blob: b4e8b798332a5626e9cdef7e968a004aa23a54fd [file] [log] [blame]
Christopher Collins92ea77f2016-12-12 15:59:26 -08001/*
David Brownaac71112020-02-03 16:13:42 -07002 * SPDX-License-Identifier: Apache-2.0
3 *
4 * Copyright (c) 2017-2019 Linaro LTD
5 * Copyright (c) 2016-2019 JUUL Labs
David Vinczee3697842024-04-03 10:24:26 +02006 * Copyright (c) 2019-2024 Arm Limited
David Brownaac71112020-02-03 16:13:42 -07007 *
8 * Original license:
9 *
Christopher Collins92ea77f2016-12-12 15:59:26 -080010 * Licensed to the Apache Software Foundation (ASF) under one
11 * or more contributor license agreements. See the NOTICE file
12 * distributed with this work for additional information
13 * regarding copyright ownership. The ASF licenses this file
14 * to you under the Apache License, Version 2.0 (the
15 * "License"); you may not use this file except in compliance
16 * with the License. You may obtain a copy of the License at
17 *
18 * http://www.apache.org/licenses/LICENSE-2.0
19 *
20 * Unless required by applicable law or agreed to in writing,
21 * software distributed under the License is distributed on an
22 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
23 * KIND, either express or implied. See the License for the
24 * specific language governing permissions and limitations
25 * under the License.
26 */
27
Christopher Collins92ea77f2016-12-12 15:59:26 -080028#include <stddef.h>
David Vinczec3084132020-02-18 14:50:47 +010029#include <stdint.h>
Christopher Collins92ea77f2016-12-12 15:59:26 -080030#include <inttypes.h>
31#include <string.h>
32
Andrzej Puzdrowskib788c712018-04-12 12:42:49 +020033#include <flash_map_backend/flash_map_backend.h>
34
Christopher Collins92ea77f2016-12-12 15:59:26 -080035#include "bootutil/image.h"
Roland Mikhel03c9ad02023-03-08 15:56:43 +010036#include "bootutil/crypto/sha.h"
Christopher Collins92ea77f2016-12-12 15:59:26 -080037#include "bootutil/sign_key.h"
David Vinczec3084132020-02-18 14:50:47 +010038#include "bootutil/security_cnt.h"
Raef Colese8fe6cf2020-05-26 13:07:40 +010039#include "bootutil/fault_injection_hardening.h"
Christopher Collins92ea77f2016-12-12 15:59:26 -080040
Fabio Utzigba1fbe62017-07-21 14:01:20 -030041#include "mcuboot_config/mcuboot_config.h"
Fabio Utzigeed80b62017-06-10 08:03:05 -030042
Fabio Utzigba829042018-09-18 08:29:34 -030043#ifdef MCUBOOT_ENC_IMAGES
44#include "bootutil/enc_key.h"
45#endif
46#if defined(MCUBOOT_SIGN_RSA)
Christopher Collins92ea77f2016-12-12 15:59:26 -080047#include "mbedtls/rsa.h"
David Brownd7e350d2017-04-24 13:29:28 -060048#endif
Roland Mikhel206b9142023-02-23 15:28:52 +010049#if defined(MCUBOOT_SIGN_EC256)
Christopher Collins92ea77f2016-12-12 15:59:26 -080050#include "mbedtls/ecdsa.h"
David Brownd7e350d2017-04-24 13:29:28 -060051#endif
Arvin Farahmandf8240192020-05-05 11:43:52 -040052#if defined(MCUBOOT_ENC_IMAGES) || defined(MCUBOOT_SIGN_RSA) || \
Roland Mikhel206b9142023-02-23 15:28:52 +010053 defined(MCUBOOT_SIGN_EC256)
Christopher Collins92ea77f2016-12-12 15:59:26 -080054#include "mbedtls/asn1.h"
Arvin Farahmandf8240192020-05-05 11:43:52 -040055#endif
Christopher Collins92ea77f2016-12-12 15:59:26 -080056
57#include "bootutil_priv.h"
58
59/*
Roland Mikhel03c9ad02023-03-08 15:56:43 +010060 * Compute SHA hash over the image.
61 * (SHA384 if ECDSA-P384 is being used,
62 * SHA256 otherwise).
