Commit Graph

545 Commits

Author SHA1 Message Date
Carles Cufi f242901a85 imgtool: Use a requirements file for dependencies
Instead of relying on distro packages standardize the imgtool
dependencies into a requirements.txt.

Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
2018-02-01 16:00:21 -07:00
Marti Bolivar 6f2857c2a7 zephyr: add compatibility shim for flash driver name
The upstream Zephyr project is renaming FLASH_DRIVER_NAME to
FLASH_DEV_NAME as part of some changes related to device tree.

Work around this for now by keeping the MCUboot name the same if
FLASH_DRIVER_NAME is not provided by Zephyr, but FLASH_DEV_NAME is.

Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
2018-02-01 15:59:18 -07:00
Marti Bolivar aefbd46631 zephyr: try to mass erase when flashing
It's recommended practice to mass erase the flash chip before
reflashing mcuboot. Add a configuration option for Zephyr which does
this by default on some Zephyr runner backends which can support
this (pyOCD and dfu-util). Additional runners can be added as needed.

Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
2018-01-30 16:17:52 -07:00
Marti Bolivar 388454880f zephyr: fix MCUBOOT_TARGET_CONFIG definition
When the target doesn't have good enough generic support for MCUBoot,
you can specify the flash layout etc on a per-board basis by creating
a header, boot/zephyr/targets/BOARD.h.

The build system tries to pick this up, but isn't doing it
correctly. Fix it.

Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
2018-01-29 14:35:38 -07:00
David Brown 8e0016eb14 zephyr: Create a test runner for the samples
Enhance the test runner so that it can verify the output of the tests by
itself.  This needs the console to be logged to a file, but otherwise
works the same as the current test runner.

Also, the build results are placed in a log file, so that it is easier
to see what is happening.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-29 14:29:48 -07:00
Marti Bolivar dde1b1c481 zephyr: fix the build
Since the Kconfig file was moved in 51a0921006 ("zephyr: Move Kconfig
file to boot/zephyr"), the CMakeLists.txt reference to it needs updating.

Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
2018-01-29 14:04:13 -07:00
Carles Cufi 67c792efbb zephyr: Enable flash page layout if available
Since not all ICs default to enabling flash page layout, enable it from
the MCUboot Kconfig options whenever it is available.

Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
2018-01-29 12:22:48 -07:00
Carles Cufi 84ede5893f kconfig: Add new MCUboot device settings
Add a new MCUboot device settings option that enables or configures
features that are specific to a particular device.
Additionally enable software vector relay in Cortex-M0 CPUs that do not
have a hardware mechanism to relay or forward interrupts.

Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
2018-01-29 12:22:48 -07:00
Carles Cufi 51a0921006 zephyr: Move Kconfig file to boot/zephyr
Since the Kconfig file is only relevant to Zephyr, move it from the root
folder into boot/zephyr, in order to keep all Zephyr-related files
together.

Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
2018-01-29 12:22:48 -07:00
Sebastian Bøe 9c38d76677 zephyr: hello-world: Samples should not define default boards
hello-world is serving as a sample application and should therefore
not define a default board as Zephyr samples do not either.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2018-01-29 16:19:37 -02:00
Sebastian Bøe 688a216a1a zephyr: hello-world: Remove documentation for non-existent feature
The documentation claims that one can place per-board overlay files in
the boards/ directory. But no such support has been implemented.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2018-01-29 16:19:37 -02:00
Sebastian Bøe 8680b90374 zephyr: boot: Use abs. path instead of rel. path for dts overlay
When a relative path was used the build would fail when CMake was
invoked with the -B -H flags. Using an absolute path for the
dts.overlay flags fixes #187.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2018-01-29 16:19:05 -02:00
Carles Cufi 90eda80838 doc: Fix MCUboot capitalization
The correct spelling is "MCUboot", so replace the instances that differ
from this.

Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
2018-01-29 15:49:04 -02:00
Fabio Utzig ecc7e14e55 Update nokogiri due to security vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050

Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-24 07:07:36 -02:00
Carles Cufi 3b61e70b8b docs: Link to instructions from landing pages
Link to usage instructions from the main README file and from
docs/index.md so that the usage is visible from the root documentation
files.

Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
2018-01-23 14:08:14 -02:00
Carles Cufi ecc34bb787 doc: Convert rst to md and move to docs/
To avoid having multiple documentation standards, transition all
documentation files to the Markdown (md) format and move them to the
docs/ folder.

Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
2018-01-23 14:08:14 -02:00
Fabio Utzig f70e302617 Fix warn in overwrite-only with slot0 validation
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-10 10:35:10 -07:00
Fabio Utzig 891f4fb023 Fix EC API usage due to change in mbed-TLS
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-10 10:34:45 -07:00
Fabio Utzig 476fd99d82 Bump to version 1.1.0
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-09 16:36:52 -02:00
Fabio Utzig 07d65c9a73 Update Mynewt version numbers
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-09 11:32:45 -07:00
Fabio Utzig 49045cc9e8 Update with 1.1.0 release notes
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-09 10:58:29 -07:00
David Brown f88d9f95d4 imgtool: Add password support to ECDSA
Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 31d29c8edb imgtool: Update docs for new key format
Update the dependencies needed, as well as adding a blurb about how to
password protect the private key.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 2c9153a268 imgtool: ECDSA pad signature
Until we fix the padding problem, pad the ecdsa signatures with zeros to
always be 72 bytes long.  Add a 'raw_sign' method so that the unit test
can use the real signature.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown b6e0ae695c fix: Add back ECDSA signature support
Replace the (now broken) ECDSA code with code using the python
'cryptography' library.

Similar to the change to RSA, this changes the format in which private keys
are stored, again using PKCS#8.  This supports the stronger password
protection as well.

