Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bootloader mcuboot with custom device #401

Open
lefebvresam opened this issue Dec 7, 2024 · 140 comments
Open

Bootloader mcuboot with custom device #401

lefebvresam opened this issue Dec 7, 2024 · 140 comments

Comments

@lefebvresam
Copy link

I'm doing an attempt to create a project with mcu-bootloader as described on mbed-mcuboot-demo

But with the new toolchain (git submodules, cmake, etc..)

After creating a project, importing the libs and producing the necessary files, I try to do sh build.sh -d and I get

-- Mbed: First CMake run detected, generating configs...
ERROR: Target specifies device_name HMC20 but this device is not
listed in /home/sam/git/mcuboot/mbed-os/tools/cmake/../../targets/cmsis_mcu_descriptions.json5.  Perhaps you need to use
the 'python -m mbed_tools.cli.main cmsis-mcu-descr fetch-missing' command to download
the missing MCU description?

More information may be available by using the command line option '-vv'.
CMake Error at mbed-os/tools/cmake/mbed_generate_configuration.cmake:123 (message):
  mbedtools configure failed! Cannot build this project.  Command was cd
  /home/sam/git/mcuboot/mbed-os/tools/cmake/../python &&
  /home/sam/git/mcuboot/mbed-os/venv/bin/python3.10 -m mbed_tools.cli.main -v
  configure -t GCC_ARM -m HMC20 --mbed-os-path
  /home/sam/git/mcuboot/mbed-os/tools/cmake/../..  --output-dir
  /home/sam/git/mcuboot/build --program-path /home/sam/git/mcuboot
Call Stack (most recent call first):
  mbed-os/tools/cmake/app.cmake:24 (include)
  CMakeLists.txt:7 (include)

'missing MCU description' and I have a custom_targets.json5

I made to project temporary public for testing purposes:

bitbucket.org/saleconix/mcuboot.git

Adding this

set(MBED_APP_JSON_PATH mbed_app.json5)
set(CUSTOM_TARGETS_JSON_PATH custom_targets.json5)

or this

set(MBED_APP_JSON_PATH ${CMAKE_CURRENT_SOURCE_DIR}/mbed_app.json5)
set(CUSTOM_TARGETS_JSON_PATH ${CMAKE_CURRENT_SOURCE_DIR}/custom_targets.json5)

is not helping

@lefebvresam
Copy link
Author

I had to remove "device_name": "HMC20" in custom targets. Strange that my original application never complained about this.

But now I have something like a loop:

/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:53: multiple definition of `mbed_error_in_progress'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:53: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj: in function `mbed_error_initialize':
/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:260: multiple definition of `mbed_error_initialize'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:260: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj: in function `mbed_get_first_error':
/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:267: multiple definition of `mbed_get_first_error'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:267: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj: in function `mbed_get_last_error':
/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:274: multiple definition of `mbed_get_last_error'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:274: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj: in function `mbed_get_error_count':
/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:281: multiple definition of `mbed_get_error_count'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:281: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj: in function `core_util_atomic_load_bool':
/home/sam/git/mcuboot/mbed-os/platform/include/platform/internal/mbed_atomic_impl.h:728: multiple definition of `mbed_get_error_in_progress'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/include/platform/internal/mbed_atomic_impl.h:728: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj: in function `mbed_warning':
/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:291: multiple definition of `mbed_warning'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:291: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj: in function `mbed_set_error_hook':
/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:351: multiple definition of `mbed_set_error_hook'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:351: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj: in function `mbed_reset_reboot_error_info':
/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:360: multiple definition of `mbed_reset_reboot_error_info'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:360: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj: in function `mbed_reset_reboot_count':
/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:387: multiple definition of `mbed_reset_reboot_count'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:387: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj: in function `mbed_get_reboot_error_info':
/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:404: multiple definition of `mbed_get_reboot_error_info'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:404: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj: in function `mbed_get_first_error_info':
/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:408: multiple definition of `mbed_get_first_error_info'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:408: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj: in function `mbed_get_last_error_info':
/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:415: multiple definition of `mbed_get_last_error_info'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:415: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj: in function `mbed_make_error':
/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:423: multiple definition of `mbed_make_error'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:423: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_error.c.obj: in function `mbed_clear_all_errors':
/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:456: multiple definition of `mbed_clear_all_errors'; mbed-os/CMakeFiles/mbed-baremetal.dir/platform/source/mbed_error.c.obj:/home/sam/git/mcuboot/mbed-os/platform/source/mbed_error.c:456: first defined here
/usr/local/gcc-arm/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld: mbed-os/CMakeFiles/mbed-os.dir/platform/source/mbed_mem_trace.cpp.obj: in function `SingletonPtr<rtos::Mutex>::get() const':

I was also wondering if I need:

"requires": ["bare-metal", "mbedtls", "mcuboot", "flashiap-block-device", "spif-driver", "qspif", "mbed-trace", "sd"],

@lefebvresam
Copy link
Author

https://github.com/JohnK1987

@lefebvresam this seems like a separate issue around project configuration...

@lefebvresam
Copy link
Author

First point was not comitted yet. If you mean this:

            "target.memory_bank_config": {
                "IROM1": {
                    "size": 0x20000
                }
            },

There was a complaint that IROM1 was not existing.

Point 2: Where is the clash then?

target_link_libraries(${LIB_BOOTUTIL}
    PUBLIC
        mbed-mcuboot
        mbed-mbedtls
)

versus?

target_link_libraries(${APP_TARGET}
    mbed-baremetal
    mbed-storage
    mbed-mcuboot
)

@lefebvresam
Copy link
Author

lefebvresam commented Dec 7, 2024

I just pushed my test changes but it is still not compiling. I always have the issue with 'first defined here'

To run, just 'sh build.sh -d'

@JohnK1987
Copy link
Member

Thank you!

  1. We can say your override of IROM1 via mbed_app.json is not working because there is nothing for override.
    Memory_banks are working in default with STM32H7 targets because there is everything prepared, but rest families are not ready for this. Linker script of STM32U5 is still use old definitions like APP_START and SIZE. So you should probably use it by old way. That mean you have to use names what will override these values which are used in the linker of STM32U575xG.
    Or you can update it by your self (I am not sure what all exactly need to be done at this moment, for this is maybe better to ask directly Jamie.) for STM32U5 familly based on the STM32H7 modifications.

