Commit Graph

529 Commits

Author SHA1 Message Date
Fabio Utzig f70e302617 Fix warn in overwrite-only with slot0 validation
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-10 10:35:10 -07:00
Fabio Utzig 891f4fb023 Fix EC API usage due to change in mbed-TLS
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-10 10:34:45 -07:00
Fabio Utzig 476fd99d82 Bump to version 1.1.0
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-09 16:36:52 -02:00
Fabio Utzig 07d65c9a73 Update Mynewt version numbers
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-09 11:32:45 -07:00
Fabio Utzig 49045cc9e8 Update with 1.1.0 release notes
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-09 10:58:29 -07:00
David Brown f88d9f95d4 imgtool: Add password support to ECDSA
Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 31d29c8edb imgtool: Update docs for new key format
Update the dependencies needed, as well as adding a blurb about how to
password protect the private key.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 2c9153a268 imgtool: ECDSA pad signature
Until we fix the padding problem, pad the ecdsa signatures with zeros to
always be 72 bytes long.  Add a 'raw_sign' method so that the unit test
can use the real signature.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown b6e0ae695c fix: Add back ECDSA signature support
Replace the (now broken) ECDSA code with code using the python
'cryptography' library.

Similar to the change to RSA, this changes the format that private keys
are stored, again using PKCS#8.  This supports the stronger password
protection as well.

Again, this code will still support reading the older style of public
keys, but other tools that use keys generated by this change will need
to be updated to work with the new format.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 20462a7179 fix: RSA: Use 32-byte salt with PSS
The verification code requires a fixed 32-byte salt, which seems is what
the old crypto library did.  Use this same value to avoid having to
modify the code.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 1d5bea1cf7 imgtool: Add support for password protected RSA keys
The keygen command allows the `-p` argument which will prompt for a
password, and protect the private key with this password.  When loading
keys, it will prompt for a password if it detects a password protected
key.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 47b77c521a imgtool: Fix signing payload type
The 'cryptography' library is pickier about the data it is asked to
sign.  Get the bytes value out of the bytearray for doing the actual
signature.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 5e7c6dd58a imgtool: Update RSA code
Replace RSA code with one using the python 'cryptography' library.  This
library is much more complete, and will make adding support for password
protected keys, and separate public keys easier.

There is, however, a significant change brought about by this change:
the private keys are stored in PKCS#8 format, instead of the raw format
that was used previously.  This is a more modern format that has a few
advantages, including: supporting stronger password protection, and
allowing the key type to be determined upon read.

This tool will still support reading the old style public keys, but
other tools that use these keys will need to be updated in order to work
with the new format.

This new code has some unit tests to go along with it for some basic
sanity testing of the code.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown d4022576e4 imgtool: Remove PKCS1.5 support
Support for PKCS1.5 has been removed from the bootloader for a while
now, remove it as well from the tool.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown 244547346e imgtool: Move keys to submodule
Move this code into a submodule to prepare to cleanup and enhance the
key management code.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-09 09:41:30 -07:00
David Brown b730e2431a assemble.py: Add explicit license declaration
Although this file is likely implicitly licensed under the Apache 2.0
license because of the LICENSE file for this project, make this explicit
in this file.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-04 10:36:25 -07:00
David Brown 59ae522541 sim: Remove extraneous `mut`
This value does not need to be mutable as it is just given to another
function immediately.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-04 10:36:07 -07:00
David Brown 3df2a0ea15 sim: Update some dependencies
Move to newer versions of some upstream packages, lazy_static, which is
now at 1.0 (no api change), and error-chain (0.11), which eliminates a
warning during compilation.

Signed-off-by: David Brown <david.brown@linaro.org>
2018-01-04 10:36:07 -07:00
Fabio Utzig 9c25fa76e5 Avoid using uninitialized memory in split go
Since boot_read_image_headers only failed when reading headers from
both Slots failed, it could happen that even with a failure reading
Slot 1, this data would still be used by split booting. Now when
reading image headers an extra parameter allows the caller to ask
for failure when any slot read failed.

JIRA: MCUB-56
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-04 10:35:26 -07:00
Fabio Utzig 539860453c Remove duplicated copy/paste residue
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-04 10:35:26 -07:00
Fabio Utzig a722f5aaa1 Describe the tradeoffs of scratch size
JIRA: MCUB-74
Signed-off-by: Fabio Utzig <utzig@apache.org>
2018-01-04 10:34:43 -07:00
Dong Xiang 7cc3261e2d Correct the path of zephyr sample dts file
frdm_k64f.dts has been moved to boards/arm/frdm_k64f/

Signed-off-by: Dong Xiang <dong.xiang@linaro.org>
2017-12-27 07:30:55 -02:00
Sterling Hughes eafa1f028f Add NOTICE file for mcuboot from ASF
Signed-off-by: Sterling Hughes <sterling@runtime.io>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 14:49:11 -07:00
Fabio Utzig 57c40f7164 Fix assert abstraction in sim
Assertions that are expected to fail under sim test, are now marked as such
using the macro ASSERT which allows to programmatically switch between normal
assert() behavior and captured assertion.

