Fixes an issue with saving shared boot data when the number of
images is more than 1. This is caused becuase the function is
called once per image but the function itself saves common data
plus data for all images, so prevent saving when it has already
ran once
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit bcffc62c66)
- Fixes MCUBoot partition allocation for
frdm_mcxn947_mcxn947_cpu0_qspi
- Assign "zephyr,code-partition" in the
frdm_mcxn947_mcxn947_cpu0_qspi overlay,
as app.overlay is ignored if a board overlay is present.
Signed-off-by: Andrej Butok <andrey.butok@nxp.com>
(cherry picked from commit ab01443605)
Use EXTRA_CONF_FILE that replaced OVERLAY_CONFIG
since the Zephyr v3.4 release.
Signed-off-by: Andrej Butok <andrey.butok@nxp.com>
(cherry picked from commit 5c21093af5)
Serial recovery failed for NXP IMX.RT platforms
unless BOOT_ERASE_PROGRESSIVELY is set.
Signed-off-by: Andrej Butok <andrey.butok@nxp.com>
(cherry picked from commit a91a61564a)
Fix possible warning "boot_serial_enter defined but not used".
Signed-off-by: Andrej Butok <andrey.butok@nxp.com>
(cherry picked from commit a967c66ed0)
For some reason, the calls to mbedtls_aes_free, mbedtls_nist_kw_free and
mbedtls_sha256_free_drop were commented out which means the AES and
SHA-256 contexts were not properly de-initialized after usage when
mbedTLS is used. In the case of AES-KW it seems that might lead to a
memory leak depending on the mbedTLS configuration, but in any case and
independently of the mbedTLS configuration, this leads to the contexts
not be zeroized after usage.
Not zeroizing a context means it stays in RAM an undefined amount of
time, which might enable an attacker to access it and to dump the
sensitive data it contains.
Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>
(cherry picked from commit 5d5f04923f)
Improves the mode selection checks to prevent selecting multiple
conflicting modes as has been seen in TFM
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 43a49a3b92)
Fixes an issue with this file as it was wrongly disabling QSPI
NOR, which the hardware does not support, when it should have been
disabling SPI NOR
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 651775b550)
Update the configuration to remove swap mode support.
MCXN94x ROM Flash API supports writing of 128byes page.
Signed-off-by: Mahesh Mahadevan <mahesh.mahadevan@nxp.com>
(cherry picked from commit a3762626f8)
The variable `rc` was declared as int and then implicitly casted to
`size_t` when passed to `base64_decode`, which on 64 bit architectures
is wrong.
Signed-off-by: Lluis Campos <lluis.campos@northern.tech>
(cherry picked from commit dd4d6541c8)
Changes the order of operations to validate the image header
before checking the image, it does not make sense to check the
image if the header itself is invalid
Note: This PR has been modified from the upstream commit due to
a merge failure from other changes that are not being brought into
Zephyr 3.7
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 2939d30545)
In case ESP32 SoC is used, *start will get
build warning as it is not used.
Signed-off-by: Sylvio Alves <sylvio.alves@espressif.com>
(cherry picked from commit 334d2c28f6)
This calculation failed to take into consideration the additional
sector needed for the swap move part of the upgrade process
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit e2e1e945fa)
Fixes an issue which can occur in tests whereby an application
has the name mcuboot but is not mcuboot itself
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 8456464c04)
In all cases where boot_enc_load is called it is known what slot
is addressed, so it is better to just pass the slot number
instead of making the boot_enc_load figure out slot number from
image index and provided flash area object.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 7f9ac97951)
Fixes showing the wrong address when booting a RAM load image
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 7fc3ad3d0b)
The enc_key_data.valid had been set to true when key has been added
to the encryption context, but in case when boot_enc_drop was called,
on the same context, the flag remained true, even though the context
may no longer hold any valid context nor key.
The commit moves the enc_key_data invalidation to enc_key_drop.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 335573520d)
All of boot_enc_ function follow the same pattern where
they take encryption context as the first parameter, and the
boot_enc_decrypt stands out here as it does not work around
the encryption context, but is rather single-part decryption
function only used for decrypting of the image encryption
key.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 2371c0aa7f)
Update the log level for RX and TX messages from INFO to DEBUG to reduce
clutter in the serial interface logs. This change helps in keeping the
output cleaner and focuses on more critical information by default.
Signed-off-by: Hudson C. Dalpra <hudson@bduncanltd.com>
(cherry picked from commit 4b9d07dc4f)
The boot_enc_set_key in boot_swap_image, when recovering from
reset, has been caled on AES context that has not been
initialized.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 7e3a1cecd7)
In the boot_image_validate_encrypted there was call to
flash_area_id_to_multi_image_slot, which tries to figure out
slot index from flash area and image index, and the result of the
call was not used for anything as slot index is hardcoded in the
next call to be 1 (secondary).
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 4da4a72cb1)
For swap using scratch, the boot_read_image_header routine, responsible
for reading the image headers, was always looking for the primary and
secondary image's headers at the beginning of respectively the primary
and secondary slots, regardless of the current boot status.
This means if during a swap-scratch upgrade a reset happens after the
sector containing the image header in the primary or secondary slot has
been erased, invalid image headers were read since at that time the
location of the headers has changed.
Currently, this doesn't seem to cause any issue because the swap-scratch
algorithm is implemented in such a way the content of the headers is no
more necessary when the headers are erased. However, to be able to
decrypt the secondary image when copied to the primary slot instead of
when copied to the scratch area, properly reading the secondary image's
header is required even after it has been erased from the secondary
slot.
