http://git-wip-us.apache.org/repos/asf/incubator-mynewt-site/blob/86a27381/develop/mkdocs/search_index.json ---------------------------------------------------------------------- diff --git a/develop/mkdocs/search_index.json b/develop/mkdocs/search_index.json index 84d2e36..c6dfaad 100644 --- a/develop/mkdocs/search_index.json +++ b/develop/mkdocs/search_index.json @@ -1442,7 +1442,7 @@ }, { "location": "/os/tutorials/project-target-slinky/", - "text": "Project Slinky using STM32 board\n\n\n\n\nThe goal of the project is to enable and demonstrate remote communications with the Mynewt OS via newt manager (newtmgr) by leveraging a sample app \"Slinky\" included under the /apps directory in the repository. In this project we will define a target for the STM32-E407 board and assign the app \"Slinky\" to it.\n\n\nIf you have an existing project using a target that does not use the Slinky app and you wish to add newtmgt functonality to it, check out the tutorial titled \nEnable newtmgr in any app\n.\n\n\n\n\nWhat you need\n\n\n\n\nSTM32-E407 development board from Olimex. You can order it from \nhttp://www.mouser.com\n, \nhttp://www.digikey.com\n, and other places.\n\n\nARM-USB-TINY-H connector with JTAG interface for debugging ARM microcontrollers (comes with the ribbon cable to hook up to the board)\n\n\nUSB A-B type cable to connect the debugger to your personal computer\n\n\nA USB to TTL Serial Cable with female wiring harness. An example is \nhttp://www.amazon.com/JBtek\u00ae-WINDOWS-Supported-Raspberry-Programming/dp/B00QT7LQ88/ref=lp_464404_1_9?s=pc\nie=UTF8\nqid=1454631303\nsr=1-9\n\n\nPersonal Computer\n\n\n\n\nThe instructions assume the user is using a Bourne-compatible shell (e.g. bash or zsh) on your computer. The given instructions have been tested with the following releases of operating systems:\n\n\n\n\nMac: OS X Yosemite Version 10.10.5\n\n\n\n\nOverview of steps\n\n\n\n\nInstall dependencies\n\n\nDefine a target using the newt tool\n\n\nBuild executables for the targets using the newt tool\n\n\nSet up serial connection with the targets\n\n\nCreate a connection profile using the newtmgr tool\n\n\nUse the newtmgr tool to communicate with the targets\n\n\n\n\nInstall newt\n\n\nIf you have not already installed \nnewt\n, see the\n\nnewt installation instructions\n and ensure newt is installed an in your path.\n\n\nInstall newtmgr\n\n\nIf you have not already installed \nnewtmgr\n , see the\n\nnewtmgr installation instructions\n and ensure newtmgr is installed an in your path.\n\n\nCreate a new project\n\n\nInstructions for creating a project are located in the \nBasic Setup\n section of the \nMynewt Documentation\n.\n\n\nIf you already completed \nSim Slinky\n you can skip this step.\n\n\nWe will list only the steps here for brevity. We will name the project\n\nslinky\n.\n\n\n$ newt new slinky\nDownloading project skeleton from apache/incubator-mynewt-blinky...\n...\nInstalling skeleton in slink...\nProject slink successfully created\n$ cd slinky\n$newt install -v\nDownloading repository description for apache-mynewt-core... success!\n...\nRepos successfully installed\n\n\n\n\n\n\n\nSet up your target builds\n\n\nCreate a target for \nstm32_slinky\n using the native BSP. The Newt tool output is suppressed below for brevity.\n\n\n$ newt target create stm32_slinky\n$ newt target set stm32_slinky bsp=@apache-mynewt-core/hw/bsp/olimex_stm32-e407_devboard\n$ new t target set stm32_slinky build_profile=debug\n$ newt target set stm32_slinky app=@apache-mynewt-core/apps/slinky\n\n\n\n\n\nCreate a second target for \nstm32_bootloader\n to build a bootloader to boot\nthe \nstm32_slinky\n image. The tool output is suppressed below for brevity.\n\n\n$ newt target create stm32_bootloader\n$ newt target set stm32_bootloader bsp=@apache-mynewt-core/hw/bsp/olimex_stm32-e407_devboard\n$ newt target set stm32_bootloader build_profile=optimized\n$ newt target set stm32_bootloader target.app=@apache-mynewt-core/apps/boot\n\n\n\n\n\n\n\nBuild Targets\n\n\n$ newt build stm32_slinky\nCompiling main.c\n...\nLinking slinky.elf\nApp successfully built: ~/dev/slinky/bin/stm32_slinky/apps/slinky/slinky.elf\n\n\n\n\n\nnewt build stm32_bootloader\nCompiling crc16.c\n...\nLinking boot.elf\nApp successfully built: ~/slinky/bin/stm32_bootloader/apps/boot/boot.elf\n\n\n\n\n\nFor the main image, you need to create an image using newt create-image.\nGive this image some arbitrary version number \"1.2.3\".\n\n\n$ newt create-image stm32_slinky 1.2.3\nApp image successfully generated: /Users/paulfdietrich/dev/slinky/bin/stm32_slinky/apps/slinky/slinky.img\nBuild manifest: /Users/paulfdietrich/dev/slinky/bin/stm32_slinky/apps/slinky/manifest.json\n\n\n\n\n\n\n\nUsing newtmgr with a remote target\n\n\n\n\n\n\nFirst make sure the USB A-B type cable is connected to the ARM-USB-TINY-H debugger connector on the Olimex board.\n\n\nNext go the to project directory and download the slinky project image to the flash of the Olimex board.\n\n\n\n\n\n\n$ newt load stm32_bootloader\n$ newt load stm32_slinky\n\n\n\n\n\nYou can now disconnect the debugging cable from the board. You should see the green LED blinking. If not, try powercycling the board.\n\n\n\n\n\n\n\n\nNow you have to set up the serial connection from your computer to the Olimex board. Locate the PC6/USART6_TX (pin#3), PC7/USART6_RX (pin#4), and GND (pin#2) of the UEXT connector on the Olimex board. More information on the UEXT connector can be found at \nhttps://www.olimex.com/Products/Modules/UEXT/\n. The schematic of the board can be found at \nhttps://www.olimex.com/Products/ARM/ST/STM32-E407/resources/STM32-E407_sch.pdf\n for reference.\n\n\n\n\n\n\nConnect the female RX pin of the USB-TTL serial cable to the TX of the UEXT connector on the board.\n\n\nConnect the female TX pin of the USB-TTL serial cable to the RX of the UEXT connector on the board.\n\n\nConnect the GND pin of the USB-TTL serial cable to the GND of the UEXT connector on the board.\n\n\n\n\n\n\n\n\n\n\n\n\nLocate the serial connection established in the /dev directory of your computer. It should be of the type \ntty.usbserial-\nsome identifier\n.\n\n\n\n\n $ ls /dev/tty.usbserial-AJ03HAQQ\n /dev/tty.usbserial-AJ03HAQQ\n\n\n\n\n\n\n\n\n\nYou now have to define a connection profile using newtmgr. You can give it any name you want. The example below shows the connection profile being named as t he very imaginative \nolimex01\n.\n\n\n\n\n $ pwd\n /Users/\nuser\n/dev/larva/project/slinky\n $ newtmgr conn add olimex01 type=serial connstring=/dev/tty.usbserial-AJ03HAQQ\n Connection profile olimex01 successfully added\n $ newtmgr conn show\n Connection profiles:\n sim1: type=serial, connstring=\n/dev/ttys007\n\n olimex01: type=serial, connstring=\n/dev/tty.usbserial-AJ03HAQQ\n\n\n\n\n\n\n\n\n\n\nNow go ahead and query the Olimex board to get responses back. The simplest command is the \necho\n command to ask it to respond with the text you send it.\n\n\n\n\n $ newtmgr echo -c olimex01 hello\n {\nr\n: \nhello\n}\n $ newtmgr image -c olimex01 list\n Images:\n 0 : 1.2.3\n $ newtmgr -c olimex01 taskstats\n Return Code = 0\n newtmgr (prio=4 tid=2 runtime=0 cswcnt=12 stksize=512 stkusage=255 last_checkin=0 next_checkin=0)\n task1 (prio=1 tid=3 runtime=0 cswcnt=299 stksize=128 stkusage=33 la st_checkin=0 next_checkin=0)\n task2 (prio=2 tid=4 runtime=0 cswcnt=300 stksize=128 stkusage=31 last_checkin=0 next_checkin=0)\n idle (prio=255 tid=0 runtime=299916 cswcnt=313 stksize=32 stkusage=18 last_checkin=0 next_checkin=0)\n shell (prio=3 tid=1 runtime=1 cswcnt=20 stksize=384 stkusage=60 last_checkin=0 next_checkin=0)", + "text": "Project Slinky using STM32 board\n\n\n\n\nThe goal of the project is to enable and demonstrate remote communications with the Mynewt OS via newt manager (newtmgr) by leveraging a sample app \"Slinky\" included under the /apps directory in the repository. In this project we will define a target for the STM32-E407 board and assign the app \"Slinky\" to it.\n\n\nIf you have an existing project using a target that does not use the Slinky app and you wish to add newtmgt functonality to it, check out the tutorial titled \nEnable newtmgr in any app\n.\n\n\n\n\nWhat you need\n\n\n\n\nSTM32-E407 development board from Olimex. You can order it from \nhttp://www.mouser.com\n, \nhttp://www.digikey.com\n, and other places.\n\n\nARM-USB-TINY-H connector with JTAG interface for debugging ARM microcontrollers (comes with the ribbon cable to hook up to the board)\n\n\nUSB A-B type cable to connect the debugger to your personal computer\n\n\nA USB to TTL Serial Cable with female wiring harness. An example is \nhttp://www.amazon.com/JBtek\u00ae-WINDOWS-Supported-Raspberry-Programming/dp/B00QT7LQ88/ref=lp_464404_1_9?s=pc\nie=UTF8\nqid=1454631303\nsr=1-9\n\n\nPersonal Computer\n\n\n\n\nThe instructions assume the user is using a Bourne-compatible shell (e.g. bash or zsh) on your computer. The given instructions have been tested with the following releases of operating systems:\n\n\n\n\nMac: OS X Yosemite Version 10.10.5\n\n\n\n\nOverview of steps\n\n\n\n\nInstall dependencies\n\n\nDefine a target using the newt tool\n\n\nBuild executables for the targets using the newt tool\n\n\nSet up serial connection with the targets\n\n\nCreate a connection profile using the newtmgr tool\n\n\nUse the newtmgr tool to communicate with the targets\n\n\n\n\nInstall newt\n\n\nIf you have not already installed \nnewt\n, see the\n\nnewt installation instructions\n and ensure newt is installed an in your path.\n\n\nInstall newtmgr\n\n\nIf you have not already installed \nnewtmgr\n , see the\n\nnewtmgr installation instructions\n and ensure newtmgr is installed an in your path.\n\n\nCreate a new project\n\n\nInstructions for creating a project are located in the \nBasic Setup\n section of the \nMynewt Documentation\n.\n\n\nIf you already completed \nSim Slinky\n you can skip this step.\n\n\nWe will list only the steps here for brevity. We will name the project\n\nslinky\n.\n\n\n$ newt new slinky\nDownloading project skeleton from apache/incubator-mynewt-blinky...\n...\nInstalling skeleton in slink...\nProject slink successfully created\n$ cd slinky\n$newt install -v\nDownloading repository description for apache-mynewt-core... success!\n...