[nrf noup] boot/bootutil/loader: image discovery by ih_load_address #461
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Update the configuration files for the Thingy:91 X targets to the ones used in production. Signed-off-by: Maximilian Deubel <[email protected]> (cherry picked from commit ac22a22)
Enable backporting of PRs. Signed-off-by: Carles Cufi <[email protected]> (cherry picked from commit cc73fc8)
Moved configs from nrf54l15pdk. Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit dfc1419)
…CTORS_AUTO Automatic calculation are based on DTS data which are no the right source on partition layout in case Partition manager does the partitioning. Signed-off-by: Andrzej Puzdrowski <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 5da97cf)
Adds additional conditions that lets the direct upload option to be selected on nRF5340 to allow for uploading network core updates directly to the network core with the flash simulator Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit 036ae01)
Configured CONFIG_NRF_RRAM_WRITE_BUFFER_SIZE=32 Which ensure the fastest bulk RRAM write operations. Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit 9916ecd)
Removes stray child/parent references Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit d9a4196)
MCUboot uses SOC_FLASH_0_ID and SPI_FLASH_0_ID to distinguish between internal and external boot device. These IDs are provided by sysflash.h, but the pm_sysflash.h overrides entire file, and was lacking that definitions. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 7f34a02)
Disabled NCS BOOT BANNER to save some flash, as Thingy:53 stopped to fit in the mcuboot partition. The boot banner is not used anyway, as logs are disabled. Signed-off-by: Kamil Kasperczyk <[email protected]> (cherry picked from commit 560cc01)
Adds check to region of mcuboot_secondary_1 to put it in external flash only if CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY is set. This should allow for DFU from internal flash on the nRF5340 with dynamic partitioning. Also fixing a typo. Signed-off-by: Sigurd Hellesvik <[email protected]> (cherry picked from commit 27e4783)
Select proper configuration and disable mbedTLS selection, as we are using NRF Security enabled Oberon. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 4bcddc1)
Fixes path variables to use the proper Zephyr module variables Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit b808352)
Adds support for LZMA-compressed firmware updates which also supports encrypted images and supports more than 1 updateable image Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit eb5056a)
The commit adds verification of image using keys stored in KMU. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 7d649aa)
Adds selecting the experimental Kconfig when compession is in use Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 7aebe39)
Adds a new Kconfig CONFIG_BOOT_SIGNATURE_KMU_SLOTS which allows specifying how many KMU key IDs are supported, the default is set to 1 instead of 3 which was set before NCSDK-30743 Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit 1a2e7b5)
Use snprinf, alloc, calloc and free from mbedTLS rather than from Zephyr. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit ec17f76)
Added basic support for nrf54h20dk_nrf54h20_cpuapp_iron board. This commit turns off CONFIG_FPROTECT for this board build. Signed-off-by: Michal Kozikowski <[email protected]> (cherry picked from commit e5ef402)
This commit removes NRF_CLOCK cleanup for this board build - for Lillium, there is no clock peripheral access from the app domain. Signed-off-by: Michal Kozikowski <[email protected]> (cherry picked from commit 0b41fc9)
Disable previous generation key when update comes with new valid key and application is confirmed. Signed-off-by: Mateusz Michalek <[email protected]> (cherry picked from commit 4546dc5)
Added procedure which does configure UARTE pins to the default states. This allows to reduce power consumption if pin is floating. clean-up UARTE only if its driver was enabled Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit bc7bc71)
Zephyr provides "mcuboot-mbedtls-cfg.h" as glue interface for configure mbedts. "config-tls-generic.h" default value was erroneously introduced during a meta codebase synchronization. Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit b09f774)
