Daniele Alessandrelli. OpenIoT Summit North America 2017

Similar documents
Comm. Interface. Device Firmware Upgrade (DFU) Device State Machine. User Interface. Figure 1. SiMxxxxx Modular Bootloader Framework Overview

Enabling IoT OSs for Intel Quark MCU Platforms: the fast way. OpenIoT Summit Europe Andre Guedes

M2351 Trusted Boot. Application Note for 32-bit NuMicro Family

UM2330 User manual. ST8500 boot. Introduction

XMC4800 EtherCAT APP SSC Firmware Update Slave Example. Getting Started Version 3.0

Bootloader project Project with a Bootloader Component and communication Component.

NFC NUTSHELL KIT. MCU Modules USER MANUAL REVISION GMMC GmbH Keywords Abstract. Document information

Implementing Bootloaders on Renesas MCUs

USB Type-C Authentication

AN4491 Application note

Bootloader project Project with a Bootloader component and communication component.

WF121: b/g/n module. Product Presentation

AN LPC1700 secondary USB bootloader. Document information. LPC1700, Secondary USB Bootloader, ISP, IAP

BLE121LR Bluetooth Smart Long Range Module 5/12/2014 1

Bluegiga Bluetooth Smart Software v.1.3 5/28/2014 1

Scott Johnson Dominic Rizzo Parthasarathy Ranganathan Jon McCune Richard Ho. Titan: enabling a transparent silicon root of trust for Cloud

An Incubator Project in the Apache Software Foundation. 13 July 2016

New STM32WB Series MCU with Built-in BLE 5 and IEEE

Boot Loader. Bootloader

Titan silicon root of trust for Google Cloud

SMBus. Target Bootloader Firmware. Master Programmer Firmware. Figure 1. Firmware Update Setup

Beyond TrustZone Security Enclaves Reed Hinkel Senior Manager Embedded Security Market Develop

Resilient IoT Security: The end of flat security models

New STM32WB Series MCU with built-in Bluetooth 5 and IEEE

AN1053: Bluetooth Device Firmware Update over UART for EFR32xG1 and BGM11x Series Products

Seagate Secure TCG Enterprise SSC Pulsar.2 Self-Encrypting Drive FIPS 140 Module Security Policy

UG103.6: Bootloading Fundamentals

AN1086: Using the Gecko Bootloader with the Silicon Labs Bluetooth Applications

Security in NVMe Enterprise SSDs

CEC1702 clicker. a great idea is just a click away

AN5123 Application note

CAN In A Day 2L01I. Renesas Electronics America Inc Renesas Electronics America Inc. All rights reserved.

Connecting Securely to the Cloud

Kinetis Bootloader to Update Multiple Devices in a Field Bus Network

Statement of Volatility Dell PowerEdge R730 and R730XD

Target MCU. Master MCU. I2C to UART translation. Figure 1. I2C Bootloader Based on the Modular Bootloader Framework

Android Bootloader and Verified Boot

ECE 598 Advanced Operating Systems Lecture 4

)8-,768'HY.LW 2YHUYLHZ. )XMLWVX0LNURHOHNWURQLN*PE+ Am Siebenstein Dreieich-Buchschlag, Germany

Firmware Reprogramming Guide

ECE 550D Fundamentals of Computer Systems and Engineering. Fall 2017

Serial Boot Loader For CC2538 SoC

Project Cerberus Hardware Security

ESPino - Specifications

s132_nrf52 release notes

How to configure the BlueNRG-1 and BlueNRG-2 devices in network coprocessor mode. Main components Bluetooth Low Energy wireless system-on-chip

SPIRIT1 Development Kit Software Package

NVM Express 1.3 Delivering Continuous Innovation

GW-USB-05. User's Guide. FW v1.07. IQRF USB Gateway MICRORISC s.r.o. User_Guide_GW-USB-05_ Page 1

CSPN Security Target. HP Sure Start HW Root of Trust NPCE586HA0. December 2016 Reference: HPSSHW v1.3 Version : 1.3

