# MCUboot Release Notes - Table of Contents {:toc} ## Version 1.3.0 The 1.3.0 release of MCUboot brings in many fixes and updates. There are no breaking changes in functionality. Many of the changes are refactorings that will make the code easier to maintain going forward. In addition, support has been added for encrypted images. See [the docs](encrypted_images.md) for more information. ### About this release - Modernize the Zephyr build scripts. - Add a `ptest` utility to help run the simulator in different configurations. - Migrate the simulator to Rust 2018 edition. The sim now requires at least Rust 1.32 to build. - Simulator cleanups. The simulator code is now built the same way for every configuration, and queries the MCUboot code for how it was compiled. - Abstract logging in MCUboot. This was needed to support the new logging system used in Zephyr. - Add multiple flash support. Allows slot1/scratch to be stored in an external flash device. - Add support for [encrypted images](encrypted_images.md). - Add support for flash devices that read as '0' when erased. - Add support to Zephyr for the `nrf52840_pca10059`. This board supports serial recovery over USB with CDC ACM. - imgtool is now also available as a python package on pypi.org. - Add an option to erase flash pages progressively during recovery to avoid possible timeouts (required especially by serial recovery using USB with CDC ACM). - imgtool: big-endian support - imgtool: saves in intel-hex format when output filename has `.hex` extension; otherwise saves in binary format. ## Version 1.2.0 The 1.2.0 release of MCUboot brings a lot of fixes/updates, where much of the changes were on the boot serial functionality and imgtool utility. There are no breaking changes in MCUBoot functionality, but some of the CLI parameters in imgtool were changed (either removed or added or updated). ### About this release - imgtool accepts .hex formatted input - Logging system is now configurable - Most Zephyr configuration has been switched to Kconfig - Build system accepts .pem files in build system to autogenerate required key arrays used internally - Zephyr build switched to using built-in flash_map and TinyCBOR modules - Serial boot has substantially decreased in space usage after refactorings - Serial boot build doesn't require newlib-c anymore on Zephyr - imgtool updates: + "create" subcommand can be used as an alias for "sign" + To allow imgtool to always perform the check that firmware does not overflow the status area, `--slot-size` was added and `--pad` was updated to act as a flag parameter. + `--overwrite-only` can be passed if not using swap upgrades + `--max-sectors` can be used to adjust the maximum amount of sectors that a swap can handle; this value must also be configured for the bootloader + `--pad-header` substitutes `--included-header` with reverted semantics, so it's not required for firmware built by Zephyr build system ### Known issues None ## Version 1.1.0 The 1.1.0 release of MCUboot brings a lot of fixes/updates to its inner workings, specially to its testing infrastructure which now enables a more thorough quality assurance of many of the available options. As expected of the 1.x.x release cycle, no breaking changes were made. From the tooling perpective the main addition is newt/imgtool support for password protected keys. ### About this release - serial recovery functionality support under Zephyr - simulator: lots of refactors were applied, which result in the simulator now leveraging the Rust testing infrastructure; testing of ecdsa (secp256r1) was added - imgtool: removed PKCS1.5 support, added support for password protected keys - tinycrypt 0.2.8 and the mbed-tls ASN1 parser are now bundled with mcuboot (eg secp256r1 is now free of external dependencies!) - Overwrite-only mode was updated to erase/copy only sectors that actually store firmware - A lot of small code and documentation fixes and updates. ### Known issues None ## Version 1.0.0 The 1.0.0 release of MCUboot introduces a format change. It is important to either use the `imgtool.py` also from this release, or pass the `-2` to recent versions of the `newt` tool in order to generate image headers with the new format. There should be no incompatible format changes throughout the 1.x.y release series. ### About this release - Header format change. This change was made to move all of the information about signatures out of the header and into the TLV block appended to the image. This allows - The signature to be replaced without changing the image. - Multiple signatures to be applied. This can be used, for example, to sign an image with two algorithms, to support different bootloader configurations based on these image. - The public key is referred to by its SHA1 hash (or a prefix of the hash), instead of an index that has to be maintained with the bootloader. - Allow new types of signatures in the future. - Support for PKCS#1 v1.5 signatures has been dropped. All RSA signatures should be made with PSS. The tools have been changed to reflect this. - The source for Tinycrypt has been placed in the MCUboot tree. A recent version of Tinycrypt introduced breaking API changes. To allow MCUboot to work across various platforms, we stop using the Tinycrypt bundled with the OS platform, and use our own version. A future release of MCUboot will update the Tinycrypt version. - Support for some new targets: - Nordic nRF51 and nRF52832 dev kits - Hexiwear K64 - Clearer sample applications have been added under `samples`. - Test plans for [zephyr](testplan-zephyr.md), and [mynewt](testplan-mynewt.md). - The simulator is now able to test RSA signatures. - There is an unimplemented `load_addr` header for future support for RAM loading in the bootloader. - Numerous documentation. ### Known issues None ## Version 0.9.0 This is the first release of MCUboot, a secure bootloader for 32-bit MCUs. It is designed to be operating system-agnostic and works over any transport - wired or wireless. It is also hardware independent, and relies on hardware porting layers from the operating system it works with. For the first release, we have support for three open source operating systems: Apache Mynewt, Zephyr and RIOT. ### About this release - This release supports building with and running Apache Mynewt and Zephyr targets. - RIOT is supported as a running target. - Image integrity is provided with SHA256. - Image originator authenticity is provided supporting the following signature algorithms: - RSA 2048 and RSA PKCS#1 v1.5 or v2.1 - Elliptic curve DSA with secp224r1 and secp256r1 - Two firmware upgrade algorithms are provided: - An overwrite only which upgrades slot 0 with the image in slot 1. - A swapping upgrade which enables image test, allowing for rollback to a previous known good image. - Supports both mbed-TLS and tinycrypt as backend crypto libraries. One of them must be defined and the chosen signing algorithm will require a particular library according to this list: - RSA 2048 needs mbed TLS - ECDSA secp224r1 needs mbed TLS - ECDSA secp256r1 needs tinycrypt as well as the ASN.1 code from mbed TLS (so still needs that present). ### Known issues - The image header and TLV formats are planned to change with release 1.0: https://runtimeco.atlassian.net/browse/MCUB-66