Compile out code which does cleanup on UARTE pins as this cause issues on for some applications. ref.: NCSDK-33039 Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit 083cab6)
adding default configs. Signed-off-by: Mateusz Michalek <[email protected]> (cherry picked from commit b7633cc)
This commit adds cleanup for GRTC and UARTE peripherals. ref: NCSDK-32966 Signed-off-by: Artur Hadasz <[email protected]> (cherry picked from commit 5afc0aa)
This commit aligns to the changes in the nrfcompress API, which now enables the caller to provide the expected size of the decompressed image. ref: NCSDK-32340 Signed-off-by: Michal Kozikowski <[email protected]>
pointer to the image ARM vector table should be placed out of stack which is being reconfigured before vt is used for branch to the application. This caused transient boot failure when CONFIG_LTO=y. Moved vt to static data scope. Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit 264f6ee)
Enable LTO to cut down the MCUboot size for nrf54l15 Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 671513c)
Remove unneeded and improve used. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 2367a60)
BOOT_ENC_KEY_SIZE is enough. BOOTUTIL_CRYPTO_AES_CTR_BLOCK_SIZE has been replaced with BOOT_ENC_BLOCK_SIZE. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 454cae8)
Remove redundant application size calculations in favor of a swap-specific function, implemented inside swap_<type>.c. In this way, slot sizes use the same restrictions as image validation. Upstream PR #: 2318 Signed-off-by: Tomasz Chyrowicz <[email protected]>
nrf-squash! [nrf noup] zephyr: add 'minimal' configuration files The boot banner caused enabling of CONFIG_PRINTK Signed-off-by: Artur Hadasz <[email protected]>
…configuration Remove configs that enable multithreading just because of SPI/QSPI use. Currently, nrf drivers do not depend on multithreading, so it is not needed and this change can save memory usage. Upstream PR #: 2375 Signed-off-by: Michal Kozikowski <[email protected]>
nrf-squash! [nrf noup] boot/zephyr: add nrf54l15dk ext flash configs This is a follow up to the upstream PR #2375 and it removes multithreading configs in 'noup' changes that were only here because of SPI/QSPI use. Signed-off-by: Michal Kozikowski <[email protected]>
nrf-squash! [nrf noup] boards: Thingy:91 X release config This is a follow up to the upstream PR #2375 and it removes multithreading configs in 'noup' changes that were only here because of SPI/QSPI use. Signed-off-by: Michal Kozikowski <[email protected]>
nrf-squash! [nrf noup] boot: nrf53-specific customizations This is a follow up to the upstream PR #2375 and it removes multithreading configs in 'noup' changes that were only here because of SPI/QSPI use. Signed-off-by: Michal Kozikowski <[email protected]>
Intended mainly for direct-xip mode. Allows to control: - number of image validation attempts performed before considering the image invalid - time before next attempt is made Signed-off-by: Adam Szczygieł <[email protected]>
This reverts commit 6227d66.
This reverts commit 324aed8.
…ture key" This reverts commit afb178a.
Option to put execution in infinite loop. Meant to be used for debug. Signed-off-by: Mateusz Michalek <[email protected]> (cherry picked from commit 5eaf190)
The commit adds verification of image using keys stored in KMU. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 3e3db4b) (cherry picked from commit 6f91355)
Adds a new Kconfig CONFIG_BOOT_SIGNATURE_KMU_SLOTS which allows specifying how many KMU key IDs are supported, the default is set to 1 instead of 3 which was set before NCSDK-30743 Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 8a366a3) (cherry picked from commit 36c1fdf)
Disable previous generation key when update comes with new valid key and application is confirmed. Signed-off-by: Mateusz Michalek <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 22c2cac) (cherry picked from commit 105551f)
This reverts commit ad2e825. Signed-off-by: Dominik Ermel <[email protected]>
Commit introduces BOOT_SOMETHING_USES_SHA<256,384,512> Kconfig options that can be used to control what algorithms should be compiled in with crypto backends. Upstream PR #: 2390 Signed-off-by: Dominik Ermel <[email protected]>
exclude certain crypto parts when PSA_CORE_LITE is selected. Signed-off-by: Mateusz Michalek <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 1916314) (cherry picked from commit ad2e825)
