Merge pull request #463 from jpbland1/bad-image-recovery

add emergency fallback test, currently fails due to

Author: dgarske

.github/workflows/test-powerfail-simulator.yml

@@ -51,6 +51,14 @@ jobs:
         run: |
           tools/scripts/sim-update-powerfail-resume.sh
 
+      - name: Rebuild wolfboot.elf
+        run: |
+          make clean && make test-sim-internal-flash-with-update
+
+      - name: Run emergency fallback test
+        run: |
+          tools/scripts/sim-update-emergency-fallback.sh
+
 
       # TEST with NVM_WRITEONCE enabled
       - name: make clean
@@ -89,6 +97,14 @@ jobs:
         run: |
           tools/scripts/sim-update-powerfail-resume.sh
 
+      - name: Rebuild wolfboot.elf
+        run: |
+          make clean && make test-sim-internal-flash-with-update
+
+      - name: Run emergency fallback test
+        run: |
+          tools/scripts/sim-update-emergency-fallback.sh
+
 
       # TEST with NVM_WRITEONCE AND FLAGS_HOME enabled
       - name: make clean
@@ -127,6 +143,14 @@ jobs:
         run: |
           tools/scripts/sim-update-powerfail-resume.sh
 
+      - name: Rebuild wolfboot.elf
+        run: |
+          make clean && make test-sim-internal-flash-with-update
+
+      - name: Run emergency fallback test
+        run: |
+          tools/scripts/sim-update-emergency-fallback.sh
+
 
       # TEST with NVM_WRITEONCE AND FLAGS_HOME AND FLAGS_INVERT enabled
       - name: make clean
@@ -165,6 +189,14 @@ jobs:
         run: |
           tools/scripts/sim-update-powerfail-resume.sh
 
+      - name: Rebuild wolfboot.elf
+        run: |
+          make clean && make test-sim-external-flash-with-update
+
+      - name: Run emergency fallback test
+        run: |
+          tools/scripts/sim-update-emergency-fallback.sh
+
 
       # TEST with DELTA updates
       - name: make clean
@@ -189,15 +221,15 @@ jobs:
 
       - name: Rebuild wolfboot.elf
         run: |
-          make test-sim-internal-flash-with-delta-update
+          make clean && make test-sim-internal-flash-with-delta-update
 
       - name: Run update-revert test (DELTA)
         run: |
           tools/scripts/sim-update-fallback.sh
 
       - name: Rebuild wolfboot.elf
         run: |
-          make test-sim-internal-flash-with-delta-update
+          make clean && make test-sim-internal-flash-with-delta-update
 
       - name: Run update-revert test with power failures (DELTA)
         run: |
@@ -248,6 +280,14 @@ jobs:
         run: |
           tools/scripts/sim-update-powerfail-resume.sh
 
+      - name: Rebuild wolfboot.elf
+        run: |
+          make clean && make test-sim-external-flash-with-enc-update
+
+      - name: Run emergency fallback test
+        run: |
+          tools/scripts/sim-update-emergency-fallback.sh
+
      # TEST with encryption (aes128) and delta updates
       - name: make clean
         run: |
@@ -322,6 +362,14 @@ jobs:
         run: |
           tools/scripts/sim-update-powerfail-resume.sh
 
+      - name: Rebuild wolfboot.elf
+        run: |
+          make clean && make test-sim-external-flash-with-enc-update
+
+      - name: Run emergency fallback test
+        run: |
+          tools/scripts/sim-update-emergency-fallback.sh
+
      # TEST with encryption (aes128) and NVM_WRITEONCE and FLAGS_HOME
 
       - name: make clean
@@ -355,6 +403,14 @@ jobs:
         run: |
           tools/scripts/sim-update-powerfail-resume.sh
 
+      - name: Rebuild wolfboot.elf
+        run: |
+          make clean && make test-sim-external-flash-with-enc-update
+
+      - name: Run emergency fallback test
+        run: |
+          tools/scripts/sim-update-emergency-fallback.sh
+
      # TEST with encryption (aes128) and NVM_WRITEONCE and FLAGS_HOME and FLAGS_INVERT
 
