synchronized up to the mcu-tool/mcuboot 4eca54f

Synchronized to:
mcu-tools/mcuboot@4eca54f

- added precise check of the image size
- loader: Added post copy hook to swap function
- added Kconfig option for setting swap using move as default swap algorithm
- zephyr: fixed ram loading for ARM, with correct handling of vector table when code has moved to RAM.

- imgtool: add option to export public PEM

merged using GitHub web gui.

Signed-off-by: Andrzej Puzdrowski <[email protected]>

Author: nvlsianpu

boot/boot_serial/src/boot_serial.c

@@ -21,6 +21,7 @@
 #include <inttypes.h>
 #include <ctype.h>
 #include <stdio.h>
+#include <errno.h>
 
 #include "sysflash/sysflash.h"
 
@@ -32,6 +33,7 @@
 #include <zephyr/sys/byteorder.h>
 #include <zephyr/sys/__assert.h>
 #include <zephyr/drivers/flash.h>
+#include <zephyr/kernel.h>
 #include <zephyr/sys/crc.h>
 #include <zephyr/sys/base64.h>
 #include <hal/hal_flash.h>

boot/bootutil/src/bootutil_misc.c

@@ -387,3 +387,27 @@ boot_write_enc_key(const struct flash_area *fap, uint8_t slot,
     return 0;
 }
 #endif
+
+uint32_t bootutil_max_image_size(const struct flash_area *fap)
+{
+#if defined(MCUBOOT_SWAP_USING_SCRATCH)
+    return boot_status_off(fap);
+#elif defined(MCUBOOT_SWAP_USING_MOVE)
+    struct flash_sector sector;
+    /* get the last sector offset */
+    int rc = flash_area_sector_from_off(boot_status_off(fap), &sector);
+    if (rc) {
+        BOOT_LOG_ERR("Unable to determine flash sector of the image trailer");
+        return 0; /* Returning of zero here should cause any check which uses
+                   * this value to fail.
+                   */
+    }
+    return flash_sector_get_off(&sector);
+#elif defined(MCUBOOT_OVERWRITE_ONLY)
+    return boot_swap_info_off(fap);
+#elif defined(MCUBOOT_DIRECT_XIP)
+    return boot_swap_info_off(fap);
+#elif defined(MCUBOOT_RAM_LOAD)
+    return boot_swap_info_off(fap);
+#endif
+}

boot/bootutil/src/bootutil_priv.h

@@ -463,6 +463,8 @@ struct bootsim_ram_info *bootsim_get_ram_info(void);
     (flash_area_read((fap), (start), (output), (size)))
 #endif /* MCUBOOT_RAM_LOAD */
 
+uint32_t bootutil_max_image_size(const struct flash_area *fap);
+
 #ifdef __cplusplus
 }
 #endif

boot/bootutil/src/image_validate.c

@@ -268,7 +268,6 @@ bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len)
 #endif /* !MCUBOOT_HW_KEY */
 #endif
 
-#ifdef MCUBOOT_HW_ROLLBACK_PROT
 /**
  * Reads the value of an image's security counter.
  *
@@ -328,7 +327,6 @@ bootutil_get_img_security_cnt(struct image_header *hdr,
 
     return 0;
 }
-#endif /* MCUBOOT_HW_ROLLBACK_PROT */
 
 /*
  * Verify the integrity of the image.
@@ -378,6 +376,11 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
         goto out;
     }
 
+    if (it.tlv_end > bootutil_max_image_size(fap)) {
+        rc = -1;
+        goto out;
+    }
+
     /*
      * Traverse through all of the TLVs, performing any checks we know
      * and are able to do.

boot/bootutil/src/loader.c

@@ -616,7 +616,7 @@ boot_check_header_erased(struct boot_loader_state *state, int slot)
 #if (BOOT_IMAGE_NUMBER > 1) || \
     defined(MCUBOOT_DIRECT_XIP) || \
     defined(MCUBOOT_RAM_LOAD) || \
-    (defined(MCUBOOT_OVERWRITE_ONLY) && defined(MCUBOOT_DOWNGRADE_PREVENTION))
+    defined(MCUBOOT_DOWNGRADE_PREVENTION)
 /**
  * Compare image version numbers not including the build number
  *
@@ -1332,6 +1332,8 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs)
                      boot_status_fails);
     }
 #endif
+    rc = BOOT_HOOK_CALL(boot_copy_region_post_hook, 0, BOOT_CURR_IMG(state),
+                        BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT), size);
 
     return 0;
 }
@@ -1903,6 +1905,60 @@ boot_update_hw_rollback_protection(struct boot_loader_state *state)
 #endif
 }
 