Christopher Collins92ea77f2016-12-12 15:59:26 -080063 */
64static int
Fabio Utzig10ee6482019-08-01 12:04:52 -030065bootutil_img_hash(struct enc_key_data *enc_state, int image_index,
66 struct image_header *hdr, const struct flash_area *fap,
67 uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *hash_result,
68 uint8_t *seed, int seed_len)
Christopher Collins92ea77f2016-12-12 15:59:26 -080069{
Roland Mikhel03c9ad02023-03-08 15:56:43 +010070 bootutil_sha_context sha_ctx;
Christopher Collins92ea77f2016-12-12 15:59:26 -080071 uint32_t blk_sz;
72 uint32_t size;
Fabio Utzig2fc80df2018-12-14 06:47:38 -020073 uint16_t hdr_size;
Christopher Collins92ea77f2016-12-12 15:59:26 -080074 uint32_t off;
75 int rc;
Fabio Utzigba829042018-09-18 08:29:34 -030076 uint32_t blk_off;
Fabio Utzige52c08e2019-09-11 19:32:00 -030077 uint32_t tlv_off;
Christopher Collins92ea77f2016-12-12 15:59:26 -080078
Tamas Banfe031092020-09-10 17:32:39 +020079#if (BOOT_IMAGE_NUMBER == 1) || !defined(MCUBOOT_ENC_IMAGES) || \
80 defined(MCUBOOT_RAM_LOAD)
Fabio Utzig10ee6482019-08-01 12:04:52 -030081 (void)enc_state;
Fabio Utzigb0f04732019-07-31 09:49:19 -030082 (void)image_index;
Fabio Utzigc9621352019-08-08 12:15:51 -030083 (void)hdr_size;
Fabio Utzige52c08e2019-09-11 19:32:00 -030084 (void)blk_off;
85 (void)tlv_off;
Tamas Banfe031092020-09-10 17:32:39 +020086#ifdef MCUBOOT_RAM_LOAD
87 (void)blk_sz;
88 (void)off;
89 (void)rc;
David Brown122f9e72021-05-21 15:58:56 -060090 (void)fap;
91 (void)tmp_buf;
92 (void)tmp_buf_sz;
Tamas Banfe031092020-09-10 17:32:39 +020093#endif
Fabio Utzigb0f04732019-07-31 09:49:19 -030094#endif
95
Fabio Utzigbc077932019-08-26 11:16:34 -030096#ifdef MCUBOOT_ENC_IMAGES
97 /* Encrypted images only exist in the secondary slot */
98 if (MUST_DECRYPT(fap, image_index, hdr) &&
99 !boot_enc_valid(enc_state, image_index, fap)) {
100 return -1;
101 }
102#endif
103
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100104 bootutil_sha_init(&sha_ctx);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800105
106 /* in some cases (split image) the hash is seeded with data from
107 * the loader image */
Fabio Utzig53986042017-12-12 14:57:07 -0200108 if (seed && (seed_len > 0)) {
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100109 bootutil_sha_update(&sha_ctx, seed, seed_len);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800110 }
111
David Vinczee32483f2019-06-13 10:46:24 +0200112 /* Hash is computed over image header and image itself. */
Fabio Utzige52c08e2019-09-11 19:32:00 -0300113 size = hdr_size = hdr->ih_hdr_size;
114 size += hdr->ih_img_size;
115 tlv_off = size;
David Vinczee32483f2019-06-13 10:46:24 +0200116
Fabio Utzige52c08e2019-09-11 19:32:00 -0300117 /* If protected TLVs are present they are also hashed. */
118 size += hdr->ih_protect_tlv_size;
David Vinczee32483f2019-06-13 10:46:24 +0200119
Tamas Banfe031092020-09-10 17:32:39 +0200120#ifdef MCUBOOT_RAM_LOAD
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100121 bootutil_sha_update(&sha_ctx,
122 (void*)(IMAGE_RAM_BASE + hdr->ih_load_addr),
123 size);
Tamas Banfe031092020-09-10 17:32:39 +0200124#else
Christopher Collins92ea77f2016-12-12 15:59:26 -0800125 for (off = 0; off < size; off += blk_sz) {
126 blk_sz = size - off;
Fabio Utzige52c08e2019-09-11 19:32:00 -0300127 if (blk_sz > tmp_buf_sz) {
128 blk_sz = tmp_buf_sz;
129 }
Fabio Utzigc21c2102019-09-10 10:10:42 -0300130#ifdef MCUBOOT_ENC_IMAGES
131 /* The only data that is encrypted in an image is the payload;
132 * both header and TLVs (when protected) are not.