       - name: make clean
@@ -388,6 +444,14 @@ jobs:
         run: |
           tools/scripts/sim-update-powerfail-resume.sh
 
+      - name: Rebuild wolfboot.elf
+        run: |
+          make clean && make test-sim-external-flash-with-enc-update
+
+      - name: Run emergency fallback test
+        run: |
+          tools/scripts/sim-update-emergency-fallback.sh
+
      # TEST with encryption (aes128) and NVM_WRITEONCE and DELTA updates
       - name: make clean
         run: |
@@ -451,6 +515,7 @@ jobs:
       - name: Run update test with DISABLE_BACKUP and powefail
         run: |
           tools/scripts/sim-update-powerfail-resume-nobackup.sh
+
     # TEST with backup disabled + NVM_WRITEONCE
       - name: make clean
         run: |
@@ -478,6 +543,7 @@ jobs:
       - name: Run update test with DISABLE_BACKUP and powefail
         run: |
           tools/scripts/sim-update-powerfail-resume-nobackup.sh
+
     # TEST with backup disabled + FLAGS_HOME
       - name: make clean
         run: |

hal/sim.c

@@ -45,6 +45,7 @@
 uint8_t *sim_ram_base;
 static uint8_t *flash_base;
 
+int forceEmergency = 0;
 uint32_t erasefail_address = 0xFFFFFFFF;
 
 #define INTERNAL_FLASH_FILE "./internal_flash.dd"
@@ -105,8 +106,29 @@ void hal_prepare_boot(void)
 
 int hal_flash_write(uintptr_t address, const uint8_t *data, int len)
 {
-    /* implicit cast abide compiler warning */
-    memcpy((void*)address, data, len);
+    int i;
+    if (forceEmergency == 1 && address == WOLFBOOT_PARTITION_BOOT_ADDRESS) {
+        /* implicit cast abide compiler warning */
+        memset((void*)address, 0, len);
+        /* let the rest of the writes work properly for the emergency update */
+        forceEmergency = 0;
+    }
+    else {
+        for (i = 0; i < len; i++) {
+#ifdef NVM_FLASH_WRITEONCE
+            if (((uint8_t*)address)[i] != FLASH_BYTE_ERASED) {
+                /* no writing to non-erased page in NVM_FLASH_WRITEONCE */
+                printf("NVM_FLASH_WRITEONCE non-erased write detected!\n");
+                return -1;
+            }
+#endif
+#ifdef WOLFBOOT_FLAGS_INVERT
+            ((uint8_t*)address)[i] |= data[i];
+#else
+            ((uint8_t*)address)[i] &= data[i];
+#endif
+        }
+    }
     return 0;
 }
 
@@ -150,8 +172,11 @@ void hal_init(void)
             erasefail_address = strtol(main_argv[++i], NULL,  16);
             fprintf(stderr, "Set power fail to erase at address %x\n",
                 erasefail_address);
-            break;
         }
+        /* force a bad write of the boot partition to trigger and test the
+         * emergency fallback feature */
+        else if (strcmp(main_argv[i], "emergency") == 0)
+            forceEmergency = 1;
     }
 }
 

include/wolfboot/wolfboot.h

@@ -257,16 +257,18 @@ extern "C" {
 #ifndef WOLFBOOT_FLAGS_INVERT
 #define IMG_STATE_NEW       0xFF
 #define IMG_STATE_UPDATING  0x70
-#define IMG_STATE_FINAL_FLAGS  0x30
+/* now just an intermediary state, update state will always be either new or
+ * updating before the application boots*/
+#define IMG_STATE_FINAL_FLAGS 0x30
 #define IMG_STATE_TESTING   0x10
 #define IMG_STATE_SUCCESS   0x00
 #define FLASH_BYTE_ERASED   0xFF
 #define FLASH_WORD_ERASED   0xFFFFFFFFUL
 #else
 #define IMG_STATE_NEW       0x00
 #define IMG_STATE_UPDATING  0x8F
-#define IMG_STATE_FINAL_FLAGS  0xBF
 #define IMG_STATE_TESTING   0xEF
+#define IMG_STATE_FINAL_FLAGS 0xBF
 #define IMG_STATE_SUCCESS   0xFF
 #define FLASH_BYTE_ERASED   0x00
 #define FLASH_WORD_ERASED   0x00000000UL

