add option for rollback protection

Depends on 'MCUBOOT_OVERWRITE_ONLY' option since swap info is not protected
by signature

Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
index 0a8f359..c40a8cd 100644
--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
@@ -346,4 +346,14 @@
 	help
 	  Enables support of multi image update.
 
+config MCUBOOT_DOWNGRADE_PREVENTION
+	bool "Downgrade prevention"
+	depends on BOOT_UPGRADE_ONLY
+	help
+	  Prevent downgrades by enforcing incrementing version numbers.
+	  When this option is set, any upgrade must have greater major version
+	  or greater minor version with equal major version. This mechanism
+	  only protects against some attacks against version downgrades (for
+	  example, a JTAG could be used to write an older version).
+
 source "$ZEPHYR_BASE/Kconfig.zephyr"
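Review bot: The closing sentence of the new help text is ambiguous: the JTAG parenthetical reads as an example of an attack the option stops, whereas it appears intended as one it does not stop. State the limit directly, for example `This check does not protect against an attacker who can write flash directly (for example over JTAG).` The help also omits why the option `depends on BOOT_UPGRADE_ONLY`; the commit message gives the reason (swap info is not protected by signature), and one sentence saying so would discourage anyone from lifting the dependency later. If the comparison really looks only at major and minor, as the text implies, it is worth saying outright that revision and build number give no rollback ordering.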
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
index 0daecc7..14705d3 100644
--- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h
+++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -89,6 +89,10 @@
 #define MCUBOOT_IMAGE_NUMBER    1
 #endif
 
+#ifdef CONFIG_MCUBOOT_DOWNGRADE_PREVENTION
+#define MCUBOOT_DOWNGRADE_PREVENTION 1
+#endif
+
 /*
  * Enabling this option uses newer flash map APIs. This saves RAM and
  * avoids deprecated API usage.
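Review bot: The new `MCUBOOT_DOWNGRADE_PREVENTION` define has no comment, and nothing in this hunk ties it to overwrite-only mode; the only visible guard is the Kconfig `depends on`. The commit message says the option depends on overwrite-only because swap info is not protected by signature, so a comment above the `#ifdef` such as `/* Reject upgrades whose version is not greater than the running image; requires MCUBOOT_OVERWRITE_ONLY. */` would record that constraint where the macro is defined. A compile-time guard would also enforce it for builds that set the macros some other way: `#if defined(MCUBOOT_DOWNGRADE_PREVENTION) && !defined(MCUBOOT_OVERWRITE_ONLY)`, `#error "MCUBOOT_DOWNGRADE_PREVENTION requires MCUBOOT_OVERWRITE_ONLY"`, `#endif`. It would have to sit after the point where `MCUBOOT_OVERWRITE_ONLY` is defined, which is outside this hunk.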