fih: Hardening of fault injection countermeasures
Returned values are now hardcoded. Indeed, while it is not
strictly needed (few return values different from SUCCESS
or FAILURE) complexity added by encoding return values might
cause the software to be vulnerable to fault attacks.
Return type changed from fih_int to fih_ret to make
the whole thing much simpler and therefore more robust
to fault attacks. In addition, its easier to predict
compiler behavior.
Affectation of sentive variables has been hardened using macro
FIH_SET (affectation + check wether write access has been properly
done). FIH_DECLARE() is added to ease the declaration of sentive
variables.
Equality tests fih_eq() and fih_not_eq() are now macros because
inlining produce more complex code (and weaker) than macros.
In addition fih_not_eq is modified to be the negation of fih_eq
which was not the case until now.
when FIH_NOT_EQ is used , FIH_SET(fih_rc, FIH_FAILURE) has been added
in some part of the code.
variable image_mask (bootutil_priv.h) is now volatile because a
double IF test is made on it.
some others parts of the code have been hardenned (eg. loop on images)
Signed-off-by: Michael Grand <m.grand@trustngo.tech>
diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c
index 9a79926..14de8c1 100644
--- a/boot/boot_serial/src/boot_serial.c
+++ b/boot/boot_serial/src/boot_serial.c
@@ -235,14 +235,14 @@
flash_area_read(fap, 0, &hdr, sizeof(hdr));
}
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
if (hdr.ih_magic == IMAGE_MAGIC)
{
BOOT_HOOK_CALL_FIH(boot_image_check_hook,
- fih_int_encode(BOOT_HOOK_REGULAR),
+ FIH_BOOT_HOOK_REGULAR,
fih_rc, image_index, slot);
- if (fih_eq(fih_rc, BOOT_HOOK_REGULAR))
+ if (FIH_EQ(fih_rc, FIH_BOOT_HOOK_REGULAR))
{
#ifdef MCUBOOT_ENC_IMAGES
if (slot == 0 && IS_ENCRYPTED(&hdr)) {
@@ -262,7 +262,7 @@
flash_area_close(fap);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
continue;
}
diff --git a/boot/bootutil/include/bootutil/boot_hooks.h b/boot/bootutil/include/bootutil/boot_hooks.h
index 61de3c4..f1fe152 100644
--- a/boot/bootutil/include/bootutil/boot_hooks.h
+++ b/boot/bootutil/include/bootutil/boot_hooks.h
@@ -80,9 +80,9 @@
*
* @retval FIH_SUCCESS: image is valid, skip direct validation
* FIH_FAILURE: image is invalid, skip direct validation
- * fih encoded BOOT_HOOK_REGULAR: follow the normal execution path.
+ * FIH_BOOT_HOOK_REGULAR: follow the normal execution path.
*/
-fih_int boot_image_check_hook(int img_index, int slot);
+fih_ret boot_image_check_hook(int img_index, int slot);
/** Hook for implement image update
*
diff --git a/boot/bootutil/include/bootutil/bootutil.h b/boot/bootutil/include/bootutil/bootutil.h
index 9c1fbab..9ad962e 100644
--- a/boot/bootutil/include/bootutil/bootutil.h
+++ b/boot/bootutil/include/bootutil/bootutil.h
@@ -78,18 +78,18 @@
};
/* you must have pre-allocated all the entries within this structure */
-fih_int boot_go(struct boot_rsp *rsp);
-fih_int boot_go_for_image_id(struct boot_rsp *rsp, uint32_t image_id);
+fih_ret boot_go(struct boot_rsp *rsp);
+fih_ret boot_go_for_image_id(struct boot_rsp *rsp, uint32_t image_id);
struct boot_loader_state;
void boot_state_clear(struct boot_loader_state *state);
-fih_int context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp);
+fih_ret context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp);
#define SPLIT_GO_OK (0)
#define SPLIT_GO_NON_MATCHING (-1)
#define SPLIT_GO_ERR (-2)
-fih_int split_go(int loader_slot, int split_slot, void **entry);
+fih_ret split_go(int loader_slot, int split_slot, void **entry);
#ifdef __cplusplus
}
diff --git a/boot/bootutil/include/bootutil/fault_injection_hardening.h b/boot/bootutil/include/bootutil/fault_injection_hardening.h
index 05ec6c2..518c137 100644
