From: seanedmond@linux.microsoft.com
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, stcarlso@linux.microsoft.com,
	ilias.apalodimas@linaro.org, abdellatif.elkhlifi@arm.com
Subject: [PATCH 4/5] common: Add OS anti-rollback grace period
Date: Fri, 11 Aug 2023 17:28:22 -0700
Message-ID: <20230812002823.82576-5-seanedmond@linux.microsoft.com>
In-Reply-To: <20230812002823.82576-1-seanedmond@linux.microsoft.com>

From: Stephen Carlson <stcarlso@microsoft.com>

New config CONFIG_FIT_ARBVP_GRACE to add a one unit grace period to OS
anti-rollback protection, allowing images with anti-rollback counters
exactly one less than the platform value to still be loaded. No update to
the platform anti-rollback counter will be performed in this case.

Signed-off-by: Stephen Carlson <stcarlso@microsoft.com>
---
 boot/Kconfig         | 10 ++++++++++
 boot/image-fit-sig.c |  7 ++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/boot/Kconfig b/boot/Kconfig
index e08c274b7c..cd16bb8e53 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -112,6 +112,16 @@ config FIT_ARBP
 	  when a platform needs to retire previous versions of FIT images due to
 	  security flaws and prevent devices from being reverted to them.
 
+config FIT_ARBP_GRACE
+	bool "Enable FIT Anti rollback grace period"
+	depends on FIT_ARBP
+	default n
+	help
+	  Enables a one unit grace period for FIT image anti-rollback protection,
+	  where anti-rollback protection will still accept a FIT image with an
+	  anti-rollback version one less than the current number, but will not
+	  update the platform anti-rollback counter in that case.
+
 config FIT_VERBOSE
 	bool "Show verbose messages when FIT images fail"
 	depends on FIT
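
Review bot: the help text for FIT_ARBP_GRACE describes the mechanism but not its cost. With the option enabled, the image version that the platform counter has just moved past stays bootable, which is the case the FIT_ARBP help above says the feature exists to prevent (retiring images "due to security flaws"). Please state that trade-off in the help text and say when the option is meant to be used. Two smaller points: "default n" is redundant for a bool, and the commit message names the option CONFIG_FIT_ARBVP_GRACE while the symbol added here is FIT_ARBP_GRACE.
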
diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
index bf3b81a3a3..dc88a4b2cb 100644
--- a/boot/image-fit-sig.c
+++ b/boot/image-fit-sig.c
@@ -70,6 +70,7 @@ static int fit_image_verify_arbvn(const void *fit, int image_noffset)
 {
 	u64 image_arbvn;
 	u64 plat_arbvn = 0ULL;
+	u64 target_arbvn;
 	struct udevice *dev;
 	int ret;
 
@@ -85,7 +86,11 @@ static int fit_image_verify_arbvn(const void *fit, int image_noffset)
 	if (ret)
 		return -EIO;
 
-	if (image_arbvn < plat_arbvn) {
+	target_arbvn = plat_arbvn;
+	/* Calculate target ARBVN, including grace period if enabled */
+	if (CONFIG_IS_ENABLED(FIT_ARBP_GRACE) && plat_arbvn > 0ULL)
+		target_arbvn = plat_arbvn - 1ULL;
+	if (image_arbvn < target_arbvn) {
 		return -EPERM;
 	} else if (image_arbvn > plat_arbvn) {
 		ret = dm_security_arbvn_set(dev, image_arbvn);
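
Review bot: in the new "if (image_arbvn < target_arbvn)" check, an image with image_arbvn == plat_arbvn - 1 is accepted without any trace. It takes neither the -EPERM branch nor the "image_arbvn > plat_arbvn" branch, so nothing in the visible code distinguishes it from an up-to-date image. Consider emitting a log message when the grace path is taken so that booting a below-counter image shows up in the boot log. The comment could also say that the "plat_arbvn > 0ULL" test is there to avoid u64 wrap-around, and a blank line after "target_arbvn = plat_arbvn - 1ULL;" would separate the calculation from the comparison.
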
-- 
2.40.0