From bc4478c9467186d01d0987d50ebefbc250572c73 Mon Sep 17 00:00:00 2001 From: Karambite <01sudesh.e@gmail.com> Date: Tue, 19 Nov 2024 08:50:26 -0600 Subject: [PATCH 001/228] IAR compiler compatibility break in image.h Signed-off-by: Karambite <01sudesh.e@gmail.com> --- boot/bootutil/include/bootutil/image.h | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h index 05e04438b..243910815 100644 --- a/boot/bootutil/include/bootutil/image.h +++ b/boot/bootutil/include/bootutil/image.h @@ -36,8 +36,10 @@ extern "C" { #endif -#ifndef __packed -#define __packed __attribute__((__packed__)) +#if defined(__IAR_SYSTEMS_ICC__) + #define STRUCT_PACKED __packed struct +#else + #define STRUCT_PACKED struct __attribute__((__packed__)) #endif struct flash_area; @@ -136,12 +138,12 @@ struct flash_area; */ #define IMAGE_TLV_ANY 0xffff /* Used to iterate over all TLV */ -struct image_version { +STRUCT_PACKED image_version { uint8_t iv_major; uint8_t iv_minor; uint16_t iv_revision; uint32_t iv_build_num; -} __packed; +}; struct image_dependency { uint8_t image_id; /* Image index (from 0) */ @@ -154,7 +156,7 @@ struct image_dependency { }; /** Image header. All fields are in little endian byte order. */ -struct image_header { +STRUCT_PACKED image_header { uint32_t ih_magic; uint32_t ih_load_addr; uint16_t ih_hdr_size; /* Size of image header (bytes). */ @@ -163,19 +165,19 @@ struct image_header { uint32_t ih_flags; /* IMAGE_F_[...]. */ struct image_version ih_ver; uint32_t _pad1; -} __packed; +}; /** Image TLV header. All fields in little endian. */ -struct image_tlv_info { +STRUCT_PACKED image_tlv_info { uint16_t it_magic; uint16_t it_tlv_tot; /* size of TLV area (including tlv_info header) */ -} __packed; +}; /** Image trailer TLV format. All fields in little endian. */ -struct image_tlv { +STRUCT_PACKED image_tlv { uint16_t it_type; /* IMAGE_TLV_[...]. */ uint16_t it_len; /* Data length (not including TLV header). */ -} __packed; +}; #define ENCRYPTIONFLAGS (IMAGE_F_ENCRYPTED_AES128 | IMAGE_F_ENCRYPTED_AES256) #define IS_ENCRYPTED(hdr) (((hdr)->ih_flags & IMAGE_F_ENCRYPTED_AES128) \ From 95773edf33082a1689795e0278c14b2da1e6ab74 Mon Sep 17 00:00:00 2001 From: TOKITA Hiroshi Date: Sun, 22 Dec 2024 08:33:12 +0900 Subject: [PATCH 002/228] boot: zephyr: boards: add support for M5stack CoreS3/CoreS3SE Add m5stack_cores3/esp32s3/procpu and m5stack_cores3/esp32s3/procpu/se board targets. Adds an overlay to disable devices that cause dependency conflicts. Signed-off-by: TOKITA Hiroshi --- .../m5stack_cores3_esp32s3_procpu.overlay | 17 +++++++++++++++++ .../m5stack_cores3_esp32s3_procpu_se.overlay | 17 +++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 boot/zephyr/boards/m5stack_cores3_esp32s3_procpu.overlay create mode 100644 boot/zephyr/boards/m5stack_cores3_esp32s3_procpu_se.overlay diff --git a/boot/zephyr/boards/m5stack_cores3_esp32s3_procpu.overlay b/boot/zephyr/boards/m5stack_cores3_esp32s3_procpu.overlay new file mode 100644 index 000000000..f0740c854 --- /dev/null +++ b/boot/zephyr/boards/m5stack_cores3_esp32s3_procpu.overlay @@ -0,0 +1,17 @@ +/* + * Copyright (c) 2024 TOKITA Hiroshi + * + * SPDX-License-Identifier: Apache-2.0 + */ + +&aw9523b { + status = "disabled"; +}; + +&aw9523b_gpio { + status = "disabled"; +}; + +&ft6336_touch { + status = "disabled"; +}; diff --git a/boot/zephyr/boards/m5stack_cores3_esp32s3_procpu_se.overlay b/boot/zephyr/boards/m5stack_cores3_esp32s3_procpu_se.overlay new file mode 100644 index 000000000..f0740c854 --- /dev/null +++ b/boot/zephyr/boards/m5stack_cores3_esp32s3_procpu_se.overlay @@ -0,0 +1,17 @@ +/* + * Copyright (c) 2024 TOKITA Hiroshi + * + * SPDX-License-Identifier: Apache-2.0 + */ + +&aw9523b { + status = "disabled"; +}; + +&aw9523b_gpio { + status = "disabled"; +}; + +&ft6336_touch { + status = "disabled"; +}; From 1c04eac60b3bc2552023d9276850d19d5f343ea1 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Thu, 12 Sep 2024 19:37:40 +0000 Subject: [PATCH 003/228] imgtool: Add pure signature support Adds PureEdDSA signature support. The change includes implementation of SIG_PURE TLV that, when present, indicates the signature that is present is Pure type. Signed-off-by: Dominik Ermel Signed-off-by: Mateusz Michalek --- scripts/imgtool/image.py | 74 ++++++++++++++++++++++++++++++++-------- scripts/imgtool/main.py | 26 ++++++++++---- 2 files changed, 80 insertions(+), 20 deletions(-) diff --git a/scripts/imgtool/image.py b/scripts/imgtool/image.py index 5fec3c1b7..88ef7b90c 100644 --- a/scripts/imgtool/image.py +++ b/scripts/imgtool/image.py @@ -190,7 +190,15 @@ def tlv_sha_to_sha(tlv): keys.X25519 : ['256', '512'] } -def key_and_user_sha_to_alg_and_tlv(key, user_sha): +ALLOWED_PURE_KEY_SHA = { + keys.Ed25519 : ['512'] +} + +ALLOWED_PURE_SIG_TLVS = [ + TLV_VALUES['ED25519'] +] + +def key_and_user_sha_to_alg_and_tlv(key, user_sha, is_pure = False): """Matches key and user requested sha to sha alogrithm and TLV name. The returned tuple will contain hash functions and TVL name. @@ -204,12 +212,16 @@ def key_and_user_sha_to_alg_and_tlv(key, user_sha): # If key is not None, then we have to filter hash to only allowed allowed = None + allowed_key_ssh = ALLOWED_PURE_KEY_SHA if is_pure else ALLOWED_KEY_SHA try: - allowed = ALLOWED_KEY_SHA[type(key)] + allowed = allowed_key_ssh[type(key)] + except KeyError: raise click.UsageError("Colud not find allowed hash algorithms for {}" .format(type(key))) - if user_sha == 'auto': + + # Pure enforces auto, and user selection is ignored + if user_sha == 'auto' or is_pure: return USER_SHA_TO_ALG_AND_TLV[allowed[0]] if user_sha in allowed: @@ -447,12 +459,13 @@ def ecies_hkdf(self, enckey, plainkey): def create(self, key, public_key_format, enckey, dependencies=None, sw_type=None, custom_tlvs=None, compression_tlvs=None, compression_type=None, encrypt_keylen=128, clear=False, - fixed_sig=None, pub_key=None, vector_to_sign=None, user_sha='auto'): + fixed_sig=None, pub_key=None, vector_to_sign=None, + user_sha='auto', is_pure=False): self.enckey = enckey # key decides on sha, then pub_key; of both are none default is used check_key = key if key is not None else pub_key - hash_algorithm, hash_tlv = key_and_user_sha_to_alg_and_tlv(check_key, user_sha) + hash_algorithm, hash_tlv = key_and_user_sha_to_alg_and_tlv(check_key, user_sha, is_pure) # Calculate the hash of the public key if key is not None: @@ -592,9 +605,17 @@ def create(self, key, public_key_format, enckey, dependencies=None, sha = hash_algorithm() sha.update(self.payload) digest = sha.digest() - message = digest; tlv.add(hash_tlv, digest) self.image_hash = digest + # Unless pure, we are signing digest. + message = digest + + if is_pure: + # Note that when Pure signature is used, hash TLV is not present. + message = bytes(self.payload) + e = STRUCT_ENDIAN_DICT[self.endian] + sig_pure = struct.pack(e + '?', True) + tlv.add('SIG_PURE', sig_pure) if vector_to_sign == 'payload': # Stop amending data to the image @@ -786,7 +807,7 @@ def verify(imgfile, key): version = struct.unpack('BBHI', b[20:28]) if magic != IMAGE_MAGIC: - return VerifyResult.INVALID_MAGIC, None, None + return VerifyResult.INVALID_MAGIC, None, None, None tlv_off = header_size + img_size tlv_info = b[tlv_off:tlv_off + TLV_INFO_SIZE] @@ -797,11 +818,27 @@ def verify(imgfile, key): magic, tlv_tot = struct.unpack('HH', tlv_info) if magic != TLV_INFO_MAGIC: - return VerifyResult.INVALID_TLV_INFO_MAGIC, None, None + return VerifyResult.INVALID_TLV_INFO_MAGIC, None, None, None + + # This is set by existence of TLV SIG_PURE + is_pure = False prot_tlv_size = tlv_off hash_region = b[:prot_tlv_size] + tlv_end = tlv_off + tlv_tot + tlv_off += TLV_INFO_SIZE # skip tlv info + + # First scan all TLVs in search of SIG_PURE + while tlv_off < tlv_end: + tlv = b[tlv_off:tlv_off + TLV_SIZE] + tlv_type, _, tlv_len = struct.unpack('BBH', tlv) + if tlv_type == TLV_VALUES['SIG_PURE']: + is_pure = True + break + tlv_off += TLV_SIZE + tlv_len + digest = None + tlv_off = header_size + img_size tlv_end = tlv_off + tlv_tot tlv_off += TLV_INFO_SIZE # skip tlv info while tlv_off < tlv_end: @@ -809,15 +846,15 @@ def verify(imgfile, key): tlv_type, _, tlv_len = struct.unpack('BBH', tlv) if is_sha_tlv(tlv_type): if not tlv_matches_key_type(tlv_type, key): - return VerifyResult.KEY_MISMATCH, None, None + return VerifyResult.KEY_MISMATCH, None, None, None off = tlv_off + TLV_SIZE digest = get_digest(tlv_type, hash_region) if digest == b[off:off + tlv_len]: if key is None: - return VerifyResult.OK, version, digest + return VerifyResult.OK, version, digest, None else: - return VerifyResult.INVALID_HASH, None, None - elif key is not None and tlv_type == TLV_VALUES[key.sig_tlv()]: + return VerifyResult.INVALID_HASH, None, None, None + elif not is_pure and key is not None and tlv_type == TLV_VALUES[key.sig_tlv()]: off = tlv_off + TLV_SIZE tlv_sig = b[off:off + tlv_len] payload = b[:prot_tlv_size] @@ -826,9 +863,18 @@ def verify(imgfile, key): key.verify(tlv_sig, payload) else: key.verify_digest(tlv_sig, digest) - return VerifyResult.OK, version, digest + return VerifyResult.OK, version, digest, None + except InvalidSignature: + # continue to next TLV + pass + elif is_pure and key is not None and tlv_type in ALLOWED_PURE_SIG_TLVS: + off = tlv_off + TLV_SIZE + tlv_sig = b[off:off + tlv_len] + try: + key.verify_digest(tlv_sig, hash_region) + return VerifyResult.OK, version, None, tlv_sig except InvalidSignature: # continue to next TLV pass tlv_off += TLV_SIZE + tlv_len - return VerifyResult.INVALID_SIGNATURE, None, None + return VerifyResult.INVALID_SIGNATURE, None, None, None diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py index e0f70945c..434530c7a 100755 --- a/scripts/imgtool/main.py +++ b/scripts/imgtool/main.py @@ -226,11 +226,14 @@ def getpriv(key, minimal, format): @click.command(help="Check that signed image can be verified by given key") def verify(key, imgfile): key = load_key(key) if key else None - ret, version, digest = image.Image.verify(imgfile, key) + ret, version, digest, signature = image.Image.verify(imgfile, key) if ret == image.VerifyResult.OK: print("Image was correctly validated") print("Image version: {}.{}.{}+{}".format(*version)) - print("Image digest: {}".format(digest.hex())) + if digest: + print("Image digest: {}".format(digest.hex())) + if signature and digest is None: + print("Image signature over image: {}".format(signature.hex())) return elif ret == image.VerifyResult.INVALID_MAGIC: print("Invalid image magic; is this an MCUboot image?") @@ -423,6 +426,10 @@ def convert(self, value, param, ctx): 'the signature calculated using the public key') @click.option('--fix-sig-pubkey', metavar='filename', help='public key relevant to fixed signature') +@click.option('--pure', 'is_pure', is_flag=True, default=False, show_default=True, + help='Expected Pure variant of signature; the Pure variant is ' + 'expected to be signature done over an image rather than hash of ' + 'that image.') @click.option('--sig-out', metavar='filename', help='Path to the file to which signature will be written. ' 'The image signature will be encoded as base64 formatted string') @@ -441,8 +448,8 @@ def sign(key, public_key_format, align, version, pad_sig, header_size, endian, encrypt_keylen, encrypt, compression, infile, outfile, dependencies, load_addr, hex_addr, erased_val, save_enctlv, security_counter, boot_record, custom_tlv, rom_fixed, max_align, - clear, fix_sig, fix_sig_pubkey, sig_out, user_sha, vector_to_sign, - non_bootable): + clear, fix_sig, fix_sig_pubkey, sig_out, user_sha, is_pure, + vector_to_sign, non_bootable): if confirm: # Confirmed but non-padded images don't make much sense, because @@ -509,9 +516,15 @@ def sign(key, public_key_format, align, version, pad_sig, header_size, 'value': raw_signature } + if is_pure and user_sha != 'auto': + raise click.UsageError( + 'Pure signatures, currently, enforces preferred hash algorithm, ' + 'and forbids sha selection by user.') + img.create(key, public_key_format, enckey, dependencies, boot_record, custom_tlvs, compression_tlvs, None, int(encrypt_keylen), clear, - baked_signature, pub_key, vector_to_sign, user_sha) + baked_signature, pub_key, vector_to_sign, user_sha=user_sha, + is_pure=is_pure) if compression in ["lzma2", "lzma2armthumb"]: compressed_img = image.Image(version=decode_version(version), @@ -552,7 +565,8 @@ def sign(key, public_key_format, align, version, pad_sig, header_size, compressed_img.create(key, public_key_format, enckey, dependencies, boot_record, custom_tlvs, compression_tlvs, compression, int(encrypt_keylen), clear, baked_signature, - pub_key, vector_to_sign, user_sha=user_sha) + pub_key, vector_to_sign, user_sha=user_sha, + is_pure=is_pure) img = compressed_img img.save(outfile, hex_addr) if sig_out is not None: From 1c32c9b1015c42dfe12bf1aa4bd9a113d25bf1c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20J=C3=A4ger?= Date: Sun, 5 Jan 2025 13:35:32 +0100 Subject: [PATCH 004/228] boot: espressif: add support for upgrade modes w/o scratch MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Upgrade using move decreases flash wear and is now the default mode used by Zephyr. The implementation is done by MCUboot itself, so it is just a matter of setting the correct define to enable it. Swap using move was successfully tested with ESP32C6. Signed-off-by: Martin Jäger --- .../include/mcuboot_config/mcuboot_config.h | 34 +++++++++++++++---- boot/espressif/hal/src/flash_encrypt.c | 3 ++ .../port/esp32/bootloader-multi.conf | 4 +++ boot/espressif/port/esp32/bootloader.conf | 4 +++ boot/espressif/port/esp32c2/bootloader.conf | 4 +++ boot/espressif/port/esp32c3/bootloader.conf | 4 +++ boot/espressif/port/esp32c6/bootloader.conf | 4 +++ boot/espressif/port/esp32h2/bootloader.conf | 4 +++ boot/espressif/port/esp32s2/bootloader.conf | 4 +++ .../port/esp32s3/bootloader-multi.conf | 4 +++ boot/espressif/port/esp32s3/bootloader.conf | 4 +++ boot/espressif/port/esp_mcuboot.c | 12 +++++-- 12 files changed, 76 insertions(+), 9 deletions(-) diff --git a/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h b/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h index a299e3cfc..345ca57b8 100644 --- a/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h +++ b/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h @@ -45,23 +45,43 @@ * the default upgrade mode. */ -/* Uncomment to enable the overwrite-only code path. */ -/* #define MCUBOOT_OVERWRITE_ONLY */ +/* Define to enable the swap-using-move code path. */ +#if defined(CONFIG_ESP_BOOT_SWAP_USING_MOVE) +#define MCUBOOT_SWAP_USING_MOVE 1 +#endif -#ifdef MCUBOOT_OVERWRITE_ONLY +/* Define to enable the overwrite-only code path. */ +#if defined(CONFIG_ESP_BOOT_UPGRADE_ONLY) +#define MCUBOOT_OVERWRITE_ONLY /* Uncomment to only erase and overwrite those primary slot sectors needed * to install the new image, rather than the entire image slot. */ /* #define MCUBOOT_OVERWRITE_ONLY_FAST */ #endif -/* Uncomment to enable the direct-xip code path. */ -/* #define MCUBOOT_DIRECT_XIP */ +/* Define to enable the direct-xip code path (CURRENTLY UNSUPPORTED!). */ +#if defined(CONFIG_ESP_BOOT_DIRECT_XIP) +#define MCUBOOT_DIRECT_XIP +#endif -/* Define to enable the ram-load code path. */ -#if defined(CONFIG_BOOT_RAM_LOAD) +/* Define to enable the ram-load code path (CURRENTLY UNSUPPORTED!). */ +#if defined(CONFIG_ESP_BOOT_RAM_LOAD) #define MCUBOOT_RAM_LOAD #endif +/* If none of the above paths is defined, define CONFIG_ESP_BOOT_SWAP_USING_SCRATCH. + * + * Note: MCUBOOT_SWAP_USING_SCRATCH does not have to be defined, as it will be defined + * by MCUboot in bootutil_priv.h. + */ +#if !defined(CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) && \ + !defined(CONFIG_ESP_BOOT_SWAP_USING_MOVE) && \ + !defined(CONFIG_ESP_BOOT_UPGRADE_ONLY) && \ + !defined(CONFIG_ESP_BOOT_DIRECT_XIP) && \ + !defined(CONFIG_ESP_BOOT_RAM_LOAD) +#define CONFIG_ESP_BOOT_SWAP_USING_SCRATCH +#endif + + /* * Cryptographic settings * diff --git a/boot/espressif/hal/src/flash_encrypt.c b/boot/espressif/hal/src/flash_encrypt.c index d064d8b7b..3996d0e7a 100644 --- a/boot/espressif/hal/src/flash_encrypt.c +++ b/boot/espressif/hal/src/flash_encrypt.c @@ -307,12 +307,15 @@ esp_err_t esp_flash_encrypt_contents(void) if (err != ESP_OK) { return err; } + +#ifdef CONFIG_ESP_BOOT_SWAP_USING_SCRATCH region_addr = CONFIG_ESP_SCRATCH_OFFSET; region_size = CONFIG_ESP_SCRATCH_SIZE; err = esp_flash_encrypt_region(region_addr, region_size); if (err != ESP_OK) { return err; } +#endif #if defined(CONFIG_ESP_IMAGE_NUMBER) && (CONFIG_ESP_IMAGE_NUMBER == 2) region_addr = CONFIG_ESP_IMAGE1_PRIMARY_START_ADDRESS; diff --git a/boot/espressif/port/esp32/bootloader-multi.conf b/boot/espressif/port/esp32/bootloader-multi.conf index ad3355ec2..29e2073f6 100644 --- a/boot/espressif/port/esp32/bootloader-multi.conf +++ b/boot/espressif/port/esp32/bootloader-multi.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x1000 diff --git a/boot/espressif/port/esp32/bootloader.conf b/boot/espressif/port/esp32/bootloader.conf index 8f555ec57..5a59a422a 100644 --- a/boot/espressif/port/esp32/bootloader.conf +++ b/boot/espressif/port/esp32/bootloader.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x1000 diff --git a/boot/espressif/port/esp32c2/bootloader.conf b/boot/espressif/port/esp32c2/bootloader.conf index 54f797e71..8f6886023 100644 --- a/boot/espressif/port/esp32c2/bootloader.conf +++ b/boot/espressif/port/esp32c2/bootloader.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x0000 diff --git a/boot/espressif/port/esp32c3/bootloader.conf b/boot/espressif/port/esp32c3/bootloader.conf index 88954eea0..8ebd1b40e 100644 --- a/boot/espressif/port/esp32c3/bootloader.conf +++ b/boot/espressif/port/esp32c3/bootloader.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x0000 diff --git a/boot/espressif/port/esp32c6/bootloader.conf b/boot/espressif/port/esp32c6/bootloader.conf index 5c5307c9c..e92ddcc22 100644 --- a/boot/espressif/port/esp32c6/bootloader.conf +++ b/boot/espressif/port/esp32c6/bootloader.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x0000 diff --git a/boot/espressif/port/esp32h2/bootloader.conf b/boot/espressif/port/esp32h2/bootloader.conf index 5c5307c9c..e92ddcc22 100644 --- a/boot/espressif/port/esp32h2/bootloader.conf +++ b/boot/espressif/port/esp32h2/bootloader.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x0000 diff --git a/boot/espressif/port/esp32s2/bootloader.conf b/boot/espressif/port/esp32s2/bootloader.conf index 485ba77e1..981be59a1 100644 --- a/boot/espressif/port/esp32s2/bootloader.conf +++ b/boot/espressif/port/esp32s2/bootloader.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x1000 diff --git a/boot/espressif/port/esp32s3/bootloader-multi.conf b/boot/espressif/port/esp32s3/bootloader-multi.conf index 21c3457a4..f82b5e235 100644 --- a/boot/espressif/port/esp32s3/bootloader-multi.conf +++ b/boot/espressif/port/esp32s3/bootloader-multi.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x0000 diff --git a/boot/espressif/port/esp32s3/bootloader.conf b/boot/espressif/port/esp32s3/bootloader.conf index 138737dfb..a45c0cd19 100644 --- a/boot/espressif/port/esp32s3/bootloader.conf +++ b/boot/espressif/port/esp32s3/bootloader.conf @@ -2,6 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 +# Define upgrade mode (default is CONFIG_ESP_BOOT_SWAP_USING_SCRATCH) +# CONFIG_ESP_BOOT_SWAP_USING_MOVE=y +# CONFIG_ESP_BOOT_UPGRADE_ONLY=y + CONFIG_ESP_FLASH_SIZE=4MB CONFIG_ESP_BOOTLOADER_SIZE=0xF000 CONFIG_ESP_BOOTLOADER_OFFSET=0x0000 diff --git a/boot/espressif/port/esp_mcuboot.c b/boot/espressif/port/esp_mcuboot.c index 0ee9e388b..9bbd5a9f2 100644 --- a/boot/espressif/port/esp_mcuboot.c +++ b/boot/espressif/port/esp_mcuboot.c @@ -15,6 +15,7 @@ #include "esp_err.h" #include "bootloader_flash_priv.h" #include "esp_flash_encrypt.h" +#include "mcuboot_config/mcuboot_config.h" #include "flash_map_backend/flash_map_backend.h" #include "sysflash/sysflash.h" @@ -49,16 +50,19 @@ _Static_assert(IS_ALIGNED(FLASH_BUFFER_SIZE, 4), "Buffer size for SPI Flash oper #define BOOTLOADER_START_ADDRESS CONFIG_BOOTLOADER_OFFSET_IN_FLASH #define BOOTLOADER_SIZE CONFIG_ESP_BOOTLOADER_SIZE + #define IMAGE0_PRIMARY_START_ADDRESS CONFIG_ESP_IMAGE0_PRIMARY_START_ADDRESS #define IMAGE0_SECONDARY_START_ADDRESS CONFIG_ESP_IMAGE0_SECONDARY_START_ADDRESS -#define SCRATCH_OFFSET CONFIG_ESP_SCRATCH_OFFSET #if (MCUBOOT_IMAGE_NUMBER == 2) #define IMAGE1_PRIMARY_START_ADDRESS CONFIG_ESP_IMAGE1_PRIMARY_START_ADDRESS #define IMAGE1_SECONDARY_START_ADDRESS CONFIG_ESP_IMAGE1_SECONDARY_START_ADDRESS #endif - #define APPLICATION_SIZE CONFIG_ESP_APPLICATION_SIZE + +#ifdef CONFIG_ESP_BOOT_SWAP_USING_SCRATCH +#define SCRATCH_OFFSET CONFIG_ESP_SCRATCH_OFFSET #define SCRATCH_SIZE CONFIG_ESP_SCRATCH_SIZE +#endif extern int ets_printf(const char *fmt, ...); @@ -99,12 +103,14 @@ static const struct flash_area secondary_img1 = { }; #endif +#ifdef CONFIG_ESP_BOOT_SWAP_USING_SCRATCH static const struct flash_area scratch_img0 = { .fa_id = FLASH_AREA_IMAGE_SCRATCH, .fa_device_id = FLASH_DEVICE_INTERNAL_FLASH, .fa_off = SCRATCH_OFFSET, .fa_size = SCRATCH_SIZE, }; +#endif static const struct flash_area *s_flash_areas[] = { &bootloader, @@ -114,7 +120,9 @@ static const struct flash_area *s_flash_areas[] = { &primary_img1, &secondary_img1, #endif +#ifdef CONFIG_ESP_BOOT_SWAP_USING_SCRATCH &scratch_img0, +#endif }; static const struct flash_area *prv_lookup_flash_area(uint8_t id) { From d3080f10e5c72187c7c0d3f4e83455ac2c6ba04e Mon Sep 17 00:00:00 2001 From: Jamie Smith Date: Wed, 4 Dec 2024 00:44:09 -0800 Subject: [PATCH 005/228] Update Mbed CMakeLists.txt for Mbed CE Signed-off-by: Jamie Smith --- boot/mbed/CMakeLists.txt | 60 +++-- .../flash_map_backend/flash_map_backend.h | 5 + .../include/mcuboot_config/mcuboot_logging.h | 3 + boot/mbed/mbed_lib.json | 9 +- boot/mbed/mcuboot_imgtool.cmake | 219 ++++++++++++++++++ boot/mbed/mcuboot_main.cpp | 3 +- boot/mbed/src/flash_map_backend.cpp | 12 +- 7 files changed, 273 insertions(+), 38 deletions(-) create mode 100644 boot/mbed/mcuboot_imgtool.cmake diff --git a/boot/mbed/CMakeLists.txt b/boot/mbed/CMakeLists.txt index 8baa2628e..05199c380 100644 --- a/boot/mbed/CMakeLists.txt +++ b/boot/mbed/CMakeLists.txt @@ -1,10 +1,11 @@ # Copyright (c) 2021 ARM Limited. All rights reserved. # SPDX-License-Identifier: Apache-2.0 -# Mbed-MCUboot Port +# Pull in functions for working with imgtool +include(mcuboot_imgtool.cmake) +# Mbed-MCUboot Port cmake_minimum_required(VERSION 3.19.0 FATAL_ERROR) - get_filename_component(BOOT_UTIL_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../bootutil REALPATH) set(LIB_TARGET mbed-mcuboot) @@ -13,49 +14,46 @@ set(LIB_BOOTUTIL bootutil) add_library(${LIB_TARGET} STATIC) target_include_directories(${LIB_TARGET} - PUBLIC - include - ${BOOT_UTIL_DIR}/include - ${BOOT_UTIL_DIR}/src + PUBLIC + include + ${BOOT_UTIL_DIR}/src ) target_sources(${LIB_TARGET} - PRIVATE - mcuboot_main.cpp - app_enc_keys.c - src/flash_map_backend.cpp - src/secondary_bd.cpp + PRIVATE + mcuboot_main.cpp + app_enc_keys.c + src/flash_map_backend.cpp + src/secondary_bd.cpp ) target_link_libraries(${LIB_TARGET} - PUBLIC - bootutil # Cross-dependency - mbed-mbedtls - mbed-storage-flashiap - mbed-storage-blockdevice + PUBLIC + bootutil # Cross-dependency + mbed-mbedtls + mbed-storage-flashiap + mbed-storage-blockdevice + mbed-core-flags ) -if("_RTE_" IN_LIST MBED_CONFIG_DEFINITIONS) - target_link_libraries(${LIB_TARGET} - PUBLIC - mbed-os - ) -else() - target_link_libraries(${LIB_TARGET} - PUBLIC - mbed-baremetal - ) +# Add signing key generated source file +mcuboot_generate_signing_keys_file(${CMAKE_CURRENT_BINARY_DIR}/signing_keys.c) +target_sources(${LIB_TARGET} PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/signing_keys.c) + +if("MCUBOOT_ENCRYPT_RSA=1" IN_LIST MBED_CONFIG_DEFINITIONS) + mcuboot_generate_encryption_key_file(${CMAKE_CURRENT_BINARY_DIR}/enc_keys.c) + target_sources(${LIB_TARGET} PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/enc_keys.c) endif() # The cross-dependency requires that bootutil have access to the mbed port's # include directory and is linked with the appropriate mbed-specific libraries. target_include_directories(${LIB_BOOTUTIL} - PUBLIC - include + PUBLIC + include ) target_link_libraries(${LIB_BOOTUTIL} - PUBLIC - mbed-mcuboot - mbed-mbedtls + PUBLIC + mbed-mcuboot + mbed-mbedtls ) diff --git a/boot/mbed/include/flash_map_backend/flash_map_backend.h b/boot/mbed/include/flash_map_backend/flash_map_backend.h index d526c5cfa..c8a9e3745 100644 --- a/boot/mbed/include/flash_map_backend/flash_map_backend.h +++ b/boot/mbed/include/flash_map_backend/flash_map_backend.h @@ -152,6 +152,11 @@ uint8_t flash_area_erased_val(const struct flash_area * fap); /* * Given flash area ID, return info about sectors within the area. + * + * Note: the sectors array has size MCUBOOT_MAX_IMG_SECTORS, and only that many elements should + * be stored into it. However, if the flash area has more than MCUBOOT_MAX_IMG_SECTORS sectors, + * the count variable should be set to indicate the real sector count. This will trigger the appropriate + * warning to be printed. */ int flash_area_get_sectors(int fa_id, uint32_t *count, struct flash_sector *sectors); diff --git a/boot/mbed/include/mcuboot_config/mcuboot_logging.h b/boot/mbed/include/mcuboot_config/mcuboot_logging.h index c6a1cf78a..e80b0a76f 100644 --- a/boot/mbed/include/mcuboot_config/mcuboot_logging.h +++ b/boot/mbed/include/mcuboot_config/mcuboot_logging.h @@ -36,6 +36,8 @@ #define MCUBOOT_LOG_LEVEL MCUBOOT_LOG_LEVEL_OFF #endif +// Set Mbed log level appropriately if not already set +#ifndef MBED_TRACE_MAX_LEVEL #if MCUBOOT_LOG_LEVEL == MCUBOOT_LOG_LEVEL_ERROR #define MBED_TRACE_MAX_LEVEL TRACE_LEVEL_ERROR #elif MCUBOOT_LOG_LEVEL == MCUBOOT_LOG_LEVEL_WARNING @@ -45,6 +47,7 @@ #elif MCUBOOT_LOG_LEVEL == MCUBOOT_LOG_LEVEL_DEBUG #define MBED_TRACE_MAX_LEVEL TRACE_LEVEL_DEBUG #endif +#endif #define TRACE_GROUP "MCUb" #include "mbed-trace/mbed_trace.h" diff --git a/boot/mbed/mbed_lib.json b/boot/mbed/mbed_lib.json index f5b7b6743..f7c7ff14f 100644 --- a/boot/mbed/mbed_lib.json +++ b/boot/mbed/mbed_lib.json @@ -88,7 +88,7 @@ "value": true }, "max-img-sectors": { - "help": "Maximum number of flash sectors per image slot. Target-dependent, please set on a per-target basis.", + "help": "Maximum number of flash sectors per image slot. This should be set to account for the sector sizes of both the main and secondary block devices. Target-dependent, please set on a per-target basis.", "macro_name": "MCUBOOT_MAX_IMG_SECTORS", "required": true }, @@ -119,7 +119,7 @@ "value": null }, "encrypt-rsa": { - "help": "Encrypt images using RSA (NOT TESTED)", + "help": "Encrypt update images using RSA", "macro_name": "MCUBOOT_ENCRYPT_RSA", "accepted_values": [true, null], "value": null @@ -189,6 +189,11 @@ "xip-secondary-slot-address": { "help": "Specify start address for secondary slot address in XIP-accessible memory. This is required if direct-xip is enabled.", "value": null + }, + "flash-block-size": { + "help": "Size in bytes of a programmable block of the flash memory.", + "macro_name": "MCUBOOT_BOOT_MAX_ALIGN", + "value": 8 } } } diff --git a/boot/mbed/mcuboot_imgtool.cmake b/boot/mbed/mcuboot_imgtool.cmake new file mode 100644 index 000000000..9760196fe --- /dev/null +++ b/boot/mbed/mcuboot_imgtool.cmake @@ -0,0 +1,219 @@ +# Copyright (c) 2024 Jamie Smith +# SPDX-License-Identifier: Apache-2.0 + +check_python_package(imgtool.main MCUBOOT_IMGTOOL_FOUND) + +get_filename_component(IMGTOOL_SCRIPTS_DIR ${CMAKE_CURRENT_LIST_DIR}/../../scripts REALPATH) + +# Find or install imgtool + +if(NOT MCUBOOT_IMGTOOL_FOUND) + # If we are using the Mbed venv, we can install asn1tools automatically + if(MBED_CREATE_PYTHON_VENV) + message(STATUS "mcuboot: Installing imgtool into Mbed's Python virtualenv") + execute_process( + COMMAND ${Python3_EXECUTABLE} -m pip install ${IMGTOOL_SCRIPTS_DIR} + COMMAND_ERROR_IS_FATAL ANY + ) + else() + message(FATAL_ERROR "The mcuboot imgtool python package needs to be installed (from mcuboot/scripts/) into Mbed's python interpreter (${Python3_EXECUTABLE})") + endif() +endif() + +# Signing key +set(MCUBOOT_SIGNING_KEY "" CACHE STRING "Path to key file (.pem) used to sign firmware updates for your device. The public key will be stored in the bootloader. This file must be kept safe!") + +# Make sure the signing key path is absolute for EXISTS, relative to the top level build dir +get_filename_component(MCUBOOT_SIGNING_KEY_ABSPATH "${MCUBOOT_SIGNING_KEY}" ABSOLUTE BASE_DIR ${CMAKE_SOURCE_DIR}) +set(MCUBOOT_SIGNING_KEY_ABSPATH ${MCUBOOT_SIGNING_KEY_ABSPATH} CACHE INTERNAL "Absolute version of MCUBOOT_SIGNING_KEY" FORCE) + +if("${MCUBOOT_SIGNING_KEY}" STREQUAL "" OR NOT EXISTS "${MCUBOOT_SIGNING_KEY_ABSPATH}") + message(FATAL_ERROR "Must specify path to valid image signing key via MCUBOOT_SIGNING_KEY CMake option in order to build this project.") +endif() + +# Encryption key +if("MCUBOOT_ENCRYPT_RSA=1" IN_LIST MBED_CONFIG_DEFINITIONS) + set(MCUBOOT_ENCRYPTION_KEY "" CACHE STRING "Path to key file (.pem) used to encrypt firmware updates for your device. The private key will be stored in the bootloader. This file must be kept safe!") + + # Make sure the signing key path is absolute for EXISTS, relative to the top level build dir + get_filename_component(MCUBOOT_ENCRYPTION_KEY_ABSPATH "${MCUBOOT_ENCRYPTION_KEY}" ABSOLUTE BASE_DIR ${CMAKE_SOURCE_DIR}) + set(MCUBOOT_ENCRYPTION_KEY_ABSPATH ${MCUBOOT_ENCRYPTION_KEY_ABSPATH} CACHE INTERNAL "Absolute version of MCUBOOT_ENCRYPTION_KEY" FORCE) + + if("${MCUBOOT_ENCRYPTION_KEY}" STREQUAL "" OR NOT EXISTS "${MCUBOOT_ENCRYPTION_KEY_ABSPATH}") + message(FATAL_ERROR "Since mcuboot.encrypt-rsa is enabled, you must specify the path to a valid image encryption key via the MCUBOOT_ENCRYPTION_KEY CMake option in order to build this project.") + endif() +endif() + +# Imgtool usage functions + +# +# Generate a signed image hex file for the given executable target. +# +function(_mcuboot_generate_image TARGET IMAGE_TYPE IMAGE_BASE_PATH) + if("${MBED_OUTPUT_EXT}" STREQUAL "bin") + message(FATAL_ERROR "Hex file output must be enabled to use mcuboot. Set MBED_OUTPUT_EXT to empty string after including app.cmake in your top level CMakeLists.txt!") + endif() + + if("${PROJECT_VERSION}" STREQUAL "") + message(FATAL_ERROR "You must set the project version to sign images by passing a version number into your app's project() command!") + endif() + + # mbed_generate_bin_hex() puts the hex file at the following path + set(TARGET_HEX_FILE ${CMAKE_CURRENT_BINARY_DIR}/$.hex) + + # Grab header size + if(NOT "${MBED_CONFIG_DEFINITIONS}" MATCHES "MCUBOOT_HEADER_SIZE=(0x[0-9A-Fa-f]+)") + message(FATAL_ERROR "Couldn't find MCUBOOT_HEADER_SIZE in Mbed configuration!") + endif() + set(HEADER_SIZE_HEX ${CMAKE_MATCH_1}) + + # Grab slot size + if(NOT "${MBED_CONFIG_DEFINITIONS}" MATCHES "MCUBOOT_SLOT_SIZE=(0x[0-9A-Fa-f]+)") + message(FATAL_ERROR "Couldn't find MCUBOOT_SLOT_SIZE in Mbed configuration!") + endif() + set(SLOT_SIZE_HEX ${CMAKE_MATCH_1}) + + get_property(objcopy GLOBAL PROPERTY ELF2BIN) + + if(${IMAGE_TYPE} STREQUAL "update" AND "MCUBOOT_ENCRYPT_RSA=1" IN_LIST MBED_CONFIG_DEFINITIONS) + set(IMGTOOL_EXTRA_ARGS --encrypt ${MCUBOOT_ENCRYPTION_KEY_ABSPATH}) + elseif(${IMAGE_TYPE} STREQUAL "initial" AND "MCUBOOT_ENCRYPT_RSA=1" IN_LIST MBED_CONFIG_DEFINITIONS) + # If encryption is enabled, generate unencrypted initial image which supports encryption. + # See https://github.com/mbed-ce/mbed-os/issues/401#issuecomment-2567099213 + set(IMGTOOL_EXTRA_ARGS --clear) + else() + set(IMGTOOL_EXTRA_ARGS "") + endif() + + add_custom_command( + TARGET ${TARGET} + POST_BUILD + DEPENDS ${MCUBOOT_SIGNING_KEY_ABSPATH} + COMMAND + ${Python3_EXECUTABLE} -m imgtool.main + sign + --key ${MCUBOOT_SIGNING_KEY_ABSPATH} # this specifies the file containing the keys used to sign/verify the application + --align 4 # this lets mcuboot know the intrinsic alignment of the flash (32-bits = 4 byte alignment) + --version ${PROJECT_VERSION} # this sets the version number of the application + --header-size ${HEADER_SIZE_HEX} # this must be the same as the value specified in mcuboot.header-size configuration + --pad-header # this tells imgtool to insert the entire header, including any necessary padding bytes. + --slot-size ${SLOT_SIZE_HEX} # this specifies the maximum size of the application ("slot size"). It must be the same as the configured mcuboot.slot-size! + ${IMGTOOL_EXTRA_ARGS} + ${TARGET_HEX_FILE} ${IMAGE_BASE_PATH}.hex + + COMMAND + ${CMAKE_COMMAND} -E echo "-- built: ${IMAGE_BASE_PATH}.hex" + + # Also generate bin file + COMMAND + ${objcopy} -I ihex -O binary ${IMAGE_BASE_PATH}.hex ${IMAGE_BASE_PATH}.bin + + COMMAND + ${CMAKE_COMMAND} -E echo "-- built: ${IMAGE_BASE_PATH}.bin" + + COMMENT "Generating mcuboot ${IMAGE_TYPE} image for ${TARGET}..." + WORKING_DIRECTORY ${CMAKE_BINARY_DIR} + VERBATIM + ) +endfunction(_mcuboot_generate_image) + +# +# Generate an initial image hex file for the given executable target. +# This initial image is what should be flashed to a blank device (along with the bootloader). +# A flash target (ninja flash-${TARGET}-initial-image) will also be created. +# +# NOTE: This function must be called *after* mbed_set_post_build() for the target! +# +# If you wish to specify the base name of the initial image, pass that as the second argument to +# this function. Otherwise, it will default to $-initial-image +# +function(mcuboot_generate_initial_image TARGET) # optional 2nd arg: initial image base filename + # Figure out file path + if("${ARGN}" STREQUAL "") + set(INITIAL_IMAGE_BASE_PATH ${CMAKE_CURRENT_BINARY_DIR}/$-initial-image) + else() + set(INITIAL_IMAGE_BASE_PATH ${CMAKE_CURRENT_BINARY_DIR}/${ARGN}) + endif() + + _mcuboot_generate_image(${TARGET} initial ${INITIAL_IMAGE_BASE_PATH}) + + # Create a flash target. + # We need to be slightly creative here -- Mbed thinks that the application start address + # is +
, but we actually want to upload to . + # So we need to temporarily override MBED_UPLOAD_BASE_ADDR with an offset value + if(NOT "${MBED_CONFIG_DEFINITIONS}" MATCHES "MCUBOOT_HEADER_SIZE=(0x[0-9A-Fa-f]+)") + message(FATAL_ERROR "Couldn't find MCUBOOT_HEADER_SIZE in Mbed configuration!") + endif() + set(HEADER_SIZE_HEX ${CMAKE_MATCH_1}) + math(EXPR MBED_UPLOAD_BASE_ADDR "${MBED_UPLOAD_BASE_ADDR} - ${HEADER_SIZE_HEX}" OUTPUT_FORMAT HEXADECIMAL) + + gen_upload_target(${TARGET}-initial-image ${INITIAL_IMAGE_BASE_PATH}.bin) + if(TARGET flash-${TARGET}-initial-image) + add_dependencies(flash-${TARGET}-initial-image ${TARGET}) + endif() +endfunction(mcuboot_generate_initial_image) + +# +# Generate an update image hex file for the given executable target. +# This image is what should be flashed to the secondary block device and passed to +# mcuboot as an update file. +# +# NOTE: This function must be called *after* mbed_set_post_build() for the target! +# +# NOTE 2: The hex file produced by this function will still "declare" its address as the primary slot +# address. This can cause issues if you pass it to a tool that uses this offset to decide where to load it. +# If this is a problem, we recommend the "arm-none-eabi-objcopy --change-addresses" command to change this address. +# +# If you wish to specify the base name of the update image, pass that as the second argument to +# this function. Otherwise, it will default to $-update-image +# +function(mcuboot_generate_update_image TARGET) # optional 2nd arg: update image base filename + # Figure out file path + if("${ARGN}" STREQUAL "") + set(UPDATE_IMAGE_BASE_PATH ${CMAKE_CURRENT_BINARY_DIR}/$-update-image) + else() + set(UPDATE_IMAGE_BASE_PATH${CMAKE_CURRENT_BINARY_DIR}/${ARGN}) + endif() + + _mcuboot_generate_image(${TARGET} update ${UPDATE_IMAGE_BASE_PATH}) +endfunction(mcuboot_generate_update_image) + +# +# Generate a C source file with signing keys in it at the given location. +# The file should be added as a source file to a library built in the same directory. +# +function(mcuboot_generate_signing_keys_file SIGNING_KEYS_C_PATH) + add_custom_command( + OUTPUT ${SIGNING_KEYS_C_PATH} + COMMAND + ${Python3_EXECUTABLE} -m imgtool.main + getpub + --key ${MCUBOOT_SIGNING_KEY_ABSPATH} + --output ${SIGNING_KEYS_C_PATH} + + DEPENDS ${MCUBOOT_SIGNING_KEY_ABSPATH} + COMMENT "Converting signing key to C source..." + WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} + VERBATIM + ) +endfunction(mcuboot_generate_signing_keys_file) + +# +# Generate a C source file with the encryption private key in it at the given location. +# The file should be added as a source file to a library built in the same directory. +# +function(mcuboot_generate_encryption_key_file ENC_KEY_C_PATH) + add_custom_command( + OUTPUT ${ENC_KEY_C_PATH} + COMMAND + ${Python3_EXECUTABLE} -m imgtool.main + getpriv + --key ${MCUBOOT_SIGNING_KEY_ABSPATH} + > ${ENC_KEY_C_PATH} + + DEPENDS ${MCUBOOT_SIGNING_KEY_ABSPATH} + COMMENT "Converting encryption key to C source..." + WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} + VERBATIM + ) +endfunction(mcuboot_generate_encryption_key_file) \ No newline at end of file diff --git a/boot/mbed/mcuboot_main.cpp b/boot/mbed/mcuboot_main.cpp index bf95e3abf..3c31bdf49 100644 --- a/boot/mbed/mcuboot_main.cpp +++ b/boot/mbed/mcuboot_main.cpp @@ -19,6 +19,7 @@ #if MCUBOOT_BOOTLOADER_BUILD #include +#include #include "bootutil/bootutil.h" #include "bootutil/image.h" #include "hal/serial_api.h" @@ -83,7 +84,7 @@ int main() // Workaround: The extra \n ensures the last trace gets flushed // before mbed_start_application() destroys the stack and jumps // to the application - tr_info("Booting firmware image at 0x%x\n", address); + tr_info("Booting firmware image at 0x%" PRIx32 "\n", address); // Run the application in the primary slot // Add header size offset to calculate the actual start address of application diff --git a/boot/mbed/src/flash_map_backend.cpp b/boot/mbed/src/flash_map_backend.cpp index 955ac42b6..d673e5038 100644 --- a/boot/mbed/src/flash_map_backend.cpp +++ b/boot/mbed/src/flash_map_backend.cpp @@ -18,6 +18,7 @@ #include #include +#include #include "flash_map_backend/flash_map_backend.h" #include "flash_map_backend/secondary_bd.h" #include "sysflash/sysflash.h" @@ -142,7 +143,7 @@ int flash_area_read(const struct flash_area* fap, uint32_t off, void* dst, uint3 return -1; } if (MCUBOOT_READ_GRANULARITY < read_size) { - MCUBOOT_LOG_ERR("Please increase MCUBOOT_READ_GRANULARITY (currently %u) to be at least %u", + MCUBOOT_LOG_ERR("Please increase MCUBOOT_READ_GRANULARITY (currently %u) to be at least %" PRIu32, MCUBOOT_READ_GRANULARITY, read_size); return -1; } @@ -214,11 +215,14 @@ int flash_area_get_sectors(int fa_id, uint32_t* count, struct flash_sector* sect /* Loop through sectors and collect information on them */ bd_addr_t offset = 0; *count = 0; - while (*count < MCUBOOT_MAX_IMG_SECTORS && bd->is_valid_read(offset, bd->get_read_size())) { + while (bd->is_valid_read(offset, bd->get_read_size())) { - sectors[*count].fs_off = offset; bd_size_t erase_size = bd->get_erase_size(offset); - sectors[*count].fs_size = erase_size; + + if (*count < MCUBOOT_MAX_IMG_SECTORS) { + sectors[*count].fs_off = offset; + sectors[*count].fs_size = erase_size; + } offset += erase_size; *count += 1; From 4bda587549c0fccd5cd9b59d76c8edf061ee84c3 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Thu, 9 Jan 2025 11:09:49 +0000 Subject: [PATCH 006/228] boot: bootutil: Add TLV for size of compressed but decrypted image This TLV is needed in order to know what the data length provided to the decompression system is to remove the padding that is a resultant of the encryption block size Signed-off-by: Jamie McCrae --- boot/bootutil/include/bootutil/image.h | 1 + 1 file changed, 1 insertion(+) diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h index 243910815..501ee33ee 100644 --- a/boot/bootutil/include/bootutil/image.h +++ b/boot/bootutil/include/bootutil/image.h @@ -126,6 +126,7 @@ struct flash_area; * the format and size of the raw slot (compressed) * signature */ +#define IMAGE_TLV_COMP_DEC_SIZE 0x73 /* Compressed decrypted image size */ /* * vendor reserved TLVs at xxA0-xxFF, * where xx denotes the upper byte From 517fc979386713afb2ef8fbd8e5430720af15791 Mon Sep 17 00:00:00 2001 From: Almir Okato Date: Thu, 19 Dec 2024 18:10:37 -0300 Subject: [PATCH 007/228] espressif: fix missing macro for esp32s3 XMC flash support Add CONFIG_BOOTLOADER_FLASH_XMC_SUPPORT macro to esp32s3 sdkconfig.h Signed-off-by: Almir Okato --- boot/espressif/hal/include/esp32s3/sdkconfig.h | 1 + 1 file changed, 1 insertion(+) diff --git a/boot/espressif/hal/include/esp32s3/sdkconfig.h b/boot/espressif/hal/include/esp32s3/sdkconfig.h index 25581c80d..9d5762358 100644 --- a/boot/espressif/hal/include/esp32s3/sdkconfig.h +++ b/boot/espressif/hal/include/esp32s3/sdkconfig.h @@ -25,3 +25,4 @@ #define CONFIG_EFUSE_VIRTUAL_OFFSET 0x250000 #define CONFIG_EFUSE_VIRTUAL_SIZE 0x2000 #define CONFIG_EFUSE_MAX_BLK_LEN 256 +#define CONFIG_BOOTLOADER_FLASH_XMC_SUPPORT 1 From 9286264563ab5509d2ae74fab8fa4b201c7982ff Mon Sep 17 00:00:00 2001 From: Almir Okato Date: Thu, 19 Dec 2024 18:16:10 -0300 Subject: [PATCH 008/228] espressif: update readme-espressif.md documentation Update SoC x RTOS status for ESP32-C2, ESP32-C6 and ESP32-H2 Also add missing cd command to the guide Signed-off-by: Almir Okato --- docs/readme-espressif.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/readme-espressif.md b/docs/readme-espressif.md index 21004df98..9629b66a6 100644 --- a/docs/readme-espressif.md +++ b/docs/readme-espressif.md @@ -14,10 +14,10 @@ Documentation about the MCUboot bootloader design, operation and features can be The current port is available for use in the following SoCs within the OSes: -| | ESP32 | ESP32-S2 | ESP32-C3 | ESP32-S3 | ESP32-C2 | ESP32-C6 | ESP32-H2 | -| :----: | :-----: | :-----: | :-----: | :-----: | :---------: | :-----: | :-----: | -| Zephyr | Supported | Supported | Supported | Supported | In progress | In progress | In progress | -| NuttX | Supported | Supported | Supported | Supported | In progress | In progress | In progress | +| | ESP32 | ESP32-S2 | ESP32-C3 | ESP32-S3 | ESP32-C2 | ESP32-C6 | ESP32-H2 | +| :----: | :-------: | :-------: | :-------: | :-------: | :---------: | :-------: | :---------: | +| Zephyr | Supported | Supported | Supported | Supported | Supported | Supported | In progress | +| NuttX | Supported | Supported | Supported | Supported | In progress | Supported | Supported | Notice that any customization in the memory layout from the OS application must be done aware of the bootloader own memory layout to avoid overlapping. More information on the section @@ -94,6 +94,10 @@ Additional configuration related to MCUboot features and slot partitioning may b 1. Compile and generate the BIN: + ```bash + cd /boot/espressif + ``` + ```bash cmake -DCMAKE_TOOLCHAIN_FILE=tools/toolchain-.cmake -DMCUBOOT_TARGET= -DESP_HAL_PATH= -DMCUBOOT_FLASH_PORT= -B build -GNinja ``` From 59e9f03bb3a78c78bdf100d66e9d088a344e7c33 Mon Sep 17 00:00:00 2001 From: Almir Okato Date: Thu, 19 Dec 2024 18:33:43 -0300 Subject: [PATCH 009/228] espressif: add checking for supported IDF version Verify if IDF-based HAL version is supported Signed-off-by: Almir Okato --- boot/espressif/CMakeLists.txt | 21 +++++++++++++++++++ boot/espressif/tools/utils.cmake | 13 ++++++++++++ ci/espressif_install.sh | 2 +- .../espressif-idf-version-checking.md | 2 ++ 4 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 docs/release-notes.d/espressif-idf-version-checking.md diff --git a/boot/espressif/CMakeLists.txt b/boot/espressif/CMakeLists.txt index d1e18d2da..05358839c 100644 --- a/boot/espressif/CMakeLists.txt +++ b/boot/espressif/CMakeLists.txt @@ -14,6 +14,8 @@ endif() add_definitions(-DMCUBOOT_TARGET=${MCUBOOT_TARGET}) add_definitions(-D__ESPRESSIF__=1) +set(EXPECTED_IDF_HAL_VERSION "5.1.4") + if ("${MCUBOOT_TARGET}" STREQUAL "esp32" OR "${MCUBOOT_TARGET}" STREQUAL "esp32s2" OR "${MCUBOOT_TARGET}" STREQUAL "esp32s3") @@ -92,6 +94,25 @@ if (NOT DEFINED ESP_HAL_PATH) endif() endif() endif() +message(STATUS "Defined ESP_HAL_PATH: ${ESP_HAL_PATH}") + +# Verify from which IDF version the HAL is based on +set(IDF_VER_HEADER_FILE "${ESP_HAL_PATH}/components/esp_common/include/esp_idf_version.h") + +get_version_from_header("ESP_IDF_VERSION_MAJOR" ${IDF_VER_HEADER_FILE} IDF_VERSION_MAJOR) +get_version_from_header("ESP_IDF_VERSION_MINOR" ${IDF_VER_HEADER_FILE} IDF_VERSION_MINOR) +get_version_from_header("ESP_IDF_VERSION_PATCH" ${IDF_VER_HEADER_FILE} IDF_VERSION_PATCH) + +set(IDF_VERSION "${IDF_VERSION_MAJOR}.${IDF_VERSION_MINOR}.${IDF_VERSION_PATCH}") + +if (NOT IDF_VERSION VERSION_EQUAL ${EXPECTED_IDF_HAL_VERSION}) + message(FATAL_ERROR + "Unsupported HAL version ${IDF_VERSION}, expected ${EXPECTED_IDF_HAL_VERSION}. \ + Verify if the RTOS repository, where you are trying to build from, is up to date, \ + or check the installation pointed on ESP_HAL_PATH.") +else () + message(STATUS "HAL based on ESP-IDF version: ${IDF_VERSION}") +endif() execute_process( COMMAND git describe --tags diff --git a/boot/espressif/tools/utils.cmake b/boot/espressif/tools/utils.cmake index 238b30eb2..965571fda 100644 --- a/boot/espressif/tools/utils.cmake +++ b/boot/espressif/tools/utils.cmake @@ -29,3 +29,16 @@ function(parse_and_set_config_file CONFIG_FILE) endif() endforeach() endfunction() + +# Auxiliar function to get IDF version from esp_idf_version.h file +function(get_version_from_header VAR_NAME HEADER_FILE VERSION_OUT) + # Read the header file and extract the value of the specified macro + file(READ "${HEADER_FILE}" CONTENTS) + string(REGEX MATCH "#define ${VAR_NAME}[ ]+([0-9]+)" MATCH "${CONTENTS}") + if(MATCH) + string(REGEX REPLACE "#define ${VAR_NAME}[ ]+([0-9]+)" "\\1" VERSION "${MATCH}") + set(${VERSION_OUT} "${VERSION}" PARENT_SCOPE) + else() + message(FATAL_ERROR "Could not find ${VAR_NAME} in ${HEADER_FILE}") + endif() +endfunction() diff --git a/ci/espressif_install.sh b/ci/espressif_install.sh index c2ec2c4ed..4ac52c9ab 100755 --- a/ci/espressif_install.sh +++ b/ci/espressif_install.sh @@ -10,7 +10,7 @@ install_imgtool() { install_idf() { pushd $HOME - git clone --depth=1 https://github.com/espressif/esp-idf.git --branch release/v5.1 + git clone --depth=1 https://github.com/espressif/esp-idf.git --branch v5.1.4 [[ $? -ne 0 ]] && exit 1 $HOME/esp-idf/install.sh diff --git a/docs/release-notes.d/espressif-idf-version-checking.md b/docs/release-notes.d/espressif-idf-version-checking.md new file mode 100644 index 000000000..8944a6959 --- /dev/null +++ b/docs/release-notes.d/espressif-idf-version-checking.md @@ -0,0 +1,2 @@ +- Added verification for supported IDF-based HAL version. +- Fixed missing macro for XMC flash devices on ESP32-S3 From 256a02c3a5dd244f765c697a125b34ed1a52e576 Mon Sep 17 00:00:00 2001 From: Michael Konieczny Date: Sat, 11 Jan 2025 15:54:45 +0100 Subject: [PATCH 010/228] added missing MCUBOOT_VERSION_TWEAK in Zephyr port Signed-off-by: Michael Konieczny --- boot/zephyr/include/mcuboot_config/mcuboot_config.h | 1 + 1 file changed, 1 insertion(+) diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index 573155b39..60fb8e600 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -323,6 +323,7 @@ #define MCUBOOT_VERSION_MAJOR APP_VERSION_MAJOR #define MCUBOOT_VERSION_MINOR APP_VERSION_MINOR #define MCUBOOT_VERSION_PATCHLEVEL APP_PATCHLEVEL +#define MCUBOOT_VERSION_TWEAK APP_TWEAK #endif /* Support 32-byte aligned flash sizes */ From 1da18e9060d7af0df9b1e85e07c75ef717ad4723 Mon Sep 17 00:00:00 2001 From: Mateusz Michalek Date: Thu, 2 Jan 2025 14:48:28 +0100 Subject: [PATCH 011/228] scripts: imgtool: fix compression with encryption adds TLV which stores compressed image size in case encryption is on. This is to avoid wrong streaam size due to encryption padding. Signed-off-by: Mateusz Michalek --- scripts/imgtool/image.py | 11 ++++++++--- scripts/imgtool/main.py | 17 ++++++++++++----- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/scripts/imgtool/image.py b/scripts/imgtool/image.py index 88ef7b90c..3e2c11073 100644 --- a/scripts/imgtool/image.py +++ b/scripts/imgtool/image.py @@ -94,6 +94,7 @@ 'DECOMP_SIZE': 0x70, 'DECOMP_SHA': 0x71, 'DECOMP_SIGNATURE': 0x72, + 'COMP_DEC_SIZE' : 0x73, } TLV_SIZE = 4 @@ -460,7 +461,7 @@ def create(self, key, public_key_format, enckey, dependencies=None, sw_type=None, custom_tlvs=None, compression_tlvs=None, compression_type=None, encrypt_keylen=128, clear=False, fixed_sig=None, pub_key=None, vector_to_sign=None, - user_sha='auto', is_pure=False): + user_sha='auto', is_pure=False, keep_comp_size=False, dont_encrypt=False): self.enckey = enckey # key decides on sha, then pub_key; of both are none default is used @@ -522,6 +523,9 @@ def create(self, key, public_key_format, enckey, dependencies=None, dependencies_num = len(dependencies[DEP_IMAGES_KEY]) protected_tlv_size += (dependencies_num * 16) + if keep_comp_size: + compression_tlvs["COMP_DEC_SIZE"] = struct.pack( + self.get_struct_endian() + 'L', self.image_size) if compression_tlvs is not None: for value in compression_tlvs.values(): protected_tlv_size += TLV_SIZE + len(value) @@ -537,7 +541,7 @@ def create(self, key, public_key_format, enckey, dependencies=None, # # This adds the padding if image is not aligned to the 16 Bytes # in encrypted mode - if self.enckey is not None: + if self.enckey is not None and dont_encrypt is False: pad_len = len(self.payload) % 16 if pad_len > 0: pad = bytes(16 - pad_len) @@ -594,6 +598,7 @@ def create(self, key, public_key_format, enckey, dependencies=None, prot_tlv.add(tag, value) protected_tlv_off = len(self.payload) + self.payload += prot_tlv.get() tlv = TLV(self.endian) @@ -657,7 +662,7 @@ def create(self, key, public_key_format, enckey, dependencies=None, if protected_tlv_off is not None: self.payload = self.payload[:protected_tlv_off] - if enckey is not None: + if enckey is not None and dont_encrypt is False: if encrypt_keylen == 256: plainkey = os.urandom(32) else: diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py index 434530c7a..28caa8947 100755 --- a/scripts/imgtool/main.py +++ b/scripts/imgtool/main.py @@ -521,12 +521,11 @@ def sign(key, public_key_format, align, version, pad_sig, header_size, 'Pure signatures, currently, enforces preferred hash algorithm, ' 'and forbids sha selection by user.') - img.create(key, public_key_format, enckey, dependencies, boot_record, + if compression in ["lzma2", "lzma2armthumb"]: + img.create(key, public_key_format, enckey, dependencies, boot_record, custom_tlvs, compression_tlvs, None, int(encrypt_keylen), clear, baked_signature, pub_key, vector_to_sign, user_sha=user_sha, - is_pure=is_pure) - - if compression in ["lzma2", "lzma2armthumb"]: + is_pure=is_pure, keep_comp_size=False, dont_encrypt=True) compressed_img = image.Image(version=decode_version(version), header_size=header_size, pad_header=pad_header, pad=pad, confirm=confirm, align=int(align), @@ -562,12 +561,20 @@ def sign(key, public_key_format, align, version, pad_sig, header_size, lc = comp_default_lc, lp = comp_default_lp) compressed_img.load_compressed(compressed_data, compression_header) compressed_img.base_addr = img.base_addr + keep_comp_size = False; + if enckey: + keep_comp_size = True compressed_img.create(key, public_key_format, enckey, dependencies, boot_record, custom_tlvs, compression_tlvs, compression, int(encrypt_keylen), clear, baked_signature, pub_key, vector_to_sign, user_sha=user_sha, - is_pure=is_pure) + is_pure=is_pure, keep_comp_size=keep_comp_size) img = compressed_img + else: + img.create(key, public_key_format, enckey, dependencies, boot_record, + custom_tlvs, compression_tlvs, None, int(encrypt_keylen), clear, + baked_signature, pub_key, vector_to_sign, user_sha=user_sha, + is_pure=is_pure) img.save(outfile, hex_addr) if sig_out is not None: new_signature = img.get_signature() From b18b91c2b1fed39887e534631dea1a2a95f5b1d2 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 15 Jan 2025 13:35:35 +0000 Subject: [PATCH 012/228] boot: boot_serial: Fix uninitialised variables for upload Fixes some issues whereby some variables were not initialised, and undefined values were wrongly used instead Signed-off-by: Jamie McCrae --- boot/boot_serial/src/boot_serial.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c index 137cb5633..8b256c623 100644 --- a/boot/boot_serial/src/boot_serial.c +++ b/boot/boot_serial/src/boot_serial.c @@ -452,8 +452,8 @@ bs_set(char *buf, int len) uint8_t image_index = 0; size_t decoded = 0; uint8_t hash[IMAGE_HASH_SIZE]; - bool confirm; - struct zcbor_string img_hash; + bool confirm = false; + struct zcbor_string img_hash = { 0 }; bool ok; int rc; @@ -798,7 +798,7 @@ bs_upload(char *buf, int len) size_t img_size_tmp = SIZE_MAX; /* Temp variable for image size */ const struct flash_area *fap = NULL; int rc; - struct zcbor_string img_chunk_data; + struct zcbor_string img_chunk_data = { 0 }; size_t decoded = 0; bool ok; #ifdef MCUBOOT_ERASE_PROGRESSIVELY @@ -1021,7 +1021,7 @@ bs_upload(char *buf, int len) } } } else { - out_invalid_data: +out_invalid_data: rc = MGMT_ERR_EINVAL; } From 0cd1d0a46b8efc97a195b0a787aac067eaffd8cc Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 15 Jan 2025 13:37:44 +0000 Subject: [PATCH 013/228] docs: release-notes: Add note on serial recovery fix Adds a note about a fix for unitialised variables Signed-off-by: Jamie McCrae --- docs/release-notes.d/serial-recovery-var.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 docs/release-notes.d/serial-recovery-var.md diff --git a/docs/release-notes.d/serial-recovery-var.md b/docs/release-notes.d/serial-recovery-var.md new file mode 100644 index 000000000..e86477ca8 --- /dev/null +++ b/docs/release-notes.d/serial-recovery-var.md @@ -0,0 +1,3 @@ +- Fixed issue with serial recovery variables not being + correctly initialised to default values which could cause + some commands to do unexpected operations From cd22b693da426826e0255f8ee5b18d7360d9bc8f Mon Sep 17 00:00:00 2001 From: Sylvio Alves Date: Mon, 13 Jan 2025 11:04:04 -0300 Subject: [PATCH 014/228] espressif: extend loader data Add additional regions in loader to include RTC, LP, IROM and DROM information. Signed-off-by: Sylvio Alves --- .../espressif/hal/include/esp_mcuboot_image.h | 29 ++++++--- boot/espressif/port/esp32s2/ld/bootloader.ld | 2 +- boot/espressif/port/esp_loader.c | 65 +++++++++++++++++++ .../espressif-idf-version-checking.md | 1 + 4 files changed, 88 insertions(+), 9 deletions(-) diff --git a/boot/espressif/hal/include/esp_mcuboot_image.h b/boot/espressif/hal/include/esp_mcuboot_image.h index baccf08fb..95b8a9c78 100644 --- a/boot/espressif/hal/include/esp_mcuboot_image.h +++ b/boot/espressif/hal/include/esp_mcuboot_image.h @@ -15,12 +15,25 @@ * for MCUboot-Espressif port booting. */ typedef struct esp_image_load_header { - uint32_t header_magic; /* Magic for load header */ - uint32_t entry_addr; /* Application entry address */ - uint32_t iram_dest_addr; /* Destination address(VMA) for IRAM region */ - uint32_t iram_flash_offset; /* Flash offset(LMA) for start of IRAM region */ - uint32_t iram_size; /* Size of IRAM region */ - uint32_t dram_dest_addr; /* Destination address(VMA) for DRAM region */ - uint32_t dram_flash_offset; /* Flash offset(LMA) for start of DRAM region */ - uint32_t dram_size; /* Size of DRAM region */ + uint32_t header_magic; /* Magic for load header */ + uint32_t entry_addr; /* Application entry address */ + uint32_t iram_dest_addr; /* Destination address(VMA) for IRAM region */ + uint32_t iram_flash_offset; /* Flash offset(LMA) for start of IRAM region */ + uint32_t iram_size; /* Size of IRAM region */ + uint32_t dram_dest_addr; /* Destination address(VMA) for DRAM region */ + uint32_t dram_flash_offset; /* Flash offset(LMA) for start of DRAM region */ + uint32_t dram_size; /* Size of DRAM region */ + uint32_t lp_rtc_iram_dest_addr; /* Destination address (VMA) for LP_IRAM region */ + uint32_t lp_rtc_iram_flash_offset; /* Flash offset (LMA) for LP_IRAM region */ + uint32_t lp_rtc_iram_size; /* Size of LP_IRAM region */ + uint32_t lp_rtc_dram_dest_addr; /* Destination address (VMA) for LP_DRAM region */ + uint32_t lp_rtc_dram_flash_offset; /* Flash offset (LMA) for LP_DRAM region */ + uint32_t lp_rtc_dram_size; /* Size of LP_DRAM region */ + uint32_t irom_map_addr; /* Mapped address (VMA) for IROM region */ + uint32_t irom_flash_offset; /* Flash offset (LMA) for IROM region */ + uint32_t irom_size; /* Size of IROM region */ + uint32_t drom_map_addr; /* Mapped address (VMA) for DROM region */ + uint32_t drom_flash_offset; /* Flash offset (LMA) for DROM region */ + uint32_t drom_size; /* Size of DROM region */ + uint32_t _reserved[4]; /* Up to 24 words reserved for the header */ } esp_image_load_header_t; diff --git a/boot/espressif/port/esp32s2/ld/bootloader.ld b/boot/espressif/port/esp32s2/ld/bootloader.ld index cf159c312..b615b73c5 100644 --- a/boot/espressif/port/esp32s2/ld/bootloader.ld +++ b/boot/espressif/port/esp32s2/ld/bootloader.ld @@ -14,7 +14,7 @@ MEMORY { iram_seg (RWX) : org = 0x40047000, len = 0x9000 iram_loader_seg (RWX) : org = 0x40050000, len = 0x6000 - dram_seg (RW) : org = 0x3FFE6000, len = 0x9000 + dram_seg (RW) : org = 0x3FFE6000, len = 0x9A00 } /* Default entry point: */ diff --git a/boot/espressif/port/esp_loader.c b/boot/espressif/port/esp_loader.c index 907466521..8180bc516 100644 --- a/boot/espressif/port/esp_loader.c +++ b/boot/espressif/port/esp_loader.c @@ -23,6 +23,24 @@ #include "app_cpu_start.h" #endif +#include "esp_rom_sys.h" +#include "esp_cpu.h" + +#if CONFIG_IDF_TARGET_ESP32 +#define LP_RTC_PREFIX "RTC" +#elif CONFIG_IDF_TARGET_ESP32S2 +#define LP_RTC_PREFIX "RTC" +#elif CONFIG_IDF_TARGET_ESP32S3 +#define LP_RTC_PREFIX "RTC" +#elif CONFIG_IDF_TARGET_ESP32C2 +#elif CONFIG_IDF_TARGET_ESP32C3 +#define LP_RTC_PREFIX "RTC" +#elif CONFIG_IDF_TARGET_ESP32C6 +#define LP_RTC_PREFIX "LP" +#elif CONFIG_IDF_TARGET_ESP32H2 +#define LP_RTC_PREFIX "LP" +#endif + static int load_segment(const struct flash_area *fap, uint32_t data_addr, uint32_t data_len, uint32_t load_addr) { const uint32_t *data = (const uint32_t *)bootloader_mmap((fap->fa_off + data_addr), data_len); @@ -69,6 +87,26 @@ void esp_app_image_load(int image_index, int slot, unsigned int hdr_offset, unsi FIH_PANIC; } +#if SOC_RTC_FAST_MEM_SUPPORTED + if (load_header.lp_rtc_iram_size > 0) { + if (!esp_ptr_in_rtc_iram_fast((void *)load_header.lp_rtc_iram_dest_addr) || + !esp_ptr_in_rtc_iram_fast((void *)(load_header.lp_rtc_iram_dest_addr + load_header.lp_rtc_iram_size))) { + BOOT_LOG_ERR("%s_IRAM region in load header is not valid. Aborting", LP_RTC_PREFIX); + FIH_PANIC; + } + } +#endif + +#if SOC_RTC_SLOW_MEM_SUPPORTED + if (load_header.lp_rtc_dram_size > 0) { + if (!esp_ptr_in_rtc_slow((void *)load_header.lp_rtc_dram_dest_addr) || + !esp_ptr_in_rtc_slow((void *)(load_header.lp_rtc_dram_dest_addr + load_header.lp_rtc_dram_size))) { + BOOT_LOG_ERR("%s_RAM region in load header is not valid. Aborting %p", LP_RTC_PREFIX, load_header.lp_rtc_dram_dest_addr); + FIH_PANIC; + } + } +#endif + if (!esp_ptr_in_iram((void *)load_header.entry_addr)) { BOOT_LOG_ERR("Application entry point (0x%x) is not in IRAM. Aborting", load_header.entry_addr); FIH_PANIC; @@ -80,6 +118,33 @@ void esp_app_image_load(int image_index, int slot, unsigned int hdr_offset, unsi BOOT_LOG_INF("IRAM segment: start=0x%x, size=0x%x, vaddr=0x%x", fap->fa_off + load_header.iram_flash_offset, load_header.iram_size, load_header.iram_dest_addr); load_segment(fap, load_header.iram_flash_offset, load_header.iram_size, load_header.iram_dest_addr); +#if SOC_RTC_FAST_MEM_SUPPORTED || SOC_RTC_SLOW_MEM_SUPPORTED + if (load_header.lp_rtc_dram_size > 0) { + soc_reset_reason_t reset_reason = esp_rom_get_reset_reason(0); + + /* Unless waking from deep sleep (implying RTC memory is intact), load its segments */ + if (reset_reason != RESET_REASON_CORE_DEEP_SLEEP) { + BOOT_LOG_INF("%s_RAM segment: paddr=%08xh, vaddr=%08xh, size=%05xh (%6d) load", LP_RTC_PREFIX, + (fap->fa_off + load_header.lp_rtc_dram_flash_offset), load_header.lp_rtc_dram_dest_addr, + load_header.lp_rtc_dram_size, load_header.lp_rtc_dram_size); + load_segment(fap, load_header.lp_rtc_dram_flash_offset, + load_header.lp_rtc_dram_size, load_header.lp_rtc_dram_dest_addr); + } else { + BOOT_LOG_INF("%s_RAM segment: paddr=%08xh, vaddr=%08xh, size=%05xh (%6d) noload", LP_RTC_PREFIX, + load_header.lp_rtc_dram_flash_offset, load_header.lp_rtc_dram_dest_addr, + load_header.lp_rtc_dram_size, load_header.lp_rtc_dram_size); + } + } + + if (load_header.lp_rtc_iram_size > 0) { + BOOT_LOG_INF("%s_IRAM segment: paddr=%08xh, vaddr=%08xh, size=%05xh (%6d) load", LP_RTC_PREFIX, + (fap->fa_off + load_header.lp_rtc_iram_flash_offset), load_header.lp_rtc_iram_dest_addr, + load_header.lp_rtc_iram_size, load_header.lp_rtc_iram_size); + load_segment(fap, load_header.lp_rtc_iram_flash_offset, + load_header.lp_rtc_iram_size, load_header.lp_rtc_iram_dest_addr); + } +#endif + BOOT_LOG_INF("start=0x%x", load_header.entry_addr); uart_tx_wait_idle(0); diff --git a/docs/release-notes.d/espressif-idf-version-checking.md b/docs/release-notes.d/espressif-idf-version-checking.md index 8944a6959..ff12912c7 100644 --- a/docs/release-notes.d/espressif-idf-version-checking.md +++ b/docs/release-notes.d/espressif-idf-version-checking.md @@ -1,2 +1,3 @@ - Added verification for supported IDF-based HAL version. - Fixed missing macro for XMC flash devices on ESP32-S3 +- Extended image loader header to include RTC/LP RAM, DROM and IROM segments. From 06747985eee7c27d891f2529c58e18f4a84ea6a3 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Fri, 3 Jan 2025 16:08:43 +0000 Subject: [PATCH 015/228] zephyr: Remove scratch from flash_area_id_from_multi_image_slot The mapping does not seem to be needed as scratch is opened directly, and there is only one for all images anyway. Simulator seems to error out when asked to identify scratch with this function. Signed-off-by: Dominik Ermel --- boot/zephyr/flash_map_extended.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/boot/zephyr/flash_map_extended.c b/boot/zephyr/flash_map_extended.c index 4631da75b..bf0d8f191 100644 --- a/boot/zephyr/flash_map_extended.c +++ b/boot/zephyr/flash_map_extended.c @@ -62,9 +62,6 @@ int flash_area_id_from_multi_image_slot(int image_index, int slot) case 0: return FLASH_AREA_IMAGE_PRIMARY(image_index); #if !defined(CONFIG_SINGLE_APPLICATION_SLOT) case 1: return FLASH_AREA_IMAGE_SECONDARY(image_index); -#endif -#if defined(CONFIG_BOOT_SWAP_USING_SCRATCH) - case 2: return FLASH_AREA_IMAGE_SCRATCH; #endif } From c6f5db297c2f4a67e22517c98d6cd1d52fdc96cb Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Wed, 22 Jan 2025 15:58:21 +0000 Subject: [PATCH 016/228] bootutil: Add missing MBEDTLS_ASN1_PARSE_C Need to define MBEDTLS_ASN1_PARSE_C to be able to see ASN1 functions declarations from mbedTLS. Signed-off-by: Dominik Ermel --- boot/bootutil/src/image_ed25519.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index 0d5e66df0..4e2423a08 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -12,6 +12,8 @@ #ifdef MCUBOOT_SIGN_ED25519 #include "bootutil/sign_key.h" +/* We are not really using the MBEDTLS but need the ASN.1 parsing functions */ +#define MBEDTLS_ASN1_PARSE_C #include "mbedtls/oid.h" #include "mbedtls/asn1.h" From 3f6721346f050edf69ce001da2f38be7060f96d9 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Wed, 22 Jan 2025 16:03:53 +0000 Subject: [PATCH 017/228] zephyr: Fix usage of CONFIG_MBEDTLS_BUILTIN and ASN1 This commit fixes issue where even if Zephyr provided mbedTLS module was used, ASN1 decoding procedures have been taken from MCUboot own version of mbedTLS extracted sources for these functions. To be able to do that this commit changes config file used with mbedTLS with the one provided from Zephyr (the generic one), which allows to select required mbedTLS features via Kconfig options exposed by Zephyr. Signed-off-by: Dominik Ermel --- boot/zephyr/CMakeLists.txt | 34 ++++++++++++++++++++++------------ boot/zephyr/Kconfig | 11 ++++++++++- 2 files changed, 32 insertions(+), 13 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index ed490e6ee..8c3467a4d 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -25,8 +25,10 @@ assert_exists(TINYCRYPT_SHA512_DIR) set(FIAT_DIR "${MCUBOOT_DIR}/ext/fiat") assert_exists(FIAT_DIR) # Path to mbed-tls' asn1 parser library. -set(MBEDTLS_ASN1_DIR "${MCUBOOT_DIR}/ext/mbedtls-asn1") -assert_exists(MBEDTLS_ASN1_DIR) +if(NOT CONFIG_MBEDTLS_BUILTIN) + set(MBEDTLS_ASN1_DIR "${MCUBOOT_DIR}/ext/mbedtls-asn1") + assert_exists(MBEDTLS_ASN1_DIR) +endif() set(NRF_DIR "${MCUBOOT_DIR}/ext/nrf") if(CONFIG_BOOT_USE_NRF_CC310_BL) @@ -150,14 +152,16 @@ if(CONFIG_BOOT_RAM_LOAD OR CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD) endif() if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) - zephyr_library_include_directories( - ${MBEDTLS_ASN1_DIR}/include + if(MBEDTLS_ASN1_DIR) + zephyr_library_include_directories( + ${MBEDTLS_ASN1_DIR}/include ) - zephyr_library_sources( - # Additionally pull in just the ASN.1 parser from mbedTLS. - ${MBEDTLS_ASN1_DIR}/src/asn1parse.c - ${MBEDTLS_ASN1_DIR}/src/platform_util.c + zephyr_library_sources( + # Additionally pull in just the ASN.1 parser from mbedTLS. + ${MBEDTLS_ASN1_DIR}/src/asn1parse.c + ${MBEDTLS_ASN1_DIR}/src/platform_util.c ) + endif() if(CONFIG_BOOT_USE_TINYCRYPT) # When using ECDSA signatures, pull in our copy of the tinycrypt library. zephyr_library_include_directories( @@ -207,8 +211,17 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_RSA) endif() elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519) if(CONFIG_BOOT_USE_TINYCRYPT) + if(MBEDTLS_ASN1_DIR) + zephyr_library_include_directories( + ${MBEDTLS_ASN1_DIR}/include + ) + zephyr_library_sources( + # Additionally pull in just the ASN.1 parser from mbedTLS. + ${MBEDTLS_ASN1_DIR}/src/asn1parse.c + ${MBEDTLS_ASN1_DIR}/src/platform_util.c + ) + endif() zephyr_library_include_directories( - ${MBEDTLS_ASN1_DIR}/include ${BOOT_DIR}/zephyr/include ${TINYCRYPT_DIR}/include ${TINYCRYPT_SHA512_DIR}/include @@ -217,9 +230,6 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519) ${TINYCRYPT_DIR}/source/sha256.c ${TINYCRYPT_DIR}/source/utils.c ${TINYCRYPT_SHA512_DIR}/source/sha512.c - # Additionally pull in just the ASN.1 parser from mbedTLS. - ${MBEDTLS_ASN1_DIR}/src/asn1parse.c - ${MBEDTLS_ASN1_DIR}/src/platform_util.c ) zephyr_library_compile_definitions( MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_LIST_DIR}/include/mcuboot-mbedtls-cfg.h" diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index d93014192..4c048a31c 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -131,6 +131,8 @@ config BOOT_SIGNATURE_TYPE_RSA bool "RSA signatures" select BOOT_USE_MBEDTLS select MBEDTLS + select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN + select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED if MBEDTLS_BUILTIN select BOOT_ENCRYPTION_SUPPORT select BOOT_IMG_HASH_ALG_SHA256_ALLOW @@ -181,6 +183,8 @@ config BOOT_ED25519_MBEDTLS bool "Use mbedTLS" select BOOT_USE_MBEDTLS select MBEDTLS + select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN + endchoice endif @@ -225,8 +229,13 @@ config MCUBOOT_CLEANUP_RAM help Sets contents of memory to 0 before jumping to application. +if MBEDTLS + config MBEDTLS_CFG_FILE - default "mcuboot-mbedtls-cfg.h" + default "config-tls-generic.h" if MBEDTLS_BUILTIN + default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS + +endif config BOOT_HW_KEY bool "Use HW key for image verification" From 4b8a37bba22a9732ba00bff54f7d58ccfbc577ca Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Fri, 20 Dec 2024 08:44:37 +0000 Subject: [PATCH 018/228] zephyr: Add imgtool/cbor to pip packages installed by west Adds imgtool and cbor to be automatically installed when using the west packages command, instead of residing in zephyr itself Signed-off-by: Jamie McCrae --- zephyr/module.yml | 4 ++++ zephyr/requirements.txt | 2 ++ 2 files changed, 6 insertions(+) create mode 100644 zephyr/requirements.txt diff --git a/zephyr/module.yml b/zephyr/module.yml index 014a21956..d2af55384 100644 --- a/zephyr/module.yml +++ b/zephyr/module.yml @@ -3,3 +3,7 @@ samples: build: cmake: ./boot/bootutil/zephyr sysbuild-cmake: boot/zephyr/sysbuild +package-managers: + pip: + requirement-files: + - zephyr/requirements.txt diff --git a/zephyr/requirements.txt b/zephyr/requirements.txt new file mode 100644 index 000000000..0eaed4d84 --- /dev/null +++ b/zephyr/requirements.txt @@ -0,0 +1,2 @@ +cbor>=1.0.0 +imgtool>=2.1.0 From f72158ff313ac771c3b510adf64685cabf34f8c0 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Wed, 2 Oct 2024 11:05:20 +0000 Subject: [PATCH 019/228] bootutil: Allow SHA512 with TinyCrypt The commit enables SHA512 support, for image hashing, with TinyCrypt. Although on 32bit machines the SHA256 will be faster than SHA512, benefit of enabling the SHA512 is that you have only one algorithm compiled in which reduces size of code. Signed-off-by: Dominik Ermel --- boot/bootutil/include/bootutil/crypto/sha.h | 20 ++++++++++++++++++++ boot/bootutil/src/image_ed25519.c | 9 ++++++--- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/boot/bootutil/include/bootutil/crypto/sha.h b/boot/bootutil/include/bootutil/crypto/sha.h index d136a7f53..6a009ff95 100644 --- a/boot/bootutil/include/bootutil/crypto/sha.h +++ b/boot/bootutil/include/bootutil/crypto/sha.h @@ -69,7 +69,11 @@ #endif /* MCUBOOT_USE_MBED_TLS */ #if defined(MCUBOOT_USE_TINYCRYPT) +#if defined(MCUBOOT_SHA512) + #include +#else #include +#endif #include #endif /* MCUBOOT_USE_TINYCRYPT */ @@ -192,11 +196,19 @@ static inline int bootutil_sha_finish(bootutil_sha_context *ctx, #endif /* MCUBOOT_USE_MBED_TLS */ #if defined(MCUBOOT_USE_TINYCRYPT) +#if defined(MCUBOOT_SHA512) +typedef struct tc_sha512_state_struct bootutil_sha_context; +#else typedef struct tc_sha256_state_struct bootutil_sha_context; +#endif static inline int bootutil_sha_init(bootutil_sha_context *ctx) { +#if defined(MCUBOOT_SHA512) + tc_sha512_init(ctx); +#else tc_sha256_init(ctx); +#endif return 0; } @@ -210,13 +222,21 @@ static inline int bootutil_sha_update(bootutil_sha_context *ctx, const void *data, uint32_t data_len) { +#if defined(MCUBOOT_SHA512) + return tc_sha512_update(ctx, data, data_len); +#else return tc_sha256_update(ctx, data, data_len); +#endif } static inline int bootutil_sha_finish(bootutil_sha_context *ctx, uint8_t *output) { +#if defined(MCUBOOT_SHA512) + return tc_sha512_final(output, ctx); +#else return tc_sha256_final(output, ctx); +#endif } #endif /* MCUBOOT_USE_TINYCRYPT */ diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index 4e2423a08..4a5755b66 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -21,12 +21,14 @@ #include "bootutil/crypto/common.h" #include "bootutil/crypto/sha.h" +#define EDDSA_SIGNATURE_LENGTH 64 + static const uint8_t ed25519_pubkey_oid[] = MBEDTLS_OID_ISO_IDENTIFIED_ORG "\x65\x70"; #define NUM_ED25519_BYTES 32 extern int ED25519_verify(const uint8_t *message, size_t message_len, - const uint8_t signature[64], - const uint8_t public_key[32]); + const uint8_t signature[EDDSA_SIGNATURE_LENGTH], + const uint8_t public_key[NUM_ED25519_BYTES]); /* * Parse the public key used for signing. @@ -76,7 +78,8 @@ bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen, uint8_t *pubkey; uint8_t *end; - if (hlen != IMAGE_HASH_SIZE || slen != 64) { + if (hlen != IMAGE_HASH_SIZE || + slen != EDDSA_SIGNATURE_LENGTH) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } From b43b8c80b87b9cf7a8efe35b7cdaea49ed0b457f Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Thu, 5 Sep 2024 10:53:17 +0000 Subject: [PATCH 020/228] bootutil: Enable hash calculation directly on storage The commit add support for passing storage device address space to hash calculation functions, which allows to use hardware accelerated hash calculation on storage. This feature only works when image encryption is not enabled and all slots are defined within internal storage of device. The feature is enabled with MCUboot configuration option MCUBOOT_HASH_STORAGE_DIRECTLY. Signed-off-by: Dominik Ermel --- boot/bootutil/src/image_validate.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index ec5d986df..ae22e27ed 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -68,13 +68,15 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, uint8_t *seed, int seed_len) { bootutil_sha_context sha_ctx; - uint32_t blk_sz; uint32_t size; uint16_t hdr_size; - uint32_t off; - int rc; uint32_t blk_off; uint32_t tlv_off; +#if !defined(MCUBOOT_HASH_STORAGE_DIRECTLY) + int rc; + uint32_t off; + uint32_t blk_sz; +#endif #if (BOOT_IMAGE_NUMBER == 1) || !defined(MCUBOOT_ENC_IMAGES) || \ defined(MCUBOOT_RAM_LOAD) @@ -117,6 +119,12 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, /* If protected TLVs are present they are also hashed. */ size += hdr->ih_protect_tlv_size; +#ifdef MCUBOOT_HASH_STORAGE_DIRECTLY + /* No chunk loading, storage is mapped to address space and can + * be directly given to hashing function. + */ + bootutil_sha_update(&sha_ctx, (void *)flash_area_get_off(fap), size); +#else /* MCUBOOT_HASH_STORAGE_DIRECTLY */ #ifdef MCUBOOT_RAM_LOAD bootutil_sha_update(&sha_ctx, (void*)(IMAGE_RAM_BASE + hdr->ih_load_addr), @@ -161,6 +169,7 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, bootutil_sha_update(&sha_ctx, tmp_buf, blk_sz); } #endif /* MCUBOOT_RAM_LOAD */ +#endif /* MCUBOOT_HASH_STORAGE_DIRECTLY */ bootutil_sha_finish(&sha_ctx, hash_result); bootutil_sha_drop(&sha_ctx); From de9bc3d006b2ac44f056bb66ef1b2f60d15df11d Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Fri, 6 Sep 2024 16:16:28 +0000 Subject: [PATCH 021/228] bootutil: PureEdDSA using ED25519 The commit adds support for PureEdDSA, which validates signature of image rather than hash. This is most secure, available, ED25519 usage in MCUboot, but due to requirement of PureEdDSA to be able to calculate signature at whole message at once, here image, it only works on setups where entire image can be mapped to device address space, so that PSA functions calculating the signature can see the whole image at once. The feature is enabled with MCUBOOT_SIGN_PURE MCUboot configuration option. Signed-off-by: Dominik Ermel --- boot/bootutil/src/bootutil_priv.h | 9 +++ boot/bootutil/src/image_ed25519.c | 59 ++++++++++++++++-- boot/bootutil/src/image_validate.c | 96 ++++++++++++++++++++++++++++-- docs/design.md | 2 + 4 files changed, 154 insertions(+), 12 deletions(-) diff --git a/boot/bootutil/src/bootutil_priv.h b/boot/bootutil/src/bootutil_priv.h index 345933a5f..5703f627a 100644 --- a/boot/bootutil/src/bootutil_priv.h +++ b/boot/bootutil/src/bootutil_priv.h @@ -267,9 +267,18 @@ struct boot_loader_state { #endif /* MCUBOOT_DIRECT_XIP || MCUBOOT_RAM_LOAD */ }; +/* The function is intended for verification of image hash against + * provided signature. + */ fih_ret bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen, uint8_t key_id); +/* The function is intended for direct verification of image + * against provided signature. + */ +fih_ret bootutil_verify_img(uint8_t *img, uint32_t size, + uint8_t *sig, size_t slen, uint8_t key_id); + fih_ret boot_fih_memequal(const void *s1, const void *s2, size_t n); int boot_find_status(int image_index, const struct flash_area **fap); diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index 4a5755b66..238c9d671 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -69,17 +69,23 @@ bootutil_import_key(uint8_t **cp, uint8_t *end) return 0; } -fih_ret -bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen, - uint8_t key_id) +/* Signature verification base function. + * The function takes buffer of specified length and tries to verify + * it against provided signature. + * The function does key import and checks whether signature is + * of expected length. + */ +static fih_ret +bootutil_verify(uint8_t *buf, uint32_t blen, + uint8_t *sig, size_t slen, + uint8_t key_id) { int rc; FIH_DECLARE(fih_rc, FIH_FAILURE); uint8_t *pubkey; uint8_t *end; - if (hlen != IMAGE_HASH_SIZE || - slen != EDDSA_SIGNATURE_LENGTH) { + if (slen != EDDSA_SIGNATURE_LENGTH) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } @@ -93,7 +99,7 @@ bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen, goto out; } - rc = ED25519_verify(hash, IMAGE_HASH_SIZE, sig, pubkey); + rc = ED25519_verify(buf, blen, sig, pubkey); if (rc == 0) { /* if verify returns 0, there was an error. */ @@ -107,4 +113,45 @@ bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen, FIH_RET(fih_rc); } +/* Hash signature verification function. + * Verifies hash against provided signature. + * The function verifies that hash is of expected size and then + * calls bootutil_verify to do the signature verification. + */ +fih_ret +bootutil_verify_sig(uint8_t *hash, uint32_t hlen, + uint8_t *sig, size_t slen, + uint8_t key_id) +{ + FIH_DECLARE(fih_rc, FIH_FAILURE); + + if (hlen != IMAGE_HASH_SIZE) { + FIH_SET(fih_rc, FIH_FAILURE); + goto out; + } + + FIH_CALL(bootutil_verify, fih_rc, hash, IMAGE_HASH_SIZE, sig, + slen, key_id); + +out: + FIH_RET(fih_rc); +} + +/* Image verification function. + * The function directly calls bootutil_verify to verify signature + * of image. + */ +fih_ret +bootutil_verify_img(uint8_t *img, uint32_t size, + uint8_t *sig, size_t slen, + uint8_t key_id) +{ + FIH_DECLARE(fih_rc, FIH_FAILURE); + + FIH_CALL(bootutil_verify, fih_rc, img, size, sig, + slen, key_id); + + FIH_RET(fih_rc); +} + #endif /* MCUBOOT_SIGN_ED25519 */ diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index ae22e27ed..e038f22fe 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -56,6 +56,7 @@ #include "bootutil_priv.h" +#ifndef MCUBOOT_SIGN_PURE /* * Compute SHA hash over the image. * (SHA384 if ECDSA-P384 is being used, @@ -175,6 +176,7 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, return 0; } +#endif /* * Currently, we only support being able to verify one type of @@ -361,6 +363,44 @@ bootutil_get_img_security_cnt(struct image_header *hdr, return 0; } +#if defined(MCUBOOT_SIGN_PURE) +/* Returns: + * 0 -- found + * 1 -- not found or found but not true + * -1 -- failed for some reason + * + * Value of TLV does not matter, presence decides. + */ +static int bootutil_check_for_pure(const struct image_header *hdr, + const struct flash_area *fap) +{ + struct image_tlv_iter it; + uint32_t off; + uint16_t len; + int32_t rc; + + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_SIG_PURE, false); + if (rc) { + return -1; + } + + /* Search for the TLV */ + rc = bootutil_tlv_iter_next(&it, &off, &len, NULL); + if (rc == 0 && len == 1) { + uint8_t val; + + rc = LOAD_IMAGE_DATA(hdr, fap, off, &val, sizeof(val)); + if (rc == 0) { + return (val == 1) ? 0 : 1; + } else { + return -1; + } + } + + return 1; +} +#endif + #ifndef ALLOW_ROGUE_TLVS /* * The following list of TLVs are the only entries allowed in the unprotected @@ -377,6 +417,9 @@ static const uint16_t allowed_unprot_tlvs[] = { IMAGE_TLV_ECDSA_SIG, IMAGE_TLV_RSA3072_PSS, IMAGE_TLV_ED25519, +#if defined(MCUBOOT_SIGN_PURE) + IMAGE_TLV_SIG_PURE, +#endif IMAGE_TLV_ENC_RSA2048, IMAGE_TLV_ENC_KW, IMAGE_TLV_ENC_EC256, @@ -399,7 +442,6 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, uint32_t off; uint16_t len; uint16_t type; - int image_hash_valid = 0; #ifdef EXPECTED_SIG_TLV FIH_DECLARE(valid_signature, FIH_FAILURE); #ifndef MCUBOOT_BUILTIN_KEY @@ -416,7 +458,10 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, #endif /* EXPECTED_SIG_TLV */ struct image_tlv_iter it; uint8_t buf[SIG_BUF_SIZE]; +#if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) + int image_hash_valid = 0; uint8_t hash[IMAGE_HASH_SIZE]; +#endif int rc = 0; FIH_DECLARE(fih_rc, FIH_FAILURE); #ifdef MCUBOOT_HW_ROLLBACK_PROT @@ -425,6 +470,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, FIH_DECLARE(security_counter_valid, FIH_FAILURE); #endif +#if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) rc = bootutil_img_hash(enc_state, image_index, hdr, fap, tmp_buf, tmp_buf_sz, hash, seed, seed_len); if (rc) { @@ -434,6 +480,15 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, if (out_hash) { memcpy(out_hash, hash, IMAGE_HASH_SIZE); } +#endif + +#if defined(MCUBOOT_SIGN_PURE) + /* If Pure type signature is expected then it has to be there */ + rc = bootutil_check_for_pure(hdr, fap); + if (rc != 0) { + goto out; + } +#endif rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false); if (rc) { @@ -477,8 +532,10 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, } } #endif - - if (type == EXPECTED_HASH_TLV) { + switch(type) { +#if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) + case EXPECTED_HASH_TLV: + { /* Verify the image hash. This must always be present. */ if (len != sizeof(hash)) { rc = -1; @@ -496,8 +553,12 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, } image_hash_valid = 1; + break; + } +#endif /* defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) */ #ifdef EXPECTED_KEY_TLV - } else if (type == EXPECTED_KEY_TLV) { + case EXPECTED_KEY_TLV: + { /* * Determine which key we should be checking. */ @@ -522,9 +583,12 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, * The key may not be found, which is acceptable. There * can be multiple signatures, each preceded by a key. */ + break; + } #endif /* EXPECTED_KEY_TLV */ #ifdef EXPECTED_SIG_TLV - } else if (type == EXPECTED_SIG_TLV) { + case EXPECTED_SIG_TLV: + { /* Ignore this signature if it is out of bounds. */ if (key_id < 0 || key_id >= bootutil_key_cnt) { key_id = -1; @@ -538,12 +602,25 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, if (rc) { goto out; } +#ifndef MCUBOOT_SIGN_PURE FIH_CALL(bootutil_verify_sig, valid_signature, hash, sizeof(hash), buf, len, key_id); +#else + /* Directly check signature on the image, by using the mapping of + * a device to memory. The pointer is beginning of image in flash, + * so offset of area, the range is header + image + protected tlvs. + */ + FIH_CALL(bootutil_verify_img, valid_signature, (void *)flash_area_get_off(fap), + hdr->ih_hdr_size + hdr->ih_img_size + hdr->ih_protect_tlv_size, + buf, len, key_id); +#endif key_id = -1; + break; + } #endif /* EXPECTED_SIG_TLV */ #ifdef MCUBOOT_HW_ROLLBACK_PROT - } else if (type == IMAGE_TLV_SEC_CNT) { + case IMAGE_TLV_SEC_CNT: + { /* * Verify the image's security counter. * This must always be present. @@ -578,14 +655,21 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, /* The image's security counter has been successfully verified. */ security_counter_valid = fih_rc; + break; + } #endif /* MCUBOOT_HW_ROLLBACK_PROT */ } } +#if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) rc = !image_hash_valid; if (rc) { goto out; } +#elif defined(MCUBOOT_SIGN_PURE) + /* This returns true on EQ, rc is err on non-0 */ + rc = FIH_NOT_EQ(valid_signature, FIH_SUCCESS); +#endif #ifdef EXPECTED_SIG_TLV FIH_SET(fih_rc, valid_signature); #endif diff --git a/docs/design.md b/docs/design.md index 7fa06fe6b..b1979a7c2 100755 --- a/docs/design.md +++ b/docs/design.md @@ -111,6 +111,8 @@ struct image_tlv { #define IMAGE_TLV_ECDSA_SIG 0x22 /* ECDSA of hash output */ #define IMAGE_TLV_RSA3072_PSS 0x23 /* RSA3072 of hash output */ #define IMAGE_TLV_ED25519 0x24 /* ED25519 of hash output */ +#define IMAGE_TLV_SIG_PURE 0x25 /* If true then any signature found has been + calculated over image directly. */ #define IMAGE_TLV_ENC_RSA2048 0x30 /* Key encrypted with RSA-OAEP-2048 */ #define IMAGE_TLV_ENC_KW 0x31 /* Key encrypted with AES-KW-128 or 256 */ From 30e6adfe43bb0786d6c32426fdd11cb750f01ac6 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Wed, 2 Oct 2024 11:05:20 +0000 Subject: [PATCH 022/228] zephyr: Allow SHA512 with TinyCrypt Select BOOT_IMG_HASH_ALG_SHA512_ALLOW via BOOT_ED25519_TINYCRYPT. Signed-off-by: Dominik Ermel --- boot/zephyr/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 4c048a31c..4eb0e215b 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -179,6 +179,7 @@ choice BOOT_ED25519_IMPLEMENTATION config BOOT_ED25519_TINYCRYPT bool "Use tinycrypt" select BOOT_USE_TINYCRYPT + select BOOT_IMG_HASH_ALG_SHA512_ALLOW config BOOT_ED25519_MBEDTLS bool "Use mbedTLS" select BOOT_USE_MBEDTLS From 96f01aad668929cbcebc5c1395aa4af110e53a51 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Thu, 5 Sep 2024 10:53:17 +0000 Subject: [PATCH 023/228] zephyr: Add Kconfig and configuration for SHA on storage Adds CONFIG_BOOT_IMG_HASH_DIRECTLY_ON_STORAGE, which enables MCUBOOT_HASH_STORAGE_DIRECTLY for Zephyr. Signed-off-by: Dominik Ermel --- boot/zephyr/Kconfig | 16 ++++++++++++++++ .../include/mcuboot_config/mcuboot_config.h | 7 +++++++ 2 files changed, 23 insertions(+) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 4eb0e215b..e2942d65c 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -88,6 +88,22 @@ config BOOT_IMG_HASH_ALG_SHA512_ALLOW help Hidden option set by configurations that allow SHA512 +config BOOT_IMG_HASH_DIRECTLY_ON_STORAGE + bool "Hash calculation functions access storage through address space" + depends on !BOOT_ENCRYPT_IMAGE + help + When possible to map storage device, at least for read operations, + to address space or RAM area, enabling this option allows hash + calculation functions to directly access the storage through that address + space or using its own DMA. This reduces flash read overhead done + by MCUboot. + Notes: + - not supported when encrypted images are in use, because calculating + SHA requires image to be decrypted first, which is done in RAM. + - currently only supported on internal storage of devices; this + option will not work with devices that use external storage for + either of the image slots. + choice BOOT_IMG_HASH_ALG prompt "Selected image hash algorithm" default BOOT_IMG_HASH_ALG_SHA256 if BOOT_IMG_HASH_ALG_SHA256_ALLOW diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index 60fb8e600..edab36e72 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -149,6 +149,13 @@ #define MCUBOOT_DECOMPRESS_IMAGES #endif +/* Invoke hashing functions directly on storage device. This requires the device + * be able to map storage to address space or RAM. + */ +#ifdef CONFIG_BOOT_IMG_HASH_DIRECTLY_ON_STORAGE +#define MCUBOOT_HASH_STORAGE_DIRECTLY +#endif + #ifdef CONFIG_BOOT_BOOTSTRAP #define MCUBOOT_BOOTSTRAP 1 #endif From 9668469f00a70d43e6b1fcaf8287833d102870b7 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Fri, 6 Sep 2024 16:16:28 +0000 Subject: [PATCH 024/228] zephyr: Add Kconfig option to select PureEdDS Commit adds CONFIG_BOOT_SIGNATURE_TYPE_PURE Kconfig option, which enables MCUBOOT_SIGN_PURE in MCUboot configuration. Signed-off-by: Dominik Ermel --- boot/zephyr/Kconfig | 30 +++++++++++++++++-- .../include/mcuboot_config/mcuboot_config.h | 4 +++ 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index e2942d65c..3afcd05c3 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -134,6 +134,14 @@ config BOOT_IMG_HASH_ALG_SHA512 endchoice # BOOT_IMG_HASH_ALG +config BOOT_SIGNATURE_TYPE_PURE_ALLOW + bool + help + Hidden option set by configurations that allow Pure variant, + for example ed25519. The pure variant means that image + signature is calculated over entire image instead of hash + of an image. + choice BOOT_SIGNATURE_TYPE prompt "Signature type" default BOOT_SIGNATURE_TYPE_RSA @@ -185,10 +193,28 @@ endif config BOOT_SIGNATURE_TYPE_ED25519 bool "Edwards curve digital signatures using ed25519" - select BOOT_ENCRYPTION_SUPPORT - select BOOT_IMG_HASH_ALG_SHA256_ALLOW + select BOOT_ENCRYPTION_SUPPORT if !BOOT_SIGNATURE_TYPE_PURE + select BOOT_IMG_HASH_ALG_SHA256_ALLOW if !BOOT_SIGNATURE_TYPE_PURE + # The SHA is used only for key hashing, not for images. + select BOOT_SIGNATURE_TYPE_PURE_ALLOW + help + This is ed25519 signature calculated over SHA512 of SHA256 of application + image. + To check signature over entire image directly, rather than hash, + select BOOT_SIGNATURE_TYPE_PURE. if BOOT_SIGNATURE_TYPE_ED25519 + +config BOOT_SIGNATURE_TYPE_PURE + bool "Use Pure signature of image" + depends on BOOT_SIGNATURE_TYPE_PURE_ALLOW + help + The Pure signature is calculated directly over image rather than + hash of an image, as the BOOT_SIGNATURE_TYPE_ED25519 does by + default. + Image to be verified needs to be accessible through memory address + space that cryptography functions can access via pointers. + choice BOOT_ED25519_IMPLEMENTATION prompt "Ecdsa implementation" default BOOT_ED25519_TINYCRYPT diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index edab36e72..b15c1682f 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -156,6 +156,10 @@ #define MCUBOOT_HASH_STORAGE_DIRECTLY #endif +#ifdef CONFIG_BOOT_SIGNATURE_TYPE_PURE +#define MCUBOOT_SIGN_PURE +#endif + #ifdef CONFIG_BOOT_BOOTSTRAP #define MCUBOOT_BOOTSTRAP 1 #endif From 2fe9cd4b6cf34499fb54c9551e01ca6fb0b3e9f8 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Tue, 14 Jan 2025 16:42:00 +0000 Subject: [PATCH 025/228] boot: bootutil: Refactor some functions to have state Refactors some functions so that the state variable is present in it Signed-off-by: Jamie McCrae --- boot/boot_serial/src/boot_serial.c | 4 +- boot/boot_serial/src/boot_serial_encryption.c | 10 +-- boot/bootutil/include/bootutil/enc_key.h | 3 +- boot/bootutil/include/bootutil/image.h | 7 +- boot/bootutil/src/encrypted.c | 3 +- boot/bootutil/src/image_validate.c | 40 +++++++--- boot/bootutil/src/loader.c | 76 +++++++++---------- boot/bootutil/src/ram_load.c | 2 +- boot/mynewt/src/single_loader.c | 2 +- boot/zephyr/firmware_loader.c | 2 +- boot/zephyr/single_loader.c | 2 +- 11 files changed, 83 insertions(+), 68 deletions(-) diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c index 8b256c623..73a4b5062 100644 --- a/boot/boot_serial/src/boot_serial.c +++ b/boot/boot_serial/src/boot_serial.c @@ -333,7 +333,7 @@ bs_list(char *buf, int len) } #endif - FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, &hdr, + FIH_CALL(bootutil_img_validate, fih_rc, NULL, &hdr, fap, tmpbuf, sizeof(tmpbuf), NULL, 0, NULL); #if defined(MCUBOOT_ENC_IMAGES) && !defined(MCUBOOT_SINGLE_APPLICATION_SLOT) } @@ -522,7 +522,7 @@ bs_set(char *buf, int len) &hdr, tmpbuf, sizeof(tmpbuf)); } else { #endif - FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, &hdr, + FIH_CALL(bootutil_img_validate, fih_rc, NULL, &hdr, fap, tmpbuf, sizeof(tmpbuf), NULL, 0, NULL); #ifdef MCUBOOT_ENC_IMAGES } diff --git a/boot/boot_serial/src/boot_serial_encryption.c b/boot/boot_serial/src/boot_serial_encryption.c index c4bd7d87b..bb88584fc 100644 --- a/boot/boot_serial/src/boot_serial_encryption.c +++ b/boot/boot_serial/src/boot_serial_encryption.c @@ -30,22 +30,20 @@ boot_image_validate_encrypted(const struct flash_area *fa_p, struct boot_loader_state *state = &boot_data; struct boot_status _bs; struct boot_status *bs = &_bs; - uint8_t image_index; int rc; memset(&boot_data, 0, sizeof(struct boot_loader_state)); - image_index = BOOT_CURR_IMG(state); if(IS_ENCRYPTED(hdr)) { - rc = boot_enc_load(BOOT_CURR_ENC(state), 1, hdr, fa_p, bs); + rc = boot_enc_load(state, 1, hdr, fa_p, bs); if (rc < 0) { FIH_RET(fih_rc); } - rc = boot_enc_set_key(BOOT_CURR_ENC(state), 1, bs); + rc = boot_enc_set_key(state, 1, bs); if (rc < 0) { FIH_RET(fih_rc); } } - FIH_CALL(bootutil_img_validate, fih_rc, BOOT_CURR_ENC(state), image_index, + FIH_CALL(bootutil_img_validate, fih_rc, state, hdr, fa_p, buf, buf_size, NULL, 0, NULL); FIH_RET(fih_rc); @@ -238,7 +236,7 @@ decrypt_image_inplace(const struct flash_area *fa_p, #endif memset(&boot_data, 0, sizeof(struct boot_loader_state)); /* Load the encryption keys into cache */ - rc = boot_enc_load(BOOT_CURR_ENC(state), 0, hdr, fa_p, bs); + rc = boot_enc_load(state, 0, hdr, fa_p, bs); if (rc < 0) { FIH_RET(fih_rc); } diff --git a/boot/bootutil/include/bootutil/enc_key.h b/boot/bootutil/include/bootutil/enc_key.h index 4ff2432cd..7e65ee07a 100644 --- a/boot/bootutil/include/bootutil/enc_key.h +++ b/boot/bootutil/include/bootutil/enc_key.h @@ -58,6 +58,7 @@ struct enc_key_data { int boot_enc_retrieve_private_key(struct bootutil_key **private_key); struct boot_status; +struct boot_loader_state; /* Decrypt random, symmetric encryption key */ int boot_decrypt_key(const uint8_t *buf, uint8_t *enckey); @@ -66,7 +67,7 @@ int boot_enc_init(struct enc_key_data *enc_state, uint8_t slot); int boot_enc_drop(struct enc_key_data *enc_state, uint8_t slot); int boot_enc_set_key(struct enc_key_data *enc_state, uint8_t slot, const struct boot_status *bs); -int boot_enc_load(struct enc_key_data *enc_state, int slot, +int boot_enc_load(struct boot_loader_state *state, int slot, const struct image_header *hdr, const struct flash_area *fap, struct boot_status *bs); bool boot_enc_valid(struct enc_key_data *enc_state, int slot); diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h index 501ee33ee..bbf3d3eca 100644 --- a/boot/bootutil/include/bootutil/image.h +++ b/boot/bootutil/include/bootutil/image.h @@ -196,7 +196,8 @@ _Static_assert(sizeof(struct image_header) == IMAGE_HEADER_SIZE, "struct image_header not required size"); struct enc_key_data; -fih_ret bootutil_img_validate(struct enc_key_data *enc_state, int image_index, +struct boot_loader_state; +fih_ret bootutil_img_validate(struct boot_loader_state *state, struct image_header *hdr, const struct flash_area *fap, uint8_t *tmp_buf, uint32_t tmp_buf_sz, @@ -220,9 +221,9 @@ int bootutil_tlv_iter_next(struct image_tlv_iter *it, uint32_t *off, uint16_t *len, uint16_t *type); int bootutil_tlv_iter_is_prot(struct image_tlv_iter *it, uint32_t off); -int32_t bootutil_get_img_security_cnt(struct image_header *hdr, +int32_t bootutil_get_img_security_cnt(struct boot_loader_state *state, int slot, const struct flash_area *fap, - uint32_t *security_cnt); + uint32_t *img_security_cnt); #ifdef __cplusplus } diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c index 8449a28dd..6b9cb3291 100644 --- a/boot/bootutil/src/encrypted.c +++ b/boot/bootutil/src/encrypted.c @@ -632,10 +632,11 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey) * Load encryption key. */ int -boot_enc_load(struct enc_key_data *enc_state, int slot, +boot_enc_load(struct boot_loader_state *state, int slot, const struct image_header *hdr, const struct flash_area *fap, struct boot_status *bs) { + struct enc_key_data *enc_state = BOOT_CURR_ENC(state); uint32_t off; uint16_t len; struct image_tlv_iter it; diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index e038f22fe..d844eb525 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -4,6 +4,7 @@ * Copyright (c) 2017-2019 Linaro LTD * Copyright (c) 2016-2019 JUUL Labs * Copyright (c) 2019-2024 Arm Limited + * Copyright (c) 2025 Nordic Semiconductor ASA * * Original license: * @@ -29,6 +30,7 @@ #include #include #include +#include #include @@ -63,7 +65,7 @@ * SHA256 otherwise). */ static int -bootutil_img_hash(struct enc_key_data *enc_state, int image_index, +bootutil_img_hash(struct boot_loader_state *state, struct image_header *hdr, const struct flash_area *fap, uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *hash_result, uint8_t *seed, int seed_len) @@ -78,11 +80,14 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, uint32_t off; uint32_t blk_sz; #endif +#if defined(MCUBOOT_ENC_IMAGES) + struct enc_key_data *enc_state; + int image_index; +#endif #if (BOOT_IMAGE_NUMBER == 1) || !defined(MCUBOOT_ENC_IMAGES) || \ defined(MCUBOOT_RAM_LOAD) - (void)enc_state; - (void)image_index; + (void)state; (void)hdr_size; (void)blk_off; (void)tlv_off; @@ -97,6 +102,14 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, #endif #ifdef MCUBOOT_ENC_IMAGES + if (state == NULL) { + enc_state = NULL; + image_index = 0; + } else { + enc_state = BOOT_CURR_ENC(state); + image_index = BOOT_CURR_IMG(state); + } + /* Encrypted images only exist in the secondary slot */ if (MUST_DECRYPT(fap, image_index, hdr) && !boot_enc_valid(enc_state, 1)) { @@ -306,7 +319,8 @@ bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len) /** * Reads the value of an image's security counter. * - * @param hdr Pointer to the image header structure. + * @param state Pointer to the boot state object. + * @param slot Slot of the current image to get the security counter of. * @param fap Pointer to a description structure of the image's * flash area. * @param security_cnt Pointer to store the security counter value. @@ -314,7 +328,7 @@ bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len) * @return 0 on success; nonzero on failure. */ int32_t -bootutil_get_img_security_cnt(struct image_header *hdr, +bootutil_get_img_security_cnt(struct boot_loader_state *state, int slot, const struct flash_area *fap, uint32_t *img_security_cnt) { @@ -323,7 +337,8 @@ bootutil_get_img_security_cnt(struct image_header *hdr, uint16_t len; int32_t rc; - if ((hdr == NULL) || + if ((state == NULL) || + (boot_img_hdr(state, slot) == NULL) || (fap == NULL) || (img_security_cnt == NULL)) { /* Invalid parameter. */ @@ -331,11 +346,11 @@ bootutil_get_img_security_cnt(struct image_header *hdr, } /* The security counter TLV is in the protected part of the TLV area. */ - if (hdr->ih_protect_tlv_size == 0) { + if (boot_img_hdr(state, slot)->ih_protect_tlv_size == 0) { return BOOT_EBADIMAGE; } - rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_SEC_CNT, true); + rc = bootutil_tlv_iter_begin(&it, boot_img_hdr(state, slot), fap, IMAGE_TLV_SEC_CNT, true); if (rc) { return rc; } @@ -355,7 +370,7 @@ bootutil_get_img_security_cnt(struct image_header *hdr, return BOOT_EBADIMAGE; } - rc = LOAD_IMAGE_DATA(hdr, fap, off, img_security_cnt, len); + rc = LOAD_IMAGE_DATA(boot_img_hdr(state, slot), fap, off, img_security_cnt, len); if (rc != 0) { return BOOT_EFLASH; } @@ -434,11 +449,14 @@ static const uint16_t allowed_unprot_tlvs[] = { * Return non-zero if image could not be validated/does not validate. */ fih_ret -bootutil_img_validate(struct enc_key_data *enc_state, int image_index, +bootutil_img_validate(struct boot_loader_state *state, struct image_header *hdr, const struct flash_area *fap, uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *seed, int seed_len, uint8_t *out_hash) { +#if (defined(EXPECTED_KEY_TLV) && defined(MCUBOOT_HW_KEY)) || defined(MCUBOOT_HW_ROLLBACK_PROT) + int image_index = (state == NULL ? 0 : BOOT_CURR_IMG(state)); +#endif uint32_t off; uint16_t len; uint16_t type; @@ -471,7 +489,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, #endif #if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) - rc = bootutil_img_hash(enc_state, image_index, hdr, fap, tmp_buf, + rc = bootutil_img_hash(state, hdr, fap, tmp_buf, tmp_buf_sz, hash, seed, seed_len); if (rc) { goto out; diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 94ec0bfc6..d86984bb5 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -4,7 +4,7 @@ * Copyright (c) 2016-2020 Linaro LTD * Copyright (c) 2016-2019 JUUL Labs * Copyright (c) 2019-2023 Arm Limited - * Copyright (c) 2024 Nordic Semiconductor ASA + * Copyright (c) 2024-2025 Nordic Semiconductor ASA * * Original license: * @@ -770,7 +770,7 @@ boot_image_check(struct boot_loader_state *state, struct image_header *hdr, * decrypted when copied in ram */ #if defined(MCUBOOT_ENC_IMAGES) && !defined(MCUBOOT_RAM_LOAD) if (MUST_DECRYPT(fap, BOOT_CURR_IMG(state), hdr)) { - rc = boot_enc_load(BOOT_CURR_ENC(state), 1, hdr, fap, bs); + rc = boot_enc_load(state, 1, hdr, fap, bs); if (rc < 0) { FIH_RET(fih_rc); } @@ -780,8 +780,7 @@ boot_image_check(struct boot_loader_state *state, struct image_header *hdr, } #endif - FIH_CALL(bootutil_img_validate, fih_rc, BOOT_CURR_ENC(state), - BOOT_CURR_IMG(state), hdr, fap, tmpbuf, BOOT_TMPBUF_SZ, + FIH_CALL(bootutil_img_validate, fih_rc, state, hdr, fap, tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, NULL); FIH_RET(fih_rc); @@ -805,13 +804,13 @@ split_image_check(struct image_header *app_hdr, } } - FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, loader_hdr, loader_fap, + FIH_CALL(bootutil_img_validate, fih_rc, NULL, loader_hdr, loader_fap, tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, loader_hash); if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { FIH_RET(fih_rc); } - FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, app_hdr, app_fap, + FIH_CALL(bootutil_img_validate, fih_rc, NULL, app_hdr, app_fap, tmpbuf, BOOT_TMPBUF_SZ, loader_hash, 32, NULL); out: @@ -973,7 +972,7 @@ boot_rom_address_check(struct boot_loader_state *state) */ static fih_ret boot_validate_slot(struct boot_loader_state *state, int slot, - struct boot_status *bs) + struct boot_status *bs, int expected_swap_type) { const struct flash_area *fap; struct image_header *hdr; @@ -981,6 +980,8 @@ boot_validate_slot(struct boot_loader_state *state, int slot, FIH_DECLARE(fih_rc, FIH_FAILURE); int rc; + (void)expected_swap_type; + area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); rc = flash_area_open(area_id, &fap); if (rc != 0) { @@ -1100,35 +1101,35 @@ boot_validate_slot(struct boot_loader_state *state, int slot, * value which resides in the given slot, only if it's greater than the stored * value. * - * @param image_index Index of the image to determine which security - * counter to update. + * @param state Boot state where the current image's security counter will + * be updated. * @param slot Slot number of the image. - * @param hdr Pointer to the image header structure of the image - * that is currently stored in the given slot. + * @param hdr_slot_idx Index of the header in the state current image variable + * containing the pointer to the image header structure of the + * image that is currently stored in the given slot. * * @return 0 on success; nonzero on failure. */ static int -boot_update_security_counter(uint8_t image_index, int slot, - struct image_header *hdr) +boot_update_security_counter(struct boot_loader_state *state, int slot, int hdr_slot_idx) { const struct flash_area *fap = NULL; uint32_t img_security_cnt; int rc; - rc = flash_area_open(flash_area_id_from_multi_image_slot(image_index, slot), + rc = flash_area_open(flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot), &fap); if (rc != 0) { rc = BOOT_EFLASH; goto done; } - rc = bootutil_get_img_security_cnt(hdr, fap, &img_security_cnt); + rc = bootutil_get_img_security_cnt(state, hdr_slot_idx, fap, &img_security_cnt); if (rc != 0) { goto done; } - rc = boot_nv_security_counter_update(image_index, img_security_cnt); + rc = boot_nv_security_counter_update(BOOT_CURR_IMG(state), img_security_cnt); if (rc != 0) { goto done; } @@ -1160,7 +1161,7 @@ boot_validated_swap_type(struct boot_loader_state *state, /* Boot loader wants to switch to the secondary slot. * Ensure image is valid. */ - FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_SECONDARY_SLOT, bs); + FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_SECONDARY_SLOT, bs, swap_type); if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { if (FIH_EQ(fih_rc, FIH_NO_BOOTABLE_IMAGE)) { swap_type = BOOT_SWAP_TYPE_NONE; @@ -1217,6 +1218,8 @@ static void like_mbedtls_zeroize(void *p, size_t n) * @param off_dst The offset within the destination flash area to * copy to. * @param sz The number of bytes to copy. + * @param sector_off (Swap using offset with encryption only) the + * sector offset for encryption/decryption * * @return 0 on success; nonzero on failure. */ @@ -1436,7 +1439,7 @@ boot_copy_image(struct boot_loader_state *state, struct boot_status *bs) #ifdef MCUBOOT_ENC_IMAGES if (IS_ENCRYPTED(boot_img_hdr(state, BOOT_SECONDARY_SLOT))) { - rc = boot_enc_load(BOOT_CURR_ENC(state), BOOT_SECONDARY_SLOT, + rc = boot_enc_load(state, BOOT_SECONDARY_SLOT, boot_img_hdr(state, BOOT_SECONDARY_SLOT), fap_secondary_slot, bs); @@ -1475,8 +1478,7 @@ boot_copy_image(struct boot_loader_state *state, struct boot_status *bs) * slot's image header must be passed since the image headers in the * boot_data structure have not been updated yet. */ - rc = boot_update_security_counter(BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT, - boot_img_hdr(state, BOOT_SECONDARY_SLOT)); + rc = boot_update_security_counter(state, BOOT_PRIMARY_SLOT, BOOT_SECONDARY_SLOT); if (rc != 0) { BOOT_LOG_ERR("Security counter update failed after image upgrade."); return rc; @@ -1560,7 +1562,7 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs) #ifdef MCUBOOT_ENC_IMAGES if (IS_ENCRYPTED(hdr)) { fap = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT); - rc = boot_enc_load(BOOT_CURR_ENC(state), 0, hdr, fap, bs); + rc = boot_enc_load(state, 0, hdr, fap, bs); assert(rc >= 0); if (rc == 0) { @@ -1584,7 +1586,7 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs) hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); if (IS_ENCRYPTED(hdr)) { fap = BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); - rc = boot_enc_load(BOOT_CURR_ENC(state), 1, hdr, fap, bs); + rc = boot_enc_load(state, 1, hdr, fap, bs); assert(rc >= 0); if (rc == 0) { @@ -1679,7 +1681,7 @@ boot_perform_update(struct boot_loader_state *state, struct boot_status *bs) */ FIH_DECLARE(fih_rc, FIH_FAILURE); rc = boot_check_header_erased(state, BOOT_PRIMARY_SLOT); - FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, bs); + FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, bs, 0); if (rc == 0 || FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { rc = boot_copy_image(state, bs); } else { @@ -1714,10 +1716,7 @@ boot_perform_update(struct boot_loader_state *state, struct boot_status *bs) * revert the images on the next reboot. Therefore, the security * counter must be increased right after the image upgrade. */ - rc = boot_update_security_counter( - BOOT_CURR_IMG(state), - BOOT_PRIMARY_SLOT, - boot_img_hdr(state, BOOT_SECONDARY_SLOT)); + rc = boot_update_security_counter(state, BOOT_PRIMARY_SLOT, BOOT_SECONDARY_SLOT); if (rc != 0) { BOOT_LOG_ERR("Security counter update failed after " "image upgrade."); @@ -1988,7 +1987,7 @@ boot_prepare_image_for_update(struct boot_loader_state *state, BOOT_SWAP_TYPE(state) = boot_validated_swap_type(state, bs); } else { FIH_CALL(boot_validate_slot, fih_rc, - state, BOOT_SECONDARY_SLOT, bs); + state, BOOT_SECONDARY_SLOT, bs, 0); if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_FAIL; } else { @@ -2010,13 +2009,13 @@ boot_prepare_image_for_update(struct boot_loader_state *state, */ rc = boot_check_header_erased(state, BOOT_PRIMARY_SLOT); FIH_CALL(boot_validate_slot, fih_rc, - state, BOOT_PRIMARY_SLOT, bs); + state, BOOT_PRIMARY_SLOT, bs, 0); if (rc == 0 || FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { rc = (boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_magic == IMAGE_MAGIC) ? 1: 0; FIH_CALL(boot_validate_slot, fih_rc, - state, BOOT_SECONDARY_SLOT, bs); + state, BOOT_SECONDARY_SLOT, bs, 0); if (rc == 1 && FIH_EQ(fih_rc, FIH_SUCCESS)) { /* Set swap type to REVERT to overwrite the primary @@ -2060,10 +2059,7 @@ boot_update_hw_rollback_protection(struct boot_loader_state *state) * necessary. */ if (BOOT_SWAP_TYPE(state) == BOOT_SWAP_TYPE_NONE) { - rc = boot_update_security_counter( - BOOT_CURR_IMG(state), - BOOT_PRIMARY_SLOT, - boot_img_hdr(state, BOOT_PRIMARY_SLOT)); + rc = boot_update_security_counter(state, BOOT_PRIMARY_SLOT, BOOT_PRIMARY_SLOT); if (rc != 0) { BOOT_LOG_ERR("Security counter update failed after image " "validation."); @@ -2100,7 +2096,7 @@ check_downgrade_prevention(struct boot_loader_state *state) if (MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER) { /* If there was security no counter in slot 0, allow swap */ - rc = bootutil_get_img_security_cnt(&(BOOT_IMG(state, 0).hdr), + rc = bootutil_get_img_security_cnt(state, BOOT_PRIMARY_SLOT, BOOT_IMG(state, 0).area, &security_counter[0]); if (rc != 0) { @@ -2108,7 +2104,7 @@ check_downgrade_prevention(struct boot_loader_state *state) } /* If there is no security counter in slot 1, or it's lower than * that of slot 0, prevent downgrade */ - rc = bootutil_get_img_security_cnt(&(BOOT_IMG(state, 1).hdr), + rc = bootutil_get_img_security_cnt(state, BOOT_SECONDARY_SLOT, BOOT_IMG(state, 1).area, &security_counter[1]); if (rc != 0 || security_counter[0] > security_counter[1]) { @@ -2374,7 +2370,7 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) } #ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT - FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL); + FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL, 0); /* Check for all possible values is redundant in normal operation it * is meant to prevent FI attack. */ @@ -2786,7 +2782,7 @@ boot_load_and_validate_images(struct boot_loader_state *state) } #endif /* MCUBOOT_RAM_LOAD */ - FIH_CALL(boot_validate_slot, fih_rc, state, active_slot, NULL); + FIH_CALL(boot_validate_slot, fih_rc, state, active_slot, NULL, 0); if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { /* Image is invalid. */ #ifdef MCUBOOT_RAM_LOAD @@ -2829,9 +2825,9 @@ boot_update_hw_rollback_protection(struct boot_loader_state *state) */ if (state->slot_usage[BOOT_CURR_IMG(state)].swap_state.image_ok == BOOT_FLAG_SET) { #endif - rc = boot_update_security_counter(BOOT_CURR_IMG(state), + rc = boot_update_security_counter(state, state->slot_usage[BOOT_CURR_IMG(state)].active_slot, - boot_img_hdr(state, state->slot_usage[BOOT_CURR_IMG(state)].active_slot)); + state->slot_usage[BOOT_CURR_IMG(state)].active_slot); if (rc != 0) { BOOT_LOG_ERR("Security counter update failed after image %d validation.", BOOT_CURR_IMG(state)); return rc; diff --git a/boot/bootutil/src/ram_load.c b/boot/bootutil/src/ram_load.c index 72255367a..dd74052a3 100644 --- a/boot/bootutil/src/ram_load.c +++ b/boot/bootutil/src/ram_load.c @@ -153,7 +153,7 @@ boot_decrypt_and_copy_image_to_sram(struct boot_loader_state *state, goto done; } - rc = boot_enc_load(BOOT_CURR_ENC(state), slot, hdr, fap_src, &bs); + rc = boot_enc_load(state, slot, hdr, fap_src, &bs); if (rc < 0) { goto done; } diff --git a/boot/mynewt/src/single_loader.c b/boot/mynewt/src/single_loader.c index 564d7489e..394fc372a 100644 --- a/boot/mynewt/src/single_loader.c +++ b/boot/mynewt/src/single_loader.c @@ -51,7 +51,7 @@ boot_image_validate(const struct flash_area *fa_p, */ hdr->ih_flags &= ~(ENCRYPTIONFLAGS); } - FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, hdr, fa_p, tmpbuf, + FIH_CALL(bootutil_img_validate, fih_rc, NULL, hdr, fa_p, tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, NULL); FIH_RET(fih_rc); diff --git a/boot/zephyr/firmware_loader.c b/boot/zephyr/firmware_loader.c index 11b461c41..d0f70af4a 100644 --- a/boot/zephyr/firmware_loader.c +++ b/boot/zephyr/firmware_loader.c @@ -55,7 +55,7 @@ boot_image_validate(const struct flash_area *fa_p, */ hdr->ih_flags &= ~(ENCRYPTIONFLAGS); } - FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, hdr, fa_p, tmpbuf, + FIH_CALL(bootutil_img_validate, fih_rc, NULL, hdr, fa_p, tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, NULL); FIH_RET(fih_rc); diff --git a/boot/zephyr/single_loader.c b/boot/zephyr/single_loader.c index 03b61d4bd..f4122783c 100644 --- a/boot/zephyr/single_loader.c +++ b/boot/zephyr/single_loader.c @@ -53,7 +53,7 @@ boot_image_validate(const struct flash_area *fa_p, */ hdr->ih_flags &= ~(ENCRYPTIONFLAGS); } - FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, hdr, fa_p, tmpbuf, + FIH_CALL(bootutil_img_validate, fih_rc, NULL, hdr, fa_p, tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, NULL); FIH_RET(fih_rc); From 4af73169506609e37aa40aa0278af409b439798f Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Thu, 2 Jan 2025 11:09:57 +0000 Subject: [PATCH 026/228] boot: bootutil: Add swap using offset algorithm Adds a new variation of the swap using move mode, named swap using offset, whereby instead of moving all the sectors in the primary image, the sectors in the secondary image are offset instead. This fastens image swapping time both for updates and reverts as each sector in both slots is erased only once, which also reduces flash wear, and uses less swap status bits to represent Signed-off-by: Jamie McCrae --- boot/bootutil/include/bootutil/boot_status.h | 1 + boot/bootutil/include/bootutil/bootutil.h | 2 + .../include/bootutil/bootutil_public.h | 2 +- boot/bootutil/include/bootutil/caps.h | 1 + boot/bootutil/include/bootutil/image.h | 3 + boot/bootutil/src/boot_record.c | 5 + boot/bootutil/src/bootutil_misc.c | 3 +- boot/bootutil/src/bootutil_priv.h | 25 +- boot/bootutil/src/bootutil_public.c | 32 +- boot/bootutil/src/caps.c | 2 + boot/bootutil/src/encrypted.c | 4 + boot/bootutil/src/image_validate.c | 22 + boot/bootutil/src/loader.c | 83 +- boot/bootutil/src/swap_misc.c | 4 +- boot/bootutil/src/swap_offset.c | 785 ++++++++++++++++++ boot/bootutil/src/swap_priv.h | 8 +- boot/bootutil/src/swap_scratch.c | 4 +- boot/bootutil/src/tlv.c | 6 + 18 files changed, 975 insertions(+), 17 deletions(-) create mode 100644 boot/bootutil/src/swap_offset.c diff --git a/boot/bootutil/include/bootutil/boot_status.h b/boot/bootutil/include/bootutil/boot_status.h index fddcc4bc2..91f266bc7 100644 --- a/boot/bootutil/include/bootutil/boot_status.h +++ b/boot/bootutil/include/bootutil/boot_status.h @@ -130,6 +130,7 @@ enum mcuboot_mode { MCUBOOT_MODE_RAM_LOAD, MCUBOOT_MODE_FIRMWARE_LOADER, MCUBOOT_MODE_SINGLE_SLOT_RAM_LOAD, + MCUBOOT_MODE_SWAP_USING_OFFSET, }; enum mcuboot_signature_type { diff --git a/boot/bootutil/include/bootutil/bootutil.h b/boot/bootutil/include/bootutil/bootutil.h index 070adaf43..cea5689b9 100644 --- a/boot/bootutil/include/bootutil/bootutil.h +++ b/boot/bootutil/include/bootutil/bootutil.h @@ -90,6 +90,8 @@ struct boot_loader_state; void boot_state_clear(struct boot_loader_state *state); fih_ret context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp); const struct image_max_size *boot_get_max_app_size(void); +uint32_t boot_get_state_secondary_offset(struct boot_loader_state *state, + const struct flash_area *fap); #define SPLIT_GO_OK (0) #define SPLIT_GO_NON_MATCHING (-1) diff --git a/boot/bootutil/include/bootutil/bootutil_public.h b/boot/bootutil/include/bootutil/bootutil_public.h index b2d5a5de8..ffd263591 100644 --- a/boot/bootutil/include/bootutil/bootutil_public.h +++ b/boot/bootutil/include/bootutil/bootutil_public.h @@ -85,7 +85,7 @@ extern "C" { #ifdef MCUBOOT_BOOT_MAX_ALIGN -#if defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_SCRATCH) +#if defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_OFFSET) _Static_assert(MCUBOOT_BOOT_MAX_ALIGN >= 8 && MCUBOOT_BOOT_MAX_ALIGN <= 32, "Unsupported value for MCUBOOT_BOOT_MAX_ALIGN for SWAP upgrade modes"); #endif diff --git a/boot/bootutil/include/bootutil/caps.h b/boot/bootutil/include/bootutil/caps.h index f4ff37334..3227f7e49 100644 --- a/boot/bootutil/include/bootutil/caps.h +++ b/boot/bootutil/include/bootutil/caps.h @@ -53,6 +53,7 @@ uint32_t bootutil_get_caps(void); #define BOOTUTIL_CAP_DIRECT_XIP (1<<17) #define BOOTUTIL_CAP_HW_ROLLBACK_PROT (1<<18) #define BOOTUTIL_CAP_ECDSA_P384 (1<<19) +#define BOOTUTIL_CAP_SWAP_USING_OFFSET (1<<20) /* * Query the number of images this bootloader is configured for. This diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h index bbf3d3eca..f6b660fe4 100644 --- a/boot/bootutil/include/bootutil/image.h +++ b/boot/bootutil/include/bootutil/image.h @@ -211,6 +211,9 @@ struct image_tlv_iter { uint32_t prot_end; uint32_t tlv_off; uint32_t tlv_end; +#if defined(MCUBOOT_SWAP_USING_OFFSET) + uint32_t start_off; +#endif }; int bootutil_tlv_iter_begin(struct image_tlv_iter *it, diff --git a/boot/bootutil/src/boot_record.c b/boot/bootutil/src/boot_record.c index d6c235af9..3ab704ef2 100644 --- a/boot/bootutil/src/boot_record.c +++ b/boot/bootutil/src/boot_record.c @@ -143,6 +143,9 @@ boot_save_boot_status(uint8_t sw_module, /* Manifest data is concatenated to the end of the image. * It is encoded in TLV format. */ +#if defined(MCUBOOT_SWAP_USING_OFFSET) + it.start_off = 0; +#endif rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false); if (rc) { @@ -249,6 +252,8 @@ int boot_save_shared_data(const struct image_header *hdr, const struct flash_are uint8_t mode = MCUBOOT_MODE_UPGRADE_ONLY; #elif defined(MCUBOOT_SWAP_USING_MOVE) uint8_t mode = MCUBOOT_MODE_SWAP_USING_MOVE; +#elif defined(MCUBOOT_SWAP_USING_OFFSET) + uint8_t mode = MCUBOOT_MODE_SWAP_USING_OFFSET; #elif defined(MCUBOOT_DIRECT_XIP) #if defined(MCUBOOT_DIRECT_XIP_REVERT) uint8_t mode = MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT; diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c index 56859d515..97b1e94fe 100644 --- a/boot/bootutil/src/bootutil_misc.c +++ b/boot/bootutil/src/bootutil_misc.c @@ -336,7 +336,7 @@ uint32_t bootutil_max_image_size(const struct flash_area *fap) #if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SINGLE_APPLICATION_SLOT) || \ defined(MCUBOOT_FIRMWARE_LOADER) || defined(MCUBOOT_SINGLE_APPLICATION_SLOT_RAM_LOAD) return boot_status_off(fap); -#elif defined(MCUBOOT_SWAP_USING_MOVE) +#elif defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) struct flash_sector sector; /* get the last sector offset */ int rc = flash_area_get_sector(fap, boot_status_off(fap), §or); @@ -361,6 +361,7 @@ uint32_t bootutil_max_image_size(const struct flash_area *fap) * the TLVs. */ #if !defined(MCUBOOT_DIRECT_XIP) && \ + !defined(MCUBOOT_SWAP_USING_OFFSET) && \ (!defined(MCUBOOT_OVERWRITE_ONLY) || \ defined(MCUBOOT_OVERWRITE_ONLY_FAST)) int diff --git a/boot/bootutil/src/bootutil_priv.h b/boot/bootutil/src/bootutil_priv.h index 5703f627a..bb8a79cc4 100644 --- a/boot/bootutil/src/bootutil_priv.h +++ b/boot/bootutil/src/bootutil_priv.h @@ -58,11 +58,12 @@ struct flash_area; #if (defined(MCUBOOT_OVERWRITE_ONLY) + \ defined(MCUBOOT_SWAP_USING_MOVE) + \ + defined(MCUBOOT_SWAP_USING_OFFSET) + \ defined(MCUBOOT_DIRECT_XIP) + \ defined(MCUBOOT_RAM_LOAD) + \ defined(MCUBOOT_FIRMWARE_LOADER) + \ defined(MCUBOOT_SWAP_USING_SCRATCH)) > 1 -#error "Please enable only one of MCUBOOT_OVERWRITE_ONLY, MCUBOOT_SWAP_USING_MOVE, MCUBOOT_DIRECT_XIP, MCUBOOT_RAM_LOAD or MCUBOOT_FIRMWARE_LOADER" +#error "Please enable only one of MCUBOOT_OVERWRITE_ONLY, MCUBOOT_SWAP_USING_MOVE, MCUBOOT_SWAP_USING_OFFSET, MCUBOOT_DIRECT_XIP, MCUBOOT_RAM_LOAD or MCUBOOT_FIRMWARE_LOADER" #endif #if !defined(MCUBOOT_DIRECT_XIP) && \ @@ -72,6 +73,7 @@ struct flash_area; #if !defined(MCUBOOT_OVERWRITE_ONLY) && \ !defined(MCUBOOT_SWAP_USING_MOVE) && \ + !defined(MCUBOOT_SWAP_USING_OFFSET) && \ !defined(MCUBOOT_DIRECT_XIP) && \ !defined(MCUBOOT_RAM_LOAD) && \ !defined(MCUBOOT_SINGLE_APPLICATION_SLOT) && \ @@ -79,8 +81,12 @@ struct flash_area; #define MCUBOOT_SWAP_USING_SCRATCH 1 #endif +#if defined(MCUBOOT_SWAP_USING_OFFSET) +#define BOOT_STATUS_OP_SWAP 1 +#else #define BOOT_STATUS_OP_MOVE 1 #define BOOT_STATUS_OP_SWAP 2 +#endif /* * Maintain state of copy progress. @@ -196,6 +202,9 @@ _Static_assert(sizeof(boot_img_magic) == BOOT_MAGIC_SZ, "Invalid size for image #define BOOT_STATUS_MOVE_STATE_COUNT 1 #define BOOT_STATUS_SWAP_STATE_COUNT 2 #define BOOT_STATUS_STATE_COUNT (BOOT_STATUS_MOVE_STATE_COUNT + BOOT_STATUS_SWAP_STATE_COUNT) +#elif MCUBOOT_SWAP_USING_OFFSET +#define BOOT_STATUS_SWAP_STATE_COUNT 2 +#define BOOT_STATUS_STATE_COUNT BOOT_STATUS_SWAP_STATE_COUNT #else #define BOOT_STATUS_STATE_COUNT 3 #endif @@ -241,6 +250,13 @@ struct boot_loader_state { uint8_t swap_type[BOOT_IMAGE_NUMBER]; uint32_t write_sz; +#if defined(MCUBOOT_SWAP_USING_OFFSET) + uint32_t secondary_offset[BOOT_IMAGE_NUMBER]; +#if defined(MCUBOOT_BOOTSTRAP) + bool bootstrap_secondary_offset_set[BOOT_IMAGE_NUMBER]; +#endif +#endif + #if defined(MCUBOOT_ENC_IMAGES) struct enc_key_data enc[BOOT_IMAGE_NUMBER][BOOT_NUM_SLOTS]; #endif @@ -307,10 +323,17 @@ int boot_slots_compatible(struct boot_loader_state *state); uint32_t boot_status_internal_off(const struct boot_status *bs, int elem_sz); int boot_read_image_header(struct boot_loader_state *state, int slot, struct image_header *out_hdr, struct boot_status *bs); +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_ENC_IMAGES) +int boot_copy_region(struct boot_loader_state *state, + const struct flash_area *fap_src, + const struct flash_area *fap_dst, + uint32_t off_src, uint32_t off_dst, uint32_t sz, uint32_t sector_off); +#else int boot_copy_region(struct boot_loader_state *state, const struct flash_area *fap_src, const struct flash_area *fap_dst, uint32_t off_src, uint32_t off_dst, uint32_t sz); +#endif int boot_erase_region(const struct flash_area *fap, uint32_t off, uint32_t sz); bool boot_status_is_reset(const struct boot_status *bs); diff --git a/boot/bootutil/src/bootutil_public.c b/boot/bootutil/src/bootutil_public.c index ee3e50619..102118864 100644 --- a/boot/bootutil/src/bootutil_public.c +++ b/boot/bootutil/src/bootutil_public.c @@ -4,7 +4,7 @@ * Copyright (c) 2017-2019 Linaro LTD * Copyright (c) 2016-2019 JUUL Labs * Copyright (c) 2019-2023 Arm Limited - * Copyright (c) 2020-2023 Nordic Semiconductor ASA + * Copyright (c) 2020-2025 Nordic Semiconductor ASA * * Original license: * @@ -84,6 +84,9 @@ struct boot_swap_table { uint8_t image_ok_primary_slot; uint8_t image_ok_secondary_slot; uint8_t copy_done_primary_slot; +#if defined(MCUBOOT_SWAP_USING_OFFSET) + uint8_t copy_done_secondary_slot; +#endif uint8_t swap_type; }; @@ -100,12 +103,26 @@ struct boot_swap_table { * the bootloader, as in starting/finishing a swap operation. */ static const struct boot_swap_table boot_swap_tables[] = { +#if defined(MCUBOOT_SWAP_USING_OFFSET) + { + .magic_primary_slot = BOOT_MAGIC_ANY, + .magic_secondary_slot = BOOT_MAGIC_GOOD, + .image_ok_primary_slot = BOOT_FLAG_ANY, + .image_ok_secondary_slot = BOOT_FLAG_UNSET, + .copy_done_primary_slot = BOOT_FLAG_ANY, + .copy_done_secondary_slot = BOOT_FLAG_SET, + .swap_type = BOOT_SWAP_TYPE_REVERT, + }, +#endif { .magic_primary_slot = BOOT_MAGIC_ANY, .magic_secondary_slot = BOOT_MAGIC_GOOD, .image_ok_primary_slot = BOOT_FLAG_ANY, .image_ok_secondary_slot = BOOT_FLAG_UNSET, .copy_done_primary_slot = BOOT_FLAG_ANY, +#if defined(MCUBOOT_SWAP_USING_OFFSET) + .copy_done_secondary_slot = BOOT_FLAG_ANY, +#endif .swap_type = BOOT_SWAP_TYPE_TEST, }, { @@ -114,6 +131,9 @@ static const struct boot_swap_table boot_swap_tables[] = { .image_ok_primary_slot = BOOT_FLAG_ANY, .image_ok_secondary_slot = BOOT_FLAG_SET, .copy_done_primary_slot = BOOT_FLAG_ANY, +#if defined(MCUBOOT_SWAP_USING_OFFSET) + .copy_done_secondary_slot = BOOT_FLAG_ANY, +#endif .swap_type = BOOT_SWAP_TYPE_PERM, }, { @@ -122,6 +142,9 @@ static const struct boot_swap_table boot_swap_tables[] = { .image_ok_primary_slot = BOOT_FLAG_UNSET, .image_ok_secondary_slot = BOOT_FLAG_ANY, .copy_done_primary_slot = BOOT_FLAG_SET, +#if defined(MCUBOOT_SWAP_USING_OFFSET) + .copy_done_secondary_slot = BOOT_FLAG_ANY, +#endif .swap_type = BOOT_SWAP_TYPE_REVERT, }, }; @@ -439,7 +462,12 @@ boot_swap_type_multi(int image_index) (table->image_ok_secondary_slot == BOOT_FLAG_ANY || table->image_ok_secondary_slot == secondary_slot.image_ok) && (table->copy_done_primary_slot == BOOT_FLAG_ANY || - table->copy_done_primary_slot == primary_slot.copy_done)) { + table->copy_done_primary_slot == primary_slot.copy_done) +#if defined(MCUBOOT_SWAP_USING_OFFSET) + && (table->copy_done_secondary_slot == BOOT_FLAG_ANY || + table->copy_done_secondary_slot == secondary_slot.copy_done) +#endif + ) { BOOT_LOG_INF("Image index: %d, Swap type: %s", image_index, table->swap_type == BOOT_SWAP_TYPE_TEST ? "test" : table->swap_type == BOOT_SWAP_TYPE_PERM ? "perm" : diff --git a/boot/bootutil/src/caps.c b/boot/bootutil/src/caps.c index d7cd59042..f1cf63c15 100644 --- a/boot/bootutil/src/caps.c +++ b/boot/bootutil/src/caps.c @@ -45,6 +45,8 @@ uint32_t bootutil_get_caps(void) res |= BOOTUTIL_CAP_OVERWRITE_UPGRADE; #elif defined(MCUBOOT_SWAP_USING_MOVE) res |= BOOTUTIL_CAP_SWAP_USING_MOVE; +#elif defined(MCUBOOT_SWAP_USING_OFFSET) + res |= BOOTUTIL_CAP_SWAP_USING_OFFSET; #else res |= BOOTUTIL_CAP_SWAP_USING_SCRATCH; #endif diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c index 6b9cb3291..cbf81233c 100644 --- a/boot/bootutil/src/encrypted.c +++ b/boot/bootutil/src/encrypted.c @@ -655,6 +655,10 @@ boot_enc_load(struct boot_loader_state *state, int slot, /* Initialize the AES context */ boot_enc_init(enc_state, slot); +#if defined(MCUBOOT_SWAP_USING_OFFSET) + it.start_off = boot_get_state_secondary_offset(state, fap); +#endif + rc = bootutil_tlv_iter_begin(&it, hdr, fap, EXPECTED_ENC_TLV, false); if (rc) { return -1; diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index d844eb525..609eaa3c1 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -84,6 +84,9 @@ bootutil_img_hash(struct boot_loader_state *state, struct enc_key_data *enc_state; int image_index; #endif +#if defined(MCUBOOT_SWAP_USING_OFFSET) + uint32_t sector_off = 0; +#endif #if (BOOT_IMAGE_NUMBER == 1) || !defined(MCUBOOT_ENC_IMAGES) || \ defined(MCUBOOT_RAM_LOAD) @@ -117,6 +120,13 @@ bootutil_img_hash(struct boot_loader_state *state, } #endif +#if defined(MCUBOOT_SWAP_USING_OFFSET) + /* For swap using offset mode, the image starts in the second sector of the upgrade slot, so + * apply the offset when this is needed + */ + sector_off = boot_get_state_secondary_offset(state, fap); +#endif + bootutil_sha_init(&sha_ctx); /* in some cases (split image) the hash is seeded with data from @@ -162,7 +172,11 @@ bootutil_img_hash(struct boot_loader_state *state, blk_sz = tlv_off - off; } #endif +#if defined(MCUBOOT_SWAP_USING_OFFSET) + rc = flash_area_read(fap, off + sector_off, tmp_buf, blk_sz); +#else rc = flash_area_read(fap, off, tmp_buf, blk_sz); +#endif if (rc) { bootutil_sha_drop(&sha_ctx); return rc; @@ -350,6 +364,10 @@ bootutil_get_img_security_cnt(struct boot_loader_state *state, int slot, return BOOT_EBADIMAGE; } +#if defined(MCUBOOT_SWAP_USING_OFFSET) + it.start_off = boot_get_state_secondary_offset(state, fap); +#endif + rc = bootutil_tlv_iter_begin(&it, boot_img_hdr(state, slot), fap, IMAGE_TLV_SEC_CNT, true); if (rc) { return rc; @@ -508,6 +526,10 @@ bootutil_img_validate(struct boot_loader_state *state, } #endif +#if defined(MCUBOOT_SWAP_USING_OFFSET) + it.start_off = boot_get_state_secondary_offset(state, fap); +#endif + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false); if (rc) { goto out; diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index d86984bb5..b0f137a21 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -110,6 +110,14 @@ static struct sector_buffer_t sector_buffers; #define BUF_SZ 1024 #endif +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_ENC_IMAGES) +#define BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_off) \ + boot_copy_region(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_off) +#else +#define BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_off) \ + boot_copy_region(state, fap_pri, fap_sec, pri_off, sec_off, sz) +#endif + static int boot_read_image_headers(struct boot_loader_state *state, bool require_all, struct boot_status *bs) @@ -545,6 +553,10 @@ boot_verify_slot_dependencies(struct boot_loader_state *state, uint32_t slot) goto done; } +#if defined(MCUBOOT_SWAP_USING_OFFSET) + it.start_off = boot_get_state_secondary_offset(state, fap); +#endif + rc = bootutil_tlv_iter_begin(&it, boot_img_hdr(state, slot), fap, IMAGE_TLV_DEPENDENCY, true); if (rc != 0) { @@ -669,7 +681,11 @@ boot_status_reset(struct boot_status *bs) bs->swap_size = 0; bs->source = 0; +#if defined(MCUBOOT_SWAP_USING_OFFSET) + bs->op = BOOT_STATUS_OP_SWAP; +#else bs->op = BOOT_STATUS_OP_MOVE; +#endif bs->idx = BOOT_STATUS_IDX_0; bs->state = BOOT_STATUS_STATE_0; bs->swap_type = BOOT_SWAP_TYPE_NONE; @@ -678,7 +694,12 @@ boot_status_reset(struct boot_status *bs) bool boot_status_is_reset(const struct boot_status *bs) { - return (bs->op == BOOT_STATUS_OP_MOVE && + return ( +#if defined(MCUBOOT_SWAP_USING_OFFSET) + bs->op == BOOT_STATUS_OP_SWAP && +#else + bs->op == BOOT_STATUS_OP_MOVE && +#endif bs->idx == BOOT_STATUS_IDX_0 && bs->state == BOOT_STATUS_STATE_0); } @@ -980,7 +1001,9 @@ boot_validate_slot(struct boot_loader_state *state, int slot, FIH_DECLARE(fih_rc, FIH_FAILURE); int rc; +#if !defined(MCUBOOT_SWAP_USING_OFFSET) (void)expected_swap_type; +#endif area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); rc = flash_area_open(area_id, &fap); @@ -992,7 +1015,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, if (boot_check_header_erased(state, slot) == 0 || (hdr->ih_flags & IMAGE_F_NON_BOOTABLE)) { -#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) +#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) /* * This fixes an issue where an image might be erased, but a trailer * be left behind. It can happen if the image is in the secondary slot @@ -1013,6 +1036,26 @@ boot_validate_slot(struct boot_loader_state *state, int slot, goto out; } +#if defined(MCUBOOT_SWAP_USING_OFFSET) + if (slot != BOOT_PRIMARY_SLOT && boot_status_is_reset(bs) && + (expected_swap_type == BOOT_SWAP_TYPE_TEST || expected_swap_type == BOOT_SWAP_TYPE_PERM)) { + /* Check first sector to see if there is a magic header here, if so the update has likely + * been loaded to the wrong sector and cannot be used + */ + struct image_header first_sector_hdr; + + if (flash_area_read(fap, 0, &first_sector_hdr, sizeof(first_sector_hdr))) { + FIH_RET(fih_rc); + } + + if (first_sector_hdr.ih_magic == IMAGE_MAGIC) { + BOOT_LOG_ERR("Secondary header magic detected in first sector, wrong upload address?"); + fih_rc = FIH_NO_BOOTABLE_IMAGE; + goto check_validity; + } + } +#endif + #if defined(MCUBOOT_OVERWRITE_ONLY) && defined(MCUBOOT_DOWNGRADE_PREVENTION) if (slot != BOOT_PRIMARY_SLOT) { /* Check if version of secondary slot is sufficient */ @@ -1039,6 +1082,9 @@ boot_validate_slot(struct boot_loader_state *state, int slot, FIH_CALL(boot_image_check, fih_rc, state, hdr, fap, bs); } } +#if defined(MCUBOOT_SWAP_USING_OFFSET) +check_validity: +#endif if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { if ((slot != BOOT_PRIMARY_SLOT) || ARE_SLOTS_EQUIVALENT()) { flash_area_erase(fap, 0, flash_area_get_size(fap)); @@ -1224,10 +1270,17 @@ static void like_mbedtls_zeroize(void *p, size_t n) * @return 0 on success; nonzero on failure. */ int +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_ENC_IMAGES) +boot_copy_region(struct boot_loader_state *state, + const struct flash_area *fap_src, + const struct flash_area *fap_dst, + uint32_t off_src, uint32_t off_dst, uint32_t sz, uint32_t sector_off) +#else boot_copy_region(struct boot_loader_state *state, const struct flash_area *fap_src, const struct flash_area *fap_dst, uint32_t off_src, uint32_t off_dst, uint32_t sz) +#endif { uint32_t bytes_copied; int chunk_sz; @@ -1296,7 +1349,11 @@ boot_copy_region(struct boot_loader_state *state, /* If only copy, then does not matter if header indicates need for * encryptio/decryptio, we just copy data. */ if (!only_copy && IS_ENCRYPTED(hdr)) { +#if defined(MCUBOOT_SWAP_USING_OFFSET) + uint32_t abs_off = off - sector_off + bytes_copied; +#else uint32_t abs_off = off + bytes_copied; +#endif if (abs_off < hdr->ih_hdr_size) { /* do not decrypt header */ if (abs_off + chunk_sz > hdr->ih_hdr_size) { @@ -1454,7 +1511,12 @@ boot_copy_image(struct boot_loader_state *state, struct boot_status *bs) BOOT_LOG_INF("Image %d copying the secondary slot to the primary slot: 0x%zx bytes", image_index, size); +#if defined(MCUBOOT_SWAP_USING_OFFSET) + rc = BOOT_COPY_REGION(state, fap_secondary_slot, fap_primary_slot, + boot_img_sector_size(state, BOOT_SECONDARY_SLOT, 0), 0, size, 0); +#else rc = boot_copy_region(state, fap_secondary_slot, fap_primary_slot, 0, 0, size); +#endif if (rc != 0) { return rc; } @@ -1920,7 +1982,7 @@ boot_prepare_image_for_update(struct boot_loader_state *state, } #endif -#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) +#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) /* * Must re-read image headers because the boot status might * have been updated in the previous function call. @@ -2090,7 +2152,7 @@ static int check_downgrade_prevention(struct boot_loader_state *state) { #if defined(MCUBOOT_DOWNGRADE_PREVENTION) && \ - (defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_SCRATCH)) + (defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_OFFSET)) uint32_t security_counter[2]; int rc; @@ -3074,3 +3136,16 @@ const struct image_max_size *boot_get_max_app_size(void) return image_max_sizes; } #endif + +#if defined(MCUBOOT_SWAP_USING_OFFSET) +uint32_t boot_get_state_secondary_offset(struct boot_loader_state *state, + const struct flash_area *fap) +{ + if (state != NULL && flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), + BOOT_SECONDARY_SLOT) == fap->fa_id) { + return state->secondary_offset[BOOT_CURR_IMG(state)]; + } + + return 0; +} +#endif diff --git a/boot/bootutil/src/swap_misc.c b/boot/bootutil/src/swap_misc.c index 733a39744..b1ce44119 100644 --- a/boot/bootutil/src/swap_misc.c +++ b/boot/bootutil/src/swap_misc.c @@ -30,7 +30,7 @@ BOOT_LOG_MODULE_DECLARE(mcuboot); -#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) +#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) int swap_erase_trailer_sectors(const struct boot_loader_state *state, const struct flash_area *fap) @@ -231,4 +231,4 @@ swap_set_image_ok(uint8_t image_index) } -#endif /* defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) */ +#endif /* defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) */ diff --git a/boot/bootutil/src/swap_offset.c b/boot/bootutil/src/swap_offset.c new file mode 100644 index 000000000..7664df929 --- /dev/null +++ b/boot/bootutil/src/swap_offset.c @@ -0,0 +1,785 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * Copyright (c) 2019 JUUL Labs + * Copyright (c) 2025 Nordic Semiconductor ASA + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include +#include +#include +#include "bootutil/bootutil.h" +#include "bootutil_priv.h" +#include "swap_priv.h" +#include "bootutil/bootutil_log.h" + +#include "mcuboot_config/mcuboot_config.h" + +BOOT_LOG_MODULE_DECLARE(mcuboot); + +#ifdef MCUBOOT_SWAP_USING_OFFSET + +#if defined(MCUBOOT_VALIDATE_PRIMARY_SLOT) +/* + * FIXME: this might have to be updated for threaded sim + */ +int boot_status_fails = 0; +#define BOOT_STATUS_ASSERT(x) \ + do { \ + if (!