--- a/boot/bootutil/include/bootutil/fault_injection_hardening.h
+++ b/boot/bootutil/include/bootutil/fault_injection_hardening.h
@@ -43,9 +43,9 @@
*
* The basic call pattern is:
*
- * fih_int fih_rc = FIH_FAILURE;
+ * FIH_DECLARE(fih_rc, FIH_FAILURE);
* FIH_CALL(vulnerable_function, fih_rc, arg1, arg2);
- * if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ * if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
* FIH_PANIC;
* }
*
@@ -93,9 +93,13 @@
#ifndef MCUBOOT_FIH_PROFILE_OFF
#define FIH_POSITIVE_VALUE 0x1AAAAAAA
#define FIH_NEGATIVE_VALUE 0x15555555
+#define FIH_CONST1 0x1FCDEA88
+#define FIH_CONST2 0x19C1F6E1
#else
#define FIH_POSITIVE_VALUE 0
#define FIH_NEGATIVE_VALUE -1
+#define FIH_CONST1 1
+#define FIH_CONST2 1
#endif
/* A volatile mask is used to prevent compiler optimization - the mask is xored
@@ -115,15 +119,19 @@
volatile int val;
volatile int msk;
} fih_int;
+typedef volatile int fih_ret;
#else
typedef int fih_int;
+typedef int fih_ret;
#endif /* FIH_ENABLE_DOUBLE_VARS */
-extern fih_int FIH_SUCCESS;
-extern fih_int FIH_FAILURE;
+extern fih_ret FIH_SUCCESS;
+extern fih_ret FIH_FAILURE;
+extern fih_ret FIH_NO_BOOTABLE_IMAGE;
+extern fih_ret FIH_BOOT_HOOK_REGULAR;
#ifdef FIH_ENABLE_GLOBAL_FAIL
/* Global failure handler - more resistant to unlooping. noinline and used are
@@ -206,21 +214,9 @@
}
/* Standard equality. If A == B then 1, else 0 */
-__attribute__((always_inline)) inline
-int fih_eq(fih_int x, fih_int y)
-{
- fih_int_validate(x);
- fih_int_validate(y);
- return (x.val == y.val) && fih_delay() && (x.msk == y.msk);
-}
-
-__attribute__((always_inline)) inline
-int fih_not_eq(fih_int x, fih_int y)
-{
- fih_int_validate(x);
- fih_int_validate(y);
- return (x.val != y.val) && fih_delay() && (x.msk != y.msk);
-}
+#define FIH_EQ(x, y) ((x == y) && fih_delay() && !(y != x))
+#define FIH_NOT_EQ(x, y) ((x != y) || !fih_delay() || !(y == x))
+#define FIH_SET(x, y) x = y; if(fih_delay() && (x != y)) FIH_PANIC
#else
@@ -246,25 +242,22 @@
return x;
}
-__attribute__((always_inline)) inline
-int fih_eq(fih_int x, fih_int y)
-{
- return x == y;
-}
+#define FIH_EQ(x, y) (x == y)
+#define FIH_NOT_EQ(x, y) (x != y)
+#define FIH_SET(x, y) x = y
-__attribute__((always_inline)) inline
-int fih_not_eq(fih_int x, fih_int y)
-{
- return x != y;
-}
#endif /* FIH_ENABLE_DOUBLE_VARS */
+#define FIH_DECLARE(var, val) \
+ fih_ret var; \
+ FIH_SET(var, val);
+
/* C has a common return pattern where 0 is a correct value and all others are
* errors. This function converts 0 to FIH_SUCCESS and any other number to a
* value that is not FIH_SUCCESS
*/
__attribute__((always_inline)) inline
-fih_int fih_int_encode_zero_equality(int x)
+fih_ret fih_ret_encode_zero_equality(int x)
{
if (x) {
return FIH_FAILURE;
diff --git a/boot/bootutil/include/bootutil/image.h b/boot/bootutil/include/bootutil/image.h
index c7599d7..fa33732 100644
--- a/boot/bootutil/include/bootutil/image.h
+++ b/boot/bootutil/include/bootutil/image.h
@@ -159,7 +159,7 @@
"struct image_header not required size");
struct enc_key_data;
-fih_int bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
+fih_ret bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
struct image_header *hdr,
const struct flash_area *fap,
uint8_t *tmp_buf, uint32_t tmp_buf_sz,
diff --git a/boot/bootutil/include/bootutil/security_cnt.h b/boot/bootutil/include/bootutil/security_cnt.h
index b0f9f11..e1562d2 100644
--- a/boot/bootutil/include/bootutil/security_cnt.h
+++ b/boot/bootutil/include/bootutil/security_cnt.h
@@ -37,7 +37,7 @@
*
* @return FIH_SUCCESS on success
*/
-fih_int boot_nv_security_counter_init(void);
+fih_ret boot_nv_security_counter_init(void);
/**
* Reads the stored value of a given image's security counter.
