>
This moves the functionality that is unique to a scratch based swap
upgrade into a separate file. Later other upgrade strategies can be
added by reimplementing those functions.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The current TLV tag is an unsigned 8-bit integer, that is stored with 8
bits of padding. As the TLV tag is defined to be little endian
(although the code doesn't properly handle this), we can use the 8 bits
of padding as the upper 8-bits, treating the TLV tag as a 16 bit value,
and all existing tags will operate as they did before.
Change the types used throughout the code to represent the TLV to a
`uint16_t`. Change the ANY tag type to `0xffff` instead of `0xff`.
This value is never stored, but will avoid conflicts with any future
allocated tags.
Signed-off-by: David Brown <david.brown@linaro.org>
0e3fa72df4 removed device tree overlay
that is required to flash mcuboot to correct partition and CMake
variable that pointed to it. Restore it.
Do not restore adding "boards/${BOARD}.overlay" to the list since Zephyr
detects this file automatically now - see https://docs.zephyrproject.org/latest/application/index.html#devicetree-overlays
Signed-off-by: Sergey Koziakov <dya.eshshmai@gmail.com>
Don't set the board to qemu_x86 either; that's not right by any means.
Remove dts.overlay and build system logic related to it in
boot/zephyr/CMakeLists.txt. This file was a hack for arduino_101,
which is no longer supported by Zephyr.
Remove all the other DTC_OVERLAY_FILE logic in general while we're
here. Zephyr picks up
${APPLICATION_SOURCE_DIR}/boards/${BOARD}.overlay and uses it as
DTC_OVERLAY_FILE "for free" if DTC_OVERLAY_FILE is unset.
Adjust the minimum CMake version while we're here to account for
Zephyr build system changes.
Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
Remove this workaround. The Kinetis flash driver has supported
FLASH_PAGE_LAYOUT since at least January 2018.
Signed-off-by: David Brown <david.brown@linaro.org>
Only execute serial recovery if valid pin condition is detected
during power up reset or pin reset on nRF devices with RESETREAS
register. This is to prevent going into serial recovery when
waking up from power off mode with the same pin conditions that
is configured to trigger serial recovery.
Signed-off-by: Jon Helge Nistad <jon.helge.nistad@nordicsemi.no>
While doing a revert, the image encryption keys might be saved temporarily
in the scratch area; this is required in situations that we need to swap
one of the last sectors of the primary slot. When this happens, and the
device is interrupted just after restarting the revert swap, bootutil will
try to load the encrypted keys from the primary slot, and possibly use them
in reverted order (image in primary uses key of image in secondary and
vice-versa) which was saved in the test upgrade.
This fixes the issue by reverting the order used to check for the swap
metadata, with scratch being checked before the primary slot.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Use correct macro for the size of a DH shared secret. The previously
used macro had the same size (SHA-256 digest length) but incorrect
semantics.
Signed-off-by: Fabio Utzig <utzig@apache.org>
In overwrite-only mode, the write alignment is not used for much.
Making this a larger value will allow the alignment for a particular
device to be larger than a uint8_t. This will make the trailer size
very large for these devices (and prevent
!defined(MCUBOOT_OVERWRITE_ONLY) from being used), but at least allows
the overwrite only mode to be used on these devices.
Signed-off-by: David Brown <david.brown@linaro.org>
Ran automated checker for common typos [1]. Most of these changes have
no functional change *except* for `./ci/sim_run.sh` where, previously
the `bootstrap` feature wasn't being selected properly.
I didn't touch anything in the `./ext/` folder as anything in there
should probably be fixed in the upstream repo.
[1] https://github.com/codespell-project/codespell
Signed-off-by: Sam Bristow <sam@bristow.nz>
Add a new Mynewt option that allows for overriding the default
`hal_system_start` routine; this allows for startup customizations
required by some BSPs.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Before using the image and header size fields from the image header,
verify that both of these values are sane. In this case, sanity means
that there is no arithmetic overflow when they are added, and that the
result is within the bounds of the containing flash region. This is
done in addition to the check of the header's magic number.
