[v3.7-branch] Updates from MCUboot 2.2.0 #130

Open
wants to merge 15 commits into
base: v3.7-branch

Conversation

nordicjm
Collaborator

No description provided.

de-nordic and others added 15 commits June 10, 2025 15:09
Add support for reporting various sha in image list.
There is always only one sha compiled in, but serial recovery
has been previously hardcoded to support sha256 only.

Note: This PR has been modified from the upstream commit due to
a merge failure from other changes that are not being brought into
Zephyr 3.7

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit d59ae34)
Adds an include which provides a definition for the
flash_area_get_sector() function

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit 7a33bca)
Fixes this function as it was not updated after an earlier fix

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit efa3039)
In order to determine the maximum image size, the size of the trailer is
computed. When using swap-move or swap-offset, this trailer size has to
be rounded up to the next multiple of the sector size. However, the
current logic was rounding up the sum of the trailer size and the TLV
area size, instead of only the trailer size. This commit fixes the
issue.

Signed-off-by: Thomas Altenbach <[email protected]>
(cherry picked from commit f9e4e52)
When swap-scratch is used, the trailer size doesn't have to be rounded
up to the next multiple of the sector size. Indeed, the trailer only
needs to be sector-aligned for swap-move and swap-offset.

Note: This PR has been modified from the upstream commit due to
a merge failure from other changes that are not being brought into
Zephyr 3.7

Signed-off-by: Thomas Altenbach <[email protected]>
(cherry picked from commit d5d3359)
Fixes an issue whereby, when canonical mode for ZCBOR was enabled,
the state variables were not increased to handle the backup
states, and a bug whereby only secondary slots were checked for
status when setting image state. Whilst generally this is the
intended outcome, a user should also be able to mark a primary
image as confirmed for other modes such as direct-xip.

Note: This PR has been modified from the upstream commit due to
a merge failure from other changes that are not being brought into
Zephyr 3.7

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit bc18d7d)
Adds an include file that is missing

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit 413eb38)
Moves the erase function from loader to bootutil misc to account
for MCUboot modes that do not include the main loader file

Note: This PR has been modified from the upstream commit due to
a merge failure from other changes that are not being brought into
Zephyr 3.7

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit f6e8e88)
Uses a wrapper function, so that a watchdog timeout issue can
be fixed.

Note: This PR is specific to the v3.7-branch for zephyr and does
not exist in MCUboot main

Signed-off-by: Jamie McCrae <[email protected]>
Refactors the erase functionality in bootutil so that it can be used
alongside feeding the watchdog. This has also optimised some
functions out.

Note: This PR has been modified from the upstream commit due to
a merge failure from other changes that are not being brought into
Zephyr 3.7

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit 7253f01)
Fixes an issue with the swap using scratch algorithm that would
cause the image loaded into the primary slot to be corrupt and
unbootable if a device was rebooted during an erase of the scratch
section that had not completed

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit f76fba7)
The pointer to the image ARM vector table should be placed outside the
stack, which is being reconfigured before vt is used for the branch
to the application. This caused a transient boot failure when
CONFIG_LTO=y.

Moved vt to static data scope.

Signed-off-by: Andrzej Puzdrowski <[email protected]>
(cherry picked from commit 264f6ee)
When computing the maximum image size in bootutil_max_image_size for
swap-move or swap-offset strategy, the computation was using the size of
the flash area provided as argument and was not taking into account the
size of the padding sector. This was causing an incorrect size to be
returned in some cases, for example when the two slots have the same
size or when the slots haven't the same size but the routine is called
for the slot containing the padding sector.

For example, let's imagine swap-move is being used on a device having a
sector size S and two slots of N bytes. This is valid configuration and
the maximum image size is N - S - T, T being the size of the trailer
rounded up to the next multiple of S. When calling
bootutil_max_image_size with either the primary or secondary slot, the
size N - T is returned, which is incorrect.

This commit fixes the issue by always computing the maximum image size
using the size of the slot containing the padding and subtracting the
size of the padding and of the aligned trailer.

Note: This PR has been modified from the upstream commit due to
a merge failure from other changes that are not being brought into
Zephyr 3.7

Signed-off-by: Thomas Altenbach <[email protected]>
(cherry picked from commit 61d280b)
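The two commits above (trailer rounding, and the padding sector missing from bootutil_max_image_size) describe the same arithmetic from two angles. The following is an added example, not MCUboot's code and not the page's, that models that arithmetic: `max_image_size` applies the corrected rule (one padding sector S plus the trailer rounded up to a multiple of S for swap-move/swap-offset, no rounding for swap-scratch), and `max_image_size_before_fix` reproduces the two described defects (rounding trailer + TLV as one sum, and not reserving the padding sector) so the difference can be seen on constructed figures. The enum, struct names and the treatment of the TLV area as a separately reserved size are assumptions of the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the build-time swap strategy (not an MCUboot type). */
enum swap_mode { SWAP_SCRATCH, SWAP_MOVE, SWAP_OFFSET };

/* Round v up to the next multiple of align (align must be > 0). */
static size_t round_up(size_t v, size_t align)
{
    return ((v + align - 1) / align) * align;
}

/* Corrected rule as described in the commits.
 * padded_slot_size is the size of the slot that contains the padding sector;
 * per the commit it is used no matter which slot the caller asked about.
 * swap-move / swap-offset: reserve S (padding) + T (trailer rounded up to a
 *                          multiple of S) + TLV area, i.e. N - S - T - TLV.
 * swap-scratch:            the trailer is not sector-aligned, so reserve only
 *                          its raw size plus the TLV area. */
size_t max_image_size(enum swap_mode mode, size_t padded_slot_size,
                      size_t sector_size, size_t trailer_size, size_t tlv_size)
{
    size_t reserved;

    if (mode == SWAP_SCRATCH) {
        reserved = trailer_size + tlv_size;
    } else {
        reserved = sector_size + round_up(trailer_size, sector_size) + tlv_size;
    }
    return reserved >= padded_slot_size ? 0 : padded_slot_size - reserved;
}

/* Model of the pre-fix behaviour the commits describe: the sum of trailer and
 * TLV area was rounded up (for every strategy) and the padding sector was not
 * subtracted, so swap-move on two N-byte slots returned N - T. */
size_t max_image_size_before_fix(enum swap_mode mode, size_t slot_size,
                                 size_t sector_size, size_t trailer_size,
                                 size_t tlv_size)
{
    size_t reserved = round_up(trailer_size + tlv_size, sector_size);

    (void)mode; /* the old rounding did not depend on the strategy */
    return reserved >= slot_size ? 0 : slot_size - reserved;
}

int main(void)
{
    /* Constructed figures: 64 KiB slots, 4 KiB sectors, a 3800-byte trailer
     * and a 500-byte TLV area, chosen so that trailer + TLV crosses a sector
     * boundary while the trailer alone does not. */
    const size_t N = 65536, S = 4096, trailer = 3800, tlv = 500;

    printf("swap-move    fixed: %zu  before fix: %zu\n",
           max_image_size(SWAP_MOVE, N, S, trailer, tlv),
           max_image_size_before_fix(SWAP_MOVE, N, S, trailer, tlv));
    printf("swap-scratch fixed: %zu  before fix: %zu\n",
           max_image_size(SWAP_SCRATCH, N, S, trailer, tlv),
           max_image_size_before_fix(SWAP_SCRATCH, N, S, trailer, tlv));
    return 0;
}
```

With these figures the pre-fix rule reports 57344 bytes for swap-move, 500 bytes more than the 56844 the corrected rule allows; an image built to the larger limit would collide with the padding sector the swap needs.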
When an upgrade is performed, the security counter must only be updated
after the upgrade has been confirmed, to make it possible to roll back if
needed. To that end, the security counter was only updated for a given
image if the swap type is BOOT_SWAP_TYPE_NONE, meaning in most cases
that no update has been performed by MCUboot at this run.

However, the swap type is also set to BOOT_SWAP_TYPE_NONE after an
interrupted upgrade is completed, so at the time
boot_update_hw_rollback_protection is called, having a "none" swap type
doesn't guarantee that no upgrade is waiting for confirmation. This
means MCUboot was wrongly updating the security counter immediately
after the completion of a resumed upgrade, preventing any rollback in
that case.

Instead, boot_update_hw_rollback_protection now checks the trailer
of the primary image to determine if the security counter has to be
updated. The update occurs only if the trailer is empty (no update has
ever been made) or if the "image-ok" flag is set (the image has been
confirmed).

Signed-off-by: Thomas Altenbach <[email protected]>
(cherry picked from commit 0eaf666)
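To make the failure mode above concrete, here is an added example (not MCUboot's code, not part of this PR) that replays the scenario the commit describes against a simplified device model: the pre-fix rule ("update the counter when the swap type is none") and the fixed rule ("update when the trailer is empty or image-ok is set") are run over the same sequence of boots: fresh device, an upgrade that is interrupted and completed on the next boot, then confirmation. The struct and enum names, the two-flag trailer model and the "counter only ever increases" bump rule are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the primary slot trailer state relevant here. */
struct trailer_model {
    bool written;   /* false: trailer empty, no upgrade has ever been made */
    bool image_ok;  /* true: the running image has been confirmed */
};

/* Swap type seen by boot_update_hw_rollback_protection on this boot. */
enum swap_type_model { SWAP_TYPE_NONE, SWAP_TYPE_OTHER };

typedef bool (*update_rule_t)(enum swap_type_model, const struct trailer_model *);

/* Pre-fix rule from the commit message: "none" swap type means update.
 * A resumed upgrade also ends with swap type none, so this fires too early. */
bool update_counter_before_fix(enum swap_type_model swap, const struct trailer_model *tr)
{
    (void)tr;
    return swap == SWAP_TYPE_NONE;
}

/* Fixed rule: decide from the trailer, not from the swap type. */
bool update_counter_fixed(enum swap_type_model swap, const struct trailer_model *tr)
{
    (void)swap;
    return !tr->written || tr->image_ok;
}

/* Device model: the stored hardware security counter and the counter value
 * carried by whatever image currently sits in the primary slot. */
struct device_model {
    unsigned hw_counter;
    unsigned image_counter;
    struct trailer_model trailer;
};

/* The counter is monotonic: only raise it, never lower it. */
static void maybe_bump(struct device_model *d, update_rule_t rule, enum swap_type_model swap)
{
    if (rule(swap, &d->trailer) && d->image_counter > d->hw_counter) {
        d->hw_counter = d->image_counter;
    }
}

/* Constructed scenario: counter-1 image on a fresh device, upgrade to a
 * counter-2 image that is interrupted and then completed by the next boot
 * (trailer written, image-ok clear, swap type none). If confirm is true the
 * image is then marked ok and the device boots once more.
 * Returns the hardware counter at the end. */
unsigned counter_after_scenario(update_rule_t rule, bool confirm)
{
    struct device_model d = { .hw_counter = 1, .image_counter = 1,
                              .trailer = { .written = false, .image_ok = false } };

    maybe_bump(&d, rule, SWAP_TYPE_NONE);   /* first boot, empty trailer */

    d.image_counter = 2;                     /* resumed swap finished */
    d.trailer.written = true;
    d.trailer.image_ok = false;
    maybe_bump(&d, rule, SWAP_TYPE_NONE);   /* boot that completed the swap */

    if (confirm) {
        d.trailer.image_ok = true;           /* image confirmed by application */
        maybe_bump(&d, rule, SWAP_TYPE_NONE);
    }
    return d.hw_counter;
}

int main(void)
{
    printf("after resumed upgrade, unconfirmed: before fix %u, fixed %u\n",
           counter_after_scenario(update_counter_before_fix, false),
           counter_after_scenario(update_counter_fixed, false));
    printf("after confirmation:                before fix %u, fixed %u\n",
           counter_after_scenario(update_counter_before_fix, true),
           counter_after_scenario(update_counter_fixed, true));
    return 0;
}
```

The pre-fix rule raises the counter to 2 on the boot that completes the resumed swap, while the image is still unconfirmed, so a later revert to the counter-1 image would be rejected. The fixed rule holds the counter at 1 until image-ok is set.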
For mynewt hardware implementation of hash functionality
calling bootutil_sha_init() in a loop without call to
bootutil_sha_drop() results in a failure.

In two places where bootutil_sha_drop() was called after
the loop, the call is moved into the loop to match
calls to bootutil_sha_init().

This will not impact default implementation where calling
bootutil_sha_drop() in a loop does not change anything.

Signed-off-by: Jerzy Kasenberg <[email protected]>
(cherry picked from commit e8b2236)