NCSDK-33237: Add manifest-based loader for Direct XIP

boot/boot_serial/src/boot_serial_encryption.c

@@ -31,11 +31,11 @@ boot_image_validate_encrypted(struct boot_loader_state *state,
     int rc;
 
     if (MUST_DECRYPT(fa_p, BOOT_CURR_IMG(state), hdr)) {
-        rc = boot_enc_load(state, 1, hdr, fa_p, bs);
+        rc = boot_enc_load(state, BOOT_SLOT_SECONDARY, hdr, fa_p, bs);
         if (rc < 0) {
             FIH_RET(fih_rc);
         }
-        rc = boot_enc_set_key(BOOT_CURR_ENC(state), 1, bs);
+        rc = boot_enc_set_key(BOOT_CURR_ENC_SLOT(state, BOOT_SLOT_SECONDARY), bs->enckey[BOOT_SLOT_SECONDARY]);
         if (rc < 0) {
             FIH_RET(fih_rc);
         }
@@ -169,7 +169,7 @@ decrypt_region_inplace(struct boot_loader_state *state,
                     blk_sz = tlv_off - (off + bytes_copied);
                 }
             }
-            boot_enc_decrypt(BOOT_CURR_ENC(state), slot,
+            boot_enc_decrypt(BOOT_CURR_ENC_SLOT(state, slot),
                     (off + bytes_copied + idx) - hdr->ih_hdr_size, blk_sz,
                     blk_off, &buf[idx]);
         }
@@ -235,11 +235,11 @@ decrypt_image_inplace(const struct flash_area *fa_p,
 #endif
         memset(&boot_data, 0, sizeof(struct boot_loader_state));
         /* Load the encryption keys into cache */
-        rc = boot_enc_load(state, 0, hdr, fa_p, bs);
+        rc = boot_enc_load(state, BOOT_SLOT_PRIMARY, hdr, fa_p, bs);
         if (rc < 0) {
             FIH_RET(fih_rc);
         }
-        if (rc == 0 && boot_enc_set_key(BOOT_CURR_ENC(state), 0, bs)) {
+        if (rc == 0 && boot_enc_set_key(BOOT_CURR_ENC_SLOT(state, BOOT_SLOT_PRIMARY), bs->enckey[BOOT_SLOT_PRIMARY])) {
             FIH_RET(fih_rc);
         }
     }

boot/bootutil/CMakeLists.txt

@@ -21,6 +21,8 @@ target_sources(bootutil
         src/bootutil_img_hash.c
         src/bootutil_img_security_cnt.c
         src/bootutil_misc.c
+        src/bootutil_area.c
+        src/bootutil_loader.c
         src/bootutil_public.c
         src/caps.c
         src/encrypted.c
@@ -31,6 +33,7 @@ target_sources(bootutil
         src/image_rsa.c
         src/image_validate.c
         src/loader.c
+        src/loader_manifest_xip.c
         src/swap_misc.c
         src/swap_move.c
         src/swap_scratch.c

boot/bootutil/include/bootutil/bootutil.h

@@ -88,9 +88,36 @@ fih_ret boot_go_for_image_id(struct boot_rsp *rsp, uint32_t image_id);
 
 void boot_state_clear(struct boot_loader_state *state);
 fih_ret context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp);
+
+/**
+ * Returns a pointer to the boot loader state structure.
+ *
+ * @return Pointer to the boot loader state structure.
+ */
 struct boot_loader_state *boot_get_loader_state(void);
+
+#if defined(MCUBOOT_SERIAL_IMG_GRP_SLOT_INFO) || defined(MCUBOOT_DATA_SHARING)
+/**
+ * Returns pointer to array of image maximum sizes.
+ *
+ * @note This function provides a RAW access to the structure. The sizes may not be
+ *       calculated yet. Use boot_get_max_app_size() to ensure the sizes are calculated.
+ *
+ * @return Pointer to array of image maximum sizes.
+ */
 struct image_max_size *boot_get_image_max_sizes(void);
+
+/**
+ * Fetches the maximum allowed size of all application images.
+ *
+ * @note In contrast to boot_get_image_max_sizes(), this function will fetch the sizes
+ *       if they are not yet calculated.
+ *
+ * @return A pointer to the structure containing the maximum sizes of images.
+ */
 const struct image_max_size *boot_get_max_app_size(void);
+#endif /* MCUBOOT_SERIAL_IMG_GRP_SLOT_INFO || MCUBOOT_DATA_SHARING */
+
 void boot_fetch_slot_state_sizes(void);
 uint32_t boot_get_state_secondary_offset(struct boot_loader_state *state,
                                          const struct flash_area *fap);

boot/bootutil/include/bootutil/enc_key.h

@@ -61,18 +61,18 @@ struct boot_loader_state;
 /* Decrypt random, symmetric encryption key */
 int boot_decrypt_key(const uint8_t *buf, uint8_t *enckey);
 
