add emergency fallback test, currently fails due to #463
Conversation
jpbland1
force-pushed
the
bad-image-recovery
branch
from
ac45f22 to
f3f5eb7
Compare
jpbland1
force-pushed
the
bad-image-recovery
branch
from
5cc8667 to
6fb1230
Compare
src/update_flash.c
Outdated
| * we're updating or not */ | ||
| if (flag != SECT_FLAG_NEW) { | ||
| resume = 1; | ||
| if (cur_v < up_v && fallback_allowed == 1) { |
src/update_flash.c
Outdated
| if (updateRet || updateState != IMG_STATE_UPDATING) { | ||
| wolfBoot_update_trigger(); | ||
| if (resumedFinalErase != 0) { | ||
| if (bootRet == 0 && bootState == IMG_STATE_TESTING) { |
There was a problem hiding this comment.
nit: parenthesis ((bootRet == 0) && (bootState == IMG_STATE_TESTING))
src/update_flash.c
Outdated
| /* Check for new updates in the UPDATE partition or if we were | ||
| * interrupted during the flags setting */ | ||
| } | ||
| else if (updateRet == 0 && updateState == IMG_STATE_UPDATING) { |
src/update_flash.c
Outdated
| * header we can't determine the direction by version numbers. instead | ||
| * use the update partition state, updating means regular, new means | ||
| * reverting */ | ||
| if (stateRet == 0 && (flag != SECT_FLAG_NEW || cur_v == 0)) { |
There was a problem hiding this comment.
parenthesis around "==" conditions please
src/libwolfboot.c
Outdated
| /* Sanity check to prevent dereferencing unaligned half-words */ | ||
| if ((((size_t)p) & 0x01) != 0) { | ||
| if (*p == HDR_PADDING || (((size_t)p) & 0x01) != 0) { |
There was a problem hiding this comment.
nit: parenthesys around "==" conditions
|
@jpbland1 please work on cleaning up these minor issues and it will be ready for merge. |
jpbland1
force-pushed
the
bad-image-recovery
branch
from
dcd05fd to
a2e0008
Compare
include/wolfboot/wolfboot.h
Outdated
| @@ -257,16 +257,16 @@ extern "C" { | |||
| #ifndef WOLFBOOT_FLAGS_INVERT | |||
| #define IMG_STATE_NEW 0xFF | |||
| #define IMG_STATE_UPDATING 0x70 | |||
| #define IMG_STATE_FINAL_FLAGS 0x30 | |||
| #define IMG_STATE_FINAL_SWAP 0x30 | |||
There was a problem hiding this comment.
This value cannot be renamed because it will break customers. Either use the old name or add a new one.
jpbland1
force-pushed
the
bad-image-recovery
branch
2 times, most recently
from
26bc20b to
94848de
Compare
src/libwolfboot.c
Outdated
| /* Sanity check to prevent dereferencing unaligned half-words */ | ||
| if ((((size_t)p) & 0x01) != 0) { | ||
| if ((*p == HDR_PADDING) || ((((size_t)p) & 0x01) != 0)) { | ||
| /* Padding byte (skip one position) */ |
There was a problem hiding this comment.
Combing this logic is okay, but please update the comment. This is skipping a byte if its a padding byte or if its not an aligned half word.
| @@ -710,13 +708,7 @@ static void key_sha384(uint8_t key_slot, uint8_t *hash) | |||
| return; | |||
|
|
|||
| wc_InitSha384(&sha384_ctx); | |||
| while (i < (uint32_t)(pubkey_sz)) { | |||
There was a problem hiding this comment.
Why are you removing this logic? Guessing it is not required since the public key buffer is fully available? Is it possible that WOLFBOOT_SHA_BLOCK_SIZE might be useful for other reasons?
There was a problem hiding this comment.
wolfCrypts internal logic already loops over in the correct block size increments, the keybuffer is fully available so it's just wasted code size
There was a problem hiding this comment.
This is a different block size value. This is used to break the SHA processing into smaller chunks. This is typically used when the value being hashed comes from flash. This would read (by default) 128 bytes at a time.
There was a problem hiding this comment.
good to know, then it's almost certainly being re-adjusted by
if ((i + blksz) > (uint32_t)pubkey_sz)
blksz = pubkey_sz - i;
for ed and ecc keys, maybe rsa has bigger keys but in any case the entire key is still available and wc_Sha384Update can handle it all in a single function call
There was a problem hiding this comment.
I agree and I am okay removing this logic. Please make sure you do it consistently for the other algorithms too.
There was a problem hiding this comment.
No fun! I wanted to make an intern do that
| { | ||
| hal_flash_erase(addr_write, NVM_CACHE_SIZE); | ||
| } | ||
| /* Ensure that the destination was erased */ |
There was a problem hiding this comment.
Are you sure always doing the erase of the trailing here (vs conditional before) is the right assumption?
There was a problem hiding this comment.
this was part of code size reduction, worst case scenario from the old code we call erase on an already erased sector
src/update_flash.c
Outdated
| uint8_t st; | ||
| int eraseLen = WOLFBOOT_SECTOR_SIZE | ||
| #ifdef NVM_FLASH_WRITEONCE | ||
| /* need to erase the redundant sector too */ |
There was a problem hiding this comment.
Comment indent should match code below.
| st = IMG_STATE_TESTING; | ||
| wolfBoot_set_partition_state(PART_BOOT, st); | ||
| /* start re-entrant final erase */ | ||
| wolfBoot_swap_and_final_erase(0); |
There was a problem hiding this comment.
Why is the return code not checked?
There was a problem hiding this comment.
return code is only to tell wolfBoot_start if the final swap was resumed or not
There was a problem hiding this comment.
Then please document this in the code at this line.... why we don't need to check the return code.
| @@ -52,6 +52,9 @@ int do_cmd(const char *cmd) | |||
| if (strcmp(cmd, "powerfail") == 0) { | |||
| return 1; | |||
| } | |||
| if (strcmp(cmd, "emergency") == 0) { | |||
There was a problem hiding this comment.
Please update documentation for Sim to explain "emergency"
| @@ -194,6 +194,91 @@ static int RAMFUNCTION wolfBoot_copy_sector(struct wolfBoot_image *src, | |||
| return pos; | |||
| } | |||
|
|
|||
| static int wolfBoot_swap_and_final_erase(int resume) | |||
There was a problem hiding this comment.
Is this function always needed? Should it be wrapped with #ifndef DISABLE_BACKUP?
There was a problem hiding this comment.
I had thought it was never called for DISABLE_BACKUP but it's also called in wolfBoot_start, good point
tools/test.mk
Outdated
| @@ -977,29 +977,29 @@ test-all: clean | |||
|
|
|||
|
|
|||
| test-size-all: | |||
| make test-size SIGN=NONE LIMIT=4776 | |||
| make test-size SIGN=NONE LIMIT=4917 | |||
There was a problem hiding this comment.
Are these the actual increased values? Would you like me to recompute updated actuals? On my Ubuntu 24 box I can reproduce the values that match GitHub CI.
emergency fallback test
jpbland1
force-pushed
the
bad-image-recovery
branch
from
61e6f5a to
6c3940f
Compare
the sector flags needing to be reset by update trigger