  2. I have no info about progress but how Jamie wrote he already started to do something with MCUBOOT, so I believe this is good start - https://github.com/mbed-ce/mbed-mcuboot-bootloader

  3. Point 2: Where is the clash then?

    target_link_libraries(${LIB_BOOTUTIL}
        PUBLIC
            mbed-mcuboot
            mbed-mbedtls
    )
    

    versus?

    target_link_libraries(${APP_TARGET}
        mbed-baremetal
        mbed-storage
        mbed-mcuboot
    )
    

    I did not write about top lvl CMakeList of your project but the one of your imported mcuboot library - https://github.com/mcu-tools/mcuboot/blob/b778ad9e163da2212677d19ad6788c63127881a1/boot/mbed/CMakeLists.txt#L38-L48
    In Jamie's fork of mcuboot you can see a modification - https://github.com/multiplemonomials/mcuboot/blob/464c79661da3409ebe4abb8c4bb09f28d5ec5907/boot/mbed/CMakeLists.txt#L32

BR, Jan

@lefebvresam
Copy link
Author

lefebvresam commented Dec 7, 2024

It compiles when I put this in omment. No clue why you need mbed-core-flags then (also compiling without). It compiles also when I put mbed-baremetal in comment and make mbed-baremetal private in the top level.

# if("_RTE_" IN_LIST MBED_CONFIG_DEFINITIONS)
#     target_link_libraries(${LIB_TARGET}
#     PUBLIC
#         mbed-os
#     )
# else()
    target_link_libraries(${LIB_TARGET}
    PUBLIC
        mbed-baremetal
    )
# endif()

However I think I best change the dependency to Jamie's version.

@JohnK1987
Copy link
Member

JohnK1987 commented Dec 7, 2024

From my point of view you should have mbed-os or mbed-baremetal (never both at once) just one time per app.
However libraries (mcuboot is one of them) which use some dependencies from mbed-os need an access to mbed-os library, then you need link the library to mbed-core-flags or mbed-rtos-flags if the library needs to use RTOS features.

However I think I best change the dependency to Jamie's version.

Agreed.

@lefebvresam
Copy link
Author

I updated the project with the new lib and the branch.

Why this IROM1 setting is needed?
Do I have to reduce this setting to 0x20000 by overwriting it somewhere in the config?

#define MBED_ROM_SIZE 0x100000 // 1MB

A macro at custom targets?
@multiplemonomials can you elaborate on this?

@lefebvresam
Copy link
Author

What I also do not really understand is if you follow the procedure on AGlass0fMilk you get a file with rsa_pub_key[], and in the example I see enc_priv_key[].

@multiplemonomials
Copy link
Collaborator

Sorry I really just started on the mcuboot stuff, I haven't really done anything other than update the build system yet. You should definitely use my fork of mcuboot to fix the link errors, but I still need to actually get a basic example working

@multiplemonomials
Copy link
Collaborator

In order to make things work properly with the bootloader, you will need to use memory_bank_config to configure the ROM base address. This also requires that your target's linker script support memory bank configuration, which a lot of them currently don't

@lefebvresam
Copy link
Author

I use a custom target inherited from MCU_STM32U575xG. Are there some examples how to change/adapt the linker script?

@multiplemonomials
Copy link
Collaborator

Actually, yeah! Been working on an update for the K64F here: https://github.com/mbed-ce/mbed-os/tree/dev/k64f-linker-script-refactor

@lefebvresam
Copy link
Author

Is it the purpose that this:

image

Is in line with this:

image

Or where do you find the right details specific for the controller?

@multiplemonomials
Copy link
Collaborator

Yeah, you will find this info in the memory map section of the datasheet, or (apparently) in CubeIDE

@lefebvresam
Copy link
Author

I see it's essentially renaming stuff. In my case there is no differentiation between RAM1, 2 or 3. I'm I right that the only purpose is to let the compiler believe that the size of the flash is only 0x20000 in order to have the code fit in that part before adding different hex files to create the complete image? I have no clue what .text and .bss and others exaclty mean.

@JohnK1987
Copy link
Member

JohnK1987 commented Dec 8, 2024

These definitions allow you to change memory settings according to your requirements via configuration without direct intervention to the linker script.

It should working probably like that

  1. prepare custom_targets.json
    In case of custom target you should fill necessary information to custom_targets_json file as default target definition. For example your one

    For content click here
    	"HMC20": {
    		"inherits": [
    			"MCU_STM32U575xG"
    		],
    		"components_add" : ["SD", "SPIF"],
    		"overrides": {
    			"clock_source" : "USE_PLL_HSE_XTAL",
    			"lse_available" : "1",
    			"lse_drive_load_level" : "RCC_LSEDRIVE_HIGH"
    		},
    		"macros_add": [
    			"HSE_VALUE=10000000UL"
    		],
    		"device_has_remove": [
    			"ANALOGOUT",...
    		],
    		"device_name": "STM32U575VGTx"
    	}
    

    To device_name we will fill almost exact MCU name what we have. In our case STM32U575VG (not sure which one you really have). Then we will see error what you had

    -- Mbed: First CMake run detected, generating configs...
    ERROR: Target specifies device_name HMC20 but this device is not
    listed in /home/sam/git/mcuboot/mbed-os/tools/cmake/../../targets/cmsis_mcu_descriptions.json5.  Perhaps you need to use
    the 'python -m mbed_tools.cli.main cmsis-mcu-descr fetch-missing' command to download
    the missing MCU description?
    

    Then we go to '...project_name\mbed-os\tools\python' and call 'python -m mbed_tools.cli.main cmsis-mcu-descr fetch-missing'.
    If our device name is not correct then we will see something like this

    RuntimeError: MCU STM32U575VG is not present in the CMSIS MCU index (C:\Users\user\AppData\Local\cmsis-pack-manager\cmsis-pack-manager\index.json).  Maybe wrong part number, or this MCU simply doesn't exist in the CMSIS index and has to be added manually?
    

