Boot: Remove forked MCUboot from TF-M
Remove the generic MCUboot source files from TF-M in order to
rely only on upstream MCUboot project as a secure second stage
bootloader. At this point all the features from the internal
fork are already upstreamed to the original project so from
feature point of view the switch is seamless. From now on
any new development is going to be directly upstreamed to the
original project.
Some platform- and project-specific files and scripts are still
kept in the bl2/ext/mcuboot folder to make the integration
with the TF-M project possible.
Signed-off-by: Balint Matyi <Balint.Matyi@arm.com>
Signed-off-by: Tamas Ban <Tamas.Ban@arm.com>
Change-Id: I261c11383202d02eecff06c21d5c51d6ec8f27ea
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
index cc3a54a..2e1e082 100644
--- a/bl2/ext/mcuboot/CMakeLists.txt
+++ b/bl2/ext/mcuboot/CMakeLists.txt
@@ -8,10 +8,6 @@
cmake_minimum_required(VERSION 3.13)
cmake_policy(SET CMP0079 NEW)
-if(TFM_INTERNAL_MCUBOOT)
- set(MCUBOOT_PATH ${CMAKE_CURRENT_SOURCE_DIR} CACHE PATH "Path to mcuboot (or DOWNLOAD to get automatically" FORCE)
-endif()
-
set(MCUBOOT_KEY_ENC "${MCUBOOT_PATH}/enc-rsa2048-pub.pem" CACHE FILEPATH "Path to key with which to encrypt binary")
target_include_directories(bl2
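Review bot: With the TFM_INTERNAL_MCUBOOT fallback gone, nothing in this hunk checks that MCUBOOT_PATH is defined before it is used on the `set(MCUBOOT_KEY_ENC ...)` line and in the source list of the next hunk; an unset variable silently expands to root-relative paths such as `/enc-rsa2048-pub.pem`, and the error only surfaces later as a missing-file failure. Add a guard where the removed block stood: `if(NOT DEFINED MCUBOOT_PATH)` / `message(FATAL_ERROR "MCUBOOT_PATH must point to the upstream MCUboot checkout")` / `endif()`. The removed cache description also mentioned a DOWNLOAD value; if that mode is still handled elsewhere, the guard should accept it or run after the download has resolved the path, which cannot be confirmed from this hunk. The MCUBOOT_KEY_ENC default is an unchanged context line, but a one-line comment that it appears to be the example key shipped in the MCUboot tree and is meant to be overridden would help readers of the new layout.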
@@ -34,10 +30,10 @@
${MCUBOOT_PATH}/boot/bootutil/src/image_rsa.c
${MCUBOOT_PATH}/boot/bootutil/src/tlv.c
${MCUBOOT_PATH}/boot/bootutil/src/boot_record.c
- $<$<NOT:$<BOOL:${TFM_INTERNAL_MCUBOOT}>>:${MCUBOOT_PATH}/boot/bootutil/src/swap_scratch.c>
- $<$<NOT:$<BOOL:${TFM_INTERNAL_MCUBOOT}>>:${MCUBOOT_PATH}/boot/bootutil/src/swap_move.c>
- $<$<NOT:$<BOOL:${TFM_INTERNAL_MCUBOOT}>>:${MCUBOOT_PATH}/boot/bootutil/src/swap_misc.c>
- $<$<NOT:$<BOOL:${TFM_INTERNAL_MCUBOOT}>>:${MCUBOOT_PATH}/boot/bootutil/src/encrypted.c>
+ ${MCUBOOT_PATH}/boot/bootutil/src/swap_scratch.c
+ ${MCUBOOT_PATH}/boot/bootutil/src/swap_move.c
+ ${MCUBOOT_PATH}/boot/bootutil/src/swap_misc.c
+ ${MCUBOOT_PATH}/boot/bootutil/src/encrypted.c
)
set(MCUBOOT_ALLOWED_LOG_LEVELS OFF ERROR WARNING INFO DEBUG)
diff --git a/bl2/ext/mcuboot/bl2_main.c b/bl2/ext/mcuboot/bl2_main.c
index 7cbc9a5..e9fc75e 100644
--- a/bl2/ext/mcuboot/bl2_main.c
+++ b/bl2/ext/mcuboot/bl2_main.c
@@ -17,7 +17,6 @@
#include "mcuboot_config/mcuboot_config.h"
#include <assert.h>
-#include "bl2_util.h"
#include "target.h"
#include "tfm_hal_device_header.h"
#include "Driver_Flash.h"
@@ -27,7 +26,7 @@
#include "bootutil/bootutil.h"
#include "flash_map_backend/flash_map_backend.h"
#include "bootutil/boot_record.h"
-#include "security_cnt.h"
+#include "bootutil/security_cnt.h"
#include "boot_hal.h"
#include "region.h"
#if MCUBOOT_LOG_LEVEL > MCUBOOT_LOG_LEVEL_OFF
diff --git a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/boot_record.h b/bl2/ext/mcuboot/boot/bootutil/include/bootutil/boot_record.h
deleted file mode 100644
index c39d752..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/boot_record.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-
-#ifndef __BOOT_RECORD_H__
-#define __BOOT_RECORD_H__
-
-#include <stdint.h>
-#include <stddef.h>
-#include <limits.h>
-#include "bootutil/image.h"
-#include "flash_map/flash_map.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*!
- * \enum shared_data_err_t
- *
- * \brief Return values for adding data entry to shared memory area
- */
-enum shared_memory_err_t {
- SHARED_MEMORY_OK = 0,
- SHARED_MEMORY_OVERFLOW = 1,
- SHARED_MEMORY_OVERWRITE = 2,
- SHARED_MEMORY_GEN_ERROR = 3,
-
- /* This is used to force the maximum size */
- TLV_TYPE_MAX = INT_MAX
-};
-
-/*!
- * \enum boot_status_err_t
- *
- * \brief Return values for saving boot status information to shared memory area
- */
-enum boot_status_err_t {
- BOOT_STATUS_OK,
- BOOT_STATUS_ERROR,
-};
-
-/*!
- * \brief Add a data item to the shared data area between bootloader and
- * runtime SW
- *
- * \param[in] major_type TLV major type, identify consumer
- * \param[in] minor_type TLV minor type, identify TLV type
- * \param[in] size length of added data
- * \param[in] data pointer to data
- *
- * \return Returns error code as specified in \ref shared_memory_err_t
- */
-enum shared_memory_err_t
-boot_add_data_to_shared_area(uint8_t major_type,
- uint16_t minor_type,
- size_t size,
- const uint8_t *data);
-
-/*!
- * \brief Add an image's all boot status information to the shared data area
- * between bootloader and runtime SW
- *
- * \param[in] sw_module Identifier of the SW component
- * \param[in] hdr Pointer to the image header stored in RAM
- * \param[in] fap Pointer to the flash area where image is stored
- *
- * \return Returns error code as specified in \ref boot_status_err_t
- */
-enum boot_status_err_t
-boot_save_boot_status(uint8_t sw_module,
- const struct image_header *hdr,
- const struct flash_area *fap);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* __BOOT_RECORD_H__ */
diff --git a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/bootutil.h b/bl2/ext/mcuboot/boot/bootutil/include/bootutil/bootutil.h
deleted file mode 100644
index 92a9efc..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/bootutil.h
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-#ifndef H_BOOTUTIL_
-#define H_BOOTUTIL_
-
-#include <inttypes.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** Attempt to boot the contents of the primary slot. */
-#define BOOT_SWAP_TYPE_NONE 1
-
-/**
- * Swap to the secondary slot.
- * Absent a confirm command, revert back on next boot.
- */
-#define BOOT_SWAP_TYPE_TEST 2
-
-/**
- * Swap to the secondary slot,
- * and permanently switch to booting its contents.
- */
-#define BOOT_SWAP_TYPE_PERM 3
-
-/** Swap back to alternate slot. A confirm changes this state to NONE. */
-#define BOOT_SWAP_TYPE_REVERT 4
-
-/** Swap failed because image to be run is not valid */
-#define BOOT_SWAP_TYPE_FAIL 5
-
-/** Swapping encountered an unrecoverable error */
-#define BOOT_SWAP_TYPE_PANIC 0xff
-
-#define BOOT_MAX_ALIGN 8
-
-struct image_header;
-/**
- * A response object provided by the boot loader code; indicates where to jump
- * to execute the main image.
- */
-struct boot_rsp {
- /** A pointer to the header of the image to be executed. */
- const struct image_header *br_hdr;
-
- /**
- * The flash offset of the image to execute. Indicates the position of
- * the image header within its flash device.
- */
- uint8_t br_flash_dev_id;
- uint32_t br_image_off;
-};
-
-/* This is not actually used by mcuboot's code but can be used by apps
- * when attempting to read/write a trailer.
- */
-struct image_trailer {
- uint8_t swap_type;
- uint8_t pad1[BOOT_MAX_ALIGN - 1];
- uint8_t copy_done;
- uint8_t pad2[BOOT_MAX_ALIGN - 1];
- uint8_t image_ok;
- uint8_t pad3[BOOT_MAX_ALIGN - 1];
- uint8_t magic[16];
-};
-
-/* you must have pre-allocated all the entries within this structure */
-int boot_go(struct boot_rsp *rsp);
-
-struct boot_loader_state;
-int context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp);
-
-int boot_swap_type_multi(int image_index);
-int boot_swap_type(void);
-
-int boot_set_pending(int permanent);
-int boot_set_confirmed(void);
-
-#define SPLIT_GO_OK (0)
-#define SPLIT_GO_NON_MATCHING (-1)
-#define SPLIT_GO_ERR (-2)
-int
-split_go(int loader_slot, int split_slot, void **entry);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/bootutil_log.h b/bl2/ext/mcuboot/boot/bootutil/include/bootutil/bootutil_log.h
deleted file mode 100644
index c7bb70f..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/bootutil_log.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (c) 2017 Linaro Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef H_BOOTUTIL_LOG_H_
-#define H_BOOTUTIL_LOG_H_
-
-#include "ignore.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include <mcuboot_config/mcuboot_config.h>
-#include <mcuboot_config/mcuboot_logging.h>
-
-#ifdef MCUBOOT_HAVE_LOGGING
-
-#define BOOT_LOG_ERR(...) MCUBOOT_LOG_ERR(__VA_ARGS__)
-#define BOOT_LOG_WRN(...) MCUBOOT_LOG_WRN(__VA_ARGS__)
-#define BOOT_LOG_INF(...) MCUBOOT_LOG_INF(__VA_ARGS__)
-#define BOOT_LOG_DBG(...) MCUBOOT_LOG_DBG(__VA_ARGS__)
-
-#else
-
-#define BOOT_LOG_ERR(...) IGNORE(__VA_ARGS__)
-#define BOOT_LOG_WRN(...) IGNORE(__VA_ARGS__)
-#define BOOT_LOG_INF(...) IGNORE(__VA_ARGS__)
-#define BOOT_LOG_DBG(...) IGNORE(__VA_ARGS__)
-
-#endif /* MCUBOOT_HAVE_LOGGING */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/bootutil_test.h b/bl2/ext/mcuboot/boot/bootutil/include/bootutil/bootutil_test.h
deleted file mode 100644
index 4188bb1..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/bootutil_test.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-#ifndef H_BOOTUTIL_TEST_
-#define H_BOOTUTIL_TEST_
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-int boot_test_all(void);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/ignore.h b/bl2/ext/mcuboot/boot/bootutil/include/bootutil/ignore.h
deleted file mode 100644
index 4cc5430..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/ignore.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-#ifndef H_IGNORE_
-#define H_IGNORE_
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * These macros prevent the "set but not used" warnings for log writes below
- * the log level.
- */
-
-#define IGN_1(X) ((void)(X))
-#define IGN_2(X, ...) ((void)(X)); IGN_1(__VA_ARGS__)
-#define IGN_3(X, ...) ((void)(X)); IGN_2(__VA_ARGS__)
-#define IGN_4(X, ...) ((void)(X)); IGN_3(__VA_ARGS__)
-#define IGN_5(X, ...) ((void)(X)); IGN_4(__VA_ARGS__)
-#define IGN_6(X, ...) ((void)(X)); IGN_5(__VA_ARGS__)
-#define IGN_7(X, ...) ((void)(X)); IGN_6(__VA_ARGS__)
-#define IGN_8(X, ...) ((void)(X)); IGN_7(__VA_ARGS__)
-#define IGN_9(X, ...) ((void)(X)); IGN_8(__VA_ARGS__)
-#define IGN_10(X, ...) ((void)(X)); IGN_9(__VA_ARGS__)
-#define IGN_11(X, ...) ((void)(X)); IGN_10(__VA_ARGS__)
-#define IGN_12(X, ...) ((void)(X)); IGN_11(__VA_ARGS__)
-#define IGN_13(X, ...) ((void)(X)); IGN_12(__VA_ARGS__)
-#define IGN_14(X, ...) ((void)(X)); IGN_13(__VA_ARGS__)
-#define IGN_15(X, ...) ((void)(X)); IGN_14(__VA_ARGS__)
-#define IGN_16(X, ...) ((void)(X)); IGN_15(__VA_ARGS__)
-#define IGN_17(X, ...) ((void)(X)); IGN_16(__VA_ARGS__)
-#define IGN_18(X, ...) ((void)(X)); IGN_17(__VA_ARGS__)
-#define IGN_19(X, ...) ((void)(X)); IGN_18(__VA_ARGS__)
-#define IGN_20(X, ...) ((void)(X)); IGN_19(__VA_ARGS__)
-
-#define GET_MACRO(_1, _2, _3, _4, _5, _6, _7, _8, _9, _10, _11, _12, \
- _13, _14, _15, _16, _17, _18, _19, _20, NAME, ...) NAME
-#define IGNORE(...) \
- GET_MACRO(__VA_ARGS__, IGN_20, IGN_19, IGN_18, IGN_17, IGN_16, IGN_15, \
- IGN_14, IGN_13, IGN_12, IGN_11, IGN_10, IGN_9, IGN_8, IGN_7, \
- IGN_6, IGN_5, IGN_4, IGN_3, IGN_2, IGN_1)(__VA_ARGS__)
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/image.h b/bl2/ext/mcuboot/boot/bootutil/include/bootutil/image.h
deleted file mode 100644
index a3ebf91..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/image.h
+++ /dev/null
@@ -1,160 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/*
- * Original code taken from mcuboot project at:
- * https://github.com/JuulLabs-OSS/mcuboot
- * Git SHA of the original version: ac55554059147fff718015be9f4bd3108123f50a
- * Modifications are Copyright (c) 2018-2019 Arm Limited.
- */
-
-#ifndef H_IMAGE_
-#define H_IMAGE_
-
-#include <inttypes.h>
-#include <stdbool.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-struct flash_area;
-
-#define IMAGE_MAGIC 0x96f3b83d
-#define IMAGE_MAGIC_V1 0x96f3b83c
-#define IMAGE_MAGIC_NONE 0xffffffff
-#define IMAGE_TLV_INFO_MAGIC 0x6907
-#define IMAGE_TLV_PROT_INFO_MAGIC 0x6908
-
-#define IMAGE_HEADER_SIZE 32
-
-/*
- * Image header flags.
- */
-#define IMAGE_F_PIC 0x00000001 /* Not supported. */
-#define IMAGE_F_NON_BOOTABLE 0x00000010 /* Split image app. */
-/*
- * Indicates that this image should be loaded into RAM instead of run
- * directly from flash. The address to load should be in the
- * ih_load_addr field of the header.
- */
-#define IMAGE_F_RAM_LOAD 0x00000020
-
-/*
- * Image trailer TLV types.
- *
- * Signature is generated by computing signature over the image hash.
- * Currently the only image hash type is SHA256.
- *
- * Signature comes in the form of 2 TLVs.
- * 1st on identifies the public key which should be used to verify it.
- * 2nd one is the actual signature.
- */
-#define IMAGE_TLV_KEYHASH 0x01 /* hash of the public key */
-#define IMAGE_TLV_KEY 0x02 /* public key */
-#define IMAGE_TLV_SHA256 0x10 /* SHA256 of image hdr and body */
-#define IMAGE_TLV_RSA2048_PSS 0x20 /* RSA2048 of hash output */
-#define IMAGE_TLV_RSA3072_PSS 0x23 /* RSA3072 of hash output */
-#define IMAGE_TLV_DEPENDENCY 0x40 /* Image depends on other image */
-#define IMAGE_TLV_SEC_CNT 0x50 /* security counter */
-#define IMAGE_TLV_BOOT_RECORD 0x60 /* measured boot record */
-#define IMAGE_TLV_ANY 0xff /* Used to iterate over all TLV */
-
-#define IMAGE_VER_MAJOR_LENGTH 8
-#define IMAGE_VER_MINOR_LENGTH 8
-#define IMAGE_VER_REVISION_LENGTH 16
-#define IMAGE_VER_BUILD_NUM_LENGTH 32
-
-struct image_version {
- uint8_t iv_major;
- uint8_t iv_minor;
- uint16_t iv_revision;
- uint32_t iv_build_num;
-};
-
-struct image_dependency {
- uint8_t image_id; /* Image index (from 0) */
- uint8_t _pad1;
- uint16_t _pad2;
- struct image_version image_min_version; /* Indicates at minimum which
- * version of firmware must be
- * available to satisfy compliance
- */
-};
-
-/** Image header. All fields are in little endian byte order. */
-struct image_header {
- uint32_t ih_magic;
- uint32_t ih_load_addr;
- uint16_t ih_hdr_size; /* Size of image header (bytes). */
- uint16_t ih_protect_tlv_size; /* Size of protected TLV area (bytes). */
- uint32_t ih_img_size; /* Does not include header. */
- uint32_t ih_flags; /* IMAGE_F_[...]. */
- struct image_version ih_ver;
- uint32_t _pad1;
-};
-
-/** Image TLV header. All fields in little endian. */
-struct image_tlv_info {
- uint16_t it_magic;
- uint16_t it_tlv_tot; /* size of TLV area (including tlv_info header) */
-};
-
-/** Image trailer TLV format. All fields in little endian. */
-struct image_tlv {
- uint8_t it_type; /* IMAGE_TLV_[...]. */
- uint8_t _pad;
- uint16_t it_len; /* Data length (not including TLV header). */
-};
-
-_Static_assert(sizeof(struct image_header) == IMAGE_HEADER_SIZE,
- "struct image_header not required size");
-
-int bootutil_img_validate(int image_index,
- struct image_header *hdr,
- const struct flash_area *fap,
- uint8_t *tmp_buf, uint32_t tmp_buf_sz,
- uint8_t *seed, int seed_len, uint8_t *out_hash);
-
-struct image_tlv_iter {
- const struct image_header *hdr;
- const struct flash_area *fap;
- uint8_t type;
- bool prot;
- uint32_t prot_end;
- uint32_t tlv_off;
- uint32_t tlv_end;
-};
-
-int bootutil_tlv_iter_begin(struct image_tlv_iter *it,
- const struct image_header *hdr,
- const struct flash_area *fap, uint8_t type,
- bool prot);
-int bootutil_tlv_iter_next(struct image_tlv_iter *it, uint32_t *off,
- uint16_t *len, uint8_t *type);
-
-int32_t bootutil_get_img_security_cnt(struct image_header *hdr,
- const struct flash_area *fap,
- uint32_t *security_cnt);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/sha256.h b/bl2/ext/mcuboot/boot/bootutil/include/bootutil/sha256.h
deleted file mode 100644
index 545621e..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/sha256.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/*
- * This module provides a thin abstraction over some of the crypto
- * primitives to make it easier to swap out the used crypto library.
- *
- * At this point, only Mbed Crypto is supported.
- */
-
-/*
- * Original code taken from mcuboot project at:
- * https://github.com/JuulLabs-OSS/mcuboot
- * Git SHA of the original version: ac55554059147fff718015be9f4bd3108123f50a
- * Modifications are Copyright (c) 2019 Arm Limited.
- */
-
-#ifndef __BOOTUTIL_CRYPTO_H_
-#define __BOOTUTIL_CRYPTO_H_
-
-#include "mbedtls/sha256.h"
-
-#include <stdint.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef mbedtls_sha256_context bootutil_sha256_context;
-
-static inline void bootutil_sha256_init(bootutil_sha256_context *ctx)
-{
- mbedtls_sha256_init(ctx);
- (void)mbedtls_sha256_starts_ret(ctx, 0);
-}
-
-static inline void bootutil_sha256_update(bootutil_sha256_context *ctx,
- const void *data,
- uint32_t data_len)
-{
- (void)mbedtls_sha256_update_ret(ctx, data, data_len);
-}
-
-static inline void bootutil_sha256_finish(bootutil_sha256_context *ctx,
- uint8_t *output)
-{
- (void)mbedtls_sha256_finish_ret(ctx, output);
-}
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* __BOOTUTIL_SIGN_KEY_H_ */
diff --git a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/sign_key.h b/bl2/ext/mcuboot/boot/bootutil/include/bootutil/sign_key.h
deleted file mode 100644
index 7b87df8..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/include/bootutil/sign_key.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-#ifndef __BOOTUTIL_SIGN_KEY_H_
-#define __BOOTUTIL_SIGN_KEY_H_
-
-#include <stdint.h>
-#include "mcuboot_config/mcuboot_config.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#ifdef MCUBOOT_HW_KEY
-struct bootutil_key {
- uint8_t *key;
- unsigned int *len;
-};
-
-extern struct bootutil_key bootutil_keys[];
-#else
-struct bootutil_key {
- const uint8_t *key;
- const unsigned int *len;
-};
-
-extern const struct bootutil_key bootutil_keys[];
-#endif
-
-extern const int bootutil_key_cnt;
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* __BOOTUTIL_SIGN_KEY_H_ */
diff --git a/bl2/ext/mcuboot/boot/bootutil/src/boot_record.c b/bl2/ext/mcuboot/boot/bootutil/src/boot_record.c
deleted file mode 100644
index 534b9d8..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/src/boot_record.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-
-#include "mcuboot_config/mcuboot_config.h"
-#include "bootutil/boot_record.h"
-#include "region_defs.h"
-#include "tfm_boot_status.h"
-#include "target.h"
-#include "bootutil_priv.h"
-#include "bootutil/image.h"
-#include "bootutil/sha256.h"
-#include "flash_map/flash_map.h"
-#include <stdint.h>
-#include <string.h>
-#include <stdio.h>
-
-#define SHA256_HASH_SIZE (32u)
-#if defined(MCUBOOT_SIGN_RSA) && defined(MCUBOOT_HW_KEY)
-# define SIG_BUF_SIZE (MCUBOOT_SIGN_RSA_LEN / 8)
-#endif
-
-/*!
- * \var shared_memory_init_done
- *
- * \brief Indicates whether shared memory area was already initialized.
- *
- */
-static uint32_t shared_memory_init_done;
-
-/*!
- * \def SHARED_MEMORY_UNINITIALZED
- *
- * \brief Indicates that shared memory is uninitialized.
- */
-#define SHARED_MEMORY_UNINITIALZED (0u)
-
-/*!
- * \def SHARED_MEMORY_INITIALZED
- *
- * \brief Indicates that shared memory was already initialized.
- */
-#define SHARED_MEMORY_INITIALZED (1u)
-
-/* Compile time check to verify that shared data region is not overlapping with
- * non-secure data area.
- */
-#if ((BOOT_TFM_SHARED_DATA_BASE >= NS_DATA_START && \
- BOOT_TFM_SHARED_DATA_BASE <= NS_DATA_LIMIT) || \
- (BOOT_TFM_SHARED_DATA_LIMIT >= NS_DATA_START && \
- BOOT_TFM_SHARED_DATA_LIMIT <= NS_DATA_LIMIT))
-#error "Shared data area and non-secure data area is overlapping"
-#endif
-
-/* See in boot_record.h */
-enum shared_memory_err_t
-boot_add_data_to_shared_area(uint8_t major_type,
- uint16_t minor_type,
- size_t size,
- const uint8_t *data)
-{
- struct shared_data_tlv_entry tlv_entry = {0};
- struct tfm_boot_data *boot_data;
- uint8_t *next_tlv;
- uint16_t boot_data_size;
- uintptr_t tlv_end, offset;
-
- boot_data = (struct tfm_boot_data *)BOOT_TFM_SHARED_DATA_BASE;
-
- /* Check whether first time to call this function. If does then initialise
- * shared data area.
- */
- if (shared_memory_init_done == SHARED_MEMORY_UNINITIALZED) {
- memset((void *)BOOT_TFM_SHARED_DATA_BASE, 0, BOOT_TFM_SHARED_DATA_SIZE);
- boot_data->header.tlv_magic = SHARED_DATA_TLV_INFO_MAGIC;
- boot_data->header.tlv_tot_len = SHARED_DATA_HEADER_SIZE;
- shared_memory_init_done = SHARED_MEMORY_INITIALZED;
- }
-
- /* Check whether TLV entry is already added.
- * Get the boundaries of TLV section
- */
- tlv_end = BOOT_TFM_SHARED_DATA_BASE + boot_data->header.tlv_tot_len;
- offset = BOOT_TFM_SHARED_DATA_BASE + SHARED_DATA_HEADER_SIZE;
-
- /* Iterates over the TLV section looks for the same entry if found then
- * returns with error: SHARED_MEMORY_OVERWRITE
- */
- for (; offset < tlv_end; offset += tlv_entry.tlv_len) {
- /* Create local copy to avoid unaligned access */
- memcpy(&tlv_entry, (const void *)offset, SHARED_DATA_ENTRY_HEADER_SIZE);
- if (GET_MAJOR(tlv_entry.tlv_type) == major_type &&
- GET_MINOR(tlv_entry.tlv_type) == minor_type) {
- return SHARED_MEMORY_OVERWRITE;
- }
- }
-
- /* Add TLV entry */
- tlv_entry.tlv_type = SET_TLV_TYPE(major_type, minor_type);
- tlv_entry.tlv_len = SHARED_DATA_ENTRY_SIZE(size);
-
- if (!boot_u16_safe_add(&boot_data_size, boot_data->header.tlv_tot_len,
- tlv_entry.tlv_len)) {
- return SHARED_MEMORY_GEN_ERROR;
- }
-
- /* Verify overflow of shared area */
- if (boot_data_size > BOOT_TFM_SHARED_DATA_SIZE) {
- return SHARED_MEMORY_OVERFLOW;
- }
-
- next_tlv = (uint8_t *)boot_data + boot_data->header.tlv_tot_len;
- memcpy(next_tlv, &tlv_entry, SHARED_DATA_ENTRY_HEADER_SIZE);
-
- next_tlv += SHARED_DATA_ENTRY_HEADER_SIZE;
- memcpy(next_tlv, data, size);
-
- boot_data->header.tlv_tot_len += tlv_entry.tlv_len;
-
- return SHARED_MEMORY_OK;
-}
-
-/* See in boot_record.h */
-enum boot_status_err_t
-boot_save_boot_status(uint8_t sw_module,
- const struct image_header *hdr,
- const struct flash_area *fap)
-{
- struct image_tlv_iter it;
- uint32_t offset;
- uint16_t len;
- uint8_t type;
- size_t record_len = 0;
- uint8_t image_hash[32]; /* SHA256 - 32 Bytes */
- uint8_t buf[MAX_BOOT_RECORD_SZ];
- uint32_t boot_record_found = 0;
- uint32_t hash_found = 0;
- uint16_t ias_minor;
- int32_t res;
- enum shared_memory_err_t res2;
-
- /* Manifest data is concatenated to the end of the image.
- * It is encoded in TLV format.
- */
-
- res = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false);
- if (res) {
- return BOOT_STATUS_ERROR;
- }
-
- /* Traverse through the TLV area to find the boot record
- * and image hash TLVs.
- */
- while (true) {
- res = bootutil_tlv_iter_next(&it, &offset, &len, &type);
- if (res < 0) {
- return BOOT_STATUS_ERROR;
- } else if (res > 0) {
- break;
- }
-
- if (type == IMAGE_TLV_BOOT_RECORD) {
- if (len > sizeof(buf)) {
- return BOOT_STATUS_ERROR;
- }
- res = LOAD_IMAGE_DATA(hdr, fap, offset, buf, len);
- if (res) {
- return BOOT_STATUS_ERROR;
- }
-
- record_len = len;
- boot_record_found = 1;
-
- } else if (type == IMAGE_TLV_SHA256) {
- /* Get the image's hash value from the manifest section. */
- if (len > sizeof(image_hash)) {
- return BOOT_STATUS_ERROR;
- }
- res = LOAD_IMAGE_DATA(hdr, fap, offset, image_hash, len);
- if (res) {
- return BOOT_STATUS_ERROR;
- }
-
- hash_found = 1;
-
- /* The boot record TLV is part of the protected TLV area which is
- * located before the other parts of the TLV area (including the
- * image hash) so at this point it is okay to break the loop
- * as the boot record TLV should have already been found.
- */
- break;
- }
- }
-
-
- if (!boot_record_found || !hash_found) {
- return BOOT_STATUS_ERROR;
- }
-
- /* Update the measurement value (hash of the image) data item in the
- * boot record. It is always the last item in the structure to make
- * it easy to calculate its position.
- * The image hash is computed over the image header, the image itself and
- * the protected TLV area (which should already include the image hash as
- * part of the boot record TLV). For this reason this field has been
- * filled with zeros during the image signing process.
- */
- offset = record_len - sizeof(image_hash);
- /* Avoid buffer overflow. */
- if ((offset + sizeof(image_hash)) > sizeof(buf)) {
- return BOOT_STATUS_ERROR;
- }
- memcpy(buf + offset, image_hash, sizeof(image_hash));
-
- /* Add the CBOR encoded boot record to the shared data area. */
- ias_minor = SET_IAS_MINOR(sw_module, SW_BOOT_RECORD);
- res2 = boot_add_data_to_shared_area(TLV_MAJOR_IAS,
- ias_minor,
- record_len,
- buf);
- if (res2) {
- return BOOT_STATUS_ERROR;
- }
-
- return BOOT_STATUS_OK;
-}
diff --git a/bl2/ext/mcuboot/boot/bootutil/src/bootutil_misc.c b/bl2/ext/mcuboot/boot/bootutil/src/bootutil_misc.c
deleted file mode 100644
index 812443a..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/src/bootutil_misc.c
+++ /dev/null
@@ -1,701 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/*
- * Original code taken from mcuboot project at:
- * https://github.com/JuulLabs-OSS/mcuboot
- * Git SHA of the original version: ac55554059147fff718015be9f4bd3108123f50a
- * Modifications are Copyright (c) 2019-2020 Arm Limited.
- */
-
-#include <assert.h>
-#include <string.h>
-#include <inttypes.h>
-#include <stddef.h>
-#include <stdbool.h>
-
-#include "sysflash/sysflash.h"
-#include "flash_map/flash_map.h"
-#include "flash_map_backend/flash_map_backend.h"
-
-#include "bootutil/image.h"
-#include "bootutil/bootutil.h"
-#include "bootutil_priv.h"
-#include "bootutil/bootutil_log.h"
-
-/* Currently only used by imgmgr */
-int boot_current_slot;
-
-const uint32_t boot_img_magic[] = {
- 0xf395c277,
- 0x7fefd260,
- 0x0f505235,
- 0x8079b62c,
-};
-
-#define BOOT_MAGIC_ARR_SZ \
- (sizeof boot_img_magic / sizeof boot_img_magic[0])
-
-struct boot_swap_table {
- uint8_t magic_primary_slot;
- uint8_t magic_secondary_slot;
- uint8_t image_ok_primary_slot;
- uint8_t image_ok_secondary_slot;
- uint8_t copy_done_primary_slot;
-
- uint8_t swap_type;
-};
-
-/**
- * This set of tables maps image trailer contents to swap operation type.
- * When searching for a match, these tables must be iterated sequentially.
- *
- * NOTE: the table order is very important. The settings in the secondary
- * slot always are priority to the primary slot and should be located
- * earlier in the table.
- *
- * The table lists only states where there is action needs to be taken by
- * the bootloader, as in starting/finishing a swap operation.
- */
-static const struct boot_swap_table boot_swap_tables[] = {
- {
- .magic_primary_slot = BOOT_MAGIC_ANY,
- .magic_secondary_slot = BOOT_MAGIC_GOOD,
- .image_ok_primary_slot = BOOT_FLAG_ANY,
- .image_ok_secondary_slot = BOOT_FLAG_UNSET,
- .copy_done_primary_slot = BOOT_FLAG_ANY,
- .swap_type = BOOT_SWAP_TYPE_TEST,
- },
- {
- .magic_primary_slot = BOOT_MAGIC_ANY,
- .magic_secondary_slot = BOOT_MAGIC_GOOD,
- .image_ok_primary_slot = BOOT_FLAG_ANY,
- .image_ok_secondary_slot = BOOT_FLAG_SET,
- .copy_done_primary_slot = BOOT_FLAG_ANY,
- .swap_type = BOOT_SWAP_TYPE_PERM,
- },
- {
- .magic_primary_slot = BOOT_MAGIC_GOOD,
- .magic_secondary_slot = BOOT_MAGIC_UNSET,
- .image_ok_primary_slot = BOOT_FLAG_UNSET,
- .image_ok_secondary_slot = BOOT_FLAG_ANY,
- .copy_done_primary_slot = BOOT_FLAG_SET,
- .swap_type = BOOT_SWAP_TYPE_REVERT,
- },
-};
-
-#define BOOT_SWAP_TABLES_COUNT \
- (sizeof(boot_swap_tables) / sizeof(boot_swap_tables[0]))
-
-/**
- * @brief Determine if the data at two memory addresses is equal
- *
- * @param s1 The first memory region to compare.
- * @param s2 The second memory region to compare.
- * @param n The amount of bytes to compare.
- *
- * @note This function does not comply with the specification of memcmp,
- * so should not be considered a drop-in replacement.
- *
- * @return 0 if memory regions are equal.
- */
-uint32_t boot_secure_memequal(const void *s1, const void *s2, size_t n)
-{
- size_t i;
- uint8_t *s1_p = (uint8_t*) s1;
- uint8_t *s2_p = (uint8_t*) s2;
- uint32_t ret = 0;
-
- for (i = 0; i < n; i++) {
- ret |= (s1_p[i] ^ s2_p[i]);
- }
-
- return ret;
-}
-
-static int
-boot_magic_decode(const uint32_t *magic)
-{
- if (boot_secure_memequal(magic, boot_img_magic, BOOT_MAGIC_SZ) == 0) {
- return BOOT_MAGIC_GOOD;
- }
- return BOOT_MAGIC_BAD;
-}
-
-static int
-boot_flag_decode(uint8_t flag)
-{
- if (flag != BOOT_FLAG_SET) {
- return BOOT_FLAG_BAD;
- }
- return BOOT_FLAG_SET;
-}
-
-/**
- * Determines if a status source table is satisfied by the specified magic
- * code.
- *
- * @param tbl_val A magic field from a status source table.
- * @param val The magic value in a trailer, encoded as a
- * BOOT_MAGIC_[...].
- *
- * @return 1 if the two values are compatible;
- * 0 otherwise.
- */
-int
-boot_magic_compatible_check(uint8_t tbl_val, uint8_t val)
-{
- switch (tbl_val) {
- case BOOT_MAGIC_ANY:
- return 1;
-
- case BOOT_MAGIC_NOTGOOD:
- return val != BOOT_MAGIC_GOOD;
-
- default:
- return tbl_val == val;
- }
-}
-
-uint32_t
-boot_trailer_sz(uint32_t min_write_sz)
-{
- return /* state for all sectors */
- BOOT_STATUS_MAX_ENTRIES * BOOT_STATUS_STATE_COUNT * min_write_sz +
- /* swap_type + copy_done + image_ok + swap_size */
- BOOT_MAX_ALIGN * 4 +
- BOOT_MAGIC_SZ;
-}
-
-int
-boot_status_entries(int image_index, const struct flash_area *fap)
-{
- if (fap->fa_id == FLASH_AREA_IMAGE_SCRATCH) {
- return BOOT_STATUS_STATE_COUNT;
- } else if ((fap->fa_id == FLASH_AREA_IMAGE_PRIMARY(image_index)) ||
- (fap->fa_id == FLASH_AREA_IMAGE_SECONDARY(image_index))) {
- return BOOT_STATUS_STATE_COUNT * BOOT_STATUS_MAX_ENTRIES;
- }
- return -1;
-}
-
-uint32_t
-boot_status_off(const struct flash_area *fap)
-{
- uint32_t off_from_end;
- uint32_t elem_sz;
-
- elem_sz = flash_area_align(fap);
-
- off_from_end = boot_trailer_sz(elem_sz);
-
- assert(off_from_end <= fap->fa_size);
- return fap->fa_size - off_from_end;
-}
-
-static inline uint32_t
-boot_magic_off(const struct flash_area *fap)
-{
- return fap->fa_size - BOOT_MAGIC_SZ;
-}
-
-static inline uint32_t
-boot_image_ok_off(const struct flash_area *fap)
-{
- return boot_magic_off(fap) - BOOT_MAX_ALIGN;
-}
-
-static inline uint32_t
-boot_copy_done_off(const struct flash_area *fap)
-{
- return boot_image_ok_off(fap) - BOOT_MAX_ALIGN;
-}
-
-uint32_t
-boot_swap_info_off(const struct flash_area *fap)
-{
- return boot_copy_done_off(fap) - BOOT_MAX_ALIGN;
-}
-
-static inline uint32_t
-boot_swap_size_off(const struct flash_area *fap)
-{
- return boot_swap_info_off(fap) - BOOT_MAX_ALIGN;
-}
-
-int
-boot_read_swap_state(const struct flash_area *fap,
- struct boot_swap_state *state)
-{
- uint32_t magic[BOOT_MAGIC_ARR_SZ];
- uint32_t off;
- uint8_t swap_info;
- int rc;
-
- off = boot_magic_off(fap);
- rc = flash_area_read_is_empty(fap, off, magic, BOOT_MAGIC_SZ);
- if (rc < 0) {
- return BOOT_EFLASH;
- }
- if (rc == 1) {
- state->magic = BOOT_MAGIC_UNSET;
- } else {
- state->magic = boot_magic_decode(magic);
- }
-
- off = boot_swap_info_off(fap);
- rc = flash_area_read_is_empty(fap, off, &swap_info, sizeof swap_info);
- if (rc < 0) {
- return BOOT_EFLASH;
- }
-
- /* Extract the swap type and image number */
- state->swap_type = BOOT_GET_SWAP_TYPE(swap_info);
- state->image_num = BOOT_GET_IMAGE_NUM(swap_info);
-
- if (rc == 1 || state->swap_type > BOOT_SWAP_TYPE_REVERT) {
- state->swap_type = BOOT_SWAP_TYPE_NONE;
- state->image_num = 0;
- }
-
- off = boot_copy_done_off(fap);
- rc = flash_area_read_is_empty(fap, off, &state->copy_done,
- sizeof state->copy_done);
- if (rc < 0) {
- return BOOT_EFLASH;
- }
- if (rc == 1) {
- state->copy_done = BOOT_FLAG_UNSET;
- } else {
- state->copy_done = boot_flag_decode(state->copy_done);
- }
-
- off = boot_image_ok_off(fap);
- rc = flash_area_read_is_empty(fap, off, &state->image_ok,
- sizeof state->image_ok);
- if (rc < 0) {
- return BOOT_EFLASH;
- }
- if (rc == 1) {
- state->image_ok = BOOT_FLAG_UNSET;
- } else {
- state->image_ok = boot_flag_decode(state->image_ok);
- }
-
- return 0;
-}
-
-/**
- * Reads the image trailer from the scratch area.
- */
-int
-boot_read_swap_state_by_id(int flash_area_id, struct boot_swap_state *state)
-{
- const struct flash_area *fap;
- int rc;
-
- rc = flash_area_open(flash_area_id, &fap);
- if (rc != 0) {
- return BOOT_EFLASH;
- }
-
- rc = boot_read_swap_state(fap, state);
- flash_area_close(fap);
- return rc;
-}
-
-/**
- * This functions tries to locate the status area after an aborted swap,
- * by looking for the magic in the possible locations.
- *
- * If the magic is sucessfully found, a flash_area * is returned and it
- * is the responsibility of the called to close it.
- *
- * @returns 0 on success, -1 on errors
- */
-static int
-boot_find_status(int image_index, const struct flash_area **fap)
-{
- uint32_t magic[BOOT_MAGIC_ARR_SZ];
- uint32_t off;
- uint8_t areas[2] = {
- FLASH_AREA_IMAGE_PRIMARY(image_index),
- FLASH_AREA_IMAGE_SCRATCH,
- };
- unsigned int i;
- int rc;
-
- /*
- * In the middle a swap, tries to locate the area that is currently
- * storing a valid magic, first on the primary slot, then on scratch.
- * Both "slots" can end up being temporary storage for a swap and it
- * is assumed that if magic is valid then other metadata is too,
- * because magic is always written in the last step.
- */
-
- for (i = 0; i < sizeof(areas) / sizeof(areas[0]); i++) {
- rc = flash_area_open(areas[i], fap);
- if (rc != 0) {
- return rc;
- }
-
- off = boot_magic_off(*fap);
- rc = flash_area_read(*fap, off, magic, BOOT_MAGIC_SZ);
- if (rc != 0) {
- flash_area_close(*fap);
- return rc;
- }
-
- if (boot_secure_memequal(magic, boot_img_magic, BOOT_MAGIC_SZ) == 0) {
- return 0;
- }
-
- flash_area_close(*fap);
- }
-
- /* If we got here, no magic was found */
- return -1;
-}
-
-int
-boot_read_swap_size(int image_index, uint32_t *swap_size)
-{
- uint32_t off;
- const struct flash_area *fap;
- int rc;
-
- rc = boot_find_status(image_index, &fap);
- if (rc == 0) {
- off = boot_swap_size_off(fap);
- rc = flash_area_read(fap, off, swap_size, sizeof *swap_size);
- flash_area_close(fap);
- }
-
- return rc;
-}
-
-int
-boot_write_magic(const struct flash_area *fap)
-{
- uint32_t off;
- int rc;
-
- off = boot_magic_off(fap);
-
- BOOT_LOG_DBG("writing magic; fa_id=%d off=0x%lx (0x%lx)",
- fap->fa_id, (unsigned long)off,
- (unsigned long)(fap->fa_off + off));
- rc = flash_area_write(fap, off, boot_img_magic, BOOT_MAGIC_SZ);
- if (rc != 0) {
- return BOOT_EFLASH;
- }
-
- return 0;
-}
-
-/**
- * Write trailer data; status bytes, swap_size, etc
- *
- * @returns 0 on success, != 0 on error.
- */
-static int
-boot_write_trailer(const struct flash_area *fap, uint32_t off,
- const uint8_t *inbuf, uint8_t inlen)
-{
- uint8_t buf[BOOT_MAX_ALIGN];
- uint8_t align;
- uint8_t erased_val;
- int rc;
-
- align = flash_area_align(fap);
- if (inlen > BOOT_MAX_ALIGN || align > BOOT_MAX_ALIGN) {
- return -1;
- }
- erased_val = flash_area_erased_val(fap);
- if (align < inlen) {
- align = inlen;
- }
- memcpy(buf, inbuf, inlen);
- memset(&buf[inlen], erased_val, align - inlen);
-
- rc = flash_area_write(fap, off, buf, align);
- if (rc != 0) {
- return BOOT_EFLASH;
- }
-
- return 0;
-}
-
-static int
-boot_write_trailer_flag(const struct flash_area *fap, uint32_t off,
- uint8_t flag_val)
-{
- const uint8_t buf[1] = { flag_val };
- return boot_write_trailer(fap, off, buf, 1);
-}
-
-int
-boot_write_copy_done(const struct flash_area *fap)
-{
- uint32_t off;
-
- off = boot_copy_done_off(fap);
- BOOT_LOG_DBG("writing copy_done; fa_id=%d off=0x%lx (0x%lx)",
- fap->fa_id, (unsigned long)off,
- (unsigned long)(fap->fa_off + off));
- return boot_write_trailer_flag(fap, off, BOOT_FLAG_SET);
-}
-
-int
-boot_write_image_ok(const struct flash_area *fap)
-{
- uint32_t off;
-
- off = boot_image_ok_off(fap);
- BOOT_LOG_DBG("writing image_ok; fa_id=%d off=0x%lx (0x%lx)",
- fap->fa_id, (unsigned long)off,
- (unsigned long)(fap->fa_off + off));
- return boot_write_trailer_flag(fap, off, BOOT_FLAG_SET);
-}
-
-/**
- * Writes the specified value to the `swap-type` field of an image trailer.
- * This value is persisted so that the boot loader knows what swap operation to
- * resume in case of an unexpected reset.
- */
-int
-boot_write_swap_info(const struct flash_area *fap, uint8_t swap_type,
- uint8_t image_num)
-{
- uint32_t off;
- uint8_t swap_info;
-
- BOOT_SET_SWAP_INFO(swap_info, image_num, swap_type);
- off = boot_swap_info_off(fap);
- BOOT_LOG_DBG("writing swap_info; fa_id=%d off=0x%lx (0x%lx), swap_type=0x%x"
- " image_num=0x%x",
- fap->fa_id, (unsigned long)off,
- (unsigned long)(fap->fa_off + off), swap_type, image_num);
- return boot_write_trailer(fap, off, (const uint8_t *) &swap_info, 1);
-}
-
-int
-boot_write_swap_size(const struct flash_area *fap, uint32_t swap_size)
-{
- uint32_t off;
-
- off = boot_swap_size_off(fap);
- BOOT_LOG_DBG("writing swap_size; fa_id=%d off=0x%lx (0x%lx)",
- fap->fa_id, (unsigned long)off,
- (unsigned long)fap->fa_off + off);
- return boot_write_trailer(fap, off, (const uint8_t *) &swap_size, 4);
-}
-
-int
-boot_swap_type_multi(int image_index)
-{
- const struct boot_swap_table *table;
- struct boot_swap_state primary_slot;
- struct boot_swap_state secondary_slot;
- int rc;
- size_t i;
-
- rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_PRIMARY(image_index),
- &primary_slot);
- if (rc) {
- return BOOT_SWAP_TYPE_PANIC;
- }
-
- rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SECONDARY(image_index),
- &secondary_slot);
- if (rc) {
- return BOOT_SWAP_TYPE_PANIC;
- }
-
- for (i = 0; i < BOOT_SWAP_TABLES_COUNT; i++) {
- table = boot_swap_tables + i;
-
- if (boot_magic_compatible_check(table->magic_primary_slot,
- primary_slot.magic) &&
- boot_magic_compatible_check(table->magic_secondary_slot,
- secondary_slot.magic) &&
- (table->image_ok_primary_slot == BOOT_FLAG_ANY ||
- table->image_ok_primary_slot == primary_slot.image_ok) &&
- (table->image_ok_secondary_slot == BOOT_FLAG_ANY ||
- table->image_ok_secondary_slot == secondary_slot.image_ok) &&
- (table->copy_done_primary_slot == BOOT_FLAG_ANY ||
- table->copy_done_primary_slot == primary_slot.copy_done)) {
- BOOT_LOG_INF("Swap type: %s",
- table->swap_type == BOOT_SWAP_TYPE_TEST ? "test" :
- table->swap_type == BOOT_SWAP_TYPE_PERM ? "perm" :
- table->swap_type == BOOT_SWAP_TYPE_REVERT ? "revert" :
- "BUG; can't happen");
- if (table->swap_type != BOOT_SWAP_TYPE_TEST &&
- table->swap_type != BOOT_SWAP_TYPE_PERM &&
- table->swap_type != BOOT_SWAP_TYPE_REVERT) {
- return BOOT_SWAP_TYPE_PANIC;
- }
- return table->swap_type;
- }
- }
-
- BOOT_LOG_INF("Swap type: none");
- return BOOT_SWAP_TYPE_NONE;
-}
-
-/*
- * This function is not used by the bootloader itself, but its required API
- * by external tooling like mcumgr.
- */
-int
-boot_swap_type(void)
-{
- return boot_swap_type_multi(0);
-}
-
-/**
- * Marks the image in the secondary slot as pending. On the next reboot,
- * the system will perform a one-time boot of the the secondary slot image.
- *
- * @param permanent Whether the image should be used permanently or
- * only tested once:
- * 0=run image once, then confirm or revert.
- * 1=run image forever.
- *
- * @return 0 on success; nonzero on failure.
- */
-int
-boot_set_pending(int permanent)
-{
- const struct flash_area *fap = NULL;
- struct boot_swap_state state_secondary_slot;
- uint8_t swap_type;
- int rc;
-
- rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SECONDARY(0),
- &state_secondary_slot);
- if (rc != 0) {
- return rc;
- }
-
- switch (state_secondary_slot.magic) {
- case BOOT_MAGIC_GOOD:
- /* Swap already scheduled. */
- return 0;
-
- case BOOT_MAGIC_UNSET:
- rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY(0), &fap);
- if (rc != 0) {
- rc = BOOT_EFLASH;
- } else {
- rc = boot_write_magic(fap);
- }
-
- if (rc == 0 && permanent) {
- rc = boot_write_image_ok(fap);
- }
-
- if (rc == 0) {
- if (permanent) {
- swap_type = BOOT_SWAP_TYPE_PERM;
- } else {
- swap_type = BOOT_SWAP_TYPE_TEST;
- }
- rc = boot_write_swap_info(fap, swap_type, 0);
- }
-
- flash_area_close(fap);
- return rc;
-
- case BOOT_MAGIC_BAD:
- /* The image slot is corrupt. There is no way to recover, so erase the
- * slot to allow future upgrades.
- */
- rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY(0), &fap);
- if (rc != 0) {
- return BOOT_EFLASH;
- }
-
- flash_area_erase(fap, 0, fap->fa_size);
- flash_area_close(fap);
- return BOOT_EBADIMAGE;
-
- default:
- assert(0);
- return BOOT_EBADIMAGE;
- }
-}
-
-/**
- * Marks the image in the primary slot as confirmed. The system will continue
- * booting into the image in the primary slot until told to boot from a
- * different slot.
- *
- * @return 0 on success; non-zero on failure.
- */
-int
-boot_set_confirmed(void)
-{
- const struct flash_area *fap = NULL;
- struct boot_swap_state state_primary_slot;
- int rc;
-
- rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_PRIMARY(0),
- &state_primary_slot);
- if (rc != 0) {
- return rc;
- }
-
- switch (state_primary_slot.magic) {
- case BOOT_MAGIC_GOOD:
- /* Confirm needed; proceed. */
- break;
-
- case BOOT_MAGIC_UNSET:
- /* Already confirmed. */
- return 0;
-
- case BOOT_MAGIC_BAD:
- /* Unexpected state. */
- return BOOT_EBADVECT;
- }
-
- rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(0), &fap);
- if (rc) {
- rc = BOOT_EFLASH;
- goto done;
- }
-
- if (state_primary_slot.copy_done == BOOT_FLAG_UNSET) {
- /* Swap never completed. This is unexpected. */
- rc = BOOT_EBADVECT;
- goto done;
- }
-
- if (state_primary_slot.image_ok != BOOT_FLAG_UNSET) {
- /* Already confirmed. */
- goto done;
- }
-
- rc = boot_write_image_ok(fap);
-
-done:
- flash_area_close(fap);
- return rc;
-}
diff --git a/bl2/ext/mcuboot/boot/bootutil/src/bootutil_priv.h b/bl2/ext/mcuboot/boot/bootutil/src/bootutil_priv.h
deleted file mode 100644
index a55b50d..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/src/bootutil_priv.h
+++ /dev/null
@@ -1,384 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/*
- * Original code taken from mcuboot project at:
- * https://github.com/JuulLabs-OSS/mcuboot
- * Git SHA of the original version: ac55554059147fff718015be9f4bd3108123f50a
- * Modifications are Copyright (c) 2018-2020 Arm Limited.
- */
-
-#ifndef H_BOOTUTIL_PRIV_
-#define H_BOOTUTIL_PRIV_
-
-#include <stdbool.h>
-#include "flash_map/flash_map.h"
-#include "bootutil/bootutil.h"
-#include "bootutil/image.h"
-#include "flash_layout.h"
-#include "mcuboot_config/mcuboot_config.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#ifdef MCUBOOT_HAVE_ASSERT_H
-#include "mcuboot_config/mcuboot_assert.h"
-#else
-#define ASSERT assert
-#endif
-
-struct flash_area;
-
-#define BOOT_EFLASH 1
-#define BOOT_EFILE 2
-#define BOOT_EBADIMAGE 3
-#define BOOT_EBADVECT 4
-#define BOOT_EBADSTATUS 5
-#define BOOT_ENOMEM 6
-#define BOOT_EBADARGS 7
-#define BOOT_EBADVERSION 8
-#define BOOT_EBADMAGIC 9
-
-#define BOOT_TMPBUF_SZ 256
-
-/*
- * Maintain state of copy progress.
- */
-struct boot_status {
- uint32_t idx; /* Which area we're operating on */
- uint8_t state; /* Which part of the swapping process are we at */
- uint8_t use_scratch; /* Are status bytes ever written to scratch? */
- uint8_t swap_type; /* The type of swap in effect */
- uint32_t swap_size; /* Total size of swapped image */
-};
-
-#define BOOT_MAGIC_GOOD 1
-#define BOOT_MAGIC_BAD 2
-#define BOOT_MAGIC_UNSET 3
-#define BOOT_MAGIC_ANY 4 /* NOTE: control only, not dependent on sector */
-#define BOOT_MAGIC_NOTGOOD 5 /* NOTE: control only, not dependent on sector */
-
-/*
- * NOTE: leave BOOT_FLAG_SET equal to one, this is written to flash!
- */
-#define BOOT_FLAG_SET 1
-#define BOOT_FLAG_BAD 2
-#define BOOT_FLAG_UNSET 3
-#define BOOT_FLAG_ANY 4 /* NOTE: control only, not dependent on sector */
-
-#define BOOT_STATUS_IDX_0 1
-
-#define BOOT_STATUS_STATE_0 1
-#define BOOT_STATUS_STATE_1 2
-#define BOOT_STATUS_STATE_2 3
-
-/**
- * End-of-image slot structure.
- *
- * 0 1 2 3
- * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * ~ ~
- * ~ Swap status (BOOT_MAX_IMG_SECTORS * min-write-size * 3) ~
- * ~ ~
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * | Swap size (4 octets) |
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * | Swap info | 0xff padding (7 octets) |
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * | Copy done | 0xff padding (7 octets) |
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * | Image OK | 0xff padding (7 octets) |
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * | MAGIC (16 octets) |
- * | |
- * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- */
-
-extern const uint32_t boot_img_magic[4];
-
-struct boot_swap_state {
- uint8_t magic; /* One of the BOOT_MAGIC_[...] values. */
- uint8_t swap_type; /* One of the BOOT_SWAP_TYPE_[...] values. */
- uint8_t copy_done; /* One of the BOOT_FLAG_[...] values. */
- uint8_t image_ok; /* One of the BOOT_FLAG_[...] values. */
- uint8_t image_num; /* Boot status belongs to this image */
-};
-
-#ifdef MCUBOOT_IMAGE_NUMBER
-#define BOOT_IMAGE_NUMBER MCUBOOT_IMAGE_NUMBER
-#else
-#define BOOT_IMAGE_NUMBER 1
-#endif
-
-_Static_assert(BOOT_IMAGE_NUMBER > 0, "Invalid value for BOOT_IMAGE_NUMBER");
-
-#define BOOT_MAX_IMG_SECTORS MCUBOOT_MAX_IMG_SECTORS
-
-/*
- * Extract the swap type and image number from image trailers's swap_info
- * field.
- */
-#define SWAP_INFO_SWAP_TYPE_MASK (0x0Fu)
-#define SWAP_INFO_SWAP_TYPE_POS (0)
-#define SWAP_INFO_IMAGE_NUM_MASK (0xF0u)
-#define SWAP_INFO_IMAGE_NUM_POS (4)
-
-#define BOOT_GET_SWAP_TYPE(swap_info) ((swap_info) & SWAP_INFO_SWAP_TYPE_MASK)
-#define BOOT_GET_IMAGE_NUM(swap_info) ((swap_info) >> SWAP_INFO_IMAGE_NUM_POS)
-
-/* Construct the swap_info field from swap type and image number */
-#define BOOT_SET_SWAP_INFO(swap_info, image, type) { \
- assert(((image) & (SWAP_INFO_IMAGE_NUM_MASK >> \
- SWAP_INFO_IMAGE_NUM_POS)) == (image)); \
- assert(((type) & SWAP_INFO_SWAP_TYPE_MASK) == (type)); \
- (swap_info) = (image) << SWAP_INFO_IMAGE_NUM_POS \
- | (type); \
- }
-
-/*
- * The current flashmap API does not check the amount of space allocated when
- * loading sector data from the flash device, allowing for smaller counts here
- * would most surely incur in overruns.
- *
- * TODO: make flashmap API receive the current sector array size.
- */
-#if BOOT_MAX_IMG_SECTORS < 32
-#error "Too few sectors, please increase BOOT_MAX_IMG_SECTORS to at least 32"
-#endif
-
-/** Number of image slots in flash; currently limited to two. */
-#define BOOT_NUM_SLOTS 2
-
-/** Maximum number of image sectors supported by the bootloader. */
-#define BOOT_STATUS_STATE_COUNT 3
-#define BOOT_STATUS_MAX_ENTRIES MCUBOOT_STATUS_MAX_ENTRIES
-
-#define BOOT_PRIMARY_SLOT 0
-#define BOOT_SECONDARY_SLOT 1
-
-#define BOOT_STATUS_SOURCE_NONE 0
-#define BOOT_STATUS_SOURCE_SCRATCH 1
-#define BOOT_STATUS_SOURCE_PRIMARY_SLOT 2
-
-#define BOOT_MAGIC_SZ (sizeof boot_img_magic)
-
-/**
- * Compatibility shim for flash sector type.
- *
- * This can be deleted when flash_area_to_sectors() is removed.
- */
-#ifdef MCUBOOT_USE_FLASH_AREA_GET_SECTORS
-typedef struct flash_sector boot_sector_t;
-#else
-typedef struct flash_area boot_sector_t;
-#endif
-
-/** Private state maintained during boot. */
-struct boot_loader_state {
- struct {
- struct image_header hdr;
- const struct flash_area *area;
- boot_sector_t *sectors;
- size_t num_sectors;
- bool is_hdr_valid;
- } imgs[BOOT_IMAGE_NUMBER][BOOT_NUM_SLOTS];
-
- struct {
- const struct flash_area *area;
- boot_sector_t *sectors;
- size_t num_sectors;
- } scratch;
-
- uint8_t swap_type[BOOT_IMAGE_NUMBER];
- uint32_t write_sz;
-
-#if (BOOT_IMAGE_NUMBER > 1)
- uint8_t curr_img_idx;
-#endif
-};
-
-uint32_t boot_secure_memequal(const void *s1, const void *s2, size_t n);
-int bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig,
- size_t slen, uint8_t key_id);
-
-int boot_magic_compatible_check(uint8_t tbl_val, uint8_t val);
-uint32_t boot_trailer_sz(uint32_t min_write_sz);
-int boot_status_entries(int image_index, const struct flash_area *fap);
-uint32_t boot_status_off(const struct flash_area *fap);
-uint32_t boot_swap_info_off(const struct flash_area *fap);
-int boot_read_swap_state(const struct flash_area *fap,
- struct boot_swap_state *state);
-int boot_read_swap_state_by_id(int flash_area_id,
- struct boot_swap_state *state);
-int boot_write_magic(const struct flash_area *fap);
-int boot_write_status(struct boot_loader_state *state, struct boot_status *bs);
-int boot_schedule_test_swap(void);
-int boot_write_copy_done(const struct flash_area *fap);
-int boot_write_image_ok(const struct flash_area *fap);
-int boot_write_swap_info(const struct flash_area *fap, uint8_t swap_type,
- uint8_t image_num);
-int boot_write_swap_size(const struct flash_area *fap, uint32_t swap_size);
-int boot_read_swap_size(int image_index, uint32_t *swap_size);
-
-/**
- * Safe (non-overflowing) uint32_t addition. Returns true, and stores
- * the result in *dest if it can be done without overflow. Otherwise,
- * returns false.
- */
-static inline bool boot_u32_safe_add(uint32_t *dest, uint32_t a, uint32_t b)
-{
- /*
- * "a + b <= UINT32_MAX", subtract 'b' from both sides to avoid
- * the overflow.
- */
- if (a > UINT32_MAX - b) {
- return false;
- } else {
- *dest = a + b;
- return true;
- }
-}
-
-/**
- * Safe (non-overflowing) uint16_t addition. Returns true, and stores
- * the result in *dest if it can be done without overflow. Otherwise,
- * returns false.
- */
-static inline bool boot_u16_safe_add(uint16_t *dest, uint16_t a, uint16_t b)
-{
- uint32_t tmp = a + b;
- if (tmp > UINT16_MAX) {
- return false;
- } else {
- *dest = tmp;
- return true;
- }
-}
-
-/*
- * Accessors for the contents of struct boot_loader_state.
- */
-
-/* These are macros so they can be used as lvalues. */
-#if (BOOT_IMAGE_NUMBER > 1)
-#define BOOT_CURR_IMG(state) ((state)->curr_img_idx)
-#else
-#define BOOT_CURR_IMG(state) 0
-#endif
-#define BOOT_IMG(state, slot) ((state)->imgs[BOOT_CURR_IMG(state)][(slot)])
-#define BOOT_IMG_AREA(state, slot) (BOOT_IMG(state, slot).area)
-#define BOOT_IMG_HDR_IS_VALID(state, slot) (BOOT_IMG(state, slot).is_hdr_valid)
-#define BOOT_SCRATCH_AREA(state) ((state)->scratch.area)
-#define BOOT_WRITE_SZ(state) ((state)->write_sz)
-#define BOOT_SWAP_TYPE(state) ((state)->swap_type[BOOT_CURR_IMG(state)])
-#define BOOT_TLV_OFF(hdr) ((hdr)->ih_hdr_size + (hdr)->ih_img_size)
-
-#define BOOT_IS_UPGRADE(swap_type) \
- (((swap_type) == BOOT_SWAP_TYPE_TEST) || \
- ((swap_type) == BOOT_SWAP_TYPE_REVERT) || \
- ((swap_type) == BOOT_SWAP_TYPE_PERM))
-
-static inline struct image_header*
-boot_img_hdr(struct boot_loader_state *state, size_t slot)
-{
- return &BOOT_IMG(state, slot).hdr;
-}
-
-static inline size_t
-boot_img_num_sectors(const struct boot_loader_state *state, size_t slot)
-{
- return BOOT_IMG(state, slot).num_sectors;
-}
-
-static inline size_t
-boot_scratch_num_sectors(struct boot_loader_state *state)
-{
- return state->scratch.num_sectors;
-}
-
-/*
- * Offset of the slot from the beginning of the flash device.
- */
-static inline uint32_t
-boot_img_slot_off(struct boot_loader_state *state, size_t slot)
-{
- return BOOT_IMG(state, slot).area->fa_off;
-}
-
-static inline size_t boot_scratch_area_size(struct boot_loader_state *state)
-{
- return BOOT_SCRATCH_AREA(state)->fa_size;
-}
-
-#ifndef MCUBOOT_USE_FLASH_AREA_GET_SECTORS
-
-static inline size_t
-boot_img_sector_size(const struct boot_loader_state *state,
- size_t slot, size_t sector)
-{
- return BOOT_IMG(state, slot).sectors[sector].fa_size;
-}
-
-/*
- * Offset of the sector from the beginning of the image, NOT the flash
- * device.
- */
-static inline uint32_t
-boot_img_sector_off(const struct boot_loader_state *state, size_t slot,
- size_t sector)
-{
- return BOOT_IMG(state, slot).sectors[sector].fa_off -
- BOOT_IMG(state, slot).sectors[0].fa_off;
-}
-
-#else /* defined(MCUBOOT_USE_FLASH_AREA_GET_SECTORS) */
-
-static inline size_t
-boot_img_sector_size(const struct boot_loader_state *state,
- size_t slot, size_t sector)
-{
- return BOOT_IMG(state, slot).sectors[sector].fs_size;
-}
-
-static inline uint32_t
-boot_img_sector_off(const struct boot_loader_state *state, size_t slot,
- size_t sector)
-{
- return BOOT_IMG(state, slot).sectors[sector].fs_off -
- BOOT_IMG(state, slot).sectors[0].fs_off;
-}
-
-#endif /* !defined(MCUBOOT_USE_FLASH_AREA_GET_SECTORS) */
-
-#ifdef MCUBOOT_RAM_LOADING
-#define LOAD_IMAGE_DATA(hdr, fap, start, output, size) \
- (memcpy((output),(void*)((hdr)->ih_load_addr + (start)), \
- (size)) != (output))
-#else
-#define LOAD_IMAGE_DATA(hdr, fap, start, output, size) \
- (flash_area_read((fap), (start), (output), (size)))
-#endif /* MCUBOOT_RAM_LOADING */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/bl2/ext/mcuboot/boot/bootutil/src/image_rsa.c b/bl2/ext/mcuboot/boot/bootutil/src/image_rsa.c
deleted file mode 100644
index c29ea00..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/src/image_rsa.c
+++ /dev/null
@@ -1,299 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/*
- * Original code taken from mcuboot project at:
- * https://github.com/JuulLabs-OSS/mcuboot
- * Git SHA of the original version: ac55554059147fff718015be9f4bd3108123f50a
- * Modifications are Copyright (c) 2018-2020 Arm Limited.
- */
-
-#include <string.h>
-
-#include "mcuboot_config/mcuboot_config.h"
-
-#ifdef MCUBOOT_SIGN_RSA
-#include "bootutil/sign_key.h"
-#include "bootutil/sha256.h"
-
-#include "mbedtls/rsa.h"
-#include "mbedtls/asn1.h"
-#include "mbedtls/version.h"
-
-#include "bootutil_priv.h"
-
-/*
- * Constants for this particular constrained implementation of
- * RSA-PSS. In particular, we support RSA 2048 and RSA 3072, with a SHA256
- * hash, and a 32-byte salt. A signature with different parameters will be
- * rejected as invalid.
- */
-
-/* The size, in octets, of the message. */
-#define PSS_EMLEN (MCUBOOT_SIGN_RSA_LEN / 8)
-
-/* The size of the hash function. For SHA256, this is 32 bytes. */
-#define PSS_HLEN 32
-
-/* Size of the salt, should be fixed. */
-#define PSS_SLEN 32
-
-/* The length of the mask: emLen - hLen - 1. */
-#define PSS_MASK_LEN (PSS_EMLEN - PSS_HLEN - 1)
-
-#define PSS_HASH_OFFSET PSS_MASK_LEN
-
-/* For the mask itself, how many bytes should be all zeros. */
-#define PSS_MASK_ZERO_COUNT (PSS_MASK_LEN - PSS_SLEN - 1)
-#define PSS_MASK_ONE_POS PSS_MASK_ZERO_COUNT
-
-/* Where the salt starts. */
-#define PSS_MASK_SALT_POS (PSS_MASK_ONE_POS + 1)
-
-static const uint8_t pss_zeros[8] = {0};
-
-/*
- * Parse the public key used for signing. Simple RSA format.
- */
-static int
-bootutil_parse_rsakey(mbedtls_rsa_context *ctx, uint8_t **p, uint8_t *end)
-{
- int rc, rc2;
- size_t len;
-
- rc = mbedtls_asn1_get_tag(p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
- if (rc != 0) {
- return -1;
- }
-
- if (*p + len != end) {
- return -2;
- }
-
- rc = mbedtls_asn1_get_mpi(p, end, &ctx->N);
- rc2 = mbedtls_asn1_get_mpi(p, end, &ctx->E);
- if ((rc != 0) || (rc2 != 0)) {
- return -3;
- }
-
- ctx->len = mbedtls_mpi_size(&ctx->N);
-
- if (*p != end) {
- return -4;
- }
-
- /* The mbedtls version is more than 2.6.1 */
-#if MBEDTLS_VERSION_NUMBER > 0x02060100
- rc = mbedtls_rsa_import(ctx, &ctx->N, NULL, NULL, NULL, &ctx->E);
- if (rc != 0) {
- return -5;
- }
-#endif
-
- rc = mbedtls_rsa_check_pubkey(ctx);
- if (rc != 0) {
- return -6;
- }
-
- ctx->len = mbedtls_mpi_size(&ctx->N);
-
- return 0;
-}
-
-/*
- * Compute the RSA-PSS mask-generation function, MGF1. Assumptions
- * are that the mask length will be less than 256 * PSS_HLEN, and
- * therefore we never need to increment anything other than the low
- * byte of the counter.
- *
- * This is described in PKCS#1, B.2.1.
- */
-static void
-pss_mgf1(uint8_t *mask, const uint8_t *hash)
-{
- bootutil_sha256_context ctx;
- uint8_t counter[4] = { 0, 0, 0, 0 };
- uint8_t htmp[PSS_HLEN];
- int count = PSS_MASK_LEN;
- int bytes;
-
- while (count > 0) {
- bootutil_sha256_init(&ctx);
- bootutil_sha256_update(&ctx, hash, PSS_HLEN);
- bootutil_sha256_update(&ctx, counter, 4);
- bootutil_sha256_finish(&ctx, htmp);
-
- counter[3]++;
-
- bytes = PSS_HLEN;
- if (bytes > count)
- bytes = count;
-
- memcpy(mask, htmp, bytes);
- mask += bytes;
- count -= bytes;
- }
-}
-
-/*
- * Validate an RSA signature, using RSA-PSS, as described in PKCS #1
- * v2.2, section 9.1.2, with many parameters required to have fixed
- * values.
- */
-static int
-bootutil_cmp_rsasig(mbedtls_rsa_context *ctx, uint8_t *hash, uint32_t hlen,
- uint8_t *sig)
-{
- bootutil_sha256_context shactx;
- uint8_t em[MBEDTLS_MPI_MAX_SIZE];
- uint8_t db_mask[PSS_MASK_LEN];
- uint8_t h2[PSS_HLEN];
- int i;
-
- if (ctx->len != PSS_EMLEN || PSS_EMLEN > MBEDTLS_MPI_MAX_SIZE) {
- return -1;
- }
-
- if (hlen != PSS_HLEN) {
- return -1;
- }
-
- if (mbedtls_rsa_public(ctx, sig, em)) {
- return -1;
- }
-
- /*
- * PKCS #1 v2.2, 9.1.2 EMSA-PSS-Verify
- *
- * emBits is 2048
- * emLen = ceil(emBits/8) = 256
- *
- * The salt length is not known at the beginning.
- */
-
- /* Step 1. The message is constrained by the address space of a
- * 32-bit processor, which is far less than the 2^61-1 limit of
- * SHA-256.
- */
-
- /* Step 2. mHash is passed in as 'hash', with hLen the hlen
- * argument. */
-
- /* Step 3. if emLen < hLen + sLen + 2, inconsistent and stop.
- * The salt length is not known at this point.
- */
-
- /* Step 4. If the rightmost octect of EM does have the value
- * 0xbc, output inconsistent and stop.
- */
- if (em[PSS_EMLEN - 1] != 0xbc) {
- return -1;
- }
-
- /* Step 5. Let maskedDB be the leftmost emLen - hLen - 1 octets
- * of EM, and H be the next hLen octets.
- *
- * maskedDB is then the first 256 - 32 - 1 = 0-222
- * H is 32 bytes 223-254
- */
-
- /* Step 6. If the leftmost 8emLen - emBits bits of the leftmost
- * octet in maskedDB are not all equal to zero, output
- * inconsistent and stop.
- *
- * 8emLen - emBits is zero, so there is nothing to test here.
- */
-
- /* Step 7. let dbMask = MGF(H, emLen - hLen - 1). */
- pss_mgf1(db_mask, &em[PSS_HASH_OFFSET]);
-
- /* Step 8. let DB = maskedDB xor dbMask.
- * To avoid needing an additional buffer, store the 'db' in the
- * same buffer as db_mask. From now, to the end of this function,
- * db_mask refers to the unmasked 'db'. */
- for (i = 0; i < PSS_MASK_LEN; i++) {
- db_mask[i] ^= em[i];
- }
-
- /* Step 9. Set the leftmost 8emLen - emBits bits of the leftmost
- * octet in DB to zero.
- * pycrypto seems to always make the emBits 2047, so we need to
- * clear the top bit. */
- db_mask[0] &= 0x7F;
-
- /* Step 10. If the emLen - hLen - sLen - 2 leftmost octets of DB
- * are not zero or if the octet at position emLen - hLen - sLen -
- * 1 (the leftmost position is "position 1") does not have
- * hexadecimal value 0x01, output "inconsistent" and stop. */
- for (i = 0; i < PSS_MASK_ZERO_COUNT; i++) {
- if (db_mask[i] != 0) {
- return -1;
- }
- }
-
- if (db_mask[PSS_MASK_ONE_POS] != 1) {
- return -1;
- }
-
- /* Step 11. Let salt be the last sLen octets of DB */
-
- /* Step 12. Let M' = 0x00 00 00 00 00 00 00 00 || mHash || salt; */
-
- /* Step 13. Let H' = Hash(M') */
- bootutil_sha256_init(&shactx);
- bootutil_sha256_update(&shactx, pss_zeros, 8);
- bootutil_sha256_update(&shactx, hash, PSS_HLEN);
- bootutil_sha256_update(&shactx, &db_mask[PSS_MASK_SALT_POS], PSS_SLEN);
- bootutil_sha256_finish(&shactx, h2);
-
- /* Step 14. If H = H', output "consistent". Otherwise, output
- * "inconsistent". */
- if (boot_secure_memequal(h2, &em[PSS_HASH_OFFSET], PSS_HLEN) != 0) {
- return -1;
- }
-
- return 0;
-}
-
-int
-bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,
- uint8_t key_id)
-{
- mbedtls_rsa_context ctx;
- int rc;
- uint8_t *cp;
- uint8_t *end;
-
- mbedtls_rsa_init(&ctx, 0, 0);
-
- cp = (uint8_t *)bootutil_keys[key_id].key;
- end = cp + *bootutil_keys[key_id].len;
-
- rc = bootutil_parse_rsakey(&ctx, &cp, end);
- if (rc || slen != ctx.len) {
- mbedtls_rsa_free(&ctx);
- return rc;
- }
- rc = bootutil_cmp_rsasig(&ctx, hash, hlen, sig);
- mbedtls_rsa_free(&ctx);
-
- return rc;
-}
-#endif /* MCUBOOT_SIGN_RSA */
diff --git a/bl2/ext/mcuboot/boot/bootutil/src/image_validate.c b/bl2/ext/mcuboot/boot/bootutil/src/image_validate.c
deleted file mode 100644
index e5414b7..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/src/image_validate.c
+++ /dev/null
@@ -1,413 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/*
- * Original code taken from mcuboot project at:
- * https://github.com/JuulLabs-OSS/mcuboot
- * Git SHA of the original version: ac55554059147fff718015be9f4bd3108123f50a
- * Modifications are Copyright (c) 2018-2020 Arm Limited.
- */
-
-#include <assert.h>
-#include <stddef.h>
-#include <inttypes.h>
-#include <string.h>
-
-#include "flash_map/flash_map.h"
-#include "bootutil/image.h"
-#include "bootutil/sha256.h"
-#include "bootutil/sign_key.h"
-#include "security_cnt.h"
-
-#include "mcuboot_config/mcuboot_config.h"
-
-#if defined(MCUBOOT_SIGN_RSA)
-#include "mbedtls/rsa.h"
-#endif
-
-#include "mbedtls/asn1.h"
-
-#include "bootutil_priv.h"
-
-#ifdef MCUBOOT_HW_KEY
-#include "tfm_plat_crypto_keys.h"
-#endif
-
-/*
- * Compute SHA256 over the image.
- */
-static int
-bootutil_img_hash(int image_index,
- struct image_header *hdr, const struct flash_area *fap,
- uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *hash_result,
- uint8_t *seed, int seed_len)
-{
- bootutil_sha256_context sha256_ctx;
- uint32_t size;
-#ifndef MCUBOOT_RAM_LOADING
- uint32_t blk_sz;
- uint32_t off;
- int rc;
-#endif /* MCUBOOT_RAM_LOADING */
-
- (void)image_index;
-
- bootutil_sha256_init(&sha256_ctx);
-
- /* in some cases (split image) the hash is seeded with data from
- * the loader image */
- if (seed && (seed_len > 0)) {
- bootutil_sha256_update(&sha256_ctx, seed, seed_len);
- }
-
- /* Hash is computed over image header and image itself. */
- size = BOOT_TLV_OFF(hdr);
-
- /* If protected TLVs are present they are also hashed. */
- size += hdr->ih_protect_tlv_size;
-
-#ifdef MCUBOOT_RAM_LOADING
- bootutil_sha256_update(&sha256_ctx,(void*)(hdr->ih_load_addr), size);
-#else
- for (off = 0; off < size; off += blk_sz) {
- blk_sz = size - off;
- if (blk_sz > tmp_buf_sz) {
- blk_sz = tmp_buf_sz;
- }
- rc = flash_area_read(fap, off, tmp_buf, blk_sz);
- if (rc) {
- return rc;
- }
- bootutil_sha256_update(&sha256_ctx, tmp_buf, blk_sz);
- }
-#endif
- bootutil_sha256_finish(&sha256_ctx, hash_result);
-
- return 0;
-}
-
-/*
- * Currently, we only support being able to verify one type of
- * signature, because there is a single verification function that we
- * call. List the type of TLV we are expecting. If we aren't
- * configured for any signature, don't define this macro.
- */
-
-#if defined(MCUBOOT_SIGN_RSA)
-# if MCUBOOT_SIGN_RSA_LEN == 2048
-# define EXPECTED_SIG_TLV IMAGE_TLV_RSA2048_PSS
-# elif MCUBOOT_SIGN_RSA_LEN == 3072
-# define EXPECTED_SIG_TLV IMAGE_TLV_RSA3072_PSS
-# else
-# error "Unsupported RSA signature length"
-# endif
-# define SIG_BUF_SIZE (MCUBOOT_SIGN_RSA_LEN / 8)
-# define EXPECTED_SIG_LEN(x) ((x) == SIG_BUF_SIZE)
-#else
-# define SIG_BUF_SIZE 32 /* no signing, sha256 digest only */
-#endif
-
-#ifdef EXPECTED_SIG_TLV
-#ifdef MCUBOOT_HW_KEY
-extern unsigned int pub_key_len;
-static int
-bootutil_find_key(uint8_t image_id, uint8_t *key, uint16_t key_len)
-{
- bootutil_sha256_context sha256_ctx;
- uint8_t hash[32];
- uint8_t key_hash[32];
- uint32_t key_hash_size= sizeof(key_hash);
- enum tfm_plat_err_t plat_err;
-
- bootutil_sha256_init(&sha256_ctx);
- bootutil_sha256_update(&sha256_ctx, key, key_len);
- bootutil_sha256_finish(&sha256_ctx, hash);
-
- plat_err = tfm_plat_get_rotpk_hash(image_id, key_hash, &key_hash_size);
- if (plat_err != TFM_PLAT_ERR_SUCCESS) {
- return -1;
- }
- if (!boot_secure_memequal(hash, key_hash, key_hash_size)) {
- bootutil_keys[0].key = key;
- pub_key_len = key_len;
- return 0;
- }
- return -1;
-}
-#else /* !MCUBOOT_HW_KEY */
-static int
-bootutil_find_key(uint8_t *keyhash, uint8_t keyhash_len)
-{
- bootutil_sha256_context sha256_ctx;
- int i;
- const struct bootutil_key *key;
- uint8_t hash[32];
-
- if (keyhash_len > 32) {
- return -1;
- }
-
- for (i = 0; i < bootutil_key_cnt; i++) {
- key = &bootutil_keys[i];
- bootutil_sha256_init(&sha256_ctx);
- bootutil_sha256_update(&sha256_ctx, key->key, *key->len);
- bootutil_sha256_finish(&sha256_ctx, hash);
- if (!boot_secure_memequal(hash, keyhash, keyhash_len)) {
- return i;
- }
- }
- return -1;
-}
-#endif
-#endif
-
-/**
- * Reads the value of an image's security counter.
- *
- * @param hdr Pointer to the image header structure.
- * @param fap Pointer to a description structure of the image's
- * flash area.
- * @param security_cnt Pointer to store the security counter value.
- *
- * @return 0 on success; nonzero on failure.
- */
-int32_t
-bootutil_get_img_security_cnt(struct image_header *hdr,
- const struct flash_area *fap,
- uint32_t *img_security_cnt)
-{
- struct image_tlv_iter it;
- uint32_t off;
- uint16_t len;
- int32_t rc;
-
- if ((hdr == NULL) ||
- (fap == NULL) ||
- (img_security_cnt == NULL)) {
- /* Invalid parameter. */
- return BOOT_EBADARGS;
- }
-
- /* The security counter TLV is in the protected part of the TLV area. */
- if (hdr->ih_protect_tlv_size == 0) {
- return BOOT_EBADIMAGE;
- }
-
- rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_SEC_CNT, true);
- if (rc) {
- return rc;
- }
-
- /* Traverse through the protected TLV area to find
- * the security counter TLV.
- */
-
- rc = bootutil_tlv_iter_next(&it, &off, &len, NULL);
- if (rc != 0) {
- /* Security counter TLV has not been found. */
- return -1;
- }
-
- if (len != sizeof(*img_security_cnt)) {
- /* Security counter is not valid. */
- return BOOT_EBADIMAGE;
- }
-
- rc = LOAD_IMAGE_DATA(hdr, fap, off, img_security_cnt, len);
- if (rc != 0) {
- return BOOT_EFLASH;
- }
-
- return 0;
-}
-
-/*
- * Verify the integrity of the image.
- * Return non-zero if image could not be validated/does not validate.
- */
-int
-bootutil_img_validate(int image_index,
- struct image_header *hdr, const struct flash_area *fap,
- uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *seed,
- int seed_len, uint8_t *out_hash)
-{
- uint32_t off;
- uint16_t len;
- uint8_t type;
- int sha256_valid = 0;
-#ifdef EXPECTED_SIG_TLV
- int valid_signature = 0;
- int key_id = -1;
-#ifdef MCUBOOT_HW_KEY
- /* Few extra bytes for encoding and for public exponent */
- uint8_t key_buf[SIG_BUF_SIZE + 24];
-#endif
-#endif
- struct image_tlv_iter it;
- uint8_t buf[SIG_BUF_SIZE];
- uint8_t hash[32] = {0};
- uint32_t security_cnt;
- uint32_t img_security_cnt;
- int32_t security_counter_valid = 0;
- int rc;
-
- rc = bootutil_img_hash(image_index, hdr, fap, tmp_buf,
- tmp_buf_sz, hash, seed, seed_len);
- if (rc) {
- return rc;
- }
-
- if (out_hash) {
- memcpy(out_hash, hash, 32);
- }
-
- rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false);
- if (rc) {
- return rc;
- }
-
- /*
- * Traverse through all of the TLVs, performing any checks we know
- * and are able to do.
- */
- while (true) {
- rc = bootutil_tlv_iter_next(&it, &off, &len, &type);
- if (rc < 0) {
- return -1;
- } else if (rc > 0) {
- break;
- }
-
- if (type == IMAGE_TLV_SHA256) {
- /*
- * Verify the SHA256 image hash. This must always be
- * present.
- */
- if (len != sizeof(hash)) {
- return -1;
- }
- rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, sizeof(hash));
- if (rc) {
- return rc;
- }
- if (boot_secure_memequal(hash, buf, sizeof(hash))) {
- return -1;
- }
-
- sha256_valid = 1;
-#ifdef EXPECTED_SIG_TLV
-#ifndef MCUBOOT_HW_KEY
- } else if (type == IMAGE_TLV_KEYHASH) {
- /*
- * Determine which key we should be checking.
- */
- if (len > 32) {
- return -1;
- }
- rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, len);
- if (rc) {
- return rc;
- }
- key_id = bootutil_find_key(buf, len);
- /*
- * The key may not be found, which is acceptable. There
- * can be multiple signatures, each preceded by a key.
- */
-#else /* MCUBOOT_HW_KEY */
- } else if (type == IMAGE_TLV_KEY) {
- /*
- * Determine which key we should be checking.
- */
- if (len > sizeof(key_buf)) {
- return -1;
- }
- rc = LOAD_IMAGE_DATA(hdr, fap, off, key_buf, len);
- if (rc) {
- return rc;
- }
- key_id = bootutil_find_key(image_index, key_buf, len);
- /*
- * The key may not be found, which is acceptable. There
- * can be multiple signatures, each preceded by a key.
- */
-#endif /* MCUBOOT_HW_KEY */
- } else if (type == EXPECTED_SIG_TLV) {
- /* Ignore this signature if it is out of bounds. */
- if (key_id < 0 || key_id >= bootutil_key_cnt) {
- key_id = -1;
- continue;
- }
- if (!EXPECTED_SIG_LEN(len) || len > sizeof(buf)) {
- return -1;
- }
- rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, len);
- if (rc) {
- return -1;
- }
- rc = bootutil_verify_sig(hash, sizeof(hash), buf, len, key_id);
- if (rc == 0) {
- valid_signature = 1;
- }
- key_id = -1;
-#endif
- } else if (type == IMAGE_TLV_SEC_CNT) {
- /*
- * Verify the image's security counter.
- * This must always be present.
- */
- if (len != sizeof(img_security_cnt)) {
- /* Security counter is not valid. */
- return -1;
- }
-
- rc = LOAD_IMAGE_DATA(hdr, fap, off, &img_security_cnt, len);
- if (rc) {
- return rc;
- }
-
- rc = boot_nv_security_counter_get(image_index, &security_cnt);
- if (rc) {
- return rc;
- }
-
- /* Compare the new image's security counter value against the
- * stored security counter value.
- */
- if (img_security_cnt < security_cnt) {
- /* The image's security counter is not accepted. */
- return -1;
- }
-
- /* The image's security counter has been successfully verified. */
- security_counter_valid = 1;
- }
- }
-
- if (!sha256_valid || !security_counter_valid) {
- return -1;
- }
-
-#ifdef EXPECTED_SIG_TLV
- if (!valid_signature) {
- return -1;
- }
-#endif
-
- return 0;
-}
diff --git a/bl2/ext/mcuboot/boot/bootutil/src/loader.c b/bl2/ext/mcuboot/boot/bootutil/src/loader.c
deleted file mode 100644
index e340b44..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/src/loader.c
+++ /dev/null
@@ -1,2843 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/*
- * Original code taken from mcuboot project at:
- * https://github.com/JuulLabs-OSS/mcuboot
- * Git SHA of the original version: ac55554059147fff718015be9f4bd3108123f50a
- * Modifications are Copyright (c) 2018-2020 Arm Limited.
- */
-
-/**
- * This file provides an interface to the boot loader. Functions defined in
- * this file should only be called while the boot loader is running.
- */
-
-#include <assert.h>
-#include <stddef.h>
-#include <stdbool.h>
-#include <inttypes.h>
-#include <stdlib.h>
-#include <string.h>
-#include "sysflash/sysflash.h"
-#include "flash_map/flash_map.h"
-#include "flash_map_backend/flash_map_backend.h"
-#include "bootutil/bootutil.h"
-#include "bootutil/image.h"
-#include "bootutil_priv.h"
-#include "bootutil/bootutil_log.h"
-#include "tfm_boot_status.h"
-#include "bootutil/boot_record.h"
-#include "security_cnt.h"
-#include "mcuboot_config/mcuboot_config.h"
-
-static struct boot_loader_state boot_data;
-
-#if (BOOT_IMAGE_NUMBER > 1)
-#define IMAGES_ITER(x) for ((x) = 0; (x) < BOOT_IMAGE_NUMBER; ++(x))
-#else
-#define IMAGES_ITER(x)
-#endif
-
-#if !defined(MCUBOOT_DIRECT_XIP) && !defined(MCUBOOT_RAM_LOADING) && \
- !defined(MCUBOOT_OVERWRITE_ONLY)
-
-#if defined(MCUBOOT_VALIDATE_PRIMARY_SLOT) && !defined(MCUBOOT_OVERWRITE_ONLY)
-static int boot_status_fails = 0;
-#define BOOT_STATUS_ASSERT(x) \
- do { \
- if (!(x)) { \
- boot_status_fails++; \
- } \
- } while (0)
-#else
-#define BOOT_STATUS_ASSERT(x) ASSERT(x)
-#endif /* MCUBOOT_VALIDATE_PRIMARY_SLOT && !MCUBOOT_OVERWRITE_ONLY */
-
-struct boot_status_table {
- uint8_t bst_magic_primary_slot;
- uint8_t bst_magic_scratch;
- uint8_t bst_copy_done_primary_slot;
- uint8_t bst_status_source;
-};
-
-/**
- * This set of tables maps swap state contents to boot status location.
- * When searching for a match, these tables must be iterated in order.
- */
-static const struct boot_status_table boot_status_tables[] = {
- {
- /* | primary slot | scratch |
- * ----------+--------------+--------------|
- * magic | Good | Any |
- * copy-done | Set | N/A |
- * ----------+--------------+--------------'
- * source: none |
- * ----------------------------------------'
- */
- .bst_magic_primary_slot = BOOT_MAGIC_GOOD,
- .bst_magic_scratch = BOOT_MAGIC_NOTGOOD,
- .bst_copy_done_primary_slot = BOOT_FLAG_SET,
- .bst_status_source = BOOT_STATUS_SOURCE_NONE,
- },
-
- {
- /* | primary slot | scratch |
- * ----------+--------------+--------------|
- * magic | Good | Any |
- * copy-done | Unset | N/A |
- * ----------+--------------+--------------'
- * source: primary slot |
- * ----------------------------------------'
- */
- .bst_magic_primary_slot = BOOT_MAGIC_GOOD,
- .bst_magic_scratch = BOOT_MAGIC_NOTGOOD,
- .bst_copy_done_primary_slot = BOOT_FLAG_UNSET,
- .bst_status_source = BOOT_STATUS_SOURCE_PRIMARY_SLOT,
- },
-
- {
- /* | primary slot | scratch |
- * ----------+--------------+--------------|
- * magic | Any | Good |
- * copy-done | Any | N/A |
- * ----------+--------------+--------------'
- * source: scratch |
- * ----------------------------------------'
- */
- .bst_magic_primary_slot = BOOT_MAGIC_ANY,
- .bst_magic_scratch = BOOT_MAGIC_GOOD,
- .bst_copy_done_primary_slot = BOOT_FLAG_ANY,
- .bst_status_source = BOOT_STATUS_SOURCE_SCRATCH,
- },
-
- {
- /* | primary slot | scratch |
- * ----------+--------------+--------------|
- * magic | Unset | Any |
- * copy-done | Unset | N/A |
- * ----------+--------------+--------------|
- * source: varies |
- * ----------------------------------------+--------------------------+
- * This represents one of two cases: |
- * o No swaps ever (no status to read, so no harm in checking). |
- * o Mid-revert; status in the primary slot. |
- * -------------------------------------------------------------------'
- */
- .bst_magic_primary_slot = BOOT_MAGIC_UNSET,
- .bst_magic_scratch = BOOT_MAGIC_ANY,
- .bst_copy_done_primary_slot = BOOT_FLAG_UNSET,
- .bst_status_source = BOOT_STATUS_SOURCE_PRIMARY_SLOT,
- },
-};
-
-#define BOOT_STATUS_TABLES_COUNT \
- (sizeof(boot_status_tables) / sizeof(boot_status_tables[0]))
-
-#define BOOT_LOG_SWAP_STATE(area, state) \
- BOOT_LOG_INF("%s: magic=%5s, swap_type=0x%x, copy_done=0x%x, " \
- "image_ok=0x%x", \
- (area), \
- ((state)->magic == BOOT_MAGIC_GOOD ? "good" : \
- (state)->magic == BOOT_MAGIC_UNSET ? "unset" : \
- "bad"), \
- (state)->swap_type, \
- (state)->copy_done, \
- (state)->image_ok)
-#endif /* !MCUBOOT_DIRECT_XIP && !MCUBOOT_RAM_LOADING && !MCUBOOT_OVERWRITE_ONLY */
-
-/*
- * \brief Verifies the image header: magic value, flags, integer overflow.
- *
- * \retval 0
- * \retval BOOT_EBADIMAGE
- */
-static int
-boot_verify_image_header(struct image_header *hdr)
-{
- uint32_t image_end;
- uint32_t x;
-
- if (hdr->ih_magic != IMAGE_MAGIC) {
- return BOOT_EBADIMAGE;
- }
-
- /* Check input parameters against integer overflow */
- if (!boot_u32_safe_add(&image_end, hdr->ih_hdr_size, hdr->ih_img_size)) {
- return BOOT_EBADIMAGE;
- }
-
- if (!boot_u32_safe_add(&x, image_end, hdr->ih_protect_tlv_size)) {
- return BOOT_EBADIMAGE;
- }
-
-#ifdef MCUBOOT_RAM_LOADING
- if (!(hdr->ih_flags & IMAGE_F_RAM_LOAD)) {
- return BOOT_EBADIMAGE;
- }
-
- /* Check input parameters against integer overflow */
- if (!boot_u32_safe_add(&x, image_end, hdr->ih_load_addr)) {
- return BOOT_EBADIMAGE;
- }
-#endif
-
- return 0;
-}
-
-static int
-boot_read_image_header(struct boot_loader_state *state, int slot,
- struct image_header *out_hdr)
-{
- const struct flash_area *fap = NULL;
- int area_id;
- int rc;
-
-#if (BOOT_IMAGE_NUMBER == 1)
- (void)state;
-#endif
-
- area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot);
- rc = flash_area_open(area_id, &fap);
- if (rc != 0) {
- rc = BOOT_EFLASH;
- goto done;
- }
-
- rc = flash_area_read(fap, 0, out_hdr, sizeof(*out_hdr));
- if (rc != 0) {
- rc = BOOT_EFLASH;
- goto done;
- }
-
- rc = boot_verify_image_header(out_hdr);
- BOOT_IMG_HDR_IS_VALID(state, slot) = (rc == 0);
-
-done:
- flash_area_close(fap);
- return rc;
-}
-
-static int
-boot_read_image_headers(struct boot_loader_state *state, bool require_all)
-{
- int rc;
- int i;
-
- for (i = 0; i < BOOT_NUM_SLOTS; i++) {
- rc = boot_read_image_header(state, i, boot_img_hdr(state, i));
- if (rc != 0) {
- /* If `require_all` is set, fail on any single fail, otherwise
- * if at least the first slot's header was read successfully,
- * then the boot loader can attempt a boot.
- *
- * Failure to read any headers is a fatal error.
- */
- if (i > 0 && !require_all) {
- return 0;
- } else {
- return rc;
- }
- }
- }
-
- return 0;
-}
-
-static uint32_t
-boot_write_sz(struct boot_loader_state *state)
-{
- uint32_t elem_sz;
- uint32_t align;
-
- /* Figure out what size to write update status update as. The size depends
- * on what the minimum write size is for scratch area, active image slot.
- * We need to use the bigger of those 2 values.
- */
- elem_sz = flash_area_align(BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT));
- align = flash_area_align(BOOT_SCRATCH_AREA(state));
- if (align > elem_sz) {
- elem_sz = align;
- }
-
- return elem_sz;
-}
-
-#ifndef MCUBOOT_USE_FLASH_AREA_GET_SECTORS
-static int
-boot_initialize_area(struct boot_loader_state *state, int flash_area)
-{
- int num_sectors = BOOT_MAX_IMG_SECTORS;
- int rc;
-
- if (flash_area == FLASH_AREA_IMAGE_PRIMARY(BOOT_CURR_IMG(state))) {
- rc = flash_area_to_sectors(flash_area, &num_sectors,
- BOOT_IMG(state, BOOT_PRIMARY_SLOT).sectors);
- BOOT_IMG(state, BOOT_PRIMARY_SLOT).num_sectors = (size_t)num_sectors;
-
- } else if (flash_area == FLASH_AREA_IMAGE_SECONDARY(BOOT_CURR_IMG(state))) {
- rc = flash_area_to_sectors(flash_area, &num_sectors,
- BOOT_IMG(state, BOOT_SECONDARY_SLOT).sectors);
- BOOT_IMG(state, BOOT_SECONDARY_SLOT).num_sectors = (size_t)num_sectors;
-
- } else if (flash_area == FLASH_AREA_IMAGE_SCRATCH) {
- rc = flash_area_to_sectors(flash_area, &num_sectors,
- state->scratch.sectors);
- state->scratch.num_sectors = (size_t)num_sectors;
- } else {
- return BOOT_EFLASH;
- }
-
- return rc;
-}
-#else /* defined(MCUBOOT_USE_FLASH_AREA_GET_SECTORS) */
-static int
-boot_initialize_area(struct boot_loader_state *state, int flash_area)
-{
- uint32_t num_sectors;
- struct flash_sector *out_sectors;
- size_t *out_num_sectors;
- int rc;
-
- num_sectors = BOOT_MAX_IMG_SECTORS;
-
- if (flash_area == FLASH_AREA_IMAGE_PRIMARY(BOOT_CURR_IMG(state))) {
- out_sectors = BOOT_IMG(state, BOOT_PRIMARY_SLOT).sectors;
- out_num_sectors = &BOOT_IMG(state, BOOT_PRIMARY_SLOT).num_sectors;
- } else if (flash_area == FLASH_AREA_IMAGE_SECONDARY(BOOT_CURR_IMG(state))) {
- out_sectors = BOOT_IMG(state, BOOT_SECONDARY_SLOT).sectors;
- out_num_sectors = &BOOT_IMG(state, BOOT_SECONDARY_SLOT).num_sectors;
- } else if (flash_area == FLASH_AREA_IMAGE_SCRATCH) {
- out_sectors = state->scratch.sectors;
- out_num_sectors = &state->scratch.num_sectors;
- } else {
- return BOOT_EFLASH;
- }
-
- rc = flash_area_get_sectors(flash_area, &num_sectors, out_sectors);
- if (rc != 0) {
- return rc;
- }
- *out_num_sectors = num_sectors;
- return 0;
-}
-#endif /* !defined(MCUBOOT_USE_FLASH_AREA_GET_SECTORS) */
-
-/**
- * Determines the sector layout of both image slots and the scratch area.
- * This information is necessary for calculating the number of bytes to erase
- * and copy during an image swap. The information collected during this
- * function is used to populate the state.
- */
-static int
-boot_read_sectors(struct boot_loader_state *state)
-{
- uint8_t image_index;
- int rc;
-
- image_index = BOOT_CURR_IMG(state);
-
- rc = boot_initialize_area(state, FLASH_AREA_IMAGE_PRIMARY(image_index));
- if (rc != 0) {
- return BOOT_EFLASH;
- }
-
- rc = boot_initialize_area(state, FLASH_AREA_IMAGE_SECONDARY(image_index));
- if (rc != 0) {
- return BOOT_EFLASH;
- }
-
- rc = boot_initialize_area(state, FLASH_AREA_IMAGE_SCRATCH);
- if (rc != 0) {
- return BOOT_EFLASH;
- }
-
- BOOT_WRITE_SZ(state) = boot_write_sz(state);
-
- return 0;
-}
-
-/**
- * Validate image hash/signature and security counter in a slot.
- */
-static int
-boot_image_check(struct boot_loader_state *state, struct image_header *hdr,
- const struct flash_area *fap, struct boot_status *bs)
-{
- static uint8_t tmpbuf[BOOT_TMPBUF_SZ];
- uint8_t image_index;
-
-#if (BOOT_IMAGE_NUMBER == 1)
- (void)state;
-#endif
-
- (void)bs;
-
- image_index = BOOT_CURR_IMG(state);
-
- if (bootutil_img_validate(image_index, hdr, fap, tmpbuf,
- BOOT_TMPBUF_SZ, NULL, 0, NULL)) {
- return BOOT_EBADIMAGE;
- }
-
- return 0;
-}
-
-/*
- * Check that a memory area consists of a given value.
- */
-static inline bool
-boot_data_is_set_to(uint8_t val, void *data, size_t len)
-{
- uint8_t i;
- uint8_t *p = (uint8_t *)data;
- for (i = 0; i < len; i++) {
- if (val != p[i]) {
- return false;
- }
- }
- return true;
-}
-
-static int
-boot_check_header_erased(struct boot_loader_state *state, int slot)
-{
- const struct flash_area *fap;
- struct image_header *hdr;
- uint8_t erased_val;
- int area_id;
- int rc;
-
- area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot);
- rc = flash_area_open(area_id, &fap);
- if (rc != 0) {
- return -1;
- }
-
- erased_val = flash_area_erased_val(fap);
- flash_area_close(fap);
-
- hdr = boot_img_hdr(state, slot);
- if (!boot_data_is_set_to(erased_val, &hdr->ih_magic,
- sizeof(hdr->ih_magic))) {
- return -1;
- }
-
- return 0;
-}
-
-/*
- * Check that there is a valid image in a slot
- *
- * @returns
- * 0 if image was succesfully validated
- * 1 if no bootloable image was found
- * -1 on any errors
- */
-static int
-boot_validate_slot(struct boot_loader_state *state, int slot,
- struct boot_status *bs)
-{
- const struct flash_area *fap;
- struct image_header *hdr;
- int area_id;
- int rc;
-
- area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot);
- rc = flash_area_open(area_id, &fap);
- if (rc != 0) {
- return -1;
- }
-
- hdr = boot_img_hdr(state, slot);
- if ((boot_check_header_erased(state, slot) == 0) ||
- (hdr->ih_flags & IMAGE_F_NON_BOOTABLE)) {
- /* No bootable image in slot; continue booting from the primary slot. */
- rc = 1;
- goto out;
- }
-
- if ((!BOOT_IMG_HDR_IS_VALID(state, slot)) ||
- (boot_image_check(state, hdr, fap, bs) != 0)) {
- if (slot != BOOT_PRIMARY_SLOT) {
- flash_area_erase(fap, 0, fap->fa_size);
- /* Image in the secondary slot is invalid. Erase the image and
- * continue booting from the primary slot.
- */
- }
- BOOT_LOG_ERR("Image in the %s slot is not valid!",
- (slot == BOOT_PRIMARY_SLOT) ? "primary" : "secondary");
- rc = -1;
- goto out;
- }
-
- /* Image in the secondary slot is valid. */
- rc = 0;
-
-out:
- flash_area_close(fap);
- return rc;
-}
-
-/**
- * Updates the stored security counter value with the image's security counter
- * value which resides in the given slot if it's greater than the stored value.
- *
- * @param image_index Index of the image to determine which security
- * counter to update.
- * @param slot Slot number of the image.
- * @param hdr Pointer to the image header structure of the image
- * that is currently stored in the given slot.
- *
- * @return 0 on success; nonzero on failure.
- */
-static int
-boot_update_security_counter(uint8_t image_index, int slot,
- struct image_header *hdr)
-{
- const struct flash_area *fap = NULL;
- uint32_t img_security_cnt;
- int rc;
-
- rc = flash_area_open(flash_area_id_from_multi_image_slot(image_index, slot),
- &fap);
- if (rc != 0) {
- rc = BOOT_EFLASH;
- goto done;
- }
-
- rc = bootutil_get_img_security_cnt(hdr, fap, &img_security_cnt);
- if (rc != 0) {
- goto done;
- }
-
- rc = boot_nv_security_counter_update(image_index, img_security_cnt);
- if (rc != 0) {
- goto done;
- }
-
-done:
- flash_area_close(fap);
- return rc;
-}
-
-#if !defined(MCUBOOT_DIRECT_XIP) && !defined(MCUBOOT_OVERWRITE_ONLY)
-/*
- * Compute the total size of the given image. Includes the size of
- * the TLVs.
- */
-static int
-boot_read_image_size(struct boot_loader_state *state, int slot, uint32_t *size)
-{
- const struct flash_area *fap = NULL;
- struct image_tlv_info info;
- uint32_t off;
- uint32_t protect_tlv_size;
- int area_id;
- int rc;
-
-#if (BOOT_IMAGE_NUMBER == 1)
- (void)state;
-#endif
-
- area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot);
- rc = flash_area_open(area_id, &fap);
- if (rc != 0) {
- rc = BOOT_EFLASH;
- goto done;
- }
-
- off = BOOT_TLV_OFF(boot_img_hdr(state, slot));
-
- if (flash_area_read(fap, off, &info, sizeof(info))) {
- rc = BOOT_EFLASH;
- goto done;
- }
-
- protect_tlv_size = boot_img_hdr(state, slot)->ih_protect_tlv_size;
- if (info.it_magic == IMAGE_TLV_PROT_INFO_MAGIC) {
- if (protect_tlv_size != info.it_tlv_tot) {
- rc = BOOT_EBADIMAGE;
- goto done;
- }
-
- if (flash_area_read(fap, off + info.it_tlv_tot, &info, sizeof(info))) {
- rc = BOOT_EFLASH;
- goto done;
- }
- } else if (protect_tlv_size != 0) {
- rc = BOOT_EBADIMAGE;
- goto done;
- }
-
- if (info.it_magic != IMAGE_TLV_INFO_MAGIC) {
- rc = BOOT_EBADIMAGE;
- goto done;
- }
-
- *size = off + protect_tlv_size + info.it_tlv_tot;
- rc = 0;
-
-done:
- flash_area_close(fap);
- return rc;
-}
-#endif /* !MCUBOOT_DIRECT_XIP && !MCUBOOT_OVERWRITE_ONLY */
-
-#if !defined(MCUBOOT_DIRECT_XIP) && !defined(MCUBOOT_RAM_LOADING)
-/*
- * Slots are compatible when all sectors that store up to to size of the image
- * round up to sector size, in both slot's are able to fit in the scratch
- * area, and have sizes that are a multiple of each other (powers of two
- * presumably!).
- */
-static int
-boot_slots_compatible(struct boot_loader_state *state)
-{
- size_t num_sectors_primary;
- size_t num_sectors_secondary;
- size_t sz0, sz1;
- size_t primary_slot_sz, secondary_slot_sz;
-#ifndef MCUBOOT_OVERWRITE_ONLY
- size_t scratch_sz;
-#endif
- size_t i, j;
- int8_t smaller;
-
- num_sectors_primary = boot_img_num_sectors(state, BOOT_PRIMARY_SLOT);
- num_sectors_secondary = boot_img_num_sectors(state, BOOT_SECONDARY_SLOT);
- if ((num_sectors_primary > BOOT_MAX_IMG_SECTORS) ||
- (num_sectors_secondary > BOOT_MAX_IMG_SECTORS)) {
- BOOT_LOG_WRN("Cannot upgrade: more sectors than allowed");
- return 0;
- }
-
-#ifndef MCUBOOT_OVERWRITE_ONLY
- scratch_sz = boot_scratch_area_size(state);
-#endif
-
- /*
- * The following loop scans all sectors in a linear fashion, assuring that
- * for each possible sector in each slot, it is able to fit in the other
- * slot's sector or sectors. Slot's should be compatible as long as any
- * number of a slot's sectors are able to fit into another, which only
- * excludes cases where sector sizes are not a multiple of each other.
- */
- i = sz0 = primary_slot_sz = 0;
- j = sz1 = secondary_slot_sz = 0;
- smaller = 0;
- while (i < num_sectors_primary || j < num_sectors_secondary) {
- if (sz0 == sz1) {
- sz0 += boot_img_sector_size(state, BOOT_PRIMARY_SLOT, i);
- sz1 += boot_img_sector_size(state, BOOT_SECONDARY_SLOT, j);
- i++;
- j++;
- } else if (sz0 < sz1) {
- sz0 += boot_img_sector_size(state, BOOT_PRIMARY_SLOT, i);
- /* Guarantee that multiple sectors of the secondary slot
- * fit into the primary slot.
- */
- if (smaller == 2) {
- BOOT_LOG_WRN("Cannot upgrade: slots have non-compatible"
- " sectors");
- return 0;
- }
- smaller = 1;
- i++;
- } else {
- sz1 += boot_img_sector_size(state, BOOT_SECONDARY_SLOT, j);
- /* Guarantee that multiple sectors of the primary slot
- * fit into the secondary slot.
- */
- if (smaller == 1) {
- BOOT_LOG_WRN("Cannot upgrade: slots have non-compatible"
- " sectors");
- return 0;
- }
- smaller = 2;
- j++;
- }
-#ifndef MCUBOOT_OVERWRITE_ONLY
- if (sz0 == sz1) {
- primary_slot_sz += sz0;
- secondary_slot_sz += sz1;
- /* Scratch has to fit each swap operation to the size of the larger
- * sector among the primary slot and the secondary slot.
- */
- if (sz0 > scratch_sz || sz1 > scratch_sz) {
- BOOT_LOG_WRN("Cannot upgrade: not all sectors fit inside"
- " scratch");
- return 0;
- }
- smaller = sz0 = sz1 = 0;
- }
-#endif
- }
-
- if ((i != num_sectors_primary) ||
- (j != num_sectors_secondary) ||
- (primary_slot_sz != secondary_slot_sz)) {
- BOOT_LOG_WRN("Cannot upgrade: slots are not compatible");
- return 0;
- }
-
- return 1;
-}
-
-static uint32_t
-boot_status_internal_off(int idx, int state, int elem_sz)
-{
- int idx_sz;
-
- idx_sz = elem_sz * BOOT_STATUS_STATE_COUNT;
-
- return (idx - BOOT_STATUS_IDX_0) * idx_sz +
- (state - BOOT_STATUS_STATE_0) * elem_sz;
-}
-
-#ifndef MCUBOOT_OVERWRITE_ONLY
-/**
- * Determines where in flash the most recent boot status is stored. The boot
- * status is necessary for completing a swap that was interrupted by a boot
- * loader reset.
- *
- * @return A BOOT_STATUS_SOURCE_[...] code indicating where status should
- * be read from.
- */
-static int
-boot_status_source(struct boot_loader_state *state)
-{
- const struct boot_status_table *table;
- struct boot_swap_state state_scratch;
- struct boot_swap_state state_primary_slot;
- int rc;
- size_t i;
- uint8_t source;
- uint8_t image_index;
-
-#if (BOOT_IMAGE_NUMBER == 1)
- (void)state;
-#endif
-
- image_index = BOOT_CURR_IMG(state);
- rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_PRIMARY(image_index),
- &state_primary_slot);
- assert(rc == 0);
-
- rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SCRATCH, &state_scratch);
- assert(rc == 0);
-
- BOOT_LOG_SWAP_STATE("Primary image", &state_primary_slot);
- BOOT_LOG_SWAP_STATE("Scratch", &state_scratch);
-
- for (i = 0; i < BOOT_STATUS_TABLES_COUNT; i++) {
- table = &boot_status_tables[i];
-
- if (boot_magic_compatible_check(table->bst_magic_primary_slot,
- state_primary_slot.magic) &&
- boot_magic_compatible_check(table->bst_magic_scratch,
- state_scratch.magic) &&
- (table->bst_copy_done_primary_slot == BOOT_FLAG_ANY ||
- table->bst_copy_done_primary_slot == state_primary_slot.copy_done))
- {
- source = table->bst_status_source;
-
-#if (BOOT_IMAGE_NUMBER > 1)
- /* In case of multi-image boot it can happen that if boot status
- * info is found on scratch area then it does not belong to the
- * currently examined image.
- */
- if (source == BOOT_STATUS_SOURCE_SCRATCH &&
- state_scratch.image_num != BOOT_CURR_IMG(state)) {
- source = BOOT_STATUS_SOURCE_NONE;
- }
-#endif
-
- BOOT_LOG_INF("Boot source: %s",
- source == BOOT_STATUS_SOURCE_NONE ? "none" :
- source == BOOT_STATUS_SOURCE_SCRATCH ? "scratch" :
- source == BOOT_STATUS_SOURCE_PRIMARY_SLOT ?
- "primary slot" : "BUG; can't happen");
- return source;
- }
- }
-
- BOOT_LOG_INF("Boot source: none");
- return BOOT_STATUS_SOURCE_NONE;
-}
-
-/**
- * Reads the status of a partially-completed swap, if any. This is necessary
- * to recover in case the boot lodaer was reset in the middle of a swap
- * operation.
- */
-static int
-boot_read_status_bytes(const struct flash_area *fap,
- struct boot_loader_state *state, struct boot_status *bs)
-{
- uint32_t off;
- uint8_t status;
- int max_entries;
- int found;
- int found_idx;
- int invalid;
- int rc;
- int i;
-
- off = boot_status_off(fap);
- max_entries = boot_status_entries(BOOT_CURR_IMG(state), fap);
- if (max_entries < 0) {
- return BOOT_EBADARGS;
- }
-
- found = 0;
- found_idx = 0;
- invalid = 0;
- for (i = 0; i < max_entries; i++) {
- rc = flash_area_read_is_empty(fap, off + i * BOOT_WRITE_SZ(state),
- &status, 1);
- if (rc < 0) {
- return BOOT_EFLASH;
- }
-
- if (rc == 1) {
- if (found && !found_idx) {
- found_idx = i;
- }
- } else if (!found) {
- found = 1;
- } else if (found_idx) {
- invalid = 1;
- break;
- }
- }
-
- if (invalid) {
- /* This means there was an error writing status on the last
- * swap. Tell user and move on to validation!
- */
- BOOT_LOG_ERR("Detected inconsistent status!");
-
-#if !defined(MCUBOOT_VALIDATE_PRIMARY_SLOT)
- /* With validation of the primary slot disabled, there is no way
- * to be sure the swapped primary slot is OK, so abort!
- */
- assert(0);
-#endif
- }
-
- if (found) {
- if (!found_idx) {
- found_idx = i;
- }
- bs->idx = (found_idx / BOOT_STATUS_STATE_COUNT) + 1;
- bs->state = (found_idx % BOOT_STATUS_STATE_COUNT) + 1;
- }
-
- return 0;
-}
-#endif /* !MCUBOOT_OVERWRITE_ONLY */
-
-/**
- * Reads the boot status from the flash. The boot status contains
- * the current state of an interrupted image copy operation. If the boot
- * status is not present, or it indicates that previous copy finished,
- * there is no operation in progress.
- */
-static int
-boot_read_status(struct boot_loader_state *state, struct boot_status *bs)
-{
- memset(bs, 0, sizeof *bs);
- bs->idx = BOOT_STATUS_IDX_0;
- bs->state = BOOT_STATUS_STATE_0;
- bs->swap_type = BOOT_SWAP_TYPE_NONE;
-
-#ifdef MCUBOOT_OVERWRITE_ONLY
- /* Overwrite-only doesn't make use of the swap status area. */
- return 0;
-#else
- const struct flash_area *fap;
- uint32_t off;
- uint8_t swap_info;
- int status_loc;
- int area_id;
- int rc;
-
- status_loc = boot_status_source(state);
- switch (status_loc) {
- case BOOT_STATUS_SOURCE_NONE:
- return 0;
-
- case BOOT_STATUS_SOURCE_SCRATCH:
- area_id = FLASH_AREA_IMAGE_SCRATCH;
- break;
-
- case BOOT_STATUS_SOURCE_PRIMARY_SLOT:
- area_id = FLASH_AREA_IMAGE_PRIMARY(BOOT_CURR_IMG(state));
- break;
-
- default:
- assert(0);
- return BOOT_EBADARGS;
- }
-
- rc = flash_area_open(area_id, &fap);
- if (rc != 0) {
- return BOOT_EFLASH;
- }
-
- rc = boot_read_status_bytes(fap, state, bs);
- if (rc == 0) {
- off = boot_swap_info_off(fap);
- rc = flash_area_read_is_empty(fap, off, &swap_info, sizeof swap_info);
- if (rc == 1) {
- BOOT_SET_SWAP_INFO(swap_info, 0, BOOT_SWAP_TYPE_NONE);
- rc = 0;
- }
-
- /* Extract the swap type info */
- bs->swap_type = BOOT_GET_SWAP_TYPE(swap_info);
- }
-
- flash_area_close(fap);
-
- return rc;
-#endif
-}
-
-/**
- * Writes the supplied boot status to the flash file system. The boot status
- * contains the current state of an in-progress image copy operation.
- *
- * @param bs The boot status to write.
- *
- * @return 0 on success; nonzero on failure.
- */
-int
-boot_write_status(struct boot_loader_state *state, struct boot_status *bs)
-{
- const struct flash_area *fap = NULL;
- uint32_t off;
- int area_id;
- int rc;
- uint8_t buf[BOOT_MAX_ALIGN];
- uint32_t align;
- uint8_t erased_val;
-
- /* NOTE: The first sector copied (that is the last sector on slot) contains
- * the trailer. Since in the last step the primary slot is erased, the
- * first two status writes go to the scratch which will be copied to
- * the primary slot!
- */
-
- if (bs->use_scratch) {
- /* Write to scratch. */
- area_id = FLASH_AREA_IMAGE_SCRATCH;
- } else {
- /* Write to the primary slot. */
- area_id = FLASH_AREA_IMAGE_PRIMARY(BOOT_CURR_IMG(state));
- }
-
- rc = flash_area_open(area_id, &fap);
- if (rc != 0) {
- rc = BOOT_EFLASH;
- goto done;
- }
-
- off = boot_status_off(fap) +
- boot_status_internal_off(bs->idx, bs->state, BOOT_WRITE_SZ(state));
- align = flash_area_align(fap);
- erased_val = flash_area_erased_val(fap);
- memset(buf, erased_val, BOOT_MAX_ALIGN);
- buf[0] = bs->state;
-
- rc = flash_area_write(fap, off, buf, align);
- if (rc != 0) {
- rc = BOOT_EFLASH;
- goto done;
- }
-
- rc = 0;
-
-done:
- flash_area_close(fap);
- return rc;
-}
-
-/**
- * Determines which swap operation to perform, if any. If it is determined
- * that a swap operation is required, the image in the secondary slot is checked
- * for validity. If the image in the secondary slot is invalid, it is erased,
- * and a swap type of "none" is indicated.
- *
- * @return The type of swap to perform (BOOT_SWAP_TYPE...)
- */
-static int
-boot_validated_swap_type(struct boot_loader_state *state,
- struct boot_status *bs)
-{
- int swap_type;
- int rc;
-
- swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state));
- if (BOOT_IS_UPGRADE(swap_type)) {
- /* Boot loader wants to switch to the secondary slot.
- * Ensure image is valid.
- */
- rc = boot_validate_slot(state, BOOT_SECONDARY_SLOT, bs);
- if (rc == 1) {
- swap_type = BOOT_SWAP_TYPE_NONE;
- } else if (rc != 0) {
- swap_type = BOOT_SWAP_TYPE_FAIL;
- }
- }
-
- return swap_type;
-}
-
-/**
- * Calculates the number of sectors the scratch area can contain. A "last"
- * source sector is specified because images are copied backwards in flash
- * (final index to index number 0).
- *
- * @param last_sector_idx The index of the last source sector
- * (inclusive).
- * @param out_first_sector_idx The index of the first source sector
- * (inclusive) gets written here.
- *
- * @return The number of bytes comprised by the
- * [first-sector, last-sector] range.
- */
-#ifndef MCUBOOT_OVERWRITE_ONLY
-static uint32_t
-boot_copy_sz(struct boot_loader_state *state, int last_sector_idx,
- int *out_first_sector_idx)
-{
- size_t scratch_sz;
- uint32_t new_sz;
- uint32_t sz;
- int i;
-
- sz = 0;
-
- scratch_sz = boot_scratch_area_size(state);
- for (i = last_sector_idx; i >= 0; i--) {
- new_sz = sz + boot_img_sector_size(state, BOOT_PRIMARY_SLOT, i);
- /*
- * The secondary slot is not being checked here, because
- * `boot_slots_compatible` already provides assurance that the copy size
- * will be compatible with the primary slot and scratch.
- */
- if (new_sz > scratch_sz) {
- break;
- }
- sz = new_sz;
- }
-
- /* i currently refers to a sector that doesn't fit or it is -1 because all
- * sectors have been processed. In both cases, exclude sector i.
- */
- *out_first_sector_idx = i + 1;
- return sz;
-}
-#endif /* !MCUBOOT_OVERWRITE_ONLY */
-
-/**
- * Erases a region of flash.
- *
- * @param flash_area The flash_area containing the region to erase.
- * @param off The offset within the flash area to start the
- * erase.
- * @param sz The number of bytes to erase.
- *
- * @return 0 on success; nonzero on failure.
- */
-static inline int
-boot_erase_region(const struct flash_area *fap, uint32_t off, uint32_t sz)
-{
- return flash_area_erase(fap, off, sz);
-}
-
-/**
- * Copies the contents of one flash region to another. You must erase the
- * destination region prior to calling this function.
- *
- * @param flash_area_id_src The ID of the source flash area.
- * @param flash_area_id_dst The ID of the destination flash area.
- * @param off_src The offset within the source flash area to
- * copy from.
- * @param off_dst The offset within the destination flash area to
- * copy to.
- * @param sz The number of bytes to copy.
- *
- * @return 0 on success; nonzero on failure.
- */
-static int
-boot_copy_region(struct boot_loader_state *state,
- const struct flash_area *fap_src,
- const struct flash_area *fap_dst,
- uint32_t off_src, uint32_t off_dst, uint32_t sz)
-{
- uint32_t bytes_copied;
- int chunk_sz;
- int rc;
-
- static uint8_t buf[1024];
-
- (void)state;
-
- bytes_copied = 0;
- while (bytes_copied < sz) {
- if (sz - bytes_copied > sizeof(buf)) {
- chunk_sz = sizeof(buf);
- } else {
- chunk_sz = sz - bytes_copied;
- }
-
- rc = flash_area_read(fap_src, off_src + bytes_copied, buf, chunk_sz);
- if (rc != 0) {
- return BOOT_EFLASH;
- }
-
- rc = flash_area_write(fap_dst, off_dst + bytes_copied, buf, chunk_sz);
- if (rc != 0) {
- return BOOT_EFLASH;
- }
-
- bytes_copied += chunk_sz;
- }
-
- return 0;
-}
-
-#ifndef MCUBOOT_OVERWRITE_ONLY
-static inline int
-boot_status_init(const struct boot_loader_state *state,
- const struct flash_area *fap,
- const struct boot_status *bs)
-{
- struct boot_swap_state swap_state;
- uint8_t image_index;
- int rc;
-
-#if (BOOT_IMAGE_NUMBER == 1)
- (void)state;
-#endif
-
- image_index = BOOT_CURR_IMG(state);
-
- BOOT_LOG_DBG("initializing status; fa_id=%d", fap->fa_id);
-
- rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SECONDARY(image_index),
- &swap_state);
- assert(rc == 0);
-
- if (bs->swap_type != BOOT_SWAP_TYPE_NONE) {
- rc = boot_write_swap_info(fap, bs->swap_type, image_index);
- assert(rc == 0);
- }
-
- if (swap_state.image_ok == BOOT_FLAG_SET) {
- rc = boot_write_image_ok(fap);
- assert(rc == 0);
- }
-
- rc = boot_write_swap_size(fap, bs->swap_size);
- assert(rc == 0);
-
- rc = boot_write_magic(fap);
- assert(rc == 0);
-
- return 0;
-}
-
-static int
-boot_erase_trailer_sectors(const struct boot_loader_state *state,
- const struct flash_area *fap)
-{
- uint8_t slot;
- uint32_t sector;
- uint32_t trailer_sz;
- uint32_t total_sz;
- uint32_t off;
- uint32_t sz;
- int fa_id_primary;
- int fa_id_secondary;
- uint8_t image_index;
- int rc;
-
- BOOT_LOG_DBG("erasing trailer; fa_id=%d", fap->fa_id);
-
- image_index = BOOT_CURR_IMG(state);
- fa_id_primary = flash_area_id_from_multi_image_slot(image_index,
- BOOT_PRIMARY_SLOT);
- fa_id_secondary = flash_area_id_from_multi_image_slot(image_index,
- BOOT_SECONDARY_SLOT);
-
- if (fap->fa_id == fa_id_primary) {
- slot = BOOT_PRIMARY_SLOT;
- } else if (fap->fa_id == fa_id_secondary) {
- slot = BOOT_SECONDARY_SLOT;
- } else {
- return BOOT_EFLASH;
- }
-
- /* delete starting from last sector and moving to beginning */
- sector = boot_img_num_sectors(state, slot) - 1;
- trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state));
- total_sz = 0;
- do {
- sz = boot_img_sector_size(state, slot, sector);
- off = boot_img_sector_off(state, slot, sector);
- rc = boot_erase_region(fap, off, sz);
- assert(rc == 0);
-
- sector--;
- total_sz += sz;
- } while (total_sz < trailer_sz);
-
- return rc;
-}
-
-/**
- * Swaps the contents of two flash regions within the two image slots.
- *
- * @param idx The index of the first sector in the range of
- * sectors being swapped.
- * @param sz The number of bytes to swap.
- * @param bs The current boot status. This struct gets
- * updated according to the outcome.
- *
- * @return 0 on success; nonzero on failure.
- */
-static void
-boot_swap_sectors(int idx, uint32_t sz, struct boot_loader_state *state,
- struct boot_status *bs)
-{
- const struct flash_area *fap_primary_slot;
- const struct flash_area *fap_secondary_slot;
- const struct flash_area *fap_scratch;
- uint32_t copy_sz;
- uint32_t trailer_sz;
- uint32_t img_off;
- uint32_t scratch_trailer_off;
- struct boot_swap_state swap_state;
- size_t last_sector;
- bool erase_scratch;
- uint8_t image_index;
- int rc;
-
- /* Calculate offset from start of image area. */
- img_off = boot_img_sector_off(state, BOOT_PRIMARY_SLOT, idx);
-
- copy_sz = sz;
- trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state));
-
- /* sz in this function is always sized on a multiple of the sector size.
- * The check against the start offset of the last sector
- * is to determine if we're swapping the last sector. The last sector
- * needs special handling because it's where the trailer lives. If we're
- * copying it, we need to use scratch to write the trailer temporarily.
- *
- * NOTE: `use_scratch` is a temporary flag (never written to flash) which
- * controls if special handling is needed (swapping last sector).
- */
- last_sector = boot_img_num_sectors(state, BOOT_PRIMARY_SLOT) - 1;
- if ((img_off + sz) >
- boot_img_sector_off(state, BOOT_PRIMARY_SLOT, last_sector)) {
- copy_sz -= trailer_sz;
- }
-
- bs->use_scratch = (bs->idx == BOOT_STATUS_IDX_0 && copy_sz != sz);
-
- image_index = BOOT_CURR_IMG(state);
-
- rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index),
- &fap_primary_slot);
- assert (rc == 0);
-
- rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY(image_index),
- &fap_secondary_slot);
- assert (rc == 0);
-
- rc = flash_area_open(FLASH_AREA_IMAGE_SCRATCH, &fap_scratch);
- assert (rc == 0);
-
- if (bs->state == BOOT_STATUS_STATE_0) {
- BOOT_LOG_DBG("erasing scratch area");
- rc = boot_erase_region(fap_scratch, 0, fap_scratch->fa_size);
- assert(rc == 0);
-
- if (bs->idx == BOOT_STATUS_IDX_0) {
- /* Write a trailer to the scratch area, even if we don't need the
- * scratch area for status. We need a temporary place to store the
- * `swap-type` while we erase the primary trailer.
- */
- rc = boot_status_init(state, fap_scratch, bs);
- assert(rc == 0);
-
- if (!bs->use_scratch) {
- /* Prepare the primary status area... here it is known that the
- * last sector is not being used by the image data so it's safe
- * to erase.
- */
- rc = boot_erase_trailer_sectors(state, fap_primary_slot);
- assert(rc == 0);
-
- rc = boot_status_init(state, fap_primary_slot, bs);
- assert(rc == 0);
-
- /* Erase the temporary trailer from the scratch area. */
- rc = boot_erase_region(fap_scratch, 0, fap_scratch->fa_size);
- assert(rc == 0);
- }
- }
-
- rc = boot_copy_region(state, fap_secondary_slot, fap_scratch,
- img_off, 0, copy_sz);
- assert(rc == 0);
-
- rc = boot_write_status(state, bs);
- bs->state = BOOT_STATUS_STATE_1;
- BOOT_STATUS_ASSERT(rc == 0);
- }
-
- if (bs->state == BOOT_STATUS_STATE_1) {
- rc = boot_erase_region(fap_secondary_slot, img_off, sz);
- assert(rc == 0);
-
- rc = boot_copy_region(state, fap_primary_slot, fap_secondary_slot,
- img_off, img_off, copy_sz);
- assert(rc == 0);
-
- if (bs->idx == BOOT_STATUS_IDX_0 && !bs->use_scratch) {
- /* If not all sectors of the slot are being swapped,
- * guarantee here that only the primary slot will have the state.
- */
- rc = boot_erase_trailer_sectors(state, fap_secondary_slot);
- assert(rc == 0);
- }
-
- rc = boot_write_status(state, bs);
- bs->state = BOOT_STATUS_STATE_2;
- BOOT_STATUS_ASSERT(rc == 0);
- }
-
- if (bs->state == BOOT_STATUS_STATE_2) {
- rc = boot_erase_region(fap_primary_slot, img_off, sz);
- assert(rc == 0);
-
- /* NOTE: If this is the final sector, we exclude the image trailer from
- * this copy (copy_sz was truncated earlier).
- */
- rc = boot_copy_region(state, fap_scratch, fap_primary_slot,
- 0, img_off, copy_sz);
- assert(rc == 0);
-
- if (bs->use_scratch) {
- scratch_trailer_off = boot_status_off(fap_scratch);
-
- /* copy current status that is being maintained in scratch */
- rc = boot_copy_region(state, fap_scratch, fap_primary_slot,
- scratch_trailer_off, img_off + copy_sz,
- (BOOT_STATUS_STATE_COUNT - 1) * BOOT_WRITE_SZ(state));
- BOOT_STATUS_ASSERT(rc == 0);
-
- rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SCRATCH,
- &swap_state);
- assert(rc == 0);
-
- if (swap_state.image_ok == BOOT_FLAG_SET) {
- rc = boot_write_image_ok(fap_primary_slot);
- assert(rc == 0);
- }
-
- if (swap_state.swap_type != BOOT_SWAP_TYPE_NONE) {
- rc = boot_write_swap_info(fap_primary_slot,
- swap_state.swap_type,
- image_index);
- assert(rc == 0);
- }
-
- rc = boot_write_swap_size(fap_primary_slot, bs->swap_size);
- assert(rc == 0);
-
- rc = boot_write_magic(fap_primary_slot);
- assert(rc == 0);
- }
-
- /* If we wrote a trailer to the scratch area, erase it after we persist
- * a trailer to the primary slot. We do this to prevent mcuboot from
- * reading a stale status from the scratch area in case of immediate
- * reset.
- */
- erase_scratch = bs->use_scratch;
- bs->use_scratch = 0;
-
- rc = boot_write_status(state, bs);
- bs->idx++;
- bs->state = BOOT_STATUS_STATE_0;
- BOOT_STATUS_ASSERT(rc == 0);
-
- if (erase_scratch) {
- rc = boot_erase_region(fap_scratch, 0, sz);
- assert(rc == 0);
- }
- }
-
- flash_area_close(fap_primary_slot);
- flash_area_close(fap_secondary_slot);
- flash_area_close(fap_scratch);
-}
-#endif /* !MCUBOOT_OVERWRITE_ONLY */
-
-/**
- * Overwrite primary slot with the image contained in the secondary slot.
- * If a prior copy operation was interrupted by a system reset, this function
- * redos the copy.
- *
- * @param bs The current boot status. This function reads
- * this struct to determine if it is resuming
- * an interrupted swap operation. This
- * function writes the updated status to this
- * function on return.
- *
- * @return 0 on success; nonzero on failure.
- */
-#ifdef MCUBOOT_OVERWRITE_ONLY
-static int
-boot_copy_image(struct boot_loader_state *state, struct boot_status *bs)
-{
- size_t sect_count;
- size_t sect;
- int rc;
- size_t size;
- size_t this_size;
- size_t last_sector;
- const struct flash_area *fap_primary_slot;
- const struct flash_area *fap_secondary_slot;
- uint8_t image_index;
-
- (void)bs;
-
- BOOT_LOG_INF("Image upgrade secondary slot -> primary slot");
- BOOT_LOG_INF("Erasing the primary slot");
-
- image_index = BOOT_CURR_IMG(state);
-
- rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index),
- &fap_primary_slot);
- assert (rc == 0);
-
- rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY(image_index),
- &fap_secondary_slot);
- assert (rc == 0);
-
- sect_count = boot_img_num_sectors(state, BOOT_PRIMARY_SLOT);
- for (sect = 0, size = 0; sect < sect_count; sect++) {
- this_size = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, sect);
- rc = boot_erase_region(fap_primary_slot, size, this_size);
- assert(rc == 0);
-
- size += this_size;
- }
-
- BOOT_LOG_INF("Copying the secondary slot to the primary slot: 0x%zx bytes",
- size);
- rc = boot_copy_region(state, fap_secondary_slot, fap_primary_slot,
- 0, 0, size);
-
- /* Update the stored security counter with the new image's security counter
- * value. Both slots hold the new image at this point, but the secondary
- * slot's image header must be passed because the read image headers in the
- * boot_data structure have not been updated yet.
- */
- rc = boot_update_security_counter(BOOT_CURR_IMG(state), BOOT_PRIMARY_SLOT,
- boot_img_hdr(state, BOOT_SECONDARY_SLOT));
- if (rc != 0) {
- BOOT_LOG_ERR("Security counter update failed after image upgrade.");
- return rc;
- }
-
- /*
- * Erases header and trailer. The trailer is erased because when a new
- * image is written without a trailer as is the case when using newt, the
- * trailer that was left might trigger a new upgrade.
- */
- BOOT_LOG_DBG("erasing secondary header");
- rc = boot_erase_region(fap_secondary_slot,
- boot_img_sector_off(state, BOOT_SECONDARY_SLOT, 0),
- boot_img_sector_size(state, BOOT_SECONDARY_SLOT, 0));
- assert(rc == 0);
- last_sector = boot_img_num_sectors(state, BOOT_SECONDARY_SLOT) - 1;
- BOOT_LOG_DBG("erasing secondary trailer");
- rc = boot_erase_region(fap_secondary_slot,
- boot_img_sector_off(state, BOOT_SECONDARY_SLOT,
- last_sector),
- boot_img_sector_size(state, BOOT_SECONDARY_SLOT,
- last_sector));
- assert(rc == 0);
-
- flash_area_close(fap_primary_slot);
- flash_area_close(fap_secondary_slot);
-
- /* TODO: Perhaps verify the primary slot's signature again? */
-
- return 0;
-}
-#else
-/**
- * Swaps the two images in flash. If a prior copy operation was interrupted
- * by a system reset, this function completes that operation.
- *
- * @param bs The current boot status. This function reads
- * this struct to determine if it is resuming
- * an interrupted swap operation. This
- * function writes the updated status to this
- * function on return.
- *
- * @return 0 on success; nonzero on failure.
- */
-static int
-boot_swap_image(struct boot_loader_state *state, struct boot_status *bs)
-{
- uint32_t sz;
- int first_sector_idx;
- int last_sector_idx;
- int last_idx_secondary_slot;
- uint32_t swap_idx;
- struct image_header *hdr;
- uint32_t size;
- uint32_t copy_size;
- uint32_t primary_slot_size;
- uint32_t secondary_slot_size;
- uint8_t image_index;
- int rc;
-
- /* FIXME: just do this if asked by user? */
-
- size = copy_size = 0;
- image_index = BOOT_CURR_IMG(state);
-
- if (bs->idx == BOOT_STATUS_IDX_0 && bs->state == BOOT_STATUS_STATE_0) {
- /*
- * No swap ever happened, so need to find the largest image which
- * will be used to determine the amount of sectors to swap.
- */
- hdr = boot_img_hdr(state, BOOT_PRIMARY_SLOT);
- if (hdr->ih_magic == IMAGE_MAGIC) {
- rc = boot_read_image_size(state, BOOT_PRIMARY_SLOT, ©_size);
- assert(rc == 0);
- }
-
- hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT);
- if (hdr->ih_magic == IMAGE_MAGIC) {
- rc = boot_read_image_size(state, BOOT_SECONDARY_SLOT, &size);
- assert(rc == 0);
- }
-
- if (size > copy_size) {
- copy_size = size;
- }
-
- bs->swap_size = copy_size;
- } else {
- /*
- * If a swap was under way, the swap_size should already be present
- * in the trailer...
- */
- rc = boot_read_swap_size(image_index, &bs->swap_size);
- assert(rc == 0);
-
- copy_size = bs->swap_size;
- }
-
- primary_slot_size = 0;
- secondary_slot_size = 0;
- last_sector_idx = 0;
- last_idx_secondary_slot = 0;
-
- /*
- * Knowing the size of the largest image between both slots, here we
- * find what is the last sector in the primary slot that needs swapping.
- * Since we already know that both slots are compatible, the secondary
- * slot's last sector is not really required after this check is finished.
- */
- while (1) {
- if ((primary_slot_size < copy_size) ||
- (primary_slot_size < secondary_slot_size)) {
- primary_slot_size += boot_img_sector_size(state,
- BOOT_PRIMARY_SLOT,
- last_sector_idx);
- }
- if ((secondary_slot_size < copy_size) ||
- (secondary_slot_size < primary_slot_size)) {
- secondary_slot_size += boot_img_sector_size(state,
- BOOT_SECONDARY_SLOT,
- last_idx_secondary_slot);
- }
- if (primary_slot_size >= copy_size &&
- secondary_slot_size >= copy_size &&
- primary_slot_size == secondary_slot_size) {
- break;
- }
- last_sector_idx++;
- last_idx_secondary_slot++;
- }
-
- swap_idx = 0;
- while (last_sector_idx >= 0) {
- sz = boot_copy_sz(state, last_sector_idx, &first_sector_idx);
- if (swap_idx >= (bs->idx - BOOT_STATUS_IDX_0)) {
- boot_swap_sectors(first_sector_idx, sz, state, bs);
- }
-
- last_sector_idx = first_sector_idx - 1;
- swap_idx++;
- }
-
-#ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT
- if (boot_status_fails > 0) {
- BOOT_LOG_WRN("%d status write fails performing the swap",
- boot_status_fails);
- }
-#endif
-
- return 0;
-}
-#endif
-
-#ifndef MCUBOOT_OVERWRITE_ONLY
-/**
- * Marks the image in the primary slot as fully copied.
- */
-static int
-boot_set_copy_done(uint8_t image_index)
-{
- const struct flash_area *fap;
- int rc;
-
- rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index),
- &fap);
- if (rc != 0) {
- return BOOT_EFLASH;
- }
-
- rc = boot_write_copy_done(fap);
- flash_area_close(fap);
- return rc;
-}
-
-/**
- * Marks a reverted image in the primary slot as confirmed. This is necessary to
- * ensure the status bytes from the image revert operation don't get processed
- * on a subsequent boot.
- *
- * NOTE: image_ok is tested before writing because if there's a valid permanent
- * image installed on the primary slot and the new image to be upgrade to has a
- * bad sig, image_ok would be overwritten.
- */
-static int
-boot_set_image_ok(uint8_t image_index)
-{
- const struct flash_area *fap;
- struct boot_swap_state state;
- int rc;
-
- rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(image_index),
- &fap);
- if (rc != 0) {
- return BOOT_EFLASH;
- }
-
- rc = boot_read_swap_state(fap, &state);
- if (rc != 0) {
- rc = BOOT_EFLASH;
- goto out;
- }
-
- if (state.image_ok == BOOT_FLAG_UNSET) {
- rc = boot_write_image_ok(fap);
- }
-
-out:
- flash_area_close(fap);
- return rc;
-}
-#endif /* !MCUBOOT_OVERWRITE_ONLY */
-
-#if (BOOT_IMAGE_NUMBER > 1)
-/**
- * Check if the version of the image is not older than required.
- *
- * @param req Required minimal image version.
- * @param ver Version of the image to be checked.
- *
- * @return 0 if the version is sufficient, nonzero otherwise.
- */
-static int
-boot_is_version_sufficient(struct image_version *req,
- struct image_version *ver)
-{
- if (ver->iv_major > req->iv_major) {
- return 0;
- }
- if (ver->iv_major < req->iv_major) {
- return BOOT_EBADVERSION;
- }
- /* The major version numbers are equal. */
- if (ver->iv_minor > req->iv_minor) {
- return 0;
- }
- if (ver->iv_minor < req->iv_minor) {
- return BOOT_EBADVERSION;
- }
- /* The minor version numbers are equal. */
- if (ver->iv_revision < req->iv_revision) {
- return BOOT_EBADVERSION;
- }
-
- return 0;
-}
-
-/**
- * Check the image dependency whether it is satisfied and modify
- * the swap type if necessary.
- *
- * @param dep Image dependency which has to be verified.
- *
- * @return 0 on success; nonzero on failure.
- */
-static int
-boot_verify_slot_dependency(struct boot_loader_state *state,
- struct image_dependency *dep)
-{
- struct image_version *dep_version;
- size_t dep_slot;
- int rc;
- uint8_t swap_type;
-
- /* Determine the source of the image which is the subject of
- * the dependency and get it's version. */
- swap_type = state->swap_type[dep->image_id];
- dep_slot = (swap_type != BOOT_SWAP_TYPE_NONE) ?
- BOOT_SECONDARY_SLOT : BOOT_PRIMARY_SLOT;
- dep_version = &state->imgs[dep->image_id][dep_slot].hdr.ih_ver;
-
- rc = boot_is_version_sufficient(&dep->image_min_version, dep_version);
- if (rc != 0) {
- /* Dependency not satisfied.
- * Modify the swap type to decrease the version number of the image
- * (which will be located in the primary slot after the boot process),
- * consequently the number of unsatisfied dependencies will be
- * decreased or remain the same.
- */
- switch (BOOT_SWAP_TYPE(state)) {
- case BOOT_SWAP_TYPE_TEST:
- case BOOT_SWAP_TYPE_PERM:
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_NONE;
- break;
- case BOOT_SWAP_TYPE_NONE:
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_REVERT;
- break;
- default:
- break;
- }
- }
-
- return rc;
-}
-
-/**
- * Read all dependency TLVs of an image from the flash and verify
- * one after another to see if they are all satisfied.
- *
- * @param slot Image slot number.
- *
- * @return 0 on success; nonzero on failure.
- */
-static int
-boot_verify_slot_dependencies(struct boot_loader_state *state, uint32_t slot)
-{
- const struct flash_area *fap;
- struct image_tlv_iter it;
- struct image_dependency dep;
- uint32_t off;
- uint16_t len;
- int area_id;
- int rc;
-
- area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot);
- rc = flash_area_open(area_id, &fap);
- if (rc != 0) {
- rc = BOOT_EFLASH;
- goto done;
- }
-
- rc = bootutil_tlv_iter_begin(&it, boot_img_hdr(state, slot), fap,
- IMAGE_TLV_DEPENDENCY, true);
- if (rc != 0) {
- goto done;
- }
-
- while (true) {
- rc = bootutil_tlv_iter_next(&it, &off, &len, NULL);
- if (rc < 0) {
- return -1;
- } else if (rc > 0) {
- rc = 0;
- break;
- }
-
- if (len != sizeof(dep)) {
- rc = BOOT_EBADIMAGE;
- goto done;
- }
-
- rc = flash_area_read(fap, off, &dep, len);
- if (rc != 0) {
- rc = BOOT_EFLASH;
- goto done;
- }
-
- if (dep.image_id >= BOOT_IMAGE_NUMBER) {
- rc = BOOT_EBADARGS;
- goto done;
- }
-
- /* Verify dependency and modify the swap type if not satisfied. */
- rc = boot_verify_slot_dependency(state, &dep);
- if (rc != 0) {
- /* Dependency not satisfied. */
- goto done;
- }
- }
-
-done:
- flash_area_close(fap);
- return rc;
-}
-
-/**
- * Iterate over all the images and verify whether the image dependencies in the
- * TLV area are all satisfied and update the related swap type if necessary.
- */
-static int
-boot_verify_dependencies(struct boot_loader_state *state)
-{
- int rc;
- uint8_t slot;
-
- BOOT_CURR_IMG(state) = 0;
- while (BOOT_CURR_IMG(state) < BOOT_IMAGE_NUMBER) {
- if (BOOT_SWAP_TYPE(state) != BOOT_SWAP_TYPE_NONE &&
- BOOT_SWAP_TYPE(state) != BOOT_SWAP_TYPE_FAIL) {
- slot = BOOT_SECONDARY_SLOT;
- } else {
- slot = BOOT_PRIMARY_SLOT;
- }
-
- rc = boot_verify_slot_dependencies(state, slot);
- if (rc == 0) {
- /* All dependencies've been satisfied, continue with next image. */
- BOOT_CURR_IMG(state)++;
- } else if (rc == BOOT_EBADVERSION) {
- /* Cannot upgrade due to non-met dependencies, so disable all
- * image upgrades.
- */
- for (int idx = 0; idx < BOOT_IMAGE_NUMBER; idx++) {
- BOOT_CURR_IMG(state) = idx;
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_NONE;
- }
- break;
- } else {
- /* Other error happened, images are inconsistent */
- return rc;
- }
- }
- return rc;
-}
-#endif /* (BOOT_IMAGE_NUMBER > 1) */
-
-/**
- * Performs a clean (not aborted) image update.
- *
- * @param bs The current boot status.
- *
- * @return 0 on success; nonzero on failure.
- */
-static int
-boot_perform_update(struct boot_loader_state *state, struct boot_status *bs)
-{
- int rc;
-#ifndef MCUBOOT_OVERWRITE_ONLY
- uint8_t swap_type;
-#endif
-
- /* At this point there are no aborted swaps. */
-#if defined(MCUBOOT_OVERWRITE_ONLY)
- rc = boot_copy_image(state, bs);
-#else
- rc = boot_swap_image(state, bs);
-#endif
- assert(rc == 0);
-
-#ifndef MCUBOOT_OVERWRITE_ONLY
- /* The following state needs image_ok be explicitly set after the
- * swap was finished to avoid a new revert.
- */
- swap_type = BOOT_SWAP_TYPE(state);
- if (swap_type == BOOT_SWAP_TYPE_REVERT ||
- swap_type == BOOT_SWAP_TYPE_PERM) {
- rc = boot_set_image_ok(BOOT_CURR_IMG(state));
- if (rc != 0) {
- BOOT_SWAP_TYPE(state) = swap_type = BOOT_SWAP_TYPE_PANIC;
- }
- }
-
- if (swap_type == BOOT_SWAP_TYPE_PERM) {
- /* Update the stored security counter with the new image's security
- * counter value. The primary slot holds the new image at this
- * point, but the secondary slot's image header must be passed
- * because the read image headers in the boot_data structure have
- * not been updated yet.
- *
- * In case of a permanent image swap mcuboot will never attempt to
- * revert the images on the next reboot. Therefore, the security
- * counter must be increased right after the image upgrade.
- */
- rc = boot_update_security_counter(
- BOOT_CURR_IMG(state),
- BOOT_PRIMARY_SLOT,
- boot_img_hdr(state, BOOT_SECONDARY_SLOT));
- if (rc != 0) {
- BOOT_LOG_ERR("Security counter update failed after "
- "image upgrade.");
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_PANIC;
- }
- }
-
- if (BOOT_IS_UPGRADE(swap_type)) {
- rc = boot_set_copy_done(BOOT_CURR_IMG(state));
- if (rc != 0) {
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_PANIC;
- }
- }
-#endif /* !MCUBOOT_OVERWRITE_ONLY */
-
- return rc;
-}
-
-/**
- * Completes a previously aborted image swap.
- *
- * @param bs The current boot status.
- *
- * @return 0 on success; nonzero on failure.
- */
-#if !defined(MCUBOOT_OVERWRITE_ONLY)
-static int
-boot_complete_partial_swap(struct boot_loader_state *state,
- struct boot_status *bs)
-{
- int rc;
-
- /* Determine the type of swap operation being resumed from the
- * `swap-type` trailer field.
- */
- rc = boot_swap_image(state, bs);
- assert(rc == 0);
-
- BOOT_SWAP_TYPE(state) = bs->swap_type;
-
- /* The following states need image_ok be explicitly set after the
- * swap was finished to avoid a new revert.
- */
- if (bs->swap_type == BOOT_SWAP_TYPE_REVERT ||
- bs->swap_type == BOOT_SWAP_TYPE_PERM) {
- rc = boot_set_image_ok(BOOT_CURR_IMG(state));
- if (rc != 0) {
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_PANIC;
- }
- }
-
- if (BOOT_IS_UPGRADE(bs->swap_type)) {
- rc = boot_set_copy_done(BOOT_CURR_IMG(state));
- if (rc != 0) {
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_PANIC;
- }
- }
-
- if (BOOT_SWAP_TYPE(state) == BOOT_SWAP_TYPE_PANIC) {
- BOOT_LOG_ERR("panic!");
- assert(0);
-
- /* Loop forever... */
- while (1) {}
- }
-
- return rc;
-}
-#endif /* !MCUBOOT_OVERWRITE_ONLY */
-
-#if (BOOT_IMAGE_NUMBER > 1)
-/**
- * Review the validity of previously determined swap types of other images.
- *
- * @param aborted_swap The current image upgrade is a
- * partial/aborted swap.
- */
-static void
-boot_review_image_swap_types(struct boot_loader_state *state,
- bool aborted_swap)
-{
- /* In that case if we rebooted in the middle of an image upgrade process, we
- * must review the validity of swap types, that were previously determined
- * for other images. The image_ok flag had not been set before the reboot
- * for any of the updated images (only the copy_done flag) and thus falsely
- * the REVERT swap type has been determined for the previous images that had
- * been updated before the reboot.
- *
- * There are two separate scenarios that we have to deal with:
- *
- * 1. The reboot has happened during swapping an image:
- * The current image upgrade has been determined as a
- * partial/aborted swap.
- * 2. The reboot has happened between two separate image upgrades:
- * In this scenario we must check the swap type of the current image.
- * In those cases if it is NONE or REVERT we cannot certainly determine
- * the fact of a reboot. In a consistent state images must move in the
- * same direction or stay in place, e.g. in practice REVERT and TEST
- * swap types cannot be present at the same time. If the swap type of
- * the current image is either TEST, PERM or FAIL we must review the
- * already determined swap types of other images and set each false
- * REVERT swap types to NONE (these images had been successfully
- * updated before the system rebooted between two separate image
- * upgrades).
- */
-
- if (BOOT_CURR_IMG(state) == 0) {
- /* Nothing to do */
- return;
- }
-
- if (!aborted_swap) {
- if ((BOOT_SWAP_TYPE(state) == BOOT_SWAP_TYPE_NONE) ||
- (BOOT_SWAP_TYPE(state) == BOOT_SWAP_TYPE_REVERT)) {
- /* Nothing to do */
- return;
- }
- }
-
- for (uint8_t i = 0; i < BOOT_CURR_IMG(state); i++) {
- if (state->swap_type[i] == BOOT_SWAP_TYPE_REVERT) {
- state->swap_type[i] = BOOT_SWAP_TYPE_NONE;
- }
- }
-}
-#endif
-
-/**
- * Prepare image to be updated if required.
- *
- * Prepare image to be updated if required with completing an image swap
- * operation if one was aborted and/or determining the type of the
- * swap operation. In case of any error set the swap type to NONE.
- *
- * @param state Boot loader status information.
- * @param bs Pointer where the read and possibly updated
- * boot status can be written to.
- */
-static void
-boot_prepare_image_for_update(struct boot_loader_state *state,
- struct boot_status *bs)
-{
- int rc;
-
- /* Determine the sector layout of the image slots and scratch area. */
- rc = boot_read_sectors(state);
- if (rc != 0) {
- BOOT_LOG_WRN("Failed reading sectors; BOOT_MAX_IMG_SECTORS=%d"
- " - too small?", BOOT_MAX_IMG_SECTORS);
- /* Unable to determine sector layout, continue with next image
- * if there is one.
- */
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_NONE;
- return;
- }
-
- /* Attempt to read an image header from each slot. */
- rc = boot_read_image_headers(state, false);
- if (rc != 0) {
- /* Continue with next image if there is one. */
- BOOT_LOG_WRN("Failed reading image headers; Image=%u",
- BOOT_CURR_IMG(state));
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_NONE;
- return;
- }
-
- /* If the current image's slots aren't compatible, no swap is possible.
- * Just boot into primary slot.
- */
- if (boot_slots_compatible(state)) {
- rc = boot_read_status(state, bs);
- if (rc != 0) {
- BOOT_LOG_WRN("Failed reading boot status; Image=%u",
- BOOT_CURR_IMG(state));
- /* Continue with next image if there is one. */
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_NONE;
- return;
- }
-
- /* Determine if we rebooted in the middle of an image swap
- * operation. If a partial swap was detected, complete it.
- */
- if (bs->idx != BOOT_STATUS_IDX_0 || bs->state != BOOT_STATUS_STATE_0) {
-
-#if (BOOT_IMAGE_NUMBER > 1)
- boot_review_image_swap_types(state, true);
-#endif
-
-#ifdef MCUBOOT_OVERWRITE_ONLY
- /* Should never arrive here, overwrite-only mode has
- * no swap state.
- */
- assert(0);
-#else
- /* Determine the type of swap operation being resumed from the
- * `swap-type` trailer field.
- */
- rc = boot_complete_partial_swap(state, bs);
- assert(rc == 0);
-#endif
- /* Attempt to read an image header from each slot. Ensure that
- * image headers in slots are aligned with headers in boot_data.
- */
- rc = boot_read_image_headers(state, false);
- assert(rc == 0);
-
- /* Swap has finished set to NONE */
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_NONE;
- } else {
- /* There was no partial swap, determine swap type. */
- if (bs->swap_type == BOOT_SWAP_TYPE_NONE) {
- BOOT_SWAP_TYPE(state) = boot_validated_swap_type(state, bs);
- } else if (boot_validate_slot(state,
- BOOT_SECONDARY_SLOT, bs) != 0) {
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_FAIL;
- } else {
- BOOT_SWAP_TYPE(state) = bs->swap_type;
- }
-
-#if (BOOT_IMAGE_NUMBER > 1)
- boot_review_image_swap_types(state, false);
-#endif
- }
- } else {
- /* In that case if slots are not compatible. */
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_NONE;
- }
-}
-
-/**
- * Prepares the booting process. This function moves images around in flash as
- * appropriate, and tells you what address to boot from.
- *
- * @param state Boot loader status information.
- * @param rsp On success, indicates how booting should occur.
- *
- * @return 0 on success; nonzero on failure.
- */
-int
-context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
-{
- size_t slot;
- struct boot_status bs;
- int rc = 0;
- int fa_id;
- int image_index;
- bool has_upgrade;
-
- /* The array of slot sectors are defined here (as opposed to file scope) so
- * that they don't get allocated for non-boot-loader apps. This is
- * necessary because the gcc option "-fdata-sections" doesn't seem to have
- * any effect in older gcc versions (e.g., 4.8.4).
- */
- static boot_sector_t
- primary_slot_sectors[BOOT_IMAGE_NUMBER][BOOT_MAX_IMG_SECTORS];
- static boot_sector_t
- secondary_slot_sectors[BOOT_IMAGE_NUMBER][BOOT_MAX_IMG_SECTORS];
- static boot_sector_t scratch_sectors[BOOT_MAX_IMG_SECTORS];
-
- /* Iterate over all the images. By the end of the loop the swap type has
- * to be determined for each image and all aborted swaps have to be
- * completed.
- */
- IMAGES_ITER(BOOT_CURR_IMG(state)) {
-
- image_index = BOOT_CURR_IMG(state);
-
- BOOT_IMG(state, BOOT_PRIMARY_SLOT).sectors =
- primary_slot_sectors[image_index];
- BOOT_IMG(state, BOOT_SECONDARY_SLOT).sectors =
- secondary_slot_sectors[image_index];
- state->scratch.sectors = scratch_sectors;
-
- /* Open primary and secondary image areas for the duration
- * of this call.
- */
- for (slot = 0; slot < BOOT_NUM_SLOTS; slot++) {
- fa_id = flash_area_id_from_multi_image_slot(image_index, slot);
- rc = flash_area_open(fa_id, &BOOT_IMG_AREA(state, slot));
- assert(rc == 0);
- }
- rc = flash_area_open(FLASH_AREA_IMAGE_SCRATCH,
- &BOOT_SCRATCH_AREA(state));
- assert(rc == 0);
-
- /* Determine swap type and complete swap if it has been aborted. */
- boot_prepare_image_for_update(state, &bs);
-
- if (BOOT_IS_UPGRADE(BOOT_SWAP_TYPE(state))) {
- has_upgrade = true;
- }
- }
-
-#if (BOOT_IMAGE_NUMBER > 1)
- if (has_upgrade) {
- /* Iterate over all the images and verify whether the image dependencies
- * are all satisfied and update swap type if necessary.
- */
- rc = boot_verify_dependencies(state);
- if (rc == BOOT_EBADVERSION) {
- /*
- * It was impossible to upgrade because the expected dependency
- * version was not available. Here we already changed the swap_type
- * so that instead of asserting the bootloader, we continue and no
- * upgrade is performed.
- */
- rc = 0;
- }
- }
-#endif
-
- /* Iterate over all the images. At this point there are no aborted swaps
- * and the swap types are determined for each image. By the end of the loop
- * all required update operations will have been finished.
- */
- IMAGES_ITER(BOOT_CURR_IMG(state)) {
-
-#if (BOOT_IMAGE_NUMBER > 1)
- /* Indicate that swap is not aborted */
- memset(&bs, 0, sizeof bs);
- bs.idx = BOOT_STATUS_IDX_0;
- bs.state = BOOT_STATUS_STATE_0;
-#endif /* (BOOT_IMAGE_NUMBER > 1) */
-
- /* Set the previously determined swap type */
- bs.swap_type = BOOT_SWAP_TYPE(state);
-
- switch (BOOT_SWAP_TYPE(state)) {
- case BOOT_SWAP_TYPE_NONE:
- break;
-
- case BOOT_SWAP_TYPE_TEST: /* fallthrough */
- case BOOT_SWAP_TYPE_PERM: /* fallthrough */
- case BOOT_SWAP_TYPE_REVERT:
- rc = boot_perform_update(state, &bs);
- assert(rc == 0);
- break;
-
- case BOOT_SWAP_TYPE_FAIL:
- /* The image in secondary slot was invalid and is now erased. Ensure
- * we don't try to boot into it again on the next reboot. Do this by
- * pretending we just reverted back to primary slot.
- */
-#ifndef MCUBOOT_OVERWRITE_ONLY
- /* image_ok needs to be explicitly set to avoid a new revert. */
- rc = boot_set_image_ok(BOOT_CURR_IMG(state));
- if (rc != 0) {
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_PANIC;
- }
-#endif /* !MCUBOOT_OVERWRITE_ONLY */
- break;
-
- default:
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_PANIC;
- }
-
- if (BOOT_SWAP_TYPE(state) == BOOT_SWAP_TYPE_PANIC) {
- BOOT_LOG_ERR("panic!");
- assert(0);
-
- /* Loop forever... */
- while (1) {}
- }
- }
-
- /* Iterate over all the images. At this point all required update operations
- * have finished. By the end of the loop each image in the primary slot will
- * have been re-validated.
- */
- IMAGES_ITER(BOOT_CURR_IMG(state)) {
- if (BOOT_SWAP_TYPE(state) != BOOT_SWAP_TYPE_NONE) {
- /* Attempt to read an image header from each slot. Ensure that image
- * headers in slots are aligned with headers in boot_data.
- */
- rc = boot_read_image_headers(state, false);
- if (rc != 0) {
- goto out;
- }
- /* Since headers were reloaded, it can be assumed we just performed
- * a swap or overwrite. Now the header info that should be used to
- * provide the data for the bootstrap, which previously was at
- * secondary slot, was updated to primary slot.
- */
- }
-
-#ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT
- rc = boot_validate_slot(state, BOOT_PRIMARY_SLOT, NULL);
- if (rc != 0) {
- rc = BOOT_EBADIMAGE;
- goto out;
- }
-#else
- /* Even if we're not re-validating the primary slot, we could be booting
- * onto an empty flash chip. At least do a basic sanity check that
- * the magic number on the image is OK.
- */
- if (!BOOT_IMG_HDR_IS_VALID(state, BOOT_PRIMARY_SLOT)) {
- BOOT_LOG_ERR("bad image magic 0x%lx; Image=%u", (unsigned long)
- &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_magic,
- BOOT_CURR_IMG(state));
- rc = BOOT_EBADIMAGE;
- goto out;
- }
-#endif /* MCUBOOT_VALIDATE_PRIMARY_SLOT */
-
- /* Update the stored security counter with the active image's security
- * counter value. It will be updated only if the new security counter is
- * greater than the stored value.
- *
- * In case of a successful image swapping when the swap type is TEST the
- * security counter can be increased only after a reset, when the swap
- * type is NONE and the image has marked itself "OK" (the image_ok flag
- * has been set). This way a "revert" swap can be performed if it's
- * necessary.
- */
- if (BOOT_SWAP_TYPE(state) == BOOT_SWAP_TYPE_NONE) {
- rc = boot_update_security_counter(
- BOOT_CURR_IMG(state),
- BOOT_PRIMARY_SLOT,
- boot_img_hdr(state, BOOT_PRIMARY_SLOT));
- if (rc != 0) {
- BOOT_LOG_ERR("Security counter update failed after image "
- "validation.");
- goto out;
- }
- }
-
- /* Save boot status to shared memory area */
-#if (BOOT_IMAGE_NUMBER > 1)
- rc = boot_save_boot_status((BOOT_CURR_IMG(state) == 0) ?
- SW_SPE : SW_NSPE,
- boot_img_hdr(state, BOOT_PRIMARY_SLOT),
- BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)
- );
-#else
- rc = boot_save_boot_status(SW_S_NS,
- boot_img_hdr(state, BOOT_PRIMARY_SLOT),
- BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)
- );
-#endif
- if (rc) {
- BOOT_LOG_ERR("Failed to add Image %u data to shared area",
- BOOT_CURR_IMG(state));
- }
- }
-
-#if (BOOT_IMAGE_NUMBER > 1)
- /* Always boot from the primary slot of Image 0. */
- BOOT_CURR_IMG(state) = 0;
-#endif
-
- rsp->br_flash_dev_id =
- BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)->fa_device_id;
- rsp->br_image_off =
- boot_img_slot_off(state, BOOT_PRIMARY_SLOT);
- rsp->br_hdr =
- boot_img_hdr(state, BOOT_PRIMARY_SLOT);
-
-out:
- IMAGES_ITER(BOOT_CURR_IMG(state)) {
- flash_area_close(BOOT_SCRATCH_AREA(state));
- for (slot = 0; slot < BOOT_NUM_SLOTS; slot++) {
- flash_area_close(BOOT_IMG_AREA(state,
- BOOT_NUM_SLOTS - 1 - slot));
- }
- }
- return rc;
-}
-
-#else /* MCUBOOT_DIRECT_XIP || MCUBOOT_RAM_LOADING */
-
-#define BOOT_LOG_IMAGE_INFO(area, hdr, state) \
- BOOT_LOG_INF("Image %u: version=%u.%u.%u+%u, magic=%5s, image_ok=0x%x", \
- (area), \
- (hdr)->ih_ver.iv_major, \
- (hdr)->ih_ver.iv_minor, \
- (hdr)->ih_ver.iv_revision, \
- (hdr)->ih_ver.iv_build_num, \
- ((state)->magic == BOOT_MAGIC_GOOD ? "good" : \
- (state)->magic == BOOT_MAGIC_UNSET ? "unset" : \
- "bad"), \
- (state)->image_ok)
-
-struct image_slot_version {
- uint64_t version;
- uint32_t slot_number;
-};
-
-/**
- * Extract the version number from the image header. This function must be
- * ported if version number format has changed in the image header.
- *
- * @param hdr Pointer to an image header structure
- *
- * @return Version number casted to uint64_t
- */
-static uint64_t
-boot_get_version_number(struct image_header *hdr)
-{
- uint64_t version = 0;
- version |= (uint64_t)hdr->ih_ver.iv_major << (IMAGE_VER_MINOR_LENGTH
- + IMAGE_VER_REVISION_LENGTH
- + IMAGE_VER_BUILD_NUM_LENGTH);
- version |= (uint64_t)hdr->ih_ver.iv_minor << (IMAGE_VER_REVISION_LENGTH
- + IMAGE_VER_BUILD_NUM_LENGTH);
- version |= (uint64_t)hdr->ih_ver.iv_revision << IMAGE_VER_BUILD_NUM_LENGTH;
- version |= hdr->ih_ver.iv_build_num;
- return version;
-}
-
-/**
- * Comparator function for `qsort` to compare version numbers. This function
- * must be ported if version number format has changed in the image header.
- *
- * @param ver1 Pointer to an array element which holds the version number
- * @param ver2 Pointer to another array element which holds the version
- * number
- *
- * @return if version1 > version2 -1
- * if version1 == version2 0
- * if version1 < version2 1
- */
-static int
-boot_compare_version_numbers(const void *ver1, const void *ver2)
-{
- if (((struct image_slot_version *)ver1)->version <
- ((struct image_slot_version *)ver2)->version) {
- return 1;
- }
-
- if (((struct image_slot_version *)ver1)->version ==
- ((struct image_slot_version *)ver2)->version) {
- return 0;
- }
-
- return -1;
-}
-
-/**
- * Sort the available images based on the version number and puts them in
- * a list.
- *
- * @param state Boot loader status information.
- * @param boot_sequence A pointer to an array, whose aim is to carry
- * the boot order of candidate images.
- * @param slot_cnt The number of flash areas, which can contains firmware
- * images.
- *
- * @return The number of valid images.
- */
-uint32_t
-boot_get_boot_sequence(struct boot_loader_state *state,
- uint32_t *boot_sequence, uint32_t slot_cnt)
-{
- struct boot_swap_state slot_state;
- struct image_header *hdr;
- struct image_slot_version image_versions[BOOT_NUM_SLOTS] = {{0}};
- uint32_t image_cnt = 0;
- uint32_t slot;
- int32_t rc;
- int32_t fa_id;
-
- for (slot = 0; slot < slot_cnt; slot++) {
- hdr = boot_img_hdr(state, slot);
- fa_id = flash_area_id_from_image_slot(slot);
- rc = boot_read_swap_state_by_id(fa_id, &slot_state);
- if (rc != 0) {
- BOOT_LOG_ERR("Error during reading image trailer from slot: %u",
- slot);
- continue;
- }
-
- if (BOOT_IMG_HDR_IS_VALID(state, slot)) {
- if (slot_state.magic == BOOT_MAGIC_GOOD ||
- slot_state.image_ok == BOOT_FLAG_SET) {
- /* Valid cases:
- * - Test mode: magic is OK in image trailer
- * - Permanent mode: image_ok flag has previously set
- */
- image_versions[slot].slot_number = slot;
- image_versions[slot].version = boot_get_version_number(hdr);
- image_cnt++;
- }
-
- BOOT_LOG_IMAGE_INFO(slot, hdr, &slot_state);
- } else {
- BOOT_LOG_INF("Image %u: No valid image", slot);
- }
- }
-
- /* Sort the images based on version number */
- qsort(&image_versions[0],
- slot_cnt,
- sizeof(struct image_slot_version),
- boot_compare_version_numbers);
-
- /* Copy the calculated boot sequence to boot_sequence array */
- for (slot = 0; slot < slot_cnt; slot++) {
- boot_sequence[slot] = image_versions[slot].slot_number;
- }
-
- return image_cnt;
-}
-
-#ifdef MCUBOOT_RAM_LOADING
-
-/**
- * Verifies that the image in a slot lies within the predefined bounds that are
- * allowed to be used by executable images.
- *
- * @param img_dst The address to which the image is going to be copied.
- *
- * @param img_sz The size of the image.
- *
- * @return 0 on success; nonzero on failure.
- */
-static int
-boot_verify_ram_loading_address(uint32_t img_dst, uint32_t img_sz)
-{
- uint32_t img_end_addr;
-
- if (img_dst < IMAGE_EXECUTABLE_RAM_START) {
- return BOOT_EBADIMAGE;
- }
-
- if (!boot_u32_safe_add(&img_end_addr, img_dst, img_sz)) {
- return BOOT_EBADIMAGE;
- }
-
- if (img_end_addr > (IMAGE_EXECUTABLE_RAM_START +
- IMAGE_EXECUTABLE_RAM_SIZE)) {
- return BOOT_EBADIMAGE;
- }
-
- return 0;
-}
-
-/**
- * Copies an image from a slot in the flash to an SRAM address, where the load
- * address has already been inserted into the image header by this point and is
- * extracted from it within this method. The copying is done sector-by-sector.
- *
- * @param state Boot loader status information.
- * @param slot The flash slot of the image to be copied to SRAM.
- *
- * @param hdr Pointer to the image header structure of the image
- *
- * @param img_dst The address at which the image needs to be copied to
- * SRAM.
- *
- * @param img_sz The size of the image that needs to be copied to SRAM.
- *
- * @return 0 on success; nonzero on failure.
- */
-static int
-boot_copy_image_to_sram(struct boot_loader_state *state, int slot,
- struct image_header *hdr,
- uint32_t img_dst, uint32_t img_sz)
-{
- int rc;
- uint32_t sect_sz;
- uint32_t sect = 0;
- uint32_t bytes_copied = 0;
- const struct flash_area *fap_src = NULL;
-
- if (img_dst % 4 != 0) {
- BOOT_LOG_INF("Cannot copy the image to the SRAM address 0x%x "
- "- the load address must be aligned with 4 bytes due to SRAM "
- "restrictions", img_dst);
- return BOOT_EBADARGS;
- }
-
- rc = flash_area_open(flash_area_id_from_image_slot(slot), &fap_src);
- if (rc != 0) {
- return BOOT_EFLASH;
- }
-
- while (bytes_copied < img_sz) {
- sect_sz = boot_img_sector_size(state, slot, sect);
- /*
- * Direct copy from where the image sector resides in flash to its new
- * location in SRAM
- */
- rc = flash_area_read(fap_src,
- bytes_copied,
- (void *)(img_dst + bytes_copied),
- sect_sz);
- if (rc != 0) {
- BOOT_LOG_INF("Error whilst copying image from Flash to SRAM");
- break;
- } else {
- bytes_copied += sect_sz;
- }
- sect++;
- }
-
- if (fap_src) {
- flash_area_close(fap_src);
- }
- return rc;
-}
-
-/**
- * Removes an image from SRAM, by overwriting it with zeros.
- *
- * @param img_dst The address of the image that needs to be removed from
- * SRAM.
- *
- * @param img_sz The size of the image that needs to be removed from
- * SRAM.
- *
- * @return 0 on success; nonzero on failure.
- */
-static int
-boot_remove_image_from_sram(uint32_t img_dst, uint32_t img_sz)
-{
- BOOT_LOG_INF("Removing image from SRAM at address 0x%x", img_dst);
- memset((void*)img_dst, 0, img_sz);
-
- return 0;
-}
-#endif /* MCUBOOT_RAM_LOADING */
-
-/**
- * Prepares the booting process. This function choose the newer image in flash
- * as appropriate, and tells you what address to boot from.
- *
- * @param state Boot loader status information.
- * @param rsp On success, indicates how booting should occur.
- *
- * @return 0 on success; nonzero on failure.
- */
-int
-context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
-{
- size_t slot = 0;
- int32_t i;
- int rc;
- int fa_id;
- uint32_t boot_sequence[BOOT_NUM_SLOTS];
- uint32_t img_cnt;
- struct image_header *selected_image_header = NULL;
-#ifdef MCUBOOT_RAM_LOADING
- int image_copied = 0;
- uint32_t img_dst = 0;
- uint32_t img_sz = 0;
-#endif /* MCUBOOT_RAM_LOADING */
-
- static boot_sector_t primary_slot_sectors[BOOT_MAX_IMG_SECTORS];
- static boot_sector_t secondary_slot_sectors[BOOT_MAX_IMG_SECTORS];
- static boot_sector_t scratch_sectors[BOOT_MAX_IMG_SECTORS];
-
- BOOT_IMG(state, BOOT_PRIMARY_SLOT).sectors = primary_slot_sectors;
- BOOT_IMG(state, BOOT_SECONDARY_SLOT).sectors = secondary_slot_sectors;
- state->scratch.sectors = scratch_sectors;
-
- /* Open boot_data image areas for the duration of this call. */
- for (i = 0; i < BOOT_NUM_SLOTS; i++) {
- fa_id = flash_area_id_from_image_slot(i);
- rc = flash_area_open(fa_id, &BOOT_IMG_AREA(state, i));
- assert(rc == 0);
- }
-
- /* Determine the sector layout of the image slots. */
- rc = boot_read_sectors(state);
- if (rc != 0) {
- BOOT_LOG_WRN("Failed reading sectors; BOOT_MAX_IMG_SECTORS=%d - "
- "too small?", BOOT_MAX_IMG_SECTORS);
- goto out;
- }
-
- /* Attempt to read an image header from each slot. */
- rc = boot_read_image_headers(state, false);
- if (rc != 0) {
- goto out;
- }
-
- img_cnt = boot_get_boot_sequence(state, boot_sequence, BOOT_NUM_SLOTS);
- if (img_cnt) {
- /* Authenticate images */
- for (i = 0; i < img_cnt; i++) {
-
- slot = boot_sequence[i];
- selected_image_header = boot_img_hdr(state, slot);
-
-#ifdef MCUBOOT_RAM_LOADING
- if (selected_image_header->ih_flags & IMAGE_F_RAM_LOAD) {
-
- img_dst = selected_image_header->ih_load_addr;
-
- rc = boot_read_image_size(state, slot, &img_sz);
- if (rc != 0) {
- rc = BOOT_EFLASH;
- BOOT_LOG_INF("Could not load image headers from the image"
- "in the %s slot.",
- (slot == BOOT_PRIMARY_SLOT) ?
- "primary" : "secondary");
- continue;
- }
-
- rc = boot_verify_ram_loading_address(img_dst, img_sz);
- if (rc != 0) {
- BOOT_LOG_INF("Could not copy image from the %s slot in "
- "the Flash to load address 0x%x in SRAM as"
- " the image would overlap memory outside"
- " the defined executable region.",
- (slot == BOOT_PRIMARY_SLOT) ?
- "primary" : "secondary",
- selected_image_header->ih_load_addr);
- continue;
- }
-
- /* Copy image to the load address from where it
- * currently resides in flash
- */
- rc = boot_copy_image_to_sram(state, slot, selected_image_header,
- img_dst, img_sz);
- if (rc != 0) {
- rc = BOOT_EBADIMAGE;
- BOOT_LOG_INF("Could not copy image from the %s slot in "
- "the Flash to load address 0x%x in SRAM, "
- "aborting..", (slot == BOOT_PRIMARY_SLOT) ?
- "primary" : "secondary",
- selected_image_header->ih_load_addr);
- continue;
- } else {
- BOOT_LOG_INF("Image has been copied from the %s slot in "
- "the flash to SRAM address 0x%x",
- (slot == BOOT_PRIMARY_SLOT) ?
- "primary" : "secondary",
- selected_image_header->ih_load_addr);
- image_copied = 1;
- }
- } else {
- /* Only images that support IMAGE_F_RAM_LOAD are allowed if
- * MCUBOOT_RAM_LOADING is set.
- */
- rc = BOOT_EBADIMAGE;
- continue;
- }
-#endif /* MCUBOOT_RAM_LOADING */
- rc = boot_validate_slot(state, slot, NULL);
- if (rc == 0) {
- /* If a valid image is found then there is no reason to check
- * the rest of the images, as they were already ordered by
- * preference.
- */
- break;
- }
-#ifdef MCUBOOT_RAM_LOADING
- else if (image_copied) {
- /* If an image is found to be invalid then it is removed from
- * RAM to prevent it being a shellcode vector.
- */
- boot_remove_image_from_sram(img_dst, img_sz);
- image_copied = 0;
- }
-#endif /* MCUBOOT_RAM_LOADING */
- }
- if (rc) {
- /* If there was no valid image at all */
- rc = BOOT_EBADIMAGE;
- goto out;
- }
-
- /* Update the security counter with the newest image's security
- * counter value.
- */
- rc = boot_update_security_counter(BOOT_CURR_IMG(state), slot,
- selected_image_header);
- if (rc != 0) {
- BOOT_LOG_ERR("Security counter update failed after image "
- "validation.");
- goto out;
- }
-
-
-#ifdef MCUBOOT_RAM_LOADING
- BOOT_LOG_INF("Booting image from SRAM at address 0x%x",
- selected_image_header->ih_load_addr);
-#else
- BOOT_LOG_INF("Booting image from the %s slot",
- (slot == BOOT_PRIMARY_SLOT) ? "primary" : "secondary");
-#endif /* MCUBOOT_RAM_LOADING */
-
- rsp->br_hdr = selected_image_header;
- rsp->br_image_off = boot_img_slot_off(state, slot);
- rsp->br_flash_dev_id = BOOT_IMG_AREA(state, slot)->fa_device_id;
- } else {
- /* No candidate image available */
- rc = BOOT_EBADIMAGE;
- goto out;
- }
-
- /* Save boot status to shared memory area */
- rc = boot_save_boot_status(SW_S_NS,
- rsp->br_hdr,
- BOOT_IMG_AREA(state, slot));
- if (rc) {
- BOOT_LOG_ERR("Failed to add data to shared area");
- }
-
-out:
- for (slot = 0; slot < BOOT_NUM_SLOTS; slot++) {
- flash_area_close(BOOT_IMG_AREA(state, BOOT_NUM_SLOTS - 1 - slot));
- }
- return rc;
-}
-#endif /* MCUBOOT_DIRECT_XIP || MCUBOOT_RAM_LOADING */
-
-int
-boot_go(struct boot_rsp *rsp)
-{
- return context_boot_go(&boot_data, rsp);
-}
diff --git a/bl2/ext/mcuboot/boot/bootutil/src/tlv.c b/bl2/ext/mcuboot/boot/bootutil/src/tlv.c
deleted file mode 100644
index 742c930..0000000
--- a/bl2/ext/mcuboot/boot/bootutil/src/tlv.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * Copyright (c) 2019 JUUL Labs
- * Copyright (c) 2019 Arm Limited.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * Original code taken from mcuboot project at:
- * https://github.com/JuulLabs-OSS/mcuboot
- * Git SHA of the original version: ac55554059147fff718015be9f4bd3108123f50a
- */
-
-#include <stddef.h>
-#include <string.h>
-
-#include "bootutil/bootutil.h"
-#include "bootutil/image.h"
-#include "bootutil_priv.h"
-
-/*
- * Initialize a TLV iterator.
- *
- * @param it An iterator struct
- * @param hdr image_header of the slot's image
- * @param fap flash_area of the slot which is storing the image
- * @param type Type of TLV to look for
- * @param prot true if TLV has to be stored in the protected area, false otherwise
- *
- * @returns 0 if the TLV iterator was succesfully started
- * -1 on errors
- */
-int
-bootutil_tlv_iter_begin(struct image_tlv_iter *it, const struct image_header *hdr,
- const struct flash_area *fap, uint8_t type, bool prot)
-{
- uint32_t off_;
- struct image_tlv_info info;
-
- if (it == NULL || hdr == NULL || fap == NULL) {
- return -1;
- }
-
- off_ = BOOT_TLV_OFF(hdr);
- if (LOAD_IMAGE_DATA(hdr, fap, off_, &info, sizeof(info))) {
- return -1;
- }
-
- if (info.it_magic == IMAGE_TLV_PROT_INFO_MAGIC) {
- if (hdr->ih_protect_tlv_size != info.it_tlv_tot) {
- return -1;
- }
-
- if (LOAD_IMAGE_DATA(hdr, fap, off_ + info.it_tlv_tot,
- &info, sizeof(info))) {
- return -1;
- }
- } else if (hdr->ih_protect_tlv_size != 0) {
- return -1;
- }
-
- if (info.it_magic != IMAGE_TLV_INFO_MAGIC) {
- return -1;
- }
-
- it->hdr = hdr;
- it->fap = fap;
- it->type = type;
- it->prot = prot;
- it->prot_end = off_ + it->hdr->ih_protect_tlv_size;
- if (!boot_u32_safe_add(&(it->tlv_end), it->prot_end, info.it_tlv_tot)) {
- return -1;
- }
- // position on first TLV
- it->tlv_off = off_ + sizeof(info);
- return 0;
-}
-
-/*
- * Find next TLV
- *
- * @param it The image TLV iterator struct
- * @param off The offset of the TLV's payload in flash
- * @param len The length of the TLV's payload
- * @param type If not NULL returns the type of TLV found
- *
- * @returns 0 if a TLV with with matching type was found
- * 1 if no more TLVs with matching type are available
- * -1 on errors
- */
-int
-bootutil_tlv_iter_next(struct image_tlv_iter *it, uint32_t *off, uint16_t *len,
- uint8_t *type)
-{
- struct image_tlv tlv;
- int rc;
-
- if (it == NULL || it->hdr == NULL || it->fap == NULL) {
- return -1;
- }
-
- while (it->tlv_off < it->tlv_end) {
- if (it->hdr->ih_protect_tlv_size > 0 && it->tlv_off == it->prot_end) {
- it->tlv_off += sizeof(struct image_tlv_info);
- }
-
- rc = LOAD_IMAGE_DATA(it->hdr, it->fap, it->tlv_off, &tlv, sizeof tlv);
- if (rc) {
- return -1;
- }
-
- /* No more TLVs in the protected area */
- if (it->prot && it->tlv_off >= it->prot_end) {
- return 1;
- }
-
- if (it->type == IMAGE_TLV_ANY || tlv.it_type == it->type) {
- if (type != NULL) {
- *type = tlv.it_type;
- }
- *off = it->tlv_off + sizeof(tlv);
- *len = tlv.it_len;
-
- if (!boot_u32_safe_add(&(it->tlv_off), *off, *len)) {
- return -1;
- }
-
- return 0;
- }
-
- if (!boot_u32_safe_add(&(it->tlv_off), it->tlv_off,
- sizeof(tlv) + tlv.it_len)) {
- return -1;
- }
- }
-
- return 1;
-}
diff --git a/bl2/ext/mcuboot/flash_map_legacy.c b/bl2/ext/mcuboot/flash_map_legacy.c
index 6ea65fe..b0e6f69 100644
--- a/bl2/ext/mcuboot/flash_map_legacy.c
+++ b/bl2/ext/mcuboot/flash_map_legacy.c
@@ -27,7 +27,7 @@
#include "bootutil/bootutil_log.h"
#include "flash_map/flash_map.h"
#include <inttypes.h>
-#include <target.h>
+#include "target.h"
/*
* Lookup the sector map for a given flash area. This should fill in
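Review bot: Changing `#include <target.h>` to `#include "target.h"` alters the lookup order, not just the style: the quoted form is resolved first relative to the directory of flash_map_legacy.c and the quote-include paths before the system/angle paths, so a same-named header earlier in that search would now shadow the intended one. The hunk gives no reason for the switch; presumably `target.h` is supplied by the TF-M platform include path rather than the removed MCUboot fork, which would also make the quoted form consistent with the neighbouring `#include "flash_map/flash_map.h"`, but that is inferred. If so, a short comment on the include such as `/* target.h comes from the TF-M platform include path, not from MCUboot */` would record the intent for the next reader.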
diff --git a/bl2/ext/mcuboot/include/bl2_util.h b/bl2/ext/mcuboot/include/bl2_util.h
deleted file mode 100644
index ea8df98..0000000
--- a/bl2/ext/mcuboot/include/bl2_util.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 2011-2014, Wind River Systems, Inc.
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-
-#ifndef __BL2_UTIL_H__
-#define __BL2_UTIL_H__
-
-#ifdef __cplusplus
- extern "C" {
-#endif
-
-#include <stddef.h>
-
- /* Evaluates to 0 if cond is true-ish; compile error otherwise */
-#define ZERO_OR_COMPILE_ERROR(cond) ((int) sizeof(char[1 - 2 * !(cond)]) - 1)
-
- /* Evaluates to 0 if array is an array; compile error if not array (e.g.
- * pointer)
- */
-#if defined(NO_TYPEOF)
- /* __typeof__ is a non-standard gcc extension, not universally available.
- * As this is just compile time data type test, assume things are ok for
- * tool chains missing this feature.
- */
-#define IS_ARRAY(array) 0
-#else
-#define IS_ARRAY(array) \
- ZERO_OR_COMPILE_ERROR(!__builtin_types_compatible_p(__typeof__(array), \
- __typeof__(&(array)[0])))
-#endif
-
-#define ARRAY_SIZE(array) \
- ((unsigned long) (IS_ARRAY(array) + \
- (sizeof(array) / sizeof((array)[0]))))
-
-#define CONTAINER_OF(ptr, type, field) \
- ((type *)(((char *)(ptr)) - offsetof(type, field)))
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* __BL2_UTIL_H__ */
-
diff --git a/bl2/ext/mcuboot/include/config-rsa.h b/bl2/ext/mcuboot/include/mcuboot-mbedtls-cfg.h
similarity index 95%
rename from bl2/ext/mcuboot/include/config-rsa.h
rename to bl2/ext/mcuboot/include/mcuboot-mbedtls-cfg.h
index c345245..7e52d34 100644
--- a/bl2/ext/mcuboot/include/config-rsa.h
+++ b/bl2/ext/mcuboot/include/mcuboot-mbedtls-cfg.h
@@ -33,8 +33,8 @@
* - RSA signature verification
*/
-#ifndef MCUBOOT_MBEDTLS_CONFIG_RSA
-#define MCUBOOT_MBEDTLS_CONFIG_RSA
+#ifndef __MCUBOOT_MBEDTLS_CFG__
+#define __MCUBOOT_MBEDTLS_CFG__
/* System support */
#define MBEDTLS_PLATFORM_C
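Review bot: The new include guard `__MCUBOOT_MBEDTLS_CFG__` in the `#ifndef`/`#define` pair (and the matching `#endif` comment in this file's second hunk) is an identifier starting with a double underscore, which the C standard reserves for the implementation, whereas the replaced `MCUBOOT_MBEDTLS_CONFIG_RSA` was a conforming name. It follows the form used elsewhere in this tree (the deleted bl2_util.h and security_cnt.h use `__BL2_UTIL_H__` and `__SECURITY_CNT_H__`), but a guard without leading underscores avoids any risk of colliding with toolchain or mbed TLS internals. Suggested: `#ifndef MCUBOOT_MBEDTLS_CFG_H`, `#define MCUBOOT_MBEDTLS_CFG_H`, and `#endif /* MCUBOOT_MBEDTLS_CFG_H */` in the second hunk.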
@@ -85,4 +85,4 @@
#include "mbedtls/check_config.h"
-#endif /* MCUBOOT_MBEDTLS_CONFIG_RSA */
+#endif /* __MCUBOOT_MBEDTLS_CFG__ */
diff --git a/bl2/ext/mcuboot/include/security_cnt.h b/bl2/ext/mcuboot/include/security_cnt.h
deleted file mode 100644
index 7c17a94..0000000
--- a/bl2/ext/mcuboot/include/security_cnt.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (c) 2019, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-
-#ifndef __SECURITY_CNT_H__
-#define __SECURITY_CNT_H__
-
-/**
- * @file security_cnt.h
- *
- * @note The interface must be implemented in a fail-safe way that is
- * resistant to asynchronous power failures or it can use hardware
- * counters that have this capability, if supported by the platform.
- * When a counter incrementation was interrupted it must be able to
- * continue the incrementation process or recover the previous consistent
- * status of the counters. If the counters have reached a stable status
- * (every counter incrementation operation has finished), from that point
- * their value cannot decrease due to any kind of power failure.
- */
-
-#include <stdint.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * Initialises the security counters.
- *
- * @return 0 on success; nonzero on failure.
- */
-int32_t boot_nv_security_counter_init(void);
-
-/**
- * Reads the stored value of a given image's security counter.
- *
- * @param image_id Index of the image (from 0).
- * @param security_cnt Pointer to store the security counter value.
- *
- * @return 0 on success; nonzero on failure.
- */
-int32_t boot_nv_security_counter_get(uint32_t image_id, uint32_t *security_cnt);
-
-/**
- * Updates the stored value of a given image's security counter with a new
- * security counter value if the new one is greater.
- *
- * @param image_id Index of the image (from 0).
- * @param img_security_cnt New security counter value. The new value must be
- * between 0 and UINT32_MAX and it must be greater than
- * or equal to the current security counter value.
- *
- * @return 0 on success; nonzero on failure.
- */
-int32_t boot_nv_security_counter_update(uint32_t image_id,
- uint32_t img_security_cnt);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* __SECURITY_CNT_H__ */