This adds new cargo features to allow running tests of encrypted
images with both RSA-OAEP and AES-128-KW.
When installing images on the simulated flash, both a plain and an
encrypted images are created. When encrypted image support is enabled,
verification of images in slot1 match against the encrypted image,
otherwise plain images are used.
PS: Also fixes ImageHeader to match bootutil definition.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This extends the simulator to be able to test the bootloader in devices
which use flash technologies that erase flash at 0 instead of 0xff.
Two MCU devices that have this "property" are the STM32L0x and STM32L1x
lines from ST.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This also updates the RSA test to add extra build files for zeroize, and
updates to new calloc/free configuration style.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This updates error-chain to remove a warning on recent rust distros.
`pem` was update to get fairly recent `error-chain` as well.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The hardcoded keys for Zephyr were removed and external references were
added for the built time autogenerated variables. A hardcoded key file
was added specifically for the simulator.
Signed-off-by: Fabio Utzig <utzig@apache.org>
New logging macros were added for all supported platforms, following the
documentation defined in the template config file.
Signed-off-by: Fabio Utzig <utzig@apache.org>
These (currently) trivial files do not add license headers. Go ahead
and add the boilerplate Apache header.
In addition, I've also added an SPDX header. Although this is a first
for the MCUboot project, this will provide a template for adding these
headers to other files.
Fixes#282
Signed-off-by: David Brown <david.brown@linaro.org>
CC: Marti Bolivar <marti@opensourcefoundries.com>
CC: Fabio Utzig <utzig@apache.org>
The patch introduce usage of zephyr flas_map module instead
of mcuboot zephyr-only implementation. Unused flash_area_to_sectors
API of former flash_map was removed as well.
Size of sector-status-update-map entry is now defined thanks to the
minimum write size supported by the flash driver.
For avoid ambiguity former zephyr-only files flash_map.c
were renamed to flash_map_extended.c (its code now implements
only addition to this what zephyr flash_map implements).
flash_map.h header include is now warped by flash_map_backedn.h headre
because implementations and include pathes are diferent in Zephyr and Mynewt.
Usage of hal_flash_align() were replaced by usage flash_area_align().
This provide consistency between MyNewt and Zephyr implementation as
this API is available in both RTOSes.
flash_map.h was moved to the simulator c-support files as now missing in
the boot/zephyr subdirectories.
f. boot_scratch_fa_device_id was removed as unused.
f. boot_img_fa_device_id was and expanded the only use of it
(on loader.c).
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The README file is missing extra information about how to run all the
different test configurations; add this in.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Continue removing platform-specific conditional compilation from
bootutil by adding a new MCUBOOT_HAVE_ASSERT_H configuration option
and associated header file. Right now, that's only used by the
simulator.
That leaves just bootutil_log.h with platform-specific contents, but
since it's meant to be an abstraction layer for logging, we'll let it
stand for now.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Take the opportunity to clean up a bit of platform cruft that has
gotten into bootutil by moving it to mcuboot_config.h, and ensuring it
is documented in the template config file.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
Handle the CONFIG_BOOT_SIGNATURE_TYPE_xxx values in Zephyr's
mcuboot_config.h by converting them into the platform-agnostic MCUboot
definitions.
This requires some changes to the way the release test Makefile is
structured, since Kconfig symbols cannot be set from the command line.
Instead, use the OVERLAY_CONFIG feature of the Zephyr build system,
which allows specifying extra fragments to merge into the final
.config. (This is an orthogonal mechanism to setting CONF_FILE; it is
used by Zephyr's CI script sanitycheck to add additional fragments, so
it's appropriate for use by MCUboot's testing scripts as well.)
We additionally need to move to a single prj.conf file due to a
dependency issue. We can no longer determine CONF_FILE from the
signature type, since that is now determined from the final .config or
autoconf.h, which is a build output that depends on CONF_FILE.
To move to a single prj.conf:
- delete prj-p256.conf and adjust prj.conf to serve both signature types
- add a top-level mbedTLS configuration file which dispatches to
the right sub-header depending on the key type
- as a side effect, have the simulator pick the right config file
depending on the case
This fixes and cleans up quite a bit of the signature type handling,
which had become something of a mess over time. For example, it fixes
a bug in ECDSA mode's configuration that wasn't actually selecting
config-asn1.h, and forces the simulator to use the same mbedTLS
configuration file as builds for real hardware.
Finally, we also have to move the mbedTLS vs. TinyCrypt choice into
mcuboot_config.h at the same time as well, since CMakeLists.txt was
making that decision based on the signature type.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
2.7.0 fixes a security issue but breaks MCU boot. Bump to this version
so that the simulator will verify that this version works properly.
