From: seanedmond@linux.microsoft.com
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, stcarlso@linux.microsoft.com, ilias.apalodimas@linaro.org, abdellatif.elkhlifi@arm.com
Subject: [PATCH 4/5] common: Add OS anti-rollback grace period
Date: Fri, 11 Aug 2023 17:28:22 -0700
Message-Id: <20230812002823.82576-5-seanedmond@linux.microsoft.com>
In-Reply-To: <20230812002823.82576-1-seanedmond@linux.microsoft.com>

From: Stephen Carlson

New config CONFIG_FIT_ARBVP_GRACE to add a one-unit grace period to OS anti-rollback protection, allowing images with anti-rollback counters exactly one less than the platform value to still be loaded. No update to the platform anti-rollback counter will be performed in this case.

Signed-off-by: Stephen Carlson
---
 boot/Kconfig         | 10 ++++++++++
 boot/image-fit-sig.c |  7 ++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/boot/Kconfig b/boot/Kconfig
index e08c274b7c..cd16bb8e53 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -112,6 +112,16 @@ config FIT_ARBP when a platform needs to retire previous versions of FIT images due to security flaws and prevent devices from being reverted to them. +config FIT_ARBP_GRACE + bool "Enable FIT Anti rollback grace period" + depends on FIT_ARBP + default n + help + Enables a one unit grace period for FIT image anti-rollback protection, + where anti-rollback protection will still accept a FIT image with an + anti-rollback version one less than the current number, but will not + update the platform anti-rollback counter in that case. + config FIT_VERBOSE bool "Show verbose messages when FIT images fail" depends on FIT diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c index bf3b81a3a3..dc88a4b2cb 100644 --- a/boot/image-fit-sig.c +++ b/boot/image-fit-sig.c @@ -70,6 +70,7 @@ static int fit_image_verify_arbvn(const void *fit, int image_noffset) { u64 image_arbvn; u64 plat_arbvn = 0ULL; + u64 target_arbvn; struct udevice *dev; int ret; @@ -85,7 +86,11 @@ static int fit_image_verify_arbvn(const void *fit, int image_noffset) if (ret) return -EIO; - if (image_arbvn < plat_arbvn) { + target_arbvn = plat_arbvn; + /* Calculate target ARBVN, including grace period if enabled */ + if (CONFIG_IS_ENABLED(FIT_ARBP_GRACE) && plat_arbvn > 0ULL) + target_arbvn = plat_arbvn - 1ULL; + if (image_arbvn < target_arbvn) { return -EPERM; } else if (image_arbvn > plat_arbvn) { ret = dm_security_arbvn_set(dev, image_arbvn); -- 2.40.0
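Review bot: In the Kconfig hunk, the help text for FIT_ARBP_GRACE should spell out the security trade-off, because the FIT_ARBP text directly above it says the counter exists to retire images "due to security flaws": with the grace period enabled, the most recently retired version (platform counter minus one) stays bootable until the platform counter advances again, so platforms that need immediate revocation of the previous release must leave this option off. Two smaller points: `default n` is already the implicit default for a bool and can be dropped, and the commit message names the option CONFIG_FIT_ARBVP_GRACE while the symbol added here is FIT_ARBP_GRACE; the prompt string "Enable FIT Anti rollback grace period" could also use the same "anti-rollback" spelling as the help text.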
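Review bot: In the second image-fit-sig.c hunk, the grace path is silent: an image with image_arbvn equal to plat_arbvn - 1 passes the new `if (image_arbvn < target_arbvn)` test and does not reach the `else if (image_arbvn > plat_arbvn)` update branch, exactly as the commit message describes, but nothing records that a one-behind image was accepted. Consider emitting a debug() or printf() line when image_arbvn < plat_arbvn and the grace check passes, so the event shows up on the console and in boot logs; a boot that relies on the grace period is precisely what a platform operator needs to notice. The `plat_arbvn > 0ULL` guard before `plat_arbvn - 1ULL` correctly prevents the u64 from wrapping. One question on `CONFIG_IS_ENABLED(FIT_ARBP_GRACE)`: if this file is also built for SPL, that macro looks for an SPL_-prefixed symbol that the Kconfig hunk does not add, so either an SPL variant of the option or a plain IS_ENABLED() check may be needed for the behaviour to match in both stages.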