Upmerge 08.08.2025 #513
base: main
Add a Kconfig symbol to allow selecting MCUBoot symbol MULTIPLE_EXECUTABLE_RAM_REGIONS. Signed-off-by: Erwan Gouriou <[email protected]>
…GIONS Now that a dedicated symbol exists, make use of it. Signed-off-by: Erwan Gouriou <[email protected]>
Add support for booting ARC processors to MCUBoot. ARC defines the reset vector as the first function pointer within the vector table. Signed-off-by: Daniel DeGrasse <[email protected]>
Information on TLV and format. Signed-off-by: Dominik Ermel <[email protected]>
Add support for HKDF/HMAC based on SHA512 for ECIES-X25519 key exchange. The commit adds MCUBOOT_HMAC_SHA512 that enables new TLV IMAGE_TLV_ENC_X25519_SHA512. Encryption code has been altered to support the MCUBOOT_HMAC_SHA512. Signed-off-by: Dominik Ermel <[email protected]>
The commit adds CONFIG_BOOT_HMAC_SHA512 that enables MCUboot configuration option MCUBOOT_HMAC_SHA512, that is used for switching HKDF/HMAC in ECIES key exchange to SHA512, from default SHA256. This option, currently, is only available for ECIES-X25519 with PSA as crypto backend. Signed-off-by: Dominik Ermel <[email protected]>
Commit adds imgtool command line option --hmac-sha allowing to select between SHA256 and SHA512 for HMAC/HKDF. Signed-off-by: Dominik Ermel <[email protected]>
During region copy, when chunk contains both header and TLVs, the encryption/decryption size is too large, as it takes into account TLVs only. The fix modifies the encryption/decryption size to take into account both header and TLVs. Signed-off-by: Stephane Le Roy <[email protected]>
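The size error described in the message above, as an added illustration in C (not MCUboot's own code): `payload_span` is a hypothetical helper that computes which bytes of one copy chunk lie inside the encrypted payload, i.e. after the clear-text header and before the clear-text TLV area, and `buggy_len` reproduces the shape of the defect, where the TLV clamp forgets the header bytes that were already excluded. The header size, TLV offset and chunk geometry in `main()` are constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper, not MCUboot's own code: which bytes of one copy chunk
 * must be (de)crypted. The image header (first hdr_sz bytes) and the TLV area
 * (from tlv_off to the end) are stored in clear; only the payload between them
 * is encrypted. All offsets are relative to the start of the image. */
struct enc_span {
    size_t start;   /* offset within the chunk of the first encrypted byte */
    size_t len;     /* number of bytes to (de)crypt, 0 if none */
};

static struct enc_span payload_span(size_t chunk_off, size_t chunk_sz,
                                    size_t hdr_sz, size_t tlv_off)
{
    struct enc_span s = { 0, 0 };
    size_t chunk_end = chunk_off + chunk_sz;
    /* Clamp the chunk to the encrypted window [hdr_sz, tlv_off). */
    size_t lo = chunk_off > hdr_sz ? chunk_off : hdr_sz;
    size_t hi = chunk_end < tlv_off ? chunk_end : tlv_off;

    if (hi > lo) {
        s.start = lo - chunk_off;
        s.len = hi - lo;
    }
    return s;
}

/* Shape of the defect described in the commit message: the header bytes are
 * subtracted first, but the TLV clamp then recomputes the length from the
 * chunk start, so a chunk holding both header and TLVs gets too large a size. */
static size_t buggy_len(size_t chunk_off, size_t chunk_sz,
                        size_t hdr_sz, size_t tlv_off)
{
    size_t len = chunk_sz;
    size_t chunk_end = chunk_off + chunk_sz;

    if (chunk_off < hdr_sz) {                       /* skip header */
        len = chunk_sz > hdr_sz - chunk_off ? chunk_sz - (hdr_sz - chunk_off) : 0;
    }
    if (chunk_end > tlv_off) {                      /* skip TLVs, header forgotten */
        len = chunk_off >= tlv_off ? 0 : tlv_off - chunk_off;
    }
    return len;
}

int main(void)
{
    /* Constructed sample: 32-byte header, TLVs at offset 100, one 128-byte chunk. */
    struct enc_span s = payload_span(0, 128, 32, 100);
    printf("fixed: start=%zu len=%zu, buggy len=%zu\n",
           s.start, s.len, buggy_len(0, 128, 32, 100));
    return 0;
}
```

With the sample geometry the buggy size is exactly the header size too large, which is the case the fix addresses; chunks that touch only the header or only the TLVs give the same answer in both versions.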
Opening/closing all the flash areas is already implemented in loader.c and will be needed in boot_serial to initialize a bootloader state. To avoid code duplication, this commit creates a routine to open all the flash areas of a state and expose in bootutil_priv.h that routine and the existing close_all_flash_areas routine to be able to access them from boot_serial. Signed-off-by: Thomas Altenbach <[email protected]>
For most upgrade strategies, it is currently needed to determine the sector layout of each flash area to initialize a bootloader state. This is made in loader.c by the internal boot_read_sectors routine. Since doing so will also be needed in boot_serial, this commit exposes this routine in bootutil_priv.h. Previously boot_read_sectors was assuming the provided bootloader state already contained buffers where to store the sectors. To avoid code duplication, the routine is now also responsible for initializing the state with the buffers that are provided as argument. By default, the global static buffers defined in loader.c are used. This will avoid allocating dedicated buffers in boot_serial. Signed-off-by: Thomas Altenbach <[email protected]>
Until d00b11d, it was possible to call bootutil_img_validate with a NULL bootloader state, provided the image is not encrypted. This was used in boot_serial for bs_list and bs_set. However, for swap strategies, a valid bootloader state is now needed by bootutil_max_image_size, invoked from bootutil_img_validate. Therefore, that change caused a NULL pointer access when calling bs_list or bs_set. To fix that issue, a valid bootloader state is now initialized and given to bs_list and bs_set each time bs_list_set is called. This state needs to be initialized with flash areas and sectors, which are used in bootutil_max_image_size. To avoid superfluous memory allocations, the global bootloader state defined in loader.c is used. This is assuming boot_serial_start and context_boot_go cannot run concurrently. Signed-off-by: Thomas Altenbach <[email protected]>
Now we have a valid bootloader state in bs_list and bs_set, opening and closing the flash areas within those routines is no longer needed. This commit removes superfluous open/close. Signed-off-by: Thomas Altenbach <[email protected]>
When swap-offset is used, the bs_list and bs_set routines need to determine the size of the flash sectors. Now a valid bootloader state is available, the value can directly be retrieved using boot_img_sector_size. Signed-off-by: Thomas Altenbach <[email protected]>
When swap-offset is used, multiple routines called directly or indirectly by bs_list or bs_set needed to know the start offset of the image in the secondary slot. When a valid bootloader state is available, this value is simply retrieved from the state. Since bs_list and bs_set had no valid state, a start_off parameter was added to all those routines to obtain the start offset without using the bootloader state. This is no longer needed, and since the start_off parameters were used only by bs_list and bs_set, they can be removed, which makes the code simpler and easier to read in numerous places. Signed-off-by: Thomas Altenbach <[email protected]>
…pted A valid bootloader state was needed to validate encrypted images, so the boot_image_validate_encrypted (only called from bs_list and bs_set) was allocating and initializing a minimal state with the required content. Now bs_list and bs_set have a valid bootloader state, the latter can be given to boot_image_validate_encrypted, avoiding two bootloader state allocations. Signed-off-by: Thomas Altenbach <[email protected]>
Option was removed before. Cleanup CMake, port of configuration and doc. Signed-off-by: Andrzej Puzdrowski <[email protected]>
Directly load an image to RAM and see if that works. Signed-off-by: Ederson de Souza <[email protected]>
The upstream tf-m repository is consistently unreliable, and causing numerous CI failures. Fix this by cloning from a github mirror maintained by this project. As the commit is pulled by sha, updating this mirror can be done manually when this is updated. Signed-off-by: David Brown <[email protected]>
This script is run with 'set -e' and will fail if any subcommand fails. There is no reason to chain a bunch of commands together with '&&' and it only serves to make the script more difficult to read and edit. Signed-off-by: David Brown <[email protected]>
Fixes passing the wrong slot ID to the hook calls in serial recovery mode Signed-off-by: Jamie McCrae <[email protected]>
Fixes an issue introduced in commit 3553663, which wrongly set the trailer size of non-swapping modes to 0 Signed-off-by: Jamie McCrae <[email protected]>
The define for the number of slots for this mode was wrongly set to 2 when it should have been 1 Signed-off-by: Jamie McCrae <[email protected]>
Fixes serial recovery issues in various MCUboot operating modes by moving functions that are needed out from loader to a common file and adapting them to work in these different modes Signed-off-by: Jamie McCrae <[email protected]>
Fixes the CBOR response when a flash area is not listed due to an error Signed-off-by: Jamie McCrae <[email protected]>
Fixes an issue whereby the offset of the secondary was wrongly used when uploading to the primary Signed-off-by: Jamie McCrae <[email protected]>
There was a faulty indent in some code Signed-off-by: Jamie McCrae <[email protected]>
Adds details about some fixed serial recovery issues Signed-off-by: Jamie McCrae <[email protected]>
Fetch the flash base address if direct hash calculation is performed. Signed-off-by: Tomasz Chyrowicz <[email protected]>
With the CONFIG_STM32_MEMMAP flag, get the NOR flash 32-byte header. Read the NOR flash to get the header of the image. The FLASH_DEVICE is now given by the parent of the "st,stm32-xspi-nor" node, which is the "st,stm32-xspi" compatible, the same for qspi/ospi instances of stm32 devices. Signed-off-by: Francois Ramu <[email protected]>
Define the stm32h7s7 board configuration to set the STM32 XIP mode that will enable the MemoryMapped mode. Gives larger sector size for the external NOR flash. See Kconfig of the stm32 soc. Choose the mcu_boot partition where to build ../bootloader/mcuboot/boot/zephyr Signed-off-by: Francois Ramu <[email protected]>
Added procedure which does configure UARTE pins to the default states. This allows to reduce power consumption if pin is floating. Clean up UARTE only if its driver was enabled Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit fac7ac4)
Zephyr provides "mcuboot-mbedtls-cfg.h" as glue interface for configuring mbedtls. "config-tls-generic.h" default value was erroneously introduced during a meta codebase synchronization. Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit c6e2585)
Compile out code which does cleanup on UARTE pins as this causes issues for some applications. ref.: NCSDK-33039 Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit 5f6e119)
Adding default configs. Signed-off-by: Mateusz Michalek <[email protected]> (cherry picked from commit 1aa8af0)
This commit adds cleanup for GRTC and UARTE peripherals. ref: NCSDK-32966 Signed-off-by: Artur Hadasz <[email protected]> (cherry picked from commit b6c992e)
Adds support for LZMA-compressed firmware updates which also supports encrypted images and supports more than 1 updateable image Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Michal Kozikowski <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit c3ba628) (cherry picked from commit 898b9bc)
Adds selecting the experimental Kconfig when compression is in use Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 0ae1441)
This commit aligns to the changes in the nrfcompress API, which now enables the caller to provide the expected size of the decompressed image. ref: NCSDK-32340 Signed-off-by: Michal Kozikowski <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 002515b)
Adds firmware loader code for use in baremetal mode Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit 9200785)
Enable ed25519 signature as well as direct hashing while building for nRF54H20DK. Ref: NCSDK-34304 Signed-off-by: Tomasz Chyrowicz <[email protected]> (cherry picked from commit 068718a)
Intended mainly for direct-xip mode. Allows to control:
- number of image validation attempts performed before considering the image invalid
- time before next attempt is made
Signed-off-by: Adam Szczygieł <[email protected]> (cherry picked from commit 2534681) (cherry picked from commit a9e70e4)
The commit adds verification of image using keys stored in KMU. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit e28f5e9) (cherry picked from commit 26192ca)
Adds a new Kconfig CONFIG_BOOT_SIGNATURE_KMU_SLOTS which allows specifying how many KMU key IDs are supported, the default is set to 1 instead of 3 which was set before NCSDK-30743 Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 373038b)
Disable previous generation key when update comes with new valid key and application is confirmed. Signed-off-by: Mateusz Michalek <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 9dacf6d)
Exclude certain crypto parts when PSA_CORE_LITE is selected. Signed-off-by: Mateusz Michalek <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 2f7059e)
This configuration has the purpose of using keys provisioned to the internal trusted storage (ITS). It makes use of the already existing parts of code for MCUBOOT_BUILTIN_KEY Signed-off-by: Artur Hadasz <[email protected]> (cherry picked from commit d69621e)
ECIES-X25519 key exchange on NRF54L will be using HMAC-SHA512 for MAC tagging encryption key. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 8b2d04c)
nrf-squash! [nrf noup] boot: Add retry for image verification Use NCS_ prefix, for Kconfigs added in noups, to avoid collisions. The NRF_ prefix will remain reserved for Kconfigs related to products or sdk-nrf subsystems. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 30e7326)
nrf-squash! [nrf noup] Added BOOT_SIGNATURE_USING_ITS for ecdsa configuration Replace NRF_BOOT_SIGNATURE_USING_ITS with NCS_BOOT_SIGNATURE_USING_ITS prefix. Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 4bfb139)
nrf-squash! [nrf noup] boot/zephyr/nrf_cleanup: cleanup uarte pins Fix indexing variable mismatch. Signed-off-by: Audun Korneliussen <[email protected]> (cherry picked from commit 58175b6)
Adding action to create manifest PRs automatically. Signed-off-by: Kari Hamalainen <[email protected]> (cherry picked from commit 37486f5)
Fixes wrongly including the asn1 MBEDTLS file when the Kconfig is set to not include it Upstream PR #: 2416 Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit bc5eb3f)
nrf-squash! [nrf noup] boot: zephyr: Add bm firmware loader code Fixes IO in BM mode to use the hal directly rather than a library that increases the build size by 2.5KiB for a simple button check Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit a184e32)
The default value of CONFIG_NRF_RTC_TIMER_USER_CHAN_COUNT for nRF52 SOCs has been changed from 0 to 3, but it makes MCUBoot get stuck on erasing flash pages when swapping two images. Restore the previous value until the RTC issue is resolved (see NCSDK-14427) Signed-off-by: Damian Krolik <[email protected]> Signed-off-by: Torsten Rasmussen <[email protected]> Signed-off-by: Jamie McCrae <[email protected]> Signed-off-by: Dominik Ermel <[email protected]> (cherry picked from commit 50e1caa)
Adds a boot banner which shows as MCUboot Signed-off-by: Jamie McCrae <[email protected]> (cherry picked from commit 8d31ad7)
…g status page For MCUboot's MCUBOOT_SINGLE_APPLICATION_SLOT, MCUBOOT_FIRMWARE_LOADER, MCUBOOT_SINGLE_APPLICATION_SLOT_RAM_LOAD modes there is no image run-time status data at the end of the image. Erase of that was done as the last image page erase - and was no harm before by luck. The following commit just revealed the issue: #35536633846b53ccdf01bea0594526de4b416fc0 Upstream PR #: 2417 Signed-off-by: Andrzej Puzdrowski <[email protected]> (cherry picked from commit c72ed15)
This "[nrf noup] boot: Use NCS_ prefix for sdk-nrf specific Kconfigs" should be squashed into this: "[nrf noup] Added BOOT_SIGNATURE_USING_ITS for ecdsa configuration"
And this one: "[nrf noup] boot: Use NCS_ prefix for sdk-nrf specific Kconfigs" should be squashed into this one: "[nrf noup] boot: Add retry for image verification"
I was not really planning to do rebasing like this in the upmerge. We have a script that helps to solve cherry-pick conflicts but it does not support rebasing work. So I would need to do a manual squash of these every time a new upmerge "run" is done. I can try to manually squash these just before the PR is ready to be merged if possible.
Conflicting commits at the moment of creating the PR; please verify that the conflicts were resolved correctly:
abaff57 - [nrf noup] zephyr: Restore default RTC user channel count
2cdbcb0 - [nrf noup] boot: nrf53-specific customizations
d5f373a - [nrf noup] boot: bootutil: loader: Add s0/s1 checking of MCUboot image
898b9bc - [nrf noup] zephyr: Add support for compressed image updates
a9e70e4 - [nrf noup] boot: Add retry for image verification
26192ca - [nrf noup] bootutil: Add support for KMU stored ED25519 signature key