src/image.c

@@ -611,8 +611,6 @@ static int image_sha256(struct wolfBoot_image *img, uint8_t *hash)
  */
 static void key_sha256(uint8_t key_slot, uint8_t *hash)
 {
-    int blksz;
-    unsigned int i = 0;
     uint8_t *pubkey = keystore_get_buffer(key_slot);
     int pubkey_sz = keystore_get_size(key_slot);
     wc_Sha256 sha256_ctx;
@@ -621,13 +619,7 @@ static void key_sha256(uint8_t key_slot, uint8_t *hash)
         return;
 
     wc_InitSha256(&sha256_ctx);
-    while (i < (uint32_t)pubkey_sz) {
-        blksz = WOLFBOOT_SHA_BLOCK_SIZE;
-        if ((i + blksz) > (uint32_t)pubkey_sz)
-            blksz = pubkey_sz - i;
-        wc_Sha256Update(&sha256_ctx, (pubkey + i), blksz);
-        i += blksz;
-    }
+    wc_Sha256Update(&sha256_ctx, pubkey, (word32)pubkey_sz);
     wc_Sha256Final(&sha256_ctx, hash);
 }
 #endif /* WOLFBOOT_NO_SIGN */
@@ -700,8 +692,6 @@ static int image_sha384(struct wolfBoot_image *img, uint8_t *hash)
  */
 static void key_sha384(uint8_t key_slot, uint8_t *hash)
 {
-    int blksz;
-    unsigned int i = 0;
     uint8_t *pubkey = keystore_get_buffer(key_slot);
     int pubkey_sz = keystore_get_size(key_slot);
     wc_Sha384 sha384_ctx;
@@ -710,13 +700,7 @@ static void key_sha384(uint8_t key_slot, uint8_t *hash)
         return;
 
     wc_InitSha384(&sha384_ctx);
-    while (i < (uint32_t)(pubkey_sz)) {
-        blksz = WOLFBOOT_SHA_BLOCK_SIZE;
-        if ((i + blksz) > (uint32_t)pubkey_sz)
-            blksz = pubkey_sz - i;
-        wc_Sha384Update(&sha384_ctx, (pubkey + i), blksz);
-        i += blksz;
-    }
+    wc_Sha384Update(&sha384_ctx, pubkey, (word32)pubkey_sz);
     wc_Sha384Final(&sha384_ctx, hash);
 }
 #endif /* WOLFBOOT_NO_SIGN */
@@ -789,22 +773,14 @@ static int image_sha3_384(struct wolfBoot_image *img, uint8_t *hash)
  */
 static void key_sha3_384(uint8_t key_slot, uint8_t *hash)
 {
-    int blksz;
-    unsigned int i = 0;
     uint8_t *pubkey = keystore_get_buffer(key_slot);
     int pubkey_sz = keystore_get_size(key_slot);
     wc_Sha3 sha3_ctx;
 
     if (!pubkey || (pubkey_sz < 0))
         return;
     wc_InitSha3_384(&sha3_ctx, NULL, INVALID_DEVID);
-    while (i < (uint32_t)pubkey_sz) {
-        blksz = WOLFBOOT_SHA_BLOCK_SIZE;
-        if ((i + blksz) > (uint32_t)pubkey_sz)
-            blksz = pubkey_sz - i;
-        wc_Sha3_384_Update(&sha3_ctx, pubkey + i, blksz);
-        i += blksz;
-    }
+    wc_Sha3_384_Update(&sha3_ctx, pubkey, (word32)pubkey_sz);
     wc_Sha3_384_Final(&sha3_ctx, hash);
 }
 #endif /* WOLFBOOT_NO_SIGN */

src/libwolfboot.c

@@ -350,12 +350,8 @@ static int RAMFUNCTION trailer_write(uint8_t part, uintptr_t addr, uint8_t val)
     /* Calculate write address */
     addr_write = addr_align - ((!nvm_cached_sector) * NVM_CACHE_SIZE);
 
