Commit 6127fc06 authored by Artur Hadasz's avatar Artur Hadasz Committed by Jamie McCrae

bootutil: Fixed security counter overflow detected to late



This commit fixes the issue, occurring when the maximum amount of
security counter updates has been reached.

This fact was only detected after a permanent update already
happened - the updated firmware was unable to boot, as it
failed when trying to update the security counter after
the permanent swap.

This commit adds the check if the security counter can be
updated (i.e. free security counter slots are still available)
before the swap is performed, fixing the issue.

Signed-off-by: default avatarArtur Hadasz <artur.hadasz@nordicsemi.no>
(cherry picked from commit fe8f9fc0)
parent eddaafea
+13 −0
@@ -63,6 +63,19 @@ fih_ret boot_nv_security_counter_get(uint32_t image_id, fih_int *security_cnt);
int32_t boot_nv_security_counter_update(uint32_t image_id,
                                        uint32_t img_security_cnt);

/**
 * This function verifies whether the security counter update to a given value is possible.
 * The update might not be possible if the maximum amount of security counter updates
 * was reached.
 *
 * @param image_id          Index of the image (from 0).
 * @param img_security_cnt  New security counter value.
 *
 * @return                  FIH_SUCCESS if update is possible; FIH_FAILURE otherwise
 */
fih_ret boot_nv_security_counter_is_update_possible(uint32_t image_id,
                                                    uint32_t img_security_cnt);

#ifdef __cplusplus
}
#endif
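Review bot: The new prototype for boot_nv_security_counter_is_update_possible() is declared unconditionally, but the only caller this commit adds is compiled under MCUBOOT_HW_ROLLBACK_PROT_COUNTER_LIMITED, so the doc comment should tell porters when the backend must provide it, e.g. add ` * Only required when MCUBOOT_HW_ROLLBACK_PROT_COUNTER_LIMITED is defined.` before the @param lines. It would also help to state that a FIH_SUCCESS here does not replace checking the result of the later boot_nv_security_counter_update() call, which is what actually consumes a slot after the swap.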
+13 −0
@@ -581,6 +581,19 @@ bootutil_img_validate(struct boot_loader_state *state,
                goto out;
            }

#ifdef MCUBOOT_HW_ROLLBACK_PROT_COUNTER_LIMITED
            if (img_security_cnt > (uint32_t)fih_int_decode(security_cnt)) {
                FIH_CALL(boot_nv_security_counter_is_update_possible, fih_rc, image_index,
                         img_security_cnt);
                if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
                    FIH_SET(fih_rc, FIH_FAILURE);
                    BOOT_LOG_ERR("Security counter update is not possible, possibly the maximum "
                                 "number of security updates has been reached.");
                    goto out;
                }
            }
#endif

            /* The image's security counter has been successfully verified. */
            security_counter_valid = fih_rc;
#endif /* MCUBOOT_HW_ROLLBACK_PROT */
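Review bot: The new guard under `if (img_security_cnt > (uint32_t)fih_int_decode(security_cnt))` checks capacity per image at validation time, while the counter write itself happens only after the swap; in a multi-image build where the backend's slot budget is shared, each image could pass boot_nv_security_counter_is_update_possible() while only one slot remains, so whether the budget is per image should be confirmed against the backend. The condition is also easy to misread as part of the rollback comparison, so a why-comment above it would help: `/* Only a strictly greater value is written after the swap; make sure the backend still has a free slot before committing to it. */`. The enclosing bootutil_img_validate() starts before the hunk and continues past it.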
+11 −0
@@ -676,6 +676,17 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION
	  Because of the acceptance of equal values it allows for software
	  downgrade to some extent.

config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_LIMITED
	bool "HW based downgrade prevention counter has limited number of updates"
	depends on MCUBOOT_HW_DOWNGRADE_PREVENTION
	help
	  When this option is set, the hardware downgrade prevention counter
	  has limited number of updates. This option will enable checking
	  if it is possible to update the counter before performing
	  the upgrade. If an update package contains a security counter
	  value as a TLV but it is not possible to update the counter,
	  the update will be rejected.

endchoice

config BOOT_WATCHDOG_FEED
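Review bot: The new `config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_LIMITED` block sits between the help text of MCUBOOT_HW_DOWNGRADE_PREVENTION and the `endchoice` that follows it, which looks like the inside of a `choice` block; Kconfig treats every `config` lexically inside a choice as one of its alternatives, so the new symbol would become mutually exclusive with MCUBOOT_HW_DOWNGRADE_PREVENTION and its `depends on` could never be satisfied. If that reading is right, the block should move below `endchoice`, next to BOOT_WATCHDOG_FEED. The wording also needs an article in both the prompt and the first help sentence: `bool "HW based downgrade prevention counter has a limited number of updates"`.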
+4 −0
@@ -151,6 +151,10 @@
#define MCUBOOT_HW_ROLLBACK_PROT
#endif

#ifdef CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_LIMITED
#define MCUBOOT_HW_ROLLBACK_PROT_COUNTER_LIMITED
#endif

#ifdef CONFIG_MEASURED_BOOT
#define MCUBOOT_MEASURED_BOOT
#endif