133 */
134 if ((off < hdr_size) && ((off + blk_sz) > hdr_size)) {
135 /* read only the header */
136 blk_sz = hdr_size - off;
Fabio Utzige52c08e2019-09-11 19:32:00 -0300137 }
138 if ((off < tlv_off) && ((off + blk_sz) > tlv_off)) {
139 /* read only up to the end of the image payload */
140 blk_sz = tlv_off - off;
Fabio Utzigc21c2102019-09-10 10:10:42 -0300141 }
142#endif
Christopher Collins92ea77f2016-12-12 15:59:26 -0800143 rc = flash_area_read(fap, off, tmp_buf, blk_sz);
144 if (rc) {
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100145 bootutil_sha_drop(&sha_ctx);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800146 return rc;
147 }
Fabio Utzigba829042018-09-18 08:29:34 -0300148#ifdef MCUBOOT_ENC_IMAGES
Fabio Utzigc21c2102019-09-10 10:10:42 -0300149 if (MUST_DECRYPT(fap, image_index, hdr)) {
Fabio Utzige52c08e2019-09-11 19:32:00 -0300150 /* Only payload is encrypted (area between header and TLVs) */
151 if (off >= hdr_size && off < tlv_off) {
Fabio Utzigc21c2102019-09-10 10:10:42 -0300152 blk_off = (off - hdr_size) & 0xf;
Thomas Altenbach08d2d942024-04-25 15:29:21 +0200153 boot_encrypt(enc_state, image_index, flash_area_get_id(fap), off - hdr_size,
Fabio Utzigc21c2102019-09-10 10:10:42 -0300154 blk_sz, blk_off, tmp_buf);
155 }
Fabio Utzigba829042018-09-18 08:29:34 -0300156 }
157#endif
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100158 bootutil_sha_update(&sha_ctx, tmp_buf, blk_sz);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800159 }
Tamas Banfe031092020-09-10 17:32:39 +0200160#endif /* MCUBOOT_RAM_LOAD */
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100161 bootutil_sha_finish(&sha_ctx, hash_result);
162 bootutil_sha_drop(&sha_ctx);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800163
164 return 0;
165}
166
167/*
David Brown43cda332017-09-01 09:53:23 -0600168 * Currently, we only support being able to verify one type of
169 * signature, because there is a single verification function that we
170 * call. List the type of TLV we are expecting. If we aren't
171 * configured for any signature, don't define this macro.
172 */
Fabio Utzig48764842019-05-10 19:28:24 -0300173#if (defined(MCUBOOT_SIGN_RSA) + \
Fabio Utzig48764842019-05-10 19:28:24 -0300174 defined(MCUBOOT_SIGN_EC256) + \
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100175 defined(MCUBOOT_SIGN_EC384) + \
Fabio Utzig48764842019-05-10 19:28:24 -0300176 defined(MCUBOOT_SIGN_ED25519)) > 1
Fabio Utzig3501c012019-05-13 15:07:25 -0700177#error "Only a single signature type is supported!"
178#endif
179
David Brown43cda332017-09-01 09:53:23 -0600180#if defined(MCUBOOT_SIGN_RSA)
Fabio Utzig3501c012019-05-13 15:07:25 -0700181# if MCUBOOT_SIGN_RSA_LEN == 2048
182# define EXPECTED_SIG_TLV IMAGE_TLV_RSA2048_PSS
183# elif MCUBOOT_SIGN_RSA_LEN == 3072
184# define EXPECTED_SIG_TLV IMAGE_TLV_RSA3072_PSS
185# else
186# error "Unsupported RSA signature length"
David Brown43cda332017-09-01 09:53:23 -0600187# endif
Fabio Utzig3501c012019-05-13 15:07:25 -0700188# define SIG_BUF_SIZE (MCUBOOT_SIGN_RSA_LEN / 8)
189# define EXPECTED_SIG_LEN(x) ((x) == SIG_BUF_SIZE) /* 2048 bits */
Roland Mikhel63d23462023-02-08 14:00:54 +0100190#elif defined(MCUBOOT_SIGN_EC256) || \
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100191 defined(MCUBOOT_SIGN_EC384) || \
Roland Mikhel63d23462023-02-08 14:00:54 +0100192 defined(MCUBOOT_SIGN_EC)
193# define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA_SIG
Fabio Utzig3501c012019-05-13 15:07:25 -0700194# define SIG_BUF_SIZE 128
Roland Mikhel63d23462023-02-08 14:00:54 +0100195# define EXPECTED_SIG_LEN(x) (1) /* always true, ASN.1 will validate */
Fabio Utzig48764842019-05-10 19:28:24 -0300196#elif defined(MCUBOOT_SIGN_ED25519)
197# define EXPECTED_SIG_TLV IMAGE_TLV_ED25519
198# define SIG_BUF_SIZE 64
199# define EXPECTED_SIG_LEN(x) ((x) == SIG_BUF_SIZE)
Fabio Utzig3501c012019-05-13 15:07:25 -0700200#else
201# define SIG_BUF_SIZE 32 /* no signing, sha256 digest only */
David Brown43cda332017-09-01 09:53:23 -0600202#endif
203
David Vinczee3697842024-04-03 10:24:26 +0200204#if (defined(MCUBOOT_HW_KEY) + \
205 defined(MCUBOOT_BUILTIN_KEY)) > 1
206#error "Please use either MCUBOOT_HW_KEY or the MCUBOOT_BUILTIN_KEY feature."
