[nrf noup] treewide: add NCS partition manager support

SebastianBoe · mbolivar-nordic · commit 4eba7803b69e · 2021-09-03T14:35:23.000-07:00
Partition Manager is an nRF Connect SDK component which uses yaml files to resolve flash partition placement with a holistic view of the device. This component's MCUboot portions began life as upstream mcuboot PR#430. This added support for being built as a sub image from the downstream Nordic patch set for a zephyr multi image build system (mcuboot 430 was combined with effor submitted to upstream zephyr as PR#13672, which was ultimately reworked after being rejected for mainline at the ELCE 2019 conference in Lyon). It has since evolved over time. This is the version that will go into NCS v1.3. It features: - page size aligned partitions for all partitions used by mcuboot. - image swaps without scratch partitions Add support for configurations where there exists two primary slots but only one secondary slot, which is shared. These two primary slots are the regular application and B1. B1 can be either S0 or S1 depending on the state of the device. Decide where an upgrade should be stored by looking at the vector table. Provide update candidates for both s0 and s1. These candidates must be signed with mcuboot after being signed by b0. Additional notes: - we make update.hex without trailer data This is needed for serial recovery to work using hex files. Prior to this the update.hex got TLV data at the end of the partition, which caused many blank pages to be included, which made it hard to use in a serial recovery scheme. Instead, make update.hex without TLV data at the end, and provide a new file test_update.hex which contains the TLV data, and can be directly flashed to test the upgrade procedure. - we use a function for signing the application as future-proofing for when other components must be signed as well - this includes an update to single image applications that enables support for partition manager; when single image DFU is used, a scratch partition is not needed. - In NCS, image 1 primary slot is the upgrade bank for mcuboot (IE S0 or S1 depending on the active slot). It is not required that this slot contains any valid data. - The nRF boards all have a single flash page size, and partition manager deals with the size of the update partitions and so on, so we must skip a boot_slots_compatible() check to avoid getting an error. - There is no need to verify the target when using partition manager. - We lock mcuboot using fprotect before jumping, to enable the secure boot property of the system. Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no> Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no> Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no> Signed-off-by: Sigvart Hovland <sigvart.m@gmail.com> Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no> Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no> Signed-off-by: Andrzej Głąbek <andrzej.glabek@nordicsemi.no> Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no> Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no> Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no> Signed-off-by: Emil Obalski <emil.obalski@nordicsemi.no> Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no> Signed-off-by: Pawel Dunaj <pawel.dunaj@nordicsemi.no> Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no> Signed-off-by: Johann Fischer <johann.fischer@nordicsemi.no> Signed-off-by: Vidar Berg <vidar.berg@nordicsemi.no> Signed-off-by: Draus, Sebastian <sebastian.draus@nordicsemi.no> Signed-off-by: Trond Einar Snekvik <Trond.Einar.Snekvik@nordicsemi.no> (cherry picked from commit 60e1d4b) (cherry picked from commit d84e34f) (cherry picked from commit 669b951) (cherry picked from commit 280bc15) (cherry picked from commit 262ef98) (cherry picked from commit 28db522) (cherry picked from commit 9efa2fd)
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
@@ -108,6 +108,15 @@ boot_read_image_headers(struct boot_loader_state *state, bool require_all,
              *
              * Failure to read any headers is a fatal error.
              */
+#ifdef PM_S1_ADDRESS
+            /* Patch needed for NCS. The primary slot of the second image
+             * (image 1) will not contain a valid image header until an upgrade
+             * of mcuboot has happened (filling S1 with the new version).
+             */
+            if (BOOT_CURR_IMG(state) == 1 && i == 0) {
+                continue;
+            }
+#endif /* PM_S1_ADDRESS */
             if (i > 0 && !require_all) {
                 return 0;
             } else {
@@ -839,6 +848,42 @@ boot_validated_swap_type(struct boot_loader_state *state,
 {
     int swap_type;
     fih_int fih_rc = FIH_FAILURE;
+#ifdef PM_S1_ADDRESS
+    /* Patch needed for NCS. Since image 0 (the app) and image 1 (the other
+     * B1 slot S0 or S1) share the same secondary slot, we need to check
+     * whether the update candidate in the secondary slot is intended for
+     * image 0 or image 1 primary by looking at the address of the reset
+     * vector. Note that there are good reasons for not using img_num from
+     * the swap info.
+     */
+    const struct flash_area *secondary_fa =
+	    BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT);
+    struct image_header *hdr =
+	    (struct image_header *)secondary_fa->fa_off;
+
+    if (hdr->ih_magic == IMAGE_MAGIC) {
+	    const struct flash_area *primary_fa;
+	    uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size;
+	    uint32_t *vtable = (uint32_t *)(vtable_addr);
+	    uint32_t reset_addr = vtable[1];
+	    int rc = flash_area_open(
+			    flash_area_id_from_multi_image_slot(
+				    BOOT_CURR_IMG(state),
+				    BOOT_PRIMARY_SLOT),
+			    &primary_fa);
+
+	    if (rc != 0) {
+		    return BOOT_SWAP_TYPE_FAIL;
+	    }
+	    /* Get start and end of primary slot for current image */
+	    if (reset_addr < primary_fa->fa_off ||
+	        reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) {
+		    /* The image in the secondary slot is not intended for this image
+		    */
+		    return BOOT_SWAP_TYPE_NONE;
+	    }
+    }
+#endif
 
     swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state));
     if (BOOT_IS_UPGRADE(swap_type)) {
@@ -2007,10 +2052,23 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
         }
 
 #ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT
-        FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL);
-        if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
-            goto out;
-        }
+#ifdef PM_S1_ADDRESS
+	/* Patch needed for NCS. If secure boot is enabled, then mcuboot
+	 * will be stored in either partition S0 or S1. Image 1 primary
+	 * will point to the 'other' Sx partition. Hence, image 1 primary
+	 * does not contain a valid image until mcuboot has been upgraded.
+	 * Note that B0 will perform validation of the active mcuboot image,
+	 * so there is no security lost by skipping this check for image 1
+	 * primary.
+	 */
+	if (BOOT_CURR_IMG(state) == 0)
+#endif
+	{
+            FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL);
+            if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+                goto out;
+            }
+	}
 #else
         /* Even if we're not re-validating the primary slot, we could be booting
          * onto an empty flash chip. At least do a basic sanity check that
diff --git a/boot/bootutil/src/swap_move.c b/boot/bootutil/src/swap_move.c
@@ -211,6 +211,18 @@ boot_status_internal_off(const struct boot_status *bs, int elem_sz)
 int
 boot_slots_compatible(struct boot_loader_state *state)
 {
+#ifdef PM_S1_ADDRESS
+    /* Patch needed for NCS. In this case, image 1 primary points to the other
+     * B1 slot (ie S0 or S1), and image 0 primary points to the app.
+     * With this configuration, image 0 and image 1 share the secondary slot.
+     * Hence, the primary slot of image 1 will be *smaller* than image 1's
+     * secondary slot. This is not allowed in upstream mcuboot, so we need
+     * this patch to allow it. Also, all of these checks are redundant when
+     * partition manager is in use, and since we have the same sector size
+     * in all of our flash.
+     */
+        return 1;
+#else
     size_t num_sectors_pri;
     size_t num_sectors_sec;
     size_t sector_sz_pri = 0;
@@ -247,6 +259,7 @@ boot_slots_compatible(struct boot_loader_state *state)
     }
 
     return 1;
+#endif /* PM_S1_ADDRESS */
 }
 
 #define BOOT_LOG_SWAP_STATE(area, state)                            \
diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c
@@ -175,6 +175,18 @@ boot_status_internal_off(const struct boot_status *bs, int elem_sz)
 int
 boot_slots_compatible(struct boot_loader_state *state)
 {
+#ifdef PM_S1_ADDRESS
+    /* Patch needed for NCS. In this case, image 1 primary points to the other
+     * B1 slot (ie S0 or S1), and image 0 primary points to the app.
+     * With this configuration, image 0 and image 1 share the secondary slot.
+     * Hence, the primary slot of image 1 will be *smaller* than image 1's
+     * secondary slot. This is not allowed in upstream mcuboot, so we need
+     * this patch to allow it. Also, all of these checks are redundant when
+     * partition manager is in use, and since we have the same sector size
+     * in all of our flash.
+     */
+        return 1;
+#else
     size_t num_sectors_primary;
     size_t num_sectors_secondary;
     size_t sz0, sz1;
@@ -260,6 +272,7 @@ boot_slots_compatible(struct boot_loader_state *state)
     }
 
     return 1;
+#endif /* PM_S1_ADDRESS */
 }
 
 #define BOOT_LOG_SWAP_STATE(area, state)                            \
diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt
@@ -276,6 +276,13 @@ if(NOT CONFIG_BOOT_SIGNATURE_KEY_FILE STREQUAL "")
   endif()
   message("MCUBoot bootloader key file: ${KEY_FILE}")
 
