base: u-boot-ostree-scr-fit: add rollback protection support

Add rollback protection support, which can be enabled by OTP variabled fiovb.rollback_protection. Signed-off-by: Igor Opaniuk <[email protected]>
foundriesio · Mar 16, 2023 · 54f30f4 · 54f30f4
1 parent 6705fa7
commit 54f30f4
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/meta-lmp-base/recipes-bsp/u-boot/u-boot-ostree-scr-fit/boot-common.cmd.in b/meta-lmp-base/recipes-bsp/u-boot/u-boot-ostree-scr-fit/boot-common.cmd.in
@@ -66,6 +66,7 @@ else
 	setenv fiovb.rollback "${rollback}"
 	setenv fiovb.upgrade_available "${upgrade_available}"
 	setenv fiovb.bootupgrade_available "${bootupgrade_available}"
+	setenv fiovb.bootfirmware_version "${bootfirmware_version}"
 	setenv fiovb.debug "${debug}"
 fi
 
@@ -97,6 +98,18 @@ if test "${fiovb.debug}" = "1"; then
 	echo "${fio_msg} ###########################################"
 fi
 
+if test -n "${fiovb_rpmb}"; then
+	if test "${fiovb.rollback_protection}" = "1"; then
+		echo "${fio_msg} Anti-rollback protection for boot firmware is enabled"
+		if test ${fiovb.bootfirmware_version} -gt ${dt_bootfirmware_version}; then
+			echo "${fio_msg} Error: It's impossible to downgrade to an older firmware, boot is aborted"
+			echo "${fio_msg} Error: Currently booted firmware: ${dt_bootfirmware_version}, previously booted: ${fiovb.bootfirmware_version} "
+			sleep 5
+			reset
+		fi
+	fi
+fi
+
 setenv fiovb.old_is_secondary_boot ${fiovb.is_secondary_boot}
 # Check state of SECONDARY_BOOT bit
 run check_secondary_boot