boot: add DFU timeout and non-blocking CDC-ACM serial recover #544
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
adds TLV and Kconfig to decouple verification from other options. Signed-off-by: Mateusz Michalek <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 41df52e) (cherry picked from commit 756c5bf) (cherry picked from commit bf74f34)
The adds support for hashing image with SHA512, to allow SHA512-ED25519-SHA512 signature. To support above --sha parameter has been added that can take value: auto, 256, 384, 512 to select sha, where auto brings the default behaviour, or current, behaviour. The sha provided here is tested against key so not all combinations are supported. Upstream PR #: 2048 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 3a28585) (cherry picked from commit 9cb8f93)
…t_enc_decrypt To be able to implement encryption with API that requires different calls for encryption and encryption, the boot_encrypt needs to be replaced with encryption/decryption specific functions. Upstream PR #: 2017 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 18781c5) (cherry picked from commit a92ee3c)
Adds LZMA2 compression to imgtool. Python lzma library is unable to compress with proper parameters while using "ALONE" container, therefore 2 header bytes are calculated and added to payload by imgtool. Upstream PR #: 2038 Signed-off-by: Mateusz Michalek <[email protected]> (cherry picked from commit 237b8b9) (cherry picked from commit 2b70952)
…M load Fixes an issue when either of these modes is used with serial recovery slot info enabled Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit 30109df) (cherry picked from commit d44d7bc) (cherry picked from commit 5040256)
Fixes an issue whereby static buffers were changed into pointers, whereby they are then assumed to be the size of a pointer rather than the size of the actual buffers Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit 3a195f2) Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 22adc04) (cherry picked from commit 218c63d)
Adds LZMA2 compression to imgtool. Python lzma library is unable to compress with proper parameters while using "ALONE" container, therefore 2 header bytes are calculated and added to payload by imgtool. Signed-off-by: Mateusz Michalek <[email protected]> (cherry picked from commit 35c9291fcafafe8608722e0ec3c801178884f0ef) (cherry picked from commit 10f3dbe) (cherry picked from commit 3d346f7)
…tor size check Fixes an issue with compressed update support whereby it would wrong continue to check all sector sizes and error due to the sector sizes of the secondary slot being 0 until overflow Upstream PR #: 2085 Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit 8c814cb) (cherry picked from commit a46eb1e)
Adds ARM thumb filter to imgtool's LZMA2 compression. Upstream PR #: 2084 Signed-off-by: Mateusz Michalek <[email protected]> (cherry picked from commit 94212b4) (cherry picked from commit 10df2a3)
The SHA512_ALLOW Kconfig has been added to allow signature algorithms to select which SHA they support. Unfortunately it has been given dependency on PSA crypto, which now is problematic because if signature algorithm wants to indicate that it allows SHA512 it immediately becomes dependent on PSA crypto. The commit removes the dependency. Upstream PR #: 2088 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 7bfbd35) (cherry picked from commit af4e468)
fixing broken encryption caused by shift in function parameters. Upstream PR #: 2098 Signed-off-by: Mateusz Michalek <[email protected]> (cherry picked from commit 31f74eb) (cherry picked from commit 2b568d8)
Adds PureEdDSA signature support. The change includes implementation of SIG_PURE TLV that, when present, indicates the signature that is present is Pure type. Upstream PR #: 2063 Signed-off-by: Dominik Ermel <[email protected]> Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit 32a6e8c) (cherry picked from commit a5786cd)
Kept creating the field for external usage. Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit 29646ac) (cherry picked from commit 283fd06)
The commit adds SIG_PURE TLV that should be used as TLV indicating that the signature attached to image has been calculated over entire image, rather than digest of image. This is generic flag as the "pure" usage may be applied to, potentially, any signature algorithm. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 30bcd46) (cherry picked from commit 7e01086) (cherry picked from commit 3d2808d)
Use the generic commit-tags action to provide sauce tag checks. Signed-off-by: Carles Cufi <[email protected]> (cherry picked from commit 00f5860) (cherry picked from commit 6813bbb)
