firmware-update-log
A portable, tamper-evident firmware-update audit log built on <alp/update_log.h>. Works on every Alp SoM — the backend is selected at boot.
Source: examples/connectivity/firmware-update-log/.
What it does
- Opens the device's update log and appends a few entries (firmware version, SHA-256 image hash, status).
- Walks the chain with
alp_update_log_verify()and prints the verdict. - Reports the assurance tier —
SW_TAMPER_EVIDENT(SHA-256 hash-chain + monotonic counter) orHW_ENFORCED(TF-M Protected Storage + a hardware non-decrementable counter).
It runs on native_sim (software tier) and on SoMs with a TF-M + monotonic-counter backend (hardware tier). The Slice-1 store is in-RAM; durable persistence via NVS is follow-up work.
board.yaml
preset: native_sim
cores:
app:
app: ./src
diagnostics:
log_level: info
Expected output
[firmware-update-log] assurance: SW_TAMPER_EVIDENT
[firmware-update-log] appended seq 0..2
[firmware-update-log] verify -> OK
See also
<alp/update_log.h><alp/security.h>— the SHA-256 primitive underneath
Questions about this page? Discuss in Community Forum