[PATCH 0/5] Add anti-rollback validation feature

Simon Glass sjg at chromium.org
Thu Aug 17 15:41:39 CEST 2023 

Hi Sean,

On Fri, 11 Aug 2023 at 18:28, <seanedmond at linux.microsoft.com> wrote:
>
> From: Sean Edmond <seanedmond at microsoft.com>
>
> Adds Add anti-rollback version protection. Images with an anti-rollback counter
> value "arbvn" declared in the FDT will be compared against the current device
> anti-rollback counter value, and older images will not pass signature
> validation. If the image is newer, the device anti-rollback counter value will
> be updated.
>
> The "arbvn" value is stored/retrieved using the newly added security driver.
> A "TPM backed" and "sandbox backed" security driver have been provided as examples.
>
> Adds new configs:
> - CONFIG_DM_SECURITY : enable security device support
> - CONFIG_SECURITY_SANDBOX : enables "sandbox_security" driver
> - CONFIG_SECURITY_TPM : Enables "tpm_security" driver
> - CONFIG_ARBP : enable enforcement of OS anti-rollback counter during image loading
> - CONFIG_FIT_ARBVP_GRACE : adds a one unit grace period to OS anti-rollback protection
>
> Sean Edmond (1):
>   dm: test: Add a test for security driver
>
> Stephen Carlson (4):
>   drivers: security: Add security devices to driver model
>   drivers: security: Add TPM2 implementation of security devices
>   common: Add OS anti-rollback validation using security devices
>   common: Add OS anti-rollback grace period
>
>  MAINTAINERS                         |   9 ++
>  arch/sandbox/dts/test.dts           |   8 ++
>  boot/Kconfig                        |  19 +++
>  boot/image-fit-sig.c                |  94 +++++++++++++++
>  boot/image-fit.c                    |  23 ++++
>  configs/sandbox_defconfig           |   3 +
>  drivers/Kconfig                     |   2 +
>  drivers/Makefile                    |   1 +
>  drivers/security/Kconfig            |  25 ++++
>  drivers/security/Makefile           |   7 ++
>  drivers/security/sandbox_security.c |  65 +++++++++++
>  drivers/security/security-tpm.c     | 173 ++++++++++++++++++++++++++++
>  drivers/security/security-uclass.c  |  30 +++++
>  include/dm-security.h               |  44 +++++++
>  include/dm/uclass-id.h              |   1 +
>  include/image.h                     |   4 +
>  include/tpm-v2.h                    |   1 +
>  test/dm/Makefile                    |   1 +
>  test/dm/security.c                  |  78 +++++++++++++
>  19 files changed, 588 insertions(+)
>  create mode 100644 drivers/security/Kconfig
>  create mode 100644 drivers/security/Makefile
>  create mode 100644 drivers/security/sandbox_security.c
>  create mode 100644 drivers/security/security-tpm.c
>  create mode 100644 drivers/security/security-uclass.c
>  create mode 100644 include/dm-security.h
>  create mode 100644 test/dm/security.c

Can you please add something to doc/ about this?

Regards,
Simon

More information about the U-Boot mailing list