Use the generic commit-tags action to provide sauce tag checks.

Signed-off-by: Carles Cufi <[email protected]>
(cherry picked from commit 786e351)

Removes the `add_subdirectory`
of nrfxlib it will still check that the nrfxlib is located outside
the mcuboot directory.

Signed-off-by: Sigvart Hovland <[email protected]>
Signed-off-by: Andrzej Puzdrowski <[email protected]>
Signed-off-by: Martí Bolívar <[email protected]>
Signed-off-by: Emil Obalski <[email protected]>
Signed-off-by: Andrzej Puzdrowski <[email protected]>
Signed-off-by: Håkon Øye Amundsen <[email protected]>
Signed-off-by: Ioannis Glaropoulos <[email protected]>
Signed-off-by: Torsten Rasmussen <[email protected]>
Signed-off-by: Jamie McCrae <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 5c94965)

Add prj_minimal.conf, a Kconfig fragment to be used for minimally
sized image production. The minimal fragment has been simplified for
only external crypto.

Move partition sizing into Kconfig to be consistent with the method
used by b0.

Using this fragment with prj_minimal.conf makes MCUboot < 16kB for
all nRF devices (9160 still needs 32kB partition).

Ref: NCSDK-6704
Signed-off-by: Stephen Stauts <[email protected]>
Signed-off-by: Martí Bolívar <[email protected]>
Signed-off-by: Sebastian Bøe <[email protected]>
Signed-off-by: Torsten Rasmussen <[email protected]>
Signed-off-by: Jamie McCrae <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 64740f7)

Adds project configurations for the two systems on the Thingy:91
(PCA-20035) board.

The bootloader that is factory-programmed on thing91 does not support
ECDSA signature type. Hence this commit also sets the signature type
to RSA for applications built for Thingy:91.

Signed-off-by: Bernt Johan Damslora <[email protected]>
Signed-off-by: Sigvart Hovland <[email protected]>
Signed-off-by: Jon Helge Nistad <[email protected]>
Signed-off-by: Balaji Srinivasan <[email protected]>
Signed-off-by: Robert Lubos <[email protected]>
Signed-off-by: Torsten Rasmussen <[email protected]>
Signed-off-by: Jamie McCrae <[email protected]>
Signed-off-by: Marek Pieta <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit de32681)

* Add functions for ecdsa_verify_secp256r1 and sha256 to use the shared
crypto API
* Add Kconfig and CMake variables for selecting shared crypto when using
ecdsa
* Add custom section to project for placing the API section in the
correct location in flash
* Add kconfig fragment for using external crypto

Signed-off-by: Sigvart Hovland <[email protected]>
Signed-off-by: Martí Bolívar <[email protected]>
Signed-off-by: Emil Obalski <[email protected]>
Signed-off-by: Andrzej Puzdrowski <[email protected]>
Signed-off-by: Håkon Øye Amundsen <[email protected]>
Signed-off-by: Ioannis Glaropoulos <[email protected]>
Signed-off-by: Trond Einar Snekvik <[email protected]>
Signed-off-by: Georgios Vasilakis <[email protected]>
Signed-off-by: Johann Fischer <[email protected]>
Signed-off-by: Torsten Rasmussen <[email protected]>
Signed-off-by: Jamie McCrae <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 55683e3)

The CC310 and bl_crypto require decoded signature instead of raw ASN.1

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit ba55561)

After the upmerge using external crypto from NSIB in MCUBoot resulted in
build failures. This commit fixes the build failures but also fixes a
change in the API call which resulted in `-102` error when calling the
verify function.

Ref. NCSDK-23994

Signed-off-by: Sigvart Hovland <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit a0c21e2)

-This sets the provide EXT_API to be at least
 optional when the external_crypto is being used.

Ref: NCSDK-12021

Signed-off-by: Georgios Vasilakis <[email protected]>
Signed-off-by: Torsten Rasmussen <[email protected]>
Signed-off-by: Jamie McCrae <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit fcd7281)

The default value of CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT
for nRF52 SOCs has been changed from 0 to 3, but it makes
MCUBoot get stuck on erasing flash pages when swapping two
images. Restore the previous value until the RTC issue is
resolved (see NCSDK-14427)

Signed-off-by: Damian Krolik <[email protected]>
Signed-off-by: Torsten Rasmussen <[email protected]>
Signed-off-by: Jamie McCrae <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit a01d30a)

This patch adds board configuration for the Thingy:91 X.

