You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
987 lines
32 KiB
987 lines
32 KiB
/**
|
|
* Copyright (c) 2017 - 2021, Nordic Semiconductor ASA
|
|
*
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without modification,
|
|
* are permitted provided that the following conditions are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright notice, this
|
|
* list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form, except as embedded into a Nordic
|
|
* Semiconductor ASA integrated circuit in a product or a software update for
|
|
* such product, must reproduce the above copyright notice, this list of
|
|
* conditions and the following disclaimer in the documentation and/or other
|
|
* materials provided with the distribution.
|
|
*
|
|
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
|
|
* contributors may be used to endorse or promote products derived from this
|
|
* software without specific prior written permission.
|
|
*
|
|
* 4. This software, with or without modification, must only be used with a
|
|
* Nordic Semiconductor ASA integrated circuit.
|
|
*
|
|
* 5. Any software provided in binary form under this license must not be reverse
|
|
* engineered, decompiled, modified and/or disassembled.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
|
|
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
|
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
|
|
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
|
|
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*
|
|
*/
|
|
#include <stdbool.h>
|
|
#include "nrf_dfu_types.h"
|
|
#include "nrf_dfu_settings.h"
|
|
#include "nrf_dfu_utils.h"
|
|
#include "nrf_dfu_flash.h"
|
|
#include "nrf_bootloader_info.h"
|
|
#include "pb.h"
|
|
#include "pb_common.h"
|
|
#include "pb_decode.h"
|
|
#include "dfu-cc.pb.h"
|
|
#include "crc32.h"
|
|
#include "nrf_assert.h"
|
|
#include "nrf_dfu_validation.h"
|
|
#include "nrf_dfu_ver_validation.h"
|
|
#include "nrf_strerror.h"
|
|
|
|
#include "blake2s.h"
|
|
#include "ed25519-donna/ed25519.h"
|
|
#include "secbool.h"
|
|
|
|
|
|
#define NRF_LOG_MODULE_NAME nrf_dfu_validation
|
|
#include "nrf_log.h"
|
|
#include "nrf_log_ctrl.h"
|
|
NRF_LOG_MODULE_REGISTER();
|
|
|
|
#ifndef DFU_REQUIRES_SOFTDEVICE
|
|
#if !defined(BLE_STACK_SUPPORT_REQD) && !defined(ANT_STACK_SUPPORT_REQD)
|
|
#define DFU_REQUIRES_SOFTDEVICE 0
|
|
#else
|
|
#define DFU_REQUIRES_SOFTDEVICE 1
|
|
#endif
|
|
#endif
|
|
|
|
#define EXT_ERR(err) (nrf_dfu_result_t)((uint32_t)NRF_DFU_RES_CODE_EXT_ERROR + (uint32_t)err)
|
|
|
|
/* Whether a complete init command has been received and prevalidated, but the firmware
|
|
* is not yet fully transferred. This value will also be correct after reset.
|
|
*/
|
|
static bool m_valid_init_cmd_present = false;
|
|
static dfu_Packet m_packet = dfu_Packet_init_default;
|
|
static uint8_t* m_init_packet_data_ptr = 0;
|
|
static uint32_t m_init_packet_data_len = 0;
|
|
static pb_istream_t m_pb_stream;
|
|
|
|
static dfu_InitCommand const * mp_init = NULL;
|
|
|
|
extern const uint8_t NRF_BOOTLOADER_KEY_M;
|
|
extern const uint8_t NRF_BOOTLOADER_KEY_N;
|
|
extern const uint8_t * const NRF_BOOTLOADER_KEYS[];
|
|
|
|
|
|
/** @brief Flag used by parser code to indicate that the init command has been found to be invalid.
|
|
*/
|
|
static bool m_init_packet_valid = false;
|
|
//
|
|
//static void pb_decoding_callback(pb_istream_t *str,
|
|
// uint32_t tag,
|
|
// pb_wire_type_t wire_type,
|
|
// void *iter)
|
|
//{
|
|
// pb_field_iter_t* p_iter = (pb_field_iter_t *) iter;
|
|
//
|
|
// // Match the beginning of the init command.
|
|
// if (p_iter->pos->ptr == &dfu_init_command_fields[0])
|
|
// {
|
|
// uint8_t * ptr = (uint8_t *)str->state;
|
|
// uint32_t size = str->bytes_left;
|
|
//
|
|
// if (m_init_packet_data_ptr != NULL || m_init_packet_data_len != 0)
|
|
// {
|
|
// m_init_packet_valid = false;
|
|
// return;
|
|
// }
|
|
//
|
|
// // Remove tag.
|
|
// while (*ptr & 0x80)
|
|
// {
|
|
// ptr++;
|
|
// size--;
|
|
// }
|
|
// ptr++;
|
|
// size--;
|
|
//
|
|
// // Store the info in init_packet_data.
|
|
// m_init_packet_data_ptr = ptr;
|
|
// m_init_packet_data_len = size;
|
|
// m_init_packet_valid = true;
|
|
//
|
|
// NRF_LOG_DEBUG("PB: Init packet data len: %d", size);
|
|
// }
|
|
//}
|
|
|
|
/** @brief Function for decoding byte stream into variable.