HOW TO INTEGRATE NFC CONTROLLERS IN LINUX

Lesson 6 Intel Galileo and Edison Prototype Development Platforms. Chapter-8 L06: "Internet of Things ", Raj Kamal, Publs.: McGraw-Hill Education

AN1577 APPLICATION NOTE

Adafruit Feather nrf52840 Express

Particle E Series Cloud-integrated hardware platform for cellular IoT devices

FERGUSON BEAUREGARD. RTU-5000 Configurator User Manual

32-bit. Application Note. Microcontrollers. AVR32760: AVR32 UC3 USB DFU Bootloader Protocol. 1. Introduction. 1.1 Intended Audience. 1.

EMBEDDED SYSTEMS WITH ROBOTICS AND SENSORS USING ERLANG

AN1085: Using the Gecko Bootloader with Silicon Labs Connect

Provisioning secure Identity for Microcontroller based IoT Devices

Bootloader Design Techniques for Microcontrollers

VORAGO VA108x0 Bootloader application note

FW UPGRADE SPECIFICATION

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

The following modifications have been made to this version of the DSM specification:

Trusted Execution Environments (TEE) and the Open Trust Protocol (OTrP) Hannes Tschofenig and Mingliang Pei 16 th July IETF 99 th, Prague

Renesas Synergy MCUs Build a Foundation for Groundbreaking Integrated Embedded Platform Development

Battery Backup. Sanitization Procedure Waveform Data SDRAM 32 MB (-01/-21) No Yes Yes Cycle Power

BCM58100B0 Series: BCM58101B0, BCM58102B0, BCM58103B0 Cryptographic Module VC0 Non-Proprietary Security Policy Document Version 0.

Kinetis Flash Tool User's Guide

AMT vpro ME. How to Become the Sole Owner of Your PC. ptsecurity.com

Smallest RISC-V Device for Next-Generation Edge Computing

Farklı Arduino Boardlar

1. System Requirements Extract Evaluation Software PK-S5D9 Board Setup... 3

Bluegiga Wi-Fi Software 9/19/2013 1

Azure Sphere: Fitting Linux Security in 4 MiB of RAM. Ryan Fairfax Principal Software Engineering Lead Microsoft

Bluefly Processor. Security Policy. Bluefly Processor MSW4000. Darren Krahn. Security Policy. Secure Storage Products. 4.0 (Part # R)

Clear code memory to all ones. The successful operation of this function is not automatically verified. Program from File

Intel Galileo gen 2 Board

MINIPROG C User Manual Ver101

Getting Embedded Software into the Target System using Device Programmer

EmberZNet Stack Release Notes

Mercury System SB310

STSW-BLUENRG1-DK. BlueNRG-1, BlueNRG-2 DK SW package

The BlueNRG-1, BlueNRG-2 BLE OTA (over-the-air) firmware upgrade

Designing Security & Trust into Connected Devices

How to Enable Boot from HyperFlash and SD Card

Xerox Color 800i/1000i Press FreeFlow Print Server. Statement of Volatility Version 1.0

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

+ (5~27 VDC) GND. Bluetooth V4.2 BLE RS-422/485 Serial Adapter. Model: BLE-485C. 1. Package content: BLE RS-422/485 adapter

Guide for user design. Version:V1.0 Date: Application Note. Introduction

Programmer for flash micro computers. User s Manual

ESP8266 Application Note Firmware Download Protocol

Xerox Versant 3100 Press Xerox FreeFlow Print Server. Statement of Volatility Version 1.0

Pigeon Point BMR-H8S-EMMC Reference Design Board Management Reference Design for µtca Modules

ARM Security Solutions and Numonyx Authenticated Flash

How to protect Automotive systems with ARM Security Architecture

HPS SoC Boot Guide - Cyclone V SoC Development Kit

MPLAB Harmony Bootloader Library Help

STSW-BNRGUI. BlueNRG GUI SW package. Data brief. Features. Description

Transcription:

Daniele Alessandrelli OpenIoT Summit North America 2017

Goals of this talk Sharing our experience in developing a bootloader and a firmware management mechanism for MCUs Pointing other developers to open-source code they can reuse Collecting feedback and stimulating discussion 2

