Using GnuK with DFU bootloader

[Peter Lebbing]

Hello Niibe and list,

I have implemented support for safe DFU uploads, and tested it with a
Maple Mini clone from Baite, with the STM32duino bootloader. As I said
before, unfortunately it is not possible to implement this with the
factory bootloader of Maple Mini's, because there is only 108 KiB flash
left with the factory bootloader, and GnuK is simply too large.

Normally, the SYS block of the code is at the start of the flash and is
the first thing executed. It cannot ever be updated with reGNUal. With
DFU, the DFU bootloader is at the start of the flash and GnuK starts at
an offset. Also, the DFU bootloader might leave the flash unprotected
from readout. I'm not experienced enough to say whether this is always
the case, but it is for the STM32duino bootloader and I expect it is
true for most DFU bootloaders.

We don't want the DFU bootloader to stay even when flash readout were
protected, as it might still expose the flash to readout. Flash readout
protection only protects from programming hardware, code in the flash
can still read the flash, unsurprisingly.

Also, if we want to use reGNUal to later update to a new GnuK version,
we need SYS at the start of flash because this is what reGNUal and the
new GnuK will expect.

So my implementation has two versions of SYS, one running version at an
offset, and one copy of a version at the start of the flash. The first
time GnuK runs, it will remove the DFU bootloader, install the copy of
SYS at the start of the flash and enable readout protection. It will
continue to use the copy at an offset, but the one at the start is there
for a future GnuK to start using.

The GnuK firmware increases in size by 1 kilobyte with this option.

Once reGNUal is used, the GnuK becomes identical to one that was flashed
"bare" in the usual way, without DFU. But this is not necessary for safe
operation, it is just there to provide an upgrade path. GnuK is safe to
use directly after being flashed with a DFU bootloader.

My changes can be found in commit
00039c2419919b396ff11f119820f8cae5ab1d31 at [1].

This might be useful to have during the 35C2 Congress[2] ;-) which is
from Dec 27 to Dec 30, in a bit more than a week! Niibe, I cannot ask
you to accept these changes on such short notice, so I won't. But I hope
the extra functionality is useful. I have tried several things with a
Maple Mini with this GnuK and it behaved completely normally.

By the way, I did not implement --gc-sections support for the copy of
SYS in stdaln-sys-bin.o because I seemed to be missing a small part of
the puzzle to make it work and it wasn't very necessary since the
Makefile only includes the object when DFU support is enabled. With
the current code, it is then also needed anyway.

HTH,

Peter.

[1] <https://gitlab.com/DigitalBrains1/gnuk/tree/dfu>

[2] It's the 35C3, but the last C is for Congress. Just like an LCD is
an LC display, when you write out the last C, you need to remove it from
the abbreviation, right? ;-P And as a proper name, a capitalized C.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnuk-users/attachments/20181218/06503610/attachment.sig>