Added support for nrf9160 with Trustzone-M

.cargo/config.toml

@@ -1,6 +1,7 @@
 [alias]
 xtask = 'run -p xtask --'
 nrf52840 = 'run -p xtask --features nrf52840 -- nrf52840'
+nrf9160   = 'run -p xtask --features nrf9160 -- nrf9160'
 stm32f411 = 'run -p xtask --features stm32f411 -- stm32f411'
 stm32f446 = 'run -p xtask --features stm32f446 -- stm32f446'
 stm32f469 = 'run -p xtask --features stm32f469 -- stm32f469'

.github/workflows/ci.yml

@@ -38,6 +38,7 @@ jobs:
           cargo +nightly test --package rustBoot --lib --features stm32f746 -- parser::tests --nocapture
           cargo +nightly test --package rustBoot --lib --features stm32f334 -- parser::tests --nocapture
           cargo +nightly test --package rustBoot --lib --features rp2040 -- parser::tests --nocapture
+          cargo +nightly test --package rustBoot --lib --features nrf9160 -- parser::tests --nocapture
 
   builds:
     runs-on: ${{ matrix.os }}
@@ -72,6 +73,13 @@ jobs:
           use-cross: false
           command: run
           args: -p xtask --features nrf52840 -- nrf52840 build rustBoot-only
+      - name: nrf9160
+        if: matrix.target == 'thumbv8m.main-none-eabihf'
+        uses: actions-rs/cargo@v1
+        with:
+          use-cross: false
+          command: run
+          args: -p xtask --features nrf9160 -- nrf9160 build rustBoot-only
       - name: stm32f411
         if: matrix.target == 'thumbv7em-none-eabihf'
         uses: actions-rs/cargo@v1

DCO.md

@@ -0,0 +1,85 @@
+# Developer Certificate of Origin (DCO)
+
+rustBoot enforces the Developer Certificate of Origin (DCO). It requires all commit messages to contain the `Signed-off-by` line with an email address that matches the commit author and the name on your GitHub account.
+
+The Developer Certificate of Origin (DCO) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project. Here is the full text of the DCO, reformatted for readability:
+
+```text
+By making a contribution to this project, I certify that:
+
+The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or
+
+The contribution is based upon previous work that, to the best of my knowledge, is covered under an > appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or
+
+The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.
+
+I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.
+```
+
+Contributors sign-off that they adhere to these requirements by adding a `Signed-off-by` line to commit messages.
+
+## How to sign-off
+
+The project requires a sign-off message in the following format appear on each commit in the pull request:
+
+```text
+feat: new feature
+
+Signed-off-by: John Smith <[email protected]>
+```
+
+The text can either be manually added to your commit body, or you can add either `-s` or `--signoff` to your usual git commit commands.
+
+#### Creating your signoff
+
+Git has a `-s | --signoff` command-line option to append this automatically to your commit message:
+
+```bash
+git commit --signoff --message 'This is my commit message'
+```
+
+```bash
+git commit -s -m "This is my commit message"
+```
+
+This will use your default git configuration which is found in `.git/config` and usually, it is the `username systemaddress` of the machine which you are using.
+
+To change this, you can use the following commands (Note these only change the current repo settings, you will need to add `--global` for these commands to change the installation default).
+
+Your name:
+
+```bash
+git config user.name "FIRST_NAME LAST_NAME"
+```
+
+Your email:
+
+```bash
+git config user.email "[email protected]"
+```
+
+#### How to amend a sign-off
+
+If you have authored a commit that is missing the signed-off-by line, you can amend your commits and push them to GitHub
+
+```bash
+git commit --amend --signoff
+```
+
+If you've pushed your changes to GitHub already you'll need to force push your branch after this with `git push -f`.
+
+## DCO Failures
+
+The project uses a DCO bot for all GitHub pulls to verify that each commit is signed off. When you create your pull request, it will automatically be verified by this bot. An example of what to expect is below.
+
+![DCO Bot image](docs/images/dco.png)
+
+If your Pull Request fails the DCO check, it's necessary to fix the entire commit history in the PR. Although this is a situation we'd like to avoid the best practice is to squash the commit history to a single commit, append the DCO sign-off as described above or interactively in the rebase comment editing process, and force push. For example, if you have 2 commits in your history (Note the ~2):
+
+```bash
+git rebase --interactive HEAD~2
+(interactive squash + DCO append)
+git push origin --force
+```
+
+> Note, that in general rewriting history in this way is something that can cause issues with the review process and this should only be done to correct a DCO mistake.

