diff --git a/.github/workflows/sim.yaml b/.github/workflows/sim.yaml index c1d91a673..36d890d4f 100644 --- a/.github/workflows/sim.yaml +++ b/.github/workflows/sim.yaml @@ -17,7 +17,7 @@ jobs: matrix: features: - "sig-ecdsa,sig-ecdsa-mbedtls,sig-ed25519,enc-kw,bootstrap" - - "sig-rsa,sig-rsa3072,overwrite-only,validate-primary-slot,swap-move" + - "sig-rsa,sig-rsa3072,overwrite-only,validate-primary-slot,swap-move,swap-offset" - "enc-rsa,enc-rsa max-align-32" - "enc-aes256-rsa,enc-aes256-rsa max-align-32" - "enc-ec256,enc-ec256 max-align-32" @@ -29,7 +29,7 @@ jobs: - "enc-kw overwrite-only,enc-kw overwrite-only max-align-32" - "enc-rsa overwrite-only,enc-rsa overwrite-only max-align-32" - "enc-aes256-kw overwrite-only,enc-aes256-kw overwrite-only max-align-32" - - "sig-rsa enc-rsa validate-primary-slot,swap-move enc-rsa sig-rsa validate-primary-slot bootstrap" + - "sig-rsa enc-rsa validate-primary-slot,swap-move enc-rsa sig-rsa validate-primary-slot bootstrap,swap-offset enc-rsa sig-rsa validate-primary-slot bootstrap" - "sig-rsa enc-kw validate-primary-slot bootstrap,sig-ed25519 enc-x25519 validate-primary-slot" - "sig-ecdsa enc-kw validate-primary-slot" - "sig-ecdsa-mbedtls enc-kw validate-primary-slot" diff --git a/.github/workflows/zephyr_build.yaml b/.github/workflows/zephyr_build.yaml index e1ef4631d..a3826fb31 100644 --- a/.github/workflows/zephyr_build.yaml +++ b/.github/workflows/zephyr_build.yaml @@ -87,6 +87,7 @@ jobs: -T ../bootloader/mcuboot/boot/zephyr -T ./tests/subsys/dfu -T ./samples/subsys/mgmt/mcumgr/smp_svr + -T ../bootloader/mcuboot/samples/runtime-source/zephyr/app run: | export ZEPHYR_BASE=${PWD} export ZEPHYR_TOOLCHAIN_VARIANT=zephyr diff --git a/boot/boot_serial/include/boot_serial/boot_serial_encryption.h b/boot/boot_serial/include/boot_serial/boot_serial_encryption.h index b7cf9ff55..890f0cb18 100644 --- a/boot/boot_serial/include/boot_serial/boot_serial_encryption.h +++ b/boot/boot_serial/include/boot_serial/boot_serial_encryption.h @@ -15,13 +15,18 @@ * @param[in] hdr boot image header pointer * @param[in] buf buffer which is used for validating data * @param[in] buf_size size of input buffer + * @param[in] start_off start offset inside of image (swap using offset only) * * @return FIH_SUCCESS on success, error code otherwise */ fih_ret boot_image_validate_encrypted(const struct flash_area *fa_p, struct image_header *hdr, uint8_t *buf, - uint16_t buf_size); + uint16_t buf_size +#ifdef MCUBOOT_SWAP_USING_OFFSET + , uint32_t start_off +#endif +); /** * Handle an encrypted firmware in the main flash. diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c index 8b256c623..9ddc712de 100644 --- a/boot/boot_serial/src/boot_serial.c +++ b/boot/boot_serial/src/boot_serial.c @@ -154,6 +154,9 @@ BOOT_LOG_MODULE_DECLARE(mcuboot); #define IMAGES_ITER(x) #endif +#define SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN 1 +#define BOOT_DIRECT_UPLOAD_SECONDARY_SLOT_ID_REMAINDER 0 + static char in_buf[MCUBOOT_SERIAL_MAX_RECEIVE_SIZE + 1]; static char dec_buf[MCUBOOT_SERIAL_MAX_RECEIVE_SIZE + 1]; const struct boot_uart_funcs *boot_uf; @@ -165,9 +168,14 @@ static char bs_obuf[BOOT_SERIAL_OUT_MAX]; static void boot_serial_output(void); #ifdef MCUBOOT_SERIAL_IMG_GRP_HASH +#ifdef MCUBOOT_SWAP_USING_OFFSET +static int boot_serial_get_hash(const struct image_header *hdr, + const struct flash_area *fap, uint8_t *hash, uint32_t start_off); +#else static int boot_serial_get_hash(const struct image_header *hdr, const struct flash_area *fap, uint8_t *hash); #endif +#endif static zcbor_state_t cbor_state[2]; @@ -288,6 +296,7 @@ bs_list(char *buf, int len) for (slot = 0; slot < BOOT_NUM_SLOTS; slot++) { FIH_DECLARE(fih_rc, FIH_FAILURE); + int rc; uint8_t tmpbuf[64]; #ifdef MCUBOOT_SERIAL_IMG_GRP_IMAGE_STATE @@ -297,16 +306,41 @@ bs_list(char *buf, int len) bool permanent = false; #endif +#ifdef MCUBOOT_SWAP_USING_OFFSET + uint32_t start_off = 0; +#endif + area_id = flash_area_id_from_multi_image_slot(image_index, slot); if (flash_area_open(area_id, &fap)) { continue; } - int rc = BOOT_HOOK_CALL(boot_read_image_header_hook, - BOOT_HOOK_REGULAR, image_index, slot, &hdr); +#ifdef MCUBOOT_SWAP_USING_OFFSET + if (slot == BOOT_SECONDARY_SLOT && swap_status != BOOT_SWAP_TYPE_REVERT) { + uint32_t num_sectors = SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN; + struct flash_sector sector_data; + + rc = flash_area_sectors(fap, &num_sectors, §or_data); + + if ((rc != 0 && rc != -ENOMEM) || + num_sectors != SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN) { + flash_area_close(fap); + continue; + } + + start_off = sector_data.fs_size; + } +#endif + + rc = BOOT_HOOK_CALL(boot_read_image_header_hook, + BOOT_HOOK_REGULAR, image_index, slot, &hdr); if (rc == BOOT_HOOK_REGULAR) { +#ifdef MCUBOOT_SWAP_USING_OFFSET + flash_area_read(fap, start_off, &hdr, sizeof(hdr)); +#else flash_area_read(fap, 0, &hdr, sizeof(hdr)); +#endif } if (hdr.ih_magic == IMAGE_MAGIC) @@ -319,8 +353,13 @@ bs_list(char *buf, int len) #if defined(MCUBOOT_ENC_IMAGES) #if !defined(MCUBOOT_SINGLE_APPLICATION_SLOT) if (IS_ENCRYPTED(&hdr) && MUST_DECRYPT(fap, image_index, &hdr)) { +#ifdef MCUBOOT_SWAP_USING_OFFSET + FIH_CALL(boot_image_validate_encrypted, fih_rc, fap, + &hdr, tmpbuf, sizeof(tmpbuf), start_off); +#else FIH_CALL(boot_image_validate_encrypted, fih_rc, fap, &hdr, tmpbuf, sizeof(tmpbuf)); +#endif } else { #endif if (IS_ENCRYPTED(&hdr)) { @@ -333,8 +372,13 @@ bs_list(char *buf, int len) } #endif - FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, &hdr, +#ifdef MCUBOOT_SWAP_USING_OFFSET + FIH_CALL(bootutil_img_validate, fih_rc, NULL, &hdr, + fap, tmpbuf, sizeof(tmpbuf), NULL, 0, NULL, start_off); +#else + FIH_CALL(bootutil_img_validate, fih_rc, NULL, &hdr, fap, tmpbuf, sizeof(tmpbuf), NULL, 0, NULL); +#endif #if defined(MCUBOOT_ENC_IMAGES) && !defined(MCUBOOT_SINGLE_APPLICATION_SLOT) } #endif @@ -348,7 +392,11 @@ bs_list(char *buf, int len) #ifdef MCUBOOT_SERIAL_IMG_GRP_HASH /* Retrieve hash of image for identification */ +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = boot_serial_get_hash(&hdr, fap, hash, start_off); +#else rc = boot_serial_get_hash(&hdr, fap, hash); +#endif #endif flash_area_close(fap); @@ -494,17 +542,39 @@ bs_set(char *buf, int len) const struct flash_area *fap; uint8_t tmpbuf[64]; +#ifdef MCUBOOT_SWAP_USING_OFFSET + uint32_t num_sectors = SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN; + struct flash_sector sector_data; + uint32_t start_off = 0; +#endif + area_id = flash_area_id_from_multi_image_slot(image_index, 1); if (flash_area_open(area_id, &fap)) { BOOT_LOG_ERR("Failed to open flash area ID %d", area_id); continue; } +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = flash_area_sectors(fap, &num_sectors, §or_data); + + if ((rc != 0 && rc != -ENOMEM) || + num_sectors != SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN) { + flash_area_close(fap); + continue; + } + + start_off = sector_data.fs_size; +#endif + rc = BOOT_HOOK_CALL(boot_read_image_header_hook, BOOT_HOOK_REGULAR, image_index, 1, &hdr); if (rc == BOOT_HOOK_REGULAR) { +#ifdef MCUBOOT_SWAP_USING_OFFSET + flash_area_read(fap, start_off, &hdr, sizeof(hdr)); +#else flash_area_read(fap, 0, &hdr, sizeof(hdr)); +#endif } if (hdr.ih_magic == IMAGE_MAGIC) @@ -518,12 +588,22 @@ bs_set(char *buf, int len) { #ifdef MCUBOOT_ENC_IMAGES if (IS_ENCRYPTED(&hdr)) { +#ifdef MCUBOOT_SWAP_USING_OFFSET + FIH_CALL(boot_image_validate_encrypted, fih_rc, fap, + &hdr, tmpbuf, sizeof(tmpbuf), start_off); +#else FIH_CALL(boot_image_validate_encrypted, fih_rc, fap, &hdr, tmpbuf, sizeof(tmpbuf)); +#endif } else { #endif - FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, &hdr, +#ifdef MCUBOOT_SWAP_USING_OFFSET + FIH_CALL(bootutil_img_validate, fih_rc, NULL, &hdr, + fap, tmpbuf, sizeof(tmpbuf), NULL, 0, NULL, start_off); +#else + FIH_CALL(bootutil_img_validate, fih_rc, NULL, &hdr, fap, tmpbuf, sizeof(tmpbuf), NULL, 0, NULL); +#endif #ifdef MCUBOOT_ENC_IMAGES } #endif @@ -534,8 +614,14 @@ bs_set(char *buf, int len) } } +#ifdef MCUBOOT_SERIAL_IMG_GRP_HASH /* Retrieve hash of image for identification */ +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = boot_serial_get_hash(&hdr, fap, hash, start_off); +#else rc = boot_serial_get_hash(&hdr, fap, hash); +#endif +#endif flash_area_close(fap); if (rc == 0 && memcmp(hash, img_hash.value, sizeof(hash)) == 0) { @@ -811,6 +897,9 @@ bs_upload(char *buf, int len) */ static struct flash_sector status_sector; #endif +#ifdef MCUBOOT_SWAP_USING_OFFSET + static uint32_t start_off = 0; +#endif zcbor_state_t zsd[4]; zcbor_new_state(zsd, sizeof(zsd) / sizeof(zcbor_state_t), (uint8_t *)buf, len, 1, NULL, 0); @@ -874,6 +963,11 @@ bs_upload(char *buf, int len) */ const size_t area_size = flash_area_get_size(fap); +#ifdef MCUBOOT_SWAP_USING_OFFSET + uint32_t num_sectors = SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN; + struct flash_sector sector_data; +#endif + curr_off = 0; #ifdef MCUBOOT_ERASE_PROGRESSIVELY /* Get trailer sector information; this is done early because inability to get @@ -915,6 +1009,35 @@ bs_upload(char *buf, int len) #endif img_size = img_size_tmp; + +#ifdef MCUBOOT_SWAP_USING_OFFSET +#ifdef MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD + if (img_num > 0 && + (img_num % BOOT_NUM_SLOTS) == BOOT_DIRECT_UPLOAD_SECONDARY_SLOT_ID_REMAINDER) { + rc = flash_area_sectors(fap, &num_sectors, §or_data); + + if ((rc != 0 && rc != -ENOMEM) || + num_sectors != SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN) { + rc = MGMT_ERR_ENOENT; + goto out; + } + + start_off = sector_data.fs_size; + } else { + start_off = 0; + } +#else + rc = flash_area_sectors(fap, &num_sectors, §or_data); + + if ((rc != 0 && rc != -ENOMEM) || + num_sectors != SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN) { + rc = MGMT_ERR_ENOENT; + goto out; + } + + start_off = sector_data.fs_size; +#endif +#endif } else if (img_chunk_off != curr_off) { /* If received chunk offset does not match expected one jump, pretend * success and jump to out; out will respond to client with success @@ -931,8 +1054,13 @@ bs_upload(char *buf, int len) /* Progressive erase will erase enough flash, aligned to sector size, * as needed for the current chunk to be written. */ +#ifdef MCUBOOT_SWAP_USING_OFFSET + not_yet_erased = erase_range(fap, not_yet_erased, + curr_off + img_chunk_len - 1 + start_off); +#else not_yet_erased = erase_range(fap, not_yet_erased, curr_off + img_chunk_len - 1); +#endif if (not_yet_erased < 0) { rc = MGMT_ERR_EINVAL; @@ -969,7 +1097,11 @@ bs_upload(char *buf, int len) memset(wbs_aligned, flash_area_erased_val(fap), sizeof(wbs_aligned)); memcpy(wbs_aligned, img_chunk, write_size); +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = flash_area_write(fap, curr_off + start_off, wbs_aligned, write_size); +#else rc = flash_area_write(fap, curr_off, wbs_aligned, write_size); +#endif if (rc != 0) { goto out; @@ -980,10 +1112,18 @@ bs_upload(char *buf, int len) img_chunk_len -= write_size; } } else { +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = flash_area_write(fap, curr_off + start_off, img_chunk, img_chunk_len); +#else rc = flash_area_write(fap, curr_off, img_chunk, img_chunk_len); +#endif } +#else +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = flash_area_write(fap, curr_off + start_off, img_chunk, img_chunk_len); #else rc = flash_area_write(fap, curr_off, img_chunk, img_chunk_len); +#endif #endif if (rc == 0 && rem_bytes) { @@ -996,8 +1136,13 @@ bs_upload(char *buf, int len) memset(wbs_aligned, flash_area_erased_val(fap), sizeof(wbs_aligned)); memcpy(wbs_aligned, img_chunk + img_chunk_len, rem_bytes); +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = flash_area_write(fap, curr_off + img_chunk_len + start_off, wbs_aligned, + flash_area_align(fap)); +#else rc = flash_area_write(fap, curr_off + img_chunk_len, wbs_aligned, flash_area_align(fap)); +#endif } if (rc == 0) { @@ -1452,8 +1597,13 @@ boot_serial_check_start(const struct boot_uart_funcs *f, int timeout_in_ms) #ifdef MCUBOOT_SERIAL_IMG_GRP_HASH /* Function to find the hash of an image, returns 0 on success. */ +#ifdef MCUBOOT_SWAP_USING_OFFSET +static int boot_serial_get_hash(const struct image_header *hdr, + const struct flash_area *fap, uint8_t *hash, uint32_t start_off) +#else static int boot_serial_get_hash(const struct image_header *hdr, const struct flash_area *fap, uint8_t *hash) +#endif { struct image_tlv_iter it; uint32_t offset; @@ -1464,6 +1614,10 @@ static int boot_serial_get_hash(const struct image_header *hdr, /* Manifest data is concatenated to the end of the image. * It is encoded in TLV format. */ +#if defined(MCUBOOT_SWAP_USING_OFFSET) + it.start_off = start_off; +#endif + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false); if (rc) { return -1; diff --git a/boot/boot_serial/src/boot_serial_encryption.c b/boot/boot_serial/src/boot_serial_encryption.c index c4bd7d87b..744b22312 100644 --- a/boot/boot_serial/src/boot_serial_encryption.c +++ b/boot/boot_serial/src/boot_serial_encryption.c @@ -22,7 +22,11 @@ BOOT_LOG_MODULE_DECLARE(serial_encryption); fih_ret boot_image_validate_encrypted(const struct flash_area *fa_p, struct image_header *hdr, uint8_t *buf, - uint16_t buf_size) + uint16_t buf_size +#ifdef MCUBOOT_SWAP_USING_OFFSET + , uint32_t start_off +#endif + ) { FIH_DECLARE(fih_rc, FIH_FAILURE); @@ -30,13 +34,15 @@ boot_image_validate_encrypted(const struct flash_area *fa_p, struct boot_loader_state *state = &boot_data; struct boot_status _bs; struct boot_status *bs = &_bs; - uint8_t image_index; int rc; memset(&boot_data, 0, sizeof(struct boot_loader_state)); - image_index = BOOT_CURR_IMG(state); if(IS_ENCRYPTED(hdr)) { - rc = boot_enc_load(BOOT_CURR_ENC(state), 1, hdr, fa_p, bs); +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = boot_enc_load(state, 1, hdr, fa_p, bs, start_off); +#else + rc = boot_enc_load(state, 1, hdr, fa_p, bs); +#endif if (rc < 0) { FIH_RET(fih_rc); } @@ -45,8 +51,14 @@ boot_image_validate_encrypted(const struct flash_area *fa_p, FIH_RET(fih_rc); } } - FIH_CALL(bootutil_img_validate, fih_rc, BOOT_CURR_ENC(state), image_index, + +#ifdef MCUBOOT_SWAP_USING_OFFSET + FIH_CALL(bootutil_img_validate, fih_rc, state, + hdr, fa_p, buf, buf_size, NULL, 0, NULL, start_off); +#else + FIH_CALL(bootutil_img_validate, fih_rc, state, hdr, fa_p, buf, buf_size, NULL, 0, NULL); +#endif FIH_RET(fih_rc); } @@ -226,7 +238,6 @@ decrypt_image_inplace(const struct flash_area *fa_p, /* Get size from last sector to know page/sector erase size */ rc = flash_area_get_sector(fa_p, boot_status_off(fa_p), §or); - if(IS_ENCRYPTED(hdr)) { #if 0 //Skip this step?, the image will just not boot if it's not decrypted properly static uint8_t tmpbuf[BOOT_TMPBUF_SZ]; @@ -238,7 +249,11 @@ decrypt_image_inplace(const struct flash_area *fa_p, #endif memset(&boot_data, 0, sizeof(struct boot_loader_state)); /* Load the encryption keys into cache */ - rc = boot_enc_load(BOOT_CURR_ENC(state), 0, hdr, fa_p, bs); +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = boot_enc_load(state, 0, hdr, fa_p, bs, 0); +#else + rc = boot_enc_load(state, 0, hdr, fa_p, bs); +#endif if (rc < 0) { FIH_RET(fih_rc); } diff --git a/boot/bootutil/include/bootutil/boot_hooks.h b/boot/bootutil/include/bootutil/boot_hooks.h index 6d4a34e87..ef7a89b28 100644 --- a/boot/bootutil/include/bootutil/boot_hooks.h +++ b/boot/bootutil/include/bootutil/boot_hooks.h @@ -34,25 +34,65 @@ #ifndef H_BOOTUTIL_HOOKS #define H_BOOTUTIL_HOOKS -#ifdef MCUBOOT_IMAGE_ACCESS_HOOKS +#include "bootutil/bootutil.h" +#include "bootutil/fault_injection_hardening.h" -#define BOOT_HOOK_CALL(f, ret_default, ...) f(__VA_ARGS__) +#define DO_HOOK_CALL(f, ret_default, ...) \ + f(__VA_ARGS__) -#define BOOT_HOOK_CALL_FIH(f, fih_ret_default, fih_rc, ...) \ +#define DO_HOOK_CALL_FIH(f, fih_ret_default, fih_rc, ...) \ do { \ FIH_CALL(f, fih_rc, __VA_ARGS__); \ } while(0); -#else - -#define BOOT_HOOK_CALL(f, ret_default, ...) ret_default +#define HOOK_CALL_NOP(f, ret_default, ...) ret_default -#define BOOT_HOOK_CALL_FIH(f, fih_ret_default, fih_rc, ...) \ +#define HOOK_CALL_FIH_NOP(f, fih_ret_default, fih_rc, ...) \ do { \ fih_rc = fih_ret_default; \ } while(0); -#endif +#ifdef MCUBOOT_IMAGE_ACCESS_HOOKS + +#define BOOT_HOOK_CALL(f, ret_default, ...) \ + DO_HOOK_CALL(f, ret_default, __VA_ARGS__) + +#define BOOT_HOOK_CALL_FIH(f, fih_ret_default, fih_rc, ...) \ + DO_HOOK_CALL_FIH(f, fih_ret_default, fih_rc, __VA_ARGS__) + +#else + +#define BOOT_HOOK_CALL(f, ret_default, ...) \ + HOOK_CALL_NOP(f, ret_default, __VA_ARGS__) + +#define BOOT_HOOK_CALL_FIH(f, fih_ret_default, fih_rc, ...) \ + HOOK_CALL_FIH_NOP(f, fih_ret_default, fih_rc, __VA_ARGS__) + +#endif /* MCUBOOT_IMAGE_ACCESS_HOOKS */ + +#ifdef MCUBOOT_BOOT_GO_HOOKS + +#define BOOT_HOOK_GO_CALL_FIH(f, fih_ret_default, fih_rc, ...) \ + DO_HOOK_CALL_FIH(f, fih_ret_default, fih_rc, __VA_ARGS__); + +#else + +#define BOOT_HOOK_GO_CALL_FIH(f, fih_ret_default, fih_rc, ...) \ + HOOK_CALL_FIH_NOP(f, fih_ret_default, fih_rc, __VA_ARGS__) + +#endif /* MCUBOOT_BOOT_GO_HOOKS */ + +#ifdef MCUBOOT_FLASH_AREA_HOOKS + +#define BOOT_HOOK_FLASH_AREA_CALL(f, ret_default, ...) \ + DO_HOOK_CALL(f, ret_default, __VA_ARGS__) + +#else + +#define BOOT_HOOK_FLASH_AREA_CALL(f, ret_default, ...) \ + HOOK_CALL_NOP(f, ret_default, __VA_ARGS__) + +#endif /* MCUBOOT_FLASH_AREA_ID_HOOKS */ /** Hook for provide image header data. * @@ -173,6 +213,48 @@ int boot_img_install_stat_hook(int image_index, int slot, */ int boot_reset_request_hook(bool force); +/** + * Hook to implement custom action before boot_go() function. + * + * @param rsp boot response structure. + * + * @retval FIH_SUCCESS: boot_go() should be skipped, boot response is already + * filled. + * FIH_FAILURE: boot_go() should be skipped, boot response is already + * filled with error. + * FIH_BOOT_HOOK_REGULAR: follow the normal execution path. + */ +fih_ret boot_go_hook(struct boot_rsp *rsp); + +/** + * Hook to implement custom action before retrieving flash area ID. + * + * @param image_index the index of the image pair + * @param slot slot number + * @param area_id the flash area ID to be populated + * + * @retval 0 the flash area ID was fetched successfully; + * BOOT_HOOK_REGULAR follow the normal execution path to get the flash + * area ID; + * otherwise an error-code value. + */ +int flash_area_id_from_multi_image_slot_hook(int image_index, int slot, + int *area_id); + +/** + * Hook to implement custom action before retrieving flash area device ID. + * + * @param fa the flash area structure + * @param device_id the device ID to be populated + * + * @retval 0 the device ID was fetched successfully; + * BOOT_HOOK_REGULAR follow the normal execution path to get the device + * ID; + * otherwise an error-code value. + */ +int flash_area_get_device_id_hook(const struct flash_area *fa, + uint8_t *device_id); + #define BOOT_RESET_REQUEST_HOOK_BUSY 1 #define BOOT_RESET_REQUEST_HOOK_TIMEOUT 2 #define BOOT_RESET_REQUEST_HOOK_CHECK_FAILED 3 diff --git a/boot/bootutil/include/bootutil/boot_status.h b/boot/bootutil/include/bootutil/boot_status.h index fddcc4bc2..91f266bc7 100644 --- a/boot/bootutil/include/bootutil/boot_status.h +++ b/boot/bootutil/include/bootutil/boot_status.h @@ -130,6 +130,7 @@ enum mcuboot_mode { MCUBOOT_MODE_RAM_LOAD, MCUBOOT_MODE_FIRMWARE_LOADER, MCUBOOT_MODE_SINGLE_SLOT_RAM_LOAD, + MCUBOOT_MODE_SWAP_USING_OFFSET, }; enum mcuboot_signature_type { diff --git a/boot/bootutil/include/bootutil/bootutil.h b/boot/bootutil/include/bootutil/bootutil.h index 070adaf43..babb62fdc 100644 --- a/boot/bootutil/include/bootutil/bootutil.h +++ b/boot/bootutil/include/bootutil/bootutil.h @@ -86,10 +86,12 @@ struct image_max_size { fih_ret boot_go(struct boot_rsp *rsp); fih_ret boot_go_for_image_id(struct boot_rsp *rsp, uint32_t image_id); -struct boot_loader_state; void boot_state_clear(struct boot_loader_state *state); fih_ret context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp); +struct boot_loader_state *boot_get_loader_state(void); const struct image_max_size *boot_get_max_app_size(void); +uint32_t boot_get_state_secondary_offset(struct boot_loader_state *state, + const struct flash_area *fap); #define SPLIT_GO_OK (0) #define SPLIT_GO_NON_MATCHING (-1) diff --git a/boot/bootutil/include/bootutil/bootutil_public.h b/boot/bootutil/include/bootutil/bootutil_public.h index b2d5a5de8..bbfb729a3 100644 --- a/boot/bootutil/include/bootutil/bootutil_public.h +++ b/boot/bootutil/include/bootutil/bootutil_public.h @@ -85,7 +85,7 @@ extern "C" { #ifdef MCUBOOT_BOOT_MAX_ALIGN -#if defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_SCRATCH) +#if defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_OFFSET) _Static_assert(MCUBOOT_BOOT_MAX_ALIGN >= 8 && MCUBOOT_BOOT_MAX_ALIGN <= 32, "Unsupported value for MCUBOOT_BOOT_MAX_ALIGN for SWAP upgrade modes"); #endif @@ -145,6 +145,8 @@ _Static_assert(MCUBOOT_BOOT_MAX_ALIGN >= 8 && MCUBOOT_BOOT_MAX_ALIGN <= 32, #endif #endif +struct boot_loader_state; + struct boot_swap_state { uint8_t magic; /* One of the BOOT_MAGIC_[...] values. */ uint8_t swap_type; /* One of the BOOT_SWAP_TYPE_[...] values. */ @@ -309,6 +311,41 @@ int boot_image_load_header(const struct flash_area *fa_p, struct image_header *hdr); +#ifdef MCUBOOT_RAM_LOAD +/** + * Loads image with given header to RAM. + * + * Destination on RAM and size is described on image header. + * + * @param[in] state boot loader state + * @param[in] hdr image header + * + * @return 0 on success, error code otherwise + */ +int boot_load_image_from_flash_to_sram(struct boot_loader_state *state, + struct image_header *hdr); + +/** + * Removes an image from SRAM, by overwriting it with zeros. + * + * @param state Boot loader status information. + * + * @return 0 on success; nonzero on failure. + */ +int boot_remove_image_from_sram(struct boot_loader_state *state); + +/** + * Removes an image from flash by erasing the corresponding flash area + * + * @param state Boot loader status information. + * @param slot The flash slot of the image to be erased. + * + * @return 0 on success; nonzero on failure. + */ +int boot_remove_image_from_flash(struct boot_loader_state *state, + uint32_t slot); +#endif + #ifdef __cplusplus } #endif diff --git a/boot/bootutil/include/bootutil/caps.h b/boot/bootutil/include/bootutil/caps.h index f4ff37334..3227f7e49 100644 --- a/boot/bootutil/include/bootutil/caps.h +++ b/boot/bootutil/include/bootutil/caps.h @@ -53,6 +53,7 @@ uint32_t bootutil_get_caps(void); #define BOOTUTIL_CAP_DIRECT_XIP (1<<17) #define BOOTUTIL_CAP_HW_ROLLBACK_PROT (1<<18) #define BOOTUTIL_CAP_ECDSA_P384 (1<<19) +#define BOOTUTIL_CAP_SWAP_USING_OFFSET (1<<20) /* * Query the number of images this bootloader is configured for. This diff --git a/boot/bootutil/include/bootutil/enc_key.h b/boot/bootutil/include/bootutil/enc_key.h index 4ff2432cd..9240d699d 100644 --- a/boot/bootutil/include/bootutil/enc_key.h +++ b/boot/bootutil/include/bootutil/enc_key.h @@ -58,6 +58,7 @@ struct enc_key_data { int boot_enc_retrieve_private_key(struct bootutil_key **private_key); struct boot_status; +struct boot_loader_state; /* Decrypt random, symmetric encryption key */ int boot_decrypt_key(const uint8_t *buf, uint8_t *enckey); @@ -65,10 +66,14 @@ int boot_decrypt_key(const uint8_t *buf, uint8_t *enckey); int boot_enc_init(struct enc_key_data *enc_state, uint8_t slot); int boot_enc_drop(struct enc_key_data *enc_state, uint8_t slot); int boot_enc_set_key(struct enc_key_data *enc_state, uint8_t slot, - const struct boot_status *bs); -int boot_enc_load(struct enc_key_data *enc_state, int slot, - const struct image_header *hdr, const struct flash_area *fap, - struct boot_status *bs); + const struct boot_status *bs); +int boot_enc_load(struct boot_loader_state *state, int slot, + const struct image_header *hdr, const struct flash_area *fap, + struct boot_status *bs +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + , uint32_t start_off +#endif + ); bool boot_enc_valid(struct enc_key_data *enc_state, int slot); void boot_enc_encrypt(struct enc_key_data *enc_state, int slot, uint32_t off, uint32_t sz, uint32_t blk_off, uint8_t *buf); diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h index 92adc605b..f5431b187 100644 --- a/boot/bootutil/include/bootutil/image.h +++ b/boot/bootutil/include/bootutil/image.h @@ -36,8 +36,10 @@ extern "C" { #endif -#ifndef __packed -#define __packed __attribute__((__packed__)) +#if defined(__IAR_SYSTEMS_ICC__) + #define STRUCT_PACKED __packed struct +#else + #define STRUCT_PACKED struct __attribute__((__packed__)) #endif struct flash_area; @@ -137,12 +139,12 @@ struct flash_area; */ #define IMAGE_TLV_ANY 0xffff /* Used to iterate over all TLV */ -struct image_version { +STRUCT_PACKED image_version { uint8_t iv_major; uint8_t iv_minor; uint16_t iv_revision; uint32_t iv_build_num; -} __packed; +}; struct image_dependency { uint8_t image_id; /* Image index (from 0) */ @@ -155,7 +157,7 @@ struct image_dependency { }; /** Image header. All fields are in little endian byte order. */ -struct image_header { +STRUCT_PACKED image_header { uint32_t ih_magic; uint32_t ih_load_addr; uint16_t ih_hdr_size; /* Size of image header (bytes). */ @@ -164,19 +166,19 @@ struct image_header { uint32_t ih_flags; /* IMAGE_F_[...]. */ struct image_version ih_ver; uint32_t _pad1; -} __packed; +}; /** Image TLV header. All fields in little endian. */ -struct image_tlv_info { +STRUCT_PACKED image_tlv_info { uint16_t it_magic; uint16_t it_tlv_tot; /* size of TLV area (including tlv_info header) */ -} __packed; +}; /** Image trailer TLV format. All fields in little endian. */ -struct image_tlv { +STRUCT_PACKED image_tlv { uint16_t it_type; /* IMAGE_TLV_[...]