207#endif
208
David Brown43cda332017-09-01 09:53:23 -0600209#ifdef EXPECTED_SIG_TLV
David Vinczee3697842024-04-03 10:24:26 +0200210
211#if !defined(MCUBOOT_BUILTIN_KEY)
212#if !defined(MCUBOOT_HW_KEY)
213/* The key TLV contains the hash of the public key. */
214# define EXPECTED_KEY_TLV IMAGE_TLV_KEYHASH
215# define KEY_BUF_SIZE IMAGE_HASH_SIZE
216#else
217/* The key TLV contains the whole public key.
218 * Add a few extra bytes to the key buffer size for encoding and
219 * for public exponent.
220 */
221# define EXPECTED_KEY_TLV IMAGE_TLV_PUBKEY
222# define KEY_BUF_SIZE (SIG_BUF_SIZE + 24)
223#endif /* !MCUBOOT_HW_KEY */
224
David Vincze03368b82020-04-01 12:53:53 +0200225#if !defined(MCUBOOT_HW_KEY)
David Brown43cda332017-09-01 09:53:23 -0600226static int
227bootutil_find_key(uint8_t *keyhash, uint8_t keyhash_len)
228{
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100229 bootutil_sha_context sha_ctx;
David Brown43cda332017-09-01 09:53:23 -0600230 int i;
231 const struct bootutil_key *key;
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100232 uint8_t hash[IMAGE_HASH_SIZE];
David Brown43cda332017-09-01 09:53:23 -0600233
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100234 if (keyhash_len > IMAGE_HASH_SIZE) {
Fabio Utzig15c14672019-08-09 07:45:20 -0300235 return -1;
236 }
David Brown43cda332017-09-01 09:53:23 -0600237
238 for (i = 0; i < bootutil_key_cnt; i++) {
239 key = &bootutil_keys[i];
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100240 bootutil_sha_init(&sha_ctx);
241 bootutil_sha_update(&sha_ctx, key->key, *key->len);
242 bootutil_sha_finish(&sha_ctx, hash);
David Brown43cda332017-09-01 09:53:23 -0600243 if (!memcmp(hash, keyhash, keyhash_len)) {
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100244 bootutil_sha_drop(&sha_ctx);
David Brown43cda332017-09-01 09:53:23 -0600245 return i;
246 }
247 }
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100248 bootutil_sha_drop(&sha_ctx);
David Brown43cda332017-09-01 09:53:23 -0600249 return -1;
250}
David Vinczee3697842024-04-03 10:24:26 +0200251#else /* !MCUBOOT_HW_KEY */
David Vincze03368b82020-04-01 12:53:53 +0200252extern unsigned int pub_key_len;
253static int
254bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len)
255{
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100256 bootutil_sha_context sha_ctx;
257 uint8_t hash[IMAGE_HASH_SIZE];
258 uint8_t key_hash[IMAGE_HASH_SIZE];
David Vincze03368b82020-04-01 12:53:53 +0200259 size_t key_hash_size = sizeof(key_hash);
260 int rc;
Michael Grand5047f032022-11-24 16:49:56 +0100261 FIH_DECLARE(fih_rc, FIH_FAILURE);
David Vincze03368b82020-04-01 12:53:53 +0200262
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100263 bootutil_sha_init(&sha_ctx);
264 bootutil_sha_update(&sha_ctx, key, key_len);
265 bootutil_sha_finish(&sha_ctx, hash);
266 bootutil_sha_drop(&sha_ctx);
David Vincze03368b82020-04-01 12:53:53 +0200267
268 rc = boot_retrieve_public_key_hash(image_index, key_hash, &key_hash_size);
269 if (rc) {
Mark Horvath7ebf0e82021-02-19 09:55:35 +0100270 return -1;
David Vincze03368b82020-04-01 12:53:53 +0200271 }
272
Raef Colese8fe6cf2020-05-26 13:07:40 +0100273 /* Adding hardening to avoid this potential attack:
274 * - Image is signed with an arbitrary key and the corresponding public
275 * key is added as a TLV field.
276 * - During public key validation (comparing against key-hash read from
277 * HW) a fault is injected to accept the public key as valid one.