@@ -47,7 +47,7 @@
*
* @return FIH_SUCCESS on success
*/
-fih_int boot_nv_security_counter_get(uint32_t image_id, fih_int *security_cnt);
+fih_ret boot_nv_security_counter_get(uint32_t image_id, fih_int *security_cnt);
/**
* Updates the stored value of a given image's security counter with a new
diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c
index 94521c4..0cfed0d 100644
--- a/boot/bootutil/src/bootutil_misc.c
+++ b/boot/bootutil/src/bootutil_misc.c
@@ -63,17 +63,17 @@
*/
#ifdef MCUBOOT_FIH_PROFILE_OFF
inline
-fih_int boot_fih_memequal(const void *s1, const void *s2, size_t n)
+fih_ret boot_fih_memequal(const void *s1, const void *s2, size_t n)
{
return memcmp(s1, s2, n);
}
#else
-fih_int boot_fih_memequal(const void *s1, const void *s2, size_t n)
+fih_ret boot_fih_memequal(const void *s1, const void *s2, size_t n)
{
size_t i;
uint8_t *s1_p = (uint8_t*) s1;
uint8_t *s2_p = (uint8_t*) s2;
- fih_int ret = FIH_FAILURE;
+ FIH_DECLARE(ret, FIH_FAILURE);
for (i = 0; i < n; i++) {
if (s1_p[i] != s2_p[i]) {
diff --git a/boot/bootutil/src/bootutil_priv.h b/boot/bootutil/src/bootutil_priv.h
index 43a2bac..3517d37 100644
--- a/boot/bootutil/src/bootutil_priv.h
+++ b/boot/bootutil/src/bootutil_priv.h
@@ -256,10 +256,10 @@
#endif /* MCUBOOT_DIRECT_XIP || MCUBOOT_RAM_LOAD */
};
-fih_int bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig,
+fih_ret bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig,
size_t slen, uint8_t key_id);
-fih_int boot_fih_memequal(const void *s1, const void *s2, size_t n);
+fih_ret boot_fih_memequal(const void *s1, const void *s2, size_t n);
int boot_magic_compatible_check(uint8_t tbl_val, uint8_t val);
uint32_t boot_status_sz(uint32_t min_write_sz);
diff --git a/boot/bootutil/src/fault_injection_hardening.c b/boot/bootutil/src/fault_injection_hardening.c
index 5ee109c..11436cf 100644
--- a/boot/bootutil/src/fault_injection_hardening.c
+++ b/boot/bootutil/src/fault_injection_hardening.c
@@ -11,13 +11,13 @@
* not to optimize the double check. Value doesn't matter.
*/
volatile int _fih_mask = _FIH_MASK_VALUE;
-fih_int FIH_SUCCESS = {FIH_POSITIVE_VALUE, _FIH_MASK_VALUE ^ FIH_POSITIVE_VALUE};
-fih_int FIH_FAILURE = {FIH_NEGATIVE_VALUE, _FIH_MASK_VALUE ^ FIH_NEGATIVE_VALUE};
-#else
-fih_int FIH_SUCCESS = {FIH_POSITIVE_VALUE};
-fih_int FIH_FAILURE = {FIH_NEGATIVE_VALUE};
#endif /* FIH_ENABLE_DOUBLE_VARS */
+fih_ret FIH_SUCCESS = FIH_POSITIVE_VALUE;
+fih_ret FIH_FAILURE = FIH_NEGATIVE_VALUE;
+fih_ret FIH_NO_BOOTABLE_IMAGE = FIH_CONST1;
+fih_ret FIH_BOOT_HOOK_REGULAR = FIH_CONST2;
+
#ifdef FIH_ENABLE_CFI
#ifdef FIH_ENABLE_DOUBLE_VARS
diff --git a/boot/bootutil/src/image_rsa.c b/boot/bootutil/src/image_rsa.c
index 42d2db7..0e0782b 100644
--- a/boot/bootutil/src/image_rsa.c
+++ b/boot/bootutil/src/image_rsa.c
@@ -161,7 +161,7 @@
* v2.2, section 9.1.2, with many parameters required to have fixed
* values.
*/
-static fih_int
+static fih_ret
bootutil_cmp_rsasig(mbedtls_rsa_context *ctx, uint8_t *hash, uint32_t hlen,
uint8_t *sig)
{
@@ -170,22 +170,18 @@
uint8_t db_mask[PSS_MASK_LEN];
uint8_t h2[PSS_HLEN];
int i;
- int rc = 0;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
if (ctx->MBEDTLS_CONTEXT_MEMBER(len) != PSS_EMLEN ||
PSS_EMLEN > MBEDTLS_MPI_MAX_SIZE) {
- rc = -1;
goto out;
}
if (hlen != PSS_HLEN) {
- rc = -1;
goto out;
}
if (mbedtls_rsa_public(ctx, sig, em)) {
- rc = -1;
goto out;
}
@@ -214,7 +210,6 @@
* 0xbc, output inconsistent and stop.
*/
if (em[PSS_EMLEN - 1] != 0xbc) {
- rc = -1;
goto out;
}
@@ -255,13 +250,11 @@
* hexadecimal value 0x01, output "inconsistent" and stop. */
for (i = 0; i < PSS_MASK_ZERO_COUNT; i++) {
if (db_mask[i] != 0) {
- rc = -1;
goto out;
}
}
if (db_mask[PSS_MASK_ONE_POS] != 1) {
- rc = -1;
goto out;
}
@@ -282,20 +275,16 @@
FIH_CALL(boot_fih_memequal, fih_rc, h2, &em[PSS_HASH_OFFSET], PSS_HLEN);
out:
- if (rc) {
- fih_rc = fih_int_encode(rc);
- }
-
FIH_RET(fih_rc);
}
-fih_int
+fih_ret
bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,
uint8_t key_id)
{
mbedtls_rsa_context ctx;
int rc;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
uint8_t *cp;
uint8_t *end;
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index fd4f4ce..a866281 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -238,7 +238,7 @@
uint8_t key_hash[32];
size_t key_hash_size = sizeof(key_hash);
int rc;
- fih_int fih_rc;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
bootutil_sha256_init(&sha256_ctx);
bootutil_sha256_update(&sha256_ctx, key, key_len);
@@ -257,7 +257,7 @@
* HW) a fault is injected to accept the public key as valid one.