    So we check the name one more time or visit mentioned file index.json and look for best match. In our case "STM32U575VGTx". Then we update device_name parametr and perform 'fetch-missing' (from above) one more time. Then we update device_name parameter and perform 'fetch-missing' (from above) one more time. Then we see output in console like

    For console output click here
    PS ...project_name\mbed-os\tools\python> python -m mbed_tools.cli.main cmsis-mcu-descr fetch-missing
    INFO: Custom_targets file detected -  ...project_name\custom_targets\custom_targets.json5
    INFO: Scanning targets.json5 for used MCU names...
    INFO: Scanning custom_targets.json/json5. for used MCU names...
    INFO: Scanning cmsis_mcu_descriptions.json5 file for missing MCUs...
    INFO: CMSIS MCU description cache was last updated: a day ago
    INFO: In case of Custom target remove 'device_name' from your custom_targets.json5 file and add
    just the 'memories' section as 'memory_banks' section from content below.
    Otherwise add the whole following entries to  ...project_name\mbed-os\targets\cmsis_mcu_descriptions.json5:
    {
    	"STM32U575VGTx": {
    		"algorithms": [
    			{
    				"default": true,
    				"file_name": "CMSIS/Flash/STM32U5xx_1M_0800.FLM",
    				"ram_size": 32768,
    				"ram_start": 536870912,
    				"size": 1048576,
    				"start": 134217728,
    				"style": "Keil"
    			},
    			{
    				"default": true,
    				"file_name": "CMSIS/Flash/STM32U5xx_1M_0C00.FLM",
    				"ram_size": 32768,
    				"ram_start": 536870912,
    				"size": 1048576,
    				"start": 201326592,
    				"style": "Keil"
    			},
    			{
    				"default": false,
    				"file_name": "CMSIS/Flash/MX25LM51245G_STM32U575I-EVAL.FLM",
    				"ram_size": 655360,
    				"ram_start": 536870912,
    				"size": 67108864,
    				"start": 1879048192,
    				"style": "Keil"
    			},
    			{
    				"default": false,
    				"file_name": "CMSIS/Flash/MX25LM51245G_STM32U585I_IOT02A.FLM",
    				"ram_size": 655360,
    				"ram_start": 536870912,
    				"size": 67108864,
    				"start": 1879048192,
    				"style": "Keil"
    			},
    			{
    				"default": false,
    				"file_name": "CMSIS/Flash/MX25LM51245G_STM32U599J-DK.FLM",
    				"ram_size": 65524,
    				"ram_start": 536870912,
    				"size": 67108864,
    				"start": 2415919104,
    				"style": "Keil"
    			}
    		],
    		"family": "STM32U5 Series",
    		"from_pack": {
    			"pack": "STM32U5xx_DFP",
    			"url": "https://www.keil.com/pack/",
    			"vendor": "Keil",
    			"version": "3.0.0"
    		},
    		"memories": {
    			"Flash": {
    				"access": {
    					"execute": true,
    					"non_secure": false,
    					"non_secure_callable": false,
    					"peripheral": false,
    					"read": true,
    					"secure": false,
    					"write": false
    				},
    				"default": true,
    				"p_name": null,
    				"size": 1048576,
    				"start": 134217728,
    				"startup": true
    			},
    			"SRAM1_2": {
    				"access": {
    					"execute": true,
    					"non_secure": false,
    					"non_secure_callable": false,
    					"peripheral": false,
    					"read": true,
    					"secure": false,
    					"write": true
    				},
    				"default": true,
    				"p_name": null,
    				"size": 262144,
    				"start": 536870912,
    				"startup": false
    			},
    			"SRAM3": {
    				"access": {
    					"execute": true,
    					"non_secure": false,
    					"non_secure_callable": false,
    					"peripheral": false,
    					"read": true,
    					"secure": false,
    					"write": true
    				},
    				"default": false,
    				"p_name": null,
    				"size": 524288,
    				"start": 537133056,
    				"startup": false
    			}
    		},
    		"name": "STM32U575VGTx",
    		"processors": [
    			{
    				"address": null,
    				"ap": 0,
    				"apid": null,
    				"core": "CortexM33",
    				"default_reset_sequence": null,
    				"dp": 0,
    				"fpu": "SinglePrecision",
    				"mpu": "Present",
    				"name": null,
    				"svd": "CMSIS/SVD/STM32U575.svd",
    				"unit": 0
    			}
    		],
    		"sub_family": "STM32U575",
    		"vendor": "STMicroelectronics:13"
    	}
    }
    

    Then we will copy memories section into our custom_targets.json file but under new section name memory_banks and then we delete the device_name section. When we will try call again command 'fetch-missing', then we will see INFO: No missing MCUs, no work to do.

    For final content click here
    	"HMC20": {
    		"inherits": [
    			"MCU_STM32U575xG"
    		],
    		"components_add" : ["SD", "SPIF"],
    		"overrides": {
    			"clock_source" : "USE_PLL_HSE_XTAL",
    			"lse_available" : "1",
    			"lse_drive_load_level" : "RCC_LSEDRIVE_HIGH"
    		},
    		"macros_add": [
    			"HSE_VALUE=10000000UL"
    		],
    		"device_has_remove": [
    			"ANALOGOUT",...
    		],
    		"memory_banks": {
    			"IROM1": {
    				"access": {
    					"execute": true,
    					"non_secure": false,
    					"non_secure_callable": false,
    					"peripheral": false,
    					"read": true,
    					"secure": false,
    					"write": false
    				},
    				"default": true,
    				"p_name": null,
    				"size": 1048576,
    				"start": 134217728,
    				"startup": true
    			},
    			"SRAM1_2": {
    				"access": {
    					"execute": true,
    					"non_secure": false,
    					"non_secure_callable": false,
    					"peripheral": false,
    					"read": true,
    					"secure": false,
    					"write": true
    				},
    				"default": true,
    				"p_name": null,
    				"size": 262144,
    				"start": 536870912,
    				"startup": false
    			},
    			"SRAM3": {
    				"access": {
    					"execute": true,
    					"non_secure": false,
    					"non_secure_callable": false,
    					"peripheral": false,
    					"read": true,
    					"secure": false,
    					"write": true
    				},
    				"default": false,
    				"p_name": null,
    				"size": 524288,
    				"start": 537133056,
    				"startup": false
    			}
    		}
    	}
    
  2. prepare linker script
    Because only linker script for STM32H7 is prepared then we need PR for modification of STM32U575 linker script where we need to see macros from memory_banks.
    I believe it will be something like below.
    From current

    MEMORY
    {
        FLASH (rx)  : ORIGIN = MBED_APP_START, LENGTH = MBED_APP_SIZE
        RAM (rwx)   : ORIGIN = MBED_RAM_START + VECTORS_SIZE, LENGTH = MBED_RAM_SIZE - VECTORS_SIZE
    }
    

    to something like

    MEMORY
    {
        FLASH (rx)   : ORIGIN = MBED_CONFIGURED_ROM_BANK_IROM1_START, LENGTH = MBED_CONFIGURED_ROM_BANK_IROM1_SIZE
        RAM (rwx)    : ORIGIN = MBED_RAM_BANK_SRAM1_2_START + VECTORS_SIZE, LENGTH = (MBED_RAM_BANK_SRAM1_2_SIZE + MBED_RAM_BANK_SRAM3_SIZE) - VECTORS_SIZE
    }
    

    Also this file should be modified.

