DFU working - but no signature validation for now.

5 files changed, 301 insertions, 21 deletions

diff --git a/projects/bootloader/Makefile b/projects/bootloader/Makefile
index 7cef633..4eef758 100644
--- a/projects/bootloader/Makefile
+++ b/projects/bootloader/Makefile
@@ -1,8 +1,10 @@
 PROG = bootloader
 
+OBJS = crc32.o dfu.o
+
 all: $(PROG:=.elf)
 
-%.elf: %.o $(BOARD_OBJS) $(LIBS)
+%.elf: %.o $(BOARD_OBJS) $(OBJS) $(LIBS)
 	$(CC) $(CFLAGS) $^ -o $@ -T$(BOOTLOADER_LDSCRIPT) -g -Wl,-Map=$*.map
 	$(OBJCOPY) -O ihex $*.elf $*.hex
 	$(OBJCOPY) -O binary $*.elf $*.bin
diff --git a/projects/bootloader/bootloader.c b/projects/bootloader/bootloader.c
index 1450c1a..ab3c1d9 100644
--- a/projects/bootloader/bootloader.c
+++ b/projects/bootloader/bootloader.c
@@ -1,22 +1,41 @@
 /*
+ * bootloader.c
+ * ------------
  * Bootloader to either install new firmware received from the MGMT UART,
  * or jump to previously installed firmware.
  *
+ * Copyright (c) 2016, NORDUnet A/S All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * - Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ *
+ * - Neither the name of the NORDUnet nor the names of its contributors may
+ *   be used to endorse or promote products derived from this software
+ *   without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-#include "stm32f4xx_hal.h"
 #include "stm-init.h"
 #include "stm-led.h"
 #include "stm-uart.h"
-
-/* Magic bytes to signal the bootloader it should jump to the firmware
- * instead of trying to receive a new firmware using the MGMT UART.
- */
-#define HARDWARE_EARLY_DFU_JUMP   0xBADABADA
-
-/* symbols defined in the linker script (STM32F429BI.ld) */
-extern uint32_t CRYPTECH_FIRMWARE_START;
-extern uint32_t CRYPTECH_FIRMWARE_END;
-extern uint32_t CRYPTECH_DFU_CONTROL;
+#include "dfu.h"
 
 /* Linker symbols are strange in C. Make regular pointers for sanity. */
 __IO uint32_t *dfu_control = &CRYPTECH_DFU_CONTROL;
@@ -42,10 +61,30 @@ void do_early_dfu_jump(void)
     while (1);
 }
 
+int should_dfu()
+{
+    int i;
+    uint8_t rx = 0;
+
+    /* While blinking the blue LED for one second, see if we receive a CR on the MGMT UART.
+     * We've discussed also requiring one or both of the FPGA config jumpers installed
+     * before allowing DFU of the STM32 - that check could be done here.
+     */
+    led_on(LED_BLUE);
+    for (i = 0; i < 10; i++) {
+	HAL_Delay(100);
+	led_toggle(LED_BLUE);
+	if (uart_recv_char2(STM_UART_MGMT, &rx, 0) == HAL_OK) {
+	    if (rx == 13) return 1;
+	}
+    }
+    return 0;
+}
+
 int
 main()
 {
-    int i;
+    int status;
 
     /* Check if we've just rebooted in order to jump to the firmware. */
     if (*dfu_control == HARDWARE_EARLY_DFU_JUMP) {
@@ -55,14 +94,23 @@ main()
 
     stm_init();
 
-    uart_send_string2(STM_UART_MGMT, (char *) "This is the bootloader speaking...");
-
-    /* This is where uploading of new firmware over UART could happen */
+    uart_send_string2(STM_UART_MGMT, (char *) "\r\n\r\nThis is the bootloader speaking...");
 
-    led_on(LED_BLUE);
-    for (i = 0; i < 10; i++) {
-	HAL_Delay(100);
-	led_toggle(LED_BLUE);
+    if (should_dfu()) {
+	led_off(LED_BLUE);
+	if ((status = dfu_receive_firmware()) != 0) {
+	    /* Upload of new firmware failed, reboot after lighting the red LED
+	     * for three seconds.
+	     */
+	    led_off(LED_BLUE);
+	    led_on(LED_RED);
+	    uart_send_string2(STM_UART_MGMT, (char *) "dfu_receive_firmware failed: ");
+	    uart_send_number2(STM_UART_MGMT, status, 3, 16);
+	    uart_send_string2(STM_UART_MGMT, (char *) "\r\n\r\nRebooting in three seconds\r\n");
+	    HAL_Delay(3000);
+	    HAL_NVIC_SystemReset();
+	    while (1) {};
+	}
     }
 