*/
FIH_CALL(boot_fih_memequal, fih_rc, hash, key_hash, key_hash_size);
- if (fih_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_EQ(fih_rc, FIH_SUCCESS)) {
bootutil_keys[0].key = key;
pub_key_len = key_len;
return 0;
@@ -332,7 +332,7 @@
* Verify the integrity of the image.
* Return non-zero if image could not be validated/does not validate.
*/
-fih_int
+fih_ret
bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
struct image_header *hdr, const struct flash_area *fap,
uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *seed,
@@ -343,7 +343,7 @@
uint16_t type;
int sha256_valid = 0;
#ifdef EXPECTED_SIG_TLV
- fih_int valid_signature = FIH_FAILURE;
+ FIH_DECLARE(valid_signature, FIH_FAILURE);
int key_id = -1;
#ifdef MCUBOOT_HW_KEY
/* Few extra bytes for encoding and for public exponent. */
@@ -354,11 +354,11 @@
uint8_t buf[SIG_BUF_SIZE];
uint8_t hash[32];
int rc = 0;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
#ifdef MCUBOOT_HW_ROLLBACK_PROT
fih_int security_cnt = fih_int_encode(INT_MAX);
uint32_t img_security_cnt = 0;
- fih_int security_counter_valid = FIH_FAILURE;
+ FIH_DECLARE(security_counter_valid, FIH_FAILURE);
#endif
rc = bootutil_img_hash(enc_state, image_index, hdr, fap, tmp_buf,
@@ -408,7 +408,8 @@
}
FIH_CALL(boot_fih_memequal, fih_rc, hash, buf, sizeof(hash));
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+ FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}
@@ -488,16 +489,18 @@
FIH_CALL(boot_nv_security_counter_get, fih_rc, image_index,
&security_cnt);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+ FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}
/* Compare the new image's security counter value against the
* stored security counter value.
*/
- fih_rc = fih_int_encode_zero_equality(img_security_cnt <
+ fih_rc = fih_ret_encode_zero_equality(img_security_cnt <
fih_int_decode(security_cnt));
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+ FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}
@@ -512,11 +515,10 @@
goto out;
}
#ifdef EXPECTED_SIG_TLV
- fih_rc = fih_int_encode_zero_equality(fih_not_eq(valid_signature,
- FIH_SUCCESS));
+ FIH_SET(fih_rc, valid_signature);
#endif
#ifdef MCUBOOT_HW_ROLLBACK_PROT
- if (fih_not_eq(security_counter_valid, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(security_counter_valid, FIH_SUCCESS)) {
rc = -1;
goto out;
}
@@ -524,7 +526,7 @@
out:
if (rc) {
- fih_rc = fih_int_encode(rc);
+ FIH_SET(fih_rc, FIH_FAILURE);
}
FIH_RET(fih_rc);
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
index e59fad7..aeced6f 100644
--- a/boot/bootutil/src/loader.c
+++ b/boot/bootutil/src/loader.c
@@ -475,14 +475,14 @@
/*
* Validate image hash/signature and optionally the security counter in a slot.
*/
-static fih_int
+static fih_ret
boot_image_check(struct boot_loader_state *state, struct image_header *hdr,
const struct flash_area *fap, struct boot_status *bs)
{
TARGET_STATIC uint8_t tmpbuf[BOOT_TMPBUF_SZ];
uint8_t image_index;
int rc;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
#if (BOOT_IMAGE_NUMBER == 1)
(void)state;
@@ -514,7 +514,7 @@
}
#if !defined(MCUBOOT_DIRECT_XIP) && !defined(MCUBOOT_RAM_LOAD)
-static fih_int
+static fih_ret
split_image_check(struct image_header *app_hdr,
const struct flash_area *app_fap,
struct image_header *loader_hdr,
@@ -522,7 +522,7 @@
{
static void *tmpbuf;
uint8_t loader_hash[32];
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
if (!tmpbuf) {
tmpbuf = malloc(BOOT_TMPBUF_SZ);
@@ -533,7 +533,7 @@
FIH_CALL(bootutil_img_validate, fih_rc, NULL, 0, loader_hdr, loader_fap,
tmpbuf, BOOT_TMPBUF_SZ, NULL, 0, loader_hash);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
FIH_RET(fih_rc);
}
@@ -699,17 +699,17 @@
*
* @returns
* FIH_SUCCESS if image was successfully validated
- * 1 (or its fih_int encoded form) if no bootloable image was found
+ * FIH_NO_BOOTABLE_IMAGE if no bootloable image was found
* FIH_FAILURE on any errors
*/
-static fih_int
+static fih_ret
boot_validate_slot(struct boot_loader_state *state, int slot,
struct boot_status *bs)
{
const struct flash_area *fap;
struct image_header *hdr;
int area_id;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
int rc;
area_id = flash_area_id_from_multi_image_slot(BOOT_CURR_IMG(state), slot);
@@ -739,7 +739,7 @@
#endif
/* No bootable image in slot; continue booting from the primary slot. */
- fih_rc = fih_int_encode(1);
+ fih_rc = FIH_NO_BOOTABLE_IMAGE;
goto out;
}
@@ -755,18 +755,18 @@
/* Image in the secondary slot does not satisfy version requirement.
* Erase the image and continue booting from the primary slot.
*/
- fih_rc = fih_int_encode(1);
+ fih_rc = FIH_NO_BOOTABLE_IMAGE;
goto out;
}
}
#endif
- BOOT_HOOK_CALL_FIH(boot_image_check_hook, fih_int_encode(BOOT_HOOK_REGULAR),
+ BOOT_HOOK_CALL_FIH(boot_image_check_hook, FIH_BOOT_HOOK_REGULAR,
fih_rc, BOOT_CURR_IMG(state), slot);
- if (fih_eq(fih_rc, fih_int_encode(BOOT_HOOK_REGULAR)))
+ if (FIH_EQ(fih_rc, FIH_BOOT_HOOK_REGULAR))
{
FIH_CALL(boot_image_check, fih_rc, state, hdr, fap, bs);
}
- if (!boot_is_header_valid(hdr, fap) || fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (!boot_is_header_valid(hdr, fap) || FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
if ((slot != BOOT_PRIMARY_SLOT) || ARE_SLOTS_EQUIVALENT()) {
flash_area_erase(fap, 0, flash_area_get_size(fap));
/* Image is invalid, erase it to prevent further unnecessary
@@ -777,7 +777,7 @@
BOOT_LOG_ERR("Image in the %s slot is not valid!",
(slot == BOOT_PRIMARY_SLOT) ? "primary" : "secondary");
#endif
- fih_rc = fih_int_encode(1);
+ fih_rc = FIH_NO_BOOTABLE_IMAGE;
goto out;
}
@@ -795,7 +795,7 @@
rc = flash_area_read(fap, reset_addr, &reset_value, sizeof(reset_value));
if (rc != 0) {
- fih_rc = fih_int_encode(1);
+ fih_rc = FIH_NO_BOOTABLE_IMAGE;
goto out;
}
@@ -810,7 +810,7 @@
* Erase the image and continue booting from the primary slot.
*/
flash_area_erase(fap, 0, fap->fa_size);
- fih_rc = fih_int_encode(1);
+ fih_rc = FIH_NO_BOOTABLE_IMAGE;
goto out;
}
}
@@ -881,7 +881,7 @@
struct boot_status *bs)
{
int swap_type;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state));
if (BOOT_IS_UPGRADE(swap_type)) {
@@ -889,8 +889,8 @@
* Ensure image is valid.
*/
FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_SECONDARY_SLOT, bs);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
- if (fih_eq(fih_rc, fih_int_encode(1))) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+ if (FIH_EQ(fih_rc, FIH_NO_BOOTABLE_IMAGE)) {
swap_type = BOOT_SWAP_TYPE_NONE;
} else {
swap_type = BOOT_SWAP_TYPE_FAIL;
@@ -1526,10 +1526,10 @@
* primary slot (the validity of the image in the secondary slot had
* already been checked).
*/
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
rc = boot_check_header_erased(state, BOOT_PRIMARY_SLOT);
FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, bs);
- if (rc == 0 || fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (rc == 0 || FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
rc = boot_copy_image(state, bs);
} else {
rc = boot_swap_image(state, bs);
@@ -1711,7 +1711,7 @@
struct boot_status *bs)
{
int rc;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
/* Determine the sector layout of the image slots and scratch area. */
rc = boot_read_sectors(state);
@@ -1814,7 +1814,7 @@
} else {
FIH_CALL(boot_validate_slot, fih_rc,
state, BOOT_SECONDARY_SLOT, bs);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_FAIL;
} else {
BOOT_SWAP_TYPE(state) = bs->swap_type;
@@ -1837,13 +1837,13 @@
FIH_CALL(boot_validate_slot, fih_rc,
state, BOOT_PRIMARY_SLOT, bs);
- if (rc == 0 || fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (rc == 0 || FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
rc = (boot_img_hdr(state, BOOT_SECONDARY_SLOT)->ih_magic == IMAGE_MAGIC) ? 1: 0;
FIH_CALL(boot_validate_slot, fih_rc,
state, BOOT_SECONDARY_SLOT, bs);
- if (rc == 1 && fih_eq(fih_rc, FIH_SUCCESS)) {
+ if (rc == 1 && FIH_EQ(fih_rc, FIH_SUCCESS)) {
/* Set swap type to REVERT to overwrite the primary
* slot with the image contained in secondary slot
* and to trigger the explicit setting of the
@@ -1959,16 +1959,17 @@
#endif
}
-fih_int
+fih_ret
context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
{
size_t slot;
struct boot_status bs;
int rc = -1;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
int fa_id;
int image_index;
bool has_upgrade;
+ volatile int fih_cnt;
/* The array of slot sectors are defined here (as opposed to file scope) so
* that they don't get allocated for non-boot-loader apps. This is
@@ -2137,9 +2138,16 @@
* have finished. By the end of the loop each image in the primary slot will
* have been re-validated.