(x)) { \ + boot_status_fails++; \ + } \ + } while (0) +#else +#define BOOT_STATUS_ASSERT(x) ASSERT(x) +#endif + +#if defined(MCUBOOT_ENC_IMAGES) +#define BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_off) \ + boot_copy_region(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_off) +#else +#define BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_off) \ + boot_copy_region(state, fap_pri, fap_sec, pri_off, sec_off, sz) +#endif + +uint32_t find_last_idx(struct boot_loader_state *state, uint32_t swap_size) +{ + uint32_t sector_sz; + uint32_t sz; + uint32_t last_idx; + + sector_sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, 0); + sz = 0; + last_idx = 0; + + while (1) { + sz += sector_sz; + last_idx++; + if (sz >= swap_size) { + break; + } + } + + return last_idx; +} + +int boot_read_image_header(struct boot_loader_state *state, int slot, + struct image_header *out_hdr, struct boot_status *bs) +{ + const struct flash_area *fap; + uint32_t off = 0; + uint32_t sz; + uint32_t last_idx; + uint32_t swap_size; + int area_id; + int rc; + bool check_other_sector = true; + +#if (BOOT_IMAGE_NUMBER == 1) + (void)state; +#endif + + if (bs == NULL) { + area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); + + if (slot == BOOT_SECONDARY_SLOT && + boot_swap_type_multi(BOOT_CURR_IMG(state)) != BOOT_SWAP_TYPE_REVERT) { + off = boot_img_sector_size(state, BOOT_SECONDARY_SLOT, 0); + } + } else { + if (!boot_status_is_reset(bs)) { + check_other_sector = false; + boot_find_status(BOOT_CURR_IMG(state), &fap); + + if (fap == NULL || boot_read_swap_size(fap, &swap_size)) { + rc = BOOT_EFLASH; + goto done; + } + + flash_area_close(fap); + last_idx = find_last_idx(state, swap_size); + sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, 0); + + /* + * Find the correct offset or slot where the image header is expected to + * be found for the steps where it is moved or swapped. + */ + if (bs->swap_type == BOOT_SWAP_TYPE_REVERT || + boot_swap_type_multi(BOOT_CURR_IMG(state)) == BOOT_SWAP_TYPE_REVERT) { + if (slot == 0) { + if (((bs->idx - BOOT_STATUS_IDX_0) > last_idx || + ((bs->idx - BOOT_STATUS_IDX_0) == last_idx && + bs->state == BOOT_STATUS_STATE_1))) { + slot = 1; + off = sz; + } else { + slot = 0; + off = 0; + } + } else if (slot == 1) { + if ((bs->idx - BOOT_STATUS_IDX_0) > last_idx || + ((bs->idx - BOOT_STATUS_IDX_0) == last_idx && + bs->state == BOOT_STATUS_STATE_2)) { + slot = 0; + off = 0; + } else { + slot = 1; + off = 0; + } + } + } else { + if (slot == 0) { + if ((bs->idx > BOOT_STATUS_IDX_0 || + (bs->idx == BOOT_STATUS_IDX_0 && bs->state == BOOT_STATUS_STATE_1)) && + bs->idx <= last_idx) { + slot = 1; + off = 0; + } else { + slot = 0; + off = 0; + } + } else if (slot == 1) { + if (bs->idx > BOOT_STATUS_IDX_0) { + slot = 0; + off = 0; + } else { + slot = 1; + off = sz; + } + } + } + + area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); + } else { + area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); + + if (bs->swap_type == BOOT_SWAP_TYPE_REVERT || + boot_swap_type_multi(BOOT_CURR_IMG(state)) == BOOT_SWAP_TYPE_REVERT) { + off = 0; + } + else if (slot == BOOT_SECONDARY_SLOT) { + off = boot_img_sector_size(state, BOOT_SECONDARY_SLOT, 0); + } + } + } + + rc = flash_area_open(area_id, &fap); + if (rc != 0) { + rc = BOOT_EFLASH; + goto done; + } + + rc = flash_area_read(fap, off, out_hdr, sizeof *out_hdr); + if (rc != 0) { + rc = BOOT_EFLASH; + goto done; + } + + if (check_other_sector == true && out_hdr->ih_magic != IMAGE_MAGIC && + slot == BOOT_SECONDARY_SLOT) { + if (boot_swap_type_multi(BOOT_CURR_IMG(state)) != BOOT_SWAP_TYPE_REVERT) { + off = 0; + } else { + off = boot_img_sector_size(state, BOOT_SECONDARY_SLOT, 0); + } + + rc = flash_area_read(fap, off, out_hdr, sizeof(*out_hdr)); + if (rc != 0) { + rc = BOOT_EFLASH; + goto done; + } + } + +#if defined(MCUBOOT_BOOTSTRAP) + if (out_hdr->ih_magic == IMAGE_MAGIC && (bs != NULL || state->bootstrap_secondary_offset_set[ + BOOT_CURR_IMG(state)] == false) && + slot == BOOT_SECONDARY_SLOT) { + state->bootstrap_secondary_offset_set[BOOT_CURR_IMG(state)] = true; +#else + if (out_hdr->ih_magic == IMAGE_MAGIC && bs != NULL && slot == BOOT_SECONDARY_SLOT) { +#endif + state->secondary_offset[BOOT_CURR_IMG(state)] = off; + } + + /* We only know where the headers are located when bs is valid */ + if (bs != NULL && out_hdr->ih_magic != IMAGE_MAGIC) { + rc = -1; + goto done; + } + + rc = 0; + +done: + flash_area_close(fap); + return rc; +} + +int swap_read_status_bytes(const struct flash_area *fap, struct boot_loader_state *state, + struct boot_status *bs) +{ + uint32_t off; + uint8_t status; + int max_entries; + int found_idx; + uint8_t write_sz; + int rc; + int last_rc; + int erased_sections; + int i; + + max_entries = boot_status_entries(BOOT_CURR_IMG(state), fap); + + if (max_entries < 0) { + return BOOT_EBADARGS; + } + + erased_sections = 0; + found_idx = -1; + /* Skip erased sectors at the end */ + last_rc = 1; + write_sz = BOOT_WRITE_SZ(state); + off = boot_status_off(fap); + for (i = max_entries; i > 0; i--) { + rc = flash_area_read(fap, off + (i - 1) * write_sz, &status, 1); + if (rc < 0) { + return BOOT_EFLASH; + } + + if (bootutil_buffer_is_erased(fap, &status, 1)) { + if (rc != last_rc) { + erased_sections++; + } + } else { + if (found_idx == -1) { + found_idx = i; + } + } + last_rc = rc; + } + + if (erased_sections > 1) { + /* This means there was an error writing status on the last swap. Tell user and move on + * to validation! + */ +#if !defined(__BOOTSIM__) + BOOT_LOG_ERR("Detected inconsistent status!"); +#endif + +#if !defined(MCUBOOT_VALIDATE_PRIMARY_SLOT) + /* With validation of the primary slot disabled, there is no way to be sure the swapped + * primary slot is OK, so abort! + */ + assert(0); +#endif + } + + if (found_idx == -1) { + /* no swap status found; nothing to do */ + } else { + bs->op = BOOT_STATUS_OP_SWAP; + bs->idx = (found_idx / BOOT_STATUS_SWAP_STATE_COUNT) + BOOT_STATUS_IDX_0; + bs->state = (found_idx % BOOT_STATUS_SWAP_STATE_COUNT) + BOOT_STATUS_STATE_0; + } + + return 0; +} + +uint32_t boot_status_internal_off(const struct boot_status *bs, int elem_sz) +{ + uint32_t off; + int idx_sz; + + idx_sz = elem_sz * BOOT_STATUS_STATE_COUNT; + off = (bs->idx - BOOT_STATUS_IDX_0) * idx_sz + + (bs->state - BOOT_STATUS_STATE_0) * elem_sz; + + return off; +} + +static int app_max_sectors(struct boot_loader_state *state) +{ + uint32_t sz = 0; + uint32_t sector_sz; + uint32_t trailer_sz; + uint32_t first_trailer_idx; + + sector_sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, 0); + trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state)); + first_trailer_idx = boot_img_num_sectors(state, BOOT_PRIMARY_SLOT); + + while (1) { + sz += sector_sz; + + if (sz >= trailer_sz) { + break; + } + + first_trailer_idx--; + } + + return first_trailer_idx; +} + +int boot_slots_compatible(struct boot_loader_state *state) +{ + size_t num_sectors_pri; + size_t num_sectors_sec; + size_t sector_sz_pri = 0; + size_t sector_sz_sec = 0; + size_t i; + size_t num_usable_sectors_pri; + + num_sectors_pri = boot_img_num_sectors(state, BOOT_PRIMARY_SLOT); + num_sectors_sec = boot_img_num_sectors(state, BOOT_SECONDARY_SLOT); + num_usable_sectors_pri = app_max_sectors(state); + + if ((num_sectors_pri != num_sectors_sec) && + ((num_sectors_pri + 1) != num_sectors_sec) && + ((num_usable_sectors_pri + 1) != (num_sectors_sec))) { + BOOT_LOG_WRN("Cannot upgrade: not a compatible amount of sectors"); + BOOT_LOG_DBG("slot0 sectors: %d, slot1 sectors: %d, usable slot0 sectors: %d", + (int)num_sectors_pri, (int)num_sectors_sec, + (int)(num_usable_sectors_pri - 1)); + return 0; + } else if (num_sectors_pri > BOOT_MAX_IMG_SECTORS) { + BOOT_LOG_WRN("Cannot upgrade: more sectors than allowed"); + return 0; + } + + if ((num_usable_sectors_pri + 1) != num_sectors_sec) { + BOOT_LOG_DBG("Non-optimal sector distribution, slot0 has %d usable sectors " + "but slot1 has %d usable sectors", (int)(num_usable_sectors_pri), + ((int)num_sectors_sec - 1)); + } + + for (i = 0; i < num_sectors_pri; i++) { + sector_sz_pri = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, i); + sector_sz_sec = boot_img_sector_size(state, BOOT_SECONDARY_SLOT, i); + if (sector_sz_pri != sector_sz_sec) { + BOOT_LOG_WRN("Cannot upgrade: not same sector layout"); + return 0; + } + } + +#ifdef MCUBOOT_SLOT0_EXPECTED_ERASE_SIZE + if (sector_sz_pri != MCUBOOT_SLOT0_EXPECTED_ERASE_SIZE) { + BOOT_LOG_DBG("Discrepancy, slot0 expected erase size: %d, actual: %d", + MCUBOOT_SLOT0_EXPECTED_ERASE_SIZE, sector_sz_pri); + } +#endif +#ifdef MCUBOOT_SLOT1_EXPECTED_ERASE_SIZE + if (sector_sz_sec != MCUBOOT_SLOT1_EXPECTED_ERASE_SIZE) { + BOOT_LOG_DBG("Discrepancy, slot1 expected erase size: %d, actual: %d", + MCUBOOT_SLOT1_EXPECTED_ERASE_SIZE, sector_sz_sec); + } +#endif + +#if defined(MCUBOOT_SLOT0_EXPECTED_WRITE_SIZE) || defined(MCUBOOT_SLOT1_EXPECTED_WRITE_SIZE) + if (!swap_write_block_size_check(state)) { + BOOT_LOG_WRN("Cannot upgrade: slot write sizes are not compatible"); + return 0; + } +#endif + + if (num_sectors_pri > num_sectors_sec) { + if (sector_sz_pri != boot_img_sector_size(state, BOOT_PRIMARY_SLOT, i)) { + BOOT_LOG_WRN("Cannot upgrade: not same sector layout"); + return 0; + } + } + + return 1; +} + +#define BOOT_LOG_SWAP_STATE(area, state) \ + BOOT_LOG_INF("%s: magic=%s, swap_type=0x%x, copy_done=0x%x, " \ + "image_ok=0x%x", \ + (area), \ + ((state)->magic == BOOT_MAGIC_GOOD ? "good" : \ + (state)->magic == BOOT_MAGIC_UNSET ? "unset" : \ + "bad"), \ + (state)->swap_type, \ + (state)->copy_done, \ + (state)->image_ok) + +int swap_status_source(struct boot_loader_state *state) +{ + struct boot_swap_state state_primary_slot; + struct boot_swap_state state_secondary_slot; + int rc; + uint8_t source; + uint8_t image_index; + +#if (BOOT_IMAGE_NUMBER == 1) + (void)state; +#endif + + image_index = BOOT_CURR_IMG(state); + rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_PRIMARY(image_index), &state_primary_slot); + assert(rc == 0); + BOOT_LOG_SWAP_STATE("Primary image", &state_primary_slot); + + rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SECONDARY(image_index), + &state_secondary_slot); + assert(rc == 0); + BOOT_LOG_SWAP_STATE("Secondary image", &state_secondary_slot); + + if (state_primary_slot.magic == BOOT_MAGIC_GOOD && + state_primary_slot.copy_done == BOOT_FLAG_UNSET && + state_secondary_slot.magic != BOOT_MAGIC_GOOD) { + + source = BOOT_STATUS_SOURCE_PRIMARY_SLOT; + + BOOT_LOG_INF("Boot source: primary slot"); + return source; + } + + BOOT_LOG_INF("Boot source: none"); + return BOOT_STATUS_SOURCE_NONE; +} + +static void boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, + struct boot_status *bs, const struct flash_area *fap_pri, + const struct flash_area *fap_sec) +{ + uint32_t pri_off; + uint32_t sec_off; + uint32_t sec_up_off; + int rc = 0; + + pri_off = boot_img_sector_off(state, BOOT_PRIMARY_SLOT, idx); + sec_off = boot_img_sector_off(state, BOOT_SECONDARY_SLOT, idx); + sec_up_off = boot_img_sector_off(state, BOOT_PRIMARY_SLOT, (idx + 1)); + + if (bs->state == BOOT_STATUS_STATE_0) { + /* Copy from slot 0 X to slot 1 X */ + BOOT_LOG_DBG("Erasing secondary 0x%x of 0x%x", sec_off, sz); + rc = boot_erase_region(fap_sec, sec_off, sz); + assert(rc == 0); + + BOOT_LOG_DBG("Copying primary 0x%x -> secondary 0x%x of 0x%x", pri_off, sec_off, sz); + rc = BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, 0); + assert(rc == 0); + + rc = boot_write_status(state, bs); + bs->state = BOOT_STATUS_STATE_1; + BOOT_STATUS_ASSERT(rc == 0); + } + + if (bs->state == BOOT_STATUS_STATE_1) { + /* Erase slot 0 X */ + BOOT_LOG_DBG("Erasing primary 0x%x of 0x%x", pri_off, sz); + rc = boot_erase_region(fap_pri, pri_off, sz); + assert(rc == 0); + + /* Copy from slot 1 (X + 1) to slot 0 X */ + BOOT_LOG_DBG("Copying secondary 0x%x -> primary 0x%x of 0x%x", sec_up_off, pri_off, + sz); + rc = BOOT_COPY_REGION(state, fap_sec, fap_pri, sec_up_off, pri_off, sz, 0); + assert(rc == 0); + + rc = boot_write_status(state, bs); + bs->idx++; + bs->state = BOOT_STATUS_STATE_0; + BOOT_STATUS_ASSERT(rc == 0); + } +} + +static void boot_swap_sectors_revert(int idx, uint32_t sz, struct boot_loader_state *state, + struct boot_status *bs, const struct flash_area *fap_pri, + const struct flash_area *fap_sec, uint32_t sector_sz) +{ + uint32_t pri_off; + uint32_t sec_off; + uint32_t sec_up_off; + int rc = 0; +#if !defined(MCUBOOT_ENC_IMAGES) + (void)sector_sz; +#endif + + pri_off = boot_img_sector_off(state, BOOT_PRIMARY_SLOT, idx); + sec_off = boot_img_sector_off(state, BOOT_SECONDARY_SLOT, idx + 1); + sec_up_off = boot_img_sector_off(state, BOOT_PRIMARY_SLOT, idx); + + if (bs->state == BOOT_STATUS_STATE_0) { + /* Copy from slot 0 X to slot 1 X */ + BOOT_LOG_DBG("Erasing secondary 0x%x of 0x%x", sec_off, sz); + rc = boot_erase_region(fap_sec, sec_off, sz); + assert(rc == 0); + + BOOT_LOG_DBG("Copying primary 0x%x -> secondary 0x%x of 0x%x", pri_off, sec_off, sz); + rc = BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_sz); + assert(rc == 0); + + rc = boot_write_status(state, bs); + bs->state = BOOT_STATUS_STATE_1; + BOOT_STATUS_ASSERT(rc == 0); + } + + if (bs->state == BOOT_STATUS_STATE_1) { + /* Erase slot 0 X */ + BOOT_LOG_DBG("Erasing primary 0x%x of 0x%x", pri_off, sz); + rc = boot_erase_region(fap_pri, pri_off, sz); + assert(rc == 0); + + /* Copy from slot 1 (X + 1) to slot 0 X */ + BOOT_LOG_DBG("Copying secondary 0x%x -> primary 0x%x of 0x%x", sec_up_off, pri_off, + sz); + rc = BOOT_COPY_REGION(state, fap_sec, fap_pri, sec_up_off, pri_off, sz, 0); + assert(rc == 0); + + rc = boot_write_status(state, bs); + bs->idx++; + bs->state = BOOT_STATUS_STATE_0; + BOOT_STATUS_ASSERT(rc == 0); + } +} + +/* + * When starting a revert the swap status exists in the primary slot, and + * the status in the secondary slot is erased. To start the swap, the status + * area in the primary slot must be re-initialized; if during the small + * window of time between re-initializing it and writing the first metadata + * a reset happens, the swap process is broken and cannot be resumed. + * + * This function handles the issue by making the revert look like a permanent + * upgrade (by initializing the secondary slot). + */ +void fixup_revert(const struct boot_loader_state *state, struct boot_status *bs, + const struct flash_area *fap_sec) +{ + struct boot_swap_state swap_state; + int rc; + +#if (BOOT_IMAGE_NUMBER == 1) + (void)state; +#endif + + /* No fixup required */ + if (bs->swap_type != BOOT_SWAP_TYPE_REVERT || + bs->idx != BOOT_STATUS_IDX_0) { + return; + } + + rc = boot_read_swap_state(fap_sec, &swap_state); + assert(rc == 0); + + BOOT_LOG_SWAP_STATE("Secondary image", &swap_state); + + if (swap_state.magic == BOOT_MAGIC_UNSET) { + rc = swap_erase_trailer_sectors(state, fap_sec); + assert(rc == 0); + + rc = boot_write_copy_done(fap_sec); + assert(rc == 0); + + rc = swap_status_init(state, fap_sec, bs); + assert(rc == 0); + } +} + +void swap_run(struct boot_loader_state *state, struct boot_status *bs, + uint32_t copy_size) +{ + uint32_t sz; + uint32_t sector_sz; + uint32_t idx; + uint32_t trailer_sz; + uint32_t first_trailer_idx; + uint32_t last_idx; + uint8_t image_index; + const struct flash_area *fap_pri; + const struct flash_area *fap_sec; + int rc; + + BOOT_LOG_INF("Starting swap using offset algorithm."); + + last_idx = find_last_idx(state, copy_size); + sector_sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, 0); + + /* When starting a new swap upgrade, check that there is enough space */ + if (boot_status_is_reset(bs)) { + sz = 0; + trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state)); + first_trailer_idx = boot_img_num_sectors(state, BOOT_PRIMARY_SLOT) - 1; + + while (1) { + sz += sector_sz; + if (sz >= trailer_sz) { + break; + } + first_trailer_idx--; + } + + if (last_idx >= first_trailer_idx) { + BOOT_LOG_WRN("Not enough free space to run swap upgrade"); + BOOT_LOG_WRN("required %d bytes but only %d are available", + (last_idx + 1) * sector_sz, + first_trailer_idx * sector_sz); + bs->swap_type = BOOT_SWAP_TYPE_NONE; + return; + } + } + + image_index = BOOT_CURR_IMG(state); + + rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index), &fap_pri); + assert (rc == 0); + + rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY(image_index), &fap_sec); + assert (rc == 0); + + fixup_revert(state, bs, fap_sec); + + /* Init areas for storing swap status */ + if (bs->idx == BOOT_STATUS_IDX_0) { + int rc; + + if (bs->source != BOOT_STATUS_SOURCE_PRIMARY_SLOT) { + rc = swap_erase_trailer_sectors(state, fap_pri); + assert(rc == 0); + + rc = swap_status_init(state, fap_pri, bs); + assert(rc == 0); + } + + rc = swap_erase_trailer_sectors(state, fap_sec); + assert(rc == 0); + } + + bs->op = BOOT_STATUS_OP_SWAP; + idx = 0; + + if (bs->swap_type == BOOT_SWAP_TYPE_REVERT || + boot_swap_type_multi(BOOT_CURR_IMG(state)) == BOOT_SWAP_TYPE_REVERT) { + while (idx <= last_idx) { + if (idx >= (bs->idx - BOOT_STATUS_IDX_0)) { + uint32_t mirror_idx = last_idx - idx; + + boot_swap_sectors_revert(mirror_idx, sector_sz, state, bs, fap_pri, fap_sec, + sector_sz); + } + + idx++; + } + + /* Erase the first sector in the secondary slot before completing revert so that the + * status is not wrongly used as a valid header. Also erase the trailer in the secondary + * to allow for a future update to be loaded + */ + rc = boot_erase_region(fap_sec, boot_img_sector_off(state, BOOT_SECONDARY_SLOT, 0), + sector_sz); + assert(rc == 0); + rc = swap_erase_trailer_sectors(state, fap_sec); + assert(rc == 0); + } else { + while (idx <= last_idx) { + if (idx >= (bs->idx - BOOT_STATUS_IDX_0)) { + boot_swap_sectors(idx, sector_sz, state, bs, fap_pri, fap_sec); + } + + idx++; + } + } + + flash_area_close(fap_pri); + flash_area_close(fap_sec); +} + +int app_max_size(struct boot_loader_state *state) +{ + uint32_t sector_sz_primary; + uint32_t sector_sz_secondary; + uint32_t sz_primary; + uint32_t sz_secondary; + + sector_sz_primary = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, 0); + sector_sz_secondary = boot_img_sector_size(state, BOOT_SECONDARY_SLOT, 0); + + /* Account for image flags and move sector */ + sz_primary = app_max_sectors(state) * sector_sz_primary; + sz_secondary = boot_img_num_sectors(state, BOOT_SECONDARY_SLOT) * sector_sz_secondary - + sector_sz_primary; + + return (sz_primary <= sz_secondary ? sz_primary : sz_secondary); +} + +/* Compute the total size of the given image. Includes the size of the TLVs. */ +int boot_read_image_size(struct boot_loader_state *state, int slot, uint32_t *size) +{ + const struct flash_area *fap; + struct image_tlv_info info; + uint32_t off; + uint32_t secondary_slot_off = 0; + uint32_t protect_tlv_size; + int area_id; + int rc; + +#if (BOOT_IMAGE_NUMBER == 1) + (void)state; +#endif + + area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); + rc = flash_area_open(area_id, &fap); + if (rc != 0) { + rc = BOOT_EFLASH; + goto done; + } + + off = BOOT_TLV_OFF(boot_img_hdr(state, slot)); + + if (slot == BOOT_SECONDARY_SLOT) { + /* Check in the secondary position in the upgrade slot */ + secondary_slot_off = state->secondary_offset[BOOT_CURR_IMG(state)]; + } + + if (flash_area_read(fap, (off + secondary_slot_off), &info, sizeof(info))) { + rc = BOOT_EFLASH; + goto done; + } + + protect_tlv_size = boot_img_hdr(state, slot)->ih_protect_tlv_size; + if (info.it_magic == IMAGE_TLV_PROT_INFO_MAGIC) { + if (protect_tlv_size != info.it_tlv_tot) { + rc = BOOT_EBADIMAGE; + goto done; + } + + if (flash_area_read(fap, (off + secondary_slot_off + info.it_tlv_tot), + &info, sizeof(info))) { + rc = BOOT_EFLASH; + goto done; + } + } else if (protect_tlv_size != 0) { + rc = BOOT_EBADIMAGE; + goto done; + } + + if (info.it_magic != IMAGE_TLV_INFO_MAGIC) { + rc = BOOT_EBADIMAGE; + goto done; + } + + *size = off + protect_tlv_size + info.it_tlv_tot; + rc = 0; + +done: + flash_area_close(fap); + return rc; +} + +#endif diff --git a/boot/bootutil/src/swap_priv.h b/boot/bootutil/src/swap_priv.h index 255e74736..6fdf797e1 100644 --- a/boot/bootutil/src/swap_priv.h +++ b/boot/bootutil/src/swap_priv.h @@ -21,7 +21,7 @@ #include "mcuboot_config/mcuboot_config.h" -#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) +#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) /** * Calculates the amount of space required to store the trailer, and erases @@ -99,9 +99,9 @@ static inline size_t boot_scratch_area_size(const struct boot_loader_state *stat } #endif -#endif /* defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) */ +#endif /* defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) */ -#if defined(MCUBOOT_SWAP_USING_MOVE) +#if defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) /** * Check if device write block sizes are as expected, function should emit an error if there is * a problem. If true is returned, the slots are marked as compatible, otherwise the slots are @@ -112,7 +112,7 @@ static inline size_t boot_scratch_area_size(const struct boot_loader_state *stat * slot. */ bool swap_write_block_size_check(struct boot_loader_state *state); -#endif /* defined(MCUBOOT_SWAP_USING_MOVE) */ +#endif /* defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) */ /** * Returns the maximum size of an application that can be loaded to a slot. diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c index f60109120..446112dc5 100644 --- a/boot/bootutil/src/swap_scratch.c +++ b/boot/bootutil/src/swap_scratch.c @@ -30,7 +30,7 @@ BOOT_LOG_MODULE_DECLARE(mcuboot); -#if !defined(MCUBOOT_SWAP_USING_MOVE) +#if !defined(MCUBOOT_SWAP_USING_MOVE) && !defined(MCUBOOT_SWAP_USING_OFFSET) #if defined(MCUBOOT_VALIDATE_PRIMARY_SLOT) /* @@ -976,4 +976,4 @@ boot_read_image_header(struct boot_loader_state *state, int slot, return rc; } -#endif /* !MCUBOOT_SWAP_USING_MOVE */ +#endif /* !MCUBOOT_SWAP_USING_MOVE && !MCUBOOT_SWAP_USING_OFFSET */ diff --git a/boot/bootutil/src/tlv.c b/boot/bootutil/src/tlv.c index a763c9685..629bc235d 100644 --- a/boot/bootutil/src/tlv.c +++ b/boot/bootutil/src/tlv.c @@ -3,6 +3,7 @@ * * Copyright (c) 2019 JUUL Labs * Copyright (c) 2020 Arm Limited + * Copyright (c) 2025 Nordic Semiconductor ASA * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -46,7 +47,12 @@ bootutil_tlv_iter_begin(struct image_tlv_iter *it, const struct image_header *hd return -1; } +#if defined(MCUBOOT_SWAP_USING_OFFSET) + off_ = BOOT_TLV_OFF(hdr) + it->start_off; +#else off_ = BOOT_TLV_OFF(hdr); +#endif + if (LOAD_IMAGE_DATA(hdr, fap, off_, &info, sizeof(info))) { return -1; } From 18fee817edb857e87233860d2533542c697094aa Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Thu, 2 Jan 2025 12:23:31 +0000 Subject: [PATCH 027/228] zephyr: Add support for swap using offset mode Adds support for using this mode to zephyr Signed-off-by: Jamie McCrae --- boot/zephyr/CMakeLists.txt | 81 +++++++++++++------ boot/zephyr/Kconfig | 28 ++++++- .../include/mcuboot_config/mcuboot_config.h | 4 + boot/zephyr/include/sysflash/sysflash.h | 2 +- boot/zephyr/sample.yaml | 6 ++ boot/zephyr/swap_offset.conf | 1 + 6 files changed, 93 insertions(+), 29 deletions(-) create mode 100644 boot/zephyr/swap_offset.conf diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 8c3467a4d..d8bef2f21 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -125,30 +125,48 @@ zephyr_library_sources( ) endif() -if(CONFIG_SINGLE_APPLICATION_SLOT OR CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD) -zephyr_library_sources( - ${BOOT_DIR}/zephyr/single_loader.c - ) -zephyr_library_include_directories(${BOOT_DIR}/bootutil/src) +if(CONFIG_SINGLE_APPLICATION_SLOT) + zephyr_library_sources( + ${BOOT_DIR}/zephyr/single_loader.c + ) + zephyr_library_include_directories(${BOOT_DIR}/bootutil/src) +elseif(CONFIG_SINGLE_APPLICATION_SLOT OR CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD) + zephyr_library_sources( + ${BOOT_DIR}/zephyr/single_loader.c + ${BOOT_DIR}/bootutil/src/ram_load.c + ) + zephyr_library_include_directories(${BOOT_DIR}/bootutil/src) elseif(CONFIG_BOOT_FIRMWARE_LOADER) -zephyr_library_sources( - ${BOOT_DIR}/zephyr/firmware_loader.c - ) -zephyr_library_include_directories(${BOOT_DIR}/bootutil/src) + zephyr_library_sources( + ${BOOT_DIR}/zephyr/firmware_loader.c + ) + zephyr_library_include_directories(${BOOT_DIR}/bootutil/src) else() -zephyr_library_sources( - ${BOOT_DIR}/bootutil/src/loader.c - ${BOOT_DIR}/bootutil/src/swap_misc.c - ${BOOT_DIR}/bootutil/src/swap_scratch.c - ${BOOT_DIR}/bootutil/src/swap_move.c - ${BOOT_DIR}/bootutil/src/caps.c - ) -endif() - -if(CONFIG_BOOT_RAM_LOAD OR CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD) zephyr_library_sources( - ${BOOT_DIR}/bootutil/src/ram_load.c + ${BOOT_DIR}/bootutil/src/loader.c + ${BOOT_DIR}/bootutil/src/swap_misc.c + ${BOOT_DIR}/bootutil/src/caps.c ) + + if(CONFIG_BOOT_SWAP_USING_MOVE) + zephyr_library_sources( + ${BOOT_DIR}/bootutil/src/swap_move.c + ) + elseif(CONFIG_BOOT_SWAP_USING_OFFSET) + zephyr_library_sources( + ${BOOT_DIR}/bootutil/src/swap_offset.c + ) + else() + zephyr_library_sources( + ${BOOT_DIR}/bootutil/src/swap_scratch.c + ) + + if(CONFIG_BOOT_RAM_LOAD OR CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD) + zephyr_library_sources( + ${BOOT_DIR}/bootutil/src/ram_load.c + ) + endif() + endif() endif() if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) @@ -427,7 +445,7 @@ dt_get_parent(slot0_flash) dt_prop(erase_size_slot0 PATH "${slot0_flash}" PROPERTY "erase-block-size") dt_prop(write_size_slot0 PATH "${slot0_flash}" PROPERTY "write-block-size") -if(CONFIG_BOOT_SWAP_USING_MOVE) +if(CONFIG_BOOT_SWAP_USING_MOVE OR CONFIG_BOOT_SWAP_USING_OFFSET) if(DEFINED erase_size_slot0) zephyr_compile_definitions("MCUBOOT_SLOT0_EXPECTED_ERASE_SIZE=${erase_size_slot0}") endif() @@ -445,7 +463,7 @@ if(NOT CONFIG_SINGLE_APPLICATION_SLOT AND NOT CONFIG_SINGLE_APPLICATION_SLOT_RAM dt_prop(erase_size_slot1 PATH "${slot1_flash}" PROPERTY "erase-block-size") dt_prop(write_size_slot1 PATH "${slot1_flash}" PROPERTY "write-block-size") - if(CONFIG_BOOT_SWAP_USING_MOVE) + if(CONFIG_BOOT_SWAP_USING_MOVE OR CONFIG_BOOT_SWAP_USING_OFFSET) if(DEFINED erase_size_slot1) zephyr_compile_definitions("MCUBOOT_SLOT1_EXPECTED_ERASE_SIZE=${erase_size_slot1}") endif() @@ -487,12 +505,12 @@ if(CONFIG_BOOT_MAX_IMG_SECTORS_AUTO) endif() endif() -if((CONFIG_BOOT_SWAP_USING_SCRATCH OR CONFIG_BOOT_SWAP_USING_MOVE) AND (DEFINED write_size_slot0 OR DEFINED write_size_slot1)) +if((CONFIG_BOOT_SWAP_USING_SCRATCH OR CONFIG_BOOT_SWAP_USING_MOVE OR CONFIG_BOOT_SWAP_USING_OFFSET) AND (DEFINED write_size_slot0 OR DEFINED write_size_slot1)) zephyr_library_sources(flash_check.c) endif() if(SYSBUILD) - if(CONFIG_SINGLE_APPLICATION_SLOT OR CONFIG_BOOT_FIRMWARE_LOADER OR CONFIG_BOOT_SWAP_USING_SCRATCH OR CONFIG_BOOT_SWAP_USING_MOVE OR CONFIG_BOOT_UPGRADE_ONLY OR CONFIG_BOOT_DIRECT_XIP OR CONFIG_BOOT_RAM_LOAD) + if(CONFIG_SINGLE_APPLICATION_SLOT OR CONFIG_BOOT_FIRMWARE_LOADER OR CONFIG_BOOT_SWAP_USING_SCRATCH OR CONFIG_BOOT_SWAP_USING_MOVE OR CONFIG_BOOT_SWAP_USING_OFFSET OR CONFIG_BOOT_UPGRADE_ONLY OR CONFIG_BOOT_DIRECT_XIP OR CONFIG_BOOT_RAM_LOAD) # TODO: RAM LOAD support dt_nodelabel(slot0_flash NODELABEL "slot0_partition") dt_get_parent(slot0_flash) @@ -617,6 +635,17 @@ if(SYSBUILD) math(EXPR boot_status_data_size "128 * (3 * ${write_size})") endif() endif() + elseif(CONFIG_BOOT_SWAP_USING_OFFSET) + if(CONFIG_BOOT_MAX_IMG_SECTORS_AUTO AND DEFINED slot_min_sectors AND "${slot_min_sectors}" GREATER "0") + math(EXPR boot_status_data_size "${slot_min_sectors} * (2 * ${write_size})") + else() + if(CONFIG_BOOT_MAX_IMG_SECTORS) + math(EXPR boot_status_data_size "${CONFIG_BOOT_MAX_IMG_SECTORS} * (2 * ${write_size})") + else() + message(WARNING "CONFIG_BOOT_MAX_IMG_SECTORS is not defined, falling back to 128 sector default. Please set CONFIG_BOOT_MAX_IMG_SECTORS to the required value") + math(EXPR boot_status_data_size "128 * (2 * ${write_size})") + endif() + endif() else() set(boot_status_data_size 0) endif() @@ -634,6 +663,10 @@ if(SYSBUILD) if(CONFIG_BOOT_SWAP_USING_MOVE) math(EXPR required_size "${required_size} + ${erase_size}") math(EXPR required_upgrade_size "${required_upgrade_size} + ${erase_size}") + elseif(CONFIG_BOOT_SWAP_USING_OFFSET) +#todo: check how different slot sizes are... +# math(EXPR required_size "${required_size} + ${erase_size}") +# math(EXPR required_upgrade_size "${required_upgrade_size} + ${erase_size}") endif() else() set(required_size 0) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 3afcd05c3..1188f5ae6 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -310,6 +310,13 @@ config BOOT_VALIDATE_SLOT0_ONCE low end devices with as a compromise lowering the security level. If unsure, leave at the default value. +config BOOT_PREFER_SWAP_OFFSET + bool "Prefer the newer swap offset algorithm" + help + If y, the BOOT_IMAGE_UPGRADE_MODE will default to using "offset" instead of "scratch". + This is a separate bool config option, because Kconfig doesn't allow defaults to be + overridden in choice options. Most devices should be using swap using offset mode. + config BOOT_PREFER_SWAP_MOVE bool "Prefer the newer swap move algorithm" default y if SOC_FAMILY_NORDIC_NRF @@ -318,12 +325,14 @@ config BOOT_PREFER_SWAP_MOVE If y, the BOOT_IMAGE_UPGRADE_MODE will default to using "move" instead of "scratch". This is a separate bool config option, because Kconfig doesn't allow defaults to be - overridden in choice options. Most devices should be using - swap move. + overridden in choice options. This mode has been superceded + by swap using offset, but is kept to allow existing projects + to make use of it. if !SINGLE_APPLICATION_SLOT choice BOOT_IMAGE_UPGRADE_MODE prompt "Image upgrade modes" + default BOOT_SWAP_USING_OFFSET if BOOT_PREFER_SWAP_OFFSET default BOOT_SWAP_USING_MOVE if BOOT_PREFER_SWAP_MOVE default BOOT_SWAP_USING_SCRATCH @@ -340,8 +349,19 @@ config BOOT_UPGRADE_ONLY of swapping them. This prevents the fallback recovery, but uses a much simpler code path. +config BOOT_SWAP_USING_OFFSET + bool "Swap using offset mode without scratch partition" + help + If y, the swap upgrade is done by each sector X+1 in the secondary slot moved index X in + the primary slot, then the sector at X+1 in the primary is moved to index X in the + secondary. + This allows a swap upgrade without using a scratch partition, but is currently limited + to all sectors in both slots being of the same size. This mode offers faster swap times + with less flash endurance usage than swap using move, firmware updates must be placed at + the second sector in the second slot instead of the first. + config BOOT_SWAP_USING_MOVE - bool "Swap mode that can run without a scratch partition" + bool "Swap using mode mode without scratch partition" help If y, the swap upgrade is done in two steps, where first every sector of the primary slot is moved up one sector, then for @@ -779,7 +799,7 @@ config MCUBOOT_DOWNGRADE_PREVENTION config MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER bool "Use image security counter instead of version number" depends on MCUBOOT_DOWNGRADE_PREVENTION - depends on (BOOT_SWAP_USING_MOVE || BOOT_SWAP_USING_SCRATCH) + depends on (BOOT_SWAP_USING_MOVE || BOOT_SWAP_USING_SCRATCH || BOOT_SWAP_USING_OFFSET) help Security counter is used for version eligibility check instead of pure version. When this option is set, any upgrade must have greater or diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index b15c1682f..dc49c6688 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -84,6 +84,10 @@ #define MCUBOOT_SWAP_USING_MOVE 1 #endif +#ifdef CONFIG_BOOT_SWAP_USING_OFFSET +#define MCUBOOT_SWAP_USING_OFFSET 1 +#endif + #ifdef CONFIG_BOOT_DIRECT_XIP #define MCUBOOT_DIRECT_XIP #endif diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index 1952950b9..16d222280 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h @@ -54,7 +54,7 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #define FLASH_AREA_IMAGE_PRIMARY(x) __flash_area_ids_for_slot(x, 0) #define FLASH_AREA_IMAGE_SECONDARY(x) __flash_area_ids_for_slot(x, 1) -#if !defined(CONFIG_BOOT_SWAP_USING_MOVE) +#if !defined(CONFIG_BOOT_SWAP_USING_MOVE) && !defined(CONFIG_BOOT_SWAP_USING_OFFSET) #define FLASH_AREA_IMAGE_SCRATCH FIXED_PARTITION_ID(scratch_partition) #endif diff --git a/boot/zephyr/sample.yaml b/boot/zephyr/sample.yaml index 2c36fbe1e..924f950ca 100644 --- a/boot/zephyr/sample.yaml +++ b/boot/zephyr/sample.yaml @@ -90,3 +90,9 @@ tests: platform_allow: mimxrt1020_evk integration_platforms: - mimxrt1020_evk + sample.bootloader.mcuboot.swap_offset: + extra_args: EXTRA_CONF_FILE=./swap_offset.conf + platform_allow: nrf52840dk/nrf52840 + integration_platforms: + - nrf52840dk/nrf52840 + tags: bootloader_mcuboot diff --git a/boot/zephyr/swap_offset.conf b/boot/zephyr/swap_offset.conf new file mode 100644 index 000000000..c6a15932b --- /dev/null +++ b/boot/zephyr/swap_offset.conf @@ -0,0 +1 @@ +CONFIG_BOOT_SWAP_USING_OFFSET=y From be9b2ad312ab3ecbf4628b63671cfb7cdbdd000f Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Mon, 6 Jan 2025 11:11:29 +0000 Subject: [PATCH 028/228] sim: mcuboot-sys: Add support for limited sector size information Adds support for getting the sector size of less sectors than are in an image, which mirrors support in zephyr and allows getting just the size of the first sector in an image Signed-off-by: Jamie McCrae --- sim/mcuboot-sys/csupport/run.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/sim/mcuboot-sys/csupport/run.c b/sim/mcuboot-sys/csupport/run.c index 98689968f..d5ffa16e5 100644 --- a/sim/mcuboot-sys/csupport/run.c +++ b/sim/mcuboot-sys/csupport/run.c @@ -7,6 +7,7 @@ #include #include #include +#include #include @@ -369,6 +370,7 @@ int flash_area_erase(const struct flash_area *area, uint32_t off, uint32_t len) int flash_area_to_sectors(int idx, int *cnt, struct flash_area *ret) { + int rc = 0; uint32_t i; struct area *slot; struct area_desc *flash_areas; @@ -385,20 +387,21 @@ int flash_area_to_sectors(int idx, int *cnt, struct flash_area *ret) slot = &flash_areas->slots[i]; - if (slot->num_areas > (uint32_t)*cnt) { - printf("Too many areas in slot\n"); - abort(); + if ((uint32_t)*cnt > slot->num_areas) { + *cnt = slot->num_areas; + } else if (slot->num_areas > (uint32_t)*cnt) { + rc = -ENOMEM; } - *cnt = slot->num_areas; - memcpy(ret, slot->areas, slot->num_areas * sizeof(struct flash_area)); + memcpy(ret, slot->areas, *cnt * sizeof(struct flash_area)); - return 0; + return rc; } int flash_area_get_sectors(int fa_id, uint32_t *count, struct flash_sector *sectors) { + int rc = 0; uint32_t i; struct area *slot; struct area_desc *flash_areas; @@ -415,19 +418,19 @@ int flash_area_get_sectors(int fa_id, uint32_t *count, slot = &flash_areas->slots[i]; - if (slot->num_areas > *count) { - printf("Too many areas in slot\n"); - abort(); + if (*count > slot->num_areas) { + *count = slot->num_areas; + } else if (slot->num_areas > *count) { + rc = -ENOMEM; } - for (i = 0; i < slot->num_areas; i++) { + for (i = 0; i < *count; i++) { sectors[i].fs_off = slot->areas[i].fa_off - slot->whole.fa_off; sectors[i].fs_size = slot->areas[i].fa_size; } - *count = slot->num_areas; - return 0; + return rc; } int flash_area_id_to_multi_image_slot(int image_index, int area_id) From 09aeaeb441b36ae8d6f718244a9dceb51a131e66 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Fri, 3 Jan 2025 07:45:33 +0000 Subject: [PATCH 029/228] sim: Add swap using offset to tests Enables testing this new mode Signed-off-by: Jamie McCrae --- .github/workflows/sim.yaml | 4 +- sim/Cargo.toml | 1 + sim/mcuboot-sys/Cargo.toml | 4 ++ sim/mcuboot-sys/build.rs | 6 ++- sim/src/caps.rs | 1 + sim/src/image.rs | 108 ++++++++++++++++++++++++++----------- sim/src/lib.rs | 4 +- 7 files changed, 94 insertions(+), 34 deletions(-) diff --git a/.github/workflows/sim.yaml b/.github/workflows/sim.yaml index c1d91a673..36d890d4f 100644 --- a/.github/workflows/sim.yaml +++ b/.github/workflows/sim.yaml @@ -17,7 +17,7 @@ jobs: matrix: features: - "sig-ecdsa,sig-ecdsa-mbedtls,sig-ed25519,enc-kw,bootstrap" - - "sig-rsa,sig-rsa3072,overwrite-only,validate-primary-slot,swap-move" + - "sig-rsa,sig-rsa3072,overwrite-only,validate-primary-slot,swap-move,swap-offset" - "enc-rsa,enc-rsa max-align-32" - "enc-aes256-rsa,enc-aes256-rsa max-align-32" - "enc-ec256,enc-ec256 max-align-32" @@ -29,7 +29,7 @@ jobs: - "enc-kw overwrite-only,enc-kw overwrite-only max-align-32" - "enc-rsa overwrite-only,enc-rsa overwrite-only max-align-32" - "enc-aes256-kw overwrite-only,enc-aes256-kw overwrite-only max-align-32" - - "sig-rsa enc-rsa validate-primary-slot,swap-move enc-rsa sig-rsa validate-primary-slot bootstrap" + - "sig-rsa enc-rsa validate-primary-slot,swap-move enc-rsa sig-rsa validate-primary-slot bootstrap,swap-offset enc-rsa sig-rsa validate-primary-slot bootstrap" - "sig-rsa enc-kw validate-primary-slot bootstrap,sig-ed25519 enc-x25519 validate-primary-slot" - "sig-ecdsa enc-kw validate-primary-slot" - "sig-ecdsa-mbedtls enc-kw validate-primary-slot" diff --git a/sim/Cargo.toml b/sim/Cargo.toml index 7cef823d8..6d2262d90 100644 --- a/sim/Cargo.toml +++ b/sim/Cargo.toml @@ -15,6 +15,7 @@ sig-ecdsa-psa = ["mcuboot-sys/sig-ecdsa-psa", "mcuboot-sys/psa-crypto-api"] sig-p384 = ["mcuboot-sys/sig-p384"] sig-ed25519 = ["mcuboot-sys/sig-ed25519"] overwrite-only = ["mcuboot-sys/overwrite-only"] +swap-offset = ["mcuboot-sys/swap-offset"] swap-move = ["mcuboot-sys/swap-move"] validate-primary-slot = ["mcuboot-sys/validate-primary-slot"] enc-rsa = ["mcuboot-sys/enc-rsa"] diff --git a/sim/mcuboot-sys/Cargo.toml b/sim/mcuboot-sys/Cargo.toml index ab97bbfe1..f2eb70634 100644 --- a/sim/mcuboot-sys/Cargo.toml +++ b/sim/mcuboot-sys/Cargo.toml @@ -36,6 +36,10 @@ sig-ed25519 = [] # Overwrite only upgrade overwrite-only = [] +# Swap using offset mode +swap-offset = [] + +# Swap using move move swap-move = [] # Disable validation of the primary slot diff --git a/sim/mcuboot-sys/build.rs b/sim/mcuboot-sys/build.rs index 47ee880c5..e74a086d0 100644 --- a/sim/mcuboot-sys/build.rs +++ b/sim/mcuboot-sys/build.rs @@ -20,6 +20,7 @@ fn main() { let sig_ed25519 = env::var("CARGO_FEATURE_SIG_ED25519").is_ok(); let overwrite_only = env::var("CARGO_FEATURE_OVERWRITE_ONLY").is_ok(); let swap_move = env::var("CARGO_FEATURE_SWAP_MOVE").is_ok(); + let swap_offset = env::var("CARGO_FEATURE_SWAP_OFFSET").is_ok(); let validate_primary_slot = env::var("CARGO_FEATURE_VALIDATE_PRIMARY_SLOT").is_ok(); let enc_rsa = env::var("CARGO_FEATURE_ENC_RSA").is_ok(); @@ -253,7 +254,9 @@ fn main() { conf.conf.define("MCUBOOT_OVERWRITE_ONLY", None); } - if swap_move { + if swap_offset { + conf.conf.define("MCUBOOT_SWAP_USING_OFFSET", None); + } else if swap_move { conf.conf.define("MCUBOOT_SWAP_USING_MOVE", None); } else if !overwrite_only && !direct_xip && !ram_load { conf.conf.define("CONFIG_BOOT_SWAP_USING_SCRATCH", None); @@ -461,6 +464,7 @@ fn main() { conf.file("../../boot/bootutil/src/swap_misc.c"); conf.file("../../boot/bootutil/src/swap_scratch.c"); conf.file("../../boot/bootutil/src/swap_move.c"); + conf.file("../../boot/bootutil/src/swap_offset.c"); conf.file("../../boot/bootutil/src/caps.c"); conf.file("../../boot/bootutil/src/bootutil_misc.c"); conf.file("../../boot/bootutil/src/bootutil_public.c"); diff --git a/sim/src/caps.rs b/sim/src/caps.rs index d8dd068ec..2b98ab6f3 100644 --- a/sim/src/caps.rs +++ b/sim/src/caps.rs @@ -30,6 +30,7 @@ pub enum Caps { DirectXip = (1 << 17), HwRollbackProtection = (1 << 18), EcdsaP384 = (1 << 19), + SwapUsingOffset = (1 << 20), } impl Caps { diff --git a/sim/src/image.rs b/sim/src/image.rs index 4cd648832..e406a8130 100644 --- a/sim/src/image.rs +++ b/sim/src/image.rs @@ -235,20 +235,20 @@ impl ImagesBuilder { let (primaries,upgrades) = if img_manipulation == ImageManipulation::CorruptHigherVersionImage && !higher_version_corrupted { higher_version_corrupted = true; let prim = install_image(&mut flash, &slots[0], - maximal(42784), &ram, &*dep, ImageManipulation::None, Some(0)); + maximal(42784), &ram, &*dep, ImageManipulation::None, Some(0), false); let upgr = match deps.depends[image_num] { DepType::NoUpgrade => install_no_image(), _ => install_image(&mut flash, &slots[1], - maximal(46928), &ram, &*dep, ImageManipulation::BadSignature, Some(0)) + maximal(46928), &ram, &*dep, ImageManipulation::BadSignature, Some(0), true) }; (prim, upgr) } else { let prim = install_image(&mut flash, &slots[0], - maximal(42784), &ram, &*dep, img_manipulation, Some(0)); + maximal(42784), &ram, &*dep, img_manipulation, Some(0), false); let upgr = match deps.depends[image_num] { DepType::NoUpgrade => install_no_image(), _ => install_image(&mut flash, &slots[1], - maximal(46928), &ram, &*dep, img_manipulation, Some(0)) + maximal(46928), &ram, &*dep, img_manipulation, Some(0), true) }; (prim, upgr) }; @@ -299,9 +299,9 @@ impl ImagesBuilder { let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); let primaries = install_image(&mut bad_flash, &slots[0], - maximal(32784), &ram, &dep, ImageManipulation::None, Some(0)); + maximal(32784), &ram, &dep, ImageManipulation::None, Some(0), false); let upgrades = install_image(&mut bad_flash, &slots[1], - maximal(41928), &ram, &dep, ImageManipulation::BadSignature, Some(0)); + maximal(41928), &ram, &dep, ImageManipulation::BadSignature, Some(0), true); OneImage { slots, primaries, @@ -322,9 +322,9 @@ impl ImagesBuilder { let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); let primaries = install_image(&mut bad_flash, &slots[0], - maximal(32784), &ram, &dep, ImageManipulation::None, Some(0)); + maximal(32784), &ram, &dep, ImageManipulation::None, Some(0), false); let upgrades = install_image(&mut bad_flash, &slots[1], - ImageSize::Oversized, &ram, &dep, ImageManipulation::None, Some(0)); + ImageSize::Oversized, &ram, &dep, ImageManipulation::None, Some(0), true); OneImage { slots, primaries, @@ -345,7 +345,7 @@ impl ImagesBuilder { let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); let primaries = install_image(&mut flash, &slots[0], - maximal(32784), &ram, &dep,ImageManipulation::None, Some(0)); + maximal(32784), &ram, &dep,ImageManipulation::None, Some(0), false); let upgrades = install_no_image(); OneImage { slots, @@ -368,7 +368,7 @@ impl ImagesBuilder { let dep = BoringDep::new(image_num, &NO_DEPS); let primaries = install_no_image(); let upgrades = install_image(&mut flash, &slots[1], - maximal(32784), &ram, &dep, ImageManipulation::None, Some(0)); + maximal(32784), &ram, &dep, ImageManipulation::None, Some(0), true); OneImage { slots, primaries, @@ -390,7 +390,7 @@ impl ImagesBuilder { let dep = BoringDep::new(image_num, &NO_DEPS); let primaries = install_no_image(); let upgrades = install_image(&mut flash, &slots[1], - ImageSize::Oversized, &ram, &dep, ImageManipulation::None, Some(0)); + ImageSize::Oversized, &ram, &dep, ImageManipulation::None, Some(0), true); OneImage { slots, primaries, @@ -412,9 +412,9 @@ impl ImagesBuilder { let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); let primaries = install_image(&mut flash, &slots[0], - maximal(32784), &ram, &dep, ImageManipulation::None, security_cnt); + maximal(32784), &ram, &dep, ImageManipulation::None, security_cnt, false); let upgrades = install_image(&mut flash, &slots[1], - maximal(41928), &ram, &dep, ImageManipulation::None, security_cnt.map(|v| v + 1)); + maximal(41928), &ram, &dep, ImageManipulation::None, security_cnt.map(|v| v + 1), true); OneImage { slots, primaries, @@ -451,7 +451,7 @@ impl ImagesBuilder { let mut flash = SimMultiFlash::new(); flash.insert(dev_id, dev); - (flash, Rc::new(areadesc), &[Caps::SwapUsingMove]) + (flash, Rc::new(areadesc), &[Caps::SwapUsingMove, Caps::SwapUsingOffset]) } DeviceName::K64f => { // NXP style flash. Small sectors, one small sector for scratch. @@ -482,7 +482,7 @@ impl ImagesBuilder { let mut flash = SimMultiFlash::new(); flash.insert(dev_id, dev); - (flash, Rc::new(areadesc), &[Caps::SwapUsingMove]) + (flash, Rc::new(areadesc), &[Caps::SwapUsingMove, Caps::SwapUsingOffset]) } DeviceName::Nrf52840 => { // Simulating the flash on the nrf52840 with partitions set up so that the scratch size @@ -511,7 +511,20 @@ impl ImagesBuilder { let mut flash = SimMultiFlash::new(); flash.insert(dev_id, dev); - (flash, Rc::new(areadesc), &[Caps::SwapUsingScratch, Caps::OverwriteUpgrade]) + (flash, Rc::new(areadesc), &[Caps::SwapUsingScratch, Caps::OverwriteUpgrade, Caps::SwapUsingOffset]) + } + DeviceName::Nrf52840UnequalSlotsLargerSlot1 => { + let dev = SimFlash::new(vec![4096; 128], align as usize, erased_val); + + let dev_id = 0; + let mut areadesc = AreaDesc::new(); + areadesc.add_flash_sectors(dev_id, &dev); + areadesc.add_image(0x008000, 0x03b000, FlashId::Image0, dev_id); + areadesc.add_image(0x043000, 0x03c000, FlashId::Image1, dev_id); + + let mut flash = SimMultiFlash::new(); + flash.insert(dev_id, dev); + (flash, Rc::new(areadesc), &[Caps::SwapUsingScratch, Caps::OverwriteUpgrade, Caps::SwapUsingMove, Caps::RamLoad, Caps::DirectXip]) } DeviceName::Nrf52840SpiFlash => { // Simulate nrf52840 with external SPI flash. The external SPI flash @@ -530,7 +543,7 @@ impl ImagesBuilder { let mut flash = SimMultiFlash::new(); flash.insert(0, dev0); flash.insert(1, dev1); - (flash, Rc::new(areadesc), &[Caps::SwapUsingMove]) + (flash, Rc::new(areadesc), &[Caps::SwapUsingMove, Caps::SwapUsingOffset]) } DeviceName::K64fMulti => { // NXP style flash, but larger, to support multiple images. @@ -653,7 +666,7 @@ impl Images { } fn is_swap_upgrade(&self) -> bool { - Caps::SwapUsingScratch.present() || Caps::SwapUsingMove.present() + Caps::SwapUsingScratch.present() || Caps::SwapUsingMove.present() || Caps::SwapUsingOffset.present() } pub fn run_basic_revert(&self) -> bool { @@ -1738,7 +1751,7 @@ fn image_largest_trailer(dev: &dyn Flash) -> usize { // This computation is incorrect, and we need to figure out the correct size. // c::boot_status_sz(dev.align() as u32) as usize 16 + 4 * dev.align() - } else if Caps::SwapUsingMove.present() { + } else if Caps::SwapUsingOffset.present() || Caps::SwapUsingMove.present() { let sector_size = dev.sector_iter().next().unwrap().size as u32; align_up(c::boot_trailer_sz(dev.align() as u32), sector_size) as usize } else if Caps::SwapUsingScratch.present() { @@ -1754,13 +1767,19 @@ fn image_largest_trailer(dev: &dyn Flash) -> usize { /// fields used by the given code. Returns a copy of the image that was written. fn install_image(flash: &mut SimMultiFlash, slot: &SlotInfo, len: ImageSize, ram: &RamData, - deps: &dyn Depender, img_manipulation: ImageManipulation, security_counter:Option) -> ImageData { - let offset = slot.base_off; + deps: &dyn Depender, img_manipulation: ImageManipulation, security_counter:Option, secondary_slot:bool) -> ImageData { + let mut offset = slot.base_off; let slot_len = slot.len; let dev_id = slot.dev_id; let dev = flash.get_mut(&dev_id).unwrap(); let mut tlv: Box = Box::new(make_tlv()); + + if Caps::SwapUsingOffset.present() && secondary_slot { + let sector_size = dev.sector_iter().next().unwrap().size as usize; + offset += sector_size; + } + if img_manipulation == ImageManipulation::IgnoreRamLoadFlag { tlv.set_ignore_ram_load_flag(); } @@ -1798,11 +1817,19 @@ fn install_image(flash: &mut SimMultiFlash, slot: &SlotInfo, len: ImageSize, ImageSize::Oversized => { let trailer = image_largest_trailer(dev); let tlv_len = tlv.estimate_size(); + let mut sector_offset = 0; + + if Caps::SwapUsingOffset.present() && secondary_slot { + // This accounts for when both slots have the same size, it will not work where + // the second slot is one sector larger than the primary + sector_offset = dev.sector_iter().next().unwrap().size as usize; + } + info!("slot: 0x{:x}, HDR: 0x{:x}, trailer: 0x{:x}", slot_len, HDR_SIZE, trailer); // the overflow size is rougly estimated to work for all // configurations. It might be precise if tlv_len will be maked precise. - slot_len - HDR_SIZE - trailer - tlv_len + dev.align()*4 + slot_len - HDR_SIZE - trailer - tlv_len - sector_offset + dev.align()*4 } }; @@ -2046,17 +2073,37 @@ fn verify_image(flash: &SimMultiFlash, slot: &SlotInfo, images: &ImageData) -> b let dev = flash.get(&dev_id).unwrap(); dev.read(offset, &mut copy).unwrap(); - if buf != ©[..] { - for i in 0 .. buf.len() { - if buf[i] != copy[i] { - info!("First failure for slot{} at {:#x} ({:#x} within) {:#x}!={:#x}", - slot.index, offset + i, i, buf[i], copy[i]); - break; + if Caps::SwapUsingOffset.present() && (slot.index % 2) == 1 { + let sector_size = dev.sector_iter().next().unwrap().size as usize; + let mut copy_offset = vec![0u8; buf.len()]; + let offset_offset = slot.base_off + sector_size; + dev.read(offset_offset, &mut copy_offset).unwrap(); + + if buf != ©[..] && buf != ©_offset[..] { + for i in 0 .. buf.len() { + if buf[i] != copy[i] && buf[i] != copy_offset[i] { + info!("First failure for slot{} at {:#x} ({:#x} within) {:#x}!=({:#x} or {:#x})", + slot.index, offset + i, i, buf[i], copy[i], copy_offset[i]); + break; + } } + false + } else { + true } - false } else { - true + if buf != ©[..] { + for i in 0 .. buf.len() { + if buf[i] != copy[i] { + info!("First failure for slot{} at {:#x} ({:#x} within) {:#x}!={:#x}", + slot.index, offset + i, i, buf[i], copy[i]); + break; + } + } + false + } else { + true + } } } @@ -2294,6 +2341,7 @@ trait AsRaw : Sized { /// Returns an ImageSize representing the best size to test, possibly just with the given size. fn maximal(size: usize) -> ImageSize { if Caps::OverwriteUpgrade.present() || + Caps::SwapUsingOffset.present() || Caps::SwapUsingMove.present() { ImageSize::Given(size) diff --git a/sim/src/lib.rs b/sim/src/lib.rs index fe43e46bc..5e4304b82 100644 --- a/sim/src/lib.rs +++ b/sim/src/lib.rs @@ -64,7 +64,7 @@ struct Args { #[derive(Copy, Clone, Debug, Deserialize)] pub enum DeviceName { Stm32f4, K64f, K64fBig, K64fMulti, Nrf52840, Nrf52840SpiFlash, - Nrf52840UnequalSlots, + Nrf52840UnequalSlots, Nrf52840UnequalSlotsLargerSlot1, } pub static ALL_DEVICES: &[DeviceName] = &[ @@ -75,6 +75,7 @@ pub static ALL_DEVICES: &[DeviceName] = &[ DeviceName::Nrf52840, DeviceName::Nrf52840SpiFlash, DeviceName::Nrf52840UnequalSlots, + DeviceName::Nrf52840UnequalSlotsLargerSlot1, ]; impl fmt::Display for DeviceName { @@ -87,6 +88,7 @@ impl fmt::Display for DeviceName { DeviceName::Nrf52840 => "nrf52840", DeviceName::Nrf52840SpiFlash => "Nrf52840SpiFlash", DeviceName::Nrf52840UnequalSlots => "Nrf52840UnequalSlots", + DeviceName::Nrf52840UnequalSlotsLargerSlot1 => "Nrf52840UnequalSlotsLargerSlot1", }; f.write_str(name) } From afa3620ec6ea860fe80dfc1fdd726930ef78f678 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Thu, 9 Jan 2025 10:17:56 +0000 Subject: [PATCH 030/228] sim: Fix wrong usage of pointer Fixes not using a pointer as a pointer Signed-off-by: Jamie McCrae --- sim/mcuboot-sys/csupport/run.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sim/mcuboot-sys/csupport/run.c b/sim/mcuboot-sys/csupport/run.c index d5ffa16e5..24e50adc1 100644 --- a/sim/mcuboot-sys/csupport/run.c +++ b/sim/mcuboot-sys/csupport/run.c @@ -279,7 +279,7 @@ int invoke_boot_go(struct sim_context *ctx, struct area_desc *adesc, sim_reset_flash_areas(); sim_reset_context(); free(state); - /* printf("boot_go off: %d (0x%08x)\n", res, rsp.br_image_off); */ + /* printf("boot_go off: %d (0x%08x)\n", res, rsp->br_image_off); */ return res; } else { sim_reset_flash_areas(); From 4bcb969e88b00c3d6dfbb30aa1b6c066e09f0ff4 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Fri, 3 Jan 2025 08:06:56 +0000 Subject: [PATCH 031/228] docs: design: Add information on swap using offset mode Adds details on how this new mode works Signed-off-by: Jamie McCrae --- docs/design.md | 85 +++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 70 insertions(+), 15 deletions(-) diff --git a/docs/design.md b/docs/design.md index b1979a7c2..8b2e3ea2a 100755 --- a/docs/design.md +++ b/docs/design.md @@ -237,7 +237,48 @@ Where: `image-slot-size` is the size of the image slot. `image-trailer-size` is the size of the image trailer. -### [Swap without using scratch](#image-swap-no-scratch) +### [Swap using offset (without using scratch)](#image-swap-offset-no-scratch) + +This algorithm is an alternative to the swap-using-scratch algorithm and an +enhancement of the swap using move algorithm. +It uses an additional sector in the secondary slot to make swap possible. +The algorithm works as follows: + + 1. Update image must be placed starting at the second sector in the secondary slot + 2. Copies the N-th sector from the primary slot to the N-th sector of the + secondary slot. + 3. Copies the (N+1)-th sector from the secondary slot to the N-th sector of the + primary slot. + 4. Repeats steps 2. and 3. until all the slots' sectors are swapped. + +This algorithm is designed so that the lower sector of the secondary slot is +used only for allowing sectors to move down during a swap. Therefore the most +memory-size-effective slot layout is when the secondary slot is larger than +the primary slot by exactly one sector, although same-sized slots are allowed +as well. The algorithm is limited to support sectors of the same sector layout. +All slot's sectors should be of the same size. This algorithm uses 2 flags per +sector update rather than the 3 flags used by swap using move, which requires +a smaller swap status area size. + +When using this algorithm the maximum image size available for the application +will be: +``` +maximum-image-size1 = N * slot-sector-size - image-trailer-sectors-size +``` + +Where: + `N` is the number of sectors in the primary slot. + `image-trailer-sectors-size` is the size of the image trailer rounded up to + the total size of sectors its occupied. For instance if the image-trailer-size + is equal to 1056 B and the sector size is equal to 1024 B, then + `image-trailer-sectors-size` will be equal to 2048 B. + +The algorithm does one erase cycle on both the primary and secondary slots +during each swap. + +The algorithm is enabled using the `MCUBOOT_SWAP_USING_OFFSET` option. + +### [Swap using move (without using scratch)](#image-swap-no-scratch) This algorithm is an alternative to the swap-using-scratch algorithm. It uses an additional sector in the primary slot to make swap possible. @@ -635,7 +676,17 @@ types described above via a set of tables. These tables are reproduced below. --- ``` - State I + State I (swap using offset only) + | primary slot | secondary slot | + -----------------+--------------+----------------| + magic | Any | Good | + image-ok | Any | Unset | + copy-done | Any | Set | + -----------------+--------------+----------------' + result: BOOT_SWAP_TYPE_REVERT | + -------------------------------------------------' + + State II | primary slot | secondary slot | -----------------+--------------+----------------| magic | Any | Good | @@ -646,7 +697,7 @@ types described above via a set of tables. These tables are reproduced below. -------------------------------------------------' - State II + State III | primary slot | secondary slot | -----------------+--------------+----------------| magic | Any | Good | @@ -657,7 +708,7 @@ types described above via a set of tables. These tables are reproduced below. -------------------------------------------------' - State III + State IV | primary slot | secondary slot | -----------------+--------------+----------------| magic | Good | Any | @@ -674,7 +725,7 @@ Otherwise, MCUboot does not attempt to swap images, resulting in one of the other three swap types, as illustrated by State IV. ``` - State IV + State V | primary slot | secondary slot | -----------------+--------------+----------------| magic | Any | Any | @@ -687,7 +738,7 @@ other three swap types, as illustrated by State IV. -------------------------------------------------' ``` -In State IV, when no errors occur, MCUboot will attempt to boot the contents of +In State V, when no errors occur, MCUboot will attempt to boot the contents of the primary slot directly, and the result is `BOOT_SWAP_TYPE_NONE`. If the image in the primary slot is not valid, the result is `BOOT_SWAP_TYPE_FAIL`. If a fatal error occurs during boot, the result is `BOOT_SWAP_TYPE_PANIC`. If the @@ -979,7 +1030,10 @@ the middle of an image swap operation. The swap status region consists of a series of single-byte records. These records are written independently, and therefore must be padded according to the minimum write size imposed by the flash hardware. The structure of the swap status region is illustrated below. -In this figure, a min-write-size of 1 is assumed for simplicity. +In this figure, a min-write-size of 1 is assumed for simplicity, this diagram +shows 3 states per sector which is applicable to swap using scratch and swap +using move, however in swap using offset mode there are only 2 states per +sector and the overall state size required is less. ``` 0 1 2 3 @@ -1040,14 +1094,15 @@ values map to the above four states as follows The swap status region can accommodate `BOOT_MAX_IMG_SECTORS` sector indices. Hence, the size of the region, in bytes, is -`BOOT_MAX_IMG_SECTORS * min-write-size * 3`. The only requirement for the index -count is that it is great enough to account for a maximum-sized image -(i.e., at least as great as the total sector count in an image slot). If a -device's image slots have been configured with `BOOT_MAX_IMG_SECTORS: 128` and -use less than 128 sectors, the first record that gets written will be somewhere -in the middle of the region. For example, if a slot uses 64 sectors, the first -sector index that gets swapped is 63, which corresponds to the exact halfway -point within the region. +`BOOT_MAX_IMG_SECTORS * min-write-size * s` where `s` is 3 for swap using +scratch and swap using move modes, and is 2 for swap using offset mode. The +only requirement for the index count is that it is great enough to account +for a maximum-sized image (i.e., at least as great as the total sector count in +an image slot). If a device's image slots have been configured with +`BOOT_MAX_IMG_SECTORS: 128` and use less than 128 sectors, the first record +that gets written will be somewhere in the middle of the region. For example, +if a slot uses 64 sectors, the first sector index that gets swapped is 63, +which corresponds to the exact halfway point within the region. --- ***Note*** From 3fea62b672b0cdd34d269d4cb0b72bd639a7b0e2 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Fri, 3 Jan 2025 08:10:00 +0000 Subject: [PATCH 032/228] docs: release-notes: Add note on new swap using offset mode Adds a note about this new algorithm being added Signed-off-by: Jamie McCrae --- docs/release-notes.d/swap-using-offset.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 docs/release-notes.d/swap-using-offset.md diff --git a/docs/release-notes.d/swap-using-offset.md b/docs/release-notes.d/swap-using-offset.md new file mode 100644 index 000000000..c36dc350d --- /dev/null +++ b/docs/release-notes.d/swap-using-offset.md @@ -0,0 +1,6 @@ +- Added a new swap using offset algorithm which is set with + `MCUBOOT_SWAP_USING_OFFSET`. This algorithm is similar to swap + using move but avoids moving the sectors in the primary slot + up by having the update image written in the second sector in + the update slot, which offers a faster update process and + requires a smaller swap status area From fecf7e87ffee74a9a056929f72d67e0221de6da3 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Fri, 10 Jan 2025 11:42:38 +0000 Subject: [PATCH 033/228] boot: bootutil: loader: Fix some comments Fixes some comments which had typos or were not formatted correctly Signed-off-by: Jamie McCrae --- boot/bootutil/src/loader.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index b0f137a21..25870bc8d 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -787,8 +787,9 @@ boot_image_check(struct boot_loader_state *state, struct image_header *hdr, (void)bs; (void)rc; -/* In the case of ram loading the image has already been decrypted as it is - * decrypted when copied in ram */ + /* In the case of ram loading the image has already been decrypted as it is + * decrypted when copied in ram + */ #if defined(MCUBOOT_ENC_IMAGES) && !defined(MCUBOOT_RAM_LOAD) if (MUST_DECRYPT(fap, BOOT_CURR_IMG(state), hdr)) { rc = boot_enc_load(state, 1, hdr, fap, bs); @@ -1347,7 +1348,7 @@ boot_copy_region(struct boot_loader_state *state, #ifdef MCUBOOT_ENC_IMAGES /* If only copy, then does not matter if header indicates need for - * encryptio/decryptio, we just copy data. */ + * encryption/decryption, we just copy data. */ if (!only_copy && IS_ENCRYPTED(hdr)) { #if defined(MCUBOOT_SWAP_USING_OFFSET) uint32_t abs_off = off - sector_off + bytes_copied; From e5b895294f0ae283e79f130650582c9b0912b5b0 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 15 Jan 2025 12:21:55 +0000 Subject: [PATCH 034/228] boot: boot_serial: Add support for swap using offset mode Adds support for serial recovery of images when MCUboot is set to swap using offset mode Signed-off-by: Jamie McCrae --- .../boot_serial/boot_serial_encryption.h | 7 +- boot/boot_serial/src/boot_serial.c | 158 +++++++++++++++++- boot/boot_serial/src/boot_serial_encryption.c | 23 ++- boot/bootutil/include/bootutil/enc_key.h | 10 +- boot/bootutil/include/bootutil/image.h | 6 +- boot/bootutil/src/encrypted.c | 12 +- boot/bootutil/src/image_validate.c | 28 +++- boot/bootutil/src/loader.c | 33 ++++ 8 files changed, 261 insertions(+), 16 deletions(-) diff --git a/boot/boot_serial/include/boot_serial/boot_serial_encryption.h b/boot/boot_serial/include/boot_serial/boot_serial_encryption.h index b7cf9ff55..890f0cb18 100644 --- a/boot/boot_serial/include/boot_serial/boot_serial_encryption.h +++ b/boot/boot_serial/include/boot_serial/boot_serial_encryption.h @@ -15,13 +15,18 @@ * @param[in] hdr boot image header pointer * @param[in] buf buffer which is used for validating data * @param[in] buf_size size of input buffer + * @param[in] start_off start offset inside of image (swap using offset only) * * @return FIH_SUCCESS on success, error code otherwise */ fih_ret boot_image_validate_encrypted(const struct flash_area *fa_p, struct image_header *hdr, uint8_t *buf, - uint16_t buf_size); + uint16_t buf_size +#ifdef MCUBOOT_SWAP_USING_OFFSET + , uint32_t start_off +#endif +); /** * Handle an encrypted firmware in the main flash. diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c index 73a4b5062..9ddc712de 100644 --- a/boot/boot_serial/src/boot_serial.c +++ b/boot/boot_serial/src/boot_serial.c @@ -154,6 +154,9 @@ BOOT_LOG_MODULE_DECLARE(mcuboot); #define IMAGES_ITER(x) #endif +#define SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN 1 +#define BOOT_DIRECT_UPLOAD_SECONDARY_SLOT_ID_REMAINDER 0 + static char in_buf[MCUBOOT_SERIAL_MAX_RECEIVE_SIZE + 1]; static char dec_buf[MCUBOOT_SERIAL_MAX_RECEIVE_SIZE + 1]; const struct boot_uart_funcs *boot_uf; @@ -165,9 +168,14 @@ static char bs_obuf[BOOT_SERIAL_OUT_MAX]; static void boot_serial_output(void); #ifdef MCUBOOT_SERIAL_IMG_GRP_HASH +#ifdef MCUBOOT_SWAP_USING_OFFSET +static int boot_serial_get_hash(const struct image_header *hdr, + const struct flash_area *fap, uint8_t *hash, uint32_t start_off); +#else static int boot_serial_get_hash(const struct image_header *hdr, const struct flash_area *fap, uint8_t *hash); #endif +#endif static zcbor_state_t cbor_state[2]; @@ -288,6 +296,7 @@ bs_list(char *buf, int len) for (slot = 0; slot < BOOT_NUM_SLOTS; slot++) { FIH_DECLARE(fih_rc, FIH_FAILURE); + int rc; uint8_t tmpbuf[64]; #ifdef MCUBOOT_SERIAL_IMG_GRP_IMAGE_STATE @@ -297,16 +306,41 @@ bs_list(char *buf, int len) bool permanent = false; #endif +#ifdef MCUBOOT_SWAP_USING_OFFSET + uint32_t start_off = 0; +#endif + area_id = flash_area_id_from_multi_image_slot(image_index, slot); if (flash_area_open(area_id, &fap)) { continue; } - int rc = BOOT_HOOK_CALL(boot_read_image_header_hook, - BOOT_HOOK_REGULAR, image_index, slot, &hdr); +#ifdef MCUBOOT_SWAP_USING_OFFSET + if (slot == BOOT_SECONDARY_SLOT && swap_status != BOOT_SWAP_TYPE_REVERT) { + uint32_t num_sectors = SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN; + struct flash_sector sector_data; + + rc = flash_area_sectors(fap, &num_sectors, §or_data); + + if ((rc != 0 && rc != -ENOMEM) || + num_sectors != SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN) { + flash_area_close(fap); + continue; + } + + start_off = sector_data.fs_size; + } +#endif + + rc = BOOT_HOOK_CALL(boot_read_image_header_hook, + BOOT_HOOK_REGULAR, image_index, slot, &hdr); if (rc == BOOT_HOOK_REGULAR) { +#ifdef MCUBOOT_SWAP_USING_OFFSET + flash_area_read(fap, start_off, &hdr, sizeof(hdr)); +#else flash_area_read(fap, 0, &hdr, sizeof(hdr)); +#endif } if (hdr.ih_magic == IMAGE_MAGIC) @@ -319,8 +353,13 @@ bs_list(char *buf, int len) #if defined(MCUBOOT_ENC_IMAGES) #if !defined(MCUBOOT_SINGLE_APPLICATION_SLOT) if (IS_ENCRYPTED(&hdr) && MUST_DECRYPT(fap, image_index, &hdr)) { +#ifdef MCUBOOT_SWAP_USING_OFFSET + FIH_CALL(boot_image_validate_encrypted, fih_rc, fap, + &hdr, tmpbuf, sizeof(tmpbuf), start_off); +#else FIH_CALL(boot_image_validate_encrypted, fih_rc, fap, &hdr, tmpbuf, sizeof(tmpbuf)); +#endif } else { #endif if (IS_ENCRYPTED(&hdr)) { @@ -333,8 +372,13 @@ bs_list(char *buf, int len) } #endif +#ifdef MCUBOOT_SWAP_USING_OFFSET + FIH_CALL(bootutil_img_validate, fih_rc, NULL, &hdr, + fap, tmpbuf, sizeof(tmpbuf), NULL, 0, NULL, start_off); +#else FIH_CALL(bootutil_img_validate, fih_rc, NULL, &hdr, fap, tmpbuf, sizeof(tmpbuf), NULL, 0, NULL); +#endif #if defined(MCUBOOT_ENC_IMAGES) && !defined(MCUBOOT_SINGLE_APPLICATION_SLOT) } #endif @@ -348,7 +392,11 @@ bs_list(char *buf, int len) #ifdef MCUBOOT_SERIAL_IMG_GRP_HASH /* Retrieve hash of image for identification */ +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = boot_serial_get_hash(&hdr, fap, hash, start_off); +#else rc = boot_serial_get_hash(&hdr, fap, hash); +#endif #endif flash_area_close(fap); @@ -494,17 +542,39 @@ bs_set(char *buf, int len) const struct flash_area *fap; uint8_t tmpbuf[64]; +#ifdef MCUBOOT_SWAP_USING_OFFSET + uint32_t num_sectors = SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN; + struct flash_sector sector_data; + uint32_t start_off = 0; +#endif + area_id = flash_area_id_from_multi_image_slot(image_index, 1); if (flash_area_open(area_id, &fap)) { BOOT_LOG_ERR("Failed to open flash area ID %d", area_id); continue; } +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = flash_area_sectors(fap, &num_sectors, §or_data); + + if ((rc != 0 && rc != -ENOMEM) || + num_sectors != SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN) { + flash_area_close(fap); + continue; + } + + start_off = sector_data.fs_size; +#endif + rc = BOOT_HOOK_CALL(boot_read_image_header_hook, BOOT_HOOK_REGULAR, image_index, 1, &hdr); if (rc == BOOT_HOOK_REGULAR) { +#ifdef MCUBOOT_SWAP_USING_OFFSET + flash_area_read(fap, start_off, &hdr, sizeof(hdr)); +#else flash_area_read(fap, 0, &hdr, sizeof(hdr)); +#endif } if (hdr.ih_magic == IMAGE_MAGIC) @@ -518,12 +588,22 @@ bs_set(char *buf, int len) { #ifdef MCUBOOT_ENC_IMAGES if (IS_ENCRYPTED(&hdr)) { +#ifdef MCUBOOT_SWAP_USING_OFFSET + FIH_CALL(boot_image_validate_encrypted, fih_rc, fap, + &hdr, tmpbuf, sizeof(tmpbuf), start_off); +#else FIH_CALL(boot_image_validate_encrypted, fih_rc, fap, &hdr, tmpbuf, sizeof(tmpbuf)); +#endif } else { #endif +#ifdef MCUBOOT_SWAP_USING_OFFSET + FIH_CALL(bootutil_img_validate, fih_rc, NULL, &hdr, + fap, tmpbuf, sizeof(tmpbuf), NULL, 0, NULL, start_off); +#else FIH_CALL(bootutil_img_validate, fih_rc, NULL, &hdr, fap, tmpbuf, sizeof(tmpbuf), NULL, 0, NULL); +#endif #ifdef MCUBOOT_ENC_IMAGES } #endif @@ -534,8 +614,14 @@ bs_set(char *buf, int len) } } +#ifdef MCUBOOT_SERIAL_IMG_GRP_HASH /* Retrieve hash of image for identification */ +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = boot_serial_get_hash(&hdr, fap, hash, start_off); +#else rc = boot_serial_get_hash(&hdr, fap, hash); +#endif +#endif flash_area_close(fap); if (rc == 0 && memcmp(hash, img_hash.value, sizeof(hash)) == 0) { @@ -811,6 +897,9 @@ bs_upload(char *buf, int len) */ static struct flash_sector status_sector; #endif +#ifdef MCUBOOT_SWAP_USING_OFFSET + static uint32_t start_off = 0; +#endif zcbor_state_t zsd[4]; zcbor_new_state(zsd, sizeof(zsd) / sizeof(zcbor_state_t), (uint8_t *)buf, len, 1, NULL, 0); @@ -874,6 +963,11 @@ bs_upload(char *buf, int len) */ const size_t area_size = flash_area_get_size(fap); +#ifdef MCUBOOT_SWAP_USING_OFFSET + uint32_t num_sectors = SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN; + struct flash_sector sector_data; +#endif + curr_off = 0; #ifdef MCUBOOT_ERASE_PROGRESSIVELY /* Get trailer sector information; this is done early because inability to get @@ -915,6 +1009,35 @@ bs_upload(char *buf, int len) #endif img_size = img_size_tmp; + +#ifdef MCUBOOT_SWAP_USING_OFFSET +#ifdef MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD + if (img_num > 0 && + (img_num % BOOT_NUM_SLOTS) == BOOT_DIRECT_UPLOAD_SECONDARY_SLOT_ID_REMAINDER) { + rc = flash_area_sectors(fap, &num_sectors, §or_data); + + if ((rc != 0 && rc != -ENOMEM) || + num_sectors != SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN) { + rc = MGMT_ERR_ENOENT; + goto out; + } + + start_off = sector_data.fs_size; + } else { + start_off = 0; + } +#else + rc = flash_area_sectors(fap, &num_sectors, §or_data); + + if ((rc != 0 && rc != -ENOMEM) || + num_sectors != SWAP_USING_OFFSET_SECTOR_UPDATE_BEGIN) { + rc = MGMT_ERR_ENOENT; + goto out; + } + + start_off = sector_data.fs_size; +#endif +#endif } else if (img_chunk_off != curr_off) { /* If received chunk offset does not match expected one jump, pretend * success and jump to out; out will respond to client with success @@ -931,8 +1054,13 @@ bs_upload(char *buf, int len) /* Progressive erase will erase enough flash, aligned to sector size, * as needed for the current chunk to be written. */ +#ifdef MCUBOOT_SWAP_USING_OFFSET + not_yet_erased = erase_range(fap, not_yet_erased, + curr_off + img_chunk_len - 1 + start_off); +#else not_yet_erased = erase_range(fap, not_yet_erased, curr_off + img_chunk_len - 1); +#endif if (not_yet_erased < 0) { rc = MGMT_ERR_EINVAL; @@ -969,7 +1097,11 @@ bs_upload(char *buf, int len) memset(wbs_aligned, flash_area_erased_val(fap), sizeof(wbs_aligned)); memcpy(wbs_aligned, img_chunk, write_size); +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = flash_area_write(fap, curr_off + start_off, wbs_aligned, write_size); +#else rc = flash_area_write(fap, curr_off, wbs_aligned, write_size); +#endif if (rc != 0) { goto out; @@ -980,10 +1112,18 @@ bs_upload(char *buf, int len) img_chunk_len -= write_size; } } else { +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = flash_area_write(fap, curr_off + start_off, img_chunk, img_chunk_len); +#else rc = flash_area_write(fap, curr_off, img_chunk, img_chunk_len); +#endif } +#else +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = flash_area_write(fap, curr_off + start_off, img_chunk, img_chunk_len); #else rc = flash_area_write(fap, curr_off, img_chunk, img_chunk_len); +#endif #endif if (rc == 0 && rem_bytes) { @@ -996,8 +1136,13 @@ bs_upload(char *buf, int len) memset(wbs_aligned, flash_area_erased_val(fap), sizeof(wbs_aligned)); memcpy(wbs_aligned, img_chunk + img_chunk_len, rem_bytes); +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = flash_area_write(fap, curr_off + img_chunk_len + start_off, wbs_aligned, + flash_area_align(fap)); +#else rc = flash_area_write(fap, curr_off + img_chunk_len, wbs_aligned, flash_area_align(fap)); +#endif } if (rc == 0) { @@ -1452,8 +1597,13 @@ boot_serial_check_start(const struct boot_uart_funcs *f, int timeout_in_ms) #ifdef MCUBOOT_SERIAL_IMG_GRP_HASH /* Function to find the hash of an image, returns 0 on success. */ +#ifdef MCUBOOT_SWAP_USING_OFFSET +static int boot_serial_get_hash(const struct image_header *hdr, + const struct flash_area *fap, uint8_t *hash, uint32_t start_off) +#else static int boot_serial_get_hash(const struct image_header *hdr, const struct flash_area *fap, uint8_t *hash) +#endif { struct image_tlv_iter it; uint32_t offset; @@ -1464,6 +1614,10 @@ static int boot_serial_get_hash(const struct image_header *hdr, /* Manifest data is concatenated to the end of the image. * It is encoded in TLV format. */ +#if defined(MCUBOOT_SWAP_USING_OFFSET) + it.start_off = start_off; +#endif + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false); if (rc) { return -1; diff --git a/boot/boot_serial/src/boot_serial_encryption.c b/boot/boot_serial/src/boot_serial_encryption.c index bb88584fc..744b22312 100644 --- a/boot/boot_serial/src/boot_serial_encryption.c +++ b/boot/boot_serial/src/boot_serial_encryption.c @@ -22,7 +22,11 @@ BOOT_LOG_MODULE_DECLARE(serial_encryption); fih_ret boot_image_validate_encrypted(const struct flash_area *fa_p, struct image_header *hdr, uint8_t *buf, - uint16_t buf_size) + uint16_t buf_size +#ifdef MCUBOOT_SWAP_USING_OFFSET + , uint32_t start_off +#endif + ) { FIH_DECLARE(fih_rc, FIH_FAILURE); @@ -34,17 +38,27 @@ boot_image_validate_encrypted(const struct flash_area *fa_p, memset(&boot_data, 0, sizeof(struct boot_loader_state)); if(IS_ENCRYPTED(hdr)) { +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = boot_enc_load(state, 1, hdr, fa_p, bs, start_off); +#else rc = boot_enc_load(state, 1, hdr, fa_p, bs); +#endif if (rc < 0) { FIH_RET(fih_rc); } - rc = boot_enc_set_key(state, 1, bs); + rc = boot_enc_set_key(BOOT_CURR_ENC(state), 1, bs); if (rc < 0) { FIH_RET(fih_rc); } } + +#ifdef MCUBOOT_SWAP_USING_OFFSET + FIH_CALL(bootutil_img_validate, fih_rc, state, + hdr, fa_p, buf, buf_size, NULL, 0, NULL, start_off); +#else FIH_CALL(bootutil_img_validate, fih_rc, state, hdr, fa_p, buf, buf_size, NULL, 0, NULL); +#endif FIH_RET(fih_rc); } @@ -224,7 +238,6 @@ decrypt_image_inplace(const struct flash_area *fa_p, /* Get size from last sector to know page/sector erase size */ rc = flash_area_get_sector(fa_p, boot_status_off(fa_p), §or); - if(IS_ENCRYPTED(hdr)) { #if 0 //Skip this step?, the image will just not boot if it's not decrypted properly static uint8_t tmpbuf[BOOT_TMPBUF_SZ]; @@ -236,7 +249,11 @@ decrypt_image_inplace(const struct flash_area *fa_p, #endif memset(&boot_data, 0, sizeof(struct boot_loader_state)); /* Load the encryption keys into cache */ +#ifdef MCUBOOT_SWAP_USING_OFFSET + rc = boot_enc_load(state, 0, hdr, fa_p, bs, 0); +#else rc = boot_enc_load(state, 0, hdr, fa_p, bs); +#endif if (rc < 0) { FIH_RET(fih_rc); } diff --git a/boot/bootutil/include/bootutil/enc_key.h b/boot/bootutil/include/bootutil/enc_key.h index 7e65ee07a..9240d699d 100644 --- a/boot/bootutil/include/bootutil/enc_key.h +++ b/boot/bootutil/include/bootutil/enc_key.h @@ -66,10 +66,14 @@ int boot_decrypt_key(const uint8_t *buf, uint8_t *enckey); int boot_enc_init(struct enc_key_data *enc_state, uint8_t slot); int boot_enc_drop(struct enc_key_data *enc_state, uint8_t slot); int boot_enc_set_key(struct enc_key_data *enc_state, uint8_t slot, - const struct boot_status *bs); + const struct boot_status *bs); int boot_enc_load(struct boot_loader_state *state, int slot, - const struct image_header *hdr, const struct flash_area *fap, - struct boot_status *bs); + const struct image_header *hdr, const struct flash_area *fap, + struct boot_status *bs +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + , uint32_t start_off +#endif + ); bool boot_enc_valid(struct enc_key_data *enc_state, int slot); void boot_enc_encrypt(struct enc_key_data *enc_state, int slot, uint32_t off, uint32_t sz, uint32_t blk_off, uint8_t *buf); diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h index f6b660fe4..f5431b187 100644 --- a/boot/bootutil/include/bootutil/image.h +++ b/boot/bootutil/include/bootutil/image.h @@ -201,7 +201,11 @@ fih_ret bootutil_img_validate(struct boot_loader_state *state, struct image_header *hdr, const struct flash_area *fap, uint8_t *tmp_buf, uint32_t tmp_buf_sz, - uint8_t *seed, int seed_len, uint8_t *out_hash); + uint8_t *seed, int seed_len, uint8_t *out_hash +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + , uint32_t start_off +#endif +); struct image_tlv_iter { const struct image_header *hdr; diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c index cbf81233c..f61fd74b9 100644 --- a/boot/bootutil/src/encrypted.c +++ b/boot/bootutil/src/encrypted.c @@ -633,8 +633,12 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey) */ int boot_enc_load(struct boot_loader_state *state, int slot, - const struct image_header *hdr, const struct flash_area *fap, - struct boot_status *bs) + const struct image_header *hdr, const struct flash_area *fap, + struct boot_status *bs +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + , uint32_t start_off +#endif + ) { struct enc_key_data *enc_state = BOOT_CURR_ENC(state); uint32_t off; @@ -656,7 +660,11 @@ boot_enc_load(struct boot_loader_state *state, int slot, boot_enc_init(enc_state, slot); #if defined(MCUBOOT_SWAP_USING_OFFSET) +#if defined(MCUBOOT_SERIAL_RECOVERY) + it.start_off = boot_get_state_secondary_offset(state, fap) + start_off; +#else it.start_off = boot_get_state_secondary_offset(state, fap); +#endif #endif rc = bootutil_tlv_iter_begin(&it, hdr, fap, EXPECTED_ENC_TLV, false); diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index 609eaa3c1..735f194f3 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -68,7 +68,11 @@ static int bootutil_img_hash(struct boot_loader_state *state, struct image_header *hdr, const struct flash_area *fap, uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *hash_result, - uint8_t *seed, int seed_len) + uint8_t *seed, int seed_len +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + , uint32_t start_offset +#endif + ) { bootutil_sha_context sha_ctx; uint32_t size; @@ -124,7 +128,11 @@ bootutil_img_hash(struct boot_loader_state *state, /* For swap using offset mode, the image starts in the second sector of the upgrade slot, so * apply the offset when this is needed */ +#if defined(MCUBOOT_SERIAL_RECOVERY) + sector_off = boot_get_state_secondary_offset(state, fap) + start_offset; +#else sector_off = boot_get_state_secondary_offset(state, fap); +#endif #endif bootutil_sha_init(&sha_ctx); @@ -470,7 +478,11 @@ fih_ret bootutil_img_validate(struct boot_loader_state *state, struct image_header *hdr, const struct flash_area *fap, uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *seed, - int seed_len, uint8_t *out_hash) + int seed_len, uint8_t *out_hash +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + , uint32_t start_offset +#endif + ) { #if (defined(EXPECTED_KEY_TLV) && defined(MCUBOOT_HW_KEY)) || defined(MCUBOOT_HW_ROLLBACK_PROT) int image_index = (state == NULL ? 0 : BOOT_CURR_IMG(state)); @@ -507,8 +519,12 @@ bootutil_img_validate(struct boot_loader_state *state, #endif #if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) - rc = bootutil_img_hash(state, hdr, fap, tmp_buf, - tmp_buf_sz, hash, seed, seed_len); +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + rc = bootutil_img_hash(state, hdr, fap, tmp_buf, tmp_buf_sz, hash, seed, seed_len, + start_offset); +#else + rc = bootutil_img_hash(state, hdr, fap, tmp_buf, tmp_buf_sz, hash, seed, seed_len); +#endif if (rc) { goto out; } @@ -527,7 +543,11 @@ bootutil_img_validate(struct boot_loader_state *state, #endif #if defined(MCUBOOT_SWAP_USING_OFFSET) +#if defined(MCUBOOT_SERIAL_RECOVERY) + it.start_off = boot_get_state_secondary_offset(state, fap) + start_offset; +#else it.start_off = boot_get_state_secondary_offset(state, fap); +#endif #endif rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false); diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 25870bc8d..43dcd3f22 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -792,7 +792,11 @@ boot_image_check(struct boot_loader_state *state, struct image_header *hdr, */ #if defined(MCUBOOT_ENC_IMAGES) && !defined(MCUBOOT_RAM_LOAD) if (MUST_DECRYPT(fap, BOOT_CURR_IMG(state), hdr)) { +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + rc = boot_enc_load(state, 1, hdr, fap, bs, 0); +#else rc = boot_enc_load(state, 1, hdr, fap, bs); +#endif if (rc < 0) { FIH_RET(fih_rc); } @@ -802,8 +806,13 @@ boot_image_check(struct boot_loader_state *state, struct image_header *hdr, } #endif +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + FIH_CALL(bootutil_img_validate, fih_rc, state, hdr, fap, tmpbuf, BOOT_TMPBUF_SZ, + NULL, 0, NULL, 0); +#else FIH_CALL(bootutil_img_validate, fih_rc, state, hdr, fap, tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, NULL); +#endif FIH_RET(fih_rc); } @@ -826,14 +835,24 @@ split_image_check(struct image_header *app_hdr, } } +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + FIH_CALL(bootutil_img_validate, fih_rc, NULL, loader_hdr, loader_fap, + tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, loader_hash, 0); +#else FIH_CALL(bootutil_img_validate, fih_rc, NULL, loader_hdr, loader_fap, tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, loader_hash); +#endif if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { FIH_RET(fih_rc); } +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + FIH_CALL(bootutil_img_validate, fih_rc, NULL, app_hdr, app_fap, + tmpbuf, BOOT_TMPBUF_SZ, loader_hash, 32, NULL, 0); +#else FIH_CALL(bootutil_img_validate, fih_rc, NULL, app_hdr, app_fap, tmpbuf, BOOT_TMPBUF_SZ, loader_hash, 32, NULL); +#endif out: FIH_RET(fih_rc); @@ -1497,9 +1516,15 @@ boot_copy_image(struct boot_loader_state *state, struct boot_status *bs) #ifdef MCUBOOT_ENC_IMAGES if (IS_ENCRYPTED(boot_img_hdr(state, BOOT_SECONDARY_SLOT))) { +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + rc = boot_enc_load(state, BOOT_SECONDARY_SLOT, + boot_img_hdr(state, BOOT_SECONDARY_SLOT), + fap_secondary_slot, bs, 0); +#else rc = boot_enc_load(state, BOOT_SECONDARY_SLOT, boot_img_hdr(state, BOOT_SECONDARY_SLOT), fap_secondary_slot, bs); +#endif if (rc < 0) { return BOOT_EBADIMAGE; @@ -1625,7 +1650,11 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs) #ifdef MCUBOOT_ENC_IMAGES if (IS_ENCRYPTED(hdr)) { fap = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT); +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + rc = boot_enc_load(state, 0, hdr, fap, bs, 0); +#else rc = boot_enc_load(state, 0, hdr, fap, bs); +#endif assert(rc >= 0); if (rc == 0) { @@ -1649,7 +1678,11 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs) hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); if (IS_ENCRYPTED(hdr)) { fap = BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); +#if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) + rc = boot_enc_load(state, 1, hdr, fap, bs, 0); +#else rc = boot_enc_load(state, 1, hdr, fap, bs); +#endif assert(rc >= 0); if (rc == 0) { From 96b70086c8e3104564c72f718f5191aa18952f96 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Fri, 24 Jan 2025 17:05:18 +0000 Subject: [PATCH 035/228] zephyr: Fix image encryption configuration for mbedTLS. Add a few missing Kconfig options. Signed-off-by: Dominik Ermel --- boot/zephyr/Kconfig | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 1188f5ae6..f4b9a55f7 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -63,6 +63,15 @@ config NRF_CC310_BL bool default n +if BOOT_USE_MBEDTLS && MBEDTLS_BUILTIN + +config BOOT_AES_MBEDTLS_DEPENDENCIES + bool + select MBEDTLS_CIPHER_AES_ENABLED + select MBEDTLS_CIPHER_MODE_CTR_ENABLED + +endif + menu "MCUBoot settings" config SINGLE_APPLICATION_SLOT @@ -159,6 +168,7 @@ config BOOT_SIGNATURE_TYPE_RSA select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED if MBEDTLS_BUILTIN select BOOT_ENCRYPTION_SUPPORT select BOOT_IMG_HASH_ALG_SHA256_ALLOW + select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE if BOOT_SIGNATURE_TYPE_RSA config BOOT_SIGNATURE_TYPE_RSA_LEN @@ -227,6 +237,7 @@ config BOOT_ED25519_MBEDTLS select BOOT_USE_MBEDTLS select MBEDTLS select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN + select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE endchoice endif From 9a02794a14fa2e539ffe039a986360590d9e025f Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Fri, 31 Jan 2025 13:43:13 +0000 Subject: [PATCH 036/228] boot: bootutil: swap_offset: Skip erasing/copying empty sectors Only erases and copies sectors where there is data present Signed-off-by: Jamie McCrae --- boot/bootutil/src/swap_offset.c | 108 +++++++++++++++++++++----------- 1 file changed, 72 insertions(+), 36 deletions(-) diff --git a/boot/bootutil/src/swap_offset.c b/boot/bootutil/src/swap_offset.c index 7664df929..c7df0c0da 100644 --- a/boot/bootutil/src/swap_offset.c +++ b/boot/bootutil/src/swap_offset.c @@ -454,7 +454,8 @@ int swap_status_source(struct boot_loader_state *state) static void boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, struct boot_status *bs, const struct flash_area *fap_pri, - const struct flash_area *fap_sec) + const struct flash_area *fap_sec, bool skip_primary, + bool skip_secondary) { uint32_t pri_off; uint32_t sec_off; @@ -466,14 +467,19 @@ static void boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *st sec_up_off = boot_img_sector_off(state, BOOT_PRIMARY_SLOT, (idx + 1)); if (bs->state == BOOT_STATUS_STATE_0) { - /* Copy from slot 0 X to slot 1 X */ - BOOT_LOG_DBG("Erasing secondary 0x%x of 0x%x", sec_off, sz); - rc = boot_erase_region(fap_sec, sec_off, sz); - assert(rc == 0); + if (skip_primary == true) { + BOOT_LOG_DBG("Skipping erase of secondary 0x%x and copy from primary 0x%x", sec_off, + pri_off); + } else { + /* Copy from slot 0 X to slot 1 X */ + BOOT_LOG_DBG("Erasing secondary 0x%x of 0x%x", sec_off, sz); + rc = boot_erase_region(fap_sec, sec_off, sz); + assert(rc == 0); - BOOT_LOG_DBG("Copying primary 0x%x -> secondary 0x%x of 0x%x", pri_off, sec_off, sz); - rc = BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, 0); - assert(rc == 0); + BOOT_LOG_DBG("Copying primary 0x%x -> secondary 0x%x of 0x%x", pri_off, sec_off, sz); + rc = BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, 0); + assert(rc == 0); + } rc = boot_write_status(state, bs); bs->state = BOOT_STATUS_STATE_1; @@ -481,16 +487,21 @@ static void boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *st } if (bs->state == BOOT_STATUS_STATE_1) { - /* Erase slot 0 X */ - BOOT_LOG_DBG("Erasing primary 0x%x of 0x%x", pri_off, sz); - rc = boot_erase_region(fap_pri, pri_off, sz); - assert(rc == 0); + if (skip_secondary == true) { + BOOT_LOG_DBG("Skipping erase of primary 0x%x and copy from secondary 0x%x", pri_off, + sec_up_off); + } else { + /* Erase slot 0 X */ + BOOT_LOG_DBG("Erasing primary 0x%x of 0x%x", pri_off, sz); + rc = boot_erase_region(fap_pri, pri_off, sz); + assert(rc == 0); - /* Copy from slot 1 (X + 1) to slot 0 X */ - BOOT_LOG_DBG("Copying secondary 0x%x -> primary 0x%x of 0x%x", sec_up_off, pri_off, - sz); - rc = BOOT_COPY_REGION(state, fap_sec, fap_pri, sec_up_off, pri_off, sz, 0); - assert(rc == 0); + /* Copy from slot 1 (X + 1) to slot 0 X */ + BOOT_LOG_DBG("Copying secondary 0x%x -> primary 0x%x of 0x%x", sec_up_off, pri_off, + sz); + rc = BOOT_COPY_REGION(state, fap_sec, fap_pri, sec_up_off, pri_off, sz, 0); + assert(rc == 0); + } rc = boot_write_status(state, bs); bs->idx++; @@ -501,7 +512,8 @@ static void boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *st static void boot_swap_sectors_revert(int idx, uint32_t sz, struct boot_loader_state *state, struct boot_status *bs, const struct flash_area *fap_pri, - const struct flash_area *fap_sec, uint32_t sector_sz) + const struct flash_area *fap_sec, uint32_t sector_sz, + bool skip_primary, bool skip_secondary) { uint32_t pri_off; uint32_t sec_off; @@ -516,14 +528,19 @@ static void boot_swap_sectors_revert(int idx, uint32_t sz, struct boot_loader_st sec_up_off = boot_img_sector_off(state, BOOT_PRIMARY_SLOT, idx); if (bs->state == BOOT_STATUS_STATE_0) { - /* Copy from slot 0 X to slot 1 X */ - BOOT_LOG_DBG("Erasing secondary 0x%x of 0x%x", sec_off, sz); - rc = boot_erase_region(fap_sec, sec_off, sz); - assert(rc == 0); + if (skip_primary == true) { + BOOT_LOG_DBG("Skipping erase of secondary 0x%x and copy from primary 0x%x", sec_off, + pri_off); + } else { + /* Copy from slot 0 X to slot 1 X */ + BOOT_LOG_DBG("Erasing secondary 0x%x of 0x%x", sec_off, sz); + rc = boot_erase_region(fap_sec, sec_off, sz); + assert(rc == 0); - BOOT_LOG_DBG("Copying primary 0x%x -> secondary 0x%x of 0x%x", pri_off, sec_off, sz); - rc = BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_sz); - assert(rc == 0); + BOOT_LOG_DBG("Copying primary 0x%x -> secondary 0x%x of 0x%x", pri_off, sec_off, sz); + rc = BOOT_COPY_REGION(state, fap_pri, fap_sec, pri_off, sec_off, sz, sector_sz); + assert(rc == 0); + } rc = boot_write_status(state, bs); bs->state = BOOT_STATUS_STATE_1; @@ -531,16 +548,21 @@ static void boot_swap_sectors_revert(int idx, uint32_t sz, struct boot_loader_st } if (bs->state == BOOT_STATUS_STATE_1) { - /* Erase slot 0 X */ - BOOT_LOG_DBG("Erasing primary 0x%x of 0x%x", pri_off, sz); - rc = boot_erase_region(fap_pri, pri_off, sz); - assert(rc == 0); + if (skip_secondary == true) { + BOOT_LOG_DBG("Skipping erase of primary 0x%x and copy from secondary 0x%x", pri_off, + sec_up_off); + } else { + /* Erase slot 0 X */ + BOOT_LOG_DBG("Erasing primary 0x%x of 0x%x", pri_off, sz); + rc = boot_erase_region(fap_pri, pri_off, sz); + assert(rc == 0); - /* Copy from slot 1 (X + 1) to slot 0 X */ - BOOT_LOG_DBG("Copying secondary 0x%x -> primary 0x%x of 0x%x", sec_up_off, pri_off, - sz); - rc = BOOT_COPY_REGION(state, fap_sec, fap_pri, sec_up_off, pri_off, sz, 0); - assert(rc == 0); + /* Copy from slot 1 (X + 1) to slot 0 X */ + BOOT_LOG_DBG("Copying secondary 0x%x -> primary 0x%x of 0x%x", sec_up_off, pri_off, + sz); + rc = BOOT_COPY_REGION(state, fap_sec, fap_pri, sec_up_off, pri_off, sz, 0); + assert(rc == 0); + } rc = boot_write_status(state, bs); bs->idx++; @@ -601,6 +623,8 @@ void swap_run(struct boot_loader_state *state, struct boot_status *bs, uint32_t trailer_sz; uint32_t first_trailer_idx; uint32_t last_idx; + uint32_t used_sectors_pri; + uint32_t used_sectors_sec; uint8_t image_index; const struct flash_area *fap_pri; const struct flash_area *fap_sec; @@ -663,6 +687,14 @@ void swap_run(struct boot_loader_state *state, struct boot_status *bs, bs->op = BOOT_STATUS_OP_SWAP; idx = 0; + used_sectors_pri = ((state->imgs[BOOT_CURR_IMG(state)][BOOT_PRIMARY_SLOT].hdr.ih_hdr_size + + state->imgs[BOOT_CURR_IMG(state)][BOOT_PRIMARY_SLOT].hdr.ih_protect_tlv_size + + state->imgs[BOOT_CURR_IMG(state)][BOOT_PRIMARY_SLOT].hdr.ih_img_size) + sector_sz - 1) / + sector_sz; + used_sectors_sec = ((state->imgs[BOOT_CURR_IMG(state)][BOOT_SECONDARY_SLOT].hdr.ih_hdr_size + + state->imgs[BOOT_CURR_IMG(state)][BOOT_SECONDARY_SLOT].hdr.ih_protect_tlv_size + + state->imgs[BOOT_CURR_IMG(state)][BOOT_SECONDARY_SLOT].hdr.ih_img_size) + sector_sz - 1) / + sector_sz; if (bs->swap_type == BOOT_SWAP_TYPE_REVERT || boot_swap_type_multi(BOOT_CURR_IMG(state)) == BOOT_SWAP_TYPE_REVERT) { @@ -671,7 +703,9 @@ void swap_run(struct boot_loader_state *state, struct boot_status *bs, uint32_t mirror_idx = last_idx - idx; boot_swap_sectors_revert(mirror_idx, sector_sz, state, bs, fap_pri, fap_sec, - sector_sz); + sector_sz, + (mirror_idx > used_sectors_pri ? true : false), + (mirror_idx > used_sectors_sec ? true : false)); } idx++; @@ -689,7 +723,9 @@ void swap_run(struct boot_loader_state *state, struct boot_status *bs, } else { while (idx <= last_idx) { if (idx >= (bs->idx - BOOT_STATUS_IDX_0)) { - boot_swap_sectors(idx, sector_sz, state, bs, fap_pri, fap_sec); + boot_swap_sectors(idx, sector_sz, state, bs, fap_pri, fap_sec, + (idx > used_sectors_pri ? true : false), + (idx > used_sectors_sec ? true : false)); } idx++; From 724ee7ee12c90a0c813903b807cc8bd5b50a68cd Mon Sep 17 00:00:00 2001 From: Mateusz Michalek Date: Mon, 9 Dec 2024 15:36:37 +0100 Subject: [PATCH 037/228] samples: compression_test Stand alone tool that extracts compressed stream from signed.bin, decompresses it and compares against uncompressed application binary. Signed-off-by: Mateusz Michalek --- samples/compression_test/README.txt | 32 ++++++ samples/compression_test/independent_cmp.c | 108 +++++++++++++++++++++ 2 files changed, 140 insertions(+) create mode 100644 samples/compression_test/README.txt create mode 100644 samples/compression_test/independent_cmp.c diff --git a/samples/compression_test/README.txt b/samples/compression_test/README.txt new file mode 100644 index 000000000..fcf6fbd4a --- /dev/null +++ b/samples/compression_test/README.txt @@ -0,0 +1,32 @@ +Independent LZMA test +--------------------- + +This tool finds and extracts compressed stream, decompresses it and verifies if +decompressed one is identical as before compression. + +Building and running: + + change directory to the top of the repos: + + cd $ZEPHYR_BASE + cd .. + + build tool: + + g++ bootloader/mcuboot/samples/compression_test/independent_cmp.c -o indcmp + + build example application: + + west build -b nrf54l15dk/nrf54l15/cpuapp -p + -s zephyr/samples/hello_world/ -- + -DSB_CONFIG_BOOTLOADER_MCUBOOT=y + -DSB_CONFIG_MCUBOOT_MODE_OVERWRITE_ONLY=y + -DSB_CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT=y + + + compare application image with the one carried by signed binary: + + ./indcmp build/hello_world/zephyr/zephyr.signed.bin + build/hello_world/zephyr/zephyr.bin + + note: order of arguments matter. Compressed goes first. diff --git a/samples/compression_test/independent_cmp.c b/samples/compression_test/independent_cmp.c new file mode 100644 index 000000000..fc9a32675 --- /dev/null +++ b/samples/compression_test/independent_cmp.c @@ -0,0 +1,108 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#include +#include +#include +#include +#include + +#define EXPECTED_MAGIC 0x96f3b83d +#define LZMA_HEADER_SIZE 2 +#define FLAG_LZMA2 0x400 +#define FLAG_ARM_THUMB 0x800 + +struct __attribute__((__packed__)) image_header { + uint32_t magic; + uint32_t unused0; + uint16_t hdr_size; + uint16_t unused1; + uint32_t img_size; + uint32_t flags; +}; + +int main(int argc, char *argv[]) +{ + if (argc != 3) { + printf("needs 2 parameters: signed image file and application binary file\n\r"); + return EXIT_FAILURE; + } + + int app_fd = open(argv[2], O_NONBLOCK); + + if (app_fd < 0) { + printf("Opening signed image failed.\n\r"); + return EXIT_FAILURE; + } + int signed_fd = open(argv[1], O_NONBLOCK); + + if (signed_fd < 0) { + printf("Opening signed image failed.\n\r"); + return EXIT_FAILURE; + } + system("mkdir -p tmp; rm -rf tmp/stream*"); + struct image_header ih; + size_t rc = pread(signed_fd, &ih, sizeof(struct image_header), 0); + + if (ih.magic != EXPECTED_MAGIC) { + printf("Expected magic value at the start of signed image.\n\r"); + printf("Input files in wrong order?\n\r"); + return EXIT_FAILURE; + } + if (!ih.flags & FLAG_LZMA2) { + printf("Signed image is not compressed with LZMA2.\n\r"); + return EXIT_FAILURE; + } + int lzma_stream_size = ih.img_size - LZMA_HEADER_SIZE; + int lzma_stream_offset = ih.hdr_size + LZMA_HEADER_SIZE; + uint8_t *lzma_buf = (uint8_t *)malloc(lzma_stream_size); + + rc = pread(signed_fd, lzma_buf, lzma_stream_size, lzma_stream_offset); + if (rc != lzma_stream_size) { + printf("Error while reading compressed stream from signed image.\n\r"); + return EXIT_FAILURE; + } + int lzma_fd = creat("tmp/stream.lzma", 0600); + + write(lzma_fd, lzma_buf, lzma_stream_size); + close(lzma_fd); + if (ih.flags & FLAG_ARM_THUMB) { + system("unlzma --armthumb --lzma2 --format=raw --suffix=.lzma tmp/stream.lzma"); + } else { + system("unlzma --lzma2 --format=raw --suffix=.lzma tmp/stream.lzma"); + } + int unlzma_fd = open("tmp/stream", O_NONBLOCK); + int unlzma_size = lseek(unlzma_fd, 0L, SEEK_END); + int app_size = lseek(app_fd, 0L, SEEK_END); + + if (app_size != unlzma_size) { + printf("Decompressed stream size and application size mismatch.\n\r"); + return EXIT_FAILURE; + } + uint8_t *unlzma_buf = (uint8_t *)malloc(unlzma_size); + uint8_t *app_buf = (uint8_t *)malloc(app_size); + + rc = pread(app_fd, app_buf, app_size, 0); + if (rc != app_size) { + printf("Error while loading application binary.\n\r"); + return EXIT_FAILURE; + } + rc = pread(unlzma_fd, unlzma_buf, unlzma_size, 0); + if (rc != unlzma_size) { + printf("Error while loading decompressed stream.\n\r"); + return EXIT_FAILURE; + } + for (int i = 0; i < app_size; i++) { + if (app_buf[i] != unlzma_buf[i]) { + printf("Diff at %d\r\n", i); + return EXIT_FAILURE; + } + } + close(unlzma_fd); + close(app_fd); + printf("All checks OK.\n\r"); + return 0; +} From 25e2761c669035c991dff115f03e34f1505bd97a Mon Sep 17 00:00:00 2001 From: Mateusz Michalek Date: Mon, 9 Dec 2024 15:34:31 +0100 Subject: [PATCH 038/228] doc: compression format describes internals of signed image with compressed payload. Signed-off-by: Mateusz Michalek Signed-off-by: Anna Wojdylo --- docs/compression_format.md | 172 +++++++++++++++++++++++++++++++++++++ docs/images/decomp.png | Bin 0 -> 41701 bytes docs/imgtool.md | 126 +++++++++++++++++++-------- 3 files changed, 263 insertions(+), 35 deletions(-) create mode 100644 docs/compression_format.md create mode 100644 docs/images/decomp.png diff --git a/docs/compression_format.md b/docs/compression_format.md new file mode 100644 index 000000000..ddb99d534 --- /dev/null +++ b/docs/compression_format.md @@ -0,0 +1,172 @@ +# Compressed binary file internals + +This article describes the structure of the +`zephyr.signed.bin` file when image +compression is enabled. You do not need to know these details to use the +image compression subsystem, but they can be beneficial if you want to +use them for verification or custom integration purposes. + +For an example, see the following structure of the file: + +![LZMA header](./images/decomp.png) + +## [LZMA Header](#LZMA-Header) + +The Lempel-Ziv-Markov chain Algorithm (LZMA) header is crucial for files +compressed using the LZMA method. It contains metadata essential for +decompression. The `lzma2_header` encodes compression parameters using +two bytes. + +### [Calculating compression parameters](#Calculating-compression-parameters) + +Compression parameters can be calculated, retrieved, or changed +depending on your needs. For details, see the following sections. + +#### [Default values](#Default-values) + +Compression parameters have the following default values: + +- `dict_size`: 131072 +- `pb`: 2 +- `lc`: 3 +- `lp`: 1 + +#### [Adjusting dictionary size](#Adjusting-dictionary-size) + +You can calculate the `dict_size` using the following method: + +``` {.c} +unsigned int i = 0; + +for (i = 0; i < 40; i++) { + if (raw_dict_size <= (((uint32_t)2 | ((i) & 1)) << ((i) / 2 + 11))) { + break; + } +} +dict_size = (uint8_t)i; +``` + +With this method, `dict_size` can have one of the following values: + + |Hex Value | Size | + |-----------|------------| + |0x00 | 4096 | + |0x01 | 6144 | + |0x02 | 8192 | + |0x03 | 12288 | + |0x04 | 16384 | + |0x05 | 24576 | + |0x06 | 32768 | + |0x07 | 49152 | + |0x08 | 65536 | + |0x09 | 98304 | + |0x0a | 131072 | + |0x0b | 196608 | + |0x0c | 262144 | + |0x0d | 393216 | + |0x0e | 524288 | + |0x0f | 786432 | + |0x10 | 1048576 | + |0x11 | 1572864 | + |0x12 | 2097152 | + |0x13 | 3145728 | + |0x14 | 4194304 | + |0x15 | 6291456 | + |0x16 | 8388608 | + |0x17 | 12582912 | + |0x18 | 16777216 | + |0x19 | 25165824 | + |0x1a | 33554432 | + |0x1b | 50331648 | + |0x1c | 67108864 | + |0x1d | 100663296 | + |0x1e | 134217728 | + |0x1f | 201326592 | + |0x20 | 268435456 | + |0x21 | 402653184 | + |0x22 | 536870912 | + |0x23 | 805306368 | + |0x24 | 1073741824 | + |0x25 | 1610612736 | + |0x26 | 2147483648 | + |0x27 | 3221225472 | + +#### [Calculating literal context, literal pos, and pos bits](#Calculating-literal-context-literal-pos-and-pos-bits) + +The second byte of the `lzma2_header` carries the following parameters: + +- `lc`, which specifies a number of literal context bits + +- `lp`, which specifies a number of literal pos bits + +- `pb`, which specifies a number of pos bits + + These parameters are encoded with the following formula: + + ``` {.c} + pb_lp_lc = (uint8_t)((pb * 5 + lp) * 9 + lc); + ``` + + To decode these values from the combined `pb_lp_lc` byte, run the + following code: + + ``` {.c} + lc = pb_lp_lc % 9; + pb_lp_lc /= 9; + pb = pb_lp_lc / 5; + lp = pb_lp_lc % 5; + ``` + +## [Extracting LZMA stream from image](#Extracting-LZMA-stream-from-image) + +To extract and decompress the LZMA stream from the image, follow these +steps: + +1. Determine the offset of the compressed stream by adding the + `lzma2_header` size and the value stored under + `image_header.ih_hdr_size`. For the size of the compressed stream, + see `image_header.ih_img_size`. +2. If the compressed stream is isolated and stored in a file named + `raw.lzma`, you can perform + decompression using the following commands: + + - Without an ARM thumb filter: + + ``` {.bash} + unlzma --lzma2 --format=raw --suffix=.lzma raw.lzma + ``` + + - With an ARM thumb filter: + + ``` {.bash} + unlzma --armthumb --lzma2 --format=raw --suffix=.lzma raw.lzma + ``` + +Once the command is executed you will see a newly created file named +`raw`, which is identical to the +image before compression. + +## [TLVs](#TLVs) + +The following Type-Length-Values (TLVs) are used in the context of +decompressed images: + +- `DECOMP_SIZE (0x70)`: Specifies the size of the decompressed image. +- `DECOMP_SHA (0x71)`: Contains the hash of the decompressed image. +- `DECOMP_SIGNATURE (0x72)`: Holds the signature of either the hash or + the entire image. + +These TLVs are placed in the protected TLV section, ensuring they are +included in the hashing and signature calculations during the +verification process. The process for choosing the type of cryptographic +signature and hash algorithm used for securing the image is the same, +regardless of whether the image has undergone compression. + +## [Sample](#Sample) + +For practical implementation, you can find a simple stand-alone +verification program under the following path +`bootloader/mcuboot/samples/compression_test/independent_cmp.c` + +This program demonstrates how to independently verify the integrity and +authenticity of a decompressed image using the specified TLVs. diff --git a/docs/images/decomp.png b/docs/images/decomp.png new file mode 100644 index 0000000000000000000000000000000000000000..a24220fa5c60fd71e78e37ce49461b5ebf26d2bb GIT binary patch literal 41701 zcmZsCbzGC*`}b_cKt({wj{ztlf)Y}*00HS{bmw4nPeni(p&(sK=SDL|Ou*4yqsC-( z4aw1aZuIkgp6~DVd;So&vvZ&Oy3V=ImGA45ijwSQ8YUVL2y|KQ^(!?H=wvJiblT$l zNnph6gAW<_?}Uq*>o-2*zK z-EDq9GB&gs8O`-T_#=c*LCyYZrCv;i4)fpzXt^kH|M#3+tFTM{T-Sn2rDaloyY}C& z@S|?9lU>s;xSPuPV8jx-bui{gEr&b~Pe}c0|G3gy1B@1$%JEl_uZV|8E_y8ug{G(c zT}d|CYCHj^6^$ETgymbvg+mC)=w%Ir>t4|ZBl@0B_x!Y{6MDTt(h!MUHm z?Nuatdny1|3B0Gp`1o__8w9^_Vu|SO_ar{D<<%E?^&|*Di}@p+q|a;r?{f#3Z~;?4 z#@KCO5<3UR>}-w=ok$RwkfJU}geC`*Nl)=f!>v|GA2g$Lj%>J%W z#%L+u%ObWUsa#DA=4esepj0yvHNLJFN#K3*GV@5lsb;TVWTJP;lH9S40khyb-ER4v zcWo-q_|ikd(C)ufABI-F92!@A0Tt0n>Hz2KNnAB~!MR_zE>gEqQWI?*O@2k~3iSJ| z#;t#oRSY4q6-nkjTJXT+-3T0#$t7Frl*;2s(SzOKrP(EO6@*bHT`A|y zRD)d)kiX{&BvQWRvVel2fY7il3aiInwdiVgXe_ezacJ=Iy+UYQzWWG8&AxwtbhaFi zNBUZzG_}M|*Zp=6QuNWzEH}>`mW3d>#B%0!9u#8G-BvcE3%nYpE(h! z|2Z?}2`R#?HV>)X#-|SxxezZ~B&utEpi&}AQ;_69=zDE&ID*Zg@vvO2P*Zb@?aPW9 zR7`qdT8_8SQlM~JewY-rajV6T&b-Gl`><-1_ubYh<_IfrW*K8(uT1>VaZe|S_Yna% zZGV43X-0@KCaE|1uv9fyaXEwh%7|P4h8psTHm|Dm2v4DFqPk|h-F~kVSV_w(t?yoZ zvDWBP^p$#aS44GLq-MC;7%83h;cb_Xm7*Sgx7%NP&^!!_$Iz{TCaXL-me6~Mz;>>^ z%{_Mumwd>$Py5DzFEX{9uh93I=SX-#8J>sry(Xlug}b@fW{v*J!`qL~GjO%b^M4}k zx^e^#7dUSl&Annrkq*B2s@0|7G&{7L)M9x^#FotH%Iy~%V_%}Ty)$1H*(xyAlgwoU zaINqAE)$$DVlL@?|EdU)z{D)IO>18pD)UTTLM;+yN6w1+-tBLzhK^6`_>SM!Ddz|S zPAwgHR$!qk2M8hCz@$Wvgww%kAO#w$g> z>dN=PS2QgOkZ;ZKy9`|KoneQ2o9lz6`F6ZYv&m#;2V9hWs%F=|Fku8+Bkyc!wEAjw zXm2xO?;P}9cN>GF9FK#XmRG+V@=JZ+;2$1L6_{+Ww?BHEK+t^x2x?kTs&2enW4Ij{ ziKFv#Tx(dUrc;BTfOpdQiCitKJi`}nY=NjWA8|kmGf-UCSr@kN6nNok4HvEsMA+y4 zIqUY?FkEX1uqpOaN~mZPtpxJdLf$^&#})RJa~{7!x(P?ij#>*)c6T=d;o}pDLX=P1 z>d&kPb=PzWqzSlV>N%nUrILFij8}6)-1#SKzt#kB@Xvc9`@%M!8RV`+{Jocf6S z^wSt7*uQDD%Q?9qB=)^|n))k)opq0zdhL2@KVGWW!||1E3KUYaZS!Jh_8(5BbK2Yy ziX&_8{*-m0W6mGdad6H|I6(>sXC%2p|6Q&C3QImn^;=le6?u56Z&$`nnf8QFZ17ae z!===DX2u_GL#61DTXx$HTH(HTnGzBQcpMM81mH7fowaO$;u(1Dw@iJ)T!c=z#ok=Z z`u^`eKsn2H&Q3iknk;-1xoPJ1qUAd91JqKS!2|Muw!AWBHt-!^ZQ<eW>#?9YXR+HC zKb2H?cRH^Mmz0it!|mTjSwan$1Cuv|iIaEC1%Lx?E^RILq&h5C^3TrWcs2~6)%(cg zxztYovoh!7T>!0qY-~Ic)wckPa$fiKzXShY>tpGSpe}iUcUGbv0}h7uMm2mpU@5|X za#iUoCAS$xJ4>={>u=8KtHsqs&M;%CKmpWi8?GGka6z+e}!~JzIb*w zyM*7nD^Ug!V+Zt3wlno#JP)Srp@%WrYYSIDX6j~!oB zH8fL*zILR`imkJW9?rj;5-C@@OLp^rPtQ*Z)Tej_NBFV8-v1_YZ7Kz zqsP8kYYbbP6lo1K$UEd+mZLVK{o7|xfu5atz@U8kTXUeh;EmE=TXUk5jhKzb079K# z@P)kA!i8CJ6E1m|3Bf3GF++y8%da^fWo8feyvNma+QZRL#+Yt96Kb3MceRJKMw1(B$GT`KWtMkFUd^`fsd*&2E5r14)KyEMDp^uC52eP=va@7wFf&l9 zN2Zqe)rtLMF zI=^L}88n}0QGT{eZit3!i5}VCAhQvqmtqgdTu@ve3EC7^8jdRmy}$h}bzpYhJPGns z|AR*=4s&tc@7=Q`f|{h-C7w$cxY=#itm_O79BNS``bzU(EjLF*IH5Y8li#10toE9h zH&|XwFMrQ4lo(rf`=w(S>O2S(@VXe?@aboy&d)rI^))W8z{5Zfoge30`BwP1&(iNj zeo3<(?cxmBa|@tjufA+^C46gQ7iK$9q&kH+$0zvcO{jbi?Con?#RZJ^g=GPk_$~c4 zbJ)mFhS&?h?bNx(E2R)QS$zu^^Kj~-nROAskARLZ@)i5lP^ZLeaJ2jn=d);c)b1c~ z=%WAojz&M=lgh5H18#H6IRySD#cv@hAmh#YsU>4o*F=h{k!Uyf>iIF@##OfsO&8Ex zzIQms7kNDCzscH!y``brmcj-?#^b{ul8v&Ms}?6g%MW!9IPaYujH>^q8f#;Bw7)t` zu{eI~B_|hzkv>+c)^}@p(fbnvzco5>nSJcs9;)^xndSqw`ysXNX_2SW6SeM}ITChr zU-;RVl~^grhSjhB8`tcg6x>5!v)A(~x?gk3Zn$O#T7VQukOZ_(`mxG;UE%2~P*dqx z;{8fr5VzyFQtUa}CBLyKY7%U>yB#M-(Wxx$cTn>xyGUjea?f=%tO-fMp7Qv13N*~7 zBk{z-R(3X<>>PLu!Uu&|KOrP^;o}u*&pudsA#)sK$}E{!8+?j#tI)yIVg= zFhDsP+ZK7|q&W$y^{T|*nZ>~TCCA15cf6g`*JYST6&GK#jHi^jIx3F)O5QS3=y5Sc zFfN?{y1DI1%7rWV-C*=glSgpv@ z7*)dB{5ALLST7T7lYUlaCQSH}P^%i={mIDvCO}6TpEX`1&DBG{c#Zd%*W8cQ`X-kD z+j;@i>i%-k!Mc#Xr^iJ!K1Wa49aoZkxvpiX@;UgI3m`z9#ZwHlV2p4?ZTubjGZ-2! zb%g~-&t2LEw?JqvY$8O;?*1c(mjLfFdJ+jJyDKP;f+JQpf8(>DM*@J+`M)Nk_!WXD zDJc~D^2~NbWBfvffbJ%}ut>A!yyfUS&!!(%O8UDrWpppP?ggiz*SK*NE4-2C6t4j2Km zaaxq}l}N!>+JXRSGEy)`mDtnuN5+xK50(lwW#Rn}ef$N3+)2JK0TXu?LHsZfC^I>^ z(&0_i39Od0+Iz?TCgKJkaQB7{igpxV>*sILwZ9h-GTYCMoRfcODwH>_H&&8hfs)Q)qqjW_X3W+9g`?sOXG$8TjuM9@N42(?UXWR!OwgQIl*CHba?~)=P$XMD%;QHOQ z67c`z)ZdrLE2R4lHK&N?KDEXA&^@Xl2yquUwmd06IJy8b)&@lHL1XJtvHvgGoZj*^ z^Q~~GHRO;c@xi0bGnMi)31!LAvqJNBJyZA`4va%B=P7|;AuEUg@-j`VZf!$UQxJ(2 z;90K7^ZqBN61YUxn`V9_Oqt*gXuO7id z3sj6Ap&YEIQ%-_jpG5?7p6A+cHfz&pAy_U8K~In5)bs{@=X{DWJ!7@c)FJJ-qF31W zEh8Qqj?*suedKTU@-F2D=$YXEaCSUpmR~Ow^)kL=jushxG;mK=o43*v%%yun$u=4Z zT@&Iq2M(cUdX{0eR0E+cr9tNSGJGc~l#wGw?X+_VO+?I<&-Nl26G20IxBZIu=18A( zx6HL&DzYtCgLvy?0!QXZ^+7V^2cWm+?&G9MS^R7<<4gWeL7ZDtD)08HwT}XRKl|LI zmM%LPQ?~xL>@u)#=R*R8g*FIQ+ao?qngx!^84l`=ML2w3QQh}1J~W_z;#n)v4GXVK z;5XQ8nY_%g1(U>t92l!WPBcEX(9Y#n3*RDiq(|nXIVByOHBuRvYtHxEKC4 zm6s5*hEKY8>BoGh2pT>DGL7YP*$GCz$cB}7IIi231#Du>-8SzxzVX=1N%VT$;h9M0 z`);%L5vS*CrNT)T8(|x=Ww*7;wt7?Awyl(&s6A!Q+dzWdb;OZoA3Q+@{Uum`7>2M~ zq?yrRn@VAK_pYmUTv@s?_Px!+Wt&V8qCJTi^UmWUU-vqMy^|N;ue@d;K6VL}GvN|< zIrmUZv|<&!DYFtX>rkECFV&eWS%<}Au~pf^_)g^}5>irt%(4hcvpp{xf{b(s*V2|| z?L>MlwpLJn7k#ruJSFp)EIm|HCj7cm9`3Zs@{skWW;GXFyU#6)1KxxwTx!nBsC@^6 zZT+rs1e>+ZH6zj>zqw_W18uqiQxqa|IgIm+U6_5OZ4h7XtW|QBk7%6DKA*LVk@EUk zB}WCtAlZ8dDx44lI@UUC>?Zf!;HiZ_XJr3_w5IOcLVB>bn+(wc<5$@w{rmXVQ4b+= z6VEAH|HP=o*BqgL47)ekWnL<{nZkQ=KxT^mT-TMrLLhCiou=QH^0Ltd$+0r=OG8{- z<6`wgHSsixLFH5NEQWpi0yc4iG{@4;XooqTIm;!D&hO)hmUiNTZ!MvLQ|!GotkOf7 z9v@mH_dO}C;%T%yp9g5Pp_YcBvylesJmFX~5H! zWjLBY!uEzbGrE~q3o~f0$afnK)9C1@vLDjvf%mKXGrf?({CT#mgM3ibJ@GIhL&xxF zK0_O;fHi|Jyq#M1lQj9IlZ3S%6cK1$ZLekMiiloP&oomXDVQCSZ&H9x!5y3<1mW3OhEQx9nUBJ`#|114$N zns{xXfcWI5#bW6PaKT-Q0wYgN0*klJOrZ>dS;EI8zQxe8FEhMjlDKke+i-%o5LMWov#Iksh6%0>tSMGsZGq9rAHH4x^KX^M7ME3 zF^{6t#|KsNZE1Mw&4W3y`0-p5Yqim#+}#wL-sl48+J%(bq6=AN=)8F#p@iGAt28Ir zw~&nXepv`MOC_dfqkT-`v{7DzZm4O?);tTs0S+?maK}2^2%y-st1Cj8ZDO^Ke^~&L4dtP^F?zUtO2#bR0@l z--rnLhiw06KV>fWi`eK#=tdUuq$Oy2Z4Do-w1wf%$37Q|ttW5K+Q+-*~!g9l?KzIQHebkK95AdnBq&;k@ zeH{`QwZ)X>*!LqXC#sVZ*m$}l(S(4KSl?9NasSMp9Hj=#fr~6sH&Qto`24p$@RTD` zFm--|sN#0C7+bfs+I3{7_M=9jQ-I%oL!Y)g4q#+4ky2zH7Yl1uBW5vt!v|VD~JC)?N=q)=EIu z(_3vXcXCSGg*mA8g`PLyz43j-yX2FTL22~#!M7#;%18D=$hL0wIF{hNnhGPQ>em%J zy%efeJY+CyM_aj$Ix*NCc{1o1h3G>Ykoug067aEvp`54^?x;m_%@mk?8UDzi1l_>M zwxRI&WtD%Wb)dV}EkoEZ3du~Frmm6xh-;zOa1+wq!&SdAmF|P&P}r+QdkYryKJw5P zYhc<;+vmy@k*SB3an4&yU4AdMno{ge2NRGjYH_XR*Gj#_lwvl>gHsy4R zFF*1DvOb6c+EVu5@&@OuQt+_rOY@ijGy?T0U`y=B=-s4B#Cwb&NW$B(8rpUgP)sy`Fl|>!UTKU9&99AZZwmS~^5d@E283}kz^^Bz<=}%dca>QqDa{ia}m?4YKFRoYM_wY1WW_sj{o3WQ!fT> zGctT@dOt7pg(Q0Lw&%*Sjq-^##M8ZZ!4Dq&jznsvJSrLHL{Dbn$Lb;D#9US73;QfZ zcb@)ns#XjpKbh2FS;=nBE|G=beEg%ZN235O>Go?Nhw8FtI8xwUp-1o~PkyA?8Z&lJ z103pFB>8X`@uHJm)P>9Gx@PCL`bfiJTPe!cvd5n~l)c$nIg-w(D`cxZpiB3u%kOm6^IV+g8PGh_EmGU7DgKm~rBW89wt)Himq`-=2Jqeyag?@!io;K& zk}J)RHe(gHfq?PI4VqGZ*neMF@*m&w9XUvJ)^_BT9Bno}+b1X`3X@B8TxlM0WLju8 z*8R*lg4@=l%tjrKjqu8jm+oD3i!^l?q=!ruEEZ=M*5!GkHe%u|xwv}PuOI{RZUd}g zp>L7Go}-&_SwZ{Ek8SpwS;^$o_|7f9 z-uc3>BG>i=i70crQ{tLPt~hK-4ZDm>XK*dazdd?r?4K@KXTp)! z$^0(QD^t4@`sh#Ef~$CkdKAk)z=EsA?wE+eX&SgJ1V_MZ>YR7|*%D)AeeYO+)Q| zduA*14O!#SERPJwZr7D=tG%bYT4L+v2eYJdnIU*%wz`>H?S21~(}8rG7@K!lxT(sx z!L!Ztmh+9H(H-8^#p;JF(t64*J;mpRzkBrT2ztKEx`}Vi(m6cHifwXKX>tzG4l|#H zt{G0IdQoH#I~HCWa!;C5J>SG%I=n$qCe3R)-12w8^Ej4&FV=cH;e9~kifXmrdLh0q z_x?E@YM&D9%d_9Xnpy7}llnr-#lfD%}B<~MJ;eXx44>VoD7_#arhZKKvaM2I2 zaq^C_S^mY8qZsNprn>r!n6WUL>e$|$ODTOwr#)dm=5!b~G%F<9RET86p?=nLwTau@9HYc973SRMwMtF!`Wc;-Q3W6qnte#KUBj z61?Uby_$ZnI!eOsI1kxzu{E{kpuMil+f}XS3mLj%?};(bZ8lv&hUkf`ObgFmeKn{4ID08ZZj2}~K4Yn!suW^hXnCkE zncRegiVNS@HI_t-;XQ5Z<65k;c;uVQvN7s~-gh>+4-uJe15YenOBJz)RV+K?-TWXJnm z&ubt^Ya?$s)^AdKHhPeUPg&2}Xq$B;G0tDrgDrQ}_?12{^t;XQ@1yP0;@6Yp_rwU| zRUhh(+OBNhf#HHwX7Hkj1(~xDT06AK{^Pdb>h*CI4S3%0a9Vfg-N2zjlF|BXgwst&(t{-wDRp0i#Z9Lcnr#|=_J`>I2!RTRAF7`v+M@grmKb{#38KT@B z%IkmF%kMwctF9Sv#|FS_fu=iJNLb1oSR)_ug{$y1P%BNU(m6n|*Jv#HFK-Y%DKp)F z62Ui*oxvr@!CtzN??L-&t{YJE{Lc9|Q*3FnMx+i!42EELw;zi?rA0*SOaE+ruEx1L zX<2lCk8d@HA8r}#@xcMI8p~X{?-Mab*wYf-!1md|dC)uUQ@S2qIoUHz1?89{gLQeM zxX}X_#~IGc>Yg-blphVlphOZQ9<@U0BLeKNBzfuhURt-nZ>1&v2k*XAiK z<)#;AHvj9M98ANJ0^vlEk4r-5Q*o^6mZ8 zONja_F8d7Bj%xOta;e=d7m-?H#8RvAXV&qU`}+@+ruPN!DvKn7dFmJMi+G&F)xFDS zTY8V9?@ut67pC|^@-5dG@HbLk)YDyZPli-@g0I4X?HVsA)RXX%3ywN8+kZw4L%NTi zh|2V};Q`7s`T$AH+#^8!H~M948yP znHn-@DrFx_mlrLuxP7CrvE?E2pP=p6%-Od}Gkd@x@{EJtQuS=-;hX)Yt?t@>dP8>M z;nicE{#!*UzJmH9er#Gkjb^s_SVJbE)7{i2y}OAS2__18yDJ_WxNMc*rvsAbV)%}7 zJ?gTxE}SEAKQ8m6mOMeV9&JSxuw9FNBVhHRyqRPp&eLhvGx)2keR8qR#IjE^oM~B! z{E}HPdf(uYU3}|0GB9z8vsy7Ok9%%r_q*PhoYEEq-#yc4Q0)1LNJ(s9A(QP5SJG^| zxt^p-%&f#jB;VE_$a|VHz@b>WKNzL>Dk^Ml63x{yAA}Q{Uty^B>*S2L{2J~Po@caL zXIMKH;w=F+7(N5-CvD4G*z%^783!>?vQKTOb+r9NYdf#qGktU>Pk}YMP3T`zuO{oZ zMfnvM>AB3VbCn2siy#)cSM)HSJh3+hM`wd=^Vo$ifAcAEl@UIvvY&r$Mi)Gsg7WAc zuCtZ!vK`}N6_-WlsJaZ<%VL4()3{_yq9c#b=vAL)* zPquKshB6*@)qsatd)q;Z@(IOEJd*X#B>qGMedIO|Kd;@ryFxVD(^N_65S#+PnG4NL z3R}(J5}C6rE^}%87<%~Y$XXNwKK)*rwzn~w_U&|@Yu#SZ-%B@!bGtD zL?S6?F*(B<7q+;R-KrOgFP>*Cw|ls)Y?Ot8E_sP=Ur=|{DLq?iBhKY*R}PJev@G~( ztNiF{ccJb9Es^>ODF57n-fbqW<@ThUmobvD0}33CDp4#3#na{ni34-#TfF36J?H$N zVNW1()fQWObMHr!Bcts!c%dvcR8h%0A@kot7t_AY(Jd;cEV?r*7diEE3yJRuZn-gc zHx}3SB5TxM_RTsucXD!c>YORx(o6x)0#dr;c-ZQpImz$;yHD}lNC~bMoQAih3g%;% zqoj8i9(V>q0%aA>y{=$Zb9`x6_!+4)wRuCyvf9$!szdH^h9hM7b$Wh-uFZ6K2d!I= z_HIXsJ&Yej0QW*zu-3kegYujk{ZneAP_y*OG?~sl*g~zn5$D6JQWU-JMstKvr0Jx2 zZP2g4aYc6yynSEGP>c#>?j`Izkbht7P41rq5Ch|p-av?+?q2FY(Q0SD-!;@1~ChoOsqig3%$ z6C>B8D(}e%Ph7r-SUlC{^?h_f-0Acg1Xp)V&#kPby(rIeM4n`7kMH`|%6#_m-!`{I z#%joz1jYEKd_hBeSy3tr<-;vv(YK&^x9{4jV=Lk&g~!`@LbKJI=e-7CtP%z8Y{%s9 zQbz47tYLvZiV2UUcls9DxlonXeKox4rA3KT+^&y15hLBJzxh}1{9CWIbH&L(^sg^|~ zKiZsr;NTINZ82c)ale0XrSE{rzX-b2JQ6)O$9?&t?MGp6OY!e$!WTvP3h|={wd-`3 ze!7S=R8sfv)$}XGt?01~nP%WbK6v{Gr~?Qa`)EiJP;=!ee?i46uN$w8d&BDBGCn(W0%Y09r!#)^=76@&XCbR}`7o(GDIp<@b>L zB*+?CPuh0&Hp>?`KgJa?7dasE!*ctu>w%7#1+~AHvcdrd!FZO&{>9;3QrFYhboJil z#-`ieG(hftNB_Ye-E92I!0xhILG;~^=T_eji~j=_y4k43ceK7GoA+%0B`n%YN1~SX zRs1oez}e#?04WHLQU!l)`?uVB%TIijO;R5fL?Cq#YxFz}R`82^i3f);57`>0f)&Q2 ziy}%eibk%4pM9fTa&3if^ePdwlzIerW7TCC{W;NU!-kZP@>9kW5lUi$UApv{(T$ryKo&XTshg%f%&o9s|% z8w4XpO!O+qcsLISpSeiXI1@r`=Iyw|H<9YvVVw(($T+(ANg?azU8E#~@)!_G2b2Z* zzr>gjpAsG@Y%~)Fe}TSM##`A_hzc zJG<1>tcq9P&5%e_nG+q-hczLY(n?g;OqxkMFW@_Gq{{wOlTG2fq#Ddio;7iJNOIb_t z-*LfhHw3uW4yJRIO?tQbXu{f<9jrxivsGUPJ7gPVus7#zbD7p+?7#4|hRv%5tTISj z!8U#jexr%Ye#Nb1_EV)&rnN%5|J04KQOZGrpc0SkrPcKzKICXs*DUB&DZn6q4tz2B zn86I48rO*uY$jsr?BCX1WE`P)5U65O1z%m;JJ9g03ad5n4mneAZ=bkVoQRYS$4&Jo zNvcPvqtpJiq#CxbyV?)U?Jp|MyejZ3>bl_Fl%sUh5gme4RL;Ay$rggU^>uT8s;?Sr zKayOsBY*CsvDI)2Zl$~9==WhNdcnKG9)=p6FBquiyJ0AJi@#0Twq9<_QTuc4!{pEjQM6O$v#WZ_3cgC)* zU5BnkUpf7wt4I<7UtgNDT>$i*h(R|4AGE8Kd|<)0U#jMq{z@U2+EDD~D?C7t$(;2S z@xB3-$rUFQ!{N-LR-R@O>wt0i4!0+7+ggEi1cTpbiQv__AWjC#4%l5zH9L_aG z5!5;SM^B$tPCR&_r1m|rG$<5r2&-n$4%4@SfcgM1QFM8>FT$m<;77&e5o{m zaml~2Ej#(Wv17`~QVakk*Wc>tgwbQ-w{Ii~INfRISq1XZqPppNFMBiy68&fKUB-9- z#`Q_`3np{92$!~PN>3c%gZkvIS`p&6TZ9d)_iET3mhRHKma_+*3q)L6e(%^J|B6rf ziic>tB%Lq61tKpeGN0xA+hh|T1|V}zR983$=S7wnAR6^PFrdD7t*0yX6uqesXE^uv z4x|JfS*iDAwwc7O>9NX=C&yUPj(4k4^z*(A#xx(`zltvHY^8bw>nF z)4hc>D-mZvEgN5cBI4CK``)QL&V{ljWwq#4v>o-mmLyl{8koN}dmUqtJa_iTjbrF% z`VG6ada9*m>C0nKDEb7XWM^T9=NS9>i0==CAlH77lzOmNl?Xk1j0+7lQDCSPQPmC{ zcYR!1w9{HIW>n{(f^?ehuAUKC38$2=*uzi$2ruD4P>!cOF4~zE{PA$?o&VXlgp&xy zdeX(fk-~f`B|Z0E@Tr{vs2wZy zbUrI`XHC#)BTV|vevm@HoJ-#->o>-Db$E%q@+0C%SK(M|BVlIX4W@atKlu@p@ z?aqK-pHE`!h15%i2QofXqW$+{z&!@>REVlJf>zRJPgq9f|qC%N3Hs%)bt{?Q*FxYL1tF`xmMUl}hH z&M&o5U3U+kTJ7TMUx&<3`{$m*N`{e9rSQo8tis3Myi(V-t;UbE9LgmJzxs%d+y!&x z=Bc`1tq-^bqK-)%8ji#+M#)RcHBlctyheH1QZYD$2|D z<7;Rgt}qAB;Gta_JY~A3H9DA3TIOHVZ;@x;t^jmVo6@sw7vjQ9*0w%9 zG>SmS+5comUjK#a<4@^aon5Q@Mn3s=2GH`vr+&zox(yL_%!2oS(lf_6K*GD~x*Xp> zCIHYbA_la_%I0R{Ht$iq2Utac`q%#a>!w=4W*o~ks>T)Z0mtC=CLoPIn0}0AH_)%* zfF0+WG^>caqx(=y3XpRdR}T9F{EMgpfPY7i0N|fh7dMe@58^z6FW>a|xkF$A{RlmV z8p&|*8^JT${&hqC_>oy6G^-MfpL)2*6~+2#4{AK4#be$m)srxi2YUdDQ481|?rp9q z`8g;i5~ruHd^TYDm%rfxf0Y?AHa-e>NIMMB{3G<(vzoJ8%})ye3y-DYE;5lh_nWuh z9oZ?)(tH3vS6a=twV8-6^=!phq1S1=aX!IZ{#(<1eopWqr)HsEs}r)%H$ofSB=??M z!=U0cAg6Xf>E6X=Nxei+{bxJGBnLG1o01Tk`^_8zp zuUP?=-jQ6WH}0=^Sa~#E4Y2udvY`GcmJP}Z_PvcU@Cxi`wsetZ=X$xV(>+-JAC6b> z1IO;9Yk&0XV$aq$;*n zlTs7nx+3?<72UrPv-p+%pxV>#v~4z0$9_kQU?UJ-h0eD+Em69aNw;jipC@f{s8y)xxYS@HhKvW zR{JTD>5CD3^P)(8dl+BJxB@)@>gBAoghl^}BB|$ywXXdJPKATr@=RE6`G7LM3>Xv^`=34tJu?-eJkpezZ}wyYdJG`X|gwSAQnT2&^4_(2k;N_Nf3H^ZMA1zA-!AguLrG0DU5C z!vhR|=;$JG50Q>B3{Ur~moln=v7X232x_UU@}Lni9}tlzK-~t=tB31rB7*@w@U_Ma z95Bf^J{PCi9$rVSq_&Kon}z#$U#qwYjPq`kqhIVoB(;7kiX3O;bs_q&Ret{*&cScM z!D)i&fH^l@D$yh(|3lP35`0~D^>9I1>e3wWre)DT3Bkx^a}PgNIo@OF5A^_il$o&G z%_ix$x@a|d2Uya;@&tqSeXsmtbOL;CI+Xnj@T5+R2@IEdH2rdatn_&I1@8bGrvk{r z)_m8(27m&AwqhRW>Gx7U9^k1v;=VG+&g-AjtE?uaioK3^9WFs_g;U^53QN?LIqVwN ze@?mt0B{&*@09b`iirQGrK^<5@gRHksErYuDZEQO2=<@`qofpLfV;JP1-owrMjy>H zDy7<4cq3?K%6BM7`qXg!HK5m6Bo^o!yUjDpzzf{~WWDT;_E_Dd__gEaWf2!U2JKza zIexGux!iwlbGIGOUR8D6XLc(VNYS=c^TW5-_?K3zbFm^+Z;9hhH1#R~?&S;gj#0bt z6WU=azCcuY>?U6X8lA89g;oOoc|Lr91*;WcR%u?Xy0R0^KW`M3k6kQIR5!?R8{xlp zthRlusT;Y{l1BsL0LI(G7u(2&n-JW_)f)Ai`=mkj-Mx>13Cwwm!v~>XMZ{is)>xH7P99* zR3~}xbli={4Wh?C9kBZyF{4>P*8%R0*K7yW4*+5;Ibx!EPj_7&hzL&~zmPpK76n$z^Z&gWxL9y}*Mq_@sn%%^XFy{rX62FWK5@d3kj-!)ZR?2p?0#T9unNvz0bZiICZ>)5!m*(LoKvEn#DL4*wXhnu5c!I9u5FIUy^c^jH*SIB_C8c za15Y{7;L?xubb~-*UT~gp*7#TO5&-HFB-l|PIRoDM0K~5QtBeXy=HM@MR)`=)J5swA{QBL)_nB-xh@G=dk~x?jc;2=yiei zMPE27)}xJ(zELLe<}!oPeI5NbHMnTifxAL0F`vDD`m+&dk3{_K3FEIO=(n0Fg+-Jr zSCqR_H#a(aSiU$0KSwl5{9%OSCmT-e4wm5VZ!J6NLtBeIHGcJXXTX&GwKwPgE?b2D za7kC6#NVlOCFtJDlhiBC0bekN7?02J_iXy7rNG;Ps{}AiQ}XH4d2kT6nkwqeY{HyH zge0-E2jWN(i;4n-in_eofX2FK2XgS@FT3F^?wydrP}7dt8&(*RNLHh%ki9Srp5D_F z-o1)v_Mwp3=|jRCezy=}&oD4X0RjhzE!cDKB!XY`3_=0Bgpg#U)qe!O_^=dmQu6eD z_$!=Pr-WzJ1P2MJP+T z(v_Xurr{ z_)oG%GGTG6tiSG2_1iw$lFfSmfq9n>d z45Plm1mV=#Jq4w!qCB|^*JadE8k@_EBev}c#bLaKb{umF)7#SUuZ9OnkjHf$zh-U8 z8pBe$|EIh6j;H$n|A%R*gm=l2tRg9!;@DbFIAk2M z*Fla==wxO8o@cZ^@AbK^@AtZHx9j@T%NeipdXC5aalhXmk7pBh*2$g$ndg}Ur(!AH zV5=fLHYOYR_`;XTZEeZqil>Zw-Ck?@-755Rbk!1A|8O;N!9;Hyip!M?>o$Z&0|*ZO|Fnn)%4D7GB9NDl^9ItshdVQ+7OT zhwHW~xukOhB}L(Jt%`U-6Z+#^0YpzH|3B6h9dQHZs$Q-(Hitn7W z!?d)UpG`z37UrOHt$l6uxTN!{>_Zf447EakG8(a!sXiEc%#^oS?Zw6dcJB9NCS1IwdhPArug2^tp9PdS*sP&FV|< zAU)V0Xzg+8+m%J>p94@9a(b;?VXtgVQz|dS( zep6yU_#Y3Si1w!Qd#uBImc5>5hrAzt8B5wo(qFe20!8g$hev^mKWc3ch~uzY>&VAr z#JjJ;B6maLsTz7%7EV`Q#n^qnN_L$PN$43t?kfD-MSmp7>F6P(>#hig1rZZaQ}ws6 zZ}?GE`2h6>)YV_0;^E^5(}svX!0z-vxp?cBP8fW6vep^^3bk%c3-|fK(*mTwL0AB@ z@zp-kGa|kS2btVKP*MV(`8Xlc3?5?R_@~$Z<%j%!aUc(H!CRrW6Ut|_zJ1${wpT8D zEj0Pq-M$=`JUZWYPxFMuqMd}8>nPg&u|?mehU;BN)rC$%eSa_h8M`7D-QgyE;V4de z?TqRKz2IAvTf8Z59MDn0$vo| zrcZtmDmP1#;#oTxVC#e?04V|ODOLk&_bxxpu4=F>Y6~#t9Z0KScymyLF{C9J9vg~& z97|kM(f+(~q8CchDt@;_)&o8>@+or$K6N`cEh~4mflF$9EjdI*SEV1?O1=YHhVoMwM0deGfh&Ypz z3yav+4`^}*TxTi1I^)(cf0mlcMnrLvKJyW>fLSTZX)cI~i4(;mm&PtP621;|c2lv0 z)->B|V|qF|3X5)hoAP`ROGdmgDs4=t{-?RI=ZK_CWP*gSFe7RaJ@Ym)MBFBH?pCb6 zR-2(Gbn&%=Y9fPMMw=;IK4X|^{aIj1CYb~|nFmUEHP!(e9*(OsT%ro z#Kaq1L*_4IR8I$WhE_yq6dBnZRfw)>=$}6y{X8F2z~wz~^v3Wrjy|T(BE$%zWDB3W zZ@hnsvp`auVUq2D(=6Wy!1{!y@pQqJY=RI{<`UUYzs$tEt_VS>~m3>vtL_bfzL4Q+iv#P zK{tw2!FAUPdH$zmy-|k>(_E6EHk~Z3uQo%rtmn-IPGkxvX6J9a<1(uq6VGZh?IH%T z$RTXDWwz)ZuAuqx1BzW1!sh0z+sxvlec~Yw|+G9M@923?acMeOK ziS5?kh}>U!oPviBz)V|G9z@t73ER`@A?&6%{QIs30BrQdq&>u)>oj=1xjhbU6e%rs zwegWm7|TZBYWkd`NV~CDKOGtO1LEq>qY=CGA6UtP1+~C*Cn?Mi!Tq^l9ErT!wWdzw6pjrvydleE8oNejCo8 za@C!qOKi{$N2B)c%JXks3Q|Z{jHK$D{yl^J*qz6O* zfv|FoK9OrRtxvY%2*NyZQ!&RWtuTjKt2^d|xGi>}Wxsw|FSA#bFAyY419wW?#}F3~ z7Sz`=Wwfr&xE$@y&@B_4;@8q+Ti1Fw$OZ1-$=wGQY?Nbxkt5dyqYQRj_K(=L-t+P5 zC*D?G&MNiIalJC0P(GmOW?<4eM4rBz_;eR@zJ0V9@~5t8csTPggoBp;>de9iYf8Bq zE5_~}eaSaQ-1<_b;q%(|v}85lWA8b_od7f8lfn1ON7W)U1#|uM?j+OLNo~O{LB&> z$IBAL_5nD}^D0gbhuDv1HgHc1M&%b|e07JP%Tu#^3*thWOTU%e0lY*UJmTZjpWx1CjP}XM@FJmu@?413| zYq#YZPxHaVlej)ih+!I!_lPkXzx#cU-TL3VRvbrM`yL2i6m<2)f#`CG6d1FMdYgx^ z)3F+jF-)g!SC_szlm%%~0|utY4nPe45LJ7LcMA{1J$8h6sGou5R;!0WpSS^@7N_|^P&yCP0!9N)nuX*e z+cIHcJcg;K^c@$z)Y5-JUdn^WaPe9n{%nx=mCIz(QW0uDxiT$4Mf_r(ChV5e*Quy` zI<~Y1Y72W7Aif2~vV(rjW7fxEHw`(gErw_?_H?I7A?vn|Br`?I?OmId`)4_Nl5hI6 zIpjf7n6v2VGnRsz8N;*=3^1%7cn@0d;b&VO4}vBP9^t*O1pEjZZuk{@`a|nm5AIof z)b4CO`-iP%?D43y-AV_E({2}UT(RBw$-7T7dAqI6aIR|7DHpO|%Z+cvyqK6F3kAO! z+(h67#3Y-((-S5kW1MT42K4*`)HS<(5&Ma&Z^9Jr-6j#D&Yw}6J7QLr%F`1afJ&tN zx_;Ml)B*QEwScb5?|7J&f{RD(^vM!*NO{=$z=`M{&wED$YAvB<0!+_Jt2 zGpzC}il+k$6V=kAO^=D`qPg3SwfV^$T(z_0u|Ayd5qmtuE1S(F4ZxKM2=T7XO>xDy zWF-_^)AEWNHPG5jFw!=s?Q!2%cXRB1YtzWYe=an=w+2F{{XKxmKvDrFqyOQ6049&%~xcU`v6^$TPQvNFztiB090`T^$F6RC}IlFOx=Bz zKnc-DPxHbu6C7ym$;iP^A|lDAeLR_MJL92%QHM~2$v{Br4SsdlGfWr29pD#;l06Q) zGrjBnUg9(Wt}+7l1pl$^#p)YSXbTWu2kx|rNRDfR?U?k=G3gmjip`lr#;?IwM)qT6 z#I?G_hALd=C-^ve;ypJiJ=W!62{CC1sI<$r22^lX$r`>YgT7?Py5K-@>^|tP1(w_9 zL?ylVc5F)J(PQ&z3p^@g0P#BS0wXwtg;ux>G^u*ePg`VR9x0rWE$9qt%h=VGkP^QY z#8^~`i=FlQBa3ymdNRIi;Xr3hrplXEWUI`Uv(e=nul*~Jd_*@-9@YFj5wWh0kQc6< zr4~`(9&VXVvs?J~Le1$ki9!sW=E=0Z$$BphUYz%WJ9+QUwS}@yhxD1vQI+sQ5#C~z z$RXc~OP=KKGt+wRu75V4a5%^1exR^Kk?frFu) ze~6e~3BBn%$fS1!vHSg;4{H2&Vmu;E_VwJ&92{gJJh|~R>&p6{r9nA9DQ2leE#e+T+ zTcaK-RwzrAuf?v0m%Fe!Xe))%VDM%bD*&Ig+WPfRKDKSB)<4lPMTuDAQsO~bdyw0! z=2w^aWyaNz)0t+{DftQ3_aoKUgWNQIcx_o|gd55-1RXrkbIi!#6#sr0iHE%x`2pKu z=JsX|^!WVGC6|{g8hL_r$5q&N(1H!0O@+D`Z7WT007km@$2Hp9c20%yV6vJS{!