[nrf noup] bootutil: key revocation

michalek-no · michalek-no · commit 6fb292c818f9 · 2025-04-02T14:52:29.000+02:00
Disable previous generation key when update comes with
new valid key and application is confirmed.

Signed-off-by: Mateusz Michalek &lt;mateusz.michalek@nordicsemi.no&gt;
diff --git a/boot/bootutil/include/bootutil/key_revocation.h b/boot/bootutil/include/bootutil/key_revocation.h
@@ -0,0 +1,49 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * Original license:
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#ifndef H_KEY_REVOCATION_
+#define H_KEY_REVOCATION_
+
+#include <inttypes.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define BOOT_KEY_REVOKE_OK 0
+#define BOOT_KEY_REVOKE_NOT_READY 1
+#define BOOT_KEY_REVOKE_INVALID 2
+#define BOOT_KEY_REVOKE_FAILED 2
+
+
+void allow_revoke(void);
+
+int revoke(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/boot/bootutil/src/ed25519_psa.c b/boot/bootutil/src/ed25519_psa.c
@@ -32,6 +32,11 @@ static psa_key_id_t kmu_key_ids[3] =  {
     MAKE_PSA_KMU_KEY_ID(230)
 };
 
+#if defined(CONFIG_BOOT_KMU_KEYS_REVOCATION)
+#include <bootutil/key_revocation.h>
+static psa_key_id_t *validated_with = NULL;
+#endif
+
 BUILD_ASSERT(CONFIG_BOOT_SIGNATURE_KMU_SLOTS <= ARRAY_SIZE(kmu_key_ids),
 	     "Invalid number of KMU slots, up to 3 are supported on nRF54L15");
 #endif
@@ -114,6 +119,9 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
                                     EDDSA_SIGNAGURE_LENGTH);
         if (status == PSA_SUCCESS) {
             ret = 1;
+#if defined(CONFIG_BOOT_KMU_KEYS_REVOCATION)
+            validated_with = kmu_key_ids + i;
+#endif
             break;
         }
 
@@ -122,4 +130,37 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
 
     return ret;
 }
+#if defined(CONFIG_BOOT_KMU_KEYS_REVOCATION)
+int exec_revoke(void)
+{
+    int ret = BOOT_KEY_REVOKE_OK;
+    psa_status_t status = psa_crypto_init();
+
+    if (!validated_with) {
+        ret = BOOT_KEY_REVOKE_INVALID;
+        goto out;
+    }
+
+    if (status != PSA_SUCCESS) {
+            BOOT_LOG_ERR("PSA crypto init failed with error %d", status);
+            ret = BOOT_KEY_REVOKE_FAILED;
+            goto out;
+    }
+    for (int i = 0; i < CONFIG_BOOT_SIGNATURE_KMU_SLOTS; i++) {
+        if ((kmu_key_ids + i) == validated_with) {
+            break;
+        }
+        BOOT_LOG_DBG("Invalidating key ID %d", i);
+
+        status = psa_destroy_key(kmu_key_ids[i]);
+        if (status == PSA_SUCCESS) {
+            BOOT_LOG_DBG("Success on key ID %d", i);
+        } else {
+            BOOT_LOG_ERR("Key invalidation failed with: %d", status);
+        }
+    }
+out:
+    return ret;
+}
+#endif /* CONFIG_BOOT_KMU_KEYS_REVOCATION */
 #endif
diff --git a/boot/bootutil/src/key_revocation.c b/boot/bootutil/src/key_revocation.c
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2025, Nordic Semiconductor ASA
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <bootutil/key_revocation.h>
+
+extern int exec_revoke(void);
+
+static uint8_t ready_to_revoke;
+
+void allow_revoke(void)
+{
+	ready_to_revoke = 1;
+}
+
+int revoke(void)
+{
+	if (ready_to_revoke) {
+		return exec_revoke();
+	}
+	return BOOT_KEY_REVOKE_NOT_READY;
+}
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
@@ -76,6 +76,10 @@ int pcd_version_cmp_net(const struct flash_area *fap, struct image_header *hdr);
 
 #include "mcuboot_config/mcuboot_config.h"
 
+#if defined(CONFIG_BOOT_KEYS_REVOCATION)
+#include "bootutil/key_revocation.h"
+#endif
+
 BOOT_LOG_MODULE_DECLARE(mcuboot);
 
 static struct boot_loader_state boot_data;
@@ -2733,6 +2737,11 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
         }
     }
 
+#if defined(CONFIG_BOOT_KEYS_REVOCATION)
+    if (BOOT_SWAP_TYPE(state) == BOOT_SWAP_TYPE_NONE) {
+        allow_revoke();
+    }
+#endif
     /* Iterate over all the images. At this point all required update operations
      * have finished. By the end of the loop each image in the primary slot will
      * have been re-validated.
@@ -2838,6 +2847,12 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
     fill_rsp(state, rsp);
 
     fih_rc = FIH_SUCCESS;
+#if defined(CONFIG_BOOT_KEYS_REVOCATION)
+    rc = revoke();
+    if (rc != BOOT_KEY_REVOKE_OK) {
+        FIH_SET(fih_rc, FIH_FAILURE);
+    }
+#endif /* CONFIG_BOOT_KEYS_REVOCATION */
 out:
     /*
      * Since the boot_status struct stores plaintext encryption keys, reset
diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt
@@ -91,6 +91,12 @@ if(DEFINED CONFIG_BOOT_SHARE_BACKEND_RETENTION)
     )
 endif()
 
+if(DEFINED CONFIG_BOOT_KEYS_REVOCATION)
+  zephyr_library_sources(
+    ${BOOT_DIR}/bootutil/src/key_revocation.c
+)
+endif()
+
 # Generic bootutil sources and includes.
 zephyr_library_include_directories(${BOOT_DIR}/bootutil/include)
 zephyr_library_sources(
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -329,6 +329,18 @@ config BOOT_SIGNATURE_KMU_SLOTS
 
 endif
 
+config BOOT_KEYS_REVOCATION
+	bool "Auto revoke previous gen key"
+	help
+	  Automatically revoke previous generation key upon new valid key usage.
+
+config BOOT_KMU_KEYS_REVOCATION
+	bool
+	depends on BOOT_KEYS_REVOCATION
+	default y if BOOT_SIGNATURE_USING_KMU
+	help
+	  Enabling KMU key revocation backend.
+
 if !BOOT_SIGNATURE_USING_KMU
 
 config BOOT_SIGNATURE_KEY_FILE