-int boot_enc_init(struct enc_key_data *enc_state, uint8_t slot);
-int boot_enc_drop(struct enc_key_data *enc_state, uint8_t slot);
-int boot_enc_set_key(struct enc_key_data *enc_state, uint8_t slot,
-                     const struct boot_status *bs);
+int boot_enc_init(struct enc_key_data *enc_state);
+int boot_enc_drop(struct enc_key_data *enc_state);
+int boot_enc_set_key(struct enc_key_data *enc_state, const uint8_t *key);
 int boot_enc_load(struct boot_loader_state *state, int slot,
                   const struct image_header *hdr, const struct flash_area *fap,
                   struct boot_status *bs);
-bool boot_enc_valid(struct enc_key_data *enc_state, int slot);
-void boot_enc_encrypt(struct enc_key_data *enc_state, int slot,
+bool boot_enc_valid(const struct enc_key_data *enc_state);
+void boot_enc_encrypt(struct enc_key_data *enc_state,
         uint32_t off, uint32_t sz, uint32_t blk_off, uint8_t *buf);
-void boot_enc_decrypt(struct enc_key_data *enc_state, int slot,
+void boot_enc_decrypt(struct enc_key_data *enc_state,
         uint32_t off, uint32_t sz, uint32_t blk_off, uint8_t *buf);
+/* Note that boot_enc_zeorize takes BOOT_CURR_ENC, not BOOT_CURR_ENC_SLOT */
 void boot_enc_zeroize(struct enc_key_data *enc_state);
 
 #ifdef __cplusplus

boot/bootutil/include/bootutil/image.h

@@ -134,6 +134,7 @@ extern "C" {
 #define IMAGE_TLV_COMP_DEC_SIZE     0x73    /* Compressed decrypted image size */
 #define IMAGE_TLV_UUID_VID          0x74    /* Vendor unique identifier */
 #define IMAGE_TLV_UUID_CID          0x75    /* Device class unique identifier */
+#define IMAGE_TLV_MANIFEST          0x76    /* Transaction manifest */
                                             /*
                                              * vendor reserved TLVs at xxA0-xxFF,
                                              * where xx denotes the upper byte

boot/bootutil/include/bootutil/mcuboot_manifest.h

@@ -0,0 +1,121 @@
+/*
+ *  Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef __MCUBOOT_MANIFEST_H__
+#define __MCUBOOT_MANIFEST_H__
+
+/**
+ * @file mcuboot_manifest.h
+ *
+ * @note This file is only used when MCUBOOT_MANIFEST_UPDATES is enabled.
+ */
+
+#include <stdint.h>
+#include "bootutil/bootutil.h"
+#ifdef CONFIG_MCUBOOT
+#include "bootutil/crypto/sha.h"
+#elif defined(CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512)
+    #define IMAGE_HASH_SIZE (64)
+#else
+    #define IMAGE_HASH_SIZE (32)
+#endif
+
+#ifndef MCUBOOT_MANIFEST_IMAGE_NUMBER
+#ifdef CONFIG_NCS_MCUBOOT_MANIFEST_IMAGE_NUMBER
+#define MCUBOOT_MANIFEST_IMAGE_NUMBER CONFIG_NCS_MCUBOOT_MANIFEST_IMAGE_NUMBER
+#else
+#error "MCUBOOT_MANIFEST_IMAGE_NUMBER must be defined when MCUBOOT_MANIFEST_UPDATES is enabled"
+#endif
+#endif
+
+#ifndef MCUBOOT_IMAGE_NUMBER
+#ifdef CONFIG_UPDATEABLE_IMAGE_NUMBER
+#define MCUBOOT_IMAGE_NUMBER CONFIG_UPDATEABLE_IMAGE_NUMBER
+#else
+#error "MCUBOOT_IMAGE_NUMBER must be defined when MCUBOOT_MANIFEST_UPDATES is enabled"
+#endif
+#endif
+
+#ifndef __packed
+#define __packed __attribute__((__packed__))
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** Manifest structure for image updates. */
+struct mcuboot_manifest {
+        uint32_t format;
+        uint32_t image_count;
+        /* Skip a digest of the MCUBOOT_MANIFEST_IMAGE_NUMBER image. */
+        uint8_t image_hash[MCUBOOT_IMAGE_NUMBER - 1][IMAGE_HASH_SIZE];
+} __packed;
+
+/**
+ * @brief Check if the specified manifest has the correct format.
+ *
+ * @param[in] manifest  The reference to the manifest structure.
+ *
+ * @return true on success.
+ */
+static inline bool bootutil_verify_manifest(const struct mcuboot_manifest *manifest)
+{
+    if (manifest == NULL) {
+        return false;
+    }
+
+    /* Currently only the simplest manifest format is supported */
+    if (manifest->format != 0x1) {
+        return false;
+    }
+
+    if (manifest->image_count != MCUBOOT_IMAGE_NUMBER - 1) {
+        return false;
+    }
+
+    return true;
+}
+
+/**
+ * @brief Get the image hash from the manifest.
+ *
+ * @param[in] manifest     The reference to the manifest structure.
+ * @param[in] image_index  The index of the image to get the hash for.
+ *                         Must be in range <0, MCUBOOT_IMAGE_NUMBER - 1>, but
+ *                         must not be equal to MCUBOOT_MANIFEST_IMAGE_NUMBER.
+ *
+ * @return true if hash matches with the manifest, false otherwise.
+ */
+static inline bool bootutil_verify_manifest_image_hash(const struct mcuboot_manifest *manifest,
+                                                       const uint8_t *exp_hash, uint32_t image_index)
+{
+    if (!bootutil_verify_manifest(manifest)) {
+        return false;
+    }
+
+    if (image_index >= MCUBOOT_IMAGE_NUMBER) {
+        return false;
+    }
+
+    if (image_index < MCUBOOT_MANIFEST_IMAGE_NUMBER) {
+        if (memcmp(exp_hash, manifest->image_hash[image_index], IMAGE_HASH_SIZE) == 0) {
+            return true;
+        }
+    } else if (image_index > MCUBOOT_MANIFEST_IMAGE_NUMBER) {
+        if (memcmp(exp_hash, manifest->image_hash[image_index - 1], IMAGE_HASH_SIZE) == 0) {
+            return true;
+        }
+    }
+
+    return false;
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __MCUBOOT_MANIFEST_H__ */