*/
+ FIH_SET(fih_cnt, 0);
IMAGES_ITER(BOOT_CURR_IMG(state)) {
#if BOOT_IMAGE_NUMBER > 1
- if (state->img_mask[BOOT_CURR_IMG(state)]) {
+ /* Hardenned to prevent from skipping check of a given image,
+ * tmp_img_mask is declared volatile
+ */
+ volatile bool tmp_img_mask;
+ FIH_SET(tmp_img_mask, state->img_mask[BOOT_CURR_IMG(state)]);
+ if (FIH_EQ(tmp_img_mask, true)) {
+ ++fih_cnt;
continue;
}
#endif
@@ -2149,6 +2157,7 @@
*/
rc = boot_read_image_headers(state, false, &bs);
if (rc != 0) {
+ FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}
/* Since headers were reloaded, it can be assumed we just performed
@@ -2160,7 +2169,13 @@
#ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT
FIH_CALL(boot_validate_slot, fih_rc, state, BOOT_PRIMARY_SLOT, NULL);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ /* Check for all possible values is redundant in normal operation it
+ * is meant to prevent FI attack.
+ */
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS) ||
+ FIH_EQ(fih_rc, FIH_FAILURE) ||
+ FIH_EQ(fih_rc, FIH_NO_BOOTABLE_IMAGE)) {
+ FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}
#else
@@ -2173,21 +2188,32 @@
BOOT_IMG(state, BOOT_PRIMARY_SLOT).hdr.ih_magic,
BOOT_CURR_IMG(state));
rc = BOOT_EBADIMAGE;
+ FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}
#endif /* MCUBOOT_VALIDATE_PRIMARY_SLOT */
rc = boot_update_hw_rollback_protection(state);
if (rc != 0) {
+ FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}
rc = boot_add_shared_data(state, BOOT_PRIMARY_SLOT);
if (rc != 0) {
+ FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}
+ ++fih_cnt;
}
-
+ /*
+ * fih_cnt should be equal to BOOT_IMAGE_NUMBER now.
+ * If this is not the case, at least one iteration of the loop
+ * has been skipped.
+ */
+ if(FIH_NOT_EQ(fih_cnt, BOOT_IMAGE_NUMBER)) {
+ FIH_PANIC;
+ }
/*
* Since the boot_status struct stores plaintext encryption keys, reset
* them here to avoid the possibility of jumping into an image that could
@@ -2200,15 +2226,10 @@
fih_rc = FIH_SUCCESS;
out:
close_all_flash_areas(state);
-
- if (rc) {
- fih_rc = fih_int_encode(rc);
- }
-
FIH_RET(fih_rc);
}
-fih_int
+fih_ret
split_go(int loader_slot, int split_slot, void **entry)
{
boot_sector_t *sectors;
@@ -2216,7 +2237,7 @@
int loader_flash_id;
int split_flash_id;
int rc;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
sectors = malloc(BOOT_MAX_IMG_SECTORS * 2 * sizeof *sectors);
if (sectors == NULL) {
@@ -2255,7 +2276,7 @@
BOOT_IMG_AREA(&boot_data, split_slot),
boot_img_hdr(&boot_data, loader_slot),
BOOT_IMG_AREA(&boot_data, loader_slot));
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
goto done;
}
@@ -2270,7 +2291,7 @@
free(sectors);
if (rc) {
- fih_rc = fih_int_encode(rc);
+ FIH_SET(fih_rc, FIH_FAILURE);
}
FIH_RET(fih_rc);
@@ -3035,12 +3056,12 @@
*
* @return 0 on success; nonzero on failure.
*/
-fih_int
+fih_ret
boot_load_and_validate_images(struct boot_loader_state *state)
{
uint32_t active_slot;
int rc;
- fih_int fih_rc;
+ fih_ret fih_rc;
/* Go over all the images and try to load one */
IMAGES_ITER(BOOT_CURR_IMG(state)) {
@@ -3108,7 +3129,7 @@
#endif /* MCUBOOT_RAM_LOAD */
FIH_CALL(boot_validate_slot, fih_rc, state, active_slot, NULL);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
/* Image is invalid. */
#ifdef MCUBOOT_RAM_LOAD
boot_remove_image_from_sram(state);
@@ -3170,11 +3191,11 @@
#endif
}
-fih_int
+fih_ret
context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
{
int rc;
- fih_int fih_rc = fih_int_encode(0);
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
rc = boot_get_slot_usage(state);
if (rc != 0) {
@@ -3185,7 +3206,8 @@
while (true) {
#endif
FIH_CALL(boot_load_and_validate_images, fih_rc, state);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+ FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}
@@ -3211,11 +3233,13 @@
#endif
rc = boot_update_hw_rollback_protection(state);
if (rc != 0) {
+ FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}
rc = boot_add_shared_data(state, state->slot_usage[BOOT_CURR_IMG(state)].active_slot);
if (rc != 0) {
+ FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}
}
@@ -3230,8 +3254,8 @@
out:
close_all_flash_areas(state);
- if (fih_eq(fih_rc, FIH_SUCCESS)) {
- fih_rc = fih_int_encode(rc);
+ if (rc != 0) {
+ FIH_SET(fih_rc, FIH_FAILURE);
}
FIH_RET(fih_rc);
@@ -3246,10 +3270,10 @@
*
* @return FIH_SUCCESS on success; nonzero on failure.
