
Anti-rollback protection support #1072

Merged
merged 10 commits into from
Apr 10, 2023
12 changes: 10 additions & 2 deletions meta-lmp-base/classes/fip-utils.bbclass
@@ -1,4 +1,4 @@
DEPENDS += "tf-a-tools-native"
DEPENDS += "tf-a-tools-native dtc-native"

# Define default TF-A FIP namings
FIP_BASENAME ?= "fip"
@@ -134,7 +134,15 @@ do_deploy:append:class-target() {
FIP_FWCONFIG="--fw-config ${FIP_DEPLOYDIR_FWCONF}/${dt}-${FIP_FW_CONFIG}-${config}.${FIP_FW_CONFIG_SUFFIX}"
# Init FIP hw-config settings
[ -f "${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT_DTB}.${FIP_UBOOT_DTB_SUFFIX}" ] || bbfatal "Missing ${FIP_UBOOT_DTB}.${FIP_UBOOT_DTB_SUFFIX} file in folder: ${FIP_DEPLOYDIR_UBOOT}"
FIP_HWCONFIG="--hw-config ${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT_DTB}.${FIP_UBOOT_DTB_SUFFIX}"
cp -L ${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT_DTB}.${FIP_UBOOT_DTB_SUFFIX} ${WORKDIR}/${FIP_UBOOT_DTB}.${FIP_UBOOT_DTB_SUFFIX}
# Add boot firmware version to U-Boot DTB (if it's defined and is not zero)
if [ -n "${LMP_BOOT_FIRMWARE_VERSION}" -a "${LMP_BOOT_FIRMWARE_VERSION}" != "0" ]; then
# Might return "FDT_ERR_EXISTS" error, if "lmp" node already exists
fdtput -c -t s "${WORKDIR}/${FIP_UBOOT_DTB}.${FIP_UBOOT_DTB_SUFFIX}" /firmware/bootloader || true
fdtput -t s "${WORKDIR}/${FIP_UBOOT_DTB}.${FIP_UBOOT_DTB_SUFFIX}" /firmware/bootloader compatible "lmp,bootloader"
fdtput -t s "${WORKDIR}/${FIP_UBOOT_DTB}.${FIP_UBOOT_DTB_SUFFIX}" /firmware/bootloader bootfirmware-version "${LMP_BOOT_FIRMWARE_VERSION}"
fi
FIP_HWCONFIG="--hw-config ${WORKDIR}/${FIP_UBOOT_DTB}.${FIP_UBOOT_DTB_SUFFIX}"
# Init FIP nt-fw config
[ -f "${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT}.${FIP_UBOOT_SUFFIX}" ] || bbfatal "Missing ${FIP_UBOOT}.${FIP_UBOOT_SUFFIX} file in folder: ${FIP_DEPLOYDIR_UBOOT}"
FIP_NTFW="--nt-fw ${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT}.${FIP_UBOOT_SUFFIX}"
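Review bot: The `|| true` on the `fdtput -c` node-creation line (just after the FDT_ERR_EXISTS comment) masks every failure of that command, not only the already-exists case it is meant to tolerate, so a corrupt or unreadable DTB copy is noticed only if the following `fdtput -t s` calls happen to fail; narrowing it to the intended case, e.g. `fdtget -p "${WORKDIR}/${FIP_UBOOT_DTB}.${FIP_UBOOT_DTB_SUFFIX}" /firmware/bootloader >/dev/null 2>&1 || fdtput -c -t s "${WORKDIR}/${FIP_UBOOT_DTB}.${FIP_UBOOT_DTB_SUFFIX}" /firmware/bootloader`, keeps the error path honest. The version test uses the deprecated `-a` inside `[ ]`; `[ -n "${LMP_BOOT_FIRMWARE_VERSION}" ] && [ "${LMP_BOOT_FIRMWARE_VERSION}" != "0" ]` is the portable form. The `cp -L` source and destination paths are unquoted while the `[ -f ... ]` check right above them is quoted, and the same applies to `${uboot_dtb}` in the equivalent block of the uboot-fitimage.bbclass hunk, which repeats the `|| true` and `-a` patterns as well. do_deploy:append:class-target starts before this hunk and continues past it.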
10 changes: 10 additions & 0 deletions meta-lmp-base/classes/uboot-fitimage.bbclass
@@ -3,6 +3,8 @@

inherit kernel-arch

DEPENDS += "dtc-native"

# Share same key as used by U-Boot by default
UBOOT_SPL_SIGN_ENABLE ??= "${UBOOT_SIGN_ENABLE}"
UBOOT_SPL_SIGN_KEYNAME ??= "${UBOOT_SIGN_KEYNAME}"
@@ -247,6 +249,14 @@ EOF
};
EOF

# Add boot firmware version to U-Boot DTB (if it's defined and is not zero)
if [ -n "${LMP_BOOT_FIRMWARE_VERSION}" -a "${LMP_BOOT_FIRMWARE_VERSION}" != "0" ]; then
# Might return "FDT_ERR_EXISTS" error, if "lmp" node already exists
fdtput -c -t s ${uboot_dtb} /firmware/bootloader || true
fdtput -t s ${uboot_dtb} /firmware/bootloader compatible "lmp,bootloader"
fdtput -t s ${uboot_dtb} /firmware/bootloader bootfirmware-version "${LMP_BOOT_FIRMWARE_VERSION}"
fi

# Assemble the ITB image
tools/mkimage -f u-boot.its ${1}
}
@@ -15,9 +15,10 @@ INHIBIT_DEFAULT_DEPS = "1"
PACKAGE_ARCH = "${MACHINE_ARCH}"

S = "${WORKDIR}"
LMP_BOOT_FIRMWARE_VERSION ?= "0"

# Can be replaced by the user (via bbappend), which will reflect into version.txt
PV = "0"
PV = "${LMP_BOOT_FIRMWARE_VERSION}"

# To be customized per machine (referenced from DEPLOY_DIR_IMAGE)
LMP_BOOT_FIRMWARE_FILES ?= ""
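Review bot: The comment above `PV` still tells users to replace PV via bbappend, but PV is now derived from `LMP_BOOT_FIRMWARE_VERSION`, so overriding PV directly would bypass the variable the bbclass hunks in this PR stamp into the DTB. Suggest rewording it to `# Set LMP_BOOT_FIRMWARE_VERSION (e.g. in the machine config) rather than PV; PV is derived from it and reflected into version.txt`. The meaning of the `"0"` default is also worth stating next to the `?=` line, since the bbclass hunks skip the DTB update when it is 0, e.g. `# 0 = no boot firmware version is stamped into the DTB`.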
2 changes: 1 addition & 1 deletion meta-lmp-base/recipes-bsp/u-boot/u-boot-fio_2022.04.bb
@@ -1,5 +1,5 @@
require u-boot-fio-common.inc

SRCREV = "fd9b3d3ed417b954a714bd97ae47f2e2aeac8a3f"
SRCREV = "08452551bfa6fad7af475757be88d9cb0879eeff"
SRCBRANCH = "2022.04+fio"
LIC_FILES_CHKSUM = "file://Licenses/README;md5=5a7450c57ffe5ae63fd732446b988025"
@@ -52,11 +52,15 @@ if fiovb init ${devnum} && test -n "${board_is_closed}"; then
if test ! $? -eq 0; then fiovb write_pvalue debug 0; fi
fiovb read_pvalue is_secondary_boot 4
if test ! $? -eq 0; then fiovb write_pvalue is_secondary_boot 0; fi

# Try to read rollback-protection variable, but don't write, as this is OTP value
fiovb read_pvalue rollback_protection 4
else
echo "${fio_msg} Using ubootenv"
# Make sure initial environment is valid
if test -z "${bootcount}"; then setenv bootcount 0; setenv envsave 1; fi
if test -z "${rollback}"; then setenv rollback 0; setenv envsave 1; fi
if test -z "${rollback_protection}"; then setenv rollback_protection 0; setenv envsave 1; fi
if test -z "${upgrade_available}"; then setenv upgrade_available 0; setenv envsave 1; fi
if test -z "${bootupgrade_available}"; then setenv bootupgrade_available 0; setenv envsave 1; fi
if test -z "${bootupgrade_primary_updated}"; then setenv bootupgrade_primary_updated 0; setenv envsave 1; fi
@@ -67,9 +71,11 @@ else

setenv fiovb.bootcount "${bootcount}"
setenv fiovb.rollback "${rollback}"
setenv fiovb.rollback_protection "${rollback_protection}"
setenv fiovb.upgrade_available "${upgrade_available}"
setenv fiovb.bootupgrade_available "${bootupgrade_available}"
setenv fiovb.bootupgrade_primary_updated "${bootupgrade_primary_updated}"
setenv fiovb.bootfirmware_version "${bootfirmware_version}"
setenv fiovb.debug "${debug}"
fi

@@ -79,6 +85,7 @@ if test "${fiovb.debug}" = "1"; then
echo "${fio_msg} fiovb.is_secondary_boot = ${fiovb.is_secondary_boot}"
echo "${fio_msg} fiovb.bootcount = ${fiovb.bootcount}"
echo "${fio_msg} fiovb.rollback = ${fiovb.rollback}"
echo "${fio_msg} fiovb.rollback_protection = ${fiovb.rollback_protection}"
echo "${fio_msg} fiovb.upgrade_available = ${fiovb.upgrade_available}"
echo "${fio_msg} fiovb.bootupgrade_available = ${fiovb.bootupgrade_available}"
echo "${fio_msg} fiovb.bootupgrade_primary_updated = ${fiovb.bootupgrade_primary_updated}"
@@ -96,6 +103,22 @@ if test "${fiovb.debug}" = "1"; then
echo "${fio_msg} ###########################################"
fi

if test "${fiovb.rollback_protection}" = "1"; then
if test -z "${dt_bootfirmware_version}"; then
echo "${fio_msg} Error: Runtime boot firmware version is not available"
sleep 5
reset
fi

echo "${fio_msg} Anti-rollback protection for boot firmware is enabled"
if test ${fiovb.bootfirmware_version} -gt ${dt_bootfirmware_version}; then
echo "${fio_msg} Error: It is impossible to downgrade to an older firmware, boot is aborted"
echo "${fio_msg} Error: Currently booted firmware: ${dt_bootfirmware_version}, previously booted: ${fiovb.bootfirmware_version}"
sleep 5
reset
fi
fi

# Check state of SECONDARY_BOOT bit
setenv fiovb.old_is_secondary_boot ${fiovb.is_secondary_boot}
run check_secondary_boot
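Review bot: The downgrade check `test ${fiovb.bootfirmware_version} -gt ${dt_bootfirmware_version}` in the last hunk is not fail-closed when the stored version is empty: the ubootenv initialisation list in the first hunk gains `rollback_protection` but no `bootfirmware_version` entry, and only `dt_bootfirmware_version` is guarded by `test -z`, so an unset stored value reaches the comparison with a missing operand and cannot be relied on to abort the boot. Extending the guard to `if test -z "${dt_bootfirmware_version}" -o -z "${fiovb.bootfirmware_version}"; then` and adding `if test -z "${bootfirmware_version}"; then setenv bootfirmware_version 0; setenv envsave 1; fi` to the initialisation list closes that gap. Whether the fiovb branch reads `bootfirmware_version` from the secure store, and where the stored value is advanced after a successful boot of newer firmware, lies outside these hunks and is worth confirming. The same block and the same missing initialisation appear in the second boot script (the section beginning `@@ -50,11 +50,15 @@`).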
@@ -50,11 +50,15 @@ if fiovb init ${devnum} && test -n "${board_is_closed}"; then
if test ! $? -eq 0; then fiovb write_pvalue debug 0; fi
fiovb read_pvalue is_secondary_boot 4
if test ! $? -eq 0; then fiovb write_pvalue is_secondary_boot 0; fi

# Try to read rollback-protection variable, but don't write, as this is OTP value
fiovb read_pvalue rollback_protection 4
else
echo "${fio_msg} Using ubootenv"
# Make sure initial environment is valid
if test -z "${bootcount}"; then setenv bootcount 0; setenv envsave 1; fi
if test -z "${rollback}"; then setenv rollback 0; setenv envsave 1; fi
if test -z "${rollback_protection}"; then setenv rollback_protection 0; setenv envsave 1; fi
if test -z "${upgrade_available}"; then setenv upgrade_available 0; setenv envsave 1; fi
if test -z "${bootupgrade_available}"; then setenv bootupgrade_available 0; setenv envsave 1; fi
if test -z "${debug}"; then setenv debug 0; setenv envsave 1; fi
@@ -64,8 +68,10 @@ else

setenv fiovb.bootcount "${bootcount}"
setenv fiovb.rollback "${rollback}"
setenv fiovb.rollback_protection "${rollback_protection}"
setenv fiovb.upgrade_available "${upgrade_available}"
setenv fiovb.bootupgrade_available "${bootupgrade_available}"
setenv fiovb.bootfirmware_version "${bootfirmware_version}"
setenv fiovb.debug "${debug}"
fi

@@ -74,6 +80,7 @@ if test "${fiovb.debug}" = "1"; then
echo "${fio_msg} State machine variables:"
echo "${fio_msg} fiovb.bootcount = ${fiovb.bootcount}"
echo "${fio_msg} fiovb.rollback = ${fiovb.rollback}"
echo "${fio_msg} fiovb.rollback_protection = ${fiovb.rollback_protection}"
echo "${fio_msg} fiovb.upgrade_available = ${fiovb.upgrade_available}"
echo "${fio_msg} fiovb.bootupgrade_available = ${fiovb.bootupgrade_available}"
echo "${fio_msg} fiovb.is_secondary_boot = ${fiovb.is_secondary_boot}"
@@ -97,6 +104,22 @@ if test "${fiovb.debug}" = "1"; then
echo "${fio_msg} ###########################################"
fi

if test "${fiovb.rollback_protection}" = "1"; then
if test -z "${dt_bootfirmware_version}"; then
echo "${fio_msg} Error: Runtime boot firmware version is not available"
sleep 5
reset
fi

echo "${fio_msg} Anti-rollback protection for boot firmware is enabled"
if test ${fiovb.bootfirmware_version} -gt ${dt_bootfirmware_version}; then
echo "${fio_msg} Error: It is impossible to downgrade to an older firmware, boot is aborted"
echo "${fio_msg} Error: Currently booted firmware: ${dt_bootfirmware_version}, previously booted: ${fiovb.bootfirmware_version}"
sleep 5
reset
fi
fi

setenv fiovb.old_is_secondary_boot ${fiovb.is_secondary_boot}
# Check state of SECONDARY_BOOT bit
run check_secondary_boot
2 changes: 1 addition & 1 deletion meta-lmp-base/recipes-security/optee/optee-fiovb_git.bb
@@ -8,7 +8,7 @@ DEPENDS = "optee-client optee-os-tadevkit"
require optee-fio.inc

SRC_URI = "git://github.com/foundriesio/optee-fiovb.git;protocol=https;branch=master"
SRCREV = "e23cc95bb6869571862327d799f0dac3ecba4f81"
SRCREV = "4a353dec862f6dcad47e455c3074f3a4cb512f36"

PACKAGE_ARCH = "${MACHINE_ARCH}"

1 change: 1 addition & 0 deletions meta-lmp-bsp/conf/machine/include/lmp-machine-custom.inc
@@ -550,6 +550,7 @@ USE_XSCT_TARBALL:zynqmp = "1"
## Avnet UltraZed with secure boot support
UBOOT_SIGN_ENABLE:sota:uz3eg-iocc-sec = "1"
SOTA_CLIENT_FEATURES:remove:sota:uz3eg-iocc-sec = "ubootenv"
LMP_BOOT_FIRMWARE_VERSION:uz3eg-iocc-sec = "8"
## Avnet UltraZed with secure boot support and EBBR
UBOOT_SPL_SIGN_ENABLE:sota:uz3eg-iocc-ebbr-sec = "1"
UBOOT_SIGN_ENABLE:sota:uz3eg-iocc-ebbr-sec = "0"
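Review bot: `LMP_BOOT_FIRMWARE_VERSION:uz3eg-iocc-sec = "8"` is the value the boot scripts in this PR compare against the stored version when `rollback_protection` is 1, so it has to be incremented on every boot firmware release for this machine and must never be lowered, yet nothing at this line says so. Suggest a comment above it: `# Anti-rollback counter for the boot firmware: bump on every release, never decrease`.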
@@ -1,5 +1,4 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"

PROVIDES:uz3eg-iocc-sec = "virtual/boot-bin"
PV:uz3eg-iocc-sec = "8"
SRC_URI:uz3eg-iocc-sec = "file://boot.bin"
@@ -166,7 +166,7 @@ index 05fb259b1..7604670ce 100644
#endif

+#define STM32MP_BOOTSCR_BASE U(0xc4100000)
+#define STM32MP_BOOTSCR_SIZE U(0x4000)
+#define STM32MP_BOOTSCR_SIZE U(0x10000)
+
#if STM32MP13
#define STM32MP_FW_CONFIG_BASE SRAM3_BASE
@@ -20,3 +20,4 @@ CONFIG_SYS_MMC_ENV_DEV=0
# CONFIG_FASTBOOT is not set
# CONFIG_CMD_FASTBOOT is not set
# CONFIG_USB_FUNCTION_FASTBOOT is not set
CONFIG_BOOTFIRMWARE_INFO=y
@@ -20,3 +20,4 @@ CONFIG_SYS_MMC_ENV_DEV=1
# CONFIG_FASTBOOT is not set
# CONFIG_CMD_FASTBOOT is not set
# CONFIG_USB_FUNCTION_FASTBOOT is not set
CONFIG_BOOTFIRMWARE_INFO=y