|
|
*
|
|
* @retval true If the stored init command was successfully decoded.
|
|
* @retval false If there was no stored init command, or the decoding failed.
|
|
*/
|
|
static bool stored_init_cmd_decode(void)
|
|
{
|
|
m_pb_stream = pb_istream_from_buffer(s_dfu_settings.init_command,
|
|
s_dfu_settings.progress.command_size);
|
|
|
|
dfu_InitCommand * p_init;
|
|
|
|
// Attach our callback to follow the field decoding.
|
|
//m_pb_stream.decoding_callback = pb_decoding_callback;
|
|
|
|
m_init_packet_valid = false;
|
|
m_init_packet_data_ptr = NULL;
|
|
m_init_packet_data_len = 0;
|
|
memset(&m_packet, 0, sizeof(m_packet));
|
|
|
|
if (!pb_decode(&m_pb_stream, dfu_Packet_fields, &m_packet))
|
|
{
|
|
NRF_LOG_ERROR("Handler: Invalid protocol buffer m_pb_stream");
|
|
return false;
|
|
}
|
|
|
|
if (m_packet.has_signed_command && m_packet.has_command)
|
|
{
|
|
NRF_LOG_ERROR("Handler: Invalid init command.");
|
|
return false;
|
|
}
|
|
|
|
if (m_packet.has_signed_command) {
|
|
//TODO: this is where signed init command is stored, but is it guaranteed to be there always?
|
|
// pb_decoding_callback was meant to find it, how to do that without nanopb modifications?
|
|
m_init_packet_data_ptr = &s_dfu_settings.init_command[11];
|
|
m_init_packet_data_len = 128;
|
|
m_init_packet_valid = true;
|
|
}
|
|
|
|
if (!m_init_packet_valid || (m_packet.has_signed_command && m_packet.has_command))
|
|
{
|
|
NRF_LOG_ERROR("Handler: Invalid init command.");
|
|
return false;
|
|
}
|
|
else if (m_packet.has_signed_command && m_packet.signed_command.command.has_init)
|
|
{
|
|
p_init = &m_packet.signed_command.command.init;
|
|
|
|
m_pb_stream = pb_istream_from_buffer(m_init_packet_data_ptr, m_init_packet_data_len);
|
|
memset(p_init, 0, sizeof(dfu_InitCommand));
|
|
|
|
if (!pb_decode(&m_pb_stream, dfu_InitCommand_fields, p_init))
|
|
{
|
|
NRF_LOG_ERROR("Handler: Invalid protocol buffer m_pb_stream (init command)");
|
|
return false;
|
|
}
|
|
}
|
|
else if (m_packet.has_command && m_packet.command.has_init)
|
|
{
|
|
p_init = &m_packet.command.init;
|
|
}
|
|
else
|
|
{
|
|
return false;
|
|
}
|
|
|
|
mp_init = p_init;
|
|
|
|
return true;
|
|
}
|
|
|
|
void nrf_dfu_validation_init(void)
|
|
{
|
|
// If the command is stored to flash, init command was valid.
|
|
if ((s_dfu_settings.progress.command_size != 0) &&
|
|
stored_init_cmd_decode())
|
|
{
|
|
m_valid_init_cmd_present = true;
|
|
}
|
|
else
|
|
{
|
|
m_valid_init_cmd_present = false;
|
|
}
|
|
}
|
|
|
|
|
|
nrf_dfu_result_t nrf_dfu_validation_init_cmd_create(uint32_t size)
|
|
{
|
|
nrf_dfu_result_t ret_val = NRF_DFU_RES_CODE_SUCCESS;
|
|
if (size == 0)
|
|
{
|
|
ret_val = NRF_DFU_RES_CODE_INVALID_PARAMETER;
|
|
}
|
|
else if (size > INIT_COMMAND_MAX_SIZE)
|
|
{
|
|
ret_val = NRF_DFU_RES_CODE_INSUFFICIENT_RESOURCES;
|
|
}
|
|
else
|
|
{
|
|
// Set DFU to uninitialized.
|
|
m_valid_init_cmd_present = false;
|
|
|
|
// Reset all progress.
|
|
nrf_dfu_settings_progress_reset();
|
|
|
|
// Set the init command size.
|
|
s_dfu_settings.progress.command_size = size;
|
|
}
|
|
return ret_val;
|
|
}
|
|
|
|
|
|
nrf_dfu_result_t nrf_dfu_validation_init_cmd_append(uint8_t const * p_data, uint32_t length)
|
|
{
|
|
nrf_dfu_result_t ret_val = NRF_DFU_RES_CODE_SUCCESS;
|
|
if ((length + s_dfu_settings.progress.command_offset) > s_dfu_settings.progress.command_size)
|
|
{
|
|
NRF_LOG_ERROR("Init command larger than expected.");
|
|
ret_val = NRF_DFU_RES_CODE_INVALID_PARAMETER;
|
|
}
|
|
else
|
|
{
|
|
// Copy the received data to RAM, update offset and calculate CRC.
|
|
memcpy(&s_dfu_settings.init_command[s_dfu_settings.progress.command_offset],
|
|
p_data,
|
|
length);
|
|
|
|
s_dfu_settings.progress.command_offset += length;
|
|
s_dfu_settings.progress.command_crc = crc32_compute(p_data,
|
|
length,
|
|
&s_dfu_settings.progress.command_crc);
|
|
}
|
|
return ret_val;
|
|
}
|
|
|
|
|
|
void nrf_dfu_validation_init_cmd_status_get(uint32_t * p_offset,
|
|
uint32_t * p_crc,
|
|
uint32_t * p_max_size)
|
|
{
|
|
*p_offset = s_dfu_settings.progress.command_offset;
|
|
*p_crc = s_dfu_settings.progress.command_crc;
|
|
*p_max_size = INIT_COMMAND_MAX_SIZE;
|
|
}
|
|
|
|
|
|
bool nrf_dfu_validation_init_cmd_present(void)
|
|
{
|
|
return m_valid_init_cmd_present;
|
|
}
|
|
|
|
|
|
// Function determines if init command signature is obligatory.
|
|
static bool signature_required(dfu_FwType fw_type_to_be_updated)
|
|
{
|
|
bool result = true;
|
|
|
|
// DFU_FW_TYPE_EXTERNAL_APPLICATION and bootloader updates always require
|
|
// signature check
|
|
if ((!DFU_REQUIRES_SOFTDEVICE && (fw_type_to_be_updated == dfu_FwType_SOFTDEVICE)) ||
|
|
(fw_type_to_be_updated == dfu_FwType_APPLICATION))
|
|
{
|
|
result = NRF_DFU_REQUIRE_SIGNED_APP_UPDATE;
|
|
}
|
|
return result;
|
|
}
|
|
|
|
static secbool compute_pubkey(uint8_t sig_m, uint8_t sig_n,
|
|
const uint8_t *const *pub, uint8_t sigmask,
|
|
ed25519_public_key res) {
|
|
if (0 == sig_m || 0 == sig_n) return secfalse;
|
|
if (sig_m > sig_n) return secfalse;
|
|
|
|
// discard bits higher than sig_n
|
|
sigmask &= ((1 << sig_n) - 1);
|
|
|
|
// remove if number of set bits in sigmask is not equal to sig_m
|
|
if (__builtin_popcount(sigmask) != sig_m) return secfalse;
|
|
|
|
ed25519_public_key keys[sig_m];
|
|
int j = 0;
|
|
for (int i = 0; i < sig_n; i++) {
|
|
if ((1 << i) & sigmask) {
|
|
memcpy(keys[j], pub[i], 32);
|
|
j++;
|
|
}
|
|
}
|
|
|
|
return sectrue * (0 == ed25519_cosi_combine_publickeys(res, keys, sig_m));
|
|
}
|
|
|
|
secbool check_trezor_sig(const uint8_t * digest,
|
|
size_t digest_len,
|
|
uint8_t key_m,
|
|
uint8_t key_n,
|
|
uint8_t sigmask,
|
|
const uint8_t *const *keys,
|
|
uint8_t * sig) {
|
|
// check header signature
|
|
|
|
|
|
ed25519_public_key pub;
|
|
if (sectrue != compute_pubkey(key_m, key_n, keys, sigmask, pub))
|
|
return secfalse;
|
|
|
|
return sectrue *
|
|
(0 == ed25519_sign_open(digest, digest_len, pub,
|
|
sig));
|
|
}
|
|
|
|
|
|
// Function to perform signature check if required.
|
|
static nrf_dfu_result_t nrf_dfu_validation_signature_check(uint32_t sigmask,
|
|
uint8_t const * p_signature,
|
|
uint32_t signature_len,
|
|
uint8_t const * p_data,
|
|
uint32_t data_len)
|
|
{
|
|
ret_code_t err_code = NRF_SUCCESS;
|
|
|
|
uint8_t hash_digest[BLAKE2S_DIGEST_LENGTH];
|
|
uint8_t signature[64];
|
|
|
|
NRF_LOG_INFO("Signature required. Checking signature.")
|
|
if (p_signature == NULL)
|
|
{
|
|
NRF_LOG_WARNING("No signature found.");
|
|
return EXT_ERR(NRF_DFU_EXT_ERROR_SIGNATURE_MISSING);
|
|
}
|
|
|
|
|
|
NRF_LOG_INFO("Calculating hash (len: %d)", data_len);
|
|
|
|
blake2s(p_data, data_len, hash_digest, BLAKE2S_DIGEST_LENGTH);
|
|
|
|
|
|
if (sizeof(signature) != signature_len)
|
|
{
|
|
return NRF_DFU_RES_CODE_OPERATION_FAILED;
|
|
}
|
|
|
|
// Prepare the signature received over the air.
|
|
memcpy(signature, p_signature, signature_len);
|
|
|
|
// Calculate the signature.