\nRepos successfully installed\n\n\n\n\n\n\n\nSet up your target builds\n\n\nCreate a target for \nstm32_slinky\n using the native BSP. The Newt tool output is suppressed below for brevity.\n\n\n$ newt target create stm32_slinky\n$ newt target set stm32_slinky bsp=@apache-mynewt-core/hw/bsp/olimex_stm32-e407_devboard\n$ new t target set stm32_slinky build_profile=debug\n$ newt target set stm32_slinky app=@apache-mynewt-core/apps/slinky\n\n\n\n\n\nCreate a second target for \nstm32_bootloader\n to build a bootloader to boot\nthe \nstm32_slinky\n image. The tool output is suppressed below for brevity.\n\n\n$ newt target create stm32_bootloader\n$ newt target set stm32_bootloader bsp=@apache-mynewt-core/hw/bsp/olimex_stm32-e407_devboard\n$ newt target set stm32_bootloader build_profile=optimized\n$ newt target set stm32_bootloader target.app=@apache-mynewt-core/apps/boot\n\n\n\n\n\n\n\nBuild Targets\n\n\n$ newt build stm32_slinky\nCompiling main.c\n...\nLinking slinky.elf\nApp successfully built: ~/dev/slinky/bin/stm32_slinky/apps/slinky/slinky.elf\n\n\n\n\n\nnewt build stm32_bootloader\nCompiling crc16.c\n...\nLinking boot.elf\nApp successfully built: ~/slinky/bin/stm32_bootloader/apps/boot/boot.elf\n\n\n\n\n\nFor the main image, you need to create an image using newt create-image.\nGive this image some arbitrary version number \"1.2.3\".\n\n\n$ newt create-image stm32_slinky 1.2.3\nApp image successfully generated: /Users/paulfdietrich/dev/slinky/bin/stm32_slinky/apps/slinky/slinky.img\nBuild manifest: /Users/paulfdietrich/dev/slinky/bin/stm32_slinky/apps/slinky/manifest.json\n\n\n\n\n\n\n\nUsing newtmgr with a remote target\n\n\n\n\n\n\nFirst make sure the USB A-B type cable is connected to the ARM-USB-TINY-H debugger connector on the Olimex board.\n\n\nNext go the to project directory and download the slinky project image to the flash of the Olimex board.\n\n\n\n\n\n\n$ newt load stm32_bootloader\n$ newt load stm32_slinky\n\n\n\n\n\nYou can now disconnect the debugging cable from the board. You should see the green LED blinking. If not, try powercycling the board.\n\n\n\n\n\n\n\n\nNow you have to set up the serial connection from your computer to the Olimex board. Locate the PC6/USART6_TX (pin#3), PC7/USART6_RX (pin#4), and GND (pin#2) of the UEXT connector on the Olimex board. More information on the UEXT connector can be found at \nhttps://www.olimex.com/Products/Modules/UEXT/\n. The schematic of the board can be found at \nhttps://www.olimex.com/Products/ARM/ST/STM32-E407/resources/STM32-E407_sch.pdf\n for reference.\n\n\n\n\n\n\nConnect the female RX pin of the USB-TTL serial cable to the TX of the UEXT connector on the board.\n\n\nConnect the female TX pin of the USB-TTL serial cable to the RX of the UEXT connector on the board.\n\n\nConnect the GND pin of the USB-TTL serial cable to the GND of the UEXT connector on the board.\n\n\n\n\n\n\n\n\n\n\n\n\nLocate the serial connection established in the /dev directory of your computer. It should be of the type \ntty.usbserial-\nsome identifier\n.\n\n\n\n\n $ ls /dev/tty.usbserial-AJ03HAQQ\n /dev/tty.usbserial-AJ03HAQQ\n\n\n\n\n\n\n\n\n\nYou now have to define a connection profile using newtmgr. You can give it any name you want. The example below shows the connection profile being named as t he very imaginative \nolimex01\n.\n\n\n\n\n $ pwd\n /Users/\nuser\n/dev/project/slinky\n $ newtmgr conn add olimex01 type=serial connstring=/dev/tty.usbserial-AJ03HAQQ\n Connection profile olimex01 successfully added\n $ newtmgr conn show\n Connection profiles:\n sim1: type=serial, connstring=\n/dev/ttys007\n\n olimex01: type=serial, connstring=\n/dev/tty.usbserial-AJ03HAQQ\n\n\n\n\n\n\n\n\n\n\nNow go ahead and query the Olimex board to get responses back. The simplest command is the \necho\n command to ask it to respond with the text you send it.\n\n\n\n\n $ newtmgr echo -c olimex01 hello\n {\nr\n: \nhello\n}\n $ newtmgr image -c olimex01 list\n Images:\n 0 : 1.2.3\n $ newtmgr -c olimex01 taskstats\n Return Code = 0\n newtmgr (prio=4 tid=2 runtime=0 cswcnt=12 stksize=512 stkusage=255 last_checkin=0 next_checkin=0)\n task1 (prio=1 tid=3 runtime=0 cswcnt=299 stksize=128 stkusage=33 last_che ckin=0 next_checkin=0)\n task2 (prio=2 tid=4 runtime=0 cswcnt=300 stksize=128 stkusage=31 last_checkin=0 next_checkin=0)\n idle (prio=255 tid=0 runtime=299916 cswcnt=313 stksize=32 stkusage=18 last_checkin=0 next_checkin=0)\n shell (prio=3 tid=1 runtime=1 cswcnt=20 stksize=384 stkusage=60 last_checkin=0 next_checkin=0)", "title": "Slinky on STM32 board" }, { @@ -1487,7 +1487,7 @@ }, { "location": "/os/tutorials/project-target-slinky/#using-newtmgr-with-a-remote-target", - "text": "First make sure the USB A-B type cable is connected to the ARM-USB-TINY-H debugger connector on the Olimex board. Next go the to project directory and download the slinky project image to the flash of the Olimex board. $ newt load stm32_bootloader\n$ newt load stm32_slinky You can now disconnect the debugging cable from the board. You should see the green LED blinking. If not, try powercycling the board. Now you have to set up the serial connection from your computer to the Olimex board. Locate the PC6/USART6_TX (pin#3), PC7/USART6_RX (pin#4), and GND (pin#2) of the UEXT connector on the Olimex board. More information on the UEXT connector can be found at https://www.olimex.com/Products/Modules/UEXT/ . The schematic of the board can be found at https://www.olimex.com/Products/ARM/ST/STM32-E407/resources/STM32-E407_sch.pdf for reference. Connect the female RX pin of the USB-TTL serial cable to the TX of the UEXT connector on the board. Connect the female TX pin of the USB-TTL serial cable to the RX of the UEXT connector on the board. Connect the GND pin of the USB-TTL serial cable to the GND of the UEXT connector on the board. Locate the serial connection established in the /dev directory of your computer. It should be of the type tty.usbserial- some identifier . $ ls /dev/tty.usbserial-AJ03HAQQ\n /dev/tty.usbserial-AJ03HAQQ You now have to define a connection profile using newtmgr. You can give it any name you want. The example below shows the connection profile being named as the very imaginative olimex01 . $ pwd\n /Users/ user /dev/larva/project/slinky\n $ newtmgr conn add olimex01 type=serial connstring=/dev/tty.usbserial-AJ03HAQQ\n Connection profile olimex01 successfully added\n $ newtmgr conn show\n Connection profiles:\n sim1: type=serial, connstring= /dev/ttys007 \n olimex01: type=serial, connstring= /dev/tty.usbserial-AJ03HA QQ Now go ahead and query the Olimex board to get responses back. The simplest command is the echo command to ask it to respond with the text you send it. $ newtmgr echo -c olimex01 hello\n { r : hello }\n $ newtmgr image -c olimex01 list\n Images:\n 0 : 1.2.3\n $ newtmgr -c olimex01 taskstats\n Return Code = 0\n newtmgr (prio=4 tid=2 runtime=0 cswcnt=12 stksize=512 stkusage=255 last_checkin=0 next_checkin=0)\n task1 (prio=1 tid=3 runtime=0 cswcnt=299 stksize=128 stkusage=33 last_checkin=0 next_checkin=0)\n task2 (prio=2 tid=4 runtime=0 cswcnt=300 stksize=128 stkusage=31 last_checkin=0 next_checkin=0)\n idle (prio=255 tid=0 runtime=299916 cswcnt=313 stksize=32 stkusage=18 last_checkin=0 next_checkin=0)\n shell (prio=3 tid=1 runtime=1 cswcnt=20 stksize=384 stkusage=60 last_checkin=0 next_checkin=0)", + "text": "First make sure the USB A-B type cable is connected to the ARM-USB-TINY-H debugger connector on the Olimex board. Next go the to project directory and download the slinky project image to the flash of the Olimex board. $ newt load stm32_bootloader\n$ newt load stm32_slinky You can now disconnect the debugging cable from the board. You should see the green LED blinking. If not, try powercycling the board. Now you have to set up the serial connection from your computer to the Olimex board. Locate the PC6/USART6_TX (pin#3), PC7/USART6_RX (pin#4), and GND (pin#2) of the UEXT connector on the Olimex board. More information on the UEXT connector can be found at https://www.olimex.com/Products/Modules/UEXT/ . The schematic of the board can be found at https://www.olimex.com/Products/ARM/ST/STM32-E407/resources/STM32-E407_sch.pdf for reference. Connect the female RX pin of the USB-TTL serial cable to the TX of the UEXT connector on the board. Connect the female TX pin of the USB-TTL serial cable to the RX of the UEXT connector on the board. Connect the GND pin of the USB-TTL serial cable to the GND of the UEXT connector on the board. Locate the serial connection established in the /dev directory of your computer. It should be of the type tty.usbserial- some identifier . $ ls /dev/tty.usbserial-AJ03HAQQ\n /dev/tty.usbserial-AJ03HAQQ You now have to define a connection profile using newtmgr. You can give it any name you want. The example below shows the connection profile being named as the very imaginative olimex01 . $ pwd\n /Users/ user /dev/project/slinky\n $ newtmgr conn add olimex01 type=serial connstring=/dev/tty.usbserial-AJ03HAQQ\n Connection profile olimex01 successfully added\n $ newtmgr conn show\n Connection profiles:\n sim1: type=serial, connstring= /dev/ttys007 \n olimex01: type=serial, connstring= /dev/tty.usbserial-AJ03HAQQ Now go ahead and query the Olimex board to get responses back. The simplest command is the echo command to ask it to respond with the text you send it. $ newtmgr echo -c olimex01 hello\n { r : hello }\n $ newtmgr image -c olimex01 list\n Images:\n 0 : 1.2.3\n $ newtmgr -c olimex01 taskstats\n Return Code = 0\n newtmgr (prio=4 tid=2 runtime=0 cswcnt=12 stksize=512 stkusage=255 last_checkin=0 next_checkin=0)\n task1 (prio=1 tid=3 runtime=0 cswcnt=299 stksize=128 stkusage=33 last_checkin=0 next_checkin=0)\n task2 (prio=2 tid=4 runtime=0 cswcnt=300 stksize=128 stkusage=31 last_checkin=0 next_checkin=0)\n idle (prio=255 tid=0 runtime=299916 cswcnt=313 stksize=32 stkusage=18 last_checkin=0 next_checkin=0)\n shell (prio=3 tid=1 runtime=1 cswcnt=20 stksize=384 stkusage=60 last_checkin=0 next_checkin=0)", "title": "Using newtmgr with a remote target" }, { @@ -5102,7 +5102,7 @@ }, { "location": "/os/modules/shell/shell/", - "text": "Shell\n\n\nThe shell runs above the console and provides two functionalities:\n\n\n\n\nProcesses console input. \n\n\nImplements the \nnewtmgr\n line protocol over serial transport. \n\n\n\n\nThe \nsys/shell\n package implements the shell. The shell uses the OS default event queue \nfor shell events and runs in the context of the main task. An application can, optionally, \nspecify a dedicated event queue for the shell to use.