Merge pull request #39 from jonasblixt/v2.0.0-cleanup1

V2.0.0

.github/workflows/punchboot-tools.yml

@@ -1,6 +1,5 @@
 name: Build punchboot-tools
-# push
-on: [pull_request]
+on: [pull_request, push, workflow_dispatch]
 
 # REMEMBER: If the libusb versions for macos are updated the 'macos deps',
 #  setup.py and pyproject.toml must also be updated since they have hard coded
@@ -50,7 +49,7 @@ jobs:
           install_name_tool -id @rpath/libusb-1.0.0.dylib libusb_arm64/1.0.26/lib/libusb-1.0.0.dylib
 
       - name: Build wheels
-        uses: pypa/cibuildwheel@v2.16.2
+        uses: pypa/cibuildwheel@v2.16.5
         with:
            package-dir: .
            output-dir: wheelhouse

.gitignore

@@ -40,3 +40,5 @@ tags
 download
 *.egg-info
 *.so
+build
+dist

.pre-commit-config.yaml

@@ -1,23 +1,36 @@
 repos:
-  - repo: https://github.com/psf/black
-    rev: 23.12.1
-    hooks:
-      - id: black
-        language_version: python3
-  - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.8.0
-    hooks:
-    - id: mypy
-      additional_dependencies:
-        - "semver>=3,<4"
-        - "click>=8,<9"
-      pass_filenames: false # This and the args, argument are needed to make mypy read pyproject.toml
-      args: ["."]
-  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.1.14
-    hooks:
-      - id: ruff
-  - repo: https://github.com/pre-commit/mirrors-clang-format
-    rev: v17.0.6
-    hooks:
-    - id: clang-format
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.5.0
+  hooks:
+    - id: check-added-large-files
+    - id: check-case-conflict
+    - id: check-json
+    - id: check-merge-conflict
+    - id: check-shebang-scripts-are-executable
+    - id: check-yaml
+    - id: end-of-file-fixer
+    - id: forbid-submodules
+    - id: requirements-txt-fixer
+    - id: trailing-whitespace
+
+- repo: https://github.com/pre-commit/mirrors-mypy
+  rev: v1.8.0
+  hooks:
+  - id: mypy
+    additional_dependencies:
+      - "semver>=3,<4"
+      - "click>=8,<9"
+      - "setuptools>=69,<70"
+    pass_filenames: false # This and the args, argument are needed to make mypy read pyproject.toml
+    args: ["."]
+
+- repo: https://github.com/astral-sh/ruff-pre-commit
+  rev: v0.2.1
+  hooks:
+  - id: ruff
+    args: [ --fix ]
+
+- repo: https://github.com/pre-commit/mirrors-clang-format
+  rev: v17.0.6
+  hooks:
+  - id: clang-format

LICENSE

@@ -1,32 +1,31 @@
 Punch BOOT
- 
+
   SPDX-License-Identifier: BSD-3-Clause
- 
+
 Copyright 2018, Jonas Blixt <jonpe960@gmail.com>
 
-Redistribution and use in source and binary forms, with or without modification, 
+Redistribution and use in source and binary forms, with or without modification,
     are permitted provided that the following conditions are met:
 
-1. Redistributions of source code must retain the above copyright notice, 
+1. Redistributions of source code must retain the above copyright notice,
             this list of conditions and the following disclaimer.
 
-2. Redistributions in binary form must reproduce the above copyright notice, 
-    this list of conditions and the following disclaimer in the documentation 
+2. Redistributions in binary form must reproduce the above copyright notice,
+    this list of conditions and the following disclaimer in the documentation
     and/or other materials provided with the distribution.
 
-3. Neither the name of the copyright holder nor the names of its contributors 
-    may be used to endorse or promote products derived from this software 
+3. Neither the name of the copyright holder nor the names of its contributors
+    may be used to endorse or promote products derived from this software
     without specific prior written permission.
 
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE 
-GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 
-STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, 
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
 EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-

README.md

@@ -19,8 +19,8 @@ Punchboot is a secure and fast bootloader for embedded systems. It is designed t
  - Minimize software download time in production
  - Be useful for day-to-day development
 
-Punchboot is designed for embedded systems and therefore it has a minimalistic 
-apporach. There is no run-time configuration, everything is configured in 
+Punchboot is designed for embedded systems and therefore it has a minimalistic
+apporach. There is no run-time configuration, everything is configured in
 the board files.
 