|
|
NRF_LOG_INFO("Verify signature");
|
|
|
|
if (sectrue != check_trezor_sig(hash_digest, BLAKE2S_DIGEST_LENGTH, NRF_BOOTLOADER_KEY_M, NRF_BOOTLOADER_KEY_N, sigmask, NRF_BOOTLOADER_KEYS, signature)){
|
|
NRF_LOG_ERROR("Signature failed");
|
|
err_code = NRF_DFU_ERROR_INVALID_SIGNATURE;
|
|
}
|
|
|
|
if (err_code != NRF_SUCCESS)
|
|
{
|
|
NRF_LOG_ERROR("Signature failed (err_code: 0x%x)", err_code);
|
|
NRF_LOG_DEBUG("Signature:");
|
|
NRF_LOG_HEXDUMP_DEBUG(signature, sizeof(signature));
|
|
NRF_LOG_DEBUG("Hash:");
|
|
NRF_LOG_HEXDUMP_DEBUG(hash_digest, BLAKE2S_DIGEST_LENGTH);
|
|
NRF_LOG_FLUSH();
|
|
|
|
return NRF_DFU_RES_CODE_INVALID_OBJECT;
|
|
}
|
|
|
|
NRF_LOG_INFO("Image verified");
|
|
return NRF_DFU_RES_CODE_SUCCESS;
|
|
}
|
|
|
|
|
|
// Function to calculate the total size of the firmware(s) in the update.
|
|
static nrf_dfu_result_t update_data_size_get(dfu_InitCommand const * p_init, uint32_t * p_size)
|
|
{
|
|
nrf_dfu_result_t ret_val = EXT_ERR(NRF_DFU_EXT_ERROR_INIT_COMMAND_INVALID);
|
|
uint32_t fw_sz = 0;
|
|
|
|
if ((p_init->type == dfu_FwType_APPLICATION ||
|
|
p_init->type == dfu_FwType_EXTERNAL_APPLICATION) &&
|
|
(p_init->has_app_size == true))
|
|
{
|
|
fw_sz = p_init->app_size;
|
|
}
|
|
else
|
|
{
|
|
if ((p_init->type & dfu_FwType_SOFTDEVICE) && (p_init->has_sd_size == true))
|
|
{
|
|
fw_sz = p_init->sd_size;
|
|
}
|
|
|
|
if ((p_init->type & dfu_FwType_BOOTLOADER) && (p_init->has_bl_size == true))
|
|
{
|
|
if (p_init->bl_size <= BOOTLOADER_SIZE)
|
|
{
|
|
fw_sz += p_init->bl_size;
|
|
}
|
|
else
|
|
{
|
|
NRF_LOG_ERROR("BL size (%d) over limit (%d)", p_init->bl_size, BOOTLOADER_SIZE);
|
|
fw_sz = 0;
|
|
ret_val = NRF_DFU_RES_CODE_INSUFFICIENT_RESOURCES;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (fw_sz)
|
|
{
|
|
*p_size = fw_sz;
|
|
ret_val = NRF_DFU_RES_CODE_SUCCESS;
|
|
}
|
|
else
|
|
{
|
|
NRF_LOG_ERROR("Init packet does not contain valid firmware size");
|
|
}
|
|
|
|
return ret_val;
|
|
}
|
|
|
|
|
|
/**
|
|
* @brief Function to check if single bank update should be used.
|
|
*
|
|
* @param new_fw_type Firmware type.
|
|
*/
|
|
static bool use_single_bank(dfu_FwType new_fw_type)
|
|
{
|
|
bool result = false;
|
|
|
|
// DFU_FW_TYPE_EXTERNAL_APPLICATION never uses single bank
|
|
if (((new_fw_type == dfu_FwType_APPLICATION) ||
|
|
(new_fw_type == dfu_FwType_SOFTDEVICE)) &&
|
|
NRF_DFU_SINGLE_BANK_APP_UPDATES)
|
|
{
|
|
result = true;
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
|
|
// Function to determine whether the new firmware needs a SoftDevice to be present.
|
|
static bool update_requires_softdevice(dfu_InitCommand const * p_init)
|
|
{
|
|
return ((p_init->sd_req_count > 0) && (p_init->sd_req[0] != SD_REQ_APP_OVERWRITES_SD));
|
|
}
|
|
|
|
|
|
// Function to determine whether the SoftDevice can be removed during the update or not.
|
|
static bool keep_softdevice(dfu_InitCommand const * p_init)
|
|
{
|
|
UNUSED_PARAMETER(p_init); // It's unused when DFU_REQUIRES_SOFTDEVICE is true.
|
|
return DFU_REQUIRES_SOFTDEVICE || update_requires_softdevice(p_init);
|
|
}
|
|
|
|
|
|
/**@brief Function to determine where to temporarily store the incoming firmware.
|
|
* This also checks whether the update will fit, and deletes existing
|
|
* firmware to make room for the new firmware.
|
|
*
|
|
* @param[in] p_init Init command.
|
|
* @param[in] fw_size The size of the incoming firmware.
|
|
* @param[out] p_addr The address at which to initially store the firmware.
|
|
*
|
|
* @retval NRF_DFU_RES_CODE_SUCCESS If the size check passed and
|
|
* an address was found.
|
|
* @retval NRF_DFU_RES_CODE_INSUFFICIENT_RESOURCES If the size check failed.