\n\n\nDescription\n\n\n\n\n\n\nThe shell's first job is to direct incoming commands to other subsystems. It parses the incoming character string \ninto tokens and uses the first token to determine the subsystem command handler to call to process the command.\n\n\n\n\n\n\nSubsystems register their command handlers using the \nshell_cmd_register()\n \n function. When shell calls the command handler, it passes the other tokens as arguments.\n\n\n\n\n\n\nA few commands are currently available in the shell - \ntasks\n, \nlog\n, \necho\n, \nda te\n and \nprompt\n.\n\n\n\n\n\n\n\n\n\n\nThe shell's second job is to handle packet framing, encoding, and decoding of newtmgr protocol messages that are\nsent over the console. The Newtmgr serial transport package (\nmgmt/newtmgr/transport/newtmgr_shell\n) \ncalls the \nshell_nlip_input_register()\n function to register a handler that the shell calls when it \nreceives newtmgr request messages.\n\n\n\n\n\n\n\n\nCreate a sim target to check out these commands available in shell.\n\n\nuser@~/dev/larva$ newt target create blinky_sim\nCreating target blinky_sim\nTarget blinky_sim successfully created!\nuser@~/dev/larva$ newt target set blinky_sim name=blinky_sim\nTarget blinky_sim successfully set name to blinky_sim\nuser@~/dev/larva$ newt target set blinky_sim arch=sim\nTarget blinky_sim successfully set arch to sim\nuser@~/dev/larva$ newt target set blinky_sim project=blinky\nTarget blinky_sim successfully set project to blinky\nuser@~/dev/larva$ newt target set blinky_sim bsp=hw/b sp/native\nTarget blinky_sim successfully set bsp to hw/bsp/native\nuser@~/dev/larva$ newt target set blinky_sim compiler_def=debug\nTarget blinky_sim successfully set compiler_def to debug\nuser@~/dev/larva$ newt target set blinky_sim compiler=sim\nTarget blinky_sim successfully set compiler to sim\nuser@~/dev/larva$ newt target show\nblinky_sim\n arch: sim\n bsp: hw/bsp/native\n compiler: sim\n compiler_def: debug\n name: blinky_sim\n project: blinky\nuser@~/dev/larva$ newt target build blinky_sim\nBuilding target blinky_sim (project = blinky)\nCompiling case.c\nCompiling suite.c\nCompiling testutil.c\n..\n..\nBuilding project blinky\nLinking blinky.elf\nSuccessfully run!\n\nuser@~/dev/larva$ ./project/blinky/bin/blinky_sim/blinky.elf\nuart0 at /dev/ttys005\n\n\n\n\n\nOpen up a new terminal to run minicom, a text-based serial port control and terminal emulation program. Set device name to the serial port of the target. \n\n\nuser@~$ minicom -D /dev/ttys005\nWelco me to minicom 2.7\n\nOPTIONS: \nCompiled on Nov 24 2015, 16:14:21.\nPort /dev/ttys005, 11:32:17\n\nPress Meta-Z for help on special keys\n\nlog \n174578:[0] bla\n174578:[0] bab\n\ntasks\n217809:6 tasks: \n217809: shell (prio: 3, nw: 0, flags: 0x0, ssize: 0, cswcnt: 59, tot_run_time: 0ms)\n217840: idle (prio: 255, nw: 0, flags: 0x0, ssize: 0, cswcnt: 18763, tot_run_time: 217809ms)\n217878: uart_poller (prio: 0, nw: 217819, flags: 0x0, ssize: 0, cswcnt: 18667, tot_run_time: 0ms)\n217923: task1 (prio: 1, nw: 218710, flags: 0x0, ssize: 0, cswcnt: 218, tot_run_time: 0ms)\n217953: os_sanity (prio: 254, nw: 218710, flags: 0x0, ssize: 0, cswcnt: 218, tot_run_time: 0ms)\n218010: task2 (prio: 2, nw: 217709, flags: 0x3, ssize: 0, cswcnt: 218, tot_run_time: 0ms)\n\n\nprompt\nUsage: prompt [set|show] [prompt_char]\nprompt set \n\nPrompt set to: \n\n229370: \n\n\n\n\n\n\nData structures\n\n\nThis data structure is used in holding information about registered command handlers.\n\n\nstruct\n \nshell_cmd\n {\n \nchar\n \n*sc_cmd\n;\n \nshell_cmd_func_t\n \nsc_cmd_func\n;\n \nSTAILQ_ENTRY\n(\nshell_cmd\n) \nsc_next\n;\n};\n\n\n\n\n\n\n\n\n\n\n\nElement\n\n\nDescription\n\n\n\n\n\n\n\n\n\n\nsc_cmd\n\n\nCharacter string of the command\n\n\n\n\n\n\nsc_cmd_func\n\n\nPointer to the command handler\n\n\n\n\n\n\nsc_next\n\n\nBookkeeping linkage internal for shell\n\n\n\n\n\n\n\n\nList of Functions\n\n\n\n\nThe functions available in this OS feature are:\n\n\n\n\n\n\n\n\nFunction\n\n\nDescription\n\n\n\n\n\n\n\n\n\n\nshell_cmd_register\n\n\nRegisters a handler for incoming console commands.\n\n\n\n\n\n\nshell_nlip_input_register\n\n\nRegisters a handler for incoming newtmgr messages.\n\n\n\n\n\n\nshell_nlip_output\n\n\nQueue outgoing newtmgr message for transmission.\n\n\n\n\n\n\nshell_evq_set\n\n\nSpecifies a dedicated event queue for shell events.", + "text": "Shell\n\n\nThe shell runs above the console and provides two functionalities:\n\n\n\n\nProcesses console input. \n\n\nImplements the \nnewtmgr\n line protocol over serial transport. \n\n\n\n\nThe \nsys/shell\n package implements the shell. The shell uses the OS default event queue \nfor shell events and runs in the context of the main task. An application can, optionally, \nspecify a dedicated event queue for the shell to use.\n\n\nDescription\n\n\n\n\n\n\nThe shell's first job is to direct incoming commands to other subsystems. It parses the incoming character string \ninto tokens and uses the first token to determine the subsystem command handler to call to process the command.\n\n\n\n\n\n\nSubsystems register their command handlers using the \nshell_cmd_register()\n \n function. When shell calls the command handler, it passes the other tokens as arguments.\n\n\n\n\n\n\nA few commands are currently available in the shell - \ntasks\n, \nlog\n, \necho\n, \nda te\n and \nprompt\n.\n\n\n\n\n\n\n\n\n\n\nThe shell's second job is to handle packet framing, encoding, and decoding of newtmgr protocol messages that are\nsent over the console. The Newtmgr serial transport package (\nmgmt/newtmgr/transport/newtmgr_shell\n) \ncalls the \nshell_nlip_input_register()\n function to register a handler that the shell calls when it \nreceives newtmgr request messages.\n\n\n\n\n\n\n\n\nCreate a sim target to check out these commands available in shell.\n\n\nuser@~/dev$ newt target create blinky_sim\nCreating target blinky_sim\nTarget blinky_sim successfully created!\nuser@~/dev$ newt target set blinky_sim name=blinky_sim\nTarget blinky_sim successfully set name to blinky_sim\nuser@~/dev$ newt target set blinky_sim arch=sim\nTarget blinky_sim successfully set arch to sim\nuser@~/dev$ newt target set blinky_sim project=blinky\nTarget blinky_sim successfully set project to blinky\nuser@~/dev$ newt target set blinky_sim bsp=hw/bsp/native\nTarget blinky_sim s uccessfully set bsp to hw/bsp/native\nuser@~/dev$ newt target set blinky_sim compiler_def=debug\nTarget blinky_sim successfully set compiler_def to debug\nuser@~/dev$ newt target set blinky_sim compiler=sim\nTarget blinky_sim successfully set compiler to sim\nuser@~/dev$ newt target show\nblinky_sim\n arch: sim\n bsp: hw/bsp/native\n compiler: sim\n compiler_def: debug\n name: blinky_sim\n project: blinky\nuser@~/dev$ newt target build blinky_sim\nBuilding target blinky_sim (project = blinky)\nCompiling case.c\nCompiling suite.c\nCompiling testutil.c\n..\n..\nBuilding project blinky\nLinking blinky.elf\nSuccessfully run!\n\nuser@~/dev$ ./project/blinky/bin/blinky_sim/blinky.elf\nuart0 at /dev/ttys005\n\n\n\n\n\nOpen up a new terminal to run minicom, a text-based serial port control and terminal emulation program. Set device name to the serial port of the target. \n\n\nuser@~$ minicom -D /dev/ttys005\nWelcome to minicom 2.7\n\nOPTIONS: \nCompiled on Nov 24 2015, 16: 14:21.\nPort /dev/ttys005, 11:32:17\n\nPress Meta-Z for help on special keys\n\nlog \n174578:[0] bla\n174578:[0] bab\n\ntasks\n217809:6 tasks: \n217809: shell (prio: 3, nw: 0, flags: 0x0, ssize: 0, cswcnt: 59, tot_run_time: 0ms)\n217840: idle (prio: 255, nw: 0, flags: 0x0, ssize: 0, cswcnt: 18763, tot_run_time: 217809ms)\n217878: uart_poller (prio: 0, nw: 217819, flags: 0x0, ssize: 0, cswcnt: 18667, tot_run_time: 0ms)\n217923: task1 (prio: 1, nw: 218710, flags: 0x0, ssize: 0, cswcnt: 218, tot_run_time: 0ms)\n217953: os_sanity (prio: 254, nw: 218710, flags: 0x0, ssize: 0, cswcnt: 218, tot_run_time: 0ms)\n218010: task2 (prio: 2, nw: 217709, flags: 0x3, ssize: 0, cswcnt: 218, tot_run_time: 0ms)\n\n\nprompt\nUsage: prompt [set|show] [prompt_char]\nprompt set \n\nPrompt set to: \n\n229370: \n\n\n\n\n\n\nData structures\n\n\nThis data structure is used in holding information about registered command handlers.\n\n\nstruct\n \nshell_cmd\n {\n \nchar\n \n*sc_cmd\n;\n \nshell_cmd_ func_t\n \nsc_cmd_func\n;\n \nSTAILQ_ENTRY\n(\nshell_cmd\n) \nsc_next\n;\n};\n\n\n\n\n\n\n\n\n\n\n\nElement\n\n\nDescription\n\n\n\n\n\n\n\n\n\n\nsc_cmd\n\n\nCharacter string of the command\n\n\n\n\n\n\nsc_cmd_func\n\n\nPointer to the command handler\n\n\n\n\n\n\nsc_next\n\n\nBookkeeping linkage internal for shell\n\n\n\n\n\n\n\n\nList of Functions\n\n\n\n\nThe functions available in this OS feature are:\n\n\n\n\n\n\n\n\nFunction\n\n\nDescription\n\n\n\n\n\n\n\n\n\n\nshell_cmd_register\n\n\nRegisters a handler for incoming console commands.\n\n\n\n\n\n\nshell_nlip_input_register\n\n\nRegisters a handler for incoming newtmgr messages.\n\n\n\n\n\n\nshell_nlip_output\n\n\nQueue outgoing newtmgr message for transmission.\n\n\n\n\n\n\nshell_evq_set\n\n\nSpecifies a dedicated event queue for shell events.", "title": "toc" }, { @@ -5112,7 +5112,7 @@ }, { "location": "/os/modules/shell/shell/#description", - "text": "The shell's first job is to direct incoming commands to other subsystems. It parses the incoming character string \ninto tokens and uses the first token to determine the subsystem command handler to call to process the command. Subsystems register their command handlers using the shell_cmd_register() \n function. When shell calls the command handler, it passes the other tokens as arguments. A few commands are currently available in the shell - tasks , log , echo , date and prompt . The shell's second job is to handle packet framing, encoding, and decoding of newtmgr protocol messages that are\nsent over the console. The Newtmgr serial transport package ( mgmt/newtmgr/transport/newtmgr_shell ) \ncalls the shell_nlip_input_register() function to register a handler that the shell calls when it \nreceives newtmgr request messages. Create a sim target to check out these commands available in shell. user@~/dev/larva$ newt target create bli nky_sim\nCreating target blinky_sim\nTarget blinky_sim successfully created!