    This is not definitely optimal but I believe it is enough for a start and you do not need care rest of linker script.
    About names of macros I am not exactly sure but it seems like they should be generated by a python script, right @multiplemonomials ?

    EDIT: https://github.com/mbed-ce/mbed-os/wiki/Mbed-Memory-Bank-Information#32-specific-behavior

  3. preparation for bootloder and its app
    As soon as linker will be ready then you can place target.memory_bank_config into mbed_app.json5 with specific parts what should override default target definition just for specific application.
    The mbed_app.json5 of a bootloader:

             "target.memory_bank_config": {
                 "IROM1": {
                     "size": 0x20000
                 }
             },
    

    In this case we will set Flash size to just 128KB because we are sure or we want our bootloader will be not bigger than that. And according to RM0456 (section 7.3.1 Flash memory organization on page 290) the size must be divisible by 8kb (from my understanding the FlashIAP is able to erase and program only by whole sectors/pages).
    This size is also important for later calculation. It will be use like offset for app start address, app flash size reduction and also like address where bootloader should jump to.
    The mbed_app.json5 of an app:

             "target.memory_bank_config": {
                 "IROM1": {
                     "size": 0x80000
                     "start": 0x20000
                 }
             },
    

These are basics how to achieve or understand a simple bootloader and also handy for start with Mcuboot I think. Only a method how to merge both binaries to one is missing.

EDIT:
Good point

hexmerge.py utility from the intelhex

@lefebvresam
Copy link
Author

Thank you very much. I will test this procedure tomorrow. To be honest I never worked with linker scripts and I was starting to read a bit about this topic but it requires a deeper knowledge about ARM architecture I guess. I even didn't know exactly what to change and why. What is missing or wrong in the current linker scripts? Fyi the controller I use is STM32U575RGT6.

To merge the hexes my idea is to test the procedure described on mbed-mcuboot-demo. The memory size is exactly the same as in my case (1MB) and my idea is to write a piece of software to transfer a bin file from the SD card to a separate flash chip I already use to store my images in my HMI display application to provide the secondary slot.

@lefebvresam
Copy link
Author

I did the whole procedure and it compiles without errors, but the strange this is that I still see:

ROM Bank Flash: 80505(+0)/1048576 bytes used, 7.7% (+0.0%) used -> that's still 1MB

[410/410] Linking CXX executable mbed-mcuboot-bootloader.elf
-- built: /home/sam/git/mcuboot/build/mbed-mcuboot-bootloader.bin
-- built: /home/sam/git/mcuboot/build/mbed-mcuboot-bootloader.hex
/home/sam/git/mcuboot/mbed-os/tools/python/memap/memap.py:63: DeprecationWarning: the 'HEADER' constant is deprecated, use the 'HRuleStyle' and 'VRuleStyle' enums instead
  from prettytable import PrettyTable, HEADER
| Module                                 |         .text |     .data |          .bss |
|----------------------------------------|---------------|-----------|---------------|
| CMakeFiles/mbed-mcuboot-bootloader.dir |     516(+516) |     0(+0) |     408(+408) |
| [fill]                                 |       99(+99) |     4(+4) |       20(+20) |
| [lib]/bootutil.a                       |   7001(+7001) |     8(+8) | 10612(+10612) |
| [lib]/c_nano.a                         |   4648(+4648) |   92(+92) |     329(+329) |
| [lib]/gcc.a                            |   2748(+2748) |     0(+0) |         0(+0) |
| [lib]/mbed-mbedtls.a                   |   7978(+7978) |     0(+0) |         0(+0) |
| [lib]/mbed-mcuboot.a                   |   1644(+1644) |   16(+16) |     132(+132) |
| [lib]/mbed-storage-blockdevice.a       |   5172(+5172) |     0(+0) |         0(+0) |
| [lib]/mbed-storage-flashiap.a          |     997(+997) |     0(+0) |         0(+0) |
| [lib]/mbed-storage-spif.a              |   5373(+5373) |     0(+0) |       40(+40) |
| [lib]/misc                             |     296(+296) |   12(+12) |       25(+25) |
| [lib]/stdc++_nano.a                    |         1(+1) |     0(+0) |         0(+0) |
| mbed-os/CMakeFiles                     | 43528(+43528) | 364(+364) |   2026(+2026) |
| Subtotals                              | 80001(+80001) | 496(+496) | 13592(+13592) |
Total Static RAM memory (data + bss): 14088(+14088) bytes
Total Flash memory (text + data): 80497(+80497) bytes

RAM Bank SRAM1_2: 14112(+0)/262144 bytes used, 5.4% (+0.0%) used
RAM Bank SRAM3: 0(+0)/524288 bytes used, 0.0% (+0.0%) used
ROM Bank Flash: 80505(+0)/1048576 bytes used, 7.7% (+0.0%) used

@lefebvresam
Copy link
Author

This looks better, the "target.memory_bank_config" was not member of the HMC20 custom device.

[410/410] Linking CXX executable mbed-mcuboot-bootloader.elf
-- built: /home/sam/git/mcuboot/build/mbed-mcuboot-bootloader.bin
-- built: /home/sam/git/mcuboot/build/mbed-mcuboot-bootloader.hex
/home/sam/git/mcuboot/mbed-os/tools/python/memap/memap.py:63: DeprecationWarning: the 'HEADER' constant is deprecated, use the 'HRuleStyle' and 'VRuleStyle' enums instead
  from prettytable import PrettyTable, HEADER
| Module                                 |         .text |     .data |          .bss |
|----------------------------------------|---------------|-----------|---------------|
| CMakeFiles/mbed-mcuboot-bootloader.dir |     516(+516) |     0(+0) |     408(+408) |
| [fill]                                 |       99(+99) |     4(+4) |       20(+20) |
| [lib]/bootutil.a                       |   7001(+7001) |     8(+8) | 10612(+10612) |
| [lib]/c_nano.a                         |   4648(+4648) |   92(+92) |     329(+329) |
| [lib]/gcc.a                            |   2748(+2748) |     0(+0) |         0(+0) |
| [lib]/mbed-mbedtls.a                   |   7978(+7978) |     0(+0) |         0(+0) |
| [lib]/mbed-mcuboot.a                   |   1644(+1644) |   16(+16) |     132(+132) |
| [lib]/mbed-storage-blockdevice.a       |   5172(+5172) |     0(+0) |         0(+0) |
| [lib]/mbed-storage-flashiap.a          |     997(+997) |     0(+0) |         0(+0) |
| [lib]/mbed-storage-spif.a              |   5373(+5373) |     0(+0) |       40(+40) |
| [lib]/misc                             |     296(+296) |   12(+12) |       25(+25) |
| [lib]/stdc++_nano.a                    |         1(+1) |     0(+0) |         0(+0) |
| mbed-os/CMakeFiles                     | 43528(+43528) | 364(+364) |   2026(+2026) |
| Subtotals                              | 80001(+80001) | 496(+496) | 13592(+13592) |
Total Static RAM memory (data + bss): 14088(+14088) bytes
Total Flash memory (text + data): 80497(+80497) bytes

