Commit Graph

1178 Commits

Author SHA1 Message Date
Fabio Utzig 2f6c164f9a sim: fix flash padding to use erased val
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-10-01 18:30:05 -03:00
Fabio Utzig ea3d3abe5f sim: add protected TLVs to hash calculation
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-10-01 18:30:05 -03:00
Fabio Utzig e52c08edf0 bootutil: update to new protected TLV format
Implements the validation system where hashing is performed over header
+ payload + protected TLVs.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-10-01 18:30:05 -03:00
Fabio Utzig fd140ecef2 New protected TLV format proposal
Updates the protected TLV specification to have their own TLV info struct,
to ease hashing without having to skip parts of the image, while adding the
ability to append new non-protected TLVs.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-10-01 18:30:05 -03:00
Fabio Utzig ea34f9a77b Fix Mynewt boot_serial unittest
The boot_serial test was failing to build because it hadn't been updated to
use the new multi-image flash area nomenclature. This fixes the build.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-10-01 17:36:12 -03:00
Fabio Utzig 61fd888a7f Add TLV iterator API
This introduces an API which allows for iteration over an image's TLVs
without resorting to low-level implementation details. All previous TLV
low-level handling was updated to comply with this new interface, and it
also makes it easier for external code to handle TLVs.

The API provides two functions:

1) To start a new iterator:

```c
int bootutil_tlv_iter_begin(struct image_tlv_iter *it,
                            const struct image_header *hdr,
                            const struct flash_area *fap, uint8_t type,
                            bool prot);
```

2) To iterate over existing TLVs of given type:

```c
int bootutil_tlv_iter_next(struct image_tlv_iter *it, uint32_t *off,
                           uint16_t *len, uint8_t *type);
```

A type of IMAGE_TLV_ANY was added to allow for iteration over all TLVs.

Low-level TLV access functions were removed from API, but low-level
structs are still visible in the namespace.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-18 07:38:50 -05:00
Fabio Utzig 4f0ea747c3 Fix pep-8 (long line)
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-17 14:03:58 +02:00
Fabio Utzig b916e8dbb0 Fix author_email UNKNOWN in pip show
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-17 14:03:58 +02:00
Fabio Utzig 25c6a1590a Add versioning to imgtool
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-17 14:03:58 +02:00
Marti Bolivar 99ec383ea1 bootutil_misc: fix printf types in log macros
Upstream PR #547

The recent changes to these are tripping GCC printf-like macro
attribute warnings on my platform. Just cast all the values to ulong
to make everybody's compilers happy.

Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
2019-09-13 15:54:36 -06:00
Fabio Utzig e575b0b8ef Add macro to check if swap_type is an upgrade
This allows refactoring a check that was done in multiple places looking
for the same swap types.

Also fixes an issue where dependency checks would be run if a swap type
had a value that indicates fail.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-12 14:08:35 -03:00
Fabio Utzig b1adb1ed2e Fix validation when no image is present
The slot validation routine would result in a non-installed image being
treated as equivalent to a failed validation, which would set the swap type
to *_FAIL and require special handling in the dependency checks. This
routine was updated so that it now returns a value that can be used to
check that the error was due to an image not being found.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-12 14:08:35 -03:00
Fabio Utzig 59b63e5625 Fix indentation
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-10 13:41:58 -03:00
Fabio Utzig c28005b04f Use better naming for swap copy/erase functions
Since a copy/erase during a swap can result in some number of sectors
erased and copied, which is not necessarily equal to 1, update design
document and bootloader function naming to reflect this fact, by using
the postfix "_region" instead of "_sector" in those cases.

This fixes #541

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-10 13:41:58 -03:00
Fabio Utzig c21c210b82 Fix encrypted images with dependencies
This fixes an issue where dependencies were being decrypted before
hashing when encrypted images are used. When using dependencies, some
"protected" TLVs are added to the image. Those TLVs take part in the
image hash calculation, but are not encrypted and must be sent plain
to the hash update routine.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-10 12:13:56 -03:00
Ben McCrea 4c0ee9567c bootutil/bootutil_misc: fix compile error for debug log
BOOTUTIL_LOG_LEVEL_DEBUG was giving printf format compile errors

This patch fixes the issue.