README.md

@@ -51,4 +51,4 @@ rustBoot is licensed under
 * MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
 
 ## Contributing:
-Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the MIT license, shall be licensed as above, without any additional terms or conditions.
+Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the MIT license, shall be licensed as above, without any additional terms or conditions.We enforce [developer certificate of origin (DCO) commit signing](./DCO.md).

boards/bootloaders/nrf9160/.cargo/config.toml

@@ -0,0 +1,17 @@
+# =============================================================================
+# Build configuration options for Cortex-M
+# =============================================================================
+
+[build]
+target = "thumbv8m.main-none-eabihf"
+
+[target.'cfg(all(target_arch = "arm", target_os = "none"))']
+runner = "probe-run --chip nRF9160_xxAA" # runner specific to nrf52840. Replace this with probe-run option for your board.
+rustflags = [
+  "-C", "linker=flip-link",
+  "-C", "link-arg=-Tlink.x",
+  # "-C", "link-arg=-Tdefmt.x",
+  # This is needed if your flash or ram addresses are not aligned to 0x10000 in memory.x
+  # See https://github.com/rust-embedded/cortex-m-quickstart/pull/95
+  "-C", "link-arg=--nmagic",
+] 

boards/bootloaders/nrf9160/Cargo.toml

@@ -0,0 +1,31 @@
+[package]
+build = "build.rs"
+edition = "2018"
+name = "nrf9160"
+version = "0.1.0"
+
+# makes `cargo check --all-targets` work
+[[bin]]
+bench = false
+doctest = false
+name = "nrf9160"
+test = false
+
+[dependencies]
+cortex-m-rt = "0.7"
+cortex-m = { version = "0.7.6", features = ["critical-section-single-core"] }
+rustBoot-hal = {path = "../../hal", features = ["nrf9160", "nrf"]}
+
+#trustzone-m-macros = { path = "../../../tools/trustzone-m-tools/macros" }
+#trustzone-m-secure-rt = {path = "../../tools/trustzone-m-tools/secure-rt", features = ["nrf9160"]}
+
+nrf9160-pac = "0.12.2"
+spin = "0.5"
+
+rustBoot-update = {path = "../../update", features = ["nrf9160"]}
+defmt = {version = "0.3.1", optional = true}
+defmt-rtt = {version = "0.3.2", optional = true}
+
+[features]
+default = ["defmt", "defmt-rtt"]
+