+  set_property(
+	GLOBAL
+	PROPERTY
+	KEY_FILE
+	${KEY_FILE}
+	)
+
   set(GENERATED_PUBKEY ${ZEPHYR_BINARY_DIR}/autogen-pubkey.c)
   add_custom_command(
     OUTPUT ${GENERATED_PUBKEY}
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -16,6 +16,18 @@ config MCUBOOT
 	select USE_DT_CODE_PARTITION if HAS_FLASH_LOAD_OFFSET
 	select MCUBOOT_BOOTUTIL_LIB
 
+partition=MCUBOOT
+partition-size=0xc000
+source "${ZEPHYR_BASE}/../nrf/subsys/partition_manager/Kconfig.template.partition_size"
+
+partition=MCUBOOT_SCRATCH
+partition-size=0x1e000
+source "${ZEPHYR_BASE}/../nrf/subsys/partition_manager/Kconfig.template.partition_size"
+
+partition=MCUBOOT_PAD
+partition-size=0x200
+source "${ZEPHYR_BASE}/../nrf/subsys/partition_manager/Kconfig.template.partition_size"
+
 config BOOT_USE_MBEDTLS
 	bool
 	# Hidden option
@@ -134,7 +146,6 @@ config BOOT_SIGNATURE_KEY_FILE
 	default "root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519
 	default "root-rsa-3072.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=3072
 	default "root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=2048
-	default ""
 	help
 	  You can use either absolute or relative path.
 	  In case relative path is used, the build system assumes that it starts
diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h
@@ -3,6 +3,51 @@
 #ifndef __SYSFLASH_H__
 #define __SYSFLASH_H__
 
+#if USE_PARTITION_MANAGER
+#include <pm_config.h>
+#include <mcuboot_config/mcuboot_config.h>
+
+#ifndef CONFIG_SINGLE_APPLICATION_SLOT
+
+#if (MCUBOOT_IMAGE_NUMBER == 1)
+
+#define FLASH_AREA_IMAGE_PRIMARY(x)    PM_MCUBOOT_PRIMARY_ID
+#define FLASH_AREA_IMAGE_SECONDARY(x)  PM_MCUBOOT_SECONDARY_ID
+
+#elif (MCUBOOT_IMAGE_NUMBER == 2)
+
+extern uint32_t _image_1_primary_slot_id[];
+
+#define FLASH_AREA_IMAGE_PRIMARY(x)            \
+        ((x == 0) ?                            \
+           PM_MCUBOOT_PRIMARY_ID :             \
+         (x == 1) ?                            \
+          (uint32_t)_image_1_primary_slot_id : \
+           255 )
+
+#define FLASH_AREA_IMAGE_SECONDARY(x) \
+        ((x == 0) ?                   \
+            PM_MCUBOOT_SECONDARY_ID:  \
+        (x == 1) ?                    \
+           PM_MCUBOOT_SECONDARY_ID:   \
+           255 )
+#endif
+#define FLASH_AREA_IMAGE_SCRATCH    PM_MCUBOOT_SCRATCH_ID
+
+#else /* CONFIG_SINGLE_APPLICATION_SLOT */
+
+#define FLASH_AREA_IMAGE_PRIMARY(x)	PM_MCUBOOT_PRIMARY_ID
+#define FLASH_AREA_IMAGE_SECONDARY(x)	PM_MCUBOOT_PRIMARY_ID
+/* NOTE: Scratch parition is not used by single image DFU but some of
+ * functions in common files reference it, so the definitions has been
+ * provided to allow compilation of common units.
+ */
+#define FLASH_AREA_IMAGE_SCRATCH       0
+
+#endif /* CONFIG_SINGLE_APPLICATION_SLOT */
+
+#else
+
 #include <devicetree.h>
 #include <mcuboot_config/mcuboot_config.h>
 
@@ -55,4 +100,6 @@
 
 #endif /* CONFIG_SINGLE_APPLICATION_SLOT */
 
+#endif /* USE_PARTITION_MANAGER */
+
 #endif /* __SYSFLASH_H__ */
diff --git a/boot/zephyr/include/target.h b/boot/zephyr/include/target.h
@@ -8,6 +8,8 @@
 #ifndef H_TARGETS_TARGET_
 #define H_TARGETS_TARGET_
 
+#ifndef USE_PARTITION_MANAGER
+
 #if defined(MCUBOOT_TARGET_CONFIG)
 /*
  * Target-specific definitions are permitted in legacy cases that
@@ -47,4 +49,6 @@
 #error "Target support is incomplete; cannot build mcuboot."
 #endif
 
+#endif /* ifndef USE_PARTITION_MANAGER */
+
 #endif /* H_TARGETS_TARGET_ */
diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c
@@ -85,6 +85,11 @@ K_SEM_DEFINE(boot_log_sem, 1, 1);
 #define ZEPHYR_BOOT_LOG_STOP() do { } while (false)
 #endif /* defined(CONFIG_LOG) && !defined(CONFIG_LOG_IMMEDIATE) */
 
