smpmgr: upgrade: add --bypass-inspect option for non-MCUboot images#92
smpmgr: upgrade: add --bypass-inspect option for non-MCUboot images#92axelnxp wants to merge 1 commit intointercreate:mainfrom
Conversation
axelnxp
force-pushed
the
feature/image_inspection_bypass
branch
3 times, most recently
from
538426a to
f49d659
Compare
JPHutchins
left a comment
JPHutchins
left a comment
There was a problem hiding this comment.
Generally, this option looks OK to me. I'm curious about the scenario where this is required - build system, SMP server being used - perhaps we could document that?
Should this client be calculating the hash so that it can verify the integrity of the upload? It seems that leaving it out entirely allows us to load corrupted firmware, calculate the hash over the corrupted firmware, then permanently mark the corrupted image as not corrupted.
JPHutchins
requested review from
JPHutchins,
aldenhaase,
Copilot,
davedesro and
swoisz
and removed request for
Copilot
|
@JPHutchins so basically I'm working on a feature for Zephyr, you can find everything in this RFC: zephyrproject-rtos/zephyr#103999 The idea is to support custom bootloaders and not only mcuboot. In our case, the image format is very specific (NXP's SB3.1). Regarding your point on the potential for uploading corrupted firmware: in our case, the image integrity is validated by our bootloader, so the upgrade won't happen if the image is corrupted. But I totally agree that if the device is unable to validate the image integrity, then there's a risk. So, I think I can improve the option documentation, clearly stating that this option puts the responsibility on the device to validate the image, and if it's not the case, the user understands the image could be corrupted. Would that work for you ? |
axelnxp
force-pushed
the
feature/image_inspection_bypass
branch
from
f49d659 to
a45503d
Compare
Excellent! I will review ASAP.
If a SHA256 is not present in the image format itself, nor calculated by the client and then compared to the calculation done by the server, then how can smpmgr trust that the image has been copied over the wire and into NVM perfectly? A SHA256 calculated by the SMP server or bootloader after transport is only half of what's required, from smpmgr's perspective. I realize that you likely have this taken care of for the RFC, I am investigating to understand what warnings we might add to avoid misuse by less rigorous implementations. |
Sorry I wasn't clear, the hash is present in the image file, at least in our case (SB3.1). When the SB3 file is generated, the hash is encoded in the file. So, the bootloader checks the hash encoded in the file actually corresponds to what's written in flash. Edit: reading twice I realized you probably meant if someone uses another image format which doesn't encode a hash. Is that right? |
Perfect! In the long run, we'll probably add "image type" argument, including "unknown", which would bypass any checks like this implementation does. But we can run with this for now to facilitate testing and integration. |
Add a new `--bypass-inspect` flag to the `upgrade` command that allows uploading firmware images that are not in MCUboot format. When this option is enabled, the image hash is read from the device's image state via an SMP request instead of being extracted from the local file's TLV data. Signed-off-by: Axel Le Bourhis <axel.lebourhis@nxp.com>
axelnxp
force-pushed
the
feature/image_inspection_bypass
branch
from
a45503d to
aac9438
Compare
|
@JPHutchins I updated the change to clarify that it's assumed the image format encodes any sort of integrity check. |
2 participants
Add a new
--bypass-inspectflag to theupgradecommand that allows uploading firmware images that are not in MCUboot format.When this option is enabled, the image hash is read from the device's image state via an SMP request instead of being extracted from the local file's TLV data.