Change fixes check for upgrade-only to ensure that the the new image
version is greater than version of the currently running image.
Signed-off-by: Marek Pieta <Marek.Pieta@nordicsemi.no>
In case when CONFIG_MCUMGR_SMP_LEGACY_RC_BEHAVIOUR=n then
the image erase command would incorrectly return MGMT_ERR_EMSGSIZE,
even though no such error occurred.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The function should be used to reset map decoding state
between calls to zcbor_map_decode_bulk, while using the same map
for different buffers.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Due to broken logic in img_mgmt_state_confirm failure to confirm
was not reported to caller.
If hooks were enabled confirmation event would be passed regardless
whether it has been successful.
Fixes#56617
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The dummy header was an opt-in feature to allow testing without a
real image but since we support testing on Qemu in CI which
supports flash partitions, there isn't a need for this option. Not
being deprecated as Kconfig would only have been used as part of
CI, not user applications.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Function allows to check whether given key has been found
during map decoding with zcbor_map_decode_bulk.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
MISRA Rule 5.7 requires uniqueness of tag identifiers. Shell is
frequently problematic because many code uses `const struct shell
*shell`. This causes CI noise every time one of these shell files is
edited, so let's update all of them with `const struct shell *sh`
instead.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
The init infrastructure, found in `init.h`, is currently used by:
- `SYS_INIT`: to call functions before `main`
- `DEVICE_*`: to initialize devices
They are all sorted according to an initialization level + a priority.
`SYS_INIT` calls are really orthogonal to devices, however, the required
function signature requires a `const struct device *dev` as a first
argument. The only reason for that is because the same init machinery is
used by devices, so we have something like:
```c
struct init_entry {
int (*init)(const struct device *dev);
/* only set by DEVICE_*, otherwise NULL */
const struct device *dev;
}
```
As a result, we end up with such weird/ugly pattern:
```c
static int my_init(const struct device *dev)
{
/* always NULL! add ARG_UNUSED to avoid compiler warning */
ARG_UNUSED(dev);
...
}
```
This is really a result of poor internals isolation. This patch proposes
a to make init entries more flexible so that they can accept sytem
initialization calls like this:
```c
static int my_init(void)
{
...
}
```
This is achieved using a union:
```c
union init_function {
/* for SYS_INIT, used when init_entry.dev == NULL */
int (*sys)(void);
/* for DEVICE*, used when init_entry.dev != NULL */
int (*dev)(const struct device *dev);
};
struct init_entry {
/* stores init function (either for SYS_INIT or DEVICE*)
union init_function init_fn;
/* stores device pointer for DEVICE*, NULL for SYS_INIT. Allows
* to know which union entry to call.
*/
const struct device *dev;
}
```
This solution **does not increase ROM usage**, and allows to offer clean
public APIs for both SYS_INIT and DEVICE*. Note that however, init
machinery keeps a coupling with devices.
**NOTE**: This is a breaking change! All `SYS_INIT` functions will need
to be converted to the new signature. See the script offered in the
following commit.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
init: convert SYS_INIT functions to the new signature
Conversion scripted using scripts/utils/migrate_sys_init.py.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
manifest: update projects for SYS_INIT changes
Update modules with updated SYS_INIT calls:
- hal_ti
- lvgl
- sof
- TraceRecorderSource
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
tests: devicetree: devices: adjust test
Adjust test according to the recently introduced SYS_INIT
infrastructure.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
tests: kernel: threads: adjust SYS_INIT call
Adjust to the new signature: int (*init_fn)(void);
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
Secure Channel Base Key (SCBK) is a secret key used to derive the session
keys used to encrypt and decrypt OSDP packets. Secure coding practice
requires us to clear such sensitive data from stack once we are done
needing it. This patch addresses this issue.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
OSDP secure channel message blocks are terminated with a 0x80. This means
that even for zero length messages, we would have at least one block of
encrypted data to decrypt (since message blocks are rounded up to the next
16 byte boundary). The current length assertion checks for 16 byte
alignment but a malicious peer could send a specially crafted packet with
zero length blocks. Fix this issue by adding check for length == 0 case.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
HID readers are responding to a KEYSET command with an ACK in plaintext
instead of using the current session keys to acknowledge this command
(which is the reasonable thing to do as the command itself was received
encrypted with the old key). Since the spec doesn't say anything about
this, both methods are technically correct.
Make changes to CP so it allows ACKs in plaintext for KEYSET command in
particular and make the PD implementation do this too as it makes the code
look cleaner there (perhaps HID did it for the same reasons :D).
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
If command or reply has no data, PD "should" use secure message types
SCS_15 or SCS_16. But some PD seem to not implement this correctly. We
will be tolerant towards those faulty implementations.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
OSDP command KEYSET is used to set the secure channel base key for all
connected PDs. This key is then used to derive the session keys for each
secure channel session. When the app wants to set the this key, it has
to issue a command and then both the CP/PD has to be notified of this
change so they can store this key in a non-volatile medium for future
operations across power cycles.
The current implementation of OSDP had limited support for key
management. This patch adds all the bells and whistles needed to handle
keyset command/event in the CP/PD application.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
Hoisting a `length--` helps simplify a lot of code which has ad-hoc -1s
in a bunch of places. Also, fix some formatting issues and remove
unnecessary log lines.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
Add a new backend for Host Commands that uses UART. The backend bases
asynchronous UART API.
The UART backend is mainly used by FPMCU.
Signed-off-by: Dawid Niedzwiecki <dawidn@google.com>
This vastly increases the performance of file transfers using the
fs_mgmt group over MCUmgr by allowing the file handle to remain open
between commands instead of having to open, feek, read/write then
close the file handle for each invocation.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
As name suggest upgrade only should allow image upgrades onlu, but due
to greater or eqal sign used in version comparison, upgrade actually
also accepted current version.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Adds an optional feature that can be used to time out a partially
received MCUmgr packet over the shell interface. Prior to this
change, if a header was received, then the whole shell would be
unavailable until the module is rebooted or additional full MCUmgr
packet was sent.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fix a memory issue when calling boot_read_bank_header the length should be
the size of `struct mcuboot_img_header`.
Fixes#54459.
Signed-off-by: Joel Guittet <joelguittet@gmail.com>
Changes Kconfig symbols to depend on symbols rather than selecting
them, this avoids a cmake dependency loop.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Changes Kconfig symbols to depend on symbols rather than selecting
them, this avoids a cmake dependency loop.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Rework the Host Command support. It includes:
-change API to backend
-change a way of defining rx and tx buffers
-fix synchronization between the handler and backend layer
-simplify the HC handler
Signed-off-by: Dawid Niedzwiecki <dawidn@google.com>
Follow naming pattern in the subsystems(logging or shell) and name
the layer between generic handler and peripheral driver "backend".
The name doesn't suit that well to the SHI backend, because there isn't
SHI API itself and the SHI interface is used only for the host
communication. So the backend code includes the peripheral driver itself.
Signed-off-by: Dawid Niedzwiecki <dawidn@google.com>
The Host Commands can be used with different transport layers e.g. SHI
or eSPI. The code that provides the peripheral API and allows sending
and receiving Host Commands via different transport layers is not
actually drivers of a peripheral, so move it to the
subsys/mgmt/ec_host_cmd folder.
Signed-off-by: Dawid Niedzwiecki <dawidn@google.com>
cp_build_command returns the length of the built packet and early
returns for errors. This means there is no need to keep track of return
code in a separate variable -- if we reached the end, we succeeded.
Along with this change, some more changes to enhance maintainability and
readability are also done.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
With changes to the phy layer and the way we build and dispatch
commands, we can now simplify some parts of CP state machine. This patch
builds on previous patches to reduce some state transitions and fixes
some bugs in those paths.