+#if USE_PARTITION_MANAGER && CONFIG_FPROTECT
+#include <fprotect.h>
+#include <pm_config.h>
+#endif
+
 #ifdef CONFIG_SOC_FAMILY_NRF
 #include <hal/nrf_power.h>
 
@@ -526,7 +531,30 @@ void main(void)
 #else
     BOOT_LOG_INF("Jumping to the first image slot");
 #endif
+
+#if USE_PARTITION_MANAGER && CONFIG_FPROTECT
+
+#ifdef PM_S1_ADDRESS
+/* MCUBoot is stored in either S0 or S1, protect both */
+#define PROTECT_SIZE (PM_MCUBOOT_PRIMARY_ADDRESS - PM_S0_ADDRESS)
+#define PROTECT_ADDR PM_S0_ADDRESS
+#else
+/* There is only one instance of MCUBoot */
+#define PROTECT_SIZE (PM_MCUBOOT_PRIMARY_ADDRESS - PM_MCUBOOT_ADDRESS)
+#define PROTECT_ADDR PM_MCUBOOT_ADDRESS
+#endif
+
+    rc = fprotect_area(PROTECT_ADDR, PROTECT_SIZE);
+
+    if (rc != 0) {
+        BOOT_LOG_ERR("Protect mcuboot flash failed, cancel startup.");
+        while (1)
+            ;
+    }
+#endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */
+
     ZEPHYR_BOOT_LOG_STOP();
+
     do_boot(&rsp);
 
     BOOT_LOG_ERR("Never should get here");
diff --git a/boot/zephyr/pm.yml b/boot/zephyr/pm.yml
@@ -0,0 +1,51 @@
+#include <autoconf.h>
+
+mcuboot:
+  size: CONFIG_PM_PARTITION_SIZE_MCUBOOT
+  placement:
+    before: [mcuboot_primary]
+
+mcuboot_primary_app:
+  # All images to be placed in MCUboot's slot 0 should be placed in this
+  # partition
+  span: [app]
+
+mcuboot_primary:
+  span: [mcuboot_pad, mcuboot_primary_app]
+
+# Partition for secondary slot is not created if building in single application
+# slot configuration.
+#if !defined(CONFIG_SINGLE_APPLICATION_SLOT)
+mcuboot_secondary:
+#if defined(CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY)
+  region: external_flash
+  size: CONFIG_PM_PARTITION_SIZE_MCUBOOT_SECONDARY
+  placement:
+    align: {start: 4}
+#else
+  share_size: [mcuboot_primary]
+  placement:
+    align: {start: CONFIG_FPROTECT_BLOCK_SIZE}
+    after: mcuboot_primary
+#endif /* CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY */
+#endif /* !defined(CONFIG_SINGLE_APPLICATION_SLOT) */
+
+#if !defined(CONFIG_BOOT_SWAP_USING_MOVE) && !defined(CONFIG_SINGLE_APPLICATION_SLOT) && !defined(CONFIG_BOOT_UPGRADE_ONLY)
+mcuboot_scratch:
+  size: CONFIG_PM_PARTITION_SIZE_MCUBOOT_SCRATCH
+  placement:
+    after: app
+    align: {start: CONFIG_FPROTECT_BLOCK_SIZE}
+#endif
+
+# Padding placed before image to boot. This reserves space for the MCUboot image header
+# and it ensures that the boot image gets linked with the correct address offset in flash.
+mcuboot_pad:
+    # MCUboot pad must be placed before the 'spm' partition if that is present.
+    # If 'spm' partition is not present, it must be placed before the 'app'.
+  size: CONFIG_PM_PARTITION_SIZE_MCUBOOT_PAD
+  placement:
+    before: [mcuboot_primary_app]
+#ifdef CONFIG_FPROTECT
+    align: {start: CONFIG_FPROTECT_BLOCK_SIZE}
+#endif
diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf
@@ -24,6 +24,7 @@ CONFIG_BOOT_BOOTSTRAP=n
 # CONFIG_TINYCRYPT_SHA256 is not set
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 
 ### Various Zephyr boards enable features that we don't want.
 # CONFIG_BT is not set
diff --git a/zephyr/module.yml b/zephyr/module.yml
@@ -1,4 +1,5 @@
 samples:
   - boot/zephyr
 build:
-  cmake: ./boot/bootutil/zephyr
+  cmake-ext: True
+  kconfig-ext: True
