From 75fcdca5355a63291b858dda5e88e841e01376dc Mon Sep 17 00:00:00 2001
From: Artur Hadasz
Date: Wed, 6 Aug 2025 16:49:05 +0200
Subject: [PATCH 1/2] [nrf fromtree] bootutil: Fixed security counter overflow detected to late

This commit fixes the issue, occuring when the maximum amount of security counter updates has been reached. This fact was only detected after a permament update already happened - the updated firmware was unable to boot, as it failed when trying to update the security counter after the permament swap. This commit adds the check if the security counter can be updated (i. e. free security counter slots are still available) before the swap is performed, fixing the issue.

Signed-off-by: Artur Hadasz
(cherry picked from commit fe8f9fc07a3b01e239fa2e999615227fa314520a)
---
 boot/bootutil/include/bootutil/security_cnt.h | 13 +++++++++++++
 boot/bootutil/src/image_validate.c | 13 +++++++++++++
 boot/zephyr/Kconfig | 11 +++++++++++
 boot/zephyr/include/mcuboot_config/mcuboot_config.h | 4 ++++
 4 files changed, 41 insertions(+)

diff --git a/boot/bootutil/include/bootutil/security_cnt.h b/boot/bootutil/include/bootutil/security_cnt.h
index 7e1389618..ff3a7371c 100644
--- a/boot/bootutil/include/bootutil/security_cnt.h
+++ b/boot/bootutil/include/bootutil/security_cnt.h
@@ -72,6 +72,19 @@ fih_ret boot_nv_security_counter_get(uint32_t image_id, fih_int *security_cnt);
 int32_t boot_nv_security_counter_update(uint32_t image_id,
                                         uint32_t img_security_cnt);
 
+/**
+ * This function verifies whether the security counter update to a given value is possible.
+ * The update might not be possible if the maximum amount of security counter updates
+ * was reached.
+ *
+ * @param image_id Index of the image (from 0).
+ * @param img_security_cnt New security counter value.
+ *
+ * @return FIH_SUCCESS if update is possible; FIH_FAILURE otherwise
+ */
+fih_ret boot_nv_security_counter_is_update_possible(uint32_t image_id,
+                                                    uint32_t img_security_cnt);
+
 #ifdef __cplusplus
 }
 #endif
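Review bot: The new `boot_nv_security_counter_is_update_possible` prototype is declared unconditionally, yet this series adds no implementation for it and its only caller (in image_validate.c) is compiled under MCUBOOT_HW_ROLLBACK_PROT_COUNTER_LIMITED, so any port whose counter backend does not provide the function will presumably fail to link once that macro is defined, which the second patch does by default on several nRF targets. Either guard the declaration the same way or state in the header that the backend must implement it whenever MCUBOOT_HW_ROLLBACK_PROT_COUNTER_LIMITED is set. The Doxygen text could also say what the caller relies on, e.g. `@return FIH_SUCCESS if the counter can still be updated to img_security_cnt; any other value is treated by the caller as "update not possible"`, and "maximum amount" reads better as "maximum number".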
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index 522e5da2d..ba31ddbf3 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -839,6 +839,19 @@ bootutil_img_validate(struct boot_loader_state *state,
         goto out;
     }
 
+#ifdef MCUBOOT_HW_ROLLBACK_PROT_COUNTER_LIMITED
+    if (img_security_cnt > (uint32_t)fih_int_decode(security_cnt)) {
+        FIH_CALL(boot_nv_security_counter_is_update_possible, fih_rc, image_index,
+                 img_security_cnt);
+        if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+            FIH_SET(fih_rc, FIH_FAILURE);
+            BOOT_LOG_ERR("Security counter update is not possible, possibly the maximum "
+                         "number of security updates has been reached.");
+            goto out;
+        }
+    }
+#endif
+
     /* The image's security counter has been successfully verified. */
     security_counter_valid = fih_rc;
 skip_security_counter_read:
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
index cdb4d29cc..d18e3c5ae 100644
--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
@@ -1076,6 +1076,17 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION
 	  Because of the acceptance of equal values it allows for software downgrade to some extent.
 
+config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_LIMITED
+	bool "HW based downgrade prevention counter has limited number of updates"
+	depends on MCUBOOT_HW_DOWNGRADE_PREVENTION
+	help
+	  When this option is set, the hardware downgrade prevention counter
+	  has limited number of updates. This option will enable checking
+	  if it is possible to update the counter before performing
+	  the upgrade. If an update package contains a security counter
+	  value as a TLV but it is not possible to update the counter,
+	  the update will be rejected.
+
 endchoice
 
 config BOOT_WATCHDOG_FEED
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
index 8ba030738..0c02f62bc 100644
--- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h
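Review bot: On the success path of the new block `fih_rc` now holds the result of `boot_nv_security_counter_is_update_possible` rather than of the preceding counter comparison, so the unchanged `security_counter_valid = fih_rc;` below the `#endif` stays correct only because both success values are FIH_SUCCESS; a comment such as `/* fih_rc is FIH_SUCCESS here: the counter compared favourably and, if limited, can still be updated. */` would make that dependency explicit. The check is reached only when `img_security_cnt` is strictly greater than the stored counter, so an image carrying an equal counter is accepted without consulting the backend; that matches "no update needed" but deserves a one-line comment next to the `if`. bootutil_img_validate begins and ends outside this hunk.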
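Review bot: The help text states that an update is rejected whenever it contains a security counter TLV and the counter cannot be updated, but the check added in image_validate.c runs only when the TLV value is greater than the stored counter, so an image with an equal counter is still accepted. Suggest `If an update package carries a security counter TLV whose value is higher than the stored counter but the counter cannot be updated, the update will be rejected.` so the option description matches the code.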
+++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -209,6 +209,10 @@
 #define MCUBOOT_HW_ROLLBACK_PROT
 #endif
 
+#ifdef CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_LIMITED
+#define MCUBOOT_HW_ROLLBACK_PROT_COUNTER_LIMITED
+#endif
+
 #ifdef CONFIG_MEASURED_BOOT
 #define MCUBOOT_MEASURED_BOOT
 #endif

From 05e0add1fffc7bfa69ccaa814b4480c9421ba4f4 Mon Sep 17 00:00:00 2001
From: Artur Hadasz
Date: Mon, 11 Aug 2025 14:23:04 +0200
Subject: [PATCH 2/2] [nrf noup] zephyr: hw security counter limited set by default

This commit sets the MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_LIMITED by default for platforms which support the security counter.

Signed-off-by: Artur Hadasz
---
 boot/zephyr/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
index d18e3c5ae..f1707759e 100644
--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
@@ -1079,6 +1079,7 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION
 config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_LIMITED
 	bool "HW based downgrade prevention counter has limited number of updates"
 	depends on MCUBOOT_HW_DOWNGRADE_PREVENTION
+	default y if SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX
 	help
 	  When this option is set, the hardware downgrade prevention counter
 	  has limited number of updates. This option will enable checking
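Review bot: `default y if SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX` hard-codes three SoC families although the commit message describes the intent as "platforms which support the security counter", so any SoC that later gains counter support will silently keep the old default. If the backend that provides the counter is selected by its own Kconfig symbol, basing the default on that symbol would track the intent automatically, given the option already `depends on MCUBOOT_HW_DOWNGRADE_PREVENTION`. Otherwise a short comment above the `default` line explaining why exactly these SoCs are listed would help the next maintainer.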