Signed-off-by: Maximilian Deubel <[email protected]>
(cherry picked from commit 3c2f2ff)

Partition Manager is an nRF Connect SDK component which uses yaml
files to resolve flash partition placement with a holistic view of the
device.

This component's MCUboot portions began life as upstream mcuboot
PR#430. This added support for being built as a sub image from the
downstream Nordic patch set for a zephyr multi image build
system (mcuboot 430 was combined with effor submitted to upstream
zephyr as PR#13672, which was ultimately reworked after being rejected
for mainline at the ELCE 2019 conference in Lyon).

It has since evolved over time. This is the version that will go into
NCS v1.3. It features:

- page size aligned partitions for all partitions used by mcuboot.
- image swaps without scratch partitions

Add support for configurations where there exists two primary slots
but only one secondary slot, which is shared. These two primary slots
are the regular application and B1. B1 can be either S0 or S1
depending on the state of the device.

Decide where an upgrade should be stored by looking at the vector
table.

Provide update candidates for both s0 and s1. These candidates must be
signed with mcuboot after being signed by b0.

Additional notes:

- we make update.hex without trailer data

  This is needed for serial recovery to work using hex files.
  Prior to this the update.hex got TLV data at the end of the
  partition, which caused many blank pages to be included,
  which made it hard to use in a serial recovery scheme.

  Instead, make update.hex without TLV data at the end,
  and provide a new file test_update.hex which contains
  the TLV data, and can be directly flashed to test the
  upgrade procedure.

- we use a function for signing the application as future-proofing
  for when other components must be signed as well

- this includes an update to single image applications that enables
  support for partition manager; when single image DFU is used, a
  scratch partition is not needed.

- In NCS, image 1 primary slot is the upgrade bank for mcuboot (IE S0 or
  S1 depending on the active slot). It is not required that this slot
  contains any valid data.

- The nRF boards all have a single flash page size, and partition
  manager deals with the size of the update partitions and so on, so we
  must skip a boot_slots_compatible() check to avoid getting an error.

- There is no need to verify the target when using partition manager.

- We lock mcuboot using fprotect before jumping, to enable the secure
  boot property of the system.

- Call fw_info_ext_api_provide() before booting if EXT_API_PROVIDE
  EXT_API is enabled. This is relevant only when the immutable
  bootloader has booted mcuboot.

Signed-off-by: Håkon Øye Amundsen <[email protected]>
Signed-off-by: Øyvind Rønningstad <[email protected]>
Signed-off-by: Sebastian Bøe <[email protected]>
Signed-off-by: Sigvart Hovland <[email protected]>
Signed-off-by: Martí Bolívar <[email protected]>
Signed-off-by: Torsten Rasmussen <[email protected]>
Signed-off-by: Andrzej Głąbek <[email protected]>
Signed-off-by: Robert Lubos <[email protected]>
Signed-off-by: Andrzej Puzdrowski <[email protected]>
Signed-off-by: Emil Obalski <[email protected]>
Signed-off-by: Pawel Dunaj <[email protected]>
Signed-off-by: Ioannis Glaropoulos <[email protected]>
Signed-off-by: Johann Fischer <[email protected]>
Signed-off-by: Vidar Berg <[email protected]>
Signed-off-by: Draus, Sebastian <[email protected]>
Signed-off-by: Trond Einar Snekvik <[email protected]>
Signed-off-by: Jamie McCrae <[email protected]>
Signed-off-by: Joakim Andersson <[email protected]>
Signed-off-by: Georgios Vasilakis <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 518617a)

- Add network core bootloader implementation

  Enables network core updates of nrf53 using MCUBoot by identifying
  images through their start addresses. Also implements the control and
  transfer using the PCD module.

- Add support for multi image DFU using partition manager.

- Add check for netcore addr if NSIB is enabled so netcore updates works

- boot: zephyr: move thingy53_nrf5340_cpuapp.conf downstream

  Moved the board configuration for Thingy:53 Application Core to the
  nRF Connect SDK MCUboot downstream repository. The configuration file
  contains references to the Kconfig modules that are only available in
  the nRF Connect SDK. The current configuration is set up to work in the
  nRF Connect SDK environment and cannot be used upstream.

- pm: enable ram flash partition using common flag

  This patch makes mcuboot_primary_1 ram-flash partition
  selectable using CONFIG_NRF53_MCUBOOT_PRIMARY_1_RAM_FLASH
  property. This is needed since CONFIG_NRF53_MULTI_IMAGE_UPDATE
  become not only configuration which requires that partition.

- MCUBoot configures USB CDC by its own. There is no need for
  BOARD_SERIAL_BACKEND_CDC_ACM option to configure anything which is
  later overwritten anyway.

  Jira: NCSDK-18596

Signed-off-by: Andrzej Puzdrowski <[email protected]>
Signed-off-by: Emil Obalski <[email protected]>
Signed-off-by: Håkon Øye Amundsen <[email protected]>
Signed-off-by: Ioannis Glaropoulos <[email protected]>
Signed-off-by: Jamie McCrae <[email protected]>
Signed-off-by: Johann Fischer <[email protected]>
Signed-off-by: Kamil Piszczek <[email protected]>
Signed-off-by: Ole Sæther <[email protected]>
Signed-off-by: Sigvart Hovland <[email protected]>
Signed-off-by: Simon Iversen <[email protected]>
Signed-off-by: Torsten Rasmussen <[email protected]>
Signed-off-by: Trond Einar Snekvik <[email protected]>
Signed-off-by: Mateusz Kapala <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 42e43d0)

Do some cleanup of nRF peripherals. This is necessary since Zephyr
doesn't have any driver deinitialization functionality, and we'd like
to leave peripherals in a more predictable state before booting the
Zephyr image. This should be re-worked when the zephyr driver model
allows us to deinitialize devices cleanly before jumping to the
chain-loaded image.

Signed-off-by: Andrzej Puzdrowski <[email protected]>
Signed-off-by: Robert Lubos <[email protected]>
Signed-off-by: Torsten Rasmussen <[email protected]>
Signed-off-by: Øyvind Rønningstad <[email protected]>
Signed-off-by: Martí Bolívar <[email protected]>
Signed-off-by: Håkon Øye Amundsen <[email protected]>
Signed-off-by: Ioannis Glaropoulos <[email protected]>
Signed-off-by: Johann Fischer <[email protected]>
Signed-off-by: Trond Einar Snekvik <[email protected]>
Signed-off-by: Torsten Rasmussen <[email protected]>
Signed-off-by: Jamie McCrae <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 3b2a5ba)

To ensure that MCUBoot does not leak keys or other material through
memory to non-secure side we clear the memory before jumping to the next
image.

Signed-off-by: Sigvart Hovland <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
Signed-off-by: Ole Sæther <[email protected]>
(cherry picked from commit 047d463)

When mcuboot_secondary is on external flash, the image header cannot
dircetly be accessed via secondary_fa->fa_off. Instead the provided
function boot_img_hdr() is used now.
Additionally a similar issue is present when trying to read the address
of the reset handler. For this flash_area_read() is used now.

With this patch is possible to have the update partiton
mcuboot_secondary on external flash and update a updatable
bootloader (mcuboot) in s0 and/or s1.

Signed-off-by: Christian Taedcke <[email protected]>
Signed-off-by: Ole Sæther <[email protected]>
Signed-off-by: Sigvart Hovland <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 2dac63a)

Fixes path variables to use the proper Zephyr module variables

Signed-off-by: Jamie McCrae <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit c28fa1d)

The XIP image, 2, does not have reset vector.

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit d798de3)

Puts the flash simulation configurtion into cache variables that can
be used by other applications and CMake code to know specifics on
the simulated flash details

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit af27205)

This removes the `return;` to ensure that the application is booted even
if EXT_ABI is not provided to the application because it does not
include `FW_INFO`.

Added a bit more description to the error messages when FW_INFO is not
found and EXT_ABI is not able to be provided to the next image.

Ref. NCSDK-24132

Signed-off-by: Sigvart Hovland <[email protected]>
(cherry picked from commit 41cc274)

For nRF53, the only existing version number metadata is stored in the
`firmware_info` structure in the network core. This utilizes PCD to read
out the version number and compares it against the version number found
in the secondary slot for the network core.

Ref. NCSDK-21379

Signed-off-by: Sigvart Hovland <[email protected]>
(cherry picked from commit 8e91ec1)

Change disables GPIO interrupt support in Zephyr GPIO driver,
which is not obligatory for MCUboot.
This is needed to reduce memory footprint.

Signed-off-by: Nikodem Kastelik <[email protected]>
(cherry picked from commit 86af2de)

Added configuration which allows to build MCUboot for
nrf54l15pdk_nrf54l15_cpuapp with external flash used for
the secondary slot.

Signed-off-by: Andrzej Puzdrowski <[email protected]>
(cherry picked from commit 78bc87c)

Seems multi-image dependencies are not supported for multi-image in
NCS yet. This is a workaround which reverts some lines to restore
previous MCUboot behavior, so that Immutable bootloader + MCUBoot type
builds will work.

Ref. NCSDK-8681

Signed-off-by: Sigvart Hovland <[email protected]>
(cherry picked from commit 4ce3844)

Fixes a missing PCD define check, an image might have the
network core partition layout set but if PCD support is not
enabled then it should not assume that PCD support is part
of mcuboot.

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit 150a1d4)

This adds support for using both NSIB and the multi-image configuration
in MCUboot. Before this was not possible due to upgradable bootloader
support through NSIB was using the `UPDATEABLE_IMAGE_NUMBER`
configuration to update the updateable bootloader.

In this commit we change from using `FLASH_AREA_IMAGE_PRIMARY` to get
the flash area ID to using the bootloader state where we set the flash
area ID of the free updatable bootloader slot if the image is intended
for this slot.

Ref. NCSDK-19223
Ref. NCSDK-23305

Signed-off-by: Sigvart Hovland <[email protected]>
(cherry picked from commit 3ec5084)

Making sysflash.h and pm_sysflash.h more readable.

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 51b7a3f)

The commit modifies pm_sysflash.h to add support for three
application images.

Ref. NCSDK-19223

Signed-off-by: Dominik Ermel <[email protected]>
Signed-off-by: Sigvart Hovland <[email protected]>
(cherry picked from commit 9c67351)

Added procedure which clean-up content of all the secondary slot
which contains valid header but couldn't be assigned to any of
supported primary images.
This behavior is needed when configuration allows to use one secondary
slot for collecting image for multiple primary slots.

Signed-off-by: Andrzej Puzdrowski <[email protected]>
(cherry picked from commit 8f4b472)

FPROTECT is not suppored yet for nrf54l15.

Signed-off-by: Grzegorz Chwierut <[email protected]>
Signed-off-by: Gerard Marull-Paretas <[email protected]>
(cherry picked from commit 0b5810d)

Move ifdefs just to not add code for cleanup unusable
slot when direct xip mode is enabled to avoid warnings.

Signed-off-by: Grzegorz Chwierut <[email protected]>
(cherry picked from commit 650d11c)

fixup! [nrf noup] zephyr: Clean up non-secure RAM if enabled

Add support for nrf54l15 UARTE20 and UARTE30.

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 0611b4c)

Added DTS with partitioning which involves external flash
as place for slo1_partition.

Signed-off-by: Andrzej Puzdrowski <[email protected]>
(cherry picked from commit efe6681)

This patch supplements the configuration for external flash so
MCUboot can be build with FILE_SUFFIX="ext_flash" for the nrf54l15pdk
instead of explicitly configuration specification.

Signed-off-by: Andrzej Puzdrowski <[email protected]>
(cherry picked from commit 3131c92)

This patch disbales MCUBoot logging and enables
serial recovery for the Thingy:91.

Signed-off-by: Maximilian Deubel <[email protected]>
Signed-off-by: Bernt Johan Damslora <[email protected]>
(cherry picked from commit f67a11a)

Mcuboot's boot banner should not be used if NCS boot banner is enabled.

Signed-off-by: Robert Lubos <[email protected]>
(cherry picked from commit 7b018cb)

By the upstream patch the vt get now the pointer to the copy
of the arm_vector instead of original.