Signed-off-by: David Brown <david.brown@linaro.org>
To facility better checking for integer overflow, add these two
functions to add while checking for overflow. If the result overflows,
they will return an error, instead of performing the addition.
Signed-off-by: David Brown <david.brown@linaro.org>
The ext/mbedtls directory has a copy of the ASN.1 parser from the mbed
TLS library. To allow a future change to bring the entire mbed TLS
library in as a submodule under ext, rename this to mbedtls-asn1 to make
it clear this is only a subset.
Signed-off-by: David Brown <david.brown@linaro.org>
In the TLV iterator code a variable is used to save the offset in flash
where the protected TLVs end; this was declared as uint16_t and could
easily overflow so fix it by updating the type to uint32_t.
Signed-off-by: Fabio Utzig <utzig@apache.org>
zephyr changes the way in which it provide name of
serial device used by serial recover.
see: https://github.com/zephyrproject-rtos/zephyr/pull/18752
This path introduce build time configuration of device name
which is set to exact the same device which was set before.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
To enable multi image support in mcuboot one needs
to set the 'UPDATEABLE_IMAGE_NUMBER' config.
Add this to zephyrs MCUBoot kconfig to allow this.
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Convert this `extern const uint32_t` to a simple define. Provide an
accessor function so that the simulator is able to access the value as
well. This has a minor improvement on the generated code within MCUboot
itself.
Signed-off-by: David Brown <david.brown@linaro.org>
BOOT_MAX_ALIGN is defined as
extern const uint32_t BOOT_MAX_ALIGN;
and is assigned a value in a single file. This causes extra work when
this is used as the size of a local variable in a function.
The value was made a constant in order for the simulator to be able to
access the value. Instead of making it a "real" constant, keep it as a
define, unifying the value of FLASH_MAX_ALIGN and this one, and provide
an accessor function for the test code to be able to access this value.
This causes a minor improvement in the code generated in
`boot_write_status`, but more importantly, eliminates a VLA from the
code, which increases the possible compilers supported by MCUboot.
Signed-off-by: David Brown <david.brown@linaro.org>
The boot_serial test was failing build because it hadn't been updated to
use new multi-image flash area nomenclature. This fixes the build.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This introduces an API which allows for iteration over an image's TLVs
without resorting to low-level implementation details. All previous TLV
low-level handling was updated to comply with this new interface, and it
also makes it easier for external code to handle TLVs.
The API provides two functions:
1) To start a new iterator:
```
int bootutil_tlv_iter_begin(struct image_tlv_iter *it,
const struct image_header *hdr,
const struct flash_area *fap, uint8_t type,
bool prot);
```
2) To iterate over existing TLVs of given type:
```
int bootutil_tlv_iter_next(struct image_tlv_iter *it, uint32_t *off,
uint16_t *len, uint8_t *type);
```
A type of IMAGE_TLV_ANY was added to allow for iteration over all TLVs.
Low-level TLV access functions were removed from API, but low-level
structs are still visible in the namespace.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Upstream PR #547
The recent changes to these are tripping GCC printf-like macro
attribute warnings on my platform. Just cast all the values to ulong
to make everybody's compilers happy.
Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
This allows refactoring a check that was done in multiple places looking
for the same swap types.
Also fixes an issue where dependency checks would be run if a swap type
had a value that indicates fail.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The slot validation routine would result in a non-installed image to be
equivalent to a failed validation, which would set the swap type to
*_FAIL and require special handling in the dependency checks. This
routine was updated, so that it now returns a value that can be used to
check that the error was due to an image not found.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Since a copy/erase during a swap can result in some number of sectors
erased and copied, which is not necessarily equal to 1, update design
document and bootloader function naming to reflect this fact, by using
the postfix "_region" instead of "_sector" in those cases.
This fixes#541
Signed-off-by: Fabio Utzig <utzig@apache.org>
This fixes an issue where dependencies were being decrypted before
hashing when encrypted images are used. When using dependencies, some
"protected" TLVs are added to the image. Those TLVs take part into the
image hash calculation, but are not encrypted and must be sent plain
to the hash update routine.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This fixes two issues related to swap status control:
1. During a swap, the status was written offset by one, because it was
being incremented before it was written to flash. With the increment
happening early the offset was calculated always one position after
where it should be, which would leave the first status index free,
and override the last one (worst case scenario).
