From mboxrd@z Thu Jan 1 00:00:00 1970
From: Thirupathaiah Annapureddy
Date: Tue, 1 Sep 2020 13:48:14 -0700
Subject: [RFC PATCH 0/1] Anti rollback protection for FIT Images
Message-ID:
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Anti rollback protection is required when there is a need to retire
previous versions of FIT images due to security flaws in them.
Currently U-Boot Verified Boot does not have rollback protection to
protect against known security flaws.

This RFC introduces a proposal to add anti-rollback protection for
FIT images. This protection feature prevents U-Boot from accepting an
image if it has ever successfully loaded an image with a larger
anti-rollback version number.

Each sub-image node inside the /images node has an anti-rollback
version number (arbvn), similar to rollback_index in Android Verified
Boot. This version number is part of the signed data and it is
incremented as security flaws are discovered and fixed.

U-Boot stores the last seen arbvn for a given image type in platform
specific tamper-evident storage. As part of signature verification,
U-Boot enforces arbvn based protection if enabled. The arbvn stored in
secure storage is validated against the arbvn in the sub-image node.
If the counter in the FIT image is lower than the counter in platform
secure storage, image validation has failed, i.e. verified boot has
failed. If both counters match or the image counter is higher than
that in the platform secure storage, the image validation is
successful. In the higher case, U-Boot stores the new counter in
platform secure storage.

Pseudo code is as follows:

	ret = board_get_arbvn(type, &plat_arbvn);
	...
	if (image_arbvn < plat_arbvn) {
		return -EPERM;
	} else if (image_arbvn > plat_arbvn) {
		ret = board_set_arbvn(type, image_arbvn);
		return ret;
	} else {
		return 0;
	}

The following board specific hooks are required to get/set arbvn from
platform specific tamper-evident storage.

	int board_get_arbvn(uint8_t ih_type, uint32_t *arbvn);
	int board_set_arbvn(uint8_t ih_type, uint32_t arbvn);

As an example, consider this FIT:

	/ {
		images {
			kernel-1 {
				data = ;
				arbvn = <1>;
				hash-1 {
					algo = "sha1";
					value = <...kernel hash 1...>;
				};
			};
			fdt-1 {
				data = ;
				hash-1 {
					algo = "sha1";
					value = <...fdt hash 1...>;
				};
			};
		};
		configurations {
			default = "conf-1";
			conf-1 {
				kernel = "kernel-1";
				fdt = "fdt-1";
				signature-1 {
					algo = "sha1,rsa2048";
					sign-images = "fdt", "kernel";
					value = <...conf 1 signature...>;
				};
			};
		};
	};

In the above example, the kernel-1 image has an arbvn of 1. If
plat_arbvn is 1, the system will boot with this FIT image. If
plat_arbvn is 2 or more, U-Boot will prevent the system from booting
with this FIT image.

Thirupathaiah Annapureddy (1):
  image: add anti rollback protection for FIT Images

 Kconfig                |  9 +++++
 common/image-fit-sig.c | 79 ++++++++++++++++++++++++++++++++++++++++++
 common/image-fit.c     | 24 +++++++++++++
 include/image.h        | 23 ++++++++++++
 4 files changed, 135 insertions(+)

-- 
2.25.2
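The compare-and-update logic in the cover letter's pseudo code, and the two board hooks it relies on, as an added stand-alone C example. This is not code from the patch or from U-Boot: board_get_arbvn/board_set_arbvn keep the signatures the RFC proposes, but the image-type numbers, the sim_ store that stands in for platform tamper-evident storage, and the fit_check_arbvn/fit_verify_with_arbvn wrappers are assumptions made here so the scenario from the FIT example (plat_arbvn 1, then a rollback attempt) can be run on a host.

```c
/*
 * Added example (not U-Boot code): a host-side model of the arbvn check
 * from the RFC cover letter.  Everything prefixed "sim_" and the two
 * fit_* wrappers are assumptions made for this example.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed image-type numbering and store size for the simulation. */
#define SIM_IH_TYPE_KERNEL 2
#define SIM_IH_TYPE_FLATDT 8
#define SIM_IH_TYPE_MAX    16

/* Simulated tamper-evident storage: one monotonic counter per image type.
 * A real board would back this with eFuses, RPMB or a TPM NV index. */
static uint32_t sim_store[SIM_IH_TYPE_MAX];

/* Reset the simulated store so a scenario starts from a known state. */
void sim_store_reset(void)
{
	for (int i = 0; i < SIM_IH_TYPE_MAX; i++)
		sim_store[i] = 0;
}

/* Read the last-seen arbvn for an image type (signature as in the RFC). */
int board_get_arbvn(uint8_t ih_type, uint32_t *arbvn)
{
	if (ih_type >= SIM_IH_TYPE_MAX || !arbvn)
		return -EINVAL;
	*arbvn = sim_store[ih_type];
	return 0;
}

/* Persist a new arbvn (signature as in the RFC).  The store itself refuses
 * to move backwards, so a caller bug cannot silently downgrade the counter. */
int board_set_arbvn(uint8_t ih_type, uint32_t arbvn)
{
	if (ih_type >= SIM_IH_TYPE_MAX)
		return -EINVAL;
	if (arbvn < sim_store[ih_type])
		return -EPERM;
	sim_store[ih_type] = arbvn;
	return 0;
}

/* The compare-and-update step from the cover letter's pseudo code. */
int fit_check_arbvn(uint8_t ih_type, uint32_t image_arbvn)
{
	uint32_t plat_arbvn;
	int ret = board_get_arbvn(ih_type, &plat_arbvn);

	if (ret)
		return ret;
	if (image_arbvn < plat_arbvn)
		return -EPERM;                 /* rollback attempt: reject */
	if (image_arbvn > plat_arbvn)
		return board_set_arbvn(ih_type, image_arbvn); /* advance */
	return 0;                              /* equal: accept, nothing to store */
}

/*
 * Order matters: arbvn lives inside the signed data, so it may only be
 * trusted (and the store only updated) after the configuration signature
 * has verified.  sig_ok stands in for the result of that verification.
 */
int fit_verify_with_arbvn(bool sig_ok, uint8_t ih_type, uint32_t image_arbvn)
{
	if (!sig_ok)
		return -EPERM; /* unverified arbvn is untrusted; leave the store alone */
	return fit_check_arbvn(ih_type, image_arbvn);
}

int main(void)
{
	uint32_t v = 0;

	sim_store_reset();
	board_set_arbvn(SIM_IH_TYPE_KERNEL, 1);  /* platform has already seen arbvn 1 */

	printf("kernel arbvn 1 -> %d\n", fit_verify_with_arbvn(true, SIM_IH_TYPE_KERNEL, 1));
	printf("kernel arbvn 2 -> %d\n", fit_verify_with_arbvn(true, SIM_IH_TYPE_KERNEL, 2));
	board_get_arbvn(SIM_IH_TYPE_KERNEL, &v);
	printf("store now %u\n", v);
	printf("kernel arbvn 1 again -> %d (-EPERM is %d)\n",
	       fit_verify_with_arbvn(true, SIM_IH_TYPE_KERNEL, 1), -EPERM);
	printf("bad signature, arbvn 9 -> %d\n",
	       fit_verify_with_arbvn(false, SIM_IH_TYPE_KERNEL, 9));
	board_get_arbvn(SIM_IH_TYPE_KERNEL, &v);
	printf("store still %u\n", v);
	return 0;
}
```

The store is per image type, as the hooks' ih_type parameter implies, so advancing the kernel counter does not affect the FDT counter. The store is also written as soon as a higher arbvn verifies, which mirrors the cover letter's pseudo code; a platform that wants to survive a higher-versioned image that then fails to boot would need to defer the board_set_arbvn call until after a successful boot, which this proposal does not describe.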