Outline Quark Bootloader Overview Firmware Management (FM) protocol stack Secure extension: authenticated firmware upgrades Internals: managing Bootloader Data (BL-Data) Concluding remarks 3

4

The Quark Bootloader (aka QM-Bootloader) Reference bootloader for the Intel Quark microcontroller family Intel Quark D2000 Microcontroller (D2000) Intel Quark SE Microcontroller C1000 (SE C1000) Developed as part of the Intel Quark MCUs Software Stack https://github.com/quark-mcu/ Originally integrated with the Intel Quark Microcontroller Software Interface (QMSI) 5

QM-Bootloader: Features Bootstrap features System initialization Trim code computation Restore context from sleep Security hardening features Root of Trust (RoT) setup Firmware Management functionality More details later 6

Quark MCUs: Quick Overview Quark D2000 1 processor core: x86 (Lakemont) @ 32MHz SRAM 8 kb Flash 32kB + 8kB OTP + 4kB data only Peripherals UART, I2C, SPI, GPIOs, ADC, etc. Quark SE C1000 2 processor cores: x86 (Lakemont) @ 32 MHz Sensor Subsystem (ARC) @ 32MHz SRAM 80 kb Flash 384 kb + 8 kb OTP Peripherals UART, I2C, SPI, USB1.1, GPIOs, ADC, etc. 7

Quark MCUs: Flash Layout Quark D2000 Quark SE C1000 OTP (8kB) Data (4kb) System Flash 0 (32kB) OTP (8kB) System Flash 0 (192kB) System Flash 1 (192kB) 8

Firmware Management (FM) module FM Features Multiple transports UART and USB Firmware upgrades Support for signed images Other FM functionality Key management System Information retrieval Application erase FM design goals Flash constraints Secure FM over UART must fit in OTP (8kB) Modular design / code reuse Both for target code and host tools Extensibility Allow for other transport to be easily supported 9

10

FM Protocol Stack: Overview DFU-based Firmware Management DFU is used for sending images and commands to the device The QDA protocol has been defined to enable DFUover-UART QFU image format, block-wise format designed to Work with generic DFU tools (e.g., dfu-util) Support firmware authentication QFM protocol, enabling DFU to be used also for FM operations other than firmware upgrades Application erase Layer USB mode UART mode DFU payload DFU flavor Quark Firmware Management (QFM) Protocol / Quark Firmware Update (QFU) Format USB/DFU Quark DFU Adaptation (QDA) Protocol Transport USB XMODEM-CRC Driver USB device driver UART driver System/Firmware information retrieval Key provisioning 11

(USB) DFU: Quick Introduction DFU: Device Firmware Upgrade Standard for performing firmware upgrades over USB DFU does not define any specific image format (but it specifies a DFU file suffix, useful only to the DFU host tool, which strips it off before downloading the image to the device) DFU provides two main functions: DFU_DNLOAD: to transfer (download) data to the device Used for FW upgrades DFU_UPLOAD: to transfer (upload) data from the device Used for FW extractions Both transfers are block-based (all blocks, except the last one, must use the same block size) 12

Why DFU? Open, well-documented standard Already used by many embedded devices Designed for resource-constrained devices Block-wise transfer/flashing Transmission flow controlled by the device Reusing existing host tools dfu-util (GPLv2) No constrains on image format We wanted to add our own metadata and authentication mechanism 13

FM Protocol Stack: DFU over UART DFU is extended to UART by means of: The Quark DFU Adaptation Protocol (QDA) Makes DFU functionality available over message-oriented transports (other than USB) The XMODEM-CRC protocol Old file transfer protocol Used to transport QDA packets Chosen for its simplicity Layer USB mode UART mode DFU payload DFU flavor Quark Firmware Management (QFM) Protocol / Quark Firmware Update (QFU) Format USB/DFU Quark DFU Adaptation (QDA) Protocol Transport USB XMODEM-CRC Driver USB device driver UART driver 14