boards/bootloaders/nrf9160/README.md

@@ -0,0 +1,28 @@
+`rustBoot` support for [nrf9160](https://www.nordicsemi.com/Products/Development-hardware/nrf9160-dk) development board, we have one example. It has 4 leds. If you're using a different version of the board, you'll probably need to edit `firmware and hal implementations` to accomodate for differences. Just make sure you **dont change** the name of files/folders or the folder structure, as `cargo xtask` looks for these file/folder names.
+
+- In order to test this example you'll need a couple of things - `wolfcrypt, probe-run, python3, nrf-connect Programmer installed`
+- If you've managed to install all of them, you can use below commands to build and sign all 3 packages (i.e. bootloader + bootfw + updatefw) onto the board.
+    - Command for build rustBoot
+    `cargo nrf9160 build rustBoot-only`
+
+    - Command for build packages
+    `cargo nrf9160 build pkgs-for`
+
+    - Command for sign packages
+    `cargo nrf9160 sign pkgs-for`
+
+- In order to flash all 3 binarise (i.e. bootloader + bootfw + updatefw) I've used `probe-rs-cli` and `probe-rs-cli`.
+    - To flash bootloader use this command
+    `probe-run < bootloader file name > --chip NRF9160_XXAA`
+    - To flash bootfw + updatefw use following command
+    'probe-rs-cli download --format Bin --base-address {boot_part_addr} --chip nRF9160_xxAA nrf9160_bootfw_v_signed.bin'
+
+- In order to confirm that its working, I've configured the `bootfw to turn ON LED1 and blink LED2` for a few seconds, trigger an update and then reset. Upon reset, the bootloader verifies the update and swaps the contents of boot and update partitions. If everything checks out, it boots into the update, `turn ON LED3 and blink LED4` and finally sets the confirmation flag to indicate that the update was successful.
+
+Here's the [command line output](/boards/bootloaders/stm32h723/debug.md).
+
+## Blinky(s):
+
+**blinks green before image verification and swap, after trigger an update, blinks red after image verification and swap:**
+
+[![bootfw_and_updtfw](https://user-images.githubusercontent.com/92363511/173661166-bad18bd5-8e35-4429-8852-93ea29b46ed9.png)](https://user-images.githubusercontent.com/92363511/173660773-4f4d7cbd-6d43-4418-b5b5-099619054aff.mov)

boards/bootloaders/nrf9160/build.rs

@@ -0,0 +1,42 @@
+use std::env;
+use std::fs::File;
+use std::io::Write;
+use std::path::PathBuf;
+
+fn main() {
+    // Put the linker script somewhere the linker can find it
+    let out = &PathBuf::from(env::var_os("OUT_DIR").unwrap());
+    File::create(out.join("memory.x"))
+        .unwrap()
+        .write_all(include_bytes!("memory.x"))
+        .unwrap();
+
+    let mut linker_scripts = vec![(
+        &include_bytes!("trustzone_memory.x.in")[..],
+        "trustzone_memory.x",
+    )];
+
+    if cfg!(feature = "_nrf") {
+        linker_scripts.push((
+            &include_bytes!("nrf_region_asserts.x.in")[..],
+            "region_asserts.x",
+        ));
+    } else {
+        linker_scripts.push((
+            &include_bytes!("no_region_asserts.x.in")[..],
+            "region_asserts.x",
+        ));
+    }
+
+    for (script_bytes, script_name) in linker_scripts {
+        let mut f = File::create(out.join(script_name)).unwrap();
+        f.write_all(script_bytes).unwrap();
+
+        println!("cargo:rerun-if-changed={script_name}.in");
+    }
+
+    println!("cargo:rustc-link-search={}", out.display());
+    println!("cargo:rerun-if-changed=build.rs");
+    println!("cargo:rerun-if-changed=memory.x");
+
+}

boards/bootloaders/nrf9160/memory.x

@@ -0,0 +1,12 @@
+MEMORY
+{
+    FLASH                    : ORIGIN = 0x00000000, LENGTH = 188K
+    NSC_FLASH                : ORIGIN = 0x0002F000, LENGTH = 4K
+    NS_FLASH                 : ORIGIN = 0x00030000, LENGTH = 832K
+
+    RAM                      : ORIGIN = 0x20000000, LENGTH = 128K
+    NS_RAM                   : ORIGIN = 0x20020000, LENGTH = 128K
+}
+
+INCLUDE trustzone_memory.x
+