2. When an image is too big it requires the swap status to be
temporarily stored on scratch, to allow the last sector on the
primary slot to be erased. The status is written to scratch for 2
status updates, and afterwards copied back to the primary slot, which
then receives future status updates. The code that copied the status
back from scratch to the primary slot was erroneously copying the space
of 3 status writes, which would result in a write over non-erased area
for the third byte.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When only upgrading one slot, the swap type for the non upgraded slot is
BOOT_SWAP_TYPE_FAIL instead of NONE. Account for this, and check slot 0
in this case.
This is probably not the correct solution, but it is unclear of the
timing of when the dependencies of the other images first slot would be
checked.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
This fixes the issue where an unmet dependency would result in a restart
of image dependency checks. To make the code easier to follow, some
function nesting was removed, functions that check slot dependencies
were renamed appropriately and dependency check is not done when no
upgrades are marked.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The checking of image version compatibility is only used by dependencies
code; this moves the version checking function static, and removes it
from the exported API.
Signed-off-by: Fabio Utzig <utzig@apache.org>
`boot_swap_type_multi` should be used instead. The `BOOT_CURR_IMG` macro
already returns the correct value in single image mode.
For compatibility with external tools like mcumgr, `boot_swap_type`
remains available and always returns the swap type of image 0.
Signed-off-by: Fabio Utzig <utzig@apache.org>
An image must be decrypted when it is loaded on the secondary slot and
its header flag indicates it is encrypted. Instead of checking both
things every time the image is read, add a new macro, MUST_DECRYPT, that
does both checks.
Also `BOOT_CURR_ENC` was simplified to be used directly on
`bootutil_img_validate` calls, returning NULL for no encrypted images.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This updates `image list` and `image upload` objects to support
multi-images. The information about which image is being handled was
added to the CBOR as "image" field, which when not available, is
considered to have value 0.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Allow Mynewt to be used in multi-image builds. Primary and secondary
slots of image 1 are hard-coded to FLASH_AREA_IMAGE_2 and FLASH_AREA_IMAGE_3.
Signed-off-by: Fabio Utzig <utzig@apache.org>
CONFIG_MULTITHREADING is generally assumed to be y by the zephyr
kernel, even though that's not reflected in the Kconfig. For example,
semaphores depend on it being y, but CMake will still build sem.c even
if it's n.
The sensible default for this option is thus y.
However, it's a size advantage to disable it if the platform drivers
are all aware of this option, such as nRF.
Let's re-work our use of this option to keep it disabled when we know
it's safe, but enable it by default so more platforms can be expected
to work out of the box.
Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
For some basic mcuboot configurations the zephyr timers are
not required which reduce the flash footprint significantly.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
While iterating over the swap table looking for swap type,
avoid asserting on errors; let caller handle error handling.
Signed-off-by: Fabio Utzig <utzig@apache.org>
`boot_read_image_size` was already receiving the bootloader state and
slot; since the image_header is part of the state and can be gathered
from it, it was removed from the list of parameters.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds a single trailer writing routine that can write any amount of
data (upto BOOT_MAX_ALIGN); the functions that were writing to the
trailer now just call this one passing the offset and data/len.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Update each function to calculate the offset based on a previous
function offset, so that if one has to be changed not all functions have
to be updated.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When doing a swap some of the information required by the process
is temporarily written to the status area; previously each data
writing routines tried to find the correct area by looking for the
magic and assuming that data is located there (because everything
fits a single sector). This moves the code to find the magic into
a separate routine that is now used by others.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When the hash key length parameter is invalid (bigger than allowed) just
return an error for the caller routines; this will work like a not found
key and allows the removal of assert() code in this module.
