In zephyr code-base some generic include patches
and defines had been deprecated since a while.
This condition was maintained until zephyr v2.1.0 inclusive.
Recently these deprecated items were removed completely from
the zephyr master branch. Zephyr current SHA of this patch is
e124c1cd34938f02bbe879533c6bd29b5ff53707
This patch switch mcuboot to using most recent items.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
* Adds a new level (BOOT_LOG_SIM) to be used only for messages that
are interesting while debugging bootutil in the simulator. This should
be used for extra verbose prints.
* Also added fflushs after fprints to guarantee that messages are printed
even when assertions are raised.
* For abstraction completeness, add "do nothing" definitions of _LOG_SIM
to the other ports.
* Make DEBUG the default level when building the simulator (one can
still lower verbosity using any other value for RUST_LOG).
Signed-off-by: Fabio Utzig <utzig@apache.org>
For some reason, the ECDSA signature generation code attempted to adjust
the length of the ASN.1 of the actual signature. It wasn't doing this
right, and was creating ASN.1 expecting many more entries than were
present. The half-run parser in the tinycrypt ECDSA signature check
didn't care about this, but mbed TLS's signature check does care.
The intent of the padding was to be able to predict the size of the TLV
before writing it out. Keep the padding for now, even though there is
no simple way of knowing how many pad bytes to remove (just removing
them will remove extra if there is a zero in the last byte of the
signature.
A future change will eliminate the padding, as it should no longer be
needed.
Signed-off-by: David Brown <david.brown@linaro.org>
Update `make_device` to return a slice of unsupported caps for a test.
This allows skipping tests in devices that are known to be non working
under some build configuration.
The device constructor was updated to return a `Result`, so that the
specific reason for skipping can be returned as a `String`.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add cap for swap using move and rename old swap upgrade cap to swap
using scratch. Update sim to allow swapping tests to also run using
move.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Currently, the tests that appear to be testing for invalid signatures
are actually just testing that images aren't used if the entire TLV
block is missing. Fix this by being more subtle about our corruptions.
If there is no signature, corrupt that data being used to generate the
hash. Otherwise, modify the data before it goes into the signature, but
generate a valid SHA256 in the TLV. This way, we exercise the signature
itself being corrupt.
Signed-off-by: David Brown <david.brown@linaro.org>
Previous changes have used 16-bit writes for calculated lengths, but are
using a pair of 8-bit writes for hard-coded values. Change these to
also use 16-bit writes for consistency, and clarity.
Signed-off-by: David Brown <david.brown@linaro.org>
Change the type of the TLV tag from an 8-bit unsigned value (followed by
8 bits of padding) to a 16-bit value. Because we are storing the tag as
little endian, the encoding will end up the same, but this will later
allow us to add more tags.
Signed-off-by: David Brown <david.brown@linaro.org>
These were added during development to make sure conditional compilation
was working. Now, they just cause excess messages to be printed.
Remove them.
Signed-off-by: David Brown <david.brown@linaro.org>
Removes the hard-coded image encryption keys, and updates with keys
generated randomly before use. This tests the correct behavior of
how ephemeral keys should be used when generating new images.
Signed-off-by: Fabio Utzig <utzig@apache.org>
To start adding support for devices with a large write size, modify the
simulator to allow a 'large-write' feature that will also run tests with
128 and 512 byte write alignments.
This requires fixing some places in image generation that assumed a
fairly small alignment (namely, padding the buffer at the end, rather
than individual parts), and detecting the large writes when writing the
MAGIC value to the image.
The flash API still passes the alignment back as a uint_8, but in
overwrite mode, this verifies that the boot code won't use this value.
Currently the 'large-write' feature requires 'overwrite-only' as well.
Signed-off-by: David Brown <david.brown@linaro.org>
Overwrite mode is always a permanent upgrade, so skip trying to mark
this in the images. This marking is problematic with larger write
alignments.
Signed-off-by: David Brown <david.brown@linaro.org>
This constant array is always just unwrapped. Remove the Option from
its type, and just make it an array.