Assertion changes were moved to more appropriate owners and code duplication
was removed.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig a91c626f89 Mark non-used functions in overwrite only mode
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig eedcc450d6 Add test with write status area fail and interruption
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig b841f0a0c6 Add simple status write test without interruption
This test marks the status write regions as a bad region,
causing errors, but it is allowed to complete the swap. On
restart the firmware in slot0 should be validated and work.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig a0e1cce57a Enable ignoring write failures to status area
The rationale behind this change is that while performing a swap
operation, writes to the status area are not important enough
to abort the operation. If the swap is not interrupted, status
writes are ignored. If the swap is interrupted, failures to write
status area are detected during the next boot and an appropriate
measure is taken.

If MCUBOOT_VALIDATE_SLOT0 is set we ignore the status write fail
and allow slot0 to be validated by its hash/signature. Otherwise,
the old behavior is maintained, which is to abort on any write
failures.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig eb95a580b4 Enable slot0 validation in travis
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig fa137fc83d Add option to disable verifying contents before writes
At the moment writes always checking that they are being
performed on an erased section of memory. This patch enables
a test to disable that, to enable looking for other error
causes.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig f5c895e3fc Add configurable simulation of bad memory writes
Add new interface to enable configuring regions of the simulated
memory to fail probabilistically. An entry is based on an offset,
length and rate of failure. This only applies to write operatios
and throws an error that can be caught in tests.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig 9b0ee9034a Enable capturing asserts inside simulator
When building in simulator mode, mock assert() to call an simulator
function which will enable other code to check if some path failed.

The assert checking interface, was added to boot_go which now
returns the low-level invocation results as well as the number of
asserts triggered.

Some new added tests check for assert() and expect it to happen. To not
abort tests, assert() was changed under sim env to not call c assert()
and instead just do some internal calculation which could be checked
by the simulator after a bootloader run and assert() catching behavior
was made optional (each test choses the behavior it needs).

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig ebdc969738 Add MCUBOOT_VALIDATE_SLOT0 as feature
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig 43685c211a Enable extra crates in simflash
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:36:34 -07:00
Fabio Utzig d32fd64e47 Fix mbed-tls' walk_dir in build
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:32:59 -07:00
Fabio Utzig 70f1481af3 Remove duplicated declaration
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:32:59 -07:00
Fabio Utzig 28ee5b0ea9 Add Zephyr support for bundled mbed-tls ASN1 parser
When using EC256 for signing, Zephyr now uses the bundled tinycrypt
and mbed-tls ASN1 parser instead of relying on the one provided by
the OS.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:32:59 -07:00
Fabio Utzig ac18eec773 Add Mynewt support for bundled tinycrypt + mbedtls
This commit removes the pseudo tinycrypt package based on symlinks
by adding a new pkg.yml to ext/tinycrypt and using it directly. It
also uses the new mbed-tls bundled ASN1 parser when EC256 is selected.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:32:59 -07:00
Fabio Utzig ba05f2a309 Add asn1 parser of mbed-tls
This bundles the asn1 parser from mbed-tls into mcuboot, which allows
adding EC crypto (tinycrypt based) functionality for target OSes that
don't bundle mbed-tls.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-21 13:32:59 -07:00
David Brown 1314bf3528 imgtool: Add explicit license declarations
Although these files are likely implicitly licensed under the Apache 2.0
license because of the LICENSE file for this project, make this explicit
in these files.

Signed-off-by: David Brown <david.brown@linaro.org>
2017-12-21 13:31:03 -07:00
Fabio Utzig 0bccf9d84c Build in std=c99 mode
Our current travis environment still uses gcc 4.8.4 which defaults to
std=gnu90. Some of tinycrypt's code requires c99.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig 1a927dd591 Update bootutil_sig_verify to receive slen as size_t
This fixes a comparison issue that was previously fixed by doing a
cast. Since tinycrypt and mbed-tls both already use an unsigned for
the size, the mcuboot interface was updated to also use an unsigned
value (size_t to be more precise!).

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig aaf767cf8a Fix warning in overwrite only
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig 181e54c382 Update cargo lock
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig a9a510b5a6 Add ecdsa testing to travis
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig 80fde2f544 Add ecdsa signing support to the simulator
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig 92be3fb667 Add ecdsa signing support
Since ring does not yet support ecdsa signing, a thin layer was added
to allow the simulator to call tinycrypt's signing routine.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig c786540825 Add ecdsa to build
This enables building ecdsa feature using tinycrypt (mbed still built
for ASN1). The default mbed-tls config was update to use the MCUBOOT_SIGN_*
symbols.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig 8b619bda54 Update ring+gcc crates and declare sig-ecdsa feature
Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-13 14:26:08 -07:00
Fabio Utzig f0e5419535 Use travis env variable to control check-signed-off-by
Instead of trying to determine current branch using git, just rely
on travis to know if this is a PR and if it is not, don't do
signed-off-by checking.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2017-12-06 16:46:58 -07:00