Always validate slot 0 when requested
The MCUBOOT_VALIDATE_SLOT0 feature only verifies the signature when
there is no swapping happening. The assumption was that if there is a
swap being done, the code will verify the signature of slot 1 before
doing the slot.
However, either due to bugs, or intentional trickery, it may be possible
to confuse the code into continuing a swap operation. If the data is
modified before this, the bootloader can be tricked into booting the
resulting image in slot 0 without having verified the signature.
Fix this by always verifying slot 0's signature before booting it.
JIRA: MCUB-64
Signed-off-by: David Brown <david.brown@linaro.org>
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
index dc1e88d..aa6e1ab 100644
--- a/boot/bootutil/src/loader.c
+++ b/boot/bootutil/src/loader.c
@@ -1273,14 +1273,6 @@
switch (swap_type) {
case BOOT_SWAP_TYPE_NONE:
-#ifdef MCUBOOT_VALIDATE_SLOT0
- rc = boot_validate_slot(0);
- assert(rc == 0);
- if (rc != 0) {
- rc = BOOT_EBADIMAGE;
- goto out;
- }
-#endif
slot = 0;
break;
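Review bot: Dropping the slot 0 validation from the BOOT_SWAP_TYPE_NONE case is only sound if the same check is re-applied on the common path after the switch, so a short comment at `case BOOT_SWAP_TYPE_NONE:` saying that slot 0 is validated after the switch for every swap type would stop a later reader from re-adding a per-case check here. Separately, the removed block shows the `assert(rc == 0);` placed before `if (rc != 0)`, which means in assert-enabled builds a bad image aborts before the `BOOT_EBADIMAGE` / `goto out` path is ever reached; wherever this block lands, consider whether the assert should stay.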
@@ -1310,6 +1302,15 @@
break;
}
+#ifdef MCUBOOT_VALIDATE_SLOT0
+ rc = boot_validate_slot(0);
+ assert(rc == 0);
+ if (rc != 0) {
+ rc = BOOT_EBADIMAGE;
+ goto out;
+ }
+#endif
+
/* Always boot from the primary slot. */
rsp->br_flash_dev_id = boot_img_fa_device_id(&boot_data, 0);
rsp->br_image_off = boot_img_slot_off(&boot_data, 0);