bootutil: Add support for devices without erase and reduced erases

The commit adds two MCUboot configuration options:
  - MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE
  - MCUBOOT_SUPPORT_DEV_WITH_ERASE
  - MCUBOOT_MINIMAL_SCRAMBLE

The first one should be enabled to support devices that do not require erase.
When such devices are used in system then MCUboot will avoid erasing such
device, which is not needed by hardware, and will just write data to it.
This allows to both improve device lifetime and reduce time of operations
like swap.

The second option is just bringing a configuration option for already existing
support for deviceses with erase.

The third option allows to reduce amount of removed data. When enabled,
MCUboot will remove enough of data, depending on the purpose of the removal,
to just fulfill the purpose; for example if removal of data is done to
make image unrecognizable for MCUboot, with this option, it will only
remove header.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>

Author: de-nordic

boot/boot_serial/src/boot_serial.c

@@ -856,7 +856,7 @@ static off_t erase_range(const struct flash_area *fap, off_t start, off_t end)
     BOOT_LOG_DBG("Erasing range 0x%jx:0x%jx", (intmax_t)start,
 		 (intmax_t)(start + size - 1));
 
-    rc = flash_area_erase(fap, start, size);
+    rc = boot_erase_region(fap, start, size);
     if (rc != 0) {
         BOOT_LOG_ERR("Error %d while erasing range", rc);
         return -EINVAL;
@@ -1000,7 +1000,7 @@ bs_upload(char *buf, int len)
         /* Non-progressive erase erases entire image slot when first chunk of
          * an image is received.
          */
-        rc = flash_area_erase(fap, 0, area_size);
+        rc = boot_erase_region(fap, 0, area_size);
         if (rc) {
             goto out_invalid_data;
         }

boot/boot_serial/src/boot_serial_encryption.c

@@ -187,7 +187,7 @@ decrypt_region_inplace(struct boot_loader_state *state,
                     (off + bytes_copied + idx) - hdr->ih_hdr_size, blk_sz,
                     blk_off, &buf[idx]);
         }
-        rc = flash_area_erase(fap, off + bytes_copied, chunk_sz);
+        rc = boot_erase_region(fap, off + bytes_copied, chunk_sz);
         if (rc != 0) {
             return BOOT_EFLASH;
         }

boot/bootutil/src/bootutil_misc.c

@@ -135,6 +135,74 @@ boot_trailer_sz(uint32_t min_write_sz)
     return boot_status_sz(min_write_sz) + boot_trailer_info_sz();
 }
 
+int boot_trailer_scramble_offset(const struct flash_area *fa, size_t alignment,
+                                 size_t *off)
+{
+    int ret = 0;
+
+    /* Not allowed to enforce alignment smaller than device allows */
+    if (alignment < flash_area_align(fa)) {
+        alignment = flash_area_align(fa);
+    }
+
+    if (device_requires_erase(fa)) {
+        /* For device requiring erase align to erase unit */
+        struct flash_sector sector;
+
+        ret = flash_area_get_sector(fa, flash_area_get_size(fa) - boot_trailer_sz(alignment),
+                                    &sector);
+        if (ret < 0) {
+            return ret;
+        }
+
+        *off = flash_sector_get_off(&sector);
+    } else {
+        /* For device not requiring erase align to write block */
+        *off = flash_area_get_size(fa) - ALIGN_DOWN(boot_trailer_sz(alignment), alignment);
+    }
+
+    return ret;
+}
+
+int boot_header_scramble_off_sz(const struct flash_area *fa, int slot, size_t *off,
+                                size_t *size)
+{
+    int ret = 0;
+    const size_t write_block = flash_area_align(fa);
+    size_t loff = 0;
+    struct flash_sector sector;
+
+    (void)slot;
+#if defined(MCUBOOT_SWAP_USING_OFFSET)
+    /* In case of swap offset, header of secondary slot image is positioned
+     * in second sector of slot.
+     */
+    if (slot == BOOT_SECONDARY_SLOT) {
+        ret = flash_area_get_sector(fa, 0, &sector);
+        if (ret < 0) {
+            return ret;
+        }
+        loff = flash_sector_get_off(&sector);
+    }
+#endif
+
+    if (device_requires_erase(fa)) {
+        /* For device requiring erase align to erase unit */
+        ret = flash_area_get_sector(fa, loff, &sector);
+        if (ret < 0) {
+            return ret;
+        }
+
+        *size = flash_sector_get_size(&sector);
+    } else {
+        /* For device not requiring erase align to write block */
+        *size = ALIGN_UP(sizeof(((struct image_header *)0)->ih_magic), write_block);
+    }
+    *off = loff;
+
+    return ret;
+}
+
 #if MCUBOOT_SWAP_USING_SCRATCH
 /*
  * Similar to `boot_trailer_sz` but this function returns the space used to

boot/bootutil/src/bootutil_priv.h

@@ -302,6 +302,16 @@ const struct flash_area *boot_find_status(const struct boot_loader_state *state,
 int boot_magic_compatible_check(uint8_t tbl_val, uint8_t val);
 uint32_t boot_status_sz(uint32_t min_write_sz);
 uint32_t boot_trailer_sz(uint32_t min_write_sz);
+/* Get offset of trailer aligned to either device erase unit or alignment
+ * depending on whether device has erase or not.
+ */
+int boot_trailer_scramble_offset(const struct flash_area *fa, size_t alignment,
+                                 size_t *off);
+/* Get size of header aligned to device erase unit or write block,
+ * depending on whether device has erase or not.
+ */
+int boot_header_scramble_off_sz(const struct flash_area *fa, int slot, size_t *off,
+                                size_t *size);
 int boot_status_entries(int image_index, const struct flash_area *fap);
 uint32_t boot_status_off(const struct flash_area *fap);
 int boot_read_swap_state(const struct flash_area *fap,
@@ -333,7 +343,19 @@ int boot_copy_region(struct boot_loader_state *state,
                      const struct flash_area *fap_dst,
                      uint32_t off_src, uint32_t off_dst, uint32_t sz);
 #endif
+/* Prepare for write device that requires erase prior to write. This will
+ * do nothing on devices without erase requirement.
+ */
 int boot_erase_region(const struct flash_area *fap, uint32_t off, uint32_t sz);
+/* Similar to boot_erase_region but will always remove data */
+int boot_scramble_region(const struct flash_area *fap, uint32_t off, uint32_t sz);
+/* Similar to boot_scramble_region but works backwards */
+int boot_scramble_region_backwards(const struct flash_area *fap, uint32_t off, uint32_t sz);
+/* Makes slot unbootable, either by scrambling header magic, header sector
+ * or entire slot, depending on settings.
+ * Note: slot is passed here becuase at this point there is no function
+ * matching flash_area object to slot */
+int boot_scramble_slot(const struct flash_area *fap, int slot);
 bool boot_status_is_reset(const struct boot_status *bs);
 
 #ifdef MCUBOOT_ENC_IMAGES
@@ -529,6 +551,20 @@ uint32_t bootutil_max_image_size(struct boot_loader_state *state, const struct f
 int boot_read_image_size(struct boot_loader_state *state, int slot,
                          uint32_t *size);
 
+/* Helper macro to avoid compile errors with systems that do not
+ * provide function to check device type.
+ * Note: it used to be inline, but somehow compiler would not
+ * optimize out branches that were impossible when this evaluated to
+ * just "true".
+ */
+#if defined(MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE) && defined(MCUBOOT_SUPPORT_DEV_WITH_ERASE)
+#define device_requires_erase(fa) (flash_area_erase_required(fa))
+#elif defined(MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE)
+#define device_requires_erase(fa) (false)
+#else
+#define device_requires_erase(fa) (true)
+#endif
+
 #ifdef __cplusplus
 }
 #endif