sim: Test software rollback protection
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
diff --git a/sim/src/image.rs b/sim/src/image.rs
index 9c24a3e..2c99694 100644
--- a/sim/src/image.rs
+++ b/sim/src/image.rs
@@ -45,6 +45,7 @@
Depender,
DepTest,
DepType,
+ NO_DEPS,
PairDep,
UpgradeInfo,
};
@@ -177,7 +178,7 @@
let dep: Box<dyn Depender> = if num_images > 1 {
Box::new(PairDep::new(num_images, image_num, deps))
} else {
- Box::new(BoringDep(image_num))
+ Box::new(BoringDep::new(image_num, deps))
};
let primaries = install_image(&mut flash, &slots[0], 42784, &*dep, false);
let upgrades = match deps.depends[image_num] {
@@ -222,7 +223,7 @@
pub fn make_bad_secondary_slot_image(self) -> Images {
let mut bad_flash = self.flash;
let images = self.slots.into_iter().enumerate().map(|(image_num, slots)| {
- let dep = BoringDep(image_num);
+ let dep = BoringDep::new(image_num, &NO_DEPS);
let primaries = install_image(&mut bad_flash, &slots[0], 32784, &dep, false);
let upgrades = install_image(&mut bad_flash, &slots[1], 41928, &dep, true);
OneImage {
@@ -569,6 +570,37 @@
fails > 0
}
+ // Test that an upgrade is rejected. Assumes that the image was build
+ // such that the upgrade is instead a downgrade.
+ pub fn run_nodowngrade(&self) -> bool {
+ if !Caps::DowngradePrevention.present() {
+ return false;
+ }
+
+ let mut flash = self.flash.clone();
+ let mut fails = 0;
+
+ info!("Try no downgrade");
+
+ // First, do a normal upgrade.
+ let (result, _) = c::boot_go(&mut flash, &self.areadesc, None, false);
+ if result != 0 {
+ warn!("Failed first boot");
+ fails += 1;
+ }
+
+ if !self.verify_images(&flash, 0, 0) {
+ warn!("Failed verification after downgrade rejection");
+ fails += 1;
+ }
+
+ if fails > 0 {
+ error!("Error testing downgrade rejection");
+ }
+
+ fails > 0
+ }
+
// Tests a new image written to the primary slot that already has magic and
// image_ok set while there is no image on the secondary slot, so no revert
// should ever happen...
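Review bot: `run_nodowngrade` cannot tell a rejected downgrade from a boot in which no upgrade was attempted. It passes whenever `boot_go` returns 0 and `verify_images(&flash, 0, 0)` holds, and the precondition that the secondary slot holds an older version is only stated in the comment, never checked. If a caller builds the images without a lower-version upgrade, this rollback-protection test would presumably report success without exercising the version check, so the requirement should at least be a documented caller contract, e.g. `/// Caller must build the images so the secondary slot holds a lower version than the primary; otherwise this passes without testing anything.` The inline comment `// First, do a normal upgrade.` contradicts the intent and would read better as `// Boot with the downgrade staged; the primary slot must be left unchanged.`, and "build" in the header comment should be "built".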
@@ -1450,6 +1482,7 @@
/// The image header
#[repr(C)]
+#[derive(Debug)]
pub struct ImageHeader {
magic: u32,
load_addr: u32,