*/
-fih_int
+fih_ret
boot_go(struct boot_rsp *rsp)
{
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
boot_state_clear(NULL);
@@ -3268,10 +3292,10 @@
*
* @return FIH_SUCCESS on success; nonzero on failure.
*/
-fih_int
+fih_ret
boot_go_for_image_id(struct boot_rsp *rsp, uint32_t image_id)
{
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
if (image_id >= BOOT_IMAGE_NUMBER) {
FIH_RET(FIH_FAILURE);
diff --git a/boot/cypress/MCUBootApp/cy_security_cnt.c b/boot/cypress/MCUBootApp/cy_security_cnt.c
index 81aa54e..3c3b2ec 100644
--- a/boot/cypress/MCUBootApp/cy_security_cnt.c
+++ b/boot/cypress/MCUBootApp/cy_security_cnt.c
@@ -17,20 +17,20 @@
#include "bootutil/security_cnt.h"
#include <stdint.h>
-fih_int
+fih_ret
boot_nv_security_counter_init(void)
{
/* Do nothing. */
- return 0;
+ return FIH_SUCCESS;
}
-fih_int
+fih_ret
boot_nv_security_counter_get(uint32_t image_id, fih_int *security_cnt)
{
(void)image_id;
*security_cnt = 30;
- return 0;
+ return FIH_SUCCESS;
}
int32_t
diff --git a/boot/cypress/MCUBootApp/main.c b/boot/cypress/MCUBootApp/main.c
index 6f987a6..a87d981 100644
--- a/boot/cypress/MCUBootApp/main.c
+++ b/boot/cypress/MCUBootApp/main.c
@@ -82,7 +82,7 @@
struct boot_rsp rsp;
cy_rslt_t rc = CY_RSLT_TYPE_ERROR;
bool boot_succeeded = false;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
SystemInit();
//init_cycfg_clocks();
@@ -138,7 +138,7 @@
{
FIH_CALL(boot_go, fih_rc, &rsp);
- if (fih_eq(fih_rc, FIH_SUCCESS))
+ if (FIH_EQ(fih_rc, FIH_SUCCESS))
{
BOOT_LOG_INF("User Application validated successfully");
/* initialize watchdog timer. it should be updated from user app
diff --git a/boot/espressif/main.c b/boot/espressif/main.c
index 2cfe114..f7778b9 100644
--- a/boot/espressif/main.c
+++ b/boot/espressif/main.c
@@ -148,7 +148,7 @@
struct boot_rsp rsp;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
#ifdef CONFIG_MCUBOOT_SERIAL
boot_console_init();
@@ -166,7 +166,7 @@
* the load information for booting the main image
*/
FIH_CALL(boot_go, fih_rc, &rsp);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
BOOT_LOG_ERR("Unable to find bootable image");
#ifdef CONFIG_SECURE_BOOT
esp_efuse_batch_write_cancel();
diff --git a/boot/mynewt/src/main.c b/boot/mynewt/src/main.c
index 0d8294d..a054fa9 100755
--- a/boot/mynewt/src/main.c
+++ b/boot/mynewt/src/main.c
@@ -219,7 +219,7 @@
struct boot_rsp rsp;
uintptr_t flash_base;
int rc;
- fih_int fih_rc = FIH_FAILURE;
+ fih_ret fih_rc = FIH_FAILURE;
hal_bsp_init();
@@ -247,8 +247,8 @@
boot_preboot();
#endif
FIH_CALL(boot_go, fih_rc, &rsp);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
- assert(fih_int_decode(fih_rc) == FIH_POSITIVE_VALUE);
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+ assert(fih_rc == FIH_SUCCESS);
FIH_PANIC;
}
diff --git a/boot/nuttx/main.c b/boot/nuttx/main.c
index 7921aa6..4460546 100644
--- a/boot/nuttx/main.c
+++ b/boot/nuttx/main.c
@@ -98,7 +98,7 @@
int main(int argc, FAR char *argv[])
{
struct boot_rsp rsp;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
#ifdef NEED_BOARDINIT
/* Perform architecture-specific initialization (if configured) */
@@ -125,7 +125,7 @@
FIH_CALL(boot_go, fih_rc, &rsp);
- if (fih_not_eq(fih_rc, FIH_SUCCESS))
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS))
{
syslog(LOG_ERR, "Unable to find bootable image\n");
FIH_PANIC;
diff --git a/boot/zephyr/hooks_sample.c b/boot/zephyr/hooks_sample.c
index baa2b75..a5a7293 100644
--- a/boot/zephyr/hooks_sample.c
+++ b/boot/zephyr/hooks_sample.c
@@ -42,13 +42,13 @@
* fih encoded BOOT_HOOK_REGULAR if hook not implemented for
* the image-slot.