>y2 zFqL=$U_!x4Eafm8A-(iZNb3hOqo;LB)m$&z{T+mP2o?jO%rt%nbPn4xPHH0V5+KQ? zr@ak#NFAP<%3hbb5$K@(j3cI6@H&%2%J`SDJ%Zd4i2#CX6eD?@d$ zkNeBhZ(jZwd71&isLQ9d7}~>2cAr3Dimt+TS`QOK{7e(j?39&GIw7kA~Hy7KcXsjXE_F zy31W$&A4Sm3w=k;zoE}oucR!$oPfT23h5I$q?ecTblwA*3jd&pDhV;k+l@$(XPDRx zph_Lq!2+YLKjJq!bMb3QIYaroMbM%rETO}vO)l%H*|O`~!**s5g{(NF)(T@*5~7qB z({IMSsZM^Uz-fA}&%byvGObq2(i$wz?i|R@ZghPJ>0Bd)hKz z66>Zm5Nx|ZiorU5JgB|{{XT{49; zbZb=bHdEWw$A}Xmx1Q%8k>?BP-}F++O%;sP!t#U(pGLkk(xT@(P%2cZrjfN6chM$D zU$*sT;IzxT_5p<)>zzFg#$E)J=b(zh?)4r>jck}*F+VlAL}*hKa8hD98j)W-b|hq7 z!qJYyZtUT-%~go->BYv_H@S6=Zr7$7mny3dT4+x6q;WZRJ`)~Di+EGG4ax^u6PVK> z*Gg0bJ6R%jjp*T41@PI+qqo%a z>H-S2=8hM|52q^fN5Oc8W*!?;P^@!mCmpk;X(q#G#UAqqc%(nsGiuO# zl#MI4ctqndW8}gEn|R6hfyRT+&`wpw`ySZ2SyY$)SGsRZu zIxYp|Y(s_FM?blo^t;0iTTBtG#2cm!LJe#ef>1b7owcD@Sh_zZcAj?iQRq5+rrPjO z1%g&A8;zd64K3D3UTfBOZ<*P7CB8FzZl!ut!GDIU zEhu^$C&jenoT%OI^wccHI2?ppHNNZXh9j%kvBF!t(sjck>U#PkD#HgiuFZbQhp{|9 z*P$@_dMZT+rjq*T zg`Z8jjvd1Y`Nh@*B&CVH7NUTMr7ZSgBuI*`=;+1H74M$i_4U&<;`w%A-+h!z2iLnIJ=9>=p?qYFV7NjbyY4|qwW4;wG+#Ycl;<*C~2+Yl3+-e;s&$9i?? zM)j4-w$Uv;achA+1Z3iLMU~%(V<$0+2MWw41Y(RtEdD?wpqo-EF`4`Yru>%|!B+ai ztMtp>4)##m@2LmiP5&GozU<&R%Kv48uzKOghn{ZipRsK%AJ{|s5`3=vBf@Iuzk;u{D}<3C+yyvz$bE`qzg8 z)ZhJ)E@h}<7e>75o&I~f)tVi8ytoVjU8afsz4diLeF^}syU0GMO;WfdpSS_Y({X$d zWZaoPM0R45)q5lwBX0l%*!jAypbJ68%hQ0> zhK4>~T^%a%4rz&hs@&;amgSy!V{&c8u+vIog|$?pg=MJAfjY>O#?92AU*p`ok01R=8&@4Fk9ztZl&7nMo=Ns2T6L*hBBj;I^ zh1p(O;9}%n9VDJxg4) zvhk4o*FiKJ>4PIu8mGtMSifoe&&=NtB^JRntAXx^z;6rknJrhjM*f^0U6R>iJIJz; zgG@777~1+|x}h+$Q`NTy*S6is37N{!E=x-(8w}%1iB_Q$mtP)uKE!WiUTebaVi~3P z9MA6C!vUksqb+$ONNRAwWpdqBO(0L+zgwd#*Y@7vP2+o1PrW4F7S~H-1N$V3yg`%U z1s28OYXZ^7TpnC0Ka1NqawN0jtBJC^X{Y8XV*Y^+(!;#Xk)e<7D33LzFjM`UoxW-W zHKMXEh2Il3<1xfJ`>05KDL@6qhWI#@Dr213%PN$5zcF?W)2a8**F|~el(p>JZ6H2` z?FyMV6JQ-IVK^d7>6vqKFtOi+xzC9m$%a>Uz#?<*!CDNN^i4~bhtJ9d_Pyt3REF@( z4xKS$Z!z}1vxIQSH3 zXA$^K0u1HQrNA1GdoCraM{nFoVb?Gy&G33BNh0MFT3NuG{-KJ19P?5&wE1`y8T>F=Bvt+ zCQQ;cYs@_zx0UAou5Jjev#`{G)i8|FwBVbuvEy}(kA-JSa)_(Miyw$!k_qqjvrpq}ymw@VO~AIexM!xhCp$Ctkh zI{$JJ%bUr9Kh$9g+sJ#85;%uRqE)d=G;q-TeWZT0gMS{xO!G(HMr0BHZ(pRRB|K!J ziuPYhZCdh6r0!ymcqEDU185VMb5CCU)7=wwEE%yP?+`Rbpne1BXy%IT0k;^?Kr^f8 z1+l?St-i0O)boKOH*C37ezHob29&m&6iaOcZ*lRm3T;azh-J(2PBt zC*3Hv_y%Izm-Ny{Ddi7!B|Dp38P8@Q4lTfvx{OFu+!e|0f(J(_ZyyPey+qE~AbarM zT}S>SswH9b$`=YxPBztItpwQzo!RMx_j+IbzW7Dt7|*-Abb&hR*yma%tY&_iKRh>Gh#hGZ~M-~44?0Qc3hb5 zROQn$_+V?FB*Yg7{X_{z6;GZ8Flg@rdRcjhpor4`zIHv(ra)Al4IZD^45dj`~m zH)h`LQh?gbay~BED?;`o05aygeiM~cwt!K$EJvOV&AaCt6&O&0nW#i*T*o?ZsP<#@0iV8GNJ{w5QQw!##c%pJ)f(~rSbM0aic4l--6662is!= zDfTB5vVZ#MKwV4>qTmWpS>hiSEOMpTZoOaQN&4J!KPs?#P1$sLMS0?Jrz|#Xbhgd@ zM6-|AaOl4C19?IvA{$;D%kiGvv@Wjo2kov7sf5wox})))sS*2t+tx8#gvSfCO%)v3 z0V=RLZzg9~U*GneIkmQ=;rXDafoxD@Ae{m4{sXp2HfJKGwV}NUL(1bPh3n_k+V4BN zzdI!|_jcvAG#kpCThr>YhgqKaqnA>)GMHg4-UG_EZOcj0EUC(Bx|AX`B(<@yNIH6W z5V6-vrEi2m?2bb2x^|<;Q%@1&^jzk^u#JMo+n1{LK#->;ZlsAaa!_fbUY#5{y=$o@ zifY{5;QCwBFp*O%!tx?wPYlvZkiu3B%H{Dk1y+qVRiGa~p7p&=3!zc1H@{97--u@D zimu^N3aDB<+rGu0odY@3>n> zILpoY@zU_JtlG6G+I{rBoR`cvBf;g$ojh5;a55nzZ0%lTzize(Nl)y@#+JB2En88O zMiQCrJ~!2cIs$}m%P-u&`s@HKQBa`(CFGZVum6IVTHBp@gD31mikPc&EJi2P%!P{C z;1V?k`yXiyj*ofDJqQtULO&1jVIOa*2VF~q^Ay+mFXV_+T5eT5TqgaryNHxClb~sh z4Nf~Jd(Xp*E1Ja_bHL_t49Gmug+<3@WnXsCX?x^M3Bt$ke%L2AB0YoLM|$r0Mde>( z;=OZR83*idE7F%BpH^I|7&J}UhecNOl#;ZfXcjlAhd7=G)Tz+Sj{X8#3h0^0psb3}BZ>m5DxHe|doVB2PrVq6cYv-ke@bX1NPc64Ykw+7Q( z`vkK-fDUdXdmlprUs&FWk+D)9c?R{PuqePwaPtZb~$sP~H_fv8y& z*^igxpwREd%S2#FFyZu@%-=-07<9|j4v`h&l`EoHQ48tuS%96GpEUEag39shN}k}| zN2W&_7%N^F-+e7!77s(OJNnEB=u`6dnqXpqRKncd6jxg>j6nW!=@!DGec4F$+8+DN zaC)90uAiR+3?m+C7||k7)zGhrm}iMy4V{Ol9V4@)BM$6oWD(mpV~O>0*Yi6(o9iW> zpS}1E`MbZByB3`}TbI>L-c6G6lmU(~1H%vg{GPmmOnMgakAUcx7yl{({jb}S{&Bql z^H){nKJQsz2@(?1Hl7%_FA^VzmaLDBYmk$chc06G{Zqf;&A;cye=ryS0wTds{h9ax z>YstpBhv53=W5AFl8MPrY{&&!Nv#m2#*^6R{;if?LI#t@J0t4uisXL=LuD8iQLg?8 zZLJ`b7<1j0CUOUJ?2f@(?-*F*r#QQu2S=JbT$A+}d6If*Fm1#zm6=KHoGsYp2wzxO zRM<2JOb;)d>`vq*)UgHFUV6jOAj_AtBT%zoOaNV|mv2!Wx9ZSya$HIhH7Y>^V*S_> z-0J*7n$*E%oeK+2+OJ_3ki}nc+RZRI-h6vSta)k_Md>aPk_dT=H}lC}b-oT$kC+0? zu^gi&Oa61=L*p%5-LEM6L~n$N6|q8%m7)<-bm|I^Cs=IYi$P8zXfd7*WC^@_cX zCm!3wb~Vph-2qudJS)XV#9j}VPcKw$a;cb#d)FvZ}`sY6uf8E&(S%M^D7 z${dV9cTvq9aN(`{{9LD#;b!Y}bcSZ-G6n{8Xv1@|=yn z1Wft}lS>(fZ$l_(-R~(yzY7lr1RFdp1-5QEx;lln4?Hr$tH;54Y4ehXLJ2_LeH-xl zbxxdR51R-320YvA)4{Y@p#kONuQ+L&sF5dAT%3pPJsH=9qAX{Vt40cyOojZdbIV(T z)gxpX&IAndCRdpZLF_iBL* z77RKoh~SIwOor04R8$}yLQUMfY{yg0M)PG(S z+s1dE7bYPyAIZ`oD;t)4&c}2N%DkY~e<)8;^PZ|5_pHldC44f0S1Bil>~?{`ss2JF zgch!TN} z-faZa<2+#F`vgEIJc5Jy6{;X_^kN~cv!$D?&;c?Bav}vvrHAqS3QjX44+kjhx2>*k zMjHc8)e8S^Im~y}XeFX7V8n0FRY0T+%g79QH!0mBKr{l`CdZq(-66F*|X}2^FBo@o4iWFa6hK^>3C?k`Vo4IRE;Q!4X;uHOC$9z7I4ao4~t( ziEu}fr)6${Y~s6hnn-BiAMpVMg^K~uJdf&NFp7gC`F7jWMbX8pUlcMT{3J4V{en~u zXO|n5Fh5CCuz;7RI^5X|zLAjQTK)@|DJ){pe%wuBh4=(ni+&*{E6lA%5z+?qfsb5(k0+P z$>gsF{@8QV>scur520GX=4DU!^P_4ZsudbACjH|G8@n`Fp!04htQKjIz#o9up`a&} zM>g}8p=6Xd#LII~+PRWGi{56_P*VTJ(NV1lg3SnEC-iARZV3U5@)x#i{Kyl><9|vp z{aPUNU9M32FNKM}%~U!-V$t)-eo#tW^)v-#bJ-@9R?4QFR(x3*7s;L@@Y9d;FRax6 zCf@uFZ$VoQ{R7_ep8ONuBC%Vu*L1O8r@i{jDZ-99Qs%K_qk~)otdyQ)backg>0bB7 z%rPrKgCriFEYbD8|M}#{v8~V%N_ocuSt{!OwD0ZWZG$v+(XVlJa_i#l0vT4kPY&3EzIoS?WZ^oB`4gY(_amS(I~v;q5N3m0^d zte)lTp<(ycRSn;_Uzw9HBnztVyh4TULJcx~jv*@_^^7$^ni-tmCGnF2@?&CBF z(P*$tY5u0rkI+jJ0tZ@0{1)gUUH%xj< zw|1YC@wf~z*5q$q@ZXShmF8g~!6{KdZ6r>dpPPtwNDy+o-W+d&)+vxUNgXF8VLiEe z$E$R#j}UE?rcUC2&9UM zE1gu=m5kMy&pB9frxG^ARnEWCFkPBzZe$SVeVYC%Wq{ZdO43k+OxuGgPVO9(!lJeL z#kTE0g0mMi7oHZaZbzP1T=H7#`3PGxOQdY9>rzZbpS5iHf&%+ByYA=@c3SUka|V2i zyxDv^2be}Y8KTnrJ}CzKQuM38aMU(=eP7I3ZPe*rWlvoD14Q&o8{wGIIMaE7HKCx! zxD`;wxodkZ+m)o2B%#n&P>0JSOg-^87W3wcXm4So;|LVn>vILC`wR9De;AVcguM!GF6FG=R@IOqEI6{}W%hK4@L z6lX7*NhtI6ZY8Cy&d;h#6)ao(swJmZrK~RGNpUCIwcDs^K#}ZO()AgwA}n+HpQd!NbCT zTz>o}WAW>``%~5zuio+M5jL|{+cUdQue0>6wROCrhi)U_G1wt zm?$9cpr-(Nr+_E#+_>xA4XhULqtLpm^D7&1oqZ-skX9(SrsC3nKP;5N@w5pj50e@#ZP zS~+5U)}H;md6<*C5o@lq8k2F6?L62N(m2V;>K?Ae+8xR|ymO|pn5#?Q(%U^bS(IZh)1eyD+7FK+cxZ7SI%y03H69iZhxr(iX4z&lLg zWZHa0uItY+jwI_l!MFPVq%r|!Oid<_ychl(DFKA?Ukb$f@=-Md8qP@XoZCxA5;A9u zDrh;$FyN3LLQ+Qnrpf~U2~6=~<_};>LH7fg62#P3s73G0@kh*2hR>CDz1JuDfN$48 zT;e^z0oeE7+$ZX|n)O&}9_s8vq)p`&D$T79OV&gxsZrLI+}d8lZR?o>t0vEG(%x$g zm;L4rU);M~rX<=2*rnVvF=GJe;GZve+f>1xyXogUG`3>jbXY&t9ieeRLKEAYDOnH0i@c)3BDZze7mp@ z)!*Mp^aVs`yMAH4KF`b|3tDw_H;?3du6%((Cj*I0;bsr*4^%k@f$l2YDQ%{%?Mlik zGVBx+-A;Mard?+E6AjYpVGgC&*o?}}Xx1opJqS(=dHpN;JePx7{#45NWJ9daxIeHB z^hmvmAdrCsx?UF%P5DU!K@tCwl}W1}8+Z#Gd`lXaA#F(<9F5KRc`33N8|k>!({ZFK zIt{>m5`#$ioLdOaVJ;{&Um&WWuqy$Gds|8F7$T1d!0pTM29Qoj_Xc_Kv!G=tD=T2E zrNf9GgfRG^+u^?O5B-3G4A8%S2~SC-g6nMmQYuI|mjRr!G5%jUf__;Ne@U(X z`QqOx$p2Pb`E&jKE&aS!Z}cr${1q9Q7``{mH-j9&kK(&>ysg6GTTucl#<#uDvHo#J^iTZ{{QD1~g}*p8I%lnC!RyNarv>=h?_ERY z%`S#Bfdw&BGTxy2lcwG#PQ+)qWRzTzl=;fl~d4t;2OY9p4Wu~*r<5%mJg^O_3)dm(0F5fTR*h*dB>@}RB$=VZuA$}o# zl)!z*qPU0Q=S-Ib(@NVsR&e(;?NUa@j+AfMN|zpc*34Q;SA;Le`&~cAf9)g4!sc;< zmmu{ zKVA&siPPhI6X^0Fr^>yxa@ThPa6eyC~-e?(kxe2hkB>Puc}?5Zt0au*VBo5b(s9x6(9xcS}Y zo^%EqcOPjo3kL_~yJinsdR0&T_PwEcWqIkxM>Czp%1Q2-1-^+%y@1AG(ijmRSq?d( zR9q|U7E*J`#@?I$rSE`?Pkc$>AaN}IGls|0GUgQN**LMwfpe8+VOimpr6zD$4^}5ngp+r$ zNPQ~tzQ30g|2O{6zvN~9hZjk<*IC5-Kf{vWHh~`vvi=`4+5}C3&IUmLgB{RuB?WzA ziPSG5$)CZ%4}^dZUjHU1{mA)6Ts?Ns$e}MxOdGOi2pXJ;vGGHGyR7>Q|q;p-^-Y);9e7~9tqw#I*D&2mr^EP2lsmCXvCT2#5i!<|# zl3Y^K1Uw`IJY^0;E7bHlCBJW4X4?82q6Maw;5>Jzo3yA%;-n>iu2^PLY^QazU*+-g z!8@HS8FYtN^hz|X78IwYF-Xl&hJpDtqI*DVjL5G*+9RhFTj z1~S`|)?rWGLRoBjk_EQ9D-pZ)gAc~%f1!}o%gvUbB5V>@6*FU;m^vg%v#e{iCEe{` zzl025n399s#=NGSqNCis4tpM-=r5k}@c@pgBin6vi1MK>kuP3*of%2Qt~GAx%+{Bi ziJm&Rr(VW;nQ{_P%n$q?^9}_@tG6phL#Rcw+$T+D0%8q3)I*wiR#n+1+~QC9QrOgB zuLHK*AKy@mo8v2}=V=DWzZGvA3A^-p7-rtbZLYEdI;8p~9H*-&yojKuobo(iq1!=2 znKfM1`SOitPi<`YoXRHb0(5!XOVdF$x9vgyQMXxbrl%mT5G`JyxJ_4VJ=&`)+y$x~7Bi|T?V8Rr*g^+lF|$#%iOC%y+tbIhqF)chgyWK; zExVE%253H#5b;e#qp)Amr6ED!!U34OwTCL#E0fMt0b_yvG_&9@t_G z`W!2N6)P*;_wsX+4ZTKJbf@ug))m#^-Bkm-q-4A=Uym}%$Pl7 z4gT;)%$v+QFX^S-3$Y7RzBfhS_eJ!xZxyvAqwL(deAMzJC?2bYx^14u7&5lM%RfDs z(7$nCzx*O+t)Bld?NRYlX^Lv;Xnw8=AE4$w#E&%I=OKSO#8THmt0A-8-hZH<51)tN z(+UwgxNzq+idWiYk637tndfcy3E#0eL5(lq0pO+Y6)G@;GUPq>Ha?egMjU^VLf=b% ziS*AUkXwY~8*|yifhCXUhp!F@8`b}mf&9j=Hg!TKSL^YIF8}S$b-M#XGyiFDSQZoB z<~_IhYV#Aio!r=+Bo(P47=2w_D9#~m&#@u5ofi{@$OJfl&^ybcQ>SOyt3K52U9hh@wxW_w_Vg!zr?6(gq=73tw$;*$+${e_GvXrf>?9x#K$%-26Xwe3YTq zcCgjol?Omd{4IO@e=UoXP8Z~)zO_+xA?sIyp+cc?&J}bv>z6X242`6+l7}f3aoXzjz0ek6Vp!O3rikDexkeL zw?-?sZy}-|IJw$kt`1sjzZL%izbTaOnn+Y8@O$y;!Xg$Am)&p~PDZ6tLAN$6xs@PU zFBd6x*uWjg%dByq7Qgz8&S;ZtA_Q80fDyqdovBks6b}fOX!RsRGk4r{*<2k8Kx-q- zUp~hcH>NjUSM?^RsJl?tadoOJ-Z7XYTHy0Bp<)zW6~#c?0_Y!XG1AjBXS(W+bISp~ zoEljLL9g4?c(Xl$JODjOPvBP!IBW=%u1J-Z)O{BlerkE&GvdEYy6xehrOtP2$p0Wo z|MNun=f(H$vV)Qh@Eiev`P-@_mE-@581~Cq4x`D1sKkx|fd=Q~W$Qmcb zIxK1<*x!EAjH7%SxDCu%=|CF&)-3%djhVzi&V!z!)PTt>?SDUmv#45-g|0 zU3J@wDsdq*KOZkHk#REJnF{gPAVZ60K)+xAz~WH#A9|RZMO&l$f$0i_IME#=eQf|i z%Kxy#do&QWG)!pAWxPp)Pg-lc;AWpg_y^}V&n?v-XO27T^`j7u~KLc zc{BXzbl=;Y=&2{%t$~a!aL-iDx7x+M4ao&trQE%wz9fA~s4Z8)<9jFErouu8EMu;T zE2KGPP^)vIym(FJT2Xd^jAx>g{rW{RxGMHe#||!hE>d<)@Zww2ldNA>)vQdk#BCbv z{|p+D;RhAy&E+gFWU*@Yvfz-_F1=b&#H!Pb$f>$_vjQhXjNXIa10@#=tcy0+^USow zjiHr`uk99$4$3Gzb@uanEFkdkvLXR+7y!UAaUV4*J9^d5A}Nd-0ky&1ik#oN!ZyfK ziHZ(H<*lRjo*FineBIcv)+>HTRl=anbdZ?7=9wUDyfK4_%A2=esH@om6YAXohQNCq z_84rKQ>pn2oBd10K`0;T^II{FR$9?8pUhLdqi1!?R$6vDe^{xDo2Z180znY9DG9MT^Hof*{ z#1-y!^T20f~$x@y+kMv=;BK=}fxO(SQ%mYzl_(gy_^DZI= zDEo^KWq&i9;vQq1QV{-w-z%3)g5p2+pQhw`ELpZbF^m)WmcOM?!r$_?@V_7%Ba*Ry zxpOro^Rf)76qIfucoTQ}*DkJg+i8*;H-WMHwQEl}a72Tn$jB^Wd=BDC;5w+V6(h#k@SuIpQiqg%*k(4F{)o3s=A^vf!Cf^z0w zHL2o)gsV9*4>F~(_mXhh8n?!fKzxTA0_ zWfV36=%<2P$LI48ey3uA$RPKA#cSI6MCR#O)N(>g6;4LczYe?n8#QZg%xuUAy@5Qg z`HtFyDGZ#JbB2I42>h!*Zzjd?-~~);!@dq!fMLGt1ziGzOn?M{chM)y0*ZUt=BFZY zi2YH56@hSvD|J}^V4ENAgx@*|o-TAfZLqVPf91=BHNXcXqWDJ#r-=V`?<~J?dW|)nDrogbsy2<}_$}66&+T z+1HG|>s2%fi($A?;y*FEp%&>gn*Sd7vu$SO^b{y#m>d!F%yD}ccRQlpY2x=dRO@+( zNGRL)(;v&ph!EDz6t^}TKfyrEnSe*Edu&eIV+Ve|^+~Ib^EM{LBH?$J#pkAkeT!HX0ksFZHeT4$l_qE7vWE8B-7wak+F~$Qh~T&X*{1#yBu-fu6U?62W-{+*$Wp8&=U=OhneA)S zPcwQmpuaLy9jrqeuzxGsFPXB2S(S&SE8ec0eWrD#@Mv<&`m&#fF3hqb>;W_At3wKH zAO>h(L@4&5nl3P=vC*VO2B<+6#?1n>g>{s&Zb&${DnRXYkNIbmNyxS05#e6#!5L}mp83=6+Rn#u_9&MGk7Dfg7@6pRqS@fJ5En%wsljf7$7t}h;5Ql=0G$z zEH0(@?rZ$O?s!??sc*kXZp?_%3v2+Lw#5F$YC|MD(z7af} z^$M*q#{qG1DCv(%2&|hz*`dNVsQo4KEN(U}Ct#x)dqI&LUOT}H)Q!*m4@7l83LweT z0_>!GKOfcQ%Ex^B7LKmX6#G^7iSpfQ&rWg#C2+)sQ|V%QON@8%R0ypfTyu5@KFKsz zs`v9G3HKlIM#LBQA9a^M`ZM7RR3r}&3RHe>yT9zkzcb;jcmzV8{}X}K;StCH7y=SW zMUbb_mz&XsfA5>DXZaydlh~QX9h>Q2T%<5Y^v*L?8bfHK6|~O%o#dFVgg1RfPV(CQ0KUzm=EL>gm%|ls+hm52Z>T zJXUUryPr=oWD-3d|KBKN`Tu_h4Ym4Z2N{n8plybYksA%73HWfMhqqc~zRiW61LtZC zZ{@M-gY#5ea!*{NhTt1vgdhLj2;*M`X`q|qHEx~XHEzEhenKY=>E9LY|3(k@BED0& zvA=N;QyPdD#0^P;IO**;$j;DX8JThqqJ0Lht(T30g9^Y)Pnw;y($VKFby)Y1EJ(wp zbuWTC?hJ-Wa2$a`gNQ@gBsiwg!KQ8voPKbMW1u-Bu75dNwS2KW$t=3KYgDr-})pb|v&HF7+!6Et=M?K6`zzG5wBDahHSJ8n_dAW,), ... " + --pad-sig Add 0-2 bytes of padding to ECDSA signature + (for mcuboot <1.5) + -H, --header-size INTEGER [required] + --pad-header Add --header-size zeroed bytes at the + beginning of the image + -S, --slot-size INTEGER Size of the slot. If the slots have + different sizes, use the size of the + secondary slot. [required] + --pad Pad image to --slot-size bytes, adding + trailer magic + --confirm When padding the image, mark it as confirmed + (implies --pad) + -M, --max-sectors INTEGER When padding allow for this amount of + sectors (defaults to 128) + --boot-record sw_type Create CBOR encoded boot record TLV. The + sw_type represents the role of the software + component (e.g. CoFM for coprocessor + firmware). [max. 12 characters] + --overwrite-only Use overwrite-only instead of swap upgrades + -e, --endian [little|big] Select little or big endian + -c, --clear Output a non-encrypted image with encryption + capabilities,so it can be installed in the + primary slot, and encrypted when swapped to + the secondary. + --skip-encryption Set encryption flags and TLV's without + applying encryption. + --compression [disabled|lzma2|lzma2armthumb] + Enable image compression using specified + type. Will fall back without image + compression automatically if the compression + increases the image size. + --encrypt-keylen [128|256] When encrypting the image using AES, select + a 128 bit or 256 bit key len. + -E, --encrypt filename Encrypt image using the provided public key. + (Not supported in direct-xip or ram-load + mode.) + --save-enctlv When upgrading, save encrypted key TLVs + instead of plain keys. Enable when + BOOT_SWAP_SAVE_ENCTLV config option was set. + -F, --rom-fixed INTEGER Set flash address the image is built for. + -L, --load-addr INTEGER Load address for image when it should run + from RAM. + -x, --hex-addr INTEGER Adjust address in hex output file. + -R, --erased-val [0|0xff] The value that is read back from erased + flash. + --custom-tlv [tag] [value] Custom TLV that will be placed into + protected area. Add "0x" prefix if the value + should be interpreted as an integer, + otherwise it will be interpreted as a + string. Specify the option multiple times to + add multiple TLVs. + --non-bootable Mark the image as non-bootable. + -h, --help Show this message and exit. The main arguments given are the key file generated above, a version field to place in the header (1.2.3 for example), the alignment of the @@ -111,6 +161,12 @@ the load address (in Intel Hex terms, the Extended Linear Address record) to adjust for the new bytes prepended to the file. The load address of all data existing in the file should not change. +The `--compression` option enables LZMA compression over payload. Details +about internals of image generated with this option can be found here +[here](./compression_format.md) +This isn't fully supported on the embedded side but can be utilised when +project is built on top of the mcuboot. + The `--slot-size` argument is required and used to check that the firmware does not overflow into the swap status area (metadata). If swap upgrades are not being used, `--overwrite-only` can be passed to avoid adding the swap From 33094fc5a50096c8cbb3d2f443c4162a0ff08ea8 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Mon, 10 Feb 2025 11:56:38 +0000 Subject: [PATCH 039/228] boot: bootutil: loader: Fix issue with stuck revert Fixes an issue (only for swap using move, unsure if it affects other modes) whereby a device can get into a state that there is a valid primary image, no secondary image but the primary image flag is still set to revert, which then makes loading a firmware update from the application impossible due to it assuming that a revert will happen upon device reboot Signed-off-by: Jamie McCrae --- boot/bootutil/src/loader.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 43dcd3f22..d9e482304 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1034,7 +1034,6 @@ boot_validate_slot(struct boot_loader_state *state, int slot, hdr = boot_img_hdr(state, slot); if (boot_check_header_erased(state, slot) == 0 || (hdr->ih_flags & IMAGE_F_NON_BOOTABLE)) { - #if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) /* * This fixes an issue where an image might be erased, but a trailer @@ -1048,6 +1047,27 @@ boot_validate_slot(struct boot_loader_state *state, int slot, */ if (slot != BOOT_PRIMARY_SLOT) { swap_erase_trailer_sectors(state, fap); + +#if defined(MCUBOOT_SWAP_USING_MOVE) + if (bs->swap_type == BOOT_SWAP_TYPE_REVERT || + boot_swap_type_multi(BOOT_CURR_IMG(state)) == BOOT_SWAP_TYPE_REVERT) { + const struct flash_area *fap_pri; + + rc = flash_area_open(flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), + BOOT_PRIMARY_SLOT), + &fap_pri); + + if (rc == 0) { + rc = swap_erase_trailer_sectors(state, fap_pri); + flash_area_close(fap_pri); + + if (rc == 0) { + BOOT_LOG_INF("Cleared image %d primary slot trailer due to stuck revert", + BOOT_CURR_IMG(state)); + } + } + } +#endif } #endif From 251c054176f1651af01cbaddeb42859413f7feb7 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Mon, 10 Feb 2025 11:59:04 +0000 Subject: [PATCH 040/228] docs: release-notes: Add note on fix for revert issue Adds a note on this fix Signed-off-by: Jamie McCrae --- docs/release-notes.d/fix-stuck-revert.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 docs/release-notes.d/fix-stuck-revert.md diff --git a/docs/release-notes.d/fix-stuck-revert.md b/docs/release-notes.d/fix-stuck-revert.md new file mode 100644 index 000000000..a49cd3bc8 --- /dev/null +++ b/docs/release-notes.d/fix-stuck-revert.md @@ -0,0 +1,3 @@ +- Fixed issue for swap using move whereby a device could get + stuck in a revert loop despite there being no image in the + secondary slot From 9e72eb393bb1cef5a33d20cd462e2028c6541dd2 Mon Sep 17 00:00:00 2001 From: Mateusz Michalek Date: Tue, 11 Feb 2025 13:55:18 +0100 Subject: [PATCH 041/228] doc: imgtool: importance of clear flag factory-programming procedure. Signed-off-by: Mateusz Michalek Signed-off-by: Anna Wojdylo --- docs/encrypted_images.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/encrypted_images.md b/docs/encrypted_images.md index 85d26d8e1..ebc4f46ed 100644 --- a/docs/encrypted_images.md +++ b/docs/encrypted_images.md @@ -147,6 +147,14 @@ the status area just before starting the upgrade process, because it would be very hard to determine this information when an interruption occurs and the information is spread across multiple areas. +## [Factory-programing requirement](#factory-programing-requirement) + +It is important to have updates without any voids in encryption. +Therefore, from the very beginning, flags and TLV's must be set accordingly. +Perform the first flashing with an image signed by imgtool with encryption settings +intended for DFU. +Append it with the `--clear` flag to keep the image unencrypted and ready for use. + ## [Creating your keys with imgtool](#creating-your-keys-with-imgtool) `imgtool` can generate keys by using `imgtool keygen -k -t `, From dbbcb78b46f286abba32811f148a1ccdd3e662ab Mon Sep 17 00:00:00 2001 From: Ederson de Souza Date: Tue, 4 Feb 2025 10:14:31 -0800 Subject: [PATCH 042/228] boot/zephyr: Fix SINGLE_APPLICATION_SLOT_RAM_LOAD file inclusion Tweak if/else chain so that: - single_loader.c and ram_load.c are included if CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD=y. - single_loader.c is included if CONFIG_SINGLE_APPLICATION_SLOT=y - ram_load.c is included if CONFIG_BOOT_RAM_LOAD=y and CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD=n and CONFIG_SINGLE_APPLICATION_SLOT=n. Without this patch, having both CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD and CONFIG_SINGLE_APPLICATION_SLOT would not include ram_load.c. Signed-off-by: Ederson de Souza --- boot/zephyr/CMakeLists.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index d8bef2f21..b4d4860a9 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -125,15 +125,15 @@ zephyr_library_sources( ) endif() -if(CONFIG_SINGLE_APPLICATION_SLOT) +if(CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD) zephyr_library_sources( ${BOOT_DIR}/zephyr/single_loader.c + ${BOOT_DIR}/bootutil/src/ram_load.c ) zephyr_library_include_directories(${BOOT_DIR}/bootutil/src) -elseif(CONFIG_SINGLE_APPLICATION_SLOT OR CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD) +elseif(CONFIG_SINGLE_APPLICATION_SLOT) zephyr_library_sources( ${BOOT_DIR}/zephyr/single_loader.c - ${BOOT_DIR}/bootutil/src/ram_load.c ) zephyr_library_include_directories(${BOOT_DIR}/bootutil/src) elseif(CONFIG_BOOT_FIRMWARE_LOADER) @@ -161,7 +161,7 @@ else() ${BOOT_DIR}/bootutil/src/swap_scratch.c ) - if(CONFIG_BOOT_RAM_LOAD OR CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD) + if(CONFIG_BOOT_RAM_LOAD) zephyr_library_sources( ${BOOT_DIR}/bootutil/src/ram_load.c ) From 98a6681da0df95f1e0ec6c0474263fb2338d8a65 Mon Sep 17 00:00:00 2001 From: Ederson de Souza Date: Fri, 20 Dec 2024 12:34:19 -0800 Subject: [PATCH 043/228] boot/bootutil: Get bootloader state Add `boot_get_loader_state()` to allow one have a reference to current bootloader state. While this state is internal - and struct is opaque - it will be important to be able to "pass it around" when using hooks that will be introduced in future patches. While at it, make Zephyr single loader also expose it. Signed-off-by: Ederson de Souza --- boot/bootutil/include/bootutil/bootutil.h | 2 +- boot/bootutil/include/bootutil/bootutil_public.h | 2 ++ boot/bootutil/src/loader.c | 5 +++++ boot/zephyr/single_loader.c | 6 ++++++ 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/boot/bootutil/include/bootutil/bootutil.h b/boot/bootutil/include/bootutil/bootutil.h index cea5689b9..babb62fdc 100644 --- a/boot/bootutil/include/bootutil/bootutil.h +++ b/boot/bootutil/include/bootutil/bootutil.h @@ -86,9 +86,9 @@ struct image_max_size { fih_ret boot_go(struct boot_rsp *rsp); fih_ret boot_go_for_image_id(struct boot_rsp *rsp, uint32_t image_id); -struct boot_loader_state; void boot_state_clear(struct boot_loader_state *state); fih_ret context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp); +struct boot_loader_state *boot_get_loader_state(void); const struct image_max_size *boot_get_max_app_size(void); uint32_t boot_get_state_secondary_offset(struct boot_loader_state *state, const struct flash_area *fap); diff --git a/boot/bootutil/include/bootutil/bootutil_public.h b/boot/bootutil/include/bootutil/bootutil_public.h index ffd263591..49c4725a7 100644 --- a/boot/bootutil/include/bootutil/bootutil_public.h +++ b/boot/bootutil/include/bootutil/bootutil_public.h @@ -145,6 +145,8 @@ _Static_assert(MCUBOOT_BOOT_MAX_ALIGN >= 8 && MCUBOOT_BOOT_MAX_ALIGN <= 32, #endif #endif +struct boot_loader_state; + struct boot_swap_state { uint8_t magic; /* One of the BOOT_MAGIC_[...] values. */ uint8_t swap_type; /* One of the BOOT_SWAP_TYPE_[...] values. */ diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index d9e482304..a7e72855d 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -118,6 +118,11 @@ static struct sector_buffer_t sector_buffers; boot_copy_region(state, fap_pri, fap_sec, pri_off, sec_off, sz) #endif +struct boot_loader_state *boot_get_loader_state(void) +{ + return &boot_data; +} + static int boot_read_image_headers(struct boot_loader_state *state, bool require_all, struct boot_status *bs) diff --git a/boot/zephyr/single_loader.c b/boot/zephyr/single_loader.c index f4122783c..382f81eaa 100644 --- a/boot/zephyr/single_loader.c +++ b/boot/zephyr/single_loader.c @@ -21,6 +21,12 @@ BOOT_LOG_MODULE_DECLARE(mcuboot); /* Variables passed outside of unit via poiters. */ static const struct flash_area *_fa_p; static struct image_header _hdr = { 0 }; +static struct boot_loader_state boot_data; + +struct boot_loader_state *boot_get_loader_state(void) +{ + return &boot_data; +} #if defined(MCUBOOT_VALIDATE_PRIMARY_SLOT) || defined(MCUBOOT_VALIDATE_PRIMARY_SLOT_ONCE) /** From c9aa7fd95e32fa123b69cf147b9e455c787eb9ae Mon Sep 17 00:00:00 2001 From: Ederson de Souza Date: Fri, 20 Dec 2024 12:26:51 -0800 Subject: [PATCH 044/228] boot/bootutil: Make RAM loading methods public RAM loading methods are currently private, which prevents external modules with hooks from using them. This patch makes them public. An interesting note is that a new method, `boot_load_image_from_flash_to_sram()`, is added so that code can actually set the image to be loaded - currently, that is inferred from current boot loader state, but external code can't directly access members of relevant `struct boot_loader_state`. Signed-off-by: Ederson de Souza --- .../include/bootutil/bootutil_public.h | 35 +++++++++++++++++++ boot/bootutil/src/bootutil_priv.h | 3 -- boot/bootutil/src/ram_load.c | 14 ++++++++ 3 files changed, 49 insertions(+), 3 deletions(-) diff --git a/boot/bootutil/include/bootutil/bootutil_public.h b/boot/bootutil/include/bootutil/bootutil_public.h index 49c4725a7..bbfb729a3 100644 --- a/boot/bootutil/include/bootutil/bootutil_public.h +++ b/boot/bootutil/include/bootutil/bootutil_public.h @@ -311,6 +311,41 @@ int boot_image_load_header(const struct flash_area *fa_p, struct image_header *hdr); +#ifdef MCUBOOT_RAM_LOAD +/** + * Loads image with given header to RAM. + * + * Destination on RAM and size is described on image header. + * + * @param[in] state boot loader state + * @param[in] hdr image header + * + * @return 0 on success, error code otherwise + */ +int boot_load_image_from_flash_to_sram(struct boot_loader_state *state, + struct image_header *hdr); + +/** + * Removes an image from SRAM, by overwriting it with zeros. + * + * @param state Boot loader status information. + * + * @return 0 on success; nonzero on failure. + */ +int boot_remove_image_from_sram(struct boot_loader_state *state); + +/** + * Removes an image from flash by erasing the corresponding flash area + * + * @param state Boot loader status information. + * @param slot The flash slot of the image to be erased. + * + * @return 0 on success; nonzero on failure. + */ +int boot_remove_image_from_flash(struct boot_loader_state *state, + uint32_t slot); +#endif + #ifdef __cplusplus } #endif diff --git a/boot/bootutil/src/bootutil_priv.h b/boot/bootutil/src/bootutil_priv.h index bb8a79cc4..01ec23fc1 100644 --- a/boot/bootutil/src/bootutil_priv.h +++ b/boot/bootutil/src/bootutil_priv.h @@ -503,9 +503,6 @@ struct bootsim_ram_info *bootsim_get_ram_info(void); (size)), 0) int boot_load_image_to_sram(struct boot_loader_state *state); -int boot_remove_image_from_sram(struct boot_loader_state *state); -int boot_remove_image_from_flash(struct boot_loader_state *state, - uint32_t slot); #else #define IMAGE_RAM_BASE ((uintptr_t)0) diff --git a/boot/bootutil/src/ram_load.c b/boot/bootutil/src/ram_load.c index dd74052a3..630af1170 100644 --- a/boot/bootutil/src/ram_load.c +++ b/boot/bootutil/src/ram_load.c @@ -438,3 +438,17 @@ boot_remove_image_from_flash(struct boot_loader_state *state, uint32_t slot) return rc; } + +int boot_load_image_from_flash_to_sram(struct boot_loader_state *state, + struct image_header *hdr) +{ + int active_slot; + + /* boot_load_image_to_sram will load the image from state active_slot, + * so force it before loading the image. + */ + active_slot = state->slot_usage[BOOT_CURR_IMG(state)].active_slot; + BOOT_IMG(state, active_slot).hdr = *hdr; + + return boot_load_image_to_sram(state); +} From b3ed5cc6f765fe2e3b03924bdbe9f5d7b1d62e20 Mon Sep 17 00:00:00 2001 From: Ederson de Souza Date: Mon, 23 Dec 2024 11:45:57 -0800 Subject: [PATCH 045/228] boot: New boot_go hook This new hook allows external modules to override the choice of which image to boot - it can be used, for instance, to load an image based on some GPIO state. If the hook returns FIH_BOOT_HOOK_REGULAR, then normal platform boot_go() will be run to choose image to boot. This hook is shielded by a different configuration than other hooks - MCUBOOT_BOOT_GO_HOOKS, so that it can be enabled independently from other available hooks. Support for this new hook was added to Zephyr port. Signed-off-by: Ederson de Souza --- boot/bootutil/include/bootutil/boot_hooks.h | 58 ++++++++++++++++--- boot/zephyr/Kconfig | 7 +++ .../include/mcuboot_config/mcuboot_config.h | 4 ++ boot/zephyr/main.c | 6 +- 4 files changed, 66 insertions(+), 9 deletions(-) diff --git a/boot/bootutil/include/bootutil/boot_hooks.h b/boot/bootutil/include/bootutil/boot_hooks.h index 6d4a34e87..4cbc7d5f5 100644 --- a/boot/bootutil/include/bootutil/boot_hooks.h +++ b/boot/bootutil/include/bootutil/boot_hooks.h @@ -34,25 +34,54 @@ #ifndef H_BOOTUTIL_HOOKS #define H_BOOTUTIL_HOOKS -#ifdef MCUBOOT_IMAGE_ACCESS_HOOKS +#include "bootutil/bootutil.h" +#include "bootutil/fault_injection_hardening.h" -#define BOOT_HOOK_CALL(f, ret_default, ...) f(__VA_ARGS__) +#define DO_HOOK_CALL(f, ret_default, ...) \ + f(__VA_ARGS__) -#define BOOT_HOOK_CALL_FIH(f, fih_ret_default, fih_rc, ...) \ +#define DO_HOOK_CALL_FIH(f, fih_ret_default, fih_rc, ...) \ do { \ FIH_CALL(f, fih_rc, __VA_ARGS__); \ } while(0); -#else - -#define BOOT_HOOK_CALL(f, ret_default, ...) ret_default +#define HOOK_CALL_NOP(f, ret_default, ...) ret_default -#define BOOT_HOOK_CALL_FIH(f, fih_ret_default, fih_rc, ...) \ +#define HOOK_CALL_FIH_NOP(f, fih_ret_default, fih_rc, ...) \ do { \ fih_rc = fih_ret_default; \ } while(0); -#endif +#ifdef MCUBOOT_IMAGE_ACCESS_HOOKS + +#define BOOT_HOOK_CALL(f, ret_default, ...) \ + DO_HOOK_CALL(f, ret_default, __VA_ARGS__) + +#define BOOT_HOOK_CALL_FIH(f, fih_ret_default, fih_rc, ...) \ + DO_HOOK_CALL_FIH(f, fih_ret_default, fih_rc, __VA_ARGS__) + +#else + +#define BOOT_HOOK_CALL(f, ret_default, ...) \ + HOOK_CALL_NOP(f, ret_default, __VA_ARGS__) + +#define BOOT_HOOK_CALL_FIH(f, fih_ret_default, fih_rc, ...) \ + HOOK_CALL_FIH_NOP(f, fih_ret_default, fih_rc, __VA_ARGS__) + +#endif /* MCUBOOT_IMAGE_ACCESS_HOOKS */ + +#ifdef MCUBOOT_BOOT_GO_HOOKS + +#define BOOT_HOOK_GO_CALL_FIH(f, fih_ret_default, fih_rc, ...) \ + DO_HOOK_CALL_FIH(f, fih_ret_default, fih_rc, __VA_ARGS__); + +#else + +#define BOOT_HOOK_GO_CALL_FIH(f, fih_ret_default, fih_rc, ...) \ + HOOK_CALL_FIH_NOP(f, fih_ret_default, fih_rc, __VA_ARGS__) + +#endif /* MCUBOOT_BOOT_GO_HOOKS */ + /** Hook for provide image header data. * @@ -173,6 +202,19 @@ int boot_img_install_stat_hook(int image_index, int slot, */ int boot_reset_request_hook(bool force); +/** + * Hook to implement custom action before boot_go() function. + * + * @param rsp boot response structure. + * + * @retval FIH_SUCCESS: boot_go() should be skipped, boot response is already + * filled. + * FIH_FAILURE: boot_go() should be skipped, boot response is already + * filled with error. + * FIH_BOOT_HOOK_REGULAR: follow the normal execution path. + */ +fih_ret boot_go_hook(struct boot_rsp *rsp); + #define BOOT_RESET_REQUEST_HOOK_BUSY 1 #define BOOT_RESET_REQUEST_HOOK_TIMEOUT 2 #define BOOT_RESET_REQUEST_HOOK_CHECK_FAILED 3 diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index f4b9a55f7..1bb27786f 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -855,6 +855,13 @@ config BOOT_IMAGE_ACCESS_HOOKS update. It is up to the project customization to add required source files to the build. +config BOOT_GO_HOOKS + bool "Enable hooks for overriding MCUBOOT's boot_go routine" + help + Allow to provide procedures for override or extend native + MCUboot's boot_go routine. It is up to the project customization to + add required source files to the build. + config MCUBOOT_ACTION_HOOKS bool "Enable hooks for responding to MCUboot status changes" help diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index dc49c6688..e568dee7b 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -242,6 +242,10 @@ #define MCUBOOT_IMAGE_ACCESS_HOOKS #endif +#ifdef CONFIG_BOOT_GO_HOOKS +#define MCUBOOT_BOOT_GO_HOOKS +#endif + #ifdef CONFIG_MCUBOOT_VERIFY_IMG_ADDRESS #define MCUBOOT_VERIFY_IMG_ADDRESS #endif diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index c84f18a1d..683b2f7f5 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -41,6 +41,7 @@ #include "bootutil/bootutil_log.h" #include "bootutil/image.h" #include "bootutil/bootutil.h" +#include "bootutil/boot_hooks.h" #include "bootutil/fault_injection_hardening.h" #include "bootutil/mcuboot_status.h" #include "flash_map_backend/flash_map_backend.h" @@ -525,7 +526,10 @@ int main(void) #endif #endif - FIH_CALL(boot_go, fih_rc, &rsp); + BOOT_HOOK_GO_CALL_FIH(boot_go_hook, FIH_BOOT_HOOK_REGULAR, fih_rc, &rsp); + if (FIH_EQ(fih_rc, FIH_BOOT_HOOK_REGULAR)) { + FIH_CALL(boot_go, fih_rc, &rsp); + } #ifdef CONFIG_BOOT_SERIAL_BOOT_MODE if (io_detect_boot_mode()) { From 2aa6da15a3878d65c7258d98d5640c16474e0eda Mon Sep 17 00:00:00 2001 From: Ederson de Souza Date: Fri, 20 Dec 2024 13:00:13 -0800 Subject: [PATCH 046/228] boot: Add flash area ID/device ID retrieval hooks For users that customise (for instance, via boot_go() hook) from where images are being loaded from, having those hardcoded to `slot_partitionX` (when using Zephyr) can be problematic. New hooks, `flash_area_id_from_multi_image_slot_hook` and `flash_area_get_device_id_hook` allow some customisation around these processes. Support for these hooks is shielded by a different configuration than other hooks - MCUBOOT_FLASH_AREA_HOOKS, so that it can be enabled independently from other available hooks. Support for this new hook was added to the Zephyr port. Signed-off-by: Ederson de Souza --- boot/bootutil/include/bootutil/boot_hooks.h | 40 +++++++++++++++++++ boot/zephyr/Kconfig | 18 +++++++++ boot/zephyr/flash_map_extended.c | 19 +++++++++ .../include/mcuboot_config/mcuboot_config.h | 4 ++ 4 files changed, 81 insertions(+) diff --git a/boot/bootutil/include/bootutil/boot_hooks.h b/boot/bootutil/include/bootutil/boot_hooks.h index 4cbc7d5f5..ef7a89b28 100644 --- a/boot/bootutil/include/bootutil/boot_hooks.h +++ b/boot/bootutil/include/bootutil/boot_hooks.h @@ -82,6 +82,17 @@ #endif /* MCUBOOT_BOOT_GO_HOOKS */ +#ifdef MCUBOOT_FLASH_AREA_HOOKS + +#define BOOT_HOOK_FLASH_AREA_CALL(f, ret_default, ...) \ + DO_HOOK_CALL(f, ret_default, __VA_ARGS__) + +#else + +#define BOOT_HOOK_FLASH_AREA_CALL(f, ret_default, ...) \ + HOOK_CALL_NOP(f, ret_default, __VA_ARGS__) + +#endif /* MCUBOOT_FLASH_AREA_ID_HOOKS */ /** Hook for provide image header data. * @@ -215,6 +226,35 @@ int boot_reset_request_hook(bool force); */ fih_ret boot_go_hook(struct boot_rsp *rsp); +/** + * Hook to implement custom action before retrieving flash area ID. + * + * @param image_index the index of the image pair + * @param slot slot number + * @param area_id the flash area ID to be populated + * + * @retval 0 the flash area ID was fetched successfully; + * BOOT_HOOK_REGULAR follow the normal execution path to get the flash + * area ID; + * otherwise an error-code value. + */ +int flash_area_id_from_multi_image_slot_hook(int image_index, int slot, + int *area_id); + +/** + * Hook to implement custom action before retrieving flash area device ID. + * + * @param fa the flash area structure + * @param device_id the device ID to be populated + * + * @retval 0 the device ID was fetched successfully; + * BOOT_HOOK_REGULAR follow the normal execution path to get the device + * ID; + * otherwise an error-code value. + */ +int flash_area_get_device_id_hook(const struct flash_area *fa, + uint8_t *device_id); + #define BOOT_RESET_REQUEST_HOOK_BUSY 1 #define BOOT_RESET_REQUEST_HOOK_TIMEOUT 2 #define BOOT_RESET_REQUEST_HOOK_CHECK_FAILED 3 diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 1bb27786f..9afd292b0 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -472,6 +472,17 @@ config BOOT_IMAGE_EXECUTABLE_RAM_SIZE default $(dt_chosen_reg_size_int,$(DT_CHOSEN_Z_SRAM),0) endif +config FLASH_RUNTIME_SOURCES + bool "Images are read from flash partitions defined at runtime" + depends on SINGLE_APPLICATION_SLOT + help + Instead of using information on the flash slots to decide which images + to load/update, the application provides the information from which + flash slot to load in runtime. This is useful when the application + reads the state for hardware straps or other sources to decide which + image to load. Usually, application will provide a boot_go_hook() to + decide which image to load. + config BOOT_ENCRYPTION_SUPPORT bool help @@ -862,6 +873,13 @@ config BOOT_GO_HOOKS MCUboot's boot_go routine. It is up to the project customization to add required source files to the build. +config BOOT_FLASH_AREA_HOOKS + bool "Enable hooks for overriding MCUboot's flash area routines" + help + Allow to provide procedures for override or extend native + MCUboot's flash area routines. It is up to the project customization to + add required source files to the build. + config MCUBOOT_ACTION_HOOKS bool "Enable hooks for responding to MCUboot status changes" help diff --git a/boot/zephyr/flash_map_extended.c b/boot/zephyr/flash_map_extended.c index bf0d8f191..4a29750f7 100644 --- a/boot/zephyr/flash_map_extended.c +++ b/boot/zephyr/flash_map_extended.c @@ -14,7 +14,9 @@ #include #include +#include "bootutil/boot_hooks.h" #include "bootutil/bootutil_log.h" +#include "bootutil/bootutil_public.h" BOOT_LOG_MODULE_DECLARE(mcuboot); @@ -58,6 +60,14 @@ int flash_device_base(uint8_t fd_id, uintptr_t *ret) */ int flash_area_id_from_multi_image_slot(int image_index, int slot) { + int rc, id; + + rc = BOOT_HOOK_FLASH_AREA_CALL(flash_area_id_from_multi_image_slot_hook, + BOOT_HOOK_REGULAR, image_index, slot, &id); + if (rc != BOOT_HOOK_REGULAR) { + return id; + } + switch (slot) { case 0: return FLASH_AREA_IMAGE_PRIMARY(image_index); #if !defined(CONFIG_SINGLE_APPLICATION_SLOT) @@ -138,6 +148,15 @@ int flash_area_sector_from_off(off_t off, struct flash_sector *sector) uint8_t flash_area_get_device_id(const struct flash_area *fa) { + uint8_t device_id; + int rc; + + rc = BOOT_HOOK_FLASH_AREA_CALL(flash_area_get_device_id_hook, + BOOT_HOOK_REGULAR, fa, &device_id); + if (rc != BOOT_HOOK_REGULAR) { + return device_id; + } + #if defined(CONFIG_ARM) return fa->fa_id; #else diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index e568dee7b..b5fcf82b4 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -246,6 +246,10 @@ #define MCUBOOT_BOOT_GO_HOOKS #endif +#ifdef CONFIG_BOOT_FLASH_AREA_HOOKS +#define MCUBOOT_FLASH_AREA_HOOKS +#endif + #ifdef CONFIG_MCUBOOT_VERIFY_IMG_ADDRESS #define MCUBOOT_VERIFY_IMG_ADDRESS #endif From 1017c43b18c5c3104d6ce8a40a29b91b44a5d17b Mon Sep 17 00:00:00 2001 From: Ederson de Souza Date: Wed, 7 Aug 2024 08:34:26 -0700 Subject: [PATCH 047/228] samples: Add a sample for runtime chosen image A sample for runtime chose image on FRDM K64F. It provides implementation for boot_go and flash area id related hooks, showing how an external module implementing hooks can influence which images end up being booted on the platform. In this sample, one can influence from which slot image will be loaded by pressing a button on the board. For more details on how to build and test the samples, check the provided README.md. Signed-off-by: Ederson de Souza Signed-off-by: Tom Burdick --- samples/runtime-source/zephyr/README.md | 55 +++++++++ .../runtime-source/zephyr/app/CMakeLists.txt | 14 +++ .../zephyr/app/boards/frdm_k64f.overlay | 5 + samples/runtime-source/zephyr/app/prj.conf | 3 + samples/runtime-source/zephyr/app/src/main.c | 15 +++ .../zephyr/hooks/CMakeLists.txt | 3 + samples/runtime-source/zephyr/hooks/hooks.c | 114 ++++++++++++++++++ .../zephyr/hooks/zephyr/module.yml | 3 + samples/runtime-source/zephyr/sample.conf | 8 ++ 9 files changed, 220 insertions(+) create mode 100644 samples/runtime-source/zephyr/README.md create mode 100644 samples/runtime-source/zephyr/app/CMakeLists.txt create mode 100644 samples/runtime-source/zephyr/app/boards/frdm_k64f.overlay create mode 100644 samples/runtime-source/zephyr/app/prj.conf create mode 100644 samples/runtime-source/zephyr/app/src/main.c create mode 100644 samples/runtime-source/zephyr/hooks/CMakeLists.txt create mode 100644 samples/runtime-source/zephyr/hooks/hooks.c create mode 100644 samples/runtime-source/zephyr/hooks/zephyr/module.yml create mode 100644 samples/runtime-source/zephyr/sample.conf diff --git a/samples/runtime-source/zephyr/README.md b/samples/runtime-source/zephyr/README.md new file mode 100644 index 000000000..e30c0b906 --- /dev/null +++ b/samples/runtime-source/zephyr/README.md @@ -0,0 +1,55 @@ +# Runtime chosen image sample application + +This sample demonstrates how to use a non flash storage to retrieve the image +being booted. It was tested on a FRDM K64F. Both slots are used to store two +different images. The image to be booted is selected based on a button press. + +## Build + +Build mcuboot. First, ensure ZEPHYR_SDK_INSTALL_DIR is defined. From the +sample directory, run the following commands: + +``` + source /zephyr-env.sh + + west build -p -b frdm_k64f ../../../boot/zephyr/ -- \ + -DEXTRA_ZEPHYR_MODULES=$PWD/hooks -DEXTRA_CONF_FILE="$PWD/sample.conf" + + west build -t flash +``` + +Then, build the sample application to be loaded. We need to build it twice, one +for each slot. From the sample +app directory (mcuboot/samples/non-flash-source/zephyr/app), run: + +``` + west build -p -b frdm_k64f . + west flash +``` + +Then change the overlay file to use the second slot. For instance, open +`boards/frdm_k64f.overlay` and change the line: + +``` + zephyr,code-partition = &slot0_partition; + +``` + +to: + +``` + zephyr,code-partition = &slot1_partition; +``` + +And build and flash again: + +``` + west build -b frdm_k64f . + west flash +``` + +## Run + +Open a serial terminal to see the output and reset the board. It shall boot the +image on slot0 by default. By keeping the SW2 button pressed during reset, the +bootloader will boot the one on slot1. diff --git a/samples/runtime-source/zephyr/app/CMakeLists.txt b/samples/runtime-source/zephyr/app/CMakeLists.txt new file mode 100644 index 000000000..63d893340 --- /dev/null +++ b/samples/runtime-source/zephyr/app/CMakeLists.txt @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: Apache-2.0 + +cmake_minimum_required(VERSION 3.20.0) + +find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) +project(non_flash_backend_app) + +if(NOT DEFINED FROM_WHO) + set(FROM_WHO Zephyr) +endif() + +target_compile_definitions(app PRIVATE "-DMCUBOOT_HELLO_WORLD_FROM=\"${FROM_WHO}\"") + +target_sources(app PRIVATE src/main.c) diff --git a/samples/runtime-source/zephyr/app/boards/frdm_k64f.overlay b/samples/runtime-source/zephyr/app/boards/frdm_k64f.overlay new file mode 100644 index 000000000..364d7e35e --- /dev/null +++ b/samples/runtime-source/zephyr/app/boards/frdm_k64f.overlay @@ -0,0 +1,5 @@ +/ { + chosen { + zephyr,code-partition = &slot0_partition; + }; +}; diff --git a/samples/runtime-source/zephyr/app/prj.conf b/samples/runtime-source/zephyr/app/prj.conf new file mode 100644 index 000000000..bf0ea6a28 --- /dev/null +++ b/samples/runtime-source/zephyr/app/prj.conf @@ -0,0 +1,3 @@ +CONFIG_BOOTLOADER_MCUBOOT=y + +CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="./bootloader/mcuboot/root-rsa-2048.pem" diff --git a/samples/runtime-source/zephyr/app/src/main.c b/samples/runtime-source/zephyr/app/src/main.c new file mode 100644 index 000000000..03e16e2cf --- /dev/null +++ b/samples/runtime-source/zephyr/app/src/main.c @@ -0,0 +1,15 @@ +/* + * Copyright (c) 2024 Intel Corporation + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include +#include + +int main(void) +{ + printk("Hello World from %s on %s, slot %s!\n", + MCUBOOT_HELLO_WORLD_FROM, CONFIG_BOARD, + DT_PROP(DT_CHOSEN(zephyr_code_partition), label)); +} diff --git a/samples/runtime-source/zephyr/hooks/CMakeLists.txt b/samples/runtime-source/zephyr/hooks/CMakeLists.txt new file mode 100644 index 000000000..d7d05669b --- /dev/null +++ b/samples/runtime-source/zephyr/hooks/CMakeLists.txt @@ -0,0 +1,3 @@ +zephyr_library() +zephyr_library_sources(hooks.c) +zephyr_library_link_libraries(MCUBOOT_BOOTUTIL) diff --git a/samples/runtime-source/zephyr/hooks/hooks.c b/samples/runtime-source/zephyr/hooks/hooks.c new file mode 100644 index 000000000..849ce8014 --- /dev/null +++ b/samples/runtime-source/zephyr/hooks/hooks.c @@ -0,0 +1,114 @@ +/* + * Copyright (c) 2024 Intel Corporation + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include +#include + +#include "bootutil/bootutil.h" +#include "bootutil/bootutil_public.h" +#include "bootutil/fault_injection_hardening.h" + +#define BOOT_TMPBUF_SZ 256 + +static struct image_header _hdr; +static uint8_t tmpbuf[BOOT_TMPBUF_SZ]; + +static uint8_t known_ids[] = { + FIXED_PARTITION_ID(slot0_partition), + FIXED_PARTITION_ID(slot1_partition), +}; + +static int current_id; + +#define SW1_NODE DT_ALIAS(sw1) +#if DT_NODE_HAS_STATUS(SW1_NODE, okay) +static struct gpio_dt_spec sw1_spec = GPIO_DT_SPEC_GET(SW1_NODE, gpios); +#endif + +fih_ret boot_go_hook(struct boot_rsp *rsp) +{ + int rc; +#ifdef MCUBOOT_RAM_LOAD + struct boot_loader_state *state; +#endif + FIH_DECLARE(fih_rc, FIH_FAILURE); + const struct flash_area *_fa_p; + + current_id = 0; + +#if DT_NODE_HAS_STATUS(SW1_NODE, okay) + if (gpio_pin_configure_dt(&sw1_spec, GPIO_INPUT) == 0) { + if (gpio_pin_get_dt(&sw1_spec) == 1) { + current_id = ARRAY_SIZE(known_ids) - 1; + printk("%s pressed, forcing boot from partition %u\n", + sw1_spec.port->name, known_ids[current_id]); + } else { + printk("%s not pressed, looping partitions to boot\n", + sw1_spec.port->name); + } + } +#else + printk("SW1 not defined, looping partitions to boot\n"); +#endif + + for ( ; current_id < ARRAY_SIZE(known_ids); current_id++) { + printk("Trying to boot from fixed partition %u\n", + known_ids[current_id]); + + rc = flash_area_open(known_ids[current_id], &_fa_p); + if (rc != 0) { + continue; + } + + rc = boot_image_load_header(_fa_p, &_hdr); + if (rc != 0) { + flash_area_close(_fa_p); + continue; + } + +#ifdef MCUBOOT_RAM_LOAD + state = boot_get_loader_state(); + + rc = boot_load_image_from_flash_to_sram(state, &_hdr); + if (rc != 0) { + flash_area_close(_fa_p); + continue; + } +#endif + + FIH_CALL(bootutil_img_validate, fih_rc, NULL, &_hdr, _fa_p, tmpbuf, + BOOT_TMPBUF_SZ, NULL, 0, NULL); + if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { + flash_area_close(_fa_p); +#ifdef MCUBOOT_RAM_LOAD + boot_remove_image_from_sram(state); +#endif + continue; + } + + rsp->br_flash_dev_id = flash_area_get_device_id(_fa_p); + rsp->br_image_off = flash_area_get_off(_fa_p); + rsp->br_hdr = &_hdr; + + flash_area_close(_fa_p); + break; + } + + FIH_RET(fih_rc); +} + +int flash_area_id_from_multi_image_slot_hook(int image_index, int slot, + int *area_id) +{ + *area_id = known_ids[current_id]; + + return 0; +} + +int flash_area_get_device_id_hook(const struct flash_area *fa, uint8_t *dev_id) +{ + return BOOT_HOOK_REGULAR; +} diff --git a/samples/runtime-source/zephyr/hooks/zephyr/module.yml b/samples/runtime-source/zephyr/hooks/zephyr/module.yml new file mode 100644 index 000000000..2beee397c --- /dev/null +++ b/samples/runtime-source/zephyr/hooks/zephyr/module.yml @@ -0,0 +1,3 @@ +name: testmod +build: + cmake: . diff --git a/samples/runtime-source/zephyr/sample.conf b/samples/runtime-source/zephyr/sample.conf new file mode 100644 index 000000000..fc9764ae0 --- /dev/null +++ b/samples/runtime-source/zephyr/sample.conf @@ -0,0 +1,8 @@ +CONFIG_FLASH_RUNTIME_SOURCES=y +CONFIG_SINGLE_APPLICATION_SLOT=y +CONFIG_BOOT_SIGNATURE_TYPE_RSA=y +CONFIG_TEST_RANDOM_GENERATOR=y +CONFIG_ENTROPY_GENERATOR=y + +CONFIG_BOOT_GO_HOOKS=y +CONFIG_BOOT_FLASH_AREA_HOOKS=y From 7c620b9d8ab39501163a9b636bb4e57386de7207 Mon Sep 17 00:00:00 2001 From: Ederson de Souza Date: Mon, 6 Jan 2025 15:57:18 -0800 Subject: [PATCH 048/228] samples/runtime-source: Make it buildable on twister This sample has two parts: hooks for an mcuboot instance and a target application. For the first, a new entry at boot/zephyr/sample.yaml is added as well as a corresponding change at boot/zephyr/CMakeLists.txt to include the hook as a module. For the second, added a sample.yaml as well as invoke it from the github workflow. Signed-off-by: Ederson de Souza --- .github/workflows/zephyr_build.yaml | 1 + boot/zephyr/CMakeLists.txt | 6 ++++++ boot/zephyr/sample.yaml | 6 ++++++ samples/runtime-source/zephyr/app/sample.yaml | 10 ++++++++++ 4 files changed, 23 insertions(+) create mode 100644 samples/runtime-source/zephyr/app/sample.yaml diff --git a/.github/workflows/zephyr_build.yaml b/.github/workflows/zephyr_build.yaml index e1ef4631d..a3826fb31 100644 --- a/.github/workflows/zephyr_build.yaml +++ b/.github/workflows/zephyr_build.yaml @@ -87,6 +87,7 @@ jobs: -T ../bootloader/mcuboot/boot/zephyr -T ./tests/subsys/dfu -T ./samples/subsys/mgmt/mcumgr/smp_svr + -T ../bootloader/mcuboot/samples/runtime-source/zephyr/app run: | export ZEPHYR_BASE=${PWD} export ZEPHYR_TOOLCHAIN_VARIANT=zephyr diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index b4d4860a9..b332000da 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -7,6 +7,12 @@ cmake_minimum_required(VERSION 3.13.1) +# This sample shows usage of an external module and we need to set the +# set the extra module path before calling find_package(Zephyr). +if(TEST_RUNTIME_SOURCE_HOOKS) + set(EXTRA_ZEPHYR_MODULES "${CMAKE_SOURCE_DIR}/../../samples/runtime-source/zephyr/hooks") +endif() + # find_package(Zephyr) in order to load application boilerplate: # http://docs.zephyrproject.org/application/application.html find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) diff --git a/boot/zephyr/sample.yaml b/boot/zephyr/sample.yaml index 924f950ca..bf5bc93ea 100644 --- a/boot/zephyr/sample.yaml +++ b/boot/zephyr/sample.yaml @@ -96,3 +96,9 @@ tests: integration_platforms: - nrf52840dk/nrf52840 tags: bootloader_mcuboot + sample.bootloader.mcuboot.runtime_source.hooks: + extra_args: EXTRA_CONF_FILE=../../samples/runtime-source/zephyr/sample.conf + TEST_RUNTIME_SOURCE_HOOKS=y + tags: bootloader_mcuboot runtime_source + platform_allow: frdm_k64f + build_only: true diff --git a/samples/runtime-source/zephyr/app/sample.yaml b/samples/runtime-source/zephyr/app/sample.yaml new file mode 100644 index 000000000..ed90d7d69 --- /dev/null +++ b/samples/runtime-source/zephyr/app/sample.yaml @@ -0,0 +1,10 @@ +sample: + name: Runtime source target + description: Application loaded from mcuboot using runtime source hooks +common: + build_only: true +tests: + sample.zephyr.runtime_source.app: + tags: samples tests runtime_source + platform_allow: + - frdm_k64f From 346f7374ff4467e40b5594658f8ac67a5e9813c9 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Wed, 12 Feb 2025 18:09:35 +0100 Subject: [PATCH 049/228] boot: bootutil: Use BOOT_IMG_AREA to get boot_loader_state area There have been invocations of BOOT_IMG(...).area used where BOOT_IMG_AREA could be used to obtain the same result. Signed-off-by: Dominik Ermel --- boot/bootutil/src/bootutil_priv.h | 2 +- boot/bootutil/src/loader.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/boot/bootutil/src/bootutil_priv.h b/boot/bootutil/src/bootutil_priv.h index 01ec23fc1..b3bb99842 100644 --- a/boot/bootutil/src/bootutil_priv.h +++ b/boot/bootutil/src/bootutil_priv.h @@ -433,7 +433,7 @@ boot_img_num_sectors(const struct boot_loader_state *state, size_t slot) static inline uint32_t boot_img_slot_off(struct boot_loader_state *state, size_t slot) { - return flash_area_get_off(BOOT_IMG(state, slot).area); + return flash_area_get_off(BOOT_IMG_AREA(state, slot)); } #ifndef MCUBOOT_USE_FLASH_AREA_GET_SECTORS diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index a7e72855d..e6ca0738e 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -2218,7 +2218,7 @@ check_downgrade_prevention(struct boot_loader_state *state) if (MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER) { /* If there was security no counter in slot 0, allow swap */ rc = bootutil_get_img_security_cnt(state, BOOT_PRIMARY_SLOT, - BOOT_IMG(state, 0).area, + BOOT_IMG_AREA(state, 0), &security_counter[0]); if (rc != 0) { return 0; @@ -2226,7 +2226,7 @@ check_downgrade_prevention(struct boot_loader_state *state) /* If there is no security counter in slot 1, or it's lower than * that of slot 0, prevent downgrade */ rc = bootutil_get_img_security_cnt(state, BOOT_SECONDARY_SLOT, - BOOT_IMG(state, 1).area, + BOOT_IMG_AREA(state, 1), &security_counter[1]); if (rc != 0 || security_counter[0] > security_counter[1]) { rc = -1; @@ -2239,8 +2239,8 @@ check_downgrade_prevention(struct boot_loader_state *state) if (rc < 0) { /* Image in slot 0 prevents downgrade, delete image in slot 1 */ BOOT_LOG_INF("Image %d in slot 1 erased due to downgrade prevention", BOOT_CURR_IMG(state)); - flash_area_erase(BOOT_IMG(state, 1).area, 0, - flash_area_get_size(BOOT_IMG(state, 1).area)); + flash_area_erase(BOOT_IMG_AREA(state, 1), 0, + flash_area_get_size(BOOT_IMG_AREA(state, 1))); } else { rc = 0; } From 92422ca800a18a81240bab5910c0fadd3bda88da Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Thu, 12 Dec 2024 14:04:06 +0100 Subject: [PATCH 050/228] mynewt: Add flash_sector_get_size Getter for sector size stored in flash_sector object. Signed-off-by: Dominik Ermel --- .../include/flash_map_backend/flash_map_backend.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/boot/mynewt/flash_map_backend/include/flash_map_backend/flash_map_backend.h b/boot/mynewt/flash_map_backend/include/flash_map_backend/flash_map_backend.h index 368651019..5adea1a1a 100644 --- a/boot/mynewt/flash_map_backend/include/flash_map_backend/flash_map_backend.h +++ b/boot/mynewt/flash_map_backend/include/flash_map_backend/flash_map_backend.h @@ -83,4 +83,9 @@ static inline uint32_t flash_sector_get_off(const struct flash_sector *fs) return fs->fs_off; } +static inline uint32_t flash_sector_get_size(const struct flash_sector *fs) +{ + return fs->fs_size; +} + #endif /* __FLASH_MAP_BACKEND_H__ */ From e02568939c8698f4eff197281a394f2eb12c31dc Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 11 Nov 2024 14:31:57 +0100 Subject: [PATCH 051/228] bootutil: Add support for devices without erase and reduced erases The commit adds two MCUboot configuration options: - MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE - MCUBOOT_SUPPORT_DEV_WITH_ERASE - MCUBOOT_MINIMAL_SCRAMBLE The first one should be enabled to support devices that do not require erase. When such devices are used in system then MCUboot will avoid erasing such device, which is not needed by hardware, and will just write data to it. This allows to both improve device lifetime and reduce time of operations like swap. The second option is just bringing a configuration option for already existing support for deviceses with erase. The third option allows to reduce amount of removed data. When enabled, MCUboot will remove enough of data, depending on the purpose of the removal, to just fulfill the purpose; for example if removal of data is done to make image unrecognizable for MCUboot, with this option, it will only remove header. Signed-off-by: Dominik Ermel --- boot/boot_serial/src/boot_serial.c | 4 +- boot/boot_serial/src/boot_serial_encryption.c | 2 +- boot/bootutil/src/bootutil_misc.c | 68 ++++++ boot/bootutil/src/bootutil_priv.h | 36 +++ boot/bootutil/src/loader.c | 213 +++++++++++++++++- boot/bootutil/src/ram_load.c | 2 +- boot/bootutil/src/swap_misc.c | 108 ++++++--- boot/bootutil/src/swap_move.c | 11 +- boot/bootutil/src/swap_offset.c | 12 +- boot/bootutil/src/swap_priv.h | 11 + boot/bootutil/src/swap_scratch.c | 4 +- 11 files changed, 408 insertions(+), 63 deletions(-) diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c index 9ddc712de..a9c0630c8 100644 --- a/boot/boot_serial/src/boot_serial.c +++ b/boot/boot_serial/src/boot_serial.c @@ -856,7 +856,7 @@ static off_t erase_range(const struct flash_area *fap, off_t start, off_t end) BOOT_LOG_DBG("Erasing range 0x%jx:0x%jx", (intmax_t)start, (intmax_t)(start + size - 1)); - rc = flash_area_erase(fap, start, size); + rc = boot_erase_region(fap, start, size); if (rc != 0) { BOOT_LOG_ERR("Error %d while erasing range", rc); return -EINVAL; @@ -1000,7 +1000,7 @@ bs_upload(char *buf, int len) /* Non-progressive erase erases entire image slot when first chunk of * an image is received. */ - rc = flash_area_erase(fap, 0, area_size); + rc = boot_erase_region(fap, 0, area_size); if (rc) { goto out_invalid_data; } diff --git a/boot/boot_serial/src/boot_serial_encryption.c b/boot/boot_serial/src/boot_serial_encryption.c index 744b22312..81af6b850 100644 --- a/boot/boot_serial/src/boot_serial_encryption.c +++ b/boot/boot_serial/src/boot_serial_encryption.c @@ -187,7 +187,7 @@ decrypt_region_inplace(struct boot_loader_state *state, (off + bytes_copied + idx) - hdr->ih_hdr_size, blk_sz, blk_off, &buf[idx]); } - rc = flash_area_erase(fap, off + bytes_copied, chunk_sz); + rc = boot_erase_region(fap, off + bytes_copied, chunk_sz); if (rc != 0) { return BOOT_EFLASH; } diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c index 97b1e94fe..08cf5971d 100644 --- a/boot/bootutil/src/bootutil_misc.c +++ b/boot/bootutil/src/bootutil_misc.c @@ -135,6 +135,74 @@ boot_trailer_sz(uint32_t min_write_sz) return boot_status_sz(min_write_sz) + boot_trailer_info_sz(); } +int boot_trailer_scramble_offset(const struct flash_area *fa, size_t alignment, + size_t *off) +{ + int ret = 0; + + /* Not allowed to enforce alignment smaller than device allows */ + if (alignment < flash_area_align(fa)) { + alignment = flash_area_align(fa); + } + + if (device_requires_erase(fa)) { + /* For device requiring erase align to erase unit */ + struct flash_sector sector; + + ret = flash_area_get_sector(fa, flash_area_get_size(fa) - boot_trailer_sz(alignment), + §or); + if (ret < 0) { + return ret; + } + + *off = flash_sector_get_off(§or); + } else { + /* For device not requiring erase align to write block */ + *off = flash_area_get_size(fa) - ALIGN_DOWN(boot_trailer_sz(alignment), alignment); + } + + return ret; +} + +int boot_header_scramble_off_sz(const struct flash_area *fa, int slot, size_t *off, + size_t *size) +{ + int ret = 0; + const size_t write_block = flash_area_align(fa); + size_t loff = 0; + struct flash_sector sector; + + (void)slot; +#if defined(MCUBOOT_SWAP_USING_OFFSET) + /* In case of swap offset, header of secondary slot image is positioned + * in second sector of slot. + */ + if (slot == BOOT_SECONDARY_SLOT) { + ret = flash_area_get_sector(fa, 0, §or); + if (ret < 0) { + return ret; + } + loff = flash_sector_get_off(§or); + } +#endif + + if (device_requires_erase(fa)) { + /* For device requiring erase align to erase unit */ + ret = flash_area_get_sector(fa, loff, §or); + if (ret < 0) { + return ret; + } + + *size = flash_sector_get_size(§or); + } else { + /* For device not requiring erase align to write block */ + *size = ALIGN_UP(sizeof(((struct image_header *)0)->ih_magic), write_block); + } + *off = loff; + + return ret; +} + #if MCUBOOT_SWAP_USING_SCRATCH /* * Similar to `boot_trailer_sz` but this function returns the space used to diff --git a/boot/bootutil/src/bootutil_priv.h b/boot/bootutil/src/bootutil_priv.h index b3bb99842..2ae2ae1a0 100644 --- a/boot/bootutil/src/bootutil_priv.h +++ b/boot/bootutil/src/bootutil_priv.h @@ -301,6 +301,16 @@ int boot_find_status(int image_index, const struct flash_area **fap); int boot_magic_compatible_check(uint8_t tbl_val, uint8_t val); uint32_t boot_status_sz(uint32_t min_write_sz); uint32_t boot_trailer_sz(uint32_t min_write_sz); +/* Get offset of trailer aligned to either device erase unit or alignment + * depending on whether device has erase or not. + */ +int boot_trailer_scramble_offset(const struct flash_area *fa, size_t alignment, + size_t *off); +/* Get size of header aligned to device erase unit or write block, + * depending on whether device has erase or not. + */ +int boot_header_scramble_off_sz(const struct flash_area *fa, int slot, size_t *off, + size_t *size); int boot_status_entries(int image_index, const struct flash_area *fap); uint32_t boot_status_off(const struct flash_area *fap); int boot_read_swap_state(const struct flash_area *fap, @@ -334,7 +344,19 @@ int boot_copy_region(struct boot_loader_state *state, const struct flash_area *fap_dst, uint32_t off_src, uint32_t off_dst, uint32_t sz); #endif +/* Prepare for write device that requires erase prior to write. This will + * do nothing on devices without erase requirement. + */ int boot_erase_region(const struct flash_area *fap, uint32_t off, uint32_t sz); +/* Similar to boot_erase_region but will always remove data */ +int boot_scramble_region(const struct flash_area *fap, uint32_t off, uint32_t sz); +/* Similar to boot_scramble_region but works backwards */ +int boot_scramble_region_backwards(const struct flash_area *fap, uint32_t off, uint32_t sz); +/* Makes slot unbootable, either by scrambling header magic, header sector + * or entire slot, depending on settings. + * Note: slot is passed here becuase at this point there is no function + * matching flash_area object to slot */ +int boot_scramble_slot(const struct flash_area *fap, int slot); bool boot_status_is_reset(const struct boot_status *bs); #ifdef MCUBOOT_ENC_IMAGES @@ -516,6 +538,20 @@ uint32_t bootutil_max_image_size(const struct flash_area *fap); int boot_read_image_size(struct boot_loader_state *state, int slot, uint32_t *size); +/* Helper macro to avoid compile errors with systems that do not + * provide function to check device type. + * Note: it used to be inline, but somehow compiler would not + * optimize out branches that were impossible when this evaluated to + * just "true". + */ +#if defined(MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE) && defined(MCUBOOT_SUPPORT_DEV_WITH_ERASE) +#define device_requires_erase(fa) (flash_area_erase_required(fa)) +#elif defined(MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE) +#define device_requires_erase(fa) (false) +#else +#define device_requires_erase(fa) (true) +#endif + #ifdef __cplusplus } #endif diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index e6ca0738e..61b71fc60 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1051,7 +1051,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, * is erased. */ if (slot != BOOT_PRIMARY_SLOT) { - swap_erase_trailer_sectors(state, fap); + swap_scramble_trailer_sectors(state, fap); #if defined(MCUBOOT_SWAP_USING_MOVE) if (bs->swap_type == BOOT_SWAP_TYPE_REVERT || @@ -1063,7 +1063,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, &fap_pri); if (rc == 0) { - rc = swap_erase_trailer_sectors(state, fap_pri); + rc = swap_scramble_trailer_sectors(state, fap_pri); flash_area_close(fap_pri); if (rc == 0) { @@ -1109,7 +1109,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); if (rc < 0 && boot_check_header_erased(state, BOOT_PRIMARY_SLOT)) { BOOT_LOG_ERR("insufficient version in secondary slot"); - flash_area_erase(fap, 0, flash_area_get_size(fap)); + boot_scramble_slot(fap, slot); /* Image in the secondary slot does not satisfy version requirement. * Erase the image and continue booting from the primary slot. */ @@ -1132,7 +1132,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, #endif if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { if ((slot != BOOT_PRIMARY_SLOT) || ARE_SLOTS_EQUIVALENT()) { - flash_area_erase(fap, 0, flash_area_get_size(fap)); + boot_scramble_slot(fap, slot); /* Image is invalid, erase it to prevent further unnecessary * attempts to validate and boot it. */ @@ -1173,7 +1173,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, * * Erase the image and continue booting from the primary slot. */ - flash_area_erase(fap, 0, fap->fa_size); + boot_scramble_slot(fap, slot); fih_rc = FIH_NO_BOOTABLE_IMAGE; goto out; } @@ -1267,11 +1267,12 @@ boot_validated_swap_type(struct boot_loader_state *state, #endif /** - * Erases a region of flash. + * Erases a region of device that requires erase prior to write; does + * nothing on devices without erase. * - * @param flash_area The flash_area containing the region to erase. + * @param fap The flash_area containing the region to erase. * @param off The offset within the flash area to start the - * erase. + * erase. * @param sz The number of bytes to erase. * * @return 0 on success; nonzero on failure. @@ -1279,7 +1280,197 @@ boot_validated_swap_type(struct boot_loader_state *state, int boot_erase_region(const struct flash_area *fap, uint32_t off, uint32_t sz) { - return flash_area_erase(fap, off, sz); + if (device_requires_erase(fap)) { + return flash_area_erase(fap, off, sz); + } + return 0; +} + +/** + * Removes data from specified region either by writing erase value in place of + * data or by doing erase, if device has such hardware requirement. + * Note that function will fail if off or size are not aligned to device + * write block size or erase block size. + * + * @param fa The flash_area containing the region to erase. + * @param off The offset within the flash area to start the + * erase. + * @param size The number of bytes to erase. + * + * @return 0 on success; nonzero on failure. + */ +int +boot_scramble_region(const struct flash_area *fa, uint32_t off, uint32_t size) +{ + int ret = 0; + + if (size == 0) { + return 0; + } + + if (device_requires_erase(fa)) { + return flash_area_erase(fa, off, size); + } else { + uint8_t buf[BOOT_MAX_ALIGN]; + size_t size_done = 0; + const size_t write_block = flash_area_align(fa); + + memset(buf, flash_area_erased_val(fa), sizeof(buf)); + + while (size_done < size) { + ret = flash_area_write(fa, size_done + off, buf, write_block); + if (ret != 0) { + break; + } + size_done += write_block; + } + } + return ret; +} + +/** + * Removes data from specified region backwards either by writing erase_value + * in place of data or by doing erase, if device has such hardware requirement. + * Note that function will fail if off or size are not aligned to device + * write block size or erase block size. + * + * @param fa The flash_area containing the region to erase. + * @param off The offset within the flash area to start the + * erase. + * @param size The number of bytes to erase. + * + * @return 0 on success; nonzero on failure. + */ +int boot_scramble_region_backwards(const struct flash_area *fa, uint32_t off, uint32_t size) +{ + int ret = 0; + uint32_t first_offset = 0; + + if (size == 0) { + return 0; + } + + if (off >= flash_area_get_size(fa) || (flash_area_get_size(fa) - off) < size) { + return -1; + } + + if (device_requires_erase(fa)) { + struct flash_sector sector; + + /* Get the lowest erased page offset first */ + ret = flash_area_get_sector(fa, off, §or); + if (ret < 0) { + return ret; + } + first_offset = flash_sector_get_off(§or); + + /* Set boundary condition, the highest probable offset to erase, within + * last sector to erase + */ + off += size - 1; + + while (true) { + /* Size to read in this iteration */ + size_t csize; + + /* Get current sector and, also, correct offset */ + ret = flash_area_get_sector(fa, off, §or); + if (ret < 0) { + return ret; + } + + /* Corrected offset and size of current sector to erase */ + off = flash_sector_get_off(§or); + csize = flash_sector_get_size(§or); + + ret = flash_area_erase(fa, off, csize); + if (ret < 0) { + return ret; + } + + if (first_offset >= off) { + /* Reached the first offsset in range and already erased it */ + break; + } + + /* Move down to previous sector, the flash_area_get_sector will + * correct the value to real page offset + */ + off -= 1; + } + } else { + uint8_t buf[BOOT_MAX_ALIGN]; + const size_t write_block = flash_area_align(fa); + uint32_t first_offset = ALIGN_DOWN(off, write_block); + + memset(buf, flash_area_erased_val(fa), sizeof(buf)); + + /* Starting at the last write block in range */ + off += size - write_block; + + while (true) { + /* Write over the area to scramble data that is there */ + ret = flash_area_write(fa, off, buf, write_block); + if (ret != 0) { + break; + } + + if (first_offset >= off) { + /* Reached the first offset in range and already scrambled it */ + break; + } + + off -= write_block; + } + } + return ret; +} + +/** + * Remove enough data from slot to mark is as unused + * Assumption: header and trailer are not overlapping on write block or + * erase block, if device has erase requirement. + * Note that this function is intended for removing data not preparing device + * for write. + * + * @param fa Pointer to flash area object for slot + * @param slot Slot the @p fa represents + * + * @return 0 on success; nonzero on failure. + */ +int +boot_scramble_slot(const struct flash_area *fa, int slot) +{ + size_t size; + int ret = 0; + + (void)slot; + + /* Without minimal entire area needs to be scrambled */ +#if !defined(MCUBOOT_MINIMAL_SCRAMBLE) + size = flash_area_get_size(fa); + ret = boot_scramble_region(fa, 0, size); +#else + size_t off = 0; + + ret = boot_header_scramble_off_sz(fa, slot, &off, &size); + if (ret < 0) { + return ret; + } + + ret = boot_scramble_region(fa, off, size); + if (ret < 0) { + return ret; + } + + ret = boot_trailer_scramble_offset(fa, 0, &off); + if (ret < 0) { + return ret; + } + + ret = boot_scramble_region_backwards(fa, off, flash_area_get_size(fa) - off); +#endif + return ret; } #if !defined(MCUBOOT_DIRECT_XIP) && !defined(MCUBOOT_RAM_LOAD) @@ -1776,7 +1967,6 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs) } #endif - /** * Performs a clean (not aborted) image update. * @@ -2239,8 +2429,7 @@ check_downgrade_prevention(struct boot_loader_state *state) if (rc < 0) { /* Image in slot 0 prevents downgrade, delete image in slot 1 */ BOOT_LOG_INF("Image %d in slot 1 erased due to downgrade prevention", BOOT_CURR_IMG(state)); - flash_area_erase(BOOT_IMG_AREA(state, 1), 0, - flash_area_get_size(BOOT_IMG_AREA(state, 1))); + boot_scramble_slot(BOOT_IMG_AREA(state, 1), BOOT_SECONDARY_SLOT); } else { rc = 0; } diff --git a/boot/bootutil/src/ram_load.c b/boot/bootutil/src/ram_load.c index 630af1170..7942c188b 100644 --- a/boot/bootutil/src/ram_load.c +++ b/boot/bootutil/src/ram_load.c @@ -432,7 +432,7 @@ boot_remove_image_from_flash(struct boot_loader_state *state, uint32_t slot) area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); rc = flash_area_open(area_id, &fap); if (rc == 0) { - flash_area_erase(fap, 0, flash_area_get_size(fap)); + boot_scramble_slot(fap, slot); flash_area_close(fap); } diff --git a/boot/bootutil/src/swap_misc.c b/boot/bootutil/src/swap_misc.c index b1ce44119..4efc0aff2 100644 --- a/boot/bootutil/src/swap_misc.c +++ b/boot/bootutil/src/swap_misc.c @@ -35,50 +35,86 @@ int swap_erase_trailer_sectors(const struct boot_loader_state *state, const struct flash_area *fap) { - uint8_t slot; - uint32_t sector; - uint32_t trailer_sz; - uint32_t total_sz; - uint32_t off; - uint32_t sz; - int fa_id_primary; - int fa_id_secondary; - uint8_t image_index; - int rc; - - BOOT_LOG_DBG("erasing trailer; fa_id=%d", flash_area_get_id(fap)); + int rc = 0; + + /* Intention is to prepare slot for write, if device does not require/support + * erase, there is nothing to do here. + */ + if (device_requires_erase(fap)) { + uint8_t slot; + uint32_t sector; + uint32_t trailer_sz; + uint32_t total_sz; + uint32_t off; + uint32_t sz; + int fa_id_primary; + int fa_id_secondary; + uint8_t image_index; + + BOOT_LOG_DBG("Erasing trailer; fa_id=%d", flash_area_get_id(fap)); + + image_index = BOOT_CURR_IMG(state); + fa_id_primary = flash_area_id_from_multi_image_slot(image_index, + BOOT_PRIMARY_SLOT); + fa_id_secondary = flash_area_id_from_multi_image_slot(image_index, + BOOT_SECONDARY_SLOT); + + if (flash_area_get_id(fap) == fa_id_primary) { + slot = BOOT_PRIMARY_SLOT; + } else if (flash_area_get_id(fap) == fa_id_secondary) { + slot = BOOT_SECONDARY_SLOT; + } else { + return BOOT_EFLASH; + } - image_index = BOOT_CURR_IMG(state); - fa_id_primary = flash_area_id_from_multi_image_slot(image_index, - BOOT_PRIMARY_SLOT); - fa_id_secondary = flash_area_id_from_multi_image_slot(image_index, - BOOT_SECONDARY_SLOT); - - if (flash_area_get_id(fap) == fa_id_primary) { - slot = BOOT_PRIMARY_SLOT; - } else if (flash_area_get_id(fap) == fa_id_secondary) { - slot = BOOT_SECONDARY_SLOT; + /* Delete starting from last sector and moving to beginning */ + sector = boot_img_num_sectors(state, slot) - 1; + trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state)); + total_sz = 0; + do { + sz = boot_img_sector_size(state, slot, sector); + off = boot_img_sector_off(state, slot, sector); + rc = boot_erase_region(fap, off, sz); + assert(rc == 0); + + sector--; + total_sz += sz; + } while (total_sz < trailer_sz); } else { - return BOOT_EFLASH; + BOOT_LOG_DBG("Erasing trailer not required; fa_id=%d", flash_area_get_id(fap)); } + return rc; +} - /* delete starting from last sector and moving to beginning */ - sector = boot_img_num_sectors(state, slot) - 1; - trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state)); - total_sz = 0; - do { - sz = boot_img_sector_size(state, slot, sector); - off = boot_img_sector_off(state, slot, sector); - rc = boot_erase_region(fap, off, sz); - assert(rc == 0); +int +swap_scramble_trailer_sectors(const struct boot_loader_state *state, + const struct flash_area *fap) +{ + size_t off; + int rc; - sector--; - total_sz += sz; - } while (total_sz < trailer_sz); + BOOT_LOG_DBG("Scrambling trailer; fa_id=%d", flash_area_get_id(fap)); - return rc; + /* Delete starting from last sector and moving to beginning */ + rc = boot_trailer_scramble_offset(fap, BOOT_WRITE_SZ(state), &off); + if (rc < 0) { + return BOOT_EFLASH; + } + rc = boot_scramble_region_backwards(fap, off, flash_area_get_size(fap) - off); + if (rc < 0) { + return BOOT_EFLASH; + } + + return 0; } +/* NOTE: There is often call made to swap_scramble_trailer_sectors followed + * by swap_status_init to initialize swap status: this is not efficient on + * devices that do not require erase; we need implementation of swap_status_init + * or swap_status_reinit, that will remove old status and initialize new one + * in a single call; the current approach writes certain parts of status + * twice on these devices. + */ int swap_status_init(const struct boot_loader_state *state, const struct flash_area *fap, diff --git a/boot/bootutil/src/swap_move.c b/boot/bootutil/src/swap_move.c index b124ff894..902932aaf 100644 --- a/boot/bootutil/src/swap_move.c +++ b/boot/bootutil/src/swap_move.c @@ -403,14 +403,18 @@ boot_move_sector_up(int idx, uint32_t sz, struct boot_loader_state *state, if (bs->idx == BOOT_STATUS_IDX_0) { if (bs->source != BOOT_STATUS_SOURCE_PRIMARY_SLOT) { - rc = swap_erase_trailer_sectors(state, fap_pri); + /* Remove data and prepare for write on devices requiring erase */ + rc = swap_scramble_trailer_sectors(state, fap_pri); assert(rc == 0); rc = swap_status_init(state, fap_pri, bs); assert(rc == 0); } - rc = swap_erase_trailer_sectors(state, fap_sec); + /* Remove status from secondary slot trailer, in case of device with + * erase requirement this will also prepare traier for write. + */ + rc = swap_scramble_trailer_sectors(state, fap_sec); assert(rc == 0); } @@ -500,7 +504,8 @@ fixup_revert(const struct boot_loader_state *state, struct boot_status *bs, BOOT_LOG_SWAP_STATE("Secondary image", &swap_state); if (swap_state.magic == BOOT_MAGIC_UNSET) { - rc = swap_erase_trailer_sectors(state, fap_sec); + /* Remove trailer and prepare area for write on devices requiring erase */ + rc = swap_scramble_trailer_sectors(state, fap_sec); assert(rc == 0); rc = boot_write_image_ok(fap_sec); diff --git a/boot/bootutil/src/swap_offset.c b/boot/bootutil/src/swap_offset.c index c7df0c0da..883b125ce 100644 --- a/boot/bootutil/src/swap_offset.c +++ b/boot/bootutil/src/swap_offset.c @@ -603,7 +603,7 @@ void fixup_revert(const struct boot_loader_state *state, struct boot_status *bs, BOOT_LOG_SWAP_STATE("Secondary image", &swap_state); if (swap_state.magic == BOOT_MAGIC_UNSET) { - rc = swap_erase_trailer_sectors(state, fap_sec); + rc = swap_scramble_trailer_sectors(state, fap_sec); assert(rc == 0); rc = boot_write_copy_done(fap_sec); @@ -674,14 +674,14 @@ void swap_run(struct boot_loader_state *state, struct boot_status *bs, int rc; if (bs->source != BOOT_STATUS_SOURCE_PRIMARY_SLOT) { - rc = swap_erase_trailer_sectors(state, fap_pri); + rc = swap_scramble_trailer_sectors(state, fap_pri); assert(rc == 0); rc = swap_status_init(state, fap_pri, bs); assert(rc == 0); } - rc = swap_erase_trailer_sectors(state, fap_sec); + rc = swap_scramble_trailer_sectors(state, fap_sec); assert(rc == 0); } @@ -715,10 +715,10 @@ void swap_run(struct boot_loader_state *state, struct boot_status *bs, * status is not wrongly used as a valid header. Also erase the trailer in the secondary * to allow for a future update to be loaded */ - rc = boot_erase_region(fap_sec, boot_img_sector_off(state, BOOT_SECONDARY_SLOT, 0), - sector_sz); + rc = boot_scramble_region(fap_sec, boot_img_sector_off(state, BOOT_SECONDARY_SLOT, 0), + sector_sz); assert(rc == 0); - rc = swap_erase_trailer_sectors(state, fap_sec); + rc = swap_scramble_trailer_sectors(state, fap_sec); assert(rc == 0); } else { while (idx <= last_idx) { diff --git a/boot/bootutil/src/swap_priv.h b/boot/bootutil/src/swap_priv.h index 6fdf797e1..b564ea99e 100644 --- a/boot/bootutil/src/swap_priv.h +++ b/boot/bootutil/src/swap_priv.h @@ -26,10 +26,21 @@ /** * Calculates the amount of space required to store the trailer, and erases * all sectors required for this storage in the given flash_area. + * The erase will only happen on devices that require erase as a preparation + * for write. To just remove swap status, the swap_scramble_trailer_sectors + * should be called. */ int swap_erase_trailer_sectors(const struct boot_loader_state *state, const struct flash_area *fap); +/** + * Calculate the amount of space required to store the trailer and remove + * data from trailer. This is similar to swap_erase_trailer_sectors, but + * is intended to remove swap status not to prepare device with explicit + * erase requirements before write. + */ +int swap_scramble_trailer_sectors(const struct boot_loader_state *state, + const struct flash_area *fap); /** * Initialize the given flash_area with the metadata required to start a new * swap upgrade. diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c index 446112dc5..c9f1dde6d 100644 --- a/boot/bootutil/src/swap_scratch.c +++ b/boot/bootutil/src/swap_scratch.c @@ -629,7 +629,7 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, * last sector is not being used by the image data so it's safe * to erase. */ - rc = swap_erase_trailer_sectors(state, fap_primary_slot); + rc = swap_scramble_trailer_sectors(state, fap_primary_slot); assert(rc == 0); rc = swap_status_init(state, fap_primary_slot, bs); @@ -663,7 +663,7 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, /* If not all sectors of the slot are being swapped, * guarantee here that only the primary slot will have the state. */ - rc = swap_erase_trailer_sectors(state, fap_secondary_slot); + rc = swap_scramble_trailer_sectors(state, fap_secondary_slot); assert(rc == 0); } From c12dcedb02d649927d51b4c8cee433af70c7d04d Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Tue, 12 Nov 2024 21:23:29 +0100 Subject: [PATCH 052/228] zephyr: Add support for devices without erase and reduced erases Add Kconfig options: - CONFIG_MCUBOOT_STORAGE_WITHOUT_ERASE that enables MCUboot configuration MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE - CONFIG_MCUBOOT_STORAGE_WITH_ERASE that enables MCUboot configuration MCUBOOT_SUPPORT_DEV_WITH_ERASE - CONFIG_MCUBOOT_STORAGE_MINIMAL_SCRAMBLE that enables MCUboot configuration MCUBOOT_MINIMAL_SCRAMBLE Adds implementation of flash_area_erase_required, which is required when MCUBOOT_STORAGE_DEV_WITHOUT_ERASE is enabled. Signed-off-by: Dominik Ermel --- boot/zephyr/Kconfig | 38 +++++++++++++++++++ .../flash_map_backend/flash_map_backend.h | 17 +++++++++ .../include/mcuboot_config/mcuboot_config.h | 23 +++++++++++ 3 files changed, 78 insertions(+) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 9afd292b0..1ddcea377 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -946,6 +946,44 @@ endif # BOOT_DECOMPRESSION_SUPPORT endmenu +config MCUBOOT_STORAGE_WITHOUT_ERASE + bool "Support for devices without erase" + depends on FLASH_HAS_NO_EXPLICIT_ERASE + default y + help + Not all devices require erase before write and, depending on driver, + may emulate erase by write, as a way to scramble data rather then + by hardware requirement. This unfortunately means that code that + does erase before write, when not needed, will write device twice + which not only reduces device life time but also doubles time + of any write operation (one write for erase and one write for actual + write). + When this option is enabled, MCUboot will check for type of device + and will avoid erase where not needed. + +config MCUBOOT_STORAGE_WITH_ERASE + bool "Support for devices with erase" + depends on FLASH_HAS_EXPLICIT_ERASE + default y + help + Support for devices with erase + +config MCUBOOT_STORAGE_MINIMAL_SCRAMBLE + bool "Do minimal required work to remove data (EXPERIMENTAL)" + help + In some cases MCUboot has to remove data, which usually means make + it non-viable for MCUboot rather then completely destroyed. + For example when MCUboot does not want to bother with broken image, + in some slot, it will remove it. + The same can be achieved with just removal of header and footer, + leaving the rest of image untouched, as without header MCUboot will + not be able to recognize image in slot as bootable. + When this option is enabled, MCUboot will not attempt to erase + entire slot or image, instead it will just remove enough of + data from slot to not recognize it as image anymore. + Depending on type of device this may be done by erase of minimal + number of pages or overwrite of part of image. + config MCUBOOT_DEVICE_SETTINGS # Hidden selector for device-specific settings bool diff --git a/boot/zephyr/include/flash_map_backend/flash_map_backend.h b/boot/zephyr/include/flash_map_backend/flash_map_backend.h index e5408a18a..81a183259 100644 --- a/boot/zephyr/include/flash_map_backend/flash_map_backend.h +++ b/boot/zephyr/include/flash_map_backend/flash_map_backend.h @@ -106,6 +106,23 @@ static inline uint32_t flash_sector_get_size(const struct flash_sector *fs) int flash_area_get_sector(const struct flash_area *fa, off_t off, struct flash_sector *fs); + +#if defined(CONFIG_MCUBOOT) +static inline bool flash_area_erase_required(const struct flash_area *fa) +{ +#if defined(CONFIG_FLASH_HAS_EXPLICIT_ERASE) && defined(CONFIG_FLASH_HAS_NO_EXPLICIT_ERASE) + const struct flash_parameters *fp = flash_get_parameters(flash_area_get_device(fa)); + + return flash_params_get_erase_cap(flash_get_parameters(flash_area_get_device(fa))) & + FLASH_ERASE_C_EXPLICIT; +#elif defined(CONFIG_FLASH_HAS_EXPLICIT_ERASE) + return true; +#else + return false; +#endif +} +#endif + #ifdef __cplusplus } #endif diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index b5fcf82b4..f9a0b998f 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -303,6 +303,29 @@ #define MCUBOOT_ERASE_PROGRESSIVELY #endif +/* + * Devices that do not require erase prior to write or do not support + * erase should avoid emulation of erase by additional write. + * The emulation is also taking time which doubles required write time + * for such devices. + */ +#ifdef CONFIG_MCUBOOT_STORAGE_WITHOUT_ERASE +#define MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE +#endif + +#ifdef CONFIG_MCUBOOT_STORAGE_WITH_ERASE +#define MCUBOOT_SUPPORT_DEV_WITH_ERASE +#endif + +/* + * MCUboot often calls erase on device just to remove data or make application + * image not recognizable. In such instances it may be faster to just remove + * portion of data to make image unrecognizable. + */ +#ifdef CONFIG_MCUBOOT_STORAGE_MINIMAL_SCRAMBLE +#define MCUBOOT_MINIMAL_SCRAMBLE +#endif + /* * Enabling this option uses newer flash map APIs. This saves RAM and * avoids deprecated API usage. From ecd48775dcd917c772ceea959a222bcd7902d7e9 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Tue, 12 Nov 2024 21:40:20 +0100 Subject: [PATCH 053/228] zephyr: Use flash_area_flatten in bs_custom_storage_erase The intention of bs_custom_storage_erase is to remove data from device; to support devices that do not require erase, without calling erase, so that devices that do not implement such functions could work, the flash_area_erase has been replaced with flash_area_flatten. Signed-off-by: Dominik Ermel --- boot/zephyr/boot_serial_extension_zephyr_basic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/zephyr/boot_serial_extension_zephyr_basic.c b/boot/zephyr/boot_serial_extension_zephyr_basic.c index b0c75f4a7..e0f978adf 100644 --- a/boot/zephyr/boot_serial_extension_zephyr_basic.c +++ b/boot/zephyr/boot_serial_extension_zephyr_basic.c @@ -47,7 +47,7 @@ static int bs_custom_storage_erase(const struct nmgr_hdr *hdr, if (rc < 0) { BOOT_LOG_ERR("failed to open flash area"); } else { - rc = flash_area_erase(fa, 0, flash_area_get_size(fa)); + rc = flash_area_flatten(fa, 0, flash_area_get_size(fa)); if (rc < 0) { BOOT_LOG_ERR("failed to erase flash area"); } From e5c0078fd2ea4bbdd3b5cc41781e2b527ff64b75 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Tue, 10 Dec 2024 20:21:58 +0100 Subject: [PATCH 054/228] boot: Enable MCUBOOT_DEV_WITH_ERASE in other systems By default enable all other systems to work with devices that require erase prior to write. Signed-off-by: Dominik Ermel --- boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h | 2 ++ boot/espressif/hal/include/mcuboot_config/mcuboot_config.h | 2 ++ boot/mbed/include/mcuboot_config/mcuboot_config.h | 2 ++ .../mcuboot_config/include/mcuboot_config/mcuboot_config.h | 2 ++ boot/nuttx/include/mcuboot_config/mcuboot_config.h | 2 ++ 5 files changed, 10 insertions(+) diff --git a/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h b/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h index 7f8472b3d..9af2a7d27 100644 --- a/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h +++ b/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h @@ -83,6 +83,8 @@ // TODO: FWSECURITY-755 #define MCUBOOT_USE_FLASH_AREA_GET_SECTORS +#define MCUBOOT_DEV_WITH_ERASE + /* Default number of separately updateable images; change in case of * multiple images. */ #ifndef MCUBOOT_IMAGE_NUMBER diff --git a/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h b/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h index 345ca57b8..2435172d8 100644 --- a/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h +++ b/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h @@ -126,6 +126,8 @@ * See the flash APIs for more details. */ #define MCUBOOT_USE_FLASH_AREA_GET_SECTORS +#define MCUBOOT_DEV_WITH_ERASE + /* Default maximum number of flash sectors per image slot; change * as desirable. */ #define MCUBOOT_MAX_IMG_SECTORS 512 diff --git a/boot/mbed/include/mcuboot_config/mcuboot_config.h b/boot/mbed/include/mcuboot_config/mcuboot_config.h index b57e8d651..4794d3db3 100644 --- a/boot/mbed/include/mcuboot_config/mcuboot_config.h +++ b/boot/mbed/include/mcuboot_config/mcuboot_config.h @@ -78,6 +78,8 @@ */ #define MCUBOOT_USE_FLASH_AREA_GET_SECTORS +#define MCUBOOT_DEV_WITH_ERASE + /* * No watchdog integration for now */ diff --git a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h index 1ed162835..6ee2c2ad2 100644 --- a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h +++ b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h @@ -137,6 +137,8 @@ #define MCUBOOT_BOOT_MAX_ALIGN MYNEWT_VAL(MCU_FLASH_MIN_WRITE_SIZE) #endif +#define MCUBOOT_DEV_WITH_ERASE + #if MYNEWT_VAL(BOOTUTIL_FEED_WATCHDOG) && MYNEWT_VAL(WATCHDOG_INTERVAL) #include #define MCUBOOT_WATCHDOG_FEED() \ diff --git a/boot/nuttx/include/mcuboot_config/mcuboot_config.h b/boot/nuttx/include/mcuboot_config/mcuboot_config.h index 41e7d6742..8a3383f5b 100644 --- a/boot/nuttx/include/mcuboot_config/mcuboot_config.h +++ b/boot/nuttx/include/mcuboot_config/mcuboot_config.h @@ -132,6 +132,8 @@ #define MCUBOOT_USE_FLASH_AREA_GET_SECTORS +#define MCUBOOT_DEV_WITH_ERASE + /* Default maximum number of flash sectors per image slot; change * as desirable. */ From 615a9dffd03e6ebcdd1bcc58a67cc92e5eafea7b Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Wed, 29 May 2024 17:46:17 +0000 Subject: [PATCH 055/228] bootutil: PSA implementation of x25519 and ed25519 verification The commit provides implementation of image verification with ed25519 and encryption/decryption support where random key is encrypted using x25519. Signed-off-by: Dominik Ermel --- .../include/bootutil/crypto/aes_ctr.h | 37 +- boot/bootutil/pkg.yml | 2 + boot/bootutil/src/ed25519_psa.c | 71 +++ boot/bootutil/src/encrypted.c | 114 ++--- boot/bootutil/src/encrypted_psa.c | 454 ++++++++++++++++++ boot/bootutil/src/image_ed25519.c | 3 +- 6 files changed, 624 insertions(+), 57 deletions(-) create mode 100644 boot/bootutil/src/ed25519_psa.c create mode 100644 boot/bootutil/src/encrypted_psa.c diff --git a/boot/bootutil/include/bootutil/crypto/aes_ctr.h b/boot/bootutil/include/bootutil/crypto/aes_ctr.h index 50d36a4fc..23862825c 100644 --- a/boot/bootutil/include/bootutil/crypto/aes_ctr.h +++ b/boot/bootutil/include/bootutil/crypto/aes_ctr.h @@ -15,8 +15,8 @@ #include "mcuboot_config/mcuboot_config.h" #if (defined(MCUBOOT_USE_MBED_TLS) + \ - defined(MCUBOOT_USE_TINYCRYPT)) != 1 - #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT" + defined(MCUBOOT_USE_TINYCRYPT) + defined(MCUBOOT_USE_PSA_CRYPTO)) != 1 + #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT or PSA" #endif #if defined(MCUBOOT_USE_MBED_TLS) @@ -38,12 +38,45 @@ #define BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE TC_AES_BLOCK_SIZE #endif /* MCUBOOT_USE_TINYCRYPT */ +#if defined(MCUBOOT_USE_PSA_CRYPTO) + #include + #include "bootutil/enc_key_public.h" + #define BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE BOOT_ENC_KEY_SIZE + #define BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE (16) +#endif + #include #ifdef __cplusplus extern "C" { #endif +#if defined(MCUBOOT_USE_PSA_CRYPTO) +typedef struct { + /* Fixme: This should not be, here, psa_key_id should be passed */ + uint8_t key[BOOT_ENC_KEY_SIZE]; +} bootutil_aes_ctr_context; + +void bootutil_aes_ctr_init(bootutil_aes_ctr_context *ctx); + +static inline void bootutil_aes_ctr_drop(bootutil_aes_ctr_context *ctx) +{ + memset(ctx, 0, sizeof(ctx)); +} + +static inline int bootutil_aes_ctr_set_key(bootutil_aes_ctr_context *ctx, const uint8_t *k) +{ + memcpy(ctx->key, k, sizeof(ctx->key)); + + return 0; +} + +int bootutil_aes_ctr_encrypt(bootutil_aes_ctr_context *ctx, uint8_t *counter, + const uint8_t *m, uint32_t mlen, size_t blk_off, uint8_t *c); +int bootutil_aes_ctr_decrypt(bootutil_aes_ctr_context *ctx, uint8_t *counter, + const uint8_t *c, uint32_t clen, size_t blk_off, uint8_t *m); +#endif + #if defined(MCUBOOT_USE_MBED_TLS) typedef mbedtls_aes_context bootutil_aes_ctr_context; static inline void bootutil_aes_ctr_init(bootutil_aes_ctr_context *ctx) diff --git a/boot/bootutil/pkg.yml b/boot/bootutil/pkg.yml index ed6f35810..4a7fabc1c 100644 --- a/boot/bootutil/pkg.yml +++ b/boot/bootutil/pkg.yml @@ -47,6 +47,8 @@ pkg.ign_files.BOOTUTIL_SINGLE_APPLICATION_SLOT: pkg.ign_files: - "ram_load.c" + - "ed25519_psa.c" # Currently no PSA for mynewet + - "encrypted_psa.c" pkg.deps.BOOTUTIL_USE_MBED_TLS: - "@apache-mynewt-core/crypto/mbedtls" diff --git a/boot/bootutil/src/ed25519_psa.c b/boot/bootutil/src/ed25519_psa.c new file mode 100644 index 000000000..12ba20ac1 --- /dev/null +++ b/boot/bootutil/src/ed25519_psa.c @@ -0,0 +1,71 @@ +/* + * Copyright (c) 2025 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: Apache-2.0 + */ +#include +#include +#include + +#include +#include "bootutil/bootutil_log.h" + +#include +#include + +BOOT_LOG_MODULE_REGISTER(ed25519_psa); + +#define SHA512_DIGEST_LENGTH 64 +#define EDDSA_KEY_LENGTH 32 +#define EDDSA_SIGNAGURE_LENGTH 64 + +int ED25519_verify(const uint8_t *message, size_t message_len, + const uint8_t signature[EDDSA_SIGNAGURE_LENGTH], + const uint8_t public_key[EDDSA_KEY_LENGTH]) +{ + /* Set to any error */ + psa_status_t status = PSA_ERROR_BAD_STATE; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; + psa_key_id_t kid; + int ret = 0; /* Fail by default */ + + /* Initialize PSA Crypto */ + status = psa_crypto_init(); + if (status != PSA_SUCCESS) { + BOOT_LOG_ERR("PSA crypto init failed %d\n", status); + return 0; + } + + status = PSA_ERROR_BAD_STATE; + + psa_set_key_type(&key_attr, + PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS)); + psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_VERIFY_MESSAGE); + psa_set_key_algorithm(&key_attr, PSA_ALG_PURE_EDDSA); + + status = psa_import_key(&key_attr, public_key, EDDSA_KEY_LENGTH, &kid); + if (status != PSA_SUCCESS) { + BOOT_LOG_ERR("ED25519 key import failed %d", status); + return 0; + } + + status = psa_verify_message(kid, PSA_ALG_PURE_EDDSA, message, message_len, + signature, EDDSA_SIGNAGURE_LENGTH); + if (status != PSA_SUCCESS) { + BOOT_LOG_ERR("ED25519 signature verification failed %d", status); + ret = 0; + /* Pass through to destroy key */ + } else { + ret = 1; + /* Pass through to destroy key */ + } + + status = psa_destroy_key(kid); + + if (status != PSA_SUCCESS) { + /* Just for logging */ + BOOT_LOG_WRN("Failed to destroy key %d", status); + } + + return ret; +} diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c index f61fd74b9..6b9e50a64 100644 --- a/boot/bootutil/src/encrypted.c +++ b/boot/bootutil/src/encrypted.c @@ -3,6 +3,7 @@ * * Copyright (c) 2018-2019 JUUL Labs * Copyright (c) 2019-2024 Arm Limited + * Copyright (c) 2025 Nordic Semiconductor ASA */ #include "mcuboot_config/mcuboot_config.h" @@ -25,6 +26,7 @@ #include "bootutil/crypto/ecdh_p256.h" #endif +#if !defined(MCUBOOT_USE_PSA_CRYPTO) #if defined(MCUBOOT_ENCRYPT_X25519) #include "bootutil/crypto/ecdh_x25519.h" #endif @@ -35,6 +37,7 @@ #include "mbedtls/oid.h" #include "mbedtls/asn1.h" #endif +#endif #include "bootutil/image.h" #include "bootutil/enc_key.h" @@ -43,6 +46,30 @@ #include "bootutil_priv.h" +#define EXPECTED_ENC_LEN BOOT_ENC_TLV_SIZE + +#if defined(MCUBOOT_ENCRYPT_RSA) +# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_RSA2048 +#elif defined(MCUBOOT_ENCRYPT_KW) +# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_KW +#elif defined(MCUBOOT_ENCRYPT_EC256) +# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_EC256 +# define EC_PUBK_INDEX (0) +# define EC_TAG_INDEX (65) +# define EC_CIPHERKEY_INDEX (65 + 32) +_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN, + "Please fix ECIES-P256 component indexes"); +#elif defined(MCUBOOT_ENCRYPT_X25519) +# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_X25519 +# define EC_PUBK_INDEX (0) +# define EC_TAG_INDEX (32) +# define EC_CIPHERKEY_INDEX (32 + 32) +_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN, + "Please fix ECIES-X25519 component indexes"); +#endif + +/* NOUP Fixme: */ +#if !defined(CONFIG_BOOT_ED25519_PSA) #if defined(MCUBOOT_ENCRYPT_EC256) || defined(MCUBOOT_ENCRYPT_X25519) #if defined(_compare) static inline int bootutil_constant_time_compare(const uint8_t *a, const uint8_t *b, size_t size) @@ -351,60 +378,6 @@ int boot_enc_retrieve_private_key(struct bootutil_key **private_key) } #endif /* !MCUBOOT_ENC_BUILTIN_KEY */ -int -boot_enc_init(struct enc_key_data *enc_state, uint8_t slot) -{ - bootutil_aes_ctr_init(&enc_state[slot].aes_ctr); - return 0; -} - -int -boot_enc_drop(struct enc_key_data *enc_state, uint8_t slot) -{ - bootutil_aes_ctr_drop(&enc_state[slot].aes_ctr); - enc_state[slot].valid = 0; - return 0; -} - -int -boot_enc_set_key(struct enc_key_data *enc_state, uint8_t slot, - const struct boot_status *bs) -{ - int rc; - - rc = bootutil_aes_ctr_set_key(&enc_state[slot].aes_ctr, bs->enckey[slot]); - if (rc != 0) { - boot_enc_drop(enc_state, slot); - return -1; - } - - enc_state[slot].valid = 1; - - return 0; -} - -#define EXPECTED_ENC_LEN BOOT_ENC_TLV_SIZE - -#if defined(MCUBOOT_ENCRYPT_RSA) -# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_RSA2048 -#elif defined(MCUBOOT_ENCRYPT_KW) -# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_KW -#elif defined(MCUBOOT_ENCRYPT_EC256) -# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_EC256 -# define EC_PUBK_INDEX (0) -# define EC_TAG_INDEX (65) -# define EC_CIPHERKEY_INDEX (65 + 32) -_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN, - "Please fix ECIES-P256 component indexes"); -#elif defined(MCUBOOT_ENCRYPT_X25519) -# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_X25519 -# define EC_PUBK_INDEX (0) -# define EC_TAG_INDEX (32) -# define EC_CIPHERKEY_INDEX (32 + 32) -_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN, - "Please fix ECIES-X25519 component indexes"); -#endif - #if ( (defined(MCUBOOT_ENCRYPT_RSA) && defined(MCUBOOT_USE_MBED_TLS) && !defined(MCUBOOT_USE_PSA_CRYPTO)) || \ (defined(MCUBOOT_ENCRYPT_EC256) && defined(MCUBOOT_USE_MBED_TLS)) ) #if MBEDTLS_VERSION_NUMBER >= 0x03000000 @@ -627,6 +600,7 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey) return rc; } +#endif /* CONFIG_BOOT_ED25519_PSA */ /* * Load encryption key. @@ -694,6 +668,38 @@ boot_enc_load(struct boot_loader_state *state, int slot, return boot_decrypt_key(buf, bs->enckey[slot]); } +int +boot_enc_init(struct enc_key_data *enc_state, uint8_t slot) +{ + bootutil_aes_ctr_init(&enc_state[slot].aes_ctr); + return 0; +} + +int +boot_enc_drop(struct enc_key_data *enc_state, uint8_t slot) +{ + bootutil_aes_ctr_drop(&enc_state[slot].aes_ctr); + enc_state[slot].valid = 0; + return 0; +} + +int +boot_enc_set_key(struct enc_key_data *enc_state, uint8_t slot, + const struct boot_status *bs) +{ + int rc; + + rc = bootutil_aes_ctr_set_key(&enc_state[slot].aes_ctr, bs->enckey[slot]); + if (rc != 0) { + boot_enc_drop(enc_state, slot); + return -1; + } + + enc_state[slot].valid = 1; + + return 0; +} + bool boot_enc_valid(struct enc_key_data *enc_state, int slot) { diff --git a/boot/bootutil/src/encrypted_psa.c b/boot/bootutil/src/encrypted_psa.c new file mode 100644 index 000000000..441ce94df --- /dev/null +++ b/boot/bootutil/src/encrypted_psa.c @@ -0,0 +1,454 @@ +/* + * Copyright (c) 2025 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include "mcuboot_config/mcuboot_config.h" + +#include +#include +#include + +/* We are not really using the MBEDTLS but need the ASN.1 parsing functions */ +#define MBEDTLS_ASN1_PARSE_C + +#include "bootutil/crypto/sha.h" +#include "mbedtls/oid.h" +#include "mbedtls/asn1.h" + +#include "bootutil/image.h" +#include "bootutil/enc_key.h" +#include "bootutil/sign_key.h" +#include "bootutil/crypto/common.h" + +#include "bootutil_priv.h" +#include "bootutil/bootutil_log.h" + +BOOT_LOG_MODULE_DECLARE(mcuboot_psa_enc); + +#define EXPECTED_ENC_LEN BOOT_ENC_TLV_SIZE +#define EXPECTED_ENC_TLV IMAGE_TLV_ENC_X25519 +#define EC_PUBK_INDEX (0) +#define EC_TAG_INDEX (32) +#define EC_CIPHERKEY_INDEX (32 + 32) +_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN, + "Please fix ECIES-X25519 component indexes"); + +#define X25519_OID "\x6e" +static const uint8_t ec_pubkey_oid[] = MBEDTLS_OID_ISO_IDENTIFIED_ORG \ + MBEDTLS_OID_ORG_GOV X25519_OID; + +#define SHARED_KEY_LEN 32 +#define PRIV_KEY_LEN 32 + +/* Fixme: This duplicates code from encrypted.c and depends on mbedtls */ +static int +parse_x25519_enckey(uint8_t **p, uint8_t *end, uint8_t *private_key) +{ + size_t len; + int version; + mbedtls_asn1_buf alg; + mbedtls_asn1_buf param; + + if (mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE) != 0) { + return -1; + } + + if (*p + len != end) { + return -2; + } + + version = 0; + if (mbedtls_asn1_get_int(p, end, &version) || version != 0) { + return -3; + } + + if (mbedtls_asn1_get_alg(p, end, &alg, ¶m) != 0) { + return -4; + } + + if (alg.ASN1_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 || + memcmp(alg.ASN1_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) { + return -5; + } + + if (mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_OCTET_STRING) != 0) { + return -6; + } + + if (mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_OCTET_STRING) != 0) { + return -7; + } + + if (len != PRIV_KEY_LEN) { + return -8; + } + + memcpy(private_key, *p, PRIV_KEY_LEN); + return 0; +} + +void bootutil_aes_ctr_init(bootutil_aes_ctr_context *ctx) +{ + psa_status_t psa_ret = psa_crypto_init(); + + (void)ctx; + + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("AES init PSA crypto init failed %d", psa_ret); + assert(0); + } +} + +#if defined(MCUBOOT_ENC_IMAGES) +extern const struct bootutil_key bootutil_enc_key; +/* + * Decrypt an encryption key TLV. + * + * @param buf An encryption TLV read from flash (build time fixed length) + * @param enckey An AES-128 or AES-256 key sized buffer to store to plain key. + */ +int +boot_decrypt_key(const uint8_t *buf, uint8_t *enckey) +{ + uint8_t derived_key[BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE]; + uint8_t *cp; + uint8_t *cpend; + uint8_t private_key[PRIV_KEY_LEN]; + size_t len; + psa_status_t psa_ret = PSA_ERROR_BAD_STATE; + psa_status_t psa_cleanup_ret = PSA_ERROR_BAD_STATE; + psa_key_id_t kid; + psa_key_attributes_t kattr = PSA_KEY_ATTRIBUTES_INIT; + psa_key_derivation_operation_t key_do = PSA_KEY_DERIVATION_OPERATION_INIT; + psa_algorithm_t key_do_alg; + int rc = -1; + + cp = (uint8_t *)bootutil_enc_key.key; + cpend = cp + *bootutil_enc_key.len; + + /* The psa_cipher_decrypt needs initialization vector of proper length at + * the beginning of the input buffer. + */ + uint8_t iv_and_key[PSA_CIPHER_IV_LENGTH(PSA_KEY_TYPE_AES, PSA_ALG_CTR) + + BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE]; + + psa_ret = psa_crypto_init(); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("AES crypto init failed %d", psa_ret); + return -1; + } + + /* + * Load the stored X25519 decryption private key + */ + rc = parse_x25519_enckey(&cp, cpend, private_key); + if (rc) { + return rc; + } + + psa_set_key_type(&kattr, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY)); + psa_set_key_usage_flags(&kattr, PSA_KEY_USAGE_DERIVE); + psa_set_key_algorithm(&kattr, PSA_ALG_ECDH); + + psa_ret = psa_import_key(&kattr, private_key, sizeof(private_key), &kid); + memset(private_key, 0, sizeof(private_key)); + psa_reset_key_attributes(&kattr); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("Built-in key import failed %d", psa_ret); + return -1; + } + + key_do_alg = PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)); + + psa_ret = psa_key_derivation_setup(&key_do, key_do_alg); + if (psa_ret != PSA_SUCCESS) { + psa_cleanup_ret = psa_destroy_key(kid); + if (psa_cleanup_ret != PSA_SUCCESS) { + BOOT_LOG_WRN("Built-in key destruction failed %d", psa_cleanup_ret); + } + BOOT_LOG_ERR("Key derivation setup failed %d", psa_ret); + return -1; + } + + /* Note: PSA 1.1.2 does not have psa_key_agreement that would be useful here + * as it could just add the derived key to the storage and return key id. + * Instead, we have to use the code below to generate derived key and put it + * into storage, to obtain the key id we can then use with psa_mac_* functions. + */ + psa_ret = psa_key_derivation_key_agreement(&key_do, PSA_KEY_DERIVATION_INPUT_SECRET, + kid, &buf[EC_PUBK_INDEX], + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE); + psa_cleanup_ret = psa_destroy_key(kid); + if (psa_cleanup_ret != PSA_SUCCESS) { + BOOT_LOG_WRN("Built-in key destruction failed %d", psa_cleanup_ret); + } + if (psa_ret != PSA_SUCCESS) { + psa_cleanup_ret = psa_key_derivation_abort(&key_do); + if (psa_cleanup_ret != PSA_SUCCESS) { + BOOT_LOG_WRN("Key derivation abort failed %d", psa_ret); + } + + BOOT_LOG_ERR("Key derivation failed %d", psa_ret); + return -1; + } + + /* Only info, no salt */ + psa_ret = psa_key_derivation_input_bytes(&key_do, PSA_KEY_DERIVATION_INPUT_INFO, + "MCUBoot_ECIES_v1", 16); + if (psa_ret != PSA_SUCCESS) { + psa_cleanup_ret = psa_key_derivation_abort(&key_do); + if (psa_cleanup_ret != PSA_SUCCESS) { + BOOT_LOG_WRN("Key derivation abort failed %d", psa_ret); + } + BOOT_LOG_ERR("Key derivation failed %d", psa_ret); + return -1; + } + + len = BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE; + psa_ret = psa_key_derivation_output_bytes(&key_do, derived_key, len); + psa_cleanup_ret = psa_key_derivation_abort(&key_do); + if (psa_cleanup_ret != PSA_SUCCESS) { + BOOT_LOG_WRN("Key derivation cleanup failed %d", psa_ret); + } + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("Key derivation failed %d", psa_ret); + return -1; + } + + /* The derived key consists of BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE bytes + * followed by BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE bytes. Both parts will + * be imported at the point where needed and discarded immediately after. + */ + psa_set_key_type(&kattr, PSA_KEY_TYPE_HMAC); + psa_set_key_usage_flags(&kattr, PSA_KEY_USAGE_VERIFY_MESSAGE); + psa_set_key_algorithm(&kattr, PSA_ALG_HMAC(PSA_ALG_SHA_256)); + + /* Import the MAC tag key part of derived key, that is the part that starts + * after BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE and has length of + * BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE bytes. + */ + psa_ret = psa_import_key(&kattr, + &derived_key[BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE], + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE, &kid); + psa_reset_key_attributes(&kattr); + if (psa_ret != PSA_SUCCESS) { + memset(derived_key, 0, sizeof(derived_key)); + BOOT_LOG_ERR("MAC key import failed %d", psa_ret); + return -1; + } + + /* Verify the MAC tag of the random encryption key */ + psa_ret = psa_mac_verify(kid, PSA_ALG_HMAC(PSA_ALG_SHA_256), + &buf[EC_CIPHERKEY_INDEX], BOOT_ENC_KEY_SIZE, + &buf[EC_TAG_INDEX], + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE); + psa_cleanup_ret = psa_destroy_key(kid); + if (psa_cleanup_ret != PSA_SUCCESS) { + BOOT_LOG_WRN("MAC key destruction failed %d", psa_cleanup_ret); + } + if (psa_ret != PSA_SUCCESS) { + memset(derived_key, 0, sizeof(derived_key)); + BOOT_LOG_ERR("MAC verification failed %d", psa_ret); + return -1; + } + + /* The derived key is used in AES decryption of random key */ + psa_set_key_type(&kattr, PSA_KEY_TYPE_AES); + psa_set_key_usage_flags(&kattr, PSA_KEY_USAGE_DECRYPT); + psa_set_key_algorithm(&kattr, PSA_ALG_CTR); + + /* Import the AES partition of derived key, the first 16 bytes */ + psa_ret = psa_import_key(&kattr, &derived_key[0], + BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE, &kid); + memset(derived_key, 0, sizeof(derived_key)); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("AES key import failed %d", psa_ret); + return -1; + } + + /* Decrypt the random AES encryption key with AES and the key obtained + * at derivation. */ + memset(&iv_and_key[0], 0, PSA_CIPHER_IV_LENGTH(PSA_KEY_TYPE_AES, PSA_ALG_CTR)); + memcpy(&iv_and_key[PSA_CIPHER_IV_LENGTH(PSA_KEY_TYPE_AES, PSA_ALG_CTR)], + &buf[EC_CIPHERKEY_INDEX], + sizeof(iv_and_key) - PSA_CIPHER_IV_LENGTH(PSA_KEY_TYPE_AES, PSA_ALG_CTR)); + + len = 0; + psa_ret = psa_cipher_decrypt(kid, PSA_ALG_CTR, iv_and_key, sizeof(iv_and_key), + enckey, BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE, &len); + memset(iv_and_key, 0, sizeof(iv_and_key)); + psa_cleanup_ret = psa_destroy_key(kid); + if (psa_cleanup_ret != PSA_SUCCESS) { + BOOT_LOG_WRN("AES key destruction failed %d", psa_cleanup_ret); + } + if (psa_ret != PSA_SUCCESS || len != BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE) { + memset(enckey, 0, BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE); + BOOT_LOG_ERR("Random key decryption failed %d", psa_ret); + return -1; + } + + return 0; +} + +int bootutil_aes_ctr_encrypt(bootutil_aes_ctr_context *ctx, uint8_t *counter, + const uint8_t *m, uint32_t mlen, size_t blk_off, uint8_t *c) +{ + int ret = 0; + psa_status_t psa_ret = PSA_ERROR_BAD_STATE; + psa_key_attributes_t kattr = PSA_KEY_ATTRIBUTES_INIT; + psa_key_id_t kid; + psa_cipher_operation_t psa_op; + size_t elen = 0; /* Decrypted length */ + + /* Fixme: calling psa_crypto_init multiple times is not a problem, + * yet the code here is only present because there is not general + * crypto init. */ + psa_ret = psa_crypto_init(); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("PSA crypto init failed %d", psa_ret); + ret = -1; + goto gone; + } + + psa_op = psa_cipher_operation_init(); + + /* Fixme: Import should happen when key is decrypted, but due to lack + * of key destruction there is no way to destroy key stored by + * psa other way than here. */ + psa_set_key_type(&kattr, PSA_KEY_TYPE_AES); + psa_set_key_usage_flags(&kattr, PSA_KEY_USAGE_ENCRYPT); + psa_set_key_algorithm(&kattr, PSA_ALG_CTR); + + psa_ret = psa_import_key(&kattr, ctx->key, BOOT_ENC_KEY_SIZE, &kid); + psa_reset_key_attributes(&kattr); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("AES enc import key failed %d", psa_ret); + ret = -1; + goto gone; + } + + /* This could be done with psa_cipher_decrypt one-shot operation, but + * multi-part operation is used to avoid re-allocating input buffer + * to account for IV in front of data. + */ + psa_ret = psa_cipher_encrypt_setup(&psa_op, kid, PSA_ALG_CTR); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("AES enc setup failed %d", psa_ret); + ret = -1; + goto gone_with_key; + } + + /* Fixme: hardcoded counter size, but it is hardcoded everywhere */ + psa_ret = psa_cipher_set_iv(&psa_op, counter, 16); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("AES enc IV set failed %d", psa_ret); + ret = -1; + goto gone_after_setup; + } + + psa_ret = psa_cipher_update(&psa_op, m, mlen, c, mlen, &elen); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("AES enc encryption failed %d", psa_ret); + ret = -1; + goto gone_after_setup; + } + +gone_after_setup: + psa_ret = psa_cipher_abort(&psa_op); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_WRN("AES enc cipher abort failed %d", psa_ret); + /* Intentionally not changing the ret */ + } +gone_with_key: + /* Fixme: Should be removed once key is shared by id */ + psa_ret = psa_destroy_key(kid); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_WRN("AES enc destroy key failed %d", psa_ret); + /* Intentionally not changing the ret */ + } +gone: + return ret; +} + +int bootutil_aes_ctr_decrypt(bootutil_aes_ctr_context *ctx, uint8_t *counter, + const uint8_t *c, uint32_t clen, size_t blk_off, uint8_t *m) +{ + int ret = 0; + psa_status_t psa_ret = PSA_ERROR_BAD_STATE; + psa_key_attributes_t kattr = PSA_KEY_ATTRIBUTES_INIT; + psa_key_id_t kid; + psa_cipher_operation_t psa_op; + size_t dlen = 0; /* Decrypted length */ + + /* Fixme: the init should already happen before calling the function, but + * somehow it does not, for example when recovering in swap. + */ + psa_ret = psa_crypto_init(); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("PSA crypto init failed %d", psa_ret); + ret = -1; + goto gone; + } + + psa_op = psa_cipher_operation_init(); + + /* Fixme: Import should happen when key is decrypted, but due to lack + * of key destruction there is no way to destroy key stored by + * psa other way than here. */ + psa_set_key_type(&kattr, PSA_KEY_TYPE_AES); + psa_set_key_usage_flags(&kattr, PSA_KEY_USAGE_DECRYPT); + psa_set_key_algorithm(&kattr, PSA_ALG_CTR); + + psa_ret = psa_import_key(&kattr, ctx->key, BOOT_ENC_KEY_SIZE, &kid); + psa_reset_key_attributes(&kattr); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("AES dec import key failed %d", psa_ret); + ret = -1; + goto gone; + } + + /* This could be done with psa_cipher_decrypt one-shot operation, but + * multi-part operation is used to avoid re-allocating input buffer + * to account for IV in front of data. + */ + psa_ret = psa_cipher_decrypt_setup(&psa_op, kid, PSA_ALG_CTR); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("AES dec setup failed %d", psa_ret); + ret = -1; + goto gone_with_key; + } + + /* Fixme: hardcoded counter size, but it is hardcoded everywhere */ + psa_ret = psa_cipher_set_iv(&psa_op, counter, 16); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("AES dec IV set failed %d", psa_ret); + ret = -1; + goto gone_after_setup; + } + + psa_ret = psa_cipher_update(&psa_op, c, clen, m, clen, &dlen); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_ERR("AES dec decryption failed %d", psa_ret); + ret = -1; + goto gone_after_setup; + } + +gone_after_setup: + psa_ret = psa_cipher_abort(&psa_op); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_WRN("PSA dec abort failed %d", psa_ret); + /* Intentionally not changing the ret */ + } +gone_with_key: + psa_ret = psa_destroy_key(kid); + if (psa_ret != PSA_SUCCESS) { + BOOT_LOG_WRN("PSA dec key failed %d", psa_ret); + /* Intentionally not changing the ret */ + } +gone: + return ret; +} +#endif /* defined(MCUBOOT_ENC_IMAGES) */ diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index 238c9d671..0c5810666 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -3,6 +3,7 @@ * * Copyright (c) 2019 JUUL Labs * Copyright (c) 2021-2023 Arm Limited + * Copyright (c) 2025 Nordic Semiconductor ASA */ #include @@ -85,7 +86,7 @@ bootutil_verify(uint8_t *buf, uint32_t blen, uint8_t *pubkey; uint8_t *end; - if (slen != EDDSA_SIGNATURE_LENGTH) { + if (blen != IMAGE_HASH_SIZE || slen != EDDSA_SIGNATURE_LENGTH) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } From f2b6def94041820ddb9f5c384d0406a3a8f91b4a Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Fri, 24 Jan 2025 17:12:05 +0000 Subject: [PATCH 056/228] zephyr: Enable building ed25519 PSA variant with Zephyr Adds Kconfig option CONFIG_BOOT_ED25519_PSA that allows to switch ed25519 to PSA backend. Signed-off-by: Dominik Ermel --- boot/bootutil/zephyr/CMakeLists.txt | 16 ++++--- boot/zephyr/CMakeLists.txt | 41 ++++++++++++----- boot/zephyr/Kconfig | 70 ++++++++++++++++++++++++++++- 3 files changed, 110 insertions(+), 17 deletions(-) diff --git a/boot/bootutil/zephyr/CMakeLists.txt b/boot/bootutil/zephyr/CMakeLists.txt index 72a6a8638..f6d37441c 100644 --- a/boot/bootutil/zephyr/CMakeLists.txt +++ b/boot/bootutil/zephyr/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright (c) 2020 Nordic Semiconductor ASA +# Copyright (c) 2020-2025 Nordic Semiconductor ASA # # SPDX-License-Identifier: Apache-2.0 @@ -29,12 +29,18 @@ zephyr_library_link_libraries(MCUBOOT_BOOTUTIL) target_link_libraries(MCUBOOT_BOOTUTIL INTERFACE zephyr_interface) if(CONFIG_BOOT_USE_TINYCRYPT) -target_include_directories(MCUBOOT_BOOTUTIL INTERFACE - ../../../ext/tinycrypt/lib/include -) + target_include_directories(MCUBOOT_BOOTUTIL INTERFACE + ../../../ext/tinycrypt/lib/include + ) +endif() + +if(CONFIG_BOOT_USE_PSA_CRYPTO) + target_include_directories(MCUBOOT_BOOTUTIL INTERFACE + ${ZEPHYR_MBEDTLS_MODULE_DIR}/include + ) endif() -if(CONFIG_BOOT_USE_MBEDTLS) +if(CONFIG_BOOT_USE_MBEDTLS OR CONFIG_BOOT_USE_PSA_CRYPTO) zephyr_link_libraries(mbedTLS) endif() endif() diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index b332000da..0e4bf7c50 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -1,7 +1,7 @@ # CMakeLists.txt for building mcuboot as a Zephyr project # # Copyright (c) 2017 Open Source Foundries Limited -# Copyright (c) 2023 Nordic Semiconductor ASA +# Copyright (c) 2023-2025 Nordic Semiconductor ASA # # SPDX-License-Identifier: Apache-2.0 @@ -58,6 +58,12 @@ zephyr_library_include_directories( include ) +if(DEFINED CONFIG_MBEDTLS) + zephyr_library_include_directories( + ${ZEPHYR_MBEDTLS_MODULE_DIR}/include + ) +endif() + # Zephyr port-specific sources. zephyr_library_sources( main.c @@ -109,6 +115,10 @@ zephyr_library_sources( ${BOOT_DIR}/bootutil/src/fault_injection_hardening.c ) +if(DEFINED CONFIG_BOOT_ENCRYPT_X25519 AND DEFINED CONFIG_BOOT_ED25519_PSA) + zephyr_library_sources(${BOOT_DIR}/bootutil/src/encrypted_psa.c) +endif() + if(DEFINED CONFIG_MEASURED_BOOT OR DEFINED CONFIG_BOOT_SHARE_DATA) zephyr_library_sources( ${BOOT_DIR}/bootutil/src/boot_record.c @@ -267,19 +277,28 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519) ${FIAT_DIR}/include/ ) - zephyr_library_sources( - ${FIAT_DIR}/src/curve25519.c - ) + if(NOT CONFIG_BOOT_ED25519_PSA) + zephyr_library_sources( + ${FIAT_DIR}/src/curve25519.c + ) + else() + zephyr_library_sources( + ${MBEDTLS_ASN1_DIR}/src/asn1parse.c + ${BOOT_DIR}/bootutil/src/ed25519_psa.c + ) + endif() endif() -if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519) - zephyr_library_sources( - ${TINYCRYPT_DIR}/source/aes_encrypt.c - ${TINYCRYPT_DIR}/source/aes_decrypt.c - ${TINYCRYPT_DIR}/source/ctr_mode.c - ${TINYCRYPT_DIR}/source/hmac.c - ${TINYCRYPT_DIR}/source/ecc_dh.c +if(NOT CONFIG_BOOT_ED25519_PSA) + if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519) + zephyr_library_sources( + ${TINYCRYPT_DIR}/source/aes_encrypt.c + ${TINYCRYPT_DIR}/source/aes_decrypt.c + ${TINYCRYPT_DIR}/source/ctr_mode.c + ${TINYCRYPT_DIR}/source/hmac.c + ${TINYCRYPT_DIR}/source/ecc_dh.c ) + endif() endif() if(CONFIG_BOOT_ENCRYPT_EC256) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 1ddcea377..7c3855852 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -72,6 +72,60 @@ config BOOT_AES_MBEDTLS_DEPENDENCIES endif +if BOOT_USE_PSA_CRYPTO + +config BOOT_PSA_IMG_HASH_ALG_SHA256_DEPENDENCIES + bool + default y if BOOT_IMG_HASH_ALG_SHA256 + select PSA_WANT_ALG_SHA_256 + help + Dependencies for hashing with SHA256 + +config BOOT_ED25519_PSA_DEPENDENCIES + bool + select PSA_WANT_ALG_SHA_256 + select PSA_WANT_ALG_SHA_512 + select PSA_WANT_ALG_PURE_EDDSA + # Seems that upstream mbedTLS does not have TE + #select PSA_WANT_ECC_TWISTED_EDWARDS_255 + select PSA_WANT_ECC_MONTGOMERY_255 + select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT + help + Dependencies for ed25519 signature + +if BOOT_ENCRYPT_IMAGE + +config BOOT_X25519_PSA_DEPENDENCIES + bool + select PSA_WANT_ALG_ECDH + select PSA_WANT_ALG_HMAC + select PSA_WANT_ALG_HKDF + select PSA_WANT_ALG_CTR + select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT + select PSA_WANT_KEY_TYPE_DERIVE + select PSA_WANT_KEY_TYPE_AES + select PSA_WANT_ECC_MONTGOMERY_255 + help + Dependencies for x25519 shared-random key encryption and AES + encryption. The PSA_WANT_ALG_CTR and PSA_WANT_KEY_TYPE_AES + enable Counter based block cipher and AES key, and algorithm support, + to use with it; the others are used for shared key decryption + and derivation. + +endif # BOOT_ENCRYPT_IMAGE + +if MBEDTLS_ENABLE_HEAP + +config MBEDTLS_HEAP_SIZE + default 2048 if BOOT_USE_PSA_CRYPTO + help + The PSA internals need to be able to allocate memory for operation + and it uses mbedTLS heap for that. + +endif # MBEDTLS_ENABLE_HEAP + +endif # BOOT_USE_PSA_CRYPTO + menu "MCUBoot settings" config SINGLE_APPLICATION_SLOT @@ -153,6 +207,7 @@ config BOOT_SIGNATURE_TYPE_PURE_ALLOW choice BOOT_SIGNATURE_TYPE prompt "Signature type" + default BOOT_SIGNATURE_TYPE_ED25519 if SOC_NRF54L15_CPUAPP default BOOT_SIGNATURE_TYPE_RSA config BOOT_SIGNATURE_TYPE_NONE @@ -228,10 +283,12 @@ config BOOT_SIGNATURE_TYPE_PURE choice BOOT_ED25519_IMPLEMENTATION prompt "Ecdsa implementation" default BOOT_ED25519_TINYCRYPT + config BOOT_ED25519_TINYCRYPT bool "Use tinycrypt" select BOOT_USE_TINYCRYPT select BOOT_IMG_HASH_ALG_SHA512_ALLOW + config BOOT_ED25519_MBEDTLS bool "Use mbedTLS" select BOOT_USE_MBEDTLS @@ -239,6 +296,17 @@ config BOOT_ED25519_MBEDTLS select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE +config BOOT_ED25519_PSA + bool "Use PSA crypto" + select MBEDTLS + select BOOT_USE_PSA_CRYPTO + select MBEDTLS_PSA_CRYPTO_C + select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN + select PSA_CRYPTO_CLIENT + select PSA_CRYPTO_C + select BOOT_ED25519_PSA_DEPENDENCIES + select BOOT_X25519_PSA_DEPENDENCIES if BOOT_ENCRYPT_IMAGE + endchoice endif @@ -286,7 +354,7 @@ config MCUBOOT_CLEANUP_RAM if MBEDTLS config MBEDTLS_CFG_FILE - default "config-tls-generic.h" if MBEDTLS_BUILTIN + default "config-tls-generic.h" if MBEDTLS_BUILTIN || BOOT_USE_PSA_CRYPTO default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS endif From 1dcfbdacc41762a89aeba9a5eb334b73563e3b43 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Tue, 8 Oct 2024 16:31:48 +0000 Subject: [PATCH 057/228] bootutil: Allow bypassing ASN.1 encoding for ED25519 key import The commit adds MCUBOOT_KEY_IMPORT_BYPASS_ASN configuration option that allows bypassing ASN.1 decoding of ED25519 public key, compiled into MCUboot. When the option is enabled the key will be accessed directly and ASN.1 processing is not compiled in, resulting in smaller footprint of MCUboot, at a cost of reduced detection of invalid key, i.e. public key designated for different method than compiled in. Signed-off-by: Dominik Ermel --- boot/bootutil/src/image_ed25519.c | 22 +++++++++++++++++-- .../include/mcuboot_config/mcuboot_config.h | 4 ++++ 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index 0c5810666..01bef149d 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -13,27 +13,30 @@ #ifdef MCUBOOT_SIGN_ED25519 #include "bootutil/sign_key.h" +#if !defined(MCUBOOT_KEY_IMPORT_BYPASS_ASN) /* We are not really using the MBEDTLS but need the ASN.1 parsing functions */ #define MBEDTLS_ASN1_PARSE_C #include "mbedtls/oid.h" #include "mbedtls/asn1.h" +#endif #include "bootutil_priv.h" #include "bootutil/crypto/common.h" #include "bootutil/crypto/sha.h" #define EDDSA_SIGNATURE_LENGTH 64 - -static const uint8_t ed25519_pubkey_oid[] = MBEDTLS_OID_ISO_IDENTIFIED_ORG "\x65\x70"; #define NUM_ED25519_BYTES 32 extern int ED25519_verify(const uint8_t *message, size_t message_len, const uint8_t signature[EDDSA_SIGNATURE_LENGTH], const uint8_t public_key[NUM_ED25519_BYTES]); +#if !defined(MCUBOOT_KEY_IMPORT_BYPASS_ASN) /* * Parse the public key used for signing. */ +static const uint8_t ed25519_pubkey_oid[] = MBEDTLS_OID_ISO_IDENTIFIED_ORG "\x65\x70"; + static int bootutil_import_key(uint8_t **cp, uint8_t *end) { @@ -69,6 +72,7 @@ bootutil_import_key(uint8_t **cp, uint8_t *end) return 0; } +#endif /* !defined(MCUBOOT_KEY_IMPORT_BYPASS_ASN) */ /* Signature verification base function. * The function takes buffer of specified length and tries to verify @@ -94,11 +98,25 @@ bootutil_verify(uint8_t *buf, uint32_t blen, pubkey = (uint8_t *)bootutil_keys[key_id].key; end = pubkey + *bootutil_keys[key_id].len; +#if !defined(MCUBOOT_KEY_IMPORT_BYPASS_ASN) rc = bootutil_import_key(&pubkey, end); if (rc) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } +#else + /* Directly use the key contents from the ASN stream, + * these are the last NUM_ED25519_BYTES. + * There is no check whether this is the correct key, + * here, by the algorithm selected. + */ + if (*bootutil_keys[key_id].len < NUM_ED25519_BYTES) { + FIH_SET(fih_rc, FIH_FAILURE); + goto out; + } + + pubkey = end - NUM_ED25519_BYTES; +#endif rc = ED25519_verify(buf, blen, sig, pubkey); diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index f9a0b998f..13a5683d2 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -34,6 +34,10 @@ # error "One crypto library implementation allowed at a time." #endif +#if defined(CONFIG_BOOT_KEY_IMPORT_BYPASS_ASN) +#define MCUBOOT_KEY_IMPORT_BYPASS_ASN +#endif + #ifdef CONFIG_BOOT_USE_MBEDTLS #define MCUBOOT_USE_MBED_TLS #elif defined(CONFIG_BOOT_USE_TINYCRYPT) From 3ff75490e4a42096e07d38f8325953da334b367c Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Tue, 8 Oct 2024 16:36:15 +0000 Subject: [PATCH 058/228] zephyr: Add Kconfig option CONFIG_BOOT_KEY_IMPORT_BYPASS_ASN The option enables MCUboot configuration option MCUBOOT_KEY_IMPORT_BYPASS_ASN. Signed-off-by: Dominik Ermel --- boot/zephyr/Kconfig | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 7c3855852..640327c6e 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -308,6 +308,15 @@ config BOOT_ED25519_PSA select BOOT_X25519_PSA_DEPENDENCIES if BOOT_ENCRYPT_IMAGE endchoice + +config BOOT_KEY_IMPORT_BYPASS_ASN + bool "Directly access key value without ASN.1 parsing" + help + Originally, public keys compiled into MCUboot were + stored in ASN.1 encoded format. Enabling this option + bypasses the ASN.1 decoding and directly accesses the key + in ASN.1 bitstream; this reduces MCUboot code by removing + the ASN.1 processing. endif endchoice From 602cb45920a0d7b93a006d3e3924f26fead7d48e Mon Sep 17 00:00:00 2001 From: Ben Date: Mon, 17 Feb 2025 14:54:06 +0100 Subject: [PATCH 059/228] Fix path for DT example --- docs/readme-zephyr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/readme-zephyr.md b/docs/readme-zephyr.md index 1e55ea766..1d6daaef6 100644 --- a/docs/readme-zephyr.md +++ b/docs/readme-zephyr.md @@ -33,7 +33,7 @@ the rest of the images too (for example, `slot2_partition` and The flash partitions are typically defined in the Zephyr boards folder, in a file named `boards///.dts`. An example `.dts` file with flash partitions defined is the frdm_k64f's in -`boards/arm/frdm_k64f/frdm_k64f.dts`. Make sure the DT node labels in your board's +`boards/nxp/frdm_k64f/frdm_k64f.dts`. Make sure the DT node labels in your board's `.dts` file match the ones used there. ## Installing requirements and dependencies From c513187085d38270d5c457162ff27c721958052b Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Tue, 18 Feb 2025 14:14:08 +0100 Subject: [PATCH 060/228] Revert "boot: Enable MCUBOOT_DEV_WITH_ERASE in other systems" Need to revert changes provided to support devices without erase until problme with TF-M, missing implementation of flash_area_get_sector, is resolved. This reverts commit e5c0078fd2ea4bbdd3b5cc41781e2b527ff64b75. Signed-off-by: Dominik Ermel --- boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h | 2 -- boot/espressif/hal/include/mcuboot_config/mcuboot_config.h | 2 -- boot/mbed/include/mcuboot_config/mcuboot_config.h | 2 -- .../mcuboot_config/include/mcuboot_config/mcuboot_config.h | 2 -- boot/nuttx/include/mcuboot_config/mcuboot_config.h | 2 -- 5 files changed, 10 deletions(-) diff --git a/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h b/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h index 9af2a7d27..7f8472b3d 100644 --- a/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h +++ b/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h @@ -83,8 +83,6 @@ // TODO: FWSECURITY-755 #define MCUBOOT_USE_FLASH_AREA_GET_SECTORS -#define MCUBOOT_DEV_WITH_ERASE - /* Default number of separately updateable images; change in case of * multiple images. */ #ifndef MCUBOOT_IMAGE_NUMBER diff --git a/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h b/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h index 2435172d8..345ca57b8 100644 --- a/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h +++ b/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h @@ -126,8 +126,6 @@ * See the flash APIs for more details. */ #define MCUBOOT_USE_FLASH_AREA_GET_SECTORS -#define MCUBOOT_DEV_WITH_ERASE - /* Default maximum number of flash sectors per image slot; change * as desirable. */ #define MCUBOOT_MAX_IMG_SECTORS 512 diff --git a/boot/mbed/include/mcuboot_config/mcuboot_config.h b/boot/mbed/include/mcuboot_config/mcuboot_config.h index 4794d3db3..b57e8d651 100644 --- a/boot/mbed/include/mcuboot_config/mcuboot_config.h +++ b/boot/mbed/include/mcuboot_config/mcuboot_config.h @@ -78,8 +78,6 @@ */ #define MCUBOOT_USE_FLASH_AREA_GET_SECTORS -#define MCUBOOT_DEV_WITH_ERASE - /* * No watchdog integration for now */ diff --git a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h index 6ee2c2ad2..1ed162835 100644 --- a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h +++ b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h @@ -137,8 +137,6 @@ #define MCUBOOT_BOOT_MAX_ALIGN MYNEWT_VAL(MCU_FLASH_MIN_WRITE_SIZE) #endif -#define MCUBOOT_DEV_WITH_ERASE - #if MYNEWT_VAL(BOOTUTIL_FEED_WATCHDOG) && MYNEWT_VAL(WATCHDOG_INTERVAL) #include #define MCUBOOT_WATCHDOG_FEED() \ diff --git a/boot/nuttx/include/mcuboot_config/mcuboot_config.h b/boot/nuttx/include/mcuboot_config/mcuboot_config.h index 