Signed-off-by: Fabio Utzig <utzig@apache.org>
TLV offset was determined by manually adding the header and image
size in many places; this makes the addition into a macro receiving
a image_header to ease future changes.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The boot loader state currently exists as global variable (boot_data)
which is accessed by all routines; this updates all routines that
require access to the state to receive it by parameter.
Variables that are declared as "static" (globals) were #ifdef'ed to
only use static when building a native bootloader, to avoid stack
allocation. When bootutil is built to run in the simulator they are
stack allocated to avoid thread share.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Currently to determine which image is being operated on, there is a global
variable called current_image which is used by most macros and APIs to
correctly access the flash areas required by the bootloader. This moves
this variable to the already existing state struct and refactors all
macros and APIs to receive the current image by parameters. To maintain
compatibility some of the macros were not updated and use image 0 when
called.
The definitions of FLASH_AREA_IMAGE_PRIMARY and FLASH_AREA_IMAGE_SECONDARY
for Mynewt compatibility were moved out of bootutil sources to a Mynewt
specific include file.
Signed-off-by: Fabio Utzig <utzig@apache.org>
For Mynewt, if a watchdog driver is available, it is always used and feed
during a swap operation. Since the swap operation is able to resist resets,
the watchdog can stay disabled to preserve some flash space (watchdog
driver), with the side-effect that a swap might take longer because of
having to resume interrupted operations.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This struct currently relies on padding being done by the C compiler.
Although this is generally done the same across targets, this isn't
required, and it is better to make any padding explicit. This also
makes it clear that there is extra space in this structure that can be
used for another purpose.
The python imgtool is also fixed to match. It was using a 32-bit int,
which only worked in the little endian case.
Signed-off-by: David Brown <david.brown@linaro.org>
This patch adds the capability to check image dependencies in case
of multi-image boot. The dependencies are described with a new type
of TLV in the manifest.
Change-Id: If45f81a00d4324c881634f50156f9939e1bf8707
Signed-off-by: David Vincze <david.vincze@arm.com>
This patch adds the capability to handle multiple firmware images,
to update them independently. Also update the design documentation.
It separates the completion of aborted image swap operations and the
update of images even more as these should be happening at different
stages of the boot process according to the design proposal of
the multiple image support:
https://github.com/JuulLabs-OSS/mcuboot/pull/317.
Change-Id: I7eb5f632298bb08c805bfaee0359703b2ae19e9d
Signed-off-by: David Vincze <david.vincze@arm.com>
This patch introduces the BOOT_IMAGE_NUMBER macro and current_image
variable to support multiple updatable images and the associated
extended flash layout.
The FLASH_AREA_IMAGE_* object-like macros are replaced with
function-like ones and therefore some functions have been updated,
because the labels of a switch statement and the initialization
values of objects with static storage duration have to be constant
expressions.
Change-Id: Ib7b26ec3c94233e52db4f97825ddb6a3e55bb1d3
Signed-off-by: David Vincze <david.vincze@arm.com>
Overload the swap_type field in image trailer to store as an addition
the image sequence number. It indicates which image's swap was
interrupted. It is required by multi image boot to determine which
image the trailer belongs to if boot status is found on scratch area
when the swap operation is resumed.
Change-Id: I6820fd8277931aff4f0db408376eae8b42a030ed
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
When HW / OS provides an always enabled watchdog, this macro can
optionally be implemented to avoid resets which are expected to
occur under normal conditions when swapping very large images or
running on slower devices.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The Mynewt HASH HW driver can be used to do the sha256 validation in the
bootloader instead of relying on mbedTLS/tinycrypt. When enabled it must
be initialized before boot_go (and boot_img_validate) is run, so this
does the extra checking and runs initialization when required.
Signed-off-by: Fabio Utzig <utzig@apache.org>
There is a bug in split_go that never opens the loader image flash
area, but opens the app/split image flash arta twice. This prevents
split_image_check from passing and the app from ever loading.
Signed-off-by: Alvaro Prieto <source@alvaroprieto.com>
mbedTLS made sha256 functions that do not return errors deprecated. This
updates to use the new functions avoiding the extra functions calls, and
breakage when the deprecated calls are effectively removed.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This fixes#480.