QDA: Quark DFU Adaptation layer Provide all DFU request/response messages DFU_DETACH DFU_DNLOAD DFU_UPLOAD DFU_GETSTATUS (used for flow control during downloads) DFU_CLRSTATUS (exit from error) DFU_ABORT (abort download/upload) DFU_GETSTATE Mimic (some) generic USB functionality on which DFU relies Get device/configuration/interface descriptors Set active alternate settings QDA usage is not limited to XMODEM/UART, but it could be used with any message-oriented protocol (e.g., UDP) 15

QDA: qm-dfu-util (aka dfu-util-qda) QDA/UART support on the host side was also needed dfu-util is a well-known host-side tool for USB/DFU Open-source (GPLv2) http://dfu-util.sourceforge.net/ Multi-platform (Windows/Linux) We forked it, creating qm-dfu-util The USB layer (libusb) is replaced with a QDA/UART layer 16

FM Protocol Stack: Our DFU payload Thanks to USB/DFU and QDA we have a common (DFU-based) communication layer. On top of it we can transfer: Upgrade images In the QFU format Other FM requests Layer USB mode UART mode DFU payload DFU flavor Quark Firmware Management (QFM) Protocol / Quark Firmware Update (QFU) Format USB/DFU Quark DFU Adaptation (QDA) Protocol Transport USB XMODEM-CRC Driver USB device driver UART driver Using the QFM protocol 17

QFU Image Format: Overview Block-wise format: QFU images are divided in blocks of the same size (with the exception of the last one) 1st block: header Following blocks: raw firmware image (binary) Each block must be transferred in a single DFU DNLOAD request i.e., DFU tools must use the same block-size of the image (specified in the header) QFU Header [optional authentication data] Image Block 1 Image Block 2 Image Block N The DFU suffix is not shown since it is not processed by the device. 18

QFU Image Format: Header First-level header Containing common information for processing the image Can be followed by an extended header Containing information for image verification / authentication Block size is fixed to 2kB / 4kB (multiple of page size) in the current implementation For code / footprint optimization reasons vid (Vendor ID; hex16) pid_dfu (Product ID DFU; hex16) QFUH (Magic; 4 bytes) pid (Product ID; hex16) part_num (Partition number; uint16) app_version (Application version; hex32 vendor specific) blk_size = 2kB/4kB (Block size; uint16) ext_hdr (Extended header type; 2 bytes) blk_cnt (Total block number, incl. header; uint16) rsvd (reserved; 2 bytes) <Extended header content or zeroed padding> 19

QFU Image Format: Partitions Flash divided in partitions No explicit memory addresses Current partition scheme Quark D2000 1 partition (for x86) Quark SE C1000 2 partitions (one for x86, one for ARC) Other partition scheme are possible Including multiple partitions per core vid (Vendor ID; hex16) pid_dfu (Product ID DFU; hex16) QFUH (Magic; 4 bytes) pid (Product ID; hex16) part_num (Partition number; uint16) app_version (Application version; hex32 vendor specific) blk_size = 2kB/4kB (Block size; uint16) ext_hdr (Extended header type; 2 bytes) blk_cnt (Total block number, incl. header; uint16) rsvd (reserved; 2 bytes) <Extended header content or zeroed padding> 20

Flash layout: Application partitions Quark D2000 Quark SE C1000 ROM (Bootloader) OTP (8kB) BL-Data (4kB) x86 Partition (32kB) ROM (1 st stage BL) OTP (8kB) ARC Partition (188kB) BL-Data (4kB) x86 Partition (172kB) 2 nd -stage BL (20kB) Data (4kB) System Flash 0 (32kB) Sys Flash 0 (192kB) Sys Flash 1 (192kB) 21

QFM Protocol: Overview Providing extended-fm over DFU: Application erase Delete all application code (from every partition) Information retrieval Provide info about device s HW, SW, and configuration E.g., available partitions, bootloader version, application version, etc. Key provisioning Layer USB mode UART mode DFU payload DFU flavor Quark Firmware Management (QFM) Protocol / Quark Firmware Update (QFU) Format USB/DFU Quark DFU Adaptation (QDA) Protocol Transport USB XMODEM-CRC Driver USB device driver UART driver (it will be available in QMSI 1.4) 22

QFM Protocol: Packets Requests: 1. QFM_APP_ERASE 2. QFM_SYS_INFO_REQ Requests are sent using DFU_DNLOAD transactions 3. QFM_UPDATE_KEY Responses: 1. QFM_SYS_INFO_RESP Responses are sent using DFU_UPLOAD transactions 23

QFM Protocol: Examples Key Update System Information Retrieval Host Device Host Device DFU_DNLOAD Data: [QFM_UPDATE_KEY] DFU_DNLOAD Data: [QFM_SYS_INFO_REQ] DFU_STATUS Status: OK/ERR DFU_STATUS Status: OK Request response piggy-backed in DFU Status DFU_UPLOAD request DFU_UPLOAD response Data: [QFM_SYS_INFO_RSP] 24

FM Protocol Stack: QFM / QFU selection Different DFU alternate settings used to switch between QFM and QFU: Alt-Setting 0 is for extended-fm DFU used to exchange QFM packets Alt-Settings 1+ are for FW upgrades DFU used to transfer QFU images Each alt-setting identifies a specific partition Layer USB mode UART mode DFU payload DFU flavor Quark Firmware Management (QFM) Protocol / Quark Firmware Update (QFU) Format USB/DFU Quark DFU Adaptation (QDA) Protocol Transport USB XMODEM-CRC Driver USB device driver UART driver $ dfu-util -l Found DFU: [8086:c100] ver=0100, [...], alt=2, name="partition2 (ARC)", serial="00.01" Found DFU: [8086:c100] ver=0100, [...], alt=1, name="partition1 (LMT)", serial="00.01" Found DFU: [8086:c100] ver=0100, [...], alt=0, name="qfm", serial="00.01" 25

QFU / QFM: Host Tools QFU image creator qm_make_dfu.py Converts a raw binary into a QFU/DFU image Adds the QFU header Adds the DFU suffix The image must be flashed separately Using a DFU tool (dfu-util / qm-dfu-util) QFM utility qm_manage.py Enables QFM functionality Info retrieval Application erase Key provisioning DFU tools are called directly To send QFM requests and collect QFM responses 26

Example: Create QFU image and perform upgrade 1. Build the binary 2. Create a QFU image Using the qm_make_dfu.py python script $ qm_make_dfu.py release/quark_se/x86/bin/blinky.bin -p 1 --app-version 42 3. Enter FM mode Ground FM pin and reset the board (not needed if a USB/DFU application is running) 4. Flash via dfu-util Using either the original dfu-util (for USB) or qm-dfu-util (for UART) $ dfu-util -D release/quark_se/x86/bin/blinky.bin.dfu -a 1 27

Example: Using QFM services Info retrieval $ qm_manage.py info d <vid>:<pid> Version : 1.4.0 SoC Type : Quark SE Auth. : NONE Target 00 : x86 (running application on partition 0) Target 01 : sensor (running application on partition 1) Part. 00 : App Version 42 Part. 01 : No application installed Application erase $ qm_manage.py erase d <vid>:<pid> Key provisioning $ qm_manage.py [set-rv-key set-fw-key] <key-file> d <vid>:<pid> 28

29

Secure FW Upgrade Feature: Overview What is provided (in forthcoming 1.4 release) Authenticated firmware upgrades Symmetric-key scheme HMAC256 authentication Key management First-time provisioning and subsequent updates Relaying on an additional key What is not provided Encryption Of the image Of key update request Image verification at boot Not difficult to implement though Excluded to minimize boot time 30

Secure FW Upgrade: QFU extension The QFU header is extended with an HMAC extended header Containing all the information needed to authenticate the image A list of block hashes One for blocks An HMAC digest authenticating the entire header Including all the hashes (also containing a Security Version Number SVN) vid pid_dfu blk_size = 2kB ext_hdr = HMAC256 QFUH app_version pid part_num total_blk_cnt rsvd svn (security version number; 4 bytes) blk_sha256[0] blk_sha256[data_blk_cnt - 1] (per-block SHA256 hashes; 32*data_blk_cnt bytes) hmac256 (HMAC256 of the whole header; 32 bytes) 31