|
|
*/
|
|
static nrf_dfu_result_t update_data_addr_get(dfu_InitCommand const * p_init,
|
|
uint32_t fw_size,
|
|
uint32_t * p_addr)
|
|
{
|
|
nrf_dfu_result_t ret_val = NRF_DFU_RES_CODE_SUCCESS;
|
|
ret_code_t err_code = nrf_dfu_cache_prepare(fw_size,
|
|
use_single_bank(p_init->type),
|
|
NRF_DFU_FORCE_DUAL_BANK_APP_UPDATES,
|
|
keep_softdevice(p_init));
|
|
if (err_code != NRF_SUCCESS)
|
|
{
|
|
NRF_LOG_ERROR("Can't find room for update");
|
|
ret_val = NRF_DFU_RES_CODE_INSUFFICIENT_RESOURCES;
|
|
}
|
|
else
|
|
{
|
|
*p_addr = nrf_dfu_bank1_start_addr();
|
|
NRF_LOG_DEBUG("Write address set to 0x%08x", *p_addr);
|
|
}
|
|
return ret_val;
|
|
}
|
|
|
|
|
|
nrf_dfu_result_t nrf_dfu_validation_prevalidate(void)
|
|
{
|
|
nrf_dfu_result_t ret_val = NRF_DFU_RES_CODE_SUCCESS;
|
|
dfu_Command const * p_command = &m_packet.command;
|
|
uint32_t sigmask = 0;
|
|
uint8_t const * p_signature = NULL;
|
|
uint32_t signature_len = 0;
|
|
|
|
if (m_packet.has_signed_command)
|
|
{
|
|
p_command = &m_packet.signed_command.command;
|
|
sigmask = m_packet.signed_command.sigmask;
|
|
p_signature = m_packet.signed_command.signature.bytes;
|
|
signature_len = m_packet.signed_command.signature.size;
|
|
}
|
|
|
|
// Validate signature.
|
|
if (signature_required(p_command->init.type))
|
|
{
|
|
ret_val = nrf_dfu_validation_signature_check(sigmask,
|
|
p_signature,
|
|
signature_len,
|
|
m_init_packet_data_ptr,
|
|
m_init_packet_data_len);
|
|
}
|
|
|
|
// Validate versions.
|
|
if (ret_val == NRF_DFU_RES_CODE_SUCCESS)
|
|
{
|
|
ret_val = nrf_dfu_ver_validation_check(&p_command->init);
|
|
}
|
|
|
|
if (ret_val != NRF_DFU_RES_CODE_SUCCESS)
|
|
{
|
|
NRF_LOG_WARNING("Prevalidation failed.");
|
|
NRF_LOG_DEBUG("Init command:");
|
|
NRF_LOG_HEXDUMP_DEBUG(m_init_packet_data_ptr, m_init_packet_data_len);
|
|
}
|
|
|
|
return ret_val;
|
|
}
|
|
|
|
|
|
nrf_dfu_result_t nrf_dfu_validation_init_cmd_execute(uint32_t * p_dst_data_addr,
|
|
uint32_t * p_data_len)
|
|
{
|
|
nrf_dfu_result_t ret_val = NRF_DFU_RES_CODE_SUCCESS;
|
|
|
|
if (s_dfu_settings.progress.command_offset != s_dfu_settings.progress.command_size)
|
|
{
|
|
// The object wasn't the right (requested) size.
|
|
NRF_LOG_ERROR("Execute with faulty offset");
|
|
ret_val = NRF_DFU_RES_CODE_OPERATION_NOT_PERMITTED;
|
|
}
|
|
else if (m_valid_init_cmd_present)
|
|
{
|
|
*p_dst_data_addr = nrf_dfu_bank1_start_addr();
|
|
ret_val = update_data_size_get(mp_init, p_data_len);
|
|
}
|
|
else if (stored_init_cmd_decode())
|
|
{
|
|
// Will only get here if init command was received since last reset.
|
|
// An init command should not be written to flash until after it's been checked here.
|
|
ret_val = nrf_dfu_validation_prevalidate();
|
|
|
|
*p_dst_data_addr = 0;
|
|
*p_data_len = 0;
|
|
|
|
// Get size of binary.
|
|
if (ret_val == NRF_DFU_RES_CODE_SUCCESS)
|
|
{
|
|
ret_val = update_data_size_get(mp_init, p_data_len);
|
|
}
|
|
|
|
// Get address where to flash the binary.
|
|
if (ret_val == NRF_DFU_RES_CODE_SUCCESS)
|
|
{
|
|
ret_val = update_data_addr_get(mp_init, *p_data_len, p_dst_data_addr);
|
|
}
|
|
|
|
// Set flag validating the init command.
|
|
if (ret_val == NRF_DFU_RES_CODE_SUCCESS)
|
|
{
|
|
m_valid_init_cmd_present = true;
|
|
}
|
|
else
|
|
{
|
|
nrf_dfu_settings_progress_reset();
|
|
}
|
|
}
|
|
else
|
|
{
|
|
NRF_LOG_ERROR("Failed to decode init packet");
|
|
ret_val = NRF_DFU_RES_CODE_INVALID_OBJECT;
|
|
}
|
|
|
|
return ret_val;
|
|
}
|
|
|
|
|
|
// Function to check the hash received in the init command against the received firmware.
|
|
// little_endian specifies the endianness of @p p_hash.
|
|
static bool nrf_dfu_validation_hash_ok(uint8_t const * p_hash, uint32_t src_addr, uint32_t data_len)
|
|
{
|
|
bool result = true;
|
|
uint8_t hash[BLAKE2S_DIGEST_LENGTH];
|
|
|
|
|
|
NRF_LOG_DEBUG("Hash verification. start address: 0x%x, size: 0x%x",
|
|
src_addr,
|
|
data_len);
|
|
|
|
blake2s( (uint8_t*)src_addr, data_len, hash, BLAKE2S_DIGEST_LENGTH);
|
|
|
|
if (memcmp(hash, p_hash, BLAKE2S_DIGEST_LENGTH) != 0)
|
|
{
|
|
NRF_LOG_WARNING("Hash verification failed.");
|
|
NRF_LOG_DEBUG("Expected FW hash:")
|
|
NRF_LOG_HEXDUMP_DEBUG(p_hash, BLAKE2S_DIGEST_LENGTH);
|
|
NRF_LOG_DEBUG("Actual FW hash:")
|
|
NRF_LOG_HEXDUMP_DEBUG(hash, BLAKE2S_DIGEST_LENGTH);
|
|
NRF_LOG_FLUSH();
|
|
|
|
result = false;
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
|
|
// Function to check the hash received in the init command against the received firmware.
|
|
bool fw_hash_ok(dfu_InitCommand const * p_init, uint32_t fw_start_addr, uint32_t fw_size)
|
|
{
|
|
ASSERT(p_init != NULL);
|
|
return nrf_dfu_validation_hash_ok((uint8_t *)p_init->hash.hash.bytes, fw_start_addr, fw_size);
|
|
}
|
|
|
|
|
|
// Function to check whether the update contains a SoftDevice and, if so, if it is of a different
|
|
// major version than the existing SoftDevice.
|
|
static bool is_major_softdevice_update(uint32_t new_sd_addr)
|
|
{
|
|
// True if there is no SD right now, but there is a new one coming. This counts as a major update.
|
|
bool result = !SD_PRESENT && (SD_MAGIC_NUMBER_GET(new_sd_addr) == SD_MAGIC_NUMBER);
|
|
|
|
if (SD_PRESENT && (SD_MAGIC_NUMBER_GET(new_sd_addr) == SD_MAGIC_NUMBER))
|
|
{
|
|
// Both SoftDevices are present.
|
|
uint32_t current_SD_major = SD_MAJOR_VERSION_EXTRACT(SD_VERSION_GET(MBR_SIZE));
|
|
uint32_t new_SD_major = SD_MAJOR_VERSION_EXTRACT(SD_VERSION_GET(new_sd_addr));
|
|
|
|
result = (current_SD_major != new_SD_major);
|
|
|
|
NRF_LOG_INFO("SoftDevice update is a %s version update. Current: %d. New: %d.",
|
|
result ? "major" : "minor",
|
|
current_SD_major,
|
|
new_SD_major);
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
|
|
/**@brief Validate the SoftDevice size and magic number in structure found at 0x2000 in received SoftDevice.
|
|
*
|
|
* @param[in] sd_start_addr Start address of received SoftDevice.
|
|
* @param[in] sd_size Size of received SoftDevice in bytes.
|
|
*/
|
|
static bool softdevice_info_ok(uint32_t sd_start_addr, uint32_t sd_size)
|
|
{
|
|
bool result = true;
|
|
|
|
if (SD_MAGIC_NUMBER_GET(sd_start_addr) != SD_MAGIC_NUMBER)
|
|
{
|
|
NRF_LOG_ERROR("The SoftDevice does not contain the magic number identifying it as a SoftDevice.");
|
|
result = false;
|
|
}
|
|
else if (SD_SIZE_GET(sd_start_addr) < ALIGN_TO_PAGE(sd_size + MBR_SIZE))
|
|
{
|
|
// The size in the info struct should be rounded up to a page boundary
|
|
// and be larger than the actual size + the size of the MBR.
|
|
NRF_LOG_ERROR("The SoftDevice size in the info struct is too small compared with the size reported in the init command.");
|
|
result = false;
|
|
}
|
|
else if (SD_PRESENT && (SD_ID_GET(MBR_SIZE) != SD_ID_GET(sd_start_addr)))
|
|
{
|
|
NRF_LOG_ERROR("The new SoftDevice is of a different family than the present SoftDevice. Compatibility cannot be guaranteed.");
|
|
result = false;
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
|
|
static bool boot_validation_extract(boot_validation_t * p_boot_validation,
|
|
dfu_InitCommand const * p_init,
|
|
uint32_t index,
|
|
uint32_t start_addr,
|
|
uint32_t data_len,
|
|
boot_validation_type_t default_type)
|
|
{
|
|
memset(p_boot_validation, 0, sizeof(boot_validation_t));
|
|
p_boot_validation->sigmask = (boot_validation_type_t)p_init->boot_validation[index].sigmask;
|
|
|
|
memcpy(p_boot_validation->bytes, p_init->boot_validation[index].bytes.bytes, p_init->boot_validation[index].bytes.size);
|
|
|
|
if (default_type == NO_VALIDATION) {
|
|
return true;
|
|
}
|
|
|
|
return nrf_dfu_validation_boot_validate(p_boot_validation, start_addr, data_len);
|
|
}
|
|
|
|
|
|
// The is_trusted argument specifies whether the function should have side effects.