Again, this code will still support reading the older style of public
keys, but other tools that use keys generated by this change will need
to be updated to work with the new format.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 20462a7179 fix: RSA: Use 32-byte salt with PSS
The verification code requires a fixed 32-byte salt, which seems to be what
the old crypto library did.  Use this same value to avoid having to
modify the code.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 1d5bea1cf7 imgtool: Add support for password protected RSA keys
The keygen command allows the `-p` argument which will prompt for a
password, and protect the private key with this password.  When loading
keys, it will prompt for a password if it detects a password protected
key.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 47b77c521a imgtool: Fix signing payload type
The 'cryptography' library is pickier about the data it is asked to
sign.  Get the bytes value out of the bytearray for doing the actual
signature.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 5e7c6dd58a imgtool: Update RSA code
Replace RSA code with one using the python 'cryptography' library.  This
library is much more complete, and will make adding support for password
protected keys, and separate public keys easier.

There is, however, a significant change brought about by this change:
the private keys are stored in PKCS#8 format, instead of the raw format
that was used previously.  This is a more modern format that has a few
advantages, including: supporting stronger password protection, and
allowing the key type to be determined upon read.

This tool will still support reading the old style public keys, but
other tools that use these keys will need to be updated in order to work
with the new format.

This new code has some unit tests to go along with it for some basic
sanity testing of the code.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown d4022576e4 imgtool: Remove PKCS1.5 support
Support for PKCS1.5 has been removed from the bootloader for a while
now, remove it as well from the tool.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 244547346e imgtool: Move keys to submodule
Move this code into a submodule to prepare to cleanup and enhance the
key management code.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown b730e2431a assemble.py: Add explicit license declaration
Although this file is likely implicitly licensed under the Apache 2.0
license because of the LICENSE file for this project, make this explicit
in this file.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-04 10:36:25 -07:00
David Brown 59ae522541 sim: Remove extraneous `mut`
This value does not need to be mutable as it is just given to another
function immediately.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-04 10:36:07 -07:00
David Brown 3df2a0ea15 sim: Update some dependencies
Move to newer versions of some upstream packages, lazy_static, which is
now at 1.0 (no api change), and error-chain (0.11), which eliminates a
warning during compilation.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-04 10:36:07 -07:00
Fabio Utzig 9c25fa76e5 Avoid using uninitialized memory in split go
Since boot_read_image_headers only failed when reading headers from
both Slots failed, it could happen that even with a failure reading
Slot 1, this data would still be used by split booting. Now when
reading image headers an extra parameter allows the caller to ask
for failure when any slot read failed.

JIRA: MCUB-56
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-04 10:35:26 -07:00
Fabio Utzig 539860453c Remove duplicated copy/paste residue
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-04 10:35:26 -07:00
Fabio Utzig a722f5aaa1 Describe the tradeoffs of scratch size
JIRA: MCUB-74
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-04 10:34:43 -07:00
Dong Xiang 7cc3261e2d Correct the path of zephyr sample dts file
frdm_k64f.dts has been moved to boards/arm/frdm_k64f/

Signed-off-by: Dong Xiang <dong.xiang@linaro.org>
2017-12-27 07:30:55 -02:00
Sterling Hughes eafa1f028f Add NOTICE file for mcuboot from ASF
Signed-off-by: Sterling Hughes <sterling@runtime.io>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 14:49:11 -07:00
Fabio Utzig 57c40f7164 Fix assert abstraction in sim
Assertions that are expected to fail under sim test are now marked as such
using the macro ASSERT, which allows switching programmatically between normal
assert() behavior and captured assertion.

Assertion changes were moved to more appropriate owners and code duplication
was removed.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig a91c626f89 Mark non-used functions in overwrite only mode
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig eedcc450d6 Add test with write status area fail and interruption
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig b841f0a0c6 Add simple status write test without interruption
This test marks the status write regions as a bad region,
causing errors, but it is allowed to complete the swap. On
restart the firmware in slot0 should be validated and work.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig a0e1cce57a Enable ignoring write failures to status area
The rationale behind this change is that while performing a swap
operation, writes to the status area are not important enough
to abort the operation. If the swap is not interrupted, status
writes are ignored. If the swap is interrupted, failures to write
status area are detected during the next boot and an appropriate
measure is taken.

If MCUBOOT_VALIDATE_SLOT0 is set we ignore the status write fail
and allow slot0 to be validated by its hash/signature. Otherwise,
the old behavior is maintained, which is to abort on any write
failures.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig eb95a580b4 Enable slot0 validation in travis
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig fa137fc83d Add option to disable verifying contents before writes
At the moment writes always check that they are being
performed on an erased section of memory. This patch enables
a test to disable that, to enable looking for other error
causes.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig f5c895e3fc Add configurable simulation of bad memory writes
Add new interface to enable configuring regions of the simulated
memory to fail probabilistically. An entry is based on an offset,
length and rate of failure. This only applies to write operations
and throws an error that can be caught in tests.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig 9b0ee9034a Enable capturing asserts inside simulator
When building in simulator mode, mock assert() to call a simulator
function which will enable other code to check if some path failed.

The assert checking interface was added to boot_go which now
returns the low-level invocation results as well as the number of
asserts triggered.

Some new added tests check for assert() and expect it to happen. To not
abort tests, assert() was changed under sim env to not call c assert()
and instead just do some internal calculation which could be checked
by the simulator after a bootloader run and assert() catching behavior
was made optional (each test chooses the behavior it needs).

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig ebdc969738 Add MCUBOOT_VALIDATE_SLOT0 as feature
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig 43685c211a Enable extra crates in simflash
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00