bootutil: Introduce HW rollback protection

- Add image security counter verification (read security counter value
from the image manifest and compare it against the stored/active
security counter) as an optional part of the image validation process
to prevent the restoration of older, potentially vulnerable images.
- This feature can be enabled with the MCUBOOT_HW_ROLLBACK_PROT option.
- Add security counter interface to MCUBoot. If HW rollback protection
is enabled then the platform must provide a mechanism to store and
read the security counter value in a robust and secure way.

Change-Id: Iee4961c1da5275a98ef17982a65b361370d2a178
Signed-off-by: David Vincze <david.vincze@arm.com>
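The acceptance rule the commit message and the new Kconfig help text describe (image counter must be greater than or equal to the stored counter, the stored counter only ever moves up) as an added example that is not MCUBoot's own code; the `sec_cnt_read`/`sec_cnt_update` functions and the in-memory store are hypothetical stand-ins for the platform interface the commit says a port must provide.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the platform's non-volatile security counter.
 * A real port would back this with an OTP/NV counter; 5 is a constructed
 * sample value for the currently active counter. */
static uint32_t g_stored_sec_cnt = 5;

int sec_cnt_read(uint32_t *out)
{
    *out = g_stored_sec_cnt;
    return 0;
}

/* Monotonic update: the stored counter must never be lowered. */
int sec_cnt_update(uint32_t new_val)
{
    if (new_val < g_stored_sec_cnt) {
        return -1;
    }
    g_stored_sec_cnt = new_val;
    return 0;
}

/* What the validator sees: the image version and the security counter
 * read from the image manifest. The two are independent values. */
struct image_meta {
    uint8_t major;
    uint8_t minor;
    uint32_t sec_cnt;
};

/* Accept only if the image counter is >= the active counter; on a read
 * failure fail closed. Equal counters are accepted, which is why an older
 * version carrying the same counter can still be booted. */
bool hw_rollback_check(const struct image_meta *img)
{
    uint32_t active;
    if (sec_cnt_read(&active) != 0) {
        return false;
    }
    return img->sec_cnt >= active;
}

/* After the image has been confirmed, raise the stored counter to its
 * value so images with a lower counter are rejected from now on. */
int hw_rollback_commit(const struct image_meta *img)
{
    return sec_cnt_update(img->sec_cnt);
}
```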
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
index a5009e4..dacaf3a 100644
--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
@@ -1,4 +1,5 @@
# Copyright (c) 2017 Linaro Limited
+# Copyright (c) 2020 Arm Limited
#
# SPDX-License-Identifier: Apache-2.0
#
@@ -361,8 +362,12 @@
help
Enables support of multi image update.
+choice
+ prompt "Downgrade prevention"
+ optional
+
config MCUBOOT_DOWNGRADE_PREVENTION
- bool "Downgrade prevention"
+ bool "SW based downgrade prevention"
depends on BOOT_UPGRADE_ONLY
help
Prevent downgrades by enforcing incrementing version numbers.
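Review bot: the new `choice` needs a short comment above it explaining that the `optional` keyword is what keeps the previous default (no downgrade prevention at all) selectable and that the two mechanisms are deliberately mutually exclusive; a reader of an existing prj.conf with `CONFIG_MCUBOOT_DOWNGRADE_PREVENTION=y` otherwise has no hint why the symbol can silently stay unset when `BOOT_UPGRADE_ONLY` is off, since `depends on BOOT_UPGRADE_ONLY` now hides one entry of the choice rather than a standalone bool.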
@@ -371,4 +376,14 @@
only protects against some attacks against version downgrades (for
example, a JTAG could be used to write an older version).
+config MCUBOOT_HW_DOWNGRADE_PREVENTION
+ bool "HW based downgrade prevention"
+ help
+ Prevent undesirable/malicious software downgrades. When this option is
+ set, any upgrade must have greater or equal security counter value.
+ Because of the acceptance of equal values it allows for software
+ downgrade to some extent.
+
+endchoice
+
source "Kconfig.zephyr"
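Review bot: the help text for `MCUBOOT_HW_DOWNGRADE_PREVENTION` does not state the platform requirement the commit message gives (a robust store/read implementation for the security counter must be provided by the port), nor that the security counter is a separate value from the image version, so "greater or equal security counter value" can be read as a version comparison. Suggest adding two sentences along the lines of "The security counter is independent of the image version; an older version with an equal counter is still accepted." and "Requires the platform to implement the security counter interface.", so that enabling the option on a port without that interface is not a surprise at link time.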
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
index 14705d3..2b998b5 100644
--- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h
+++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -1,6 +1,6 @@
/*
* Copyright (c) 2018 Open Source Foundries Limited
- * Copyright (c) 2019 Arm Limited
+ * Copyright (c) 2019-2020 Arm Limited
*
* SPDX-License-Identifier: Apache-2.0
*/
@@ -93,6 +93,10 @@
#define MCUBOOT_DOWNGRADE_PREVENTION 1
#endif
+#ifdef CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION
+#define MCUBOOT_HW_ROLLBACK_PROT
+#endif
+
/*
* Enabling this option uses newer flash map APIs. This saves RAM and
* avoids deprecated API usage.
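Review bot: the Kconfig symbol and the C macro differ in name here (`CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION` becomes `MCUBOOT_HW_ROLLBACK_PROT`), whereas the SW option just above keeps its name and is defined as `1`; the HW macro is defined empty, so any consumer must test it with `#ifdef`, never `#if`. A one-line comment above the new `#ifdef` stating the mapping and that `MCUBOOT_HW_ROLLBACK_PROT` is the name the bootutil code checks would save the next reader a grep, or define it as `1` for consistency with `MCUBOOT_DOWNGRADE_PREVENTION`.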