This patch fixes address of the firmware which is to be taken by
the fw_info_find.

Signed-off-by: Andrzej Puzdrowski <[email protected]>
(cherry picked from commit 3be724f)

…t vector

This is revert of upstream commit
 453096b
which was supposed to allow picking interrupt vector table from
flash area but the whole modification unfortunately misunderstood
difference between flash device ID and flash area ID.
The commit is not important for sdk-nrf and requires re-design
and fixing upstream.

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit f1e1675)

Disabled at last optional EXT_API when external-crypto is enabled.

Signed-off-by: Andrzej Puzdrowski <[email protected]>
(cherry picked from commit 1d02303)

Align to changes in DTS:
renamed: rram0 -> cpuapp_rram
sized up cpauapp_rram region szie as part of it was reserved for
cpuflpr_rram (which is not used by this config).

Signed-off-by: Andrzej Puzdrowski <[email protected]>
(cherry picked from commit f1c2b8c)

Adds a boot banner which shows as MCUboot

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit 6869a65)

This patch introduces skip on checking downgrade for s1/s0 upgrade
image (chain-loaded by NSIB). which is used for upgrade MCUboot
instance itself.

Reason is that sdk-mcuboot has not access to semantic version of its own
image. I also shouldn't touch HW counter used for hardware downgrade
prevention for the application image (which was the case). HW counters for
s0/s1 image are owned by NSIB because its role is to prevnt dongrades of
s0/s1 MCUboot.

Signed-off-by: Andrzej Puzdrowski <[email protected]>
(cherry picked from commit 776ee26)

As this is MCUboot updating itself, it should reboot the device
so NSIB will chainload the update MCUboot

Signed-off-by: Andrzej Puzdrowski <[email protected]>
(cherry picked from commit 8541955)

fixup! [nrf noup] zephyr: add 'minimal' configuration files

Removes setting a now removed Kconfig option

Signed-off-by: Jamie McCrae <[email protected]>

Fixes an issues with wrongly checking the network core reset
address

Signed-off-by: Jamie McCrae <[email protected]>

Adds the configuration for this board

Signed-off-by: Jamie McCrae <[email protected]>
Signed-off-by: Andrzej Puzdrowski <[email protected]>
(cherry picked from commit 242db1a)

FPROTECT is not suppored for nrf54l15dk.

Signed-off-by: Andrzej Puzdrowski <[email protected]>

…function

Adds the state object to this function so it can be referenced

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit dbb5c78)

…image

Changes the order of operations to validate the image header
before checking the image, it does not make sense to check the
image if the header itself is invalid

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit 2939d30)

Adds notes on the changed bootutil features

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit bf13555)

Adds some flags to indicate if the data of an image is compressed
(lzma1 and lzma2) and adds new TLVs for compressed images relating
to the hash, signature and size of the decompressed image data,
this allows the image to be validated before decompressing, then
validated after decompression to ensure an image is always valid
for a device

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit 91d86b8)

Adds a Kconfig allowing the decompression option to be selected

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit 0c1ddf7)

…ithout support

Checks if images have compressed or encrypted image flags and, if
so, and those options are not enabled in that MCUboot build, will
class the images as invalid and delete them (these images cannot
be used without support anyway)

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit 206c7e7)

Marks images as invalid if they have conflicting flags, e.g. more
than one type of LZMA compression or more than one type of
encryption

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit 4d85e29)

… check

The protected TLV section was not included in the size check of
if an image could fit into a slot, which means that it was
possible for file to be deemed as OK for storing but then failing
due to insufficient flash space during the update

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit feb9265)

…ession

When compression is used, it allows for the secondary slot to be
smaller than the primary slot, therefore do not ensure that the
number of sectors in each slot are the same

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit 2931f9d)

Adds release notes based on these changes

Signed-off-by: Jamie McCrae <[email protected]>
(cherry picked from commit ebf60e0)

Adds support for LZMA-compressed firmware updates

Signed-off-by: Jamie McCrae <[email protected]>

This reverts commit 895c76b.

Signed-off-by: Dominik Ermel <[email protected]>

This reverts commit a42e9cc.

Signed-off-by: Dominik Ermel <[email protected]>

This reverts commit cc42516.

