bootutil: Store image encrypted in scratch area #1952
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
As discussed on #1942, when swap using scratch is used, the image is currently decrypted while copying from the secondary slot to the scratch area. This means even when
BOOT_SWAP_SAVE_ENCTLV
is enabled, the scratch area has to reside in the MCU's internal flash memory.However, being able to place the scratch area in an external flash memory could be valuable since:
This PR proposes changes to perform the decryption while copying from the scratch area to the secondary slot instead, meaning the scratch area does not contain plaintext image data anymore.
The reason why this wasn't performed that way in the first place is probably that it introduces an issue when the device is reset after having erased the first sector of the secondary slot but before having copied it from the scratch area to the primary slot. Indeed, for being able to properly decrypt an image, MCUboot needs the header of that image (cf.
boot_copy_region
). This header is located at the beginning of the secondary slot until the first sector of the secondary slot is processed. At this time:If a reset occurs after step 1, the secondary image's header might not be located anymore in the secondary slot but is still needed when using encrypted scratch since the first segment of the image has to be decrypted during step 3. However, when using swap using scratch, MCUboot is currently always looking for the primary and secondary image's headers in respectively the primary and secondary slots, regardless of the current boot status (cf.
boot_read_image_header
). Therefore, this MR also modifies theboot_read_image_header
routine to properly load the image headers, according to the current progress of the upgrade.Tests
enc-x25519
,enc-x25519 multiimage
,enc-x25519 overwrite-only
,enc-x25519 ram-load
,enc-x25519 swap-move
anddirect-xip
.