|
|
static bool postvalidate_app(dfu_InitCommand const * p_init, uint32_t src_addr, uint32_t data_len, bool is_trusted)
|
|
{
|
|
boot_validation_t boot_validation;
|
|
|
|
ASSERT(p_init->type == dfu_FwType_APPLICATION);
|
|
|
|
if (!boot_validation_extract(&boot_validation, p_init, 0, src_addr, data_len, VALIDATE_ECDSA_P256_SHA256))
|
|
{
|
|
return false;
|
|
}
|
|
//#if !NRF_DFU_IN_APP
|
|
// else if (NRF_BL_APP_SIGNATURE_CHECK_REQUIRED &&
|
|
// (boot_validation.type != VALIDATE_ECDSA_P256_SHA256))
|
|
// {
|
|
// NRF_LOG_WARNING("The boot validation of the app must be a signature check.");
|
|
// return false;
|
|
// }
|
|
//#endif
|
|
|
|
if (!is_trusted)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
memcpy(&s_dfu_settings.boot_validation_app, &boot_validation, sizeof(boot_validation));
|
|
|
|
s_dfu_settings.bank_1.bank_code = NRF_DFU_BANK_VALID_APP;
|
|
|
|
NRF_LOG_DEBUG("Invalidating old application in bank 0.");
|
|
s_dfu_settings.bank_0.bank_code = NRF_DFU_BANK_INVALID;
|
|
|
|
if (!DFU_REQUIRES_SOFTDEVICE && !update_requires_softdevice(p_init))
|
|
{
|
|
// App does not need SD, so it should be placed where SD is.
|
|
nrf_dfu_softdevice_invalidate();
|
|
}
|
|
|
|
if (!NRF_DFU_DEBUG ||
|
|
(NRF_DFU_DEBUG && (p_init->has_is_debug == false || p_init->is_debug == false)))
|
|
{
|
|
s_dfu_settings.app_version = p_init->fw_version;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
|
|
// Function to check a received SoftDevice or Bootloader firmware, or both,
|
|
// before it is copied into place.
|
|
// The is_trusted argument specifies whether the function should have side effects.
|
|
static bool postvalidate_sd_bl(dfu_InitCommand const * p_init,
|
|
bool with_sd,
|
|
bool with_bl,
|
|
uint32_t start_addr,
|
|
uint32_t data_len,
|
|
bool is_trusted)
|
|
{
|
|
boot_validation_t boot_validation_sd = {NO_VALIDATION};
|
|
boot_validation_t boot_validation_bl = {NO_VALIDATION};
|
|
uint32_t bl_start = start_addr;
|
|
uint32_t bl_size = data_len;
|
|
|
|
ASSERT(with_sd || with_bl);
|
|
|
|
if (with_sd)
|
|
{
|
|
if (!softdevice_info_ok(start_addr, p_init->sd_size))
|
|
{
|
|
return false;
|
|
}
|
|
|
|
if (is_major_softdevice_update(start_addr))
|
|
{
|
|
NRF_LOG_WARNING("Invalidating app because it is incompatible with the SoftDevice.");
|
|
if (DFU_REQUIRES_SOFTDEVICE && !with_bl)
|
|
{
|
|
NRF_LOG_ERROR("Major SD update but no BL. Abort to avoid incapacitating the BL.");
|
|
return false;
|
|
}
|
|
}
|
|
|
|
if (!boot_validation_extract(&boot_validation_sd, p_init, 0, start_addr, p_init->sd_size, VALIDATE_ECDSA_P256_SHA256))
|
|
{
|
|
return false;
|
|
}
|
|
|
|
bl_start += p_init->sd_size;
|
|
bl_size -= p_init->sd_size;
|
|
}
|
|
if (with_bl)
|
|
{
|
|
boot_validation_extract(&boot_validation_bl, p_init, with_sd ? 1 : 0, bl_start, bl_size, NO_VALIDATION);
|
|
}
|
|
|
|
if (!is_trusted)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
if (with_sd)
|
|
{
|
|
if (is_major_softdevice_update(start_addr))
|
|
{
|
|
// Invalidate app since it may not be compatible with new SD.
|
|
nrf_dfu_bank_invalidate(&s_dfu_settings.bank_0);
|
|
}
|
|
|
|
memcpy(&s_dfu_settings.boot_validation_softdevice, &boot_validation_sd, sizeof(boot_validation_sd));
|
|
|
|
// Mark the update as valid.
|
|
s_dfu_settings.bank_1.bank_code = with_bl ? NRF_DFU_BANK_VALID_SD_BL
|
|
: NRF_DFU_BANK_VALID_SD;
|
|
|
|
s_dfu_settings.sd_size = p_init->sd_size;
|
|
}
|
|
else
|
|
{
|
|
s_dfu_settings.bank_1.bank_code = NRF_DFU_BANK_VALID_BL;
|
|
}
|
|
|
|
|
|
if (with_bl)
|
|
{
|
|
memcpy(&s_dfu_settings.boot_validation_bootloader, &boot_validation_bl, sizeof(boot_validation_bl));
|
|
|
|
if (!NRF_DFU_DEBUG ||
|
|
(NRF_DFU_DEBUG && (p_init->has_is_debug == false || p_init->is_debug == false)))
|
|
{
|
|
// If the update contains a bootloader, update the version.
