From e188dbb0e1c1e2e2cecd627fbf2e13042222b1da Mon Sep 17 00:00:00 2001
From: Jamie McCrae
Date: Tue, 29 Aug 2023 07:43:16 +0100
Subject: [PATCH 001/113] zephyr: Fix boot serial extensions
Fixes building the bootloader with serial recovery mode and boot serial extensions enabled due to changes in Zephyr's MCUmgr file and naming changes.
Signed-off-by: Jamie McCrae
---
 boot/zephyr/boot_serial_extensions.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/boot/zephyr/boot_serial_extensions.c b/boot/zephyr/boot_serial_extensions.c
index baa151c7d..b8bcd3e95 100644
--- a/boot/zephyr/boot_serial_extensions.c
+++ b/boot/zephyr/boot_serial_extensions.c
@@ -4,9 +4,12 @@
 * SPDX-License-Identifier: Apache-2.0
 */
+#include
 #include
 #include
-#include
+#include
+#include
+#include <../subsys/mgmt/mcumgr/transport/include/mgmt/mcumgr/transport/smp_internal.h>
 #include
 #include
@@ -140,7 +143,7 @@ int bs_peruser_system_specific(const struct nmgr_hdr *hdr, const char *buffer,
 {
 int mgmt_rc = MGMT_ERR_ENOTSUP;
- if (hdr->nh_group == ZEPHYR_MGMT_GRP_BASE) {
+ if (hdr->nh_group == ZEPHYR_MGMT_GRP_BASIC) {
 if (hdr->nh_op == NMGR_OP_WRITE) {
 #ifdef CONFIG_BOOT_MGMT_CUSTOM_STORAGE_ERASE
 if (hdr->nh_id == ZEPHYR_MGMT_GRP_BASIC_CMD_ERASE_STORAGE) {
From 0d2772cee874cba43f67986be62e67a0a3bb3217 Mon Sep 17 00:00:00 2001
From: Fabio Utzig
Date: Wed, 9 Aug 2023 15:05:12 -0300
Subject: [PATCH 002/113] Add Espressif build status badge
Add new badge to easily check build status for Espressif CI.
Signed-off-by: Fabio Utzig
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index a400a4def..5bf3f384e 100644
--- a/README.md
+++ b/README.md
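Review bot: The added `#include <../subsys/mgmt/mcumgr/transport/include/mgmt/mcumgr/transport/smp_internal.h>` reaches a private Zephyr header through a path relative to whichever include directory happens to resolve `..`, so the bootloader now depends on Zephyr's internal tree layout rather than on a public API; that is the same kind of coupling that produced the breakage this commit fixes. A comment above the line such as `/* Not a public Zephyr API: pulled from the MCUmgr transport tree; re-check on every Zephyr update. */` would at least warn the next maintainer, and adding that directory to the target's include path in the build files would be less fragile than the `../` path. The targets of the other three added `#include` lines are not visible in this copy of the hunk, so only this one can be checked here.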
@@ -4,6 +4,7 @@
 [![Coverity Scan Build Status](https://scan.coverity.com/projects/12307/badge.svg)][coverity]
 [![Build Status (Sim)](https://github.com/mcu-tools/mcuboot/workflows/Sim/badge.svg)][sim]
 [![Build Status (Mynewt)](https://github.com/mcu-tools/mcuboot/workflows/Mynewt/badge.svg)][mynewt]
+[![Build Status (Espressif)](https://github.com/mcu-tools/mcuboot/workflows/Espressif/badge.svg)][espressif]
 [![Publishing Status (imgtool)](https://github.com/mcu-tools/mcuboot/workflows/imgtool/badge.svg)][imgtool]
 [![Build Status (Travis CI)](https://img.shields.io/travis/mcu-tools/mcuboot/main.svg?label=travis-ci)][travis]
 [![Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)][license]
@@ -12,6 +13,7 @@
 [coverity]: https://scan.coverity.com/projects/mcuboot
 [sim]: https://github.com/mcu-tools/mcuboot/actions?query=workflow:Sim
 [mynewt]: https://github.com/mcu-tools/mcuboot/actions?query=workflow:Mynewt
+[espressif]: https://github.com/mcu-tools/mcuboot/actions?query=workflow:Espressif
 [imgtool]: https://github.com/mcu-tools/mcuboot/actions?query=workflow:imgtool
 [travis]: https://travis-ci.org/mcu-tools/mcuboot
 [license]: https://github.com/mcu-tools/mcuboot/blob/main/LICENSE
From b58962fad93b16a318a7afa5d46dc165a2857fcc Mon Sep 17 00:00:00 2001
From: Fabio Utzig
Date: Sat, 2 Sep 2023 15:58:55 -0300
Subject: [PATCH 003/113] docs: espressif: fix formatting of markdown
Fix documentation issues for the rendering of the Espressif README page. No content is changed with this commit, but formatting and line breaks are set to approximately 100 columns.
Signed-off-by: Fabio Utzig
---
 docs/readme-espressif.md | 513 ++++++++++++++++++++++++++-------------
 1 file changed, 348 insertions(+), 165 deletions(-)
diff --git a/docs/readme-espressif.md b/docs/readme-espressif.md
index cc2fa8bd1..ff51d1f67 100644
--- a/docs/readme-espressif.md
+++ b/docs/readme-espressif.md
@@ -1,67 +1,89 @@ # [Building and using MCUboot with Espressif's chips](#building-and-using-mcuboot-with-espressifs-chips) -The MCUBoot Espressif's port depends on HAL (Hardware Abstraction Layer) sources based on ESP-IDF or 3rd party frameworks as such as Zephyr-RTOS (`zephyrproject-rtos/hal_espressif/`) or NuttX RTOS (`espressif/esp-hal-3rdparty`). Building the MCUboot Espressif's port and its features is platform dependent, therefore, the system environment including toolchains, must be set accordingly. A standalone build version means that ESP-IDF and its toolchain are used as source. For 3rd parties framework, HAL path and toolchain must be set. +The MCUBoot Espressif's port depends on HAL (Hardware Abstraction Layer) sources based on ESP-IDF +or 3rd party frameworks as such as Zephyr-RTOS (`zephyrproject-rtos/hal_espressif/`) or NuttX RTOS +(`espressif/esp-hal-3rdparty`). Building the MCUboot Espressif's port and its features is platform +dependent, therefore, the system environment including toolchains, must be set accordingly. A +standalone build version means that ESP-IDF and its toolchain are used as source. For 3rd parties +framework, HAL path and toolchain must be set. -Documentation about the MCUboot bootloader design, operation and features can be found in the [design document](design.md). +Documentation about the MCUboot bootloader design, operation and features can be found in the +[design document](design.md). 
## [SoC support availability](#soc-support-availability) The current port is available for use in the following SoCs within the OSes: -| | ESP32 | ESP32-S2 | ESP32-C3 | ESP32-S3 | ESP32-C2 | ESP32-C6 | ESP32-H2 | -| :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | +| | ESP32 | ESP32-S2 | ESP32-C3 | ESP32-S3 | ESP32-C2 | ESP32-C6 | ESP32-H2 | +| :----: | :-----: | :-----: | :-----: | :-----: | :---------: | :-----: | :-----: | | Zephyr | Supported | Supported | Supported | Supported | In progress | In progress | In progress | -| NuttX | Supported | Supported | Supported | Supported | In progress | In progress | In progress | +| NuttX | Supported | Supported | Supported | Supported | In progress | In progress | In progress | -Notice that any customization in the memory layout from the OS application must be done aware of the bootloader own memory layout to avoid overlapping. More information on the section [Memory map organization for OS compatibility](#memory-map-organization-for-os-compatibility). +Notice that any customization in the memory layout from the OS application must be done aware of +the bootloader own memory layout to avoid overlapping. More information on the section +[Memory map organization for OS compatibility](#memory-map-organization-for-os-compatibility). ## [Installing requirements and dependencies](#installing-requirements-and-dependencies) The following instructions considers a MCUboot Espressif port standalone build. 1. Install additional packages required for development with MCUboot: -```bash -cd ~/mcuboot # or to your directory where MCUboot is cloned -``` -```bash -pip3 install --user -r scripts/requirements.txt -``` + + ```bash + cd ~/mcuboot # or to your directory where MCUboot is cloned + ``` + + ```bash + pip3 install --user -r scripts/requirements.txt + ``` 2. Update the Mbed TLS submodule required by MCUboot: -```bash -git submodule update --init --recursive ext/mbedtls -``` -3. 
If ESP-IDF is the chosen option for use as HAL layer and the system already have ESP-IDF installed, ensure that the environment is set: -```bash -/install.sh -``` -```bash -. /export.sh -``` + ```bash + git submodule update --init --recursive ext/mbedtls + ``` ---- -***Note*** +3. If ESP-IDF is the chosen option for use as HAL layer and the system already have ESP-IDF + installed, ensure that the environment is set: -*If desirable, instructions for ESP-IDF installation can be found [here](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/get-started/index.html#manual-installation)* + ```bash + /install.sh + ``` ---- + ```bash + . /export.sh + ``` ---- -***Note*** + --- + ***Note*** -*The other HALs mentioned above like `hal_espressif` from Zephyr RTOS or `esp-hal-3rdparty` from NuttX RTOS environments also can be used for the bootloader standalone build, however as eventually code revision may differ from what is currently expected, it is recommended using them only within their RTOS build system.* + *If desirable, instructions for ESP-IDF installation can be found + [here](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/get-started/index.html#manual-installation)* ---- + --- + + --- + ***Note*** + + *The other HALs mentioned above like `hal_espressif` from Zephyr RTOS or `esp-hal-3rdparty` + from NuttX RTOS environments also can be used for the bootloader standalone build, however as + eventually code revision may differ from what is currently expected, it is recommended using + them only within their RTOS build system.* + + --- 4. If ESP-IDF is not installed and will not be used, install `esptool`: -```bash -pip3 install esptool -``` + + ```bash + pip3 install esptool + ``` ## [Building the bootloader itself](#building-the-bootloader-itself) -The MCUboot Espressif port bootloader is built using the toolchain and tools provided by Espressif. 
Additional configuration related to MCUboot features and slot partitioning may be made using the `port//bootloader.conf` file or passing a custom config file using the `-DMCUBOOT_CONFIG_FILE` argument on the first step below. +The MCUboot Espressif port bootloader is built using the toolchain and tools provided by Espressif. +Additional configuration related to MCUboot features and slot partitioning may be made using the +`port//bootloader.conf` file or passing a custom config file using the +`-DMCUBOOT_CONFIG_FILE` argument on the first step below. --- ***Note*** 
@@ -71,126 +93,154 @@ The MCUboot Espressif port bootloader is built using the toolchain and tools pro --- 1. Compile and generate the BIN: -```bash -cmake -DCMAKE_TOOLCHAIN_FILE=tools/toolchain-.cmake -DMCUBOOT_TARGET= -DESP_HAL_PATH= -DMCUBOOT_FLASH_PORT= -B build -GNinja -``` -```bash -ninja -C build/ -``` ---- -***Note*** + ```bash + cmake -DCMAKE_TOOLCHAIN_FILE=tools/toolchain-.cmake -DMCUBOOT_TARGET= -DESP_HAL_PATH= -DMCUBOOT_FLASH_PORT= -B build -GNinja + ``` -*If using ESP-IDF as HAL layer source, `ESP_HAL_PATH` can be ommited.* + ```bash + ninja -C build/ + ``` ---- + --- + ***Note*** + + *If using ESP-IDF as HAL layer source, `ESP_HAL_PATH` can be ommited.* + + --- 2. Flash MCUboot in your device: -```bash -ninja -C build/ flash -``` -If `MCUBOOT_FLASH_PORT` arg was not passed to `cmake`, the default `PORT` for flashing will be `/dev/ttyUSB0`. + ```bash + ninja -C build/ flash + ``` -Alternatively: -```bash -esptool.py -p -b --before default_reset --after no_reset --chip write_flash --flash_mode dio --flash_size --flash_freq 40m build/mcuboot_.bin -``` ---- -***Note*** + If `MCUBOOT_FLASH_PORT` arg was not passed to `cmake`, the default `PORT` for flashing will be + `/dev/ttyUSB0`. -You may adjust the port `` (like `/dev/ttyUSB0`) and baud rate `` (like `2000000`) according to the connection with your board. -You can also skip `` and `` parameters so that esptool tries to automatically detect it. + Alternatively: -*`` can be found using the command below:* -```bash -esptool.py -p -b flash_id -``` -The output contains device information and its flash size: -``` -Detected flash size: 4MB -``` + ```bash + esptool.py -p -b --before default_reset --after no_reset --chip write_flash --flash_mode dio --flash_size --flash_freq 40m build/mcuboot_.bin + ``` + --- + ***Note*** -*`` value must follow one of the addresses below:* + You may adjust the port `` (like `/dev/ttyUSB0`) and baud rate `` (like `2000000`) + according to the connection with your board. 
You can also skip `` and `` parameters + so that esptool tries to automatically detect it. -| ESP32 | ESP32-S2 | ESP32-C3 | ESP32-S3 | ESP32-C2 | ESP32-C6 | ESP32-H2 | -| :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | -| 0x1000 | 0x1000 | 0x0000 | 0x0000 | 0x0000 | 0x0000 | 0x0000 | + *`` can be found using the command below:* ---- + ```bash + esptool.py -p -b flash_id + ``` + + The output contains device information and its flash size: + + ``` + Detected flash size: 4MB + ``` + + *`` value must follow one of the addresses below:* + + | ESP32 | ESP32-S2 | ESP32-C3 | ESP32-S3 | ESP32-C2 | ESP32-C6 | ESP32-H2 | + | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | :-----: | + | 0x1000 | 0x1000 | 0x0000 | 0x0000 | 0x0000 | 0x0000 | 0x0000 | + + --- 3. Reset your device ## [Signing and flashing an application](#signing-and-flashing-an-application) 1. Images can be regularly signed with the `scripts/imgtool.py` script: -```bash -imgtool.py sign --align 4 -v 0 -H 32 --pad-header -S -``` ---- + ```bash + imgtool.py sign --align 4 -v 0 -H 32 --pad-header -S + ``` -***Note*** + --- -`` is the size of the slot to be used. -Default slot0 size is `0x100000`, but it can change as per application flash partitions. + ***Note*** -For Zephyr images, `--pad-header` is not needed as it already has the padding for MCUboot header. + `` is the size of the slot to be used. + Default slot0 size is `0x100000`, but it can change as per application flash partitions. ---- + For Zephyr images, `--pad-header` is not needed as it already has the padding for MCUboot + header. -:warning: ***ATTENTION*** + --- -*This is the basic signing needed for adding MCUboot headers and trailers. 
-For signing with a crypto key and guarantee the authenticity of the image being booted, see the section [MCUboot image signature verification](#mcuboot-image-signature-verification) below.* + :warning: ***ATTENTION*** ---- + *This is the basic signing needed for adding MCUboot headers and trailers. + For signing with a crypto key and guarantee the authenticity of the image being booted, see the + section [MCUboot image signature verification](#mcuboot-image-signature-verification) below.* + + --- 2. Flash the signed application: -```bash -esptool.py -p -b --before default_reset --after hard_reset --chip write_flash --flash_mode dio --flash_size --flash_freq 40m -``` + + ```bash + esptool.py -p -b --before default_reset --after hard_reset --chip write_flash --flash_mode dio --flash_size --flash_freq 40m + ``` # [Downgrade prevention](#downgrade-prevention) -Downgrade prevention (avoid updating of images to an older version) can be enabled using the following configuration: +Downgrade prevention (avoid updating of images to an older version) can be enabled using the +following configuration: ``` CONFIG_ESP_DOWNGRADE_PREVENTION=y ``` -MCUboot will then verify and compare the new image version number with the current one before perform an update swap. +MCUboot will then verify and compare the new image version number with the current one before +perform an update swap. -Version number is added to the image when signing it with `imgtool` (`-v` parameter, e.g. `-v 1.0.0`). +Version number is added to the image when signing it with `imgtool` (`-v` parameter, e.g. +`-v 1.0.0`). ### [Downgrade prevention with security counter](#downgrade-prevention-with-security-counter) -It is also possible to rely on a security counter, also added to the image when signing with `imgtool` (`-s` parameter), apart from version number. This allows image downgrade at some extent, since any update must have greater or equal security counter value. 
Enable using the following configuration: +It is also possible to rely on a security counter, also added to the image when signing with +`imgtool` (`-s` parameter), apart from version number. This allows image downgrade at some extent, +since any update must have greater or equal security counter value. Enable using the following +configuration: ``` CONFIG_ESP_DOWNGRADE_PREVENTION_SECURITY_COUNTER=y ``` -E.g.: if the current image was signed using `-s 1` parameter, an eventual update image must have been signed using security counter `-s 1` or greater. +E.g.: if the current image was signed using `-s 1` parameter, an eventual update image must have +been signed using security counter `-s 1` or greater. # [Security Chain on Espressif port](#security-chain-on-espressif-port) -[MCUboot encrypted images](encrypted_images.md) do not provide full code confidentiality when only external storage is available (see [Threat model](encrypted_images.md#threat-model)) since by MCUboot design the image in Primary Slot, from where the image is executed, is stored plaintext. -Espressif chips have off-chip flash memory, so to ensure a security chain along with MCUboot image signature verification, the hardware-assisted Secure Boot and Flash Encryption were made available on the MCUboot Espressif port. +[MCUboot encrypted images](encrypted_images.md) do not provide full code confidentiality when only +external storage is available (see [Threat model](encrypted_images.md#threat-model)) since by +MCUboot design the image in Primary Slot, from where the image is executed, is stored plaintext. +Espressif chips have off-chip flash memory, so to ensure a security chain along with MCUboot image +signature verification, the hardware-assisted Secure Boot and Flash Encryption were made available +on the MCUboot Espressif port. 
## [MCUboot image signature verification](#mcuboot-image-signature-verification) -The image that MCUboot is booting can be signed with 4 types of keys: RSA-2048, RSA-3072, EC256 and ED25519. In order to enable the feature, the **bootloader** must be compiled with the following configurations: +The image that MCUboot is booting can be signed with 4 types of keys: RSA-2048, RSA-3072, EC256 and +ED25519. In order to enable the feature, the **bootloader** must be compiled with the following +configurations: --- ***Note*** -*It is strongly recommended to generate a new signing key using `imgtool` instead of use the existent samples.* +*It is strongly recommended to generate a new signing key using `imgtool` instead of use the +existent samples.* --- #### For EC256 algorithm use + ``` CONFIG_ESP_SIGN_EC256=y @@ -201,6 +251,7 @@ CONFIG_ESP_SIGN_KEY_FILE= ``` #### For ED25519 algorithm use + ``` CONFIG_ESP_SIGN_ED25519=y @@ -211,6 +262,7 @@ CONFIG_ESP_SIGN_KEY_FILE= ``` #### For RSA (2048 or 3072) algorithm use + ``` CONFIG_ESP_SIGN_RSA=y # RSA_LEN is 2048 or 3072 
@@ -222,27 +274,38 @@ CONFIG_ESP_USE_MBEDTLS=y CONFIG_ESP_SIGN_KEY_FILE= ``` -Notice that the public key will be embedded in the bootloader code, since the hardware key storage is not supported by Espressif port. +Notice that the public key will be embedded in the bootloader code, since the hardware key storage +is not supported by Espressif port. ### [Signing the image](#signing-the-image) Now you need to sign the **image binary**, use the `imgtool` with `-k` parameter: + ```bash imgtool.py sign -k --pad --pad-sig --align 4 -v 0 -H 32 --pad-header -S 0x00100000 ``` -If signing a Zephyr image, the `--pad-header` is not needed, as it already have the padding for MCUboot header. + +If signing a Zephyr image, the `--pad-header` is not needed, as it already have the padding for +MCUboot header. ## [Secure Boot](#secure-boot) -The Secure Boot implementation is based on [IDF's Secure Boot V2](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/secure-boot-v2.html), is hardware-assisted and RSA based, and has the role for ensuring that only authorized code will be executed on the device. This is done through bootloader signature checking by the ROM bootloader. \ -***Note***: ROM bootloader is the First Stage Bootloader, while the Espressif MCUboot port is the Second Stage Bootloader. +The Secure Boot implementation is based on +[IDF's Secure Boot V2](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/secure-boot-v2.html), +is hardware-assisted and RSA based, and has the role for ensuring that only authorized code will be +executed on the device. This is done through bootloader signature checking by the ROM bootloader. + +***Note***: ROM bootloader is the First Stage Bootloader, while the Espressif MCUboot port is the +Second Stage Bootloader. -***Note***: Currently on MCUboot Espressif Port, the Secure Boot V2 for ESP32-C2 is not supported yet. 
+***Note***: Currently on MCUboot Espressif Port, the Secure Boot V2 for ESP32-C2 is not supported +yet. ### [Building bootloader with Secure Boot](#building-bootloader-with-secure-boot) In order to build the bootloader with the feature on, the following configurations must be enabled: + ``` CONFIG_SECURE_BOOT=1 CONFIG_SECURE_BOOT_V2_ENABLED=1 @@ -254,7 +317,9 @@ CONFIG_SECURE_BOOT_SUPPORTS_RSA=1 --- :warning: ***ATTENTION*** -*On development phase is recommended add the following configuration in order to keep the debugging enabled and also to avoid any unrecoverable/permanent state change:* +*On development phase is recommended add the following configuration in order to keep the debugging +enabled and also to avoid any unrecoverable/permanent state change:* + ``` CONFIG_SECURE_BOOT_ALLOW_JTAG=1 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=1 @@ -263,20 +328,23 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=1 CONFIG_EFUSE_VIRTUAL=1 CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=1 ``` - --- --- :warning: ***ATTENTION*** *You can disable UART Download Mode by adding the following configuration:* + ``` CONFIG_SECURE_DISABLE_ROM_DL_MODE=1 ``` -*This may be suitable for **production** builds. **After disabling UART Download Mode you will not be able to flash other images through UART.*** +*This may be suitable for __production__ builds. __After disabling UART Download Mode you will not +be able to flash other images through UART.__* + +*Otherwise, you can switch the UART ROM Download Mode to the Secure Download Mode. It will limit +the use of Download Mode functions to simple flash read, write and erase operations.* -*Otherwise, you can switch the UART ROM Download Mode to the Secure Download Mode. It will limit the use of Download Mode functions to simple flash read, write and erase operations.* ``` CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=1 ``` 
@@ -285,14 +353,17 @@ CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=1 --- -Once the **bootloader image** is built, the resulting binary file is required to be signed with `espsecure.py` tool. +Once the **bootloader image** is built, the resulting binary file is required to be signed with +`espsecure.py` tool. First create a signing key: + ```bash espsecure.py generate_signing_key --version 2 ``` Then sign the bootloader image: + ```bash espsecure.py sign_data --version 2 --keyfile -o ``` 
@@ -300,58 +371,81 @@ espsecure.py sign_data --version 2 --keyfile -o -b 2000000 --after no_reset --chip write_flash --flash_mode dio --flash_size --flash_freq 40m ``` ### [Secure Boot Process](#secure-boot-process) -Secure boot uses a signature block appended to the bootloader image in order to verify the authenticity. The signature block contains the RSA-3072 signature of that image and the RSA-3072 public key. +Secure boot uses a signature block appended to the bootloader image in order to verify the +authenticity. The signature block contains the RSA-3072 signature of that image and the RSA-3072 +public key. -On its **first boot** the Secure Boot is not enabled on the device eFuses yet, neither the key nor digests. So the first boot will have the following process: +On its **first boot** the Secure Boot is not enabled on the device eFuses yet, neither the key nor +digests. So the first boot will have the following process: -1. On startup, since it is the first boot, the ROM bootloader will not verify the bootloader image (the Secure Boot bit in the eFuse is disabled) yet, so it proceeds to execute it (our MCUboot bootloader port). +1. On startup, since it is the first boot, the ROM bootloader will not verify the bootloader image + (the Secure Boot bit in the eFuse is disabled) yet, so it proceeds to execute it (our MCUboot + bootloader port). 2. Bootloader calculates the SHA-256 hash digest of the public key and writes the result to eFuse. 3. Bootloader validates the application images and prepare the booting process (MCUboot phase). 4. Bootloader burns eFuse to enable Secure Boot V2. 5. Bootloader proceeds to load the Primary image. -After that the Secure Boot feature is permanently enabled and on every next boot the ROM bootloader will verify the MCUboot bootloader image. -The process of an usual boot: - -1. On startup, the ROM bootloader checks the Secure Boot enable bit in the eFuse. If it is enabled, the boot will proceed as following. -2. 
ROM bootloader verifies the bootloader's signature block integrity (magic number and CRC). Interrupt boot if it fails. -3. ROM bootloader verifies the bootloader image, interrupt boot if any step fails.: \ -3.1. Compare the SHA-256 hash digest of the public key embedded in the bootloader’s signature block with the digest saved in the eFuses. \ -3.2. Generate the application image digest and match it with the image digest in the signature block. \ -3.3. Use the public key to verify the signature of the bootloader image, using RSA-PSS with the image digest calculated from previous step for comparison. +After that the Secure Boot feature is permanently enabled and on every next boot the ROM bootloader +will verify the MCUboot bootloader image. The process of an usual boot: + +1. On startup, the ROM bootloader checks the Secure Boot enable bit in the eFuse. If it is enabled, + the boot will proceed as following. +2. ROM bootloader verifies the bootloader's signature block integrity (magic number and CRC). + Interrupt boot if it fails. +3. ROM bootloader verifies the bootloader image, interrupt boot if any step fails: + 1. Compare the SHA-256 hash digest of the public key embedded in the bootloader’s signature + block with the digest saved in the eFuses. + 2. Generate the application image digest and match it with the image digest in the signature + block. + 3. Use the public key to verify the signature of the bootloader image, using RSA-PSS with the + image digest calculated from previous step for comparison. 4. ROM bootloader executes the bootloader image. 5. Bootloader does the usual verification (MCUboot phase). 6. Proceeds to boot the Primary image. ## [Flash Encryption](#flash-encryption) -The Espressif Flash Encryption is hardware-assisted, transparent to the MCUboot process and is an additional security measure beyond MCUboot existent features. 
-The Flash Encryption implementation is also based on [IDF](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html) and is intended for encrypting off-chip flash memory contents, so it is protected against physical reading. +The Espressif Flash Encryption is hardware-assisted, transparent to the MCUboot process and is an +additional security measure beyond MCUboot existent features. +The Flash Encryption implementation is also based on +[IDF](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html) +and is intended for encrypting off-chip flash memory contents, so it is protected against physical +reading. -When enabling the Flash Encryption, the user can encrypt the content either using a **device generated key** (remains unknown and unreadable) or a **host generated key** (owner is responsible for keeping the key private and safe). After the flash encryption gets enabled through eFuse burning on the device, all read and write operations are decrypted/encrypted in runtime. +When enabling the Flash Encryption, the user can encrypt the content either using a **device +generated key** (remains unknown and unreadable) or a **host generated key** (owner is responsible +for keeping the key private and safe). After the flash encryption gets enabled through eFuse +burning on the device, all read and write operations are decrypted/encrypted in runtime. ### [Building bootloader with Flash Encryption](#building-bootloader-with-flash-encryption) In order to build the bootloader with the feature on, the following configurations must be enabled: For **release mode**: + ``` CONFIG_SECURE_FLASH_ENC_ENABLED=1 CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=1 ``` For **development mode**: + ``` CONFIG_SECURE_FLASH_ENC_ENABLED=1 CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=1 
@@ -360,7 +454,9 @@ CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=1 --- :warning: ***ATTENTION*** -*On development phase is strongly recommended adding the following configuration in order to keep the debugging enabled and also to avoid any unrecoverable/permanent state change:* +*On development phase is strongly recommended adding the following configuration in order to keep +the debugging enabled and also to avoid any unrecoverable/permanent state change:* + ``` CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=1 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=1 
@@ -376,18 +472,27 @@ CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=1 --- :warning: ***ATTENTION*** -*Unless the recommended flags for **DEVELOPMENT MODE** were enabled, the actions made by Flash Encryption process are **PERMANENT**.* \ -*Once the bootloader is flashed and the device resets, the **first boot will enable Flash Encryption, encrypt the flash content including bootloader and image slots, burn the eFuses that no longer can be modified** and if device generated the key **it will not be recoverable**.* \ -*When on **RELEASE MODE**, **ENSURE** that the application with an update agent is flashed before reset the device.* +*Unless the recommended flags for __DEVELOPMENT MODE__ were enabled, the actions made by Flash +Encryption process are __PERMANENT__.* \ +*Once the bootloader is flashed and the device resets, the __first boot will enable Flash +Encryption, encrypt the flash content including bootloader and image slots, burn the eFuses that no +longer can be modified__ and if device generated the key __it will not be recoverable__.* \ +*When on __RELEASE MODE__, __ENSURE__ that the application with an update agent is flashed before +reset the device.* + +*In the same way as Secure Boot feature, you can disable UART Download Mode by adding the following +configuration:* -*In the same way as Secure Boot feature, you can disable UART Download Mode by adding the following configuration:* ``` CONFIG_SECURE_DISABLE_ROM_DL_MODE=1 ``` -*This may be suitable for **production** builds. **After disabling UART Download Mode you will not be able to flash other images through UART.*** +*This may be suitable for __production__ builds. __After disabling UART Download Mode you will not +be able to flash other images through UART.__* + +*Otherwise, you can switch the UART Download Mode to the Secure Download Mode. 
It will limit the +use of Download Mode functions to simple flash read, write and erase operations.* -*Otherwise, you can switch the UART Download Mode to the Secure Download Mode. It will limit the use of Download Mode functions to simple flash read, write and erase operations.* ``` CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=1 ``` @@ -398,25 +503,30 @@ CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=1 ### [Signing the image when working with Flash Encryption](#signing-the-image-when-working-with-flash-encryption) -When enabling flash encryption, it is required to signed the image using 32-byte alignment: `--align 32 --max-align 32`. +When enabling flash encryption, it is required to signed the image using 32-byte alignment: +`--align 32 --max-align 32`. Command example: + ```bash imgtool.py sign -k --pad --pad-sig --align 32 --max-align 32 -v 0 -H 32 --pad-header -S ``` ### [Device generated key](#device-generated-key) -First ensure that the application image is able to perform encrypted read and write operations to the SPI Flash. -Flash the bootloader and application normally: +First ensure that the application image is able to perform encrypted read and write operations to +the SPI Flash. Flash the bootloader and application normally: + ```bash esptool.py -p -b 2000000 --after no_reset --chip write_flash --flash_mode dio --flash_size --flash_freq 40m ``` + ```bash esptool.py -p -b 2000000 --after no_reset --chip write_flash --flash_mode dio --flash_size --flash_freq 40m ``` On the **first boot**, the bootloader will: + 1. Generate Flash Encryption key and write to eFuse. 2. Encrypt flash in-place including bootloader, image primary/secondary slot and scratch. 3. Burn eFuse to enable Flash Encryption. 
@@ -424,55 +534,73 @@ On the **first boot**, the bootloader will: ### [Host generated key](#host-generated-key) -First ensure that the application image is able to perform encrypted read and write operations to the SPI Flash. Also ensure that the **UART ROM Download Mode is not disabled** - or that the **Secure Download Mode is enabled**. -Before flashing, generate the encryption key using `espsecure.py` tool: +First ensure that the application image is able to perform encrypted read and write operations to +the SPI Flash. Also ensure that the **UART ROM Download Mode is not disabled** - or that the +**Secure Download Mode is enabled**. Before flashing, generate the encryption key using +`espsecure.py` tool: + ```bash espsecure.py generate_flash_encryption_key ``` -Burn the key into the device's eFuse (keep a copy on the host), this action can be done **only once**: +Burn the key into the device's eFuse (keep a copy on the host), this action can be done **only +once**: --- :warning: ***ATTENTION*** -*eFuse emulation in Flash configuration options do not have any effect, so if the key burning command below is used, it will actually burn the physical eFuse.* +*eFuse emulation in Flash configuration options do not have any effect, so if the key burning +command below is used, it will actually burn the physical eFuse.* --- - ESP32 + ```bash espefuse.py --port PORT burn_key flash_encryption ``` - ESP32S2, ESP32C3 and ESP32S3 + ```bash espefuse.py --port PORT burn_key BLOCK ``` -BLOCK is a free keyblock between BLOCK_KEY0 and BLOCK_KEY5. And KEYPURPOSE is either XTS_AES_128_KEY, XTS_AES_256_KEY_1, XTS_AES_256_KEY_2 (AES XTS 256 is available only in ESP32S2). +`BLOCK` is a free keyblock between `BLOCK_KEY0` and `BLOCK_KEY5`. And `KEYPURPOSE` is either +`XTS_AES_128_KEY`, `XTS_AES_256_KEY_1`, `XTS_AES_256_KEY_2` (AES XTS 256 is available only in +ESP32S2). -Now, similar as the Device generated key, the bootloader and application can be flashed plaintext. 
The **first boot** will encrypt the flash content using the host key burned in the eFuse instead of generate a new one. +Now, similar as the Device generated key, the bootloader and application can be flashed plaintext. +The **first boot** will encrypt the flash content using the host key burned in the eFuse instead +of generate a new one. Flashing the bootloader and application: + ```bash esptool.py -p -b 2000000 --after no_reset --chip write_flash --flash_mode dio --flash_size --flash_freq 40m ``` + ```bash esptool.py -p -b 2000000 --after no_reset --chip write_flash --flash_mode dio --flash_size --flash_freq 40m ``` On the **first boot**, the bootloader will: -1. Encrypt flash in-place including bootloader, image primary/secondary slot and scratch using the written key. + +1. Encrypt flash in-place including bootloader, image primary/secondary slot and scratch using the + written key. 2. Burn eFuse to enable Flash Encryption. 3. Reset system to ensure Flash Encryption cache resets properly. Encrypting data on the host: + - ESP32 + ```bash espsecure.py encrypt_flash_data --keyfile --address --output ``` - ESP32-S2, ESP32-C3 and ESP32-S3 + ```bash espsecure.py encrypt_flash_data --aes_xts --keyfile --address --output ``` 
@@ -480,36 +608,51 @@ espsecure.py encrypt_flash_data --aes_xts --keyfile - --- ***Note*** -OTA updates are required to be sent plaintext. The reason is that, as said before, after the Flash Encryption is enabled all read/write operations are decrypted/encrypted in runtime, so as e.g. if pre-encrypted data is sent for an OTA update, it would be wrongly double-encrypted when the update agent writes to the flash. +OTA updates are required to be sent plaintext. The reason is that, as said before, after the Flash +Encryption is enabled all read/write operations are decrypted/encrypted in runtime, so as e.g. if +pre-encrypted data is sent for an OTA update, it would be wrongly double-encrypted when the update +agent writes to the flash. -For updating with an image encrypted on the host, flash it through serial using `esptool.py` as above. **UART ROM Download Mode must not be disabled**. +For updating with an image encrypted on the host, flash it through serial using `esptool.py` as +above. **UART ROM Download Mode must not be disabled**. --- ## [Security Chain scheme](#security-chain-scheme) -Using the 3 features, Secure Boot, Image signature verification and Flash Encryption, a Security Chain can be established so only trusted code is executed, and also the code and content residing in the off-chip flash are protected against undesirable reading. +Using the 3 features, Secure Boot, Image signature verification and Flash Encryption, a Security +Chain can be established so only trusted code is executed, and also the code and content residing +in the off-chip flash are protected against undesirable reading. The overall final process when all features are enabled: + 1. ROM bootloader validates the MCUboot bootloader using RSA signature verification. -2. MCUboot bootloader validates the image using the chosen algorithm EC256/RSA/ED25519. It also validates an upcoming image when updating. +2. 
MCUboot bootloader validates the image using the chosen algorithm EC256/RSA/ED25519. It also + validates an upcoming image when updating. 3. Flash Encryption guarantees that code and data are not exposed. ### [Size Limitation](#size-limitation) -When all 3 features are enable at same time, the bootloader size may exceed the fixed limit for the ROM bootloader checking on the Espressif chips **depending on which algorithm** was chosen for MCUboot image signing. The issue https://github.com/mcu-tools/mcuboot/issues/1262 was created to track this limitation. +When all 3 features are enable at same time, the bootloader size may exceed the fixed limit for +the ROM bootloader checking on the Espressif chips **depending on which algorithm** was chosen for +MCUboot image signing. The issue was created to +track this limitation. ## [Multi image](#multi-image) -The multi image feature (currently limited to 2 images) allows the images to be updated separately (each one has its own primary and secondary slot) by MCUboot. +The multi image feature (currently limited to 2 images) allows the images to be updated separately +(each one has its own primary and secondary slot) by MCUboot. The Espressif port bootloader handles the boot in two different approaches: ### [Host OS boots second image](#host-os-boots-second-image) -Host OS from the *first image* is responsible for booting the *second image*, therefore the bootloader is aware of the second image regions and can update it, however it does not load neither boots it. +Host OS from the *first image* is responsible for booting the *second image*, therefore the +bootloader is aware of the second image regions and can update it, however it does not load +neither boots it. Configuration example (`bootloader.conf`): + ``` CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_MCUBOOT_WDT_ENABLE=y 
@@ -532,7 +675,10 @@ CONFIG_ESP_SCRATCH_SIZE=0x40000 ### [Multi boot](#multi-boot) -In the multi boot approach the bootloader is responsible for booting two different images in two different CPUs, firstly the *second image* on the APP CPU and then the *first image* on the PRO CPU (current CPU), it is also responsible for update both images as well. Thus multi boot will be only supported by Espressif multi core chips - currently only ESP32 is implemented. +In the multi boot approach the bootloader is responsible for booting two different images in two +different CPUs, firstly the *second image* on the APP CPU and then the *first image* on the PRO +CPU (current CPU), it is also responsible for update both images as well. Thus multi boot will be +only supported by Espressif multi core chips - currently only ESP32 is implemented. --- ***Note*** @@ -542,6 +688,7 @@ In the multi boot approach the bootloader is responsible for booting two differe --- Configuration example: + ``` CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_MCUBOOT_WDT_ENABLE=y 
@@ -569,29 +716,38 @@ CONFIG_ESP_SCRATCH_SIZE=0x40000 ### [Image version dependency](#image-version-dependency) -MCUboot allows version dependency check between the images when updating them. As `imgtool.py` allows a version assigment when signing an image, it is also possible to add the version dependency constraint: +MCUboot allows version dependency check between the images when updating them. As `imgtool.py` +allows a version assigment when signing an image, it is also possible to add the version +dependency constraint: + ```bash imgtool.py sign --align 4 -v -d "(, )" -H 32 --pad-header -S ``` - `` defines the version of the image being signed. -- `"(, )"` defines the minimum version and from which image is needed to satisfy the dependency. +- `"(, )"` defines the minimum version and from which image is + needed to satisfy the dependency. --- Example: + ```bash imgtool.py sign --align 4 -v 1.0.0 -d "(1, 0.0.1+0)" -H 32 --pad-header -S 0x100000 image0.bin image0-signed.bin ``` -Supposing that the image 0 is being signed, its version is 1.0.0 and it depends on image 1 with version at least 0.0.1+0. +Supposing that the image 0 is being signed, its version is 1.0.0 and it depends on image 1 with +version at least 0.0.1+0. --- ## [Serial recovery mode](#serial-recovery-mode) -Serial recovery mode allows management through MCUMGR (more information and how to install it: https://github.com/apache/mynewt-mcumgr-cli) for communicating and uploading a firmware to the device. +Serial recovery mode allows management through MCUMGR (more information and how to install it: +) for communicating and uploading a firmware to the +device. Configuration example: + ``` # Enables the MCUboot Serial Recovery, that allows the use of # MCUMGR to upload a firmware through the serial port 
@@ -612,20 +768,28 @@ CONFIG_ESP_SERIAL_BOOT_GPIO_RX=25 CONFIG_ESP_SERIAL_BOOT_GPIO_TX=26 ``` -When enabled, the bootloader checks the if the GPIO `` configured has the signal value `` for approximately `` seconds for entering the Serial recovery mode. Example: a button configured on GPIO 32 pressed for 5 seconds. +When enabled, the bootloader checks the if the GPIO `` +configured has the signal value `` for approximately +`` seconds for entering the Serial recovery mode. Example: +a button configured on GPIO 32 pressed for 5 seconds. -Serial mode then uses the UART port configured for communication (``, pins ``, ``). +Serial mode then uses the UART port configured for communication +(``, pins ``, +``). ### [Serial Recovery through USB JTAG Serial port](#serial-recovery-through-usb-jtag-serial-port) -Some chips, like ESP32-C3 and ESP32-S3 have an integrated USB JTAG Serial Controller that implements a serial port (CDC) that can also be used for handling MCUboot Serial Recovery. +Some chips, like ESP32-C3 and ESP32-S3 have an integrated USB JTAG Serial Controller that +implements a serial port (CDC) that can also be used for handling MCUboot Serial Recovery. More information about the USB pins and hardware configuration: -- ESP32-C3: https://docs.espressif.com/projects/esp-idf/en/latest/esp32c3/api-guides/usb-serial-jtag-console.html -- ESP32-S3: https://docs.espressif.com/projects/esp-idf/en/latest/esp32s3/api-guides/usb-serial-jtag-console.html. -- ESP32-C6: https://docs.espressif.com/projects/esp-idf/en/latest/esp32c6/api-guides/usb-serial-jtag-console.html -- ESP32-H2: https://docs.espressif.com/projects/esp-idf/en/latest/esp32h2/api-guides/usb-serial-jtag-console.html + +- ESP32-C3: +- ESP32-S3: +- ESP32-C6: +- ESP32-H2: Configuration example: + ``` # Use Serial through USB JTAG Serial port for Serial Recovery CONFIG_ESP_MCUBOOT_SERIAL_USB_SERIAL_JTAG=y 
@@ -645,7 +809,8 @@ CONFIG_ESP_SERIAL_BOOT_DETECT_DELAY_S=5 --- :warning: ***ATTENTION*** -*When working with Flash Encryption enabled, `CONFIG_ESP_MCUBOOT_ERASE_PROGRESSIVELY` must be ***disabled***, although it is recommended for common Serial Recovery usage* +*When working with Flash Encryption enabled, `CONFIG_ESP_MCUBOOT_ERASE_PROGRESSIVELY` must be +__disabled__, although it is recommended for common Serial Recovery usage* --- 
@@ -671,28 +836,39 @@ mcumgr -c esp reset --- :warning: ***ATTENTION*** -*Serial recovery mode uploads the image to the PRIMARY_SLOT, therefore if the upload process gets interrupted the image may be corrupted and unable to boot* +*Serial recovery mode uploads the image to the PRIMARY_SLOT, therefore if the upload process gets +interrupted the image may be corrupted and unable to boot* --- ## [Memory map organization for OS compatibility](#memory-map-organization-for-os-compatibility) -When adding support for this MCUboot port to an OS or even customizing an already supported application memory layout, it is mandatory for the OS linker script to avoid overlaping on `iram_loader_seg` and `dram_seg` bootloader RAM regions. Although part of the RAM becomes initially unavailable, it is reclaimable by the OS after boot as heap. +When adding support for this MCUboot port to an OS or even customizing an already supported +application memory layout, it is mandatory for the OS linker script to avoid overlaping on +`iram_loader_seg` and `dram_seg` bootloader RAM regions. Although part of the RAM becomes initially +unavailable, it is reclaimable by the OS after boot as heap. Therefore, the application must be designed aware of the bootloader memory usage. --- ***Note*** -*Mostly of the Espressif chips have a separation on the address space for the same physical memory ammount: IRAM (accessed by the instruction bus) and DRAM (accessed by the data bus), which means that they need to be accessed by different addresses ranges depending on type, but refer to the same region. 
More information on the [Espressif TRMs](https://www.espressif.com/en/support/documents/technical-documents?keys=&field_download_document_type_tid%5B%5D=963).* +*Mostly of the Espressif chips have a separation on the address space for the same physical memory +ammount: IRAM (accessed by the instruction bus) and DRAM (accessed by the data bus), which means +that they need to be accessed by different addresses ranges depending on type, but refer to the +same region. More information on the +[Espressif TRMs](https://www.espressif.com/en/support/documents/technical-documents?keys=&field_download_document_type_tid%5B%5D=963).* --- -The following diagrams illustrate a memory organization from the bootloader point of view (notice that the addresses and sizes may vary depending on the chip), they reflect the linker script `boot/espressif/port//ld/bootloader.ld`: +The following diagrams illustrate a memory organization from the bootloader point of view (notice +that the addresses and sizes may vary depending on the chip), they reflect the linker script +`boot/espressif/port//ld/bootloader.ld`: ### ESP32 #### ESP32 standard + ``` SRAM0 IRAM ADDR / DRAM ADDR @@ -736,7 +912,9 @@ The following diagrams illustrate a memory organization from the bootloader poin * | | | * | v | * +--------+--------------+------+ 0x400BFFFF / 0x3FFE0000 - SRAM1 END - Note: On ESP32 the SRAM1 addresses are accessed in reverse order comparing Instruction bus (IRAM) and Data bus (DRAM), but refer to the same location. See the TRM for more information. + Note: On ESP32 the SRAM1 addresses are accessed in reverse order comparing Instruction + bus (IRAM) and Data bus (DRAM), but refer to the same location. See the TRM for more + information. SRAM2 IRAM ADDR / DRAM ADDR 
@@ -747,7 +925,10 @@ The following diagrams illustrate a memory organization from the bootloader poin #### ESP32 Multi Processor Boot -This is the linker script mapping when the `CONFIG_ESP_MULTI_PROCESSOR_BOOT` is enabled ([Multi boot](#multi-boot)) since APP CPU Cache region cannot be used for `iram_loader_seg` region as there would be conflict when the bootloader starts the APP CPU before jump to the main application. +This is the linker script mapping when the `CONFIG_ESP_MULTI_PROCESSOR_BOOT` is enabled +([Multi boot](#multi-boot)) since APP CPU Cache region cannot be used for `iram_loader_seg` region +as there would be conflict when the bootloader starts the APP CPU before jump to the main +application. ``` SRAM0 @@ -791,7 +972,9 @@ This is the linker script mapping when the `CONFIG_ESP_MULTI_PROCESSOR_BOOT` is * | | | * | v | * +--------+--------------+------+ 0x400BFFFF / 0x3FFE0000 - SRAM1 END - Note: On ESP32 the SRAM1 addresses are accessed in reverse order comparing Instruction bus (IRAM) and Data bus (DRAM), but refer to the same location. See the TRM for more information. + Note: On ESP32 the SRAM1 addresses are accessed in reverse order comparing Instruction + bus (IRAM) and Data bus (DRAM), but refer to the same location. See the TRM for more + information. SRAM2 IRAM ADDR / DRAM ADDR From 54fd52d914ae16f4e9ac7e669f4a94b44d36c5a4 Mon Sep 17 00:00:00 2001 From: Fabio Utzig Date: Mon, 4 Sep 2023 18:46:13 -0300 Subject: [PATCH 004/113] docs: update github-pages and deps versions Update to versions matching: https://pages.github.com/versions/ Signed-off-by: Fabio Utzig --- docs/Gemfile | 1 - docs/Gemfile.lock | 215 ++++++++++++++++++++++------------------------ 2 files changed, 105 insertions(+), 111 deletions(-) diff --git a/docs/Gemfile b/docs/Gemfile index 3c56a3b5e..7b9e0cb2d 100644 --- a/docs/Gemfile +++ b/docs/Gemfile 
@@ -20,4 +20,3 @@ gem "github-pages", group: :jekyll_plugins # Windows does not include zoneinfo files, so bundle the tzinfo-data gem gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby] - diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock index 02c41d290..4ec5c04fd 100644 --- a/docs/Gemfile.lock +++ b/docs/Gemfile.lock 
@@ -1,49 +1,47 @@ GEM remote: https://rubygems.org/ specs: - activesupport (6.0.6.1) + activesupport (7.0.7.2) concurrent-ruby (~> 1.0, >= 1.0.2) - i18n (>= 0.7, < 2) - minitest (~> 5.1) - tzinfo (~> 1.1) - zeitwerk (~> 2.2, >= 2.2.2) - addressable (2.8.0) - public_suffix (>= 2.0.2, < 5.0) + i18n (>= 1.6, < 2) + minitest (>= 5.1) + tzinfo (~> 2.0) + addressable (2.8.5) + public_suffix (>= 2.0.2, < 6.0) coffee-script (2.4.1) coffee-script-source execjs coffee-script-source (1.11.1) colorator (1.1.0) - commonmarker (0.17.13) - ruby-enum (~> 0.5) - concurrent-ruby (1.2.0) - dnsruby (1.61.5) - simpleidn (~> 0.1) - em-websocket (0.5.2) + commonmarker (0.23.10) + concurrent-ruby (1.2.2) + dnsruby (1.70.0) + simpleidn (~> 0.2.1) + em-websocket (0.5.3) eventmachine (>= 0.12.9) - http_parser.rb (~> 0.6.0) - ethon (0.12.0) - ffi (>= 1.3.0) + http_parser.rb (~> 0) + ethon (0.16.0) + ffi (>= 1.15.0) eventmachine (1.2.7) - execjs (2.7.0) - faraday (1.3.0) - faraday-net_http (~> 1.0) - multipart-post (>= 1.2, < 3) - ruby2_keywords - faraday-net_http (1.0.1) - ffi (1.15.0) + execjs (2.8.1) + faraday (2.7.10) + faraday-net_http (>= 2.0, < 3.1) + ruby2_keywords (>= 0.0.4) + faraday-net_http (3.0.2) + ffi (1.15.5) forwardable-extended (2.6.0) gemoji (3.0.1) - github-pages (214) - github-pages-health-check (= 1.17.0) - jekyll (= 3.9.0) + github-pages (228) + github-pages-health-check (= 1.17.9) + jekyll (= 3.9.3) jekyll-avatar (= 0.7.0) jekyll-coffeescript (= 1.1.1) - jekyll-commonmark-ghpages (= 0.1.6) + jekyll-commonmark-ghpages (= 0.4.0) jekyll-default-layout (= 0.1.4) jekyll-feed (= 0.15.1) jekyll-gist (= 1.5.0) jekyll-github-metadata (= 2.13.0) + jekyll-include-cache (= 0.2.1) jekyll-mentions (= 1.6.0) jekyll-optional-front-matter (= 0.3.2) jekyll-paginate (= 1.1.0) 
@@ -52,49 +50,49 @@ GEM jekyll-relative-links (= 0.6.1) jekyll-remote-theme (= 0.4.3) jekyll-sass-converter (= 1.5.2) - jekyll-seo-tag (= 2.7.1) + jekyll-seo-tag (= 2.8.0) jekyll-sitemap (= 1.4.0) jekyll-swiss (= 1.0.0) - jekyll-theme-architect (= 0.1.1) - jekyll-theme-cayman (= 0.1.1) - jekyll-theme-dinky (= 0.1.1) - jekyll-theme-hacker (= 0.1.2) - jekyll-theme-leap-day (= 0.1.1) - jekyll-theme-merlot (= 0.1.1) - jekyll-theme-midnight (= 0.1.1) - jekyll-theme-minimal (= 0.1.1) - jekyll-theme-modernist (= 0.1.1) - jekyll-theme-primer (= 0.5.4) - jekyll-theme-slate (= 0.1.1) - jekyll-theme-tactile (= 0.1.1) - jekyll-theme-time-machine (= 0.1.1) + jekyll-theme-architect (= 0.2.0) + jekyll-theme-cayman (= 0.2.0) + jekyll-theme-dinky (= 0.2.0) + jekyll-theme-hacker (= 0.2.0) + jekyll-theme-leap-day (= 0.2.0) + jekyll-theme-merlot (= 0.2.0) + jekyll-theme-midnight (= 0.2.0) + jekyll-theme-minimal (= 0.2.0) + jekyll-theme-modernist (= 0.2.0) + jekyll-theme-primer (= 0.6.0) + jekyll-theme-slate (= 0.2.0) + jekyll-theme-tactile (= 0.2.0) + jekyll-theme-time-machine (= 0.2.0) jekyll-titles-from-headings (= 0.5.3) jemoji (= 0.12.0) - kramdown (= 2.3.1) + kramdown (= 2.3.2) kramdown-parser-gfm (= 1.1.0) - liquid (= 4.0.3) + liquid (= 4.0.4) mercenary (~> 0.3) minima (= 2.5.1) - nokogiri (>= 1.10.4, < 2.0) + nokogiri (>= 1.13.6, < 2.0) rouge (= 3.26.0) terminal-table (~> 1.4) - github-pages-health-check (1.17.0) + github-pages-health-check (1.17.9) addressable (~> 2.3) dnsruby (~> 1.60) octokit (~> 4.0) - public_suffix (>= 2.0.2, < 5.0) + public_suffix (>= 3.0, < 5.0) typhoeus (~> 1.3) - html-pipeline (2.14.0) + html-pipeline (2.14.3) activesupport (>= 2) nokogiri (>= 1.4) - http_parser.rb (0.6.0) - i18n (0.9.5) + http_parser.rb (0.8.0) + i18n (1.14.1) concurrent-ruby (~> 1.0) - jekyll (3.9.0) + jekyll (3.9.3) addressable (~> 2.4) colorator (~> 1.0) em-websocket (~> 0.5) - i18n (~> 0.7) + i18n (>= 0.7, < 2) jekyll-sass-converter (~> 1.0) jekyll-watch (~> 2.0) kramdown (>= 
1.17, < 3) @@ -108,13 +106,13 @@ GEM jekyll-coffeescript (1.1.1) coffee-script (~> 2.2) coffee-script-source (~> 1.11.1) - jekyll-commonmark (1.3.1) - commonmarker (~> 0.14) - jekyll (>= 3.7, < 5.0) - jekyll-commonmark-ghpages (0.1.6) - commonmarker (~> 0.17.6) - jekyll-commonmark (~> 1.2) - rouge (>= 2.0, < 4.0) + jekyll-commonmark (1.4.0) + commonmarker (~> 0.22) + jekyll-commonmark-ghpages (0.4.0) + commonmarker (~> 0.23.7) + jekyll (~> 3.9.0) + jekyll-commonmark (~> 1.4.0) + rouge (>= 2.0, < 5.0) jekyll-default-layout (0.1.4) jekyll (~> 3.0) jekyll-feed (0.15.1) @@ -124,6 +122,8 @@ GEM jekyll-github-metadata (2.13.0) jekyll (>= 3.4, < 5.0) octokit (~> 4.0, != 4.4.0) + jekyll-include-cache (0.2.1) + jekyll (>= 3.7, < 5.0) jekyll-mentions (1.6.0) html-pipeline (~> 2.3) jekyll (>= 3.7, < 5.0) 
@@ -143,50 +143,50 @@ GEM rubyzip (>= 1.3.0, < 3.0) jekyll-sass-converter (1.5.2) sass (~> 3.4) - jekyll-seo-tag (2.7.1) + jekyll-seo-tag (2.8.0) jekyll (>= 3.8, < 5.0) jekyll-sitemap (1.4.0) jekyll (>= 3.7, < 5.0) jekyll-swiss (1.0.0) - jekyll-theme-architect (0.1.1) - jekyll (~> 3.5) + jekyll-theme-architect (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-cayman (0.1.1) - jekyll (~> 3.5) + jekyll-theme-cayman (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-dinky (0.1.1) - jekyll (~> 3.5) + jekyll-theme-dinky (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-hacker (0.1.2) + jekyll-theme-hacker (0.2.0) jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-leap-day (0.1.1) - jekyll (~> 3.5) + jekyll-theme-leap-day (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-merlot (0.1.1) - jekyll (~> 3.5) + jekyll-theme-merlot (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-midnight (0.1.1) - jekyll (~> 3.5) + jekyll-theme-midnight (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-minimal (0.1.1) - jekyll (~> 3.5) + jekyll-theme-minimal (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-modernist (0.1.1) - jekyll (~> 3.5) + jekyll-theme-modernist (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-primer (0.5.4) + jekyll-theme-primer (0.6.0) jekyll (> 3.5, < 5.0) jekyll-github-metadata (~> 2.9) jekyll-seo-tag (~> 2.0) - jekyll-theme-slate (0.1.1) - jekyll (~> 3.5) + jekyll-theme-slate (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-tactile (0.1.1) - jekyll (~> 3.5) + jekyll-theme-tactile (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-time-machine (0.1.1) - jekyll (~> 3.5) + jekyll-theme-time-machine (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) jekyll-titles-from-headings (0.5.3) jekyll (>= 3.3, < 5.0) 
@@ -196,64 +196,59 @@ GEM gemoji (~> 3.0) html-pipeline (~> 2.2) jekyll (>= 3.0, < 5.0) - kramdown (2.3.1) + kramdown (2.3.2) rexml kramdown-parser-gfm (1.1.0) kramdown (~> 2.0) - liquid (4.0.3) - listen (3.5.1) + liquid (4.0.4) + listen (3.8.0) rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) mercenary (0.3.6) - mini_portile2 (2.8.1) + mini_portile2 (2.8.4) minima (2.5.1) jekyll (>= 3.5, < 5.0) jekyll-feed (~> 0.9) jekyll-seo-tag (~> 2.1) - minitest (5.17.0) - multipart-post (2.1.1) - nokogiri (1.14.3) - mini_portile2 (~> 2.8.0) + minitest (5.19.0) + nokogiri (1.15.4) + mini_portile2 (~> 2.8.2) racc (~> 1.4) - octokit (4.20.0) - faraday (>= 0.9) - sawyer (~> 0.8.0, >= 0.5.3) + octokit (4.25.1) + faraday (>= 1, < 3) + sawyer (~> 0.9) pathutil (0.16.2) forwardable-extended (~> 2.6) - public_suffix (4.0.6) - racc (1.6.2) - rb-fsevent (0.10.4) + public_suffix (4.0.7) + racc (1.7.1) + rb-fsevent (0.11.2) rb-inotify (0.10.1) ffi (~> 1.0) - rexml (3.2.5) + rexml (3.2.6) rouge (3.26.0) - ruby-enum (0.9.0) - i18n - ruby2_keywords (0.0.4) - rubyzip (2.3.0) + ruby2_keywords (0.0.5) + rubyzip (2.3.2) safe_yaml (1.0.5) sass (3.7.4) sass-listen (~> 4.0.0) sass-listen (4.0.0) rb-fsevent (~> 0.9, >= 0.9.4) rb-inotify (~> 0.9, >= 0.9.7) - sawyer (0.8.2) + sawyer (0.9.2) addressable (>= 2.3.5) - faraday (> 0.8, < 2.0) + faraday (>= 0.17.3, < 3) simpleidn (0.2.1) unf (~> 0.1.4) terminal-table (1.8.0) unicode-display_width (~> 1.1, >= 1.1.1) - thread_safe (0.3.6) typhoeus (1.4.0) ethon (>= 0.9.0) - tzinfo (1.2.11) - thread_safe (~> 0.1) + tzinfo (2.0.6) + concurrent-ruby (~> 1.0) unf (0.1.4) unf_ext - unf_ext (0.0.7.7) - unicode-display_width (1.7.0) - zeitwerk (2.6.7) + unf_ext (0.0.8.2) + unicode-display_width (1.8.0) PLATFORMS ruby From b688ef77cc5fdfccf420e94e70f123da6ba22dad Mon Sep 17 00:00:00 2001 
From: Fabio Utzig Date: Mon, 4 Sep 2023 19:47:55 -0300 Subject: [PATCH 005/113] docs: add jemoji plugin This plugin enables jekyll to display emojis; the version added matches current on github-pages (https://pages.github.com/versions/) Signed-off-by: Fabio Utzig --- docs/Gemfile | 2 ++ docs/Gemfile.lock | 1 + docs/_config.yml | 2 ++ 3 files changed, 5 insertions(+) diff --git a/docs/Gemfile b/docs/Gemfile index 7b9e0cb2d..fd9a462c7 100644 --- a/docs/Gemfile +++ b/docs/Gemfile @@ -20,3 +20,5 @@ gem "github-pages", group: :jekyll_plugins # Windows does not include zoneinfo files, so bundle the tzinfo-data gem gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby] + +gem "jemoji", "~> 0.12.0" diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock index 4ec5c04fd..58b252955 100644 --- a/docs/Gemfile.lock +++ b/docs/Gemfile.lock @@ -255,6 +255,7 @@ PLATFORMS DEPENDENCIES github-pages + jemoji (~> 0.12.0) tzinfo-data BUNDLED WITH diff --git a/docs/_config.yml b/docs/_config.yml index 277f1f2c5..be854e842 100644 --- a/docs/_config.yml +++ b/docs/_config.yml @@ -1 +1,3 @@ theme: jekyll-theme-cayman +plugins: + - jemoji From f0ad026fa75c1433c3f0c0661b3bd49aa6e6d11e Mon Sep 17 00:00:00 2001 From: Fabio Utzig Date: Mon, 4 Sep 2023 19:49:49 -0300 Subject: [PATCH 006/113] docs: add webrick dependency webrick needs to be installed for ruby versions >3, which should ease local testing for someone running newer versions. This is compatible with running on ruby 2.7.4, the version used on github pages. Signed-off-by: Fabio Utzig --- docs/Gemfile | 2 ++ docs/Gemfile.lock | 2 ++ 2 files changed, 4 insertions(+) diff --git a/docs/Gemfile b/docs/Gemfile index fd9a462c7..b88481b27 100644 --- a/docs/Gemfile +++ b/docs/Gemfile @@ -22,3 +22,5 @@ gem "github-pages", group: :jekyll_plugins gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby] gem "jemoji", "~> 0.12.0" + +gem "webrick", "~> 1.8" 
diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock index 58b252955..433585667 100644 --- a/docs/Gemfile.lock +++ b/docs/Gemfile.lock @@ -249,6 +249,7 @@ GEM unf_ext unf_ext (0.0.8.2) unicode-display_width (1.8.0) + webrick (1.8.1) PLATFORMS ruby @@ -257,6 +258,7 @@ DEPENDENCIES github-pages jemoji (~> 0.12.0) tzinfo-data + webrick (~> 1.8) BUNDLED WITH 1.17.2 From 9bf7ce8c5fe8152836a6e00bd4444153bd950342 Mon Sep 17 00:00:00 2001 From: Lucas Tamborrino Date: Tue, 5 Sep 2023 11:20:50 -0300 Subject: [PATCH 007/113] zephyr: Fix build for non-arm archs Guards the inclusion of cmsis_core header for ARM targets only. Fixes #1799 Signed-off-by: Lucas Tamborrino --- boot/zephyr/main.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 855164915..089f75b2b 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -27,7 +27,9 @@ #include #include +#if defined(CONFIG_ARM) #include +#endif #include "target.h" From 0035c33b447c77233895ae0a8f0d93b83be78ac1 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 4 Sep 2023 16:26:35 +0000 Subject: [PATCH 008/113] zephyr: Provide third image cases for direct image upload The commit adds missing support for direct upload of third image slots. Signed-off-by: Dominik Ermel --- boot/zephyr/flash_map_extended.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/boot/zephyr/flash_map_extended.c b/boot/zephyr/flash_map_extended.c index be90a8e1d..64e80085c 100644 --- a/boot/zephyr/flash_map_extended.c +++ b/boot/zephyr/flash_map_extended.c @@ -109,6 +109,14 @@ int flash_area_id_from_direct_image(int image_id) #if FIXED_PARTITION_EXISTS(slot3_partition) case 4: return FIXED_PARTITION_ID(slot3_partition); +#endif +#if FIXED_PARTITION_EXISTS(slot4_partition) + case 5: + return FIXED_PARTITION_ID(slot4_partition); +#endif +#if FIXED_PARTITION_EXISTS(slot5_partition) + case 6: + return FIXED_PARTITION_ID(slot5_partition); #endif } return -EINVAL; 
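Review bot: The new `case 5:` and `case 6:` arms in `flash_area_id_from_direct_image` extend an implicit rule (image id 4 selects `slot3_partition`, 5 selects `slot4_partition`, 6 selects `slot5_partition`) that nothing in the function states, so the next slot addition has to be inferred from the pattern again. A comment above the switch such as `/* Direct-upload image id N selects slot(N-1)_partition; ids whose partition is not compiled in are rejected with -EINVAL. */` would record it. Keeping each new arm under its own `FIXED_PARTITION_EXISTS` guard is right, since the id comes from the serial peer and the `-EINVAL` fallthrough is the only check that it names a real partition. The function starts before this hunk, so the arms for ids 0 to 3 are not visible here.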
From 3790f5f05532f00dcb7cbb9cc879d393a6642983 Mon Sep 17 00:00:00 2001 From: Piotr Dymacz Date: Thu, 15 Dec 2022 14:58:45 +0100 Subject: [PATCH 009/113] boot: zephyr: use indication LED also in timeout based recovery This adds support for indication LED option (MCUBOOT_INDICATION_LED) in the timeout based recovery. Configured LED will be enabled when entering the recovery and disabled after selected timeout (if no mcumgr command was received). Signed-off-by: Piotr Dymacz --- boot/zephyr/main.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 089f75b2b..7b3702475 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -622,6 +622,10 @@ int main(void) rc = boot_console_init(); int timeout_in_ms = CONFIG_BOOT_SERIAL_WAIT_FOR_DFU_TIMEOUT; uint32_t start = k_uptime_get_32(); + +#ifdef CONFIG_MCUBOOT_INDICATION_LED + gpio_pin_set_dt(&led0, 1); +#endif #endif FIH_CALL(boot_go, fih_rc, &rsp); @@ -645,6 +649,10 @@ int main(void) timeout_in_ms = 1; } boot_serial_check_start(&boot_funcs,timeout_in_ms); + +#ifdef CONFIG_MCUBOOT_INDICATION_LED + gpio_pin_set_dt(&led0, 0); +#endif #endif if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { From 480b97f2e28606557575be3218f0df9cf7c6a1c0 Mon Sep 17 00:00:00 2001 From: Benjamin Bigler Date: Thu, 7 Sep 2023 15:25:34 +0200 Subject: [PATCH 010/113] boot_serial: Fix missing point if using snprintf Adds missing point in version when snprintf is used Signed-off-by: Benjamin Bigler --- boot/boot_serial/src/boot_serial.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c index cddf8e289..72f2df325 100644 --- a/boot/boot_serial/src/boot_serial.c +++ b/boot/boot_serial/src/boot_serial.c 
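Review bot: Both new `gpio_pin_set_dt(&led0, ...)` calls discard the function's int return value, so a GPIO driver error is silently ignored; if the LED is best-effort, say so with `/* Indication only: a GPIO failure must not block boot. */`, otherwise check the result the way the file's other GPIO calls presumably do. The on/off pair is split across the two hunks of `main`, which starts and ends outside them, and both sit inside the same outer `#ifdef` region closed by the visible `#endif`; a comment at the first call, `/* LED on while waiting for a DFU command; cleared after the timeout below. */`, ties the two together for a reader. Where `led0` is configured with `gpio_pin_configure_dt` is not visible in this hunk; confirm that happens before the `boot_console_init()` path runs.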
@@ -234,7 +234,7 @@ bs_list_img_ver(char *dst, int maxlen, struct image_version *ver) (uint16_t)ver->iv_minor, ver->iv_revision); if (ver->iv_build_num != 0 && len > 0 && len < maxlen) { - snprintf(&dst[len], (maxlen - len), "%u", ver->iv_build_num); + snprintf(&dst[len], (maxlen - len), ".%u", ver->iv_build_num); } } #endif /* !MCUBOOT_USE_SNPRINTF */ From b847a33ba22dcb62f561265cfa701ae9c3a1ba28 Mon Sep 17 00:00:00 2001 From: Sylvio Alves Date: Fri, 8 Sep 2023 09:04:37 -0300 Subject: [PATCH 011/113] espressif: use minimal libc as default for ESP32 boards Make MINIMAL_LIBC as default for MCUboot app build instead of picolibc. Footprint is lower and no need to MULTLTHREADING enabled for SoC build. Signed-off-by: Sylvio Alves --- boot/zephyr/boards/esp32_devkitc_wroom.conf | 1 + boot/zephyr/boards/esp32_devkitc_wrover.conf | 1 + boot/zephyr/boards/esp32_ethernet_kit.conf | 1 + boot/zephyr/boards/esp32c3_devkitm.conf | 1 + boot/zephyr/boards/esp32s2_franzininho.conf | 1 + boot/zephyr/boards/esp32s2_saola.conf | 1 + boot/zephyr/boards/esp32s3_devkitm.conf | 1 + boot/zephyr/boards/esp_wrover_kit.conf | 1 + boot/zephyr/boards/heltec_wifi_lora32_v2.conf | 1 + boot/zephyr/boards/icev_wireless.conf | 1 + boot/zephyr/boards/m5stickc_plus.conf | 1 + boot/zephyr/boards/odroid_go.conf | 1 + boot/zephyr/boards/olimex_esp32_evb.conf | 1 + boot/zephyr/boards/stamp_c3.conf | 1 + boot/zephyr/boards/xiao_esp32c3.conf | 1 + 15 files changed, 15 insertions(+) diff --git a/boot/zephyr/boards/esp32_devkitc_wroom.conf b/boot/zephyr/boards/esp32_devkitc_wroom.conf index 1b1e862be..76a126cb4 100644 --- a/boot/zephyr/boards/esp32_devkitc_wroom.conf +++ b/boot/zephyr/boards/esp32_devkitc_wroom.conf @@ -15,3 +15,4 @@ CONFIG_LOG_DEFAULT_LEVEL=0 CONFIG_DEBUG=n CONFIG_HEAP_MEM_POOL_SIZE=4096 +CONFIG_MINIMAL_LIBC=y diff --git a/boot/zephyr/boards/esp32_devkitc_wrover.conf b/boot/zephyr/boards/esp32_devkitc_wrover.conf index 1b1e862be..76a126cb4 100644 
--- a/boot/zephyr/boards/esp32_devkitc_wrover.conf +++ b/boot/zephyr/boards/esp32_devkitc_wrover.conf @@ -15,3 +15,4 @@ CONFIG_LOG_DEFAULT_LEVEL=0 CONFIG_DEBUG=n CONFIG_HEAP_MEM_POOL_SIZE=4096 +CONFIG_MINIMAL_LIBC=y diff --git a/boot/zephyr/boards/esp32_ethernet_kit.conf b/boot/zephyr/boards/esp32_ethernet_kit.conf index 70a092a8b..b2b405922 100644 --- a/boot/zephyr/boards/esp32_ethernet_kit.conf +++ b/boot/zephyr/boards/esp32_ethernet_kit.conf @@ -16,3 +16,4 @@ CONFIG_LOG_DEFAULT_LEVEL=0 CONFIG_DEBUG=n CONFIG_HEAP_MEM_POOL_SIZE=4096 +CONFIG_MINIMAL_LIBC=y diff --git a/boot/zephyr/boards/esp32c3_devkitm.conf b/boot/zephyr/boards/esp32c3_devkitm.conf index 8a90ef8ea..56298cd4f 100644 --- a/boot/zephyr/boards/esp32c3_devkitm.conf +++ b/boot/zephyr/boards/esp32c3_devkitm.conf @@ -17,3 +17,4 @@ CONFIG_DEBUG=n CONFIG_XIP=n CONFIG_HEAP_MEM_POOL_SIZE=4096 +CONFIG_MINIMAL_LIBC=y diff --git a/boot/zephyr/boards/esp32s2_franzininho.conf b/boot/zephyr/boards/esp32s2_franzininho.conf index 70a092a8b..b2b405922 100644 --- a/boot/zephyr/boards/esp32s2_franzininho.conf +++ b/boot/zephyr/boards/esp32s2_franzininho.conf @@ -16,3 +16,4 @@ CONFIG_LOG_DEFAULT_LEVEL=0 CONFIG_DEBUG=n CONFIG_HEAP_MEM_POOL_SIZE=4096 +CONFIG_MINIMAL_LIBC=y diff --git a/boot/zephyr/boards/esp32s2_saola.conf b/boot/zephyr/boards/esp32s2_saola.conf index 70a092a8b..b2b405922 100644 --- a/boot/zephyr/boards/esp32s2_saola.conf +++ b/boot/zephyr/boards/esp32s2_saola.conf @@ -16,3 +16,4 @@ CONFIG_LOG_DEFAULT_LEVEL=0 CONFIG_DEBUG=n CONFIG_HEAP_MEM_POOL_SIZE=4096 +CONFIG_MINIMAL_LIBC=y diff --git a/boot/zephyr/boards/esp32s3_devkitm.conf b/boot/zephyr/boards/esp32s3_devkitm.conf index 70a092a8b..b2b405922 100644 --- a/boot/zephyr/boards/esp32s3_devkitm.conf +++ b/boot/zephyr/boards/esp32s3_devkitm.conf @@ -16,3 +16,4 @@ CONFIG_LOG_DEFAULT_LEVEL=0 CONFIG_DEBUG=n CONFIG_HEAP_MEM_POOL_SIZE=4096 +CONFIG_MINIMAL_LIBC=y 
diff --git a/boot/zephyr/boards/esp_wrover_kit.conf b/boot/zephyr/boards/esp_wrover_kit.conf index 70a092a8b..b2b405922 100644 --- a/boot/zephyr/boards/esp_wrover_kit.conf +++ b/boot/zephyr/boards/esp_wrover_kit.conf @@ -16,3 +16,4 @@ CONFIG_LOG_DEFAULT_LEVEL=0 CONFIG_DEBUG=n CONFIG_HEAP_MEM_POOL_SIZE=4096 +CONFIG_MINIMAL_LIBC=y diff --git a/boot/zephyr/boards/heltec_wifi_lora32_v2.conf b/boot/zephyr/boards/heltec_wifi_lora32_v2.conf index 70a092a8b..b2b405922 100644 --- a/boot/zephyr/boards/heltec_wifi_lora32_v2.conf +++ b/boot/zephyr/boards/heltec_wifi_lora32_v2.conf @@ -16,3 +16,4 @@ CONFIG_LOG_DEFAULT_LEVEL=0 CONFIG_DEBUG=n CONFIG_HEAP_MEM_POOL_SIZE=4096 +CONFIG_MINIMAL_LIBC=y diff --git a/boot/zephyr/boards/icev_wireless.conf b/boot/zephyr/boards/icev_wireless.conf index 792e0e325..5d761a5b3 100644 --- a/boot/zephyr/boards/icev_wireless.conf +++ b/boot/zephyr/boards/icev_wireless.conf @@ -16,3 +16,4 @@ CONFIG_LOG_DEFAULT_LEVEL=0 CONFIG_XIP=n CONFIG_HEAP_MEM_POOL_SIZE=4096 +CONFIG_MINIMAL_LIBC=y diff --git a/boot/zephyr/boards/m5stickc_plus.conf b/boot/zephyr/boards/m5stickc_plus.conf index 70a092a8b..b2b405922 100644 --- a/boot/zephyr/boards/m5stickc_plus.conf +++ b/boot/zephyr/boards/m5stickc_plus.conf @@ -16,3 +16,4 @@ CONFIG_LOG_DEFAULT_LEVEL=0 CONFIG_DEBUG=n CONFIG_HEAP_MEM_POOL_SIZE=4096 +CONFIG_MINIMAL_LIBC=y diff --git a/boot/zephyr/boards/odroid_go.conf b/boot/zephyr/boards/odroid_go.conf index be139d66d..916d6cf5f 100644 --- a/boot/zephyr/boards/odroid_go.conf +++ b/boot/zephyr/boards/odroid_go.conf @@ -18,3 +18,4 @@ CONFIG_DEBUG=n CONFIG_HEAP_MEM_POOL_SIZE=4096 CONFIG_REGULATOR=n +CONFIG_MINIMAL_LIBC=y diff --git a/boot/zephyr/boards/olimex_esp32_evb.conf b/boot/zephyr/boards/olimex_esp32_evb.conf index 70a092a8b..b2b405922 100644 --- a/boot/zephyr/boards/olimex_esp32_evb.conf +++ b/boot/zephyr/boards/olimex_esp32_evb.conf @@ -16,3 +16,4 @@ CONFIG_LOG_DEFAULT_LEVEL=0 CONFIG_DEBUG=n CONFIG_HEAP_MEM_POOL_SIZE=4096 +CONFIG_MINIMAL_LIBC=y 
diff --git a/boot/zephyr/boards/stamp_c3.conf b/boot/zephyr/boards/stamp_c3.conf index 8a90ef8ea..56298cd4f 100644 --- a/boot/zephyr/boards/stamp_c3.conf +++ b/boot/zephyr/boards/stamp_c3.conf @@ -17,3 +17,4 @@ CONFIG_DEBUG=n CONFIG_XIP=n CONFIG_HEAP_MEM_POOL_SIZE=4096 +CONFIG_MINIMAL_LIBC=y diff --git a/boot/zephyr/boards/xiao_esp32c3.conf b/boot/zephyr/boards/xiao_esp32c3.conf index 8a90ef8ea..56298cd4f 100644 --- a/boot/zephyr/boards/xiao_esp32c3.conf +++ b/boot/zephyr/boards/xiao_esp32c3.conf @@ -17,3 +17,4 @@ CONFIG_DEBUG=n CONFIG_XIP=n CONFIG_HEAP_MEM_POOL_SIZE=4096 +CONFIG_MINIMAL_LIBC=y From 5c5222f8847f989c3f4fe01a08cb16462e7ab7fb Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Tue, 12 Sep 2023 09:43:49 +0100 Subject: [PATCH 012/113] boot_serial: Fix include Fixes an include which is needed for multiple options by just always including it, and fixing the path so it can be included. Signed-off-by: Jamie McCrae --- boot/boot_serial/src/boot_serial.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c index 72f2df325..edfff7910 100644 --- a/boot/boot_serial/src/boot_serial.c +++ b/boot/boot_serial/src/boot_serial.c @@ -67,10 +67,7 @@ #include "boot_serial/boot_serial.h" #include "boot_serial_priv.h" #include "mcuboot_config/mcuboot_config.h" - -#ifdef MCUBOOT_ERASE_PROGRESSIVELY -#include "bootutil_priv.h" -#endif +#include "../src/bootutil_priv.h" #ifdef MCUBOOT_ENC_IMAGES #include "boot_serial/boot_serial_encryption.h" From 8f8fbf9956758ded9a5e20400be69964cc57d624 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Tue, 12 Sep 2023 10:57:45 +0100 Subject: [PATCH 013/113] zephyr: Fall back to minimal C library Changes back to the minimal C library instead of picolibc to reduce flash usage Signed-off-by: Jamie McCrae --- boot/zephyr/prj.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index a6da04933..851c133ec 100644 
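Review bot: `#include "../src/bootutil_priv.h"` in boot_serial.c reaches across module boundaries with a path relative to this file, so the build now depends on `boot/boot_serial/src` and `boot/bootutil/src` remaining siblings, which an out-of-tree consumer that vendors the bootloader differently may not preserve. The more robust form keeps `#include "bootutil_priv.h"` and adds `boot/bootutil/src` to the include path in each build system, which is presumably how the removed `#ifdef MCUBOOT_ERASE_PROGRESSIVELY` version resolved it. Since the include is now unconditional, a short comment naming which symbols it supplies, e.g. `/* bootutil_priv.h: needed by several options, not only MCUBOOT_ERASE_PROGRESSIVELY */`, would stop the next reader from trying to re-guard it.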
--- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -33,3 +33,5 @@ CONFIG_LOG_DEFAULT_LEVEL=0 CONFIG_MCUBOOT_LOG_LEVEL_INF=y ### Decrease footprint by ~4 KB in comparison to CBPRINTF_COMPLETE=y CONFIG_CBPRINTF_NANO=y +### Use the minimal C library to reduce flash usage +CONFIG_MINIMAL_LIBC=y From 274547ce06ff1eb487c48af56448afdfdfcec9cc Mon Sep 17 00:00:00 2001 From: Roland Mikhel Date: Tue, 7 Mar 2023 13:21:34 +0100 Subject: [PATCH 014/113] bootutil: PSA Crypto ECDSA enablement This commit enables ECDSA signature verification using PSA Crypto API. Signed-off-by: Roland Mikhel Change-Id: I51c7aadba03348f335e89d9252e70c09f8787f30 --- boot/bootutil/include/bootutil/caps.h | 1 + boot/bootutil/src/caps.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/boot/bootutil/include/bootutil/caps.h b/boot/bootutil/include/bootutil/caps.h index e29b9365f..f4ff37334 100644 --- a/boot/bootutil/include/bootutil/caps.h +++ b/boot/bootutil/include/bootutil/caps.h @@ -52,6 +52,7 @@ uint32_t bootutil_get_caps(void); #define BOOTUTIL_CAP_RAM_LOAD (1<<16) #define BOOTUTIL_CAP_DIRECT_XIP (1<<17) #define BOOTUTIL_CAP_HW_ROLLBACK_PROT (1<<18) +#define BOOTUTIL_CAP_ECDSA_P384 (1<<19) /* * Query the number of images this bootloader is configured for. This diff --git a/boot/bootutil/src/caps.c b/boot/bootutil/src/caps.c index 49bdfecf7..d7cd59042 100644 --- a/boot/bootutil/src/caps.c +++ b/boot/bootutil/src/caps.c @@ -35,6 +35,9 @@ uint32_t bootutil_get_caps(void) #if defined(MCUBOOT_SIGN_EC256) res |= BOOTUTIL_CAP_ECDSA_P256; #endif +#if defined(MCUBOOT_SIGN_EC384) + res |= BOOTUTIL_CAP_ECDSA_P384; +#endif #if defined(MCUBOOT_SIGN_ED25519) res |= BOOTUTIL_CAP_ED25519; #endif From 5899face4d9132004b2d3487c9a62fddefd017cf Mon Sep 17 00:00:00 2001 From: Roland Mikhel Date: Tue, 14 Mar 2023 13:59:55 +0100 Subject: [PATCH 015/113] sim: PSA Crypto ECDSA enablement This commit enables ECDSA signature verification using PSA Crypto API. 
Signed-off-by: Roland Mikhel Change-Id: I33f559ecdd59b1ce41c6a2d5f315212300d585e3 --- root-ec-p384-pkcs8.pem | 6 ++++ root-ec-p384.pem | 6 ++++ sim/Cargo.toml | 3 +- sim/mcuboot-sys/Cargo.toml | 6 ++++ sim/mcuboot-sys/build.rs | 26 +++++++++++++++-- sim/mcuboot-sys/csupport/config-ec-psa.h | 37 ++++++++++++++++++++++++ sim/mcuboot-sys/csupport/keys.c | 24 ++++++++++++++- sim/src/caps.rs | 3 +- sim/src/ecdsa_pub_key-rs.txt | 18 ++++++++++++ sim/src/image.rs | 2 +- sim/src/tlv.rs | 37 +++++++++++++++++------- 11 files changed, 151 insertions(+), 17 deletions(-) create mode 100644 root-ec-p384-pkcs8.pem create mode 100644 root-ec-p384.pem create mode 100644 sim/mcuboot-sys/csupport/config-ec-psa.h diff --git a/root-ec-p384-pkcs8.pem b/root-ec-p384-pkcs8.pem new file mode 100644 index 000000000..4d4894cc3 --- /dev/null +++ b/root-ec-p384-pkcs8.pem @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDC8ZQWjooCCaLQJ9DJN +KMyPoUoFcqGluXGu13Zf526RX6TdRhnkExtL1T7fC13n32ChZANiAAQMdsqucjql +6PDU8Ra1Au93oRuTYXjACSZ7O0Cc7kmF4MlP5/K6l2zzgmUULPUMczNNMueb00LM +lVrl4vX0bkXg7SA1XK9SNYHU3JzjniI++z8iENpwAzetqPJI/jpgaaU= +-----END PRIVATE KEY----- diff --git a/root-ec-p384.pem b/root-ec-p384.pem new file mode 100644 index 000000000..916c80032 --- /dev/null +++ b/root-ec-p384.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDC8ZQWjooCCaLQJ9DJNKMyPoUoFcqGluXGu13Zf526RX6TdRhnkExtL +1T7fC13n32CgBwYFK4EEACKhZANiAAQMdsqucjql6PDU8Ra1Au93oRuTYXjACSZ7 +O0Cc7kmF4MlP5/K6l2zzgmUULPUMczNNMueb00LMlVrl4vX0bkXg7SA1XK9SNYHU +3JzjniI++z8iENpwAzetqPJI/jpgaaU= +-----END EC PRIVATE KEY----- diff --git a/sim/Cargo.toml b/sim/Cargo.toml index 1689a3c4b..7cef823d8 100644 --- a/sim/Cargo.toml +++ b/sim/Cargo.toml 
@@ -11,6 +11,8 @@ sig-rsa = ["mcuboot-sys/sig-rsa"] sig-rsa3072 = ["mcuboot-sys/sig-rsa3072"] sig-ecdsa = ["mcuboot-sys/sig-ecdsa"] sig-ecdsa-mbedtls = ["mcuboot-sys/sig-ecdsa-mbedtls"] +sig-ecdsa-psa = ["mcuboot-sys/sig-ecdsa-psa", "mcuboot-sys/psa-crypto-api"] +sig-p384 = ["mcuboot-sys/sig-p384"] sig-ed25519 = ["mcuboot-sys/sig-ed25519"] overwrite-only = ["mcuboot-sys/overwrite-only"] swap-move = ["mcuboot-sys/swap-move"] @@ -31,7 +33,6 @@ direct-xip = ["mcuboot-sys/direct-xip"] downgrade-prevention = ["mcuboot-sys/downgrade-prevention"] max-align-32 = ["mcuboot-sys/max-align-32"] hw-rollback-protection = ["mcuboot-sys/hw-rollback-protection"] -psa-crypto-api = ["mcuboot-sys/psa-crypto-api"] [dependencies] byteorder = "1.4" diff --git a/sim/mcuboot-sys/Cargo.toml b/sim/mcuboot-sys/Cargo.toml index f4f2aceb3..ab97bbfe1 100644 --- a/sim/mcuboot-sys/Cargo.toml +++ b/sim/mcuboot-sys/Cargo.toml @@ -24,6 +24,12 @@ sig-ecdsa = [] # Verify ECDSA (secp256r1) signatures using mbed TLS sig-ecdsa-mbedtls = [] +# Verify ECDSA (p256 or p384) signatures using PSA Crypto API +sig-ecdsa-psa = [] + +# Enable P384 Curve support (instead of P256) for PSA Crypto +sig-p384 = [] + # Verify ED25519 signatures. sig-ed25519 = [] diff --git a/sim/mcuboot-sys/build.rs b/sim/mcuboot-sys/build.rs index 88316effe..4221292f5 100644 --- a/sim/mcuboot-sys/build.rs +++ b/sim/mcuboot-sys/build.rs @@ -15,6 +15,8 @@ fn main() { let sig_rsa3072 = env::var("CARGO_FEATURE_SIG_RSA3072").is_ok(); let sig_ecdsa = env::var("CARGO_FEATURE_SIG_ECDSA").is_ok(); let sig_ecdsa_mbedtls = env::var("CARGO_FEATURE_SIG_ECDSA_MBEDTLS").is_ok(); + let sig_ecdsa_psa = env::var("CARGO_FEATURE_SIG_ECDSA_PSA").is_ok(); + let sig_p384 = env::var("CARGO_FEATURE_SIG_P384").is_ok(); let sig_ed25519 = env::var("CARGO_FEATURE_SIG_ED25519").is_ok(); let overwrite_only = env::var("CARGO_FEATURE_OVERWRITE_ONLY").is_ok(); let swap_move = env::var("CARGO_FEATURE_SWAP_MOVE").is_ok(); 
@@ -205,6 +207,24 @@ fn main() { conf.file("../../ext/mbedtls/library/ecp_curves.c"); conf.file("../../ext/mbedtls/library/platform.c"); conf.file("../../ext/mbedtls/library/platform_util.c"); + } else if sig_ecdsa_psa { + conf.conf.include("../../ext/mbedtls/include"); + + if sig_p384 { + conf.conf.define("MCUBOOT_SIGN_EC384", None); + conf.file("../../ext/mbedtls/library/sha512.c"); + } else { + conf.conf.define("MCUBOOT_SIGN_EC256", None); + conf.file("../../ext/mbedtls/library/sha256.c"); + } + + conf.file("csupport/keys.c"); + conf.file("../../ext/mbedtls/library/asn1parse.c"); + conf.file("../../ext/mbedtls/library/bignum.c"); + conf.file("../../ext/mbedtls/library/ecp.c"); + conf.file("../../ext/mbedtls/library/ecp_curves.c"); + conf.file("../../ext/mbedtls/library/platform.c"); + conf.file("../../ext/mbedtls/library/platform_util.c"); } else if sig_ed25519 { conf.conf.define("MCUBOOT_SIGN_ED25519", None); conf.conf.define("MCUBOOT_USE_TINYCRYPT", None); @@ -421,17 +441,19 @@ fn main() { conf.conf.define("MBEDTLS_CONFIG_FILE", Some("")); } else if enc_aes256_x25519 { conf.conf.define("MBEDTLS_CONFIG_FILE", Some("")); + } else if sig_ecdsa_psa { + conf.conf.define("MBEDTLS_CONFIG_FILE", Some("")); } conf.file("../../boot/bootutil/src/image_validate.c"); if sig_rsa || sig_rsa3072 { conf.file("../../boot/bootutil/src/image_rsa.c"); - } else if sig_ecdsa || sig_ecdsa_mbedtls { - conf.conf.include("../../ext/mbedtls/include"); + } else if sig_ecdsa || sig_ecdsa_mbedtls || sig_ecdsa_psa { conf.file("../../boot/bootutil/src/image_ecdsa.c"); } else if sig_ed25519 { conf.file("../../boot/bootutil/src/image_ed25519.c"); } + conf.file("../../boot/bootutil/src/loader.c"); conf.file("../../boot/bootutil/src/swap_misc.c"); conf.file("../../boot/bootutil/src/swap_scratch.c"); diff --git a/sim/mcuboot-sys/csupport/config-ec-psa.h b/sim/mcuboot-sys/csupport/config-ec-psa.h new file mode 100644 index 000000000..709330ff8 --- /dev/null 
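Review bot: `sig_p384` is only consulted inside the `else if sig_ecdsa_psa` branch, so enabling `sig-p384` together with `sig-ecdsa` or `sig-ecdsa-mbedtls` (or on its own) silently builds a P-256 verifier while the Cargo feature suggests P-384. A guard next to the feature reads (the `let` bindings are in the earlier hunk of this file) turns that into a build error: `if sig_p384 && !sig_ecdsa_psa { panic!("sig-p384 requires sig-ecdsa-psa"); }`. The second hunk at `@@ -421` drops `conf.conf.include("../../ext/mbedtls/include")` from the shared `sig_ecdsa || sig_ecdsa_mbedtls` branch; that is only safe if each of those earlier branches now adds the include itself, which is visible for the PSA branch here but outside this hunk for the `sig_ecdsa` one.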
+++ b/sim/mcuboot-sys/csupport/config-ec-psa.h @@ -0,0 +1,37 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * Copyright (c) 2023 Arm Limited + */ + +#ifndef MCUBOOT_PSA_CRYPTO_CONFIG_ECDSA +#define MCUBOOT_PSA_CRYPTO_CONFIG_ECDSA + +#if defined(MCUBOOT_USE_PSA_CRYPTO) +#include "config-add-psa-crypto.h" +#endif + +#define MBEDTLS_ECP_C +#define MBEDTLS_ECP_NIST_OPTIM +#define MBEDTLS_ECDSA_C + +/* mbed TLS modules */ +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C +#define MBEDTLS_AES_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_MD_C +#define MBEDTLS_OID_C +#if defined(MCUBOOT_SIGN_EC384) +#define MBEDTLS_SHA384_C +#define MBEDTLS_SHA512_C +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED +#else +#define MBEDTLS_SHA256_C +#define MBEDTLS_SHA224_C +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#endif /* MCUBOOT_SIGN_EC384 */ + +#include "mbedtls/check_config.h" + +#endif /* MCUBOOT_PSA_CRYPTO_CONFIG_ECDSA */ diff --git a/sim/mcuboot-sys/csupport/keys.c b/sim/mcuboot-sys/csupport/keys.c index f9325be45..82a746ba0 100644 --- a/sim/mcuboot-sys/csupport/keys.c +++ b/sim/mcuboot-sys/csupport/keys.c @@ -106,8 +106,10 @@ const unsigned char root_pub_der[] = { }; const unsigned int root_pub_der_len = 398; #endif -#elif defined(MCUBOOT_SIGN_EC256) +#elif defined(MCUBOOT_SIGN_EC256) || \ + defined(MCUBOOT_SIGN_EC384) #define HAVE_KEYS +#ifndef MCUBOOT_SIGN_EC384 const unsigned char root_pub_der[] = { 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 
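Review bot: config-ec-psa.h only pulls in `config-add-psa-crypto.h` when `MCUBOOT_USE_PSA_CRYPTO` is defined, yet it is the configuration selected for the `sig-ecdsa-psa` build; without that macro it quietly degrades to a plain mbed TLS ECDSA config and nothing in the file says which is intended. Either make the dependency explicit with an `#else` branch containing `#error "config-ec-psa.h requires MCUBOOT_USE_PSA_CRYPTO"`, or add a comment stating that the non-PSA fallback is deliberate. `MBEDTLS_AES_C` is also enabled although this patch selects no encryption feature; if `mbedtls/check_config.h` does not demand it, a comment giving the reason (or dropping the define) keeps the signature-verification configuration minimal.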
@@ -122,6 +124,26 @@ const unsigned char root_pub_der[] = { 0x8b, 0x68, 0x34, 0xcc, 0x3a, 0x6a, 0xfc, 0x53, 0x8e, 0xfa, 0xc1, }; const unsigned int root_pub_der_len = 91; +#else /* MCUBOOT_SIGN_EC384 */ +const unsigned char root_pub_der[] = { + 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, + 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, + 0x0c, 0x76, 0xca, 0xae, 0x72, 0x3a, 0xa5, 0xe8, + 0xf0, 0xd4, 0xf1, 0x16, 0xb5, 0x02, 0xef, 0x77, + 0xa1, 0x1b, 0x93, 0x61, 0x78, 0xc0, 0x09, 0x26, + 0x7b, 0x3b, 0x40, 0x9c, 0xee, 0x49, 0x85, 0xe0, + 0xc9, 0x4f, 0xe7, 0xf2, 0xba, 0x97, 0x6c, 0xf3, + 0x82, 0x65, 0x14, 0x2c, 0xf5, 0x0c, 0x73, 0x33, + 0x4d, 0x32, 0xe7, 0x9b, 0xd3, 0x42, 0xcc, 0x95, + 0x5a, 0xe5, 0xe2, 0xf5, 0xf4, 0x6e, 0x45, 0xe0, + 0xed, 0x20, 0x35, 0x5c, 0xaf, 0x52, 0x35, 0x81, + 0xd4, 0xdc, 0x9c, 0xe3, 0x9e, 0x22, 0x3e, 0xfb, + 0x3f, 0x22, 0x10, 0xda, 0x70, 0x03, 0x37, 0xad, + 0xa8, 0xf2, 0x48, 0xfe, 0x3a, 0x60, 0x69, 0xa5, +}; +const unsigned int root_pub_der_len = 120; +#endif /* MCUBOOT_SIGN_EC384 */ #elif defined(MCUBOOT_SIGN_ED25519) #define HAVE_KEYS const unsigned char root_pub_der[] = { diff --git a/sim/src/caps.rs b/sim/src/caps.rs index 54631730c..d8dd068ec 100644 --- a/sim/src/caps.rs +++ b/sim/src/caps.rs @@ -29,6 +29,7 @@ pub enum Caps { RamLoad = (1 << 16), DirectXip = (1 << 17), HwRollbackProtection = (1 << 18), + EcdsaP384 = (1 << 19), } impl Caps { @@ -39,7 +40,7 @@ impl Caps { /// Does this build have ECDSA of some type enabled for signatures. pub fn has_ecdsa() -> bool { - Caps::EcdsaP256.present() + Caps::EcdsaP256.present() || Caps::EcdsaP384.present() } /// Query for the number of images that have been configured into this diff --git a/sim/src/ecdsa_pub_key-rs.txt b/sim/src/ecdsa_pub_key-rs.txt index e3a0cc1af..3d8643674 100644 --- a/sim/src/ecdsa_pub_key-rs.txt +++ b/sim/src/ecdsa_pub_key-rs.txt 
@@ -12,3 +12,21 @@ static ECDSA256_PUB_KEY: &[u8] = &[ 0x8b, 0x68, 0x34, 0xcc, 0x3a, 0x6a, 0xfc, 0x53, 0x8e, 0xfa, 0xc1, ]; + +static ECDSAP384_PUB_KEY: &[u8] = &[ + 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, + 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, + 0x0c, 0x76, 0xca, 0xae, 0x72, 0x3a, 0xa5, 0xe8, + 0xf0, 0xd4, 0xf1, 0x16, 0xb5, 0x02, 0xef, 0x77, + 0xa1, 0x1b, 0x93, 0x61, 0x78, 0xc0, 0x09, 0x26, + 0x7b, 0x3b, 0x40, 0x9c, 0xee, 0x49, 0x85, 0xe0, + 0xc9, 0x4f, 0xe7, 0xf2, 0xba, 0x97, 0x6c, 0xf3, + 0x82, 0x65, 0x14, 0x2c, 0xf5, 0x0c, 0x73, 0x33, + 0x4d, 0x32, 0xe7, 0x9b, 0xd3, 0x42, 0xcc, 0x95, + 0x5a, 0xe5, 0xe2, 0xf5, 0xf4, 0x6e, 0x45, 0xe0, + 0xed, 0x20, 0x35, 0x5c, 0xaf, 0x52, 0x35, 0x81, + 0xd4, 0xdc, 0x9c, 0xe3, 0x9e, 0x22, 0x3e, 0xfb, + 0x3f, 0x22, 0x10, 0xda, 0x70, 0x03, 0x37, 0xad, + 0xa8, 0xf2, 0x48, 0xfe, 0x3a, 0x60, 0x69, 0xa5, +]; diff --git a/sim/src/image.rs b/sim/src/image.rs index 54e4f31b0..632dfa568 100644 --- a/sim/src/image.rs +++ b/sim/src/image.rs @@ -1999,7 +1999,7 @@ fn make_tlv() -> TlvGen { TlvGen::new_rsa_pss() } else if Caps::RSA3072.present() { TlvGen::new_rsa3072_pss() - } else if Caps::EcdsaP256.present() { + } else if Caps::EcdsaP256.present() || Caps::EcdsaP384.present() { TlvGen::new_ecdsa() } else if Caps::Ed25519.present() { TlvGen::new_ed25519() diff --git a/sim/src/tlv.rs b/sim/src/tlv.rs index 5541f112b..9a7e14f99 100644 --- a/sim/src/tlv.rs +++ b/sim/src/tlv.rs @@ -29,6 +29,7 @@ use ring::signature::{ EcdsaKeyPair, ECDSA_P256_SHA256_ASN1_SIGNING, Ed25519KeyPair, + ECDSA_P384_SHA384_ASN1_SIGNING, }; use aes::{ Aes128, 
@@ -385,12 +386,17 @@ impl ManifestGen for TlvGen { estimate += 4 + 64; // ED25519 signature. } if self.kinds.contains(&TlvKinds::ECDSASIG) { - estimate += 4 + 32; // keyhash - - // ECDSA signatures are encoded as ASN.1 with the x and y values stored as signed - // integers. As such, the size can vary by 2 bytes, if the 256-bit value has the high - // bit, it takes an extra 0 byte to avoid it being seen as a negative number. - estimate += 4 + 72; // ECDSA256 (varies) + // ECDSA signatures are encoded as ASN.1 with the x and y values + // stored as signed integers. As such, the size can vary by 2 bytes, + // if for example the 256-bit value has the high bit, it takes an + // extra 0 byte to avoid it being seen as a negative number. + if cfg!(feature = "use-p384-curve") { + estimate += 4 + 48; // keyhash + estimate += 4 + 104; // ECDSA384 (varies) + } else { + estimate += 4 + 32; // keyhash + estimate += 4 + 72; // ECDSA256 (varies) + } } // Estimate encryption. 
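Review bot: The P-384 branch keys off `cfg!(feature = "use-p384-curve")`, but the feature this patch declares in `sim/Cargo.toml` is `sig-p384` (alongside `sig-ecdsa-psa`); unless `use-p384-curve` is declared in a part of Cargo.toml outside this patch, the condition is always false, the estimate stays at the P-256 sizes and the signing path in the later hunk at `@@ -559` never selects the P-384 key. The check should read `if cfg!(feature = "sig-p384") {` in both places, or the Cargo feature should be renamed to match. The size arithmetic itself is consistent with the rest of the patch: a 48-byte SHA-384 key hash and 104 bytes as the DER upper bound for a P-384 signature mirror the 32/72 figures for P-256.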
@@ -559,11 +565,19 @@ impl ManifestGen for TlvGen { if self.kinds.contains(&TlvKinds::ECDSASIG) { let rng = rand::SystemRandom::new(); - let keyhash = digest::digest(&digest::SHA256, ECDSA256_PUB_KEY); - let key_bytes = pem::parse(include_bytes!("../../root-ec-p256-pkcs8.pem").as_ref()).unwrap(); - let sign_algo = &ECDSA_P256_SHA256_ASN1_SIGNING; - let key_pair = EcdsaKeyPair::from_pkcs8(sign_algo, &key_bytes.contents).unwrap(); - let signature = key_pair.sign(&rng,&sig_payload).unwrap(); + let (signature, keyhash) = if cfg!(feature = "use-p384-curve") { + let keyhash = digest::digest(&digest::SHA384, ECDSAP384_PUB_KEY); + let key_bytes = pem::parse(include_bytes!("../../root-ec-p384-pkcs8.pem").as_ref()).unwrap(); + let sign_algo = &ECDSA_P384_SHA384_ASN1_SIGNING; + let key_pair = EcdsaKeyPair::from_pkcs8(sign_algo, &key_bytes.contents).unwrap(); + (key_pair.sign(&rng, &sig_payload).unwrap(), keyhash) + } else { + let keyhash = digest::digest(&digest::SHA256, ECDSA256_PUB_KEY); + let key_bytes = pem::parse(include_bytes!("../../root-ec-p256-pkcs8.pem").as_ref()).unwrap(); + let sign_algo = &ECDSA_P256_SHA256_ASN1_SIGNING; + let key_pair = EcdsaKeyPair::from_pkcs8(sign_algo, &key_bytes.contents).unwrap(); + (key_pair.sign(&rng, &sig_payload).unwrap(), keyhash) + }; // Write public key let keyhash_slice = keyhash.as_ref(); @@ -578,6 +592,7 @@ impl ManifestGen for TlvGen { result.write_u16::(signature.len() as u16).unwrap(); result.extend_from_slice(&signature); } + if self.kinds.contains(&TlvKinds::ED25519) { let keyhash = digest::digest(&digest::SHA256, ED25519_PUB_KEY); let keyhash = keyhash.as_ref(); From 03c9ad07815ba065b3dc0440d5e8b66a68c4a442 Mon Sep 17 00:00:00 2001 
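Review bot: The two arms of the new `let (signature, keyhash) = if …` block repeat the same four statements (hash the public key, parse the PKCS#8 PEM, build the key pair, sign) and differ only in the digest, key file, signing algorithm and public key; selecting those four values in the conditional and running the pipeline once leaves a single `unwrap()` chain to audit and keeps the two curves from drifting apart. The type annotation on the tuple is what lets the two `include_bytes!` arrays of different lengths coerce to `&[u8]`; `ring::signature::EcdsaSigningAlgorithm` is not in the visible import list, so it is written fully qualified below. The TLV writes that follow (`keyhash.as_ref()` and the signature length) are unchanged and still use the same names.
```rust
if self.kinds.contains(&TlvKinds::ECDSASIG) {
    let rng = rand::SystemRandom::new();
    let (hash_algo, pkcs8_pem, sign_algo, pub_key): (
        &digest::Algorithm,
        &[u8],
        &'static ring::signature::EcdsaSigningAlgorithm,
        &[u8],
    ) = if cfg!(feature = "use-p384-curve") {
        (&digest::SHA384, include_bytes!("../../root-ec-p384-pkcs8.pem"), &ECDSA_P384_SHA384_ASN1_SIGNING, ECDSAP384_PUB_KEY)
    } else {
        (&digest::SHA256, include_bytes!("../../root-ec-p256-pkcs8.pem"), &ECDSA_P256_SHA256_ASN1_SIGNING, ECDSA256_PUB_KEY)
    };
    let keyhash = digest::digest(hash_algo, pub_key);
    let key_bytes = pem::parse(pkcs8_pem).unwrap();
    let key_pair = EcdsaKeyPair::from_pkcs8(sign_algo, &key_bytes.contents).unwrap();
    let signature = key_pair.sign(&rng, &sig_payload).unwrap();
    // … unchanged: public-key TLV and signature TLV writes …
```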
From: Roland Mikhel Date: Wed, 8 Mar 2023 15:56:43 +0100 Subject: [PATCH 016/113] bootutil: Replace hash with SHA384 when P384 is used Currently all the hashing functionality is done with SHA256 but if we would like to use ECDSA-P384 that requires SHA384 as the hashing algorithm, but MCUboot is using SHA256 for image hashing and public key hashing. This commit modifies the hashing operations to use SHA384 thus SHA256 can be omitted which is beneficial from a code size standpoint. Signed-off-by: Roland Mikhel Change-Id: I59230f76f88e0b42ad6383b2c9b71b73f33d7dd7 --- .../bootutil/crypto/{sha256.h => sha.h} | 90 +++++++++++-------- boot/bootutil/include/bootutil/image.h | 2 +- boot/bootutil/src/boot_record.c | 7 +- boot/bootutil/src/encrypted.c | 2 +- boot/bootutil/src/image_rsa.c | 28 +++--- boot/bootutil/src/image_validate.c | 77 ++++++++-------- ext/nrf/cc310_glue.h | 4 +- 7 files changed, 115 insertions(+), 95 deletions(-) rename boot/bootutil/include/bootutil/crypto/{sha256.h => sha.h} (56%) diff --git a/boot/bootutil/include/bootutil/crypto/sha256.h b/boot/bootutil/include/bootutil/crypto/sha.h similarity index 56% rename from boot/bootutil/include/bootutil/crypto/sha256.h rename to boot/bootutil/include/bootutil/crypto/sha.h index ff9cf61d1..9ce54bee5 100644 --- a/boot/bootutil/include/bootutil/crypto/sha256.h +++ b/boot/bootutil/include/bootutil/crypto/sha.h @@ -18,8 +18,8 @@ * the MCUBOOT_USE_PSA_CRYPTO will take precedence. */ -#ifndef __BOOTUTIL_CRYPTO_SHA256_H_ -#define __BOOTUTIL_CRYPTO_SHA256_H_ +#ifndef __BOOTUTIL_CRYPTO_SHA_H_ +#define __BOOTUTIL_CRYPTO_SHA_H_ #include "mcuboot_config/mcuboot_config.h" #include "mcuboot_config/mcuboot_logging.h" 
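Review bot: The renamed include guard `__BOOTUTIL_CRYPTO_SHA_H_` keeps the double-underscore prefix, which C reserves for the implementation; since the guard is being renamed anyway, this is the cheap moment to switch to `BOOTUTIL_CRYPTO_SHA_H_` (and the matching `#endif` comment in the hunk at `@@ -192`). The descriptive comment at the top of the file sits outside this hunk and, judging by the old file name, may still present the header as SHA-256 only; it is worth re-reading now that the same functions also carry SHA-384.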
@@ -34,8 +34,16 @@ #error "One crypto backend must be defined: either CC310/MBED_TLS/TINYCRYPT/PSA_CRYPTO" #endif +#if defined(MCUBOOT_SIGN_EC384) + #define IMAGE_HASH_SIZE (48) + #define EXPECTED_HASH_TLV IMAGE_TLV_SHA384 +#else + #define IMAGE_HASH_SIZE (32) + #define EXPECTED_HASH_TLV IMAGE_TLV_SHA256 +#endif /* MCUBOOT_SIGN_EC384 */ + /* Universal defines for SHA-256 */ -#define BOOTUTIL_CRYPTO_SHA256_BLOCK_SIZE (64) +#define BOOTUTIL_CRYPTO_SHA256_BLOCK_SIZE (64) #define BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE (32) #if defined(MCUBOOT_USE_PSA_CRYPTO) 
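Review bot: `IMAGE_HASH_SIZE` becomes 48 and `EXPECTED_HASH_TLV` becomes `IMAGE_TLV_SHA384` whenever `MCUBOOT_SIGN_EC384` is defined, but only the PSA backend in the next hunk (`@@ -69`) switches `bootutil_sha_init`/`bootutil_sha_finish` to SHA-384; the mbed TLS, TinyCrypt and CC310 variants in the hunks at `@@ -69`, `@@ -115` and `@@ -131` keep calling the `sha256` primitives, so that combination writes a 32-byte digest into a 48-byte buffer and compares it with the SHA-384 TLV. That presumably fails closed, but it should be a build error rather than a silent mismatch; after the `#endif /* MCUBOOT_SIGN_EC384 */` add `#if defined(MCUBOOT_SIGN_EC384) && !defined(MCUBOOT_USE_PSA_CRYPTO)`, `#error "SHA-384 image hashing is only implemented for the PSA Crypto backend"`, `#endif`. `EXPECTED_HASH_TLV` also expands to `IMAGE_TLV_SHA256`/`IMAGE_TLV_SHA384` from `bootutil/image.h`; whether this header includes it is outside the hunk, so users such as boot_record.c may depend on include order.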
@@ -69,45 +77,54 @@ extern "C" { #if defined(MCUBOOT_USE_PSA_CRYPTO) -typedef psa_hash_operation_t bootutil_sha256_context; +typedef psa_hash_operation_t bootutil_sha_context; -static inline int bootutil_sha256_init(bootutil_sha256_context *ctx) +static inline int bootutil_sha_init(bootutil_sha_context *ctx) { *ctx = psa_hash_operation_init(); - return (int)psa_hash_setup(ctx, PSA_ALG_SHA_256); +#if defined(MCUBOOT_SIGN_EC384) + psa_status_t status = psa_hash_setup(ctx, PSA_ALG_SHA_384); +#else + psa_status_t status = psa_hash_setup(ctx, PSA_ALG_SHA_256); +#endif + return (int)status; } -static inline int bootutil_sha256_drop(bootutil_sha256_context *ctx) +static inline int bootutil_sha_drop(bootutil_sha_context *ctx) { return (int)psa_hash_abort(ctx); } -static inline int bootutil_sha256_update(bootutil_sha256_context *ctx, - const void *data, - uint32_t data_len) +static inline int bootutil_sha_update(bootutil_sha_context *ctx, + const void *data, + uint32_t data_len) { return (int)psa_hash_update(ctx, data, data_len); } -static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx, - uint8_t *output) +static inline int bootutil_sha_finish(bootutil_sha_context *ctx, + uint8_t *output) { size_t hash_length = 0; /* Assumes the output buffer is at least the expected size of the hash */ +#if defined(MCUBOOT_SIGN_EC384) + return (int)psa_hash_finish(ctx, output, PSA_HASH_LENGTH(PSA_ALG_SHA_384), &hash_length); +#else return (int)psa_hash_finish(ctx, output, PSA_HASH_LENGTH(PSA_ALG_SHA_256), &hash_length); +#endif } #elif defined(MCUBOOT_USE_MBED_TLS) -typedef mbedtls_sha256_context bootutil_sha256_context; +typedef mbedtls_sha256_context bootutil_sha_context; -static inline int bootutil_sha256_init(bootutil_sha256_context *ctx) +static inline int bootutil_sha_init(bootutil_sha_context *ctx) { mbedtls_sha256_init(ctx); return mbedtls_sha256_starts_ret(ctx, 0); } -static inline int bootutil_sha256_drop(bootutil_sha256_context *ctx) +static inline int 
bootutil_sha_drop(bootutil_sha_context *ctx) { /* XXX: config defines MBEDTLS_PLATFORM_NO_STD_FUNCTIONS so no need to free */ /* (void)mbedtls_sha256_free(ctx); */ @@ -115,15 +132,15 @@ static inline int bootutil_sha256_drop(bootutil_sha256_context *ctx) return 0; } -static inline int bootutil_sha256_update(bootutil_sha256_context *ctx, - const void *data, - uint32_t data_len) +static inline int bootutil_sha_update(bootutil_sha_context *ctx, + const void *data, + uint32_t data_len) { return mbedtls_sha256_update_ret(ctx, data, data_len); } -static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx, - uint8_t *output) +static inline int bootutil_sha_finish(bootutil_sha_context *ctx, + uint8_t *output) { return mbedtls_sha256_finish_ret(ctx, output); } 
@@ -131,57 +148,58 @@ static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx, #endif /* MCUBOOT_USE_MBED_TLS */ #if defined(MCUBOOT_USE_TINYCRYPT) -typedef struct tc_sha256_state_struct bootutil_sha256_context; -static inline int bootutil_sha256_init(bootutil_sha256_context *ctx) +typedef struct tc_sha256_state_struct bootutil_sha_context; + +static inline int bootutil_sha_init(bootutil_sha_context *ctx) { tc_sha256_init(ctx); return 0; } -static inline int bootutil_sha256_drop(bootutil_sha256_context *ctx) +static inline int bootutil_sha_drop(bootutil_sha_context *ctx) { (void)ctx; return 0; } -static inline int bootutil_sha256_update(bootutil_sha256_context *ctx, - const void *data, - uint32_t data_len) +static inline int bootutil_sha_update(bootutil_sha_context *ctx, + const void *data, + uint32_t data_len) { return tc_sha256_update(ctx, data, data_len); } -static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx, - uint8_t *output) +static inline int bootutil_sha_finish(bootutil_sha_context *ctx, + uint8_t *output) { return tc_sha256_final(output, ctx); } #endif /* MCUBOOT_USE_TINYCRYPT */ #if defined(MCUBOOT_USE_CC310) -static inline int bootutil_sha256_init(bootutil_sha256_context *ctx) +static inline int bootutil_sha_init(bootutil_sha_context *ctx) { cc310_sha256_init(ctx); return 0; } -static inline int bootutil_sha256_drop(bootutil_sha256_context *ctx) +static inline int bootutil_sha_drop(bootutil_sha_context *ctx) { (void)ctx; nrf_cc310_disable(); return 0; } -static inline int bootutil_sha256_update(bootutil_sha256_context *ctx, - const void *data, - uint32_t data_len) +static inline int bootutil_sha_update(bootutil_sha_context *ctx, + const void *data, + uint32_t data_len) { cc310_sha256_update(ctx, data, data_len); return 0; } -static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx, - uint8_t *output) +static inline int bootutil_sha_finish(bootutil_sha_context *ctx, + uint8_t *output) { 
cc310_sha256_finalize(ctx, output); return 0; @@ -192,4 +210,4 @@ static inline int bootutil_sha256_finish(bootutil_sha256_context *ctx, } #endif -#endif /* __BOOTUTIL_CRYPTO_SHA256_H_ */ +#endif /* __BOOTUTIL_CRYPTO_SHA_H_ */ diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h index 69ff033b3..d3e5f93af 100644 --- a/boot/bootutil/include/bootutil/image.h +++ b/boot/bootutil/include/bootutil/image.h @@ -80,7 +80,6 @@ struct flash_area; * Image trailer TLV types. * * Signature is generated by computing signature over the image hash. - * Currently the only image hash type is SHA256. * * Signature comes in the form of 2 TLVs. * 1st on identifies the public key which should be used to verify it. @@ -89,6 +88,7 @@ struct flash_area; #define IMAGE_TLV_KEYHASH 0x01 /* hash of the public key */ #define IMAGE_TLV_PUBKEY 0x02 /* public key */ #define IMAGE_TLV_SHA256 0x10 /* SHA256 of image hdr and body */ +#define IMAGE_TLV_SHA384 0x11 /* SHA384 of image hdr and body */ #define IMAGE_TLV_RSA2048_PSS 0x20 /* RSA2048 of hash output */ #define IMAGE_TLV_ECDSA224 0x21 /* ECDSA of hash output - Not supported anymore */ #define IMAGE_TLV_ECDSA_SIG 0x22 /* ECDSA of hash output */ diff --git a/boot/bootutil/src/boot_record.c b/boot/bootutil/src/boot_record.c index 343aba00d..59a900cd4 100644 --- a/boot/bootutil/src/boot_record.c +++ b/boot/bootutil/src/boot_record.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018-2021 Arm Limited + * Copyright (c) 2018-2023 Arm Limited * Copyright (c) 2020 Linaro Limited * Copyright (c) 2023, Nordic Semiconductor ASA * @@ -23,6 +23,7 @@ #include #include "mcuboot_config/mcuboot_config.h" +#include "bootutil/crypto/sha.h" #if defined(MCUBOOT_MEASURED_BOOT) || defined(MCUBOOT_DATA_SHARING) #include "bootutil/boot_record.h" 
@@ -127,7 +128,7 @@ boot_save_boot_status(uint8_t sw_module, uint16_t type; uint16_t ias_minor; size_t record_len = 0; - uint8_t image_hash[32]; /* SHA256 - 32 Bytes */ + uint8_t image_hash[IMAGE_HASH_SIZE]; uint8_t buf[MAX_BOOT_RECORD_SZ]; bool boot_record_found = false; bool hash_found = false; @@ -165,7 +166,7 @@ boot_save_boot_status(uint8_t sw_module, record_len = len; boot_record_found = true; - } else if (type == IMAGE_TLV_SHA256) { + } else if (type == EXPECTED_HASH_TLV) { /* Get the image's hash value from the manifest section. */ if (len > sizeof(image_hash)) { return -1; diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c index 82435a425..bc4d917bd 100644 --- a/boot/bootutil/src/encrypted.c +++ b/boot/bootutil/src/encrypted.c @@ -30,7 +30,7 @@ #endif #if defined(MCUBOOT_ENCRYPT_EC256) || defined(MCUBOOT_ENCRYPT_X25519) -#include "bootutil/crypto/sha256.h" +#include "bootutil/crypto/sha.h" #include "bootutil/crypto/hmac_sha256.h" #include "mbedtls/oid.h" #include "mbedtls/asn1.h" diff --git a/boot/bootutil/src/image_rsa.c b/boot/bootutil/src/image_rsa.c index 34ee85bbd..37c35e05e 100644 --- a/boot/bootutil/src/image_rsa.c +++ b/boot/bootutil/src/image_rsa.c @@ -43,7 +43,7 @@ */ #if !defined(MCUBOOT_USE_PSA_CRYPTO) -#include "bootutil/crypto/sha256.h" +#include "bootutil/crypto/sha.h" /* * Constants for this particular constrained implementation of 
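Review bot: With the hash length now chosen at build time, the check following the changed `type == EXPECTED_HASH_TLV` line in boot_record.c still only rejects `len > sizeof(image_hash)`; a TLV shorter than `IMAGE_HASH_SIZE` is accepted, and whatever copy follows (outside the hunk) would leave the tail of `image_hash` undetermined unless the buffer was cleared first, which the declaration in the hunk at `@@ -127` does not do. Pinning the length, `if (len != sizeof(image_hash)) { return -1; }`, matches the single hash size a given build expects. boot_save_boot_status() starts before the first hunk and continues past this one.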
@@ -86,17 +86,17 @@ static const uint8_t pss_zeros[8] = {0}; static void pss_mgf1(uint8_t *mask, const uint8_t *hash) { - bootutil_sha256_context ctx; + bootutil_sha_context ctx; uint8_t counter[4] = { 0, 0, 0, 0 }; uint8_t htmp[PSS_HLEN]; int count = PSS_MASK_LEN; int bytes; while (count > 0) { - bootutil_sha256_init(&ctx); - bootutil_sha256_update(&ctx, hash, PSS_HLEN); - bootutil_sha256_update(&ctx, counter, 4); - bootutil_sha256_finish(&ctx, htmp); + bootutil_sha_init(&ctx); + bootutil_sha_update(&ctx, hash, PSS_HLEN); + bootutil_sha_update(&ctx, counter, 4); + bootutil_sha_finish(&ctx, htmp); counter[3]++; @@ -109,7 +109,7 @@ pss_mgf1(uint8_t *mask, const uint8_t *hash) count -= bytes; } - bootutil_sha256_drop(&ctx); + bootutil_sha_drop(&ctx); } /* @@ -121,7 +121,7 @@ static fih_ret bootutil_cmp_rsasig(bootutil_rsa_context *ctx, uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen) { - bootutil_sha256_context shactx; + bootutil_sha_context shactx; uint8_t em[MBEDTLS_MPI_MAX_SIZE]; uint8_t db_mask[PSS_MASK_LEN]; uint8_t h2[PSS_HLEN]; @@ -221,12 +221,12 @@ bootutil_cmp_rsasig(bootutil_rsa_context *ctx, uint8_t *hash, uint32_t hlen, /* Step 12. Let M' = 0x00 00 00 00 00 00 00 00 || mHash || salt; */ /* Step 13. Let H' = Hash(M') */ - bootutil_sha256_init(&shactx); - bootutil_sha256_update(&shactx, pss_zeros, 8); - bootutil_sha256_update(&shactx, hash, PSS_HLEN); - bootutil_sha256_update(&shactx, &db_mask[PSS_MASK_SALT_POS], PSS_SLEN); - bootutil_sha256_finish(&shactx, h2); - bootutil_sha256_drop(&shactx); + bootutil_sha_init(&shactx); + bootutil_sha_update(&shactx, pss_zeros, 8); + bootutil_sha_update(&shactx, hash, PSS_HLEN); + bootutil_sha_update(&shactx, &db_mask[PSS_MASK_SALT_POS], PSS_SLEN); + bootutil_sha_finish(&shactx, h2); + bootutil_sha_drop(&shactx); /* Step 14. If H = H', output "consistent". Otherwise, output * "inconsistent". */ diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index 8260e5949..d045a3e79 100644 
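Review bot: `bootutil_sha_finish(&ctx, htmp)` in pss_mgf1 now writes whatever digest `bootutil_sha_context` resolves to into `htmp[PSS_HLEN]`, while the PSS constants in this file are still sized for one fixed hash; the rename makes that coupling implicit rather than visible. Since `IMAGE_HASH_SIZE` is introduced by this commit, a `_Static_assert(PSS_HLEN == IMAGE_HASH_SIZE, "PSS encoding assumes the image hash digest size");` next to the constants (or a preprocessor `#if` check if both are macros) documents the assumption and turns a future digest-size mismatch into a compile error instead of an overflow of `htmp` and `h2`. The same applies to the `bootutil_cmp_rsasig` hunk (`h2[PSS_HLEN]`); RSA and EC384 are mutually exclusive per the `#error` added in image_validate.c, so the assertion should hold today.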
--- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -33,7 +33,7 @@ #include #include "bootutil/image.h" -#include "bootutil/crypto/sha256.h" +#include "bootutil/crypto/sha.h" #include "bootutil/sign_key.h" #include "bootutil/security_cnt.h" #include "bootutil/fault_injection_hardening.h" @@ -57,7 +57,9 @@ #include "bootutil_priv.h" /* - * Compute SHA256 over the image. + * Compute SHA hash over the image. + * (SHA384 if ECDSA-P384 is being used, + * SHA256 otherwise). */ static int bootutil_img_hash(struct enc_key_data *enc_state, int image_index, @@ -65,7 +67,7 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *hash_result, uint8_t *seed, int seed_len) { - bootutil_sha256_context sha256_ctx; + bootutil_sha_context sha_ctx; uint32_t blk_sz; uint32_t size; uint16_t hdr_size; @@ -99,12 +101,12 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, } #endif - bootutil_sha256_init(&sha256_ctx); + bootutil_sha_init(&sha_ctx); /* in some cases (split image) the hash is seeded with data from * the loader image */ if (seed && (seed_len > 0)) { - bootutil_sha256_update(&sha256_ctx, seed, seed_len); + bootutil_sha_update(&sha_ctx, seed, seed_len); } /* Hash is computed over image header and image itself. */ @@ -116,9 +118,9 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, size += hdr->ih_protect_tlv_size; #ifdef MCUBOOT_RAM_LOAD - bootutil_sha256_update(&sha256_ctx, - (void*)(IMAGE_RAM_BASE + hdr->ih_load_addr), - size); + bootutil_sha_update(&sha_ctx, + (void*)(IMAGE_RAM_BASE + hdr->ih_load_addr), + size); #else for (off = 0; off < size; off += blk_sz) { blk_sz = size - off; @@ -140,7 +142,7 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, #endif rc = flash_area_read(fap, off, tmp_buf, blk_sz); if (rc) { - bootutil_sha256_drop(&sha256_ctx); + bootutil_sha_drop(&sha_ctx); return rc; } #ifdef MCUBOOT_ENC_IMAGES 
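Review bot: The updated header comment on `bootutil_img_hash` says which digest is used but not how large `hash_result` must be, and that is the parameter whose contract this commit changes. I'd extend it with `* hash_result must hold at least IMAGE_HASH_SIZE bytes; the digest is selected at build time (SHA384 with ECDSA-P384, SHA256 otherwise).` The selection itself is not visible here (presumably in bootutil/crypto/sha.h), so the parenthetical should be kept in step with that header.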
@@ -153,11 +155,11 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, } } #endif - bootutil_sha256_update(&sha256_ctx, tmp_buf, blk_sz); + bootutil_sha_update(&sha_ctx, tmp_buf, blk_sz); } #endif /* MCUBOOT_RAM_LOAD */ - bootutil_sha256_finish(&sha256_ctx, hash_result); - bootutil_sha256_drop(&sha256_ctx); + bootutil_sha_finish(&sha_ctx, hash_result); + bootutil_sha_drop(&sha_ctx); return 0; } @@ -170,6 +172,7 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, */ #if (defined(MCUBOOT_SIGN_RSA) + \ defined(MCUBOOT_SIGN_EC256) + \ + defined(MCUBOOT_SIGN_EC384) + \ defined(MCUBOOT_SIGN_ED25519)) > 1 #error "Only a single signature type is supported!" #endif @@ -185,6 +188,7 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, # define SIG_BUF_SIZE (MCUBOOT_SIGN_RSA_LEN / 8) # define EXPECTED_SIG_LEN(x) ((x) == SIG_BUF_SIZE) /* 2048 bits */ #elif defined(MCUBOOT_SIGN_EC256) || \ + defined(MCUBOOT_SIGN_EC384) || \ defined(MCUBOOT_SIGN_EC) # define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA_SIG # define SIG_BUF_SIZE 128 
@@ -202,26 +206,26 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, static int bootutil_find_key(uint8_t *keyhash, uint8_t keyhash_len) { - bootutil_sha256_context sha256_ctx; + bootutil_sha_context sha_ctx; int i; const struct bootutil_key *key; - uint8_t hash[32]; + uint8_t hash[IMAGE_HASH_SIZE]; - if (keyhash_len > 32) { + if (keyhash_len > IMAGE_HASH_SIZE) { return -1; } for (i = 0; i < bootutil_key_cnt; i++) { key = &bootutil_keys[i]; - bootutil_sha256_init(&sha256_ctx); - bootutil_sha256_update(&sha256_ctx, key->key, *key->len); - bootutil_sha256_finish(&sha256_ctx, hash); + bootutil_sha_init(&sha_ctx); + bootutil_sha_update(&sha_ctx, key->key, *key->len); + bootutil_sha_finish(&sha_ctx, hash); if (!memcmp(hash, keyhash, keyhash_len)) { - bootutil_sha256_drop(&sha256_ctx); + bootutil_sha_drop(&sha_ctx); return i; } } - bootutil_sha256_drop(&sha256_ctx); + bootutil_sha_drop(&sha_ctx); return -1; } #else @@ -229,17 +233,17 @@ extern unsigned int pub_key_len; static int bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len) { - bootutil_sha256_context sha256_ctx; - uint8_t hash[32]; - uint8_t key_hash[32]; + bootutil_sha_context sha_ctx; + uint8_t hash[IMAGE_HASH_SIZE]; + uint8_t key_hash[IMAGE_HASH_SIZE]; size_t key_hash_size = sizeof(key_hash); int rc; FIH_DECLARE(fih_rc, FIH_FAILURE); - bootutil_sha256_init(&sha256_ctx); - bootutil_sha256_update(&sha256_ctx, key, key_len); - bootutil_sha256_finish(&sha256_ctx, hash); - bootutil_sha256_drop(&sha256_ctx); + bootutil_sha_init(&sha_ctx); + bootutil_sha_update(&sha_ctx, key, key_len); + bootutil_sha_finish(&sha_ctx, hash); + bootutil_sha_drop(&sha_ctx); rc = boot_retrieve_public_key_hash(image_index, key_hash, &key_hash_size); if (rc) { 
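Review bot: `bootutil_find_key` in the first hunk still compares only `keyhash_len` bytes (`memcmp(hash, keyhash, keyhash_len)`) after the guard was changed to `keyhash_len > IMAGE_HASH_SIZE`, so a KEYHASH TLV shorter than the digest matches on a prefix and a zero-length one selects the first key. The commit tightens the image-hash TLV to `len != sizeof(hash)` but leaves this prefix match in place; `if (keyhash_len != IMAGE_HASH_SIZE) { return -1; }` would make key lookup require the full digest. The signature is still verified against whichever key is selected, so this is a robustness point rather than a bypass, but the same loose `len > IMAGE_HASH_SIZE` test appears in the `IMAGE_TLV_KEYHASH` branch of bootutil_img_validate later in this file and should be tightened together with it.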
@@ -337,7 +341,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, uint32_t off; uint16_t len; uint16_t type; - int sha256_valid = 0; + int image_hash_valid = 0; #ifdef EXPECTED_SIG_TLV FIH_DECLARE(valid_signature, FIH_FAILURE); int key_id = -1; @@ -348,7 +352,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, #endif /* EXPECTED_SIG_TLV */ struct image_tlv_iter it; uint8_t buf[SIG_BUF_SIZE]; - uint8_t hash[32]; + uint8_t hash[IMAGE_HASH_SIZE]; int rc = 0; FIH_DECLARE(fih_rc, FIH_FAILURE); #ifdef MCUBOOT_HW_ROLLBACK_PROT @@ -364,7 +368,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, } if (out_hash) { - memcpy(out_hash, hash, 32); + memcpy(out_hash, hash, IMAGE_HASH_SIZE); } rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false); @@ -389,11 +393,8 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, break; } - if (type == IMAGE_TLV_SHA256) { - /* - * Verify the SHA256 image hash. This must always be - * present. - */ + if (type == EXPECTED_HASH_TLV) { + /* Verify the image hash. This must always be present. */ if (len != sizeof(hash)) { rc = -1; goto out; @@ -409,14 +410,14 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, goto out; } - sha256_valid = 1; + image_hash_valid = 1; #ifdef EXPECTED_SIG_TLV #ifndef MCUBOOT_HW_KEY } else if (type == IMAGE_TLV_KEYHASH) { /* * Determine which key we should be checking. */ - if (len > 32) { + if (len > IMAGE_HASH_SIZE) { rc = -1; goto out; } @@ -506,7 +507,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, } } - rc = !sha256_valid; + rc = !image_hash_valid; if (rc) { goto out; } diff --git a/ext/nrf/cc310_glue.h b/ext/nrf/cc310_glue.h index c42fad5a5..ed3ed5c00 100644 --- a/ext/nrf/cc310_glue.h +++ b/ext/nrf/cc310_glue.h 
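Review bot: `memcpy(out_hash, hash, IMAGE_HASH_SIZE)` now writes 48 bytes into the caller's buffer in an EC384 build where it used to write 32, and nothing in this hunk tells callers of `bootutil_img_validate` that the required size changed. Callers are outside this diff, so I can't tell whether any still pass a 32-byte buffer; the prototype's comment should state `out_hash, if non-NULL, must hold IMAGE_HASH_SIZE bytes`, and any `uint8_t buf[32]` at the call sites should become `IMAGE_HASH_SIZE`. Renaming `sha256_valid` to `image_hash_valid` is a good catch; the remaining `32` literals in this function appear to have all been replaced.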
@@ -32,7 +32,7 @@ #define NRF_CRYPTOCELL NRF_CRYPTOCELL_S #endif -typedef nrf_cc310_bl_hash_context_sha256_t bootutil_sha256_context; +typedef nrf_cc310_bl_hash_context_sha256_t bootutil_sha_context; int cc310_ecdsa_verify_secp256r1(uint8_t *hash, uint8_t *public_key, @@ -66,7 +66,7 @@ static inline void cc310_sha256_init(nrf_cc310_bl_hash_context_sha256_t * ctx) nrf_cc310_bl_hash_sha256_init(ctx); } -static inline void cc310_sha256_finalize(bootutil_sha256_context *ctx, +static inline void cc310_sha256_finalize(nrf_cc310_bl_hash_context_sha256_t *ctx, uint8_t *output) { nrf_cc310_bl_hash_sha256_finalize(ctx, From fb5507b4a4f7e70dd9379e480a8a06e534350560 Mon Sep 17 00:00:00 2001 From: Roland Mikhel Date: Tue, 14 Mar 2023 14:08:43 +0100 Subject: [PATCH 017/113] sim: Replace hash with SHA384 when P384 is used Currently all the hashing functionality is done with SHA256 but if we would like to use ECDSA-P384 that requires SHA384 as the hashing algorithm. However, MCUboot is using SHA256 for image hashing and public key hashing. This commit modifies the hashing operations to use SHA384 thus SHA256 can be omitted which is beneficial from a code size standpoint. Signed-off-by: Roland Mikhel Change-Id: I364eefe334e4fe6668b8a3b97991b5dbb0c80104 --- sim/src/tlv.rs | 45 ++++++++++++++++++++++++++++++--------------- 1 file changed, 30 insertions(+), 15 deletions(-) diff --git a/sim/src/tlv.rs b/sim/src/tlv.rs index 9a7e14f99..ce6876e9d 100644 --- a/sim/src/tlv.rs +++ b/sim/src/tlv.rs @@ -51,6 +51,7 @@ use typenum::{U16, U32}; pub enum TlvKinds { KEYHASH = 0x01, SHA256 = 0x10, + SHA384 = 0x11, RSA2048 = 0x20, ECDSASIG = 0x22, RSA3072 = 0x23, @@ -167,8 +168,13 @@ impl TlvGen { #[allow(dead_code)] pub fn new_ecdsa() -> TlvGen { + let hash_kind = if cfg!(feature = "sig-p384") { + TlvKinds::SHA384 + } else { + TlvKinds::SHA256 + }; TlvGen { - kinds: vec![TlvKinds::SHA256, TlvKinds::ECDSASIG], + kinds: vec![hash_kind, TlvKinds::ECDSASIG], ..Default::default() } } 
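Review bot: The cc310 glue types `bootutil_sha_context` as `nrf_cc310_bl_hash_context_sha256_t`, so this backend can only produce a 32-byte digest, while the rest of this commit lets `IMAGE_HASH_SIZE`/`EXPECTED_HASH_TLV` select SHA384 for `MCUBOOT_SIGN_EC384`. If the selection in sha.h does not already exclude this backend (not visible here), an EC384 build against cc310 would compute SHA256 into a 48-byte buffer and fail verification in a confusing way rather than at build time. A guard next to the typedef, `#if defined(MCUBOOT_SIGN_EC384)` / `#error "cc310 glue implements SHA256 only"` / `#endif`, makes the limitation explicit.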
@@ -370,6 +376,8 @@ impl ManifestGen for TlvGen { // Estimate the size of the image hash. if self.kinds.contains(&TlvKinds::SHA256) { estimate += 4 + 32; + } else if self.kinds.contains(&TlvKinds::SHA384) { + estimate += 4 + 48; } // Add an estimate in for each of the signature algorithms. @@ -390,11 +398,11 @@ impl ManifestGen for TlvGen { // stored as signed integers. As such, the size can vary by 2 bytes, // if for example the 256-bit value has the high bit, it takes an // extra 0 byte to avoid it being seen as a negative number. - if cfg!(feature = "use-p384-curve") { - estimate += 4 + 48; // keyhash + if self.kinds.contains(&TlvKinds::SHA384) { + estimate += 4 + 48; // SHA384 estimate += 4 + 104; // ECDSA384 (varies) } else { - estimate += 4 + 32; // keyhash + estimate += 4 + 32; // SHA256 estimate += 4 + 72; // ECDSA256 (varies) } } @@ -479,7 +487,7 @@ impl ManifestGen for TlvGen { // Placeholder for the size. result.write_u16::(0).unwrap(); - if self.kinds.contains(&TlvKinds::SHA256) { + if self.kinds.iter().any(|v| v == &TlvKinds::SHA256 || v == &TlvKinds::SHA384) { // If a signature is not requested, corrupt the hash we are // generating. But, if there is a signature, output the // correct hash. We want the hash test to pass so that the 
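Review bot: In the `@@ -390` hunk the comment beside `estimate += 4 + 48` was changed from `// keyhash` to `// SHA384`, but the value being estimated is still the KEYHASH TLV (the digest of the public key written in the ECDSASIG branch later in this file); the new label reads as if it were the image-hash TLV, which the `@@ -370` hunk already counts. I'd write `// keyhash (SHA384 digest)` and `// keyhash (SHA256 digest)` so the two estimates stay distinguishable.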
@@ -497,13 +505,20 @@ impl ManifestGen for TlvGen { if corrupt_hash { sig_payload[0] ^= 1; } - - let hash = digest::digest(&digest::SHA256, &sig_payload); + let (hash,hash_size,tlv_kind) = if self.kinds.contains(&TlvKinds::SHA256) + { + let hash = digest::digest(&digest::SHA256, &sig_payload); + (hash,32,TlvKinds::SHA256) + } + else { + let hash = digest::digest(&digest::SHA384, &sig_payload); + (hash,48,TlvKinds::SHA384) + }; let hash = hash.as_ref(); - assert!(hash.len() == 32); - result.write_u16::(TlvKinds::SHA256 as u16).unwrap(); - result.write_u16::(32).unwrap(); + assert!(hash.len() == hash_size); + result.write_u16::(tlv_kind as u16).unwrap(); + result.write_u16::(hash_size as u16).unwrap(); result.extend_from_slice(hash); // Undo the corruption. 
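Review bot: The new `let (hash,hash_size,tlv_kind) = if ... ` block is formatted unlike the rest of the file: the opening brace sits on its own line, `else` is separated from the closing `}`, and the tuple literals have no spaces after commas. Running rustfmt, or writing `let (hash, hash_size, tlv_kind) = if self.kinds.contains(&TlvKinds::SHA256) {` with `} else {` on one line, keeps the style consistent with the `@@ -167` hunk of this same commit. The blank line removed before the `let` also separated the corruption step from the hashing; keeping it would help readability.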
@@ -565,25 +580,25 @@ impl ManifestGen for TlvGen { if self.kinds.contains(&TlvKinds::ECDSASIG) { let rng = rand::SystemRandom::new(); - let (signature, keyhash) = if cfg!(feature = "use-p384-curve") { + let (signature, keyhash, keyhash_size) = if self.kinds.contains(&TlvKinds::SHA384) { let keyhash = digest::digest(&digest::SHA384, ECDSAP384_PUB_KEY); let key_bytes = pem::parse(include_bytes!("../../root-ec-p384-pkcs8.pem").as_ref()).unwrap(); let sign_algo = &ECDSA_P384_SHA384_ASN1_SIGNING; let key_pair = EcdsaKeyPair::from_pkcs8(sign_algo, &key_bytes.contents).unwrap(); - (key_pair.sign(&rng, &sig_payload).unwrap(), keyhash) + (key_pair.sign(&rng, &sig_payload).unwrap(), keyhash, 48) } else { let keyhash = digest::digest(&digest::SHA256, ECDSA256_PUB_KEY); let key_bytes = pem::parse(include_bytes!("../../root-ec-p256-pkcs8.pem").as_ref()).unwrap(); let sign_algo = &ECDSA_P256_SHA256_ASN1_SIGNING; let key_pair = EcdsaKeyPair::from_pkcs8(sign_algo, &key_bytes.contents).unwrap(); - (key_pair.sign(&rng, &sig_payload).unwrap(), keyhash) + (key_pair.sign(&rng, &sig_payload).unwrap(), keyhash, 32) }; // Write public key let keyhash_slice = keyhash.as_ref(); - assert!(keyhash_slice.len() == 32); + assert!(keyhash_slice.len() == keyhash_size); result.write_u16::(TlvKinds::KEYHASH as u16).unwrap(); - result.write_u16::(32).unwrap(); + result.write_u16::(keyhash_size as u16).unwrap(); result.extend_from_slice(keyhash_slice); // Write signature From 5c00da45429fdd921b756653f2438f214c202373 Mon Sep 17 00:00:00 2001 From: Roland Mikhel Date: Mon, 12 Jun 2023 10:41:52 +0200 Subject: [PATCH 018/113] ci: Add test cases for ECDSA using PSA Crypto Add ECDSA verification tests to the CI using the PSA Crypto API Signed-off-by: Roland Mikhel Change-Id: I904c8929f355ec791ff28ac7c3e0ca3832b2403d --- .github/workflows/sim.yaml | 1 + ci/sim_run.sh | 14 ++++++++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/sim.yaml b/.github/workflows/sim.yaml index 79765fbd5..c1d91a673 100644 --- a/.github/workflows/sim.yaml +++ b/.github/workflows/sim.yaml @@ -44,6 +44,7 @@ jobs: - "sig-rsa validate-primary-slot ram-load multiimage" - "sig-rsa validate-primary-slot direct-xip multiimage" - "sig-ecdsa hw-rollback-protection multiimage" + - "sig-ecdsa-psa,sig-ecdsa-psa sig-p384" - "ram-load enc-aes256-kw multiimage" - "ram-load enc-aes256-kw sig-ecdsa-mbedtls multiimage" runs-on: ubuntu-latest diff --git a/ci/sim_run.sh b/ci/sim_run.sh index 59d65e10d..7a9ff2de4 100755 --- a/ci/sim_run.sh +++ b/ci/sim_run.sh @@ -43,10 +43,20 @@ fi if [[ ! -z $MULTI_FEATURES ]]; then IFS=',' read -ra multi_features <<< "$MULTI_FEATURES" + + # psa crypto tests require single thread mode + TEST_ARGS='' + for features in "${multi_features[@]}"; do + if [[ $features =~ "psa" ]]; then + TEST_ARGS='--test-threads=1' + break + fi + done + for features in "${multi_features[@]}"; do echo "Running cargo for features=\"${features}\"" - time cargo test --no-run --features "$features" - time cargo test --features "$features" + time cargo test --no-run --features "$features" -- $TEST_ARGS + time cargo test --features "$features" -- $TEST_ARGS rc=$? && [ $rc -ne 0 ] && EXIT_CODE=$rc done fi From 6ba46c0b826dc43cb37f2b02c4540642daae29b0 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Fri, 15 Sep 2023 10:33:44 +0100 Subject: [PATCH 019/113] boot_serial: Fix issue with queued commands Fixes an issue whereby multiple commands are received and some are still being processed. This generally arises when a response takes a long time (e.g. when image decryption is required), duplicate commands will now send multiple responses but avoids the bug of future commands being sent to which previous responses are received. Signed-off-by: Jamie McCrae --- boot/boot_serial/src/boot_serial.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
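Review bot: `TEST_ARGS` is an unquoted scalar that is deliberately word-split at `-- $TEST_ARGS`, which works for the single flag set here but breaks as soon as a value contains a space, and the obvious "fix" of quoting it would pass an empty argument to cargo. A bash array avoids both: `TEST_ARGS=()`, `TEST_ARGS=(--test-threads=1)` inside the loop, and `-- "${TEST_ARGS[@]}"` at the two call sites. `[[ $features =~ "psa" ]]` uses a quoted, therefore literal, pattern, so it is a substring test; `[[ $features == *psa* ]]` says that more directly.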
diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c index edfff7910..c32a24fb3 100644 --- a/boot/boot_serial/src/boot_serial.c +++ b/boot/boot_serial/src/boot_serial.c @@ -1189,6 +1189,10 @@ boot_serial_read_console(const struct boot_uart_funcs *f,int timeout_in_ms) int max_input; int elapsed_in_ms = 0; +#ifndef MCUBOOT_SERIAL_WAIT_FOR_DFU + bool allow_idle = true; +#endif + boot_uf = f; max_input = sizeof(in_buf); @@ -1200,7 +1204,10 @@ boot_serial_read_console(const struct boot_uart_funcs *f,int timeout_in_ms) * from serial console (if single-thread mode is used). */ #ifndef MCUBOOT_SERIAL_WAIT_FOR_DFU - MCUBOOT_CPU_IDLE(); + if (allow_idle == true) { + MCUBOOT_CPU_IDLE(); + allow_idle = false; + } #endif MCUBOOT_WATCHDOG_FEED(); #ifdef MCUBOOT_SERIAL_WAIT_FOR_DFU @@ -1208,6 +1215,9 @@ boot_serial_read_console(const struct boot_uart_funcs *f,int timeout_in_ms) #endif rc = f->read(in_buf + off, sizeof(in_buf) - off, &full_line); if (rc <= 0 && !full_line) { +#ifndef MCUBOOT_SERIAL_WAIT_FOR_DFU + allow_idle = true; +#endif goto check_timeout; } off += rc; From 5f30562e0c6da4825eb88fb436550a10c0a3398c Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Fri, 15 Sep 2023 10:37:03 +0100 Subject: [PATCH 020/113] docs: release: Add note on boot_serial duplicate command fix Adds a note about a fix for boot_serial duplicate commands Signed-off-by: Jamie McCrae --- docs/release-notes.d/serial-timeoout-fix.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 docs/release-notes.d/serial-timeoout-fix.md diff --git a/docs/release-notes.d/serial-timeoout-fix.md b/docs/release-notes.d/serial-timeoout-fix.md new file mode 100644 index 000000000..439e03fc7 --- /dev/null +++ b/docs/release-notes.d/serial-timeoout-fix.md 
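Review bot: The gating of `MCUBOOT_CPU_IDLE()` behind `allow_idle` carries no comment explaining why idling is skipped after a successful read, which is the whole fix; a reader of `boot_serial_read_console` will not know it exists to keep draining queued input before sleeping again. I'd put `/* Idle only once no input is pending: sleeping after a successful read lets queued commands back up and responses drift out of step. */` above the `#ifndef`, and write the test as `if (allow_idle) {` rather than `== true`. The `allow_idle = true;` in the third hunk also appears less indented than the `goto` that follows it, though that may be an artifact of how this patch was rendered.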
@@ -0,0 +1,4 @@ +- Fixed an issue with boot_serial repeats not being processed when + output was sent, this would lead to a divergence of commands + whereby later commands being sent would have the previous command + output sent instead. From c7aa2c029e9cb14ce4dd512757d39f94d8b56680 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 13 Sep 2023 12:43:30 +0100 Subject: [PATCH 021/113] boot_serial: Fix issues with single slot mode/encrypted images Fixes 2 issues, one whereby multiple slots were checked despite operating in single slot mode, and another whereby decrypted images would not appear on serial recovery image listing, due to assuming that the images were still encrypted. Signed-off-by: Jamie McCrae --- boot/boot_serial/src/boot_serial.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c index c32a24fb3..31ea0c7cc 100644 --- a/boot/boot_serial/src/boot_serial.c +++ b/boot/boot_serial/src/boot_serial.c @@ -259,7 +259,11 @@ bs_list(char *buf, int len) int swap_status = boot_swap_type_multi(image_index); #endif +#ifdef MCUBOOT_SINGLE_APPLICATION_SLOT + for (slot = 0; slot < 1; slot++) { +#else for (slot = 0; slot < 2; slot++) { +#endif FIH_DECLARE(fih_rc, FIH_FAILURE); uint8_t tmpbuf[64]; 
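Review bot: Duplicating the whole `for` header under `#ifdef MCUBOOT_SINGLE_APPLICATION_SLOT` in bs_list leaves two loop statements to keep in sync and, in single-slot builds, a loop that runs exactly once. Putting only the bound under the conditional reads better: define a slot count under the `#ifdef` (`enum { BS_LIST_SLOT_CNT = 1 };`, else `2`) and keep one `for (slot = 0; slot < BS_LIST_SLOT_CNT; slot++) {`. bs_list continues outside the hunk; if the file already has a slot-count constant, reusing it would be preferable to adding one.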
@@ -289,15 +293,24 @@ bs_list(char *buf, int len) fih_rc, image_index, slot); if (FIH_EQ(fih_rc, FIH_BOOT_HOOK_REGULAR)) { -#ifdef MCUBOOT_ENC_IMAGES - if (IS_ENCRYPTED(&hdr)) { +#if defined(MCUBOOT_ENC_IMAGES) + if (IS_ENCRYPTED(&hdr) && MUST_DECRYPT(fap, image_index, &hdr)) { FIH_CALL(boot_image_validate_encrypted, fih_rc, fap, &hdr, tmpbuf, sizeof(tmpbuf)); } else { + if (IS_ENCRYPTED(&hdr)) { + /* + * There is an image present which has an encrypted flag set but is + * not encrypted, therefore remove the flag from the header and run a + * normal image validation on it. + */ + hdr.ih_flags &= ~ENCRYPTIONFLAGS; + } #endif + FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, &hdr, fap, tmpbuf, sizeof(tmpbuf), NULL, 0, NULL); -#ifdef MCUBOOT_ENC_IMAGES +#if defined(MCUBOOT_ENC_IMAGES) } #endif } From 736234caa5ee0b3090cf02e5af0c2dc798aa4beb Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 13 Sep 2023 12:50:14 +0100 Subject: [PATCH 022/113] docs: release: Add note on bs image list fixes Adds a note on fixes with boot serial image listing Signed-off-by: Jamie McCrae --- docs/release-notes.d/bs-encrypted-list.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 docs/release-notes.d/bs-encrypted-list.md diff --git a/docs/release-notes.d/bs-encrypted-list.md b/docs/release-notes.d/bs-encrypted-list.md new file mode 100644 index 000000000..869649585 --- /dev/null +++ b/docs/release-notes.d/bs-encrypted-list.md @@ -0,0 +1,4 @@ +- Fixed issue with serial recovery not showing image details for + decrypted images. +- Fixes issue with serial recovery in single slot mode wrongly + iterating over 2 image slots. From db2024eb205bc05161321414ede305c145a1c65a Mon Sep 17 00:00:00 2001 From: Almir Okato Date: Thu, 24 Aug 2023 15:40:26 -0300 Subject: [PATCH 023/113] espressif: update secure boot and flash encryption Adjust secure boot and flash encryption after IDF v5.x updates. It also allows to enable secure boot on ESP32-C2. 
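Review bot: `hdr.ih_flags &= ~ENCRYPTIONFLAGS;` rewrites the local header copy in place, so anything bs_list does with `hdr` after validation (the function continues past this hunk) now sees a header that differs from flash; if the listing reports `ih_flags` to the host, a decrypted image would be reported as never having been encrypted. Clearing the flag on a scratch copy passed to `bootutil_img_validate`, or restoring it after the call, keeps the reported header faithful. Whether the image was actually decrypted in place is decided by `MUST_DECRYPT(fap, image_index, &hdr)`, which presumably keys off the slot rather than the content; a wrong answer there should fail the hash check rather than validate ciphertext, which is the safe direction, but a comment noting that dependency would help.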
Signed-off-by: Almir Okato --- boot/espressif/hal/CMakeLists.txt | 14 +- .../hal/include/esp32c6/esp32c6.cmake | 2 +- .../hal/include/esp32h2/esp32h2.cmake | 1 + boot/espressif/hal/src/flash_encrypt.c | 179 ++++++++++++------ boot/espressif/hal/src/secure_boot.c | 35 +++- boot/espressif/main.c | 74 +++++++- boot/espressif/port/esp32c2/bootloader.conf | 10 + boot/espressif/port/esp32c3/ld/bootloader.ld | 4 +- docs/readme-espressif.md | 24 ++- 9 files changed, 256 insertions(+), 87 deletions(-) diff --git a/boot/espressif/hal/CMakeLists.txt b/boot/espressif/hal/CMakeLists.txt index 7f3d1bbb4..d248c2670 100644 --- a/boot/espressif/hal/CMakeLists.txt +++ b/boot/espressif/hal/CMakeLists.txt @@ -71,11 +71,8 @@ set(hal_srcs ${esp_hal_dir}/components/bootloader_support/src/bootloader_random_${MCUBOOT_TARGET}.c ${esp_hal_dir}/components/bootloader_support/src/bootloader_utility.c ${esp_hal_dir}/components/bootloader_support/src/esp_image_format.c - ${esp_hal_dir}/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c ${esp_hal_dir}/components/bootloader_support/src/${MCUBOOT_TARGET}/bootloader_soc.c ${esp_hal_dir}/components/bootloader_support/src/${MCUBOOT_TARGET}/bootloader_sha.c - ${esp_hal_dir}/components/bootloader_support/src/${MCUBOOT_TARGET}/secure_boot_secure_features.c - ${esp_hal_dir}/components/bootloader_support/src/${MCUBOOT_TARGET}/flash_encryption_secure_features.c ${esp_hal_dir}/components/hal/mpu_hal.c ${esp_hal_dir}/components/hal/efuse_hal.c ${esp_hal_dir}/components/hal/mmu_hal.c 
@@ -103,12 +100,23 @@ set(hal_srcs if(DEFINED CONFIG_SECURE_BOOT_V2_ENABLED) list(APPEND hal_srcs ${src_dir}/secure_boot.c + ${esp_hal_dir}/components/bootloader_support/src/secure_boot_v2/secure_boot_signatures_bootloader.c + ${esp_hal_dir}/components/bootloader_support/src/${MCUBOOT_TARGET}/secure_boot_secure_features.c + ) + list(APPEND include_dirs + ${esp_hal_dir}/components/bootloader_support/src/secure_boot_v2 ) endif() if(DEFINED CONFIG_SECURE_FLASH_ENC_ENABLED) list(APPEND hal_srcs ${src_dir}/flash_encrypt.c + ${esp_hal_dir}/components/bootloader_support/src/${MCUBOOT_TARGET}/flash_encryption_secure_features.c + ) + set_source_files_properties( + ${src_dir}/flash_encrypt.c + PROPERTIES COMPILE_FLAGS + "-Wno-unused-variable" ) endif() diff --git a/boot/espressif/hal/include/esp32c6/esp32c6.cmake b/boot/espressif/hal/include/esp32c6/esp32c6.cmake index 23b6b0091..d26c5f0dc 100644 --- a/boot/espressif/hal/include/esp32c6/esp32c6.cmake +++ b/boot/espressif/hal/include/esp32c6/esp32c6.cmake @@ -8,7 +8,7 @@ list(APPEND include_dirs list(APPEND hal_srcs ${esp_hal_dir}/components/hal/cache_hal.c - ${esp_hal_dir}/components/hal/${MCUBOOT_TARGET}/lp_timer_hal.c + ${esp_hal_dir}/components/hal/lp_timer_hal.c ${esp_hal_dir}/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c ${esp_hal_dir}/components/esp_rom/patches/esp_rom_regi2c_${MCUBOOT_TARGET}.c ) diff --git a/boot/espressif/hal/include/esp32h2/esp32h2.cmake b/boot/espressif/hal/include/esp32h2/esp32h2.cmake index 9160eaba5..d26c5f0dc 100644 --- a/boot/espressif/hal/include/esp32h2/esp32h2.cmake +++ b/boot/espressif/hal/include/esp32h2/esp32h2.cmake @@ -8,6 +8,7 @@ list(APPEND include_dirs list(APPEND hal_srcs ${esp_hal_dir}/components/hal/cache_hal.c + ${esp_hal_dir}/components/hal/lp_timer_hal.c ${esp_hal_dir}/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c ${esp_hal_dir}/components/esp_rom/patches/esp_rom_regi2c_${MCUBOOT_TARGET}.c ) 
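Review bot: `set_source_files_properties(... COMPILE_FLAGS "-Wno-unused-variable")` silences the warning for the whole of flash_encrypt.c rather than fixing the one variable that triggers it, and it will hide any future unused variable in that file. Marking the offending variable `__attribute__((unused))` (or removing it) in flash_encrypt.c is the narrower fix; the diff does not show which variable it is, so I can't point at it, but the commit could name it.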
diff --git a/boot/espressif/hal/src/flash_encrypt.c b/boot/espressif/hal/src/flash_encrypt.c index 222e32e2a..d064d8b7b 100644 --- a/boot/espressif/hal/src/flash_encrypt.c +++ b/boot/espressif/hal/src/flash_encrypt.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -15,7 +15,11 @@ #include "esp_efuse_table.h" #include "esp_log.h" #include "hal/wdt_hal.h" +#include "hal/efuse_hal.h" #include "soc/soc_caps.h" +#ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK +#include "soc/sensitive_reg.h" +#endif #include "esp_mcuboot_image.h" @@ -27,6 +31,8 @@ #define WR_DIS_CRYPT_CNT ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT #endif +#define FLASH_ENC_CNT_MAX (CRYPT_CNT[0]->bit_count) + /* This file implements FLASH ENCRYPTION related APIs to perform * various operations such as programming necessary flash encryption * eFuses, detect whether flash encryption is enabled (by reading eFuse) @@ -36,10 +42,9 @@ static const char *TAG = "flash_encrypt"; /* Static functions for stages of flash encryption */ -static esp_err_t initialise_flash_encryption(void); -static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_crypt_wr_dis) __attribute__((unused)); static esp_err_t encrypt_bootloader(void); static esp_err_t encrypt_primary_slot(void); +static size_t get_flash_encrypt_cnt_value(void); /** * This former inlined function must not be defined in the header file anymore. 
@@ -50,15 +55,14 @@ static esp_err_t encrypt_primary_slot(void); */ bool IRAM_ATTR esp_flash_encryption_enabled(void) { - uint32_t flash_crypt_cnt = 0; #ifndef CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH - flash_crypt_cnt = efuse_ll_get_flash_crypt_cnt(); + return efuse_hal_flash_encryption_enabled(); #else + uint32_t flash_crypt_cnt = 0; #if CONFIG_IDF_TARGET_ESP32 esp_efuse_read_field_blob(ESP_EFUSE_FLASH_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count); #else esp_efuse_read_field_blob(ESP_EFUSE_SPI_BOOT_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count); -#endif #endif /* __builtin_parity is in flash, so we calculate parity inline */ bool enabled = false; 
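Review bot: `esp_flash_encryption_enabled` is `IRAM_ATTR`, and on the non-virtual path it now calls `efuse_hal_flash_encryption_enabled()` instead of reading the eFuse count directly; that callee has to be IRAM-resident too if this function is reached while the flash cache is off, which is what the attribute implies. I can't see the HAL's placement from here, so a one-line comment `/* efuse_hal_flash_encryption_enabled() must stay IRAM-safe: this may run with cache disabled */` would record the requirement for the next reader. The virtual-eFuse branch keeps the old parity loop; its closing `#endif` is in the following hunk.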
@@ -69,34 +73,84 @@ bool IRAM_ATTR esp_flash_encryption_enabled(void) flash_crypt_cnt >>= 1; } return enabled; +#endif // CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH } -esp_err_t esp_flash_encrypt_check_and_update(void) +static size_t get_flash_encrypt_cnt_value(void) { size_t flash_crypt_cnt = 0; esp_efuse_read_field_cnt(CRYPT_CNT, &flash_crypt_cnt); - bool flash_crypt_wr_dis = esp_efuse_read_field_bit(WR_DIS_CRYPT_CNT); + return flash_crypt_cnt; +} + +bool esp_flash_encrypt_initialized_once(void) +{ + return get_flash_encrypt_cnt_value() != 0; +} + +bool esp_flash_encrypt_is_write_protected(bool print_error) +{ + if (esp_efuse_read_field_bit(WR_DIS_CRYPT_CNT)) { + if (print_error) { + ESP_LOGE(TAG, "Flash Encryption cannot be enabled (CRYPT_CNT (%d) is write protected)", get_flash_encrypt_cnt_value()); + } + return true; + } + return false; +} + +bool esp_flash_encrypt_state(void) +{ + size_t flash_crypt_cnt = get_flash_encrypt_cnt_value(); + bool flash_crypt_wr_dis = esp_flash_encrypt_is_write_protected(false); ESP_LOGV(TAG, "CRYPT_CNT %d, write protection %d", flash_crypt_cnt, flash_crypt_wr_dis); if (flash_crypt_cnt % 2 == 1) { /* Flash is already encrypted */ - int left = (CRYPT_CNT[0]->bit_count - flash_crypt_cnt) / 2; + int left = (FLASH_ENC_CNT_MAX - flash_crypt_cnt) / 2; if (flash_crypt_wr_dis) { left = 0; /* can't update FLASH_CRYPT_CNT, no more flashes */ } ESP_LOGI(TAG, "flash encryption is enabled (%d plaintext flashes left)", left); - return ESP_OK; - } else { + return true; + } + return false; +} + +esp_err_t esp_flash_encrypt_check_and_update(void) +{ + bool flash_encryption_enabled = esp_flash_encrypt_state(); + if (!flash_encryption_enabled) { #ifndef CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED - /* Flash is not encrypted, so encrypt it! 
*/ - return encrypt_flash_contents(flash_crypt_cnt, flash_crypt_wr_dis); + if (esp_flash_encrypt_is_write_protected(true)) { + return ESP_FAIL; + } + + esp_err_t err = esp_flash_encrypt_init(); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Initialization of Flash encryption key failed (%d)", err); + return err; + } + + err = esp_flash_encrypt_contents(); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Encryption flash contents failed (%d)", err); + return err; + } + + err = esp_flash_encrypt_enable(); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Enabling of Flash encryption failed (%d)", err); + return err; + } #else ESP_LOGE(TAG, "flash encryption is not enabled, and SECURE_FLASH_REQUIRE_ALREADY_ENABLED " "is set, refusing to boot."); return ESP_ERR_INVALID_STATE; #endif // CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED } + return ESP_OK; } static esp_err_t check_and_generate_encryption_keys(void) @@ -126,11 +180,19 @@ static esp_err_t check_and_generate_encryption_keys(void) ESP_LOGE(TAG, "XTS_AES_128_KEY is already in use, XTS_AES_256_KEY_1/2 can not be used"); return ESP_ERR_INVALID_STATE; } +#else +#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_AES128_DERIVED + enum { BLOCKS_NEEDED = 1 }; + esp_efuse_purpose_t purposes[BLOCKS_NEEDED] = { + ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS, + }; + key_size = 16; #else enum { BLOCKS_NEEDED = 1 }; esp_efuse_purpose_t purposes[BLOCKS_NEEDED] = { ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY, }; +#endif // CONFIG_SECURE_FLASH_ENCRYPTION_AES128_DERIVED #endif // CONFIG_SECURE_FLASH_ENCRYPTION_AES256 #endif // CONFIG_IDF_TARGET_ESP32 
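Review bot: The new `ESP_LOGE` in `esp_flash_encrypt_is_write_protected` prints `get_flash_encrypt_cnt_value()` with `%d`, but that function returns `size_t`; `-Wformat` will flag the mismatch. `ESP_LOGE(TAG, "Flash Encryption cannot be enabled (CRYPT_CNT (%u) is write protected)", (unsigned)get_flash_encrypt_cnt_value());` fixes it, and the pre-existing `%d` uses in `esp_flash_encrypt_state` have the same issue. In `esp_flash_encrypt_check_and_update` the write-protection test now runs before `esp_flash_encrypt_init` and `esp_flash_encrypt_enable` repeats it; the duplicate is harmless, but if the first is meant to be the authoritative refusal a short comment saying so would help.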
@@ -181,8 +243,14 @@ static esp_err_t check_and_generate_encryption_keys(void) return ESP_OK; } -static esp_err_t initialise_flash_encryption(void) +esp_err_t esp_flash_encrypt_init(void) { + if (esp_flash_encryption_enabled() || esp_flash_encrypt_initialized_once()) { + return ESP_OK; + } + + /* Very first flash encryption pass: generate keys, etc. */ + esp_efuse_batch_write_begin(); /* Batch all efuse writes at the end of this function */ /* Before first flash encryption pass, need to initialise key & crypto config */ @@ -198,26 +266,6 @@ static esp_err_t initialise_flash_encryption(void) return err; } -#if defined(SOC_SUPPORTS_SECURE_DL_MODE) && defined(CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE) - ESP_LOGI(TAG, "Enabling Secure Download mode..."); - err = esp_efuse_enable_rom_secure_download_mode(); - if (err != ESP_OK) { - ESP_LOGE(TAG, "Could not enable Secure Download mode..."); - esp_efuse_batch_write_cancel(); - return err; - } -#elif CONFIG_SECURE_DISABLE_ROM_DL_MODE - ESP_LOGI(TAG, "Disable ROM Download mode..."); - err = esp_efuse_disable_rom_download_mode(); - if (err != ESP_OK) { - ESP_LOGE(TAG, "Could not disable ROM Download mode..."); - esp_efuse_batch_write_cancel(); - return err; - } -#else - ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED"); -#endif - err = esp_efuse_batch_write_commit(); if (err != ESP_OK) { ESP_LOGE(TAG, "Error programming security eFuses (err=0x%x).", err); 
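Review bot: The block that enabled Secure Download mode or disabled ROM download mode (and otherwise warned `UART ROM Download mode kept enabled - SECURITY COMPROMISED`) is deleted from the key-initialisation path, and nothing in the visible hunks re-establishes it. The diffstat lists boot/espressif/main.c among the changed files, so it has presumably moved there; if it has not, a device that enables flash encryption with this version keeps the UART download interface the old code treated as a security issue. Worth confirming, and the commit message could say where the download-mode handling now lives.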
@@ -228,24 +276,13 @@ static esp_err_t initialise_flash_encryption(void) } /* Encrypt all flash data that should be encrypted */ -static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_crypt_wr_dis) +esp_err_t esp_flash_encrypt_contents(void) { esp_err_t err; - /* If all flash_crypt_cnt bits are burned or write-disabled, the - device can't re-encrypt itself. */ - if (flash_crypt_wr_dis || flash_crypt_cnt == CRYPT_CNT[0]->bit_count) { - ESP_LOGE(TAG, "Cannot re-encrypt data CRYPT_CNT %d write disabled %d", flash_crypt_cnt, flash_crypt_wr_dis); - return ESP_FAIL; - } - - if (flash_crypt_cnt == 0) { - /* Very first flash of encrypted data: generate keys, etc. */ - err = initialise_flash_encryption(); - if (err != ESP_OK) { - return err; - } - } +#ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK + REG_WRITE(SENSITIVE_XTS_AES_KEY_UPDATE_REG, 1); +#endif err = encrypt_bootloader(); if (err != ESP_OK) { 
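Review bot: `esp_flash_encrypt_contents()` is now a public function that no longer checks write protection or CRYPT_CNT and no longer calls the key-initialisation step, so it silently depends on the caller having run `esp_flash_encrypt_is_write_protected(true)` and `esp_flash_encrypt_init()` first — both callers in this patch do, but the function carries no statement of that precondition. A doc comment such as `/* Precondition: esp_flash_encrypt_init() has succeeded and CRYPT_CNT is still writable. Encrypts the flash contents in place, starting with the bootloader. */` would pin that down. The bare `REG_WRITE(SENSITIVE_XTS_AES_KEY_UPDATE_REG, 1);` also deserves a line explaining what the write triggers (presumably loading the freshly burned key into the XTS-AES unit — confirm against the register description). The function continues past the hunk.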
@@ -292,20 +329,48 @@ static esp_err_t encrypt_flash_contents(uint32_t flash_crypt_cnt, bool flash_cry } #endif + ESP_LOGI(TAG, "Flash encryption completed"); + + return ESP_OK; +} + +esp_err_t esp_flash_encrypt_enable(void) +{ + esp_err_t err = ESP_OK; + if (!esp_flash_encryption_enabled()) { + + if (esp_flash_encrypt_is_write_protected(true)) { + return ESP_FAIL; + } + + size_t flash_crypt_cnt = get_flash_encrypt_cnt_value(); + #ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE - // Go straight to max, permanently enabled - ESP_LOGI(TAG, "Setting CRYPT_CNT for permanent encryption"); - size_t new_flash_crypt_cnt = CRYPT_CNT[0]->bit_count - flash_crypt_cnt; + // Go straight to max, permanently enabled + ESP_LOGI(TAG, "Setting CRYPT_CNT for permanent encryption"); + size_t new_flash_crypt_cnt = FLASH_ENC_CNT_MAX - flash_crypt_cnt; #else - /* Set least significant 0-bit in flash_crypt_cnt */ - size_t new_flash_crypt_cnt = 1; + /* Set least significant 0-bit in flash_crypt_cnt */ + size_t new_flash_crypt_cnt = 1; +#endif + ESP_LOGD(TAG, "CRYPT_CNT %d -> %d", flash_crypt_cnt, new_flash_crypt_cnt); + err = esp_efuse_write_field_cnt(CRYPT_CNT, new_flash_crypt_cnt); + +#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED) + // For AES128_DERIVED, FE key is 16 bytes and XTS_KEY_LENGTH_256 is 0. + // It is important to protect XTS_KEY_LENGTH_256 from further changing it to 1. Set write protection for this bit. + // Burning WR_DIS_CRYPT_CNT, blocks further changing of eFuses: DOWNLOAD_DIS_MANUAL_ENCRYPT, SPI_BOOT_CRYPT_CNT, [XTS_KEY_LENGTH_256], SECURE_BOOT_EN. + esp_efuse_write_field_bit(WR_DIS_CRYPT_CNT); #endif - ESP_LOGD(TAG, "CRYPT_CNT %d -> %d", flash_crypt_cnt, new_flash_crypt_cnt); - err = esp_efuse_write_field_cnt(CRYPT_CNT, new_flash_crypt_cnt); + } ESP_LOGI(TAG, "Flash encryption completed"); - return ESP_OK; +#ifdef CONFIG_EFUSE_VIRTUAL + ESP_LOGW(TAG, "Flash encryption not really completed. 
Must disable virtual efuses"); +#endif + + return err; } static esp_err_t encrypt_bootloader(void) diff --git a/boot/espressif/hal/src/secure_boot.c b/boot/espressif/hal/src/secure_boot.c index f724f0e88..8ad29ae7c 100644 --- a/boot/espressif/hal/src/secure_boot.c +++ b/boot/espressif/hal/src/secure_boot.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -14,7 +14,8 @@ #include "esp_image_format.h" #include "esp_efuse.h" #include "esp_efuse_table.h" -#include "rom/secure_boot.h" +#include "secure_boot_signature_priv.h" + /* The following API implementations are used only when called * from the bootloader code. @@ -99,12 +100,20 @@ static esp_err_t s_calculate_image_public_key_digests(uint32_t flash_offset, uin /* Generating the SHA of the public key components in the signature block */ bootloader_sha256_handle_t sig_block_sha; sig_block_sha = bootloader_sha256_start(); +#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME bootloader_sha256_data(sig_block_sha, &block->key, sizeof(block->key)); +#elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME + bootloader_sha256_data(sig_block_sha, &block->ecdsa.key, sizeof(block->ecdsa.key)); +#endif bootloader_sha256_finish(sig_block_sha, key_digest); // Check we can verify the image using this signature and this key uint8_t temp_verified_digest[ESP_SECURE_BOOT_DIGEST_LEN]; +#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME bool verified = ets_rsa_pss_verify(&block->key, block->signature, image_digest, temp_verified_digest); +#elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME + bool verified = ets_ecdsa_verify(&block->ecdsa.key.point[0], block->ecdsa.signature, block->ecdsa.key.curve_id, image_digest, temp_verified_digest); +#endif if (!verified) { /* We don't expect this: the signature blocks before we enable secure boot should all be verifiable or invalid, 
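Review bot: In `esp_flash_encrypt_enable()` the result of `esp_efuse_write_field_cnt(CRYPT_CNT, new_flash_crypt_cnt)` is stored in `err` but never inspected before `ESP_LOGI(TAG, "Flash encryption completed")` is printed, so a failed CRYPT_CNT burn logs success and only the return value tells the caller otherwise. The `esp_efuse_write_field_bit(WR_DIS_CRYPT_CNT)` return is dropped entirely, which matters because, per the comment, that bit is what locks XTS_KEY_LENGTH_256 in release mode. Check both writes and log the failure before returning, as below; the rest of the function is unchanged.
```c
        ESP_LOGD(TAG, "CRYPT_CNT %d -> %d", flash_crypt_cnt, new_flash_crypt_cnt);
        err = esp_efuse_write_field_cnt(CRYPT_CNT, new_flash_crypt_cnt);
        if (err != ESP_OK) {
            ESP_LOGE(TAG, "Writing CRYPT_CNT failed (err=0x%x)", err);
            return err;
        }

#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED)
        /* … unchanged: comment on XTS_KEY_LENGTH_256 / WR_DIS_CRYPT_CNT … */
        err = esp_efuse_write_field_bit(WR_DIS_CRYPT_CNT);
        if (err != ESP_OK) {
            ESP_LOGE(TAG, "Write-protecting CRYPT_CNT failed (err=0x%x)", err);
            return err;
        }
#endif
```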
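Review bot: Both new `#if CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME` / `#elif CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME` chains in `s_calculate_image_public_key_digests()` have no `#else`, so a build with neither scheme selected leaves `verified` undeclared and fails with an unrelated-looking compiler error instead of a clear one. Adding `#else` / `#error "No secure boot signing scheme selected"` / `#endif` to the second chain makes the configuration mistake explicit. The first chain hashes `&block->key` for RSA but `&block->ecdsa.key` for ECDSA, so the key digest covers a different struct member per scheme; the comment above it could say so, since the digest is what gets burned into the eFuse. The function starts and ends outside the hunk.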
@@ -133,21 +142,22 @@ esp_err_t check_and_generate_secure_boot_keys(void) { esp_err_t ret; #ifdef CONFIG_IDF_TARGET_ESP32 - esp_efuse_purpose_t secure_boot_key_purpose[SECURE_BOOT_NUM_BLOCKS] = { - ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2, - }; esp_efuse_coding_scheme_t coding_scheme = esp_efuse_get_coding_scheme(EFUSE_BLK_SECURE_BOOT); if (coding_scheme != EFUSE_CODING_SCHEME_NONE) { ESP_LOGE(TAG, "No coding schemes are supported in secure boot v2.(Detected scheme: 0x%x)", coding_scheme); return ESP_ERR_NOT_SUPPORTED; } -#else +#endif // CONFIG_IDF_TARGET_ESP32 + esp_efuse_purpose_t secure_boot_key_purpose[SECURE_BOOT_NUM_BLOCKS] = { +#if SECURE_BOOT_NUM_BLOCKS == 1 + ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2, +#else ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST0, ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST1, ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST2, +#endif }; -#endif // CONFIG_IDF_TARGET_ESP32 /* Verify the bootloader */ esp_image_metadata_t bootloader_data = { 0 }; @@ -209,17 +219,24 @@ esp_err_t check_and_generate_secure_boot_keys(void) continue; } #endif +#ifndef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK if (esp_efuse_get_key_dis_read(blocks[i])) { ESP_LOGE(TAG, "Key digest (BLK%d) read protected, aborting...", blocks[i]); return ESP_FAIL; } +#endif if (esp_efuse_block_is_empty(blocks[i])) { ESP_LOGE(TAG, "%d eFuse block is empty, aborting...", blocks[i]); return ESP_FAIL; } esp_efuse_set_key_dis_write(blocks[i]); - ret = esp_efuse_read_block(blocks[i], boot_key_digests.key_digests[boot_key_digests.num_digests], 0, - sizeof(boot_key_digests.key_digests[0]) * 8); +#ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK + size_t offset = 128; +#else + size_t offset = 0; +#endif + ret = esp_efuse_read_block(blocks[i], boot_key_digests.key_digests[boot_key_digests.num_digests], offset, + ESP_SECURE_BOOT_KEY_DIGEST_LEN * 8); if (ret) { ESP_LOGE(TAG, "Error during reading %d eFuse block (err=0x%x)", blocks[i], ret); return ret; 
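Review bot: The `#else` branch of the new `secure_boot_key_purpose[SECURE_BOOT_NUM_BLOCKS]` initialiser lists exactly three DIGEST purposes, so it is only correct when `SECURE_BOOT_NUM_BLOCKS == 3`; a value of 2 is a compile error, but any larger value silently zero-fills the remaining purposes. A preprocessor guard next to the array, `#if SECURE_BOOT_NUM_BLOCKS != 1 && SECURE_BOOT_NUM_BLOCKS != 3` / `#error "unsupported SECURE_BOOT_NUM_BLOCKS"` / `#endif`, pins the assumption. The function continues past the hunk.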
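Review bot: The single-key-block path in `check_and_generate_secure_boot_keys()` introduces a bare `size_t offset = 128;` for the eFuse read and skips the `esp_efuse_get_key_dis_read()` check, with no comment on either. The offset is presumably the bit position at which the secure-boot digest starts inside the shared block, after a 128-bit flash-encryption key (consistent with the AES128_DERIVED purpose used elsewhere in this patch, but to be confirmed), and the skipped check presumably reflects that read protection on that SoC covers only the key half of the block; both deserve a line such as `/* One key block: the flash encryption key occupies the low 128 bits, the secure boot digest follows at bit 128 — verify against the eFuse map */`. Without a stated reason a later reader cannot tell whether a read-protected block here is an error or expected. The function continues outside the hunk.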
diff --git a/boot/espressif/main.c b/boot/espressif/main.c index 9e1aa0704..3f4d5a064 100644 --- a/boot/espressif/main.c +++ b/boot/espressif/main.c @@ -12,6 +12,7 @@ #include "bootloader_init.h" #include "bootloader_utility.h" #include "bootloader_random.h" +#include "bootloader_soc.h" #include "esp_assert.h" @@ -118,6 +119,21 @@ int main() esp_efuse_init_virtual_mode_in_flash(CONFIG_EFUSE_VIRTUAL_OFFSET, CONFIG_EFUSE_VIRTUAL_SIZE); #endif +#if defined(CONFIG_SECURE_BOOT) || defined(CONFIG_SECURE_FLASH_ENC_ENABLED) + esp_err_t err; +#endif + +#ifdef CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER + if (esp_secure_boot_enabled() ^ esp_flash_encrypt_initialized_once()) { + BOOT_LOG_ERR("Secure Boot and Flash Encryption cannot be enabled separately, only together (their keys go into one eFuse key block)"); + FIH_PANIC; + } + + if (!esp_secure_boot_enabled() || !esp_flash_encryption_enabled()) { + esp_efuse_batch_write_begin(); + } +#endif // CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER + #ifdef CONFIG_SECURE_BOOT /* Steps 1 (see above for full description): * 1) Compute digest of the public key. @@ -132,7 +148,6 @@ int main() } else { esp_efuse_batch_write_begin(); /* Batch all efuse writes at the end of this function */ - esp_err_t err; err = check_and_generate_secure_boot_keys(); if (err != ESP_OK) { esp_efuse_batch_write_cancel(); @@ -178,7 +193,6 @@ int main() if (!sb_hw_enabled) { BOOT_LOG_INF("blowing secure boot efuse..."); - esp_err_t err; err = esp_secure_boot_enable_secure_features(); if (err != ESP_OK) { esp_efuse_batch_write_cancel(); @@ -195,8 +209,10 @@ int main() assert(esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE)); #endif +#ifndef CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER assert(esp_secure_boot_enabled()); BOOT_LOG_INF("Secure boot permanently enabled"); +#endif } #endif 
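Review bot: The new KEYS_BURN_TOGETHER guard in `main()` compares the two states with `esp_secure_boot_enabled() ^ esp_flash_encrypt_initialized_once()`, which only means "exactly one is set" if both functions return a normalised 0/1 value; `if (esp_secure_boot_enabled() != esp_flash_encrypt_initialized_once()) {` expresses the intent without that dependency. The following condition switches to `esp_flash_encryption_enabled()` to decide whether to open the eFuse batch, and since the secure-boot branch below (context in the `@@ -132` hunk) calls `esp_efuse_batch_write_begin()` again, the code relies on the batch API tolerating a nested begin — worth a comment if that is guaranteed, e.g. `/* Outer batch; closed by the commit at the end of the flash-encryption section */`. The `main()` body extends well beyond this hunk.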
@@ -206,16 +222,50 @@ int main() * 5) Encrypt flash in-place including bootloader, image primary/secondary slot and scratch. * 6) Burn EFUSE to enable flash encryption */ - - int rc; - BOOT_LOG_INF("Checking flash encryption..."); - bool flash_encryption_enabled = esp_flash_encryption_enabled(); - rc = esp_flash_encrypt_check_and_update(); - if (rc != ESP_OK) { - BOOT_LOG_ERR("Flash encryption check failed (%d).", rc); + bool flash_encryption_enabled = esp_flash_encrypt_state(); + if (!flash_encryption_enabled) { +#ifdef CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED + BOOT_LOG_ERR("flash encryption is not enabled, and SECURE_FLASH_REQUIRE_ALREADY_ENABLED is set, refusing to boot."); FIH_PANIC; +#endif // CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED + + if (esp_flash_encrypt_is_write_protected(true)) { + FIH_PANIC; + } + + err = esp_flash_encrypt_init(); + if (err != ESP_OK) { + BOOT_LOG_ERR("Initialization of Flash Encryption key failed (%d)", err); + FIH_PANIC; + } + } + + if (!flash_encryption_enabled) { + err = esp_flash_encrypt_contents(); + if (err != ESP_OK) { + BOOT_LOG_ERR("Encryption flash contents failed (%d)", err); + FIH_PANIC; + } + + err = esp_flash_encrypt_enable(); + if (err != ESP_OK) { + BOOT_LOG_ERR("Enabling of Flash encryption failed (%d)", err); + FIH_PANIC; + } + } + +#ifdef CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER + if (!esp_secure_boot_enabled() || !flash_encryption_enabled) { + err = esp_efuse_batch_write_commit(); + if (err != ESP_OK) { + BOOT_LOG_ERR("Error programming eFuses (err=0x%x).", err); + FIH_PANIC; + } + assert(esp_secure_boot_enabled()); + BOOT_LOG_INF("Secure boot permanently enabled"); } +#endif // CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER /* Step 7 (see above for full description): * 7) Reset system to ensure flash encryption cache resets properly. 
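Review bot: The two consecutive `if (!flash_encryption_enabled)` blocks in the rewritten step 5/6 section test the same unchanged variable, and every path through the first block either panics or falls into the second, so they read as one block split in two; merging them, or a comment explaining why the init step is kept apart from contents/enable, would make the `is_write_protected → init → contents → enable` sequence easier to follow. Dropping `esp_flash_encrypt_check_and_update()` also drops the `Checking flash encryption...` log, so the boot log no longer records that the state was inspected on the already-enabled path; a `BOOT_LOG_INF` on the `flash_encryption_enabled` result would keep that trace. `main()` starts and ends outside the hunk.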
@@ -229,6 +279,12 @@ int main() BOOT_LOG_INF("Disabling RNG early entropy source..."); bootloader_random_disable(); + /* Disable glitch reset after all the security checks are completed. + * Glitch detection can be falsely triggered by EMI interference (high RF TX power, etc) + * and to avoid such false alarms, disable it. + */ + bootloader_ana_clock_glitch_reset_config(false); + #ifdef CONFIG_ESP_MULTI_PROCESSOR_BOOT /* Multi image independent boot * Boot on the second processor happens before the image0 boot diff --git a/boot/espressif/port/esp32c2/bootloader.conf b/boot/espressif/port/esp32c2/bootloader.conf index 286b1a197..54f797e71 100644 --- a/boot/espressif/port/esp32c2/bootloader.conf +++ b/boot/espressif/port/esp32c2/bootloader.conf @@ -63,6 +63,12 @@ CONFIG_ESP_CONSOLE_UART_NUM=0 # using imgtool instead of use the existent sample # CONFIG_ESP_SIGN_KEY_FILE=root-ec-p256.pem +# Hardware Secure Boot related options +# CONFIG_SECURE_SIGNED_ON_BOOT=1 +# CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME=1 +# CONFIG_SECURE_BOOT=1 +# CONFIG_SECURE_BOOT_V2_ENABLED=1 + # Hardware Flash Encryption related options # CONFIG_SECURE_FLASH_ENC_ENABLED=1 # CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=1 @@ -72,6 +78,10 @@ CONFIG_ESP_CONSOLE_UART_NUM=0 # CONFIG_SECURE_BOOT_ALLOW_JTAG=1 # CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=1 +# This option must be also enabled when enabling both Secure Boot +# and Flash Encryption at same time +# CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER=1 + # Options for enabling eFuse emulation in Flash # CONFIG_EFUSE_VIRTUAL=1 # CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=1 diff --git a/boot/espressif/port/esp32c3/ld/bootloader.ld b/boot/espressif/port/esp32c3/ld/bootloader.ld index 65f15cc4d..747b54914 100644 --- a/boot/espressif/port/esp32c3/ld/bootloader.ld +++ b/boot/espressif/port/esp32c3/ld/bootloader.ld 
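Review bot: `bootloader_ana_clock_glitch_reset_config(false)` is justified in its comment as running "after all the security checks are completed", but image signature verification and the jump to the application happen later in `main()` outside this hunk, so whether the glitch detector is still armed during image authentication cannot be confirmed from here. The comment should name the last check it is meant to cover, and if image verification does run after this line, moving the call below it keeps the detector active for the step it is there to protect. A note on what the false-trigger symptom looks like (spurious reset during boot with high RF TX power, as the comment hints) would also help anyone bisecting a boot loop later. The function continues outside the hunk.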
@@ -13,8 +13,8 @@ MEMORY { iram_seg (RWX) : org = 0x403C7000, len = 0x9000 - iram_loader_seg (RWX) : org = 0x403D0000, len = 0x5000 - dram_seg (RW) : org = 0x3FCD5000, len = 0xA000 + iram_loader_seg (RWX) : org = 0x403D0000, len = 0x5400 + dram_seg (RW) : org = 0x3FCD5400, len = 0xA000 } /* Default entry point: */ diff --git a/docs/readme-espressif.md b/docs/readme-espressif.md index ff51d1f67..dc236fbdd 100644 --- a/docs/readme-espressif.md +++ b/docs/readme-espressif.md @@ -293,15 +293,13 @@ MCUboot header. The Secure Boot implementation is based on [IDF's Secure Boot V2](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/secure-boot-v2.html), -is hardware-assisted and RSA based, and has the role for ensuring that only authorized code will be -executed on the device. This is done through bootloader signature checking by the ROM bootloader. +is hardware-assisted and RSA based - except ESP32-C2 that uses ECDSA signing scheme - and has the +role for ensuring that only authorized code will be executed on the device. This is done through +bootloader signature checking by the ROM bootloader. ***Note***: ROM bootloader is the First Stage Bootloader, while the Espressif MCUboot port is the Second Stage Bootloader. -***Note***: Currently on MCUboot Espressif Port, the Secure Boot V2 for ESP32-C2 is not supported -yet. - ### [Building bootloader with Secure Boot](#building-bootloader-with-secure-boot) In order to build the bootloader with the feature on, the following configurations must be enabled: 
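Review bot: `dram_seg` is moved up by 0x400 (org 0x3FCD5000 → 0x3FCD5400) while its `len` stays 0xA000, so its end address also moves from 0x3FCDF000 to 0x3FCDF400; the hunk does not show what sits above the old end, so whether those extra 0x400 bytes collide with memory reserved for the ROM bootloader or the loader stack cannot be confirmed from the diff and should be stated in the commit. `iram_loader_seg` grows by the same 0x400 to 0x5400 with its end at 0x403D5400, matching the new boundary in the readme diagram changed later in this patch. A short comment in the MEMORY block recording why the loader segment needed 0x400 more bytes would help the next resize.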
@@ -310,10 +308,24 @@ In order to build the bootloader with the feature on, the following configuratio CONFIG_SECURE_BOOT=1 CONFIG_SECURE_BOOT_V2_ENABLED=1 CONFIG_SECURE_SIGNED_ON_BOOT=1 +``` + +For the currently supported chips, with exception of ESP32-C2, enable RSA signing scheme: + +``` CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1 CONFIG_SECURE_BOOT_SUPPORTS_RSA=1 ``` +For ESP32-C2, enable ECDSA signing scheme and, if working with Flash Encryption too, enable the +configuration to burn keys to efuse together: + +``` +CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME=1 + +CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER=1 +``` + --- :warning: ***ATTENTION*** @@ -1152,7 +1164,7 @@ application. * | | | *** OS CAN RECLAIM IT AFTER BOOT LATER AS HEAP *** * | | | * | v | - * +------------------------------+ 0x403D5000 / 0x3FCD5000 + * +------------------------------+ 0x403D5400 / 0x3FCD5400 * | ^ | * | | | * | | dram_seg | *** SHOULD NOT BE OVERLAPPED *** From 9bef51ce4ad3b0add2edeff2dc67fb79412c6e07 Mon Sep 17 00:00:00 2001 From: Roland Mikhel Date: Mon, 25 Sep 2023 10:32:52 +0200 Subject: [PATCH 024/113] bootutil/crypto: Do not include import key with PSA This fixes a build error when PSA Crypto API is being used as it has no need for bootutil_import_key but it's included currently since it's allowed to have both Mbed TLS and PSA defined. Signed-off-by: Roland Mikhel Change-Id: If38d3011fc4fa2d317f8be65df9e231d7d57dcbf --- boot/bootutil/include/bootutil/crypto/ecdsa.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/boot/bootutil/include/bootutil/crypto/ecdsa.h b/boot/bootutil/include/bootutil/crypto/ecdsa.h index aa5c532a0..a73388622 100644 --- a/boot/bootutil/include/bootutil/crypto/ecdsa.h +++ b/boot/bootutil/include/bootutil/crypto/ecdsa.h 
@@ -74,7 +74,8 @@ extern "C" { #endif -#if defined(MCUBOOT_USE_TINYCRYPT) || defined(MCUBOOT_USE_MBED_TLS) || defined(MCUBOOT_USE_CC310) +#if (defined(MCUBOOT_USE_TINYCRYPT) || defined(MCUBOOT_USE_MBED_TLS) || \ + defined(MCUBOOT_USE_CC310)) && !defined(MCUBOOT_USE_PSA_CRYPTO) /* * Declaring these like this adds NULL termination. */ @@ -124,7 +125,7 @@ static int bootutil_import_key(uint8_t **cp, uint8_t *end) return 0; } -#endif /* MCUBOOT_USE_TINYCRYPT || MCUBOOT_USE_MBED_TLS || MCUBOOT_USE_CC310 */ +#endif /* (MCUBOOT_USE_TINYCRYPT || MCUBOOT_USE_MBED_TLS || MCUBOOT_USE_CC310) && !MCUBOOT_USE_PSA_CRYPTO */ #if defined(MCUBOOT_USE_TINYCRYPT) #ifndef MCUBOOT_ECDSA_NEED_ASN1_SIG From 4da510137aeb238221e535cb1726c88190840a3d Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Thu, 3 Aug 2023 16:23:02 +0100 Subject: [PATCH 025/113] zephyr: Add shared data support Adds the ability to share mcuboot configuration with the application using Zephyr's retention subsystem. Signed-off-by: Jamie McCrae --- boot/bootutil/src/boot_record.c | 2 + boot/zephyr/CMakeLists.txt | 19 +++ boot/zephyr/Kconfig | 84 +++++++++++- .../include/mcuboot_config/mcuboot_config.h | 25 ++++ boot/zephyr/shared_data.c | 124 ++++++++++++++++++ 5 files changed, 249 insertions(+), 5 deletions(-) create mode 100644 boot/zephyr/shared_data.c diff --git a/boot/bootutil/src/boot_record.c b/boot/bootutil/src/boot_record.c index 59a900cd4..400cbb282 100644 --- a/boot/bootutil/src/boot_record.c +++ b/boot/bootutil/src/boot_record.c @@ -32,6 +32,7 @@ #include "bootutil/image.h" #include "flash_map_backend/flash_map_backend.h" +#if !defined(MCUBOOT_CUSTOM_DATA_SHARING_FUNCTION) /** * @var shared_memory_init_done * @@ -113,6 +114,7 @@ boot_add_data_to_shared_area(uint8_t major_type, return SHARED_MEMORY_OK; } #endif /* MCUBOOT_MEASURED_BOOT OR MCUBOOT_DATA_SHARING */ +#endif /* !MCUBOOT_CUSTOM_DATA_SHARING_FUNCTION */ #ifdef MCUBOOT_MEASURED_BOOT /* See in boot_record.h */ 
diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index d15977e77..638bd91cc 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -93,6 +93,12 @@ if(NOT DEFINED CONFIG_FLASH_PAGE_LAYOUT) ) endif() +if(DEFINED CONFIG_BOOT_SHARE_BACKEND_RETENTION) + zephyr_library_sources( + shared_data.c + ) +endif() + # Generic bootutil sources and includes. zephyr_library_include_directories(${BOOT_DIR}/bootutil/include) zephyr_library_sources( @@ -106,6 +112,19 @@ zephyr_library_sources( ${BOOT_DIR}/bootutil/src/fault_injection_hardening.c ) +if(DEFINED CONFIG_MEASURED_BOOT OR DEFINED CONFIG_BOOT_SHARE_DATA) + zephyr_library_sources( + ${BOOT_DIR}/bootutil/src/boot_record.c + ) + + # Set a define for this file which will allow inclusion of the Zephyr version + # include file + set_source_files_properties( + ${BOOT_DIR}/bootutil/src/boot_record.c + PROPERTIES COMPILE_FLAGS -DZEPHYR_VER_INCLUDE=1 + ) +endif() + # library which might be common source code for MCUBoot and an application zephyr_link_libraries(MCUBOOT_BOOTUTIL) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index e8b630986..9517e91e0 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig 
@@ -374,17 +374,91 @@ config BOOT_MAX_IMG_SECTORS memory usage; larger values allow it to support larger images. If unsure, leave at the default value. -config MEASURED_BOOT - bool "Store the boot state/measurements in shared memory" +config BOOT_SHARE_BACKEND_AVAILABLE + bool + default n + help + Hidden open which indicates if there is a sharing backend available. + +# Workaround for not being able to have commas in macro arguments +DT_CHOSEN_BOOTLOADER_INFO := zephyr,bootloader-info + +config BOOT_SHARE_BACKEND_AVAILABLE + bool default n + help + Hidden open which indicates if there is a sharing backend available. + +choice BOOT_SHARE_BACKEND + prompt "Shared data backend" + default BOOT_SHARE_BACKEND_DISABLED + +config BOOT_SHARE_BACKEND_DISABLED + bool "Disabled" + help + No data sharing support. + +config BOOT_SHARE_BACKEND_RETENTION + bool "Retention" + depends on RETENTION + depends on $(dt_chosen_enabled,$(DT_CHOSEN_BOOTLOADER_INFO)) + select BOOT_SHARE_BACKEND_AVAILABLE + help + Use retention to share data with application. Requires: + - Retained memory area + - Retention partition of retained memory area + - Chosen node "zephyr,bootloader-info" to be set to the retention + partition + +config BOOT_SHARE_BACKEND_EXTERNAL + bool "External (user-provided code)" + select BOOT_SHARE_BACKEND_AVAILABLE + help + Use a custom user-specified storage. + +endchoice + +menuconfig BOOT_SHARE_DATA + bool "Save application specific data" + default n + depends on BOOT_SHARE_BACKEND_AVAILABLE + help + This will allow data to be shared between MCUboot and an application, + it does not include any informatiom by default. + + Note: This requires a backend to function, see + BOOT_SHARE_BACKEND_RETENTION for details on using the retention + subsystem as a backend. 
+ +config BOOT_SHARE_DATA_BOOTINFO + bool "Save boot information data" + default n + depends on BOOT_SHARE_DATA + help + This will place information about the MCUboot configuration and + running application into a shared memory area. + +menuconfig MEASURED_BOOT + bool "Store the boot state/measurements in shared memory area" + default n + depends on BOOT_SHARE_BACKEND_AVAILABLE help If enabled, the bootloader will store certain boot measurements such as the hash of the firmware image in a shared memory area. This data can be used later by runtime services (e.g. by a device attestation service). -config BOOT_SHARE_DATA - bool "Save application specific data in shared memory area" - default n + Note: This requires a backend to function, see + BOOT_SHARE_BACKEND_RETENTION for details on using the retention + subsystem as a backend. + +config MEASURED_BOOT_MAX_CBOR_SIZE + int "Maximum CBOR size of boot state/measurements" + default 64 + range 0 256 + depends on MEASURED_BOOT + help + The maximum size of the CBOR message which stores boot + state/measurements. choice BOOT_FAULT_INJECTION_HARDENING_PROFILE prompt "Fault injection hardening profile" diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index 483d7a59f..04e4c599c 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -155,6 +155,18 @@ #define MCUBOOT_DATA_SHARING #endif +#ifdef CONFIG_BOOT_SHARE_BACKEND_RETENTION +#define MCUBOOT_CUSTOM_DATA_SHARING_FUNCTION +#endif + +#ifdef CONFIG_BOOT_SHARE_DATA_BOOTINFO +#define MCUBOOT_DATA_SHARING_BOOTINFO +#endif + +#ifdef CONFIG_MEASURED_BOOT_MAX_CBOR_SIZE +#define MAX_BOOT_RECORD_SZ CONFIG_MEASURED_BOOT_MAX_CBOR_SIZE +#endif + #ifdef CONFIG_BOOT_FIH_PROFILE_OFF #define MCUBOOT_FIH_PROFILE_OFF #endif 
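Review bot: `config BOOT_SHARE_BACKEND_AVAILABLE` is declared twice in this hunk with identical bodies, once above the `DT_CHOSEN_BOOTLOADER_INFO` assignment and once below it; Kconfig merges duplicate definitions, but the second copy is a leftover that should be dropped. Both help texts read `Hidden open which indicates…` where `Hidden option` is meant, and the BOOT_SHARE_DATA help has `informatiom`. `MEASURED_BOOT_MAX_CBOR_SIZE` uses `range 0 256`, which admits 0 and therefore a zero-sized boot record buffer once the value reaches `MAX_BOOT_RECORD_SZ` in mcuboot_config.h; a lower bound of 1 (or the minimum encoded record size, if known) is safer.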
@@ -193,6 +205,10 @@ #define MCUBOOT_VERIFY_IMG_ADDRESS #endif +#ifdef CONFIG_MCUBOOT_SERIAL +#define MCUBOOT_SERIAL +#endif + /* * The configuration option enables direct image upload with the * serial recovery. @@ -266,6 +282,15 @@ #define MCUBOOT_SERIAL_UNALIGNED_BUFFER_SIZE CONFIG_BOOT_SERIAL_UNALIGNED_BUFFER_SIZE #endif +#if defined(MCUBOOT_DATA_SHARING) && defined(ZEPHYR_VER_INCLUDE) +#include + +#define MCUBOOT_VERSION_AVAILABLE +#define MCUBOOT_VERSION_MAJOR APP_VERSION_MAJOR +#define MCUBOOT_VERSION_MINOR APP_VERSION_MINOR +#define MCUBOOT_VERSION_PATCHLEVEL APP_PATCHLEVEL +#endif + /* Support 32-byte aligned flash sizes */ #if DT_HAS_CHOSEN(zephyr_flash) #if DT_PROP_OR(DT_CHOSEN(zephyr_flash), write_block_size, 0) > 8 diff --git a/boot/zephyr/shared_data.c b/boot/zephyr/shared_data.c new file mode 100644 index 000000000..5554a7ec9 --- /dev/null +++ b/boot/zephyr/shared_data.c 
@@ -0,0 +1,124 @@ +/* + * Copyright (c) 2023, Nordic Semiconductor ASA + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include +#include +#include +#include +#include +#include +#include +#include <../../bootutil/src/bootutil_priv.h> + +#define SHARED_MEMORY_MIN_SIZE 8 + +LOG_MODULE_REGISTER(bootloader_info, CONFIG_RETENTION_LOG_LEVEL); + +static bool shared_memory_init_done = false; +static uint16_t shared_data_size = SHARED_DATA_HEADER_SIZE; +static ssize_t shared_data_max_size = 0; +static const struct device *bootloader_info_dev = + DEVICE_DT_GET(DT_CHOSEN(zephyr_bootloader_info)); + +BUILD_ASSERT(SHARED_MEMORY_MIN_SIZE < \ + DT_REG_SIZE_BY_IDX(DT_CHOSEN(zephyr_bootloader_info), 0), \ + "zephyr,bootloader-info area is too small for bootloader information struct"); + +int boot_add_data_to_shared_area(uint8_t major_type, + uint16_t minor_type, + size_t size, + const uint8_t *data) +{ + struct shared_data_tlv_header header = { + .tlv_magic = SHARED_DATA_TLV_INFO_MAGIC, + .tlv_tot_len = shared_data_size, + }; + struct shared_data_tlv_entry tlv_entry = {0}; + uint16_t boot_data_size; + uintptr_t tlv_end, offset; + int rc; + + if (data == NULL) { + return SHARED_MEMORY_GEN_ERROR; + } + + /* Check whether first time to call this function. If does then initialise + * shared data area. + */ + if (!shared_memory_init_done) { + retention_clear(bootloader_info_dev); + shared_data_max_size = retention_size(bootloader_info_dev); + shared_memory_init_done = true; + } + + /* Check whether TLV entry is already added. 
+ * Get the boundaries of TLV section + */ + tlv_end = shared_data_size; + offset = SHARED_DATA_HEADER_SIZE; + + /* Iterates over the TLV section looks for the same entry if found then + * returns with error: SHARED_MEMORY_OVERWRITE + */ + while (offset < tlv_end) { + /* Create local copy to avoid unaligned access */ + rc = retention_read(bootloader_info_dev, offset, (void *)&tlv_entry, + SHARED_DATA_ENTRY_HEADER_SIZE); + + if (rc) { + return SHARED_MEMORY_READ_ERROR; + } + + if (GET_MAJOR(tlv_entry.tlv_type) == major_type && + GET_MINOR(tlv_entry.tlv_type) == minor_type) { + return SHARED_MEMORY_OVERWRITE; + } + + offset += SHARED_DATA_ENTRY_SIZE(tlv_entry.tlv_len); + } + + /* Add TLV entry */ + tlv_entry.tlv_type = SET_TLV_TYPE(major_type, minor_type); + tlv_entry.tlv_len = size; + + if (!boot_u16_safe_add(&boot_data_size, shared_data_size, + SHARED_DATA_ENTRY_SIZE(size))) { + return SHARED_MEMORY_GEN_ERROR; + } + + /* Verify overflow of shared area */ + if (boot_data_size > shared_data_max_size) { + return SHARED_MEMORY_OVERFLOW; + } + + offset = shared_data_size; + rc = retention_write(bootloader_info_dev, offset, (void*)&tlv_entry, + SHARED_DATA_ENTRY_HEADER_SIZE); + if (rc) { + LOG_ERR("Shared data TLV header write failed: %d", rc); + return SHARED_MEMORY_WRITE_ERROR; + } + + offset += SHARED_DATA_ENTRY_HEADER_SIZE; + rc = retention_write(bootloader_info_dev, offset, data, size); + + if (rc) { + LOG_ERR("Shared data TLV data write failed: %d", rc); + return SHARED_MEMORY_WRITE_ERROR; + } + + shared_data_size += SHARED_DATA_ENTRY_SIZE(size); + header.tlv_tot_len = shared_data_size; + + rc = retention_write(bootloader_info_dev, 0, (void *)&header, + sizeof(header)); + + if (rc) { + return SHARED_MEMORY_WRITE_ERROR; + } + + return SHARED_MEMORY_OK; +} From 6c8c76fc37f10d7f3ce44474dc2a450f61ff46e0 Mon Sep 17 00:00:00 2001 
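Review bot: In `boot_add_data_to_shared_area()` the first-call initialisation ignores the return of `retention_clear(bootloader_info_dev)`, so a failed clear still sets `shared_memory_init_done` and later TLV scans read whatever stale bytes the retained area held; capture it: `rc = retention_clear(bootloader_info_dev); if (rc) { return SHARED_MEMORY_WRITE_ERROR; }`. Further down, `tlv_entry.tlv_len = size;` assigns a `size_t` to what the surrounding `boot_u16_safe_add` usage suggests is a 16-bit field, so a `size` above 65535 would be recorded truncated while the overflow check runs on the full value; rejecting oversized input first, `if (size > UINT16_MAX) { return SHARED_MEMORY_GEN_ERROR; }`, closes that gap. The `ssize_t shared_data_max_size` is compared against a `uint16_t` total, which makes a negative `retention_size()` result behave as "area full"; a comment saying that is intentional would make the handling explicit.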
From: Jamie McCrae Date: Thu, 3 Aug 2023 16:30:03 +0100 Subject: [PATCH 026/113] docs: Add note on addition of zephyr retention shared boot info Adds a note that Zephyr can now use the retention subsystem to share information with applications about MCUboot's configuration. Signed-off-by: Jamie McCrae --- docs/release-notes.d/zephyr-data-sharing.md | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 docs/release-notes.d/zephyr-data-sharing.md diff --git a/docs/release-notes.d/zephyr-data-sharing.md b/docs/release-notes.d/zephyr-data-sharing.md new file mode 100644 index 000000000..fceb9f532 --- /dev/null +++ b/docs/release-notes.d/zephyr-data-sharing.md @@ -0,0 +1,2 @@ +- (Zephyr) Adds support for sharing boot information with + application via retention subsystem From 8d0b35a1e9a4cd54f11ac817a0c27e0d6d4c860b Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 27 Sep 2023 14:36:40 +0100 Subject: [PATCH 027/113] bootutil: Add mode for XIP with revert Adds a new define if bootloader in built in direct-XIP with revert mode Signed-off-by: Jamie McCrae --- boot/bootutil/include/bootutil/boot_status.h | 1 + 1 file changed, 1 insertion(+) diff --git a/boot/bootutil/include/bootutil/boot_status.h b/boot/bootutil/include/bootutil/boot_status.h index 27a41fd37..149e45e87 100644 --- a/boot/bootutil/include/bootutil/boot_status.h +++ b/boot/bootutil/include/bootutil/boot_status.h @@ -121,6 +121,7 @@ enum mcuboot_mode { MCUBOOT_MODE_UPGRADE_ONLY, MCUBOOT_MODE_SWAP_USING_MOVE, MCUBOOT_MODE_DIRECT_XIP, + MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT, MCUBOOT_MODE_RAM_LOAD }; From 50f8b5f7424ea6347215c1bc5c1bf7c1fe8c4490 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 27 Sep 2023 14:47:29 +0100 Subject: [PATCH 028/113] bootutil: Add shared data support for XIP with revert mode Adds support for sharing the direct-XIP MCUboot mode with revert to applications using shared data 
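Review bot: Inserting `MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT` before `MCUBOOT_MODE_RAM_LOAD` shifts the numeric value of `MCUBOOT_MODE_RAM_LOAD`, and since `enum mcuboot_mode` is the value written into the shared boot-info record that applications read (see the `boot_record.c` change in the following patch), an application built against the previous header will misreport a RAM_LOAD bootloader. Append the new mode at the end of the enum, or give every enumerator an explicit value so the shared format is stable, and add a comment on the enum: `/* Values are shared with applications via boot info; append only, never reorder. */`.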
Signed-off-by: Jamie McCrae --- boot/bootutil/src/boot_record.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/boot/bootutil/src/boot_record.c b/boot/bootutil/src/boot_record.c index 400cbb282..5e4e25d4b 100644 --- a/boot/bootutil/src/boot_record.c +++ b/boot/bootutil/src/boot_record.c @@ -243,7 +243,11 @@ int boot_save_shared_data(const struct image_header *hdr, const struct flash_are #elif defined(MCUBOOT_SWAP_USING_MOVE) uint8_t mode = MCUBOOT_MODE_SWAP_USING_MOVE; #elif defined(MCUBOOT_DIRECT_XIP) +#if defined(MCUBOOT_DIRECT_XIP_REVERT) + uint8_t mode = MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT; +#else uint8_t mode = MCUBOOT_MODE_DIRECT_XIP; +#endif #elif defined(MCUBOOT_RAM_LOAD) uint8_t mode = MCUBOOT_MODE_RAM_LOAD; #else From 268433e0a8a81ca3153e2e40c47c58365b5bcf8b Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Tue, 29 Aug 2023 15:37:15 +0100 Subject: [PATCH 029/113] zephyr: Allow user-defined boot serial extensions This allows for out-of-tree modules to define their own boot serial functions by using iterable sections. Note that this also removes the custom img list command, which was not used in-tree. Signed-off-by: Jamie McCrae --- boot/zephyr/CMakeLists.txt | 11 ++ boot/zephyr/Kconfig.serial_recovery | 6 - .../boot_serial_extension_zephyr_basic.c | 71 +++++++++ boot/zephyr/boot_serial_extensions.c | 147 +----------------- .../zephyr/include/boot_serial/boot_serial.ld | 9 ++ .../boot_serial/boot_serial_extensions.h | 41 +++++ 6 files changed, 140 insertions(+), 145 deletions(-) create mode 100644 boot/zephyr/boot_serial_extension_zephyr_basic.c create mode 100644 boot/zephyr/include/boot_serial/boot_serial.ld create mode 100644 boot/zephyr/include/boot_serial/boot_serial_extensions.h diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 638bd91cc..159ef5d3d 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt 
@@ -85,6 +85,17 @@ if(DEFINED CONFIG_ENABLE_MGMT_PERUSER) zephyr_library_sources( boot_serial_extensions.c ) + + zephyr_linker_sources_ifdef( + CONFIG_ENABLE_MGMT_PERUSER + SECTIONS include/boot_serial/boot_serial.ld + ) + + if(DEFINED CONFIG_BOOT_MGMT_CUSTOM_STORAGE_ERASE OR DEFINED CONFIG_BOOT_MGMT_CUSTOM_IMG_LIST) + zephyr_library_sources( + boot_serial_extension_zephyr_basic.c + ) + endif() endif() if(NOT DEFINED CONFIG_FLASH_PAGE_LAYOUT) diff --git a/boot/zephyr/Kconfig.serial_recovery b/boot/zephyr/Kconfig.serial_recovery index 52ec3b013..c73baddf0 100644 --- a/boot/zephyr/Kconfig.serial_recovery +++ b/boot/zephyr/Kconfig.serial_recovery @@ -128,12 +128,6 @@ config BOOT_MGMT_CUSTOM_STORAGE_ERASE Note that the storage partition needs to be defined, in DTS, otherwise enabling the option will cause a compilation to fail. -config BOOT_MGMT_CUSTOM_IMG_LIST - bool "Enable custom image list command" - help - The option enables command which returns versions and installation - statuses (custom property) for all images. - endif # ENABLE_MGMT_PERUSER menu "Entrance methods" diff --git a/boot/zephyr/boot_serial_extension_zephyr_basic.c b/boot/zephyr/boot_serial_extension_zephyr_basic.c new file mode 100644 index 000000000..b0c75f4a7 --- /dev/null +++ b/boot/zephyr/boot_serial_extension_zephyr_basic.c 
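Review bot: The new `if(DEFINED CONFIG_BOOT_MGMT_CUSTOM_STORAGE_ERASE OR DEFINED CONFIG_BOOT_MGMT_CUSTOM_IMG_LIST)` still references `CONFIG_BOOT_MGMT_CUSTOM_IMG_LIST`, which the same commit removes from `Kconfig.serial_recovery` in the next hunk, so that half of the condition can never be true; reduce it to `if(DEFINED CONFIG_BOOT_MGMT_CUSTOM_STORAGE_ERASE)`. The `zephyr_linker_sources_ifdef(CONFIG_ENABLE_MGMT_PERUSER ...)` call sits inside an `if(DEFINED CONFIG_ENABLE_MGMT_PERUSER)` block, so the `_ifdef` re-check is redundant and `zephyr_linker_sources(SECTIONS include/boot_serial/boot_serial.ld)` says the same thing.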
@@ -0,0 +1,71 @@ +/* + * Copyright (c) 2021-2023 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include +#include +#include +#include +#include +#include <../subsys/mgmt/mcumgr/transport/include/mgmt/mcumgr/transport/smp_internal.h> + +#include +#include + +#include "bootutil/bootutil_log.h" +#include "../boot_serial/src/boot_serial_priv.h" +#include + +#include "bootutil/image.h" +#include "bootutil/bootutil_public.h" +#include "bootutil/boot_hooks.h" + +#include + +BOOT_LOG_MODULE_DECLARE(mcuboot); + +#ifdef CONFIG_BOOT_MGMT_CUSTOM_STORAGE_ERASE +static int bs_custom_storage_erase(const struct nmgr_hdr *hdr, + const char *buffer, int len, + zcbor_state_t *cs) +{ + int rc; + const struct flash_area *fa; + + (void)buffer; + (void)len; + + if (hdr->nh_group != ZEPHYR_MGMT_GRP_BASIC || hdr->nh_op != NMGR_OP_WRITE || + hdr->nh_id != ZEPHYR_MGMT_GRP_BASIC_CMD_ERASE_STORAGE) { + return MGMT_ERR_ENOTSUP; + } + + rc = flash_area_open(FIXED_PARTITION_ID(storage_partition), &fa); + + if (rc < 0) { + BOOT_LOG_ERR("failed to open flash area"); + } else { + rc = flash_area_erase(fa, 0, flash_area_get_size(fa)); + if (rc < 0) { + BOOT_LOG_ERR("failed to erase flash area"); + } + flash_area_close(fa); + } + if (rc == 0) { + rc = MGMT_ERR_OK; + } else { + rc = MGMT_ERR_EUNKNOWN; + } + + zcbor_map_start_encode(cs, 10); + zcbor_tstr_put_lit(cs, "rc"); + zcbor_uint32_put(cs, rc); + zcbor_map_end_encode(cs, 10); + + return rc; +} + +MCUMGR_HANDLER_DEFINE(storage_erase, bs_custom_storage_erase); +#endif diff --git a/boot/zephyr/boot_serial_extensions.c b/boot/zephyr/boot_serial_extensions.c index b8bcd3e95..abbb65173 100644 --- a/boot/zephyr/boot_serial_extensions.c +++ b/boot/zephyr/boot_serial_extensions.c 
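Review bot: `bs_custom_storage_erase()` ignores the boolean results of `zcbor_map_start_encode`, `zcbor_tstr_put_lit`, `zcbor_uint32_put` and `zcbor_map_end_encode`, so an encoder that runs out of buffer space produces a truncated reply while the handler still reports the erase result; checking at least the closing call, `if (!zcbor_map_end_encode(cs, 10)) { return MGMT_ERR_EMSGSIZE; }`, surfaces that. The function returns `rc` after also encoding it as the `rc` map entry, and a short comment that the return value is the dispatch result consumed by `bs_peruser_system_specific()` while the map entry is the on-wire response would clarify the dual use. The `(void)buffer; (void)len;` casts show the signature is shared across handlers, so a doc comment on the `MCUMGR_HANDLER_DEFINE` registration stating the contract (return `MGMT_ERR_ENOTSUP` for commands the handler does not own) would help out-of-tree authors.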
@@ -1,161 +1,30 @@ /* - * Copyright (c) 2021 Nordic Semiconductor ASA + * Copyright (c) 2021-2023 Nordic Semiconductor ASA * * SPDX-License-Identifier: Apache-2.0 */ -#include #include -#include -#include -#include -#include <../subsys/mgmt/mcumgr/transport/include/mgmt/mcumgr/transport/smp_internal.h> - -#include -#include #include "bootutil/bootutil_log.h" #include "../boot_serial/src/boot_serial_priv.h" #include - -#include "bootutil/image.h" -#include "bootutil/bootutil_public.h" -#include "bootutil/boot_hooks.h" +#include BOOT_LOG_MODULE_DECLARE(mcuboot); -#ifdef CONFIG_BOOT_MGMT_CUSTOM_STORAGE_ERASE -static int bs_custom_storage_erase(zcbor_state_t *cs) -{ - int rc; - - const struct flash_area *fa; - - rc = flash_area_open(FIXED_PARTITION_ID(storage_partition), &fa); - - if (rc < 0) { - BOOT_LOG_ERR("failed to open flash area"); - } else { - rc = flash_area_erase(fa, 0, flash_area_get_size(fa)); - if (rc < 0) { - BOOT_LOG_ERR("failed to erase flash area"); - } - flash_area_close(fa); - } - if (rc == 0) { - rc = MGMT_ERR_OK; - } else { - rc = MGMT_ERR_EUNKNOWN; - } - - zcbor_map_start_encode(cs, 10); - zcbor_tstr_put_lit(cs, "rc"); - zcbor_uint32_put(cs, rc); - zcbor_map_end_encode(cs, 10); - - return rc; -} -#endif - -#ifdef MCUBOOT_MGMT_CUSTOM_IMG_LIST -static int custom_img_status(int image_index, uint32_t slot,char *buffer, - ssize_t len) -{ - uint32_t area_id; - struct flash_area const *fap; - struct image_header hdr; - int rc; - int img_install_stat; - - rc = BOOT_HOOK_CALL(boot_img_install_stat_hook, BOOT_HOOK_REGULAR, - image_index, slot, &img_install_stat); - if (rc == BOOT_HOOK_REGULAR) - { - img_install_stat = 0; - } - - rc = BOOT_HOOK_CALL(boot_read_image_header_hook, BOOT_HOOK_REGULAR, - image_index, slot, &hdr); - if (rc == BOOT_HOOK_REGULAR) - { - area_id = flash_area_id_from_multi_image_slot(image_index, slot); - - rc = flash_area_open(area_id, &fap); - if (rc) { - return rc; - } - - rc = flash_area_read(fap, 0, &hdr, sizeof(hdr)); - - 
flash_area_close(fap); - } - - if (rc == 0) { - if (hdr.ih_magic == IMAGE_MAGIC) { - snprintf(buffer, len, "ver=%d.%d.%d.%d,install_stat=%d", - hdr.ih_ver.iv_major, - hdr.ih_ver.iv_minor, - hdr.ih_ver.iv_revision, - hdr.ih_ver.iv_build_num, - img_install_stat); - } else { - rc = 1; - } - } - - return rc; -} - -static int bs_custom_img_list(zcbor_state_t *cs) -{ - int rc = 0; - char tmpbuf[64]; /* Buffer should fit version and flags */ - - zcbor_map_start_encode(cs, 10); - - for (int img = 0; img < MCUBOOT_IMAGE_NUMBER; img++) { - for (int slot = 0; slot < 2; slot++) { - rc = custom_img_status(img, slot, tmpbuf, sizeof(tmpbuf)); - - zcbor_int32_put(cs, img * 2 + slot + 1); - if (rc == 0) { - zcbor_tstr_put_term(cs, tmpbuf); - } else { - zcbor_tstr_put_lit(cs, ""); - } - } - } - - zcbor_tstr_put_lit(cs, "rc"); - zcbor_uint32_put(cs, MGMT_ERR_OK); - zcbor_map_end_encode(cs, 10); - - return rc; -} - -#ifndef ZEPHYR_MGMT_GRP_BASIC_CMD_IMAGE_LIST - #define ZEPHYR_MGMT_GRP_BASIC_CMD_IMAGE_LIST 1 -#endif -#endif /*MCUBOOT_MGMT_CUSTOM_IMG_LIST*/ - int bs_peruser_system_specific(const struct nmgr_hdr *hdr, const char *buffer, int len, zcbor_state_t *cs) { int mgmt_rc = MGMT_ERR_ENOTSUP; - if (hdr->nh_group == ZEPHYR_MGMT_GRP_BASIC) { - if (hdr->nh_op == NMGR_OP_WRITE) { -#ifdef CONFIG_BOOT_MGMT_CUSTOM_STORAGE_ERASE - if (hdr->nh_id == ZEPHYR_MGMT_GRP_BASIC_CMD_ERASE_STORAGE) { - mgmt_rc = bs_custom_storage_erase(cs); - } -#endif - } else if (hdr->nh_op == NMGR_OP_READ) { -#ifdef MCUBOOT_MGMT_CUSTOM_IMG_LIST - if (hdr->nh_id == ZEPHYR_MGMT_GRP_BASIC_CMD_IMAGE_LIST) { - mgmt_rc = bs_custom_img_list(cs); + STRUCT_SECTION_FOREACH(mcuboot_bs_custom_handlers, function) { + if (function->handler) { + mgmt_rc = function->handler(hdr, buffer, len, cs); + + if (mgmt_rc != MGMT_ERR_ENOTSUP) { + break; } -#endif } } diff --git a/boot/zephyr/include/boot_serial/boot_serial.ld b/boot/zephyr/include/boot_serial/boot_serial.ld new file mode 100644 index 000000000..c0e82ad35 --- /dev/null 
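Review bot: The new `STRUCT_SECTION_FOREACH(mcuboot_bs_custom_handlers, function)` loop passes every request, whatever its `nh_group`, to every registered handler and relies on each one to reject what it does not own, but nothing at the call site says so; a comment above the loop would carry the contract, e.g. `/* Handlers are tried in link order; each must check hdr->nh_group/nh_op/nh_id itself, bound any read of buffer by len, and return MGMT_ERR_ENOTSUP to let the next one run. The first other return value ends the search. */`. Because the order is link order, two modules registering a handler for the same command resolve in an order not visible from the source, which is worth stating in the header's `MCUMGR_HANDLER_DEFINE` documentation as well. `bs_peruser_system_specific` ends outside the hunk.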
+++ b/boot/zephyr/include/boot_serial/boot_serial.ld @@ -0,0 +1,9 @@ +/* + * Copyright (c) 2023 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include + +ITERABLE_SECTION_ROM(mcuboot_bs_custom_handlers, 4) diff --git a/boot/zephyr/include/boot_serial/boot_serial_extensions.h b/boot/zephyr/include/boot_serial/boot_serial_extensions.h new file mode 100644 index 000000000..6eea574fa --- /dev/null +++ b/boot/zephyr/include/boot_serial/boot_serial_extensions.h @@ -0,0 +1,41 @@ +/* + * Copyright (c) 2023 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#ifndef H_BOOT_SERIAL_EXTENTIONS_ +#define H_BOOT_SERIAL_EXTENTIONS_ + +#include +#include +#include + +/** + * Callback handler prototype for boot serial extensions. + * + * @param[in] hdr MCUmgr header + * @param[in] buffer Buffer with first MCUmgr message + * @param[in] len Length of data in buffer + * @param[out] cs Response + * + * @return MGMT_ERR_ENOTSUP to run other handlers, other MGMT_ERR_* value + * when expected handler has ran. + */ +typedef int (*bs_custom_handler_cb)(const struct nmgr_hdr *hdr, + const char *buffer, int len, + zcbor_state_t *cs); + +struct mcuboot_bs_custom_handlers { + const bs_custom_handler_cb handler; +}; + +/* Used to create an iterable section containing a boot serial handler + * function + */ +#define MCUMGR_HANDLER_DEFINE(name, _handler) \ + STRUCT_SECTION_ITERABLE(mcuboot_bs_custom_handlers, name) = { \ + .handler = _handler, \ + } + +#endif /* H_BOOT_SERIAL_EXTENTIONS_ */ From ae2aeedfe8bb66f7fdddc25271689144d3579959 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Tue, 29 Aug 2023 15:40:26 +0100 Subject: [PATCH 030/113] docs: release: Add note on boot serial extension rework Adds a note on the reworked boot serial extensions features which now allows modules to add handlers 
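Review bot: `MCUMGR_HANDLER_DEFINE` is, as far as I know, also the name of the registration macro in Zephyr's MCUmgr `mgmt/handlers.h` (for its own `mcumgr_handler` iterable section), so a translation unit that includes both headers gets a macro redefinition with a different expansion and which one wins depends on include order; a project-scoped name such as `MCUBOOT_BS_HANDLER_DEFINE(name, _handler)` avoids that, and the macro comment should add that `name` becomes a global symbol and must be unique across all modules contributing handlers. The include guard spells `H_BOOT_SERIAL_EXTENTIONS_` with a typo in a header that is new and public; `H_BOOT_SERIAL_EXTENSIONS_` costs nothing now and a rename later. The callback doc's `when expected handler has ran` reads better as `once a handler has handled the request`.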
Signed-off-by: Jamie McCrae
--- docs/release-notes.d/zephyr-bs-extensions.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 docs/release-notes.d/zephyr-bs-extensions.md
diff --git a/docs/release-notes.d/zephyr-bs-extensions.md b/docs/release-notes.d/zephyr-bs-extensions.md new file mode 100644
index 000000000..0cc748367
--- /dev/null
+++ b/docs/release-notes.d/zephyr-bs-extensions.md
@@ -0,0 +1,3 @@
+- Reworked boot serial extensions so that they can be used by modules
+ or from user repositories by switching to iterable sections.
+- Removed Zephyr custom img list boot serial extension support.
From 2929a975c75745480e220446a06ed6c6f30627d4 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Mon, 25 Sep 2023 11:12:20 +0100 Subject: [PATCH 031/113] bootutil: Show error if flash area open fails Shows an error if a particular flash area fails to open Signed-off-by: Jamie McCrae
--- boot/bootutil/src/loader.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
index 5f99f002f..8bbabbbac 100644
--- a/boot/bootutil/src/loader.c
+++ b/boot/bootutil/src/loader.c
@@ -2064,11 +2064,22 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
 fa_id = flash_area_id_from_multi_image_slot(image_index, slot);
 rc = flash_area_open(fa_id, &BOOT_IMG_AREA(state, slot));
 assert(rc == 0);
+
+ if (rc != 0) {
+ BOOT_LOG_ERR("Failed to open flash area ID %d (image %d slot %d): %d, "
+ "cannot continue", fa_id, image_index, (int8_t)slot, rc);
+ FIH_PANIC;
+ }
 }
 #if MCUBOOT_SWAP_USING_SCRATCH
 rc = flash_area_open(FLASH_AREA_IMAGE_SCRATCH, &BOOT_SCRATCH_AREA(state));
 assert(rc == 0);
+
+ if (rc != 0) {
+ BOOT_LOG_ERR("Failed to open scratch flash area: %d, cannot continue", rc);
+ FIH_PANIC;
+ }
 #endif
 /* Determine swap type and complete swap if it has been aborted. */
From bf8cf46b348eb8c8c10a1f1e4a7c24cdef52acf0 Mon Sep 17 00:00:00 2001
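Review bot: In both new blocks the pre-existing `assert(rc == 0);` still runs before the added `if (rc != 0)`, so on a build with asserts enabled the descriptive `BOOT_LOG_ERR` is never reached and the failure surfaces as a bare assertion, while only assert-disabled builds get the message and `FIH_PANIC`; drop the two asserts (the explicit check now subsumes them) or move each below its log call. The `(int8_t)slot` cast in the first message narrows the value for no reason before the `%d` promotion; `(int)slot` matches the conversion and cannot misprint. `context_boot_go` continues outside the hunk.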
From: Jamie McCrae Date: Mon, 25 Sep 2023 11:22:04 +0100 Subject: [PATCH 032/113] docs: release: Add note on panicking if flash device open fails Adds a note that flash open failing will cause the bootloader to panic and now prints a verbose error out when this happens Signed-off-by: Jamie McCrae --- docs/release-notes.d/boot-open-failure.md | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 docs/release-notes.d/boot-open-failure.md diff --git a/docs/release-notes.d/boot-open-failure.md b/docs/release-notes.d/boot-open-failure.md new file mode 100644 index 000000000..25f80c261 --- /dev/null +++ b/docs/release-notes.d/boot-open-failure.md @@ -0,0 +1,2 @@ +- Add error when flash device fails to open. +- Panic bootloader when flash device fails to open. From 62e2b4dead3237f33aba9f6421c7730712a07e23 Mon Sep 17 00:00:00 2001 From: David Brown Date: Thu, 28 Sep 2023 11:39:14 -0600 Subject: [PATCH 033/113] docs: Update release notes for 2.0.0-rc1 Collect release notes, and add a bit about the API change. 
Signed-off-by: David Brown --- docs/release-notes.d/boot-open-failure.md | 2 - docs/release-notes.d/bs-encrypted-list.md | 4 -- docs/release-notes.d/cddl-change.md | 2 - docs/release-notes.d/data-sharing.md | 2 - docs/release-notes.d/ecdsa-tlv-p384.md | 2 - docs/release-notes.d/espressif-hal-updates.md | 3 - docs/release-notes.d/img-state.md | 1 - docs/release-notes.d/imgtool-getpub-hash.md | 1 - .../imgtool-getpub-output-file.md | 1 - docs/release-notes.d/imgtool-getpub-raw.md | 1 - docs/release-notes.d/imgtool_dumpinfo.md | 1 - docs/release-notes.d/p224-removal.md | 1 - docs/release-notes.d/serial-timeoout-fix.md | 4 -- docs/release-notes.d/zcbor-fix.md | 3 - docs/release-notes.d/zcbor-update.md | 1 - docs/release-notes.d/zephyr-bs-extensions.md | 3 - docs/release-notes.d/zephyr-data-sharing.md | 2 - docs/release-notes.d/zephyr-debug.md | 2 - docs/release-notes.d/zephyr-encryption.md | 9 --- docs/release-notes.md | 62 +++++++++++++++++++ 20 files changed, 62 insertions(+), 45 deletions(-) delete mode 100644 docs/release-notes.d/boot-open-failure.md delete mode 100644 docs/release-notes.d/bs-encrypted-list.md delete mode 100644 docs/release-notes.d/cddl-change.md delete mode 100644 docs/release-notes.d/data-sharing.md delete mode 100644 docs/release-notes.d/ecdsa-tlv-p384.md delete mode 100644 docs/release-notes.d/espressif-hal-updates.md delete mode 100644 docs/release-notes.d/img-state.md delete mode 100644 docs/release-notes.d/imgtool-getpub-hash.md delete mode 100644 docs/release-notes.d/imgtool-getpub-output-file.md delete mode 100644 docs/release-notes.d/imgtool-getpub-raw.md delete mode 100644 docs/release-notes.d/imgtool_dumpinfo.md delete mode 100644 docs/release-notes.d/p224-removal.md delete mode 100644 docs/release-notes.d/serial-timeoout-fix.md delete mode 100644 docs/release-notes.d/zcbor-fix.md delete mode 100644 docs/release-notes.d/zcbor-update.md delete mode 100644 docs/release-notes.d/zephyr-bs-extensions.md delete mode 100644 
docs/release-notes.d/zephyr-data-sharing.md delete mode 100644 docs/release-notes.d/zephyr-debug.md delete mode 100644 docs/release-notes.d/zephyr-encryption.md diff --git a/docs/release-notes.d/boot-open-failure.md b/docs/release-notes.d/boot-open-failure.md deleted file mode 100644 index 25f80c261..000000000 --- a/docs/release-notes.d/boot-open-failure.md +++ /dev/null @@ -1,2 +0,0 @@ -- Add error when flash device fails to open. -- Panic bootloader when flash device fails to open. diff --git a/docs/release-notes.d/bs-encrypted-list.md b/docs/release-notes.d/bs-encrypted-list.md deleted file mode 100644 index 869649585..000000000 --- a/docs/release-notes.d/bs-encrypted-list.md +++ /dev/null @@ -1,4 +0,0 @@ -- Fixed issue with serial recovery not showing image details for - decrypted images. -- Fixes issue with serial recovery in single slot mode wrongly - iterating over 2 image slots. diff --git a/docs/release-notes.d/cddl-change.md b/docs/release-notes.d/cddl-change.md deleted file mode 100644 index 17852eda1..000000000 --- a/docs/release-notes.d/cddl-change.md +++ /dev/null @@ -1,2 +0,0 @@ -- CDDL auto-generated function code has been replaced with zcbor function - calls, this now allows the parameters to be supplied in any order. diff --git a/docs/release-notes.d/data-sharing.md b/docs/release-notes.d/data-sharing.md deleted file mode 100644 index 767aaada1..000000000 --- a/docs/release-notes.d/data-sharing.md +++ /dev/null @@ -1,2 +0,0 @@ -- Added currently running slot ID and maximum application size to - shared data function definition. diff --git a/docs/release-notes.d/ecdsa-tlv-p384.md b/docs/release-notes.d/ecdsa-tlv-p384.md deleted file mode 100644 index 48a70f2cd..000000000 --- a/docs/release-notes.d/ecdsa-tlv-p384.md +++ /dev/null @@ -1,2 +0,0 @@ -- Make the ECDSA256 TLV curve agnostic and rename it to ECDSA_SIG. -- imgtool: add P384 support along with SHA384. 
diff --git a/docs/release-notes.d/espressif-hal-updates.md b/docs/release-notes.d/espressif-hal-updates.md deleted file mode 100644 index 121c8853a..000000000 --- a/docs/release-notes.d/espressif-hal-updates.md +++ /dev/null @@ -1,3 +0,0 @@ -- espressif: refactor after removing IDF submodule -- espressif: add ESP32-C6, ESP32-C2 and ESP32-H2 new chips support -- espressif: adjustments after IDF v5.1 compatibility, secure boot build and memory map organization diff --git a/docs/release-notes.d/img-state.md b/docs/release-notes.d/img-state.md deleted file mode 100644 index 1302be365..000000000 --- a/docs/release-notes.d/img-state.md +++ /dev/null @@ -1 +0,0 @@ -- Serial recovery image state and image set state optional commands added diff --git a/docs/release-notes.d/imgtool-getpub-hash.md b/docs/release-notes.d/imgtool-getpub-hash.md deleted file mode 100644 index 1613876ae..000000000 --- a/docs/release-notes.d/imgtool-getpub-hash.md +++ /dev/null @@ -1 +0,0 @@ -- imgtool: add 'getpubhash' command to dump the sha256 hash of the public key diff --git a/docs/release-notes.d/imgtool-getpub-output-file.md b/docs/release-notes.d/imgtool-getpub-output-file.md deleted file mode 100644 index 414a7c934..000000000 --- a/docs/release-notes.d/imgtool-getpub-output-file.md +++ /dev/null @@ -1 +0,0 @@ -- imgtool's getpub can print the output to a file diff --git a/docs/release-notes.d/imgtool-getpub-raw.md b/docs/release-notes.d/imgtool-getpub-raw.md deleted file mode 100644 index 468edd6c1..000000000 --- a/docs/release-notes.d/imgtool-getpub-raw.md +++ /dev/null @@ -1 +0,0 @@ -- imgtool can dump the raw versions of the public keys diff --git a/docs/release-notes.d/imgtool_dumpinfo.md b/docs/release-notes.d/imgtool_dumpinfo.md deleted file mode 100644 index 81e97e324..000000000 --- a/docs/release-notes.d/imgtool_dumpinfo.md +++ /dev/null @@ -1 +0,0 @@ -- imgtool: add 'dumpinfo' command for signed image parsing. 
diff --git a/docs/release-notes.d/p224-removal.md b/docs/release-notes.d/p224-removal.md deleted file mode 100644 index 07a5d92da..000000000 --- a/docs/release-notes.d/p224-removal.md +++ /dev/null @@ -1 +0,0 @@ -- Drop ECDSA P224 support diff --git a/docs/release-notes.d/serial-timeoout-fix.md b/docs/release-notes.d/serial-timeoout-fix.md deleted file mode 100644 index 439e03fc7..000000000 --- a/docs/release-notes.d/serial-timeoout-fix.md +++ /dev/null @@ -1,4 +0,0 @@ -- Fixed an issue with boot_serial repeats not being processed when - output was sent, this would lead to a divergence of commands - whereby later commands being sent would have the previous command - output sent instead. diff --git a/docs/release-notes.d/zcbor-fix.md b/docs/release-notes.d/zcbor-fix.md deleted file mode 100644 index 6f191df91..000000000 --- a/docs/release-notes.d/zcbor-fix.md +++ /dev/null @@ -1,3 +0,0 @@ -- Fixed an issue with the boot_serial zcbor setup encoder function - wrongly including the buffer address in the size which caused - serial recovery to fail on some platforms. diff --git a/docs/release-notes.d/zcbor-update.md b/docs/release-notes.d/zcbor-update.md deleted file mode 100644 index ec6c7908a..000000000 --- a/docs/release-notes.d/zcbor-update.md +++ /dev/null @@ -1 +0,0 @@ -- zcbor library files have been updated to version 0.7.0 diff --git a/docs/release-notes.d/zephyr-bs-extensions.md b/docs/release-notes.d/zephyr-bs-extensions.md deleted file mode 100644 index 0cc748367..000000000 --- a/docs/release-notes.d/zephyr-bs-extensions.md +++ /dev/null @@ -1,3 +0,0 @@ -- Reworked boot serial extensions so that they can be used by modules - or from user repositories by switching to iterable sections. -- Removed Zephyr custom img list boot serial extension support. diff --git a/docs/release-notes.d/zephyr-data-sharing.md b/docs/release-notes.d/zephyr-data-sharing.md deleted file mode 100644 index fceb9f532..000000000 
--- a/docs/release-notes.d/zephyr-data-sharing.md +++ /dev/null @@ -1,2 +0,0 @@ -- (Zephyr) Adds support for sharing boot information with - application via retention subsystem diff --git a/docs/release-notes.d/zephyr-debug.md b/docs/release-notes.d/zephyr-debug.md deleted file mode 100644 index 71a09f75e..000000000 --- a/docs/release-notes.d/zephyr-debug.md +++ /dev/null @@ -1,2 +0,0 @@ -- Zephyr no longer builds in optimize for debug mode, this saves a - significant amount of flash space. diff --git a/docs/release-notes.d/zephyr-encryption.md b/docs/release-notes.d/zephyr-encryption.md deleted file mode 100644 index f60e18f84..000000000 --- a/docs/release-notes.d/zephyr-encryption.md +++ /dev/null @@ -1,9 +0,0 @@ -- Reworked image encryption support for Zephyr, static dummy key files - are no longer in the code, a pem file must be supplied to extract - the private and public keys. The Kconfig menu has changed to only - show a single option for enabling encryption and selecting the key - file. -- Serial recovery can now read and handle encrypted seondary slot - partitions. -- Serial recovery with MBEDTLS no longer has undefined operations which - led to usage faults when the secondary slot image was encrypted. diff --git a/docs/release-notes.md b/docs/release-notes.md index 00bb6261e..2fc96f74a 100644 --- a/docs/release-notes.md +++ b/docs/release-notes.md 
@@ -3,6 +3,68 @@ - Table of Contents {:toc} +## Version 2.0.0 + +Note that this release, 2.0.0 is a new major number, and contains a small API +change in the interface between mcuboot and the platform. All platforms +contained within the MCUboot tree have been updated, but any external platforms +will have to be adjusted. The following commit makes the API change, in the +function `boot_save_shared_data`. + + commit 3016d00cd765e7c09a14af55fb4dcad945e4b982 + Author: Jamie McCrae + Date: Tue Mar 14 12:35:51 2023 +0000 + + bootutil: Add active slot number and max app size to shared data + +### About this release + +- Add error when flash device fails to open. +- Panic bootloader when flash device fails to open. +- Fixed issue with serial recovery not showing image details for + decrypted images. +- Fixes issue with serial recovery in single slot mode wrongly + iterating over 2 image slots. +- CDDL auto-generated function code has been replaced with zcbor function + calls, this now allows the parameters to be supplied in any order. +- Added currently running slot ID and maximum application size to + shared data function definition. +- Make the ECDSA256 TLV curve agnostic and rename it to ECDSA_SIG. +- imgtool: add P384 support along with SHA384. +- espressif: refactor after removing IDF submodule +- espressif: add ESP32-C6, ESP32-C2 and ESP32-H2 new chips support +- espressif: adjustments after IDF v5.1 compatibility, secure boot build and memory map organization +- Serial recovery image state and image set state optional commands added +- imgtool: add 'dumpinfo' command for signed image parsing. 
+- imgtool: add 'getpubhash' command to dump the sha256 hash of the public key +- imgtool's getpub can print the output to a file +- imgtool can dump the raw versions of the public keys +- Drop ECDSA P224 support +- Fixed an issue with boot_serial repeats not being processed when + output was sent, this would lead to a divergence of commands + whereby later commands being sent would have the previous command + output sent instead. +- Fixed an issue with the boot_serial zcbor setup encoder function + wrongly including the buffer address in the size which caused + serial recovery to fail on some platforms. +- zcbor library files have been updated to version 0.7.0 +- Reworked boot serial extensions so that they can be used by modules + or from user repositories by switching to iterable sections. +- Removed Zephyr custom img list boot serial extension support. +- (Zephyr) Adds support for sharing boot information with + application via retention subsystem +- Zephyr no longer builds in optimize for debug mode, this saves a + significant amount of flash space. +- Reworked image encryption support for Zephyr, static dummy key files + are no longer in the code, a pem file must be supplied to extract + the private and public keys. The Kconfig menu has changed to only + show a single option for enabling encryption and selecting the key + file. +- Serial recovery can now read and handle encrypted seondary slot + partitions. +- Serial recovery with MBEDTLS no longer has undefined operations which + led to usage faults when the secondary slot image was encrypted. + ## Version 1.10.0 The 1.10.0 release of MCUboot contains... From 6a6de4b26ab0c947eed4a35bda35841681232ea3 Mon Sep 17 00:00:00 2001 From: David Brown Date: Thu, 28 Sep 2023 11:42:15 -0600 Subject: [PATCH 034/113] scripts: imgtool: update to 2.0.0-rc1 release Update the version of imgtool. This should auto-publish when released. 
Signed-off-by: David Brown --- scripts/imgtool/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/imgtool/__init__.py b/scripts/imgtool/__init__.py index ea5502494..04e2fec5f 100644 --- a/scripts/imgtool/__init__.py +++ b/scripts/imgtool/__init__.py @@ -14,4 +14,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -imgtool_version = "1.10.0" +imgtool_version = "2.0.0rc1" From 4fe28b3cf6d30c3e57d6a4f7ee3dba8617aa9a0a Mon Sep 17 00:00:00 2001 From: David Brown Date: Thu, 28 Sep 2023 11:45:08 -0600 Subject: [PATCH 035/113] Update zephyr version files for 2.0.0-rc1 Update for the rc1 release. Signed-off-by: David Brown --- README.md | 2 +- boot/zephyr/VERSION | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 5bf3f384e..d4a8fb602 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ [travis]: https://travis-ci.org/mcu-tools/mcuboot [license]: https://github.com/mcu-tools/mcuboot/blob/main/LICENSE -This is MCUboot version 1.11.0-dev +This is MCUboot version 2.0.0-rc1 MCUboot is a secure bootloader for 32-bits microcontrollers. It defines a common infrastructure for the bootloader and the system flash layout on diff --git a/boot/zephyr/VERSION b/boot/zephyr/VERSION index 465a40304..c359e4c0f 100644 --- a/boot/zephyr/VERSION +++ b/boot/zephyr/VERSION @@ -1,5 +1,5 @@ -VERSION_MAJOR = 1 -VERSION_MINOR = 11 -PATCHLEVEL = 99 +VERSION_MAJOR = 2 +VERSION_MINOR = 0 +PATCHLEVEL = 0 VERSION_TWEAK = 0 -EXTRAVERSION = dev +EXTRAVERSION = rc1 From 13767d0b72eb14ce42eb8aad1e5a133ef66afc54 Mon Sep 17 00:00:00 2001 From: Andrej Butok Date: Wed, 4 Oct 2023 10:18:26 +0200 Subject: [PATCH 036/113] bootutil: Disable MCUBOOT_BOOT_MAX_ALIGN assert for non-swap modes - Assert should be checked only for SWAP update modes. - Allow platforms with page size >32 Bytes (e.g. LPC) to use MCUBoot, at least for non-SWAP update modes. 
Signed-off-by: Andrej Butok
--- boot/bootutil/include/bootutil/bootutil_public.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/boot/bootutil/include/bootutil/bootutil_public.h b/boot/bootutil/include/bootutil/bootutil_public.h
index e8d83a1d2..b2d5a5de8 100644
--- a/boot/bootutil/include/bootutil/bootutil_public.h
+++ b/boot/bootutil/include/bootutil/bootutil_public.h
@@ -85,8 +85,10 @@ extern "C" {
 #ifdef MCUBOOT_BOOT_MAX_ALIGN
+#if defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_SCRATCH)
 _Static_assert(MCUBOOT_BOOT_MAX_ALIGN >= 8 && MCUBOOT_BOOT_MAX_ALIGN <= 32,
- "Unsupported value for MCUBOOT_BOOT_MAX_ALIGN");
+ "Unsupported value for MCUBOOT_BOOT_MAX_ALIGN for SWAP upgrade modes");
+#endif
 #define BOOT_MAX_ALIGN MCUBOOT_BOOT_MAX_ALIGN
 #define BOOT_MAGIC_ALIGN_SIZE ALIGN_UP(BOOT_MAGIC_SZ, BOOT_MAX_ALIGN)
From 9b92ee918f4c30d924aa98c405a057e15b312cbc Mon Sep 17 00:00:00 2001 From: Andrej Butok Date: Thu, 5 Oct 2023 11:07:33 +0200 Subject: [PATCH 037/113] boot: zephyr: add support for LPC55Sxx Add configuration for LPC55Sxx to MCUBoot. It supports the upgrade only mode. Signed-off-by: Andrej Butok
--- boot/zephyr/boards/lpcxpresso55s06.conf | 6 ++++++ boot/zephyr/boards/lpcxpresso55s16.conf | 6 ++++++ boot/zephyr/boards/lpcxpresso55s36.conf | 6 ++++++ boot/zephyr/boards/lpcxpresso55s69_cpu0.conf | 6 ++++++ 4 files changed, 24 insertions(+) create mode 100644 boot/zephyr/boards/lpcxpresso55s06.conf create mode 100644 boot/zephyr/boards/lpcxpresso55s16.conf create mode 100644 boot/zephyr/boards/lpcxpresso55s36.conf create mode 100644 boot/zephyr/boards/lpcxpresso55s69_cpu0.conf
diff --git a/boot/zephyr/boards/lpcxpresso55s06.conf b/boot/zephyr/boards/lpcxpresso55s06.conf new file mode 100644
index 000000000..c0f96374c
--- /dev/null
+++ b/boot/zephyr/boards/lpcxpresso55s06.conf
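Review bot: Wrapping the whole `_Static_assert` in `#if defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_SCRATCH)` removes the `>= 8` lower bound along with the 32-byte ceiling, so an overwrite-only or direct-XIP build can now set `MCUBOOT_BOOT_MAX_ALIGN` to 0, 3 or any non-power-of-two and the `ALIGN_UP(BOOT_MAGIC_SZ, BOOT_MAX_ALIGN)` on the next line silently yields a wrong trailer layout (if `ALIGN_UP` is the usual mask-based macro it assumes a power of two). Keep a mode-independent check outside the new `#if`, e.g. `_Static_assert(MCUBOOT_BOOT_MAX_ALIGN >= 8 && (MCUBOOT_BOOT_MAX_ALIGN & (MCUBOOT_BOOT_MAX_ALIGN - 1)) == 0, "MCUBOOT_BOOT_MAX_ALIGN must be a power of two >= 8");` and leave only the `<= 32` ceiling under the swap guard. The commit message motivates the change with page sizes above 32 bytes, which is the ceiling, not the sanity bounds.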
@@ -0,0 +1,6 @@ +# Copyright 2023 NXP +# SPDX-License-Identifier: Apache-2.0 + +#LPC does not support the MCUBoot swap mode. +CONFIG_BOOT_UPGRADE_ONLY=y +CONFIG_BOOT_MAX_IMG_SECTORS=256 diff --git a/boot/zephyr/boards/lpcxpresso55s16.conf b/boot/zephyr/boards/lpcxpresso55s16.conf new file mode 100644 index 000000000..c0f96374c --- /dev/null +++ b/boot/zephyr/boards/lpcxpresso55s16.conf @@ -0,0 +1,6 @@ +# Copyright 2023 NXP +# SPDX-License-Identifier: Apache-2.0 + +#LPC does not support the MCUBoot swap mode. +CONFIG_BOOT_UPGRADE_ONLY=y +CONFIG_BOOT_MAX_IMG_SECTORS=256 diff --git a/boot/zephyr/boards/lpcxpresso55s36.conf b/boot/zephyr/boards/lpcxpresso55s36.conf new file mode 100644 index 000000000..c0f96374c --- /dev/null +++ b/boot/zephyr/boards/lpcxpresso55s36.conf @@ -0,0 +1,6 @@ +# Copyright 2023 NXP +# SPDX-License-Identifier: Apache-2.0 + +#LPC does not support the MCUBoot swap mode. +CONFIG_BOOT_UPGRADE_ONLY=y +CONFIG_BOOT_MAX_IMG_SECTORS=256 diff --git a/boot/zephyr/boards/lpcxpresso55s69_cpu0.conf b/boot/zephyr/boards/lpcxpresso55s69_cpu0.conf new file mode 100644 index 000000000..fbe7b6723 --- /dev/null +++ b/boot/zephyr/boards/lpcxpresso55s69_cpu0.conf @@ -0,0 +1,6 @@ +# Copyright 2023 NXP +# SPDX-License-Identifier: Apache-2.0 + +#LPC does not support the MCUBoot swap mode. +CONFIG_BOOT_UPGRADE_ONLY=y +CONFIG_BOOT_MAX_IMG_SECTORS=512 From d3819c90b48e8db66215deb917e731f3b6a3f118 Mon Sep 17 00:00:00 2001 From: Almir Okato Date: Wed, 4 Oct 2023 19:42:40 -0300 Subject: [PATCH 038/113] espressif: allow the use of a different toolchain for building TOOLCHAIN_BIN_DIR can be defined for a different toolchain use. Signed-off-by: Almir Okato --- boot/espressif/CMakeLists.txt | 41 +++++++++++++++++++++-- docs/readme-espressif.md | 5 +++ docs/release-notes.d/espressif-updates.md | 1 + 3 files changed, 44 insertions(+), 3 deletions(-) create mode 100644 docs/release-notes.d/espressif-updates.md 
diff --git a/boot/espressif/CMakeLists.txt b/boot/espressif/CMakeLists.txt index bc7868f8f..bc703fc24 100644 --- a/boot/espressif/CMakeLists.txt +++ b/boot/espressif/CMakeLists.txt @@ -11,8 +11,6 @@ if (NOT DEFINED MCUBOOT_TARGET) message(FATAL_ERROR "MCUBOOT_TARGET not defined. Please pass -DMCUBOOT_TARGET flag.") endif() -project(mcuboot_${MCUBOOT_TARGET}) - add_definitions(-DMCUBOOT_TARGET=${MCUBOOT_TARGET}) add_definitions(-D__ESPRESSIF__=1) 
@@ -27,6 +25,41 @@ elseif("${MCUBOOT_TARGET}" STREQUAL "esp32c3" OR set(MCUBOOT_ARCH "riscv") endif() +if (NOT DEFINED CMAKE_TOOLCHAIN_FILE) + if (DEFINED TOOLCHAIN_BIN_DIR) + message("CMAKE_TOOLCHAIN_FILE not defined, searching for toolchain compiler in TOOLCHAIN_BIN_DIR: ${TOOLCHAIN_BIN_DIR}") + set(CMAKE_SYSTEM_NAME Generic) + + file(GLOB C_COMPILER_BIN "${TOOLCHAIN_BIN_DIR}/*${MCUBOOT_ARCH}*elf-gcc") + if (NOT C_COMPILER_BIN) + message(FATAL_ERROR "No C compiler found. Please ensure that TOOLCHAIN_BIN_DIR directory contains a set of C compiling tools compatible with the target") + endif() + set(CMAKE_C_COMPILER ${C_COMPILER_BIN}) + set(CMAKE_ASM_COMPILER ${C_COMPILER_BIN}) + message("C compiler found: ${CMAKE_C_COMPILER}") + + file(GLOB CXX_COMPILER_BIN "${TOOLCHAIN_BIN_DIR}/*${MCUBOOT_ARCH}*elf-g++") + if (NOT CXX_COMPILER_BIN) + message(FATAL_ERROR "No C++ compiler found. Please ensure that TOOLCHAIN_BIN_DIR directory contains a set of C++ compiling tools compatible with the target") + endif() + set(CMAKE_CXX_COMPILER ${CXX_COMPILER_BIN}) + message("CXX compiler found: ${CMAKE_CXX_COMPILER}") + else() + # Set toolchain file that expect the same toolchain as IDF sets on PATH + set(CMAKE_TOOLCHAIN_FILE ${CMAKE_CURRENT_LIST_DIR}/tools/toolchain-${MCUBOOT_TARGET}.cmake) + message("No user-defined toolchain, setting default toolchain file: ${CMAKE_TOOLCHAIN_FILE}") + endif() + + # This flag is needed when redefining a different compiler toolchain at this point + # on CMakeLists, the reason is that CMake does a compiler testing prior to building + # that may fail due to cross-compilation + set(CMAKE_TRY_COMPILE_TARGET_TYPE "STATIC_LIBRARY") +else() + message("CMAKE_TOOLCHAIN_FILE: ${CMAKE_TOOLCHAIN_FILE}") +endif() + +project(mcuboot_${MCUBOOT_TARGET}) + # Set the minimum revision for each supported chip if ("${MCUBOOT_TARGET}" STREQUAL "esp32") set(ESP_MIN_REVISION 3) 
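Review bot: `file(GLOB C_COMPILER_BIN "${TOOLCHAIN_BIN_DIR}/*${MCUBOOT_ARCH}*elf-gcc")` can match more than one file (two toolchain versions side by side, or a wrapper sharing the suffix), and then `set(CMAKE_C_COMPILER ${C_COMPILER_BIN})` receives a semicolon-separated list and the later compiler test fails with an unrelated error; the same applies to `CXX_COMPILER_BIN`. Require exactly one match after each glob: `list(LENGTH C_COMPILER_BIN _ncc)` / `if (NOT _ncc EQUAL 1)` / `message(FATAL_ERROR "Expected exactly one C compiler in TOOLCHAIN_BIN_DIR, found: ${C_COMPILER_BIN}")`. Since the wildcard selects whichever binary sits in a user-supplied directory, the `message("C compiler found: ...")` lines are the only record of what was actually used, so keep them in the configure output rather than demoting them.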
@@ -50,10 +83,12 @@ if (NOT DEFINED ESP_HAL_PATH) if (DEFINED ENV{ESP_HAL_PATH}) set(ESP_HAL_PATH $ENV{ESP_HAL_PATH}) else() - message(WARNING "ESP_HAL_PATH not found. Please set -DESP_HAL_PATH parameter or define ESP_HAL_PATH environment variable.") + message(WARNING "ESP_HAL_PATH not defined, checking if IDF_PATH exists.") if (DEFINED ENV{IDF_PATH}) set(ESP_HAL_PATH $ENV{IDF_PATH}) message("IDF installation found in the system, using IDF_PATH as ESP_HAL_PATH.") + else () + message(FATAL_ERROR "Please set -DESP_HAL_PATH parameter or define ESP_HAL_PATH environment variable.") endif() endif() endif() diff --git a/docs/readme-espressif.md b/docs/readme-espressif.md index dc236fbdd..21004df98 100644 --- a/docs/readme-espressif.md +++ b/docs/readme-espressif.md @@ -107,6 +107,11 @@ Additional configuration related to MCUboot features and slot partitioning may b *If using ESP-IDF as HAL layer source, `ESP_HAL_PATH` can be ommited.* + *If desirable, `` can be defined with the path for a different compatible + toolchain, however it is recommended to actually create a CMake toolchain file and + pass it through `` variable since it may require a distinct set of + compilation flags.* + --- 2. Flash MCUboot in your device: diff --git a/docs/release-notes.d/espressif-updates.md b/docs/release-notes.d/espressif-updates.md new file mode 100644 index 000000000..11b918205 --- /dev/null +++ b/docs/release-notes.d/espressif-updates.md @@ -0,0 +1 @@ +espressif: allow the use of a different toolchain for building From e0bdcdecec1c628d0bd6ba7f0c4723b5476708e9 Mon Sep 17 00:00:00 2001 From: David Brown Date: Wed, 18 Oct 2023 14:23:59 -0600 Subject: [PATCH 039/113] Update version files for 2.0.0 Update documentation and version tags for final 2.0.0 release. 
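Review bot: `message(WARNING "ESP_HAL_PATH not defined, checking if IDF_PATH exists.")` reports the normal `IDF_PATH` fallback at warning level, so every build that relies on an IDF install prints a warning for a supported configuration; `message(STATUS "ESP_HAL_PATH not defined, checking if IDF_PATH exists.")` fits, and the actionable text already lives in the new `FATAL_ERROR` branch. The added `else ()` also differs from the `else()` spelling used in the other hunks of this file.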
Signed-off-by: David Brown --- README.md | 2 +- boot/zephyr/VERSION | 2 +- docs/release-notes.d/espressif-updates.md | 1 - docs/release-notes.md | 1 + scripts/imgtool/__init__.py | 2 +- 5 files changed, 4 insertions(+), 4 deletions(-) delete mode 100644 docs/release-notes.d/espressif-updates.md diff --git a/README.md b/README.md index d4a8fb602..fdb3f8a84 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ [travis]: https://travis-ci.org/mcu-tools/mcuboot [license]: https://github.com/mcu-tools/mcuboot/blob/main/LICENSE -This is MCUboot version 2.0.0-rc1 +This is MCUboot version 2.0.0 MCUboot is a secure bootloader for 32-bits microcontrollers. It defines a common infrastructure for the bootloader and the system flash layout on diff --git a/boot/zephyr/VERSION b/boot/zephyr/VERSION index c359e4c0f..f646e74ba 100644 --- a/boot/zephyr/VERSION +++ b/boot/zephyr/VERSION @@ -2,4 +2,4 @@ VERSION_MAJOR = 2 VERSION_MINOR = 0 PATCHLEVEL = 0 VERSION_TWEAK = 0 -EXTRAVERSION = rc1 +EXTRAVERSION = diff --git a/docs/release-notes.d/espressif-updates.md b/docs/release-notes.d/espressif-updates.md deleted file mode 100644 index 11b918205..000000000 --- a/docs/release-notes.d/espressif-updates.md +++ /dev/null @@ -1 +0,0 @@ -espressif: allow the use of a different toolchain for building diff --git a/docs/release-notes.md b/docs/release-notes.md index 2fc96f74a..45b32e6e2 100644 --- a/docs/release-notes.md +++ b/docs/release-notes.md @@ -64,6 +64,7 @@ function `boot_save_shared_data`. partitions. - Serial recovery with MBEDTLS no longer has undefined operations which led to usage faults when the secondary slot image was encrypted. +- espressif: allow the use of a different toolchain for building ## Version 1.10.0 diff --git a/scripts/imgtool/__init__.py b/scripts/imgtool/__init__.py index 04e2fec5f..249e23c95 100644 --- a/scripts/imgtool/__init__.py +++ b/scripts/imgtool/__init__.py 
@@ -14,4 +14,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -imgtool_version = "2.0.0rc1" +imgtool_version = "2.0.0" From 304fd41980ed929533b9f387dde1b463b0be5b90 Mon Sep 17 00:00:00 2001 From: Fabio Utzig Date: Sun, 22 Oct 2023 20:20:31 -0300 Subject: [PATCH 040/113] mynewt: update to release 2.0.0 Update Mynewt metadata for v2.0.0 release. Signed-off-by: Fabio Utzig Signed-off-by: David Brown --- repository.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/repository.yml b/repository.yml index 43023035e..fab3830da 100644 --- a/repository.yml +++ b/repository.yml @@ -36,9 +36,12 @@ repo.versions: "1.8.0": "v1.8.0" "1.9.0": "v1.9.0" "1.10.0": "v1.10.0" + "2.0.0": "v2.0.0" "0-dev": "0.0.0" # main - "0-latest": "1.10.0" # latest stable release - "1-latest": "1.10.0" # latest stable release + "0-latest": "2.0.0" # latest stable release + "1-latest": "1.11.0" + "2-latest": "2.0.0" - "1.0-latest": "1.10.0" + "1.0-latest": "1.11.0" + "2.0-latest": "2.0.0" From 301d5655607fe4b1dfa963d36a0268a357ecb59d Mon Sep 17 00:00:00 2001 From: David Brown Date: Fri, 27 Oct 2023 13:14:45 -0600 Subject: [PATCH 041/113] readme: update for next dev release Bump version described in README to a development version of the next release. Signed-off-by: David Brown --- README.md | 2 +- boot/zephyr/VERSION | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index fdb3f8a84..7211e2284 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ [travis]: https://travis-ci.org/mcu-tools/mcuboot [license]: https://github.com/mcu-tools/mcuboot/blob/main/LICENSE -This is MCUboot version 2.0.0 +This is MCUboot version 2.1.0-dev MCUboot is a secure bootloader for 32-bits microcontrollers. It defines a common infrastructure for the bootloader and the system flash layout on diff --git a/boot/zephyr/VERSION b/boot/zephyr/VERSION index f646e74ba..428a3550d 100644 
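Review bot: `"1-latest": "1.11.0"` and `"1.0-latest": "1.11.0"` in the repository.yml hunk point at a release that is not in the `repo.versions` map as shown (1.8.0, 1.9.0, 1.10.0 and the newly added 2.0.0), so the 1.x aliases would resolve to a tag that does not exist unless 1.11.0 is declared elsewhere in the file. Either keep them at `"1.10.0"`, the last visible 1.x release, or add `"1.11.0": "v1.11.0"` next to the 2.0.0 entry. The `# latest stable release` comment was also dropped from the `1-latest` line while `0-latest` keeps it, which is worth making consistent.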
--- a/boot/zephyr/VERSION +++ b/boot/zephyr/VERSION @@ -1,5 +1,5 @@ VERSION_MAJOR = 2 -VERSION_MINOR = 0 +VERSION_MINOR = 1 PATCHLEVEL = 0 VERSION_TWEAK = 0 -EXTRAVERSION = +EXTRAVERSION = dev From 25b7c7a8e7322503358b1f68e3d62f4453847748 Mon Sep 17 00:00:00 2001 From: Andrej Butok Date: Thu, 5 Oct 2023 13:00:17 +0200 Subject: [PATCH 042/113] imgtool: make "align" command line parameter optional Align parameter should be optional: - it has a default value. - it is not used for non-swap update modes. Signed-off-by: Andrej Butok --- scripts/imgtool/main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py index c3fce5435..a38abe7d0 100755 --- a/scripts/imgtool/main.py +++ b/scripts/imgtool/main.py @@ -377,7 +377,7 @@ def convert(self, value, param, ctx): 'keyword to automatically generate it from the image version.') @click.option('-v', '--version', callback=validate_version, required=True) @click.option('--align', type=click.Choice(['1', '2', '4', '8', '16', '32']), - required=True) + required=False) @click.option('--max-align', type=click.Choice(['8', '16', '32']), required=False, help='Maximum flash alignment. Set if flash alignment of the ' From 2b924da4644f296d290eff0ffa0dc17eafd26398 Mon Sep 17 00:00:00 2001 From: Andrej Butok Date: Wed, 11 Oct 2023 09:44:11 +0200 Subject: [PATCH 043/113] samples: zephyr: Use the default MCUBoot PEM key file. Use the default MCUBoot PEM key file in hello-world project settings. Without it the application is not verified by MCUBoot. Signed-off-by: Andrej Butok --- samples/zephyr/hello-world/prj.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/samples/zephyr/hello-world/prj.conf b/samples/zephyr/hello-world/prj.conf index cc674062a..12990aacb 100644 --- a/samples/zephyr/hello-world/prj.conf +++ b/samples/zephyr/hello-world/prj.conf 
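Review bot: Dropping `required=True` on `--align` without adding `default=` means `align` arrives as `None` whenever the flag is omitted; the commit message says the parameter already has a default, but the decorator as shown declares none, so whichever code consumes `align` (outside this hunk) must now tolerate `None`. If a default exists in the consumer, declaring it on the option with `default=` makes `--help` advertise it and keeps the Click layer the single place where the value is decided. The decorated command definition continues outside the hunk.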
@@ -7,3 +7,6 @@ CONFIG_STDOUT_CONSOLE=y # Enable Zephyr application to be booted by MCUboot CONFIG_BOOTLOADER_MCUBOOT=y + +# Use the default MCUBoot PEM key file (BOOT_SIGNATURE_KEY_FILE) +CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="bootloader/mcuboot/root-rsa-2048.pem" From 4a1effbc301fc302ecbaf40d4eb2be520b53010d Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Tue, 31 Oct 2023 10:16:05 +0000 Subject: [PATCH 044/113] zephyr: Remove deprecated ZEPHYR_TRY_MASS_ERASE option This option was deprecated 8 months ago, remove it. Signed-off-by: Jamie McCrae --- boot/zephyr/CMakeLists.txt | 20 ------------------- boot/zephyr/Kconfig | 14 ------------- .../boards/nrf52_minimal_footprint.conf | 1 - 3 files changed, 35 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 159ef5d3d..ad4c823f2 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -6,26 +6,6 @@ cmake_minimum_required(VERSION 3.13.1) -# Enable Zephyr runner options which request mass erase if so -# configured. -# -# Note that this also disables the default "leave" option when -# targeting STM32 DfuSe devices with dfu-util, making the chip stay in -# the bootloader after flashing. -# -# That's the right thing, because mcuboot has nothing to do since the -# chip was just erased. The next thing the user is going to want to do -# is flash the application. (Developers can reset DfuSE devices -# manually to test mcuboot behavior on an otherwise erased flash -# device.) -macro(app_set_runner_args) - if(CONFIG_ZEPHYR_TRY_MASS_ERASE) - board_runner_args(dfu-util "--dfuse-modifiers=force:mass-erase") - board_runner_args(pyocd "--flash-opt=-e=chip") - board_runner_args(nrfjprog "--erase") - endif() -endmacro() - # find_package(Zephyr) in order to load application boilerplate: # http://docs.zephyrproject.org/application/application.html find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) 
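Review bot: `CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="bootloader/mcuboot/root-rsa-2048.pem"` selects the development key that ships in the MCUboot repository; that key is public, so a signature made with it says nothing about where an image came from, which is fine for a hello-world sample but not for anything derived from it. The added comment only names the bootloader option it mirrors; extend it so the sample is not copied into a product unchanged: `# Development key shipped with MCUboot (mirrors the bootloader's default BOOT_SIGNATURE_KEY_FILE); replace with a project-specific key before any production build`.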
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 9517e91e0..78fe793ed 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -546,20 +546,6 @@ config BOOT_USB_DFU_DETECT_DELAY endif # BOOT_USB_DFU_GPIO -config ZEPHYR_TRY_MASS_ERASE - bool "Try to mass erase flash when flashing MCUboot image (DEPRECATED)" - select DEPRECATED - help - If y, attempt to configure the Zephyr build system's "flash" - target to mass-erase the flash device before flashing the - MCUboot image. This ensures the scratch and other partitions - are in a consistent state. - - This is not available for all targets. - - This option has been deprecated, to perform a mass erase when - flashing a board, `west flash --erase` should be used instead. - config BOOT_USE_BENCH bool "Enable benchmark code" default n diff --git a/boot/zephyr/boards/nrf52_minimal_footprint.conf b/boot/zephyr/boards/nrf52_minimal_footprint.conf index c315b441a..e070b2d07 100644 --- a/boot/zephyr/boards/nrf52_minimal_footprint.conf +++ b/boot/zephyr/boards/nrf52_minimal_footprint.conf @@ -16,7 +16,6 @@ CONFIG_BOOT_SIGNATURE_KEY_FILE="root-ec-p256.pem" # by reliability reason. CONFIG_BOOT_UPGRADE_ONLY=y -# CONFIG_ZEPHYR_TRY_MASS_ERASE is not set # CONFIG_BOARD_ENABLE_DCDC is not set CONFIG_SOC_SERIES_NRF52X=y CONFIG_SOC_NRF52832_QFAA=y From 822b6cb710ff103880dda15f450382e393a2ed35 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Mon, 6 Nov 2023 14:40:05 +0000 Subject: [PATCH 045/113] boot: zephyr: serial_adapter: Fail if USB CDC enabled with console This prevents MCUboot from successfully building if console and serial recovery (USB CDC) are both enabled and they both point to the same device Signed-off-by: Jamie McCrae --- boot/zephyr/serial_adapter.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/boot/zephyr/serial_adapter.c b/boot/zephyr/serial_adapter.c index d6be6857a..bff34a250 100644 --- a/boot/zephyr/serial_adapter.c +++ b/boot/zephyr/serial_adapter.c 
@@ -25,12 +25,13 @@ #if defined(CONFIG_BOOT_SERIAL_UART) && defined(CONFIG_UART_CONSOLE) && \ (!DT_HAS_CHOSEN(zephyr_uart_mcumgr) || \ DT_SAME_NODE(DT_CHOSEN(zephyr_uart_mcumgr), DT_CHOSEN(zephyr_console))) -#error Zephyr UART console must been disabled if serial_adapter module is used. +#error Zephyr UART console must be disabled if serial_adapter module is used. #endif #if defined(CONFIG_BOOT_SERIAL_CDC_ACM) && \ - defined(CONFIG_UART_CONSOLE) && !DT_HAS_CHOSEN(zephyr_uart_mcumgr) -#error Zephyr UART console must been disabled if CDC ACM is enabled and MCUmgr \ + defined(CONFIG_UART_CONSOLE) && (!DT_HAS_CHOSEN(zephyr_uart_mcumgr) || \ + DT_SAME_NODE(DT_CHOSEN(zephyr_uart_mcumgr), DT_CHOSEN(zephyr_console))) +#error Zephyr UART console must be disabled if CDC ACM is enabled and MCUmgr \ has not been redirected to other UART with DTS chosen zephyr,uart-mcumgr. #endif @@ -199,7 +200,6 @@ boot_uart_fifo_getline(char **line) static int boot_uart_fifo_init(void) { - #if defined(CONFIG_BOOT_SERIAL_UART) #if DT_HAS_CHOSEN(zephyr_uart_mcumgr) From d5c963c54904bcbf2881d9a976646537f89d3f26 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Mon, 6 Nov 2023 15:17:19 +0000 Subject: [PATCH 046/113] boot: zephyr: serial_adapter: Add error if main thread not preemptible Adds a build failure if the main thread priority is not preemptible and USB CDC ACM serial recovery is used, this is because if this is the case, USB events will never be able to be processed and serial recovery cannot ever enumerate Signed-off-by: Jamie McCrae --- boot/zephyr/serial_adapter.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/boot/zephyr/serial_adapter.c b/boot/zephyr/serial_adapter.c index bff34a250..de2e5c511 100644 --- a/boot/zephyr/serial_adapter.c +++ b/boot/zephyr/serial_adapter.c 
@@ -35,6 +35,11 @@ has not been redirected to other UART with DTS chosen zephyr,uart-mcumgr. #endif +#if defined(CONFIG_BOOT_SERIAL_CDC_ACM) && CONFIG_MAIN_THREAD_PRIORITY < 0 +#error CONFIG_MAIN_THREAD_PRIORITY must be preemptible to support USB CDC ACM \ + (0 or above) +#endif + BOOT_LOG_MODULE_REGISTER(serial_adapter); /** @brief Console input representation From 0a8bbbf4b73a9991e46c724e17a9284eee2c0c98 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Mon, 6 Nov 2023 15:46:04 +0000 Subject: [PATCH 047/113] boot: zephyr: Fix USB configs Fixes USB configurations so that they build out of the box, this previously falsely built successfully but would not run Signed-off-by: Jamie McCrae --- boot/zephyr/boards/nrf52840dongle_nrf52840.conf | 9 ++------- boot/zephyr/usb_cdc_acm_log_recovery.conf | 9 ++------- 2 files changed, 4 insertions(+), 14 deletions(-) diff --git a/boot/zephyr/boards/nrf52840dongle_nrf52840.conf b/boot/zephyr/boards/nrf52840dongle_nrf52840.conf index c1a938447..d219f351d 100644 --- a/boot/zephyr/boards/nrf52840dongle_nrf52840.conf +++ b/boot/zephyr/boards/nrf52840dongle_nrf52840.conf @@ -3,13 +3,10 @@ # Disable logging. CONFIG_LOG=n -# The build won't fit on the partition allocated for it without size -# optimizations. -CONFIG_SIZE_OPTIMIZATIONS=y - # Serial +CONFIG_CONSOLE=n CONFIG_SERIAL=y -CONFIG_UART_NRFX=y +CONFIG_UART_NRFX=n CONFIG_UART_INTERRUPT_DRIVEN=y CONFIG_UART_LINE_CTRL=y @@ -25,7 +22,5 @@ CONFIG_MULTITHREADING=y CONFIG_USB_DEVICE_STACK=y CONFIG_USB_DEVICE_REMOTE_WAKEUP=n CONFIG_USB_DEVICE_PRODUCT="MCUBOOT" -CONFIG_USB_COMPOSITE_DEVICE=n -CONFIG_USB_MASS_STORAGE=n CONFIG_NORDIC_QSPI_NOR=n diff --git a/boot/zephyr/usb_cdc_acm_log_recovery.conf b/boot/zephyr/usb_cdc_acm_log_recovery.conf index ae412fed5..2312c0ece 100644 --- a/boot/zephyr/usb_cdc_acm_log_recovery.conf +++ b/boot/zephyr/usb_cdc_acm_log_recovery.conf 
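Review bot: The new `#if defined(CONFIG_BOOT_SERIAL_CDC_ACM) && CONFIG_MAIN_THREAD_PRIORITY < 0` guard carries its rationale only in the commit message; a reader of serial_adapter.c sees a thread-priority check with no visible link to USB. Add a comment above it such as `/* With a cooperative main thread (priority < 0) USB events are never processed, so CDC ACM serial recovery can never enumerate. */` so the constraint is explained where it is enforced.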
@@ -1,16 +1,11 @@ CONFIG_LOG=y -# The build won't fit on the partition allocated for it without size -# optimizations. -CONFIG_SIZE_OPTIMIZATIONS=y - # Serial +CONFIG_UART_CONSOLE=n +CONFIG_CONSOLE=n CONFIG_SERIAL=y CONFIG_UART_LINE_CTRL=y # MCUBoot serial CONFIG_MCUBOOT_SERIAL=y CONFIG_BOOT_SERIAL_CDC_ACM=y - -CONFIG_LOG_BACKEND_UART=y -CONFIG_LOG_BACKEND_RTT=n From 013c9e7654d4cf5e245e82d88b82671fb8c71077 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Mon, 6 Nov 2023 15:47:35 +0000 Subject: [PATCH 048/113] boot: zephyr: board: various: Remove size optimisation This value is now the default, remove explicitly setting it for some boards Signed-off-by: Jamie McCrae --- boot/zephyr/boards/circuitdojo_feather_nrf9160.conf | 3 --- boot/zephyr/boards/conexio_stratus.conf | 3 --- boot/zephyr/boards/nrf51dk_nrf51422.conf | 1 - boot/zephyr/boards/nrf52_minimal_footprint.conf | 3 --- boot/zephyr/boards/sparkfun_thing_plus_nrf9160.conf | 3 --- 5 files changed, 13 deletions(-) diff --git a/boot/zephyr/boards/circuitdojo_feather_nrf9160.conf b/boot/zephyr/boards/circuitdojo_feather_nrf9160.conf index 656239c81..c23f92ca0 100644 --- a/boot/zephyr/boards/circuitdojo_feather_nrf9160.conf +++ b/boot/zephyr/boards/circuitdojo_feather_nrf9160.conf @@ -11,6 +11,3 @@ CONFIG_BOOT_MAX_IMG_SECTORS=256 CONFIG_MCUBOOT_SERIAL=y CONFIG_BOOT_SERIAL_DETECT_DELAY=450 CONFIG_MCUBOOT_INDICATION_LED=y - -# Size of mcuboot partition -CONFIG_SIZE_OPTIMIZATIONS=y \ No newline at end of file diff --git a/boot/zephyr/boards/conexio_stratus.conf b/boot/zephyr/boards/conexio_stratus.conf index 5a2900035..79ba798e7 100644 --- a/boot/zephyr/boards/conexio_stratus.conf +++ b/boot/zephyr/boards/conexio_stratus.conf @@ -13,6 +13,3 @@ CONFIG_BOOT_MAX_IMG_SECTORS=256 CONFIG_MCUBOOT_SERIAL=y CONFIG_BOOT_SERIAL_DETECT_DELAY=450 CONFIG_MCUBOOT_INDICATION_LED=y - -# Size of mcuboot partition -CONFIG_SIZE_OPTIMIZATIONS=y 
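Review bot: The fragment keeps `CONFIG_LOG=y` but drops `CONFIG_LOG_BACKEND_UART=y` and `CONFIG_LOG_BACKEND_RTT=n` while adding `CONFIG_UART_CONSOLE=n` and `CONFIG_CONSOLE=n`, so it no longer states where log output is meant to go. If the intent is that logging shares the CDC ACM port with serial recovery, or that the default backend is relied upon, the `# Serial` block should say so, e.g. `# Console is disabled so the CDC ACM device is free for serial recovery; the log backend is left at its default`. I cannot tell from the hunk alone which of the two is intended.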
diff --git a/boot/zephyr/boards/nrf51dk_nrf51422.conf b/boot/zephyr/boards/nrf51dk_nrf51422.conf index bd4eaac8d..b6d5ae599 100644 --- a/boot/zephyr/boards/nrf51dk_nrf51422.conf +++ b/boot/zephyr/boards/nrf51dk_nrf51422.conf @@ -3,4 +3,3 @@ # partition size with a zephyr DTS overlay to make MCUboot's debug # builds fit. CONFIG_LOG=n -CONFIG_SIZE_OPTIMIZATIONS=y diff --git a/boot/zephyr/boards/nrf52_minimal_footprint.conf b/boot/zephyr/boards/nrf52_minimal_footprint.conf index e070b2d07..a290312be 100644 --- a/boot/zephyr/boards/nrf52_minimal_footprint.conf +++ b/boot/zephyr/boards/nrf52_minimal_footprint.conf @@ -59,6 +59,3 @@ CONFIG_BOOT_DELAY=0 # Console CONFIG_STDOUT_CONSOLE=n - -# Build -CONFIG_SIZE_OPTIMIZATIONS=y diff --git a/boot/zephyr/boards/sparkfun_thing_plus_nrf9160.conf b/boot/zephyr/boards/sparkfun_thing_plus_nrf9160.conf index 656239c81..c23f92ca0 100644 --- a/boot/zephyr/boards/sparkfun_thing_plus_nrf9160.conf +++ b/boot/zephyr/boards/sparkfun_thing_plus_nrf9160.conf @@ -11,6 +11,3 @@ CONFIG_BOOT_MAX_IMG_SECTORS=256 CONFIG_MCUBOOT_SERIAL=y CONFIG_BOOT_SERIAL_DETECT_DELAY=450 CONFIG_MCUBOOT_INDICATION_LED=y - -# Size of mcuboot partition -CONFIG_SIZE_OPTIMIZATIONS=y \ No newline at end of file From e9fccef5dd487faaddb2bcb6e823b734d9ea9ca0 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Mon, 6 Nov 2023 14:25:57 +0000 Subject: [PATCH 049/113] boot_serial: Fix missing response if echo command disabled Fixes an issue whereby when an echo command is sent in serial recovery mode, if it is disabled, there would just be no response at all, which is invalid operation Signed-off-by: Jamie McCrae --- boot/boot_serial/src/boot_serial.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c index 31ea0c7cc..5213866ad 100644 --- a/boot/boot_serial/src/boot_serial.c +++ b/boot/boot_serial/src/boot_serial.c 
@@ -1023,11 +1023,11 @@ boot_serial_input(char *buf, int len) } } else if (hdr->nh_group == MGMT_GROUP_ID_DEFAULT) { switch (hdr->nh_id) { - case NMGR_ID_ECHO: #ifdef MCUBOOT_BOOT_MGMT_ECHO + case NMGR_ID_ECHO: bs_echo(buf, len); -#endif break; +#endif case NMGR_ID_CONS_ECHO_CTRL: bs_rc_rsp(0); break; From 6c4f7b4c6326edbdfd90826b2515e24e0c492c14 Mon Sep 17 00:00:00 2001 From: Andrej Butok Date: Mon, 6 Nov 2023 15:01:19 +0100 Subject: [PATCH 050/113] doc: imgtool: update align description Update the --align option values. Add its description. Delete [required], as it is optional now. Signed-off-by: Andrej Butok --- docs/imgtool.md | 2 +- scripts/imgtool/main.py | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/imgtool.md b/docs/imgtool.md index 9d50e672f..b4dc3b554 100644 --- a/docs/imgtool.md +++ b/docs/imgtool.md @@ -61,7 +61,7 @@ primary slot and adds a header and trailer that the bootloader is expecting: Options: -k, --key filename --public-key-format [hash|full] - --align [1|2|4|8] [required] + --align [1|2|4|8|16|32] Alignment used by swap update modes. -v, --version TEXT [required] -s, --security-counter TEXT Specify the value of security counter. Use the `auto` keyword to automatically generate diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py index a38abe7d0..9dd033c41 100755 --- a/scripts/imgtool/main.py +++ b/scripts/imgtool/main.py @@ -377,7 +377,8 @@ def convert(self, value, param, ctx): 'keyword to automatically generate it from the image version.') @click.option('-v', '--version', callback=validate_version, required=True) @click.option('--align', type=click.Choice(['1', '2', '4', '8', '16', '32']), - required=False) + required=False, + help='Alignment used by swap update modes.') @click.option('--max-align', type=click.Choice(['8', '16', '32']), required=False, help='Maximum flash alignment. Set if flash alignment of the ' From 0c0470e294dcfb52aab92299356a5f3caa0aa52b Mon Sep 17 00:00:00 2001 
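Review bot: Moving `case NMGR_ID_ECHO:` and its `break;` inside `#ifdef MCUBOOT_BOOT_MGMT_ECHO` means that, with echo disabled, an echo request now falls to whatever the switch's `default:` label does, which is outside the hunk; the fix yields the intended not-supported response only if that branch replies with an error rc rather than silently ignoring the id, so that is worth confirming. A comment on the `#ifdef` such as `/* with echo disabled the id reaches the default case and is reported as unsupported */` would stop the next reader from re-adding the case outside the guard. The enclosing `boot_serial_input` continues outside the hunk.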
From: Jamie McCrae Date: Mon, 6 Nov 2023 15:55:42 +0000 Subject: [PATCH 051/113] docs: release: Add notes on Zephyr USB fixes and boot serial echo Adds 3 notes, 2 for zephyr USB CDC ACM fixes and 1 for a boot serial echo fix Signed-off-by: Jamie McCrae --- docs/release-notes.d/boot-serial-echo.md | 1 + docs/release-notes.d/zephyr-usb.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 docs/release-notes.d/boot-serial-echo.md create mode 100644 docs/release-notes.d/zephyr-usb.md diff --git a/docs/release-notes.d/boot-serial-echo.md b/docs/release-notes.d/boot-serial-echo.md new file mode 100644 index 000000000..2667f733c --- /dev/null +++ b/docs/release-notes.d/boot-serial-echo.md @@ -0,0 +1 @@ +- Boot serial: Add response to echo command if support is not enabled, previously the command would have been accepted but no response indicating that the command is not supported would have been sent. diff --git a/docs/release-notes.d/zephyr-usb.md b/docs/release-notes.d/zephyr-usb.md new file mode 100644 index 000000000..7154f58ea --- /dev/null +++ b/docs/release-notes.d/zephyr-usb.md @@ -0,0 +1,2 @@ +- Zephyr: Add USB CDC serial recovery check that now causes a build failure if console is enabled and device is the same as the USB CDC device. +- Zephyr: Add USB CDC serial recovery check that now causes a build failure if the main thread priority is below 0 (cooperative thread), this would prevent USB CDC from working as the driver would not have been able to fire callbacks. From cd82f8bf7ad31fd602f81ab5c676de7666f1abdd Mon Sep 17 00:00:00 2001 From: Andrej Butok Date: Mon, 20 Nov 2023 09:18:27 +0100 Subject: [PATCH 052/113] boot: zephyr: add support for lpcxpresso55s28 Add default configuration for lpcxpresso55s28. Signed-off-by: Andrej Butok --- boot/zephyr/boards/lpcxpresso55s28.conf | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 boot/zephyr/boards/lpcxpresso55s28.conf 
diff --git a/boot/zephyr/boards/lpcxpresso55s28.conf b/boot/zephyr/boards/lpcxpresso55s28.conf new file mode 100644 index 000000000..fbe7b6723 --- /dev/null +++ b/boot/zephyr/boards/lpcxpresso55s28.conf @@ -0,0 +1,6 @@ +# Copyright 2023 NXP +# SPDX-License-Identifier: Apache-2.0 + +#LPC does not support the MCUBoot swap mode. +CONFIG_BOOT_UPGRADE_ONLY=y +CONFIG_BOOT_MAX_IMG_SECTORS=512 From 47b34362552835621bc289d53d2127691088cb7c Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Tue, 21 Nov 2023 10:38:41 +0000 Subject: [PATCH 053/113] zephyr: kconfig: Prevent MBEDTLS selection when tinycrypt is used Prevents an issue which occurs when the MCUboot configuration is changed which then selects multiple conflicting symbols Signed-off-by: Jamie McCrae --- boot/zephyr/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 78fe793ed..183bb500e 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -30,6 +30,7 @@ config BOOT_USE_TINYCRYPT # When building for ECDSA, we use our own copy of mbedTLS, so the # Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros # will collide. + select MBEDTLS_PROMPTLESS help Use TinyCrypt for crypto primitives. From 3f0b89d680ee1bc7bfeee1dd8055986c3dd9c278 Mon Sep 17 00:00:00 2001 From: Andrej Butok Date: Mon, 27 Nov 2023 14:45:57 +0100 Subject: [PATCH 054/113] boot: zephyr: add support for mimxrt101x_evk Add default configuration for mimxrt1010_evk and mimxrt1015_evk. Signed-off-by: Andrej Butok --- boot/zephyr/boards/mimxrt1010_evk.conf | 4 ++++ boot/zephyr/boards/mimxrt1015_evk.conf | 4 ++++ 2 files changed, 8 insertions(+) create mode 100644 boot/zephyr/boards/mimxrt1010_evk.conf create mode 100644 boot/zephyr/boards/mimxrt1015_evk.conf diff --git a/boot/zephyr/boards/mimxrt1010_evk.conf b/boot/zephyr/boards/mimxrt1010_evk.conf new file mode 100644 index 000000000..e7737afde --- /dev/null +++ b/boot/zephyr/boards/mimxrt1010_evk.conf 
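Review bot: The added `select MBEDTLS_PROMPTLESS` sits under a comment that explains why Zephyr's mbedTLS must not be enabled, but not how this symbol achieves that; a reader has to know Zephyr's Kconfig to see that a promptless `MBEDTLS` presumably can no longer be switched on from a project configuration. Extend the comment with one line, e.g. `# MBEDTLS_PROMPTLESS hides the MBEDTLS prompt so a project config cannot enable Zephyr's mbedTLS alongside TinyCrypt`. The rest of `config BOOT_USE_TINYCRYPT` is outside the hunk.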
@@ -0,0 +1,4 @@ +# Copyright 2023 NXP +# SPDX-License-Identifier: Apache-2.0 + +CONFIG_BOOT_MAX_IMG_SECTORS=2048 diff --git a/boot/zephyr/boards/mimxrt1015_evk.conf b/boot/zephyr/boards/mimxrt1015_evk.conf new file mode 100644 index 000000000..e7737afde --- /dev/null +++ b/boot/zephyr/boards/mimxrt1015_evk.conf @@ -0,0 +1,4 @@ +# Copyright 2023 NXP +# SPDX-License-Identifier: Apache-2.0 + +CONFIG_BOOT_MAX_IMG_SECTORS=2048 From 5e6cffbf4a8774dd9911a4abed6f8f24ea760786 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Fri, 24 Nov 2023 08:27:23 +0000 Subject: [PATCH 055/113] boot: boot_serial: Fix single slot encrypted image list Fixes an issue whereby MCUboot is configured in single application slot mode with serial recovery with encryption and an encrypted image has been loaded, if valid this will have been decrypted, so should not be treated as encrypted Signed-off-by: Jamie McCrae --- boot/boot_serial/src/boot_serial.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c index 5213866ad..bc07e2d60 100644 --- a/boot/boot_serial/src/boot_serial.c +++ b/boot/boot_serial/src/boot_serial.c @@ -294,10 +294,12 @@ bs_list(char *buf, int len) if (FIH_EQ(fih_rc, FIH_BOOT_HOOK_REGULAR)) { #if defined(MCUBOOT_ENC_IMAGES) +#if !defined(MCUBOOT_SINGLE_APPLICATION_SLOT) if (IS_ENCRYPTED(&hdr) && MUST_DECRYPT(fap, image_index, &hdr)) { FIH_CALL(boot_image_validate_encrypted, fih_rc, fap, &hdr, tmpbuf, sizeof(tmpbuf)); } else { +#endif if (IS_ENCRYPTED(&hdr)) { /* * There is an image present which has an encrypted flag set but is @@ -310,7 +312,7 @@ bs_list(char *buf, int len) FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, &hdr, fap, tmpbuf, sizeof(tmpbuf), NULL, 0, NULL); -#if defined(MCUBOOT_ENC_IMAGES) +#if defined(MCUBOOT_ENC_IMAGES) && !defined(MCUBOOT_SINGLE_APPLICATION_SLOT) } #endif } From 433b8480f760bdf40381e7543e358185a1006a2b Mon Sep 17 00:00:00 2001 
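Review bot: The `#if !defined(MCUBOOT_SINGLE_APPLICATION_SLOT)` added in the first bs_list hunk opens an `if`/`else` whose closing `}` is guarded by a differently spelled condition, `#if defined(MCUBOOT_ENC_IMAGES) && !defined(MCUBOOT_SINGLE_APPLICATION_SLOT)`, in the second hunk; the braces only balance while those two preprocessor conditions stay equivalent, which is easy to break in a later edit. A more robust shape is to decide once, e.g. a `must_decrypt` flag computed from `IS_ENCRYPTED`/`MUST_DECRYPT` under `MCUBOOT_ENC_IMAGES` and unconditionally `false` under `MCUBOOT_SINGLE_APPLICATION_SLOT`, so both branches are always compiled and no `#if` guards a lone brace. It would also help to comment why a single-slot image is never treated as still encrypted (per the commit message it was decrypted when validated). The enclosing `bs_list` continues outside both hunks.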
From: Jamie McCrae Date: Wed, 16 Aug 2023 07:33:24 +0100 Subject: [PATCH 056/113] zephyr: Move IO functions out of main to separate file Moves IO functions into a separate file to allow reuse Signed-off-by: Jamie McCrae --- boot/zephyr/CMakeLists.txt | 1 + boot/zephyr/include/io/io.h | 78 +++++++++++++++ boot/zephyr/io.c | 190 ++++++++++++++++++++++++++++++++++++ boot/zephyr/main.c | 164 ++----------------------------- 4 files changed, 275 insertions(+), 158 deletions(-) create mode 100644 boot/zephyr/include/io/io.h create mode 100644 boot/zephyr/io.c diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index ad4c823f2..3ce4235cb 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -56,6 +56,7 @@ endif() # Zephyr port-specific sources. zephyr_library_sources( main.c + io.c flash_map_extended.c os.c keys.c diff --git a/boot/zephyr/include/io/io.h b/boot/zephyr/include/io/io.h new file mode 100644 index 000000000..332eefbd8 --- /dev/null +++ b/boot/zephyr/include/io/io.h 
@@ -0,0 +1,78 @@ +/* + * Copyright (c) 2012-2014 Wind River Systems, Inc. + * Copyright (c) 2020 Arm Limited + * Copyright (c) 2021-2023 Nordic Semiconductor ASA + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef H_IO_ +#define H_IO_ + +#include + +#ifdef CONFIG_SOC_FAMILY_NRF +#include +#endif + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * Initialises the configured LED. + */ +void io_led_init(void); + +/* + * Checks if GPIO is set in the required way to remain in serial recovery mode + * + * @retval false for normal boot, true for serial recovery boot + */ +bool io_detect_pin(void); + +/* + * Checks if board was reset using reset pin and if device should stay in + * serial recovery mode + * + * @retval false for normal boot, true for serial recovery boot + */ +bool io_detect_pin_reset(void); + +/* + * Checks board boot mode via retention subsystem and if device should stay in + * serial recovery mode + * + * @retval false for normal boot, true for serial recovery boot + */ +bool io_detect_boot_mode(void); + +#ifdef CONFIG_SOC_FAMILY_NRF +static inline bool io_boot_skip_serial_recovery() +{ + uint32_t rr = nrfx_reset_reason_get(); + + return !(rr == 0 || (rr & NRFX_RESET_REASON_RESETPIN_MASK)); +} +#else +static inline bool io_boot_skip_serial_recovery() +{ + return false; +} +#endif + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/boot/zephyr/io.c b/boot/zephyr/io.c new file mode 100644 index 000000000..6d3b01ef5 --- /dev/null 
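Review bot: Both definitions of `io_boot_skip_serial_recovery` use an empty parameter list, which in C declares an unprototyped function rather than one taking no arguments; write `static inline bool io_boot_skip_serial_recovery(void)` in both the nRF and fallback variants, matching the other prototypes in this header. It is also the only function here without a comment; something like `/* True when the last reset was neither a clean one (reason register 0) nor a reset-pin reset, in which case button-triggered serial recovery is skipped. Always false outside the nRF family. */` documents what the nRF branch computes.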
+++ b/boot/zephyr/io.c 
@@ -0,0 +1,190 @@ +/* + * Copyright (c) 2012-2014 Wind River Systems, Inc. + * Copyright (c) 2020 Arm Limited + * Copyright (c) 2021-2023 Nordic Semiconductor ASA + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "target.h" + +#if defined(CONFIG_BOOT_SERIAL_PIN_RESET) +#include +#endif + +#if defined(CONFIG_BOOT_SERIAL_BOOT_MODE) +#include +#endif + +/* Validate serial recovery configuration */ +#ifdef CONFIG_MCUBOOT_SERIAL +#if !defined(CONFIG_BOOT_SERIAL_ENTRANCE_GPIO) && \ + !defined(CONFIG_BOOT_SERIAL_WAIT_FOR_DFU) && \ + !defined(CONFIG_BOOT_SERIAL_BOOT_MODE) && \ + !defined(CONFIG_BOOT_SERIAL_NO_APPLICATION) && \ + !defined(CONFIG_BOOT_SERIAL_PIN_RESET) +#error "Serial recovery selected without an entrance mode set" +#endif +#endif + +#ifdef CONFIG_MCUBOOT_INDICATION_LED + +/* + * The led0 devicetree alias is optional. If present, we'll use it + * to turn on the LED whenever the button is pressed. 
+ */ +#if DT_NODE_EXISTS(DT_ALIAS(mcuboot_led0)) +#define LED0_NODE DT_ALIAS(mcuboot_led0) +#elif DT_NODE_EXISTS(DT_ALIAS(bootloader_led0)) +#warning "bootloader-led0 alias is deprecated; use mcuboot-led0 instead" +#define LED0_NODE DT_ALIAS(bootloader_led0) +#endif + +#if DT_NODE_HAS_STATUS(LED0_NODE, okay) && DT_NODE_HAS_PROP(LED0_NODE, gpios) +static const struct gpio_dt_spec led0 = GPIO_DT_SPEC_GET(LED0_NODE, gpios); +#else +/* A build error here means your board isn't set up to drive an LED. */ +#error "Unsupported board: led0 devicetree alias is not defined" +#endif + +void io_led_init(void) +{ + if (!device_is_ready(led0.port)) { + BOOT_LOG_ERR("Didn't find LED device referred by the LED0_NODE\n"); + return; + } + + gpio_pin_configure_dt(&led0, GPIO_OUTPUT); + gpio_pin_set_dt(&led0, 0); +} +#endif /* CONFIG_MCUBOOT_INDICATION_LED */ + +#if defined(CONFIG_BOOT_SERIAL_ENTRANCE_GPIO) || defined(CONFIG_BOOT_USB_DFU_GPIO) + +#if defined(CONFIG_MCUBOOT_SERIAL) +#define BUTTON_0_DETECT_DELAY CONFIG_BOOT_SERIAL_DETECT_DELAY +#else +#define BUTTON_0_DETECT_DELAY CONFIG_BOOT_USB_DFU_DETECT_DELAY +#endif + +#define BUTTON_0_NODE DT_ALIAS(mcuboot_button0) + +#if DT_NODE_EXISTS(BUTTON_0_NODE) && DT_NODE_HAS_PROP(BUTTON_0_NODE, gpios) +static const struct gpio_dt_spec button0 = GPIO_DT_SPEC_GET(BUTTON_0_NODE, gpios); +#else +#error "Serial recovery/USB DFU button must be declared in device tree as 'mcuboot_button0'" +#endif + +bool io_detect_pin(void) +{ + int rc; + int pin_active; + + if (!device_is_ready(button0.port)) { + __ASSERT(false, "GPIO device is not ready.\n"); + return false; + } + + rc = gpio_pin_configure_dt(&button0, GPIO_INPUT); + __ASSERT(rc == 0, "Failed to initialize boot detect pin.\n"); + + rc = gpio_pin_get_dt(&button0); + pin_active = rc; + + __ASSERT(rc >= 0, "Failed to read boot detect pin.\n"); + + if (pin_active) { + if (BUTTON_0_DETECT_DELAY > 0) { +#ifdef CONFIG_MULTITHREADING + k_sleep(K_MSEC(50)); +#else + k_busy_wait(50000); +#endif + + /* 
Get the uptime for debounce purposes. */ + int64_t timestamp = k_uptime_get(); + + for(;;) { + rc = gpio_pin_get_dt(&button0); + pin_active = rc; + __ASSERT(rc >= 0, "Failed to read boot detect pin.\n"); + + /* Get delta from when this started */ + uint32_t delta = k_uptime_get() - timestamp; + + /* If not pressed OR if pressed > debounce period, stop. */ + if (delta >= BUTTON_0_DETECT_DELAY || !pin_active) { + break; + } + + /* Delay 1 ms */ +#ifdef CONFIG_MULTITHREADING + k_sleep(K_MSEC(1)); +#else + k_busy_wait(1000); +#endif + } + } + } + + return (bool)pin_active; +} +#endif + +#if defined(CONFIG_BOOT_SERIAL_PIN_RESET) +bool io_detect_pin_reset(void) +{ + uint32_t reset_cause; + int rc; + + rc = hwinfo_get_reset_cause(&reset_cause); + + if (rc == 0 && reset_cause == RESET_PIN) { + (void)hwinfo_clear_reset_cause(); + return true; + } + + return false; +} +#endif + +#if defined(CONFIG_BOOT_SERIAL_BOOT_MODE) +bool io_detect_boot_mode(void) +{ + int32_t boot_mode; + + boot_mode = bootmode_check(BOOT_MODE_TYPE_BOOTLOADER); + + if (boot_mode == 1) { + /* Boot mode to stay in bootloader, clear status and enter serial + * recovery mode + */ + bootmode_clear(); + + return true; + } + + return false; +} +#endif diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 7b3702475..abd2fe6eb 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -31,6 +31,7 @@ #include #endif +#include "io/io.h" #include "target.h" #include "bootutil/bootutil_log.h" @@ -74,10 +75,6 @@ const struct boot_uart_funcs boot_funcs = { }; #endif -#ifdef CONFIG_BOOT_SERIAL_BOOT_MODE -#include -#endif - #if defined(CONFIG_BOOT_USB_DFU_WAIT) || defined(CONFIG_BOOT_USB_DFU_GPIO) #include #endif @@ -86,10 +83,6 @@ const struct boot_uart_funcs boot_funcs = { #include #endif -#ifdef CONFIG_BOOT_SERIAL_PIN_RESET -#include -#endif - /* CONFIG_LOG_MINIMAL is the legacy Kconfig property, * replaced by CONFIG_LOG_MODE_MINIMAL. */ 
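Review bot: In `io_detect_pin` a failed `gpio_pin_get_dt` is only caught by `__ASSERT(rc >= 0, ...)`; in a build where `__ASSERT` compiles to nothing, the negative error code is copied into `pin_active`, passes `if (pin_active)` and is returned as `true` by `return (bool)pin_active;`, so a GPIO read error would be reported as "button pressed" rather than as a failure. The same applies to the read inside the debounce loop, and the `rc` from `gpio_pin_configure_dt` is likewise only asserted on. This code is moved verbatim from main.c, so the behaviour is pre-existing, but the move is the natural place to make the read fail closed: after each `gpio_pin_get_dt` add `if (rc < 0) { return false; }` (a `break` with `pin_active = 0` inside the loop), and treat a non-zero configure `rc` the same way.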
@@ -132,67 +125,8 @@ K_SEM_DEFINE(boot_log_sem, 1, 1); * !defined(ZEPHYR_LOG_MODE_MINIMAL) */ -#ifdef CONFIG_SOC_FAMILY_NRF -#include - -static inline bool boot_skip_serial_recovery() -{ - uint32_t rr = nrfx_reset_reason_get(); - - return !(rr == 0 || (rr & NRFX_RESET_REASON_RESETPIN_MASK)); -} -#else -static inline bool boot_skip_serial_recovery() -{ - return false; -} -#endif - BOOT_LOG_MODULE_REGISTER(mcuboot); -/* Validate serial recovery configuration */ -#ifdef CONFIG_MCUBOOT_SERIAL -#if !defined(CONFIG_BOOT_SERIAL_ENTRANCE_GPIO) && \ - !defined(CONFIG_BOOT_SERIAL_WAIT_FOR_DFU) && \ - !defined(CONFIG_BOOT_SERIAL_BOOT_MODE) && \ - !defined(CONFIG_BOOT_SERIAL_NO_APPLICATION) && \ - !defined(CONFIG_BOOT_SERIAL_PIN_RESET) -#error "Serial recovery selected without an entrance mode set" -#endif -#endif - -#ifdef CONFIG_MCUBOOT_INDICATION_LED - -/* - * The led0 devicetree alias is optional. If present, we'll use it - * to turn on the LED whenever the button is pressed. - */ -#if DT_NODE_EXISTS(DT_ALIAS(mcuboot_led0)) -#define LED0_NODE DT_ALIAS(mcuboot_led0) -#elif DT_NODE_EXISTS(DT_ALIAS(bootloader_led0)) -#warning "bootloader-led0 alias is deprecated; use mcuboot-led0 instead" -#define LED0_NODE DT_ALIAS(bootloader_led0) -#endif - -#if DT_NODE_HAS_STATUS(LED0_NODE, okay) && DT_NODE_HAS_PROP(LED0_NODE, gpios) -static const struct gpio_dt_spec led0 = GPIO_DT_SPEC_GET(LED0_NODE, gpios); -#else -/* A build error here means your board isn't set up to drive an LED. */ -#error "Unsupported board: led0 devicetree alias is not defined" -#endif - -void led_init(void) -{ - if (!device_is_ready(led0.port)) { - BOOT_LOG_ERR("Didn't find LED device referred by the LED0_NODE\n"); - return; - } - - gpio_pin_configure_dt(&led0, GPIO_OUTPUT); - gpio_pin_set_dt(&led0, 0); -} -#endif /* CONFIG_MCUBOOT_INDICATION_LED */ - void os_heap_init(void); #if defined(CONFIG_ARM) 
@@ -437,78 +371,6 @@ void zephyr_boot_log_stop(void) * !defined(CONFIG_LOG_PROCESS_THREAD) && !defined(ZEPHYR_LOG_MODE_MINIMAL) */ -#if defined(CONFIG_BOOT_SERIAL_ENTRANCE_GPIO) || defined(CONFIG_BOOT_USB_DFU_GPIO) - -#ifdef CONFIG_MCUBOOT_SERIAL -#define BUTTON_0_DETECT_DELAY CONFIG_BOOT_SERIAL_DETECT_DELAY -#else -#define BUTTON_0_DETECT_DELAY CONFIG_BOOT_USB_DFU_DETECT_DELAY -#endif - -#define BUTTON_0_NODE DT_ALIAS(mcuboot_button0) - -#if DT_NODE_EXISTS(BUTTON_0_NODE) && DT_NODE_HAS_PROP(BUTTON_0_NODE, gpios) -static const struct gpio_dt_spec button0 = GPIO_DT_SPEC_GET(BUTTON_0_NODE, gpios); -#else -#error "Serial recovery/USB DFU button must be declared in device tree as 'mcuboot_button0'" -#endif - -static bool detect_pin(void) -{ - int rc; - int pin_active; - - if (!device_is_ready(button0.port)) { - __ASSERT(false, "GPIO device is not ready.\n"); - return false; - } - - rc = gpio_pin_configure_dt(&button0, GPIO_INPUT); - __ASSERT(rc == 0, "Failed to initialize boot detect pin.\n"); - - rc = gpio_pin_get_dt(&button0); - pin_active = rc; - - __ASSERT(rc >= 0, "Failed to read boot detect pin.\n"); - - if (pin_active) { - if (BUTTON_0_DETECT_DELAY > 0) { -#ifdef CONFIG_MULTITHREADING - k_sleep(K_MSEC(50)); -#else - k_busy_wait(50000); -#endif - - /* Get the uptime for debounce purposes. */ - int64_t timestamp = k_uptime_get(); - - for(;;) { - rc = gpio_pin_get_dt(&button0); - pin_active = rc; - __ASSERT(rc >= 0, "Failed to read boot detect pin.\n"); - - /* Get delta from when this started */ - uint32_t delta = k_uptime_get() - timestamp; - - /* If not pressed OR if pressed > debounce period, stop. */ - if (delta >= BUTTON_0_DETECT_DELAY || !pin_active) { - break; - } - - /* Delay 1 ms */ -#ifdef CONFIG_MULTITHREADING - k_sleep(K_MSEC(1)); -#else - k_busy_wait(1000); -#endif - } - } - } - - return (bool)pin_active; -} -#endif - #ifdef CONFIG_MCUBOOT_SERIAL static void boot_serial_enter() { 
@@ -534,14 +396,6 @@ int main(void) int rc; FIH_DECLARE(fih_rc, FIH_FAILURE); -#ifdef CONFIG_BOOT_SERIAL_BOOT_MODE - int32_t boot_mode; -#endif - -#ifdef CONFIG_BOOT_SERIAL_PIN_RESET - uint32_t reset_cause; -#endif - MCUBOOT_WATCHDOG_SETUP(); MCUBOOT_WATCHDOG_FEED(); @@ -565,23 +419,20 @@ int main(void) mcuboot_status_change(MCUBOOT_STATUS_STARTUP); #ifdef CONFIG_BOOT_SERIAL_ENTRANCE_GPIO - if (detect_pin() && - !boot_skip_serial_recovery()) { + if (io_detect_pin() && + !io_boot_skip_serial_recovery()) { boot_serial_enter(); } #endif #ifdef CONFIG_BOOT_SERIAL_PIN_RESET - rc = hwinfo_get_reset_cause(&reset_cause); - - if (rc == 0 && reset_cause == RESET_PIN) { - (void)hwinfo_clear_reset_cause(); + if (io_detect_pin_reset()) { boot_serial_enter(); } #endif #if defined(CONFIG_BOOT_USB_DFU_GPIO) - if (detect_pin()) { + if (io_detect_pin()) { #ifdef CONFIG_MCUBOOT_INDICATION_LED gpio_pin_set_dt(&led0, 1); #endif @@ -631,13 +482,10 @@ int main(void) FIH_CALL(boot_go, fih_rc, &rsp); #ifdef CONFIG_BOOT_SERIAL_BOOT_MODE - boot_mode = bootmode_check(BOOT_MODE_TYPE_BOOTLOADER); - - if (boot_mode == 1) { + if (io_detect_boot_mode()) { /* Boot mode to stay in bootloader, clear status and enter serial * recovery mode */ - bootmode_clear(); boot_serial_enter(); } #endif From 215345f76abd2377000148652247fa36ca16e200 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 16 Aug 2023 07:37:18 +0100 Subject: [PATCH 057/113] zephyr: Add firmware loader MCUboot operation style Adds a new operation style in which the secondary slot has an image which is used to update the primary image only. 
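Review bot: The comment kept on the new side of the last hunk, `/* Boot mode to stay in bootloader, clear status and enter serial recovery mode */`, now describes work that moved into `io_detect_boot_mode()`; `bootmode_clear()` is no longer visible at this call site, so a reader looks for a clear that is not there. Suggest trimming it to `/* Boot mode requests staying in bootloader (status already cleared by io_detect_boot_mode()); enter serial recovery */`. main()'s body starts and ends outside these hunks.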
Signed-off-by: Jamie McCrae --- boot/bootutil/include/bootutil/boot_status.h | 3 +- boot/bootutil/src/boot_record.c | 2 + boot/bootutil/src/bootutil_misc.c | 3 +- boot/bootutil/src/bootutil_priv.h | 8 +- boot/zephyr/CMakeLists.txt | 5 + boot/zephyr/Kconfig | 14 ++ boot/zephyr/Kconfig.firmware_loader | 47 +++++ boot/zephyr/Kconfig.serial_recovery | 1 + boot/zephyr/firmware_loader.c | 194 ++++++++++++++++++ .../include/mcuboot_config/mcuboot_config.h | 4 + boot/zephyr/io.c | 23 ++- 11 files changed, 294 insertions(+), 10 deletions(-) create mode 100644 boot/zephyr/Kconfig.firmware_loader create mode 100644 boot/zephyr/firmware_loader.c diff --git a/boot/bootutil/include/bootutil/boot_status.h b/boot/bootutil/include/bootutil/boot_status.h index 149e45e87..8ec0619aa 100644 --- a/boot/bootutil/include/bootutil/boot_status.h +++ b/boot/bootutil/include/bootutil/boot_status.h @@ -122,7 +122,8 @@ enum mcuboot_mode { MCUBOOT_MODE_SWAP_USING_MOVE, MCUBOOT_MODE_DIRECT_XIP, MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT, - MCUBOOT_MODE_RAM_LOAD + MCUBOOT_MODE_RAM_LOAD, + MCUBOOT_MODE_FIRMWARE_LOADER }; enum mcuboot_signature_type { diff --git a/boot/bootutil/src/boot_record.c b/boot/bootutil/src/boot_record.c index 5e4e25d4b..64a36d7c1 100644 --- a/boot/bootutil/src/boot_record.c +++ b/boot/bootutil/src/boot_record.c @@ -250,6 +250,8 @@ int boot_save_shared_data(const struct image_header *hdr, const struct flash_are #endif #elif defined(MCUBOOT_RAM_LOAD) uint8_t mode = MCUBOOT_MODE_RAM_LOAD; +#elif defined(MCUBOOT_FIRMWARE_LOADER) + uint8_t mode = MCUBOOT_MODE_FIRMWARE_LOADER; #else #error "Unknown mcuboot operating mode" #endif diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c index 0caad7ff1..87b863507 100644 --- a/boot/bootutil/src/bootutil_misc.c +++ b/boot/bootutil/src/bootutil_misc.c 
@@ -333,7 +333,8 @@ boot_write_enc_key(const struct flash_area *fap, uint8_t slot, uint32_t bootutil_max_image_size(const struct flash_area *fap) { -#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SINGLE_APPLICATION_SLOT) +#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SINGLE_APPLICATION_SLOT) || \ + defined(MCUBOOT_FIRMWARE_LOADER) return boot_status_off(fap); #elif defined(MCUBOOT_SWAP_USING_MOVE) struct flash_sector sector; diff --git a/boot/bootutil/src/bootutil_priv.h b/boot/bootutil/src/bootutil_priv.h index 059bfcd1f..32f996e78 100644 --- a/boot/bootutil/src/bootutil_priv.h +++ b/boot/bootutil/src/bootutil_priv.h @@ -57,15 +57,17 @@ struct flash_area; #if (defined(MCUBOOT_OVERWRITE_ONLY) + \ defined(MCUBOOT_SWAP_USING_MOVE) + \ defined(MCUBOOT_DIRECT_XIP) + \ - defined(MCUBOOT_RAM_LOAD)) > 1 -#error "Please enable only one of MCUBOOT_OVERWRITE_ONLY, MCUBOOT_SWAP_USING_MOVE, MCUBOOT_DIRECT_XIP or MCUBOOT_RAM_LOAD" + defined(MCUBOOT_RAM_LOAD) + \ + defined(MCUBOOT_FIRMWARE_LOADER)) > 1 +#error "Please enable only one of MCUBOOT_OVERWRITE_ONLY, MCUBOOT_SWAP_USING_MOVE, MCUBOOT_DIRECT_XIP, MCUBOOT_RAM_LOAD or MCUBOOT_FIRMWARE_LOADER" #endif #if !defined(MCUBOOT_OVERWRITE_ONLY) && \ !defined(MCUBOOT_SWAP_USING_MOVE) && \ !defined(MCUBOOT_DIRECT_XIP) && \ !defined(MCUBOOT_RAM_LOAD) && \ - !defined(MCUBOOT_SINGLE_APPLICATION_SLOT) + !defined(MCUBOOT_SINGLE_APPLICATION_SLOT) && \ + !defined(MCUBOOT_FIRMWARE_LOADER) #define MCUBOOT_SWAP_USING_SCRATCH 1 #endif diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 3ce4235cb..1356f4e69 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt 
@@ -131,6 +131,11 @@ zephyr_library_sources( ${BOOT_DIR}/zephyr/single_loader.c ) zephyr_library_include_directories(${BOOT_DIR}/bootutil/src) +elseif(CONFIG_BOOT_FIRMWARE_LOADER) +zephyr_library_sources( + ${BOOT_DIR}/zephyr/firmware_loader.c + ) +zephyr_library_include_directories(${BOOT_DIR}/bootutil/src) else() zephyr_library_sources( ${BOOT_DIR}/bootutil/src/loader.c diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 183bb500e..a67126a0b 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -256,6 +256,18 @@ config BOOT_RAM_LOAD The address that the image is copied to is specified using the load-addr argument to the imgtool.py script which writes it to the image header. +config BOOT_FIRMWARE_LOADER + bool "Firmware loader" + help + If y, mcuboot will have a single application slot, and the secondary + slot will be for a non-upgradeable firmware loaded image (e.g. for + loading firmware via Bluetooth). The main application will boot by + default unless there is an error with it or the boot mode has been + forced to the firmware loader. + + Note: The firmware loader image must be signed with the same signing + key as the primary image. + endchoice # Workaround for not being able to have commas in macro arguments @@ -582,6 +594,8 @@ config MCUBOOT_INDICATION_LED rsource "Kconfig.serial_recovery" +rsource "Kconfig.firmware_loader" + config BOOT_INTR_VEC_RELOC bool "Relocate the interrupt vector to the application" default n diff --git a/boot/zephyr/Kconfig.firmware_loader b/boot/zephyr/Kconfig.firmware_loader new file mode 100644 index 000000000..1ba223949 --- /dev/null +++ b/boot/zephyr/Kconfig.firmware_loader 
@@ -0,0 +1,47 @@ +# Copyright (c) 2023 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: Apache-2.0 + +if BOOT_FIRMWARE_LOADER + +menu "Firmware loader entrance methods" + +menuconfig BOOT_FIRMWARE_LOADER_ENTRANCE_GPIO + bool "GPIO" + depends on GPIO + help + Use a GPIO to enter firmware loader mode. + +config BOOT_FIRMWARE_LOADER_DETECT_DELAY + int "Serial detect pin detection delay time [ms]" + default 0 + depends on BOOT_FIRMWARE_LOADER_ENTRANCE_GPIO + help + Used to prevent the bootloader from loading on button press. + Useful for powering on when using the same button as + the one used to place the device in bootloader mode. + +config BOOT_FIRMWARE_LOADER_BOOT_MODE + bool "Check boot mode via retention subsystem" + depends on RETENTION_BOOT_MODE + help + Allows for entering firmware loader mode by using Zephyr's boot mode + retention system (i.e. an application must set the boot mode to stay + in firmware loader mode and reboot the module). + +config BOOT_FIRMWARE_LOADER_NO_APPLICATION + bool "Stay in bootloader if no application" + help + Allows for entering firmware loader mode if there is no bootable + application that the bootloader can jump to. + +config BOOT_FIRMWARE_LOADER_PIN_RESET + bool "Check for device reset by pin" + select HWINFO + help + Checks if the module reset was caused by the reset pin and will + remain in bootloader firmware loader mode if it was. + +endmenu + +endif diff --git a/boot/zephyr/Kconfig.serial_recovery b/boot/zephyr/Kconfig.serial_recovery index c73baddf0..74bced750 100644 --- a/boot/zephyr/Kconfig.serial_recovery +++ b/boot/zephyr/Kconfig.serial_recovery @@ -13,6 +13,7 @@ menuconfig MCUBOOT_SERIAL select BASE64 select CRC select ZCBOR + depends on !BOOT_FIRMWARE_LOADER help If y, enables a serial-port based update mode. This allows MCUboot itself to load update images into flash over a UART. diff --git a/boot/zephyr/firmware_loader.c b/boot/zephyr/firmware_loader.c new file mode 100644 index 000000000..38b121cd4 
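Review bot: The prompt for `BOOT_FIRMWARE_LOADER_DETECT_DELAY`, `int "Serial detect pin detection delay time [ms]"`, and its help text ("prevent the bootloader from loading on button press") read as copied from the serial-recovery option and will mislead in menuconfig, where this symbol sits under "Firmware loader entrance methods". Suggest `int "Firmware loader detect pin detection delay time [ms]"` and help wording that names the firmware loader. The help for `BOOT_FIRMWARE_LOADER_PIN_RESET` has the same drift ("remain in bootloader firmware loader mode").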
--- /dev/null +++ b/boot/zephyr/firmware_loader.c 
@@ -0,0 +1,194 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * Copyright (c) 2020 Arm Limited + * Copyright (c) 2020-2023 Nordic Semiconductor ASA + */ + +#include +#include +#include +#include +#include "bootutil/image.h" +#include "bootutil_priv.h" +#include "bootutil/bootutil_log.h" +#include "bootutil/bootutil_public.h" +#include "bootutil/fault_injection_hardening.h" + +#include "io/io.h" +#include "mcuboot_config/mcuboot_config.h" + +BOOT_LOG_MODULE_DECLARE(mcuboot); + +/* Variables passed outside of unit via poiters. */ +static const struct flash_area *_fa_p; +static struct image_header _hdr = { 0 }; + +#if defined(MCUBOOT_VALIDATE_PRIMARY_SLOT) || defined(MCUBOOT_VALIDATE_PRIMARY_SLOT_ONCE) +/** + * Validate hash of a primary boot image. + * + * @param[in] fa_p flash area pointer + * @param[in] hdr boot image header pointer + * + * @return FIH_SUCCESS on success, error code otherwise + */ +fih_ret +boot_image_validate(const struct flash_area *fa_p, + struct image_header *hdr) +{ + static uint8_t tmpbuf[BOOT_TMPBUF_SZ]; + FIH_DECLARE(fih_rc, FIH_FAILURE); + + /* NOTE: The first argument to boot_image_validate, for enc_state pointer, + * is allowed to be NULL only because the single image loader compiles + * with BOOT_IMAGE_NUMBER == 1, which excludes the code that uses + * the pointer from compilation. + */ + /* Validate hash */ + if (IS_ENCRYPTED(hdr)) + { + /* Clear the encrypted flag we didn't supply a key + * This flag could be set if there was a decryption in place + * was performed. 
We will try to validate the image, and if still + * encrypted the validation will fail, and go in panic mode + */ + hdr->ih_flags &= ~(ENCRYPTIONFLAGS); + } + FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, hdr, fa_p, tmpbuf, + BOOT_TMPBUF_SZ, NULL, 0, NULL); + + FIH_RET(fih_rc); +} +#endif /* MCUBOOT_VALIDATE_PRIMARY_SLOT || MCUBOOT_VALIDATE_PRIMARY_SLOT_ONCE*/ + +inline static fih_ret +boot_image_validate_once(const struct flash_area *fa_p, + struct image_header *hdr) +{ + static struct boot_swap_state state; + int rc; + FIH_DECLARE(fih_rc, FIH_FAILURE); + + memset(&state, 0, sizeof(struct boot_swap_state)); + rc = boot_read_swap_state(fa_p, &state); + if (rc != 0) + FIH_RET(FIH_FAILURE); + if (state.magic != BOOT_MAGIC_GOOD + || state.image_ok != BOOT_FLAG_SET) { + /* At least validate the image once */ + FIH_CALL(boot_image_validate, fih_rc, fa_p, hdr); + if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { + FIH_RET(FIH_FAILURE); + } + if (state.magic != BOOT_MAGIC_GOOD) { + rc = boot_write_magic(fa_p); + if (rc != 0) + FIH_RET(FIH_FAILURE); + } + rc = boot_write_image_ok(fa_p); + if (rc != 0) + FIH_RET(FIH_FAILURE); + } + FIH_RET(FIH_SUCCESS); +} + +/** + * Validates that an image in a slot is OK to boot. + * + * @param[in] slot Slot number to check + * @param[out] rsp Parameters for booting image, on success + * + * @return FIH_SUCCESS on success; non-zero on failure. 
+ */ +static fih_ret validate_image_slot(int slot, struct boot_rsp *rsp) +{ + int rc = -1; + FIH_DECLARE(fih_rc, FIH_FAILURE); + + rc = flash_area_open(slot, &_fa_p); + assert(rc == 0); + + rc = boot_image_load_header(_fa_p, &_hdr); + if (rc != 0) { + goto other; + } + +#ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT + FIH_CALL(boot_image_validate, fih_rc, _fa_p, &_hdr); + if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { + goto other; + } +#elif defined(MCUBOOT_VALIDATE_PRIMARY_SLOT_ONCE) + FIH_CALL(boot_image_validate_once, fih_rc, _fa_p, &_hdr); + if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { + goto other; + } +#else + fih_rc = FIH_SUCCESS; +#endif /* MCUBOOT_VALIDATE_PRIMARY_SLOT */ + + rsp->br_flash_dev_id = flash_area_get_device_id(_fa_p); + rsp->br_image_off = flash_area_get_off(_fa_p); + rsp->br_hdr = &_hdr; + +other: + flash_area_close(_fa_p); + + FIH_RET(fih_rc); +} + +/** + * Gather information on image and prepare for booting. Will boot from main + * image if none of the enabled entrance modes for the firmware loader are set, + * otherwise will boot the firmware loader. Note: firmware loader must be a + * valid signed image with the same signing key as the application image. + * + * @param[out] rsp Parameters for booting image, on success + * + * @return FIH_SUCCESS on success; non-zero on failure. + */ +fih_ret +boot_go(struct boot_rsp *rsp) +{ + bool boot_firmware_loader = false; + FIH_DECLARE(fih_rc, FIH_FAILURE); + +#ifdef CONFIG_BOOT_FIRMWARE_LOADER_ENTRANCE_GPIO + if (io_detect_pin() && + !io_boot_skip_serial_recovery()) { + boot_firmware_loader = true; + } +#endif + +#ifdef CONFIG_BOOT_FIRMWARE_LOADER_PIN_RESET + if (io_detect_pin_reset()) { + boot_firmware_loader = true; + } +#endif + +#ifdef CONFIG_BOOT_FIRMWARE_LOADER_BOOT_MODE + if (io_detect_boot_mode()) { + boot_firmware_loader = true; + } +#endif + + /* Check if firmware loader button is pressed. 
TODO: check all entrance methods */ + if (boot_firmware_loader == true) { + FIH_CALL(validate_image_slot, fih_rc, FLASH_AREA_IMAGE_SECONDARY(0), rsp); + + if (FIH_EQ(fih_rc, FIH_SUCCESS)) { + FIH_RET(fih_rc); + } + } + + FIH_CALL(validate_image_slot, fih_rc, FLASH_AREA_IMAGE_PRIMARY(0), rsp); + +#ifdef CONFIG_BOOT_FIRMWARE_LOADER_NO_APPLICATION + if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { + FIH_CALL(validate_image_slot, fih_rc, FLASH_AREA_IMAGE_SECONDARY(0), rsp); + } +#endif + + FIH_RET(fih_rc); +} diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index 04e4c599c..a9c52bdaf 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -88,6 +88,10 @@ #define IMAGE_EXECUTABLE_RAM_SIZE CONFIG_BOOT_IMAGE_EXECUTABLE_RAM_SIZE #endif +#ifdef CONFIG_BOOT_FIRMWARE_LOADER +#define MCUBOOT_FIRMWARE_LOADER +#endif + #ifdef CONFIG_UPDATEABLE_IMAGE_NUMBER #define MCUBOOT_IMAGE_NUMBER CONFIG_UPDATEABLE_IMAGE_NUMBER #else diff --git a/boot/zephyr/io.c b/boot/zephyr/io.c index 6d3b01ef5..fc1966d7f 100644 --- a/boot/zephyr/io.c +++ b/boot/zephyr/io.c @@ -29,11 +29,11 @@ #include "target.h" -#if defined(CONFIG_BOOT_SERIAL_PIN_RESET) +#if defined(CONFIG_BOOT_SERIAL_PIN_RESET) || defined(CONFIG_BOOT_FIRMWARE_LOADER_PIN_RESET) #include #endif -#if defined(CONFIG_BOOT_SERIAL_BOOT_MODE) +#if defined(CONFIG_BOOT_SERIAL_BOOT_MODE) || defined(CONFIG_BOOT_FIRMWARE_LOADER_BOOT_MODE) #include #endif @@ -48,6 +48,16 @@ #endif #endif +/* Validate firmware loader configuration */ +#ifdef CONFIG_BOOT_FIRMWARE_LOADER +#if !defined(CONFIG_BOOT_FIRMWARE_LOADER_ENTRANCE_GPIO) && \ + !defined(CONFIG_BOOT_FIRMWARE_LOADER_BOOT_MODE) && \ + !defined(CONFIG_BOOT_FIRMWARE_LOADER_NO_APPLICATION) && \ + !defined(CONFIG_BOOT_FIRMWARE_LOADER_PIN_RESET) +#error "Firmware loader selected without an entrance mode set" +#endif +#endif + #ifdef CONFIG_MCUBOOT_INDICATION_LED /* 
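Review bot: In `validate_image_slot()` the `#else fih_rc = FIH_SUCCESS;` branch means that when neither `MCUBOOT_VALIDATE_PRIMARY_SLOT` nor `MCUBOOT_VALIDATE_PRIMARY_SLOT_ONCE` is defined, the secondary-slot firmware loader is booted as soon as `boot_image_load_header()` succeeds, with no signature check, yet the `boot_go()` docstring and the Kconfig help in `boot/zephyr/Kconfig` ("must be signed with the same signing key") state that requirement as if it were enforced. Since the entrance methods are physical-access triggers (button, reset pin, boot mode), either document that the guarantee depends on primary-slot validation being enabled, or reject the secondary slot on that configuration (an `#error` under `MCUBOOT_FIRMWARE_LOADER`, or `goto other` in that branch). Separately, `assert(rc == 0)` after `flash_area_open()` is the only check; with asserts compiled out a failed open continues into `boot_image_load_header(_fa_p, ...)` and `flash_area_close(_fa_p)`, so `if (rc != 0) { FIH_RET(FIH_FAILURE); }` should precede the header load. The comment `/* Check if firmware loader button is pressed. TODO: check all entrance methods */` is stale, as every enabled entrance method is already evaluated above it.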
@@ -80,10 +90,13 @@ void io_led_init(void) } #endif /* CONFIG_MCUBOOT_INDICATION_LED */ -#if defined(CONFIG_BOOT_SERIAL_ENTRANCE_GPIO) || defined(CONFIG_BOOT_USB_DFU_GPIO) +#if defined(CONFIG_BOOT_SERIAL_ENTRANCE_GPIO) || defined(CONFIG_BOOT_USB_DFU_GPIO) || \ + defined(CONFIG_BOOT_FIRMWARE_LOADER_ENTRANCE_GPIO) #if defined(CONFIG_MCUBOOT_SERIAL) #define BUTTON_0_DETECT_DELAY CONFIG_BOOT_SERIAL_DETECT_DELAY +#elif defined(CONFIG_BOOT_FIRMWARE_LOADER) +#define BUTTON_0_DETECT_DELAY CONFIG_BOOT_FIRMWARE_LOADER_DETECT_DELAY #else #define BUTTON_0_DETECT_DELAY CONFIG_BOOT_USB_DFU_DETECT_DELAY #endif @@ -152,7 +165,7 @@ bool io_detect_pin(void) } #endif -#if defined(CONFIG_BOOT_SERIAL_PIN_RESET) +#if defined(CONFIG_BOOT_SERIAL_PIN_RESET) || defined(CONFIG_BOOT_FIRMWARE_LOADER_PIN_RESET) bool io_detect_pin_reset(void) { uint32_t reset_cause; @@ -169,7 +182,7 @@ bool io_detect_pin_reset(void) } #endif -#if defined(CONFIG_BOOT_SERIAL_BOOT_MODE) +#if defined(CONFIG_BOOT_SERIAL_BOOT_MODE) || defined(CONFIG_BOOT_FIRMWARE_LOADER_BOOT_MODE) bool io_detect_boot_mode(void) { int32_t boot_mode; From 05d11942774fc15b90af101232ec5305051216ec Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 16 Aug 2023 07:39:37 +0100 Subject: [PATCH 058/113] docs: release: Add note on firmware loader mode Adds a note on the new firmware loader operation type Signed-off-by: Jamie McCrae --- docs/release-notes.d/zephyr-firmware-loader.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 docs/release-notes.d/zephyr-firmware-loader.md diff --git a/docs/release-notes.d/zephyr-firmware-loader.md b/docs/release-notes.d/zephyr-firmware-loader.md new file mode 100644 index 000000000..8f6acf455 --- /dev/null +++ b/docs/release-notes.d/zephyr-firmware-loader.md 
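Review bot: The new `#elif defined(CONFIG_BOOT_FIRMWARE_LOADER)` arm selects `CONFIG_BOOT_FIRMWARE_LOADER_DETECT_DELAY`, but Kconfig.firmware_loader only defines that symbol when `BOOT_FIRMWARE_LOADER_ENTRANCE_GPIO` is set, while the enclosing `#if` is also entered via `CONFIG_BOOT_USB_DFU_GPIO`. If firmware loader mode is built with USB DFU GPIO but without the GPIO entrance option, `BUTTON_0_DETECT_DELAY` expands to an undefined identifier (presumably a compile error at `if (BUTTON_0_DETECT_DELAY > 0)` further down in `io_detect_pin()`); whether that combination is permitted is not visible here. Matching the guard to the Kconfig dependency, `#elif defined(CONFIG_BOOT_FIRMWARE_LOADER_ENTRANCE_GPIO)`, removes the question.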
@@ -0,0 +1,4 @@ +- Added firmware loader configuration type support for Zephyr, this + allows for a single application slot and firmware loader image in + the secondary slot which is used to update the primary image + (loading it in any way it sees fit e.g. via Bluetooth). From ab99fe28122aea665161c4762567b56cc67762d5 Mon Sep 17 00:00:00 2001 From: Samuel Tardieu Date: Sun, 19 Nov 2023 11:04:39 +0100 Subject: [PATCH 059/113] scripts: add missing pyyaml dependency `pyyaml` is a dependency introduced in `imgtool dumpinfo` Signed-off-by: Samuel Tardieu --- scripts/requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/requirements.txt b/scripts/requirements.txt index 244692809..79883b6da 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -2,3 +2,4 @@ cryptography>=2.6 intelhex click cbor2 +pyyaml From c43a20fd193dc445faa9b7f0d2ed77759a6aca8f Mon Sep 17 00:00:00 2001 From: Andrej Butok Date: Tue, 5 Dec 2023 13:30:54 +0100 Subject: [PATCH 060/113] boot: zephyr: add support for mimxrt1040_evk Add default configuration for mimxrt1040_evk. Signed-off-by: Andrej Butok --- boot/zephyr/boards/mimxrt1040_evk.conf | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 boot/zephyr/boards/mimxrt1040_evk.conf diff --git a/boot/zephyr/boards/mimxrt1040_evk.conf b/boot/zephyr/boards/mimxrt1040_evk.conf new file mode 100644 index 000000000..35f90d455 --- /dev/null +++ b/boot/zephyr/boards/mimxrt1040_evk.conf @@ -0,0 +1,4 @@ +# Copyright 2023 NXP +# SPDX-License-Identifier: Apache-2.0 + +CONFIG_BOOT_MAX_IMG_SECTORS=1024 From d99154f441191fc8b13a5ca506c2887466d7ceea Mon Sep 17 00:00:00 2001 
From: Piotr Dymacz Date: Tue, 5 Dec 2023 13:41:59 +0100 Subject: [PATCH 061/113] zephyr: rename 'led_init()' to 'io_led_init()' This fixes below warning when building with 'MCUBOOT_INDICATION_LED' enabled: mcuboot/boot/zephyr/main.c:410:5: warning: implicit declaration of function 'led_init'; did you mean 'io_led_init'? [-Wimplicit-function-declaration] 410 | led_init(); | ^~~~~~~~ | io_led_init Fixes: 433b8480 ("zephyr: Move IO functions out of main to separate file") Signed-off-by: Piotr Dymacz --- boot/zephyr/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index abd2fe6eb..91c9b9b9d 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -407,7 +407,7 @@ int main(void) #ifdef CONFIG_MCUBOOT_INDICATION_LED /* LED init */ - led_init(); + io_led_init(); #endif os_heap_init(); From 8c6c67016acf0e312c5933b926bb3ce6b434dfe0 Mon Sep 17 00:00:00 2001 From: Piotr Dymacz Date: Tue, 5 Dec 2023 14:05:38 +0100 Subject: [PATCH 062/113] zephyr: io: include 'bootutil_log.h' and declare log module membership This fixes below error when building with 'MCUBOOT_INDICATION_LED' and 'LOG' enabled: In file included from zephyr/include/zephyr/logging/log.h:11, from zephyr/include/zephyr/usb/usb_device.h:43, from bootloader/mcuboot/boot/zephyr/io.c:26: mcuboot/boot/zephyr/io.c: In function 'io_led_init': zephyr/include/zephyr/logging/log_core.h:151:20: error: '__log_level' undeclared (first use in this function) 151 | (_level <= __log_level) && \ | ^~~~~~~~~~~ Fixes: 433b8480 ("zephyr: Move IO functions out of main to separate file") Signed-off-by: Piotr Dymacz --- boot/zephyr/io.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/boot/zephyr/io.c b/boot/zephyr/io.c index fc1966d7f..e6d54d3c7 100644 --- a/boot/zephyr/io.c +++ b/boot/zephyr/io.c 
@@ -28,6 +28,7 @@ #include #include "target.h" +#include "bootutil/bootutil_log.h" #if defined(CONFIG_BOOT_SERIAL_PIN_RESET) || defined(CONFIG_BOOT_FIRMWARE_LOADER_PIN_RESET) #include @@ -78,6 +79,8 @@ static const struct gpio_dt_spec led0 = GPIO_DT_SPEC_GET(LED0_NODE, gpios); #error "Unsupported board: led0 devicetree alias is not defined" #endif +BOOT_LOG_MODULE_DECLARE(mcuboot); + void io_led_init(void) { if (!device_is_ready(led0.port)) { From 2a74a2b580035e767f4a4ead2b7c8b9253872276 Mon Sep 17 00:00:00 2001 From: Piotr Dymacz Date: Tue, 5 Dec 2023 14:26:22 +0100 Subject: [PATCH 063/113] zephyr: io: add 'io_led_set()' The static declaration of 'led0' was moved to 'io.c' which broke building with the 'MCUBOOT_INDICATION_LED' enabled: mcuboot/boot/zephyr/main.c:380:22: error: 'led0' undeclared (first use in this function) 380 | gpio_pin_set_dt(&led0, 1); | ^~~~ This adds simple function 'io_led_set()' for changing LED's value. Fixes: 433b8480 ("zephyr: Move IO functions out of main to separate file") Signed-off-by: Piotr Dymacz --- boot/zephyr/include/io/io.h | 5 +++++ boot/zephyr/io.c | 5 +++++ boot/zephyr/main.c | 8 ++++---- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/boot/zephyr/include/io/io.h b/boot/zephyr/include/io/io.h index 332eefbd8..145530bb8 100644 --- a/boot/zephyr/include/io/io.h +++ b/boot/zephyr/include/io/io.h @@ -34,6 +34,11 @@ extern "C" { */ void io_led_init(void); +/* + * Sets value of the configured LED. + */ +void io_led_set(int value); + /* * Checks if GPIO is set in the required way to remain in serial recovery mode * diff --git a/boot/zephyr/io.c b/boot/zephyr/io.c index e6d54d3c7..309f1ab94 100644 --- a/boot/zephyr/io.c +++ b/boot/zephyr/io.c 
@@ -91,6 +91,11 @@ void io_led_init(void) gpio_pin_configure_dt(&led0, GPIO_OUTPUT); gpio_pin_set_dt(&led0, 0); } + +void io_led_set(int value) +{ + gpio_pin_set_dt(&led0, value); +} #endif /* CONFIG_MCUBOOT_INDICATION_LED */ #if defined(CONFIG_BOOT_SERIAL_ENTRANCE_GPIO) || defined(CONFIG_BOOT_USB_DFU_GPIO) || \ diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 91c9b9b9d..c6a0f74ae 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -377,7 +377,7 @@ static void boot_serial_enter() int rc; #ifdef CONFIG_MCUBOOT_INDICATION_LED - gpio_pin_set_dt(&led0, 1); + io_led_set(1); #endif mcuboot_status_change(MCUBOOT_STATUS_SERIAL_DFU_ENTERED); @@ -434,7 +434,7 @@ int main(void) #if defined(CONFIG_BOOT_USB_DFU_GPIO) if (io_detect_pin()) { #ifdef CONFIG_MCUBOOT_INDICATION_LED - gpio_pin_set_dt(&led0, 1); + io_led_set(1); #endif mcuboot_status_change(MCUBOOT_STATUS_USB_DFU_ENTERED); @@ -475,7 +475,7 @@ int main(void) uint32_t start = k_uptime_get_32(); #ifdef CONFIG_MCUBOOT_INDICATION_LED - gpio_pin_set_dt(&led0, 1); + io_led_set(1); #endif #endif @@ -499,7 +499,7 @@ int main(void) boot_serial_check_start(&boot_funcs,timeout_in_ms); #ifdef CONFIG_MCUBOOT_INDICATION_LED - gpio_pin_set_dt(&led0, 0); + io_led_set(0); #endif #endif From a88e229346204c09b6292f49e4481627254946e7 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Thu, 7 Dec 2023 09:40:51 +0000 Subject: [PATCH 064/113] zephyr: sysflash: Fix if condition for zephyr applications Fixes an issue when sysflash is included by zephyr (non-mcuboot) applications Signed-off-by: Jamie McCrae --- boot/zephyr/include/sysflash/sysflash.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index 646f1122f..890e69d98 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h 
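Review bot: `io_led_set()` calls `gpio_pin_set_dt(&led0, value)` unconditionally, whereas `io_led_init()` just above returns early when `device_is_ready(led0.port)` is false, so the main.c call sites in the later hunks can drive a device that init declined to configure; the return code is also discarded. Suggest mirroring the init guard, `if (!device_is_ready(led0.port)) { return; }`, or a comment on the definition stating that `io_led_set()` must only be called after a successful `io_led_init()`. A one-line doc comment matching the one added in io.h would also help readers of io.c.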
@@ -12,7 +12,7 @@ #include #include -#ifndef CONFIG_SINGLE_APPLICATION_SLOT +#if !defined(CONFIG_SINGLE_APPLICATION_SLOT) && !defined(CONFIG_MCUBOOT_BOOTLOADER_MODE_SINGLE_APP) /* Each pair of slots is separated by , and there is no terminating character */ #define FLASH_AREA_IMAGE_0_SLOTS slot0_partition, slot1_partition @@ -50,7 +50,7 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #define FLASH_AREA_IMAGE_SCRATCH FIXED_PARTITION_ID(scratch_partition) #endif -#else /* CONFIG_SINGLE_APPLICATION_SLOT */ +#else /* !CONFIG_SINGLE_APPLICATION_SLOT && !CONFIG_MCUBOOT_BOOTLOADER_MODE_SINGLE_APP */ #define FLASH_AREA_IMAGE_PRIMARY(x) FIXED_PARTITION_ID(slot0_partition) #define FLASH_AREA_IMAGE_SECONDARY(x) FIXED_PARTITION_ID(slot0_partition) From 212997395ed34ff1721f5f4461b800e81abeb68d Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Thu, 7 Dec 2023 09:41:55 +0000 Subject: [PATCH 065/113] zephyr: firmware/single_loader: Fix compile warning Fixes an issue of an unused function calling an undefined function Signed-off-by: Jamie McCrae --- boot/zephyr/firmware_loader.c | 2 ++ boot/zephyr/single_loader.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/boot/zephyr/firmware_loader.c b/boot/zephyr/firmware_loader.c index 38b121cd4..11b461c41 100644 --- a/boot/zephyr/firmware_loader.c +++ b/boot/zephyr/firmware_loader.c @@ -62,6 +62,7 @@ boot_image_validate(const struct flash_area *fa_p, } #endif /* MCUBOOT_VALIDATE_PRIMARY_SLOT || MCUBOOT_VALIDATE_PRIMARY_SLOT_ONCE*/ +#if defined(MCUBOOT_VALIDATE_PRIMARY_SLOT_ONCE) inline static fih_ret boot_image_validate_once(const struct flash_area *fa_p, struct image_header *hdr) @@ -92,6 +93,7 @@ boot_image_validate_once(const struct flash_area *fa_p, } FIH_RET(FIH_SUCCESS); } +#endif /** * Validates that an image in a slot is OK to boot. diff --git a/boot/zephyr/single_loader.c b/boot/zephyr/single_loader.c index 5d1e76fcf..75374d2db 100644 --- a/boot/zephyr/single_loader.c +++ b/boot/zephyr/single_loader.c 
@@ -58,6 +58,7 @@ boot_image_validate(const struct flash_area *fa_p, } #endif /* MCUBOOT_VALIDATE_PRIMARY_SLOT || MCUBOOT_VALIDATE_PRIMARY_SLOT_ONCE*/ +#if defined(MCUBOOT_VALIDATE_PRIMARY_SLOT_ONCE) inline static fih_ret boot_image_validate_once(const struct flash_area *fa_p, struct image_header *hdr) @@ -88,6 +89,7 @@ boot_image_validate_once(const struct flash_area *fa_p, } FIH_RET(FIH_SUCCESS); } +#endif /** * Gather information on image and prepare for booting. From c5d4f7baedc3ff3bcd36bc02d08df3cd0ca698c0 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:41 +0000 Subject: [PATCH 066/113] Revert "[nrf noup] boards: thingy53: disable GPIO ISR support" This reverts commit adab597a0eb0eb9c030a7b797748a49ca89988c2. Signed-off-by: Dominik Ermel --- boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf index e10656678..7d3bc0bec 100644 --- a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf +++ b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf @@ -21,7 +21,6 @@ CONFIG_UART_LINE_CTRL=y # MCUBoot serial CONFIG_GPIO=y -CONFIG_GPIO_NRFX_INTERRUPT=n CONFIG_MCUBOOT_SERIAL=y CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y CONFIG_BOOT_SERIAL_CDC_ACM=y From 877be0c3b1aeb9cdf761c08c99f1c63fdd9bb3c2 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:41 +0000 Subject: [PATCH 067/113] Revert "[nrf noup] crypto: ecdsa: Fix shared crypto MCUBoot EXT_ABI" This reverts commit 289166425805f937abfe9058f57323085ec96523. Signed-off-by: Dominik Ermel --- boot/bootutil/include/bootutil/crypto/ecdsa.h | 43 +++++++++---------- boot/zephyr/prj_minimal.conf | 4 +- 2 files changed, 23 insertions(+), 24 deletions(-) diff --git a/boot/bootutil/include/bootutil/crypto/ecdsa.h b/boot/bootutil/include/bootutil/crypto/ecdsa.h index 0c0f16a6b..e577f988d 100644 --- a/boot/bootutil/include/bootutil/crypto/ecdsa.h 
+++ b/boot/bootutil/include/bootutil/crypto/ecdsa.h @@ -73,15 +73,14 @@ #if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) #include - #define NUM_ECC_BYTES (256 / 8) + #define BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE (4 * 8) #endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */ #ifdef __cplusplus extern "C" { #endif -#if defined(MCUBOOT_USE_TINYCRYPT) || defined(MCUBOOT_USE_MBED_TLS) || defined(MCUBOOT_USE_CC310) \ - || defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) +#if defined(MCUBOOT_USE_TINYCRYPT) || defined(MCUBOOT_USE_MBED_TLS) || defined(MCUBOOT_USE_CC310) /* * Declaring these like this adds NULL termination. */ 
@@ -603,45 +602,43 @@ static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx, #endif /* MCUBOOT_USE_MBED_TLS */ #if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) -typedef uintptr_t bootutil_ecdsa_context; -static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx) +typedef uintptr_t bootutil_ecdsa_p256_context; + +static inline void bootutil_ecdsa_p256_init(bootutil_ecdsa_p256_context *ctx) { (void)ctx; } -static inline void bootutil_ecdsa_drop(bootutil_ecdsa_context *ctx) +static inline void bootutil_ecdsa_p256_drop(bootutil_ecdsa_p256_context *ctx) { (void)ctx; } -static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx, - uint8_t *pk, size_t pk_len, - uint8_t *hash, size_t hash_len, - uint8_t *sig, size_t sig_len) +static inline int bootutil_ecdsa_p256_verify(bootutil_ecdsa_p256_context *ctx, + uint8_t *pk, size_t pk_len, + uint8_t *hash, + uint8_t *sig, size_t sig_len) { (void)ctx; (void)pk_len; - (void)hash_len; uint8_t dsig[2 * NUM_ECC_BYTES]; if (bootutil_decode_sig(dsig, sig, sig + sig_len)) { return -1; } - /* Only support uncompressed keys. */ - if (pk[0] != 0x04) { - return -1; - } - pk++; + /* As described on the compact representation in IETF protocols, + * the first byte of the key defines if the ECC points are + * compressed (0x2 or 0x3) or uncompressed (0x4). + * We only support uncompressed keys. + */ + if (pk[0] != 0x04) + return -1; - return bl_secp256r1_validate(hash, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE, pk, dsig); -} + pk++; -static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx, - uint8_t **cp,uint8_t *end) -{ - (void)ctx; - return bootutil_import_key(cp, end); + return bl_secp256r1_validate(hash, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE, + pk, dsig); } #endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */ diff --git a/boot/zephyr/prj_minimal.conf b/boot/zephyr/prj_minimal.conf index 1f90e708b..9f7688859 100644 --- a/boot/zephyr/prj_minimal.conf +++ b/boot/zephyr/prj_minimal.conf 
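Review bot: In the restored `bootutil_ecdsa_p256_verify()`, `pk_len` is discarded with `(void)pk_len;` and then `pk[0]` is read and `pk + 1` is passed to `bl_secp256r1_validate()` as a full point, so a short or truncated key is not rejected at this layer; presumably the caller guarantees the length, but a check such as `if (pk_len < 1 + 2 * NUM_ECC_BYTES) { return -1; }` before the `0x04` test would make the contract local. `dsig[2 * NUM_ECC_BYTES]` also still depends on `NUM_ECC_BYTES` after the preceding hunk (`@@ -73,15 +73,14 @@`) drops `#define NUM_ECC_BYTES (256 / 8)` from the `MCUBOOT_USE_NRF_EXTERNAL_CRYPTO` section; confirm the included header provides it for that build. The unbraced `if (pk[0] != 0x04) return -1;` is the only unbraced conditional in the block; braces would match the surrounding style.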
@@ -11,8 +11,10 @@ CONFIG_FLASH=y CONFIG_FPROTECT=y CONFIG_PM=n +CONFIG_BOOT_ENCRYPT_EC256=n +CONFIG_BOOT_ENCRYPT_RSA=n +CONFIG_BOOT_ENCRYPT_X25519=n CONFIG_BOOT_SWAP_SAVE_ENCTLV=n -CONFIG_BOOT_ENCRYPT_IMAGE=n CONFIG_BOOT_BOOTSTRAP=n CONFIG_BOOT_UPGRADE_ONLY=n From 1b9a2ad41e746c43d9494e61deb43c0423a2caf6 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:41 +0000 Subject: [PATCH 068/113] =?UTF-8?q?Revert=20"[nrf=20noup]=C2=A0loader:=20A?= =?UTF-8?q?dd=20firmware=20version=20check=20downgrade=20prevention"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit 4d9859acba20b5c84558f02b98f8fc82e523648b. Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 623f670a7..f357f7186 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -50,10 +50,6 @@ #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) #include -#ifdef CONFIG_PCD_READ_NETCORE_APP_VERSION -#include -int pcd_version_cmp_net(const struct flash_area *fap, struct image_header *hdr); -#endif #endif #ifdef MCUBOOT_ENC_IMAGES 
@@ -785,21 +781,9 @@ boot_validate_slot(struct boot_loader_state *state, int slot, #if defined(MCUBOOT_OVERWRITE_ONLY) && defined(MCUBOOT_DOWNGRADE_PREVENTION) if (slot != BOOT_PRIMARY_SLOT) { /* Check if version of secondary slot is sufficient */ - -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) \ - && defined(CONFIG_PCD_APP) && defined(CONFIG_PCD_READ_NETCORE_APP_VERSION) - if (BOOT_CURR_IMG(state) == 1) { - rc = pcd_version_cmp_net(fap, boot_img_hdr(state, BOOT_SECONDARY_SLOT)); - } else { - rc = boot_version_cmp( - &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, - &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); - } -#else - rc = boot_version_cmp( - &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, - &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); -#endif + rc = boot_version_cmp( + &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, + &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); if (rc < 0 && boot_check_header_erased(state, BOOT_PRIMARY_SLOT)) { BOOT_LOG_ERR("insufficient version in secondary slot"); flash_area_erase(fap, 0, flash_area_get_size(fap)); From 9de47c05bd604e4a4a94f098167152047c6d3797 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:41 +0000 Subject: [PATCH 069/113] Revert "[nrf noup] boot: zephyr: Boot even if EXT_ABI is not provided" This reverts commit 01f17ebce077e2f736c28ae4fb4215081e5b21b3. Signed-off-by: Dominik Ermel --- boot/zephyr/main.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 270397003..bb48c21c5 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c 
@@ -256,16 +256,13 @@ static void do_boot(struct boot_rsp *rsp) #endif #if defined(CONFIG_FW_INFO) && !defined(CONFIG_EXT_API_PROVIDE_EXT_API_UNUSED) - const struct fw_info *firmware_info = fw_info_find((uint32_t) vt); - bool provided = fw_info_ext_api_provide(firmware_info, true); + bool provided = fw_info_ext_api_provide(fw_info_find((uint32_t)vt), true); #ifdef PM_S0_ADDRESS /* Only fail if the immutable bootloader is present. */ if (!provided) { - if (firmware_info == NULL) { - BOOT_LOG_WRN("Unable to find firmware info structure in %p", vt); - } - BOOT_LOG_ERR("Failed to provide EXT_APIs to %p", vt); + BOOT_LOG_ERR("Failed to provide EXT_APIs\n"); + return; } #endif #endif From b046f52eb0c1ddbc66822353da51df19ec6ed895 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:41 +0000 Subject: [PATCH 070/113] Revert "[nrf noup] sysflash: pm_sysflash: Fix incorrect define exclude for NSIB" This reverts commit 862bca582b91398e5ed48d4f481c29cd7b6d6178. Signed-off-by: Dominik Ermel --- boot/zephyr/include/sysflash/pm_sysflash.h | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/boot/zephyr/include/sysflash/pm_sysflash.h b/boot/zephyr/include/sysflash/pm_sysflash.h index db60ddd03..b11b22180 100644 --- a/boot/zephyr/include/sysflash/pm_sysflash.h +++ b/boot/zephyr/include/sysflash/pm_sysflash.h @@ -15,15 +15,13 @@ #ifndef CONFIG_SINGLE_APPLICATION_SLOT -#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) +#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ + !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) + /* If B0 is present then two bootloaders are present, and we must use * a single secondary slot for both primary slots. */ extern uint32_t _image_1_primary_slot_id[]; -#endif /* (MCUBOOT_IMAGE_NUMBER == 2 && defined(PM_B0_ADDRESS) */ - -#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ - !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) #define FLASH_AREA_IMAGE_PRIMARY(x) \ ((x == 0) ? \ 
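Review bot: `BOOT_LOG_ERR("Failed to provide EXT_APIs\n");` carries a trailing `\n`; if BOOT_LOG_ERR maps to Zephyr's LOG_ERR, which terminates lines itself, the literal newline prints an empty line, and `BOOT_LOG_ERR("Failed to provide EXT_APIs");` matches the other calls. The new `return;` abandons the boot without recording why, so a comment on that line such as `/* The immutable bootloader (PM_S0_ADDRESS) is present: refuse to boot an image we could not hand the EXT_APIs to */` would spare the next reader a trip through the git history. do_boot() starts and ends outside this hunk.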
From 3d536185e6ec62725959cb10e293bff5b8a4af94 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:41 +0000 Subject: [PATCH 071/113] Revert "[nrf noup] zephyr: Add RAM flash configuration to cache for sysbuild" This reverts commit 9cd1de1148dc78cea02e6c8148975fb28d7f74ff. Signed-off-by: Dominik Ermel --- boot/zephyr/CMakeLists.txt | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 2e41259a4..9f707c6c0 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -352,14 +352,3 @@ zephyr_library_sources( ${BOOT_DIR}/zephyr/nrf_cleanup.c ) endif() - -if(SYSBUILD AND CONFIG_PCD_APP) - # Sysbuild requires details of the RAM flash device are stored to the cache of MCUboot so - # that they can be read when running partition manager - dt_nodelabel(ram_flash_dev NODELABEL flash_sim0) - dt_reg_addr(ram_flash_addr PATH ${ram_flash_dev}) - dt_reg_size(ram_flash_size PATH ${ram_flash_dev}) - - set(RAM_FLASH_ADDR "${ram_flash_addr}" CACHE STRING "" FORCE) - set(RAM_FLASH_SIZE "${ram_flash_size}" CACHE STRING "" FORCE) -endif() From 61d9ba8e3f1eb5f001cd516a941e320cc43de333 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:41 +0000 Subject: [PATCH 072/113] Revert "[nrf fromtree] bootutil: Add shared data support for XIP with revert mode" This reverts commit eb1ff87ed52724222a283f418e964c7158939856. Signed-off-by: Dominik Ermel --- boot/bootutil/src/boot_record.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/boot/bootutil/src/boot_record.c b/boot/bootutil/src/boot_record.c index 8f02fe626..343aba00d 100644 --- a/boot/bootutil/src/boot_record.c +++ b/boot/bootutil/src/boot_record.c 
@@ -240,11 +240,7 @@ int boot_save_shared_data(const struct image_header *hdr, const struct flash_are #elif defined(MCUBOOT_SWAP_USING_MOVE) uint8_t mode = MCUBOOT_MODE_SWAP_USING_MOVE; #elif defined(MCUBOOT_DIRECT_XIP) -#if defined(MCUBOOT_DIRECT_XIP_REVERT) - uint8_t mode = MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT; -#else uint8_t mode = MCUBOOT_MODE_DIRECT_XIP; -#endif #elif defined(MCUBOOT_RAM_LOAD) uint8_t mode = MCUBOOT_MODE_RAM_LOAD; #else From 57c2d479585b674f24a5d6f9494e8c5aac9d6ffc Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:41 +0000 Subject: [PATCH 073/113] Revert "[nrf fromtree] bootutil: Add mode for XIP with revert" This reverts commit c15589e1d04fa18cf0ef8a5f6f3eda4fd60bc656. Signed-off-by: Dominik Ermel --- boot/bootutil/include/bootutil/boot_status.h | 1 - 1 file changed, 1 deletion(-) diff --git a/boot/bootutil/include/bootutil/boot_status.h b/boot/bootutil/include/bootutil/boot_status.h index 149e45e87..27a41fd37 100644 --- a/boot/bootutil/include/bootutil/boot_status.h +++ b/boot/bootutil/include/bootutil/boot_status.h @@ -121,7 +121,6 @@ enum mcuboot_mode { MCUBOOT_MODE_UPGRADE_ONLY, MCUBOOT_MODE_SWAP_USING_MOVE, MCUBOOT_MODE_DIRECT_XIP, - MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT, MCUBOOT_MODE_RAM_LOAD }; From ce8da0f1439fab80e86e6f58ba69adf9bcd9d24e Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:41 +0000 Subject: [PATCH 074/113] Revert "[nrf fromtree] boot_serial: Fix include" This reverts commit ec0aa5f0adb239a7ae93d978cb65071cb39ecd8a. Signed-off-by: Dominik Ermel --- boot/boot_serial/src/boot_serial.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c index 3e3175ba4..cddf8e289 100644 --- a/boot/boot_serial/src/boot_serial.c +++ b/boot/boot_serial/src/boot_serial.c 
@@ -67,7 +67,10 @@ #include "boot_serial/boot_serial.h" #include "boot_serial_priv.h" #include "mcuboot_config/mcuboot_config.h" -#include "../src/bootutil_priv.h" + +#ifdef MCUBOOT_ERASE_PROGRESSIVELY +#include "bootutil_priv.h" +#endif #ifdef MCUBOOT_ENC_IMAGES #include "boot_serial/boot_serial_encryption.h" From d5a5e6dcf5a6c1d20876d557fcd073cb91d8e104 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:41 +0000 Subject: [PATCH 075/113] Revert "[nrf fromtree] zephyr: Fall back to minimal C library" This reverts commit 1e6532a4ee071e36baaff7bbe7b1096d5106441b. Signed-off-by: Dominik Ermel --- boot/zephyr/prj.conf | 2 -- 1 file changed, 2 deletions(-) diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 394a6e6dc..5e2c42a75 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -35,5 +35,3 @@ CONFIG_MCUBOOT_LOG_LEVEL_INF=y ### Decrease footprint by ~4 KB in comparison to CBPRINTF_COMPLETE=y CONFIG_CBPRINTF_NANO=y CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT=0 -### Use the minimal C library to reduce flash usage -CONFIG_MINIMAL_LIBC=y From 18a697277a688ac88cff9bc59705eced2025300e Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:41 +0000 Subject: [PATCH 076/113] Revert "[nrf fromtree] zephyr: Fix boot serial extensions" This reverts commit 100ea3d4545586deec92789cb4f309a7fbd8d199. Signed-off-by: Dominik Ermel --- boot/zephyr/boot_serial_extensions.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/boot/zephyr/boot_serial_extensions.c b/boot/zephyr/boot_serial_extensions.c index b8bcd3e95..baa151c7d 100644 --- a/boot/zephyr/boot_serial_extensions.c +++ b/boot/zephyr/boot_serial_extensions.c @@ -4,12 +4,9 @@ * SPDX-License-Identifier: Apache-2.0 */ -#include #include #include -#include -#include -#include <../subsys/mgmt/mcumgr/transport/include/mgmt/mcumgr/transport/smp_internal.h> +#include #include #include 
@@ -143,7 +140,7 @@ int bs_peruser_system_specific(const struct nmgr_hdr *hdr, const char *buffer, { int mgmt_rc = MGMT_ERR_ENOTSUP; - if (hdr->nh_group == ZEPHYR_MGMT_GRP_BASIC) { + if (hdr->nh_group == ZEPHYR_MGMT_GRP_BASE) { if (hdr->nh_op == NMGR_OP_WRITE) { #ifdef CONFIG_BOOT_MGMT_CUSTOM_STORAGE_ERASE if (hdr->nh_id == ZEPHYR_MGMT_GRP_BASIC_CMD_ERASE_STORAGE) { From 1478f7e7aa27eea023eb1189728bdd5d4cfe24ac Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:41 +0000 Subject: [PATCH 077/113] Revert "[nrf noup] booutil: loader: Do not check reset vector for XIP image" This reverts commit 4fe70b6e5a2c2c126e490b86d1edce0c3b5fd606. Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index f357f7186..385eabd2e 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -822,16 +822,6 @@ boot_validate_slot(struct boot_loader_state *state, int slot, * overwriting an application written to the incorrect slot. * This feature is only supported by ARM platforms. */ -#if MCUBOOT_IMAGE_NUMBER >= 3 - /* Currently the MCUboot can be configured for up to 3 image, where image number 2 is - * designated for XIP, where it is the second part of image stored in slots of image - * 0. This part of image is not bootable, as the XIP setup is done by the app in - * image 0 slot, and it does not carry the reset vector. - */ - if (area_id == FLASH_AREA_IMAGE_SECONDARY(2)) { - goto out; - } -#endif if (area_id == FLASH_AREA_IMAGE_SECONDARY(BOOT_CURR_IMG(state))) { const struct flash_area *pri_fa = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT); struct image_header *secondary_hdr = boot_img_hdr(state, slot); From 462c56bb91e09505590939a81373b480330f6402 Mon Sep 17 00:00:00 2001 
From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:41 +0000 Subject: [PATCH 078/113] Revert "[nrf noup] zephyr: Add support for three images" This reverts commit 5822244b43609099236584d932aecca616eabe94. Signed-off-by: Dominik Ermel --- boot/zephyr/include/sysflash/pm_sysflash.h | 80 ++++++++++------------ 1 file changed, 37 insertions(+), 43 deletions(-) diff --git a/boot/zephyr/include/sysflash/pm_sysflash.h b/boot/zephyr/include/sysflash/pm_sysflash.h index b11b22180..377291e8b 100644 --- a/boot/zephyr/include/sysflash/pm_sysflash.h +++ b/boot/zephyr/include/sysflash/pm_sysflash.h @@ -11,17 +11,37 @@ #include #include -#include #ifndef CONFIG_SINGLE_APPLICATION_SLOT -#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ - !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) +#if (MCUBOOT_IMAGE_NUMBER == 1) + +#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID + +#elif (MCUBOOT_IMAGE_NUMBER == 2) /* If B0 is present then two bootloaders are present, and we must use * a single secondary slot for both primary slots. */ +#if defined(PM_B0_ADDRESS) extern uint32_t _image_1_primary_slot_id[]; +#endif +#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) +#elif defined(PM_B0_ADDRESS) #define FLASH_AREA_IMAGE_PRIMARY(x) \ ((x == 0) ? \ 
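Review bot: The reintroduced `FLASH_AREA_IMAGE_PRIMARY(x)` / `FLASH_AREA_IMAGE_SECONDARY(x)` macros use their argument bare in `((x == 0) ? ... (x == 1) ? ...`, so an expression argument such as `img + 1` parses as `img + 1 == 0`; writing `(((x) == 0) ? \` and `((x) == 1) ? \` is the usual fix, and the same applies to the @@ -36 hunk of this file and to the sysflash.h @@ -4 hunk of patch 080. The `#if (MCUBOOT_IMAGE_NUMBER == 1)` / `#elif (MCUBOOT_IMAGE_NUMBER == 2)` chain has no `#else`, so three or more images leave both macros undefined and the failure surfaces only at their first use; an `#else` with `#error Unsupported number of images` reports it at the definition. The bare `255` fallback for an unknown index would also read better with a comment naming it as an invalid-area sentinel.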
@@ -36,52 +56,26 @@ extern uint32_t _image_1_primary_slot_id[]; (x == 1) ? \ PM_MCUBOOT_SECONDARY_ID: \ 255 ) - -#else /* MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ - * !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) - */ - -/* Each pair of slots is separated by , and there is no terminating character */ -#define FLASH_AREA_IMAGE_0_SLOTS PM_MCUBOOT_PRIMARY_ID, PM_MCUBOOT_SECONDARY_ID -#define FLASH_AREA_IMAGE_1_SLOTS PM_MCUBOOT_PRIMARY_1_ID, PM_MCUBOOT_SECONDARY_1_ID -#define FLASH_AREA_IMAGE_2_SLOTS PM_MCUBOOT_PRIMARY_2_ID, PM_MCUBOOT_SECONDARY_2_ID - -#if (MCUBOOT_IMAGE_NUMBER == 1) -#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS -#elif (MCUBOOT_IMAGE_NUMBER == 2) -#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS, \ - FLASH_AREA_IMAGE_1_SLOTS -#elif (MCUBOOT_IMAGE_NUMBER == 3) -#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS, \ - FLASH_AREA_IMAGE_1_SLOTS, \ - FLASH_AREA_IMAGE_2_SLOTS #else -#error Unsupported number of images -#endif -static inline uint32_t __flash_area_ids_for_slot(int img, int slot) -{ - static const int all_slots[] = { - ALL_AVAILABLE_SLOTS - }; - return all_slots[img * 2 + slot]; -}; +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) -#undef FLASH_AREA_IMAGE_0_SLOTS -#undef FLASH_AREA_IMAGE_1_SLOTS -#undef FLASH_AREA_IMAGE_2_SLOTS -#undef ALL_AVAILABLE_SLOTS +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? 
\ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) -#define FLASH_AREA_IMAGE_PRIMARY(x) __flash_area_ids_for_slot(x, 0) -#define FLASH_AREA_IMAGE_SECONDARY(x) __flash_area_ids_for_slot(x, 1) +#endif /* PM_B0_ADDRESS */ -#if !defined(CONFIG_BOOT_SWAP_USING_MOVE) -#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID #endif - -#endif /* MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ - * !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) - */ +#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID #else /* CONFIG_SINGLE_APPLICATION_SLOT */ From 50c51f76bc374499cb26f5b4f16f41157d60be30 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:42 +0000 Subject: [PATCH 079/113] Revert "[nrf noup] booutil: loader: Fixup for NSIB and multi-image" This reverts commit 745cf4e19836ce942694a117d4e0ebea5f90f56a. Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 385eabd2e..f4a74a956 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -967,6 +967,7 @@ boot_validated_swap_type(struct boot_loader_state *state, if(reset_addr < PM_CPUNET_B0N_ADDRESS) #endif { + const struct flash_area *nsib_fa; const struct flash_area *primary_fa; rc = flash_area_open(flash_area_id_from_multi_image_slot( BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT), @@ -977,9 +978,6 @@ boot_validated_swap_type(struct boot_loader_state *state, /* Check start and end of primary slot for current image */ if (reset_addr < primary_fa->fa_off) { -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) - const struct flash_area *nsib_fa; - /* NSIB upgrade slot */ rc = flash_area_open((uint32_t)_image_1_primary_slot_id, &nsib_fa); 
@@ -994,10 +992,6 @@ boot_validated_swap_type(struct boot_loader_state *state, /* Set primary to be NSIB upgrade slot */ BOOT_IMG_AREA(state, 0) = nsib_fa; } -#else - return BOOT_SWAP_TYPE_NONE; -#endif - } else if (reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { /* The image in the secondary slot is not intended for any */ return BOOT_SWAP_TYPE_NONE; From ef0171c9007202f0c798cf702f36970d60f9f510 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:42 +0000 Subject: [PATCH 080/113] Revert "[nrf noup] zephyr: Move partition manager definitions to pm_sysflash.h" This reverts commit 0383b7c29c5a93b5770d228e394f298dcde372f7. Signed-off-by: Dominik Ermel --- boot/zephyr/include/sysflash/pm_sysflash.h | 92 ---------------------- boot/zephyr/include/sysflash/sysflash.h | 90 +++++++++++++++++++-- 2 files changed, 85 insertions(+), 97 deletions(-) delete mode 100644 boot/zephyr/include/sysflash/pm_sysflash.h diff --git a/boot/zephyr/include/sysflash/pm_sysflash.h b/boot/zephyr/include/sysflash/pm_sysflash.h deleted file mode 100644 index 377291e8b..000000000 --- a/boot/zephyr/include/sysflash/pm_sysflash.h +++ /dev/null 
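Review bot: With the `#else return BOOT_SWAP_TYPE_NONE;` gone, a candidate whose reset vector lies below the primary slot but fails the inner NSIB range check (the block whose closing brace opens this hunk) now drops out of the `if` with no verdict and swap-type detection continues, while an address above the slot still returns BOOT_SWAP_TYPE_NONE; an `else { return BOOT_SWAP_TYPE_NONE; }` on that inner check, or a comment stating that such images are intentionally accepted, would close the gap. The @@ -977 hunk also makes `flash_area_open((uint32_t)_image_1_primary_slot_id, &nsib_fa)` unconditional inside `PM_S1_ADDRESS`, so every configuration reaching it must now declare `_image_1_primary_slot_id`. Neither `nsib_fa` nor `primary_fa` is closed on the visible paths, which matters if this port pairs flash_area_open() with flash_area_close(). boot_validated_swap_type() begins and ends outside these hunks.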
@@ -1,92 +0,0 @@ -/* - * Copyright (c) 2023 Nordic Semiconductor ASA - * - * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause - */ - -#ifndef __PM_SYSFLASH_H__ -#define __PM_SYSFLASH_H__ -/* Blocking the __SYSFLASH_H__ */ -#define __SYSFLASH_H__ - -#include -#include - -#ifndef CONFIG_SINGLE_APPLICATION_SLOT - -#if (MCUBOOT_IMAGE_NUMBER == 1) - -#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID - -#elif (MCUBOOT_IMAGE_NUMBER == 2) - -/* If B0 is present then two bootloaders are present, and we must use - * a single secondary slot for both primary slots. - */ -#if defined(PM_B0_ADDRESS) -extern uint32_t _image_1_primary_slot_id[]; -#endif -#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) -#elif defined(PM_B0_ADDRESS) - -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - (uint32_t)_image_1_primary_slot_id : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - 255 ) -#else - -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? 
\ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) - -#endif /* PM_B0_ADDRESS */ - -#endif -#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID - -#else /* CONFIG_SINGLE_APPLICATION_SLOT */ - -#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_PRIMARY_ID -/* NOTE: Scratch parition is not used by single image DFU but some of - * functions in common files reference it, so the definitions has been - * provided to allow compilation of common units. - */ -#define FLASH_AREA_IMAGE_SCRATCH 0 - -#endif /* CONFIG_SINGLE_APPLICATION_SLOT */ - -#endif /* __PM_SYSFLASH_H__ */ diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index 501c0b2e5..da21832a9 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h 
@@ -4,15 +4,93 @@ * SPDX-License-Identifier: Apache-2.0 */ -#if USE_PARTITION_MANAGER -/* Blocking the rest of the file */ +#ifndef __SYSFLASH_H__ #define __SYSFLASH_H__ -#include + +#if USE_PARTITION_MANAGER +#include +#include + +#ifndef CONFIG_SINGLE_APPLICATION_SLOT + +#if (MCUBOOT_IMAGE_NUMBER == 1) + +#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID + +#elif (MCUBOOT_IMAGE_NUMBER == 2) + +/* If B0 is present then two bootloaders are present, and we must use + * a single secondary slot for both primary slots. + */ +#if defined(PM_B0_ADDRESS) +extern uint32_t _image_1_primary_slot_id[]; #endif +#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) -#ifndef __SYSFLASH_H__ -#define __SYSFLASH_H__ +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) +#elif defined(PM_B0_ADDRESS) +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + (uint32_t)_image_1_primary_slot_id : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + 255 ) +#else + +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? 
\ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) + +#endif /* PM_B0_ADDRESS */ + +#endif +#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID + +#else /* CONFIG_SINGLE_APPLICATION_SLOT */ + +#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_PRIMARY_ID +/* NOTE: Scratch parition is not used by single image DFU but some of + * functions in common files reference it, so the definitions has been + * provided to allow compilation of common units. + */ +#define FLASH_AREA_IMAGE_SCRATCH 0 + +#endif /* CONFIG_SINGLE_APPLICATION_SLOT */ + +#else + +#include #include #include #include @@ -63,4 +141,6 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #endif /* CONFIG_SINGLE_APPLICATION_SLOT */ +#endif /* USE_PARTITION_MANAGER */ + #endif /* __SYSFLASH_H__ */ From d12a734395ad24f67e395f0268f7ea36671af3c8 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:42 +0000 Subject: [PATCH 081/113] Revert "[nrf noup] booutil: loader: Add support for NSIB and multi-image" This reverts commit b518e13be49bddda0749825378c37655dd023208. Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 38 +++++++------------------ boot/zephyr/include/sysflash/sysflash.h | 19 ++----------- 2 files changed, 12 insertions(+), 45 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index f4a74a956..4d33f3b88 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -844,11 +844,6 @@ boot_validate_slot(struct boot_loader_state *state, int slot, if (BOOT_CURR_IMG(state) == 1) { min_addr = PM_CPUNET_APP_ADDRESS; max_addr = PM_CPUNET_APP_ADDRESS + PM_CPUNET_APP_SIZE; -#ifdef PM_S1_ADDRESS - } else if (BOOT_CURR_IMG(state) == 0) { - min_addr = PM_S0_ADDRESS; - max_addr = pri_fa->fa_off + pri_fa->fa_size; -#endif } else #endif { 
@@ -967,33 +962,20 @@ boot_validated_swap_type(struct boot_loader_state *state, if(reset_addr < PM_CPUNET_B0N_ADDRESS) #endif { - const struct flash_area *nsib_fa; const struct flash_area *primary_fa; rc = flash_area_open(flash_area_id_from_multi_image_slot( - BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT), - &primary_fa); + BOOT_CURR_IMG(state), + BOOT_PRIMARY_SLOT), + &primary_fa); + if (rc != 0) { return BOOT_SWAP_TYPE_FAIL; } - - /* Check start and end of primary slot for current image */ - if (reset_addr < primary_fa->fa_off) { - /* NSIB upgrade slot */ - rc = flash_area_open((uint32_t)_image_1_primary_slot_id, - &nsib_fa); - - if (rc != 0) { - return BOOT_SWAP_TYPE_FAIL; - } - - /* Image is placed before Primary and within the NSIB slot */ - if (reset_addr > nsib_fa->fa_off - && reset_addr < (nsib_fa->fa_off + nsib_fa->fa_size)) { - /* Set primary to be NSIB upgrade slot */ - BOOT_IMG_AREA(state, 0) = nsib_fa; - } - } else if (reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { - /* The image in the secondary slot is not intended for any */ + /* Get start and end of primary slot for current image */ + if (reset_addr < primary_fa->fa_off || + reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { + /* The image in the secondary slot is not intended for this image + */ return BOOT_SWAP_TYPE_NONE; } } @@ -1257,7 +1239,7 @@ boot_copy_image(struct boot_loader_state *state, struct boot_status *bs) BOOT_LOG_INF("Image %d upgrade secondary slot -> primary slot", image_index); BOOT_LOG_INF("Erasing the primary slot"); - rc = flash_area_open(flash_area_get_id(BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)), + rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index), &fap_primary_slot); assert (rc == 0); diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index da21832a9..d6a74f370 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h 
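Review bot: The new range test `reset_addr > (primary_fa->fa_off + primary_fa->fa_size)` accepts a reset vector equal to `fa_off + fa_size`, which is the first byte past the slot; the rejection should read `reset_addr >= (primary_fa->fa_off + primary_fa->fa_size)`. `primary_fa` is opened with flash_area_open() and not closed before the BOOT_SWAP_TYPE_NONE return or on the fall-through, which matters if this port pairs open with flash_area_close(). The comment `/* Get start and end of primary slot for current image */` describes the old code; `/* Reject a candidate whose reset vector lies outside the primary slot */` says what the check now does. boot_validated_swap_type() continues outside the hunk.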
@@ -23,24 +23,9 @@ /* If B0 is present then two bootloaders are present, and we must use * a single secondary slot for both primary slots. */ -#if defined(PM_B0_ADDRESS) -extern uint32_t _image_1_primary_slot_id[]; -#endif -#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) +#ifdef PM_B0_ADDRESS -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) -#elif defined(PM_B0_ADDRESS) +extern uint32_t _image_1_primary_slot_id[]; #define FLASH_AREA_IMAGE_PRIMARY(x) \ ((x == 0) ? \ From 06e56e01761a6501834d5646982903cf9d6780b9 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:42 +0000 Subject: [PATCH 082/113] Revert "[nrf fromtree] zephyr: Provide third image cases for direct image upload" This reverts commit a0c919b1ff4462aa862aa8c60e7ee98cf7f69473. Signed-off-by: Dominik Ermel --- boot/zephyr/flash_map_extended.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/boot/zephyr/flash_map_extended.c b/boot/zephyr/flash_map_extended.c index 64e80085c..be90a8e1d 100644 --- a/boot/zephyr/flash_map_extended.c +++ b/boot/zephyr/flash_map_extended.c @@ -109,14 +109,6 @@ int flash_area_id_from_direct_image(int image_id) #if FIXED_PARTITION_EXISTS(slot3_partition) case 4: return FIXED_PARTITION_ID(slot3_partition); -#endif -#if FIXED_PARTITION_EXISTS(slot4_partition) - case 5: - return FIXED_PARTITION_ID(slot4_partition); -#endif -#if FIXED_PARTITION_EXISTS(slot5_partition) - case 6: - return FIXED_PARTITION_ID(slot5_partition); #endif } return -EINVAL; From bddbcf35211154c55ae8beec44de15d5dac9f008 Mon Sep 17 00:00:00 2001 
From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:42 +0000 Subject: [PATCH 083/113] Revert "[nrf noup] boot: zephyr: Add ifdef protection for RAM locking" This reverts commit 52997e197541cf12908b4f341fbe0a0601bbc9f7. Signed-off-by: Dominik Ermel --- boot/zephyr/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index bb48c21c5..cca749a45 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -726,7 +726,7 @@ int main(void) ; } -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) && defined(CONFIG_PCD_APP) +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) pcd_lock_ram(); #endif #endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */ From e36f8115e6fcee1074c7e3b46ef81e932249bb49 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:42 +0000 Subject: [PATCH 084/113] Revert "[nrf noup] bootutil: Fix missing PCD define check" This reverts commit 815fa3a1a4d072d6f34b5ede1da0ee3b96f3caca. Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 4d33f3b88..8ffac144d 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1000,7 +1000,7 @@ boot_validated_swap_type(struct boot_loader_state *state, } #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) \ - && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) && defined(CONFIG_PCD_APP) + && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) /* If the update is valid, and it targets the network core: perform the * update and indicate to the caller of this function that no update is * available 
@@ -1028,8 +1028,7 @@ boot_validated_swap_type(struct boot_loader_state *state, swap_type = BOOT_SWAP_TYPE_NONE; } } -#endif /* CONFIG_SOC_NRF5340_CPUAPP && PM_CPUNET_B0N_ADDRESS && - !CONFIG_NRF53_MULTI_IMAGE_UPDATE && CONFIG_PCD_APP */ +#endif /* CONFIG_SOC_NRF5340_CPUAPP */ } return swap_type; From 939cab438129d0e20a1da125cbf65a1f924e2722 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:42 +0000 Subject: [PATCH 085/113] Revert "[nrf noup] Fix path variables" This reverts commit 57773376b8fa9e1ebd7678822649c3d9e9806b0b. Signed-off-by: Dominik Ermel --- boot/zephyr/CMakeLists.txt | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 9f707c6c0..b4a00c2bc 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -46,20 +46,21 @@ assert_exists(FIAT_DIR) # Path to mbed-tls' asn1 parser library. set(MBEDTLS_ASN1_DIR "${MCUBOOT_DIR}/ext/mbedtls-asn1") assert_exists(MBEDTLS_ASN1_DIR) -set(MCUBOOT_NRF_EXT_DIR "${MCUBOOT_DIR}/ext/nrf") +set(NRF_DIR "${MCUBOOT_DIR}/ext/nrf") if(CONFIG_BOOT_USE_NRF_CC310_BL) - if(NOT EXISTS ${ZEPHYR_NRFXLIB_MODULE_DIR}) - message(FATAL_ERROR " +set(NRFXLIB_DIR ${ZEPHYR_BASE}/../nrfxlib) +if(NOT EXISTS ${NRFXLIB_DIR}) + message(FATAL_ERROR " ------------------------------------------------------------------------ - No such file or directory: ${ZEPHYR_NRFXLIB_MODULE_DIR} + No such file or directory: ${NRFXLIB_DIR} The current configuration enables nRF CC310 crypto accelerator hardware with the `CONFIG_BOOT_USE_NRF_CC310_BL` option. Please follow `ext/nrf/README.md` guide to fix your setup or use tinycrypt instead of the HW accelerator. To use the tinycrypt set `CONFIG_BOOT_ECDSA_TINYCRYPT` to y. ------------------------------------------------------------------------") - endif() +endif() endif() zephyr_library_include_directories( 
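Review bot: The trailer `#endif /* CONFIG_SOC_NRF5340_CPUAPP */` names only the first of the three terms in the matching `#if` of the @@ -1000 hunk (`defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE)`), so a reader pairing the two will misjudge what the block depends on. `#endif /* CONFIG_SOC_NRF5340_CPUAPP && PM_CPUNET_B0N_ADDRESS && !CONFIG_NRF53_MULTI_IMAGE_UPDATE */` keeps them in step. boot_validated_swap_type() starts and ends outside the hunk.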
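Review bot: The `set(NRFXLIB_DIR ...)`, `if(NOT EXISTS ...)` and `message(FATAL_ERROR ...)` lines sit at column 0 although they are inside `if(CONFIG_BOOT_USE_NRF_CC310_BL)`, so the nesting is invisible at a glance; indenting that block by the two spaces the removed lines used keeps the structure readable. `${ZEPHYR_BASE}/../nrfxlib` also pins nrfxlib to a fixed location relative to Zephyr, so a workspace that checks the module out elsewhere hits the FATAL_ERROR even though the module is present; a comment on the `set()` line stating that layout assumption would help whoever next moves it.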
@@ -151,8 +152,8 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) ${TINYCRYPT_DIR}/source/utils.c ) elseif(CONFIG_BOOT_USE_NRF_CC310_BL) - zephyr_library_sources(${MCUBOOT_NRF_EXT_DIR}/cc310_glue.c) - zephyr_library_include_directories(${MCUBOOT_NRF_EXT_DIR}) + zephyr_library_sources(${NRF_DIR}/cc310_glue.c) + zephyr_library_include_directories(${NRF_DIR}) zephyr_link_libraries(nrfxlib_crypto) elseif(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO) zephyr_include_directories(${BL_CRYPTO_DIR}/../include) From 8dc8d617af197c0b2ff976519e7ca6977e9da515 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:42 +0000 Subject: [PATCH 086/113] Revert "[nrf noup] bootloader: mcuboot: Fix wrong use of if defined" This reverts commit 09bad48a07090a6d32ebb253f15e3d08ea1f97fa. Signed-off-by: Dominik Ermel --- boot/zephyr/nrf_cleanup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/boot/zephyr/nrf_cleanup.c b/boot/zephyr/nrf_cleanup.c index 2165159ea..f567b97e0 100644 --- a/boot/zephyr/nrf_cleanup.c +++ b/boot/zephyr/nrf_cleanup.c @@ -20,7 +20,7 @@ #include -#if USE_PARTITION_MANAGER +#if defined(USE_PARTITION_MANAGER) #include #endif @@ -86,7 +86,7 @@ void nrf_cleanup_peripheral(void) nrf_cleanup_clock(); } -#if USE_PARTITION_MANAGER \ +#if defined(USE_PARTITION_MANAGER) \ && defined(CONFIG_ARM_TRUSTZONE_M) \ && defined(PM_SRAM_NONSECURE_NAME) void nrf_cleanup_ns_ram(void) From 9db63771cd8535bdb6638bfc971eb011d566d712 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:42 +0000 Subject: [PATCH 087/113] Revert "[nrf noup] loader: Fix reading reset addr to support ext flash" This reverts commit 48ad055386404000fc45b8273ede976334ca027b. Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 8ffac144d..b27d1fd7e 100644 
--- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -939,9 +939,10 @@ boot_validated_swap_type(struct boot_loader_state *state, #if defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) const struct flash_area *secondary_fa = BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); - struct image_header *hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); + struct image_header *hdr = (struct image_header *)secondary_fa->fa_off; + uint32_t vtable_addr = 0; + uint32_t *vtable = 0; uint32_t reset_addr = 0; - int rc = 0; /* Patch needed for NCS. Since image 0 (the app) and image 1 (the other * B1 slot S0 or S1) share the same secondary slot, we need to check * whether the update candidate in the secondary slot is intended for @@ -951,19 +952,16 @@ boot_validated_swap_type(struct boot_loader_state *state, */ if (hdr->ih_magic == IMAGE_MAGIC) { - rc = flash_area_read(secondary_fa, hdr->ih_hdr_size + - sizeof(uint32_t), &reset_addr, - sizeof(reset_addr)); - if (rc != 0) { - return BOOT_SWAP_TYPE_FAIL; - } + vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; + vtable = (uint32_t *)(vtable_addr); + reset_addr = vtable[1]; #ifdef PM_S1_ADDRESS #ifdef PM_CPUNET_B0N_ADDRESS if(reset_addr < PM_CPUNET_B0N_ADDRESS) #endif { const struct flash_area *primary_fa; - rc = flash_area_open(flash_area_id_from_multi_image_slot( + int rc = flash_area_open(flash_area_id_from_multi_image_slot( BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT), &primary_fa); 
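Review bot: The new side reads the reset vector by treating the slot offset as a CPU address (`struct image_header *hdr = (struct image_header *)secondary_fa->fa_off;`, then `vtable = (uint32_t *)(vtable_addr); reset_addr = vtable[1];`), which is only valid when the secondary slot is memory-mapped; with the secondary slot in external flash this dereferences a raw flash offset. The removed `flash_area_read()` path went through the flash API and reported a read failure as `BOOT_SWAP_TYPE_FAIL`, which the new code cannot do. If this state is only a step toward removing the block entirely it may be acceptable, but as it stands boards with an external secondary slot regress. boot_validated_swap_type begins and ends outside these hunks.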
@@ -999,19 +997,16 @@ boot_validated_swap_type(struct boot_loader_state *state, upgrade_valid = true; } -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) \ - && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) /* If the update is valid, and it targets the network core: perform the * update and indicate to the caller of this function that no update is * available */ if (upgrade_valid && reset_addr > PM_CPUNET_B0N_ADDRESS) { - struct image_header *hdr = (struct image_header *)secondary_fa->fa_off; - uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; - uint32_t *net_core_fw_addr = (uint32_t *)(vtable_addr); uint32_t fw_size = hdr->ih_img_size; + BOOT_LOG_INF("Starting network core update"); - rc = pcd_network_core_update(net_core_fw_addr, fw_size); + int rc = pcd_network_core_update(vtable, fw_size); if (rc != 0) { swap_type = BOOT_SWAP_TYPE_FAIL; From ddb5250ceaf064073d392b12d18e3b9fade1530f Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:42 +0000 Subject: [PATCH 088/113] Revert "[nrf noup] zephyr: Clean up non-secure RAM if enabled" This reverts commit a47c9c4a05a48ec8cea7f59c2f9db31047be93e2. Signed-off-by: Dominik Ermel --- boot/zephyr/CMakeLists.txt | 2 +- boot/zephyr/include/nrf_cleanup.h | 5 ----- boot/zephyr/main.c | 5 +---- boot/zephyr/nrf_cleanup.c | 13 ------------- 4 files changed, 2 insertions(+), 23 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index b4a00c2bc..c48fa830e 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -348,7 +348,7 @@ zephyr_library_sources( ) endif() -if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL OR CONFIG_MCUBOOT_CLEANUP_NONSECURE_RAM) +if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL) zephyr_library_sources( ${BOOT_DIR}/zephyr/nrf_cleanup.c ) diff --git a/boot/zephyr/include/nrf_cleanup.h b/boot/zephyr/include/nrf_cleanup.h index 9e87e13f5..6b04cedfe 100644 
--- a/boot/zephyr/include/nrf_cleanup.h +++ b/boot/zephyr/include/nrf_cleanup.h @@ -16,9 +16,4 @@ */ void nrf_cleanup_peripheral(void); -/** - * Perform cleanup of non-secure RAM that may have been used by MCUBoot. - */ -void nrf_cleanup_ns_ram(void); - #endif diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index cca749a45..26f4ee118 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -143,7 +143,7 @@ K_SEM_DEFINE(boot_log_sem, 1, 1); #include #endif -#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL || CONFIG_MCUBOOT_NRF_CLEANUP_NONSECURE_RAM +#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL #include #endif @@ -269,9 +269,6 @@ static void do_boot(struct boot_rsp *rsp) #if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL nrf_cleanup_peripheral(); #endif -#if CONFIG_MCUBOOT_NRF_CLEANUP_NONSECURE_RAM && defined(PM_SRAM_NONSECURE_NAME) - nrf_cleanup_ns_ram(); -#endif #if CONFIG_MCUBOOT_CLEANUP_ARM_CORE cleanup_arm_nvic(); /* cleanup NVIC registers */ diff --git a/boot/zephyr/nrf_cleanup.c b/boot/zephyr/nrf_cleanup.c index f567b97e0..5bab26b24 100644 --- a/boot/zephyr/nrf_cleanup.c +++ b/boot/zephyr/nrf_cleanup.c @@ -20,10 +20,6 @@ #include -#if defined(USE_PARTITION_MANAGER) -#include -#endif - #define NRF_UARTE_SUBSCRIBE_CONF_OFFS offsetof(NRF_UARTE_Type, SUBSCRIBE_STARTRX) #define NRF_UARTE_SUBSCRIBE_CONF_SIZE (offsetof(NRF_UARTE_Type, EVENTS_CTS) -\ NRF_UARTE_SUBSCRIBE_CONF_OFFS) @@ -85,12 +81,3 @@ void nrf_cleanup_peripheral(void) #endif nrf_cleanup_clock(); } - -#if defined(USE_PARTITION_MANAGER) \ - && defined(CONFIG_ARM_TRUSTZONE_M) \ - && defined(PM_SRAM_NONSECURE_NAME) -void nrf_cleanup_ns_ram(void) -{ - memset((void *) PM_SRAM_NONSECURE_ADDRESS, 0, PM_SRAM_NONSECURE_SIZE); -} -#endif From b616e1c85302e079722e71ffffe28eacdc746dbc Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:42 +0000 Subject: [PATCH 089/113] Revert "[nrf noup] do_boot: clean peripherals state before boot" This reverts commit 1f14ccb15d0b2e70bee98d87074a5aecb9c0e92d. 
Signed-off-by: Dominik Ermel --- boot/zephyr/CMakeLists.txt | 6 --- boot/zephyr/include/nrf_cleanup.h | 19 ------- boot/zephyr/main.c | 8 +-- boot/zephyr/nrf_cleanup.c | 83 ------------------------------- 4 files changed, 1 insertion(+), 115 deletions(-) delete mode 100644 boot/zephyr/include/nrf_cleanup.h delete mode 100644 boot/zephyr/nrf_cleanup.c diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index c48fa830e..403120554 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -347,9 +347,3 @@ zephyr_library_sources( ${BOOT_DIR}/zephyr/arm_cleanup.c ) endif() - -if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL) -zephyr_library_sources( - ${BOOT_DIR}/zephyr/nrf_cleanup.c -) -endif() diff --git a/boot/zephyr/include/nrf_cleanup.h b/boot/zephyr/include/nrf_cleanup.h deleted file mode 100644 index 6b04cedfe..000000000 --- a/boot/zephyr/include/nrf_cleanup.h +++ /dev/null @@ -1,19 +0,0 @@ -/* - * Copyright (c) 2020 Nordic Semiconductor ASA - * - * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause - */ - -#ifndef H_NRF_CLEANUP_ -#define H_NRF_CLEANUP_ - -/** - * Perform cleanup on some peripheral resources used by MCUBoot prior chainload - * the application. - * - * This function disables all RTC instances and UARTE instances. - * It Disables their interrupts signals as well. - */ -void nrf_cleanup_peripheral(void); - -#endif diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 26f4ee118..15b0ab035 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -143,10 +143,6 @@ K_SEM_DEFINE(boot_log_sem, 1, 1); #include #endif -#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL -#include -#endif - #ifdef CONFIG_SOC_FAMILY_NRF #include @@ -266,9 +262,7 @@ static void do_boot(struct boot_rsp *rsp) } #endif #endif -#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL - nrf_cleanup_peripheral(); -#endif + #if CONFIG_MCUBOOT_CLEANUP_ARM_CORE cleanup_arm_nvic(); /* cleanup NVIC registers */ 
diff --git a/boot/zephyr/nrf_cleanup.c b/boot/zephyr/nrf_cleanup.c
deleted file mode 100644
index 5bab26b24..000000000
--- a/boot/zephyr/nrf_cleanup.c
+++ /dev/null
@@ -1,83 +0,0 @@ -/* - * Copyright (c) 2020 Nordic Semiconductor ASA - * - * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause - */ - -#include -#if defined(NRF_UARTE0) || defined(NRF_UARTE1) - #include -#endif -#if defined(NRF_RTC0) || defined(NRF_RTC1) || defined(NRF_RTC2) - #include -#endif -#if defined(NRF_PPI) - #include -#endif -#if defined(NRF_DPPIC) - #include -#endif - -#include - -#define NRF_UARTE_SUBSCRIBE_CONF_OFFS offsetof(NRF_UARTE_Type, SUBSCRIBE_STARTRX) -#define NRF_UARTE_SUBSCRIBE_CONF_SIZE (offsetof(NRF_UARTE_Type, EVENTS_CTS) -\ - NRF_UARTE_SUBSCRIBE_CONF_OFFS) - -#define NRF_UARTE_PUBLISH_CONF_OFFS offsetof(NRF_UARTE_Type, PUBLISH_CTS) -#define NRF_UARTE_PUBLISH_CONF_SIZE (offsetof(NRF_UARTE_Type, SHORTS) -\ - NRF_UARTE_PUBLISH_CONF_OFFS) - -#if defined(NRF_RTC0) || defined(NRF_RTC1) || defined(NRF_RTC2) -static inline void nrf_cleanup_rtc(NRF_RTC_Type * rtc_reg) -{ - nrf_rtc_task_trigger(rtc_reg, NRF_RTC_TASK_STOP); - nrf_rtc_event_disable(rtc_reg, 0xFFFFFFFF); - nrf_rtc_int_disable(rtc_reg, 0xFFFFFFFF); -} -#endif - -static void nrf_cleanup_clock(void) -{ - nrf_clock_int_disable(NRF_CLOCK, 0xFFFFFFFF); -} - -void nrf_cleanup_peripheral(void) -{ -#if defined(NRF_RTC0) - nrf_cleanup_rtc(NRF_RTC0); -#endif -#if defined(NRF_RTC1) - nrf_cleanup_rtc(NRF_RTC1); -#endif -#if defined(NRF_RTC2) - nrf_cleanup_rtc(NRF_RTC2); -#endif -#if defined(NRF_UARTE0) - nrf_uarte_disable(NRF_UARTE0); - nrf_uarte_int_disable(NRF_UARTE0, 0xFFFFFFFF); -#if defined(NRF_DPPIC) - /* Clear all SUBSCRIBE configurations. */ - memset((uint8_t *)NRF_UARTE0 + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, NRF_UARTE_SUBSCRIBE_CONF_SIZE); - /* Clear all PUBLISH configurations. */ - memset((uint8_t *)NRF_UARTE0 + NRF_UARTE_PUBLISH_CONF_OFFS, 0, NRF_UARTE_PUBLISH_CONF_SIZE); -#endif -#endif -#if defined(NRF_UARTE1) - nrf_uarte_disable(NRF_UARTE1); - nrf_uarte_int_disable(NRF_UARTE1, 0xFFFFFFFF); -#if defined(NRF_DPPIC) - /* Clear all SUBSCRIBE configurations. 
*/ - memset((uint8_t *)NRF_UARTE1 + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, NRF_UARTE_SUBSCRIBE_CONF_SIZE); - /* Clear all PUBLISH configurations. */ - memset((uint8_t *)NRF_UARTE1 + NRF_UARTE_PUBLISH_CONF_OFFS, 0, NRF_UARTE_PUBLISH_CONF_SIZE); -#endif -#endif -#if defined(NRF_PPI) - nrf_ppi_channels_disable_all(NRF_PPI); -#endif -#if defined(NRF_DPPIC) - nrf_dppi_channels_disable_all(NRF_DPPIC); -#endif - nrf_cleanup_clock(); -} From b103d4d8ce91e4d715bc32e5ca1a6a62b001187d Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:42 +0000 Subject: [PATCH 090/113] Revert "[nrf noup] boot: nrf53-specific customizations" This reverts commit 0030544b5f5dc805b2d9e136f5e8c64c143369e7. Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 96 +++++-------------- .../boards/thingy53_nrf5340_cpuapp.conf | 73 -------------- boot/zephyr/include/sysflash/sysflash.h | 23 ----- boot/zephyr/main.c | 7 -- boot/zephyr/pm.yml | 13 --- 5 files changed, 26 insertions(+), 186 deletions(-) delete mode 100644 boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index b27d1fd7e..199c92e2b 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -48,10 +48,6 @@ #include "bootutil/boot_hooks.h" #include "bootutil/mcuboot_status.h" -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) -#include -#endif - #ifdef MCUBOOT_ENC_IMAGES #include "bootutil/enc_key.h" #endif 
@@ -934,15 +930,7 @@ boot_validated_swap_type(struct boot_loader_state *state,
 {
 int swap_type;
 FIH_DECLARE(fih_rc, FIH_FAILURE);
- bool upgrade_valid = false;
-
-#if defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP)
- const struct flash_area *secondary_fa =
- BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT);
- struct image_header *hdr = (struct image_header *)secondary_fa->fa_off;
- uint32_t vtable_addr = 0;
- uint32_t *vtable = 0;
- uint32_t reset_addr = 0;
+#ifdef PM_S1_ADDRESS
 /* Patch needed for NCS. Since image 0 (the app) and image 1 (the other
 * B1 slot S0 or S1) share the same secondary slot, we need to check
 * whether the update candidate in the secondary slot is intended for
@@ -950,36 +938,34 @@ boot_validated_swap_type(struct boot_loader_state *state, * vector. Note that there are good reasons for not using img_num from * the swap info. */ + const struct flash_area *secondary_fa = + BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); + struct image_header *hdr = + (struct image_header *)secondary_fa->fa_off; if (hdr->ih_magic == IMAGE_MAGIC) { - vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; - vtable = (uint32_t *)(vtable_addr); - reset_addr = vtable[1]; -#ifdef PM_S1_ADDRESS -#ifdef PM_CPUNET_B0N_ADDRESS - if(reset_addr < PM_CPUNET_B0N_ADDRESS) -#endif - { - const struct flash_area *primary_fa; - int rc = flash_area_open(flash_area_id_from_multi_image_slot( - BOOT_CURR_IMG(state), - BOOT_PRIMARY_SLOT), - &primary_fa); - - if (rc != 0) { - return BOOT_SWAP_TYPE_FAIL; - } - /* Get start and end of primary slot for current image */ - if (reset_addr < primary_fa->fa_off || - reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { - /* The image in the secondary slot is not intended for this image - */ - return BOOT_SWAP_TYPE_NONE; - } - } -#endif /* PM_S1_ADDRESS */ + const struct flash_area *primary_fa; + uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; + uint32_t *vtable = (uint32_t *)(vtable_addr); + uint32_t reset_addr = vtable[1]; + int rc = flash_area_open( + flash_area_id_from_multi_image_slot( + BOOT_CURR_IMG(state), + BOOT_PRIMARY_SLOT), + &primary_fa); + + if (rc != 0) { + return BOOT_SWAP_TYPE_FAIL; + } + /* Get start and end of primary slot for current image */ + if (reset_addr < primary_fa->fa_off || + reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { + /* The image in the secondary slot is not intended for this image + */ + return BOOT_SWAP_TYPE_NONE; + } } -#endif /* PM_S1_ADDRESS || CONFIG_SOC_NRF5340_CPUAPP */ +#endif swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state)); if (BOOT_IS_UPGRADE(swap_type)) { 
@@ -993,37 +979,7 @@ boot_validated_swap_type(struct boot_loader_state *state,
 } else {
 swap_type = BOOT_SWAP_TYPE_FAIL;
 }
- } else {
- upgrade_valid = true;
- }
-
-#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS)
- /* If the update is valid, and it targets the network core: perform the
- * update and indicate to the caller of this function that no update is
- * available
- */
- if (upgrade_valid && reset_addr > PM_CPUNET_B0N_ADDRESS) {
- uint32_t fw_size = hdr->ih_img_size;
-
- BOOT_LOG_INF("Starting network core update");
- int rc = pcd_network_core_update(vtable, fw_size);
-
- if (rc != 0) {
- swap_type = BOOT_SWAP_TYPE_FAIL;
- } else {
- BOOT_LOG_INF("Done updating network core");
-#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE)
- /* swap_erase_trailer_sectors is undefined if upgrade only
- * method is used. There is no need to erase sectors, because
- * the image cannot be reverted.
- */
- rc = swap_erase_trailer_sectors(state,
- secondary_fa);
-#endif
- swap_type = BOOT_SWAP_TYPE_NONE;
- }
 }
-#endif /* CONFIG_SOC_NRF5340_CPUAPP */
 }
 return swap_type;
diff --git a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf
deleted file mode 100644
index 7d3bc0bec..000000000
--- a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf
+++ /dev/null
@@ -1,73 +0,0 @@
-CONFIG_SIZE_OPTIMIZATIONS=y
-
-CONFIG_SYSTEM_CLOCK_NO_WAIT=y
-CONFIG_PM=n
-
-CONFIG_MAIN_STACK_SIZE=10240
-CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
-
-CONFIG_BOOT_MAX_IMG_SECTORS=2048
-CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
-
-# Flash
-CONFIG_FLASH=y
-CONFIG_BOOT_ERASE_PROGRESSIVELY=y
-CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y
-CONFIG_FPROTECT=y
-
-# Serial
-CONFIG_SERIAL=y
-CONFIG_UART_LINE_CTRL=y
-
-# MCUBoot serial
-CONFIG_GPIO=y
-CONFIG_MCUBOOT_SERIAL=y
-CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y
-CONFIG_BOOT_SERIAL_CDC_ACM=y
-
-# Required by QSPI
-CONFIG_NORDIC_QSPI_NOR=y
-CONFIG_NORDIC_QSPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096
-CONFIG_NORDIC_QSPI_NOR_STACK_WRITE_BUFFER_SIZE=16
-
-# Required by USB and QSPI
-CONFIG_MULTITHREADING=y
-
-# USB
-CONFIG_BOARD_SERIAL_BACKEND_CDC_ACM=n
-CONFIG_USB_DEVICE_REMOTE_WAKEUP=n
-CONFIG_USB_DEVICE_MANUFACTURER="Nordic Semiconductor ASA"
-CONFIG_USB_DEVICE_PRODUCT="Bootloader Thingy:53"
-CONFIG_USB_DEVICE_VID=0x1915
-CONFIG_USB_DEVICE_PID=0x5300
-CONFIG_USB_CDC_ACM=y
-
-# Decrease memory footprint
-CONFIG_CBPRINTF_NANO=y
-CONFIG_TIMESLICING=n
-CONFIG_BOOT_BANNER=n
-CONFIG_CONSOLE=n
-CONFIG_CONSOLE_HANDLER=n
-CONFIG_UART_CONSOLE=n
-CONFIG_USE_SEGGER_RTT=n
-CONFIG_LOG=n
-CONFIG_ERRNO=n
-CONFIG_PRINTK=n
-CONFIG_RESET_ON_FATAL_ERROR=n
-CONFIG_SPI=n
-CONFIG_I2C=n
-CONFIG_UART_NRFX=n
-
-# The following configurations are required to support simultaneous multi image update
-CONFIG_PCD_APP=y
-CONFIG_UPDATEABLE_IMAGE_NUMBER=2
-CONFIG_BOOT_UPGRADE_ONLY=y
-# The network core cannot access external flash directly. The flash simulator must be used to
-# provide a memory region that is used to forward the new firmware to the network core.
-CONFIG_FLASH_SIMULATOR=y
-CONFIG_FLASH_SIMULATOR_DOUBLE_WRITES=y
-CONFIG_FLASH_SIMULATOR_STATS=n
-
-# Enable custom command to erase settings partition.
-CONFIG_ENABLE_MGMT_PERUSER=y
-CONFIG_BOOT_MGMT_CUSTOM_STORAGE_ERASE=y
diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index d6a74f370..e22f9b776 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h @@ -20,11 +20,6 @@ #elif (MCUBOOT_IMAGE_NUMBER == 2) -/* If B0 is present then two bootloaders are present, and we must use - * a single secondary slot for both primary slots. - */ -#ifdef PM_B0_ADDRESS - extern uint32_t _image_1_primary_slot_id[]; #define FLASH_AREA_IMAGE_PRIMARY(x) \ @@ -40,24 +35,6 @@ extern uint32_t _image_1_primary_slot_id[]; (x == 1) ? \ PM_MCUBOOT_SECONDARY_ID: \ 255 ) -#else - -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) - -#endif /* PM_B0_ADDRESS */ - #endif #define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 15b0ab035..6fe02eae1 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -92,10 +92,6 @@ const struct boot_uart_funcs boot_funcs = { #include #endif -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) -#include -#endif - /* CONFIG_LOG_MINIMAL is the legacy Kconfig property, * replaced by CONFIG_LOG_MODE_MINIMAL. */ @@ -717,9 +713,6 @@ int main(void) ; } -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) - pcd_lock_ram(); -#endif #endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */ ZEPHYR_BOOT_LOG_STOP(); diff --git a/boot/zephyr/pm.yml b/boot/zephyr/pm.yml index 125b8813c..0c3a59154 100644 --- a/boot/zephyr/pm.yml +++ b/boot/zephyr/pm.yml 
@@ -72,16 +72,3 @@ mcuboot_pad: #ifdef CONFIG_FPROTECT align: {start: CONFIG_FPROTECT_BLOCK_SIZE} #endif - -#if (CONFIG_NRF53_MCUBOOT_PRIMARY_1_RAM_FLASH) -mcuboot_primary_1: - region: ram_flash - size: CONFIG_NRF53_RAM_FLASH_SIZE -#endif /* CONFIG_NRF53_MULTI_IMAGE_UPDATE */ - -#if (CONFIG_NRF53_MULTI_IMAGE_UPDATE) -mcuboot_secondary_1: - region: external_flash - size: CONFIG_NRF53_RAM_FLASH_SIZE - -#endif /* CONFIG_NRF53_MULTI_IMAGE_UPDATE */ From c03575eb4a0af2af8f3716ddc4d22abc61d96806 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:42 +0000 Subject: [PATCH 091/113] Revert "[nrf noup] treewide: add NCS partition manager support" This reverts commit 16fd63c01c7d318ca427db7d0f4fa6880be14794. Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 95 +++---------------------- boot/bootutil/src/swap_move.c | 13 ---- boot/bootutil/src/swap_scratch.c | 13 ---- boot/zephyr/CMakeLists.txt | 7 -- boot/zephyr/Kconfig | 2 - boot/zephyr/include/sysflash/sysflash.h | 48 ------------- boot/zephyr/include/target.h | 4 -- boot/zephyr/main.c | 45 ------------ boot/zephyr/pm.yml | 74 ------------------- boot/zephyr/prj.conf | 1 - ext/nrf/cc310_glue.h | 2 +- zephyr/module.yml | 3 +- 12 files changed, 11 insertions(+), 296 deletions(-) delete mode 100644 boot/zephyr/pm.yml diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 199c92e2b..77fc888ec 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -108,15 +108,6 @@ boot_read_image_headers(struct boot_loader_state *state, bool require_all, * * Failure to read any headers is a fatal error. */ -#ifdef PM_S1_ADDRESS - /* Patch needed for NCS. The primary slot of the second image - * (image 1) will not contain a valid image header until an upgrade - * of mcuboot has happened (filling S1 with the new version). - */ - if (BOOT_CURR_IMG(state) == 1 && i == 0) { - continue; - } -#endif /* PM_S1_ADDRESS */ if (i > 0 && !require_all) { return 0; } else { 
@@ -830,24 +821,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, goto out; } - uint32_t min_addr, max_addr; - -#ifdef PM_CPUNET_APP_ADDRESS - /* The primary slot for the network core is emulated in RAM. - * Its flash_area hasn't got relevant boundaries. - * Therfore need to override its boundaries for the check. - */ - if (BOOT_CURR_IMG(state) == 1) { - min_addr = PM_CPUNET_APP_ADDRESS; - max_addr = PM_CPUNET_APP_ADDRESS + PM_CPUNET_APP_SIZE; - } else -#endif - { - min_addr = pri_fa->fa_off; - max_addr = pri_fa->fa_off + pri_fa->fa_size; - } - - if (reset_value < min_addr || reset_value> (max_addr)) { + if (reset_value < pri_fa->fa_off || reset_value> (pri_fa->fa_off + pri_fa->fa_size)) { BOOT_LOG_ERR("Reset address of image in secondary slot is not in the primary slot"); BOOT_LOG_ERR("Erasing image from secondary slot"); 
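Review bot: The restored range check on the new side, `if (reset_value < pri_fa->fa_off || reset_value> (pri_fa->fa_off + pri_fa->fa_size)) {`, accepts a reset vector equal to `pri_fa->fa_off + pri_fa->fa_size`, which is one byte past the end of the primary slot, so an image whose reset vector lands exactly there is not rejected and not erased. Using `reset_value >= (pri_fa->fa_off + pri_fa->fa_size)` closes that gap and also restores the missing space after `reset_value`. The same `>` comparison sits on the new side of the PATCH 090 hunk in boot_validated_swap_type, but that whole block is deleted again by a later hunk of this commit, so the fix is only needed here. boot_validate_slot begins and ends outside this hunk.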
@@ -930,42 +904,6 @@ boot_validated_swap_type(struct boot_loader_state *state,
 {
 int swap_type;
 FIH_DECLARE(fih_rc, FIH_FAILURE);
-#ifdef PM_S1_ADDRESS
- /* Patch needed for NCS. Since image 0 (the app) and image 1 (the other
- * B1 slot S0 or S1) share the same secondary slot, we need to check
- * whether the update candidate in the secondary slot is intended for
- * image 0 or image 1 primary by looking at the address of the reset
- * vector. Note that there are good reasons for not using img_num from
- * the swap info.
- */
- const struct flash_area *secondary_fa =
- BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT);
- struct image_header *hdr =
- (struct image_header *)secondary_fa->fa_off;
-
- if (hdr->ih_magic == IMAGE_MAGIC) {
- const struct flash_area *primary_fa;
- uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size;
- uint32_t *vtable = (uint32_t *)(vtable_addr);
- uint32_t reset_addr = vtable[1];
- int rc = flash_area_open(
- flash_area_id_from_multi_image_slot(
- BOOT_CURR_IMG(state),
- BOOT_PRIMARY_SLOT),
- &primary_fa);
-
- if (rc != 0) {
- return BOOT_SWAP_TYPE_FAIL;
- }
- /* Get start and end of primary slot for current image */
- if (reset_addr < primary_fa->fa_off ||
- reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) {
- /* The image in the secondary slot is not intended for this image
- */
- return BOOT_SWAP_TYPE_NONE;
- }
- }
-#endif
 swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state));
 if (BOOT_IS_UPGRADE(swap_type)) {
@@ -2275,25 +2213,15 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) } #ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT -#ifdef PM_S1_ADDRESS - /* Patch needed for NCS. Image 1 primary is the currently - * executing MCUBoot image, and is therefore already validated by NSIB and - * does not need to also be validated by MCUBoot. + FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL); + /* Check for all possible values is redundant in normal operation it + * is meant to prevent FI attack. */ - bool image_validated_by_nsib = BOOT_CURR_IMG(state) == 1; - if (!image_validated_by_nsib) -#endif - { - FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL); - /* Check for all possible values is redundant in normal operation it - * is meant to prevent FI attack. - */ - if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS) || - FIH_EQ(fih_rc, FIH_FAILURE) || - FIH_EQ(fih_rc, FIH_NO_BOOTABLE_IMAGE)) { - FIH_SET(fih_rc, FIH_FAILURE); - goto out; - } + if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS) || + FIH_EQ(fih_rc, FIH_FAILURE) || + FIH_EQ(fih_rc, FIH_NO_BOOTABLE_IMAGE)) { + FIH_SET(fih_rc, FIH_FAILURE); + goto out; } #else /* Even if we're not re-validating the primary slot, we could be booting @@ -2310,16 +2238,11 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) } #endif /* MCUBOOT_VALIDATE_PRIMARY_SLOT */ -#ifdef PM_S1_ADDRESS - if (!image_validated_by_nsib) -#endif - { rc = boot_update_hw_rollback_protection(state); if (rc != 0) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } - } rc = boot_add_shared_data(state, BOOT_PRIMARY_SLOT); if (rc != 0) { diff --git a/boot/bootutil/src/swap_move.c b/boot/bootutil/src/swap_move.c index cd5016391..61246b9e5 100644 --- a/boot/bootutil/src/swap_move.c +++ b/boot/bootutil/src/swap_move.c 
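Review bot: The comment restored on the new side above the FIH_NOT_EQ/FIH_EQ chain, `/* Check for all possible values is redundant in normal operation it is meant to prevent FI attack. */`, is hard to parse as written; suggest `/* Checking all possible values is redundant in normal operation; it is meant to resist fault-injection (FI) attacks. */`. The second hunk of this section drops the `image_validated_by_nsib` guard, so `boot_update_hw_rollback_protection()` is now reached for every image rather than only those MCUboot validated itself; that matches the upstream flow this revert restores, but since it changes which images reach that call it is worth a line in the commit message. context_boot_go begins and ends outside both hunks.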
@@ -237,18 +237,6 @@ boot_status_internal_off(const struct boot_status *bs, int elem_sz) int boot_slots_compatible(struct boot_loader_state *state) { -#ifdef PM_S1_ADDRESS - /* Patch needed for NCS. In this case, image 1 primary points to the other - * B1 slot (ie S0 or S1), and image 0 primary points to the app. - * With this configuration, image 0 and image 1 share the secondary slot. - * Hence, the primary slot of image 1 will be *smaller* than image 1's - * secondary slot. This is not allowed in upstream mcuboot, so we need - * this patch to allow it. Also, all of these checks are redundant when - * partition manager is in use, and since we have the same sector size - * in all of our flash. - */ - return 1; -#else size_t num_sectors_pri; size_t num_sectors_sec; size_t sector_sz_pri = 0; @@ -285,7 +273,6 @@ boot_slots_compatible(struct boot_loader_state *state) } return 1; -#endif /* PM_S1_ADDRESS */ } #define BOOT_LOG_SWAP_STATE(area, state) \ diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c index a32eb8d87..66cbdce5f 100644 --- a/boot/bootutil/src/swap_scratch.c +++ b/boot/bootutil/src/swap_scratch.c @@ -170,18 +170,6 @@ boot_status_internal_off(const struct boot_status *bs, int elem_sz) int boot_slots_compatible(struct boot_loader_state *state) { -#ifdef PM_S1_ADDRESS - /* Patch needed for NCS. In this case, image 1 primary points to the other - * B1 slot (ie S0 or S1), and image 0 primary points to the app. - * With this configuration, image 0 and image 1 share the secondary slot. - * Hence, the primary slot of image 1 will be *smaller* than image 1's - * secondary slot. This is not allowed in upstream mcuboot, so we need - * this patch to allow it. Also, all of these checks are redundant when - * partition manager is in use, and since we have the same sector size - * in all of our flash. - */ - return 1; -#else size_t num_sectors_primary; size_t num_sectors_secondary; size_t sz0, sz1; 
@@ -267,7 +255,6 @@ boot_slots_compatible(struct boot_loader_state *state) } return 1; -#endif /* PM_S1_ADDRESS */ } #define BOOT_LOG_SWAP_STATE(area, state) \ diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 403120554..2a6b58a61 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -280,13 +280,6 @@ if(NOT CONFIG_BOOT_SIGNATURE_KEY_FILE STREQUAL "") endif() message("MCUBoot bootloader key file: ${KEY_FILE}") - set_property( - GLOBAL - PROPERTY - KEY_FILE - ${KEY_FILE} - ) - set(GENERATED_PUBKEY ${ZEPHYR_BINARY_DIR}/autogen-pubkey.c) add_custom_command( OUTPUT ${GENERATED_PUBKEY} diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 5c71f79e1..e8b630986 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -8,8 +8,6 @@ mainmenu "MCUboot configuration" comment "MCUboot-specific configuration options" -source "$(ZEPHYR_NRF_MODULE_DIR)/modules/mcuboot/boot/zephyr/Kconfig" - # Hidden option to mark a project as MCUboot config MCUBOOT default y diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index e22f9b776..646f1122f 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h 
@@ -7,52 +7,6 @@ #ifndef __SYSFLASH_H__ #define __SYSFLASH_H__ -#if USE_PARTITION_MANAGER -#include -#include - -#ifndef CONFIG_SINGLE_APPLICATION_SLOT - -#if (MCUBOOT_IMAGE_NUMBER == 1) - -#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID - -#elif (MCUBOOT_IMAGE_NUMBER == 2) - -extern uint32_t _image_1_primary_slot_id[]; - -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - (uint32_t)_image_1_primary_slot_id : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - 255 ) -#endif -#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID - -#else /* CONFIG_SINGLE_APPLICATION_SLOT */ - -#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_PRIMARY_ID -/* NOTE: Scratch parition is not used by single image DFU but some of - * functions in common files reference it, so the definitions has been - * provided to allow compilation of common units. - */ -#define FLASH_AREA_IMAGE_SCRATCH 0 - -#endif /* CONFIG_SINGLE_APPLICATION_SLOT */ - -#else - -#include #include #include #include @@ -103,6 +57,4 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #endif /* CONFIG_SINGLE_APPLICATION_SLOT */ -#endif /* USE_PARTITION_MANAGER */ - #endif /* __SYSFLASH_H__ */ diff --git a/boot/zephyr/include/target.h b/boot/zephyr/include/target.h index 513693511..61dfd9322 100644 --- a/boot/zephyr/include/target.h +++ b/boot/zephyr/include/target.h @@ -8,8 +8,6 @@ #ifndef H_TARGETS_TARGET_ #define H_TARGETS_TARGET_ -#ifndef USE_PARTITION_MANAGER - #if defined(MCUBOOT_TARGET_CONFIG) /* * Target-specific definitions are permitted in legacy cases that @@ -47,6 +45,4 @@ #error "Target support is incomplete; cannot build mcuboot." #endif -#endif /* ifndef USE_PARTITION_MANAGER */ - #endif /* H_TARGETS_TARGET_ */ 
diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 6fe02eae1..855164915 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -62,10 +62,6 @@ #endif /* CONFIG_SOC_FAMILY_ESP32 */ -#ifdef CONFIG_FW_INFO -#include -#endif - #ifdef CONFIG_MCUBOOT_SERIAL #include "boot_serial/boot_serial.h" #include "serial_adapter/serial_adapter.h" @@ -134,11 +130,6 @@ K_SEM_DEFINE(boot_log_sem, 1, 1); * !defined(ZEPHYR_LOG_MODE_MINIMAL) */ -#if USE_PARTITION_MANAGER && CONFIG_FPROTECT -#include -#include -#endif - #ifdef CONFIG_SOC_FAMILY_NRF #include @@ -246,19 +237,6 @@ static void do_boot(struct boot_rsp *rsp) /* Disable the USB to prevent it from firing interrupts */ usb_disable(); #endif - -#if defined(CONFIG_FW_INFO) && !defined(CONFIG_EXT_API_PROVIDE_EXT_API_UNUSED) - bool provided = fw_info_ext_api_provide(fw_info_find((uint32_t)vt), true); - -#ifdef PM_S0_ADDRESS - /* Only fail if the immutable bootloader is present. */ - if (!provided) { - BOOT_LOG_ERR("Failed to provide EXT_APIs\n"); - return; - } -#endif -#endif - #if CONFIG_MCUBOOT_CLEANUP_ARM_CORE cleanup_arm_nvic(); /* cleanup NVIC registers */ @@ -693,30 +671,7 @@ int main(void) mcuboot_status_change(MCUBOOT_STATUS_BOOTABLE_IMAGE_FOUND); -#if USE_PARTITION_MANAGER && CONFIG_FPROTECT - -#ifdef PM_S1_ADDRESS -/* MCUBoot is stored in either S0 or S1, protect both */ -#define PROTECT_SIZE (PM_MCUBOOT_PRIMARY_ADDRESS - PM_S0_ADDRESS) -#define PROTECT_ADDR PM_S0_ADDRESS -#else -/* There is only one instance of MCUBoot */ -#define PROTECT_SIZE (PM_MCUBOOT_PRIMARY_ADDRESS - PM_MCUBOOT_ADDRESS) -#define PROTECT_ADDR PM_MCUBOOT_ADDRESS -#endif - - rc = fprotect_area(PROTECT_ADDR, PROTECT_SIZE); - - if (rc != 0) { - BOOT_LOG_ERR("Protect mcuboot flash failed, cancel startup."); - while (1) - ; - } - -#endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */ - ZEPHYR_BOOT_LOG_STOP(); - do_boot(&rsp); mcuboot_status_change(MCUBOOT_STATUS_BOOT_FAILED); 
diff --git a/boot/zephyr/pm.yml b/boot/zephyr/pm.yml
deleted file mode 100644
index 0c3a59154..000000000
--- a/boot/zephyr/pm.yml
+++ /dev/null
@@ -1,74 +0,0 @@ -#include - -mcuboot: - size: CONFIG_PM_PARTITION_SIZE_MCUBOOT - placement: - before: [mcuboot_primary] - -mcuboot_primary_app: - # All images to be placed in MCUboot's slot 0 should be placed in this - # partition - span: [app] - -mcuboot_primary: - span: [mcuboot_pad, mcuboot_primary_app] - -# Partition for secondary slot is not created if building in single application -# slot configuration. -#if !defined(CONFIG_SINGLE_APPLICATION_SLOT) && !defined(CONFIG_BOOT_DIRECT_XIP) -mcuboot_secondary: - share_size: [mcuboot_primary] -#if defined(CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY) - region: external_flash - placement: - align: {start: 4} -#else - placement: - align: {start: CONFIG_FPROTECT_BLOCK_SIZE} - align_next: CONFIG_FPROTECT_BLOCK_SIZE # Ensure that the next partition does not interfere with this image - after: mcuboot_primary -#endif /* CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY */ - -#endif /* !defined(CONFIG_SINGLE_APPLICATION_SLOT) && !defined(CONFIG_BOOT_DIRECT_XIP) */ - -#if CONFIG_BOOT_DIRECT_XIP - -# Direct XIP is enabled, reserve area for metadata (padding) and name the -# partition so that its clear that it is not the secondary slot, but the direct -# XIP alternative. - -mcuboot_secondary_pad: - share_size: mcuboot_pad - placement: - after: mcuboot_primary - align: {start: CONFIG_FPROTECT_BLOCK_SIZE} - -mcuboot_secondary_app: - share_size: mcuboot_primary_app - placement: - after: mcuboot_secondary_pad - -mcuboot_secondary: - span: [mcuboot_secondary_pad, mcuboot_secondary_app] - -#endif /* CONFIG_BOOT_DIRECT_XIP */ - -#if CONFIG_BOOT_SWAP_USING_SCRATCH -mcuboot_scratch: - size: CONFIG_PM_PARTITION_SIZE_MCUBOOT_SCRATCH - placement: - after: app - align: {start: CONFIG_FPROTECT_BLOCK_SIZE} -#endif /* CONFIG_BOOT_SWAP_USING_SCRATCH */ - -# Padding placed before image to boot. This reserves space for the MCUboot image header -# and it ensures that the boot image gets linked with the correct address offset in flash. 
-mcuboot_pad: - # MCUboot pad must be placed before the primary application partition. - # The primary application partition includes the secure firmware if present. - size: CONFIG_PM_PARTITION_SIZE_MCUBOOT_PAD - placement: - before: [mcuboot_primary_app] -#ifdef CONFIG_FPROTECT - align: {start: CONFIG_FPROTECT_BLOCK_SIZE} -#endif diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 5e2c42a75..6705119e9 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -19,7 +19,6 @@ CONFIG_BOOT_BOOTSTRAP=n # CONFIG_TINYCRYPT_SHA256 is not set CONFIG_FLASH=y -CONFIG_FPROTECT=y ### Various Zephyr boards enable features that we don't want. # CONFIG_BT is not set diff --git a/ext/nrf/cc310_glue.h b/ext/nrf/cc310_glue.h index 395cfc531..c42fad5a5 100644 --- a/ext/nrf/cc310_glue.h +++ b/ext/nrf/cc310_glue.h @@ -22,7 +22,7 @@ #include #include #include -#include +#include #include /* diff --git a/zephyr/module.yml b/zephyr/module.yml index 797b0fa10..c4293e387 100644 --- a/zephyr/module.yml +++ b/zephyr/module.yml @@ -1,5 +1,4 @@ samples: - boot/zephyr build: - cmake-ext: True - kconfig-ext: True + cmake: ./boot/bootutil/zephyr From a33a13f6b65fd74db1c0ad9ea24646bac5a7e534 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Dec 2023 19:01:42 +0000 Subject: [PATCH 092/113] Revert "[nrf noup] Restore default RTC user channel count" This reverts commit 8ba5c7f93b7a7038f567770b3978eb7e1c46ee4a. Signed-off-by: Dominik Ermel --- boot/zephyr/prj.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 6705119e9..a6da04933 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -33,4 +33,3 @@ CONFIG_LOG_DEFAULT_LEVEL=0 CONFIG_MCUBOOT_LOG_LEVEL_INF=y ### Decrease footprint by ~4 KB in comparison to CBPRINTF_COMPLETE=y CONFIG_CBPRINTF_NANO=y -CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT=0 From 53c1009a06b1d4f364afd600daab1cfdb2b5be89 Mon Sep 17 00:00:00 2001 
From: Damian Krolik Date: Mon, 21 Mar 2022 13:44:27 +0100 Subject: [PATCH 093/113] [nrf noup] Restore default RTC user channel count The default value of CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT for nRF52 SOCs has been changed from 0 to 3, but it makes MCUBoot get stuck on erasing flash pages when swapping two images. Restore the previous value until the RTC issue is resolved (see NCSDK-14427) Signed-off-by: Damian Krolik Signed-off-by: Torsten Rasmussen Signed-off-by: Jamie McCrae (cherry picked from commit f5559b74b01df5e41ab3714e7b8e86c9ba95f879) (cherry picked from commit 36c37c0bc7a24536f9ddfaed589d80cafd013e3c) (cherry picked from commit 0e3ab1bda05a24573aeb526ed7168b927408fed9) (cherry picked from commit 8ba5c7f93b7a7038f567770b3978eb7e1c46ee4a) Signed-off-by: Dominik Ermel --- boot/zephyr/prj.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 851c133ec..58cb2ae35 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -35,3 +35,4 @@ CONFIG_MCUBOOT_LOG_LEVEL_INF=y CONFIG_CBPRINTF_NANO=y ### Use the minimal C library to reduce flash usage CONFIG_MINIMAL_LIBC=y +CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT=0 From fab404a7b867f730300fbe6ee3f7168acdd3d988 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sebastian=20B=C3=B8e?= Date: Wed, 12 Dec 2018 08:59:47 +0100 Subject: [PATCH 094/113] [nrf noup] treewide: add NCS partition manager support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Partition Manager is an nRF Connect SDK component which uses yaml files to resolve flash partition placement with a holistic view of the device. This component's MCUboot portions began life as upstream mcuboot PR#430. This added support for being built as a sub image from the downstream Nordic patch set for a zephyr multi image build system (mcuboot 430 was combined with effor submitted to upstream zephyr as PR#13672, which was ultimately reworked after being rejected for mainline at the ELCE 2019 conference in Lyon). It has since evolved over time. This is the version that will go into NCS v1.3. It features: - page size aligned partitions for all partitions used by mcuboot. - image swaps without scratch partitions Add support for configurations where there exists two primary slots but only one secondary slot, which is shared. These two primary slots are the regular application and B1. B1 can be either S0 or S1 depending on the state of the device. Decide where an upgrade should be stored by looking at the vector table. Provide update candidates for both s0 and s1. These candidates must be signed with mcuboot after being signed by b0. Additional notes: - we make update.hex without trailer data This is needed for serial recovery to work using hex files. Prior to this the update.hex got TLV data at the end of the partition, which caused many blank pages to be included, which made it hard to use in a serial recovery scheme. Instead, make update.hex without TLV data at the end, and provide a new file test_update.hex which contains the TLV data, and can be directly flashed to test the upgrade procedure. 
- we use a function for signing the application as future-proofing for when other components must be signed as well - this includes an update to single image applications that enables support for partition manager; when single image DFU is used, a scratch partition is not needed. - In NCS, image 1 primary slot is the upgrade bank for mcuboot (IE S0 or S1 depending on the active slot). It is not required that this slot contains any valid data. - The nRF boards all have a single flash page size, and partition manager deals with the size of the update partitions and so on, so we must skip a boot_slots_compatible() check to avoid getting an error. - There is no need to verify the target when using partition manager. - We lock mcuboot using fprotect before jumping, to enable the secure boot property of the system. - Call fw_info_ext_api_provide() before booting if EXT_API_PROVIDE EXT_API is enabled. This is relevant only when the immutable bootloader has booted mcuboot. Signed-off-by: Håkon Øye Amundsen Signed-off-by: Øyvind Rønningstad Signed-off-by: Sebastian Bøe Signed-off-by: Sigvart Hovland Signed-off-by: Martí Bolívar Signed-off-by: Torsten Rasmussen Signed-off-by: Andrzej Głąbek Signed-off-by: Robert Lubos Signed-off-by: Andrzej Puzdrowski Signed-off-by: Emil Obalski Signed-off-by: Torsten Rasmussen Signed-off-by: Pawel Dunaj Signed-off-by: Ioannis Glaropoulos Signed-off-by: Johann Fischer Signed-off-by: Vidar Berg Signed-off-by: Draus, Sebastian Signed-off-by: Trond Einar Snekvik Signed-off-by: Jamie McCrae Signed-off-by: Joakim Andersson Signed-off-by: Georgios Vasilakis (cherry picked from commit ed5f069290f5c40ef24d56d5fa5e06b1261fcf15) (cherry picked from commit d2cac70d1dc1532916b7595006ab67da6307ba9e) (cherry picked from commit 16306289fe1e6a4611ddf76f6031b84021c60123) (cherry picked from commit 349361ee87833adefc0efbe07ec293cc62a2dbdd) (cherry picked from commit 16fd63c01c7d318ca427db7d0f4fa6880be14794) 
Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 95 ++++++++++++++++++++++--- boot/bootutil/src/swap_move.c | 13 ++++ boot/bootutil/src/swap_scratch.c | 13 ++++ boot/zephyr/CMakeLists.txt | 7 ++ boot/zephyr/Kconfig | 2 + boot/zephyr/include/sysflash/sysflash.h | 48 +++++++++++++ boot/zephyr/include/target.h | 4 ++ boot/zephyr/main.c | 61 ++++++++++++++++ boot/zephyr/pm.yml | 74 +++++++++++++++++++ boot/zephyr/prj.conf | 1 + ext/nrf/cc310_glue.h | 2 +- zephyr/module.yml | 3 +- 12 files changed, 312 insertions(+), 11 deletions(-) create mode 100644 boot/zephyr/pm.yml diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index ded656504..4f05838b4 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -108,6 +108,15 @@ boot_read_image_headers(struct boot_loader_state *state, bool require_all, * * Failure to read any headers is a fatal error. */ +#ifdef PM_S1_ADDRESS + /* Patch needed for NCS. The primary slot of the second image + * (image 1) will not contain a valid image header until an upgrade + * of mcuboot has happened (filling S1 with the new version). + */ + if (BOOT_CURR_IMG(state) == 1 && i == 0) { + continue; + } +#endif /* PM_S1_ADDRESS */ if (i > 0 && !require_all) { return 0; } else { 
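Review bot: The added `continue` for image 1, slot 0 sits in the header-read failure branch and swallows every failure there, not only the "S1 not yet populated" case the comment describes, so a flash-driver error on that slot is also silently ignored and whatever the failed read left in that slot's header struct is used by later code. If the read leaves the header zeroed or untouched, the downstream code must already tolerate an invalid header for that slot; it would be safer to narrow the skip to the expected "blank slot" error value (hedged: the error codes returned by boot_read_image_header are not visible here) and to say so in the comment, e.g. `/* The inactive S0/S1 bank may legitimately be blank until MCUboot itself is upgraded; a blank header here is not an error. */`. The bare `1` and `0` would also read better as named image/slot constants. boot_read_image_headers starts outside the hunk.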
@@ -821,7 +830,24 @@ boot_validate_slot(struct boot_loader_state *state, int slot, goto out; } - if (reset_value < pri_fa->fa_off || reset_value> (pri_fa->fa_off + pri_fa->fa_size)) { + uint32_t min_addr, max_addr; + +#ifdef PM_CPUNET_APP_ADDRESS + /* The primary slot for the network core is emulated in RAM. + * Its flash_area hasn't got relevant boundaries. + * Therfore need to override its boundaries for the check. + */ + if (BOOT_CURR_IMG(state) == 1) { + min_addr = PM_CPUNET_APP_ADDRESS; + max_addr = PM_CPUNET_APP_ADDRESS + PM_CPUNET_APP_SIZE; + } else +#endif + { + min_addr = pri_fa->fa_off; + max_addr = pri_fa->fa_off + pri_fa->fa_size; + } + + if (reset_value < min_addr || reset_value> (max_addr)) { BOOT_LOG_ERR("Reset address of image in secondary slot is not in the primary slot"); BOOT_LOG_ERR("Erasing image from secondary slot"); 
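Review bot: The upper bound in `reset_value > (max_addr)` is still inclusive, so a reset vector exactly one past the end of the slot (`max_addr == fa_off + fa_size`, the first address of the next partition) passes the check; the rewritten line should read `if (reset_value < min_addr || reset_value >= max_addr) {`, and the same holds for the new `PM_CPUNET_APP_ADDRESS + PM_CPUNET_APP_SIZE` bound. The comment in the new block also has a typo, `Therfore` → `Therefore`. boot_validate_slot starts and ends outside the hunk.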
@@ -904,6 +930,42 @@ boot_validated_swap_type(struct boot_loader_state *state, { int swap_type; FIH_DECLARE(fih_rc, FIH_FAILURE); +#ifdef PM_S1_ADDRESS + /* Patch needed for NCS. Since image 0 (the app) and image 1 (the other + * B1 slot S0 or S1) share the same secondary slot, we need to check + * whether the update candidate in the secondary slot is intended for + * image 0 or image 1 primary by looking at the address of the reset + * vector. Note that there are good reasons for not using img_num from + * the swap info. + */ + const struct flash_area *secondary_fa = + BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); + struct image_header *hdr = + (struct image_header *)secondary_fa->fa_off; + + if (hdr->ih_magic == IMAGE_MAGIC) { + const struct flash_area *primary_fa; + uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; + uint32_t *vtable = (uint32_t *)(vtable_addr); + uint32_t reset_addr = vtable[1]; + int rc = flash_area_open( + flash_area_id_from_multi_image_slot( + BOOT_CURR_IMG(state), + BOOT_PRIMARY_SLOT), + &primary_fa); + + if (rc != 0) { + return BOOT_SWAP_TYPE_FAIL; + } + /* Get start and end of primary slot for current image */ + if (reset_addr < primary_fa->fa_off || + reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { + /* The image in the secondary slot is not intended for this image + */ + return BOOT_SWAP_TYPE_NONE; + } + } +#endif swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state)); if (BOOT_IS_UPGRADE(swap_type)) { 
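Review bot: `primary_fa` is opened with flash_area_open but never closed on either exit of the new block, and `hdr->ih_hdr_size` is used to locate the vector table before anything about the header has been validated, so a corrupt or crafted header in the secondary slot can steer the `vtable[1]` read outside the slot; both are fixable locally by bounding the header size against the slot and closing the area after the comparison. Forming `hdr` from `secondary_fa->fa_off` also assumes the secondary slot is memory-mapped at that address, which holds for internal flash but presumably not for an external-flash secondary slot, where flash_area_read would be needed instead. boot_validated_swap_type continues past the hunk.

```c
    if (hdr->ih_magic == IMAGE_MAGIC) {
        const struct flash_area *primary_fa;
        bool for_this_image;

        /* Header is unauthenticated here: keep the vector-table read inside the slot. */
        if ((uint32_t)hdr->ih_hdr_size + 2 * sizeof(uint32_t) > secondary_fa->fa_size) {
            return BOOT_SWAP_TYPE_NONE;
        }
        uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size;
        uint32_t *vtable = (uint32_t *)(vtable_addr);
        uint32_t reset_addr = vtable[1];
        int rc = flash_area_open(flash_area_id_from_multi_image_slot(
                                     BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT),
                                 &primary_fa);

        if (rc != 0) {
            return BOOT_SWAP_TYPE_FAIL;
        }
        /* Candidate belongs to this image only if its reset vector lies in our primary slot. */
        for_this_image = reset_addr >= primary_fa->fa_off &&
                         reset_addr < primary_fa->fa_off + primary_fa->fa_size;
        flash_area_close(primary_fa);
        if (!for_this_image) {
            return BOOT_SWAP_TYPE_NONE;
        }
    }
```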
@@ -2224,15 +2286,25 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) } #ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT - FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL); - /* Check for all possible values is redundant in normal operation it - * is meant to prevent FI attack. +#ifdef PM_S1_ADDRESS + /* Patch needed for NCS. Image 1 primary is the currently + * executing MCUBoot image, and is therefore already validated by NSIB and + * does not need to also be validated by MCUBoot. */ - if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS) || - FIH_EQ(fih_rc, FIH_FAILURE) || - FIH_EQ(fih_rc, FIH_NO_BOOTABLE_IMAGE)) { - FIH_SET(fih_rc, FIH_FAILURE); - goto out; + bool image_validated_by_nsib = BOOT_CURR_IMG(state) == 1; + if (!image_validated_by_nsib) +#endif + { + FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL); + /* Check for all possible values is redundant in normal operation it + * is meant to prevent FI attack. + */ + if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS) || + FIH_EQ(fih_rc, FIH_FAILURE) || + FIH_EQ(fih_rc, FIH_NO_BOOTABLE_IMAGE)) { + FIH_SET(fih_rc, FIH_FAILURE); + goto out; + } } #else /* Even if we're not re-validating the primary slot, we could be booting @@ -2249,11 +2321,16 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) } #endif /* MCUBOOT_VALIDATE_PRIMARY_SLOT */ +#ifdef PM_S1_ADDRESS + if (!image_validated_by_nsib) +#endif + { rc = boot_update_hw_rollback_protection(state); if (rc != 0) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } + } rc = boot_add_shared_data(state, BOOT_PRIMARY_SLOT); if (rc != 0) { diff --git a/boot/bootutil/src/swap_move.c b/boot/bootutil/src/swap_move.c index 61246b9e5..cd5016391 100644 --- a/boot/bootutil/src/swap_move.c +++ b/boot/bootutil/src/swap_move.c 
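Review bot: `image_validated_by_nsib` is declared inside the `#ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT` branch, but the second hunk reads it after `#endif /* MCUBOOT_VALIDATE_PRIMARY_SLOT */`, so a build with PM_S1_ADDRESS defined and MCUBOOT_VALIDATE_PRIMARY_SLOT off fails on an undeclared identifier unless the project guarantees the two always go together. Hoist the declaration above the validate block: `#ifdef PM_S1_ADDRESS` / `const bool image_validated_by_nsib = BOOT_CURR_IMG(state) == 1;` / `#endif`. The new comment says image 1's primary "is the currently executing MCUBoot image", whereas the commit message describes it as the inactive S0/S1 upgrade bank that MCUboot never boots itself; the comment should state the actual reason validation and the rollback-counter update are skipped for it, since that is what justifies the bypass. context_boot_go starts and ends outside the hunks.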
@@ -237,6 +237,18 @@ boot_status_internal_off(const struct boot_status *bs, int elem_sz) int boot_slots_compatible(struct boot_loader_state *state) { +#ifdef PM_S1_ADDRESS + /* Patch needed for NCS. In this case, image 1 primary points to the other + * B1 slot (ie S0 or S1), and image 0 primary points to the app. + * With this configuration, image 0 and image 1 share the secondary slot. + * Hence, the primary slot of image 1 will be *smaller* than image 1's + * secondary slot. This is not allowed in upstream mcuboot, so we need + * this patch to allow it. Also, all of these checks are redundant when + * partition manager is in use, and since we have the same sector size + * in all of our flash. + */ + return 1; +#else size_t num_sectors_pri; size_t num_sectors_sec; size_t sector_sz_pri = 0; @@ -273,6 +285,7 @@ boot_slots_compatible(struct boot_loader_state *state) } return 1; +#endif /* PM_S1_ADDRESS */ } #define BOOT_LOG_SWAP_STATE(area, state) \ diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c index 66cbdce5f..a32eb8d87 100644 --- a/boot/bootutil/src/swap_scratch.c +++ b/boot/bootutil/src/swap_scratch.c @@ -170,6 +170,18 @@ boot_status_internal_off(const struct boot_status *bs, int elem_sz) int boot_slots_compatible(struct boot_loader_state *state) { +#ifdef PM_S1_ADDRESS + /* Patch needed for NCS. In this case, image 1 primary points to the other + * B1 slot (ie S0 or S1), and image 0 primary points to the app. + * With this configuration, image 0 and image 1 share the secondary slot. + * Hence, the primary slot of image 1 will be *smaller* than image 1's + * secondary slot. This is not allowed in upstream mcuboot, so we need + * this patch to allow it. Also, all of these checks are redundant when + * partition manager is in use, and since we have the same sector size + * in all of our flash. + */ + return 1; +#else size_t num_sectors_primary; size_t num_sectors_secondary; size_t sz0, sz1; 
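Review bot: With PM_S1_ADDRESS defined, `return 1;` disables the slot-compatibility check for every image, including image 0, although the comment only justifies it for image 1 (whose primary is smaller than the shared secondary). If image 0's partition-manager layout satisfies the upstream sector checks, limiting the bypass to `if (BOOT_CURR_IMG(state) == 1) { return 1; }` and letting image 0 fall through keeps that defense for the application slots at no cost; the identical copy in swap_scratch.c on this same line would want the same change. Wrapping the original declarations in `#else`/`#endif` is harmless but unusual for an early return at a function head.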
@@ -255,6 +267,7 @@ boot_slots_compatible(struct boot_loader_state *state) } return 1; +#endif /* PM_S1_ADDRESS */ } #define BOOT_LOG_SWAP_STATE(area, state) \ diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 36b681521..10bdf6201 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -296,6 +296,13 @@ if(NOT CONFIG_BOOT_SIGNATURE_KEY_FILE STREQUAL "") endif() message("MCUBoot bootloader key file: ${KEY_FILE}") + set_property( + GLOBAL + PROPERTY + KEY_FILE + ${KEY_FILE} + ) + set(GENERATED_PUBKEY ${ZEPHYR_BINARY_DIR}/autogen-pubkey.c) add_custom_command( OUTPUT ${GENERATED_PUBKEY} diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index a67126a0b..e9d5be0a4 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -8,6 +8,8 @@ mainmenu "MCUboot configuration" comment "MCUboot-specific configuration options" +source "$(ZEPHYR_NRF_MODULE_DIR)/modules/mcuboot/boot/zephyr/Kconfig" + # Hidden option to mark a project as MCUboot config MCUBOOT default y diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index 890e69d98..2ec4fc7e2 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h 
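Review bot: The unconditional `source "$(ZEPHYR_NRF_MODULE_DIR)/modules/mcuboot/boot/zephyr/Kconfig"` makes any MCUboot build outside the nRF Connect SDK fail at Kconfig parse time when `ZEPHYR_NRF_MODULE_DIR` is unset or the file is absent, since `source` errors on a missing file. If the tree is meant to stay buildable as plain upstream Zephyr, `osource` degrades to simply not adding the downstream options. Either way a one-line comment naming the dependency would help, e.g. `# Downstream (nRF Connect SDK) MCUboot options; requires the sdk-nrf module.`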
@@ -7,6 +7,52 @@ #ifndef __SYSFLASH_H__ #define __SYSFLASH_H__ +#if USE_PARTITION_MANAGER +#include +#include + +#ifndef CONFIG_SINGLE_APPLICATION_SLOT + +#if (MCUBOOT_IMAGE_NUMBER == 1) + +#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID + +#elif (MCUBOOT_IMAGE_NUMBER == 2) + +extern uint32_t _image_1_primary_slot_id[]; + +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + (uint32_t)_image_1_primary_slot_id : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + 255 ) +#endif +#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID + +#else /* CONFIG_SINGLE_APPLICATION_SLOT */ + +#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_PRIMARY_ID +/* NOTE: Scratch parition is not used by single image DFU but some of + * functions in common files reference it, so the definitions has been + * provided to allow compilation of common units. + */ +#define FLASH_AREA_IMAGE_SCRATCH 0 + +#endif /* CONFIG_SINGLE_APPLICATION_SLOT */ + +#else + +#include #include #include #include @@ -57,4 +103,6 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #endif /* CONFIG_SINGLE_APPLICATION_SLOT */ +#endif /* USE_PARTITION_MANAGER */ + #endif /* __SYSFLASH_H__ */ diff --git a/boot/zephyr/include/target.h b/boot/zephyr/include/target.h index 61dfd9322..513693511 100644 --- a/boot/zephyr/include/target.h +++ b/boot/zephyr/include/target.h @@ -8,6 +8,8 @@ #ifndef H_TARGETS_TARGET_ #define H_TARGETS_TARGET_ +#ifndef USE_PARTITION_MANAGER + #if defined(MCUBOOT_TARGET_CONFIG) /* * Target-specific definitions are permitted in legacy cases that @@ -45,4 +47,6 @@ #error "Target support is incomplete; cannot build mcuboot." #endif +#endif /* ifndef USE_PARTITION_MANAGER */ + #endif /* H_TARGETS_TARGET_ */ 
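Review bot: The new `FLASH_AREA_IMAGE_PRIMARY(x)` / `FLASH_AREA_IMAGE_SECONDARY(x)` macros use `x` unparenthesised in `x == 0` and `x == 1`, so an expression argument such as `img + 1` binds as `img + 1 == 0`; write `((x) == 0)` and `((x) == 1)`. Taking `(uint32_t)_image_1_primary_slot_id` — the address of a linker-provided symbol rather than its contents — as a flash-area ID is non-obvious and deserves a comment at the `extern`, e.g. `/* Provided by the linker script: the ADDRESS of this symbol is the flash-area ID of the inactive S0/S1 bank. */` (hedged: confirm this is how the linker script defines it). The `255` fallback is an invalid-ID sentinel that could also carry a name.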
diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index c6a0f74ae..4a6f71e79 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -65,6 +65,10 @@ #endif /* CONFIG_SOC_FAMILY_ESP32 */ +#ifdef CONFIG_FW_INFO +#include +#endif + #ifdef CONFIG_MCUBOOT_SERIAL #include "boot_serial/boot_serial.h" #include "serial_adapter/serial_adapter.h" @@ -125,6 +129,27 @@ K_SEM_DEFINE(boot_log_sem, 1, 1); * !defined(ZEPHYR_LOG_MODE_MINIMAL) */ +#if USE_PARTITION_MANAGER && CONFIG_FPROTECT +#include +#include +#endif + +#ifdef CONFIG_SOC_FAMILY_NRF +#include + +static inline bool boot_skip_serial_recovery() +{ + uint32_t rr = nrfx_reset_reason_get(); + + return !(rr == 0 || (rr & NRFX_RESET_REASON_RESETPIN_MASK)); +} +#else +static inline bool boot_skip_serial_recovery() +{ + return false; +} +#endif + BOOT_LOG_MODULE_REGISTER(mcuboot); void os_heap_init(void); @@ -173,6 +198,19 @@ static void do_boot(struct boot_rsp *rsp) /* Disable the USB to prevent it from firing interrupts */ usb_disable(); #endif + +#if defined(CONFIG_FW_INFO) && !defined(CONFIG_EXT_API_PROVIDE_EXT_API_UNUSED) + bool provided = fw_info_ext_api_provide(fw_info_find((uint32_t)vt), true); + +#ifdef PM_S0_ADDRESS + /* Only fail if the immutable bootloader is present. */ + if (!provided) { + BOOT_LOG_ERR("Failed to provide EXT_APIs\n"); + return; + } +#endif +#endif + #if CONFIG_MCUBOOT_CLEANUP_ARM_CORE cleanup_arm_nvic(); /* cleanup NVIC registers */ 
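Review bot: `static inline bool boot_skip_serial_recovery()` uses an empty parameter list, which in C11 is an unprototyped declaration rather than "takes no arguments"; write `boot_skip_serial_recovery(void)` in both the nRF and the fallback definition. The policy it encodes — serial recovery only after a reset-reason of zero or a RESET-pin reset, never after a soft, watchdog or debugger reset — is security-relevant and should carry a comment so it is not loosened by accident, e.g. `/* Only a power-on (rr == 0) or RESET-pin reset may enter serial recovery. */` (hedged: confirm against nrfx that a zero reason means power-on).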
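Review bot: `fw_info_find((uint32_t)vt)` can presumably return NULL for an image that carries no fw_info block, and that value is passed straight to `fw_info_ext_api_provide` without a check; unless the callee documents NULL as acceptable, split the call and guard it: `const struct fw_info *info = fw_info_find((uint32_t)vt); if (info == NULL) { BOOT_LOG_ERR("No fw_info in image"); return; }`. The message `"Failed to provide EXT_APIs\n"` carries a trailing `\n` that the other BOOT_LOG_* calls in this file omit. do_boot starts and ends outside the hunk.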
@@ -529,7 +567,30 @@ int main(void) mcuboot_status_change(MCUBOOT_STATUS_BOOTABLE_IMAGE_FOUND); +#if USE_PARTITION_MANAGER && CONFIG_FPROTECT + +#ifdef PM_S1_ADDRESS +/* MCUBoot is stored in either S0 or S1, protect both */ +#define PROTECT_SIZE (PM_MCUBOOT_PRIMARY_ADDRESS - PM_S0_ADDRESS) +#define PROTECT_ADDR PM_S0_ADDRESS +#else +/* There is only one instance of MCUBoot */ +#define PROTECT_SIZE (PM_MCUBOOT_PRIMARY_ADDRESS - PM_MCUBOOT_ADDRESS) +#define PROTECT_ADDR PM_MCUBOOT_ADDRESS +#endif + + rc = fprotect_area(PROTECT_ADDR, PROTECT_SIZE); + + if (rc != 0) { + BOOT_LOG_ERR("Protect mcuboot flash failed, cancel startup."); + while (1) + ; + } + +#endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */ + ZEPHYR_BOOT_LOG_STOP(); + do_boot(&rsp); mcuboot_status_change(MCUBOOT_STATUS_BOOT_FAILED); diff --git a/boot/zephyr/pm.yml b/boot/zephyr/pm.yml new file mode 100644 index 000000000..0c3a59154 --- /dev/null +++ b/boot/zephyr/pm.yml 
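Review bot: `PROTECT_SIZE` and `PROTECT_ADDR` are `#define`d in the middle of main() and never `#undef`ed, so they leak into the rest of the translation unit; move them to file scope beside the fprotect includes or `#undef` both after the `fprotect_area` call. The `while (1) ;` on failure is the right fail-closed choice but reads like a stub; give it a comment such as `/* Fail closed: never jump to the application while MCUboot's own flash is still writable. */`. The lock is applied only on this boot path, after validation; whether the serial-recovery path earlier in main() should also run with MCUboot's region locked is worth stating explicitly. main starts outside the hunk.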
@@ -0,0 +1,74 @@ +#include + +mcuboot: + size: CONFIG_PM_PARTITION_SIZE_MCUBOOT + placement: + before: [mcuboot_primary] + +mcuboot_primary_app: + # All images to be placed in MCUboot's slot 0 should be placed in this + # partition + span: [app] + +mcuboot_primary: + span: [mcuboot_pad, mcuboot_primary_app] + +# Partition for secondary slot is not created if building in single application +# slot configuration. +#if !defined(CONFIG_SINGLE_APPLICATION_SLOT) && !defined(CONFIG_BOOT_DIRECT_XIP) +mcuboot_secondary: + share_size: [mcuboot_primary] +#if defined(CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY) + region: external_flash + placement: + align: {start: 4} +#else + placement: + align: {start: CONFIG_FPROTECT_BLOCK_SIZE} + align_next: CONFIG_FPROTECT_BLOCK_SIZE # Ensure that the next partition does not interfere with this image + after: mcuboot_primary +#endif /* CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY */ + +#endif /* !defined(CONFIG_SINGLE_APPLICATION_SLOT) && !defined(CONFIG_BOOT_DIRECT_XIP) */ + +#if CONFIG_BOOT_DIRECT_XIP + +# Direct XIP is enabled, reserve area for metadata (padding) and name the +# partition so that its clear that it is not the secondary slot, but the direct +# XIP alternative. + +mcuboot_secondary_pad: + share_size: mcuboot_pad + placement: + after: mcuboot_primary + align: {start: CONFIG_FPROTECT_BLOCK_SIZE} + +mcuboot_secondary_app: + share_size: mcuboot_primary_app + placement: + after: mcuboot_secondary_pad + +mcuboot_secondary: + span: [mcuboot_secondary_pad, mcuboot_secondary_app] + +#endif /* CONFIG_BOOT_DIRECT_XIP */ + +#if CONFIG_BOOT_SWAP_USING_SCRATCH +mcuboot_scratch: + size: CONFIG_PM_PARTITION_SIZE_MCUBOOT_SCRATCH + placement: + after: app + align: {start: CONFIG_FPROTECT_BLOCK_SIZE} +#endif /* CONFIG_BOOT_SWAP_USING_SCRATCH */ + +# Padding placed before image to boot. This reserves space for the MCUboot image header +# and it ensures that the boot image gets linked with the correct address offset in flash. 
+mcuboot_pad: + # MCUboot pad must be placed before the primary application partition. + # The primary application partition includes the secure firmware if present. + size: CONFIG_PM_PARTITION_SIZE_MCUBOOT_PAD + placement: + before: [mcuboot_primary_app] +#ifdef CONFIG_FPROTECT + align: {start: CONFIG_FPROTECT_BLOCK_SIZE} +#endif diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 58cb2ae35..23b5f3b93 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -19,6 +19,7 @@ CONFIG_BOOT_BOOTSTRAP=n # CONFIG_TINYCRYPT_SHA256 is not set CONFIG_FLASH=y +CONFIG_FPROTECT=y ### Various Zephyr boards enable features that we don't want. # CONFIG_BT is not set diff --git a/ext/nrf/cc310_glue.h b/ext/nrf/cc310_glue.h index ed3ed5c00..22eb94911 100644 --- a/ext/nrf/cc310_glue.h +++ b/ext/nrf/cc310_glue.h @@ -22,7 +22,7 @@ #include #include #include -#include +#include #include /* diff --git a/zephyr/module.yml b/zephyr/module.yml index c4293e387..797b0fa10 100644 --- a/zephyr/module.yml +++ b/zephyr/module.yml @@ -1,4 +1,5 @@ samples: - boot/zephyr build: - cmake: ./boot/bootutil/zephyr + cmake-ext: True + kconfig-ext: True From 1ead686941912e77921b1a07cc4e30b3acc628f4 Mon Sep 17 00:00:00 2001 
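Review bot: `CONFIG_FPROTECT_BLOCK_SIZE` is referenced unguarded in the `mcuboot_secondary`, `mcuboot_secondary_pad` and `mcuboot_scratch` alignments, while `mcuboot_pad` wraps the same alignment in `#ifdef CONFIG_FPROTECT`; if the block-size symbol is only defined when FPROTECT is enabled, a `CONFIG_FPROTECT=n` build leaves those `align:` values empty (hedged: depends on how partition manager expands an unset Kconfig symbol). Either guard all four consistently or drop the guard on `mcuboot_pad` and document that FPROTECT is mandatory for this layout, e.g. `# All slot boundaries are aligned to the fprotect block size so MCUboot can be locked without covering application flash.`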
From: Sigvart Hovland Date: Thu, 27 Aug 2020 14:29:31 +0200 Subject: [PATCH 095/113] [nrf noup] boot: nrf53-specific customizations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add network core bootloader implementation Enables network core updates of nrf53 using MCUBoot by identifying images through their start addresses. Also implements the control and transfer using the PCD module. - Add support for multi image DFU using partition manager. - Add check for netcore addr if NSIB is enabled so netcore updates works - boot: zephyr: move thingy53_nrf5340_cpuapp.conf downstream Moved the board configuration for Thingy:53 Application Core to the nRF Connect SDK MCUboot downstream repository. The configuration file contains references to the Kconfig modules that are only available in the nRF Connect SDK. The current configuration is set up to work in the nRF Connect SDK environment and cannot be used upstream. - pm: enable ram flash partition using common flag This patch makes mcuboot_primary_1 ram-flash partition selectable using CONFIG_NRF53_MCUBOOT_PRIMARY_1_RAM_FLASH property. This is needed since CONFIG_NRF53_MULTI_IMAGE_UPDATE become not only configuration which requires that partition. - MCUBoot configures USB CDC by its own. There is no need for BOARD_SERIAL_BACKEND_CDC_ACM option to configure anything which is later overwritten anyway. Jira: NCSDK-18596 Signed-off-by: Andrzej Puzdrowski Signed-off-by: Emil Obalski Signed-off-by: Håkon Øye Amundsen Signed-off-by: Ioannis Glaropoulos Signed-off-by: Jamie McCrae Signed-off-by: Johann Fischer Signed-off-by: Kamil Piszczek Signed-off-by: Ole Sæther Signed-off-by: Sigvart Hovland Signed-off-by: Simon Iversen Signed-off-by: Torsten Rasmussen Signed-off-by: Trond Einar Snekvik 
Signed-off-by: Mateusz Kapala (cherry picked from commit b96bed8acf51c26c60114bd40042c08c1a83097f) (cherry picked from commit 4302a915a0658ae89ba9d71e80f2ce3db8adac66) (cherry picked from commit e52481a517dfbbc47bc9af5d9439cf881028ade3) (cherry picked from commit 8642c39bc35fc2f1ca6ec1c849debb7df4257211) (cherry picked from commit 0030544b5f5dc805b2d9e136f5e8c64c143369e7) Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 96 ++++++++++++++----- .../boards/thingy53_nrf5340_cpuapp.conf | 73 ++++++++++++++ boot/zephyr/include/sysflash/sysflash.h | 23 +++++ boot/zephyr/main.c | 11 +++ boot/zephyr/pm.yml | 13 +++ 5 files changed, 190 insertions(+), 26 deletions(-) create mode 100644 boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 4f05838b4..313cb5061 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -48,6 +48,10 @@ #include "bootutil/boot_hooks.h" #include "bootutil/mcuboot_status.h" +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) +#include +#endif + #ifdef MCUBOOT_ENC_IMAGES #include "bootutil/enc_key.h" #endif @@ -930,7 +934,15 @@ boot_validated_swap_type(struct boot_loader_state *state, { int swap_type; FIH_DECLARE(fih_rc, FIH_FAILURE); -#ifdef PM_S1_ADDRESS + bool upgrade_valid = false; + +#if defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) + const struct flash_area *secondary_fa = + BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); + struct image_header *hdr = (struct image_header *)secondary_fa->fa_off; + uint32_t vtable_addr = 0; + uint32_t *vtable = 0; + uint32_t reset_addr = 0; /* Patch needed for NCS. Since image 0 (the app) and image 1 (the other * B1 slot S0 or S1) share the same secondary slot, we need to check * whether the update candidate in the secondary slot is intended for 
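Review bot: `uint32_t *vtable = 0;` initialises a pointer with an integer literal; `NULL` states the intent. More importantly `hdr` is still formed by casting `secondary_fa->fa_off` to a CPU address, which is only valid while the secondary slot is memory-mapped internal flash; the pm.yml in this series has a `CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY` branch, and for that layout `fa_off` is a device offset, so `hdr->ih_magic` would be read from the wrong memory (hedged: depends on how the external-flash region is mapped). Reading the header with `flash_area_read(secondary_fa, 0, &hdr_buf, sizeof(hdr_buf))` into a local struct, and the reset vector the same way, would make the routing check independent of XIP mapping. boot_validated_swap_type continues past the hunk.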
@@ -938,34 +950,36 @@ boot_validated_swap_type(struct boot_loader_state *state, * vector. Note that there are good reasons for not using img_num from * the swap info. */ - const struct flash_area *secondary_fa = - BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); - struct image_header *hdr = - (struct image_header *)secondary_fa->fa_off; if (hdr->ih_magic == IMAGE_MAGIC) { - const struct flash_area *primary_fa; - uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; - uint32_t *vtable = (uint32_t *)(vtable_addr); - uint32_t reset_addr = vtable[1]; - int rc = flash_area_open( - flash_area_id_from_multi_image_slot( - BOOT_CURR_IMG(state), - BOOT_PRIMARY_SLOT), - &primary_fa); - - if (rc != 0) { - return BOOT_SWAP_TYPE_FAIL; - } - /* Get start and end of primary slot for current image */ - if (reset_addr < primary_fa->fa_off || - reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { - /* The image in the secondary slot is not intended for this image - */ - return BOOT_SWAP_TYPE_NONE; - } - } + vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; + vtable = (uint32_t *)(vtable_addr); + reset_addr = vtable[1]; +#ifdef PM_S1_ADDRESS +#ifdef PM_CPUNET_B0N_ADDRESS + if(reset_addr < PM_CPUNET_B0N_ADDRESS) #endif + { + const struct flash_area *primary_fa; + int rc = flash_area_open(flash_area_id_from_multi_image_slot( + BOOT_CURR_IMG(state), + BOOT_PRIMARY_SLOT), + &primary_fa); + + if (rc != 0) { + return BOOT_SWAP_TYPE_FAIL; + } + /* Get start and end of primary slot for current image */ + if (reset_addr < primary_fa->fa_off || + reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { + /* The image in the secondary slot is not intended for this image + */ + return BOOT_SWAP_TYPE_NONE; + } + } +#endif /* PM_S1_ADDRESS */ + } +#endif /* PM_S1_ADDRESS || CONFIG_SOC_NRF5340_CPUAPP */ swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state)); if (BOOT_IS_UPGRADE(swap_type)) { 
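Review bot: `primary_fa` is opened and never closed on either path, and `reset_addr` is read through `hdr->ih_hdr_size` before any bound check, so a corrupt header can send the `vtable[1]` read outside the secondary slot — both carried over from the previous patch and still present after this rewrite; add `flash_area_close(primary_fa);` after the range comparison and reject headers where `ih_hdr_size + 2 * sizeof(uint32_t)` exceeds `secondary_fa->fa_size` before dereferencing. A `reset_addr` exactly equal to `PM_CPUNET_B0N_ADDRESS` matches neither `< PM_CPUNET_B0N_ADDRESS` here nor `> PM_CPUNET_B0N_ADDRESS` in the network-core branch below, so such a candidate falls through to the normal swap path with no routing check and only boot_validate_slot's range check left; `<=` on one side closes the gap. boot_validated_swap_type starts and ends outside the hunk.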
@@ -979,7 +993,37 @@ boot_validated_swap_type(struct boot_loader_state *state, } else { swap_type = BOOT_SWAP_TYPE_FAIL; } + } else { + upgrade_valid = true; + } + +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) + /* If the update is valid, and it targets the network core: perform the + * update and indicate to the caller of this function that no update is + * available + */ + if (upgrade_valid && reset_addr > PM_CPUNET_B0N_ADDRESS) { + uint32_t fw_size = hdr->ih_img_size; + + BOOT_LOG_INF("Starting network core update"); + int rc = pcd_network_core_update(vtable, fw_size); + + if (rc != 0) { + swap_type = BOOT_SWAP_TYPE_FAIL; + } else { + BOOT_LOG_INF("Done updating network core"); +#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) + /* swap_erase_trailer_sectors is undefined if upgrade only + * method is used. There is no need to erase sectors, because + * the image cannot be reverted. + */ + rc = swap_erase_trailer_sectors(state, + secondary_fa); +#endif + swap_type = BOOT_SWAP_TYPE_NONE; + } } +#endif /* CONFIG_SOC_NRF5340_CPUAPP */ } return swap_type; diff --git a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf new file mode 100644 index 000000000..7d3bc0bec --- /dev/null +++ b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf 
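Review bot: The return value of `swap_erase_trailer_sectors(state, secondary_fa)` is stored in `rc` but never examined, so a failed trailer erase is silently followed by `swap_type = BOOT_SWAP_TYPE_NONE`, and if the trailer survives the same network-core image would presumably be re-applied on the next boot. Check it: `if (rc != 0) { BOOT_LOG_ERR("Failed to erase trailer after network core update"); swap_type = BOOT_SWAP_TYPE_FAIL; }`. `fw_size` and `vtable` come from a header that boot_validate_slot accepted just above, which is what makes handing them to `pcd_network_core_update` acceptable; a one-line comment stating that dependency would keep a future reorder from breaking it. boot_validated_swap_type starts outside the hunk.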
@@ -0,0 +1,73 @@
+CONFIG_SIZE_OPTIMIZATIONS=y
+
+CONFIG_SYSTEM_CLOCK_NO_WAIT=y
+CONFIG_PM=n
+
+CONFIG_MAIN_STACK_SIZE=10240
+CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
+
+CONFIG_BOOT_MAX_IMG_SECTORS=2048
+CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
+
+# Flash
+CONFIG_FLASH=y
+CONFIG_BOOT_ERASE_PROGRESSIVELY=y
+CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y
+CONFIG_FPROTECT=y
+
+# Serial
+CONFIG_SERIAL=y
+CONFIG_UART_LINE_CTRL=y
+
+# MCUBoot serial
+CONFIG_GPIO=y
+CONFIG_MCUBOOT_SERIAL=y
+CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y
+CONFIG_BOOT_SERIAL_CDC_ACM=y
+
+# Required by QSPI
+CONFIG_NORDIC_QSPI_NOR=y
+CONFIG_NORDIC_QSPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096
+CONFIG_NORDIC_QSPI_NOR_STACK_WRITE_BUFFER_SIZE=16
+
+# Required by USB and QSPI
+CONFIG_MULTITHREADING=y
+
+# USB
+CONFIG_BOARD_SERIAL_BACKEND_CDC_ACM=n
+CONFIG_USB_DEVICE_REMOTE_WAKEUP=n
+CONFIG_USB_DEVICE_MANUFACTURER="Nordic Semiconductor ASA"
+CONFIG_USB_DEVICE_PRODUCT="Bootloader Thingy:53"
+CONFIG_USB_DEVICE_VID=0x1915
+CONFIG_USB_DEVICE_PID=0x5300
+CONFIG_USB_CDC_ACM=y
+
+# Decrease memory footprint
+CONFIG_CBPRINTF_NANO=y
+CONFIG_TIMESLICING=n
+CONFIG_BOOT_BANNER=n
+CONFIG_CONSOLE=n
+CONFIG_CONSOLE_HANDLER=n
+CONFIG_UART_CONSOLE=n
+CONFIG_USE_SEGGER_RTT=n
+CONFIG_LOG=n
+CONFIG_ERRNO=n
+CONFIG_PRINTK=n
+CONFIG_RESET_ON_FATAL_ERROR=n
+CONFIG_SPI=n
+CONFIG_I2C=n
+CONFIG_UART_NRFX=n
+
+# The following configurations are required to support simultaneous multi image update
+CONFIG_PCD_APP=y
+CONFIG_UPDATEABLE_IMAGE_NUMBER=2
+CONFIG_BOOT_UPGRADE_ONLY=y
+# The network core cannot access external flash directly. The flash simulator must be used to
+# provide a memory region that is used to forward the new firmware to the network core.
+CONFIG_FLASH_SIMULATOR=y
+CONFIG_FLASH_SIMULATOR_DOUBLE_WRITES=y
+CONFIG_FLASH_SIMULATOR_STATS=n
+
+# Enable custom command to erase settings partition.
+CONFIG_ENABLE_MGMT_PERUSER=y
+CONFIG_BOOT_MGMT_CUSTOM_STORAGE_ERASE=y
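Review bot: The final block enables `CONFIG_BOOT_MGMT_CUSTOM_STORAGE_ERASE` behind a one-line comment, but with `CONFIG_BOOT_SERIAL_CDC_ACM=y` the serial recovery transport is USB, and nothing in this fragment suggests the recovery commands are authenticated, so the comment should record the exposure and the reason the board needs it, e.g. `# Settings-partition erase is reachable by any host over serial recovery (USB CDC ACM); required for ...`. `CONFIG_RESET_ON_FATAL_ERROR=n` is listed under "Decrease memory footprint" but changes fault behaviour (a fault in the bootloader halts the device instead of restarting it); if that is the intent, say so rather than leaving it grouped with size options.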
diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index 2ec4fc7e2..78c5ead1c 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h @@ -20,6 +20,11 @@ #elif (MCUBOOT_IMAGE_NUMBER == 2) +/* If B0 is present then two bootloaders are present, and we must use + * a single secondary slot for both primary slots. + */ +#ifdef PM_B0_ADDRESS + extern uint32_t _image_1_primary_slot_id[]; #define FLASH_AREA_IMAGE_PRIMARY(x) \ @@ -35,6 +40,24 @@ extern uint32_t _image_1_primary_slot_id[]; (x == 1) ? \ PM_MCUBOOT_SECONDARY_ID: \ 255 ) +#else + +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) + +#endif /* PM_B0_ADDRESS */ + #endif #define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 4a6f71e79..e61f34874 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -87,6 +87,14 @@ const struct boot_uart_funcs boot_funcs = { #include #endif +#ifdef CONFIG_BOOT_SERIAL_PIN_RESET +#include +#endif + +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) +#include +#endif + /* CONFIG_LOG_MINIMAL is the legacy Kconfig property, * replaced by CONFIG_LOG_MODE_MINIMAL. */ @@ -587,6 +595,9 @@ int main(void) ; } +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) + pcd_lock_ram(); +#endif #endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */ ZEPHYR_BOOT_LOG_STOP(); diff --git a/boot/zephyr/pm.yml b/boot/zephyr/pm.yml index 0c3a59154..125b8813c 100644 --- a/boot/zephyr/pm.yml +++ b/boot/zephyr/pm.yml 
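Review bot: The new `#else` branch in sysflash.h carries no comment while the `#ifdef PM_B0_ADDRESS` branch above it is explained; a line such as `/* No B0: image 1 has its own primary and secondary slots. */` before the second `FLASH_AREA_IMAGE_PRIMARY` definition would make the split readable, since that branch maps image 1 to `PM_MCUBOOT_PRIMARY_1_ID` and `PM_MCUBOOT_SECONDARY_1_ID` instead of sharing one secondary slot.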
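Review bot: `pcd_lock_ram()` is placed inside the block that the following `#endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */` closes, so on the visible evidence the PCD RAM region is locked only when CONFIG_FPROTECT is enabled and is silently left unlocked otherwise. If locking is required whenever PCD is in use, the call belongs after that `#endif` under its own guard; if the dependency is intended, a comment such as `/* PCD RAM locking relies on FPROTECT being enabled */` should say so. The opening `#if` of that block is outside the hunk, so this is inferred from the closing comment only.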
@@ -72,3 +72,16 @@ mcuboot_pad: #ifdef CONFIG_FPROTECT align: {start: CONFIG_FPROTECT_BLOCK_SIZE} #endif + +#if (CONFIG_NRF53_MCUBOOT_PRIMARY_1_RAM_FLASH) +mcuboot_primary_1: + region: ram_flash + size: CONFIG_NRF53_RAM_FLASH_SIZE +#endif /* CONFIG_NRF53_MULTI_IMAGE_UPDATE */ + +#if (CONFIG_NRF53_MULTI_IMAGE_UPDATE) +mcuboot_secondary_1: + region: external_flash + size: CONFIG_NRF53_RAM_FLASH_SIZE + +#endif /* CONFIG_NRF53_MULTI_IMAGE_UPDATE */ From 7489b108d9f644cc478063596613483397e2741b Mon Sep 17 00:00:00 2001 From: Andrzej Puzdrowski Date: Thu, 27 Feb 2020 12:48:56 +0100 Subject: [PATCH 096/113] [nrf noup] do_boot: clean peripherals state before boot MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Do some cleanup of nRF peripherals. This is necessary since Zephyr doesn't have any driver deinitialization functionality, and we'd like to leave peripherals in a more predictable state before booting the Zephyr image. This should be re-worked when the zephyr driver model allows us to deinitialize devices cleanly before jumping to the chain-loaded image. Signed-off-by: Andrzej Puzdrowski Signed-off-by: Robert Lubos Signed-off-by: Torsten Rasmussen Signed-off-by: Øyvind Rønningstad Signed-off-by: Martí Bolívar Signed-off-by: Håkon Øye Amundsen Signed-off-by: Ioannis Glaropoulos Signed-off-by: Johann Fischer Signed-off-by: Trond Einar Snekvik Signed-off-by: Torsten Rasmussen Signed-off-by: Jamie McCrae Signed-off-by: Dominik Ermel (cherry picked from commit 0a4da3a684592450b559a6631eb17dd283654b77) (cherry picked from commit e56136a6b370f37bee300748b6a7e6eb5f782215) (cherry picked from commit 05405d4d57273a5b8d99a75cd15360a64c161104) (cherry picked from commit 0eacb355e9985fcfcf0533342764d81ce028822c) (cherry picked from commit 1f14ccb15d0b2e70bee98d87074a5aecb9c0e92d) 
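Review bot: The first `#endif` closes `#if (CONFIG_NRF53_MCUBOOT_PRIMARY_1_RAM_FLASH)` but its trailing comment reads `/* CONFIG_NRF53_MULTI_IMAGE_UPDATE */`, so both `#endif` comments are identical and the first is wrong; change it to `#endif /* CONFIG_NRF53_MCUBOOT_PRIMARY_1_RAM_FLASH */`. `mcuboot_secondary_1` in `external_flash` is also sized by `CONFIG_NRF53_RAM_FLASH_SIZE`; if the two partitions are required to be the same size, a one-line comment saying so would stop a later reader from "correcting" it.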
Signed-off-by: Dominik Ermel --- boot/zephyr/CMakeLists.txt | 6 +++ boot/zephyr/include/nrf_cleanup.h | 19 +++++++ boot/zephyr/main.c | 8 ++- boot/zephyr/nrf_cleanup.c | 83 +++++++++++++++++++++++++++++++ 4 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 boot/zephyr/include/nrf_cleanup.h create mode 100644 boot/zephyr/nrf_cleanup.c diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 10bdf6201..d481d9b8d 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -363,3 +363,9 @@ zephyr_library_sources( ${BOOT_DIR}/zephyr/arm_cleanup.c ) endif() + +if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL) +zephyr_library_sources( + ${BOOT_DIR}/zephyr/nrf_cleanup.c +) +endif() diff --git a/boot/zephyr/include/nrf_cleanup.h b/boot/zephyr/include/nrf_cleanup.h new file mode 100644 index 000000000..6b04cedfe --- /dev/null +++ b/boot/zephyr/include/nrf_cleanup.h @@ -0,0 +1,19 @@ +/* + * Copyright (c) 2020 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#ifndef H_NRF_CLEANUP_ +#define H_NRF_CLEANUP_ + +/** + * Perform cleanup on some peripheral resources used by MCUBoot prior chainload + * the application. + * + * This function disables all RTC instances and UARTE instances. + * It Disables their interrupts signals as well. + */ +void nrf_cleanup_peripheral(void); + +#endif diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index e61f34874..c56248458 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -142,6 +142,10 @@ K_SEM_DEFINE(boot_log_sem, 1, 1); #include #endif +#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL +#include +#endif + #ifdef CONFIG_SOC_FAMILY_NRF #include @@ -218,7 +222,9 @@ static void do_boot(struct boot_rsp *rsp) } #endif #endif - +#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL + nrf_cleanup_peripheral(); +#endif #if CONFIG_MCUBOOT_CLEANUP_ARM_CORE cleanup_arm_nvic(); /* cleanup NVIC registers */ 
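Review bot: The doc comment on `nrf_cleanup_peripheral()` in nrf_cleanup.h says the function disables RTC and UARTE instances, but the implementation added in the same commit (boot/zephyr/nrf_cleanup.c) also disables all PPI/DPPI channels, clears the UARTE SUBSCRIBE/PUBLISH registers and masks CLOCK interrupts, so the header understates what the application inherits; list those too. The wording `prior chainload the application` and `It Disables their interrupts signals as well` reads better as `prior to chain-loading the application` and `It also disables their interrupt signals`.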
diff --git a/boot/zephyr/nrf_cleanup.c b/boot/zephyr/nrf_cleanup.c new file mode 100644 index 000000000..5bab26b24 --- /dev/null +++ b/boot/zephyr/nrf_cleanup.c 
@@ -0,0 +1,83 @@ +/* + * Copyright (c) 2020 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#include +#if defined(NRF_UARTE0) || defined(NRF_UARTE1) + #include +#endif +#if defined(NRF_RTC0) || defined(NRF_RTC1) || defined(NRF_RTC2) + #include +#endif +#if defined(NRF_PPI) + #include +#endif +#if defined(NRF_DPPIC) + #include +#endif + +#include + +#define NRF_UARTE_SUBSCRIBE_CONF_OFFS offsetof(NRF_UARTE_Type, SUBSCRIBE_STARTRX) +#define NRF_UARTE_SUBSCRIBE_CONF_SIZE (offsetof(NRF_UARTE_Type, EVENTS_CTS) -\ + NRF_UARTE_SUBSCRIBE_CONF_OFFS) + +#define NRF_UARTE_PUBLISH_CONF_OFFS offsetof(NRF_UARTE_Type, PUBLISH_CTS) +#define NRF_UARTE_PUBLISH_CONF_SIZE (offsetof(NRF_UARTE_Type, SHORTS) -\ + NRF_UARTE_PUBLISH_CONF_OFFS) + +#if defined(NRF_RTC0) || defined(NRF_RTC1) || defined(NRF_RTC2) +static inline void nrf_cleanup_rtc(NRF_RTC_Type * rtc_reg) +{ + nrf_rtc_task_trigger(rtc_reg, NRF_RTC_TASK_STOP); + nrf_rtc_event_disable(rtc_reg, 0xFFFFFFFF); + nrf_rtc_int_disable(rtc_reg, 0xFFFFFFFF); +} +#endif + +static void nrf_cleanup_clock(void) +{ + nrf_clock_int_disable(NRF_CLOCK, 0xFFFFFFFF); +} + +void nrf_cleanup_peripheral(void) +{ +#if defined(NRF_RTC0) + nrf_cleanup_rtc(NRF_RTC0); +#endif +#if defined(NRF_RTC1) + nrf_cleanup_rtc(NRF_RTC1); +#endif +#if defined(NRF_RTC2) + nrf_cleanup_rtc(NRF_RTC2); +#endif +#if defined(NRF_UARTE0) + nrf_uarte_disable(NRF_UARTE0); + nrf_uarte_int_disable(NRF_UARTE0, 0xFFFFFFFF); +#if defined(NRF_DPPIC) + /* Clear all SUBSCRIBE configurations. */ + memset((uint8_t *)NRF_UARTE0 + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, NRF_UARTE_SUBSCRIBE_CONF_SIZE); + /* Clear all PUBLISH configurations. */ + memset((uint8_t *)NRF_UARTE0 + NRF_UARTE_PUBLISH_CONF_OFFS, 0, NRF_UARTE_PUBLISH_CONF_SIZE); +#endif +#endif +#if defined(NRF_UARTE1) + nrf_uarte_disable(NRF_UARTE1); + nrf_uarte_int_disable(NRF_UARTE1, 0xFFFFFFFF); +#if defined(NRF_DPPIC) + /* Clear all SUBSCRIBE configurations. 
*/ + memset((uint8_t *)NRF_UARTE1 + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, NRF_UARTE_SUBSCRIBE_CONF_SIZE); + /* Clear all PUBLISH configurations. */ + memset((uint8_t *)NRF_UARTE1 + NRF_UARTE_PUBLISH_CONF_OFFS, 0, NRF_UARTE_PUBLISH_CONF_SIZE); +#endif +#endif +#if defined(NRF_PPI) + nrf_ppi_channels_disable_all(NRF_PPI); +#endif +#if defined(NRF_DPPIC) + nrf_dppi_channels_disable_all(NRF_DPPIC); +#endif + nrf_cleanup_clock(); +} From 4a6f6e011a8c7b6b9d2e520178f2c34d137a367e Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Fri, 6 Jan 2023 12:24:48 +0100 Subject: [PATCH 097/113] [nrf noup] zephyr: Clean up non-secure RAM if enabled To ensure that MCUBoot does not leak keys or other material through memory to non-secure side we clear the memory before jumping to the next image. Signed-off-by: Sigvart Hovland Signed-off-by: Dominik Ermel (cherry picked from commit ff95e7bef35065ba9adfd512665435395019ad7a) (cherry picked from commit d584ea0f37b2cf1b5c5d2e459def6028853cecea) (cherry picked from commit 2394b5b65de1cc4539816e143f906756702eb4e9) (cherry picked from commit 3266b9917e66ab6b9827d39486ae924e935b49ce) (cherry picked from commit a47c9c4a05a48ec8cea7f59c2f9db31047be93e2) Signed-off-by: Dominik Ermel --- boot/zephyr/CMakeLists.txt | 2 +- boot/zephyr/include/nrf_cleanup.h | 5 +++++ boot/zephyr/main.c | 5 ++++- boot/zephyr/nrf_cleanup.c | 13 +++++++++++++ 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index d481d9b8d..5b1139298 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -364,7 +364,7 @@ zephyr_library_sources( ) endif() -if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL) +if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL OR CONFIG_MCUBOOT_CLEANUP_NONSECURE_RAM) zephyr_library_sources( ${BOOT_DIR}/zephyr/nrf_cleanup.c ) diff --git a/boot/zephyr/include/nrf_cleanup.h b/boot/zephyr/include/nrf_cleanup.h index 6b04cedfe..9e87e13f5 100644 --- a/boot/zephyr/include/nrf_cleanup.h 
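Review bot: `memset()` is used to clear the UARTE SUBSCRIBE and PUBLISH register ranges, but a libc memset is not guaranteed to issue the 32-bit stores peripheral registers expect, and the `(uint8_t *)` cast also drops `volatile`; a small helper that writes each register as a `volatile uint32_t` makes the access width explicit and removes the duplicated UARTE0/UARTE1 block. `NRF_UARTE_SUBSCRIBE_CONF_SIZE` and `NRF_UARTE_PUBLISH_CONF_SIZE` are then assumed to be multiples of four, which a `_Static_assert` can pin. The `#include` targets are not visible in this rendering, so I cannot confirm that `<string.h>` and `<stddef.h>` are among them.
```c
/* Peripheral registers must be written as whole 32-bit words; memset() may
 * be lowered to byte or vector stores and the cast discards volatile. */
static void nrf_cleanup_clear_regs(void *base, size_t offs, size_t size)
{
    volatile uint32_t *reg = (volatile uint32_t *)((uint8_t *)base + offs);

    for (size_t i = 0; i < size / sizeof(uint32_t); i++) {
        reg[i] = 0;
    }
}

#if defined(NRF_UARTE0) || defined(NRF_UARTE1)
static void nrf_cleanup_uarte(NRF_UARTE_Type *uarte)
{
    nrf_uarte_disable(uarte);
    nrf_uarte_int_disable(uarte, 0xFFFFFFFF);
#if defined(NRF_DPPIC)
    /* Clear all SUBSCRIBE and PUBLISH configurations. */
    nrf_cleanup_clear_regs(uarte, NRF_UARTE_SUBSCRIBE_CONF_OFFS, NRF_UARTE_SUBSCRIBE_CONF_SIZE);
    nrf_cleanup_clear_regs(uarte, NRF_UARTE_PUBLISH_CONF_OFFS, NRF_UARTE_PUBLISH_CONF_SIZE);
#endif
}
#endif

void nrf_cleanup_peripheral(void)
{
    /* … unchanged: RTC cleanup … */
#if defined(NRF_UARTE0)
    nrf_cleanup_uarte(NRF_UARTE0);
#endif
#if defined(NRF_UARTE1)
    nrf_cleanup_uarte(NRF_UARTE1);
#endif
    /* … unchanged: PPI/DPPI and clock cleanup … */
}
```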
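Review bot: The CMake condition tests `CONFIG_MCUBOOT_CLEANUP_NONSECURE_RAM` while main.c in the same commit tests `CONFIG_MCUBOOT_NRF_CLEANUP_NONSECURE_RAM`; only one of the two can be the declared Kconfig symbol, and whichever side uses the other name evaluates as false without any diagnostic, so either nrf_cleanup.c is never compiled in (undefined reference to `nrf_cleanup_ns_ram`) or the call is never emitted. Use one spelling in both places, e.g. `if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL OR CONFIG_MCUBOOT_NRF_CLEANUP_NONSECURE_RAM)` if the `_NRF_` form is the declared one.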
+++ b/boot/zephyr/include/nrf_cleanup.h @@ -16,4 +16,9 @@ */ void nrf_cleanup_peripheral(void); +/** + * Perform cleanup of non-secure RAM that may have been used by MCUBoot. + */ +void nrf_cleanup_ns_ram(void); + #endif diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index c56248458..250fb2bc7 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -142,7 +142,7 @@ K_SEM_DEFINE(boot_log_sem, 1, 1); #include #endif -#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL +#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL || CONFIG_MCUBOOT_NRF_CLEANUP_NONSECURE_RAM #include #endif @@ -225,6 +225,9 @@ static void do_boot(struct boot_rsp *rsp) #if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL nrf_cleanup_peripheral(); #endif +#if CONFIG_MCUBOOT_NRF_CLEANUP_NONSECURE_RAM && defined(PM_SRAM_NONSECURE_NAME) + nrf_cleanup_ns_ram(); +#endif #if CONFIG_MCUBOOT_CLEANUP_ARM_CORE cleanup_arm_nvic(); /* cleanup NVIC registers */ diff --git a/boot/zephyr/nrf_cleanup.c b/boot/zephyr/nrf_cleanup.c index 5bab26b24..f567b97e0 100644 --- a/boot/zephyr/nrf_cleanup.c +++ b/boot/zephyr/nrf_cleanup.c @@ -20,6 +20,10 @@ #include +#if defined(USE_PARTITION_MANAGER) +#include +#endif + #define NRF_UARTE_SUBSCRIBE_CONF_OFFS offsetof(NRF_UARTE_Type, SUBSCRIBE_STARTRX) #define NRF_UARTE_SUBSCRIBE_CONF_SIZE (offsetof(NRF_UARTE_Type, EVENTS_CTS) -\ NRF_UARTE_SUBSCRIBE_CONF_OFFS) @@ -81,3 +85,12 @@ void nrf_cleanup_peripheral(void) #endif nrf_cleanup_clock(); } + +#if defined(USE_PARTITION_MANAGER) \ + && defined(CONFIG_ARM_TRUSTZONE_M) \ + && defined(PM_SRAM_NONSECURE_NAME) +void nrf_cleanup_ns_ram(void) +{ + memset((void *) PM_SRAM_NONSECURE_ADDRESS, 0, PM_SRAM_NONSECURE_SIZE); +} +#endif From 352f95e5bf7a135f505408b92b3e9712fd307658 Mon Sep 17 00:00:00 2001 
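Review bot: `nrf_cleanup_ns_ram()` is defined only under `USE_PARTITION_MANAGER && CONFIG_ARM_TRUSTZONE_M && PM_SRAM_NONSECURE_NAME`, but the call added to main.c in this commit is guarded by `CONFIG_MCUBOOT_NRF_CLEANUP_NONSECURE_RAM && defined(PM_SRAM_NONSECURE_NAME)` only and the header declares it unconditionally, so a build with the option and partition manager but without `CONFIG_ARM_TRUSTZONE_M` fails to link. Align the guards, e.g. add `&& defined(CONFIG_ARM_TRUSTZONE_M)` to the main.c `#if`, or provide an empty stub under the complementary condition in nrf_cleanup.c. The `memset()` itself is a sound clearing primitive here because the target is an absolute region the compiler cannot prove dead, but the function presumably must run with MCUboot's stack and the boot response outside `PM_SRAM_NONSECURE`; a comment stating that precondition would help.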
From: Christian Taedcke Date: Thu, 10 Feb 2022 15:37:49 +0100 Subject: [PATCH 098/113] [nrf noup] loader: Fix reading reset addr to support ext flash MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When mcuboot_secondary is on external flash, the image header cannot directly be accessed via secondary_fa->fa_off. Instead, the provided function boot_img_hdr() is now used. Additionally, a similar issue is present when trying to read the address of the reset handler. For this, flash_area_read() is now used. With this patch it is possible to have the update partition mcuboot_secondary on external flash and update an updatable bootloader (mcuboot) in s0 and/or s1. Signed-off-by: Christian Taedcke Signed-off-by: Ole Sæther Signed-off-by: Sigvart Hovland Signed-off-by: Dominik Ermel (cherry picked from commit d6c6170b2bef748fbcd645e0f5ffa475a7c3b55a) (cherry picked from commit 4d30b551e558579b40896a83b36ce94b0668194f) (cherry picked from commit 7af56df670bf1b8a6e8ed615bac4452860c85e67) (cherry picked from commit a49b83e7e066ee9fa626f08b3d9958839284f015) (cherry picked from commit 48ad055386404000fc45b8273ede976334ca027b) Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 313cb5061..e3ea4e16e 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c
@@ -939,10 +939,9 @@ boot_validated_swap_type(struct boot_loader_state *state, #if defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) const struct flash_area *secondary_fa = BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); - struct image_header *hdr = (struct image_header *)secondary_fa->fa_off; - uint32_t vtable_addr = 0; - uint32_t *vtable = 0; + struct image_header *hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); uint32_t reset_addr = 0; + int rc = 0; /* Patch needed for NCS. Since image 0 (the app) and image 1 (the other * B1 slot S0 or S1) share the same secondary slot, we need to check * whether the update candidate in the secondary slot is intended for @@ -952,16 +951,19 @@ boot_validated_swap_type(struct boot_loader_state *state, */ if (hdr->ih_magic == IMAGE_MAGIC) { - vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; - vtable = (uint32_t *)(vtable_addr); - reset_addr = vtable[1]; + rc = flash_area_read(secondary_fa, hdr->ih_hdr_size + + sizeof(uint32_t), &reset_addr, + sizeof(reset_addr)); + if (rc != 0) { + return BOOT_SWAP_TYPE_FAIL; + } #ifdef PM_S1_ADDRESS #ifdef PM_CPUNET_B0N_ADDRESS if(reset_addr < PM_CPUNET_B0N_ADDRESS) #endif { const struct flash_area *primary_fa; - int rc = flash_area_open(flash_area_id_from_multi_image_slot( + rc = flash_area_open(flash_area_id_from_multi_image_slot( BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT), &primary_fa); 
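Review bot: The offset passed to `flash_area_read()` encodes that the reset handler is the second word of the vector table immediately following the image header, but nothing says so; a comment such as `/* Reset_Handler is vector table entry 1, placed right after the header */` above the call spares the next reader the arithmetic. `hdr->ih_hdr_size` still comes from an image that has not been validated at this point, so the read's safety rests on the flash-map layer rejecting offsets beyond the slot; if it does, the `rc != 0` path maps a malformed header to `BOOT_SWAP_TYPE_FAIL`, which is acceptable but worth stating. `primary_fa` is still opened without a matching `flash_area_close()`. boot_validated_swap_type starts and ends outside this hunk.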
@@ -997,16 +999,19 @@ boot_validated_swap_type(struct boot_loader_state *state, upgrade_valid = true; } -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) \ + && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) /* If the update is valid, and it targets the network core: perform the * update and indicate to the caller of this function that no update is * available */ if (upgrade_valid && reset_addr > PM_CPUNET_B0N_ADDRESS) { + struct image_header *hdr = (struct image_header *)secondary_fa->fa_off; + uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; + uint32_t *net_core_fw_addr = (uint32_t *)(vtable_addr); uint32_t fw_size = hdr->ih_img_size; - BOOT_LOG_INF("Starting network core update"); - int rc = pcd_network_core_update(vtable, fw_size); + rc = pcd_network_core_update(net_core_fw_addr, fw_size); if (rc != 0) { swap_type = BOOT_SWAP_TYPE_FAIL; From c987bd0e703e08f7397959ddc48cbc1d1aef35de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ole=20S=C3=A6ther?= Date: Tue, 20 Jun 2023 08:30:25 +0200 Subject: [PATCH 099/113] [nrf noup] bootloader: mcuboot: Fix wrong use of if defined MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The file nrf_cleanup.c has "#if defined(USE_PARTITION_MANAGER)" Which is true even if USE_PARTITION_MANAGER=n. This must be changed to "#if USE_PARTITION_MANAGER" for correct behaviour. Ref: NCSIDB-987 Signed-off-by: Ole Sæther (cherry picked from commit 823fd369c1430b50d263ccd6fbcf98bdd44001ba) (cherry picked from commit 09bad48a07090a6d32ebb253f15e3d08ea1f97fa) Signed-off-by: Dominik Ermel --- boot/zephyr/nrf_cleanup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/boot/zephyr/nrf_cleanup.c b/boot/zephyr/nrf_cleanup.c index f567b97e0..2165159ea 100644 --- a/boot/zephyr/nrf_cleanup.c +++ b/boot/zephyr/nrf_cleanup.c 
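Review bot: The new local `struct image_header *hdr = (struct image_header *)secondary_fa->fa_off;` shadows the outer `hdr` that this same commit switched to `boot_img_hdr()`, and reintroduces the direct `fa_off` dereference for the network-core path, so that path still breaks when the secondary slot is on external flash, which is the case the commit sets out to support. Take `ih_hdr_size` and `ih_img_size` from the outer `hdr`, and if `pcd_network_core_update()` genuinely needs a memory-mapped source address keep only `net_core_fw_addr`, with a comment recording that the network-core update path requires a memory-mapped secondary slot. The enclosing function starts and ends outside this hunk.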
@@ -20,7 +20,7 @@ #include -#if defined(USE_PARTITION_MANAGER) +#if USE_PARTITION_MANAGER #include #endif @@ -86,7 +86,7 @@ void nrf_cleanup_peripheral(void) nrf_cleanup_clock(); } -#if defined(USE_PARTITION_MANAGER) \ +#if USE_PARTITION_MANAGER \ && defined(CONFIG_ARM_TRUSTZONE_M) \ && defined(PM_SRAM_NONSECURE_NAME) void nrf_cleanup_ns_ram(void) From 4a343029cacb539c6a9227a25fced893ccc63288 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Tue, 11 Jul 2023 08:42:49 +0100 Subject: [PATCH 100/113] [nrf noup] Fix path variables Fixes path variables to use the proper Zephyr module variables Signed-off-by: Jamie McCrae (cherry picked from commit fecfb1effd2b0f1ae4dc66acb9852d9d1e0e5122) (cherry picked from commit 57773376b8fa9e1ebd7678822649c3d9e9806b0b) Signed-off-by: Dominik Ermel --- boot/zephyr/CMakeLists.txt | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 5b1139298..f82778aa4 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt 
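Review bot: `#if USE_PARTITION_MANAGER` now relies on the preprocessor treating an undefined identifier as 0 in builds where the macro is absent altogether, which is standard C but warns under `-Wundef`; `#if defined(USE_PARTITION_MANAGER) && USE_PARTITION_MANAGER` is warning-clean and states the intent. The same applies to the second hunk at `@@ -86`.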
@@ -26,21 +26,20 @@ assert_exists(FIAT_DIR) # Path to mbed-tls' asn1 parser library. set(MBEDTLS_ASN1_DIR "${MCUBOOT_DIR}/ext/mbedtls-asn1") assert_exists(MBEDTLS_ASN1_DIR) -set(NRF_DIR "${MCUBOOT_DIR}/ext/nrf") +set(MCUBOOT_NRF_EXT_DIR "${MCUBOOT_DIR}/ext/nrf") if(CONFIG_BOOT_USE_NRF_CC310_BL) -set(NRFXLIB_DIR ${ZEPHYR_BASE}/../nrfxlib) -if(NOT EXISTS ${NRFXLIB_DIR}) - message(FATAL_ERROR " + if(NOT EXISTS ${ZEPHYR_NRFXLIB_MODULE_DIR}) + message(FATAL_ERROR " ------------------------------------------------------------------------ - No such file or directory: ${NRFXLIB_DIR} + No such file or directory: ${ZEPHYR_NRFXLIB_MODULE_DIR} The current configuration enables nRF CC310 crypto accelerator hardware with the `CONFIG_BOOT_USE_NRF_CC310_BL` option. Please follow `ext/nrf/README.md` guide to fix your setup or use tinycrypt instead of the HW accelerator. To use the tinycrypt set `CONFIG_BOOT_ECDSA_TINYCRYPT` to y. ------------------------------------------------------------------------") -endif() + endif() endif() zephyr_library_include_directories( @@ -168,8 +167,8 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) ${TINYCRYPT_DIR}/source/utils.c ) elseif(CONFIG_BOOT_USE_NRF_CC310_BL) - zephyr_library_sources(${NRF_DIR}/cc310_glue.c) - zephyr_library_include_directories(${NRF_DIR}) + zephyr_library_sources(${MCUBOOT_NRF_EXT_DIR}/cc310_glue.c) + zephyr_library_include_directories(${MCUBOOT_NRF_EXT_DIR}) zephyr_link_libraries(nrfxlib_crypto) elseif(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO) zephyr_include_directories(${BL_CRYPTO_DIR}/../include) From c0523781f31122a5a846e9f85102d52a38bdad10 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Thu, 31 Aug 2023 08:58:31 +0100 Subject: [PATCH 101/113] [nrf noup] bootutil: Fix missing PCD define check Fixes a missing PCD define check, an image might have the network core partition layout set but if PCD support is not enabled then it should not assume that PCD support is part of mcuboot. 
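Review bot: `if(NOT EXISTS ${ZEPHYR_NRFXLIB_MODULE_DIR})` expands to a malformed `if(NOT EXISTS)` when the variable is not defined at all, and when it is empty the message prints `No such file or directory: ` with no path and no hint which variable is missing; quote the expansion, `if(NOT EXISTS "${ZEPHYR_NRFXLIB_MODULE_DIR}")`, and name the variable in the message so the failure is actionable. The second hunk is a straightforward rename and needs no change.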
Signed-off-by: Jamie McCrae (cherry picked from commit 71ec2664cc4aff87bd7e443c80fc177e0795d2eb) (cherry picked from commit 815fa3a1a4d072d6f34b5ede1da0ee3b96f3caca) Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index e3ea4e16e..71a0f8c68 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1000,7 +1000,7 @@ boot_validated_swap_type(struct boot_loader_state *state, } #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) \ - && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) + && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) && defined(CONFIG_PCD_APP) /* If the update is valid, and it targets the network core: perform the * update and indicate to the caller of this function that no update is * available @@ -1028,7 +1028,8 @@ boot_validated_swap_type(struct boot_loader_state *state, swap_type = BOOT_SWAP_TYPE_NONE; } } -#endif /* CONFIG_SOC_NRF5340_CPUAPP */ +#endif /* CONFIG_SOC_NRF5340_CPUAPP && PM_CPUNET_B0N_ADDRESS && + !CONFIG_NRF53_MULTI_IMAGE_UPDATE && CONFIG_PCD_APP */ } return swap_type; From c0ec15800ce8e2ecda0f6149f72a013db96b0e7d Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Thu, 31 Aug 2023 08:58:42 +0100 Subject: [PATCH 102/113] [nrf noup] boot: zephyr: Add ifdef protection for RAM locking This adds an ifdef check so that RAM is only protected if PCD is enabled, whereas previously this would cause a build failure. Signed-off-by: Jamie McCrae (cherry picked from commit 4ec411c10a594ff214ffadcce05a835d8398652a) (cherry picked from commit 52997e197541cf12908b4f341fbe0a0601bbc9f7) Signed-off-by: Dominik Ermel --- boot/zephyr/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 250fb2bc7..a149a00c1 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c 
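Review bot: The four-term guard for the network-core update path is spelled out here, and the main.c hunk of patch 102 (`pcd_lock_ram()`) repeats a three-term variant that lacks `!defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE)`; the two conditions will drift. If the difference is intentional (RAM is locked even when the multi-image path handles the network core), a comment at one of the two sites should say so; otherwise evaluate the condition once in a shared header into a single `#define` that both files test. The updated `#endif` comment matching all four terms is a welcome fix.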
@@ -604,7 +604,7 @@ int main(void) ; } -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) && defined(CONFIG_PCD_APP) pcd_lock_ram(); #endif #endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */ From 08575cc9fa46bc8016470a962b7fa0008f83e1ee Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Wed, 31 May 2023 14:41:13 +0200 Subject: [PATCH 103/113] [nrf noup] booutil: loader: Add support for NSIB and multi-image This adds support for using both NSIB and the multi-image configuration in MCUboot. Before this was not possible due to upgradable bootloader support through NSIB was using the `UPDATEABLE_IMAGE_NUMBER` configuration to update the updateable bootloader. In this commit we change from using `FLASH_AREA_IMAGE_PRIMARY` to get the flash area ID to using the bootloader state where we set the flash area ID of the free updatable bootloader slot if the image is intended for this slot. Ref. NCSDK-19223 Signed-off-by: Sigvart Hovland (cherry picked from commit 8fe7070ee192f8e72a9a67560cee9e3518155579) Signed-off-by: Dominik Ermel (cherry picked from commit 037f4da95bf65020dbac1b40c8ce7e53adbe348a) (cherry picked from commit b518e13be49bddda0749825378c37655dd023208) Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 38 ++++++++++++++++++------- boot/zephyr/include/sysflash/sysflash.h | 19 +++++++++++-- 2 files changed, 45 insertions(+), 12 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 71a0f8c68..a1e4585fb 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c 
@@ -844,6 +844,11 @@ boot_validate_slot(struct boot_loader_state *state, int slot, if (BOOT_CURR_IMG(state) == 1) { min_addr = PM_CPUNET_APP_ADDRESS; max_addr = PM_CPUNET_APP_ADDRESS + PM_CPUNET_APP_SIZE; +#ifdef PM_S1_ADDRESS + } else if (BOOT_CURR_IMG(state) == 0) { + min_addr = PM_S0_ADDRESS; + max_addr = pri_fa->fa_off + pri_fa->fa_size; +#endif } else #endif { @@ -962,20 +967,33 @@ boot_validated_swap_type(struct boot_loader_state *state, if(reset_addr < PM_CPUNET_B0N_ADDRESS) #endif { + const struct flash_area *nsib_fa; const struct flash_area *primary_fa; rc = flash_area_open(flash_area_id_from_multi_image_slot( - BOOT_CURR_IMG(state), - BOOT_PRIMARY_SLOT), - &primary_fa); - + BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT), + &primary_fa); if (rc != 0) { return BOOT_SWAP_TYPE_FAIL; } - /* Get start and end of primary slot for current image */ - if (reset_addr < primary_fa->fa_off || - reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { - /* The image in the secondary slot is not intended for this image - */ + + /* Check start and end of primary slot for current image */ + if (reset_addr < primary_fa->fa_off) { + /* NSIB upgrade slot */ + rc = flash_area_open((uint32_t)_image_1_primary_slot_id, + &nsib_fa); + + if (rc != 0) { + return BOOT_SWAP_TYPE_FAIL; + } + + /* Image is placed before Primary and within the NSIB slot */ + if (reset_addr > nsib_fa->fa_off + && reset_addr < (nsib_fa->fa_off + nsib_fa->fa_size)) { + /* Set primary to be NSIB upgrade slot */ + BOOT_IMG_AREA(state, 0) = nsib_fa; + } + } else if (reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { + /* The image in the secondary slot is not intended for any */ return BOOT_SWAP_TYPE_NONE; } } 
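Review bot: The new `else if (BOOT_CURR_IMG(state) == 0)` branch accepts any reset address from `PM_S0_ADDRESS` up to the end of the primary slot, a window that spans both NSIB slots and everything between them and the application slot; the comment should say the window is deliberately wide because the slot an image belongs to is chosen later in `boot_validated_swap_type()` (the second hunk of this commit), e.g. `/* S0/S1 or app image: the exact target slot is chosen in boot_validated_swap_type() */`. `pri_fa` and the enclosing function are defined outside the hunk.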
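Review bot: When `reset_addr < primary_fa->fa_off` but the address is not inside the NSIB slot, the new code falls out of the `if` without returning, whereas the replaced code returned `BOOT_SWAP_TYPE_NONE`; such an image is then treated as an upgrade for the current primary slot although its reset vector points elsewhere. Add an `else` to the inner range test: `} else { return BOOT_SWAP_TYPE_NONE; }`. `nsib_fa` (like `primary_fa`) is opened but never closed, and `BOOT_IMG_AREA(state, 0)` reads better as `BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)` since the second argument is the slot index. The enclosing function starts and ends outside this hunk.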
@@ -1239,7 +1257,7 @@ boot_copy_image(struct boot_loader_state *state, struct boot_status *bs) BOOT_LOG_INF("Image %d upgrade secondary slot -> primary slot", image_index); BOOT_LOG_INF("Erasing the primary slot"); - rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index), + rc = flash_area_open(flash_area_get_id(BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)), &fap_primary_slot); assert (rc == 0); diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index 78c5ead1c..fb5aa4782 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h @@ -23,9 +23,24 @@ /* If B0 is present then two bootloaders are present, and we must use * a single secondary slot for both primary slots. */ -#ifdef PM_B0_ADDRESS - +#if defined(PM_B0_ADDRESS) extern uint32_t _image_1_primary_slot_id[]; +#endif +#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) +#elif defined(PM_B0_ADDRESS) #define FLASH_AREA_IMAGE_PRIMARY(x) \ ((x == 0) ? \ From d44b9861baa159131bf928131b0ff24d304d7911 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Thu, 10 Aug 2023 17:32:48 +0000 Subject: [PATCH 104/113] [nrf noup] zephyr: Move partition manager definitions to pm_sysflash.h Making sysflash.h and pm_sysflash.h more readable. (cherry picked from commit eafdae91cb0d357a0ee81014a8101abdc1917dbb) Signed-off-by: Dominik Ermel (cherry picked from commit 99001d0a2186c611cf67a31b4d3858780686f0be) (cherry picked from commit 0383b7c29c5a93b5770d228e394f298dcde372f7) 
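Review bot: The `flash_area_open()` target now comes from `BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)`, which this commit can redirect to the NSIB slot, yet the two `BOOT_LOG_INF` lines above it still announce `secondary slot -> primary slot` and `Erasing the primary slot`; logging the actual area id, e.g. `BOOT_LOG_INF("Erasing area %d", flash_area_get_id(BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)));`, keeps the boot log truthful when the bootloader slot is the one being erased. boot_copy_image starts and ends outside this hunk.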
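Review bot: The comment kept above this sysflash.h hunk, `If B0 is present then two bootloaders are present, and we must use a single secondary slot for both primary slots`, no longer describes the first branch, where `FLASH_AREA_IMAGE_SECONDARY(1)` is `PM_MCUBOOT_SECONDARY_1_ID` under `CONFIG_NRF53_MULTI_IMAGE_UPDATE`; narrow it to the `#elif defined(PM_B0_ADDRESS)` branch or extend it, e.g. `/* With B0 and multi-image update, image 1 has its own secondary slot; with B0 alone both primaries share one secondary slot. */`.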
Signed-off-by: Dominik Ermel --- boot/zephyr/include/sysflash/pm_sysflash.h | 92 ++++++++++++++++++++++ boot/zephyr/include/sysflash/sysflash.h | 90 ++------------------- 2 files changed, 97 insertions(+), 85 deletions(-) create mode 100644 boot/zephyr/include/sysflash/pm_sysflash.h diff --git a/boot/zephyr/include/sysflash/pm_sysflash.h b/boot/zephyr/include/sysflash/pm_sysflash.h new file mode 100644 index 000000000..377291e8b --- /dev/null +++ b/boot/zephyr/include/sysflash/pm_sysflash.h 
@@ -0,0 +1,92 @@ +/* + * Copyright (c) 2023 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#ifndef __PM_SYSFLASH_H__ +#define __PM_SYSFLASH_H__ +/* Blocking the __SYSFLASH_H__ */ +#define __SYSFLASH_H__ + +#include +#include + +#ifndef CONFIG_SINGLE_APPLICATION_SLOT + +#if (MCUBOOT_IMAGE_NUMBER == 1) + +#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID + +#elif (MCUBOOT_IMAGE_NUMBER == 2) + +/* If B0 is present then two bootloaders are present, and we must use + * a single secondary slot for both primary slots. + */ +#if defined(PM_B0_ADDRESS) +extern uint32_t _image_1_primary_slot_id[]; +#endif +#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) +#elif defined(PM_B0_ADDRESS) + +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + (uint32_t)_image_1_primary_slot_id : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + 255 ) +#else + +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? 
\ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) + +#endif /* PM_B0_ADDRESS */ + +#endif +#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID + +#else /* CONFIG_SINGLE_APPLICATION_SLOT */ + +#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_PRIMARY_ID +/* NOTE: Scratch parition is not used by single image DFU but some of + * functions in common files reference it, so the definitions has been + * provided to allow compilation of common units. + */ +#define FLASH_AREA_IMAGE_SCRATCH 0 + +#endif /* CONFIG_SINGLE_APPLICATION_SLOT */ + +#endif /* __PM_SYSFLASH_H__ */ diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index fb5aa4782..6db393b00 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h 
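Review bot: The guard macros `__PM_SYSFLASH_H__` and `__SYSFLASH_H__` begin with a double underscore, which C reserves for the implementation, and the file deliberately defines `__SYSFLASH_H__` to switch off the rest of sysflash.h, so the mechanism hangs on that reserved name; it needs a fuller comment than `/* Blocking the __SYSFLASH_H__ */`, e.g. `/* Pre-defining sysflash.h's include guard makes its non-partition-manager block compile out; keep the two names in sync. */`. The bare `#endif` that follows `#endif /* PM_B0_ADDRESS */` should say what it closes, `#endif /* MCUBOOT_IMAGE_NUMBER */`, and `Scratch parition` in the trailing note is a typo for `partition`.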
@@ -4,93 +4,15 @@ * SPDX-License-Identifier: Apache-2.0 */ -#ifndef __SYSFLASH_H__ -#define __SYSFLASH_H__ - #if USE_PARTITION_MANAGER -#include -#include - -#ifndef CONFIG_SINGLE_APPLICATION_SLOT - -#if (MCUBOOT_IMAGE_NUMBER == 1) - -#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID - -#elif (MCUBOOT_IMAGE_NUMBER == 2) - -/* If B0 is present then two bootloaders are present, and we must use - * a single secondary slot for both primary slots. - */ -#if defined(PM_B0_ADDRESS) -extern uint32_t _image_1_primary_slot_id[]; -#endif -#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) -#elif defined(PM_B0_ADDRESS) - -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - (uint32_t)_image_1_primary_slot_id : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - 255 ) -#else - -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? 
\ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) - -#endif /* PM_B0_ADDRESS */ - +/* Blocking the rest of the file */ +#define __SYSFLASH_H__ +#include #endif -#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID -#else /* CONFIG_SINGLE_APPLICATION_SLOT */ - -#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_PRIMARY_ID -/* NOTE: Scratch parition is not used by single image DFU but some of - * functions in common files reference it, so the definitions has been - * provided to allow compilation of common units. - */ -#define FLASH_AREA_IMAGE_SCRATCH 0 - -#endif /* CONFIG_SINGLE_APPLICATION_SLOT */ - -#else +#ifndef __SYSFLASH_H__ +#define __SYSFLASH_H__ -#include #include #include #include @@ -141,6 +63,4 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #endif /* CONFIG_SINGLE_APPLICATION_SLOT */ -#endif /* USE_PARTITION_MANAGER */ - #endif /* __SYSFLASH_H__ */ From d9732b8f0f6a75b569d4aa6904b3d44ac1b20d3f Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Fri, 15 Sep 2023 12:16:12 +0200 Subject: [PATCH 105/113] [nrf noup] booutil: loader: Fixup for NSIB and multi-image Commit 8fe7070ee192f8e72a9a67560cee9e3518155579 broke bootloader updates for nRF91 and non-multi image builds. This commit is fixing this by restoring the previous functionality and `ifdef` out the new logic needed for multi-image. Ref. NCSDK-23305 Signed-off-by: Sigvart Hovland (cherry picked from commit 7429a98e530451021c96c7b49078824b86db0064) Signed-off-by: Dominik Ermel (cherry picked from commit 8c5b560c4c01eb34138962a5dea1a3ffb11047b6) (cherry picked from commit 745cf4e19836ce942694a117d4e0ebea5f90f56a) Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index a1e4585fb..60e57ad24 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c 
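Review bot: The guard-blocking trick at the top — `#define __SYSFLASH_H__` before including the partition-manager header (its name is lost in this rendering) — needs a comment stating its contract, since it only works if that header defines every macro the generic section below provides and keeps the same guard name; replace `/* Blocking the rest of the file */` with `/* Partition manager builds take FLASH_AREA_IMAGE_* from pm_sysflash.h; pre-defining the guard skips the generic definitions below. */`. `#if USE_PARTITION_MANAGER` on an undefined macro evaluates to 0 without any diagnostic, so a build that forgets to define it silently falls through to the generic definitions; building with `-Wundef`, or an explicit `#ifndef USE_PARTITION_MANAGER` / `#define USE_PARTITION_MANAGER 0` / `#endif` near the top, would surface that. The second hunk drops the matching `#endif /* USE_PARTITION_MANAGER */`, which is consistent with the new structure.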
@@ -967,7 +967,6 @@ boot_validated_swap_type(struct boot_loader_state *state,
 if(reset_addr < PM_CPUNET_B0N_ADDRESS)
 #endif
 {
- const struct flash_area *nsib_fa;
 const struct flash_area *primary_fa;
 rc = flash_area_open(flash_area_id_from_multi_image_slot(
 BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT),
@@ -978,6 +977,9 @@ boot_validated_swap_type(struct boot_loader_state *state,
 /* Check start and end of primary slot for current image */
 if (reset_addr < primary_fa->fa_off) {
+#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE)
+ const struct flash_area *nsib_fa;
+
 /* NSIB upgrade slot */
 rc = flash_area_open((uint32_t)_image_1_primary_slot_id,
 &nsib_fa);
@@ -992,6 +994,10 @@ boot_validated_swap_type(struct boot_loader_state *state,
 /* Set primary to be NSIB upgrade slot */
 BOOT_IMG_AREA(state, 0) = nsib_fa;
 }
+#else
+ return BOOT_SWAP_TYPE_NONE;
+#endif
+
 } else if (reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) {
 /* The image in the secondary slot is not intended for any */
 return BOOT_SWAP_TYPE_NONE;
From 7ce6393c8c8cb872302ba70bbb64861b9cada9a3 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Fri, 11 Aug 2023 12:29:13 +0000 Subject: [PATCH 106/113] [nrf noup] zephyr: Add support for three images The commit modifies pm_sysflash.h to add support for three application images. (cherry picked from commit 8fba4db81dc9aefa6b7481b3b9a6c5589214e13e) Signed-off-by: Dominik Ermel (cherry picked from commit a7f6ccb982583ec14bfced13bf9f6da55dc27c7e) (cherry picked from commit 5822244b43609099236584d932aecca616eabe94) Signed-off-by: Dominik Ermel
--- boot/zephyr/include/sysflash/pm_sysflash.h | 80 ++++++++++++---------- 1 file changed, 43 insertions(+), 37 deletions(-)
diff --git a/boot/zephyr/include/sysflash/pm_sysflash.h b/boot/zephyr/include/sysflash/pm_sysflash.h
index 377291e8b..b11b22180 100644
--- a/boot/zephyr/include/sysflash/pm_sysflash.h
+++ b/boot/zephyr/include/sysflash/pm_sysflash.h
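Review bot: The new `#else` branch returns `BOOT_SWAP_TYPE_NONE` for a reset vector below the primary slot without any diagnostic, while the comparable rejection a few lines down at least carries a comment; add `/* No NSIB upgrade slot on this target, so an image whose reset vector lies below the primary slot can never be booted from here. */` above the return, and consider a `BOOT_LOG_ERR` so the refused update shows up in the boot log. Both early returns leave `primary_fa`, opened via `flash_area_open` in the first hunk, without a matching close in the visible lines; whether a `flash_area_close` is required on this platform cannot be determined from the hunk. `boot_validated_swap_type` starts and ends outside the hunks.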
@@ -11,37 +11,17 @@ #include #include +#include #ifndef CONFIG_SINGLE_APPLICATION_SLOT -#if (MCUBOOT_IMAGE_NUMBER == 1) - -#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID - -#elif (MCUBOOT_IMAGE_NUMBER == 2) +#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ + !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) /* If B0 is present then two bootloaders are present, and we must use * a single secondary slot for both primary slots. */ -#if defined(PM_B0_ADDRESS) extern uint32_t _image_1_primary_slot_id[]; -#endif -#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) -#elif defined(PM_B0_ADDRESS) #define FLASH_AREA_IMAGE_PRIMARY(x) \ ((x == 0) ? \ 
@@ -56,26 +36,52 @@ extern uint32_t _image_1_primary_slot_id[]; (x == 1) ? \ PM_MCUBOOT_SECONDARY_ID: \ 255 ) + +#else /* MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ + * !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) + */ + +/* Each pair of slots is separated by , and there is no terminating character */ +#define FLASH_AREA_IMAGE_0_SLOTS PM_MCUBOOT_PRIMARY_ID, PM_MCUBOOT_SECONDARY_ID +#define FLASH_AREA_IMAGE_1_SLOTS PM_MCUBOOT_PRIMARY_1_ID, PM_MCUBOOT_SECONDARY_1_ID +#define FLASH_AREA_IMAGE_2_SLOTS PM_MCUBOOT_PRIMARY_2_ID, PM_MCUBOOT_SECONDARY_2_ID + +#if (MCUBOOT_IMAGE_NUMBER == 1) +#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS +#elif (MCUBOOT_IMAGE_NUMBER == 2) +#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS, \ + FLASH_AREA_IMAGE_1_SLOTS +#elif (MCUBOOT_IMAGE_NUMBER == 3) +#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS, \ + FLASH_AREA_IMAGE_1_SLOTS, \ + FLASH_AREA_IMAGE_2_SLOTS #else +#error Unsupported number of images +#endif -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) +static inline uint32_t __flash_area_ids_for_slot(int img, int slot) +{ + static const int all_slots[] = { + ALL_AVAILABLE_SLOTS + }; + return all_slots[img * 2 + slot]; +}; -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? 
\ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) +#undef FLASH_AREA_IMAGE_0_SLOTS +#undef FLASH_AREA_IMAGE_1_SLOTS +#undef FLASH_AREA_IMAGE_2_SLOTS +#undef ALL_AVAILABLE_SLOTS -#endif /* PM_B0_ADDRESS */ +#define FLASH_AREA_IMAGE_PRIMARY(x) __flash_area_ids_for_slot(x, 0) +#define FLASH_AREA_IMAGE_SECONDARY(x) __flash_area_ids_for_slot(x, 1) +#if !defined(CONFIG_BOOT_SWAP_USING_MOVE) +#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID #endif -#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID + +#endif /* MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ + * !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) + */ #else /* CONFIG_SINGLE_APPLICATION_SLOT */ From e8b06a8c4e5d736aaff44813fccf05aff0a31480 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Fri, 22 Sep 2023 21:31:08 +0000 Subject: [PATCH 107/113] [nrf noup] booutil: loader: Do not check reset vector for XIP image The XIP image, 2, does not have reset vector. Signed-off-by: Dominik Ermel (cherry picked from commit 568d62cede5dfcb355ebcd5ca002b74ed6a7bf3d) Signed-off-by: Dominik Ermel (cherry picked from commit c6349b9e5c7414b75ec2f751094ff5db00526ad8) (cherry picked from commit 4fe70b6e5a2c2c126e490b86d1edce0c3b5fd606) Signed-off-by: Dominik Ermel --- boot/bootutil/src/loader.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 60e57ad24..ed80d96b9 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c 
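Review bot: `__flash_area_ids_for_slot` indexes `all_slots[img * 2 + slot]` with no bounds check, so the `255` out-of-range sentinel the replaced macros returned has become an out-of-bounds read of a static array (undefined behaviour) for any `img >= MCUBOOT_IMAGE_NUMBER` or `slot > 1`; a range check that keeps returning the old sentinel preserves the contract for callers, if any, that still probe for 255. The table is `static const int` while the function returns `uint32_t`, and the `};` after the function body is a stray empty declaration; `static const uint32_t` and a plain `}` fix both. The `#else` and `#endif` comments read `MCUBOOT_IMAGE_NUMBER == 2) && ...` with an unbalanced parenthesis, and the same form recurs in the `#endif` of the L248 hunk. The double-underscore name is reserved for the implementation; a name such as `pm_flash_area_id_for_slot` avoids that.
```c
static inline uint32_t __flash_area_ids_for_slot(int img, int slot)
{
    static const uint32_t all_slots[] = {
        ALL_AVAILABLE_SLOTS
    };
    const size_t idx = (size_t)img * 2 + (size_t)slot;

    /* Keep the 255 "no such slot" sentinel the macro form returned
     * instead of reading past the table. */
    if (img < 0 || slot < 0 || slot > 1 ||
        idx >= sizeof(all_slots) / sizeof(all_slots[0])) {
        return 255;
    }
    return all_slots[idx];
}
```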
@@ -822,6 +822,16 @@ boot_validate_slot(struct boot_loader_state *state, int slot,
 * overwriting an application written to the incorrect slot.
 * This feature is only supported by ARM platforms.
 */
+#if MCUBOOT_IMAGE_NUMBER >= 3
+ /* Currently the MCUboot can be configured for up to 3 image, where image number 2 is
+ * designated for XIP, where it is the second part of image stored in slots of image
+ * 0. This part of image is not bootable, as the XIP setup is done by the app in
+ * image 0 slot, and it does not carry the reset vector.
+ */
+ if (area_id == FLASH_AREA_IMAGE_SECONDARY(2)) {
+ goto out;
+ }
+#endif
 if (area_id == FLASH_AREA_IMAGE_SECONDARY(BOOT_CURR_IMG(state))) {
 const struct flash_area *pri_fa = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT);
 struct image_header *secondary_hdr = boot_img_hdr(state, slot);
From 8809c85940f14066ef59e785a371fd276b585de4 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Mon, 18 Sep 2023 13:47:00 +0100 Subject: [PATCH 108/113] [nrf noup] zephyr: Add RAM flash configuration to cache for sysbuild Puts the flash simulation configurtion into cache variables that can be used by other applications and CMake code to know specifics on the simulated flash details Signed-off-by: Jamie McCrae (cherry picked from commit c28768eb2aa7b68e1420b7e260f6139b5b019ebd) (cherry picked from commit 9cd1de1148dc78cea02e6c8148975fb28d7f74ff) Signed-off-by: Dominik Ermel
--- boot/zephyr/CMakeLists.txt | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt
index f82778aa4..3ad6e6edd 100644
--- a/boot/zephyr/CMakeLists.txt
+++ b/boot/zephyr/CMakeLists.txt
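Review bot: The `goto out` for `FLASH_AREA_IMAGE_SECONDARY(2)` skips everything that follows in `boot_validate_slot`, and the hunk does not show whether that is only the reset-vector check or also later validation steps, so the comment should state exactly what is bypassed; if only the reset-vector check is meant, append `/* Skip only the reset-vector check; the header and signature checks performed earlier still apply. */`, or make the XIP test part of the condition of the reset-vector `if` instead of a jump. The condition compares `area_id` against a hard-coded image index while the comment repeats the same `2`; a named constant for the XIP image number would keep the convention in one place. The function starts and ends outside the hunk.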
@@ -368,3 +368,14 @@ zephyr_library_sources( ${BOOT_DIR}/zephyr/nrf_cleanup.c ) endif() + +if(SYSBUILD AND CONFIG_PCD_APP) + # Sysbuild requires details of the RAM flash device are stored to the cache of MCUboot so + # that they can be read when running partition manager + dt_nodelabel(ram_flash_dev NODELABEL flash_sim0) + dt_reg_addr(ram_flash_addr PATH ${ram_flash_dev}) + dt_reg_size(ram_flash_size PATH ${ram_flash_dev}) + + set(RAM_FLASH_ADDR "${ram_flash_addr}" CACHE STRING "" FORCE) + set(RAM_FLASH_SIZE "${ram_flash_size}" CACHE STRING "" FORCE) +endif() From 4d68fd45d93fa5c5b29d3d97513d7a208edbc6e2 Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Mon, 16 Oct 2023 12:54:21 +0200 Subject: [PATCH 109/113] [nrf noup] sysflash: pm_sysflash: Fix incorrect define exclude for NSIB A mismatch in defines was made for `_image_1_primary_slot_id` resulting in some configurations not working. This fixes that the linker variable is exposed for mcuboot so that it knows which slot is running an which slot a bootloader upgrade is to be put into. Ref. NCSDK-19223 Signed-off-by: Sigvart Hovland (cherry picked from commit 1f38eb867091b3dc8142d68f09545a8d9e3ed95e) (cherry picked from commit 862bca582b91398e5ed48d4f481c29cd7b6d6178) Signed-off-by: Dominik Ermel --- boot/zephyr/include/sysflash/pm_sysflash.h | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/boot/zephyr/include/sysflash/pm_sysflash.h b/boot/zephyr/include/sysflash/pm_sysflash.h index b11b22180..db60ddd03 100644 --- a/boot/zephyr/include/sysflash/pm_sysflash.h +++ b/boot/zephyr/include/sysflash/pm_sysflash.h 
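Review bot: `dt_nodelabel(ram_flash_dev NODELABEL flash_sim0)` is used without checking that the label resolved; if `flash_sim0` is absent the following `dt_reg_addr`/`dt_reg_size` calls operate on an unusable path and the cached `RAM_FLASH_ADDR`/`RAM_FLASH_SIZE` hold whatever those calls leave behind, which downstream partition-manager code then consumes as real addresses. A guard such as `if(NOT ram_flash_dev)` followed by `message(FATAL_ERROR "flash_sim0 node not found; CONFIG_PCD_APP requires a RAM flash device")` fails the configure step instead. The cache entries also carry an empty docstring; `"Address of the simulated RAM flash, consumed by sysbuild/partition manager"` tells a reader of the cache what the value is for.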
@@ -15,13 +15,15 @@
 #ifndef CONFIG_SINGLE_APPLICATION_SLOT
-#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \
- !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE)
-
+#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS)
 /* If B0 is present then two bootloaders are present, and we must use
 * a single secondary slot for both primary slots.
 */
 extern uint32_t _image_1_primary_slot_id[];
+#endif /* (MCUBOOT_IMAGE_NUMBER == 2 && defined(PM_B0_ADDRESS) */
+
+#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \
+ !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE)
 #define FLASH_AREA_IMAGE_PRIMARY(x) \
 ((x == 0) ? \
From fec69879ff5729ab08f312cc9decd06b130d42ef Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Tue, 17 Oct 2023 11:28:09 +0200 Subject: [PATCH 110/113] [nrf noup] boot: zephyr: Boot even if EXT_ABI is not provided This removes the `return;` to ensure that the application is booted even if EXT_ABI is not provided to the application because it does not include `FW_INFO`. Added a bit more description to the error messages when FW_INFO is not found and EXT_ABI is not able to be provided to the next image. Ref. NCSDK-24132 Signed-off-by: Sigvart Hovland (cherry picked from commit b80046d57c768fd9297f7921b323396359c5c2ca) (cherry picked from commit 01f17ebce077e2f736c28ae4fb4215081e5b21b3) Signed-off-by: Dominik Ermel
--- boot/zephyr/main.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c
index a149a00c1..35465c170 100644
--- a/boot/zephyr/main.c
+++ b/boot/zephyr/main.c
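Review bot: The block comment `/* If B0 is present then two bootloaders are present, and we must use a single secondary slot for both primary slots. */` now sits above the `extern`, which is declared regardless of `CONFIG_NRF53_MULTI_IMAGE_UPDATE`, while the single-secondary-slot behaviour it describes lives in the separate `#if` that follows; move the comment down to that `#if` and give the symbol its own line, e.g. `/* Linker-provided: flash area id used as the primary slot of image 1 (bootloader upgrade target) — confirm against the B0 linker script */`. The new `#endif` comment `(MCUBOOT_IMAGE_NUMBER == 2 && defined(PM_B0_ADDRESS)` is missing a closing parenthesis. `_image_1_primary_slot_id` is a file-scope identifier beginning with an underscore, which C reserves; this is presumably dictated by the linker script rather than chosen here, and is worth saying in the comment.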
@@ -212,13 +212,16 @@ static void do_boot(struct boot_rsp *rsp)
 #endif
 #if defined(CONFIG_FW_INFO) && !defined(CONFIG_EXT_API_PROVIDE_EXT_API_UNUSED)
- bool provided = fw_info_ext_api_provide(fw_info_find((uint32_t)vt), true);
+ const struct fw_info *firmware_info = fw_info_find((uint32_t) vt);
+ bool provided = fw_info_ext_api_provide(firmware_info, true);
 #ifdef PM_S0_ADDRESS
 /* Only fail if the immutable bootloader is present. */
 if (!provided) {
- BOOT_LOG_ERR("Failed to provide EXT_APIs\n");
- return;
+ if (firmware_info == NULL) {
+ BOOT_LOG_WRN("Unable to find firmware info structure in %p", vt);
+ }
+ BOOT_LOG_ERR("Failed to provide EXT_APIs to %p", vt);
 }
 #endif
 #endif
From 5b59dbfb0bc03bf6716c1282e20b1822c3e9ad6a Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Wed, 27 Sep 2023 15:18:04 +0200 Subject: [PATCH 111/113] =?UTF-8?q?[nrf=20noup]=C2=A0loader:=20Add=20firmw?= =?UTF-8?q?are=20version=20check=20downgrade=20prevention?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For nRF53, the only existing version number metadata is stored in the `firmware_info` structure in the network core. This utilizes PCD to read out the version number and compares it against the version number found in the secondary slot for the network core. Ref. NCSDK-21379 Signed-off-by: Sigvart Hovland (cherry picked from commit 1b6571d1287e852bec62e436fe1f9967f6021498) (cherry picked from commit 4d9859acba20b5c84558f02b98f8fc82e523648b) Signed-off-by: Dominik Ermel
--- boot/bootutil/src/loader.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
index ed80d96b9..f1bb10803 100644
--- a/boot/bootutil/src/loader.c
+++ b/boot/bootutil/src/loader.c
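Review bot: Dropping the `return` makes every `fw_info_ext_api_provide` failure under `PM_S0_ADDRESS` non-fatal, but the commit message only justifies the case where the image carries no `FW_INFO` (`firmware_info == NULL`); when a firmware-info structure is present and providing the EXT_APIs still fails, the image may now be booted without interfaces it was built to expect, and for the NULL case the log emits both the warning and the error. Handling the two cases separately keeps the relaxation to what was intended and restores the hard failure for the unexpected one. `do_boot` starts and ends outside the hunk.
```c
        if (!provided) {
            if (firmware_info == NULL) {
                /* Image carries no FW_INFO, so it cannot consume EXT_APIs; boot it anyway. */
                BOOT_LOG_WRN("Unable to find firmware info structure in %p", vt);
            } else {
                /* FW_INFO is present but the EXT_APIs could not be provided: keep the old hard failure. */
                BOOT_LOG_ERR("Failed to provide EXT_APIs to %p", vt);
                return;
            }
        }
```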
@@ -50,6 +50,10 @@
 #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS)
 #include
+#ifdef CONFIG_PCD_READ_NETCORE_APP_VERSION
+#include
+int pcd_version_cmp_net(const struct flash_area *fap, struct image_header *hdr);
+#endif
 #endif
 #ifdef MCUBOOT_ENC_IMAGES
@@ -781,9 +785,21 @@ boot_validate_slot(struct boot_loader_state *state, int slot,
 #if defined(MCUBOOT_OVERWRITE_ONLY) && defined(MCUBOOT_DOWNGRADE_PREVENTION)
 if (slot != BOOT_PRIMARY_SLOT) {
 /* Check if version of secondary slot is sufficient */
- rc = boot_version_cmp(
- &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver,
- &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver);
+
+#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) \
+ && defined(CONFIG_PCD_APP) && defined(CONFIG_PCD_READ_NETCORE_APP_VERSION)
+ if (BOOT_CURR_IMG(state) == 1) {
+ rc = pcd_version_cmp_net(fap, boot_img_hdr(state, BOOT_SECONDARY_SLOT));
+ } else {
+ rc = boot_version_cmp(
+ &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver,
+ &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver);
+ }
+#else
+ rc = boot_version_cmp(
+ &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver,
+ &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver);
+#endif
 if (rc < 0 && boot_check_header_erased(state, BOOT_PRIMARY_SLOT)) {
 BOOT_LOG_ERR("insufficient version in secondary slot");
 flash_area_erase(fap, 0, flash_area_get_size(fap));
From 691f405119b919ced0bc368d7565333a8eed4a70 Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Tue, 10 Oct 2023 14:05:04 +0200 Subject: [PATCH 112/113] [nrf noup] crypto: ecdsa: Fix shared crypto MCUBoot EXT_ABI After the upmerge using external crypto from NSIB in MCUBoot resulted in build failures. This commit fixes the build failures but also fixes a change in the API call which resulted in `-102` error when calling the verify function. Ref. NCSDK-23994
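Review bot: `pcd_version_cmp_net` is declared with a hand-written prototype in loader.c rather than taken from the PCD header the new `#include` brings in (its name is lost in this rendering), so a later signature change in that header would not be caught at compile time; the declaration belongs in the header. Its result feeds the existing `if (rc < 0 && boot_check_header_erased(...))` path that erases the secondary slot, so the function's behaviour on a failed read of the network-core version decides whether this anti-rollback check fails closed (a negative result erases a possibly valid update) or fails open (zero or positive lets a downgrade through); state the contract at the call, e.g. `/* pcd_version_cmp_net(): < 0 when the candidate is older than the running net-core image; behaviour on read failure — confirm */`. The `#else` branch repeats the three-line `boot_version_cmp` call; computing it once before the `#if` and overriding `rc` only in the image-1 case avoids the duplication. `boot_validate_slot` starts and ends outside the hunk.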
Signed-off-by: Sigvart Hovland (cherry picked from commit dc0b692181837d912e49fc49841918e47a60d22c) (cherry picked from commit 289166425805f937abfe9058f57323085ec96523) Signed-off-by: Dominik Ermel --- boot/bootutil/include/bootutil/crypto/ecdsa.h | 43 ++++++++++--------- boot/zephyr/prj_minimal.conf | 4 +- 2 files changed, 24 insertions(+), 23 deletions(-) diff --git a/boot/bootutil/include/bootutil/crypto/ecdsa.h b/boot/bootutil/include/bootutil/crypto/ecdsa.h index e62f3d606..949ec82bf 100644 --- a/boot/bootutil/include/bootutil/crypto/ecdsa.h +++ b/boot/bootutil/include/bootutil/crypto/ecdsa.h @@ -73,7 +73,7 @@ #if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) #include - #define BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE (4 * 8) + #define NUM_ECC_BYTES (256 / 8) #endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */ #ifdef __cplusplus @@ -81,7 +81,8 @@ extern "C" { #endif #if (defined(MCUBOOT_USE_TINYCRYPT) || defined(MCUBOOT_USE_MBED_TLS) || \ - defined(MCUBOOT_USE_CC310)) && !defined(MCUBOOT_USE_PSA_CRYPTO) + defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)) \ + && !defined(MCUBOOT_USE_PSA_CRYPTO) /* * Declaring these like this adds NULL termination. */ 
@@ -603,43 +604,45 @@ static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx, #endif /* MCUBOOT_USE_MBED_TLS */ #if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) -typedef uintptr_t bootutil_ecdsa_p256_context; - -static inline void bootutil_ecdsa_p256_init(bootutil_ecdsa_p256_context *ctx) +typedef uintptr_t bootutil_ecdsa_context; +static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx) { (void)ctx; } -static inline void bootutil_ecdsa_p256_drop(bootutil_ecdsa_p256_context *ctx) +static inline void bootutil_ecdsa_drop(bootutil_ecdsa_context *ctx) { (void)ctx; } -static inline int bootutil_ecdsa_p256_verify(bootutil_ecdsa_p256_context *ctx, - uint8_t *pk, size_t pk_len, - uint8_t *hash, - uint8_t *sig, size_t sig_len) +static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx, + uint8_t *pk, size_t pk_len, + uint8_t *hash, size_t hash_len, + uint8_t *sig, size_t sig_len) { (void)ctx; (void)pk_len; + (void)hash_len; uint8_t dsig[2 * NUM_ECC_BYTES]; if (bootutil_decode_sig(dsig, sig, sig + sig_len)) { return -1; } - /* As described on the compact representation in IETF protocols, - * the first byte of the key defines if the ECC points are - * compressed (0x2 or 0x3) or uncompressed (0x4). - * We only support uncompressed keys. - */ - if (pk[0] != 0x04) - return -1; + /* Only support uncompressed keys. */ + if (pk[0] != 0x04) { + return -1; + } + pk++; - pk++; + return bl_secp256r1_validate(hash, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE, pk, dsig); +} - return bl_secp256r1_validate(hash, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE, - pk, dsig); +static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx, + uint8_t **cp,uint8_t *end) +{ + (void)ctx; + return bootutil_import_key(cp, end); } #endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */ diff --git a/boot/zephyr/prj_minimal.conf b/boot/zephyr/prj_minimal.conf index 9f7688859..1f90e708b 100644 --- a/boot/zephyr/prj_minimal.conf +++ b/boot/zephyr/prj_minimal.conf 
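Review bot: The first hunk of this file on L251 replaces the `MCUBOOT_USE_NRF_EXTERNAL_CRYPTO` definition of `BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE` with `NUM_ECC_BYTES`, yet the rewritten `bootutil_ecdsa_verify` here still passes `BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE` to `bl_secp256r1_validate`; unless another branch of this header outside the hunk still defines it, an external-crypto-only build no longer compiles, so `#define BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE (4 * 8)` should stay next to the new `NUM_ECC_BYTES`. `hash_len` and `pk_len` are both discarded with `(void)`, so a caller passing a shorter digest or a key shorter than `1 + 2 * NUM_ECC_BYTES` bytes lets `bl_secp256r1_validate`, which presumably reads a full 64-byte key and 32-byte digest, run past the supplied buffers; rejecting mismatched lengths up front is a cheap check in a signature-verification primitive. The `0x04`-then-`pk++` sequence is unchanged from the removed code apart from the shortened comment.
```c
static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx,
                                        uint8_t *pk, size_t pk_len,
                                        uint8_t *hash, size_t hash_len,
                                        uint8_t *sig, size_t sig_len)
{
    (void)ctx;
    uint8_t dsig[2 * NUM_ECC_BYTES];

    /* P-256 over a 32-byte digest with an uncompressed 0x04 || X || Y key:
     * reject any other lengths before bl_secp256r1_validate() reads them. */
    if (hash_len != BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE ||
        pk_len != 1 + 2 * NUM_ECC_BYTES) {
        return -1;
    }

    // … unchanged: bootutil_decode_sig(), 0x04 check, pk++ …

    return bl_secp256r1_validate(hash, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE, pk, dsig);
}
```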
@@ -11,10 +11,8 @@ CONFIG_FLASH=y CONFIG_FPROTECT=y CONFIG_PM=n -CONFIG_BOOT_ENCRYPT_EC256=n -CONFIG_BOOT_ENCRYPT_RSA=n -CONFIG_BOOT_ENCRYPT_X25519=n CONFIG_BOOT_SWAP_SAVE_ENCTLV=n +CONFIG_BOOT_ENCRYPT_IMAGE=n CONFIG_BOOT_BOOTSTRAP=n CONFIG_BOOT_UPGRADE_ONLY=n From 75eae0e28027678685dfa739fcbe2b80e08ba256 Mon Sep 17 00:00:00 2001 From: Nikodem Kastelik Date: Mon, 9 Oct 2023 09:55:57 +0200 Subject: [PATCH 113/113] [nrf noup] boards: thingy53: disable GPIO ISR support Change disables GPIO interrupt support in Zephyr GPIO driver, which is not obligatory for MCUboot. This is needed to reduce memory footprint. Signed-off-by: Nikodem Kastelik (cherry picked from commit adab597a0eb0eb9c030a7b797748a49ca89988c2) Signed-off-by: Dominik Ermel --- boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf index 7d3bc0bec..e10656678 100644 --- a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf +++ b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf @@ -21,6 +21,7 @@ CONFIG_UART_LINE_CTRL=y # MCUBoot serial CONFIG_GPIO=y +CONFIG_GPIO_NRFX_INTERRUPT=n CONFIG_MCUBOOT_SERIAL=y CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y CONFIG_BOOT_SERIAL_CDC_ACM=y