Damaging an update firmware makes rustboot hang at boot

[lionelains]

When manually changing the firmware payload of a signed firmware, rustboot seems to upgrade flash to it but subsequent boots never process correctly.

Found in 8437fd2

Scenario

Build the sample boot demo binaries from rustboot project:

• a rustboot bootloader code
• the initial firmware (on STM32 platforms, this is a green blinking firmware)
• the upgrade firmware (on STM32 platforms, this is a red blinking firmware)

Before programming these 3 firmwares, we modify at least one byte in the 3rd binary (the upgrade firmware), and program the 3 firmwares on the board.

Expected

green blinking firmware boots and refuses to program the red firmware
at all subsequent boots, only the green firmware boots

Observed

green blinking firmware boots
the board reboots
rustboot does not launch neither the red nor the green firmware and remains stuck in the boot phase
resetting the board does not revert to the green firmware either, possibly resulting in a bricked device

Steps to reproduce on NUCLEO-H723ZG

Run the normal demo:

cargo stm32h723 build-sign-flash rustBoot 1234 1235

Watch the green firmware blink, then red firmware

Alter the red firmware (overwrite 4 bytes at offset 1024) :

cp ./boards/sign_images/signed_images/stm32h723_updtfw_v1235_signed.bin /tmp/stm32h723_updtfw_v1235_signed.altered.bin
printf '\xff\x00\xff\x00' | dd of=/tmp/stm32h723_updtfw_v1235_signed.altered.bin bs=1 seek=1024 count=4 conv=notrunc

Program again the two application firmwares:

probe-rs-cli erase --chip STM32H723ZGTx
probe-rs-cli download --format Bin --base-address 0x8020000 --chip STM32H723ZGTx ./boards/sign_images/signed_images/stm32h723_bootfw_v1234_signed.bin
probe-rs-cli download --format Bin --base-address 0x8060000 --chip STM32H723ZGTx /tmp/stm32h723_updtfw_v1235_signed.altered.bin

Program rustboot and run the demo.

probe-rs-cli run --chip STM32H723ZGTx ./boards/target/thumbv7em-none-eabihf/release/stm32h723

Observe the board first running the green firmware, then reboot and hang while in rustboot.

[lionelains]

When rust boot hangs, execution seems to hit the following panic(), which actually makes sense:

rustBoot/rustBoot/src/image/image.rs

Line 572 in 8437fd2

panic!("..integrity check failed");

[nihalpasham]

@imrank03 - would you be able to look into this?

[imrank03]

@imrank03 - would you be able to look at this?

Hi @nihalpasham, since the issue seems to be functioning as expected, I didn't look into it further.

[nihalpasham]

@lionelains - I believe we are unable to recreate the above scenario. Can you help in recreating this bug?

[nihalpasham]

Closing. feel free re-open if needed

[lionelains]

I am going to give it a try again on my board. I'll keep you posted.

[lionelains]

I did reproduce on 8437fd2 and also on d4394d3

Same thing after a

rustup update

which leads to:

   stable-x86_64-unknown-linux-gnu updated - rustc 1.81.0 (eeb90cda1 2024-09-04) (from rustc 1.78.0 (9b00956e5 2024-04-29))
  nightly-x86_64-unknown-linux-gnu updated - rustc 1.83.0-nightly (9e394f551 2024-09-25) (from rustc 1.82.0-nightly (636d7ff91 2024-08-19))

I use the nightly toolchain to compile rustBoot (cargo +nightly stm32h723 build-sign-flash rustBoot 1234 1235).

In all these configurations, my board boots the green firmware, but never upgrades to the red (manually corrupted) firmware (as expected).
However, the board never boots any firmware anymore, even after pressing the black reset button on the NUCLEO-H723ZG board.

[nihalpasham]

@imrank03

[lionelains]

@imrank03, on which board did you try to run the test? on a NUCLEO-H723ZG?

[imrank03]

On which board did you try to run the test? on a NUCLEO-H723ZG?

• I tried on a NUCLEO-H723ZG.
• And I am going to give it a try again on my board.