Upmerge 08.08.2025 #513
- Indicate that swap-using-offset is preferred over swap-using-move. Reference: mcu-tools/mcuboot#2162 (comment)
- Indicate that swap-using-scratch may be removed in the coming future. Reference: mcu-tools/mcuboot#2162 (comment)
Signed-off-by: Diego Herranz <[email protected]>
This commit fixes the issue occurring when the maximum amount of security counter updates has been reached. This fact was only detected after a permanent update already happened - the updated firmware was unable to boot, as it failed when trying to update the security counter after the permanent swap. This commit adds the check if the security counter can be updated (i.e. free security counter slots are still available) before the swap is performed, fixing the issue. Signed-off-by: Artur Hadasz <[email protected]>
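As an added illustration of the ordering problem this commit describes (not code from the commit or from MCUboot), the following C model uses a constructed OTP-style counter with four slots and contrasts bumping the counter after the swap with checking for a free slot first; all names are hypothetical.

```c
/* Added model, not MCUboot code: OTP security counter with fixed slots. */
#include <stdbool.h>
#include <string.h>

#define SEC_CNT_SLOTS 4   /* constructed: number of OTP counter slots */
struct sec_counter { unsigned char used[SEC_CNT_SLOTS]; };  /* 1 = burned */

/* Counter value = number of burned slots; it can never exceed SEC_CNT_SLOTS. */
static int sec_counter_get(const struct sec_counter *c)
{
    int n = 0;
    for (int i = 0; i < SEC_CNT_SLOTS; i++) n += c->used[i];
    return n;
}

/* True when raising the counter to 'target' is possible, or not needed. */
static bool sec_counter_can_update(const struct sec_counter *c, int target)
{
    return target <= sec_counter_get(c) || target <= SEC_CNT_SLOTS;
}

/* Burns slots up to 'target'. Fails when no slot is left for it. */
static bool sec_counter_update(struct sec_counter *c, int target)
{
    if (!sec_counter_can_update(c, target)) return false;
    for (int i = sec_counter_get(c); i < target; i++) c->used[i] = 1;
    return true;
}

/* Fixed order: check for a free slot before the permanent swap; when the
 * check fails the running image is left untouched and still boots. */
static bool update_check_then_swap(struct sec_counter *c, int img_cnt)
{
    if (!sec_counter_can_update(c, img_cnt)) return true;  /* swap refused */
    return sec_counter_update(c, img_cnt);                 /* swap, then bump */
}

/* Commit-message scenario: all slots burned, incoming image wants a higher
 * counter. Old order = swap first, then sec_counter_update(), whose failure
 * leaves the new image unbootable. Returns 1 if bootable, 0 if bricked. */
static int scenario_counter_exhausted(bool check_first)
{
    struct sec_counter c;
    memset(c.used, 1, sizeof(c.used));
    bool bootable = check_first ? update_check_then_swap(&c, SEC_CNT_SLOTS + 1)
                                : sec_counter_update(&c, SEC_CNT_SLOTS + 1);
    return bootable ? 1 : 0;
}
```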
de-nordic left a comment:
This "[nrf noup] boot: Use NCS_ prefix for sdk-nrf specific Kconfigs" should be squashed into this: "[nrf noup] Added BOOT_SIGNATURE_USING_ITS for ecdsa configuration"
And this one: "[nrf noup] boot: Use NCS_ prefix for sdk-nrf specific Kconfigs" should be squashed into this one: "[nrf noup] boot: Add retry for image verification"
I was not really planning to do rebasing like this in the upmerge. We have a script that helps to solve cherry-pick conflicts but it does not support rebasing work. So I would need to do a manual squash of these every time a new upmerge "run" is done. I can try to manually squash these just before the PR is ready to be merged if possible.
mcu-tools/mcuboot#2433 needs bringing in or anything with swap using offset (the new default) will fail
mcu-tools/mcuboot#2420 seems to have been removed too (maybe use latest commit, above PR is still open so would need adding on top)
```kconfig
endchoice

config BOOT_BYPASS_KEY_MATCH
```
@Vge0rge line 74 has changed but doesn't show in PR, can you check it's ok, now is:
```kconfig
config BOOT_PSA_IMG_HASH_ALG_SHA256_DEPENDENCIES
	bool
	default y if BOOT_SOMETHING_USES_SHA256
	select PSA_WANT_ALG_SHA_256 if !PSA_CORE_LITE
	help
	  Dependencies for hashing with SHA256
```
Fixes an issue whereby the pure check did not set an offset to search for the TLVs Signed-off-by: Jamie McCrae <[email protected]>
The slots definitions (BOOT_PRIMARY_SLOT, BOOT_SECONDARY_SLOT) were defined in bootutil_priv.h, which made them unusable for bootloader requests. This commit moves them to bootutil_public.h Signed-off-by: Artur Hadasz <[email protected]>
Removing direct inclusion of mbedtls headers. bootutil has already abstracted away mbedtls APIs. Signed-off-by: Gowri Ramshankar <[email protected]>
Move the Virtual eFuse offset in flash configuration from hardcoded value in sdkconfig.h to the .conf file. Signed-off-by: Almir Okato <[email protected]>
Branch force-pushed from 86e2d26 to 35157e4.
Add a possibility to express vendor ID and image class ID inside image's TLVs. Signed-off-by: Tomasz Chyrowicz <[email protected]>
Allow to specify VID and CID for an image. Signed-off-by: Tomasz Chyrowicz <[email protected]>
```c
static inline int
bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len)
{
    (void)image_index;
    (void)key;
    (void)key_len;

    /* There is only one key, so it always matches */
    return 0;
}
```
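Review bot: the `static inline int bootutil_find_key(...)` definition here collides with the non-static declaration of the same function that upstream now exports from the header, so this translation unit gets two incompatible declarations; drop the `static inline` qualifier so the definition matches the prototype (the `(void)` casts and `return 0` can stay), and since the body reports a match for every `image_index`, keep the "only one key" comment as the stated precondition of the single-key configuration this stub is compiled for.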
This is fallout of the upstream refactoring. They have made the bootutil_find_key a public api function so now the declaration in the header and this local definition are colliding.
static inline should be removed from the definition.
boot/bootutil/src/image_validate.c (outdated)
```c
#if !defined(MCUBOOT_BYPASS_KEY_MATCH)
/* Find functions are only needed when key is checked first */
```
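Review bot: the `#if !defined(MCUBOOT_BYPASS_KEY_MATCH)` that opens this block has no matching `#endif` in the visible lines; please confirm it is closed directly after the find functions, and that every caller of those functions sits under the same guard, otherwise a build with MCUBOOT_BYPASS_KEY_MATCH defined fails to compile or link.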
new #if added but no #endif?
35157e4 is not marked as [nrf noup]
Added SHA512 to the list of supported algorithms for ECDSA256P1. Signed-off-by: Lukasz Fundakowski <[email protected]>
Function was incorrectly filling sector data when offset was set to the beginning of the sector. It returned previous sector instead of correct one. Signed-off-by: Jerzy Kasenberg <[email protected]>
Fixes a wrong definition which creates a static inline function which does not match the prototype and also in a file where said function is not used at all Signed-off-by: Jamie McCrae <[email protected]>
Adds a new Kconfig CONFIG_BOOT_SIGNATURE_KMU_SLOTS which allows specifying how many KMU key IDs are supported, the default is set to 1 instead of 3 which was set before NCSDK-30743 Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 83d1d95)
Disable previous generation key when update comes with new valid key and application is confirmed. Signed-off-by: Mateusz Michalek <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 51b0897)
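An added model of the key-generation rule above, not NCS or MCUboot code: a constructed store of three key generations, where a boot verified with a newer key disables the older generations only once the application is confirmed; all names are hypothetical.

```c
/* Added model, not NCS/MCUboot code: signature-key generations in a KMU-like
 * store, where older generations are disabled only after a confirmed boot. */
#include <stdbool.h>

#define KEY_GENS 3   /* constructed: number of key generations (slots) */

struct key_store { bool enabled[KEY_GENS]; };

/* signed_by[i] stands in for "the image signature verified with key i". */
static int find_signing_gen(const struct key_store *ks, const bool signed_by[KEY_GENS])
{
    for (int i = 0; i < KEY_GENS; i++)
        if (ks->enabled[i] && signed_by[i]) return i;
    return -1;   /* no enabled key matched: image is rejected */
}

/* Disables every generation older than 'gen'; returns how many were disabled. */
static int revoke_older_gens(struct key_store *ks, int gen)
{
    int n = 0;
    for (int i = 0; i < gen; i++)
        if (ks->enabled[i]) { ks->enabled[i] = false; n++; }
    return n;
}

/* Boot-time policy from the commit message: revoke older keys only when the
 * image verified with a newer key AND the application has been confirmed.
 * Returns -1 on verification failure, else the number of keys revoked. */
static int boot_key_policy(struct key_store *ks, const bool signed_by[KEY_GENS], bool app_confirmed)
{
    int gen = find_signing_gen(ks, signed_by);
    if (gen < 0) return -1;
    if (!app_confirmed) return 0;   /* test boot: old key stays usable for a revert */
    return revoke_older_gens(ks, gen);
}

/* Walk-through: a gen-1 image boots unconfirmed, then confirmed; afterwards an
 * image signed only with gen 0 is refused. Returns 0 on success, else the step. */
static int scenario_key_rotation(void)
{
    struct key_store ks = {{true, true, true}};
    const bool by_gen1[KEY_GENS] = {false, true, false};
    const bool by_gen0[KEY_GENS] = {true, false, false};
    if (boot_key_policy(&ks, by_gen1, false) != 0 || !ks.enabled[0]) return 1;
    if (boot_key_policy(&ks, by_gen1, true) != 1 || ks.enabled[0]) return 2;
    if (boot_key_policy(&ks, by_gen0, true) != -1) return 3;
    return 0;
}
```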
This configuration has the purpose of using keys provisioned to the internal trusted storage (ITS). It makes use of the already existing parts of code for MCUBOOT_BUILTIN_KEY Signed-off-by: Artur Hadasz <[email protected]> (cherry picked from commit 7ed4927)
nrf-squash! [nrf noup] Added BOOT_SIGNATURE_USING_ITS for ecdsa configuration Replace NRF_BOOT_SIGNATURE_USING_ITS with NCS_BOOT_SIGNATURE_USING_ITS prefix. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit a4bae13)
This commit introduces support for ed25519 signature verification when CONFIG_NCS_BOOT_SIGNATURE_USING_ITS is set (through PSA API). Signed-off-by: Michal Kozikowski <[email protected]> (cherry picked from commit 227eb0a)
Provide an implementation for MCUboot UUID checks that specify a single, common vendor identifier and a unique class identifier for each image. Ref: NCSDK-34175 Signed-off-by: Tomasz Chyrowicz <[email protected]> (cherry picked from commit 25f4981)
nrf-squash! [nrf noup] boot: Improve bootloader request handling Setting "test" for image was failing when using bootloader requests due to an incorrect value being returned from send_boot_request. Signed-off-by: Artur Hadasz <[email protected]> (cherry picked from commit 7b333ff)
nrf-squash! [nrf noup] bootloader: Add bootloader requests boot_request_retention.c could not be built if logs were disabled. Signed-off-by: Artur Hadasz <[email protected]> (cherry picked from commit 26d9f6e)
Lock KMU keys before passing execution to application. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit b6b46a7)
Applications need special support in the bootloader in order to resume from suspend to RAM. MCUboot is an immediate actor which redirects execution to the application (application reset vector) when wake-up from S2RAM is detected. Detection is based on HW (NRF_RESETINFO) and hardened using an additional check over an independent source of truth (variable with magic value). Thanks to the above, the application is resuming using its routines - instead of mocking that by routines compiled in by the MCUboot. Implementation is able to support only MCUboot modes with a swap. Direct-XIP is not handled as it requires a way of run-time recognition of the active application slot. Signed-off-by: Karol Lasończyk <[email protected]> Signed-off-by: Tomasz Chyrowicz <[email protected]> Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit b26db4d)
Added configuration which pre-configures MCUboot so it is able to support operation of resuming the App from S2RAM by the application itself. Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit c390295)
Previously reopening of PR did not reopen manifest PR. This commit will enable reopening of manifest PR in such case. Signed-off-by: Kari Hamalainen <[email protected]> (cherry picked from commit d0796dc)
nrf-squash! [nrf noup] bootutil: Add support for KMU stored ED25519 signature key It is now only provided by bootutil_find_key.c. Signed-off-by: Dominik Ermel <[email protected]>
nrf-squash! [nrf noup] loader: Add firmware version check downgrade prevention The commit replaces BOOT_PRIMARY_SLOT and BOOT_SECONDARY_SLOT with BOOT_SLOT_PRIMARY and BOOT_SLOT_SECONDARY respectively. Signed-off-by: Dominik Ermel <[email protected]>
fixup! [nrf noup] boot: bootutil: loader: Add s0/s1 checking of MCUboot image The commit replaces BOOT_PRIMARY_SLOT and BOOT_SECONDARY_SLOT with BOOT_SLOT_PRIMARY and BOOT_SLOT_SECONDARY respectively. Signed-off-by: Dominik Ermel <[email protected]>
nrf-squash! [nrf noup] loader: Do not check reset vector for XIP image The commit replaces BOOT_PRIMARY_SLOT and BOOT_SECONDARY_SLOT with BOOT_SLOT_PRIMARY and BOOT_SLOT_SECONDARY respectively. Signed-off-by: Dominik Ermel <[email protected]>
nrf-squash! [nrf noup] loader: introduced cleanup of unusable secondary slot The commit replaces BOOT_PRIMARY_SLOT and BOOT_SECONDARY_SLOT with BOOT_SLOT_PRIMARY and BOOT_SLOT_SECONDARY respectively. Signed-off-by: Dominik Ermel <[email protected]>
nrf-squash! [nrf noup] boot: nrf53-specific customizations The commit replaces BOOT_PRIMARY_SLOT and BOOT_SECONDARY_SLOT with BOOT_SLOT_PRIMARY and BOOT_SLOT_SECONDARY respectively. Signed-off-by: Dominik Ermel <[email protected]>
nrf-squash! [nrf noup] loader: Fix reading reset addr to support ext flash The commit replaces BOOT_PRIMARY_SLOT and BOOT_SECONDARY_SLOT with BOOT_SLOT_PRIMARY and BOOT_SLOT_SECONDARY respectively. Signed-off-by: Dominik Ermel <[email protected]>
nrf-squash! [nrf noup] boot: Add support for NSIB and multi-image The commit replaces BOOT_PRIMARY_SLOT and BOOT_SECONDARY_SLOT with BOOT_SLOT_PRIMARY and BOOT_SLOT_SECONDARY respectively. Signed-off-by: Dominik Ermel <[email protected]>
nrf-squash! [nrf noup] zephyr: Add support for compressed image updates The commit replaces BOOT_PRIMARY_SLOT and BOOT_SECONDARY_SLOT with BOOT_SLOT_PRIMARY and BOOT_SLOT_SECONDARY respectively. Signed-off-by: Dominik Ermel <[email protected]>
nrf-squash! [nrf noup] treewide: add NCS partition manager support The commit replaces BOOT_PRIMARY_SLOT and BOOT_SECONDARY_SLOT with BOOT_SLOT_PRIMARY and BOOT_SLOT_SECONDARY respectively. Signed-off-by: Dominik Ermel <[email protected]>
nrf-squash! [nrf noup] treewide: Add support for sysbuild assigned images The commit replaces BOOT_PRIMARY_SLOT and BOOT_SECONDARY_SLOT with BOOT_SLOT_PRIMARY and BOOT_SLOT_SECONDARY respectively. Signed-off-by: Dominik Ermel <[email protected]>
There was one extra parameter when calling bootutil_img_validate() so remove it. Signed-off-by: Jukka Rissanen <[email protected]>
Prevents a deprecation warning from failing builds when the old USB stack is used for USB DFU or serial recovery modes Signed-off-by: Jamie McCrae <[email protected]>
nrf-squash! [nrf noup] treewide: add NCS partition manager support Fixes invalid checks for b0 that would wrongly skip checking if partition sizes were valid for the non-b0 updates when b0 updates were generally enabled, and ports the check to swap using offset also Signed-off-by: Jamie McCrae <[email protected]>
CONFIG_PM enables CONFIG_PM_DEVICE by default, this is not desired for MCUBOOT as PM_DEVICE requires multithreading Signed-off-by: Jukka Rissanen <[email protected]>
Branch force-pushed from fd08f30 to 33977e7.
Conflicting commits at the moment of creating the PR, please verify if conflicts were resolved correctly:
89361bd: [nrf noup] treewide: add NCS partition manager support
2cdbcb0: [nrf noup] boot: nrf53-specific customizations
1ec17e9: [nrf noup] loader: Do not check reset vector for XIP image
420ac79: [nrf noup] loader: Add firmware version check downgrade prevention
d5f373a: [nrf noup] boot: bootutil: loader: Add s0/s1 checking of MCUboot image
898b9bc: [nrf noup] zephyr: Add support for compressed image updates
a9e70e4: [nrf noup] boot: Add retry for image verification
26192ca: [nrf noup] bootutil: Add support for KMU stored ED25519 signature key
285fd59: [nrf noup] boot: zephyr: Disable self RWX
e1f2ab3: [nrf noup] bootloader: Add bootloader requests