Boot: Add security counter to image manifest
Add command line argument to the imgtool that can be used to add a
security counter TLV to the image manifest. This security counter value
can be used in rollback protection to compare the new image's security
counter against the active image's counter. It can be independent of
the image version, but if it is not specified in the argument list then
the script will generate it from the image version number
(not including the build number).
The value of the security counter is security critical data. Therefore,
this part of the TLV area must be included in the integrity protected
part of the image.
Add security counter to the build system. It can be specified at build
time with "-DSECURITY_COUNTER=<value>", otherwise the generated
security counter value will be added to the signed image.
Change-Id: Ia9773ad7a57fc3a8cc022e1c1df4321e27c912ec
Signed-off-by: David Vincze <david.vincze@arm.com>
diff --git a/bl2/ext/mcuboot/bootutil/include/bootutil/image.h b/bl2/ext/mcuboot/bootutil/include/bootutil/image.h
index 306ab31..871f3fb 100644
--- a/bl2/ext/mcuboot/bootutil/include/bootutil/image.h
+++ b/bl2/ext/mcuboot/bootutil/include/bootutil/image.h
@@ -19,8 +19,9 @@
/*
* Original code taken from mcuboot project at:
- * https://github.com/runtimeco/mcuboot
- * Modifications are Copyright (c) 2018 Arm Limited.
+ * https://github.com/JuulLabs-OSS/mcuboot
+ * Git SHA of the original version: b5b59f16a5768c5175cf6c7ab082e84a5843f06f
+ * Modifications are Copyright (c) 2018-2019 Arm Limited.
*/
#ifndef H_IMAGE_
@@ -66,6 +67,7 @@
#define IMAGE_TLV_KEYHASH 0x01 /* hash of the public key */
#define IMAGE_TLV_SHA256 0x10 /* SHA256 of image hdr and body */
#define IMAGE_TLV_RSA2048_PSS 0x20 /* RSA2048 of hash output */
+#define IMAGE_TLV_SEC_CNT 0x50 /* security counter */
#define IMAGE_VER_MAJOR_LENGTH 8
#define IMAGE_VER_MINOR_LENGTH 8
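Review bot: The comment on the new `IMAGE_TLV_SEC_CNT` define says only `security counter`, while the neighbouring TLV types describe what they carry and how they relate to the image; since the commit message states this TLV must sit in the integrity-protected part of the TLV area, the define should say so, e.g. `#define IMAGE_TLV_SEC_CNT 0x50 /* security counter (protected TLV, covered by the image hash) */`. That tells a reader of the header, without opening image_validate.c, that this value is not subject to the rules for unprotected TLVs. The value 0x50 is a new wire-format constant; presumably imgtool emits the same number, and a comment noting that it must stay in sync would help.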
@@ -83,12 +85,12 @@
struct image_header {
uint32_t ih_magic;
uint32_t ih_load_addr;
- uint16_t ih_hdr_size; /* Size of image header (bytes). */
- uint16_t _pad1;
- uint32_t ih_img_size; /* Does not include header. */
- uint32_t ih_flags; /* IMAGE_F_[...]. */
+ uint16_t ih_hdr_size; /* Size of image header (bytes). */
+ uint16_t ih_protect_tlv_size; /* Size of protected TLV area (bytes). */
+ uint32_t ih_img_size; /* Does not include header. */
+ uint32_t ih_flags; /* IMAGE_F_[...]. */
struct image_version ih_ver;
- uint32_t _pad2;
+ uint32_t _pad1;
};
/** Image TLV header. All fields in little endian. */
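Review bot: `ih_protect_tlv_size` occupies the bytes that were previously `_pad1`, so after this change the boot code will trust that field from every image it sees, including images written before the field existed; the comment should state the contract for that case, e.g. `uint16_t ih_protect_tlv_size; /* Size of protected TLV area (bytes); 0 when the image has no protected TLVs. */`. Whether earlier tooling always zeroed that padding is not visible here; if it did not, a header-parse check that the value is either 0 or keeps the protected area inside the slot would be needed before the field is used to extend the hashed range. Renaming `_pad2` to `_pad1` is cosmetic but changes an identifier other code may reference.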
diff --git a/bl2/ext/mcuboot/bootutil/src/image_validate.c b/bl2/ext/mcuboot/bootutil/src/image_validate.c
index 5cb4b49..68f1c40 100644
--- a/bl2/ext/mcuboot/bootutil/src/image_validate.c
+++ b/bl2/ext/mcuboot/bootutil/src/image_validate.c
@@ -63,11 +63,17 @@
bootutil_sha256_update(&sha256_ctx, seed, seed_len);
}
- /*
- * Hash is computed over image header and image itself. No TLV is
- * included ATM.
- */
+ /* Hash is computed over image header and image itself. */
size = hdr->ih_img_size + hdr->ih_hdr_size;
+
+ /* If a security counter TLV is present then the TLV info header and the
+ * security counter are also protected and must be included in the hash
+ * calculation.
+ */
+ if (hdr->ih_protect_tlv_size != 0) {
+ size += hdr->ih_protect_tlv_size;
+ }
+
for (off = 0; off < size; off += blk_sz) {
blk_sz = size - off;
if (blk_sz > tmp_buf_sz) {
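Review bot: The added `size += hdr->ih_protect_tlv_size` extends the hashed range by a value read straight from the untrusted image header, and nothing in this hunk bounds it; an oversized value makes the loop below read past the image's TLV area (or past the flash area), and whether that is rejected elsewhere is not visible here. `size` is declared outside the hunk, so its width is assumed; if it is the 32-bit sum of `ih_img_size`, `ih_hdr_size` and `ih_protect_tlv_size`, the addition can also wrap. A guard such as `if (hdr->ih_protect_tlv_size > UINT32_MAX - size) return -1;` (using the function's existing error convention) before the addition, together with a check where the header is first parsed that the protected TLV area ends inside the slot, would close this; the `!= 0` test itself is redundant, since adding zero is a no-op. The enclosing function starts before and continues after the hunk.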
@@ -229,7 +235,6 @@
}
/* The TLVs come after the image. */
- /* After image there are TLVs. */
off = hdr->ih_img_size + hdr->ih_hdr_size;
rc = flash_area_read(fap, off, &info, sizeof(info));