8a3383f5b..41e7d6742 100644 --- a/boot/nuttx/include/mcuboot_config/mcuboot_config.h +++ b/boot/nuttx/include/mcuboot_config/mcuboot_config.h @@ -132,8 +132,6 @@ #define MCUBOOT_USE_FLASH_AREA_GET_SECTORS -#define MCUBOOT_DEV_WITH_ERASE - /* Default maximum number of flash sectors per image slot; change * as desirable. */ From 9c84013b7e32f13164aa65eadde1f1ac286ca6a8 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Tue, 18 Feb 2025 14:14:22 +0100 Subject: [PATCH 061/228] Revert "zephyr: Use flash_area_flatten in bs_custom_storage_erase" Need to revert changes provided to support devices without erase until problme with TF-M, missing implementation of flash_area_get_sector, is resolved. This reverts commit ecd48775dcd917c772ceea959a222bcd7902d7e9. Signed-off-by: Dominik Ermel --- boot/zephyr/boot_serial_extension_zephyr_basic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/zephyr/boot_serial_extension_zephyr_basic.c b/boot/zephyr/boot_serial_extension_zephyr_basic.c index e0f978adf..b0c75f4a7 100644 --- a/boot/zephyr/boot_serial_extension_zephyr_basic.c +++ b/boot/zephyr/boot_serial_extension_zephyr_basic.c @@ -47,7 +47,7 @@ static int bs_custom_storage_erase(const struct nmgr_hdr *hdr, if (rc < 0) { BOOT_LOG_ERR("failed to open flash area"); } else { - rc = flash_area_flatten(fa, 0, flash_area_get_size(fa)); + rc = flash_area_erase(fa, 0, flash_area_get_size(fa)); if (rc < 0) { BOOT_LOG_ERR("failed to erase flash area"); } From dbbeae4b884dc3c52c50580b12246d42693a8f30 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Tue, 18 Feb 2025 14:14:41 +0100 Subject: [PATCH 062/228] Revert "zephyr: Add support for devices without erase and reduced erases" Need to revert changes provided to support devices without erase until problme with TF-M, missing implementation of flash_area_get_sector, is resolved. This reverts commit c12dcedb02d649927d51b4c8cee433af70c7d04d. Signed-off-by: Dominik Ermel --- boot/zephyr/Kconfig | 38 ------------------- .../flash_map_backend/flash_map_backend.h | 17 --------- .../include/mcuboot_config/mcuboot_config.h | 23 ----------- 3 files changed, 78 deletions(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 640327c6e..cfc73a6f6 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -1023,44 +1023,6 @@ endif # BOOT_DECOMPRESSION_SUPPORT endmenu -config MCUBOOT_STORAGE_WITHOUT_ERASE - bool "Support for devices without erase" - depends on FLASH_HAS_NO_EXPLICIT_ERASE - default y - help - Not all devices require erase before write and, depending on driver, - may emulate erase by write, as a way to scramble data rather then - by hardware requirement. This unfortunately means that code that - does erase before write, when not needed, will write device twice - which not only reduces device life time but also doubles time - of any write operation (one write for erase and one write for actual - write). - When this option is enabled, MCUboot will check for type of device - and will avoid erase where not needed. - -config MCUBOOT_STORAGE_WITH_ERASE - bool "Support for devices with erase" - depends on FLASH_HAS_EXPLICIT_ERASE - default y - help - Support for devices with erase - -config MCUBOOT_STORAGE_MINIMAL_SCRAMBLE - bool "Do minimal required work to remove data (EXPERIMENTAL)" - help - In some cases MCUboot has to remove data, which usually means make - it non-viable for MCUboot rather then completely destroyed. - For example when MCUboot does not want to bother with broken image, - in some slot, it will remove it. - The same can be achieved with just removal of header and footer, - leaving the rest of image untouched, as without header MCUboot will - not be able to recognize image in slot as bootable. - When this option is enabled, MCUboot will not attempt to erase - entire slot or image, instead it will just remove enough of - data from slot to not recognize it as image anymore. - Depending on type of device this may be done by erase of minimal - number of pages or overwrite of part of image. - config MCUBOOT_DEVICE_SETTINGS # Hidden selector for device-specific settings bool diff --git a/boot/zephyr/include/flash_map_backend/flash_map_backend.h b/boot/zephyr/include/flash_map_backend/flash_map_backend.h index 81a183259..e5408a18a 100644 --- a/boot/zephyr/include/flash_map_backend/flash_map_backend.h +++ b/boot/zephyr/include/flash_map_backend/flash_map_backend.h @@ -106,23 +106,6 @@ static inline uint32_t flash_sector_get_size(const struct flash_sector *fs) int flash_area_get_sector(const struct flash_area *fa, off_t off, struct flash_sector *fs); - -#if defined(CONFIG_MCUBOOT) -static inline bool flash_area_erase_required(const struct flash_area *fa) -{ -#if defined(CONFIG_FLASH_HAS_EXPLICIT_ERASE) && defined(CONFIG_FLASH_HAS_NO_EXPLICIT_ERASE) - const struct flash_parameters *fp = flash_get_parameters(flash_area_get_device(fa)); - - return flash_params_get_erase_cap(flash_get_parameters(flash_area_get_device(fa))) & - FLASH_ERASE_C_EXPLICIT; -#elif defined(CONFIG_FLASH_HAS_EXPLICIT_ERASE) - return true; -#else - return false; -#endif -} -#endif - #ifdef __cplusplus } #endif diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index 13a5683d2..850a618b3 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -307,29 +307,6 @@ #define MCUBOOT_ERASE_PROGRESSIVELY #endif -/* - * Devices that do not require erase prior to write or do not support - * erase should avoid emulation of erase by additional write. - * The emulation is also taking time which doubles required write time - * for such devices. - */ -#ifdef CONFIG_MCUBOOT_STORAGE_WITHOUT_ERASE -#define MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE -#endif - -#ifdef CONFIG_MCUBOOT_STORAGE_WITH_ERASE -#define MCUBOOT_SUPPORT_DEV_WITH_ERASE -#endif - -/* - * MCUboot often calls erase on device just to remove data or make application - * image not recognizable. In such instances it may be faster to just remove - * portion of data to make image unrecognizable. - */ -#ifdef CONFIG_MCUBOOT_STORAGE_MINIMAL_SCRAMBLE -#define MCUBOOT_MINIMAL_SCRAMBLE -#endif - /* * Enabling this option uses newer flash map APIs. This saves RAM and * avoids deprecated API usage. From ef78369666ec5479c6b3a3d457f613e37296c5fb Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Tue, 18 Feb 2025 14:14:58 +0100 Subject: [PATCH 063/228] Revert "bootutil: Add support for devices without erase and reduced erases" Need to revert changes provided to support devices without erase until problme with TF-M, missing implementation of flash_area_get_sector, is resolved. This reverts commit e02568939c8698f4eff197281a394f2eb12c31dc. Signed-off-by: Dominik Ermel --- boot/boot_serial/src/boot_serial.c | 4 +- boot/boot_serial/src/boot_serial_encryption.c | 2 +- boot/bootutil/src/bootutil_misc.c | 68 ------ boot/bootutil/src/bootutil_priv.h | 36 --- boot/bootutil/src/loader.c | 213 +----------------- boot/bootutil/src/ram_load.c | 2 +- boot/bootutil/src/swap_misc.c | 108 +++------ boot/bootutil/src/swap_move.c | 11 +- boot/bootutil/src/swap_offset.c | 12 +- boot/bootutil/src/swap_priv.h | 11 - boot/bootutil/src/swap_scratch.c | 4 +- 11 files changed, 63 insertions(+), 408 deletions(-) diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c index a9c0630c8..9ddc712de 100644 --- a/boot/boot_serial/src/boot_serial.c +++ b/boot/boot_serial/src/boot_serial.c @@ -856,7 +856,7 @@ static off_t erase_range(const struct flash_area *fap, off_t start, off_t end) BOOT_LOG_DBG("Erasing range 0x%jx:0x%jx", (intmax_t)start, (intmax_t)(start + size - 1)); - rc = boot_erase_region(fap, start, size); + rc = flash_area_erase(fap, start, size); if (rc != 0) { BOOT_LOG_ERR("Error %d while erasing range", rc); return -EINVAL; @@ -1000,7 +1000,7 @@ bs_upload(char *buf, int len) /* Non-progressive erase erases entire image slot when first chunk of * an image is received. */ - rc = boot_erase_region(fap, 0, area_size); + rc = flash_area_erase(fap, 0, area_size); if (rc) { goto out_invalid_data; } diff --git a/boot/boot_serial/src/boot_serial_encryption.c b/boot/boot_serial/src/boot_serial_encryption.c index 81af6b850..744b22312 100644 --- a/boot/boot_serial/src/boot_serial_encryption.c +++ b/boot/boot_serial/src/boot_serial_encryption.c @@ -187,7 +187,7 @@ decrypt_region_inplace(struct boot_loader_state *state, (off + bytes_copied + idx) - hdr->ih_hdr_size, blk_sz, blk_off, &buf[idx]); } - rc = boot_erase_region(fap, off + bytes_copied, chunk_sz); + rc = flash_area_erase(fap, off + bytes_copied, chunk_sz); if (rc != 0) { return BOOT_EFLASH; } diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c index 08cf5971d..97b1e94fe 100644 --- a/boot/bootutil/src/bootutil_misc.c +++ b/boot/bootutil/src/bootutil_misc.c @@ -135,74 +135,6 @@ boot_trailer_sz(uint32_t min_write_sz) return boot_status_sz(min_write_sz) + boot_trailer_info_sz(); } -int boot_trailer_scramble_offset(const struct flash_area *fa, size_t alignment, - size_t *off) -{ - int ret = 0; - - /* Not allowed to enforce alignment smaller than device allows */ - if (alignment < flash_area_align(fa)) { - alignment = flash_area_align(fa); - } - - if (device_requires_erase(fa)) { - /* For device requiring erase align to erase unit */ - struct flash_sector sector; - - ret = flash_area_get_sector(fa, flash_area_get_size(fa) - boot_trailer_sz(alignment), - §or); - if (ret < 0) { - return ret; - } - - *off = flash_sector_get_off(§or); - } else { - /* For device not requiring erase align to write block */ - *off = flash_area_get_size(fa) - ALIGN_DOWN(boot_trailer_sz(alignment), alignment); - } - - return ret; -} - -int boot_header_scramble_off_sz(const struct flash_area *fa, int slot, size_t *off, - size_t *size) -{ - int ret = 0; - const size_t write_block = flash_area_align(fa); - size_t loff = 0; - struct flash_sector sector; - - (void)slot; -#if defined(MCUBOOT_SWAP_USING_OFFSET) - /* In case of swap offset, header of secondary slot image is positioned - * in second sector of slot. - */ - if (slot == BOOT_SECONDARY_SLOT) { - ret = flash_area_get_sector(fa, 0, §or); - if (ret < 0) { - return ret; - } - loff = flash_sector_get_off(§or); - } -#endif - - if (device_requires_erase(fa)) { - /* For device requiring erase align to erase unit */ - ret = flash_area_get_sector(fa, loff, §or); - if (ret < 0) { - return ret; - } - - *size = flash_sector_get_size(§or); - } else { - /* For device not requiring erase align to write block */ - *size = ALIGN_UP(sizeof(((struct image_header *)0)->ih_magic), write_block); - } - *off = loff; - - return ret; -} - #if MCUBOOT_SWAP_USING_SCRATCH /* * Similar to `boot_trailer_sz` but this function returns the space used to diff --git a/boot/bootutil/src/bootutil_priv.h b/boot/bootutil/src/bootutil_priv.h index 2ae2ae1a0..b3bb99842 100644 --- a/boot/bootutil/src/bootutil_priv.h +++ b/boot/bootutil/src/bootutil_priv.h @@ -301,16 +301,6 @@ int boot_find_status(int image_index, const struct flash_area **fap); int boot_magic_compatible_check(uint8_t tbl_val, uint8_t val); uint32_t boot_status_sz(uint32_t min_write_sz); uint32_t boot_trailer_sz(uint32_t min_write_sz); -/* Get offset of trailer aligned to either device erase unit or alignment - * depending on whether device has erase or not. - */ -int boot_trailer_scramble_offset(const struct flash_area *fa, size_t alignment, - size_t *off); -/* Get size of header aligned to device erase unit or write block, - * depending on whether device has erase or not. - */ -int boot_header_scramble_off_sz(const struct flash_area *fa, int slot, size_t *off, - size_t *size); int boot_status_entries(int image_index, const struct flash_area *fap); uint32_t boot_status_off(const struct flash_area *fap); int boot_read_swap_state(const struct flash_area *fap, @@ -344,19 +334,7 @@ int boot_copy_region(struct boot_loader_state *state, const struct flash_area *fap_dst, uint32_t off_src, uint32_t off_dst, uint32_t sz); #endif -/* Prepare for write device that requires erase prior to write. This will - * do nothing on devices without erase requirement. - */ int boot_erase_region(const struct flash_area *fap, uint32_t off, uint32_t sz); -/* Similar to boot_erase_region but will always remove data */ -int boot_scramble_region(const struct flash_area *fap, uint32_t off, uint32_t sz); -/* Similar to boot_scramble_region but works backwards */ -int boot_scramble_region_backwards(const struct flash_area *fap, uint32_t off, uint32_t sz); -/* Makes slot unbootable, either by scrambling header magic, header sector - * or entire slot, depending on settings. - * Note: slot is passed here becuase at this point there is no function - * matching flash_area object to slot */ -int boot_scramble_slot(const struct flash_area *fap, int slot); bool boot_status_is_reset(const struct boot_status *bs); #ifdef MCUBOOT_ENC_IMAGES @@ -538,20 +516,6 @@ uint32_t bootutil_max_image_size(const struct flash_area *fap); int boot_read_image_size(struct boot_loader_state *state, int slot, uint32_t *size); -/* Helper macro to avoid compile errors with systems that do not - * provide function to check device type. - * Note: it used to be inline, but somehow compiler would not - * optimize out branches that were impossible when this evaluated to - * just "true". - */ -#if defined(MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE) && defined(MCUBOOT_SUPPORT_DEV_WITH_ERASE) -#define device_requires_erase(fa) (flash_area_erase_required(fa)) -#elif defined(MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE) -#define device_requires_erase(fa) (false) -#else -#define device_requires_erase(fa) (true) -#endif - #ifdef __cplusplus } #endif diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 61b71fc60..e6ca0738e 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1051,7 +1051,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, * is erased. */ if (slot != BOOT_PRIMARY_SLOT) { - swap_scramble_trailer_sectors(state, fap); + swap_erase_trailer_sectors(state, fap); #if defined(MCUBOOT_SWAP_USING_MOVE) if (bs->swap_type == BOOT_SWAP_TYPE_REVERT || @@ -1063,7 +1063,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, &fap_pri); if (rc == 0) { - rc = swap_scramble_trailer_sectors(state, fap_pri); + rc = swap_erase_trailer_sectors(state, fap_pri); flash_area_close(fap_pri); if (rc == 0) { @@ -1109,7 +1109,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); if (rc < 0 && boot_check_header_erased(state, BOOT_PRIMARY_SLOT)) { BOOT_LOG_ERR("insufficient version in secondary slot"); - boot_scramble_slot(fap, slot); + flash_area_erase(fap, 0, flash_area_get_size(fap)); /* Image in the secondary slot does not satisfy version requirement. * Erase the image and continue booting from the primary slot. */ @@ -1132,7 +1132,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, #endif if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { if ((slot != BOOT_PRIMARY_SLOT) || ARE_SLOTS_EQUIVALENT()) { - boot_scramble_slot(fap, slot); + flash_area_erase(fap, 0, flash_area_get_size(fap)); /* Image is invalid, erase it to prevent further unnecessary * attempts to validate and boot it. */ @@ -1173,7 +1173,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, * * Erase the image and continue booting from the primary slot. */ - boot_scramble_slot(fap, slot); + flash_area_erase(fap, 0, fap->fa_size); fih_rc = FIH_NO_BOOTABLE_IMAGE; goto out; } @@ -1267,12 +1267,11 @@ boot_validated_swap_type(struct boot_loader_state *state, #endif /** - * Erases a region of device that requires erase prior to write; does - * nothing on devices without erase. + * Erases a region of flash. * - * @param fap The flash_area containing the region to erase. + * @param flash_area The flash_area containing the region to erase. * @param off The offset within the flash area to start the - * erase. + * erase. * @param sz The number of bytes to erase. * * @return 0 on success; nonzero on failure. @@ -1280,197 +1279,7 @@ boot_validated_swap_type(struct boot_loader_state *state, int boot_erase_region(const struct flash_area *fap, uint32_t off, uint32_t sz) { - if (device_requires_erase(fap)) { - return flash_area_erase(fap, off, sz); - } - return 0; -} - -/** - * Removes data from specified region either by writing erase value in place of - * data or by doing erase, if device has such hardware requirement. - * Note that function will fail if off or size are not aligned to device - * write block size or erase block size. - * - * @param fa The flash_area containing the region to erase. - * @param off The offset within the flash area to start the - * erase. - * @param size The number of bytes to erase. - * - * @return 0 on success; nonzero on failure. - */ -int -boot_scramble_region(const struct flash_area *fa, uint32_t off, uint32_t size) -{ - int ret = 0; - - if (size == 0) { - return 0; - } - - if (device_requires_erase(fa)) { - return flash_area_erase(fa, off, size); - } else { - uint8_t buf[BOOT_MAX_ALIGN]; - size_t size_done = 0; - const size_t write_block = flash_area_align(fa); - - memset(buf, flash_area_erased_val(fa), sizeof(buf)); - - while (size_done < size) { - ret = flash_area_write(fa, size_done + off, buf, write_block); - if (ret != 0) { - break; - } - size_done += write_block; - } - } - return ret; -} - -/** - * Removes data from specified region backwards either by writing erase_value - * in place of data or by doing erase, if device has such hardware requirement. - * Note that function will fail if off or size are not aligned to device - * write block size or erase block size. - * - * @param fa The flash_area containing the region to erase. - * @param off The offset within the flash area to start the - * erase. - * @param size The number of bytes to erase. - * - * @return 0 on success; nonzero on failure. - */ -int boot_scramble_region_backwards(const struct flash_area *fa, uint32_t off, uint32_t size) -{ - int ret = 0; - uint32_t first_offset = 0; - - if (size == 0) { - return 0; - } - - if (off >= flash_area_get_size(fa) || (flash_area_get_size(fa) - off) < size) { - return -1; - } - - if (device_requires_erase(fa)) { - struct flash_sector sector; - - /* Get the lowest erased page offset first */ - ret = flash_area_get_sector(fa, off, §or); - if (ret < 0) { - return ret; - } - first_offset = flash_sector_get_off(§or); - - /* Set boundary condition, the highest probable offset to erase, within - * last sector to erase - */ - off += size - 1; - - while (true) { - /* Size to read in this iteration */ - size_t csize; - - /* Get current sector and, also, correct offset */ - ret = flash_area_get_sector(fa, off, §or); - if (ret < 0) { - return ret; - } - - /* Corrected offset and size of current sector to erase */ - off = flash_sector_get_off(§or); - csize = flash_sector_get_size(§or); - - ret = flash_area_erase(fa, off, csize); - if (ret < 0) { - return ret; - } - - if (first_offset >= off) { - /* Reached the first offsset in range and already erased it */ - break; - } - - /* Move down to previous sector, the flash_area_get_sector will - * correct the value to real page offset - */ - off -= 1; - } - } else { - uint8_t buf[BOOT_MAX_ALIGN]; - const size_t write_block = flash_area_align(fa); - uint32_t first_offset = ALIGN_DOWN(off, write_block); - - memset(buf, flash_area_erased_val(fa), sizeof(buf)); - - /* Starting at the last write block in range */ - off += size - write_block; - - while (true) { - /* Write over the area to scramble data that is there */ - ret = flash_area_write(fa, off, buf, write_block); - if (ret != 0) { - break; - } - - if (first_offset >= off) { - /* Reached the first offset in range and already scrambled it */ - break; - } - - off -= write_block; - } - } - return ret; -} - -/** - * Remove enough data from slot to mark is as unused - * Assumption: header and trailer are not overlapping on write block or - * erase block, if device has erase requirement. - * Note that this function is intended for removing data not preparing device - * for write. - * - * @param fa Pointer to flash area object for slot - * @param slot Slot the @p fa represents - * - * @return 0 on success; nonzero on failure. - */ -int -boot_scramble_slot(const struct flash_area *fa, int slot) -{ - size_t size; - int ret = 0; - - (void)slot; - - /* Without minimal entire area needs to be scrambled */ -#if !defined(MCUBOOT_MINIMAL_SCRAMBLE) - size = flash_area_get_size(fa); - ret = boot_scramble_region(fa, 0, size); -#else - size_t off = 0; - - ret = boot_header_scramble_off_sz(fa, slot, &off, &size); - if (ret < 0) { - return ret; - } - - ret = boot_scramble_region(fa, off, size); - if (ret < 0) { - return ret; - } - - ret = boot_trailer_scramble_offset(fa, 0, &off); - if (ret < 0) { - return ret; - } - - ret = boot_scramble_region_backwards(fa, off, flash_area_get_size(fa) - off); -#endif - return ret; + return flash_area_erase(fap, off, sz); } #if !defined(MCUBOOT_DIRECT_XIP) && !defined(MCUBOOT_RAM_LOAD) @@ -1967,6 +1776,7 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs) } #endif + /** * Performs a clean (not aborted) image update. * @@ -2429,7 +2239,8 @@ check_downgrade_prevention(struct boot_loader_state *state) if (rc < 0) { /* Image in slot 0 prevents downgrade, delete image in slot 1 */ BOOT_LOG_INF("Image %d in slot 1 erased due to downgrade prevention", BOOT_CURR_IMG(state)); - boot_scramble_slot(BOOT_IMG_AREA(state, 1), BOOT_SECONDARY_SLOT); + flash_area_erase(BOOT_IMG_AREA(state, 1), 0, + flash_area_get_size(BOOT_IMG_AREA(state, 1))); } else { rc = 0; } diff --git a/boot/bootutil/src/ram_load.c b/boot/bootutil/src/ram_load.c index 7942c188b..630af1170 100644 --- a/boot/bootutil/src/ram_load.c +++ b/boot/bootutil/src/ram_load.c @@ -432,7 +432,7 @@ boot_remove_image_from_flash(struct boot_loader_state *state, uint32_t slot) area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); rc = flash_area_open(area_id, &fap); if (rc == 0) { - boot_scramble_slot(fap, slot); + flash_area_erase(fap, 0, flash_area_get_size(fap)); flash_area_close(fap); } diff --git a/boot/bootutil/src/swap_misc.c b/boot/bootutil/src/swap_misc.c index 4efc0aff2..b1ce44119 100644 --- a/boot/bootutil/src/swap_misc.c +++ b/boot/bootutil/src/swap_misc.c @@ -35,86 +35,50 @@ int swap_erase_trailer_sectors(const struct boot_loader_state *state, const struct flash_area *fap) { - int rc = 0; - - /* Intention is to prepare slot for write, if device does not require/support - * erase, there is nothing to do here. - */ - if (device_requires_erase(fap)) { - uint8_t slot; - uint32_t sector; - uint32_t trailer_sz; - uint32_t total_sz; - uint32_t off; - uint32_t sz; - int fa_id_primary; - int fa_id_secondary; - uint8_t image_index; - - BOOT_LOG_DBG("Erasing trailer; fa_id=%d", flash_area_get_id(fap)); - - image_index = BOOT_CURR_IMG(state); - fa_id_primary = flash_area_id_from_multi_image_slot(image_index, - BOOT_PRIMARY_SLOT); - fa_id_secondary = flash_area_id_from_multi_image_slot(image_index, - BOOT_SECONDARY_SLOT); - - if (flash_area_get_id(fap) == fa_id_primary) { - slot = BOOT_PRIMARY_SLOT; - } else if (flash_area_get_id(fap) == fa_id_secondary) { - slot = BOOT_SECONDARY_SLOT; - } else { - return BOOT_EFLASH; - } - - /* Delete starting from last sector and moving to beginning */ - sector = boot_img_num_sectors(state, slot) - 1; - trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state)); - total_sz = 0; - do { - sz = boot_img_sector_size(state, slot, sector); - off = boot_img_sector_off(state, slot, sector); - rc = boot_erase_region(fap, off, sz); - assert(rc == 0); - - sector--; - total_sz += sz; - } while (total_sz < trailer_sz); - } else { - BOOT_LOG_DBG("Erasing trailer not required; fa_id=%d", flash_area_get_id(fap)); - } - return rc; -} - -int -swap_scramble_trailer_sectors(const struct boot_loader_state *state, - const struct flash_area *fap) -{ - size_t off; + uint8_t slot; + uint32_t sector; + uint32_t trailer_sz; + uint32_t total_sz; + uint32_t off; + uint32_t sz; + int fa_id_primary; + int fa_id_secondary; + uint8_t image_index; int rc; - BOOT_LOG_DBG("Scrambling trailer; fa_id=%d", flash_area_get_id(fap)); + BOOT_LOG_DBG("erasing trailer; fa_id=%d", flash_area_get_id(fap)); - /* Delete starting from last sector and moving to beginning */ - rc = boot_trailer_scramble_offset(fap, BOOT_WRITE_SZ(state), &off); - if (rc < 0) { - return BOOT_EFLASH; - } - rc = boot_scramble_region_backwards(fap, off, flash_area_get_size(fap) - off); - if (rc < 0) { + image_index = BOOT_CURR_IMG(state); + fa_id_primary = flash_area_id_from_multi_image_slot(image_index, + BOOT_PRIMARY_SLOT); + fa_id_secondary = flash_area_id_from_multi_image_slot(image_index, + BOOT_SECONDARY_SLOT); + + if (flash_area_get_id(fap) == fa_id_primary) { + slot = BOOT_PRIMARY_SLOT; + } else if (flash_area_get_id(fap) == fa_id_secondary) { + slot = BOOT_SECONDARY_SLOT; + } else { return BOOT_EFLASH; } - return 0; + /* delete starting from last sector and moving to beginning */ + sector = boot_img_num_sectors(state, slot) - 1; + trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state)); + total_sz = 0; + do { + sz = boot_img_sector_size(state, slot, sector); + off = boot_img_sector_off(state, slot, sector); + rc = boot_erase_region(fap, off, sz); + assert(rc == 0); + + sector--; + total_sz += sz; + } while (total_sz < trailer_sz); + + return rc; } -/* NOTE: There is often call made to swap_scramble_trailer_sectors followed - * by swap_status_init to initialize swap status: this is not efficient on - * devices that do not require erase; we need implementation of swap_status_init - * or swap_status_reinit, that will remove old status and initialize new one - * in a single call; the current approach writes certain parts of status - * twice on these devices. - */ int swap_status_init(const struct boot_loader_state *state, const struct flash_area *fap, diff --git a/boot/bootutil/src/swap_move.c b/boot/bootutil/src/swap_move.c index 902932aaf..b124ff894 100644 --- a/boot/bootutil/src/swap_move.c +++ b/boot/bootutil/src/swap_move.c @@ -403,18 +403,14 @@ boot_move_sector_up(int idx, uint32_t sz, struct boot_loader_state *state, if (bs->idx == BOOT_STATUS_IDX_0) { if (bs->source != BOOT_STATUS_SOURCE_PRIMARY_SLOT) { - /* Remove data and prepare for write on devices requiring erase */ - rc = swap_scramble_trailer_sectors(state, fap_pri); + rc = swap_erase_trailer_sectors(state, fap_pri); assert(rc == 0); rc = swap_status_init(state, fap_pri, bs); assert(rc == 0); } - /* Remove status from secondary slot trailer, in case of device with - * erase requirement this will also prepare traier for write. - */ - rc = swap_scramble_trailer_sectors(state, fap_sec); + rc = swap_erase_trailer_sectors(state, fap_sec); assert(rc == 0); } @@ -504,8 +500,7 @@ fixup_revert(const struct boot_loader_state *state, struct boot_status *bs, BOOT_LOG_SWAP_STATE("Secondary image", &swap_state); if (swap_state.magic == BOOT_MAGIC_UNSET) { - /* Remove trailer and prepare area for write on devices requiring erase */ - rc = swap_scramble_trailer_sectors(state, fap_sec); + rc = swap_erase_trailer_sectors(state, fap_sec); assert(rc == 0); rc = boot_write_image_ok(fap_sec); diff --git a/boot/bootutil/src/swap_offset.c b/boot/bootutil/src/swap_offset.c index 883b125ce..c7df0c0da 100644 --- a/boot/bootutil/src/swap_offset.c +++ b/boot/bootutil/src/swap_offset.c @@ -603,7 +603,7 @@ void fixup_revert(const struct boot_loader_state *state, struct boot_status *bs, BOOT_LOG_SWAP_STATE("Secondary image", &swap_state); if (swap_state.magic == BOOT_MAGIC_UNSET) { - rc = swap_scramble_trailer_sectors(state, fap_sec); + rc = swap_erase_trailer_sectors(state, fap_sec); assert(rc == 0); rc = boot_write_copy_done(fap_sec); @@ -674,14 +674,14 @@ void swap_run(struct boot_loader_state *state, struct boot_status *bs, int rc; if (bs->source != BOOT_STATUS_SOURCE_PRIMARY_SLOT) { - rc = swap_scramble_trailer_sectors(state, fap_pri); + rc = swap_erase_trailer_sectors(state, fap_pri); assert(rc == 0); rc = swap_status_init(state, fap_pri, bs); assert(rc == 0); } - rc = swap_scramble_trailer_sectors(state, fap_sec); + rc = swap_erase_trailer_sectors(state, fap_sec); assert(rc == 0); } @@ -715,10 +715,10 @@ void swap_run(struct boot_loader_state *state, struct boot_status *bs, * status is not wrongly used as a valid header. Also erase the trailer in the secondary * to allow for a future update to be loaded */ - rc = boot_scramble_region(fap_sec, boot_img_sector_off(state, BOOT_SECONDARY_SLOT, 0), - sector_sz); + rc = boot_erase_region(fap_sec, boot_img_sector_off(state, BOOT_SECONDARY_SLOT, 0), + sector_sz); assert(rc == 0); - rc = swap_scramble_trailer_sectors(state, fap_sec); + rc = swap_erase_trailer_sectors(state, fap_sec); assert(rc == 0); } else { while (idx <= last_idx) { diff --git a/boot/bootutil/src/swap_priv.h b/boot/bootutil/src/swap_priv.h index b564ea99e..6fdf797e1 100644 --- a/boot/bootutil/src/swap_priv.h +++ b/boot/bootutil/src/swap_priv.h @@ -26,21 +26,10 @@ /** * Calculates the amount of space required to store the trailer, and erases * all sectors required for this storage in the given flash_area. - * The erase will only happen on devices that require erase as a preparation - * for write. To just remove swap status, the swap_scramble_trailer_sectors - * should be called. */ int swap_erase_trailer_sectors(const struct boot_loader_state *state, const struct flash_area *fap); -/** - * Calculate the amount of space required to store the trailer and remove - * data from trailer. This is similar to swap_erase_trailer_sectors, but - * is intended to remove swap status not to prepare device with explicit - * erase requirements before write. - */ -int swap_scramble_trailer_sectors(const struct boot_loader_state *state, - const struct flash_area *fap); /** * Initialize the given flash_area with the metadata required to start a new * swap upgrade. diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c index c9f1dde6d..446112dc5 100644 --- a/boot/bootutil/src/swap_scratch.c +++ b/boot/bootutil/src/swap_scratch.c @@ -629,7 +629,7 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, * last sector is not being used by the image data so it's safe * to erase. */ - rc = swap_scramble_trailer_sectors(state, fap_primary_slot); + rc = swap_erase_trailer_sectors(state, fap_primary_slot); assert(rc == 0); rc = swap_status_init(state, fap_primary_slot, bs); @@ -663,7 +663,7 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, /* If not all sectors of the slot are being swapped, * guarantee here that only the primary slot will have the state. */ - rc = swap_scramble_trailer_sectors(state, fap_secondary_slot); + rc = swap_erase_trailer_sectors(state, fap_secondary_slot); assert(rc == 0); } From 429e2fea24518f178cd4d33928cb66fcb0205803 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Mon, 17 Feb 2025 08:53:41 +0000 Subject: [PATCH 064/228] boot: zephyr: kconfig: Add new defaults option for FIH Adds a new menu with options which can be used by e.g. sysbuild to select which default options are set in a build, adds options for fault injection hardening modes Signed-off-by: Jamie McCrae --- boot/zephyr/Kconfig | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index cfc73a6f6..3e790861b 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -729,6 +729,9 @@ config MEASURED_BOOT_MAX_CBOR_SIZE choice BOOT_FAULT_INJECTION_HARDENING_PROFILE prompt "Fault injection hardening profile" + default BOOT_FIH_PROFILE_HIGH if BOOT_FIH_PROFILE_DEFAULT_HIGH + default BOOT_FIH_PROFILE_MEDIUM if BOOT_FIH_PROFILE_DEFAULT_MEDIUM + default BOOT_FIH_PROFILE_LOW if BOOT_FIH_PROFILE_DEFAULT_LOW default BOOT_FIH_PROFILE_OFF config BOOT_FIH_PROFILE_OFF @@ -1021,6 +1024,22 @@ endif # BOOT_DECOMPRESSION endif # BOOT_DECOMPRESSION_SUPPORT +menu "Defaults" + # Items in this menu should not be manually set. These options are for modules/sysbuild to + # set as defaults to allow MCUboot's default configuration to be set, but still allow it + # to be overridden by users. + +config BOOT_FIH_PROFILE_DEFAULT_LOW + bool "Default to low fault inject hardening level" + +config BOOT_FIH_PROFILE_DEFAULT_MEDIUM + bool "Default to medium fault inject hardening level" + +config BOOT_FIH_PROFILE_DEFAULT_HIGH + bool "Default to high fault inject hardening level" + +endmenu + endmenu config MCUBOOT_DEVICE_SETTINGS From 7330df7c783b0da75190459860257fc9f758fd50 Mon Sep 17 00:00:00 2001 From: Thomas Altenbach Date: Sat, 22 Feb 2025 02:02:20 +0100 Subject: [PATCH 065/228] boot: bootutil: Fix last sector index computation for swap-offset When using swap-offset, the index of the last sector of the primary slot that have to be swapped is computed at the beginning of the upgrade process. This computation was in fact returning the number of sector to swap rather than the index of the last sectpr (so N+1 instead of N). This was causing the upgrade to fail for large image, using all the available sectors. Signed-off-by: Thomas Altenbach --- boot/bootutil/src/swap_offset.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/bootutil/src/swap_offset.c b/boot/bootutil/src/swap_offset.c index c7df0c0da..2a63ee863 100644 --- a/boot/bootutil/src/swap_offset.c +++ b/boot/bootutil/src/swap_offset.c @@ -68,10 +68,10 @@ uint32_t find_last_idx(struct boot_loader_state *state, uint32_t swap_size) while (1) { sz += sector_sz; - last_idx++; if (sz >= swap_size) { break; } + last_idx++; } return last_idx; From 7724bcfd506a58d17a6d17f0dd27194eea20105a Mon Sep 17 00:00:00 2001 From: Thomas Altenbach Date: Sat, 15 Feb 2025 17:47:58 +0100 Subject: [PATCH 066/228] sim: Add device with larger sectors in slot 0 than in slot 1 The simulator was not performing any test with a configuration where the primary slot is composed of larger sectors than the secondary slot. This can be typically case when using a STM32 with an external flash memory since most STM32 have large internal sectors. This configuration was causing issues when using the swap-scratch upgrade strategy. Signed-off-by: Thomas Altenbach --- sim/src/image.rs | 23 +++++++++++++++++++++++ sim/src/lib.rs | 4 +++- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/sim/src/image.rs b/sim/src/image.rs index e406a8130..a32dad553 100644 --- a/sim/src/image.rs +++ b/sim/src/image.rs @@ -453,6 +453,29 @@ impl ImagesBuilder { flash.insert(dev_id, dev); (flash, Rc::new(areadesc), &[Caps::SwapUsingMove, Caps::SwapUsingOffset]) } + DeviceName::Stm32f4SpiFlash => { + // STM style internal flash and external SPI flash. + let dev0 = SimFlash::new(vec![ + 16 * 1024, 16 * 1024, 16 * 1024, 16 * 1024, 64 * 1024, + 32 * 1024, 32 * 1024, 64 * 1024, + 32 * 1024, 32 * 1024, 64 * 1024, + 128 * 1024], + align as usize, erased_val); + + let dev1: SimFlash = SimFlash::new(vec![8192; 64], align as usize, erased_val); + + let mut areadesc = AreaDesc::new(); + areadesc.add_flash_sectors(0, &dev0); + areadesc.add_flash_sectors(1, &dev1); + areadesc.add_image(0x020000, 0x020000, FlashId::Image0, 0); + areadesc.add_image(0x000000, 0x020000, FlashId::Image1, 1); + areadesc.add_image(0x020000, 0x020000, FlashId::ImageScratch, 1); + + let mut flash = SimMultiFlash::new(); + flash.insert(0, dev0); + flash.insert(1, dev1); + (flash, Rc::new(areadesc), &[Caps::SwapUsingMove, Caps::SwapUsingOffset]) + } DeviceName::K64f => { // NXP style flash. Small sectors, one small sector for scratch. let dev = SimFlash::new(vec![4096; 128], align as usize, erased_val); diff --git a/sim/src/lib.rs b/sim/src/lib.rs index 5e4304b82..8c648ca63 100644 --- a/sim/src/lib.rs +++ b/sim/src/lib.rs @@ -63,12 +63,13 @@ struct Args { #[derive(Copy, Clone, Debug, Deserialize)] pub enum DeviceName { - Stm32f4, K64f, K64fBig, K64fMulti, Nrf52840, Nrf52840SpiFlash, + Stm32f4, Stm32f4SpiFlash, K64f, K64fBig, K64fMulti, Nrf52840, Nrf52840SpiFlash, Nrf52840UnequalSlots, Nrf52840UnequalSlotsLargerSlot1, } pub static ALL_DEVICES: &[DeviceName] = &[ DeviceName::Stm32f4, + DeviceName::Stm32f4SpiFlash, DeviceName::K64f, DeviceName::K64fBig, DeviceName::K64fMulti, @@ -82,6 +83,7 @@ impl fmt::Display for DeviceName { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { let name = match *self { DeviceName::Stm32f4 => "stm32f4", + DeviceName::Stm32f4SpiFlash => "stm32f4SpiFlash", DeviceName::K64f => "k64f", DeviceName::K64fBig => "k64fbig", DeviceName::K64fMulti => "k64fmulti", From fbd2267e75bb47c1f3b48666bd460520498075d6 Mon Sep 17 00:00:00 2001 From: Thomas Altenbach Date: Sat, 15 Feb 2025 17:55:15 +0100 Subject: [PATCH 067/228] boot: bootutil: Fix invalid last sector computation for swap-scratch At the beginning of a swap-scratch upgrade, the index of the last sector in the primary slot that need to be swapped is computed using the 'find_last_sector_idx' routine. However, if the primary slot is composed of larger sectors than the secondary slots, this routine could return a wrong sector index for the primary slot. The index might even be outside the primary slot, which would lead to (at best) a simple failure of the upgrade and at worst a corruption of the flash memory bricking the device. This commit fixes the issue by ensuring 'find_last_sector_idx' always returns a valid sector index for the primary slot. Signed-off-by: Thomas Altenbach --- boot/bootutil/src/swap_scratch.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c index 446112dc5..2136d744f 100644 --- a/boot/bootutil/src/swap_scratch.c +++ b/boot/bootutil/src/swap_scratch.c @@ -464,13 +464,15 @@ boot_copy_sz(const struct boot_loader_state *state, int last_sector_idx, static int find_last_sector_idx(const struct boot_loader_state *state, uint32_t copy_size) { - int last_sector_idx; + int last_sector_idx_primary; + int last_sector_idx_secondary; uint32_t primary_slot_size; uint32_t secondary_slot_size; primary_slot_size = 0; secondary_slot_size = 0; - last_sector_idx = 0; + last_sector_idx_primary = 0; + last_sector_idx_secondary = 0; /* * Knowing the size of the largest image between both slots, here we @@ -483,23 +485,24 @@ find_last_sector_idx(const struct boot_loader_state *state, uint32_t copy_size) (primary_slot_size < secondary_slot_size)) { primary_slot_size += boot_img_sector_size(state, BOOT_PRIMARY_SLOT, - last_sector_idx); + last_sector_idx_primary); + ++last_sector_idx_primary; } if ((secondary_slot_size < copy_size) || (secondary_slot_size < primary_slot_size)) { secondary_slot_size += boot_img_sector_size(state, BOOT_SECONDARY_SLOT, - last_sector_idx); + last_sector_idx_secondary); + ++last_sector_idx_secondary; } if (primary_slot_size >= copy_size && secondary_slot_size >= copy_size && primary_slot_size == secondary_slot_size) { break; } - last_sector_idx++; } - return last_sector_idx; + return last_sector_idx_primary - 1; } /** From a43167e359d7bc18e1482d25f685bfcfe9cdc161 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 17 Feb 2025 16:32:44 +0100 Subject: [PATCH 068/228] zephyr: fix Mbed TLS configuration header file selection Mbed TLS already provides MBEDTLS_CFG_FILE Kconfig when it's builtin. So we only need to override that config when not using the builtin Mbed TLS version. This commit also fixes some hardcoding of "mcuboot-mbedtls-cfg.h" in Kconfig and prj.conf. Signed-off-by: Valerio Setti --- boot/zephyr/CMakeLists.txt | 4 ++-- boot/zephyr/Kconfig | 11 +++++------ boot/zephyr/prj.conf | 1 - 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 0e4bf7c50..209c61dbe 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -220,7 +220,7 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) # to set MBEDTLS_CONFIG_FILE ourselves. When using Zephyr's copy, this # variable is set by its Kconfig in the Zephyr codebase. zephyr_library_compile_definitions( - MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_LIST_DIR}/include/mcuboot-mbedtls-cfg.h" + MBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}" ) elseif(CONFIG_BOOT_SIGNATURE_TYPE_NONE) zephyr_library_include_directories( @@ -266,7 +266,7 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519) ${TINYCRYPT_SHA512_DIR}/source/sha512.c ) zephyr_library_compile_definitions( - MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_LIST_DIR}/include/mcuboot-mbedtls-cfg.h" + MBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}" ) else() zephyr_include_directories(include) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 3e790861b..b366b26d9 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -360,13 +360,12 @@ config MCUBOOT_CLEANUP_RAM help Sets contents of memory to 0 before jumping to application. -if MBEDTLS - config MBEDTLS_CFG_FILE - default "config-tls-generic.h" if MBEDTLS_BUILTIN || BOOT_USE_PSA_CRYPTO - default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS - -endif + # It might be awkward to define an Mbed TLS header file when TinyCrypt + # is used, but the fact is that Mbed TLS' ASN1 parse module is used + # also when TinyCrypt is used as crypto backend. + default "mcuboot-mbedtls-cfg.h" if BOOT_USE_TINYCRYPT + default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS && !MBEDTLS_BUILTIN config BOOT_HW_KEY bool "Use HW key for image verification" diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 851c133ec..119e07579 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -1,7 +1,6 @@ CONFIG_PM=n CONFIG_MAIN_STACK_SIZE=10240 -CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h" CONFIG_BOOT_SWAP_SAVE_ENCTLV=n CONFIG_BOOT_ENCRYPT_IMAGE=n From 7fd761185f32bc5d66919e33e7d643ef8322c611 Mon Sep 17 00:00:00 2001 From: Thomas Altenbach Date: Sun, 16 Feb 2025 00:48:44 +0100 Subject: [PATCH 069/228] sim: Avoid assuming trailer is sector-aligned for swap-scratch + max-align-32 When testing the swap-scratch upgrade strategy with 32-byte flash write size, the largest image size was computed assuming the trailer starts at the beginning of a sector. This assumption is not mentionned in the MCUboot's user documentation and a user would therefore expect that swap-scratch is working even if a sector contains both firmware and trailer data. Also, this assumption is not made for flash write sizes lower than 32 bytes. This is probably due to the fact that when 'max-align-32' is not selected, the trailer fits into a single sector for all tested configuration. However, when 'max-align-32' is enabled, the trailer is larger than a single sector in some tested configurations, which makes harder to compute the maximal image size since the size of the trailer in the scratch area has to be taken into account. This commit modifies in the simulator the routine computing the size that must be reserved for the trailer to properly handle the case of trailers too large to fit into a single sector. Unfortunately, this reveals that the swap-scratch implementation doesn't properly handle this case, which will be fixed in the following commits. Signed-off-by: Thomas Altenbach --- sim/mcuboot-sys/src/area.rs | 7 +++ sim/src/image.rs | 86 ++++++++++++++++++++++++++----------- 2 files changed, 67 insertions(+), 26 deletions(-) diff --git a/sim/mcuboot-sys/src/area.rs b/sim/mcuboot-sys/src/area.rs index 1ebb40552..c41e33f83 100644 --- a/sim/mcuboot-sys/src/area.rs +++ b/sim/mcuboot-sys/src/area.rs @@ -149,6 +149,13 @@ impl AreaDesc { pub fn iter_areas(&self) -> impl Iterator { self.whole.iter() } + + /// Return the list of sectors of a given flash area. + pub fn get_area_sectors(&self, flash_id: FlashId) -> Option<&Vec> { + self.areas.iter() + .filter(|area| !area.is_empty()) + .find(|area| area[0].flash_id == flash_id) + } } /// The area descriptor, C format. diff --git a/sim/src/image.rs b/sim/src/image.rs index a32dad553..0aafd1563 100644 --- a/sim/src/image.rs +++ b/sim/src/image.rs @@ -234,20 +234,20 @@ impl ImagesBuilder { let (primaries,upgrades) = if img_manipulation == ImageManipulation::CorruptHigherVersionImage && !higher_version_corrupted { higher_version_corrupted = true; - let prim = install_image(&mut flash, &slots[0], + let prim = install_image(&mut flash, &self.areadesc, &slots[0], maximal(42784), &ram, &*dep, ImageManipulation::None, Some(0), false); let upgr = match deps.depends[image_num] { DepType::NoUpgrade => install_no_image(), - _ => install_image(&mut flash, &slots[1], + _ => install_image(&mut flash, &self.areadesc, &slots[1], maximal(46928), &ram, &*dep, ImageManipulation::BadSignature, Some(0), true) }; (prim, upgr) } else { - let prim = install_image(&mut flash, &slots[0], + let prim = install_image(&mut flash, &self.areadesc, &slots[0], maximal(42784), &ram, &*dep, img_manipulation, Some(0), false); let upgr = match deps.depends[image_num] { DepType::NoUpgrade => install_no_image(), - _ => install_image(&mut flash, &slots[1], + _ => install_image(&mut flash, &self.areadesc, &slots[1], maximal(46928), &ram, &*dep, img_manipulation, Some(0), true) }; (prim, upgr) @@ -298,9 +298,9 @@ impl ImagesBuilder { let ram = self.ram.clone(); // TODO: Avoid this clone. let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); - let primaries = install_image(&mut bad_flash, &slots[0], + let primaries = install_image(&mut bad_flash, &self.areadesc, &slots[0], maximal(32784), &ram, &dep, ImageManipulation::None, Some(0), false); - let upgrades = install_image(&mut bad_flash, &slots[1], + let upgrades = install_image(&mut bad_flash, &self.areadesc, &slots[1], maximal(41928), &ram, &dep, ImageManipulation::BadSignature, Some(0), true); OneImage { slots, @@ -321,9 +321,9 @@ impl ImagesBuilder { let ram = self.ram.clone(); // TODO: Avoid this clone. let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); - let primaries = install_image(&mut bad_flash, &slots[0], + let primaries = install_image(&mut bad_flash, &self.areadesc, &slots[0], maximal(32784), &ram, &dep, ImageManipulation::None, Some(0), false); - let upgrades = install_image(&mut bad_flash, &slots[1], + let upgrades = install_image(&mut bad_flash, &self.areadesc, &slots[1], ImageSize::Oversized, &ram, &dep, ImageManipulation::None, Some(0), true); OneImage { slots, @@ -344,7 +344,7 @@ impl ImagesBuilder { let ram = self.ram.clone(); // TODO: Avoid this clone. let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); - let primaries = install_image(&mut flash, &slots[0], + let primaries = install_image(&mut flash, &self.areadesc, &slots[0], maximal(32784), &ram, &dep,ImageManipulation::None, Some(0), false); let upgrades = install_no_image(); OneImage { @@ -367,7 +367,7 @@ impl ImagesBuilder { let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); let primaries = install_no_image(); - let upgrades = install_image(&mut flash, &slots[1], + let upgrades = install_image(&mut flash, &self.areadesc, &slots[1], maximal(32784), &ram, &dep, ImageManipulation::None, Some(0), true); OneImage { slots, @@ -389,7 +389,7 @@ impl ImagesBuilder { let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); let primaries = install_no_image(); - let upgrades = install_image(&mut flash, &slots[1], + let upgrades = install_image(&mut flash, &self.areadesc, &slots[1], ImageSize::Oversized, &ram, &dep, ImageManipulation::None, Some(0), true); OneImage { slots, @@ -411,9 +411,9 @@ impl ImagesBuilder { let ram = self.ram.clone(); // TODO: Avoid this clone. let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| { let dep = BoringDep::new(image_num, &NO_DEPS); - let primaries = install_image(&mut flash, &slots[0], + let primaries = install_image(&mut flash, &self.areadesc, &slots[0], maximal(32784), &ram, &dep, ImageManipulation::None, security_cnt, false); - let upgrades = install_image(&mut flash, &slots[1], + let upgrades = install_image(&mut flash, &self.areadesc, &slots[1], maximal(41928), &ram, &dep, ImageManipulation::None, security_cnt.map(|v| v + 1), true); OneImage { slots, @@ -1754,20 +1754,54 @@ enum ImageSize { Oversized, } -#[cfg(not(feature = "max-align-32"))] -fn tralier_estimation(dev: &dyn Flash) -> usize { - c::boot_trailer_sz(dev.align() as u32) as usize -} +/// Estimate the number of bytes in each slot that must be reserved for the trailer when +/// swap-scratch is used. +fn estimate_swap_scratch_trailer_size(dev: &dyn Flash, areadesc: &AreaDesc, slot: &SlotInfo) -> usize { + // Compute the minimal size that must be allocated to the trailer, without considering the + // trailer in the sratch area. + let mut trailer_sz = c::boot_trailer_sz(dev.align() as u32) as usize; + + // If the trailer is not a multiple of the sector size, the last sector that can hold firmware + // data also contains the trailer or a part of it. Let's compute the size of the part of the + // trailer that is in the last firmware sector. + let mut trailer_sz_in_fw_sector = trailer_sz; + + let flash_id = match slot.index { + 0 => FlashId::Image0, + 1 => FlashId::Image1, + _ => panic!("Invalid slot index"), + }; -#[cfg(feature = "max-align-32")] -fn tralier_estimation(dev: &dyn Flash) -> usize { + let slot_sectors = areadesc.get_area_sectors(flash_id).unwrap(); - let sector_size = dev.sector_iter().next().unwrap().size as u32; + for sector in slot_sectors.iter().rev() { + let sector_sz = sector.size as usize; + + if sector_sz > trailer_sz_in_fw_sector { + break; + } + + trailer_sz_in_fw_sector -= sector_sz; + } + + // If the trailer is not a multiple of the sector size, when the last sector containing firmware + // data will be copied to the scratch area, it must be ensured enough space is left to write the + // scratch trailer. + if trailer_sz_in_fw_sector != 0 { + // The scratch contains a single boot status entry + let boot_status_entry_sz = 3 * dev.align(); + let trailer_info_sz = trailer_sz - c::boot_status_sz(dev.align() as u32) as usize; + let scratch_trailer_sz = boot_status_entry_sz + trailer_info_sz; + + if scratch_trailer_sz > trailer_sz_in_fw_sector { + trailer_sz += scratch_trailer_sz - trailer_sz_in_fw_sector; + } + } - align_up(c::boot_trailer_sz(dev.align() as u32), sector_size) as usize + trailer_sz } -fn image_largest_trailer(dev: &dyn Flash) -> usize { +fn image_largest_trailer(dev: &dyn Flash, areadesc: &AreaDesc, slot: &SlotInfo) -> usize { // Using the header size we know, the trailer size, and the slot size, we can compute // the largest image possible. let trailer = if Caps::OverwriteUpgrade.present() { @@ -1778,7 +1812,7 @@ fn image_largest_trailer(dev: &dyn Flash) -> usize { let sector_size = dev.sector_iter().next().unwrap().size as u32; align_up(c::boot_trailer_sz(dev.align() as u32), sector_size) as usize } else if Caps::SwapUsingScratch.present() { - tralier_estimation(dev) + estimate_swap_scratch_trailer_size(dev, areadesc, slot) } else { panic!("The maximum image size can't be calculated.") }; @@ -1788,7 +1822,7 @@ fn image_largest_trailer(dev: &dyn Flash) -> usize { /// Install a "program" into the given image. This fakes the image header, or at least all of the /// fields used by the given code. Returns a copy of the image that was written. -fn install_image(flash: &mut SimMultiFlash, slot: &SlotInfo, len: ImageSize, +fn install_image(flash: &mut SimMultiFlash, areadesc: &AreaDesc, slot: &SlotInfo, len: ImageSize, ram: &RamData, deps: &dyn Depender, img_manipulation: ImageManipulation, security_counter:Option, secondary_slot:bool) -> ImageData { let mut offset = slot.base_off; @@ -1831,14 +1865,14 @@ fn install_image(flash: &mut SimMultiFlash, slot: &SlotInfo, len: ImageSize, let len = match len { ImageSize::Given(size) => size, ImageSize::Largest => { - let trailer = image_largest_trailer(dev); + let trailer = image_largest_trailer(dev, &areadesc, &slot); let tlv_len = tlv.estimate_size(); info!("slot: 0x{:x}, HDR: 0x{:x}, trailer: 0x{:x}", slot_len, HDR_SIZE, trailer); slot_len - HDR_SIZE - trailer - tlv_len }, ImageSize::Oversized => { - let trailer = image_largest_trailer(dev); + let trailer = image_largest_trailer(dev, &areadesc, &slot); let tlv_len = tlv.estimate_size(); let mut sector_offset = 0; From 8975d5c43f7eef3e4b9461b8544dc0720a9cb920 Mon Sep 17 00:00:00 2001 From: Thomas Altenbach Date: Sun, 16 Feb 2025 02:58:30 +0100 Subject: [PATCH 070/228] boot: bootutil: Fix underflow in swap-scratch when trailer is large When using swap-scratch, the last sector of a slot able to contain firmware data might also contain part of the trailer (or the whole trailer, if the latter is small enough). When the trailer is large, a single sector it might not fit in a single sector and that last firmware sector might therefore not be the last sector of the slot. When that happens, and unless the trailer starts exactly at the beginning of a sector, an underflow could occur when computing the number of bytes that must be copied from the last firmware sector. Indeed, when the trailer is large, its size can be larger than that sector and, depending on the size of the sratch area, 'copy_sz' can at worst equal to the size of this sector. If this underflow occurs, 'copy_sz' would end up containing a very large value, that would probably cause the upgrade to fail and could lead to a corruption of a large part of the flash memory if no bound check is performed in the flash driver. Signed-off-by: Thomas Altenbach --- boot/bootutil/src/swap_scratch.c | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c index 2136d744f..a82e6a241 100644 --- a/boot/bootutil/src/swap_scratch.c +++ b/boot/bootutil/src/swap_scratch.c @@ -563,6 +563,17 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, uint8_t image_index; int rc; + image_index = BOOT_CURR_IMG(state); + + rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index), &fap_primary_slot); + assert (rc == 0); + + rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY(image_index), &fap_secondary_slot); + assert (rc == 0); + + rc = flash_area_open(FLASH_AREA_IMAGE_SCRATCH, &fap_scratch); + assert (rc == 0); + /* Calculate offset from start of image area. */ img_off = boot_img_sector_off(state, BOOT_PRIMARY_SLOT, idx); @@ -594,26 +605,14 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, } } + /* Check if the currently swapped sector(s) contain the trailer or part of it */ if ((img_off + sz) > boot_img_sector_off(state, BOOT_PRIMARY_SLOT, last_sector)) { - copy_sz -= trailer_sz; + copy_sz = flash_area_get_size(fap_primary_slot) - img_off - trailer_sz; } bs->use_scratch = (bs->idx == BOOT_STATUS_IDX_0 && copy_sz != sz); - image_index = BOOT_CURR_IMG(state); - - rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index), - &fap_primary_slot); - assert (rc == 0); - - rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY(image_index), - &fap_secondary_slot); - assert (rc == 0); - - rc = flash_area_open(FLASH_AREA_IMAGE_SCRATCH, &fap_scratch); - assert (rc == 0); - if (bs->state == BOOT_STATUS_STATE_0) { BOOT_LOG_DBG("erasing scratch area"); rc = boot_erase_region(fap_scratch, 0, flash_area_get_size(fap_scratch)); From 66d41e73a2676beca20e26a957dbc07a9b907879 Mon Sep 17 00:00:00 2001 From: Thomas Altenbach Date: Sun, 16 Feb 2025 03:16:52 +0100 Subject: [PATCH 071/228] boot: bootutil: Fix scratch trailer overwritten if image trailer is large When using swap-scratch and the image trailer doesn't fit in a single sector, some padding might be necessary between the end of the firmware data and the beginning of the image trailer. Indeed, when the trailer fit in a single sector, it is guaranteed that when copying the firmware data from this sector to the scratch area, it won't overwrite the trailer in the scratch trailer since that trailer is always smaller the image trailer. However, when the trailer is larger than a single sector, the sector containing the last part of the firmware data might only contain a very small part of the trailer. There is no more guarantee that the scratch trailer won't get overwritten when copying that sector to the sratch area. Therefore, a check must be added to handle that case. Signed-off-by: Thomas Altenbach --- boot/bootutil/src/swap_scratch.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c index a82e6a241..9d6c5cb97 100644 --- a/boot/bootutil/src/swap_scratch.c +++ b/boot/bootutil/src/swap_scratch.c @@ -609,6 +609,18 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, if ((img_off + sz) > boot_img_sector_off(state, BOOT_PRIMARY_SLOT, last_sector)) { copy_sz = flash_area_get_size(fap_primary_slot) - img_off - trailer_sz; + + /* Check if the computed copy size would cause the beginning of the trailer in the scratch + * area to be overwritten. If so, adjust the copy size to avoid this. + * + * This could happen if the trailer is larger than a single sector since in that case the + * first part of the trailer may be smaller than the trailer in the scratch area. + */ + scratch_trailer_off = boot_status_off(fap_scratch); + + if (copy_sz > scratch_trailer_off) { + copy_sz = scratch_trailer_off; + } } bs->use_scratch = (bs->idx == BOOT_STATUS_IDX_0 && copy_sz != sz); From d1a3b9536986ac2a30d7feda8db52c46dbc98c7b Mon Sep 17 00:00:00 2001 From: Thomas Altenbach Date: Sun, 16 Feb 2025 03:39:02 +0100 Subject: [PATCH 072/228] boot: bootutil: Ensure the whole trailer is erased when it is large When using swap-scratch and the trailer is too large to fit in a single sector, might not be fully erased in both the primary and the secondary slot if the last sector containing firmware data also contains part of the trailer. Indeed, in that case, it might happen that only the first part of the trailer was erased, causing issues e.g. when attempting to rewrite the trailer in the primary slot during the upgrade. Signed-off-by: Thomas Altenbach --- boot/bootutil/src/swap_scratch.c | 126 ++++++++++++++++++++++--------- 1 file changed, 91 insertions(+), 35 deletions(-) diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c index 9d6c5cb97..9fce9d571 100644 --- a/boot/bootutil/src/swap_scratch.c +++ b/boot/bootutil/src/swap_scratch.c @@ -534,6 +534,33 @@ find_swap_count(const struct boot_loader_state *state, uint32_t copy_size) return swap_count; } +/** + * Finds the first sector of a given slot that holds image trailer data. + * + * @param state Current bootloader's state. + * @param slot The index of the slot to consider. + * @param trailer_sz The size of the trailer, in bytes. + * + * @return The index of the first sector of the slot that holds image trailer data. + */ +static size_t +get_first_trailer_sector(struct boot_loader_state *state, size_t slot, size_t trailer_sz) +{ + size_t first_trailer_sector = boot_img_num_sectors(state, slot) - 1; + size_t sector_sz = boot_img_sector_size(state, slot, first_trailer_sector); + size_t trailer_sector_sz = sector_sz; + + while (trailer_sector_sz < trailer_sz) { + /* Consider that the image trailer may span across sectors of different sizes */ + --first_trailer_sector; + sector_sz = boot_img_sector_size(state, slot, first_trailer_sector); + + trailer_sector_sz += sector_sz; + } + + return first_trailer_sector; +} + /** * Swaps the contents of two flash regions within the two image slots. * @@ -554,11 +581,10 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, const struct flash_area *fap_scratch; uint32_t copy_sz; uint32_t trailer_sz; - uint32_t sector_sz; uint32_t img_off; uint32_t scratch_trailer_off; struct boot_swap_state swap_state; - size_t last_sector; + size_t first_trailer_sector_primary; bool erase_scratch; uint8_t image_index; int rc; @@ -581,33 +607,23 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state)); /* sz in this function is always sized on a multiple of the sector size. - * The check against the start offset of the last sector - * is to determine if we're swapping the last sector. The last sector - * needs special handling because it's where the trailer lives. If we're - * copying it, we need to use scratch to write the trailer temporarily. + * The check against the start offset of the first trailer sector is to determine if we're + * swapping that sector, which might contains both part of the firmware image and part of the + * trailer (or the whole trailer if the latter is small enough). Therefore, that sector needs + * special handling: if we're copying it, we need to use scratch to write the trailer + * temporarily. + * + * Since the primary and secondary slots don't necessarily have the same layout, the index of + * the first trailer sector may be different for each slot. * * NOTE: `use_scratch` is a temporary flag (never written to flash) which - * controls if special handling is needed (swapping last sector). + * controls if special handling is needed (swapping the first trailer sector). */ - last_sector = boot_img_num_sectors(state, BOOT_PRIMARY_SLOT) - 1; - sector_sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, last_sector); - - if (sector_sz < trailer_sz) { - uint32_t trailer_sector_sz = sector_sz; - - while (trailer_sector_sz < trailer_sz) { - /* Consider that the image trailer may span across sectors of - * different sizes. - */ - sector_sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, --last_sector); - - trailer_sector_sz += sector_sz; - } - } + first_trailer_sector_primary = get_first_trailer_sector(state, BOOT_PRIMARY_SLOT, trailer_sz); /* Check if the currently swapped sector(s) contain the trailer or part of it */ if ((img_off + sz) > - boot_img_sector_off(state, BOOT_PRIMARY_SLOT, last_sector)) { + boot_img_sector_off(state, BOOT_PRIMARY_SLOT, first_trailer_sector_primary)) { copy_sz = flash_area_get_size(fap_primary_slot) - img_off - trailer_sz; /* Check if the computed copy size would cause the beginning of the trailer in the scratch @@ -666,29 +682,69 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, } if (bs->state == BOOT_STATUS_STATE_1) { - rc = boot_erase_region(fap_secondary_slot, img_off, sz); - assert(rc == 0); - - rc = boot_copy_region(state, fap_primary_slot, fap_secondary_slot, - img_off, img_off, copy_sz); - assert(rc == 0); + uint32_t erase_sz = sz; - if (bs->idx == BOOT_STATUS_IDX_0 && !bs->use_scratch) { - /* If not all sectors of the slot are being swapped, - * guarantee here that only the primary slot will have the state. - */ + if (bs->idx == BOOT_STATUS_IDX_0) { + /* Guarantee here that only the primary slot will have the state. + * + * This is necessary even though the current area being swapped contains part of the + * trailer since in case the trailer spreads over multiple sector erasing the [img_off, + * img_off + sz) might not erase the entire trailer. + */ rc = swap_erase_trailer_sectors(state, fap_secondary_slot); assert(rc == 0); + + if (bs->use_scratch) { + /* If the area being swapped contains the trailer or part of it, ensure the + * sector(s) containing the beginning of the trailer won't be erased again. + */ + size_t trailer_sector_secondary = + get_first_trailer_sector(state, BOOT_SECONDARY_SLOT, trailer_sz); + + uint32_t trailer_sector_offset = + boot_img_sector_off(state, BOOT_SECONDARY_SLOT, trailer_sector_secondary); + + erase_sz = trailer_sector_offset - img_off; + } + } + + if (erase_sz > 0) { + rc = boot_erase_region(fap_secondary_slot, img_off, erase_sz); + assert(rc == 0); } + rc = boot_copy_region(state, fap_primary_slot, fap_secondary_slot, + img_off, img_off, copy_sz); + assert(rc == 0); + rc = boot_write_status(state, bs); bs->state = BOOT_STATUS_STATE_2; BOOT_STATUS_ASSERT(rc == 0); } if (bs->state == BOOT_STATUS_STATE_2) { - rc = boot_erase_region(fap_primary_slot, img_off, sz); - assert(rc == 0); + uint32_t erase_sz = sz; + + if (bs->use_scratch) { + /* The current area that is being swapped contains the trailer or part of it. In that + * case, make sure to erase all sectors containing the trailer in the primary slot to be + * able to write the new trailer. This is not always equivalent to erasing the [img_off, + * img_off + sz) range when the trailer spreads across multiple sectors. + */ + rc = swap_erase_trailer_sectors(state, fap_primary_slot); + assert(rc == 0); + + /* Ensure the sector(s) containing the beginning of the trailer won't be erased twice */ + uint32_t trailer_sector_off = + boot_img_sector_off(state, BOOT_PRIMARY_SLOT, first_trailer_sector_primary); + + erase_sz = trailer_sector_off - img_off; + } + + if (erase_sz > 0) { + rc = boot_erase_region(fap_primary_slot, img_off, erase_sz); + assert(rc == 0); + } /* NOTE: If this is the final sector, we exclude the image trailer from * this copy (copy_sz was truncated earlier). From d00b11dc234caee267eb12376e2279ed57c35d5d Mon Sep 17 00:00:00 2001 From: Thomas Altenbach Date: Mon, 17 Feb 2025 02:53:22 +0100 Subject: [PATCH 073/228] boot: bootutil: Take into account scratch trailer when computing max image size When using swap-scratch and the trailer is larger than a single sector, the sector containing the last part of the firmware data might only contain a very small part of the trailer and some padding might be necessary between the end of the firmware image and the beginning of the trailer to ensure the scratch trailer won't be overwritten when copying that sector to the scratch area. This commit updates the 'bootutil_max_image_size' routine to take that padding into account. Signed-off-by: Thomas Altenbach --- boot/bootutil/src/bootutil_misc.c | 84 ++++++++++++++++++++++++++++-- boot/bootutil/src/bootutil_priv.h | 16 +++++- boot/bootutil/src/image_validate.c | 2 +- boot/bootutil/src/swap_scratch.c | 32 ++---------- 4 files changed, 100 insertions(+), 34 deletions(-) diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c index 97b1e94fe..8fd2a4fe1 100644 --- a/boot/bootutil/src/bootutil_misc.c +++ b/boot/bootutil/src/bootutil_misc.c @@ -331,12 +331,87 @@ boot_write_enc_key(const struct flash_area *fap, uint8_t slot, } #endif -uint32_t bootutil_max_image_size(const struct flash_area *fap) +#ifdef MCUBOOT_SWAP_USING_SCRATCH +size_t +boot_get_first_trailer_sector(struct boot_loader_state *state, size_t slot, size_t trailer_sz) { -#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SINGLE_APPLICATION_SLOT) || \ - defined(MCUBOOT_FIRMWARE_LOADER) || defined(MCUBOOT_SINGLE_APPLICATION_SLOT_RAM_LOAD) + size_t first_trailer_sector = boot_img_num_sectors(state, slot) - 1; + size_t sector_sz = boot_img_sector_size(state, slot, first_trailer_sector); + size_t trailer_sector_sz = sector_sz; + + while (trailer_sector_sz < trailer_sz) { + /* Consider that the image trailer may span across sectors of different sizes */ + --first_trailer_sector; + sector_sz = boot_img_sector_size(state, slot, first_trailer_sector); + + trailer_sector_sz += sector_sz; + } + + return first_trailer_sector; +} + +/** + * Returns the offset to the end of the first sector of a given slot that holds image trailer data. + * + * @param state Current bootloader's state. + * @param slot The index of the slot to consider. + * @param trailer_sz The size of the trailer, in bytes. + * + * @return The offset to the end of the first sector of the slot that holds image trailer data. + */ +static uint32_t +get_first_trailer_sector_end_off(struct boot_loader_state *state, size_t slot, size_t trailer_sz) +{ + size_t first_trailer_sector = boot_get_first_trailer_sector(state, slot, trailer_sz); + + return boot_img_sector_off(state, slot, first_trailer_sector) + + boot_img_sector_size(state, slot, first_trailer_sector); +} +#endif /* MCUBOOT_SWAP_USING_SCRATCH */ + +uint32_t bootutil_max_image_size(struct boot_loader_state *state, const struct flash_area *fap) +{ +#if defined(MCUBOOT_SINGLE_APPLICATION_SLOT) || \ + defined(MCUBOOT_FIRMWARE_LOADER) || \ + defined(MCUBOOT_SINGLE_APPLICATION_SLOT_RAM_LOAD) + (void) state; return boot_status_off(fap); +#elif defined(MCUBOOT_SWAP_USING_SCRATCH) + size_t slot_trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state)); + size_t slot_trailer_off = flash_area_get_size(fap) - slot_trailer_sz; + + /* If the trailer doesn't fit in the last sector of the primary or secondary slot, some padding + * might have to be inserted between the end of the firmware image and the beginning of the + * trailer to ensure there is enough space for the trailer in the scratch area when the last + * sector of the secondary will be copied to the scratch area. + * + * The value of the padding depends on the amount of trailer data that is contained in the first + * trailer containing part of the trailer in the primary and secondary slot. + */ + size_t trailer_sector_primary_end_off = + get_first_trailer_sector_end_off(state, BOOT_PRIMARY_SLOT, slot_trailer_sz); + size_t trailer_sector_secondary_end_off = + get_first_trailer_sector_end_off(state, BOOT_SECONDARY_SLOT, slot_trailer_sz); + + size_t trailer_sz_in_first_sector; + + if (trailer_sector_primary_end_off > trailer_sector_secondary_end_off) { + trailer_sz_in_first_sector = trailer_sector_primary_end_off - slot_trailer_off; + } else { + trailer_sz_in_first_sector = trailer_sector_secondary_end_off - slot_trailer_off; + } + + size_t trailer_padding = 0; + size_t scratch_trailer_sz = boot_scratch_trailer_sz(BOOT_WRITE_SZ(state)); + + if (scratch_trailer_sz > trailer_sz_in_first_sector) { + trailer_padding = scratch_trailer_sz - trailer_sz_in_first_sector; + } + + return slot_trailer_off - trailer_padding; #elif defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) + (void) state; + struct flash_sector sector; /* get the last sector offset */ int rc = flash_area_get_sector(fap, boot_status_off(fap), §or); @@ -348,10 +423,13 @@ uint32_t bootutil_max_image_size(const struct flash_area *fap) } return flash_sector_get_off(§or); #elif defined(MCUBOOT_OVERWRITE_ONLY) + (void) state; return boot_swap_info_off(fap); #elif defined(MCUBOOT_DIRECT_XIP) + (void) state; return boot_swap_info_off(fap); #elif defined(MCUBOOT_RAM_LOAD) + (void) state; return boot_swap_info_off(fap); #endif } diff --git a/boot/bootutil/src/bootutil_priv.h b/boot/bootutil/src/bootutil_priv.h index b3bb99842..d2fc4a1c3 100644 --- a/boot/bootutil/src/bootutil_priv.h +++ b/boot/bootutil/src/bootutil_priv.h @@ -344,6 +344,20 @@ int boot_read_enc_key(const struct flash_area *fap, uint8_t slot, struct boot_status *bs); #endif +#ifdef MCUBOOT_SWAP_USING_SCRATCH +/** + * Finds the first sector of a given slot that holds image trailer data. + * + * @param state Current bootloader's state. + * @param slot The index of the slot to consider. + * @param trailer_sz The size of the trailer, in bytes. + * + * @return The index of the first sector of the slot that holds image trailer data. + */ +size_t +boot_get_first_trailer_sector(struct boot_loader_state *state, size_t slot, size_t trailer_sz); +#endif + /** * Checks that a buffer is erased according to what the erase value for the * flash device provided in `flash_area` is. @@ -511,7 +525,7 @@ int boot_load_image_to_sram(struct boot_loader_state *state); #endif /* MCUBOOT_RAM_LOAD */ -uint32_t bootutil_max_image_size(const struct flash_area *fap); +uint32_t bootutil_max_image_size(struct boot_loader_state *state, const struct flash_area *fap); int boot_read_image_size(struct boot_loader_state *state, int slot, uint32_t *size); diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index 735f194f3..61cbf4de0 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -555,7 +555,7 @@ bootutil_img_validate(struct boot_loader_state *state, goto out; } - if (it.tlv_end > bootutil_max_image_size(fap)) { + if (it.tlv_end > bootutil_max_image_size(state, fap)) { rc = -1; goto out; } diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c index 9fce9d571..79a9b67fc 100644 --- a/boot/bootutil/src/swap_scratch.c +++ b/boot/bootutil/src/swap_scratch.c @@ -534,33 +534,6 @@ find_swap_count(const struct boot_loader_state *state, uint32_t copy_size) return swap_count; } -/** - * Finds the first sector of a given slot that holds image trailer data. - * - * @param state Current bootloader's state. - * @param slot The index of the slot to consider. - * @param trailer_sz The size of the trailer, in bytes. - * - * @return The index of the first sector of the slot that holds image trailer data. - */ -static size_t -get_first_trailer_sector(struct boot_loader_state *state, size_t slot, size_t trailer_sz) -{ - size_t first_trailer_sector = boot_img_num_sectors(state, slot) - 1; - size_t sector_sz = boot_img_sector_size(state, slot, first_trailer_sector); - size_t trailer_sector_sz = sector_sz; - - while (trailer_sector_sz < trailer_sz) { - /* Consider that the image trailer may span across sectors of different sizes */ - --first_trailer_sector; - sector_sz = boot_img_sector_size(state, slot, first_trailer_sector); - - trailer_sector_sz += sector_sz; - } - - return first_trailer_sector; -} - /** * Swaps the contents of two flash regions within the two image slots. * @@ -619,7 +592,8 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, * NOTE: `use_scratch` is a temporary flag (never written to flash) which * controls if special handling is needed (swapping the first trailer sector). */ - first_trailer_sector_primary = get_first_trailer_sector(state, BOOT_PRIMARY_SLOT, trailer_sz); + first_trailer_sector_primary = + boot_get_first_trailer_sector(state, BOOT_PRIMARY_SLOT, trailer_sz); /* Check if the currently swapped sector(s) contain the trailer or part of it */ if ((img_off + sz) > @@ -699,7 +673,7 @@ boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state, * sector(s) containing the beginning of the trailer won't be erased again. */ size_t trailer_sector_secondary = - get_first_trailer_sector(state, BOOT_SECONDARY_SLOT, trailer_sz); + boot_get_first_trailer_sector(state, BOOT_SECONDARY_SLOT, trailer_sz); uint32_t trailer_sector_offset = boot_img_sector_off(state, BOOT_SECONDARY_SLOT, trailer_sector_secondary); From 1b2fc096d9a683a7481b13749d01ca8fa78e7afd Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 17 Feb 2025 20:08:31 +0100 Subject: [PATCH 074/228] boot: Reuse pointers for flash_area objects from state Reduce flash_area_open/flash_area_close calls by reusing pointers to flash_area objects stored in boot_loader_state, that should be populated by context_boot_go. Signed-off-by: Dominik Ermel --- boot/bootutil/src/bootutil_misc.c | 34 ++++++------- boot/bootutil/src/bootutil_priv.h | 5 +- boot/bootutil/src/loader.c | 81 +++++++++---------------------- boot/bootutil/src/ram_load.c | 35 +++---------- boot/bootutil/src/swap_misc.c | 17 ++----- boot/bootutil/src/swap_move.c | 21 +++----- boot/bootutil/src/swap_offset.c | 54 +++++++-------------- boot/bootutil/src/swap_scratch.c | 38 ++++++--------- 8 files changed, 91 insertions(+), 194 deletions(-) diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c index 8fd2a4fe1..476489e54 100644 --- a/boot/bootutil/src/bootutil_misc.c +++ b/boot/bootutil/src/bootutil_misc.c @@ -205,16 +205,17 @@ boot_enc_key_off(const struct flash_area *fap, uint8_t slot) * If the magic is successfully found, a flash_area * is returned and it * is the responsibility of the called to close it. * - * @returns 0 on success, -1 on errors + * @returns flash_area pointer on success, NULL on failure. */ -int -boot_find_status(int image_index, const struct flash_area **fap) +const struct flash_area * +boot_find_status(const struct boot_loader_state *state, int image_index) { - uint8_t areas[] = { + const struct flash_area *fa_p = NULL; + const struct flash_area *areas[] = { #if MCUBOOT_SWAP_USING_SCRATCH - FLASH_AREA_IMAGE_SCRATCH, + state->scratch.area, #endif - FLASH_AREA_IMAGE_PRIMARY(image_index), + state->imgs[image_index][BOOT_PRIMARY_SLOT].area, }; unsigned int i; @@ -225,29 +226,26 @@ boot_find_status(int image_index, const struct flash_area **fap) * is assumed that if magic is valid then other metadata is too, * because magic is always written in the last step. */ - for (i = 0; i < sizeof(areas) / sizeof(areas[0]); i++) { uint8_t magic[BOOT_MAGIC_SZ]; + int rc = 0; - if (flash_area_open(areas[i], fap)) { - break; - } + fa_p = areas[i]; + rc = flash_area_read(fa_p, boot_magic_off(fa_p), magic, BOOT_MAGIC_SZ); - if (flash_area_read(*fap, boot_magic_off(*fap), magic, BOOT_MAGIC_SZ)) { - flash_area_close(*fap); + if (rc != 0) { + BOOT_LOG_ERR("Failed to read status from %d, err %d\n", + flash_area_get_id(fa_p), rc); + fa_p = NULL; break; } if (BOOT_MAGIC_GOOD == boot_magic_decode(magic)) { - return 0; + break; } - - flash_area_close(*fap); } - /* If we got here, no magic was found */ - fap = NULL; - return -1; + return fa_p; } int diff --git a/boot/bootutil/src/bootutil_priv.h b/boot/bootutil/src/bootutil_priv.h index d2fc4a1c3..b8be9122e 100644 --- a/boot/bootutil/src/bootutil_priv.h +++ b/boot/bootutil/src/bootutil_priv.h @@ -297,7 +297,8 @@ fih_ret bootutil_verify_img(uint8_t *img, uint32_t size, fih_ret boot_fih_memequal(const void *s1, const void *s2, size_t n); -int boot_find_status(int image_index, const struct flash_area **fap); +const struct flash_area *boot_find_status(const struct boot_loader_state *state, + int image_index); int boot_magic_compatible_check(uint8_t tbl_val, uint8_t val); uint32_t boot_status_sz(uint32_t min_write_sz); uint32_t boot_trailer_sz(uint32_t min_write_sz); @@ -305,8 +306,6 @@ int boot_status_entries(int image_index, const struct flash_area *fap); uint32_t boot_status_off(const struct flash_area *fap); int boot_read_swap_state(const struct flash_area *fap, struct boot_swap_state *state); -int boot_read_swap_state_by_id(int flash_area_id, - struct boot_swap_state *state); int boot_write_magic(const struct flash_area *fap); int boot_write_status(const struct boot_loader_state *state, struct boot_status *bs); int boot_write_copy_done(const struct flash_area *fap); diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index e6ca0738e..cf6a388f8 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -548,15 +548,10 @@ boot_verify_slot_dependencies(struct boot_loader_state *state, uint32_t slot) struct image_dependency dep; uint32_t off; uint16_t len; - int area_id; int rc; - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - rc = flash_area_open(area_id, &fap); - if (rc != 0) { - rc = BOOT_EFLASH; - goto done; - } + fap = BOOT_IMG_AREA(state, slot); + assert(fap != NULL); #if defined(MCUBOOT_SWAP_USING_OFFSET) it.start_off = boot_get_state_secondary_offset(state, fap); @@ -603,7 +598,6 @@ boot_verify_slot_dependencies(struct boot_loader_state *state, uint32_t slot) } done: - flash_area_close(fap); return rc; } @@ -948,20 +942,14 @@ boot_data_is_set_to(uint8_t val, void *data, size_t len) static int boot_check_header_erased(struct boot_loader_state *state, int slot) { - const struct flash_area *fap; + const struct flash_area *fap = NULL; struct image_header *hdr; uint8_t erased_val; - int area_id; - int rc; - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - rc = flash_area_open(area_id, &fap); - if (rc != 0) { - return -1; - } + fap = BOOT_IMG_AREA(state, slot); + assert(fap != NULL); erased_val = flash_area_erased_val(fap); - flash_area_close(fap); hdr = boot_img_hdr(state, slot); if (!boot_data_is_set_to(erased_val, &hdr->ih_magic, sizeof(hdr->ih_magic))) { @@ -1022,19 +1010,14 @@ boot_validate_slot(struct boot_loader_state *state, int slot, { const struct flash_area *fap; struct image_header *hdr; - int area_id; FIH_DECLARE(fih_rc, FIH_FAILURE); - int rc; #if !defined(MCUBOOT_SWAP_USING_OFFSET) (void)expected_swap_type; #endif - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - rc = flash_area_open(area_id, &fap); - if (rc != 0) { - FIH_RET(fih_rc); - } + fap = BOOT_IMG_AREA(state, slot); + assert(fap != NULL); hdr = boot_img_hdr(state, slot); if (boot_check_header_erased(state, slot) == 0 || @@ -1056,20 +1039,13 @@ boot_validate_slot(struct boot_loader_state *state, int slot, #if defined(MCUBOOT_SWAP_USING_MOVE) if (bs->swap_type == BOOT_SWAP_TYPE_REVERT || boot_swap_type_multi(BOOT_CURR_IMG(state)) == BOOT_SWAP_TYPE_REVERT) { - const struct flash_area *fap_pri; - - rc = flash_area_open(flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), - BOOT_PRIMARY_SLOT), - &fap_pri); + const struct flash_area *fap_pri = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT); - if (rc == 0) { - rc = swap_erase_trailer_sectors(state, fap_pri); - flash_area_close(fap_pri); + assert(fap_pri != NULL); - if (rc == 0) { - BOOT_LOG_INF("Cleared image %d primary slot trailer due to stuck revert", - BOOT_CURR_IMG(state)); - } + if (swap_erase_trailer_sectors(state, fap_pri) == 0) { + BOOT_LOG_INF("Cleared image %d primary slot trailer due to stuck revert", + BOOT_CURR_IMG(state)); } } #endif @@ -1103,6 +1079,8 @@ boot_validate_slot(struct boot_loader_state *state, int slot, #if defined(MCUBOOT_OVERWRITE_ONLY) && defined(MCUBOOT_DOWNGRADE_PREVENTION) if (slot != BOOT_PRIMARY_SLOT) { + int rc; + /* Check if version of secondary slot is sufficient */ rc = boot_version_cmp( &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, @@ -1151,14 +1129,13 @@ boot_validate_slot(struct boot_loader_state *state, int slot, * overwriting an application written to the incorrect slot. * This feature is only supported by ARM platforms. */ - if (area_id == FLASH_AREA_IMAGE_SECONDARY(BOOT_CURR_IMG(state))) { + if (fap == BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT)) { const struct flash_area *pri_fa = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT); struct image_header *secondary_hdr = boot_img_hdr(state, slot); uint32_t reset_value = 0; uint32_t reset_addr = secondary_hdr->ih_hdr_size + sizeof(reset_value); - rc = flash_area_read(fap, reset_addr, &reset_value, sizeof(reset_value)); - if (rc != 0) { + if (flash_area_read(fap, reset_addr, &reset_value, sizeof(reset_value)) != 0) { fih_rc = FIH_NO_BOOTABLE_IMAGE; goto out; } @@ -1181,8 +1158,6 @@ boot_validate_slot(struct boot_loader_state *state, int slot, #endif out: - flash_area_close(fap); - FIH_RET(fih_rc); } @@ -1208,12 +1183,8 @@ boot_update_security_counter(struct boot_loader_state *state, int slot, int hdr_ uint32_t img_security_cnt; int rc; - rc = flash_area_open(flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot), - &fap); - if (rc != 0) { - rc = BOOT_EFLASH; - goto done; - } + fap = BOOT_IMG_AREA(state, slot); + assert(fap != NULL); rc = bootutil_get_img_security_cnt(state, hdr_slot_idx, fap, &img_security_cnt); if (rc != 0) { @@ -1226,7 +1197,6 @@ boot_update_security_counter(struct boot_loader_state *state, int slot, int hdr_ } done: - flash_area_close(fap); return rc; } #endif /* MCUBOOT_HW_ROLLBACK_PROT */ @@ -1732,7 +1702,7 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs) * in the trailer... */ - rc = boot_find_status(image_index, &fap); + fap = boot_find_status(state, image_index); assert(fap != NULL); rc = boot_read_swap_size(fap, &bs->swap_size); assert(rc == 0); @@ -2764,17 +2734,15 @@ print_loaded_images(struct boot_loader_state *state) static int boot_select_or_erase(struct boot_loader_state *state) { - const struct flash_area *fap; - int fa_id; + const struct flash_area *fap = NULL; int rc; uint32_t active_slot; struct boot_swap_state* active_swap_state; active_slot = state->slot_usage[BOOT_CURR_IMG(state)].active_slot; - fa_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), active_slot); - rc = flash_area_open(fa_id, &fap); - assert(rc == 0); + fap = BOOT_IMG_AREA(state, active_slot); + assert(fap != NULL); active_swap_state = &(state->slot_usage[BOOT_CURR_IMG(state)].swap_state); @@ -2795,7 +2763,6 @@ boot_select_or_erase(struct boot_loader_state *state) rc = flash_area_erase(fap, 0, flash_area_get_size(fap)); assert(rc == 0); - flash_area_close(fap); rc = -1; } else { if (active_swap_state->copy_done != BOOT_FLAG_SET) { @@ -2817,7 +2784,6 @@ boot_select_or_erase(struct boot_loader_state *state) rc = 0; } } - flash_area_close(fap); } return rc; @@ -3200,8 +3166,7 @@ const struct image_max_size *boot_get_max_app_size(void) uint32_t boot_get_state_secondary_offset(struct boot_loader_state *state, const struct flash_area *fap) { - if (state != NULL && flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), - BOOT_SECONDARY_SLOT) == fap->fa_id) { + if (state != NULL && BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT) == fap) { return state->secondary_offset[BOOT_CURR_IMG(state)]; } diff --git a/boot/bootutil/src/ram_load.c b/boot/bootutil/src/ram_load.c index 630af1170..2aba3bf30 100644 --- a/boot/bootutil/src/ram_load.c +++ b/boot/bootutil/src/ram_load.c @@ -135,15 +135,11 @@ boot_decrypt_and_copy_image_to_sram(struct boot_loader_state *state, uint32_t max_sz = 1024; uint16_t idx; uint8_t * cur_dst; - int area_id; int rc; uint8_t * ram_dst = (void *)(IMAGE_RAM_BASE + img_dst); - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - rc = flash_area_open(area_id, &fap_src); - if (rc != 0){ - return BOOT_EFLASH; - } + fap_src = BOOT_IMG_AREA(state, slot); + assert(fap_src != NULL); tlv_off = BOOT_TLV_OFF(hdr); @@ -188,8 +184,6 @@ boot_decrypt_and_copy_image_to_sram(struct boot_loader_state *state, rc = 0; done: - flash_area_close(fap_src); - return rc; } @@ -211,18 +205,13 @@ boot_copy_image_to_sram(struct boot_loader_state *state, int slot, { int rc; const struct flash_area *fap_src = NULL; - int area_id; #if (BOOT_IMAGE_NUMBER == 1) (void)state; #endif - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - - rc = flash_area_open(area_id, &fap_src); - if (rc != 0) { - return BOOT_EFLASH; - } + fap_src = BOOT_IMG_AREA(state, slot); + assert(fap_src != NULL); /* Direct copy from flash to its new location in SRAM. */ rc = flash_area_read(fap_src, 0, (void *)(IMAGE_RAM_BASE + img_dst), img_sz); @@ -231,8 +220,6 @@ boot_copy_image_to_sram(struct boot_loader_state *state, int slot, BOOT_CURR_IMG(state), rc); } - flash_area_close(fap_src); - return rc; } @@ -421,22 +408,14 @@ boot_remove_image_from_sram(struct boot_loader_state *state) int boot_remove_image_from_flash(struct boot_loader_state *state, uint32_t slot) { - int area_id; - int rc; const struct flash_area *fap; - (void)state; - BOOT_LOG_INF("Removing image %d slot %d from flash", BOOT_CURR_IMG(state), slot); - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - rc = flash_area_open(area_id, &fap); - if (rc == 0) { - flash_area_erase(fap, 0, flash_area_get_size(fap)); - flash_area_close(fap); - } + fap = BOOT_IMG_AREA(state, slot); + assert(fap != NULL); - return rc; + return flash_area_erase(fap, 0, flash_area_get_size(fap)); } int boot_load_image_from_flash_to_sram(struct boot_loader_state *state, diff --git a/boot/bootutil/src/swap_misc.c b/boot/bootutil/src/swap_misc.c index b1ce44119..70e09767f 100644 --- a/boot/bootutil/src/swap_misc.c +++ b/boot/bootutil/src/swap_misc.c @@ -41,22 +41,13 @@ swap_erase_trailer_sectors(const struct boot_loader_state *state, uint32_t total_sz; uint32_t off; uint32_t sz; - int fa_id_primary; - int fa_id_secondary; - uint8_t image_index; int rc; BOOT_LOG_DBG("erasing trailer; fa_id=%d", flash_area_get_id(fap)); - image_index = BOOT_CURR_IMG(state); - fa_id_primary = flash_area_id_from_multi_image_slot(image_index, - BOOT_PRIMARY_SLOT); - fa_id_secondary = flash_area_id_from_multi_image_slot(image_index, - BOOT_SECONDARY_SLOT); - - if (flash_area_get_id(fap) == fa_id_primary) { + if (fap == BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)) { slot = BOOT_PRIMARY_SLOT; - } else if (flash_area_get_id(fap) == fa_id_secondary) { + } else if (fap == BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT)) { slot = BOOT_SECONDARY_SLOT; } else { return BOOT_EFLASH; @@ -96,8 +87,8 @@ swap_status_init(const struct boot_loader_state *state, BOOT_LOG_DBG("initializing status; fa_id=%d", flash_area_get_id(fap)); - rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SECONDARY(image_index), - &swap_state); + rc = boot_read_swap_state(state->imgs[image_index][BOOT_SECONDARY_SLOT].area, + &swap_state); assert(rc == 0); if (bs->swap_type != BOOT_SWAP_TYPE_NONE) { diff --git a/boot/bootutil/src/swap_move.c b/boot/bootutil/src/swap_move.c index b124ff894..dd5b131a7 100644 --- a/boot/bootutil/src/swap_move.c +++ b/boot/bootutil/src/swap_move.c @@ -77,7 +77,6 @@ boot_read_image_header(struct boot_loader_state *state, int slot, uint32_t sz; uint32_t last_idx; uint32_t swap_size; - int area_id; int rc; #if (BOOT_IMAGE_NUMBER == 1) @@ -86,12 +85,11 @@ boot_read_image_header(struct boot_loader_state *state, int slot, off = 0; if (bs && !boot_status_is_reset(bs)) { - boot_find_status(BOOT_CURR_IMG(state), &fap); + fap = boot_find_status(state, BOOT_CURR_IMG(state)); if (fap == NULL || boot_read_swap_size(fap, &swap_size)) { rc = BOOT_EFLASH; goto done; } - flash_area_close(fap); last_idx = find_last_idx(state, swap_size); sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, 0); @@ -115,12 +113,8 @@ boot_read_image_header(struct boot_loader_state *state, int slot, } } - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - rc = flash_area_open(area_id, &fap); - if (rc != 0) { - rc = BOOT_EFLASH; - goto done; - } + fap = BOOT_IMG_AREA(state, slot); + assert(fap != NULL); rc = flash_area_read(fap, off, out_hdr, sizeof *out_hdr); if (rc != 0) { @@ -137,7 +131,6 @@ boot_read_image_header(struct boot_loader_state *state, int slot, rc = 0; done: - flash_area_close(fap); return rc; } @@ -354,14 +347,14 @@ swap_status_source(struct boot_loader_state *state) image_index = BOOT_CURR_IMG(state); - rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_PRIMARY(image_index), - &state_primary_slot); + rc = boot_read_swap_state(state->imgs[image_index][BOOT_PRIMARY_SLOT].area, + &state_primary_slot); assert(rc == 0); BOOT_LOG_SWAP_STATE("Primary image", &state_primary_slot); - rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SECONDARY(image_index), - &state_secondary_slot); + rc = boot_read_swap_state(state->imgs[image_index][BOOT_SECONDARY_SLOT].area, + &state_secondary_slot); assert(rc == 0); BOOT_LOG_SWAP_STATE("Secondary image", &state_secondary_slot); diff --git a/boot/bootutil/src/swap_offset.c b/boot/bootutil/src/swap_offset.c index 2a63ee863..ebef36df9 100644 --- a/boot/bootutil/src/swap_offset.c +++ b/boot/bootutil/src/swap_offset.c @@ -80,12 +80,11 @@ uint32_t find_last_idx(struct boot_loader_state *state, uint32_t swap_size) int boot_read_image_header(struct boot_loader_state *state, int slot, struct image_header *out_hdr, struct boot_status *bs) { - const struct flash_area *fap; + const struct flash_area *fap = NULL; uint32_t off = 0; uint32_t sz; uint32_t last_idx; uint32_t swap_size; - int area_id; int rc; bool check_other_sector = true; @@ -94,7 +93,7 @@ int boot_read_image_header(struct boot_loader_state *state, int slot, #endif if (bs == NULL) { - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); + fap = BOOT_IMG_AREA(state, slot); if (slot == BOOT_SECONDARY_SLOT && boot_swap_type_multi(BOOT_CURR_IMG(state)) != BOOT_SWAP_TYPE_REVERT) { @@ -103,14 +102,13 @@ int boot_read_image_header(struct boot_loader_state *state, int slot, } else { if (!boot_status_is_reset(bs)) { check_other_sector = false; - boot_find_status(BOOT_CURR_IMG(state), &fap); + fap = boot_find_status(state, BOOT_CURR_IMG(state)); if (fap == NULL || boot_read_swap_size(fap, &swap_size)) { rc = BOOT_EFLASH; goto done; } - flash_area_close(fap); last_idx = find_last_idx(state, swap_size); sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, 0); @@ -163,9 +161,9 @@ int boot_read_image_header(struct boot_loader_state *state, int slot, } } - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); + fap = BOOT_IMG_AREA(state, slot); } else { - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); + fap = BOOT_IMG_AREA(state, slot); if (bs->swap_type == BOOT_SWAP_TYPE_REVERT || boot_swap_type_multi(BOOT_CURR_IMG(state)) == BOOT_SWAP_TYPE_REVERT) { @@ -177,11 +175,7 @@ int boot_read_image_header(struct boot_loader_state *state, int slot, } } - rc = flash_area_open(area_id, &fap); - if (rc != 0) { - rc = BOOT_EFLASH; - goto done; - } + assert(fap != NULL); rc = flash_area_read(fap, off, out_hdr, sizeof *out_hdr); if (rc != 0) { @@ -222,9 +216,7 @@ int boot_read_image_header(struct boot_loader_state *state, int slot, } rc = 0; - done: - flash_area_close(fap); return rc; } @@ -429,12 +421,13 @@ int swap_status_source(struct boot_loader_state *state) #endif image_index = BOOT_CURR_IMG(state); - rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_PRIMARY(image_index), &state_primary_slot); + rc = boot_read_swap_state(state->imgs[image_index][BOOT_PRIMARY_SLOT].area, + &state_primary_slot); assert(rc == 0); BOOT_LOG_SWAP_STATE("Primary image", &state_primary_slot); - rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SECONDARY(image_index), - &state_secondary_slot); + rc = boot_read_swap_state(state->imgs[image_index][BOOT_SECONDARY_SLOT].area, + &state_secondary_slot); assert(rc == 0); BOOT_LOG_SWAP_STATE("Secondary image", &state_secondary_slot); @@ -625,9 +618,8 @@ void swap_run(struct boot_loader_state *state, struct boot_status *bs, uint32_t last_idx; uint32_t used_sectors_pri; uint32_t used_sectors_sec; - uint8_t image_index; - const struct flash_area *fap_pri; - const struct flash_area *fap_sec; + const struct flash_area *fap_pri = NULL; + const struct flash_area *fap_sec = NULL; int rc; BOOT_LOG_INF("Starting swap using offset algorithm."); @@ -659,13 +651,11 @@ void swap_run(struct boot_loader_state *state, struct boot_status *bs, } } - image_index = BOOT_CURR_IMG(state); - - rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index), &fap_pri); - assert (rc == 0); + fap_pri = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT); + assert(fap_pri != NULL); - rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY(image_index), &fap_sec); - assert (rc == 0); + fap_sec = BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); + assert(fap_sec != NULL); fixup_revert(state, bs, fap_sec); @@ -731,9 +721,6 @@ void swap_run(struct boot_loader_state *state, struct boot_status *bs, idx++; } } - - flash_area_close(fap_pri); - flash_area_close(fap_sec); } int app_max_size(struct boot_loader_state *state) @@ -762,19 +749,14 @@ int boot_read_image_size(struct boot_loader_state *state, int slot, uint32_t *si uint32_t off; uint32_t secondary_slot_off = 0; uint32_t protect_tlv_size; - int area_id; int rc; #if (BOOT_IMAGE_NUMBER == 1) (void)state; #endif - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot); - rc = flash_area_open(area_id, &fap); - if (rc != 0) { - rc = BOOT_EFLASH; - goto done; - } + fap = BOOT_IMG_AREA(state, slot); + assert(fap != NULL); off = BOOT_TLV_OFF(boot_img_hdr(state, slot)); diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c index 79a9b67fc..60751029d 100644 --- a/boot/bootutil/src/swap_scratch.c +++ b/boot/bootutil/src/swap_scratch.c @@ -356,12 +356,12 @@ swap_status_source(struct boot_loader_state *state) #endif image_index = BOOT_CURR_IMG(state); - rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_PRIMARY(image_index), - &state_primary_slot); + rc = boot_read_swap_state(state->imgs[image_index][BOOT_PRIMARY_SLOT].area, + &state_primary_slot); assert(rc == 0); #if MCUBOOT_SWAP_USING_SCRATCH - rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SCRATCH, &state_scratch); + rc = boot_read_swap_state(state->scratch.area, &state_scratch); assert(rc == 0); #endif @@ -898,19 +898,15 @@ int app_max_size(struct boot_loader_state *state) #else int app_max_size(struct boot_loader_state *state) { - const struct flash_area *fap; - int fa_id; - int rc; + const struct flash_area *fap = NULL; uint32_t active_slot; int primary_sz, secondary_sz; active_slot = state->slot_usage[BOOT_CURR_IMG(state)].active_slot; - fa_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), active_slot); - rc = flash_area_open(fa_id, &fap); - assert(rc == 0); + fap = BOOT_IMG_AREA(state, active_slot); + assert(fap != NULL); primary_sz = flash_area_get_size(fap); - flash_area_close(fap); if (active_slot == BOOT_PRIMARY_SLOT) { active_slot = BOOT_SECONDARY_SLOT; @@ -918,11 +914,9 @@ int app_max_size(struct boot_loader_state *state) active_slot = BOOT_PRIMARY_SLOT; } - fa_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), active_slot); - rc = flash_area_open(fa_id, &fap); - assert(rc == 0); + fap = BOOT_IMG_AREA(state, active_slot); + assert(fap != NULL); secondary_sz = flash_area_get_size(fap); - flash_area_close(fap); return (secondary_sz < primary_sz ? secondary_sz : primary_sz); } @@ -938,7 +932,6 @@ boot_read_image_header(struct boot_loader_state *state, int slot, uint32_t swap_count; uint32_t swap_size; #endif - int area_id; int hdr_slot; int rc = 0; @@ -957,7 +950,7 @@ boot_read_image_header(struct boot_loader_state *state, int slot, * other slot depending on the progress of the swap process. */ if (bs && !boot_status_is_reset(bs)) { - rc = boot_find_status(BOOT_CURR_IMG(state), &fap); + fap = boot_find_status(state, BOOT_CURR_IMG(state)); if (rc != 0) { rc = BOOT_EFLASH; @@ -997,19 +990,16 @@ boot_read_image_header(struct boot_loader_state *state, int slot, } if (hdr_slot == BOOT_NUM_SLOTS) { - area_id = FLASH_AREA_IMAGE_SCRATCH; + fap = state->scratch.area; } else { - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), hdr_slot); + fap = BOOT_IMG_AREA(state, hdr_slot); } #else - area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), hdr_slot); + fap = BOOT_IMG_AREA(state, hdr_slot); #endif + assert(fap != NULL); - rc = flash_area_open(area_id, &fap); - if (rc == 0) { - rc = flash_area_read(fap, 0, out_hdr, sizeof *out_hdr); - flash_area_close(fap); - } + rc = flash_area_read(fap, 0, out_hdr, sizeof *out_hdr); if (rc != 0) { rc = BOOT_EFLASH; From 141eea5a1ff808ebe73f0975119f3537dbb99fec Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 075/228] Revert "[nrf noup] zephyr: Use mbedTLS specific C functions with RSA" This reverts commit 91c282e7afc83c666ad478fbe70ff3e48ac56a05. --- boot/zephyr/Kconfig | 2 -- 1 file changed, 2 deletions(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index a2614917b..99b946926 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -223,8 +223,6 @@ config BOOT_SIGNATURE_TYPE_RSA select MBEDTLS select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED if MBEDTLS_BUILTIN - select MBEDTLS_PLATFORM_NO_STD_FUNCTIONS if MBEDTLS_BUILTIN - select MBEDTLS_PLATFORM_SNPRINTF_ALT if MBEDTLS_BUILTIN select BOOT_ENCRYPTION_SUPPORT select BOOT_IMG_HASH_ALG_SHA256_ALLOW select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE From 71fdba27398b16295e6119bd8f2f626999f063bb Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 076/228] Revert "[nrf fromtree] boot: bootutil: Add TLV for size of compressed but decrypted image" This reverts commit 0535f4c35a6ac59b5146aaaadea3b9c57881640f. --- boot/bootutil/include/bootutil/image.h | 1 - 1 file changed, 1 deletion(-) diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h index 92adc605b..05e04438b 100644 --- a/boot/bootutil/include/bootutil/image.h +++ b/boot/bootutil/include/bootutil/image.h @@ -124,7 +124,6 @@ struct flash_area; * the format and size of the raw slot (compressed) * signature */ -#define IMAGE_TLV_COMP_DEC_SIZE 0x73 /* Compressed decrypted image size */ /* * vendor reserved TLVs at xxA0-xxFF, * where xx denotes the upper byte From e94fddd23f505e4e44ebfa8f953b47b46f5b67e6 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 077/228] Revert "[nrf noup] boot: bootutil: Allow configuring number of KMU keys" This reverts commit 519e62ae6b11e7cb82a1773e125ea761a7999f43. --- boot/bootutil/src/ed25519_psa.c | 7 ++----- boot/zephyr/Kconfig | 12 ------------ 2 files changed, 2 insertions(+), 17 deletions(-) diff --git a/boot/bootutil/src/ed25519_psa.c b/boot/bootutil/src/ed25519_psa.c index 3e9cf2cbd..b6153f9a4 100644 --- a/boot/bootutil/src/ed25519_psa.c +++ b/boot/bootutil/src/ed25519_psa.c @@ -12,7 +12,6 @@ #include #include -#include #if defined(CONFIG_BOOT_SIGNATURE_USING_KMU) #include #endif @@ -31,9 +30,7 @@ static psa_key_id_t kmu_key_ids[3] = { MAKE_PSA_KMU_KEY_ID(228), MAKE_PSA_KMU_KEY_ID(230) }; - -BUILD_ASSERT(CONFIG_BOOT_SIGNATURE_KMU_SLOTS <= ARRAY_SIZE(kmu_key_ids), - "Invalid number of KMU slots, up to 3 are supported on nRF54L15"); +#define KMU_KEY_COUNT (sizeof(kmu_key_ids)/sizeof(kmu_key_ids[0])) #endif #if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) @@ -106,7 +103,7 @@ int ED25519_verify(const uint8_t *message, size_t message_len, status = PSA_ERROR_BAD_STATE; - for (int i = 0; i < CONFIG_BOOT_SIGNATURE_KMU_SLOTS; ++i) { + for (int i = 0; i < KMU_KEY_COUNT; ++i) { psa_key_id_t kid = kmu_key_ids[i]; status = psa_verify_message(kid, PSA_ALG_PURE_EDDSA, message, diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 99b946926..6af784f9a 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -345,18 +345,6 @@ config BOOT_SIGNATURE_USING_KMU MCUboot will use keys provisioned to the device key management unit for signature verification instead of compiling in key data from a file. -if BOOT_SIGNATURE_USING_KMU - -config BOOT_SIGNATURE_KMU_SLOTS - int "KMU key slots" - range 1 3 - default 1 - help - Selects the number of KMU key slots (also known as generations) to use when verifying - an image. - -endif - if !BOOT_SIGNATURE_USING_KMU config BOOT_SIGNATURE_KEY_FILE From 9d96f130788b817bf1881867b4eb51b8d963a149 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 078/228] Revert "[nrf noup] boot: zephyr: Add experimental selection to compression" This reverts commit 2ffbf8aa3ee9e7b8d9788dcf140623e4bdc297a0. --- boot/zephyr/Kconfig | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 6af784f9a..a9289ccbd 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -1000,10 +1000,9 @@ config BOOT_DECOMPRESSION_SUPPORT if BOOT_DECOMPRESSION_SUPPORT menuconfig BOOT_DECOMPRESSION - bool "Decompression [EXPERIMENTAL]" + bool "Decompression" select NRF_COMPRESS_CLEANUP select PM_USE_CONFIG_SRAM_SIZE if SOC_NRF54L15_CPUAPP - select EXPERIMENTAL help If enabled, will include support for compressed images being loaded to the secondary slot which then get decompressed into the primary slot. This mode allows the secondary slot to From 88b600b06550fbb54a6a2c2a15288e7605b4ec67 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 079/228] Revert "[nrf noup] bootutil: Add support for KMU stored ED25519 signature key" This reverts commit 1d1508349c93896750da1c0a2271ac0ec22dc5b0. --- boot/bootutil/src/ed25519_psa.c | 51 ------------------------------ boot/bootutil/src/image_ed25519.c | 9 +----- boot/bootutil/src/image_validate.c | 12 ++----- boot/zephyr/CMakeLists.txt | 2 +- boot/zephyr/Kconfig | 26 --------------- 5 files changed, 4 insertions(+), 96 deletions(-) diff --git a/boot/bootutil/src/ed25519_psa.c b/boot/bootutil/src/ed25519_psa.c index b6153f9a4..12ba20ac1 100644 --- a/boot/bootutil/src/ed25519_psa.c +++ b/boot/bootutil/src/ed25519_psa.c @@ -12,9 +12,6 @@ #include #include -#if defined(CONFIG_BOOT_SIGNATURE_USING_KMU) -#include -#endif BOOT_LOG_MODULE_REGISTER(ed25519_psa); @@ -22,18 +19,6 @@ BOOT_LOG_MODULE_REGISTER(ed25519_psa); #define EDDSA_KEY_LENGTH 32 #define EDDSA_SIGNAGURE_LENGTH 64 -#if defined(CONFIG_BOOT_SIGNATURE_USING_KMU) -/* List of KMU stored key ids available for MCUboot */ -#define MAKE_PSA_KMU_KEY_ID(id) PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, id) -static psa_key_id_t kmu_key_ids[3] = { - MAKE_PSA_KMU_KEY_ID(226), - MAKE_PSA_KMU_KEY_ID(228), - MAKE_PSA_KMU_KEY_ID(230) -}; -#define KMU_KEY_COUNT (sizeof(kmu_key_ids)/sizeof(kmu_key_ids[0])) -#endif - -#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) int ED25519_verify(const uint8_t *message, size_t message_len, const uint8_t signature[EDDSA_SIGNAGURE_LENGTH], const uint8_t public_key[EDDSA_KEY_LENGTH]) @@ -84,39 +69,3 @@ int ED25519_verify(const uint8_t *message, size_t message_len, return ret; } -#else -int ED25519_verify(const uint8_t *message, size_t message_len, - const uint8_t signature[EDDSA_SIGNAGURE_LENGTH], - const uint8_t public_key[EDDSA_KEY_LENGTH]) -{ - ARG_UNUSED(public_key); - /* Set to any error */ - psa_status_t status = PSA_ERROR_BAD_STATE; - int ret = 0; /* Fail by default */ - - /* Initialize PSA Crypto */ - status = psa_crypto_init(); - if (status != PSA_SUCCESS) { - BOOT_LOG_ERR("PSA crypto init failed %d", status); - return 0; - } - - status = PSA_ERROR_BAD_STATE; - - for (int i = 0; i < KMU_KEY_COUNT; ++i) { - psa_key_id_t kid = kmu_key_ids[i]; - - status = psa_verify_message(kid, PSA_ALG_PURE_EDDSA, message, - message_len, signature, - EDDSA_SIGNAGURE_LENGTH); - if (status == PSA_SUCCESS) { - ret = 1; - break; - } - - BOOT_LOG_ERR("ED25519 signature verification failed %d", status); - } - - return ret; -} -#endif diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index d5aee65bc..ffb8cec3b 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -31,7 +31,6 @@ extern int ED25519_verify(const uint8_t *message, size_t message_len, const uint8_t signature[EDDSA_SIGNATURE_LENGTH], const uint8_t public_key[NUM_ED25519_BYTES]); -#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) #if !defined(MCUBOOT_KEY_IMPORT_BYPASS_ASN) /* * Parse the public key used for signing. @@ -74,7 +73,6 @@ bootutil_import_key(uint8_t **cp, uint8_t *end) return 0; } #endif /* !defined(MCUBOOT_KEY_IMPORT_BYPASS_ASN) */ -#endif /* Signature verification base function. * The function takes buffer of specified length and tries to verify @@ -89,17 +87,14 @@ bootutil_verify(uint8_t *buf, uint32_t blen, { int rc; FIH_DECLARE(fih_rc, FIH_FAILURE); - uint8_t *pubkey = NULL; -#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) + uint8_t *pubkey; uint8_t *end; -#endif if (slen != EDDSA_SIGNATURE_LENGTH) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } -#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) pubkey = (uint8_t *)bootutil_keys[key_id].key; end = pubkey + *bootutil_keys[key_id].len; @@ -121,8 +116,6 @@ bootutil_verify(uint8_t *buf, uint32_t blen, } pubkey = end - NUM_ED25519_BYTES; -#endif - #endif rc = ED25519_verify(buf, blen, sig, pubkey); diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index 6f1cbc568..08f354be8 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -245,7 +245,6 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, # define KEY_BUF_SIZE (SIG_BUF_SIZE + 24) #endif /* !MCUBOOT_HW_KEY */ -#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) #if !defined(MCUBOOT_HW_KEY) static int bootutil_find_key(uint8_t *keyhash, uint8_t keyhash_len) @@ -311,7 +310,6 @@ bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len) } #endif /* !MCUBOOT_HW_KEY */ #endif /* !MCUBOOT_BUILTIN_KEY */ -#endif /* !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) */ #endif /* EXPECTED_SIG_TLV */ /** @@ -629,7 +627,6 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, break; } #endif /* defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) */ -#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) #ifdef EXPECTED_KEY_TLV case EXPECTED_KEY_TLV: { @@ -660,17 +657,14 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, break; } #endif /* EXPECTED_KEY_TLV */ -#endif /* !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) */ #ifdef EXPECTED_SIG_TLV case EXPECTED_SIG_TLV: { -#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) /* Ignore this signature if it is out of bounds. */ if (key_id < 0 || key_id >= bootutil_key_cnt) { key_id = -1; continue; } -#endif /* !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) */ if (!EXPECTED_SIG_LEN(len) || len > sizeof(buf)) { rc = -1; goto out; @@ -816,7 +810,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, } #ifdef EXPECTED_SIG_TLV -#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) && defined(EXPECTED_KEY_TLV) +#ifdef EXPECTED_KEY_TLV rc = bootutil_tlv_iter_begin(&it, hdr, fap, EXPECTED_KEY_TLV, false); if (rc) { goto out; @@ -862,7 +856,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, */ } } -#endif /* !CONFIG_BOOT_SIGNATURE_USING_KMU && EXPECTED_KEY_TLV */ +#endif /* EXPECTED_KEY_TLV */ rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_DECOMP_SIGNATURE, true); if (rc) { @@ -885,12 +879,10 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, if (type == IMAGE_TLV_DECOMP_SIGNATURE) { /* Ignore this signature if it is out of bounds. */ -#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) if (key_id < 0 || key_id >= bootutil_key_cnt) { key_id = -1; continue; } -#endif if (!EXPECTED_SIG_LEN(len) || len > sizeof(buf)) { rc = -1; diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 537a7580c..a9a761a4d 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -315,7 +315,7 @@ if(CONFIG_MCUBOOT_SERIAL) endif() endif() -if(NOT CONFIG_BOOT_SIGNATURE_USING_KMU AND NOT CONFIG_BOOT_SIGNATURE_KEY_FILE STREQUAL "") +if(NOT CONFIG_BOOT_SIGNATURE_KEY_FILE STREQUAL "") # CONF_FILE points to the KConfig configuration files of the bootloader. foreach (filepath ${CONF_FILE}) file(READ ${filepath} temp_text) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index a9289ccbd..72eb8031b 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -331,22 +331,6 @@ endif endchoice -config BOOT_SIGNATURE_USING_KMU - bool "Use KMU stored keys for signature verification" - depends on NRF_SECURITY - depends on CRACEN_LIB_KMU - select PSA_WANT_ALG_GCM - select PSA_WANT_KEY_TYPE_AES - select PSA_WANT_AES_KEY_SIZE_256 - select PSA_WANT_ALG_SP800_108_COUNTER_CMAC - select PSA_WANT_ALG_CMAC - select PSA_WANT_ALG_ECB_NO_PADDING - help - MCUboot will use keys provisioned to the device key management unit for signature - verification instead of compiling in key data from a file. - -if !BOOT_SIGNATURE_USING_KMU - config BOOT_SIGNATURE_KEY_FILE string "PEM key file" default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256 @@ -364,8 +348,6 @@ config BOOT_SIGNATURE_KEY_FILE with the public key information will be written in a format expected by MCUboot. -endif - config MCUBOOT_CLEANUP_ARM_CORE bool "Perform core cleanup before chain-load the application" depends on CPU_CORTEX_M @@ -388,14 +370,6 @@ config MCUBOOT_CLEANUP_RAM help Sets contents of memory to 0 before jumping to application. -# Disable MBEDTLS from being selected if NRF_SECURITY is enabled, and use default NRF_SECURITY -# configuration file for MBEDTLS -config MBEDTLS - depends on !NRF_SECURITY - -config NRF_SECURITY - select MBEDTLS_PROMPTLESS - if MBEDTLS || NRF_SECURITY config MBEDTLS_CFG_FILE From 8587cbf3ac4b1dcecfeb780f7bd043ada9117e2a Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 080/228] Revert "[nrf noup] Remove setting default MCUboot mbedTLS config" This reverts commit d88f72af380e60371d21f7e58e32ff8b38493829. --- boot/zephyr/prj.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 9ff1ba274..e4f7d9030 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -1,6 +1,7 @@ CONFIG_PM=n CONFIG_MAIN_STACK_SIZE=10240 +CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h" CONFIG_BOOT_SWAP_SAVE_ENCTLV=n CONFIG_BOOT_ENCRYPT_IMAGE=n From 9e7619765cfe79e0daf45a77c54f8361dd13e442 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 081/228] Revert "[nrf noup] zephyr: Add support for ARM thumb filter" This reverts commit b94c842a720f84bc5e63205b2db33d9ba6941612. --- boot/bootutil/src/loader.c | 2 +- boot/zephyr/Kconfig | 3 +- boot/zephyr/decompression.c | 439 +++++++----------------------------- 3 files changed, 79 insertions(+), 365 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index f9a9de71d..a561d5cb7 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1612,7 +1612,7 @@ boot_copy_region(struct boot_loader_state *state, #else (void)state; #endif -#if defined(MCUBOOT_DECOMPRESS_IMAGES) && !defined(MCUBOOT_ENC_IMAGES) +#ifdef MCUBOOT_DECOMPRESS_IMAGES struct image_header *hdr; #endif diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 72eb8031b..d68ac4f6e 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -966,7 +966,8 @@ config BOOT_BANNER_STRING config BOOT_DECOMPRESSION_SUPPORT bool depends on NRF_COMPRESS && NRF_COMPRESS_DECOMPRESSION && (NRF_COMPRESS_LZMA_VERSION_LZMA1 || NRF_COMPRESS_LZMA_VERSION_LZMA2) - depends on !SINGLE_APPLICATION_SLOT && BOOT_UPGRADE_ONLY + depends on !SINGLE_APPLICATION_SLOT && !BOOT_ENCRYPT_IMAGE && BOOT_UPGRADE_ONLY + depends on UPDATEABLE_IMAGE_NUMBER = 1 default y help Hidden symbol which should be selected if a system provided decompression support. diff --git a/boot/zephyr/decompression.c b/boot/zephyr/decompression.c index 7a9507de6..062cdbc61 100644 --- a/boot/zephyr/decompression.c +++ b/boot/zephyr/decompression.c @@ -29,14 +29,6 @@ #define EXPECTED_SIG_TLV IMAGE_TLV_ED25519 #endif -#define DECOMP_BUF_SIZE CONFIG_BOOT_DECOMPRESSION_BUFFER_SIZE -#if defined(CONFIG_NRF_COMPRESS_ARM_THUMB) -#define DECOMP_BUF_EXTRA_SIZE 2 -#else -#define DECOMP_BUF_EXTRA_SIZE 0 -#endif -#define DECOMP_BUF_ALLOC_SIZE (DECOMP_BUF_SIZE + DECOMP_BUF_EXTRA_SIZE) - /* Number of times that consumed data by decompression system can be 0 in a row before aborting */ #define OFFSET_ZERO_CHECK_TIMES 3 @@ -58,17 +50,11 @@ bool boot_is_compressed_header_valid(const struct image_header *hdr, const struc uint32_t protected_tlvs_size; uint32_t decompressed_size; - primary_fa_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT); - - if (primary_fa_id == fap->fa_id) { - BOOT_LOG_ERR("Primary slots cannot be compressed, image: %d", BOOT_CURR_IMG(state)); - return false; - } - if (BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT) == NULL) { opened_flash_area = true; } + primary_fa_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT); rc = flash_area_open(primary_fa_id, &BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)); assert(rc == 0); @@ -101,71 +87,13 @@ bool boot_is_compressed_header_valid(const struct image_header *hdr, const struc if (size >= size_check) { BOOT_LOG_ERR("Compressed image too large, decompressed image size: 0x%x, slot size: 0x%x", size, size_check); + return false; } return true; } -static bool is_compression_object_valid(struct nrf_compress_implementation *compression) -{ - if (compression == NULL || compression->init == NULL || compression->deinit == NULL || - compression->decompress_bytes_needed == NULL || compression->decompress == NULL) { - return false; - } - - return true; -} - -#ifdef MCUBOOT_ENC_IMAGES -int bootutil_get_img_decrypted_comp_size(const struct image_header *hdr, - const struct flash_area *fap, uint32_t *img_comp_size) -{ - if (hdr == NULL || fap == NULL || img_comp_size == NULL) { - return BOOT_EBADARGS; - } else if (hdr->ih_protect_tlv_size == 0) { - return BOOT_EBADIMAGE; - } - - if (!IS_ENCRYPTED(hdr)) { - /* Update is not encrypted so use size from header */ - *img_comp_size = hdr->ih_img_size; - } else { - struct image_tlv_iter it; - uint32_t off; - uint16_t len; - int32_t rc; - - rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_COMP_DEC_SIZE, true); - - if (rc) { - return rc; - } - - rc = bootutil_tlv_iter_next(&it, &off, &len, NULL); - - if (rc != 0) { - return -1; - } - - if (len != sizeof(*img_comp_size)) { - BOOT_LOG_ERR("Invalid decompressed image size TLV: %d", len); - return BOOT_EBADIMAGE; - } - - rc = LOAD_IMAGE_DATA(hdr, fap, off, img_comp_size, len); - - if (rc) { - BOOT_LOG_ERR("Image data load failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - off, len, fap->fa_id, rc); - return BOOT_EFLASH; - } - } - - return 0; -} -#endif - int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index, struct image_header *hdr, const struct flash_area *fap, uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *hash_result, @@ -176,35 +104,13 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index uint32_t write_pos = 0; uint32_t protected_tlv_size = 0; uint32_t decompressed_image_size; - uint32_t output_size_total = 0; - struct nrf_compress_implementation *compression_lzma = NULL; - struct nrf_compress_implementation *compression_arm_thumb = NULL; + struct nrf_compress_implementation *compression = NULL; TARGET_STATIC struct image_header modified_hdr; bootutil_sha_context sha_ctx; uint8_t flash_erased_value; -#ifdef MCUBOOT_ENC_IMAGES - uint32_t comp_size = 0; - - rc = bootutil_get_img_decrypted_comp_size(hdr, fap, &comp_size); - - if (rc) { - BOOT_LOG_ERR("Invalid/missing image decrypted compressed size value"); - rc = BOOT_EBADIMAGE; - goto finish_end; - } -#endif - bootutil_sha_init(&sha_ctx); -#ifdef MCUBOOT_ENC_IMAGES - /* Encrypted images only exist in the secondary slot */ - if (MUST_DECRYPT(fap, image_index, hdr) && - !boot_enc_valid(enc_state, 1)) { - return -1; - } -#endif - /* Setup decompression system */ #if CONFIG_NRF_COMPRESS_LZMA_VERSION_LZMA1 if (!(hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA1)) { @@ -216,26 +122,27 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index */ BOOT_LOG_ERR("Invalid image compression flags: no supported compression found"); rc = BOOT_EBADIMAGE; + goto finish_without_clean; } - compression_lzma = nrf_compress_implementation_find(NRF_COMPRESS_TYPE_LZMA); - compression_arm_thumb = nrf_compress_implementation_find(NRF_COMPRESS_TYPE_ARM_THUMB); + compression = nrf_compress_implementation_find(NRF_COMPRESS_TYPE_LZMA); - if (!is_compression_object_valid(compression_lzma) || - !is_compression_object_valid(compression_arm_thumb)) { + if (compression == NULL || compression->init == NULL || compression->deinit == NULL || + compression->decompress_bytes_needed == NULL || compression->decompress == NULL) { /* Compression library missing or missing required function pointer */ BOOT_LOG_ERR("Decompression library fatal error"); rc = BOOT_EBADSTATUS; + goto finish_without_clean; } - rc = compression_lzma->init(NULL); - rc = compression_arm_thumb->init(NULL); + rc = compression->init(NULL); if (rc) { BOOT_LOG_ERR("Decompression library fatal error"); rc = BOOT_EBADSTATUS; + goto finish_without_clean; } @@ -250,6 +157,7 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index if (rc) { BOOT_LOG_ERR("Unable to determine decompressed size of compressed image"); rc = BOOT_EBADIMAGE; + goto finish; } @@ -264,6 +172,7 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index if (rc) { BOOT_LOG_ERR("Unable to determine protected TLV size of compressed image"); rc = BOOT_EBADIMAGE; + goto finish; } @@ -287,13 +196,8 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index /* Read in compressed data, decompress and add to hash calculation */ read_pos = 0; -#ifdef MCUBOOT_ENC_IMAGES - while (read_pos < comp_size) { - uint32_t copy_size = comp_size - read_pos; -#else while (read_pos < hdr->ih_img_size) { uint32_t copy_size = hdr->ih_img_size - read_pos; -#endif uint32_t tmp_off = 0; uint8_t offset_zero_check = 0; @@ -307,17 +211,10 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index BOOT_LOG_ERR("Flash read failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", (hdr->ih_hdr_size + read_pos), copy_size, fap->fa_id, rc); rc = BOOT_EFLASH; + goto finish; } -#ifdef MCUBOOT_ENC_IMAGES - if (MUST_DECRYPT(fap, image_index, hdr)) { - boot_enc_decrypt(enc_state, 1, read_pos, - copy_size, (read_pos & 0xf), - tmp_buf); - } -#endif - /* Decompress data in chunks, writing it back with a larger write offset of the primary * slot than read size of the secondary slot */ @@ -328,26 +225,23 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index uint32_t chunk_size; bool last_packet = false; - chunk_size = compression_lzma->decompress_bytes_needed(NULL); + chunk_size = compression->decompress_bytes_needed(NULL); if (chunk_size > (copy_size - tmp_off)) { chunk_size = (copy_size - tmp_off); } -#ifdef MCUBOOT_ENC_IMAGES - if ((read_pos + tmp_off + chunk_size) >= comp_size) { -#else if ((read_pos + tmp_off + chunk_size) >= hdr->ih_img_size) { -#endif last_packet = true; } - rc = compression_lzma->decompress(NULL, &tmp_buf[tmp_off], chunk_size, last_packet, - &offset, &output, &output_size); + rc = compression->decompress(NULL, &tmp_buf[tmp_off], chunk_size, last_packet, &offset, + &output, &output_size); if (rc) { BOOT_LOG_ERR("Decompression error: %d", rc); rc = BOOT_EBADSTATUS; + goto finish; } @@ -357,6 +251,7 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index BOOT_LOG_ERR("Decompressed image larger than claimed TLV size, at least: %d", write_pos); rc = BOOT_EBADIMAGE; + goto finish; } @@ -365,6 +260,7 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index /* Last packet and we still have no output, this is a faulty update */ BOOT_LOG_ERR("All compressed data consumed without any output, image not valid"); rc = BOOT_EBADIMAGE; + goto finish; } @@ -375,6 +271,7 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index if (offset_zero_check >= OFFSET_ZERO_CHECK_TIMES) { BOOT_LOG_ERR("Decompression system returning no output data, image not valid"); rc = BOOT_EBADIMAGE; + goto finish; } @@ -385,48 +282,8 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index offset_zero_check = 0; } - /* Copy data to secondary buffer for calculating hash */ if (output_size > 0) { - if (hdr->ih_flags & IMAGE_F_COMPRESSED_ARM_THUMB_FLT) { - /* Run this through the ARM thumb filter */ - uint32_t offset_arm_thumb = 0; - uint8_t *output_arm_thumb = NULL; - uint32_t processed_size = 0; - uint32_t output_size_arm_thumb = 0; - - while (processed_size < output_size) { - uint32_t current_size = output_size - processed_size; - bool arm_thumb_last_packet = false; - - if (current_size > CONFIG_NRF_COMPRESS_CHUNK_SIZE) { - current_size = CONFIG_NRF_COMPRESS_CHUNK_SIZE; - } - - if (last_packet && (processed_size + current_size) == - output_size) { - arm_thumb_last_packet = true; - } - - rc = compression_arm_thumb->decompress(NULL, &output[processed_size], - current_size, arm_thumb_last_packet, - &offset_arm_thumb, - &output_arm_thumb, - &output_size_arm_thumb); - - if (rc) { - BOOT_LOG_ERR("Decompression error: %d", rc); - rc = BOOT_EBADSTATUS; - goto finish; - } - - bootutil_sha_update(&sha_ctx, output_arm_thumb, output_size_arm_thumb); - output_size_total += output_size_arm_thumb; - processed_size += current_size; - } - } else { - bootutil_sha_update(&sha_ctx, output, output_size); - output_size_total += output_size; - } + bootutil_sha_update(&sha_ctx, output, output_size); } tmp_off += offset; @@ -435,13 +292,6 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index read_pos += copy_size; } - if (modified_hdr.ih_img_size != output_size_total) { - BOOT_LOG_ERR("Decompression expected output_size mismatch: %d vs %d", - modified_hdr.ih_img_size, output_size_total); - rc = BOOT_EBADSTATUS; - goto finish; - } - /* If there are any protected TLVs present, add them after the main decompressed image */ if (modified_hdr.ih_protect_tlv_size > 0) { rc = boot_sha_protected_tlvs(hdr, fap, modified_hdr.ih_protect_tlv_size, tmp_buf, @@ -452,15 +302,11 @@ int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index finish: /* Clean up decompression system */ - (void)compression_lzma->deinit(NULL); - (void)compression_arm_thumb->deinit(NULL); + (void)compression->deinit(NULL); finish_without_clean: bootutil_sha_drop(&sha_ctx); -#ifdef MCUBOOT_ENC_IMAGES -finish_end: -#endif return rc; } @@ -507,6 +353,7 @@ static int boot_copy_protected_tlvs(const struct image_header *hdr, BOOT_LOG_ERR("Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", (off_dst + write_pos), *buf_pos, fap_dst->fa_id, rc); rc = BOOT_EFLASH; + goto out; } @@ -532,7 +379,7 @@ static int boot_copy_protected_tlvs(const struct image_header *hdr, } if (type == IMAGE_TLV_DECOMP_SIZE || type == IMAGE_TLV_DECOMP_SHA || - type == IMAGE_TLV_DECOMP_SIGNATURE || type == IMAGE_TLV_COMP_DEC_SIZE) { + type == IMAGE_TLV_DECOMP_SIGNATURE) { /* Skip these TLVs as they are not needed */ continue; } else { @@ -575,6 +422,7 @@ static int boot_copy_protected_tlvs(const struct image_header *hdr, BOOT_LOG_ERR( "Image data load failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", (off + (len - data_size_left)), single_copy_size, fap_src->fa_id, rc); + goto out; } @@ -590,6 +438,7 @@ static int boot_copy_protected_tlvs(const struct image_header *hdr, "Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", (off_dst + write_pos), *buf_pos, fap_dst->fa_id, rc); rc = BOOT_EFLASH; + goto out; } @@ -641,7 +490,7 @@ static int boot_sha_protected_tlvs(const struct image_header *hdr, } if (type == IMAGE_TLV_DECOMP_SIZE || type == IMAGE_TLV_DECOMP_SHA || - type == IMAGE_TLV_DECOMP_SIGNATURE || type == IMAGE_TLV_COMP_DEC_SIZE) { + type == IMAGE_TLV_DECOMP_SIGNATURE) { /* Skip these TLVs as they are not needed */ continue; } @@ -664,6 +513,7 @@ static int boot_sha_protected_tlvs(const struct image_header *hdr, BOOT_LOG_ERR( "Image data load failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", (off + read_off), copy_size, fap_src->fa_id, rc); + goto out; } @@ -706,7 +556,7 @@ int boot_size_protected_tlvs(const struct image_header *hdr, const struct flash_ } if (type == IMAGE_TLV_DECOMP_SIZE || type == IMAGE_TLV_DECOMP_SHA || - type == IMAGE_TLV_DECOMP_SIGNATURE || type == IMAGE_TLV_COMP_DEC_SIZE) { + type == IMAGE_TLV_DECOMP_SIGNATURE) { /* Exclude these TLVs as they will be copied to the unprotected area */ tlv_size -= len + sizeof(struct image_tlv); } @@ -758,7 +608,7 @@ int boot_size_unprotected_tlvs(const struct image_header *hdr, const struct flas * original ones */ continue; - } else if (type == EXPECTED_HASH_TLV || type == EXPECTED_SIG_TLV || type == IMAGE_TLV_COMP_DEC_SIZE) { + } else if (type == EXPECTED_HASH_TLV || type == EXPECTED_SIG_TLV) { /* Exclude the original unprotected TLVs for signature and hash, the length of the * signature of the compressed data might not be the same size as the signaute of the * decompressed data, as is the case when using ECDSA-P256 @@ -776,6 +626,7 @@ int boot_size_unprotected_tlvs(const struct image_header *hdr, const struct flas */ BOOT_LOG_ERR("No unprotected TLVs in post-decompressed image output, image is invalid"); rc = BOOT_EBADIMAGE; + goto out; } @@ -830,6 +681,7 @@ static int boot_copy_unprotected_tlvs(const struct image_header *hdr, BOOT_LOG_ERR("Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", (off_dst + write_pos), *buf_pos, fap_dst->fa_id, rc); rc = BOOT_EFLASH; + goto out; } @@ -926,6 +778,7 @@ static int boot_copy_unprotected_tlvs(const struct image_header *hdr, BOOT_LOG_ERR( "Image data load failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", (off + (len - data_size_left)), single_copy_size, fap_src->fa_id, rc); + goto out; } @@ -941,6 +794,7 @@ static int boot_copy_unprotected_tlvs(const struct image_header *hdr, "Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", (off_dst + write_pos), *buf_pos, fap_dst->fa_id, rc); rc = BOOT_EFLASH; + goto out; } @@ -969,33 +823,13 @@ int boot_copy_region_decompress(struct boot_loader_state *state, const struct fl uint32_t unprotected_tlv_size = 0; uint32_t tlv_write_size = 0; uint32_t decompressed_image_size; - struct nrf_compress_implementation *compression_lzma = NULL; - struct nrf_compress_implementation *compression_arm_thumb = NULL; + struct nrf_compress_implementation *compression = NULL; struct image_header *hdr; - TARGET_STATIC uint8_t decomp_buf[DECOMP_BUF_ALLOC_SIZE] __attribute__((aligned(4))); + TARGET_STATIC uint8_t decomp_buf[CONFIG_BOOT_DECOMPRESSION_BUFFER_SIZE] __attribute__((aligned(4))); TARGET_STATIC struct image_header modified_hdr; -#if defined(CONFIG_NRF_COMPRESS_ARM_THUMB) - uint8_t excess_data_buffer[DECOMP_BUF_EXTRA_SIZE]; - bool excess_data_buffer_full = false; -#endif - -#ifdef MCUBOOT_ENC_IMAGES - uint32_t comp_size = 0; -#endif - hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); -#ifdef MCUBOOT_ENC_IMAGES - rc = bootutil_get_img_decrypted_comp_size(hdr, fap_src, &comp_size); - - if (rc) { - BOOT_LOG_ERR("Invalid/missing image decrypted compressed size value"); - rc = BOOT_EBADIMAGE; - goto finish; - } -#endif - /* Setup decompression system */ #if CONFIG_NRF_COMPRESS_LZMA_VERSION_LZMA1 if (!(hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA1)) { @@ -1007,26 +841,27 @@ int boot_copy_region_decompress(struct boot_loader_state *state, const struct fl */ BOOT_LOG_ERR("Invalid image compression flags: no supported compression found"); rc = BOOT_EBADIMAGE; + goto finish; } - compression_lzma = nrf_compress_implementation_find(NRF_COMPRESS_TYPE_LZMA); - compression_arm_thumb = nrf_compress_implementation_find(NRF_COMPRESS_TYPE_ARM_THUMB); + compression = nrf_compress_implementation_find(NRF_COMPRESS_TYPE_LZMA); - if (!is_compression_object_valid(compression_lzma) || - !is_compression_object_valid(compression_arm_thumb)) { + if (compression == NULL || compression->init == NULL || compression->deinit == NULL || + compression->decompress_bytes_needed == NULL || compression->decompress == NULL) { /* Compression library missing or missing required function pointer */ BOOT_LOG_ERR("Decompression library fatal error"); rc = BOOT_EBADSTATUS; + goto finish; } - rc = compression_lzma->init(NULL); - rc = compression_arm_thumb->init(NULL); + rc = compression->init(NULL); if (rc) { BOOT_LOG_ERR("Decompression library fatal error"); rc = BOOT_EBADSTATUS; + goto finish; } @@ -1039,6 +874,7 @@ int boot_copy_region_decompress(struct boot_loader_state *state, const struct fl if (rc) { BOOT_LOG_ERR("Unable to determine decompressed size of compressed image"); rc = BOOT_EBADIMAGE; + goto finish; } @@ -1051,6 +887,7 @@ int boot_copy_region_decompress(struct boot_loader_state *state, const struct fl if (rc) { BOOT_LOG_ERR("Unable to determine protected TLV size of compressed image"); rc = BOOT_EBADIMAGE; + goto finish; } @@ -1061,6 +898,7 @@ int boot_copy_region_decompress(struct boot_loader_state *state, const struct fl if (rc) { BOOT_LOG_ERR("Unable to determine unprotected TLV size of compressed image"); rc = BOOT_EBADIMAGE; + goto finish; } @@ -1071,17 +909,13 @@ int boot_copy_region_decompress(struct boot_loader_state *state, const struct fl BOOT_LOG_ERR("Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", off_dst, sizeof(modified_hdr), fap_dst->fa_id, rc); rc = BOOT_EFLASH; + goto finish; } /* Read in, decompress and write out data */ -#ifdef MCUBOOT_ENC_IMAGES - while (pos < comp_size) { - uint32_t copy_size = comp_size - pos; -#else while (pos < hdr->ih_img_size) { uint32_t copy_size = hdr->ih_img_size - pos; -#endif uint32_t tmp_off = 0; if (copy_size > buf_size) { @@ -1094,14 +928,9 @@ int boot_copy_region_decompress(struct boot_loader_state *state, const struct fl BOOT_LOG_ERR("Flash read failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", (off_src + hdr->ih_hdr_size + pos), copy_size, fap_src->fa_id, rc); rc = BOOT_EFLASH; - goto finish; - } -#ifdef MCUBOOT_ENC_IMAGES - if (IS_ENCRYPTED(hdr)) { - boot_enc_decrypt(BOOT_CURR_ENC(state), 1, pos, copy_size, (pos & 0xf), buf); + goto finish; } -#endif /* Decompress data in chunks, writing it back with a larger write offset of the primary * slot than read size of the secondary slot @@ -1114,156 +943,57 @@ int boot_copy_region_decompress(struct boot_loader_state *state, const struct fl uint8_t *output = NULL; bool last_packet = false; - chunk_size = compression_lzma->decompress_bytes_needed(NULL); + chunk_size = compression->decompress_bytes_needed(NULL); if (chunk_size > (copy_size - tmp_off)) { chunk_size = (copy_size - tmp_off); } -#ifdef MCUBOOT_ENC_IMAGES - if ((pos + tmp_off + chunk_size) >= comp_size) { -#else if ((pos + tmp_off + chunk_size) >= hdr->ih_img_size) { -#endif last_packet = true; } - rc = compression_lzma->decompress(NULL, &buf[tmp_off], chunk_size, last_packet, - &offset, &output, &output_size); + rc = compression->decompress(NULL, &buf[tmp_off], chunk_size, last_packet, &offset, + &output, &output_size); if (rc) { BOOT_LOG_ERR("Decompression error: %d", rc); rc = BOOT_EBADSTATUS; + goto finish; } /* Copy data to secondary buffer for writing out */ while (output_size > 0) { - uint32_t data_size = (DECOMP_BUF_SIZE - decomp_buf_size); + uint32_t data_size = (sizeof(decomp_buf) - decomp_buf_size); if (data_size > output_size) { data_size = output_size; } -#if defined(CONFIG_NRF_COMPRESS_ARM_THUMB) - if (hdr->ih_flags & IMAGE_F_COMPRESSED_ARM_THUMB_FLT) { - memcpy(&decomp_buf[decomp_buf_size + DECOMP_BUF_EXTRA_SIZE], - &output[compression_buffer_pos], data_size); - } else -#endif - { - memcpy(&decomp_buf[decomp_buf_size], &output[compression_buffer_pos], - data_size); - } - + memcpy(&decomp_buf[decomp_buf_size], &output[compression_buffer_pos], data_size); compression_buffer_pos += data_size; decomp_buf_size += data_size; output_size -= data_size; /* Write data out from secondary buffer when it is full */ - if (decomp_buf_size == DECOMP_BUF_SIZE) { -#if defined(CONFIG_NRF_COMPRESS_ARM_THUMB) - if (hdr->ih_flags & IMAGE_F_COMPRESSED_ARM_THUMB_FLT) { - uint32_t filter_writeback_pos = 0; - uint32_t processed_size = 0; - - /* Run this through the ARM thumb filter */ - while (processed_size < DECOMP_BUF_SIZE) { - uint32_t offset_arm_thumb = 0; - uint32_t output_size_arm_thumb = 0; - uint8_t *output_arm_thumb = NULL; - uint32_t current_size = DECOMP_BUF_SIZE; - bool arm_thumb_last_packet = false; - - if (current_size > CONFIG_NRF_COMPRESS_CHUNK_SIZE) { - current_size = CONFIG_NRF_COMPRESS_CHUNK_SIZE; - } - - if (last_packet && (processed_size + current_size) == DECOMP_BUF_SIZE - && output_size == 0) { - arm_thumb_last_packet = true; - } - - rc = compression_arm_thumb->decompress(NULL, - &decomp_buf[processed_size + - DECOMP_BUF_EXTRA_SIZE], - current_size, - arm_thumb_last_packet, - &offset_arm_thumb, - &output_arm_thumb, - &output_size_arm_thumb); - - if (rc) { - BOOT_LOG_ERR("Decompression error: %d", rc); - rc = BOOT_EBADSTATUS; - goto finish; - } - - memcpy(&decomp_buf[filter_writeback_pos], output_arm_thumb, - output_size_arm_thumb); - filter_writeback_pos += output_size_arm_thumb; - processed_size += current_size; - } - - if (excess_data_buffer_full == true) - { - /* Restore extra data removed from previous iteration to the write - * buffer - */ - memmove(&decomp_buf[DECOMP_BUF_EXTRA_SIZE], decomp_buf, - filter_writeback_pos); - memcpy(decomp_buf, excess_data_buffer, DECOMP_BUF_EXTRA_SIZE); - excess_data_buffer_full = false; - filter_writeback_pos += DECOMP_BUF_EXTRA_SIZE; - } - - if ((filter_writeback_pos % sizeof(uint32_t)) != 0) - { - /* Since there are an extra 2 bytes here, remove them and stash for - * later usage to prevent flash write issues with non-word boundary - * writes - */ - memcpy(excess_data_buffer, &decomp_buf[filter_writeback_pos - - DECOMP_BUF_EXTRA_SIZE], - DECOMP_BUF_EXTRA_SIZE); - excess_data_buffer_full = true; - filter_writeback_pos -= DECOMP_BUF_EXTRA_SIZE; - } - - rc = flash_area_write(fap_dst, (off_dst + hdr->ih_hdr_size + write_pos), - decomp_buf, filter_writeback_pos); - - if (rc != 0) { - BOOT_LOG_ERR( - "Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - (off_dst + hdr->ih_hdr_size + write_pos), DECOMP_BUF_SIZE, - fap_dst->fa_id, rc); - rc = BOOT_EFLASH; - goto finish; - } - - write_pos += filter_writeback_pos; - decomp_buf_size = 0; - filter_writeback_pos = 0; - } else -#endif - { - rc = flash_area_write(fap_dst, (off_dst + hdr->ih_hdr_size + write_pos), - decomp_buf, DECOMP_BUF_SIZE); - - if (rc != 0) { - BOOT_LOG_ERR( - "Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - (off_dst + hdr->ih_hdr_size + write_pos), DECOMP_BUF_SIZE, - fap_dst->fa_id, rc); - rc = BOOT_EFLASH; - goto finish; - } - - write_pos += DECOMP_BUF_SIZE; - decomp_buf_size = 0; + if (decomp_buf_size == sizeof(decomp_buf)) { + rc = flash_area_write(fap_dst, (off_dst + hdr->ih_hdr_size + write_pos), + decomp_buf, sizeof(decomp_buf)); + + if (rc != 0) { + BOOT_LOG_ERR( + "Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + (off_dst + hdr->ih_hdr_size + write_pos), sizeof(decomp_buf), + fap_dst->fa_id, rc); + rc = BOOT_EFLASH; + + goto finish; } + + write_pos += sizeof(decomp_buf); + decomp_buf_size = 0; } } @@ -1273,30 +1003,8 @@ int boot_copy_region_decompress(struct boot_loader_state *state, const struct fl pos += copy_size; } -#if defined(CONFIG_NRF_COMPRESS_ARM_THUMB) - if (hdr->ih_flags & IMAGE_F_COMPRESSED_ARM_THUMB_FLT && decomp_buf_size > 0) { - /* Extra data that has not been written out that needs ARM thumb filter applied */ - uint32_t offset_arm_thumb = 0; - uint32_t output_size_arm_thumb = 0; - uint8_t *output_arm_thumb = NULL; - - rc = compression_arm_thumb->decompress(NULL, &decomp_buf[DECOMP_BUF_EXTRA_SIZE], - decomp_buf_size, true, &offset_arm_thumb, - &output_arm_thumb, &output_size_arm_thumb); - - if (rc) { - BOOT_LOG_ERR("Decompression error: %d", rc); - rc = BOOT_EBADSTATUS; - goto finish; - } - - memcpy(decomp_buf, output_arm_thumb, output_size_arm_thumb); - } -#endif - /* Clean up decompression system */ - (void)compression_lzma->deinit(NULL); - (void)compression_arm_thumb->deinit(NULL); + (void)compression->deinit(NULL); if (protected_tlv_size > 0) { rc = boot_copy_protected_tlvs(hdr, fap_src, fap_dst, (off_dst + hdr->ih_hdr_size + @@ -1306,6 +1014,7 @@ int boot_copy_region_decompress(struct boot_loader_state *state, const struct fl if (rc) { BOOT_LOG_ERR("Protected TLV copy failure: %d", rc); + goto finish; } @@ -1320,6 +1029,7 @@ int boot_copy_region_decompress(struct boot_loader_state *state, const struct fl if (rc) { BOOT_LOG_ERR("Protected TLV copy failure: %d", rc); + goto finish; } @@ -1330,7 +1040,7 @@ int boot_copy_region_decompress(struct boot_loader_state *state, const struct fl uint32_t write_padding_size = write_alignment - (decomp_buf_size % write_alignment); /* Check if additional write padding should be applied to meet the minimum write size */ - if (write_alignment > 1 && write_padding_size) { + if (write_padding_size) { uint8_t flash_erased_value; flash_erased_value = flash_area_erased_val(fap_dst); @@ -1346,6 +1056,7 @@ int boot_copy_region_decompress(struct boot_loader_state *state, const struct fl (off_dst + hdr->ih_hdr_size + write_pos), decomp_buf_size, fap_dst->fa_id, rc); rc = BOOT_EFLASH; + goto finish; } @@ -1387,6 +1098,7 @@ int bootutil_get_img_decomp_size(const struct image_header *hdr, const struct fl if (len != sizeof(*img_decomp_size)) { BOOT_LOG_ERR("Invalid decompressed image size TLV: %d", len); + return BOOT_EBADIMAGE; } @@ -1395,6 +1107,7 @@ int bootutil_get_img_decomp_size(const struct image_header *hdr, const struct fl if (rc) { BOOT_LOG_ERR("Image data load failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", off, len, fap->fa_id, rc); + return BOOT_EFLASH; } From 38dfc5d0ada957051717ffa23d65122484ea15fe Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 082/228] Revert "[nrf noup] zephyr: Add support for compressed image updates" This reverts commit 4399de2a69ff425a0a06c5955b042055e4c2fe49. --- boot/bootutil/src/bootutil_misc.c | 80 +- boot/bootutil/src/image_validate.c | 226 ---- boot/bootutil/src/loader.c | 27 +- boot/zephyr/CMakeLists.txt | 6 - boot/zephyr/Kconfig | 10 +- boot/zephyr/decompression.c | 1115 ----------------- .../include/compression/decompression.h | 104 -- 7 files changed, 23 insertions(+), 1545 deletions(-) delete mode 100644 boot/zephyr/decompression.c delete mode 100644 boot/zephyr/include/compression/decompression.h diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c index ac50eaa52..56859d515 100644 --- a/boot/bootutil/src/bootutil_misc.c +++ b/boot/bootutil/src/bootutil_misc.c @@ -42,11 +42,6 @@ #include "bootutil/enc_key.h" #endif -#if defined(MCUBOOT_DECOMPRESS_IMAGES) -#include -#include -#endif - BOOT_LOG_MODULE_DECLARE(mcuboot); /* Currently only used by imgmgr */ @@ -389,76 +384,35 @@ boot_read_image_size(struct boot_loader_state *state, int slot, uint32_t *size) goto done; } -#ifdef MCUBOOT_DECOMPRESS_IMAGES - if (MUST_DECOMPRESS(fap, BOOT_CURR_IMG(state), boot_img_hdr(state, slot))) { - uint32_t tmp_size = 0; - - rc = bootutil_get_img_decomp_size(boot_img_hdr(state, slot), fap, &tmp_size); - - if (rc) { - rc = BOOT_EBADIMAGE; - goto done; - } - - off = boot_img_hdr(state, slot)->ih_hdr_size + tmp_size; + off = BOOT_TLV_OFF(boot_img_hdr(state, slot)); - rc = boot_size_protected_tlvs(boot_img_hdr(state, slot), fap, &tmp_size); - - if (rc) { - rc = BOOT_EBADIMAGE; - goto done; - } - - off += tmp_size; - - if (flash_area_read(fap, (BOOT_TLV_OFF(boot_img_hdr(state, slot)) + - boot_img_hdr(state, slot)->ih_protect_tlv_size), &info, - sizeof(info))) { - rc = BOOT_EFLASH; - goto done; - } + if (flash_area_read(fap, off, &info, sizeof(info))) { + rc = BOOT_EFLASH; + goto done; + } - if (info.it_magic != IMAGE_TLV_INFO_MAGIC) { + protect_tlv_size = boot_img_hdr(state, slot)->ih_protect_tlv_size; + if (info.it_magic == IMAGE_TLV_PROT_INFO_MAGIC) { + if (protect_tlv_size != info.it_tlv_tot) { rc = BOOT_EBADIMAGE; goto done; } - *size = off + info.it_tlv_tot; - } else { -#else - if (1) { -#endif - off = BOOT_TLV_OFF(boot_img_hdr(state, slot)); - - if (flash_area_read(fap, off, &info, sizeof(info))) { + if (flash_area_read(fap, off + info.it_tlv_tot, &info, sizeof(info))) { rc = BOOT_EFLASH; goto done; } + } else if (protect_tlv_size != 0) { + rc = BOOT_EBADIMAGE; + goto done; + } - protect_tlv_size = boot_img_hdr(state, slot)->ih_protect_tlv_size; - if (info.it_magic == IMAGE_TLV_PROT_INFO_MAGIC) { - if (protect_tlv_size != info.it_tlv_tot) { - rc = BOOT_EBADIMAGE; - goto done; - } - - if (flash_area_read(fap, off + info.it_tlv_tot, &info, sizeof(info))) { - rc = BOOT_EFLASH; - goto done; - } - } else if (protect_tlv_size != 0) { - rc = BOOT_EBADIMAGE; - goto done; - } - - if (info.it_magic != IMAGE_TLV_INFO_MAGIC) { - rc = BOOT_EBADIMAGE; - goto done; - } - - *size = off + protect_tlv_size + info.it_tlv_tot; + if (info.it_magic != IMAGE_TLV_INFO_MAGIC) { + rc = BOOT_EBADIMAGE; + goto done; } + *size = off + protect_tlv_size + info.it_tlv_tot; rc = 0; done: diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index 08f354be8..e038f22fe 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -40,15 +40,6 @@ #include "mcuboot_config/mcuboot_config.h" -#if defined(MCUBOOT_DECOMPRESS_IMAGES) -#include -#include -#endif - -#include "bootutil/bootutil_log.h" - -BOOT_LOG_MODULE_DECLARE(mcuboot); - #ifdef MCUBOOT_ENC_IMAGES #include "bootutil/enc_key.h" #endif @@ -479,68 +470,6 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, FIH_DECLARE(security_counter_valid, FIH_FAILURE); #endif -#ifdef MCUBOOT_DECOMPRESS_IMAGES - /* If the image is compressed, the integrity of the image must also be validated */ - if (MUST_DECOMPRESS(fap, image_index, hdr)) { - bool found_decompressed_size = false; - bool found_decompressed_sha = false; - bool found_decompressed_signature = false; - - rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, true); - if (rc) { - goto out; - } - - if (it.tlv_end > bootutil_max_image_size(fap)) { - rc = -1; - goto out; - } - - while (true) { - uint16_t expected_size = 0; - bool *found_flag = NULL; - - rc = bootutil_tlv_iter_next(&it, &off, &len, &type); - if (rc < 0) { - goto out; - } else if (rc > 0) { - break; - } - - switch (type) { - case IMAGE_TLV_DECOMP_SIZE: - expected_size = sizeof(size_t); - found_flag = &found_decompressed_size; - break; - case IMAGE_TLV_DECOMP_SHA: - expected_size = IMAGE_HASH_SIZE; - found_flag = &found_decompressed_sha; - break; - case IMAGE_TLV_DECOMP_SIGNATURE: - found_flag = &found_decompressed_signature; - break; - default: - continue; - }; - - if (type == IMAGE_TLV_DECOMP_SIGNATURE && !EXPECTED_SIG_LEN(len)) { - rc = -1; - goto out; - } else if (type != IMAGE_TLV_DECOMP_SIGNATURE && len != expected_size) { - rc = -1; - goto out; - } - - *found_flag = true; - } - - rc = (!found_decompressed_size || !found_decompressed_sha || !found_decompressed_signature); - if (rc) { - goto out; - } - } -#endif - #if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) rc = bootutil_img_hash(enc_state, image_index, hdr, fap, tmp_buf, tmp_buf_sz, hash, seed, seed_len); @@ -751,161 +680,6 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, } #endif -#ifdef MCUBOOT_DECOMPRESS_IMAGES - /* Only after all previous verifications have passed, perform a dry-run of the decompression - * and ensure the image is valid - */ - if (!rc && MUST_DECOMPRESS(fap, image_index, hdr)) { - image_hash_valid = 0; - FIH_SET(valid_signature, FIH_FAILURE); - - rc = bootutil_img_hash_decompress(enc_state, image_index, hdr, fap, tmp_buf, tmp_buf_sz, - hash, seed, seed_len); - if (rc) { - goto out; - } - - rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_DECOMP_SHA, true); - if (rc) { - goto out; - } - - if (it.tlv_end > bootutil_max_image_size(fap)) { - rc = -1; - goto out; - } - - while (true) { - rc = bootutil_tlv_iter_next(&it, &off, &len, &type); - if (rc < 0) { - goto out; - } else if (rc > 0) { - break; - } - - if (type == IMAGE_TLV_DECOMP_SHA) { - /* Verify the image hash. This must always be present. */ - if (len != sizeof(hash)) { - rc = -1; - goto out; - } - rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, sizeof(hash)); - if (rc) { - goto out; - } - - FIH_CALL(boot_fih_memequal, fih_rc, hash, buf, sizeof(hash)); - if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { - FIH_SET(fih_rc, FIH_FAILURE); - goto out; - } - - image_hash_valid = 1; - } - } - - rc = !image_hash_valid; - if (rc) { - goto out; - } - -#ifdef EXPECTED_SIG_TLV -#ifdef EXPECTED_KEY_TLV - rc = bootutil_tlv_iter_begin(&it, hdr, fap, EXPECTED_KEY_TLV, false); - if (rc) { - goto out; - } - - if (it.tlv_end > bootutil_max_image_size(fap)) { - rc = -1; - goto out; - } - - while (true) { - rc = bootutil_tlv_iter_next(&it, &off, &len, &type); - if (rc < 0) { - goto out; - } else if (rc > 0) { - break; - } - - if (type == EXPECTED_KEY_TLV) { - /* - * Determine which key we should be checking. - */ - if (len > KEY_BUF_SIZE) { - rc = -1; - goto out; - } -#ifndef MCUBOOT_HW_KEY - rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, len); - if (rc) { - goto out; - } - key_id = bootutil_find_key(buf, len); -#else - rc = LOAD_IMAGE_DATA(hdr, fap, off, key_buf, len); - if (rc) { - goto out; - } - key_id = bootutil_find_key(image_index, key_buf, len); -#endif /* !MCUBOOT_HW_KEY */ - /* - * The key may not be found, which is acceptable. There - * can be multiple signatures, each preceded by a key. - */ - } - } -#endif /* EXPECTED_KEY_TLV */ - - rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_DECOMP_SIGNATURE, true); - if (rc) { - goto out; - } - - if (it.tlv_end > bootutil_max_image_size(fap)) { - rc = -1; - goto out; - } - - while (true) { - rc = bootutil_tlv_iter_next(&it, &off, &len, &type); - if (rc < 0) { - goto out; - } else if (rc > 0) { - rc = 0; - break; - } - - if (type == IMAGE_TLV_DECOMP_SIGNATURE) { - /* Ignore this signature if it is out of bounds. */ - if (key_id < 0 || key_id >= bootutil_key_cnt) { - key_id = -1; - continue; - } - - if (!EXPECTED_SIG_LEN(len) || len > sizeof(buf)) { - rc = -1; - goto out; - } - rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, len); - if (rc) { - goto out; - } - - FIH_CALL(bootutil_verify_sig, valid_signature, hash, sizeof(hash), - buf, len, key_id); - key_id = -1; - } - } -#endif /* EXPECTED_SIG_TLV */ - } -#endif - -#ifdef EXPECTED_SIG_TLV - FIH_SET(fih_rc, valid_signature); -#endif - out: if (rc) { FIH_SET(fih_rc, FIH_FAILURE); diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index a561d5cb7..4c61c4217 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -49,11 +49,6 @@ #include "bootutil/boot_hooks.h" #include "bootutil/mcuboot_status.h" -#if defined(MCUBOOT_DECOMPRESS_IMAGES) -#include -#include -#endif - #ifdef __ZEPHYR__ #include #endif @@ -918,10 +913,10 @@ boot_is_header_valid(const struct image_header *hdr, const struct flash_area *fa return false; } #else - if (MUST_DECOMPRESS(fap, BOOT_CURR_IMG(state), hdr)) { - if (!boot_is_compressed_header_valid(hdr, fap, state)) { - return false; - } + if ((hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA1) && + (hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA2)) + { + return false; } #endif @@ -1135,7 +1130,6 @@ boot_validate_slot(struct boot_loader_state *state, int slot, * attempts to validate and boot it. */ } - #if !defined(__BOOTSIM__) BOOT_LOG_ERR("Image in the %s slot is not valid!", (slot == BOOT_PRIMARY_SLOT) ? "primary" : "secondary"); @@ -1612,9 +1606,6 @@ boot_copy_region(struct boot_loader_state *state, #else (void)state; #endif -#ifdef MCUBOOT_DECOMPRESS_IMAGES - struct image_header *hdr; -#endif TARGET_STATIC uint8_t buf[BUF_SZ] __attribute__((aligned(4))); @@ -1640,16 +1631,6 @@ boot_copy_region(struct boot_loader_state *state, } #endif -#ifdef MCUBOOT_DECOMPRESS_IMAGES - hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); - - if (MUST_DECOMPRESS(fap_src, BOOT_CURR_IMG(state), hdr)) { - /* Use alternative function for compressed images */ - return boot_copy_region_decompress(state, fap_src, fap_dst, off_src, off_dst, sz, buf, - BUF_SZ); - } -#endif - bytes_copied = 0; while (bytes_copied < sz) { if (sz - bytes_copied > sizeof buf) { diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index a9a761a4d..7c60125bf 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -288,12 +288,6 @@ if(CONFIG_BOOT_ENCRYPT_EC256) ) endif() -if(CONFIG_BOOT_DECOMPRESSION) - zephyr_library_sources( - decompression.c - ) -endif() - if(CONFIG_MCUBOOT_SERIAL) zephyr_sources(${BOOT_DIR}/zephyr/serial_adapter.c) zephyr_sources(${BOOT_DIR}/boot_serial/src/boot_serial.c) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index d68ac4f6e..a3bb0aab0 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -965,10 +965,6 @@ config BOOT_BANNER_STRING config BOOT_DECOMPRESSION_SUPPORT bool - depends on NRF_COMPRESS && NRF_COMPRESS_DECOMPRESSION && (NRF_COMPRESS_LZMA_VERSION_LZMA1 || NRF_COMPRESS_LZMA_VERSION_LZMA2) - depends on !SINGLE_APPLICATION_SLOT && !BOOT_ENCRYPT_IMAGE && BOOT_UPGRADE_ONLY - depends on UPDATEABLE_IMAGE_NUMBER = 1 - default y help Hidden symbol which should be selected if a system provided decompression support. @@ -976,8 +972,6 @@ if BOOT_DECOMPRESSION_SUPPORT menuconfig BOOT_DECOMPRESSION bool "Decompression" - select NRF_COMPRESS_CLEANUP - select PM_USE_CONFIG_SRAM_SIZE if SOC_NRF54L15_CPUAPP help If enabled, will include support for compressed images being loaded to the secondary slot which then get decompressed into the primary slot. This mode allows the secondary slot to @@ -986,9 +980,9 @@ menuconfig BOOT_DECOMPRESSION if BOOT_DECOMPRESSION config BOOT_DECOMPRESSION_BUFFER_SIZE - int + int "Write buffer size" range 16 16384 - default NRF_COMPRESS_CHUNK_SIZE + default 4096 help The size of a secondary buffer used for writing decompressed data to the storage device. diff --git a/boot/zephyr/decompression.c b/boot/zephyr/decompression.c deleted file mode 100644 index 062cdbc61..000000000 --- a/boot/zephyr/decompression.c +++ /dev/null @@ -1,1115 +0,0 @@ -/* - * Copyright (c) 2024 Nordic Semiconductor ASA - * - * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause - */ - -#include -#include "compression/decompression.h" -#include "bootutil/crypto/sha.h" -#include "bootutil/bootutil_log.h" - -#if !defined(__BOOTSIM__) -#define TARGET_STATIC static -#else -#define TARGET_STATIC -#endif - -#if defined(MCUBOOT_SIGN_RSA) -#if MCUBOOT_SIGN_RSA_LEN == 2048 -#define EXPECTED_SIG_TLV IMAGE_TLV_RSA2048_PSS -#elif MCUBOOT_SIGN_RSA_LEN == 3072 -#define EXPECTED_SIG_TLV IMAGE_TLV_RSA3072_PSS -#endif -#elif defined(MCUBOOT_SIGN_EC256) || \ - defined(MCUBOOT_SIGN_EC384) || \ - defined(MCUBOOT_SIGN_EC) -#define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA_SIG -#elif defined(MCUBOOT_SIGN_ED25519) -#define EXPECTED_SIG_TLV IMAGE_TLV_ED25519 -#endif - -/* Number of times that consumed data by decompression system can be 0 in a row before aborting */ -#define OFFSET_ZERO_CHECK_TIMES 3 - -BOOT_LOG_MODULE_DECLARE(mcuboot); - -static int boot_sha_protected_tlvs(const struct image_header *hdr, - const struct flash_area *fap_src, uint32_t protected_size, - uint8_t *buf, size_t buf_size, bootutil_sha_context *sha_ctx); - -bool boot_is_compressed_header_valid(const struct image_header *hdr, const struct flash_area *fap, - struct boot_loader_state *state) -{ - /* Image is compressed in secondary slot, need to check if fits into the primary slot */ - bool opened_flash_area = false; - int primary_fa_id; - int rc; - int size_check; - int size; - uint32_t protected_tlvs_size; - uint32_t decompressed_size; - - if (BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT) == NULL) { - opened_flash_area = true; - } - - primary_fa_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT); - rc = flash_area_open(primary_fa_id, &BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)); - assert(rc == 0); - - size_check = flash_area_get_size(BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)); - - if (opened_flash_area) { - (void)flash_area_close(BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)); - } - - rc = bootutil_get_img_decomp_size(hdr, fap, &decompressed_size); - - if (rc) { - return false; - } - - if (!boot_u32_safe_add(&size, decompressed_size, hdr->ih_hdr_size)) { - return false; - } - - rc = boot_size_protected_tlvs(hdr, fap, &protected_tlvs_size); - - if (rc) { - return false; - } - - if (!boot_u32_safe_add(&size, size, protected_tlvs_size)) { - return false; - } - - if (size >= size_check) { - BOOT_LOG_ERR("Compressed image too large, decompressed image size: 0x%x, slot size: 0x%x", - size, size_check); - - return false; - } - - return true; -} - -int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index, - struct image_header *hdr, const struct flash_area *fap, - uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *hash_result, - uint8_t *seed, int seed_len) -{ - int rc; - uint32_t read_pos = 0; - uint32_t write_pos = 0; - uint32_t protected_tlv_size = 0; - uint32_t decompressed_image_size; - struct nrf_compress_implementation *compression = NULL; - TARGET_STATIC struct image_header modified_hdr; - bootutil_sha_context sha_ctx; - uint8_t flash_erased_value; - - bootutil_sha_init(&sha_ctx); - - /* Setup decompression system */ -#if CONFIG_NRF_COMPRESS_LZMA_VERSION_LZMA1 - if (!(hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA1)) { -#elif CONFIG_NRF_COMPRESS_LZMA_VERSION_LZMA2 - if (!(hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA2)) { -#endif - /* Compressed image does not use the correct compression type which is supported by this - * build - */ - BOOT_LOG_ERR("Invalid image compression flags: no supported compression found"); - rc = BOOT_EBADIMAGE; - - goto finish_without_clean; - } - - compression = nrf_compress_implementation_find(NRF_COMPRESS_TYPE_LZMA); - - if (compression == NULL || compression->init == NULL || compression->deinit == NULL || - compression->decompress_bytes_needed == NULL || compression->decompress == NULL) { - /* Compression library missing or missing required function pointer */ - BOOT_LOG_ERR("Decompression library fatal error"); - rc = BOOT_EBADSTATUS; - - goto finish_without_clean; - } - - rc = compression->init(NULL); - - if (rc) { - BOOT_LOG_ERR("Decompression library fatal error"); - rc = BOOT_EBADSTATUS; - - goto finish_without_clean; - } - - /* We need a modified header which has the updated sizes, start with the original header */ - memcpy(&modified_hdr, hdr, sizeof(modified_hdr)); - - /* Extract the decompressed image size from the protected TLV, set it and remove the - * compressed image flags - */ - rc = bootutil_get_img_decomp_size(hdr, fap, &decompressed_image_size); - - if (rc) { - BOOT_LOG_ERR("Unable to determine decompressed size of compressed image"); - rc = BOOT_EBADIMAGE; - - goto finish; - } - - modified_hdr.ih_flags &= ~COMPRESSIONFLAGS; - modified_hdr.ih_img_size = decompressed_image_size; - - /* Calculate the protected TLV size, these will not include the decompressed - * sha/size/signature entries - */ - rc = boot_size_protected_tlvs(hdr, fap, &protected_tlv_size); - - if (rc) { - BOOT_LOG_ERR("Unable to determine protected TLV size of compressed image"); - rc = BOOT_EBADIMAGE; - - goto finish; - } - - modified_hdr.ih_protect_tlv_size = protected_tlv_size; - bootutil_sha_update(&sha_ctx, &modified_hdr, sizeof(modified_hdr)); - read_pos = sizeof(modified_hdr); - flash_erased_value = flash_area_erased_val(fap); - memset(tmp_buf, flash_erased_value, tmp_buf_sz); - - while (read_pos < modified_hdr.ih_hdr_size) { - uint32_t copy_size = tmp_buf_sz; - - if ((read_pos + copy_size) > modified_hdr.ih_hdr_size) { - copy_size = modified_hdr.ih_hdr_size - read_pos; - } - - bootutil_sha_update(&sha_ctx, tmp_buf, copy_size); - read_pos += copy_size; - } - - /* Read in compressed data, decompress and add to hash calculation */ - read_pos = 0; - - while (read_pos < hdr->ih_img_size) { - uint32_t copy_size = hdr->ih_img_size - read_pos; - uint32_t tmp_off = 0; - uint8_t offset_zero_check = 0; - - if (copy_size > tmp_buf_sz) { - copy_size = tmp_buf_sz; - } - - rc = flash_area_read(fap, (hdr->ih_hdr_size + read_pos), tmp_buf, copy_size); - - if (rc != 0) { - BOOT_LOG_ERR("Flash read failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - (hdr->ih_hdr_size + read_pos), copy_size, fap->fa_id, rc); - rc = BOOT_EFLASH; - - goto finish; - } - - /* Decompress data in chunks, writing it back with a larger write offset of the primary - * slot than read size of the secondary slot - */ - while (tmp_off < copy_size) { - uint32_t offset = 0; - uint8_t *output = NULL; - uint32_t output_size = 0; - uint32_t chunk_size; - bool last_packet = false; - - chunk_size = compression->decompress_bytes_needed(NULL); - - if (chunk_size > (copy_size - tmp_off)) { - chunk_size = (copy_size - tmp_off); - } - - if ((read_pos + tmp_off + chunk_size) >= hdr->ih_img_size) { - last_packet = true; - } - - rc = compression->decompress(NULL, &tmp_buf[tmp_off], chunk_size, last_packet, &offset, - &output, &output_size); - - if (rc) { - BOOT_LOG_ERR("Decompression error: %d", rc); - rc = BOOT_EBADSTATUS; - - goto finish; - } - - write_pos += output_size; - - if (write_pos > decompressed_image_size) { - BOOT_LOG_ERR("Decompressed image larger than claimed TLV size, at least: %d", - write_pos); - rc = BOOT_EBADIMAGE; - - goto finish; - } - - /* Additional dry-run validity checks */ - if (last_packet == true && write_pos == 0) { - /* Last packet and we still have no output, this is a faulty update */ - BOOT_LOG_ERR("All compressed data consumed without any output, image not valid"); - rc = BOOT_EBADIMAGE; - - goto finish; - } - - if (offset == 0) { - /* If the decompression system continually consumes 0 bytes, then there is a - * problem with this update image, abort and mark image as bad - */ - if (offset_zero_check >= OFFSET_ZERO_CHECK_TIMES) { - BOOT_LOG_ERR("Decompression system returning no output data, image not valid"); - rc = BOOT_EBADIMAGE; - - goto finish; - } - - ++offset_zero_check; - - break; - } else { - offset_zero_check = 0; - } - - if (output_size > 0) { - bootutil_sha_update(&sha_ctx, output, output_size); - } - - tmp_off += offset; - } - - read_pos += copy_size; - } - - /* If there are any protected TLVs present, add them after the main decompressed image */ - if (modified_hdr.ih_protect_tlv_size > 0) { - rc = boot_sha_protected_tlvs(hdr, fap, modified_hdr.ih_protect_tlv_size, tmp_buf, - tmp_buf_sz, &sha_ctx); - } - - bootutil_sha_finish(&sha_ctx, hash_result); - -finish: - /* Clean up decompression system */ - (void)compression->deinit(NULL); - -finish_without_clean: - bootutil_sha_drop(&sha_ctx); - - return rc; -} - -static int boot_copy_protected_tlvs(const struct image_header *hdr, - const struct flash_area *fap_src, - const struct flash_area *fap_dst, uint32_t off_dst, - uint32_t protected_size, uint8_t *buf, size_t buf_size, - uint16_t *buf_pos, uint32_t *written) -{ - int rc; - uint32_t off; - uint32_t write_pos = 0; - uint16_t len; - uint16_t type; - struct image_tlv_iter it; - struct image_tlv tlv_header; - struct image_tlv_info tlv_info_header = { - .it_magic = IMAGE_TLV_PROT_INFO_MAGIC, - .it_tlv_tot = protected_size, - }; - uint16_t info_size_left = sizeof(tlv_info_header); - - while (info_size_left > 0) { - uint16_t copy_size = buf_size - *buf_pos; - - if (info_size_left > 0 && copy_size > 0) { - uint16_t single_copy_size = copy_size; - uint8_t *tlv_info_header_address = (uint8_t *)&tlv_info_header; - - if (single_copy_size > info_size_left) { - single_copy_size = info_size_left; - } - - memcpy(&buf[*buf_pos], &tlv_info_header_address[sizeof(tlv_info_header) - - info_size_left], single_copy_size); - *buf_pos += single_copy_size; - info_size_left -= single_copy_size; - } - - if (*buf_pos == buf_size) { - rc = flash_area_write(fap_dst, (off_dst + write_pos), buf, *buf_pos); - - if (rc != 0) { - BOOT_LOG_ERR("Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - (off_dst + write_pos), *buf_pos, fap_dst->fa_id, rc); - rc = BOOT_EFLASH; - - goto out; - } - - write_pos += *buf_pos; - *buf_pos = 0; - } - } - - rc = bootutil_tlv_iter_begin(&it, hdr, fap_src, IMAGE_TLV_ANY, true); - - if (rc) { - goto out; - } - - while (true) { - rc = bootutil_tlv_iter_next(&it, &off, &len, &type); - - if (rc < 0) { - goto out; - } else if (rc > 0) { - rc = 0; - break; - } - - if (type == IMAGE_TLV_DECOMP_SIZE || type == IMAGE_TLV_DECOMP_SHA || - type == IMAGE_TLV_DECOMP_SIGNATURE) { - /* Skip these TLVs as they are not needed */ - continue; - } else { - uint16_t header_size_left = sizeof(tlv_header); - uint16_t data_size_left = len; - - tlv_header.it_type = type; - tlv_header.it_len = len; - - while (header_size_left > 0 || data_size_left > 0) { - uint16_t copy_size = buf_size - *buf_pos; - uint8_t *tlv_header_address = (uint8_t *)&tlv_header; - - if (header_size_left > 0 && copy_size > 0) { - uint16_t single_copy_size = copy_size; - - if (single_copy_size > header_size_left) { - single_copy_size = header_size_left; - } - - memcpy(&buf[*buf_pos], &tlv_header_address[sizeof(tlv_header) - - header_size_left], - single_copy_size); - *buf_pos += single_copy_size; - copy_size -= single_copy_size; - header_size_left -= single_copy_size; - } - - if (data_size_left > 0 && copy_size > 0) { - uint16_t single_copy_size = copy_size; - - if (single_copy_size > data_size_left) { - single_copy_size = data_size_left; - } - - rc = LOAD_IMAGE_DATA(hdr, fap_src, (off + (len - data_size_left)), - &buf[*buf_pos], single_copy_size); - - if (rc) { - BOOT_LOG_ERR( - "Image data load failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - (off + (len - data_size_left)), single_copy_size, fap_src->fa_id, rc); - - goto out; - } - - *buf_pos += single_copy_size; - data_size_left -= single_copy_size; - } - - if (*buf_pos == buf_size) { - rc = flash_area_write(fap_dst, (off_dst + write_pos), buf, *buf_pos); - - if (rc != 0) { - BOOT_LOG_ERR( - "Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - (off_dst + write_pos), *buf_pos, fap_dst->fa_id, rc); - rc = BOOT_EFLASH; - - goto out; - } - - write_pos += *buf_pos; - *buf_pos = 0; - } - } - } - } - - *written = write_pos; - -out: - return rc; -} - -static int boot_sha_protected_tlvs(const struct image_header *hdr, - const struct flash_area *fap_src, uint32_t protected_size, - uint8_t *buf, size_t buf_size, bootutil_sha_context *sha_ctx) -{ - int rc; - uint32_t off; - uint16_t len; - uint16_t type; - struct image_tlv_iter it; - struct image_tlv tlv_header; - struct image_tlv_info tlv_info_header = { - .it_magic = IMAGE_TLV_PROT_INFO_MAGIC, - .it_tlv_tot = protected_size, - }; - - bootutil_sha_update(sha_ctx, &tlv_info_header, sizeof(tlv_info_header)); - - rc = bootutil_tlv_iter_begin(&it, hdr, fap_src, IMAGE_TLV_ANY, true); - if (rc) { - goto out; - } - - while (true) { - uint32_t read_off = 0; - - rc = bootutil_tlv_iter_next(&it, &off, &len, &type); - - if (rc < 0) { - goto out; - } else if (rc > 0) { - rc = 0; - break; - } - - if (type == IMAGE_TLV_DECOMP_SIZE || type == IMAGE_TLV_DECOMP_SHA || - type == IMAGE_TLV_DECOMP_SIGNATURE) { - /* Skip these TLVs as they are not needed */ - continue; - } - - tlv_header.it_type = type; - tlv_header.it_len = len; - - bootutil_sha_update(sha_ctx, &tlv_header, sizeof(tlv_header)); - - while (read_off < len) { - uint32_t copy_size = buf_size; - - if (copy_size > (len - read_off)) { - copy_size = len - read_off; - } - - rc = LOAD_IMAGE_DATA(hdr, fap_src, (off + read_off), buf, copy_size); - - if (rc) { - BOOT_LOG_ERR( - "Image data load failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - (off + read_off), copy_size, fap_src->fa_id, rc); - - goto out; - } - - bootutil_sha_update(sha_ctx, buf, copy_size); - read_off += copy_size; - } - } - -out: - return rc; -} - -int boot_size_protected_tlvs(const struct image_header *hdr, const struct flash_area *fap, - uint32_t *sz) -{ - int rc = 0; - uint32_t tlv_size; - uint32_t off; - uint16_t len; - uint16_t type; - struct image_tlv_iter it; - - *sz = 0; - tlv_size = hdr->ih_protect_tlv_size; - - rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, true); - - if (rc) { - goto out; - } - - while (true) { - rc = bootutil_tlv_iter_next(&it, &off, &len, &type); - - if (rc < 0) { - goto out; - } else if (rc > 0) { - rc = 0; - break; - } - - if (type == IMAGE_TLV_DECOMP_SIZE || type == IMAGE_TLV_DECOMP_SHA || - type == IMAGE_TLV_DECOMP_SIGNATURE) { - /* Exclude these TLVs as they will be copied to the unprotected area */ - tlv_size -= len + sizeof(struct image_tlv); - } - } - - if (!rc) { - if (tlv_size == sizeof(struct image_tlv_info)) { - /* If there are no entries then omit protected TLV section entirely */ - tlv_size = 0; - } - - *sz = tlv_size; - } - -out: - return rc; -} - -int boot_size_unprotected_tlvs(const struct image_header *hdr, const struct flash_area *fap, - uint32_t *sz) -{ - int rc = 0; - uint32_t tlv_size; - uint32_t off; - uint16_t len; - uint16_t type; - struct image_tlv_iter it; - - *sz = 0; - tlv_size = sizeof(struct image_tlv_info); - - rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false); - - if (rc) { - goto out; - } - - while (true) { - rc = bootutil_tlv_iter_next(&it, &off, &len, &type); - - if (rc < 0) { - goto out; - } else if (rc > 0) { - rc = 0; - break; - } else if (bootutil_tlv_iter_is_prot(&it, off) && type != IMAGE_TLV_DECOMP_SHA && - type != IMAGE_TLV_DECOMP_SIGNATURE) { - /* Include size of protected hash and signature as these will be replacing the - * original ones - */ - continue; - } else if (type == EXPECTED_HASH_TLV || type == EXPECTED_SIG_TLV) { - /* Exclude the original unprotected TLVs for signature and hash, the length of the - * signature of the compressed data might not be the same size as the signaute of the - * decompressed data, as is the case when using ECDSA-P256 - */ - continue; - } - - tlv_size += len + sizeof(struct image_tlv); - } - - if (!rc) { - if (tlv_size == sizeof(struct image_tlv_info)) { - /* If there are no entries in the unprotected TLV section then there is something wrong - * with this image - */ - BOOT_LOG_ERR("No unprotected TLVs in post-decompressed image output, image is invalid"); - rc = BOOT_EBADIMAGE; - - goto out; - } - - *sz = tlv_size; - } - -out: - return rc; -} - -static int boot_copy_unprotected_tlvs(const struct image_header *hdr, - const struct flash_area *fap_src, - const struct flash_area *fap_dst, uint32_t off_dst, - uint32_t unprotected_size, uint8_t *buf, size_t buf_size, - uint16_t *buf_pos, uint32_t *written) -{ - int rc; - uint32_t write_pos = 0; - uint32_t off; - uint16_t len; - uint16_t type; - struct image_tlv_iter it; - struct image_tlv_iter it_protected; - struct image_tlv tlv_header; - struct image_tlv_info tlv_info_header = { - .it_magic = IMAGE_TLV_INFO_MAGIC, - .it_tlv_tot = unprotected_size, - }; - uint16_t info_size_left = sizeof(tlv_info_header); - - while (info_size_left > 0) { - uint16_t copy_size = buf_size - *buf_pos; - - if (info_size_left > 0 && copy_size > 0) { - uint16_t single_copy_size = copy_size; - uint8_t *tlv_info_header_address = (uint8_t *)&tlv_info_header; - - if (single_copy_size > info_size_left) { - single_copy_size = info_size_left; - } - - memcpy(&buf[*buf_pos], &tlv_info_header_address[sizeof(tlv_info_header) - - info_size_left], single_copy_size); - *buf_pos += single_copy_size; - info_size_left -= single_copy_size; - } - - if (*buf_pos == buf_size) { - rc = flash_area_write(fap_dst, (off_dst + write_pos), buf, *buf_pos); - - if (rc != 0) { - BOOT_LOG_ERR("Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - (off_dst + write_pos), *buf_pos, fap_dst->fa_id, rc); - rc = BOOT_EFLASH; - - goto out; - } - - write_pos += *buf_pos; - *buf_pos = 0; - } - } - - rc = bootutil_tlv_iter_begin(&it, hdr, fap_src, IMAGE_TLV_ANY, false); - if (rc) { - goto out; - } - - while (true) { - uint16_t header_size_left = sizeof(tlv_header); - uint16_t data_size_left; - - rc = bootutil_tlv_iter_next(&it, &off, &len, &type); - if (rc < 0) { - goto out; - } else if (rc > 0) { - rc = 0; - break; - } else if (bootutil_tlv_iter_is_prot(&it, off)) { - /* Skip protected TLVs */ - continue; - } - - /* Change the values of these fields from having the data in the compressed image - * unprotected TLV (which is valid only for the compressed image data) to having the - * fields in the protected TLV section (which is valid for the decompressed image data). - * The compressed data is no longer needed - */ - if (type == EXPECTED_HASH_TLV || type == EXPECTED_SIG_TLV) { - rc = bootutil_tlv_iter_begin(&it_protected, hdr, fap_src, (type == EXPECTED_HASH_TLV ? - IMAGE_TLV_DECOMP_SHA : - IMAGE_TLV_DECOMP_SIGNATURE), - true); - - if (rc) { - goto out; - } - - while (true) { - rc = bootutil_tlv_iter_next(&it_protected, &off, &len, &type); - if (rc < 0) { - goto out; - } else if (rc > 0) { - rc = 0; - break; - } - } - - if (type == IMAGE_TLV_DECOMP_SHA) { - type = EXPECTED_HASH_TLV; - } else { - type = EXPECTED_SIG_TLV; - } - } - - data_size_left = len; - tlv_header.it_type = type; - tlv_header.it_len = len; - - while (header_size_left > 0 || data_size_left > 0) { - uint16_t copy_size = buf_size - *buf_pos; - - if (header_size_left > 0 && copy_size > 0) { - uint16_t single_copy_size = copy_size; - uint8_t *tlv_header_address = (uint8_t *)&tlv_header; - - if (single_copy_size > header_size_left) { - single_copy_size = header_size_left; - } - - memcpy(&buf[*buf_pos], &tlv_header_address[sizeof(tlv_header) - header_size_left], - single_copy_size); - *buf_pos += single_copy_size; - copy_size -= single_copy_size; - header_size_left -= single_copy_size; - } - - if (data_size_left > 0 && copy_size > 0) { - uint16_t single_copy_size = copy_size; - - if (single_copy_size > data_size_left) { - single_copy_size = data_size_left; - } - - rc = LOAD_IMAGE_DATA(hdr, fap_src, (off + len - data_size_left), - &buf[*buf_pos], single_copy_size); - - if (rc) { - BOOT_LOG_ERR( - "Image data load failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - (off + (len - data_size_left)), single_copy_size, fap_src->fa_id, rc); - - goto out; - } - - *buf_pos += single_copy_size; - data_size_left -= single_copy_size; - } - - if (*buf_pos == buf_size) { - rc = flash_area_write(fap_dst, (off_dst + write_pos), buf, *buf_pos); - - if (rc != 0) { - BOOT_LOG_ERR( - "Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - (off_dst + write_pos), *buf_pos, fap_dst->fa_id, rc); - rc = BOOT_EFLASH; - - goto out; - } - - write_pos += *buf_pos; - *buf_pos = 0; - } - } - } - - *written = write_pos; - -out: - return rc; -} - -int boot_copy_region_decompress(struct boot_loader_state *state, const struct flash_area *fap_src, - const struct flash_area *fap_dst, uint32_t off_src, - uint32_t off_dst, uint32_t sz, uint8_t *buf, size_t buf_size) -{ - int rc; - uint32_t pos = 0; - uint16_t decomp_buf_size = 0; - uint16_t write_alignment; - uint32_t write_pos = 0; - uint32_t protected_tlv_size = 0; - uint32_t unprotected_tlv_size = 0; - uint32_t tlv_write_size = 0; - uint32_t decompressed_image_size; - struct nrf_compress_implementation *compression = NULL; - struct image_header *hdr; - TARGET_STATIC uint8_t decomp_buf[CONFIG_BOOT_DECOMPRESSION_BUFFER_SIZE] __attribute__((aligned(4))); - TARGET_STATIC struct image_header modified_hdr; - - hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); - - /* Setup decompression system */ -#if CONFIG_NRF_COMPRESS_LZMA_VERSION_LZMA1 - if (!(hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA1)) { -#elif CONFIG_NRF_COMPRESS_LZMA_VERSION_LZMA2 - if (!(hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA2)) { -#endif - /* Compressed image does not use the correct compression type which is supported by this - * build - */ - BOOT_LOG_ERR("Invalid image compression flags: no supported compression found"); - rc = BOOT_EBADIMAGE; - - goto finish; - } - - compression = nrf_compress_implementation_find(NRF_COMPRESS_TYPE_LZMA); - - if (compression == NULL || compression->init == NULL || compression->deinit == NULL || - compression->decompress_bytes_needed == NULL || compression->decompress == NULL) { - /* Compression library missing or missing required function pointer */ - BOOT_LOG_ERR("Decompression library fatal error"); - rc = BOOT_EBADSTATUS; - - goto finish; - } - - rc = compression->init(NULL); - - if (rc) { - BOOT_LOG_ERR("Decompression library fatal error"); - rc = BOOT_EBADSTATUS; - - goto finish; - } - - write_alignment = flash_area_align(fap_dst); - - memcpy(&modified_hdr, hdr, sizeof(modified_hdr)); - - rc = bootutil_get_img_decomp_size(hdr, fap_src, &decompressed_image_size); - - if (rc) { - BOOT_LOG_ERR("Unable to determine decompressed size of compressed image"); - rc = BOOT_EBADIMAGE; - - goto finish; - } - - modified_hdr.ih_flags &= ~COMPRESSIONFLAGS; - modified_hdr.ih_img_size = decompressed_image_size; - - /* Calculate protected TLV size for target image once items are removed */ - rc = boot_size_protected_tlvs(hdr, fap_src, &protected_tlv_size); - - if (rc) { - BOOT_LOG_ERR("Unable to determine protected TLV size of compressed image"); - rc = BOOT_EBADIMAGE; - - goto finish; - } - - modified_hdr.ih_protect_tlv_size = protected_tlv_size; - - rc = boot_size_unprotected_tlvs(hdr, fap_src, &unprotected_tlv_size); - - if (rc) { - BOOT_LOG_ERR("Unable to determine unprotected TLV size of compressed image"); - rc = BOOT_EBADIMAGE; - - goto finish; - } - - /* Write out the image header first, this should be a multiple of the write size */ - rc = flash_area_write(fap_dst, off_dst, &modified_hdr, sizeof(modified_hdr)); - - if (rc != 0) { - BOOT_LOG_ERR("Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - off_dst, sizeof(modified_hdr), fap_dst->fa_id, rc); - rc = BOOT_EFLASH; - - goto finish; - } - - /* Read in, decompress and write out data */ - while (pos < hdr->ih_img_size) { - uint32_t copy_size = hdr->ih_img_size - pos; - uint32_t tmp_off = 0; - - if (copy_size > buf_size) { - copy_size = buf_size; - } - - rc = flash_area_read(fap_src, off_src + hdr->ih_hdr_size + pos, buf, copy_size); - - if (rc != 0) { - BOOT_LOG_ERR("Flash read failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - (off_src + hdr->ih_hdr_size + pos), copy_size, fap_src->fa_id, rc); - rc = BOOT_EFLASH; - - goto finish; - } - - /* Decompress data in chunks, writing it back with a larger write offset of the primary - * slot than read size of the secondary slot - */ - while (tmp_off < copy_size) { - uint32_t offset = 0; - uint32_t output_size = 0; - uint32_t chunk_size; - uint32_t compression_buffer_pos = 0; - uint8_t *output = NULL; - bool last_packet = false; - - chunk_size = compression->decompress_bytes_needed(NULL); - - if (chunk_size > (copy_size - tmp_off)) { - chunk_size = (copy_size - tmp_off); - } - - if ((pos + tmp_off + chunk_size) >= hdr->ih_img_size) { - last_packet = true; - } - - rc = compression->decompress(NULL, &buf[tmp_off], chunk_size, last_packet, &offset, - &output, &output_size); - - if (rc) { - BOOT_LOG_ERR("Decompression error: %d", rc); - rc = BOOT_EBADSTATUS; - - goto finish; - } - - /* Copy data to secondary buffer for writing out */ - while (output_size > 0) { - uint32_t data_size = (sizeof(decomp_buf) - decomp_buf_size); - - if (data_size > output_size) { - data_size = output_size; - } - - memcpy(&decomp_buf[decomp_buf_size], &output[compression_buffer_pos], data_size); - compression_buffer_pos += data_size; - - decomp_buf_size += data_size; - output_size -= data_size; - - /* Write data out from secondary buffer when it is full */ - if (decomp_buf_size == sizeof(decomp_buf)) { - rc = flash_area_write(fap_dst, (off_dst + hdr->ih_hdr_size + write_pos), - decomp_buf, sizeof(decomp_buf)); - - if (rc != 0) { - BOOT_LOG_ERR( - "Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - (off_dst + hdr->ih_hdr_size + write_pos), sizeof(decomp_buf), - fap_dst->fa_id, rc); - rc = BOOT_EFLASH; - - goto finish; - } - - write_pos += sizeof(decomp_buf); - decomp_buf_size = 0; - } - } - - tmp_off += offset; - } - - pos += copy_size; - } - - /* Clean up decompression system */ - (void)compression->deinit(NULL); - - if (protected_tlv_size > 0) { - rc = boot_copy_protected_tlvs(hdr, fap_src, fap_dst, (off_dst + hdr->ih_hdr_size + - write_pos), protected_tlv_size, - decomp_buf, DECOMP_BUF_SIZE, &decomp_buf_size, - &tlv_write_size); - - if (rc) { - BOOT_LOG_ERR("Protected TLV copy failure: %d", rc); - - goto finish; - } - - write_pos += tlv_write_size; - } - - tlv_write_size = 0; - rc = boot_copy_unprotected_tlvs(hdr, fap_src, fap_dst, (off_dst + hdr->ih_hdr_size + - write_pos), unprotected_tlv_size, - decomp_buf, DECOMP_BUF_SIZE, &decomp_buf_size, - &tlv_write_size); - - if (rc) { - BOOT_LOG_ERR("Protected TLV copy failure: %d", rc); - - goto finish; - } - - write_pos += tlv_write_size; - - /* Check if we have unwritten data buffered up and, if so, write it out */ - if (decomp_buf_size > 0) { - uint32_t write_padding_size = write_alignment - (decomp_buf_size % write_alignment); - - /* Check if additional write padding should be applied to meet the minimum write size */ - if (write_padding_size) { - uint8_t flash_erased_value; - - flash_erased_value = flash_area_erased_val(fap_dst); - memset(&decomp_buf[decomp_buf_size], flash_erased_value, write_padding_size); - decomp_buf_size += write_padding_size; - } - - rc = flash_area_write(fap_dst, (off_dst + hdr->ih_hdr_size + write_pos), decomp_buf, - decomp_buf_size); - - if (rc != 0) { - BOOT_LOG_ERR("Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - (off_dst + hdr->ih_hdr_size + write_pos), decomp_buf_size, - fap_dst->fa_id, rc); - rc = BOOT_EFLASH; - - goto finish; - } - - write_pos += decomp_buf_size; - decomp_buf_size = 0; - } - -finish: - memset(decomp_buf, 0, sizeof(decomp_buf)); - - return rc; -} - -int bootutil_get_img_decomp_size(const struct image_header *hdr, const struct flash_area *fap, - uint32_t *img_decomp_size) -{ - struct image_tlv_iter it; - uint32_t off; - uint16_t len; - int32_t rc; - - if (hdr == NULL || fap == NULL || img_decomp_size == NULL) { - return BOOT_EBADARGS; - } else if (hdr->ih_protect_tlv_size == 0) { - return BOOT_EBADIMAGE; - } - - rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_DECOMP_SIZE, true); - - if (rc) { - return rc; - } - - rc = bootutil_tlv_iter_next(&it, &off, &len, NULL); - - if (rc != 0) { - return -1; - } - - if (len != sizeof(*img_decomp_size)) { - BOOT_LOG_ERR("Invalid decompressed image size TLV: %d", len); - - return BOOT_EBADIMAGE; - } - - rc = LOAD_IMAGE_DATA(hdr, fap, off, img_decomp_size, len); - - if (rc) { - BOOT_LOG_ERR("Image data load failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", - off, len, fap->fa_id, rc); - - return BOOT_EFLASH; - } - - return 0; -} diff --git a/boot/zephyr/include/compression/decompression.h b/boot/zephyr/include/compression/decompression.h deleted file mode 100644 index f8a676ac5..000000000 --- a/boot/zephyr/include/compression/decompression.h +++ /dev/null @@ -1,104 +0,0 @@ -/* - * Copyright (c) 2024 Nordic Semiconductor ASA - * - * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause - */ - -#ifndef H_DECOMPRESSION_ -#define H_DECOMPRESSION_ - -#include -#include -#include -#include "bootutil/bootutil.h" -#include "bootutil/bootutil_public.h" -#include "bootutil/image.h" -#include "../src/bootutil_priv.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * Checks if a compressed image header is valid. - * - * @param hdr Image header. - * @param fap Flash area of the slot. - * @param state Bootloader state object. - * - * @return true if valid; false if invalid. - */ -bool boot_is_compressed_header_valid(const struct image_header *hdr, const struct flash_area *fap, - struct boot_loader_state *state); - -/** - * Reads in compressed image data from a slot, decompresses it and writes it out to a destination - * slot, including corresponding image headers and TLVs. - * - * @param state Bootloader state object. - * @param fap_src Flash area of the source slot. - * @param fap_dst Flash area of the destination slot. - * @param off_src Offset of the source slot to read from (should be 0). - * @param off_dst Offset of the destination slot to write to (should be 0). - * @param sz Size of the source slot data. - * @param buf Temporary buffer for reading data from. - * @param buf_size Size of temporary buffer. - * - * @return 0 on success; nonzero on failure. - */ -int boot_copy_region_decompress(struct boot_loader_state *state, const struct flash_area *fap_src, - const struct flash_area *fap_dst, uint32_t off_src, - uint32_t off_dst, uint32_t sz, uint8_t *buf, size_t buf_size); - -/** - * Gets the total data size (excluding headers and TLVs) of a compressed image when it is - * decompressed. - * - * @param hdr Image header. - * @param fap Flash area of the slot. - * @param img_decomp_size Pointer to variable that will be updated with the decompressed image - * size. - * - * @return 0 on success; nonzero on failure. - */ -int bootutil_get_img_decomp_size(const struct image_header *hdr, const struct flash_area *fap, - uint32_t *img_decomp_size); - -/** - * Calculate MCUboot-compatible image hash of compressed image slot. - * - * @param enc_state Not currently used, set to NULL. - * @param image_index Image number. - * @param hdr Image header. - * @param fap Flash area of the slot. - * @param tmp_buf Temporary buffer for reading data from. - * @param tmp_buf_sz Size of temporary buffer. - * @param hash_result Pointer to a variable that will be updated with the image hash. - * @param seed Not currently used, set to NULL. - * @param seed_len Not currently used, set to 0. - * - * @return 0 on success; nonzero on failure. - */ -int bootutil_img_hash_decompress(struct enc_key_data *enc_state, int image_index, - struct image_header *hdr, const struct flash_area *fap, - uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *hash_result, - uint8_t *seed, int seed_len); - -/** - * Calculates the size that the compressed image protected TLV section will occupy once the image - * has been decompressed. - * - * @param hdr Image header. - * @param fap Flash area of the slot. - * @param sz Pointer to variable that will be updated with the protected TLV size. - * - * @return 0 on success; nonzero on failure. - */ -int boot_size_protected_tlvs(const struct image_header *hdr, const struct flash_area *fap_src, - uint32_t *sz); - -#ifdef __cplusplus -} -#endif - -#endif /* H_DECOMPRESSION_ */ From 9b0501560ce39f7e043dfa907afbf4461cf452e8 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 083/228] Revert "[nrf noup] zephyr: Fix path variables" This reverts commit a1a093a728f4a1aeec87c98de5372e1af305fc28. --- boot/zephyr/CMakeLists.txt | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 7c60125bf..2849e31fe 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -29,20 +29,21 @@ if(NOT CONFIG_MBEDTLS_BUILTIN AND NOT CONFIG_BOOT_KEY_IMPORT_BYPASS_ASN) set(MBEDTLS_ASN1_DIR "${MCUBOOT_DIR}/ext/mbedtls-asn1") assert_exists(MBEDTLS_ASN1_DIR) endif() -set(MCUBOOT_NRF_EXT_DIR "${MCUBOOT_DIR}/ext/nrf") +set(NRF_DIR "${MCUBOOT_DIR}/ext/nrf") if(CONFIG_BOOT_USE_NRF_CC310_BL) - if(NOT EXISTS ${ZEPHYR_NRFXLIB_MODULE_DIR}) - message(FATAL_ERROR " +set(NRFXLIB_DIR ${ZEPHYR_BASE}/../nrfxlib) +if(NOT EXISTS ${NRFXLIB_DIR}) + message(FATAL_ERROR " ------------------------------------------------------------------------ - No such file or directory: ${ZEPHYR_NRFXLIB_MODULE_DIR} + No such file or directory: ${NRFXLIB_DIR} The current configuration enables nRF CC310 crypto accelerator hardware with the `CONFIG_BOOT_USE_NRF_CC310_BL` option. Please follow `ext/nrf/README.md` guide to fix your setup or use tinycrypt instead of the HW accelerator. To use the tinycrypt set `CONFIG_BOOT_ECDSA_TINYCRYPT` to y. ------------------------------------------------------------------------") - endif() +endif() endif() zephyr_library_include_directories( @@ -190,8 +191,8 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) ${TINYCRYPT_DIR}/source/utils.c ) elseif(CONFIG_BOOT_USE_NRF_CC310_BL) - zephyr_library_sources(${MCUBOOT_NRF_EXT_DIR}/cc310_glue.c) - zephyr_library_include_directories(${MCUBOOT_NRF_EXT_DIR}) + zephyr_library_sources(${NRF_DIR}/cc310_glue.c) + zephyr_library_include_directories(${NRF_DIR}) zephyr_link_libraries(nrfxlib_crypto) elseif(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO) zephyr_include_directories(${BL_CRYPTO_DIR}/../include) From fbbf9a88e66ccec1326de7c37acfe22256785a60 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 084/228] Revert "[nrf noup] zephyr: sdk-nrf specific overrides on PSA Kconfigs" This reverts commit 72a8bdc50ac77adc40b94649bf1bd57952d0bc92. --- boot/bootutil/zephyr/CMakeLists.txt | 2 +- boot/zephyr/Kconfig | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/boot/bootutil/zephyr/CMakeLists.txt b/boot/bootutil/zephyr/CMakeLists.txt index 44f78f395..f6d37441c 100644 --- a/boot/bootutil/zephyr/CMakeLists.txt +++ b/boot/bootutil/zephyr/CMakeLists.txt @@ -40,7 +40,7 @@ if(CONFIG_BOOT_USE_PSA_CRYPTO) ) endif() -if(CONFIG_BOOT_USE_MBEDTLS OR CONFIG_BOOT_USE_PSA_CRYPTO AND NOT CONFIG_NRF_SECURITY) +if(CONFIG_BOOT_USE_MBEDTLS OR CONFIG_BOOT_USE_PSA_CRYPTO) zephyr_link_libraries(mbedTLS) endif() endif() diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index a3bb0aab0..5d8c66570 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -89,7 +89,8 @@ config BOOT_ED25519_PSA_DEPENDENCIES select PSA_WANT_ALG_SHA_256 select PSA_WANT_ALG_SHA_512 select PSA_WANT_ALG_PURE_EDDSA - select PSA_WANT_ECC_TWISTED_EDWARDS_255 + # Seems that upstream mbedTLS does not have TE + #select PSA_WANT_ECC_TWISTED_EDWARDS_255 select PSA_WANT_ECC_MONTGOMERY_255 select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT help @@ -284,7 +285,6 @@ config BOOT_SIGNATURE_TYPE_PURE choice BOOT_ED25519_IMPLEMENTATION prompt "Ecdsa implementation" - default BOOT_ED25519_PSA if NRF_SECURITY default BOOT_ED25519_TINYCRYPT config BOOT_ED25519_TINYCRYPT @@ -305,7 +305,7 @@ config BOOT_ED25519_MBEDTLS config BOOT_ED25519_PSA bool "Use PSA crypto" - depends on NRF_SECURITY + select MBEDTLS select BOOT_USE_PSA_CRYPTO select PSA_CRYPTO_CLIENT select PSA_CRYPTO_C @@ -370,11 +370,11 @@ config MCUBOOT_CLEANUP_RAM help Sets contents of memory to 0 before jumping to application. -if MBEDTLS || NRF_SECURITY +if MBEDTLS config MBEDTLS_CFG_FILE default "config-tls-generic.h" if MBEDTLS_BUILTIN || BOOT_USE_PSA_CRYPTO - default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS && !NRF_SECURITY + default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS endif From e335b7eb3b4913cad96f3416da64ee2c0697057a Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 085/228] Revert "[nrf fromlist] bootutil: Fix ed25519 pure signature verification" This reverts commit f203bf1269e5de19c5e4e543fb174fbfa5844913. --- boot/bootutil/src/image_ed25519.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index ffb8cec3b..90e8300de 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -90,7 +90,7 @@ bootutil_verify(uint8_t *buf, uint32_t blen, uint8_t *pubkey; uint8_t *end; - if (slen != EDDSA_SIGNATURE_LENGTH) { + if (blen != IMAGE_HASH_SIZE || slen != EDDSA_SIGNATURE_LENGTH) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } From 3ebc4cc1a08a8f306fb168306ad67fadab09495a Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 086/228] Revert "[nrf fromtree] zephyr: Add missing selection for allowed SHA algorithms" This reverts commit 04c71e3e74a2ed316492db20492080d7517787ea. --- boot/zephyr/Kconfig | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 5d8c66570..8ee906621 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -290,13 +290,11 @@ choice BOOT_ED25519_IMPLEMENTATION config BOOT_ED25519_TINYCRYPT bool "Use tinycrypt" select BOOT_USE_TINYCRYPT - select BOOT_IMG_HASH_ALG_SHA256_ALLOW select BOOT_IMG_HASH_ALG_SHA512_ALLOW config BOOT_ED25519_MBEDTLS bool "Use mbedTLS" select BOOT_USE_MBEDTLS - select BOOT_IMG_HASH_ALG_SHA256_ALLOW select BOOT_IMG_HASH_ALG_SHA512_ALLOW select MBEDTLS select MBEDTLS_SHA512 @@ -307,13 +305,10 @@ config BOOT_ED25519_PSA bool "Use PSA crypto" select MBEDTLS select BOOT_USE_PSA_CRYPTO - select PSA_CRYPTO_CLIENT - select PSA_CRYPTO_C select MBEDTLS_PSA_CRYPTO_C select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN - select MBEDTLS_ENABLE_HEAP - select BOOT_IMG_HASH_ALG_SHA256_ALLOW - select BOOT_IMG_HASH_ALG_SHA512_ALLOW + select PSA_CRYPTO_CLIENT + select PSA_CRYPTO_C select BOOT_ED25519_PSA_DEPENDENCIES select BOOT_X25519_PSA_DEPENDENCIES if BOOT_ENCRYPT_IMAGE From 47961c3fe1cfae782a611f5b7961c3ad90ade6e4 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 087/228] Revert "[nrf fromtree] zephyr: Fix ED25519 compilation with mbedTLS" This reverts commit de7aeef3a18c85aa7feb7900e77f904510bacb3c. --- boot/zephyr/Kconfig | 2 -- 1 file changed, 2 deletions(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 8ee906621..17a7007c1 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -295,9 +295,7 @@ config BOOT_ED25519_TINYCRYPT config BOOT_ED25519_MBEDTLS bool "Use mbedTLS" select BOOT_USE_MBEDTLS - select BOOT_IMG_HASH_ALG_SHA512_ALLOW select MBEDTLS - select MBEDTLS_SHA512 select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN && !BOOT_KEY_IMPORT_BYPASS_ASN select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE From 14219aba9a858f852a9884e4184fff4c4f634aa0 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 088/228] Revert "[nrf fromtree] zephyr: Prevent selecting MBEDTLS_ASN1_PARSE_C when not needed" This reverts commit 721b3f681b192ff1835c4e837ad72feeebf5c169. --- boot/zephyr/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 17a7007c1..18bbcb134 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -296,7 +296,7 @@ config BOOT_ED25519_MBEDTLS bool "Use mbedTLS" select BOOT_USE_MBEDTLS select MBEDTLS - select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN && !BOOT_KEY_IMPORT_BYPASS_ASN + select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE config BOOT_ED25519_PSA From 13022a58c963bc3746d740e8224a21d57cfcaf17 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 089/228] Revert "[nrf fromtree] zephyr: Do not compile ASN1 code when bypassed" This reverts commit afa5789069349e3836c062b46fd854d0aa3e8e6d. --- boot/zephyr/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 2849e31fe..cc74de180 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -25,7 +25,7 @@ assert_exists(TINYCRYPT_SHA512_DIR) set(FIAT_DIR "${MCUBOOT_DIR}/ext/fiat") assert_exists(FIAT_DIR) # Path to mbed-tls' asn1 parser library. -if(NOT CONFIG_MBEDTLS_BUILTIN AND NOT CONFIG_BOOT_KEY_IMPORT_BYPASS_ASN) +if(NOT CONFIG_MBEDTLS_BUILTIN) set(MBEDTLS_ASN1_DIR "${MCUBOOT_DIR}/ext/mbedtls-asn1") assert_exists(MBEDTLS_ASN1_DIR) endif() From b885e39cdaa7537d7d0c4cfdb0c49c27380059eb Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 090/228] Revert "[nrf fromtree] bootutil: Fix ASN1 bypass not building" This reverts commit da2ae88950991d463f10852a49f9db07408a6d7c. --- boot/bootutil/src/image_ed25519.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index 90e8300de..01bef149d 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -18,10 +18,10 @@ #define MBEDTLS_ASN1_PARSE_C #include "mbedtls/oid.h" #include "mbedtls/asn1.h" -#include "bootutil/crypto/common.h" #endif #include "bootutil_priv.h" +#include "bootutil/crypto/common.h" #include "bootutil/crypto/sha.h" #define EDDSA_SIGNATURE_LENGTH 64 From e929260f3aef1c9624dbea94bff716c6d45ecd9d Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 091/228] Revert "[nrf fromtree] zephyr: Add Kconfig option CONFIG_BOOT_KEY_IMPORT_BYPASS_ASN" This reverts commit 5f21ef3ce33ce4fb852ea6a30950c57e5ec1e971. --- boot/zephyr/Kconfig | 9 --------- 1 file changed, 9 deletions(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 18bbcb134..f9870248c 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -311,15 +311,6 @@ config BOOT_ED25519_PSA select BOOT_X25519_PSA_DEPENDENCIES if BOOT_ENCRYPT_IMAGE endchoice - -config BOOT_KEY_IMPORT_BYPASS_ASN - bool "Directly access key value without ASN.1 parsing" - help - Originally, public keys compiled into MCUboot were - stored in ASN.1 encoded format. Enabling this option - bypasses the ASN.1 decoding and directly accesses the key - in ASN.1 bitstream; this reduces MCUboot code by removing - the ASN.1 processing. endif endchoice From ffbd27abf959dcc5a4a957d082142a8ff23b551e Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 092/228] Revert "[nrf fromtree] bootutil: Allow bypassing ASN.1 encoding for ED25519 key import" This reverts commit 421c664eb542157d536da0047836dc0cd530cc22. --- boot/bootutil/src/image_ed25519.c | 22 ++----------------- .../include/mcuboot_config/mcuboot_config.h | 4 ---- 2 files changed, 2 insertions(+), 24 deletions(-) diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index 01bef149d..0c5810666 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -13,30 +13,27 @@ #ifdef MCUBOOT_SIGN_ED25519 #include "bootutil/sign_key.h" -#if !defined(MCUBOOT_KEY_IMPORT_BYPASS_ASN) /* We are not really using the MBEDTLS but need the ASN.1 parsing functions */ #define MBEDTLS_ASN1_PARSE_C #include "mbedtls/oid.h" #include "mbedtls/asn1.h" -#endif #include "bootutil_priv.h" #include "bootutil/crypto/common.h" #include "bootutil/crypto/sha.h" #define EDDSA_SIGNATURE_LENGTH 64 + +static const uint8_t ed25519_pubkey_oid[] = MBEDTLS_OID_ISO_IDENTIFIED_ORG "\x65\x70"; #define NUM_ED25519_BYTES 32 extern int ED25519_verify(const uint8_t *message, size_t message_len, const uint8_t signature[EDDSA_SIGNATURE_LENGTH], const uint8_t public_key[NUM_ED25519_BYTES]); -#if !defined(MCUBOOT_KEY_IMPORT_BYPASS_ASN) /* * Parse the public key used for signing. */ -static const uint8_t ed25519_pubkey_oid[] = MBEDTLS_OID_ISO_IDENTIFIED_ORG "\x65\x70"; - static int bootutil_import_key(uint8_t **cp, uint8_t *end) { @@ -72,7 +69,6 @@ bootutil_import_key(uint8_t **cp, uint8_t *end) return 0; } -#endif /* !defined(MCUBOOT_KEY_IMPORT_BYPASS_ASN) */ /* Signature verification base function. * The function takes buffer of specified length and tries to verify @@ -98,25 +94,11 @@ bootutil_verify(uint8_t *buf, uint32_t blen, pubkey = (uint8_t *)bootutil_keys[key_id].key; end = pubkey + *bootutil_keys[key_id].len; -#if !defined(MCUBOOT_KEY_IMPORT_BYPASS_ASN) rc = bootutil_import_key(&pubkey, end); if (rc) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } -#else - /* Directly use the key contents from the ASN stream, - * these are the last NUM_ED25519_BYTES. - * There is no check whether this is the correct key, - * here, by the algorithm selected. - */ - if (*bootutil_keys[key_id].len < NUM_ED25519_BYTES) { - FIH_SET(fih_rc, FIH_FAILURE); - goto out; - } - - pubkey = end - NUM_ED25519_BYTES; -#endif rc = ED25519_verify(buf, blen, sig, pubkey); diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index 01a9439aa..db80f1882 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -34,10 +34,6 @@ # error "One crypto library implementation allowed at a time." #endif -#if defined(CONFIG_BOOT_KEY_IMPORT_BYPASS_ASN) -#define MCUBOOT_KEY_IMPORT_BYPASS_ASN -#endif - #ifdef CONFIG_BOOT_USE_MBEDTLS #define MCUBOOT_USE_MBED_TLS #elif defined(CONFIG_BOOT_USE_TINYCRYPT) From 0f96030aa6589e52690092af5f8cfb19be736b74 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 093/228] Revert "[nrf fromtree] zephyr: Enable building ed25519 PSA variant with Zephyr" This reverts commit 2ff8e8e4cc14804cbcbf042b619c384d3ba7607d. --- boot/bootutil/zephyr/CMakeLists.txt | 16 +++---- boot/zephyr/CMakeLists.txt | 41 +++++------------ boot/zephyr/Kconfig | 70 +---------------------------- 3 files changed, 17 insertions(+), 110 deletions(-) diff --git a/boot/bootutil/zephyr/CMakeLists.txt b/boot/bootutil/zephyr/CMakeLists.txt index f6d37441c..72a6a8638 100644 --- a/boot/bootutil/zephyr/CMakeLists.txt +++ b/boot/bootutil/zephyr/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright (c) 2020-2025 Nordic Semiconductor ASA +# Copyright (c) 2020 Nordic Semiconductor ASA # # SPDX-License-Identifier: Apache-2.0 @@ -29,18 +29,12 @@ zephyr_library_link_libraries(MCUBOOT_BOOTUTIL) target_link_libraries(MCUBOOT_BOOTUTIL INTERFACE zephyr_interface) if(CONFIG_BOOT_USE_TINYCRYPT) - target_include_directories(MCUBOOT_BOOTUTIL INTERFACE - ../../../ext/tinycrypt/lib/include - ) -endif() - -if(CONFIG_BOOT_USE_PSA_CRYPTO) - target_include_directories(MCUBOOT_BOOTUTIL INTERFACE - ${ZEPHYR_MBEDTLS_MODULE_DIR}/include - ) +target_include_directories(MCUBOOT_BOOTUTIL INTERFACE + ../../../ext/tinycrypt/lib/include +) endif() -if(CONFIG_BOOT_USE_MBEDTLS OR CONFIG_BOOT_USE_PSA_CRYPTO) +if(CONFIG_BOOT_USE_MBEDTLS) zephyr_link_libraries(mbedTLS) endif() endif() diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index cc74de180..b0c119da4 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -1,7 +1,7 @@ # CMakeLists.txt for building mcuboot as a Zephyr project # # Copyright (c) 2017 Open Source Foundries Limited -# Copyright (c) 2023-2025 Nordic Semiconductor ASA +# Copyright (c) 2023 Nordic Semiconductor ASA # # SPDX-License-Identifier: Apache-2.0 @@ -50,12 +50,6 @@ zephyr_library_include_directories( include ) -if(DEFINED CONFIG_MBEDTLS) - zephyr_library_include_directories( - ${ZEPHYR_MBEDTLS_MODULE_DIR}/include - ) -endif() - # Zephyr port-specific sources. zephyr_library_sources( main.c @@ -107,10 +101,6 @@ zephyr_library_sources( ${BOOT_DIR}/bootutil/src/fault_injection_hardening.c ) -if(DEFINED CONFIG_BOOT_ENCRYPT_X25519 AND DEFINED CONFIG_BOOT_ED25519_PSA) - zephyr_library_sources(${BOOT_DIR}/bootutil/src/encrypted_psa.c) -endif() - if(DEFINED CONFIG_MEASURED_BOOT OR DEFINED CONFIG_BOOT_SHARE_DATA) zephyr_library_sources( ${BOOT_DIR}/bootutil/src/boot_record.c @@ -259,28 +249,19 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519) ${FIAT_DIR}/include/ ) - if(NOT CONFIG_BOOT_ED25519_PSA) - zephyr_library_sources( - ${FIAT_DIR}/src/curve25519.c - ) - else() - zephyr_library_sources( - ${MBEDTLS_ASN1_DIR}/src/asn1parse.c - ${BOOT_DIR}/bootutil/src/ed25519_psa.c - ) - endif() + zephyr_library_sources( + ${FIAT_DIR}/src/curve25519.c + ) endif() -if(NOT CONFIG_BOOT_ED25519_PSA) - if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519) - zephyr_library_sources( - ${TINYCRYPT_DIR}/source/aes_encrypt.c - ${TINYCRYPT_DIR}/source/aes_decrypt.c - ${TINYCRYPT_DIR}/source/ctr_mode.c - ${TINYCRYPT_DIR}/source/hmac.c - ${TINYCRYPT_DIR}/source/ecc_dh.c +if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519) + zephyr_library_sources( + ${TINYCRYPT_DIR}/source/aes_encrypt.c + ${TINYCRYPT_DIR}/source/aes_decrypt.c + ${TINYCRYPT_DIR}/source/ctr_mode.c + ${TINYCRYPT_DIR}/source/hmac.c + ${TINYCRYPT_DIR}/source/ecc_dh.c ) - endif() endif() if(CONFIG_BOOT_ENCRYPT_EC256) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index f9870248c..5de63a2e3 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -75,60 +75,6 @@ config BOOT_AES_MBEDTLS_DEPENDENCIES endif -if BOOT_USE_PSA_CRYPTO - -config BOOT_PSA_IMG_HASH_ALG_SHA256_DEPENDENCIES - bool - default y if BOOT_IMG_HASH_ALG_SHA256 - select PSA_WANT_ALG_SHA_256 - help - Dependencies for hashing with SHA256 - -config BOOT_ED25519_PSA_DEPENDENCIES - bool - select PSA_WANT_ALG_SHA_256 - select PSA_WANT_ALG_SHA_512 - select PSA_WANT_ALG_PURE_EDDSA - # Seems that upstream mbedTLS does not have TE - #select PSA_WANT_ECC_TWISTED_EDWARDS_255 - select PSA_WANT_ECC_MONTGOMERY_255 - select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT - help - Dependencies for ed25519 signature - -if BOOT_ENCRYPT_IMAGE - -config BOOT_X25519_PSA_DEPENDENCIES - bool - select PSA_WANT_ALG_ECDH - select PSA_WANT_ALG_HMAC - select PSA_WANT_ALG_HKDF - select PSA_WANT_ALG_CTR - select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT - select PSA_WANT_KEY_TYPE_DERIVE - select PSA_WANT_KEY_TYPE_AES - select PSA_WANT_ECC_MONTGOMERY_255 - help - Dependencies for x25519 shared-random key encryption and AES - encryption. The PSA_WANT_ALG_CTR and PSA_WANT_KEY_TYPE_AES - enable Counter based block cipher and AES key, and algorithm support, - to use with it; the others are used for shared key decryption - and derivation. - -endif # BOOT_ENCRYPT_IMAGE - -if MBEDTLS_ENABLE_HEAP - -config MBEDTLS_HEAP_SIZE - default 2048 if BOOT_USE_PSA_CRYPTO - help - The PSA internals need to be able to allocate memory for operation - and it uses mbedTLS heap for that. - -endif # MBEDTLS_ENABLE_HEAP - -endif # BOOT_USE_PSA_CRYPTO - menu "MCUBoot settings" config SINGLE_APPLICATION_SLOT @@ -210,7 +156,6 @@ config BOOT_SIGNATURE_TYPE_PURE_ALLOW choice BOOT_SIGNATURE_TYPE prompt "Signature type" - default BOOT_SIGNATURE_TYPE_ED25519 if SOC_NRF54L15_CPUAPP default BOOT_SIGNATURE_TYPE_RSA config BOOT_SIGNATURE_TYPE_NONE @@ -286,12 +231,10 @@ config BOOT_SIGNATURE_TYPE_PURE choice BOOT_ED25519_IMPLEMENTATION prompt "Ecdsa implementation" default BOOT_ED25519_TINYCRYPT - config BOOT_ED25519_TINYCRYPT bool "Use tinycrypt" select BOOT_USE_TINYCRYPT select BOOT_IMG_HASH_ALG_SHA512_ALLOW - config BOOT_ED25519_MBEDTLS bool "Use mbedTLS" select BOOT_USE_MBEDTLS @@ -299,17 +242,6 @@ config BOOT_ED25519_MBEDTLS select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE -config BOOT_ED25519_PSA - bool "Use PSA crypto" - select MBEDTLS - select BOOT_USE_PSA_CRYPTO - select MBEDTLS_PSA_CRYPTO_C - select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN - select PSA_CRYPTO_CLIENT - select PSA_CRYPTO_C - select BOOT_ED25519_PSA_DEPENDENCIES - select BOOT_X25519_PSA_DEPENDENCIES if BOOT_ENCRYPT_IMAGE - endchoice endif @@ -357,7 +289,7 @@ config MCUBOOT_CLEANUP_RAM if MBEDTLS config MBEDTLS_CFG_FILE - default "config-tls-generic.h" if MBEDTLS_BUILTIN || BOOT_USE_PSA_CRYPTO + default "config-tls-generic.h" if MBEDTLS_BUILTIN default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS endif From e77672933d66b2728f3d5b246cdaf62678cc935a Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 094/228] Revert "[nrf fromtree] bootutil: PSA implementation of x25519 and ed25519 verification" This reverts commit 6938931d4cafe2223e640ceeb85d55d2d6ee2958. --- .../include/bootutil/crypto/aes_ctr.h | 37 +- boot/bootutil/pkg.yml | 2 - boot/bootutil/src/ed25519_psa.c | 71 --- boot/bootutil/src/encrypted.c | 114 +++-- boot/bootutil/src/encrypted_psa.c | 454 ------------------ boot/bootutil/src/image_ed25519.c | 3 +- 6 files changed, 57 insertions(+), 624 deletions(-) delete mode 100644 boot/bootutil/src/ed25519_psa.c delete mode 100644 boot/bootutil/src/encrypted_psa.c diff --git a/boot/bootutil/include/bootutil/crypto/aes_ctr.h b/boot/bootutil/include/bootutil/crypto/aes_ctr.h index 23862825c..50d36a4fc 100644 --- a/boot/bootutil/include/bootutil/crypto/aes_ctr.h +++ b/boot/bootutil/include/bootutil/crypto/aes_ctr.h @@ -15,8 +15,8 @@ #include "mcuboot_config/mcuboot_config.h" #if (defined(MCUBOOT_USE_MBED_TLS) + \ - defined(MCUBOOT_USE_TINYCRYPT) + defined(MCUBOOT_USE_PSA_CRYPTO)) != 1 - #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT or PSA" + defined(MCUBOOT_USE_TINYCRYPT)) != 1 + #error "One crypto backend must be defined: either MBED_TLS or TINYCRYPT" #endif #if defined(MCUBOOT_USE_MBED_TLS) @@ -38,45 +38,12 @@ #define BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE TC_AES_BLOCK_SIZE #endif /* MCUBOOT_USE_TINYCRYPT */ -#if defined(MCUBOOT_USE_PSA_CRYPTO) - #include - #include "bootutil/enc_key_public.h" - #define BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE BOOT_ENC_KEY_SIZE - #define BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE (16) -#endif - #include #ifdef __cplusplus extern "C" { #endif -#if defined(MCUBOOT_USE_PSA_CRYPTO) -typedef struct { - /* Fixme: This should not be, here, psa_key_id should be passed */ - uint8_t key[BOOT_ENC_KEY_SIZE]; -} bootutil_aes_ctr_context; - -void bootutil_aes_ctr_init(bootutil_aes_ctr_context *ctx); - -static inline void bootutil_aes_ctr_drop(bootutil_aes_ctr_context *ctx) -{ - memset(ctx, 0, sizeof(ctx)); -} - -static inline int bootutil_aes_ctr_set_key(bootutil_aes_ctr_context *ctx, const uint8_t *k) -{ - memcpy(ctx->key, k, sizeof(ctx->key)); - - return 0; -} - -int bootutil_aes_ctr_encrypt(bootutil_aes_ctr_context *ctx, uint8_t *counter, - const uint8_t *m, uint32_t mlen, size_t blk_off, uint8_t *c); -int bootutil_aes_ctr_decrypt(bootutil_aes_ctr_context *ctx, uint8_t *counter, - const uint8_t *c, uint32_t clen, size_t blk_off, uint8_t *m); -#endif - #if defined(MCUBOOT_USE_MBED_TLS) typedef mbedtls_aes_context bootutil_aes_ctr_context; static inline void bootutil_aes_ctr_init(bootutil_aes_ctr_context *ctx) diff --git a/boot/bootutil/pkg.yml b/boot/bootutil/pkg.yml index 4a7fabc1c..ed6f35810 100644 --- a/boot/bootutil/pkg.yml +++ b/boot/bootutil/pkg.yml @@ -47,8 +47,6 @@ pkg.ign_files.BOOTUTIL_SINGLE_APPLICATION_SLOT: pkg.ign_files: - "ram_load.c" - - "ed25519_psa.c" # Currently no PSA for mynewet - - "encrypted_psa.c" pkg.deps.BOOTUTIL_USE_MBED_TLS: - "@apache-mynewt-core/crypto/mbedtls" diff --git a/boot/bootutil/src/ed25519_psa.c b/boot/bootutil/src/ed25519_psa.c deleted file mode 100644 index 12ba20ac1..000000000 --- a/boot/bootutil/src/ed25519_psa.c +++ /dev/null @@ -1,71 +0,0 @@ -/* - * Copyright (c) 2025 Nordic Semiconductor ASA - * - * SPDX-License-Identifier: Apache-2.0 - */ -#include -#include -#include - -#include -#include "bootutil/bootutil_log.h" - -#include -#include - -BOOT_LOG_MODULE_REGISTER(ed25519_psa); - -#define SHA512_DIGEST_LENGTH 64 -#define EDDSA_KEY_LENGTH 32 -#define EDDSA_SIGNAGURE_LENGTH 64 - -int ED25519_verify(const uint8_t *message, size_t message_len, - const uint8_t signature[EDDSA_SIGNAGURE_LENGTH], - const uint8_t public_key[EDDSA_KEY_LENGTH]) -{ - /* Set to any error */ - psa_status_t status = PSA_ERROR_BAD_STATE; - psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; - psa_key_id_t kid; - int ret = 0; /* Fail by default */ - - /* Initialize PSA Crypto */ - status = psa_crypto_init(); - if (status != PSA_SUCCESS) { - BOOT_LOG_ERR("PSA crypto init failed %d\n", status); - return 0; - } - - status = PSA_ERROR_BAD_STATE; - - psa_set_key_type(&key_attr, - PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS)); - psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_VERIFY_MESSAGE); - psa_set_key_algorithm(&key_attr, PSA_ALG_PURE_EDDSA); - - status = psa_import_key(&key_attr, public_key, EDDSA_KEY_LENGTH, &kid); - if (status != PSA_SUCCESS) { - BOOT_LOG_ERR("ED25519 key import failed %d", status); - return 0; - } - - status = psa_verify_message(kid, PSA_ALG_PURE_EDDSA, message, message_len, - signature, EDDSA_SIGNAGURE_LENGTH); - if (status != PSA_SUCCESS) { - BOOT_LOG_ERR("ED25519 signature verification failed %d", status); - ret = 0; - /* Pass through to destroy key */ - } else { - ret = 1; - /* Pass through to destroy key */ - } - - status = psa_destroy_key(kid); - - if (status != PSA_SUCCESS) { - /* Just for logging */ - BOOT_LOG_WRN("Failed to destroy key %d", status); - } - - return ret; -} diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c index 8c631d731..8449a28dd 100644 --- a/boot/bootutil/src/encrypted.c +++ b/boot/bootutil/src/encrypted.c @@ -3,7 +3,6 @@ * * Copyright (c) 2018-2019 JUUL Labs * Copyright (c) 2019-2024 Arm Limited - * Copyright (c) 2025 Nordic Semiconductor ASA */ #include "mcuboot_config/mcuboot_config.h" @@ -26,7 +25,6 @@ #include "bootutil/crypto/ecdh_p256.h" #endif -#if !defined(MCUBOOT_USE_PSA_CRYPTO) #if defined(MCUBOOT_ENCRYPT_X25519) #include "bootutil/crypto/ecdh_x25519.h" #endif @@ -37,7 +35,6 @@ #include "mbedtls/oid.h" #include "mbedtls/asn1.h" #endif -#endif #include "bootutil/image.h" #include "bootutil/enc_key.h" @@ -46,30 +43,6 @@ #include "bootutil_priv.h" -#define EXPECTED_ENC_LEN BOOT_ENC_TLV_SIZE - -#if defined(MCUBOOT_ENCRYPT_RSA) -# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_RSA2048 -#elif defined(MCUBOOT_ENCRYPT_KW) -# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_KW -#elif defined(MCUBOOT_ENCRYPT_EC256) -# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_EC256 -# define EC_PUBK_INDEX (0) -# define EC_TAG_INDEX (65) -# define EC_CIPHERKEY_INDEX (65 + 32) -_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN, - "Please fix ECIES-P256 component indexes"); -#elif defined(MCUBOOT_ENCRYPT_X25519) -# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_X25519 -# define EC_PUBK_INDEX (0) -# define EC_TAG_INDEX (32) -# define EC_CIPHERKEY_INDEX (32 + 32) -_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN, - "Please fix ECIES-X25519 component indexes"); -#endif - -/* NOUP Fixme: */ -#if !defined(CONFIG_BOOT_ED25519_PSA) #if defined(MCUBOOT_ENCRYPT_EC256) || defined(MCUBOOT_ENCRYPT_X25519) #if defined(_compare) static inline int bootutil_constant_time_compare(const uint8_t *a, const uint8_t *b, size_t size) @@ -378,6 +351,60 @@ int boot_enc_retrieve_private_key(struct bootutil_key **private_key) } #endif /* !MCUBOOT_ENC_BUILTIN_KEY */ +int +boot_enc_init(struct enc_key_data *enc_state, uint8_t slot) +{ + bootutil_aes_ctr_init(&enc_state[slot].aes_ctr); + return 0; +} + +int +boot_enc_drop(struct enc_key_data *enc_state, uint8_t slot) +{ + bootutil_aes_ctr_drop(&enc_state[slot].aes_ctr); + enc_state[slot].valid = 0; + return 0; +} + +int +boot_enc_set_key(struct enc_key_data *enc_state, uint8_t slot, + const struct boot_status *bs) +{ + int rc; + + rc = bootutil_aes_ctr_set_key(&enc_state[slot].aes_ctr, bs->enckey[slot]); + if (rc != 0) { + boot_enc_drop(enc_state, slot); + return -1; + } + + enc_state[slot].valid = 1; + + return 0; +} + +#define EXPECTED_ENC_LEN BOOT_ENC_TLV_SIZE + +#if defined(MCUBOOT_ENCRYPT_RSA) +# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_RSA2048 +#elif defined(MCUBOOT_ENCRYPT_KW) +# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_KW +#elif defined(MCUBOOT_ENCRYPT_EC256) +# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_EC256 +# define EC_PUBK_INDEX (0) +# define EC_TAG_INDEX (65) +# define EC_CIPHERKEY_INDEX (65 + 32) +_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN, + "Please fix ECIES-P256 component indexes"); +#elif defined(MCUBOOT_ENCRYPT_X25519) +# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_X25519 +# define EC_PUBK_INDEX (0) +# define EC_TAG_INDEX (32) +# define EC_CIPHERKEY_INDEX (32 + 32) +_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN, + "Please fix ECIES-X25519 component indexes"); +#endif + #if ( (defined(MCUBOOT_ENCRYPT_RSA) && defined(MCUBOOT_USE_MBED_TLS) && !defined(MCUBOOT_USE_PSA_CRYPTO)) || \ (defined(MCUBOOT_ENCRYPT_EC256) && defined(MCUBOOT_USE_MBED_TLS)) ) #if MBEDTLS_VERSION_NUMBER >= 0x03000000 @@ -600,7 +627,6 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey) return rc; } -#endif /* CONFIG_BOOT_ED25519_PSA */ /* * Load encryption key. @@ -655,38 +681,6 @@ boot_enc_load(struct enc_key_data *enc_state, int slot, return boot_decrypt_key(buf, bs->enckey[slot]); } -int -boot_enc_init(struct enc_key_data *enc_state, uint8_t slot) -{ - bootutil_aes_ctr_init(&enc_state[slot].aes_ctr); - return 0; -} - -int -boot_enc_drop(struct enc_key_data *enc_state, uint8_t slot) -{ - bootutil_aes_ctr_drop(&enc_state[slot].aes_ctr); - enc_state[slot].valid = 0; - return 0; -} - -int -boot_enc_set_key(struct enc_key_data *enc_state, uint8_t slot, - const struct boot_status *bs) -{ - int rc; - - rc = bootutil_aes_ctr_set_key(&enc_state[slot].aes_ctr, bs->enckey[slot]); - if (rc != 0) { - boot_enc_drop(enc_state, slot); - return -1; - } - - enc_state[slot].valid = 1; - - return 0; -} - bool boot_enc_valid(struct enc_key_data *enc_state, int slot) { diff --git a/boot/bootutil/src/encrypted_psa.c b/boot/bootutil/src/encrypted_psa.c deleted file mode 100644 index 441ce94df..000000000 --- a/boot/bootutil/src/encrypted_psa.c +++ /dev/null @@ -1,454 +0,0 @@ -/* - * Copyright (c) 2025 Nordic Semiconductor ASA - * - * SPDX-License-Identifier: Apache-2.0 - */ - -#include "mcuboot_config/mcuboot_config.h" - -#include -#include -#include - -/* We are not really using the MBEDTLS but need the ASN.1 parsing functions */ -#define MBEDTLS_ASN1_PARSE_C - -#include "bootutil/crypto/sha.h" -#include "mbedtls/oid.h" -#include "mbedtls/asn1.h" - -#include "bootutil/image.h" -#include "bootutil/enc_key.h" -#include "bootutil/sign_key.h" -#include "bootutil/crypto/common.h" - -#include "bootutil_priv.h" -#include "bootutil/bootutil_log.h" - -BOOT_LOG_MODULE_DECLARE(mcuboot_psa_enc); - -#define EXPECTED_ENC_LEN BOOT_ENC_TLV_SIZE -#define EXPECTED_ENC_TLV IMAGE_TLV_ENC_X25519 -#define EC_PUBK_INDEX (0) -#define EC_TAG_INDEX (32) -#define EC_CIPHERKEY_INDEX (32 + 32) -_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN, - "Please fix ECIES-X25519 component indexes"); - -#define X25519_OID "\x6e" -static const uint8_t ec_pubkey_oid[] = MBEDTLS_OID_ISO_IDENTIFIED_ORG \ - MBEDTLS_OID_ORG_GOV X25519_OID; - -#define SHARED_KEY_LEN 32 -#define PRIV_KEY_LEN 32 - -/* Fixme: This duplicates code from encrypted.c and depends on mbedtls */ -static int -parse_x25519_enckey(uint8_t **p, uint8_t *end, uint8_t *private_key) -{ - size_t len; - int version; - mbedtls_asn1_buf alg; - mbedtls_asn1_buf param; - - if (mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE) != 0) { - return -1; - } - - if (*p + len != end) { - return -2; - } - - version = 0; - if (mbedtls_asn1_get_int(p, end, &version) || version != 0) { - return -3; - } - - if (mbedtls_asn1_get_alg(p, end, &alg, ¶m) != 0) { - return -4; - } - - if (alg.ASN1_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 || - memcmp(alg.ASN1_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) { - return -5; - } - - if (mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_OCTET_STRING) != 0) { - return -6; - } - - if (mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_OCTET_STRING) != 0) { - return -7; - } - - if (len != PRIV_KEY_LEN) { - return -8; - } - - memcpy(private_key, *p, PRIV_KEY_LEN); - return 0; -} - -void bootutil_aes_ctr_init(bootutil_aes_ctr_context *ctx) -{ - psa_status_t psa_ret = psa_crypto_init(); - - (void)ctx; - - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("AES init PSA crypto init failed %d", psa_ret); - assert(0); - } -} - -#if defined(MCUBOOT_ENC_IMAGES) -extern const struct bootutil_key bootutil_enc_key; -/* - * Decrypt an encryption key TLV. - * - * @param buf An encryption TLV read from flash (build time fixed length) - * @param enckey An AES-128 or AES-256 key sized buffer to store to plain key. - */ -int -boot_decrypt_key(const uint8_t *buf, uint8_t *enckey) -{ - uint8_t derived_key[BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE]; - uint8_t *cp; - uint8_t *cpend; - uint8_t private_key[PRIV_KEY_LEN]; - size_t len; - psa_status_t psa_ret = PSA_ERROR_BAD_STATE; - psa_status_t psa_cleanup_ret = PSA_ERROR_BAD_STATE; - psa_key_id_t kid; - psa_key_attributes_t kattr = PSA_KEY_ATTRIBUTES_INIT; - psa_key_derivation_operation_t key_do = PSA_KEY_DERIVATION_OPERATION_INIT; - psa_algorithm_t key_do_alg; - int rc = -1; - - cp = (uint8_t *)bootutil_enc_key.key; - cpend = cp + *bootutil_enc_key.len; - - /* The psa_cipher_decrypt needs initialization vector of proper length at - * the beginning of the input buffer. - */ - uint8_t iv_and_key[PSA_CIPHER_IV_LENGTH(PSA_KEY_TYPE_AES, PSA_ALG_CTR) + - BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE]; - - psa_ret = psa_crypto_init(); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("AES crypto init failed %d", psa_ret); - return -1; - } - - /* - * Load the stored X25519 decryption private key - */ - rc = parse_x25519_enckey(&cp, cpend, private_key); - if (rc) { - return rc; - } - - psa_set_key_type(&kattr, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY)); - psa_set_key_usage_flags(&kattr, PSA_KEY_USAGE_DERIVE); - psa_set_key_algorithm(&kattr, PSA_ALG_ECDH); - - psa_ret = psa_import_key(&kattr, private_key, sizeof(private_key), &kid); - memset(private_key, 0, sizeof(private_key)); - psa_reset_key_attributes(&kattr); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("Built-in key import failed %d", psa_ret); - return -1; - } - - key_do_alg = PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)); - - psa_ret = psa_key_derivation_setup(&key_do, key_do_alg); - if (psa_ret != PSA_SUCCESS) { - psa_cleanup_ret = psa_destroy_key(kid); - if (psa_cleanup_ret != PSA_SUCCESS) { - BOOT_LOG_WRN("Built-in key destruction failed %d", psa_cleanup_ret); - } - BOOT_LOG_ERR("Key derivation setup failed %d", psa_ret); - return -1; - } - - /* Note: PSA 1.1.2 does not have psa_key_agreement that would be useful here - * as it could just add the derived key to the storage and return key id. - * Instead, we have to use the code below to generate derived key and put it - * into storage, to obtain the key id we can then use with psa_mac_* functions. - */ - psa_ret = psa_key_derivation_key_agreement(&key_do, PSA_KEY_DERIVATION_INPUT_SECRET, - kid, &buf[EC_PUBK_INDEX], - BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE); - psa_cleanup_ret = psa_destroy_key(kid); - if (psa_cleanup_ret != PSA_SUCCESS) { - BOOT_LOG_WRN("Built-in key destruction failed %d", psa_cleanup_ret); - } - if (psa_ret != PSA_SUCCESS) { - psa_cleanup_ret = psa_key_derivation_abort(&key_do); - if (psa_cleanup_ret != PSA_SUCCESS) { - BOOT_LOG_WRN("Key derivation abort failed %d", psa_ret); - } - - BOOT_LOG_ERR("Key derivation failed %d", psa_ret); - return -1; - } - - /* Only info, no salt */ - psa_ret = psa_key_derivation_input_bytes(&key_do, PSA_KEY_DERIVATION_INPUT_INFO, - "MCUBoot_ECIES_v1", 16); - if (psa_ret != PSA_SUCCESS) { - psa_cleanup_ret = psa_key_derivation_abort(&key_do); - if (psa_cleanup_ret != PSA_SUCCESS) { - BOOT_LOG_WRN("Key derivation abort failed %d", psa_ret); - } - BOOT_LOG_ERR("Key derivation failed %d", psa_ret); - return -1; - } - - len = BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE; - psa_ret = psa_key_derivation_output_bytes(&key_do, derived_key, len); - psa_cleanup_ret = psa_key_derivation_abort(&key_do); - if (psa_cleanup_ret != PSA_SUCCESS) { - BOOT_LOG_WRN("Key derivation cleanup failed %d", psa_ret); - } - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("Key derivation failed %d", psa_ret); - return -1; - } - - /* The derived key consists of BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE bytes - * followed by BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE bytes. Both parts will - * be imported at the point where needed and discarded immediately after. - */ - psa_set_key_type(&kattr, PSA_KEY_TYPE_HMAC); - psa_set_key_usage_flags(&kattr, PSA_KEY_USAGE_VERIFY_MESSAGE); - psa_set_key_algorithm(&kattr, PSA_ALG_HMAC(PSA_ALG_SHA_256)); - - /* Import the MAC tag key part of derived key, that is the part that starts - * after BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE and has length of - * BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE bytes. - */ - psa_ret = psa_import_key(&kattr, - &derived_key[BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE], - BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE, &kid); - psa_reset_key_attributes(&kattr); - if (psa_ret != PSA_SUCCESS) { - memset(derived_key, 0, sizeof(derived_key)); - BOOT_LOG_ERR("MAC key import failed %d", psa_ret); - return -1; - } - - /* Verify the MAC tag of the random encryption key */ - psa_ret = psa_mac_verify(kid, PSA_ALG_HMAC(PSA_ALG_SHA_256), - &buf[EC_CIPHERKEY_INDEX], BOOT_ENC_KEY_SIZE, - &buf[EC_TAG_INDEX], - BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE); - psa_cleanup_ret = psa_destroy_key(kid); - if (psa_cleanup_ret != PSA_SUCCESS) { - BOOT_LOG_WRN("MAC key destruction failed %d", psa_cleanup_ret); - } - if (psa_ret != PSA_SUCCESS) { - memset(derived_key, 0, sizeof(derived_key)); - BOOT_LOG_ERR("MAC verification failed %d", psa_ret); - return -1; - } - - /* The derived key is used in AES decryption of random key */ - psa_set_key_type(&kattr, PSA_KEY_TYPE_AES); - psa_set_key_usage_flags(&kattr, PSA_KEY_USAGE_DECRYPT); - psa_set_key_algorithm(&kattr, PSA_ALG_CTR); - - /* Import the AES partition of derived key, the first 16 bytes */ - psa_ret = psa_import_key(&kattr, &derived_key[0], - BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE, &kid); - memset(derived_key, 0, sizeof(derived_key)); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("AES key import failed %d", psa_ret); - return -1; - } - - /* Decrypt the random AES encryption key with AES and the key obtained - * at derivation. */ - memset(&iv_and_key[0], 0, PSA_CIPHER_IV_LENGTH(PSA_KEY_TYPE_AES, PSA_ALG_CTR)); - memcpy(&iv_and_key[PSA_CIPHER_IV_LENGTH(PSA_KEY_TYPE_AES, PSA_ALG_CTR)], - &buf[EC_CIPHERKEY_INDEX], - sizeof(iv_and_key) - PSA_CIPHER_IV_LENGTH(PSA_KEY_TYPE_AES, PSA_ALG_CTR)); - - len = 0; - psa_ret = psa_cipher_decrypt(kid, PSA_ALG_CTR, iv_and_key, sizeof(iv_and_key), - enckey, BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE, &len); - memset(iv_and_key, 0, sizeof(iv_and_key)); - psa_cleanup_ret = psa_destroy_key(kid); - if (psa_cleanup_ret != PSA_SUCCESS) { - BOOT_LOG_WRN("AES key destruction failed %d", psa_cleanup_ret); - } - if (psa_ret != PSA_SUCCESS || len != BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE) { - memset(enckey, 0, BOOTUTIL_CRYPTO_AES_CTR_KEY_SIZE); - BOOT_LOG_ERR("Random key decryption failed %d", psa_ret); - return -1; - } - - return 0; -} - -int bootutil_aes_ctr_encrypt(bootutil_aes_ctr_context *ctx, uint8_t *counter, - const uint8_t *m, uint32_t mlen, size_t blk_off, uint8_t *c) -{ - int ret = 0; - psa_status_t psa_ret = PSA_ERROR_BAD_STATE; - psa_key_attributes_t kattr = PSA_KEY_ATTRIBUTES_INIT; - psa_key_id_t kid; - psa_cipher_operation_t psa_op; - size_t elen = 0; /* Decrypted length */ - - /* Fixme: calling psa_crypto_init multiple times is not a problem, - * yet the code here is only present because there is not general - * crypto init. */ - psa_ret = psa_crypto_init(); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("PSA crypto init failed %d", psa_ret); - ret = -1; - goto gone; - } - - psa_op = psa_cipher_operation_init(); - - /* Fixme: Import should happen when key is decrypted, but due to lack - * of key destruction there is no way to destroy key stored by - * psa other way than here. */ - psa_set_key_type(&kattr, PSA_KEY_TYPE_AES); - psa_set_key_usage_flags(&kattr, PSA_KEY_USAGE_ENCRYPT); - psa_set_key_algorithm(&kattr, PSA_ALG_CTR); - - psa_ret = psa_import_key(&kattr, ctx->key, BOOT_ENC_KEY_SIZE, &kid); - psa_reset_key_attributes(&kattr); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("AES enc import key failed %d", psa_ret); - ret = -1; - goto gone; - } - - /* This could be done with psa_cipher_decrypt one-shot operation, but - * multi-part operation is used to avoid re-allocating input buffer - * to account for IV in front of data. - */ - psa_ret = psa_cipher_encrypt_setup(&psa_op, kid, PSA_ALG_CTR); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("AES enc setup failed %d", psa_ret); - ret = -1; - goto gone_with_key; - } - - /* Fixme: hardcoded counter size, but it is hardcoded everywhere */ - psa_ret = psa_cipher_set_iv(&psa_op, counter, 16); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("AES enc IV set failed %d", psa_ret); - ret = -1; - goto gone_after_setup; - } - - psa_ret = psa_cipher_update(&psa_op, m, mlen, c, mlen, &elen); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("AES enc encryption failed %d", psa_ret); - ret = -1; - goto gone_after_setup; - } - -gone_after_setup: - psa_ret = psa_cipher_abort(&psa_op); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_WRN("AES enc cipher abort failed %d", psa_ret); - /* Intentionally not changing the ret */ - } -gone_with_key: - /* Fixme: Should be removed once key is shared by id */ - psa_ret = psa_destroy_key(kid); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_WRN("AES enc destroy key failed %d", psa_ret); - /* Intentionally not changing the ret */ - } -gone: - return ret; -} - -int bootutil_aes_ctr_decrypt(bootutil_aes_ctr_context *ctx, uint8_t *counter, - const uint8_t *c, uint32_t clen, size_t blk_off, uint8_t *m) -{ - int ret = 0; - psa_status_t psa_ret = PSA_ERROR_BAD_STATE; - psa_key_attributes_t kattr = PSA_KEY_ATTRIBUTES_INIT; - psa_key_id_t kid; - psa_cipher_operation_t psa_op; - size_t dlen = 0; /* Decrypted length */ - - /* Fixme: the init should already happen before calling the function, but - * somehow it does not, for example when recovering in swap. - */ - psa_ret = psa_crypto_init(); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("PSA crypto init failed %d", psa_ret); - ret = -1; - goto gone; - } - - psa_op = psa_cipher_operation_init(); - - /* Fixme: Import should happen when key is decrypted, but due to lack - * of key destruction there is no way to destroy key stored by - * psa other way than here. */ - psa_set_key_type(&kattr, PSA_KEY_TYPE_AES); - psa_set_key_usage_flags(&kattr, PSA_KEY_USAGE_DECRYPT); - psa_set_key_algorithm(&kattr, PSA_ALG_CTR); - - psa_ret = psa_import_key(&kattr, ctx->key, BOOT_ENC_KEY_SIZE, &kid); - psa_reset_key_attributes(&kattr); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("AES dec import key failed %d", psa_ret); - ret = -1; - goto gone; - } - - /* This could be done with psa_cipher_decrypt one-shot operation, but - * multi-part operation is used to avoid re-allocating input buffer - * to account for IV in front of data. - */ - psa_ret = psa_cipher_decrypt_setup(&psa_op, kid, PSA_ALG_CTR); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("AES dec setup failed %d", psa_ret); - ret = -1; - goto gone_with_key; - } - - /* Fixme: hardcoded counter size, but it is hardcoded everywhere */ - psa_ret = psa_cipher_set_iv(&psa_op, counter, 16); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("AES dec IV set failed %d", psa_ret); - ret = -1; - goto gone_after_setup; - } - - psa_ret = psa_cipher_update(&psa_op, c, clen, m, clen, &dlen); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_ERR("AES dec decryption failed %d", psa_ret); - ret = -1; - goto gone_after_setup; - } - -gone_after_setup: - psa_ret = psa_cipher_abort(&psa_op); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_WRN("PSA dec abort failed %d", psa_ret); - /* Intentionally not changing the ret */ - } -gone_with_key: - psa_ret = psa_destroy_key(kid); - if (psa_ret != PSA_SUCCESS) { - BOOT_LOG_WRN("PSA dec key failed %d", psa_ret); - /* Intentionally not changing the ret */ - } -gone: - return ret; -} -#endif /* defined(MCUBOOT_ENC_IMAGES) */ diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index 0c5810666..238c9d671 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -3,7 +3,6 @@ * * Copyright (c) 2019 JUUL Labs * Copyright (c) 2021-2023 Arm Limited - * Copyright (c) 2025 Nordic Semiconductor ASA */ #include @@ -86,7 +85,7 @@ bootutil_verify(uint8_t *buf, uint32_t blen, uint8_t *pubkey; uint8_t *end; - if (blen != IMAGE_HASH_SIZE || slen != EDDSA_SIGNATURE_LENGTH) { + if (slen != EDDSA_SIGNATURE_LENGTH) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } From ba302f046fda92e43ee3b90c986b03d4e959c5f2 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 095/228] Revert "[nrf fromtree] zephyr: Fix image encryption configuration for mbedTLS." This reverts commit 96d10de4a42f4cccd540c7b5ecfbaf663c51eac2. --- boot/zephyr/Kconfig | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 5de63a2e3..2b335498c 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -66,15 +66,6 @@ config NRF_CC310_BL bool default n -if BOOT_USE_MBEDTLS && MBEDTLS_BUILTIN - -config BOOT_AES_MBEDTLS_DEPENDENCIES - bool - select MBEDTLS_CIPHER_AES_ENABLED - select MBEDTLS_CIPHER_MODE_CTR_ENABLED - -endif - menu "MCUBoot settings" config SINGLE_APPLICATION_SLOT @@ -171,7 +162,6 @@ config BOOT_SIGNATURE_TYPE_RSA select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED if MBEDTLS_BUILTIN select BOOT_ENCRYPTION_SUPPORT select BOOT_IMG_HASH_ALG_SHA256_ALLOW - select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE if BOOT_SIGNATURE_TYPE_RSA config BOOT_SIGNATURE_TYPE_RSA_LEN @@ -240,7 +230,6 @@ config BOOT_ED25519_MBEDTLS select BOOT_USE_MBEDTLS select MBEDTLS select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN - select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE endchoice endif From e5e61ac2710bad2ee76b36d6409770112e023ea5 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 096/228] Revert "[nrf fromtree] zephyr: Add Kconfig option to select PureEdDS" This reverts commit 0bb59a7277454bc2ca56e695c7877f622fd6f4aa. --- boot/zephyr/Kconfig | 30 ++----------------- .../include/mcuboot_config/mcuboot_config.h | 4 --- 2 files changed, 2 insertions(+), 32 deletions(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 2b335498c..33708b8a2 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -137,14 +137,6 @@ config BOOT_IMG_HASH_ALG_SHA512 endchoice # BOOT_IMG_HASH_ALG -config BOOT_SIGNATURE_TYPE_PURE_ALLOW - bool - help - Hidden option set by configurations that allow Pure variant, - for example ed25519. The pure variant means that image - signature is calculated over entire image instead of hash - of an image. - choice BOOT_SIGNATURE_TYPE prompt "Signature type" default BOOT_SIGNATURE_TYPE_RSA @@ -196,28 +188,10 @@ endif config BOOT_SIGNATURE_TYPE_ED25519 bool "Edwards curve digital signatures using ed25519" - select BOOT_ENCRYPTION_SUPPORT if !BOOT_SIGNATURE_TYPE_PURE - select BOOT_IMG_HASH_ALG_SHA256_ALLOW if !BOOT_SIGNATURE_TYPE_PURE - # The SHA is used only for key hashing, not for images. - select BOOT_SIGNATURE_TYPE_PURE_ALLOW - help - This is ed25519 signature calculated over SHA512 of SHA256 of application - image. - To check signature over entire image directly, rather than hash, - select BOOT_SIGNATURE_TYPE_PURE. + select BOOT_ENCRYPTION_SUPPORT + select BOOT_IMG_HASH_ALG_SHA256_ALLOW if BOOT_SIGNATURE_TYPE_ED25519 - -config BOOT_SIGNATURE_TYPE_PURE - bool "Use Pure signature of image" - depends on BOOT_SIGNATURE_TYPE_PURE_ALLOW - help - The Pure signature is calculated directly over image rather than - hash of an image, as the BOOT_SIGNATURE_TYPE_ED25519 does by - default. - Image to be verified needs to be accessible through memory address - space that cryptography functions can access via pointers. - choice BOOT_ED25519_IMPLEMENTATION prompt "Ecdsa implementation" default BOOT_ED25519_TINYCRYPT diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index db80f1882..cb3d26535 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -155,10 +155,6 @@ #define MCUBOOT_HASH_STORAGE_DIRECTLY #endif -#ifdef CONFIG_BOOT_SIGNATURE_TYPE_PURE -#define MCUBOOT_SIGN_PURE -#endif - #ifdef CONFIG_BOOT_BOOTSTRAP #define MCUBOOT_BOOTSTRAP 1 #endif From f612f18a2289a5e84dc16fc6eda088dd6f2b82a1 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 097/228] Revert "[nrf fromtree] zephyr: Add Kconfig and configuration for SHA on storage" This reverts commit e8142682fecd3dfdfa1fa246b6bdaed90a4aa76d. --- boot/zephyr/Kconfig | 16 ---------------- .../include/mcuboot_config/mcuboot_config.h | 7 ------- 2 files changed, 23 deletions(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 33708b8a2..915075819 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -91,22 +91,6 @@ config BOOT_IMG_HASH_ALG_SHA512_ALLOW help Hidden option set by configurations that allow SHA512 -config BOOT_IMG_HASH_DIRECTLY_ON_STORAGE - bool "Hash calculation functions access storage through address space" - depends on !BOOT_ENCRYPT_IMAGE - help - When possible to map storage device, at least for read operations, - to address space or RAM area, enabling this option allows hash - calculation functions to directly access the storage through that address - space or using its own DMA. This reduces flash read overhead done - by MCUboot. - Notes: - - not supported when encrypted images are in use, because calculating - SHA requires image to be decrypted first, which is done in RAM. - - currently only supported on internal storage of devices; this - option will not work with devices that use external storage for - either of the image slots. - choice BOOT_IMG_HASH_ALG prompt "Selected image hash algorithm" default BOOT_IMG_HASH_ALG_SHA256 if BOOT_IMG_HASH_ALG_SHA256_ALLOW diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index cb3d26535..4743539f1 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -148,13 +148,6 @@ #define MCUBOOT_DECOMPRESS_IMAGES #endif -/* Invoke hashing functions directly on storage device. This requires the device - * be able to map storage to address space or RAM. - */ -#ifdef CONFIG_BOOT_IMG_HASH_DIRECTLY_ON_STORAGE -#define MCUBOOT_HASH_STORAGE_DIRECTLY -#endif - #ifdef CONFIG_BOOT_BOOTSTRAP #define MCUBOOT_BOOTSTRAP 1 #endif From 9bfc0fa57e9c8e7ada20b3134db5452536688d3c Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 098/228] Revert "[nrf fromtree] zephyr: Allow SHA512 with TinyCrypt" This reverts commit 29818ad3bbfcc38df973aa365d65f083039b885e. --- boot/zephyr/Kconfig | 1 - 1 file changed, 1 deletion(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 915075819..512f485f6 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -182,7 +182,6 @@ choice BOOT_ED25519_IMPLEMENTATION config BOOT_ED25519_TINYCRYPT bool "Use tinycrypt" select BOOT_USE_TINYCRYPT - select BOOT_IMG_HASH_ALG_SHA512_ALLOW config BOOT_ED25519_MBEDTLS bool "Use mbedTLS" select BOOT_USE_MBEDTLS From 5c254494c61ede0046bd9d00e07dbe8ff9120ba1 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 099/228] Revert "[nrf fromtree] bootutil: PureEdDSA using ED25519" This reverts commit 16750b3086de90301aadaead72235706747ef9d2. --- boot/bootutil/src/bootutil_priv.h | 9 --- boot/bootutil/src/image_ed25519.c | 59 ++---------------- boot/bootutil/src/image_validate.c | 96 ++---------------------------- docs/design.md | 2 - 4 files changed, 12 insertions(+), 154 deletions(-) diff --git a/boot/bootutil/src/bootutil_priv.h b/boot/bootutil/src/bootutil_priv.h index 5703f627a..345933a5f 100644 --- a/boot/bootutil/src/bootutil_priv.h +++ b/boot/bootutil/src/bootutil_priv.h @@ -267,18 +267,9 @@ struct boot_loader_state { #endif /* MCUBOOT_DIRECT_XIP || MCUBOOT_RAM_LOAD */ }; -/* The function is intended for verification of image hash against - * provided signature. - */ fih_ret bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen, uint8_t key_id); -/* The function is intended for direct verification of image - * against provided signature. - */ -fih_ret bootutil_verify_img(uint8_t *img, uint32_t size, - uint8_t *sig, size_t slen, uint8_t key_id); - fih_ret boot_fih_memequal(const void *s1, const void *s2, size_t n); int boot_find_status(int image_index, const struct flash_area **fap); diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index 238c9d671..4a5755b66 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -69,23 +69,17 @@ bootutil_import_key(uint8_t **cp, uint8_t *end) return 0; } -/* Signature verification base function. - * The function takes buffer of specified length and tries to verify - * it against provided signature. - * The function does key import and checks whether signature is - * of expected length. - */ -static fih_ret -bootutil_verify(uint8_t *buf, uint32_t blen, - uint8_t *sig, size_t slen, - uint8_t key_id) +fih_ret +bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen, + uint8_t key_id) { int rc; FIH_DECLARE(fih_rc, FIH_FAILURE); uint8_t *pubkey; uint8_t *end; - if (slen != EDDSA_SIGNATURE_LENGTH) { + if (hlen != IMAGE_HASH_SIZE || + slen != EDDSA_SIGNATURE_LENGTH) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } @@ -99,7 +93,7 @@ bootutil_verify(uint8_t *buf, uint32_t blen, goto out; } - rc = ED25519_verify(buf, blen, sig, pubkey); + rc = ED25519_verify(hash, IMAGE_HASH_SIZE, sig, pubkey); if (rc == 0) { /* if verify returns 0, there was an error. */ @@ -113,45 +107,4 @@ bootutil_verify(uint8_t *buf, uint32_t blen, FIH_RET(fih_rc); } -/* Hash signature verification function. - * Verifies hash against provided signature. - * The function verifies that hash is of expected size and then - * calls bootutil_verify to do the signature verification. - */ -fih_ret -bootutil_verify_sig(uint8_t *hash, uint32_t hlen, - uint8_t *sig, size_t slen, - uint8_t key_id) -{ - FIH_DECLARE(fih_rc, FIH_FAILURE); - - if (hlen != IMAGE_HASH_SIZE) { - FIH_SET(fih_rc, FIH_FAILURE); - goto out; - } - - FIH_CALL(bootutil_verify, fih_rc, hash, IMAGE_HASH_SIZE, sig, - slen, key_id); - -out: - FIH_RET(fih_rc); -} - -/* Image verification function. - * The function directly calls bootutil_verify to verify signature - * of image. - */ -fih_ret -bootutil_verify_img(uint8_t *img, uint32_t size, - uint8_t *sig, size_t slen, - uint8_t key_id) -{ - FIH_DECLARE(fih_rc, FIH_FAILURE); - - FIH_CALL(bootutil_verify, fih_rc, img, size, sig, - slen, key_id); - - FIH_RET(fih_rc); -} - #endif /* MCUBOOT_SIGN_ED25519 */ diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index e038f22fe..ae22e27ed 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -56,7 +56,6 @@ #include "bootutil_priv.h" -#ifndef MCUBOOT_SIGN_PURE /* * Compute SHA hash over the image. * (SHA384 if ECDSA-P384 is being used, @@ -176,7 +175,6 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, return 0; } -#endif /* * Currently, we only support being able to verify one type of @@ -363,44 +361,6 @@ bootutil_get_img_security_cnt(struct image_header *hdr, return 0; } -#if defined(MCUBOOT_SIGN_PURE) -/* Returns: - * 0 -- found - * 1 -- not found or found but not true - * -1 -- failed for some reason - * - * Value of TLV does not matter, presence decides. - */ -static int bootutil_check_for_pure(const struct image_header *hdr, - const struct flash_area *fap) -{ - struct image_tlv_iter it; - uint32_t off; - uint16_t len; - int32_t rc; - - rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_SIG_PURE, false); - if (rc) { - return -1; - } - - /* Search for the TLV */ - rc = bootutil_tlv_iter_next(&it, &off, &len, NULL); - if (rc == 0 && len == 1) { - uint8_t val; - - rc = LOAD_IMAGE_DATA(hdr, fap, off, &val, sizeof(val)); - if (rc == 0) { - return (val == 1) ? 0 : 1; - } else { - return -1; - } - } - - return 1; -} -#endif - #ifndef ALLOW_ROGUE_TLVS /* * The following list of TLVs are the only entries allowed in the unprotected @@ -417,9 +377,6 @@ static const uint16_t allowed_unprot_tlvs[] = { IMAGE_TLV_ECDSA_SIG, IMAGE_TLV_RSA3072_PSS, IMAGE_TLV_ED25519, -#if defined(MCUBOOT_SIGN_PURE) - IMAGE_TLV_SIG_PURE, -#endif IMAGE_TLV_ENC_RSA2048, IMAGE_TLV_ENC_KW, IMAGE_TLV_ENC_EC256, @@ -442,6 +399,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, uint32_t off; uint16_t len; uint16_t type; + int image_hash_valid = 0; #ifdef EXPECTED_SIG_TLV FIH_DECLARE(valid_signature, FIH_FAILURE); #ifndef MCUBOOT_BUILTIN_KEY @@ -458,10 +416,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, #endif /* EXPECTED_SIG_TLV */ struct image_tlv_iter it; uint8_t buf[SIG_BUF_SIZE]; -#if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) - int image_hash_valid = 0; uint8_t hash[IMAGE_HASH_SIZE]; -#endif int rc = 0; FIH_DECLARE(fih_rc, FIH_FAILURE); #ifdef MCUBOOT_HW_ROLLBACK_PROT @@ -470,7 +425,6 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, FIH_DECLARE(security_counter_valid, FIH_FAILURE); #endif -#if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) rc = bootutil_img_hash(enc_state, image_index, hdr, fap, tmp_buf, tmp_buf_sz, hash, seed, seed_len); if (rc) { @@ -480,15 +434,6 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, if (out_hash) { memcpy(out_hash, hash, IMAGE_HASH_SIZE); } -#endif - -#if defined(MCUBOOT_SIGN_PURE) - /* If Pure type signature is expected then it has to be there */ - rc = bootutil_check_for_pure(hdr, fap); - if (rc != 0) { - goto out; - } -#endif rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false); if (rc) { @@ -532,10 +477,8 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, } } #endif - switch(type) { -#if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) - case EXPECTED_HASH_TLV: - { + + if (type == EXPECTED_HASH_TLV) { /* Verify the image hash. This must always be present. */ if (len != sizeof(hash)) { rc = -1; @@ -553,12 +496,8 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, } image_hash_valid = 1; - break; - } -#endif /* defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) */ #ifdef EXPECTED_KEY_TLV - case EXPECTED_KEY_TLV: - { + } else if (type == EXPECTED_KEY_TLV) { /* * Determine which key we should be checking. */ @@ -583,12 +522,9 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, * The key may not be found, which is acceptable. There * can be multiple signatures, each preceded by a key. */ - break; - } #endif /* EXPECTED_KEY_TLV */ #ifdef EXPECTED_SIG_TLV - case EXPECTED_SIG_TLV: - { + } else if (type == EXPECTED_SIG_TLV) { /* Ignore this signature if it is out of bounds. */ if (key_id < 0 || key_id >= bootutil_key_cnt) { key_id = -1; @@ -602,25 +538,12 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, if (rc) { goto out; } -#ifndef MCUBOOT_SIGN_PURE FIH_CALL(bootutil_verify_sig, valid_signature, hash, sizeof(hash), buf, len, key_id); -#else - /* Directly check signature on the image, by using the mapping of - * a device to memory. The pointer is beginning of image in flash, - * so offset of area, the range is header + image + protected tlvs. - */ - FIH_CALL(bootutil_verify_img, valid_signature, (void *)flash_area_get_off(fap), - hdr->ih_hdr_size + hdr->ih_img_size + hdr->ih_protect_tlv_size, - buf, len, key_id); -#endif key_id = -1; - break; - } #endif /* EXPECTED_SIG_TLV */ #ifdef MCUBOOT_HW_ROLLBACK_PROT - case IMAGE_TLV_SEC_CNT: - { + } else if (type == IMAGE_TLV_SEC_CNT) { /* * Verify the image's security counter. * This must always be present. @@ -655,21 +578,14 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index, /* The image's security counter has been successfully verified. */ security_counter_valid = fih_rc; - break; - } #endif /* MCUBOOT_HW_ROLLBACK_PROT */ } } -#if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) rc = !image_hash_valid; if (rc) { goto out; } -#elif defined(MCUBOOT_SIGN_PURE) - /* This returns true on EQ, rc is err on non-0 */ - rc = FIH_NOT_EQ(valid_signature, FIH_SUCCESS); -#endif #ifdef EXPECTED_SIG_TLV FIH_SET(fih_rc, valid_signature); #endif diff --git a/docs/design.md b/docs/design.md index b1979a7c2..7fa06fe6b 100755 --- a/docs/design.md +++ b/docs/design.md @@ -111,8 +111,6 @@ struct image_tlv { #define IMAGE_TLV_ECDSA_SIG 0x22 /* ECDSA of hash output */ #define IMAGE_TLV_RSA3072_PSS 0x23 /* RSA3072 of hash output */ #define IMAGE_TLV_ED25519 0x24 /* ED25519 of hash output */ -#define IMAGE_TLV_SIG_PURE 0x25 /* If true then any signature found has been - calculated over image directly. */ #define IMAGE_TLV_ENC_RSA2048 0x30 /* Key encrypted with RSA-OAEP-2048 */ #define IMAGE_TLV_ENC_KW 0x31 /* Key encrypted with AES-KW-128 or 256 */ From bb08883b5a0a2d428a3df7dede41ebe2408177e5 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 100/228] Revert "[nrf fromtree] bootutil: Enable hash calculation directly on storage" This reverts commit 411c06e61f2be24251c15042f69f77108f49b29a. --- boot/bootutil/src/image_validate.c | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index ae22e27ed..ec5d986df 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -68,15 +68,13 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, uint8_t *seed, int seed_len) { bootutil_sha_context sha_ctx; + uint32_t blk_sz; uint32_t size; uint16_t hdr_size; + uint32_t off; + int rc; uint32_t blk_off; uint32_t tlv_off; -#if !defined(MCUBOOT_HASH_STORAGE_DIRECTLY) - int rc; - uint32_t off; - uint32_t blk_sz; -#endif #if (BOOT_IMAGE_NUMBER == 1) || !defined(MCUBOOT_ENC_IMAGES) || \ defined(MCUBOOT_RAM_LOAD) @@ -119,12 +117,6 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, /* If protected TLVs are present they are also hashed. */ size += hdr->ih_protect_tlv_size; -#ifdef MCUBOOT_HASH_STORAGE_DIRECTLY - /* No chunk loading, storage is mapped to address space and can - * be directly given to hashing function. - */ - bootutil_sha_update(&sha_ctx, (void *)flash_area_get_off(fap), size); -#else /* MCUBOOT_HASH_STORAGE_DIRECTLY */ #ifdef MCUBOOT_RAM_LOAD bootutil_sha_update(&sha_ctx, (void*)(IMAGE_RAM_BASE + hdr->ih_load_addr), @@ -169,7 +161,6 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index, bootutil_sha_update(&sha_ctx, tmp_buf, blk_sz); } #endif /* MCUBOOT_RAM_LOAD */ -#endif /* MCUBOOT_HASH_STORAGE_DIRECTLY */ bootutil_sha_finish(&sha_ctx, hash_result); bootutil_sha_drop(&sha_ctx); From 61ff2bd0c5ab633a3a045adab2762d9462a613c3 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 101/228] Revert "[nrf fromtree] bootutil: Allow SHA512 with TinyCrypt" This reverts commit e3ce7c39563926e12c3e1ff79df3dae63350aa1a. --- boot/bootutil/include/bootutil/crypto/sha.h | 20 -------------------- boot/bootutil/src/image_ed25519.c | 9 +++------ 2 files changed, 3 insertions(+), 26 deletions(-) diff --git a/boot/bootutil/include/bootutil/crypto/sha.h b/boot/bootutil/include/bootutil/crypto/sha.h index b83a3ec40..6ba8d946d 100644 --- a/boot/bootutil/include/bootutil/crypto/sha.h +++ b/boot/bootutil/include/bootutil/crypto/sha.h @@ -70,11 +70,7 @@ #endif /* MCUBOOT_USE_MBED_TLS */ #if defined(MCUBOOT_USE_TINYCRYPT) -#if defined(MCUBOOT_SHA512) - #include -#else #include -#endif #include #endif /* MCUBOOT_USE_TINYCRYPT */ @@ -197,19 +193,11 @@ static inline int bootutil_sha_finish(bootutil_sha_context *ctx, #endif /* MCUBOOT_USE_MBED_TLS */ #if defined(MCUBOOT_USE_TINYCRYPT) -#if defined(MCUBOOT_SHA512) -typedef struct tc_sha512_state_struct bootutil_sha_context; -#else typedef struct tc_sha256_state_struct bootutil_sha_context; -#endif static inline int bootutil_sha_init(bootutil_sha_context *ctx) { -#if defined(MCUBOOT_SHA512) - tc_sha512_init(ctx); -#else tc_sha256_init(ctx); -#endif return 0; } @@ -223,21 +211,13 @@ static inline int bootutil_sha_update(bootutil_sha_context *ctx, const void *data, uint32_t data_len) { -#if defined(MCUBOOT_SHA512) - return tc_sha512_update(ctx, data, data_len); -#else return tc_sha256_update(ctx, data, data_len); -#endif } static inline int bootutil_sha_finish(bootutil_sha_context *ctx, uint8_t *output) { -#if defined(MCUBOOT_SHA512) - return tc_sha512_final(output, ctx); -#else return tc_sha256_final(output, ctx); -#endif } #endif /* MCUBOOT_USE_TINYCRYPT */ diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index 4a5755b66..4e2423a08 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -21,14 +21,12 @@ #include "bootutil/crypto/common.h" #include "bootutil/crypto/sha.h" -#define EDDSA_SIGNATURE_LENGTH 64 - static const uint8_t ed25519_pubkey_oid[] = MBEDTLS_OID_ISO_IDENTIFIED_ORG "\x65\x70"; #define NUM_ED25519_BYTES 32 extern int ED25519_verify(const uint8_t *message, size_t message_len, - const uint8_t signature[EDDSA_SIGNATURE_LENGTH], - const uint8_t public_key[NUM_ED25519_BYTES]); + const uint8_t signature[64], + const uint8_t public_key[32]); /* * Parse the public key used for signing. @@ -78,8 +76,7 @@ bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen, uint8_t *pubkey; uint8_t *end; - if (hlen != IMAGE_HASH_SIZE || - slen != EDDSA_SIGNATURE_LENGTH) { + if (hlen != IMAGE_HASH_SIZE || slen != 64) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } From b5892967655518444578f081a38ad0b1f4e5c653 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 102/228] Revert "[nrf fromtree] zephyr: Fix usage of CONFIG_MBEDTLS_BUILTIN and ASN1" This reverts commit 7ab23b4518c9a91747e3abb19d9d7cf23fe197f5. --- boot/zephyr/CMakeLists.txt | 34 ++++++++++++---------------------- boot/zephyr/Kconfig | 11 +---------- 2 files changed, 13 insertions(+), 32 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index b0c119da4..6522f8572 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -25,10 +25,8 @@ assert_exists(TINYCRYPT_SHA512_DIR) set(FIAT_DIR "${MCUBOOT_DIR}/ext/fiat") assert_exists(FIAT_DIR) # Path to mbed-tls' asn1 parser library. -if(NOT CONFIG_MBEDTLS_BUILTIN) - set(MBEDTLS_ASN1_DIR "${MCUBOOT_DIR}/ext/mbedtls-asn1") - assert_exists(MBEDTLS_ASN1_DIR) -endif() +set(MBEDTLS_ASN1_DIR "${MCUBOOT_DIR}/ext/mbedtls-asn1") +assert_exists(MBEDTLS_ASN1_DIR) set(NRF_DIR "${MCUBOOT_DIR}/ext/nrf") if(CONFIG_BOOT_USE_NRF_CC310_BL) @@ -156,16 +154,14 @@ if(CONFIG_BOOT_RAM_LOAD OR CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD) endif() if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) - if(MBEDTLS_ASN1_DIR) - zephyr_library_include_directories( - ${MBEDTLS_ASN1_DIR}/include + zephyr_library_include_directories( + ${MBEDTLS_ASN1_DIR}/include ) - zephyr_library_sources( - # Additionally pull in just the ASN.1 parser from mbedTLS. - ${MBEDTLS_ASN1_DIR}/src/asn1parse.c - ${MBEDTLS_ASN1_DIR}/src/platform_util.c + zephyr_library_sources( + # Additionally pull in just the ASN.1 parser from mbedTLS. + ${MBEDTLS_ASN1_DIR}/src/asn1parse.c + ${MBEDTLS_ASN1_DIR}/src/platform_util.c ) - endif() if(CONFIG_BOOT_USE_TINYCRYPT) # When using ECDSA signatures, pull in our copy of the tinycrypt library. zephyr_library_include_directories( @@ -217,17 +213,8 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_RSA) endif() elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519) if(CONFIG_BOOT_USE_TINYCRYPT) - if(MBEDTLS_ASN1_DIR) - zephyr_library_include_directories( - ${MBEDTLS_ASN1_DIR}/include - ) - zephyr_library_sources( - # Additionally pull in just the ASN.1 parser from mbedTLS. - ${MBEDTLS_ASN1_DIR}/src/asn1parse.c - ${MBEDTLS_ASN1_DIR}/src/platform_util.c - ) - endif() zephyr_library_include_directories( + ${MBEDTLS_ASN1_DIR}/include ${BOOT_DIR}/zephyr/include ${TINYCRYPT_DIR}/include ${TINYCRYPT_SHA512_DIR}/include @@ -236,6 +223,9 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519) ${TINYCRYPT_DIR}/source/sha256.c ${TINYCRYPT_DIR}/source/utils.c ${TINYCRYPT_SHA512_DIR}/source/sha512.c + # Additionally pull in just the ASN.1 parser from mbedTLS. + ${MBEDTLS_ASN1_DIR}/src/asn1parse.c + ${MBEDTLS_ASN1_DIR}/src/platform_util.c ) zephyr_library_compile_definitions( MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_LIST_DIR}/include/mcuboot-mbedtls-cfg.h" diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 512f485f6..a13201969 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -134,8 +134,6 @@ config BOOT_SIGNATURE_TYPE_RSA bool "RSA signatures" select BOOT_USE_MBEDTLS select MBEDTLS - select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN - select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED if MBEDTLS_BUILTIN select BOOT_ENCRYPTION_SUPPORT select BOOT_IMG_HASH_ALG_SHA256_ALLOW @@ -186,8 +184,6 @@ config BOOT_ED25519_MBEDTLS bool "Use mbedTLS" select BOOT_USE_MBEDTLS select MBEDTLS - select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN - endchoice endif @@ -232,13 +228,8 @@ config MCUBOOT_CLEANUP_RAM help Sets contents of memory to 0 before jumping to application. -if MBEDTLS - config MBEDTLS_CFG_FILE - default "config-tls-generic.h" if MBEDTLS_BUILTIN - default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS - -endif + default "mcuboot-mbedtls-cfg.h" config BOOT_HW_KEY bool "Use HW key for image verification" From a2643916b16d9eb5c8c11500223c73803ffb5aa8 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 103/228] Revert "[nrf noup] partition_manager: Add support for internal flash netcore DFU" This reverts commit e8cc9b61368957621fb89a9b2fc30f41a64b4873. --- boot/zephyr/pm.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/boot/zephyr/pm.yml b/boot/zephyr/pm.yml index eec62473c..ab8f6d1c3 100644 --- a/boot/zephyr/pm.yml +++ b/boot/zephyr/pm.yml @@ -78,17 +78,11 @@ mcuboot_pad: mcuboot_primary_1: region: ram_flash size: CONFIG_NRF53_RAM_FLASH_SIZE -#endif /* CONFIG_NRF53_MCUBOOT_PRIMARY_1_RAM_FLASH */ +#endif /* CONFIG_NRF53_MULTI_IMAGE_UPDATE */ #if (CONFIG_NRF53_MULTI_IMAGE_UPDATE) mcuboot_secondary_1: -#if defined(CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY) region: external_flash -#else - placement: - align: {start: CONFIG_FPROTECT_BLOCK_SIZE} - after: mcuboot_secondary -#endif size: CONFIG_NRF53_RAM_FLASH_SIZE #endif /* CONFIG_NRF53_MULTI_IMAGE_UPDATE */ From 32cf74ee851567a9198dd22d535ce4ce8fd1d357 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 104/228] Revert "[nrf fromlist] boot: zephyr: kconfig: Add new defaults option for FIH" This reverts commit 47faf767ec38947bd317dee906d44bdaaeb59368. --- boot/zephyr/Kconfig | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index a13201969..f62e1d366 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -561,9 +561,6 @@ config MEASURED_BOOT_MAX_CBOR_SIZE choice BOOT_FAULT_INJECTION_HARDENING_PROFILE prompt "Fault injection hardening profile" - default BOOT_FIH_PROFILE_HIGH if BOOT_FIH_PROFILE_DEFAULT_HIGH - default BOOT_FIH_PROFILE_MEDIUM if BOOT_FIH_PROFILE_DEFAULT_MEDIUM - default BOOT_FIH_PROFILE_LOW if BOOT_FIH_PROFILE_DEFAULT_LOW default BOOT_FIH_PROFILE_OFF config BOOT_FIH_PROFILE_OFF @@ -843,22 +840,6 @@ endif # BOOT_DECOMPRESSION endif # BOOT_DECOMPRESSION_SUPPORT -menu "Defaults" - # Items in this menu should not be manually set. These options are for modules/sysbuild to - # set as defaults to allow MCUboot's default configuration to be set, but still allow it - # to be overridden by users. - -config BOOT_FIH_PROFILE_DEFAULT_LOW - bool "Default to low fault inject hardening level" - -config BOOT_FIH_PROFILE_DEFAULT_MEDIUM - bool "Default to medium fault inject hardening level" - -config BOOT_FIH_PROFILE_DEFAULT_HIGH - bool "Default to high fault inject hardening level" - -endmenu - endmenu config MCUBOOT_DEVICE_SETTINGS From 03d14c31b3e4c8072196c279085a3ef9f2206c87 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 105/228] Revert "[nrf fromtree] doc: imgtool: importance of clear flag" This reverts commit 7fd6163e6ca5d069b9cc26f2d6746bad3f8bc9e7. --- docs/encrypted_images.