\nuser@~/dev/larva$ newt target set blinky_sim name=blinky_sim\nTarget blinky_sim successfully set name to blinky_sim\nuser@~/dev/larva$ newt target set blinky_sim arch=sim\nTarget blinky_sim successfully set arch to sim\nuser@~/dev/larva$ newt target set blinky_sim project=blinky\nTarget blinky_sim successfully set project to blinky\nuser@~/dev/larva$ newt target set blinky_sim bsp=hw/bsp/native\nTarget blinky_sim successfully set bsp to hw/bsp/native\nuser@~/dev/larva$ newt target set blinky_sim compiler_def=debug\nTarget blinky_sim successfully set compiler_def to debug\nuser@~/dev/larva$ newt target set blinky_sim compiler=sim\nTarget blinky_sim successfully set compiler to sim\nuser@~/dev/larva$ newt target show\nblinky_sim\n arch: sim\n bsp: hw/bsp/native\n compiler: sim\n compiler_def: debug\n name: blinky_sim\n project: blinky\nuser@~/dev/larva$ newt target build blinky_sim\nBuildin g target blinky_sim (project = blinky)\nCompiling case.c\nCompiling suite.c\nCompiling testutil.c\n..\n..\nBuilding project blinky\nLinking blinky.elf\nSuccessfully run!\n\nuser@~/dev/larva$ ./project/blinky/bin/blinky_sim/blinky.elf\nuart0 at /dev/ttys005 Open up a new terminal to run minicom, a text-based serial port control and terminal emulation program. Set device name to the serial port of the target. user@~$ minicom -D /dev/ttys005\nWelcome to minicom 2.7\n\nOPTIONS: \nCompiled on Nov 24 2015, 16:14:21.\nPort /dev/ttys005, 11:32:17\n\nPress Meta-Z for help on special keys\n\nlog \n174578:[0] bla\n174578:[0] bab\n\ntasks\n217809:6 tasks: \n217809: shell (prio: 3, nw: 0, flags: 0x0, ssize: 0, cswcnt: 59, tot_run_time: 0ms)\n217840: idle (prio: 255, nw: 0, flags: 0x0, ssize: 0, cswcnt: 18763, tot_run_time: 217809ms)\n217878: uart_poller (prio: 0, nw: 217819, flags: 0x0, ssize: 0, cswcnt: 18667, tot_run_time: 0ms)\n217923: task1 (prio: 1, nw: 218710, flags: 0x0, ssize: 0, cswcnt: 218, tot_run_time: 0ms)\n217953: os_sanity (prio: 254, nw: 218710, flags: 0x0, ssize: 0, cswcnt: 218, tot_run_time: 0ms)\n218010: task2 (prio: 2, nw: 217709, flags: 0x3, ssize: 0, cswcnt: 218, tot_run_time: 0ms)\n\n\nprompt\nUsage: prompt [set|show] [prompt_char]\nprompt set \nPrompt set to: \n229370:", + "text": "The shell's first job is to direct incoming commands to other subsystems. It parses the incoming character string \ninto tokens and uses the first token to determine the subsystem command handler to call to process the command. Subsystems register their command handlers using the shell_cmd_register() \n function. When shell calls the command handler, it passes the other tokens as arguments. A few commands are currently available in the shell - tasks , log , echo , date and prompt . The shell's second job is to handle packet framing, encoding, and decoding of newtmgr protocol messages that are\nsent over the console. The Newtmgr serial transport package ( mgmt/newtmgr/transport/newtmgr_shell ) \ncalls the shell_nlip_input_register() function to register a handler that the shell calls when it \nreceives newtmgr request messages. Create a sim target to check out these commands available in shell. user@~/dev$ newt target create blinky_si m\nCreating target blinky_sim\nTarget blinky_sim successfully created!\nuser@~/dev$ newt target set blinky_sim name=blinky_sim\nTarget blinky_sim successfully set name to blinky_sim\nuser@~/dev$ newt target set blinky_sim arch=sim\nTarget blinky_sim successfully set arch to sim\nuser@~/dev$ newt target set blinky_sim project=blinky\nTarget blinky_sim successfully set project to blinky\nuser@~/dev$ newt target set blinky_sim bsp=hw/bsp/native\nTarget blinky_sim successfully set bsp to hw/bsp/native\nuser@~/dev$ newt target set blinky_sim compiler_def=debug\nTarget blinky_sim successfully set compiler_def to debug\nuser@~/dev$ newt target set blinky_sim compiler=sim\nTarget blinky_sim successfully set compiler to sim\nuser@~/dev$ newt target show\nblinky_sim\n arch: sim\n bsp: hw/bsp/native\n compiler: sim\n compiler_def: debug\n name: blinky_sim\n project: blinky\nuser@~/dev$ newt target build blinky_sim\nBuilding target blinky_sim (project = blinky)\nCompiling case .c\nCompiling suite.c\nCompiling testutil.c\n..\n..\nBuilding project blinky\nLinking blinky.elf\nSuccessfully run!\n\nuser@~/dev$ ./project/blinky/bin/blinky_sim/blinky.elf\nuart0 at /dev/ttys005 Open up a new terminal to run minicom, a text-based serial port control and terminal emulation program. Set device name to the serial port of the target. user@~$ minicom -D /dev/ttys005\nWelcome to minicom 2.7\n\nOPTIONS: \nCompiled on Nov 24 2015, 16:14:21.\nPort /dev/ttys005, 11:32:17\n\nPress Meta-Z for help on special keys\n\nlog \n174578:[0] bla\n174578:[0] bab\n\ntasks\n217809:6 tasks: \n217809: shell (prio: 3, nw: 0, flags: 0x0, ssize: 0, cswcnt: 59, tot_run_time: 0ms)\n217840: idle (prio: 255, nw: 0, flags: 0x0, ssize: 0, cswcnt: 18763, tot_run_time: 217809ms)\n217878: uart_poller (prio: 0, nw: 217819, flags: 0x0, ssize: 0, cswcnt: 18667, tot_run_time: 0ms)\n217923: task1 (prio: 1, nw: 218710, flags: 0x0, ssize: 0, cswcnt: 218, tot_run_time: 0ms)\n217953: os_sanity (prio: 2 54, nw: 218710, flags: 0x0, ssize: 0, cswcnt: 218, tot_run_time: 0ms)\n218010: task2 (prio: 2, nw: 217709, flags: 0x3, ssize: 0, cswcnt: 218, tot_run_time: 0ms)\n\n\nprompt\nUsage: prompt [set|show] [prompt_char]\nprompt set \nPrompt set to: \n229370:", "title": "Description" }, { @@ -5322,7 +5322,7 @@ }, { "location": "/os/modules/bootloader/bootloader/", - "text": "Bootloader\n\n\nThe \"bootloader\" is the code that loads the Mynewt OS image into memory and conducts some checks before allowing the OS to be run. It manages images for the embedded system and upgrades of those images using protocols over various interfaces (e.g. serial, BLE etc.). Typically, systems with bootloaders have at least two program images coexisting on the same microcontroller, and hence must include branch code that performs a check to see if an attempt to update software is already underway and manage the progress of the process.\n\n\nThe bootloader in the Apache Mynewt project verifies the cryptographic signature of the firmware image before running it. It maintains a detailed status log for each stage of the boot process. For verification of the authenticity of the OS image, it:\n\n\n\n\nCalculates hash of the image.\n\n\nUses public key to uncover hash value from included signature. \n\n\nCompares the calculated and uncovered hashes for a match .\n\n\n\n\nThe \"secure bootloader\" should be placed in protected memory on a given microcontroller.\n\n\nThe Mynewt bootloader comprises two packages:\n\n\n\n\nThe bootutil library (boot/bootutil)\n\n\nThe boot application (apps/boot)\n\n\n\n\nThe Mynewt code is thus structured so that the generic bootutil library performs most of the functions of a boot loader. The final step of actually jumping to the main image is kept out of the bootutil library. This last step should instead be implemented in an\narchitecture-specific project. Boot loader functionality is separated in this\nmanner for the following two reasons:\n\n\n\n\nBy keeping architecture-dependent code separate, the bootutil library can be\n reused among several boot loaders.\n\n\nBy excluding the last boot step from the library, the bootloader can be unit tested since a library can be unit tested but an applicant can't.\n\n\n\n\nLimitations\n\n\nThe boot loader currently only supports images with the following\ncha racteristics:\n\n\n\n\nBuilt to run from flash.\n\n\nBuild to run from a fixed location (i.e., position-independent).\n\n\n\n\nImage Format\n\n\nThe following definitions describe the image header format.\n\n\n#define IMAGE_MAGIC 0x96f3b83c\n\n\n#define IMAGE_MAGIC_NONE 0xffffffff\n\n\n\nstruct\n \nimage_version\n {\n \nuint8_t\n \niv_major\n;\n \nuint8_t\n \niv_minor\n;\n \nuint16_t\n \niv_revision\n;\n \nuint32_t\n \niv_build_num\n;\n};\n\n\n/** Image header. All fields are in little endian byte order. */\n\n\nstruct\n \nimage_header\n {\n \nuint32_t\n \nih_magic\n;\n \nuint16_t\n \nih_tlv_size\n; \n/* Trailing TLVs */\n\n \nuint8_t\n \nih_key_id\n;\n \nuint8_t\n \n_pad1\n;\n \nuint16_t\n \nih_hdr_s\n \nbok@bok\n.\nnet\n\n\n35\nd33\n\n\n \nericmanganaro@gmail\n.\ncom\n\n\n42\nd39\n\n\n \ntam@proxy\n.\nco\n\n\n55\nd51\n\n\n \nnathan@natb1\n.\ncom\n\n\n110\nd105\n\n\n \nrvs@apache\n.\norgize\n;\n \nuint16_t\n \n_pad2\n;\n \nuint32_t\n \nih_img_size\n; \n/* Does not include header. */\n\n \nuint32_t\n \nih_flags\n;\n \nstruct\n \nimage_version\n \nih_ver\n;\n \nuint32_t\n \n_pad3\n;\n};\n\n\n\n\n\nThe \nih_hdr_size\n field indicates the length of the header, and therefore the\noffset of the image itself. This field provides for backwards compatibility in\ncase of changes to the format of the image header.\n\n\nThe following are the image header flags available.\n\n\n#define IMAGE_F_PIC 0x00000001\n\n\n#define IMAGE_F_SHA256 0x00000002 \n/* Image contains hash TLV */\n\n\n#define IMAGE_F_PKCS15_RSA2048_SHA256 0x00000004 \n/* PKCS15 w/RSA and SHA */\n\n\n#define IMAGE_F_ECDSA224_SHA256 0x00000008 \n/* ECDSA256 over SHA256 */\n\n\n#define IMAGE_F_NON_BOOTABLE 0x00000010\n\n\n#define IMAGE_HEADER_SIZE 32\n\n\n\n\n\n\nOptional type-length-value records (TLVs) containing image metadata are placed\nafter the end of the image. For examp le, security data gets added as a footer at the end of the image.\n\n\n/** Image trailer TLV format. All fields in little endian. */\n\n\nstruct\n \nimage_tlv\n {\n \nuint8_t\n \nit_type\n; \n/* IMAGE_TLV_[...]. */\n\n \nuint8_t\n \n_pad\n;\n \nuint16_t\n \nit_len\n \n/* Data length (not including TLV header). */\n\n};\n\n\n/*\n\n\n * Image trailer TLV types.\n\n\n */\n\n\n#define IMAGE_TLV_SHA256 1 \n/* SHA256 of image hdr and body */\n\n\n#define IMAGE_TLV_RSA2048 2 \n/* RSA2048 of hash output */\n\n\n#define IMAGE_TLV_ECDSA224 3 \n/* ECDSA of hash output */\n\n\n\n\n\n\nFlash Map\n\n\nA Mynewt device's flash is partitioned according to its \nflash map\n. At a high\nlevel, the flash map maps numeric IDs to \nflash areas\n. A flash area is a\nregion of disk with the following properties:\n\n\n1. An area can be fully erased without affecting any other areas.\n2. A write to one area does not restrict writes to other areas.