 Punchboot could be useful if you care about the following:
@@ -108,22 +108,22 @@ this way many different public keys can be stored in a flash memory and every
 time the device boots it will compute a sha256 checksum and compare it to the
 fused checksum.
 
-Punchboot is designed to be a part of a secure boot chain. This means that 
-the bootloader is cryptographically signed, the ROM code of the SoC must 
-support a mechanism to validate this signature, otherwise there is no 
+Punchboot is designed to be a part of a secure boot chain. This means that
+the bootloader is cryptographically signed, the ROM code of the SoC must
+support a mechanism to validate this signature, otherwise there is no
 root of trust.
 
 When punchboot has been verified it, in turn, will load and verify the next
 software component in the boot chain. The bootloader _only_ supports signed
 binaries.
 
 ## Testing and integration tests
-Punchboot uses QEMU for all module and integration tests. The 'test' platform 
-and board target relies on virtio serial ports and block devices. The punchboot 
-cli can be built with a domain socket transport instead of USB for communicating 
+Punchboot uses QEMU for all module and integration tests. The 'test' platform
+and board target relies on virtio serial ports and block devices. The punchboot
+cli can be built with a domain socket transport instead of USB for communicating
 with an QEMU environment.
 
-The test platform code includes gcov code that calls the QEMU semihosting API 
+The test platform code includes gcov code that calls the QEMU semihosting API
 for storing test coverage data on the host.
 
 Building and running tests:
@@ -135,30 +135,30 @@ $ make check
 
 ## Device identity
 
-Most modern SoC's provide some kind of unique identity, that is guaranteed to 
-be unique for that particular type of SoC / Vendor etc but can not be guarateed 
+Most modern SoC's provide some kind of unique identity, that is guaranteed to
+be unique for that particular type of SoC / Vendor etc but can not be guarateed
 to be globally unique.
 
-Punchboot provides a UUID3 device identity based on a combination of the unique 
+Punchboot provides a UUID3 device identity based on a combination of the unique
 data from the SoC and an allocated, random, namspace UUID per platform.
 
-When booting a linux system this information is relayed to linux through 
+When booting a linux system this information is relayed to linux through
 in-line patching of the device-tree.
 The device identity can be found in '/proc/device-tree/chosen/device-uuid'
 
 ## Command mode
 
-Command mode is entered when the system can't boot or if the bootloader is 
+Command mode is entered when the system can't boot or if the bootloader is
 forced by a configurable, external event to do so.
 
-In the command mode it is possible to update the bootloader, write data to 
-partitions and install default settings. From v0.3 and forward 
-an 'authentication cookie' must be used to interact with the bootloader to 
-prevent malicious activity. The only command that can be executed without 
+In the command mode it is possible to update the bootloader, write data to
+partitions and install default settings. From v0.3 and forward
+an 'authentication cookie' must be used to interact with the bootloader to
+prevent malicious activity. The only command that can be executed without
 authentication is listing the device information (including the device UUID)
 
-The authentication cookie consists of the device UUID encrypted with one of 
-the active key pair's private key. 
+The authentication cookie consists of the device UUID encrypted with one of
+the active key pair's private key.
 
 ## punchboot tool
 The punchboot CLI is used for interacting with the command mode. A summary of the features available:
@@ -223,7 +223,7 @@ Authenticating using key index 0 and './0B177094-6B62-3572-902E-C1DE339ECB01.tok
 Read 103 bytes
 Authentication successful
 ```
-Now the command mode is fully unlocked. The token is of course only valid for 
+Now the command mode is fully unlocked. The token is of course only valid for
 the individual unit with that perticular UUID.
 
 ## Metrics
@@ -279,4 +279,3 @@ The POR time is off due to some unidentified problem with the SCU firmware.
 3. Implement test case(s) to ensure that future changes do not break legacy
 4. Run checks: cp configs/test_defconfig .config && make check
 5. Create pull request
-