Signed-off-by: Ben McCrea <bmccrea@juul.com>
2019-09-10 08:54:35 -06:00
Fabio Utzig cac58f6c72 boot: zephyr: main: tabs -> spaces
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 75b344198e Fix a few formatting issues in design doc
Fix text structures that were not rendering correctly in the generated
html.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 60319acf0f Update swap operation description in design doc
Update to better match the current implementation.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 4d7396d7f2 Fix swap status control
This fixes two issues related to swap status control:

1. During a swap, the status was written offset by one, because it was
   being incremented before it was written to flash. With the increment
   happening early the offset was calculated always one position after
   where it should be, which would leave the first status index free,
   and override the last one (worst case scenario).
2. When an image is too big it requires the swap status to be
   temporarily stored on scratch, to allow the last sector on the
   primary slot to be erased. The status is written to scratch for 2
   status updates, and afterwards copied back to the primary slot, which
   then receives future status updates. The code that copied the status
   back from scratch to the primary slot was erroneously copying the space
   of 3 status writes, which would result in a write over non-erased area
   for the third byte.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
David Brown e4576b888c sim: Test variants of single upgrade with multi-image
Test the variations of the situation where we are built for multi-image,
but are only upgrading a single image, including no dependencies,
correct dependencies, and unmet dependencies.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
David Brown e6ab34c367 Allow upgrades of only one slot
When only upgrading one slot, the swap type for the non-upgraded slot is
BOOT_SWAP_TYPE_FAIL instead of NONE. Account for this, and check slot 0
in this case.

This is probably not the correct solution, but it is unclear when the
dependencies of the other images' first slot would be checked.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
David Brown 873be31d5e sim: Add OldCorrect and NoUpgrade dependency types
Add two additional dependency types.  The NoUpgrade type indicates that
this slot should not contain an upgrade at all.  The OldCorrect
indicates a dependency on the old version of the other slot.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
David Brown 0e6bc7fe1c sim: Fix upgrade check
Instead of allowing a preliminary error if the first image is marked to
be held, allow this error if any of the images are marked to be held.
The error doesn't return which image caused the failure, so just check
if any are supposed to be held.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
David Brown 207c457dc6 sim: Derive PartialEq and Eq for UpgradeInfo
This will allow comparisons of the upgrade info.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
David Brown 18d301f588 sim: Add additional tests for mismatched upgrades
Test the configuration where one image has its dependencies met and the
other does not, and make sure in these cases we just hold back from
upgrading entirely.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
David Brown 179098888c sim: Use image number instead of slot in dep test
When generating dependencies, we were using the slot number instead of
the image number to determine which dependencies to mark invalid.  Fix
this, so that we can test configurations where one image is upgradeable
and the other not.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 135f716bfb Uncomment hold and add correct upgrades
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 298913b940 Fix dependency check infinite loop
This fixes the issue where an unmet dependency would result in a restart
of image dependency checks. To make the code easier to follow, some
function nesting was removed, functions that check slot dependencies
were renamed appropriately, and the dependency check is not done when no
upgrades are marked.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 7c1d1557f2 Do not panic when upgrade info tells to hold
Before running tests, a sanity upgrade was run to gather the amount of
flash writes to be expected for the operation. This operation fails when
the dependencies hold an upgrade, so the checks were updated to avoid
aborting under those circumstances.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 019a81a4f4 Move boot_is_version_sufficient to module scope
The checking of image version compatibility is only used by the
dependencies code; this makes the version checking function static, and
removes it from the exported API.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 75e9a59d40 Remove boot_swap_type usage in the bootloader
`boot_swap_type_multi` should be used instead. The `BOOT_CURR_IMG` macro
already returns the correct value in single image mode.