Removes the `add_subdirectory` of nrfxlib it will still check that the nrfxlib is located outside the mcuboot directory. Signed-off-by: Sigvart Hovland <[email protected]> Signed-off-by: Andrzej Puzdrowski <[email protected]> Signed-off-by: Martí Bolívar <[email protected]> Signed-off-by: Emil Obalski <[email protected]> Signed-off-by: Andrzej Puzdrowski <[email protected]> Signed-off-by: Håkon Øye Amundsen <[email protected]> Signed-off-by: Ioannis Glaropoulos <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]> Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 6bc65a9) (cherry picked from commit 7f05233)
Add prj_minimal.conf, a Kconfig fragment to be used for minimally sized image production. The minimal fragment has been simplified for only external crypto. Move partition sizing into Kconfig to be consistent with the method used by b0. Using this fragment with prj_minimal.conf makes MCUboot < 16kB for all nRF devices (9160 still needs 32kB partition). Ref: NCSDK-6704 Signed-off-by: Stephen Stauts <[email protected]> Signed-off-by: Martí Bolívar <[email protected]> Signed-off-by: Sebastian Bøe <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]> Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit bee9475) (cherry picked from commit 60c998f)
Adds project configurations for the two systems on the Thingy:91 (PCA-20035) board. The bootloader that is factory-programmed on thing91 does not support ECDSA signature type. Hence this commit also sets the signature type to RSA for applications built for Thingy:91. Signed-off-by: Bernt Johan Damslora <[email protected]> Signed-off-by: Sigvart Hovland <[email protected]> Signed-off-by: Jon Helge Nistad <[email protected]> Signed-off-by: Balaji Srinivasan <[email protected]> Signed-off-by: Robert Lubos <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]> Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Marek Pieta <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 49e2872) (cherry picked from commit 1e82a20)
The default value of CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT for nRF52 SOCs has been changed from 0 to 3, but it makes MCUBoot get stuck on erasing flash pages when swapping two images. Restore the previous value until the RTC issue is resolved (see NCSDK-14427) Signed-off-by: Damian Krolik <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]> Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 93bb567) (cherry picked from commit 4be7cf8)
This patch adds board configuration for the Thingy:91 X. Signed-off-by: Maximilian Deubel <[email protected]> (cherry picked from commit c473f8e) (cherry picked from commit 932db78)
Partition Manager is an nRF Connect SDK component which uses yaml files to resolve flash partition placement with a holistic view of the device. This component's MCUboot portions began life as upstream mcuboot PR#430. This added support for being built as a sub image from the downstream Nordic patch set for a zephyr multi image build system (mcuboot 430 was combined with effor submitted to upstream zephyr as PR#13672, which was ultimately reworked after being rejected for mainline at the ELCE 2019 conference in Lyon). It has since evolved over time. This is the version that will go into NCS v1.3. It features: - page size aligned partitions for all partitions used by mcuboot. - image swaps without scratch partitions Add support for configurations where there exists two primary slots but only one secondary slot, which is shared. These two primary slots are the regular application and B1. B1 can be either S0 or S1 depending on the state of the device. Decide where an upgrade should be stored by looking at the vector table. Provide update candidates for both s0 and s1. These candidates must be signed with mcuboot after being signed by b0. Additional notes: - we make update.hex without trailer data This is needed for serial recovery to work using hex files. Prior to this the update.hex got TLV data at the end of the partition, which caused many blank pages to be included, which made it hard to use in a serial recovery scheme. Instead, make update.hex without TLV data at the end, and provide a new file test_update.hex which contains the TLV data, and can be directly flashed to test the upgrade procedure. - we use a function for signing the application as future-proofing for when other components must be signed as well - this includes an update to single image applications that enables support for partition manager; when single image DFU is used, a