Allow to depend on a specific slot while specifying the version number. This functionality is useful when the Direct XIP mode is used and the booting process of other images is done by the next stage, not the MCUboot itself. Signed-off-by: Tomasz Chyrowicz <[email protected]> (cherry picked from commit dce784a)
Adds Kconfig option CONFIG_BOOT_ECDSA_PSA that allows to switch ECDSA to PSA backend. Signed-off-by: Artur Hadasz <[email protected]> (cherry picked from commit 5ee96f5)
nrf-squash! [nrf noup] boot: Add shared crypto for ECDSA and SHA If ASN1 was not enabled (in case of PSA crypto) a "defined but not used" warning was issued. This changes could not be placed in upstream as the line was modified by commit e3d6091 Signed-off-by: Artur Hadasz <[email protected]>
Similiar changes were made earlier for ED25519: PSA_CORE_LITE and NRF_SECURITY are only available in NCS nrf-squash! [nrf noup] zephyr: sdk-nrf specific overrides on PSA Kconfigs Signed-off-by: Artur Hadasz <[email protected]>
Introduce alternative procedure for detecting to which partition image candidate belongs. This method uses ih_load_address field of the image header instead of reset vector address. This allows to match incoming image to the partition even when it is for instance encrypted, as the image header is always plain-text. This new procedure can be enabled using CONFIG_MCUBOOT_USE_CHECK_LOAD_ADDR=y. Firmware need to be signed with imgtool.py sign --rom-fixed <partition_address> parameter. ref.: NCSIDB-1173 Signed-off-by: Andrzej Puzdrowski <[email protected]>
nvlsianpu
force-pushed
the
img_disc_by_load_addr
branch
from
2fb0029 to
5155061
Compare
|
nordicjm
requested changes
Jul 24, 2025
| @@ -1331,15 +1331,19 @@ boot_validate_slot(struct boot_loader_state *state, int slot, | |||
| if (fap == BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT)) { | |||
| const struct flash_area *pri_fa = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT); | |||
| struct image_header *secondary_hdr = boot_img_hdr(state, slot); | |||
| uint32_t reset_value = 0; | |||
| uint32_t reset_addr = secondary_hdr->ih_hdr_size + sizeof(reset_value); | |||
| uint32_t internal_img_addr = 0; /* either the reset handler addres or the image beginning addres */ | |||
| @@ -1620,8 +1635,9 @@ boot_validated_swap_type(struct boot_loader_state *state, | |||
| const struct flash_area *secondary_fa = | |||
| BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT); | |||
| struct image_header *hdr = boot_img_hdr(state, BOOT_SECONDARY_SLOT); | |||
| uint32_t reset_addr = 0; | |||
| uint32_t internal_img_addr = 0; /* either the reset handler addres or the image beginning addres */ | |||
There was a problem hiding this comment.
few place it needs correcting
| @@ -1283,10 +1283,17 @@ config USB_DEVICE_PRODUCT | |||
| config MCUBOOT_BOOTUTIL_LIB_OWN_LOG | |||
| bool | |||
|
|
|||
| config MCUBOOT_USE_CHECK_LOAD_ADDR | |||
| bool "use check of load address" | |||
There was a problem hiding this comment.
Suggested change
| bool "use check of load address" | |
| bool "Use check of load address" |
if we're adding to all new images, do we want to default y this? Or I guess not right away so other things e.g. qspi xip can be updated
| @@ -1597,6 +1601,17 @@ static inline void sec_slot_cleanup_if_unusable(void) | |||
| #endif /* defined(CONFIG_MCUBOOT_CLEANUP_UNUSABLE_SECONDARY) &&\ | |||
| defined(PM_S1_ADDRESS) || defined(CONFIG_SOC_NRF5340_CPUAPP) */ | |||
|
|
|||
| #define IS_IN_RANGE_CPUNET_APP_ADDR(_addr) ((_addr) >= PM_CPUNET_APP_ADDRESS && (_addr) < PM_CPUNET_APP_END_ADDRESS) | |||
| #define _IS_IN_RANGE_S_VARIANT_ADDR(_addr, x) ((_addr) >= PM_S##x_ADDRESS && (_addr) <= (PM_S##x_ADDRESS + PM_S##x_SIZE)) | |||
| #if (CONFIG_NCS_IS_VARIANT_IMAGE) | |||
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduce alternative procedure for detecting to which partition
image candidate belongs. This method uses ih_load_address field of the
image header instead of reset vector address. This allows to match
incoming image to the partition even when it is for instance encrypted,
as the image header is always plain-text.
This new procedure can be enabled using
CONFIG_MCUBOOT_USE_CHECK_LOAD_ADDR=y. Firmware need to be signed with
imgtool.py sign --rom-fixed <partition_address> parameter.
ref.: NCSIDB-1173