
Conversation

@MarekPieta
Contributor

Enable the CONFIG_MCUBOOT_CLEANUP_RAM by default to improve security of the default configuration.

Upstream PR #: 2451

de-nordic and others added 30 commits August 1, 2025 12:19
…nto one place

Make enc_key_public.h single point of definitions for key sizes,
TLV indexes and so on.

Upstream PR #: 2327

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 2d93958)
Use bootutil_macros.h instead.

Upstream PR #: 2327

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit c1bb3a3)
…tions

Cleanup.

Upstream PR #: 2327

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit f4a5081)
Incorrect range check fix.

Upstream PR #: 2337

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit fa17bc9)
This fixes issues when trying to compress images with no
header padding requested.

Upstream PR #: 2334

Signed-off-by: Michal Kozikowski <michal.kozikowski@nordicsemi.no>
(cherry picked from commit 9e0bebc)
The hfwinfo returns a bitmask, not single values.

Upstream PR #: 2342

Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no>
(cherry picked from commit 18e3bc8)
…erase

This fixes issues when trying to erase secondary slot trailer for
platforms with MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE set from flash driver.
Explicitly calling 'scramble' on the region ensures we delete the trailer.

Upstream PR #: 2341

Signed-off-by: Michal Kozikowski <michal.kozikowski@nordicsemi.no>
(cherry picked from commit bb644c7)
Consolidates USB DFU entry logic by unifying GPIO and timeout-based
DFU triggers under a common flag. This avoids code duplication and
improves maintainability.
Also improves log clarity for different DFU exit conditions.

Signed-off-by: Sayooj K Karun <sayooj@aerlync.com>
(cherry picked from commit 402d3f7)
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Add additional log lines to allow easier tracking of potential
failures in image validation.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 11f9c6f)
Improve logging to make it easier to track image validation
failures in development.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit c5011f2)
Fixed comments indentation.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit e56cecc)
…25519

Information on TLV and format.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit e542295)
Add support for HKDF/HMAC based on SHA512 for ECIES-X25519 key
exchange.
The commit adds MCUBOOT_HMAC_SHA512 that enables new TLV
IMAGE_TLV_ENC_X25519_SHA512.
Encryption code has been altered to support the MCUBOOT_HMAC_SHA512.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 1d83177)
The commit adds CONFIG_BOOT_HMAC_SHA512 that enables MCUboot
configuration option MCUBOOT_HMAC_SHA512, that is used for
switching HKDF/HMAC in ECIES key exchange to SHA512,
from default SHA256.
This option, currently, is only available for ECIES-X25519
with PSA as crypto backend.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 3771916)
…25519

Commit adds imgtool command line option --hmac-sha allowing
selection between SHA256 and SHA512 for HMAC/HKDF.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit a36f951)
Fetch the flash base address if direct hash calculation is performed.

Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no>
(cherry picked from commit 6a178d2)
…d config

This board has not been supported in a long time, remove it

Upstream PR #: 2380

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 78ad12e)
Remove redundant application size calculations in favor of
a swap-specific function, implemented inside swap_<type>.c.
In this way, slot sizes use the same restrictions as image validation.

Upstream PR #: 2318

Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no>
(cherry picked from commit cf1f76c)
…configuration

Remove configs that enable multithreading just because of SPI/QSPI use.
Currently, nrf drivers do not depend on multithreading, so it is not
needed and this change can save memory usage.

Upstream PR #: 2375

Signed-off-by: Michal Kozikowski <michal.kozikowski@nordicsemi.no>
(cherry picked from commit dd6b3ac)
Option to put execution in infinite loop.
Meant to be used for debug.

Signed-off-by: Mateusz Michalek <mateusz.michalek@nordicsemi.no>
(cherry picked from commit 5eaf190)
Commit introduces BOOT_SOMETHING_USES_SHA<256,384,512>
Kconfig options that can be used to control what algorithms
should be compiled in with crypto backends.

Upstream PR #: 2390

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 62ee266)
Allow depending on a specific slot while specifying the version number.
This functionality is useful when the Direct XIP mode is used and the
booting process of other images is done by the next stage, not the
MCUboot itself.

Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no>
(cherry picked from commit dce784a)
Adds Kconfig option CONFIG_BOOT_ECDSA_PSA that allows switching
ECDSA to the PSA backend.

Signed-off-by: Artur Hadasz <artur.hadasz@nordicsemi.no>
(cherry picked from commit 5ee96f5)
Use the generic commit-tags action to provide sauce tag checks.

Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
(cherry picked from commit 67c4da4)
Removes the `add_subdirectory` of nrfxlib; it will still check that
the nrfxlib is located outside the mcuboot directory.

Signed-off-by: Sigvart Hovland <sigvart.m@gmail.com>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no>
Signed-off-by: Emil Obalski <emil.obalski@nordicsemi.no>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 0566363)
Add prj_minimal.conf, a Kconfig fragment to be used for minimally
sized image production. The minimal fragment has been simplified for
only external crypto.

Move partition sizing into Kconfig to be consistent with the method
used by b0.

Using this fragment with prj_minimal.conf makes MCUboot < 16kB for
all nRF devices (9160 still needs 32kB partition).

Ref: NCSDK-6704
Signed-off-by: Stephen Stauts <stephen.stauts@nordicsemi.no>
Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no>
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Signed-off-by: Artur Hadasz <artur.hadasz@nordicsemi.no>
(cherry picked from commit 33d3e61)
Adds project configurations for the two systems on the Thingy:91
(PCA-20035) board.

The bootloader that is factory-programmed on Thingy:91 does not support
ECDSA signature type. Hence this commit also sets the signature type
to RSA for applications built for Thingy:91.

Signed-off-by: Bernt Johan Damslora <bernt.johan.damslora@nordicsemi.no>
Signed-off-by: Sigvart Hovland <sigvart.hovland@nordicsemi.no>
Signed-off-by: Jon Helge Nistad <jon.helge.nistad@nordicsemi.no>
Signed-off-by: Balaji Srinivasan <balaji.srinivasan@nordicsemi.no>
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Signed-off-by: Marek Pieta <Marek.Pieta@nordicsemi.no>
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 0512d8d)
The default value of CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT
for nRF52 SOCs has been changed from 0 to 3, but it makes
MCUBoot get stuck on erasing flash pages when swapping two
images. Restore the previous value until the RTC issue is
resolved (see NCSDK-14427)

Signed-off-by: Damian Krolik <damian.krolik@nordicsemi.no>
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 3957a30)
This patch adds board configuration for the Thingy:91 X.

Signed-off-by: Maximilian Deubel <maximilian.deubel@nordicsemi.no>
(cherry picked from commit 1b2d11c)
Partition Manager is an nRF Connect SDK component which uses yaml
files to resolve flash partition placement with a holistic view of the
device.

This component's MCUboot portions began life as upstream mcuboot
PR#430. This added support for being built as a sub image from the
downstream Nordic patch set for a zephyr multi image build
system (mcuboot 430 was combined with effort submitted to upstream
zephyr as PR#13672, which was ultimately reworked after being rejected
for mainline at the ELCE 2019 conference in Lyon).

It has since evolved over time. This is the version that will go into
NCS v1.3. It features:

- page size aligned partitions for all partitions used by mcuboot.
- image swaps without scratch partitions

Add support for configurations where there exist two primary slots
but only one secondary slot, which is shared. These two primary slots
are the regular application and B1. B1 can be either S0 or S1
depending on the state of the device.

Decide where an upgrade should be stored by looking at the vector
table.

Provide update candidates for both s0 and s1. These candidates must be
signed with mcuboot after being signed by b0.

Additional notes:

- we make update.hex without trailer data

  This is needed for serial recovery to work using hex files.
  Prior to this the update.hex got TLV data at the end of the
  partition, which caused many blank pages to be included,
  which made it hard to use in a serial recovery scheme.

  Instead, make update.hex without TLV data at the end,
  and provide a new file test_update.hex which contains
  the TLV data, and can be directly flashed to test the
  upgrade procedure.

- we use a function for signing the application as future-proofing
  for when other components must be signed as well

- this includes an update to single image applications that enables
  support for partition manager; when single image DFU is used, a
  scratch partition is not needed.

- In NCS, image 1 primary slot is the upgrade bank for mcuboot (IE S0 or
  S1 depending on the active slot). It is not required that this slot
  contains any valid data.

- The nRF boards all have a single flash page size, and partition
  manager deals with the size of the update partitions and so on, so we
  must skip a boot_slots_compatible() check to avoid getting an error.

- There is no need to verify the target when using partition manager.

- We lock mcuboot using fprotect before jumping, to enable the secure
  boot property of the system.

- Call fw_info_ext_api_provide() before booting if EXT_API_PROVIDE
  EXT_API is enabled. This is relevant only when the immutable
  bootloader has booted mcuboot.

Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Signed-off-by: Sigvart Hovland <sigvart.m@gmail.com>
Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no>
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Signed-off-by: Andrzej Głąbek <andrzej.glabek@nordicsemi.no>
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Signed-off-by: Emil Obalski <emil.obalski@nordicsemi.no>
Signed-off-by: Pawel Dunaj <pawel.dunaj@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Signed-off-by: Johann Fischer <johann.fischer@nordicsemi.no>
Signed-off-by: Vidar Berg <vidar.berg@nordicsemi.no>
Signed-off-by: Draus, Sebastian <sebastian.draus@nordicsemi.no>
Signed-off-by: Trond Einar Snekvik <Trond.Einar.Snekvik@nordicsemi.no>
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit 9554013)
ahasztag and others added 23 commits August 18, 2025 08:54
…late

This commit fixes the issue occurring when the maximum number of
security counter updates has been reached.

This fact was only detected after a permanent update already
happened - the updated firmware was unable to boot, as it
failed when trying to update the security counter after
the permanent swap.

This commit adds the check if the security counter can be
updated (i.e. free security counter slots are still available)
before the swap is performed, fixing the issue.

Signed-off-by: Artur Hadasz <artur.hadasz@nordicsemi.no>
(cherry picked from commit fe8f9fc)
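The failure mode described in the commit above (swap first, discover afterwards that the hardware counter cannot be incremented, and end up with firmware that cannot boot) and the fix (check counter headroom before the swap) are shown below in an added example. It is a model written for this page, not MCUboot code: the security counter is represented as a small set of write-once slots, which is an assumption about the hardware, and the counter value carried by the candidate image is passed in directly instead of being read from a TLV.

```python
"""Model of a limited-write security counter and a pre-swap headroom check.
Example code; the slot-based counter is an assumed hardware model."""
from enum import Enum


class SwapDecision(Enum):
    PROCEED = "proceed"
    REJECT_DOWNGRADE = "reject: candidate counter below stored value"
    REJECT_COUNTER_EXHAUSTED = "reject: no free security counter slot"


class SecurityCounter:
    """Monotonic counter backed by write-once slots (OTP-style model).
    Each update burns one slot; the current value is the last slot written."""

    def __init__(self, slot_count: int):
        self.slots = [None] * slot_count

    def value(self) -> int:
        written = [v for v in self.slots if v is not None]
        return written[-1] if written else 0

    def free_slots(self) -> int:
        return self.slots.count(None)

    def can_update(self, new_value: int) -> bool:
        # Monotonic: only a strictly larger value, and only if a slot remains.
        return new_value > self.value() and self.free_slots() > 0

    def update(self, new_value: int) -> None:
        if not self.can_update(new_value):
            raise RuntimeError("security counter update not possible")
        self.slots[self.slots.index(None)] = new_value


def check_before_swap(counter: SecurityCounter, candidate_counter: int) -> SwapDecision:
    """Decide whether a permanent swap may start.
    The candidate's counter must not be below the stored value (downgrade),
    and if it is above it, the hardware counter must still have a free slot,
    otherwise the post-swap update would fail and leave an unbootable image."""
    if candidate_counter < counter.value():
        return SwapDecision.REJECT_DOWNGRADE
    if candidate_counter > counter.value() and not counter.can_update(candidate_counter):
        return SwapDecision.REJECT_COUNTER_EXHAUSTED
    return SwapDecision.PROCEED


def permanent_swap(counter: SecurityCounter, candidate_counter: int,
                   check_first: bool) -> str:
    """Simulate a permanent upgrade. Returns which image ends up bootable:
    'old' (swap refused), 'new' (swap and counter update succeeded) or
    'none' (swap done, counter update failed: the pre-fix failure mode)."""
    if check_first and check_before_swap(counter, candidate_counter) is not SwapDecision.PROCEED:
        return "old"
    # The swap itself happens here and is irreversible for a permanent upgrade.
    if candidate_counter > counter.value():
        try:
            counter.update(candidate_counter)
        except RuntimeError:
            return "none"
    return "new"
```

With `check_first=True` an exhausted counter rejects the candidate and the device keeps running the old image; with `check_first=False` the same candidate is swapped in and then fails the counter update, which is the situation the commit fixes. A candidate whose counter equals the stored value needs no update and is allowed through even when no slots remain.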
This commit sets the
MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_LIMITED
by default for platforms which support the security
counter.

Signed-off-by: Artur Hadasz <artur.hadasz@nordicsemi.no>
This commit introduces fix for PureEdDSA signature verification
when the flash base address is not 0x0. The issue was that the
flash base address was not taken into account when passing the
image address to the signature verification function.

Upstream PR #: 2414

Signed-off-by: Michal Kozikowski <michal.kozikowski@nordicsemi.no>
FLASH_DEVICE_ID was incorrectly set to spi related flash id
instead of SoC related.

Upstream PR #: 2414

Signed-off-by: Michal Kozikowski <michal.kozikowski@nordicsemi.no>
Modified code to correctly generate the TLV for AES256

Signed-off-by: Artur Hadasz <artur.hadasz@nordicsemi.no>
(cherry picked from commit a5c48f3)
This commit adds the parts in the tooling allowing
AES256 to work with MCUBoot in zephyr.
Currently only in combination with PSA + ED25519

Signed-off-by: Artur Hadasz <artur.hadasz@nordicsemi.no>
(cherry picked from commit 268968f)
nrf-squash! [nrf noup] zephyr: Clean up non-secure RAM if enabled

This leads to stack corruption.

Signed-off-by: Mateusz Michalek <mateusz.michalek@nordicsemi.no>
nrf-squash! [nrf noup] boot: zephyr: Add bm firmware loader code

Delays checking IO button state by 5us after pull-up has been
applied to allow time for it to be applied

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This reverts commit 8d31ad7.

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This reverts commit 50e1caa.

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Adds a boot banner which shows as MCUboot

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
(cherry picked from commit 4b3d6ab)
Allows GPIO entrance mode when bare metal is used, this is needed
because the zephyr GPIO drivers are not used, therefore the Kconfig
will not be enabled

Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Disables read, write and execute on MCUboot's NVM
at the end of execution.

Signed-off-by: Mateusz Michalek <mateusz.michalek@nordicsemi.no>
Adding DK default configuration and fixing PDK configuration.

Signed-off-by: Mateusz Michalek <mateusz.michalek@nordicsemi.no>
Add a bootloader hook to alter the logic of the active slot selection in
Direct XIP modes.

Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no>
(cherry picked from commit 7c4ec9a)
Add a Kconfig option to enable a bootloader hook to alter
the logic of the active slot selection in Direct XIP modes.

Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no>
(cherry picked from commit d5f84b4)
Add a capability inside the Zephyr bootloader to handle memory-based
bootloader requests to:
 - Boot recovery firmware
 - Boot firmware loader
 - Confirm an image
 - Set the slot preference

Ref: NCSDK-34429

Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no>
memset was incorrectly given the pointer size, instead of the object size.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
(cherry picked from commit aa22913)
This reverts commit 54f2129.

nrf-squash! [nrf noup] zephyr: add 'minimal' configuration files

The minimal configuration is now deprecated:
- it is not minimal configuration anymore
- built image cannot fit into flash memory
- smp_svr_mini_boot sample is a new reference for minimal config

Signed-off-by: Adam Szczygieł <adam.szczygiel@nordicsemi.no>
This configuration was not supported until now.

Signed-off-by: Artur Hadasz <artur.hadasz@nordicsemi.no>
(cherry picked from commit e375252)
nrf-squash! [nrf noup] bootloader: Add bootloader requests

Improve logic that handles sending bootloader requests as a result of
issuing the MCUmgr commands.

Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no>
This commit introduces support for ed25519 signature verification when
CONFIG_NCS_BOOT_SIGNATURE_USING_ITS is set (through PSA API).

Signed-off-by: Michal Kozikowski <artur.hadasz@nordicsemi.no>
Enable the CONFIG_MCUBOOT_CLEANUP_RAM by default to improve security
of the default configuration.

Upstream PR #: 2451

Signed-off-by: Marek Pieta <Marek.Pieta@nordicsemi.no>
@MarekPieta
Contributor Author

PR opened to validate the new default in the nRF Connect SDK