scratch partition is not needed. - In NCS, image 1 primary slot is the upgrade bank for mcuboot (IE S0 or S1 depending on the active slot). It is not required that this slot contains any valid data. - The nRF boards all have a single flash page size, and partition manager deals with the size of the update partitions and so on, so we must skip a boot_slots_compatible() check to avoid getting an error. - There is no need to verify the target when using partition manager. - We lock mcuboot using fprotect before jumping, to enable the secure boot property of the system. - Call fw_info_ext_api_provide() before booting if EXT_API_PROVIDE EXT_API is enabled. This is relevant only when the immutable bootloader has booted mcuboot. Signed-off-by: Håkon Øye Amundsen <[email protected]> Signed-off-by: Øyvind Rønningstad <[email protected]> Signed-off-by: Sebastian Bøe <[email protected]> Signed-off-by: Sigvart Hovland <[email protected]> Signed-off-by: Martí Bolívar <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]> Signed-off-by: Andrzej Głąbek <[email protected]> Signed-off-by: Robert Lubos <[email protected]> Signed-off-by: Andrzej Puzdrowski <[email protected]> Signed-off-by: Emil Obalski <[email protected]> Signed-off-by: Pawel Dunaj <[email protected]> Signed-off-by: Ioannis Glaropoulos <[email protected]> Signed-off-by: Johann Fischer <[email protected]> Signed-off-by: Vidar Berg <[email protected]> Signed-off-by: Draus, Sebastian <[email protected]> Signed-off-by: Trond Einar Snekvik <[email protected]> Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Joakim Andersson <[email protected]> Signed-off-by: Georgios Vasilakis <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 6facec9) (cherry picked from commit c13d7b3)
- Add network core bootloader implementation Enables network core updates of nrf53 using MCUBoot by identifying images through their start addresses. Also implements the control and transfer using the PCD module. - Add support for multi image DFU using partition manager. - Add check for netcore addr if NSIB is enabled so netcore updates works - boot: zephyr: move thingy53_nrf5340_cpuapp.conf downstream Moved the board configuration for Thingy:53 Application Core to the nRF Connect SDK MCUboot downstream repository. The configuration file contains references to the Kconfig modules that are only available in the nRF Connect SDK. The current configuration is set up to work in the nRF Connect SDK environment and cannot be used upstream. - pm: enable ram flash partition using common flag This patch makes mcuboot_primary_1 ram-flash partition selectable using CONFIG_NRF53_MCUBOOT_PRIMARY_1_RAM_FLASH property. This is needed since CONFIG_NRF53_MULTI_IMAGE_UPDATE become not only configuration which requires that partition. - MCUBoot configures USB CDC by its own. There is no need for BOARD_SERIAL_BACKEND_CDC_ACM option to configure anything which is later overwritten anyway. Jira: NCSDK-18596 Signed-off-by: Andrzej Puzdrowski <[email protected]> Signed-off-by: Emil Obalski <[email protected]> Signed-off-by: Håkon Øye Amundsen <[email protected]> Signed-off-by: Ioannis Glaropoulos <[email protected]> Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Johann Fischer <[email protected]> Signed-off-by: Kamil Piszczek <[email protected]> Signed-off-by: Ole Sæther <[email protected]> Signed-off-by: Sigvart Hovland <[email protected]> Signed-off-by: Simon Iversen <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]> Signed-off-by: Trond Einar Snekvik <[email protected]> Signed-off-by: Mateusz Kapala <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 56934f9) (cherry picked from commit 33cf05d)
Do some cleanup of nRF peripherals. This is necessary since Zephyr doesn't have any driver deinitialization functionality, and we'd like to leave peripherals in a more predictable state before booting the Zephyr image. This should be re-worked when the zephyr driver model allows us to deinitialize devices cleanly before jumping to the chain-loaded image. Signed-off-by: Andrzej Puzdrowski <[email protected]> Signed-off-by: Robert Lubos <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]> Signed-off-by: Øyvind Rønningstad <[email protected]> Signed-off-by: Martí Bolívar <[email protected]> Signed-off-by: Håkon Øye Amundsen <[email protected]> Signed-off-by: Ioannis Glaropoulos <[email protected]> Signed-off-by: Johann Fischer <[email protected]> Signed-off-by: Trond Einar Snekvik <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]> Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 50c5cdb) (cherry picked from commit 0a3f9c7)
