Boot: Introduce rollback protection

- Add image security counter verification (read image security counter
  from the manifest and compare it against the stored security counter)
  as a mandatory part of the image validation process.
- Store the newest value of security counter in a non-volatile (NV)
  counter.
- Add security counter interface to MCUBoot.

Change-Id: I608508e707d01c3777788bc754810407fae610e2
Signed-off-by: David Vincze <david.vincze@arm.com>
diff --git a/bl2/ext/mcuboot/include/security_cnt.h b/bl2/ext/mcuboot/include/security_cnt.h
new file mode 100644
index 0000000..7c17a94
--- /dev/null
+++ b/bl2/ext/mcuboot/include/security_cnt.h
@@ -0,0 +1,64 @@
+/*
+ *  Copyright (c) 2019, Arm Limited. All rights reserved.
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef __SECURITY_CNT_H__
+#define __SECURITY_CNT_H__
+
+/**
+ * @file security_cnt.h
+ *
+ * @note The interface must be implemented in a fail-safe way that is
+ *       resistant to asynchronous power failures or it can use hardware
+ *       counters that have this capability, if supported by the platform.
+ *       When a counter incrementation was interrupted it must be able to
+ *       continue the incrementation process or recover the previous consistent
+ *       status of the counters. If the counters have reached a stable status
+ *       (every counter incrementation operation has finished), from that point
+ *       their value cannot decrease due to any kind of power failure.
+ */
+
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Initialises the security counters.
+ *
+ * @return                  0 on success; nonzero on failure.
+ */
+int32_t boot_nv_security_counter_init(void);
+
+/**
+ * Reads the stored value of a given image's security counter.
+ *
+ * @param image_id          Index of the image (from 0).
+ * @param security_cnt      Pointer to store the security counter value.
+ *
+ * @return                  0 on success; nonzero on failure.
+ */
+int32_t boot_nv_security_counter_get(uint32_t image_id, uint32_t *security_cnt);
+
+/**
+ * Updates the stored value of a given image's security counter with a new
+ * security counter value if the new one is greater.
+ *
+ * @param image_id          Index of the image (from 0).
+ * @param img_security_cnt  New security counter value. The new value must be
+ *                          between 0 and UINT32_MAX and it must be greater than
+ *                          or equal to the current security counter value.
+ *
+ * @return                  0 on success; nonzero on failure.
+ */
+int32_t boot_nv_security_counter_update(uint32_t image_id,
+                                        uint32_t img_security_cnt);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __SECURITY_CNT_H__ */
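Review bot: The contract of `boot_nv_security_counter_update` is ambiguous exactly where rollback protection depends on it: the summary says the value is stored "if the new one is greater", the `@param img_security_cnt` text says it "must be greater than or equal to" the current value, and nothing states what is returned when it is lower. I would spell this out in the `@return`, e.g. `@return 0 if the stored counter is now >= img_security_cnt (no write when equal); nonzero, with the stored value unchanged, if img_security_cnt is lower or the write failed.` The intended platform behaviour is not visible in this header, so that wording needs confirming. Likewise, `boot_nv_security_counter_get` should document that `*security_cnt` is not valid on a nonzero return and that an out-of-range `image_id` is an error, so callers fail image validation closed instead of comparing against an unset value. Minor: "between 0 and UINT32_MAX" is always true for a `uint32_t`, and the guard `__SECURITY_CNT_H__` is a reserved identifier; `SECURITY_CNT_H` would avoid that.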