+/**
+ * Checks test swap downgrade prevention conditions.
+ *
+ * Function called only for swap upgrades test run.  It may prevent
+ * swap if slot 1 image has <= version number or < security counter
+ *
+ * @param  state        Boot loader status information.
+ *
+ * @return              0 - image can be swapped, -1 downgrade prevention
+ */
+static int
+check_downgrade_prevention(struct boot_loader_state *state)
+{
+#if defined(MCUBOOT_DOWNGRADE_PREVENTION) && \
+    (defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_SCRATCH))
+    uint32_t security_counter[2];
+    int rc;
+
+    if (MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER) {
+        /* If there was security no counter in slot 0, allow swap */
+        rc = bootutil_get_img_security_cnt(&(BOOT_IMG(state, 0).hdr),
+                                           BOOT_IMG(state, 0).area,
+                                           &security_counter[0]);
+        if (rc != 0) {
+            return 0;
+        }
+        /* If there is no security counter in slot 1, or it's lower than
+         * that of slot 0, prevent downgrade */
+        rc = bootutil_get_img_security_cnt(&(BOOT_IMG(state, 1).hdr),
+                                           BOOT_IMG(state, 1).area,
+                                           &security_counter[1]);
+        if (rc != 0 || security_counter[0] > security_counter[1]) {
+            rc = -1;
+        }
+    }
+    else {
+        rc = boot_version_cmp(&boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver,
+                              &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver);
+    }
+    if (rc < 0) {
+        /* Image in slot 0 prevents downgrade, delete image in slot 1 */
+        BOOT_LOG_INF("Image in slot 1 erased due to downgrade prevention");
+        flash_area_erase(BOOT_IMG(state, 1).area, 0,
+                         flash_area_get_size(BOOT_IMG(state, 1).area));
+    } else {
+        rc = 0;
+    }
+    return rc;
+#else
+    (void)state;
+    return 0;
+#endif
+}
+
 fih_int
 context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
 {
@@ -2031,7 +2087,13 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
         case BOOT_SWAP_TYPE_NONE:
             break;
 
-        case BOOT_SWAP_TYPE_TEST:          /* fallthrough */
+        case BOOT_SWAP_TYPE_TEST:
+            if (check_downgrade_prevention(state) != 0) {
+                /* Downgrade prevented */
+                BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_NONE;
+                break;
+            }
+            /* fallthrough */
         case BOOT_SWAP_TYPE_PERM:          /* fallthrough */
         case BOOT_SWAP_TYPE_REVERT:
             rc = BOOT_HOOK_CALL(boot_perform_update_hook, BOOT_HOOK_REGULAR,

boot/espressif/CMakeLists.txt

@@ -213,7 +213,6 @@ set(port_srcs
     ${CMAKE_CURRENT_LIST_DIR}/port/esp_mcuboot.c
     ${CMAKE_CURRENT_LIST_DIR}/port/esp_loader.c
     ${CMAKE_CURRENT_LIST_DIR}/os.c
-    ${CMAKE_CURRENT_LIST_DIR}/serial_adapter.c
     )
 
 if(CONFIG_ESP_MCUBOOT_SERIAL)
@@ -227,7 +226,7 @@ if(CONFIG_ESP_MCUBOOT_SERIAL)
         ${BOOT_SERIAL_DIR}/src/zcbor_common.c
         )
     list(APPEND port_srcs
-        ${CMAKE_CURRENT_LIST_DIR}/serial_adapter.c
+        ${CMAKE_CURRENT_LIST_DIR}/port/${MCUBOOT_TARGET}/serial_adapter.c
         ${MBEDTLS_DIR}/library/base64.c
         )
     list(APPEND CRYPTO_INC
@@ -247,6 +246,7 @@ target_include_directories(
     ${APP_EXECUTABLE}
     PUBLIC
     ${BOOTUTIL_DIR}/include
+    ${BOOTUTIL_DIR}/src
     ${BOOT_SERIAL_DIR}/include
     ${CRYPTO_INC}
     ${CMAKE_CURRENT_LIST_DIR}/include