To ensure that MCUBoot does not leak keys or other material through memory to non-secure side we clear the memory before jumping to the next image. Signed-off-by: Sigvart Hovland <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> Signed-off-by: Ole Sæther <[email protected]> (cherry picked from commit d04dd27) (cherry picked from commit 9aa2a23)
When mcuboot_secondary is on external flash, the image header cannot dircetly be accessed via secondary_fa->fa_off. Instead the provided function boot_img_hdr() is used now. Additionally a similar issue is present when trying to read the address of the reset handler. For this flash_area_read() is used now. With this patch is possible to have the update partiton mcuboot_secondary on external flash and update a updatable bootloader (mcuboot) in s0 and/or s1. Signed-off-by: Christian Taedcke <[email protected]> Signed-off-by: Ole Sæther <[email protected]> Signed-off-by: Sigvart Hovland <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit a3a50e7) (cherry picked from commit 4081b79)
Fixes path variables to use the proper Zephyr module variables Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 76d0d9a) (cherry picked from commit a97a24c)
The XIP image, 2, does not have reset vector. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 5a8e708) (cherry picked from commit c2eb5fc)
Puts the flash simulation configurtion into cache variables that can be used by other applications and CMake code to know specifics on the simulated flash details Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit 9599724) (cherry picked from commit 002409b)
This removes the `return;` to ensure that the application is booted even if EXT_ABI is not provided to the application because it does not include `FW_INFO`. Added a bit more description to the error messages when FW_INFO is not found and EXT_ABI is not able to be provided to the next image. Ref. NCSDK-24132 Signed-off-by: Sigvart Hovland <[email protected]> (cherry picked from commit 5b37400) (cherry picked from commit c6fe3b4)
For nRF53, the only existing version number metadata is stored in the `firmware_info` structure in the network core. This utilizes PCD to read out the version number and compares it against the version number found in the secondary slot for the network core. Ref. NCSDK-21379 Signed-off-by: Sigvart Hovland <[email protected]> (cherry picked from commit 2011395) (cherry picked from commit fecd88c)
Adds support for image IDs that are assigned by sysbuild, which allows for dynamically supporting different configurations without needing dummy images to support different modes. Also fixes multiple deficiencies with the previous code where things were not properly accounted for e.g. using the swap algorithm including all swap status parts when updating s0/s1 MCUboot image which could overwrite and corrupt the image data in the other slot Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit 5646583) (cherry picked from commit ba255be)
Adds a check that will also check the s0/s1 package version of the currently running MCUboot against a MCUboot update image to ensure that an older version of MCUboot isn't loaded to the opposite slot Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit 04481ec) (cherry picked from commit 4aaec13)
Adds support for child and parent images back, this commit will be reverted after the NCS 2.8 release when child/parent support is dropped Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit 20ee337) (cherry picked from commit d5aa215)
Update the configuration files for the Thingy:91 X targets to the ones used in production. Signed-off-by: Maximilian Deubel <[email protected]> (cherry picked from commit ae07a33) (cherry picked from commit 0ab75e0)
Enable backporting of PRs. Signed-off-by: Carles Cufi <[email protected]> (cherry picked from commit 93f4645)
Moved configs from nrf54l15pdk. Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit 6b030d7)
Add support for reporting various sha in image list. There is always only one sha compiled in, but serial recovery has been previously hardcoded to support sha256 only. Upstream PR #: 2116 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit bcdf6e2)
Log module has been declared but never registered. This commit fixes that by just registering the module. Signed-off-by: Maciej Baczmanski <[email protected]> Co-authored-by: Marek Pieta <[email protected]> (cherry picked from commit c6b9d83)
Add Kconfig option to cleanup RAM in MCUboot before passing control to an application. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 39aab3d) (cherry picked from commit 1c2a423)