\n\n\n\ n\n\nThe boot loader uses the following flash areas:\n\n\n#define FLASH_AREA_BOOTLOADER 0\n\n\n#define FLASH_AREA_IMAGE_0 1\n\n\n#define FLASH_AREA_IMAGE_1 2\n\n\n#define FLASH_AREA_IMAGE_SCRATCH 3\n\n\n\n\n\n\nImage Slots\n\n\nA portion of the flash memory is partitioned into two image slots: a primary\nslot and a secondary slot. The boot loader will only run an image from the\nprimary slot, so images must be built such that they can run from that fixed\nlocation in flash. If the boot loader needs to run the image resident in the\nsecondary slot, it must swap the two images in flash prior to booting.\n\n\nIn addition to the two image slots, the boot loader requires a scratch area to\nallow for reliable image swapping.\n\n\nBoot States\n\n\nLogically, you can think of a pair of flags associated with each image slot:\npending and confirmed. On startup, the boot loader determines the state of the\ndevice by inspecting each pair of flags. These flags have the following\nmeanings:\n\n\n\n\npending: image gets tested on next reboot; absent subsequent confirm command,\n revert to original image on second reboot.\n\n\nconfirmed: always use image unless excluded by a test image.\n\n\n\n\nIn English, when the user wants to run the secondary image, they set the\npending flag for the second slot and reboot the device. On startup, the boot\nloader will swap the two images in flash, clear the secondary slot's pending\nflag, and run the newly-copied image in slot 0. This is a temporary state; if\nthe device reboots again, the boot loader swaps the images back to their\noriginal slots and boots into the original image. If the user doesn't want to\nrevert to the original state, they can make the current state permanent by\nsetting the confirmed flag in slot 0.\n\n\nSwitching to an alternate image is a two-step process (set + confirm) to\nprevent a device from becoming \"bricked\" b y bad firmware. If the device\ncrashes immediately upon booting the second image, the boot loader reverts to\nthe working image, rather than repeatedly rebooting into the bad image.\n\n\nThe following set of tables illustrate the three possible states that the\ndevice can be in:\n\n\n | slot-0 | slot-1 |\n---------------+--------+--------|\n pending | | |\n confirmed | X | |\n---------------+--------+--------\n\nImage 0 confirmed; |\nNo change on reboot |\n---------------------------------\n\n\n | slot-0 | slot-1 |\n---------------+--------+--------|\n pending | | X |\n confirmed | X | |\n---------------+--------+--------\n\nImage 0 confirmed; |\nTest image 1 on next reboot |\n---------------------------------\n\n\n | slot-0 | slot-1 |\n---------------+--------+--------|\n pending | | |\n confirmed | | X |\n---------------+--------+--------\n\nTesting image 0; |\nRevert to image 1 on next reboot |\n---------------------------------\n\n\n\n\n\n\nBoot Vector\n\n\nAt startup, the boot loader determines which of the above three boot states a device is in by inspecting the boot vector. The boot vector consists of two\nrecords (called \"image trailers\"), one written at the end of each image slot.\nAn image trailer has the following structure:\n\n\n 0 1 2 3\n 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n~ MAGIC (16 octets) ~\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n~ ~\n~ Swap status (128 * min-write-size * 3) ~\n~ ~\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n| Copy done | 0xff padding (up to min-write-sz - 1) ~\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n| Image OK | 0xff padding (up to min-write-sz - 1) ~\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n\n\n\n\n\nThese records are at the end of each image slot. The offset immediately\nfollowing such a record represents the start of the next flash area.\n\n\nNote: \"min-write-size\" is a property of the flash hardware. If the hardware\nallows individual bytes to be written at arbitrary addresses, then\nmin-write-size is 1. If the hardware only allows writes at even addresses,\nthen min-write-size is 2, and so on.\n\n\nThe fields are defined as follows:\n\n\n\n\n\n\nMAGIC: The following 16 bytes, written in host-byte-order:\n\n\nconst uint32_t boot_img_magic[4] = {\n 0xf395c277,\n 0x7fefd260,\n 0x0f505235,\n 0x8079b62c,\n};\n\n \n\n\n\n\nSwap status: A series of single-byte records. Each record corresponds to a\nflash sector in an image slot. A swap status byte indicate the location of\nthe corresponding sector data. During an image swap, image data is moved one\nsector at a time. The swap status is necessary for resuming a swap operation\nif the device rebooted before a swap operation completed.\n\n\n\n\n\n\nCopy done: A single byte indicating whether the image in this slot is\ncomplete (0x01=d\n [email protected]\n35d33\n\n [email protected]\n42d39\n\n [email protected]\n55d51\n\n [email protected]\n110d105\n\n [email protected]; 0xff=not done).\n\n\n\n\n\n\nImage OK: A single byte indicating whether the image in this slot has been\nconfirmed as good by the user (0x01=confirmed; 0xff=not confirmed).\n\n\n\n\n\n\nThe boot vector records are structured around the limitations imposed by flash\nhardware. As a consequence, they do not have a very intuitive design, and it\nis difficult to get a sense of the sta te of the device just by looking at the\nboot vector. It is better to map all the possible vector states to the swap types (None, Test, Revert)\nvia a set of tables. These tables are reproduced below.\nIn these tables, the \"pending\" and \"confirmed\" flags are shown for illustrative\npurposes; they are not actually present in the boot vector.\n\n\nState I\n | slot-0 | slot-1 |\n-----------------+--------+--------|\n magic | Unset | Unset |\n image-ok | Any | N/A |\n-----------------+--------+--------\n\n pending | | |\n confirmed | X | |\n-----------------+--------+--------\n\n swap: none |\n-----------------------------------\n\n\n\nState II\n | slot-0 | slot-1 |\n-----------------+--------+--------|\n magic | Any | Good |\n image-ok | Any | N/A |\n-----------------+--------+--------\n\n pending | | X |\n co nfirmed | X | |\n-----------------+--------+--------\n\n swap: test |\n-----------------------------------\n\n\n\nState III\n | slot-0 | slot-1 |\n-----------------+--------+--------|\n magic | Good | Unset |\n image-ok | 0xff | N/A |\n-----------------+--------+--------\n\n pending | | |\n confirmed | | X |\n-----------------+--------+--------\n\n swap: revert (test image running) |\n-----------------------------------\n\n\n\nState IV\n | slot-0 | slot-1 |\n-----------------+--------+--------|\n magic | Good | Unset |\n image-ok | 0x01 | N/A |\n-----------------+--------+--------\n\n pending | | |\n confirmed | X | |\n-----------------+--------+--------\n\n swap: none (confirmed test image) |\n-----------------------------------\n\n\n\n\n\n\nHigh-level Operation\n\n\nWith the terms defin ed, we can now explore the boot loader's operation. First,\na high-level overview of the boot process is presented. Then, the following\nsections describe each step of the process in more detail.\n\n\nProcedure:\n\n\nA. Inspect swap status region; is an interrupted swap is being resumed?\n Yes: Complete the partial swap operation; skip to step C.\n No: Proceed to step B.\n\n\nB. Insect boot vector; is a swap requested?\n Yes.\n 1. Is the requested image valid (integrity and security check)?\n Yes.\n a. Perform swap operation.\n b. Persist completion of swap procedure to boot vector.\n c. Proceed to step C.\n No.\n a. Erase invalid image.\n b. Persist failure of swap procedure to boot vector.\n c. Proceed to step C.\n No: Proceed to step C.\n\n\nC. Boot into image in slot 0.\n\n\nImage Swapping\n\n\nThe boot loader swaps the contents of the two image sl ots for two reasons:\n * User has issued an \"image test\" operation; the image in slot-1 should be\n run once (state II).\n * Test image rebooted without being confirmed; the boot loader should\n revert to the original image currently in slot-1 (state III).\n\n\nIf the boot vector indicates that the image in the secondary slot should be\nrun, the boot loader needs to copy it to the primary slot. The image currently\nin the primary slot also needs to be retained in flash so that it can be used\nlater. Furthermore, both images need to be recoverable if the boot loader\nresets in the middle of the swap operation. The two images are swapped\naccording to the following procedure:\n\n\n1. Determine how many flash sectors each image slot consists of. This\n number must be the same for both slots.\n2. Iterate the list of sector indices in descending order (i.e., starting\n with the greatest index); current element = \nindex\n.\n b. Erase scratch area.\n c. Cop y slot0[index] to scratch area.\n d. Write updated swap status (i).\n\n e. Erase slot1[index]\n f. Copy slot0[index] to slot1[index]\n - If these are the last sectors (i.e., first swap being perfomed),\n copy the full sector *except* the image trailer.\n - Else, copy entire sector contents.\n g. Write updated swap status (ii).\n\n h. Erase slot0[index].\n i. Copy scratch area slot0[index].\n j. Write updated swap status (iii).\n\n3. Persist completion of swap procedure to slot 0 image trailer.\n\n\n\n\n\nThe additional caveats in step 2f are necessary so that the slot 1 image trailer\ncan be written by the user at a later time. With the image trailer unwritten,\nthe user can test the image in slot 1 (i.e., transition to state II).\n\n\nThe particulars of step 3 vary depending on whether an image is being tested or\nreverted:\n * test:\n o Write slot0.copy_done = 1\n (should now be in state III)\n\n\n* revert:\n o Write slot0.magic = BOOT_MAGIC\n o Write slot0.copy_done = 1\n o Write slot0.image_ok = 1\n (should now be in state IV)\n\n\n\n\n\nSwap Status\n\n\nThe swap status region allows the boot loader to recover in case it restarts in\nthe middle of an image swap operation. The swap status region consists of a\nseries of single-byte records. These records are written independently, and\ntherefore must be padded according to the minimum write size imposed by the\nflash hardware. In the below figure, a min-write-size of 1 is assumed for\nsimplicity. The structure of the swap status region is illustrated below. In\nthis figure, a min-write-size of 1 is assumed for simplicity.\n\n\n 0 1 2 3\n 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n|sec127,state 0 |sec127,state 1 |sec127,state 2 |sec126,state 0 |\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- +-+-+-+-+-+-+-+-+-+-+\n|sec126,state 1 |sec126,state 2 |sec125,state 0 |sec125,state 1 |\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n|sec125,state 2 | |\n+-+-+-+-+-+-+-+-+ +\n~ ~\n~ [Records for indices 124 through 1 ~\n~ ~\n~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n~ |sec000,state 0 |sec000,state 1 |sec000,state 2 |\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n\n\n\n\n\nAnd now, in English...\n\n\nEach image slot is partitioned into a sequence of flash sectors. If we were to\nenumerate the sectors in a single slot, starting at 0, we would have a list of\nsector indices. Since there are two image slots, each sector index would\ncorrespond to a pair of sector s. For example, sector index 0 corresponds to\nthe first sector in slot 0 and the first sector in slot 1. Furthermore, we\nimpose a limit of 128 indices. If an image slot consists of more than 128\nsectors, the flash layout is not compatible with this boot loader. Finally,\nreverse the list of indices such that the list starts with index 127 and ends\nwith 0. The swap status region is a representation of this reversed list.\n\n\nDuring a swap operation, each sector index transitions through four separate\nstates:\n 0. slot 0: image 0, slot 1: image 1, scratch: N/A\n 1. slot 0: image 0, slot 1: N/A, scratch: image 1 (1-\ns, erase 1)\n 2. slot 0: N/A, slot 1: image 0, scratch: image 1 (0-\n1, erase 0)\n 3. slot 0: image 1, slot 1: image 0, scratch: N/A (s-\n0)\n\n\nEach time a sector index transitions to a new state, the boot loader writes a\nrecord to the swap status region. Logically, the boot loader only needs one\nrecord per sector ind ex to keep track of the current swap state. However, due\nto limitations imposed by flash hardware, a record cannot be overwritten when\nan index's state changes. To solve this problem, the boot loader uses three\nrecords per sector index rather than just one.\n\n\nEach sector-state pair is represented as a set of three records. The record\nvalues map to the above four states as follows\n\n\n | rec0 | rec1 | rec2\n--------+------+------+------\nstate 0 | 0xff | 0xff | 0xff\nstate 1 | 0x01 | 0xff | 0xff\nstate 2 | 0x01 | 0x02 | 0xff\nstate 3 | 0x01 | 0x02 | 0x03\n\n\n\n\n\nThe swap status region can accommodate 128 sector indices. Hence, the size of\nthe region, in bytes, is 128 * min-write-size * 3. The number 128 is chosen\nsomewhat arbitrarily and will likely be made configurable. The only\nrequirement for the index count is that is is great enough to account for a\nmaximum-sized image (i.e., at least as great as the total sector count in an\nimage slot). If a device 's image slots use less than 128 sectors, the first\nrecord that gets written will be somewhere in the middle of the region. For\nexample, if a slot uses 64 sectors, the first sector index that gets swapped is\n63, which corresponds to the exact halfway point within the region.\n\n\nReset Recovery\n\n\nIf the boot loader resets in the middle of a swap operation, the two images may\nbe discontiguous in flash. Bootutil recovers from this condition by using the\nboot vector to determine how the image parts are distributed in flash.\n\n\nThe first step is determine where the relevant swap status region is located.\nBecause this region is embedded within the image slots, its location in flash\nchanges during a swap operation. The below set of tables map boot vector\ncontents to swap status location. In these tables, the \"source\" field\nindicates where the swap status region is located.\n\n\n | slot-0 | scratch |\n----------+------------+------------|\n magic | Go od | Any |\ncopy-done | 0x01 | N/A |\n----------+------------+------------\n\nsource: none |\n------------------------------------\n\n\n | slot-0 | scratch |\n----------+------------+------------|\n magic | Good | Any |\ncopy-done | 0xff | N/A |\n----------+------------+------------\n\nsource: slot 0 |\n------------------------------------\n\n\n | slot-0 | scratch |\n----------+------------+------------|\n magic | Any | Good |\ncopy-done | Any | N/A |\n----------+------------+------------\n\nsource: scratch |\n------------------------------------\n\n\n | slot-0 | scratch |\n----------+------------+------------|\n magic | Unset | Any |\ncopy-done | 0xff | N/A |\n----------+------------+------------|\nsource: varies |\n------------------------ ------------+------------------------------+\nThis represents one of two cases: |\no No swaps ever (no status to read, so no harm in checking). |\no Mid-revert; status in slot 0. |\n-------------------------------------------------------------------\n\n\n\n\n\n\nIf the swap status region indicates that the images are not contiguous,\nbootutil completes the swap operation that was in progress when the system was\nreset. In other words, it applies the procedure defined in the previous\nsection, moving image 1 into slot 0 and image 0 into slot 1. If the boot\nstatus file indicates that an image part is present in the scratch area, this\npart is copied into the correct location by starting at step e or step h in the\narea-swap procedure, depending on whether the part belongs to image 0 or image\n1.\n\n\nAfter the swap operation has been completed, the boot loader proceeds as though\nit had just been started.\n\n \nIntegrity Check\n\n\nAn image is checked for integrity immediately before it gets copied into the\nprimary slot. If the boot loader doesn't perform an image swap, then it\ndoesn't perform an integrity check.\n\n\nDuring the integrity check, the boot loader verifies the following aspects of\nan image:\n * 32-bit magic number must be correct (0x96f3b83c).\n * Image must contain a SHA256 TLV.\n * Calculated SHA256 must matche SHA256 TLV contents.\n * Image \nmay\n contain a signature TLV. If it does, its contents must be\n verifiable using a key embedded in the boot loader.\n\n\nImage Signing and Verification\n\n\nAs indicated above, the final step of the integrity check is signature\nverification. The boot loader can have one or more public keys embedded in it\nat build time. During signature verification, the boot loader verifies that an\nimage was signed with a private key that corresponds to one of its public keys.\nThe image signature TLV indicates the index of the key that is has been signed\nwith. The boot loader uses this index to identify the corresponding public\nkey.\n\n\nFor information on embedding public keys in the boot loader, as well as\nproducing signed images, see: boot/bootutil/signed_images.md", + "text": "Bootloader\n\n\nThe \"bootloader\" is the code that loads the Mynewt OS image into memory and conducts some checks before allowing the OS to be run. It manages images for the embedded system and upgrades of those images using protocols over various interfaces (e.g. serial, BLE etc.). Typically, systems with bootloaders have at least two program images coexisting on the same microcontroller, and hence must include branch code that performs a check to see if an attempt to update software is already underway and manage the progress of the process.\n\n\nThe bootloader in the Apache Mynewt project verifies the cryptographic signature of the firmware image before running it. It maintains a detailed status log for each stage of the boot process. For verification of the authenticity of the OS image, it:\n\n\n\n\nCalculates hash of the image.\n\n\nUses public key to uncover hash value from included signature. \n\n\nCompares the calculated and uncovered hashes for a match .\n\n\n\n\nThe \"secure bootloader\" should be placed in protected memory on a given microcontroller.\n\n\nThe Mynewt bootloader comprises two packages:\n\n\n\n\nThe bootutil library (boot/bootutil)\n\n\nThe boot application (apps/boot)\n\n\n\n\nThe Mynewt code is thus structured so that the generic bootutil library performs most of the functions of a boot loader. The final step of actually jumping to the main image is kept out of the bootutil library. This last step should instead be implemented in an\narchitecture-specific project. Boot loader functionality is separated in this\nmanner for the following two reasons:\n\n\n\n\nBy keeping architecture-dependent code separate, the bootutil library can be\n reused among several boot loaders.\n\n\nBy excluding the last boot step from the library, the bootloader can be unit tested since a library can be unit tested but an applicant can't.\n\n\n\n\nLimitations\n\n\nThe boot loader currently only supports images with the following\ncha racteristics:\n\n\n\n\nBuilt to run from flash.\n\n\nBuild to run from a fixed location (i.e., position-independent).\n\n\n\n\nImage Format\n\n\nThe following definitions describe the image header format.\n\n\n#define IMAGE_MAGIC 0x96f3b83c\n\n\n#define IMAGE_MAGIC_NONE 0xffffffff\n\n\n\nstruct\n \nimage_version\n {\n \nuint8_t\n \niv_major\n;\n \nuint8_t\n \niv_minor\n;\n \nuint16_t\n \niv_revision\n;\n \nuint32_t\n \niv_build_num\n;\n};\n\n\n/** Image header. All fields are in little endian byte order. */\n\n\nstruct\n \nimage_header\n {\n \nuint32_t\n \nih_magic\n;\n \nuint16_t\n \nih_tlv_size\n; \n/* Trailing TLVs */\n\n \nuint8_t\n \nih_key_id\n;\n \nuint8_t\n \n_pad1\n;\n \nuint16_t\n \nih_hdr_s\n \nbok@bok\n.\nnet\n\n \nuint16_t\n \n_pad2\n;\n \nuint32_t\n \nih_img_size\n; \n/* Does not include header. */\n\n \nuint32_t\n \nih_flags\n;\n \nstruct\n \nimage_version\n \nih_ver\n;\n \nuint32_t\n \n_pad3\n;\n };\n\n\n\n\n\nThe \nih_hdr_size\n field indicates the length of the header, and therefore the\noffset of the image itself. This field provides for backwards compatibility in\ncase of changes to the format of the image header.\n\n\nThe following are the image header flags available.\n\n\n#define IMAGE_F_PIC 0x00000001\n\n\n#define IMAGE_F_SHA256 0x00000002 \n/* Image contains hash TLV */\n\n\n#define IMAGE_F_PKCS15_RSA2048_SHA256 0x00000004 \n/* PKCS15 w/RSA and SHA */\n\n\n#define IMAGE_F_ECDSA224_SHA256 0x00000008 \n/* ECDSA256 over SHA256 */\n\n\n#define IMAGE_F_NON_BOOTABLE 0x00000010\n\n\n#define IMAGE_HEADER_SIZE 32\n\n\n\n\n\n\nOptional type-length-value records (TLVs) containing image metadata are placed\nafter the end of the image. For example, security data gets added as a footer at the end of the image.\n\n\n/** Image trailer TLV format. All fields in little endian. */\n\n\nstruct\n \nimage_tlv\n {\n \nuint8 _t\n \nit_type\n; \n/* IMAGE_TLV_[...]