bootutil: update to new protected TLV format

Implements the validation system where hashing is performed over header
+ payload + protected TLVs.

Signed-off-by: Fabio Utzig <utzig@apache.org>
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index 1381808..9fbd88f 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -61,15 +61,15 @@
     uint16_t hdr_size;
     uint32_t off;
     int rc;
-#ifdef MCUBOOT_ENC_IMAGES
-    uint32_t protected_off;
     uint32_t blk_off;
-#endif
+    uint32_t tlv_off;
 
 #if (BOOT_IMAGE_NUMBER == 1) || !defined(MCUBOOT_ENC_IMAGES)
     (void)enc_state;
     (void)image_index;
     (void)hdr_size;
+    (void)blk_off;
+    (void)tlv_off;
 #endif
 
 #ifdef MCUBOOT_ENC_IMAGES
@@ -89,25 +89,18 @@
     }
 
     /* Hash is computed over image header and image itself. */
-    hdr_size = hdr->ih_hdr_size;
-    size = BOOT_TLV_OFF(hdr);
+    size = hdr_size = hdr->ih_hdr_size;
+    size += hdr->ih_img_size;
+    tlv_off = size;
 
-#ifdef MCUBOOT_ENC_IMAGES
-    protected_off = size;
-#endif
-
-#if (MCUBOOT_IMAGE_NUMBER > 1)
-    /* If dependency TLVs are present then the TLV info header and the
-     * dependency TLVs are also protected and have to be included in the hash
-     * calculation.
-     */
-    if (hdr->ih_protect_tlv_size != 0) {
-        size += hdr->ih_protect_tlv_size;
-    }
-#endif
+    /* If protected TLVs are present they are also hashed. */
+    size += hdr->ih_protect_tlv_size;
 
     for (off = 0; off < size; off += blk_sz) {
         blk_sz = size - off;
+        if (blk_sz > tmp_buf_sz) {
+            blk_sz = tmp_buf_sz;
+        }
 #ifdef MCUBOOT_ENC_IMAGES
         /* The only data that is encrypted in an image is the payload;
          * both header and TLVs (when protected) are not.
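Review bot: The sizes added together in `size = hdr_size = hdr->ih_hdr_size; size += hdr->ih_img_size;` and `size += hdr->ih_protect_tlv_size;` come from the image header before the image has been authenticated, and nothing in this hunk checks that the additions cannot wrap. If `size` is 32-bit (its declaration is outside the hunk), a wrapped total would make the loop hash a shorter range than the header describes, and `tlv_off` also sets the decrypt window in the next hunk. Unless an earlier check already bounds these fields, I would reject the image first with this function's usual error code, e.g. `if (hdr->ih_img_size > UINT32_MAX - hdr_size || hdr->ih_protect_tlv_size > UINT32_MAX - hdr_size - hdr->ih_img_size) { return -1; }`. The context comment `/* Hash is computed over image header and image itself. */` is now stale and could read `/* Hash is computed over image header, image payload and protected TLVs. */`. The enclosing function begins and ends outside the hunk.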
@@ -115,24 +108,20 @@
         if ((off < hdr_size) && ((off + blk_sz) > hdr_size)) {
             /* read only the header */
             blk_sz = hdr_size - off;
-        } else if (off >= protected_off) {
-            /* read protected TLVs */
-            blk_sz = size - off;
-        } else if ((off + blk_sz) > protected_off) {
-            /* do not copy beyond image payload */
-            blk_sz = protected_off - off;
+        }
+        if ((off < tlv_off) && ((off + blk_sz) > tlv_off)) {
+            /* read only up to the end of the image payload */
+            blk_sz = tlv_off - off;
         }
 #endif
-        if (blk_sz > tmp_buf_sz) {
-            blk_sz = tmp_buf_sz;
-        }
         rc = flash_area_read(fap, off, tmp_buf, blk_sz);
         if (rc) {
             return rc;
         }
 #ifdef MCUBOOT_ENC_IMAGES
         if (MUST_DECRYPT(fap, image_index, hdr)) {
-            if (off >= hdr_size && off < protected_off) {
+            /* Only payload is encrypted (area between header and TLVs) */
+            if (off >= hdr_size && off < tlv_off) {
                 blk_off = (off - hdr_size) & 0xf;
                 boot_encrypt(enc_state, image_index, fap, off - hdr_size,
                         blk_sz, blk_off, tmp_buf);
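Review bot: The decrypt test `off >= hdr_size && off < tlv_off` looks only at the start of the block, so it is correct only because the trimming above keeps every block from straddling `hdr_size` or `tlv_off`. That dependency is not stated anywhere, and the clamp to `tmp_buf_sz` has just been moved ahead of the trimming, so a later reorder could break it without anyone noticing. I would extend the new comment to say so: `/* Only payload is encrypted (area between header and TLVs); blk_sz was trimmed above so a block never crosses hdr_size or tlv_off. */`. The loop body continues outside the hunk.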