base repository: nrfconnect/sdk-mcuboot
base: 209a8aa6086dd97303ffa902c3a7856d0f9bedbb
head repository: nrfconnect/sdk-mcuboot
compare: ac343a35b101282e9c64b82406bee5b13ecbcbc4
Showing with 77 additions and 4 deletions.
  1. +9 −0 boot/bootutil/include/bootutil/security_cnt.h
  2. +20 −0 boot/bootutil/src/image_validate.c
  3. +48 −4 boot/bootutil/src/loader.c
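--- a/boot/bootutil/include/bootutil/security_cnt.h
+++ b/boot/bootutil/include/bootutil/security_cnt.h
@@ -39,6 +39,15 @@ extern "C" {
 */
 fih_ret boot_nv_security_counter_init(void);
 
+/**
+* Checks if the specified image should have a security counter present on it or not
+*
+* @param image_index Index of the image to check (from 0).
+*
+* @return FIH_SUCCESS if security counter should be present; FIH_FAILURE if otherwise
+*/
+fih_ret boot_nv_image_should_have_security_counter(uint32_t image_index);
+
 /**
 * Reads the stored value of a given image's security counter.
 *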
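Review bot: The `@return` line on the new boot_nv_image_should_have_security_counter declaration documents FIH_SUCCESS and FIH_FAILURE, but bootutil_img_validate in image_validate.c treats any other fih_ret value as a fault and aborts validation with rc = -1, so the contract should state that explicitly; for example add `* Implementations must return exactly one of these two values; callers treat anything else as a fault.` after the `@return` line. The declaration also takes `uint32_t image_index` while the neighbouring security-counter function boot_update_security_counter in loader.c takes `uint8_t image_index`; the mismatch is harmless but worth aligning for consistency.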
20 changes: 20 additions & 0 deletions boot/bootutil/src/image_validate.c
@@ -478,6 +478,15 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
fih_int security_cnt = fih_int_encode(INT_MAX);
uint32_t img_security_cnt = 0;
FIH_DECLARE(security_counter_valid, FIH_FAILURE);
FIH_DECLARE(security_counter_should_be_present, FIH_FAILURE);

FIH_CALL(boot_nv_image_should_have_security_counter, security_counter_should_be_present,
image_index);
if (FIH_NOT_EQ(security_counter_should_be_present, FIH_SUCCESS) &&
FIH_NOT_EQ(security_counter_should_be_present, FIH_FAILURE)) {
rc = -1;
goto out;
}
#endif

#ifdef MCUBOOT_DECOMPRESS_IMAGES
@@ -712,6 +721,10 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
goto out;
}

if (FIH_EQ(security_counter_should_be_present, FIH_FAILURE)) {
goto skip_security_counter_read;
}

FIH_CALL(boot_nv_security_counter_get, fih_rc, image_index,
&security_cnt);
if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
@@ -731,6 +744,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,

/* The image's security counter has been successfully verified. */
security_counter_valid = fih_rc;
skip_security_counter_read:
break;
}
#endif /* MCUBOOT_HW_ROLLBACK_PROT */
@@ -750,10 +764,16 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
FIH_SET(fih_rc, valid_signature);
#endif
#ifdef MCUBOOT_HW_ROLLBACK_PROT
if (FIH_EQ(security_counter_should_be_present, FIH_FAILURE)) {
goto skip_security_counter_check;
}

if (FIH_NOT_EQ(security_counter_valid, FIH_SUCCESS)) {
rc = -1;
goto out;
}

skip_security_counter_check:
#endif

#ifdef MCUBOOT_DECOMPRESS_IMAGES
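Review bot: `FIH_DECLARE(security_counter_should_be_present, FIH_FAILURE);` in the first hunk initialises the flag to the permissive value, so if the following FIH_CALL were skipped or its result not stored, the subsequent FIH_NOT_EQ guard still passes (it accepts FIH_FAILURE) and both later `goto skip_security_counter_*` branches silently disable the rollback check for an image that should carry a counter. Initialising with the restrictive value, `FIH_DECLARE(security_counter_should_be_present, FIH_SUCCESS);`, keeps the default fail-closed (counter required) while still letting an explicit FIH_FAILURE result from the callback skip the checks. Separately, in the last hunk `skip_security_counter_check:` is immediately followed by `#endif`; a label must precede a statement, so this compiles only if whatever follows in the active configuration is a statement rather than a declaration or a closing brace — writing it as the null statement `skip_security_counter_check: ;` removes that dependency. bootutil_img_validate starts and ends outside these hunks.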
52 changes: 48 additions & 4 deletions boot/bootutil/src/loader.c
@@ -1237,6 +1237,38 @@ boot_validate_slot(struct boot_loader_state *state, int slot,
}

#ifdef MCUBOOT_HW_ROLLBACK_PROT
/**
* Checks if the specified image should have a security counter present on it or not
*
* @param image_index Index of the image to check.
*
* @return true if security counter should be present; false if otherwise
*/
fih_ret boot_nv_image_should_have_security_counter(uint32_t image_index)
{
#if defined(PM_S1_ADDRESS)
if (owner_nsib[image_index]) {
/*
* Downgrade prevention on S0/S1 image is managed by NSIB, which is a software (not
* hardware) check
*/
return FIH_FAILURE;
}
#endif

#if defined(CONFIG_SOC_NRF5340_CPUAPP) && CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1
if (image_index == CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER) {
/*
* Downgrade prevention on network core image is managed by NSIB which is a software (not
* hardware) check
*/
return FIH_FAILURE;
}
#endif

return FIH_SUCCESS;
}

/**
* Updates the stored security counter value with the image's security counter
* value which resides in the given slot, only if it's greater than the stored
@@ -1260,14 +1292,20 @@ boot_update_security_counter(uint8_t image_index, int slot,

#if defined(PM_S1_ADDRESS)
if (owner_nsib[image_index]) {
/* Downgrade prevention on S0/S1 image is managed by NSIB */
/*
* Downgrade prevention on S0/S1 image is managed by NSIB which is a software (not
* hardware) check
*/
return 0;
}
#endif

#if defined(CONFIG_SOC_NRF5340_CPUAPP) && CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1
if (image_index == CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER) {
/* Downgrade prevention on network core image is managed by NSIB */
/*
* Downgrade prevention on network core image is managed by NSIB which is a software (not
* hardware) check
*/
return 0;
}
#endif
@@ -2502,14 +2540,20 @@ check_downgrade_prevention(struct boot_loader_state *state)

#if defined(PM_S1_ADDRESS)
if (owner_nsib[BOOT_CURR_IMG(state)]) {
/* Downgrade prevention on S0/S1 image is managed by NSIB */
/*
* Downgrade prevention on S0/S1 image is managed by NSIB which is a software (not
* hardware) check
*/
return 0;
}
#endif

#if defined(CONFIG_SOC_NRF5340_CPUAPP) && CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1
if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER) {
/* Downgrade prevention on network core image is managed by NSIB */
/*
* Downgrade prevention on network core image is managed by NSIB which is a software (not
* hardware) check
*/
return 0;
}
#endif
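Review bot: The doc comment on the new boot_nv_image_should_have_security_counter in the first hunk says `@return true if security counter should be present; false if otherwise`, but the function returns the fih_ret values FIH_FAILURE and FIH_SUCCESS, and the declaration in security_cnt.h documents it that way; change the line to `* @return FIH_SUCCESS if security counter should be present; FIH_FAILURE if otherwise`. The `owner_nsib[image_index]` and CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER tests it introduces are the same two checks that boot_update_security_counter and check_downgrade_prevention repeat in the second and third hunks, so those two could consult the new function instead of keeping three copies of the exemption policy in sync. The size of owner_nsib is not visible here; the new function indexes it with a caller-supplied uint32_t and no range check, which is only safe if every caller guarantees image_index is below the image count — worth confirming or stating in the header comment. boot_update_security_counter and check_downgrade_prevention both start outside their hunks.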