278 */
279 FIH_CALL(boot_fih_memequal, fih_rc, hash, key_hash, key_hash_size);
Michael Grand5047f032022-11-24 16:49:56 +0100280 if (FIH_EQ(fih_rc, FIH_SUCCESS)) {
David Vincze03368b82020-04-01 12:53:53 +0200281 bootutil_keys[0].key = key;
282 pub_key_len = key_len;
283 return 0;
284 }
Raef Colese8fe6cf2020-05-26 13:07:40 +0100285
David Vincze03368b82020-04-01 12:53:53 +0200286 return -1;
287}
288#endif /* !MCUBOOT_HW_KEY */
David Vinczee3697842024-04-03 10:24:26 +0200289#endif /* !MCUBOOT_BUILTIN_KEY */
290#endif /* EXPECTED_SIG_TLV */
David Brown43cda332017-09-01 09:53:23 -0600291
David Vinczec3084132020-02-18 14:50:47 +0100292/**
293 * Reads the value of an image's security counter.
294 *
295 * @param hdr Pointer to the image header structure.
296 * @param fap Pointer to a description structure of the image's
297 * flash area.
298 * @param security_cnt Pointer to store the security counter value.
299 *
300 * @return 0 on success; nonzero on failure.
301 */
302int32_t
303bootutil_get_img_security_cnt(struct image_header *hdr,
304 const struct flash_area *fap,
305 uint32_t *img_security_cnt)
306{
307 struct image_tlv_iter it;
308 uint32_t off;
309 uint16_t len;
310 int32_t rc;
311
312 if ((hdr == NULL) ||
313 (fap == NULL) ||
314 (img_security_cnt == NULL)) {
315 /* Invalid parameter. */
316 return BOOT_EBADARGS;
317 }
318
319 /* The security counter TLV is in the protected part of the TLV area. */
320 if (hdr->ih_protect_tlv_size == 0) {
321 return BOOT_EBADIMAGE;
322 }
323
324 rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_SEC_CNT, true);
325 if (rc) {
326 return rc;
327 }
328
329 /* Traverse through the protected TLV area to find
330 * the security counter TLV.
331 */
332
333 rc = bootutil_tlv_iter_next(&it, &off, &len, NULL);
334 if (rc != 0) {
335 /* Security counter TLV has not been found. */
336 return -1;
337 }
338
339 if (len != sizeof(*img_security_cnt)) {
340 /* Security counter is not valid. */
341 return BOOT_EBADIMAGE;
342 }
343
Tamas Banfe031092020-09-10 17:32:39 +0200344 rc = LOAD_IMAGE_DATA(hdr, fap, off, img_security_cnt, len);
David Vinczec3084132020-02-18 14:50:47 +0100345 if (rc != 0) {
346 return BOOT_EFLASH;
347 }
348
349 return 0;
350}
David Vinczec3084132020-02-18 14:50:47 +0100351
David Brownda2e2ab2024-04-10 14:59:00 -0600352#ifndef ALLOW_ROGUE_TLVS
353/*
354 * The following list of TLVs are the only entries allowed in the unprotected
355 * TLV section. All other TLV entries must be in the protected section.
356 */
357static const uint16_t allowed_unprot_tlvs[] = {
358 IMAGE_TLV_KEYHASH,
359 IMAGE_TLV_PUBKEY,
360 IMAGE_TLV_SHA256,
361 IMAGE_TLV_SHA384,
362 IMAGE_TLV_RSA2048_PSS,
363 IMAGE_TLV_ECDSA224,
364 IMAGE_TLV_ECDSA_SIG,
365 IMAGE_TLV_RSA3072_PSS,
366 IMAGE_TLV_ED25519,
367 IMAGE_TLV_ENC_RSA2048,
368 IMAGE_TLV_ENC_KW,
369 IMAGE_TLV_ENC_EC256,
370 IMAGE_TLV_ENC_X25519,
371 /* Mark end with ANY. */
372 IMAGE_TLV_ANY,
373};
374#endif
375
David Brown43cda332017-09-01 09:53:23 -0600376/*
Christopher Collins92ea77f2016-12-12 15:59:26 -0800377 * Verify the integrity of the image.
378 * Return non-zero if image could not be validated/does not validate.
379 */
Michael Grand5047f032022-11-24 16:49:56 +0100380fih_ret
Fabio Utzig10ee6482019-08-01 12:04:52 -0300381bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
382 struct image_header *hdr, const struct flash_area *fap,
383 uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *seed,
384 int seed_len, uint8_t *out_hash)
Christopher Collins92ea77f2016-12-12 15:59:26 -0800385{
386 uint32_t off;
Fabio Utzig61fd8882019-09-14 20:00:20 -0300387 uint16_t len;
David Brownd13318a2019-12-04 17:28:40 -0700388 uint16_t type;
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100389 int image_hash_valid = 0;
David Brown43cda332017-09-01 09:53:23 -0600390#ifdef EXPECTED_SIG_TLV
Michael Grand5047f032022-11-24 16:49:56 +0100391 FIH_DECLARE(valid_signature, FIH_FAILURE);
David Vinczee3697842024-04-03 10:24:26 +0200392#ifndef MCUBOOT_BUILTIN_KEY
David Brown43cda332017-09-01 09:53:23 -0600393 int key_id = -1;
David Vinczee3697842024-04-03 10:24:26 +0200394#else
395 /* Pass a key ID equal to the image index, the underlying crypto library
396 * is responsible for mapping the image index to a builtin key ID.