While at it, also implement an exponential back-off for PD offline after
a timeout. This is useful when there is a transient PD timeout but the
PD itself is not totally dead.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
After the check_packet() split from decode_packet() for handling multiple
packets in the RX buffer, PD state machine needed to me modified to
start handling it correctly. While at it, simplify the states as PD does
not have as much state anyways.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
The method send_command was building the packet and also sending it.
This is a problem because even command build failures are reported as
command send failures; although the former can be mitigated by changing
kconfig parameters depending on use cases.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
To handle multiple packets in RX buffer, we need to perform checks on
the buffer first and determine the length of one packet and extact only
that many bytes from the RX buffer instead of pulling everything at
once and failing if there are bytes from the next packet in the buffer.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
When a PD is set online, we need to do other actions along with it. To
make this easier in future, move cp_set_state(pd, OSDP_CP_STATE_ONLINE)
to it's own method cp_set_online(pd).
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
Select in Kconfig causes many issues with dependency loops, this
resolves the issue by replacing most select with depends on for
MCUmgr, including updates to the sample smp_svr application and
tests.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This patch replaces many instances where raw loops were used to copy bytes
with memcpy calls.
No functional change intended.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
Do not check or send the first entry in the pd->cp[] device capability
table which is for function code 0 which is not a defined function code.
Signed-off-by: David Vucich <dave@alcatraz.ai>
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
By default, on errors, pd_decode_command replies with osdp_NAK with
sub-error code set to OSDP_PD_NAK_CMD_LEN (achieved using the ret ==
OSDP_PD_ERR_GENERIC check before return). This is works for all packet
framing errors; but when a more specific error code needs to be sent, ret
has to be set to something other than OSDP_PD_ERR_GENERIC (a suitable error
code happens to be OSDP_PD_ERR_REPLY) to prevent the tail check from
overwriting the error info.
In CMD_KEYSET, we fill a more specific error code but do not set the ret to
OSDP_PD_ERR_REPLY. It causes this error to be reported as a framing
error hence loosing some extended info about the error. Fix this issue by
reordering the checks a bit.
Fixes: 7f4d2c741b "mgmt/osdp: Add support for Secure Channel"
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
Initially, subsys/mgmt had its own STR() macro for string pasting which was
replaced with the zephry provided STRINGIFY(). The definition of this macro
seems to have lingered on so remove it.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
During handshake, only certain types of secure block types (<= SCS_14)
are allowed. A rouge CP/PD can try to bypass the handshake by directly
sending a secure block type ahead of the sequence and gain a secure
channel. Fix this by adding a check in packet decode time.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
OSDP specification section 5.7 states that a transmitting device has to
drive the transmission line to a marking state for a period of one char
in the current baud rate. This can be achieved by sending 0xFF. Since
this is not mentioned in the packet structure definition, many commercial
implementations of OSDP out in the wild do not send/expect this byte.
To work with such non-conforming devices, we will try to be as flexible
as possible in the PD: send mark byte only if the other side sent one. In
case of CP, we have no option but to send the mark byte to be as close
to the specification as possible. If a particular use case needs the CP
to not send it, we will provide a Kconfig option to disable it.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
Now that we have the necessary infrastructure to collect events from PD
apps, we can use them to translate it to OSDP packet sequence for card
reads and key press events.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
OSDP compliant devices communicate their capabilities and discover what
their peer can and cannot do. Right now, PD advertises these capabilities
and expects CP to honor them. Although this is not known to cause any
issues, it is not desirable to allow such accesses.
Add a check of incoming commands to to validate that the corresponding
capability was enabled and advertised.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
Since cmd_data member is used by both commands and events to store the
contents of current transaction, rename it to ephemeral_data which
better reflects the purpose of the variable.
Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
Bluetooth does not need to be enabled to register services,
therefore the newly introduced automatic bluetooth SMP transport
registration system can be simplified by returning enabling of
bluetooth back to the application.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