Signed-off-by: David Brown <david.brown@linaro.org>
Move to newer versions of some upstream packages, lazy_static, which is
now at 1.0 (no api change), and error-chain (0.11), which eliminates a
warning during compilation.
Signed-off-by: David Brown <david.brown@linaro.org>
Assertions that are expected to fail under sim test, are now marked as such
using the macro ASSERT which allows to programmatically switch between normal
assert() behavior and captured assertion.
Assertion changes were moved to more appropriate owners and code duplication
was removed.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This test marks the status write regions as a bad region,
causing errors, but it is allowed to complete the swap. On
restart the firmware in slot0 should be validated and work.
Signed-off-by: Fabio Utzig <utzig@apache.org>
At the moment writes always checking that they are being
performed on an erased section of memory. This patch enables
a test to disable that, to enable looking for other error
causes.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add new interface to enable configuring regions of the simulated
memory to fail probabilistically. An entry is based on an offset,
length and rate of failure. This only applies to write operatios
and throws an error that can be caught in tests.
Signed-off-by: Fabio Utzig <utzig@apache.org>
When building in simulator mode, mock assert() to call an simulator
function which will enable other code to check if some path failed.
The assert checking interface, was added to boot_go which now
returns the low-level invocation results as well as the number of
asserts triggered.
Some new added tests check for assert() and expect it to happen. To not
abort tests, assert() was changed under sim env to not call c assert()
and instead just do some internal calculation which could be checked
by the simulator after a bootloader run and assert() catching behavior
was made optional (each test choses the behavior it needs).
Signed-off-by: Fabio Utzig <utzig@apache.org>
This bundles the asn1 parser from mbed-tls into mcuboot, which allows
adding EC crypto (tinycrypt based) functionality for target OSes that
don't bundle mbed-tls.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Our current travis environment still uses gcc 4.8.4 which defaults to
std=gnu90. Some of tinycrypt's code requires c99.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Since ring does not yet support ecdsa signing, a thin layer was added
to allow the simulator to call tinycrypt's signing routine.
Signed-off-by: Fabio Utzig <utzig@apache.org>
This enables building ecdsa feature using tinycrypt (mbed still built
for ASN1). The default mbed-tls config was update to use the MCUBOOT_SIGN_*
symbols.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Fixes warnings treated as errors when upgrading gcc crate to 0.3.54.
Warnings are due to non-used variables and comparison between signed
and unsigned.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Now that the test infrastructure has changed so that the tests can be
run independently, create a series of cargo tests that run them. This
allows the tests to simply be run as:
cargo test
or possibly with feature flags
cargo test --features overwrite-only
It is also possible to run individual tests by giving their name after
the "cargo test" command.
Signed-off-by: David Brown <david.brown@linaro.org>
In order to allow the tests to be run independently, compute the total
count for each image that is generated, and store it in the images
struct. This causes a basic upgrade to be run an additional time for
each top-level test.
Signed-off-by: David Brown <david.brown@linaro.org>
Now that most of the relevant data is assembled into a single `Images`
struct, make the test operations on it into methods on this type.
This change looks larger than it really is because of the indentation
change of moving top-level functions into methods. There is also a lot
of change of `image` to `self`.
Signed-off-by: David Brown <david.brown@linaro.org>
Every use of `Images` uses the same flash device as a base. Move this
value into the struct, instead of having to pass it around in parallel.
Signed-off-by: David Brown <david.brown@linaro.org>
Refactor the tests so that most of the test data is inside of a new
`Run` structure instead of needing to be passed around.
Signed-off-by: David Brown <david.brown@linaro.org>
Lock the simulation with a mutex to prevent concurrent access. The C
code being tested uses globals, and can only be run in one context at a
time. The Rust test framework may run tests concurrently, so use the
mutex to prevent this.
Signed-off-by: David Brown <david.brown@linaro.org>
Move the alignment into the `boot_go` wrapper. Instead of relying on
this as a global, pass it around, ultimately setting it in the C
wrapper. This is in preparation to protecting the `boot_go` call with a
mutex to prevent reentrancy.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of setting/reading a global, pass a reference through the Rust
wrapper to `boot_go`. This is one change needed so that `boot_go` can
be reentrant.
Signed-off-by: David Brown <david.brown@linaro.org>
As a start of doing the testing using Rust/Cargo's test framework, write
a test runner that just runs the existing tests. They run as they do
now, except that there is an assertion that there were no failures.
Signed-off-by: David Brown <david.brown@linaro.org>
So that this can be stored in its own structure, make it own the slot
info (which is only two usize values).
Signed-off-by: David Brown <david.brown@linaro.org>
In preparatio for separable unit tests, move the main body of the
simulator into a library crate, and make the main program just a small
function that initializes the logger, and calls it. The main entry
point is still called main.