When mcuboot rewrites image trailers during a swap, some information is
lost. If a reset occurs before the swap completes, mcuboot may not be
able to determine what which swap type to resume upon startup.
Specifically, if a "revert" swap gets interupted, mcuboot will perform
an extraneous swap on the subsequent boot. See
https://github.com/JuulLabs-OSS/mcuboot/issues/480 for details.
This commit adds an additional field to the image trailer: `swap-type`.
The new trailer structure is illustrated below:
```
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ~
~ Swap status (BOOT_MAX_IMG_SECTORS * min-write-size * 3) ~
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Encryption key 0 (16 octets) [*] ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Encryption key 1 (16 octets) [*] ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Swap size | 0xff padding (4 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Swap type | 0xff padding (7 octets) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Copy done | 0xff padding (7 octets) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Image OK | 0xff padding (7 octets) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ MAGIC (16 octets) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
The `swap-type` field contains one of the `BOOT_SWAP_TYPE_[...]` constants.
Every time a trailer is written, this field is written along with it.
When resuming an interrupted swap, mcuboot uses this field alone to
determine the type of swap being resumed. For new swap operations
(non-resume case), this field is not read at all; instead, mcuboot
consults the `boot_swap_tables` array to determine the swap operation to
perform (as it did prior to this commit).
Some additional changes were necessary to make all the simulated unit
tests pass:
* Before initiating a new swap operation, always write the image trailer
to the scratch area. This step allows mcuboot to persist the
`swap-type` field somewhere before erasing the trailer in the primary
slot. If a reset occurs immediately after the erase, mcuboot recovers
by using the trailer in the scratch area.
* Related to the above: if the scratch area is being used to hold status
bytes (because there are no spare sectors in the primary slot), erase
the scratch area immediately after the trailer gets written to the
primary slot. This eliminates ambiguity regarding the location of the
current trailer in case a reset occurs shortly afterwards.
Signed-off-by: Christopher Collins <ccollins@apache.org>
Prior to this change, the scratch image trailer had a different format
from a slot image trailer. Specifically:
1. The scratch trailer only contained a single set of status entries
(three bytes); the slot trailer contained `BOOT_STATUS_MAX_ENTRIES`
sets of status entries.
2. The scratch trailer did not contain the `copy_done` field.
This inconsistency required some extra conditional logic in the trailer
handling code. It is simpler to just use the same trailer format
everywhere.
This commit removes this inconsistency. Now, the scratch trailer
structure is identical to that of the slot trailer.
Signed-off-by: Christopher Collins <ccollins@apache.org>
In addition to the binary capability flags, add a query function that
returns the number of images MCUboot has been configured to support.
Signed-off-by: David Brown <david.brown@linaro.org>
The change
boot: bootutil: Simplify check for crypto backends to reduce complexity
Adding multiple crypto backends will grow quadraticly. This change will
ensure that the growth will be linear and generate less complexity.
unfortunately is not legal C. It can be fixed by eliminating the
intermediate macro, so that the `defined` keywords are within the `#if`.
Signed-off-by: David Brown <david.brown@linaro.org>
mcuboot tests are done under sim and there is no need to maintain
separate tests just for Mynewt. Especially that those no longer
compile nor are maintained.
Also Mynewt code will rather depend on release and not master so
there is no need to run those on Mynewt anyway.
Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
The build overflows by 100B using the 7-2018-q2-update GNU Arm
Embedded toolchain. Turn on size optimizations; this leaves about 19%
of the partition's flash available for MCUboot to grow into.
Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
The removal of CONFIG_BOOT_HAVE_LOGGING in 15aa6ef ("zephyr: remove
BOOT_HAVE_LOGGING Kconfig option") missed some uses. In particular,
the one in mcuboot_config.h that converts Kconfig options to MCUboot's
platform-agnostic configuration macros.
This broke logging even when the relevant Kconfig options were on.
Fix things up by using CONFIG_LOG instead.