RAM Bank SRAM1_2: 14112(+0)/262144 bytes used, 5.4% (+0.0%) used
RAM Bank SRAM3: 0(+0)/524288 bytes used, 0.0% (+0.0%) used
ROM Bank Flash: 80505(+0)/131072 bytes used, 61.4% (+0.0%) used

@JohnK1987
Copy link
Member

This looks better, the "target.memory_bank_config" was not member of the HMC20 custom device.

Just for clarification. The "target.memory_bank_config" should be just in mbed_app.json5 file under the override section. In custom_targets.json5 should be "memory_banks" like I wrote above. Because let say you want to set custom target settings for your HMC20 just once and then only copy&paste it to every new project. For application specific offsets like for bootloader or its apps you should use mbed_app.json5 file.

@lefebvresam
Copy link
Author

lefebvresam commented Dec 10, 2024

Is this still necessary in mbed_app.json5?
"target.restrict_size": "0x20000",

And why the modficiations are needed in the linker script as you proposed in issuecomment-2526407974? It compiles exactly the same without these modifications.

@JohnK1987
Copy link
Member

JohnK1987 commented Dec 10, 2024

Is this still necessary in mbed_app.json5?
"target.restrict_size": "0x20000",

Nope, this one was working in ARM Mbed, in MbedCE this is not implemented.
It was just for define that the bootloader can not be bigger than 128KB (0x20000), which we are able to do with mbed_app.json5 and content below

         "target.memory_bank_config": {
             "IROM1": {
                 "size": 0x20000
             }
         }

@lefebvresam
Copy link
Author

lefebvresam commented Dec 10, 2024

I'm now preparing my main application. Do I also have to switch to bare metal? I currently have:

target_link_libraries(${APP_TARGET} PRIVATE
    mbed-os
...

I'm also facing this now:

CMake Error at mcuboot/boot/mbed/mcuboot_imgtool.cmake:32 (message):
  Must specify path to valid image signing key via MCUBOOT_SIGNING_KEY in
  order to build this project.
Call Stack (most recent call first):
  mcuboot/boot/mbed/CMakeLists.txt:49 (include)

@JohnK1987
Copy link
Member

That is up to you.

@lefebvresam
Copy link
Author

I see this error is invoked because of the latest commit in the branch mbed-ce-update-cmakelists, "Start on automation for creating images". Is this something I already have to deal with or do I need to stay on the previous commit?

@JohnK1987
Copy link
Member

JohnK1987 commented Dec 10, 2024

Sorry, I don't understand your description. Do you mean a commit in Jamie's McuBoot? I do not see any error.

@lefebvresam
Copy link
Author

lefebvresam commented Dec 10, 2024

The requirement to define variabele MCUBOOT_SIGNING_KEY is something thas has been added in this recent commit of the mbed-ce-update-cmakelists branch of https://github.com/multiplemonomials/mcuboot.git. Is this something I can already use and how, or just neglect and still use the previous commit?

@JohnK1987
Copy link
Member

Ok, so it is related to McuBoot and Jamie's current work. I have no idea about this, sorry.

@lefebvresam
Copy link
Author

After doing all the right configuration for the primary application it looks like the start address is not picked up in the right way:

// This file contains application specific settings.
{
    "macros": [
        "MBED_HEAP_STATS_ENABLED=true",
        "MBED_THREAD_STATS_ENABLED=true",
        "OS_TIMERS=0"
    ],
    "config": {
        "serial-bootloader-enable": {
            "help": "Build bootloader with serial update support",
            "value": 0
        },
        "secondary-slot-in-flash": {
            "help": "If enabled, store the secondary slot in the application flash immediately after the primary slot.",
            "value": false
        }
    },    
    "target_overrides": {
        "*": {
            "mcuboot.bootloader-build": false,
            "target.c_lib": "small",
            "mcuboot.log-level": "MCUBOOT_LOG_LEVEL_DEBUG",
            "platform.stdio-baud-rate": 67800,
            "platform.stdio-buffered-serial": true,
            "platform.memory-tracing-enabled": true,
            "platform.callback-nontrivial": true,
            "target.printf_lib": "std",
            "mbed-trace.enable": true,
            "mbed-trace.max-level": "TRACE_LEVEL_DEBUG",
            "mbed-trace.fea-ipv6": false            
        },
        "HMC20": {
            "events.shared-dispatch-from-application": true,            
            "rtos.main-thread-stack-size": 11240,
            "drivers.uart-serial-rxbuf-size": 512,
            "drivers.uart-serial-txbuf-size": 512,
            "sd.SPI_CS": "SD_CS",
            "sd.SPI_MOSI": "SD_MOSI",
            "sd.SPI_MISO": "SD_MISO",
            "sd.SPI_CLK": "SD_CLK",
            "sd.TRX_FREQUENCY": 40000000,
            "spif-driver.SPI_CS": "SPIF_CS",
            "spif-driver.SPI_MOSI": "SPIF_MOSI",
            "spif-driver.SPI_MISO": "SPIF_MISO",
            "spif-driver.SPI_CLK": "SPIF_CLK",            
            "spif-driver.SPI_FREQ": 40000000,
            "mcuboot.primary-slot-address": "0x8020000",
            "mcuboot.slot-size": "0xC0000",
            "mcuboot.scratch-address": "0x80E0000",
            "mcuboot.scratch-size": "0x20000",
            "mcuboot.max-img-sectors": "0x180",
            "mcuboot.read-granularity": 1,
            // This replaces "target.restrict_size":
            "target.memory_bank_config": {
                "Flash": {
                    "size": 0xE0000,
                    "start": 0x8020000
                }
            }
        }
    }
}

And I get a lot of those messages:

...
Warning: Symbol .text._ZN6RA887514_readColorTrioEh (at address 0x801f40c, size 84) is not inside a defined memory bank for this target.
Warning: Symbol .text._ZN6RA887530SetBackgroundTransparencyColorEt (at address 0x801f460, size 28) is not inside a defined memory bank for this target.
Warning: Symbol .text._ZN6RA887530GetBackgroundTransparencyColorEv (at address 0x801f47c, size 6) is not inside a defined memory bank for this target.
Warning: Symbol .text._ZN6RA88759fontwidthEv (at address 0x801f482, size 30) is not inside a defined memory bank for this target.
Warning: Symbol .text._ZN6RA88757columnsEv (at address 0x801f4a0, size 16) is not inside a defined memory bank for this target.
Warning: Symbol .text._ZN6RA887512GetTextWidthEPKcb (at address 0x801f4b0, size 108) is not inside a defined memory bank for this target.
...

