TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / sandbox / pfalcon / trusted-firmware-m / 060968d6eef3e570539fa942a8c0c5ec2388e798^! / . / docs
commit060968d6eef3e570539fa942a8c0c5ec2388e798[log] [tgz]
authorDavid Vincze <david.vincze@arm.com>Thu May 23 01:13:14 2019 +0200
committerDavid Vincze <david.vincze@arm.com>Fri May 24 14:18:39 2019 +0200
tree3ac28fd70d9918d53470d9d7f5768fa569623b11
parent8a2a4e2144abd738b797cdd64c3ba40556fca472 [diff]
Boot: Introduce rollback protection

- Add image security counter verification (read image security counter
  from the manifest and compare it against the stored security counter)
  as a mandatory part of the image validation process.
- Store the newest value of security counter in a non-volatile (NV)
  counter.
- Add security counter interface to MCUBoot.

Change-Id: I608508e707d01c3777788bc754810407fae610e2
Signed-off-by: David Vincze <david.vincze@arm.com>

diff --git a/docs/user_guides/tfm_secure_boot.rst b/docs/user_guides/tfm_secure_boot.rst
index 2aa91d4..9097538 100644
--- a/docs/user_guides/tfm_secure_boot.rst
+++ b/docs/user_guides/tfm_secure_boot.rst

@@ -246,6 +246,29 @@
 versioning, please start a clean build without specifying the image version
 number at all.
 
+Security counter
+================
+Each signed image contains a security counter in its manifest. It is used by the
+bootloader and its aim is to have an independent (from the image version)
+counter to ensure rollback protection by comparing the new image's security
+counter against the original (currently active) image's security counter during
+the image upgrade process. It is added to the manifest (to the TLV area that is
+appended to the end of the image) by one of the python scripts when signing the
+image. The value of the security counter is security critical data and it is in
+the integrity protected part of the image. The last valid security counter is
+always stored in a non-volatile and trusted component of the device and its
+value should always be increased if a security flaw was fixed in the current
+image version. The value of the security counter can be specified at build time
+in the cmake configuration step::
+
+    cmake -G"Unix Makefiles" -DTARGET_PLATFORM=AN521 -DCOMPILER=ARMCLANG -DSECURITY_COUNTER=42 ../
+
+The security counter can be independent from the image version, but not
+necessarily. Alternatively, if it is not specified at build time with the
+``SECURITY_COUNTER`` option the python script will automatically generate it
+from the image version number (not including the build number) and this value
+will be added to the signed image.
+
 ************************
 Testing firmware upgrade
 ************************