boards/bootloaders/nrf9160/no_region_asserts.x.in

@@ -0,0 +1 @@
+/* Purposefully left empty */

boards/bootloaders/nrf9160/nrf_region_asserts.x.in

@@ -0,0 +1,5 @@
+ASSERT(LENGTH(NSC_FLASH) <= 4096, "ERROR(trustzone): The NSC flash region cannot be bigger than 4096 bytes");
+ASSERT(LENGTH(NSC_FLASH) >= 32, "ERROR(trustzone): The NSC flash region cannot be smaller than 32 bytes");
+ASSERT((LENGTH(NSC_FLASH) & (LENGTH(NSC_FLASH) - 1)) == 0, "ERROR(trustzone): The NSC flash region must have a length that is a power of 2");
+
+ASSERT(_s_flash_end == _nsc_flash_start, "ERROR(trustzone): The NSC flash region must come right after the S flash region");

boards/bootloaders/nrf9160/src/main.rs

@@ -0,0 +1,102 @@
+#![no_std]
+#![no_main]
+#![feature(abi_c_cmse_nonsecure_call)]
+#![feature(cmse_nonsecure_entry)]
+#![feature(type_alias_impl_trait)]
+
+#[cfg(feature = "defmt")]
+use defmt_rtt as _; // global logger
+
+use rustBoot_hal::nrf::nrf9160::{FlashWriterEraser, initialize};
+use rustBoot_update::update::{update_flash::FlashUpdater, UpdateInterface};
+
+use cortex_m_rt::entry;
+
+#[entry]
+fn main() -> ! {
+    let dp = nrf9160_pac::Peripherals::take().unwrap();
+
+    unsafe {
+        (*cortex_m::peripheral::SCB::PTR)
+            .shcsr
+            .write((1 << 19) | (1 << 18) | (1 << 17) | (1 << 16))
+    };
+
+    initialize(
+        [
+            (dp.SPIM0_S, dp.SPIS0_S, dp.TWIM0_S, dp.TWIS0_S, dp.UARTE0_S).into(),
+            (dp.SPIM1_S, dp.SPIS1_S, dp.TWIM1_S, dp.TWIS1_S, dp.UARTE1_S).into(),
+            (dp.SPIM2_S, dp.SPIS2_S, dp.TWIM2_S, dp.TWIS2_S, dp.UARTE2_S).into(),
+            (dp.SPIM3_S, dp.SPIS3_S, dp.TWIM3_S, dp.TWIS3_S, dp.UARTE3_S).into(),
+            (&dp.P0_S).into(),
+            (&dp.KMU_S, &dp.NVMC_S).into(),
+            (dp.CLOCK_S, dp.POWER_S).into(),
+            (dp.RTC0_S).into(),
+            (dp.RTC1_S).into(),
+        ],
+        [
+            (0, 0),
+            (0, 1),
+            (0, 2),
+            (0, 3),
+            (0, 4),
+            (0, 5),
+            (0, 6),
+            (0, 7),
+            (0, 8),
+            (0, 9),
+            (0, 10),
+            (0, 11),
+            (0, 12),
+            (0, 13),
+            (0, 14),
+            (0, 15),
+            (0, 16),
+            (0, 17),
+            (0, 18),
+            (0, 19),
+            (0, 20),
+            (0, 21),
+            (0, 22),
+            (0, 23),
+            (0, 24),
+            (0, 25),
+            (0, 26),
+            (0, 27),
+            // (0, 28),
+            // (0, 29),
+            (0, 30),
+            // (0, 31),
+        ],
+        [
+            (0, 0),
+            (0, 1),
+            (0, 2),
+            (0, 3),
+            (0, 4),
+            (0, 5),
+            (0, 6),
+            (0, 7),
+            (0, 8),
+            (0, 9),
+            (0, 10),
+            (0, 11),
+            (0, 12),
+            (0, 13),
+            (0, 14),
+            (0, 15),
+        ],
+    );
+
+    // defmt::println!("Non secure memory initialized");
+
+    let updater = FlashUpdater::new(FlashWriterEraser::new(dp.NVMC_S, dp.NVMC_NS, true));
+    updater.rustboot_start()
+}
+
+#[panic_handler] // panicking behavior
+fn panic(_: &core::panic::PanicInfo) -> ! {
+    loop {
+        cortex_m::asm::bkpt();
+    }
+}