     /* Set dfu_control to the magic value that will cause the us to call do_early_dfu_jump
@@ -70,7 +118,7 @@ main()
      */
     *dfu_control = HARDWARE_EARLY_DFU_JUMP;
 
-    uart_send_string2(STM_UART_MGMT, (char *) "loading firmware\r\n");
+    uart_send_string2(STM_UART_MGMT, (char *) "loading firmware\r\n\r\n");
 
     /* De-initialize hardware by rebooting */
     HAL_NVIC_SystemReset();
diff --git a/projects/bootloader/crc32.c b/projects/bootloader/crc32.c
new file mode 100644
index 0000000..4d1a0bc
--- /dev/null
+++ b/projects/bootloader/crc32.c
@@ -0,0 +1,62 @@
+/* Reference code from RFC1952. Not meant to be used outside test code. */
+
+#include "stm32f4xx_hal.h"
+
+
+/* Table of CRCs of all 8-bit messages. */
+unsigned long crc_table[256];
+
+/* Flag: has the table been computed? Initially false. */
+int crc_table_computed = 0;
+
+/* Make the table for a fast CRC. */
+void make_crc_table(void)
+{
+    unsigned long c;
+
+    int n, k;
+    for (n = 0; n < 256; n++) {
+	c = (unsigned long) n;
+	for (k = 0; k < 8; k++) {
+	    if (c & 1) {
+		c = 0xedb88320L ^ (c >> 1);
+	    } else {
+		c = c >> 1;
+	    }
+	}
+	crc_table[n] = c;
+    }
+    crc_table_computed = 1;
+}
+
+/*
+  Update a running crc with the bytes buf[0..len-1] and return
+  the updated crc. The crc should be initialized to zero. Pre- and
+  post-conditioning (one's complement) is performed within this
+  function so it shouldn't be done by the caller. Usage example:
+
+  unsigned long crc = 0L;
+
+  while (read_buffer(buffer, length) != EOF) {
+  crc = update_crc(crc, buffer, length);
+  }
+  if (crc != original_crc) error();
+*/
+uint32_t update_crc(uint32_t crc, uint8_t *buf, int len)
+{
+    unsigned long c = crc ^ 0xffffffffL;
+    int n;
+
+    if (!crc_table_computed)
+	make_crc_table();
+    for (n = 0; n < len; n++) {
+	c = crc_table[(c ^ buf[n]) & 0xff] ^ (c >> 8);
+    }
+    return c ^ 0xffffffffL;
+}
+
+/* Return the CRC of the bytes buf[0..len-1]. */
+unsigned long crc(unsigned char *buf, int len)
+{
+    return update_crc(0L, buf, len);
+}
diff --git a/projects/bootloader/dfu.c b/projects/bootloader/dfu.c
new file mode 100644
index 0000000..231e388
--- /dev/null
+++ b/projects/bootloader/dfu.c
@@ -0,0 +1,106 @@
+/*
+ * dfu.c
+ * ------------
+ * Receive new firmware from MGMT UART and write it to STM32 internal flash.
+ *
+ * Copyright (c) 2016, NORDUnet A/S All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * - Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ *
+ * - Neither the name of the NORDUnet nor the names of its contributors may
+ *   be used to endorse or promote products derived from this software
+ *   without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "dfu.h"
+#include "stm-led.h"
+#include "stm-uart.h"
+#include "stm-flash.h"
+
+#include <string.h>
+
+extern uint32_t update_crc(uint32_t crc, uint8_t *buf, int len);
+
+
+int dfu_receive_firmware(void)
+{
+    uint32_t filesize = 0, crc = 0, my_crc = 0, counter = 0;
+    uint32_t offset = DFU_FIRMWARE_ADDR, n = DFU_UPLOAD_CHUNK_SIZE;
+    uint32_t buf[DFU_UPLOAD_CHUNK_SIZE / 4];
+