Is there something I miss in the configuration?

@lefebvresam
Copy link
Author

lefebvresam commented Dec 21, 2024

I pulled all the latest upstream updates in my mcuboot branch.

image

@lefebvresam
Copy link
Author

lefebvresam commented Dec 21, 2024

echo "Shift the update image"
arm-none-eabi-objcopy --change-addresses 0x40000 --set-start 0x7FC0345 signed-update.hex signed-update.hex

The update image doesn't seem to have been encrypted. I used the imgtool from mcuboot v1.8.0 to manually sign and encrypt images, only used the latest version as bootloader.

Why the update image must not be encrypted? The bootloader won't start the primary image, as at the error point has nothing to do with update image.

@lefebvresam
Copy link
Author

lefebvresam commented Dec 22, 2024

mcuboot mbed_app.json

// This file contains application specific settings.
{
    "macros": [
        "MCUBOOT_BOOT_MAX_ALIGN=16",
        "MBEDTLS_CIPHER_MODE_CTR"
    ],
    "config": {
        "serial-bootloader-enable": {
            "help": "Build bootloader with serial update support",
            "value": 0
        },
        "secondary-slot-in-flash": {
            "help": "If enabled, store the secondary slot in the application flash immediately after the primary slot.",
            "value": false
        }
    },
    "target_overrides": {
        "*": {
            "mcuboot.bootloader-build": true,
            "target.c_lib": "small",
            "mcuboot.log-enable": true,
            "mcuboot.log-level": "MCUBOOT_LOG_LEVEL_INFO",
            "mcuboot.log-bootloader-only": true,
            "mcuboot.encrypt-rsa": true,
            "platform.stdio-baud-rate": 67800,
            "mbed-trace.enable": true,
            "mbed-trace.max-level": "TRACE_LEVEL_DEBUG",
            "mbed-trace.fea-ipv6": false
        },
        "HMC20": {
            "events.shared-dispatch-from-application": true,            
            "rtos.main-thread-stack-size": 11240,
            "drivers.uart-serial-rxbuf-size": 512,
            "drivers.uart-serial-txbuf-size": 512,
            "sd.SPI_CS": "SD_CS",
            "sd.SPI_MOSI": "SD_MOSI",
            "sd.SPI_MISO": "SD_MISO",
            "sd.SPI_CLK": "SD_CLK",
            "sd.TRX_FREQUENCY": 40000000,
            "spif-driver.SPI_CS": "SPIF_CS",
            "spif-driver.SPI_MOSI": "SPIF_MOSI",
            "spif-driver.SPI_MISO": "SPIF_MISO",
            "spif-driver.SPI_CLK": "SPIF_CLK",            
            "spif-driver.SPI_FREQ": 40000000,
            "mcuboot.primary-slot-address": "0x8020000",
            "mcuboot.slot-size": "0xC0000",
            "mcuboot.header-size": "0x1000",
            "mcuboot.scratch-address": "0x80E0000",
            "mcuboot.scratch-size": "0x20000",
            "mcuboot.max-img-sectors": "0x180", // 0xC0000 / 1024 / 2 (based on the smallest sectors)
            "mcuboot.read-granularity": 1,
            // This replaces "target.restrict_size":
            "target.memory_bank_config": {
                "FLASH": {
                    "size": 0x20000
                }
            }
        }
    }
}

@lefebvresam
Copy link
Author

It looks like mcuboot don't know to start an encrypted image. And I did 'full' compiles by deleting the build folder first.

@zhiyong-ft
Copy link

zhiyong-ft commented Dec 22, 2024

mcuboot/scripts/imgtool.py sign -k signing-keys.pem --align 4 -v 1.2.3+4 --header-size 4096 --pad-header -S 0xC0000 -E enc_key_pub.pem --pad $HEX_APP_FILE signed.hex

Image for initial download shall NOT be encrypted. Encryption only applies to update image, to prevent them from being stolen during transportation or being stored in external devices such as SPIF or SD card. Remove `-E enc_key_pub.pem' and try again. I manually signed and encrypted images so I didn't notice this.

@multiplemonomials could you remove encryption from signing tool for initial image?

@lefebvresam
Copy link
Author

lefebvresam commented Dec 22, 2024

That looks better:

[INFO][BL]: Starting MCUboot
[INFO][MCUb]: Primary image: magic=bad, swap_type=0x0, copy_done=0x2, image_ok=0x2
[INFO][MCUb]: Scratch: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3
[INFO][MCUb]: Boot source: none
[INFO][MCUb]: Image index: 0, Swap type: none
[INFO][BL]: Booting firmware image at 0x8021000
[INFO][main]: Hello version 1.2.3+4
[INFO][main]: > Press button to erase secondary slot
[INFO][main]: Secondary BlockDevice inited
[INFO][main]: Erasing secondary BlockDevice...
[INFO][main]: Secondary BlockDevice erased
[INFO][main]: > Press button to copy update image to secondary BlockDevice
[INFO][main]: FlashIAPBlockDevice inited
[DBG ][main]: Copy chunk 0 at 0x00000
[DBG ][main]: Copy chunk 1 at 0x01000
[DBG ][main]: Copy chunk 2 at 0x02000
[DBG ][main]: Copy chunk 3 at 0x03000
[DBG ][main]: Copy chunk 4 at 0x04000
[DBG ][main]: Copy chunk 5 at 0x05000
[DBG ][main]: Copy chunk 6 at 0x06000
[DBG ][main]: Copy chunk 7 at 0x07000
[DBG ][main]: Copy chunk 8 at 0x08000
[DBG ][main]: Copy chunk 9 at 0x09000
[DBG ][main]: Copy chunk 10 at 0x0A000
[DBG ][main]: Copy chunk 11 at 0x0B000
[DBG ][main]: Copy chunk 12 at 0x0C000
[DBG ][main]: Copy chunk 13 at 0x0D000
[DBG ][main]: Copy chunk 14 at 0x0E000
[DBG ][main]: Copy chunk 15 at 0x0F000
[DBG ][main]: Copy chunk 16 at 0x10000
[DBG ][main]: Copy chunk 17 at 0x11000
[DBG ][main]: Copy chunk 18 at 0x12000
[INFO][main]: > Image copied to secondary BlockDevice, press button to activate
[INFO][main]: > Secondary image pending, reboot to update
[INFO][BL]: Starting MCUboot
[INFO][MCUb]: Primary image: magic=bad, swap_type=0x0, copy_done=0x2, image_ok=0x2
[INFO][MCUb]: Scratch: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3
[INFO][MCUb]: Boot source: none
[INFO][MCUb]: Image index: 0, Swap type: test
[INFO][MCUb]: Starting swap using scratch algorithm.
[INFO][BL]: Booting firmware image at 0x8021000
[INFO][main]: Hello version 1.2.3+5
[INFO][main]: Boot confirmed
[INFO][main]: > Press button to erase secondary slot
[INFO][main]: Secondary BlockDevice inited
[INFO][main]: Erasing secondary BlockDevice...
[INFO][main]: Secondary BlockDevice erased
[INFO][main]: > Update finished