For compatibility with external tools like mcumgr, `boot_swap_type`
remains available and always returns the swap type of image 0.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 233af7d7b3 Add utility function to find offset/len of TLVs
Add a new function, boot_find_tlv_offs, that loads the beginning and end
offset of the TLV region.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig a87cc7d98c Use local var instead of repeated macro call
Store TLV offset in a variable to avoid repeating many calls to the
calculation macro.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig bc07793ab2 Add macro to check if image must be decrypted
An image must be decrypted when it is loaded on the secondary slot and
its header flag indicates it is encrypted. Instead of checking both
things every time the image is read, add a new macro, MUST_DECRYPT, that
does both checks.

Also `BOOT_CURR_ENC` was simplified to be used directly on
`bootutil_img_validate` calls, returning NULL for non-encrypted images.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 1e4284b358 Allow encrypted images in multi-image setting
Add extra encryption storage; add macro to access correct encryption
data for image being handled.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 6f49c27a56 Add boot_serial support for multi-images
This updates `image list` and `image upload` objects to support
multi-images. The information about which image is being handled was
added to the CBOR as an "image" field, which, when not available, is
considered to have value 0.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 61f08a04ae Add basic multi-image support for Mynewt
Allow Mynewt to be used in multi-image builds. Primary and secondary
slots of image 1 are hard-coded to FLASH_AREA_IMAGE_2 and FLASH_AREA_IMAGE_3.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig b63d995641 Remove function that marks encr keys invalid
Just use existing zeroize function, which also takes care of zeroing out
the encryption key data.

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig ea0de009c4 Enable already fixed test in Travis-CI
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 268ace0f6b Zero AES key when marking invalid
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 6ace9ee95c Mark key_unwrap local function static
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Fabio Utzig 81c467505b Fix build for multi-image using encrypted images
Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-09 10:00:09 -03:00
Håkon Øye Amundsen df8c8918b7 scripts: allow user to set load_addr
Allow the user to set the load_addr field of the header.
This could be useful in multi-image situations to help
deduce the image number of an update without having to
look at the swap info.

Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
2019-09-06 12:18:07 -03:00
Fabio Utzig 539d7662d1 Fix assemble.py tool for compatibility
This accounts for changes in the Zephyr build which include:

1) Flash areas are prefixed with `DT_`
2) The generated DTS was renamed to generated_dts_board_unfixed.h
3) The build tree has an extra "zephyr" dir.

Fixes #408

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-09-06 09:31:57 -03:00
Fabio Utzig 7eaaf67bbf Fix for CVE-2019-5477
https://nvd.nist.gov/vuln/detail/CVE-2019-5477

Signed-off-by: Fabio Utzig <utzig@apache.org>
2019-08-26 14:01:37 -03:00
Marti Bolivar f84cc4b309 zephyr: enable MULTITHREADING by default except on nRF
CONFIG_MULTITHREADING is generally assumed to be y by the zephyr
kernel, even though that's not reflected in the Kconfig. For example,
semaphores depend on it being y, but CMake will still build sem.c even
if it's n.

The sensible default for this option is thus y.

However, it's a size advantage to disable it if the platform drivers
are all aware of this option, such as nRF.

Let's re-work our use of this option to keep it disabled when we know
it's safe, but enable it by default so more platforms can be expected
to work out of the box.

Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
2019-08-22 14:21:41 +02:00
Marti Bolivar f2a8b78c98 zephyr: delete arduino_101.conf
This board is no longer supported by Zephyr or its hardware
manufacturer.

Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
2019-08-22 14:21:41 +02:00
Marti Bolivar 787b5cc2cd zephyr: remove ZEPHYR_BASE "bounce option" from Kconfig
These are not necessary anymore; kconfiglib evaluates $FOO in the
environment.

Signed-off-by: Marti Bolivar <marti.bolivar@nordicsemi.no>
2019-08-22 14:21:41 +02:00
David Brown fe5ab1c35b sim: Generalize test image dumping
Decode the MCUBOOT_DEBUG_DUMP environment variable into a series of
comma-separated strings, and create debug dumps for any test that
matches one of these strings.  Also, the special string 'all' will match
every test, causing every image under test to be dumped.

The dumped images will contain an atomic counter, so that all of the
generated files will be unique for a given run.

Signed-off-by: David Brown <david.brown@linaro.org>
2019-08-15 14:23:37 -05:00