Tested logging works again on nrf52840_pca10056. Build tested
nrf51_pca10056 to make sure it still fits. The nrf52840_pca10059 build
overflows flash by 0.16%, but that was a problem before 15aa6ef.
Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
This commit removes the non-standard BOOT_HAVE_LOGGING Kconfig option.
Instead the standard LOG / MCUBOOT_LOG_LEVEL can be used to control
logging.
Signed-off-by: Piotr Mienkowski <piotr.mienkowski@gmail.com>
Adding multiple crypto backends will grow quadraticly. This change will
ensure that the growth will be linear and generate less complexity.
Signed-off-by: Sigvart Hovland <sigvart.m@gmail.com>
It is no longer necessary to override TEXT_SECTION_OFFSET when
BOARD_HAS_NRF5_BOOTLOADER. The nrf52840_pca10059 board no longer
overrides TEXT_SECTION_OFFSET but sets the correct FLASH_LOAD_OFFSET
instead, automatically.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
Fix bug #399 where dts.overlay was not being appended.
The build scripts were erroneously modifying the shadowed non-cache
variable instead of the cache variable.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Adds `CC310` define which wraps the generic CC310 interface adds
includes for using `NRF_CC310_BL` to CMakeLists. This requires `nrfxlib`
to be located outside of the mcuboot folder by 1 directory level. Also
add the Kconfig defines needed for this to build while trying to make it
generic enough to be used by other vendors that have implemented
`CC310`.
Signed-off-by: Sigvart Hovland <sigvart.m@gmail.com>
The bootutil unit tests fail to build with the following error:
Testing package @mcuboot/boot/bootutil/test
Unsatisfied APIs detected:
* log, required by: sys/log/modlog
This commit adds a `sys/log/stub` dependency to the bootutil unit test
package.
NOTE: This unit test package still fails to build because the code is
out of date. This commit just fixes one of several issues.
Signed-off-by: Christopher Collins <ccollins@apache.org>
These unit tests were failing with build errors such as this:
boot/boot_serial/test/src/testcases/boot_serial_img_msg.c:64:26: error: use of undeclared identifier 'FLASH_AREA_IMAGE_PRIMARY'
rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY, &fap);
^
The `FLASH_AREA_IMAGE_{PRIMARY,SECONDARY} definitions were not visible
because `MCUBOOT_MYNEWT` was not getting defined in the boot_serial
unit test package.
This commit defines `MCUBOOT_MYNEWT` in the boot_serial unit test
package, and adds the necessary include to pull in the PRIMARY /
SECONDARY definitions.
Signed-off-by: Christopher Collins <ccollins@apache.org>
This change only affects the Mynewt port.
Prior to this commit, the `FLASH_AREA_IMAGE_{PRIMARY,SECONDARY}` macros
were private to the bootutil package (defined in `bootutil_priv.h`).
Some other packages require these symbols (e.g., the boot_serial unit
tests), so they should be made public.
This commit moves these definitions into the public `bootutil.h` header.
Signed-off-by: Christopher Collins <ccollins@apache.org>
Select the code partition as the target for link into.
This patch together with
https://github.com/zephyrproject-rtos/zephyr/pull/14620
fixes the issue which was imposed while zephyr moves
DTC before Kconfig processing in its build process.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
boot_enc_valid() is supposed to return boolena so
changed it return type in order to reflect this.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
enc_state table was indexed with assumption that
image flash area are subsequent and increasing numbers.
It might not be true while building zephyr.
Patch introduce flash_area_id_to_image_slot() implementation for
the zephyr port and uses it to assign proper slot number.
This API is already available in MyNewt.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
This change replaces the slot 0/1 terminology with primary/secondary
slot and replaces FLASH_AREA_IMAGE_0/1 with
FLASH_AREA_IMAGE_PRIMARY/SECONDARY. This naming convention may be more
understandable, fits better to MCUs with multiple images and it is an
architecture agnostic alternative as well.
Change-Id: I655a585f6ae023852c671ee6635399efe25209c9
Signed-off-by: David Vincze <david.vincze@arm.com>
Signed-off-by: David Brown <david.brown@linaro.org>
The pattern that 'set_conf_file' has been added to the Zephyr build
system, so it is not necesary for the application build script to
implement it.