. */ uint16_t it_len; /* Data length (not including TLV header). */ -} __packed; +}; #define ENCRYPTIONFLAGS (IMAGE_F_ENCRYPTED_AES128 | IMAGE_F_ENCRYPTED_AES256) #define IS_ENCRYPTED(hdr) (((hdr)->ih_flags & IMAGE_F_ENCRYPTED_AES128) \ @@ -194,11 +196,16 @@ _Static_assert(sizeof(struct image_header) == IMAGE_HEADER_SIZE, "struct image_header not required size"); struct enc_key_data; -fih_ret bootutil_img_validate(struct enc_key_data *enc_state, int image_index, +struct boot_loader_state; +fih_ret bootutil_img_validate(struct boot_loader_state *state, struct image_header *hdr, const struct flash_area *fap, uint8_t *tmp_buf, uint32_t tmp_buf_sz, - uint8_t *seed, int seed_len, uint8_t *out_hash); + uint8_t *seed, int seed_len, uint8_t *out_hash +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + , uint32_t start_off +#endif +); struct image_tlv_iter { const struct image_header *hdr; @@ -208,6 +215,9 @@ struct image_tlv_iter { uint32_t prot_end; uint32_t tlv_off; uint32_t tlv_end; +#if defined(MCUBOOT_SWAP_USING_OFFSET) + uint32_t start_off; +#endif }; int bootutil_tlv_iter_begin(struct image_tlv_iter *it, @@ -218,9 +228,9 @@ int bootutil_tlv_iter_next(struct image_tlv_iter *it, uint32_t *off, uint16_t *len, uint16_t *type); int bootutil_tlv_iter_is_prot(struct image_tlv_iter *it, uint32_t off); -int32_t bootutil_get_img_security_cnt(struct image_header *hdr, +int32_t bootutil_get_img_security_cnt(struct boot_loader_state *state, int slot, const struct flash_area *fap, - uint32_t *security_cnt); + uint32_t *img_security_cnt); #ifdef __cplusplus } diff --git a/boot/bootutil/src/boot_record.c b/boot/bootutil/src/boot_record.c index d6c235af9..3ab704ef2 100644 --- a/boot/bootutil/src/boot_record.c +++ b/boot/bootutil/src/boot_record.c @@ -143,6 +143,9 @@ boot_save_boot_status(uint8_t sw_module, /* Manifest data is concatenated to the end of the image. * It is encoded in TLV format. */ +#if defined(MCUBOOT_SWAP_USING_OFFSET) + it.start_off = 0; +#endif rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false); if (rc) { @@ -249,6 +252,8 @@ int boot_save_shared_data(const struct image_header *hdr, const struct flash_are uint8_t mode = MCUBOOT_MODE_UPGRADE_ONLY; #elif defined(MCUBOOT_SWAP_USING_MOVE) uint8_t mode = MCUBOOT_MODE_SWAP_USING_MOVE; +#elif defined(MCUBOOT_SWAP_USING_OFFSET) + uint8_t mode = MCUBOOT_MODE_SWAP_USING_OFFSET; #elif defined(MCUBOOT_DIRECT_XIP) #if defined(MCUBOOT_DIRECT_XIP_REVERT) uint8_t mode = MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT; diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c index ac50eaa52..c459059a9 100644 --- a/boot/bootutil/src/bootutil_misc.c +++ b/boot/bootutil/src/bootutil_misc.c @@ -210,16 +210,17 @@ boot_enc_key_off(const struct flash_area *fap, uint8_t slot) * If the magic is successfully found, a flash_area * is returned and it * is the responsibility of the called to close it. * - * @returns 0 on success, -1 on errors + * @returns flash_area pointer on success, NULL on failure. */ -int -boot_find_status(int image_index, const struct flash_area **fap) +const struct flash_area * +boot_find_status(const struct boot_loader_state *state, int image_index) { - uint8_t areas[] = { + const struct flash_area *fa_p = NULL; + const struct flash_area *areas[] = { #if MCUBOOT_SWAP_USING_SCRATCH - FLASH_AREA_IMAGE_SCRATCH, + state->scratch.area, #endif - FLASH_AREA_IMAGE_PRIMARY(image_index), + state->imgs[image_index][BOOT_PRIMARY_SLOT].area, }; unsigned int i; @@ -230,29 +231,26 @@ boot_find_status(int image_index, const struct flash_area **fap) * is assumed that if magic is valid then other metadata is too, * because magic is always written in the last step. */ - for (i = 0; i < sizeof(areas) / sizeof(areas[0]); i++) { uint8_t magic[BOOT_MAGIC_SZ]; + int rc = 0; - if (flash_area_open(areas[i], fap)) { - break; - } + fa_p = areas[i]; + rc = flash_area_read(fa_p, boot_magic_off(fa_p), magic, BOOT_MAGIC_SZ); - if (flash_area_read(*fap, boot_magic_off(*fap), magic, BOOT_MAGIC_SZ)) { - flash_area_close(*fap); + if (rc != 0) { + BOOT_LOG_ERR("Failed to read status from %d, err %d\n", + flash_area_get_id(fa_p), rc); + fa_p = NULL; break; } if (BOOT_MAGIC_GOOD == boot_magic_decode(magic)) { - return 0; + break; } - - flash_area_close(*fap); } - /* If we got here, no magic was found */ - fap = NULL; - return -1; + return fa_p; } int @@ -336,12 +334,87 @@ boot_write_enc_key(const struct flash_area *fap, uint8_t slot, } #endif -uint32_t bootutil_max_image_size(const struct flash_area *fap) +#ifdef MCUBOOT_SWAP_USING_SCRATCH +size_t +boot_get_first_trailer_sector(struct boot_loader_state *state, size_t slot, size_t trailer_sz) { -#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SINGLE_APPLICATION_SLOT) || \ - defined(MCUBOOT_FIRMWARE_LOADER) || defined(MCUBOOT_SINGLE_APPLICATION_SLOT_RAM_LOAD) + size_t first_trailer_sector = boot_img_num_sectors(state, slot) - 1; + size_t sector_sz = boot_img_sector_size(state, slot, first_trailer_sector); + size_t trailer_sector_sz = sector_sz; + + while (trailer_sector_sz < trailer_sz) { + /* Consider that the image trailer may span across sectors of different sizes */ + --first_trailer_sector; + sector_sz = boot_img_sector_size(state, slot, first_trailer_sector); + + trailer_sector_sz += sector_sz; + } + + return first_trailer_sector; +} + +/** + * Returns the offset to the end of the first sector of a given slot that holds image trailer data. + * + * @param state Current bootloader's state. + * @param slot The index of the slot to consider. + * @param trailer_sz The size of the trailer, in bytes. + * + * @return The offset to the end of the first sector of the slot that holds image trailer data. + */ +static uint32_t +get_first_trailer_sector_end_off(struct boot_loader_state *state, size_t slot, size_t trailer_sz) +{ + size_t first_trailer_sector = boot_get_first_trailer_sector(state, slot, trailer_sz); + + return boot_img_sector_off(state, slot, first_trailer_sector) + + boot_img_sector_size(state, slot, first_trailer_sector); +} +#endif /* MCUBOOT_SWAP_USING_SCRATCH */ + +uint32_t bootutil_max_image_size(struct boot_loader_state *state, const struct flash_area *fap) +{ +#if defined(MCUBOOT_SINGLE_APPLICATION_SLOT) || \ + defined(MCUBOOT_FIRMWARE_LOADER) || \ + defined(MCUBOOT_SINGLE_APPLICATION_SLOT_RAM_LOAD) + (void) state; return boot_status_off(fap); -#elif defined(MCUBOOT_SWAP_USING_MOVE) +#elif defined(MCUBOOT_SWAP_USING_SCRATCH) + size_t slot_trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state)); + size_t slot_trailer_off = flash_area_get_size(fap) - slot_trailer_sz; + + /* If the trailer doesn't fit in the last sector of the primary or secondary slot, some padding + * might have to be inserted between the end of the firmware image and the beginning of the + * trailer to ensure there is enough space for the trailer in the scratch area when the last + * sector of the secondary will be copied to the scratch area. + * + * The value of the padding depends on the amount of trailer data that is contained in the first + * trailer containing part of the trailer in the primary and secondary slot. + */ + size_t trailer_sector_primary_end_off = + get_first_trailer_sector_end_off(state, BOOT_PRIMARY_SLOT, slot_trailer_sz); + size_t trailer_sector_secondary_end_off = + get_first_trailer_sector_end_off(state, BOOT_SECONDARY_SLOT, slot_trailer_sz); + + size_t trailer_sz_in_first_sector; + + if (trailer_sector_primary_end_off > trailer_sector_secondary_end_off) { + trailer_sz_in_first_sector = trailer_sector_primary_end_off - slot_trailer_off; + } else { + trailer_sz_in_first_sector = trailer_sector_secondary_end_off - slot_trailer_off; + } + + size_t trailer_padding = 0; + size_t scratch_trailer_sz = boot_scratch_trailer_sz(BOOT_WRITE_SZ(state)); + + if (scratch_trailer_sz > trailer_sz_in_first_sector) { + trailer_padding = scratch_trailer_sz - trailer_sz_in_first_sector; + } + + return slot_trailer_off - trailer_padding; +#elif defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) + (void) state; + struct flash_sector sector; /* get the last sector offset */ int rc = flash_area_get_sector(fap, boot_status_off(fap), §or); @@ -353,10 +426,13 @@ uint32_t bootutil_max_image_size(const struct flash_area *fap) } return flash_sector_get_off(§or); #elif defined(MCUBOOT_OVERWRITE_ONLY) + (void) state; return boot_swap_info_off(fap); #elif defined(MCUBOOT_DIRECT_XIP) + (void) state; return boot_swap_info_off(fap); #elif defined(MCUBOOT_RAM_LOAD) + (void) state; return boot_swap_info_off(fap); #endif } @@ -366,6 +442,7 @@ uint32_t bootutil_max_image_size(const struct flash_area *fap) * the TLVs. */ #if !defined(MCUBOOT_DIRECT_XIP) && \ + !defined(MCUBOOT_SWAP_USING_OFFSET) && \ (!defined(MCUBOOT_OVERWRITE_ONLY) || \ defined(MCUBOOT_OVERWRITE_ONLY_FAST)) int diff --git a/boot/bootutil/src/bootutil_priv.h b/boot/bootutil/src/bootutil_priv.h index 5703f627a..b8be9122e 100644 --- a/boot/bootutil/src/bootutil_priv.h +++ b/boot/bootutil/src/bootutil_priv.h @@ -58,11 +58,12 @@ struct flash_area; #if (defined(MCUBOOT_OVERWRITE_ONLY) + \ defined(MCUBOOT_SWAP_USING_MOVE) + \ + defined(MCUBOOT_SWAP_USING_OFFSET) + \ defined(MCUBOOT_DIRECT_XIP) + \ defined(MCUBOOT_RAM_LOAD) + \ defined(MCUBOOT_FIRMWARE_LOADER) + \ defined(MCUBOOT_SWAP_USING_SCRATCH)) > 1 -#error "Please enable only one of MCUBOOT_OVERWRITE_ONLY, MCUBOOT_SWAP_USING_MOVE, MCUBOOT_DIRECT_XIP, MCUBOOT_RAM_LOAD or MCUBOOT_FIRMWARE_LOADER" +#error "Please enable only one of MCUBOOT_OVERWRITE_ONLY, MCUBOOT_SWAP_USING_MOVE, MCUBOOT_SWAP_USING_OFFSET, MCUBOOT_DIRECT_XIP, MCUBOOT_RAM_LOAD or MCUBOOT_FIRMWARE_LOADER" #endif #if !defined(MCUBOOT_DIRECT_XIP) && \ @@ -72,6 +73,7 @@ struct flash_area; #if !defined(MCUBOOT_OVERWRITE_ONLY) && \ !defined(MCUBOOT_SWAP_USING_MOVE) && \ + !defined(MCUBOOT_SWAP_USING_OFFSET) && \ !defined(MCUBOOT_DIRECT_XIP) && \ !defined(MCUBOOT_RAM_LOAD) && \ !defined(MCUBOOT_SINGLE_APPLICATION_SLOT) && \ @@ -79,8 +81,12 @@ struct flash_area; #define MCUBOOT_SWAP_USING_SCRATCH 1 #endif +#if defined(MCUBOOT_SWAP_USING_OFFSET) +#define BOOT_STATUS_OP_SWAP 1 +#else #define BOOT_STATUS_OP_MOVE 1 #define BOOT_STATUS_OP_SWAP 2 +#endif /* * Maintain state of copy progress. @@ -196,6 +202,9 @@ _Static_assert(sizeof(boot_img_magic) == BOOT_MAGIC_SZ, "Invalid size for image #define BOOT_STATUS_MOVE_STATE_COUNT 1 #define BOOT_STATUS_SWAP_STATE_COUNT 2 #define BOOT_STATUS_STATE_COUNT (BOOT_STATUS_MOVE_STATE_COUNT + BOOT_STATUS_SWAP_STATE_COUNT) +#elif MCUBOOT_SWAP_USING_OFFSET +#define BOOT_STATUS_SWAP_STATE_COUNT 2 +#define BOOT_STATUS_STATE_COUNT BOOT_STATUS_SWAP_STATE_COUNT #else #define BOOT_STATUS_STATE_COUNT 3 #endif @@ -241,6 +250,13 @@ struct boot_loader_state { uint8_t swap_type[BOOT_IMAGE_NUMBER]; uint32_t write_sz; +#if defined(MCUBOOT_SWAP_USING_OFFSET) + uint32_t secondary_offset[BOOT_IMAGE_NUMBER]; +#if defined(MCUBOOT_BOOTSTRAP) + bool bootstrap_secondary_offset_set[BOOT_IMAGE_NUMBER]; +#endif +#endif + #if defined(MCUBOOT_ENC_IMAGES) struct enc_key_data enc[BOOT_IMAGE_NUMBER][BOOT_NUM_SLOTS]; #endif @@ -281,7 +297,8 @@ fih_ret bootutil_verify_img(uint8_t *img, uint32_t size, fih_ret boot_fih_memequal(const void *s1, const void *s2, size_t n); -int boot_find_status(int image_index, const struct flash_area **fap); +const struct flash_area *boot_find_status(const struct boot_loader_state *state, + int image_index); int boot_magic_compatible_check(uint8_t tbl_val, uint8_t val); uint32_t boot_status_sz(uint32_t min_write_sz); uint32_t boot_trailer_sz(uint32_t min_write_sz); @@ -289,8 +306,6 @@ int boot_status_entries(int image_index, const struct flash_area *fap); uint32_t boot_status_off(const struct flash_area *fap); int boot_read_swap_state(const struct flash_area *fap, struct boot_swap_state *state); -int boot_read_swap_state_by_id(int flash_area_id, - struct boot_swap_state *state); int boot_write_magic(const struct flash_area *fap); int boot_write_status(const struct boot_loader_state *state, struct boot_status *bs); int boot_write_copy_done(const struct flash_area *fap); @@ -307,10 +322,17 @@ int boot_slots_compatible(struct boot_loader_state *state); uint32_t boot_status_internal_off(const struct boot_status *bs, int elem_sz); int boot_read_image_header(struct boot_loader_state *state, int slot, struct image_header *out_hdr, struct boot_status *bs); +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_ENC_IMAGES) +int boot_copy_region(struct boot_loader_state *state, + const struct flash_area *fap_src, + const struct flash_area *fap_dst, + uint32_t off_src, uint32_t off_dst, uint32_t sz, uint32_t sector_off); +#else int boot_copy_region(struct boot_loader_state *state, const struct flash_area *fap_src, const struct flash_area *fap_dst, uint32_t off_src, uint32_t off_dst, uint32_t sz); +#endif int boot_erase_region(const struct flash_area *fap, uint32_t off, uint32_t sz); bool boot_status_is_reset(const struct boot_status *bs); @@ -321,6 +343,20 @@ int boot_read_enc_key(const struct flash_area *fap, uint8_t slot, struct boot_status *bs); #endif +#ifdef MCUBOOT_SWAP_USING_SCRATCH +/** + * Finds the first sector of a given slot that holds image trailer data. + * + * @param state Current bootloader's state. + * @param slot The index of the slot to consider. + * @param trailer_sz The size of the trailer, in bytes. + * + * @return The index of the first sector of the slot that holds image trailer data. + */ +size_t +boot_get_first_trailer_sector(struct boot_loader_state *state, size_t slot, size_t trailer_sz); +#endif + /** * Checks that a buffer is erased according to what the erase value for the * flash device provided in `flash_area` is. @@ -410,7 +446,7 @@ boot_img_num_sectors(const struct boot_loader_state *state, size_t slot) static inline uint32_t boot_img_slot_off(struct boot_loader_state *state, size_t slot) { - return flash_area_get_off(BOOT_IMG(state, slot).area); + return flash_area_get_off(BOOT_IMG_AREA(state, slot)); } #ifndef MCUBOOT_USE_FLASH_AREA_GET_SECTORS @@ -480,9 +516,6 @@ struct bootsim_ram_info *bootsim_get_ram_info(void); (size)), 0) int boot_load_image_to_sram(struct boot_loader_state *state); -int boot_remove_image_from_sram(struct boot_loader_state *state); -int boot_remove_image_from_flash(struct boot_loader_state *state, - uint32_t slot); #else #define IMAGE_RAM_BASE ((uintptr_t)0) @@ -491,7 +524,7 @@ int boot_remove_image_from_flash(struct boot_loader_state *state, #endif /* MCUBOOT_RAM_LOAD */ -uint32_t bootutil_max_image_size(const struct flash_area *fap); +uint32_t bootutil_max_image_size(struct boot_loader_state *state, const struct flash_area *fap); int boot_read_image_size(struct boot_loader_state *state, int slot, uint32_t *size); diff --git a/boot/bootutil/src/bootutil_public.c b/boot/bootutil/src/bootutil_public.c index ee3e50619..102118864 100644 --- a/boot/bootutil/src/bootutil_public.c +++ b/boot/bootutil/src/bootutil_public.c @@ -4,7 +4,7 @@ * Copyright (c) 2017-2019 Linaro LTD * Copyright (c) 2016-2019 JUUL Labs * Copyright (c) 2019-2023 Arm Limited - * Copyright (c) 2020-2023 Nordic Semiconductor ASA + * Copyright (c) 2020-2025 Nordic Semiconductor ASA * * Original license: * @@ -84,6 +84,9 @@ struct boot_swap_table { uint8_t image_ok_primary_slot; uint8_t image_ok_secondary_slot; uint8_t copy_done_primary_slot; +#if defined(MCUBOOT_SWAP_USING_OFFSET) + uint8_t copy_done_secondary_slot; +#endif uint8_t swap_type; }; @@ -100,12 +103,26 @@ struct boot_swap_table { * the bootloader, as in starting/finishing a swap operation. */ static const struct boot_swap_table boot_swap_tables[] = { +#if defined(MCUBOOT_SWAP_USING_OFFSET) + { + .magic_primary_slot = BOOT_MAGIC_ANY, + .magic_secondary_slot = BOOT_MAGIC_GOOD, + .image_ok_primary_slot = BOOT_FLAG_ANY, + .image_ok_secondary_slot = BOOT_FLAG_UNSET, + .copy_done_primary_slot = BOOT_FLAG_ANY, + .copy_done_secondary_slot = BOOT_FLAG_SET, + .swap_type = BOOT_SWAP_TYPE_REVERT, + }, +#endif { .magic_primary_slot = BOOT_MAGIC_ANY, .magic_secondary_slot = BOOT_MAGIC_GOOD, .image_ok_primary_slot = BOOT_FLAG_ANY, .image_ok_secondary_slot = BOOT_FLAG_UNSET, .copy_done_primary_slot = BOOT_FLAG_ANY, +#if defined(MCUBOOT_SWAP_USING_OFFSET) + .copy_done_secondary_slot = BOOT_FLAG_ANY, +#endif .swap_type = BOOT_SWAP_TYPE_TEST, }, { @@ -114,6 +131,9 @@ static const struct boot_swap_table boot_swap_tables[] = { .image_ok_primary_slot = BOOT_FLAG_ANY, .image_ok_secondary_slot = BOOT_FLAG_SET, .copy_done_primary_slot = BOOT_FLAG_ANY, +#if defined(MCUBOOT_SWAP_USING_OFFSET) + .copy_done_secondary_slot = BOOT_FLAG_ANY, +#endif .swap_type = BOOT_SWAP_TYPE_PERM, }, { @@ -122,6 +142,9 @@ static const struct boot_swap_table boot_swap_tables[] = { .image_ok_primary_slot = BOOT_FLAG_UNSET, .image_ok_secondary_slot = BOOT_FLAG_ANY, .copy_done_primary_slot = BOOT_FLAG_SET, +#if defined(MCUBOOT_SWAP_USING_OFFSET) + .copy_done_secondary_slot = BOOT_FLAG_ANY, +#endif .swap_type = BOOT_SWAP_TYPE_REVERT, }, }; @@ -439,7 +462,12 @@ boot_swap_type_multi(int image_index) (table->image_ok_secondary_slot == BOOT_FLAG_ANY || table->image_ok_secondary_slot == secondary_slot.image_ok) && (table->copy_done_primary_slot == BOOT_FLAG_ANY || - table->copy_done_primary_slot == primary_slot.copy_done)) { + table->copy_done_primary_slot == primary_slot.copy_done) +#if defined(MCUBOOT_SWAP_USING_OFFSET) + && (table->copy_done_secondary_slot == BOOT_FLAG_ANY || + table->copy_done_secondary_slot == secondary_slot.copy_done) +#endif + ) { BOOT_LOG_INF("Image index: %d, Swap type: %s", image_index, table->swap_type == BOOT_SWAP_TYPE_TEST ? "test" : table->swap_type == BOOT_SWAP_TYPE_PERM ? "perm" : diff --git a/boot/bootutil/src/caps.c b/boot/bootutil/src/caps.c index d7cd59042..f1cf63c15 100644 --- a/boot/bootutil/src/caps.c +++ b/boot/bootutil/src/caps.c @@ -45,6 +45,8 @@ uint32_t bootutil_get_caps(void) res |= BOOTUTIL_CAP_OVERWRITE_UPGRADE; #elif defined(MCUBOOT_SWAP_USING_MOVE) res |= BOOTUTIL_CAP_SWAP_USING_MOVE; +#elif defined(MCUBOOT_SWAP_USING_OFFSET) + res |= BOOTUTIL_CAP_SWAP_USING_OFFSET; #else res |= BOOTUTIL_CAP_SWAP_USING_SCRATCH; #endif diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c index 8c631d731..6b9e50a64 100644 --- a/boot/bootutil/src/encrypted.c +++ b/boot/bootutil/src/encrypted.c @@ -606,10 +606,15 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey) * Load encryption key. */ int -boot_enc_load(struct enc_key_data *enc_state, int slot, - const struct image_header *hdr, const struct flash_area *fap, - struct boot_status *bs) +boot_enc_load(struct boot_loader_state *state, int slot, + const struct image_header *hdr, const struct flash_area *fap, + struct boot_status *bs +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + , uint32_t start_off +#endif + ) { + struct enc_key_data *enc_state = BOOT_CURR_ENC(state); uint32_t off; uint16_t len; struct image_tlv_iter it; @@ -628,6 +633,14 @@ boot_enc_load(struct enc_key_data *enc_state, int slot, /* Initialize the AES context */ boot_enc_init(enc_state, slot); +#if defined(MCUBOOT_SWAP_USING_OFFSET) +#if defined(MCUBOOT_SERIAL_RECOVERY) + it.start_off = boot_get_state_secondary_offset(state, fap) + start_off; +#else + it.start_off = boot_get_state_secondary_offset(state, fap); +#endif +#endif + rc = bootutil_tlv_iter_begin(&it, hdr, fap, EXPECTED_ENC_TLV, false); if (rc) { return -1; diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index 6f1cbc568..bb7aec148 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -4,6 +4,7 @@ * Copyright (c) 2017-2019 Linaro LTD * Copyright (c) 2016-2019 JUUL Labs * Copyright (c) 2019-2024 Arm Limited + * Copyright (c) 2025 Nordic Semiconductor ASA * * Original license: * @@ -29,6 +30,7 @@ #include #include #include +#include #include @@ -72,10 +74,14 @@ BOOT_LOG_MODULE_DECLARE(mcuboot); * SHA256 otherwise). */ static int -bootutil_img_hash(struct enc_key_data *enc_state, int image_index, +bootutil_img_hash(struct boot_loader_state *state, struct image_header *hdr, const struct flash_area *fap, uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *hash_result, - uint8_t *seed, int seed_len) + uint8_t *seed, int seed_len +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + , uint32_t start_offset +#endif + ) { bootutil_sha_context sha_ctx; uint32_t size; @@ -87,11 +93,17 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, uint32_t off; uint32_t blk_sz; #endif +#if defined(MCUBOOT_ENC_IMAGES) + struct enc_key_data *enc_state; + int image_index; +#endif +#if defined(MCUBOOT_SWAP_USING_OFFSET) + uint32_t sector_off = 0; +#endif #if (BOOT_IMAGE_NUMBER == 1) || !defined(MCUBOOT_ENC_IMAGES) || \ defined(MCUBOOT_RAM_LOAD) - (void)enc_state; - (void)image_index; + (void)state; (void)hdr_size; (void)blk_off; (void)tlv_off; @@ -106,6 +118,14 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, #endif #ifdef MCUBOOT_ENC_IMAGES + if (state == NULL) { + enc_state = NULL; + image_index = 0; + } else { + enc_state = BOOT_CURR_ENC(state); + image_index = BOOT_CURR_IMG(state); + } + /* Encrypted images only exist in the secondary slot */ if (MUST_DECRYPT(fap, image_index, hdr) && !boot_enc_valid(enc_state, 1)) { @@ -113,6 +133,17 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, } #endif +#if defined(MCUBOOT_SWAP_USING_OFFSET) + /* For swap using offset mode, the image starts in the second sector of the upgrade slot, so + * apply the offset when this is needed + */ +#if defined(MCUBOOT_SERIAL_RECOVERY) + sector_off = boot_get_state_secondary_offset(state, fap) + start_offset; +#else + sector_off = boot_get_state_secondary_offset(state, fap); +#endif +#endif + bootutil_sha_init(&sha_ctx); /* in some cases (split image) the hash is seeded with data from @@ -158,7 +189,11 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, blk_sz = tlv_off - off; } #endif +#if defined(MCUBOOT_SWAP_USING_OFFSET) + rc = flash_area_read(fap, off + sector_off, tmp_buf, blk_sz); +#else rc = flash_area_read(fap, off, tmp_buf, blk_sz); +#endif if (rc) { bootutil_sha_drop(&sha_ctx); return rc; @@ -317,7 +352,8 @@ bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len) /** * Reads the value of an image's security counter. * - * @param hdr Pointer to the image header structure. + * @param state Pointer to the boot state object. + * @param slot Slot of the current image to get the security counter of. * @param fap Pointer to a description structure of the image's * flash area. * @param security_cnt Pointer to store the security counter value. @@ -325,7 +361,7 @@ bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len) * @return 0 on success; nonzero on failure. */ int32_t -bootutil_get_img_security_cnt(struct image_header *hdr, +bootutil_get_img_security_cnt(struct boot_loader_state *state, int slot, const struct flash_area *fap, uint32_t *img_security_cnt) { @@ -334,7 +370,8 @@ bootutil_get_img_security_cnt(struct image_header *hdr, uint16_t len; int32_t rc; - if ((hdr == NULL) || + if ((state == NULL) || + (boot_img_hdr(state, slot) == NULL) || (fap == NULL) || (img_security_cnt == NULL)) { /* Invalid parameter. */ @@ -342,11 +379,15 @@ bootutil_get_img_security_cnt(struct image_header *hdr, } /* The security counter TLV is in the protected part of the TLV area. */ - if (hdr->ih_protect_tlv_size == 0) { + if (boot_img_hdr(state, slot)->ih_protect_tlv_size == 0) { return BOOT_EBADIMAGE; } - rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_SEC_CNT, true); +#if defined(MCUBOOT_SWAP_USING_OFFSET) + it.start_off = boot_get_state_secondary_offset(state, fap); +#endif + + rc = bootutil_tlv_iter_begin(&it, boot_img_hdr(state, slot), fap, IMAGE_TLV_SEC_CNT, true); if (rc) { return rc; } @@ -366,7 +407,7 @@ bootutil_get_img_security_cnt(struct image_header *hdr, return BOOT_EBADIMAGE; } - rc = LOAD_IMAGE_DATA(hdr, fap, off, img_security_cnt, len); + rc = LOAD_IMAGE_DATA(boot_img_hdr(state, slot), fap, off, img_security_cnt, len); if (rc != 0) { return BOOT_EFLASH; } @@ -445,11 +486,18 @@ static const uint16_t allowed_unprot_tlvs[] = { * Return non-zero if image could not be validated/does not validate. */ fih_ret -bootutil_img_validate(struct enc_key_data *enc_state, int image_index, +bootutil_img_validate(struct boot_loader_state *state, struct image_header *hdr, const struct flash_area *fap, uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *seed, - int seed_len, uint8_t *out_hash) + int seed_len, uint8_t *out_hash +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + , uint32_t start_offset +#endif + ) { +#if (defined(EXPECTED_KEY_TLV) && defined(MCUBOOT_HW_KEY)) || defined(MCUBOOT_HW_ROLLBACK_PROT) || defined(MCUBOOT_DECOMPRESS_IMAGES) + int image_index = (state == NULL ? 0 : BOOT_CURR_IMG(state)); +#endif uint32_t off; uint16_t len; uint16_t type; @@ -493,7 +541,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, goto out; } - if (it.tlv_end > bootutil_max_image_size(fap)) { + if (it.tlv_end > bootutil_max_image_size(state, fap)) { rc = -1; goto out; } @@ -544,8 +592,12 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, #endif #if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) - rc = bootutil_img_hash(enc_state, image_index, hdr, fap, tmp_buf, - tmp_buf_sz, hash, seed, seed_len); +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + rc = bootutil_img_hash(state, hdr, fap, tmp_buf, tmp_buf_sz, hash, seed, seed_len, + start_offset); +#else + rc = bootutil_img_hash(state, hdr, fap, tmp_buf, tmp_buf_sz, hash, seed, seed_len); +#endif if (rc) { goto out; } @@ -563,12 +615,20 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, } #endif +#if defined(MCUBOOT_SWAP_USING_OFFSET) +#if defined(MCUBOOT_SERIAL_RECOVERY) + it.start_off = boot_get_state_secondary_offset(state, fap) + start_offset; +#else + it.start_off = boot_get_state_secondary_offset(state, fap); +#endif +#endif + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false); if (rc) { goto out; } - if (it.tlv_end > bootutil_max_image_size(fap)) { + if (it.tlv_end > bootutil_max_image_size(state, fap)) { rc = -1; goto out; } @@ -765,7 +825,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, image_hash_valid = 0; FIH_SET(valid_signature, FIH_FAILURE); - rc = bootutil_img_hash_decompress(enc_state, image_index, hdr, fap, tmp_buf, tmp_buf_sz, + rc = bootutil_img_hash_decompress(state, hdr, fap, tmp_buf, tmp_buf_sz, hash, seed, seed_len); if (rc) { goto out; @@ -776,7 +836,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, goto out; } - if (it.tlv_end > bootutil_max_image_size(fap)) { + if (it.tlv_end > bootutil_max_image_size(state, fap)) { rc = -1; goto out; } @@ -822,7 +882,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, goto out; } - if (it.tlv_end > bootutil_max_image_size(fap)) { + if (it.tlv_end > bootutil_max_image_size(state, fap)) { rc = -1; goto out; } @@ -869,7 +929,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, goto out; } - if (it.tlv_end > bootutil_max_image_size(fap)) { + if (it.tlv_end > bootutil_max_image_size(state, fap)) { rc = -1; goto out; } diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index f9a9de71d..ddfe3793b 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -4,7 +4,7 @@ * Copyright (c) 2016-2020 Linaro LTD * Copyright (c) 2016-2019 JUUL Labs * Copyright (c) 2019-2023 Arm Limited - * Copyright (c) 2024 Nordic Semiconductor ASA + * Copyright (c) 2024-2025 Nordic Semiconductor ASA * * Original license: * @@ -141,6 +141,19 @@ static const struct image_version mcuboot_s0_s1_image_version = { #define BUF_SZ 1024 #endif +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_ENC_IMAGES) +#define BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_off) \ + boot_copy_region(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_off) +#else +#define BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_off) \ + boot_copy_region(state, fap_pri, fap_sec, pri_off, sec_off, sz) +#endif + +struct boot_loader_state *boot_get_loader_state(void) +{ + return &boot_data; +} + static int boot_read_image_headers(struct boot_loader_state *state, bool require_all, struct boot_status *bs) @@ -578,15 +591,14 @@ boot_verify_slot_dependencies(struct boot_loader_state *state, uint32_t slot) struct image_dependency dep; uint32_t off; uint16_t len; - int area_id; int rc; - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - rc = flash_area_open(area_id, &fap); - if (rc != 0) { - rc = BOOT_EFLASH; - goto done; - } + fap = BOOT_IMG_AREA(state, slot); + assert(fap != NULL); + +#if defined(MCUBOOT_SWAP_USING_OFFSET) + it.start_off = boot_get_state_secondary_offset(state, fap); +#endif rc = bootutil_tlv_iter_begin(&it, boot_img_hdr(state, slot), fap, IMAGE_TLV_DEPENDENCY, true); @@ -629,7 +641,6 @@ boot_verify_slot_dependencies(struct boot_loader_state *state, uint32_t slot) } done: - flash_area_close(fap); return rc; } @@ -712,7 +723,11 @@ boot_status_reset(struct boot_status *bs) bs->swap_size = 0; bs->source = 0; +#if defined(MCUBOOT_SWAP_USING_OFFSET) + bs->op = BOOT_STATUS_OP_SWAP; +#else bs->op = BOOT_STATUS_OP_MOVE; +#endif bs->idx = BOOT_STATUS_IDX_0; bs->state = BOOT_STATUS_STATE_0; bs->swap_type = BOOT_SWAP_TYPE_NONE; @@ -721,7 +736,12 @@ boot_status_reset(struct boot_status *bs) bool boot_status_is_reset(const struct boot_status *bs) { - return (bs->op == BOOT_STATUS_OP_MOVE && + return ( +#if defined(MCUBOOT_SWAP_USING_OFFSET) + bs->op == BOOT_STATUS_OP_SWAP && +#else + bs->op == BOOT_STATUS_OP_MOVE && +#endif bs->idx == BOOT_STATUS_IDX_0 && bs->state == BOOT_STATUS_STATE_0); } @@ -814,7 +834,11 @@ boot_image_check(struct boot_loader_state *state, struct image_header *hdr, */ #if defined(MCUBOOT_ENC_IMAGES) && !defined(MCUBOOT_RAM_LOAD) if (MUST_DECRYPT(fap, BOOT_CURR_IMG(state), hdr)) { - rc = boot_enc_load(BOOT_CURR_ENC(state), 1, hdr, fap, bs); +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + rc = boot_enc_load(state, 1, hdr, fap, bs, 0); +#else + rc = boot_enc_load(state, 1, hdr, fap, bs); +#endif if (rc < 0) { FIH_RET(fih_rc); } @@ -824,9 +848,13 @@ boot_image_check(struct boot_loader_state *state, struct image_header *hdr, } #endif - FIH_CALL(bootutil_img_validate, fih_rc, BOOT_CURR_ENC(state), - BOOT_CURR_IMG(state), hdr, fap, tmpbuf, BOOT_TMPBUF_SZ, +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + FIH_CALL(bootutil_img_validate, fih_rc, state, hdr, fap, tmpbuf, BOOT_TMPBUF_SZ, + NULL, 0, NULL, 0); +#else + FIH_CALL(bootutil_img_validate, fih_rc, state, hdr, fap, tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, NULL); +#endif FIH_RET(fih_rc); } @@ -849,14 +877,24 @@ split_image_check(struct image_header *app_hdr, } } - FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, loader_hdr, loader_fap, +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + FIH_CALL(bootutil_img_validate, fih_rc, NULL, loader_hdr, loader_fap, + tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, loader_hash, 0); +#else + FIH_CALL(bootutil_img_validate, fih_rc, NULL, loader_hdr, loader_fap, tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, loader_hash); +#endif if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { FIH_RET(fih_rc); } - FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, app_hdr, app_fap, +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + FIH_CALL(bootutil_img_validate, fih_rc, NULL, app_hdr, app_fap, + tmpbuf, BOOT_TMPBUF_SZ, loader_hash, 32, NULL, 0); +#else + FIH_CALL(bootutil_img_validate, fih_rc, NULL, app_hdr, app_fap, tmpbuf, BOOT_TMPBUF_SZ, loader_hash, 32, NULL); +#endif out: FIH_RET(fih_rc); @@ -947,20 +985,14 @@ boot_data_is_set_to(uint8_t val, void *data, size_t len) static int boot_check_header_erased(struct boot_loader_state *state, int slot) { - const struct flash_area *fap; + const struct flash_area *fap = NULL; struct image_header *hdr; uint8_t erased_val; - int area_id; - int rc; - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - rc = flash_area_open(area_id, &fap); - if (rc != 0) { - return -1; - } + fap = BOOT_IMG_AREA(state, slot); + assert(fap != NULL); erased_val = flash_area_erased_val(fap); - flash_area_close(fap); hdr = boot_img_hdr(state, slot); if (!boot_data_is_set_to(erased_val, &hdr->ih_magic, sizeof(hdr->ih_magic))) { @@ -1017,25 +1049,23 @@ boot_rom_address_check(struct boot_loader_state *state) */ static fih_ret boot_validate_slot(struct boot_loader_state *state, int slot, - struct boot_status *bs) + struct boot_status *bs, int expected_swap_type) { const struct flash_area *fap; struct image_header *hdr; - int