I updated my demo project with:

Confirming the primary image is not necessary and gives an error:

    if(version.iv_build_num > 4) {
        ret = boot_set_confirmed();
        if (ret == 0) {
            tr_info("Boot confirmed");
        } else {
            tr_error("Failed to confirm boot: %d", ret);
        }
    }

Avoid endless loop:

if(version.iv_build_num > 4) goto end; // update finished

Do automatic reboot:

void mbed_reset() {
    fflush(stdout); // flush to kernel
    fsync(fileno(stdout)); // wait for kernel flush
    HAL_NVIC_SystemReset();
} 

I updated my two test projects:

[email protected]:saleconix/mcuboot_app.git
[email protected]:saleconix/mcuboot.git

@lefebvresam
Copy link
Author

What I do not understand is why you don't need to append application trailer TLV's in the update image during signing while they are a part of the secundary slot.

@lefebvresam
Copy link
Author

And also, how to protect against copycat? Can you still do mcuboot updates when you protect the flash for readout?

@zhiyong-ft
Copy link

zhiyong-ft commented Dec 22, 2024

What I do not understand is why you don't need to append application trailer TLV's in the update image during signing while they are a part of the secundary slot.

I didn't particularly look into this. My understanding is that this is mostly a workflow issue. Supposedly primary image will need to do some verification after acquiring/noticing the existence of image in secondary slot, then add necessary TLVs before handing it to bootloader.

I actually padded update image as well to work around some other issues. The caveat is that once reboot, bootloader will always try to upgrade. If the update image is not padded, primary application needs to call boot_set_pending() first before bootloader will try to upgrade.

But my understanding above is based on MCUBoot v1.8.0 and reading documentation from Mr. Beckstein's repo. In a later discussion with Mr. Smith, he mentioned that we shall/can use the same un-padded image for both initial download and upgrade, at least with the latest version of MCUBoot. So I might be wrong/out of dated. Please do some investigation and report back.

@zhiyong-ft
Copy link

zhiyong-ft commented Dec 22, 2024

And also, how to protect against copycat? Can you still do mcuboot updates when you protect the flash for readout?

That's what is encryption is for. Bootloader has a copy of private key, stored in enc_key.c, it will use this key to decrypt encrypted images in secondary slot. If a party acquires a copy of image encrypted by enc_key_pub.pem, they won't be able to make sense of it without corresponding private key.

@lefebvresam
Copy link
Author

What I do not understand is why you don't need to append application trailer TLV's in the update image during signing while they are a part of the secundary slot.

I didn't particularly look into this. My understanding is that this is mostly a workflow issue. Supposedly primary image will need to do some verification after acquiring/noticing the existence of image in secondary slot, then add necessary TLVs before handing it to bootloader.

I actually padded update image as well to work around some other issues. The caveat is that once reboot, bootloader will always try to upgrade. If the update image is not padded, primary application needs to call boot_set_pending() first before bootloader will try to upgrade.

Do you mean that primary image is adding some TLV's in the secundary slot after calling 'boot_set_pending'?

@lefebvresam
Copy link
Author

lefebvresam commented Dec 22, 2024

And also, how to protect against copycat? Can you still do mcuboot updates when you protect the flash for readout?

That's what is encryption is for. Bootloader has a copy of private key, stored in enc_key.c, it will use this key to decrypt encrypted images in secondary slot. If a party acquires a copy of encrypted image signed by enc_key_pub.pem, they won't be able to make sensor of it without corresponding private key.

So it means that the update image is deccrypted by the bootloader before it will be copied to the primary slot. So you need additional flash protection to protect against copy cat? (By using a programming device) And can you still write an update then?

@zhiyong-ft
Copy link

zhiyong-ft commented Dec 22, 2024

Do you mean that primary image is adding some TLV's in the secundary slot after calling 'boot_set_pending'?

That's my understanding. When I tested on DISCO_F746NG, without calling this function, bootloader will ignore image stored in secondary slot, even it is a newer version. I treat this as some kind of feature, because sometimes you do want user's input/approval and not just blindly update whatever image in the secondary slot.

@lefebvresam
Copy link
Author

And is there a way to allow only upgrade and not downgrade or do you need to program it by yourself in your application by using my new function to read-out image versions?

@zhiyong-ft
Copy link

So it means that the update image is deccrypted by the bootloader before it will be copied to the primary slot. So you need additional flash protection to protect against copy cat? (By using a programming device) And can you still write an update then?

MCUboot will decrypt encrypted image stored in secondary slot chunk by chunk before writing decrypted chunks into primary slot. There is some discussion about treatment of scratch/swap in the MCUboot documentation but I don't recall. For this and your other question, you will have to consult documentation of MCUboot. My understanding is once image chunk is decrypted and stored in primary slot, MCUboot will think it is secure and don't do anything about it. You will have to do something to prevent people from reading the entire internal flash through JTAG or similar.

@lefebvresam
Copy link
Author

@multiplemonomials the issue is in Mbed-CE itself. You are right that the linker script for F767 is either not updated or incorrect regarding to memory_bank_config. But as far as bootloader is concerned, it should be identical to F769, so I used the image built for F769 to get past that yesterday. I am having some trouble with S25FL256L flash, once I get past that, I will test encrypted image on F767. I will be surprised if encrypted image doesn't work on F767 while it works on F746, at least that is my test result.

