Set pending: don't crash when image slot corrupt

This change affects the "set pending" operation.  That is, the operation
that configures mcuboot to temporarily swap images on the next boot.

PRIOR TO COMMIT:

If the slot 1 trailer contained an invalid 128-bit magic number, an
assertion would fail, causing a crash.

AFTER COMMIT:

If corruption is detected in the slot 1 trailer, the entire image slot
is erased, and the "set pending" operation fails with a `BOOT_EBADIMAGE`
status.

RATIONALE:

mcuboot cannot meaningfully recover from data corruption.  The only
recourse is to erase the bad data so that future upgrades can be
performed.  I was tempted to add a build-time setting to control whether
the image slot gets erased when corruption is detected, but I don't think this
freedom justifies the cost of extra config.  A device with a corrupt
image slot can no longer be upgraded, so the only reason someone would
want to preserve the corrupt data would be for debugging.

Signed-off-by: Christopher Collins <ccollins@apache.org>
1 file changed
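A simplified model of the post-commit behaviour described above, added here as an example and not mcuboot's own code: the toy slot, the magic bytes and the numeric value of `BOOT_EBADIMAGE` are constructed or assumed, and only the trailer's magic check is modelled (the real trailer carries further fields). It shows the three cases the operation has to distinguish: a valid magic, an erased (all 0xFF) trailer, and anything else, which is treated as corruption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SLOT_SIZE      256   /* constructed toy slot size, not a real flash layout */
#define MAGIC_SZ       16    /* mcuboot's trailer magic is 128 bits */
#define BOOT_EBADIMAGE 3     /* mcuboot's error name; the numeric value is assumed here */
enum { MAGIC_GOOD, MAGIC_UNSET, MAGIC_BAD };

/* Placeholder for mcuboot's 128-bit magic: a constructed value, not the real constant. */
static const uint8_t boot_magic[MAGIC_SZ] = { 0x4d, 0x43, 0x55, 0x42, 0x4f, 0x4f, 0x54, 0x2d,
                                              0x4d, 0x41, 0x47, 0x49, 0x43, 0x2d, 0x58, 0x58 };
/* Toy image slot 1; the magic sits in the last MAGIC_SZ bytes, like mcuboot's trailer. */
static uint8_t slot1[SLOT_SIZE];

/* Erased flash reads back 0xFF, so an all-0xFF magic is "unset", not corrupt. */
static int magic_state(const uint8_t *magic)
{
    if (memcmp(magic, boot_magic, MAGIC_SZ) == 0) return MAGIC_GOOD;
    for (int i = 0; i < MAGIC_SZ; i++) if (magic[i] != 0xff) return MAGIC_BAD;
    return MAGIC_UNSET;
}

void slot1_erase(void) { memset(slot1, 0xff, SLOT_SIZE); }
bool slot1_is_erased(void)
{
    for (int i = 0; i < SLOT_SIZE; i++) if (slot1[i] != 0xff) return false;
    return true;
}

/* Simulate corruption: stale image bytes plus a trailer that is neither blank nor valid. */
void slot1_corrupt_trailer(void) { slot1_erase(); slot1[0] = 0xaa; slot1[SLOT_SIZE - 1] = 0x00; }

/* "Set pending" as it behaves after the commit: 0 on success, BOOT_EBADIMAGE on corruption. */
int boot_set_pending(void)
{
    uint8_t *magic = slot1 + SLOT_SIZE - MAGIC_SZ;
    switch (magic_state(magic)) {
    case MAGIC_GOOD:  return 0;                              /* swap already scheduled */
    case MAGIC_UNSET: memcpy(magic, boot_magic, MAGIC_SZ);   /* request a swap on next boot */
                      return 0;
    default:
        /* The pre-commit code hit assert(0) here. Instead, erase the unrecoverable slot
         * so a later upgrade can succeed, and report the failure to the caller. */
        slot1_erase();
        return BOOT_EBADIMAGE;
    }
}
```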
README.md

mcuboot


This is mcuboot, version 1.3.0-rc2

MCUboot is a secure bootloader for 32-bit MCUs. The goal of MCUboot is to define a common infrastructure for the bootloader, system flash layout on microcontroller systems, and to provide a secure bootloader that enables easy software upgrade.

MCUboot is operating system and hardware independent and relies on hardware porting layers from the operating system it works with. Currently, mcuboot works with both the Apache Mynewt and Zephyr operating systems, but more ports are planned in the future. RIOT is currently supported as a boot target, with a complete port planned.

Using MCUboot

Instructions for different operating systems can be found here:

Roadmap

The issues being planned and worked on are tracked using GitHub issues. To participate please visit:

MCUBoot GitHub Issues

Issues were previously tracked on MCUboot JIRA, but it is now deprecated.

Browsing

Information and documentation on the bootloader are stored within the source.

It was previously also documented on Confluence: MCUBoot Confluence; however, it is now deprecated and not currently maintained.

For more information in the source, here are some pointers:

  • boot/bootutil: The core of the bootloader itself.
  • boot/boot_serial: Support for serial upgrade within the bootloader itself.
  • boot/zephyr: Port of the bootloader to Zephyr
  • boot/mynewt: Mynewt bootloader app
  • imgtool: A tool to securely sign firmware images for booting by mcuboot.
  • sim: A bootloader simulator for testing and regression

Joining

Developers welcome!