397 */
398 int key_id = image_index;
399#endif /* !MCUBOOT_BUILTIN_KEY */
David Vincze03368b82020-04-01 12:53:53 +0200400#ifdef MCUBOOT_HW_KEY
David Vinczee3697842024-04-03 10:24:26 +0200401 uint8_t key_buf[KEY_BUF_SIZE];
Christopher Collins92ea77f2016-12-12 15:59:26 -0800402#endif
David Vincze03368b82020-04-01 12:53:53 +0200403#endif /* EXPECTED_SIG_TLV */
Fabio Utzig61fd8882019-09-14 20:00:20 -0300404 struct image_tlv_iter it;
Fabio Utzig3501c012019-05-13 15:07:25 -0700405 uint8_t buf[SIG_BUF_SIZE];
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100406 uint8_t hash[IMAGE_HASH_SIZE];
Raef Colese8fe6cf2020-05-26 13:07:40 +0100407 int rc = 0;
Michael Grand5047f032022-11-24 16:49:56 +0100408 FIH_DECLARE(fih_rc, FIH_FAILURE);
David Vinczec3084132020-02-18 14:50:47 +0100409#ifdef MCUBOOT_HW_ROLLBACK_PROT
Raef Colese8fe6cf2020-05-26 13:07:40 +0100410 fih_int security_cnt = fih_int_encode(INT_MAX);
David Vinczec3084132020-02-18 14:50:47 +0100411 uint32_t img_security_cnt = 0;
Michael Grand5047f032022-11-24 16:49:56 +0100412 FIH_DECLARE(security_counter_valid, FIH_FAILURE);
David Vinczec3084132020-02-18 14:50:47 +0100413#endif
Christopher Collins92ea77f2016-12-12 15:59:26 -0800414
Fabio Utzig10ee6482019-08-01 12:04:52 -0300415 rc = bootutil_img_hash(enc_state, image_index, hdr, fap, tmp_buf,
416 tmp_buf_sz, hash, seed, seed_len);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800417 if (rc) {
Raef Colese8fe6cf2020-05-26 13:07:40 +0100418 goto out;
Christopher Collins92ea77f2016-12-12 15:59:26 -0800419 }
420
421 if (out_hash) {
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100422 memcpy(out_hash, hash, IMAGE_HASH_SIZE);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800423 }
424
Fabio Utzig61fd8882019-09-14 20:00:20 -0300425 rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, false);
David Brownf5b33d82017-09-01 10:58:27 -0600426 if (rc) {
Raef Colese8fe6cf2020-05-26 13:07:40 +0100427 goto out;
David Brownf5b33d82017-09-01 10:58:27 -0600428 }
Christopher Collins92ea77f2016-12-12 15:59:26 -0800429
Andrzej Puzdrowski334b6a62022-01-21 16:59:18 +0100430 if (it.tlv_end > bootutil_max_image_size(fap)) {
431 rc = -1;
432 goto out;
433 }
434
David Brown43cda332017-09-01 09:53:23 -0600435 /*
436 * Traverse through all of the TLVs, performing any checks we know
437 * and are able to do.
438 */
Fabio Utzig61fd8882019-09-14 20:00:20 -0300439 while (true) {
440 rc = bootutil_tlv_iter_next(&it, &off, &len, &type);
441 if (rc < 0) {
Raef Colese8fe6cf2020-05-26 13:07:40 +0100442 goto out;
Fabio Utzig61fd8882019-09-14 20:00:20 -0300443 } else if (rc > 0) {
444 break;
Christopher Collins92ea77f2016-12-12 15:59:26 -0800445 }
David Brown43cda332017-09-01 09:53:23 -0600446
David Brownda2e2ab2024-04-10 14:59:00 -0600447#ifndef ALLOW_ROGUE_TLVS
448 /*
449 * Ensure that the non-protected TLV only has entries necessary to hold
450 * the signature. We also allow encryption related keys to be in the
451 * unprotected area.