-    /* Ensure that the destination was erased, or force erase */
-    if (*((uint32_t *)(addr_write + NVM_CACHE_SIZE - sizeof(uint32_t)))
-            != FLASH_WORD_ERASED)
-    {
-        hal_flash_erase(addr_write, NVM_CACHE_SIZE);
-    }
+    /* Ensure that the destination was erased */
+    hal_flash_erase(addr_write, NVM_CACHE_SIZE);
 #if FLASHBUFFER_SIZE != WOLFBOOT_SECTOR_SIZE
     addr_off = 0;
     while ((addr_off < WOLFBOOT_SECTOR_SIZE) && (ret == 0)) {
@@ -718,17 +714,21 @@ void RAMFUNCTION wolfBoot_erase_partition(uint8_t part)
     uint32_t address = 0;
     int size = 0;
 
-    if (part == PART_BOOT) {
-        address = (uint32_t)WOLFBOOT_PARTITION_BOOT_ADDRESS;
-        size = WOLFBOOT_PARTITION_SIZE;
-    }
-    if (part == PART_UPDATE) {
-        address = (uint32_t)WOLFBOOT_PARTITION_UPDATE_ADDRESS;
-        size = WOLFBOOT_PARTITION_SIZE;
-    }
-    if (part == PART_SWAP) {
-        address = (uint32_t)WOLFBOOT_PARTITION_SWAP_ADDRESS;
-        size = WOLFBOOT_SECTOR_SIZE;
+    switch (part) {
+        case PART_BOOT:
+            address = (uint32_t)WOLFBOOT_PARTITION_BOOT_ADDRESS;
+            size = WOLFBOOT_PARTITION_SIZE;
+            break;
+        case PART_UPDATE:
+            address = (uint32_t)WOLFBOOT_PARTITION_UPDATE_ADDRESS;
+            size = WOLFBOOT_PARTITION_SIZE;
+            break;
+        case PART_SWAP:
+            address = (uint32_t)WOLFBOOT_PARTITION_SWAP_ADDRESS;
+            size = WOLFBOOT_SECTOR_SIZE;
+            break;
+        default:
+            break;
     }
 
     if (size > 0) {
@@ -819,16 +819,10 @@ void RAMFUNCTION wolfBoot_success(void)
     if (FLAGS_BOOT_EXT()) {
         ext_flash_unlock();
         wolfBoot_set_partition_state(PART_BOOT, st);
-        /* set update so IMG_STATE_FINAL_FLAGS isn't triggering pointless calls
-         * to wolfBoot update */
-        wolfBoot_set_partition_state(PART_UPDATE, st);
         ext_flash_lock();
     } else {
         hal_flash_unlock();
         wolfBoot_set_partition_state(PART_BOOT, st);
-        /* set update so IMG_STATE_FINAL_FLAGS isn't triggering pointless calls
-         * to wolfBoot update */
-        wolfBoot_set_partition_state(PART_UPDATE, st);
         hal_flash_lock();
     }
 #ifdef EXT_ENCRYPTED
@@ -866,13 +860,9 @@ uint16_t wolfBoot_find_header(uint8_t *haystack, uint16_t type, uint8_t **ptr)
             unit_dbg("Explicit end of options reached\n");
             break;
         }
-        if (*p == HDR_PADDING) {
-            /* Padding byte (skip one position) */
-            p++;
-            continue;
-        }
-        /* Sanity check to prevent dereferencing unaligned half-words */
-        if ((((size_t)p) & 0x01) != 0) {
+        /* Sanity check to prevent dereferencing unaligned half-words and skip
+         * past padding bytes */
+        if ((*p == HDR_PADDING) || ((((size_t)p) & 0x01) != 0)) {
             p++;
             continue;
         }