Also, the macro has been deprecated, so it should not be used.
This change is a pure refactoring.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The logger issue on Xtensa is resolved in mainline Zephyr with
239805b2d82aebee4969c3ae57fbf8025c4fb60d. Hence logging can be
enabled now.
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
This Kconfig parameter makes MCUboot wait for a prescribed duration
of time to allow for USB DFU to be invoked.
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
Fix#10990.
A warning is triggered when snprintf is used because it is being
declared / configured incorrectly. The MBEDTLS configuration is
defaulting to disabling all of LIBC, and then explicitly enabling the
LIBC functions in use, this has been done for printf with
MBEDTLS_PLATFORM_STD_PRINTF, but not for
MBEDTLS_PLATFORM_STD_SNPRINTF.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Zephyr changed way of generation UART device name label
which implies device name label text change.
Patch aligns the code to above change.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
zephyr macro min() was hanged to MIN()
Kconfig key CDC_ACM_PORT_NAME was changed to CDC_ACM_PORT_NAME_0
zephyr sha of the fixing time is 406dc2cb0e2868392f444677ace416440695829f.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Cleaned up the conf file for intel_s1000_crb by defining only
those values that are different from prj.conf.
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The pyocd runner in zephyr changed its arguments slightly when it
converted to the new unified pyocd tool with subcommands. Change the
board runner args here similarly so we can use 'west flash' again for
the zephyr bootloader.
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
Let's ensure that random Zephyr changes in logging don't affect
the resource usage in MCUBOOT, by setting LOG_LEVEL_DEFAULT
to 0.
Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Rather than use LOG_DEFAULT_LEVEL to control MCUBOOT's log output,
let's create an MCUBOOT specific log level setting.
Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Signed-off-by: Krzysztof Chruscinski <krzysztof.chruscinski@nordicsemi.no>
Commit 1d9e5ee1 ("logging: Refactoring 'in place' mode to reduce memory
footprint") changed the resource restrained version of LOGGER from
LOG_INPLACE_PROCESS to LOG_IMMEDIATE.
Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Zephyr flash_map reworks caused that areas id exact number are
assigned dynamically.
This patch i counterpart to
https://github.com/zephyrproject-rtos/zephyr/pull/8837
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The upstream Zephyr runner for nrfjprog now supports an --erase
toggle, which controls whether a mass-erase is done. Add that to its
invocation when CONF_ZEPHYR_TRY_MASS_ERASE is given, just like is done
for dfu-util and pyocd.
Signed-off-by: Marti Bolivar <marti@foundries.io>
This change affects the "set pending" operation. That is, the operation
that configures mcuboot to temporarily swap images on the next boot.
PRIOR TO COMMIT:
If the slot 1 trailer contained an invalid 128-bit magic number, an
assertion would fail, causing a crash.
AFTER COMMIT:
If corruption is detected in the slot 1 trailer, the entire image slot
is erased, and the "set pending" operation fails with a `BOOT_EBADIMAGE`
status.
RATIONALE:
mcuboot cannot meaningfully recover from data corruption. The only
recourse is to erase the bad data so that future upgrades can be
performed. I was tempted to add a build-time setting to control whether
the image slot gets erased when corruption is detected, but I dont think this
freedom justifies the cost of extra config. A device with a corrupt
image slot can no longer be upgraded, so the only reason someone would
want to preserve the corrupt data would be for debugging.
Signed-off-by: Christopher Collins <ccollins@apache.org>
Disable logging and enable size optimizations on
nrf51_pca10028 target in order to fit in boot slot size
for out-off-the-box build.
fixes#411
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Previously it was assumed that the trailer would fit one sector. While
this works for most devices, some which happen to have lots of sectors
end up using lots of space for their swap status area. The same issue
could also happen if sectors are small (less than 2K/4K, for example).
This fixes the issue by checking the trailer size and erasing all
sectors that encompass it.
Signed-off-by: Fabio Utzig <utzig@apache.org>
David Vincze