452 */
453 if (!bootutil_tlv_iter_is_prot(&it, off)) {
454 bool found = false;
455 for (const uint16_t *p = allowed_unprot_tlvs; *p != IMAGE_TLV_ANY; p++) {
456 if (type == *p) {
457 found = true;
458 break;
459 }
460 }
461 if (!found) {
462 FIH_SET(fih_rc, FIH_FAILURE);
463 goto out;
464 }
465 }
466#endif
467
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100468 if (type == EXPECTED_HASH_TLV) {
469 /* Verify the image hash. This must always be present. */
Fabio Utzig61fd8882019-09-14 20:00:20 -0300470 if (len != sizeof(hash)) {
Raef Colese8fe6cf2020-05-26 13:07:40 +0100471 rc = -1;
472 goto out;
Christopher Collins92ea77f2016-12-12 15:59:26 -0800473 }
Tamas Banfe031092020-09-10 17:32:39 +0200474 rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, sizeof(hash));
David Brown43cda332017-09-01 09:53:23 -0600475 if (rc) {
Raef Colese8fe6cf2020-05-26 13:07:40 +0100476 goto out;
Christopher Collins92ea77f2016-12-12 15:59:26 -0800477 }
Raef Colese8fe6cf2020-05-26 13:07:40 +0100478
479 FIH_CALL(boot_fih_memequal, fih_rc, hash, buf, sizeof(hash));
Michael Grand5047f032022-11-24 16:49:56 +0100480 if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
481 FIH_SET(fih_rc, FIH_FAILURE);
Raef Colese8fe6cf2020-05-26 13:07:40 +0100482 goto out;
Christopher Collins92ea77f2016-12-12 15:59:26 -0800483 }
David Brown43cda332017-09-01 09:53:23 -0600484
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100485 image_hash_valid = 1;
David Vinczee3697842024-04-03 10:24:26 +0200486#ifdef EXPECTED_KEY_TLV
487 } else if (type == EXPECTED_KEY_TLV) {
Christopher Collins92ea77f2016-12-12 15:59:26 -0800488 /*
David Brown43cda332017-09-01 09:53:23 -0600489 * Determine which key we should be checking.
Christopher Collins92ea77f2016-12-12 15:59:26 -0800490 */
David Vinczee3697842024-04-03 10:24:26 +0200491 if (len > KEY_BUF_SIZE) {
Raef Colese8fe6cf2020-05-26 13:07:40 +0100492 rc = -1;
493 goto out;
David Brown43cda332017-09-01 09:53:23 -0600494 }
David Vinczee3697842024-04-03 10:24:26 +0200495#ifndef MCUBOOT_HW_KEY
Tamas Banfe031092020-09-10 17:32:39 +0200496 rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, len);
David Brown43cda332017-09-01 09:53:23 -0600497 if (rc) {
Raef Colese8fe6cf2020-05-26 13:07:40 +0100498 goto out;
David Brown43cda332017-09-01 09:53:23 -0600499 }
Fabio Utzig61fd8882019-09-14 20:00:20 -0300500 key_id = bootutil_find_key(buf, len);
David Vincze03368b82020-04-01 12:53:53 +0200501#else
Tamas Banfe031092020-09-10 17:32:39 +0200502 rc = LOAD_IMAGE_DATA(hdr, fap, off, key_buf, len);
David Vincze03368b82020-04-01 12:53:53 +0200503 if (rc) {
Raef Colese8fe6cf2020-05-26 13:07:40 +0100504 goto out;
David Vincze03368b82020-04-01 12:53:53 +0200505 }
506 key_id = bootutil_find_key(image_index, key_buf, len);
David Vinczee3697842024-04-03 10:24:26 +0200507#endif /* !MCUBOOT_HW_KEY */
David Vincze03368b82020-04-01 12:53:53 +0200508 /*
509 * The key may not be found, which is acceptable. There
510 * can be multiple signatures, each preceded by a key.