. */\n\n \nuint8_t\n \n_pad\n;\n \nuint16_t\n \nit_len\n \n/* Data length (not including TLV header). */\n\n};\n\n\n/*\n\n\n * Image trailer TLV types.\n\n\n */\n\n\n#define IMAGE_TLV_SHA256 1 \n/* SHA256 of image hdr and body */\n\n\n#define IMAGE_TLV_RSA2048 2 \n/* RSA2048 of hash output */\n\n\n#define IMAGE_TLV_ECDSA224 3 \n/* ECDSA of hash output */\n\n\n\n\n\n\nFlash Map\n\n\nA Mynewt device's flash is partitioned according to its \nflash map\n. At a high\nlevel, the flash map maps numeric IDs to \nflash areas\n. A flash area is a\nregion of disk with the following properties:\n\n\n1. An area can be fully erased without affecting any other areas.\n2. A write to one area does not restrict writes to other areas.\n\n\n\n\n\nThe boot loader uses the following flash areas:\n\n\n#define FLASH_AREA_BOOTLOADER 0\n\n\n#define FLASH_AREA_IMAGE_0 1\n\n\n#defi ne FLASH_AREA_IMAGE_1 2\n\n\n#define FLASH_AREA_IMAGE_SCRATCH 3\n\n\n\n\n\n\nImage Slots\n\n\nA portion of the flash memory is partitioned into two image slots: a primary\nslot and a secondary slot. The boot loader will only run an image from the\nprimary slot, so images must be built such that they can run from that fixed\nlocation in flash. If the boot loader needs to run the image resident in the\nsecondary slot, it must swap the two images in flash prior to booting.\n\n\nIn addition to the two image slots, the boot loader requires a scratch area to\nallow for reliable image swapping.\n\n\nBoot States\n\n\nLogically, you can think of a pair of flags associated with each image slot:\npending and confirmed. On startup, the boot loader determines the state of the\ndevice by inspecting each pair of flags. These flags have the following\nmeanings:\n\n\n\n\npending: image gets tested on next reboot; absent subsequent confirm command,\n revert to original image on second reboot.\n\n\nconfirmed: always use image unless excluded by a test image.\n\n\n\n\nIn English, when the user wants to run the secondary image, they set the\npending flag for the second slot and reboot the device. On startup, the boot\nloader will swap the two images in flash, clear the secondary slot's pending\nflag, and run the newly-copied image in slot 0. This is a temporary state; if\nthe device reboots again, the boot loader swaps the images back to their\noriginal slots and boots into the original image. If the user doesn't want to\nrevert to the original state, they can make the current state permanent by\nsetting the confirmed flag in slot 0.\n\n\nSwitching to an alternate image is a two-step process (set + confirm) to\nprevent a device from becoming \"bricked\" by bad firmware. If the device\ncrashes immediately upon booting the second image, the boot loader reverts to\nthe working image, rather than repeatedly rebooting into the bad image.\n\n\nThe following set of tables illustrate the three possible states that the\ndevice can be in:\n\n\n | slot-0 | slot-1 |\n---------------+--------+--------|\n pending | | |\n confirmed | X | |\n---------------+--------+--------\n\nImage 0 confirmed; |\nNo change on reboot |\n---------------------------------\n\n\n | slot-0 | slot-1 |\n---------------+--------+--------|\n pending | | X |\n confirmed | X | |\n---------------+--------+--------\n\nImage 0 confirmed; |\nTest image 1 on next reboot |\n---------------------------------\n\n\n | slot-0 | slot-1 |\n---------------+--------+--------|\n pending | | |\n confirmed | | X |\n---------------+--------+--------\n\nTesting image 0; |\nRevert to image 1 on next reboot |\n---------------------------------\n\n\n\n\n\n\nBo ot Vector\n\n\nAt startup, the boot loader determines which of the above three boot states a device is in by inspecting the boot vector. The boot vector consists of two\nrecords (called \"image trailers\"), one written at the end of each image slot.\nAn image trailer has the following structure:\n\n\n 0 1 2 3\n 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n~ MAGIC (16 octets) ~\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n~ ~\n~ Swap status (128 * min-write-size * 3) ~\n~ ~\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n| Copy done | 0xff padding (up to min-write-sz - 1) ~\n+-+-+-+-+-+-+-+-+-+-+-+-+-+- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n| Image OK | 0xff padding (up to min-write-sz - 1) ~\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n\n\n\n\n\nThese records are at the end of each image slot. The offset immediately\nfollowing such a record represents the start of the next flash area.\n\n\nNote: \"min-write-size\" is a property of the flash hardware. If the hardware\nallows individual bytes to be written at arbitrary addresses, then\nmin-write-size is 1. If the hardware only allows writes at even addresses,\nthen min-write-size is 2, and so on.\n\n\nThe fields are defined as follows:\n\n\n\n\n\n\nMAGIC: The following 16 bytes, written in host-byte-order:\n\n\nconst uint32_t boot_img_magic[4] = {\n 0xf395c277,\n 0x7fefd260,\n 0x0f505235,\n 0x8079b62c,\n};\n\n\n\n\n\n\nSwap status: A series of single-byte records. Each record corresponds to a\nflash sector in an image slot. A swap status byte indicate the location of\nthe corresp onding sector data. During an image swap, image data is moved one\nsector at a time. The swap status is necessary for resuming a swap operation\nif the device rebooted before a swap operation completed.\n\n\n\n\n\n\nCopy done: A single byte indicating whether the image in this slot is\ncomplete (0x01=d\n [email protected]\n35d33\n\n [email protected]\n42d39\n\n [email protected]\n55d51\n\n [email protected]\n110d105\n\n [email protected]; 0xff=not done).\n\n\n\n\n\n\nImage OK: A single byte indicating whether the image in this slot has been\nconfirmed as good by the user (0x01=confirmed; 0xff=not confirmed).\n\n\n\n\n\n\nThe boot vector records are structured around the limitations imposed by flash\nhardware. As a consequence, they do not have a very intuitive design, and it\nis difficult to get a sense of the state of the device just by looking at the\nboot vector. It is better to map all the possible vector states to the swap types (None, Test, Revert)\nvia a set of tables. These t ables are reproduced below.\nIn these tables, the \"pending\" and \"confirmed\" flags are shown for illustrative\npurposes; they are not actually present in the boot vector.\n\n\nState I\n | slot-0 | slot-1 |\n-----------------+--------+--------|\n magic | Unset | Unset |\n image-ok | Any | N/A |\n-----------------+--------+--------\n\n pending | | |\n confirmed | X | |\n-----------------+--------+--------\n\n swap: none |\n-----------------------------------\n\n\n\nState II\n | slot-0 | slot-1 |\n-----------------+--------+--------|\n magic | Any | Good |\n image-ok | Any | N/A |\n-----------------+--------+--------\n\n pending | | X |\n confirmed | X | |\n-----------------+--------+--------\n\n swap: test |\n-----------------------------------\n\n\n\nState III\n | slot-0 | slot-1 |\n-----------------+--------+--------|\n magic | Good | Unset |\n image-ok | 0xff | N/A |\n-----------------+--------+--------\n\n pending | | |\n confirmed | | X |\n-----------------+--------+--------\n\n swap: revert (test image running) |\n-----------------------------------\n\n\n\nState IV\n | slot-0 | slot-1 |\n-----------------+--------+--------|\n magic | Good | Unset |\n image-ok | 0x01 | N/A |\n-----------------+--------+--------\n\n pending | | |\n confirmed | X | |\n-----------------+--------+--------\n\n swap: none (confirmed test image) |\n-----------------------------------\n\n\n\n\n\n\nHigh-level Operation\n\n\nWith the terms defined, we can now explore the boot loader's operation. First,\na high-level overview of the boot process is presented. Then, the following\nsections describe each step of the p rocess in more detail.\n\n\nProcedure:\n\n\nA. Inspect swap status region; is an interrupted swap is being resumed?\n Yes: Complete the partial swap operation; skip to step C.\n No: Proceed to step B.\n\n\nB. Insect boot vector; is a swap requested?\n Yes.\n 1. Is the requested image valid (integrity and security check)?\n Yes.\n a. Perform swap operation.\n b. Persist completion of swap procedure to boot vector.\n c. Proceed to step C.\n No.\n a. Erase invalid image.\n b. Persist failure of swap procedure to boot vector.\n c. Proceed to step C.\n No: Proceed to step C.\n\n\nC. Boot into image in slot 0.\n\n\nImage Swapping\n\n\nThe boot loader swaps the contents of the two image slots for two reasons:\n * User has issued an \"image test\" operation; the image in slot-1 should be\n run once (state II).\n * Test image rebooted without being con firmed; the boot loader should\n revert to the original image currently in slot-1 (state III).\n\n\nIf the boot vector indicates that the image in the secondary slot should be\nrun, the boot loader needs to copy it to the primary slot. The image currently\nin the primary slot also needs to be retained in flash so that it can be used\nlater. Furthermore, both images need to be recoverable if the boot loader\nresets in the middle of the swap operation. The two images are swapped\naccording to the following procedure:\n\n\n1. Determine how many flash sectors each image slot consists of. This\n number must be the same for both slots.\n2. Iterate the list of sector indices in descending order (i.e., starting\n with the greatest index); current element = \nindex\n.\n b. Erase scratch area.\n c. Copy slot0[index] to scratch area.\n d. Write updated swap status (i).\n\n e. Erase slot1[index]\n f. Copy slot0[index] to slot1[index]\n - If these are the last sectors (i.e., first swap being perfomed),\n copy the full sector *except* the image trailer.\n - Else, copy entire sector contents.\n g. Write updated swap status (ii).\n\n h. Erase slot0[index].\n i. Copy scratch area slot0[index].\n j. Write updated swap status (iii).\n\n3. Persist completion of swap procedure to slot 0 image trailer.\n\n\n\n\n\nThe additional caveats in step 2f are necessary so that the slot 1 image trailer\ncan be written by the user at a later time. With the image trailer unwritten,\nthe user can test the image in slot 1 (i.e., transition to state II).