Allow runtime generation of CRT params when not available in the
embedded private key. Also remove parsing/calculation of CRT
parameters when CRT was disabled in the config (mbedTLS does not
use those in this case).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Added sample.yaml which is required for automatically building
mcuboot using zephyr sanitycheck.
Can be run by zephyr sanitycheck locally using
--testcase-root=/path/to/mcuboot/boot/zephyr
to make it detect the sample.yaml added.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
This adds a Kconfig feature CONFIG_BOOT_USE_BENCH, which when enabled
will print the simple benchmarking output as log messages.
Signed-off-by: David Brown <david.brown@linaro.org>
Add a `bootutil/bench.h` file that defines two calls
`boot_bench_start()` and `boot_bench_stop()` along with a type for the
state. These calls can be placed around blocks of code, and with a
properly defined implementation, will print simple performance
information about these operations.
This change merely adds the includes, and the empty implementations that
are used if the benchmarking feature is not enabled.
Signed-off-by: David Brown <david.brown@linaro.org>
In the zephyr code-base some generic include paths
and defines had been deprecated for a while.
This condition was maintained until zephyr v2.1.0 inclusive.
Recently these deprecated items were removed completely from
the zephyr master branch. The current zephyr SHA for this patch is
e124c1cd34938f02bbe879533c6bd29b5ff53707
This patch switches mcuboot to use the most recent items.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
There are a few error messages printed by the boot code. In a normal
platform, these are real errors, and really should print a message.
However, in the simulator, we intentionally create these scenarios, and
these errors only serve to distract from the rest of the test output.
Conditionalize the error prints based on whether we are running in the
simulator.
Signed-off-by: David Brown <david.brown@linaro.org>
* Adds a new level (BOOT_LOG_SIM) to be used only for messages that
are interesting while debugging bootutil in the simulator. This should
be used for extra verbose prints.
* Also added fflush calls after fprintf calls to guarantee that messages
are printed even when assertions are raised.
* For abstraction completeness, add "do nothing" definitions of _LOG_SIM
to the other ports.
* Make DEBUG the default level when building the simulator (one can
still lower verbosity using any other value for RUST_LOG).
Signed-off-by: Fabio Utzig <utzig@apache.org>
Fix an issue where an upgrade could fail to execute.
This happened randomly in the "perm_with_fails" test in the simulator;
for it to happen the first reset had to occur just after writing the
metadata to mark the start of a new upgrade, but before any swap happened;
if followed by a new reset happening at a point where the metadata was
erased and rewritten, it would result in an upgrade failure. The images
would still be valid, although in their original slots.
The fix stores the detected boot status source in the state. When
metadata was found in the primary slot we assume a swap has already
started (even though no sector swap has happened) and avoid
erasing/rewriting it.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add Zephyr option to enable building a bootloader that uses an
alternative swap algorithm, that first moves up all sectors in slot1 and
then directly swaps between slot0 and slot1.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add Mynewt option to enable building a bootloader that uses an
alternative swap algorithm, that first moves up all sectors in slot1 and
then directly swaps between slot0 and slot1.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add cap for swap using move and rename old swap upgrade cap to swap
using scratch. Update sim to allow swapping tests to also run using
move.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This implements a swap upgrade that does not use a scratch area. It
works by first moving all sectors in the primary slot up one position,
and then, for each sector X, moving the sector at index X of the
secondary slot to index X of the primary slot, followed by moving sector
X+1 of the primary slot to index X of the secondary slot.
The idea behind this implementation was initially suggested by Jehudi
Maes (@Laczen) and implemented on his own bootloader (ZEPboot).
Signed-off-by: Fabio Utzig <utzig@apache.org>
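The move-based swap in the commit above, as an added illustration that is not MCUboot's code: a small in-memory model with erase-before-write sector semantics and a four-sector slot size assumed for the demo, showing that one spare sector in the primary slot is the only extra space the algorithm needs and that swapping twice restores the original images.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the scratch-less ("move") swap described above.
 * A sector holds a one-byte tag; ERASED models an erased flash sector.
 * The primary slot has one spare sector at the top (NSECT + 1 entries)
 * so that the initial "move everything up one" step has room. */
#define NSECT  4            /* image sectors per slot (assumed for the demo) */
#define ERASED 0xFF

struct slot {
    uint8_t sect[NSECT + 1];  /* the secondary slot uses only the first NSECT */
};

/* Flash semantics: a sector must be erased before it can be programmed.
 * sector_write() fails if the algorithm ever tries to program a sector
 * that still holds data, so the demo functions catch ordering mistakes. */
static void sector_erase(struct slot *s, int idx)
{
    s->sect[idx] = ERASED;
}

static bool sector_write(struct slot *s, int idx, uint8_t v)
{
    if (s->sect[idx] != ERASED) {
        return false;
    }
    s->sect[idx] = v;
    return true;
}

/* Copy one sector: erase the destination, then program the source data. */
static bool move_sector(struct slot *dst, int di, const struct slot *src, int si)
{
    uint8_t v = src->sect[si];    /* read before erasing: dst and src may alias */
    sector_erase(dst, di);
    return sector_write(dst, di, v);
}

/* The swap itself:
 *  1) shift every primary sector up one position, top sector first;
 *  2) for each X in ascending order, primary[X] <- secondary[X], then
 *     secondary[X] <- primary[X+1] (the copy made in step 1).
 * No scratch area is touched; the spare top sector is the only extra space. */
static bool swap_move(struct slot *primary, struct slot *secondary)
{
    for (int x = NSECT - 1; x >= 0; x--) {
        if (!move_sector(primary, x + 1, primary, x)) {
            return false;
        }
    }
    for (int x = 0; x < NSECT; x++) {
        if (!move_sector(primary, x, secondary, x)) {
            return false;
        }
        if (!move_sector(secondary, x, primary, x + 1)) {
            return false;
        }
    }
    sector_erase(primary, NSECT);  /* spare sector now only holds a stale copy */
    return true;
}

/* Run the swap on constructed slot contents and report whether the two
 * images ended up exchanged intact. */
static bool swap_move_demo(void)
{
    struct slot primary   = { { 1, 2, 3, 4, ERASED } };
    struct slot secondary = { { 11, 12, 13, 14, ERASED } };
    const uint8_t want_primary[NSECT]   = { 11, 12, 13, 14 };
    const uint8_t want_secondary[NSECT] = { 1, 2, 3, 4 };

    if (!swap_move(&primary, &secondary)) {
        return false;
    }
    return memcmp(primary.sect, want_primary, NSECT) == 0 &&
           memcmp(secondary.sect, want_secondary, NSECT) == 0 &&
           primary.sect[NSECT] == ERASED;
}

/* Swapping twice (upgrade, then revert) must restore the original layout. */
static bool swap_move_revert_demo(void)
{
    struct slot primary   = { { 1, 2, 3, 4, ERASED } };
    struct slot secondary = { { 11, 12, 13, 14, ERASED } };
    const uint8_t orig[NSECT] = { 1, 2, 3, 4 };

    return swap_move(&primary, &secondary) &&
           swap_move(&primary, &secondary) &&
           memcmp(primary.sect, orig, NSECT) == 0;
}
```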
This moves the functionality that is unique to a scratch based swap
upgrade into a separate file. Later other upgrade strategies can be
added by reimplementing those functions.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The current TLV tag is an unsigned 8-bit integer, that is stored with 8
bits of padding. As the TLV tag is defined to be little endian
(although the code doesn't properly handle this), we can use the 8 bits
of padding as the upper 8-bits, treating the TLV tag as a 16 bit value,
and all existing tags will operate as they did before.
Change the types used throughout the code to represent the TLV to a
`uint16_t`. Change the ANY tag type to `0xffff` instead of `0xff`.
This value is never stored, but will avoid conflicts with any future
allocated tags.
Signed-off-by: David Brown <david.brown@linaro.org>
0e3fa72df4 removed the device tree overlay
that is required to flash mcuboot to the correct partition, and the CMake
variable that pointed to it. Restore it.
Do not restore adding "boards/${BOARD}.overlay" to the list since Zephyr
detects this file automatically now - see https://docs.zephyrproject.org/latest/application/index.html#devicetree-overlays
Signed-off-by: Sergey Koziakov <dya.eshshmai@gmail.com>
Don't set the board to qemu_x86 either; that's not right by any means.
Remove dts.overlay and build system logic related to it in
boot/zephyr/CMakeLists.txt. This file was a hack for arduino_101,
which is no longer supported by Zephyr.
Remove all the other DTC_OVERLAY_FILE logic in general while we're
here. Zephyr picks up
${APPLICATION_SOURCE_DIR}/boards/${BOARD}.overlay and uses it as
DTC_OVERLAY_FILE "for free" if DTC_OVERLAY_FILE is unset.
Adjust the minimum CMake version while we're here to account for
Zephyr build system changes.
Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
Remove this workaround. The Kinetis flash driver has supported
FLASH_PAGE_LAYOUT since at least January 2018.
Signed-off-by: David Brown <david.brown@linaro.org>
Only execute serial recovery if a valid pin condition is detected
during a power-up reset or pin reset on nRF devices with a RESETREAS
register. This is to prevent going into serial recovery when
waking up from power-off mode with the same pin conditions that
are configured to trigger serial recovery.
Signed-off-by: Jon Helge Nistad <jon.helge.nistad@nordicsemi.no>
While doing a revert, the image encryption keys might be saved temporarily
in the scratch area; this is required in situations where we need to swap
one of the last sectors of the primary slot. When this happens, and the
device is interrupted just after restarting the revert swap, bootutil will
try to load the encrypted keys from the primary slot, and possibly use them
in reversed order (image in primary uses key of image in secondary and
vice-versa) which was saved in the test upgrade.
This fixes the issue by reverting the order used to check for the swap
metadata, with scratch being checked before the primary slot.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Use correct macro for the size of a DH shared secret. The previously
used macro had the same size (SHA-256 digest length) but incorrect
semantics.
Signed-off-by: Fabio Utzig <utzig@apache.org>
In overwrite-only mode, the write alignment is not used for much.
Making this a larger value will allow the alignment for a particular
device to be larger than a uint8_t. This will make the trailer size
very large for these devices (and prevent
!defined(MCUBOOT_OVERWRITE_ONLY) from being used), but at least allows
the overwrite only mode to be used on these devices.
Signed-off-by: David Brown <david.brown@linaro.org>
Ran automated checker for common typos [1]. Most of these changes have
no functional change *except* for `./ci/sim_run.sh` where, previously
the `bootstrap` feature wasn't being selected properly.
I didn't touch anything in the `./ext/` folder as anything in there
should probably be fixed in the upstream repo.
[1] https://github.com/codespell-project/codespell
Signed-off-by: Sam Bristow <sam@bristow.nz>
Add a new Mynewt option that allows for overriding the default
`hal_system_start` routine; this allows for startup customizations
required by some BSPs.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Before using the image and header size fields from the image header,
verify that both of these values are sane. In this case, sanity means
that there is no arithmetic overflow when they are added, and that the
result is within the bounds of the containing flash region. This is
done in addition to the check of the header's magic number.
Signed-off-by: David Brown <david.brown@linaro.org>
To facilitate better checking for integer overflow, add these two
functions to add while checking for overflow. If the result overflows,
they will return an error, instead of performing the addition.
Signed-off-by: David Brown <david.brown@linaro.org>
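The overflow-checked addition and the header sanity check from the two commits above, as an added illustration rather than MCUboot's own code; the helper names, the header struct, the field widths and the magic value are stand-ins chosen here.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical names: the commit messages say two overflow-checking add
 * helpers were added but do not name them, so these are stand-ins. Each
 * returns 0 and stores the sum, or -1 without touching *out on overflow. */
static int add_u16_checked(uint16_t a, uint16_t b, uint16_t *out)
{
    if (a > (uint16_t)(UINT16_MAX - b)) {
        return -1;
    }
    *out = (uint16_t)(a + b);
    return 0;
}

static int add_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b) {
        return -1;
    }
    *out = a + b;
    return 0;
}

/* Small wrapper: returns the checked 16-bit sum, or -1 on overflow. */
static int u16_sum_or_neg(uint16_t a, uint16_t b)
{
    uint16_t s;
    return add_u16_checked(a, b, &s) == 0 ? (int)s : -1;
}

/* Constructed stand-in for the image header fields the check needs:
 * a magic number, the header size and the image (payload) size.
 * The magic value is a placeholder, not MCUboot's. */
#define DEMO_IMAGE_MAGIC 0x4d434201u

struct demo_image_header {
    uint32_t magic;
    uint16_t hdr_size;
    uint32_t img_size;
};

/* Returns 0 when the header is sane: magic matches, hdr_size + img_size
 * does not overflow, and the result fits inside the flash area of
 * area_size bytes. Any other header is rejected before its sizes are
 * used as read offsets. */
static int image_header_sane(const struct demo_image_header *hdr, uint32_t area_size)
{
    uint32_t end;

    if (hdr->magic != DEMO_IMAGE_MAGIC) {
        return -1;
    }
    if (add_u32_checked(hdr->hdr_size, hdr->img_size, &end) != 0) {
        return -1;                /* sum wraps around: untrusted header */
    }
    if (end > area_size) {
        return -1;                /* image would run past its flash area */
    }
    return 0;
}

/* Convenience wrapper so each case can be checked in one call. */
static int check_header(uint32_t magic, uint16_t hdr_size, uint32_t img_size,
                        uint32_t area_size)
{
    struct demo_image_header hdr = { magic, hdr_size, img_size };
    return image_header_sane(&hdr, area_size);
}
```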
The ext/mbedtls directory has a copy of the ASN.1 parser from the mbed
TLS library. To allow a future change to bring the entire mbed TLS
library in as a submodule under ext, rename this to mbedtls-asn1 to make
it clear this is only a subset.
Signed-off-by: David Brown <david.brown@linaro.org>
In the TLV iterator code a variable is used to save the offset in flash
where the protected TLVs end; this was declared as uint16_t and could
easily overflow so fix it by updating the type to uint32_t.
Signed-off-by: Fabio Utzig <utzig@apache.org>
zephyr changed the way in which it provides the name of the
serial device used by serial recovery.
see: https://github.com/zephyrproject-rtos/zephyr/pull/18752
This patch introduces a build-time configuration of the device name
which is set to exactly the same device that was set before.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
To enable multi image support in mcuboot one needs
to set the 'UPDATEABLE_IMAGE_NUMBER' config.
Add this to zephyr's MCUboot Kconfig to allow this.
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Convert this `extern const uint32_t` to a simple define. Provide an
accessor function so that the simulator is able to access the value as
well. This has a minor improvement on the generated code within MCUboot
itself.
Signed-off-by: David Brown <david.brown@linaro.org>
BOOT_MAX_ALIGN is defined as
extern const uint32_t BOOT_MAX_ALIGN;
and is assigned a value in a single file. This causes extra work when
this is used as the size of a local variable in a function.
The value was made a constant in order for the simulator to be able to
access the value. Instead of making it a "real" constant, keep it as a
define, unifying the value of FLASH_MAX_ALIGN and this one, and provide
an accessor function for the test code to be able to access this value.
This causes a minor improvement in the code generated in
`boot_write_status`, but more importantly, eliminates a VLA from the
code, which increases the possible compilers supported by MCUboot.
Signed-off-by: David Brown <david.brown@linaro.org>
The boot_serial test was failing build because it hadn't been updated to
use new multi-image flash area nomenclature. This fixes the build.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This introduces an API which allows for iteration over an image's TLVs
without resorting to low-level implementation details. All previous TLV
low-level handling was updated to comply with this new interface, and it
also makes it easier for external code to handle TLVs.
The API provides two functions:
1) To start a new iterator:
```
int bootutil_tlv_iter_begin(struct image_tlv_iter *it,
                            const struct image_header *hdr,
                            const struct flash_area *fap, uint8_t type,
                            bool prot);
```
2) To iterate over existing TLVs of given type:
```
int bootutil_tlv_iter_next(struct image_tlv_iter *it, uint32_t *off,
                           uint16_t *len, uint8_t *type);
```
A type of IMAGE_TLV_ANY was added to allow for iteration over all TLVs.
Low-level TLV access functions were removed from API, but low-level
structs are still visible in the namespace.
Signed-off-by: Fabio Utzig <utzig@apache.org>
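An added illustration (not MCUboot's code) of the iterator shape described here and of the 16-bit tag change from the TLV commit earlier on the page: a constructed TLV area is walked with begin/next functions mirroring the API above, reading the former padding byte as the upper byte of the type. The framing, the magic value and all names are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed TLV framing for this demo, modeled on the layout the commits
 * describe: a 4-byte info header (16-bit magic, 16-bit total length), then
 * entries of 16-bit little-endian type, 16-bit little-endian length and
 * payload. The type's upper byte is the former padding byte, so entries
 * written with the old 8-bit tag read back unchanged. The magic value is a
 * placeholder, not MCUboot's. */
#define DEMO_TLV_INFO_MAGIC 0x5a5a
#define DEMO_TLV_ANY        0xffff   /* matches every type; never stored */

struct demo_tlv_iter {
    const uint8_t *base;   /* start of the TLV area */
    uint32_t end;          /* total length declared by the info header */
    uint32_t off;          /* offset of the next entry header */
    uint16_t want;         /* type filter, or DEMO_TLV_ANY */
};

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Shaped like bootutil_tlv_iter_begin(): validate the info header and park
 * the iterator on the first entry. Returns 0, or -1 on a bad header. */
static int demo_tlv_iter_begin(struct demo_tlv_iter *it, const uint8_t *area,
                               size_t area_len, uint16_t type)
{
    uint16_t tot;
    if (area_len < 4 || rd16le(area) != DEMO_TLV_INFO_MAGIC) {
        return -1;
    }
    tot = rd16le(area + 2);
    if (tot < 4 || tot > area_len) {
        return -1;         /* declared size must cover the header and fit */
    }
    it->base = area;
    it->end = tot;
    it->off = 4;
    it->want = type;
    return 0;
}

/* Shaped like bootutil_tlv_iter_next(): 1 when a matching entry is found
 * (off = payload offset), 0 at a clean end, -1 if an entry's length runs
 * past the declared total. */
static int demo_tlv_iter_next(struct demo_tlv_iter *it, uint32_t *off,
                              uint16_t *len, uint16_t *type)
{
    while (it->off + 4 <= it->end) {
        uint16_t t = rd16le(it->base + it->off);
        uint16_t l = rd16le(it->base + it->off + 2);
        uint32_t data = it->off + 4;
        if (l > it->end - data) {
            return -1;     /* length claims bytes outside the TLV area */
        }
        it->off = data + l;
        if (it->want == DEMO_TLV_ANY || it->want == t) {
            *off = data;
            *len = l;
            *type = t;
            return 1;
        }
    }
    return it->off == it->end ? 0 : -1;   /* partial trailing header */
}

/* Count entries of one type (all with DEMO_TLV_ANY); -1 if malformed. */
static int demo_count_tlvs(const uint8_t *area, size_t area_len, uint16_t type)
{
    struct demo_tlv_iter it;
    uint32_t off;
    uint16_t len, t;
    int n = 0, rc;
    if (demo_tlv_iter_begin(&it, area, area_len, type) != 0) {
        return -1;
    }
    while ((rc = demo_tlv_iter_next(&it, &off, &len, &t)) == 1) {
        n++;
    }
    return rc == 0 ? n : -1;
}

/* Constructed sample: total length 28, four entries. 0x0010 and 0x0020 are
 * exactly what the old writer produced (tag byte plus a zero padding byte);
 * 0x0110 is a "new" tag that uses the former padding byte. */
static const uint8_t demo_tlv_area[] = {
    0x5a, 0x5a, 0x1c, 0x00,
    0x10, 0x00, 0x04, 0x00, 'a', 'a', 'a', 'a',
    0x20, 0x00, 0x02, 0x00, 'b', 'b',
    0x10, 0x00, 0x01, 0x00, 'c',
    0x10, 0x01, 0x01, 0x00, 'd',
};
```

Passing a shorter area length than the header declares makes the begin call fail, which is the bounds check a bootloader needs before trusting any offset.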
Upstream PR #547
The recent changes to these are tripping GCC printf-like macro
attribute warnings on my platform. Just cast all the values to ulong
to make everybody's compilers happy.
Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
This allows refactoring a check that was done in multiple places looking
for the same swap types.
Also fixes an issue where dependency checks would be run if a swap type
had a value that indicates fail.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The slot validation routine would result in a non-installed image to be
equivalent to a failed validation, which would set the swap type to
*_FAIL and require special handling in the dependency checks. This
routine was updated, so that it now returns a value that can be used to
check that the error was due to an image not found.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Since a copy/erase during a swap can result in some number of sectors
erased and copied, which is not necessarily equal to 1, update design
document and bootloader function naming to reflect this fact, by using
the postfix "_region" instead of "_sector" in those cases.
This fixes #541
Signed-off-by: Fabio Utzig <utzig@apache.org>
This fixes an issue where dependencies were being decrypted before
hashing when encrypted images are used. When using dependencies, some
"protected" TLVs are added to the image. Those TLVs take part in the
image hash calculation, but are not encrypted and must be sent plain
to the hash update routine.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This fixes two issues related to swap status control:
1. During a swap, the status was written offset by one, because it was
being incremented before it was written to flash. With the increment
happening early the offset was calculated always one position after
where it should be, which would leave the first status index free,
and overwrite the last one (worst case scenario).
2. When an image is too big it requires the swap status to be
temporarily stored on scratch, to allow the last sector on the
primary slot to be erased. The status is written to scratch for 2
status updates, and afterwards copied back to the primary slot, which
then receives future status updates. The code that copied the status
back from scratch to the primary slot was erroneously copying the space
of 3 status writes, which would result in a write over non-erased area
for the third byte.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When only upgrading one slot, the swap type for the non upgraded slot is
BOOT_SWAP_TYPE_FAIL instead of NONE. Account for this, and check slot 0
in this case.
This is probably not the correct solution, but it is unclear when the
dependencies of the other images' first slot would be checked.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
This fixes the issue where an unmet dependency would result in a restart
of image dependency checks. To make the code easier to follow, some
function nesting was removed, functions that check slot dependencies
were renamed appropriately and dependency check is not done when no
upgrades are marked.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The checking of image version compatibility is only used by dependencies
code; this moves the version checking function static, and removes it
from the exported API.
Signed-off-by: Fabio Utzig <utzig@apache.org>
`boot_swap_type_multi` should be used instead. The `BOOT_CURR_IMG` macro
already returns the correct value in single image mode.
For compatibility with external tools like mcumgr, `boot_swap_type`
remains available and always returns the swap type of image 0.
Signed-off-by: Fabio Utzig <utzig@apache.org>
An image must be decrypted when it is loaded on the secondary slot and
its header flag indicates it is encrypted. Instead of checking both
things every time the image is read, add a new macro, MUST_DECRYPT, that
does both checks.
Also `BOOT_CURR_ENC` was simplified to be used directly on
`bootutil_img_validate` calls, returning NULL for no encrypted images.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This updates `image list` and `image upload` objects to support
multi-images. The information about which image is being handled was
added to the CBOR as "image" field, which when not available, is
considered to have value 0.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Allow Mynewt to be used in multi-image builds. Primary and secondary
slots of image 1 are hard-coded to FLASH_AREA_IMAGE_2 and FLASH_AREA_IMAGE_3.
Signed-off-by: Fabio Utzig <utzig@apache.org>
CONFIG_MULTITHREADING is generally assumed to be y by the zephyr
kernel, even though that's not reflected in the Kconfig. For example,
semaphores depend on it being y, but CMake will still build sem.c even
if it's n.
The sensible default for this option is thus y.
However, it's a size advantage to disable it if the platform drivers
are all aware of this option, such as nRF.
Let's re-work our use of this option to keep it disabled when we know
it's safe, but enable it by default so more platforms can be expected
to work out of the box.
Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
For some basic mcuboot configurations the zephyr timers are
not required, which reduces the flash footprint significantly.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
While iterating over the swap table looking for swap type,
avoid asserting on errors; let caller handle error handling.
Signed-off-by: Fabio Utzig <utzig@apache.org>
`boot_read_image_size` was already receiving the bootloader state and
slot; since the image_header is part of the state and can be gathered
from it, it was removed from the list of parameters.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds a single trailer writing routine that can write any amount of
data (up to BOOT_MAX_ALIGN); the functions that were writing to the
trailer now just call this one passing the offset and data/len.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Update each function to calculate the offset based on a previous
function offset, so that if one has to be changed not all functions have
to be updated.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When doing a swap some of the information required by the process
is temporarily written to the status area; previously each data
writing routine tried to find the correct area by looking for the
magic and assuming that data is located there (because everything
fits a single sector). This moves the code to find the magic into
a separate routine that is now used by others.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When the hash key length parameter is invalid (bigger than allowed) just
return an error for the caller routines; this will work like a not found
key and allows the removal of assert() code in this module.
Signed-off-by: Fabio Utzig <utzig@apache.org>
TLV offset was determined by manually adding the header and image
size in many places; this makes the addition into a macro receiving
an image_header to ease future changes.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The boot loader state currently exists as global variable (boot_data)
which is accessed by all routines; this updates all routines that
require access to the state to receive it by parameter.
Variables that are declared as "static" (globals) were #ifdef'ed to
only use static when building a native bootloader, to avoid stack
allocation. When bootutil is built to run in the simulator they are
stack allocated to avoid thread share.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Currently to determine which image is being operated on, there is a global
variable called current_image which is used by most macros and APIs to
correctly access the flash areas required by the bootloader. This moves
this variable to the already existing state struct and refactors all
macros and APIs to receive the current image by parameters. To maintain
compatibility some of the macros were not updated and use image 0 when
called.
The definitions of FLASH_AREA_IMAGE_PRIMARY and FLASH_AREA_IMAGE_SECONDARY
for Mynewt compatibility were moved out of bootutil sources to a Mynewt
specific include file.
Signed-off-by: Fabio Utzig <utzig@apache.org>
For Mynewt, if a watchdog driver is available, it is always used and fed
during a swap operation. Since the swap operation is able to resist resets,
the watchdog can stay disabled to preserve some flash space (watchdog
driver), with the side-effect that a swap might take longer because of
having to resume interrupted operations.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This struct currently relies on padding being done by the C compiler.
Although this is generally done the same across targets, this isn't
required, and it is better to make any padding explicit. This also
makes it clear that there is extra space in this structure that can be
used for another purpose.
The python imgtool is also fixed to match. It was using a 32-bit int,
which only worked in the little endian case.
Signed-off-by: David Brown <david.brown@linaro.org>
This patch adds the capability to check image dependencies in case
of multi-image boot. The dependencies are described with a new type
of TLV in the manifest.
Change-Id: If45f81a00d4324c881634f50156f9939e1bf8707
Signed-off-by: David Vincze <david.vincze@arm.com>
This patch adds the capability to handle multiple firmware images,
to update them independently. Also update the design documentation.
It separates the completion of aborted image swap operations and the
update of images even more as these should be happening at different
stages of the boot process according to the design proposal of
the multiple image support:
https://github.com/JuulLabs-OSS/mcuboot/pull/317.
Change-Id: I7eb5f632298bb08c805bfaee0359703b2ae19e9d
Signed-off-by: David Vincze <david.vincze@arm.com>
This patch introduces the BOOT_IMAGE_NUMBER macro and current_image
variable to support multiple updatable images and the associated
extended flash layout.
The FLASH_AREA_IMAGE_* object-like macros are replaced with
function-like ones and therefore some functions have been updated,
because the labels of a switch statement and the initialization
values of objects with static storage duration have to be constant
expressions.
Change-Id: Ib7b26ec3c94233e52db4f97825ddb6a3e55bb1d3
Signed-off-by: David Vincze <david.vincze@arm.com>
Overload the swap_type field in the image trailer to additionally store
the image sequence number. It indicates which image's swap was
interrupted. It is required by multi image boot to determine which
image the trailer belongs to if boot status is found on scratch area
when the swap operation is resumed.
Change-Id: I6820fd8277931aff4f0db408376eae8b42a030ed
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
When HW / OS provides an always enabled watchdog, this macro can
optionally be implemented to avoid resets which are expected to
occur under normal conditions when swapping very large images or
running on slower devices.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The Mynewt HASH HW driver can be used to do the sha256 validation in the
bootloader instead of relying on mbedTLS/tinycrypt. When enabled it must
be initialized before boot_go (and boot_img_validate) is run, so this
does the extra checking and runs initialization when required.
Signed-off-by: Fabio Utzig <utzig@apache.org>
There is a bug in split_go that never opens the loader image flash
area, but opens the app/split image flash area twice. This prevents
split_image_check from passing and the app from ever loading.
Signed-off-by: Alvaro Prieto <source@alvaroprieto.com>
mbedTLS made sha256 functions that do not return errors deprecated. This
updates to use the new functions avoiding the extra functions calls, and
breakage when the deprecated calls are effectively removed.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This fixes #480.
When mcuboot rewrites image trailers during a swap, some information is
lost. If a reset occurs before the swap completes, mcuboot may not be
able to determine which swap type to resume upon startup.
Specifically, if a "revert" swap gets interrupted, mcuboot will perform
an extraneous swap on the subsequent boot. See
https://github.com/JuulLabs-OSS/mcuboot/issues/480 for details.
This commit adds an additional field to the image trailer: `swap-type`.
The new trailer structure is illustrated below:
```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~                                                               ~
~    Swap status (BOOT_MAX_IMG_SECTORS * min-write-size * 3)    ~
~                                                               ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~               Encryption key 0 (16 octets) [*]                ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~               Encryption key 1 (16 octets) [*]                ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Swap size           |    0xff padding (4 octets)    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Swap type   |            0xff padding (7 octets)            ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Copy done   |            0xff padding (7 octets)            ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Image OK    |            0xff padding (7 octets)            ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~                       MAGIC (16 octets)                       ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
The `swap-type` field contains one of the `BOOT_SWAP_TYPE_[...]` constants.
Every time a trailer is written, this field is written along with it.
When resuming an interrupted swap, mcuboot uses this field alone to
determine the type of swap being resumed. For new swap operations
(non-resume case), this field is not read at all; instead, mcuboot
consults the `boot_swap_tables` array to determine the swap operation to
perform (as it did prior to this commit).
Some additional changes were necessary to make all the simulated unit
tests pass:
* Before initiating a new swap operation, always write the image trailer
to the scratch area. This step allows mcuboot to persist the
`swap-type` field somewhere before erasing the trailer in the primary
slot. If a reset occurs immediately after the erase, mcuboot recovers
by using the trailer in the scratch area.
* Related to the above: if the scratch area is being used to hold status
bytes (because there are no spare sectors in the primary slot), erase
the scratch area immediately after the trailer gets written to the
primary slot. This eliminates ambiguity regarding the location of the
current trailer in case a reset occurs shortly afterwards.
Signed-off-by: Christopher Collins <ccollins@apache.org>
Prior to this change, the scratch image trailer had a different format
from a slot image trailer. Specifically:
1. The scratch trailer only contained a single set of status entries
(three bytes); the slot trailer contained `BOOT_STATUS_MAX_ENTRIES`
sets of status entries.
2. The scratch trailer did not contain the `copy_done` field.
This inconsistency required some extra conditional logic in the trailer
handling code. It is simpler to just use the same trailer format
everywhere.
This commit removes this inconsistency. Now, the scratch trailer
structure is identical to that of the slot trailer.
Signed-off-by: Christopher Collins <ccollins@apache.org>
In addition to the binary capability flags, add a query function that
returns the number of images MCUboot has been configured to support.
Signed-off-by: David Brown <david.brown@linaro.org>
The change
    boot: bootutil: Simplify check for crypto backends to reduce complexity

    Adding multiple crypto backends will grow quadratically. This change will
    ensure that the growth will be linear and generate less complexity.
unfortunately is not legal C. It can be fixed by eliminating the
intermediate macro, so that the `defined` keywords are within the `#if`.
Signed-off-by: David Brown <david.brown@linaro.org>
mcuboot tests are done under sim and there is no need to maintain
separate tests just for Mynewt. Especially since those no longer
compile and are not maintained.
Also Mynewt code will rather depend on release and not master so
there is no need to run those on Mynewt anyway.
Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
The build overflows by 100B using the 7-2018-q2-update GNU Arm
Embedded toolchain. Turn on size optimizations; this leaves about 19%
of the partition's flash available for MCUboot to grow into.
Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
The removal of CONFIG_BOOT_HAVE_LOGGING in 15aa6ef ("zephyr: remove
BOOT_HAVE_LOGGING Kconfig option") missed some uses. In particular,
the one in mcuboot_config.h that converts Kconfig options to MCUboot's
platform-agnostic configuration macros.
This broke logging even when the relevant Kconfig options were on.
Fix things up by using CONFIG_LOG instead.
Tested logging works again on nrf52840_pca10056. Build tested
nrf51_pca10056 to make sure it still fits. The nrf52840_pca10059 build
overflows flash by 0.16%, but that was a problem before 15aa6ef.
Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
This commit removes the non-standard BOOT_HAVE_LOGGING Kconfig option.
Instead the standard LOG / MCUBOOT_LOG_LEVEL can be used to control
logging.
Signed-off-by: Piotr Mienkowski <piotr.mienkowski@gmail.com>
Adding multiple crypto backends will grow quadratically. This change will
ensure that the growth will be linear and generate less complexity.
Signed-off-by: Sigvart Hovland <sigvart.m@gmail.com>
It is no longer necessary to override TEXT_SECTION_OFFSET when
BOARD_HAS_NRF5_BOOTLOADER. The nrf52840_pca10059 board no longer
overrides TEXT_SECTION_OFFSET but sets the correct FLASH_LOAD_OFFSET
instead, automatically.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
Fix bug #399 where dts.overlay was not being appended.
The build scripts were erroneously modifying the shadowed non-cache
variable instead of the cache variable.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Adds a `CC310` define which wraps the generic CC310 interface and adds
includes for using `NRF_CC310_BL` to CMakeLists. This requires `nrfxlib`
to be located outside of the mcuboot folder by 1 directory level. Also
add the Kconfig defines needed for this to build while trying to make it
generic enough to be used by other vendors that have implemented
`CC310`.
Signed-off-by: Sigvart Hovland <sigvart.m@gmail.com>
The bootutil unit tests fail to build with the following error:
```
Testing package @mcuboot/boot/bootutil/test
Unsatisfied APIs detected:
    * log, required by: sys/log/modlog
```
This commit adds a `sys/log/stub` dependency to the bootutil unit test
package.
NOTE: This unit test package still fails to build because the code is
out of date. This commit just fixes one of several issues.
Signed-off-by: Christopher Collins <ccollins@apache.org>
These unit tests were failing with build errors such as this:
```
boot/boot_serial/test/src/testcases/boot_serial_img_msg.c:64:26: error: use of undeclared identifier 'FLASH_AREA_IMAGE_PRIMARY'
    rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY, &fap);
                         ^
```
The `FLASH_AREA_IMAGE_{PRIMARY,SECONDARY}` definitions were not visible
because `MCUBOOT_MYNEWT` was not getting defined in the boot_serial
unit test package.
This commit defines `MCUBOOT_MYNEWT` in the boot_serial unit test
package, and adds the necessary include to pull in the PRIMARY /
SECONDARY definitions.
Signed-off-by: Christopher Collins <ccollins@apache.org>
This change only affects the Mynewt port.
Prior to this commit, the `FLASH_AREA_IMAGE_{PRIMARY,SECONDARY}` macros
were private to the bootutil package (defined in `bootutil_priv.h`).
Some other packages require these symbols (e.g., the boot_serial unit
tests), so they should be made public.
This commit moves these definitions into the public `bootutil.h` header.
Signed-off-by: Christopher Collins <ccollins@apache.org>
Select the code partition as the target to link into.
This patch together with
https://github.com/zephyrproject-rtos/zephyr/pull/14620
fixes the issue which was imposed when Zephyr moved
DTC before Kconfig processing in its build process.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
boot_enc_valid() is supposed to return a boolean, so
its return type was changed to reflect this.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The enc_state table was indexed with the assumption that
image flash area IDs are subsequent and increasing numbers.
This might not be true while building Zephyr.
This patch introduces a flash_area_id_to_image_slot() implementation for
the Zephyr port and uses it to assign the proper slot number.
This API is already available in MyNewt.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
This change replaces the slot 0/1 terminology with primary/secondary
slot and replaces FLASH_AREA_IMAGE_0/1 with
FLASH_AREA_IMAGE_PRIMARY/SECONDARY. This naming convention may be more
understandable, fits better to MCUs with multiple images and it is an
architecture agnostic alternative as well.
Change-Id: I655a585f6ae023852c671ee6635399efe25209c9
Signed-off-by: David Vincze <david.vincze@arm.com>
Signed-off-by: David Brown <david.brown@linaro.org>
The 'set_conf_file' pattern has been added to the Zephyr build
system, so it is not necessary for the application build script to
implement it.
Also, the macro has been deprecated, so it should not be used.
This change is a pure refactoring.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The logger issue on Xtensa is resolved in mainline Zephyr with
239805b2d82aebee4969c3ae57fbf8025c4fb60d. Hence logging can be
enabled now.
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
This Kconfig parameter makes MCUboot wait for a prescribed duration
of time to allow for USB DFU to be invoked.
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
Fix #10990.
A warning is triggered when snprintf is used because it is being
declared / configured incorrectly. The MBEDTLS configuration is
defaulting to disabling all of LIBC, and then explicitly enabling the
LIBC functions in use; this has been done for printf with
MBEDTLS_PLATFORM_STD_PRINTF, but not for
MBEDTLS_PLATFORM_STD_SNPRINTF.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Zephyr changed the way the UART device name label is generated,
which implies a device name label text change.
This patch aligns the code to the above change.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The Zephyr macro min() was changed to MIN().
The Kconfig key CDC_ACM_PORT_NAME was changed to CDC_ACM_PORT_NAME_0.
The Zephyr SHA at the time of the fix is 406dc2cb0e2868392f444677ace416440695829f.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Cleaned up the conf file for intel_s1000_crb by defining only
those values that are different from prj.conf.
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The pyocd runner in zephyr changed its arguments slightly when it
converted to the new unified pyocd tool with subcommands. Change the
board runner args here similarly so we can use 'west flash' again for
the zephyr bootloader.
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
Let's ensure that random Zephyr changes in logging don't affect
the resource usage in MCUBOOT, by setting LOG_LEVEL_DEFAULT
to 0.
Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Rather than use LOG_DEFAULT_LEVEL to control MCUBOOT's log output,
let's create an MCUBOOT specific log level setting.
Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Signed-off-by: Krzysztof Chruscinski <krzysztof.chruscinski@nordicsemi.no>
Commit 1d9e5ee1 ("logging: Refactoring 'in place' mode to reduce memory
footprint") changed the resource restrained version of LOGGER from
LOG_INPLACE_PROCESS to LOG_IMMEDIATE.
Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Zephyr flash_map reworks caused the exact area ID numbers to be
assigned dynamically.
This patch is a counterpart to
https://github.com/zephyrproject-rtos/zephyr/pull/8837
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The upstream Zephyr runner for nrfjprog now supports an --erase
toggle, which controls whether a mass-erase is done. Add that to its
invocation when CONF_ZEPHYR_TRY_MASS_ERASE is given, just like is done
for dfu-util and pyocd.
Signed-off-by: Marti Bolivar <marti@foundries.io>
This change affects the "set pending" operation. That is, the operation
that configures mcuboot to temporarily swap images on the next boot.
PRIOR TO COMMIT:
If the slot 1 trailer contained an invalid 128-bit magic number, an
assertion would fail, causing a crash.
AFTER COMMIT:
If corruption is detected in the slot 1 trailer, the entire image slot
is erased, and the "set pending" operation fails with a `BOOT_EBADIMAGE`
status.
RATIONALE:
mcuboot cannot meaningfully recover from data corruption. The only
recourse is to erase the bad data so that future upgrades can be
performed. I was tempted to add a build-time setting to control whether
the image slot gets erased when corruption is detected, but I don't think this
freedom justifies the cost of extra config. A device with a corrupt
image slot can no longer be upgraded, so the only reason someone would
want to preserve the corrupt data would be for debugging.
Signed-off-by: Christopher Collins <ccollins@apache.org>
Disable logging and enable size optimizations on the
nrf51_pca10028 target in order to fit in the boot slot size
for the out-of-the-box build.
Fixes #411
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Previously it was assumed that the trailer would fit one sector. While
this works for most devices, some which happen to have lots of sectors
end up using lots of space for their swap status area. The same issue
could also happen if sectors are small (less than 2K/4K, for example).
This fixes the issue by checking the trailer size and erasing all
sectors that encompass it.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Modernize and simplify the build scripts of the Zephyr
bootloader. Most notably, the new build scripts are targeting the
'zephyr_library_' API instead of the 'target_' API.
In addition to simplifying the build scripts, this permits us to be
automatically compatible with an upcoming change that will break the
'target_' API but not the 'zephyr_library_' API.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Instead of detecting an invalid Kconfiguration during CMake
Configure-time we detect it where it belongs, in Kconfig.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The default board should be set simply by 'set'ing the BOARD. This has
the lowest precedence of all possible inputs.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The presence of a Kconfig file will be checked by the build system so
it is not necessary to explicitly set KCONFIG_ROOT.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Commit 3ac36ead3 updated the bundled asn1parser, which now consists of
two files. The Zephyr build system was not updated with that commit which
has broken ECDSA signature builds. This adds the new file.
This fixes #397.
Signed-off-by: Fabio Utzig <utzig@apache.org>
While loading a new EC point, when it was smaller than the expected
number of bytes, a zero padding was being written beyond the end of the
buffer instead of at the initial position.
While this has been working before, it broke when images were signed using
the ring API.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The board cannot output logs on the UART because it is used
by MCUBoot's serial recovery for DFU. Remove logging and
the RTT console from project defaults.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
A recent change in the Mynewt repo
(b10cbea5ef882e7f91d1c34ffcf2506d3e183003) imposes the LOG API
requirement on the `sys/mfg` package. To fix broken builds, make the
Mynewt app and test package depend on `sys/log/stub`.
Signed-off-by: Christopher Collins <ccollins@apache.org>
The crc16.h header has been deprecated in Zephyr.
Update include directive to use the new header.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
The old log subsystem has been deprecated in Zephyr.
Migrate to the new subsystem to avoid compilation warnings.
In-place log processing is selected as it is required because MCUBoot is
a single-thread application.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Remove unused BOOT_LOG_LEVEL macros.
These are not honored, nor usable since they are supposed to be
defined before including the header in which they are defined.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
The mcuboot_logging.h header includes the header for the log subsystem,
which needs to be included regardless of whether logging is enabled
for logging macros to compile correctly.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
Ensure that the offset in .text is zero.
This is necessary to ensure that MCUBoot is linked at
the beginning of the boot partition, as intended.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
As reported by issue #384, some #ifdefery was wrongly done, which broke
overwrite-only mode under Zephyr.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Mynewt builds require the `mcuboot_config.h` file to translate syscfg
setting names to MCUboot setting names. This change fixes a build error
that occurs when MCUboot is built with mbedTLS support:
Error: In file included from keys/bootkeys/src/bootkeys.c:2:0:
repos/mcuboot/boot/bootutil/include/bootutil/enc_key.h:29:10: fatal error: tinycrypt/aes.h: No such file or directory
#include "tinycrypt/aes.h"
^~~~~~~~~~~~~~~~~
Signed-off-by: Christopher Collins <ccollins@apache.org>
This implements AES key unwrapping following RFC-3394 section 2.2.2
using tinycrypt for AES-128 decryption. It is enabled when ECDSA was
chosen as the signature algorithm.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This adds a new option that allows copying slot0, from the contents
of slot1, if slot0 is found out to be erased and not validated, and
the contents of slot1 are validated.
This mechanism basically enables a device to "bootstrap" from the
contents of an external flash that has a valid image, given that the
only flashed thing in the internal flash is the bootloader.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Remove MPU_ALLOW_FLASH_WRITE from prj.conf and put it in
boot/zephyr/Kconfig enabling it only for every ARM_MPU
equipped device.
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
Make RX buffer size configurable for UART. Allow incoming
interrupts while copying data out of that buffer.
Signed-off-by: Marko Kiiskila <marko@apache.org>
This adds bootutil support for slots on different flash devices
that happen to have different sector sizes.
It basically consists of relaxing `boot_slots_compatible` to
allow swaps as long as the sectors that are required to fit both
images are able to fit inside scratch and both slots' sectors have
sizes that are multiples of each other.
This is now tested on the simulator and was tested in a Nordic's
pca10056 using slot0 in internal flash, and slot1 in the external
QSPI flash, configured with 4K, 8K and 16K sized sectors (the HW
is 4KB but Mynewt allows emulating multiples of that!)
Signed-off-by: Fabio Utzig <utzig@apache.org>
For Zephyr the default mbedTLS mempool size for RSA-2048 signing was not
enough to allow for the calculations done by RSA-2048-OAEP (encrypted
images), so when encrypted image support is enabled, increase it to a
value that is known to work.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Encrypted images were known to be failing when the header size was larger
than 256 bytes because of incorrect handling of blocks sent to decryption
and hashing routines. An assert was previously added to check that the header
and read block sizes matched, to avoid running into the known error, but
it was incorrectly enabled also for non-encrypted images.
Now the handling of the header, which is not encrypted, is correctly
separated from the handling of the remaining image, when encryption is
used, to avoid ever sending header data into the decryption routines.
Signed-off-by: Fabio Utzig <utzig@apache.org>
zephyrproject-rtos/zephyr#11180: The Zephyr target was corrupted as
recently Zephyr's device tree started adding a DT_ prefix in
generated labels.
This patch aligns the flash name macro used.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Add a hidden MCUBOOT config entry to mark a project as MCUBOOT.
It is useful when other parts of the system need to be aware
that they are, in fact, the bootloader.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
This commit adds a project configuration for the upcoming
nrf52840_pca10059 board.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
This commit adds a choice for the device to use for serial recovery.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
fixup
This adds a mbedtls config that will enable the simulator to run tests
for the kw based encrypted images.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This allows storing encrypted images in slot1, that are automatically
decrypted when copying to slot0 and re-encrypted when copying from slot0
to slot1.
The encryption works by applying AES-CTR-128 on the image blocks
(excluding the header and TLVs) using a random key. This random key
is itself encrypted using either RSA-OAEP-2048 or AES-KW-128 (AES keywrap
as defined by RFC3394), and appended to the image as newly defined TLVs.
AES-CTR-128 was chosen primarily for having stream cipher properties,
which basically means that any block being encrypted/decrypted does not
depend on any other previous blocks results.
The TLV adds about 256 bytes to the image in RSA-OAEP-2048 mode, and 24
bytes in AES-KW-128 mode. Resulting sizes for a Mynewt generated mcuboot
(frdm-k64f):
- swap mode and no signing: 12KB
- adding encryption with RSA-OAEP-2048: 28KB
- adding encryption with AES-KW-128: 20KB
Some extra comments:
- AES-KW-128 requires a fairly new mbedtls with nist_kw support.
- An alternative method which could be added later is ECIES.
- Key-wrapping seems easy enough to implement using just standard
AES-ECB mode that it should be straight-forward to also add support to
tinycrypt.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The implementation of flash_area_read_is_empty introduced recently
uses the deprecated hal_flash_read API, which caused a build failure.
This patch uses Zephyr's native flash_area_read() API, which
solves the bug.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Mynewt has recently added an encrypted flash layer driver, that runs
transparently on any flash, handling reads and writes, and bypassing
other flash operations to the HW driver. As a result of this change,
checking for erased data cannot be done by read + compare to erased_val
but needs to be routed to an empty check on the lower level. To do this
Mynewt added a new flash_map function called "flash_area_read_is_empty"
which checks for erased blocks (and reads/decrypts the data as well).
This commit uses `flash_area_read_is_empty` to determine if magic,
flags and swap status are erased. For Zephyr/sim commits were added
previously that mimic this functionality by simply doing the
read/compare.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This complements the previous change on `image_ok` and also removes
`flash_area_erased_val` call that is not needed anymore.
Signed-off-by: Fabio Utzig <utzig@apache.org>
It was impossible to set the confirm flag due to an incorrect comparison.
At this point in time state->image_ok is already decoded and contains
one of the following values:
If BOOT_FLAG_UNSET then we are ok to set a confirm flag.
Signed-off-by: Łukasz Rymanowski <lukasz.rymanowski@codecoup.pl>
This will fix #335 by defining the array size of the magic word and
give it to the relevant functions.
Signed-off-by: Hovland, Sigvart <sigvart.hovland@nordicsemi.no>
For Zephyr assume flash is always erased to 0xff. This allows backward
compatibility of the new flash erased to 0 support.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This extends mcuboot to allow use on devices which don't follow the
typical erased at 0xff. This was tested on some previously supported
devices (erased at 0xff) and STM32L1/L0 which are erased at 0.
Signed-off-by: Fabio Utzig <utzig@apache.org>
MCUboot doesn't need mbedTLS's entropy code (you don't need random
numbers to check a digital signature), but it enables it. This causes
really scary warnings when building entropy.c, since the test entropy
source is enabled:
[113/197] Building C object zephyr/ext/lib/crypto/mbedtls/CMakeFiles/ext__lib__crypto__mbedtls.dir/library/entropy.c.obj
/home/mbolivar/src/zephyr/ext/lib/crypto/mbedtls/library/entropy.c:31:2: warning: #warning "**** WARNING! MBEDTLS_TEST_NULL_ENTROPY defined! " [-Wcpp]
#warning "**** WARNING! MBEDTLS_TEST_NULL_ENTROPY defined! "
^~~~~~~
/home/mbolivar/src/zephyr/ext/lib/crypto/mbedtls/library/entropy.c:32:2: warning: #warning "**** THIS BUILD HAS NO DEFINED ENTROPY SOURCES " [-Wcpp]
#warning "**** THIS BUILD HAS NO DEFINED ENTROPY SOURCES "
^~~~~~~
/home/mbolivar/src/zephyr/ext/lib/crypto/mbedtls/library/entropy.c:33:2: warning: #warning "**** THIS BUILD IS *NOT* SUITABLE FOR PRODUCTION USE " [-Wcpp]
#warning "**** THIS BUILD IS *NOT* SUITABLE FOR PRODUCTION USE "
^~~~~~~
Delete the bits of the mbedTLS configuration that compile this
file (along with some testing code we don't care about either) to
clean up the warning. This looks like copy/paste code from the initial
mbedTLS config import into MCUboot.
Signed-off-by: Marti Bolivar <marti@foundries.io>
Various Zephyr boards (I'm looking at you, every-single-nRF-board)
set CONFIG_BT_CTLR=y as well as CONFIG_BT. Make sure it's disabled for
MCUboot's default prj.conf, where it's not needed and has been causing
very verbose Kconfiglib warnings:
warning: BT_CTLR (defined at subsys/bluetooth/controller/Kconfig:10) was assigned the value 'y' but
got the value 'n'. You can check symbol information (including dependencies) in the 'menuconfig'
interface (see the Application Development Primer section of the manual), or in the Kconfig
reference at http://docs.zephyrproject.org/reference/kconfig/CONFIG_BT_CTLR.html (which is updated
regularly from the master branch). See the 'Setting configuration values' section of the Board
Porting Guide as well.
Signed-off-by: Marti Bolivar <marti@foundries.io>
It is possible that while the flash was erased progressively
the flash image status page was not erased.
This patch checks this case and performs an additional erase
if it was required.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
This commit adds the option to erase flash pages while receiving
the firmware, opposed to bulk-erasing the whole image area at
the beginning of the DFU process. This is required on some
hardware that has long erase times, to prevent a long wait
and possibly a timeout during DFU.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The UART device ISR in serial_adapter expected the device
to fire an interrupt for each byte that was received.
Although this might have worked for some devices it wouldn't
work for USB. This commit fixes the issue by modifying the ISR
according to the uart.h documentation.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
On Mynewt some flash drivers on very slow devices tickle the watchdog to
avoid possible hangs; those were also trying to tickle the watchdog in
mcuboot when performing an upgrade or serial boot, without initializing
the watchdog, causing an invalid memory write and reset issue.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Remove the simple pointers and use the "&" operator throughout to
simplify the understanding of the code.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
In order to avoid overwriting an existing allocated buffer that has not
yet been processed by the main loop, switch to a new command buffer
whenever we have received a complete one.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
While building with Zephyr 1.12 for the nucleo_f091rc I got undefined
reference to __set_MSP() during linking. Including soc.h fixes the
problem. Thanks carlesc.
Signed-off-by: Evan Gates <evan@gnarbox.com>
This fixes an issue where the bootloader is activating a timer that is
later not used by the installed target image causing a non handled interrupt
fault.
Signed-off-by: Fabio Utzig <utzig@apache.org>
It was possible that free_queue locks on the self-referencing
node.
This patch introduces a check for this issue.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
For Zephyr it was possible to cause a buffer overflow while decoding
an incoming base64 string. This patch corrects the available
buffer size passed to the base64 decoding function, which mitigates the
issue.
Clean up the boot_serial_start function from unwanted
execution constant pointers.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
Due to an issue described here:
https://github.com/zephyrproject-rtos/zephyr/issues/8393
interrupts are not enabled when multithreading is disabled.
Enable interrupts to allow the serial recovery mode UART to receive
characters.
Note: This commit must be reverted once the issue is addressed.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
The k_fifo_* primitives are not available when multithreading is
disabled. Use sys_slist_* instead.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
Power management requires multithreading and other kernel features that
are disabled in MCUboot, so disable it to avoid interrupts being
confused by power management code wrappers.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
- Remove dependency to sprintf()
- Remove dependency to cborattr
- mynewt: replace console with more direct interface to uart
- mynewt: settings to reduce included os code
Signed-off-by: Marko Kiiskila <marko@runtime.io>
With serial recovery enabled, assertion conditions were improper,
which caused a runtime assertion whenever the __ASSERT macro was enabled
along with the serial recovery mode running.
This patch fixes the issue.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The swap status area is used to maintain information that allows
recovery when interrupted in the middle of a swap. This area has no
usefulness when doing an overwrite-only upgrade, which always copies the
entire slot.
Signed-off-by: Fabio Utzig <utzig@apache.org>
In order to provide a pleasant out-of-the-box experience to users,
default to the RSA .pem file so that users do not get a cryptic error
when building with the default .conf file in upstream.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
The hardcoded keys for Zephyr were removed and external references were
added for the built time autogenerated variables. A hardcoded key file
was added specifically for the simulator.
Signed-off-by: Fabio Utzig <utzig@apache.org>
For both RSA (which uses Zephyr's mbedTLS copy) and ECDSA (which uses
our own for ASN1 parsing) use the common "mcuboot-mbedtls-cfg.h" header
file instead of relying on the default config.h bundled with mbedTLS.
Additionally issue a descriptive error when CONFIG_MBEDTLS is set and we
are building with our own copy.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
This removes settings of log level on a per file basis. The log level
should be set by the global config, while per file log configuration can
still be set, don't enforce them.
Signed-off-by: Fabio Utzig <utzig@apache.org>
For Mynewt when no logging (default option) or serial boot was selected,
avoid initializing all the serial supporting system. This makes it possible
to save flash space when only basic bootloader functionality is used.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Now bootutil_log.h was converted to use per platform logging primitives
defined according to documentation established on the template file.
Some "null" macros were left to avoid breaking per source logging level
definition when MCUBOOT_HAVE_LOGGING was not defined.
Signed-off-by: Fabio Utzig <utzig@apache.org>
New logging macros were added for all supported platforms, following the
documentation defined in the template config file.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This patch isolates mcuboot settings under `MCUBoot`
menu in menuconfig view. This improves legibility.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The patch introduces usage of the Zephyr flash_map module instead
of the mcuboot zephyr-only implementation. The unused flash_area_to_sectors
API of the former flash_map was removed as well.
The size of a sector-status-update-map entry is now defined thanks to the
minimum write size supported by the flash driver.
To avoid ambiguity the former zephyr-only file flash_map.c
was renamed to flash_map_extended.c (its code now implements
only additions to what the zephyr flash_map implements).
The flash_map.h header include is now wrapped by the flash_map_backend.h header
because implementations and include paths are different in Zephyr and Mynewt.
Usage of hal_flash_align() was replaced by usage of flash_area_align().
This provides consistency between the MyNewt and Zephyr implementations as
this API is available in both RTOSes.
flash_map.h was moved to the simulator c-support files as it is now missing in
the boot/zephyr subdirectories.
f. boot_scratch_fa_device_id was removed as unused.
f. boot_img_fa_device_id was removed and the only use of it expanded
(in loader.c).
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
This removes the old "TLV size" and "keyId" fields that used to exist
in the old image header format and updates it to use `load_addr`. Also
fixes the name of reserved fields to index from 1.
This fixes #279
Signed-off-by: Fabio Utzig <utzig@apache.org>
The unit tests depend on a few Mynewt packages (`test/testutil` and
`sys/console/stub`). If there is no repo prefix in the dependency
specifier, newt assumes the package is in the local repo (mcuboot).
This commit adds the `@apache-mynewt-core/` prefix to these
dependencies.
Signed-off-by: Christopher Collins <ccollins@apache.org>
Continue removing platform-specific conditional compilation from
bootutil by adding a new MCUBOOT_HAVE_ASSERT_H configuration option
and associated header file. Right now, that's only used by the
simulator.
That leaves just bootutil_log.h with platform-specific contents, but
since it's meant to be an abstraction layer for logging, we'll let it
stand for now.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Take the opportunity to clean up a bit of platform cruft that has
gotten into bootutil by moving it to mcuboot_config.h, and ensuring it
is documented in the template config file.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
This allows us to delete all the remaining compiler command line
configuration from CMakeLists.txt.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Finish the job of removing the CONF_xxx fields from CMakeLists.txt by
using the Kconfig symbol from the application runner configuration macro.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Handle CONFIG_BOOT_UPGRADE_ONLY in mcuboot_config.h, and switch the
release test Makefile to using an OVERLAY_CONFIG fragment.
This removes the last user of the Makefile BOOTLOADER_CONFIG variable,
so delete it as well.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Handle CONFIG_BOOT_VALIDATE_SLOT0 in mcuboot_config.h, and switch to
setting it with an OVERLAY_CONFIG fragment in the test Makefile.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>