Signed-off-by: David Brown <david.brown@linaro.org>
Some devices have a write alignment larger than 128. Allow this within
the simulator, by using `usize` instead of `u8` for the write alignment.
The value is still returned to the C code as an 8-bit integer, but this
help start debugging issues found on these devices.
Signed-off-by: David Brown <david.brown@linaro.org>
Ran automated checker for common typos [1]. Most of these changes have
no functional change *except* for `./ci/sim_run.sh` where, previously
the `bootstrap` feature wasn't being selected properly.
I didn't touch anything in the `./ext/` folder as anything in there
should probably be fixed in the upstream repo.
[1] https://github.com/codespell-project/codespell
Signed-off-by: Sam Bristow <sam@bristow.nz>
Move the external mbedtls submodule out of the sim/mcuboot-sys directory
into the ext directory. This will allow the same copy of mbed TLS to be
used by other board support packages, instead of having to make a
duplicate clone.
Signed-off-by: David Brown <david.brown@linaro.org>
The ext/mbedtls directory has a copy of the ASN.1 parser from the mbed
TLS library. To allow a future change to bring the entire mbed TLS
library in as a submodule under ext, rename this to mbedtls-asn1 to make
it clear this is only a subset.
Signed-off-by: David Brown <david.brown@linaro.org>
Convert this `extern const uint32_t` to a simple define. Provide an
accessor function so that the simulator is able to access the value as
well. This has a minor improvement on the generated code within MCUboot
itself.
Signed-off-by: David Brown <david.brown@linaro.org>
BOOT_MAX_ALIGN is defined as
extern const uint32_t BOOT_MAX_ALIGN;
and is assigned a value in a single file. This causes extra work when
this is used as the size of a local variable in a function.
The value was made a constant in order for the simulator to be able to
access the value. Instead of making it a "real" constant, keep it as a
define, unifying the value of FLASH_MAX_ALIGN and this one, and provide
an accessor function for the test code to be able to access this value.
This causes a minor improvement in the code generated in
`boot_write_status`, but more importantly, eliminates a VLA from the
code, which increases the possible compilers supported by MCUboot.
Signed-off-by: David Brown <david.brown@linaro.org>
This introduces an API which allows for iteration over an image's TLVs
without resorting to low-level implementation details. All previous TLV
low-level handling was updated to comply with this new interface, and it
also makes it easier for external code to handle TLVs.
The API provides two functions:
1) To start a new iterator:
```
int bootutil_tlv_iter_begin(struct image_tlv_iter *it,
const struct image_header *hdr,
const struct flash_area *fap, uint8_t type,
bool prot);
```
2) To iterate over existing TLVs of given type:
```
int bootutil_tlv_iter_next(struct image_tlv_iter *it, uint32_t *off,
uint16_t *len, uint8_t *type);
```
A type of IMAGE_TLV_ANY was added to allow for iteration over all TLVs.
Low-level TLV access functions were removed from API, but low-level
structs are still visible in the namespace.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Test the variations of the situation where we are built for multi-image,
but are only upgrading a single image, including no dependencies,
correct dependencies, and unmet dependencies.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
Add two additional dependency types. The NoUpgrade type indicates that
this slot should not contain an upgrade at all. The OldCorrect
indicates a dependency on the old version of the other slot.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
Instead of allowing a preliminary error if the first image is marked to
be held, allow this error if any of the images are marked to be held.
The error doesn't return which image caused the failure, so just check
if any are supposed to be held.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
Test the configuration where one image has its dependencies met and the
other does not, and make sure in these cases we just hold back from
upgrading entirely.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
When generating dependencies, we were using the slot number instead of
the image number to determine which dependencies to mark invalid. Fix
this, so that we can test configurations where one image is upgradeable
and the other not.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
Before running tests, a sanity upgrade was run to gather the amount of
flash writes to be expected for the operation. This operation fails when
the dependencies hold an upgrade, so the checks were updated to avoid
aborting under those circumstances.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Decode the MCUBOOT_DEBUG_DUMP environment variable into a series of
comma-separated strings, and create debug dumps for any test that
matches one of these strings. Also, the special string 'all' will match
every test, causing every image under test to be dumped.
