bootutil: Add manifest-based loader for Direct XIP #2511
Conversation
tomchy
force-pushed
the
feature/mcuboot/NCSDK-NONE_Transaction_manifest_xip_upstream
branch
3 times, most recently
from
6ebfcaf to
aaf2a5a
Compare
tomchy
force-pushed
the
feature/mcuboot/NCSDK-NONE_Transaction_manifest_xip_upstream
branch
from
aaf2a5a to
d8e62ff
Compare
tomchy
requested review from
almir-okato,
d3zd3z,
davidvincze,
de-nordic and
nordicjm
as code owners
tomchy
force-pushed
the
feature/mcuboot/NCSDK-NONE_Transaction_manifest_xip_upstream
branch
from
d8e62ff to
3688d72
Compare
Add a possibility to attach a basic manifest with expected digests to an image. Alter the image verification logic, so only digests specified by the manifest are allowed on the device. Signed-off-by: Tomasz Chyrowicz <[email protected]>
Add a simple logic that allows to attach a manifest TLV to an image. Signed-off-by: Tomasz Chyrowicz <[email protected]>
Add a loader variant that is capable of booting images, based on a simple manifest. Signed-off-by: Tomasz Chyrowicz <[email protected]>
tomchy
force-pushed
the
feature/mcuboot/NCSDK-NONE_Transaction_manifest_xip_upstream
branch
from
3688d72 to
8eca34c
Compare
| return false; | ||
| } | ||
|
|
||
| if (manifest->image_count != BOOT_IMAGE_NUMBER - 1) { |
| * @return 0 on success; nonzero on failure. | ||
| */ | ||
| static int | ||
| boot_select_or_erase(struct boot_loader_state *state) |
There was a problem hiding this comment.
TODO: This should be executed only on the manifest image. If a manifest image is erased/not present, all other images will be rejected on the digest check.
| static inline const uint8_t *bootutil_get_image_hash(const struct mcuboot_manifest *manifest, | ||
| uint32_t image_index) | ||
| { | ||
| if (!bootutil_verify_manifest(manifest)) { | ||
| return NULL; | ||
| } | ||
|
|
||
| if (image_index >= BOOT_IMAGE_NUMBER) { | ||
| return NULL; | ||
| } | ||
|
|
||
| if (image_index < MCUBOOT_MANIFEST_IMAGE_NUMBER) { | ||
| return manifest->image_hash[image_index]; | ||
| } else if (image_index > MCUBOOT_MANIFEST_IMAGE_NUMBER) { | ||
| return manifest->image_hash[image_index - 1]; | ||
| } | ||
|
|
||
| return NULL; | ||
| } |
There was a problem hiding this comment.
I am not sure this should be able to return NULL in any case.
This should panic on any parameter that is not expected.
Since the function is always called before boot_fih_memequal I think that both functions should be merged and the bootutil_get_image_hash should be changed to FIH return function that will be given enough parameter to compare a hash without pulling it out of the manifest object.
This should also reduce code size, since the boot_fih_memequal and will be combined here and no need for external null checks.
|
|
||
| #if defined(MCUBOOT_MANIFEST_UPDATES) | ||
| struct mcuboot_manifest manifest[BOOT_NUM_SLOTS]; | ||
| bool manifest_valid[BOOT_NUM_SLOTS]; |
There was a problem hiding this comment.
Can we move that into the mcuboot_manifest? We can have different structs for TLV and internal usage.
| if (image_index == MCUBOOT_MANIFEST_IMAGE_NUMBER) { | ||
| if (!state->manifest_valid[slot]) { | ||
| /* Manifest TLV must be processed before any of the image's hash TLV. */ | ||
| BOOT_LOG_INF("bootutil_img_validate: image rejected, manifest not found before image %d hash", |
There was a problem hiding this comment.
Isn't that at least warning? It ends up in rc = -1, so basically fails the function.
|
|
||
| /* No matching manifest found. */ | ||
| if (state->matching_manifest[image_index][slot] == BOOT_SLOT_NONE) { | ||
| BOOT_LOG_INF("bootutil_img_validate: image rejected, no valid manifest for image %d slot %d", |
There was a problem hiding this comment.
This is either warning or error, we are failing function here.
| { | ||
| uint32_t active_slot; | ||
|
|
||
| (void)state; |
| active_slot = find_slot_with_highest_version(state); | ||
| } | ||
| if (active_slot == BOOT_SLOT_NONE) { | ||
| BOOT_LOG_INF("No more manifest slots available"); |
|
|
||
| /* Check headers in all slots */ | ||
| for (slot = 0; slot < BOOT_NUM_SLOTS; slot++) { | ||
| hdr = boot_img_hdr(state, slot); |
There was a problem hiding this comment.
Can be moved into if under 231, there is only usage of this.
|
|
||
| #ifdef MCUBOOT_MANIFEST_UPDATES | ||
| if (image_index == MCUBOOT_MANIFEST_IMAGE_NUMBER && (!manifest_found || !manifest_valid)) { | ||
| BOOT_LOG_INF("bootutil_img_validate: slot %d rejected, manifest missing or invalid", slot); |
4 participants
Add a loader variant that is capable of booting images, based on a simple manifest.
Ideas: