fih: Hardening of fault injection countermeasures
Returned values are now hardcoded. Indeed, while it is not
strictly needed (few return values different from SUCCESS
or FAILURE) complexity added by encoding return values might
cause the software to be vulnerable to fault attacks.
Return type changed from fih_int to fih_ret to make
the whole thing much simpler and therefore more robust
to fault attacks. In addition, its easier to predict
compiler behavior.
Affectation of sentive variables has been hardened using macro
FIH_SET (affectation + check wether write access has been properly
done). FIH_DECLARE() is added to ease the declaration of sentive
variables.
Equality tests fih_eq() and fih_not_eq() are now macros because
inlining produce more complex code (and weaker) than macros.
In addition fih_not_eq is modified to be the negation of fih_eq
which was not the case until now.
when FIH_NOT_EQ is used , FIH_SET(fih_rc, FIH_FAILURE) has been added
in some part of the code.
variable image_mask (bootutil_priv.h) is now volatile because a
double IF test is made on it.
some others parts of the code have been hardenned (eg. loop on images)
Signed-off-by: Michael Grand <m.grand@trustngo.tech>
diff --git a/boot/espressif/main.c b/boot/espressif/main.c
index 2cfe114..f7778b9 100644
--- a/boot/espressif/main.c
+++ b/boot/espressif/main.c
@@ -148,7 +148,7 @@
struct boot_rsp rsp;
- fih_int fih_rc = FIH_FAILURE;
+ FIH_DECLARE(fih_rc, FIH_FAILURE);
#ifdef CONFIG_MCUBOOT_SERIAL
boot_console_init();
@@ -166,7 +166,7 @@
* the load information for booting the main image
*/
FIH_CALL(boot_go, fih_rc, &rsp);
- if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
+ if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
BOOT_LOG_ERR("Unable to find bootable image");
#ifdef CONFIG_SECURE_BOOT
esp_efuse_batch_write_cancel();