area_id; FIH_DECLARE(fih_rc, FIH_FAILURE); - int rc; - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - rc = flash_area_open(area_id, &fap); - if (rc != 0) { - FIH_RET(fih_rc); - } +#if !defined(MCUBOOT_SWAP_USING_OFFSET) + (void)expected_swap_type; +#endif + + fap = BOOT_IMG_AREA(state, slot); + assert(fap != NULL); hdr = boot_img_hdr(state, slot); if (boot_check_header_erased(state, slot) == 0 || (hdr->ih_flags & IMAGE_F_NON_BOOTABLE)) { - -#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) +#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) /* * This fixes an issue where an image might be erased, but a trailer * be left behind. It can happen if the image is in the secondary slot @@ -1048,6 +1078,20 @@ boot_validate_slot(struct boot_loader_state *state, int slot, */ if (slot != BOOT_PRIMARY_SLOT) { swap_erase_trailer_sectors(state, fap); + +#if defined(MCUBOOT_SWAP_USING_MOVE) + if (bs->swap_type == BOOT_SWAP_TYPE_REVERT || + boot_swap_type_multi(BOOT_CURR_IMG(state)) == BOOT_SWAP_TYPE_REVERT) { + const struct flash_area *fap_pri = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT); + + assert(fap_pri != NULL); + + if (swap_erase_trailer_sectors(state, fap_pri) == 0) { + BOOT_LOG_INF("Cleared image %d primary slot trailer due to stuck revert", + BOOT_CURR_IMG(state)); + } + } +#endif } #endif @@ -1056,8 +1100,30 @@ boot_validate_slot(struct boot_loader_state *state, int slot, goto out; } +#if defined(MCUBOOT_SWAP_USING_OFFSET) + if (slot != BOOT_PRIMARY_SLOT && boot_status_is_reset(bs) && + (expected_swap_type == BOOT_SWAP_TYPE_TEST || expected_swap_type == BOOT_SWAP_TYPE_PERM)) { + /* Check first sector to see if there is a magic header here, if so the update has likely + * been loaded to the wrong sector and cannot be used + */ + struct image_header first_sector_hdr; + + if (flash_area_read(fap, 0, &first_sector_hdr, sizeof(first_sector_hdr))) { + FIH_RET(fih_rc); + } + + if (first_sector_hdr.ih_magic == IMAGE_MAGIC) { + BOOT_LOG_ERR("Secondary header magic detected in first sector, wrong upload address?"); + fih_rc = FIH_NO_BOOTABLE_IMAGE; + goto check_validity; + } + } +#endif + #if defined(MCUBOOT_OVERWRITE_ONLY) && defined(MCUBOOT_DOWNGRADE_PREVENTION) if (slot != BOOT_PRIMARY_SLOT) { + int rc; + /* Check if version of secondary slot is sufficient */ #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) \ @@ -1128,6 +1194,9 @@ boot_validate_slot(struct boot_loader_state *state, int slot, FIH_CALL(boot_image_check, fih_rc, state, hdr, fap, bs); } } +#if defined(MCUBOOT_SWAP_USING_OFFSET) +check_validity: +#endif if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { if ((slot != BOOT_PRIMARY_SLOT) || ARE_SLOTS_EQUIVALENT()) { flash_area_erase(fap, 0, flash_area_get_size(fap)); @@ -1156,11 +1225,11 @@ boot_validate_slot(struct boot_loader_state *state, int slot, * 0. This part of image is not bootable, as the XIP setup is done by the app in * image 0 slot, and it does not carry the reset vector. */ - if (area_id == FLASH_AREA_IMAGE_SECONDARY(2)) { + if (fap == state->imgs[2][BOOT_SECONDARY_SLOT].area) { goto out; } #endif - if (area_id == FLASH_AREA_IMAGE_SECONDARY(BOOT_CURR_IMG(state))) { + if (fap == BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT)) { const struct flash_area *pri_fa = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT); struct image_header *secondary_hdr = boot_img_hdr(state, slot); uint32_t reset_value = 0; @@ -1168,8 +1237,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, uint32_t min_addr, max_addr; bool check_addresses = false; - rc = flash_area_read(fap, reset_addr, &reset_value, sizeof(reset_value)); - if (rc != 0) { + if (flash_area_read(fap, reset_addr, &reset_value, sizeof(reset_value)) != 0) { fih_rc = FIH_NO_BOOTABLE_IMAGE; goto out; } @@ -1231,8 +1299,6 @@ boot_validate_slot(struct boot_loader_state *state, int slot, #endif out: - flash_area_close(fap); - FIH_RET(fih_rc); } @@ -1242,41 +1308,36 @@ boot_validate_slot(struct boot_loader_state *state, int slot, * value which resides in the given slot, only if it's greater than the stored * value. * - * @param image_index Index of the image to determine which security - * counter to update. + * @param state Boot state where the current image's security counter will + * be updated. * @param slot Slot number of the image. - * @param hdr Pointer to the image header structure of the image - * that is currently stored in the given slot. + * @param hdr_slot_idx Index of the header in the state current image variable + * containing the pointer to the image header structure of the + * image that is currently stored in the given slot. * * @return 0 on success; nonzero on failure. */ static int -boot_update_security_counter(uint8_t image_index, int slot, - struct image_header *hdr) +boot_update_security_counter(struct boot_loader_state *state, int slot, int hdr_slot_idx) { const struct flash_area *fap = NULL; uint32_t img_security_cnt; int rc; - rc = flash_area_open(flash_area_id_from_multi_image_slot(image_index, slot), - &fap); - if (rc != 0) { - rc = BOOT_EFLASH; - goto done; - } + fap = BOOT_IMG_AREA(state, slot); + assert(fap != NULL); - rc = bootutil_get_img_security_cnt(hdr, fap, &img_security_cnt); + rc = bootutil_get_img_security_cnt(state, hdr_slot_idx, fap, &img_security_cnt); if (rc != 0) { goto done; } - rc = boot_nv_security_counter_update(image_index, img_security_cnt); + rc = boot_nv_security_counter_update(BOOT_CURR_IMG(state), img_security_cnt); if (rc != 0) { goto done; } done: - flash_area_close(fap); return rc; } #endif /* MCUBOOT_HW_ROLLBACK_PROT */ @@ -1486,7 +1547,7 @@ boot_validated_swap_type(struct boot_loader_state *state, /* Boot loader wants to switch to the secondary slot. * Ensure image is valid. */ - FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_SECONDARY_SLOT, bs); + FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_SECONDARY_SLOT, bs, swap_type); if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { if (FIH_EQ(fih_rc, FIH_NO_BOOTABLE_IMAGE)) { swap_type = BOOT_SWAP_TYPE_NONE; @@ -1578,14 +1639,23 @@ static void like_mbedtls_zeroize(void *p, size_t n) * @param off_dst The offset within the destination flash area to * copy to. * @param sz The number of bytes to copy. + * @param sector_off (Swap using offset with encryption only) the + * sector offset for encryption/decryption * * @return 0 on success; nonzero on failure. */ int +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_ENC_IMAGES) +boot_copy_region(struct boot_loader_state *state, + const struct flash_area *fap_src, + const struct flash_area *fap_dst, + uint32_t off_src, uint32_t off_dst, uint32_t sz, uint32_t sector_off) +#else boot_copy_region(struct boot_loader_state *state, const struct flash_area *fap_src, const struct flash_area *fap_dst, uint32_t off_src, uint32_t off_dst, uint32_t sz) +#endif { uint32_t bytes_copied; int chunk_sz; @@ -1667,7 +1737,11 @@ boot_copy_region(struct boot_loader_state *state, /* If only copy, then does not matter if header indicates need for * encryption/decryption, we just copy data. */ if (!only_copy && IS_ENCRYPTED(hdr)) { +#if defined(MCUBOOT_SWAP_USING_OFFSET) + uint32_t abs_off = off - sector_off + bytes_copied; +#else uint32_t abs_off = off + bytes_copied; +#endif if (abs_off < hdr->ih_hdr_size) { /* do not decrypt header */ if (abs_off + chunk_sz > hdr->ih_hdr_size) { @@ -1810,9 +1884,15 @@ boot_copy_image(struct boot_loader_state *state, struct boot_status *bs) #ifdef MCUBOOT_ENC_IMAGES if (IS_ENCRYPTED(boot_img_hdr(state, BOOT_SECONDARY_SLOT))) { - rc = boot_enc_load(BOOT_CURR_ENC(state), BOOT_SECONDARY_SLOT, +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + rc = boot_enc_load(state, BOOT_SECONDARY_SLOT, + boot_img_hdr(state, BOOT_SECONDARY_SLOT), + fap_secondary_slot, bs, 0); +#else + rc = boot_enc_load(state, BOOT_SECONDARY_SLOT, boot_img_hdr(state, BOOT_SECONDARY_SLOT), fap_secondary_slot, bs); +#endif if (rc < 0) { return BOOT_EBADIMAGE; @@ -1825,7 +1905,12 @@ boot_copy_image(struct boot_loader_state *state, struct boot_status *bs) BOOT_LOG_INF("Image %d copying the secondary slot to the primary slot: 0x%zx bytes", image_index, size); +#if defined(MCUBOOT_SWAP_USING_OFFSET) + rc = BOOT_COPY_REGION(state, fap_secondary_slot, fap_primary_slot, + boot_img_sector_size(state, BOOT_SECONDARY_SLOT, 0), 0, size, 0); +#else rc = boot_copy_region(state, fap_secondary_slot, fap_primary_slot, 0, 0, size); +#endif if (rc != 0) { return rc; } @@ -1849,8 +1934,7 @@ boot_copy_image(struct boot_loader_state *state, struct boot_status *bs) * slot's image header must be passed since the image headers in the * boot_data structure have not been updated yet. */ - rc = boot_update_security_counter(BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT, - boot_img_hdr(state, BOOT_SECONDARY_SLOT)); + rc = boot_update_security_counter(state, BOOT_PRIMARY_SLOT, BOOT_SECONDARY_SLOT); if (rc != 0) { BOOT_LOG_ERR("Security counter update failed after image upgrade."); return rc; @@ -1934,7 +2018,11 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs) #ifdef MCUBOOT_ENC_IMAGES if (IS_ENCRYPTED(hdr)) { fap = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT); - rc = boot_enc_load(BOOT_CURR_ENC(state), 0, hdr, fap, bs); +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + rc = boot_enc_load(state, 0, hdr, fap, bs, 0); +#else + rc = boot_enc_load(state, 0, hdr, fap, bs); +#endif assert(rc >= 0); if (rc == 0) { @@ -1958,7 +2046,11 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs) hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); if (IS_ENCRYPTED(hdr)) { fap = BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); - rc = boot_enc_load(BOOT_CURR_ENC(state), 1, hdr, fap, bs); +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + rc = boot_enc_load(state, 1, hdr, fap, bs, 0); +#else + rc = boot_enc_load(state, 1, hdr, fap, bs); +#endif assert(rc >= 0); if (rc == 0) { @@ -1983,7 +2075,7 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs) * in the trailer... */ - rc = boot_find_status(image_index, &fap); + fap = boot_find_status(state, image_index); assert(fap != NULL); rc = boot_read_swap_size(fap, &bs->swap_size); assert(rc == 0); @@ -2067,7 +2159,7 @@ boot_perform_update(struct boot_loader_state *state, struct boot_status *bs) */ FIH_DECLARE(fih_rc, FIH_FAILURE); rc = boot_check_header_erased(state, BOOT_PRIMARY_SLOT); - FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, bs); + FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, bs, 0); if (rc == 0 || FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { rc = boot_copy_image(state, bs); } else { @@ -2102,10 +2194,7 @@ boot_perform_update(struct boot_loader_state *state, struct boot_status *bs) * revert the images on the next reboot. Therefore, the security * counter must be increased right after the image upgrade. */ - rc = boot_update_security_counter( - BOOT_CURR_IMG(state), - BOOT_PRIMARY_SLOT, - boot_img_hdr(state, BOOT_SECONDARY_SLOT)); + rc = boot_update_security_counter(state, BOOT_PRIMARY_SLOT, BOOT_SECONDARY_SLOT); if (rc != 0) { BOOT_LOG_ERR("Security counter update failed after " "image upgrade."); @@ -2309,7 +2398,7 @@ boot_prepare_image_for_update(struct boot_loader_state *state, } #endif -#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) +#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) /* * Must re-read image headers because the boot status might * have been updated in the previous function call. @@ -2376,7 +2465,7 @@ boot_prepare_image_for_update(struct boot_loader_state *state, BOOT_SWAP_TYPE(state) = boot_validated_swap_type(state, bs); } else { FIH_CALL(boot_validate_slot, fih_rc, - state, BOOT_SECONDARY_SLOT, bs); + state, BOOT_SECONDARY_SLOT, bs, 0); if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_FAIL; } else { @@ -2398,13 +2487,13 @@ boot_prepare_image_for_update(struct boot_loader_state *state, */ rc = boot_check_header_erased(state, BOOT_PRIMARY_SLOT); FIH_CALL(boot_validate_slot, fih_rc, - state, BOOT_PRIMARY_SLOT, bs); + state, BOOT_PRIMARY_SLOT, bs, 0); if (rc == 0 || FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { rc = (boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_magic == IMAGE_MAGIC) ? 1: 0; FIH_CALL(boot_validate_slot, fih_rc, - state, BOOT_SECONDARY_SLOT, bs); + state, BOOT_SECONDARY_SLOT, bs, 0); if (rc == 1 && FIH_EQ(fih_rc, FIH_SUCCESS)) { /* Set swap type to REVERT to overwrite the primary @@ -2448,10 +2537,7 @@ boot_update_hw_rollback_protection(struct boot_loader_state *state) * necessary. */ if (BOOT_SWAP_TYPE(state) == BOOT_SWAP_TYPE_NONE) { - rc = boot_update_security_counter( - BOOT_CURR_IMG(state), - BOOT_PRIMARY_SLOT, - boot_img_hdr(state, BOOT_PRIMARY_SLOT)); + rc = boot_update_security_counter(state, BOOT_PRIMARY_SLOT, BOOT_PRIMARY_SLOT); if (rc != 0) { BOOT_LOG_ERR("Security counter update failed after image " "validation."); @@ -2482,7 +2568,7 @@ static int check_downgrade_prevention(struct boot_loader_state *state) { #if defined(MCUBOOT_DOWNGRADE_PREVENTION) && \ - (defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_SCRATCH)) + (defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_OFFSET)) uint32_t security_counter[2]; int rc; @@ -2495,16 +2581,16 @@ check_downgrade_prevention(struct boot_loader_state *state) if (MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER) { /* If there was security no counter in slot 0, allow swap */ - rc = bootutil_get_img_security_cnt(&(BOOT_IMG(state, 0).hdr), - BOOT_IMG(state, 0).area, + rc = bootutil_get_img_security_cnt(state, BOOT_PRIMARY_SLOT, + BOOT_IMG_AREA(state, 0), &security_counter[0]); if (rc != 0) { return 0; } /* If there is no security counter in slot 1, or it's lower than * that of slot 0, prevent downgrade */ - rc = bootutil_get_img_security_cnt(&(BOOT_IMG(state, 1).hdr), - BOOT_IMG(state, 1).area, + rc = bootutil_get_img_security_cnt(state, BOOT_SECONDARY_SLOT, + BOOT_IMG_AREA(state, 1), &security_counter[1]); if (rc != 0 || security_counter[0] > security_counter[1]) { rc = -1; @@ -2517,8 +2603,8 @@ check_downgrade_prevention(struct boot_loader_state *state) if (rc < 0) { /* Image in slot 0 prevents downgrade, delete image in slot 1 */ BOOT_LOG_INF("Image %d in slot 1 erased due to downgrade prevention", BOOT_CURR_IMG(state)); - flash_area_erase(BOOT_IMG(state, 1).area, 0, - flash_area_get_size(BOOT_IMG(state, 1).area)); + flash_area_erase(BOOT_IMG_AREA(state, 1), 0, + flash_area_get_size(BOOT_IMG_AREA(state, 1))); } else { rc = 0; } @@ -2782,7 +2868,7 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) if (!image_validated_by_nsib) #endif { - FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL); + FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL, 0); /* Check for all possible values is redundant in normal operation it * is meant to prevent FI attack. */ @@ -3061,17 +3147,15 @@ print_loaded_images(struct boot_loader_state *state) static int boot_select_or_erase(struct boot_loader_state *state) { - const struct flash_area *fap; - int fa_id; + const struct flash_area *fap = NULL; int rc; uint32_t active_slot; struct boot_swap_state* active_swap_state; active_slot = state->slot_usage[BOOT_CURR_IMG(state)].active_slot; - fa_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), active_slot); - rc = flash_area_open(fa_id, &fap); - assert(rc == 0); + fap = BOOT_IMG_AREA(state, active_slot); + assert(fap != NULL); active_swap_state = &(state->slot_usage[BOOT_CURR_IMG(state)].swap_state); @@ -3092,7 +3176,6 @@ boot_select_or_erase(struct boot_loader_state *state) rc = flash_area_erase(fap, 0, flash_area_get_size(fap)); assert(rc == 0); - flash_area_close(fap); rc = -1; } else { if (active_swap_state->copy_done != BOOT_FLAG_SET) { @@ -3114,7 +3197,6 @@ boot_select_or_erase(struct boot_loader_state *state) rc = 0; } } - flash_area_close(fap); } return rc; @@ -3200,7 +3282,7 @@ boot_load_and_validate_images(struct boot_loader_state *state) } #endif /* MCUBOOT_RAM_LOAD */ - FIH_CALL(boot_validate_slot, fih_rc, state, active_slot, NULL); + FIH_CALL(boot_validate_slot, fih_rc, state, active_slot, NULL, 0); if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { /* Image is invalid. */ #ifdef MCUBOOT_RAM_LOAD @@ -3243,9 +3325,9 @@ boot_update_hw_rollback_protection(struct boot_loader_state *state) */ if (state->slot_usage[BOOT_CURR_IMG(state)].swap_state.image_ok == BOOT_FLAG_SET) { #endif - rc = boot_update_security_counter(BOOT_CURR_IMG(state), + rc = boot_update_security_counter(state, state->slot_usage[BOOT_CURR_IMG(state)].active_slot, - boot_img_hdr(state, state->slot_usage[BOOT_CURR_IMG(state)].active_slot)); + state->slot_usage[BOOT_CURR_IMG(state)].active_slot); if (rc != 0) { BOOT_LOG_ERR("Security counter update failed after image %d validation.", BOOT_CURR_IMG(state)); return rc; @@ -3492,3 +3574,15 @@ const struct image_max_size *boot_get_max_app_size(void) return image_max_sizes; } #endif + +#if defined(MCUBOOT_SWAP_USING_OFFSET) +uint32_t boot_get_state_secondary_offset(struct boot_loader_state *state, + const struct flash_area *fap) +{ + if (state != NULL && BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT) == fap) { + return state->secondary_offset[BOOT_CURR_IMG(state)]; + } + + return 0; +} +#endif diff --git a/boot/bootutil/src/ram_load.c b/boot/bootutil/src/ram_load.c index 72255367a..2aba3bf30 100644 --- a/boot/bootutil/src/ram_load.c +++ b/boot/bootutil/src/ram_load.c @@ -135,15 +135,11 @@ boot_decrypt_and_copy_image_to_sram(struct boot_loader_state *state, uint32_t max_sz = 1024; uint16_t idx; uint8_t * cur_dst; - int area_id; int rc; uint8_t * ram_dst = (void *)(IMAGE_RAM_BASE + img_dst); - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - rc = flash_area_open(area_id, &fap_src); - if (rc != 0){ - return BOOT_EFLASH; - } + fap_src = BOOT_IMG_AREA(state, slot); + assert(fap_src != NULL); tlv_off = BOOT_TLV_OFF(hdr); @@ -153,7 +149,7 @@ boot_decrypt_and_copy_image_to_sram(struct boot_loader_state *state, goto done; } - rc = boot_enc_load(BOOT_CURR_ENC(state), slot, hdr, fap_src, &bs); + rc = boot_enc_load(state, slot, hdr, fap_src, &bs); if (rc < 0) { goto done; } @@ -188,8 +184,6 @@ boot_decrypt_and_copy_image_to_sram(struct boot_loader_state *state, rc = 0; done: - flash_area_close(fap_src); - return rc; } @@ -211,18 +205,13 @@ boot_copy_image_to_sram(struct boot_loader_state *state, int slot, { int rc; const struct flash_area *fap_src = NULL; - int area_id; #if (BOOT_IMAGE_NUMBER == 1) (void)state; #endif - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - - rc = flash_area_open(area_id, &fap_src); - if (rc != 0) { - return BOOT_EFLASH; - } + fap_src = BOOT_IMG_AREA(state, slot); + assert(fap_src != NULL); /* Direct copy from flash to its new location in SRAM. */ rc = flash_area_read(fap_src, 0, (void *)(IMAGE_RAM_BASE + img_dst), img_sz); @@ -231,8 +220,6 @@ boot_copy_image_to_sram(struct boot_loader_state *state, int slot, BOOT_CURR_IMG(state), rc); } - flash_area_close(fap_src); - return rc; } @@ -421,20 +408,26 @@ boot_remove_image_from_sram(struct boot_loader_state *state) int boot_remove_image_from_flash(struct boot_loader_state *state, uint32_t slot) { - int area_id; - int rc; const struct flash_area *fap; - (void)state; - BOOT_LOG_INF("Removing image %d slot %d from flash", BOOT_CURR_IMG(state), slot); - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - rc = flash_area_open(area_id, &fap); - if (rc == 0) { - flash_area_erase(fap, 0, flash_area_get_size(fap)); - flash_area_close(fap); - } + fap = BOOT_IMG_AREA(state, slot); + assert(fap != NULL); - return rc; + return flash_area_erase(fap, 0, flash_area_get_size(fap)); +} + +int boot_load_image_from_flash_to_sram(struct boot_loader_state *state, + struct image_header *hdr) +{ + int active_slot; + + /* boot_load_image_to_sram will load the image from state active_slot, + * so force it before loading the image. + */ + active_slot = state->slot_usage[BOOT_CURR_IMG(state)].active_slot; + BOOT_IMG(state, active_slot).hdr = *hdr; + + return boot_load_image_to_sram(state); } diff --git a/boot/bootutil/src/swap_misc.c b/boot/bootutil/src/swap_misc.c index 733a39744..70e09767f 100644 --- a/boot/bootutil/src/swap_misc.c +++ b/boot/bootutil/src/swap_misc.c @@ -30,7 +30,7 @@ BOOT_LOG_MODULE_DECLARE(mcuboot); -#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) +#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) int swap_erase_trailer_sectors(const struct boot_loader_state *state, const struct flash_area *fap) @@ -41,22 +41,13 @@ swap_erase_trailer_sectors(const struct boot_loader_state *state, uint32_t total_sz; uint32_t off; uint32_t sz; - int fa_id_primary; - int fa_id_secondary; - uint8_t image_index; int rc; BOOT_LOG_DBG("erasing trailer; fa_id=%d", flash_area_get_id(fap)); - image_index = BOOT_CURR_IMG(state); - fa_id_primary = flash_area_id_from_multi_image_slot(image_index, - BOOT_PRIMARY_SLOT); - fa_id_secondary = flash_area_id_from_multi_image_slot(image_index, - BOOT_SECONDARY_SLOT); - - if (flash_area_get_id(fap) == fa_id_primary) { + if (fap == BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)) { slot = BOOT_PRIMARY_SLOT; - } else if (flash_area_get_id(fap) == fa_id_secondary) { + } else if (fap == BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT)) { slot = BOOT_SECONDARY_SLOT; } else { return BOOT_EFLASH; @@ -96,8 +87,8 @@ swap_status_init(const struct boot_loader_state *state, BOOT_LOG_DBG("initializing status; fa_id=%d", flash_area_get_id(fap)); - rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SECONDARY(image_index), - &swap_state); + rc = boot_read_swap_state(state->imgs[image_index][BOOT_SECONDARY_SLOT].area, + &swap_state); assert(rc == 0); if (bs->swap_type != BOOT_SWAP_TYPE_NONE) { @@ -231,4 +222,4 @@ swap_set_image_ok(uint8_t image_index) } -#endif /* defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) */ +#endif /* defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) */ diff --git a/boot/bootutil/src/swap_move.c b/boot/bootutil/src/swap_move.c index 67bab1439..276eba00e 100644 --- a/boot/bootutil/src/swap_move.c +++ b/boot/bootutil/src/swap_move.c @@ -77,7 +77,6 @@ boot_read_image_header(struct boot_loader_state *state, int slot, uint32_t sz; uint32_t last_idx; uint32_t swap_size; - int area_id; int rc; #if (BOOT_IMAGE_NUMBER == 1) @@ -86,12 +85,11 @@ boot_read_image_header(struct boot_loader_state *state, int slot, off = 0; if (bs && !boot_status_is_reset(bs)) { - boot_find_status(BOOT_CURR_IMG(state), &fap); + fap = boot_find_status(state, BOOT_CURR_IMG(state)); if (fap == NULL || boot_read_swap_size(fap, &swap_size)) { rc = BOOT_EFLASH; goto done; } - flash_area_close(fap); last_idx = find_last_idx(state, swap_size); sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, 0); @@ -115,12 +113,8 @@ boot_read_image_header(struct boot_loader_state *state, int slot, } } - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - rc = flash_area_open(area_id, &fap); - if (rc != 0) { - rc = BOOT_EFLASH; - goto done; - } + fap = BOOT_IMG_AREA(state, slot); + assert(fap != NULL); rc = flash_area_read(fap, off, out_hdr, sizeof *out_hdr); if (rc != 0) { @@ -137,7 +131,6 @@ boot_read_image_header(struct boot_loader_state *state, int slot, rc = 0; done: - flash_area_close(fap); return rc; } @@ -367,14 +360,14 @@ swap_status_source(struct boot_loader_state *state) image_index = BOOT_CURR_IMG(state); - rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_PRIMARY(image_index), - &state_primary_slot); + rc = boot_read_swap_state(state->imgs[image_index][BOOT_PRIMARY_SLOT].area, + &state_primary_slot); assert(rc == 0); BOOT_LOG_SWAP_STATE("Primary image", &state_primary_slot); - rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SECONDARY(image_index), - &state_secondary_slot); + rc = boot_read_swap_state(state->imgs[image_index][BOOT_SECONDARY_SLOT].area, + &state_secondary_slot); assert(rc == 0); BOOT_LOG_SWAP_STATE("Secondary image", &state_secondary_slot); diff --git a/boot/bootutil/src/swap_offset.c b/boot/bootutil/src/swap_offset.c new file mode 100644 index 000000000..ebef36df9 --- /dev/null +++ b/boot/bootutil/src/swap_offset.c @@ -0,0 +1,803 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * Copyright (c) 2019 JUUL Labs + * Copyright (c) 2025 Nordic Semiconductor ASA + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include +#include +#include +#include "bootutil/bootutil.h" +#include "bootutil_priv.h" +#include "swap_priv.h" +#include "bootutil/bootutil_log.h" + +#include "mcuboot_config/mcuboot_config.h" + +BOOT_LOG_MODULE_DECLARE(mcuboot); + +#ifdef MCUBOOT_SWAP_USING_OFFSET + +#if defined(MCUBOOT_VALIDATE_PRIMARY_SLOT) +/* + * FIXME: this might have to be updated for threaded sim + */ +int boot_status_fails = 0; +#define BOOT_STATUS_ASSERT(x) \ + do { \ + if (!