This fixes #480.
When mcuboot rewrites image trailers during a swap, some information is
lost. If a reset occurs before the swap completes, mcuboot may not be
able to determine which swap type to resume upon startup.
Specifically, if a "revert" swap gets interrupted, mcuboot will perform
an extraneous swap on the subsequent boot. See
https://github.com/JuulLabs-OSS/mcuboot/issues/480 for details.
This commit adds an additional field to the image trailer: `swap-type`.
The new trailer structure is illustrated below:
```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~                                                               ~
~    Swap status (BOOT_MAX_IMG_SECTORS * min-write-size * 3)    ~
~                                                               ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~               Encryption key 0 (16 octets) [*]                ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~               Encryption key 1 (16 octets) [*]                ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Swap size           |    0xff padding (4 octets)    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Swap type   |            0xff padding (7 octets)            ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Copy done   |            0xff padding (7 octets)            ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Image OK    |            0xff padding (7 octets)            ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~                       MAGIC (16 octets)                       ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
The `swap-type` field contains one of the `BOOT_SWAP_TYPE_[...]` constants.
Every time a trailer is written, this field is written along with it.
When resuming an interrupted swap, mcuboot uses this field alone to
determine the type of swap being resumed. For new swap operations
(non-resume case), this field is not read at all; instead, mcuboot
consults the `boot_swap_tables` array to determine the swap operation to
perform (as it did prior to this commit).
Some additional changes were necessary to make all the simulated unit
tests pass:
* Before initiating a new swap operation, always write the image trailer
to the scratch area. This step allows mcuboot to persist the
`swap-type` field somewhere before erasing the trailer in the primary
slot. If a reset occurs immediately after the erase, mcuboot recovers
by using the trailer in the scratch area.
* Related to the above: if the scratch area is being used to hold status
bytes (because there are no spare sectors in the primary slot), erase
the scratch area immediately after the trailer gets written to the
primary slot. This eliminates ambiguity regarding the location of the
current trailer in case a reset occurs shortly afterwards.
Signed-off-by: Christopher Collins <ccollins@apache.org>
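The resume logic the commit message describes, as an added example that is not MCUboot's own code: it lays out the fixed tail of the trailer from the diagram (swap size, swap type, copy done, image OK, magic), parses it back, and lets the recorded `swap-type` alone decide what an interrupted swap resumes as. The 8-byte min-write-size, the little-endian swap size, the `SWAP_TYPE_*` codes, the magic bytes and the helper names `trailer_build`, `trailer_parse`, `trailer_resume_type` and `resume_after_reset` are all assumptions of this example, not the project's constants or API.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Layout assumptions (placeholders, not MCUboot's constants): min-write-size
 * is 8, so each one-byte flag sits in an 8-byte field padded with 0xff, and
 * the swap size occupies the first 4 bytes (little-endian) of its field. */
#define TRAILER_ALIGN    8
#define TRAILER_MAGIC_SZ 16
#define TRAILER_TAIL_SZ  (4 * TRAILER_ALIGN + TRAILER_MAGIC_SZ)   /* 48 bytes */

/* Placeholder swap-type codes and magic bytes (assumptions). */
enum { SWAP_TYPE_NONE = 1, SWAP_TYPE_TEST = 2, SWAP_TYPE_PERM = 3,
       SWAP_TYPE_REVERT = 4, TRAILER_CORRUPT = -1 };
#define FLAG_SET   0x01
#define FLAG_UNSET 0xff

static const uint8_t trailer_magic[TRAILER_MAGIC_SZ] = {
    0x77, 0xc2, 0x95, 0xf3, 0x60, 0xd2, 0xef, 0x7f,
    0x35, 0x52, 0x50, 0x0f, 0x2c, 0xb6, 0x79, 0x80,
};

struct trailer_tail {
    uint32_t swap_size;
    uint8_t swap_type, copy_done, image_ok;
    int magic_good;   /* 1 if the 16 magic bytes match */
    int magic_unset;  /* 1 if the magic bytes are all 0xff (erased) */
};

static int all_ff(const uint8_t *p, size_t n)
{
    while (n--) {
        if (*p++ != 0xff) return 0;
    }
    return 1;
}

/* Write a tail the way the bootloader would: erase to 0xff, then swap size,
 * swap type, copy done, image ok, and the magic last. */
void trailer_build(uint8_t *tail, uint32_t swap_size, uint8_t swap_type,
                   uint8_t copy_done, uint8_t image_ok)
{
    memset(tail, 0xff, TRAILER_TAIL_SZ);
    for (int i = 0; i < 4; i++) tail[i] = (uint8_t)(swap_size >> (8 * i));
    tail[1 * TRAILER_ALIGN] = swap_type;
    tail[2 * TRAILER_ALIGN] = copy_done;
    tail[3 * TRAILER_ALIGN] = image_ok;
    memcpy(tail + 4 * TRAILER_ALIGN, trailer_magic, TRAILER_MAGIC_SZ);
}

/* Parse the last TRAILER_TAIL_SZ bytes of a slot. Any disturbed 0xff padding
 * is reported as TRAILER_CORRUPT rather than silently ignored. */
int trailer_parse(const uint8_t *tail, struct trailer_tail *out)
{
    const uint8_t *magic = tail + 4 * TRAILER_ALIGN;
    out->swap_size = (uint32_t)tail[0] | (uint32_t)tail[1] << 8 |
                     (uint32_t)tail[2] << 16 | (uint32_t)tail[3] << 24;
    out->swap_type = tail[1 * TRAILER_ALIGN];
    out->copy_done = tail[2 * TRAILER_ALIGN];
    out->image_ok  = tail[3 * TRAILER_ALIGN];
    out->magic_good  = memcmp(magic, trailer_magic, TRAILER_MAGIC_SZ) == 0;
    out->magic_unset = all_ff(magic, TRAILER_MAGIC_SZ);
    if (!all_ff(tail + 4, TRAILER_ALIGN - 4)) return TRAILER_CORRUPT;
    for (int f = 1; f < 4; f++) {
        if (!all_ff(tail + f * TRAILER_ALIGN + 1, TRAILER_ALIGN - 1))
            return TRAILER_CORRUPT;
    }
    return 0;
}

/* At startup, decide from the trailer alone which swap to resume. The
 * recorded swap type is authoritative, so an interrupted revert resumes as
 * a revert instead of being re-derived (and possibly re-swapped). */
int trailer_resume_type(const uint8_t *tail)
{
    struct trailer_tail t;
    if (trailer_parse(tail, &t) != 0) return TRAILER_CORRUPT;
    if (t.magic_unset) return SWAP_TYPE_NONE;            /* no trailer at all */
    if (!t.magic_good) return TRAILER_CORRUPT;           /* wrong magic: trust nothing */
    if (t.copy_done == FLAG_SET) return SWAP_TYPE_NONE;  /* last swap finished */
    switch (t.swap_type) {
    case SWAP_TYPE_TEST:
    case SWAP_TYPE_PERM:
    case SWAP_TYPE_REVERT:
        return t.swap_type;
    case FLAG_UNSET:
        /* Magic present, type never written: a fresh request that the swap
         * tables (not this field) classify, so nothing to resume here. */
        return SWAP_TYPE_NONE;
    default:
        return TRAILER_CORRUPT;
    }
}

/* Simulate "reset with this trailer state, then boot" on a constructed
 * tail; corrupt_magic flips one magic bit. Returns the resume decision. */
int resume_after_reset(uint8_t swap_type, uint8_t copy_done, int corrupt_magic)
{
    uint8_t tail[TRAILER_TAIL_SZ];
    trailer_build(tail, 0x20000, swap_type, copy_done, FLAG_UNSET);
    if (corrupt_magic) tail[TRAILER_TAIL_SZ - 1] ^= 0x01;
    return trailer_resume_type(tail);
}
```

The padding checks matter: a one-byte flag surrounded by seven bytes that are no longer 0xff is evidence of a partial or foreign write, and the safer answer is "corrupt" rather than guessing a swap type from the single byte.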
Prior to this change, the scratch image trailer had a different format
from a slot image trailer. Specifically:
1. The scratch trailer only contained a single set of status entries
(three bytes); the slot trailer contained `BOOT_STATUS_MAX_ENTRIES`
sets of status entries.
2. The scratch trailer did not contain the `copy_done` field.
This inconsistency required some extra conditional logic in the trailer
handling code. It is simpler to just use the same trailer format
everywhere.
This commit removes this inconsistency. Now, the scratch trailer
structure is identical to that of the slot trailer.
Signed-off-by: Christopher Collins <ccollins@apache.org>
In addition to the binary capability flags, add a query function that
returns the number of images MCUboot has been configured to support.
Signed-off-by: David Brown <david.brown@linaro.org>
The change

    boot: bootutil: Simplify check for crypto backends to reduce complexity

    Adding multiple crypto backends will grow quadratically. This change will
    ensure that the growth will be linear and generate less complexity.

unfortunately is not legal C. It can be fixed by eliminating the
intermediate macro, so that the `defined` keywords are within the `#if`.
Signed-off-by: David Brown <david.brown@linaro.org>
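The illegal pattern and its legal rewrite side by side, as an added example and not the project's code. The `MCUBOOT_USE_*` names mirror the backend-selection macros the commit refers to; which one is defined, and the "exactly one backend" policy, are assumptions of this example.

```c
#include <string.h>

/* Assumption for this demonstration: the build selected mbed TLS. */
#define MCUBOOT_USE_MBED_TLS 1

/*
 * Not legal C: a `defined` token that appears as the result of macro
 * expansion inside an #if is undefined behaviour (C11 6.10.1p4), so a
 * shortcut like this cannot be relied on:
 *
 *   #define MCUBOOT_HAVE_CRYPTO (defined(MCUBOOT_USE_MBED_TLS) || \
 *                                defined(MCUBOOT_USE_TINYCRYPT) || \
 *                                defined(MCUBOOT_USE_CC310))
 *   #if MCUBOOT_HAVE_CRYPTO
 *
 * Legal form: every `defined` is written directly on the #if line. Each
 * `defined(X)` evaluates to 0 or 1 there, so they can be summed, and a new
 * backend is one more term rather than another copy of the whole condition.
 */
#if defined(MCUBOOT_USE_MBED_TLS) + defined(MCUBOOT_USE_TINYCRYPT) + \
    defined(MCUBOOT_USE_CC310) != 1
#error "exactly one crypto backend must be selected"
#endif

/* Which backend got compiled in; resolved entirely at preprocessing time. */
const char *crypto_backend_name(void)
{
#if defined(MCUBOOT_USE_MBED_TLS)
    return "mbedtls";
#elif defined(MCUBOOT_USE_TINYCRYPT)
    return "tinycrypt";
#elif defined(MCUBOOT_USE_CC310)
    return "cc310";
#else
    return "none";
#endif
}
```

GCC and Clang accept the intermediate-macro form with only a warning (`-Wexpansion-to-defined` in GCC), which is why it can look fine on one toolchain and behave differently on another.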
mcuboot tests are done under sim and there is no need to maintain
separate tests just for Mynewt, especially since those no longer
compile and are no longer maintained.
Also, Mynewt code will depend on a release rather than master, so
there is no need to run those on Mynewt anyway.
Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
The build overflows by 100B using the 7-2018-q2-update GNU Arm
Embedded toolchain. Turn on size optimizations; this leaves about 19%
of the partition's flash available for MCUboot to grow into.
Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
The removal of CONFIG_BOOT_HAVE_LOGGING in 15aa6ef ("zephyr: remove
BOOT_HAVE_LOGGING Kconfig option") missed some uses. In particular,
the one in mcuboot_config.h that converts Kconfig options to MCUboot's
platform-agnostic configuration macros.
This broke logging even when the relevant Kconfig options were on.
Fix things up by using CONFIG_LOG instead.
Tested logging works again on nrf52840_pca10056. Build tested
nrf51_pca10056 to make sure it still fits. The nrf52840_pca10059 build
overflows flash by 0.16%, but that was a problem before 15aa6ef.
Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
This commit removes the non-standard BOOT_HAVE_LOGGING Kconfig option.
Instead the standard LOG / MCUBOOT_LOG_LEVEL can be used to control
logging.
Signed-off-by: Piotr Mienkowski <piotr.mienkowski@gmail.com>
Adding multiple crypto backends will grow quadratically. This change will
ensure that the growth will be linear and generate less complexity.
Signed-off-by: Sigvart Hovland <sigvart.m@gmail.com>
It is no longer necessary to override TEXT_SECTION_OFFSET when
BOARD_HAS_NRF5_BOOTLOADER. The nrf52840_pca10059 board no longer
overrides TEXT_SECTION_OFFSET but sets the correct FLASH_LOAD_OFFSET
instead, automatically.
Signed-off-by: Emanuele Di Santo <emdi@nordicsemi.no>
Fix bug #399 where dts.overlay was not being appended.
The build scripts were erroneously modifying the shadowed non-cache
variable instead of the cache variable.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Adds a `CC310` define which wraps the generic CC310 interface and adds
includes for using `NRF_CC310_BL` to CMakeLists. This requires `nrfxlib`
to be located outside of the mcuboot folder by 1 directory level. Also
adds the Kconfig defines needed for this to build while trying to make it
generic enough to be used by other vendors that have implemented
`CC310`.
Signed-off-by: Sigvart Hovland <sigvart.m@gmail.com>
The bootutil unit tests fail to build with the following error:
```
Testing package @mcuboot/boot/bootutil/test
Unsatisfied APIs detected:
    * log, required by: sys/log/modlog
```
This commit adds a `sys/log/stub` dependency to the bootutil unit test
package.
NOTE: This unit test package still fails to build because the code is
out of date. This commit just fixes one of several issues.
Signed-off-by: Christopher Collins <ccollins@apache.org>
These unit tests were failing with build errors such as this:
```
boot/boot_serial/test/src/testcases/boot_serial_img_msg.c:64:26: error: use of undeclared identifier 'FLASH_AREA_IMAGE_PRIMARY'
    rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY, &fap);
                         ^
```
The `FLASH_AREA_IMAGE_{PRIMARY,SECONDARY}` definitions were not visible
because `MCUBOOT_MYNEWT` was not getting defined in the boot_serial
unit test package.
This commit defines `MCUBOOT_MYNEWT` in the boot_serial unit test
package, and adds the necessary include to pull in the PRIMARY /
SECONDARY definitions.
Signed-off-by: Christopher Collins <ccollins@apache.org>
This change only affects the Mynewt port.
Prior to this commit, the `FLASH_AREA_IMAGE_{PRIMARY,SECONDARY}` macros
were private to the bootutil package (defined in `bootutil_priv.h`).
Some other packages require these symbols (e.g., the boot_serial unit
tests), so they should be made public.
This commit moves these definitions into the public `bootutil.h` header.
Signed-off-by: Christopher Collins <ccollins@apache.org>
Select the code partition as the target for link into.
This patch together with
https://github.com/zephyrproject-rtos/zephyr/pull/14620
fixes the issue which was imposed while zephyr moves
DTC before Kconfig processing in its build process.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
boot_enc_valid() is supposed to return a boolean, so
its return type was changed in order to reflect this.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The enc_state table was indexed with the assumption that
image flash area IDs are consecutive, increasing numbers.
This might not be true when building Zephyr.
This patch introduces a flash_area_id_to_image_slot() implementation for
the Zephyr port and uses it to assign the proper slot number.
This API is already available in MyNewt.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
This change replaces the slot 0/1 terminology with primary/secondary
slot and replaces FLASH_AREA_IMAGE_0/1 with
FLASH_AREA_IMAGE_PRIMARY/SECONDARY. This naming convention may be more
understandable, fits better to MCUs with multiple images and it is an
architecture agnostic alternative as well.
Change-Id: I655a585f6ae023852c671ee6635399efe25209c9
Signed-off-by: David Vincze <david.vincze@arm.com>
Signed-off-by: David Brown <david.brown@linaro.org>
The 'set_conf_file' pattern has been added to the Zephyr build
system, so it is not necessary for the application build script to
implement it.
Also, the macro has been deprecated, so it should not be used.
This change is a pure refactoring.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The logger issue on Xtensa is resolved in mainline Zephyr with
239805b2d82aebee4969c3ae57fbf8025c4fb60d. Hence logging can be
enabled now.
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
This Kconfig parameter makes MCUboot wait for a prescribed duration
of time to allow for USB DFU to be invoked.
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
Fix #10990.
A warning is triggered when snprintf is used because it is being
declared / configured incorrectly. The MBEDTLS configuration is
defaulting to disabling all of LIBC, and then explicitly enabling the
LIBC functions in use, this has been done for printf with
MBEDTLS_PLATFORM_STD_PRINTF, but not for
MBEDTLS_PLATFORM_STD_SNPRINTF.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Zephyr changed the way the UART device name label is generated,
which implies a device name label text change.
This patch aligns the code to the above change.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The Zephyr macro min() was changed to MIN().
The Kconfig key CDC_ACM_PORT_NAME was changed to CDC_ACM_PORT_NAME_0.
The Zephyr SHA at the time of the fix is 406dc2cb0e2868392f444677ace416440695829f.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Cleaned up the conf file for intel_s1000_crb by defining only
those values that are different from prj.conf.
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The pyocd runner in zephyr changed its arguments slightly when it
converted to the new unified pyocd tool with subcommands. Change the
board runner args here similarly so we can use 'west flash' again for
the zephyr bootloader.
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
Let's ensure that random Zephyr changes in logging don't affect
the resource usage in MCUBOOT, by setting LOG_LEVEL_DEFAULT
to 0.
Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Rather than use LOG_DEFAULT_LEVEL to control MCUBOOT's log output,
let's create an MCUBOOT specific log level setting.
Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Signed-off-by: Krzysztof Chruscinski <krzysztof.chruscinski@nordicsemi.no>
Commit 1d9e5ee1 ("logging: Refactoring 'in place' mode to reduce memory
footprint") changed the resource restrained version of LOGGER from
LOG_INPLACE_PROCESS to LOG_IMMEDIATE.
Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The Zephyr flash_map rework caused the exact area ID numbers to be
assigned dynamically.
This patch is the counterpart to
https://github.com/zephyrproject-rtos/zephyr/pull/8837
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
The upstream Zephyr runner for nrfjprog now supports an --erase
toggle, which controls whether a mass-erase is done. Add that to its
invocation when CONF_ZEPHYR_TRY_MASS_ERASE is given, just like is done
for dfu-util and pyocd.
Signed-off-by: Marti Bolivar <marti@foundries.io>
This change affects the "set pending" operation. That is, the operation
that configures mcuboot to temporarily swap images on the next boot.
PRIOR TO COMMIT:
If the slot 1 trailer contained an invalid 128-bit magic number, an
assertion would fail, causing a crash.
AFTER COMMIT:
If corruption is detected in the slot 1 trailer, the entire image slot
is erased, and the "set pending" operation fails with a `BOOT_EBADIMAGE`
status.
RATIONALE:
mcuboot cannot meaningfully recover from data corruption. The only
recourse is to erase the bad data so that future upgrades can be
performed. I was tempted to add a build-time setting to control whether
the image slot gets erased when corruption is detected, but I don't think this
freedom justifies the cost of extra config. A device with a corrupt
image slot can no longer be upgraded, so the only reason someone would
want to preserve the corrupt data would be for debugging.
Signed-off-by: Christopher Collins <ccollins@apache.org>
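The "after commit" behaviour, as an added example over a simulated secondary slot (this is not MCUboot's own `boot_set_pending`): a trailer whose magic is neither valid nor erased is treated as corrupt, the whole slot is erased, and the call fails instead of asserting. The trailer layout follows the diagram earlier on this page; the slot size, the magic bytes, the `BOOT_EBADIMAGE` value and the helper names `magic_state`, `set_pending_scenario`, `secondary_slot_erased` and `secondary_image_ok_set` are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SLOT_SIZE      4096                        /* assumption: tiny simulated slot */
#define MAGIC_SZ       16
#define IMAGE_OK_OFF   (SLOT_SIZE - MAGIC_SZ - 8)  /* 8-byte image_ok field just before the magic */
#define BOOT_EBADIMAGE 3                           /* assumption: placeholder error code */

/* Placeholder magic (assumption); the real value lives in bootutil. */
static const uint8_t boot_magic[MAGIC_SZ] = {
    0x77, 0xc2, 0x95, 0xf3, 0x60, 0xd2, 0xef, 0x7f,
    0x35, 0x52, 0x50, 0x0f, 0x2c, 0xb6, 0x79, 0x80,
};

/* Simulated flash: erased bytes read as 0xff. */
static uint8_t secondary_slot[SLOT_SIZE];

enum magic_state { MAGIC_GOOD, MAGIC_UNSET, MAGIC_BAD };

static enum magic_state magic_state(const uint8_t *slot)
{
    const uint8_t *m = slot + SLOT_SIZE - MAGIC_SZ;
    if (memcmp(m, boot_magic, MAGIC_SZ) == 0) return MAGIC_GOOD;
    for (size_t i = 0; i < MAGIC_SZ; i++) {
        if (m[i] != 0xff) return MAGIC_BAD;   /* neither valid nor erased */
    }
    return MAGIC_UNSET;
}

static void slot_erase(uint8_t *slot) { memset(slot, 0xff, SLOT_SIZE); }

static int slot_is_erased(const uint8_t *slot)
{
    for (size_t i = 0; i < SLOT_SIZE; i++) {
        if (slot[i] != 0xff) return 0;
    }
    return 1;
}

/* Mark the image in `slot` to be swapped in on the next boot. `permanent`
 * also sets image_ok so the new image is not reverted afterwards. A corrupt
 * trailer is erased along with the rest of the slot and reported, so the
 * slot can be reused by a later upgrade instead of wedging the device. */
int boot_set_pending(uint8_t *slot, int permanent)
{
    enum magic_state st = magic_state(slot);
    if (st == MAGIC_BAD) {
        slot_erase(slot);
        return BOOT_EBADIMAGE;
    }
    if (st == MAGIC_UNSET) {
        memcpy(slot + SLOT_SIZE - MAGIC_SZ, boot_magic, MAGIC_SZ);
    }
    if (permanent && slot[IMAGE_OK_OFF] == 0xff) {
        slot[IMAGE_OK_OFF] = 0x01;
    }
    return 0;
}

/* Scenario on constructed data: an erased slot holding a pretend image,
 * optionally with one bit of the trailer magic flipped. */
int set_pending_scenario(int corrupt_trailer, int permanent)
{
    slot_erase(secondary_slot);
    secondary_slot[0] = 0x42;                    /* stand-in for image bytes */
    if (corrupt_trailer) {
        memcpy(secondary_slot + SLOT_SIZE - MAGIC_SZ, boot_magic, MAGIC_SZ);
        secondary_slot[SLOT_SIZE - 1] ^= 0x80;
    }
    return boot_set_pending(secondary_slot, permanent);
}

int secondary_slot_erased(void)  { return slot_is_erased(secondary_slot); }
int secondary_image_ok_set(void) { return secondary_slot[IMAGE_OK_OFF] == 0x01; }
```

Note that the erased state (all 0xff) is deliberately distinguished from the corrupt state: an erased trailer is the normal starting point for a fresh upgrade, while anything else that is not the exact magic means the trailer cannot be interpreted.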
Disable logging and enable size optimizations on the
nrf51_pca10028 target in order to fit in the boot slot size
for the out-of-the-box build.
fixes #411
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>