| /* |
| * Copyright (c) 2012-2014 Wind River Systems, Inc. |
| * Copyright (c) 2017-2023 Arm Limited. |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include "mcuboot_config/mcuboot_config.h" |
| #include <assert.h> |
| #include "target.h" |
| #include "tfm_hal_device_header.h" |
| #include "mbedtls/memory_buffer_alloc.h" |
| #include "bootutil/security_cnt.h" |
| #include "bootutil/bootutil_log.h" |
| #include "bootutil/image.h" |
| #include "bootutil/bootutil.h" |
| #include "bootutil/boot_record.h" |
| #include "bootutil/fault_injection_hardening.h" |
| #include "flash_map_backend/flash_map_backend.h" |
| #include "boot_hal.h" |
| #include "uart_stdout.h" |
| #include "tfm_plat_otp.h" |
| #include "tfm_plat_provisioning.h" |
| #ifdef TEST_BL2 |
| #include "mcuboot_suites.h" |
| #endif /* TEST_BL2 */ |
| |
| /* Avoids the semihosting issue */ |
| #if defined (__ARMCC_VERSION) && (__ARMCC_VERSION >= 6010050) |
| __asm(" .global __ARM_use_no_argv\n"); |
| #endif |
| |
| #ifdef MCUBOOT_ENCRYPT_RSA |
| #define BL2_MBEDTLS_MEM_BUF_LEN 0x3000 |
| #else |
| #define BL2_MBEDTLS_MEM_BUF_LEN 0x2000 |
| #endif |
| |
| /* Static buffer to be used by mbedtls for memory allocation */ |
| static uint8_t mbedtls_mem_buf[BL2_MBEDTLS_MEM_BUF_LEN]; |
| struct boot_rsp rsp; |
| |
| static void do_boot(struct boot_rsp *rsp) |
| { |
| struct boot_arm_vector_table *vt; |
| uintptr_t flash_base; |
| int rc; |
| |
| /* The beginning of the image is the ARM vector table, containing |
| * the initial stack pointer address and the reset vector |
| * consecutively. Manually set the stack pointer and jump into the |
| * reset vector |
| */ |
| rc = flash_device_base(rsp->br_flash_dev_id, &flash_base); |
| assert(rc == 0); |
| |
| if (rsp->br_hdr->ih_flags & IMAGE_F_RAM_LOAD) { |
| /* The image has been copied to SRAM, find the vector table |
| * at the load address instead of image's address in flash |
| */ |
| vt = (struct boot_arm_vector_table *)(rsp->br_hdr->ih_load_addr + |
| rsp->br_hdr->ih_hdr_size); |
| } else { |
| /* Using the flash address as not executing in SRAM */ |
| vt = (struct boot_arm_vector_table *)(flash_base + |
| rsp->br_image_off + |
| rsp->br_hdr->ih_hdr_size); |
| } |
| |
| #if MCUBOOT_LOG_LEVEL > MCUBOOT_LOG_LEVEL_OFF || TEST_BL2 |
| stdio_uninit(); |
| #endif |
| |
| /* This function never returns, because it calls the secure application |
| * Reset_Handler(). |
| */ |
| boot_platform_quit(vt); |
| } |
| |
| int main(void) |
| { |
| fih_ret fih_rc = FIH_FAILURE; |
| enum tfm_plat_err_t plat_err; |
| int32_t image_id; |
| |
| /* Initialise the mbedtls static memory allocator so that mbedtls allocates |
| * memory from the provided static buffer instead of from the heap. |
| */ |
| mbedtls_memory_buffer_alloc_init(mbedtls_mem_buf, BL2_MBEDTLS_MEM_BUF_LEN); |
| |
| #if MCUBOOT_LOG_LEVEL > MCUBOOT_LOG_LEVEL_OFF || TEST_BL2 |
| stdio_init(); |
| #endif |
| |
| /* Perform platform specific initialization */ |
| if (boot_platform_init() != 0) { |
| BOOT_LOG_ERR("Platform init failed"); |
| FIH_PANIC; |
| } |
| |
| BOOT_LOG_INF("Starting bootloader"); |
| |
| plat_err = tfm_plat_otp_init(); |
| if (plat_err != TFM_PLAT_ERR_SUCCESS) { |
| BOOT_LOG_ERR("OTP system initialization failed"); |
| FIH_PANIC; |
| } |
| |
| if (tfm_plat_provisioning_is_required()) { |
| plat_err = tfm_plat_provisioning_perform(); |
| if (plat_err != TFM_PLAT_ERR_SUCCESS) { |
| BOOT_LOG_ERR("Provisioning failed"); |
| FIH_PANIC; |
| } |
| } else { |
| tfm_plat_provisioning_check_for_dummy_keys(); |
| } |
| |
| FIH_CALL(boot_nv_security_counter_init, fih_rc); |
| if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { |
| BOOT_LOG_ERR("Error while initializing the security counter"); |
| FIH_PANIC; |
| } |
| |
| /* Perform platform specific post-initialization */ |
| if (boot_platform_post_init() != 0) { |
| BOOT_LOG_ERR("Platform post init failed"); |
| FIH_PANIC; |
| } |
| |
| #ifdef TEST_BL2 |
| (void)run_mcuboot_testsuite(); |
| #endif /* TEST_BL2 */ |
| |
| /* Images are loaded in reverse order so that the last image loaded is the |
| * TF-M image, which means the response is filled correctly. |
| */ |
| for (image_id = MCUBOOT_IMAGE_NUMBER - 1; image_id >= 0; image_id--) { |
| if (boot_platform_pre_load(image_id)) { |
| BOOT_LOG_ERR("Pre-load step for image %d failed", image_id); |
| FIH_PANIC; |
| } |
| |
| /* Primary goal to zeroize the 'rsp' is to avoid to accidentally load |
| * the NS image in case of a fault injection attack. However, it is |
| * done anyway as a good practice to sanitize memory. |
| */ |
| memset(&rsp, 0, sizeof(struct boot_rsp)); |
| FIH_CALL(boot_go_for_image_id, fih_rc, &rsp, image_id); |
| if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { |
| BOOT_LOG_ERR("Unable to find bootable image"); |
| FIH_PANIC; |
| } |
| |
| if (boot_platform_post_load(image_id)) { |
| BOOT_LOG_ERR("Post-load step for image %d failed", image_id); |
| FIH_PANIC; |
| } |
| } |
| |
| BOOT_LOG_INF("Bootloader chainload address offset: 0x%x", |
| rsp.br_image_off); |
| BOOT_LOG_INF("Jumping to the first image slot"); |
| do_boot(&rsp); |
| |
| BOOT_LOG_ERR("Never should get here"); |
| FIH_PANIC; |
| } |