The dumped images will contain an atomic counter, so that all of the
generated files will be unique for a given run.
Signed-off-by: David Brown <david.brown@linaro.org>
Add a `debug_dump()` method to `Images` to allow the images to be
written to a file. The dependency test will call this if the
environment variable MCUBOOT_DEBUG_DUMP is set.
In order to make these debug dumps more useful, add a simple partition
table to the beginning of the image (where MCUboot would reside on
target). This has a simple header, and then entries for each partition,
using the partition ids used within the simulator. This allows the
image to be more easily used by external tools.
As an example, `scripts/mcubin.bt` is a binary template for the [010
Editor](https://www.sweetscape.com/010editor/), allowing it to decode
and show the details of images from MCUboot.
Signed-off-by: David Brown <david.brown@linaro.org>
With the recent changes in bootutil, now there is no need to lock the
test threads to run sequentially, so the global lock was removed. The
locking now happens to access resources such as flash, flash params,
simulator context, etc on a per thread basis. Some of the global
variables that were used by the simulator itself (FFI) were made into a
context struct passed in to invoke_go.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Currently to determine which image is being operated on, there is a global
variable called current_image which is used by most macros and APIs to
correctly access the flash areas required by the bootloader. This moves
this variable to the already existing state struct and refactors all
macros and APIs to receive the current image by parameters. To maintain
compatibility some of the macros were not updated and use image 0 when
called.
The definitions of FLASH_AREA_IMAGE_PRIMARY and FLASH_AREA_IMAGE_SECONDARY
for Mynewt compatibility were moved out of bootutil sources to a Mynewt
specific include file.
Signed-off-by: Fabio Utzig <utzig@apache.org>
There are three methods that verify multiple images that essentially
manually implement the `all` and `any` methods of `Iterator`. It makes
it difficult to understand what these do, as there is an early return of
true or false, with various negations of the check.
Replace these with calls directly to `any` or `all` so that it is
clearer what each function is doing. The generated code should be the
same.
Signed-off-by: David Brown <david.brown@linaro.org>
Rather than just make the test images entirely pseudorandom data, add a
small textual header to the front that describes some key information
about each image. This can be helpful when debugging, to determine what
exactly is in each image slot.
Signed-off-by: David Brown <david.brown@linaro.org>
Create a trait `Depender` which is passed down to the image create and
verification to check and test for various types of dependency
resolution. Add a test that uses this to test the simple case of unmet
dependencies preventing an upgrade.
The actual test is disabled (with an `if false ...`) because the code
under test loops forever in this configuration.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of manually expanding multi-byte encoding, use the byteorder
crate which has its own extension methods to do this. This both makes
the code a bit clearer, and also makes it clear that these encodings are
specific to little endian platforms.
Signed-off-by: David Brown <david.brown@linaro.org>
Many places in the image code pass a pair of
slots: &[SlotInfo], slot: usize,
around as arguments. Simplify this by just passing a `&SlotInfo`. For
the few instances where code needs to know the index of a slot, add an
index field to the `SlotInfo` struct for these to use. This eliminates
an argument from 4 functions/methods, and the numerous places they are
called.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of a growing number of no-argument methods that just call other
methods with fixed arguments, change the `sim_test` macro to pass
through arguments to the test methods. This will make it easier to
further parameterize the test entrypoints.
Signed-off-by: David Brown <david.brown@linaro.org>
When doing a test with fails, the total number of flash accesses is
first calculated doing an upgrade without fails, which is then used to
fail/resume at all test points. The count was always considering the
setting of a permanent upgrade, which added 1 to the total count in a
non-permanent upgrade. This amount was being discounted when running
the test/revert with fails, although the discount was only ok for single
images. This adds a new image constructor that does not run a permanent
upgrade and thus gets the correct number of flash accesses for a
test/revert no matter how many images are being tested.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Andrzej Puzdrowski