Unverified Commit cfec947e authored by Andrzej Puzdrowski's avatar Andrzej Puzdrowski Committed by GitHub

synchronized up to the mcu-tool/mcuboot 4eca54f4

Synchronized to:
https://github.com/mcu-tools/mcuboot/commit/4eca54f4175c76c4525ac0f1eb867ffb7d40e165



- added precise check of the image size
- loader: Added post copy hook to swap function
- added Kconfig option for setting swap using move as default swap algorithm
- zephyr: fixed ram loading for ARM, with correct handling of vector table when code has moved to RAM.

- imgtool: add option to export public PEM

merged using GitHub web gui.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
parents 13f63976 4eca54f4
+2 −0
@@ -21,6 +21,7 @@
#include <inttypes.h>
#include <ctype.h>
#include <stdio.h>
#include <errno.h>

#include "sysflash/sysflash.h"

@@ -32,6 +33,7 @@
#include <zephyr/sys/byteorder.h>
#include <zephyr/sys/__assert.h>
#include <zephyr/drivers/flash.h>
#include <zephyr/kernel.h>
#include <zephyr/sys/crc.h>
#include <zephyr/sys/base64.h>
#include <hal/hal_flash.h>
+24 −0
@@ -387,3 +387,27 @@ boot_write_enc_key(const struct flash_area *fap, uint8_t slot,
    return 0;
}
#endif

uint32_t bootutil_max_image_size(const struct flash_area *fap)
{
#if defined(MCUBOOT_SWAP_USING_SCRATCH)
    return boot_status_off(fap);
#elif defined(MCUBOOT_SWAP_USING_MOVE)
    struct flash_sector sector;
    /* get the last sector offset */
    int rc = flash_area_sector_from_off(boot_status_off(fap), &sector);
    if (rc) {
        BOOT_LOG_ERR("Unable to determine flash sector of the image trailer");
        return 0; /* Returning of zero here should cause any check which uses
                   * this value to fail.
                   */
    }
    return flash_sector_get_off(&sector);
#elif defined(MCUBOOT_OVERWRITE_ONLY)
    return boot_swap_info_off(fap);
#elif defined(MCUBOOT_DIRECT_XIP)
    return boot_swap_info_off(fap);
#elif defined(MCUBOOT_RAM_LOAD)
    return boot_swap_info_off(fap);
#endif
}
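Review bot: The `#if`/`#elif` chain in bootutil_max_image_size has no `#else`, so a configuration that defines none of the five mode macros (if such a build exists) would fall off the end of a non-void function, which is undefined behaviour and something compilers only warn about. Close the chain fail-closed in the same spirit as the MOVE branch, e.g. `#else` / `    return 0; /* unknown update mode: force size checks to fail */`, or use `#error` if every supported build is required to select a mode. Returning 0 when flash_area_sector_from_off fails already gives callers a limit that rejects any image, which is the right default for a size bound used by validation.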
+2 −0
@@ -463,6 +463,8 @@ struct bootsim_ram_info *bootsim_get_ram_info(void);
    (flash_area_read((fap), (start), (output), (size)))
#endif /* MCUBOOT_RAM_LOAD */

uint32_t bootutil_max_image_size(const struct flash_area *fap);

#ifdef __cplusplus
}
#endif
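Review bot: The new public declaration `uint32_t bootutil_max_image_size(const struct flash_area *fap);` has no comment, although its contract matters to callers: the definition in bootutil_misc.c returns a limit that depends on the configured update mode and returns 0 when that limit cannot be determined, so that any size check built on it fails. Add a Doxygen block above it stating what the value means (presumably the upper bound, in bytes, on where an image in `fap` may end, i.e. the start of the trailer or swap-status data for the configured mode), that the result is 0 on failure, and that callers must treat 0 as "reject". This header is the only place code outside the .c file will see that contract.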
+5 −2
@@ -268,7 +268,6 @@ bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len)
#endif /* !MCUBOOT_HW_KEY */
#endif

#ifdef MCUBOOT_HW_ROLLBACK_PROT
/**
 * Reads the value of an image's security counter.
 *
@@ -328,7 +327,6 @@ bootutil_get_img_security_cnt(struct image_header *hdr,

    return 0;
}
#endif /* MCUBOOT_HW_ROLLBACK_PROT */

/*
 * Verify the integrity of the image.
@@ -378,6 +376,11 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
        goto out;
    }

    if (it.tlv_end > bootutil_max_image_size(fap)) {
        rc = -1;
        goto out;
    }

    /*
     * Traverse through all of the TLVs, performing any checks we know
     * and are able to do.
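Review bot: The new `if (it.tlv_end > bootutil_max_image_size(fap))` rejects the image with a bare `rc = -1` and no diagnostic, unlike the other size-limit failure in this commit, which logs through BOOT_LOG_ERR; an oversized or mis-trailered image is then indistinguishable from any other validation failure in the boot log. Add `BOOT_LOG_ERR("Image TLV area ends beyond the maximum image size for this slot");` before the `goto out`. Because bootutil_max_image_size returns 0 when it cannot determine the limit, the comparison fails closed in that case, which is worth stating in a short comment above the check. bootutil_img_validate begins and ends outside this hunk.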
+64 −2
@@ -616,7 +616,7 @@ boot_check_header_erased(struct boot_loader_state *state, int slot)
#if (BOOT_IMAGE_NUMBER > 1) || \
    defined(MCUBOOT_DIRECT_XIP) || \
    defined(MCUBOOT_RAM_LOAD) || \
    (defined(MCUBOOT_OVERWRITE_ONLY) && defined(MCUBOOT_DOWNGRADE_PREVENTION))
    defined(MCUBOOT_DOWNGRADE_PREVENTION)
/**
 * Compare image version numbers not including the build number
 *
@@ -1332,6 +1332,8 @@ boot_swap_image(struct boot_loader_state *state, struct boot_status *bs)
                     boot_status_fails);
    }
#endif
    rc = BOOT_HOOK_CALL(boot_copy_region_post_hook, 0, BOOT_CURR_IMG(state),
                        BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT), size);

    return 0;
}
@@ -1903,6 +1905,60 @@ boot_update_hw_rollback_protection(struct boot_loader_state *state)
#endif
}

/**
 * Checks test swap downgrade prevention conditions.
 *
 * Function called only for swap upgrades test run.  It may prevent
 * swap if slot 1 image has <= version number or < security counter
 *
 * @param  state        Boot loader status information.
 *
 * @return              0 - image can be swapped, -1 downgrade prevention
 */
static int
check_downgrade_prevention(struct boot_loader_state *state)
{
#if defined(MCUBOOT_DOWNGRADE_PREVENTION) && \
    (defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_SCRATCH))
    uint32_t security_counter[2];
    int rc;

    if (MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER) {
        /* If there was security no counter in slot 0, allow swap */
        rc = bootutil_get_img_security_cnt(&(BOOT_IMG(state, 0).hdr),
                                           BOOT_IMG(state, 0).area,
                                           &security_counter[0]);
        if (rc != 0) {
            return 0;
        }
        /* If there is no security counter in slot 1, or it's lower than
         * that of slot 0, prevent downgrade */
        rc = bootutil_get_img_security_cnt(&(BOOT_IMG(state, 1).hdr),
                                           BOOT_IMG(state, 1).area,
                                           &security_counter[1]);
        if (rc != 0 || security_counter[0] > security_counter[1]) {
            rc = -1;
        }
    }
    else {
        rc = boot_version_cmp(&boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_ver,
                              &boot_img_hdr(state, BOOT_PRIMARY_SLOT)->ih_ver);
    }
    if (rc < 0) {
        /* Image in slot 0 prevents downgrade, delete image in slot 1 */
        BOOT_LOG_INF("Image in slot 1 erased due to downgrade prevention");
        flash_area_erase(BOOT_IMG(state, 1).area, 0,
                         flash_area_get_size(BOOT_IMG(state, 1).area));
    } else {
        rc = 0;
    }
    return rc;
#else
    (void)state;
    return 0;
#endif
}

fih_int
context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
{
@@ -2031,7 +2087,13 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
        case BOOT_SWAP_TYPE_NONE:
            break;

        case BOOT_SWAP_TYPE_TEST:          /* fallthrough */
        case BOOT_SWAP_TYPE_TEST:
            if (check_downgrade_prevention(state) != 0) {
                /* Downgrade prevented */
                BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_NONE;
                break;
            }
            /* fallthrough */
        case BOOT_SWAP_TYPE_PERM:          /* fallthrough */
        case BOOT_SWAP_TYPE_REVERT:
            rc = BOOT_HOOK_CALL(boot_perform_update_hook, BOOT_HOOK_REGULAR,
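Review bot: In check_downgrade_prevention the return value of `flash_area_erase(BOOT_IMG(state, 1).area, 0, flash_area_get_size(BOOT_IMG(state, 1).area))` is discarded, so when the erase fails the function still logs that slot 1 was erased and returns -1 while the rejected image stays in place; keep the result, e.g. `if (flash_area_erase(...) != 0) { BOOT_LOG_ERR("Failed to erase slot 1"); }`, and log the erase after it succeeds rather than before. The header comment also says the swap is prevented when slot 1 has a `<=` version, but `if (rc < 0)` only triggers on a strictly-lower result from boot_version_cmp (assuming its usual -1/0/1 convention), so equal versions are still swapped; align the comment or the condition with whichever is intended. In the security-counter path a missing counter in slot 0 returns 0 immediately without falling back to the version comparison, which looks deliberate but deserves a comment saying so. Separately, the hunk at 1332 in boot_swap_image assigns `rc` from boot_copy_region_post_hook and then executes `return 0;`, so a failing hook is silently ignored — either propagate it or make the discard explicit with `(void)`. boot_swap_image and context_boot_go both continue outside their hunks.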