|
|
// Unless the update is a debug packet.
|
|
s_dfu_settings.bootloader_version = p_init->fw_version;
|
|
}
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
|
|
bool nrf_dfu_validation_boot_validate(boot_validation_t const * p_validation, uint32_t data_addr, uint32_t data_len)
|
|
{
|
|
uint8_t const * p_data = (uint8_t*) data_addr;
|
|
|
|
nrf_dfu_result_t res_code = nrf_dfu_validation_signature_check(
|
|
p_validation->sigmask,
|
|
p_validation->bytes,
|
|
64,
|
|
p_data,
|
|
data_len);
|
|
return (res_code == NRF_DFU_RES_CODE_SUCCESS);
|
|
|
|
}
|
|
|
|
|
|
nrf_dfu_result_t postvalidate(uint32_t data_addr, uint32_t data_len, bool is_trusted)
|
|
{
|
|
nrf_dfu_result_t ret_val = NRF_DFU_RES_CODE_SUCCESS;
|
|
dfu_InitCommand const * p_init = mp_init;
|
|
|
|
if (!fw_hash_ok(p_init, data_addr, data_len))
|
|
{
|
|
ret_val = EXT_ERR(NRF_DFU_EXT_ERROR_VERIFICATION_FAILED);
|
|
}
|
|
else
|
|
{
|
|
if (p_init->type == dfu_FwType_APPLICATION)
|
|
{
|
|
if (!postvalidate_app(p_init, data_addr, data_len, is_trusted))
|
|
{
|
|
ret_val = NRF_DFU_RES_CODE_INVALID_OBJECT;
|
|
}
|
|
}
|
|
#if NRF_DFU_SUPPORTS_EXTERNAL_APP
|
|
else if (p_init->type == DFU_FW_TYPE_EXTERNAL_APPLICATION)
|
|
{
|
|
if (!is_trusted)
|
|
{
|
|
// This function must be implemented externally
|
|
ret_val = nrf_dfu_validation_post_external_app_execute(p_init, is_trusted);
|
|
}
|
|
else
|
|
{
|
|
s_dfu_settings.bank_1.bank_code = NRF_DFU_BANK_VALID_EXT_APP;
|
|
}
|
|
}
|
|
#endif // NRF_DFU_SUPPORTS_EXTERNAL_APP
|
|
else
|
|
{
|
|
bool with_sd = p_init->type & dfu_FwType_SOFTDEVICE;
|
|
bool with_bl = p_init->type & dfu_FwType_BOOTLOADER;
|
|
|
|
if (!postvalidate_sd_bl(p_init, with_sd, with_bl, data_addr, data_len, is_trusted))
|
|
{
|
|
ret_val = NRF_DFU_RES_CODE_INVALID_OBJECT;
|
|
if (is_trusted && with_sd && !DFU_REQUIRES_SOFTDEVICE &&
|
|
(data_addr == nrf_dfu_softdevice_start_address()))
|
|
{
|
|
nrf_dfu_softdevice_invalidate();
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if (!is_trusted)
|
|
{
|
|
if (ret_val == NRF_DFU_RES_CODE_SUCCESS)
|
|
{
|
|
s_dfu_settings.bank_current = NRF_DFU_CURRENT_BANK_1;
|
|
}
|
|
else
|
|
{
|
|
nrf_dfu_settings_progress_reset();
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if (ret_val == NRF_DFU_RES_CODE_SUCCESS)
|
|
{
|
|
// Mark the update as complete and valid.
|
|
s_dfu_settings.bank_1.image_crc = crc32_compute((uint8_t *)data_addr, data_len, NULL);
|
|
s_dfu_settings.bank_1.image_size = data_len;
|
|
}
|
|
else
|
|
{
|
|
nrf_dfu_bank_invalidate(&s_dfu_settings.bank_1);
|
|
}
|
|
|
|
nrf_dfu_settings_progress_reset();
|
|
s_dfu_settings.progress.update_start_address = data_addr;
|
|
}
|
|
|
|
return ret_val;
|
|
}
|
|
|
|
|
|
nrf_dfu_result_t nrf_dfu_validation_post_data_execute(uint32_t data_addr, uint32_t data_len)
|
|
{
|
|
return postvalidate(data_addr, data_len, false);
|
|
}
|
|
|
|
|
|
nrf_dfu_result_t nrf_dfu_validation_activation_prepare(uint32_t data_addr, uint32_t data_len)
|
|
{
|
|
return postvalidate(data_addr, data_len, true);
|
|
}
|
|
|
|
|
|
bool nrf_dfu_validation_valid_external_app(void)
|
|
{
|
|
return s_dfu_settings.bank_1.bank_code == NRF_DFU_BANK_VALID_EXT_APP;
|
|
}
|