1 /*
2  * Copyright (c) 2012-2014 Wind River Systems, Inc.
3  * Copyright (c) 2017-2024 Arm Limited.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
#include "mcuboot_config/mcuboot_config.h"
#include <assert.h>
#include <stdint.h>
#include <string.h>
#include "target.h"
#include "tfm_hal_device_header.h"
#include "mbedtls/memory_buffer_alloc.h"
#include "bootutil/security_cnt.h"
#include "bootutil/bootutil_log.h"
#include "bootutil/image.h"
#include "bootutil/bootutil.h"
#include "bootutil/boot_record.h"
#include "bootutil/fault_injection_hardening.h"
#include "flash_map_backend/flash_map_backend.h"
#include "boot_hal.h"
#include "uart_stdout.h"
#include "tfm_plat_otp.h"
#include "tfm_plat_provisioning.h"
#ifdef TEST_BL2
#include "mcuboot_suites.h"
#endif /* TEST_BL2 */
37 
38 #if defined(MCUBOOT_USE_PSA_CRYPTO)
39 #include "psa/crypto.h"
40 /* A few macros for stringification */
41 #define str(X) #X
42 #define xstr(X) str(X)
43 #endif /* MCUBOOT_USE_PSA_CRYPTO */
44 
45 /* Avoids the semihosting issue */
46 #if defined (__ARMCC_VERSION) && (__ARMCC_VERSION >= 6010050)
47 __asm("  .global __ARM_use_no_argv\n");
48 #endif
49 
50 #ifdef MCUBOOT_ENCRYPT_RSA
51 #define BL2_MBEDTLS_MEM_BUF_LEN 0x3000
52 #else
53 #define BL2_MBEDTLS_MEM_BUF_LEN 0x2000
54 #endif
55 
/* Static buffer to be used by mbedtls for memory allocation */
static uint8_t mbedtls_mem_buf[BL2_MBEDTLS_MEM_BUF_LEN];
/* Boot response of the most recently loaded image. main() zeroes it before
 * every boot_go_for_image_id() attempt and hands it to do_boot() once all
 * images are loaded.
 */
struct boot_rsp rsp;
59 
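/**
 * Transfer control to the image described by @p rsp.
 *
 * The start of the image payload is its ARM vector table: the initial stack
 * pointer followed by the reset vector. The table is located either at the
 * RAM load address (IMAGE_F_RAM_LOAD set) or at the image's address in flash,
 * and is handed to boot_platform_quit(), which does not return.
 *
 * @param rsp  Boot response filled in by boot_go_for_image_id() (see main()).
 */
static void do_boot(struct boot_rsp *rsp)
{
    struct boot_arm_vector_table *vt;
    uintptr_t flash_base;
    int rc;

    rc = flash_device_base(rsp->br_flash_dev_id, &flash_base);
    /* Checked at runtime rather than with assert(): assert() is compiled out
     * under NDEBUG, and a release build must never jump through an address
     * derived from an unresolved flash base.
     */
    if (rc != 0) {
        BOOT_LOG_ERR("Flash device base lookup failed");
        FIH_PANIC;
    }

    if (rsp->br_hdr->ih_flags & IMAGE_F_RAM_LOAD) {
        /* The image has been copied to SRAM: the vector table sits at the load
         * address, not at the image's address in flash.
         */
        vt = (struct boot_arm_vector_table *)(rsp->br_hdr->ih_load_addr +
                                               rsp->br_hdr->ih_hdr_size);
    } else {
        /* Executing in place from flash. */
        vt = (struct boot_arm_vector_table *)(flash_base +
                                               rsp->br_image_off +
                                               rsp->br_hdr->ih_hdr_size);
    }

#if MCUBOOT_LOG_LEVEL > MCUBOOT_LOG_LEVEL_OFF || TEST_BL2
    /* Tear down the debug console before handing the hardware to the image. */
    stdio_uninit();
#endif

    /* Does not return: ends in the secure application's Reset_Handler(). */
    boot_platform_quit(vt);
}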
97 
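/**
 * BL2 entry point: bring up the platform, load every image, then jump to the
 * last one loaded.
 *
 * Order of operations as executed below: mbedtls static allocator, console
 * (when logging or TEST_BL2 is enabled), platform init, OTP, provisioning
 * (when required), NV security counter, platform post-init, optional PSA
 * Crypto init and optional test suite. Images are then loaded from
 * MCUBOOT_IMAGE_NUMBER - 1 down to 0, so the TF-M image is loaded last and
 * @c rsp describes it when do_boot() is called.
 *
 * Every failure path ends in FIH_PANIC.
 *
 * @return FIH_FAILURE, present only to satisfy tools that require a return
 *         statement; do_boot() does not return, so this is not reached.
 */
int main(void)
{
    fih_ret fih_rc = FIH_FAILURE;
    fih_ret recovery_succeeded = FIH_FAILURE;
    enum tfm_plat_err_t plat_err;
    int32_t image_id;

    /* Route every mbedtls allocation to the static buffer instead of the heap. */
    mbedtls_memory_buffer_alloc_init(mbedtls_mem_buf, BL2_MBEDTLS_MEM_BUF_LEN);

#if MCUBOOT_LOG_LEVEL > MCUBOOT_LOG_LEVEL_OFF || TEST_BL2
    stdio_init();
#endif

    /* Perform platform specific initialization */
    if (boot_platform_init() != 0) {
        BOOT_LOG_ERR("Platform init failed");
        FIH_PANIC;
    }

    BOOT_LOG_INF("Starting bootloader");

    /* OTP is brought up before provisioning and the security counter. */
    plat_err = tfm_plat_otp_init();
    if (plat_err != TFM_PLAT_ERR_SUCCESS) {
        BOOT_LOG_ERR("OTP system initialization failed");
        FIH_PANIC;
    }

    if (tfm_plat_provisioning_is_required()) {
        plat_err = tfm_plat_provisioning_perform();
        if (plat_err != TFM_PLAT_ERR_SUCCESS) {
            BOOT_LOG_ERR("Provisioning failed");
            FIH_PANIC;
        }
    }
    tfm_plat_provisioning_check_for_dummy_keys();

    FIH_CALL(boot_nv_security_counter_init, fih_rc);
    if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
        BOOT_LOG_ERR("Error while initializing the security counter");
        FIH_PANIC;
    }

    /* Perform platform specific post-initialization */
    if (boot_platform_post_init() != 0) {
        BOOT_LOG_ERR("Platform post init failed");
        FIH_PANIC;
    }

#if defined(MCUBOOT_USE_PSA_CRYPTO)
    /* If the bootloader is configured to use PSA Crypto APIs in the
     * abstraction layer, the component needs to be explicitly initialized
     * before MCUboot APIs, as the crypto abstraction expects that the init
     * has already happened
     */
    psa_status_t status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        BOOT_LOG_ERR("PSA Crypto init failed with error code %d", status);
        FIH_PANIC;
    }
    BOOT_LOG_INF("PSA Crypto init done, sig_type: %s", xstr(MCUBOOT_SIGNATURE_TYPE));
#endif /* MCUBOOT_USE_PSA_CRYPTO */

#ifdef TEST_BL2
    (void)run_mcuboot_testsuite();
#endif /* TEST_BL2 */

    /* Images are loaded in reverse order so that the last image loaded is the
     * TF-M image, which means the response is filled correctly.
     */
    for (image_id = MCUBOOT_IMAGE_NUMBER - 1; image_id >= 0; image_id--) {
        if (!boot_platform_should_load_image(image_id)) {
            continue;
        }

        if (boot_platform_pre_load(image_id)) {
            BOOT_LOG_ERR("Pre-load step for image %d failed", image_id);
            FIH_PANIC;
        }

        /* Retry until boot_go_for_image_id() succeeds. A failed attempt hands
         * control to boot_initiate_recovery_mode(); the loop panics only if
         * recovery itself reports failure.
         */
        do {
            /* Primary goal to zeroize the 'rsp' is to avoid to accidentally load
             * the NS image in case of a fault injection attack. However, it is
             * done anyway as a good practice to sanitize memory.
             */
            memset(&rsp, 0, sizeof rsp);

            FIH_CALL(boot_go_for_image_id, fih_rc, &rsp, image_id);

            if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
                BOOT_LOG_ERR("Unable to find bootable image");

                recovery_succeeded = fih_ret_encode_zero_equality(
                    boot_initiate_recovery_mode(image_id));
                if (FIH_NOT_EQ(recovery_succeeded, FIH_SUCCESS)) {
                    FIH_PANIC;
                }
            }
        } while (FIH_NOT_EQ(fih_rc, FIH_SUCCESS));

        if (boot_platform_post_load(image_id)) {
            BOOT_LOG_ERR("Post-load step for image %d failed", image_id);
            FIH_PANIC;
        }
    }

    BOOT_LOG_INF("Bootloader chainload address offset: 0x%x",
                 rsp.br_image_off);
    BOOT_LOG_INF("Jumping to the first image slot");
    do_boot(&rsp);

    BOOT_LOG_ERR("Never should get here");
    FIH_PANIC;

    /* Dummy return to be compatible with some check tools */
    return FIH_FAILURE;
}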
216 
217 #if defined(MCUBOOT_USE_PSA_CRYPTO)
218 /* When MCUBOOT_USE_PSA_CRYPTO is set, the PSA Crypto layer is configured
219  * to use an external RNG generator through MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
220  * But the cryptographic APIs required by BL2 don't require access to randomness
221  * hence we can just stub this API to always return an error code
222  */
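/**
 * PSA external RNG hook, stubbed for BL2.
 *
 * BL2 does not require randomness, so this never produces any output: it
 * reports PSA_ERROR_NOT_SUPPORTED unconditionally, which makes any unexpected
 * request for random bytes fail instead of succeeding with non-random data.
 *
 * @param context        Unused.
 * @param output         Unused; never written.
 * @param output_size    Unused.
 * @param output_length  Unused; never written.
 * @return PSA_ERROR_NOT_SUPPORTED, always.
 */
psa_status_t mbedtls_psa_external_get_random(
    mbedtls_psa_external_random_context_t *context,
    uint8_t *output, size_t output_size, size_t *output_length)
{
    /* Silence -Wunused-parameter; the stub intentionally touches nothing. */
    (void)context;
    (void)output;
    (void)output_size;
    (void)output_length;

    return PSA_ERROR_NOT_SUPPORTED;
}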
229 #endif /* MCUBOOT_USE_PSA_CRYPTO */
230