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/docs/encrypted_images.md b/docs/encrypted_images.md index ebc4f46ed..85d26d8e1 100644 --- a/docs/encrypted_images.md +++ b/docs/encrypted_images.md @@ -147,14 +147,6 @@ the status area just before starting the upgrade process, because it would be very hard to determine this information when an interruption occurs and the information is spread across multiple areas. -## [Factory-programing requirement](#factory-programing-requirement) - -It is important to have updates without any voids in encryption. -Therefore, from the very beginning, flags and TLV's must be set accordingly. -Perform the first flashing with an image signed by imgtool with encryption settings -intended for DFU. -Append it with the `--clear` flag to keep the image unencrypted and ready for use. - ## [Creating your keys with imgtool](#creating-your-keys-with-imgtool) `imgtool` can generate keys by using `imgtool keygen -k -t `, From cc871a0fcd6713d3e122951114d5056d051366bf Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 106/228] Revert "[nrf fromtree] boot: bootutil: loader: Fix some comments" This reverts commit b5d6e6cb4cf17169903cae9123eaddcf378403ca. --- boot/bootutil/src/loader.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 4c61c4217..0711f3337 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -804,9 +804,8 @@ boot_image_check(struct boot_loader_state *state, struct image_header *hdr, (void)bs; (void)rc; - /* In the case of ram loading the image has already been decrypted as it is - * decrypted when copied in ram - */ +/* In the case of ram loading the image has already been decrypted as it is + * decrypted when copied in ram */ #if defined(MCUBOOT_ENC_IMAGES) && !defined(MCUBOOT_RAM_LOAD) if (MUST_DECRYPT(fap, BOOT_CURR_IMG(state), hdr)) { rc = boot_enc_load(BOOT_CURR_ENC(state), 1, hdr, fap, bs); @@ -1646,7 +1645,7 @@ boot_copy_region(struct boot_loader_state *state, #ifdef MCUBOOT_ENC_IMAGES /* If only copy, then does not matter if header indicates need for - * encryption/decryption, we just copy data. */ + * encryptio/decryptio, we just copy data. */ if (!only_copy && IS_ENCRYPTED(hdr)) { uint32_t abs_off = off + bytes_copied; if (abs_off < hdr->ih_hdr_size) { From 232ae06970e7e9a50ea82af98a1c1d11f0b2ab87 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 107/228] Revert "[nrf fromtree] bootutil: Add missing MBEDTLS_ASN1_PARSE_C" This reverts commit 61d971b8de92a76793783e021d5ccc9afc2390dc. --- boot/bootutil/src/image_ed25519.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index 4e2423a08..0d5e66df0 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -12,8 +12,6 @@ #ifdef MCUBOOT_SIGN_ED25519 #include "bootutil/sign_key.h" -/* We are not really using the MBEDTLS but need the ASN.1 parsing functions */ -#define MBEDTLS_ASN1_PARSE_C #include "mbedtls/oid.h" #include "mbedtls/asn1.h" From 5b6baeb78b527def67322fe67c51860372a5a0b0 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 108/228] Revert "[nrf fromtree] zephyr: Remove scratch from flash_area_id_from_multi_image_slot" This reverts commit 9278beed6e1fb5345817d03298b38e09cdb33a01. --- boot/zephyr/flash_map_extended.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/boot/zephyr/flash_map_extended.c b/boot/zephyr/flash_map_extended.c index 46f4c5a3c..d0744afbd 100644 --- a/boot/zephyr/flash_map_extended.c +++ b/boot/zephyr/flash_map_extended.c @@ -62,6 +62,9 @@ int flash_area_id_from_multi_image_slot(int image_index, int slot) case 0: return FLASH_AREA_IMAGE_PRIMARY(image_index); #if !defined(CONFIG_SINGLE_APPLICATION_SLOT) case 1: return FLASH_AREA_IMAGE_SECONDARY(image_index); +#endif +#if defined(CONFIG_BOOT_SWAP_USING_SCRATCH) + case 2: return FLASH_AREA_IMAGE_SCRATCH; #endif } From b10150c07697e224f6c6c64f497ef0b07d0669ae Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 109/228] Revert "[nrf fromtree] boot: boot_serial: Fix uninitialised variables for upload" This reverts commit a7db1f9c61d9917a7014c500038b0fc1cde138a8. --- boot/boot_serial/src/boot_serial.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c index 8b256c623..137cb5633 100644 --- a/boot/boot_serial/src/boot_serial.c +++ b/boot/boot_serial/src/boot_serial.c @@ -452,8 +452,8 @@ bs_set(char *buf, int len) uint8_t image_index = 0; size_t decoded = 0; uint8_t hash[IMAGE_HASH_SIZE]; - bool confirm = false; - struct zcbor_string img_hash = { 0 }; + bool confirm; + struct zcbor_string img_hash; bool ok; int rc; @@ -798,7 +798,7 @@ bs_upload(char *buf, int len) size_t img_size_tmp = SIZE_MAX; /* Temp variable for image size */ const struct flash_area *fap = NULL; int rc; - struct zcbor_string img_chunk_data = { 0 }; + struct zcbor_string img_chunk_data; size_t decoded = 0; bool ok; #ifdef MCUBOOT_ERASE_PROGRESSIVELY @@ -1021,7 +1021,7 @@ bs_upload(char *buf, int len) } } } else { -out_invalid_data: + out_invalid_data: rc = MGMT_ERR_EINVAL; } From 315be136268e0841ff115fd4e4d38792b3bce4db Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 110/228] Revert "[nrf fromtree] scripts: imgtool: fix compression with encryption" This reverts commit 56c26be7ed723b5aec894e875a06d06f23bd9cc7. --- scripts/imgtool/image.py | 11 +++-------- scripts/imgtool/main.py | 17 +++++------------ 2 files changed, 8 insertions(+), 20 deletions(-) diff --git a/scripts/imgtool/image.py b/scripts/imgtool/image.py index 3e2c11073..88ef7b90c 100644 --- a/scripts/imgtool/image.py +++ b/scripts/imgtool/image.py @@ -94,7 +94,6 @@ 'DECOMP_SIZE': 0x70, 'DECOMP_SHA': 0x71, 'DECOMP_SIGNATURE': 0x72, - 'COMP_DEC_SIZE' : 0x73, } TLV_SIZE = 4 @@ -461,7 +460,7 @@ def create(self, key, public_key_format, enckey, dependencies=None, sw_type=None, custom_tlvs=None, compression_tlvs=None, compression_type=None, encrypt_keylen=128, clear=False, fixed_sig=None, pub_key=None, vector_to_sign=None, - user_sha='auto', is_pure=False, keep_comp_size=False, dont_encrypt=False): + user_sha='auto', is_pure=False): self.enckey = enckey # key decides on sha, then pub_key; of both are none default is used @@ -523,9 +522,6 @@ def create(self, key, public_key_format, enckey, dependencies=None, dependencies_num = len(dependencies[DEP_IMAGES_KEY]) protected_tlv_size += (dependencies_num * 16) - if keep_comp_size: - compression_tlvs["COMP_DEC_SIZE"] = struct.pack( - self.get_struct_endian() + 'L', self.image_size) if compression_tlvs is not None: for value in compression_tlvs.values(): protected_tlv_size += TLV_SIZE + len(value) @@ -541,7 +537,7 @@ def create(self, key, public_key_format, enckey, dependencies=None, # # This adds the padding if image is not aligned to the 16 Bytes # in encrypted mode - if self.enckey is not None and dont_encrypt is False: + if self.enckey is not None: pad_len = len(self.payload) % 16 if pad_len > 0: pad = bytes(16 - pad_len) @@ -598,7 +594,6 @@ def create(self, key, public_key_format, enckey, dependencies=None, prot_tlv.add(tag, value) protected_tlv_off = len(self.payload) - self.payload += prot_tlv.get() tlv = TLV(self.endian) @@ -662,7 +657,7 @@ def create(self, key, public_key_format, enckey, dependencies=None, if protected_tlv_off is not None: self.payload = self.payload[:protected_tlv_off] - if enckey is not None and dont_encrypt is False: + if enckey is not None: if encrypt_keylen == 256: plainkey = os.urandom(32) else: diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py index 28caa8947..434530c7a 100755 --- a/scripts/imgtool/main.py +++ b/scripts/imgtool/main.py @@ -521,11 +521,12 @@ def sign(key, public_key_format, align, version, pad_sig, header_size, 'Pure signatures, currently, enforces preferred hash algorithm, ' 'and forbids sha selection by user.') - if compression in ["lzma2", "lzma2armthumb"]: - img.create(key, public_key_format, enckey, dependencies, boot_record, + img.create(key, public_key_format, enckey, dependencies, boot_record, custom_tlvs, compression_tlvs, None, int(encrypt_keylen), clear, baked_signature, pub_key, vector_to_sign, user_sha=user_sha, - is_pure=is_pure, keep_comp_size=False, dont_encrypt=True) + is_pure=is_pure) + + if compression in ["lzma2", "lzma2armthumb"]: compressed_img = image.Image(version=decode_version(version), header_size=header_size, pad_header=pad_header, pad=pad, confirm=confirm, align=int(align), @@ -561,20 +562,12 @@ def sign(key, public_key_format, align, version, pad_sig, header_size, lc = comp_default_lc, lp = comp_default_lp) compressed_img.load_compressed(compressed_data, compression_header) compressed_img.base_addr = img.base_addr - keep_comp_size = False; - if enckey: - keep_comp_size = True compressed_img.create(key, public_key_format, enckey, dependencies, boot_record, custom_tlvs, compression_tlvs, compression, int(encrypt_keylen), clear, baked_signature, pub_key, vector_to_sign, user_sha=user_sha, - is_pure=is_pure, keep_comp_size=keep_comp_size) - img = compressed_img - else: - img.create(key, public_key_format, enckey, dependencies, boot_record, - custom_tlvs, compression_tlvs, None, int(encrypt_keylen), clear, - baked_signature, pub_key, vector_to_sign, user_sha=user_sha, is_pure=is_pure) + img = compressed_img img.save(outfile, hex_addr) if sig_out is not None: new_signature = img.get_signature() From ea99b2551a4572a9b8af91c996588a5904facf1c Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 111/228] Revert "[nrf fromtree] added missing MCUBOOT_VERSION_TWEAK in Zephyr port" This reverts commit 9fa43565f0fbcf09f55619307f6a818e3c83c83e. --- boot/zephyr/include/mcuboot_config/mcuboot_config.h | 1 - 1 file changed, 1 deletion(-) diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index 4743539f1..ae17f85ff 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -322,7 +322,6 @@ #define MCUBOOT_VERSION_MAJOR APP_VERSION_MAJOR #define MCUBOOT_VERSION_MINOR APP_VERSION_MINOR #define MCUBOOT_VERSION_PATCHLEVEL APP_PATCHLEVEL -#define MCUBOOT_VERSION_TWEAK APP_TWEAK #endif /* Support 32-byte aligned flash sizes */ From ab1f2c24523f533e4aa5caff2a591dcc39da06ac Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 112/228] Revert "[nrf noup] boot: zephyr: boards: Disabled NCS boot banner for thingy 53" This reverts commit 3897a7b0f645f3c79829bd6840fc3502ea1bdacb. --- boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf index c584aa911..e10656678 100644 --- a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf +++ b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf @@ -47,7 +47,6 @@ CONFIG_USB_CDC_ACM=y CONFIG_CBPRINTF_NANO=y CONFIG_TIMESLICING=n CONFIG_BOOT_BANNER=n -CONFIG_NCS_BOOT_BANNER=n CONFIG_CONSOLE=n CONFIG_CONSOLE_HANDLER=n CONFIG_UART_CONSOLE=n From aa4d157c80e3beaedb84916190925a07cdc83137 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 113/228] Revert "[nrf noup] sysflash: Add missing _FLASH_0_ID definitions" This reverts commit 2a8f5b43cb99cecdecd6fdc1cb59dda286d8929c. --- boot/zephyr/include/sysflash/pm_sysflash.h | 8 -------- 1 file changed, 8 deletions(-) diff --git a/boot/zephyr/include/sysflash/pm_sysflash.h b/boot/zephyr/include/sysflash/pm_sysflash.h index 0cb16292f..42f25182e 100644 --- a/boot/zephyr/include/sysflash/pm_sysflash.h +++ b/boot/zephyr/include/sysflash/pm_sysflash.h @@ -84,12 +84,4 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #endif /* CONFIG_SINGLE_APPLICATION_SLOT */ -#ifndef SOC_FLASH_0_ID -#define SOC_FLASH_0_ID 0 -#endif - -#ifndef SPI_FLASH_0_ID -#define SPI_FLASH_0_ID 1 -#endif - #endif /* __PM_SYSFLASH_H__ */ From f9577a4985faf062fe72398f71a7a0f441566e21 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 114/228] Revert "[nrf noup] boot: Remove child/parent references" This reverts commit 81be16e08923ce2adc72a53f6cf749d3bfca3ebf. --- boot/bootutil/src/swap_priv.h | 2 +- boot/zephyr/pm.yml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/boot/bootutil/src/swap_priv.h b/boot/bootutil/src/swap_priv.h index cc72b7653..f64e8fcf6 100644 --- a/boot/bootutil/src/swap_priv.h +++ b/boot/bootutil/src/swap_priv.h @@ -120,7 +120,7 @@ bool swap_write_block_size_check(struct boot_loader_state *state); int app_max_size(struct boot_loader_state *state); #if defined(PM_S1_ADDRESS) && !defined(MCUBOOT_OVERWRITE_ONLY) && \ -CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 +(CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 || defined(LEGACY_CHILD_PARENT_S0_S1_UPDATE_ENABLED)) /** * Performs an NSIB update */ diff --git a/boot/zephyr/pm.yml b/boot/zephyr/pm.yml index ab8f6d1c3..13ffc44aa 100644 --- a/boot/zephyr/pm.yml +++ b/boot/zephyr/pm.yml @@ -4,7 +4,9 @@ mcuboot: size: CONFIG_PM_PARTITION_SIZE_MCUBOOT placement: before: [mcuboot_primary] +#if defined(CONFIG_HIDE_CHILD_PARENT_CONFIG) align: {end: 0x1000} +#endif mcuboot_primary_app: # All images to be placed in MCUboot's slot 0 should be placed in this From 9514ec82490d96879dca7e60348b4a08c8424940 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:13 +0000 Subject: [PATCH 115/228] Revert "[nrf noup] boot/zephyr/boards: configure fastest RRAM operations" This reverts commit 1068cb1b4fb46014baf4fa9b3aeb288294bb5984. --- boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf | 3 --- 1 file changed, 3 deletions(-) diff --git a/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf b/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf index 12650a9ed..8fc12e074 100644 --- a/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf +++ b/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf @@ -13,6 +13,3 @@ CONFIG_NORDIC_QSPI_NOR=n CONFIG_FPROTECT=n CONFIG_BOOT_WATCHDOG_FEED=n - -# Ensure the fastest RRAM write operations -CONFIG_NRF_RRAM_WRITE_BUFFER_SIZE=32 From 04ce425fbd3d004a50630221d0411efd1a5c6aa7 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 116/228] Revert "[nrf noup] boot: zephyr: serial_recovery: Add nRF5340 Kconfig override" This reverts commit 2341b2977b2fbf78c94a01cd0e2b8c4760b60697. --- boot/zephyr/Kconfig.serial_recovery | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/boot/zephyr/Kconfig.serial_recovery b/boot/zephyr/Kconfig.serial_recovery index f5ee8945b..72be5ccfb 100644 --- a/boot/zephyr/Kconfig.serial_recovery +++ b/boot/zephyr/Kconfig.serial_recovery @@ -47,14 +47,9 @@ config BOOT_SERIAL_CDC_ACM endchoice -DT_COMPAT_SIM_FLASH:= zephyr,sim-flash -DT_SIM_FLASH_PATH := $(dt_nodelabel_path,flash_sim0) - config MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD bool "Allow to select image number for DFU" - # Allow this option to be selected in cases where support for direct uploading to nRF5340 - # network core should be supported - depends on !SINGLE_APPLICATION_SLOT || (SINGLE_APPLICATION_SLOT && SOC_NRF5340_CPUAPP && BOOT_IMAGE_ACCESS_HOOK_NRF5340 && FLASH_SIMULATOR && $(dt_compat_enabled,$(DT_COMPAT_SIM_FLASH))) + depends on !SINGLE_APPLICATION_SLOT help With the option enabled, the mcuboot serial recovery will respect the "image" field in mcumgr image update frame From bb25ee1025dddd5f51abb0c093b2cb8a4e474e98 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 117/228] Revert "[nrf noup] boot/zephyr/Kconfig: conditionally disable BOOT_MAX_IMG_SECTORS_AUTO" This reverts commit d6a16f86aa8b344ccc8ba25820338f7ebb0517a3. --- boot/zephyr/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index f62e1d366..848b6ca83 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -454,7 +454,7 @@ config BOOT_ENCRYPTION_KEY_FILE config BOOT_MAX_IMG_SECTORS_AUTO bool "Calculate maximum sectors automatically" - default y if !PARTITION_MANAGER_ENABLED + default y help If this option is enabled then the maximum number of supported sectors per image will be calculated automatically from the flash erase sizes and size of each partition for From 8ef909a7e3c1c9cf0d7482e62353d3877113ae9d Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 118/228] Revert "[nrf noup] boot/zephyr: add nrf54l15dk ext flash configs" This reverts commit ba988088164972b78c86e0af0e28b4a027bf74d3. --- .../nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf | 15 ------ ...f54l15dk_nrf54l15_cpuapp_ext_flash.overlay | 47 ------------------- 2 files changed, 62 deletions(-) delete mode 100644 boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf delete mode 100644 boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.overlay diff --git a/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf b/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf deleted file mode 100644 index 8fc12e074..000000000 --- a/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf +++ /dev/null @@ -1,15 +0,0 @@ -CONFIG_MULTITHREADING=y -CONFIG_SPI=y -CONFIG_SPI_NOR=y -CONFIG_FLASH=y -CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x14000 -CONFIG_MAIN_STACK_SIZE=20480 -CONFIG_BOOT_MAX_IMG_SECTORS=512 -CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096 -# Ensure that the qspi driver is disabled by default -CONFIG_NORDIC_QSPI_NOR=n - -# TODO: below are not yet supported and need fixing -CONFIG_FPROTECT=n - -CONFIG_BOOT_WATCHDOG_FEED=n diff --git a/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.overlay b/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.overlay deleted file mode 100644 index 60ee6fe51..000000000 --- a/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.overlay +++ /dev/null @@ -1,47 +0,0 @@ -/ { - chosen { - nordic,pm-ext-flash = &mx25r64; - zephyr,code-partition = &boot_partition; - }; -}; - -/delete-node/ &boot_partition; -/delete-node/ &slot0_partition; -/delete-node/ &slot1_partition; - -/delete-node/ &slot0_ns_partition; -/delete-node/ &slot1_ns_partition; - -/delete-node/ &storage_partition; - -&cpuapp_rram { - reg = < 0x0 DT_SIZE_K(1524) >; - partitions { - boot_partition: partition@0 { - label = "mcuboot"; - reg = <0x000000000 0x00014000>; - }; - slot0_partition: partition@14000 { - label = "image-0"; - reg = <0x000014000 0x0015A000>; - }; - storage_partition: partition@16E000 { - label = "storage"; - reg = < 0x16E000 0x9000 >; - }; - }; -}; - -&mx25r64 { - status = "okay"; - partitions { - compatible = "fixed-partitions"; - #address-cells = <1>; - #size-cells = <1>; - - slot1_partition: partition@0 { - label = "image-1"; - reg = <0x000000000 0x0015A000>; - }; - }; -}; From 821c86963c9041fb32ec4ee39bc5f2bf08164c01 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 119/228] Revert "[nrf noup] workflows: Add a backport workflow" This reverts commit dc0e95d910100e3584a0e733da8757744793e1a4. --- .github/workflows/backport.yml | 31 ------------------------------- 1 file changed, 31 deletions(-) delete mode 100644 .github/workflows/backport.yml diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml deleted file mode 100644 index e986738ff..000000000 --- a/.github/workflows/backport.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: Backport -on: - pull_request_target: - types: - - closed - - labeled - branches: - - main - -jobs: - backport: - name: Backport - runs-on: ubuntu-22.04 - # Only react to merged PRs for security reasons. - # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target. - if: > - github.event.pull_request.merged && - ( - github.event.action == 'closed' || - ( - github.event.action == 'labeled' && - contains(github.event.label.name, 'backport') - ) - ) - steps: - - name: Backport - uses: zephyrproject-rtos/action-backport@v2.0.3-3 - with: - github_token: ${{ secrets.NCS_GITHUB_TOKEN }} - issue_labels: Backport - labels_template: '["Backport"]' From b37c1397f9f57a3f1543ea432d603e0e59f1b6f2 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 120/228] Revert "[nrf noup] boards: Thingy:91 X release config" This reverts commit dd40ff344529fa8d8430523fb0553d9549170a98. --- boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf | 3 --- boot/zephyr/boards/thingy91x_nrf9151.conf | 6 +----- boot/zephyr/boards/thingy91x_nrf9151.overlay | 4 ---- 3 files changed, 1 insertion(+), 12 deletions(-) delete mode 100644 boot/zephyr/boards/thingy91x_nrf9151.overlay diff --git a/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf index d3e253b65..37c7e95b1 100644 --- a/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf +++ b/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf @@ -58,6 +58,3 @@ CONFIG_BOOT_SERIAL_IMG_GRP_IMAGE_STATE=y # Skip checks on the secondary image to make it possible to update MCUBoot on S1/S0 CONFIG_MCUBOOT_VERIFY_IMG_ADDRESS=n - -CONFIG_BOOT_SERIAL_NO_APPLICATION=y -CONFIG_FW_INFO_FIRMWARE_VERSION=2 diff --git a/boot/zephyr/boards/thingy91x_nrf9151.conf b/boot/zephyr/boards/thingy91x_nrf9151.conf index 7c2042de6..2efe1e170 100644 --- a/boot/zephyr/boards/thingy91x_nrf9151.conf +++ b/boot/zephyr/boards/thingy91x_nrf9151.conf @@ -12,10 +12,6 @@ CONFIG_CONSOLE=n CONFIG_CONSOLE_HANDLER=n CONFIG_UART_CONSOLE=n CONFIG_MCUBOOT_SERIAL=y + CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y CONFIG_BOOT_SERIAL_IMG_GRP_IMAGE_STATE=y - -CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY=y -CONFIG_PM_OVERRIDE_EXTERNAL_DRIVER_CHECK=y - -CONFIG_FW_INFO_FIRMWARE_VERSION=2 diff --git a/boot/zephyr/boards/thingy91x_nrf9151.overlay b/boot/zephyr/boards/thingy91x_nrf9151.overlay deleted file mode 100644 index 7f2818c0d..000000000 --- a/boot/zephyr/boards/thingy91x_nrf9151.overlay +++ /dev/null @@ -1,4 +0,0 @@ -&uart0 { - status = "okay"; - current-speed = < 1000000 >; -}; From 1fd9e306deecb288785b062131d09f3dbdf3baa1 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 121/228] Revert "[nrf noup] boot: bootutil: loader: Add s0/s1 checking of MCUboot image" This reverts commit b481eb0b9e27ae2712b1831b7172758b5eb1b628. --- boot/bootutil/src/loader.c | 45 -------------------------------------- 1 file changed, 45 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 0711f3337..22a47a476 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -100,17 +100,6 @@ static struct sector_buffer_t sector_buffers; #endif #endif -#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 && defined(MCUBOOT_OVERWRITE_ONLY) && \ - defined(MCUBOOT_DOWNGRADE_PREVENTION) -/* s0/s1 package version of the current MCUboot image */ -static const struct image_version mcuboot_s0_s1_image_version = { - .iv_major = CONFIG_MCUBOOT_MCUBOOT_S0_S1_VERSION_MAJOR, - .iv_minor = CONFIG_MCUBOOT_MCUBOOT_S0_S1_VERSION_MINOR, - .iv_revision = CONFIG_MCUBOOT_MCUBOOT_S0_S1_VERSION_REVISION, - .iv_build_num = CONFIG_MCUBOOT_MCUBOOT_S0_S1_VERSION_BUILD_NUMBER, -}; -#endif - #if (BOOT_IMAGE_NUMBER > 1) #define IMAGES_ITER(x) for ((x) = 0; (x) < BOOT_IMAGE_NUMBER; ++(x)) #else @@ -1062,45 +1051,11 @@ boot_validate_slot(struct boot_loader_state *state, int slot, rc = boot_version_cmp( &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); - -#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 - if (rc >= 0 && BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER) { - /* Also check the new version of MCUboot against that of the current s0/s1 MCUboot - * trailer version to prevent downgrades - */ - int version_check; - - version_check = boot_version_cmp(&boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, - &mcuboot_s0_s1_image_version); - - /* Only update rc if the currently running version is newer */ - if (version_check < rc) { - rc = version_check; - } - } -#endif } #else rc = boot_version_cmp( &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); - -#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 - if (rc >= 0 && BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER) { - /* Also check the new version of MCUboot against that of the current s0/s1 MCUboot - * trailer version to prevent downgrades - */ - int version_check; - - version_check = boot_version_cmp(&boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, - &mcuboot_s0_s1_image_version); - - /* Only update rc if the currently running version is newer */ - if (version_check < rc) { - rc = version_check; - } - } -#endif #endif if (rc < 0 && boot_check_header_erased(state, BOOT_PRIMARY_SLOT)) { BOOT_LOG_ERR("insufficient version in secondary slot"); From fd4a2f4f9a718c6884cc450783657e57e3727f76 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 122/228] Revert "[nrf noup] treewide: Add support for sysbuild assigned images" This reverts commit 8041ad6935fce96c37e873ef6ca5a1d42e98a04c. --- boot/bootutil/src/loader.c | 176 ++++++++------------- boot/bootutil/src/swap_nsib.c | 70 -------- boot/bootutil/src/swap_priv.h | 8 - boot/zephyr/CMakeLists.txt | 6 - boot/zephyr/include/sysflash/pm_sysflash.h | 69 ++++---- 5 files changed, 104 insertions(+), 225 deletions(-) delete mode 100644 boot/bootutil/src/swap_nsib.c diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 22a47a476..7b718758d 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -146,15 +146,15 @@ boot_read_image_headers(struct boot_loader_state *state, bool require_all, * * Failure to read any headers is a fatal error. */ -#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 +#ifdef PM_S1_ADDRESS /* Patch needed for NCS. The primary slot of the second image * (image 1) will not contain a valid image header until an upgrade * of mcuboot has happened (filling S1 with the new version). */ - if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER && i == 0) { + if (BOOT_CURR_IMG(state) == 1 && i == 0) { continue; } -#endif /* CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 */ +#endif /* PM_S1_ADDRESS */ if (i > 0 && !require_all) { return 0; } else { @@ -1045,7 +1045,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) \ && defined(CONFIG_PCD_APP) && defined(CONFIG_PCD_READ_NETCORE_APP_VERSION) - if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER) { + if (BOOT_CURR_IMG(state) == 1) { rc = pcd_version_cmp_net(fap, boot_img_hdr(state, BOOT_SECONDARY_SLOT)); } else { rc = boot_version_cmp( @@ -1113,8 +1113,6 @@ boot_validate_slot(struct boot_loader_state *state, int slot, struct image_header *secondary_hdr = boot_img_hdr(state, slot); uint32_t reset_value = 0; uint32_t reset_addr = secondary_hdr->ih_hdr_size + sizeof(reset_value); - uint32_t min_addr, max_addr; - bool check_addresses = false; rc = flash_area_read(fap, reset_addr, &reset_value, sizeof(reset_value)); if (rc != 0) { @@ -1122,46 +1120,29 @@ boot_validate_slot(struct boot_loader_state *state, int slot, goto out; } + uint32_t min_addr, max_addr; + #ifdef PM_CPUNET_APP_ADDRESS /* The primary slot for the network core is emulated in RAM. * Its flash_area hasn't got relevant boundaries. * Therfore need to override its boundaries for the check. */ - if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER) { + if (BOOT_CURR_IMG(state) == 1) { min_addr = PM_CPUNET_APP_ADDRESS; max_addr = PM_CPUNET_APP_ADDRESS + PM_CPUNET_APP_SIZE; - check_addresses = true; - } else -#endif -#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 - if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER) { -#if (CONFIG_NCS_IS_VARIANT_IMAGE) +#ifdef PM_S1_ADDRESS + } else if (BOOT_CURR_IMG(state) == 0) { min_addr = PM_S0_ADDRESS; - max_addr = (PM_S0_ADDRESS + PM_S0_SIZE); -#else - min_addr = PM_S1_ADDRESS; - max_addr = (PM_S1_ADDRESS + PM_S1_SIZE); + max_addr = pri_fa->fa_off + pri_fa->fa_size; #endif - check_addresses = true; } else #endif - if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER) { -#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 -#if (CONFIG_NCS_IS_VARIANT_IMAGE) - min_addr = MIN(pri_fa->fa_off, PM_S0_ADDRESS); - max_addr = MAX((pri_fa->fa_off + pri_fa->fa_size), (PM_S0_ADDRESS + PM_S0_SIZE)); -#else - min_addr = MIN(pri_fa->fa_off, PM_S1_ADDRESS); - max_addr = MAX((pri_fa->fa_off + pri_fa->fa_size), (PM_S1_ADDRESS + PM_S1_SIZE)); -#endif -#else + { min_addr = pri_fa->fa_off; max_addr = pri_fa->fa_off + pri_fa->fa_size; -#endif - check_addresses = true; } - if (check_addresses == true && (reset_value < min_addr || reset_value > max_addr)) { + if (reset_value < min_addr || reset_value> (max_addr)) { BOOT_LOG_ERR("Reset address of image in secondary slot is not in the primary slot"); BOOT_LOG_ERR("Erasing image from secondary slot"); @@ -1238,54 +1219,36 @@ boot_update_security_counter(uint8_t image_index, int slot, #define SEC_SLOT_TOUCHED 1 #define SEC_SLOT_ASSIGNED 2 -static uint8_t sec_slot_assignment[MCUBOOT_IMAGE_NUMBER] = {0}; - -#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 -static inline void sec_slot_untouch(struct boot_loader_state *state) -{ - sec_slot_assignment[CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER] = SEC_SLOT_VIRGIN; - sec_slot_assignment[CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER] = SEC_SLOT_VIRGIN; -} +#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ + !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) +/* This configuration is peculiar - the one physical secondary slot is + * mocking two logical secondary + */ +#define SEC_SLOT_PHYSICAL_CNT 1 #else -static inline void sec_slot_untouch(struct boot_loader_state *state) -{ -} +#define SEC_SLOT_PHYSICAL_CNT MCUBOOT_IMAGE_NUMBER #endif +static uint8_t sec_slot_assignmnet[SEC_SLOT_PHYSICAL_CNT] = {0}; + static inline void sec_slot_touch(struct boot_loader_state *state) { -#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 - if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER) { - if (sec_slot_assignment[CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER] == SEC_SLOT_VIRGIN) { - sec_slot_assignment[CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER] = SEC_SLOT_TOUCHED; - } - } else if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER) { - if (sec_slot_assignment[CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER] == SEC_SLOT_VIRGIN) { - sec_slot_assignment[CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER] = SEC_SLOT_TOUCHED; - } - } -#endif + uint8_t idx = (SEC_SLOT_PHYSICAL_CNT == 1) ? 0 : BOOT_CURR_IMG(state); - if (sec_slot_assignment[BOOT_CURR_IMG(state)] == SEC_SLOT_VIRGIN) { - sec_slot_assignment[BOOT_CURR_IMG(state)] = SEC_SLOT_TOUCHED; + if (SEC_SLOT_VIRGIN == sec_slot_assignmnet[idx]) { + sec_slot_assignmnet[idx] = SEC_SLOT_TOUCHED; } } static inline void sec_slot_mark_assigned(struct boot_loader_state *state) { -#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 - if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER) { - sec_slot_assignment[CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER] = SEC_SLOT_ASSIGNED; - } else if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER) { - sec_slot_assignment[CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER] = SEC_SLOT_ASSIGNED; - } -#endif + uint8_t idx = (SEC_SLOT_PHYSICAL_CNT == 1) ? 0 : BOOT_CURR_IMG(state); - sec_slot_assignment[BOOT_CURR_IMG(state)] = SEC_SLOT_ASSIGNED; + sec_slot_assignmnet[idx] = SEC_SLOT_ASSIGNED; } /** - * Cleanup up all secondary slot which couldn't be assigned to any primary slot. + * Cleanu up all secondary slot which couldn't be assigned to any primary slot. * * This function erases content of each secondary slot which contains valid * header but couldn't be assigned to any of supported primary images. @@ -1297,8 +1260,8 @@ static void sec_slot_cleanup_if_unusable(void) { uint8_t idx; - for (idx = 0; idx < MCUBOOT_IMAGE_NUMBER; idx++) { - if (SEC_SLOT_TOUCHED == sec_slot_assignment[idx]) { + for (idx = 0; idx < SEC_SLOT_PHYSICAL_CNT; idx++) { + if (SEC_SLOT_TOUCHED == sec_slot_assignmnet[idx]) { const struct flash_area *secondary_fa; int rc; @@ -1307,20 +1270,17 @@ static void sec_slot_cleanup_if_unusable(void) if (!rc) { rc = flash_area_erase(secondary_fa, 0, secondary_fa->fa_size); if (!rc) { - BOOT_LOG_ERR("Cleaned-up secondary slot of image %d", idx); + BOOT_LOG_ERR("Cleaned-up secondary slot of %d. image.", idx); } } if (rc) { - BOOT_LOG_ERR("Failed to clean-up secondary slot of image %d: %d", idx, rc); + BOOT_LOG_ERR("Can not cleanup secondary slot of %d. image.", idx); } } } } #else -static inline void sec_slot_untouch(struct boot_loader_state *state) -{ -} static inline void sec_slot_touch(struct boot_loader_state *state) { } @@ -1352,7 +1312,7 @@ boot_validated_swap_type(struct boot_loader_state *state, owner_nsib[BOOT_CURR_IMG(state)] = false; #endif -#if defined(PM_S1_ADDRESS) || defined(PM_CPUNET_B0N_ADDRESS) +#if defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) const struct flash_area *secondary_fa = BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); struct image_header *hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); @@ -1390,31 +1350,31 @@ boot_validated_swap_type(struct boot_loader_state *state, } /* Check start and end of primary slot for current image */ -#if (CONFIG_NCS_IS_VARIANT_IMAGE) - if (reset_addr >= PM_S0_ADDRESS && reset_addr <= (PM_S0_ADDRESS + PM_S0_SIZE)) { -#else - if (reset_addr >= PM_S1_ADDRESS && reset_addr <= (PM_S1_ADDRESS + PM_S1_SIZE)) { -#endif - if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER) { - /* This is not the s0/s1 upgrade image but the application image, pretend - * there is no image so the NSIB update can be loaded - */ - return BOOT_SWAP_TYPE_NONE; - } + if (reset_addr < primary_fa->fa_off) { +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) + const struct flash_area *nsib_fa; - owner_nsib[BOOT_CURR_IMG(state)] = true; -#if (CONFIG_NCS_IS_VARIANT_IMAGE) - } else if (reset_addr >= PM_S1_ADDRESS && reset_addr <= (PM_S1_ADDRESS + PM_S1_SIZE)) { + /* NSIB upgrade slot */ + rc = flash_area_open((uint32_t)_image_1_primary_slot_id, + &nsib_fa); + + if (rc != 0) { + return BOOT_SWAP_TYPE_FAIL; + } + + /* Image is placed before Primary and within the NSIB slot */ + if (reset_addr > nsib_fa->fa_off + && reset_addr < (nsib_fa->fa_off + nsib_fa->fa_size)) { + /* Set primary to be NSIB upgrade slot */ + BOOT_IMG_AREA(state, 0) = nsib_fa; + owner_nsib[BOOT_CURR_IMG(state)] = true; + } #else - } else if (reset_addr >= PM_S0_ADDRESS && reset_addr <= (PM_S0_ADDRESS + PM_S0_SIZE)) { + return BOOT_SWAP_TYPE_NONE; + #endif - /* NSIB upgrade but for the wrong slot, must be erased */ - BOOT_LOG_ERR("Image in slot is for wrong s0/s1 image"); - flash_area_erase(secondary_fa, 0, secondary_fa->fa_size); - sec_slot_untouch(state); - BOOT_LOG_ERR("Cleaned-up secondary slot of image %d", BOOT_CURR_IMG(state)); - return BOOT_SWAP_TYPE_FAIL; - } else if (reset_addr < primary_fa->fa_off || reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { + + } else if (reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { /* The image in the secondary slot is not intended for any */ return BOOT_SWAP_TYPE_NONE; } @@ -1427,7 +1387,7 @@ boot_validated_swap_type(struct boot_loader_state *state, sec_slot_mark_assigned(state); } -#endif /* PM_S1_ADDRESS || PM_CPUNET_B0N_ADDRESS */ +#endif /* PM_S1_ADDRESS || CONFIG_SOC_NRF5340_CPUAPP */ swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state)); if (BOOT_IS_UPGRADE(swap_type)) { @@ -1946,22 +1906,7 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs) flash_area_close(fap); } -#if defined(PM_S1_ADDRESS) && CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 - if (owner_nsib[BOOT_CURR_IMG(state)]) { - if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER) { - /* For NSIB, move the image instead of swapping it */ - nsib_swap_run(state, bs); - -#if defined(CONFIG_REBOOT) - /* Should also reboot at this point so the new S0/S1 update is applied */ - sys_reboot(SYS_REBOOT_COLD); -#endif - } - } else -#endif - { - swap_run(state, bs, copy_size); - } + swap_run(state, bs, copy_size); #ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT extern int boot_status_fails; @@ -2639,6 +2584,12 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) rc = boot_perform_update(state, &bs); } assert(rc == 0); +#if defined(PM_S1_ADDRESS) && defined(CONFIG_REBOOT) + if (owner_nsib[BOOT_CURR_IMG(state)]) { + sys_reboot(SYS_REBOOT_COLD); + + } +#endif break; case BOOT_SWAP_TYPE_FAIL: @@ -2712,8 +2663,7 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) * executing MCUBoot image, and is therefore already validated by NSIB and * does not need to also be validated by MCUBoot. */ - bool image_validated_by_nsib = BOOT_CURR_IMG(state) == - CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER; + bool image_validated_by_nsib = BOOT_CURR_IMG(state) == 1; if (!image_validated_by_nsib) #endif { diff --git a/boot/bootutil/src/swap_nsib.c b/boot/bootutil/src/swap_nsib.c deleted file mode 100644 index 39ed4c652..000000000 --- a/boot/bootutil/src/swap_nsib.c +++ /dev/null @@ -1,70 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * Copyright (c) 2024 Nordic Semiconductor ASA - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include -#include -#include -#include -#include -#include "bootutil/bootutil.h" -#include "bootutil_priv.h" -#include "swap_priv.h" -#include "bootutil/bootutil_log.h" - -#include "mcuboot_config/mcuboot_config.h" - -BOOT_LOG_MODULE_DECLARE(mcuboot); - -void nsib_swap_run(struct boot_loader_state *state, struct boot_status *bs) -{ - uint32_t sector_sz; - uint8_t image_index; - const struct flash_area *fap_pri; - const struct flash_area *fap_sec; - int rc; - - BOOT_LOG_INF("Starting swap using nsib algorithm."); - - sector_sz = boot_img_sector_size(state, BOOT_SECONDARY_SLOT, 0); - -#if (CONFIG_NCS_IS_VARIANT_IMAGE) - rc = flash_area_open(PM_S0_ID, &fap_pri); -#else - rc = flash_area_open(PM_S1_ID, &fap_pri); -#endif - assert (rc == 0); - image_index = BOOT_CURR_IMG(state); - - rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY(image_index), &fap_sec); - assert (rc == 0); - - rc = boot_erase_region(fap_pri, 0, fap_pri->fa_size); - assert(rc == 0); - - rc = boot_copy_region(state, fap_sec, fap_pri, 0, 0, fap_pri->fa_size); - assert(rc == 0); - - rc = swap_erase_trailer_sectors(state, fap_sec); - assert(rc == 0); - - rc = boot_erase_region(fap_sec, 0, MIN((fap_pri->fa_size + sector_sz), fap_sec->fa_size)); - assert(rc == 0); - - flash_area_close(fap_pri); - flash_area_close(fap_sec); -} diff --git a/boot/bootutil/src/swap_priv.h b/boot/bootutil/src/swap_priv.h index f64e8fcf6..255e74736 100644 --- a/boot/bootutil/src/swap_priv.h +++ b/boot/bootutil/src/swap_priv.h @@ -119,12 +119,4 @@ bool swap_write_block_size_check(struct boot_loader_state *state); */ int app_max_size(struct boot_loader_state *state); -#if defined(PM_S1_ADDRESS) && !defined(MCUBOOT_OVERWRITE_ONLY) && \ -(CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 || defined(LEGACY_CHILD_PARENT_S0_S1_UPDATE_ENABLED)) -/** - * Performs an NSIB update - */ -void nsib_swap_run(struct boot_loader_state *state, struct boot_status *bs); -#endif - #endif /* H_SWAP_PRIV_ */ diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 6522f8572..9d9ef8261 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -139,12 +139,6 @@ zephyr_library_sources( ${BOOT_DIR}/bootutil/src/swap_move.c ${BOOT_DIR}/bootutil/src/caps.c ) - - if(NOT CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER EQUAL "-1" AND NOT CONFIG_BOOT_UPGRADE_ONLY) - zephyr_library_sources( - ${BOOT_DIR}/bootutil/src/swap_nsib.c - ) - endif() endif() if(CONFIG_BOOT_RAM_LOAD OR CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD) diff --git a/boot/zephyr/include/sysflash/pm_sysflash.h b/boot/zephyr/include/sysflash/pm_sysflash.h index 42f25182e..db60ddd03 100644 --- a/boot/zephyr/include/sysflash/pm_sysflash.h +++ b/boot/zephyr/include/sysflash/pm_sysflash.h @@ -15,36 +15,48 @@ #ifndef CONFIG_SINGLE_APPLICATION_SLOT +#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) +/* If B0 is present then two bootloaders are present, and we must use + * a single secondary slot for both primary slots. + */ +extern uint32_t _image_1_primary_slot_id[]; +#endif /* (MCUBOOT_IMAGE_NUMBER == 2 && defined(PM_B0_ADDRESS) */ + +#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ + !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) + +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + (uint32_t)_image_1_primary_slot_id : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + 255 ) + +#else /* MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ + * !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) + */ + /* Each pair of slots is separated by , and there is no terminating character */ -#define FLASH_AREA_IMAGE_0_SLOTS PM_MCUBOOT_PRIMARY_ID, PM_MCUBOOT_SECONDARY_ID, -#define FLASH_AREA_IMAGE_1_SLOTS PM_MCUBOOT_PRIMARY_1_ID, PM_MCUBOOT_SECONDARY_1_ID, -#define FLASH_AREA_IMAGE_2_SLOTS PM_MCUBOOT_PRIMARY_2_ID, PM_MCUBOOT_SECONDARY_2_ID, -#define FLASH_AREA_IMAGE_3_SLOTS PM_MCUBOOT_PRIMARY_3_ID, PM_MCUBOOT_SECONDARY_3_ID, - -#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 -#ifdef CONFIG_NCS_IS_VARIANT_IMAGE -#define MCUBOOT_S0_S1_SLOTS PM_S0_ID, PM_MCUBOOT_SECONDARY_ID, -#else -#define MCUBOOT_S0_S1_SLOTS PM_S1_ID, PM_MCUBOOT_SECONDARY_ID, -#endif -#else -#define MCUBOOT_S0_S1_SLOTS -#endif +#define FLASH_AREA_IMAGE_0_SLOTS PM_MCUBOOT_PRIMARY_ID, PM_MCUBOOT_SECONDARY_ID +#define FLASH_AREA_IMAGE_1_SLOTS PM_MCUBOOT_PRIMARY_1_ID, PM_MCUBOOT_SECONDARY_1_ID +#define FLASH_AREA_IMAGE_2_SLOTS PM_MCUBOOT_PRIMARY_2_ID, PM_MCUBOOT_SECONDARY_2_ID -#if (MCUBOOT_IMAGE_NUMBER == 1) || (MCUBOOT_IMAGE_NUMBER == 2 && CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1) +#if (MCUBOOT_IMAGE_NUMBER == 1) #define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS -#elif (MCUBOOT_IMAGE_NUMBER == 2) || (MCUBOOT_IMAGE_NUMBER == 3 && CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1) -#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS \ +#elif (MCUBOOT_IMAGE_NUMBER == 2) +#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS, \ FLASH_AREA_IMAGE_1_SLOTS -#elif (MCUBOOT_IMAGE_NUMBER == 3) || (MCUBOOT_IMAGE_NUMBER == 4 && CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1) -#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS \ - FLASH_AREA_IMAGE_1_SLOTS \ +#elif (MCUBOOT_IMAGE_NUMBER == 3) +#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS, \ + FLASH_AREA_IMAGE_1_SLOTS, \ FLASH_AREA_IMAGE_2_SLOTS -#elif (MCUBOOT_IMAGE_NUMBER == 4) -#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS \ - FLASH_AREA_IMAGE_1_SLOTS \ - FLASH_AREA_IMAGE_2_SLOTS \ - FLASH_AREA_IMAGE_3_SLOTS #else #error Unsupported number of images #endif @@ -53,7 +65,6 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) { static const int all_slots[] = { ALL_AVAILABLE_SLOTS - MCUBOOT_S0_S1_SLOTS }; return all_slots[img * 2 + slot]; }; @@ -61,8 +72,6 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #undef FLASH_AREA_IMAGE_0_SLOTS #undef FLASH_AREA_IMAGE_1_SLOTS #undef FLASH_AREA_IMAGE_2_SLOTS -#undef FLASH_AREA_IMAGE_3_SLOTS -#undef MCUBOOT_S0_S1_SLOTS #undef ALL_AVAILABLE_SLOTS #define FLASH_AREA_IMAGE_PRIMARY(x) __flash_area_ids_for_slot(x, 0) @@ -72,6 +81,10 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID #endif +#endif /* MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ + * !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) + */ + #else /* CONFIG_SINGLE_APPLICATION_SLOT */ #define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID From 5b96060d5181ebefe40f0df59feaba25a2d90ce3 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 123/228] Revert "[nrf noup] boot: zephyr: Do not lock PCD region with TF-M" This reverts commit 09035f0f04709d5d29d61532bbedd433a569d506. --- boot/zephyr/main.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 62a9c2c57..b8bb6ec14 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -648,11 +648,7 @@ int main(void) } #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) && defined(CONFIG_PCD_APP) -#if defined(PM_TFM_SECURE_ADDRESS) - pcd_lock_ram(false); -#else - pcd_lock_ram(true); -#endif + pcd_lock_ram(); #endif #endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */ From 16049fdc1fad2ebb798b20ca65a9d7de6425072b Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 124/228] Revert "[nrf noup] boot: Add shared crypto for ECDSA and SHA" This reverts commit 7ff8c8fa0c1689026566c8cb2ed9121d6831809f. --- boot/bootutil/include/bootutil/crypto/ecdsa.h | 64 ++----------------- boot/bootutil/include/bootutil/crypto/sha.h | 32 ---------- boot/zephyr/CMakeLists.txt | 2 - boot/zephyr/external_crypto.conf | 20 ------ .../include/mcuboot_config/mcuboot_config.h | 5 +- 5 files changed, 9 insertions(+), 114 deletions(-) delete mode 100644 boot/zephyr/external_crypto.conf diff --git a/boot/bootutil/include/bootutil/crypto/ecdsa.h b/boot/bootutil/include/bootutil/crypto/ecdsa.h index 85355f20c..3b0541072 100644 --- a/boot/bootutil/include/bootutil/crypto/ecdsa.h +++ b/boot/bootutil/include/bootutil/crypto/ecdsa.h @@ -34,7 +34,6 @@ #if (defined(MCUBOOT_USE_TINYCRYPT) + \ defined(MCUBOOT_USE_CC310) + \ - defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \ defined(MCUBOOT_USE_PSA_OR_MBED_TLS)) != 1 #error "One crypto backend must be defined: either CC310/TINYCRYPT/MBED_TLS/PSA_CRYPTO" #endif @@ -71,18 +70,12 @@ #include "bootutil/sign_key.h" #include "common.h" -#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) - #include - #define NUM_ECC_BYTES (256 / 8) -#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */ - #ifdef __cplusplus extern "C" { #endif #if (defined(MCUBOOT_USE_TINYCRYPT) || defined(MCUBOOT_USE_MBED_TLS) || \ - defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)) \ - && !defined(MCUBOOT_USE_PSA_CRYPTO) + defined(MCUBOOT_USE_CC310)) && !defined(MCUBOOT_USE_PSA_CRYPTO) /* * Declaring these like this adds NULL termination. */ @@ -134,6 +127,8 @@ static int bootutil_import_key(uint8_t **cp, uint8_t *end) } #endif /* (MCUBOOT_USE_TINYCRYPT || MCUBOOT_USE_MBED_TLS || MCUBOOT_USE_CC310) && !MCUBOOT_USE_PSA_CRYPTO */ +#if defined(MCUBOOT_USE_TINYCRYPT) +#ifndef MCUBOOT_ECDSA_NEED_ASN1_SIG /* * cp points to ASN1 string containing an integer. * Verify the tag, and that the length is 32 bytes. Helper function. @@ -183,8 +178,8 @@ static int bootutil_decode_sig(uint8_t signature[NUM_ECC_BYTES * 2], uint8_t *cp } return 0; } +#endif /* not MCUBOOT_ECDSA_NEED_ASN1_SIG */ -#if defined(MCUBOOT_USE_TINYCRYPT) typedef uintptr_t bootutil_ecdsa_context; static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx) { @@ -253,12 +248,8 @@ static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx, { (void)ctx; (void)pk_len; + (void)sig_len; (void)hash_len; - uint8_t dsig[2 * NUM_ECC_BYTES]; - - if (bootutil_decode_sig(dsig, sig, sig + sig_len)) { - return -1; - } /* Only support uncompressed keys. */ if (pk[0] != 0x04) { @@ -266,7 +257,7 @@ static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx, } pk++; - return cc310_ecdsa_verify_secp256r1(hash, pk, dsig, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE); + return cc310_ecdsa_verify_secp256r1(hash, pk, sig, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE); } static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx, @@ -622,49 +613,6 @@ static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx, #endif /* MCUBOOT_USE_MBED_TLS */ -#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) -typedef uintptr_t bootutil_ecdsa_context; -static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx) -{ - (void)ctx; -} - -static inline void bootutil_ecdsa_drop(bootutil_ecdsa_context *ctx) -{ - (void)ctx; -} - -static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx, - uint8_t *pk, size_t pk_len, - uint8_t *hash, size_t hash_len, - uint8_t *sig, size_t sig_len) -{ - (void)ctx; - (void)pk_len; - (void)hash_len; - uint8_t dsig[2 * NUM_ECC_BYTES]; - - if (bootutil_decode_sig(dsig, sig, sig + sig_len)) { - return -1; - } - - /* Only support uncompressed keys. */ - if (pk[0] != 0x04) { - return -1; - } - pk++; - - return bl_secp256r1_validate(hash, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE, pk, dsig); -} - -static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx, - uint8_t **cp,uint8_t *end) -{ - (void)ctx; - return bootutil_import_key(cp, end); -} -#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */ - #ifdef __cplusplus } #endif diff --git a/boot/bootutil/include/bootutil/crypto/sha.h b/boot/bootutil/include/bootutil/crypto/sha.h index 6ba8d946d..d136a7f53 100644 --- a/boot/bootutil/include/bootutil/crypto/sha.h +++ b/boot/bootutil/include/bootutil/crypto/sha.h @@ -30,7 +30,6 @@ #if (defined(MCUBOOT_USE_PSA_OR_MBED_TLS) + \ defined(MCUBOOT_USE_TINYCRYPT) + \ - defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \ defined(MCUBOOT_USE_CC310)) != 1 #error "One crypto backend must be defined: either CC310/MBED_TLS/TINYCRYPT/PSA_CRYPTO" #endif @@ -251,37 +250,6 @@ static inline int bootutil_sha_finish(bootutil_sha_context *ctx, } #endif /* MCUBOOT_USE_CC310 */ -#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) - -#include - -typedef bl_sha256_ctx_t bootutil_sha_context; - -static inline void bootutil_sha_init(bootutil_sha_context *ctx) -{ - bl_sha256_init(ctx); -} - -static inline void bootutil_sha_drop(bootutil_sha_context *ctx) -{ - (void)ctx; -} - -static inline int bootutil_sha_update(bootutil_sha_context *ctx, - const void *data, - uint32_t data_len) -{ - return bl_sha256_update(ctx, data, data_len); -} - -static inline int bootutil_sha_finish(bootutil_sha_context *ctx, - uint8_t *output) -{ - bl_sha256_finalize(ctx, output); - return 0; -} -#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */ - #ifdef __cplusplus } #endif diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 9d9ef8261..fdb1cf101 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -174,8 +174,6 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) zephyr_library_sources(${NRF_DIR}/cc310_glue.c) zephyr_library_include_directories(${NRF_DIR}) zephyr_link_libraries(nrfxlib_crypto) - elseif(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO) - zephyr_include_directories(${BL_CRYPTO_DIR}/../include) endif() # Since here we are not using Zephyr's mbedTLS but rather our own, we need diff --git a/boot/zephyr/external_crypto.conf b/boot/zephyr/external_crypto.conf deleted file mode 100644 index 8181ad51c..000000000 --- a/boot/zephyr/external_crypto.conf +++ /dev/null @@ -1,20 +0,0 @@ -# -# Copyright (c) 2021 Nordic Semiconductor ASA -# -# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause -# - -# These configurations should be used when using nrf/samples/bootloader -# as the immutable bootloader (B0), and MCUBoot as the second stage updateable -# bootloader. - -# Set ECDSA as signing mechanism -CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y - -# Use crypto backend from B0 -CONFIG_BOOT_NRF_EXTERNAL_CRYPTO=y -CONFIG_SECURE_BOOT_CRYPTO=y -CONFIG_SB_CRYPTO_CLIENT_ECDSA_SECP256R1=y -CONFIG_SB_CRYPTO_CLIENT_SHA256=y -CONFIG_BL_SHA256_EXT_API_REQUIRED=y -CONFIG_BL_SECP256R1_EXT_API_REQUIRED=y diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index ae17f85ff..573155b39 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -40,10 +40,11 @@ #define MCUBOOT_USE_TINYCRYPT #elif defined(CONFIG_BOOT_USE_CC310) #define MCUBOOT_USE_CC310 +#ifdef CONFIG_BOOT_USE_NRF_CC310_BL +#define MCUBOOT_USE_NRF_CC310_BL +#endif #elif defined(CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT) #define MCUBOOT_USE_PSA_CRYPTO -#elif defined(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO) -#define MCUBOOT_USE_NRF_EXTERNAL_CRYPTO #endif #ifdef CONFIG_BOOT_IMG_HASH_ALG_SHA512 From 6b725247fa37d9d7dd64d5134ea61e16f8319fe1 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 125/228] Revert "[nrf noup] boards: nrf54l15dk: Disable FPROTECT" This reverts commit 3952b4d304a53c9cf7664f786110faa131247c44. --- boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp.conf | 3 --- 1 file changed, 3 deletions(-) diff --git a/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp.conf b/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp.conf index 1dbd7c1ab..c8fcd32c3 100644 --- a/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp.conf +++ b/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp.conf @@ -7,9 +7,6 @@ CONFIG_BOOT_MAX_IMG_SECTORS=256 # Ensure that the SPI NOR driver is disabled by default CONFIG_SPI_NOR=n -# TODO: below are not yet supported and need fixing -CONFIG_FPROTECT=n - CONFIG_BOOT_WATCHDOG_FEED=n # Ensure the fastest RRAM write operations From 48cbb9a99de634c53c2c6a256769005cd8be2e4c Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 126/228] Revert "[nrf noup] bootutil: loader: Fix netcore address checking" This reverts commit b5a4c74a5a1a52111d391ec58497f416ccbba2f3. --- boot/bootutil/src/loader.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 7b718758d..6a26de3dc 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1338,7 +1338,7 @@ boot_validated_swap_type(struct boot_loader_state *state, #ifdef PM_S1_ADDRESS #ifdef PM_CPUNET_B0N_ADDRESS - if(!(reset_addr >= PM_CPUNET_APP_ADDRESS && reset_addr < PM_CPUNET_APP_END_ADDRESS)) + if(reset_addr < PM_CPUNET_B0N_ADDRESS) #endif { const struct flash_area *primary_fa; @@ -1411,8 +1411,7 @@ boot_validated_swap_type(struct boot_loader_state *state, * update and indicate to the caller of this function that no update is * available */ - if (upgrade_valid && reset_addr >= PM_CPUNET_APP_ADDRESS && - reset_addr < PM_CPUNET_APP_END_ADDRESS) { + if (upgrade_valid && reset_addr > PM_CPUNET_B0N_ADDRESS) { struct image_header *hdr = (struct image_header *)secondary_fa->fa_off; uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; uint32_t *net_core_fw_addr = (uint32_t *)(vtable_addr); From 66f75a204c8bc6e6a65f0b5dd15371b2d0f41c37 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 127/228] Revert "[nrf noup] boot/../loader: reboot after updating s0/s1" This reverts commit 0e1a28868543d824058ebba69479a0f0b31af106. --- boot/bootutil/src/loader.c | 10 ---------- boot/zephyr/Kconfig | 1 - 2 files changed, 11 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 6a26de3dc..1f9ce5bb6 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -49,10 +49,6 @@ #include "bootutil/boot_hooks.h" #include "bootutil/mcuboot_status.h" -#ifdef __ZEPHYR__ -#include -#endif - #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) #include #ifdef CONFIG_PCD_READ_NETCORE_APP_VERSION @@ -2583,12 +2579,6 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) rc = boot_perform_update(state, &bs); } assert(rc == 0); -#if defined(PM_S1_ADDRESS) && defined(CONFIG_REBOOT) - if (owner_nsib[BOOT_CURR_IMG(state)]) { - sys_reboot(SYS_REBOOT_COLD); - - } -#endif break; case BOOT_SWAP_TYPE_FAIL: diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 848b6ca83..af3134694 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -18,7 +18,6 @@ config MCUBOOT select MPU_ALLOW_FLASH_WRITE if ARM_MPU select USE_DT_CODE_PARTITION if HAS_FLASH_LOAD_OFFSET select MCUBOOT_BOOTUTIL_LIB - select REBOOT if SECURE_BOOT config BOOT_USE_MBEDTLS bool From e2f1dadbcb3d6c5e729b04251c61132b32f35008 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 128/228] Revert "[nrf noup] boot/../loader: skip downgrade prevention for s1/s0" This reverts commit 21024f623e6b4197b8b26f2f95da8f10ade5507f. --- boot/bootutil/src/loader.c | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 1f9ce5bb6..a98d6ba79 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -70,9 +70,6 @@ int pcd_version_cmp_net(const struct flash_area *fap, struct image_header *hdr); BOOT_LOG_MODULE_DECLARE(mcuboot); static struct boot_loader_state boot_data; -#ifdef PM_S1_ADDRESS -static bool owner_nsib[BOOT_IMAGE_NUMBER] = {false}; -#endif #if defined(MCUBOOT_SERIAL_IMG_GRP_SLOT_INFO) || defined(MCUBOOT_DATA_SHARING) static struct image_max_size image_max_sizes[BOOT_IMAGE_NUMBER] = {0}; @@ -1304,9 +1301,6 @@ boot_validated_swap_type(struct boot_loader_state *state, int swap_type; FIH_DECLARE(fih_rc, FIH_FAILURE); bool upgrade_valid = false; -#if defined(PM_S1_ADDRESS) - owner_nsib[BOOT_CURR_IMG(state)] = false; -#endif #if defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) const struct flash_area *secondary_fa = @@ -1363,7 +1357,6 @@ boot_validated_swap_type(struct boot_loader_state *state, && reset_addr < (nsib_fa->fa_off + nsib_fa->fa_size)) { /* Set primary to be NSIB upgrade slot */ BOOT_IMG_AREA(state, 0) = nsib_fa; - owner_nsib[BOOT_CURR_IMG(state)] = true; } #else return BOOT_SWAP_TYPE_NONE; @@ -1374,10 +1367,6 @@ boot_validated_swap_type(struct boot_loader_state *state, /* The image in the secondary slot is not intended for any */ return BOOT_SWAP_TYPE_NONE; } - - if ((primary_fa->fa_off == PM_S0_ADDRESS) || (primary_fa->fa_off == PM_S1_ADDRESS)) { - owner_nsib[BOOT_CURR_IMG(state)] = true; - } } #endif /* PM_S1_ADDRESS */ sec_slot_mark_assigned(state); @@ -2361,13 +2350,6 @@ check_downgrade_prevention(struct boot_loader_state *state) uint32_t security_counter[2]; int rc; -#if defined(PM_S1_ADDRESS) - if (owner_nsib[BOOT_CURR_IMG(state)]) { - /* Downgrade prevention on S0/S1 image is managed by NSIB */ - return 0; - } -#endif - if (MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER) { /* If there was security no counter in slot 0, allow swap */ rc = bootutil_get_img_security_cnt(&(BOOT_IMG(state, 0).hdr), From e55b99914873ce87944ebb921f397ff3701b920c Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 129/228] Revert "[nrf noup] boot: zephyr: Add NCS boot banner" This reverts commit 053d2f231d01e9833fabf647aaedbabef9ca6cbd. --- boot/zephyr/prj.conf | 3 --- 1 file changed, 3 deletions(-) diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index e4f7d9030..23b5f3b93 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -37,6 +37,3 @@ CONFIG_CBPRINTF_NANO=y ### Use the minimal C library to reduce flash usage CONFIG_MINIMAL_LIBC=y CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT=0 - -# NCS boot banner -CONFIG_NCS_APPLICATION_BOOT_BANNER_STRING="MCUboot" From 853f1d41e183424ae288400684fd26b84b64742b Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 130/228] Revert "[nrf noup] zephyr/boards: fix nrf54l15pdk ext flash dts overlay" This reverts commit b062f946ad0f971d34a81df36a5c8ee2db79e5b1. --- .../boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay index 60ee6fe51..ea024fcec 100644 --- a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay +++ b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay @@ -14,8 +14,7 @@ /delete-node/ &storage_partition; -&cpuapp_rram { - reg = < 0x0 DT_SIZE_K(1524) >; +&rram0 { partitions { boot_partition: partition@0 { label = "mcuboot"; From 85d13bf4da52e9dc69ed9b2f6cb72b4bb6f8e63f Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 131/228] Revert "[nrf noup] Revert of zephyr: arm: Update reading the flash image reset vector" This reverts commit e48c56f63dc33b0d40d54d84397e0617998a2212. --- boot/zephyr/flash_map_extended.c | 8 ++++++-- boot/zephyr/main.c | 20 +++++++++++++++----- 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/boot/zephyr/flash_map_extended.c b/boot/zephyr/flash_map_extended.c index d0744afbd..4631da75b 100644 --- a/boot/zephyr/flash_map_extended.c +++ b/boot/zephyr/flash_map_extended.c @@ -141,8 +141,12 @@ int flash_area_sector_from_off(off_t off, struct flash_sector *sector) uint8_t flash_area_get_device_id(const struct flash_area *fa) { - (void)fa; - return FLASH_DEVICE_ID; +#if defined(CONFIG_ARM) + return fa->fa_id; +#else + (void)fa; + return FLASH_DEVICE_ID; +#endif } #define ERASED_VAL 0xff diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index b8bb6ec14..397d88cf4 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -174,16 +174,26 @@ static void do_boot(struct boot_rsp *rsp) /* Get ram address for image */ vt = (struct arm_vector_table *)(rsp->br_hdr->ih_load_addr + rsp->br_hdr->ih_hdr_size); #else - uintptr_t flash_base; int rc; + const struct flash_area *fap; + static uint32_t dst[2]; /* Jump to flash image */ - rc = flash_device_base(rsp->br_flash_dev_id, &flash_base); + rc = flash_area_open(rsp->br_flash_dev_id, &fap); + assert(rc == 0); + + rc = flash_area_read(fap, rsp->br_hdr->ih_hdr_size, dst, sizeof(dst)); assert(rc == 0); +#ifndef CONFIG_ASSERT + /* Enter a lock up as asserts are disabled */ + if (rc != 0) { + while (1); + } +#endif + + flash_area_close(fap); - vt = (struct arm_vector_table *)(flash_base + - rsp->br_image_off + - rsp->br_hdr->ih_hdr_size); + vt = (struct arm_vector_table *)dst; #endif if (IS_ENABLED(CONFIG_SYSTEM_TIMER_HAS_DISABLE_SUPPORT)) { From c8105527e8893f781b1884d6a0259d921f405a91 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 132/228] Revert "[nrf noup] boot/zephyr: fix fw_info search" This reverts commit b1851b65f49448e74aeac4ad0c5fd7cc46bafa93. --- boot/zephyr/main.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 397d88cf4..7330a164b 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -206,14 +206,7 @@ static void do_boot(struct boot_rsp *rsp) #endif #if defined(CONFIG_FW_INFO) && !defined(CONFIG_EXT_API_PROVIDE_EXT_API_UNUSED) - uintptr_t fw_start_addr; - - rc = flash_device_base(rsp->br_flash_dev_id, &fw_start_addr); - assert(rc == 0); - - fw_start_addr += rsp->br_image_off + rsp->br_hdr->ih_hdr_size; - - const struct fw_info *firmware_info = fw_info_find(fw_start_addr); + const struct fw_info *firmware_info = fw_info_find((uint32_t) vt); bool provided = fw_info_ext_api_provide(firmware_info, true); #ifdef PM_S0_ADDRESS From f0c3867a6624945226c0e96de6c9acb76bd4b28d Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 133/228] Revert "[nrf noup] boot: zephyr: Disable boot banner if NCS_BOOT_BANNER is used" This reverts commit fb3cc4c5863822d190135640989110d2257dcbd2. --- boot/zephyr/Kconfig | 1 - 1 file changed, 1 deletion(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index af3134694..77e1e9c37 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -797,7 +797,6 @@ config BOOT_DISABLE_CACHES config MCUBOOT_BOOT_BANNER bool "Use MCUboot boot banner" depends on BOOT_BANNER - depends on !NCS_BOOT_BANNER depends on "$(APP_VERSION_EXTENDED_STRING)" != "" default y help From 70c7ca63102d7fd1d0ca3b01b2ceb869dfdcf08f Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 134/228] Revert "[nrf noup] boards: thingy91x: enable serial recovery" This reverts commit d8729897a98f78cc5d99664fc5b7d93e31477210. --- boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf | 10 ++-------- boot/zephyr/boards/thingy91x_nrf9151.conf | 9 --------- 2 files changed, 2 insertions(+), 17 deletions(-) diff --git a/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf index 37c7e95b1..72dfa7fca 100644 --- a/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf +++ b/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf @@ -32,7 +32,7 @@ CONFIG_USB_COMPOSITE_DEVICE=y CONFIG_USB_MASS_STORAGE=n CONFIG_USB_DEVICE_MANUFACTURER="Nordic Semiconductor" CONFIG_USB_DEVICE_VID=0x1915 -CONFIG_USB_DEVICE_PID=0x910A +CONFIG_USB_DEVICE_PID=0x520F CONFIG_BOOT_SERIAL_BOOT_MODE=y @@ -49,12 +49,6 @@ CONFIG_FLASH_SIMULATOR_DOUBLE_WRITES=y CONFIG_FLASH_SIMULATOR_STATS=n CONFIG_BOOT_IMAGE_ACCESS_HOOKS=y - -# Makes it possible to update the network core using the flash simulator -CONFIG_NRF53_RECOVERY_NETWORK_CORE=y - CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y -CONFIG_BOOT_SERIAL_IMG_GRP_IMAGE_STATE=y -# Skip checks on the secondary image to make it possible to update MCUBoot on S1/S0 -CONFIG_MCUBOOT_VERIFY_IMG_ADDRESS=n +CONFIG_NRF53_RECOVERY_NETWORK_CORE=y diff --git a/boot/zephyr/boards/thingy91x_nrf9151.conf b/boot/zephyr/boards/thingy91x_nrf9151.conf index 2efe1e170..33cd3301c 100644 --- a/boot/zephyr/boards/thingy91x_nrf9151.conf +++ b/boot/zephyr/boards/thingy91x_nrf9151.conf @@ -6,12 +6,3 @@ CONFIG_SPI_NOR=y CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096 CONFIG_SPI_NOR_SFDP_DEVICETREE=y CONFIG_MULTITHREADING=y - -# Disable Zephyr console and use UART for MCUboot serial recovery instead -CONFIG_CONSOLE=n -CONFIG_CONSOLE_HANDLER=n -CONFIG_UART_CONSOLE=n -CONFIG_MCUBOOT_SERIAL=y - -CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y -CONFIG_BOOT_SERIAL_IMG_GRP_IMAGE_STATE=y From bafd0a0f37462ac668e683922397d4f04fe73c6a Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 135/228] Revert "[nrf noup] boot/zephyr/boards: nrf54l15pdk ext-flash update" This reverts commit 6b35b59e16ecfa58c889956e1e91dc4f353204d5. --- .../boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf | 7 ------- .../boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay | 1 - 2 files changed, 8 deletions(-) diff --git a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf index 8fc12e074..841922dbd 100644 --- a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf +++ b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf @@ -6,10 +6,3 @@ CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x14000 CONFIG_MAIN_STACK_SIZE=20480 CONFIG_BOOT_MAX_IMG_SECTORS=512 CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096 -# Ensure that the qspi driver is disabled by default -CONFIG_NORDIC_QSPI_NOR=n - -# TODO: below are not yet supported and need fixing -CONFIG_FPROTECT=n - -CONFIG_BOOT_WATCHDOG_FEED=n diff --git a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay index ea024fcec..76b648903 100644 --- a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay +++ b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay @@ -1,7 +1,6 @@ / { chosen { nordic,pm-ext-flash = &mx25r64; - zephyr,code-partition = &boot_partition; }; }; From f196714445ec70d95ab4871e947c431a16f3bc2d Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 136/228] Revert "[nrf noup] boot/zephyr/boards: nrf54l15pdk ext-flash partition" This reverts commit 8929c5ffb322cdfb75f583a7103ef41f59349cf8. --- ...54l15pdk_nrf54l15_cpuapp_ext_flash.overlay | 35 ------------------- 1 file changed, 35 deletions(-) diff --git a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay index 76b648903..2341ffd26 100644 --- a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay +++ b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay @@ -4,42 +4,7 @@ }; }; -/delete-node/ &boot_partition; -/delete-node/ &slot0_partition; -/delete-node/ &slot1_partition; - -/delete-node/ &slot0_ns_partition; -/delete-node/ &slot1_ns_partition; - -/delete-node/ &storage_partition; - -&rram0 { - partitions { - boot_partition: partition@0 { - label = "mcuboot"; - reg = <0x000000000 0x00014000>; - }; - slot0_partition: partition@14000 { - label = "image-0"; - reg = <0x000014000 0x0015A000>; - }; - storage_partition: partition@16E000 { - label = "storage"; - reg = < 0x16E000 0x9000 >; - }; - }; -}; &mx25r64 { status = "okay"; - partitions { - compatible = "fixed-partitions"; - #address-cells = <1>; - #size-cells = <1>; - - slot1_partition: partition@0 { - label = "image-1"; - reg = <0x000000000 0x0015A000>; - }; - }; }; From f854fa0fab0e19694bf1bf95f7c7a1f921aa0cce Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 137/228] Revert "[nrf noup] loader: remove cleanup for direct xip mode" This reverts commit 2cb3c76754d6cef2b26edf823da0d4586be862a2. --- boot/bootutil/src/loader.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index a98d6ba79..5a5a3c2c0 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1203,8 +1203,6 @@ boot_update_security_counter(uint8_t image_index, int slot, } #endif /* MCUBOOT_HW_ROLLBACK_PROT */ -#if !defined(MCUBOOT_DIRECT_XIP) && !defined(MCUBOOT_RAM_LOAD) - #if defined(CONFIG_MCUBOOT_CLEANUP_UNUSABLE_SECONDARY) &&\ (defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP)) @@ -1286,6 +1284,7 @@ static inline void sec_slot_cleanup_if_unusable(void) #endif /* defined(CONFIG_MCUBOOT_CLEANUP_UNUSABLE_SECONDARY) &&\ defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) */ +#if !defined(MCUBOOT_DIRECT_XIP) && !defined(MCUBOOT_RAM_LOAD) /** * Determines which swap operation to perform, if any. If it is determined * that a swap operation is required, the image in the secondary slot is checked From 0cdd6c4ce8d7509171f8f206b99aa7b7804e5ed6 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 138/228] Revert "[nrf noup] boards: nrf54l15: Disable FPROTECT" This reverts commit 43623ffcfd53396c1a8410e335a6c4faf0128ea0. --- boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp.conf | 3 --- 1 file changed, 3 deletions(-) diff --git a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp.conf b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp.conf index 8d8eb845f..43d8cebe3 100644 --- a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp.conf +++ b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp.conf @@ -7,7 +7,4 @@ CONFIG_BOOT_MAX_IMG_SECTORS=256 # Ensure that the SPI NOR driver is disabled by default CONFIG_SPI_NOR=n -# TODO: below are not yet supported and need fixing -CONFIG_FPROTECT=n - CONFIG_BOOT_WATCHDOG_FEED=n From 76c85fa7cdabb89f7c04b8ae775826eb5a389b24 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 139/228] Revert "[nrf noup] loader: introduced cleanup of unusable secondary slot" This reverts commit 36ac0266fae1fb057d8b3230599d4942635bc81c. --- boot/bootutil/src/loader.c | 90 -------------------------------------- 1 file changed, 90 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 5a5a3c2c0..c5b0c1002 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1203,87 +1203,6 @@ boot_update_security_counter(uint8_t image_index, int slot, } #endif /* MCUBOOT_HW_ROLLBACK_PROT */ -#if defined(CONFIG_MCUBOOT_CLEANUP_UNUSABLE_SECONDARY) &&\ -(defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP)) - -#define SEC_SLOT_VIRGIN 0 -#define SEC_SLOT_TOUCHED 1 -#define SEC_SLOT_ASSIGNED 2 - -#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ - !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) -/* This configuration is peculiar - the one physical secondary slot is - * mocking two logical secondary - */ -#define SEC_SLOT_PHYSICAL_CNT 1 -#else -#define SEC_SLOT_PHYSICAL_CNT MCUBOOT_IMAGE_NUMBER -#endif - -static uint8_t sec_slot_assignmnet[SEC_SLOT_PHYSICAL_CNT] = {0}; - -static inline void sec_slot_touch(struct boot_loader_state *state) -{ - uint8_t idx = (SEC_SLOT_PHYSICAL_CNT == 1) ? 0 : BOOT_CURR_IMG(state); - - if (SEC_SLOT_VIRGIN == sec_slot_assignmnet[idx]) { - sec_slot_assignmnet[idx] = SEC_SLOT_TOUCHED; - } -} - -static inline void sec_slot_mark_assigned(struct boot_loader_state *state) -{ - uint8_t idx = (SEC_SLOT_PHYSICAL_CNT == 1) ? 0 : BOOT_CURR_IMG(state); - - sec_slot_assignmnet[idx] = SEC_SLOT_ASSIGNED; -} - -/** - * Cleanu up all secondary slot which couldn't be assigned to any primary slot. - * - * This function erases content of each secondary slot which contains valid - * header but couldn't be assigned to any of supported primary images. - * - * This function is supposed to be called after boot_validated_swap_type() - * iterates over all the images in context_boot_go(). - */ -static void sec_slot_cleanup_if_unusable(void) -{ - uint8_t idx; - - for (idx = 0; idx < SEC_SLOT_PHYSICAL_CNT; idx++) { - if (SEC_SLOT_TOUCHED == sec_slot_assignmnet[idx]) { - const struct flash_area *secondary_fa; - int rc; - - rc = flash_area_open(flash_area_id_from_multi_image_slot(idx, BOOT_SECONDARY_SLOT), - &secondary_fa); - if (!rc) { - rc = flash_area_erase(secondary_fa, 0, secondary_fa->fa_size); - if (!rc) { - BOOT_LOG_ERR("Cleaned-up secondary slot of %d. image.", idx); - } - } - - if (rc) { - BOOT_LOG_ERR("Can not cleanup secondary slot of %d. image.", idx); - } - } - } -} -#else -static inline void sec_slot_touch(struct boot_loader_state *state) -{ -} -static inline void sec_slot_mark_assigned(struct boot_loader_state *state) -{ -} -static inline void sec_slot_cleanup_if_unusable(void) -{ -} -#endif /* defined(CONFIG_MCUBOOT_CLEANUP_UNUSABLE_SECONDARY) &&\ - defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) */ - #if !defined(MCUBOOT_DIRECT_XIP) && !defined(MCUBOOT_RAM_LOAD) /** * Determines which swap operation to perform, if any. If it is determined @@ -1322,9 +1241,6 @@ boot_validated_swap_type(struct boot_loader_state *state, if (rc != 0) { return BOOT_SWAP_TYPE_FAIL; } - - sec_slot_touch(state); - #ifdef PM_S1_ADDRESS #ifdef PM_CPUNET_B0N_ADDRESS if(reset_addr < PM_CPUNET_B0N_ADDRESS) @@ -1359,7 +1275,6 @@ boot_validated_swap_type(struct boot_loader_state *state, } #else return BOOT_SWAP_TYPE_NONE; - #endif } else if (reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { @@ -1368,9 +1283,7 @@ boot_validated_swap_type(struct boot_loader_state *state, } } #endif /* PM_S1_ADDRESS */ - sec_slot_mark_assigned(state); } - #endif /* PM_S1_ADDRESS || CONFIG_SOC_NRF5340_CPUAPP */ swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state)); @@ -2487,9 +2400,6 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) } } - /* cleanup secondary slots which were recognized unusable*/ - sec_slot_cleanup_if_unusable(); - #if (BOOT_IMAGE_NUMBER > 1) if (has_upgrade) { /* Iterate over all the images and verify whether the image dependencies From 9b5c2a41b2b3f93289576a8aa114def832e3058d Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 140/228] Revert "[nrf noup] sysflash: Add support for three images" This reverts commit 0952fb36679a6bc43de0325dbde9a3fc4c0fef46. --- boot/zephyr/include/sysflash/pm_sysflash.h | 82 ++++++++++------------ 1 file changed, 37 insertions(+), 45 deletions(-) diff --git a/boot/zephyr/include/sysflash/pm_sysflash.h b/boot/zephyr/include/sysflash/pm_sysflash.h index db60ddd03..377291e8b 100644 --- a/boot/zephyr/include/sysflash/pm_sysflash.h +++ b/boot/zephyr/include/sysflash/pm_sysflash.h @@ -11,19 +11,37 @@ #include #include -#include #ifndef CONFIG_SINGLE_APPLICATION_SLOT -#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) +#if (MCUBOOT_IMAGE_NUMBER == 1) + +#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID + +#elif (MCUBOOT_IMAGE_NUMBER == 2) + /* If B0 is present then two bootloaders are present, and we must use * a single secondary slot for both primary slots. */ +#if defined(PM_B0_ADDRESS) extern uint32_t _image_1_primary_slot_id[]; -#endif /* (MCUBOOT_IMAGE_NUMBER == 2 && defined(PM_B0_ADDRESS) */ +#endif +#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) -#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ - !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) +#elif defined(PM_B0_ADDRESS) #define FLASH_AREA_IMAGE_PRIMARY(x) \ ((x == 0) ? \ @@ -38,52 +56,26 @@ extern uint32_t _image_1_primary_slot_id[]; (x == 1) ? \ PM_MCUBOOT_SECONDARY_ID: \ 255 ) - -#else /* MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ - * !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) - */ - -/* Each pair of slots is separated by , and there is no terminating character */ -#define FLASH_AREA_IMAGE_0_SLOTS PM_MCUBOOT_PRIMARY_ID, PM_MCUBOOT_SECONDARY_ID -#define FLASH_AREA_IMAGE_1_SLOTS PM_MCUBOOT_PRIMARY_1_ID, PM_MCUBOOT_SECONDARY_1_ID -#define FLASH_AREA_IMAGE_2_SLOTS PM_MCUBOOT_PRIMARY_2_ID, PM_MCUBOOT_SECONDARY_2_ID - -#if (MCUBOOT_IMAGE_NUMBER == 1) -#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS -#elif (MCUBOOT_IMAGE_NUMBER == 2) -#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS, \ - FLASH_AREA_IMAGE_1_SLOTS -#elif (MCUBOOT_IMAGE_NUMBER == 3) -#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS, \ - FLASH_AREA_IMAGE_1_SLOTS, \ - FLASH_AREA_IMAGE_2_SLOTS #else -#error Unsupported number of images -#endif -static inline uint32_t __flash_area_ids_for_slot(int img, int slot) -{ - static const int all_slots[] = { - ALL_AVAILABLE_SLOTS - }; - return all_slots[img * 2 + slot]; -}; +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) -#undef FLASH_AREA_IMAGE_0_SLOTS -#undef FLASH_AREA_IMAGE_1_SLOTS -#undef FLASH_AREA_IMAGE_2_SLOTS -#undef ALL_AVAILABLE_SLOTS +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) -#define FLASH_AREA_IMAGE_PRIMARY(x) __flash_area_ids_for_slot(x, 0) -#define FLASH_AREA_IMAGE_SECONDARY(x) __flash_area_ids_for_slot(x, 1) +#endif /* PM_B0_ADDRESS */ -#if !defined(CONFIG_BOOT_SWAP_USING_MOVE) -#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID #endif - -#endif /* MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ - * !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) - */ +#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID #else /* CONFIG_SINGLE_APPLICATION_SLOT */ From a1e81f137695a62f26eb179aa86e47c6ab7b2ea2 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 141/228] Revert "[nrf noup] sysflash: Move partition manager definitions to pm_sysflash.h" This reverts commit 277c5c401ff2f9288ed774ca84c18ba83cc967f0. --- boot/zephyr/include/sysflash/pm_sysflash.h | 92 ---------------------- boot/zephyr/include/sysflash/sysflash.h | 90 +++++++++++++++++++-- 2 files changed, 85 insertions(+), 97 deletions(-) delete mode 100644 boot/zephyr/include/sysflash/pm_sysflash.h diff --git a/boot/zephyr/include/sysflash/pm_sysflash.h b/boot/zephyr/include/sysflash/pm_sysflash.h deleted file mode 100644 index 377291e8b..000000000 --- a/boot/zephyr/include/sysflash/pm_sysflash.h +++ /dev/null @@ -1,92 +0,0 @@ -/* - * Copyright (c) 2023 Nordic Semiconductor ASA - * - * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause - */ - -#ifndef __PM_SYSFLASH_H__ -#define __PM_SYSFLASH_H__ -/* Blocking the __SYSFLASH_H__ */ -#define __SYSFLASH_H__ - -#include -#include - -#ifndef CONFIG_SINGLE_APPLICATION_SLOT - -#if (MCUBOOT_IMAGE_NUMBER == 1) - -#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID - -#elif (MCUBOOT_IMAGE_NUMBER == 2) - -/* If B0 is present then two bootloaders are present, and we must use - * a single secondary slot for both primary slots. - */ -#if defined(PM_B0_ADDRESS) -extern uint32_t _image_1_primary_slot_id[]; -#endif -#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) -#elif defined(PM_B0_ADDRESS) - -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - (uint32_t)_image_1_primary_slot_id : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - 255 ) -#else - -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) - -#endif /* PM_B0_ADDRESS */ - -#endif -#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID - -#else /* CONFIG_SINGLE_APPLICATION_SLOT */ - -#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_PRIMARY_ID -/* NOTE: Scratch parition is not used by single image DFU but some of - * functions in common files reference it, so the definitions has been - * provided to allow compilation of common units. - */ -#define FLASH_AREA_IMAGE_SCRATCH 0 - -#endif /* CONFIG_SINGLE_APPLICATION_SLOT */ - -#endif /* __PM_SYSFLASH_H__ */ diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index f231c3d02..8b47a32b5 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h @@ -4,15 +4,93 @@ * SPDX-License-Identifier: Apache-2.0 */ -#if USE_PARTITION_MANAGER -/* Blocking the rest of the file */ +#ifndef __SYSFLASH_H__ #define __SYSFLASH_H__ -#include + +#if USE_PARTITION_MANAGER +#include +#include + +#ifndef CONFIG_SINGLE_APPLICATION_SLOT + +#if (MCUBOOT_IMAGE_NUMBER == 1) + +#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID + +#elif (MCUBOOT_IMAGE_NUMBER == 2) + +/* If B0 is present then two bootloaders are present, and we must use + * a single secondary slot for both primary slots. + */ +#if defined(PM_B0_ADDRESS) +extern uint32_t _image_1_primary_slot_id[]; #endif +#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) +#elif defined(PM_B0_ADDRESS) + +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + (uint32_t)_image_1_primary_slot_id : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + 255 ) +#else + +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) + +#endif /* PM_B0_ADDRESS */ -#ifndef __SYSFLASH_H__ -#define __SYSFLASH_H__ +#endif +#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID + +#else /* CONFIG_SINGLE_APPLICATION_SLOT */ + +#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_PRIMARY_ID +/* NOTE: Scratch parition is not used by single image DFU but some of + * functions in common files reference it, so the definitions has been + * provided to allow compilation of common units. + */ +#define FLASH_AREA_IMAGE_SCRATCH 0 + +#endif /* CONFIG_SINGLE_APPLICATION_SLOT */ +#else + +#include #include #include #include @@ -71,4 +149,6 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #endif /* CONFIG_SINGLE_APPLICATION_SLOT */ +#endif /* USE_PARTITION_MANAGER */ + #endif /* __SYSFLASH_H__ */ From 7b82725e59edb85bbb5dbf6b4e862ee64f3c9a26 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 142/228] Revert "[nrf noup] boot: Add support for NSIB and multi-image" This reverts commit f90af57904232422bbd8f16444c1b49b44834587. --- boot/bootutil/src/loader.c | 44 ++++++------------------- boot/zephyr/include/sysflash/sysflash.h | 19 ++--------- 2 files changed, 12 insertions(+), 51 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index c5b0c1002..2db4d2101 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1123,11 +1123,6 @@ boot_validate_slot(struct boot_loader_state *state, int slot, if (BOOT_CURR_IMG(state) == 1) { min_addr = PM_CPUNET_APP_ADDRESS; max_addr = PM_CPUNET_APP_ADDRESS + PM_CPUNET_APP_SIZE; -#ifdef PM_S1_ADDRESS - } else if (BOOT_CURR_IMG(state) == 0) { - min_addr = PM_S0_ADDRESS; - max_addr = pri_fa->fa_off + pri_fa->fa_size; -#endif } else #endif { @@ -1248,37 +1243,18 @@ boot_validated_swap_type(struct boot_loader_state *state, { const struct flash_area *primary_fa; rc = flash_area_open(flash_area_id_from_multi_image_slot( - BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT), - &primary_fa); + BOOT_CURR_IMG(state), + BOOT_PRIMARY_SLOT), + &primary_fa); + if (rc != 0) { return BOOT_SWAP_TYPE_FAIL; } - - /* Check start and end of primary slot for current image */ - if (reset_addr < primary_fa->fa_off) { -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) - const struct flash_area *nsib_fa; - - /* NSIB upgrade slot */ - rc = flash_area_open((uint32_t)_image_1_primary_slot_id, - &nsib_fa); - - if (rc != 0) { - return BOOT_SWAP_TYPE_FAIL; - } - - /* Image is placed before Primary and within the NSIB slot */ - if (reset_addr > nsib_fa->fa_off - && reset_addr < (nsib_fa->fa_off + nsib_fa->fa_size)) { - /* Set primary to be NSIB upgrade slot */ - BOOT_IMG_AREA(state, 0) = nsib_fa; - } -#else - return BOOT_SWAP_TYPE_NONE; -#endif - - } else if (reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { - /* The image in the secondary slot is not intended for any */ + /* Get start and end of primary slot for current image */ + if (reset_addr < primary_fa->fa_off || + reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { + /* The image in the secondary slot is not intended for this image + */ return BOOT_SWAP_TYPE_NONE; } } @@ -1560,7 +1536,7 @@ boot_copy_image(struct boot_loader_state *state, struct boot_status *bs) BOOT_LOG_INF("Image %d upgrade secondary slot -> primary slot", image_index); BOOT_LOG_INF("Erasing the primary slot"); - rc = flash_area_open(flash_area_get_id(BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)), + rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index), &fap_primary_slot); assert (rc == 0); diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index 8b47a32b5..b98e48bce 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h @@ -23,24 +23,9 @@ /* If B0 is present then two bootloaders are present, and we must use * a single secondary slot for both primary slots. */ -#if defined(PM_B0_ADDRESS) -extern uint32_t _image_1_primary_slot_id[]; -#endif -#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) +#ifdef PM_B0_ADDRESS -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) -#elif defined(PM_B0_ADDRESS) +extern uint32_t _image_1_primary_slot_id[]; #define FLASH_AREA_IMAGE_PRIMARY(x) \ ((x == 0) ? \ From 681c00200aeddc48dc52d2e9f77732b350d2f435 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 143/228] Revert "[nrf noup] loader: Fix missing PCD define check" This reverts commit 444a78defaa3bec84f38f1b5a46bdefadd49a435. --- boot/bootutil/src/loader.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 2db4d2101..de536855d 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1279,7 +1279,7 @@ boot_validated_swap_type(struct boot_loader_state *state, } #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) \ - && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) && defined(CONFIG_PCD_APP) + && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) /* If the update is valid, and it targets the network core: perform the * update and indicate to the caller of this function that no update is * available @@ -1307,8 +1307,7 @@ boot_validated_swap_type(struct boot_loader_state *state, swap_type = BOOT_SWAP_TYPE_NONE; } } -#endif /* CONFIG_SOC_NRF5340_CPUAPP && PM_CPUNET_B0N_ADDRESS && - !CONFIG_NRF53_MULTI_IMAGE_UPDATE && CONFIG_PCD_APP */ +#endif /* CONFIG_SOC_NRF5340_CPUAPP */ } return swap_type; From 12f02a44dda4cf1ea9fdf56f58bab060c6d8e42f Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 144/228] Revert "[nrf noup] loader: work-around for multi-image builds" This reverts commit 366116a1e3381bec6d39951b5b4a1eebccbcbcdf. --- boot/bootutil/src/loader.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index de536855d..d4d3ab298 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -482,7 +482,7 @@ boot_verify_dependencies(struct boot_loader_state *state) if (rc == 0) { /* All dependencies've been satisfied, continue with next image. */ BOOT_CURR_IMG(state)++; - } else if (rc == BOOT_EBADIMAGE) { + } else { /* Cannot upgrade due to non-met dependencies, so disable all * image upgrades. */ @@ -491,10 +491,7 @@ boot_verify_dependencies(struct boot_loader_state *state) BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_NONE; } break; - } else { - /* Other error happened, images are inconsistent */ - return rc; - } + } } return rc; } @@ -1793,6 +1790,7 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs) } #endif + /** * Performs a clean (not aborted) image update. * From efd812bad484ec12b3c387aff207d93452ca3ce3 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 145/228] Revert "[nrf noup] boot/zephyr/boards: nRF54l15pdk ext flash cfg" This reverts commit cc3462a3cbae39770c5c74e69ac2349539c7c9d3. --- .../boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf | 8 -------- .../nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay | 10 ---------- 2 files changed, 18 deletions(-) delete mode 100644 boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf delete mode 100644 boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay diff --git a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf deleted file mode 100644 index 841922dbd..000000000 --- a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf +++ /dev/null @@ -1,8 +0,0 @@ -CONFIG_MULTITHREADING=y -CONFIG_SPI=y -CONFIG_SPI_NOR=y -CONFIG_FLASH=y -CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x14000 -CONFIG_MAIN_STACK_SIZE=20480 -CONFIG_BOOT_MAX_IMG_SECTORS=512 -CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096 diff --git a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay deleted file mode 100644 index 2341ffd26..000000000 --- a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay +++ /dev/null @@ -1,10 +0,0 @@ -/ { - chosen { - nordic,pm-ext-flash = &mx25r64; - }; -}; - - -&mx25r64 { - status = "okay"; -}; From dabd36efa0bd3b9a47f09a92f3d936a539900128 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 146/228] Revert "[nrf noup] boards: thingy53: disable GPIO ISR support" This reverts commit 6c636e4394da40223340de4b87d117c2a64f97d0. --- boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf index e10656678..7d3bc0bec 100644 --- a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf +++ b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf @@ -21,7 +21,6 @@ CONFIG_UART_LINE_CTRL=y # MCUBoot serial CONFIG_GPIO=y -CONFIG_GPIO_NRFX_INTERRUPT=n CONFIG_MCUBOOT_SERIAL=y CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y CONFIG_BOOT_SERIAL_CDC_ACM=y From 1c23f38493f505ec880b0a12c70ff001473679e8 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 147/228] =?UTF-8?q?Revert=20"[nrf=20noup]=C2=A0loader:=20A?= =?UTF-8?q?dd=20firmware=20version=20check=20downgrade=20prevention"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit 45f9b8e1f1c738f21b3b5909a6d1a159d5243143. --- boot/bootutil/src/loader.c | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index d4d3ab298..511165f37 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -51,10 +51,6 @@ #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) #include -#ifdef CONFIG_PCD_READ_NETCORE_APP_VERSION -#include -int pcd_version_cmp_net(const struct flash_area *fap, struct image_header *hdr); -#endif #endif #ifdef MCUBOOT_ENC_IMAGES @@ -1032,21 +1028,9 @@ boot_validate_slot(struct boot_loader_state *state, int slot, #if defined(MCUBOOT_OVERWRITE_ONLY) && defined(MCUBOOT_DOWNGRADE_PREVENTION) if (slot != BOOT_PRIMARY_SLOT) { /* Check if version of secondary slot is sufficient */ - -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) \ - && defined(CONFIG_PCD_APP) && defined(CONFIG_PCD_READ_NETCORE_APP_VERSION) - if (BOOT_CURR_IMG(state) == 1) { - rc = pcd_version_cmp_net(fap, boot_img_hdr(state, BOOT_SECONDARY_SLOT)); - } else { - rc = boot_version_cmp( - &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, - &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); - } -#else - rc = boot_version_cmp( - &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, - &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); -#endif + rc = boot_version_cmp( + &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, + &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); if (rc < 0 && boot_check_header_erased(state, BOOT_PRIMARY_SLOT)) { BOOT_LOG_ERR("insufficient version in secondary slot"); flash_area_erase(fap, 0, flash_area_get_size(fap)); From d511de7cb5b2cd2790da36f0384a1a5314712f1f Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 148/228] Revert "[nrf noup] zephyr: Boot even if EXT_ABI is not provided" This reverts commit 72947ce77e53f17238594012c57ca7d2cb24934c. --- boot/zephyr/main.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 7330a164b..82763843d 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -206,16 +206,13 @@ static void do_boot(struct boot_rsp *rsp) #endif #if defined(CONFIG_FW_INFO) && !defined(CONFIG_EXT_API_PROVIDE_EXT_API_UNUSED) - const struct fw_info *firmware_info = fw_info_find((uint32_t) vt); - bool provided = fw_info_ext_api_provide(firmware_info, true); + bool provided = fw_info_ext_api_provide(fw_info_find((uint32_t)vt), true); #ifdef PM_S0_ADDRESS /* Only fail if the immutable bootloader is present. */ if (!provided) { - if (firmware_info == NULL) { - BOOT_LOG_WRN("Unable to find firmware info structure in %p", vt); - } - BOOT_LOG_ERR("Failed to provide EXT_APIs to %p", vt); + BOOT_LOG_ERR("Failed to provide EXT_APIs\n"); + return; } #endif #endif From 714bed20114da773723212c69f6988ae98f92ee1 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 149/228] Revert "[nrf noup] zephyr: Add RAM flash configuration to cache for sysbuild" This reverts commit 9b2bbcc98515992702f1bdd54bf8a113352ff5c3. --- boot/zephyr/CMakeLists.txt | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index fdb1cf101..ec84a445c 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -644,14 +644,3 @@ zephyr_library_sources( ${BOOT_DIR}/zephyr/nrf_cleanup.c ) endif() - -if(SYSBUILD AND CONFIG_PCD_APP) - # Sysbuild requires details of the RAM flash device are stored to the cache of MCUboot so - # that they can be read when running partition manager - dt_nodelabel(ram_flash_dev NODELABEL flash_sim0) - dt_reg_addr(ram_flash_addr PATH ${ram_flash_dev}) - dt_reg_size(ram_flash_size PATH ${ram_flash_dev}) - - set(RAM_FLASH_ADDR "${ram_flash_addr}" CACHE STRING "" FORCE) - set(RAM_FLASH_SIZE "${ram_flash_size}" CACHE STRING "" FORCE) -endif() From 5c1fe37686f58f29a24053c51042fe549db9a224 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 150/228] Revert "[nrf noup] loader: Do not check reset vector for XIP image" This reverts commit 4ff3af115647a1187ae8a52d433865eb5b8779ec. --- boot/bootutil/src/loader.c | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 511165f37..ef16c5f6b 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1072,16 +1072,6 @@ boot_validate_slot(struct boot_loader_state *state, int slot, * overwriting an application written to the incorrect slot. * This feature is only supported by ARM platforms. */ -#if MCUBOOT_IMAGE_NUMBER >= 3 - /* Currently the MCUboot can be configured for up to 3 image, where image number 2 is - * designated for XIP, where it is the second part of image stored in slots of image - * 0. This part of image is not bootable, as the XIP setup is done by the app in - * image 0 slot, and it does not carry the reset vector. - */ - if (area_id == FLASH_AREA_IMAGE_SECONDARY(2)) { - goto out; - } -#endif if (area_id == FLASH_AREA_IMAGE_SECONDARY(BOOT_CURR_IMG(state))) { const struct flash_area *pri_fa = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT); struct image_header *secondary_hdr = boot_img_hdr(state, slot); From 256d159cac73502a8d386aabfe2b3f06e2091eb0 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 151/228] Revert "[nrf noup] loader: Fix reading reset addr to support ext flash" This reverts commit 85b9daefc0bdbf883ad82f97bc8959135dafd82b. --- boot/bootutil/src/loader.c | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index ef16c5f6b..e332dc729 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1189,9 +1189,10 @@ boot_validated_swap_type(struct boot_loader_state *state, #if defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) const struct flash_area *secondary_fa = BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); - struct image_header *hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); + struct image_header *hdr = (struct image_header *)secondary_fa->fa_off; + uint32_t vtable_addr = 0; + uint32_t *vtable = 0; uint32_t reset_addr = 0; - int rc = 0; /* Patch needed for NCS. Since image 0 (the app) and image 1 (the other * B1 slot S0 or S1) share the same secondary slot, we need to check * whether the update candidate in the secondary slot is intended for @@ -1201,19 +1202,16 @@ boot_validated_swap_type(struct boot_loader_state *state, */ if (hdr->ih_magic == IMAGE_MAGIC) { - rc = flash_area_read(secondary_fa, hdr->ih_hdr_size + - sizeof(uint32_t), &reset_addr, - sizeof(reset_addr)); - if (rc != 0) { - return BOOT_SWAP_TYPE_FAIL; - } + vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; + vtable = (uint32_t *)(vtable_addr); + reset_addr = vtable[1]; #ifdef PM_S1_ADDRESS #ifdef PM_CPUNET_B0N_ADDRESS if(reset_addr < PM_CPUNET_B0N_ADDRESS) #endif { const struct flash_area *primary_fa; - rc = flash_area_open(flash_area_id_from_multi_image_slot( + int rc = flash_area_open(flash_area_id_from_multi_image_slot( BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT), &primary_fa); @@ -1249,19 +1247,16 @@ boot_validated_swap_type(struct boot_loader_state *state, upgrade_valid = true; } -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) \ - && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) /* If the update is valid, and it targets the network core: perform the * update and indicate to the caller of this function that no update is * available */ if (upgrade_valid && reset_addr > PM_CPUNET_B0N_ADDRESS) { - struct image_header *hdr = (struct image_header *)secondary_fa->fa_off; - uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; - uint32_t *net_core_fw_addr = (uint32_t *)(vtable_addr); uint32_t fw_size = hdr->ih_img_size; + BOOT_LOG_INF("Starting network core update"); - rc = pcd_network_core_update(net_core_fw_addr, fw_size); + int rc = pcd_network_core_update(vtable, fw_size); if (rc != 0) { swap_type = BOOT_SWAP_TYPE_FAIL; From 7dfd88e06f6e6ab0c5a6f9f67f6739c8d0dc985e Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 152/228] Revert "[nrf noup] zephyr: Clean up non-secure RAM if enabled" This reverts commit a5c6d2e418c621d6e008265ed6c950caa7ac7f0a. --- boot/zephyr/CMakeLists.txt | 2 +- boot/zephyr/include/nrf_cleanup.h | 5 -- boot/zephyr/main.c | 5 +- boot/zephyr/nrf_cleanup.c | 79 ++++++++----------------------- 4 files changed, 22 insertions(+), 69 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index ec84a445c..abc13171b 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -639,7 +639,7 @@ if(SYSBUILD) set(mcuboot_image_upgrade_footer_size ${required_upgrade_size} CACHE INTERNAL "Estimated MCUboot update image trailer size" FORCE) endif() -if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL OR CONFIG_MCUBOOT_CLEANUP_NONSECURE_RAM) +if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL) zephyr_library_sources( ${BOOT_DIR}/zephyr/nrf_cleanup.c ) diff --git a/boot/zephyr/include/nrf_cleanup.h b/boot/zephyr/include/nrf_cleanup.h index 9e87e13f5..6b04cedfe 100644 --- a/boot/zephyr/include/nrf_cleanup.h +++ b/boot/zephyr/include/nrf_cleanup.h @@ -16,9 +16,4 @@ */ void nrf_cleanup_peripheral(void); -/** - * Perform cleanup of non-secure RAM that may have been used by MCUBoot. - */ -void nrf_cleanup_ns_ram(void); - #endif diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 82763843d..7ab35ce47 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -142,7 +142,7 @@ K_SEM_DEFINE(boot_log_sem, 1, 1); #include #endif -#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL || CONFIG_MCUBOOT_NRF_CLEANUP_NONSECURE_RAM +#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL #include #endif @@ -219,9 +219,6 @@ static void do_boot(struct boot_rsp *rsp) #if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL nrf_cleanup_peripheral(); #endif -#if CONFIG_MCUBOOT_NRF_CLEANUP_NONSECURE_RAM && defined(PM_SRAM_NONSECURE_NAME) - nrf_cleanup_ns_ram(); -#endif #if CONFIG_MCUBOOT_CLEANUP_ARM_CORE cleanup_arm_nvic(); /* cleanup NVIC registers */ diff --git a/boot/zephyr/nrf_cleanup.c b/boot/zephyr/nrf_cleanup.c index 051705ec9..5bab26b24 100644 --- a/boot/zephyr/nrf_cleanup.c +++ b/boot/zephyr/nrf_cleanup.c @@ -5,8 +5,9 @@ */ #include -#include -#include +#if defined(NRF_UARTE0) || defined(NRF_UARTE1) + #include +#endif #if defined(NRF_RTC0) || defined(NRF_RTC1) || defined(NRF_RTC2) #include #endif @@ -19,15 +20,6 @@ #include -#if USE_PARTITION_MANAGER -#include -#endif - -#if defined(NRF_UARTE0) || defined(NRF_UARTE1) || defined(NRF_UARTE20) || \ - defined(NRF_UARTE30) -#define NRF_UARTE_CLEANUP -#endif - #define NRF_UARTE_SUBSCRIBE_CONF_OFFS offsetof(NRF_UARTE_Type, SUBSCRIBE_STARTRX) #define NRF_UARTE_SUBSCRIBE_CONF_SIZE (offsetof(NRF_UARTE_Type, EVENTS_CTS) -\ NRF_UARTE_SUBSCRIBE_CONF_OFFS) @@ -45,23 +37,6 @@ static inline void nrf_cleanup_rtc(NRF_RTC_Type * rtc_reg) } #endif -#if defined(NRF_UARTE_CLEANUP) -static NRF_UARTE_Type *nrf_uarte_to_clean[] = { -#if defined(NRF_UARTE0) - NRF_UARTE0, -#endif -#if defined(NRF_UARTE1) - NRF_UARTE1, -#endif -#if defined(NRF_UARTE20) - NRF_UARTE20, -#endif -#if defined(NRF_UARTE30) - NRF_UARTE30, -#endif -}; -#endif - static void nrf_cleanup_clock(void) { nrf_clock_int_disable(NRF_CLOCK, 0xFFFFFFFF); @@ -78,31 +53,26 @@ void nrf_cleanup_peripheral(void) #if defined(NRF_RTC2) nrf_cleanup_rtc(NRF_RTC2); #endif - -#if defined(NRF_UARTE_CLEANUP) - for (int i = 0; i < sizeof(nrf_uarte_to_clean) / sizeof(nrf_uarte_to_clean[0]); ++i) { - NRF_UARTE_Type *current = nrf_uarte_to_clean[i]; - - nrfy_uarte_int_disable(current, 0xFFFFFFFF); - nrfy_uarte_int_uninit(current); - nrfy_uarte_task_trigger(current, NRF_UARTE_TASK_STOPRX); - - nrfy_uarte_event_clear(current, NRF_UARTE_EVENT_RXSTARTED); - nrfy_uarte_event_clear(current, NRF_UARTE_EVENT_ENDRX); - nrfy_uarte_event_clear(current, NRF_UARTE_EVENT_RXTO); - nrfy_uarte_disable(current); - +#if defined(NRF_UARTE0) + nrf_uarte_disable(NRF_UARTE0); + nrf_uarte_int_disable(NRF_UARTE0, 0xFFFFFFFF); #if defined(NRF_DPPIC) - /* Clear all SUBSCRIBE configurations. */ - memset((uint8_t *)current + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, - NRF_UARTE_SUBSCRIBE_CONF_SIZE); - /* Clear all PUBLISH configurations. */ - memset((uint8_t *)current + NRF_UARTE_PUBLISH_CONF_OFFS, 0, - NRF_UARTE_PUBLISH_CONF_SIZE); + /* Clear all SUBSCRIBE configurations. */ + memset((uint8_t *)NRF_UARTE0 + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, NRF_UARTE_SUBSCRIBE_CONF_SIZE); + /* Clear all PUBLISH configurations. */ + memset((uint8_t *)NRF_UARTE0 + NRF_UARTE_PUBLISH_CONF_OFFS, 0, NRF_UARTE_PUBLISH_CONF_SIZE); +#endif +#endif +#if defined(NRF_UARTE1) + nrf_uarte_disable(NRF_UARTE1); + nrf_uarte_int_disable(NRF_UARTE1, 0xFFFFFFFF); +#if defined(NRF_DPPIC) + /* Clear all SUBSCRIBE configurations. */ + memset((uint8_t *)NRF_UARTE1 + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, NRF_UARTE_SUBSCRIBE_CONF_SIZE); + /* Clear all PUBLISH configurations. */ + memset((uint8_t *)NRF_UARTE1 + NRF_UARTE_PUBLISH_CONF_OFFS, 0, NRF_UARTE_PUBLISH_CONF_SIZE); #endif - } #endif - #if defined(NRF_PPI) nrf_ppi_channels_disable_all(NRF_PPI); #endif @@ -111,12 +81,3 @@ void nrf_cleanup_peripheral(void) #endif nrf_cleanup_clock(); } - -#if USE_PARTITION_MANAGER \ - && defined(CONFIG_ARM_TRUSTZONE_M) \ - && defined(PM_SRAM_NONSECURE_NAME) -void nrf_cleanup_ns_ram(void) -{ - memset((void *) PM_SRAM_NONSECURE_ADDRESS, 0, PM_SRAM_NONSECURE_SIZE); -} -#endif From 4463b2de6a9ae5b0b8290a2455232a7f8be95860 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 153/228] Revert "[nrf noup] zephyr: clean peripherals state before boot" This reverts commit 62d5f7b7057ffa148934f6b79f562ae733001507. --- boot/zephyr/CMakeLists.txt | 6 --- boot/zephyr/include/nrf_cleanup.h | 19 ------- boot/zephyr/main.c | 8 +-- boot/zephyr/nrf_cleanup.c | 83 ------------------------------- 4 files changed, 1 insertion(+), 115 deletions(-) delete mode 100644 boot/zephyr/include/nrf_cleanup.h delete mode 100644 boot/zephyr/nrf_cleanup.c diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index abc13171b..3571d22d5 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -638,9 +638,3 @@ if(SYSBUILD) set(mcuboot_image_footer_size ${required_size} CACHE INTERNAL "Estimated MCUboot image trailer size" FORCE) set(mcuboot_image_upgrade_footer_size ${required_upgrade_size} CACHE INTERNAL "Estimated MCUboot update image trailer size" FORCE) endif() - -if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL) -zephyr_library_sources( - ${BOOT_DIR}/zephyr/nrf_cleanup.c -) -endif() diff --git a/boot/zephyr/include/nrf_cleanup.h b/boot/zephyr/include/nrf_cleanup.h deleted file mode 100644 index 6b04cedfe..000000000 --- a/boot/zephyr/include/nrf_cleanup.h +++ /dev/null @@ -1,19 +0,0 @@ -/* - * Copyright (c) 2020 Nordic Semiconductor ASA - * - * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause - */ - -#ifndef H_NRF_CLEANUP_ -#define H_NRF_CLEANUP_ - -/** - * Perform cleanup on some peripheral resources used by MCUBoot prior chainload - * the application. - * - * This function disables all RTC instances and UARTE instances. - * It Disables their interrupts signals as well. - */ -void nrf_cleanup_peripheral(void); - -#endif diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 7ab35ce47..fc8e8c40a 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -142,10 +142,6 @@ K_SEM_DEFINE(boot_log_sem, 1, 1); #include #endif -#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL -#include -#endif - BOOT_LOG_MODULE_REGISTER(mcuboot); void os_heap_init(void); @@ -216,9 +212,7 @@ static void do_boot(struct boot_rsp *rsp) } #endif #endif -#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL - nrf_cleanup_peripheral(); -#endif + #if CONFIG_MCUBOOT_CLEANUP_ARM_CORE cleanup_arm_nvic(); /* cleanup NVIC registers */ diff --git a/boot/zephyr/nrf_cleanup.c b/boot/zephyr/nrf_cleanup.c deleted file mode 100644 index 5bab26b24..000000000 --- a/boot/zephyr/nrf_cleanup.c +++ /dev/null @@ -1,83 +0,0 @@ -/* - * Copyright (c) 2020 Nordic Semiconductor ASA - * - * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause - */ - -#include -#if defined(NRF_UARTE0) || defined(NRF_UARTE1) - #include -#endif -#if defined(NRF_RTC0) || defined(NRF_RTC1) || defined(NRF_RTC2) - #include -#endif -#if defined(NRF_PPI) - #include -#endif -#if defined(NRF_DPPIC) - #include -#endif - -#include - -#define NRF_UARTE_SUBSCRIBE_CONF_OFFS offsetof(NRF_UARTE_Type, SUBSCRIBE_STARTRX) -#define NRF_UARTE_SUBSCRIBE_CONF_SIZE (offsetof(NRF_UARTE_Type, EVENTS_CTS) -\ - NRF_UARTE_SUBSCRIBE_CONF_OFFS) - -#define NRF_UARTE_PUBLISH_CONF_OFFS offsetof(NRF_UARTE_Type, PUBLISH_CTS) -#define NRF_UARTE_PUBLISH_CONF_SIZE (offsetof(NRF_UARTE_Type, SHORTS) -\ - NRF_UARTE_PUBLISH_CONF_OFFS) - -#if defined(NRF_RTC0) || defined(NRF_RTC1) || defined(NRF_RTC2) -static inline void nrf_cleanup_rtc(NRF_RTC_Type * rtc_reg) -{ - nrf_rtc_task_trigger(rtc_reg, NRF_RTC_TASK_STOP); - nrf_rtc_event_disable(rtc_reg, 0xFFFFFFFF); - nrf_rtc_int_disable(rtc_reg, 0xFFFFFFFF); -} -#endif - -static void nrf_cleanup_clock(void) -{ - nrf_clock_int_disable(NRF_CLOCK, 0xFFFFFFFF); -} - -void nrf_cleanup_peripheral(void) -{ -#if defined(NRF_RTC0) - nrf_cleanup_rtc(NRF_RTC0); -#endif -#if defined(NRF_RTC1) - nrf_cleanup_rtc(NRF_RTC1); -#endif -#if defined(NRF_RTC2) - nrf_cleanup_rtc(NRF_RTC2); -#endif -#if defined(NRF_UARTE0) - nrf_uarte_disable(NRF_UARTE0); - nrf_uarte_int_disable(NRF_UARTE0, 0xFFFFFFFF); -#if defined(NRF_DPPIC) - /* Clear all SUBSCRIBE configurations. */ - memset((uint8_t *)NRF_UARTE0 + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, NRF_UARTE_SUBSCRIBE_CONF_SIZE); - /* Clear all PUBLISH configurations. */ - memset((uint8_t *)NRF_UARTE0 + NRF_UARTE_PUBLISH_CONF_OFFS, 0, NRF_UARTE_PUBLISH_CONF_SIZE); -#endif -#endif -#if defined(NRF_UARTE1) - nrf_uarte_disable(NRF_UARTE1); - nrf_uarte_int_disable(NRF_UARTE1, 0xFFFFFFFF); -#if defined(NRF_DPPIC) - /* Clear all SUBSCRIBE configurations. */ - memset((uint8_t *)NRF_UARTE1 + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, NRF_UARTE_SUBSCRIBE_CONF_SIZE); - /* Clear all PUBLISH configurations. */ - memset((uint8_t *)NRF_UARTE1 + NRF_UARTE_PUBLISH_CONF_OFFS, 0, NRF_UARTE_PUBLISH_CONF_SIZE); -#endif -#endif -#if defined(NRF_PPI) - nrf_ppi_channels_disable_all(NRF_PPI); -#endif -#if defined(NRF_DPPIC) - nrf_dppi_channels_disable_all(NRF_DPPIC); -#endif - nrf_cleanup_clock(); -} From 7ed8d2654e66a449f12761156501ed62bf923f27 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 154/228] Revert "[nrf noup] boot: nrf53-specific customizations" This reverts commit 9b3b8d293289d188c75a3303ea23dc666be47052. --- boot/bootutil/src/loader.c | 96 +++++-------------- .../boards/thingy53_nrf5340_cpuapp.conf | 74 +------------- boot/zephyr/include/sysflash/sysflash.h | 23 ----- boot/zephyr/main.c | 7 -- boot/zephyr/pm.yml | 13 --- 5 files changed, 28 insertions(+), 185 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index e332dc729..86da6db6c 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -49,10 +49,6 @@ #include "bootutil/boot_hooks.h" #include "bootutil/mcuboot_status.h" -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) -#include -#endif - #ifdef MCUBOOT_ENC_IMAGES #include "bootutil/enc_key.h" #endif @@ -1184,15 +1180,7 @@ boot_validated_swap_type(struct boot_loader_state *state, { int swap_type; FIH_DECLARE(fih_rc, FIH_FAILURE); - bool upgrade_valid = false; - -#if defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) - const struct flash_area *secondary_fa = - BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); - struct image_header *hdr = (struct image_header *)secondary_fa->fa_off; - uint32_t vtable_addr = 0; - uint32_t *vtable = 0; - uint32_t reset_addr = 0; +#ifdef PM_S1_ADDRESS /* Patch needed for NCS. Since image 0 (the app) and image 1 (the other * B1 slot S0 or S1) share the same secondary slot, we need to check * whether the update candidate in the secondary slot is intended for @@ -1200,36 +1188,34 @@ boot_validated_swap_type(struct boot_loader_state *state, * vector. Note that there are good reasons for not using img_num from * the swap info. */ + const struct flash_area *secondary_fa = + BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); + struct image_header *hdr = + (struct image_header *)secondary_fa->fa_off; if (hdr->ih_magic == IMAGE_MAGIC) { - vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; - vtable = (uint32_t *)(vtable_addr); - reset_addr = vtable[1]; -#ifdef PM_S1_ADDRESS -#ifdef PM_CPUNET_B0N_ADDRESS - if(reset_addr < PM_CPUNET_B0N_ADDRESS) -#endif - { - const struct flash_area *primary_fa; - int rc = flash_area_open(flash_area_id_from_multi_image_slot( - BOOT_CURR_IMG(state), - BOOT_PRIMARY_SLOT), - &primary_fa); - - if (rc != 0) { - return BOOT_SWAP_TYPE_FAIL; - } - /* Get start and end of primary slot for current image */ - if (reset_addr < primary_fa->fa_off || - reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { - /* The image in the secondary slot is not intended for this image - */ - return BOOT_SWAP_TYPE_NONE; - } - } -#endif /* PM_S1_ADDRESS */ + const struct flash_area *primary_fa; + uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; + uint32_t *vtable = (uint32_t *)(vtable_addr); + uint32_t reset_addr = vtable[1]; + int rc = flash_area_open( + flash_area_id_from_multi_image_slot( + BOOT_CURR_IMG(state), + BOOT_PRIMARY_SLOT), + &primary_fa); + + if (rc != 0) { + return BOOT_SWAP_TYPE_FAIL; + } + /* Get start and end of primary slot for current image */ + if (reset_addr < primary_fa->fa_off || + reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { + /* The image in the secondary slot is not intended for this image + */ + return BOOT_SWAP_TYPE_NONE; + } } -#endif /* PM_S1_ADDRESS || CONFIG_SOC_NRF5340_CPUAPP */ +#endif swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state)); if (BOOT_IS_UPGRADE(swap_type)) { @@ -1243,37 +1229,7 @@ boot_validated_swap_type(struct boot_loader_state *state, } else { swap_type = BOOT_SWAP_TYPE_FAIL; } - } else { - upgrade_valid = true; - } - -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) - /* If the update is valid, and it targets the network core: perform the - * update and indicate to the caller of this function that no update is - * available - */ - if (upgrade_valid && reset_addr > PM_CPUNET_B0N_ADDRESS) { - uint32_t fw_size = hdr->ih_img_size; - - BOOT_LOG_INF("Starting network core update"); - int rc = pcd_network_core_update(vtable, fw_size); - - if (rc != 0) { - swap_type = BOOT_SWAP_TYPE_FAIL; - } else { - BOOT_LOG_INF("Done updating network core"); -#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) - /* swap_erase_trailer_sectors is undefined if upgrade only - * method is used. There is no need to erase sectors, because - * the image cannot be reverted. - */ - rc = swap_erase_trailer_sectors(state, - secondary_fa); -#endif - swap_type = BOOT_SWAP_TYPE_NONE; - } } -#endif /* CONFIG_SOC_NRF5340_CPUAPP */ } return swap_type; diff --git a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf index 7d3bc0bec..f2e42fd64 100644 --- a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf +++ b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf @@ -1,73 +1,3 @@ -CONFIG_SIZE_OPTIMIZATIONS=y - -CONFIG_SYSTEM_CLOCK_NO_WAIT=y -CONFIG_PM=n - -CONFIG_MAIN_STACK_SIZE=10240 -CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h" - -CONFIG_BOOT_MAX_IMG_SECTORS=2048 -CONFIG_BOOT_SIGNATURE_TYPE_RSA=y - -# Flash -CONFIG_FLASH=y -CONFIG_BOOT_ERASE_PROGRESSIVELY=y -CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y -CONFIG_FPROTECT=y - -# Serial -CONFIG_SERIAL=y -CONFIG_UART_LINE_CTRL=y - -# MCUBoot serial -CONFIG_GPIO=y -CONFIG_MCUBOOT_SERIAL=y -CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y -CONFIG_BOOT_SERIAL_CDC_ACM=y - -# Required by QSPI -CONFIG_NORDIC_QSPI_NOR=y -CONFIG_NORDIC_QSPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096 -CONFIG_NORDIC_QSPI_NOR_STACK_WRITE_BUFFER_SIZE=16 - -# Required by USB and QSPI -CONFIG_MULTITHREADING=y - -# USB -CONFIG_BOARD_SERIAL_BACKEND_CDC_ACM=n -CONFIG_USB_DEVICE_REMOTE_WAKEUP=n -CONFIG_USB_DEVICE_MANUFACTURER="Nordic Semiconductor ASA" -CONFIG_USB_DEVICE_PRODUCT="Bootloader Thingy:53" -CONFIG_USB_DEVICE_VID=0x1915 -CONFIG_USB_DEVICE_PID=0x5300 -CONFIG_USB_CDC_ACM=y - -# Decrease memory footprint -CONFIG_CBPRINTF_NANO=y -CONFIG_TIMESLICING=n -CONFIG_BOOT_BANNER=n -CONFIG_CONSOLE=n -CONFIG_CONSOLE_HANDLER=n -CONFIG_UART_CONSOLE=n -CONFIG_USE_SEGGER_RTT=n -CONFIG_LOG=n -CONFIG_ERRNO=n -CONFIG_PRINTK=n -CONFIG_RESET_ON_FATAL_ERROR=n +CONFIG_NORDIC_QSPI_NOR=n CONFIG_SPI=n -CONFIG_I2C=n -CONFIG_UART_NRFX=n - -# The following configurations are required to support simultaneous multi image update -CONFIG_PCD_APP=y -CONFIG_UPDATEABLE_IMAGE_NUMBER=2 -CONFIG_BOOT_UPGRADE_ONLY=y -# The network core cannot access external flash directly. The flash simulator must be used to -# provide a memory region that is used to forward the new firmware to the network core. -CONFIG_FLASH_SIMULATOR=y -CONFIG_FLASH_SIMULATOR_DOUBLE_WRITES=y -CONFIG_FLASH_SIMULATOR_STATS=n - -# Enable custom command to erase settings partition. -CONFIG_ENABLE_MGMT_PERUSER=y -CONFIG_BOOT_MGMT_CUSTOM_STORAGE_ERASE=y +CONFIG_MULTITHREADING=y diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index b98e48bce..4eaf0309e 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h @@ -20,11 +20,6 @@ #elif (MCUBOOT_IMAGE_NUMBER == 2) -/* If B0 is present then two bootloaders are present, and we must use - * a single secondary slot for both primary slots. - */ -#ifdef PM_B0_ADDRESS - extern uint32_t _image_1_primary_slot_id[]; #define FLASH_AREA_IMAGE_PRIMARY(x) \ @@ -40,24 +35,6 @@ extern uint32_t _image_1_primary_slot_id[]; (x == 1) ? \ PM_MCUBOOT_SECONDARY_ID: \ 255 ) -#else - -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) - -#endif /* PM_B0_ADDRESS */ - #endif #define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index fc8e8c40a..978992fa6 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -91,10 +91,6 @@ const struct boot_uart_funcs boot_funcs = { #include #endif -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) -#include -#endif - /* CONFIG_LOG_MINIMAL is the legacy Kconfig property, * replaced by CONFIG_LOG_MODE_MINIMAL. */ @@ -638,9 +634,6 @@ int main(void) ; } -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) && defined(CONFIG_PCD_APP) - pcd_lock_ram(); -#endif #endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */ ZEPHYR_BOOT_LOG_STOP(); diff --git a/boot/zephyr/pm.yml b/boot/zephyr/pm.yml index 13ffc44aa..5df9ae547 100644 --- a/boot/zephyr/pm.yml +++ b/boot/zephyr/pm.yml @@ -75,16 +75,3 @@ mcuboot_pad: #ifdef CONFIG_FPROTECT align: {start: CONFIG_FPROTECT_BLOCK_SIZE} #endif - -#if (CONFIG_NRF53_MCUBOOT_PRIMARY_1_RAM_FLASH) -mcuboot_primary_1: - region: ram_flash - size: CONFIG_NRF53_RAM_FLASH_SIZE -#endif /* CONFIG_NRF53_MULTI_IMAGE_UPDATE */ - -#if (CONFIG_NRF53_MULTI_IMAGE_UPDATE) -mcuboot_secondary_1: - region: external_flash - size: CONFIG_NRF53_RAM_FLASH_SIZE - -#endif /* CONFIG_NRF53_MULTI_IMAGE_UPDATE */ From 64c611d0c8f41d54cc1011c948849f94508e6831 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 155/228] Revert "[nrf noup] treewide: add NCS partition manager support" This reverts commit 7d603f8e56c63fea7c1fe54054daf70c8f0faac1. --- boot/bootutil/src/loader.c | 95 +++---------------------- boot/bootutil/src/swap_move.c | 13 ---- boot/bootutil/src/swap_scratch.c | 13 ---- boot/zephyr/CMakeLists.txt | 7 -- boot/zephyr/Kconfig | 2 - boot/zephyr/include/sysflash/sysflash.h | 48 ------------- boot/zephyr/include/target.h | 4 -- boot/zephyr/main.c | 45 ------------ boot/zephyr/pm.yml | 77 -------------------- boot/zephyr/prj.conf | 1 - ext/nrf/cc310_glue.h | 2 +- zephyr/module.yml | 3 +- 12 files changed, 11 insertions(+), 299 deletions(-) delete mode 100644 boot/zephyr/pm.yml diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 86da6db6c..94ec0bfc6 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -131,15 +131,6 @@ boot_read_image_headers(struct boot_loader_state *state, bool require_all, * * Failure to read any headers is a fatal error. */ -#ifdef PM_S1_ADDRESS - /* Patch needed for NCS. The primary slot of the second image - * (image 1) will not contain a valid image header until an upgrade - * of mcuboot has happened (filling S1 with the new version). - */ - if (BOOT_CURR_IMG(state) == 1 && i == 0) { - continue; - } -#endif /* PM_S1_ADDRESS */ if (i > 0 && !require_all) { return 0; } else { @@ -1080,24 +1071,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, goto out; } - uint32_t min_addr, max_addr; - -#ifdef PM_CPUNET_APP_ADDRESS - /* The primary slot for the network core is emulated in RAM. - * Its flash_area hasn't got relevant boundaries. - * Therfore need to override its boundaries for the check. - */ - if (BOOT_CURR_IMG(state) == 1) { - min_addr = PM_CPUNET_APP_ADDRESS; - max_addr = PM_CPUNET_APP_ADDRESS + PM_CPUNET_APP_SIZE; - } else -#endif - { - min_addr = pri_fa->fa_off; - max_addr = pri_fa->fa_off + pri_fa->fa_size; - } - - if (reset_value < min_addr || reset_value> (max_addr)) { + if (reset_value < pri_fa->fa_off || reset_value> (pri_fa->fa_off + pri_fa->fa_size)) { BOOT_LOG_ERR("Reset address of image in secondary slot is not in the primary slot"); BOOT_LOG_ERR("Erasing image from secondary slot"); @@ -1180,42 +1154,6 @@ boot_validated_swap_type(struct boot_loader_state *state, { int swap_type; FIH_DECLARE(fih_rc, FIH_FAILURE); -#ifdef PM_S1_ADDRESS - /* Patch needed for NCS. Since image 0 (the app) and image 1 (the other - * B1 slot S0 or S1) share the same secondary slot, we need to check - * whether the update candidate in the secondary slot is intended for - * image 0 or image 1 primary by looking at the address of the reset - * vector. Note that there are good reasons for not using img_num from - * the swap info. - */ - const struct flash_area *secondary_fa = - BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); - struct image_header *hdr = - (struct image_header *)secondary_fa->fa_off; - - if (hdr->ih_magic == IMAGE_MAGIC) { - const struct flash_area *primary_fa; - uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; - uint32_t *vtable = (uint32_t *)(vtable_addr); - uint32_t reset_addr = vtable[1]; - int rc = flash_area_open( - flash_area_id_from_multi_image_slot( - BOOT_CURR_IMG(state), - BOOT_PRIMARY_SLOT), - &primary_fa); - - if (rc != 0) { - return BOOT_SWAP_TYPE_FAIL; - } - /* Get start and end of primary slot for current image */ - if (reset_addr < primary_fa->fa_off || - reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { - /* The image in the secondary slot is not intended for this image - */ - return BOOT_SWAP_TYPE_NONE; - } - } -#endif swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state)); if (BOOT_IS_UPGRADE(swap_type)) { @@ -2436,25 +2374,15 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) } #ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT -#ifdef PM_S1_ADDRESS - /* Patch needed for NCS. Image 1 primary is the currently - * executing MCUBoot image, and is therefore already validated by NSIB and - * does not need to also be validated by MCUBoot. + FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL); + /* Check for all possible values is redundant in normal operation it + * is meant to prevent FI attack. */ - bool image_validated_by_nsib = BOOT_CURR_IMG(state) == 1; - if (!image_validated_by_nsib) -#endif - { - FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL); - /* Check for all possible values is redundant in normal operation it - * is meant to prevent FI attack. - */ - if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS) || - FIH_EQ(fih_rc, FIH_FAILURE) || - FIH_EQ(fih_rc, FIH_NO_BOOTABLE_IMAGE)) { - FIH_SET(fih_rc, FIH_FAILURE); - goto out; - } + if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS) || + FIH_EQ(fih_rc, FIH_FAILURE) || + FIH_EQ(fih_rc, FIH_NO_BOOTABLE_IMAGE)) { + FIH_SET(fih_rc, FIH_FAILURE); + goto out; } #else /* Even if we're not re-validating the primary slot, we could be booting @@ -2471,16 +2399,11 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) } #endif /* MCUBOOT_VALIDATE_PRIMARY_SLOT */ -#ifdef PM_S1_ADDRESS - if (!image_validated_by_nsib) -#endif - { rc = boot_update_hw_rollback_protection(state); if (rc != 0) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } - } rc = boot_add_shared_data(state, BOOT_PRIMARY_SLOT); if (rc != 0) { diff --git a/boot/bootutil/src/swap_move.c b/boot/bootutil/src/swap_move.c index 67bab1439..b124ff894 100644 --- a/boot/bootutil/src/swap_move.c +++ b/boot/bootutil/src/swap_move.c @@ -259,18 +259,6 @@ static int app_max_sectors(struct boot_loader_state *state) int boot_slots_compatible(struct boot_loader_state *state) { -#ifdef PM_S1_ADDRESS - /* Patch needed for NCS. In this case, image 1 primary points to the other - * B1 slot (ie S0 or S1), and image 0 primary points to the app. - * With this configuration, image 0 and image 1 share the secondary slot. - * Hence, the primary slot of image 1 will be *smaller* than image 1's - * secondary slot. This is not allowed in upstream mcuboot, so we need - * this patch to allow it. Also, all of these checks are redundant when - * partition manager is in use, and since we have the same sector size - * in all of our flash. - */ - return 1; -#else size_t num_sectors_pri; size_t num_sectors_sec; size_t sector_sz_pri = 0; @@ -338,7 +326,6 @@ boot_slots_compatible(struct boot_loader_state *state) } return 1; -#endif /* PM_S1_ADDRESS */ } #define BOOT_LOG_SWAP_STATE(area, state) \ diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c index 66dca83e9..f60109120 100644 --- a/boot/bootutil/src/swap_scratch.c +++ b/boot/bootutil/src/swap_scratch.c @@ -141,18 +141,6 @@ boot_status_internal_off(const struct boot_status *bs, int elem_sz) int boot_slots_compatible(struct boot_loader_state *state) { -#ifdef PM_S1_ADDRESS - /* Patch needed for NCS. In this case, image 1 primary points to the other - * B1 slot (ie S0 or S1), and image 0 primary points to the app. - * With this configuration, image 0 and image 1 share the secondary slot. - * Hence, the primary slot of image 1 will be *smaller* than image 1's - * secondary slot. This is not allowed in upstream mcuboot, so we need - * this patch to allow it. Also, all of these checks are redundant when - * partition manager is in use, and since we have the same sector size - * in all of our flash. - */ - return 1; -#else size_t num_sectors_primary; size_t num_sectors_secondary; size_t sz0, sz1; @@ -250,7 +238,6 @@ boot_slots_compatible(struct boot_loader_state *state) #endif return 1; -#endif /* PM_S1_ADDRESS */ } #define BOOT_LOG_SWAP_STATE(area, state) \ diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 3571d22d5..68e4c38bb 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -297,13 +297,6 @@ if(NOT CONFIG_BOOT_SIGNATURE_KEY_FILE STREQUAL "") endif() message("MCUBoot bootloader key file: ${KEY_FILE}") - set_property( - GLOBAL - PROPERTY - KEY_FILE - ${KEY_FILE} - ) - set(mcuboot_default_signature_files ${MCUBOOT_DIR}/root-ec-p256-pkcs8.pem ${MCUBOOT_DIR}/root-ec-p384.pem diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 77e1e9c37..d93014192 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -9,8 +9,6 @@ mainmenu "MCUboot configuration" comment "MCUboot-specific configuration options" -source "$(ZEPHYR_NRF_MODULE_DIR)/modules/mcuboot/boot/zephyr/Kconfig" - # Hidden option to mark a project as MCUboot config MCUBOOT default y diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index 4eaf0309e..1952950b9 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h @@ -7,52 +7,6 @@ #ifndef __SYSFLASH_H__ #define __SYSFLASH_H__ -#if USE_PARTITION_MANAGER -#include -#include - -#ifndef CONFIG_SINGLE_APPLICATION_SLOT - -#if (MCUBOOT_IMAGE_NUMBER == 1) - -#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID - -#elif (MCUBOOT_IMAGE_NUMBER == 2) - -extern uint32_t _image_1_primary_slot_id[]; - -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - (uint32_t)_image_1_primary_slot_id : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - 255 ) -#endif -#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID - -#else /* CONFIG_SINGLE_APPLICATION_SLOT */ - -#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_PRIMARY_ID -/* NOTE: Scratch parition is not used by single image DFU but some of - * functions in common files reference it, so the definitions has been - * provided to allow compilation of common units. - */ -#define FLASH_AREA_IMAGE_SCRATCH 0 - -#endif /* CONFIG_SINGLE_APPLICATION_SLOT */ - -#else - -#include #include #include #include @@ -111,6 +65,4 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #endif /* CONFIG_SINGLE_APPLICATION_SLOT */ -#endif /* USE_PARTITION_MANAGER */ - #endif /* __SYSFLASH_H__ */ diff --git a/boot/zephyr/include/target.h b/boot/zephyr/include/target.h index 40287d515..9bbfd4b19 100644 --- a/boot/zephyr/include/target.h +++ b/boot/zephyr/include/target.h @@ -8,8 +8,6 @@ #ifndef H_TARGETS_TARGET_ #define H_TARGETS_TARGET_ -#ifndef USE_PARTITION_MANAGER - #if defined(MCUBOOT_TARGET_CONFIG) /* * Target-specific definitions are permitted in legacy cases that @@ -47,6 +45,4 @@ #error "Target support is incomplete; cannot build mcuboot." #endif -#endif /* ifndef USE_PARTITION_MANAGER */ - #endif /* H_TARGETS_TARGET_ */ diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 978992fa6..c84f18a1d 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -69,10 +69,6 @@ #endif /* CONFIG_SOC_FAMILY_ESPRESSIF_ESP32 */ -#ifdef CONFIG_FW_INFO -#include -#endif - #ifdef CONFIG_MCUBOOT_SERIAL #include "boot_serial/boot_serial.h" #include "serial_adapter/serial_adapter.h" @@ -133,11 +129,6 @@ K_SEM_DEFINE(boot_log_sem, 1, 1); * !defined(ZEPHYR_LOG_MODE_MINIMAL) */ -#if USE_PARTITION_MANAGER && CONFIG_FPROTECT -#include -#include -#endif - BOOT_LOG_MODULE_REGISTER(mcuboot); void os_heap_init(void); @@ -196,19 +187,6 @@ static void do_boot(struct boot_rsp *rsp) /* Disable the USB to prevent it from firing interrupts */ usb_disable(); #endif - -#if defined(CONFIG_FW_INFO) && !defined(CONFIG_EXT_API_PROVIDE_EXT_API_UNUSED) - bool provided = fw_info_ext_api_provide(fw_info_find((uint32_t)vt), true); - -#ifdef PM_S0_ADDRESS - /* Only fail if the immutable bootloader is present. */ - if (!provided) { - BOOT_LOG_ERR("Failed to provide EXT_APIs\n"); - return; - } -#endif -#endif - #if CONFIG_MCUBOOT_CLEANUP_ARM_CORE cleanup_arm_nvic(); /* cleanup NVIC registers */ @@ -614,30 +592,7 @@ int main(void) mcuboot_status_change(MCUBOOT_STATUS_BOOTABLE_IMAGE_FOUND); -#if USE_PARTITION_MANAGER && CONFIG_FPROTECT - -#ifdef PM_S1_ADDRESS -/* MCUBoot is stored in either S0 or S1, protect both */ -#define PROTECT_SIZE (PM_MCUBOOT_PRIMARY_ADDRESS - PM_S0_ADDRESS) -#define PROTECT_ADDR PM_S0_ADDRESS -#else -/* There is only one instance of MCUBoot */ -#define PROTECT_SIZE (PM_MCUBOOT_PRIMARY_ADDRESS - PM_MCUBOOT_ADDRESS) -#define PROTECT_ADDR PM_MCUBOOT_ADDRESS -#endif - - rc = fprotect_area(PROTECT_ADDR, PROTECT_SIZE); - - if (rc != 0) { - BOOT_LOG_ERR("Protect mcuboot flash failed, cancel startup."); - while (1) - ; - } - -#endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */ - ZEPHYR_BOOT_LOG_STOP(); - do_boot(&rsp); mcuboot_status_change(MCUBOOT_STATUS_BOOT_FAILED); diff --git a/boot/zephyr/pm.yml b/boot/zephyr/pm.yml deleted file mode 100644 index 5df9ae547..000000000 --- a/boot/zephyr/pm.yml +++ /dev/null @@ -1,77 +0,0 @@ -#include - -mcuboot: - size: CONFIG_PM_PARTITION_SIZE_MCUBOOT - placement: - before: [mcuboot_primary] -#if defined(CONFIG_HIDE_CHILD_PARENT_CONFIG) - align: {end: 0x1000} -#endif - -mcuboot_primary_app: - # All images to be placed in MCUboot's slot 0 should be placed in this - # partition - span: [app] - -mcuboot_primary: - span: [mcuboot_pad, mcuboot_primary_app] - -# Partition for secondary slot is not created if building in single application -# slot configuration. -#if !defined(CONFIG_SINGLE_APPLICATION_SLOT) && !defined(CONFIG_BOOT_DIRECT_XIP) -mcuboot_secondary: - share_size: [mcuboot_primary] -#if defined(CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY) - region: external_flash - placement: - align: {start: 4} -#else - placement: - align: {start: CONFIG_FPROTECT_BLOCK_SIZE} - align_next: CONFIG_FPROTECT_BLOCK_SIZE # Ensure that the next partition does not interfere with this image - after: mcuboot_primary -#endif /* CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY */ - -#endif /* !defined(CONFIG_SINGLE_APPLICATION_SLOT) && !defined(CONFIG_BOOT_DIRECT_XIP) */ - -#if CONFIG_BOOT_DIRECT_XIP - -# Direct XIP is enabled, reserve area for metadata (padding) and name the -# partition so that its clear that it is not the secondary slot, but the direct -# XIP alternative. - -mcuboot_secondary_pad: - share_size: mcuboot_pad - placement: - after: mcuboot_primary - align: {start: CONFIG_FPROTECT_BLOCK_SIZE} - -mcuboot_secondary_app: - share_size: mcuboot_primary_app - placement: - after: mcuboot_secondary_pad - -mcuboot_secondary: - span: [mcuboot_secondary_pad, mcuboot_secondary_app] - -#endif /* CONFIG_BOOT_DIRECT_XIP */ - -#if CONFIG_BOOT_SWAP_USING_SCRATCH -mcuboot_scratch: - size: CONFIG_PM_PARTITION_SIZE_MCUBOOT_SCRATCH - placement: - after: app - align: {start: CONFIG_FPROTECT_BLOCK_SIZE} -#endif /* CONFIG_BOOT_SWAP_USING_SCRATCH */ - -# Padding placed before image to boot. This reserves space for the MCUboot image header -# and it ensures that the boot image gets linked with the correct address offset in flash. -mcuboot_pad: - # MCUboot pad must be placed before the primary application partition. - # The primary application partition includes the secure firmware if present. - size: CONFIG_PM_PARTITION_SIZE_MCUBOOT_PAD - placement: - before: [mcuboot_primary_app] -#ifdef CONFIG_FPROTECT - align: {start: CONFIG_FPROTECT_BLOCK_SIZE} -#endif diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 23b5f3b93..58cb2ae35 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -19,7 +19,6 @@ CONFIG_BOOT_BOOTSTRAP=n # CONFIG_TINYCRYPT_SHA256 is not set CONFIG_FLASH=y -CONFIG_FPROTECT=y ### Various Zephyr boards enable features that we don't want. # CONFIG_BT is not set diff --git a/ext/nrf/cc310_glue.h b/ext/nrf/cc310_glue.h index 22eb94911..ed3ed5c00 100644 --- a/ext/nrf/cc310_glue.h +++ b/ext/nrf/cc310_glue.h @@ -22,7 +22,7 @@ #include #include #include -#include +#include #include /* diff --git a/zephyr/module.yml b/zephyr/module.yml index 9360dbf70..014a21956 100644 --- a/zephyr/module.yml +++ b/zephyr/module.yml @@ -1,6 +1,5 @@ samples: - boot/zephyr build: - cmake-ext: True - kconfig-ext: True + cmake: ./boot/bootutil/zephyr sysbuild-cmake: boot/zephyr/sysbuild From e8a0325ebaf78c675616630c5ed0f29b59b19e25 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 156/228] Revert "[nrf noup] boards: thingy91x: add board config" This reverts commit 7a4b0a8d7c3eafa7cf04aa02b9d590f2dd56fd23. --- .../boards/thingy91x_nrf5340_cpuapp.conf | 54 ------------------- boot/zephyr/boards/thingy91x_nrf9151.conf | 8 --- 2 files changed, 62 deletions(-) delete mode 100644 boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf delete mode 100644 boot/zephyr/boards/thingy91x_nrf9151.conf diff --git a/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf deleted file mode 100644 index 72dfa7fca..000000000 --- a/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf +++ /dev/null @@ -1,54 +0,0 @@ -# MCUBoot settings -CONFIG_BOOT_MAX_IMG_SECTORS=110 - -# MCUboot serial recovery -CONFIG_MCUBOOT_SERIAL=y - -# Disable Zephyr console -CONFIG_LOG=n -CONFIG_CONSOLE=n -CONFIG_CONSOLE_HANDLER=n -CONFIG_UART_CONSOLE=n - -# Serial -CONFIG_SERIAL=y -CONFIG_UART_NRFX=y -CONFIG_UART_INTERRUPT_DRIVEN=y -CONFIG_UART_LINE_CTRL=y - -# MCUboot serial recovery -CONFIG_GPIO=y -CONFIG_MCUBOOT_SERIAL=y -CONFIG_BOOT_SERIAL_CDC_ACM=y - -# Required by USB -CONFIG_MULTITHREADING=y - -# USB -CONFIG_USB_DEVICE_STACK=y -CONFIG_USB_DEVICE_PRODUCT="MCUBOOT" -CONFIG_USB_CDC_ACM=y -CONFIG_USB_COMPOSITE_DEVICE=y -CONFIG_USB_MASS_STORAGE=n -CONFIG_USB_DEVICE_MANUFACTURER="Nordic Semiconductor" -CONFIG_USB_DEVICE_VID=0x1915 -CONFIG_USB_DEVICE_PID=0x520F - -CONFIG_BOOT_SERIAL_BOOT_MODE=y - -CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x13E00 - -# The following configurations are required to support simultaneous multi image update -CONFIG_PCD_APP=y -CONFIG_UPDATEABLE_IMAGE_NUMBER=2 -CONFIG_BOOT_UPGRADE_ONLY=y -# The network core cannot access external flash directly. The flash simulator must be used to -# provide a memory region that is used to forward the new firmware to the network core. -CONFIG_FLASH_SIMULATOR=y -CONFIG_FLASH_SIMULATOR_DOUBLE_WRITES=y -CONFIG_FLASH_SIMULATOR_STATS=n - -CONFIG_BOOT_IMAGE_ACCESS_HOOKS=y -CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y - -CONFIG_NRF53_RECOVERY_NETWORK_CORE=y diff --git a/boot/zephyr/boards/thingy91x_nrf9151.conf b/boot/zephyr/boards/thingy91x_nrf9151.conf deleted file mode 100644 index 33cd3301c..000000000 --- a/boot/zephyr/boards/thingy91x_nrf9151.conf +++ /dev/null @@ -1,8 +0,0 @@ -# MCUBoot settings -CONFIG_BOOT_MAX_IMG_SECTORS=512 - -CONFIG_SPI=y -CONFIG_SPI_NOR=y -CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096 -CONFIG_SPI_NOR_SFDP_DEVICETREE=y -CONFIG_MULTITHREADING=y From 0fbbaa7a8c03cab3e8dbc6a4b277e55be2b673a4 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 157/228] Revert "[nrf noup] zephyr: Restore default RTC user channel count" This reverts commit 782c4a1d400b215c2c659271431401a23ca2c22a. --- boot/zephyr/prj.