boot/espressif/hal/CMakeLists.txt

@@ -41,6 +41,7 @@ list(APPEND include_dirs
     ${esp_idf_dir}/components/efuse/${MCUBOOT_TARGET}/include
     ${esp_idf_dir}/components/efuse/private_include
     ${esp_idf_dir}/components/efuse/${MCUBOOT_TARGET}/private_include
+    ${esp_idf_dir}/components/esp_system/include
     ${esp_idf_dir}/components/newlib/platform_include
     )
 

boot/espressif/hal/include/mcuboot_config/mcuboot_config.h

@@ -143,6 +143,18 @@
 #define CONFIG_MCUBOOT_SERIAL
 #endif
 
+/*
+ * When a serial recovery process is receiving the image data, this option
+ * enables it to erase flash progressively (by sectors) instead of the
+ * default behavior that is erasing whole image size of flash area after
+ * receiving first frame.
+ * Enabling this options prevents stalling the beginning of transfer
+ * for the time needed to erase large chunk of flash.
+ */
+#ifdef CONFIG_ESP_MCUBOOT_ERASE_PROGRESSIVELY
+#define MCUBOOT_ERASE_PROGRESSIVELY
+#endif
+
 /* Serial extensions are not implemented
  */
 #define MCUBOOT_PERUSER_MGMT_GROUP_ENABLED 0

boot/espressif/hal/src/esp32c3/bootloader_init.c

@@ -19,6 +19,7 @@
 
 #include "bootloader_init.h"
 #include "bootloader_common.h"
+#include "bootloader_console.h"
 #include "bootloader_clock.h"
 #include "bootloader_flash_config.h"
 #include "bootloader_mem.h"
@@ -31,6 +32,10 @@
 #include "soc/efuse_reg.h"
 #include "soc/rtc.h"
 
+#include "hal/gpio_hal.h"
+#include <hal/gpio_ll.h>
+#include <hal/uart_ll.h>
+
 #include "esp32c3/rom/cache.h"
 #include "esp32c3/rom/spi_flash.h"
 
@@ -39,6 +44,12 @@
 
 extern esp_image_header_t WORD_ALIGNED_ATTR bootloader_image_hdr;
 
+#if CONFIG_ESP_CONSOLE_UART_CUSTOM
+static uart_dev_t *alt_console_uart_dev = (CONFIG_ESP_CONSOLE_UART_NUM == 0) ?
+                                          &UART0 :
+                                          &UART1;
+#endif
+
 void IRAM_ATTR bootloader_configure_spi_pins(int drv)
 {
     const uint32_t spiconfig = esp_rom_efuse_get_flash_gpio_info();
@@ -161,15 +172,13 @@ static void bootloader_super_wdt_auto_feed(void)
     REG_WRITE(RTC_CNTL_SWD_WPROTECT_REG, 0);
 }
 
-static void bootloader_init_uart_console(void)
+#if CONFIG_ESP_CONSOLE_UART_CUSTOM
+void IRAM_ATTR esp_rom_uart_putc(char c)
 {
-    const int uart_num = 0;
-
-    esp_rom_install_uart_printf();
-    esp_rom_uart_tx_wait_idle(0);
-    uint32_t clock_hz = UART_CLK_FREQ_ROM;
-    esp_rom_uart_set_clock_baudrate(uart_num, clock_hz, CONFIG_ESP_CONSOLE_UART_BAUDRATE);
+    while (uart_ll_get_txfifo_len(alt_console_uart_dev) == 0);
+    uart_ll_write_txfifo(alt_console_uart_dev, (const uint8_t *) &c, 1);
 }
+#endif
 
 esp_err_t bootloader_init(void)
 {
@@ -190,7 +199,7 @@ esp_err_t bootloader_init(void)
     // config clock
     bootloader_clock_configure();
     /* initialize uart console, from now on, we can use ets_printf */
-    bootloader_init_uart_console();
+    bootloader_console_init();
     // update flash ID
     bootloader_flash_update_id();
     // read bootloader header

boot/espressif/include/flash_map_backend/flash_map_backend.h

@@ -77,6 +77,9 @@ uint8_t flash_area_erased_val(const struct flash_area *area);
 int flash_area_get_sectors(int fa_id, uint32_t *count,
                            struct flash_sector *sectors);
 
+//! Retrieve the flash sector a given offset belongs to.
+int flash_area_sector_from_off(uint32_t off, struct flash_sector *sector);
+
 //! Returns the `fa_id` for slot, where slot is 0 (primary) or 1 (secondary).
 //!
 //! `image_index` (0 or 1) is the index of the image. Image index is