Signed-off-by: Dominik Ermel <[email protected]>

This reverts commit ff53382.

Signed-off-by: Dominik Ermel <[email protected]>

This reverts commit 0faa8b2.

Signed-off-by: Dominik Ermel <[email protected]>

adds TLV and Kconfig to decouple verification from
other options.

Signed-off-by: Mateusz Michalek <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 41df52e)

* Add functions for ecdsa_verify_secp256r1 and sha256 to use the shared
crypto API
* Add Kconfig and CMake variables for selecting shared crypto when using
ecdsa
* Add custom section to project for placing the API section in the
correct location in flash
* Add kconfig fragment for using external crypto

Signed-off-by: Sigvart Hovland <[email protected]>
Signed-off-by: Martí Bolívar <[email protected]>
Signed-off-by: Emil Obalski <[email protected]>
Signed-off-by: Andrzej Puzdrowski <[email protected]>
Signed-off-by: Håkon Øye Amundsen <[email protected]>
Signed-off-by: Ioannis Glaropoulos <[email protected]>
Signed-off-by: Trond Einar Snekvik <[email protected]>
Signed-off-by: Georgios Vasilakis <[email protected]>
Signed-off-by: Johann Fischer <[email protected]>
Signed-off-by: Torsten Rasmussen <[email protected]>
Signed-off-by: Jamie McCrae <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 55683e3)
(cherry picked from commit 0faa8b2)
(cherry picked from commit a42e9cc)
(cherry picked from commit 895c76b)
(cherry picked from commit ff53382)
(cherry picked from commit cc42516)

Fixed hash algorithm defaults to SHA256 in case no key provided.
Verification improved by adding check for key - tlv mismatch,
VerifyResult.KEY_MISMATCH added to indicate this case.
Multiple styling fixes and import optimisation, exception handling.

Signed-off-by: Rustam Ismayilov <[email protected]>
Change-Id: I61a588de5b39678707c0179f4edaa411ceb67c8e
(cherry picked from commit 36f8bf3)
Signed-off-by: Dominik Ermel <[email protected]>

Defaults to false.

Signed-off-by: Mateusz Wielgos <[email protected]>
(cherry picked from commit dc03055)
Signed-off-by: Dominik Ermel <[email protected]>

The adds support for hashing image with SHA512, to allow
SHA512-ED25519-SHA512 signature.

To support above --sha parameter has been added that can take value:
 auto, 256, 384, 512
to select sha, where auto brings the default behaviour, or current,
behaviour. The sha provided here is tested against key so not all
combinations are supported.

Upstream PR: mcu-tools/mcuboot#2048

Signed-off-by: Dominik Ermel <[email protected]>

In Mbed TLS 3.1, the private fields in the ASN.1 structure were made private.
This breaks code that accesses these private macros.

Fix this by changing the ASN.1 specific code to use a new field accessor
`ASN1_CONTEXT_MEMBER` that will be conditionally defined based on the version of
Mbed TLS that is present.

Signed-off-by: David Brown <[email protected]>
(cherry picked from commit 1d79ef3)
Signed-off-by: Dominik Ermel <[email protected]>

Currently, when swap using scratch is used with encrypted images,
MCUboot is decrypting the images during the copy from the secondary slot
to the scratch area. This means the scratch area contains plaintext
image data and therefore that the scratch area must be placed in the
MCU's internal flash memory. This commit makes the necessary changes to
perform the decryption when copying from the scratch area to the primary
slot instead, making possible to place the scratch area in an external
flash memory since the scratch area is now encrypted.

Note that BOOT_SWAP_SAVE_ENCTLV must be enabled if the scratch area is
placed in external flash memory.

Signed-off-by: Thomas Altenbach <[email protected]>
(cherry picked from commit 08d2d94)
Signed-off-by: Dominik Ermel <[email protected]>

In the boot_image_validate_encrypted there was call to
flash_area_id_to_multi_image_slot, which tries to figure out
slot index from flash area and image index, and the result of the
call was not used for anything as slot index is hardcoded in the
next call to be 1 (secondary).

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 4da4a72)

All of boot_enc_ function follow the same pattern where
they take encryption context as the first parameter, and the
boot_enc_decrypt stands out here as it does not work around
the encryption context, but is rather single-part decryption
function only used for decrypting of the image encryption
key.

