call bootloader update from coreapp #5227
Conversation
|
TychoVrahe
force-pushed
the
tychovrahe/bootloader/update_fw
branch
4 times, most recently
from
936d0ff to
a256faa
Compare
…mcalls) [no changelog]
[no changelog]
…ript for sending the data
TychoVrahe
force-pushed
the
tychovrahe/bootloader/update_fw
branch
from
a256faa to
35c37af
Compare
TychoVrahe
requested review from
cepetr and
Copilot
and removed request for
prusnak
There was a problem hiding this comment.
Pull Request Overview
This PR refactors bootloader updates to be invoked from the coreapp via new syscalls/smcalls, adds signature and hash checks to maintain security, introduces a prodtest command and Python tool for chunked bootloader uploads, and removes duplicate bootloader embedding while restricting the hash processor to secure-only builds.
- Added
util/bl_checkmodule for verifying and replacing bootloader images. - Exposed new syscalls/smcalls (
BL_CHECK_CHECKandBL_CHECK_REPLACE) and integrated them into dispatch and stubs. - Created
core/tools/bld_update.pyfor CLI-driven USB-VCP bootloader uploads and updated prodtest to drive it.
Reviewed Changes
Copilot reviewed 45 out of 45 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| core/tools/bld_update.py | New Python CLI tool to compress and upload bootloader |
| core/embed/util/bl_check/inc/util/bl_check.h | Declares bl_check_check/bl_check_replace APIs |
| core/embed/sys/syscall/stm32/syscall_verifiers.c | Adds verification stub for bl_check_replace syscall |
| core/SConscript.firmware | Embeds compressed bootloader in firmware linker rules |
Comments suppressed due to low confidence (3)
core/embed/util/bl_check/inc/util/bl_check.h:33
- [nitpick] The function name
bl_check_checkis redundant and unclear. Consider renaming it to something more descriptive, such asbl_update_neededorbootloader_needs_update.
bool bl_check_check(void);
core/embed/projects/prodtest/cmd/prodtest_bootloader.c:62
- This new
prodtest_bootloader_updatecommand implements significant logic but lacks dedicated tests. Consider adding unit or integration tests to validate correct behavior across begin/chunk/end phases and error conditions.
static void prodtest_bootloader_update(cli_t *cli) {
core/SConscript.firmware:911
- [nitpick] Embedding the bootloader binary is now duplicated in multiple SConscript files. Consider centralizing this logic or defining a helper to reduce duplication and ease future updates.
tools.embed_compressed_binary(
| @@ -64,6 +64,19 @@ void sysevents_poll__verified(const sysevents_t *awaited, | |||
|
|
|||
| // --------------------------------------------------------------------- | |||
|
|
|||
| void bl_check_replace__verified(const uint8_t *data, size_t len) { | |||
There was a problem hiding this comment.
Add a bounds check on len (e.g., len <= BOOTLOADER_MAXSIZE) before calling into bl_check_replace to prevent oversized input from causing buffer overflows.
| void bl_check_replace__verified(const uint8_t *data, size_t len) { | |
| void bl_check_replace__verified(const uint8_t *data, size_t len) { | |
| if (len > BOOTLOADER_MAXSIZE) { | |
| goto access_violation; | |
| } |
Copilot uses AI. Check for mistakes.
| hexstr = chunk.hex() | ||
| send_cmd(ser, f"bootloader-update chunk {hexstr}") |
There was a problem hiding this comment.
[nitpick] Converting binary data to hex doubles the payload size and CPU cost. Consider using a more efficient binary-to-text encoding (e.g., Base64) or a raw binary transfer protocol if supported.
| hexstr = chunk.hex() | |
| send_cmd(ser, f"bootloader-update chunk {hexstr}") | |
| base64str = base64.b64encode(chunk).decode() | |
| send_cmd(ser, f"bootloader-update chunk {base64str}") |
Copilot uses AI. Check for mistakes.
| ); | ||
| show(&mut frame, true); | ||
| } | ||
| fn screen_update() {} |
There was a problem hiding this comment.
making these functions empty looks wrong at first glance
should we drop the whole function, if it is unused (as it seems, from the fact that Caesar / Delicia don't even have it)?
There was a problem hiding this comment.
All UIs have it and it is called (when bootloader is updating). We might want to implement it with some nice message, but since the update us fast i didnt want to waste my time with thay right now. On Bolt and Delizia this will cause quick fadeout-fadein when updating the bootloader, no effect on Ceasar. Cc also @Hannsek if this is acceptable.
core/embed/util/bl_check/bl_check.c
Outdated
|
|
||
| void check_and_replace_bootloader(void) { | ||
| #if PRODUCTION || BOOTLOADER_QA | ||
| bool bl_check_check(void) { |
There was a problem hiding this comment.
the hash value(s) to check against should come from the caller
because it's the caller who has the replacement data
|
@matejcik sharing the peripheral is tricky, as we'd need to synchronize usage between secure/non-secure world, as each has its own globals which are used for this purpose. While probably possible, the usage outside of secure world is now quite limited that i don't think its worth the effort. Alternatively we could use it through smcalls, but again, i don't think its worth the effort now. |
[no changelog]
[no changelog]
|
added two more commits
|
This PR changes the way bootloader update is invoked.
Instead of embedding bootloader into secmon/kernel, its embedded in firmware(coreapp), and bootloader update is invoked via syscall + smcall. To keep the security same, additional checks are added to update smcall ( signature and hash check).
New command is added to prodtest, which allows updating the bootloader via VPC. A simple script is added to upload the bootloader data by chunks.
This PR also fixes an issue with double-embedded bootloader when both secmon + kernel is used.
Hash processor is now made secure-only, as it is used for hashing the firmware image header in secmon.
fixes #4168