Signed-off-by: David Brown <david.brown@linaro.org>
This add a new option to overwrite-only mode that enables copy/erase of
only the amount of sectors that are required to store the source image.
This is enabled by default when overwrite-only mode is used.
MCUB-70
Signed-off-by: Fabio Utzig <utzig@apache.org>
Adds the feature to enable testing of overwrite-only functionality.
While running with this feature enabled, disable tests that try to
revert and disables trailer verification, since overwrite-only doesn't
rely on status writing.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Since we've changed the meaning of several fields in the header, bump
the header to a new magic number. The fields that are still present are
in the same place, but all of the signature and TLV information is moved
into the TLV itself, which is still immediately after the image.
As of this commit, this defines the new image header/TLV format used for
1.0.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
To allow the signatures to be replaced, move the size of the TLV into a
small "info" header at the start of the TLV.
Note that this causes image swapping to lose robustness. This is fixed
by a later commit.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
JIRA: MCUB-65
Remove the key_id field from the image header. There are two problems
with this field. First, it is only an integer offset, and so causes an
unnecessarily tight coupling between the particular keys built into the
bootloader, and the key that is used to sign. Second, it makes the
key_id part of the image header, which is included in the signature.
This makes it impossible to later sign the image with a different
signature.
Instead of the key-id, add a TLV KEYHASH entry. This will hold the
SHA256 of the public key that the signature is against. Each signature
placed in the TLV should be preceeded by this entry to indicate the
public key used.
The signature check will check each signature, and if the KEYHASH is
known and the signature type is supported, it will be checked. As long
as at least one signature is considered valid, the image will be
considered signed. This also allows the image to be signed with
multiple signatures to support having different devices with possibly
different keys compiled into the bootloaders.
Based on work by Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
In preparation for moving the signature related values out of the main
image header and into the TLV, renumber the existing TLV values to be
grouped together better.
The SHA256 is moved into the first group, at 0x10, and the signature
values themselves are moved to start with 0x20.
This change is the first in a series of changes toward the new v1.0
image format. The intermediate results are all internally consistent
(meaning that the simulator, and the builtin imgtool.py will all work
together), but until all patches are applied, the image format is not
valid with any external tools.
Based on work by Marko Kiiskila <marko@runtime.io>.
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
Now that we depend on a submodule for mbed TLS code, update the docs to
explain how to fetch this. Otherwise, the error is somewhat misleading,
just showing a missing sha256.c file.
Signed-off-by: David Brown <david.brown@linaro.org>
This test was added to exercise a bug which happens when a failure
verifying the image in slot 1 would cause a write to image_ok when
the image in slot 0 already was a permanent image.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The docopt package has moved from rustc-serialize to serde. Move to
this version, upgrading the custom deserialize we use for the alignment
argument.
Signed-off-by: David Brown <david.brown@linaro.org>
Move most dependencies to the latest version at the time of this commit.
docopt is left at the current version as there is an api change in the
newer version.
Signed-off-by: David Brown <david.brown@linaro.org>
It isn't necessary for the 'area' module to be exposed. Re-export the
two definitions from the crate at the top level, and make the module
private.
Signed-off-by: David Brown <david.brown@linaro.org>
The mbedtls library is used by the binding crate, so move the submodule
into this directory as well.
Signed-off-by: David Brown <david.brown@linaro.org>
Create a crate `mcuboot-sys` to hold the building and binding of the
mcuboot code. There aren't any substantive code changes here, just
moving the code into a separate crate.
Signed-off-by: David Brown <david.brown@linaro.org>
Using the published debug keypair, generate a signature with it, to add
to the TLV. This verifies that signature verification works as
expected.
Signed-off-by: David Brown <david.brown@linaro.org>
The bitflags crate seems to be better supported, and doesn't have the
problems getting the results back into the enum type.
Signed-off-by: David Brown <david.brown@linaro.org>
Since the signing code will also need a copy of the message, make a
local copy of it in the signature verification code, and compute the
digest all in one shot.
Signed-off-by: David Brown <david.brown@linaro.org>
The ring crate's SHA256 is slightly slower than the one from
rust-crypto, but is much cleaner to use. It also has all of the hashing
operations we need.
This crate is somewhat opinionated, e.g. will not sign messages without
also performing the signature itself. Unfortunately, this means we'll
end up computing signatures of the same data many times, and perhaps
this should be improved, since we're always using the same data.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of stubbing out the image validation code, compile it, and add
the SHA256 TLV to the buffer.
Signed-off-by: David Brown <david.brown@linaro.org>
In preparation for moving the bootutil binding into a separate crate,
move the flash simulator into its own crate. This will allow the
binding to have access to the simulator without creating a circular
dependency.
Signed-off-by: David Brown <david.brown@linaro.org>
Make 'Flash' a trait, and move the current functionality into a type
called 'SimFlash'. The code that runs the simulation only uses the
trait.
