Replace flash partitioning terminology
This change replaces the slot 0/1 terminology with primary/secondary
slot and replaces FLASH_AREA_IMAGE_0/1 with
FLASH_AREA_IMAGE_PRIMARY/SECONDARY. This naming convention may be more
understandable, fits MCUs with multiple images better, and is an
architecture-agnostic alternative as well.
Change-Id: I655a585f6ae023852c671ee6635399efe25209c9
Signed-off-by: David Vincze <david.vincze@arm.com>
Signed-off-by: David Brown <david.brown@linaro.org>
diff --git a/.travis.yml b/.travis.yml
index 8f6a84a..042970f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -14,7 +14,7 @@
- os: linux
env: SINGLE_FEATURES="sig-ecdsa enc-kw bootstrap" TEST=sim
- os: linux
- env: SINGLE_FEATURES="none sig-rsa overwrite-only validate-slot0" TEST=sim
+ env: SINGLE_FEATURES="none sig-rsa overwrite-only validate-primary-slot" TEST=sim
- os: linux
env: SINGLE_FEATURES="enc-rsa" TEST=sim
@@ -25,19 +25,19 @@
- os: linux
env: MULTI_FEATURES="sig-rsa overwrite-only,sig-ecdsa overwrite-only" TEST=sim
- os: linux
- env: MULTI_FEATURES="sig-rsa validate-slot0,sig-ecdsa validate-slot0" TEST=sim
+ env: MULTI_FEATURES="sig-rsa validate-primary-slot,sig-ecdsa validate-primary-slot" TEST=sim
- os: linux
env: MULTI_FEATURES="enc-kw overwrite-only,enc-rsa overwrite-only" TEST=sim
- os: linux
- env: MULTI_FEATURES="sig-rsa enc-rsa validate-slot0" TEST=sim
+ env: MULTI_FEATURES="sig-rsa enc-rsa validate-primary-slot" TEST=sim
- os: linux
- env: MULTI_FEATURES="sig-rsa enc-kw validate-slot0 bootstrap" TEST=sim
+ env: MULTI_FEATURES="sig-rsa enc-kw validate-primary-slot bootstrap" TEST=sim
- os: linux
- env: MULTI_FEATURES="sig-ecdsa enc-kw validate-slot0" TEST=sim
+ env: MULTI_FEATURES="sig-ecdsa enc-kw validate-primary-slot" TEST=sim
# FIXME: this test actually fails and must be fixed
#- os: linux
- # env: MULTI_FEATURES="sig-rsa validate-slot0 overwrite-only"
+ # env: MULTI_FEATURES="sig-rsa validate-primary-slot overwrite-only"
- os: linux
language: go
diff --git a/boot/boot_serial/test/src/testcases/boot_serial_img_msg.c b/boot/boot_serial/test/src/testcases/boot_serial_img_msg.c
index a1aaf2f..e2c7dbd 100644
--- a/boot/boot_serial/test/src/testcases/boot_serial_img_msg.c
+++ b/boot/boot_serial/test/src/testcases/boot_serial_img_msg.c
@@ -59,9 +59,9 @@
tx_msg(buf, len);
/*
- * Validate contents inside image 0 slot
+ * Validate contents inside the primary slot
*/
- rc = flash_area_open(FLASH_AREA_IMAGE_0, &fap);
+ rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY, &fap);
assert(rc == 0);
rc = flash_area_read(fap, 0, enc_img, sizeof(img));
diff --git a/boot/boot_serial/test/src/testcases/boot_serial_upload_bigger_image.c b/boot/boot_serial/test/src/testcases/boot_serial_upload_bigger_image.c
index 1f4aa09..506000d 100644
--- a/boot/boot_serial/test/src/testcases/boot_serial_upload_bigger_image.c
+++ b/boot/boot_serial/test/src/testcases/boot_serial_upload_bigger_image.c
@@ -103,9 +103,9 @@
}
/*
- * Validate contents inside image 0 slot
+ * Validate contents inside the primary slot
*/
- rc = flash_area_open(FLASH_AREA_IMAGE_0, &fap);
+ rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY, &fap);
assert(rc == 0);
for (off = 0; off < sizeof(img); off += sizeof(enc_img)) {
diff --git a/boot/bootutil/include/bootutil/bootutil.h b/boot/bootutil/include/bootutil/bootutil.h
index 5f65866..b674823 100644
--- a/boot/bootutil/include/bootutil/bootutil.h
+++ b/boot/bootutil/include/bootutil/bootutil.h
@@ -26,13 +26,19 @@
extern "C" {
#endif
-/** Attempt to boot the contents of slot 0. */
+/** Attempt to boot the contents of the primary slot. */
#define BOOT_SWAP_TYPE_NONE 1
-/** Swap to slot 1. Absent a confirm command, revert back on next boot. */
+/**
+ * Swap to the secondary slot.
+ * Absent a confirm command, revert back on next boot.
+ */
#define BOOT_SWAP_TYPE_TEST 2
-/** Swap to slot 1, and permanently switch to booting its contents. */
+/**
+ * Swap to the secondary slot,
+ * and permanently switch to booting its contents.
+ */
#define BOOT_SWAP_TYPE_PERM 3
/** Swap back to alternate slot. A confirm changes this state to NONE. */
diff --git a/boot/bootutil/include/bootutil/caps.h b/boot/bootutil/include/bootutil/caps.h
index 6376683..dc4ba4a 100644
--- a/boot/bootutil/include/bootutil/caps.h
+++ b/boot/bootutil/include/bootutil/caps.h
@@ -32,14 +32,14 @@
*/
uint32_t bootutil_get_caps(void);
-#define BOOTUTIL_CAP_RSA2048 (1<<0)
-#define BOOTUTIL_CAP_ECDSA_P224 (1<<1)
-#define BOOTUTIL_CAP_ECDSA_P256 (1<<2)
-#define BOOTUTIL_CAP_SWAP_UPGRADE (1<<3)
-#define BOOTUTIL_CAP_OVERWRITE_UPGRADE (1<<4)
-#define BOOTUTIL_CAP_ENC_RSA (1<<5)
-#define BOOTUTIL_CAP_ENC_KW (1<<6)
-#define BOOTUTIL_CAP_VALIDATE_SLOT0 (1<<7)
+#define BOOTUTIL_CAP_RSA2048 (1<<0)
+#define BOOTUTIL_CAP_ECDSA_P224 (1<<1)
+#define BOOTUTIL_CAP_ECDSA_P256 (1<<2)
+#define BOOTUTIL_CAP_SWAP_UPGRADE (1<<3)
+#define BOOTUTIL_CAP_OVERWRITE_UPGRADE (1<<4)
+#define BOOTUTIL_CAP_ENC_RSA (1<<5)
+#define BOOTUTIL_CAP_ENC_KW (1<<6)
+#define BOOTUTIL_CAP_VALIDATE_PRIMARY_SLOT (1<<7)
#ifdef __cplusplus
}
diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c
index 47b41fd..514d669 100644
--- a/boot/bootutil/src/bootutil_misc.c
+++ b/boot/bootutil/src/bootutil_misc.c
@@ -51,11 +51,11 @@
const uint32_t BOOT_MAX_ALIGN = MAX_FLASH_ALIGN;
struct boot_swap_table {
- uint8_t magic_slot0;
- uint8_t magic_slot1;
- uint8_t image_ok_slot0;
- uint8_t image_ok_slot1;
- uint8_t copy_done_slot0;
+ uint8_t magic_primary_slot;
+ uint8_t magic_secondary_slot;
+ uint8_t image_ok_primary_slot;
+ uint8_t image_ok_secondary_slot;
+ uint8_t copy_done_primary_slot;
uint8_t swap_type;
};
@@ -64,36 +64,37 @@
* This set of tables maps image trailer contents to swap operation type.
* When searching for a match, these tables must be iterated sequentially.
*
- * NOTE: the table order is very important. The settings in Slot 1 always
- * are priority to Slot 0 and should be located earlier in the table.
+ * NOTE: the table order is very important. The settings in the secondary
+ * slot always are priority to the primary slot and should be located
+ * earlier in the table.
*
* The table lists only states where there is action needs to be taken by
* the bootloader, as in starting/finishing a swap operation.
*/
static const struct boot_swap_table boot_swap_tables[] = {
{
- .magic_slot0 = BOOT_MAGIC_ANY,
- .magic_slot1 = BOOT_MAGIC_GOOD,
- .image_ok_slot0 = BOOT_FLAG_ANY,
- .image_ok_slot1 = BOOT_FLAG_UNSET,
- .copy_done_slot0 = BOOT_FLAG_ANY,
- .swap_type = BOOT_SWAP_TYPE_TEST,
+ .magic_primary_slot = BOOT_MAGIC_ANY,
+ .magic_secondary_slot = BOOT_MAGIC_GOOD,
+ .image_ok_primary_slot = BOOT_FLAG_ANY,
+ .image_ok_secondary_slot = BOOT_FLAG_UNSET,
+ .copy_done_primary_slot = BOOT_FLAG_ANY,
+ .swap_type = BOOT_SWAP_TYPE_TEST,
},
{
- .magic_slot0 = BOOT_MAGIC_ANY,
- .magic_slot1 = BOOT_MAGIC_GOOD,
- .image_ok_slot0 = BOOT_FLAG_ANY,
- .image_ok_slot1 = BOOT_FLAG_SET,
- .copy_done_slot0 = BOOT_FLAG_ANY,
- .swap_type = BOOT_SWAP_TYPE_PERM,
+ .magic_primary_slot = BOOT_MAGIC_ANY,
+ .magic_secondary_slot = BOOT_MAGIC_GOOD,
+ .image_ok_primary_slot = BOOT_FLAG_ANY,
+ .image_ok_secondary_slot = BOOT_FLAG_SET,
+ .copy_done_primary_slot = BOOT_FLAG_ANY,
+ .swap_type = BOOT_SWAP_TYPE_PERM,
},
{
- .magic_slot0 = BOOT_MAGIC_GOOD,
- .magic_slot1 = BOOT_MAGIC_UNSET,
- .image_ok_slot0 = BOOT_FLAG_UNSET,
- .image_ok_slot1 = BOOT_FLAG_ANY,
- .copy_done_slot0 = BOOT_FLAG_SET,
- .swap_type = BOOT_SWAP_TYPE_REVERT,
+ .magic_primary_slot = BOOT_MAGIC_GOOD,
+ .magic_secondary_slot = BOOT_MAGIC_UNSET,
+ .image_ok_primary_slot = BOOT_FLAG_UNSET,
+ .image_ok_secondary_slot = BOOT_FLAG_ANY,
+ .copy_done_primary_slot = BOOT_FLAG_SET,
+ .swap_type = BOOT_SWAP_TYPE_REVERT,
},
};
@@ -157,8 +158,8 @@
boot_status_entries(const struct flash_area *fap)
{
switch (fap->fa_id) {
- case FLASH_AREA_IMAGE_0:
- case FLASH_AREA_IMAGE_1:
+ case FLASH_AREA_IMAGE_PRIMARY:
+ case FLASH_AREA_IMAGE_SECONDARY:
return BOOT_STATUS_STATE_COUNT * BOOT_STATUS_MAX_ENTRIES;
case FLASH_AREA_IMAGE_SCRATCH:
return BOOT_STATUS_STATE_COUNT;
@@ -262,7 +263,8 @@
}
off = boot_image_ok_off(fap);
- rc = flash_area_read_is_empty(fap, off, &state->image_ok, sizeof state->image_ok);
+ rc = flash_area_read_is_empty(fap, off, &state->image_ok,
+ sizeof state->image_ok);
if (rc < 0) {
return BOOT_EFLASH;
}
@@ -286,8 +288,8 @@
switch (flash_area_id) {
case FLASH_AREA_IMAGE_SCRATCH:
- case FLASH_AREA_IMAGE_0:
- case FLASH_AREA_IMAGE_1:
+ case FLASH_AREA_IMAGE_PRIMARY:
+ case FLASH_AREA_IMAGE_SECONDARY:
rc = flash_area_open(flash_area_id, &fap);
if (rc != 0) {
return BOOT_EFLASH;
@@ -312,13 +314,13 @@
/*
* In the middle a swap, tries to locate the saved swap size. Looks
- * for a valid magic, first on Slot 0, then on scratch. Both "slots"
- * can end up being temporary storage for a swap and it is assumed
- * that if magic is valid then swap size is too, because magic is
- * always written in the last step.
+ * for a valid magic, first on the primary slot, then on scratch.
+ * Both "slots" can end up being temporary storage for a swap and it
+ * is assumed that if magic is valid then swap size is too, because
+ * magic is always written in the last step.
*/
- rc = flash_area_open(FLASH_AREA_IMAGE_0, &fap);
+ rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY, &fap);
if (rc != 0) {
return BOOT_EFLASH;
}
@@ -332,7 +334,7 @@
if (memcmp(magic, boot_img_magic, BOOT_MAGIC_SZ) != 0) {
/*
- * If Slot 0 's magic is not valid, try scratch...
+ * If the primary slot's magic is not valid, try scratch...
*/
flash_area_close(fap);
@@ -372,7 +374,7 @@
const struct flash_area *fap;
int rc;
- rc = flash_area_open(FLASH_AREA_IMAGE_0, &fap);
+ rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY, &fap);
if (rc != 0) {
return BOOT_EFLASH;
}
@@ -386,7 +388,7 @@
if (memcmp(magic, boot_img_magic, BOOT_MAGIC_SZ) != 0) {
/*
- * If Slot 0 's magic is not valid, try scratch...
+ * If the primary slot's magic is not valid, try scratch...
*/
flash_area_close(fap);
@@ -528,17 +530,18 @@
boot_swap_type(void)
{
const struct boot_swap_table *table;
- struct boot_swap_state slot0;
- struct boot_swap_state slot1;
+ struct boot_swap_state primary_slot;
+ struct boot_swap_state secondary_slot;
int rc;
size_t i;
- rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_0, &slot0);
+ rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_PRIMARY, &primary_slot);
if (rc) {
return BOOT_SWAP_TYPE_PANIC;
}
- rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_1, &slot1);
+ rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SECONDARY,
+ &secondary_slot);
if (rc) {
return BOOT_SWAP_TYPE_PANIC;
}
@@ -546,16 +549,16 @@
for (i = 0; i < BOOT_SWAP_TABLES_COUNT; i++) {
table = boot_swap_tables + i;
- if ((table->magic_slot0 == BOOT_MAGIC_ANY ||
- table->magic_slot0 == slot0.magic) &&
- (table->magic_slot1 == BOOT_MAGIC_ANY ||
- table->magic_slot1 == slot1.magic) &&
- (table->image_ok_slot0 == BOOT_FLAG_ANY ||
- table->image_ok_slot0 == slot0.image_ok) &&
- (table->image_ok_slot1 == BOOT_FLAG_ANY ||
- table->image_ok_slot1 == slot1.image_ok) &&
- (table->copy_done_slot0 == BOOT_FLAG_ANY ||
- table->copy_done_slot0 == slot0.copy_done)) {
+ if ((table->magic_primary_slot == BOOT_MAGIC_ANY ||
+ table->magic_primary_slot == primary_slot.magic) &&
+ (table->magic_secondary_slot == BOOT_MAGIC_ANY ||
+ table->magic_secondary_slot == secondary_slot.magic) &&
+ (table->image_ok_primary_slot == BOOT_FLAG_ANY ||
+ table->image_ok_primary_slot == primary_slot.image_ok) &&
+ (table->image_ok_secondary_slot == BOOT_FLAG_ANY ||
+ table->image_ok_secondary_slot == secondary_slot.image_ok) &&
+ (table->copy_done_primary_slot == BOOT_FLAG_ANY ||
+ table->copy_done_primary_slot == primary_slot.copy_done)) {
BOOT_LOG_INF("Swap type: %s",
table->swap_type == BOOT_SWAP_TYPE_TEST ? "test" :
table->swap_type == BOOT_SWAP_TYPE_PERM ? "perm" :
@@ -573,8 +576,8 @@
}
/**
- * Marks the image in slot 1 as pending. On the next reboot, the system will
- * perform a one-time boot of the slot 1 image.
+ * Marks the image in the secondary slot as pending. On the next reboot,
+ * the system will perform a one-time boot of the the secondary slot image.
*
* @param permanent Whether the image should be used permanently or
* only tested once:
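Review bot: The reworded doc comment for boot_set_pending contains a duplicated word, "one-time boot of the the secondary slot image". The line should read `* the system will perform a one-time boot of the secondary slot image.`. The comment block and the function it documents continue outside this hunk.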
@@ -587,21 +590,22 @@
boot_set_pending(int permanent)
{
const struct flash_area *fap;
- struct boot_swap_state state_slot1;
+ struct boot_swap_state state_secondary_slot;
int rc;
- rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_1, &state_slot1);
+ rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SECONDARY,
+ &state_secondary_slot);
if (rc != 0) {
return rc;
}
- switch (state_slot1.magic) {
+ switch (state_secondary_slot.magic) {
case BOOT_MAGIC_GOOD:
/* Swap already scheduled. */
return 0;
case BOOT_MAGIC_UNSET:
- rc = flash_area_open(FLASH_AREA_IMAGE_1, &fap);
+ rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY, &fap);
if (rc != 0) {
rc = BOOT_EFLASH;
} else {
@@ -619,7 +623,7 @@
/* The image slot is corrupt. There is no way to recover, so erase the
* slot to allow future upgrades.
*/
- rc = flash_area_open(FLASH_AREA_IMAGE_1, &fap);
+ rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY, &fap);
if (rc != 0) {
return BOOT_EFLASH;
}
@@ -635,7 +639,9 @@
}
/**
- * Marks the image in slot 0 as confirmed. The system will continue booting into the image in slot 0 until told to boot from a different slot.
+ * Marks the image in the primary slot as confirmed. The system will continue
+ * booting into the image in the primary slot until told to boot from a
+ * different slot.
*
* @return 0 on success; nonzero on failure.
*/
@@ -643,15 +649,16 @@
boot_set_confirmed(void)
{
const struct flash_area *fap;
- struct boot_swap_state state_slot0;
+ struct boot_swap_state state_primary_slot;
int rc;
- rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_0, &state_slot0);
+ rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_PRIMARY,
+ &state_primary_slot);
if (rc != 0) {
return rc;
}
- switch (state_slot0.magic) {
+ switch (state_primary_slot.magic) {
case BOOT_MAGIC_GOOD:
/* Confirm needed; proceed. */
break;
@@ -665,19 +672,19 @@
return BOOT_EBADVECT;
}
- rc = flash_area_open(FLASH_AREA_IMAGE_0, &fap);
+ rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY, &fap);
if (rc) {
rc = BOOT_EFLASH;
goto done;
}
- if (state_slot0.copy_done == BOOT_FLAG_UNSET) {
+ if (state_primary_slot.copy_done == BOOT_FLAG_UNSET) {
/* Swap never completed. This is unexpected. */
rc = BOOT_EBADVECT;
goto done;
}
- if (state_slot0.image_ok != BOOT_FLAG_UNSET) {
+ if (state_primary_slot.image_ok != BOOT_FLAG_UNSET) {
/* Already confirmed. */
goto done;
}
diff --git a/boot/bootutil/src/bootutil_priv.h b/boot/bootutil/src/bootutil_priv.h
index bc9c61f..b6bb792 100644
--- a/boot/bootutil/src/bootutil_priv.h
+++ b/boot/bootutil/src/bootutil_priv.h
@@ -129,18 +129,26 @@
#endif
/** Number of image slots in flash; currently limited to two. */
-#define BOOT_NUM_SLOTS 2
+#define BOOT_NUM_SLOTS 2
/** Maximum number of image sectors supported by the bootloader. */
-#define BOOT_STATUS_STATE_COUNT 3
-#define BOOT_STATUS_MAX_ENTRIES BOOT_MAX_IMG_SECTORS
+#define BOOT_STATUS_STATE_COUNT 3
+#define BOOT_STATUS_MAX_ENTRIES BOOT_MAX_IMG_SECTORS
-#define BOOT_STATUS_SOURCE_NONE 0
-#define BOOT_STATUS_SOURCE_SCRATCH 1
-#define BOOT_STATUS_SOURCE_SLOT0 2
+#define BOOT_PRIMARY_SLOT 0
+#define BOOT_SECONDARY_SLOT 1
-#define BOOT_FLAG_IMAGE_OK 0
-#define BOOT_FLAG_COPY_DONE 1
+#define BOOT_STATUS_SOURCE_NONE 0
+#define BOOT_STATUS_SOURCE_SCRATCH 1
+#define BOOT_STATUS_SOURCE_PRIMARY_SLOT 2
+
+#define BOOT_FLAG_IMAGE_OK 0
+#define BOOT_FLAG_COPY_DONE 1
+
+#if defined(MCUBOOT_MYNEWT)
+ #define FLASH_AREA_IMAGE_PRIMARY FLASH_AREA_IMAGE_0
+ #define FLASH_AREA_IMAGE_SECONDARY FLASH_AREA_IMAGE_1
+#endif
extern const uint32_t BOOT_MAGIC_SZ;
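Review bot: `BOOT_PRIMARY_SLOT` and `BOOT_SECONDARY_SLOT` are introduced without a comment, although the later hunks in this file and in loader.c use them as indexes into `imgs[]` of the loader state. A one-line comment such as `/** Indexes into boot_loader_state.imgs[]; values must stay 0 and 1. */` would record that contract. The `FLASH_AREA_IMAGE_PRIMARY`/`FLASH_AREA_IMAGE_SECONDARY` mapping is supplied only under `MCUBOOT_MYNEWT`, so other ports presumably have to define both names in their own flash map header (not visible here). A short comment saying so would help porters.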
@@ -265,16 +273,19 @@
int rc;
switch (flash_area) {
- case FLASH_AREA_IMAGE_0:
- rc = flash_area_to_sectors(flash_area, &num_sectors, state->imgs[0].sectors);
- state->imgs[0].num_sectors = (size_t)num_sectors;
+ case FLASH_AREA_IMAGE_PRIMARY:
+ rc = flash_area_to_sectors(flash_area, &num_sectors,
+ state->imgs[BOOT_PRIMARY_SLOT].sectors);
+ state->imgs[BOOT_PRIMARY_SLOT].num_sectors = (size_t)num_sectors;
break;
- case FLASH_AREA_IMAGE_1:
- rc = flash_area_to_sectors(flash_area, &num_sectors, state->imgs[1].sectors);
- state->imgs[1].num_sectors = (size_t)num_sectors;
+ case FLASH_AREA_IMAGE_SECONDARY:
+ rc = flash_area_to_sectors(flash_area, &num_sectors,
+ state->imgs[BOOT_SECONDARY_SLOT].sectors);
+ state->imgs[BOOT_SECONDARY_SLOT].num_sectors = (size_t)num_sectors;
break;
case FLASH_AREA_IMAGE_SCRATCH:
- rc = flash_area_to_sectors(flash_area, &num_sectors, state->scratch.sectors);
+ rc = flash_area_to_sectors(flash_area, &num_sectors,
+ state->scratch.sectors);
state->scratch.num_sectors = (size_t)num_sectors;
break;
default:
@@ -310,15 +321,15 @@
int rc;
switch (flash_area) {
- case FLASH_AREA_IMAGE_0:
+ case FLASH_AREA_IMAGE_PRIMARY:
num_sectors = BOOT_MAX_IMG_SECTORS;
- out_sectors = state->imgs[0].sectors;
- out_num_sectors = &state->imgs[0].num_sectors;
+ out_sectors = state->imgs[BOOT_PRIMARY_SLOT].sectors;
+ out_num_sectors = &state->imgs[BOOT_PRIMARY_SLOT].num_sectors;
break;
- case FLASH_AREA_IMAGE_1:
+ case FLASH_AREA_IMAGE_SECONDARY:
num_sectors = BOOT_MAX_IMG_SECTORS;
- out_sectors = state->imgs[1].sectors;
- out_num_sectors = &state->imgs[1].num_sectors;
+ out_sectors = state->imgs[BOOT_SECONDARY_SLOT].sectors;
+ out_num_sectors = &state->imgs[BOOT_SECONDARY_SLOT].num_sectors;
break;
case FLASH_AREA_IMAGE_SCRATCH:
num_sectors = BOOT_MAX_IMG_SECTORS;
diff --git a/boot/bootutil/src/caps.c b/boot/bootutil/src/caps.c
index 85bd6fd..43e1bf6 100644
--- a/boot/bootutil/src/caps.c
+++ b/boot/bootutil/src/caps.c
@@ -41,8 +41,8 @@
#if defined(MCUBOOT_ENCRYPT_KW)
res |= BOOTUTIL_CAP_ENC_KW;
#endif
-#if defined(MCUBOOT_VALIDATE_SLOT0)
- res |= BOOTUTIL_CAP_VALIDATE_SLOT0;
+#if defined(MCUBOOT_VALIDATE_PRIMARY_SLOT)
+ res |= BOOTUTIL_CAP_VALIDATE_PRIMARY_SLOT;
#endif
return res;
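Review bot: Renaming the configuration macro to `MCUBOOT_VALIDATE_PRIMARY_SLOT` means a port whose config still defines `MCUBOOT_VALIDATE_SLOT0` now builds with primary-slot validation silently compiled out. Here the capability bit is dropped, and the same renamed `#if` guards `BOOT_STATUS_ASSERT` and the inconsistent-status `assert(0)` in the loader.c hunks. Whether every port configuration is updated by this commit is not visible from these hunks. A guard in a common header would turn a stale config into a build failure instead of a weaker bootloader: `#if defined(MCUBOOT_VALIDATE_SLOT0)` / `#error "MCUBOOT_VALIDATE_SLOT0 was renamed to MCUBOOT_VALIDATE_PRIMARY_SLOT"` / `#endif`. The enclosing function starts and ends outside this hunk.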
diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c
index fa502fe..14cbcd5 100644
--- a/boot/bootutil/src/encrypted.c
+++ b/boot/bootutil/src/encrypted.c
@@ -233,7 +233,7 @@
uint8_t enckey_type;
int rc;
- slot = fap->fa_id - FLASH_AREA_IMAGE_0;
+ slot = fap->fa_id - FLASH_AREA_IMAGE_PRIMARY;
/* Already loaded... */
if (enc_state[slot].valid) {
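Review bot: `slot = fap->fa_id - FLASH_AREA_IMAGE_PRIMARY;` is used to index `enc_state[]` with no range check. The same subtraction is repeated in `boot_enc_valid` and in the `enc = &enc_state[...]` lookup in the next two hunks of this file. With the area IDs now mapped per port, the arithmetic is only correct if the secondary ID is exactly primary + 1 and no other area (scratch, for instance) reaches these functions. The declaration of `slot` and the size of `enc_state` are outside the hunk. I would document that requirement next to the subtraction and reject other IDs first, for example `if (fap->fa_id != FLASH_AREA_IMAGE_PRIMARY && fap->fa_id != FLASH_AREA_IMAGE_SECONDARY) { return -1; }`.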
@@ -305,7 +305,7 @@
int
boot_enc_valid(const struct flash_area *fap)
{
- return enc_state[fap->fa_id - FLASH_AREA_IMAGE_0].valid;
+ return enc_state[fap->fa_id - FLASH_AREA_IMAGE_PRIMARY].valid;
}
void
@@ -325,7 +325,7 @@
nonce[14] = (uint8_t)(off >> 8);
nonce[15] = (uint8_t)off;
- enc = &enc_state[fap->fa_id - FLASH_AREA_IMAGE_0];
+ enc = &enc_state[fap->fa_id - FLASH_AREA_IMAGE_PRIMARY];
assert(enc->valid == 1);
for (i = 0; i < sz; i++) {
if (i == 0 || blk_off == 0) {
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index de2aa0e..9a5fe57 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -70,8 +70,10 @@
}
#ifdef MCUBOOT_ENC_IMAGES
- /* Encrypted images only exist in slot1 */
- if (fap->fa_id == FLASH_AREA_IMAGE_1 && IS_ENCRYPTED(hdr) && !boot_enc_valid(fap)) {
+ /* Encrypted images only exist in the secondary slot */
+ if (fap->fa_id == FLASH_AREA_IMAGE_SECONDARY &&
+ IS_ENCRYPTED(hdr) &&
+ !boot_enc_valid(fap)) {
return -1;
}
#endif
@@ -101,7 +103,9 @@
return rc;
}
#ifdef MCUBOOT_ENC_IMAGES
- if (fap->fa_id == FLASH_AREA_IMAGE_1 && IS_ENCRYPTED(hdr) && off >= hdr_size) {
+ if (fap->fa_id == FLASH_AREA_IMAGE_SECONDARY &&
+ IS_ENCRYPTED(hdr) &&
+ off >= hdr_size) {
blk_off = (off - hdr_size) & 0xf;
boot_encrypt(fap, off - hdr_size, blk_sz, blk_off, tmp_buf);
}
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
index af54b87..ac26bd2 100644
--- a/boot/bootutil/src/loader.c
+++ b/boot/bootutil/src/loader.c
@@ -44,7 +44,7 @@
static struct boot_loader_state boot_data;
-#if defined(MCUBOOT_VALIDATE_SLOT0) && !defined(MCUBOOT_OVERWRITE_ONLY)
+#if defined(MCUBOOT_VALIDATE_PRIMARY_SLOT) && !defined(MCUBOOT_OVERWRITE_ONLY)
static int boot_status_fails = 0;
#define BOOT_STATUS_ASSERT(x) \
do { \
@@ -57,9 +57,9 @@
#endif
struct boot_status_table {
- uint8_t bst_magic_slot0;
+ uint8_t bst_magic_primary_slot;
uint8_t bst_magic_scratch;
- uint8_t bst_copy_done_slot0;
+ uint8_t bst_copy_done_primary_slot;
uint8_t bst_status_source;
};
@@ -69,66 +69,66 @@
*/
static const struct boot_status_table boot_status_tables[] = {
{
- /* | slot-0 | scratch |
- * ----------+------------+------------|
- * magic | Good | Any |
- * copy-done | Set | N/A |
- * ----------+------------+------------'
- * source: none |
- * ------------------------------------'
+ /* | primary slot | scratch |
+ * ----------+--------------+--------------|
+ * magic | Good | Any |
+ * copy-done | Set | N/A |
+ * ----------+--------------+--------------'
+ * source: none |
+ * ----------------------------------------'
*/
- .bst_magic_slot0 = BOOT_MAGIC_GOOD,
- .bst_magic_scratch = BOOT_MAGIC_ANY,
- .bst_copy_done_slot0 = BOOT_FLAG_SET,
- .bst_status_source = BOOT_STATUS_SOURCE_NONE,
+ .bst_magic_primary_slot = BOOT_MAGIC_GOOD,
+ .bst_magic_scratch = BOOT_MAGIC_ANY,
+ .bst_copy_done_primary_slot = BOOT_FLAG_SET,
+ .bst_status_source = BOOT_STATUS_SOURCE_NONE,
},
{
- /* | slot-0 | scratch |
- * ----------+------------+------------|
- * magic | Good | Any |
- * copy-done | Unset | N/A |
- * ----------+------------+------------'
- * source: slot 0 |
- * ------------------------------------'
+ /* | primary slot | scratch |
+ * ----------+--------------+--------------|
+ * magic | Good | Any |
+ * copy-done | Unset | N/A |
+ * ----------+--------------+--------------'
+ * source: primary slot |
+ * ----------------------------------------'
*/
- .bst_magic_slot0 = BOOT_MAGIC_GOOD,
- .bst_magic_scratch = BOOT_MAGIC_ANY,
- .bst_copy_done_slot0 = BOOT_FLAG_UNSET,
- .bst_status_source = BOOT_STATUS_SOURCE_SLOT0,
+ .bst_magic_primary_slot = BOOT_MAGIC_GOOD,
+ .bst_magic_scratch = BOOT_MAGIC_ANY,
+ .bst_copy_done_primary_slot = BOOT_FLAG_UNSET,
+ .bst_status_source = BOOT_STATUS_SOURCE_PRIMARY_SLOT,
},
{
- /* | slot-0 | scratch |
- * ----------+------------+------------|
- * magic | Any | Good |
- * copy-done | Any | N/A |
- * ----------+------------+------------'
- * source: scratch |
- * ------------------------------------'
+ /* | primary slot | scratch |
+ * ----------+--------------+--------------|
+ * magic | Any | Good |
+ * copy-done | Any | N/A |
+ * ----------+--------------+--------------'
+ * source: scratch |
+ * ----------------------------------------'
*/
- .bst_magic_slot0 = BOOT_MAGIC_ANY,
- .bst_magic_scratch = BOOT_MAGIC_GOOD,
- .bst_copy_done_slot0 = BOOT_FLAG_ANY,
- .bst_status_source = BOOT_STATUS_SOURCE_SCRATCH,
+ .bst_magic_primary_slot = BOOT_MAGIC_ANY,
+ .bst_magic_scratch = BOOT_MAGIC_GOOD,
+ .bst_copy_done_primary_slot = BOOT_FLAG_ANY,
+ .bst_status_source = BOOT_STATUS_SOURCE_SCRATCH,
},
{
- /* | slot-0 | scratch |
- * ----------+------------+------------|
- * magic | Unset | Any |
- * copy-done | Unset | N/A |
- * ----------+------------+------------|
- * source: varies |
- * ------------------------------------+------------------------------+
+ /* | primary slot | scratch |
+ * ----------+--------------+--------------|
+ * magic | Unset | Any |
+ * copy-done | Unset | N/A |
+ * ----------+--------------+--------------|
+ * source: varies |
+ * ----------------------------------------+--------------------------+
* This represents one of two cases: |
* o No swaps ever (no status to read, so no harm in checking). |
- * o Mid-revert; status in slot 0. |
+ * o Mid-revert; status in primary slot. |
* -------------------------------------------------------------------'
*/
- .bst_magic_slot0 = BOOT_MAGIC_UNSET,
- .bst_magic_scratch = BOOT_MAGIC_ANY,
- .bst_copy_done_slot0 = BOOT_FLAG_UNSET,
- .bst_status_source = BOOT_STATUS_SOURCE_SLOT0,
+ .bst_magic_primary_slot = BOOT_MAGIC_UNSET,
+ .bst_magic_scratch = BOOT_MAGIC_ANY,
+ .bst_copy_done_primary_slot = BOOT_FLAG_UNSET,
+ .bst_status_source = BOOT_STATUS_SOURCE_PRIMARY_SLOT,
},
};
@@ -145,46 +145,49 @@
(state)->image_ok)
/**
- * Determines where in flash the most recent boot status is stored. The boot
+ * Determines where in flash the most recent boot status is stored. The boot
* status is necessary for completing a swap that was interrupted by a boot
* loader reset.
*
- * @return A BOOT_STATUS_SOURCE_[...] code indicating where * status should be read from.
+ * @return A BOOT_STATUS_SOURCE_[...] code indicating where status should
+ * be read from.
*/
static int
boot_status_source(void)
{
const struct boot_status_table *table;
struct boot_swap_state state_scratch;
- struct boot_swap_state state_slot0;
+ struct boot_swap_state state_primary_slot;
int rc;
size_t i;
uint8_t source;
- rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_0, &state_slot0);
+ rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_PRIMARY,
+ &state_primary_slot);
assert(rc == 0);
rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SCRATCH, &state_scratch);
assert(rc == 0);
- BOOT_LOG_SWAP_STATE("Image 0", &state_slot0);
+ BOOT_LOG_SWAP_STATE("Primary image", &state_primary_slot);
BOOT_LOG_SWAP_STATE("Scratch", &state_scratch);
for (i = 0; i < BOOT_STATUS_TABLES_COUNT; i++) {
table = &boot_status_tables[i];
- if ((table->bst_magic_slot0 == BOOT_MAGIC_ANY ||
- table->bst_magic_slot0 == state_slot0.magic) &&
- (table->bst_magic_scratch == BOOT_MAGIC_ANY ||
- table->bst_magic_scratch == state_scratch.magic) &&
- (table->bst_copy_done_slot0 == BOOT_FLAG_ANY ||
- table->bst_copy_done_slot0 == state_slot0.copy_done)) {
+ if ((table->bst_magic_primary_slot == BOOT_MAGIC_ANY ||
+ table->bst_magic_primary_slot == state_primary_slot.magic) &&
+ (table->bst_magic_scratch == BOOT_MAGIC_ANY ||
+ table->bst_magic_scratch == state_scratch.magic) &&
+ (table->bst_copy_done_primary_slot == BOOT_FLAG_ANY ||
+ table->bst_copy_done_primary_slot == state_primary_slot.copy_done))
+ {
source = table->bst_status_source;
BOOT_LOG_INF("Boot source: %s",
source == BOOT_STATUS_SOURCE_NONE ? "none" :
source == BOOT_STATUS_SOURCE_SCRATCH ? "scratch" :
- source == BOOT_STATUS_SOURCE_SLOT0 ? "slot 0" :
- "BUG; can't happen");
+ source == BOOT_STATUS_SOURCE_PRIMARY_SLOT ?
+ "primary slot" : "BUG; can't happen");
return source;
}
}
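Review bot: Both `boot_read_swap_state_by_id` results in boot_status_source are checked only with `assert(rc == 0)`. If assert is compiled out in a given build, a flash read failure lets the table match run on `state_primary_slot` and `state_scratch` contents that may never have been filled in. boot_swap_type in bootutil_misc.c handles the same call with `if (rc) { return BOOT_SWAP_TYPE_PANIC; }`. The commit does not change this, but an explicit error path would be worth adding while these lines are being touched. On style, the new `{` on its own line after the wrapped condition differs from the brace placement in the other hunks of this file. The function body continues past the end of the hunk.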
@@ -317,7 +320,7 @@
* on what the minimum write size is for scratch area, active image slot.
* We need to use the bigger of those 2 values.
*/
- elem_sz = flash_area_align(boot_data.imgs[0].area);
+ elem_sz = flash_area_align(boot_data.imgs[BOOT_PRIMARY_SLOT].area);
align = flash_area_align(boot_data.scratch.area);
if (align > elem_sz) {
elem_sz = align;
@@ -335,17 +338,20 @@
static int
boot_slots_compatible(void)
{
- size_t num_sectors_0;
- size_t num_sectors_1;
+ size_t num_sectors_primary;
+ size_t num_sectors_secondary;
size_t sz0, sz1;
- size_t slot0_sz, slot1_sz;
+ size_t primary_slot_sz, secondary_slot_sz;
size_t scratch_sz;
size_t i, j;
int8_t smaller;
- num_sectors_0 = boot_img_num_sectors(&boot_data, 0);
- num_sectors_1 = boot_img_num_sectors(&boot_data, 1);
- if (num_sectors_0 > BOOT_MAX_IMG_SECTORS || num_sectors_1 > BOOT_MAX_IMG_SECTORS) {
+ num_sectors_primary =
+ boot_img_num_sectors(&boot_data, BOOT_PRIMARY_SLOT);
+ num_sectors_secondary =
+ boot_img_num_sectors(&boot_data, BOOT_SECONDARY_SLOT);
+ if ((num_sectors_primary > BOOT_MAX_IMG_SECTORS) ||
+ (num_sectors_secondary > BOOT_MAX_IMG_SECTORS)) {
BOOT_LOG_WRN("Cannot upgrade: more sectors than allowed");
return 0;
}
@@ -359,18 +365,20 @@
* number of a slot's sectors are able to fit into another, which only
* excludes cases where sector sizes are not a multiple of each other.
*/
- i = sz0 = slot0_sz = 0;
- j = sz1 = slot1_sz = 0;
+ i = sz0 = primary_slot_sz = 0;
+ j = sz1 = secondary_slot_sz = 0;
smaller = 0;
- while (i < num_sectors_0 || j < num_sectors_1) {
+ while (i < num_sectors_primary || j < num_sectors_secondary) {
if (sz0 == sz1) {
- sz0 += boot_img_sector_size(&boot_data, 0, i);
- sz1 += boot_img_sector_size(&boot_data, 1, j);
+ sz0 += boot_img_sector_size(&boot_data, BOOT_PRIMARY_SLOT, i);
+ sz1 += boot_img_sector_size(&boot_data, BOOT_SECONDARY_SLOT, j);
i++;
j++;
} else if (sz0 < sz1) {
- sz0 += boot_img_sector_size(&boot_data, 0, i);
- /* guarantee that multiple sectors of slot1 fit into slot0 */
+ sz0 += boot_img_sector_size(&boot_data, BOOT_PRIMARY_SLOT, i);
+ /* Guarantee that multiple sectors of the secondary slot
+ * fit into the primary slot.
+ */
if (smaller == 2) {
BOOT_LOG_WRN("Cannot upgrade: slots have non-compatible sectors");
return 0;
@@ -378,8 +386,10 @@
smaller = 1;
i++;
} else {
- sz1 += boot_img_sector_size(&boot_data, 1, j);
- /* guarantee that multiple sectors of slot0 fit into slot1 */
+ sz1 += boot_img_sector_size(&boot_data, BOOT_SECONDARY_SLOT, j);
+ /* Guarantee that multiple sectors of the primary slot
+ * fit into the secondary slot.
+ */
if (smaller == 1) {
BOOT_LOG_WRN("Cannot upgrade: slots have non-compatible sectors");
return 0;
@@ -388,10 +398,10 @@
j++;
}
if (sz0 == sz1) {
- slot0_sz += sz0;
- slot1_sz += sz1;
- /* scratch has to fit each swap operation to the size of the larger
- * sector among slot0 and slot1
+ primary_slot_sz += sz0;
+ secondary_slot_sz += sz1;
+ /* Scratch has to fit each swap operation to the size of the larger
+ * sector among the primary slot and the secondary slot.
*/
if (sz0 > scratch_sz || sz1 > scratch_sz) {
BOOT_LOG_WRN("Cannot upgrade: not all sectors fit inside scratch");
@@ -401,7 +411,9 @@
}
}
- if (i != num_sectors_0 || j != num_sectors_1 || slot0_sz != slot1_sz) {
+ if ((i != num_sectors_primary) ||
+ (j != num_sectors_secondary) ||
+ (primary_slot_sz != secondary_slot_sz)) {
BOOT_LOG_WRN("Cannot upgrade: slots are not compatible");
return 0;
}
@@ -420,12 +432,12 @@
{
int rc;
- rc = boot_initialize_area(&boot_data, FLASH_AREA_IMAGE_0);
+ rc = boot_initialize_area(&boot_data, FLASH_AREA_IMAGE_PRIMARY);
if (rc != 0) {
return BOOT_EFLASH;
}
- rc = boot_initialize_area(&boot_data, FLASH_AREA_IMAGE_1);
+ rc = boot_initialize_area(&boot_data, FLASH_AREA_IMAGE_SECONDARY);
if (rc != 0) {
return BOOT_EFLASH;
}
@@ -499,9 +511,9 @@
*/
BOOT_LOG_ERR("Detected inconsistent status!");
-#if !defined(MCUBOOT_VALIDATE_SLOT0)
- /* With validation of slot0 disabled, there is no way to be sure the
- * swapped slot0 is OK, so abort!
+#if !defined(MCUBOOT_VALIDATE_PRIMARY_SLOT)
+ /* With validation of the primary slot disabled, there is no way
+ * to be sure the swapped primary slot is OK, so abort!
*/
assert(0);
#endif
@@ -551,8 +563,8 @@
area_id = FLASH_AREA_IMAGE_SCRATCH;
break;
- case BOOT_STATUS_SOURCE_SLOT0:
- area_id = FLASH_AREA_IMAGE_0;
+ case BOOT_STATUS_SOURCE_PRIMARY_SLOT:
+ area_id = FLASH_AREA_IMAGE_PRIMARY;
break;
default:
@@ -592,16 +604,17 @@
uint8_t erased_val;
/* NOTE: The first sector copied (that is the last sector on slot) contains
- * the trailer. Since in the last step SLOT 0 is erased, the first
- * two status writes go to the scratch which will be copied to SLOT 0!
+ * the trailer. Since in the last step the primary slot is erased, the
+ * first two status writes go to the scratch which will be copied to
+ * the primary slot!
*/
if (bs->use_scratch) {
/* Write to scratch. */
area_id = FLASH_AREA_IMAGE_SCRATCH;
} else {
- /* Write to slot 0. */
- area_id = FLASH_AREA_IMAGE_0;
+ /* Write to the primary slot. */
+ area_id = FLASH_AREA_IMAGE_PRIMARY;
}
rc = flash_area_open(area_id, &fap);
@@ -645,7 +658,7 @@
(void)bs;
(void)rc;
#else
- if (fap->fa_id == FLASH_AREA_IMAGE_1 && IS_ENCRYPTED(hdr)) {
+ if ((fap->fa_id == FLASH_AREA_IMAGE_SECONDARY) && IS_ENCRYPTED(hdr)) {
rc = boot_enc_load(hdr, fap, bs->enckey[1]);
if (rc < 0) {
return BOOT_EBADIMAGE;
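Review bot: `bs->enckey[1]` still hard-codes the slot index on the line directly after the renamed `FLASH_AREA_IMAGE_SECONDARY` check, while the rest of the commit replaces literal 0/1 indexes with `BOOT_PRIMARY_SLOT`/`BOOT_SECONDARY_SLOT`. Assuming `enckey[]` is indexed by slot like `imgs[]`, the call should read `rc = boot_enc_load(hdr, fap, bs->enckey[BOOT_SECONDARY_SLOT]);`. That way the key slot and the flash area being checked cannot drift apart. The enclosing function begins and ends outside this hunk.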
@@ -746,24 +759,25 @@
hdr = boot_img_hdr(&boot_data, slot);
if (boot_check_header_erased(slot) == 0 || (hdr->ih_flags & IMAGE_F_NON_BOOTABLE)) {
- /* No bootable image in slot; continue booting from slot 0. */
+ /* No bootable image in slot; continue booting from the primary slot. */
rc = -1;
goto out;
}
if ((hdr->ih_magic != IMAGE_MAGIC || boot_image_check(hdr, fap, bs) != 0)) {
- if (slot != 0) {
+ if (slot != BOOT_PRIMARY_SLOT) {
flash_area_erase(fap, 0, fap->fa_size);
- /* Image in slot 1 is invalid. Erase the image and
- * continue booting from slot 0.
+ /* Image in the secondary slot is invalid. Erase the image and
+ * continue booting from the primary slot.
*/
}
- BOOT_LOG_ERR("Image in slot %d is not valid!", slot);
+ BOOT_LOG_ERR("Image in the %s slot is not valid!",
+ (slot == BOOT_PRIMARY_SLOT) ? "primary" : "secondary");
rc = -1;
goto out;
}
- /* Image in slot 1 is valid. */
+ /* Image in the secondary slot is valid. */
rc = 0;
out:
@@ -773,9 +787,9 @@
/**
* Determines which swap operation to perform, if any. If it is determined
- * that a swap operation is required, the image in the second slot is checked
- * for validity. If the image in the second slot is invalid, it is erased, and
- * a swap type of "none" is indicated.
+ * that a swap operation is required, the image in the secondary slot is checked
+ * for validity. If the image in the secondary slot is invalid, it is erased,
+ * and a swap type of "none" is indicated.
*
* @return The type of swap to perform (BOOT_SWAP_TYPE...)
*/
@@ -789,8 +803,10 @@
case BOOT_SWAP_TYPE_TEST:
case BOOT_SWAP_TYPE_PERM:
case BOOT_SWAP_TYPE_REVERT:
- /* Boot loader wants to switch to slot 1. Ensure image is valid. */
- if (boot_validate_slot(1, bs) != 0) {
+ /* Boot loader wants to switch to the secondary slot.
+ * Ensure image is valid.
+ */
+ if (boot_validate_slot(BOOT_SECONDARY_SLOT, bs) != 0) {
swap_type = BOOT_SWAP_TYPE_FAIL;
}
}
@@ -824,11 +840,11 @@
scratch_sz = boot_scratch_area_size(&boot_data);
for (i = last_sector_idx; i >= 0; i--) {
- new_sz = sz + boot_img_sector_size(&boot_data, 0, i);
+ new_sz = sz + boot_img_sector_size(&boot_data, BOOT_PRIMARY_SLOT, i);
/*
- * slot1 is not being checked here, because `boot_slots_compatible`
- * already provides assurance that the copy size will be compatible
- * with slot0 and scratch.
+ * The secondary slot is not being checked here, because
+ * `boot_slots_compatible` already provides assurance that the copy size
+ * will be compatible with the primary slot and scratch.
*/
if (new_sz > scratch_sz) {
break;
@@ -906,14 +922,14 @@
}
#ifdef MCUBOOT_ENC_IMAGES
- if (fap_src->fa_id == FLASH_AREA_IMAGE_1 ||
- fap_dst->fa_id == FLASH_AREA_IMAGE_1) {
- /* assume slot1 as src, needs decryption */
- hdr = boot_img_hdr(&boot_data, 1);
+ if ((fap_src->fa_id == FLASH_AREA_IMAGE_SECONDARY) ||
+ (fap_dst->fa_id == FLASH_AREA_IMAGE_SECONDARY)) {
+ /* assume the secondary slot as src, needs decryption */
+ hdr = boot_img_hdr(&boot_data, BOOT_SECONDARY_SLOT);
off = off_src;
- if (fap_dst->fa_id == FLASH_AREA_IMAGE_1) {
- /* might need encryption (metadata from slot0) */
- hdr = boot_img_hdr(&boot_data, 0);
+ if (fap_dst->fa_id == FLASH_AREA_IMAGE_SECONDARY) {
+ /* might need encryption (metadata from the primary slot) */
+ hdr = boot_img_hdr(&boot_data, BOOT_PRIMARY_SLOT);
off = off_dst;
}
if (IS_ENCRYPTED(hdr)) {
@@ -959,7 +975,7 @@
struct boot_swap_state swap_state;
int rc;
- rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_1, &swap_state);
+ rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SECONDARY, &swap_state);
assert(rc == 0);
if (swap_state.image_ok == BOOT_FLAG_SET) {
@@ -998,11 +1014,11 @@
int rc;
switch (fap->fa_id) {
- case FLASH_AREA_IMAGE_0:
- slot = 0;
+ case FLASH_AREA_IMAGE_PRIMARY:
+ slot = BOOT_PRIMARY_SLOT;
break;
- case FLASH_AREA_IMAGE_1:
- slot = 1;
+ case FLASH_AREA_IMAGE_SECONDARY:
+ slot = BOOT_SECONDARY_SLOT;
break;
default:
return BOOT_EFLASH;
@@ -1041,8 +1057,8 @@
static void
boot_swap_sectors(int idx, uint32_t sz, struct boot_status *bs)
{
- const struct flash_area *fap_slot0;
- const struct flash_area *fap_slot1;
+ const struct flash_area *fap_primary_slot;
+ const struct flash_area *fap_secondary_slot;
const struct flash_area *fap_scratch;
uint32_t copy_sz;
uint32_t trailer_sz;
@@ -1053,7 +1069,7 @@
int rc;
/* Calculate offset from start of image area. */
- img_off = boot_img_sector_off(&boot_data, 0, idx);
+ img_off = boot_img_sector_off(&boot_data, BOOT_PRIMARY_SLOT, idx);
copy_sz = sz;
trailer_sz = boot_slots_trailer_sz(BOOT_WRITE_SZ(&boot_data));
@@ -1067,17 +1083,18 @@
* NOTE: `use_scratch` is a temporary flag (never written to flash) which
* controls if special handling is needed (swapping last sector).
*/
- last_sector = boot_img_num_sectors(&boot_data, 0) - 1;
- if (img_off + sz > boot_img_sector_off(&boot_data, 0, last_sector)) {
+ last_sector = boot_img_num_sectors(&boot_data, BOOT_PRIMARY_SLOT) - 1;
+ if (img_off + sz > boot_img_sector_off(&boot_data, BOOT_PRIMARY_SLOT,
+ last_sector)) {
copy_sz -= trailer_sz;
}
bs->use_scratch = (bs->idx == BOOT_STATUS_IDX_0 && copy_sz != sz);
- rc = flash_area_open(FLASH_AREA_IMAGE_0, &fap_slot0);
+ rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY, &fap_primary_slot);
assert (rc == 0);
- rc = flash_area_open(FLASH_AREA_IMAGE_1, &fap_slot1);
+ rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY, &fap_secondary_slot);
assert (rc == 0);
rc = flash_area_open(FLASH_AREA_IMAGE_SCRATCH, &fap_scratch);
@@ -1087,7 +1104,8 @@
rc = boot_erase_sector(fap_scratch, 0, sz);
assert(rc == 0);
- rc = boot_copy_sector(fap_slot1, fap_scratch, img_off, 0, copy_sz);
+ rc = boot_copy_sector(fap_secondary_slot, fap_scratch,
+ img_off, 0, copy_sz);
assert(rc == 0);
if (bs->idx == BOOT_STATUS_IDX_0) {
@@ -1098,10 +1116,10 @@
* last sector is not being used by the image data so it's
* safe to erase.
*/
- rc = boot_erase_trailer_sectors(fap_slot0);
+ rc = boot_erase_trailer_sectors(fap_primary_slot);
assert(rc == 0);
- boot_status_init(fap_slot0, bs);
+ boot_status_init(fap_primary_slot, bs);
}
}
@@ -1111,17 +1129,18 @@
}
if (bs->state == BOOT_STATUS_STATE_1) {
- rc = boot_erase_sector(fap_slot1, img_off, sz);
+ rc = boot_erase_sector(fap_secondary_slot, img_off, sz);
assert(rc == 0);
- rc = boot_copy_sector(fap_slot0, fap_slot1, img_off, img_off, copy_sz);
+ rc = boot_copy_sector(fap_primary_slot, fap_secondary_slot,
+ img_off, img_off, copy_sz);
assert(rc == 0);
if (bs->idx == BOOT_STATUS_IDX_0 && !bs->use_scratch) {
/* If not all sectors of the slot are being swapped,
- * guarantee here that only slot0 will have the state.
+ * guarantee here that only the primary slot will have the state.
*/
- rc = boot_erase_trailer_sectors(fap_slot1);
+ rc = boot_erase_trailer_sectors(fap_secondary_slot);
assert(rc == 0);
}
@@ -1131,19 +1150,20 @@
}
if (bs->state == BOOT_STATUS_STATE_2) {
- rc = boot_erase_sector(fap_slot0, img_off, sz);
+ rc = boot_erase_sector(fap_primary_slot, img_off, sz);
assert(rc == 0);
/* NOTE: also copy trailer from scratch (has status info) */
- rc = boot_copy_sector(fap_scratch, fap_slot0, 0, img_off, copy_sz);
+ rc = boot_copy_sector(fap_scratch, fap_primary_slot,
+ 0, img_off, copy_sz);
assert(rc == 0);
if (bs->use_scratch) {
scratch_trailer_off = boot_status_off(fap_scratch);
/* copy current status that is being maintained in scratch */
- rc = boot_copy_sector(fap_scratch, fap_slot0, scratch_trailer_off,
- img_off + copy_sz,
+ rc = boot_copy_sector(fap_scratch, fap_primary_slot,
+ scratch_trailer_off, img_off + copy_sz,
BOOT_STATUS_STATE_COUNT * BOOT_WRITE_SZ(&boot_data));
BOOT_STATUS_ASSERT(rc == 0);
@@ -1152,22 +1172,22 @@
assert(rc == 0);
if (swap_state.image_ok == BOOT_FLAG_SET) {
- rc = boot_write_image_ok(fap_slot0);
+ rc = boot_write_image_ok(fap_primary_slot);
assert(rc == 0);
}
- rc = boot_write_swap_size(fap_slot0, bs->swap_size);
+ rc = boot_write_swap_size(fap_primary_slot, bs->swap_size);
assert(rc == 0);
#ifdef MCUBOOT_ENC_IMAGES
- rc = boot_write_enc_key(fap_slot0, 0, bs->enckey[0]);
+ rc = boot_write_enc_key(fap_primary_slot, 0, bs->enckey[0]);
assert(rc == 0);
- rc = boot_write_enc_key(fap_slot0, 1, bs->enckey[1]);
+ rc = boot_write_enc_key(fap_primary_slot, 1, bs->enckey[1]);
assert(rc == 0);
#endif
- rc = boot_write_magic(fap_slot0);
+ rc = boot_write_magic(fap_primary_slot);
assert(rc == 0);
}
@@ -1178,16 +1198,16 @@
BOOT_STATUS_ASSERT(rc == 0);
}
- flash_area_close(fap_slot0);
- flash_area_close(fap_slot1);
+ flash_area_close(fap_primary_slot);
+ flash_area_close(fap_secondary_slot);
flash_area_close(fap_scratch);
}
#endif /* !MCUBOOT_OVERWRITE_ONLY */
/**
- * Overwrite slot 0 with the image contained in slot 1. If a prior copy
- * operation was interrupted by a system reset, this function redos the
- * copy.
+ * Overwrite primary slot with the image contained in the secondary slot.
+ * If a prior copy operation was interrupted by a system reset, this function
+ * redos the copy.
*
* @param bs The current boot status. This function reads
* this struct to determine if it is resuming
@@ -1207,30 +1227,33 @@
size_t size;
size_t this_size;
size_t last_sector;
- const struct flash_area *fap_slot0;
- const struct flash_area *fap_slot1;
+ const struct flash_area *fap_primary_slot;
+ const struct flash_area *fap_secondary_slot;
+
(void)bs;
#if defined(MCUBOOT_OVERWRITE_ONLY_FAST)
uint32_t src_size = 0;
- rc = boot_read_image_size(1, boot_img_hdr(&boot_data, 1), &src_size);
+ rc = boot_read_image_size(BOOT_SECONDARY_SLOT,
+ boot_img_hdr(&boot_data, BOOT_SECONDARY_SLOT),
+ &src_size);
assert(rc == 0);
#endif
- BOOT_LOG_INF("Image upgrade slot1 -> slot0");
- BOOT_LOG_INF("Erasing slot0");
+ BOOT_LOG_INF("Image upgrade secondary slot -> primary slot");
+ BOOT_LOG_INF("Erasing the primary slot");
- rc = flash_area_open(FLASH_AREA_IMAGE_0, &fap_slot0);
+ rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY, &fap_primary_slot);
assert (rc == 0);
- rc = flash_area_open(FLASH_AREA_IMAGE_1, &fap_slot1);
+ rc = flash_area_open(FLASH_AREA_IMAGE_SECONDARY, &fap_secondary_slot);
assert (rc == 0);
- sect_count = boot_img_num_sectors(&boot_data, 0);
+ sect_count = boot_img_num_sectors(&boot_data, BOOT_PRIMARY_SLOT);
for (sect = 0, size = 0; sect < sect_count; sect++) {
- this_size = boot_img_sector_size(&boot_data, 0, sect);
- rc = boot_erase_sector(fap_slot0, size, this_size);
+ this_size = boot_img_sector_size(&boot_data, BOOT_PRIMARY_SLOT, sect);
+ rc = boot_erase_sector(fap_primary_slot, size, this_size);
assert(rc == 0);
size += this_size;
@@ -1243,8 +1266,11 @@
}
#ifdef MCUBOOT_ENC_IMAGES
- if (IS_ENCRYPTED(boot_img_hdr(&boot_data, 1))) {
- rc = boot_enc_load(boot_img_hdr(&boot_data, 1), fap_slot1, bs->enckey[1]);
+ if (IS_ENCRYPTED(boot_img_hdr(&boot_data, BOOT_SECONDARY_SLOT))) {
+ rc = boot_enc_load(boot_img_hdr(&boot_data, BOOT_SECONDARY_SLOT),
+ fap_secondary_slot,
+ bs->enckey[1]);
+
if (rc < 0) {
return BOOT_EBADIMAGE;
}
@@ -1254,28 +1280,33 @@
}
#endif
- BOOT_LOG_INF("Copying slot 1 to slot 0: 0x%zx bytes", size);
- rc = boot_copy_sector(fap_slot1, fap_slot0, 0, 0, size);
+ BOOT_LOG_INF("Copying the secondary slot to the primary slot: 0x%zx bytes",
+ size);
+ rc = boot_copy_sector(fap_secondary_slot, fap_primary_slot, 0, 0, size);
/*
* Erases header and trailer. The trailer is erased because when a new
* image is written without a trailer as is the case when using newt, the
* trailer that was left might trigger a new upgrade.
*/
- rc = boot_erase_sector(fap_slot1,
- boot_img_sector_off(&boot_data, 1, 0),
- boot_img_sector_size(&boot_data, 1, 0));
+ rc = boot_erase_sector(fap_secondary_slot,
+ boot_img_sector_off(&boot_data,
+ BOOT_SECONDARY_SLOT, 0),
+ boot_img_sector_size(&boot_data,
+ BOOT_SECONDARY_SLOT, 0));
assert(rc == 0);
- last_sector = boot_img_num_sectors(&boot_data, 1) - 1;
- rc = boot_erase_sector(fap_slot1,
- boot_img_sector_off(&boot_data, 1, last_sector),
- boot_img_sector_size(&boot_data, 1, last_sector));
+ last_sector = boot_img_num_sectors(&boot_data, BOOT_SECONDARY_SLOT) - 1;
+ rc = boot_erase_sector(fap_secondary_slot,
+ boot_img_sector_off(&boot_data,
+ BOOT_SECONDARY_SLOT, last_sector),
+ boot_img_sector_size(&boot_data,
+ BOOT_SECONDARY_SLOT, last_sector));
assert(rc == 0);
- flash_area_close(fap_slot0);
- flash_area_close(fap_slot1);
+ flash_area_close(fap_primary_slot);
+ flash_area_close(fap_secondary_slot);
- /* TODO: Perhaps verify slot 0's signature again? */
+ /* TODO: Perhaps verify the primary slot's signature again? */
return 0;
}
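Review bot: The result of `boot_copy_sector(fap_secondary_slot, fap_primary_slot, 0, 0, size)` is overwritten by the next `rc = boot_erase_sector(...)` before anything checks it. A failed copy therefore still goes on to erase the first and last sectors of the secondary slot, and the function then returns 0. That can leave the primary slot partially written while the only complete copy of the image has lost its header. Adding `assert(rc == 0);` directly after the copy would match how every other flash call in this hunk is handled, and acting on the TODO about re-verifying the primary slot's signature would cover the same gap more firmly. The function begins outside this hunk.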
@@ -1300,7 +1331,7 @@
uint32_t sz;
int first_sector_idx;
int last_sector_idx;
- int last_idx_slot1;
+ int last_idx_secondary_slot;
uint32_t swap_idx;
struct image_header *hdr;
#ifdef MCUBOOT_ENC_IMAGES
@@ -1310,8 +1341,8 @@
#endif
uint32_t size;
uint32_t copy_size;
- uint32_t slot0_size;
- uint32_t slot1_size;
+ uint32_t primary_slot_size;
+ uint32_t secondary_slot_size;
int rc;
/* FIXME: just do this if asked by user? */
@@ -1323,15 +1354,15 @@
* No swap ever happened, so need to find the largest image which
* will be used to determine the amount of sectors to swap.
*/
- hdr = boot_img_hdr(&boot_data, 0);
+ hdr = boot_img_hdr(&boot_data, BOOT_PRIMARY_SLOT);
if (hdr->ih_magic == IMAGE_MAGIC) {
- rc = boot_read_image_size(0, hdr, ©_size);
+ rc = boot_read_image_size(BOOT_PRIMARY_SLOT, hdr, ©_size);
assert(rc == 0);
}
#ifdef MCUBOOT_ENC_IMAGES
if (IS_ENCRYPTED(hdr)) {
- fap = BOOT_IMG_AREA(&boot_data, 0);
+ fap = BOOT_IMG_AREA(&boot_data, BOOT_PRIMARY_SLOT);
rc = boot_enc_load(hdr, fap, bs->enckey[0]);
assert(rc >= 0);
@@ -1346,16 +1377,16 @@
}
#endif
- hdr = boot_img_hdr(&boot_data, 1);
+ hdr = boot_img_hdr(&boot_data, BOOT_SECONDARY_SLOT);
if (hdr->ih_magic == IMAGE_MAGIC) {
- rc = boot_read_image_size(1, hdr, &size);
+ rc = boot_read_image_size(BOOT_SECONDARY_SLOT, hdr, &size);
assert(rc == 0);
}
#ifdef MCUBOOT_ENC_IMAGES
- hdr = boot_img_hdr(&boot_data, 1);
+ hdr = boot_img_hdr(&boot_data, BOOT_SECONDARY_SLOT);
if (IS_ENCRYPTED(hdr)) {
- fap = BOOT_IMG_AREA(&boot_data, 1);
+ fap = BOOT_IMG_AREA(&boot_data, BOOT_SECONDARY_SLOT);
rc = boot_enc_load(hdr, fap, bs->enckey[1]);
assert(rc >= 0);
@@ -1404,31 +1435,37 @@
#endif
}
- slot0_size = 0;
- slot1_size = 0;
+ primary_slot_size = 0;
+ secondary_slot_size = 0;
last_sector_idx = 0;
- last_idx_slot1 = 0;
+ last_idx_secondary_slot = 0;
/*
* Knowing the size of the largest image between both slots, here we
- * find what is the last sector in slot0 that needs swapping. Since we
- * already know that both slots are compatible, slot1's last sector is
- * not really required after this check is finished.
+ * find what is the last sector in the primary slot that needs swapping.
+ * Since we already know that both slots are compatible, the secondary
+ * slot's last sector is not really required after this check is finished.
*/
while (1) {
- if (slot0_size < copy_size || slot0_size < slot1_size) {
- slot0_size += boot_img_sector_size(&boot_data, 0, last_sector_idx);
+ if ((primary_slot_size < copy_size) ||
+ (primary_slot_size < secondary_slot_size)) {
+ primary_slot_size += boot_img_sector_size(&boot_data,
+ BOOT_PRIMARY_SLOT,
+ last_sector_idx);
}
- if (slot1_size < copy_size || slot1_size < slot0_size) {
- slot1_size += boot_img_sector_size(&boot_data, 1, last_idx_slot1);
+ if ((secondary_slot_size < copy_size) ||
+ (secondary_slot_size < primary_slot_size)) {
+ secondary_slot_size += boot_img_sector_size(&boot_data,
+ BOOT_SECONDARY_SLOT,
+ last_idx_secondary_slot);
}
- if (slot0_size >= copy_size &&
- slot1_size >= copy_size &&
- slot0_size == slot1_size) {
+ if (primary_slot_size >= copy_size &&
+ secondary_slot_size >= copy_size &&
+ primary_slot_size == secondary_slot_size) {
break;
}
last_sector_idx++;
- last_idx_slot1++;
+ last_idx_secondary_slot++;
}
swap_idx = 0;
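Review bot: Nothing in this hunk bounds `last_sector_idx` or `last_idx_secondary_slot` by the slot's sector count. The `while (1)` loop increments both on every pass and exits only once the two accumulated sizes are equal and at least `copy_size`. In the preceding hunks `copy_size` appears to come from `boot_read_image_size()` on the image headers, so an oversized value would presumably make `boot_img_sector_size()` index past the sector table; whether an earlier check rules this out is not visible here. A guard at the top of the loop body, `assert(last_sector_idx < (int)boot_img_num_sectors(&boot_data, BOOT_PRIMARY_SLOT));` with the equivalent for the secondary index, would make the assumption explicit. The function starts and ends outside the hunk.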
@@ -1442,7 +1479,7 @@
swap_idx++;
}
-#ifdef MCUBOOT_VALIDATE_SLOT0
+#ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT
if (boot_status_fails > 0) {
BOOT_LOG_WRN("%d status write fails performing the swap", boot_status_fails);
}
@@ -1453,7 +1490,7 @@
#endif
/**
- * Marks the image in slot 0 as fully copied.
+ * Marks the image in the primary slot as fully copied.
*/
#ifndef MCUBOOT_OVERWRITE_ONLY
static int
@@ -1462,7 +1499,7 @@
const struct flash_area *fap;
int rc;
- rc = flash_area_open(FLASH_AREA_IMAGE_0, &fap);
+ rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY, &fap);
if (rc != 0) {
return BOOT_EFLASH;
}
@@ -1474,13 +1511,13 @@
#endif /* !MCUBOOT_OVERWRITE_ONLY */
/**
- * Marks a reverted image in slot 0 as confirmed. This is necessary to ensure
- * the status bytes from the image revert operation don't get processed on a
- * subsequent boot.
+ * Marks a reverted image in the primary slot as confirmed. This is necessary to
+ * ensure the status bytes from the image revert operation don't get processed
+ * on a subsequent boot.
*
* NOTE: image_ok is tested before writing because if there's a valid permanent
- * image installed on slot0 and the new image to be upgrade to has a bad sig,
- * image_ok would be overwritten.
+ * image installed on the primary slot and the new image to be upgrade to has a
+ * bad sig, image_ok would be overwritten.
*/
#ifndef MCUBOOT_OVERWRITE_ONLY
static int
@@ -1490,7 +1527,7 @@
struct boot_swap_state state;
int rc;
- rc = flash_area_open(FLASH_AREA_IMAGE_0, &fap);
+ rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY, &fap);
if (rc != 0) {
return BOOT_EFLASH;
}
@@ -1574,12 +1611,13 @@
* Header checks are done first because they are inexpensive.
* Since overwrite-only copies starting from offset 0, if
* interrupted, it might leave a valid header magic, so also
- * run validation on slot0 to be sure it's not OK.
+ * run validation on the primary slot to be sure it's not OK.
*/
- if (boot_check_header_erased(0) == 0 ||
- boot_validate_slot(0, &bs) != 0) {
- if (boot_img_hdr(&boot_data, 1)->ih_magic == IMAGE_MAGIC &&
- boot_validate_slot(1, &bs) == 0) {
+ if (boot_check_header_erased(BOOT_PRIMARY_SLOT) == 0 ||
+ boot_validate_slot(BOOT_PRIMARY_SLOT, &bs) != 0) {
+ if ((boot_img_hdr(&boot_data, BOOT_SECONDARY_SLOT)->ih_magic
+ == IMAGE_MAGIC ) &&
+ (boot_validate_slot(BOOT_SECONDARY_SLOT, &bs) == 0)) {
rc = boot_copy_image(&bs);
assert(rc == 0);
@@ -1618,11 +1656,11 @@
* necessary because the gcc option "-fdata-sections" doesn't seem to have
* any effect in older gcc versions (e.g., 4.8.4).
*/
- static boot_sector_t slot0_sectors[BOOT_MAX_IMG_SECTORS];
- static boot_sector_t slot1_sectors[BOOT_MAX_IMG_SECTORS];
+ static boot_sector_t primary_slot_sectors[BOOT_MAX_IMG_SECTORS];
+ static boot_sector_t secondary_slot_sectors[BOOT_MAX_IMG_SECTORS];
static boot_sector_t scratch_sectors[BOOT_MAX_IMG_SECTORS];
- boot_data.imgs[0].sectors = slot0_sectors;
- boot_data.imgs[1].sectors = slot1_sectors;
+ boot_data.imgs[BOOT_PRIMARY_SLOT].sectors = primary_slot_sectors;
+ boot_data.imgs[BOOT_SECONDARY_SLOT].sectors = secondary_slot_sectors;
boot_data.scratch.sectors = scratch_sectors;
#ifdef MCUBOOT_ENC_IMAGES
@@ -1655,7 +1693,7 @@
}
/* If the image slots aren't compatible, no swap is possible. Just boot
- * into slot 0.
+ * into the primary slot.
*/
if (boot_slots_compatible()) {
rc = boot_swap_if_needed(&swap_type);
@@ -1668,7 +1706,8 @@
* The following states need image_ok be explicitly set after the
* swap was finished to avoid a new revert.
*/
- if (swap_type == BOOT_SWAP_TYPE_REVERT || swap_type == BOOT_SWAP_TYPE_FAIL) {
+ if (swap_type == BOOT_SWAP_TYPE_REVERT ||
+ swap_type == BOOT_SWAP_TYPE_FAIL) {
#ifndef MCUBOOT_OVERWRITE_ONLY
rc = boot_set_image_ok();
if (rc != 0) {
@@ -1682,13 +1721,13 @@
switch (swap_type) {
case BOOT_SWAP_TYPE_NONE:
- slot = 0;
+ slot = BOOT_PRIMARY_SLOT;
break;
case BOOT_SWAP_TYPE_TEST: /* fallthrough */
case BOOT_SWAP_TYPE_PERM: /* fallthrough */
case BOOT_SWAP_TYPE_REVERT:
- slot = 1;
+ slot = BOOT_SECONDARY_SLOT;
reload_headers = true;
#ifndef MCUBOOT_OVERWRITE_ONLY
rc = boot_set_copy_done();
@@ -1699,11 +1738,11 @@
break;
case BOOT_SWAP_TYPE_FAIL:
- /* The image in slot 1 was invalid and is now erased. Ensure we don't
- * try to boot into it again on the next reboot. Do this by pretending
- * we just reverted back to slot 0.
+ /* The image in the secondary slot was invalid and is now erased.
+ * Ensure we don't try to boot into it again on the next reboot.
+ * Do this by pretending we just reverted back to the primary slot.
*/
- slot = 0;
+ slot = BOOT_PRIMARY_SLOT;
reload_headers = true;
break;
@@ -1726,33 +1765,34 @@
}
/* Since headers were reloaded, it can be assumed we just performed a
* swap or overwrite. Now the header info that should be used to
- * provide the data for the bootstrap, which previously was at Slot 1,
- * was updated to Slot 0.
+ * provide the data for the bootstrap, which previously was at the
+ * secondary slot, was updated to the primary slot.
*/
- slot = 0;
+ slot = BOOT_PRIMARY_SLOT;
}
-#ifdef MCUBOOT_VALIDATE_SLOT0
- rc = boot_validate_slot(0, NULL);
+#ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT
+ rc = boot_validate_slot(BOOT_PRIMARY_SLOT, NULL);
if (rc != 0) {
rc = BOOT_EBADIMAGE;
goto out;
}
#else
- /* Even if we're not re-validating slot 0, we could be booting
+ /* Even if we're not re-validating the primary slot, we could be booting
* onto an empty flash chip. At least do a basic sanity check that
* the magic number on the image is OK.
*/
- if (boot_data.imgs[0].hdr.ih_magic != IMAGE_MAGIC) {
- BOOT_LOG_ERR("bad image magic 0x%lx", (unsigned long)boot_data.imgs[0].hdr.ih_magic);
+ if (boot_data.imgs[BOOT_PRIMARY_SLOT].hdr.ih_magic != IMAGE_MAGIC) {
+ BOOT_LOG_ERR("bad image magic 0x%lx",
+ (unsigned long)boot_data.imgs[BOOT_PRIMARY_SLOT].hdr.ih_magic);
rc = BOOT_EBADIMAGE;
goto out;
}
#endif
/* Always boot from the primary slot. */
- rsp->br_flash_dev_id = boot_data.imgs[0].area->fa_device_id;
- rsp->br_image_off = boot_img_slot_off(&boot_data, 0);
+ rsp->br_flash_dev_id = boot_data.imgs[BOOT_PRIMARY_SLOT].area->fa_device_id;
+ rsp->br_image_off = boot_img_slot_off(&boot_data, BOOT_PRIMARY_SLOT);
rsp->br_hdr = boot_img_hdr(&boot_data, slot);
out:
diff --git a/boot/bootutil/test/src/boot_test.h b/boot/bootutil/test/src/boot_test.h
index eec85b1..08c9c08 100644
--- a/boot/bootutil/test/src/boot_test.h
+++ b/boot/bootutil/test/src/boot_test.h
@@ -73,9 +73,9 @@
uint32_t image_addr, int img_msb);
void boot_test_util_verify_status_clear(void);
void boot_test_util_verify_flash(const struct image_header *hdr0,
- int orig_slot_0,
+ int orig_primary_slot,
const struct image_header *hdr1,
- int orig_slot_1);
+ int orig_secondary_slot);
void boot_test_util_verify_all(int expected_swap_type,
const struct image_header *hdr0,
const struct image_header *hdr1);
diff --git a/boot/bootutil/test/src/boot_test_utils.c b/boot/bootutil/test/src/boot_test_utils.c
index bf66d24..3758743 100644
--- a/boot/bootutil/test/src/boot_test_utils.c
+++ b/boot/bootutil/test/src/boot_test_utils.c
@@ -62,7 +62,7 @@
const struct flash_area *fap;
int rc;
- rc = flash_area_open(FLASH_AREA_IMAGE_0, &fap);
+ rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY, &fap);
TEST_ASSERT_FATAL(rc == 0);
return flash_area_align(fap);
@@ -130,7 +130,7 @@
return size;
}
- /* Don't include trailer in copy to second slot. */
+ /* Don't include trailer in copy to the secondary slot. */
desc = boot_test_area_descs + dst_idx;
elem_sz = boot_test_util_flash_align();
trailer_start = desc->fa_size - boot_trailer_sz(elem_sz);
@@ -202,7 +202,7 @@
int rc;
int i;
- TEST_ASSERT(slot == 0 || slot == 1);
+ TEST_ASSERT(slot == BOOT_PRIMARY_SLOT || slot == BOOT_SECONDARY_SLOT);
flash_id = boot_test_img_addrs[slot].flash_id;
off = boot_test_img_addrs[slot].address;
@@ -313,25 +313,27 @@
void
boot_test_util_mark_revert(void)
{
- struct boot_swap_state state_slot0 = {
+ struct boot_swap_state state_primary_slot = {
.magic = BOOT_MAGIC_GOOD,
.copy_done = 0x01,
.image_ok = 0xff,
};
- boot_test_util_write_swap_state(FLASH_AREA_IMAGE_0, &state_slot0);
+ boot_test_util_write_swap_state(FLASH_AREA_IMAGE_PRIMARY,
+ &state_primary_slot);
}
void
boot_test_util_mark_swap_perm(void)
{
- struct boot_swap_state state_slot0 = {
+ struct boot_swap_state state_primary_slot = {
.magic = BOOT_MAGIC_GOOD,
.copy_done = 0x01,
.image_ok = 0x01,
};
- boot_test_util_write_swap_state(FLASH_AREA_IMAGE_0, &state_slot0);
+ boot_test_util_write_swap_state(FLASH_AREA_IMAGE_PRIMARY,
+ &state_primary_slot);
}
void
@@ -412,20 +414,22 @@
void
boot_test_util_verify_status_clear(void)
{
- struct boot_swap_state state_slot0;
+ struct boot_swap_state state_primary_slot;
int rc;
- rc = boot_read_swap_state_img(0, &state_slot0);
+ rc = boot_read_swap_state_img(0, &state_primary_slot);
assert(rc == 0);
- TEST_ASSERT(state_slot0.magic != BOOT_MAGIC_UNSET ||
- state_slot0.copy_done != 0);
+ TEST_ASSERT(state_primary_slot.magic != BOOT_MAGIC_UNSET ||
+ state_primary_slot.copy_done != 0);
}
void
-boot_test_util_verify_flash(const struct image_header *hdr0, int orig_slot_0,
- const struct image_header *hdr1, int orig_slot_1)
+boot_test_util_verify_flash(const struct image_header *hdr0,
+ int orig_primary_slot,
+ const struct image_header *hdr1,
+ int orig_secondary_slot)
{
const struct flash_area *area_desc;
int area_idx;
@@ -440,7 +444,8 @@
}
boot_test_util_verify_area(area_desc, hdr0,
- boot_test_img_addrs[0].address, orig_slot_0);
+ boot_test_img_addrs[0].address,
+ orig_primary_slot);
area_idx++;
}
@@ -451,7 +456,8 @@
area_desc = boot_test_area_descs + area_idx;
boot_test_util_verify_area(area_desc, hdr1,
- boot_test_img_addrs[1].address, orig_slot_1);
+ boot_test_img_addrs[1].address,
+ orig_secondary_slot);
area_idx++;
}
}
@@ -461,12 +467,12 @@
const struct image_header *hdr0,
const struct image_header *hdr1)
{
- const struct image_header *slot0hdr;
- const struct image_header *slot1hdr;
+ const struct image_header *primary_slot_hdr;
+ const struct image_header *secondary_slot_hdr;
struct boot_rsp rsp;
uintptr_t flash_base;
- int orig_slot_0;
- int orig_slot_1;
+ int orig_primary_slot;
+ int orig_secondary_slot;
int num_swaps;
int rc;
int i;
@@ -484,36 +490,37 @@
if (num_swaps % 2 == 0) {
if (hdr0 != NULL) {
- slot0hdr = hdr0;
- slot1hdr = hdr1;
+ primary_slot_hdr = hdr0;
+ secondary_slot_hdr = hdr1;
} else {
- slot0hdr = hdr1;
- slot1hdr = hdr0;
+ primary_slot_hdr = hdr1;
+ secondary_slot_hdr = hdr0;
}
- orig_slot_0 = 0;
- orig_slot_1 = 1;
+ orig_primary_slot = BOOT_PRIMARY_SLOT;
+ orig_secondary_slot = BOOT_SECONDARY_SLOT;
} else {
if (hdr1 != NULL) {
- slot0hdr = hdr1;
- slot1hdr = hdr0;
+ primary_slot_hdr = hdr1;
+ secondary_slot_hdr = hdr0;
} else {
- slot0hdr = hdr0;
- slot1hdr = hdr1;
+ primary_slot_hdr = hdr0;
+ secondary_slot_hdr = hdr1;
}
- orig_slot_0 = 1;
- orig_slot_1 = 0;
+ orig_primary_slot = BOOT_SECONDARY_SLOT;
+ orig_secondary_slot = BOOT_PRIMARY_SLOT;
}
rc = flash_device_base(rsp->br_flash_dev_id, &flash_base);
TEST_ASSERT_FATAL(rc == 0);
- TEST_ASSERT(memcmp(rsp.br_hdr, slot0hdr, sizeof *slot0hdr) == 0);
+ TEST_ASSERT(memcmp(rsp.br_hdr, primary_slot_hdr,
+ sizeof *primary_slot_hdr) == 0);
TEST_ASSERT(rsp.br_flash_dev_id == boot_test_img_addrs[0].flash_id);
TEST_ASSERT(flash_base + rsp.br_image_off ==
boot_test_img_addrs[0].address);
- boot_test_util_verify_flash(slot0hdr, orig_slot_0,
- slot1hdr, orig_slot_1);
+ boot_test_util_verify_flash(primary_slot_hdr, orig_primary_slot,
+ secondary_slot_hdr, orig_secondary_slot);
boot_test_util_verify_status_clear();
if (expected_swap_type != BOOT_SWAP_TYPE_NONE) {
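Review bot: `flash_device_base(rsp->br_flash_dev_id, &flash_base)` dereferences `rsp` as a pointer, while the lines right after it use `rsp.br_hdr` and `rsp.br_flash_dev_id`. The previous hunk, apparently in the same function, declares `struct boot_rsp rsp;`. The commit rewrites the neighbouring lines but leaves this one, so the test file presumably does not compile as shown; `rsp.br_flash_dev_id` would be the consistent form. The function begins and ends outside this hunk.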
diff --git a/boot/bootutil/test/src/testcases/boot_test_invalid_hash.c b/boot/bootutil/test/src/testcases/boot_test_invalid_hash.c
index bac3f7e..dedde95 100644
--- a/boot/bootutil/test/src/testcases/boot_test_invalid_hash.c
+++ b/boot/bootutil/test/src/testcases/boot_test_invalid_hash.c
@@ -44,9 +44,9 @@
.it_len = 32
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr0, 0);
- boot_test_util_write_hash(&hdr0, 0);
- boot_test_util_write_image(&hdr1, 1);
+ boot_test_util_write_image(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_image(&hdr1, BOOT_SECONDARY_SLOT);
rc = hal_flash_write(boot_test_img_addrs[1].flash_id,
boot_test_img_addrs[1].address + hdr1.ih_hdr_size + hdr1.ih_img_size,
&tlv, sizeof(tlv));
diff --git a/boot/bootutil/test/src/testcases/boot_test_no_flag_has_hash.c b/boot/bootutil/test/src/testcases/boot_test_no_flag_has_hash.c
index b6a8ec5..30e098d 100644
--- a/boot/bootutil/test/src/testcases/boot_test_no_flag_has_hash.c
+++ b/boot/bootutil/test/src/testcases/boot_test_no_flag_has_hash.c
@@ -40,10 +40,10 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr0, 0);
- boot_test_util_write_hash(&hdr0, 0);
- boot_test_util_write_image(&hdr1, 1);
- boot_test_util_write_hash(&hdr1, 1);
+ boot_test_util_write_image(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_image(&hdr1, BOOT_SECONDARY_SLOT);
+ boot_test_util_write_hash(&hdr1, BOOT_SECONDARY_SLOT);
rc = boot_set_pending(0);
TEST_ASSERT(rc == 0);
diff --git a/boot/bootutil/test/src/testcases/boot_test_no_hash.c b/boot/bootutil/test/src/testcases/boot_test_no_hash.c
index 13fe7e1..ff40482 100644
--- a/boot/bootutil/test/src/testcases/boot_test_no_hash.c
+++ b/boot/bootutil/test/src/testcases/boot_test_no_hash.c
@@ -40,9 +40,9 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr0, 0);
- boot_test_util_write_hash(&hdr0, 0);
- boot_test_util_write_image(&hdr1, 1);
+ boot_test_util_write_image(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_image(&hdr1, BOOT_SECONDARY_SLOT);
rc = boot_set_pending(0);
TEST_ASSERT(rc == 0);
diff --git a/boot/bootutil/test/src/testcases/boot_test_nv_bs_10.c b/boot/bootutil/test/src/testcases/boot_test_nv_bs_10.c
index 1d8d50c..46548e0 100644
--- a/boot/bootutil/test/src/testcases/boot_test_nv_bs_10.c
+++ b/boot/bootutil/test/src/testcases/boot_test_nv_bs_10.c
@@ -30,8 +30,8 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr, 0);
- boot_test_util_write_hash(&hdr, 0);
+ boot_test_util_write_image(&hdr, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr, BOOT_PRIMARY_SLOT);
boot_test_util_swap_areas(boot_test_slot_areas[1],
BOOT_TEST_AREA_IDX_SCRATCH);
diff --git a/boot/bootutil/test/src/testcases/boot_test_nv_bs_11.c b/boot/bootutil/test/src/testcases/boot_test_nv_bs_11.c
index eae13bd..26a5989 100644
--- a/boot/bootutil/test/src/testcases/boot_test_nv_bs_11.c
+++ b/boot/bootutil/test/src/testcases/boot_test_nv_bs_11.c
@@ -42,10 +42,10 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr0, 0);
- boot_test_util_write_hash(&hdr0, 0);
- boot_test_util_write_image(&hdr1, 1);
- boot_test_util_write_hash(&hdr1, 1);
+ boot_test_util_write_image(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_image(&hdr1, BOOT_SECONDARY_SLOT);
+ boot_test_util_write_hash(&hdr1, BOOT_SECONDARY_SLOT);
rc = boot_set_pending(0);
boot_test_util_copy_area(5, BOOT_TEST_AREA_IDX_SCRATCH);
diff --git a/boot/bootutil/test/src/testcases/boot_test_nv_bs_11_2areas.c b/boot/bootutil/test/src/testcases/boot_test_nv_bs_11_2areas.c
index ba09ea1..ae5e1c4 100644
--- a/boot/bootutil/test/src/testcases/boot_test_nv_bs_11_2areas.c
+++ b/boot/bootutil/test/src/testcases/boot_test_nv_bs_11_2areas.c
@@ -42,10 +42,10 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr0, 0);
- boot_test_util_write_hash(&hdr0, 0);
- boot_test_util_write_image(&hdr1, 1);
- boot_test_util_write_hash(&hdr1, 1);
+ boot_test_util_write_image(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_image(&hdr1, BOOT_SECONDARY_SLOT);
+ boot_test_util_write_hash(&hdr1, BOOT_SECONDARY_SLOT);
rc = boot_set_pending(0);
TEST_ASSERT_FATAL(rc == 0);
diff --git a/boot/bootutil/test/src/testcases/boot_test_nv_ns_01.c b/boot/bootutil/test/src/testcases/boot_test_nv_ns_01.c
index 8abd90e..7fdc0fd 100644
--- a/boot/bootutil/test/src/testcases/boot_test_nv_ns_01.c
+++ b/boot/bootutil/test/src/testcases/boot_test_nv_ns_01.c
@@ -30,8 +30,8 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr, 1);
- boot_test_util_write_hash(&hdr, 1);
+ boot_test_util_write_image(&hdr, BOOT_SECONDARY_SLOT);
+ boot_test_util_write_hash(&hdr, BOOT_SECONDARY_SLOT);
boot_set_pending(0);
diff --git a/boot/bootutil/test/src/testcases/boot_test_nv_ns_10.c b/boot/bootutil/test/src/testcases/boot_test_nv_ns_10.c
index 429416e..d548e05 100644
--- a/boot/bootutil/test/src/testcases/boot_test_nv_ns_10.c
+++ b/boot/bootutil/test/src/testcases/boot_test_nv_ns_10.c
@@ -30,8 +30,8 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr, 0);
- boot_test_util_write_hash(&hdr, 0);
+ boot_test_util_write_image(&hdr, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr, BOOT_PRIMARY_SLOT);
boot_test_util_verify_all(BOOT_SWAP_TYPE_NONE, &hdr, NULL);
}
diff --git a/boot/bootutil/test/src/testcases/boot_test_nv_ns_11.c b/boot/bootutil/test/src/testcases/boot_test_nv_ns_11.c
index 971a2cf..6e7bb47 100644
--- a/boot/bootutil/test/src/testcases/boot_test_nv_ns_11.c
+++ b/boot/bootutil/test/src/testcases/boot_test_nv_ns_11.c
@@ -39,10 +39,10 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr0, 0);
- boot_test_util_write_hash(&hdr0, 0);
- boot_test_util_write_image(&hdr1, 1);
- boot_test_util_write_hash(&hdr1, 1);
+ boot_test_util_write_image(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_image(&hdr1, BOOT_SECONDARY_SLOT);
+ boot_test_util_write_hash(&hdr1, BOOT_SECONDARY_SLOT);
boot_test_util_verify_all(BOOT_SWAP_TYPE_NONE, &hdr0, &hdr1);
}
diff --git a/boot/bootutil/test/src/testcases/boot_test_permanent.c b/boot/bootutil/test/src/testcases/boot_test_permanent.c
index 489ebd6..839e65c 100644
--- a/boot/bootutil/test/src/testcases/boot_test_permanent.c
+++ b/boot/bootutil/test/src/testcases/boot_test_permanent.c
@@ -41,10 +41,10 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr0, 0);
- boot_test_util_write_hash(&hdr0, 0);
- boot_test_util_write_image(&hdr1, 1);
- boot_test_util_write_hash(&hdr1, 1);
+ boot_test_util_write_image(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_image(&hdr1, BOOT_SECONDARY_SLOT);
+ boot_test_util_write_hash(&hdr1, BOOT_SECONDARY_SLOT);
rc = boot_set_pending(1);
TEST_ASSERT_FATAL(rc == 0);
diff --git a/boot/bootutil/test/src/testcases/boot_test_permanent_continue.c b/boot/bootutil/test/src/testcases/boot_test_permanent_continue.c
index 2417df0..9b5fe68 100644
--- a/boot/bootutil/test/src/testcases/boot_test_permanent_continue.c
+++ b/boot/bootutil/test/src/testcases/boot_test_permanent_continue.c
@@ -42,12 +42,12 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr0, 0);
- boot_test_util_write_hash(&hdr0, 0);
- boot_test_util_write_image(&hdr1, 1);
- boot_test_util_write_hash(&hdr1, 1);
+ boot_test_util_write_image(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_image(&hdr1, BOOT_SECONDARY_SLOT);
+ boot_test_util_write_hash(&hdr1, BOOT_SECONDARY_SLOT);
- /* Indicate that the image in slot 0 is being permanently used. */
+ /* Indicate that the image in the primary slot is being permanently used. */
boot_test_util_mark_swap_perm();
boot_test_util_swap_areas(2, 5);
diff --git a/boot/bootutil/test/src/testcases/boot_test_revert.c b/boot/bootutil/test/src/testcases/boot_test_revert.c
index 4b78fb6..b44fbe1 100644
--- a/boot/bootutil/test/src/testcases/boot_test_revert.c
+++ b/boot/bootutil/test/src/testcases/boot_test_revert.c
@@ -38,12 +38,12 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr0, 0);
- boot_test_util_write_hash(&hdr0, 0);
- boot_test_util_write_image(&hdr1, 1);
- boot_test_util_write_hash(&hdr1, 1);
+ boot_test_util_write_image(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_image(&hdr1, BOOT_SECONDARY_SLOT);
+ boot_test_util_write_hash(&hdr1, BOOT_SECONDARY_SLOT);
- /* Indicate that the image in slot 0 is being tested. */
+ /* Indicate that the image in the primary slot is being tested. */
boot_test_util_mark_revert();
boot_test_util_verify_all(BOOT_SWAP_TYPE_REVERT, &hdr0, &hdr1);
diff --git a/boot/bootutil/test/src/testcases/boot_test_revert_continue.c b/boot/bootutil/test/src/testcases/boot_test_revert_continue.c
index 9982646..3887f4f 100644
--- a/boot/bootutil/test/src/testcases/boot_test_revert_continue.c
+++ b/boot/bootutil/test/src/testcases/boot_test_revert_continue.c
@@ -42,12 +42,12 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr0, 0);
- boot_test_util_write_hash(&hdr0, 0);
- boot_test_util_write_image(&hdr1, 1);
- boot_test_util_write_hash(&hdr1, 1);
+ boot_test_util_write_image(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_image(&hdr1, BOOT_SECONDARY_SLOT);
+ boot_test_util_write_hash(&hdr1, BOOT_SECONDARY_SLOT);
- /* Indicate that the image in slot 0 is being tested. */
+ /* Indicate that the image in the primary slot is being tested. */
boot_test_util_mark_revert();
boot_test_util_swap_areas(2, 5);
diff --git a/boot/bootutil/test/src/testcases/boot_test_vb_ns_11.c b/boot/bootutil/test/src/testcases/boot_test_vb_ns_11.c
index e9b961d..8b19f87 100644
--- a/boot/bootutil/test/src/testcases/boot_test_vb_ns_11.c
+++ b/boot/bootutil/test/src/testcases/boot_test_vb_ns_11.c
@@ -41,10 +41,10 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr0, 0);
- boot_test_util_write_hash(&hdr0, 0);
- boot_test_util_write_image(&hdr1, 1);
- boot_test_util_write_hash(&hdr1, 1);
+ boot_test_util_write_image(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_image(&hdr1, BOOT_SECONDARY_SLOT);
+ boot_test_util_write_hash(&hdr1, BOOT_SECONDARY_SLOT);
rc = boot_set_pending(0);
TEST_ASSERT(rc == 0);
diff --git a/boot/bootutil/test/src/testcases/boot_test_vm_ns_01.c b/boot/bootutil/test/src/testcases/boot_test_vm_ns_01.c
index a539fa2..fb1983f 100644
--- a/boot/bootutil/test/src/testcases/boot_test_vm_ns_01.c
+++ b/boot/bootutil/test/src/testcases/boot_test_vm_ns_01.c
@@ -32,8 +32,8 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr, 1);
- boot_test_util_write_hash(&hdr, 1);
+ boot_test_util_write_image(&hdr, BOOT_SECONDARY_SLOT);
+ boot_test_util_write_hash(&hdr, BOOT_SECONDARY_SLOT);
rc = boot_set_pending(0);
TEST_ASSERT(rc == 0);
diff --git a/boot/bootutil/test/src/testcases/boot_test_vm_ns_10.c b/boot/bootutil/test/src/testcases/boot_test_vm_ns_10.c
index d6d217e..16bf5e9 100644
--- a/boot/bootutil/test/src/testcases/boot_test_vm_ns_10.c
+++ b/boot/bootutil/test/src/testcases/boot_test_vm_ns_10.c
@@ -30,8 +30,8 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr, 0);
- boot_test_util_write_hash(&hdr, 0);
+ boot_test_util_write_image(&hdr, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr, BOOT_PRIMARY_SLOT);
boot_test_util_verify_all(BOOT_SWAP_TYPE_NONE, &hdr, NULL);
}
diff --git a/boot/bootutil/test/src/testcases/boot_test_vm_ns_11_2areas.c b/boot/bootutil/test/src/testcases/boot_test_vm_ns_11_2areas.c
index 24b5da2..ab1723a 100644
--- a/boot/bootutil/test/src/testcases/boot_test_vm_ns_11_2areas.c
+++ b/boot/bootutil/test/src/testcases/boot_test_vm_ns_11_2areas.c
@@ -41,10 +41,10 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr0, 0);
- boot_test_util_write_hash(&hdr0, 0);
- boot_test_util_write_image(&hdr1, 1);
- boot_test_util_write_hash(&hdr1, 1);
+ boot_test_util_write_image(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_image(&hdr1, BOOT_SECONDARY_SLOT);
+ boot_test_util_write_hash(&hdr1, BOOT_SECONDARY_SLOT);
rc = boot_set_pending(0);
TEST_ASSERT(rc == 0);
diff --git a/boot/bootutil/test/src/testcases/boot_test_vm_ns_11_a.c b/boot/bootutil/test/src/testcases/boot_test_vm_ns_11_a.c
index 433be25..0d46762 100644
--- a/boot/bootutil/test/src/testcases/boot_test_vm_ns_11_a.c
+++ b/boot/bootutil/test/src/testcases/boot_test_vm_ns_11_a.c
@@ -39,10 +39,10 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr0, 0);
- boot_test_util_write_hash(&hdr0, 0);
- boot_test_util_write_image(&hdr1, 1);
- boot_test_util_write_hash(&hdr1, 1);
+ boot_test_util_write_image(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_image(&hdr1, BOOT_SECONDARY_SLOT);
+ boot_test_util_write_hash(&hdr1, BOOT_SECONDARY_SLOT);
boot_test_util_verify_all(BOOT_SWAP_TYPE_NONE, &hdr0, &hdr1);
}
diff --git a/boot/bootutil/test/src/testcases/boot_test_vm_ns_11_b.c b/boot/bootutil/test/src/testcases/boot_test_vm_ns_11_b.c
index e1a87c7..628ca58 100644
--- a/boot/bootutil/test/src/testcases/boot_test_vm_ns_11_b.c
+++ b/boot/bootutil/test/src/testcases/boot_test_vm_ns_11_b.c
@@ -41,10 +41,10 @@
};
boot_test_util_init_flash();
- boot_test_util_write_image(&hdr0, 0);
- boot_test_util_write_hash(&hdr0, 0);
- boot_test_util_write_image(&hdr1, 1);
- boot_test_util_write_hash(&hdr1, 1);
+ boot_test_util_write_image(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_hash(&hdr0, BOOT_PRIMARY_SLOT);
+ boot_test_util_write_image(&hdr1, BOOT_SECONDARY_SLOT);
+ boot_test_util_write_hash(&hdr1, BOOT_SECONDARY_SLOT);
rc = boot_set_pending(0);
TEST_ASSERT(rc == 0);
diff --git a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h
index fb2ec6b..e826865 100644
--- a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h
+++ b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h
@@ -25,7 +25,7 @@
#define MCUBOOT_SERIAL 1
#endif
#if MYNEWT_VAL(BOOTUTIL_VALIDATE_SLOT0)
-#define MCUBOOT_VALIDATE_SLOT0 1
+#define MCUBOOT_VALIDATE_PRIMARY_SLOT 1
#endif
#if MYNEWT_VAL(BOOTUTIL_USE_MBED_TLS)
#define MCUBOOT_USE_MBED_TLS 1
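Review bot: After the rename to `MCUBOOT_VALIDATE_PRIMARY_SLOT`, a port header or out-of-tree source that still defines or tests `MCUBOOT_VALIDATE_SLOT0` would presumably compile cleanly with the per-boot signature check of the primary slot left out. Nothing in this hunk, or in the matching hunk for boot/zephyr/include/mcuboot_config/mcuboot_config.h, guards against that. The Zephyr header defines the macro without a value, which suggests it is tested with `#ifdef`; the consumers are outside these hunks, so this is inferred. A stale name would then fail silently, so I would add `#if defined(MCUBOOT_VALIDATE_SLOT0) && !defined(MCUBOOT_VALIDATE_PRIMARY_SLOT)` / `#error "MCUBOOT_VALIDATE_SLOT0 was renamed to MCUBOOT_VALIDATE_PRIMARY_SLOT"` / `#endif` next to the code that checks the macro. The syscfg key `BOOTUTIL_VALIDATE_SLOT0` here and `CONFIG_BOOT_VALIDATE_SLOT0` on the Zephyr side keep their old names, so a comment such as `/* legacy key name: enables validation of the primary slot */` above the `#if` would explain the mismatch.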
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
index 29193d1..4e75cef 100644
--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
@@ -72,11 +72,11 @@
default "mcuboot-mbedtls-cfg.h"
config BOOT_VALIDATE_SLOT0
- bool "Validate image slot 0 on every boot"
+ bool "Validate image in the primary slot on every boot"
default y
help
- If y, the bootloader attempts to validate the signature of
- slot0 every boot. This adds the signature check time to
+ If y, the bootloader attempts to validate the signature of the
+ primary slot every boot. This adds the signature check time to
every boot, but can mitigate against some changes that are
able to modify the flash image itself.
@@ -84,25 +84,25 @@
bool "Overwrite image updates instead of swapping"
default n
help
- If y, overwrite slot0 with the upgrade image instead of
- swapping them. This prevents the fallback recovery, but
+ If y, overwrite the primary slot with the upgrade image instead
+ of swapping them. This prevents the fallback recovery, but
uses a much simpler code path.
config BOOT_BOOTSTRAP
- bool "Boostrap erased slot0 from slot1"
+ bool "Boostrap erased the primary slot from the secondary slot"
default n
help
If y, enables bootstraping support. Bootstrapping allows an erased
- slot0 to be initialized from a valid image in slot1.
+ primary slot to be initialized from a valid image in the secondary slot.
If unsure, leave at the default value.
config BOOT_ENCRYPT_RSA
bool "Support for encrypted upgrade images"
default n
help
- If y, images in slot 1 can be encrypted and are decrypted
- on the fly when upgrading to slot 0, as well as encrypted
- back when swapping from slot 0 to slot 1.
+ If y, images in the secondary slot can be encrypted and are decrypted
+ on the fly when upgrading to the primary slot, as well as encrypted
+ back when swapping from the primary slot to the secondary slot.
config BOOT_MAX_IMG_SECTORS
int "Maximum number of sectors per image slot"
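Review bot: The new prompt for `BOOT_BOOTSTRAP`, `bool "Boostrap erased the primary slot from the secondary slot"`, keeps the `Boostrap` misspelling, and the inserted article makes it read as if the option erases the primary slot. I would write `bool "Bootstrap an erased primary slot from the secondary slot"`. The context line `enables bootstraping support` in the help text could be corrected to `bootstrapping` in the same pass. This prompt is what a user sees in menuconfig when deciding whether an empty primary slot may be populated from the secondary slot, so it should describe the behaviour unambiguously.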
diff --git a/boot/zephyr/flash_map_extended.c b/boot/zephyr/flash_map_extended.c
index 0c3d428..1b1b5ad 100644
--- a/boot/zephyr/flash_map_extended.c
+++ b/boot/zephyr/flash_map_extended.c
@@ -50,12 +50,13 @@
/*
* This depends on the mappings defined in sysflash.h.
- * MCUBoot uses continuous numbering for slot 0, slot 1, and the scratch
- * while zephyr might number it differently.
+ * MCUBoot uses continuous numbering for the primary slot, the secondary slot,
+ * and the scratch while zephyr might number it differently.
*/
int flash_area_id_from_image_slot(int slot)
{
- static const int area_id_tab[] = {FLASH_AREA_IMAGE_0, FLASH_AREA_IMAGE_1,
+ static const int area_id_tab[] = {FLASH_AREA_IMAGE_PRIMARY,
+ FLASH_AREA_IMAGE_SECONDARY,
FLASH_AREA_IMAGE_SCRATCH};
if (slot >= 0 && slot < ARRAY_SIZE(area_id_tab)) {
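Review bot: With the digits gone from the macro names, `area_id_tab` no longer shows that an entry's position is the MCUBoot slot number, and the bounds check that follows also accepts index 2 for the scratch area. A comment on the table would keep that visible: `/* indexed by MCUBoot slot number: 0 = primary, 1 = secondary, 2 = scratch */`. The rewritten comment block above could also say `contiguous numbering` rather than `continuous numbering`. The body of `flash_area_id_from_image_slot` continues outside the hunk.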
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
index d30e108..dc70614 100644
--- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h
+++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -31,7 +31,7 @@
#endif
#ifdef CONFIG_BOOT_VALIDATE_SLOT0
-#define MCUBOOT_VALIDATE_SLOT0
+#define MCUBOOT_VALIDATE_PRIMARY_SLOT
#endif
#ifdef CONFIG_BOOT_UPGRADE_ONLY
diff --git a/boot/zephyr/include/sysflash/sysflash.h b/boot/zephyr/include/sysflash/sysflash.h
index 0fef026..2492244 100644
--- a/boot/zephyr/include/sysflash/sysflash.h
+++ b/boot/zephyr/include/sysflash/sysflash.h
@@ -5,8 +5,8 @@
#include <generated_dts_board.h>
-#define FLASH_AREA_IMAGE_0 DT_FLASH_AREA_IMAGE_0_ID
-#define FLASH_AREA_IMAGE_1 DT_FLASH_AREA_IMAGE_1_ID
-#define FLASH_AREA_IMAGE_SCRATCH DT_FLASH_AREA_IMAGE_SCRATCH_ID
+#define FLASH_AREA_IMAGE_PRIMARY DT_FLASH_AREA_IMAGE_0_ID
+#define FLASH_AREA_IMAGE_SECONDARY DT_FLASH_AREA_IMAGE_1_ID
+#define FLASH_AREA_IMAGE_SCRATCH DT_FLASH_AREA_IMAGE_SCRATCH_ID
#endif /* __SYSFLASH_H__ */
diff --git a/ci/sim_run.sh b/ci/sim_run.sh
index 0492cff..b0b70f7 100755
--- a/ci/sim_run.sh
+++ b/ci/sim_run.sh
@@ -17,7 +17,7 @@
EXIT_CODE=0
if [[ ! -z $SINGLE_FEATURES ]]; then
- all_features="sig-rsa sig-ecdsa overwrite-only validate-slot0 enc-rsa enc-kw boostrap"
+ all_features="sig-rsa sig-ecdsa overwrite-only validate-primary-slot enc-rsa enc-kw boostrap"
if [[ $SINGLE_FEATURES =~ "none" ]]; then
echo "Running cargo with no features"
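Review bot: The rewritten `all_features` line still ends in `boostrap`, while the Travis matrix in this same commit spells the feature `bootstrap`. The single-feature run would therefore not exercise the bootstrap path under its real name. The loop that consumes `all_features` is outside the hunk, so it cannot be confirmed from here whether the misspelled name is rejected by cargo or passed through. Since the line is being touched anyway, I would change it to `all_features="sig-rsa sig-ecdsa overwrite-only validate-primary-slot enc-rsa enc-kw bootstrap"`.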
diff --git a/docs/PORTING.md b/docs/PORTING.md
index e2ffb8a..2a63d50 100644
--- a/docs/PORTING.md
+++ b/docs/PORTING.md
@@ -86,9 +86,9 @@
`fa_id` is can be one of the following options:
```c
-#define FLASH_AREA_IMAGE_0 1
-#define FLASH_AREA_IMAGE_1 2
-#define FLASH_AREA_IMAGE_SCRATCH 3
+#define FLASH_AREA_IMAGE_PRIMARY 1
+#define FLASH_AREA_IMAGE_SECONDARY 2
+#define FLASH_AREA_IMAGE_SCRATCH 3
```
The functions that must be defined for working with the `flash_area`s are:
@@ -109,7 +109,7 @@
uint8_t flash_area_align(const struct flash_area *);
/*< Initializes an array of flash_area elements for the slot's sectors */
int flash_area_to_sectors(int idx, int *cnt, struct flash_area *ret);
-/*< Returns the `fa_id` for slot, where slot is 0 or 1 */
+/*< Returns the `fa_id` for slot, where slot is 0 (primary) or 1 (secondary) */
int flash_area_id_from_image_slot(int slot);
/*< Returns the slot, for the `fa_id` supplied */
int flash_area_id_to_image_slot(int area_id);
diff --git a/docs/design.md b/docs/design.md
index 4da4c99..13f60b1 100644
--- a/docs/design.md
+++ b/docs/design.md
@@ -116,10 +116,10 @@
The boot loader uses the following flash area IDs:
``` c
-#define FLASH_AREA_BOOTLOADER 0
-#define FLASH_AREA_IMAGE_0 1
-#define FLASH_AREA_IMAGE_1 2
-#define FLASH_AREA_IMAGE_SCRATCH 3
+#define FLASH_AREA_BOOTLOADER 0
+#define FLASH_AREA_IMAGE_PRIMARY 1
+#define FLASH_AREA_IMAGE_SECONDARY 2
+#define FLASH_AREA_IMAGE_SCRATCH 3
```
The bootloader area contains the bootloader image itself. The other areas are
@@ -140,14 +140,14 @@
In addition to the two image slots, the boot loader requires a scratch area to
allow for reliable image swapping. The scratch area must have a size that is
enough to store at least the largest sector that is going to be swapped. Many
-devices have small equally sized flash sectors, eg 4K, while others have variable
-sized sectors where the largest sectors might be 128K or 256K, so the scratch
-must be big enough to store that. The scratch is only ever used when swapping
-firmware, which means only when doing an upgrade. Given that, the main reason
-for using a larger size for the scratch is that flash wear will be more evenly
-distributed, because a single sector would be written twice the number of times
-than using two sectors, for example. To evaluate the ideal size of the scratch
-for your use case the following parameters are relevant:
+devices have small equally sized flash sectors, eg 4K, while others have
+variable sized sectors where the largest sectors might be 128K or 256K, so the
+scratch must be big enough to store that. The scratch is only ever used when
+swapping firmware, which means only when doing an upgrade. Given that, the main
+reason for using a larger size for the scratch is that flash wear will be more
+evenly distributed, because a single sector would be written twice the number of
+times than using two sectors, for example. To evaluate the ideal size of the
+scratch for your use case the following parameters are relevant:
* the ratio of image size / scratch size
* the number of erase cycles supported by the flash hardware
@@ -174,9 +174,9 @@
There is no *best* ratio, as the right size is use-case dependent. Factors to
consider include the number of times a device will be upgraded both in the field
-and during development, as well as any desired safety margin on the manufacturer's
-specified number of erase cycles. In general, using a ratio that allows hundreds
-to thousands of field upgrades in production is recommended.
+and during development, as well as any desired safety margin on the
+manufacturer's specified number of erase cycles. In general, using a ratio that
+allows hundreds to thousands of field upgrades in production is recommended.
The overwrite upgrade strategy is substantially simpler to implement than the
image swapping strategy, especially since the bootloader must work properly
@@ -187,10 +187,10 @@
## Boot Swap Types
When the device first boots under normal circumstances, there is an up-to-date
-firmware image in slot 0, which mcuboot can validate and then chain-load. In
-this case, no image swaps are necessary. During device upgrades, however, new
-candidate images are present in slot 1, which mcuboot must swap into slot 0
-before booting as discussed above.
+firmware image in the primary slot, which mcuboot can validate and then
+chain-load. In this case, no image swaps are necessary. During device upgrades,
+however, new candidate images are present in the secondary slot, which mcuboot
+must swap into the primary slot before booting as discussed above.
Upgrading an old image with a new one by swapping can be a two-step process. In
this process, mcuboot performs a "test" swap of image data in flash and boots
@@ -217,17 +217,18 @@
The possible swap types, and their meanings, are:
- `BOOT_SWAP_TYPE_NONE`: The "usual" or "no upgrade" case; attempt to boot the
- contents of slot 0.
+ contents of the primary slot.
-- `BOOT_SWAP_TYPE_TEST`: Boot the contents of slot 1 by swapping images. Unless
- the swap is made permanent, revert back on the next boot.
+- `BOOT_SWAP_TYPE_TEST`: Boot the contents of the secondary slot by swapping
+ images. Unless the swap is made permanent, revert back on the next boot.
- `BOOT_SWAP_TYPE_PERM`: Permanently swap images, and boot the upgraded image
firmware.
-- `BOOT_SWAP_TYPE_REVERT`: A previous test swap was not made permanent; swap back
- to the old image whose data are now in slot 1. If the old image marks itself
- "OK" when it boots, the next boot will have swap type `BOOT_SWAP_TYPE_NONE`.
+- `BOOT_SWAP_TYPE_REVERT`: A previous test swap was not made permanent;
+ swap back to the old image whose data are now in the secondary slot. If the
+ old image marks itself "OK" when it boots, the next boot will have swap type
+ `BOOT_SWAP_TYPE_NONE`.
- `BOOT_SWAP_TYPE_FAIL`: Swap failed because image to be run is not valid.
@@ -278,28 +279,30 @@
An image trailer contains the following fields:
1. Swap status: A series of records which records the progress of an image
- swap. To swap entire images, data are swapped between the two image areas one
- or more sectors at a time, like this:
+ swap. To swap entire images, data are swapped between the two image areas
+ one or more sectors at a time, like this:
- - sector data in slot 0 is copied into scratch, then erased
- - sector data in slot 1 is copied into slot 0, then erased
- - sector data in scratch is copied into slot 1
+ - sector data in the primary slot is copied into scratch, then erased
+ - sector data in the secondary slot is copied into the primary slot,
+ then erased
+ - sector data in scratch is copied into the secondary slot
As it swaps images, the bootloader updates the swap status field in a way that
allows it to compute how far this swap operation has progressed for each
sector. The swap status field can thus used to resume a swap operation if the
bootloader is halted while a swap operation is ongoing and later reset. The
-`BOOT_MAX_IMG_SECTORS` value is the configurable maximum number of sectors mcuboot
-supports for each image; its value defaults to 128, but allows for either
-decreasing this size, to limit RAM usage, or to increase it in devices that have
-massive amounts of Flash or very small sized sectors and thus require a bigger
-configuration to allow for the handling of all slot's sectors. The factor of
-min-write-sz is due to the behavior of flash hardware. The factor of 3 is
-explained below.
+`BOOT_MAX_IMG_SECTORS` value is the configurable maximum number of sectors
+mcuboot supports for each image; its value defaults to 128, but allows for
+either decreasing this size, to limit RAM usage, or to increase it in devices
+that have massive amounts of Flash or very small sized sectors and thus require
+a bigger configuration to allow for the handling of all slot's sectors.
+The factor of min-write-sz is due to the behavior of flash hardware. The factor
+of 3 is explained below.
2. Swap size: When beginning a new swap operation, the total size that needs
- to be swapped (based on the slot with largest image + tlvs) is written to this
- location for easier recovery in case of a reset while performing the swap.
+ to be swapped (based on the slot with largest image + tlvs) is written to
+ this location for easier recovery in case of a reset while performing the
+ swap.
3. Copy done: A single byte indicating whether the image in this slot is
complete (0x01=done; 0xff=not done).
@@ -324,9 +327,9 @@
image trailers. When using the term "image trailers" what is meant is the
aggregate information provided by both image slot's trailers.
-The image trailers records are structured around the limitations imposed by flash
-hardware. As a consequence, they do not have a very intuitive design, and it
-is difficult to get a sense of the state of the device just by looking at the
+The image trailers records are structured around the limitations imposed by
+flash hardware. As a consequence, they do not have a very intuitive design, and
+it is difficult to get a sense of the state of the device just by looking at the
image trailers. It is better to map all the possible trailer states to the swap
types described above via a set of tables. These tables are reproduced below.
@@ -336,36 +339,36 @@
```
State I
- | slot-0 | slot-1 |
- -----------------+--------+--------|
- magic | Any | Good |
- image-ok | Any | Unset |
- copy-done | Any | Any |
- -----------------+--------+--------'
- result: BOOT_SWAP_TYPE_TEST |
- -----------------------------------'
+ | primary slot | secondary slot |
+ -----------------+--------------+----------------|
+ magic | Any | Good |
+ image-ok | Any | Unset |
+ copy-done | Any | Any |
+ -----------------+--------------+----------------'
+ result: BOOT_SWAP_TYPE_TEST |
+ -------------------------------------------------'
State II
- | slot-0 | slot-1 |
- -----------------+--------+--------|
- magic | Any | Good |
- image-ok | Any | 0x01 |
- copy-done | Any | Any |
- -----------------+--------+--------'
- result: BOOT_SWAP_TYPE_PERM |
- -----------------------------------'
+ | primary slot | secondary slot |
+ -----------------+--------------+----------------|
+ magic | Any | Good |
+ image-ok | Any | 0x01 |
+ copy-done | Any | Any |
+ -----------------+--------------+----------------'
+ result: BOOT_SWAP_TYPE_PERM |
+ -------------------------------------------------'
State III
- | slot-0 | slot-1 |
- -----------------+--------+--------|
- magic | Good | Unset |
- image-ok | 0xff | Any |
- copy-done | 0x01 | Any |
- -----------------+--------+--------'
- result: BOOT_SWAP_TYPE_REVERT |
- -----------------------------------'
+ | primary slot | secondary slot |
+ -----------------+--------------+----------------|
+ magic | Good | Unset |
+ image-ok | 0xff | Any |
+ copy-done | 0x01 | Any |
+ -----------------+--------------+----------------'
+ result: BOOT_SWAP_TYPE_REVERT |
+ -------------------------------------------------'
```
Any of the above three states results in mcuboot attempting to swap images.
@@ -375,30 +378,30 @@
```
State IV
- | slot-0 | slot-1 |
- -----------------+--------+--------|
- magic | Any | Any |
- image-ok | Any | Any |
- copy-done | Any | Any |
- -----------------+--------+--------'
- result: BOOT_SWAP_TYPE_NONE, |
- BOOT_SWAP_TYPE_FAIL, or |
- BOOT_SWAP_TYPE_PANIC |
- -----------------------------------'
+ | primary slot | secondary slot |
+ -----------------+--------------+----------------|
+ magic | Any | Any |
+ image-ok | Any | Any |
+ copy-done | Any | Any |
+ -----------------+--------------+----------------'
+ result: BOOT_SWAP_TYPE_NONE, |
+ BOOT_SWAP_TYPE_FAIL, or |
+ BOOT_SWAP_TYPE_PANIC |
+ -------------------------------------------------'
```
In State IV, when no errors occur, mcuboot will attempt to boot the contents of
-slot 0 directly, and the result is `BOOT_SWAP_TYPE_NONE`. If the image in slot 0
-is not valid, the result is `BOOT_SWAP_TYPE_FAIL`. If a fatal error occurs during
-boot, the result is `BOOT_SWAP_TYPE_PANIC`. If the result is either
-`BOOT_SWAP_TYPE_FAIL` or `BOOT_SWAP_TYPE_PANIC`, mcuboot hangs rather than booting
-an invalid or compromised image.
+the primary slot directly, and the result is `BOOT_SWAP_TYPE_NONE`. If the image
+in the primary slot is not valid, the result is `BOOT_SWAP_TYPE_FAIL`. If a
+fatal error occurs during boot, the result is `BOOT_SWAP_TYPE_PANIC`. If the
+result is either `BOOT_SWAP_TYPE_FAIL` or `BOOT_SWAP_TYPE_PANIC`, mcuboot hangs
+rather than booting an invalid or compromised image.
Note: An important caveat to the above is the result when a swap is requested
- and the image in slot 1 fails to validate, due to a hashing or signing
- error. This state behaves as State IV with the extra action of marking
- the image in slot 0 as "OK", to prevent further attempts to swap.
-
+ and the image in the secondary slot fails to validate, due to a hashing or
+ signing error. This state behaves as State IV with the extra action of
+ marking the image in the primary slot as "OK", to prevent further attempts
+ to swap.
## High-Level Operation
@@ -414,27 +417,27 @@
2. Inspect image trailers; is a swap requested?
Yes.
- 1. Is the requested image valid (integrity and security check)?
- Yes.
- a. Perform swap operation.
- b. Persist completion of swap procedure to image trailers.
- c. Proceed to step 3.
- No.
- a. Erase invalid image.
- b. Persist failure of swap procedure to image trailers.
- c. Proceed to step 3.
+ 1. Is the requested image valid (integrity and security check)?
+ Yes.
+ a. Perform swap operation.
+ b. Persist completion of swap procedure to image trailers.
+ c. Proceed to step 3.
+ No.
+ a. Erase invalid image.
+ b. Persist failure of swap procedure to image trailers.
+ c. Proceed to step 3.
No: Proceed to step 3.
-3. Boot into image in slot 0.
+3. Boot into image in primary slot.
## Image Swapping
The boot loader swaps the contents of the two image slots for two reasons:
- * User has issued a "set pending" operation; the image in slot-1 should be
- run once (state II) or repeatedly (state III), depending on whether a
- permanent swap was specified.
- * Test image rebooted without being confirmed; the boot loader should
- revert to the original image currently in slot-1 (state IV).
+ * User has issued a "set pending" operation; the image in the secondary slot
+ should be run once (state II) or repeatedly (state III), depending on
+ whether a permanent swap was specified.
+ * Test image rebooted without being confirmed; the boot loader should
+ revert to the original image currently in the secondary slot (state IV).
If the image trailers indicates that the image in the secondary slot should be
run, the boot loader needs to copy it to the primary slot. The image currently
@@ -445,73 +448,70 @@
<!-- Markdown doesn't do nested numbered lists. It will do nested
bulletted lists, so maybe that is better. -->
- 1. Determine how many flash sectors each image slot consists of. This
- number must be the same for both slots.
- 2. Iterate the list of sector indices in descending order (i.e., starting
- with the greatest index); current element = "index".
- b. Erase scratch area.
- c. Copy slot1[index] to scratch area.
- - If these are the last sectors (i.e., first swap being perfomed),
- copy the full sector *except* the image trailer.
- - Else, copy entire sector contents.
- d. Write updated swap status (i).
+ 1. Determine how many flash sectors each image slot consists of. This
+ number must be the same for both slots.
+ 2. Iterate the list of sector indices in descending order (i.e., starting
+ with the greatest index); current element = "index".
+ b. Erase scratch area.
+ c. Copy secondary_slot[index] to scratch area.
+ - If these are the last sectors (i.e., first swap being perfomed),
+ copy the full sector *except* the image trailer.
+ - Else, copy entire sector contents.
+ d. Write updated swap status (i).
+ e. Erase secondary_slot[index]
+ f. Copy primary_slot[index] to secondary_slot[index]
+ - If these are the last sectors (i.e., first swap being perfomed),
+ copy the full sector *except* the image trailer.
+ - Else, copy entire sector contents.
+ g. Write updated swap status (ii).
+ h. Erase primary_slot[index].
+ i. Copy scratch area to primary_slot[index].
+ - If these are the last sectors (i.e., first swap being perfomed),
+ copy the full sector *except* the image trailer.
+ - Else, copy entire sector contents.
+ j. Write updated swap status (iii).
+ 3. Persist completion of swap procedure to the primary slot image trailer.
- e. Erase slot1[index]
- f. Copy slot0[index] to slot1[index]
- - If these are the last sectors (i.e., first swap being perfomed),
- copy the full sector *except* the image trailer.
- - Else, copy entire sector contents.
- g. Write updated swap status (ii).
-
- h. Erase slot0[index].
- i. Copy scratch area to slot0[index].
- - If these are the last sectors (i.e., first swap being perfomed),
- copy the full sector *except* the image trailer.
- - Else, copy entire sector contents.
- j. Write updated swap status (iii).
-
- 3. Persist completion of swap procedure to slot 0 image trailer.
-
-The additional caveats in step 2f are necessary so that the slot 1 image
+The additional caveats in step 2f are necessary so that the secondary slot image
trailer can be written by the user at a later time. With the image trailer
-unwritten, the user can test the image in slot 1 (i.e., transition to state
-II).
+unwritten, the user can test the image in the secondary slot
+(i.e., transition to state II).
Note1: If the sector being copied is the last sector, then swap status is
temporarily maintained on scratch for the duration of this operation, always
-using slot0's area otherwise.
+using the primary slot's area otherwise.
Note2: The bootloader tries to copy only used sectors (based on largest image
installed on any of the slots), minimizing the amount of sectors copied and
reducing the amount of time required for a swap operation.
The particulars of step 3 vary depending on whether an image is being tested,
-permanently used, reverted or a validation failure of slot 1 happened when a
-swap was requested:
+permanently used, reverted or a validation failure of the secondary slot
+happened when a swap was requested:
* test:
- o Write slot0.copy_done = 1
+ o Write primary_slot.copy_done = 1
(swap caused the following values to be written:
- slot0.magic = BOOT_MAGIC
- slot0.image_ok = Unset)
+ primary_slot.magic = BOOT_MAGIC
+ primary_slot.image_ok = Unset)
* permanent:
- o Write slot0.copy_done = 1
+ o Write primary_slot.copy_done = 1
(swap caused the following values to be written:
- slot0.magic = BOOT_MAGIC
- slot0.image_ok = 0x01)
+ primary_slot.magic = BOOT_MAGIC
+ primary_slot.image_ok = 0x01)
* revert:
- o Write slot0.copy_done = 1
- o Write slot0.image_ok = 1
+ o Write primary_slot.copy_done = 1
+ o Write primary_slot.image_ok = 1
(swap caused the following values to be written:
- slot0.magic = BOOT_MAGIC)
+ primary_slot.magic = BOOT_MAGIC)
- * failure to validate slot 1:
- o Write slot0.image_ok = 1
+ * failure to validate the secondary slot:
+ o Write primary_slot.image_ok = 1
-After completing the operations as described above the image in slot 0 should
-be booted.
+After completing the operations as described above the image in the primary slot
+should be booted.
## Swap Status
@@ -547,17 +547,18 @@
enumerate the sectors in a single slot, starting at 0, we would have a list of
sector indices. Since there are two image slots, each sector index would
correspond to a pair of sectors. For example, sector index 0 corresponds to
-the first sector in slot 0 and the first sector in slot 1. Finally, reverse
-the list of indices such that the list starts with index `BOOT_MAX_IMG_SECTORS - 1`
-and ends with 0. The swap status region is a representation of this reversed list.
+the first sector in the primary slot and the first sector in the secondary slot.
+Finally, reverse the list of indices such that the list starts with index
+`BOOT_MAX_IMG_SECTORS - 1` and ends with 0. The swap status region is a
+representation of this reversed list.
During a swap operation, each sector index transitions through four separate
states:
```
- 0. slot 0: image 0, slot 1: image 1, scratch: N/A
- 1. slot 0: image 0, slot 1: N/A, scratch: image 1 (1->s, erase 1)
- 2. slot 0: N/A, slot 1: image 0, scratch: image 1 (0->1, erase 0)
- 3. slot 0: image 1, slot 1: image 0, scratch: N/A (s->0)
+0. primary slot: image 0, secondary slot: image 1, scratch: N/A
+1. primary slot: image 0, secondary slot: N/A, scratch: image 1 (1->s, erase 1)
+2. primary slot: N/A, secondary slot: image 0, scratch: image 1 (0->1, erase 0)
+3. primary slot: image 1, secondary slot: image 0, scratch: N/A (s->0)
```
Each time a sector index transitions to a new state, the boot loader writes a
@@ -580,14 +581,15 @@
```
The swap status region can accommodate `BOOT_MAX_IMG_SECTORS` sector indices.
-Hence, the size of the region, in bytes, is `BOOT_MAX_IMG_SECTORS * min-write-size * 3`.
-The only requirement for the index count is that it is great enough to account for a
-maximum-sized image (i.e., at least as great as the total sector count in an
-image slot). If a device's image slots have been configured with
-`BOOT_MAX_IMG_SECTORS: 128` and use less than 128 sectors, the first
-record that gets written will be somewhere in the middle of the region. For
-example, if a slot uses 64 sectors, the first sector index that gets swapped is
-63, which corresponds to the exact halfway point within the region.
+Hence, the size of the region, in bytes, is
+`BOOT_MAX_IMG_SECTORS * min-write-size * 3`. The only requirement for the index
+count is that it is great enough to account for a maximum-sized image
+(i.e., at least as great as the total sector count in an image slot). If a
+device's image slots have been configured with `BOOT_MAX_IMG_SECTORS: 128` and
+use less than 128 sectors, the first record that gets written will be somewhere
+in the middle of the region. For example, if a slot uses 64 sectors, the first
+sector index that gets swapped is 63, which corresponds to the exact halfway
+point within the region.
Note: since the scratch area only ever needs to record swapping of the last
sector, it uses at most min-write-size * 3 bytes for its own status area.
@@ -605,53 +607,53 @@
indicates where the swap status region is located.
```
- | slot-0 | scratch |
- ----------+------------+------------|
- magic | Good | Any |
- copy-done | 0x01 | N/A |
- ----------+------------+------------'
- source: none |
- ------------------------------------'
+ | primary slot | scratch |
+ ----------+--------------+--------------|
+ magic | Good | Any |
+ copy-done | 0x01 | N/A |
+ ----------+--------------+--------------'
+ source: none |
+ ----------------------------------------'
- | slot-0 | scratch |
- ----------+------------+------------|
- magic | Good | Any |
- copy-done | 0xff | N/A |
- ----------+------------+------------'
- source: slot 0 |
- ------------------------------------'
+ | primary slot | scratch |
+ ----------+--------------+--------------|
+ magic | Good | Any |
+ copy-done | 0xff | N/A |
+ ----------+--------------+--------------'
+ source: primary slot |
+ ----------------------------------------'
- | slot-0 | scratch |
- ----------+------------+------------|
- magic | Any | Good |
- copy-done | Any | N/A |
- ----------+------------+------------'
- source: scratch |
- ------------------------------------'
+ | primary slot | scratch |
+ ----------+--------------+--------------|
+ magic | Any | Good |
+ copy-done | Any | N/A |
+ ----------+--------------+--------------'
+ source: scratch |
+ ----------------------------------------'
- | slot-0 | scratch |
- ----------+------------+------------|
- magic | Unset | Any |
- copy-done | 0xff | N/A |
- ----------+------------+------------|
- source: slot 0 |
- ------------------------------------+------------------------------+
- This represents one of two cases: |
- o No swaps ever (no status to read, so no harm in checking). |
- o Mid-revert; status in slot 0. |
- For this reason we assume slot 0 as source, to trigger a check |
- of the status area and find out if there was swapping under way. |
- -------------------------------------------------------------------'
+ | primary slot | scratch |
+ ----------+--------------+--------------|
+ magic | Unset | Any |
+ copy-done | 0xff | N/A |
+ ----------+--------------+--------------|
+ source: primary slot |
+ ----------------------------------------+------------------------------+
+ This represents one of two cases: |
+ o No swaps ever (no status to read, so no harm in checking). |
+ o Mid-revert; status in the primary slot. |
+ For this reason we assume the primary slot as source, to trigger a |
+ check of the status area and find out if there was swapping under way. |
+ -----------------------------------------------------------------------'
```
If the swap status region indicates that the images are not contiguous,
bootutil completes the swap operation that was in progress when the system was
reset. In other words, it applies the procedure defined in the previous
-section, moving image 1 into slot 0 and image 0 into slot 1. If the boot
-status file indicates that an image part is present in the scratch area, this
-part is copied into the correct location by starting at step e or step h in the
-area-swap procedure, depending on whether the part belongs to image 0 or image
-1.
+section, moving image 1 into the primary slot and image 0 into the secondary
+slot. If the boot status file indicates that an image part is present in the
+scratch area, this part is copied into the correct location by starting at step
+e or step h in the area-swap procedure, depending on whether the part belongs to
+image 0 or image 1.
After the swap operation has been completed, the boot loader proceeds as though
it had just been started.
@@ -660,20 +662,21 @@
An image is checked for integrity immediately before it gets copied into the
primary slot. If the boot loader doesn't perform an image swap, then it can
-perform an optional integrity check of the image in slot0 if
-`MCUBOOT_VALIDATE_SLOT0` is set, otherwise it doesn't perform an integrity check.
+perform an optional integrity check of the image in the primary slot if
+`MCUBOOT_VALIDATE_PRIMARY_SLOT` is set, otherwise it doesn't perform an
+integrity check.
During the integrity check, the boot loader verifies the following aspects of
an image:
- * 32-bit magic number must be correct (0x96f3b83d).
- * Image must contain an `image_tlv_info` struct, identified by its magic
- (0x6907) exactly following the firmware (hdr_size + img_size).
- * Image must contain a SHA256 TLV.
- * Calculated SHA256 must match SHA256 TLV contents.
- * Image *may* contain a signature TLV. If it does, it must also have a
- KEYHASH TLV with the hash of the key that was used to sign. The list of
- keys will then be iterated over looking for the matching key, which then
- will then be used to verify the image contents.
+ * 32-bit magic number must be correct (0x96f3b83d).
+ * Image must contain an `image_tlv_info` struct, identified by its magic
+ (0x6907) exactly following the firmware (hdr_size + img_size).
+ * Image must contain a SHA256 TLV.
+ * Calculated SHA256 must match SHA256 TLV contents.
+ * Image *may* contain a signature TLV. If it does, it must also have a
+ KEYHASH TLV with the hash of the key that was used to sign. The list of
+ keys will then be iterated over looking for the matching key, which then
+ will then be used to verify the image contents.
## Security
diff --git a/docs/encrypted_images.md b/docs/encrypted_images.md
index 82700e3..bc38ae7 100644
--- a/docs/encrypted_images.md
+++ b/docs/encrypted_images.md
@@ -27,16 +27,16 @@
The image header needs to flag this image as `ENCRYPTED` (0x04) and
a TLV with the key must be present in the image. When upgrading the
-image from `slot1` to `slot0` it is automatically decrypted (after
-validation). If swap upgrades are enabled, the image located in `slot0`,
-also having the `ENCRYPTED` flag set and the TLV present, is
-re-encrypted while swapping to `slot1`.
+image from the `secondary slot` to the `primary slot` it is automatically
+decrypted (after validation). If swap upgrades are enabled, the image
+located in the `primary slot`, also having the `ENCRYPTED` flag set and the
+TLV present, is re-encrypted while swapping to the `secondary slot`.
## Threat model
The encrypted image support is supposed to allow for confidentiality
if the image is not residing on the device or is written to external
-storage, eg a SPI flash being used for slot1.
+storage, eg a SPI flash being used for the secondary slot.
It does not protect against the possibility of attaching a JTAG and
reading the internal flash memory, or using some attack vector that
@@ -79,24 +79,25 @@
## Upgrade process
-When starting a new upgrade process, `MCUBoot` checks that the image in
-`slot1` has the `ENCRYPTED` flag set and has the required TLV with the
+When starting a new upgrade process, `MCUBoot` checks that the image in the
+`secondary slot` has the `ENCRYPTED` flag set and has the required TLV with the
encrypted key. It then uses its internal private/secret key to decrypt
the TLV containing the key. Given that no errors are found, it will then
start the validation process, decrypting the blocks before check. A good
image being determined, the upgrade consists in reading the blocks from
-`slot1`, decrypting and writing to `slot0`.
+the `secondary slot`, decrypting and writing to the `primary slot`.
If swap is used for the upgrade process, the encryption happens when
-copying the sectors of `slot1` to the scratch area.
+copying the sectors of the `secondary slot` to the scratch area.
The `scratch` area is not encrypted, so it must reside in the internal
flash of the MCU to avoid attacks that could interrupt the upgrade and
dump the data.
-Also when swap is used, the image in `slot0` is checked for presence of
-the `ENCRYPTED` flag and the key TLV. If those are present the sectors
-are re-encrypted when copying from `slot0` to `slot1`.
+Also when swap is used, the image in the `primary slot` is checked for
+presence of the `ENCRYPTED` flag and the key TLV. If those are present the
+sectors are re-encrypted when copying from the `primary slot` to
+the `secondary slot`.
PS: Each encrypted image must have its own key TLV that should be unique
and used only for this particular image.
diff --git a/docs/imgtool.md b/docs/imgtool.md
index 1d5a7d7..baace5f 100644
--- a/docs/imgtool.md
+++ b/docs/imgtool.md
@@ -47,8 +47,8 @@
## Signing images
-Image signing takes an image in binary or Intel Hex format intended for Slot 0
-and adds a header and trailer that the bootloader is expecting:
+Image signing takes an image in binary or Intel Hex format intended for the
+primary slot and adds a header and trailer that the bootloader is expecting:
Usage: imgtool.py sign [OPTIONS] INFILE OUTFILE
@@ -61,8 +61,8 @@
-H, --header-size INTEGER [required]
--pad-header Add --header-size zeroed bytes at the beginning
of the image
- -S, --slot-size INTEGER Size of the slot where the image will be written
- [required]
+ -S, --slot-size INTEGER Size of the slot where the image will be
+ written [required]
--pad Pad image to --slot-size bytes, adding trailer
magic
-M, --max-sectors INTEGER When padding allow for this amount of sectors
@@ -93,5 +93,5 @@
status area size when calculating overflow.
The optional `--pad` argument will place a trailer on the image that
-indicates that the image should be considered an upgrade. Writing
-this image in slot 1 will then cause the bootloader to upgrade to it.
+indicates that the image should be considered an upgrade. Writing this image
+in the secondary slot will then cause the bootloader to upgrade to it.
diff --git a/docs/readme-zephyr.md b/docs/readme-zephyr.md
index fd07244..ac183c5 100644
--- a/docs/readme-zephyr.md
+++ b/docs/readme-zephyr.md
@@ -13,8 +13,8 @@
partitions defined in its device tree. These partitions are:
- `boot_partition`: for MCUboot itself
-- `slot0_partition`: the primary image slot
-- `slot1_partition`: the secondary image slot
+- `primary_slot_partition`: the primary image slot
+- `secondary_slot_partition`: the secondary image slot
- `scratch_partition`: the scratch slot
Currently, the two image slots must be contiguous. If you are running
@@ -43,7 +43,7 @@
be made before building it. Most of this can be done as documented in
the `CMakeLists.txt` file in boot/zephyr. There are comments there for
guidance. It is important to select a signature algorithm, and decide
-if slot0 should be validated on every boot.
+if the primary slot should be validated on every boot.
To build MCUboot, create a build directory in boot/zephyr, and build
it as usual:
@@ -96,7 +96,7 @@
### Signing the application
In order to upgrade to an image (or even boot it, if
-`MCUBOOT_VALIDATE_SLOT0` is enabled), the images must be signed.
+`MCUBOOT_VALIDATE_PRIMARY_SLOT` is enabled), the images must be signed.
To make development easier, MCUboot is distributed with some example
keys. It is important to stress that these should never be used for
production, since the private key is publicly available in this
@@ -108,17 +108,17 @@
### Flashing the application
The application itself can flashed with regular flash tools, but will
-need to be programmed at the offset of slot-0 for this particular target.
-Depending on the platform and flash tool you might need to manually specify a
-flash offset corresponding to the slot-0 starting address. This is usually
-not relevant for flash tools that use Intel Hex images (.hex) instead of raw
-binary images (.bin) since the former include destination address information.
-Additionally you will need to make sure that the flash tool does not perform
-a mass erase (erasing the whole of the flash) or else you would be deleting
-MCUboot.
-These images can also be marked for upgrade, and loaded into slot-1,
+need to be programmed at the offset of the primary slot for this particular
+target. Depending on the platform and flash tool you might need to manually
+specify a flash offset corresponding to the primary slot starting address. This
+is usually not relevant for flash tools that use Intel Hex images (.hex) instead
+of raw binary images (.bin) since the former include destination address
+information. Additionally you will need to make sure that the flash tool does
+not perform a mass erase (erasing the whole of the flash) or else you would be
+deleting MCUboot.
+These images can also be marked for upgrade, and loaded into the secondary slot,
at which point the bootloader should perform an upgrade. It is up to
-the image to mark slot-0 as "image ok" before the next reboot,
+the image to mark the primary slot as "image ok" before the next reboot,
otherwise the bootloader will revert the application.
## Managing signing keys
diff --git a/samples/mcuboot_config/mcuboot_config.template.h b/samples/mcuboot_config/mcuboot_config.template.h
index 3dee47e..d29f4f6 100644
--- a/samples/mcuboot_config/mcuboot_config.template.h
+++ b/samples/mcuboot_config/mcuboot_config.template.h
@@ -45,7 +45,7 @@
/* #define MCUBOOT_OVERWRITE_ONLY */
#ifdef MCUBOOT_OVERWRITE_ONLY
-/* Uncomment to only erase and overwrite those slot 0 sectors needed
+/* Uncomment to only erase and overwrite those primary slot sectors needed
* to install the new image, rather than the entire image slot. */
/* #define MCUBOOT_OVERWRITE_ONLY_FAST */
#endif
@@ -64,11 +64,11 @@
/* #define MCUBOOT_USE_TINYCRYPT */
/*
- * Always check the signature of the image in slot 0 before booting,
+ * Always check the signature of the image in the primary slot before booting,
* even if no upgrade was performed. This is recommended if the boot
* time penalty is acceptable.
*/
-#define MCUBOOT_VALIDATE_SLOT0
+#define MCUBOOT_VALIDATE_PRIMARY_SLOT
/*
* Flash abstraction
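Review bot: Renaming the macro to `#define MCUBOOT_VALIDATE_PRIMARY_SLOT` leaves no guard for configurations that still define the old name. A port whose config header keeps `MCUBOOT_VALIDATE_SLOT0` would compile cleanly and, as far as this hunk shows, boot without the primary-slot signature check. Whether a compatibility check exists elsewhere in the commit is not visible here. If none exists, a guard where the config is consumed would turn the silent downgrade into a build failure: `#if defined(MCUBOOT_VALIDATE_SLOT0) && !defined(MCUBOOT_VALIDATE_PRIMARY_SLOT)`, `#error "MCUBOOT_VALIDATE_SLOT0 was renamed to MCUBOOT_VALIDATE_PRIMARY_SLOT"`, `#endif`.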
diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile
index 938468e..62291e3 100644
--- a/samples/zephyr/Makefile
+++ b/samples/zephyr/Makefile
@@ -39,11 +39,11 @@
# time, you should see a message about the bootloader not being able
# to find a bootable image.
#
-# "make flash_hello1" will then flash the first application into
-# "slot0". This should boot into this app, print a small message, and
+# "make flash_hello1" will then flash the first application into the
+# "primary slot". This should boot into this app, print a small message, and
# give the zephyr console.
#
-# "make flash_hello2" will flash hello2 into the second slot. The
+# "make flash_hello2" will flash hello2 into the "secondary slot". The
# reset should upgrade and run the new image. Resetting again should
# then revert back to the first app, since we did not mark this image
# as good.
@@ -140,7 +140,7 @@
# This is the same signing command as above, except that it adds the
# "--pad" argument. This will also add the trailer that indicates
# this image is intended to be an upgrade. It should be flashed into
-# slot1 instead of slot0.
+# the secondary slot instead of the primary slot.
hello2: check
(mkdir -p $(BUILD_DIR_HELLO2) && \
cd $(BUILD_DIR_HELLO2) && \
@@ -244,7 +244,7 @@
SIGNING_KEY=../../root-rsa-2048.pem \
hello2
-# Test that when configured to not validate slot0, we still boot, but
+# Test that when configured to not validate the primary slot, we still boot, but
# don't upgrade.
# flash_boot: tries to boot and resets
# flash_hello1: hello1 runs
@@ -252,7 +252,7 @@
# reset: hello1 runs
test-no-bootcheck: clean
$(MAKE) \
- BOOTLOADER_OVERLAY_CONFIG=$(PWD)/overlay-skip-slot0-validate.conf \
+ BOOTLOADER_OVERLAY_CONFIG=$(PWD)/overlay-skip-primary-slot-validate.conf \
SIGNING_KEY=../../root-ec-p256.pem \
all
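Review bot: The overlay path in `BOOTLOADER_OVERLAY_CONFIG=$(PWD)/overlay-skip-primary-slot-validate.conf` is built from `$(PWD)`, which is inherited from the environment and is not updated by `make -C`, so it can point away from samples/zephyr. This test only means something if the overlay is really applied, so `$(CURDIR)` is the safer base: `BOOTLOADER_OVERLAY_CONFIG=$(CURDIR)/overlay-skip-primary-slot-validate.conf \`. What the build does with a path that does not resolve is not visible in this hunk.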
diff --git a/samples/zephyr/overlay-skip-primary-slot-validate.conf b/samples/zephyr/overlay-skip-primary-slot-validate.conf
new file mode 100644
index 0000000..e94518e
--- /dev/null
+++ b/samples/zephyr/overlay-skip-primary-slot-validate.conf
@@ -0,0 +1,3 @@
+# Kconfig overlay for building without validating primary slot.
+
+# CONFIG_BOOT_VALIDATE_SLOT0 is not set
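Review bot: The new overlay still names the legacy symbol in `# CONFIG_BOOT_VALIDATE_SLOT0 is not set`, while the file name, its header comment and the C macro now say primary slot. If the Kconfig symbol was renamed elsewhere in this commit (not visible here), this line would no longer disable anything and test-no-bootcheck would run with validation still on. If the symbol was kept on purpose, a comment should say so, for example `# The Kconfig symbol keeps its legacy SLOT0 name.`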
diff --git a/samples/zephyr/overlay-skip-slot0-validate.conf b/samples/zephyr/overlay-skip-slot0-validate.conf
deleted file mode 100644
index dd3b2c2..0000000
--- a/samples/zephyr/overlay-skip-slot0-validate.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# Kconfig overlay for building without validating slot 0.
-
-# CONFIG_BOOT_VALIDATE_SLOT0 is not set
diff --git a/scripts/flash.sh b/scripts/flash.sh
index 7353dd7..a2c58c7 100755
--- a/scripts/flash.sh
+++ b/scripts/flash.sh
@@ -8,8 +8,8 @@
h
r
loadfile outdir/$BOARD/zephyr.bin $BASE_BOOT
-loadfile hello.signed.bin $BASE_SLOT0
-loadfile shell.signed.bin $BASE_SLOT1
+loadfile hello.signed.bin $BASE_PRIMARY_SLOT
+loadfile shell.signed.bin $BASE_SECONDARY_SLOT
q
EOF
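Review bot: `$BASE_PRIMARY_SLOT` and `$BASE_SECONDARY_SLOT` are expanded inside the here-document, and where they are set is outside this hunk. A setup that still provides `BASE_SLOT0`/`BASE_SLOT1` would produce `loadfile` lines with no address after this rename. Failing on an unset variable makes the rename visible: `loadfile hello.signed.bin ${BASE_PRIMARY_SLOT:?not set}` and `loadfile shell.signed.bin ${BASE_SECONDARY_SLOT:?not set}`. The here-document starts before the hunk.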
diff --git a/sim/Cargo.toml b/sim/Cargo.toml
index 13533cd..d1cce96 100644
--- a/sim/Cargo.toml
+++ b/sim/Cargo.toml
@@ -10,7 +10,7 @@
sig-rsa = ["mcuboot-sys/sig-rsa"]
sig-ecdsa = ["mcuboot-sys/sig-ecdsa"]
overwrite-only = ["mcuboot-sys/overwrite-only"]
-validate-slot0 = ["mcuboot-sys/validate-slot0"]
+validate-primary-slot = ["mcuboot-sys/validate-primary-slot"]
enc-rsa = ["mcuboot-sys/enc-rsa"]
enc-kw = ["mcuboot-sys/enc-kw"]
bootstrap = ["mcuboot-sys/bootstrap"]
diff --git a/sim/mcuboot-sys/Cargo.toml b/sim/mcuboot-sys/Cargo.toml
index 79a2663..37dba5e 100644
--- a/sim/mcuboot-sys/Cargo.toml
+++ b/sim/mcuboot-sys/Cargo.toml
@@ -21,16 +21,16 @@
# Overwrite only upgrade
overwrite-only = []
-# Disable validation of slot0
-validate-slot0 = []
+# Disable validation of the primary slot
+validate-primary-slot = []
-# Encrypt image in slot1 using RSA-OAEP-2048
+# Encrypt image in the secondary slot using RSA-OAEP-2048
enc-rsa = []
-# Encrypt image in slot1 using AES-KW-128
+# Encrypt image in the secondary slot using AES-KW-128
enc-kw = []
-# Allow bootstrapping an empty/invalid slot0 from a valid slot1
+# Allow bootstrapping an empty/invalid primary slot from a valid secondary slot
bootstrap = []
[build-dependencies]
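Review bot: The comment `# Disable validation of the primary slot` above `validate-primary-slot = []` says the opposite of what the feature does. In build.rs of this same commit, the feature being set defines `MCUBOOT_VALIDATE_PRIMARY_SLOT`, which the design doc describes as turning the optional integrity check on. The commit carries the old wording over unchanged; `# Enable validation of the primary slot` would match the behaviour.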
diff --git a/sim/mcuboot-sys/build.rs b/sim/mcuboot-sys/build.rs
index 9e9ef36..088b470 100644
--- a/sim/mcuboot-sys/build.rs
+++ b/sim/mcuboot-sys/build.rs
@@ -12,7 +12,8 @@
let sig_rsa = env::var("CARGO_FEATURE_SIG_RSA").is_ok();
let sig_ecdsa = env::var("CARGO_FEATURE_SIG_ECDSA").is_ok();
let overwrite_only = env::var("CARGO_FEATURE_OVERWRITE_ONLY").is_ok();
- let validate_slot0 = env::var("CARGO_FEATURE_VALIDATE_SLOT0").is_ok();
+ let validate_primary_slot =
+ env::var("CARGO_FEATURE_VALIDATE_PRIMARY_SLOT").is_ok();
let enc_rsa = env::var("CARGO_FEATURE_ENC_RSA").is_ok();
let enc_kw = env::var("CARGO_FEATURE_ENC_KW").is_ok();
let bootstrap = env::var("CARGO_FEATURE_BOOTSTRAP").is_ok();
@@ -28,8 +29,8 @@
conf.define("MCUBOOT_BOOTSTRAP", None);
}
- if validate_slot0 {
- conf.define("MCUBOOT_VALIDATE_SLOT0", None);
+ if validate_primary_slot {
+ conf.define("MCUBOOT_VALIDATE_PRIMARY_SLOT", None);
}
// Currently, mbed TLS cannot build with both RSA and ECDSA.
diff --git a/sim/mcuboot-sys/src/area.rs b/sim/mcuboot-sys/src/area.rs
index 8666aa1..9b13098 100644
--- a/sim/mcuboot-sys/src/area.rs
+++ b/sim/mcuboot-sys/src/area.rs
@@ -27,7 +27,7 @@
/// Add a slot to the image. The slot must align with erasable units in the flash device.
/// Panics if the description is not valid. There are also bootloader assumptions that the
- /// slots are SLOT0, SLOT1, and SCRATCH in that order.
+ /// slots are PRIMARY_SLOT, SECONDARY_SLOT, and SCRATCH in that order.
pub fn add_image(&mut self, base: usize, len: usize, id: FlashId, dev_id: u8) {
let nid = id as usize;
let orig_base = base;
@@ -196,4 +196,3 @@
off: u32,
size: u32,
}
-
diff --git a/sim/src/caps.rs b/sim/src/caps.rs
index 499add0..09f6dee 100644
--- a/sim/src/caps.rs
+++ b/sim/src/caps.rs
@@ -4,14 +4,14 @@
#[derive(Copy, Clone, Eq, PartialEq)]
#[allow(unused)]
pub enum Caps {
- RSA2048 = (1 << 0),
- EcdsaP224 = (1 << 1),
- EcdsaP256 = (1 << 2),
- SwapUpgrade = (1 << 3),
- OverwriteUpgrade = (1 << 4),
- EncRsa = (1 << 5),
- EncKw = (1 << 6),
- ValidateSlot0 = (1 << 7),
+ RSA2048 = (1 << 0),
+ EcdsaP224 = (1 << 1),
+ EcdsaP256 = (1 << 2),
+ SwapUpgrade = (1 << 3),
+ OverwriteUpgrade = (1 << 4),
+ EncRsa = (1 << 5),
+ EncKw = (1 << 6),
+ ValidatePrimarySlot = (1 << 7),
}
impl Caps {
diff --git a/sim/src/image.rs b/sim/src/image.rs
index b940b6e..e41d1cd 100644
--- a/sim/src/image.rs
+++ b/sim/src/image.rs
@@ -76,19 +76,20 @@
if !verify_trailer(&flashmap, &self.slots, 0, BOOT_MAGIC_GOOD,
BOOT_FLAG_SET, BOOT_FLAG_SET) {
- warn!("Mismatched trailer for Slot 0");
+ warn!("Mismatched trailer for the primary slot");
fails += 1;
}
if !verify_trailer(&flashmap, &self.slots, 1, BOOT_MAGIC_UNSET,
BOOT_FLAG_UNSET, BOOT_FLAG_UNSET) {
- warn!("Mismatched trailer for Slot 1");
+ warn!("Mismatched trailer for the secondary slot");
fails += 1;
}
if Caps::SwapUpgrade.present() {
if !verify_image(&flashmap, &self.slots, 1, &self.primaries) {
- warn!("Slot 1 FAIL at step {} of {}", i, total_flash_ops);
+ warn!("Secondary slot FAIL at step {} of {}",
+ i, total_flash_ops);
fails += 1;
}
}
@@ -113,26 +114,28 @@
total_flash_ops, total_fails);
info!("Random interruptions at reset points={:?}", total_counts);
- let slot0_ok = verify_image(&flashmap, &self.slots, 0, &self.upgrades);
- let slot1_ok = if Caps::SwapUpgrade.present() {
+ let primary_slot_ok = verify_image(&flashmap, &self.slots,
+ 0, &self.upgrades);
+ let secondary_slot_ok = if Caps::SwapUpgrade.present() {
verify_image(&flashmap, &self.slots, 1, &self.primaries)
} else {
true
};
- if !slot0_ok || !slot1_ok {
- error!("Image mismatch after random interrupts: slot0={} slot1={}",
- if slot0_ok { "ok" } else { "fail" },
- if slot1_ok { "ok" } else { "fail" });
+ if !primary_slot_ok || !secondary_slot_ok {
+ error!("Image mismatch after random interrupts: primary slot={} \
+ secondary slot={}",
+ if primary_slot_ok { "ok" } else { "fail" },
+ if secondary_slot_ok { "ok" } else { "fail" });
fails += 1;
}
if !verify_trailer(&flashmap, &self.slots, 0, BOOT_MAGIC_GOOD,
BOOT_FLAG_SET, BOOT_FLAG_SET) {
- error!("Mismatched trailer for Slot 0");
+ error!("Mismatched trailer for the primary slot");
fails += 1;
}
if !verify_trailer(&flashmap, &self.slots, 1, BOOT_MAGIC_UNSET,
BOOT_FLAG_UNSET, BOOT_FLAG_UNSET) {
- error!("Mismatched trailer for Slot 1");
+ error!("Mismatched trailer for the secondary slot");
fails += 1;
}
@@ -184,26 +187,27 @@
// was ever done?
if !verify_image(&flashmap, &self.slots, 0, &self.upgrades) {
- warn!("Slot 0 image verification FAIL");
+ warn!("Primary slot image verification FAIL");
fails += 1;
}
if !verify_trailer(&flashmap, &self.slots, 0, BOOT_MAGIC_GOOD,
BOOT_FLAG_UNSET, BOOT_FLAG_SET) {
- warn!("Mismatched trailer for Slot 0");
+ warn!("Mismatched trailer for the primary slot");
fails += 1;
}
if !verify_trailer(&flashmap, &self.slots, 1, BOOT_MAGIC_UNSET,
BOOT_FLAG_UNSET, BOOT_FLAG_UNSET) {
- warn!("Mismatched trailer for Slot 1");
+ warn!("Mismatched trailer for the secondary slot");
fails += 1;
}
- // Marks image in slot0 as permanent, no revert should happen...
+ // Marks image in the primary slot as permanent,
+ // no revert should happen...
mark_permanent_upgrade(&mut flashmap, &self.slots[0]);
if !verify_trailer(&flashmap, &self.slots, 0, BOOT_MAGIC_GOOD,
BOOT_FLAG_SET, BOOT_FLAG_SET) {
- warn!("Mismatched trailer for Slot 0");
+ warn!("Mismatched trailer for the primary slot");
fails += 1;
}
@@ -215,7 +219,7 @@
if !verify_trailer(&flashmap, &self.slots, 0, BOOT_MAGIC_GOOD,
BOOT_FLAG_SET, BOOT_FLAG_SET) {
- warn!("Mismatched trailer for Slot 0");
+ warn!("Mismatched trailer for the primary slot");
fails += 1;
}
if !verify_image(&flashmap, &self.slots, 0, &self.upgrades) {
@@ -230,8 +234,9 @@
fails > 0
}
- // Tests a new image written to slot0 that already has magic and image_ok set
- // while there is no image on slot1, so no revert should ever happen...
+ // Tests a new image written to the primary slot that already has magic and
+ // image_ok set while there is no image on the secondary slot, so no revert
+ // should ever happen...
pub fn run_norevert_newimage(&self) -> bool {
let mut flashmap = self.flashmap.clone();
let mut fails = 0;
@@ -240,10 +245,11 @@
mark_upgrade(&mut flashmap, &self.slots[0]);
- // This simulates writing an image created by imgtool to Slot 0
+ // This simulates writing an image created by imgtool to
+ // the primary slot
if !verify_trailer(&flashmap, &self.slots, 0, BOOT_MAGIC_GOOD,
BOOT_FLAG_UNSET, BOOT_FLAG_UNSET) {
- warn!("Mismatched trailer for Slot 0");
+ warn!("Mismatched trailer for the primary slot");
fails += 1;
}
@@ -261,12 +267,12 @@
}
if !verify_trailer(&flashmap, &self.slots, 0, BOOT_MAGIC_GOOD,
BOOT_FLAG_UNSET, BOOT_FLAG_UNSET) {
- warn!("Mismatched trailer for Slot 0");
+ warn!("Mismatched trailer for the primary slot");
fails += 1;
}
if !verify_trailer(&flashmap, &self.slots, 1, BOOT_MAGIC_UNSET,
BOOT_FLAG_UNSET, BOOT_FLAG_UNSET) {
- warn!("Mismatched trailer for Slot 1");
+ warn!("Mismatched trailer for the secondary slot");
fails += 1;
}
@@ -277,8 +283,9 @@
fails > 0
}
- // Tests a new image written to slot0 that already has magic and image_ok set
- // while there is no image on slot1, so no revert should ever happen...
+ // Tests a new image written to the primary slot that already has magic and
+ // image_ok set while there is no image on the secondary slot, so no revert
+ // should ever happen...
pub fn run_signfail_upgrade(&self) -> bool {
let mut flashmap = self.flashmap.clone();
let mut fails = 0;
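Review bot: The comment above `run_signfail_upgrade` is word for word the one this commit also rewraps above `run_norevert_newimage`. It describes a no-revert scenario, whereas the function name suggests a signature failure on upgrade. The body lies outside the hunk, so the right wording cannot be confirmed from here. Something like `// Tests that an upgrade image failing signature verification is not installed` should be checked against the body and used instead.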
@@ -291,7 +298,7 @@
if !verify_trailer(&flashmap, &self.slots, 0, BOOT_MAGIC_GOOD,
BOOT_FLAG_SET, BOOT_FLAG_UNSET) {
- warn!("Mismatched trailer for Slot 0");
+ warn!("Mismatched trailer for the primary slot");
fails += 1;
}
@@ -309,7 +316,7 @@
}
if !verify_trailer(&flashmap, &self.slots, 0, BOOT_MAGIC_GOOD,
BOOT_FLAG_SET, BOOT_FLAG_UNSET) {
- warn!("Mismatched trailer for Slot 0");
+ warn!("Mismatched trailer for the primary slot");
fails += 1;
}
@@ -339,7 +346,7 @@
/// allowing for fails in the status area. This should run to the end
/// and warn that write fails were detected...
pub fn run_with_status_fails_complete(&self) -> bool {
- if !Caps::ValidateSlot0.present() {
+ if !Caps::ValidatePrimarySlot.present() {
return false;
}
@@ -366,7 +373,7 @@
if !verify_trailer(&flashmap, &self.slots, 0, BOOT_MAGIC_GOOD,
BOOT_FLAG_SET, BOOT_FLAG_SET) {
- warn!("Mismatched trailer for Slot 0");
+ warn!("Mismatched trailer for the primary slot");
fails += 1;
}
@@ -375,7 +382,8 @@
fails += 1;
}
- info!("validate slot0 enabled; re-run of boot_go should just work");
+ info!("validate primary slot enabled; \
+ re-run of boot_go should just work");
let (result, _) = c::boot_go(&mut flashmap, &self.areadesc, None, false);
if result != 0 {
warn!("Failed!");
@@ -395,7 +403,7 @@
pub fn run_with_status_fails_with_reset(&self) -> bool {
if Caps::OverwriteUpgrade.present() {
false
- } else if Caps::ValidateSlot0.present() {
+ } else if Caps::ValidatePrimarySlot.present() {
let mut flashmap = self.flashmap.clone();
let mut fails = 0;
@@ -425,7 +433,8 @@
// or throw a single assert for small sector devices that fail
// multiple times...
if asserts > 1 {
- warn!("Expected single assert validating slot0, more detected {}", asserts);
+ warn!("Expected single assert validating the primary slot, \
+ more detected {}", asserts);
fails += 1;
}
@@ -473,7 +482,7 @@
}
fn reset_bad_status(&self, flashmap: &mut SimFlashMap, slot: usize) {
- if !Caps::ValidateSlot0.present() {
+ if !Caps::ValidatePrimarySlot.present() {
return;
}
@@ -553,21 +562,23 @@
}
if !verify_image(&flashmap, &images.slots, 0, &images.upgrades) {
- warn!("Image in slot 0 before revert is invalid at stop={}", stop);
+ warn!("Image in the primary slot before revert is invalid at stop={}",
+ stop);
fails += 1;
}
if !verify_image(&flashmap, &images.slots, 1, &images.primaries) {
- warn!("Image in slot 1 before revert is invalid at stop={}", stop);
+ warn!("Image in the secondary slot before revert is invalid at stop={}",
+ stop);
fails += 1;
}
if !verify_trailer(&flashmap, &images.slots, 0, BOOT_MAGIC_GOOD,
BOOT_FLAG_UNSET, BOOT_FLAG_SET) {
- warn!("Mismatched trailer for Slot 0 before revert");
+ warn!("Mismatched trailer for the primary slot before revert");
fails += 1;
}
if !verify_trailer(&flashmap, &images.slots, 1, BOOT_MAGIC_UNSET,
BOOT_FLAG_UNSET, BOOT_FLAG_UNSET) {
- warn!("Mismatched trailer for Slot 1 before revert");
+ warn!("Mismatched trailer for the secondary slot before revert");
fails += 1;
}
@@ -579,21 +590,23 @@
}
if !verify_image(&flashmap, &images.slots, 0, &images.primaries) {
- warn!("Image in slot 0 after revert is invalid at stop={}", stop);
+ warn!("Image in the primary slot after revert is invalid at stop={}",
+ stop);
fails += 1;
}
if !verify_image(&flashmap, &images.slots, 1, &images.upgrades) {
- warn!("Image in slot 1 after revert is invalid at stop={}", stop);
+ warn!("Image in the secondary slot after revert is invalid at stop={}",
+ stop);
fails += 1;
}
if !verify_trailer(&flashmap, &images.slots, 0, BOOT_MAGIC_GOOD,
BOOT_FLAG_SET, BOOT_FLAG_SET) {
- warn!("Mismatched trailer for Slot 1 after revert");
+ warn!("Mismatched trailer for the secondary slot after revert");
fails += 1;
}
if !verify_trailer(&flashmap, &images.slots, 1, BOOT_MAGIC_UNSET,
BOOT_FLAG_UNSET, BOOT_FLAG_UNSET) {
- warn!("Mismatched trailer for Slot 1 after revert");
+ warn!("Mismatched trailer for the secondary slot after revert");
fails += 1;
}
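Review bot: The first `verify_trailer` call after the revert passes slot index `0`, but its new message reads `Mismatched trailer for the secondary slot after revert`, identical to the check for index `1` right below it. The old text had the same mistake ("Slot 1") and the rename carried it over, so a bad primary-slot trailer would be reported against the wrong slot. The line should be `warn!("Mismatched trailer for the primary slot after revert");`. The enclosing function starts and ends outside the hunk.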
@@ -723,10 +736,10 @@
let result: [Option<Vec<u8>>; 2];
- // Since images are always non-encrypted in slot0, we first write an
- // encrypted image, re-read to use for verification, erase + flash
- // un-encrypted. In slot1 the image is written un-encrypted, and if
- // encryption is requested, it follows an erase + flash encrypted.
+ // Since images are always non-encrypted in the primary slot, we first write
+ // an encrypted image, re-read to use for verification, erase + flash
+ // un-encrypted. In the secondary slot the image is written un-encrypted,
+ // and if encryption is requested, it follows an erase + flash encrypted.
let flash = flashmap.get_mut(&dev_id).unwrap();
diff --git a/sim/src/lib.rs b/sim/src/lib.rs
index 8131a70..ce3abfc 100644
--- a/sim/src/lib.rs
+++ b/sim/src/lib.rs
@@ -162,32 +162,34 @@
pub fn new(device: DeviceName, align: u8, erased_val: u8) -> Run {
let (flashmap, areadesc) = make_device(device, align, erased_val);
- let (slot0_base, slot0_len, slot0_dev_id) = areadesc.find(FlashId::Image0);
- let (slot1_base, slot1_len, slot1_dev_id) = areadesc.find(FlashId::Image1);
+ let (primary_slot_base, primary_slot_len, primary_slot_dev_id) =
+ areadesc.find(FlashId::Image0);
+ let (secondary_slot_base, secondary_slot_len, secondary_slot_dev_id) =
+ areadesc.find(FlashId::Image1);
// NOTE: not accounting "swap_size" because it is not used by sim...
let offset_from_end = c::boot_magic_sz() + c::boot_max_align() * 2;
// Construct a primary image.
- let slot0 = SlotInfo {
- base_off: slot0_base as usize,
- trailer_off: slot0_base + slot0_len - offset_from_end,
- len: slot0_len as usize,
- dev_id: slot0_dev_id,
+ let primary_slot = SlotInfo {
+ base_off: primary_slot_base as usize,
+ trailer_off: primary_slot_base + primary_slot_len - offset_from_end,
+ len: primary_slot_len as usize,
+ dev_id: primary_slot_dev_id,
};
// And an upgrade image.
- let slot1 = SlotInfo {
- base_off: slot1_base as usize,
- trailer_off: slot1_base + slot1_len - offset_from_end,
- len: slot1_len as usize,
- dev_id: slot1_dev_id,
+ let secondary_slot = SlotInfo {
+ base_off: secondary_slot_base as usize,
+ trailer_off: secondary_slot_base + secondary_slot_len - offset_from_end,
+ len: secondary_slot_len as usize,
+ dev_id: secondary_slot_dev_id,
};
Run {
flashmap: flashmap,
areadesc: areadesc,
- slots: [slot0, slot1],
+ slots: [primary_slot, secondary_slot],
}
}
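Review bot: The context comments in `new`, `// Construct a primary image.` and `// And an upgrade image.`, sit above `SlotInfo` values that describe slots (base offset, trailer offset, length, device id), not images. Since this commit is about terminology, I would reword them to `// Describe the primary slot.` and `// And the secondary slot.`. The mapping from the numbered enum to the new names is also left implicit, so a one-line comment above the two `areadesc.find` calls would help: `// FlashId::Image0 is the primary slot, FlashId::Image1 the secondary.`. Whether `FlashId` itself should be renamed cannot be judged from this hunk.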
@@ -236,7 +238,7 @@
images
}
- pub fn make_bad_slot1_image(&self) -> Images {
+ pub fn make_bad_secondary_slot_image(&self) -> Images {
let mut bad_flashmap = self.flashmap.clone();
let primaries = install_image(&mut bad_flashmap, &self.slots, 0, 32784, false);
let upgrades = install_image(&mut bad_flashmap, &self.slots, 1, 41928, true);
@@ -272,11 +274,11 @@
let mut failed = false;
- // Creates a badly signed image in slot1 to check that it is not
- // upgraded to
- let bad_slot1_image = run.make_bad_slot1_image();
+ // Creates a badly signed image in the secondary slot to check that
+ // it is not upgraded to
+ let bad_secondary_slot_image = run.make_bad_secondary_slot_image();
- failed |= bad_slot1_image.run_signfail_upgrade();
+ failed |= bad_secondary_slot_image.run_signfail_upgrade();
let images = run.make_no_upgrade_image();
failed |= images.run_norevert_newimage();
diff --git a/sim/tests/core.rs b/sim/tests/core.rs
index 4a6cde3..4a1931f 100644
--- a/sim/tests/core.rs
+++ b/sim/tests/core.rs
@@ -18,7 +18,7 @@
};
}
-sim_test!(bad_slot1, make_bad_slot1_image, run_signfail_upgrade);
+sim_test!(bad_secondary_slot, make_bad_secondary_slot_image, run_signfail_upgrade);
sim_test!(norevert_newimage, make_no_upgrade_image, run_norevert_newimage);
sim_test!(basic_revert, make_image, run_basic_revert);
sim_test!(revert_with_fails, make_image, run_revert_with_fails);
diff --git a/testplan/mynewt/Makefile b/testplan/mynewt/Makefile
index c981073..86e7b9c 100644
--- a/testplan/mynewt/Makefile
+++ b/testplan/mynewt/Makefile
@@ -25,22 +25,22 @@
all: build-apps build-mcuboot
build-blinky:
- @echo "* Building blinky for slot 0... \c"
+ @echo "* Building blinky for the primary slot... \c"
@newt build -q $(BLINKY)
@echo "ok"
build-blinky2:
- @echo "* Building blinky2 for slot 1... \c"
+ @echo "* Building blinky2 for the secondary slot... \c"
@newt build -q $(BLINKY2)
@echo "ok"
build-slinky:
- @echo "* Building slinky for slot 0... \c"
+ @echo "* Building slinky for the primary slot... \c"
@newt build -q $(SLINKY)
@echo "ok"
build-slinky2:
- @echo "* Building slinky2 for slot 1... \c"
+ @echo "* Building slinky2 for the secondary slot... \c"
@newt build -q $(SLINKY2)
@echo "ok"
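Review bot: The four rewritten progress lines keep the `echo "... \c"` idiom, whose handling of `\c` depends on which `echo` the recipe shell provides. Some shells suppress the newline, while others (bash's builtin without `-e`, for example) print the two characters literally. Since these lines are being touched anyway, `printf` gives the same no-newline prompt portably, e.g. `@printf '* Building blinky for the primary slot... '`. The same applies to the `build-blinky2`, `build-slinky` and `build-slinky2` recipes in this hunk.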
@@ -71,7 +71,7 @@
@echo "ok"
build-boot-rsa-validate0:
- @echo "* Building mcuboot with slot 0 validation... \c"
+ @echo "* Building mcuboot with primary slot validation... \c"
@newt build -q $(BOOT_RSA_VALIDATE0)
@echo "ok"