Secure FW Upgrade: Upgrade flow blk_num == 0 hdr_magic == QFUH part_num == alt_setting blk_size == [2048 4096] vid, pid, dfu_pid ext_hdr == HMAC256 hmac == hmac(entire_header, fw_key) SVN >= current_svn hdr.sha256[blk_num-1] == sha256(block) Verify written block Write block Success QFU base header verify Success Authenticate header Success Receive new block Is last block? No Authenticate block Failure Failure Yes Failure Fail if blk_num is not sequential First DFU_DNLOAD block received Received all blocks? No blk_num == hdr.totoal_blk_cnt Yes Error (no partition erase) Done Error (partition erase) 32

Secure FW Upgrade: Ensuring partition consistency Problem: Unhandled failures (e.g., resets) can leave partitions in an inconsistent state Solution: Associate a consistency flag to every partition Stored in persistent Bootloader Data (BL-Data) Change consistency flag during FW upgrades Before starting the upgrade, mark partition as inconsistent When upgrade is complete, mark partition as consistent Sanitize partitions at every boot Look for inconsistent partitions and delete them 33

Secure FW Upgrade: Consistency flag and upgrade flow First data block of a QFU image has been received and validated No (error or user aborted) Erase partition Mark partition as not consistent (Update BL-Data) Receive and write each block Entire QFU image successfully written? Mark partition as consistent (Update BL-Data) Continue FM mode Yes If a reboot happens here, the partition is sanitized (erased and marked back as consistent) during the boot process 34

Key Management: Provisioning/update mechanism Both first time provisioning and subsequent updates are supported The key is sent to the device with a special key-update request Extension of the QFM protocol The request and the new key are authenticated with two keys (double signing): the old firmware key and an additional key, the revocation key The key-update request is not encrypted Since at the moment only wired and point-to-point transport (i.e., UART and USB) are supported 35

Key Management: Revocation and firmware keys The firmware key is used for authenticating both key-update request and upgrade images. The revocation key is used only for authenticating key-update requests. The revocation key can be updated too: The same key update request is used The request is authenticated with the current firmware key and the old provisioning key 36

Key Management: First-time provisioning In un-provisioned devices both keys have the same default ( magic ) value. First-time provisioning sequence: 1. Provide the revocation key Signing it with the magic key twice 2. Provide the firmware key Signing it with the magic key (in place of the old firmware key) and the revocation key Key provisioning enforcement: Firmware upgrades are enabled only if the firmware key is set The firmware key can be set only after the revocation key 37

Key Management: Key-update QFM packets Revocation key update qfm_pkt_type = QFM_UPDATE_RV_KEY [QFM packet type, 4 bytes] key [256-bit new revocation key, 32 bytes] hmac256 [HMAC256 signature of all the previous, done with the FW key and the old revocation key] Firmware key update qfm_pkt_type = QFM_UPDATE_FW_KEY [QFM packet type, 4 bytes] key [256-bit new firmware key, 32 bytes] hmac256 [HMAC256 signature of all the previous, done with the old FW key and the revocation key] Same algorithm: HMAC(HMAC(packet, current_fw_key), current_rv_key) 38

39

Persistent Bootloader Data (BL-Data) In order to enable Firmware Management (FM), the bootloader needs to store and maintain some (meta-)data Application version, partition consistency, etc. Authentication keys BL-Data management must be resilient to update failures and possible attacks. Resilience is achieved with: BL-Data duplication (backup copy) Verification at each boot (sanitization) 40

BL-Data: Duplication Two identical copies of BL-Data are maintained: BL-Data Main BL-Data Backup Each copy has a CRC to verify its integrity Copies are stored in different flash pages BL-Data Main BL-Data Backup Page N Page N+1 Since a flash update requires the entire page to be deleted and then rewritten When BL-Data is changed, copies are updated always in the same order First BL-Data Main, then BL-Data Backup 41

