[PATCH 0/5] Add anti-rollback validation feature
Simon Glass
sjg at chromium.org
Thu Aug 17 15:41:39 CEST 2023
Hi Sean,
On Fri, 11 Aug 2023 at 18:28, <seanedmond at linux.microsoft.com> wrote:
>
> From: Sean Edmond <seanedmond at microsoft.com>
>
> Add anti-rollback version protection. Images with an anti-rollback counter
> value "arbvn" declared in the FDT will be compared against the current device
> anti-rollback counter value, and older images will not pass signature
> validation. If the image is newer, the device anti-rollback counter value will
> be updated.
>
> The "arbvn" value is stored/retrieved using the newly added security driver.
> A "TPM backed" and "sandbox backed" security driver have been provided as examples.
>
> Adds new configs:
> - CONFIG_DM_SECURITY : enable security device support
> - CONFIG_SECURITY_SANDBOX : enables "sandbox_security" driver
> - CONFIG_SECURITY_TPM : Enables "tpm_security" driver
> - CONFIG_ARBP : enable enforcement of OS anti-rollback counter during image loading
> - CONFIG_FIT_ARBVP_GRACE : adds a one unit grace period to OS anti-rollback protection
>
> Sean Edmond (1):
> dm: test: Add a test for security driver
>
> Stephen Carlson (4):
> drivers: security: Add security devices to driver model
> drivers: security: Add TPM2 implementation of security devices
> common: Add OS anti-rollback validation using security devices
> common: Add OS anti-rollback grace period
>
> MAINTAINERS | 9 ++
> arch/sandbox/dts/test.dts | 8 ++
> boot/Kconfig | 19 +++
> boot/image-fit-sig.c | 94 +++++++++++++++
> boot/image-fit.c | 23 ++++
> configs/sandbox_defconfig | 3 +
> drivers/Kconfig | 2 +
> drivers/Makefile | 1 +
> drivers/security/Kconfig | 25 ++++
> drivers/security/Makefile | 7 ++
> drivers/security/sandbox_security.c | 65 +++++++++++
> drivers/security/security-tpm.c | 173 ++++++++++++++++++++++++++++
> drivers/security/security-uclass.c | 30 +++++
> include/dm-security.h | 44 +++++++
> include/dm/uclass-id.h | 1 +
> include/image.h | 4 +
> include/tpm-v2.h | 1 +
> test/dm/Makefile | 1 +
> test/dm/security.c | 78 +++++++++++++
> 19 files changed, 588 insertions(+)
> create mode 100644 drivers/security/Kconfig
> create mode 100644 drivers/security/Makefile
> create mode 100644 drivers/security/sandbox_security.c
> create mode 100644 drivers/security/security-tpm.c
> create mode 100644 drivers/security/security-uclass.c
> create mode 100644 include/dm-security.h
> create mode 100644 test/dm/security.c
Can you please add something to doc/ about this?
Regards,
Simon
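
The comparison described in the quoted cover letter, modelled as an added example (not code from this series or from U-Boot). The names arb_store and arb_check are hypothetical, and an in-memory struct stands in for the TPM-backed counter. Two behaviours are assumptions of the example: the grace period accepts an image one unit below the stored counter, and the counter only advances after the signature has verified.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the device counter; the series keeps it
 * behind a security driver (TPM or sandbox), not in plain memory. */
struct arb_store { uint64_t counter; };

enum arb_result { ARB_REJECT = -1, ARB_OK = 0, ARB_OK_UPDATED = 1 };

/*
 * image_arbvn: "arbvn" value declared in the image's FDT.
 * grace:       units below the stored counter still accepted
 *              (0 = strict; 1 models CONFIG_FIT_ARBVP_GRACE as assumed here).
 * sig_ok:      result of signature verification over the image.
 */
static enum arb_result arb_check(struct arb_store *s, uint64_t image_arbvn,
                                 uint64_t grace, bool sig_ok)
{
    /* Assumption: never let an unverified image influence the counter,
     * otherwise a forged high arbvn would lock out every valid image. */
    if (!sig_ok)
        return ARB_REJECT;

    /* Lowest acceptable version, clamped so the subtraction cannot wrap. */
    uint64_t floor = s->counter > grace ? s->counter - grace : 0;
    if (image_arbvn < floor)
        return ARB_REJECT;              /* rollback attempt */

    if (image_arbvn > s->counter) {     /* newer image: ratchet forward */
        s->counter = image_arbvn;
        return ARB_OK_UPDATED;
    }
    return ARB_OK;                      /* same version, or within grace */
}

int main(void)
{
    struct arb_store dev = { 3 };       /* constructed sample state */
    printf("arbvn=2 strict: %d\n", arb_check(&dev, 2, 0, true));
    printf("arbvn=2 grace:  %d\n", arb_check(&dev, 2, 1, true));
    printf("arbvn=5 signed: %d (counter now %llu)\n",
           arb_check(&dev, 5, 0, true), (unsigned long long)dev.counter);
    return 0;
}
```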