The steps needed for encrypted images are:

  1. Extract private key into c format from private key (ideally from a different one other than signing key, otherwise both private key and public key(signing_keys.c in Mr. Beckstein's original port) reside in bootloader, this seems like a malpractice). This key was named as enc_key.c in Mr. Beckstein's repo. Apparent he made some progress on encrypted image.
  2. Extract public key into pem format from the same private key, probably can be called enc_key_pub.pem. I used openssl to do it, but the latest imgtool.py seems can do it too. This key will be used for encryption by imgtool.py as additional parameter like the following:
-E path/to/enc_key_pub.pem
  1. Enable image encryption by adding the following lines into mbed_app.json of bootloader application:
    "macros": [
        "MBEDTLS_CIPHER_MODE_CTR"
    ],
    // target_overrides:
    "mcuboot.encrypt-rsa": true,

This is probably unnecessary for primary application, because primary application only needs to call boot_set_confirmed() and 'boot_set_pending()`, both of which only deal with header/tlv portion of images that are not encrypted. But I tested with them added in primary application yesterday just to be safe.

See if you have time to test encrypted images. At this point, I think we have a feature complete bootloader for MBed-CE now, which is great news.

Wy this is needed?

MBEDTLS_CIPHER_MODE_CTR

It seems to work also when this is not present.

@zhiyong-ft
Copy link

Wy this is needed?

MBEDTLS_CIPHER_MODE_CTR

It seems to work also when this is not present.

This seems only needed for Mbed Studio/Mbed-OS + mcuboot v1.8.0. Without it, it will complain:

[Error] aes_ctr.h@69,12: use of undeclared identifier 'mbedtls_aes_crypt_ctr'

@lefebvresam
Copy link
Author

lefebvresam commented Dec 22, 2024

If you generate the keys with:

mcuboot/scripts/imgtool.py keygen -k signing_keys.pem -t rsa-2048

Do you get private and public key in one pem file?

Why do you have to provide both for siging while you only need public for encrypting?

mcuboot/scripts/imgtool.py sign -k signing_keys.pem --align 4 -v 1.2.3+5 --header-size 4096 --pad-header -S 0x13000 -E enc_key_pub.pem $HEX_APP_FILE signed-update.hex

@multiplemonomials
Copy link
Collaborator

multiplemonomials commented Dec 23, 2024

I think signing requires the private key while encrypting requires the public key

@lefebvresam
Copy link
Author

I think signing requires the private key while encrypting requires the public key

Yes but is signing_keys.pem not both?

@zhiyong-ft
Copy link

I think signing requires the private key while encrypting requires the public key

Yes but is signing_keys.pem not both?

The rational are two folds: 1) imgtool.py expects the file to contain only public key; 2) more importantly, we need to separate keys for signing and encryption.

@multiplemonomials did you remove encryption from post build script for initial image in your latest commit? I believe the problem you had was related to that.

@multiplemonomials
Copy link
Collaborator

I did remove encryption for the initial image. Only the update image is encrypted.

@multiplemonomials
Copy link
Collaborator

By the way, Zhiyong and Sam, do you guys have discord accounts? I'd like to invite you guys to our dev discord server. Might make these sorts of discussions easier!

@lefebvresam
Copy link
Author

lefebvresam commented Dec 31, 2024

I have one where I explained my project
In november I added json export and import and in december the bootloader.
Today I'm finding out a last issue where the update is not booted in my final application.
Product available on Robotshop

I wrote two test programs that I will close after new year.
They work perfectly and I used bash scripts to automate the siging process.
mcuboot
mucbootapp

Next year it is time to find new (paid) consultancy projects.
Best wishes for 2025.

@zhiyong-ft
Copy link

@multiplemonomials As a dinosaur I don't have a discord account yet but I have heard about it and can easily create one.

I stumbled upon this issue when investigating encrypted images. In a nutshell, --clear needs to be used when we prepare initial download images, otherwise during first firmware upgrade, an unencrypted image will be swapped into secondary slot from primary slot.

This is not mentioned in neither official documentation on imgtool nor in Mr. Becksteins port, but it is listed when --helpis passed toimgtool sign`:

  -c, --clear                     Output a non-encrypted image with encryption
                                  capabilities,so it can be installed in the
                                  primary slot, and encrypted when swapped to
                                  the secondary.

When you have a chance, could you include this into your auto signing script for initial image when path to an encryption key is provide? Changes are that it is not included yet because it is not mentioned in documentation. It creates a temporal security hole nonetheless.

@zhiyong-ft
Copy link

@multiplemonomials I just took a look at the cmake file to handle image encryption, I believe it needs to be something like the following:

  if(${IMAGE_TYPE} STREQUAL "update" AND "MCUBOOT_ENCRYPT_RSA=1" IN_LIST MBED_CONFIG_DEFINITIONS)
    set(IMGTOOL_EXTRA_ARGS --encrypt ${MCUBOOT_ENCRYPTION_KEY_ABSPATH})
  elseif(${IMAGE_TYPE} STREQUAL "initial" AND "MCUBOOT_ENCRYPT_RSA=1" IN_LIST MBED_CONFIG_DEFINITIONS)
    # If encryption is enabled, generate unencrypted initial image which supports encryption.
    # See https://github.com/mbed-ce/mbed-os/issues/401#issuecomment-2567099213
    set(IMGTOOL_EXTRA_ARGS --encrypt ${MCUBOOT_ENCRYPTION_KEY_ABSPATH} --clear)
  else()
    set(IMGTOOL_EXTRA_ARGS "")
  endif()

The above code doesn't work, but it conveys the message. Essentially once image encryption is enabled, we will always have to pass encryption key to imgtool, no matter whether it is initial or update image. The only difference is, we pass an extra --clear for initial image.

@multiplemonomials
Copy link
Collaborator

@zhiyong-ft That code looks good to me actually! Would you be able to open a PR on mcuboot with that change?

@zhiyong-ft
Copy link

@zhiyong-ft That code looks good to me actually! Would you be able to open a PR on mcuboot with that change?

I just took a second look. The problem is more than the extra tag. Assuming users passes a private RSA-2048 key for encryption, we will need to extract the public key, then use that key to actually encrypt image. Also there is the issue to extract public key from encryption key instead of signing key per recommendation by @utzig. Not sure if I am up to it, given that I am still learning the rope of CMake and all. But I will give it a try.

@multiplemonomials
Copy link
Collaborator

Thanks! And let me know if you have any CMake questions! If you have a discord account let me know and I will add ya to our server

@zhiyong-ft
Copy link

This is my newly created discord id: zhiyong_ft_74542. I will give it a try in the coming weeks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants