wip

Author: michalek-no

boot/bootutil/src/ed25519_psa.c

@@ -32,6 +32,11 @@ static psa_key_id_t kmu_key_ids[3] =  {
     MAKE_PSA_KMU_KEY_ID(230)
 };
 
+#if defined(CONFIG_BOOT_AUTO_REVOKE_KMU)
+static psa_key_id_t *validated_with = NULL;
+#define MK_PSA_KEY_HANDLE(key) PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, key)
+#endif
+
 BUILD_ASSERT(CONFIG_BOOT_SIGNATURE_KMU_SLOTS <= ARRAY_SIZE(kmu_key_ids),
 	     "Invalid number of KMU slots, up to 3 are supported on nRF54L15");
 #endif
@@ -114,6 +119,10 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
                                     EDDSA_SIGNAGURE_LENGTH);
         if (status == PSA_SUCCESS) {
             ret = 1;
+#if defined(CONFIG_BOOT_AUTO_REVOKE_KMU)
+			BOOT_LOG_ERR("--------------- valid set to %d", i);
+            validated_with = kmu_key_ids + i;
+#endif
             break;
         }
 
@@ -122,4 +131,31 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
 
     return ret;
 }
+#if defined(CONFIG_BOOT_AUTO_REVOKE_KMU)
+void revoke_prev(void)
+{
+
+    psa_status_t status = psa_crypto_init();
+
+    if (status != PSA_SUCCESS) {
+            printk("PSA crypto init failed with error %d\n", status);
+            return;
+    }
+    BOOT_LOG_ERR("--------------- for");
+    for (int i = 0; i < CONFIG_BOOT_SIGNATURE_KMU_SLOTS; i++) {
+        if((kmu_key_ids + i) == validated_with){
+            break;
+        }
+        BOOT_LOG_ERR("--------------- invalidating %d", i);
+
+        status = psa_destroy_key(MK_PSA_KEY_HANDLE(kmu_key_ids[i]));
+        if (status == PSA_SUCCESS) {
+            printk("ok\n");
+        } else {
+            printk("destroy failed with: %d\n", status);
+        }
+    }
+
+}
+#endif
 #endif

boot/bootutil/src/image_validate.c

@@ -245,6 +245,13 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index,
 #   define KEY_BUF_SIZE         (SIG_BUF_SIZE + 24)
 #endif /* !MCUBOOT_HW_KEY */
 
+#if defined(CONFIG_BOOT_AUTO_REVOKE_KMU)
+extern void revoke_prev(void);
+static uint8_t ready_to_revoke = 0;
+void bootutil_revoke_after_validation(void){
+ready_to_revoke=1;}
+#endif
+
 #if !defined(CONFIG_BOOT_SIGNATURE_USING_KMU)
 #if !defined(MCUBOOT_HW_KEY)
 static int
@@ -681,6 +688,11 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
 #ifndef MCUBOOT_SIGN_PURE
             FIH_CALL(bootutil_verify_sig, valid_signature, hash, sizeof(hash),
                                                            buf, len, key_id);
+#if defined(CONFIG_BOOT_AUTO_REVOKE_KMU)
+        if(ready_to_revoke){
+    revoke_prev();
+        }
+#endif
 #else
             /* Directly check signature on the image, by using the mapping of
              * a device to memory. The pointer is beginning of image in flash,

boot/bootutil/src/loader.c

@@ -100,6 +100,9 @@ struct sector_buffer_t {
     boot_sector_t scratch[BOOT_MAX_IMG_SECTORS];
 #endif
 };
+#if defined(CONFIG_BOOT_AUTO_REVOKE_KMU)
+void bootutil_revoke_after_validation(void);
+#endif
 
 static struct sector_buffer_t sector_buffers;
 #endif
@@ -2733,6 +2736,10 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
         }
     }
 
+    if (BOOT_SWAP_TYPE(state) == BOOT_SWAP_TYPE_NONE) {
+		bootutil_revoke_after_validation();
+		BOOT_LOG_ERR("----------------------swap none");
+	}
     /* Iterate over all the images. At this point all required update operations
      * have finished. By the end of the loop each image in the primary slot will
      * have been re-validated.

boot/zephyr/Kconfig

@@ -327,6 +327,11 @@ config BOOT_SIGNATURE_KMU_SLOTS
 	  Selects the number of KMU key slots (also known as generations) to use when verifying
 	  an image.
 
+config BOOT_AUTO_REVOKE_KMU
+	bool "Auto revoke previous gen key"
+	help
+	  Automatically revoke previous generation key upon new valid key usage.
+
 endif
 
 if !BOOT_SIGNATURE_USING_KMU