commit f616c5494b8ec6bccf4f7b683d33d11c72640fc1
author Fabio Utzig <utzig@apache.org> Thu Dec 19 15:23:32 2019 -0300
committer Fabio Utzig <utzig@utzig.org> Fri Dec 20 14:57:06 2019 -0300
tree b4f87a1574c7e5c8a90b6f766b6444e74cab4891
parent 3fbbdac56a1d43af68e63581b3654bdb47471e7c

bootutil: zero memory containing plain text keys

Avoid jumping into an image while still having encryption keys stored in
RAM, which could then be recovered by the app.

Signed-off-by: Fabio Utzig <utzig@apache.org>

boot/bootutil/src/loader.c

diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
index 6dee299..8f143a0 100644
--- a/boot/bootutil/src/loader.c
+++ b/boot/bootutil/src/loader.c
@@ -1657,6 +1657,13 @@
     BOOT_CURR_IMG(state) = 0;
 #endif
 
+    /*
+     * Since the boot_status struct stores plaintext encryption keys, reset
+     * them here to avoid the possibility of jumping into an image that could
+     * easily recover them.
+     */
+    memset(&bs, 0, sizeof(struct boot_status));
+
     rsp->br_flash_dev_id = BOOT_IMG_AREA(state, BOOT_PRIMARY_SLOT)->fa_device_id;
     rsp->br_image_off = boot_img_slot_off(state, BOOT_PRIMARY_SLOT);
     rsp->br_hdr = boot_img_hdr(state, BOOT_PRIMARY_SLOT);