Another upmerge eh #450
Draft: de-nordic wants to merge 171 commits into nrfconnect:main from de-nordic:another-upmerge-eh
Enable LTO to cut down the MCUboot size for nrf54l15 Signed-off-by: Dominik Ermel <[email protected]>
Assert on the pointer validity in debug builds and make sure that an initialised value of 0 is always returned even in case of errors Change-Id: Ia0546941296fc9741c1b20955d7c7a0d47c7b2e1 Signed-off-by: Antonio de Angelis <[email protected]>
Remove unneeded and improve used. Signed-off-by: Dominik Ermel <[email protected]>
BOOT_ENC_KEY_SIZE is enough. BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE has been replaced with BOOT_ENC_BLOCK_SIZE. Signed-off-by: Dominik Ermel <[email protected]>
Provide proper identifiers for size and partitioning of the HKDF output. Signed-off-by: Dominik Ermel <[email protected]>
pointer to the image ARM vector table should be placed out of stack which is being reconfigured before vt is used for branch to the application. This caused transient boot failure when CONFIG_LTO=y. Moved vt to static data scope. Signed-off-by: Andrzej Puzdrowski <[email protected]>
Added cmsis_6 into range of modules. Signed-off-by: Andrzej Puzdrowski <[email protected]>
Correct tlv_off by accounting for protected TLVs found before main scan. Signed-off-by: Georgij Cernysiov <[email protected]>
When computing the maximum image size in bootutil_max_image_size for swap-move or swap-offset strategy, the computation was using the size of the flash area provided as argument and was not taking into account the size of the padding sector. This was causing an incorrect size to be returned in some cases, for example when the two slots have the same size or when the slots haven't the same size but the routine is called for the slot containing the padding sector. For example, let's imagine swap-move is being used on a device having a sector size S and two slots of N bytes. This is valid configuration and the maximum image size is N - S - T, T being the size of the trailer rounded up to the next multiple of S. When calling bootutil_max_image_size with either the primary or secondary slot, the size N - T is returned, which is incorrect. This commit fixes the issue by computing always the maximum image using the size of the slot containing the padding and subtracting the size of the padding and of the aligned trailer. Signed-off-by: Thomas Altenbach <[email protected]>
When checking the size of an image in bootutil_img_validate, the offset to the end of the TLV area was used as the image size in all cases. However, when using swap-offset, the upgrade image is written in the secondary with an offset. This offset is not part of the image and must therefore not be taken into account in the image size. Signed-off-by: Thomas Altenbach <[email protected]>
For the swap-move and swap-offset strategies, the computation of the largest image size was not taking into account the padding that is needed when using those strategies. Due to this limitation, the simulator is currently using hardcoded image sizes, smaller than the maximum possible size, when running tests for the swap-move or swap-offset strategies. This commit fixes the maximum image size computation for those strategies. Signed-off-by: Thomas Altenbach <[email protected]>
The simulator was testing the upgrade with the largest image possible for all strategies, except for overwrite-only, swap-move and swap-offset because some tests were failing when the maximum image size was used. For overwrite-only, this was due to an incorrect trailer size computation. This has been fixed by 88294be. For swap-move and swap-offset, this was due to the simulator not taking into account the padding needed by those strategies in the primary or secondary slot, but also to incorrect computation of the maximum image size in some cases by the MCUboot library. Both issues have been fixed by the previous commits. Since all those issues have been fixed, the simulator can now be configured to test upgrade with the largest possible image for all strategies. Note that logic needed to generate image of a given image is kept even if not useful anymore at the moment, since that might be needed when test will be added to ensure proper behavior when images of different sizes are used. Signed-off-by: Thomas Altenbach <[email protected]>
The test case oversized_secondary_slot, introduced by PR !1286, was not enabled when the 'max-align-32' feature was selected because the test case was failing with some configurations. Since 88294be, the oversized_secondary_slot test is now passing with 'max-align-32' in all configurations and can therefore be enabled. Signed-off-by: Thomas Altenbach <[email protected]>
Typo in identifier. Signed-off-by: Dominik Ermel <[email protected]>
When an upgrade is performed, the security counter must only be updated after the upgrade has been confirmed, to make it possible to roll back if needed. To that end, the security counter was only updated for a given image if the swap type is BOOT_SWAP_TYPE_NONE, meaning in most cases that no update has been performed by MCUboot at this run. However, the swap type is also set to BOOT_SWAP_TYPE_NONE after an interrupted upgrade is completed, so at the time boot_update_hw_rollback_protection is called, having a "none" swap type doesn't guarantee that no upgrade is waiting for confirmation. This means MCUboot was wrongly updating the security counter immediately after the completion of a resumed upgrade, preventing any rollback in that case. Instead, the boot_update_hw_rollback_protection now checks the trailer of the primary image to determine if the security counter has to be updated. The update occurs only if the trailer is empty (no update has ever been made) or if the "image-ok" flag is set (the image has been confirmed). Signed-off-by: Thomas Altenbach <[email protected]>
When testing upgrades, the simulator was always using two images having the same security counter. This was preventing to test that the security counters are updated at the right time in the scenarios where a revert is possible. The upgrade image is now generated with a higher security counter than the original image, enabling to detect e.g. the issue fixed by the previous commit. Signed-off-by: Thomas Altenbach <[email protected]>
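The two commits above describe when the security counter may advance. The following is an added example, not code from MCUboot or from this pull request: a simplified C model that compares the earlier swap-type rule with the trailer-based rule on a resumed, not yet confirmed upgrade. All type, field and function names are hypothetical, and the scenario values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model for illustration; these are not MCUboot's types. */
enum swap_type { SWAP_NONE, SWAP_TEST };

struct boot_state {
    enum swap_type swap;     /* swap type seen when the counter update is considered */
    bool trailer_written;    /* primary trailer is not empty: an upgrade took place */
    bool image_ok;           /* "image-ok" flag: the image has been confirmed */
    uint32_t hw_counter;     /* counter held in rollback-protected storage */
    uint32_t image_counter;  /* security counter of the image in the primary slot */
};

/* Earlier rule: update whenever the swap type is "none". */
static bool update_by_swap_type(const struct boot_state *s)
{
    return s->swap == SWAP_NONE;
}

/* Rule from the commit message: update only if the primary trailer is
 * empty or the image-ok flag is set. */
static bool update_by_trailer(const struct boot_state *s)
{
    return !s->trailer_written || s->image_ok;
}

/* Returns the stored counter after one boot under the given rule. */
static uint32_t counter_after_boot(struct boot_state s,
                                   bool (*rule)(const struct boot_state *))
{
    if (rule(&s) && s.image_counter > s.hw_counter) {
        s.hw_counter = s.image_counter;
    }
    return s.hw_counter;
}

/* The old image can boot after a revert only if its counter is not below
 * the stored one. */
static bool revert_allowed(uint32_t hw_counter, uint32_t old_image_counter)
{
    return old_image_counter >= hw_counter;
}

/* Constructed scenario: an interrupted upgrade was resumed and completed,
 * so the swap type reads "none" although the image awaits confirmation. */
static const struct boot_state resumed_unconfirmed = { SWAP_NONE, true, false, 1, 2 };

int main(void)
{
    uint32_t a = counter_after_boot(resumed_unconfirmed, update_by_swap_type);
    uint32_t b = counter_after_boot(resumed_unconfirmed, update_by_trailer);
    printf("swap-type rule: counter=%u revert=%d\n", (unsigned)a, revert_allowed(a, 1));
    printf("trailer rule:   counter=%u revert=%d\n", (unsigned)b, revert_allowed(b, 1));
    return 0;
}
```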
For mynewt hardware implementation of hash functionality, calling bootutil_sha_init() in a loop without a call to bootutil_sha_drop() results in a failure. In two places where bootutil_sha_drop() was called after the loop, the call is moved into the loop to match calls to bootutil_sha_init(). This will not impact default implementation where calling bootutil_sha_drop() in a loop does not change anything. Signed-off-by: Jerzy Kasenberg <[email protected]>
Add a documentation formalizing the process for contributing to MCUboot. Signed-off-by: David Brown <[email protected]>
This helps ensure it is clear, when reading the docs, what version of mcuboot they correspond with. Signed-off-by: David Brown <[email protected]>
Fixes wrongly including swap and trailer sizes for single image builds which reduced the maximum size of applications, these areas are not used or applicable with single image modes Signed-off-by: Jamie McCrae <[email protected]>
Update release notes and the various release version files. Signed-off-by: David Brown <[email protected]>
Adds a note on this fix Signed-off-by: Jamie McCrae <[email protected]>
…n definitions" This reverts commit b37f58b. Signed-off-by: Robert Lubos <[email protected]>
This reverts commit e78fe84. Signed-off-by: Robert Lubos <[email protected]>
…ifiers into one place" This reverts commit cff5b9a. Signed-off-by: Robert Lubos <[email protected]>
This reverts commit fad8beb. Signed-off-by: Robert Lubos <[email protected]>
This reverts commit 1c75a58. Signed-off-by: Robert Lubos <[email protected]>
…IZE" This reverts commit 53e81a6. Signed-off-by: Robert Lubos <[email protected]>
…urce" This reverts commit 72c673f. Signed-off-by: Robert Lubos <[email protected]>
… enabled" This reverts commit 4532c33. Signed-off-by: Robert Lubos <[email protected]>
Adds additional conditions that lets the direct upload option to be selected on nRF5340 to allow for uploading network core updates directly to the network core with the flash simulator Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit e041019)
Configured CONFIG_NRF_RRAM_WRITE_BUFFER_SIZE=32, which ensures the fastest bulk RRAM write operations. Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit 514a007)
Removes stray child/parent references Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit 1d1ca9b)
MCUboot uses SOC_FLASH_0_ID and SPI_FLASH_0_ID to distinguish between internal and external boot device. These IDs are provided by sysflash.h, but the pm_sysflash.h overrides the entire file, and was lacking those definitions. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 298f630)
Disabled NCS BOOT BANNER to save some flash, as Thingy:53 stopped to fit in the mcuboot partition. The boot banner is not used anyway, as logs are disabled. Signed-off-by: Kamil Kasperczyk <[email protected]> (cherry picked from commit 1d96021)
Adds check to region of mcuboot_secondary_1 to put it in external flash only if CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY is set. This should allow for DFU from internal flash on the nRF5340 with dynamic partitioning. Also fixing a typo. Signed-off-by: Sigurd Hellesvik <[email protected]> (cherry picked from commit 19d25e4)
Select proper configuration and disable mbedTLS selection, as we are using NRF Security enabled Oberon. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit a6b51f1)
Fixes path variables to use the proper Zephyr module variables Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit ab3b5d7)
Adds support for LZMA-compressed firmware updates which also supports encrypted images and supports more than 1 updateable image Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 2f691b7)
The commit adds verification of image using keys stored in KMU. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 3e3db4b)
Adds selecting the experimental Kconfig when compression is in use Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 26b638c)
Adds a new Kconfig CONFIG_BOOT_SIGNATURE_KMU_SLOTS which allows specifying how many KMU key IDs are supported, the default is set to 1 instead of 3 which was set before NCSDK-30743 Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit 8a366a3)
Use snprintf, alloc, calloc and free from mbedTLS rather than from Zephyr. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 7f9f7e1)
Added basic support for nrf54h20dk_nrf54h20_cpuapp_iron board. This commit turns off CONFIG_FPROTECT for this board build. Signed-off-by: Michal Kozikowski <[email protected]> (cherry picked from commit 1ec9e79)
This commit removes NRF_CLOCK cleanup for this board build - for Lillium, there is no clock peripheral access from the app domain. Signed-off-by: Michal Kozikowski <[email protected]> (cherry picked from commit ede9b99)
Disable previous generation key when update comes with new valid key and application is confirmed. Signed-off-by: Mateusz Michalek <[email protected]> (cherry picked from commit 22c2cac)
Added procedure which does configure UARTE pins to the default states. This allows to reduce power consumption if pin is floating. clean-up UARTE only if its driver was enabled Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit 1e75d5d)
Zephyr provides "mcuboot-mbedtls-cfg.h" as glue interface for configuring mbedTLS. "config-tls-generic.h" default value was erroneously introduced during a meta codebase synchronization. Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit e80f8ed)
Compile out code which does cleanup on UARTE pins as this causes issues for some applications. ref.: NCSDK-33039 Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit 62ee7ad)
adding default configs. Signed-off-by: Mateusz Michalek <[email protected]> (cherry picked from commit ce377b6)
This commit adds cleanup for GRTC and UARTE peripherals. ref: NCSDK-32966 Signed-off-by: Artur Hadasz <[email protected]> (cherry picked from commit e92888b)
This commit aligns to the changes in the nrfcompress API, which now enables the caller to provide the expected size of the decompressed image. ref: NCSDK-32340 Signed-off-by: Michal Kozikowski <[email protected]> (cherry picked from commit e110d76)
…nto one place Make enc_key_public.h single point of definitions for key sizes, TLV indexes and so on. Upstream PR #: 2327 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit cff5b9a)
Use bootutil_macros.h instead. Upstream PR #: 2327 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit e78fe84)
…tions Cleanup. Upstream PR #: 2327 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit b37f58b)
Add additional log lines to allow easier tracking potential failures in image validation. Upstream PR #: 2308 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 3e4e8a08717c1fc11ba56bab4055fd8e167d49af) Signed-off-by: Dominik Ermel <[email protected]>
Improve logging to make it easier to track image validation failures in development. Upstream PR #: 2308 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 1609c024c6934b89e892324379f7ef88bd4e915e)
No description provided.