This test was added to exercise a bug which happens when a failure
verifying the image in slot 1 would cause a write to image_ok when
the image in slot 0 already was a permanent image.
Signed-off-by: Fabio Utzig <utzig@apache.org>
The docopt package has moved from rustc-serialize to serde. Move to
this version, upgrading the custom deserialize we use for the alignment
argument.
Signed-off-by: David Brown <david.brown@linaro.org>
Move most dependencies to the latest version at the time of this commit.
docopt is left at the current version as there is an API change in the
newer version.
Signed-off-by: David Brown <david.brown@linaro.org>
It isn't necessary for the 'area' module to be exposed. Re-export the
two definitions from the crate at the top level, and make the module
private.
Signed-off-by: David Brown <david.brown@linaro.org>
The mbedtls library is used by the binding crate, so move the submodule
into this directory as well.
Signed-off-by: David Brown <david.brown@linaro.org>
Create a crate `mcuboot-sys` to hold the building and binding of the
mcuboot code. There aren't any substantive code changes here, just
moving the code into a separate crate.
Signed-off-by: David Brown <david.brown@linaro.org>
Using the published debug keypair, generate a signature with it, to add
to the TLV. This verifies that signature verification works as
expected.
Signed-off-by: David Brown <david.brown@linaro.org>
The bitflags crate seems to be better supported, and doesn't have the
problems getting the results back into the enum type.
Signed-off-by: David Brown <david.brown@linaro.org>
Since the signing code will also need a copy of the message, make a
local copy of it in the signature verification code, and compute the
digest all in one shot.
Signed-off-by: David Brown <david.brown@linaro.org>
The ring crate's SHA256 is slightly slower than the one from
rust-crypto, but is much cleaner to use. It also has all of the hashing
operations we need.
This crate is somewhat opinionated, e.g. will not sign messages without
also performing the signature itself. Unfortunately, this means we'll
end up computing signatures of the same data many times, and perhaps
this should be improved, since we're always using the same data.
Signed-off-by: David Brown <david.brown@linaro.org>
Instead of stubbing out the image validation code, compile it, and add
the SHA256 TLV to the buffer.
Signed-off-by: David Brown <david.brown@linaro.org>
In preparation for moving the bootutil binding into a separate crate,
move the flash simulator into its own crate. This will allow the
binding to have access to the simulator without creating a circular
dependency.
Signed-off-by: David Brown <david.brown@linaro.org>
Make 'Flash' a trait, and move the current functionality into a type
called 'SimFlash'. The code that runs the simulation only uses the
trait.
Signed-off-by: David Brown <david.brown@linaro.org>
Move the reference to the Flash device up into the Rust code instead of
trying to pass it back and forth to C. This will allow a future change
to use a fat pointer (such as a trait pointer), which ultimately will
allow different kinds of flash devices.
Signed-off-by: David Brown <david.brown@linaro.org>
- Some helper structs added to track state
- Add new trailer checking routine
- Add extra test for upgrade+revert with failure
- Misc improvements
Signed-off-by: Fabio Utzig <utzig@apache.org>
This implements changes according to MCUB-14, easing the process
of making external apps parse and read/write the trailer.
Signed-off-by: Fabio Utzig <utzig@apache.org>
Re-tab run.c to match the rest of the files in the system. This was
indented using Zephyr conventions (tabs for indent). Re-indent using
spaces, with a 4-space indent level.
Signed-off-by: David Brown <david.brown@linaro.org>
Extend the flash emulation in the simulator to verify that the
bootloader explicitly erases flash before writing to it for a second
time.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Implement the new flash sector query API for the simulator. This is
generated from the data for the deprecated API. Once the old API is
removed, the flash simulator can be changed to just return the new data
directly.
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
The boot response returns a flash offset, not a flash address. This is
causing confusion and leading to crashes on some platforms which don't
have flash at address 0.
Rename the field to make it more clear what its purpose is; future
patches can start fixing up usages.
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Before this change, the trailer was handled as part of the binary image,
which during a swap was just copied around together with the image.
This had issues if some fault happened while the trailer copy was
underway.
This patch changes how the trailer is handled by making it non-copying.
The trailer is now updated step-by-step based on the current status.
Magic, copy_done and image_ok are also handled by writing them
individually, not by copying.
The trailer on the scratch area was reduced to include at most the swap state
for one sector, since it is only used temporarily while erasing the last
sector of the slot that stores the final trailer.
Many other small fixes were applied.
Change the C logging code, when in the simulator, to query what the Rust
logging level is set to. This allows the level of logging from the C
code to be set through the environment. For example,
RUST_LOG=bootsim=info cargo run --release runall
will enable logging at the "info" level for all of the C code as well as
the simulator code. The C code's logging can be selected specifically
by using bootsim::api instead of just bootsim in the above.
Add a configuration option "BOOTUTIL_OVERWRITE_ONLY" that avoids using
the image swap code. Instead, when an upgrade is detected in slot 1, it
is copied directly onto slot 0. As long as the image in slot 1 is
valid, this should work robustly (it will redo it if power is lost
during the upgrade).
This doesn't protect against the case of deploying an image that fails
to boot on some devices. But, the behavior is similar to the swap
upgrade approach when the slot 1 image is marked initially as "image
ok", but without the complexity (or need of a swap partition) of the
swap code.
Add a simple function to query the bootloader for capabilities.
Ultimately, this API should be available to the running app, but the
simulator can use this to determine what to test.
Add logging support for when running in the simulator. Log messages are
still based on compile-time determinations, and log using printf.
Based on a patch from Marti Bolivar <marti.bolivar@linaro.org>.
In change
commit bb5635e074
Author: Fabio Utzig <utzig@utzig.org>
Date: Mon Apr 10 09:07:02 2017 -0300
Add test of multiple random resets while upgrading
in addition to adding the try_random_fails, it shuffled the order that
the initial interruption test ran. However, this test always clones
the flash device, so it doesn't matter what order the tests are run.
Revert this part of the change to avoid unnecessary complexity in the
code.
There are some instances of hard-coded offsets, which break if the
simulated device doesn't have the same configuration. Query these
from the flash descriptor rather than hard-coding them.
Although this contains a phantom pointer, because it is passed to C,
this generates a warning on every compile. Until this is fixed,
remove the lifetime declarations from the structures. The user will
have to make sure that the pointed-to structures remain until the C
structure is completed. For the common case of generating the C
structures just to make a call, this should be safe.
To make the images easier to identify during analysis, set the version
number. The major number tries to be set to the slot number, and the
build number is the byte offset.
Use the Rust logging so that normal messaging isn't overwhelmed by
messages printed. The default level is 'error' which will only print
full errors (including the failures at the end).
To run with warnings:
RUST_LOG=warn ./target/release/bootsim ...
This will print warnings, showing the particular failures in mind.
Using 'info' instead of 'warn' will print lots of progress as it runs.
'sim' is a small simulator for the bootloader's update code. It tests
untimely powerdowns to ensure that the bootloader will recover from a
power loss or reset at any time during the boot.
Note that, as of this commit, there are some failures in the test that
need to be investigated.
Also note that this build script does not output proper dependencies for
source files outside of the simulator directory, and won't rebuild the C
files if they or headers are modified.