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 2371c0a)

…_drop.

The enc_key_data.valid had been set to true when key has been added
to the encryption context, but in case when boot_enc_drop was called,
on the same context, the flag remained true, even though the context
may no longer hold any valid context nor key.
The commit moves the enc_key_data invalidation to enc_key_drop.

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 3355735)

… of image

In all cases where boot_enc_load is called it is known what slot
is addressed, so it is better to just pass the slot number
instead of making the boot_enc_load figure out slot number from
image index and provided flash area object.

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 7f9ac97)

…mage_to_sram

There was not really needed repetition of code in if-else
block; common code has been moved out and the block has been
reduced.

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit d09112a)

Convert tab to spaces; fix opening brace position.

Signed-off-by: Fabio Utzig <[email protected]>
(cherry picked from commit d5e0e89)

boot_encrypt required the image_index paired with flash area pointer
to be able to figure out which slot it will operate on.
Since in most calls the slot is known in advance it can be just
passed to the function directly.
The commit replaces both parameters with slot number.

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 3f11286)

Move checking of conditions, which remain the same for the whole
loop run, outside of the loop.

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 6fe259b)

…ndex

There is no point for boot_enc_valid to take image index and
flash area and use these to figure out slot number.

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 956311d)

…t_enc_decrypt

To be able to implement encryption with API that requires different
calls for encryption and encryption, the boot_encrypt
needs to be replaced with encryption/decryption specific functions.

Upstream PR: mcu-tools/mcuboot#2017

Signed-off-by: Dominik Ermel <[email protected]>

Set of changes to Kconfig, CMakeLists.txt and some of headers
that are required for the PSA support to compile.

Signed-off-by: Dominik Ermel <[email protected]>

The commit provides implementation of image verification with
ed25519 and encryption/decryption support where random key
is encrypted using x25519.

Signed-off-by: Dominik Ermel <[email protected]>

fixup! [nrf noup] PSA configuration required changes

Signed-off-by: Dominik Ermel <[email protected]>

Use SHA512 directly calculated over image with the ED25519 signature.

Signed-off-by: Dominik Ermel <[email protected]>

The commit add support for passing storage device address space
to hash calculation functions, which allows to use hardware
accelerated hash calculation on storage.
This feature only works when image encryption is not enabled
and all slots are defined within internal storage of device.

The feature is enabled using Kconfig option
 CONFIG_BOOT_IMG_HASH_DIRECTLY_ON_STORAGE

Signed-off-by: Dominik Ermel <[email protected]>

The commit adds support for PureEdDSA, which validates signature
of image rather than hash. This is most secure, available, ED25519
usage in MCUboot, but due to requirement of PureEdDSA to be able
to calculate signature at whole message at once, here image,
it only works on setups where entire image can be mapped to
device address space, so that PSA functions calculating the
signature can see the whole image at once.

This option is enabled with Kconfig option:
 CONFIG_BOOT_SIGNATURE_TYPE_PURE
when the ED25519 signature type is already selected.

Note that the option will enable SHA512 for calculating public
key hash.

Signed-off-by: Dominik Ermel <[email protected]>

fixup! [nrf noup] PSA implementation of x25519 and ed25519 verification

And fixing typos.

Signed-off-by: Dominik Ermel <[email protected]>

fixup! [nrf noup] bootutil: PureEdDSA using ED25519

Signed-off-by: Dominik Ermel <[email protected]>

Adds LZMA2 compression to imgtool.
Python lzma library is unable to compress with proper parameters while using
"ALONE" container, therefore 2 header bytes are calculated and added
to payload by imgtool.

Upstream PR: mcu-tools/mcuboot#2038

Signed-off-by: Mateusz Michalek <[email protected]>

… needed

fixup! [nrf noup] zephyr: Add support for compressed image updates

Selects this Kconfig when compression is enabled for nrf54l15

Signed-off-by: Jamie McCrae <[email protected]>

fixup! [nrf noup] PSA configuration required changes

Signed-off-by: Dominik Ermel <[email protected]>

This reverts commit 9101a24.

…IZE when needed"

This reverts commit 3909498.