*/
-fih_int boot_image_check_hook(int img_index, int slot)
+fih_ret boot_image_check_hook(int img_index, int slot)
{
if (img_index == 1 && slot == 0) {
FIH_RET(FIH_SUCCESS);
}
- FIH_RET(fih_int_encode(BOOT_HOOK_REGULAR));
+ FIH_RET(FIH_BOOT_HOOK_REGULAR);
}
int boot_perform_update_hook(int img_index, struct image_header *img_head,
diff --git a/boot/zephyr/include/single_loader.h b/boot/zephyr/include/single_loader.h
index e762d15..347fa09 100644
--- a/boot/zephyr/include/single_loader.h
+++ b/boot/zephyr/include/single_loader.h
@@ -15,6 +15,6 @@
*/
int boot_handle_enc_fw();
-fih_int boot_image_validate(const struct flash_area *fa_p,
+fih_ret boot_image_validate(const struct flash_area *fa_p,
struct image_header *hdr);
#endif
diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c
index 8b09c0f..09ac1d9 100644
--- a/boot/zephyr/main.c
+++ b/boot/zephyr/main.c
@@ -504,7 +504,7 @@
{
struct boot_rsp rsp;
int rc;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
MCUBOOT_WATCHDOG_FEED();
@@ -599,7 +599,7 @@
boot_serial_check_start(&boot_funcs,timeout_in_ms);
#endif
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
BOOT_LOG_ERR("Unable to find bootable image");
mcuboot_status_change(MCUBOOT_STATUS_NO_BOOTABLE_IMAGE_FOUND);
diff --git a/boot/zephyr/single_loader.c b/boot/zephyr/single_loader.c
index f6c65f6..253015e 100644
--- a/boot/zephyr/single_loader.c
+++ b/boot/zephyr/single_loader.c
@@ -28,12 +28,12 @@
*
* @return FIH_SUCCESS on success, error code otherwise
*/
-fih_int
+fih_ret
boot_image_validate(const struct flash_area *fa_p,
struct image_header *hdr)
{
static uint8_t tmpbuf[BOOT_TMPBUF_SZ];
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
/* NOTE: The first argument to boot_image_validate, for enc_state pointer,
* is allowed to be NULL only because the single image loader compiles
@@ -58,13 +58,13 @@
#endif /* MCUBOOT_VALIDATE_PRIMARY_SLOT || MCUBOOT_VALIDATE_PRIMARY_SLOT_ONCE*/
-inline static fih_int
+inline static fih_ret
boot_image_validate_once(const struct flash_area *fa_p,
struct image_header *hdr)
{
static struct boot_swap_state state;
int rc;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
memset(&state, 0, sizeof(struct boot_swap_state));
rc = boot_read_swap_state(fa_p, &state);
@@ -74,7 +74,7 @@
|| state.image_ok != BOOT_FLAG_SET) {
/* At least validate the image once */
FIH_CALL(boot_image_validate, fih_rc, fa_p, hdr);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
FIH_RET(FIH_FAILURE);
}
if (state.magic != BOOT_MAGIC_GOOD) {
@@ -140,12 +140,12 @@
*
* @return FIH_SUCCESS on success, error code otherwise
*/
-inline static fih_int
+inline static fih_ret
boot_image_validate_encrypted(const struct flash_area *fa_p,
struct image_header *hdr)
{
static uint8_t tmpbuf[BOOT_TMPBUF_SZ];
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
struct boot_loader_state boot_data;
struct boot_loader_state *state = &boot_data;
@@ -329,11 +329,11 @@
*
* @return FIH_SUCCESS on success, error code otherwise
*/
-inline static fih_int
+inline static fih_ret
decrypt_image_inplace(const struct flash_area *fa_p,
struct image_header *hdr)
{
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
int rc;
struct boot_loader_state boot_data;
struct boot_loader_state *state = &boot_data;
@@ -359,7 +359,7 @@
#if 0 //Skip this step?, the image will just not boot if it's not decrypted properly
/* First check if the encrypted image is a good image before decrypting */
FIH_CALL(boot_image_validate_encrypted,fih_rc,_fa_p,&_hdr);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
FIH_RET(fih_rc);
}
#endif
@@ -403,7 +403,7 @@
boot_handle_enc_fw()
{
int rc = -1;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(0), &_fa_p);
assert(rc == 0);
@@ -416,7 +416,7 @@
if (IS_ENCRYPTED(&_hdr)) {
//encrypted, we need to decrypt in place
FIH_CALL(decrypt_image_inplace,fih_rc,_fa_p,&_hdr);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
rc = -1;
goto out;
}
@@ -439,11 +439,11 @@
*
* @return FIH_SUCCESS on success; nonzero on failure.
*/
-fih_int
+fih_ret
boot_go(struct boot_rsp *rsp)
{
int rc = -1;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
rc = flash_area_open(FLASH_AREA_IMAGE_PRIMARY(0), &_fa_p);
assert(rc == 0);
@@ -454,12 +454,12 @@
#ifdef MCUBOOT_VALIDATE_PRIMARY_SLOT
FIH_CALL(boot_image_validate, fih_rc, _fa_p, &_hdr);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
goto out;
}
#elif defined(MCUBOOT_VALIDATE_PRIMARY_SLOT_ONCE)
FIH_CALL(boot_image_validate_once, fih_rc, _fa_p, &_hdr);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
goto out;
}
#else