(x)) { \ + boot_status_fails++; \ + } \ + } while (0) +#else +#define BOOT_STATUS_ASSERT(x) ASSERT(x) +#endif + +#if defined(MCUBOOT_ENC_IMAGES) +#define BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_off) \ + boot_copy_region(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_off) +#else +#define BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_off) \ + boot_copy_region(state, fap_pri, fap_sec, pri_off, sec_off, sz) +#endif + +uint32_t find_last_idx(struct boot_loader_state *state, uint32_t swap_size) +{ + uint32_t sector_sz; + uint32_t sz; + uint32_t last_idx; + + sector_sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, 0); + sz = 0; + last_idx = 0; + + while (1) { + sz += sector_sz; + if (sz >= swap_size) { + break; + } + last_idx++; + } + + return last_idx; +} + +int boot_read_image_header(struct boot_loader_state *state, int slot, + struct image_header *out_hdr, struct boot_status *bs) +{ + const struct flash_area *fap = NULL; + uint32_t off = 0; + uint32_t sz; + uint32_t last_idx; + uint32_t swap_size; + int rc; + bool check_other_sector = true; + +#if (BOOT_IMAGE_NUMBER == 1) + (void)state; +#endif + + if (bs == NULL) { + fap = BOOT_IMG_AREA(state, slot); + + if (slot == BOOT_SECONDARY_SLOT && + boot_swap_type_multi(BOOT_CURR_IMG(state)) != BOOT_SWAP_TYPE_REVERT) { + off = boot_img_sector_size(state, BOOT_SECONDARY_SLOT, 0); + } + } else { + if (!boot_status_is_reset(bs)) { + check_other_sector = false; + fap = boot_find_status(state, BOOT_CURR_IMG(state)); + + if (fap == NULL || boot_read_swap_size(fap, &swap_size)) { + rc = BOOT_EFLASH; + goto done; + } + + last_idx = find_last_idx(state, swap_size); + sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, 0); + + /* + * Find the correct offset or slot where the image header is expected to + * be found for the steps where it is moved or swapped. + */ + if (bs->swap_type == BOOT_SWAP_TYPE_REVERT || + boot_swap_type_multi(BOOT_CURR_IMG(state)) == BOOT_SWAP_TYPE_REVERT) { + if (slot == 0) { + if (((bs->idx - BOOT_STATUS_IDX_0) > last_idx || + ((bs->idx - BOOT_STATUS_IDX_0) == last_idx && + bs->state == BOOT_STATUS_STATE_1))) { + slot = 1; + off = sz; + } else { + slot = 0; + off = 0; + } + } else if (slot == 1) { + if ((bs->idx - BOOT_STATUS_IDX_0) > last_idx || + ((bs->idx - BOOT_STATUS_IDX_0) == last_idx && + bs->state == BOOT_STATUS_STATE_2)) { + slot = 0; + off = 0; + } else { + slot = 1; + off = 0; + } + } + } else { + if (slot == 0) { + if ((bs->idx > BOOT_STATUS_IDX_0 || + (bs->idx == BOOT_STATUS_IDX_0 && bs->state == BOOT_STATUS_STATE_1)) && + bs->idx <= last_idx) { + slot = 1; + off = 0; + } else { + slot = 0; + off = 0; + } + } else if (slot == 1) { + if (bs->idx > BOOT_STATUS_IDX_0) { + slot = 0; + off = 0; + } else { + slot = 1; + off = sz; + } + } + } + + fap = BOOT_IMG_AREA(state, slot); + } else { + fap = BOOT_IMG_AREA(state, slot); + + if (bs->swap_type == BOOT_SWAP_TYPE_REVERT || + boot_swap_type_multi(BOOT_CURR_IMG(state)) == BOOT_SWAP_TYPE_REVERT) { + off = 0; + } + else if (slot == BOOT_SECONDARY_SLOT) { + off = boot_img_sector_size(state, BOOT_SECONDARY_SLOT, 0); + } + } + } + + assert(fap != NULL); + + rc = flash_area_read(fap, off, out_hdr, sizeof *out_hdr); + if (rc != 0) { + rc = BOOT_EFLASH; + goto done; + } + + if (check_other_sector == true && out_hdr->ih_magic != IMAGE_MAGIC && + slot == BOOT_SECONDARY_SLOT) { + if (boot_swap_type_multi(BOOT_CURR_IMG(state)) != BOOT_SWAP_TYPE_REVERT) { + off = 0; + } else { + off = boot_img_sector_size(state, BOOT_SECONDARY_SLOT, 0); + } + + rc = flash_area_read(fap, off, out_hdr, sizeof(*out_hdr)); + if (rc != 0) { + rc = BOOT_EFLASH; + goto done; + } + } + +#if defined(MCUBOOT_BOOTSTRAP) + if (out_hdr->ih_magic == IMAGE_MAGIC && (bs != NULL || state->bootstrap_secondary_offset_set[ + BOOT_CURR_IMG(state)] == false) && + slot == BOOT_SECONDARY_SLOT) { + state->bootstrap_secondary_offset_set[BOOT_CURR_IMG(state)] = true; +#else + if (out_hdr->ih_magic == IMAGE_MAGIC && bs != NULL && slot == BOOT_SECONDARY_SLOT) { +#endif + state->secondary_offset[BOOT_CURR_IMG(state)] = off; + } + + /* We only know where the headers are located when bs is valid */ + if (bs != NULL && out_hdr->ih_magic != IMAGE_MAGIC) { + rc = -1; + goto done; + } + + rc = 0; +done: + return rc; +} + +int swap_read_status_bytes(const struct flash_area *fap, struct boot_loader_state *state, + struct boot_status *bs) +{ + uint32_t off; + uint8_t status; + int max_entries; + int found_idx; + uint8_t write_sz; + int rc; + int last_rc; + int erased_sections; + int i; + + max_entries = boot_status_entries(BOOT_CURR_IMG(state), fap); + + if (max_entries < 0) { + return BOOT_EBADARGS; + } + + erased_sections = 0; + found_idx = -1; + /* Skip erased sectors at the end */ + last_rc = 1; + write_sz = BOOT_WRITE_SZ(state); + off = boot_status_off(fap); + for (i = max_entries; i > 0; i--) { + rc = flash_area_read(fap, off + (i - 1) * write_sz, &status, 1); + if (rc < 0) { + return BOOT_EFLASH; + } + + if (bootutil_buffer_is_erased(fap, &status, 1)) { + if (rc != last_rc) { + erased_sections++; + } + } else { + if (found_idx == -1) { + found_idx = i; + } + } + last_rc = rc; + } + + if (erased_sections > 1) { + /* This means there was an error writing status on the last swap. Tell user and move on + * to validation! + */ +#if !defined(__BOOTSIM__) + BOOT_LOG_ERR("Detected inconsistent status!"); +#endif + +#if !defined(MCUBOOT_VALIDATE_PRIMARY_SLOT) + /* With validation of the primary slot disabled, there is no way to be sure the swapped + * primary slot is OK, so abort! + */ + assert(0); +#endif + } + + if (found_idx == -1) { + /* no swap status found; nothing to do */ + } else { + bs->op = BOOT_STATUS_OP_SWAP; + bs->idx = (found_idx / BOOT_STATUS_SWAP_STATE_COUNT) + BOOT_STATUS_IDX_0; + bs->state = (found_idx % BOOT_STATUS_SWAP_STATE_COUNT) + BOOT_STATUS_STATE_0; + } + + return 0; +} + +uint32_t boot_status_internal_off(const struct boot_status *bs, int elem_sz) +{ + uint32_t off; + int idx_sz; + + idx_sz = elem_sz * BOOT_STATUS_STATE_COUNT; + off = (bs->idx - BOOT_STATUS_IDX_0) * idx_sz + + (bs->state - BOOT_STATUS_STATE_0) * elem_sz; + + return off; +} + +static int app_max_sectors(struct boot_loader_state *state) +{ + uint32_t sz = 0; + uint32_t sector_sz; + uint32_t trailer_sz; + uint32_t first_trailer_idx; + + sector_sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, 0); + trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state)); + first_trailer_idx = boot_img_num_sectors(state, BOOT_PRIMARY_SLOT); + + while (1) { + sz += sector_sz; + + if (sz >= trailer_sz) { + break; + } + + first_trailer_idx--; + } + + return first_trailer_idx; +} + +int boot_slots_compatible(struct boot_loader_state *state) +{ + size_t num_sectors_pri; + size_t num_sectors_sec; + size_t sector_sz_pri = 0; + size_t sector_sz_sec = 0; + size_t i; + size_t num_usable_sectors_pri; + + num_sectors_pri = boot_img_num_sectors(state, BOOT_PRIMARY_SLOT); + num_sectors_sec = boot_img_num_sectors(state, BOOT_SECONDARY_SLOT); + num_usable_sectors_pri = app_max_sectors(state); + + if ((num_sectors_pri != num_sectors_sec) && + ((num_sectors_pri + 1) != num_sectors_sec) && + ((num_usable_sectors_pri + 1) != (num_sectors_sec))) { + BOOT_LOG_WRN("Cannot upgrade: not a compatible amount of sectors"); + BOOT_LOG_DBG("slot0 sectors: %d, slot1 sectors: %d, usable slot0 sectors: %d", + (int)num_sectors_pri, (int)num_sectors_sec, + (int)(num_usable_sectors_pri - 1)); + return 0; + } else if (num_sectors_pri > BOOT_MAX_IMG_SECTORS) { + BOOT_LOG_WRN("Cannot upgrade: more sectors than allowed"); + return 0; + } + + if ((num_usable_sectors_pri + 1) != num_sectors_sec) { + BOOT_LOG_DBG("Non-optimal sector distribution, slot0 has %d usable sectors " + "but slot1 has %d usable sectors", (int)(num_usable_sectors_pri), + ((int)num_sectors_sec - 1)); + } + + for (i = 0; i < num_sectors_pri; i++) { + sector_sz_pri = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, i); + sector_sz_sec = boot_img_sector_size(state, BOOT_SECONDARY_SLOT, i); + if (sector_sz_pri != sector_sz_sec) { + BOOT_LOG_WRN("Cannot upgrade: not same sector layout"); + return 0; + } + } + +#ifdef MCUBOOT_SLOT0_EXPECTED_ERASE_SIZE + if (sector_sz_pri != MCUBOOT_SLOT0_EXPECTED_ERASE_SIZE) { + BOOT_LOG_DBG("Discrepancy, slot0 expected erase size: %d, actual: %d", + MCUBOOT_SLOT0_EXPECTED_ERASE_SIZE, sector_sz_pri); + } +#endif +#ifdef MCUBOOT_SLOT1_EXPECTED_ERASE_SIZE + if (sector_sz_sec != MCUBOOT_SLOT1_EXPECTED_ERASE_SIZE) { + BOOT_LOG_DBG("Discrepancy, slot1 expected erase size: %d, actual: %d", + MCUBOOT_SLOT1_EXPECTED_ERASE_SIZE, sector_sz_sec); + } +#endif + +#if defined(MCUBOOT_SLOT0_EXPECTED_WRITE_SIZE) || defined(MCUBOOT_SLOT1_EXPECTED_WRITE_SIZE) + if (!swap_write_block_size_check(state)) { + BOOT_LOG_WRN("Cannot upgrade: slot write sizes are not compatible"); + return 0; + } +#endif + + if (num_sectors_pri > num_sectors_sec) { + if (sector_sz_pri != boot_img_sector_size(state, BOOT_PRIMARY_SLOT, i)) { + BOOT_LOG_WRN("Cannot upgrade: not same sector layout"); + return 0; + } + } + + return 1; +} + +#define BOOT_LOG_SWAP_STATE(area, state) \ + BOOT_LOG_INF("%s: magic=%s, swap_type=0x%x, copy_done=0x%x, " \ + "image_ok=0x%x", \ + (area), \ + ((state)->magic == BOOT_MAGIC_GOOD ? "good" : \ + (state)->magic == BOOT_MAGIC_UNSET ? "unset" : \ + "bad"), \ + (state)->swap_type, \ + (state)->copy_done, \ + (state)->image_ok) + +int swap_status_source(struct boot_loader_state *state) +{ + struct boot_swap_state state_primary_slot; + struct boot_swap_state state_secondary_slot; + int rc; + uint8_t source; + uint8_t image_index; + +#if (BOOT_IMAGE_NUMBER == 1) + (void)state; +#endif + + image_index = BOOT_CURR_IMG(state); + rc = boot_read_swap_state(state->imgs[image_index][BOOT_PRIMARY_SLOT].area, + &state_primary_slot); + assert(rc == 0); + BOOT_LOG_SWAP_STATE("Primary image", &state_primary_slot); + + rc = boot_read_swap_state(state->imgs[image_index][BOOT_SECONDARY_SLOT].area, + &state_secondary_slot); + assert(rc == 0); + BOOT_LOG_SWAP_STATE("Secondary image", &state_secondary_slot); + + if (state_primary_slot.magic == BOOT_MAGIC_GOOD && + state_primary_slot.copy_done == BOOT_FLAG_UNSET && + state_secondary_slot.magic != BOOT_MAGIC_GOOD) { + + source = BOOT_STATUS_SOURCE_PRIMARY_SLOT; + + BOOT_LOG_INF("Boot source: primary slot"); + return source; + } + + BOOT_LOG_INF("Boot source: none"); + return BOOT_STATUS_SOURCE_NONE; +} + +static void boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, + struct boot_status *bs, const struct flash_area *fap_pri, + const struct flash_area *fap_sec, bool skip_primary, + bool skip_secondary) +{ + uint32_t pri_off; + uint32_t sec_off; + uint32_t sec_up_off; + int rc = 0; + + pri_off = boot_img_sector_off(state, BOOT_PRIMARY_SLOT, idx); + sec_off = boot_img_sector_off(state, BOOT_SECONDARY_SLOT, idx); + sec_up_off = boot_img_sector_off(state, BOOT_PRIMARY_SLOT, (idx + 1)); + + if (bs->state == BOOT_STATUS_STATE_0) { + if (skip_primary == true) { + BOOT_LOG_DBG("Skipping erase of secondary 0x%x and copy from primary 0x%x", sec_off, + pri_off); + } else { + /* Copy from slot 0 X to slot 1 X */ + BOOT_LOG_DBG("Erasing secondary 0x%x of 0x%x", sec_off, sz); + rc = boot_erase_region(fap_sec, sec_off, sz); + assert(rc == 0); + + BOOT_LOG_DBG("Copying primary 0x%x -> secondary 0x%x of 0x%x", pri_off, sec_off, sz); + rc = BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, 0); + assert(rc == 0); + } + + rc = boot_write_status(state, bs); + bs->state = BOOT_STATUS_STATE_1; + BOOT_STATUS_ASSERT(rc == 0); + } + + if (bs->state == BOOT_STATUS_STATE_1) { + if (skip_secondary == true) { + BOOT_LOG_DBG("Skipping erase of primary 0x%x and copy from secondary 0x%x", pri_off, + sec_up_off); + } else { + /* Erase slot 0 X */ + BOOT_LOG_DBG("Erasing primary 0x%x of 0x%x", pri_off, sz); + rc = boot_erase_region(fap_pri, pri_off, sz); + assert(rc == 0); + + /* Copy from slot 1 (X + 1) to slot 0 X */ + BOOT_LOG_DBG("Copying secondary 0x%x -> primary 0x%x of 0x%x", sec_up_off, pri_off, + sz); + rc = BOOT_COPY_REGION(state, fap_sec, fap_pri, sec_up_off, pri_off, sz, 0); + assert(rc == 0); + } + + rc = boot_write_status(state, bs); + bs->idx++; + bs->state = BOOT_STATUS_STATE_0; + BOOT_STATUS_ASSERT(rc == 0); + } +} + +static void boot_swap_sectors_revert(int idx, uint32_t sz, struct boot_loader_state *state, + struct boot_status *bs, const struct flash_area *fap_pri, + const struct flash_area *fap_sec, uint32_t sector_sz, + bool skip_primary, bool skip_secondary) +{ + uint32_t pri_off; + uint32_t sec_off; + uint32_t sec_up_off; + int rc = 0; +#if !defined(MCUBOOT_ENC_IMAGES) + (void)sector_sz; +#endif + + pri_off = boot_img_sector_off(state, BOOT_PRIMARY_SLOT, idx); + sec_off = boot_img_sector_off(state, BOOT_SECONDARY_SLOT, idx + 1); + sec_up_off = boot_img_sector_off(state, BOOT_PRIMARY_SLOT, idx); + + if (bs->state == BOOT_STATUS_STATE_0) { + if (skip_primary == true) { + BOOT_LOG_DBG("Skipping erase of secondary 0x%x and copy from primary 0x%x", sec_off, + pri_off); + } else { + /* Copy from slot 0 X to slot 1 X */ + BOOT_LOG_DBG("Erasing secondary 0x%x of 0x%x", sec_off, sz); + rc = boot_erase_region(fap_sec, sec_off, sz); + assert(rc == 0); + + BOOT_LOG_DBG("Copying primary 0x%x -> secondary 0x%x of 0x%x", pri_off, sec_off, sz); + rc = BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_sz); + assert(rc == 0); + } + + rc = boot_write_status(state, bs); + bs->state = BOOT_STATUS_STATE_1; + BOOT_STATUS_ASSERT(rc == 0); + } + + if (bs->state == BOOT_STATUS_STATE_1) { + if (skip_secondary == true) { + BOOT_LOG_DBG("Skipping erase of primary 0x%x and copy from secondary 0x%x", pri_off, + sec_up_off); + } else { + /* Erase slot 0 X */ + BOOT_LOG_DBG("Erasing primary 0x%x of 0x%x", pri_off, sz); + rc = boot_erase_region(fap_pri, pri_off, sz); + assert(rc == 0); + + /* Copy from slot 1 (X + 1) to slot 0 X */ + BOOT_LOG_DBG("Copying secondary 0x%x -> primary 0x%x of 0x%x", sec_up_off, pri_off, + sz); + rc = BOOT_COPY_REGION(state, fap_sec, fap_pri, sec_up_off, pri_off, sz, 0); + assert(rc == 0); + } + + rc = boot_write_status(state, bs); + bs->idx++; + bs->state = BOOT_STATUS_STATE_0; + BOOT_STATUS_ASSERT(rc == 0); + } +} + +/* + * When starting a revert the swap status exists in the primary slot, and + * the status in the secondary slot is erased. To start the swap, the status + * area in the primary slot must be re-initialized; if during the small + * window of time between re-initializing it and writing the first metadata + * a reset happens, the swap process is broken and cannot be resumed. + * + * This function handles the issue by making the revert look like a permanent + * upgrade (by initializing the secondary slot). + */ +void fixup_revert(const struct boot_loader_state *state, struct boot_status *bs, + const struct flash_area *fap_sec) +{ + struct boot_swap_state swap_state; + int rc; + +#if (BOOT_IMAGE_NUMBER == 1) + (void)state; +#endif + + /* No fixup required */ + if (bs->swap_type != BOOT_SWAP_TYPE_REVERT || + bs->idx != BOOT_STATUS_IDX_0) { + return; + } + + rc = boot_read_swap_state(fap_sec, &swap_state); + assert(rc == 0); + + BOOT_LOG_SWAP_STATE("Secondary image", &swap_state); + + if (swap_state.magic == BOOT_MAGIC_UNSET) { + rc = swap_erase_trailer_sectors(state, fap_sec); + assert(rc == 0); + + rc = boot_write_copy_done(fap_sec); + assert(rc == 0); + + rc = swap_status_init(state, fap_sec, bs); + assert(rc == 0); + } +} + +void swap_run(struct boot_loader_state *state, struct boot_status *bs, + uint32_t copy_size) +{ + uint32_t sz; + uint32_t sector_sz; + uint32_t idx; + uint32_t trailer_sz; + uint32_t first_trailer_idx; + uint32_t last_idx; + uint32_t used_sectors_pri; + uint32_t used_sectors_sec; + const struct flash_area *fap_pri = NULL; + const struct flash_area *fap_sec = NULL; + int rc; + + BOOT_LOG_INF("Starting swap using offset algorithm."); + + last_idx = find_last_idx(state, copy_size); + sector_sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, 0); + + /* When starting a new swap upgrade, check that there is enough space */ + if (boot_status_is_reset(bs)) { + sz = 0; + trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state)); + first_trailer_idx = boot_img_num_sectors(state, BOOT_PRIMARY_SLOT) - 1; + + while (1) { + sz += sector_sz; + if (sz >= trailer_sz) { + break; + } + first_trailer_idx--; + } + + if (last_idx >= first_trailer_idx) { + BOOT_LOG_WRN("Not enough free space to run swap upgrade"); + BOOT_LOG_WRN("required %d bytes but only %d are available", + (last_idx + 1) * sector_sz, + first_trailer_idx * sector_sz); + bs->swap_type = BOOT_SWAP_TYPE_NONE; + return; + } + } + + fap_pri = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT); + assert(fap_pri != NULL); + + fap_sec = BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); + assert(fap_sec != NULL); + + fixup_revert(state, bs, fap_sec); + + /* Init areas for storing swap status */ + if (bs->idx == BOOT_STATUS_IDX_0) { + int rc; + + if (bs->source != BOOT_STATUS_SOURCE_PRIMARY_SLOT) { + rc = swap_erase_trailer_sectors(state, fap_pri); + assert(rc == 0); + + rc = swap_status_init(state, fap_pri, bs); + assert(rc == 0); + } + + rc = swap_erase_trailer_sectors(state, fap_sec); + assert(rc == 0); + } + + bs->op = BOOT_STATUS_OP_SWAP; + idx = 0; + used_sectors_pri = ((state->imgs[BOOT_CURR_IMG(state)][BOOT_PRIMARY_SLOT].hdr.ih_hdr_size + + state->imgs[BOOT_CURR_IMG(state)][BOOT_PRIMARY_SLOT].hdr.ih_protect_tlv_size + + state->imgs[BOOT_CURR_IMG(state)][BOOT_PRIMARY_SLOT].hdr.ih_img_size) + sector_sz - 1) / + sector_sz; + used_sectors_sec = ((state->imgs[BOOT_CURR_IMG(state)][BOOT_SECONDARY_SLOT].hdr.ih_hdr_size + + state->imgs[BOOT_CURR_IMG(state)][BOOT_SECONDARY_SLOT].hdr.ih_protect_tlv_size + + state->imgs[BOOT_CURR_IMG(state)][BOOT_SECONDARY_SLOT].hdr.ih_img_size) + sector_sz - 1) / + sector_sz; + + if (bs->swap_type == BOOT_SWAP_TYPE_REVERT || + boot_swap_type_multi(BOOT_CURR_IMG(state)) == BOOT_SWAP_TYPE_REVERT) { + while (idx <= last_idx) { + if (idx >= (bs->idx - BOOT_STATUS_IDX_0)) { + uint32_t mirror_idx = last_idx - idx; + + boot_swap_sectors_revert(mirror_idx, sector_sz, state, bs, fap_pri, fap_sec, + sector_sz, + (mirror_idx > used_sectors_pri ? true : false), + (mirror_idx > used_sectors_sec ? true : false)); + } + + idx++; + } + + /* Erase the first sector in the secondary slot before completing revert so that the + * status is not wrongly used as a valid header. Also erase the trailer in the secondary + * to allow for a future update to be loaded + */ + rc = boot_erase_region(fap_sec, boot_img_sector_off(state, BOOT_SECONDARY_SLOT, 0), + sector_sz); + assert(rc == 0); + rc = swap_erase_trailer_sectors(state, fap_sec); + assert(rc == 0); + } else { + while (idx <= last_idx) { + if (idx >= (bs->idx - BOOT_STATUS_IDX_0)) { + boot_swap_sectors(idx, sector_sz, state, bs, fap_pri, fap_sec, + (idx > used_sectors_pri ? true : false), + (idx > used_sectors_sec ? true : false)); + } + + idx++; + } + } +} + +int app_max_size(struct boot_loader_state *state) +{ + uint32_t sector_sz_primary; + uint32_t sector_sz_secondary; + uint32_t sz_primary; + uint32_t sz_secondary; + + sector_sz_primary = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, 0); + sector_sz_secondary = boot_img_sector_size(state, BOOT_SECONDARY_SLOT, 0); + + /* Account for image flags and move sector */ + sz_primary = app_max_sectors(state) * sector_sz_primary; + sz_secondary = boot_img_num_sectors(state, BOOT_SECONDARY_SLOT) * sector_sz_secondary - + sector_sz_primary; + + return (sz_primary <= sz_secondary ? sz_primary : sz_secondary); +} + +/* Compute the total size of the given image. Includes the size of the TLVs. */ +int boot_read_image_size(struct boot_loader_state *state, int slot, uint32_t *size) +{ + const struct flash_area *fap; + struct image_tlv_info info; + uint32_t off; + uint32_t secondary_slot_off = 0; + uint32_t protect_tlv_size; + int rc; + +#if (BOOT_IMAGE_NUMBER == 1) + (void)state; +#endif + + fap = BOOT_IMG_AREA(state, slot); + assert(fap != NULL); + + off = BOOT_TLV_OFF(boot_img_hdr(state, slot)); + + if (slot == BOOT_SECONDARY_SLOT) { + /* Check in the secondary position in the upgrade slot */ + secondary_slot_off = state->secondary_offset[BOOT_CURR_IMG(state)]; + } + + if (flash_area_read(fap, (off + secondary_slot_off), &info, sizeof(info))) { + rc = BOOT_EFLASH; + goto done; + } + + protect_tlv_size = boot_img_hdr(state, slot)->ih_protect_tlv_size; + if (info.it_magic == IMAGE_TLV_PROT_INFO_MAGIC) { + if (protect_tlv_size != info.it_tlv_tot) { + rc = BOOT_EBADIMAGE; + goto done; + } + + if (flash_area_read(fap, (off + secondary_slot_off + info.it_tlv_tot), + &info, sizeof(info))) { + rc = BOOT_EFLASH; + goto done; + } + } else if (protect_tlv_size != 0) { + rc = BOOT_EBADIMAGE; + goto done; + } + + if (info.it_magic != IMAGE_TLV_INFO_MAGIC) { + rc = BOOT_EBADIMAGE; + goto done; + } + + *size = off + protect_tlv_size + info.it_tlv_tot; + rc = 0; + +done: + flash_area_close(fap); + return rc; +} + +#endif diff --git a/boot/bootutil/src/swap_priv.h b/boot/bootutil/src/swap_priv.h index cc72b7653..ee7e44d55 100644 --- a/boot/bootutil/src/swap_priv.h +++ b/boot/bootutil/src/swap_priv.h @@ -21,7 +21,7 @@ #include "mcuboot_config/mcuboot_config.h" -#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) +#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) /** * Calculates the amount of space required to store the trailer, and erases @@ -99,9 +99,9 @@ static inline size_t boot_scratch_area_size(const struct boot_loader_state *stat } #endif -#endif /* defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) */ +#endif /* defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) */ -#if defined(MCUBOOT_SWAP_USING_MOVE) +#if defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) /** * Check if device write block sizes are as expected, function should emit an error if there is * a problem. If true is returned, the slots are marked as compatible, otherwise the slots are @@ -112,7 +112,7 @@ static inline size_t boot_scratch_area_size(const struct boot_loader_state *stat * slot. */ bool swap_write_block_size_check(struct boot_loader_state *state); -#endif /* defined(MCUBOOT_SWAP_USING_MOVE) */ +#endif /* defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) */ /** * Returns the maximum size of an application that can be loaded to a slot. diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c index 66dca83e9..222d34b71 100644 --- a/boot/bootutil/src/swap_scratch.c +++ b/boot/bootutil/src/swap_scratch.c @@ -30,7 +30,7 @@ BOOT_LOG_MODULE_DECLARE(mcuboot); -#if !defined(MCUBOOT_SWAP_USING_MOVE) +#if !defined(MCUBOOT_SWAP_USING_MOVE) && !defined(MCUBOOT_SWAP_USING_OFFSET) #if defined(MCUBOOT_VALIDATE_PRIMARY_SLOT) /* @@ -369,12 +369,12 @@ swap_status_source(struct boot_loader_state *state) #endif image_index = BOOT_CURR_IMG(state); - rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_PRIMARY(image_index), - &state_primary_slot); + rc = boot_read_swap_state(state->imgs[image_index][BOOT_PRIMARY_SLOT].area, + &state_primary_slot); assert(rc == 0); #if MCUBOOT_SWAP_USING_SCRATCH - rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SCRATCH, &state_scratch); + rc = boot_read_swap_state(state->scratch.area, &state_scratch); assert(rc == 0); #endif @@ -477,13 +477,15 @@ boot_copy_sz(const struct boot_loader_state *state, int last_sector_idx, static int find_last_sector_idx(const struct boot_loader_state *state, uint32_t copy_size) { - int last_sector_idx; + int last_sector_idx_primary; + int last_sector_idx_secondary; uint32_t primary_slot_size; uint32_t secondary_slot_size; primary_slot_size = 0; secondary_slot_size = 0; - last_sector_idx = 0; + last_sector_idx_primary = 0; + last_sector_idx_secondary = 0; /* * Knowing the size of the largest image between both slots, here we @@ -496,23 +498,24 @@ find_last_sector_idx(const struct boot_loader_state *state, uint32_t copy_size) (primary_slot_size < secondary_slot_size)) { primary_slot_size += boot_img_sector_size(state, BOOT_PRIMARY_SLOT, - last_sector_idx); + last_sector_idx_primary); + ++last_sector_idx_primary; } if ((secondary_slot_size < copy_size) || (secondary_slot_size < primary_slot_size)) { secondary_slot_size += boot_img_sector_size(state, BOOT_SECONDARY_SLOT, - last_sector_idx); + last_sector_idx_secondary); + ++last_sector_idx_secondary; } if (primary_slot_size >= copy_size && secondary_slot_size >= copy_size && primary_slot_size == secondary_slot_size) { break; } - last_sector_idx++; } - return last_sector_idx; + return last_sector_idx_primary - 1; } /** @@ -564,15 +567,25 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, const struct flash_area *fap_scratch; uint32_t copy_sz; uint32_t trailer_sz; - uint32_t sector_sz; uint32_t img_off; uint32_t scratch_trailer_off; struct boot_swap_state swap_state; - size_t last_sector; + size_t first_trailer_sector_primary; bool erase_scratch; uint8_t image_index; int rc; + image_index = BOOT_CURR_IMG(state); + + rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index), &fap_primary_slot); + assert (rc == 0); + + rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY(image_index), &fap_secondary_slot); + assert (rc == 0); + + rc = flash_area_open(FLASH_AREA_IMAGE_SCRATCH, &fap_scratch); + assert (rc == 0); + /* Calculate offset from start of image area. */ img_off = boot_img_sector_off(state, BOOT_PRIMARY_SLOT, idx); @@ -580,50 +593,41 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state)); /* sz in this function is always sized on a multiple of the sector size. - * The check against the start offset of the last sector - * is to determine if we're swapping the last sector. The last sector - * needs special handling because it's where the trailer lives. If we're - * copying it, we need to use scratch to write the trailer temporarily. + * The check against the start offset of the first trailer sector is to determine if we're + * swapping that sector, which might contains both part of the firmware image and part of the + * trailer (or the whole trailer if the latter is small enough). Therefore, that sector needs + * special handling: if we're copying it, we need to use scratch to write the trailer + * temporarily. + * + * Since the primary and secondary slots don't necessarily have the same layout, the index of + * the first trailer sector may be different for each slot. * * NOTE: `use_scratch` is a temporary flag (never written to flash) which - * controls if special handling is needed (swapping last sector). + * controls if special handling is needed (swapping the first trailer sector). */ - last_sector = boot_img_num_sectors(state, BOOT_PRIMARY_SLOT) - 1; - sector_sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, last_sector); - - if (sector_sz < trailer_sz) { - uint32_t trailer_sector_sz = sector_sz; + first_trailer_sector_primary = + boot_get_first_trailer_sector(state, BOOT_PRIMARY_SLOT, trailer_sz); - while (trailer_sector_sz < trailer_sz) { - /* Consider that the image trailer may span across sectors of - * different sizes. - */ - sector_sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, --last_sector); + /* Check if the currently swapped sector(s) contain the trailer or part of it */ + if ((img_off + sz) > + boot_img_sector_off(state, BOOT_PRIMARY_SLOT, first_trailer_sector_primary)) { + copy_sz = flash_area_get_size(fap_primary_slot) - img_off - trailer_sz; + + /* Check if the computed copy size would cause the beginning of the trailer in the scratch + * area to be overwritten. If so, adjust the copy size to avoid this. + * + * This could happen if the trailer is larger than a single sector since in that case the + * first part of the trailer may be smaller than the trailer in the scratch area. + */ + scratch_trailer_off = boot_status_off(fap_scratch); - trailer_sector_sz += sector_sz; + if (copy_sz > scratch_trailer_off) { + copy_sz = scratch_trailer_off; } } - if ((img_off + sz) > - boot_img_sector_off(state, BOOT_PRIMARY_SLOT, last_sector)) { - copy_sz -= trailer_sz; - } - bs->use_scratch = (bs->idx == BOOT_STATUS_IDX_0 && copy_sz != sz); - image_index = BOOT_CURR_IMG(state); - - rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index), - &fap_primary_slot); - assert (rc == 0); - - rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY(image_index), - &fap_secondary_slot); - assert (rc == 0); - - rc = flash_area_open(FLASH_AREA_IMAGE_SCRATCH, &fap_scratch); - assert (rc == 0); - if (bs->state == BOOT_STATUS_STATE_0) { BOOT_LOG_DBG("erasing scratch area"); rc = boot_erase_region(fap_scratch, 0, flash_area_get_size(fap_scratch)); @@ -665,29 +669,69 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, } if (bs->state == BOOT_STATUS_STATE_1) { - rc = boot_erase_region(fap_secondary_slot, img_off, sz); - assert(rc == 0); - - rc = boot_copy_region(state, fap_primary_slot, fap_secondary_slot, - img_off, img_off, copy_sz); - assert(rc == 0); + uint32_t erase_sz = sz; - if (bs->idx == BOOT_STATUS_IDX_0 && !bs->use_scratch) { - /* If not all sectors of the slot are being swapped, - * guarantee here that only the primary slot will have the state. - */ + if (bs->idx == BOOT_STATUS_IDX_0) { + /* Guarantee here that only the primary slot will have the state. + * + * This is necessary even though the current area being swapped contains part of the + * trailer since in case the trailer spreads over multiple sector erasing the [img_off, + * img_off + sz) might not erase the entire trailer. + */ rc = swap_erase_trailer_sectors(state, fap_secondary_slot); assert(rc == 0); + + if (bs->use_scratch) { + /* If the area being swapped contains the trailer or part of it, ensure the + * sector(s) containing the beginning of the trailer won't be erased again. + */ + size_t trailer_sector_secondary = + boot_get_first_trailer_sector(state, BOOT_SECONDARY_SLOT, trailer_sz); + + uint32_t trailer_sector_offset = + boot_img_sector_off(state, BOOT_SECONDARY_SLOT, trailer_sector_secondary); + + erase_sz = trailer_sector_offset - img_off; + } + } + + if (erase_sz > 0) { + rc = boot_erase_region(fap_secondary_slot, img_off, erase_sz); + assert(rc == 0); } + rc = boot_copy_region(state, fap_primary_slot, fap_secondary_slot, + img_off, img_off, copy_sz); + assert(rc == 0); + rc = boot_write_status(state, bs); bs->state = BOOT_STATUS_STATE_2; BOOT_STATUS_ASSERT(rc == 0); } if (bs->state == BOOT_STATUS_STATE_2) { - rc = boot_erase_region(fap_primary_slot, img_off, sz); - assert(rc == 0); + uint32_t erase_sz = sz; + + if (bs->use_scratch) { + /* The current area that is being swapped contains the trailer or part of it. In that + * case, make sure to erase all sectors containing the trailer in the primary slot to be + * able to write the new trailer. This is not always equivalent to erasing the [img_off, + * img_off + sz) range when the trailer spreads across multiple sectors. + */ + rc = swap_erase_trailer_sectors(state, fap_primary_slot); + assert(rc == 0); + + /* Ensure the sector(s) containing the beginning of the trailer won't be erased twice */ + uint32_t trailer_sector_off = + boot_img_sector_off(state, BOOT_PRIMARY_SLOT, first_trailer_sector_primary); + + erase_sz = trailer_sector_off - img_off; + } + + if (erase_sz > 0) { + rc = boot_erase_region(fap_primary_slot, img_off, erase_sz); + assert(rc == 0); + } /* NOTE: If this is the final sector, we exclude the image trailer from * this copy (copy_sz was truncated earlier). @@ -867,19 +911,15 @@ int app_max_size(struct boot_loader_state *state) #else int app_max_size(struct boot_loader_state *state) { - const struct flash_area *fap; - int fa_id; - int rc; + const struct flash_area *fap = NULL; uint32_t active_slot; int primary_sz, secondary_sz; active_slot = state->slot_usage[BOOT_CURR_IMG(state)].active_slot; - fa_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), active_slot); - rc = flash_area_open(fa_id, &fap); - assert(rc == 0); + fap = BOOT_IMG_AREA(state, active_slot); + assert(fap != NULL); primary_sz = flash_area_get_size(fap); - flash_area_close(fap); if (active_slot == BOOT_PRIMARY_SLOT) { active_slot = BOOT_SECONDARY_SLOT; @@ -887,11 +927,9 @@ int app_max_size(struct boot_loader_state *state) active_slot = BOOT_PRIMARY_SLOT; } - fa_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), active_slot); - rc = flash_area_open(fa_id, &fap); - assert(rc == 0); + fap = BOOT_IMG_AREA(state, active_slot); + assert(fap != NULL); secondary_sz = flash_area_get_size(fap); - flash_area_close(fap); return (secondary_sz < primary_sz ? secondary_sz : primary_sz); } @@ -907,7 +945,6 @@ boot_read_image_header(struct boot_loader_state *state, int slot, uint32_t swap_count; uint32_t swap_size; #endif - int area_id; int hdr_slot; int rc = 0; @@ -926,7 +963,7 @@ boot_read_image_header(struct boot_loader_state *state, int slot, * other slot depending on the progress of the swap process. */ if (bs && !boot_status_is_reset(bs)) { - rc = boot_find_status(BOOT_CURR_IMG(state), &fap); + fap = boot_find_status(state, BOOT_CURR_IMG(state)); if (rc != 0) { rc = BOOT_EFLASH; @@ -966,19 +1003,16 @@ boot_read_image_header(struct boot_loader_state *state, int slot, } if (hdr_slot == BOOT_NUM_SLOTS) { - area_id = FLASH_AREA_IMAGE_SCRATCH; + fap = state->scratch.area; } else { - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), hdr_slot); + fap = BOOT_IMG_AREA(state, hdr_slot); } #else - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), hdr_slot); + fap = BOOT_IMG_AREA(state, hdr_slot); #endif + assert(fap != NULL); - rc = flash_area_open(area_id, &fap); - if (rc == 0) { - rc = flash_area_read(fap, 0, out_hdr, sizeof *out_hdr); - flash_area_close(fap); - } + rc = flash_area_read(fap, 0, out_hdr, sizeof *out_hdr); if (rc != 0) { rc = BOOT_EFLASH; @@ -989,4 +1023,4 @@ boot_read_image_header(struct boot_loader_state *state, int slot, return rc; } -#endif /* !MCUBOOT_SWAP_USING_MOVE */ +#endif /* !MCUBOOT_SWAP_USING_MOVE && !MCUBOOT_SWAP_USING_OFFSET */ diff --git a/boot/bootutil/src/tlv.c b/boot/bootutil/src/tlv.c index a763c9685..629bc235d 100644 --- a/boot/bootutil/src/tlv.c +++ b/boot/bootutil/src/tlv.c @@ -3,6 +3,7 @@ * * Copyright (c) 2019 JUUL Labs * Copyright (c) 2020 Arm Limited + * Copyright (c) 2025 Nordic Semiconductor ASA * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -46,7 +47,12 @@ bootutil_tlv_iter_begin(struct image_tlv_iter *it, const struct image_header *hd return -1; } +#if defined(MCUBOOT_SWAP_USING_OFFSET) + off_ = BOOT_TLV_OFF(hdr) + it->start_off; +#else off_ = BOOT_TLV_OFF(hdr); +#endif + if (LOAD_IMAGE_DATA(hdr, fap, off_, &info, sizeof(info))) { return -1; } diff --git a/boot/espressif/CMakeLists.txt b/boot/espressif/CMakeLists.txt index d1e18d2da..05358839c 100644 --- a/boot/espressif/CMakeLists.txt +++ b/boot/espressif/CMakeLists.txt @@ -14,6 +14,8 @@ endif() add_definitions(-DMCUBOOT_TARGET=${MCUBOOT_TARGET}) add_definitions(-D__ESPRESSIF__=1) +set(EXPECTED_IDF_HAL_VERSION "5.1.4") + if ("${MCUBOOT_TARGET}" STREQUAL "esp32" OR "${MCUBOOT_TARGET}" STREQUAL "esp32s2" OR "${MCUBOOT_TARGET}" STREQUAL "esp32s3") @@ -92,6 +94,25 @@ if (NOT DEFINED ESP_HAL_PATH) endif() endif() endif() +message(STATUS "Defined ESP_HAL_PATH: ${ESP_HAL_PATH}") + +# Verify from which IDF version the HAL is based on +set(IDF_VER_HEADER_FILE "${ESP_HAL_PATH}/components/esp_common/include/esp_idf_version.h") + +get_version_from_header("ESP_IDF_VERSION_MAJOR" ${IDF_VER_HEADER_FILE} IDF_VERSION_MAJOR) +get_version_from_header("ESP_IDF_VERSION_MINOR" ${IDF_VER_HEADER_FILE} IDF_VERSION_MINOR) +get_version_from_header("ESP_IDF_VERSION_PATCH" ${IDF_VER_HEADER_FILE} IDF_VERSION_PATCH) + +set(IDF_VERSION "${IDF_VERSION_MAJOR}.