511 */
David Vinczee3697842024-04-03 10:24:26 +0200512#endif /* EXPECTED_KEY_TLV */
513#ifdef EXPECTED_SIG_TLV
Fabio Utzig61fd8882019-09-14 20:00:20 -0300514 } else if (type == EXPECTED_SIG_TLV) {
David Brown43cda332017-09-01 09:53:23 -0600515 /* Ignore this signature if it is out of bounds. */
516 if (key_id < 0 || key_id >= bootutil_key_cnt) {
517 key_id = -1;
518 continue;
519 }
Fabio Utzig61fd8882019-09-14 20:00:20 -0300520 if (!EXPECTED_SIG_LEN(len) || len > sizeof(buf)) {
Raef Colese8fe6cf2020-05-26 13:07:40 +0100521 rc = -1;
522 goto out;
David Brown43cda332017-09-01 09:53:23 -0600523 }
Tamas Banfe031092020-09-10 17:32:39 +0200524 rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, len);
David Brown43cda332017-09-01 09:53:23 -0600525 if (rc) {
Raef Colese8fe6cf2020-05-26 13:07:40 +0100526 goto out;
David Brown43cda332017-09-01 09:53:23 -0600527 }
Raef Colese8fe6cf2020-05-26 13:07:40 +0100528 FIH_CALL(bootutil_verify_sig, valid_signature, hash, sizeof(hash),
529 buf, len, key_id);
David Brown43cda332017-09-01 09:53:23 -0600530 key_id = -1;
David Vinczec3084132020-02-18 14:50:47 +0100531#endif /* EXPECTED_SIG_TLV */
532#ifdef MCUBOOT_HW_ROLLBACK_PROT
533 } else if (type == IMAGE_TLV_SEC_CNT) {
534 /*
535 * Verify the image's security counter.
536 * This must always be present.
537 */
538 if (len != sizeof(img_security_cnt)) {
539 /* Security counter is not valid. */
Raef Colese8fe6cf2020-05-26 13:07:40 +0100540 rc = -1;
541 goto out;
David Vinczec3084132020-02-18 14:50:47 +0100542 }
543
Tamas Banfe031092020-09-10 17:32:39 +0200544 rc = LOAD_IMAGE_DATA(hdr, fap, off, &img_security_cnt, len);
David Vinczec3084132020-02-18 14:50:47 +0100545 if (rc) {
Raef Colese8fe6cf2020-05-26 13:07:40 +0100546 goto out;
David Vinczec3084132020-02-18 14:50:47 +0100547 }
548
Raef Colese8fe6cf2020-05-26 13:07:40 +0100549 FIH_CALL(boot_nv_security_counter_get, fih_rc, image_index,
550 &security_cnt);
Michael Grand5047f032022-11-24 16:49:56 +0100551 if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
552 FIH_SET(fih_rc, FIH_FAILURE);
Raef Colese8fe6cf2020-05-26 13:07:40 +0100553 goto out;
David Vinczec3084132020-02-18 14:50:47 +0100554 }
555
556 /* Compare the new image's security counter value against the
557 * stored security counter value.
558 */
Michael Grand5047f032022-11-24 16:49:56 +0100559 fih_rc = fih_ret_encode_zero_equality(img_security_cnt <
Roland Mikhel61962b92023-04-25 14:03:08 +0200560 (uint32_t)fih_int_decode(security_cnt));
Michael Grand5047f032022-11-24 16:49:56 +0100561 if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
562 FIH_SET(fih_rc, FIH_FAILURE);
Raef Colese8fe6cf2020-05-26 13:07:40 +0100563 goto out;
David Vinczec3084132020-02-18 14:50:47 +0100564 }
565
566 /* The image's security counter has been successfully verified. */
Raef Colese8fe6cf2020-05-26 13:07:40 +0100567 security_counter_valid = fih_rc;
David Vinczec3084132020-02-18 14:50:47 +0100568#endif /* MCUBOOT_HW_ROLLBACK_PROT */
Christopher Collins92ea77f2016-12-12 15:59:26 -0800569 }
570 }
David Brown43cda332017-09-01 09:53:23 -0600571
Roland Mikhel03c9ad02023-03-08 15:56:43 +0100572 rc = !image_hash_valid;
Raef Colese8fe6cf2020-05-26 13:07:40 +0100573 if (rc) {
574 goto out;
575 }
David Brown43cda332017-09-01 09:53:23 -0600576#ifdef EXPECTED_SIG_TLV
Michael Grand5047f032022-11-24 16:49:56 +0100577 FIH_SET(fih_rc, valid_signature);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800578#endif
David Vinczec3084132020-02-18 14:50:47 +0100579#ifdef MCUBOOT_HW_ROLLBACK_PROT
Michael Grand5047f032022-11-24 16:49:56 +0100580 if (FIH_NOT_EQ(security_counter_valid, FIH_SUCCESS)) {
Raef Colese8fe6cf2020-05-26 13:07:40 +0100581 rc = -1;
582 goto out;
583 }
David Vinczec3084132020-02-18 14:50:47 +0100584#endif
Raef Colese8fe6cf2020-05-26 13:07:40 +0100585
586out:
587 if (rc) {
Michael Grand5047f032022-11-24 16:49:56 +0100588 FIH_SET(fih_rc, FIH_FAILURE);
David Vinczec3084132020-02-18 14:50:47 +0100589 }
David Brown43cda332017-09-01 09:53:23 -0600590
Raef Colese8fe6cf2020-05-26 13:07:40 +0100591 FIH_RET(fih_rc);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800592}