BL-Data: Flash location Quark D2000 Quark SE C1000 OTP (8kB) OTP (8kB) BL-Data (4kb) BL-Data (4kb) Data (4kB) System Flash 0 (32kB) Sys Flash 0 (192kB) Sys Flash 1 (192kB) 42

BL-Data: Verification flow At every boot, BL-Data is verified to detect special conditions requiring fixing: Lack of initialization. BL-Data Flash Section is blank and BL-Data (both copies) need to be initialized Single BL-Data Copy corrupted or missing An unhandled failure (e.g., a power loss) has happened during an update The other BL-Data copy contains the latest valid information and must be copied over the corrupted one Both BL-Data copies corrupted Some critical error has happened (hardware fault or security attack) This is an unrecoverable situation: enter infinite loop (customer return needed) 43

BL-Data: Verification flow BL-Data Main: CRC valid? Yes No BL-Data Backup: CRC valid? Yes No BL-Data Main == BL-Data Backup BL-Data cannot be reinitialized because authentication keys would be set back to their default values. BL-Data empty ( == 0xFF)? No Infinite Loop Yes Init BL-Data Section Copy BL-Data Backup BL-Data Main No Copy BL-Data Main BL-Data Backup Yes Look for inconsistent partitions, erase them, and mark them back as consistent Sanitize Partitions Continue Boot 44

BL-Data: Content Bootloader data Partition descriptor trim_codes partitions[n_parts] Shadowed trim codes Partition descriptors target_idx is_consistent The index of target (core) associated with the partition Consistency flag targets[n_targets] fw_key rv_key Target descriptors Firmware key Revocation key app_version <other> The version of the application installed in the partition Misc information about the structure of the partition (starting address, size, etc.) crc CRC of all of the above Target descriptor active_part_idx svn The index of the active partition for this target The SVN associated with this target 45

BL-Data: Partitions and targets A partition is a portion of flash designed to host an application. A partition is associated with a target, i.e., the core that will run the hosted application. We currently support only one partition per target On Quark D2000 we have only one target / partition (x86 partition) On Quark SE C1000 we have two targets / partitions (x86 and ARC partitions) But the design allows for multiple partitions per target Possible use case: fallback partition in case of failed OTA updates External targets / partitions are also envisioned Associated with board peripherals such as a BLE module 46

Flash layout Quark D2000 Quark SE C1000 ROM (Bootloader) OTP (8kB) BL-Data (4kB) x86 Partition (32kB) ROM (1 st stage BL) OTP (8kB) ARC Partition (188kB) BL-Data (4kB) x86 Partition (172kB) 2 nd -stage BL (20kB) Data (4kB) System Flash 0 (32kB) Sys Flash 0 (192kB) Sys Flash 1 (192kB) 47

48

Reusable software components DFU state machine Completely independent from the lower-level communication stack QDA (DFU over UART) Not just qm-dfu-util, but the deviceside code as well XMODEM You just have to define your own getc/putc functions QFM/QFU host tools (device-side components are more dependent on QMSI API) fw-manager/ dfu core dfu_core.c dfu_core.h dfu.h qda qda.c qda.h qda_packets.h xmodem.c xmodem.h xmodem_io.h xmodem_io_uart.c xmodem_io_uart.h usb-dfu [...] https://github.com/quark-mcu/qm-bootloader 49

Some lessons learnt Modular approach pays back in embedded as well Easier to adapt to changing requirements Some code reused also for host-tools (XMODEM/QDA) Code better validated (e.g., DFU state machine used twice) Reuse existing open-source code dfu-util, TinyCrypt, etc. LTO offsets most of the overhead of the modular approach 15%-20% flash saving But it complicates debugging When dealing with flash layouts use linker script symbols Especially if they are logical layouts App partitions, bl-data section, 2 nd - stage And don t be afraid of using the INCLUDE directive 50

Thank you! Any questions? 51

Intel, the Intel logo, Quark, the Intel. Experience What s Inside logo and Intel. Experience What s Inside are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others. Intel Corporation

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback