Zephyr: Document testplan

This document describes the manual testing done on Zephyr.  It uses a
bunch of git patches to make modifications to the code, where each is
then tried and then backed out.

Signed-off-by: David Brown <david.brown@linaro.org>
diff --git a/doc/testplan-zephyr.rst b/doc/testplan-zephyr.rst
new file mode 100644
index 0000000..8ea5274
--- /dev/null
+++ b/doc/testplan-zephyr.rst
@@ -0,0 +1,164 @@
+Zephyr Test Plan
+================
+
+The following roughly describes how mcuboot is tested on Zephyr.  The
+testing is done with the code in ``samples/zephyr``.  These examples
+were written using the FRDM-K64F, but other boards should be similar.
+At this time, however, the partitions are hardcoded in the Makefile
+targets to flash.
+
+Note that at the time of release of 0.9.0-rc2, the change `MPU flash
+write`_ had not been merged.  This change fixes a problem interaction
+between the MPU and the flash drivers.  Without this change, if the
+MPU is enabled (the default), the bootloader will abort immediately on
+boot, generally before printing any messages.
+
+.. _MPU flash write: https://github.com/zephyrproject-rtos/zephyr/pull/654
+
+At this time, most of the test variants are done by modifying either
+the code or Makefiles.  A future goal is to automate this testing.
+
+Sanity Check
+------------
+
+Begin by running make in ``samples/zephyr``::
+
+    $ make clean
+    $ make all
+
+This will result in three binaries: ``mcuboot.bin``,
+``signed-hello1.bin``, and ``signed-hello2.bin``.
+
+The second file is marked as an "upgrade" by the image tool, so
+has an appended image trailer.
+
+Begin by doing a full erase, and programming the first image::
+
+    $ pyocd-flashtool -ce
+    $ make flash_boot
+
+After it resets, look for "main: Starting bootloader", a few debug
+messages, and lastly: "main: Unable to find bootable image".
+
+Then, load hello1::
+
+    $ make flash_hello1
+
+This should print "main: Jumping to the first image slot", and you
+should get an image "Hello World number 1!".
+
+For kicks, program slot 2's image into slot one.  This has to be done
+manually, and it is good to verify these addresses in the Makefile::
+
+    $ pyocd-flashtool -a 0x20000 signed-hello1.bin
+
+This should boot, printing "Upgraded hello!".
+
+Now put back image 1, and put image 2 in as the upgrade::
+
+    $ make flash_hello1
+    $ make flash_hello2
+
+This should print a message: "boot_swap_type: Swap type: test", and
+you should see "Upgraded hello!".
+
+Now reset the target::
+
+    $ pyocd-tool reset
+
+And you should see a revert and "Hello world number 1" running.
+
+Repeat this, to make sure we can mark the image as OK, and that a
+revert doesn't happen::
+
+    $ make flash_hello1
+    $ make flash_hello2
+
+We should have just booted the Upgraded hello.  Mark this as OK::
+
+    $ pyocd-flashtool -a 0x7ffe8 image_ok.bin
+    $ pyocd-tool reset
+
+And make sure this stays in the "Upgraded hello" image.
+
+Other Signature Combinations
+----------------------------
+
+.. note:: Make sure you don't have changes in your tree, as the
+          following step will undo them.
+
+As part of the above sanity check, we have tested the RSA signature
+algorithm, along with the new RSA-PSS signature algorithm.  To test
+other configurations, we need to make some modifications to the code.
+This is easiest to do by applying some patches (in
+``testplan/zephyr``).  For each of these patches, perform something
+along the lines of::
+
+   $ cd ../..
+   $ git apply testplan/zephyr/0001-try-rsa-pkcs1-v15.patch
+   $ cd samples/zephyr
+   $ make clean
+   $ make all
+   $ pyocd-flashtool -ce
+   $ make flash_boot
+   $ make flash_hello1
+
+Make sure image one boots if it is supposed to (and doesn't if it is
+not supposed to).  Then try the upgrade::
+
+   $ make flash_hello2
+
+After this, make sure that the the image does or doesn't perform the
+upgrade (see test table below).
+
+After the upgrade runs, reset to make sure the revert works (or
+doesn't for the noted cases below)::
+
+   $ pyocd-tool reset
+
+Then undo the change::
+
+   $ cd ../..
+   $ git checkout -- .
+
+and repeat the above steps for each patch.
+
+The following patches are available:
+
+.. list-table:: Test configurations
+   :header-rows: 1
+
+   * - Patch
+     - hello1 boot?
+     - Upgrade?
+   * - 0001-bad-old-rsa-in-boot-not-in-image.patch
+     - no
+     - no
+   * - 0001-bad-old-RSA-no-slot0-check.patch
+     - yes
+     - no
+   * - 0001-good-rsa-pkcs-v1.5-good.patch
+     - yes
+     - yes
+   * - 0001-bad-ECDSA-P256-bootloader-not-in-images.patch
+     - no
+     - no
+   * - 0001-partial-ECDSA-P256-bootloader-slot0-ok-slot1-bad.patch
+     - yes
+     - no
+   * - 0001-good-ECDSA-P256-bootloader-images-signed.patch
+     - yes
+     - yes
+   * - 0001-partial-ECDSA-P256-bootloader-slot-0-bad-sig.patch
+     - no
+     - yes[1]_
+   * - 0001-partial-ECDSA-P256-bootloader-slot-1-bad-sig.patch
+     - yes
+     - no
+   * - 0001-partial-ECDSA-P256-slot-0-bad-no-verification.patch
+     - no
+     - yes[1]_
+
+.. [1] These tests with hello1 bad should perform an upgrade when
+       hello2 is flashed, but they should not revert the image
+       afterwards.
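Review bot: In the Sanity Check section, the step described as programming slot 2's image into slot one flashes `signed-hello1.bin` (`pyocd-flashtool -a 0x20000 signed-hello1.bin`) yet expects "Upgraded hello!", the message the rest of the document attributes to the hello2 upgrade image, so the file name looks like it should be `signed-hello2.bin`. In the next section, the example `git apply testplan/zephyr/0001-try-rsa-pkcs1-v15.patch` names a file that is neither added by this commit nor listed in the table; use one of the listed names. In the table, `yes[1]_` needs whitespace before `[1]_` (for example `yes [1]_`) for reStructuredText to treat it as a footnote reference. "make sure that the the image" has a doubled word.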
diff --git a/testplan/zephyr/0001-bad-ECDSA-P256-bootloader-not-in-images.patch b/testplan/zephyr/0001-bad-ECDSA-P256-bootloader-not-in-images.patch
new file mode 100644
index 0000000..68f4816
--- /dev/null
+++ b/testplan/zephyr/0001-bad-ECDSA-P256-bootloader-not-in-images.patch
@@ -0,0 +1,39 @@
+From 66f6f44bcea43ac991aa025d634fb98de964be05 Mon Sep 17 00:00:00 2001
+From: David Brown <david.brown@linaro.org>
+Date: Thu, 27 Jul 2017 10:05:47 -0600
+Subject: [PATCH] bad: ECDSA P256 bootloader, not in images
+
+This configures the bootloader to require an ECDSA P256 signature, but
+does not sign the images with it.  Neither should boot.
+---
+ Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 1e9ec42..b0adf05 100644
+--- a/Makefile
++++ b/Makefile
+@@ -9,16 +9,16 @@
+ # lines there, and comment out any other blocks.
+ 
+ # RSA
+-CONF_FILE = boot/zephyr/prj.conf
+-CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
++#CONF_FILE = boot/zephyr/prj.conf
++#CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
+ 
+ # Newer uses should use the RSA-PSS signature algorithm.  This define
+ # enables (and requires) this type of signature.
+ #CFLAGS += -DMCUBOOT_RSA_PKCS1_15
+ 
+ # ECDSA P-256
+-#CONF_FILE = boot/zephyr/prj-p256.conf
+-#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
++CONF_FILE = boot/zephyr/prj-p256.conf
++CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
+ 
+ # Enable this option to have the bootloader verify the signature of
+ # the primary image upon every boot.  Without it, signature
+-- 
+2.11.0
+
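Review bot: The embedded Makefile hunk is pinned to `index 1e9ec42`, and the same RSA-to-ECDSA switch is repeated in five other patches in this directory, so any edit to that region of the top-level Makefile will make `git apply` fail for all of them at once. Consider recording in doc/testplan-zephyr.rst which commit the patches apply to, or selecting the signature type through a make variable so that the test patches only have to change the signing key.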
diff --git a/testplan/zephyr/0001-bad-old-RSA-no-slot0-check.patch b/testplan/zephyr/0001-bad-old-RSA-no-slot0-check.patch
new file mode 100644
index 0000000..12e57ab
--- /dev/null
+++ b/testplan/zephyr/0001-bad-old-RSA-no-slot0-check.patch
@@ -0,0 +1,37 @@
+From a170ab0b596e480445a9b9e2fca6ca937034192c Mon Sep 17 00:00:00 2001
+From: David Brown <david.brown@linaro.org>
+Date: Thu, 27 Jul 2017 09:56:30 -0600
+Subject: [PATCH] bad: old RSA no slot0 check
+
+This builds the bootloader with the old RSA signature type, but not the
+images.  It also disables verification of slot 0, so the image in slot 0
+should boot, but it should not perform an upgrade.
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 1e9ec42..d6e5876 100644
+--- a/Makefile
++++ b/Makefile
+@@ -14,7 +14,7 @@ CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
+ 
+ # Newer uses should use the RSA-PSS signature algorithm.  This define
+ # enables (and requires) this type of signature.
+-#CFLAGS += -DMCUBOOT_RSA_PKCS1_15
++CFLAGS += -DMCUBOOT_RSA_PKCS1_15
+ 
+ # ECDSA P-256
+ #CONF_FILE = boot/zephyr/prj-p256.conf
+@@ -23,7 +23,7 @@ CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
+ # Enable this option to have the bootloader verify the signature of
+ # the primary image upon every boot.  Without it, signature
+ # verification only happens on upgrade.
+-CFLAGS += -DMCUBOOT_VALIDATE_SLOT0
++# CFLAGS += -DMCUBOOT_VALIDATE_SLOT0
+ 
+ # Enabling this option uses newer flash map APIs. This saves RAM and
+ # avoids deprecated API usage.
+-- 
+2.11.0
+
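Review bot: The second embedded hunk disables slot 0 validation as `# CFLAGS += -DMCUBOOT_VALIDATE_SLOT0`, with a space after `#`, while the other commented-out settings in this Makefile and the equivalent line in 0001-partial-ECDSA-P256-slot-0-bad-no-verification.patch use `#CFLAGS`. Use the same form in both so that the two patches disable the option identically and a search for the commented-out define finds both.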
diff --git a/testplan/zephyr/0001-bad-old-rsa-in-boot-not-in-image.patch b/testplan/zephyr/0001-bad-old-rsa-in-boot-not-in-image.patch
new file mode 100644
index 0000000..99d9d51
--- /dev/null
+++ b/testplan/zephyr/0001-bad-old-rsa-in-boot-not-in-image.patch
@@ -0,0 +1,28 @@
+From 8f3c2f2fe9ade9ff6fe2a37b39318b0186d08efb Mon Sep 17 00:00:00 2001
+From: David Brown <david.brown@linaro.org>
+Date: Thu, 27 Jul 2017 09:50:48 -0600
+Subject: [PATCH] bad: old rsa in boot, not in image
+
+This patch makes the bootloader use the old signature style, but does
+not modify the images.  Neither image should boot.
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 1e9ec42..db97832 100644
+--- a/Makefile
++++ b/Makefile
+@@ -14,7 +14,7 @@ CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
+ 
+ # Newer uses should use the RSA-PSS signature algorithm.  This define
+ # enables (and requires) this type of signature.
+-#CFLAGS += -DMCUBOOT_RSA_PKCS1_15
++CFLAGS += -DMCUBOOT_RSA_PKCS1_15
+ 
+ # ECDSA P-256
+ #CONF_FILE = boot/zephyr/prj-p256.conf
+-- 
+2.11.0
+
diff --git a/testplan/zephyr/0001-good-ECDSA-P256-bootloader-images-signed.patch b/testplan/zephyr/0001-good-ECDSA-P256-bootloader-images-signed.patch
new file mode 100644
index 0000000..80a4aa5
--- /dev/null
+++ b/testplan/zephyr/0001-good-ECDSA-P256-bootloader-images-signed.patch
@@ -0,0 +1,62 @@
+From 5c9fd9690623165c3d1be4d3d219bb0d0c57647d Mon Sep 17 00:00:00 2001
+From: David Brown <david.brown@linaro.org>
+Date: Thu, 27 Jul 2017 10:05:47 -0600
+Subject: [PATCH] good: ECDSA P256 bootloader, images signed
+
+This configures the bootloader to require an ECDSA P256 signature, and
+both images signed properly.  Both should work.
+---
+ Makefile                | 8 ++++----
+ samples/zephyr/Makefile | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 1e9ec42..b0adf05 100644
+--- a/Makefile
++++ b/Makefile
+@@ -9,16 +9,16 @@
+ # lines there, and comment out any other blocks.
+ 
+ # RSA
+-CONF_FILE = boot/zephyr/prj.conf
+-CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
++#CONF_FILE = boot/zephyr/prj.conf
++#CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
+ 
+ # Newer uses should use the RSA-PSS signature algorithm.  This define
+ # enables (and requires) this type of signature.
+ #CFLAGS += -DMCUBOOT_RSA_PKCS1_15
+ 
+ # ECDSA P-256
+-#CONF_FILE = boot/zephyr/prj-p256.conf
+-#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
++CONF_FILE = boot/zephyr/prj-p256.conf
++CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
+ 
+ # Enable this option to have the bootloader verify the signature of
+ # the primary image upon every boot.  Without it, signature
+diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile
+index 7678615..1b90b7e 100644
+--- a/samples/zephyr/Makefile
++++ b/samples/zephyr/Makefile
+@@ -102,7 +102,7 @@ clean_boot: check
+ hello1: check
+ 	$(MAKE) -C hello1 BOARD=$(BOARD) -j$(nproc)
+ 	$(IMGTOOL) sign \
+-		--key $(SIGNING_KEY) \
++		--key ../../root-ec-p256.pem \
+ 		--header-size $(BOOT_HEADER_LEN) \
+ 		--align $(FLASH_ALIGNMENT) \
+ 		--version 1.2 \
+@@ -121,7 +121,7 @@ clean_hello1: check
+ hello2: check
+ 	$(MAKE) -C hello2 BOARD=$(BOARD) -j$(nproc)
+ 	$(IMGTOOL) sign \
+-		--key $(SIGNING_KEY) \
++		--key ../../root-ec-p256.pem \
+ 		--header-size $(BOOT_HEADER_LEN) \
+ 		--align $(FLASH_ALIGNMENT) \
+ 		--version 1.2 \
+-- 
+2.11.0
+
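Review bot: Both samples/zephyr/Makefile hunks replace `--key $(SIGNING_KEY)` with a hard-coded `--key ../../root-ec-p256.pem`, although in this all-good case both targets use the same key. Changing the `SIGNING_KEY` assignment once would give the same test with a smaller patch that is less likely to conflict with later edits to the `hello1` and `hello2` rules.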
diff --git a/testplan/zephyr/0001-good-rsa-pkcs-v1.5-good.patch b/testplan/zephyr/0001-good-rsa-pkcs-v1.5-good.patch
new file mode 100644
index 0000000..fa491f9
--- /dev/null
+++ b/testplan/zephyr/0001-good-rsa-pkcs-v1.5-good.patch
@@ -0,0 +1,48 @@
+From 950796d68430c2a2778689ee00560d2f455937d4 Mon Sep 17 00:00:00 2001
+From: David Brown <david.brown@linaro.org>
+Date: Thu, 27 Jul 2017 10:01:23 -0600
+Subject: [PATCH] good: rsa pkcs v1.5 good
+
+This builds the bootloader and each image with the older PKCS v1.5
+signature format.  Both the image and the upgrade should work.
+---
+ Makefile                | 2 +-
+ samples/zephyr/Makefile | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 1e9ec42..db97832 100644
+--- a/Makefile
++++ b/Makefile
+@@ -14,7 +14,7 @@ CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
+ 
+ # Newer uses should use the RSA-PSS signature algorithm.  This define
+ # enables (and requires) this type of signature.
+-#CFLAGS += -DMCUBOOT_RSA_PKCS1_15
++CFLAGS += -DMCUBOOT_RSA_PKCS1_15
+ 
+ # ECDSA P-256
+ #CONF_FILE = boot/zephyr/prj-p256.conf
+diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile
+index 7678615..07bb71c 100644
+--- a/samples/zephyr/Makefile
++++ b/samples/zephyr/Makefile
+@@ -106,6 +106,7 @@ hello1: check
+ 		--header-size $(BOOT_HEADER_LEN) \
+ 		--align $(FLASH_ALIGNMENT) \
+ 		--version 1.2 \
++		--rsa-pkcs1-15 \
+ 		--included-header \
+ 		hello1/outdir/$(BOARD)/zephyr.bin \
+ 		signed-hello1.bin
+@@ -125,6 +126,7 @@ hello2: check
+ 		--header-size $(BOOT_HEADER_LEN) \
+ 		--align $(FLASH_ALIGNMENT) \
+ 		--version 1.2 \
++		--rsa-pkcs1-15 \
+ 		--included-header \
+ 		--pad 0x60000 \
+ 		hello2/outdir/$(BOARD)/zephyr.bin \
+-- 
+2.11.0
+
diff --git a/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot-0-bad-sig.patch b/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot-0-bad-sig.patch
new file mode 100644
index 0000000..1188bef
--- /dev/null
+++ b/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot-0-bad-sig.patch
@@ -0,0 +1,76 @@
+From 26115ff2752b40a5727bc9cf5c76300b30e04d09 Mon Sep 17 00:00:00 2001
+From: David Brown <david.brown@linaro.org>
+Date: Thu, 27 Jul 2017 10:05:47 -0600
+Subject: [PATCH] partial: ECDSA P256 bootloader, slot 0 bad sig
+
+This configures the bootloader to require an ECDSA P256 signature, with
+hello1 having an invalid signature.  Slot 0 should fail to boot, but the
+upgrade should work.
+---
+ Makefile                | 8 ++++----
+ bad-ec-p256.pem         | 5 +++++
+ samples/zephyr/Makefile | 4 ++--
+ 3 files changed, 11 insertions(+), 6 deletions(-)
+ create mode 100644 bad-ec-p256.pem
+
+diff --git a/Makefile b/Makefile
+index 1e9ec42..b0adf05 100644
+--- a/Makefile
++++ b/Makefile
+@@ -9,16 +9,16 @@
+ # lines there, and comment out any other blocks.
+ 
+ # RSA
+-CONF_FILE = boot/zephyr/prj.conf
+-CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
++#CONF_FILE = boot/zephyr/prj.conf
++#CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
+ 
+ # Newer uses should use the RSA-PSS signature algorithm.  This define
+ # enables (and requires) this type of signature.
+ #CFLAGS += -DMCUBOOT_RSA_PKCS1_15
+ 
+ # ECDSA P-256
+-#CONF_FILE = boot/zephyr/prj-p256.conf
+-#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
++CONF_FILE = boot/zephyr/prj-p256.conf
++CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
+ 
+ # Enable this option to have the bootloader verify the signature of
+ # the primary image upon every boot.  Without it, signature
+diff --git a/bad-ec-p256.pem b/bad-ec-p256.pem
+new file mode 100644
+index 0000000..333f41f
+--- /dev/null
++++ b/bad-ec-p256.pem
+@@ -0,0 +1,5 @@
++-----BEGIN EC PRIVATE KEY-----
++MHcCAQEEILmqmiH6y3EGhLkTcnNtU7hZ1wnc51MIL53npseRX7vJoAoGCCqGSM49
++AwEHoUQDQgAEcX9ExNjZfsckp6AdutjPjVJsvP6ZZkKfLsGnRpKR+9OpO9/qmJHs
++ks+ZXo70SEANjWnNlxKNAVci8aUm8UskLw==
++-----END EC PRIVATE KEY-----
+diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile
+index 7678615..f84314d 100644
+--- a/samples/zephyr/Makefile
++++ b/samples/zephyr/Makefile
+@@ -102,7 +102,7 @@ clean_boot: check
+ hello1: check
+ 	$(MAKE) -C hello1 BOARD=$(BOARD) -j$(nproc)
+ 	$(IMGTOOL) sign \
+-		--key $(SIGNING_KEY) \
++		--key ../../bad-ec-p256.pem \
+ 		--header-size $(BOOT_HEADER_LEN) \
+ 		--align $(FLASH_ALIGNMENT) \
+ 		--version 1.2 \
+@@ -121,7 +121,7 @@ clean_hello1: check
+ hello2: check
+ 	$(MAKE) -C hello2 BOARD=$(BOARD) -j$(nproc)
+ 	$(IMGTOOL) sign \
+-		--key $(SIGNING_KEY) \
++		--key ../../root-ec-p256.pem \
+ 		--header-size $(BOOT_HEADER_LEN) \
+ 		--align $(FLASH_ALIGNMENT) \
+ 		--version 1.2 \
+-- 
+2.11.0
+
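Review bot: `bad-ec-p256.pem` is a complete EC private key added at the repository root, and the identical blob (`index 0000000..333f41f`) is embedded again in the slot-1-bad-sig and slot-0-bad-no-verification patches. Since its only role is to be a key the bootloader does not trust, consider keeping a single copy under testplan/zephyr/ with a name or comment that marks it as test-only, or generating a throwaway key during the test, so that it is not mistaken for a real signing key or flagged by secret scanning.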
diff --git a/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot-1-bad-sig.patch b/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot-1-bad-sig.patch
new file mode 100644
index 0000000..3d83658
--- /dev/null
+++ b/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot-1-bad-sig.patch
@@ -0,0 +1,76 @@
+From f261e0e1c7e0876094ed688f5f0923590aca3739 Mon Sep 17 00:00:00 2001
+From: David Brown <david.brown@linaro.org>
+Date: Thu, 27 Jul 2017 10:05:47 -0600
+Subject: [PATCH] partial: ECDSA P256 bootloader, slot 1 bad sig
+
+This configures the bootloader to require an ECDSA P256 signature, with
+hello2 having an invalid signature.  Slot 0 should boot, but the upgrade
+should not work.
+---
+ Makefile                | 8 ++++----
+ bad-ec-p256.pem         | 5 +++++
+ samples/zephyr/Makefile | 4 ++--
+ 3 files changed, 11 insertions(+), 6 deletions(-)
+ create mode 100644 bad-ec-p256.pem
+
+diff --git a/Makefile b/Makefile
+index 1e9ec42..b0adf05 100644
+--- a/Makefile
++++ b/Makefile
+@@ -9,16 +9,16 @@
+ # lines there, and comment out any other blocks.
+ 
+ # RSA
+-CONF_FILE = boot/zephyr/prj.conf
+-CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
++#CONF_FILE = boot/zephyr/prj.conf
++#CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
+ 
+ # Newer uses should use the RSA-PSS signature algorithm.  This define
+ # enables (and requires) this type of signature.
+ #CFLAGS += -DMCUBOOT_RSA_PKCS1_15
+ 
+ # ECDSA P-256
+-#CONF_FILE = boot/zephyr/prj-p256.conf
+-#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
++CONF_FILE = boot/zephyr/prj-p256.conf
++CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
+ 
+ # Enable this option to have the bootloader verify the signature of
+ # the primary image upon every boot.  Without it, signature
+diff --git a/bad-ec-p256.pem b/bad-ec-p256.pem
+new file mode 100644
+index 0000000..333f41f
+--- /dev/null
++++ b/bad-ec-p256.pem
+@@ -0,0 +1,5 @@
++-----BEGIN EC PRIVATE KEY-----
++MHcCAQEEILmqmiH6y3EGhLkTcnNtU7hZ1wnc51MIL53npseRX7vJoAoGCCqGSM49
++AwEHoUQDQgAEcX9ExNjZfsckp6AdutjPjVJsvP6ZZkKfLsGnRpKR+9OpO9/qmJHs
++ks+ZXo70SEANjWnNlxKNAVci8aUm8UskLw==
++-----END EC PRIVATE KEY-----
+diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile
+index 7678615..02a54da 100644
+--- a/samples/zephyr/Makefile
++++ b/samples/zephyr/Makefile
+@@ -102,7 +102,7 @@ clean_boot: check
+ hello1: check
+ 	$(MAKE) -C hello1 BOARD=$(BOARD) -j$(nproc)
+ 	$(IMGTOOL) sign \
+-		--key $(SIGNING_KEY) \
++		--key ../../root-ec-p256.pem \
+ 		--header-size $(BOOT_HEADER_LEN) \
+ 		--align $(FLASH_ALIGNMENT) \
+ 		--version 1.2 \
+@@ -121,7 +121,7 @@ clean_hello1: check
+ hello2: check
+ 	$(MAKE) -C hello2 BOARD=$(BOARD) -j$(nproc)
+ 	$(IMGTOOL) sign \
+-		--key $(SIGNING_KEY) \
++		--key ../../bad-ec-p256.pem \
+ 		--header-size $(BOOT_HEADER_LEN) \
+ 		--align $(FLASH_ALIGNMENT) \
+ 		--version 1.2 \
+-- 
+2.11.0
+
diff --git a/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot0-ok-slot1-bad.patch b/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot0-ok-slot1-bad.patch
new file mode 100644
index 0000000..a879119
--- /dev/null
+++ b/testplan/zephyr/0001-partial-ECDSA-P256-bootloader-slot0-ok-slot1-bad.patch
@@ -0,0 +1,54 @@
+From 86f857cafbdd40d1ba158028e142c8cdf5c56e0d Mon Sep 17 00:00:00 2001
+From: David Brown <david.brown@linaro.org>
+Date: Thu, 27 Jul 2017 10:05:47 -0600
+Subject: [PATCH] partial: ECDSA P256 bootloader, slot0 ok slot1 bad
+
+This configures the bootloader to require an ECDSA P256 signature, and
+the slot 0 image as good.  This should boot slot 0, but not perform the
+upgrade in slot 1.
+---
+ Makefile                | 8 ++++----
+ samples/zephyr/Makefile | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 1e9ec42..b0adf05 100644
+--- a/Makefile
++++ b/Makefile
+@@ -9,16 +9,16 @@
+ # lines there, and comment out any other blocks.
+ 
+ # RSA
+-CONF_FILE = boot/zephyr/prj.conf
+-CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
++#CONF_FILE = boot/zephyr/prj.conf
++#CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
+ 
+ # Newer uses should use the RSA-PSS signature algorithm.  This define
+ # enables (and requires) this type of signature.
+ #CFLAGS += -DMCUBOOT_RSA_PKCS1_15
+ 
+ # ECDSA P-256
+-#CONF_FILE = boot/zephyr/prj-p256.conf
+-#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
++CONF_FILE = boot/zephyr/prj-p256.conf
++CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
+ 
+ # Enable this option to have the bootloader verify the signature of
+ # the primary image upon every boot.  Without it, signature
+diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile
+index 7678615..b62e966 100644
+--- a/samples/zephyr/Makefile
++++ b/samples/zephyr/Makefile
+@@ -102,7 +102,7 @@ clean_boot: check
+ hello1: check
+ 	$(MAKE) -C hello1 BOARD=$(BOARD) -j$(nproc)
+ 	$(IMGTOOL) sign \
+-		--key $(SIGNING_KEY) \
++		--key ../../root-ec-p256.pem \
+ 		--header-size $(BOOT_HEADER_LEN) \
+ 		--align $(FLASH_ALIGNMENT) \
+ 		--version 1.2 \
+-- 
+2.11.0
+
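Review bot: The commit message does not say why slot 1 is bad. Only the `hello1` target is changed, so `hello2` keeps `--key $(SIGNING_KEY)`, and the upgrade is presumably rejected because it is not signed with the P-256 key at all, which is a different case from slot-1-bad-sig (signed with `bad-ec-p256.pem`). Add a sentence stating which key hello2 ends up signed with and why the bootloader should refuse it, so that the two tests are not taken for duplicates.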
diff --git a/testplan/zephyr/0001-partial-ECDSA-P256-slot-0-bad-no-verification.patch b/testplan/zephyr/0001-partial-ECDSA-P256-slot-0-bad-no-verification.patch
new file mode 100644
index 0000000..dead2c2
--- /dev/null
+++ b/testplan/zephyr/0001-partial-ECDSA-P256-slot-0-bad-no-verification.patch
@@ -0,0 +1,82 @@
+From b2d9560f05fabdcfdff549ccc361d9dfbe74735b Mon Sep 17 00:00:00 2001
+From: David Brown <david.brown@linaro.org>
+Date: Thu, 27 Jul 2017 10:05:47 -0600
+Subject: [PATCH] partial ECDSA P256 slot 0 bad, no verification
+
+This has a badly signed image in slot 0, which should boot because
+checking is off.  It should perform the upgrade in slot 1, and not
+revert, because the old image is not valid.
+---
+ Makefile                | 10 +++++-----
+ bad-ec-p256.pem         |  5 +++++
+ samples/zephyr/Makefile |  4 ++--
+ 3 files changed, 12 insertions(+), 7 deletions(-)
+ create mode 100644 bad-ec-p256.pem
+
+diff --git a/Makefile b/Makefile
+index 1e9ec42..3f875a2 100644
+--- a/Makefile
++++ b/Makefile
+@@ -9,21 +9,21 @@
+ # lines there, and comment out any other blocks.
+ 
+ # RSA
+-CONF_FILE = boot/zephyr/prj.conf
+-CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
++#CONF_FILE = boot/zephyr/prj.conf
++#CFLAGS += -DMCUBOOT_SIGN_RSA -DMCUBOOT_USE_MBED_TLS
+ 
+ # Newer uses should use the RSA-PSS signature algorithm.  This define
+ # enables (and requires) this type of signature.
+ #CFLAGS += -DMCUBOOT_RSA_PKCS1_15
+ 
+ # ECDSA P-256
+-#CONF_FILE = boot/zephyr/prj-p256.conf
+-#CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
++CONF_FILE = boot/zephyr/prj-p256.conf
++CFLAGS += -DMCUBOOT_SIGN_EC256 -DMCUBOOT_USE_TINYCRYPT
+ 
+ # Enable this option to have the bootloader verify the signature of
+ # the primary image upon every boot.  Without it, signature
+ # verification only happens on upgrade.
+-CFLAGS += -DMCUBOOT_VALIDATE_SLOT0
++#CFLAGS += -DMCUBOOT_VALIDATE_SLOT0
+ 
+ # Enabling this option uses newer flash map APIs. This saves RAM and
+ # avoids deprecated API usage.
+diff --git a/bad-ec-p256.pem b/bad-ec-p256.pem
+new file mode 100644
+index 0000000..333f41f
+--- /dev/null
++++ b/bad-ec-p256.pem
+@@ -0,0 +1,5 @@
++-----BEGIN EC PRIVATE KEY-----
++MHcCAQEEILmqmiH6y3EGhLkTcnNtU7hZ1wnc51MIL53npseRX7vJoAoGCCqGSM49
++AwEHoUQDQgAEcX9ExNjZfsckp6AdutjPjVJsvP6ZZkKfLsGnRpKR+9OpO9/qmJHs
++ks+ZXo70SEANjWnNlxKNAVci8aUm8UskLw==
++-----END EC PRIVATE KEY-----
+diff --git a/samples/zephyr/Makefile b/samples/zephyr/Makefile
+index 7678615..f84314d 100644
+--- a/samples/zephyr/Makefile
++++ b/samples/zephyr/Makefile
+@@ -102,7 +102,7 @@ clean_boot: check
+ hello1: check
+ 	$(MAKE) -C hello1 BOARD=$(BOARD) -j$(nproc)
+ 	$(IMGTOOL) sign \
+-		--key $(SIGNING_KEY) \
++		--key ../../bad-ec-p256.pem \
+ 		--header-size $(BOOT_HEADER_LEN) \
+ 		--align $(FLASH_ALIGNMENT) \
+ 		--version 1.2 \
+@@ -121,7 +121,7 @@ clean_hello1: check
+ hello2: check
+ 	$(MAKE) -C hello2 BOARD=$(BOARD) -j$(nproc)
+ 	$(IMGTOOL) sign \
+-		--key $(SIGNING_KEY) \
++		--key ../../root-ec-p256.pem \
+ 		--header-size $(BOOT_HEADER_LEN) \
+ 		--align $(FLASH_ALIGNMENT) \
+ 		--version 1.2 \
+-- 
+2.11.0
+
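Review bot: The commit message says the badly signed image in slot 0 "should boot because checking is off", but the table in doc/testplan-zephyr.rst lists "no" under "hello1 boot?" for 0001-partial-ECDSA-P256-slot-0-bad-no-verification.patch. One of the two is wrong, and with `MCUBOOT_VALIDATE_SLOT0` commented out the message looks like the correct one; please reconcile them. The subject also lacks the colon after "partial" that the other patches use.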