-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bootloader mcuboot with custom device #401
Comments
I had to remove "device_name": "HMC20" in custom targets. Strange that my original application never complained about this. But now I have something like a loop:
I was also wondering if I need:
|
@lefebvresam this seems like a separate issue around project configuration...
|
First point was not comitted yet. If you mean this:
There was a complaint that IROM1 was not existing. Point 2: Where is the clash then?
versus?
|
I just pushed my test changes but it is still not compiling. I always have the issue with 'first defined here' To run, just 'sh build.sh -d' |
Thank you!
BR, Jan |
It compiles when I put this in omment. No clue why you need mbed-core-flags then (also compiling without). It compiles also when I put mbed-baremetal in comment and make mbed-baremetal private in the top level.
However I think I best change the dependency to Jamie's version. |
From my point of view you should have mbed-os or mbed-baremetal (never both at once) just one time per app.
Agreed. |
I updated the project with the new lib and the branch. Why this IROM1 setting is needed? #define MBED_ROM_SIZE 0x100000 // 1MB A macro at custom targets? |
What I also do not really understand is if you follow the procedure on AGlass0fMilk you get a file with rsa_pub_key[], and in the example I see enc_priv_key[]. |
Sorry I really just started on the mcuboot stuff, I haven't really done anything other than update the build system yet. You should definitely use my fork of mcuboot to fix the link errors, but I still need to actually get a basic example working |
In order to make things work properly with the bootloader, you will need to use |
I use a custom target inherited from MCU_STM32U575xG. Are there some examples how to change/adapt the linker script? |
Actually, yeah! Been working on an update for the K64F here: https://github.com/mbed-ce/mbed-os/tree/dev/k64f-linker-script-refactor |
Yeah, you will find this info in the memory map section of the datasheet, or (apparently) in CubeIDE |
I see it's essentially renaming stuff. In my case there is no differentiation between RAM1, 2 or 3. I'm I right that the only purpose is to let the compiler believe that the size of the flash is only 0x20000 in order to have the code fit in that part before adding different hex files to create the complete image? I have no clue what .text and .bss and others exaclty mean. |
These definitions allow you to change memory settings according to your requirements via configuration without direct intervention to the linker script. It should working probably like that
These are basics how to achieve or understand a simple bootloader and also handy for start with Mcuboot I think. Only a method how to merge both binaries to one is missing. EDIT:
|
Thank you very much. I will test this procedure tomorrow. To be honest I never worked with linker scripts and I was starting to read a bit about this topic but it requires a deeper knowledge about ARM architecture I guess. I even didn't know exactly what to change and why. What is missing or wrong in the current linker scripts? Fyi the controller I use is STM32U575RGT6. To merge the hexes my idea is to test the procedure described on mbed-mcuboot-demo. The memory size is exactly the same as in my case (1MB) and my idea is to write a piece of software to transfer a bin file from the SD card to a separate flash chip I already use to store my images in my HMI display application to provide the secondary slot. |
I did the whole procedure and it compiles without errors, but the strange this is that I still see: ROM Bank Flash: 80505(+0)/1048576 bytes used, 7.7% (+0.0%) used -> that's still 1MB
|
This looks better, the "target.memory_bank_config" was not member of the HMC20 custom device.
|
Just for clarification. The "target.memory_bank_config" should be just in |
Is this still necessary in mbed_app.json5? And why the modficiations are needed in the linker script as you proposed in issuecomment-2526407974? It compiles exactly the same without these modifications. |
Nope, this one was working in ARM Mbed, in MbedCE this is not implemented.
|
I'm now preparing my main application. Do I also have to switch to bare metal? I currently have:
I'm also facing this now:
|
That is up to you. |
I see this error is invoked because of the latest commit in the branch mbed-ce-update-cmakelists, "Start on automation for creating images". Is this something I already have to deal with or do I need to stay on the previous commit? |
Sorry, I don't understand your description. Do you mean a commit in Jamie's McuBoot? I do not see any error. |
The requirement to define variabele MCUBOOT_SIGNING_KEY is something thas has been added in this recent commit of the mbed-ce-update-cmakelists branch of |
Ok, so it is related to McuBoot and Jamie's current work. I have no idea about this, sorry. |
After doing all the right configuration for the primary application it looks like the start address is not picked up in the right way:
And I get a lot of those messages:
Is there something I miss in the configuration? |
Why the update image must not be encrypted? The bootloader won't start the primary image, as at the error point has nothing to do with update image. |
mcuboot mbed_app.json
|
It looks like mcuboot don't know to start an encrypted image. And I did 'full' compiles by deleting the build folder first. |
Image for initial download shall NOT be encrypted. Encryption only applies to update image, to prevent them from being stolen during transportation or being stored in external devices such as SPIF or SD card. Remove `-E enc_key_pub.pem' and try again. I manually signed and encrypted images so I didn't notice this. @multiplemonomials could you remove encryption from signing tool for initial image? |
That looks better:
I updated my demo project with: Confirming the primary image is not necessary and gives an error:
Avoid endless loop:
Do automatic reboot:
I updated my two test projects:
|
What I do not understand is why you don't need to append application trailer TLV's in the update image during signing while they are a part of the secundary slot. |
And also, how to protect against copycat? Can you still do mcuboot updates when you protect the flash for readout? |
I didn't particularly look into this. My understanding is that this is mostly a workflow issue. Supposedly primary image will need to do some verification after acquiring/noticing the existence of image in secondary slot, then add necessary TLVs before handing it to bootloader. I actually padded update image as well to work around some other issues. The caveat is that once reboot, bootloader will always try to upgrade. If the update image is not padded, primary application needs to call But my understanding above is based on MCUBoot v1.8.0 and reading documentation from Mr. Beckstein's repo. In a later discussion with Mr. Smith, he mentioned that we shall/can use the same un-padded image for both initial download and upgrade, at least with the latest version of MCUBoot. So I might be wrong/out of dated. Please do some investigation and report back. |
That's what is encryption is for. Bootloader has a copy of private key, stored in |
Do you mean that primary image is adding some TLV's in the secundary slot after calling 'boot_set_pending'? |
So it means that the update image is deccrypted by the bootloader |
That's my understanding. When I tested on DISCO_F746NG, without calling this function, bootloader will ignore image stored in secondary slot, even it is a newer version. I treat this as some kind of feature, because sometimes you do want user's input/approval and not just blindly update whatever image in the secondary slot. |
And is there a way to allow only upgrade and not downgrade or do you need to program it by yourself in your application by using my new function to read-out image versions? |
MCUboot will decrypt encrypted image stored in secondary slot chunk by chunk before writing decrypted chunks into primary slot. There is some discussion about treatment of scratch/swap in the MCUboot documentation but I don't recall. For this and your other question, you will have to consult documentation of MCUboot. My understanding is once image chunk is decrypted and stored in primary slot, MCUboot will think it is secure and don't do anything about it. You will have to do something to prevent people from reading the entire internal flash through JTAG or similar. |
Wy this is needed? MBEDTLS_CIPHER_MODE_CTR It seems to work also when this is not present. |
This seems only needed for Mbed Studio/Mbed-OS + mcuboot v1.8.0. Without it, it will complain:
|
If you generate the keys with:
Do you get private and public key in one pem file? Why do you have to provide both for siging while you only need public for encrypting?
|
I think signing requires the private key while encrypting requires the public key |
Yes but is signing_keys.pem not both? |
The rational are two folds: 1) @multiplemonomials did you remove encryption from post build script for initial image in your latest commit? I believe the problem you had was related to that. |
I did remove encryption for the initial image. Only the update image is encrypted. |
By the way, Zhiyong and Sam, do you guys have discord accounts? I'd like to invite you guys to our dev discord server. Might make these sorts of discussions easier! |
I have one where I explained my project I wrote two test programs that I will close after new year. Next year it is time to find new (paid) consultancy projects. |
@multiplemonomials As a dinosaur I don't have a discord account yet but I have heard about it and can easily create one. I stumbled upon this issue when investigating encrypted images. In a nutshell, This is not mentioned in neither official documentation on
When you have a chance, could you include this into your auto signing script for initial image when path to an encryption key is provide? Changes are that it is not included yet because it is not mentioned in documentation. It creates a temporal security hole nonetheless. |
@multiplemonomials I just took a look at the cmake file to handle image encryption, I believe it needs to be something like the following:
The above code doesn't work, but it conveys the message. Essentially once image encryption is enabled, we will always have to pass encryption key to imgtool, no matter whether it is initial or update image. The only difference is, we pass an extra |
@zhiyong-ft That code looks good to me actually! Would you be able to open a PR on mcuboot with that change? |
I just took a second look. The problem is more than the extra tag. Assuming users passes a private RSA-2048 key for encryption, we will need to extract the public key, then use that key to actually encrypt image. Also there is the issue to extract public key from encryption key instead of signing key per recommendation by @utzig. Not sure if I am up to it, given that I am still learning the rope of CMake and all. But I will give it a try. |
Thanks! And let me know if you have any CMake questions! If you have a discord account let me know and I will add ya to our server |
This is my newly created discord id: zhiyong_ft_74542. I will give it a try in the coming weeks. |
I'm doing an attempt to create a project with mcu-bootloader as described on mbed-mcuboot-demo
But with the new toolchain (git submodules, cmake, etc..)
After creating a project, importing the libs and producing the necessary files, I try to do sh build.sh -d and I get
'missing MCU description' and I have a custom_targets.json5
I made to project temporary public for testing purposes:
bitbucket.org/saleconix/mcuboot.git
Adding this
or this
is not helping
The text was updated successfully, but these errors were encountered: