Boot: integrate MCUBoot with TF-M to act as a BL2 bootloader
Modifications in MCUBoot to be aligned with BL2 requirements in TF-M:
-- OS dependency was removed, no need to copy any OS repo to build it
-- CMSIS serial driver is used
-- flash driver interface is aligned with original version
-- S and NS images are handled as a single binary blob
-- automatic image concatenation and signing at build time
-- authentication based on SHA256 and RSA-2048 digital signature
-- mbedTLS library is used for cryptographic operation
-- static analyser warnings fixed in some files
Change-Id: I54891762eac8d0df634e954ff19a9505b16f3028
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
diff --git a/bl2/ext/mcuboot/bootutil/src/bootutil_misc.c b/bl2/ext/mcuboot/bootutil/src/bootutil_misc.c
index bf4e9b8..494879c 100644
--- a/bl2/ext/mcuboot/bootutil/src/bootutil_misc.c
+++ b/bl2/ext/mcuboot/bootutil/src/bootutil_misc.c
@@ -22,11 +22,8 @@
#include <inttypes.h>
#include <stddef.h>
-#include "sysflash/sysflash.h"
-#include "hal/hal_bsp.h"
#include "hal/hal_flash.h"
#include "flash_map/flash_map.h"
-#include "os/os.h"
#include "bootutil/image.h"
#include "bootutil/bootutil.h"
#include "bootutil_priv.h"
@@ -43,7 +40,7 @@
0x8079b62c,
};
-const uint32_t BOOT_MAGIC_SZ = sizeof boot_img_magic;
+const uint32_t BOOT_MAGIC_SZ = sizeof(boot_img_magic);
const uint32_t BOOT_MAX_ALIGN = MAX_FLASH_ALIGN;
struct boot_swap_table {
@@ -95,7 +92,7 @@
};
#define BOOT_SWAP_TABLES_COUNT \
- (sizeof boot_swap_tables / sizeof boot_swap_tables[0])
+ (sizeof(boot_swap_tables) / sizeof(boot_swap_tables[0]))
int
boot_magic_code(const uint32_t *magic)
@@ -106,7 +103,7 @@
return BOOT_MAGIC_GOOD;
}
- for (i = 0; i < BOOT_MAGIC_SZ / sizeof *magic; i++) {
+ for (i = 0; i < BOOT_MAGIC_SZ / sizeof(*magic); i++) {
if (magic[i] != 0xffffffff) {
return BOOT_MAGIC_BAD;
}
@@ -217,14 +214,15 @@
if (fap->fa_id != FLASH_AREA_IMAGE_SCRATCH) {
off = boot_copy_done_off(fap);
- rc = flash_area_read(fap, off, &state->copy_done, sizeof state->copy_done);
+ rc = flash_area_read(fap, off, &state->copy_done,
+ sizeof(state->copy_done));
if (rc != 0) {
return BOOT_EFLASH;
}
}
off = boot_image_ok_off(fap);
- rc = flash_area_read(fap, off, &state->image_ok, sizeof state->image_ok);
+ rc = flash_area_read(fap, off, &state->image_ok, sizeof(state->image_ok));
if (rc != 0) {
return BOOT_EFLASH;
}
@@ -310,7 +308,7 @@
}
off = boot_swap_size_off(fap);
- rc = flash_area_read(fap, off, swap_size, sizeof *swap_size);
+ rc = flash_area_read(fap, off, swap_size, sizeof(*swap_size));
if (rc != 0) {
rc = BOOT_EFLASH;
}
@@ -392,11 +390,11 @@
off = boot_swap_size_off(fap);
align = hal_flash_align(fap->fa_device_id);
assert(align <= BOOT_MAX_ALIGN);
- if (align < sizeof swap_size) {
- align = sizeof swap_size;
+ if (align < sizeof(swap_size)) {
+ align = sizeof(swap_size);
}
memset(buf, 0xFF, BOOT_MAX_ALIGN);
- memcpy(buf, (uint8_t *)&swap_size, sizeof swap_size);
+ memcpy(buf, (uint8_t *)&swap_size, sizeof(swap_size));
rc = flash_area_write(fap, off, buf, align);
if (rc != 0) {
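Review bot: The bound on `align` is enforced only by `assert(align <= BOOT_MAX_ALIGN);`, yet `flash_area_write(fap, off, buf, align)` then passes `align` as the length of a buffer that the preceding `memset` filled only up to `BOOT_MAX_ALIGN`; with asserts compiled out, an alignment larger than `BOOT_MAX_ALIGN` returned by `hal_flash_align` would make the write read past `buf` (its declaration is outside the hunk, so I am going by the `memset` size). A bootloader should not rely on `assert` for that bound; keep the assert but add a runtime guard next to it, e.g. `if (align > BOOT_MAX_ALIGN) { return BOOT_EFLASH; }`, using whichever error path this function's `rc != 0` branch below takes. The `(uint8_t *)` cast on `&swap_size` in the `memcpy` is also redundant, since `memcpy` takes `const void *`. The enclosing function starts and ends outside this hunk.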
@@ -463,7 +461,7 @@
int
boot_set_pending(int permanent)
{
- const struct flash_area *fap;
+ const struct flash_area *fap = NULL;
struct boot_swap_state state_slot1;
int rc;
@@ -500,14 +498,15 @@
}
/**
- * Marks the image in slot 0 as confirmed. The system will continue booting into the image in slot 0 until told to boot from a different slot.
+ * Marks the image in slot 0 as confirmed. The system will continue booting
+ * into the image in slot 0 until told to boot from a different slot.
*
- * @return 0 on success; nonzero on failure.
+ * @return 0 on success; non-zero on failure.
*/
int
boot_set_confirmed(void)
{
- const struct flash_area *fap;
+ const struct flash_area *fap = NULL;
struct boot_swap_state state_slot0;
int rc;
diff --git a/bl2/ext/mcuboot/bootutil/src/bootutil_priv.h b/bl2/ext/mcuboot/bootutil/src/bootutil_priv.h
index c1cf779..4753673 100644
--- a/bl2/ext/mcuboot/bootutil/src/bootutil_priv.h
+++ b/bl2/ext/mcuboot/bootutil/src/bootutil_priv.h
@@ -20,7 +20,6 @@
#ifndef H_BOOTUTIL_PRIV_
#define H_BOOTUTIL_PRIV_
-#include "sysflash/sysflash.h"
#include "flash_map/flash_map.h"
#include "bootutil/image.h"
diff --git a/bl2/ext/mcuboot/bootutil/src/caps.c b/bl2/ext/mcuboot/bootutil/src/caps.c
index 61d4f3f..e92e881 100644
--- a/bl2/ext/mcuboot/bootutil/src/caps.c
+++ b/bl2/ext/mcuboot/bootutil/src/caps.c
@@ -23,12 +23,6 @@
#if defined(MCUBOOT_SIGN_RSA)
res |= BOOTUTIL_CAP_RSA2048;
#endif
-#if defined(MCUBOOT_SIGN_EC)
- res |= BOOTUTIL_CAP_ECDSA_P224;
-#endif
-#if defined(MCUBOOT_SIGN_EC256)
- res |= BOOTUTIL_CAP_ECDSA_P256;
-#endif
#if defined(MCUBOOT_OVERWRITE_ONLY)
res |= BOOTUTIL_CAP_OVERWRITE_UPGRADE;
#else
diff --git a/bl2/ext/mcuboot/bootutil/src/image_rsa.c b/bl2/ext/mcuboot/bootutil/src/image_rsa.c
index 88ec784..4a472d5 100644
--- a/bl2/ext/mcuboot/bootutil/src/image_rsa.c
+++ b/bl2/ext/mcuboot/bootutil/src/image_rsa.c
@@ -19,10 +19,6 @@
#include <string.h>
-#ifdef MCUBOOT_MYNEWT
-#include "mcuboot_config/mcuboot_config.h"
-#endif
-
#ifdef MCUBOOT_SIGN_RSA
#include "bootutil/sign_key.h"
#include "bootutil/sha256.h"
@@ -68,11 +64,12 @@
static int
bootutil_parse_rsakey(mbedtls_rsa_context *ctx, uint8_t **p, uint8_t *end)
{
- int rc;
+ int rc, rc2;
size_t len;
- if ((rc = mbedtls_asn1_get_tag(p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ rc = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ if (rc != 0) {
return -1;
}
@@ -80,8 +77,9 @@
return -2;
}
- if ((rc = mbedtls_asn1_get_mpi(p, end, &ctx->N)) != 0 ||
- (rc = mbedtls_asn1_get_mpi(p, end, &ctx->E)) != 0) {
+ rc = mbedtls_asn1_get_mpi(p, end, &ctx->N);
+ rc2 = mbedtls_asn1_get_mpi(p, end, &ctx->E);
+ if ((rc != 0) || (rc2 != 0)) {
return -3;
}
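Review bot: The rewrite at the `rc`/`rc2` lines drops the short-circuit the original had: `mbedtls_asn1_get_mpi` for `E` now runs even when parsing `N` has already failed, so it parses from wherever the failed call left `*p` and writes into `ctx->E` regardless. The parse stays bounded by `end` and the function still returns -3 either way, but the second call does work on input already known to be bad, and `rc2` exists only to make the pair checkable afterwards. Sequencing the calls on a single `rc` keeps the original semantics without the chained assignment the commit is removing: `rc = mbedtls_asn1_get_mpi(p, end, &ctx->N);` / `if (rc == 0) { rc = mbedtls_asn1_get_mpi(p, end, &ctx->E); }` / `if (rc != 0) { return -3; }`. bootutil_parse_rsakey begins in the previous hunk and continues past this one.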
@@ -89,7 +87,8 @@
return -4;
}
- if ((rc = mbedtls_rsa_check_pubkey(ctx)) != 0) {
+ rc = mbedtls_rsa_check_pubkey(ctx);
+ if (rc != 0) {
return -5;
}
diff --git a/bl2/ext/mcuboot/bootutil/src/image_validate.c b/bl2/ext/mcuboot/bootutil/src/image_validate.c
index 5b2b9a0..2dca5bd 100644
--- a/bl2/ext/mcuboot/bootutil/src/image_validate.c
+++ b/bl2/ext/mcuboot/bootutil/src/image_validate.c
@@ -28,16 +28,10 @@
#include "bootutil/sha256.h"
#include "bootutil/sign_key.h"
-#ifdef MCUBOOT_MYNEWT
-#include "mcuboot_config/mcuboot_config.h"
-#endif
-
#ifdef MCUBOOT_SIGN_RSA
#include "mbedtls/rsa.h"
#endif
-#if defined(MCUBOOT_SIGN_EC) || defined(MCUBOOT_SIGN_EC256)
-#include "mbedtls/ecdsa.h"
-#endif
+
#include "mbedtls/asn1.h"
#include "bootutil_priv.h"
@@ -60,7 +54,7 @@
/* in some cases (split image) the hash is seeded with data from
* the loader image */
- if(seed && (seed_len > 0)) {
+ if (seed && (seed_len > 0)) {
bootutil_sha256_update(&sha256_ctx, seed, seed_len);
}
@@ -96,18 +90,6 @@
#if defined(MCUBOOT_SIGN_RSA)
# define EXPECTED_SIG_TLV IMAGE_TLV_RSA2048_PSS
# define EXPECTED_SIG_LEN(x) ((x) == 256) /* 2048 bits */
-# if defined(MCUBOOT_SIGN_EC) || defined(MCUBOOT_SIGN_EC256)
-# error "Multiple signature types not yet supported"
-# endif
-#elif defined(MCUBOOT_SIGN_EC)
-# define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA224
-# define EXPECTED_SIG_LEN(x) ((x) >= 64) /* oids + 2 * 28 bytes */
-# if defined(MCUBOOT_SIGN_EC256)
-# error "Multiple signature types not yet supported"
-# endif
-#elif defined(MCUBOOT_SIGN_EC256)
-# define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA256
-# define EXPECTED_SIG_LEN(x) ((x) >= 72) /* oids + 2 * 32 bytes */
#endif
#ifdef EXPECTED_SIG_TLV
@@ -153,7 +135,7 @@
#endif
struct image_tlv tlv;
uint8_t buf[256];
- uint8_t hash[32];
+ uint8_t hash[32] = {0};
int rc;
rc = bootutil_img_hash(hdr, fap, tmp_buf, tmp_buf_sz, hash,
@@ -185,7 +167,7 @@
* and are able to do.
*/
for (; off < end; off += sizeof(tlv) + tlv.it_len) {
- rc = flash_area_read(fap, off, &tlv, sizeof tlv);
+ rc = flash_area_read(fap, off, &tlv, sizeof(tlv));
if (rc) {
return rc;
}
@@ -198,7 +180,7 @@
if (tlv.it_len != sizeof(hash)) {
return -1;
}
- rc = flash_area_read(fap, off + sizeof(tlv), buf, sizeof hash);
+ rc = flash_area_read(fap, off + sizeof(tlv), buf, sizeof(hash));
if (rc) {
return rc;
}
@@ -215,7 +197,7 @@
if (tlv.it_len > 32) {
return -1;
}
- rc = flash_area_read(fap, off + sizeof tlv, buf, tlv.it_len);
+ rc = flash_area_read(fap, off + sizeof(tlv), buf, tlv.it_len);
if (rc) {
return rc;
}
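Review bot: The bound on the key-hash TLV at `if (tlv.it_len > 32)` rejects only oversized entries; an entry shorter than a SHA-256 digest passes, is read into `buf` and handed on with its short length, while the image-hash branch a few lines up insists on `tlv.it_len != sizeof(hash)`. If the key lookup that consumes `buf` compares only `it_len` bytes (it is outside this hunk, so I cannot confirm), a truncated key hash would match keys it should not; an exact-length check removes that possibility and makes the two TLV branches consistent: `if (tlv.it_len != sizeof(hash)) { return -1; }`. The literal `32` here and in `uint8_t hash[32] = {0};` in the earlier hunk would also read better as one named constant. The enclosing loop body continues beyond this hunk.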
@@ -237,7 +219,8 @@
if (rc) {
return -1;
}
- rc = bootutil_verify_sig(hash, sizeof(hash), buf, tlv.it_len, key_id);
+ rc = bootutil_verify_sig(hash, sizeof(hash), buf, tlv.it_len,
+ key_id);
if (rc == 0) {
valid_signature = 1;
}
diff --git a/bl2/ext/mcuboot/bootutil/src/loader.c b/bl2/ext/mcuboot/bootutil/src/loader.c
index 30ac131..d091ec5 100644
--- a/bl2/ext/mcuboot/bootutil/src/loader.c
+++ b/bl2/ext/mcuboot/bootutil/src/loader.c
@@ -17,6 +17,12 @@
* under the License.
*/
+/*
+ Original code taken from mcuboot project at:
+ https://github.com/runtimeco/mcuboot
+ Modifications are Copyright (c) 2018 Arm Limited.
+ */
+
/**
* This file provides an interface to the boot loader. Functions defined in
* this file should only be called while the boot loader is running.
@@ -37,10 +43,6 @@
#define BOOT_LOG_LEVEL BOOT_LOG_LEVEL_INFO
#include "bootutil/bootutil_log.h"
-#ifdef MCUBOOT_MYNEWT
-#include "mcuboot_config/mcuboot_config.h"
-#endif
-
static struct boot_loader_state boot_data;
struct boot_status_table {
@@ -124,7 +126,7 @@
};
#define BOOT_STATUS_TABLES_COUNT \
- (sizeof boot_status_tables / sizeof boot_status_tables[0])
+ (sizeof(boot_status_tables) / sizeof(boot_status_tables[0]))
#define BOOT_LOG_SWAP_STATE(area, state) \
BOOT_LOG_INF("%s: magic=%s, copy_done=0x%x, image_ok=0x%x", \
@@ -136,11 +138,12 @@
(state)->image_ok)
/**
- * Determines where in flash the most recent boot status is stored. The boot
+ * Determines where in flash the most recent boot status is stored. The boot
* status is necessary for completing a swap that was interrupted by a boot
* loader reset.
*
- * @return A BOOT_STATUS_SOURCE_[...] code indicating where * status should be read from.
+ * @return BOOT_STATUS_SOURCE_[...] code indicating where
+ * status should be read from.
*/
static int
boot_status_source(void)
@@ -198,9 +201,9 @@
post_swap_type = boot_swap_type();
switch (post_swap_type) {
- case BOOT_SWAP_TYPE_NONE : return BOOT_SWAP_TYPE_PERM;
- case BOOT_SWAP_TYPE_REVERT : return BOOT_SWAP_TYPE_TEST;
- case BOOT_SWAP_TYPE_PANIC : return BOOT_SWAP_TYPE_PANIC;
+ case BOOT_SWAP_TYPE_NONE: return BOOT_SWAP_TYPE_PERM;
+ case BOOT_SWAP_TYPE_REVERT: return BOOT_SWAP_TYPE_TEST;
+ case BOOT_SWAP_TYPE_PANIC: return BOOT_SWAP_TYPE_PANIC;
}
return BOOT_SWAP_TYPE_FAIL;
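Review bot: The reformatted `switch (post_swap_type)` still has no `default` label, so the `return BOOT_SWAP_TYPE_FAIL;` after it handles every other swap type only implicitly, and a compiler or analyser run with `-Wswitch-default` will flag it — which sits oddly with a commit whose stated aims include clearing static-analyser warnings. Spelling the intent out costs one line before the closing brace: `default: break;`, or `default: return BOOT_SWAP_TYPE_FAIL;` if the trailing return is meant only for this case. The enclosing function starts and ends outside this hunk.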
@@ -214,7 +217,7 @@
static int
boot_read_image_size(int slot, struct image_header *hdr, uint32_t *size)
{
- const struct flash_area *fap;
+ const struct flash_area *fap = NULL;
struct image_tlv_info info;
int area_id;
int rc;
@@ -248,7 +251,7 @@
static int
boot_read_image_header(int slot, struct image_header *out_hdr)
{
- const struct flash_area *fap;
+ const struct flash_area *fap = NULL;
int area_id;
int rc;
@@ -259,7 +262,7 @@
goto done;
}
- rc = flash_area_read(fap, 0, out_hdr, sizeof *out_hdr);
+ rc = flash_area_read(fap, 0, out_hdr, sizeof(*out_hdr));
if (rc != 0) {
rc = BOOT_EFLASH;
goto done;
@@ -432,7 +435,7 @@
int area_id;
int rc;
- memset(bs, 0, sizeof *bs);
+ memset(bs, 0, sizeof(*bs));
status_loc = boot_status_source();
switch (status_loc) {
@@ -474,7 +477,7 @@
int
boot_write_status(struct boot_status *bs)
{
- const struct flash_area *fap;
+ const struct flash_area *fap = NULL;
uint32_t off;
int area_id;
int rc;
@@ -537,35 +540,6 @@
}
static int
-split_image_check(struct image_header *app_hdr,
- const struct flash_area *app_fap,
- struct image_header *loader_hdr,
- const struct flash_area *loader_fap)
-{
- static void *tmpbuf;
- uint8_t loader_hash[32];
-
- if (!tmpbuf) {
- tmpbuf = malloc(BOOT_TMPBUF_SZ);
- if (!tmpbuf) {
- return BOOT_ENOMEM;
- }
- }
-
- if (bootutil_img_validate(loader_hdr, loader_fap, tmpbuf, BOOT_TMPBUF_SZ,
- NULL, 0, loader_hash)) {
- return BOOT_EBADIMAGE;
- }
-
- if (bootutil_img_validate(app_hdr, app_fap, tmpbuf, BOOT_TMPBUF_SZ,
- loader_hash, 32, NULL)) {
- return BOOT_EBADIMAGE;
- }
-
- return 0;
-}
-
-static int
boot_validate_slot(int slot)
{
const struct flash_area *fap;
@@ -682,7 +656,7 @@
static int
boot_erase_sector(int flash_area_id, uint32_t off, uint32_t sz)
{
- const struct flash_area *fap;
+ const struct flash_area *fap = NULL;
int rc;
rc = flash_area_open(flash_area_id, &fap);
@@ -747,8 +721,8 @@
bytes_copied = 0;
while (bytes_copied < sz) {
- if (sz - bytes_copied > sizeof buf) {
- chunk_sz = sizeof buf;
+ if (sz - bytes_copied > sizeof(buf)) {
+ chunk_sz = sizeof(buf);
} else {
chunk_sz = sz - bytes_copied;
}
@@ -1250,6 +1224,7 @@
*/
static boot_sector_t slot0_sectors[BOOT_MAX_IMG_SECTORS];
static boot_sector_t slot1_sectors[BOOT_MAX_IMG_SECTORS];
+
boot_data.imgs[0].sectors = slot0_sectors;
boot_data.imgs[1].sectors = slot1_sectors;
@@ -1289,7 +1264,8 @@
* The following states need image_ok be explicitly set after the
* swap was finished to avoid a new revert.
*/
- if (swap_type == BOOT_SWAP_TYPE_REVERT || swap_type == BOOT_SWAP_TYPE_FAIL) {
+ if (swap_type == BOOT_SWAP_TYPE_REVERT ||
+ swap_type == BOOT_SWAP_TYPE_FAIL) {
#ifndef MCUBOOT_OVERWRITE_ONLY
rc = boot_set_image_ok();
if (rc != 0) {
@@ -1337,7 +1313,8 @@
assert(0);
/* Loop forever... */
- while (1) {}
+ while (1)
+ ;
}
#ifdef MCUBOOT_VALIDATE_SLOT0
@@ -1376,65 +1353,3 @@
}
return rc;
}
-
-int
-split_go(int loader_slot, int split_slot, void **entry)
-{
- boot_sector_t *sectors;
- uintptr_t entry_val;
- int loader_flash_id;
- int split_flash_id;
- int rc;
-
- sectors = malloc(BOOT_MAX_IMG_SECTORS * 2 * sizeof *sectors);
- if (sectors == NULL) {
- return SPLIT_GO_ERR;
- }
- boot_data.imgs[loader_slot].sectors = sectors + 0;
- boot_data.imgs[split_slot].sectors = sectors + BOOT_MAX_IMG_SECTORS;
-
- loader_flash_id = flash_area_id_from_image_slot(loader_slot);
- rc = flash_area_open(loader_flash_id,
- &BOOT_IMG_AREA(&boot_data, split_slot));
- assert(rc == 0);
- split_flash_id = flash_area_id_from_image_slot(split_slot);
- rc = flash_area_open(split_flash_id,
- &BOOT_IMG_AREA(&boot_data, split_slot));
- assert(rc == 0);
-
- /* Determine the sector layout of the image slots and scratch area. */
- rc = boot_read_sectors();
- if (rc != 0) {
- rc = SPLIT_GO_ERR;
- goto done;
- }
-
- rc = boot_read_image_headers();
- if (rc != 0) {
- goto done;
- }
-
- /* Don't check the bootable image flag because we could really call a
- * bootable or non-bootable image. Just validate that the image check
- * passes which is distinct from the normal check.
- */
- rc = split_image_check(boot_img_hdr(&boot_data, split_slot),
- BOOT_IMG_AREA(&boot_data, split_slot),
- boot_img_hdr(&boot_data, loader_slot),
- BOOT_IMG_AREA(&boot_data, loader_slot));
- if (rc != 0) {
- rc = SPLIT_GO_NON_MATCHING;
- goto done;
- }
-
- entry_val = boot_img_slot_off(&boot_data, split_slot) +
- boot_img_hdr(&boot_data, split_slot)->ih_hdr_size;
- *entry = (void *) entry_val;
- rc = SPLIT_GO_OK;
-
-done:
- flash_area_close(BOOT_IMG_AREA(&boot_data, split_slot));
- flash_area_close(BOOT_IMG_AREA(&boot_data, loader_slot));
- free(sectors);
- return rc;
-}