Hardware abstraction layer
In order to run wolfBoot on a target microcontroller, an implementation of the HAL must be provided.
The HAL's purpose is to allow write/erase operations from the bootloader and the application initiating the firmware upgrade through the application library, and ensuring that the MCU is running at full speed during boot (to optimize the verification of the signatures).
The implementation of the hardware-specific calls for each platform are grouped in a single c file in the hal
directory.
The directory also contains a platform-specific linker script for each supported MCU, with the same name and the .ld
extension. This is used to link the bootloader's firmware on the specific hardware, exporting all the necessary symbols for flash and RAM boundaries.
Supported platforms
Please see Chapter 3
API
The Hardware Abstraction Layer (HAL) consists of six function calls be implemented for each supported target:
void hal_init(void)
This function is called by the bootloader at the very beginning of the execution. Ideally, the implementation provided configures the clock settings for the target microcontroller, to ensure that it runs at at the required speed to shorten the time required for the cryptography primitives to verify the firmware images.
void hal_flash_unlock(void)
If the IAP interface of the flash memory of the target requires it, this function is called before every write and erase operations to unlock write access to the flash. On some targets, this function may be empty.
int hal_flash_write(uint32_t address, const uint8_t *data, int len)
This function provides an implementation of the flash write function, using the target's IAP interface. address
is the offset from the beginning of the flash area, data
is the payload to be stored in the flash using the IAP interface, and len
is the size of the payload.
Implementations of this function must be able to
handle writes of any size and alignment. Targets with a minimum programmable size
> 1 byte must implement the appropriate read-modify-write logic in order to enable
wolfBoot to perform unaligned single-byte writes.
hal_flash_write
should return 0 upon success, or a negative value in case of failure.
void hal_flash_lock(void)
If the IAP interface of the flash memory requires locking/unlocking, this function restores the flash write protection by excluding write accesses. This function is called by the bootloader at the end of every write and erase operations.
int hal_flash_erase(uint32_t address, int len)
Called by the bootloader to erase part of the flash memory to allow subsequent boots.
Erase operations must be performed via the specific IAP interface of the target microcontroller.
address
marks the start of the area that the bootloader wants to erase, and len
specifies
the size of the area to be erased. address
is guaranteed to be aligned to WOLFBOOT_SECTOR_SIZE
,
and len
is guaranteed to be a multiple of WOLFBOOT_SECTOR_SIZE
. This function must take into account
the geometry of the flash sectors, and erase all the sectors in between.
void hal_prepare_boot(void)
This function is called by the bootloader at a very late stage, before chain-loading the firmware in the next stage. This can be used to revert all the changes made to the clock settings, to ensure that the state of the microcontroller is restored to its original settings.
Optional support for external flash memory
WolfBoot can be compiled with the makefile option EXT_FLASH=1
. When the external flash support is
enabled, update and swap partitions can be associated to an external memory, and will use alternative
HAL function for read/write/erase access. It can also be used in any scenario where flash reads require
special handling and must be redirected to a custom implementation. Note that EXT_FLASH=1
is incompatible
with the NVM_FLASH_WRITEONCE
option.
To associate the update or the swap partition to an external memory, define PART_UPDATE_EXT
and/or
PART_SWAP_EXT
, respectively.
The following functions are used to access the external memory, and must be defined when EXT_FLASH
is on:
int ext_flash_write(uintptr_t address, const uint8_t *data, int len)
This function provides an implementation of the flash write function, using the
external memory's specific interface. address
is the offset from the beginning of the
addressable space in the device, data
is the payload to be stored,
and len
is the size of the payload. The function is subject to the same restrictions as
hal_flash_write()
. ext_flash_write
should return 0 upon success,
or a negative value in case of failure.
int ext_flash_read(uintptr_t address, uint8_t *data, int len)
This function provides an indirect read of the external memory, using the
driver's specific interface. address
is the offset from the beginning of the
addressable space in the device, data
is a pointer where payload is stored upon a successful
call, and len
is the maximum size allowed for the payload. This function must be able to handle
reads of any size and alignment. ext_flash_read
should return 0 upon success, or a negative value
in case of failure.
int ext_flash_erase(uintptr_t address, int len)
Called by the bootloader to erase part of the external memory.
Erase operations must be performed via the specific interface of the target driver (e.g. SPI flash).
address
marks the start of the area relative to the device, that the bootloader wants to erase,
and len
specifies the size of the area to be erased. This function is subject to the same restrictions
as hal_flash_erase()
and must take into account the geometry of the sectors, and erase all the sectors
in between.
void ext_flash_lock(void)
If the interface of the external flash memory requires locking/unlocking, this function may be used to restore the flash write protection or exclude write accesses. This function is called by the bootloader at the end of every write and erase operations on the external device.
void ext_flash_unlock(void)
If the IAP interface of the external memory requires it, this function is called before every write and erase operations to unlock write access to the device. On some drivers, this function may be empty.
Additional functions required by DUALBANK_SWAP
option
If the target device supports hardware-assisted bank swapping, it is appropriate to provide two additional functions in the port:
void hal_flash_dualbank_swap(void)
Called by the bootloader when the two banks must be swapped. On some architectures this operation implies a reboot, so this function may also never return.
void fork_bootloader(void)
This function is called to provide a second copy of the bootloader. Wolfboot will
clone itself if the content does not already match. fork_bootloader()
implementation in new ports must return immediately without performing any actions
if the content of the bootloader partition in the two banks already match.