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 58cb2ae35..851c133ec 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -35,4 +35,3 @@ CONFIG_MCUBOOT_LOG_LEVEL_INF=y CONFIG_CBPRINTF_NANO=y ### Use the minimal C library to reduce flash usage CONFIG_MINIMAL_LIBC=y -CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT=0 From c9a6970609c7e8800450a265a604e0bd54f7946b Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 158/228] Revert "[nrf noup] boards: add support for Thingy:91" This reverts commit 3f63c19769a852f6cf9cb1e52605a4907fd0f93c. --- boot/zephyr/boards/thingy91_nrf52840.conf | 34 ----------------------- boot/zephyr/boards/thingy91_nrf9160.conf | 13 --------- 2 files changed, 47 deletions(-) delete mode 100644 boot/zephyr/boards/thingy91_nrf52840.conf delete mode 100644 boot/zephyr/boards/thingy91_nrf9160.conf diff --git a/boot/zephyr/boards/thingy91_nrf52840.conf b/boot/zephyr/boards/thingy91_nrf52840.conf deleted file mode 100644 index c0d183401..000000000 --- a/boot/zephyr/boards/thingy91_nrf52840.conf +++ /dev/null @@ -1,34 +0,0 @@ -# Disable Zephyr console -CONFIG_LOG=n -CONFIG_CONSOLE=n -CONFIG_CONSOLE_HANDLER=n -CONFIG_UART_CONSOLE=n - -# The build won't fit on the partition allocated for it without size -# optimizations. -CONFIG_SIZE_OPTIMIZATIONS=y -CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x12000 - -# Serial -CONFIG_SERIAL=y -CONFIG_UART_NRFX=y -CONFIG_UART_INTERRUPT_DRIVEN=y -CONFIG_UART_LINE_CTRL=y - -# MCUboot serial recovery -CONFIG_GPIO=y -CONFIG_MCUBOOT_SERIAL=y -CONFIG_BOOT_SERIAL_CDC_ACM=y - -# Required by USB -CONFIG_MULTITHREADING=y - -# USB -CONFIG_USB_DEVICE_STACK=y -CONFIG_USB_DEVICE_PRODUCT="MCUBOOT" -CONFIG_USB_CDC_ACM=y -CONFIG_USB_COMPOSITE_DEVICE=y -CONFIG_USB_MASS_STORAGE=n -CONFIG_USB_DEVICE_MANUFACTURER="Nordic Semiconductor" -CONFIG_USB_DEVICE_VID=0x1915 -CONFIG_USB_DEVICE_PID=0x520F diff --git a/boot/zephyr/boards/thingy91_nrf9160.conf b/boot/zephyr/boards/thingy91_nrf9160.conf deleted file mode 100644 index 1bf2e424d..000000000 --- a/boot/zephyr/boards/thingy91_nrf9160.conf +++ /dev/null @@ -1,13 +0,0 @@ -# Disable Zephyr console -CONFIG_CONSOLE=n -CONFIG_CONSOLE_HANDLER=n -CONFIG_UART_CONSOLE=n - -# Disable Flash protection -CONFIG_FPROTECT=n - -# MCUBoot settings -CONFIG_BOOT_MAX_IMG_SECTORS=256 - -# MCUboot serial recovery -CONFIG_MCUBOOT_SERIAL=y From 3b11afc1db719d73b831c4bcaa4f5807deacaadf Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 159/228] Revert "[nrf noup] zephyr: add 'minimal' configuration files" This reverts commit f973fc6cee6313c39041bd81810832b3dc96f0da. --- .../nrf5340dk_nrf5340_cpuapp_minimal.conf | 13 ------ boot/zephyr/prj_minimal.conf | 40 ------------------- 2 files changed, 53 deletions(-) delete mode 100644 boot/zephyr/boards/nrf5340dk_nrf5340_cpuapp_minimal.conf delete mode 100644 boot/zephyr/prj_minimal.conf diff --git a/boot/zephyr/boards/nrf5340dk_nrf5340_cpuapp_minimal.conf b/boot/zephyr/boards/nrf5340dk_nrf5340_cpuapp_minimal.conf deleted file mode 100644 index dd5468106..000000000 --- a/boot/zephyr/boards/nrf5340dk_nrf5340_cpuapp_minimal.conf +++ /dev/null @@ -1,13 +0,0 @@ -# -# Copyright (c) 2021 Nordic Semiconductor ASA -# -# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause -# - -# CC3xx is currently not used for nrf53 -CONFIG_HW_CC3XX=n -CONFIG_NRF_CC3XX_PLATFORM=n - -# Required for kernel operation -CONFIG_CLOCK_CONTROL=y -CONFIG_SYS_CLOCK_EXISTS=y diff --git a/boot/zephyr/prj_minimal.conf b/boot/zephyr/prj_minimal.conf deleted file mode 100644 index 55d4c6167..000000000 --- a/boot/zephyr/prj_minimal.conf +++ /dev/null @@ -1,40 +0,0 @@ -# -# Copyright (c) 2021 Nordic Semiconductor ASA -# -# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause -# - -CONFIG_MAIN_STACK_SIZE=10240 -CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h" - -CONFIG_FLASH=y -CONFIG_FPROTECT=y -CONFIG_PM=n - -CONFIG_BOOT_SWAP_SAVE_ENCTLV=n -CONFIG_BOOT_ENCRYPT_IMAGE=n - -CONFIG_BOOT_BOOTSTRAP=n -CONFIG_BOOT_UPGRADE_ONLY=n - -### Minimal Configurations ### -CONFIG_BOOT_USE_MIN_PARTITION_SIZE=y -CONFIG_ASSERT=n -CONFIG_BOOT_BANNER=n -CONFIG_CLOCK_CONTROL=n -CONFIG_CONSOLE=n -CONFIG_CONSOLE_HANDLER=n -CONFIG_GPIO=n -CONFIG_KERNEL_MEM_POOL=n -CONFIG_LOG=n -CONFIG_MINIMAL_LIBC_CALLOC=n -CONFIG_MINIMAL_LIBC_MALLOC=n -CONFIG_MINIMAL_LIBC_REALLOCARRAY=n -CONFIG_NCS_SAMPLES_DEFAULTS=n -CONFIG_NO_RUNTIME_CHECKS=y -CONFIG_NRF_RTC_TIMER=n -CONFIG_PRINTK=n -CONFIG_SERIAL=n -CONFIG_SIZE_OPTIMIZATIONS=y -CONFIG_SYS_CLOCK_EXISTS=n -CONFIG_UART_CONSOLE=n From 91dfd7d9d277c65c40376476e1e7c3f7b878ac32 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 160/228] Revert "[nrf noup] zephyr: Remove duplication from cmake" This reverts commit 068908da503969ee6cb2678055ccbbbc0274a504. --- boot/zephyr/CMakeLists.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 68e4c38bb..ed490e6ee 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -42,6 +42,8 @@ if(NOT EXISTS ${NRFXLIB_DIR}) To use the tinycrypt set `CONFIG_BOOT_ECDSA_TINYCRYPT` to y. ------------------------------------------------------------------------") endif() +# Don't include this if we are using west + add_subdirectory(${NRFXLIB_DIR} ${PROJECT_BINARY_DIR}/nrfxlib) endif() zephyr_library_include_directories( From 820a62dfd0dbaaf1b990f2788418d850195544b6 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 161/228] Revert "[nrf noup] github: Add a commit tags check workflow" This reverts commit 4e424909e949c056e7f11d0192958a80fd9a6085. --- .github/workflows/commit-tags.yml | 28 ---------------------------- 1 file changed, 28 deletions(-) delete mode 100644 .github/workflows/commit-tags.yml diff --git a/.github/workflows/commit-tags.yml b/.github/workflows/commit-tags.yml deleted file mode 100644 index 534ed5b58..000000000 --- a/.github/workflows/commit-tags.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: Commit tags - -on: - pull_request: - types: [synchronize, opened, reopened, edited, labeled, unlabeled, - milestoned, demilestoned, assigned, unassigned, ready_for_review, - review_requested] - -jobs: - commit_tags: - runs-on: ubuntu-22.04 - name: Run commit tags checks on patch series (PR) - steps: - - name: Update PATH for west - run: | - echo "$HOME/.local/bin" >> $GITHUB_PATH - - - name: Checkout the code - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - fetch-depth: 0 - - - name: Run the commit tags - uses: nrfconnect/action-commit-tags@main - with: - target: . - upstream: mcu-tools/mcuboot/main From 3d9b08ea989ed482b9031fba4b06dfbd020f577e Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 07:51:14 +0000 Subject: [PATCH 162/228] Revert "[nrf fromtree] imgtool: Add pure signature support" This reverts commit 1deca3037607ab784a52e499bfefeedbb04f907c. --- scripts/imgtool/image.py | 74 ++++++++-------------------------------- scripts/imgtool/main.py | 26 ++++---------- 2 files changed, 20 insertions(+), 80 deletions(-) diff --git a/scripts/imgtool/image.py b/scripts/imgtool/image.py index 88ef7b90c..5fec3c1b7 100644 --- a/scripts/imgtool/image.py +++ b/scripts/imgtool/image.py @@ -190,15 +190,7 @@ def tlv_sha_to_sha(tlv): keys.X25519 : ['256', '512'] } -ALLOWED_PURE_KEY_SHA = { - keys.Ed25519 : ['512'] -} - -ALLOWED_PURE_SIG_TLVS = [ - TLV_VALUES['ED25519'] -] - -def key_and_user_sha_to_alg_and_tlv(key, user_sha, is_pure = False): +def key_and_user_sha_to_alg_and_tlv(key, user_sha): """Matches key and user requested sha to sha alogrithm and TLV name. The returned tuple will contain hash functions and TVL name. @@ -212,16 +204,12 @@ def key_and_user_sha_to_alg_and_tlv(key, user_sha, is_pure = False): # If key is not None, then we have to filter hash to only allowed allowed = None - allowed_key_ssh = ALLOWED_PURE_KEY_SHA if is_pure else ALLOWED_KEY_SHA try: - allowed = allowed_key_ssh[type(key)] - + allowed = ALLOWED_KEY_SHA[type(key)] except KeyError: raise click.UsageError("Colud not find allowed hash algorithms for {}" .format(type(key))) - - # Pure enforces auto, and user selection is ignored - if user_sha == 'auto' or is_pure: + if user_sha == 'auto': return USER_SHA_TO_ALG_AND_TLV[allowed[0]] if user_sha in allowed: @@ -459,13 +447,12 @@ def ecies_hkdf(self, enckey, plainkey): def create(self, key, public_key_format, enckey, dependencies=None, sw_type=None, custom_tlvs=None, compression_tlvs=None, compression_type=None, encrypt_keylen=128, clear=False, - fixed_sig=None, pub_key=None, vector_to_sign=None, - user_sha='auto', is_pure=False): + fixed_sig=None, pub_key=None, vector_to_sign=None, user_sha='auto'): self.enckey = enckey # key decides on sha, then pub_key; of both are none default is used check_key = key if key is not None else pub_key - hash_algorithm, hash_tlv = key_and_user_sha_to_alg_and_tlv(check_key, user_sha, is_pure) + hash_algorithm, hash_tlv = key_and_user_sha_to_alg_and_tlv(check_key, user_sha) # Calculate the hash of the public key if key is not None: @@ -605,17 +592,9 @@ def create(self, key, public_key_format, enckey, dependencies=None, sha = hash_algorithm() sha.update(self.payload) digest = sha.digest() + message = digest; tlv.add(hash_tlv, digest) self.image_hash = digest - # Unless pure, we are signing digest. - message = digest - - if is_pure: - # Note that when Pure signature is used, hash TLV is not present. - message = bytes(self.payload) - e = STRUCT_ENDIAN_DICT[self.endian] - sig_pure = struct.pack(e + '?', True) - tlv.add('SIG_PURE', sig_pure) if vector_to_sign == 'payload': # Stop amending data to the image @@ -807,7 +786,7 @@ def verify(imgfile, key): version = struct.unpack('BBHI', b[20:28]) if magic != IMAGE_MAGIC: - return VerifyResult.INVALID_MAGIC, None, None, None + return VerifyResult.INVALID_MAGIC, None, None tlv_off = header_size + img_size tlv_info = b[tlv_off:tlv_off + TLV_INFO_SIZE] @@ -818,27 +797,11 @@ def verify(imgfile, key): magic, tlv_tot = struct.unpack('HH', tlv_info) if magic != TLV_INFO_MAGIC: - return VerifyResult.INVALID_TLV_INFO_MAGIC, None, None, None - - # This is set by existence of TLV SIG_PURE - is_pure = False + return VerifyResult.INVALID_TLV_INFO_MAGIC, None, None prot_tlv_size = tlv_off hash_region = b[:prot_tlv_size] - tlv_end = tlv_off + tlv_tot - tlv_off += TLV_INFO_SIZE # skip tlv info - - # First scan all TLVs in search of SIG_PURE - while tlv_off < tlv_end: - tlv = b[tlv_off:tlv_off + TLV_SIZE] - tlv_type, _, tlv_len = struct.unpack('BBH', tlv) - if tlv_type == TLV_VALUES['SIG_PURE']: - is_pure = True - break - tlv_off += TLV_SIZE + tlv_len - digest = None - tlv_off = header_size + img_size tlv_end = tlv_off + tlv_tot tlv_off += TLV_INFO_SIZE # skip tlv info while tlv_off < tlv_end: @@ -846,15 +809,15 @@ def verify(imgfile, key): tlv_type, _, tlv_len = struct.unpack('BBH', tlv) if is_sha_tlv(tlv_type): if not tlv_matches_key_type(tlv_type, key): - return VerifyResult.KEY_MISMATCH, None, None, None + return VerifyResult.KEY_MISMATCH, None, None off = tlv_off + TLV_SIZE digest = get_digest(tlv_type, hash_region) if digest == b[off:off + tlv_len]: if key is None: - return VerifyResult.OK, version, digest, None + return VerifyResult.OK, version, digest else: - return VerifyResult.INVALID_HASH, None, None, None - elif not is_pure and key is not None and tlv_type == TLV_VALUES[key.sig_tlv()]: + return VerifyResult.INVALID_HASH, None, None + elif key is not None and tlv_type == TLV_VALUES[key.sig_tlv()]: off = tlv_off + TLV_SIZE tlv_sig = b[off:off + tlv_len] payload = b[:prot_tlv_size] @@ -863,18 +826,9 @@ def verify(imgfile, key): key.verify(tlv_sig, payload) else: key.verify_digest(tlv_sig, digest) - return VerifyResult.OK, version, digest, None - except InvalidSignature: - # continue to next TLV - pass - elif is_pure and key is not None and tlv_type in ALLOWED_PURE_SIG_TLVS: - off = tlv_off + TLV_SIZE - tlv_sig = b[off:off + tlv_len] - try: - key.verify_digest(tlv_sig, hash_region) - return VerifyResult.OK, version, None, tlv_sig + return VerifyResult.OK, version, digest except InvalidSignature: # continue to next TLV pass tlv_off += TLV_SIZE + tlv_len - return VerifyResult.INVALID_SIGNATURE, None, None, None + return VerifyResult.INVALID_SIGNATURE, None, None diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py index 434530c7a..e0f70945c 100755 --- a/scripts/imgtool/main.py +++ b/scripts/imgtool/main.py @@ -226,14 +226,11 @@ def getpriv(key, minimal, format): @click.command(help="Check that signed image can be verified by given key") def verify(key, imgfile): key = load_key(key) if key else None - ret, version, digest, signature = image.Image.verify(imgfile, key) + ret, version, digest = image.Image.verify(imgfile, key) if ret == image.VerifyResult.OK: print("Image was correctly validated") print("Image version: {}.{}.{}+{}".format(*version)) - if digest: - print("Image digest: {}".format(digest.hex())) - if signature and digest is None: - print("Image signature over image: {}".format(signature.hex())) + print("Image digest: {}".format(digest.hex())) return elif ret == image.VerifyResult.INVALID_MAGIC: print("Invalid image magic; is this an MCUboot image?") @@ -426,10 +423,6 @@ def convert(self, value, param, ctx): 'the signature calculated using the public key') @click.option('--fix-sig-pubkey', metavar='filename', help='public key relevant to fixed signature') -@click.option('--pure', 'is_pure', is_flag=True, default=False, show_default=True, - help='Expected Pure variant of signature; the Pure variant is ' - 'expected to be signature done over an image rather than hash of ' - 'that image.') @click.option('--sig-out', metavar='filename', help='Path to the file to which signature will be written. ' 'The image signature will be encoded as base64 formatted string') @@ -448,8 +441,8 @@ def sign(key, public_key_format, align, version, pad_sig, header_size, endian, encrypt_keylen, encrypt, compression, infile, outfile, dependencies, load_addr, hex_addr, erased_val, save_enctlv, security_counter, boot_record, custom_tlv, rom_fixed, max_align, - clear, fix_sig, fix_sig_pubkey, sig_out, user_sha, is_pure, - vector_to_sign, non_bootable): + clear, fix_sig, fix_sig_pubkey, sig_out, user_sha, vector_to_sign, + non_bootable): if confirm: # Confirmed but non-padded images don't make much sense, because @@ -516,15 +509,9 @@ def sign(key, public_key_format, align, version, pad_sig, header_size, 'value': raw_signature } - if is_pure and user_sha != 'auto': - raise click.UsageError( - 'Pure signatures, currently, enforces preferred hash algorithm, ' - 'and forbids sha selection by user.') - img.create(key, public_key_format, enckey, dependencies, boot_record, custom_tlvs, compression_tlvs, None, int(encrypt_keylen), clear, - baked_signature, pub_key, vector_to_sign, user_sha=user_sha, - is_pure=is_pure) + baked_signature, pub_key, vector_to_sign, user_sha) if compression in ["lzma2", "lzma2armthumb"]: compressed_img = image.Image(version=decode_version(version), @@ -565,8 +552,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size, compressed_img.create(key, public_key_format, enckey, dependencies, boot_record, custom_tlvs, compression_tlvs, compression, int(encrypt_keylen), clear, baked_signature, - pub_key, vector_to_sign, user_sha=user_sha, - is_pure=is_pure) + pub_key, vector_to_sign, user_sha=user_sha) img = compressed_img img.save(outfile, hex_addr) if sig_out is not None: From 0912fcde815cd413a549bc759f7ea162b29b6d23 Mon Sep 17 00:00:00 2001 From: Carles Cufi Date: Tue, 10 Oct 2023 15:51:54 +0200 Subject: [PATCH 163/228] [nrf noup] github: Add a commit tags check workflow Use the generic commit-tags action to provide sauce tag checks. Signed-off-by: Carles Cufi (cherry picked from commit 17f3f7f51a8d1b18444c0bcb6a6f01b66ee33ae6) --- .github/workflows/commit-tags.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/workflows/commit-tags.yml diff --git a/.github/workflows/commit-tags.yml b/.github/workflows/commit-tags.yml new file mode 100644 index 000000000..534ed5b58 --- /dev/null +++ b/.github/workflows/commit-tags.yml @@ -0,0 +1,28 @@ +name: Commit tags + +on: + pull_request: + types: [synchronize, opened, reopened, edited, labeled, unlabeled, + milestoned, demilestoned, assigned, unassigned, ready_for_review, + review_requested] + +jobs: + commit_tags: + runs-on: ubuntu-22.04 + name: Run commit tags checks on patch series (PR) + steps: + - name: Update PATH for west + run: | + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - name: Checkout the code + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 + + - name: Run the commit tags + uses: nrfconnect/action-commit-tags@main + with: + target: . + upstream: mcu-tools/mcuboot/main From 18db93f4af960663f5dbf77b70043aa9d071201e Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Tue, 26 Mar 2019 15:42:38 +0100 Subject: [PATCH 164/228] [nrf noup] zephyr: Remove duplication from cmake MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Removes the `add_subdirectory` of nrfxlib it will still check that the nrfxlib is located outside the mcuboot directory. Signed-off-by: Sigvart Hovland Signed-off-by: Andrzej Puzdrowski Signed-off-by: Martí Bolívar Signed-off-by: Emil Obalski Signed-off-by: Andrzej Puzdrowski Signed-off-by: Håkon Øye Amundsen Signed-off-by: Ioannis Glaropoulos Signed-off-by: Torsten Rasmussen Signed-off-by: Jamie McCrae Signed-off-by: Dominik Ermel (cherry picked from commit b85273aabd958d332750fb936ee30e81db7bd670) --- boot/zephyr/CMakeLists.txt | 2 -- 1 file changed, 2 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 209c61dbe..3a780e509 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -50,8 +50,6 @@ if(NOT EXISTS ${NRFXLIB_DIR}) To use the tinycrypt set `CONFIG_BOOT_ECDSA_TINYCRYPT` to y. ------------------------------------------------------------------------") endif() -# Don't include this if we are using west - add_subdirectory(${NRFXLIB_DIR} ${PROJECT_BINARY_DIR}/nrfxlib) endif() zephyr_library_include_directories( From cf7f4f67f5dec571c940910236b149f1a932fa3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mart=C3=AD=20Bol=C3=ADvar?= Date: Fri, 3 Sep 2021 14:38:54 -0700 Subject: [PATCH 165/228] [nrf noup] zephyr: add 'minimal' configuration files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add prj_minimal.conf, a Kconfig fragment to be used for minimally sized image production. The minimal fragment has been simplified for only external crypto. Move partition sizing into Kconfig to be consistent with the method used by b0. Using this fragment with prj_minimal.conf makes MCUboot < 16kB for all nRF devices (9160 still needs 32kB partition). Ref: NCSDK-6704 Signed-off-by: Stephen Stauts Signed-off-by: Martí Bolívar Signed-off-by: Sebastian Bøe Signed-off-by: Torsten Rasmussen Signed-off-by: Jamie McCrae Signed-off-by: Dominik Ermel (cherry picked from commit 883a6ceac3537e90505c54f3fa4082f07b79f647) --- .../nrf5340dk_nrf5340_cpuapp_minimal.conf | 13 ++++++ boot/zephyr/prj_minimal.conf | 40 +++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 boot/zephyr/boards/nrf5340dk_nrf5340_cpuapp_minimal.conf create mode 100644 boot/zephyr/prj_minimal.conf diff --git a/boot/zephyr/boards/nrf5340dk_nrf5340_cpuapp_minimal.conf b/boot/zephyr/boards/nrf5340dk_nrf5340_cpuapp_minimal.conf new file mode 100644 index 000000000..dd5468106 --- /dev/null +++ b/boot/zephyr/boards/nrf5340dk_nrf5340_cpuapp_minimal.conf @@ -0,0 +1,13 @@ +# +# Copyright (c) 2021 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +# CC3xx is currently not used for nrf53 +CONFIG_HW_CC3XX=n +CONFIG_NRF_CC3XX_PLATFORM=n + +# Required for kernel operation +CONFIG_CLOCK_CONTROL=y +CONFIG_SYS_CLOCK_EXISTS=y diff --git a/boot/zephyr/prj_minimal.conf b/boot/zephyr/prj_minimal.conf new file mode 100644 index 000000000..55d4c6167 --- /dev/null +++ b/boot/zephyr/prj_minimal.conf @@ -0,0 +1,40 @@ +# +# Copyright (c) 2021 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +CONFIG_MAIN_STACK_SIZE=10240 +CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h" + +CONFIG_FLASH=y +CONFIG_FPROTECT=y +CONFIG_PM=n + +CONFIG_BOOT_SWAP_SAVE_ENCTLV=n +CONFIG_BOOT_ENCRYPT_IMAGE=n + +CONFIG_BOOT_BOOTSTRAP=n +CONFIG_BOOT_UPGRADE_ONLY=n + +### Minimal Configurations ### +CONFIG_BOOT_USE_MIN_PARTITION_SIZE=y +CONFIG_ASSERT=n +CONFIG_BOOT_BANNER=n +CONFIG_CLOCK_CONTROL=n +CONFIG_CONSOLE=n +CONFIG_CONSOLE_HANDLER=n +CONFIG_GPIO=n +CONFIG_KERNEL_MEM_POOL=n +CONFIG_LOG=n +CONFIG_MINIMAL_LIBC_CALLOC=n +CONFIG_MINIMAL_LIBC_MALLOC=n +CONFIG_MINIMAL_LIBC_REALLOCARRAY=n +CONFIG_NCS_SAMPLES_DEFAULTS=n +CONFIG_NO_RUNTIME_CHECKS=y +CONFIG_NRF_RTC_TIMER=n +CONFIG_PRINTK=n +CONFIG_SERIAL=n +CONFIG_SIZE_OPTIMIZATIONS=y +CONFIG_SYS_CLOCK_EXISTS=n +CONFIG_UART_CONSOLE=n From 07076213a88525fcc13db56f0bc981690b6eb513 Mon Sep 17 00:00:00 2001 From: Bernt Johan Damslora Date: Fri, 20 Sep 2019 18:25:41 +0200 Subject: [PATCH 166/228] [nrf noup] boards: add support for Thingy:91 Adds project configurations for the two systems on the Thingy:91 (PCA-20035) board. The bootloader that is factory-programmed on thing91 does not support ECDSA signature type. Hence this commit also sets the signature type to RSA for applications built for Thingy:91. Signed-off-by: Bernt Johan Damslora Signed-off-by: Sigvart Hovland Signed-off-by: Jon Helge Nistad Signed-off-by: Balaji Srinivasan Signed-off-by: Robert Lubos Signed-off-by: Torsten Rasmussen Signed-off-by: Jamie McCrae Signed-off-by: Marek Pieta Signed-off-by: Dominik Ermel (cherry picked from commit 1f7ca3dcfe94c8c929d0484ceec958bd7df2f4be) --- boot/zephyr/boards/thingy91_nrf52840.conf | 34 +++++++++++++++++++++++ boot/zephyr/boards/thingy91_nrf9160.conf | 13 +++++++++ 2 files changed, 47 insertions(+) create mode 100644 boot/zephyr/boards/thingy91_nrf52840.conf create mode 100644 boot/zephyr/boards/thingy91_nrf9160.conf diff --git a/boot/zephyr/boards/thingy91_nrf52840.conf b/boot/zephyr/boards/thingy91_nrf52840.conf new file mode 100644 index 000000000..c0d183401 --- /dev/null +++ b/boot/zephyr/boards/thingy91_nrf52840.conf @@ -0,0 +1,34 @@ +# Disable Zephyr console +CONFIG_LOG=n +CONFIG_CONSOLE=n +CONFIG_CONSOLE_HANDLER=n +CONFIG_UART_CONSOLE=n + +# The build won't fit on the partition allocated for it without size +# optimizations. +CONFIG_SIZE_OPTIMIZATIONS=y +CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x12000 + +# Serial +CONFIG_SERIAL=y +CONFIG_UART_NRFX=y +CONFIG_UART_INTERRUPT_DRIVEN=y +CONFIG_UART_LINE_CTRL=y + +# MCUboot serial recovery +CONFIG_GPIO=y +CONFIG_MCUBOOT_SERIAL=y +CONFIG_BOOT_SERIAL_CDC_ACM=y + +# Required by USB +CONFIG_MULTITHREADING=y + +# USB +CONFIG_USB_DEVICE_STACK=y +CONFIG_USB_DEVICE_PRODUCT="MCUBOOT" +CONFIG_USB_CDC_ACM=y +CONFIG_USB_COMPOSITE_DEVICE=y +CONFIG_USB_MASS_STORAGE=n +CONFIG_USB_DEVICE_MANUFACTURER="Nordic Semiconductor" +CONFIG_USB_DEVICE_VID=0x1915 +CONFIG_USB_DEVICE_PID=0x520F diff --git a/boot/zephyr/boards/thingy91_nrf9160.conf b/boot/zephyr/boards/thingy91_nrf9160.conf new file mode 100644 index 000000000..1bf2e424d --- /dev/null +++ b/boot/zephyr/boards/thingy91_nrf9160.conf @@ -0,0 +1,13 @@ +# Disable Zephyr console +CONFIG_CONSOLE=n +CONFIG_CONSOLE_HANDLER=n +CONFIG_UART_CONSOLE=n + +# Disable Flash protection +CONFIG_FPROTECT=n + +# MCUBoot settings +CONFIG_BOOT_MAX_IMG_SECTORS=256 + +# MCUboot serial recovery +CONFIG_MCUBOOT_SERIAL=y From 072f69f72a253414b4396ae391c3e0ba94583a2f Mon Sep 17 00:00:00 2001 From: Damian Krolik Date: Mon, 21 Mar 2022 13:44:27 +0100 Subject: [PATCH 167/228] [nrf noup] zephyr: Restore default RTC user channel count The default value of CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT for nRF52 SOCs has been changed from 0 to 3, but it makes MCUBoot get stuck on erasing flash pages when swapping two images. Restore the previous value until the RTC issue is resolved (see NCSDK-14427) Signed-off-by: Damian Krolik Signed-off-by: Torsten Rasmussen Signed-off-by: Jamie McCrae Signed-off-by: Dominik Ermel (cherry picked from commit 48e0d079a0cfaef6c3622c24f804f4057701dc87) --- boot/zephyr/prj.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 119e07579..51dc99b27 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -34,3 +34,4 @@ CONFIG_MCUBOOT_LOG_LEVEL_INF=y CONFIG_CBPRINTF_NANO=y ### Use the minimal C library to reduce flash usage CONFIG_MINIMAL_LIBC=y +CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT=0 From 27d3de4e1ba5e6678d62fd6bd038c9f3e5454355 Mon Sep 17 00:00:00 2001 From: Maximilian Deubel Date: Fri, 8 Dec 2023 13:18:12 +0100 Subject: [PATCH 168/228] [nrf noup] boards: thingy91x: add board config This patch adds board configuration for the Thingy:91 X. Signed-off-by: Maximilian Deubel (cherry picked from commit e541ae9e6e9125bc3ae7457b395397541b3feca3) --- .../boards/thingy91x_nrf5340_cpuapp.conf | 54 +++++++++++++++++++ boot/zephyr/boards/thingy91x_nrf9151.conf | 8 +++ 2 files changed, 62 insertions(+) create mode 100644 boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf create mode 100644 boot/zephyr/boards/thingy91x_nrf9151.conf diff --git a/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf new file mode 100644 index 000000000..72dfa7fca --- /dev/null +++ b/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf @@ -0,0 +1,54 @@ +# MCUBoot settings +CONFIG_BOOT_MAX_IMG_SECTORS=110 + +# MCUboot serial recovery +CONFIG_MCUBOOT_SERIAL=y + +# Disable Zephyr console +CONFIG_LOG=n +CONFIG_CONSOLE=n +CONFIG_CONSOLE_HANDLER=n +CONFIG_UART_CONSOLE=n + +# Serial +CONFIG_SERIAL=y +CONFIG_UART_NRFX=y +CONFIG_UART_INTERRUPT_DRIVEN=y +CONFIG_UART_LINE_CTRL=y + +# MCUboot serial recovery +CONFIG_GPIO=y +CONFIG_MCUBOOT_SERIAL=y +CONFIG_BOOT_SERIAL_CDC_ACM=y + +# Required by USB +CONFIG_MULTITHREADING=y + +# USB +CONFIG_USB_DEVICE_STACK=y +CONFIG_USB_DEVICE_PRODUCT="MCUBOOT" +CONFIG_USB_CDC_ACM=y +CONFIG_USB_COMPOSITE_DEVICE=y +CONFIG_USB_MASS_STORAGE=n +CONFIG_USB_DEVICE_MANUFACTURER="Nordic Semiconductor" +CONFIG_USB_DEVICE_VID=0x1915 +CONFIG_USB_DEVICE_PID=0x520F + +CONFIG_BOOT_SERIAL_BOOT_MODE=y + +CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x13E00 + +# The following configurations are required to support simultaneous multi image update +CONFIG_PCD_APP=y +CONFIG_UPDATEABLE_IMAGE_NUMBER=2 +CONFIG_BOOT_UPGRADE_ONLY=y +# The network core cannot access external flash directly. The flash simulator must be used to +# provide a memory region that is used to forward the new firmware to the network core. +CONFIG_FLASH_SIMULATOR=y +CONFIG_FLASH_SIMULATOR_DOUBLE_WRITES=y +CONFIG_FLASH_SIMULATOR_STATS=n + +CONFIG_BOOT_IMAGE_ACCESS_HOOKS=y +CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y + +CONFIG_NRF53_RECOVERY_NETWORK_CORE=y diff --git a/boot/zephyr/boards/thingy91x_nrf9151.conf b/boot/zephyr/boards/thingy91x_nrf9151.conf new file mode 100644 index 000000000..33cd3301c --- /dev/null +++ b/boot/zephyr/boards/thingy91x_nrf9151.conf @@ -0,0 +1,8 @@ +# MCUBoot settings +CONFIG_BOOT_MAX_IMG_SECTORS=512 + +CONFIG_SPI=y +CONFIG_SPI_NOR=y +CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096 +CONFIG_SPI_NOR_SFDP_DEVICETREE=y +CONFIG_MULTITHREADING=y From 70d45f0a754e37708b14d441324a3da8545f0ad2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20B=C3=B8e?= Date: Wed, 12 Dec 2018 08:59:47 +0100 Subject: [PATCH 169/228] [nrf noup] treewide: add NCS partition manager support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Partition Manager is an nRF Connect SDK component which uses yaml files to resolve flash partition placement with a holistic view of the device. This component's MCUboot portions began life as upstream mcuboot PR#430. This added support for being built as a sub image from the downstream Nordic patch set for a zephyr multi image build system (mcuboot 430 was combined with effor submitted to upstream zephyr as PR#13672, which was ultimately reworked after being rejected for mainline at the ELCE 2019 conference in Lyon). It has since evolved over time. This is the version that will go into NCS v1.3. It features: - page size aligned partitions for all partitions used by mcuboot. - image swaps without scratch partitions Add support for configurations where there exists two primary slots but only one secondary slot, which is shared. These two primary slots are the regular application and B1. B1 can be either S0 or S1 depending on the state of the device. Decide where an upgrade should be stored by looking at the vector table. Provide update candidates for both s0 and s1. These candidates must be signed with mcuboot after being signed by b0. Additional notes: - we make update.hex without trailer data This is needed for serial recovery to work using hex files. Prior to this the update.hex got TLV data at the end of the partition, which caused many blank pages to be included, which made it hard to use in a serial recovery scheme. Instead, make update.hex without TLV data at the end, and provide a new file test_update.hex which contains the TLV data, and can be directly flashed to test the upgrade procedure. - we use a function for signing the application as future-proofing for when other components must be signed as well - this includes an update to single image applications that enables support for partition manager; when single image DFU is used, a scratch partition is not needed. - In NCS, image 1 primary slot is the upgrade bank for mcuboot (IE S0 or S1 depending on the active slot). It is not required that this slot contains any valid data. - The nRF boards all have a single flash page size, and partition manager deals with the size of the update partitions and so on, so we must skip a boot_slots_compatible() check to avoid getting an error. - There is no need to verify the target when using partition manager. - We lock mcuboot using fprotect before jumping, to enable the secure boot property of the system. - Call fw_info_ext_api_provide() before booting if EXT_API_PROVIDE EXT_API is enabled. This is relevant only when the immutable bootloader has booted mcuboot. Signed-off-by: Håkon Øye Amundsen Signed-off-by: Øyvind Rønningstad Signed-off-by: Sebastian Bøe Signed-off-by: Sigvart Hovland Signed-off-by: Martí Bolívar Signed-off-by: Torsten Rasmussen Signed-off-by: Andrzej Głąbek Signed-off-by: Robert Lubos Signed-off-by: Andrzej Puzdrowski Signed-off-by: Emil Obalski Signed-off-by: Pawel Dunaj Signed-off-by: Ioannis Glaropoulos Signed-off-by: Johann Fischer Signed-off-by: Vidar Berg Signed-off-by: Draus, Sebastian Signed-off-by: Trond Einar Snekvik Signed-off-by: Jamie McCrae Signed-off-by: Joakim Andersson Signed-off-by: Georgios Vasilakis Signed-off-by: Dominik Ermel (cherry picked from commit 6a5dc04d20332548471564c0d88226c70f54f696) --- boot/bootutil/src/loader.c | 95 ++++++++++++++++++++++--- boot/bootutil/src/swap_move.c | 13 ++++ boot/bootutil/src/swap_scratch.c | 13 ++++ boot/zephyr/CMakeLists.txt | 7 ++ boot/zephyr/Kconfig | 2 + boot/zephyr/include/sysflash/sysflash.h | 48 +++++++++++++ boot/zephyr/include/target.h | 4 ++ boot/zephyr/main.c | 45 ++++++++++++ boot/zephyr/pm.yml | 77 ++++++++++++++++++++ boot/zephyr/prj.conf | 1 + ext/nrf/cc310_glue.h | 2 +- zephyr/module.yml | 3 +- 12 files changed, 299 insertions(+), 11 deletions(-) create mode 100644 boot/zephyr/pm.yml diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index cf6a388f8..907ec397e 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -144,6 +144,15 @@ boot_read_image_headers(struct boot_loader_state *state, bool require_all, * * Failure to read any headers is a fatal error. */ +#ifdef PM_S1_ADDRESS + /* Patch needed for NCS. The primary slot of the second image + * (image 1) will not contain a valid image header until an upgrade + * of mcuboot has happened (filling S1 with the new version). + */ + if (BOOT_CURR_IMG(state) == 1 && i == 0) { + continue; + } +#endif /* PM_S1_ADDRESS */ if (i > 0 && !require_all) { return 0; } else { @@ -1140,7 +1149,24 @@ boot_validate_slot(struct boot_loader_state *state, int slot, goto out; } - if (reset_value < pri_fa->fa_off || reset_value> (pri_fa->fa_off + pri_fa->fa_size)) { + uint32_t min_addr, max_addr; + +#ifdef PM_CPUNET_APP_ADDRESS + /* The primary slot for the network core is emulated in RAM. + * Its flash_area hasn't got relevant boundaries. + * Therfore need to override its boundaries for the check. + */ + if (BOOT_CURR_IMG(state) == 1) { + min_addr = PM_CPUNET_APP_ADDRESS; + max_addr = PM_CPUNET_APP_ADDRESS + PM_CPUNET_APP_SIZE; + } else +#endif + { + min_addr = pri_fa->fa_off; + max_addr = pri_fa->fa_off + pri_fa->fa_size; + } + + if (reset_value < min_addr || reset_value> (max_addr)) { BOOT_LOG_ERR("Reset address of image in secondary slot is not in the primary slot"); BOOT_LOG_ERR("Erasing image from secondary slot"); @@ -1216,6 +1242,42 @@ boot_validated_swap_type(struct boot_loader_state *state, { int swap_type; FIH_DECLARE(fih_rc, FIH_FAILURE); +#ifdef PM_S1_ADDRESS + /* Patch needed for NCS. Since image 0 (the app) and image 1 (the other + * B1 slot S0 or S1) share the same secondary slot, we need to check + * whether the update candidate in the secondary slot is intended for + * image 0 or image 1 primary by looking at the address of the reset + * vector. Note that there are good reasons for not using img_num from + * the swap info. + */ + const struct flash_area *secondary_fa = + BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); + struct image_header *hdr = + (struct image_header *)secondary_fa->fa_off; + + if (hdr->ih_magic == IMAGE_MAGIC) { + const struct flash_area *primary_fa; + uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; + uint32_t *vtable = (uint32_t *)(vtable_addr); + uint32_t reset_addr = vtable[1]; + int rc = flash_area_open( + flash_area_id_from_multi_image_slot( + BOOT_CURR_IMG(state), + BOOT_PRIMARY_SLOT), + &primary_fa); + + if (rc != 0) { + return BOOT_SWAP_TYPE_FAIL; + } + /* Get start and end of primary slot for current image */ + if (reset_addr < primary_fa->fa_off || + reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { + /* The image in the secondary slot is not intended for this image + */ + return BOOT_SWAP_TYPE_NONE; + } + } +#endif swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state)); if (BOOT_IS_UPGRADE(swap_type)) { @@ -2461,15 +2523,25 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) } #ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT - FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL, 0); - /* Check for all possible values is redundant in normal operation it - * is meant to prevent FI attack. +#ifdef PM_S1_ADDRESS + /* Patch needed for NCS. Image 1 primary is the currently + * executing MCUBoot image, and is therefore already validated by NSIB and + * does not need to also be validated by MCUBoot. */ - if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS) || - FIH_EQ(fih_rc, FIH_FAILURE) || - FIH_EQ(fih_rc, FIH_NO_BOOTABLE_IMAGE)) { - FIH_SET(fih_rc, FIH_FAILURE); - goto out; + bool image_validated_by_nsib = BOOT_CURR_IMG(state) == 1; + if (!image_validated_by_nsib) +#endif + { + FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL, 0); + /* Check for all possible values is redundant in normal operation it + * is meant to prevent FI attack. + */ + if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS) || + FIH_EQ(fih_rc, FIH_FAILURE) || + FIH_EQ(fih_rc, FIH_NO_BOOTABLE_IMAGE)) { + FIH_SET(fih_rc, FIH_FAILURE); + goto out; + } } #else /* Even if we're not re-validating the primary slot, we could be booting @@ -2486,11 +2558,16 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) } #endif /* MCUBOOT_VALIDATE_PRIMARY_SLOT */ +#ifdef PM_S1_ADDRESS + if (!image_validated_by_nsib) +#endif + { rc = boot_update_hw_rollback_protection(state); if (rc != 0) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } + } rc = boot_add_shared_data(state, BOOT_PRIMARY_SLOT); if (rc != 0) { diff --git a/boot/bootutil/src/swap_move.c b/boot/bootutil/src/swap_move.c index dd5b131a7..276eba00e 100644 --- a/boot/bootutil/src/swap_move.c +++ b/boot/bootutil/src/swap_move.c @@ -252,6 +252,18 @@ static int app_max_sectors(struct boot_loader_state *state) int boot_slots_compatible(struct boot_loader_state *state) { +#ifdef PM_S1_ADDRESS + /* Patch needed for NCS. In this case, image 1 primary points to the other + * B1 slot (ie S0 or S1), and image 0 primary points to the app. + * With this configuration, image 0 and image 1 share the secondary slot. + * Hence, the primary slot of image 1 will be *smaller* than image 1's + * secondary slot. This is not allowed in upstream mcuboot, so we need + * this patch to allow it. Also, all of these checks are redundant when + * partition manager is in use, and since we have the same sector size + * in all of our flash. + */ + return 1; +#else size_t num_sectors_pri; size_t num_sectors_sec; size_t sector_sz_pri = 0; @@ -319,6 +331,7 @@ boot_slots_compatible(struct boot_loader_state *state) } return 1; +#endif /* PM_S1_ADDRESS */ } #define BOOT_LOG_SWAP_STATE(area, state) \ diff --git a/boot/bootutil/src/swap_scratch.c b/boot/bootutil/src/swap_scratch.c index 60751029d..222d34b71 100644 --- a/boot/bootutil/src/swap_scratch.c +++ b/boot/bootutil/src/swap_scratch.c @@ -141,6 +141,18 @@ boot_status_internal_off(const struct boot_status *bs, int elem_sz) int boot_slots_compatible(struct boot_loader_state *state) { +#ifdef PM_S1_ADDRESS + /* Patch needed for NCS. In this case, image 1 primary points to the other + * B1 slot (ie S0 or S1), and image 0 primary points to the app. + * With this configuration, image 0 and image 1 share the secondary slot. + * Hence, the primary slot of image 1 will be *smaller* than image 1's + * secondary slot. This is not allowed in upstream mcuboot, so we need + * this patch to allow it. Also, all of these checks are redundant when + * partition manager is in use, and since we have the same sector size + * in all of our flash. + */ + return 1; +#else size_t num_sectors_primary; size_t num_sectors_secondary; size_t sz0, sz1; @@ -238,6 +250,7 @@ boot_slots_compatible(struct boot_loader_state *state) #endif return 1; +#endif /* PM_S1_ADDRESS */ } #define BOOT_LOG_SWAP_STATE(area, state) \ diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 3a780e509..dc687c209 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -350,6 +350,13 @@ if(NOT CONFIG_BOOT_SIGNATURE_KEY_FILE STREQUAL "") endif() message("MCUBoot bootloader key file: ${KEY_FILE}") + set_property( + GLOBAL + PROPERTY + KEY_FILE + ${KEY_FILE} + ) + set(mcuboot_default_signature_files ${MCUBOOT_DIR}/root-ec-p256-pkcs8.pem ${MCUBOOT_DIR}/root-ec-p384.pem diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index b366b26d9..1c38d2ba2 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -9,6 +9,8 @@ mainmenu "MCUboot configuration" comment "MCUboot-specific configuration options" +source "$(ZEPHYR_NRF_MODULE_DIR)/modules/mcuboot/boot/zephyr/Kconfig" + # Hidden option to mark a project as MCUboot config MCUBOOT default y diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index 16d222280..99cbf56b7 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h @@ -7,6 +7,52 @@ #ifndef __SYSFLASH_H__ #define __SYSFLASH_H__ +#if USE_PARTITION_MANAGER +#include +#include + +#ifndef CONFIG_SINGLE_APPLICATION_SLOT + +#if (MCUBOOT_IMAGE_NUMBER == 1) + +#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID + +#elif (MCUBOOT_IMAGE_NUMBER == 2) + +extern uint32_t _image_1_primary_slot_id[]; + +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + (uint32_t)_image_1_primary_slot_id : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + 255 ) +#endif +#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID + +#else /* CONFIG_SINGLE_APPLICATION_SLOT */ + +#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_PRIMARY_ID +/* NOTE: Scratch parition is not used by single image DFU but some of + * functions in common files reference it, so the definitions has been + * provided to allow compilation of common units. + */ +#define FLASH_AREA_IMAGE_SCRATCH 0 + +#endif /* CONFIG_SINGLE_APPLICATION_SLOT */ + +#else + +#include #include #include #include @@ -65,4 +111,6 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #endif /* CONFIG_SINGLE_APPLICATION_SLOT */ +#endif /* USE_PARTITION_MANAGER */ + #endif /* __SYSFLASH_H__ */ diff --git a/boot/zephyr/include/target.h b/boot/zephyr/include/target.h index 9bbfd4b19..40287d515 100644 --- a/boot/zephyr/include/target.h +++ b/boot/zephyr/include/target.h @@ -8,6 +8,8 @@ #ifndef H_TARGETS_TARGET_ #define H_TARGETS_TARGET_ +#ifndef USE_PARTITION_MANAGER + #if defined(MCUBOOT_TARGET_CONFIG) /* * Target-specific definitions are permitted in legacy cases that @@ -45,4 +47,6 @@ #error "Target support is incomplete; cannot build mcuboot." #endif +#endif /* ifndef USE_PARTITION_MANAGER */ + #endif /* H_TARGETS_TARGET_ */ diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 683b2f7f5..7353f3579 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -70,6 +70,10 @@ #endif /* CONFIG_SOC_FAMILY_ESPRESSIF_ESP32 */ +#ifdef CONFIG_FW_INFO +#include +#endif + #ifdef CONFIG_MCUBOOT_SERIAL #include "boot_serial/boot_serial.h" #include "serial_adapter/serial_adapter.h" @@ -130,6 +134,11 @@ K_SEM_DEFINE(boot_log_sem, 1, 1); * !defined(ZEPHYR_LOG_MODE_MINIMAL) */ +#if USE_PARTITION_MANAGER && CONFIG_FPROTECT +#include +#include +#endif + BOOT_LOG_MODULE_REGISTER(mcuboot); void os_heap_init(void); @@ -188,6 +197,19 @@ static void do_boot(struct boot_rsp *rsp) /* Disable the USB to prevent it from firing interrupts */ usb_disable(); #endif + +#if defined(CONFIG_FW_INFO) && !defined(CONFIG_EXT_API_PROVIDE_EXT_API_UNUSED) + bool provided = fw_info_ext_api_provide(fw_info_find((uint32_t)vt), true); + +#ifdef PM_S0_ADDRESS + /* Only fail if the immutable bootloader is present. */ + if (!provided) { + BOOT_LOG_ERR("Failed to provide EXT_APIs\n"); + return; + } +#endif +#endif + #if CONFIG_MCUBOOT_CLEANUP_ARM_CORE cleanup_arm_nvic(); /* cleanup NVIC registers */ @@ -596,7 +618,30 @@ int main(void) mcuboot_status_change(MCUBOOT_STATUS_BOOTABLE_IMAGE_FOUND); +#if USE_PARTITION_MANAGER && CONFIG_FPROTECT + +#ifdef PM_S1_ADDRESS +/* MCUBoot is stored in either S0 or S1, protect both */ +#define PROTECT_SIZE (PM_MCUBOOT_PRIMARY_ADDRESS - PM_S0_ADDRESS) +#define PROTECT_ADDR PM_S0_ADDRESS +#else +/* There is only one instance of MCUBoot */ +#define PROTECT_SIZE (PM_MCUBOOT_PRIMARY_ADDRESS - PM_MCUBOOT_ADDRESS) +#define PROTECT_ADDR PM_MCUBOOT_ADDRESS +#endif + + rc = fprotect_area(PROTECT_ADDR, PROTECT_SIZE); + + if (rc != 0) { + BOOT_LOG_ERR("Protect mcuboot flash failed, cancel startup."); + while (1) + ; + } + +#endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */ + ZEPHYR_BOOT_LOG_STOP(); + do_boot(&rsp); mcuboot_status_change(MCUBOOT_STATUS_BOOT_FAILED); diff --git a/boot/zephyr/pm.yml b/boot/zephyr/pm.yml new file mode 100644 index 000000000..5df9ae547 --- /dev/null +++ b/boot/zephyr/pm.yml @@ -0,0 +1,77 @@ +#include + +mcuboot: + size: CONFIG_PM_PARTITION_SIZE_MCUBOOT + placement: + before: [mcuboot_primary] +#if defined(CONFIG_HIDE_CHILD_PARENT_CONFIG) + align: {end: 0x1000} +#endif + +mcuboot_primary_app: + # All images to be placed in MCUboot's slot 0 should be placed in this + # partition + span: [app] + +mcuboot_primary: + span: [mcuboot_pad, mcuboot_primary_app] + +# Partition for secondary slot is not created if building in single application +# slot configuration. +#if !defined(CONFIG_SINGLE_APPLICATION_SLOT) && !defined(CONFIG_BOOT_DIRECT_XIP) +mcuboot_secondary: + share_size: [mcuboot_primary] +#if defined(CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY) + region: external_flash + placement: + align: {start: 4} +#else + placement: + align: {start: CONFIG_FPROTECT_BLOCK_SIZE} + align_next: CONFIG_FPROTECT_BLOCK_SIZE # Ensure that the next partition does not interfere with this image + after: mcuboot_primary +#endif /* CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY */ + +#endif /* !defined(CONFIG_SINGLE_APPLICATION_SLOT) && !defined(CONFIG_BOOT_DIRECT_XIP) */ + +#if CONFIG_BOOT_DIRECT_XIP + +# Direct XIP is enabled, reserve area for metadata (padding) and name the +# partition so that its clear that it is not the secondary slot, but the direct +# XIP alternative. + +mcuboot_secondary_pad: + share_size: mcuboot_pad + placement: + after: mcuboot_primary + align: {start: CONFIG_FPROTECT_BLOCK_SIZE} + +mcuboot_secondary_app: + share_size: mcuboot_primary_app + placement: + after: mcuboot_secondary_pad + +mcuboot_secondary: + span: [mcuboot_secondary_pad, mcuboot_secondary_app] + +#endif /* CONFIG_BOOT_DIRECT_XIP */ + +#if CONFIG_BOOT_SWAP_USING_SCRATCH +mcuboot_scratch: + size: CONFIG_PM_PARTITION_SIZE_MCUBOOT_SCRATCH + placement: + after: app + align: {start: CONFIG_FPROTECT_BLOCK_SIZE} +#endif /* CONFIG_BOOT_SWAP_USING_SCRATCH */ + +# Padding placed before image to boot. This reserves space for the MCUboot image header +# and it ensures that the boot image gets linked with the correct address offset in flash. +mcuboot_pad: + # MCUboot pad must be placed before the primary application partition. + # The primary application partition includes the secure firmware if present. + size: CONFIG_PM_PARTITION_SIZE_MCUBOOT_PAD + placement: + before: [mcuboot_primary_app] +#ifdef CONFIG_FPROTECT + align: {start: CONFIG_FPROTECT_BLOCK_SIZE} +#endif diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 51dc99b27..6d538d1de 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -18,6 +18,7 @@ CONFIG_BOOT_BOOTSTRAP=n # CONFIG_TINYCRYPT_SHA256 is not set CONFIG_FLASH=y +CONFIG_FPROTECT=y ### Various Zephyr boards enable features that we don't want. # CONFIG_BT is not set diff --git a/ext/nrf/cc310_glue.h b/ext/nrf/cc310_glue.h index ed3ed5c00..22eb94911 100644 --- a/ext/nrf/cc310_glue.h +++ b/ext/nrf/cc310_glue.h @@ -22,7 +22,7 @@ #include #include #include -#include +#include #include /* diff --git a/zephyr/module.yml b/zephyr/module.yml index d2af55384..b73ae2a0d 100644 --- a/zephyr/module.yml +++ b/zephyr/module.yml @@ -1,7 +1,8 @@ samples: - boot/zephyr build: - cmake: ./boot/bootutil/zephyr + cmake-ext: True + kconfig-ext: True sysbuild-cmake: boot/zephyr/sysbuild package-managers: pip: From ff0cc9c0ab4cf58aa926d2ef980f2c53821af997 Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Thu, 27 Aug 2020 14:29:31 +0200 Subject: [PATCH 170/228] [nrf noup] boot: nrf53-specific customizations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add network core bootloader implementation Enables network core updates of nrf53 using MCUBoot by identifying images through their start addresses. Also implements the control and transfer using the PCD module. - Add support for multi image DFU using partition manager. - Add check for netcore addr if NSIB is enabled so netcore updates works - boot: zephyr: move thingy53_nrf5340_cpuapp.conf downstream Moved the board configuration for Thingy:53 Application Core to the nRF Connect SDK MCUboot downstream repository. The configuration file contains references to the Kconfig modules that are only available in the nRF Connect SDK. The current configuration is set up to work in the nRF Connect SDK environment and cannot be used upstream. - pm: enable ram flash partition using common flag This patch makes mcuboot_primary_1 ram-flash partition selectable using CONFIG_NRF53_MCUBOOT_PRIMARY_1_RAM_FLASH property. This is needed since CONFIG_NRF53_MULTI_IMAGE_UPDATE become not only configuration which requires that partition. - MCUBoot configures USB CDC by its own. There is no need for BOARD_SERIAL_BACKEND_CDC_ACM option to configure anything which is later overwritten anyway. Jira: NCSDK-18596 Signed-off-by: Andrzej Puzdrowski Signed-off-by: Emil Obalski Signed-off-by: Håkon Øye Amundsen Signed-off-by: Ioannis Glaropoulos Signed-off-by: Jamie McCrae Signed-off-by: Johann Fischer Signed-off-by: Kamil Piszczek Signed-off-by: Ole Sæther Signed-off-by: Sigvart Hovland Signed-off-by: Simon Iversen Signed-off-by: Torsten Rasmussen Signed-off-by: Trond Einar Snekvik Signed-off-by: Mateusz Kapala Signed-off-by: Dominik Ermel (cherry picked from commit 9c26bb601e487ec60629ebcb6898f47ec3360100) --- boot/bootutil/src/loader.c | 96 ++++++++++++++----- .../boards/thingy53_nrf5340_cpuapp.conf | 74 +++++++++++++- boot/zephyr/include/sysflash/sysflash.h | 23 +++++ boot/zephyr/main.c | 7 ++ boot/zephyr/pm.yml | 13 +++ 5 files changed, 185 insertions(+), 28 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 907ec397e..e75bfd42a 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -49,6 +49,10 @@ #include "bootutil/boot_hooks.h" #include "bootutil/mcuboot_status.h" +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) +#include +#endif + #ifdef MCUBOOT_ENC_IMAGES #include "bootutil/enc_key.h" #endif @@ -1242,7 +1246,15 @@ boot_validated_swap_type(struct boot_loader_state *state, { int swap_type; FIH_DECLARE(fih_rc, FIH_FAILURE); -#ifdef PM_S1_ADDRESS + bool upgrade_valid = false; + +#if defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) + const struct flash_area *secondary_fa = + BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); + struct image_header *hdr = (struct image_header *)secondary_fa->fa_off; + uint32_t vtable_addr = 0; + uint32_t *vtable = 0; + uint32_t reset_addr = 0; /* Patch needed for NCS. Since image 0 (the app) and image 1 (the other * B1 slot S0 or S1) share the same secondary slot, we need to check * whether the update candidate in the secondary slot is intended for @@ -1250,34 +1262,36 @@ boot_validated_swap_type(struct boot_loader_state *state, * vector. Note that there are good reasons for not using img_num from * the swap info. */ - const struct flash_area *secondary_fa = - BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); - struct image_header *hdr = - (struct image_header *)secondary_fa->fa_off; if (hdr->ih_magic == IMAGE_MAGIC) { - const struct flash_area *primary_fa; - uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; - uint32_t *vtable = (uint32_t *)(vtable_addr); - uint32_t reset_addr = vtable[1]; - int rc = flash_area_open( - flash_area_id_from_multi_image_slot( - BOOT_CURR_IMG(state), - BOOT_PRIMARY_SLOT), - &primary_fa); - - if (rc != 0) { - return BOOT_SWAP_TYPE_FAIL; - } - /* Get start and end of primary slot for current image */ - if (reset_addr < primary_fa->fa_off || - reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { - /* The image in the secondary slot is not intended for this image - */ - return BOOT_SWAP_TYPE_NONE; - } - } + vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; + vtable = (uint32_t *)(vtable_addr); + reset_addr = vtable[1]; +#ifdef PM_S1_ADDRESS +#ifdef PM_CPUNET_B0N_ADDRESS + if(reset_addr < PM_CPUNET_B0N_ADDRESS) #endif + { + const struct flash_area *primary_fa; + int rc = flash_area_open(flash_area_id_from_multi_image_slot( + BOOT_CURR_IMG(state), + BOOT_PRIMARY_SLOT), + &primary_fa); + + if (rc != 0) { + return BOOT_SWAP_TYPE_FAIL; + } + /* Get start and end of primary slot for current image */ + if (reset_addr < primary_fa->fa_off || + reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { + /* The image in the secondary slot is not intended for this image + */ + return BOOT_SWAP_TYPE_NONE; + } + } +#endif /* PM_S1_ADDRESS */ + } +#endif /* PM_S1_ADDRESS || CONFIG_SOC_NRF5340_CPUAPP */ swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state)); if (BOOT_IS_UPGRADE(swap_type)) { @@ -1291,7 +1305,37 @@ boot_validated_swap_type(struct boot_loader_state *state, } else { swap_type = BOOT_SWAP_TYPE_FAIL; } + } else { + upgrade_valid = true; + } + +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) + /* If the update is valid, and it targets the network core: perform the + * update and indicate to the caller of this function that no update is + * available + */ + if (upgrade_valid && reset_addr > PM_CPUNET_B0N_ADDRESS) { + uint32_t fw_size = hdr->ih_img_size; + + BOOT_LOG_INF("Starting network core update"); + int rc = pcd_network_core_update(vtable, fw_size); + + if (rc != 0) { + swap_type = BOOT_SWAP_TYPE_FAIL; + } else { + BOOT_LOG_INF("Done updating network core"); +#if defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) + /* swap_erase_trailer_sectors is undefined if upgrade only + * method is used. There is no need to erase sectors, because + * the image cannot be reverted. + */ + rc = swap_erase_trailer_sectors(state, + secondary_fa); +#endif + swap_type = BOOT_SWAP_TYPE_NONE; + } } +#endif /* CONFIG_SOC_NRF5340_CPUAPP */ } return swap_type; diff --git a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf index f2e42fd64..7d3bc0bec 100644 --- a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf +++ b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf @@ -1,3 +1,73 @@ -CONFIG_NORDIC_QSPI_NOR=n -CONFIG_SPI=n +CONFIG_SIZE_OPTIMIZATIONS=y + +CONFIG_SYSTEM_CLOCK_NO_WAIT=y +CONFIG_PM=n + +CONFIG_MAIN_STACK_SIZE=10240 +CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h" + +CONFIG_BOOT_MAX_IMG_SECTORS=2048 +CONFIG_BOOT_SIGNATURE_TYPE_RSA=y + +# Flash +CONFIG_FLASH=y +CONFIG_BOOT_ERASE_PROGRESSIVELY=y +CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y +CONFIG_FPROTECT=y + +# Serial +CONFIG_SERIAL=y +CONFIG_UART_LINE_CTRL=y + +# MCUBoot serial +CONFIG_GPIO=y +CONFIG_MCUBOOT_SERIAL=y +CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y +CONFIG_BOOT_SERIAL_CDC_ACM=y + +# Required by QSPI +CONFIG_NORDIC_QSPI_NOR=y +CONFIG_NORDIC_QSPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096 +CONFIG_NORDIC_QSPI_NOR_STACK_WRITE_BUFFER_SIZE=16 + +# Required by USB and QSPI CONFIG_MULTITHREADING=y + +# USB +CONFIG_BOARD_SERIAL_BACKEND_CDC_ACM=n +CONFIG_USB_DEVICE_REMOTE_WAKEUP=n +CONFIG_USB_DEVICE_MANUFACTURER="Nordic Semiconductor ASA" +CONFIG_USB_DEVICE_PRODUCT="Bootloader Thingy:53" +CONFIG_USB_DEVICE_VID=0x1915 +CONFIG_USB_DEVICE_PID=0x5300 +CONFIG_USB_CDC_ACM=y + +# Decrease memory footprint +CONFIG_CBPRINTF_NANO=y +CONFIG_TIMESLICING=n +CONFIG_BOOT_BANNER=n +CONFIG_CONSOLE=n +CONFIG_CONSOLE_HANDLER=n +CONFIG_UART_CONSOLE=n +CONFIG_USE_SEGGER_RTT=n +CONFIG_LOG=n +CONFIG_ERRNO=n +CONFIG_PRINTK=n +CONFIG_RESET_ON_FATAL_ERROR=n +CONFIG_SPI=n +CONFIG_I2C=n +CONFIG_UART_NRFX=n + +# The following configurations are required to support simultaneous multi image update +CONFIG_PCD_APP=y +CONFIG_UPDATEABLE_IMAGE_NUMBER=2 +CONFIG_BOOT_UPGRADE_ONLY=y +# The network core cannot access external flash directly. The flash simulator must be used to +# provide a memory region that is used to forward the new firmware to the network core. +CONFIG_FLASH_SIMULATOR=y +CONFIG_FLASH_SIMULATOR_DOUBLE_WRITES=y +CONFIG_FLASH_SIMULATOR_STATS=n + +# Enable custom command to erase settings partition. +CONFIG_ENABLE_MGMT_PERUSER=y +CONFIG_BOOT_MGMT_CUSTOM_STORAGE_ERASE=y diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index 99cbf56b7..7112f9baa 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h @@ -20,6 +20,11 @@ #elif (MCUBOOT_IMAGE_NUMBER == 2) +/* If B0 is present then two bootloaders are present, and we must use + * a single secondary slot for both primary slots. + */ +#ifdef PM_B0_ADDRESS + extern uint32_t _image_1_primary_slot_id[]; #define FLASH_AREA_IMAGE_PRIMARY(x) \ @@ -35,6 +40,24 @@ extern uint32_t _image_1_primary_slot_id[]; (x == 1) ? \ PM_MCUBOOT_SECONDARY_ID: \ 255 ) +#else + +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) + +#endif /* PM_B0_ADDRESS */ + #endif #define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 7353f3579..bef85ad9f 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -92,6 +92,10 @@ const struct boot_uart_funcs boot_funcs = { #include #endif +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) +#include +#endif + /* CONFIG_LOG_MINIMAL is the legacy Kconfig property, * replaced by CONFIG_LOG_MODE_MINIMAL. */ @@ -638,6 +642,9 @@ int main(void) ; } +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) && defined(CONFIG_PCD_APP) + pcd_lock_ram(); +#endif #endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */ ZEPHYR_BOOT_LOG_STOP(); diff --git a/boot/zephyr/pm.yml b/boot/zephyr/pm.yml index 5df9ae547..13ffc44aa 100644 --- a/boot/zephyr/pm.yml +++ b/boot/zephyr/pm.yml @@ -75,3 +75,16 @@ mcuboot_pad: #ifdef CONFIG_FPROTECT align: {start: CONFIG_FPROTECT_BLOCK_SIZE} #endif + +#if (CONFIG_NRF53_MCUBOOT_PRIMARY_1_RAM_FLASH) +mcuboot_primary_1: + region: ram_flash + size: CONFIG_NRF53_RAM_FLASH_SIZE +#endif /* CONFIG_NRF53_MULTI_IMAGE_UPDATE */ + +#if (CONFIG_NRF53_MULTI_IMAGE_UPDATE) +mcuboot_secondary_1: + region: external_flash + size: CONFIG_NRF53_RAM_FLASH_SIZE + +#endif /* CONFIG_NRF53_MULTI_IMAGE_UPDATE */ From f9432662129b508545cbf7d6b393e553552a778e Mon Sep 17 00:00:00 2001 From: Andrzej Puzdrowski Date: Thu, 27 Feb 2020 12:48:56 +0100 Subject: [PATCH 171/228] [nrf noup] zephyr: clean peripherals state before boot MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Do some cleanup of nRF peripherals. This is necessary since Zephyr doesn't have any driver deinitialization functionality, and we'd like to leave peripherals in a more predictable state before booting the Zephyr image. This should be re-worked when the zephyr driver model allows us to deinitialize devices cleanly before jumping to the chain-loaded image. Signed-off-by: Andrzej Puzdrowski Signed-off-by: Robert Lubos Signed-off-by: Torsten Rasmussen Signed-off-by: Øyvind Rønningstad Signed-off-by: Martí Bolívar Signed-off-by: Håkon Øye Amundsen Signed-off-by: Ioannis Glaropoulos Signed-off-by: Johann Fischer Signed-off-by: Trond Einar Snekvik Signed-off-by: Torsten Rasmussen Signed-off-by: Jamie McCrae Signed-off-by: Dominik Ermel (cherry picked from commit c82aef67eb4e2573f7d06aed3279019e3e6953b0) --- boot/zephyr/CMakeLists.txt | 6 +++ boot/zephyr/include/nrf_cleanup.h | 19 +++++++ boot/zephyr/main.c | 8 ++- boot/zephyr/nrf_cleanup.c | 83 +++++++++++++++++++++++++++++++ 4 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 boot/zephyr/include/nrf_cleanup.h create mode 100644 boot/zephyr/nrf_cleanup.c diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index dc687c209..d6d69cf7a 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -706,3 +706,9 @@ if(SYSBUILD) set(mcuboot_image_footer_size ${required_size} CACHE INTERNAL "Estimated MCUboot image trailer size" FORCE) set(mcuboot_image_upgrade_footer_size ${required_upgrade_size} CACHE INTERNAL "Estimated MCUboot update image trailer size" FORCE) endif() + +if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL) +zephyr_library_sources( + ${BOOT_DIR}/zephyr/nrf_cleanup.c +) +endif() diff --git a/boot/zephyr/include/nrf_cleanup.h b/boot/zephyr/include/nrf_cleanup.h new file mode 100644 index 000000000..6b04cedfe --- /dev/null +++ b/boot/zephyr/include/nrf_cleanup.h @@ -0,0 +1,19 @@ +/* + * Copyright (c) 2020 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#ifndef H_NRF_CLEANUP_ +#define H_NRF_CLEANUP_ + +/** + * Perform cleanup on some peripheral resources used by MCUBoot prior chainload + * the application. + * + * This function disables all RTC instances and UARTE instances. + * It Disables their interrupts signals as well. + */ +void nrf_cleanup_peripheral(void); + +#endif diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index bef85ad9f..08587c31e 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -143,6 +143,10 @@ K_SEM_DEFINE(boot_log_sem, 1, 1); #include #endif +#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL +#include +#endif + BOOT_LOG_MODULE_REGISTER(mcuboot); void os_heap_init(void); @@ -213,7 +217,9 @@ static void do_boot(struct boot_rsp *rsp) } #endif #endif - +#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL + nrf_cleanup_peripheral(); +#endif #if CONFIG_MCUBOOT_CLEANUP_ARM_CORE cleanup_arm_nvic(); /* cleanup NVIC registers */ diff --git a/boot/zephyr/nrf_cleanup.c b/boot/zephyr/nrf_cleanup.c new file mode 100644 index 000000000..5bab26b24 --- /dev/null +++ b/boot/zephyr/nrf_cleanup.c @@ -0,0 +1,83 @@ +/* + * Copyright (c) 2020 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#include +#if defined(NRF_UARTE0) || defined(NRF_UARTE1) + #include +#endif +#if defined(NRF_RTC0) || defined(NRF_RTC1) || defined(NRF_RTC2) + #include +#endif +#if defined(NRF_PPI) + #include +#endif +#if defined(NRF_DPPIC) + #include +#endif + +#include + +#define NRF_UARTE_SUBSCRIBE_CONF_OFFS offsetof(NRF_UARTE_Type, SUBSCRIBE_STARTRX) +#define NRF_UARTE_SUBSCRIBE_CONF_SIZE (offsetof(NRF_UARTE_Type, EVENTS_CTS) -\ + NRF_UARTE_SUBSCRIBE_CONF_OFFS) + +#define NRF_UARTE_PUBLISH_CONF_OFFS offsetof(NRF_UARTE_Type, PUBLISH_CTS) +#define NRF_UARTE_PUBLISH_CONF_SIZE (offsetof(NRF_UARTE_Type, SHORTS) -\ + NRF_UARTE_PUBLISH_CONF_OFFS) + +#if defined(NRF_RTC0) || defined(NRF_RTC1) || defined(NRF_RTC2) +static inline void nrf_cleanup_rtc(NRF_RTC_Type * rtc_reg) +{ + nrf_rtc_task_trigger(rtc_reg, NRF_RTC_TASK_STOP); + nrf_rtc_event_disable(rtc_reg, 0xFFFFFFFF); + nrf_rtc_int_disable(rtc_reg, 0xFFFFFFFF); +} +#endif + +static void nrf_cleanup_clock(void) +{ + nrf_clock_int_disable(NRF_CLOCK, 0xFFFFFFFF); +} + +void nrf_cleanup_peripheral(void) +{ +#if defined(NRF_RTC0) + nrf_cleanup_rtc(NRF_RTC0); +#endif +#if defined(NRF_RTC1) + nrf_cleanup_rtc(NRF_RTC1); +#endif +#if defined(NRF_RTC2) + nrf_cleanup_rtc(NRF_RTC2); +#endif +#if defined(NRF_UARTE0) + nrf_uarte_disable(NRF_UARTE0); + nrf_uarte_int_disable(NRF_UARTE0, 0xFFFFFFFF); +#if defined(NRF_DPPIC) + /* Clear all SUBSCRIBE configurations. */ + memset((uint8_t *)NRF_UARTE0 + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, NRF_UARTE_SUBSCRIBE_CONF_SIZE); + /* Clear all PUBLISH configurations. */ + memset((uint8_t *)NRF_UARTE0 + NRF_UARTE_PUBLISH_CONF_OFFS, 0, NRF_UARTE_PUBLISH_CONF_SIZE); +#endif +#endif +#if defined(NRF_UARTE1) + nrf_uarte_disable(NRF_UARTE1); + nrf_uarte_int_disable(NRF_UARTE1, 0xFFFFFFFF); +#if defined(NRF_DPPIC) + /* Clear all SUBSCRIBE configurations. */ + memset((uint8_t *)NRF_UARTE1 + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, NRF_UARTE_SUBSCRIBE_CONF_SIZE); + /* Clear all PUBLISH configurations. */ + memset((uint8_t *)NRF_UARTE1 + NRF_UARTE_PUBLISH_CONF_OFFS, 0, NRF_UARTE_PUBLISH_CONF_SIZE); +#endif +#endif +#if defined(NRF_PPI) + nrf_ppi_channels_disable_all(NRF_PPI); +#endif +#if defined(NRF_DPPIC) + nrf_dppi_channels_disable_all(NRF_DPPIC); +#endif + nrf_cleanup_clock(); +} From ed0ee1fd4fe3bc39b5cffbc0e6c75b37de364d15 Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Fri, 6 Jan 2023 12:24:48 +0100 Subject: [PATCH 172/228] [nrf noup] zephyr: Clean up non-secure RAM if enabled MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit To ensure that MCUBoot does not leak keys or other material through memory to non-secure side we clear the memory before jumping to the next image. Signed-off-by: Sigvart Hovland Signed-off-by: Dominik Ermel Signed-off-by: Ole Sæther (cherry picked from commit 75ab2de55cd557d4c19f5ed97bc508ddce07818a) --- boot/zephyr/CMakeLists.txt | 2 +- boot/zephyr/include/nrf_cleanup.h | 5 ++ boot/zephyr/main.c | 5 +- boot/zephyr/nrf_cleanup.c | 79 +++++++++++++++++++++++-------- 4 files changed, 69 insertions(+), 22 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index d6d69cf7a..03230f565 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -707,7 +707,7 @@ if(SYSBUILD) set(mcuboot_image_upgrade_footer_size ${required_upgrade_size} CACHE INTERNAL "Estimated MCUboot update image trailer size" FORCE) endif() -if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL) +if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL OR CONFIG_MCUBOOT_CLEANUP_NONSECURE_RAM) zephyr_library_sources( ${BOOT_DIR}/zephyr/nrf_cleanup.c ) diff --git a/boot/zephyr/include/nrf_cleanup.h b/boot/zephyr/include/nrf_cleanup.h index 6b04cedfe..9e87e13f5 100644 --- a/boot/zephyr/include/nrf_cleanup.h +++ b/boot/zephyr/include/nrf_cleanup.h @@ -16,4 +16,9 @@ */ void nrf_cleanup_peripheral(void); +/** + * Perform cleanup of non-secure RAM that may have been used by MCUBoot. + */ +void nrf_cleanup_ns_ram(void); + #endif diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 08587c31e..880d62392 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -143,7 +143,7 @@ K_SEM_DEFINE(boot_log_sem, 1, 1); #include #endif -#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL +#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL || CONFIG_MCUBOOT_NRF_CLEANUP_NONSECURE_RAM #include #endif @@ -220,6 +220,9 @@ static void do_boot(struct boot_rsp *rsp) #if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL nrf_cleanup_peripheral(); #endif +#if CONFIG_MCUBOOT_NRF_CLEANUP_NONSECURE_RAM && defined(PM_SRAM_NONSECURE_NAME) + nrf_cleanup_ns_ram(); +#endif #if CONFIG_MCUBOOT_CLEANUP_ARM_CORE cleanup_arm_nvic(); /* cleanup NVIC registers */ diff --git a/boot/zephyr/nrf_cleanup.c b/boot/zephyr/nrf_cleanup.c index 5bab26b24..051705ec9 100644 --- a/boot/zephyr/nrf_cleanup.c +++ b/boot/zephyr/nrf_cleanup.c @@ -5,9 +5,8 @@ */ #include -#if defined(NRF_UARTE0) || defined(NRF_UARTE1) - #include -#endif +#include +#include #if defined(NRF_RTC0) || defined(NRF_RTC1) || defined(NRF_RTC2) #include #endif @@ -20,6 +19,15 @@ #include +#if USE_PARTITION_MANAGER +#include +#endif + +#if defined(NRF_UARTE0) || defined(NRF_UARTE1) || defined(NRF_UARTE20) || \ + defined(NRF_UARTE30) +#define NRF_UARTE_CLEANUP +#endif + #define NRF_UARTE_SUBSCRIBE_CONF_OFFS offsetof(NRF_UARTE_Type, SUBSCRIBE_STARTRX) #define NRF_UARTE_SUBSCRIBE_CONF_SIZE (offsetof(NRF_UARTE_Type, EVENTS_CTS) -\ NRF_UARTE_SUBSCRIBE_CONF_OFFS) @@ -37,6 +45,23 @@ static inline void nrf_cleanup_rtc(NRF_RTC_Type * rtc_reg) } #endif +#if defined(NRF_UARTE_CLEANUP) +static NRF_UARTE_Type *nrf_uarte_to_clean[] = { +#if defined(NRF_UARTE0) + NRF_UARTE0, +#endif +#if defined(NRF_UARTE1) + NRF_UARTE1, +#endif +#if defined(NRF_UARTE20) + NRF_UARTE20, +#endif +#if defined(NRF_UARTE30) + NRF_UARTE30, +#endif +}; +#endif + static void nrf_cleanup_clock(void) { nrf_clock_int_disable(NRF_CLOCK, 0xFFFFFFFF); @@ -53,26 +78,31 @@ void nrf_cleanup_peripheral(void) #if defined(NRF_RTC2) nrf_cleanup_rtc(NRF_RTC2); #endif -#if defined(NRF_UARTE0) - nrf_uarte_disable(NRF_UARTE0); - nrf_uarte_int_disable(NRF_UARTE0, 0xFFFFFFFF); -#if defined(NRF_DPPIC) - /* Clear all SUBSCRIBE configurations. */ - memset((uint8_t *)NRF_UARTE0 + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, NRF_UARTE_SUBSCRIBE_CONF_SIZE); - /* Clear all PUBLISH configurations. */ - memset((uint8_t *)NRF_UARTE0 + NRF_UARTE_PUBLISH_CONF_OFFS, 0, NRF_UARTE_PUBLISH_CONF_SIZE); -#endif -#endif -#if defined(NRF_UARTE1) - nrf_uarte_disable(NRF_UARTE1); - nrf_uarte_int_disable(NRF_UARTE1, 0xFFFFFFFF); + +#if defined(NRF_UARTE_CLEANUP) + for (int i = 0; i < sizeof(nrf_uarte_to_clean) / sizeof(nrf_uarte_to_clean[0]); ++i) { + NRF_UARTE_Type *current = nrf_uarte_to_clean[i]; + + nrfy_uarte_int_disable(current, 0xFFFFFFFF); + nrfy_uarte_int_uninit(current); + nrfy_uarte_task_trigger(current, NRF_UARTE_TASK_STOPRX); + + nrfy_uarte_event_clear(current, NRF_UARTE_EVENT_RXSTARTED); + nrfy_uarte_event_clear(current, NRF_UARTE_EVENT_ENDRX); + nrfy_uarte_event_clear(current, NRF_UARTE_EVENT_RXTO); + nrfy_uarte_disable(current); + #if defined(NRF_DPPIC) - /* Clear all SUBSCRIBE configurations. */ - memset((uint8_t *)NRF_UARTE1 + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, NRF_UARTE_SUBSCRIBE_CONF_SIZE); - /* Clear all PUBLISH configurations. */ - memset((uint8_t *)NRF_UARTE1 + NRF_UARTE_PUBLISH_CONF_OFFS, 0, NRF_UARTE_PUBLISH_CONF_SIZE); + /* Clear all SUBSCRIBE configurations. */ + memset((uint8_t *)current + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, + NRF_UARTE_SUBSCRIBE_CONF_SIZE); + /* Clear all PUBLISH configurations. */ + memset((uint8_t *)current + NRF_UARTE_PUBLISH_CONF_OFFS, 0, + NRF_UARTE_PUBLISH_CONF_SIZE); #endif + } #endif + #if defined(NRF_PPI) nrf_ppi_channels_disable_all(NRF_PPI); #endif @@ -81,3 +111,12 @@ void nrf_cleanup_peripheral(void) #endif nrf_cleanup_clock(); } + +#if USE_PARTITION_MANAGER \ + && defined(CONFIG_ARM_TRUSTZONE_M) \ + && defined(PM_SRAM_NONSECURE_NAME) +void nrf_cleanup_ns_ram(void) +{ + memset((void *) PM_SRAM_NONSECURE_ADDRESS, 0, PM_SRAM_NONSECURE_SIZE); +} +#endif From afd1f6f75e0c716900b31a026fa04086f0c7449c Mon Sep 17 00:00:00 2001 From: Christian Taedcke Date: Thu, 10 Feb 2022 15:37:49 +0100 Subject: [PATCH 173/228] [nrf noup] loader: Fix reading reset addr to support ext flash MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When mcuboot_secondary is on external flash, the image header cannot dircetly be accessed via secondary_fa->fa_off. Instead the provided function boot_img_hdr() is used now. Additionally a similar issue is present when trying to read the address of the reset handler. For this flash_area_read() is used now. With this patch is possible to have the update partiton mcuboot_secondary on external flash and update a updatable bootloader (mcuboot) in s0 and/or s1. Signed-off-by: Christian Taedcke Signed-off-by: Ole Sæther Signed-off-by: Sigvart Hovland Signed-off-by: Dominik Ermel (cherry picked from commit f6bedc90762987f24cdc71a4b3014f85a3cb85e5) --- boot/bootutil/src/loader.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index e75bfd42a..b131c0ff4 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1251,10 +1251,9 @@ boot_validated_swap_type(struct boot_loader_state *state, #if defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) const struct flash_area *secondary_fa = BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); - struct image_header *hdr = (struct image_header *)secondary_fa->fa_off; - uint32_t vtable_addr = 0; - uint32_t *vtable = 0; + struct image_header *hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); uint32_t reset_addr = 0; + int rc = 0; /* Patch needed for NCS. Since image 0 (the app) and image 1 (the other * B1 slot S0 or S1) share the same secondary slot, we need to check * whether the update candidate in the secondary slot is intended for @@ -1264,16 +1263,19 @@ boot_validated_swap_type(struct boot_loader_state *state, */ if (hdr->ih_magic == IMAGE_MAGIC) { - vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; - vtable = (uint32_t *)(vtable_addr); - reset_addr = vtable[1]; + rc = flash_area_read(secondary_fa, hdr->ih_hdr_size + + sizeof(uint32_t), &reset_addr, + sizeof(reset_addr)); + if (rc != 0) { + return BOOT_SWAP_TYPE_FAIL; + } #ifdef PM_S1_ADDRESS #ifdef PM_CPUNET_B0N_ADDRESS if(reset_addr < PM_CPUNET_B0N_ADDRESS) #endif { const struct flash_area *primary_fa; - int rc = flash_area_open(flash_area_id_from_multi_image_slot( + rc = flash_area_open(flash_area_id_from_multi_image_slot( BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT), &primary_fa); @@ -1309,16 +1311,19 @@ boot_validated_swap_type(struct boot_loader_state *state, upgrade_valid = true; } -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) \ + && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) /* If the update is valid, and it targets the network core: perform the * update and indicate to the caller of this function that no update is * available */ if (upgrade_valid && reset_addr > PM_CPUNET_B0N_ADDRESS) { + struct image_header *hdr = (struct image_header *)secondary_fa->fa_off; + uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; + uint32_t *net_core_fw_addr = (uint32_t *)(vtable_addr); uint32_t fw_size = hdr->ih_img_size; - BOOT_LOG_INF("Starting network core update"); - int rc = pcd_network_core_update(vtable, fw_size); + rc = pcd_network_core_update(net_core_fw_addr, fw_size); if (rc != 0) { swap_type = BOOT_SWAP_TYPE_FAIL; From 78f267f479d4da6cfed6382c667f9a68fbec985f Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Fri, 22 Sep 2023 21:31:08 +0000 Subject: [PATCH 174/228] [nrf noup] loader: Do not check reset vector for XIP image The XIP image, 2, does not have reset vector. Signed-off-by: Dominik Ermel (cherry picked from commit ec9999f7f812edea4679de01b72ae78e5438b1a1) --- boot/bootutil/src/loader.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index b131c0ff4..324d4b37b 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1142,6 +1142,16 @@ boot_validate_slot(struct boot_loader_state *state, int slot, * overwriting an application written to the incorrect slot. * This feature is only supported by ARM platforms. */ +#if MCUBOOT_IMAGE_NUMBER >= 3 + /* Currently the MCUboot can be configured for up to 3 image, where image number 2 is + * designated for XIP, where it is the second part of image stored in slots of image + * 0. This part of image is not bootable, as the XIP setup is done by the app in + * image 0 slot, and it does not carry the reset vector. + */ + if (fap == state->imgs[2][BOOT_SECONDARY_SLOT].area) { + goto out; + } +#endif if (fap == BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT)) { const struct flash_area *pri_fa = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT); struct image_header *secondary_hdr = boot_img_hdr(state, slot); From 5694ff5a65d06ec87901113fa333438be70bbc77 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Mon, 18 Sep 2023 13:47:00 +0100 Subject: [PATCH 175/228] [nrf noup] zephyr: Add RAM flash configuration to cache for sysbuild Puts the flash simulation configurtion into cache variables that can be used by other applications and CMake code to know specifics on the simulated flash details Signed-off-by: Jamie McCrae (cherry picked from commit 9d52cc5cd8e6b45bdb8becd92641d05acff03e22) --- boot/zephyr/CMakeLists.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 03230f565..1b4665050 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -712,3 +712,14 @@ zephyr_library_sources( ${BOOT_DIR}/zephyr/nrf_cleanup.c ) endif() + +if(SYSBUILD AND CONFIG_PCD_APP) + # Sysbuild requires details of the RAM flash device are stored to the cache of MCUboot so + # that they can be read when running partition manager + dt_nodelabel(ram_flash_dev NODELABEL flash_sim0) + dt_reg_addr(ram_flash_addr PATH ${ram_flash_dev}) + dt_reg_size(ram_flash_size PATH ${ram_flash_dev}) + + set(RAM_FLASH_ADDR "${ram_flash_addr}" CACHE STRING "" FORCE) + set(RAM_FLASH_SIZE "${ram_flash_size}" CACHE STRING "" FORCE) +endif() From 79ca4781225a9aa6f8631fb01c9ca5c8218712ca Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Tue, 17 Oct 2023 11:28:09 +0200 Subject: [PATCH 176/228] [nrf noup] zephyr: Boot even if EXT_ABI is not provided This removes the `return;` to ensure that the application is booted even if EXT_ABI is not provided to the application because it does not include `FW_INFO`. Added a bit more description to the error messages when FW_INFO is not found and EXT_ABI is not able to be provided to the next image. Ref. NCSDK-24132 Signed-off-by: Sigvart Hovland (cherry picked from commit 5e9aa4cb55cd88623976bb014c0a9c94425774be) --- boot/zephyr/main.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 880d62392..a8a231c3c 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -207,13 +207,16 @@ static void do_boot(struct boot_rsp *rsp) #endif #if defined(CONFIG_FW_INFO) && !defined(CONFIG_EXT_API_PROVIDE_EXT_API_UNUSED) - bool provided = fw_info_ext_api_provide(fw_info_find((uint32_t)vt), true); + const struct fw_info *firmware_info = fw_info_find((uint32_t) vt); + bool provided = fw_info_ext_api_provide(firmware_info, true); #ifdef PM_S0_ADDRESS /* Only fail if the immutable bootloader is present. */ if (!provided) { - BOOT_LOG_ERR("Failed to provide EXT_APIs\n"); - return; + if (firmware_info == NULL) { + BOOT_LOG_WRN("Unable to find firmware info structure in %p", vt); + } + BOOT_LOG_ERR("Failed to provide EXT_APIs to %p", vt); } #endif #endif From bb083baeaaed9eeded204e43cab53fef805ec4f7 Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Wed, 27 Sep 2023 15:18:04 +0200 Subject: [PATCH 177/228] =?UTF-8?q?[nrf=20noup]=C2=A0loader:=20Add=20firmw?= =?UTF-8?q?are=20version=20check=20downgrade=20prevention?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For nRF53, the only existing version number metadata is stored in the `firmware_info` structure in the network core. This utilizes PCD to read out the version number and compares it against the version number found in the secondary slot for the network core. Ref. NCSDK-21379 Signed-off-by: Sigvart Hovland (cherry picked from commit 186c927143ffac9ab1cd95bbf52ed459f1da127b) --- boot/bootutil/src/loader.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 324d4b37b..8687db9c4 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -51,6 +51,10 @@ #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) #include +#ifdef CONFIG_PCD_READ_NETCORE_APP_VERSION +#include +int pcd_version_cmp_net(const struct flash_area *fap, struct image_header *hdr); +#endif #endif #ifdef MCUBOOT_ENC_IMAGES @@ -1095,9 +1099,21 @@ boot_validate_slot(struct boot_loader_state *state, int slot, int rc; /* Check if version of secondary slot is sufficient */ - rc = boot_version_cmp( - &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, - &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); + +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) \ + && defined(CONFIG_PCD_APP) && defined(CONFIG_PCD_READ_NETCORE_APP_VERSION) + if (BOOT_CURR_IMG(state) == 1) { + rc = pcd_version_cmp_net(fap, boot_img_hdr(state, BOOT_SECONDARY_SLOT)); + } else { + rc = boot_version_cmp( + &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, + &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); + } +#else + rc = boot_version_cmp( + &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, + &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); +#endif if (rc < 0 && boot_check_header_erased(state, BOOT_PRIMARY_SLOT)) { BOOT_LOG_ERR("insufficient version in secondary slot"); flash_area_erase(fap, 0, flash_area_get_size(fap)); From fa084222682e185cb0c5be154ecaf310f5bd560e Mon Sep 17 00:00:00 2001 From: Nikodem Kastelik Date: Mon, 9 Oct 2023 09:55:57 +0200 Subject: [PATCH 178/228] [nrf noup] boards: thingy53: disable GPIO ISR support Change disables GPIO interrupt support in Zephyr GPIO driver, which is not obligatory for MCUboot. This is needed to reduce memory footprint. Signed-off-by: Nikodem Kastelik (cherry picked from commit 0564022cdfa7d8a20c36a9c2d0bfb4b8be77c1da) --- boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf index 7d3bc0bec..e10656678 100644 --- a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf +++ b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf @@ -21,6 +21,7 @@ CONFIG_UART_LINE_CTRL=y # MCUBoot serial CONFIG_GPIO=y +CONFIG_GPIO_NRFX_INTERRUPT=n CONFIG_MCUBOOT_SERIAL=y CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y CONFIG_BOOT_SERIAL_CDC_ACM=y From 8c73d8b51ebda556c5d2985fdf3c2ba60c0a6fd3 Mon Sep 17 00:00:00 2001 From: Andrzej Puzdrowski Date: Thu, 11 Apr 2024 17:26:50 +0200 Subject: [PATCH 179/228] [nrf noup] boot/zephyr/boards: nRF54l15pdk ext flash cfg Added configuration which allows to build MCUboot for nrf54l15pdk_nrf54l15_cpuapp with external flash used for the secondary slot. Signed-off-by: Andrzej Puzdrowski (cherry picked from commit 513e91d505e178d4c4cbbe4fd5d3fa2230fc0ade) --- .../boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf | 8 ++++++++ .../nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay | 10 ++++++++++ 2 files changed, 18 insertions(+) create mode 100644 boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf create mode 100644 boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay diff --git a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf new file mode 100644 index 000000000..841922dbd --- /dev/null +++ b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf @@ -0,0 +1,8 @@ +CONFIG_MULTITHREADING=y +CONFIG_SPI=y +CONFIG_SPI_NOR=y +CONFIG_FLASH=y +CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x14000 +CONFIG_MAIN_STACK_SIZE=20480 +CONFIG_BOOT_MAX_IMG_SECTORS=512 +CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096 diff --git a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay new file mode 100644 index 000000000..2341ffd26 --- /dev/null +++ b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay @@ -0,0 +1,10 @@ +/ { + chosen { + nordic,pm-ext-flash = &mx25r64; + }; +}; + + +&mx25r64 { + status = "okay"; +}; From 8c62ac94c953f93dbf80194f09b4bf0dd2c29a1f Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Tue, 30 Mar 2021 22:45:17 +0200 Subject: [PATCH 180/228] [nrf noup] loader: work-around for multi-image builds Seems multi-image dependencies are not supported for multi-image in NCS yet. This is a workaround which reverts some lines to restore previous MCUboot behavior, so that Immutable bootloader + MCUBoot type builds will work. Ref. NCSDK-8681 Signed-off-by: Sigvart Hovland (cherry picked from commit c85abeec4c1f0fbf1c4b563fb1219329c66a92f4) --- boot/bootutil/src/loader.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 8687db9c4..d706719e1 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -495,7 +495,7 @@ boot_verify_dependencies(struct boot_loader_state *state) if (rc == 0) { /* All dependencies've been satisfied, continue with next image. */ BOOT_CURR_IMG(state)++; - } else { + } else if (rc == BOOT_EBADIMAGE) { /* Cannot upgrade due to non-met dependencies, so disable all * image upgrades. */ @@ -504,7 +504,10 @@ boot_verify_dependencies(struct boot_loader_state *state) BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_NONE; } break; - } + } else { + /* Other error happened, images are inconsistent */ + return rc; + } } return rc; } @@ -1883,7 +1886,6 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs) } #endif - /** * Performs a clean (not aborted) image update. * From 566af5ee1f6e925d1208c382fa7386e3f0a9d8c0 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Thu, 31 Aug 2023 08:58:31 +0100 Subject: [PATCH 181/228] [nrf noup] loader: Fix missing PCD define check Fixes a missing PCD define check, an image might have the network core partition layout set but if PCD support is not enabled then it should not assume that PCD support is part of mcuboot. Signed-off-by: Jamie McCrae (cherry picked from commit 3213b0ca6ea88e264752d4ee71295ded7164c10a) --- boot/bootutil/src/loader.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index d706719e1..2a5d49f8d 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1341,7 +1341,7 @@ boot_validated_swap_type(struct boot_loader_state *state, } #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) \ - && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) + && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) && defined(CONFIG_PCD_APP) /* If the update is valid, and it targets the network core: perform the * update and indicate to the caller of this function that no update is * available @@ -1369,7 +1369,8 @@ boot_validated_swap_type(struct boot_loader_state *state, swap_type = BOOT_SWAP_TYPE_NONE; } } -#endif /* CONFIG_SOC_NRF5340_CPUAPP */ +#endif /* CONFIG_SOC_NRF5340_CPUAPP && PM_CPUNET_B0N_ADDRESS && + !CONFIG_NRF53_MULTI_IMAGE_UPDATE && CONFIG_PCD_APP */ } return swap_type; From 1f08c7930a316b62423b481ba62ff50c2ee2e8ac Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Wed, 31 May 2023 14:41:13 +0200 Subject: [PATCH 182/228] [nrf noup] boot: Add support for NSIB and multi-image This adds support for using both NSIB and the multi-image configuration in MCUboot. Before this was not possible due to upgradable bootloader support through NSIB was using the `UPDATEABLE_IMAGE_NUMBER` configuration to update the updateable bootloader. In this commit we change from using `FLASH_AREA_IMAGE_PRIMARY` to get the flash area ID to using the bootloader state where we set the flash area ID of the free updatable bootloader slot if the image is intended for this slot. Ref. NCSDK-19223 Ref. NCSDK-23305 Signed-off-by: Sigvart Hovland (cherry picked from commit 0bf9af473ffd1e0750b1eb3d4b2a3d3918811955) --- boot/bootutil/src/loader.c | 44 +++++++++++++++++++------ boot/zephyr/include/sysflash/sysflash.h | 19 +++++++++-- 2 files changed, 51 insertions(+), 12 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 2a5d49f8d..dbf27d5b0 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1192,6 +1192,11 @@ boot_validate_slot(struct boot_loader_state *state, int slot, if (BOOT_CURR_IMG(state) == 1) { min_addr = PM_CPUNET_APP_ADDRESS; max_addr = PM_CPUNET_APP_ADDRESS + PM_CPUNET_APP_SIZE; +#ifdef PM_S1_ADDRESS + } else if (BOOT_CURR_IMG(state) == 0) { + min_addr = PM_S0_ADDRESS; + max_addr = pri_fa->fa_off + pri_fa->fa_size; +#endif } else #endif { @@ -1305,18 +1310,37 @@ boot_validated_swap_type(struct boot_loader_state *state, { const struct flash_area *primary_fa; rc = flash_area_open(flash_area_id_from_multi_image_slot( - BOOT_CURR_IMG(state), - BOOT_PRIMARY_SLOT), - &primary_fa); - + BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT), + &primary_fa); if (rc != 0) { return BOOT_SWAP_TYPE_FAIL; } - /* Get start and end of primary slot for current image */ - if (reset_addr < primary_fa->fa_off || - reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { - /* The image in the secondary slot is not intended for this image - */ + + /* Check start and end of primary slot for current image */ + if (reset_addr < primary_fa->fa_off) { +#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) + const struct flash_area *nsib_fa; + + /* NSIB upgrade slot */ + rc = flash_area_open((uint32_t)_image_1_primary_slot_id, + &nsib_fa); + + if (rc != 0) { + return BOOT_SWAP_TYPE_FAIL; + } + + /* Image is placed before Primary and within the NSIB slot */ + if (reset_addr > nsib_fa->fa_off + && reset_addr < (nsib_fa->fa_off + nsib_fa->fa_size)) { + /* Set primary to be NSIB upgrade slot */ + BOOT_IMG_AREA(state, 0) = nsib_fa; + } +#else + return BOOT_SWAP_TYPE_NONE; +#endif + + } else if (reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { + /* The image in the secondary slot is not intended for any */ return BOOT_SWAP_TYPE_NONE; } } @@ -1611,7 +1635,7 @@ boot_copy_image(struct boot_loader_state *state, struct boot_status *bs) BOOT_LOG_INF("Image %d upgrade secondary slot -> primary slot", image_index); BOOT_LOG_INF("Erasing the primary slot"); - rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index), + rc = flash_area_open(flash_area_get_id(BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)), &fap_primary_slot); assert (rc == 0); diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index 7112f9baa..f1ef4100e 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h @@ -23,9 +23,24 @@ /* If B0 is present then two bootloaders are present, and we must use * a single secondary slot for both primary slots. */ -#ifdef PM_B0_ADDRESS - +#if defined(PM_B0_ADDRESS) extern uint32_t _image_1_primary_slot_id[]; +#endif +#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) +#elif defined(PM_B0_ADDRESS) #define FLASH_AREA_IMAGE_PRIMARY(x) \ ((x == 0) ? \ From 0117f67d27406ede222e0300fbd7e1c72eadb8ef Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Thu, 10 Aug 2023 17:32:48 +0000 Subject: [PATCH 183/228] [nrf noup] sysflash: Move partition manager definitions to pm_sysflash.h Making sysflash.h and pm_sysflash.h more readable. Signed-off-by: Dominik Ermel (cherry picked from commit e005bf866a3699eaba6a296988022af1a2074610) --- boot/zephyr/include/sysflash/pm_sysflash.h | 92 ++++++++++++++++++++++ boot/zephyr/include/sysflash/sysflash.h | 90 ++------------------- 2 files changed, 97 insertions(+), 85 deletions(-) create mode 100644 boot/zephyr/include/sysflash/pm_sysflash.h diff --git a/boot/zephyr/include/sysflash/pm_sysflash.h b/boot/zephyr/include/sysflash/pm_sysflash.h new file mode 100644 index 000000000..377291e8b --- /dev/null +++ b/boot/zephyr/include/sysflash/pm_sysflash.h @@ -0,0 +1,92 @@ +/* + * Copyright (c) 2023 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#ifndef __PM_SYSFLASH_H__ +#define __PM_SYSFLASH_H__ +/* Blocking the __SYSFLASH_H__ */ +#define __SYSFLASH_H__ + +#include +#include + +#ifndef CONFIG_SINGLE_APPLICATION_SLOT + +#if (MCUBOOT_IMAGE_NUMBER == 1) + +#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID + +#elif (MCUBOOT_IMAGE_NUMBER == 2) + +/* If B0 is present then two bootloaders are present, and we must use + * a single secondary slot for both primary slots. + */ +#if defined(PM_B0_ADDRESS) +extern uint32_t _image_1_primary_slot_id[]; +#endif +#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) +#elif defined(PM_B0_ADDRESS) + +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + (uint32_t)_image_1_primary_slot_id : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + 255 ) +#else + +#define FLASH_AREA_IMAGE_PRIMARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_PRIMARY_ID : \ + (x == 1) ? \ + PM_MCUBOOT_PRIMARY_1_ID : \ + 255 ) + +#define FLASH_AREA_IMAGE_SECONDARY(x) \ + ((x == 0) ? \ + PM_MCUBOOT_SECONDARY_ID: \ + (x == 1) ? \ + PM_MCUBOOT_SECONDARY_1_ID: \ + 255 ) + +#endif /* PM_B0_ADDRESS */ + +#endif +#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID + +#else /* CONFIG_SINGLE_APPLICATION_SLOT */ + +#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID +#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_PRIMARY_ID +/* NOTE: Scratch parition is not used by single image DFU but some of + * functions in common files reference it, so the definitions has been + * provided to allow compilation of common units. + */ +#define FLASH_AREA_IMAGE_SCRATCH 0 + +#endif /* CONFIG_SINGLE_APPLICATION_SLOT */ + +#endif /* __PM_SYSFLASH_H__ */ diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h index f1ef4100e..3c3638d7f 100644 --- a/boot/zephyr/include/sysflash/sysflash.h +++ b/boot/zephyr/include/sysflash/sysflash.h @@ -4,93 +4,15 @@ * SPDX-License-Identifier: Apache-2.0 */ -#ifndef __SYSFLASH_H__ -#define __SYSFLASH_H__ - #if USE_PARTITION_MANAGER -#include -#include - -#ifndef CONFIG_SINGLE_APPLICATION_SLOT - -#if (MCUBOOT_IMAGE_NUMBER == 1) - -#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID - -#elif (MCUBOOT_IMAGE_NUMBER == 2) - -/* If B0 is present then two bootloaders are present, and we must use - * a single secondary slot for both primary slots. - */ -#if defined(PM_B0_ADDRESS) -extern uint32_t _image_1_primary_slot_id[]; -#endif -#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) -#elif defined(PM_B0_ADDRESS) - -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - (uint32_t)_image_1_primary_slot_id : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - 255 ) -#else - -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) - -#endif /* PM_B0_ADDRESS */ - +/* Blocking the rest of the file */ +#define __SYSFLASH_H__ +#include #endif -#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID - -#else /* CONFIG_SINGLE_APPLICATION_SLOT */ - -#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_PRIMARY_ID -/* NOTE: Scratch parition is not used by single image DFU but some of - * functions in common files reference it, so the definitions has been - * provided to allow compilation of common units. - */ -#define FLASH_AREA_IMAGE_SCRATCH 0 -#endif /* CONFIG_SINGLE_APPLICATION_SLOT */ - -#else +#ifndef __SYSFLASH_H__ +#define __SYSFLASH_H__ -#include #include #include #include @@ -149,6 +71,4 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #endif /* CONFIG_SINGLE_APPLICATION_SLOT */ -#endif /* USE_PARTITION_MANAGER */ - #endif /* __SYSFLASH_H__ */ From 6f0279bf954c1a473a0f93244c867277cd073b41 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Fri, 11 Aug 2023 12:29:13 +0000 Subject: [PATCH 184/228] [nrf noup] sysflash: Add support for three images The commit modifies pm_sysflash.h to add support for three application images. Ref. NCSDK-19223 Signed-off-by: Dominik Ermel Signed-off-by: Sigvart Hovland (cherry picked from commit a251600dd2365d9da00f28e884770cfc43743fa7) --- boot/zephyr/include/sysflash/pm_sysflash.h | 82 ++++++++++++---------- 1 file changed, 45 insertions(+), 37 deletions(-) diff --git a/boot/zephyr/include/sysflash/pm_sysflash.h b/boot/zephyr/include/sysflash/pm_sysflash.h index 377291e8b..db60ddd03 100644 --- a/boot/zephyr/include/sysflash/pm_sysflash.h +++ b/boot/zephyr/include/sysflash/pm_sysflash.h @@ -11,37 +11,19 @@ #include #include +#include #ifndef CONFIG_SINGLE_APPLICATION_SLOT -#if (MCUBOOT_IMAGE_NUMBER == 1) - -#define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID -#define FLASH_AREA_IMAGE_SECONDARY(x) PM_MCUBOOT_SECONDARY_ID - -#elif (MCUBOOT_IMAGE_NUMBER == 2) - +#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) /* If B0 is present then two bootloaders are present, and we must use * a single secondary slot for both primary slots. */ -#if defined(PM_B0_ADDRESS) extern uint32_t _image_1_primary_slot_id[]; -#endif -#if defined(PM_B0_ADDRESS) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) +#endif /* (MCUBOOT_IMAGE_NUMBER == 2 && defined(PM_B0_ADDRESS) */ -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) -#elif defined(PM_B0_ADDRESS) +#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ + !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) #define FLASH_AREA_IMAGE_PRIMARY(x) \ ((x == 0) ? \ @@ -56,26 +38,52 @@ extern uint32_t _image_1_primary_slot_id[]; (x == 1) ? \ PM_MCUBOOT_SECONDARY_ID: \ 255 ) + +#else /* MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ + * !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) + */ + +/* Each pair of slots is separated by , and there is no terminating character */ +#define FLASH_AREA_IMAGE_0_SLOTS PM_MCUBOOT_PRIMARY_ID, PM_MCUBOOT_SECONDARY_ID +#define FLASH_AREA_IMAGE_1_SLOTS PM_MCUBOOT_PRIMARY_1_ID, PM_MCUBOOT_SECONDARY_1_ID +#define FLASH_AREA_IMAGE_2_SLOTS PM_MCUBOOT_PRIMARY_2_ID, PM_MCUBOOT_SECONDARY_2_ID + +#if (MCUBOOT_IMAGE_NUMBER == 1) +#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS +#elif (MCUBOOT_IMAGE_NUMBER == 2) +#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS, \ + FLASH_AREA_IMAGE_1_SLOTS +#elif (MCUBOOT_IMAGE_NUMBER == 3) +#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS, \ + FLASH_AREA_IMAGE_1_SLOTS, \ + FLASH_AREA_IMAGE_2_SLOTS #else +#error Unsupported number of images +#endif -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - PM_MCUBOOT_PRIMARY_1_ID : \ - 255 ) +static inline uint32_t __flash_area_ids_for_slot(int img, int slot) +{ + static const int all_slots[] = { + ALL_AVAILABLE_SLOTS + }; + return all_slots[img * 2 + slot]; +}; -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_1_ID: \ - 255 ) +#undef FLASH_AREA_IMAGE_0_SLOTS +#undef FLASH_AREA_IMAGE_1_SLOTS +#undef FLASH_AREA_IMAGE_2_SLOTS +#undef ALL_AVAILABLE_SLOTS -#endif /* PM_B0_ADDRESS */ +#define FLASH_AREA_IMAGE_PRIMARY(x) __flash_area_ids_for_slot(x, 0) +#define FLASH_AREA_IMAGE_SECONDARY(x) __flash_area_ids_for_slot(x, 1) +#if !defined(CONFIG_BOOT_SWAP_USING_MOVE) +#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID #endif -#define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID + +#endif /* MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ + * !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) + */ #else /* CONFIG_SINGLE_APPLICATION_SLOT */ From 154f4df0d4f76e123592993ddc932df8f37885bb Mon Sep 17 00:00:00 2001 From: Andrzej Puzdrowski Date: Thu, 15 Feb 2024 16:47:25 +0100 Subject: [PATCH 185/228] [nrf noup] loader: introduced cleanup of unusable secondary slot Added procedure which clean-up content of all the secondary slot which contains valid header but couldn't be assigned to any of supported primary images. This behavior is needed when configuration allows to use one secondary slot for collecting image for multiple primary slots. Signed-off-by: Andrzej Puzdrowski (cherry picked from commit 6045ec967497abf777bf487db284c17f74bba0e0) --- boot/bootutil/src/loader.c | 90 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index dbf27d5b0..b822d2367 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1265,6 +1265,87 @@ boot_update_security_counter(struct boot_loader_state *state, int slot, int hdr_ } #endif /* MCUBOOT_HW_ROLLBACK_PROT */ +#if defined(CONFIG_MCUBOOT_CLEANUP_UNUSABLE_SECONDARY) &&\ +(defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP)) + +#define SEC_SLOT_VIRGIN 0 +#define SEC_SLOT_TOUCHED 1 +#define SEC_SLOT_ASSIGNED 2 + +#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ + !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) +/* This configuration is peculiar - the one physical secondary slot is + * mocking two logical secondary + */ +#define SEC_SLOT_PHYSICAL_CNT 1 +#else +#define SEC_SLOT_PHYSICAL_CNT MCUBOOT_IMAGE_NUMBER +#endif + +static uint8_t sec_slot_assignmnet[SEC_SLOT_PHYSICAL_CNT] = {0}; + +static inline void sec_slot_touch(struct boot_loader_state *state) +{ + uint8_t idx = (SEC_SLOT_PHYSICAL_CNT == 1) ? 0 : BOOT_CURR_IMG(state); + + if (SEC_SLOT_VIRGIN == sec_slot_assignmnet[idx]) { + sec_slot_assignmnet[idx] = SEC_SLOT_TOUCHED; + } +} + +static inline void sec_slot_mark_assigned(struct boot_loader_state *state) +{ + uint8_t idx = (SEC_SLOT_PHYSICAL_CNT == 1) ? 0 : BOOT_CURR_IMG(state); + + sec_slot_assignmnet[idx] = SEC_SLOT_ASSIGNED; +} + +/** + * Cleanu up all secondary slot which couldn't be assigned to any primary slot. + * + * This function erases content of each secondary slot which contains valid + * header but couldn't be assigned to any of supported primary images. + * + * This function is supposed to be called after boot_validated_swap_type() + * iterates over all the images in context_boot_go(). + */ +static void sec_slot_cleanup_if_unusable(void) +{ + uint8_t idx; + + for (idx = 0; idx < SEC_SLOT_PHYSICAL_CNT; idx++) { + if (SEC_SLOT_TOUCHED == sec_slot_assignmnet[idx]) { + const struct flash_area *secondary_fa; + int rc; + + rc = flash_area_open(flash_area_id_from_multi_image_slot(idx, BOOT_SECONDARY_SLOT), + &secondary_fa); + if (!rc) { + rc = flash_area_erase(secondary_fa, 0, secondary_fa->fa_size); + if (!rc) { + BOOT_LOG_ERR("Cleaned-up secondary slot of %d. image.", idx); + } + } + + if (rc) { + BOOT_LOG_ERR("Can not cleanup secondary slot of %d. image.", idx); + } + } + } +} +#else +static inline void sec_slot_touch(struct boot_loader_state *state) +{ +} +static inline void sec_slot_mark_assigned(struct boot_loader_state *state) +{ +} +static inline void sec_slot_cleanup_if_unusable(void) +{ +} +#endif /* defined(CONFIG_MCUBOOT_CLEANUP_UNUSABLE_SECONDARY) &&\ + defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) */ + #if !defined(MCUBOOT_DIRECT_XIP) && !defined(MCUBOOT_RAM_LOAD) /** * Determines which swap operation to perform, if any. If it is determined @@ -1303,6 +1384,9 @@ boot_validated_swap_type(struct boot_loader_state *state, if (rc != 0) { return BOOT_SWAP_TYPE_FAIL; } + + sec_slot_touch(state); + #ifdef PM_S1_ADDRESS #ifdef PM_CPUNET_B0N_ADDRESS if(reset_addr < PM_CPUNET_B0N_ADDRESS) @@ -1337,6 +1421,7 @@ boot_validated_swap_type(struct boot_loader_state *state, } #else return BOOT_SWAP_TYPE_NONE; + #endif } else if (reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { @@ -1345,7 +1430,9 @@ boot_validated_swap_type(struct boot_loader_state *state, } } #endif /* PM_S1_ADDRESS */ + sec_slot_mark_assigned(state); } + #endif /* PM_S1_ADDRESS || CONFIG_SOC_NRF5340_CPUAPP */ swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state)); @@ -2487,6 +2574,9 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) } } + /* cleanup secondary slots which were recognized unusable*/ + sec_slot_cleanup_if_unusable(); + #if (BOOT_IMAGE_NUMBER > 1) if (has_upgrade) { /* Iterate over all the images and verify whether the image dependencies From ef7aad1cdd15f358bdf921f36647d5d4e50b05a8 Mon Sep 17 00:00:00 2001 From: Grzegorz Chwierut Date: Tue, 16 Apr 2024 16:10:55 +0200 Subject: [PATCH 186/228] [nrf noup] boards: nrf54l15: Disable FPROTECT FPROTECT is not suppored yet for nrf54l15. Signed-off-by: Grzegorz Chwierut Signed-off-by: Gerard Marull-Paretas (cherry picked from commit 1bd0b62e4705f0a6d1a6ed4f723e4aa9fc7dfcc1) --- boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp.conf b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp.conf index 43d8cebe3..8d8eb845f 100644 --- a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp.conf +++ b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp.conf @@ -7,4 +7,7 @@ CONFIG_BOOT_MAX_IMG_SECTORS=256 # Ensure that the SPI NOR driver is disabled by default CONFIG_SPI_NOR=n +# TODO: below are not yet supported and need fixing +CONFIG_FPROTECT=n + CONFIG_BOOT_WATCHDOG_FEED=n From ab602b19743c24a0cc54ddfd0d5e1ef47e58ab05 Mon Sep 17 00:00:00 2001 From: Grzegorz Chwierut Date: Fri, 17 May 2024 18:25:07 +0200 Subject: [PATCH 187/228] [nrf noup] loader: remove cleanup for direct xip mode Move ifdefs just to not add code for cleanup unusable slot when direct xip mode is enabled to avoid warnings. Signed-off-by: Grzegorz Chwierut (cherry picked from commit dcef7e4813f5599cfe1302a6cc9b4b930ea85360) --- boot/bootutil/src/loader.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index b822d2367..49ae5c21f 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1265,6 +1265,8 @@ boot_update_security_counter(struct boot_loader_state *state, int slot, int hdr_ } #endif /* MCUBOOT_HW_ROLLBACK_PROT */ +#if !defined(MCUBOOT_DIRECT_XIP) && !defined(MCUBOOT_RAM_LOAD) + #if defined(CONFIG_MCUBOOT_CLEANUP_UNUSABLE_SECONDARY) &&\ (defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP)) @@ -1346,7 +1348,6 @@ static inline void sec_slot_cleanup_if_unusable(void) #endif /* defined(CONFIG_MCUBOOT_CLEANUP_UNUSABLE_SECONDARY) &&\ defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) */ -#if !defined(MCUBOOT_DIRECT_XIP) && !defined(MCUBOOT_RAM_LOAD) /** * Determines which swap operation to perform, if any. If it is determined * that a swap operation is required, the image in the secondary slot is checked From cf16b826e8c699240a373048d69af4923cffee75 Mon Sep 17 00:00:00 2001 From: Andrzej Puzdrowski Date: Mon, 15 Apr 2024 18:54:45 +0200 Subject: [PATCH 188/228] [nrf noup] boot/zephyr/boards: nrf54l15pdk ext-flash partition Added DTS with partitioning which involves external flash as place for slo1_partition. Signed-off-by: Andrzej Puzdrowski (cherry picked from commit 830ad12d077c584b2a99884e1129bba1a33dd72c) --- ...54l15pdk_nrf54l15_cpuapp_ext_flash.overlay | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay index 2341ffd26..76b648903 100644 --- a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay +++ b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay @@ -4,7 +4,42 @@ }; }; +/delete-node/ &boot_partition; +/delete-node/ &slot0_partition; +/delete-node/ &slot1_partition; + +/delete-node/ &slot0_ns_partition; +/delete-node/ &slot1_ns_partition; + +/delete-node/ &storage_partition; + +&rram0 { + partitions { + boot_partition: partition@0 { + label = "mcuboot"; + reg = <0x000000000 0x00014000>; + }; + slot0_partition: partition@14000 { + label = "image-0"; + reg = <0x000014000 0x0015A000>; + }; + storage_partition: partition@16E000 { + label = "storage"; + reg = < 0x16E000 0x9000 >; + }; + }; +}; &mx25r64 { status = "okay"; + partitions { + compatible = "fixed-partitions"; + #address-cells = <1>; + #size-cells = <1>; + + slot1_partition: partition@0 { + label = "image-1"; + reg = <0x000000000 0x0015A000>; + }; + }; }; From a493f54798318e6a4e484525417cbc79a0bf7a75 Mon Sep 17 00:00:00 2001 From: Andrzej Puzdrowski Date: Mon, 20 May 2024 15:48:33 +0200 Subject: [PATCH 189/228] [nrf noup] boot/zephyr/boards: nrf54l15pdk ext-flash update This patch supplements the configuration for external flash so MCUboot can be build with FILE_SUFFIX="ext_flash" for the nrf54l15pdk instead of explicitly configuration specification. Signed-off-by: Andrzej Puzdrowski (cherry picked from commit 494c935ae019a4be93d700ec49c65198aaa562ba) --- .../boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf | 7 +++++++ .../boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay | 1 + 2 files changed, 8 insertions(+) diff --git a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf index 841922dbd..8fc12e074 100644 --- a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf +++ b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.conf @@ -6,3 +6,10 @@ CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x14000 CONFIG_MAIN_STACK_SIZE=20480 CONFIG_BOOT_MAX_IMG_SECTORS=512 CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096 +# Ensure that the qspi driver is disabled by default +CONFIG_NORDIC_QSPI_NOR=n + +# TODO: below are not yet supported and need fixing +CONFIG_FPROTECT=n + +CONFIG_BOOT_WATCHDOG_FEED=n diff --git a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay index 76b648903..ea024fcec 100644 --- a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay +++ b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay @@ -1,6 +1,7 @@ / { chosen { nordic,pm-ext-flash = &mx25r64; + zephyr,code-partition = &boot_partition; }; }; From bf1b0fa4d62f4bddcbc51ba76e45ccb2ee10e060 Mon Sep 17 00:00:00 2001 From: Maximilian Deubel Date: Tue, 12 Mar 2024 12:30:52 +0100 Subject: [PATCH 190/228] [nrf noup] boards: thingy91x: enable serial recovery This patch disbales MCUBoot logging and enables serial recovery for the Thingy:91. Signed-off-by: Maximilian Deubel Signed-off-by: Bernt Johan Damslora (cherry picked from commit 732083d3ec8b3bc76a6fd528ebc14a27df05d069) --- boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf | 10 ++++++++-- boot/zephyr/boards/thingy91x_nrf9151.conf | 9 +++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf index 72dfa7fca..37c7e95b1 100644 --- a/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf +++ b/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf @@ -32,7 +32,7 @@ CONFIG_USB_COMPOSITE_DEVICE=y CONFIG_USB_MASS_STORAGE=n CONFIG_USB_DEVICE_MANUFACTURER="Nordic Semiconductor" CONFIG_USB_DEVICE_VID=0x1915 -CONFIG_USB_DEVICE_PID=0x520F +CONFIG_USB_DEVICE_PID=0x910A CONFIG_BOOT_SERIAL_BOOT_MODE=y @@ -49,6 +49,12 @@ CONFIG_FLASH_SIMULATOR_DOUBLE_WRITES=y CONFIG_FLASH_SIMULATOR_STATS=n CONFIG_BOOT_IMAGE_ACCESS_HOOKS=y -CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y +# Makes it possible to update the network core using the flash simulator CONFIG_NRF53_RECOVERY_NETWORK_CORE=y + +CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y +CONFIG_BOOT_SERIAL_IMG_GRP_IMAGE_STATE=y + +# Skip checks on the secondary image to make it possible to update MCUBoot on S1/S0 +CONFIG_MCUBOOT_VERIFY_IMG_ADDRESS=n diff --git a/boot/zephyr/boards/thingy91x_nrf9151.conf b/boot/zephyr/boards/thingy91x_nrf9151.conf index 33cd3301c..2efe1e170 100644 --- a/boot/zephyr/boards/thingy91x_nrf9151.conf +++ b/boot/zephyr/boards/thingy91x_nrf9151.conf @@ -6,3 +6,12 @@ CONFIG_SPI_NOR=y CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096 CONFIG_SPI_NOR_SFDP_DEVICETREE=y CONFIG_MULTITHREADING=y + +# Disable Zephyr console and use UART for MCUboot serial recovery instead +CONFIG_CONSOLE=n +CONFIG_CONSOLE_HANDLER=n +CONFIG_UART_CONSOLE=n +CONFIG_MCUBOOT_SERIAL=y + +CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y +CONFIG_BOOT_SERIAL_IMG_GRP_IMAGE_STATE=y From 2f25a92e5984771dc36395de2b9c45e7deef6ae9 Mon Sep 17 00:00:00 2001 From: Robert Lubos Date: Fri, 17 May 2024 14:14:54 +0200 Subject: [PATCH 191/228] [nrf noup] boot: zephyr: Disable boot banner if NCS_BOOT_BANNER is used Mcuboot's boot banner should not be used if NCS boot banner is enabled. Signed-off-by: Robert Lubos (cherry picked from commit 4ae34b4e81382f2f7259472f0eddd21dbc471d99) --- boot/zephyr/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 1c38d2ba2..1e10e6284 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -984,6 +984,7 @@ config BOOT_DISABLE_CACHES config MCUBOOT_BOOT_BANNER bool "Use MCUboot boot banner" depends on BOOT_BANNER + depends on !NCS_BOOT_BANNER depends on "$(APP_VERSION_EXTENDED_STRING)" != "" default y help From 09e1b9cf15af5e15e630d47feab64f9cf014604d Mon Sep 17 00:00:00 2001 From: Andrzej Puzdrowski Date: Mon, 27 May 2024 13:59:49 +0200 Subject: [PATCH 192/228] [nrf noup] boot/zephyr: fix fw_info search By the upstream patch the vt get now the pointer to the copy of the arm_vector instead of original. This patch fixes address of the firmware which is to be taken by the fw_info_find. Signed-off-by: Andrzej Puzdrowski (cherry picked from commit efafb012f0a647a5e57a9438bc4b38a7cc5db1cf) --- boot/zephyr/main.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index a8a231c3c..ab863f156 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -207,7 +207,14 @@ static void do_boot(struct boot_rsp *rsp) #endif #if defined(CONFIG_FW_INFO) && !defined(CONFIG_EXT_API_PROVIDE_EXT_API_UNUSED) - const struct fw_info *firmware_info = fw_info_find((uint32_t) vt); + uintptr_t fw_start_addr; + + rc = flash_device_base(rsp->br_flash_dev_id, &fw_start_addr); + assert(rc == 0); + + fw_start_addr += rsp->br_image_off + rsp->br_hdr->ih_hdr_size; + + const struct fw_info *firmware_info = fw_info_find(fw_start_addr); bool provided = fw_info_ext_api_provide(firmware_info, true); #ifdef PM_S0_ADDRESS From 52c087af8d2ecfb20da35fc4139c25e0c3899885 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Tue, 28 May 2024 09:31:16 +0000 Subject: [PATCH 193/228] [nrf noup] Revert of zephyr: arm: Update reading the flash image reset vector This is revert of upstream commit 453096b17ddc3aac7bf6afb97c40591d5ea3aa9c which was supposed to allow picking interrupt vector table from flash area but the whole modification unfortunately misunderstood difference between flash device ID and flash area ID. The commit is not important for sdk-nrf and requires re-design and fixing upstream. Signed-off-by: Dominik Ermel (cherry picked from commit ccffc83489330ec2dc4a57902b100d1b738641ec) --- boot/zephyr/flash_map_extended.c | 13 ------------- boot/zephyr/main.c | 20 +++++--------------- 2 files changed, 5 insertions(+), 28 deletions(-) diff --git a/boot/zephyr/flash_map_extended.c b/boot/zephyr/flash_map_extended.c index 4a29750f7..68ae4f3b2 100644 --- a/boot/zephyr/flash_map_extended.c +++ b/boot/zephyr/flash_map_extended.c @@ -148,21 +148,8 @@ int flash_area_sector_from_off(off_t off, struct flash_sector *sector) uint8_t flash_area_get_device_id(const struct flash_area *fa) { - uint8_t device_id; - int rc; - - rc = BOOT_HOOK_FLASH_AREA_CALL(flash_area_get_device_id_hook, - BOOT_HOOK_REGULAR, fa, &device_id); - if (rc != BOOT_HOOK_REGULAR) { - return device_id; - } - -#if defined(CONFIG_ARM) - return fa->fa_id; -#else (void)fa; return FLASH_DEVICE_ID; -#endif } #define ERASED_VAL 0xff diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index ab863f156..918a01f7a 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -175,26 +175,16 @@ static void do_boot(struct boot_rsp *rsp) /* Get ram address for image */ vt = (struct arm_vector_table *)(rsp->br_hdr->ih_load_addr + rsp->br_hdr->ih_hdr_size); #else + uintptr_t flash_base; int rc; - const struct flash_area *fap; - static uint32_t dst[2]; /* Jump to flash image */ - rc = flash_area_open(rsp->br_flash_dev_id, &fap); - assert(rc == 0); - - rc = flash_area_read(fap, rsp->br_hdr->ih_hdr_size, dst, sizeof(dst)); + rc = flash_device_base(rsp->br_flash_dev_id, &flash_base); assert(rc == 0); -#ifndef CONFIG_ASSERT - /* Enter a lock up as asserts are disabled */ - if (rc != 0) { - while (1); - } -#endif - - flash_area_close(fap); - vt = (struct arm_vector_table *)dst; + vt = (struct arm_vector_table *)(flash_base + + rsp->br_image_off + + rsp->br_hdr->ih_hdr_size); #endif if (IS_ENABLED(CONFIG_SYSTEM_TIMER_HAS_DISABLE_SUPPORT)) { From 466fe91e663c71463f35f7e2b4907401289fed2e Mon Sep 17 00:00:00 2001 From: Andrzej Puzdrowski Date: Wed, 5 Jun 2024 15:46:13 +0200 Subject: [PATCH 194/228] [nrf noup] zephyr/boards: fix nrf54l15pdk ext flash dts overlay Align to changes in DTS: renamed: rram0 -> cpuapp_rram sized up cpauapp_rram region szie as part of it was reserved for cpuflpr_rram (which is not used by this config). Signed-off-by: Andrzej Puzdrowski (cherry picked from commit f1393e6b8dde7f86513942271ad46c284fe22d3b) --- .../boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay index ea024fcec..60ee6fe51 100644 --- a/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay +++ b/boot/zephyr/boards/nrf54l15pdk_nrf54l15_cpuapp_ext_flash.overlay @@ -14,7 +14,8 @@ /delete-node/ &storage_partition; -&rram0 { +&cpuapp_rram { + reg = < 0x0 DT_SIZE_K(1524) >; partitions { boot_partition: partition@0 { label = "mcuboot"; From fe5f292599ef755f207096e148f3cc6ee02337ab Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Tue, 11 Jun 2024 12:32:51 +0100 Subject: [PATCH 195/228] [nrf noup] boot: zephyr: Add NCS boot banner Adds a boot banner which shows as MCUboot Signed-off-by: Jamie McCrae (cherry picked from commit f754885576c2c1f19b53e6a41dc718286964ed40) --- boot/zephyr/prj.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf index 6d538d1de..9ff1ba274 100644 --- a/boot/zephyr/prj.conf +++ b/boot/zephyr/prj.conf @@ -36,3 +36,6 @@ CONFIG_CBPRINTF_NANO=y ### Use the minimal C library to reduce flash usage CONFIG_MINIMAL_LIBC=y CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT=0 + +# NCS boot banner +CONFIG_NCS_APPLICATION_BOOT_BANNER_STRING="MCUboot" From 8e6e3c2b95893c21e320d87e88730e5918d468ab Mon Sep 17 00:00:00 2001 From: Andrzej Puzdrowski Date: Thu, 13 Jun 2024 16:34:55 +0200 Subject: [PATCH 196/228] [nrf noup] boot/../loader: skip downgrade prevention for s1/s0 This patch introduces skip on checking downgrade for s1/s0 upgrade image (chain-loaded by NSIB). which is used for upgrade MCUboot instance itself. Reason is that sdk-mcuboot has not access to semantic version of its own image. I also shouldn't touch HW counter used for hardware downgrade prevention for the application image (which was the case). HW counters for s0/s1 image are owned by NSIB because its role is to prevnt dongrades of s0/s1 MCUboot. Signed-off-by: Andrzej Puzdrowski (cherry picked from commit de9d942b888ed8a2064fc36c44ef9cb93993d6db) --- boot/bootutil/src/loader.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 49ae5c21f..0a2b74626 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -70,6 +70,9 @@ int pcd_version_cmp_net(const struct flash_area *fap, struct image_header *hdr); BOOT_LOG_MODULE_DECLARE(mcuboot); static struct boot_loader_state boot_data; +#ifdef PM_S1_ADDRESS +static bool owner_nsib[BOOT_IMAGE_NUMBER] = {false}; +#endif #if defined(MCUBOOT_SERIAL_IMG_GRP_SLOT_INFO) || defined(MCUBOOT_DATA_SHARING) static struct image_max_size image_max_sizes[BOOT_IMAGE_NUMBER] = {0}; @@ -1363,6 +1366,9 @@ boot_validated_swap_type(struct boot_loader_state *state, int swap_type; FIH_DECLARE(fih_rc, FIH_FAILURE); bool upgrade_valid = false; +#if defined(PM_S1_ADDRESS) + owner_nsib[BOOT_CURR_IMG(state)] = false; +#endif #if defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) const struct flash_area *secondary_fa = @@ -1419,6 +1425,7 @@ boot_validated_swap_type(struct boot_loader_state *state, && reset_addr < (nsib_fa->fa_off + nsib_fa->fa_size)) { /* Set primary to be NSIB upgrade slot */ BOOT_IMG_AREA(state, 0) = nsib_fa; + owner_nsib[BOOT_CURR_IMG(state)] = true; } #else return BOOT_SWAP_TYPE_NONE; @@ -1429,6 +1436,10 @@ boot_validated_swap_type(struct boot_loader_state *state, /* The image in the secondary slot is not intended for any */ return BOOT_SWAP_TYPE_NONE; } + + if ((primary_fa->fa_off == PM_S0_ADDRESS) || (primary_fa->fa_off == PM_S1_ADDRESS)) { + owner_nsib[BOOT_CURR_IMG(state)] = true; + } } #endif /* PM_S1_ADDRESS */ sec_slot_mark_assigned(state); @@ -2437,6 +2448,13 @@ check_downgrade_prevention(struct boot_loader_state *state) uint32_t security_counter[2]; int rc; +#if defined(PM_S1_ADDRESS) + if (owner_nsib[BOOT_CURR_IMG(state)]) { + /* Downgrade prevention on S0/S1 image is managed by NSIB */ + return 0; + } +#endif + if (MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER) { /* If there was security no counter in slot 0, allow swap */ rc = bootutil_get_img_security_cnt(state, BOOT_PRIMARY_SLOT, From b6eb81897a018d4a09006054750d65e9505c710d Mon Sep 17 00:00:00 2001 From: Andrzej Puzdrowski Date: Tue, 18 Jun 2024 17:35:41 +0200 Subject: [PATCH 197/228] [nrf noup] boot/../loader: reboot after updating s0/s1 As this is MCUboot updating itself, it should reboot the device so NSIB will chainload the update MCUboot Signed-off-by: Andrzej Puzdrowski (cherry picked from commit f07918de07319dff91be492bf13f9a8320b73824) --- boot/bootutil/src/loader.c | 10 ++++++++++ boot/zephyr/Kconfig | 1 + 2 files changed, 11 insertions(+) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 0a2b74626..de8516e76 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -49,6 +49,10 @@ #include "bootutil/boot_hooks.h" #include "bootutil/mcuboot_status.h" +#ifdef __ZEPHYR__ +#include +#endif + #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) #include #ifdef CONFIG_PCD_READ_NETCORE_APP_VERSION @@ -2666,6 +2670,12 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) rc = boot_perform_update(state, &bs); } assert(rc == 0); +#if defined(PM_S1_ADDRESS) && defined(CONFIG_REBOOT) + if (owner_nsib[BOOT_CURR_IMG(state)]) { + sys_reboot(SYS_REBOOT_COLD); + + } +#endif break; case BOOT_SWAP_TYPE_FAIL: diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 1e10e6284..f110936ab 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -18,6 +18,7 @@ config MCUBOOT select MPU_ALLOW_FLASH_WRITE if ARM_MPU select USE_DT_CODE_PARTITION if HAS_FLASH_LOAD_OFFSET select MCUBOOT_BOOTUTIL_LIB + select REBOOT if SECURE_BOOT config BOOT_USE_MBEDTLS bool From a1864167e432fe95c2595647c4fdf56fdb855413 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Thu, 29 Aug 2024 12:41:37 +0100 Subject: [PATCH 198/228] [nrf noup] bootutil: loader: Fix netcore address checking Fixes an issues with wrongly checking the network core reset address Signed-off-by: Jamie McCrae (cherry picked from commit e8705940ce0eebb48144854955d69465c69c5462) --- boot/bootutil/src/loader.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index de8516e76..daa778b85 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -1400,7 +1400,7 @@ boot_validated_swap_type(struct boot_loader_state *state, #ifdef PM_S1_ADDRESS #ifdef PM_CPUNET_B0N_ADDRESS - if(reset_addr < PM_CPUNET_B0N_ADDRESS) + if(!(reset_addr >= PM_CPUNET_APP_ADDRESS && reset_addr < PM_CPUNET_APP_END_ADDRESS)) #endif { const struct flash_area *primary_fa; @@ -1473,7 +1473,8 @@ boot_validated_swap_type(struct boot_loader_state *state, * update and indicate to the caller of this function that no update is * available */ - if (upgrade_valid && reset_addr > PM_CPUNET_B0N_ADDRESS) { + if (upgrade_valid && reset_addr >= PM_CPUNET_APP_ADDRESS && + reset_addr < PM_CPUNET_APP_END_ADDRESS) { struct image_header *hdr = (struct image_header *)secondary_fa->fa_off; uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size; uint32_t *net_core_fw_addr = (uint32_t *)(vtable_addr); From 243017cf6964dec4ea6af6fc64e72b176bda4f7c Mon Sep 17 00:00:00 2001 From: Andrzej Puzdrowski Date: Wed, 18 Sep 2024 12:28:37 +0200 Subject: [PATCH 199/228] [nrf noup] boards: nrf54l15dk: Disable FPROTECT FPROTECT is not suppored for nrf54l15dk. Signed-off-by: Andrzej Puzdrowski (cherry picked from commit 9321e7f46a878d237209f4f596d5e88a8cf6aca3) --- boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp.conf b/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp.conf index c8fcd32c3..1dbd7c1ab 100644 --- a/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp.conf +++ b/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp.conf @@ -7,6 +7,9 @@ CONFIG_BOOT_MAX_IMG_SECTORS=256 # Ensure that the SPI NOR driver is disabled by default CONFIG_SPI_NOR=n +# TODO: below are not yet supported and need fixing +CONFIG_FPROTECT=n + CONFIG_BOOT_WATCHDOG_FEED=n # Ensure the fastest RRAM write operations From 259eadb4dec22b62322243963c6312e7ed764782 Mon Sep 17 00:00:00 2001 From: Sigvart Hovland Date: Thu, 14 Feb 2019 13:20:34 +0100 Subject: [PATCH 200/228] [nrf noup] boot: Add shared crypto for ECDSA and SHA MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add functions for ecdsa_verify_secp256r1 and sha256 to use the shared crypto API * Add Kconfig and CMake variables for selecting shared crypto when using ecdsa * Add custom section to project for placing the API section in the correct location in flash * Add kconfig fragment for using external crypto Signed-off-by: Sigvart Hovland Signed-off-by: Martí Bolívar Signed-off-by: Emil Obalski Signed-off-by: Andrzej Puzdrowski Signed-off-by: Håkon Øye Amundsen Signed-off-by: Ioannis Glaropoulos Signed-off-by: Trond Einar Snekvik Signed-off-by: Georgios Vasilakis Signed-off-by: Johann Fischer Signed-off-by: Torsten Rasmussen Signed-off-by: Jamie McCrae Signed-off-by: Dominik Ermel (cherry picked from commit 049e896648b012a036bda2f451fbd279e396102b) --- boot/bootutil/include/bootutil/crypto/ecdsa.h | 64 +++++++++++++++++-- boot/bootutil/include/bootutil/crypto/sha.h | 32 ++++++++++ boot/zephyr/CMakeLists.txt | 2 + boot/zephyr/external_crypto.conf | 20 ++++++ .../include/mcuboot_config/mcuboot_config.h | 5 +- 5 files changed, 114 insertions(+), 9 deletions(-) create mode 100644 boot/zephyr/external_crypto.conf diff --git a/boot/bootutil/include/bootutil/crypto/ecdsa.h b/boot/bootutil/include/bootutil/crypto/ecdsa.h index 3b0541072..85355f20c 100644 --- a/boot/bootutil/include/bootutil/crypto/ecdsa.h +++ b/boot/bootutil/include/bootutil/crypto/ecdsa.h @@ -34,6 +34,7 @@ #if (defined(MCUBOOT_USE_TINYCRYPT) + \ defined(MCUBOOT_USE_CC310) + \ + defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \ defined(MCUBOOT_USE_PSA_OR_MBED_TLS)) != 1 #error "One crypto backend must be defined: either CC310/TINYCRYPT/MBED_TLS/PSA_CRYPTO" #endif @@ -70,12 +71,18 @@ #include "bootutil/sign_key.h" #include "common.h" +#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + #include + #define NUM_ECC_BYTES (256 / 8) +#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */ + #ifdef __cplusplus extern "C" { #endif #if (defined(MCUBOOT_USE_TINYCRYPT) || defined(MCUBOOT_USE_MBED_TLS) || \ - defined(MCUBOOT_USE_CC310)) && !defined(MCUBOOT_USE_PSA_CRYPTO) + defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)) \ + && !defined(MCUBOOT_USE_PSA_CRYPTO) /* * Declaring these like this adds NULL termination. */ @@ -127,8 +134,6 @@ static int bootutil_import_key(uint8_t **cp, uint8_t *end) } #endif /* (MCUBOOT_USE_TINYCRYPT || MCUBOOT_USE_MBED_TLS || MCUBOOT_USE_CC310) && !MCUBOOT_USE_PSA_CRYPTO */ -#if defined(MCUBOOT_USE_TINYCRYPT) -#ifndef MCUBOOT_ECDSA_NEED_ASN1_SIG /* * cp points to ASN1 string containing an integer. * Verify the tag, and that the length is 32 bytes. Helper function. @@ -178,8 +183,8 @@ static int bootutil_decode_sig(uint8_t signature[NUM_ECC_BYTES * 2], uint8_t *cp } return 0; } -#endif /* not MCUBOOT_ECDSA_NEED_ASN1_SIG */ +#if defined(MCUBOOT_USE_TINYCRYPT) typedef uintptr_t bootutil_ecdsa_context; static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx) { @@ -248,8 +253,12 @@ static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx, { (void)ctx; (void)pk_len; - (void)sig_len; (void)hash_len; + uint8_t dsig[2 * NUM_ECC_BYTES]; + + if (bootutil_decode_sig(dsig, sig, sig + sig_len)) { + return -1; + } /* Only support uncompressed keys. */ if (pk[0] != 0x04) { @@ -257,7 +266,7 @@ static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx, } pk++; - return cc310_ecdsa_verify_secp256r1(hash, pk, sig, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE); + return cc310_ecdsa_verify_secp256r1(hash, pk, dsig, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE); } static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx, @@ -613,6 +622,49 @@ static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx, #endif /* MCUBOOT_USE_MBED_TLS */ +#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) +typedef uintptr_t bootutil_ecdsa_context; +static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx) +{ + (void)ctx; +} + +static inline void bootutil_ecdsa_drop(bootutil_ecdsa_context *ctx) +{ + (void)ctx; +} + +static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx, + uint8_t *pk, size_t pk_len, + uint8_t *hash, size_t hash_len, + uint8_t *sig, size_t sig_len) +{ + (void)ctx; + (void)pk_len; + (void)hash_len; + uint8_t dsig[2 * NUM_ECC_BYTES]; + + if (bootutil_decode_sig(dsig, sig, sig + sig_len)) { + return -1; + } + + /* Only support uncompressed keys. */ + if (pk[0] != 0x04) { + return -1; + } + pk++; + + return bl_secp256r1_validate(hash, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE, pk, dsig); +} + +static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx, + uint8_t **cp,uint8_t *end) +{ + (void)ctx; + return bootutil_import_key(cp, end); +} +#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */ + #ifdef __cplusplus } #endif diff --git a/boot/bootutil/include/bootutil/crypto/sha.h b/boot/bootutil/include/bootutil/crypto/sha.h index 6a009ff95..b83a3ec40 100644 --- a/boot/bootutil/include/bootutil/crypto/sha.h +++ b/boot/bootutil/include/bootutil/crypto/sha.h @@ -30,6 +30,7 @@ #if (defined(MCUBOOT_USE_PSA_OR_MBED_TLS) + \ defined(MCUBOOT_USE_TINYCRYPT) + \ + defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \ defined(MCUBOOT_USE_CC310)) != 1 #error "One crypto backend must be defined: either CC310/MBED_TLS/TINYCRYPT/PSA_CRYPTO" #endif @@ -270,6 +271,37 @@ static inline int bootutil_sha_finish(bootutil_sha_context *ctx, } #endif /* MCUBOOT_USE_CC310 */ +#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + +#include + +typedef bl_sha256_ctx_t bootutil_sha_context; + +static inline void bootutil_sha_init(bootutil_sha_context *ctx) +{ + bl_sha256_init(ctx); +} + +static inline void bootutil_sha_drop(bootutil_sha_context *ctx) +{ + (void)ctx; +} + +static inline int bootutil_sha_update(bootutil_sha_context *ctx, + const void *data, + uint32_t data_len) +{ + return bl_sha256_update(ctx, data, data_len); +} + +static inline int bootutil_sha_finish(bootutil_sha_context *ctx, + uint8_t *output) +{ + bl_sha256_finalize(ctx, output); + return 0; +} +#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */ + #ifdef __cplusplus } #endif diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 1b4665050..15c4c2c06 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -212,6 +212,8 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) zephyr_library_sources(${NRF_DIR}/cc310_glue.c) zephyr_library_include_directories(${NRF_DIR}) zephyr_link_libraries(nrfxlib_crypto) + elseif(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO) + zephyr_include_directories(${BL_CRYPTO_DIR}/../include) endif() # Since here we are not using Zephyr's mbedTLS but rather our own, we need diff --git a/boot/zephyr/external_crypto.conf b/boot/zephyr/external_crypto.conf new file mode 100644 index 000000000..8181ad51c --- /dev/null +++ b/boot/zephyr/external_crypto.conf @@ -0,0 +1,20 @@ +# +# Copyright (c) 2021 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +# These configurations should be used when using nrf/samples/bootloader +# as the immutable bootloader (B0), and MCUBoot as the second stage updateable +# bootloader. + +# Set ECDSA as signing mechanism +CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y + +# Use crypto backend from B0 +CONFIG_BOOT_NRF_EXTERNAL_CRYPTO=y +CONFIG_SECURE_BOOT_CRYPTO=y +CONFIG_SB_CRYPTO_CLIENT_ECDSA_SECP256R1=y +CONFIG_SB_CRYPTO_CLIENT_SHA256=y +CONFIG_BL_SHA256_EXT_API_REQUIRED=y +CONFIG_BL_SECP256R1_EXT_API_REQUIRED=y diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h index 850a618b3..49854c754 100644 --- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h +++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h @@ -44,11 +44,10 @@ #define MCUBOOT_USE_TINYCRYPT #elif defined(CONFIG_BOOT_USE_CC310) #define MCUBOOT_USE_CC310 -#ifdef CONFIG_BOOT_USE_NRF_CC310_BL -#define MCUBOOT_USE_NRF_CC310_BL -#endif #elif defined(CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT) #define MCUBOOT_USE_PSA_CRYPTO +#elif defined(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO) +#define MCUBOOT_USE_NRF_EXTERNAL_CRYPTO #endif #ifdef CONFIG_BOOT_IMG_HASH_ALG_SHA512 From 01f3b098410164beefb32ce13d3b1eca7f537fbb Mon Sep 17 00:00:00 2001 From: Markus Lassila Date: Fri, 30 Aug 2024 13:10:05 +0300 Subject: [PATCH 201/228] [nrf noup] boot: zephyr: Do not lock PCD region with TF-M Previously PCD memory was locked as read-only, non-secure in MCUboot. Given that TF-M also needs write to PCD to communicate with b0n, the memory is left unlocked and locked to read-only, non-secure in TF-M. Signed-off-by: Markus Lassila (cherry picked from commit ad56ff5183465af7f590d3ce8e1132fab2c5201a) --- boot/zephyr/main.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c index 918a01f7a..6dc1e6fc3 100644 --- a/boot/zephyr/main.c +++ b/boot/zephyr/main.c @@ -652,7 +652,11 @@ int main(void) } #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) && defined(CONFIG_PCD_APP) - pcd_lock_ram(); +#if defined(PM_TFM_SECURE_ADDRESS) + pcd_lock_ram(false); +#else + pcd_lock_ram(true); +#endif #endif #endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */ From 3308732dfec501206b75825205643c72295ad4b3 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Tue, 10 Sep 2024 13:41:30 +0100 Subject: [PATCH 202/228] [nrf noup] treewide: Add support for sysbuild assigned images Adds support for image IDs that are assigned by sysbuild, which allows for dynamically supporting different configurations without needing dummy images to support different modes. Also fixes multiple deficiencies with the previous code where things were not properly accounted for e.g. using the swap algorithm including all swap status parts when updating s0/s1 MCUboot image which could overwrite and corrupt the image data in the other slot Signed-off-by: Jamie McCrae (cherry picked from commit 43d47399086a12c2d7f312fb30632655c5c23b3c) (cherry picked from commit c09c22a1b1c84a41dd0a1817c1c2802b8c6c4097) (cherry picked from commit 3a25855215a2cfc64c3f0e2dba3ada3f11df7816) --- boot/bootutil/src/loader.c | 176 +++++++++++++-------- boot/bootutil/src/swap_nsib.c | 70 ++++++++ boot/bootutil/src/swap_priv.h | 8 + boot/zephyr/CMakeLists.txt | 6 + boot/zephyr/include/sysflash/pm_sysflash.h | 69 ++++---- 5 files changed, 225 insertions(+), 104 deletions(-) create mode 100644 boot/bootutil/src/swap_nsib.c diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index daa778b85..18eaa0ea6 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -159,15 +159,15 @@ boot_read_image_headers(struct boot_loader_state *state, bool require_all, * * Failure to read any headers is a fatal error. */ -#ifdef PM_S1_ADDRESS +#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 /* Patch needed for NCS. The primary slot of the second image * (image 1) will not contain a valid image header until an upgrade * of mcuboot has happened (filling S1 with the new version). */ - if (BOOT_CURR_IMG(state) == 1 && i == 0) { + if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER && i == 0) { continue; } -#endif /* PM_S1_ADDRESS */ +#endif /* CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 */ if (i > 0 && !require_all) { return 0; } else { @@ -1112,7 +1112,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) \ && defined(CONFIG_PCD_APP) && defined(CONFIG_PCD_READ_NETCORE_APP_VERSION) - if (BOOT_CURR_IMG(state) == 1) { + if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER) { rc = pcd_version_cmp_net(fap, boot_img_hdr(state, BOOT_SECONDARY_SLOT)); } else { rc = boot_version_cmp( @@ -1183,35 +1183,54 @@ boot_validate_slot(struct boot_loader_state *state, int slot, struct image_header *secondary_hdr = boot_img_hdr(state, slot); uint32_t reset_value = 0; uint32_t reset_addr = secondary_hdr->ih_hdr_size + sizeof(reset_value); + uint32_t min_addr, max_addr; + bool check_addresses = false; if (flash_area_read(fap, reset_addr, &reset_value, sizeof(reset_value)) != 0) { fih_rc = FIH_NO_BOOTABLE_IMAGE; goto out; } - uint32_t min_addr, max_addr; - #ifdef PM_CPUNET_APP_ADDRESS /* The primary slot for the network core is emulated in RAM. * Its flash_area hasn't got relevant boundaries. * Therfore need to override its boundaries for the check. */ - if (BOOT_CURR_IMG(state) == 1) { + if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER) { min_addr = PM_CPUNET_APP_ADDRESS; max_addr = PM_CPUNET_APP_ADDRESS + PM_CPUNET_APP_SIZE; -#ifdef PM_S1_ADDRESS - } else if (BOOT_CURR_IMG(state) == 0) { + check_addresses = true; + } else +#endif +#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 + if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER) { +#if (CONFIG_NCS_IS_VARIANT_IMAGE) min_addr = PM_S0_ADDRESS; - max_addr = pri_fa->fa_off + pri_fa->fa_size; + max_addr = (PM_S0_ADDRESS + PM_S0_SIZE); +#else + min_addr = PM_S1_ADDRESS; + max_addr = (PM_S1_ADDRESS + PM_S1_SIZE); #endif + check_addresses = true; } else #endif - { + if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER) { +#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 +#if (CONFIG_NCS_IS_VARIANT_IMAGE) + min_addr = MIN(pri_fa->fa_off, PM_S0_ADDRESS); + max_addr = MAX((pri_fa->fa_off + pri_fa->fa_size), (PM_S0_ADDRESS + PM_S0_SIZE)); +#else + min_addr = MIN(pri_fa->fa_off, PM_S1_ADDRESS); + max_addr = MAX((pri_fa->fa_off + pri_fa->fa_size), (PM_S1_ADDRESS + PM_S1_SIZE)); +#endif +#else min_addr = pri_fa->fa_off; max_addr = pri_fa->fa_off + pri_fa->fa_size; +#endif + check_addresses = true; } - if (reset_value < min_addr || reset_value> (max_addr)) { + if (check_addresses == true && (reset_value < min_addr || reset_value > max_addr)) { BOOT_LOG_ERR("Reset address of image in secondary slot is not in the primary slot"); BOOT_LOG_ERR("Erasing image from secondary slot"); @@ -1281,36 +1300,54 @@ boot_update_security_counter(struct boot_loader_state *state, int slot, int hdr_ #define SEC_SLOT_TOUCHED 1 #define SEC_SLOT_ASSIGNED 2 -#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ - !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) -/* This configuration is peculiar - the one physical secondary slot is - * mocking two logical secondary - */ -#define SEC_SLOT_PHYSICAL_CNT 1 +static uint8_t sec_slot_assignment[MCUBOOT_IMAGE_NUMBER] = {0}; + +#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 +static inline void sec_slot_untouch(struct boot_loader_state *state) +{ + sec_slot_assignment[CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER] = SEC_SLOT_VIRGIN; + sec_slot_assignment[CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER] = SEC_SLOT_VIRGIN; +} #else -#define SEC_SLOT_PHYSICAL_CNT MCUBOOT_IMAGE_NUMBER +static inline void sec_slot_untouch(struct boot_loader_state *state) +{ +} #endif -static uint8_t sec_slot_assignmnet[SEC_SLOT_PHYSICAL_CNT] = {0}; - static inline void sec_slot_touch(struct boot_loader_state *state) { - uint8_t idx = (SEC_SLOT_PHYSICAL_CNT == 1) ? 0 : BOOT_CURR_IMG(state); +#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 + if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER) { + if (sec_slot_assignment[CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER] == SEC_SLOT_VIRGIN) { + sec_slot_assignment[CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER] = SEC_SLOT_TOUCHED; + } + } else if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER) { + if (sec_slot_assignment[CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER] == SEC_SLOT_VIRGIN) { + sec_slot_assignment[CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER] = SEC_SLOT_TOUCHED; + } + } +#endif - if (SEC_SLOT_VIRGIN == sec_slot_assignmnet[idx]) { - sec_slot_assignmnet[idx] = SEC_SLOT_TOUCHED; + if (sec_slot_assignment[BOOT_CURR_IMG(state)] == SEC_SLOT_VIRGIN) { + sec_slot_assignment[BOOT_CURR_IMG(state)] = SEC_SLOT_TOUCHED; } } static inline void sec_slot_mark_assigned(struct boot_loader_state *state) { - uint8_t idx = (SEC_SLOT_PHYSICAL_CNT == 1) ? 0 : BOOT_CURR_IMG(state); +#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 + if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER) { + sec_slot_assignment[CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER] = SEC_SLOT_ASSIGNED; + } else if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER) { + sec_slot_assignment[CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER] = SEC_SLOT_ASSIGNED; + } +#endif - sec_slot_assignmnet[idx] = SEC_SLOT_ASSIGNED; + sec_slot_assignment[BOOT_CURR_IMG(state)] = SEC_SLOT_ASSIGNED; } /** - * Cleanu up all secondary slot which couldn't be assigned to any primary slot. + * Cleanup up all secondary slot which couldn't be assigned to any primary slot. * * This function erases content of each secondary slot which contains valid * header but couldn't be assigned to any of supported primary images. @@ -1322,8 +1359,8 @@ static void sec_slot_cleanup_if_unusable(void) { uint8_t idx; - for (idx = 0; idx < SEC_SLOT_PHYSICAL_CNT; idx++) { - if (SEC_SLOT_TOUCHED == sec_slot_assignmnet[idx]) { + for (idx = 0; idx < MCUBOOT_IMAGE_NUMBER; idx++) { + if (SEC_SLOT_TOUCHED == sec_slot_assignment[idx]) { const struct flash_area *secondary_fa; int rc; @@ -1332,17 +1369,20 @@ static void sec_slot_cleanup_if_unusable(void) if (!rc) { rc = flash_area_erase(secondary_fa, 0, secondary_fa->fa_size); if (!rc) { - BOOT_LOG_ERR("Cleaned-up secondary slot of %d. image.", idx); + BOOT_LOG_ERR("Cleaned-up secondary slot of image %d", idx); } } if (rc) { - BOOT_LOG_ERR("Can not cleanup secondary slot of %d. image.", idx); + BOOT_LOG_ERR("Failed to clean-up secondary slot of image %d: %d", idx, rc); } } } } #else +static inline void sec_slot_untouch(struct boot_loader_state *state) +{ +} static inline void sec_slot_touch(struct boot_loader_state *state) { } @@ -1374,7 +1414,7 @@ boot_validated_swap_type(struct boot_loader_state *state, owner_nsib[BOOT_CURR_IMG(state)] = false; #endif -#if defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) +#if defined(PM_S1_ADDRESS) || defined(PM_CPUNET_B0N_ADDRESS) const struct flash_area *secondary_fa = BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); struct image_header *hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); @@ -1412,31 +1452,31 @@ boot_validated_swap_type(struct boot_loader_state *state, } /* Check start and end of primary slot for current image */ - if (reset_addr < primary_fa->fa_off) { -#if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) - const struct flash_area *nsib_fa; - - /* NSIB upgrade slot */ - rc = flash_area_open((uint32_t)_image_1_primary_slot_id, - &nsib_fa); - - if (rc != 0) { - return BOOT_SWAP_TYPE_FAIL; - } - - /* Image is placed before Primary and within the NSIB slot */ - if (reset_addr > nsib_fa->fa_off - && reset_addr < (nsib_fa->fa_off + nsib_fa->fa_size)) { - /* Set primary to be NSIB upgrade slot */ - BOOT_IMG_AREA(state, 0) = nsib_fa; - owner_nsib[BOOT_CURR_IMG(state)] = true; - } +#if (CONFIG_NCS_IS_VARIANT_IMAGE) + if (reset_addr >= PM_S0_ADDRESS && reset_addr <= (PM_S0_ADDRESS + PM_S0_SIZE)) { #else - return BOOT_SWAP_TYPE_NONE; - + if (reset_addr >= PM_S1_ADDRESS && reset_addr <= (PM_S1_ADDRESS + PM_S1_SIZE)) { #endif + if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER) { + /* This is not the s0/s1 upgrade image but the application image, pretend + * there is no image so the NSIB update can be loaded + */ + return BOOT_SWAP_TYPE_NONE; + } - } else if (reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { + owner_nsib[BOOT_CURR_IMG(state)] = true; +#if (CONFIG_NCS_IS_VARIANT_IMAGE) + } else if (reset_addr >= PM_S1_ADDRESS && reset_addr <= (PM_S1_ADDRESS + PM_S1_SIZE)) { +#else + } else if (reset_addr >= PM_S0_ADDRESS && reset_addr <= (PM_S0_ADDRESS + PM_S0_SIZE)) { +#endif + /* NSIB upgrade but for the wrong slot, must be erased */ + BOOT_LOG_ERR("Image in slot is for wrong s0/s1 image"); + flash_area_erase(secondary_fa, 0, secondary_fa->fa_size); + sec_slot_untouch(state); + BOOT_LOG_ERR("Cleaned-up secondary slot of image %d", BOOT_CURR_IMG(state)); + return BOOT_SWAP_TYPE_FAIL; + } else if (reset_addr < primary_fa->fa_off || reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { /* The image in the secondary slot is not intended for any */ return BOOT_SWAP_TYPE_NONE; } @@ -1449,7 +1489,7 @@ boot_validated_swap_type(struct boot_loader_state *state, sec_slot_mark_assigned(state); } -#endif /* PM_S1_ADDRESS || CONFIG_SOC_NRF5340_CPUAPP */ +#endif /* PM_S1_ADDRESS || PM_CPUNET_B0N_ADDRESS */ swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state)); if (BOOT_IS_UPGRADE(swap_type)) { @@ -1999,7 +2039,22 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs) flash_area_close(fap); } - swap_run(state, bs, copy_size); +#if defined(PM_S1_ADDRESS) && CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 + if (owner_nsib[BOOT_CURR_IMG(state)]) { + if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER) { + /* For NSIB, move the image instead of swapping it */ + nsib_swap_run(state, bs); + +#if defined(CONFIG_REBOOT) + /* Should also reboot at this point so the new S0/S1 update is applied */ + sys_reboot(SYS_REBOOT_COLD); +#endif + } + } else +#endif + { + swap_run(state, bs, copy_size); + } #ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT extern int boot_status_fails; @@ -2671,12 +2726,6 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) rc = boot_perform_update(state, &bs); } assert(rc == 0); -#if defined(PM_S1_ADDRESS) && defined(CONFIG_REBOOT) - if (owner_nsib[BOOT_CURR_IMG(state)]) { - sys_reboot(SYS_REBOOT_COLD); - - } -#endif break; case BOOT_SWAP_TYPE_FAIL: @@ -2750,7 +2799,8 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp) * executing MCUBoot image, and is therefore already validated by NSIB and * does not need to also be validated by MCUBoot. */ - bool image_validated_by_nsib = BOOT_CURR_IMG(state) == 1; + bool image_validated_by_nsib = BOOT_CURR_IMG(state) == + CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER; if (!image_validated_by_nsib) #endif { diff --git a/boot/bootutil/src/swap_nsib.c b/boot/bootutil/src/swap_nsib.c new file mode 100644 index 000000000..39ed4c652 --- /dev/null +++ b/boot/bootutil/src/swap_nsib.c @@ -0,0 +1,70 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * Copyright (c) 2024 Nordic Semiconductor ASA + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include +#include +#include +#include "bootutil/bootutil.h" +#include "bootutil_priv.h" +#include "swap_priv.h" +#include "bootutil/bootutil_log.h" + +#include "mcuboot_config/mcuboot_config.h" + +BOOT_LOG_MODULE_DECLARE(mcuboot); + +void nsib_swap_run(struct boot_loader_state *state, struct boot_status *bs) +{ + uint32_t sector_sz; + uint8_t image_index; + const struct flash_area *fap_pri; + const struct flash_area *fap_sec; + int rc; + + BOOT_LOG_INF("Starting swap using nsib algorithm."); + + sector_sz = boot_img_sector_size(state, BOOT_SECONDARY_SLOT, 0); + +#if (CONFIG_NCS_IS_VARIANT_IMAGE) + rc = flash_area_open(PM_S0_ID, &fap_pri); +#else + rc = flash_area_open(PM_S1_ID, &fap_pri); +#endif + assert (rc == 0); + image_index = BOOT_CURR_IMG(state); + + rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY(image_index), &fap_sec); + assert (rc == 0); + + rc = boot_erase_region(fap_pri, 0, fap_pri->fa_size); + assert(rc == 0); + + rc = boot_copy_region(state, fap_sec, fap_pri, 0, 0, fap_pri->fa_size); + assert(rc == 0); + + rc = swap_erase_trailer_sectors(state, fap_sec); + assert(rc == 0); + + rc = boot_erase_region(fap_sec, 0, MIN((fap_pri->fa_size + sector_sz), fap_sec->fa_size)); + assert(rc == 0); + + flash_area_close(fap_pri); + flash_area_close(fap_sec); +} diff --git a/boot/bootutil/src/swap_priv.h b/boot/bootutil/src/swap_priv.h index 6fdf797e1..0e6de790e 100644 --- a/boot/bootutil/src/swap_priv.h +++ b/boot/bootutil/src/swap_priv.h @@ -119,4 +119,12 @@ bool swap_write_block_size_check(struct boot_loader_state *state); */ int app_max_size(struct boot_loader_state *state); +#if defined(PM_S1_ADDRESS) && !defined(MCUBOOT_OVERWRITE_ONLY) && \ +(CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 || defined(LEGACY_CHILD_PARENT_S0_S1_UPDATE_ENABLED)) +/** + * Performs an NSIB update + */ +void nsib_swap_run(struct boot_loader_state *state, struct boot_status *bs); +#endif + #endif /* H_SWAP_PRIV_ */ diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 15c4c2c06..3c2e19288 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -181,6 +181,12 @@ else() ) endif() endif() + + if(NOT CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER EQUAL "-1" AND NOT CONFIG_BOOT_UPGRADE_ONLY) + zephyr_library_sources( + ${BOOT_DIR}/bootutil/src/swap_nsib.c + ) + endif() endif() if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) diff --git a/boot/zephyr/include/sysflash/pm_sysflash.h b/boot/zephyr/include/sysflash/pm_sysflash.h index db60ddd03..42f25182e 100644 --- a/boot/zephyr/include/sysflash/pm_sysflash.h +++ b/boot/zephyr/include/sysflash/pm_sysflash.h @@ -15,48 +15,36 @@ #ifndef CONFIG_SINGLE_APPLICATION_SLOT -#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) -/* If B0 is present then two bootloaders are present, and we must use - * a single secondary slot for both primary slots. - */ -extern uint32_t _image_1_primary_slot_id[]; -#endif /* (MCUBOOT_IMAGE_NUMBER == 2 && defined(PM_B0_ADDRESS) */ - -#if (MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ - !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) - -#define FLASH_AREA_IMAGE_PRIMARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_PRIMARY_ID : \ - (x == 1) ? \ - (uint32_t)_image_1_primary_slot_id : \ - 255 ) - -#define FLASH_AREA_IMAGE_SECONDARY(x) \ - ((x == 0) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - (x == 1) ? \ - PM_MCUBOOT_SECONDARY_ID: \ - 255 ) - -#else /* MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ - * !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) - */ - /* Each pair of slots is separated by , and there is no terminating character */ -#define FLASH_AREA_IMAGE_0_SLOTS PM_MCUBOOT_PRIMARY_ID, PM_MCUBOOT_SECONDARY_ID -#define FLASH_AREA_IMAGE_1_SLOTS PM_MCUBOOT_PRIMARY_1_ID, PM_MCUBOOT_SECONDARY_1_ID -#define FLASH_AREA_IMAGE_2_SLOTS PM_MCUBOOT_PRIMARY_2_ID, PM_MCUBOOT_SECONDARY_2_ID +#define FLASH_AREA_IMAGE_0_SLOTS PM_MCUBOOT_PRIMARY_ID, PM_MCUBOOT_SECONDARY_ID, +#define FLASH_AREA_IMAGE_1_SLOTS PM_MCUBOOT_PRIMARY_1_ID, PM_MCUBOOT_SECONDARY_1_ID, +#define FLASH_AREA_IMAGE_2_SLOTS PM_MCUBOOT_PRIMARY_2_ID, PM_MCUBOOT_SECONDARY_2_ID, +#define FLASH_AREA_IMAGE_3_SLOTS PM_MCUBOOT_PRIMARY_3_ID, PM_MCUBOOT_SECONDARY_3_ID, + +#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 +#ifdef CONFIG_NCS_IS_VARIANT_IMAGE +#define MCUBOOT_S0_S1_SLOTS PM_S0_ID, PM_MCUBOOT_SECONDARY_ID, +#else +#define MCUBOOT_S0_S1_SLOTS PM_S1_ID, PM_MCUBOOT_SECONDARY_ID, +#endif +#else +#define MCUBOOT_S0_S1_SLOTS +#endif -#if (MCUBOOT_IMAGE_NUMBER == 1) +#if (MCUBOOT_IMAGE_NUMBER == 1) || (MCUBOOT_IMAGE_NUMBER == 2 && CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1) #define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS -#elif (MCUBOOT_IMAGE_NUMBER == 2) -#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS, \ +#elif (MCUBOOT_IMAGE_NUMBER == 2) || (MCUBOOT_IMAGE_NUMBER == 3 && CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1) +#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS \ FLASH_AREA_IMAGE_1_SLOTS -#elif (MCUBOOT_IMAGE_NUMBER == 3) -#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS, \ - FLASH_AREA_IMAGE_1_SLOTS, \ +#elif (MCUBOOT_IMAGE_NUMBER == 3) || (MCUBOOT_IMAGE_NUMBER == 4 && CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1) +#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS \ + FLASH_AREA_IMAGE_1_SLOTS \ FLASH_AREA_IMAGE_2_SLOTS +#elif (MCUBOOT_IMAGE_NUMBER == 4) +#define ALL_AVAILABLE_SLOTS FLASH_AREA_IMAGE_0_SLOTS \ + FLASH_AREA_IMAGE_1_SLOTS \ + FLASH_AREA_IMAGE_2_SLOTS \ + FLASH_AREA_IMAGE_3_SLOTS #else #error Unsupported number of images #endif @@ -65,6 +53,7 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) { static const int all_slots[] = { ALL_AVAILABLE_SLOTS + MCUBOOT_S0_S1_SLOTS }; return all_slots[img * 2 + slot]; }; @@ -72,6 +61,8 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #undef FLASH_AREA_IMAGE_0_SLOTS #undef FLASH_AREA_IMAGE_1_SLOTS #undef FLASH_AREA_IMAGE_2_SLOTS +#undef FLASH_AREA_IMAGE_3_SLOTS +#undef MCUBOOT_S0_S1_SLOTS #undef ALL_AVAILABLE_SLOTS #define FLASH_AREA_IMAGE_PRIMARY(x) __flash_area_ids_for_slot(x, 0) @@ -81,10 +72,6 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #define FLASH_AREA_IMAGE_SCRATCH PM_MCUBOOT_SCRATCH_ID #endif -#endif /* MCUBOOT_IMAGE_NUMBER == 2) && defined(PM_B0_ADDRESS) && \ - * !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) - */ - #else /* CONFIG_SINGLE_APPLICATION_SLOT */ #define FLASH_AREA_IMAGE_PRIMARY(x) PM_MCUBOOT_PRIMARY_ID From 4738ae858d7dde54675aaa00b682e4b6697c35da Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Tue, 15 Oct 2024 11:31:20 +0100 Subject: [PATCH 203/228] [nrf noup] boot: bootutil: loader: Add s0/s1 checking of MCUboot image Adds a check that will also check the s0/s1 package version of the currently running MCUboot against a MCUboot update image to ensure that an older version of MCUboot isn't loaded to the opposite slot Signed-off-by: Jamie McCrae (cherry picked from commit 63e53ed94680150350e813e74957c5673704aee4) --- boot/bootutil/src/loader.c | 45 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 18eaa0ea6..12674359e 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -100,6 +100,17 @@ static struct sector_buffer_t sector_buffers; #endif #endif +#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 && defined(MCUBOOT_OVERWRITE_ONLY) && \ + defined(MCUBOOT_DOWNGRADE_PREVENTION) +/* s0/s1 package version of the current MCUboot image */ +static const struct image_version mcuboot_s0_s1_image_version = { + .iv_major = CONFIG_MCUBOOT_MCUBOOT_S0_S1_VERSION_MAJOR, + .iv_minor = CONFIG_MCUBOOT_MCUBOOT_S0_S1_VERSION_MINOR, + .iv_revision = CONFIG_MCUBOOT_MCUBOOT_S0_S1_VERSION_REVISION, + .iv_build_num = CONFIG_MCUBOOT_MCUBOOT_S0_S1_VERSION_BUILD_NUMBER, +}; +#endif + #if (BOOT_IMAGE_NUMBER > 1) #define IMAGES_ITER(x) for ((x) = 0; (x) < BOOT_IMAGE_NUMBER; ++(x)) #else @@ -1118,11 +1129,45 @@ boot_validate_slot(struct boot_loader_state *state, int slot, rc = boot_version_cmp( &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); + +#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 + if (rc >= 0 && BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER) { + /* Also check the new version of MCUboot against that of the current s0/s1 MCUboot + * trailer version to prevent downgrades + */ + int version_check; + + version_check = boot_version_cmp(&boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, + &mcuboot_s0_s1_image_version); + + /* Only update rc if the currently running version is newer */ + if (version_check < rc) { + rc = version_check; + } + } +#endif } #else rc = boot_version_cmp( &boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver); + +#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 + if (rc >= 0 && BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER) { + /* Also check the new version of MCUboot against that of the current s0/s1 MCUboot + * trailer version to prevent downgrades + */ + int version_check; + + version_check = boot_version_cmp(&boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver, + &mcuboot_s0_s1_image_version); + + /* Only update rc if the currently running version is newer */ + if (version_check < rc) { + rc = version_check; + } + } +#endif #endif if (rc < 0 && boot_check_header_erased(state, BOOT_PRIMARY_SLOT)) { BOOT_LOG_ERR("insufficient version in secondary slot"); From 52322e20de27c93aa102058fb9e2fb762b705f11 Mon Sep 17 00:00:00 2001 From: Maximilian Deubel Date: Wed, 23 Oct 2024 16:48:13 +0200 Subject: [PATCH 204/228] [nrf noup] boards: Thingy:91 X release config Update the configuration files for the Thingy:91 X targets to the ones used in production. Signed-off-by: Maximilian Deubel (cherry picked from commit 78211ab58eb6b003416dc85effd2fe515ec5b53a) --- boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf | 3 +++ boot/zephyr/boards/thingy91x_nrf9151.conf | 6 +++++- boot/zephyr/boards/thingy91x_nrf9151.overlay | 4 ++++ 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 boot/zephyr/boards/thingy91x_nrf9151.overlay diff --git a/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf index 37c7e95b1..d3e253b65 100644 --- a/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf +++ b/boot/zephyr/boards/thingy91x_nrf5340_cpuapp.conf @@ -58,3 +58,6 @@ CONFIG_BOOT_SERIAL_IMG_GRP_IMAGE_STATE=y # Skip checks on the secondary image to make it possible to update MCUBoot on S1/S0 CONFIG_MCUBOOT_VERIFY_IMG_ADDRESS=n + +CONFIG_BOOT_SERIAL_NO_APPLICATION=y +CONFIG_FW_INFO_FIRMWARE_VERSION=2 diff --git a/boot/zephyr/boards/thingy91x_nrf9151.conf b/boot/zephyr/boards/thingy91x_nrf9151.conf index 2efe1e170..7c2042de6 100644 --- a/boot/zephyr/boards/thingy91x_nrf9151.conf +++ b/boot/zephyr/boards/thingy91x_nrf9151.conf @@ -12,6 +12,10 @@ CONFIG_CONSOLE=n CONFIG_CONSOLE_HANDLER=n CONFIG_UART_CONSOLE=n CONFIG_MCUBOOT_SERIAL=y - CONFIG_MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD=y CONFIG_BOOT_SERIAL_IMG_GRP_IMAGE_STATE=y + +CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY=y +CONFIG_PM_OVERRIDE_EXTERNAL_DRIVER_CHECK=y + +CONFIG_FW_INFO_FIRMWARE_VERSION=2 diff --git a/boot/zephyr/boards/thingy91x_nrf9151.overlay b/boot/zephyr/boards/thingy91x_nrf9151.overlay new file mode 100644 index 000000000..7f2818c0d --- /dev/null +++ b/boot/zephyr/boards/thingy91x_nrf9151.overlay @@ -0,0 +1,4 @@ +&uart0 { + status = "okay"; + current-speed = < 1000000 >; +}; From 22409c3e6c613a5c98692ee67a7706ca543c99c9 Mon Sep 17 00:00:00 2001 From: Carles Cufi Date: Fri, 25 Oct 2024 09:37:44 +0200 Subject: [PATCH 205/228] [nrf noup] workflows: Add a backport workflow Enable backporting of PRs. Signed-off-by: Carles Cufi (cherry picked from commit 7058149cf30a37beb7b0a85bcad9a3cd00b14d1b) --- .github/workflows/backport.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/backport.yml diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml new file mode 100644 index 000000000..e986738ff --- /dev/null +++ b/.github/workflows/backport.yml @@ -0,0 +1,31 @@ +name: Backport +on: + pull_request_target: + types: + - closed + - labeled + branches: + - main + +jobs: + backport: + name: Backport + runs-on: ubuntu-22.04 + # Only react to merged PRs for security reasons. + # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target. + if: > + github.event.pull_request.merged && + ( + github.event.action == 'closed' || + ( + github.event.action == 'labeled' && + contains(github.event.label.name, 'backport') + ) + ) + steps: + - name: Backport + uses: zephyrproject-rtos/action-backport@v2.0.3-3 + with: + github_token: ${{ secrets.NCS_GITHUB_TOKEN }} + issue_labels: Backport + labels_template: '["Backport"]' From 8e5297e9b9565b51a75a6d89926c3002231217d2 Mon Sep 17 00:00:00 2001 From: Mateusz Michalek Date: Thu, 7 Nov 2024 11:09:18 +0100 Subject: [PATCH 206/228] [nrf noup] boot/zephyr: add nrf54l15dk ext flash configs Moved configs from nrf54l15pdk. Signed-off-by: Andrzej Puzdrowski (cherry picked from commit bd64752dfd68275f2927e46471f2ef0315ffe53a) --- .../nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf | 15 ++++++ ...f54l15dk_nrf54l15_cpuapp_ext_flash.overlay | 47 +++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf create mode 100644 boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.overlay diff --git a/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf b/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf new file mode 100644 index 000000000..8fc12e074 --- /dev/null +++ b/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf @@ -0,0 +1,15 @@ +CONFIG_MULTITHREADING=y +CONFIG_SPI=y +CONFIG_SPI_NOR=y +CONFIG_FLASH=y +CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x14000 +CONFIG_MAIN_STACK_SIZE=20480 +CONFIG_BOOT_MAX_IMG_SECTORS=512 +CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096 +# Ensure that the qspi driver is disabled by default +CONFIG_NORDIC_QSPI_NOR=n + +# TODO: below are not yet supported and need fixing +CONFIG_FPROTECT=n + +CONFIG_BOOT_WATCHDOG_FEED=n diff --git a/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.overlay b/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.overlay new file mode 100644 index 000000000..60ee6fe51 --- /dev/null +++ b/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.overlay @@ -0,0 +1,47 @@ +/ { + chosen { + nordic,pm-ext-flash = &mx25r64; + zephyr,code-partition = &boot_partition; + }; +}; + +/delete-node/ &boot_partition; +/delete-node/ &slot0_partition; +/delete-node/ &slot1_partition; + +/delete-node/ &slot0_ns_partition; +/delete-node/ &slot1_ns_partition; + +/delete-node/ &storage_partition; + +&cpuapp_rram { + reg = < 0x0 DT_SIZE_K(1524) >; + partitions { + boot_partition: partition@0 { + label = "mcuboot"; + reg = <0x000000000 0x00014000>; + }; + slot0_partition: partition@14000 { + label = "image-0"; + reg = <0x000014000 0x0015A000>; + }; + storage_partition: partition@16E000 { + label = "storage"; + reg = < 0x16E000 0x9000 >; + }; + }; +}; + +&mx25r64 { + status = "okay"; + partitions { + compatible = "fixed-partitions"; + #address-cells = <1>; + #size-cells = <1>; + + slot1_partition: partition@0 { + label = "image-1"; + reg = <0x000000000 0x0015A000>; + }; + }; +}; From b66e930b70e31ec76e0c1c2a7d4252221e810c26 Mon Sep 17 00:00:00 2001 From: Andrzej Puzdrowski Date: Thu, 19 Sep 2024 14:32:37 +0200 Subject: [PATCH 207/228] [nrf noup] boot/zephyr/Kconfig: conditionally disable BOOT_MAX_IMG_SECTORS_AUTO Automatic calculation are based on DTS data which are no the right source on partition layout in case Partition manager does the partitioning. Signed-off-by: Andrzej Puzdrowski Signed-off-by: Dominik Ermel (cherry picked from commit d09c5a0cdcc4e4a115d1a77f961a031598a93b5c) --- boot/zephyr/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index f110936ab..b8c170a08 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -624,7 +624,7 @@ config BOOT_ENCRYPTION_KEY_FILE config BOOT_MAX_IMG_SECTORS_AUTO bool "Calculate maximum sectors automatically" - default y + default y if !PARTITION_MANAGER_ENABLED help If this option is enabled then the maximum number of supported sectors per image will be calculated automatically from the flash erase sizes and size of each partition for From b1690156f6ad1bbf68b7526eb914d2f8aae9237f Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Mon, 9 Dec 2024 12:27:38 +0000 Subject: [PATCH 208/228] [nrf noup] boot: zephyr: serial_recovery: Add nRF5340 Kconfig override Adds additional conditions that lets the direct upload option to be selected on nRF5340 to allow for uploading network core updates directly to the network core with the flash simulator Signed-off-by: Jamie McCrae (cherry picked from commit b82206c15fff357c151c24bf97c99c4348d14a46) --- boot/zephyr/Kconfig.serial_recovery | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/boot/zephyr/Kconfig.serial_recovery b/boot/zephyr/Kconfig.serial_recovery index 72be5ccfb..f5ee8945b 100644 --- a/boot/zephyr/Kconfig.serial_recovery +++ b/boot/zephyr/Kconfig.serial_recovery @@ -47,9 +47,14 @@ config BOOT_SERIAL_CDC_ACM endchoice +DT_COMPAT_SIM_FLASH:= zephyr,sim-flash +DT_SIM_FLASH_PATH := $(dt_nodelabel_path,flash_sim0) + config MCUBOOT_SERIAL_DIRECT_IMAGE_UPLOAD bool "Allow to select image number for DFU" - depends on !SINGLE_APPLICATION_SLOT + # Allow this option to be selected in cases where support for direct uploading to nRF5340 + # network core should be supported + depends on !SINGLE_APPLICATION_SLOT || (SINGLE_APPLICATION_SLOT && SOC_NRF5340_CPUAPP && BOOT_IMAGE_ACCESS_HOOK_NRF5340 && FLASH_SIMULATOR && $(dt_compat_enabled,$(DT_COMPAT_SIM_FLASH))) help With the option enabled, the mcuboot serial recovery will respect the "image" field in mcumgr image update frame From d18f8fd39d037e5a85dda2d50610f49f54d1a024 Mon Sep 17 00:00:00 2001 From: Andrzej Puzdrowski Date: Tue, 17 Dec 2024 15:54:01 +0100 Subject: [PATCH 209/228] [nrf noup] boot/zephyr/boards: configure fastest RRAM operations Configured CONFIG_NRF_RRAM_WRITE_BUFFER_SIZE=32 Which ensure the fastest bulk RRAM write operations. Signed-off-by: Andrzej Puzdrowski (cherry picked from commit 0a910b600a3ddeffd941fa59359e373a29d63bf3) --- boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf b/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf index 8fc12e074..12650a9ed 100644 --- a/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf +++ b/boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf @@ -13,3 +13,6 @@ CONFIG_NORDIC_QSPI_NOR=n CONFIG_FPROTECT=n CONFIG_BOOT_WATCHDOG_FEED=n + +# Ensure the fastest RRAM write operations +CONFIG_NRF_RRAM_WRITE_BUFFER_SIZE=32 From b7a30ffbfd277f7e03cd63b35a5b300230ba6793 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Thu, 5 Dec 2024 10:20:19 +0000 Subject: [PATCH 210/228] [nrf noup] boot: Remove child/parent references Removes stray child/parent references Signed-off-by: Jamie McCrae (cherry picked from commit 99d4ae97314c413208746f1fb272eb4ecf85b3ea) --- boot/bootutil/src/swap_priv.h | 2 +- boot/zephyr/pm.yml | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/boot/bootutil/src/swap_priv.h b/boot/bootutil/src/swap_priv.h index 0e6de790e..ee7e44d55 100644 --- a/boot/bootutil/src/swap_priv.h +++ b/boot/bootutil/src/swap_priv.h @@ -120,7 +120,7 @@ bool swap_write_block_size_check(struct boot_loader_state *state); int app_max_size(struct boot_loader_state *state); #if defined(PM_S1_ADDRESS) && !defined(MCUBOOT_OVERWRITE_ONLY) && \ -(CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 || defined(LEGACY_CHILD_PARENT_S0_S1_UPDATE_ENABLED)) +CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 /** * Performs an NSIB update */ diff --git a/boot/zephyr/pm.yml b/boot/zephyr/pm.yml index 13ffc44aa..ab8f6d1c3 100644 --- a/boot/zephyr/pm.yml +++ b/boot/zephyr/pm.yml @@ -4,9 +4,7 @@ mcuboot: size: CONFIG_PM_PARTITION_SIZE_MCUBOOT placement: before: [mcuboot_primary] -#if defined(CONFIG_HIDE_CHILD_PARENT_CONFIG) align: {end: 0x1000} -#endif mcuboot_primary_app: # All images to be placed in MCUboot's slot 0 should be placed in this From b9578ab6f7537e7a58d5c3609cd0de5ca0c24ff1 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Wed, 15 Jan 2025 15:09:55 +0000 Subject: [PATCH 211/228] [nrf noup] sysflash: Add missing _FLASH_0_ID definitions MCUboot uses SOC_FLASH_0_ID and SPI_FLASH_0_ID to distinguish between internal and external boot device. These IDs are provided by sysflash.h, but the pm_sysflash.h overrides entire file, and was lacking that definitions. Signed-off-by: Dominik Ermel --- boot/zephyr/include/sysflash/pm_sysflash.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/boot/zephyr/include/sysflash/pm_sysflash.h b/boot/zephyr/include/sysflash/pm_sysflash.h index 42f25182e..0cb16292f 100644 --- a/boot/zephyr/include/sysflash/pm_sysflash.h +++ b/boot/zephyr/include/sysflash/pm_sysflash.h @@ -84,4 +84,12 @@ static inline uint32_t __flash_area_ids_for_slot(int img, int slot) #endif /* CONFIG_SINGLE_APPLICATION_SLOT */ +#ifndef SOC_FLASH_0_ID +#define SOC_FLASH_0_ID 0 +#endif + +#ifndef SPI_FLASH_0_ID +#define SPI_FLASH_0_ID 1 +#endif + #endif /* __PM_SYSFLASH_H__ */ From 1027dd80a4de4a65e276af63543d37463fffcb03 Mon Sep 17 00:00:00 2001 From: Kamil Kasperczyk Date: Fri, 24 Jan 2025 08:59:31 +0100 Subject: [PATCH 212/228] [nrf noup] boot: zephyr: boards: Disabled NCS boot banner for thingy 53 Disabled NCS BOOT BANNER to save some flash, as Thingy:53 stopped to fit in the mcuboot partition. The boot banner is not used anyway, as logs are disabled. Signed-off-by: Kamil Kasperczyk --- boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf index e10656678..c584aa911 100644 --- a/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf +++ b/boot/zephyr/boards/thingy53_nrf5340_cpuapp.conf @@ -47,6 +47,7 @@ CONFIG_USB_CDC_ACM=y CONFIG_CBPRINTF_NANO=y CONFIG_TIMESLICING=n CONFIG_BOOT_BANNER=n +CONFIG_NCS_BOOT_BANNER=n CONFIG_CONSOLE=n CONFIG_CONSOLE_HANDLER=n CONFIG_UART_CONSOLE=n From f3fedff247cb98559bb184088efd555521c9cf81 Mon Sep 17 00:00:00 2001 From: Sigurd Hellesvik Date: Thu, 6 Feb 2025 08:47:39 +0100 Subject: [PATCH 213/228] [nrf noup] partition_manager: Add support for internal flash netcore DFU Adds check to region of mcuboot_secondary_1 to put it in external flash only if CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY is set. This should allow for DFU from internal flash on the nRF5340 with dynamic partitioning. Also fixing a typo. Signed-off-by: Sigurd Hellesvik --- boot/zephyr/pm.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/boot/zephyr/pm.yml b/boot/zephyr/pm.yml index ab8f6d1c3..eec62473c 100644 --- a/boot/zephyr/pm.yml +++ b/boot/zephyr/pm.yml @@ -78,11 +78,17 @@ mcuboot_pad: mcuboot_primary_1: region: ram_flash size: CONFIG_NRF53_RAM_FLASH_SIZE -#endif /* CONFIG_NRF53_MULTI_IMAGE_UPDATE */ +#endif /* CONFIG_NRF53_MCUBOOT_PRIMARY_1_RAM_FLASH */ #if (CONFIG_NRF53_MULTI_IMAGE_UPDATE) mcuboot_secondary_1: +#if defined(CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY) region: external_flash +#else + placement: + align: {start: CONFIG_FPROTECT_BLOCK_SIZE} + after: mcuboot_secondary +#endif size: CONFIG_NRF53_RAM_FLASH_SIZE #endif /* CONFIG_NRF53_MULTI_IMAGE_UPDATE */ From 5d9a95c8a8a6eabd9f1fd5750f542c7e276c8b3a Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Wed, 12 Mar 2025 16:06:32 +0000 Subject: [PATCH 214/228] [nrf fromtree] bootutil: Fix ASN1 bypass not building One of includes is not available when bypassing ASN1 encoding as mbedTLS is no longer enabled for compilation. Discovered with zephyr, but common for other platforms, after recent changes in CMakeLists.txt. Signed-off-by: Dominik Ermel (cherry picked from commit a01ca4cf946badfc409c490850c335f7152bc391) --- boot/bootutil/src/image_ed25519.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index 01bef149d..90e8300de 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -18,10 +18,10 @@ #define MBEDTLS_ASN1_PARSE_C #include "mbedtls/oid.h" #include "mbedtls/asn1.h" +#include "bootutil/crypto/common.h" #endif #include "bootutil_priv.h" -#include "bootutil/crypto/common.h" #include "bootutil/crypto/sha.h" #define EDDSA_SIGNATURE_LENGTH 64 From ff7f0defdfc054d7aac548d9f97278609544f8fb Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Wed, 12 Mar 2025 16:09:12 +0000 Subject: [PATCH 215/228] [nrf fromtree] zephyr: Do not compile ASN1 code when bypassed Commit removes files needed for ASN1 parsing from compilation, when ASN1 bypass is enabled. Signed-off-by: Dominik Ermel (cherry picked from commit ec86244ac150d87b46e41d948ce7b655be672f88) --- boot/zephyr/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 3c2e19288..1a6f86557 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -31,7 +31,7 @@ assert_exists(TINYCRYPT_SHA512_DIR) set(FIAT_DIR "${MCUBOOT_DIR}/ext/fiat") assert_exists(FIAT_DIR) # Path to mbed-tls' asn1 parser library. -if(NOT CONFIG_MBEDTLS_BUILTIN) +if(NOT CONFIG_MBEDTLS_BUILTIN AND NOT CONFIG_BOOT_KEY_IMPORT_BYPASS_ASN) set(MBEDTLS_ASN1_DIR "${MCUBOOT_DIR}/ext/mbedtls-asn1") assert_exists(MBEDTLS_ASN1_DIR) endif() From c617eba5d633899f329df675a4092f1f64a20b6d Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Wed, 12 Mar 2025 16:44:21 +0000 Subject: [PATCH 216/228] [nrf fromtree] zephyr: Prevent selecting MBEDTLS_ASN1_PARSE_C when not needed Make selection of MBEDTLS_ASN1_PARSE_C, in BOOT_ED25519_MBEDTLS, depending on ASN1 parsing being enabled. Signed-off-by: Dominik Ermel (cherry picked from commit 0ba80ffb1a0a2514385de47da67ac19c17ff23de) --- boot/zephyr/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index b8c170a08..369f19969 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -296,7 +296,7 @@ config BOOT_ED25519_MBEDTLS bool "Use mbedTLS" select BOOT_USE_MBEDTLS select MBEDTLS - select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN + select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN && !BOOT_KEY_IMPORT_BYPASS_ASN select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE config BOOT_ED25519_PSA From f6ca88a8f0e7abcc53589fcbd2fc3766c0bf30dd Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Wed, 12 Mar 2025 16:13:28 +0000 Subject: [PATCH 217/228] [nrf fromtree] zephyr: Fix ED25519 compilation with mbedTLS ED25519 with mbedTLS has not been linking due to missing SHA512, which is internally required by ED25519 implementation. Signed-off-by: Dominik Ermel (cherry picked from commit f523c60dbd60677557d192dcabd20af28a8470c3) --- boot/zephyr/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 369f19969..2deb94841 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -295,7 +295,9 @@ config BOOT_ED25519_TINYCRYPT config BOOT_ED25519_MBEDTLS bool "Use mbedTLS" select BOOT_USE_MBEDTLS + select BOOT_IMG_HASH_ALG_SHA512_ALLOW select MBEDTLS + select MBEDTLS_SHA512 select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN && !BOOT_KEY_IMPORT_BYPASS_ASN select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE From 69a93364d74cfb0ecbe1f4d9a5ae2a22f0d02fbc Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Thu, 13 Mar 2025 15:07:09 +0000 Subject: [PATCH 218/228] [nrf fromtree] zephyr: Add missing selection for allowed SHA algorithms All of ED25519 backends allow SHA512, together with SHA512. The ED25519 internally requires SHA512 for calculations, but image may be hashed with any SHA algorithm. The PSA has also been missing selecting of any SHA as allowed. Signed-off-by: Dominik Ermel (cherry picked from commit e5d8640cd49829a1d5916fbae04cb2c817fb6116) --- boot/zephyr/Kconfig | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 2deb94841..21bfa5a3a 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -290,11 +290,13 @@ choice BOOT_ED25519_IMPLEMENTATION config BOOT_ED25519_TINYCRYPT bool "Use tinycrypt" select BOOT_USE_TINYCRYPT + select BOOT_IMG_HASH_ALG_SHA256_ALLOW select BOOT_IMG_HASH_ALG_SHA512_ALLOW config BOOT_ED25519_MBEDTLS bool "Use mbedTLS" select BOOT_USE_MBEDTLS + select BOOT_IMG_HASH_ALG_SHA256_ALLOW select BOOT_IMG_HASH_ALG_SHA512_ALLOW select MBEDTLS select MBEDTLS_SHA512 @@ -305,10 +307,13 @@ config BOOT_ED25519_PSA bool "Use PSA crypto" select MBEDTLS select BOOT_USE_PSA_CRYPTO - select MBEDTLS_PSA_CRYPTO_C - select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN select PSA_CRYPTO_CLIENT select PSA_CRYPTO_C + select MBEDTLS_PSA_CRYPTO_C + select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN + select MBEDTLS_ENABLE_HEAP + select BOOT_IMG_HASH_ALG_SHA256_ALLOW + select BOOT_IMG_HASH_ALG_SHA512_ALLOW select BOOT_ED25519_PSA_DEPENDENCIES select BOOT_X25519_PSA_DEPENDENCIES if BOOT_ENCRYPT_IMAGE From e9d96780bdf7c997c0ca36ccb4d00a2dd7bc3b61 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Tue, 18 Mar 2025 12:40:06 +0000 Subject: [PATCH 219/228] [nrf fromtree] bootutil: Fix ed25519 pure signature verification Accidentally added check for size of blen against hash length, in bootutil_verify, was doubling check done in bootutli_verify_sig and prevented pure signature from working. Signed-off-by: Dominik Ermel (cherry picked from commit 2d681da4891d995ea547c8355a0882c1c1016aa4) --- boot/bootutil/src/image_ed25519.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index 90e8300de..ffb8cec3b 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -90,7 +90,7 @@ bootutil_verify(uint8_t *buf, uint32_t blen, uint8_t *pubkey; uint8_t *end; - if (blen != IMAGE_HASH_SIZE || slen != EDDSA_SIGNATURE_LENGTH) { + if (slen != EDDSA_SIGNATURE_LENGTH) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } From fa89f7b8d1003afe48926214870772f9c718687b Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Tue, 4 Mar 2025 17:31:33 +0000 Subject: [PATCH 220/228] [nrf noup] zephyr: sdk-nrf specific overrides on PSA Kconfigs Select proper configuration and disable mbedTLS selection, as we are using NRF Security enabled Oberon. Signed-off-by: Dominik Ermel --- boot/bootutil/zephyr/CMakeLists.txt | 2 +- boot/zephyr/Kconfig | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/boot/bootutil/zephyr/CMakeLists.txt b/boot/bootutil/zephyr/CMakeLists.txt index f6d37441c..44f78f395 100644 --- a/boot/bootutil/zephyr/CMakeLists.txt +++ b/boot/bootutil/zephyr/CMakeLists.txt @@ -40,7 +40,7 @@ if(CONFIG_BOOT_USE_PSA_CRYPTO) ) endif() -if(CONFIG_BOOT_USE_MBEDTLS OR CONFIG_BOOT_USE_PSA_CRYPTO) +if(CONFIG_BOOT_USE_MBEDTLS OR CONFIG_BOOT_USE_PSA_CRYPTO AND NOT CONFIG_NRF_SECURITY) zephyr_link_libraries(mbedTLS) endif() endif() diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 21bfa5a3a..9535d4b5a 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -89,8 +89,7 @@ config BOOT_ED25519_PSA_DEPENDENCIES select PSA_WANT_ALG_SHA_256 select PSA_WANT_ALG_SHA_512 select PSA_WANT_ALG_PURE_EDDSA - # Seems that upstream mbedTLS does not have TE - #select PSA_WANT_ECC_TWISTED_EDWARDS_255 + select PSA_WANT_ECC_TWISTED_EDWARDS_255 select PSA_WANT_ECC_MONTGOMERY_255 select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT help @@ -285,6 +284,7 @@ config BOOT_SIGNATURE_TYPE_PURE choice BOOT_ED25519_IMPLEMENTATION prompt "Ecdsa implementation" + default BOOT_ED25519_PSA if NRF_SECURITY default BOOT_ED25519_TINYCRYPT config BOOT_ED25519_TINYCRYPT @@ -305,7 +305,7 @@ config BOOT_ED25519_MBEDTLS config BOOT_ED25519_PSA bool "Use PSA crypto" - select MBEDTLS + depends on NRF_SECURITY select BOOT_USE_PSA_CRYPTO select PSA_CRYPTO_CLIENT select PSA_CRYPTO_C @@ -375,6 +375,7 @@ config MBEDTLS_CFG_FILE # is used, but the fact is that Mbed TLS' ASN1 parse module is used # also when TinyCrypt is used as crypto backend. default "mcuboot-mbedtls-cfg.h" if BOOT_USE_TINYCRYPT + default "config-tls-generic.h" if NRF_SECURITY && (MBEDTLS_BUILTIN || BOOT_USE_PSA_CRYPTO) default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS && !MBEDTLS_BUILTIN config BOOT_HW_KEY From 5c886db89fdc8b13ff4879c3ee285913b899409b Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Tue, 11 Jul 2023 08:42:49 +0100 Subject: [PATCH 221/228] [nrf noup] zephyr: Fix path variables Fixes path variables to use the proper Zephyr module variables Signed-off-by: Jamie McCrae Signed-off-by: Dominik Ermel (cherry picked from commit d978f7b4e9c000d554242c65800fdee51381a3d2) (cherry picked from commit 4943e2f425738025e48efc74d323884c4effdf4d) --- boot/zephyr/CMakeLists.txt | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 1a6f86557..acdc3f568 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -35,21 +35,20 @@ if(NOT CONFIG_MBEDTLS_BUILTIN AND NOT CONFIG_BOOT_KEY_IMPORT_BYPASS_ASN) set(MBEDTLS_ASN1_DIR "${MCUBOOT_DIR}/ext/mbedtls-asn1") assert_exists(MBEDTLS_ASN1_DIR) endif() -set(NRF_DIR "${MCUBOOT_DIR}/ext/nrf") +set(MCUBOOT_NRF_EXT_DIR "${MCUBOOT_DIR}/ext/nrf") if(CONFIG_BOOT_USE_NRF_CC310_BL) -set(NRFXLIB_DIR ${ZEPHYR_BASE}/../nrfxlib) -if(NOT EXISTS ${NRFXLIB_DIR}) - message(FATAL_ERROR " + if(NOT EXISTS ${ZEPHYR_NRFXLIB_MODULE_DIR}) + message(FATAL_ERROR " ------------------------------------------------------------------------ - No such file or directory: ${NRFXLIB_DIR} + No such file or directory: ${ZEPHYR_NRFXLIB_MODULE_DIR} The current configuration enables nRF CC310 crypto accelerator hardware with the `CONFIG_BOOT_USE_NRF_CC310_BL` option. Please follow `ext/nrf/README.md` guide to fix your setup or use tinycrypt instead of the HW accelerator. To use the tinycrypt set `CONFIG_BOOT_ECDSA_TINYCRYPT` to y. ------------------------------------------------------------------------") -endif() + endif() endif() zephyr_library_include_directories( @@ -215,8 +214,8 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) ${TINYCRYPT_DIR}/source/utils.c ) elseif(CONFIG_BOOT_USE_NRF_CC310_BL) - zephyr_library_sources(${NRF_DIR}/cc310_glue.c) - zephyr_library_include_directories(${NRF_DIR}) + zephyr_library_sources(${MCUBOOT_NRF_EXT_DIR}/cc310_glue.c) + zephyr_library_include_directories(${MCUBOOT_NRF_EXT_DIR}) zephyr_link_libraries(nrfxlib_crypto) elseif(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO) zephyr_include_directories(${BL_CRYPTO_DIR}/../include) From b2fc324ba916c718f64130bfd40513d4be003cf9 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Thu, 22 Aug 2024 14:17:46 +0100 Subject: [PATCH 222/228] [nrf noup] zephyr: Add support for compressed image updates Adds support for LZMA-compressed firmware updates which also supports encrypted images and supports more than 1 updateable image Signed-off-by: Jamie McCrae Signed-off-by: Dominik Ermel (cherry picked from commit 474a92290901ffb468978574087e98fc89fb3e80) (cherry picked from commit 655eeacf16cfd090bb309ef06f940a943790e671) --- boot/bootutil/src/bootutil_misc.c | 80 +- boot/bootutil/src/image_validate.c | 228 ++- boot/bootutil/src/loader.c | 27 +- boot/zephyr/CMakeLists.txt | 6 + boot/zephyr/Kconfig | 9 +- boot/zephyr/decompression.c | 1410 +++++++++++++++++ .../include/compression/decompression.h | 103 ++ 7 files changed, 1839 insertions(+), 24 deletions(-) create mode 100644 boot/zephyr/decompression.c create mode 100644 boot/zephyr/include/compression/decompression.h diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c index 476489e54..c459059a9 100644 --- a/boot/bootutil/src/bootutil_misc.c +++ b/boot/bootutil/src/bootutil_misc.c @@ -42,6 +42,11 @@ #include "bootutil/enc_key.h" #endif +#if defined(MCUBOOT_DECOMPRESS_IMAGES) +#include +#include +#endif + BOOT_LOG_MODULE_DECLARE(mcuboot); /* Currently only used by imgmgr */ @@ -461,35 +466,76 @@ boot_read_image_size(struct boot_loader_state *state, int slot, uint32_t *size) goto done; } - off = BOOT_TLV_OFF(boot_img_hdr(state, slot)); +#ifdef MCUBOOT_DECOMPRESS_IMAGES + if (MUST_DECOMPRESS(fap, BOOT_CURR_IMG(state), boot_img_hdr(state, slot))) { + uint32_t tmp_size = 0; - if (flash_area_read(fap, off, &info, sizeof(info))) { - rc = BOOT_EFLASH; - goto done; - } + rc = bootutil_get_img_decomp_size(boot_img_hdr(state, slot), fap, &tmp_size); - protect_tlv_size = boot_img_hdr(state, slot)->ih_protect_tlv_size; - if (info.it_magic == IMAGE_TLV_PROT_INFO_MAGIC) { - if (protect_tlv_size != info.it_tlv_tot) { + if (rc) { rc = BOOT_EBADIMAGE; goto done; } - if (flash_area_read(fap, off + info.it_tlv_tot, &info, sizeof(info))) { + off = boot_img_hdr(state, slot)->ih_hdr_size + tmp_size; + + rc = boot_size_protected_tlvs(boot_img_hdr(state, slot), fap, &tmp_size); + + if (rc) { + rc = BOOT_EBADIMAGE; + goto done; + } + + off += tmp_size; + + if (flash_area_read(fap, (BOOT_TLV_OFF(boot_img_hdr(state, slot)) + + boot_img_hdr(state, slot)->ih_protect_tlv_size), &info, + sizeof(info))) { rc = BOOT_EFLASH; goto done; } - } else if (protect_tlv_size != 0) { - rc = BOOT_EBADIMAGE; - goto done; - } - if (info.it_magic != IMAGE_TLV_INFO_MAGIC) { - rc = BOOT_EBADIMAGE; - goto done; + if (info.it_magic != IMAGE_TLV_INFO_MAGIC) { + rc = BOOT_EBADIMAGE; + goto done; + } + + *size = off + info.it_tlv_tot; + } else { +#else + if (1) { +#endif + off = BOOT_TLV_OFF(boot_img_hdr(state, slot)); + + if (flash_area_read(fap, off, &info, sizeof(info))) { + rc = BOOT_EFLASH; + goto done; + } + + protect_tlv_size = boot_img_hdr(state, slot)->ih_protect_tlv_size; + if (info.it_magic == IMAGE_TLV_PROT_INFO_MAGIC) { + if (protect_tlv_size != info.it_tlv_tot) { + rc = BOOT_EBADIMAGE; + goto done; + } + + if (flash_area_read(fap, off + info.it_tlv_tot, &info, sizeof(info))) { + rc = BOOT_EFLASH; + goto done; + } + } else if (protect_tlv_size != 0) { + rc = BOOT_EBADIMAGE; + goto done; + } + + if (info.it_magic != IMAGE_TLV_INFO_MAGIC) { + rc = BOOT_EBADIMAGE; + goto done; + } + + *size = off + protect_tlv_size + info.it_tlv_tot; } - *size = off + protect_tlv_size + info.it_tlv_tot; rc = 0; done: diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index 61cbf4de0..40f0aa857 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -42,6 +42,15 @@ #include "mcuboot_config/mcuboot_config.h" +#if defined(MCUBOOT_DECOMPRESS_IMAGES) +#include +#include +#endif + +#include "bootutil/bootutil_log.h" + +BOOT_LOG_MODULE_DECLARE(mcuboot); + #ifdef MCUBOOT_ENC_IMAGES #include "bootutil/enc_key.h" #endif @@ -484,7 +493,7 @@ bootutil_img_validate(struct boot_loader_state *state, #endif ) { -#if (defined(EXPECTED_KEY_TLV) && defined(MCUBOOT_HW_KEY)) || defined(MCUBOOT_HW_ROLLBACK_PROT) +#if (defined(EXPECTED_KEY_TLV) && defined(MCUBOOT_HW_KEY)) || defined(MCUBOOT_HW_ROLLBACK_PROT) || defined(MCUBOOT_DECOMPRESS_IMAGES) int image_index = (state == NULL ? 0 : BOOT_CURR_IMG(state)); #endif uint32_t off; @@ -518,6 +527,68 @@ bootutil_img_validate(struct boot_loader_state *state, FIH_DECLARE(security_counter_valid, FIH_FAILURE); #endif +#ifdef MCUBOOT_DECOMPRESS_IMAGES + /* If the image is compressed, the integrity of the image must also be validated */ + if (MUST_DECOMPRESS(fap, image_index, hdr)) { + bool found_decompressed_size = false; + bool found_decompressed_sha = false; + bool found_decompressed_signature = false; + + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, true); + if (rc) { + goto out; + } + + if (it.tlv_end > bootutil_max_image_size(state, fap)) { + rc = -1; + goto out; + } + + while (true) { + uint16_t expected_size = 0; + bool *found_flag = NULL; + + rc = bootutil_tlv_iter_next(&it, &off, &len, &type); + if (rc < 0) { + goto out; + } else if (rc > 0) { + break; + } + + switch (type) { + case IMAGE_TLV_DECOMP_SIZE: + expected_size = sizeof(size_t); + found_flag = &found_decompressed_size; + break; + case IMAGE_TLV_DECOMP_SHA: + expected_size = IMAGE_HASH_SIZE; + found_flag = &found_decompressed_sha; + break; + case IMAGE_TLV_DECOMP_SIGNATURE: + found_flag = &found_decompressed_signature; + break; + default: + continue; + }; + + if (type == IMAGE_TLV_DECOMP_SIGNATURE && !EXPECTED_SIG_LEN(len)) { + rc = -1; + goto out; + } else if (type != IMAGE_TLV_DECOMP_SIGNATURE && len != expected_size) { + rc = -1; + goto out; + } + + *found_flag = true; + } + + rc = (!found_decompressed_size || !found_decompressed_sha || !found_decompressed_signature); + if (rc) { + goto out; + } + } +#endif + #if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) #if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY) rc = bootutil_img_hash(state, hdr, fap, tmp_buf, tmp_buf_sz, hash, seed, seed_len, @@ -740,6 +811,161 @@ bootutil_img_validate(struct boot_loader_state *state, } #endif +#ifdef MCUBOOT_DECOMPRESS_IMAGES + /* Only after all previous verifications have passed, perform a dry-run of the decompression + * and ensure the image is valid + */ + if (!rc && MUST_DECOMPRESS(fap, image_index, hdr)) { + image_hash_valid = 0; + FIH_SET(valid_signature, FIH_FAILURE); + + rc = bootutil_img_hash_decompress(state, hdr, fap, tmp_buf, tmp_buf_sz, + hash, seed, seed_len); + if (rc) { + goto out; + } + + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_DECOMP_SHA, true); + if (rc) { + goto out; + } + + if (it.tlv_end > bootutil_max_image_size(state, fap)) { + rc = -1; + goto out; + } + + while (true) { + rc = bootutil_tlv_iter_next(&it, &off, &len, &type); + if (rc < 0) { + goto out; + } else if (rc > 0) { + break; + } + + if (type == IMAGE_TLV_DECOMP_SHA) { + /* Verify the image hash. This must always be present. */ + if (len != sizeof(hash)) { + rc = -1; + goto out; + } + rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, sizeof(hash)); + if (rc) { + goto out; + } + + FIH_CALL(boot_fih_memequal, fih_rc, hash, buf, sizeof(hash)); + if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { + FIH_SET(fih_rc, FIH_FAILURE); + goto out; + } + + image_hash_valid = 1; + } + } + + rc = !image_hash_valid; + if (rc) { + goto out; + } + +#ifdef EXPECTED_SIG_TLV +#ifdef EXPECTED_KEY_TLV + rc = bootutil_tlv_iter_begin(&it, hdr, fap, EXPECTED_KEY_TLV, false); + if (rc) { + goto out; + } + + if (it.tlv_end > bootutil_max_image_size(state, fap)) { + rc = -1; + goto out; + } + + while (true) { + rc = bootutil_tlv_iter_next(&it, &off, &len, &type); + if (rc < 0) { + goto out; + } else if (rc > 0) { + break; + } + + if (type == EXPECTED_KEY_TLV) { + /* + * Determine which key we should be checking. + */ + if (len > KEY_BUF_SIZE) { + rc = -1; + goto out; + } +#ifndef MCUBOOT_HW_KEY + rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, len); + if (rc) { + goto out; + } + key_id = bootutil_find_key(buf, len); +#else + rc = LOAD_IMAGE_DATA(hdr, fap, off, key_buf, len); + if (rc) { + goto out; + } + key_id = bootutil_find_key(image_index, key_buf, len); +#endif /* !MCUBOOT_HW_KEY */ + /* + * The key may not be found, which is acceptable. There + * can be multiple signatures, each preceded by a key. + */ + } + } +#endif /* EXPECTED_KEY_TLV */ + + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_DECOMP_SIGNATURE, true); + if (rc) { + goto out; + } + + if (it.tlv_end > bootutil_max_image_size(state, fap)) { + rc = -1; + goto out; + } + + while (true) { + rc = bootutil_tlv_iter_next(&it, &off, &len, &type); + if (rc < 0) { + goto out; + } else if (rc > 0) { + rc = 0; + break; + } + + if (type == IMAGE_TLV_DECOMP_SIGNATURE) { + /* Ignore this signature if it is out of bounds. */ + if (key_id < 0 || key_id >= bootutil_key_cnt) { + key_id = -1; + continue; + } + + if (!EXPECTED_SIG_LEN(len) || len > sizeof(buf)) { + rc = -1; + goto out; + } + rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, len); + if (rc) { + goto out; + } + + FIH_CALL(bootutil_verify_sig, valid_signature, hash, sizeof(hash), + buf, len, key_id); + key_id = -1; + } + } +#endif /* EXPECTED_SIG_TLV */ + } +#endif + +#ifdef EXPECTED_SIG_TLV + FIH_SET(fih_rc, valid_signature); +#endif + out: if (rc) { FIH_SET(fih_rc, FIH_FAILURE); diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c index 12674359e..ddfe3793b 100644 --- a/boot/bootutil/src/loader.c +++ b/boot/bootutil/src/loader.c @@ -49,6 +49,11 @@ #include "bootutil/boot_hooks.h" #include "bootutil/mcuboot_status.h" +#if defined(MCUBOOT_DECOMPRESS_IMAGES) +#include +#include +#endif + #ifdef __ZEPHYR__ #include #endif @@ -951,10 +956,10 @@ boot_is_header_valid(const struct image_header *hdr, const struct flash_area *fa return false; } #else - if ((hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA1) && - (hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA2)) - { - return false; + if (MUST_DECOMPRESS(fap, BOOT_CURR_IMG(state), hdr)) { + if (!boot_is_compressed_header_valid(hdr, fap, state)) { + return false; + } } #endif @@ -1199,6 +1204,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot, * attempts to validate and boot it. */ } + #if !defined(__BOOTSIM__) BOOT_LOG_ERR("Image in the %s slot is not valid!", (slot == BOOT_PRIMARY_SLOT) ? "primary" : "secondary"); @@ -1676,6 +1682,9 @@ boot_copy_region(struct boot_loader_state *state, #else (void)state; #endif +#if defined(MCUBOOT_DECOMPRESS_IMAGES) && !defined(MCUBOOT_ENC_IMAGES) + struct image_header *hdr; +#endif TARGET_STATIC uint8_t buf[BUF_SZ] __attribute__((aligned(4))); @@ -1701,6 +1710,16 @@ boot_copy_region(struct boot_loader_state *state, } #endif +#ifdef MCUBOOT_DECOMPRESS_IMAGES + hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); + + if (MUST_DECOMPRESS(fap_src, BOOT_CURR_IMG(state), hdr)) { + /* Use alternative function for compressed images */ + return boot_copy_region_decompress(state, fap_src, fap_dst, off_src, off_dst, sz, buf, + BUF_SZ); + } +#endif + bytes_copied = 0; while (bytes_copied < sz) { if (sz - bytes_copied > sizeof buf) { diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index acdc3f568..b7876bc9a 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -312,6 +312,12 @@ if(CONFIG_BOOT_ENCRYPT_EC256) ) endif() +if(CONFIG_BOOT_DECOMPRESSION) + zephyr_library_sources( + decompression.c + ) +endif() + if(CONFIG_MCUBOOT_SERIAL) zephyr_sources(${BOOT_DIR}/zephyr/serial_adapter.c) zephyr_sources(${BOOT_DIR}/boot_serial/src/boot_serial.c) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 9535d4b5a..967a57f6f 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -1010,6 +1010,9 @@ config BOOT_BANNER_STRING config BOOT_DECOMPRESSION_SUPPORT bool + depends on NRF_COMPRESS && NRF_COMPRESS_DECOMPRESSION && (NRF_COMPRESS_LZMA_VERSION_LZMA1 || NRF_COMPRESS_LZMA_VERSION_LZMA2) + depends on !SINGLE_APPLICATION_SLOT && BOOT_UPGRADE_ONLY + default y help Hidden symbol which should be selected if a system provided decompression support. @@ -1017,6 +1020,8 @@ if BOOT_DECOMPRESSION_SUPPORT menuconfig BOOT_DECOMPRESSION bool "Decompression" + select NRF_COMPRESS_CLEANUP + select PM_USE_CONFIG_SRAM_SIZE if SOC_NRF54L15_CPUAPP help If enabled, will include support for compressed images being loaded to the secondary slot which then get decompressed into the primary slot. This mode allows the secondary slot to @@ -1025,9 +1030,9 @@ menuconfig BOOT_DECOMPRESSION if BOOT_DECOMPRESSION config BOOT_DECOMPRESSION_BUFFER_SIZE - int "Write buffer size" + int range 16 16384 - default 4096 + default NRF_COMPRESS_CHUNK_SIZE help The size of a secondary buffer used for writing decompressed data to the storage device. diff --git a/boot/zephyr/decompression.c b/boot/zephyr/decompression.c new file mode 100644 index 000000000..f49898d55 --- /dev/null +++ b/boot/zephyr/decompression.c @@ -0,0 +1,1410 @@ +/* + * Copyright (c) 2024 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#include +#include "compression/decompression.h" +#include "bootutil/crypto/sha.h" +#include "bootutil/bootutil_log.h" + +#if !defined(__BOOTSIM__) +#define TARGET_STATIC static +#else +#define TARGET_STATIC +#endif + +#if defined(MCUBOOT_SIGN_RSA) +#if MCUBOOT_SIGN_RSA_LEN == 2048 +#define EXPECTED_SIG_TLV IMAGE_TLV_RSA2048_PSS +#elif MCUBOOT_SIGN_RSA_LEN == 3072 +#define EXPECTED_SIG_TLV IMAGE_TLV_RSA3072_PSS +#endif +#elif defined(MCUBOOT_SIGN_EC256) || \ + defined(MCUBOOT_SIGN_EC384) || \ + defined(MCUBOOT_SIGN_EC) +#define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA_SIG +#elif defined(MCUBOOT_SIGN_ED25519) +#define EXPECTED_SIG_TLV IMAGE_TLV_ED25519 +#endif + +#define DECOMP_BUF_SIZE CONFIG_BOOT_DECOMPRESSION_BUFFER_SIZE +#if defined(CONFIG_NRF_COMPRESS_ARM_THUMB) +#define DECOMP_BUF_EXTRA_SIZE 2 +#else +#define DECOMP_BUF_EXTRA_SIZE 0 +#endif +#define DECOMP_BUF_ALLOC_SIZE (DECOMP_BUF_SIZE + DECOMP_BUF_EXTRA_SIZE) + +/* Number of times that consumed data by decompression system can be 0 in a row before aborting */ +#define OFFSET_ZERO_CHECK_TIMES 3 + +BOOT_LOG_MODULE_DECLARE(mcuboot); + +static int boot_sha_protected_tlvs(const struct image_header *hdr, + const struct flash_area *fap_src, uint32_t protected_size, + uint8_t *buf, size_t buf_size, bootutil_sha_context *sha_ctx); + +bool boot_is_compressed_header_valid(const struct image_header *hdr, const struct flash_area *fap, + struct boot_loader_state *state) +{ + /* Image is compressed in secondary slot, need to check if fits into the primary slot */ + bool opened_flash_area = false; + int primary_fa_id; + int rc; + int size_check; + int size; + uint32_t protected_tlvs_size; + uint32_t decompressed_size; + + primary_fa_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT); + + if (primary_fa_id == fap->fa_id) { + BOOT_LOG_ERR("Primary slots cannot be compressed, image: %d", BOOT_CURR_IMG(state)); + return false; + } + + if (BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT) == NULL) { + opened_flash_area = true; + } + + rc = flash_area_open(primary_fa_id, &BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)); + assert(rc == 0); + + size_check = flash_area_get_size(BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)); + + if (opened_flash_area) { + (void)flash_area_close(BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)); + } + + rc = bootutil_get_img_decomp_size(hdr, fap, &decompressed_size); + + if (rc) { + return false; + } + + if (!boot_u32_safe_add(&size, decompressed_size, hdr->ih_hdr_size)) { + return false; + } + + rc = boot_size_protected_tlvs(hdr, fap, &protected_tlvs_size); + + if (rc) { + return false; + } + + if (!boot_u32_safe_add(&size, size, protected_tlvs_size)) { + return false; + } + + if (size >= size_check) { + BOOT_LOG_ERR("Compressed image too large, decompressed image size: 0x%x, slot size: 0x%x", + size, size_check); + return false; + } + + return true; +} + +static bool is_compression_object_valid(struct nrf_compress_implementation *compression) +{ + if (compression == NULL || compression->init == NULL || compression->deinit == NULL || + compression->decompress_bytes_needed == NULL || compression->decompress == NULL) { + return false; + } + + return true; +} + +#ifdef MCUBOOT_ENC_IMAGES +int bootutil_get_img_decrypted_comp_size(const struct image_header *hdr, + const struct flash_area *fap, uint32_t *img_comp_size) +{ + if (hdr == NULL || fap == NULL || img_comp_size == NULL) { + return BOOT_EBADARGS; + } else if (hdr->ih_protect_tlv_size == 0) { + return BOOT_EBADIMAGE; + } + + if (!IS_ENCRYPTED(hdr)) { + /* Update is not encrypted so use size from header */ + *img_comp_size = hdr->ih_img_size; + } else { + struct image_tlv_iter it; + uint32_t off; + uint16_t len; + int32_t rc; + + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_COMP_DEC_SIZE, true); + + if (rc) { + return rc; + } + + rc = bootutil_tlv_iter_next(&it, &off, &len, NULL); + + if (rc != 0) { + return -1; + } + + if (len != sizeof(*img_comp_size)) { + BOOT_LOG_ERR("Invalid decompressed image size TLV: %d", len); + return BOOT_EBADIMAGE; + } + + rc = LOAD_IMAGE_DATA(hdr, fap, off, img_comp_size, len); + + if (rc) { + BOOT_LOG_ERR("Image data load failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + off, len, fap->fa_id, rc); + return BOOT_EFLASH; + } + } + + return 0; +} +#endif + +int bootutil_img_hash_decompress(struct boot_loader_state *state, struct image_header *hdr, + const struct flash_area *fap, uint8_t *tmp_buf, + uint32_t tmp_buf_sz, uint8_t *hash_result, + uint8_t *seed, int seed_len) +{ + int rc; + uint32_t read_pos = 0; + uint32_t write_pos = 0; + uint32_t protected_tlv_size = 0; + uint32_t decompressed_image_size; + uint32_t output_size_total = 0; + struct nrf_compress_implementation *compression_lzma = NULL; + struct nrf_compress_implementation *compression_arm_thumb = NULL; + TARGET_STATIC struct image_header modified_hdr; + bootutil_sha_context sha_ctx; + uint8_t flash_erased_value; + +#ifdef MCUBOOT_ENC_IMAGES + struct enc_key_data *enc_state; + int image_index; + uint32_t comp_size = 0; + + rc = bootutil_get_img_decrypted_comp_size(hdr, fap, &comp_size); + + if (rc) { + BOOT_LOG_ERR("Invalid/missing image decrypted compressed size value"); + rc = BOOT_EBADIMAGE; + goto finish_end; + } + + if (state == NULL) { + enc_state = NULL; + image_index = 0; + } else { + enc_state = BOOT_CURR_ENC(state); + image_index = BOOT_CURR_IMG(state); + } + + /* Encrypted images only exist in the secondary slot */ + if (MUST_DECRYPT(fap, image_index, hdr) && + !boot_enc_valid(enc_state, 1)) { + return -1; + } +#endif + + bootutil_sha_init(&sha_ctx); + + /* Setup decompression system */ +#if CONFIG_NRF_COMPRESS_LZMA_VERSION_LZMA1 + if (!(hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA1)) { +#elif CONFIG_NRF_COMPRESS_LZMA_VERSION_LZMA2 + if (!(hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA2)) { +#endif + /* Compressed image does not use the correct compression type which is supported by this + * build + */ + BOOT_LOG_ERR("Invalid image compression flags: no supported compression found"); + rc = BOOT_EBADIMAGE; + goto finish_without_clean; + } + + compression_lzma = nrf_compress_implementation_find(NRF_COMPRESS_TYPE_LZMA); + compression_arm_thumb = nrf_compress_implementation_find(NRF_COMPRESS_TYPE_ARM_THUMB); + + if (!is_compression_object_valid(compression_lzma) || + !is_compression_object_valid(compression_arm_thumb)) { + /* Compression library missing or missing required function pointer */ + BOOT_LOG_ERR("Decompression library fatal error"); + rc = BOOT_EBADSTATUS; + goto finish_without_clean; + } + + rc = compression_lzma->init(NULL); + rc = compression_arm_thumb->init(NULL); + + if (rc) { + BOOT_LOG_ERR("Decompression library fatal error"); + rc = BOOT_EBADSTATUS; + goto finish_without_clean; + } + + /* We need a modified header which has the updated sizes, start with the original header */ + memcpy(&modified_hdr, hdr, sizeof(modified_hdr)); + + /* Extract the decompressed image size from the protected TLV, set it and remove the + * compressed image flags + */ + rc = bootutil_get_img_decomp_size(hdr, fap, &decompressed_image_size); + + if (rc) { + BOOT_LOG_ERR("Unable to determine decompressed size of compressed image"); + rc = BOOT_EBADIMAGE; + goto finish; + } + + modified_hdr.ih_flags &= ~COMPRESSIONFLAGS; + modified_hdr.ih_img_size = decompressed_image_size; + + /* Calculate the protected TLV size, these will not include the decompressed + * sha/size/signature entries + */ + rc = boot_size_protected_tlvs(hdr, fap, &protected_tlv_size); + + if (rc) { + BOOT_LOG_ERR("Unable to determine protected TLV size of compressed image"); + rc = BOOT_EBADIMAGE; + goto finish; + } + + modified_hdr.ih_protect_tlv_size = protected_tlv_size; + bootutil_sha_update(&sha_ctx, &modified_hdr, sizeof(modified_hdr)); + read_pos = sizeof(modified_hdr); + flash_erased_value = flash_area_erased_val(fap); + memset(tmp_buf, flash_erased_value, tmp_buf_sz); + + while (read_pos < modified_hdr.ih_hdr_size) { + uint32_t copy_size = tmp_buf_sz; + + if ((read_pos + copy_size) > modified_hdr.ih_hdr_size) { + copy_size = modified_hdr.ih_hdr_size - read_pos; + } + + bootutil_sha_update(&sha_ctx, tmp_buf, copy_size); + read_pos += copy_size; + } + + /* Read in compressed data, decompress and add to hash calculation */ + read_pos = 0; + +#ifdef MCUBOOT_ENC_IMAGES + while (read_pos < comp_size) { + uint32_t copy_size = comp_size - read_pos; +#else + while (read_pos < hdr->ih_img_size) { + uint32_t copy_size = hdr->ih_img_size - read_pos; +#endif + uint32_t tmp_off = 0; + uint8_t offset_zero_check = 0; + + if (copy_size > tmp_buf_sz) { + copy_size = tmp_buf_sz; + } + + rc = flash_area_read(fap, (hdr->ih_hdr_size + read_pos), tmp_buf, copy_size); + + if (rc != 0) { + BOOT_LOG_ERR("Flash read failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + (hdr->ih_hdr_size + read_pos), copy_size, fap->fa_id, rc); + rc = BOOT_EFLASH; + goto finish; + } + +#ifdef MCUBOOT_ENC_IMAGES + if (MUST_DECRYPT(fap, image_index, hdr)) { + boot_enc_decrypt(enc_state, 1, read_pos, + copy_size, (read_pos & 0xf), + tmp_buf); + } +#endif + + /* Decompress data in chunks, writing it back with a larger write offset of the primary + * slot than read size of the secondary slot + */ + while (tmp_off < copy_size) { + uint32_t offset = 0; + uint8_t *output = NULL; + uint32_t output_size = 0; + uint32_t chunk_size; + bool last_packet = false; + + chunk_size = compression_lzma->decompress_bytes_needed(NULL); + + if (chunk_size > (copy_size - tmp_off)) { + chunk_size = (copy_size - tmp_off); + } + +#ifdef MCUBOOT_ENC_IMAGES + if ((read_pos + tmp_off + chunk_size) >= comp_size) { +#else + if ((read_pos + tmp_off + chunk_size) >= hdr->ih_img_size) { +#endif + last_packet = true; + } + + rc = compression_lzma->decompress(NULL, &tmp_buf[tmp_off], chunk_size, last_packet, + &offset, &output, &output_size); + + if (rc) { + BOOT_LOG_ERR("Decompression error: %d", rc); + rc = BOOT_EBADSTATUS; + goto finish; + } + + write_pos += output_size; + + if (write_pos > decompressed_image_size) { + BOOT_LOG_ERR("Decompressed image larger than claimed TLV size, at least: %d", + write_pos); + rc = BOOT_EBADIMAGE; + goto finish; + } + + /* Additional dry-run validity checks */ + if (last_packet == true && write_pos == 0) { + /* Last packet and we still have no output, this is a faulty update */ + BOOT_LOG_ERR("All compressed data consumed without any output, image not valid"); + rc = BOOT_EBADIMAGE; + goto finish; + } + + if (offset == 0) { + /* If the decompression system continually consumes 0 bytes, then there is a + * problem with this update image, abort and mark image as bad + */ + if (offset_zero_check >= OFFSET_ZERO_CHECK_TIMES) { + BOOT_LOG_ERR("Decompression system returning no output data, image not valid"); + rc = BOOT_EBADIMAGE; + goto finish; + } + + ++offset_zero_check; + + break; + } else { + offset_zero_check = 0; + } + + /* Copy data to secondary buffer for calculating hash */ + if (output_size > 0) { + if (hdr->ih_flags & IMAGE_F_COMPRESSED_ARM_THUMB_FLT) { + /* Run this through the ARM thumb filter */ + uint32_t offset_arm_thumb = 0; + uint8_t *output_arm_thumb = NULL; + uint32_t processed_size = 0; + uint32_t output_size_arm_thumb = 0; + + while (processed_size < output_size) { + uint32_t current_size = output_size - processed_size; + bool arm_thumb_last_packet = false; + + if (current_size > CONFIG_NRF_COMPRESS_CHUNK_SIZE) { + current_size = CONFIG_NRF_COMPRESS_CHUNK_SIZE; + } + + if (last_packet && (processed_size + current_size) == + output_size) { + arm_thumb_last_packet = true; + } + + rc = compression_arm_thumb->decompress(NULL, &output[processed_size], + current_size, arm_thumb_last_packet, + &offset_arm_thumb, + &output_arm_thumb, + &output_size_arm_thumb); + + if (rc) { + BOOT_LOG_ERR("Decompression error: %d", rc); + rc = BOOT_EBADSTATUS; + goto finish; + } + + bootutil_sha_update(&sha_ctx, output_arm_thumb, output_size_arm_thumb); + output_size_total += output_size_arm_thumb; + processed_size += current_size; + } + } else { + bootutil_sha_update(&sha_ctx, output, output_size); + output_size_total += output_size; + } + } + + tmp_off += offset; + } + + read_pos += copy_size; + } + + if (modified_hdr.ih_img_size != output_size_total) { + BOOT_LOG_ERR("Decompression expected output_size mismatch: %d vs %d", + modified_hdr.ih_img_size, output_size_total); + rc = BOOT_EBADSTATUS; + goto finish; + } + + /* If there are any protected TLVs present, add them after the main decompressed image */ + if (modified_hdr.ih_protect_tlv_size > 0) { + rc = boot_sha_protected_tlvs(hdr, fap, modified_hdr.ih_protect_tlv_size, tmp_buf, + tmp_buf_sz, &sha_ctx); + } + + bootutil_sha_finish(&sha_ctx, hash_result); + +finish: + /* Clean up decompression system */ + (void)compression_lzma->deinit(NULL); + (void)compression_arm_thumb->deinit(NULL); + +finish_without_clean: + bootutil_sha_drop(&sha_ctx); + +#ifdef MCUBOOT_ENC_IMAGES +finish_end: +#endif + return rc; +} + +static int boot_copy_protected_tlvs(const struct image_header *hdr, + const struct flash_area *fap_src, + const struct flash_area *fap_dst, uint32_t off_dst, + uint32_t protected_size, uint8_t *buf, size_t buf_size, + uint16_t *buf_pos, uint32_t *written) +{ + int rc; + uint32_t off; + uint32_t write_pos = 0; + uint16_t len; + uint16_t type; + struct image_tlv_iter it; + struct image_tlv tlv_header; + struct image_tlv_info tlv_info_header = { + .it_magic = IMAGE_TLV_PROT_INFO_MAGIC, + .it_tlv_tot = protected_size, + }; + uint16_t info_size_left = sizeof(tlv_info_header); + + while (info_size_left > 0) { + uint16_t copy_size = buf_size - *buf_pos; + + if (info_size_left > 0 && copy_size > 0) { + uint16_t single_copy_size = copy_size; + uint8_t *tlv_info_header_address = (uint8_t *)&tlv_info_header; + + if (single_copy_size > info_size_left) { + single_copy_size = info_size_left; + } + + memcpy(&buf[*buf_pos], &tlv_info_header_address[sizeof(tlv_info_header) - + info_size_left], single_copy_size); + *buf_pos += single_copy_size; + info_size_left -= single_copy_size; + } + + if (*buf_pos == buf_size) { + rc = flash_area_write(fap_dst, (off_dst + write_pos), buf, *buf_pos); + + if (rc != 0) { + BOOT_LOG_ERR("Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + (off_dst + write_pos), *buf_pos, fap_dst->fa_id, rc); + rc = BOOT_EFLASH; + goto out; + } + + write_pos += *buf_pos; + *buf_pos = 0; + } + } + + rc = bootutil_tlv_iter_begin(&it, hdr, fap_src, IMAGE_TLV_ANY, true); + + if (rc) { + goto out; + } + + while (true) { + rc = bootutil_tlv_iter_next(&it, &off, &len, &type); + + if (rc < 0) { + goto out; + } else if (rc > 0) { + rc = 0; + break; + } + + if (type == IMAGE_TLV_DECOMP_SIZE || type == IMAGE_TLV_DECOMP_SHA || + type == IMAGE_TLV_DECOMP_SIGNATURE || type == IMAGE_TLV_COMP_DEC_SIZE) { + /* Skip these TLVs as they are not needed */ + continue; + } else { + uint16_t header_size_left = sizeof(tlv_header); + uint16_t data_size_left = len; + + tlv_header.it_type = type; + tlv_header.it_len = len; + + while (header_size_left > 0 || data_size_left > 0) { + uint16_t copy_size = buf_size - *buf_pos; + uint8_t *tlv_header_address = (uint8_t *)&tlv_header; + + if (header_size_left > 0 && copy_size > 0) { + uint16_t single_copy_size = copy_size; + + if (single_copy_size > header_size_left) { + single_copy_size = header_size_left; + } + + memcpy(&buf[*buf_pos], &tlv_header_address[sizeof(tlv_header) - + header_size_left], + single_copy_size); + *buf_pos += single_copy_size; + copy_size -= single_copy_size; + header_size_left -= single_copy_size; + } + + if (data_size_left > 0 && copy_size > 0) { + uint16_t single_copy_size = copy_size; + + if (single_copy_size > data_size_left) { + single_copy_size = data_size_left; + } + + rc = LOAD_IMAGE_DATA(hdr, fap_src, (off + (len - data_size_left)), + &buf[*buf_pos], single_copy_size); + + if (rc) { + BOOT_LOG_ERR( + "Image data load failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + (off + (len - data_size_left)), single_copy_size, fap_src->fa_id, rc); + goto out; + } + + *buf_pos += single_copy_size; + data_size_left -= single_copy_size; + } + + if (*buf_pos == buf_size) { + rc = flash_area_write(fap_dst, (off_dst + write_pos), buf, *buf_pos); + + if (rc != 0) { + BOOT_LOG_ERR( + "Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + (off_dst + write_pos), *buf_pos, fap_dst->fa_id, rc); + rc = BOOT_EFLASH; + goto out; + } + + write_pos += *buf_pos; + *buf_pos = 0; + } + } + } + } + + *written = write_pos; + +out: + return rc; +} + +static int boot_sha_protected_tlvs(const struct image_header *hdr, + const struct flash_area *fap_src, uint32_t protected_size, + uint8_t *buf, size_t buf_size, bootutil_sha_context *sha_ctx) +{ + int rc; + uint32_t off; + uint16_t len; + uint16_t type; + struct image_tlv_iter it; + struct image_tlv tlv_header; + struct image_tlv_info tlv_info_header = { + .it_magic = IMAGE_TLV_PROT_INFO_MAGIC, + .it_tlv_tot = protected_size, + }; + + bootutil_sha_update(sha_ctx, &tlv_info_header, sizeof(tlv_info_header)); + + rc = bootutil_tlv_iter_begin(&it, hdr, fap_src, IMAGE_TLV_ANY, true); + if (rc) { + goto out; + } + + while (true) { + uint32_t read_off = 0; + + rc = bootutil_tlv_iter_next(&it, &off, &len, &type); + + if (rc < 0) { + goto out; + } else if (rc > 0) { + rc = 0; + break; + } + + if (type == IMAGE_TLV_DECOMP_SIZE || type == IMAGE_TLV_DECOMP_SHA || + type == IMAGE_TLV_DECOMP_SIGNATURE || type == IMAGE_TLV_COMP_DEC_SIZE) { + /* Skip these TLVs as they are not needed */ + continue; + } + + tlv_header.it_type = type; + tlv_header.it_len = len; + + bootutil_sha_update(sha_ctx, &tlv_header, sizeof(tlv_header)); + + while (read_off < len) { + uint32_t copy_size = buf_size; + + if (copy_size > (len - read_off)) { + copy_size = len - read_off; + } + + rc = LOAD_IMAGE_DATA(hdr, fap_src, (off + read_off), buf, copy_size); + + if (rc) { + BOOT_LOG_ERR( + "Image data load failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + (off + read_off), copy_size, fap_src->fa_id, rc); + goto out; + } + + bootutil_sha_update(sha_ctx, buf, copy_size); + read_off += copy_size; + } + } + +out: + return rc; +} + +int boot_size_protected_tlvs(const struct image_header *hdr, const struct flash_area *fap, + uint32_t *sz) +{ + int rc = 0; + uint32_t tlv_size; + uint32_t off; + uint16_t len; + uint16_t type; + struct image_tlv_iter it; + + *sz = 0; + tlv_size = hdr->ih_protect_tlv_size; + + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, true); + + if (rc) { + goto out; + } + + while (true) { + rc = bootutil_tlv_iter_next(&it, &off, &len, &type); + + if (rc < 0) { + goto out; + } else if (rc > 0) { + rc = 0; + break; + } + + if (type == IMAGE_TLV_DECOMP_SIZE || type == IMAGE_TLV_DECOMP_SHA || + type == IMAGE_TLV_DECOMP_SIGNATURE || type == IMAGE_TLV_COMP_DEC_SIZE) { + /* Exclude these TLVs as they will be copied to the unprotected area */ + tlv_size -= len + sizeof(struct image_tlv); + } + } + + if (!rc) { + if (tlv_size == sizeof(struct image_tlv_info)) { + /* If there are no entries then omit protected TLV section entirely */ + tlv_size = 0; + } + + *sz = tlv_size; + } + +out: + return rc; +} + +int boot_size_unprotected_tlvs(const struct image_header *hdr, const struct flash_area *fap, + uint32_t *sz) +{ + int rc = 0; + uint32_t tlv_size; + uint32_t off; + uint16_t len; + uint16_t type; + struct image_tlv_iter it; + + *sz = 0; + tlv_size = sizeof(struct image_tlv_info); + + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false); + + if (rc) { + goto out; + } + + while (true) { + rc = bootutil_tlv_iter_next(&it, &off, &len, &type); + + if (rc < 0) { + goto out; + } else if (rc > 0) { + rc = 0; + break; + } else if (bootutil_tlv_iter_is_prot(&it, off) && type != IMAGE_TLV_DECOMP_SHA && + type != IMAGE_TLV_DECOMP_SIGNATURE) { + /* Include size of protected hash and signature as these will be replacing the + * original ones + */ + continue; + } else if (type == EXPECTED_HASH_TLV || type == EXPECTED_SIG_TLV || type == IMAGE_TLV_COMP_DEC_SIZE) { + /* Exclude the original unprotected TLVs for signature and hash, the length of the + * signature of the compressed data might not be the same size as the signaute of the + * decompressed data, as is the case when using ECDSA-P256 + */ + continue; + } + + tlv_size += len + sizeof(struct image_tlv); + } + + if (!rc) { + if (tlv_size == sizeof(struct image_tlv_info)) { + /* If there are no entries in the unprotected TLV section then there is something wrong + * with this image + */ + BOOT_LOG_ERR("No unprotected TLVs in post-decompressed image output, image is invalid"); + rc = BOOT_EBADIMAGE; + goto out; + } + + *sz = tlv_size; + } + +out: + return rc; +} + +static int boot_copy_unprotected_tlvs(const struct image_header *hdr, + const struct flash_area *fap_src, + const struct flash_area *fap_dst, uint32_t off_dst, + uint32_t unprotected_size, uint8_t *buf, size_t buf_size, + uint16_t *buf_pos, uint32_t *written) +{ + int rc; + uint32_t write_pos = 0; + uint32_t off; + uint16_t len; + uint16_t type; + struct image_tlv_iter it; + struct image_tlv_iter it_protected; + struct image_tlv tlv_header; + struct image_tlv_info tlv_info_header = { + .it_magic = IMAGE_TLV_INFO_MAGIC, + .it_tlv_tot = unprotected_size, + }; + uint16_t info_size_left = sizeof(tlv_info_header); + + while (info_size_left > 0) { + uint16_t copy_size = buf_size - *buf_pos; + + if (info_size_left > 0 && copy_size > 0) { + uint16_t single_copy_size = copy_size; + uint8_t *tlv_info_header_address = (uint8_t *)&tlv_info_header; + + if (single_copy_size > info_size_left) { + single_copy_size = info_size_left; + } + + memcpy(&buf[*buf_pos], &tlv_info_header_address[sizeof(tlv_info_header) - + info_size_left], single_copy_size); + *buf_pos += single_copy_size; + info_size_left -= single_copy_size; + } + + if (*buf_pos == buf_size) { + rc = flash_area_write(fap_dst, (off_dst + write_pos), buf, *buf_pos); + + if (rc != 0) { + BOOT_LOG_ERR("Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + (off_dst + write_pos), *buf_pos, fap_dst->fa_id, rc); + rc = BOOT_EFLASH; + goto out; + } + + write_pos += *buf_pos; + *buf_pos = 0; + } + } + + rc = bootutil_tlv_iter_begin(&it, hdr, fap_src, IMAGE_TLV_ANY, false); + if (rc) { + goto out; + } + + while (true) { + uint16_t header_size_left = sizeof(tlv_header); + uint16_t data_size_left; + + rc = bootutil_tlv_iter_next(&it, &off, &len, &type); + if (rc < 0) { + goto out; + } else if (rc > 0) { + rc = 0; + break; + } else if (bootutil_tlv_iter_is_prot(&it, off)) { + /* Skip protected TLVs */ + continue; + } + + /* Change the values of these fields from having the data in the compressed image + * unprotected TLV (which is valid only for the compressed image data) to having the + * fields in the protected TLV section (which is valid for the decompressed image data). + * The compressed data is no longer needed + */ + if (type == EXPECTED_HASH_TLV || type == EXPECTED_SIG_TLV) { + rc = bootutil_tlv_iter_begin(&it_protected, hdr, fap_src, (type == EXPECTED_HASH_TLV ? + IMAGE_TLV_DECOMP_SHA : + IMAGE_TLV_DECOMP_SIGNATURE), + true); + + if (rc) { + goto out; + } + + while (true) { + rc = bootutil_tlv_iter_next(&it_protected, &off, &len, &type); + if (rc < 0) { + goto out; + } else if (rc > 0) { + rc = 0; + break; + } + } + + if (type == IMAGE_TLV_DECOMP_SHA) { + type = EXPECTED_HASH_TLV; + } else { + type = EXPECTED_SIG_TLV; + } + } + + data_size_left = len; + tlv_header.it_type = type; + tlv_header.it_len = len; + + while (header_size_left > 0 || data_size_left > 0) { + uint16_t copy_size = buf_size - *buf_pos; + + if (header_size_left > 0 && copy_size > 0) { + uint16_t single_copy_size = copy_size; + uint8_t *tlv_header_address = (uint8_t *)&tlv_header; + + if (single_copy_size > header_size_left) { + single_copy_size = header_size_left; + } + + memcpy(&buf[*buf_pos], &tlv_header_address[sizeof(tlv_header) - header_size_left], + single_copy_size); + *buf_pos += single_copy_size; + copy_size -= single_copy_size; + header_size_left -= single_copy_size; + } + + if (data_size_left > 0 && copy_size > 0) { + uint16_t single_copy_size = copy_size; + + if (single_copy_size > data_size_left) { + single_copy_size = data_size_left; + } + + rc = LOAD_IMAGE_DATA(hdr, fap_src, (off + len - data_size_left), + &buf[*buf_pos], single_copy_size); + + if (rc) { + BOOT_LOG_ERR( + "Image data load failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + (off + (len - data_size_left)), single_copy_size, fap_src->fa_id, rc); + goto out; + } + + *buf_pos += single_copy_size; + data_size_left -= single_copy_size; + } + + if (*buf_pos == buf_size) { + rc = flash_area_write(fap_dst, (off_dst + write_pos), buf, *buf_pos); + + if (rc != 0) { + BOOT_LOG_ERR( + "Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + (off_dst + write_pos), *buf_pos, fap_dst->fa_id, rc); + rc = BOOT_EFLASH; + goto out; + } + + write_pos += *buf_pos; + *buf_pos = 0; + } + } + } + + *written = write_pos; + +out: + return rc; +} + +int boot_copy_region_decompress(struct boot_loader_state *state, const struct flash_area *fap_src, + const struct flash_area *fap_dst, uint32_t off_src, + uint32_t off_dst, uint32_t sz, uint8_t *buf, size_t buf_size) +{ + int rc; + uint32_t pos = 0; + uint16_t decomp_buf_size = 0; + uint16_t write_alignment; + uint32_t write_pos = 0; + uint32_t protected_tlv_size = 0; + uint32_t unprotected_tlv_size = 0; + uint32_t tlv_write_size = 0; + uint32_t decompressed_image_size; + struct nrf_compress_implementation *compression_lzma = NULL; + struct nrf_compress_implementation *compression_arm_thumb = NULL; + struct image_header *hdr; + TARGET_STATIC uint8_t decomp_buf[DECOMP_BUF_ALLOC_SIZE] __attribute__((aligned(4))); + TARGET_STATIC struct image_header modified_hdr; + +#if defined(CONFIG_NRF_COMPRESS_ARM_THUMB) + uint8_t excess_data_buffer[DECOMP_BUF_EXTRA_SIZE]; + bool excess_data_buffer_full = false; +#endif + +#ifdef MCUBOOT_ENC_IMAGES + uint32_t comp_size = 0; +#endif + + hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); + +#ifdef MCUBOOT_ENC_IMAGES + rc = bootutil_get_img_decrypted_comp_size(hdr, fap_src, &comp_size); + + if (rc) { + BOOT_LOG_ERR("Invalid/missing image decrypted compressed size value"); + rc = BOOT_EBADIMAGE; + goto finish; + } +#endif + + /* Setup decompression system */ +#if CONFIG_NRF_COMPRESS_LZMA_VERSION_LZMA1 + if (!(hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA1)) { +#elif CONFIG_NRF_COMPRESS_LZMA_VERSION_LZMA2 + if (!(hdr->ih_flags & IMAGE_F_COMPRESSED_LZMA2)) { +#endif + /* Compressed image does not use the correct compression type which is supported by this + * build + */ + BOOT_LOG_ERR("Invalid image compression flags: no supported compression found"); + rc = BOOT_EBADIMAGE; + goto finish; + } + + compression_lzma = nrf_compress_implementation_find(NRF_COMPRESS_TYPE_LZMA); + compression_arm_thumb = nrf_compress_implementation_find(NRF_COMPRESS_TYPE_ARM_THUMB); + + if (!is_compression_object_valid(compression_lzma) || + !is_compression_object_valid(compression_arm_thumb)) { + /* Compression library missing or missing required function pointer */ + BOOT_LOG_ERR("Decompression library fatal error"); + rc = BOOT_EBADSTATUS; + goto finish; + } + + rc = compression_lzma->init(NULL); + rc = compression_arm_thumb->init(NULL); + + if (rc) { + BOOT_LOG_ERR("Decompression library fatal error"); + rc = BOOT_EBADSTATUS; + goto finish; + } + + write_alignment = flash_area_align(fap_dst); + + memcpy(&modified_hdr, hdr, sizeof(modified_hdr)); + + rc = bootutil_get_img_decomp_size(hdr, fap_src, &decompressed_image_size); + + if (rc) { + BOOT_LOG_ERR("Unable to determine decompressed size of compressed image"); + rc = BOOT_EBADIMAGE; + goto finish; + } + + modified_hdr.ih_flags &= ~COMPRESSIONFLAGS; + modified_hdr.ih_img_size = decompressed_image_size; + + /* Calculate protected TLV size for target image once items are removed */ + rc = boot_size_protected_tlvs(hdr, fap_src, &protected_tlv_size); + + if (rc) { + BOOT_LOG_ERR("Unable to determine protected TLV size of compressed image"); + rc = BOOT_EBADIMAGE; + goto finish; + } + + modified_hdr.ih_protect_tlv_size = protected_tlv_size; + + rc = boot_size_unprotected_tlvs(hdr, fap_src, &unprotected_tlv_size); + + if (rc) { + BOOT_LOG_ERR("Unable to determine unprotected TLV size of compressed image"); + rc = BOOT_EBADIMAGE; + goto finish; + } + + /* Write out the image header first, this should be a multiple of the write size */ + rc = flash_area_write(fap_dst, off_dst, &modified_hdr, sizeof(modified_hdr)); + + if (rc != 0) { + BOOT_LOG_ERR("Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + off_dst, sizeof(modified_hdr), fap_dst->fa_id, rc); + rc = BOOT_EFLASH; + goto finish; + } + + /* Read in, decompress and write out data */ +#ifdef MCUBOOT_ENC_IMAGES + while (pos < comp_size) { + uint32_t copy_size = comp_size - pos; +#else + while (pos < hdr->ih_img_size) { + uint32_t copy_size = hdr->ih_img_size - pos; +#endif + uint32_t tmp_off = 0; + + if (copy_size > buf_size) { + copy_size = buf_size; + } + + rc = flash_area_read(fap_src, off_src + hdr->ih_hdr_size + pos, buf, copy_size); + + if (rc != 0) { + BOOT_LOG_ERR("Flash read failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + (off_src + hdr->ih_hdr_size + pos), copy_size, fap_src->fa_id, rc); + rc = BOOT_EFLASH; + goto finish; + } + +#ifdef MCUBOOT_ENC_IMAGES + if (IS_ENCRYPTED(hdr)) { + boot_enc_decrypt(BOOT_CURR_ENC(state), 1, pos, copy_size, (pos & 0xf), buf); + } +#endif + + /* Decompress data in chunks, writing it back with a larger write offset of the primary + * slot than read size of the secondary slot + */ + while (tmp_off < copy_size) { + uint32_t offset = 0; + uint32_t output_size = 0; + uint32_t chunk_size; + uint32_t compression_buffer_pos = 0; + uint8_t *output = NULL; + bool last_packet = false; + + chunk_size = compression_lzma->decompress_bytes_needed(NULL); + + if (chunk_size > (copy_size - tmp_off)) { + chunk_size = (copy_size - tmp_off); + } + +#ifdef MCUBOOT_ENC_IMAGES + if ((pos + tmp_off + chunk_size) >= comp_size) { +#else + if ((pos + tmp_off + chunk_size) >= hdr->ih_img_size) { +#endif + last_packet = true; + } + + rc = compression_lzma->decompress(NULL, &buf[tmp_off], chunk_size, last_packet, + &offset, &output, &output_size); + + if (rc) { + BOOT_LOG_ERR("Decompression error: %d", rc); + rc = BOOT_EBADSTATUS; + goto finish; + } + + /* Copy data to secondary buffer for writing out */ + while (output_size > 0) { + uint32_t data_size = (DECOMP_BUF_SIZE - decomp_buf_size); + + if (data_size > output_size) { + data_size = output_size; + } + +#if defined(CONFIG_NRF_COMPRESS_ARM_THUMB) + if (hdr->ih_flags & IMAGE_F_COMPRESSED_ARM_THUMB_FLT) { + memcpy(&decomp_buf[decomp_buf_size + DECOMP_BUF_EXTRA_SIZE], + &output[compression_buffer_pos], data_size); + } else +#endif + { + memcpy(&decomp_buf[decomp_buf_size], &output[compression_buffer_pos], + data_size); + } + + compression_buffer_pos += data_size; + + decomp_buf_size += data_size; + output_size -= data_size; + + /* Write data out from secondary buffer when it is full */ + if (decomp_buf_size == DECOMP_BUF_SIZE) { +#if defined(CONFIG_NRF_COMPRESS_ARM_THUMB) + if (hdr->ih_flags & IMAGE_F_COMPRESSED_ARM_THUMB_FLT) { + uint32_t filter_writeback_pos = 0; + uint32_t processed_size = 0; + + /* Run this through the ARM thumb filter */ + while (processed_size < DECOMP_BUF_SIZE) { + uint32_t offset_arm_thumb = 0; + uint32_t output_size_arm_thumb = 0; + uint8_t *output_arm_thumb = NULL; + uint32_t current_size = DECOMP_BUF_SIZE; + bool arm_thumb_last_packet = false; + + if (current_size > CONFIG_NRF_COMPRESS_CHUNK_SIZE) { + current_size = CONFIG_NRF_COMPRESS_CHUNK_SIZE; + } + + if (last_packet && (processed_size + current_size) == DECOMP_BUF_SIZE + && output_size == 0) { + arm_thumb_last_packet = true; + } + + rc = compression_arm_thumb->decompress(NULL, + &decomp_buf[processed_size + + DECOMP_BUF_EXTRA_SIZE], + current_size, + arm_thumb_last_packet, + &offset_arm_thumb, + &output_arm_thumb, + &output_size_arm_thumb); + + if (rc) { + BOOT_LOG_ERR("Decompression error: %d", rc); + rc = BOOT_EBADSTATUS; + goto finish; + } + + memcpy(&decomp_buf[filter_writeback_pos], output_arm_thumb, + output_size_arm_thumb); + filter_writeback_pos += output_size_arm_thumb; + processed_size += current_size; + } + + if (excess_data_buffer_full == true) + { + /* Restore extra data removed from previous iteration to the write + * buffer + */ + memmove(&decomp_buf[DECOMP_BUF_EXTRA_SIZE], decomp_buf, + filter_writeback_pos); + memcpy(decomp_buf, excess_data_buffer, DECOMP_BUF_EXTRA_SIZE); + excess_data_buffer_full = false; + filter_writeback_pos += DECOMP_BUF_EXTRA_SIZE; + } + + if ((filter_writeback_pos % sizeof(uint32_t)) != 0) + { + /* Since there are an extra 2 bytes here, remove them and stash for + * later usage to prevent flash write issues with non-word boundary + * writes + */ + memcpy(excess_data_buffer, &decomp_buf[filter_writeback_pos - + DECOMP_BUF_EXTRA_SIZE], + DECOMP_BUF_EXTRA_SIZE); + excess_data_buffer_full = true; + filter_writeback_pos -= DECOMP_BUF_EXTRA_SIZE; + } + + rc = flash_area_write(fap_dst, (off_dst + hdr->ih_hdr_size + write_pos), + decomp_buf, filter_writeback_pos); + + if (rc != 0) { + BOOT_LOG_ERR( + "Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + (off_dst + hdr->ih_hdr_size + write_pos), DECOMP_BUF_SIZE, + fap_dst->fa_id, rc); + rc = BOOT_EFLASH; + goto finish; + } + + write_pos += filter_writeback_pos; + decomp_buf_size = 0; + filter_writeback_pos = 0; + } else +#endif + { + rc = flash_area_write(fap_dst, (off_dst + hdr->ih_hdr_size + write_pos), + decomp_buf, DECOMP_BUF_SIZE); + + if (rc != 0) { + BOOT_LOG_ERR( + "Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + (off_dst + hdr->ih_hdr_size + write_pos), DECOMP_BUF_SIZE, + fap_dst->fa_id, rc); + rc = BOOT_EFLASH; + goto finish; + } + + write_pos += DECOMP_BUF_SIZE; + decomp_buf_size = 0; + } + } + } + + tmp_off += offset; + } + + pos += copy_size; + } + +#if defined(CONFIG_NRF_COMPRESS_ARM_THUMB) + if (hdr->ih_flags & IMAGE_F_COMPRESSED_ARM_THUMB_FLT && decomp_buf_size > 0) { + /* Extra data that has not been written out that needs ARM thumb filter applied */ + uint32_t offset_arm_thumb = 0; + uint32_t output_size_arm_thumb = 0; + uint8_t *output_arm_thumb = NULL; + + rc = compression_arm_thumb->decompress(NULL, &decomp_buf[DECOMP_BUF_EXTRA_SIZE], + decomp_buf_size, true, &offset_arm_thumb, + &output_arm_thumb, &output_size_arm_thumb); + + if (rc) { + BOOT_LOG_ERR("Decompression error: %d", rc); + rc = BOOT_EBADSTATUS; + goto finish; + } + + memcpy(decomp_buf, output_arm_thumb, output_size_arm_thumb); + } +#endif + + /* Clean up decompression system */ + (void)compression_lzma->deinit(NULL); + (void)compression_arm_thumb->deinit(NULL); + + if (protected_tlv_size > 0) { + rc = boot_copy_protected_tlvs(hdr, fap_src, fap_dst, (off_dst + hdr->ih_hdr_size + + write_pos), protected_tlv_size, + decomp_buf, DECOMP_BUF_SIZE, &decomp_buf_size, + &tlv_write_size); + + if (rc) { + BOOT_LOG_ERR("Protected TLV copy failure: %d", rc); + goto finish; + } + + write_pos += tlv_write_size; + } + + tlv_write_size = 0; + rc = boot_copy_unprotected_tlvs(hdr, fap_src, fap_dst, (off_dst + hdr->ih_hdr_size + + write_pos), unprotected_tlv_size, + decomp_buf, DECOMP_BUF_SIZE, &decomp_buf_size, + &tlv_write_size); + + if (rc) { + BOOT_LOG_ERR("Protected TLV copy failure: %d", rc); + goto finish; + } + + write_pos += tlv_write_size; + + /* Check if we have unwritten data buffered up and, if so, write it out */ + if (decomp_buf_size > 0) { + uint32_t write_padding_size = write_alignment - (decomp_buf_size % write_alignment); + + /* Check if additional write padding should be applied to meet the minimum write size */ + if (write_alignment > 1 && write_padding_size) { + uint8_t flash_erased_value; + + flash_erased_value = flash_area_erased_val(fap_dst); + memset(&decomp_buf[decomp_buf_size], flash_erased_value, write_padding_size); + decomp_buf_size += write_padding_size; + } + + rc = flash_area_write(fap_dst, (off_dst + hdr->ih_hdr_size + write_pos), decomp_buf, + decomp_buf_size); + + if (rc != 0) { + BOOT_LOG_ERR("Flash write failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + (off_dst + hdr->ih_hdr_size + write_pos), decomp_buf_size, + fap_dst->fa_id, rc); + rc = BOOT_EFLASH; + goto finish; + } + + write_pos += decomp_buf_size; + decomp_buf_size = 0; + } + +finish: + memset(decomp_buf, 0, sizeof(decomp_buf)); + + return rc; +} + +int bootutil_get_img_decomp_size(const struct image_header *hdr, const struct flash_area *fap, + uint32_t *img_decomp_size) +{ + struct image_tlv_iter it; + uint32_t off; + uint16_t len; + int32_t rc; + + if (hdr == NULL || fap == NULL || img_decomp_size == NULL) { + return BOOT_EBADARGS; + } else if (hdr->ih_protect_tlv_size == 0) { + return BOOT_EBADIMAGE; + } + + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_DECOMP_SIZE, true); + + if (rc) { + return rc; + } + + rc = bootutil_tlv_iter_next(&it, &off, &len, NULL); + + if (rc != 0) { + return -1; + } + + if (len != sizeof(*img_decomp_size)) { + BOOT_LOG_ERR("Invalid decompressed image size TLV: %d", len); + return BOOT_EBADIMAGE; + } + + rc = LOAD_IMAGE_DATA(hdr, fap, off, img_decomp_size, len); + + if (rc) { + BOOT_LOG_ERR("Image data load failed at offset: 0x%x, size: 0x%x, area: %d, rc: %d", + off, len, fap->fa_id, rc); + return BOOT_EFLASH; + } + + return 0; +} diff --git a/boot/zephyr/include/compression/decompression.h b/boot/zephyr/include/compression/decompression.h new file mode 100644 index 000000000..2104c4eb6 --- /dev/null +++ b/boot/zephyr/include/compression/decompression.h @@ -0,0 +1,103 @@ +/* + * Copyright (c) 2024 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#ifndef H_DECOMPRESSION_ +#define H_DECOMPRESSION_ + +#include +#include +#include +#include "bootutil/bootutil.h" +#include "bootutil/bootutil_public.h" +#include "bootutil/image.h" +#include "../src/bootutil_priv.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * Checks if a compressed image header is valid. + * + * @param hdr Image header. + * @param fap Flash area of the slot. + * @param state Bootloader state object. + * + * @return true if valid; false if invalid. + */ +bool boot_is_compressed_header_valid(const struct image_header *hdr, const struct flash_area *fap, + struct boot_loader_state *state); + +/** + * Reads in compressed image data from a slot, decompresses it and writes it out to a destination + * slot, including corresponding image headers and TLVs. + * + * @param state Bootloader state object. + * @param fap_src Flash area of the source slot. + * @param fap_dst Flash area of the destination slot. + * @param off_src Offset of the source slot to read from (should be 0). + * @param off_dst Offset of the destination slot to write to (should be 0). + * @param sz Size of the source slot data. + * @param buf Temporary buffer for reading data from. + * @param buf_size Size of temporary buffer. + * + * @return 0 on success; nonzero on failure. + */ +int boot_copy_region_decompress(struct boot_loader_state *state, const struct flash_area *fap_src, + const struct flash_area *fap_dst, uint32_t off_src, + uint32_t off_dst, uint32_t sz, uint8_t *buf, size_t buf_size); + +/** + * Gets the total data size (excluding headers and TLVs) of a compressed image when it is + * decompressed. + * + * @param hdr Image header. + * @param fap Flash area of the slot. + * @param img_decomp_size Pointer to variable that will be updated with the decompressed image + * size. + * + * @return 0 on success; nonzero on failure. + */ +int bootutil_get_img_decomp_size(const struct image_header *hdr, const struct flash_area *fap, + uint32_t *img_decomp_size); + +/** + * Calculate MCUboot-compatible image hash of compressed image slot. + * + * @param state MCUboot state. + * @param hdr Image header. + * @param fap Flash area of the slot. + * @param tmp_buf Temporary buffer for reading data from. + * @param tmp_buf_sz Size of temporary buffer. + * @param hash_result Pointer to a variable that will be updated with the image hash. + * @param seed Not currently used, set to NULL. + * @param seed_len Not currently used, set to 0. + * + * @return 0 on success; nonzero on failure. + */ +int bootutil_img_hash_decompress(struct boot_loader_state *state, struct image_header *hdr, + const struct flash_area *fap, uint8_t *tmp_buf, + uint32_t tmp_buf_sz, uint8_t *hash_result, + uint8_t *seed, int seed_len); + +/** + * Calculates the size that the compressed image protected TLV section will occupy once the image + * has been decompressed. + * + * @param hdr Image header. + * @param fap Flash area of the slot. + * @param sz Pointer to variable that will be updated with the protected TLV size. + * + * @return 0 on success; nonzero on failure. + */ +int boot_size_protected_tlvs(const struct image_header *hdr, const struct flash_area *fap_src, + uint32_t *sz); + +#ifdef __cplusplus +} +#endif + +#endif /* H_DECOMPRESSION_ */ From 2ae98d5637e2fae869744cd96066915a271d9070 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Fri, 20 Sep 2024 16:34:00 +0000 Subject: [PATCH 223/228] [nrf noup] bootutil: Add support for KMU stored ED25519 signature key The commit adds verification of image using keys stored in KMU. Signed-off-by: Dominik Ermel (cherry picked from commit 6e0c2b8794daa33d7688b35fc4af04c4d8052d41) (cherry picked from commit b647a94a24b1a20b3cbbde41ff9a4a92be67a232) --- boot/bootutil/src/ed25519_psa.c | 51 ++++++++++++++++++++++++++++++ boot/bootutil/src/image_ed25519.c | 9 +++++- boot/bootutil/src/image_validate.c | 12 +++++-- boot/zephyr/CMakeLists.txt | 2 +- boot/zephyr/Kconfig | 26 +++++++++++++++ 5 files changed, 96 insertions(+), 4 deletions(-) diff --git a/boot/bootutil/src/ed25519_psa.c b/boot/bootutil/src/ed25519_psa.c index 12ba20ac1..b6153f9a4 100644 --- a/boot/bootutil/src/ed25519_psa.c +++ b/boot/bootutil/src/ed25519_psa.c @@ -12,6 +12,9 @@ #include #include +#if defined(CONFIG_BOOT_SIGNATURE_USING_KMU) +#include +#endif BOOT_LOG_MODULE_REGISTER(ed25519_psa); @@ -19,6 +22,18 @@ BOOT_LOG_MODULE_REGISTER(ed25519_psa); #define EDDSA_KEY_LENGTH 32 #define EDDSA_SIGNAGURE_LENGTH 64 +#if defined(CONFIG_BOOT_SIGNATURE_USING_KMU) +/* List of KMU stored key ids available for MCUboot */ +#define MAKE_PSA_KMU_KEY_ID(id) PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, id) +static psa_key_id_t kmu_key_ids[3] = { + MAKE_PSA_KMU_KEY_ID(226), + MAKE_PSA_KMU_KEY_ID(228), + MAKE_PSA_KMU_KEY_ID(230) +}; +#define KMU_KEY_COUNT (sizeof(kmu_key_ids)/sizeof(kmu_key_ids[0])) +#endif + +#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) int ED25519_verify(const uint8_t *message, size_t message_len, const uint8_t signature[EDDSA_SIGNAGURE_LENGTH], const uint8_t public_key[EDDSA_KEY_LENGTH]) @@ -69,3 +84,39 @@ int ED25519_verify(const uint8_t *message, size_t message_len, return ret; } +#else +int ED25519_verify(const uint8_t *message, size_t message_len, + const uint8_t signature[EDDSA_SIGNAGURE_LENGTH], + const uint8_t public_key[EDDSA_KEY_LENGTH]) +{ + ARG_UNUSED(public_key); + /* Set to any error */ + psa_status_t status = PSA_ERROR_BAD_STATE; + int ret = 0; /* Fail by default */ + + /* Initialize PSA Crypto */ + status = psa_crypto_init(); + if (status != PSA_SUCCESS) { + BOOT_LOG_ERR("PSA crypto init failed %d", status); + return 0; + } + + status = PSA_ERROR_BAD_STATE; + + for (int i = 0; i < KMU_KEY_COUNT; ++i) { + psa_key_id_t kid = kmu_key_ids[i]; + + status = psa_verify_message(kid, PSA_ALG_PURE_EDDSA, message, + message_len, signature, + EDDSA_SIGNAGURE_LENGTH); + if (status == PSA_SUCCESS) { + ret = 1; + break; + } + + BOOT_LOG_ERR("ED25519 signature verification failed %d", status); + } + + return ret; +} +#endif diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index ffb8cec3b..d5aee65bc 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -31,6 +31,7 @@ extern int ED25519_verify(const uint8_t *message, size_t message_len, const uint8_t signature[EDDSA_SIGNATURE_LENGTH], const uint8_t public_key[NUM_ED25519_BYTES]); +#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) #if !defined(MCUBOOT_KEY_IMPORT_BYPASS_ASN) /* * Parse the public key used for signing. @@ -73,6 +74,7 @@ bootutil_import_key(uint8_t **cp, uint8_t *end) return 0; } #endif /* !defined(MCUBOOT_KEY_IMPORT_BYPASS_ASN) */ +#endif /* Signature verification base function. * The function takes buffer of specified length and tries to verify @@ -87,14 +89,17 @@ bootutil_verify(uint8_t *buf, uint32_t blen, { int rc; FIH_DECLARE(fih_rc, FIH_FAILURE); - uint8_t *pubkey; + uint8_t *pubkey = NULL; +#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) uint8_t *end; +#endif if (slen != EDDSA_SIGNATURE_LENGTH) { FIH_SET(fih_rc, FIH_FAILURE); goto out; } +#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) pubkey = (uint8_t *)bootutil_keys[key_id].key; end = pubkey + *bootutil_keys[key_id].len; @@ -116,6 +121,8 @@ bootutil_verify(uint8_t *buf, uint32_t blen, } pubkey = end - NUM_ED25519_BYTES; +#endif + #endif rc = ED25519_verify(buf, blen, sig, pubkey); diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c index 40f0aa857..bb7aec148 100644 --- a/boot/bootutil/src/image_validate.c +++ b/boot/bootutil/src/image_validate.c @@ -280,6 +280,7 @@ bootutil_img_hash(struct boot_loader_state *state, # define KEY_BUF_SIZE (SIG_BUF_SIZE + 24) #endif /* !MCUBOOT_HW_KEY */ +#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) #if !defined(MCUBOOT_HW_KEY) static int bootutil_find_key(uint8_t *keyhash, uint8_t keyhash_len) @@ -345,6 +346,7 @@ bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len) } #endif /* !MCUBOOT_HW_KEY */ #endif /* !MCUBOOT_BUILTIN_KEY */ +#endif /* !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) */ #endif /* EXPECTED_SIG_TLV */ /** @@ -687,6 +689,7 @@ bootutil_img_validate(struct boot_loader_state *state, break; } #endif /* defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE) */ +#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) #ifdef EXPECTED_KEY_TLV case EXPECTED_KEY_TLV: { @@ -717,14 +720,17 @@ bootutil_img_validate(struct boot_loader_state *state, break; } #endif /* EXPECTED_KEY_TLV */ +#endif /* !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) */ #ifdef EXPECTED_SIG_TLV case EXPECTED_SIG_TLV: { +#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) /* Ignore this signature if it is out of bounds. */ if (key_id < 0 || key_id >= bootutil_key_cnt) { key_id = -1; continue; } +#endif /* !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) */ if (!EXPECTED_SIG_LEN(len) || len > sizeof(buf)) { rc = -1; goto out; @@ -870,7 +876,7 @@ bootutil_img_validate(struct boot_loader_state *state, } #ifdef EXPECTED_SIG_TLV -#ifdef EXPECTED_KEY_TLV +#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) && defined(EXPECTED_KEY_TLV) rc = bootutil_tlv_iter_begin(&it, hdr, fap, EXPECTED_KEY_TLV, false); if (rc) { goto out; @@ -916,7 +922,7 @@ bootutil_img_validate(struct boot_loader_state *state, */ } } -#endif /* EXPECTED_KEY_TLV */ +#endif /* !CONFIG_BOOT_SIGNATURE_USING_KMU && EXPECTED_KEY_TLV */ rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_DECOMP_SIGNATURE, true); if (rc) { @@ -939,10 +945,12 @@ bootutil_img_validate(struct boot_loader_state *state, if (type == IMAGE_TLV_DECOMP_SIGNATURE) { /* Ignore this signature if it is out of bounds. */ +#if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) if (key_id < 0 || key_id >= bootutil_key_cnt) { key_id = -1; continue; } +#endif if (!EXPECTED_SIG_LEN(len) || len > sizeof(buf)) { rc = -1; diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index b7876bc9a..97fba4096 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -339,7 +339,7 @@ if(CONFIG_MCUBOOT_SERIAL) endif() endif() -if(NOT CONFIG_BOOT_SIGNATURE_KEY_FILE STREQUAL "") +if(NOT CONFIG_BOOT_SIGNATURE_USING_KMU AND NOT CONFIG_BOOT_SIGNATURE_KEY_FILE STREQUAL "") # CONF_FILE points to the KConfig configuration files of the bootloader. foreach (filepath ${CONF_FILE}) file(READ ${filepath} temp_text) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 967a57f6f..bec163153 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -331,6 +331,22 @@ endif endchoice +config BOOT_SIGNATURE_USING_KMU + bool "Use KMU stored keys for signature verification" + depends on NRF_SECURITY + depends on CRACEN_LIB_KMU + select PSA_WANT_ALG_GCM + select PSA_WANT_KEY_TYPE_AES + select PSA_WANT_AES_KEY_SIZE_256 + select PSA_WANT_ALG_SP800_108_COUNTER_CMAC + select PSA_WANT_ALG_CMAC + select PSA_WANT_ALG_ECB_NO_PADDING + help + MCUboot will use keys provisioned to the device key management unit for signature + verification instead of compiling in key data from a file. + +if !BOOT_SIGNATURE_USING_KMU + config BOOT_SIGNATURE_KEY_FILE string "PEM key file" default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256 @@ -348,6 +364,8 @@ config BOOT_SIGNATURE_KEY_FILE with the public key information will be written in a format expected by MCUboot. +endif + config MCUBOOT_CLEANUP_ARM_CORE bool "Perform core cleanup before chain-load the application" depends on CPU_CORTEX_M @@ -370,6 +388,14 @@ config MCUBOOT_CLEANUP_RAM help Sets contents of memory to 0 before jumping to application. +# Disable MBEDTLS from being selected if NRF_SECURITY is enabled, and use default NRF_SECURITY +# configuration file for MBEDTLS +config MBEDTLS + depends on !NRF_SECURITY + +config NRF_SECURITY + select MBEDTLS_PROMPTLESS + config MBEDTLS_CFG_FILE # It might be awkward to define an Mbed TLS header file when TinyCrypt # is used, but the fact is that Mbed TLS' ASN1 parse module is used From 1c9556a24ee3952b649e366b9d399fb554f65ab3 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Thu, 7 Nov 2024 10:53:06 +0000 Subject: [PATCH 224/228] [nrf noup] boot: zephyr: Add experimental selection to compression Adds selecting the experimental Kconfig when compession is in use Signed-off-by: Jamie McCrae Signed-off-by: Dominik Ermel (cherry picked from commit ff3c31fba7e8eb659d8505e9c635057a2ca53987) (cherry picked from commit 4ceb4773b31dd8d56dfcb6e0461a70bb161ca95f) --- boot/zephyr/Kconfig | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index bec163153..87313c22c 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -1045,9 +1045,10 @@ config BOOT_DECOMPRESSION_SUPPORT if BOOT_DECOMPRESSION_SUPPORT menuconfig BOOT_DECOMPRESSION - bool "Decompression" + bool "Decompression [EXPERIMENTAL]" select NRF_COMPRESS_CLEANUP select PM_USE_CONFIG_SRAM_SIZE if SOC_NRF54L15_CPUAPP + select EXPERIMENTAL help If enabled, will include support for compressed images being loaded to the secondary slot which then get decompressed into the primary slot. This mode allows the secondary slot to From 59987a6aa2d4c95e6f02d6ec9f8f9af94ecd834d Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Mon, 2 Dec 2024 10:51:41 +0000 Subject: [PATCH 225/228] [nrf noup] boot: bootutil: Allow configuring number of KMU keys Adds a new Kconfig CONFIG_BOOT_SIGNATURE_KMU_SLOTS which allows specifying how many KMU key IDs are supported, the default is set to 1 instead of 3 which was set before NCSDK-30743 Signed-off-by: Jamie McCrae (cherry picked from commit 12e5ee106034972b0f1074d6f2261b2b39d1501b) (cherry picked from commit 2ca0efedf8d331028455f05d77f1c3c5064b773b) --- boot/bootutil/src/ed25519_psa.c | 7 +++++-- boot/zephyr/Kconfig | 12 ++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/boot/bootutil/src/ed25519_psa.c b/boot/bootutil/src/ed25519_psa.c index b6153f9a4..3e9cf2cbd 100644 --- a/boot/bootutil/src/ed25519_psa.c +++ b/boot/bootutil/src/ed25519_psa.c @@ -12,6 +12,7 @@ #include #include +#include #if defined(CONFIG_BOOT_SIGNATURE_USING_KMU) #include #endif @@ -30,7 +31,9 @@ static psa_key_id_t kmu_key_ids[3] = { MAKE_PSA_KMU_KEY_ID(228), MAKE_PSA_KMU_KEY_ID(230) }; -#define KMU_KEY_COUNT (sizeof(kmu_key_ids)/sizeof(kmu_key_ids[0])) + +BUILD_ASSERT(CONFIG_BOOT_SIGNATURE_KMU_SLOTS <= ARRAY_SIZE(kmu_key_ids), + "Invalid number of KMU slots, up to 3 are supported on nRF54L15"); #endif #if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU) @@ -103,7 +106,7 @@ int ED25519_verify(const uint8_t *message, size_t message_len, status = PSA_ERROR_BAD_STATE; - for (int i = 0; i < KMU_KEY_COUNT; ++i) { + for (int i = 0; i < CONFIG_BOOT_SIGNATURE_KMU_SLOTS; ++i) { psa_key_id_t kid = kmu_key_ids[i]; status = psa_verify_message(kid, PSA_ALG_PURE_EDDSA, message, diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 87313c22c..052ecc9a0 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -345,6 +345,18 @@ config BOOT_SIGNATURE_USING_KMU MCUboot will use keys provisioned to the device key management unit for signature verification instead of compiling in key data from a file. +if BOOT_SIGNATURE_USING_KMU + +config BOOT_SIGNATURE_KMU_SLOTS + int "KMU key slots" + range 1 3 + default 1 + help + Selects the number of KMU key slots (also known as generations) to use when verifying + an image. + +endif + if !BOOT_SIGNATURE_USING_KMU config BOOT_SIGNATURE_KEY_FILE From 03d9b4fb8cac4232f61971c2961a40907a154eb4 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Fri, 14 Mar 2025 17:51:23 +0000 Subject: [PATCH 226/228] [nrf noup] zephyr: Use mbedTLS specific C functions with RSA Use snprinf, alloc, calloc and free from mbedTLS rather than from Zephyr. Signed-off-by: Dominik Ermel --- boot/zephyr/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig index 052ecc9a0..fc06ed3c6 100644 --- a/boot/zephyr/Kconfig +++ b/boot/zephyr/Kconfig @@ -223,6 +223,8 @@ config BOOT_SIGNATURE_TYPE_RSA select MBEDTLS select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED if MBEDTLS_BUILTIN + select MBEDTLS_PLATFORM_NO_STD_FUNCTIONS if MBEDTLS_BUILTIN + select MBEDTLS_PLATFORM_SNPRINTF_ALT if MBEDTLS_BUILTIN select BOOT_ENCRYPTION_SUPPORT select BOOT_IMG_HASH_ALG_SHA256_ALLOW select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE From dd65770fad1cf23a20e07aeb44128149a665a8c4 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 10:02:54 +0000 Subject: [PATCH 227/228] [nrf fromtree] boot: zephyr: Only supply MBEDTLS config file path if set Fixes an issue where the variable might not be set and be empty, and would still be included which would cause a compiler include empty file error Signed-off-by: Jamie McCrae (cherry picked from commit b92d4dd716c11c5e1b3f6ffb6370ab68b565f25c) --- boot/zephyr/CMakeLists.txt | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt index 97fba4096..7b291a37b 100644 --- a/boot/zephyr/CMakeLists.txt +++ b/boot/zephyr/CMakeLists.txt @@ -200,18 +200,18 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) ) endif() if(CONFIG_BOOT_USE_TINYCRYPT) - # When using ECDSA signatures, pull in our copy of the tinycrypt library. - zephyr_library_include_directories( - ${BOOT_DIR}/zephyr/include - ${TINYCRYPT_DIR}/include + # When using ECDSA signatures, pull in our copy of the tinycrypt library. + zephyr_library_include_directories( + ${BOOT_DIR}/zephyr/include + ${TINYCRYPT_DIR}/include ) - zephyr_include_directories(${TINYCRYPT_DIR}/include) + zephyr_include_directories(${TINYCRYPT_DIR}/include) - zephyr_library_sources( - ${TINYCRYPT_DIR}/source/ecc.c - ${TINYCRYPT_DIR}/source/ecc_dsa.c - ${TINYCRYPT_DIR}/source/sha256.c - ${TINYCRYPT_DIR}/source/utils.c + zephyr_library_sources( + ${TINYCRYPT_DIR}/source/ecc.c + ${TINYCRYPT_DIR}/source/ecc_dsa.c + ${TINYCRYPT_DIR}/source/sha256.c + ${TINYCRYPT_DIR}/source/utils.c ) elseif(CONFIG_BOOT_USE_NRF_CC310_BL) zephyr_library_sources(${MCUBOOT_NRF_EXT_DIR}/cc310_glue.c) @@ -221,12 +221,14 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256) zephyr_include_directories(${BL_CRYPTO_DIR}/../include) endif() - # Since here we are not using Zephyr's mbedTLS but rather our own, we need - # to set MBEDTLS_CONFIG_FILE ourselves. When using Zephyr's copy, this - # variable is set by its Kconfig in the Zephyr codebase. - zephyr_library_compile_definitions( - MBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}" + if(CONFIG_MBEDTLS_CFG_FILE) + # Since here we are not using Zephyr's mbedTLS but rather our own, we need + # to set MBEDTLS_CONFIG_FILE ourselves. When using Zephyr's copy, this + # variable is set by its Kconfig in the Zephyr codebase. + zephyr_library_compile_definitions( + MBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}" ) + endif() elseif(CONFIG_BOOT_SIGNATURE_TYPE_NONE) zephyr_library_include_directories( ${BOOT_DIR}/zephyr/include From 14cbca413937c36a1b417a2ac1888d2027720933 Mon Sep 17 00:00:00 2001 From: Jamie McCrae Date: Wed, 26 Mar 2025 12:18:04 +0000 Subject: [PATCH 228/228] [nrf fromlist] docs: compression_format: Fix tags Fixes tags for pygments Upstream PR #: 2245 Signed-off-by: Jamie McCrae --- docs/compression_format.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/compression_format.md b/docs/compression_format.md index ddb99d534..78397da7c 100644 --- a/docs/compression_format.md +++ b/docs/compression_format.md @@ -35,7 +35,7 @@ Compression parameters have the following default values: You can calculate the `dict_size` using the following method: -``` {.c} +```c unsigned int i = 0; for (i = 0; i < 40; i++) { @@ -103,14 +103,14 @@ The second byte of the `lzma2_header` carries the following parameters: These parameters are encoded with the following formula: - ``` {.c} + ```c pb_lp_lc = (uint8_t)((pb * 5 + lp) * 9 + lc); ``` To decode these values from the combined `pb_lp_lc` byte, run the following code: - ``` {.c} + ```c lc = pb_lp_lc % 9; pb_lp_lc /= 9; pb = pb_lp_lc / 5; @@ -132,13 +132,13 @@ steps: - Without an ARM thumb filter: - ``` {.bash} + ```bash unlzma --lzma2 --format=raw --suffix=.lzma raw.lzma ``` - With an ARM thumb filter: - ``` {.bash} + ```bash unlzma --armthumb --lzma2 --format=raw --suffix=.lzma raw.lzma ```