\n\n\nThe particulars of step 3 vary depending on whether an image is being tested or\nreverted:\n * test:\n o Write slot0.copy_done = 1\n (should now be in state III)\n\n\n* revert:\n o Write slot0.magic = BOOT_MAGIC\n o Write slot0.copy_done = 1\n o Write slot0.image_ok = 1\n (should now be in state IV)\n\n\n\n\n\nSwap Status\n\n\nThe swap status region allows the boot loader to recover in case it restarts in\nthe middle of an image swap operation. The swap status region consists of a\nseries of single-byte records. These records are written independently, and\ntherefore must be padded according to the minimum write size imposed by the\nflash hardware. In the below figure, a min-write-size of 1 is assumed for\nsimplicity. The structure of the swap status region is illustrated below. In\nthis figure, a min-write-size of 1 is assumed for simplicity.\n\n\n 0 1 2 3\n 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n|sec127,state 0 |sec127,state 1 |sec127,state 2 |sec126,state 0 |\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n|sec126,state 1 |sec126,state 2 |sec125,state 0 |sec125,state 1 |\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n|sec125,state 2 | |\n+-+-+-+-+-+-+-+-+ +\n~ ~\n~ [Records for indices 124 through 1 ~\n~ ~\n~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n~ |sec000,state 0 |sec000,state 1 |sec000,state 2 |\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n\n\n\n\n\nAnd now, in English...\n\n\nEach image slot is partitioned into a sequence of flash sectors. If we were to\nenumerate the sectors in a single slot, starting at 0, we would have a list of\nsector indices. Since there are two image slots, each sector index would\ncorrespond to a pair of sectors. For example, sector index 0 corresponds to\nthe first sector in slot 0 and the first sector in slot 1. Furthermore, we\nimpose a limit of 128 indices. If an image slot c onsists of more than 128\nsectors, the flash layout is not compatible with this boot loader. Finally,\nreverse the list of indices such that the list starts with index 127 and ends\nwith 0. The swap status region is a representation of this reversed list.\n\n\nDuring a swap operation, each sector index transitions through four separate\nstates:\n 0. slot 0: image 0, slot 1: image 1, scratch: N/A\n 1. slot 0: image 0, slot 1: N/A, scratch: image 1 (1-\ns, erase 1)\n 2. slot 0: N/A, slot 1: image 0, scratch: image 1 (0-\n1, erase 0)\n 3. slot 0: image 1, slot 1: image 0, scratch: N/A (s-\n0)\n\n\nEach time a sector index transitions to a new state, the boot loader writes a\nrecord to the swap status region. Logically, the boot loader only needs one\nrecord per sector index to keep track of the current swap state. However, due\nto limitations imposed by flash hardware, a record cannot be overwritten when\nan index's state changes. To solve t his problem, the boot loader uses three\nrecords per sector index rather than just one.\n\n\nEach sector-state pair is represented as a set of three records. The record\nvalues map to the above four states as follows\n\n\n | rec0 | rec1 | rec2\n--------+------+------+------\nstate 0 | 0xff | 0xff | 0xff\nstate 1 | 0x01 | 0xff | 0xff\nstate 2 | 0x01 | 0x02 | 0xff\nstate 3 | 0x01 | 0x02 | 0x03\n\n\n\n\n\nThe swap status region can accommodate 128 sector indices. Hence, the size of\nthe region, in bytes, is 128 * min-write-size * 3. The number 128 is chosen\nsomewhat arbitrarily and will likely be made configurable. The only\nrequirement for the index count is that is is great enough to account for a\nmaximum-sized image (i.e., at least as great as the total sector count in an\nimage slot). If a device's image slots use less than 128 sectors, the first\nrecord that gets written will be somewhere in the middle of the region. For\nexample, if a slot uses 64 sectors, the firs t sector index that gets swapped is\n63, which corresponds to the exact halfway point within the region.\n\n\nReset Recovery\n\n\nIf the boot loader resets in the middle of a swap operation, the two images may\nbe discontiguous in flash. Bootutil recovers from this condition by using the\nboot vector to determine how the image parts are distributed in flash.\n\n\nThe first step is determine where the relevant swap status region is located.\nBecause this region is embedded within the image slots, its location in flash\nchanges during a swap operation. The below set of tables map boot vector\ncontents to swap status location. In these tables, the \"source\" field\nindicates where the swap status region is located.\n\n\n | slot-0 | scratch |\n----------+------------+------------|\n magic | Good | Any |\ncopy-done | 0x01 | N/A |\n----------+------------+------------\n\nsource: none |\n-------------------------------- ----\n\n\n | slot-0 | scratch |\n----------+------------+------------|\n magic | Good | Any |\ncopy-done | 0xff | N/A |\n----------+------------+------------\n\nsource: slot 0 |\n------------------------------------\n\n\n | slot-0 | scratch |\n----------+------------+------------|\n magic | Any | Good |\ncopy-done | Any | N/A |\n----------+------------+------------\n\nsource: scratch |\n------------------------------------\n\n\n | slot-0 | scratch |\n----------+------------+------------|\n magic | Unset | Any |\ncopy-done | 0xff | N/A |\n----------+------------+------------|\nsource: varies |\n------------------------------------+------------------------------+\nThis represents one of two cases: |\no No swaps ever (no status to read, so no harm in checking) . |\no Mid-revert; status in slot 0. |\n-------------------------------------------------------------------\n\n\n\n\n\n\nIf the swap status region indicates that the images are not contiguous,\nbootutil completes the swap operation that was in progress when the system was\nreset. In other words, it applies the procedure defined in the previous\nsection, moving image 1 into slot 0 and image 0 into slot 1. If the boot\nstatus file indicates that an image part is present in the scratch area, this\npart is copied into the correct location by starting at step e or step h in the\narea-swap procedure, depending on whether the part belongs to image 0 or image\n1.\n\n\nAfter the swap operation has been completed, the boot loader proceeds as though\nit had just been started.\n\n\nIntegrity Check\n\n\nAn image is checked for integrity immediately before it gets copied into the\nprimary slot. If the boot loader doesn't perform an image swap, then it\n doesn't perform an integrity check.\n\n\nDuring the integrity check, the boot loader verifies the following aspects of\nan image:\n * 32-bit magic number must be correct (0x96f3b83c).\n * Image must contain a SHA256 TLV.\n * Calculated SHA256 must matche SHA256 TLV contents.\n * Image \nmay\n contain a signature TLV. If it does, its contents must be\n verifiable using a key embedded in the boot loader.\n\n\nImage Signing and Verification\n\n\nAs indicated above, the final step of the integrity check is signature\nverification. The boot loader can have one or more public keys embedded in it\nat build time. During signature verification, the boot loader verifies that an\nimage was signed with a private key that corresponds to one of its public keys.\nThe image signature TLV indicates the index of the key that is has been signed\nwith. The boot loader uses this index to identify the corresponding public\nkey.\n\n\nFor information on embedding public keys in the boo t loader, as well as\nproducing signed images, see: boot/bootutil/signed_images.md", "title": "toc" }, { @@ -5337,7 +5337,7 @@ }, { "location": "/os/modules/bootloader/bootloader/#image-format", - "text": "The following definitions describe the image header format. #define IMAGE_MAGIC 0x96f3b83c #define IMAGE_MAGIC_NONE 0xffffffff struct image_version {\n uint8_t iv_major ;\n uint8_t iv_minor ;\n uint16_t iv_revision ;\n uint32_t iv_build_num ;\n}; /** Image header. All fields are in little endian byte order. */ struct image_header {\n uint32_t ih_magic ;\n uint16_t ih_tlv_size ; /* Trailing TLVs */ \n uint8_t ih_key_id ;\n uint8_t _pad1 ;\n uint16_t ih_hdr_s bok@bok . net 35 d33 ericmanganaro@gmail . com 42 d39 tam@proxy . co 55 d51 nathan@natb1 . com 110 d105 rvs@apache . orgize ;\n uint16_t _pad2 ;\n uint32_t ih_img_size ; /* Does not include header. */ \n uint32_t ih_flags ;\n struct image_version ih_ver ;\n uint32_t _pad3 ;\n}; The ih_hdr_size field indicates the length of the header, and therefore the\noffset of the image itself. This field provides for backwards compatibility in\ncase of changes to the format of the image header. The following are the image header flags available. #define IMAGE_F_PIC 0x00000001 #define IMAGE_F_SHA256 0x00000002 /* Image contains hash TLV */ #define IMAGE_F_PKCS15_RSA2048_SHA256 0x00000004 /* PKCS15 w/RSA and SHA */ #define IMAGE_F_ECDSA224_SHA256 0x00000008 /* ECDSA256 over SHA256 */ #define IMAGE_F_NON_BOOTABLE 0x00000010 #define IMAGE_HEADER_SIZE 32 Optional type-length-value records (TLVs) containing image metadata are placed\nafter the end of the image. For example, security data gets added as a footer at the end of the image. /** Image trailer TLV format. All fields in little endian. */ struct image_tlv {\n uint8_t it_type ; /* IMAGE_TLV_[...]. */ \n uint8_t _pad ;\n uint16_t it_len /* Data length (not including TLV header). */ \n}; /* * Ima ge trailer TLV types. */ #define IMAGE_TLV_SHA256 1 /* SHA256 of image hdr and body */ #define IMAGE_TLV_RSA2048 2 /* RSA2048 of hash output */ #define IMAGE_TLV_ECDSA224 3 /* ECDSA of hash output */", + "text": "The following definitions describe the image header format. #define IMAGE_MAGIC 0x96f3b83c #define IMAGE_MAGIC_NONE 0xffffffff struct image_version {\n uint8_t iv_major ;\n uint8_t iv_minor ;\n uint16_t iv_revision ;\n uint32_t iv_build_num ;\n}; /** Image header. All fields are in little endian byte order. */ struct image_header {\n uint32_t ih_magic ;\n uint16_t ih_tlv_size ; /* Trailing TLVs */ \n uint8_t ih_key_id ;\n uint8_t _pad1 ;\n uint16_t ih_hdr_s bok@bok . net \n uint16_t _pad2 ;\n uint32_t ih_img_size ; /* Does not include header. */ \n uint32_t ih_flags ;\n struct image_version ih_ver ;\n uint32_t _pad3 ;\n}; The ih_hdr_size field indicates the length of the header, and therefore the\noffset of the image itself. This field provides for backwards compatibility in\ncase of changes to the format of the image header. The following are the image header flags available.
<TRUNCATED>