${IDF_VERSION_MINOR}.${IDF_VERSION_PATCH}") + +if (NOT IDF_VERSION VERSION_EQUAL ${EXPECTED_IDF_HAL_VERSION}) + message(FATAL_ERROR + "Unsupported HAL version ${IDF_VERSION}, expected ${EXPECTED_IDF_HAL_VERSION}. \ + Verify if the RTOS repository, where you are trying to build from, is up to date, \ + or check the installation pointed on ESP_HAL_PATH.") +else () + message(STATUS "HAL based on ESP-IDF version: ${IDF_VERSION}") +endif() execute_process( COMMAND git describe --tags diff --git a/boot/espressif/hal/include/esp32s3/sdkconfig.h b/boot/espressif/hal/include/esp32s3/sdkconfig.h index 25581c80d..9d5762358 100644 --- a/boot/espressif/hal/include/esp32s3/sdkconfig.h +++ b/boot/espressif/hal/include/esp32s3/sdkconfig.h @@ -25,3 +25,4 @@ #define CONFIG_EFUSE_VIRTUAL_OFFSET 0x250000 #define CONFIG_EFUSE_VIRTUAL_SIZE 0x2000 #define CONFIG_EFUSE_MAX_BLK_LEN 256 +#define CONFIG_BOOTLOADER_FLASH_XMC_SUPPORT 1 diff --git a/boot/espressif/hal/include/esp_mcuboot_image.h b/boot/espressif/hal/include/esp_mcuboot_image.h index baccf08fb..95b8a9c78 100644 --- a/boot/espressif/hal/include/esp_mcuboot_image.h +++ b/boot/espressif/hal/include/esp_mcuboot_image.h @@ -15,12 +15,25 @@ * for MCUboot-Espressif port booting. */ typedef struct esp_image_load_header { - uint32_t header_magic; /* Magic for load header */ - uint32_t entry_addr; /* Application entry address */ - uint32_t iram_dest_addr; /* Destination address(VMA) for IRAM region */ - uint32_t iram_flash_offset; /* Flash offset(LMA) for start of IRAM region */ - uint32_t iram_size; /* Size of IRAM region */ - uint32_t dram_dest_addr; /* Destination address(VMA) for DRAM region */ - uint32_t dram_flash_offset; /* Flash offset(LMA) for start of DRAM region */ - uint32_t dram_size; /* Size of DRAM region */ + uint32_t header_magic; /* Magic for load header */ + uint32_t entry_addr; /* Application entry address */ + uint32_t iram_dest_addr; /* Destination address(VMA) for IRAM region */ + uint32_t iram_flash_offset; /* Flash offset(LMA) for start of IRAM region */ + uint32_t iram_size; /* Size of IRAM region */ + uint32_t dram_dest_addr; /* Destination address(VMA) for DRAM region */ + uint32_t dram_flash_offset; /* Flash offset(LMA) for start of DRAM region */ + uint32_t dram_size; /* Size of DRAM region */ + uint32_t lp_rtc_iram_dest_addr; /* Destination address (VMA) for LP_IRAM region */ + uint32_t lp_rtc_iram_flash_offset; /* Flash offset (LMA) for LP_IRAM region */ + uint32_t lp_rtc_iram_size; /* Size of LP_IRAM region */ + uint32_t lp_rtc_dram_dest_addr; /* Destination address (VMA) for LP_DRAM region */ + uint32_t lp_rtc_dram_flash_offset; /* Flash offset (LMA) for LP_DRAM region */ + uint32_t lp_rtc_dram_size; /* Size of LP_DRAM region */ + uint32_t irom_map_addr; /* Mapped address (VMA) for IROM region */ + uint32_t irom_flash_offset; /* Flash offset (LMA) for IROM region */ + uint32_t irom_size; /* Size of IROM region */ + uint32_t drom_map_addr; /* Mapped address (VMA) for DROM region */ + uint32_t drom_flash_offset; /* Flash offset (LMA) for DROM region */ + uint32_t drom_size; /* Size of DROM region */ + uint32_t _reserved[4]; /* Up to 24 words reserved for the header */ } esp_image_load_header_t; diff --git a/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h b/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h index a299e3cfc..345ca57b8 100644 --- a/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h +++ b/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h @@ -45,23 +45,43 @@ * the default upgrade mode. */ -/* Uncomment to enable the overwrite-only code path. */ -/* #define MCUBOOT_OVERWRITE_ONLY */ +/* Define to enable the swap-using-move code path. */ +#if defined(CONFIG_ESP_BOOT_SWAP_USING_MOVE) +#define MCUBOOT_SWAP_USING_MOVE 1 +#endif -#ifdef MCUBOOT_OVERWRITE_ONLY +/* Define to enable the overwrite-only code path. */ +#if defined(CONFIG_ESP_BOOT_UPGRADE_ONLY) +#define MCUBOOT_OVERWRITE_ONLY /* Uncomment to only erase and overwrite those primary slot sectors needed * to install the new image, rather than the entire image slot. */ /* #define MCUBOOT_OVERWRITE_ONLY_FAST */ #endif -/* Uncomment to enable the direct-xip code path. */ -/* #define MCUBOOT_DIRECT_XIP */ +/* Define to enable the direct-xip code path (CURRENTLY UNSUPPORTED!). */ +#if defined(CONFIG_ESP_BOOT_DIRECT_XIP) +#define MCUBOOT_DIRECT_XIP +#endif -/* Define to enable the ram-load code path. */ -#if defined(CONFIG_BOOT_RAM_LOAD) +/* Define to enable the ram-load code path (CURRENTLY UNSUPPORTED!). */ +#if defined(CONFIG_ESP_BOOT_RAM_LOAD) #define MCUBOOT_RAM_LOAD #endif +/* If none of the above paths is defined, define CONFIG_ESP_BOOT_SWAP_USING_SCRATCH. + * + * Note: MCUBOOT_SWAP_USING_SCRATCH does not have to be defined, as it will be defined + * by MCUboot in bootutil_priv.h. + */ +#if !defined(CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) && \ + !defined(CONFIG_ESP_BOOT_SWAP_USING_MOVE) && \ + !defined(CONFIG_ESP_BOOT_UPGRADE_ONLY) && \ + !defined(CONFIG_ESP_BOOT_DIRECT_XIP) && \ + !defined(CONFIG_ESP_BOOT_RAM_LOAD) +#define CONFIG_ESP_BOOT_SWAP_USING_SCRATCH +#endif + + /* * Cryptographic settings * diff --git a/boot/espressif/hal/src/flash_encrypt.c b/boot/espressif/hal/src/flash_encrypt.c index d064d8b7b..3996d0e7a 100644 --- a/boot/espressif/hal/src/flash_encrypt.c +++ b/boot/espressif/hal/src/flash_encrypt.c @@ -307,12 +307,15 @@ esp_err_t esp_flash_encrypt_contents(void) if (err != ESP_OK) { return err; } + +#ifdef CONFIG_ESP_BOOT_SWAP_USING_SCRATCH region_addr = CONFIG_ESP_SCRATCH_OFFSET; region_size = CONFIG_ESP_SCRATCH_SIZE; err = esp_flash_encrypt_region(region_addr, region_size); if (err != ESP_OK) { return err; } +#endif #if defined(CONFIG_ESP_IMAGE_NUMBER) && (CONFIG_ESP_IMAGE_NUMBER == 2) region_addr = CONFIG_ESP_IMAGE1_PRIMARY_START_ADDRESS; diff --git a/boot/espressif/port/esp32/bootloader-multi.conf b/boot/espressif/port/esp32/bootloader-multi.conf index ad3355ec2..29e2073f6 100644 --- a/boot/espressif/port/esp32/bootloader-multi.conf +++ b/boot/espressif/port/esp32/bootloader-multi.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x1000 diff --git a/boot/espressif/port/esp32/bootloader.conf b/boot/espressif/port/esp32/bootloader.conf index 8f555ec57..5a59a422a 100644 --- a/boot/espressif/port/esp32/bootloader.conf +++ b/boot/espressif/port/esp32/bootloader.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x1000 diff --git a/boot/espressif/port/esp32c2/bootloader.conf b/boot/espressif/port/esp32c2/bootloader.conf index 54f797e71..8f6886023 100644 --- a/boot/espressif/port/esp32c2/bootloader.conf +++ b/boot/espressif/port/esp32c2/bootloader.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x0000 diff --git a/boot/espressif/port/esp32c3/bootloader.conf b/boot/espressif/port/esp32c3/bootloader.conf index 88954eea0..8ebd1b40e 100644 --- a/boot/espressif/port/esp32c3/bootloader.conf +++ b/boot/espressif/port/esp32c3/bootloader.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x0000 diff --git a/boot/espressif/port/esp32c6/bootloader.conf b/boot/espressif/port/esp32c6/bootloader.conf index 5c5307c9c..e92ddcc22 100644 --- a/boot/espressif/port/esp32c6/bootloader.conf +++ b/boot/espressif/port/esp32c6/bootloader.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x0000 diff --git a/boot/espressif/port/esp32h2/bootloader.conf b/boot/espressif/port/esp32h2/bootloader.conf index 5c5307c9c..e92ddcc22 100644 --- a/boot/espressif/port/esp32h2/bootloader.conf +++ b/boot/espressif/port/esp32h2/bootloader.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x0000 diff --git a/boot/espressif/port/esp32s2/bootloader.conf b/boot/espressif/port/esp32s2/bootloader.conf index 485ba77e1..981be59a1 100644 --- a/boot/espressif/port/esp32s2/bootloader.conf +++ b/boot/espressif/port/esp32s2/bootloader.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x1000 diff --git a/boot/espressif/port/esp32s2/ld/bootloader.ld b/boot/espressif/port/esp32s2/ld/bootloader.ld index cf159c312..b615b73c5 100644 --- a/boot/espressif/port/esp32s2/ld/bootloader.ld +++ b/boot/espressif/port/esp32s2/ld/bootloader.ld @@ -14,7 +14,7 @@ MEMORY { iram_seg (RWX) : org = 0x40047000, len = 0x9000 iram_loader_seg (RWX) : org = 0x40050000, len = 0x6000 - dram_seg (RW) : org = 0x3FFE6000, len = 0x9000 + dram_seg (RW) : org = 0x3FFE6000, len = 0x9A00 } /* Default entry point: */ diff --git a/boot/espressif/port/esp32s3/bootloader-multi.conf b/boot/espressif/port/esp32s3/bootloader-multi.conf index 21c3457a4..f82b5e235 100644 --- a/boot/espressif/port/esp32s3/bootloader-multi.conf +++ b/boot/espressif/port/esp32s3/bootloader-multi.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x0000 diff --git a/boot/espressif/port/esp32s3/bootloader.conf b/boot/espressif/port/esp32s3/bootloader.conf index 138737dfb..a45c0cd19 100644 --- a/boot/espressif/port/esp32s3/bootloader.conf +++ b/boot/espressif/port/esp32s3/bootloader.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x0000 diff --git a/boot/espressif/port/esp_loader.c b/boot/espressif/port/esp_loader.c index 907466521..8180bc516 100644 --- a/boot/espressif/port/esp_loader.c +++ b/boot/espressif/port/esp_loader.c @@ -23,6 +23,24 @@ #include "app_cpu_start.h" #endif +#include "esp_rom_sys.h" +#include "esp_cpu.h" + +#if CONFIG_IDF_TARGET_ESP32 +#define LP_RTC_PREFIX "RTC" +#elif CONFIG_IDF_TARGET_ESP32S2 +#define LP_RTC_PREFIX "RTC" +#elif CONFIG_IDF_TARGET_ESP32S3 +#define LP_RTC_PREFIX "RTC" +#elif CONFIG_IDF_TARGET_ESP32C2 +#elif CONFIG_IDF_TARGET_ESP32C3 +#define LP_RTC_PREFIX "RTC" +#elif CONFIG_IDF_TARGET_ESP32C6 +#define LP_RTC_PREFIX "LP" +#elif CONFIG_IDF_TARGET_ESP32H2 +#define LP_RTC_PREFIX "LP" +#endif + static int load_segment(const struct flash_area *fap, uint32_t data_addr, uint32_t data_len, uint32_t load_addr) { const uint32_t *data = (const uint32_t *)bootloader_mmap((fap->fa_off + data_addr), data_len); @@ -69,6 +87,26 @@ void esp_app_image_load(int image_index, int slot, unsigned int hdr_offset, unsi FIH_PANIC; } +#if SOC_RTC_FAST_MEM_SUPPORTED + if (load_header.lp_rtc_iram_size > 0) { + if (!esp_ptr_in_rtc_iram_fast((void *)load_header.lp_rtc_iram_dest_addr) || + !esp_ptr_in_rtc_iram_fast((void *)(load_header.lp_rtc_iram_dest_addr + load_header.lp_rtc_iram_size))) { + BOOT_LOG_ERR("%s_IRAM region in load header is not valid. Aborting", LP_RTC_PREFIX); + FIH_PANIC; + } + } +#endif + +#if SOC_RTC_SLOW_MEM_SUPPORTED + if (load_header.lp_rtc_dram_size > 0) { + if (!esp_ptr_in_rtc_slow((void *)load_header.lp_rtc_dram_dest_addr) || + !esp_ptr_in_rtc_slow((void *)(load_header.lp_rtc_dram_dest_addr + load_header.lp_rtc_dram_size))) { + BOOT_LOG_ERR("%s_RAM region in load header is not valid. Aborting %p", LP_RTC_PREFIX, load_header.lp_rtc_dram_dest_addr); + FIH_PANIC; + } + } +#endif + if (!esp_ptr_in_iram((void *)load_header.entry_addr)) { BOOT_LOG_ERR("Application entry point (0x%x) is not in IRAM. Aborting", load_header.entry_addr); FIH_PANIC; @@ -80,6 +118,33 @@ void esp_app_image_load(int image_index, int slot, unsigned int hdr_offset, unsi BOOT_LOG_INF("IRAM segment: start=0x%x, size=0x%x, vaddr=0x%x", fap->fa_off + load_header.iram_flash_offset, load_header.iram_size, load_header.iram_dest_addr); load_segment(fap, load_header.iram_flash_offset, load_header.iram_size, load_header.iram_dest_addr); +#if SOC_RTC_FAST_MEM_SUPPORTED || SOC_RTC_SLOW_MEM_SUPPORTED + if (load_header.lp_rtc_dram_size > 0) { + soc_reset_reason_t reset_reason = esp_rom_get_reset_reason(0); + + /* Unless waking from deep sleep (implying RTC memory is intact), load its segments */ + if (reset_reason != RESET_REASON_CORE_DEEP_SLEEP) { + BOOT_LOG_INF("%s_RAM segment: paddr=%08xh, vaddr=%08xh, size=%05xh (%6d) load", LP_RTC_PREFIX, + (fap->fa_off + load_header.lp_rtc_dram_flash_offset), load_header.lp_rtc_dram_dest_addr, + load_header.lp_rtc_dram_size, load_header.lp_rtc_dram_size); + load_segment(fap, load_header.lp_rtc_dram_flash_offset, + load_header.lp_rtc_dram_size, load_header.lp_rtc_dram_dest_addr); + } else { + BOOT_LOG_INF("%s_RAM segment: paddr=%08xh, vaddr=%08xh, size=%05xh (%6d) noload", LP_RTC_PREFIX, + load_header.lp_rtc_dram_flash_offset, load_header.lp_rtc_dram_dest_addr, + load_header.lp_rtc_dram_size, load_header.lp_rtc_dram_size); + } + } + + if (load_header.lp_rtc_iram_size > 0) { + BOOT_LOG_INF("%s_IRAM segment: paddr=%08xh, vaddr=%08xh, size=%05xh (%6d) load", LP_RTC_PREFIX, + (fap->fa_off + load_header.lp_rtc_iram_flash_offset), load_header.lp_rtc_iram_dest_addr, + load_header.lp_rtc_iram_size, load_header.lp_rtc_iram_size); + load_segment(fap, load_header.lp_rtc_iram_flash_offset, + load_header.lp_rtc_iram_size, load_header.lp_rtc_iram_dest_addr); + } +#endif + BOOT_LOG_INF("start=0x%x", load_header.entry_addr); uart_tx_wait_idle(0); diff --git a/boot/espressif/port/esp_mcuboot.c b/boot/espressif/port/esp_mcuboot.c index 0ee9e388b..9bbd5a9f2 100644 --- a/boot/espressif/port/esp_mcuboot.c +++ b/boot/espressif/port/esp_mcuboot.c @@ -15,6 +15,7 @@ #include "esp_err.h" #include "bootloader_flash_priv.h" #include "esp_flash_encrypt.h" +#include "mcuboot_config/mcuboot_config.h" #include "flash_map_backend/flash_map_backend.h" #include "sysflash/sysflash.h" @@ -49,16 +50,19 @@ _Static_assert(IS_ALIGNED(FLASH_BUFFER_SIZE, 4), "Buffer size for SPI Flash oper #define BOOTLOADER_START_ADDRESS CONFIG_BOOTLOADER_OFFSET_IN_FLASH #define BOOTLOADER_SIZE CONFIG_ESP_BOOTLOADER_SIZE + #define IMAGE0_PRIMARY_START_ADDRESS CONFIG_ESP_IMAGE0_PRIMARY_START_ADDRESS #define IMAGE0_SECONDARY_START_ADDRESS CONFIG_ESP_IMAGE0_SECONDARY_START_ADDRESS -#define SCRATCH_OFFSET CONFIG_ESP_SCRATCH_OFFSET #if (MCUBOOT_IMAGE_NUMBER == 2) #define IMAGE1_PRIMARY_START_ADDRESS CONFIG_ESP_IMAGE1_PRIMARY_START_ADDRESS #define IMAGE1_SECONDARY_START_ADDRESS CONFIG_ESP_IMAGE1_SECONDARY_START_ADDRESS #endif - #define APPLICATION_SIZE CONFIG_ESP_APPLICATION_SIZE + +#ifdef CONFIG_ESP_BOOT_SWAP_USING_SCRATCH +#define SCRATCH_OFFSET CONFIG_ESP_SCRATCH_OFFSET #define SCRATCH_SIZE CONFIG_ESP_SCRATCH_SIZE +#endif extern int ets_printf(const char *fmt, ...); @@ -99,12 +103,14 @@ static const struct flash_area secondary_img1 = { }; #endif +#ifdef CONFIG_ESP_BOOT_SWAP_USING_SCRATCH static const struct flash_area scratch_img0 = { .fa_id = FLASH_AREA_IMAGE_SCRATCH, .fa_device_id = FLASH_DEVICE_INTERNAL_FLASH, .fa_off = SCRATCH_OFFSET, .fa_size = SCRATCH_SIZE, }; +#endif static const struct flash_area *s_flash_areas[] = { &bootloader, @@ -114,7 +120,9 @@ static const struct flash_area *s_flash_areas[] = { &primary_img1, &secondary_img1, #endif +#ifdef CONFIG_ESP_BOOT_SWAP_USING_SCRATCH &scratch_img0, +#endif }; static const struct flash_area *prv_lookup_flash_area(uint8_t id) { diff --git a/boot/espressif/tools/utils.cmake b/boot/espressif/tools/utils.cmake index 238b30eb2..965571fda 100644 --- a/boot/espressif/tools/utils.cmake +++ b/boot/espressif/tools/utils.cmake @@ -29,3 +29,16 @@ function(parse_and_set_config_file CONFIG_FILE) endif() endforeach() endfunction() + +# Auxiliar function to get IDF version from esp_idf_version.h file +function(get_version_from_header VAR_NAME HEADER_FILE VERSION_OUT) + # Read the header file and extract the value of the specified macro + file(READ "${HEADER_FILE}" CONTENTS) + string(REGEX MATCH "#define ${VAR_NAME}[ ]+([0-9]+)" MATCH "${CONTENTS}") + if(MATCH) + string(REGEX REPLACE "#define ${VAR_NAME}[ ]+([0-9]+)" "\\1" VERSION "${MATCH}") + set(${VERSION_OUT} "${VERSION}" PARENT_SCOPE) + else() + message(FATAL_ERROR "Could not find ${VAR_NAME} in ${HEADER_FILE}") + endif() +endfunction() diff --git a/boot/mbed/CMakeLists.txt b/boot/mbed/CMakeLists.txt index 8baa2628e..05199c380 100644 --- a/boot/mbed/CMakeLists.txt +++ b/boot/mbed/CMakeLists.txt @@ -1,10 +1,11 @@ # Copyright (c) 2021 ARM Limited. All rights reserved. # SPDX-License-Identifier: Apache-2.0 -# Mbed-MCUboot Port +# Pull in functions for working with imgtool +include(mcuboot_imgtool.cmake) +# Mbed-MCUboot Port cmake_minimum_required(VERSION 3.19.0 FATAL_ERROR) - get_filename_component(BOOT_UTIL_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../bootutil REALPATH) set(LIB_TARGET mbed-mcuboot) @@ -13,49 +14,46 @@ set(LIB_BOOTUTIL bootutil) add_library(${LIB_TARGET} STATIC) target_include_directories(${LIB_TARGET} - PUBLIC - include - ${BOOT_UTIL_DIR}/include - ${BOOT_UTIL_DIR}/src + PUBLIC + include + ${BOOT_UTIL_DIR}/src ) target_sources(${LIB_TARGET} - PRIVATE - mcuboot_main.cpp - app_enc_keys.c - src/flash_map_backend.cpp - src/secondary_bd.cpp + PRIVATE + mcuboot_main.cpp + app_enc_keys.c + src/flash_map_backend.cpp + src/secondary_bd.cpp ) target_link_libraries(${LIB_TARGET} - PUBLIC - bootutil # Cross-dependency - mbed-mbedtls - mbed-storage-flashiap - mbed-storage-blockdevice + PUBLIC + bootutil # Cross-dependency + mbed-mbedtls + mbed-storage-flashiap + mbed-storage-blockdevice + mbed-core-flags ) -if("_RTE_" IN_LIST MBED_CONFIG_DEFINITIONS) - target_link_libraries(${LIB_TARGET} - PUBLIC - mbed-os - ) -else() - target_link_libraries(${LIB_TARGET} - PUBLIC - mbed-baremetal - ) +# Add signing key generated source file +mcuboot_generate_signing_keys_file(${CMAKE_CURRENT_BINARY_DIR}/signing_keys.c) +target_sources(${LIB_TARGET} PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/signing_keys.c) + +if("MCUBOOT_ENCRYPT_RSA=1" IN_LIST MBED_CONFIG_DEFINITIONS) + mcuboot_generate_encryption_key_file(${CMAKE_CURRENT_BINARY_DIR}/enc_keys.c) + target_sources(${LIB_TARGET} PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/enc_keys.c) endif() # The cross-dependency requires that bootutil have access to the mbed port's # include directory and is linked with the appropriate mbed-specific libraries. target_include_directories(${LIB_BOOTUTIL} - PUBLIC - include + PUBLIC + include ) target_link_libraries(${LIB_BOOTUTIL} - PUBLIC - mbed-mcuboot - mbed-mbedtls + PUBLIC + mbed-mcuboot + mbed-mbedtls ) diff --git a/boot/mbed/include/flash_map_backend/flash_map_backend.h b/boot/mbed/include/flash_map_backend/flash_map_backend.h index d526c5cfa..c8a9e3745 100644 --- a/boot/mbed/include/flash_map_backend/flash_map_backend.h +++ b/boot/mbed/include/flash_map_backend/flash_map_backend.h @@ -152,6 +152,11 @@ uint8_t flash_area_erased_val(const struct flash_area * fap); /* * Given flash area ID, return info about sectors within the area. + * + * Note: the sectors array has size MCUBOOT_MAX_IMG_SECTORS, and only that many elements should + * be stored into it. However, if the flash area has more than MCUBOOT_MAX_IMG_SECTORS sectors, + * the count variable should be set to indicate the real sector count. This will trigger the appropriate + * warning to be printed. */ int flash_area_get_sectors(int fa_id, uint32_t *count, struct flash_sector *sectors); diff --git a/boot/mbed/include/mcuboot_config/mcuboot_logging.h b/boot/mbed/include/mcuboot_config/mcuboot_logging.h index c6a1cf78a..e80b0a76f 100644 --- a/boot/mbed/include/mcuboot_config/mcuboot_logging.h +++ b/boot/mbed/include/mcuboot_config/mcuboot_logging.h @@ -36,6 +36,8 @@ #define MCUBOOT_LOG_LEVEL MCUBOOT_LOG_LEVEL_OFF #endif +// Set Mbed log level appropriately if not already set +#ifndef MBED_TRACE_MAX_LEVEL #if MCUBOOT_LOG_LEVEL == MCUBOOT_LOG_LEVEL_ERROR #define MBED_TRACE_MAX_LEVEL TRACE_LEVEL_ERROR #elif MCUBOOT_LOG_LEVEL == MCUBOOT_LOG_LEVEL_WARNING @@ -45,6 +47,7 @@ #elif MCUBOOT_LOG_LEVEL == MCUBOOT_LOG_LEVEL_DEBUG #define MBED_TRACE_MAX_LEVEL TRACE_LEVEL_DEBUG #endif +#endif #define TRACE_GROUP "MCUb" #include "mbed-trace/mbed_trace.h" diff --git a/boot/mbed/mbed_lib.json b/boot/mbed/mbed_lib.json index f5b7b6743..f7c7ff14f 100644 --- a/boot/mbed/mbed_lib.json +++ b/boot/mbed/mbed_lib.json @@ -88,7 +88,7 @@ "value": true }, "max-img-sectors": { - "help": "Maximum number of flash sectors per image slot. Target-dependent, please set on a per-target basis.", + "help": "Maximum number of flash sectors per image slot. This should be set to account for the sector sizes of both the main and secondary block devices. Target-dependent, please set on a per-target basis.", "macro_name": "MCUBOOT_MAX_IMG_SECTORS", "required": true }, @@ -119,7 +119,7 @@ "value": null }, "encrypt-rsa": { - "help": "Encrypt images using RSA (NOT TESTED)", + "help": "Encrypt update images using RSA", "macro_name": "MCUBOOT_ENCRYPT_RSA", "accepted_values": [true, null], "value": null @@ -189,6 +189,11 @@ "xip-secondary-slot-address": { "help": "Specify start address for secondary slot address in XIP-accessible memory. This is required if direct-xip is enabled.", "value": null + }, + "flash-block-size": { + "help": "Size in bytes of a programmable block of the flash memory.", + "macro_name": "MCUBOOT_BOOT_MAX_ALIGN", + "value": 8 } } } diff --git a/boot/mbed/mcuboot_imgtool.cmake b/boot/mbed/mcuboot_imgtool.cmake new file mode 100644 index 000000000..9760196fe --- /dev/null +++ b/boot/mbed/mcuboot_imgtool.cmake @@ -0,0 +1,219 @@ +# Copyright (c) 2024 Jamie Smith +# SPDX-License-Identifier: Apache-2.0 + +check_python_package(imgtool.main MCUBOOT_IMGTOOL_FOUND) + +get_filename_component(IMGTOOL_SCRIPTS_DIR ${CMAKE_CURRENT_LIST_DIR}/../../scripts REALPATH) + +# Find or install imgtool + +if(NOT MCUBOOT_IMGTOOL_FOUND) + # If we are using the Mbed venv, we can install asn1tools automatically + if(MBED_CREATE_PYTHON_VENV) + message(STATUS "mcuboot: Installing imgtool into Mbed's Python virtualenv") + execute_process( + COMMAND ${Python3_EXECUTABLE} -m pip install ${IMGTOOL_SCRIPTS_DIR} + COMMAND_ERROR_IS_FATAL ANY + ) + else() + message(FATAL_ERROR "The mcuboot imgtool python package needs to be installed (from mcuboot/scripts/) into Mbed's python interpreter (${Python3_EXECUTABLE})") + endif() +endif() + +# Signing key +set(MCUBOOT_SIGNING_KEY "" CACHE STRING "Path to key file (.pem) used to sign firmware updates for your device. The public key will be stored in the bootloader. This file must be kept safe!") + +# Make sure the signing key path is absolute for EXISTS, relative to the top level build dir +get_filename_component(MCUBOOT_SIGNING_KEY_ABSPATH "${MCUBOOT_SIGNING_KEY}" ABSOLUTE BASE_DIR ${CMAKE_SOURCE_DIR}) +set(MCUBOOT_SIGNING_KEY_ABSPATH ${MCUBOOT_SIGNING_KEY_ABSPATH} CACHE INTERNAL "Absolute version of MCUBOOT_SIGNING_KEY" FORCE) + +if("${MCUBOOT_SIGNING_KEY}" STREQUAL "" OR NOT EXISTS "${MCUBOOT_SIGNING_KEY_ABSPATH}") + message(FATAL_ERROR "Must specify path to valid image signing key via MCUBOOT_SIGNING_KEY CMake option in order to build this project.") +endif() + +# Encryption key +if("MCUBOOT_ENCRYPT_RSA=1" IN_LIST MBED_CONFIG_DEFINITIONS) + set(MCUBOOT_ENCRYPTION_KEY "" CACHE STRING "Path to key file (.pem) used to encrypt firmware updates for your device. The private key will be stored in the bootloader. This file must be kept safe!") + + # Make sure the signing key path is absolute for EXISTS, relative to the top level build dir + get_filename_component(MCUBOOT_ENCRYPTION_KEY_ABSPATH "${MCUBOOT_ENCRYPTION_KEY}" ABSOLUTE BASE_DIR ${CMAKE_SOURCE_DIR}) + set(MCUBOOT_ENCRYPTION_KEY_ABSPATH ${MCUBOOT_ENCRYPTION_KEY_ABSPATH} CACHE INTERNAL "Absolute version of MCUBOOT_ENCRYPTION_KEY" FORCE) + + if("${MCUBOOT_ENCRYPTION_KEY}" STREQUAL "" OR NOT EXISTS "${MCUBOOT_ENCRYPTION_KEY_ABSPATH}") + message(FATAL_ERROR "Since mcuboot.encrypt-rsa is enabled, you must specify the path to a valid image encryption key via the MCUBOOT_ENCRYPTION_KEY CMake option in order to build this project.") + endif() +endif() + +# Imgtool usage functions + +# +# Generate a signed image hex file for the given executable target. +# +function(_mcuboot_generate_image TARGET IMAGE_TYPE IMAGE_BASE_PATH) + if("${MBED_OUTPUT_EXT}" STREQUAL "bin") + message(FATAL_ERROR "Hex file output must be enabled to use mcuboot. Set MBED_OUTPUT_EXT to empty string after including app.cmake in your top level CMakeLists.txt!") + endif() + + if("${PROJECT_VERSION}" STREQUAL "") + message(FATAL_ERROR "You must set the project version to sign images by passing a version number into your app's project() command!") + endif() + + # mbed_generate_bin_hex() puts the hex file at the following path + set(TARGET_HEX_FILE ${CMAKE_CURRENT_BINARY_DIR}/$.hex) + + # Grab header size + if(NOT "${MBED_CONFIG_DEFINITIONS}" MATCHES "MCUBOOT_HEADER_SIZE=(0x[0-9A-Fa-f]+)") + message(FATAL_ERROR "Couldn't find MCUBOOT_HEADER_SIZE in Mbed configuration!") + endif() + set(HEADER_SIZE_HEX ${CMAKE_MATCH_1}) + + # Grab slot size + if(NOT "${MBED_CONFIG_DEFINITIONS}" MATCHES "MCUBOOT_SLOT_SIZE=(0x[0-9A-Fa-f]+)") + message(FATAL_ERROR "Couldn't find MCUBOOT_SLOT_SIZE in Mbed configuration!") + endif() + set(SLOT_SIZE_HEX ${CMAKE_MATCH_1}) + + get_property(objcopy GLOBAL PROPERTY ELF2BIN) + + if(${IMAGE_TYPE} STREQUAL "update" AND "MCUBOOT_ENCRYPT_RSA=1" IN_LIST MBED_CONFIG_DEFINITIONS) + set(IMGTOOL_EXTRA_ARGS --encrypt ${MCUBOOT_ENCRYPTION_KEY_ABSPATH}) + elseif(${IMAGE_TYPE} STREQUAL "initial" AND "MCUBOOT_ENCRYPT_RSA=1" IN_LIST MBED_CONFIG_DEFINITIONS) + # If encryption is enabled, generate unencrypted initial image which supports encryption. + # See https://github.com/mbed-ce/mbed-os/issues/401#issuecomment-2567099213 + set(IMGTOOL_EXTRA_ARGS --clear) + else() + set(IMGTOOL_EXTRA_ARGS "") + endif() + + add_custom_command( + TARGET ${TARGET} + POST_BUILD + DEPENDS ${MCUBOOT_SIGNING_KEY_ABSPATH} + COMMAND + ${Python3_EXECUTABLE} -m imgtool.main + sign + --key ${MCUBOOT_SIGNING_KEY_ABSPATH} # this specifies the file containing the keys used to sign/verify the application + --align 4 # this lets mcuboot know the intrinsic alignment of the flash (32-bits = 4 byte alignment) + --version ${PROJECT_VERSION} # this sets the version number of the application + --header-size ${HEADER_SIZE_HEX} # this must be the same as the value specified in mcuboot.header-size configuration + --pad-header # this tells imgtool to insert the entire header, including any necessary padding bytes. + --slot-size ${SLOT_SIZE_HEX} # this specifies the maximum size of the application ("slot size"). It must be the same as the configured mcuboot.slot-size! + ${IMGTOOL_EXTRA_ARGS} + ${TARGET_HEX_FILE} ${IMAGE_BASE_PATH}.hex + + COMMAND + ${CMAKE_COMMAND} -E echo "-- built: ${IMAGE_BASE_PATH}.hex" + + # Also generate bin file + COMMAND + ${objcopy} -I ihex -O binary ${IMAGE_BASE_PATH}.hex ${IMAGE_BASE_PATH}.bin + + COMMAND + ${CMAKE_COMMAND} -E echo "-- built: ${IMAGE_BASE_PATH}.bin" + + COMMENT "Generating mcuboot ${IMAGE_TYPE} image for ${TARGET}..." + WORKING_DIRECTORY ${CMAKE_BINARY_DIR} + VERBATIM + ) +endfunction(_mcuboot_generate_image) + +# +# Generate an initial image hex file for the given executable target. +# This initial image is what should be flashed to a blank device (along with the bootloader). +# A flash target (ninja flash-${TARGET}-initial-image) will also be created. +# +# NOTE: This function must be called *after* mbed_set_post_build() for the target! +# +# If you wish to specify the base name of the initial image, pass that as the second argument to +# this function. Otherwise, it will default to $-initial-image +# +function(mcuboot_generate_initial_image TARGET) # optional 2nd arg: initial image base filename + # Figure out file path + if("${ARGN}" STREQUAL "") + set(INITIAL_IMAGE_BASE_PATH ${CMAKE_CURRENT_BINARY_DIR}/$-initial-image) + else() + set(INITIAL_IMAGE_BASE_PATH ${CMAKE_CURRENT_BINARY_DIR}/${ARGN}) + endif() + + _mcuboot_generate_image(${TARGET} initial ${INITIAL_IMAGE_BASE_PATH}) + + # Create a flash target. + # We need to be slightly creative here -- Mbed thinks that the application start address + # is +
