[nrf fromlist] bootutil: Add API to lock HW counter

tomchy · tomchy · commit ba9d3ad34e6d · 2025-11-12T15:10:39.000+01:00
Add a new API to lock further updates of the HW-based security counter.
This API may prevent the non-bootloader application from accidental
invalidation of the bootable firmware.

Upstream PR #: 2543

Signed-off-by: Tomasz Chyrowicz &lt;tomasz.chyrowicz@nordicsemi.no&gt;
diff --git a/boot/bootutil/include/bootutil/security_cnt.h b/boot/bootutil/include/bootutil/security_cnt.h
@@ -85,6 +85,15 @@ int32_t boot_nv_security_counter_update(uint32_t image_id,
 fih_ret boot_nv_security_counter_is_update_possible(uint32_t image_id,
                                                     uint32_t img_security_cnt);
 
+/**
+ * Lock updates of the stored value of a given image's security counter.
+ *
+ * @param image_id          Index of the image (from 0).
+ *
+ * @return                  0 on success; nonzero on failure.
+ */
+int32_t boot_nv_security_counter_lock(uint32_t image_id);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
@@ -2581,8 +2581,15 @@ boot_update_hw_rollback_protection(struct boot_loader_state *state)
     if (swap_state.magic != BOOT_MAGIC_GOOD || swap_state.image_ok == BOOT_FLAG_SET) {
         rc = boot_update_security_counter(state, BOOT_SLOT_PRIMARY, BOOT_SLOT_PRIMARY);
         if (rc != 0) {
-            BOOT_LOG_ERR("Security counter update failed after image "
-                            "validation.");
+            BOOT_LOG_ERR("Security counter update failed after image %d validation.",
+                         BOOT_CURR_IMG(state));
+            return rc;
+        }
+
+        rc = boot_nv_security_counter_lock(BOOT_CURR_IMG(state));
+        if (rc != 0) {
+            BOOT_LOG_ERR("Security counter lock failed after image %d validation.",
+                         BOOT_CURR_IMG(state));
             return rc;
         }
     }
@@ -3361,7 +3368,15 @@ boot_update_hw_rollback_protection(struct boot_loader_state *state)
                                           state->slot_usage[BOOT_CURR_IMG(state)].active_slot,
                                           state->slot_usage[BOOT_CURR_IMG(state)].active_slot);
         if (rc != 0) {
-            BOOT_LOG_ERR("Security counter update failed after image %d validation.", BOOT_CURR_IMG(state));
+            BOOT_LOG_ERR("Security counter update failed after image %d validation.",
+                         BOOT_CURR_IMG(state));
+            return rc;
+        }
+
+        rc = boot_nv_security_counter_lock(BOOT_CURR_IMG(state));
+        if (rc != 0) {
+            BOOT_LOG_ERR("Security counter lock failed after image %d validation.",
+                         BOOT_CURR_IMG(state));
             return rc;
         }
 #if defined(MCUBOOT_DIRECT_XIP) && defined(MCUBOOT_DIRECT_XIP_REVERT)
