Commit Graph

324 Commits

Author SHA1 Message Date
Fabio Utzig 1e48b914a9 Add encrypted image support on sim
This adds new cargo features to allow running tests of encrypted
images with both RSA-OAEP and AES-128-KW.

When installing images on the simulated flash, both a plain and an
encrypted image are created. When encrypted image support is enabled,
verification of images in slot1 matches against the encrypted image,
otherwise plain images are used.

PS: Also fixes ImageHeader to match bootutil definition.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-10-12 13:36:13 -03:00
Fabio Utzig 35d31b4023 Add flash_area_read_is_empty to sim
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-10-01 21:42:20 -03:00
Fabio Utzig ea0290b88b Add sim support for flash erased at 0
This extends the simulator to be able to test the bootloader in devices
which use flash technologies that erase flash at 0 instead of 0xff.
Two MCU devices that have this "property" are the STM32L0x and STM32L1x
lines from ST.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-09-17 12:42:49 -03:00
Fabio Utzig fc711e3de9 Remove usage of hal_flash_align
`hal_flash_*` functions were replaced by `flash_area_*` with similar
functionality.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-09-17 12:42:49 -03:00
Fabio Utzig b04afa9cb3 Update mbedtls submodule to 2.12.0
This also updates the RSA test to add extra build files for zeroize, and
updates to new calloc/free configuration style.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-09-13 06:54:30 -03:00
Fabio Utzig c354e4ac5e Update sim dependencies
This updates error-chain to remove a warning on recent rust distros.
`pem` was updated to get a fairly recent `error-chain` as well.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-07-10 11:11:29 -03:00
Fabio Utzig 806af0ed87 Update old hardcoded keys to use autogenerated
The hardcoded keys for Zephyr were removed and external references were
added for the build-time autogenerated variables. A hardcoded key file
was added specifically for the simulator.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-06-06 11:07:06 -03:00
Fabio Utzig 9a4b9ba1c0 Add per platform mcuboot_logging.h files
New logging macros were added for all supported platforms, following the
documentation defined in the template config file.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-06-04 06:54:39 -03:00
David Brown 34fe103d04 sim: Add missing license headers
These (currently) trivial files do not add license headers.  Go ahead
and add the boilerplate Apache header.

In addition, I've also added an SPDX header.  Although this is a first
for the MCUboot project, this will provide a template for adding these
headers to other files.

Fixes #282

Signed-off-by: David Brown <david.brown@linaro.org>
CC: Marti Bolivar <marti@opensourcefoundries.com>
CC: Fabio Utzig <utzig@apache.org>
2018-05-23 09:29:25 -06:00
Andrzej Puzdrowski b788c71c08 Replace mcuboot flash_map by zephyr flash_map
The patch introduces usage of the zephyr flash_map module instead
of the mcuboot zephyr-only implementation. The unused flash_area_to_sectors
API of the former flash_map was removed as well.
The size of a sector-status-update-map entry is now defined by the
minimum write size supported by the flash driver.

To avoid ambiguity the former zephyr-only file flash_map.c
was renamed to flash_map_extended.c (its code now implements
only additions to what the zephyr flash_map implements).

The flash_map.h header include is now wrapped by the flash_map_backend.h header
because implementations and include paths are different in Zephyr and Mynewt.

Usage of hal_flash_align() was replaced by usage of flash_area_align().
This provides consistency between the MyNewt and Zephyr implementations as
this API is available in both RTOSes.

flash_map.h was moved to the simulator c-support files as it is now missing in
the boot/zephyr subdirectories.

f. boot_scratch_fa_device_id was removed as unused.
f. boot_img_fa_device_id was removed and the only use of it expanded
(in loader.c).

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
2018-05-16 16:05:17 -03:00
Marti Bolivar 4ec7f7686c sim: update README.rst with information on features
The README file is missing extra information about how to run all the
different test configurations; add this in.

Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
2018-04-25 18:44:03 -03:00
Marti Bolivar 248da08849 Move bootsim-specific assert behavior behind mcuboot_config.h
Continue removing platform-specific conditional compilation from
bootutil by adding a new MCUBOOT_HAVE_ASSERT_H configuration option
and associated header file. Right now, that's only used by the
simulator.

That leaves just bootutil_log.h with platform-specific contents, but
since it's meant to be an abstraction layer for logging, we'll let it
stand for now.

Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
2018-04-25 18:44:03 -03:00
Marti Bolivar f9bfddd685 Move max image sector config to mcuboot_config.h
Take the opportunity to clean up a bit of platform cruft that has
gotten into bootutil by moving it to mcuboot_config.h, and ensuring it
is documented in the template config file.

Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
2018-04-25 18:44:03 -03:00
Marti Bolivar a4818a5565 zephyr: migrate signature type to Kconfig
Handle the CONFIG_BOOT_SIGNATURE_TYPE_xxx values in Zephyr's
mcuboot_config.h by converting them into the platform-agnostic MCUboot
definitions.

This requires some changes to the way the release test Makefile is
structured, since Kconfig symbols cannot be set from the command line.

Instead, use the OVERLAY_CONFIG feature of the Zephyr build system,
which allows specifying extra fragments to merge into the final
.config. (This is an orthogonal mechanism to setting CONF_FILE; it is
used by Zephyr's CI script sanitycheck to add additional fragments, so
it's appropriate for use by MCUboot's testing scripts as well.)

We additionally need to move to a single prj.conf file due to a
dependency issue. We can no longer determine CONF_FILE from the
signature type, since that is now determined from the final .config or
autoconf.h, which is a build output that depends on CONF_FILE.

To move to a single prj.conf:

- delete prj-p256.conf and adjust prj.conf to serve both signature types
- add a top-level mbedTLS configuration file which dispatches to
  the right sub-header depending on the key type
- as a side effect, have the simulator pick the right config file
  depending on the case

This fixes and cleans up quite a bit of the signature type handling,
which had become something of a mess over time. For example, it fixes
a bug in ECDSA mode's configuration that wasn't actually selecting
config-asn1.h, and forces the simulator to use the same mbedTLS
configuration file as builds for real hardware.

Finally, we also have to move the mbedTLS vs. TinyCrypt choice into
mcuboot_config.h at the same time as well, since CMakeLists.txt was
making that decision based on the signature type.

Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
2018-04-25 18:44:03 -03:00
David Brown b77262e18d Bump internal mbedtls to 2.7.0
2.7.0 fixes a security issue but breaks MCUboot.  Bump to this version
so that the simulator will verify that this version works properly.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-02-13 15:10:36 -07:00
David Brown 59ae522541 sim: Remove extraneous `mut`
This value does not need to be mutable as it is just given to another
function immediately.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-04 10:36:07 -07:00
David Brown 3df2a0ea15 sim: Update some dependencies
Move to newer versions of some upstream packages, lazy_static, which is
now at 1.0 (no api change), and error-chain (0.11), which eliminates a
warning during compilation.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-04 10:36:07 -07:00
Fabio Utzig 57c40f7164 Fix assert abstraction in sim
Assertions that are expected to fail under sim test are now marked as such
using the macro ASSERT, which allows programmatically switching between normal
assert() behavior and captured assertion.

Assertion changes were moved to more appropriate owners and code duplication
was removed.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig a91c626f89 Mark non-used functions in overwrite only mode
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig eedcc450d6 Add test with write status area fail and interruption
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig b841f0a0c6 Add simple status write test without interruption
This test marks the status write regions as a bad region,
causing errors, but it is allowed to complete the swap. On
restart the firmware in slot0 should be validated and work.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig fa137fc83d Add option to disable verifying contents before writes
At the moment writes always check that they are being
performed on an erased section of memory. This patch enables
a test to disable that, to enable looking for other error
causes.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig f5c895e3fc Add configurable simulation of bad memory writes
Add new interface to enable configuring regions of the simulated
memory to fail probabilistically. An entry is based on an offset,
length and rate of failure. This only applies to write operations
and throws an error that can be caught in tests.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig 9b0ee9034a Enable capturing asserts inside simulator
When building in simulator mode, mock assert() to call a simulator
function which will enable other code to check if some path failed.

The assert checking interface was added to boot_go which now
returns the low-level invocation results as well as the number of
asserts triggered.

Some newly added tests check for assert() and expect it to happen. To not
abort tests, assert() was changed under sim env to not call c assert()
and instead just do some internal calculation which could be checked
by the simulator after a bootloader run, and assert() catching behavior
was made optional (each test chooses the behavior it needs).

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig ebdc969738 Add MCUBOOT_VALIDATE_SLOT0 as feature
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig 43685c211a Enable extra crates in simflash
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig d32fd64e47 Fix mbed-tls' walk_dir in build
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:32:59 -07:00
Fabio Utzig 70f1481af3 Remove duplicated declaration
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:32:59 -07:00
Fabio Utzig ba05f2a309 Add asn1 parser of mbed-tls
This bundles the asn1 parser from mbed-tls into mcuboot, which allows
adding EC crypto (tinycrypt based) functionality for target OSes that
don't bundle mbed-tls.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:32:59 -07:00
Fabio Utzig 0bccf9d84c Build in std=c99 mode
Our current travis environment still uses gcc 4.8.4 which defaults to
std=gnu90. Some of tinycrypt's code requires c99.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig 181e54c382 Update cargo lock
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig 80fde2f544 Add ecdsa signing support to the simulator
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig 92be3fb667 Add ecdsa signing support
Since ring does not yet support ecdsa signing, a thin layer was added
to allow the simulator to call tinycrypt's signing routine.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig c786540825 Add ecdsa to build
This enables building ecdsa feature using tinycrypt (mbed still built
for ASN1). The default mbed-tls config was updated to use the MCUBOOT_SIGN_*
symbols.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig 8b619bda54 Update ring+gcc crates and declare sig-ecdsa feature
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig cd5774b7ba Fix for gcc warnings
Fixes warnings treated as errors when upgrading gcc crate to 0.3.54.
Warnings are due to non-used variables and comparison between signed
and unsigned.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-05 09:55:36 -02:00
David Brown da21ad73c4 sim: Update README for new test organization
Now that the tests can be run using `cargo test`, update the
instructions to reflect this.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown a4167efc8e sim: Create cargo tests for each testcase
Now that the test infrastructure has changed so that the tests can be
run independently, create a series of cargo tests that run them.  This
allows the tests to simply be run as:

    cargo test

or possibly with feature flags

    cargo test --features overwrite-only

It is also possible to run individual tests by giving their name after
the "cargo test" command.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown c49811e855 sim: Move total count into `Images`
In order to allow the tests to be run independently, compute the total
count for each image that is generated, and store it in the images
struct.  This causes a basic upgrade to be run an additional time for
each top-level test.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown f48b95022a sim: Make `Run` a factory for `Images`
Generate the various test images as methods of the `Run` struct.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown 5f7ec2b403 sim: Move `Images` methods to be methods
Now that most of the relevant data is assembled into a single `Images`
struct, make the test operations on it into methods on this type.

This change looks larger than it really is because of the indentation
change of moving top-level functions into methods.  There is also a lot
of change of `image` to `self`.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown 3f687dc5bc sim: Move `areadesc` into `Images` struct
Move this struct into the images struct as well to avoid passing it
around with every call.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown dc9cba140b sim: Move `flash` inside of `Images` struct
Every use of `Images` uses the same flash device as a base.  Move this
value into the struct, instead of having to pass it around in parallel.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown db9a395dd9 sim: Move data into `Run` struct
Refactor the tests so that most of the test data is inside of a new
`Run` structure instead of needing to be passed around.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown 353610dea2 sim: Prevent reentrancy on simulation
Lock the simulation with a mutex to prevent concurrent access.  The C
code being tested uses globals, and can only be run in one context at a
time.  The Rust test framework may run tests concurrently, so use the
mutex to prevent this.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown 541860c28c sim: Pass alignment into `boot_go`
Move the alignment into the `boot_go` wrapper.  Instead of relying on
this as a global, pass it around, ultimately setting it in the C
wrapper.  This is in preparation to protecting the `boot_go` call with a
mutex to prevent reentrancy.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown ee61c8309a sim: Pass counter through boot_go API
Instead of setting/reading a global, pass a reference through the Rust
wrapper to `boot_go`.  This is one change needed so that `boot_go` can
be reentrant.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown ca7b5d33da sim: Enable logging in simulator test cases
When running simulations as unit tests, use a workaround from
https://stackoverflow.com/questions/30177845/how-to-initialize-the-logger-for-integration-tests
to initialize the logging system.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown dd2b118b21 sim: Run main test as a Rust unit test
As a start of doing the testing using Rust/Cargo's test framework, write
a test runner that just runs the existing tests.  They run as they do
now, except that there is an assertion that there were no failures.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown d5e632c43d Move Slotinfo values into Images struct
So that this can be stored in its own structure, make it own the slot
info (which is only two usize values).

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown decbd04644 sim: Extract flash builder
Move the code to build a flash device into its own function.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
David Brown 2639e074fb sim: Move main code into lib crate
In preparation for separable unit tests, move the main body of the
simulator into a library crate, and make the main program just a small
function that initializes the logger, and calls it.  The main entry
point is still called main.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-11-07 09:39:45 -07:00
Fabio Utzig 13d9e35d52 Add faster copy/erase to overwrite-only mode
This adds a new option to overwrite-only mode that enables copy/erase of
only the amount of sectors that are required to store the source image.

This is enabled by default when overwrite-only mode is used.

MCUB-70

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-10-19 09:28:37 -06:00
Fabio Utzig 100bb74b54 Enable overwrite-only testing on sim
Adds the feature to enable testing of overwrite-only functionality.
While running with this feature enabled, disable tests that try to
revert and disables trailer verification, since overwrite-only doesn't
rely on status writing.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-09-13 17:14:22 -06:00
David Brown 72e7a5176f Change the image header magic
Since we've changed the meaning of several fields in the header, bump
the header to a new magic number.  The fields that are still present are
in the same place, but all of the signature and TLV information is moved
into the TLV itself, which is still immediately after the image.

As of this commit, this defines the new image header/TLV format used for
1.0.

Based on work by Marko Kiiskila <marko@runtime.io>

Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
2017-09-06 16:16:58 -06:00
David Brown f5b33d8b9d Place TLV size into TLV itself
To allow the signatures to be replaced, move the size of the TLV into a
small "info" header at the start of the TLV.

Note that this causes image swapping to lose robustness.  This is fixed
by a later commit.

Based on work by Marko Kiiskila <marko@runtime.io>

Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
JIRA: MCUB-65
2017-09-06 16:16:58 -06:00
David Brown 43cda33c5a Move key_id from header into TLV
Remove the key_id field from the image header.  There are two problems
with this field.  First, it is only an integer offset, and so causes an
unnecessarily tight coupling between the particular keys built into the
bootloader, and the key that is used to sign.  Second, it makes the
key_id part of the image header, which is included in the signature.
This makes it impossible to later sign the image with a different
signature.

Instead of the key-id, add a TLV KEYHASH entry.  This will hold the
SHA256 of the public key that the signature is against.  Each signature
placed in the TLV should be preceded by this entry to indicate the
public key used.

The signature check will check each signature, and if the KEYHASH is
known and the signature type is supported, it will be checked.  As long
as at least one signature is considered valid, the image will be
considered signed.  This also allows the image to be signed with
multiple signatures to support having different devices with possibly
different keys compiled into the bootloaders.

Based on work by Marko Kiiskila <marko@runtime.io>

Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
2017-09-06 16:16:58 -06:00
David Brown 27648b8344 Renumber the TLV type values
In preparation for moving the signature related values out of the main
image header and into the TLV, renumber the existing TLV values to be
grouped together better.

The SHA256 is moved into the first group, at 0x10, and the signature
values themselves are moved to start with 0x20.

This change is the first in a series of changes toward the new v1.0
image format.  The intermediate results are all internally consistent
(meaning that the simulator, and the builtin imgtool.py will all work
together), but until all patches are applied, the image format is not
valid with any external tools.

Based on work by Marko Kiiskila <marko@runtime.io>.

Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: David Brown <david.brown@linaro.org>
2017-09-06 16:16:58 -06:00
David Brown 9600ec84f2 sim: Update doc to explain submodules
Now that we depend on a submodule for mbed TLS code, update the docs to
explain how to fetch this.  Otherwise, the error is somewhat misleading,
just showing a missing sha256.c file.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-21 11:50:48 -06:00
Fabio Utzig 645e514b79 Add test checking upgrade to image with bad signature
This test was added to exercise a bug which happens when a failure
verifying the image in slot 1 would cause a write to image_ok when
the image in slot 0 already was a permanent image.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-07-17 15:36:13 -03:00
Fabio Utzig 65935d7111 Fix flash to not ignore write to non-erased area
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-07-17 15:34:36 -03:00
Fabio Utzig 7b47ef7b70 Test imgtool generated FW written to slot0
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-07-13 21:24:03 -03:00
David Brown 046a0a6224 sim: Upgrade docopt dependency
The docopt package has moved from rustc-serialize to serde.  Move to
this version, upgrading the custom deserialize we use for the alignment
argument.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 19:04:18 -06:00
David Brown ccb2a1dd5e sim: Update most dependencies
Move most dependencies to the latest version at the time of this commit.
docopt is left at the current version as there is an api change in the
newer version.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 19:04:18 -06:00
David Brown 0b693c0c74 sim: Enable -Werror
Enable -Werror in the build of the C code (also remove an unneeded TODO
comment).

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 15:00:57 -06:00
David Brown 704ac6f570 sim: Conditionalize rsa signature checking
Allow a build with sig-rsa set or not set.  Only add the signature to
the TLV if we are building with the signature checking.
2017-07-12 15:00:57 -06:00
David Brown f52272c76d sim: Flatten 'area' module in mcuboot-sys
It isn't necessary for the 'area' module to be exposed.  Re-export the
two definitions from the crate at the top level, and make the module
private.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 15:00:57 -06:00
David Brown d2b1853f02 sim: Move csupport into mcuboot-sys
This C code is also part of the binding.  Move it into the binding crate
to reflect this.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 15:00:57 -06:00
David Brown 82bf7c2d09 sim: Move mbedtls into mcuboot-sys
The mbedtls library is used by the binding crate, so move the submodule
into this directory as well.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 15:00:57 -06:00
David Brown 6390277f64 sim: Naive move of binding into mcuboot-sys
Create a crate `mcuboot-sys` to hold the building and binding of the
mcuboot code.  There aren't any substantive code changes here, just
moving the code into a separate crate.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 15:00:57 -06:00
David Brown 7e701d8ca3 sim: Add RSA signature verification to simulator
Using the published debug keypair, generate a signature with it, to add
to the TLV.  This verifies that signature verification works as
expected.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 15:00:57 -06:00
David Brown 1e15859951 sim: Switch to bitflags from enumflags
The bitflags crate seems to be better supported, and doesn't have the
problems getting the results back into the enum type.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 15:00:57 -06:00
David Brown 4243ab09f8 sim: Capture payload in TLV code
Since the signing code will also need a copy of the message, make a
local copy of it in the signature verification code, and compute the
digest all in one shot.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 15:00:57 -06:00
David Brown 8054ce281a sim: Change to `ring` instead of `rust-crypto`
The ring crate's SHA256 is slightly slower than the one from
rust-crypto, but is much cleaner to use.  It also has all of the hashing
operations we need.

This crate is somewhat opinionated, e.g. will not sign messages without
also performing the signature itself.  Unfortunately, this means we'll
end up computing signatures of the same data many times, and perhaps
this should be improved, since we're always using the same data.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 15:00:57 -06:00
David Brown 187dd889dc sim: Validate the SHA256 verification
Instead of stubbing out the image validation code, compile it, and add
the SHA256 TLV to the buffer.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 15:00:57 -06:00
David Brown 2cbc4708e9 sim: Move simflash to be its own crate
In preparation for moving the bootutil binding into a separate crate,
move the flash simulator into its own crate.  This will allow the
binding to have access to the simulator without creating a circular
dependency.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 15:00:57 -06:00
David Brown 7ddec0b5cc sim: Move 'Flash' into a trait
Make 'Flash' a trait, and move the current functionality into a type
called 'SimFlash'.  The code that runs the simulation only uses the
trait.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 15:00:57 -06:00
David Brown bdb6db723d sim: Move flash pointer up into Rust
Move the reference to the Flash device up into the Rust code instead of
trying to pass it back and forth to C.  This will allow a future change
to use a fat pointer (such as a trait pointer), which ultimately will
allow different kinds of flash devices.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 15:00:57 -06:00
David Brown 2784a2e2f2 sim: Update gcc dependency
Signed-off-by: David Brown <david.brown@linaro.org>
2017-07-12 15:00:57 -06:00
Fabio Utzig ebeecef4b4 Refactor of main test code
- Some helper structs added to track state
- Add new trailer checking routine
- Add extra test for upgrade+revert with failure
- Misc improvements

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-07-10 16:31:47 -06:00
Fabio Utzig a0bc9b5469 Update trailer format
This implements changes according to MCUB-14, easing the process
of making external apps parse and read/write the trailer.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-07-06 10:03:55 -06:00
Fabio Utzig 40b4aa07de Fix offset print writing to non-erased area
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-07-06 10:03:55 -06:00
David Brown 7ad8088a57 sim: Match spacing on csupport/run.c
Re-tab run.c to match the rest of the files in the system.  This was
indented using Zephyr conventions (tabs for indent).  Re-indent using
spaces, with a 4-space indent level.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-06-20 15:30:36 -06:00
Marti Bolivar 51d36dd592 sim: add stricter write checking
Extend the flash emulation in the simulator to verify that the
bootloader explicitly erases flash before writing to it for a second
time.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-06-19 14:46:48 -06:00
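The simulator commits on this page (flash_area_read_is_empty, erase-at-0 parts, optional verification before writes, probabilistic bad regions, and the stricter erased-before-write check in this commit) describe one small piece of test machinery. The following Rust sketch is added here and is not taken from MCUboot's simflash crate; it puts those behaviours into one type so the checks can be read together. The names SimFlash, FlashError, add_bad_region and read_is_empty, the xorshift fault generator and its seed, and the sector-aligned erase rule are this example's own assumptions, not the project's API.

```rust
#[derive(Debug, PartialEq)]
pub enum FlashError {
    OutOfBounds,
    Unaligned,
    /// A write hit a byte still holding an earlier value: the erase was skipped.
    NotErased { offset: usize, have: u8 },
    /// Fault injected by a configured bad region.
    SimulatedFault { offset: usize },
}

struct BadRegion { offset: usize, len: usize, rate: f32 }

pub struct SimFlash {
    data: Vec<u8>,
    sector_size: usize,
    erased_val: u8,      // 0xff on most parts, 0x00 on STM32L0/L1-style parts
    verify_writes: bool, // false lets tests write onto non-erased bytes
    bad_regions: Vec<BadRegion>,
    rng_state: u64,      // assumed: deterministic xorshift, not a crypto RNG
}

impl SimFlash {
    pub fn new(sectors: usize, sector_size: usize, erased_val: u8) -> Self {
        SimFlash { data: vec![erased_val; sectors * sector_size], sector_size, erased_val,
                   verify_writes: true, bad_regions: Vec::new(), rng_state: 0x9E37_79B9_7F4A_7C15 }
    }
    pub fn set_verify_writes(&mut self, on: bool) { self.verify_writes = on; }
    /// Writes to [offset, offset+len) fail with probability `rate` (0.0 to 1.0).
    pub fn add_bad_region(&mut self, offset: usize, len: usize, rate: f32) {
        self.bad_regions.push(BadRegion { offset, len, rate });
    }
    fn next_unit(&mut self) -> f32 {
        let mut x = self.rng_state;
        x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
        self.rng_state = x;
        (x.wrapping_mul(0x2545_F491_4F6C_DD1D) >> 40) as f32 / 16_777_216.0
    }
    fn check_bounds(&self, offset: usize, len: usize) -> Result<(), FlashError> {
        match offset.checked_add(len) {
            Some(end) if end <= self.data.len() => Ok(()),
            _ => Err(FlashError::OutOfBounds),
        }
    }
    /// Erase whole sectors only, as real flash does.
    pub fn erase(&mut self, offset: usize, len: usize) -> Result<(), FlashError> {
        if offset % self.sector_size != 0 || len % self.sector_size != 0 {
            return Err(FlashError::Unaligned);
        }
        self.check_bounds(offset, len)?;
        let erased = self.erased_val;
        self.data[offset..offset + len].iter_mut().for_each(|b| *b = erased);
        Ok(())
    }
    /// Refuse to program a byte that was not erased first (unless verification
    /// is off), then land bytes one at a time so an injected fault leaves a
    /// partial write behind, which is what an interrupted swap must survive.
    pub fn write(&mut self, offset: usize, payload: &[u8]) -> Result<(), FlashError> {
        self.check_bounds(offset, payload.len())?;
        if self.verify_writes {
            if let Some(i) = (0..payload.len()).find(|&i| self.data[offset + i] != self.erased_val) {
                return Err(FlashError::NotErased { offset: offset + i, have: self.data[offset + i] });
            }
        }
        for (i, &byte) in payload.iter().enumerate() {
            let addr = offset + i;
            let rate = self.bad_regions.iter()
                .filter(|r| addr >= r.offset && addr < r.offset + r.len)
                .map(|r| r.rate).fold(0.0f32, f32::max);
            if rate > 0.0 && self.next_unit() < rate {
                return Err(FlashError::SimulatedFault { offset: addr });
            }
            self.data[addr] = byte;
        }
        Ok(())
    }
    pub fn read(&self, offset: usize, buf: &mut [u8]) -> Result<(), FlashError> {
        self.check_bounds(offset, buf.len())?;
        buf.copy_from_slice(&self.data[offset..offset + buf.len()]);
        Ok(())
    }
    /// True when every byte in the range still holds the erased value.
    pub fn read_is_empty(&self, offset: usize, len: usize) -> Result<bool, FlashError> {
        self.check_bounds(offset, len)?;
        Ok(self.data[offset..offset + len].iter().all(|&b| b == self.erased_val))
    }
}

fn main() {
    let mut flash = SimFlash::new(2, 512, 0x00); // an erase-at-0 part
    flash.write(0, b"image").unwrap();
    println!("second write without erase: {:?}", flash.write(0, b"image"));
    flash.erase(0, 512).unwrap();
    println!("empty after erase: {:?}", flash.read_is_empty(0, 512));
}
```

The erased value is a constructor parameter rather than a constant so the same test suite runs against 0xff and 0x00 parts; the erased-before-write check is what turns a bootloader that forgot an erase into a test failure instead of silently "working" on a simulator that would accept any overwrite.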
Marti Bolivar 450d44955f sim: use flash_area_get_sectors()
Use the new flash sector API by default when testing.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-06-15 13:24:15 -04:00
David Brown 60399f69fb sim: Implement flash_area_get_sectors for sim
Implement the new flash sector query API for the simulator.  This is
generated from the data for the deprecated API.  Once the old API is
removed, the flash simulator can be changed to just return the new data
directly.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-06-15 13:24:15 -04:00
Marti Bolivar 88f48d9140 Rename br_image_addr to br_image_off.
The boot response returns a flash offset, not a flash address. This is
causing confusion and leading to crashes on some platforms which don't
have flash at address 0.

Rename the field to make it more clear what its purpose is; future
patches can start fixing up usages.

Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
2017-06-15 13:24:15 -04:00
Fabio Utzig b119424aa8 Merge pull request #64 from utzig/fix-build-config-leftovers
Fix some leftovers after mynewt move (PR #52)
2017-06-13 13:16:04 -03:00
David Brown 9ebd1f5a38 Merge pull request #51 from d3zd3z/pr/logging
sim: Allow Rust logging level to control C logging
2017-06-13 12:09:26 -04:00
Fabio Utzig 3488eef598 Fix some leftovers after mynewt move (PR #52)
- caps.c was now updated (missed this one!).
- *_OVERWRITE_ONLY flag was now also updated.
2017-06-12 10:25:43 -03:00
Fabio Utzig 7ebb7c23d9 Update how trailer is handled during a swap
Before this change, the trailer was handled as part of the binary image,
which during a swap was just copied around together with the image.
This had issues if some fault happened while the trailer copy was
underway.

This patch changes how the trailer is handled by making it non-copying.
The trailer is now updated step-by-step based on the current status.
Magic, copy_done and image_ok are also handled by writing them
individually, not by copying.

The trailer on scratch area was reduced to include at most swap state for
one sector, since it is only used temporarily while erasing the last
sector of the slot that stores the final trailer.

Many other small fixes were applied.
2017-05-24 08:45:53 -04:00
David Brown dc76c9690c Merge pull request #48 from d3zd3z/pr/overwrite
Add overwrite-only upgrade
2017-05-11 15:52:06 -06:00
David Brown 2d1d7cfd47 sim: Allow Rust logging level to control C logging
Change the C logging code, when in the simulator, to query what the rust
logging level is set to.  This allows the level of logging from the C
code to be set through the environment.  For example

    RUST_LOG=bootsim=info cargo run --release runall

will enable logging at the "info" level for all of the C code as well as
the simulator code.  The C code's logging can be selected specifically
by using bootsim::api instead of just bootsim in the above.
2017-05-11 09:17:03 -06:00
David Brown 186323e47e Merge pull request #50 from utzig/fix-var-shadowing
Fix shadowing of variable in print
2017-05-10 08:58:20 -06:00
David Brown 17609d8a7e Add "upgrade only" support
Add a configuration option "BOOTUTIL_OVERWRITE_ONLY" that avoids using
the image swap code.  Instead, when an upgrade is detected in slot 1, it
is copied directly onto slot 0.  As long as the image in slot 1 is
valid, this should work robustly (it will redo it if power is lost
during the upgrade).

This doesn't protect against the case of deploying an image that fails
to boot on some devices.  But, the behavior is similar to the swap
upgrade approach when the slot 1 image is marked initially as "image
ok", but without the complexity (or need of a swap partition) of the
swap code.
2017-05-10 08:33:19 -06:00
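A toy model of the overwrite-only scheme described in the commit above, added here as an example; it is not code from mcuboot or its simulator. It copies slot 1 over slot 0 sector by sector, cuts power after every possible flash operation (including half way through a sector write), reboots, and checks that slot 0 ends up holding the new image. The sector count, sector size, magic byte, xor checksum and the rule "an upgrade is pending while slot 1 holds a valid image that differs from slot 0" are assumptions of the model. Like the simulator's check for non-FF writes, the model refuses to program a sector that has not been erased first.

```rust
// Added example, not mcuboot or bootsim code: toy overwrite-only upgrade
// interrupted after every flash operation.  Sizes, magic and checksum are
// assumptions made for the model.

const SECTOR_SIZE: usize = 4;
const SECTORS: usize = 4;
const ERASED: u8 = 0xff;
const MAGIC: u8 = 0xa5; // assumed image magic, first byte of sector 0

type Sector = [u8; SECTOR_SIZE];

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Slot {
    sectors: [Sector; SECTORS],
}

impl Slot {
    pub fn erased() -> Slot {
        Slot { sectors: [[ERASED; SECTOR_SIZE]; SECTORS] }
    }

    /// A "valid" image: magic in the first byte, xor checksum of all other
    /// bytes in the last byte, payload derived from `seed` in between.
    pub fn image(seed: u8) -> Slot {
        let mut s = Slot::erased();
        for (i, b) in s.sectors.iter_mut().flatten().enumerate() {
            *b = seed.wrapping_add(i as u8);
        }
        s.sectors[0][0] = MAGIC;
        s.sectors[SECTORS - 1][SECTOR_SIZE - 1] = s.checksum();
        s
    }

    fn checksum(&self) -> u8 {
        self.sectors.iter().flatten().enumerate()
            .filter(|(i, _)| *i != SECTORS * SECTOR_SIZE - 1)
            .fold(0u8, |x, (_, b)| x ^ *b)
    }

    pub fn is_valid(&self) -> bool {
        self.sectors[0][0] == MAGIC
            && self.sectors[SECTORS - 1][SECTOR_SIZE - 1] == self.checksum()
    }
}

#[derive(Debug, PartialEq, Eq)]
pub struct PowerLoss;

pub struct Flash {
    pub slot0: Slot,
    pub slot1: Slot,
    pub ops_left: usize, // flash operations before the simulated power loss
}

impl Flash {
    fn erase0(&mut self, i: usize) -> Result<(), PowerLoss> {
        if self.ops_left == 0 {
            return Err(PowerLoss);
        }
        self.ops_left -= 1;
        self.slot0.sectors[i] = [ERASED; SECTOR_SIZE];
        Ok(())
    }

    fn write0(&mut self, i: usize, data: Sector) -> Result<(), PowerLoss> {
        // Like the simulator's non-FF check: only erased sectors are written.
        assert!(self.slot0.sectors[i] == [ERASED; SECTOR_SIZE], "write to non-erased sector {}", i);
        if self.ops_left == 0 {
            // Torn write: power fails half way through the sector.
            self.slot0.sectors[i][..SECTOR_SIZE / 2].copy_from_slice(&data[..SECTOR_SIZE / 2]);
            return Err(PowerLoss);
        }
        self.ops_left -= 1;
        self.slot0.sectors[i] = data;
        Ok(())
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Boot { Slot0, NoImage }

/// One boot: finish any pending overwrite-only upgrade, then pick an image.
pub fn boot(flash: &mut Flash) -> Result<Boot, PowerLoss> {
    // Upgrade pending while slot 1 holds a valid image that slot 0 lacks.
    if flash.slot1.is_valid() && flash.slot0 != flash.slot1 {
        for i in 0..SECTORS {
            flash.erase0(i)?;
            let data = flash.slot1.sectors[i];
            flash.write0(i, data)?;
        }
    }
    Ok(if flash.slot0.is_valid() { Boot::Slot0 } else { Boot::NoImage })
}

/// Cut power after `cut` flash operations, reboot with power, and check
/// that slot 0 holds the new image afterwards.
pub fn upgrade_survives_cut(cut: usize) -> bool {
    let new = Slot::image(0x40);
    let mut flash = Flash { slot0: Slot::image(0x10), slot1: new.clone(), ops_left: cut };
    let interrupted = boot(&mut flash).is_err();
    flash.ops_left = usize::MAX;
    let second = boot(&mut flash);
    // A full copy is 2 * SECTORS operations (erase + write per sector).
    interrupted == (cut < 2 * SECTORS) && second == Ok(Boot::Slot0) && flash.slot0 == new
}

/// A slot 1 image that fails validation is never copied over slot 0.
pub fn corrupt_upgrade_is_ignored() -> bool {
    let old = Slot::image(0x10);
    let mut bad = Slot::image(0x40);
    bad.sectors[1][2] ^= 0x01; // one flipped bit breaks the checksum
    let mut flash = Flash { slot0: old.clone(), slot1: bad, ops_left: usize::MAX };
    boot(&mut flash) == Ok(Boot::Slot0) && flash.slot0 == old
}

fn main() {
    for cut in 0..=2 * SECTORS {
        println!("power cut after {} ops: recovered = {}", cut, upgrade_survives_cut(cut));
    }
    println!("corrupt upgrade ignored: {}", corrupt_upgrade_is_ignored());
}
```

The model shows why the scheme needs no swap partition or trailer state: the only thing the bootloader has to decide on resume is "does slot 0 already equal the valid image in slot 1", and any answer other than "yes" restarts the copy from sector 0. It also shows the limit the commit message names: a slot 1 image that passes validation but does not boot is still copied, because validity is the only gate.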
David Brown 902d617687 Add capabilities query
Add a simple function to query the bootloader for capabilities.
Ultimately, this API should be available to the running app, but the
simulator can use this to determine what to test.
2017-05-10 08:32:42 -06:00
Fabio Utzig 5ac0a1ae29 Fix shadowing of variable in print 2017-05-10 08:49:39 -03:00
David Brown 5b35d1f467 sim: Enable warnings in sim builds
Enable -Wall so that warnings will be generated.  Remove an unneeded
declaration that this reveals.
2017-05-05 11:07:42 -06:00
David Brown 54b7779803 sim: Clean up logging
Make error the default log level in the sim shims, and add a function
name to two of the calls.
2017-05-05 11:07:42 -06:00
David Brown 75fd5dc05e sim: Generate logging within the sim
Add logging support for when running in the simulator.  Log messages are
still based on compile-time determinations, and log using printf.

Based on a patch from Marti Bolivar <marti.bolivar@linaro.org>.
2017-05-05 11:07:42 -06:00
Fabio Utzig 57652319ae Fix random reset behaviour 2017-04-25 19:54:26 -03:00
Fabio Utzig 19b2c1a927 Add extra information on errors
* Print bail out error information
* Print specific location of non-ff writes
2017-04-20 08:25:30 -03:00
David Brown 4cb2623574 Back out unneeded part of random reset test
In change

    commit bb5635e074
    Author: Fabio Utzig <utzig@utzig.org>
    Date:   Mon Apr 10 09:07:02 2017 -0300

        Add test of multiple random resets while upgrading

in addition to adding the try_random_fails, it shuffled the order that
the initial interruption test ran.  However, this test always clones
the flash device, so it doesn't matter what order the tests are run.
Revert this part of the change to avoid unnecessary complexity in the
code.
2017-04-11 08:18:18 -06:00
Fabio Utzig bb5635e074 Add test of multiple random resets while upgrading 2017-04-10 09:07:02 -03:00
David Brown a3b93cfe95 sim: Add runall command
Add a `runall` command that will run all combinations of devices and
alignments.

Jira: MCUB-44
2017-03-29 13:02:13 -06:00
David Brown 361be7ade7 sim: Return exit status from sim run
Instead of just printing a message, return an exit status so that
scripts running the sim can more easily tell if the tests passed.

Jira: MCUB-45
2017-03-29 13:01:44 -06:00
David Brown 274f7874db sim: Show address for overwrite error
When trying to write to a non-FF location in the flash, put the
location of the failure in the error message to help diagnose the
problem.
2017-03-29 13:01:13 -06:00
David Brown 07fb8fa0c8 sim: Add NRF52840 device
Add the flash device from the NRF52840 SoC.
2017-03-29 13:01:13 -06:00
David Brown 5c6b6798d0 sim: Use simulated flash configuration
There are some instances of hard-coded offsets, which break if the
simulated device doesn't have the same configuration.  Query these
from the flash descriptor rather than hard-coding them.
2017-03-29 13:01:13 -06:00
David Brown 0daa36c99f sim: Remove phantom declaration from CAreaDesc
Although this contains a phantom pointer, because it is passed to C,
this generates a warning on every compile.  Until this is fixed,
remove the lifetime declarations from the structures.  The user will
have to make sure that the pointed-to structures remain until the C
structure is completed.  For the common case of generating the C
structures just to make a call, this should be safe.
2017-03-29 12:58:40 -06:00
David Brown e380fa6e30 sim: Set version numbers in images
To make the images easier to identify during analysis, set the version
number.  The major number tries to be set to the slot number, and the
build number is the byte offset.
2017-01-23 16:01:02 -07:00
David Brown 163ab23340 sim: Add some debug code to dump images
The code is commented out, but can easily be uncommented to allow the
various images to be dumped out for external analysis.
2017-01-23 16:01:02 -07:00
David Brown 75e16d6900 sim: Write image_ok properly
With stricter checking of alignment, always write the image ok flag as a
group of 'align' bytes.
2017-01-23 16:01:02 -07:00
David Brown 74cc14c31e sim: pad images to alignment
Adjust the image sizes up to a multiple of 8.  With the strict checking
in the flash driver, we aren't allowed to write partial lines.
2017-01-23 16:01:02 -07:00
David Brown f253fa815c sim: Make misaligned writes panic
To make things a little easier to debug, change misaligned writes to
panics, so that the debugger can more easily intercept them.
2017-01-23 16:01:01 -07:00
David Brown 5acda26f88 sim: Be consistent about flash alignment
The flash API has two calls that can return the device alignment.  Fix
this so that both calls return the same alignment.
2017-01-23 16:01:01 -07:00
David Brown 562a7a05d4 sim: Verify write alignment
When an alignment greater than one is specified, enforce this in the
simulated flash driver.
2017-01-23 16:01:01 -07:00
David Brown 90c1913c13 sim: Add the K64fBig target
This target simulates running with pretend large sectors on a device
that really has small sectors.
2017-01-23 16:01:01 -07:00
David Brown dc1964c0a6 sim: Fix build paths for new directory layout
The zephyr sources have moved to a different directory.  Adjust the
build script to fix the paths referenced.
2017-01-10 16:45:05 -07:00
David Brown c638f799a0 sim: Test multiple reverts
Make sure reboots after an image is reverted never result in the images
being swapped again.
2017-01-10 16:43:07 -07:00
David Brown 1a44316c85 sim: Add dependency output
Output the names of source files used to build the C library so that
Cargo knows to rerun the compilation if these have changed.
2017-01-10 16:43:07 -07:00
David Brown 841d73aaf1 sim: Create a small README.rst
Describe how to build and run the simulator.
2017-01-09 12:28:11 -07:00
David Brown 4440af8f59 sim: Use logging to control output
Use the Rust logging so that normal messaging isn't overwhelmed by
messages printed.  The default level is 'error' which will only print
full errors (including the failures at the end).

To run with warnings:

   RUST_LOG=warn ./target/release/bootsim ...

This will print warnings, showing the particular failures in mind.
Using 'info' instead of 'warn' will print lots of progress as it runs.
2017-01-09 12:28:10 -07:00
David Brown de7729e6ec sim: Add simulator code
'sim' is a small simulator for the bootloader's update code.  It tests
untimely powerdowns to ensure that the bootloader will recover from a
power loss or reset at any time during the boot.

Note that, as of this commit, there are some failures in the test that
need to be investigated.

Also note that this build script does not output proper dependencies for
source files outside of the simulator directory, and won't rebuild the C
files if they or headers are modified.
2017-01-09 12:28:10 -07:00