, but we actually want to upload to . + # So we need to temporarily override MBED_UPLOAD_BASE_ADDR with an offset value + if(NOT "${MBED_CONFIG_DEFINITIONS}" MATCHES "MCUBOOT_HEADER_SIZE=(0x[0-9A-Fa-f]+)") + message(FATAL_ERROR "Couldn't find MCUBOOT_HEADER_SIZE in Mbed configuration!") + endif() + set(HEADER_SIZE_HEX ${CMAKE_MATCH_1}) + math(EXPR MBED_UPLOAD_BASE_ADDR "${MBED_UPLOAD_BASE_ADDR} - ${HEADER_SIZE_HEX}" OUTPUT_FORMAT HEXADECIMAL) + + gen_upload_target(${TARGET}-initial-image ${INITIAL_IMAGE_BASE_PATH}.bin) + if(TARGET flash-${TARGET}-initial-image) + add_dependencies(flash-${TARGET}-initial-image ${TARGET}) + endif() +endfunction(mcuboot_generate_initial_image) + +# +# Generate an update image hex file for the given executable target. +# This image is what should be flashed to the secondary block device and passed to +# mcuboot as an update file. +# +# NOTE: This function must be called *after* mbed_set_post_build() for the target! +# +# NOTE 2: The hex file produced by this function will still "declare" its address as the primary slot +# address. This can cause issues if you pass it to a tool that uses this offset to decide where to load it. +# If this is a problem, we recommend the "arm-none-eabi-objcopy --change-addresses" command to change this address. +# +# If you wish to specify the base name of the update image, pass that as the second argument to +# this function. Otherwise, it will default to $-update-image +# +function(mcuboot_generate_update_image TARGET) # optional 2nd arg: update image base filename + # Figure out file path + if("${ARGN}" STREQUAL "") + set(UPDATE_IMAGE_BASE_PATH ${CMAKE_CURRENT_BINARY_DIR}/$-update-image) + else() + set(UPDATE_IMAGE_BASE_PATH${CMAKE_CURRENT_BINARY_DIR}/${ARGN}) + endif() + + _mcuboot_generate_image(${TARGET} update ${UPDATE_IMAGE_BASE_PATH}) +endfunction(mcuboot_generate_update_image) + +# +# Generate a C source file with signing keys in it at the given location. +# The file should be added as a source file to a library built in the same directory. +# +function(mcuboot_generate_signing_keys_file SIGNING_KEYS_C_PATH) + add_custom_command( + OUTPUT ${SIGNING_KEYS_C_PATH} + COMMAND + ${Python3_EXECUTABLE} -m imgtool.main + getpub + --key ${MCUBOOT_SIGNING_KEY_ABSPATH} + --output ${SIGNING_KEYS_C_PATH} + + DEPENDS ${MCUBOOT_SIGNING_KEY_ABSPATH} + COMMENT "Converting signing key to C source..." + WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} + VERBATIM + ) +endfunction(mcuboot_generate_signing_keys_file) + +# +# Generate a C source file with the encryption private key in it at the given location. +# The file should be added as a source file to a library built in the same directory. +# +function(mcuboot_generate_encryption_key_file ENC_KEY_C_PATH) + add_custom_command( + OUTPUT ${ENC_KEY_C_PATH} + COMMAND + ${Python3_EXECUTABLE} -m imgtool.main + getpriv + --key ${MCUBOOT_SIGNING_KEY_ABSPATH} + > ${ENC_KEY_C_PATH} + + DEPENDS ${MCUBOOT_SIGNING_KEY_ABSPATH} + COMMENT "Converting encryption key to C source..." + WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} + VERBATIM + ) +endfunction(mcuboot_generate_encryption_key_file) \ No newline at end of file diff --git a/boot/mbed/mcuboot_main.cpp b/boot/mbed/mcuboot_main.cpp index bf95e3abf..3c31bdf49 100644 --- a/boot/mbed/mcuboot_main.cpp +++ b/boot/mbed/mcuboot_main.cpp @@ -19,6 +19,7 @@ #if MCUBOOT_BOOTLOADER_BUILD #include +#include #include "bootutil/bootutil.h" #include "bootutil/image.h" #include "hal/serial_api.h" @@ -83,7 +84,7 @@ int main() // Workaround: The extra \n ensures the last trace gets flushed // before mbed_start_application() destroys the stack and jumps // to the application - tr_info("Booting firmware image at 0x%x\n", address); + tr_info("Booting firmware image at 0x%" PRIx32 "\n", address); // Run the application in the primary slot // Add header size offset to calculate the actual start address of application diff --git a/boot/mbed/src/flash_map_backend.cpp b/boot/mbed/src/flash_map_backend.cpp index 955ac42b6..d673e5038 100644 --- a/boot/mbed/src/flash_map_backend.cpp +++ b/boot/mbed/src/flash_map_backend.cpp @@ -18,6 +18,7 @@ #include #include +#include #include "flash_map_backend/flash_map_backend.h" #include "flash_map_backend/secondary_bd.h" #include "sysflash/sysflash.h" @@ -142,7 +143,7 @@ int flash_area_read(const struct flash_area* fap, uint32_t off, void* dst, uint3 return -1; } if (MCUBOOT_READ_GRANULARITY < read_size) { - MCUBOOT_LOG_ERR("Please increase MCUBOOT_READ_GRANULARITY (currently %u) to be at least %u", + MCUBOOT_LOG_ERR("Please increase MCUBOOT_READ_GRANULARITY (currently %u) to be at least %" PRIu32, MCUBOOT_READ_GRANULARITY, read_size); return -1; } @@ -214,11 +215,14 @@ int flash_area_get_sectors(int fa_id, uint32_t* count, struct flash_sector* sect /* Loop through sectors and collect information on them */ bd_addr_t offset = 0; *count = 0; - while (*count < MCUBOOT_MAX_IMG_SECTORS && bd->is_valid_read(offset, bd->get_read_size())) { + while (bd->is_valid_read(offset, bd->get_read_size())) { - sectors[*count].fs_off = offset; bd_size_t erase_size = bd->get_erase_size(offset); - sectors[*count].fs_size = erase_size; + + if (*count < MCUBOOT_MAX_IMG_SECTORS) { + sectors[*count].fs_off = offset; + sectors[*count].fs_size = erase_size; + } offset += erase_size; *count += 1; diff --git a/boot/mynewt/flash_map_backend/include/flash_map_backend/flash_map_backend.h b/boot/mynewt/flash_map_backend/include/flash_map_backend/flash_map_backend.h index 368651019..5adea1a1a 100644 --- a/boot/mynewt/flash_map_backend/include/flash_map_backend/flash_map_backend.h +++ b/boot/mynewt/flash_map_backend/include/flash_map_backend/flash_map_backend.h @@ -83,4 +83,9 @@ static inline uint32_t flash_sector_get_off(const struct flash_sector *fs) return fs->fs_off; } +static inline uint32_t flash_sector_get_size(const struct flash_sector *fs) +{ + return fs->fs_size; +} + #endif /* __FLASH_MAP_BACKEND_H__ */ diff --git a/boot/mynewt/src/single_loader.c b/boot/mynewt/src/single_loader.c index 564d7489e..394fc372a 100644 --- a/boot/mynewt/src/single_loader.c +++ b/boot/mynewt/src/single_loader.c @@ -51,7 +51,7 @@ boot_image_validate(const struct flash_area *fa_p, */ hdr->ih_flags &= ~(ENCRYPTIONFLAGS); } - FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, hdr, fa_p, tmpbuf, + FIH_CALL(bootutil_img_validate, fih_rc, NULL, hdr, fa_p, tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, NULL); FIH_RET(fih_rc); diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 537a7580c..7b291a37b 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -7,6 +7,12 @@ cmake_minimum_required(VERSION 3.13.1) +# This sample shows usage of an external module and we need to set the +# set the extra module path before calling find_package(Zephyr). +if(TEST_RUNTIME_SOURCE_HOOKS) + set(EXTRA_ZEPHYR_MODULES "${CMAKE_SOURCE_DIR}/../../samples/runtime-source/zephyr/hooks") +endif() + # find_package(Zephyr) in order to load application boilerplate: # http://docs.zephyrproject.org/application/application.html find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) @@ -132,24 +138,48 @@ zephyr_library_sources( ) endif() -if(CONFIG_SINGLE_APPLICATION_SLOT OR CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD) -zephyr_library_sources( - ${BOOT_DIR}/zephyr/single_loader.c - ) -zephyr_library_include_directories(${BOOT_DIR}/bootutil/src) +if(CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD) + zephyr_library_sources( + ${BOOT_DIR}/zephyr/single_loader.c + ${BOOT_DIR}/bootutil/src/ram_load.c + ) + zephyr_library_include_directories(${BOOT_DIR}/bootutil/src) +elseif(CONFIG_SINGLE_APPLICATION_SLOT) + zephyr_library_sources( + ${BOOT_DIR}/zephyr/single_loader.c + ) + zephyr_library_include_directories(${BOOT_DIR}/bootutil/src) elseif(CONFIG_BOOT_FIRMWARE_LOADER) -zephyr_library_sources( - ${BOOT_DIR}/zephyr/firmware_loader.c - ) -zephyr_library_include_directories(${BOOT_DIR}/bootutil/src) + zephyr_library_sources( + ${BOOT_DIR}/zephyr/firmware_loader.c + ) + zephyr_library_include_directories(${BOOT_DIR}/bootutil/src) else() -zephyr_library_sources( - ${BOOT_DIR}/bootutil/src/loader.c - ${BOOT_DIR}/bootutil/src/swap_misc.c - ${BOOT_DIR}/bootutil/src/swap_scratch.c - ${BOOT_DIR}/bootutil/src/swap_move.c - ${BOOT_DIR}/bootutil/src/caps.c - ) + zephyr_library_sources( + ${BOOT_DIR}/bootutil/src/loader.c + ${BOOT_DIR}/bootutil/src/swap_misc.c + ${BOOT_DIR}/bootutil/src/caps.c + ) + + if(CONFIG_BOOT_SWAP_USING_MOVE) + zephyr_library_sources( + ${BOOT_DIR}/bootutil/src/swap_move.c + ) + elseif(CONFIG_BOOT_SWAP_USING_OFFSET) + zephyr_library_sources( + ${BOOT_DIR}/bootutil/src/swap_offset.c + ) + else() + zephyr_library_sources( + ${BOOT_DIR}/bootutil/src/swap_scratch.c + ) + + if(CONFIG_BOOT_RAM_LOAD) + zephyr_library_sources( + ${BOOT_DIR}/bootutil/src/ram_load.c + ) + endif() + endif() if(NOT CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER EQUAL "-1" AND NOT CONFIG_BOOT_UPGRADE_ONLY) zephyr_library_sources( @@ -158,12 +188,6 @@ zephyr_library_sources( endif() endif() -if(CONFIG_BOOT_RAM_LOAD OR CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD) - zephyr_library_sources( - ${BOOT_DIR}/bootutil/src/ram_load.c - ) -endif() - if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) if(MBEDTLS_ASN1_DIR) zephyr_library_include_directories( @@ -176,18 +200,18 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) ) endif() if(CONFIG_BOOT_USE_TINYCRYPT) - # When using ECDSA signatures, pull in our copy of the tinycrypt library. - zephyr_library_include_directories( - ${BOOT_DIR}/zephyr/include - ${TINYCRYPT_DIR}/include + # When using ECDSA signatures, pull in our copy of the tinycrypt library. + zephyr_library_include_directories( + ${BOOT_DIR}/zephyr/include + ${TINYCRYPT_DIR}/include ) - zephyr_include_directories(${TINYCRYPT_DIR}/include) + zephyr_include_directories(${TINYCRYPT_DIR}/include) - zephyr_library_sources( - ${TINYCRYPT_DIR}/source/ecc.c - ${TINYCRYPT_DIR}/source/ecc_dsa.c - ${TINYCRYPT_DIR}/source/sha256.c - ${TINYCRYPT_DIR}/source/utils.c + zephyr_library_sources( + ${TINYCRYPT_DIR}/source/ecc.c + ${TINYCRYPT_DIR}/source/ecc_dsa.c + ${TINYCRYPT_DIR}/source/sha256.c + ${TINYCRYPT_DIR}/source/utils.c ) elseif(CONFIG_BOOT_USE_NRF_CC310_BL) zephyr_library_sources(${MCUBOOT_NRF_EXT_DIR}/cc310_glue.c) @@ -197,12 +221,14 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) zephyr_include_directories(${BL_CRYPTO_DIR}/../include) endif() - # Since here we are not using Zephyr's mbedTLS but rather our own, we need - # to set MBEDTLS_CONFIG_FILE ourselves. When using Zephyr's copy, this - # variable is set by its Kconfig in the Zephyr codebase. - zephyr_library_compile_definitions( - MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_LIST_DIR}/include/mcuboot-mbedtls-cfg.h" + if(CONFIG_MBEDTLS_CFG_FILE) + # Since here we are not using Zephyr's mbedTLS but rather our own, we need + # to set MBEDTLS_CONFIG_FILE ourselves. When using Zephyr's copy, this + # variable is set by its Kconfig in the Zephyr codebase. + zephyr_library_compile_definitions( + MBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}" ) + endif() elseif(CONFIG_BOOT_SIGNATURE_TYPE_NONE) zephyr_library_include_directories( ${BOOT_DIR}/zephyr/include @@ -247,7 +273,7 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519) ${TINYCRYPT_SHA512_DIR}/source/sha512.c ) zephyr_library_compile_definitions( - MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_LIST_DIR}/include/mcuboot-mbedtls-cfg.h" + MBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}" ) else() zephyr_include_directories(include) @@ -464,7 +490,7 @@ dt_get_parent(slot0_flash) dt_prop(erase_size_slot0 PATH "${slot0_flash}" PROPERTY "erase-block-size") dt_prop(write_size_slot0 PATH "${slot0_flash}" PROPERTY "write-block-size") -if(CONFIG_BOOT_SWAP_USING_MOVE) +if(CONFIG_BOOT_SWAP_USING_MOVE OR CONFIG_BOOT_SWAP_USING_OFFSET) if(DEFINED erase_size_slot0) zephyr_compile_definitions("MCUBOOT_SLOT0_EXPECTED_ERASE_SIZE=${erase_size_slot0}") endif() @@ -482,7 +508,7 @@ if(NOT CONFIG_SINGLE_APPLICATION_SLOT AND NOT CONFIG_SINGLE_APPLICATION_SLOT_RAM dt_prop(erase_size_slot1 PATH "${slot1_flash}" PROPERTY "erase-block-size") dt_prop(write_size_slot1 PATH "${slot1_flash}" PROPERTY "write-block-size") - if(CONFIG_BOOT_SWAP_USING_MOVE) + if(CONFIG_BOOT_SWAP_USING_MOVE OR CONFIG_BOOT_SWAP_USING_OFFSET) if(DEFINED erase_size_slot1) zephyr_compile_definitions("MCUBOOT_SLOT1_EXPECTED_ERASE_SIZE=${erase_size_slot1}") endif() @@ -524,12 +550,12 @@ if(CONFIG_BOOT_MAX_IMG_SECTORS_AUTO) endif() endif() -if((CONFIG_BOOT_SWAP_USING_SCRATCH OR CONFIG_BOOT_SWAP_USING_MOVE) AND (DEFINED write_size_slot0 OR DEFINED write_size_slot1)) +if((CONFIG_BOOT_SWAP_USING_SCRATCH OR CONFIG_BOOT_SWAP_USING_MOVE OR CONFIG_BOOT_SWAP_USING_OFFSET) AND (DEFINED write_size_slot0 OR DEFINED write_size_slot1)) zephyr_library_sources(flash_check.c) endif() if(SYSBUILD) - if(CONFIG_SINGLE_APPLICATION_SLOT OR CONFIG_BOOT_FIRMWARE_LOADER OR CONFIG_BOOT_SWAP_USING_SCRATCH OR CONFIG_BOOT_SWAP_USING_MOVE OR CONFIG_BOOT_UPGRADE_ONLY OR CONFIG_BOOT_DIRECT_XIP OR CONFIG_BOOT_RAM_LOAD) + if(CONFIG_SINGLE_APPLICATION_SLOT OR CONFIG_BOOT_FIRMWARE_LOADER OR CONFIG_BOOT_SWAP_USING_SCRATCH OR CONFIG_BOOT_SWAP_USING_MOVE OR CONFIG_BOOT_SWAP_USING_OFFSET OR CONFIG_BOOT_UPGRADE_ONLY OR CONFIG_BOOT_DIRECT_XIP OR CONFIG_BOOT_RAM_LOAD) # TODO: RAM LOAD support dt_nodelabel(slot0_flash NODELABEL "slot0_partition") dt_get_parent(slot0_flash) @@ -654,6 +680,17 @@ if(SYSBUILD) math(EXPR boot_status_data_size "128 * (3 * ${write_size})") endif() endif() + elseif(CONFIG_BOOT_SWAP_USING_OFFSET) + if(CONFIG_BOOT_MAX_IMG_SECTORS_AUTO AND DEFINED slot_min_sectors AND "${slot_min_sectors}" GREATER "0") + math(EXPR boot_status_data_size "${slot_min_sectors} * (2 * ${write_size})") + else() + if(CONFIG_BOOT_MAX_IMG_SECTORS) + math(EXPR boot_status_data_size "${CONFIG_BOOT_MAX_IMG_SECTORS} * (2 * ${write_size})") + else() + message(WARNING "CONFIG_BOOT_MAX_IMG_SECTORS is not defined, falling back to 128 sector default. Please set CONFIG_BOOT_MAX_IMG_SECTORS to the required value") + math(EXPR boot_status_data_size "128 * (2 * ${write_size})") + endif() + endif() else() set(boot_status_data_size 0) endif() @@ -671,6 +708,10 @@ if(SYSBUILD) if(CONFIG_BOOT_SWAP_USING_MOVE) math(EXPR required_size "${required_size} + ${erase_size}") math(EXPR required_upgrade_size "${required_upgrade_size} + ${erase_size}") + elseif(CONFIG_BOOT_SWAP_USING_OFFSET) +#todo: check how different slot sizes are... +# math(EXPR required_size "${required_size} + ${erase_size}") +# math(EXPR required_upgrade_size "${required_upgrade_size} + ${erase_size}") endif() else() set(required_size 0) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index a2614917b..fc06ed3c6 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -410,13 +410,13 @@ config MBEDTLS config NRF_SECURITY select MBEDTLS_PROMPTLESS -if MBEDTLS || NRF_SECURITY - config MBEDTLS_CFG_FILE - default "config-tls-generic.h" if MBEDTLS_BUILTIN || BOOT_USE_PSA_CRYPTO - default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS && !NRF_SECURITY - -endif + # It might be awkward to define an Mbed TLS header file when TinyCrypt + # is used, but the fact is that Mbed TLS' ASN1 parse module is used + # also when TinyCrypt is used as crypto backend. + default "mcuboot-mbedtls-cfg.h" if BOOT_USE_TINYCRYPT + default "config-tls-generic.h" if NRF_SECURITY && (MBEDTLS_BUILTIN || BOOT_USE_PSA_CRYPTO) + default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS && !MBEDTLS_BUILTIN config BOOT_HW_KEY bool "Use HW key for image verification" @@ -448,6 +448,13 @@ config BOOT_VALIDATE_SLOT0_ONCE low end devices with as a compromise lowering the security level. If unsure, leave at the default value. +config BOOT_PREFER_SWAP_OFFSET + bool "Prefer the newer swap offset algorithm" + help + If y, the BOOT_IMAGE_UPGRADE_MODE will default to using "offset" instead of "scratch". + This is a separate bool config option, because Kconfig doesn't allow defaults to be + overridden in choice options. Most devices should be using swap using offset mode. + config BOOT_PREFER_SWAP_MOVE bool "Prefer the newer swap move algorithm" default y if SOC_FAMILY_NORDIC_NRF @@ -456,12 +463,14 @@ config BOOT_PREFER_SWAP_MOVE If y, the BOOT_IMAGE_UPGRADE_MODE will default to using "move" instead of "scratch". This is a separate bool config option, because Kconfig doesn't allow defaults to be - overridden in choice options. Most devices should be using - swap move. + overridden in choice options. This mode has been superceded + by swap using offset, but is kept to allow existing projects + to make use of it. if !SINGLE_APPLICATION_SLOT choice BOOT_IMAGE_UPGRADE_MODE prompt "Image upgrade modes" + default BOOT_SWAP_USING_OFFSET if BOOT_PREFER_SWAP_OFFSET default BOOT_SWAP_USING_MOVE if BOOT_PREFER_SWAP_MOVE default BOOT_SWAP_USING_SCRATCH @@ -478,8 +487,19 @@ config BOOT_UPGRADE_ONLY of swapping them. This prevents the fallback recovery, but uses a much simpler code path. +config BOOT_SWAP_USING_OFFSET + bool "Swap using offset mode without scratch partition" + help + If y, the swap upgrade is done by each sector X+1 in the secondary slot moved index X in + the primary slot, then the sector at X+1 in the primary is moved to index X in the + secondary. + This allows a swap upgrade without using a scratch partition, but is currently limited + to all sectors in both slots being of the same size. This mode offers faster swap times + with less flash endurance usage than swap using move, firmware updates must be placed at + the second sector in the second slot instead of the first. + config BOOT_SWAP_USING_MOVE - bool "Swap mode that can run without a scratch partition" + bool "Swap using mode mode without scratch partition" help If y, the swap upgrade is done in two steps, where first every sector of the primary slot is moved up one sector, then for @@ -579,6 +599,17 @@ config BOOT_IMAGE_EXECUTABLE_RAM_SIZE default $(dt_chosen_reg_size_int,$(DT_CHOSEN_Z_SRAM),0) endif +config FLASH_RUNTIME_SOURCES + bool "Images are read from flash partitions defined at runtime" + depends on SINGLE_APPLICATION_SLOT + help + Instead of using information on the flash slots to decide which images + to load/update, the application provides the information from which + flash slot to load in runtime. This is useful when the application + reads the state for hardware straps or other sources to decide which + image to load. Usually, application will provide a boot_go_hook() to + decide which image to load. + config BOOT_ENCRYPTION_SUPPORT bool help @@ -920,7 +951,7 @@ config MCUBOOT_DOWNGRADE_PREVENTION config MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER bool "Use image security counter instead of version number" depends on MCUBOOT_DOWNGRADE_PREVENTION - depends on (BOOT_SWAP_USING_MOVE || BOOT_SWAP_USING_SCRATCH) + depends on (BOOT_SWAP_USING_MOVE || BOOT_SWAP_USING_SCRATCH || BOOT_SWAP_USING_OFFSET) help Security counter is used for version eligibility check instead of pure version. When this option is set, any upgrade must have greater or @@ -965,6 +996,20 @@ config BOOT_IMAGE_ACCESS_HOOKS update. It is up to the project customization to add required source files to the build. +config BOOT_GO_HOOKS + bool "Enable hooks for overriding MCUBOOT's boot_go routine" + help + Allow to provide procedures for override or extend native + MCUboot's boot_go routine. It is up to the project customization to + add required source files to the build. + +config BOOT_FLASH_AREA_HOOKS + bool "Enable hooks for overriding MCUboot's flash area routines" + help + Allow to provide procedures for override or extend native + MCUboot's flash area routines. It is up to the project customization to + add required source files to the build. + config MCUBOOT_ACTION_HOOKS bool "Enable hooks for responding to MCUboot status changes" help diff --git a/boot/zephyr/boards/m5stack_cores3_esp32s3_procpu.overlay b/boot/zephyr/boards/m5stack_cores3_esp32s3_procpu.overlay new file mode 100644 index 000000000..f0740c854 --- /dev/null +++ b/boot/zephyr/boards/m5stack_cores3_esp32s3_procpu.overlay @@ -0,0 +1,17 @@ +/* + * Copyright (c) 2024 TOKITA Hiroshi + * + * SPDX-License-Identifier: Apache-2.0 + */ + +&aw9523b { + status = "disabled"; +}; + +&aw9523b_gpio { + status = "disabled"; +}; + +&ft6336_touch { + status = "disabled"; +}; diff --git a/boot/zephyr/boards/m5stack_cores3_esp32s3_procpu_se.overlay b/boot/zephyr/boards/m5stack_cores3_esp32s3_procpu_se.overlay new file mode 100644 index 000000000..f0740c854 --- /dev/null +++ b/boot/zephyr/boards/m5stack_cores3_esp32s3_procpu_se.overlay @@ -0,0 +1,17 @@ +/* + * Copyright (c) 2024 TOKITA Hiroshi + * + * SPDX-License-Identifier: Apache-2.0 + */ + +&aw9523b { + status = "disabled"; +}; + +&aw9523b_gpio { + status = "disabled"; +}; + +&ft6336_touch { + status = "disabled"; +}; diff --git a/boot/zephyr/decompression.c b/boot/zephyr/decompression.c index 7a9507de6..f49898d55 100644 --- a/boot/zephyr/decompression.c +++ b/boot/zephyr/decompression.c @@ -166,9 +166,9 @@ int bootutil_get_img_decrypted_comp_size(const struct image_header *hdr, } #endif -int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index, - struct image_header *hdr, const struct flash_area *fap, - uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *hash_result, +int bootutil_img_hash_decompress(struct boot_loader_state *state, struct image_header *hdr, + const struct flash_area *fap, uint8_t *tmp_buf, + uint32_t tmp_buf_sz, uint8_t *hash_result, uint8_t *seed, int seed_len) { int rc; @@ -184,6 +184,8 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index uint8_t flash_erased_value; #ifdef MCUBOOT_ENC_IMAGES + struct enc_key_data *enc_state; + int image_index; uint32_t comp_size = 0; rc = bootutil_get_img_decrypted_comp_size(hdr, fap, &comp_size); @@ -193,11 +195,15 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index rc = BOOT_EBADIMAGE; goto finish_end; } -#endif - bootutil_sha_init(&sha_ctx); + if (state == NULL) { + enc_state = NULL; + image_index = 0; + } else { + enc_state = BOOT_CURR_ENC(state); + image_index = BOOT_CURR_IMG(state); + } -#ifdef MCUBOOT_ENC_IMAGES /* Encrypted images only exist in the secondary slot */ if (MUST_DECRYPT(fap, image_index, hdr) && !boot_enc_valid(enc_state, 1)) { @@ -205,6 +211,8 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index } #endif + bootutil_sha_init(&sha_ctx); + /* Setup decompression system */ #if CONFIG_NRF_COMPRESS_LZMA_VERSION_LZMA1 if (!(hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA1)) { diff --git a/boot/zephyr/firmware_loader.c b/boot/zephyr/firmware_loader.c index 11b461c41..d0f70af4a 100644 --- a/boot/zephyr/firmware_loader.c +++ b/boot/zephyr/firmware_loader.c @@ -55,7 +55,7 @@ boot_image_validate(const struct flash_area *fa_p, */ hdr->ih_flags &= ~(ENCRYPTIONFLAGS); } - FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, hdr, fa_p, tmpbuf, + FIH_CALL(bootutil_img_validate, fih_rc, NULL, hdr, fa_p, tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, NULL); FIH_RET(fih_rc); diff --git a/boot/zephyr/flash_map_extended.c b/boot/zephyr/flash_map_extended.c index 46f4c5a3c..68ae4f3b2 100644 --- a/boot/zephyr/flash_map_extended.c +++ b/boot/zephyr/flash_map_extended.c @@ -14,7 +14,9 @@ #include #include +#include "bootutil/boot_hooks.h" #include "bootutil/bootutil_log.h" +#include "bootutil/bootutil_public.h" BOOT_LOG_MODULE_DECLARE(mcuboot); @@ -58,6 +60,14 @@ int flash_device_base(uint8_t fd_id, uintptr_t *ret) */ int flash_area_id_from_multi_image_slot(int image_index, int slot) { + int rc, id; + + rc = BOOT_HOOK_FLASH_AREA_CALL(flash_area_id_from_multi_image_slot_hook, + BOOT_HOOK_REGULAR, image_index, slot, &id); + if (rc != BOOT_HOOK_REGULAR) { + return id; + } + switch (slot) { case 0: return FLASH_AREA_IMAGE_PRIMARY(image_index); #if !defined(CONFIG_SINGLE_APPLICATION_SLOT) @@ -138,8 +148,8 @@ int flash_area_sector_from_off(off_t off, struct flash_sector *sector) uint8_t flash_area_get_device_id(const struct flash_area *fa) { - (void)fa; - return FLASH_DEVICE_ID; + (void)fa; + return FLASH_DEVICE_ID; } #define ERASED_VAL 0xff diff --git a/boot/zephyr/include/compression/decompression.h b/boot/zephyr/include/compression/decompression.h index f8a676ac5..2104c4eb6 100644 --- a/boot/zephyr/include/compression/decompression.h +++ b/boot/zephyr/include/compression/decompression.h @@ -67,8 +67,7 @@ int bootutil_get_img_decomp_size(const struct image_header *hdr, const struct fl /** * Calculate MCUboot-compatible image hash of compressed image slot. * - * @param enc_state Not currently used, set to NULL. - * @param image_index Image number. + * @param state MCUboot state. * @param hdr Image header. * @param fap Flash area of the slot. * @param tmp_buf Temporary buffer for reading data from. @@ -79,9 +78,9 @@ int bootutil_get_img_decomp_size(const struct image_header *hdr, const struct fl * * @return 0 on success; nonzero on failure. */ -int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index, - struct image_header *hdr, const struct flash_area *fap, - uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *hash_result, +int bootutil_img_hash_decompress(struct boot_loader_state *state, struct image_header *hdr, + const struct flash_area *fap, uint8_t *tmp_buf, + uint32_t tmp_buf_sz, uint8_t *hash_result, uint8_t *seed, int seed_len); /** diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index 01a9439aa..49854c754 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -87,6 +87,10 @@ #define MCUBOOT_SWAP_USING_MOVE 1 #endif +#ifdef CONFIG_BOOT_SWAP_USING_OFFSET +#define MCUBOOT_SWAP_USING_OFFSET 1 +#endif + #ifdef CONFIG_BOOT_DIRECT_XIP #define MCUBOOT_DIRECT_XIP #endif @@ -241,6 +245,14 @@ #define MCUBOOT_IMAGE_ACCESS_HOOKS #endif +#ifdef CONFIG_BOOT_GO_HOOKS +#define MCUBOOT_BOOT_GO_HOOKS +#endif + +#ifdef CONFIG_BOOT_FLASH_AREA_HOOKS +#define MCUBOOT_FLASH_AREA_HOOKS +#endif + #ifdef CONFIG_MCUBOOT_VERIFY_IMG_ADDRESS #define MCUBOOT_VERIFY_IMG_ADDRESS #endif diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index f231c3d02..3c3638d7f 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h @@ -60,7 +60,7 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #define FLASH_AREA_IMAGE_PRIMARY(x) __flash_area_ids_for_slot(x, 0) #define FLASH_AREA_IMAGE_SECONDARY(x) __flash_area_ids_for_slot(x, 1) -#if !defined(CONFIG_BOOT_SWAP_USING_MOVE) +#if !defined(CONFIG_BOOT_SWAP_USING_MOVE) && !defined(CONFIG_BOOT_SWAP_USING_OFFSET) #define FLASH_AREA_IMAGE_SCRATCH FIXED_PARTITION_ID(scratch_partition) #endif diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 62a9c2c57..6dc1e6fc3 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -41,6 +41,7 @@ #include "bootutil/bootutil_log.h" #include "bootutil/image.h" #include "bootutil/bootutil.h" +#include "bootutil/boot_hooks.h" #include "bootutil/fault_injection_hardening.h" #include "bootutil/mcuboot_status.h" #include "flash_map_backend/flash_map_backend.h" @@ -560,7 +561,10 @@ int main(void) #endif #endif - FIH_CALL(boot_go, fih_rc, &rsp); + BOOT_HOOK_GO_CALL_FIH(boot_go_hook, FIH_BOOT_HOOK_REGULAR, fih_rc, &rsp); + if (FIH_EQ(fih_rc, FIH_BOOT_HOOK_REGULAR)) { + FIH_CALL(boot_go, fih_rc, &rsp); + } #ifdef CONFIG_BOOT_SERIAL_BOOT_MODE if (io_detect_boot_mode()) { diff --git a/boot/zephyr/sample.yaml b/boot/zephyr/sample.yaml index 2c36fbe1e..bf5bc93ea 100644 --- a/boot/zephyr/sample.yaml +++ b/boot/zephyr/sample.yaml @@ -90,3 +90,15 @@ tests: platform_allow: mimxrt1020_evk integration_platforms: - mimxrt1020_evk + sample.bootloader.mcuboot.swap_offset: + extra_args: EXTRA_CONF_FILE=./swap_offset.conf + platform_allow: nrf52840dk/nrf52840 + integration_platforms: + - nrf52840dk/nrf52840 + tags: bootloader_mcuboot + sample.bootloader.mcuboot.runtime_source.hooks: + extra_args: EXTRA_CONF_FILE=../../samples/runtime-source/zephyr/sample.conf + TEST_RUNTIME_SOURCE_HOOKS=y + tags: bootloader_mcuboot runtime_source + platform_allow: frdm_k64f + build_only: true diff --git a/boot/zephyr/single_loader.c b/boot/zephyr/single_loader.c index 03b61d4bd..382f81eaa 100644 --- a/boot/zephyr/single_loader.c +++ b/boot/zephyr/single_loader.c @@ -21,6 +21,12 @@ BOOT_LOG_MODULE_DECLARE(mcuboot); /* Variables passed outside of unit via poiters. */ static const struct flash_area *_fa_p; static struct image_header _hdr = { 0 }; +static struct boot_loader_state boot_data; + +struct boot_loader_state *boot_get_loader_state(void) +{ + return &boot_data; +} #if defined(MCUBOOT_VALIDATE_PRIMARY_SLOT) || defined(MCUBOOT_VALIDATE_PRIMARY_SLOT_ONCE) /** @@ -53,7 +59,7 @@ boot_image_validate(const struct flash_area *fa_p, */ hdr->ih_flags &= ~(ENCRYPTIONFLAGS); } - FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, hdr, fa_p, tmpbuf, + FIH_CALL(bootutil_img_validate, fih_rc, NULL, hdr, fa_p, tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, NULL); FIH_RET(fih_rc); diff --git a/boot/zephyr/swap_offset.conf b/boot/zephyr/swap_offset.conf new file mode 100644 index 000000000..c6a15932b --- /dev/null +++ b/boot/zephyr/swap_offset.conf @@ -0,0 +1 @@ +CONFIG_BOOT_SWAP_USING_OFFSET=y diff --git a/ci/espressif_install.sh b/ci/espressif_install.sh index c2ec2c4ed..4ac52c9ab 100755 --- a/ci/espressif_install.sh +++ b/ci/espressif_install.sh @@ -10,7 +10,7 @@ install_imgtool() { install_idf() { pushd $HOME - git clone --depth=1 https://github.com/espressif/esp-idf.git --branch release/v5.1 + git clone --depth=1 https://github.com/espressif/esp-idf.git --branch v5.1.4 [[ $? -ne 0 ]] && exit 1 $HOME/esp-idf/install.sh diff --git a/docs/compression_format.md b/docs/compression_format.md new file mode 100644 index 000000000..78397da7c --- /dev/null +++ b/docs/compression_format.md @@ -0,0 +1,172 @@ +# Compressed binary file internals + +This article describes the structure of the +`zephyr.signed.bin` file when image +compression is enabled. You do not need to know these details to use the +image compression subsystem, but they can be beneficial if you want to +use them for verification or custom integration purposes. + +For an example, see the following structure of the file: + +![LZMA header](./images/decomp.png) + +## [LZMA Header](#LZMA-Header) + +The Lempel-Ziv-Markov chain Algorithm (LZMA) header is crucial for files +compressed using the LZMA method. It contains metadata essential for +decompression. The `lzma2_header` encodes compression parameters using +two bytes. + +### [Calculating compression parameters](#Calculating-compression-parameters) + +Compression parameters can be calculated, retrieved, or changed +depending on your needs. For details, see the following sections. + +#### [Default values](#Default-values) + +Compression parameters have the following default values: + +- `dict_size`: 131072 +- `pb`: 2 +- `lc`: 3 +- `lp`: 1 + +#### [Adjusting dictionary size](#Adjusting-dictionary-size) + +You can calculate the `dict_size` using the following method: + +```c +unsigned int i = 0; + +for (i = 0; i < 40; i++) { + if (raw_dict_size <= (((uint32_t)2 | ((i) & 1)) << ((i) / 2 + 11))) { + break; + } +} +dict_size = (uint8_t)i; +``` + +With this method, `dict_size` can have one of the following values: + + |Hex Value | Size | + |-----------|------------| + |0x00 | 4096 | + |0x01 | 6144 | + |0x02 | 8192 | + |0x03 | 12288 | + |0x04 | 16384 | + |0x05 | 24576 | + |0x06 | 32768 | + |0x07 | 49152 | + |0x08 | 65536 | + |0x09 | 98304 | + |0x0a | 131072 | + |0x0b | 196608 | + |0x0c | 262144 | + |0x0d | 393216 | + |0x0e | 524288 | + |0x0f | 786432 | + |0x10 | 1048576 | + |0x11 | 1572864 | + |0x12 | 2097152 | + |0x13 | 3145728 | + |0x14 | 4194304 | + |0x15 | 6291456 | + |0x16 | 8388608 | + |0x17 | 12582912 | + |0x18 | 16777216 | + |0x19 | 25165824 | + |0x1a | 33554432 | + |0x1b | 50331648 | + |0x1c | 67108864 | + |0x1d | 100663296 | + |0x1e | 134217728 | + |0x1f | 201326592 | + |0x20 | 268435456 | + |0x21 | 402653184 | + |0x22 | 536870912 | + |0x23 | 805306368 | + |0x24 | 1073741824 | + |0x25 | 1610612736 | + |0x26 | 2147483648 | + |0x27 | 3221225472 | + +#### [Calculating literal context, literal pos, and pos bits](#Calculating-literal-context-literal-pos-and-pos-bits) + +The second byte of the `lzma2_header` carries the following parameters: + +- `lc`, which specifies a number of literal context bits + +- `lp`, which specifies a number of literal pos bits + +- `pb`, which specifies a number of pos bits + + These parameters are encoded with the following formula: + + ```c + pb_lp_lc = (uint8_t)((pb * 5 + lp) * 9 + lc); + ``` + + To decode these values from the combined `pb_lp_lc` byte, run the + following code: + + ```c + lc = pb_lp_lc % 9; + pb_lp_lc /= 9; + pb = pb_lp_lc / 5; + lp = pb_lp_lc % 5; + ``` + +## [Extracting LZMA stream from image](#Extracting-LZMA-stream-from-image) + +To extract and decompress the LZMA stream from the image, follow these +steps: + +1. Determine the offset of the compressed stream by adding the + `lzma2_header` size and the value stored under + `image_header.ih_hdr_size`. For the size of the compressed stream, + see `image_header.ih_img_size`. +2. If the compressed stream is isolated and stored in a file named + `raw.lzma`, you can perform + decompression using the following commands: + + - Without an ARM thumb filter: + + ```bash + unlzma --lzma2 --format=raw --suffix=.lzma raw.lzma + ``` + + - With an ARM thumb filter: + + ```bash + unlzma --armthumb --lzma2 --format=raw --suffix=.lzma raw.lzma + ``` + +Once the command is executed you will see a newly created file named +`raw`, which is identical to the +image before compression. + +## [TLVs](#TLVs) + +The following Type-Length-Values (TLVs) are used in the context of +decompressed images: + +- `DECOMP_SIZE (0x70)`: Specifies the size of the decompressed image. +- `DECOMP_SHA (0x71)`: Contains the hash of the decompressed image. +- `DECOMP_SIGNATURE (0x72)`: Holds the signature of either the hash or + the entire image. + +These TLVs are placed in the protected TLV section, ensuring they are +included in the hashing and signature calculations during the +verification process. The process for choosing the type of cryptographic +signature and hash algorithm used for securing the image is the same, +regardless of whether the image has undergone compression. + +## [Sample](#Sample) + +For practical implementation, you can find a simple stand-alone +verification program under the following path +`bootloader/mcuboot/samples/compression_test/independent_cmp.c` + +This program demonstrates how to independently verify the integrity and +authenticity of a decompressed image using the specified TLVs. diff --git a/docs/design.md b/docs/design.md index b1979a7c2..8b2e3ea2a 100755 --- a/docs/design.md +++ b/docs/design.md @@ -237,7 +237,48 @@ Where: `image-slot-size` is the size of the image slot. `image-trailer-size` is the size of the image trailer. -### [Swap without using scratch](#image-swap-no-scratch) +### [Swap using offset (without using scratch)](#image-swap-offset-no-scratch) + +This algorithm is an alternative to the swap-using-scratch algorithm and an +enhancement of the swap using move algorithm. +It uses an additional sector in the secondary slot to make swap possible. +The algorithm works as follows: + + 1. Update image must be placed starting at the second sector in the secondary slot + 2. Copies the N-th sector from the primary slot to the N-th sector of the + secondary slot. + 3. Copies the (N+1)-th sector from the secondary slot to the N-th sector of the + primary slot. + 4. Repeats steps 2. and 3. until all the slots' sectors are swapped. + +This algorithm is designed so that the lower sector of the secondary slot is +used only for allowing sectors to move down during a swap. Therefore the most +memory-size-effective slot layout is when the secondary slot is larger than +the primary slot by exactly one sector, although same-sized slots are allowed +as well. The algorithm is limited to support sectors of the same sector layout. +All slot's sectors should be of the same size. This algorithm uses 2 flags per +sector update rather than the 3 flags used by swap using move, which requires +a smaller swap status area size. + +When using this algorithm the maximum image size available for the application +will be: +``` +maximum-image-size1 = N * slot-sector-size - image-trailer-sectors-size +``` + +Where: + `N` is the number of sectors in the primary slot. + `image-trailer-sectors-size` is the size of the image trailer rounded up to + the total size of sectors its occupied. For instance if the image-trailer-size + is equal to 1056 B and the sector size is equal to 1024 B, then + `image-trailer-sectors-size` will be equal to 2048 B. + +The algorithm does one erase cycle on both the primary and secondary slots +during each swap. + +The algorithm is enabled using the `MCUBOOT_SWAP_USING_OFFSET` option. + +### [Swap using move (without using scratch)](#image-swap-no-scratch) This algorithm is an alternative to the swap-using-scratch algorithm. It uses an additional sector in the primary slot to make swap possible. @@ -635,7 +676,17 @@ types described above via a set of tables. These tables are reproduced below. --- ``` - State I + State I (swap using offset only) + | primary slot | secondary slot | + -----------------+--------------+----------------| + magic | Any | Good | + image-ok | Any | Unset | + copy-done | Any | Set | + -----------------+--------------+----------------' + result: BOOT_SWAP_TYPE_REVERT | + -------------------------------------------------' + + State II | primary slot | secondary slot | -----------------+--------------+----------------| magic | Any | Good | @@ -646,7 +697,7 @@ types described above via a set of tables. These tables are reproduced below. -------------------------------------------------' - State II + State III | primary slot | secondary slot | -----------------+--------------+----------------| magic | Any | Good | @@ -657,7 +708,7 @@ types described above via a set of tables. These tables are reproduced below. -------------------------------------------------' - State III + State IV | primary slot | secondary slot | -----------------+--------------+----------------| magic | Good | Any | @@ -674,7 +725,7 @@ Otherwise, MCUboot does not attempt to swap images, resulting in one of the other three swap types, as illustrated by State IV. ``` - State IV + State V | primary slot | secondary slot | -----------------+--------------+----------------| magic | Any | Any | @@ -687,7 +738,7 @@ other three swap types, as illustrated by State IV. -------------------------------------------------' ``` -In State IV, when no errors occur, MCUboot will attempt to boot the contents of +In State V, when no errors occur, MCUboot will attempt to boot the contents of the primary slot directly, and the result is `BOOT_SWAP_TYPE_NONE`. If the image in the primary slot is not valid, the result is `BOOT_SWAP_TYPE_FAIL`. If a fatal error occurs during boot, the result is `BOOT_SWAP_TYPE_PANIC`. If the @@ -979,7 +1030,10 @@ the middle of an image swap operation. The swap status region consists of a series of single-byte records. These records are written independently, and therefore must be padded according to the minimum write size imposed by the flash hardware. The structure of the swap status region is illustrated below. -In this figure, a min-write-size of 1 is assumed for simplicity. +In this figure, a min-write-size of 1 is assumed for simplicity, this diagram +shows 3 states per sector which is applicable to swap using scratch and swap +using move, however in swap using offset mode there are only 2 states per +sector and the overall state size required is less. ``` 0 1 2 3 @@ -1040,14 +1094,15 @@ values map to the above four states as follows The swap status region can accommodate `BOOT_MAX_IMG_SECTORS` sector indices. Hence, the size of the region, in bytes, is -`BOOT_MAX_IMG_SECTORS * min-write-size * 3`. The only requirement for the index -count is that it is great enough to account for a maximum-sized image -(i.e., at least as great as the total sector count in an image slot). If a -device's image slots have been configured with `BOOT_MAX_IMG_SECTORS: 128` and -use less than 128 sectors, the first record that gets written will be somewhere -in the middle of the region. For example, if a slot uses 64 sectors, the first -sector index that gets swapped is 63, which corresponds to the exact halfway -point within the region. +`BOOT_MAX_IMG_SECTORS * min-write-size * s` where `s` is 3 for swap using +scratch and swap using move modes, and is 2 for swap using offset mode. The +only requirement for the index count is that it is great enough to account +for a maximum-sized image (i.e., at least as great as the total sector count in +an image slot). If a device's image slots have been configured with +`BOOT_MAX_IMG_SECTORS: 128` and use less than 128 sectors, the first record +that gets written will be somewhere in the middle of the region. For example, +if a slot uses 64 sectors, the first sector index that gets swapped is 63, +which corresponds to the exact halfway point within the region. --- ***Note*** diff --git a/docs/images/decomp.png b/docs/images/decomp.png new file mode 100644 index 000000000..a24220fa5 Binary files /dev/null and b/docs/images/decomp.png differ diff --git a/docs/imgtool.md b/docs/imgtool.md index b4dc3b554..958e1af15 100644 --- a/docs/imgtool.md +++ b/docs/imgtool.md @@ -51,7 +51,7 @@ enabled, this last step is unnecessary and can be skipped. Image signing takes an image in binary or Intel Hex format intended for the primary slot and adds a header and trailer that the bootloader is expecting: - Usage: imgtool.py sign [OPTIONS] INFILE OUTFILE + Usage: imgtool sign [OPTIONS] INFILE OUTFILE Create a signed or unsigned image @@ -59,42 +59,92 @@ primary slot and adds a header and trailer that the bootloader is expecting: extension, otherwise binary format is used Options: + --vector-to-sign [payload|digest] + send to OUTFILE the payload or payloads + digest instead of complied image. These data + can be used for external image signing + --sha [auto|256|384|512] selected sha algorithm to use; defaults to + "auto" which is 256 if no cryptographic + signature is used, or default for signature + type + --sig-out filename Path to the file to which signature will be + written. The image signature will be encoded + as base64 formatted string + --pure Expected Pure variant of signature; the Pure + variant is expected to be signature done + over an image rather than hash of that + image. + --fix-sig-pubkey filename public key relevant to fixed signature + --fix-sig filename fixed signature for the image. It will be + used instead of the signature calculated + using the public key -k, --key filename --public-key-format [hash|full] - --align [1|2|4|8|16|32] Alignment used by swap update modes. - -v, --version TEXT [required] - -s, --security-counter TEXT Specify the value of security counter. Use - the `auto` keyword to automatically generate - it from the image version. - -d, --dependencies TEXT - --pad-sig Add 0-2 bytes of padding to ECDSA signature - (for MCUboot <1.5) - -H, --header-size INTEGER [required] - --pad-header Add --header-size zeroed bytes at the - beginning of the image - -S, --slot-size INTEGER Size of the slot where the image will be - written [required] - --pad Pad image to --slot-size bytes, adding - trailer magic - --confirm When padding the image, mark it as confirmed - -M, --max-sectors INTEGER When padding allow for this amount of - sectors (defaults to 128) - --boot-record sw_type Create CBOR encoded boot record TLV. The - sw_type represents the role of the software - component (e.g. CoFM for coprocessor - firmware). [max. 12 characters] - --overwrite-only Use overwrite-only instead of swap upgrades - -e, --endian [little|big] Select little or big endian - -E, --encrypt filename Encrypt image using the provided public key - --save-enctlv When upgrading, save encrypted key TLVs - instead of plain keys. Enable when - BOOT_SWAP_SAVE_ENCTLV config option was set. - -L, --load-addr INTEGER Load address for image when it should run - from RAM. - -x, --hex-addr INTEGER Adjust address in hex output file. - -R, --erased-val [0|0xff] The value that is read back from erased - flash. - -h, --help Show this message and exit. + In what format to add the public key to the + image manifest: full key or hash of the key. + --max-align [8|16|32] Maximum flash alignment. Set if flash + alignment of the primary and secondary slot + differ and any of them is larger than 8. + --align [1|2|4|8|16|32] Alignment used by swap update modes. + -v, --version TEXT [required] + -s, --security-counter TEXT Specify the value of security counter. Use + the `auto` keyword to automatically generate + it from the image version. + -d, --dependencies TEXT Add dependence on another image, format: + "(,), ... " + --pad-sig Add 0-2 bytes of padding to ECDSA signature + (for mcuboot <1.5) + -H, --header-size INTEGER [required] + --pad-header Add --header-size zeroed bytes at the + beginning of the image + -S, --slot-size INTEGER Size of the slot. If the slots have + different sizes, use the size of the + secondary slot. [required] + --pad Pad image to --slot-size bytes, adding + trailer magic + --confirm When padding the image, mark it as confirmed + (implies --pad) + -M, --max-sectors INTEGER When padding allow for this amount of + sectors (defaults to 128) + --boot-record sw_type Create CBOR encoded boot record TLV. The + sw_type represents the role of the software + component (e.g. CoFM for coprocessor + firmware). [max. 12 characters] + --overwrite-only Use overwrite-only instead of swap upgrades + -e, --endian [little|big] Select little or big endian + -c, --clear Output a non-encrypted image with encryption + capabilities,so it can be installed in the + primary slot, and encrypted when swapped to + the secondary. + --skip-encryption Set encryption flags and TLV's without + applying encryption. + --compression [disabled|lzma2|lzma2armthumb] + Enable image compression using specified + type. Will fall back without image + compression automatically if the compression + increases the image size. + --encrypt-keylen [128|256] When encrypting the image using AES, select + a 128 bit or 256 bit key len. + -E, --encrypt filename Encrypt image using the provided public key. + (Not supported in direct-xip or ram-load + mode.) + --save-enctlv When upgrading, save encrypted key TLVs + instead of plain keys. Enable when + BOOT_SWAP_SAVE_ENCTLV config option was set. + -F, --rom-fixed INTEGER Set flash address the image is built for. + -L, --load-addr INTEGER Load address for image when it should run + from RAM. + -x, --hex-addr INTEGER Adjust address in hex output file. + -R, --erased-val [0|0xff] The value that is read back from erased + flash. + --custom-tlv [tag] [value] Custom TLV that will be placed into + protected area. Add "0x" prefix if the value + should be interpreted as an integer, + otherwise it will be interpreted as a + string. Specify the option multiple times to + add multiple TLVs. + --non-bootable Mark the image as non-bootable. + -h, --help Show this message and exit. The main arguments given are the key file generated above, a version field to place in the header (1.2.3 for example), the alignment of the @@ -111,6 +161,12 @@ the load address (in Intel Hex terms, the Extended Linear Address record) to adjust for the new bytes prepended to the file. The load address of all data existing in the file should not change. +The `--compression` option enables LZMA compression over payload. Details +about internals of image generated with this option can be found here +[here](./compression_format.md) +This isn't fully supported on the embedded side but can be utilised when +project is built on top of the mcuboot. + The `--slot-size` argument is required and used to check that the firmware does not overflow into the swap status area (metadata). If swap upgrades are not being used, `--overwrite-only` can be passed to avoid adding the swap diff --git a/docs/readme-espressif.md b/docs/readme-espressif.md index 21004df98..9629b66a6 100644 --- a/docs/readme-espressif.md +++ b/docs/readme-espressif.md @@ -14,10 +14,10 @@ Documentation about the MCUboot bootloader design, operation and features can be The current port is available for use in the following SoCs within the OSes: -| | ESP32 | ESP32-S2 | ESP32-C3 | ESP32-S3 | ESP32-C2 | ESP32-C6 | ESP32-H2 | -| :----: | :-----: | :-----: | :-----: | :-----: | :---------: | :-----: | :-----: | -| Zephyr | Supported | Supported | Supported | Supported | In progress | In progress | In progress | -| NuttX | Supported | Supported | Supported | Supported | In progress | In progress | In progress | +| | ESP32 | ESP32-S2 | ESP32-C3 | ESP32-S3 | ESP32-C2 | ESP32-C6 | ESP32-H2 | +| :----: | :-------: | :-------: | :-------: | :-------: | :---------: | :-------: | :---------: | +| Zephyr | Supported | Supported | Supported | Supported | Supported | Supported | In progress | +| NuttX | Supported | Supported | Supported | Supported | In progress | Supported | Supported | Notice that any customization in the memory layout from the OS application must be done aware of the bootloader own memory layout to avoid overlapping. More information on the section @@ -94,6 +94,10 @@ Additional configuration related to MCUboot features and slot partitioning may b 1. Compile and generate the BIN: + ```bash + cd /boot/espressif + ``` + ```bash cmake -DCMAKE_TOOLCHAIN_FILE=tools/toolchain-.cmake -DMCUBOOT_TARGET= -DESP_HAL_PATH= -DMCUBOOT_FLASH_PORT= -B build -GNinja ``` diff --git a/docs/readme-zephyr.md b/docs/readme-zephyr.md index 1e55ea766..1d6daaef6 100644 --- a/docs/readme-zephyr.md +++ b/docs/readme-zephyr.md @@ -33,7 +33,7 @@ the rest of the images too (for example, `slot2_partition` and The flash partitions are typically defined in the Zephyr boards folder, in a file named `boards///.dts`. An example `.dts` file with flash partitions defined is the frdm_k64f's in -`boards/arm/frdm_k64f/frdm_k64f.dts`. Make sure the DT node labels in your board's +`boards/nxp/frdm_k64f/frdm_k64f.dts`. Make sure the DT node labels in your board's `.dts` file match the ones used there. ## Installing requirements and dependencies diff --git a/docs/release-notes.d/espressif-idf-version-checking.md b/docs/release-notes.d/espressif-idf-version-checking.md new file mode 100644 index 000000000..ff12912c7 --- /dev/null +++ b/docs/release-notes.d/espressif-idf-version-checking.md @@ -0,0 +1,3 @@ +- Added verification for supported IDF-based HAL version. +- Fixed missing macro for XMC flash devices on ESP32-S3 +- Extended image loader header to include RTC/LP RAM, DROM and IROM segments. diff --git a/docs/release-notes.d/fix-stuck-revert.md b/docs/release-notes.d/fix-stuck-revert.md new file mode 100644 index 000000000..a49cd3bc8 --- /dev/null +++ b/docs/release-notes.d/fix-stuck-revert.md @@ -0,0 +1,3 @@ +- Fixed issue for swap using move whereby a device could get + stuck in a revert loop despite there being no image in the + secondary slot diff --git a/docs/release-notes.d/serial-recovery-var.md b/docs/release-notes.d/serial-recovery-var.md new file mode 100644 index 000000000..e86477ca8 --- /dev/null +++ b/docs/release-notes.d/serial-recovery-var.md @@ -0,0 +1,3 @@ +- Fixed issue with serial recovery variables not being + correctly initialised to default values which could cause + some commands to do unexpected operations diff --git a/docs/release-notes.d/swap-using-offset.md b/docs/release-notes.d/swap-using-offset.md new file mode 100644 index 000000000..c36dc350d --- /dev/null +++ b/docs/release-notes.d/swap-using-offset.md @@ -0,0 +1,6 @@ +- Added a new swap using offset algorithm which is set with + `MCUBOOT_SWAP_USING_OFFSET`. This algorithm is similar to swap + using move but avoids moving the sectors in the primary slot + up by having the update image written in the second sector in + the update slot, which offers a faster update process and + requires a smaller swap status area diff --git a/samples/compression_test/README.txt b/samples/compression_test/README.txt new file mode 100644 index 000000000..fcf6fbd4a --- /dev/null +++ b/samples/compression_test/README.txt @@ -0,0 +1,32 @@ +Independent LZMA test +--------------------- + +This tool finds and extracts compressed stream, decompresses it and verifies if +decompressed one is identical as before compression. + +Building and running: + + change directory to the top of the repos: + + cd $ZEPHYR_BASE + cd .. + + build tool: + + g++ bootloader/mcuboot/samples/compression_test/independent_cmp.c -o indcmp + + build example application: + + west build -b nrf54l15dk/nrf54l15/cpuapp -p + -s zephyr/samples/hello_world/ -- + -DSB_CONFIG_BOOTLOADER_MCUBOOT=y + -DSB_CONFIG_MCUBOOT_MODE_OVERWRITE_ONLY=y + -DSB_CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT=y + + + compare application image with the one carried by signed binary: + + ./indcmp build/hello_world/zephyr/zephyr.signed.bin + build/hello_world/zephyr/zephyr.bin + + note: order of arguments matter. Compressed goes first. diff --git a/samples/compression_test/independent_cmp.c b/samples/compression_test/independent_cmp.c new file mode 100644 index 000000000..fc9a32675 --- /dev/null +++ b/samples/compression_test/independent_cmp.c @@ -0,0 +1,108 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#include +#include +#include +#include +#include + +#define EXPECTED_MAGIC 0x96f3b83d +#define LZMA_HEADER_SIZE 2 +#define FLAG_LZMA2 0x400 +#define FLAG_ARM_THUMB 0x800 + +struct __attribute__((__packed__)) image_header { + uint32_t magic; + uint32_t unused0; + uint16_t hdr_size; + uint16_t unused1; + uint32_t img_size; + uint32_t flags; +}; + +int main(int argc, char *argv[]) +{ + if (argc != 3) { + printf("needs 2 parameters: signed image file and application binary file\n\r"); + return EXIT_FAILURE; + } + + int app_fd = open(argv[2], O_NONBLOCK); + + if (app_fd < 0) { + printf("Opening signed image failed.\n\r"); + return EXIT_FAILURE; + } + int signed_fd = open(argv[1], O_NONBLOCK); + + if (signed_fd < 0) { + printf("Opening signed image failed.\n\r"); + return EXIT_FAILURE; + } + system("mkdir -p tmp; rm -rf tmp/stream*"); + struct image_header ih; + size_t rc = pread(signed_fd, &ih, sizeof(struct image_header), 0); + + if (ih.magic != EXPECTED_MAGIC) { + printf("Expected magic value at the start of signed image.\n\r"); + printf("Input files in wrong order?\n\r"); + return EXIT_FAILURE; + } + if (!ih.flags & FLAG_LZMA2) { + printf("Signed image is not compressed with LZMA2.\n\r"); + return EXIT_FAILURE; + } + int lzma_stream_size = ih.img_size - LZMA_HEADER_SIZE; + int lzma_stream_offset = ih.hdr_size + LZMA_HEADER_SIZE; + uint8_t *lzma_buf = (uint8_t *)malloc(lzma_stream_size); + + rc = pread(signed_fd, lzma_buf, lzma_stream_size, lzma_stream_offset); + if (rc != lzma_stream_size) { + printf("Error while reading compressed stream from signed image.\n\r"); + return EXIT_FAILURE; + } + int lzma_fd = creat("tmp/stream.lzma", 0600); + + write(lzma_fd, lzma_buf, lzma_stream_size); + close(lzma_fd); + if (ih.flags & FLAG_ARM_THUMB) { + system("unlzma --armthumb --lzma2 --format=raw --suffix=.lzma tmp/stream.lzma"); + } else { + system("unlzma --lzma2 --format=raw --suffix=.lzma tmp/stream.lzma"); + } + int unlzma_fd = open("tmp/stream", O_NONBLOCK); + int unlzma_size = lseek(unlzma_fd, 0L, SEEK_END); + int app_size = lseek(app_fd, 0L, SEEK_END); + + if (app_size != unlzma_size) { + printf("Decompressed stream size and application size mismatch.\n\r"); + return EXIT_FAILURE; + } + uint8_t *unlzma_buf = (uint8_t *)malloc(unlzma_size); + uint8_t *app_buf = (uint8_t *)malloc(app_size); + + rc = pread(app_fd, app_buf, app_size, 0); + if (rc != app_size) { + printf("Error while loading application binary.\n\r"); + return EXIT_FAILURE; + } + rc = pread(unlzma_fd, unlzma_buf, unlzma_size, 0); + if (rc != unlzma_size) { + printf("Error while loading decompressed stream.\n\r"); + return EXIT_FAILURE; + } + for (int i = 0; i < app_size; i++) { + if (app_buf[i] != unlzma_buf[i]) { + printf("Diff at %d\r\n", i); + return EXIT_FAILURE; + } + } + close(unlzma_fd); + close(app_fd); + printf("All checks OK.