+    uart_send_string2(STM_UART_MGMT, (char *) "\r\nOK, bootloader waiting for new firmware\r\n");
+
+    /* Read file size (4 bytes) */
+    uart_receive_bytes(STM_UART_MGMT, (void *) &filesize, 4, 1000);
+    if (filesize < 512 || filesize > DFU_FIRMWARE_END_ADDR - DFU_FIRMWARE_ADDR) {
+	return -1;
+    }
+
+    HAL_FLASH_Unlock();
+
+    while (filesize) {
+	/* By initializing buf to the same value that erased flash has (0xff), we don't
+	 * have to try and be smart when writing the last page of data to the memory.
+	 */
+	memset(buf, 0xffffffff, sizeof(buf));
+
+	if (filesize < n) {
+	    n = filesize;
+	}
+
+	if (uart_receive_bytes(STM_UART_MGMT, (void *) &buf, n, 1000) != HAL_OK) {
+	    return -2;
+	}
+	filesize -= n;
+
+	/* After reception of a chunk but before ACKing we have "all" the time in the world to
+	 * calculate CRC and write it to flash.
+	 */
+	my_crc = update_crc(my_crc, (uint8_t *) buf, n);
+	stm_flash_write32(offset, buf, sizeof(buf) / 4);
+	offset += DFU_UPLOAD_CHUNK_SIZE;
+
+	/* ACK this chunk by sending the current chunk counter (4 bytes) */
+	counter++;
+	uart_send_bytes(STM_UART_MGMT, (void *) &counter, 4);
+	led_toggle(LED_BLUE);
+    }
+
+    HAL_FLASH_Lock();
+
+    /* The sending side will now send it's calculated CRC-32 */
+    uart_receive_bytes(STM_UART_MGMT, (void *) &crc, 4, 1000);
+    if (crc == my_crc) {
+	uart_send_string2(STM_UART_MGMT, (char *) "\r\nSuccess\r\n");
+	return 0;
+    }
+
+    led_on(LED_RED);
+    led_on(LED_YELLOW);
+
+    /* Better to erase the known bad firmware */
+    stm_flash_erase_sectors(DFU_FIRMWARE_ADDR, DFU_FIRMWARE_END_ADDR);
+
+    led_off(LED_YELLOW);
+
+    return 0;
+}
diff --git a/projects/bootloader/dfu.h b/projects/bootloader/dfu.h
new file mode 100644
index 0000000..8dfed9d
--- /dev/null
+++ b/projects/bootloader/dfu.h
@@ -0,0 +1,62 @@
+/*
+ * dfu.h
+ * ---------
+ * Device Firmware Upgrade defines and prototypes.
+ *
+ * Copyright (c) 2016, NORDUnet A/S All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * - Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ *
+ * - Neither the name of the NORDUnet nor the names of its contributors may
+ *   be used to endorse or promote products derived from this software
+ *   without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __STM32_BOOTLOADER_DFU_H
+#define __STM32_BOOTLOADER_DFU_H
+
+#include "stm-init.h"
+
+/* symbols defined in the linker script (STM32F429BI_bootloader.ld) */
+extern uint32_t CRYPTECH_FIRMWARE_START;
+extern uint32_t CRYPTECH_FIRMWARE_END;
+extern uint32_t CRYPTECH_DFU_CONTROL;
+
+#define DFU_FIRMWARE_ADDR         ((uint32_t) &CRYPTECH_FIRMWARE_START)
+#define DFU_FIRMWARE_END_ADDR     ((uint32_t) &CRYPTECH_FIRMWARE_END)
+#define DFU_UPLOAD_CHUNK_SIZE     4096
+
+/* Magic bytes to signal the bootloader it should jump to the firmware
+ * instead of trying to receive a new firmware using the MGMT UART.
+ */
+#define HARDWARE_EARLY_DFU_JUMP   0xBADABADA
+
+extern __IO uint32_t *dfu_control;
+extern __IO uint32_t *dfu_firmware;
+extern __IO uint32_t *dfu_msp_ptr;
+extern __IO uint32_t *dfu_code_ptr;
+
+extern int dfu_receive_firmware(void);
+
+
+#endif /* __STM32_BOOTLOADER_DFU_H */