Add vendor and image class UUID support #2409
ab8fffa to fc4c042
if (len != sizeof(img_uuid_vid)) { | ||
/* Vendor UUID is not valid. */ | ||
rc = -1; | ||
goto out; | ||
} | ||
|
||
rc = LOAD_IMAGE_DATA(hdr, fap, off, img_uuid_vid.raw, len); | ||
if (rc) { | ||
goto out; | ||
} |
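Review bot: the rc = -1 set on the len != sizeof(img_uuid_vid) branch and the rc returned by LOAD_IMAGE_DATA both flow to the same out: label, so the caller cannot tell a malformed TLV from a flash read error. If that is intended (the thread says both end up as FIH_FAILURE anyway), state it in the comment at rc = -1; otherwise give the size mismatch its own error value so the two causes stay distinguishable in logs.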
If it was decided to wrap uuid in fih, these should probably also report fih failure; I do not understand the difference between a failure in the uuid check and an inability to perform the check. And I know that we are inconsistent here, and maybe that is a good point to discuss it.
There is translation logic, based on the rc value:
if (rc) {
FIH_SET(fih_rc, FIH_FAILURE);
and the default value of uuid_vid_valid and uuid_cid_valid will either way mask the other failure reasons.
The difference is just that - inability (if possible) can report "incompatible image format" and the uuid check can report "invalid UUID value".
There is though no way to distinguish between those error reasons, as there is just a single FIH_FAILURE error code.
out: seams can't mock success - it only could mock failure as a glitch.
@@ -142,6 +142,8 @@ extern "C" { | |||
* ... | |||
* 0xffa0 - 0xfffe | |||
*/ | |||
#define IMAGE_TLV_UUID_VID 0x80 /* Vendor unique identifier */ |
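Review bot: IMAGE_TLV_UUID_VID 0x80 is inserted directly under the comment block whose last range line is 0xffa0 - 0xfffe, so a reader will take the new define for a vendor-specific TLV rather than a generic MCUboot one. Move the define up next to the other generic TLV types (the thread suggests right after IMAGE_TLV_COMP_DEC_SIZE 0x73) and reword the trailing comment to "vendor ID (UUID)" so "Vendor unique identifier" is not read as "vendor-defined TLV".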
These go above the comment explaining vendor-specific ids. If these are vendor-specific ids, then they have improper codes.
And shouldn't really be here.
What do you mean by "comment explaining vendor specific ids"?
@tomchy move this just after the #define IMAGE_TLV_COMP_DEC_SIZE 0x73 /* Compressed decrypted image size */ line.
@de-nordic Clarification: these are new MCUboot generic TLVs
|
||
static fih_ret boot_uuid_compare(const struct image_uuid *uuid1, const struct image_uuid *uuid2) | ||
{ | ||
return fih_ret_encode_zero_equality(memcmp(uuid1->raw, uuid2->raw, |
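Review bot: fih_ret_encode_zero_equality hardens only the encoding of the result; the memcmp that feeds it remains the single point a fault would have to hit, so wrapping it in fih buys little on its own. If FIH is kept here for the glitch scenario raised in this thread, add a second independent comparison (or a re-check of the first) before encoding success, and put the rationale in a comment above boot_uuid_compare, since the TLV is already covered by the image signature and the next reader will ask the same question.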
Are we sure we want to get fih heavy on uuid comparisons? What is the attack vector here? As far as I can tell they are already protected tlvs and, as such, are signed with the image, and why would you bypass the uuid check? You would have to bypass the signature first.
The attack vector would be to install the FW not designed for a particular core as a result of glitching the UUID checks (skipping them or altering comparison results).
Honestly, I do not know where to draw a line between checks that should use FIH and checks that should not. The code was based on the way the security counter is implemented, thus by default it uses FIH routines.
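The kind of glitch-tolerant UUID check discussed above, as an added illustration that is not MCUboot's code: it walks a constructed TLV area in the image_tlv layout (u16 LE type, u16 LE length), applies the same length rule as the hunk, and refuses success unless two independent comparisons and a re-check all agree. UUID_OK, UUID_FAIL, uuid_vid_check and the sample bytes are this example's own stand-ins, not names from the PR.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLV type from the PR hunk. UUID_OK/UUID_FAIL stand in for FIH_SUCCESS/FIH_FAILURE:
 * far apart in bit pattern and neither 0 nor ~0, so one flipped bit cannot turn failure into success. */
#define IMAGE_TLV_UUID_VID 0x80
#define UUID_LEN 16u
#define UUID_OK   0x3CA5C35Au
#define UUID_FAIL 0xA5C35AC3u

/* Walk a TLV area in MCUboot's image_tlv layout (u16 LE type, u16 LE len,
 * value), find IMAGE_TLV_UUID_VID and compare it with the expected UUID.
 * As in the hunk, wrong length, absence and mismatch all end in failure. */
uint32_t uuid_vid_check(const uint8_t *area, size_t area_len, const uint8_t *expected)
{
    size_t off = 0;
    while (off + 4 <= area_len) {
        uint16_t type = (uint16_t)(area[off] | (area[off + 1] << 8));
        uint16_t len  = (uint16_t)(area[off + 2] | (area[off + 3] << 8));
        off += 4;
        if (len > area_len - off) {
            return UUID_FAIL;                 /* truncated TLV area */
        }
        if (type != IMAGE_TLV_UUID_VID) {
            off += len;
            continue;
        }
        if (len != UUID_LEN) {
            return UUID_FAIL;                 /* "Vendor UUID is not valid" */
        }
        /* Two independent comparisons plus a re-check: one skipped instruction or corrupted result is not enough. */
        uint32_t d = 0;
        for (size_t i = 0; i < UUID_LEN; i++) {
            d |= (uint32_t)(area[off + i] ^ expected[i]);
        }
        if (memcmp(area + off, expected, UUID_LEN) == 0 && d == 0 &&
            memcmp(area + off, expected, UUID_LEN) == 0) {
            return UUID_OK;
        }
        return UUID_FAIL;
    }
    return UUID_FAIL;                         /* TLV absent */
}

/* Constructed sample: an unrelated TLV (type 0x10, 2-byte value) followed by the vendor UUID TLV. */
const uint8_t sample_uuid[UUID_LEN] = { 0x12,0x34,0x56,0x78, 0x12,0x34,0x56,0x78, 0x12,0x34,0x56,0x78, 0x12,0x34,0x56,0x78 };
const uint8_t sample_area[] = { 0x10,0x00, 0x02,0x00, 0xAA,0xBB, IMAGE_TLV_UUID_VID,0x00, 0x10,0x00,
    0x12,0x34,0x56,0x78, 0x12,0x34,0x56,0x78, 0x12,0x34,0x56,0x78, 0x12,0x34,0x56,0x78 };
```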
fc4c042 to 54dd37c
54dd37c to 25b5c04
#define __MCUBOOT_UUID_H__ | ||
|
||
/** | ||
* @file uuid.h |
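Review bot: the @file tag names uuid.h while the include guard is __MCUBOOT_UUID_H__, which points at a differently named header; make the tag match the real filename. Identifiers starting with a double underscore are also reserved in C, so the guard should follow the naming used by the project's existing headers instead.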
@file mcuboot_uuid.c
identifier. | ||
- Raw UUID (i.e. 12345678-1234-5678-1234-567812345678) | ||
|
||
if MCUBOOT_UUID_CID |
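Review bot: "(i.e. 12345678-1234-5678-1234-567812345678)" gives an example value, so the abbreviation should be "e.g."; and since the if MCUBOOT_UUID_CID block follows, the help text should say how many class IDs can be configured (the thread ties this to UPDATEABLE_IMAGE_NUMBER) so it does not read as a single CID for the whole build.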
Can we have as many entries as the number of images allowed for a given MCUboot assembly?
Added dependency on the UPDATEABLE_IMAGE_NUMBER Kconfig value.
Add a possibility to express vendor ID and image class ID inside image's TLVs. Signed-off-by: Tomasz Chyrowicz <[email protected]>
Allow to specify VID and CID for an image. Signed-off-by: Tomasz Chyrowicz <[email protected]>
Add a possibility to configure vendor ID and image class ID through Kconfig. Signed-off-by: Tomasz Chyrowicz <[email protected]>
25b5c04 to 09fa479
According to the PSA Platform Security Boot Guide:
The manifest (which can be interpreted as image header and additional metadata stored inside TLVs) must include:
Instance ID.
This PR introduces two identifiers to meet those requirements: