[2/2] incubator-mynewt-core git commit: boot loader - Update design doc.

2016-12-06 Thread ccollins
boot loader - Update design doc.


Project: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/repo
Commit: 
http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/commit/bd9cb1c3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/tree/bd9cb1c3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/diff/bd9cb1c3

Branch: refs/heads/develop
Commit: bd9cb1c3dd51be994febf05c045b0787889db54a
Parents: 4e7f485
Author: Christopher Collins 
Authored: Tue Dec 6 15:40:38 2016 -0800
Committer: Christopher Collins 
Committed: Tue Dec 6 15:41:34 2016 -0800

--
 boot/bootutil/design.txt | 750 --
 1 file changed, 436 insertions(+), 314 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/bd9cb1c3/boot/bootutil/design.txt
--
diff --git a/boot/bootutil/design.txt b/boot/bootutil/design.txt
index a39759b..41065e4 100644
--- a/boot/bootutil/design.txt
+++ b/boot/bootutil/design.txt
@@ -17,42 +17,37 @@
 # under the License.
 #
 
-** BOOTUTIL
+** BOOT LOADER
 
 *** SUMMARY
 
-The bootutil library performs most of the functions of a boot loader.  In
-particular, the piece that is missing is the final step of actually jumping to
-the main image.  This last step should instead be implemented in an
-architecture-specific project.  Boot loader functionality is separated in this
-manner for the following two reasons:
+The Mynewt bootloader comprises two packages:
 
-1. By keeping architecture-dependent code separate, the bootutil library can be
-   reused among several boot loaders.
+* The bootutil library (boot/bootutil)
+* The boot application (apps/boot)
 
-2. By excluding the last boot step from the library, the rest of the code can
-   be tested in a sim environment.
-
-There is a boot loader project specific to the olimex_stm32-e407 devboard
-called "boot."  This project provides an example of how the bootutil library
-should be used.
+The bootutil library performs most of the functions of a boot loader.  In
+particular, the piece that is missing is the final step of actually jumping to
+the main image.  This last step is instead implemented by the boot application.
+Boot loader functionality is separated in this manner to enable unit testing of
+the boot loader.  A library can be unit tested, but an application can't.
+Therefore, functionality is delegated to the bootutil library when possible.
 
 *** LIMITATIONS
 
 The boot loader currently only supports images with the following
 characteristics:
 * Built to run from flash.
-* Build to run from a fixed location (i.e., position-independent).
-
-These limitations will likely be addressed soon.
-
+* Build to run from a fixed location (i.e., not position-independent).
 
 *** IMAGE FORMAT
 
-The following definitions describe the image header format.
+The following definitions describe the image format.
 
 #define IMAGE_MAGIC 0x96f3b83c
 
+#define IMAGE_HEADER_SIZE   32
+
 struct image_version {
 uint8_t iv_major;
 uint8_t iv_minor;
@@ -63,351 +58,478 @@ struct image_version {
 /** Image header.  All fields are in little endian byte order. */
 struct image_header {
 uint32_t ih_magic;
-uint32_t ih_crc32; /* Covers remainder of header and all of image body. */
-uint32_t ih_hdr_size;
+uint16_t ih_tlv_size; /* Combined size of trailing TLVs (bytes). */
+uint8_t  ih_key_id;   /* Which key image is signed with (0xff=unsigned). */
+uint8_t  _pad1;
+uint16_t ih_hdr_size; /* Size of image header (bytes). */
+uint16_t _pad2;
 uint32_t ih_img_size; /* Does not include header. */
-uint32_t ih_flags;
+uint32_t ih_flags;/* IMAGE_F_[...] */
 struct image_version ih_ver;
+uint32_t _pad3;
 };
 
-At this time, no flags have been defined.
+/** Image trailer TLV format. All fields in little endian. */
+struct image_tlv {
+uint8_t  it_type;   /* IMAGE_TLV_[...]. */
+uint8_t  _pad;
+uint16_t it_len /* Data length (not including TLV header). */
+};
+
+/*
+ * Image header flags.
+ */
+#define IMAGE_F_PIC   0x0001 /* Not currently supported. */
+#define IMAGE_F_SHA2560x0002 /* Image contains hash TLV */
+#define IMAGE_F_PKCS15_RSA2048_SHA256 0x0004 /* PKCS15 w/RSA and SHA */
+#define IMAGE_F_ECDSA224_SHA256   0x0008 /* ECDSA256 over SHA256 */
+#define IMAGE_F_NON_BOOTABLE  0x0010 /* Split image app. */
+
+/*
+ * Image trailer TLV types.
+ */
+#define IMAGE_TLV_SHA2561  /* SHA256 of image hdr and body */
+#define IMAGE_TLV_RSA2048   2  /* RSA2048 of hash output */
+#define IMAGE_TLV_ECDSA224  3   /* ECDSA of hash output */
+

[2/2] incubator-mynewt-core git commit: Boot loader update

2016-10-20 Thread ccollins
Boot loader update

1. Increase copy magic number from 4 bytes to 16.
2. Ensure magic, status, and swap state get written sequentially within
   a sector.
3. Standardize on the flash_map API (flash_area_open(), etc.).
   Previously, we were using both the flash map API and direct HAL flash
   reads.
4. Remove boot request; now boot loader calculates flash information on
   its own.
5. Remove boot_req and boot_state global variables.


Project: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/repo
Commit: 
http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/commit/f855c453
Tree: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/tree/f855c453
Diff: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/diff/f855c453

Branch: refs/heads/develop
Commit: f855c453f9d0e8fe8289f81e200c04bb30ce8304
Parents: dbb7803
Author: Christopher Collins 
Authored: Wed Oct 19 17:23:37 2016 -0700
Committer: Christopher Collins 
Committed: Thu Oct 20 19:16:19 2016 -0700

--
 apps/boot/src/boot.c|  13 +-
 boot/boot_serial/src/boot_serial.c  |   4 +-
 boot/bootutil/include/bootutil/bootutil.h   |  43 +-
 boot/bootutil/include/bootutil/image.h  |  15 +-
 boot/bootutil/signed_images.md  |   8 +-
 boot/bootutil/src/bootutil_misc.c   | 315 --
 boot/bootutil/src/bootutil_priv.h   |  55 +-
 boot/bootutil/src/image_validate.c  |  34 +-
 boot/bootutil/src/loader.c  | 962 ++-
 boot/bootutil/syscfg.yml|   2 -
 boot/bootutil/test/src/boot_test.h  |   3 +-
 boot/bootutil/test/src/boot_test_utils.c|  67 +-
 .../test/src/testcases/boot_test_invalid_hash.c |  10 +-
 .../src/testcases/boot_test_no_flag_has_hash.c  |  10 +-
 .../test/src/testcases/boot_test_no_hash.c  |  10 +-
 .../test/src/testcases/boot_test_nv_bs_10.c |  10 +-
 .../test/src/testcases/boot_test_nv_bs_11.c |  13 +-
 .../src/testcases/boot_test_nv_bs_11_2areas.c   |  11 +-
 .../test/src/testcases/boot_test_nv_ns_01.c |  10 +-
 .../test/src/testcases/boot_test_nv_ns_10.c |  10 +-
 .../test/src/testcases/boot_test_nv_ns_11.c |  10 +-
 .../test/src/testcases/boot_test_revert.c   |  10 +-
 .../src/testcases/boot_test_revert_continue.c   |  11 +-
 .../test/src/testcases/boot_test_vb_ns_11.c |  10 +-
 .../test/src/testcases/boot_test_vm_ns_01.c |  10 +-
 .../test/src/testcases/boot_test_vm_ns_10.c |  10 +-
 .../src/testcases/boot_test_vm_ns_11_2areas.c   |  10 +-
 .../test/src/testcases/boot_test_vm_ns_11_a.c   |  10 +-
 .../test/src/testcases/boot_test_vm_ns_11_b.c   |  10 +-
 sys/flash_map/include/flash_map/flash_map.h |   2 +-
 sys/flash_map/src/flash_map.c   |   5 +-
 31 files changed, 908 insertions(+), 795 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/f855c453/apps/boot/src/boot.c
--
diff --git a/apps/boot/src/boot.c b/apps/boot/src/boot.c
index 6a25b57..966e453 100755
--- a/apps/boot/src/boot.c
+++ b/apps/boot/src/boot.c
@@ -50,14 +50,6 @@ static os_stack_t boot_ser_stack[BOOT_SER_STACK_SZ];
 int
 main(void)
 {
-struct flash_area descs[AREA_DESC_MAX];
-/** Areas representing the beginning of image slots. */
-uint8_t img_starts[2];
-struct boot_req req = {
-.br_area_descs = descs,
-.br_slot_areas = img_starts,
-};
-
 struct boot_rsp rsp;
 int rc;
 
@@ -68,9 +60,6 @@ main(void)
 hal_bsp_init();
 #endif
 
-rc = boot_build_request(, AREA_DESC_MAX);
-assert(rc == 0);
-
 #if MYNEWT_VAL(BOOT_SERIAL)
 /*
  * Configure a GPIO as input, and compare it against expected value.
@@ -84,7 +73,7 @@ main(void)
 os_start();
 }
 #endif
-rc = boot_go(, );
+rc = boot_go();
 assert(rc == 0);
 
 system_start((void *)(rsp.br_image_addr + rsp.br_hdr->ih_hdr_size));
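Review bot: The only handling of a `boot_go()` failure here is `assert(rc == 0)`; if assertions are compiled out, execution falls straight through to `system_start()` with `rsp` never filled in (it is declared without an initializer in the first hunk), so the loader would dereference `rsp.br_hdr` and jump to whatever address is on the stack. A boot loader should fail closed at this point: keep the assert for debug builds but add an explicit check that never reaches the jump, e.g. `if (rc != 0) { /* no valid image: halt or enter recovery, never jump */ for (;;) { } }`. The call reads `boot_go();` on this page, presumably `boot_go(&rsp)` with the `&` lost in extraction. Whether `boot_go()` bounds-checks `ih_hdr_size` against the slot before it is folded into the jump address cannot be seen from this hunk, and is worth confirming since that value comes from the image header. `main()` continues outside the hunk.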

http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/f855c453/boot/boot_serial/src/boot_serial.c
--
diff --git a/boot/boot_serial/src/boot_serial.c 
b/boot/boot_serial/src/boot_serial.c
index 564fb41..fdc2d2e 100644
--- a/boot/boot_serial/src/boot_serial.c
+++ b/boot/boot_serial/src/boot_serial.c
@@ -110,8 +110,8 @@ bs_list(char *buf, int len)
 flash_area_read(fap, 0, , sizeof(hdr));
 
 if (hdr.ih_magic == IMAGE_MAGIC &&
-  bootutil_img_validate(, fap->fa_device_id, fap->fa_off,
-tmpbuf, sizeof(tmpbuf), NULL, 0, NULL) == 0) {
+  bootutil_img_validate(, fap, tmpbuf, sizeof(tmpbuf),
+NULL, 0, NULL) == 0) {
 good_img = 1;

[1/2] incubator-mynewt-core git commit: Boot loader update

2016-10-20 Thread ccollins
Repository: incubator-mynewt-core
Updated Branches:
  refs/heads/develop dbb78037e -> f855c453f


http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/f855c453/boot/bootutil/test/src/testcases/boot_test_nv_ns_01.c
--
diff --git a/boot/bootutil/test/src/testcases/boot_test_nv_ns_01.c 
b/boot/bootutil/test/src/testcases/boot_test_nv_ns_01.c
index b4cb4ea..10bb38f 100644
--- a/boot/bootutil/test/src/testcases/boot_test_nv_ns_01.c
+++ b/boot/bootutil/test/src/testcases/boot_test_nv_ns_01.c
@@ -29,19 +29,11 @@ TEST_CASE(boot_test_nv_ns_01)
 .ih_ver = { 1, 2, 3, 432 },
 };
 
-struct boot_req req = {
-.br_area_descs = boot_test_area_descs,
-.br_slot_areas = boot_test_slot_areas,
-.br_num_image_areas = BOOT_TEST_AREA_IDX_SCRATCH + 1,
-.br_scratch_area_idx = BOOT_TEST_AREA_IDX_SCRATCH,
-.br_img_sz = (384 * 1024),
-};
-
 boot_test_util_init_flash();
 boot_test_util_write_image(, 1);
 boot_test_util_write_hash(, 1);
 
 boot_set_pending();
 
-boot_test_util_verify_all(, BOOT_SWAP_TYPE_REVERT, NULL, );
+boot_test_util_verify_all(BOOT_SWAP_TYPE_REVERT, NULL, );
 }

http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/f855c453/boot/bootutil/test/src/testcases/boot_test_nv_ns_10.c
--
diff --git a/boot/bootutil/test/src/testcases/boot_test_nv_ns_10.c 
b/boot/bootutil/test/src/testcases/boot_test_nv_ns_10.c
index a6bbff2..05095f0 100644
--- a/boot/bootutil/test/src/testcases/boot_test_nv_ns_10.c
+++ b/boot/bootutil/test/src/testcases/boot_test_nv_ns_10.c
@@ -29,17 +29,9 @@ TEST_CASE(boot_test_nv_ns_10)
 .ih_ver = { 0, 2, 3, 4 },
 };
 
-struct boot_req req = {
-.br_area_descs = boot_test_area_descs,
-.br_slot_areas = boot_test_slot_areas,
-.br_num_image_areas = BOOT_TEST_AREA_IDX_SCRATCH + 1,
-.br_scratch_area_idx = BOOT_TEST_AREA_IDX_SCRATCH,
-.br_img_sz = (384 * 1024),
-};
-
 boot_test_util_init_flash();
 boot_test_util_write_image(, 0);
 boot_test_util_write_hash(, 0);
 
-boot_test_util_verify_all(, BOOT_SWAP_TYPE_NONE, , NULL);
+boot_test_util_verify_all(BOOT_SWAP_TYPE_NONE, , NULL);
 }

http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/f855c453/boot/bootutil/test/src/testcases/boot_test_nv_ns_11.c
--
diff --git a/boot/bootutil/test/src/testcases/boot_test_nv_ns_11.c 
b/boot/bootutil/test/src/testcases/boot_test_nv_ns_11.c
index 4a43ef2..2191aaa 100644
--- a/boot/bootutil/test/src/testcases/boot_test_nv_ns_11.c
+++ b/boot/bootutil/test/src/testcases/boot_test_nv_ns_11.c
@@ -38,19 +38,11 @@ TEST_CASE(boot_test_nv_ns_11)
 .ih_ver = { 1, 2, 3, 432 },
 };
 
-struct boot_req req = {
-.br_area_descs = boot_test_area_descs,
-.br_slot_areas = boot_test_slot_areas,
-.br_num_image_areas = BOOT_TEST_AREA_IDX_SCRATCH + 1,
-.br_scratch_area_idx = BOOT_TEST_AREA_IDX_SCRATCH,
-.br_img_sz = (384 * 1024),
-};
-
 boot_test_util_init_flash();
 boot_test_util_write_image(, 0);
 boot_test_util_write_hash(, 0);
 boot_test_util_write_image(, 1);
 boot_test_util_write_hash(, 1);
 
-boot_test_util_verify_all(, BOOT_SWAP_TYPE_NONE, , );
+boot_test_util_verify_all(BOOT_SWAP_TYPE_NONE, , );
 }

http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/f855c453/boot/bootutil/test/src/testcases/boot_test_revert.c
--
diff --git a/boot/bootutil/test/src/testcases/boot_test_revert.c 
b/boot/bootutil/test/src/testcases/boot_test_revert.c
index f564f7c..4339afb 100644
--- a/boot/bootutil/test/src/testcases/boot_test_revert.c
+++ b/boot/bootutil/test/src/testcases/boot_test_revert.c
@@ -37,14 +37,6 @@ TEST_CASE(boot_test_revert)
 .ih_ver = { 1, 2, 3, 432 },
 };
 
-struct boot_req req = {
-.br_area_descs = boot_test_area_descs,
-.br_slot_areas = boot_test_slot_areas,
-.br_num_image_areas = BOOT_TEST_AREA_IDX_SCRATCH + 1,
-.br_scratch_area_idx = BOOT_TEST_AREA_IDX_SCRATCH,
-.br_img_sz = (384 * 1024),
-};
-
 boot_test_util_init_flash();
 boot_test_util_write_image(, 0);
 boot_test_util_write_hash(, 0);
@@ -54,5 +46,5 @@ TEST_CASE(boot_test_revert)
 /* Indicate that the image in slot 0 is being tested. */
 boot_test_util_mark_revert();
 
-boot_test_util_verify_all(, BOOT_SWAP_TYPE_REVERT, , );
+boot_test_util_verify_all(BOOT_SWAP_TYPE_REVERT, , );
 }

http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/f855c453/boot/bootutil/test/src/testcases/boot_test_revert_continue.c
--
diff --git 

incubator-mynewt-core git commit: Boot loader update

2016-10-16 Thread ccollins
Repository: incubator-mynewt-core
Updated Branches:
  refs/heads/develop 231691369 -> 8416e2cbf


Boot loader update

1. Increase max number of status entries

We weren't budgeting enough space for the swap status.  We were allowing
for 48 swap operations (32 * 4 / 3).  The nrf52dk, for example, requires
58 operations (232kB area / 4kB chunk = 58).

The result is that some status bytes could get copied to the opposing
slot.  On a subsequent swap, the status bytes would get copied back to
slot 0, corrupting the status.

2. Write status bytes in at increasing offsets

We were writing each subsequent status byte at an offset in flash
previous to the last.  Some flash hardware prohibits non-sequential
writes.

Still to do:

A. If the boot loader resets while it is in the middle of a revert (user
tests a new image, reboots, then reboots again), the behavior is
incorrect.  The image under test becomes confirmed - it should be the
original image that is confirmed.  The problem is that it is not
currently possible to determine the status of the previous swap
operation under these conditions.

Possible fix: when it appears there was no partial copy, search slot0's
status bytes for the swap status anyway.

B. If an image contains the "swap magic" (0x12344321) at an unfortunate
offset, the boot loader could get confused if it resets during a swap.
I suggest we increase the size of the magic to 8 or 16 bytes.


Project: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/repo
Commit: 
http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/commit/8416e2cb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/tree/8416e2cb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/diff/8416e2cb

Branch: refs/heads/develop
Commit: 8416e2cbfbaac697d150b4ce5d3bc3fd26dcbc9e
Parents: 2316913
Author: Christopher Collins 
Authored: Sun Oct 16 16:57:26 2016 -0700
Committer: Christopher Collins 
Committed: Sun Oct 16 20:28:07 2016 -0700

--
 apps/boot/src/boot.c   |   3 +-
 apps/slinky/src/main.c |   2 +-
 apps/splitty/src/main.c|   2 +-
 boot/bootutil/include/bootutil/bootutil.h  | 112 
 boot/bootutil/include/bootutil/bootutil_misc.h |  41 --
 boot/bootutil/include/bootutil/loader.h|  92 
 boot/bootutil/src/bootutil_misc.c  | 573 
 boot/bootutil/src/bootutil_priv.h  |  69 +--
 boot/bootutil/src/loader.c | 189 ---
 boot/bootutil/test/src/boot_test.c | 125 +++--
 boot/split/include/split/split.h   |   2 +-
 boot/split/src/split.c |   3 +-
 boot/split/src/split_priv.h|   2 +-
 mgmt/imgmgr/src/imgmgr.c   |   2 +-
 mgmt/imgmgr/src/imgmgr_cli.c   |   2 +-
 mgmt/imgmgr/src/imgmgr_state.c |   6 +-
 sys/reboot/src/log_reboot.c|   2 +-
 sys/sysinit/include/sysinit/sysinit.h  |   6 +-
 18 files changed, 772 insertions(+), 461 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/8416e2cb/apps/boot/src/boot.c
--
diff --git a/apps/boot/src/boot.c b/apps/boot/src/boot.c
index ffad2d5..5e49825 100755
--- a/apps/boot/src/boot.c
+++ b/apps/boot/src/boot.c
@@ -33,8 +33,7 @@
 #endif
 #include 
 #include "bootutil/image.h"
-#include "bootutil/loader.h"
-#include "bootutil/bootutil_misc.h"
+#include "bootutil/bootutil.h"
 
 #define BOOT_AREA_DESC_MAX  (256)
 #define AREA_DESC_MAX   (BOOT_AREA_DESC_MAX)

http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/8416e2cb/apps/slinky/src/main.c
--
diff --git a/apps/slinky/src/main.c b/apps/slinky/src/main.c
index 1e63f3a..383db97 100755
--- a/apps/slinky/src/main.c
+++ b/apps/slinky/src/main.c
@@ -36,7 +36,7 @@
 #endif
 #include 
 #include 
-#include 
+#include 
 #include 
 #include 
 #include 

http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/8416e2cb/apps/splitty/src/main.c
--
diff --git a/apps/splitty/src/main.c b/apps/splitty/src/main.c
index 02aabb1..b9a4259 100755
--- a/apps/splitty/src/main.c
+++ b/apps/splitty/src/main.c
@@ -30,7 +30,7 @@
 #include 
 #include 
 #include 
-#include 
+#include 
 #include 
 #include 
 #include 

http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/8416e2cb/boot/bootutil/include/bootutil/bootutil.h
--
diff --git a/boot/bootutil/include/bootutil/bootutil.h