Signed-off-by: David Brown <david.brown@linaro.org>
Move the reference to the Flash device up into the Rust code instead of
trying to pass it back and forth to C. This will allow a future change
to use a fat pointer (such as a trait pointer), which ultimately will
allow different kinds of flash devices.
Signed-off-by: David Brown <david.brown@linaro.org>
- Some helper structs added to track state
- Add new trailer checking routine
- Add extra test for upgrade+revert with failure
- Misc improvements
Signed-off-by: Fabio Utzig <utzig@apache.org>
This implements changes according to MCUB-14, easing the process
of making external apps parse and read/write the trailer.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Re-tab run.c to match the rest of the files in the system. This was
indented using Zephyr conventions (tabs for indent). Re-indent using
spaces, with a 4-space indent level.
Signed-off-by: David Brown <david.brown@linaro.org>
Extend the flash emulation in the simulator to verify that the
bootloader explicitly erases flash before writing to it for a second
time.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Implement the new flash sector query API for the simulator. This is
generated from the data for the deprecated API. Once the old API is
removed, the flash simulator can be changed to just return the new data
directly.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
The boot response returns a flash offset, not a flash address. This is
causing confusion and leading to crashes on some platforms which don't
have flash at address 0.
Rename the field to make it more clear what its purpose is; future
patches can start fixing up usages.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Before this change, trailer was handled as part of the binary image,
which during a swap was just copied around together with the image.
This had issues if some fault happened while the trailer copy was
underway.
This patch changes how trailer is handled by making by non-copying.
The trailer is now updated step-by-step based on the current status.
Magic, copy_done and image_ok are also handled by writing them
individually, not by copying.
The trailer on scratch area was reduced to include at most swap state for
one sector, since it is only used temporarily while erasing the last
sector of the slot that stores the final trailer.
Many other small fixes were applied.
Change the C logging code, when in the simulator, to query what the rust
logging level is set to. This allows the level of logging from the C
code to be set through the environment. For example
RUST_LOG=bootsim=info cargo run --release runall
will enable logging at the "info" level for all of the C code as well as
the simulator code. The C code's logging can be selected specifically
by using bootsim::api instead of just bootsim in the above.
Add a configuration option "BOOTUTIL_OVERWRITE_ONLY" that avoids using
the image swap code. Instead, when an upgrade is detected in slot 1, it
is copied directly onto slot 0. As long as the image in slot 1 is
valid, this should work robustly (it will redo it if power is lost
during the upgrade).
This doesn't protect against the case of deploying an image that fails
to boot on some devices. But, the behavior is similar to the swap
upgrade approach when the slot 1 image is marked initially as "image
ok", but without the complexity (or need of a swap partition) of the
swap code.
Add a simple function to query the bootloader for capabilities.
Ultimately, this API should be available to the running app, but the
simulator can use this to determine what to test.
Add logging support for when running in the simulator. Log messages are
still based on compile-time determinations, and log using printf.
Based on a patch from Marti Bolivar <marti.bolivar@linaro.org>.
In change
commit bb5635e074
Author: Fabio Utzig <utzig@utzig.org>
Date: Mon Apr 10 09:07:02 2017 -0300
Add test of multiple random resets while upgrading
in addition to adding the try_random_fails, it shuffled the order that
the initial interruption test ran. However, this test always clones
the flash device, so it doesn't matter what order the tests are run.
Revert this part of the change to avoid unnecessary complexity in the
code.
There are some instances of hard-coded offsets, which break if the
simulated device doesn't have the same configuration. Query these
from the flash descriptor rather than hard-coding them.
Although this contains a phantom pointer, because it is passed to C,
this generates a warning on every compile. Until this is fixed,
remove the lifetime declarations from the structures. The user will
have to make sure that the pointed-to structures remain until the C
structure is completed. For the common case of generating the C
structures just to make a call, this should be safe.
To make the images easier to identify during analysis, set the version
number. The major number tries to be set to the slot number, and the
build number is the byte offset.
Use the Rust logging so that normal messaging isn't overwhelmed by
messages printed. The default level is 'error' which will only print
full errors (including the failures at the end).
To run with warnings:
RUST_LOG=warn ./target/release/bootsim ...
This will print warnings, showing the particular failures in mind.
Using 'info' instead of 'warn' will print lots of progress as it runs.
'sim' is a small simulator for the bootloader's update code. It tests
untimely powerdowns to ensure that the bootloader will recover from a
power loss or reset at any time during the boot.
Note that, as of this commit, there are some failures in the test that
need to be investigated.
Also note that this build script does not output proper dependencies for
source files outside of the simulator directory, and won't rebuild the C
files if they or headers are modified.