\n\r"); + return 0; +} diff --git a/samples/runtime-source/zephyr/README.md b/samples/runtime-source/zephyr/README.md new file mode 100644 index 000000000..e30c0b906 --- /dev/null +++ b/samples/runtime-source/zephyr/README.md @@ -0,0 +1,55 @@ +# Runtime chosen image sample application + +This sample demonstrates how to use a non flash storage to retrieve the image +being booted. It was tested on a FRDM K64F. Both slots are used to store two +different images. The image to be booted is selected based on a button press. + +## Build + +Build mcuboot. First, ensure ZEPHYR_SDK_INSTALL_DIR is defined. From the +sample directory, run the following commands: + +``` + source /zephyr-env.sh + + west build -p -b frdm_k64f ../../../boot/zephyr/ -- \ + -DEXTRA_ZEPHYR_MODULES=$PWD/hooks -DEXTRA_CONF_FILE="$PWD/sample.conf" + + west build -t flash +``` + +Then, build the sample application to be loaded. We need to build it twice, one +for each slot. From the sample +app directory (mcuboot/samples/non-flash-source/zephyr/app), run: + +``` + west build -p -b frdm_k64f . + west flash +``` + +Then change the overlay file to use the second slot. For instance, open +`boards/frdm_k64f.overlay` and change the line: + +``` + zephyr,code-partition = &slot0_partition; + +``` + +to: + +``` + zephyr,code-partition = &slot1_partition; +``` + +And build and flash again: + +``` + west build -b frdm_k64f . + west flash +``` + +## Run + +Open a serial terminal to see the output and reset the board. It shall boot the +image on slot0 by default. By keeping the SW2 button pressed during reset, the +bootloader will boot the one on slot1. diff --git a/samples/runtime-source/zephyr/app/CMakeLists.txt b/samples/runtime-source/zephyr/app/CMakeLists.txt new file mode 100644 index 000000000..63d893340 --- /dev/null +++ b/samples/runtime-source/zephyr/app/CMakeLists.txt @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: Apache-2.0 + +cmake_minimum_required(VERSION 3.20.0) + +find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) +project(non_flash_backend_app) + +if(NOT DEFINED FROM_WHO) + set(FROM_WHO Zephyr) +endif() + +target_compile_definitions(app PRIVATE "-DMCUBOOT_HELLO_WORLD_FROM=\"${FROM_WHO}\"") + +target_sources(app PRIVATE src/main.c) diff --git a/samples/runtime-source/zephyr/app/boards/frdm_k64f.overlay b/samples/runtime-source/zephyr/app/boards/frdm_k64f.overlay new file mode 100644 index 000000000..364d7e35e --- /dev/null +++ b/samples/runtime-source/zephyr/app/boards/frdm_k64f.overlay @@ -0,0 +1,5 @@ +/ { + chosen { + zephyr,code-partition = &slot0_partition; + }; +}; diff --git a/samples/runtime-source/zephyr/app/prj.conf b/samples/runtime-source/zephyr/app/prj.conf new file mode 100644 index 000000000..bf0ea6a28 --- /dev/null +++ b/samples/runtime-source/zephyr/app/prj.conf @@ -0,0 +1,3 @@ +CONFIG_BOOTLOADER_MCUBOOT=y + +CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="./bootloader/mcuboot/root-rsa-2048.pem" diff --git a/samples/runtime-source/zephyr/app/sample.yaml b/samples/runtime-source/zephyr/app/sample.yaml new file mode 100644 index 000000000..ed90d7d69 --- /dev/null +++ b/samples/runtime-source/zephyr/app/sample.yaml @@ -0,0 +1,10 @@ +sample: + name: Runtime source target + description: Application loaded from mcuboot using runtime source hooks +common: + build_only: true +tests: + sample.zephyr.runtime_source.app: + tags: samples tests runtime_source + platform_allow: + - frdm_k64f diff --git a/samples/runtime-source/zephyr/app/src/main.c b/samples/runtime-source/zephyr/app/src/main.c new file mode 100644 index 000000000..03e16e2cf --- /dev/null +++ b/samples/runtime-source/zephyr/app/src/main.c @@ -0,0 +1,15 @@ +/* + * Copyright (c) 2024 Intel Corporation + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include +#include + +int main(void) +{ + printk("Hello World from %s on %s, slot %s!\n", + MCUBOOT_HELLO_WORLD_FROM, CONFIG_BOARD, + DT_PROP(DT_CHOSEN(zephyr_code_partition), label)); +} diff --git a/samples/runtime-source/zephyr/hooks/CMakeLists.txt b/samples/runtime-source/zephyr/hooks/CMakeLists.txt new file mode 100644 index 000000000..d7d05669b --- /dev/null +++ b/samples/runtime-source/zephyr/hooks/CMakeLists.txt @@ -0,0 +1,3 @@ +zephyr_library() +zephyr_library_sources(hooks.c) +zephyr_library_link_libraries(MCUBOOT_BOOTUTIL) diff --git a/samples/runtime-source/zephyr/hooks/hooks.c b/samples/runtime-source/zephyr/hooks/hooks.c new file mode 100644 index 000000000..849ce8014 --- /dev/null +++ b/samples/runtime-source/zephyr/hooks/hooks.c @@ -0,0 +1,114 @@ +/* + * Copyright (c) 2024 Intel Corporation + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include +#include + +#include "bootutil/bootutil.h" +#include "bootutil/bootutil_public.h" +#include "bootutil/fault_injection_hardening.h" + +#define BOOT_TMPBUF_SZ 256 + +static struct image_header _hdr; +static uint8_t tmpbuf[BOOT_TMPBUF_SZ]; + +static uint8_t known_ids[] = { + FIXED_PARTITION_ID(slot0_partition), + FIXED_PARTITION_ID(slot1_partition), +}; + +static int current_id; + +#define SW1_NODE DT_ALIAS(sw1) +#if DT_NODE_HAS_STATUS(SW1_NODE, okay) +static struct gpio_dt_spec sw1_spec = GPIO_DT_SPEC_GET(SW1_NODE, gpios); +#endif + +fih_ret boot_go_hook(struct boot_rsp *rsp) +{ + int rc; +#ifdef MCUBOOT_RAM_LOAD + struct boot_loader_state *state; +#endif + FIH_DECLARE(fih_rc, FIH_FAILURE); + const struct flash_area *_fa_p; + + current_id = 0; + +#if DT_NODE_HAS_STATUS(SW1_NODE, okay) + if (gpio_pin_configure_dt(&sw1_spec, GPIO_INPUT) == 0) { + if (gpio_pin_get_dt(&sw1_spec) == 1) { + current_id = ARRAY_SIZE(known_ids) - 1; + printk("%s pressed, forcing boot from partition %u\n", + sw1_spec.port->name, known_ids[current_id]); + } else { + printk("%s not pressed, looping partitions to boot\n", + sw1_spec.port->name); + } + } +#else + printk("SW1 not defined, looping partitions to boot\n"); +#endif + + for ( ; current_id < ARRAY_SIZE(known_ids); current_id++) { + printk("Trying to boot from fixed partition %u\n", + known_ids[current_id]); + + rc = flash_area_open(known_ids[current_id], &_fa_p); + if (rc != 0) { + continue; + } + + rc = boot_image_load_header(_fa_p, &_hdr); + if (rc != 0) { + flash_area_close(_fa_p); + continue; + } + +#ifdef MCUBOOT_RAM_LOAD + state = boot_get_loader_state(); + + rc = boot_load_image_from_flash_to_sram(state, &_hdr); + if (rc != 0) { + flash_area_close(_fa_p); + continue; + } +#endif + + FIH_CALL(bootutil_img_validate, fih_rc, NULL, &_hdr, _fa_p, tmpbuf, + BOOT_TMPBUF_SZ, NULL, 0, NULL); + if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { + flash_area_close(_fa_p); +#ifdef MCUBOOT_RAM_LOAD + boot_remove_image_from_sram(state); +#endif + continue; + } + + rsp->br_flash_dev_id = flash_area_get_device_id(_fa_p); + rsp->br_image_off = flash_area_get_off(_fa_p); + rsp->br_hdr = &_hdr; + + flash_area_close(_fa_p); + break; + } + + FIH_RET(fih_rc); +} + +int flash_area_id_from_multi_image_slot_hook(int image_index, int slot, + int *area_id) +{ + *area_id = known_ids[current_id]; + + return 0; +} + +int flash_area_get_device_id_hook(const struct flash_area *fa, uint8_t *dev_id) +{ + return BOOT_HOOK_REGULAR; +} diff --git a/samples/runtime-source/zephyr/hooks/zephyr/module.yml b/samples/runtime-source/zephyr/hooks/zephyr/module.yml new file mode 100644 index 000000000..2beee397c --- /dev/null +++ b/samples/runtime-source/zephyr/hooks/zephyr/module.yml @@ -0,0 +1,3 @@ +name: testmod +build: + cmake: . diff --git a/samples/runtime-source/zephyr/sample.conf b/samples/runtime-source/zephyr/sample.conf new file mode 100644 index 000000000..fc9764ae0 --- /dev/null +++ b/samples/runtime-source/zephyr/sample.conf @@ -0,0 +1,8 @@ +CONFIG_FLASH_RUNTIME_SOURCES=y +CONFIG_SINGLE_APPLICATION_SLOT=y +CONFIG_BOOT_SIGNATURE_TYPE_RSA=y +CONFIG_TEST_RANDOM_GENERATOR=y +CONFIG_ENTROPY_GENERATOR=y + +CONFIG_BOOT_GO_HOOKS=y +CONFIG_BOOT_FLASH_AREA_HOOKS=y diff --git a/sim/Cargo.toml b/sim/Cargo.toml index 7cef823d8..6d2262d90 100644 --- a/sim/Cargo.toml +++ b/sim/Cargo.toml @@ -15,6 +15,7 @@ sig-ecdsa-psa = ["mcuboot-sys/sig-ecdsa-psa", "mcuboot-sys/psa-crypto-api"] sig-p384 = ["mcuboot-sys/sig-p384"] sig-ed25519 = ["mcuboot-sys/sig-ed25519"] overwrite-only = ["mcuboot-sys/overwrite-only"] +swap-offset = ["mcuboot-sys/swap-offset"] swap-move = ["mcuboot-sys/swap-move"] validate-primary-slot = ["mcuboot-sys/validate-primary-slot"] enc-rsa = ["mcuboot-sys/enc-rsa"] diff --git a/sim/mcuboot-sys/Cargo.toml b/sim/mcuboot-sys/Cargo.toml index ab97bbfe1..f2eb70634 100644 --- a/sim/mcuboot-sys/Cargo.toml +++ b/sim/mcuboot-sys/Cargo.toml @@ -36,6 +36,10 @@ sig-ed25519 = [] # Overwrite only upgrade overwrite-only = [] +# Swap using offset mode +swap-offset = [] + +# Swap using move move swap-move = [] # Disable validation of the primary slot diff --git a/sim/mcuboot-sys/build.rs b/sim/mcuboot-sys/build.rs index 47ee880c5..e74a086d0 100644 --- a/sim/mcuboot-sys/build.rs +++ b/sim/mcuboot-sys/build.rs @@ -20,6 +20,7 @@ fn main() { let sig_ed25519 = env::var("CARGO_FEATURE_SIG_ED25519").is_ok(); let overwrite_only = env::var("CARGO_FEATURE_OVERWRITE_ONLY").is_ok(); let swap_move = env::var("CARGO_FEATURE_SWAP_MOVE").is_ok(); + let swap_offset = env::var("CARGO_FEATURE_SWAP_OFFSET").is_ok(); let validate_primary_slot = env::var("CARGO_FEATURE_VALIDATE_PRIMARY_SLOT").is_ok(); let enc_rsa = env::var("CARGO_FEATURE_ENC_RSA").is_ok(); @@ -253,7 +254,9 @@ fn main() { conf.conf.define("MCUBOOT_OVERWRITE_ONLY", None); } - if swap_move { + if swap_offset { + conf.conf.define("MCUBOOT_SWAP_USING_OFFSET", None); + } else if swap_move { conf.conf.define("MCUBOOT_SWAP_USING_MOVE", None); } else if !overwrite_only && !direct_xip && !ram_load { conf.conf.define("CONFIG_BOOT_SWAP_USING_SCRATCH", None); @@ -461,6 +464,7 @@ fn main() { conf.file("../../boot/bootutil/src/swap_misc.c"); conf.file("../../boot/bootutil/src/swap_scratch.c"); conf.file("../../boot/bootutil/src/swap_move.c"); + conf.file("../../boot/bootutil/src/swap_offset.c"); conf.file("../../boot/bootutil/src/caps.c"); conf.file("../../boot/bootutil/src/bootutil_misc.c"); conf.file("../../boot/bootutil/src/bootutil_public.c"); diff --git a/sim/mcuboot-sys/csupport/run.c b/sim/mcuboot-sys/csupport/run.c index 98689968f..24e50adc1 100644 --- a/sim/mcuboot-sys/csupport/run.c +++ b/sim/mcuboot-sys/csupport/run.c @@ -7,6 +7,7 @@ #include #include #include +#include #include @@ -278,7 +279,7 @@ int invoke_boot_go(struct sim_context *ctx, struct area_desc *adesc, sim_reset_flash_areas(); sim_reset_context(); free(state); - /* printf("boot_go off: %d (0x%08x)\n", res, rsp.br_image_off); */ + /* printf("boot_go off: %d (0x%08x)\n", res, rsp->br_image_off); */ return res; } else { sim_reset_flash_areas(); @@ -369,6 +370,7 @@ int flash_area_erase(const struct flash_area *area, uint32_t off, uint32_t len) int flash_area_to_sectors(int idx, int *cnt, struct flash_area *ret) { + int rc = 0; uint32_t i; struct area *slot; struct area_desc *flash_areas; @@ -385,20 +387,21 @@ int flash_area_to_sectors(int idx, int *cnt, struct flash_area *ret) slot = &flash_areas->slots[i]; - if (slot->num_areas > (uint32_t)*cnt) { - printf("Too many areas in slot\n"); - abort(); + if ((uint32_t)*cnt > slot->num_areas) { + *cnt = slot->num_areas; + } else if (slot->num_areas > (uint32_t)*cnt) { + rc = -ENOMEM; } - *cnt = slot->num_areas; - memcpy(ret, slot->areas, slot->num_areas * sizeof(struct flash_area)); + memcpy(ret, slot->areas, *cnt * sizeof(struct flash_area)); - return 0; + return rc; } int flash_area_get_sectors(int fa_id, uint32_t *count, struct flash_sector *sectors) { + int rc = 0; uint32_t i; struct area *slot; struct area_desc *flash_areas; @@ -415,19 +418,19 @@ int flash_area_get_sectors(int fa_id, uint32_t *count, slot = &flash_areas->slots[i]; - if (slot->num_areas > *count) { - printf("Too many areas in slot\n"); - abort(); + if (*count > slot->num_areas) { + *count = slot->num_areas; + } else if (slot->num_areas > *count) { + rc = -ENOMEM; } - for (i = 0; i < slot->num_areas; i++) { + for (i = 0; i < *count; i++) { sectors[i].fs_off = slot->areas[i].fa_off - slot->whole.fa_off; sectors[i].fs_size = slot->areas[i].fa_size; } - *count = slot->num_areas; - return 0; + return rc; } int flash_area_id_to_multi_image_slot(int image_index, int area_id) diff --git a/sim/mcuboot-sys/src/area.rs b/sim/mcuboot-sys/src/area.rs index 1ebb40552..c41e33f83 100644 --- a/sim/mcuboot-sys/src/area.rs +++ b/sim/mcuboot-sys/src/area.rs @@ -149,6 +149,13 @@ impl AreaDesc { pub fn iter_areas(&self) -> impl Iterator { self.whole.iter() } + + /// Return the list of sectors of a given flash area. + pub fn get_area_sectors(&self, flash_id: FlashId) -> Option<&Vec> { + self.areas.iter() + .filter(|area| !area.is_empty()) + .find(|area| area[0].flash_id == flash_id) + } } /// The area descriptor, C format. diff --git a/sim/src/caps.rs b/sim/src/caps.rs index d8dd068ec..2b98ab6f3 100644 --- a/sim/src/caps.rs +++ b/sim/src/caps.rs @@ -30,6 +30,7 @@ pub enum Caps { DirectXip = (1 << 17), HwRollbackProtection = (1 << 18), EcdsaP384 = (1 << 19), + SwapUsingOffset = (1 << 20), } impl Caps { diff --git a/sim/src/image.rs b/sim/src/image.rs index 4cd648832..0aafd1563 100644 --- a/sim/src/image.rs +++ b/sim/src/image.rs @@ -234,21 +234,21 @@ impl ImagesBuilder { let (primaries,upgrades) = if img_manipulation == ImageManipulation::CorruptHigherVersionImage && !higher_version_corrupted { higher_version_corrupted = true; - let prim = install_image(&mut flash, &slots[0], - maximal(42784), &ram, &*dep, ImageManipulation::None, Some(0)); + let prim = install_image(&mut flash, &self.areadesc, &slots[0], + maximal(42784), &ram, &*dep, ImageManipulation::None, Some(0), false); let upgr = match deps.depends[image_num] { DepType::NoUpgrade => install_no_image(), - _ => install_image(&mut flash, &slots[1], - maximal(46928), &ram, &*dep, ImageManipulation::BadSignature, Some(0)) + _ => install_image(&mut flash, &self.areadesc, &slots[1], + maximal(46928), &ram, &*dep, ImageManipulation::BadSignature, Some(0), true) }; (prim, upgr) } else { - let prim = install_image(&mut flash, &slots[0], - maximal(42784), &ram, &*dep, img_manipulation, Some(0)); + let prim = install_image(&mut flash, &self.areadesc, &slots[0], + maximal(42784), &ram, &*dep, img_manipulation, Some(0), false); let upgr = match deps.depends[image_num] { DepType::NoUpgrade => install_no_image(), - _ => install_image(&mut flash, &slots[1], - maximal(46928), &ram, &*dep, img_manipulation, Some(0)) + _ => install_image(&mut flash, &self.areadesc, &slots[1], + maximal(46928), &ram, &*dep, img_manipulation, Some(0), true) }; (prim, upgr) }; @@ -298,10 +298,10 @@ impl ImagesBuilder { let ram = self.ram.clone(); // TODO: Avoid this clone. let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); - let primaries = install_image(&mut bad_flash, &slots[0], - maximal(32784), &ram, &dep, ImageManipulation::None, Some(0)); - let upgrades = install_image(&mut bad_flash, &slots[1], - maximal(41928), &ram, &dep, ImageManipulation::BadSignature, Some(0)); + let primaries = install_image(&mut bad_flash, &self.areadesc, &slots[0], + maximal(32784), &ram, &dep, ImageManipulation::None, Some(0), false); + let upgrades = install_image(&mut bad_flash, &self.areadesc, &slots[1], + maximal(41928), &ram, &dep, ImageManipulation::BadSignature, Some(0), true); OneImage { slots, primaries, @@ -321,10 +321,10 @@ impl ImagesBuilder { let ram = self.ram.clone(); // TODO: Avoid this clone. let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); - let primaries = install_image(&mut bad_flash, &slots[0], - maximal(32784), &ram, &dep, ImageManipulation::None, Some(0)); - let upgrades = install_image(&mut bad_flash, &slots[1], - ImageSize::Oversized, &ram, &dep, ImageManipulation::None, Some(0)); + let primaries = install_image(&mut bad_flash, &self.areadesc, &slots[0], + maximal(32784), &ram, &dep, ImageManipulation::None, Some(0), false); + let upgrades = install_image(&mut bad_flash, &self.areadesc, &slots[1], + ImageSize::Oversized, &ram, &dep, ImageManipulation::None, Some(0), true); OneImage { slots, primaries, @@ -344,8 +344,8 @@ impl ImagesBuilder { let ram = self.ram.clone(); // TODO: Avoid this clone. let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); - let primaries = install_image(&mut flash, &slots[0], - maximal(32784), &ram, &dep,ImageManipulation::None, Some(0)); + let primaries = install_image(&mut flash, &self.areadesc, &slots[0], + maximal(32784), &ram, &dep,ImageManipulation::None, Some(0), false); let upgrades = install_no_image(); OneImage { slots, @@ -367,8 +367,8 @@ impl ImagesBuilder { let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); let primaries = install_no_image(); - let upgrades = install_image(&mut flash, &slots[1], - maximal(32784), &ram, &dep, ImageManipulation::None, Some(0)); + let upgrades = install_image(&mut flash, &self.areadesc, &slots[1], + maximal(32784), &ram, &dep, ImageManipulation::None, Some(0), true); OneImage { slots, primaries, @@ -389,8 +389,8 @@ impl ImagesBuilder { let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); let primaries = install_no_image(); - let upgrades = install_image(&mut flash, &slots[1], - ImageSize::Oversized, &ram, &dep, ImageManipulation::None, Some(0)); + let upgrades = install_image(&mut flash, &self.areadesc, &slots[1], + ImageSize::Oversized, &ram, &dep, ImageManipulation::None, Some(0), true); OneImage { slots, primaries, @@ -411,10 +411,10 @@ impl ImagesBuilder { let ram = self.ram.clone(); // TODO: Avoid this clone. let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); - let primaries = install_image(&mut flash, &slots[0], - maximal(32784), &ram, &dep, ImageManipulation::None, security_cnt); - let upgrades = install_image(&mut flash, &slots[1], - maximal(41928), &ram, &dep, ImageManipulation::None, security_cnt.map(|v| v + 1)); + let primaries = install_image(&mut flash, &self.areadesc, &slots[0], + maximal(32784), &ram, &dep, ImageManipulation::None, security_cnt, false); + let upgrades = install_image(&mut flash, &self.areadesc, &slots[1], + maximal(41928), &ram, &dep, ImageManipulation::None, security_cnt.map(|v| v + 1), true); OneImage { slots, primaries, @@ -451,7 +451,30 @@ impl ImagesBuilder { let mut flash = SimMultiFlash::new(); flash.insert(dev_id, dev); - (flash, Rc::new(areadesc), &[Caps::SwapUsingMove]) + (flash, Rc::new(areadesc), &[Caps::SwapUsingMove, Caps::SwapUsingOffset]) + } + DeviceName::Stm32f4SpiFlash => { + // STM style internal flash and external SPI flash. + let dev0 = SimFlash::new(vec![ + 16 * 1024, 16 * 1024, 16 * 1024, 16 * 1024, 64 * 1024, + 32 * 1024, 32 * 1024, 64 * 1024, + 32 * 1024, 32 * 1024, 64 * 1024, + 128 * 1024], + align as usize, erased_val); + + let dev1: SimFlash = SimFlash::new(vec![8192; 64], align as usize, erased_val); + + let mut areadesc = AreaDesc::new(); + areadesc.add_flash_sectors(0, &dev0); + areadesc.add_flash_sectors(1, &dev1); + areadesc.add_image(0x020000, 0x020000, FlashId::Image0, 0); + areadesc.add_image(0x000000, 0x020000, FlashId::Image1, 1); + areadesc.add_image(0x020000, 0x020000, FlashId::ImageScratch, 1); + + let mut flash = SimMultiFlash::new(); + flash.insert(0, dev0); + flash.insert(1, dev1); + (flash, Rc::new(areadesc), &[Caps::SwapUsingMove, Caps::SwapUsingOffset]) } DeviceName::K64f => { // NXP style flash. Small sectors, one small sector for scratch. @@ -482,7 +505,7 @@ impl ImagesBuilder { let mut flash = SimMultiFlash::new(); flash.insert(dev_id, dev); - (flash, Rc::new(areadesc), &[Caps::SwapUsingMove]) + (flash, Rc::new(areadesc), &[Caps::SwapUsingMove, Caps::SwapUsingOffset]) } DeviceName::Nrf52840 => { // Simulating the flash on the nrf52840 with partitions set up so that the scratch size @@ -511,7 +534,20 @@ impl ImagesBuilder { let mut flash = SimMultiFlash::new(); flash.insert(dev_id, dev); - (flash, Rc::new(areadesc), &[Caps::SwapUsingScratch, Caps::OverwriteUpgrade]) + (flash, Rc::new(areadesc), &[Caps::SwapUsingScratch, Caps::OverwriteUpgrade, Caps::SwapUsingOffset]) + } + DeviceName::Nrf52840UnequalSlotsLargerSlot1 => { + let dev = SimFlash::new(vec![4096; 128], align as usize, erased_val); + + let dev_id = 0; + let mut areadesc = AreaDesc::new(); + areadesc.add_flash_sectors(dev_id, &dev); + areadesc.add_image(0x008000, 0x03b000, FlashId::Image0, dev_id); + areadesc.add_image(0x043000, 0x03c000, FlashId::Image1, dev_id); + + let mut flash = SimMultiFlash::new(); + flash.insert(dev_id, dev); + (flash, Rc::new(areadesc), &[Caps::SwapUsingScratch, Caps::OverwriteUpgrade, Caps::SwapUsingMove, Caps::RamLoad, Caps::DirectXip]) } DeviceName::Nrf52840SpiFlash => { // Simulate nrf52840 with external SPI flash. The external SPI flash @@ -530,7 +566,7 @@ impl ImagesBuilder { let mut flash = SimMultiFlash::new(); flash.insert(0, dev0); flash.insert(1, dev1); - (flash, Rc::new(areadesc), &[Caps::SwapUsingMove]) + (flash, Rc::new(areadesc), &[Caps::SwapUsingMove, Caps::SwapUsingOffset]) } DeviceName::K64fMulti => { // NXP style flash, but larger, to support multiple images. @@ -653,7 +689,7 @@ impl Images { } fn is_swap_upgrade(&self) -> bool { - Caps::SwapUsingScratch.present() || Caps::SwapUsingMove.present() + Caps::SwapUsingScratch.present() || Caps::SwapUsingMove.present() || Caps::SwapUsingOffset.present() } pub fn run_basic_revert(&self) -> bool { @@ -1718,31 +1754,65 @@ enum ImageSize { Oversized, } -#[cfg(not(feature = "max-align-32"))] -fn tralier_estimation(dev: &dyn Flash) -> usize { - c::boot_trailer_sz(dev.align() as u32) as usize -} +/// Estimate the number of bytes in each slot that must be reserved for the trailer when +/// swap-scratch is used. +fn estimate_swap_scratch_trailer_size(dev: &dyn Flash, areadesc: &AreaDesc, slot: &SlotInfo) -> usize { + // Compute the minimal size that must be allocated to the trailer, without considering the + // trailer in the sratch area. + let mut trailer_sz = c::boot_trailer_sz(dev.align() as u32) as usize; + + // If the trailer is not a multiple of the sector size, the last sector that can hold firmware + // data also contains the trailer or a part of it. Let's compute the size of the part of the + // trailer that is in the last firmware sector. + let mut trailer_sz_in_fw_sector = trailer_sz; + + let flash_id = match slot.index { + 0 => FlashId::Image0, + 1 => FlashId::Image1, + _ => panic!("Invalid slot index"), + }; -#[cfg(feature = "max-align-32")] -fn tralier_estimation(dev: &dyn Flash) -> usize { + let slot_sectors = areadesc.get_area_sectors(flash_id).unwrap(); - let sector_size = dev.sector_iter().next().unwrap().size as u32; + for sector in slot_sectors.iter().rev() { + let sector_sz = sector.size as usize; - align_up(c::boot_trailer_sz(dev.align() as u32), sector_size) as usize + if sector_sz > trailer_sz_in_fw_sector { + break; + } + + trailer_sz_in_fw_sector -= sector_sz; + } + + // If the trailer is not a multiple of the sector size, when the last sector containing firmware + // data will be copied to the scratch area, it must be ensured enough space is left to write the + // scratch trailer. + if trailer_sz_in_fw_sector != 0 { + // The scratch contains a single boot status entry + let boot_status_entry_sz = 3 * dev.align(); + let trailer_info_sz = trailer_sz - c::boot_status_sz(dev.align() as u32) as usize; + let scratch_trailer_sz = boot_status_entry_sz + trailer_info_sz; + + if scratch_trailer_sz > trailer_sz_in_fw_sector { + trailer_sz += scratch_trailer_sz - trailer_sz_in_fw_sector; + } + } + + trailer_sz } -fn image_largest_trailer(dev: &dyn Flash) -> usize { +fn image_largest_trailer(dev: &dyn Flash, areadesc: &AreaDesc, slot: &SlotInfo) -> usize { // Using the header size we know, the trailer size, and the slot size, we can compute // the largest image possible. let trailer = if Caps::OverwriteUpgrade.present() { // This computation is incorrect, and we need to figure out the correct size. // c::boot_status_sz(dev.align() as u32) as usize 16 + 4 * dev.align() - } else if Caps::SwapUsingMove.present() { + } else if Caps::SwapUsingOffset.present() || Caps::SwapUsingMove.present() { let sector_size = dev.sector_iter().next().unwrap().size as u32; align_up(c::boot_trailer_sz(dev.align() as u32), sector_size) as usize } else if Caps::SwapUsingScratch.present() { - tralier_estimation(dev) + estimate_swap_scratch_trailer_size(dev, areadesc, slot) } else { panic!("The maximum image size can't be calculated.") }; @@ -1752,15 +1822,21 @@ fn image_largest_trailer(dev: &dyn Flash) -> usize { /// Install a "program" into the given image. This fakes the image header, or at least all of the /// fields used by the given code. Returns a copy of the image that was written. -fn install_image(flash: &mut SimMultiFlash, slot: &SlotInfo, len: ImageSize, +fn install_image(flash: &mut SimMultiFlash, areadesc: &AreaDesc, slot: &SlotInfo, len: ImageSize, ram: &RamData, - deps: &dyn Depender, img_manipulation: ImageManipulation, security_counter:Option) -> ImageData { - let offset = slot.base_off; + deps: &dyn Depender, img_manipulation: ImageManipulation, security_counter:Option, secondary_slot:bool) -> ImageData { + let mut offset = slot.base_off; let slot_len = slot.len; let dev_id = slot.dev_id; let dev = flash.get_mut(&dev_id).unwrap(); let mut tlv: Box = Box::new(make_tlv()); + + if Caps::SwapUsingOffset.present() && secondary_slot { + let sector_size = dev.sector_iter().next().unwrap().size as usize; + offset += sector_size; + } + if img_manipulation == ImageManipulation::IgnoreRamLoadFlag { tlv.set_ignore_ram_load_flag(); } @@ -1789,20 +1865,28 @@ fn install_image(flash: &mut SimMultiFlash, slot: &SlotInfo, len: ImageSize, let len = match len { ImageSize::Given(size) => size, ImageSize::Largest => { - let trailer = image_largest_trailer(dev); + let trailer = image_largest_trailer(dev, &areadesc, &slot); let tlv_len = tlv.estimate_size(); info!("slot: 0x{:x}, HDR: 0x{:x}, trailer: 0x{:x}", slot_len, HDR_SIZE, trailer); slot_len - HDR_SIZE - trailer - tlv_len }, ImageSize::Oversized => { - let trailer = image_largest_trailer(dev); + let trailer = image_largest_trailer(dev, &areadesc, &slot); let tlv_len = tlv.estimate_size(); + let mut sector_offset = 0; + + if Caps::SwapUsingOffset.present() && secondary_slot { + // This accounts for when both slots have the same size, it will not work where + // the second slot is one sector larger than the primary + sector_offset = dev.sector_iter().next().unwrap().size as usize; + } + info!("slot: 0x{:x}, HDR: 0x{:x}, trailer: 0x{:x}", slot_len, HDR_SIZE, trailer); // the overflow size is rougly estimated to work for all // configurations. It might be precise if tlv_len will be maked precise. - slot_len - HDR_SIZE - trailer - tlv_len + dev.align()*4 + slot_len - HDR_SIZE - trailer - tlv_len - sector_offset + dev.align()*4 } }; @@ -2046,17 +2130,37 @@ fn verify_image(flash: &SimMultiFlash, slot: &SlotInfo, images: &ImageData) -> b let dev = flash.get(&dev_id).unwrap(); dev.read(offset, &mut copy).unwrap(); - if buf != ©[..] { - for i in 0 .. buf.len() { - if buf[i] != copy[i] { - info!("First failure for slot{} at {:#x} ({:#x} within) {:#x}!={:#x}", - slot.index, offset + i, i, buf[i], copy[i]); - break; + if Caps::SwapUsingOffset.present() && (slot.index % 2) == 1 { + let sector_size = dev.sector_iter().next().unwrap().size as usize; + let mut copy_offset = vec![0u8; buf.len()]; + let offset_offset = slot.base_off + sector_size; + dev.read(offset_offset, &mut copy_offset).unwrap(); + + if buf != ©[..] && buf != ©_offset[..] { + for i in 0 .. buf.len() { + if buf[i] != copy[i] && buf[i] != copy_offset[i] { + info!("First failure for slot{} at {:#x} ({:#x} within) {:#x}!=({:#x} or {:#x})", + slot.index, offset + i, i, buf[i], copy[i], copy_offset[i]); + break; + } } + false + } else { + true } - false } else { - true + if buf != ©[..] { + for i in 0 .. buf.len() { + if buf[i] != copy[i] { + info!("First failure for slot{} at {:#x} ({:#x} within) {:#x}!={:#x}", + slot.index, offset + i, i, buf[i], copy[i]); + break; + } + } + false + } else { + true + } } } @@ -2294,6 +2398,7 @@ trait AsRaw : Sized { /// Returns an ImageSize representing the best size to test, possibly just with the given size. fn maximal(size: usize) -> ImageSize { if Caps::OverwriteUpgrade.present() || + Caps::SwapUsingOffset.present() || Caps::SwapUsingMove.present() { ImageSize::Given(size) diff --git a/sim/src/lib.rs b/sim/src/lib.rs index fe43e46bc..8c648ca63 100644 --- a/sim/src/lib.rs +++ b/sim/src/lib.rs @@ -63,30 +63,34 @@ struct Args { #[derive(Copy, Clone, Debug, Deserialize)] pub enum DeviceName { - Stm32f4, K64f, K64fBig, K64fMulti, Nrf52840, Nrf52840SpiFlash, - Nrf52840UnequalSlots, + Stm32f4, Stm32f4SpiFlash, K64f, K64fBig, K64fMulti, Nrf52840, Nrf52840SpiFlash, + Nrf52840UnequalSlots, Nrf52840UnequalSlotsLargerSlot1, } pub static ALL_DEVICES: &[DeviceName] = &[ DeviceName::Stm32f4, + DeviceName::Stm32f4SpiFlash, DeviceName::K64f, DeviceName::K64fBig, DeviceName::K64fMulti, DeviceName::Nrf52840, DeviceName::Nrf52840SpiFlash, DeviceName::Nrf52840UnequalSlots, + DeviceName::Nrf52840UnequalSlotsLargerSlot1, ]; impl fmt::Display for DeviceName { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { let name = match *self { DeviceName::Stm32f4 => "stm32f4", + DeviceName::Stm32f4SpiFlash => "stm32f4SpiFlash", DeviceName::K64f => "k64f", DeviceName::K64fBig => "k64fbig", DeviceName::K64fMulti => "k64fmulti", DeviceName::Nrf52840 => "nrf52840", DeviceName::Nrf52840SpiFlash => "Nrf52840SpiFlash", DeviceName::Nrf52840UnequalSlots => "Nrf52840UnequalSlots", + DeviceName::Nrf52840UnequalSlotsLargerSlot1 => "Nrf52840UnequalSlotsLargerSlot1", }; f.write_str(name) } diff --git a/zephyr/module.yml b/zephyr/module.yml index 9360dbf70..b73ae2a0d 100644 --- a/zephyr/module.yml +++ b/zephyr/module.yml @@ -4,3 +4,7 @@ build: cmake-ext: True kconfig-ext: True sysbuild-cmake: boot/zephyr/sysbuild +package-managers: + pip: + requirement-files: + - zephyr/requirements.txt diff --git a/zephyr/requirements.txt b/zephyr/requirements.txt new file mode 100644 index 000000000..0eaed4d84 --- /dev/null +++ b/zephyr/requirements.txt @@ -0,0 +1,2 @@ +cbor>=1.0.0 +imgtool>=2.1.0