Set of changes to Kconfig, CMakeLists.txt and some of headers that are required for the PSA support to compile. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 6400cc8) (cherry picked from commit 3cdcdb3) (cherry picked from commit a47fccf)
Use SHA512 directly calculated over image with the ED25519 signature. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit ccb9552) (cherry picked from commit 10211d4) (cherry picked from commit bb17cf7)
The commit add support for passing storage device address space to hash calculation functions, which allows to use hardware accelerated hash calculation on storage. This feature only works when image encryption is not enabled and all slots are defined within internal storage of device. The feature is enabled using Kconfig option CONFIG_BOOT_IMG_HASH_DIRECTLY_ON_STORAGE Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 258b369) (cherry picked from commit b4e5a3b) (cherry picked from commit c7f1478)
The commit adds support for PureEdDSA, which validates signature of image rather than hash. This is most secure, available, ED25519 usage in MCUboot, but due to requirement of PureEdDSA to be able to calculate signature at whole message at once, here image, it only works on setups where entire image can be mapped to device address space, so that PSA functions calculating the signature can see the whole image at once. This option is enabled with Kconfig option: CONFIG_BOOT_SIGNATURE_TYPE_PURE when the ED25519 signature type is already selected. Note that the option will enable SHA512 for calculating public key hash. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit d1b85af) (cherry picked from commit 81988f9) (cherry picked from commit 347b49e)
…CTORS_AUTO Automatic calculation are based on DTS data which are no the right source on partition layout in case Partition manager does the partitioning. Signed-off-by: Andrzej Puzdrowski <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 12e9928) (cherry picked from commit a023c2e) (cherry picked from commit 7432f4a)
The commit adds verification of image using keys stored in KMU. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 1dbca8f) (cherry picked from commit 40543f1) (cherry picked from commit 896a16e)
Adds selecting the experimental Kconfig when compession is in use Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit b836582) Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 36788a6)
adds default configs. Upstream PR #: 2133 Signed-off-by: Mateusz Michalek <[email protected]> (cherry picked from commit 7cc6005) (cherry picked from commit be32923)
Adds a new Kconfig CONFIG_BOOT_SIGNATURE_KMU_SLOTS which allows specifying how many KMU key IDs are supported, the default is set to 1 instead of 3 which was set before NCSDK-30743 Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit ed0fc24)
…SOC_NRF5340_CPUAPP
- Change do_boot() from static to public so it can be called externally (e.g. after DFU completes).- Add on_upload_done(slot, status) handler that prints upload results and does a warm reboot on success.- Introduce BUILD_ASSERT to ensure the console device is a CDC ACM UART (required for serial DFU).
Add an informational log before reading the console in boot_serial_start. Introduce DFU_TIMEOUT_MS (5s) and a non-blocking DFU wait loop in boot/zephyr/main.c that polls boot_serial_check_start() with the remaining timeout. This allows MCUboot to fall through to a normal boot if no DFU session starts within the timeout window instead of blocking indefinitely. Use FIH protection for boot_go and call it via FIH_CALL to integrate hardened return-code checking. Improve log messages for entering serial recovery mode and on timeout. Ensure boot_serial_start is still used when entering recovery; keep the old assert if the serial process terminates unexpectedly. Keep BUILD_ASSERT for CDC-ACM console compatibility.
|
none Note: This comment is automatically posted and updated by the Contribs GitHub Action. |
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
19 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
boot/zephyr/main.c that polls boot_serial_check_start() with the
remaining timeout. This allows MCUboot to fall through to a normal boot
if no DFU session starts within the timeout window instead of blocking
indefinitely.
hardened return-code checking.
old assert if the serial process terminates unexpectedly.
This change prevents the bootloader from hanging forever when CDC-ACM is
available but no host initiates a DFU, and makes DFU entry non-blocking
for a configurable window.