To that end, the boot_read_image_header is modified to determine from
the boot status the current location of the image headers and to always
read the actual header, no matter the current state of the upgrade
process.
Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>
(cherry picked from commit f515bb1c44)
This reverts commit 0fa46270c0.
This breaks:
samples/synchronization/sample.kernel.synchronization on
b_u585i_iot02a/stm32u585xx/ns error
as this TF-M configuration uses its own keys. This change is an API
change that needs to be coordinated with TF-M changes.
Before this revert, compiling this test results in:
.../encrypted.c:447: undefined reference to
`boot_enc_retrieve_private_key`
Signed-off-by: David Brown <david.brown@linaro.org>
In Mbed TLS 3.1, the private fields in the ASN.1 structure were made private.
This breaks code that accesses these private macros.
Fix this by changing the ASN.1 specific code to use a new field accessor
`ASN1_CONTEXT_MEMBER` that will be conditionally defined based on the version of
Mbed TLS that is present.
Signed-off-by: David Brown <david.brown@linaro.org>
The symbols injected here cause some kind of poor interaction with the linker on
MacOS, which results in most of the code becoming hopelessly corrupt. For now,
just disable these symbols on this target.
Signed-off-by: David Brown <david.brown@linaro.org>
When MCUBOOT_SWAP_SAVE_ENCTLV is enabled, a comparison between a signed
and an unsigned integer is made in boot_read_enc_key. This might cause a
warning to be emitted at compile-time.
Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>
Currently encryption supports only private key embed
in mcuboot itself. To support MCUBOOT_HW_KEY for image
encryption boot_retrieve_private_key() hook is added.
This hook helps retrieving private key from trusted
sources like OTP, TPM.
Signed-off-by: Dinesh Kumar K <dinesh@linumiz.com>
1. set BOOT_MAX_IMG_SECTORS value for frmd_mcxn947_qspi. W25Q64 flash on the board
is very large (8MB), so we must increase the number of max sectors when
targeting this board with MCUboot.
2. Set the zephyr,flash chosen node to point to internal flash as this board
supports booting from internal flash only.
Signed-off-by: Mahesh Mahadevan <mahesh.mahadevan@nxp.com>
swap_scratch.c requires definition of SLOT1, in single application
slot build it's not needed and file would not be used anyway so
now it is removed from mynewt build
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
Use socs folder to configure Espressif targets.
Remove all boards confs which was created by copying other boards.
Signed-off-by: Marek Matej <marek.matej@espressif.com>
check_config.h was included manually by custom configuration files.
This caused compilation errors when updating MbedTLS to 3.6.0
because check_config.h was processed too early, before the whole
configuration is defined, effectively causing configuration check errors.
MbedTLS already takes care of including check_config.h at the right time.
Remove those erroneous manual check_config.h includes.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
The bootutil_hmac_sha256_set_key routine performs some dynamic memory
allocations when mbedTLS is used. To properly free the allocated memory,
bootutil_hmac_sha256_drop must be called before reinitializing the HMAC
context using bootutil_hmac_sha256_init. However, in the hkdf routine,
the HMAC context was freed only once even though it was initialized
multiple times.
Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>
This change uses the flash functions to read the applications
reset vector. This allow flexibility on which flash device the
application is programmed.
For e.g: MCUBoot can be programmed and running from Internal
Flash while Zephyr can be loaded from a different Flash device.
This change is made for ARM platform, it can be extended to
non-ARM platforms as well.
Signed-off-by: Mahesh Mahadevan <mahesh.mahadevan@nxp.com>
If-statement checks if length is greater than some value right after a check if it is equal to the same value.
This will never be true.
Signed-off-by: Robert Paananen <robert@paananen.nu>
Only allow TLV entries that are needed for signature verification to be placed
in the unprotected area of the TLV.
Signed-off-by: David Brown <david.brown@linaro.org>
Add a query to the TLV iterator that will indicate if the currently iterated TLV
entry was found in the protected region or not.
Signed-off-by: David Brown <david.brown@linaro.org>
There is existing functionality for Zephyr where mcuboot works
with single slot (no swap) and image can be updated via boot_serial.
To have same functionality in mynewet single_loader.c file is copied
from zephyr tree and 2 pkg.yml files are modified to utilize new
file when BOOTUTIL_SINGLE_APPLICATION_SLOT is defined
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
mynewt system for some time now uses mynewt_main() as
starting point called from startup code.
This changes function name main to mynewt_main but
provides backup main function that will be linked if
pre 1.12 mynewt-core is used with mcuboot
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
Enable the usage of builtin keys in the ECDSA verification module with
the PSA Crypto API based cryptographic backend.
This way parsing and importing the verification keys can also be avoided.
Change-Id: I6ada1ef8ed04a3f12c228ef399e3a7b8ebc7fb5e
Signed-off-by: David Vincze <david.vincze@arm.com>
Introduce a new MCUBOOT_BUILTIN_KEY option to enable the usage of
builtin keys for signature verification. This way the details of the key
handling mechanism are abstracted away from the boot code and this
responsibility is delegated to the given crypto library.
This is an alternative option to the existing MCUBOOT_HW_KEY feature,
however in this case we can entirely rely on key IDs and not only the
code, but also the image metadata does not contain any public key data.
Change-Id: Id01b67951310549b2734730c58bfa7210a2d5236
Signed-off-by: David Vincze <david.vincze@arm.com>