[PATCH 4/5] common: Add OS anti-rollback grace period

Simon Glass sjg at chromium.org
Thu Aug 17 15:41:46 CEST 2023


Hi Sean,

On Fri, 11 Aug 2023 at 18:28, <seanedmond at linux.microsoft.com> wrote:
>
> From: Stephen Carlson <stcarlso at microsoft.com>
>
> New config CONFIG_FIT_ARBVP_GRACE to add a one unit grace period to OS
> anti-rollback protection, allowing images with anti-rollback counters
> exactly one less than the platform value to still be loaded. No update to
> the platform anti-rollback counter will be performed in this case.

This seems like a grace version rather than a grace period? I'm not
sure if that is a better name, but I might imagine a grace period of
one month, for example.

>
> Signed-off-by: Stephen Carlson <stcarlso at microsoft.com>
> ---
>  boot/Kconfig         | 10 ++++++++++
>  boot/image-fit-sig.c |  7 ++++++-
>  2 files changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/boot/Kconfig b/boot/Kconfig
> index e08c274b7c..cd16bb8e53 100644
> --- a/boot/Kconfig
> +++ b/boot/Kconfig
> @@ -112,6 +112,16 @@ config FIT_ARBP
>           when a platform needs to retire previous versions of FIT images due to
>           security flaws and prevent devices from being reverted to them.
>
> +config FIT_ARBP_GRACE
> +       bool "Enable FIT Anti rollback grace period"
> +       depends on FIT_ARBP
> +       default n
> +       help
> +         Enables a one unit grace period for FIT image anti-rollback protection,
> +         where anti-rollback protection will still accept a FIT image with an
> +         anti-rollback version one less than the current number, but will not
> +         update the platform anti-rollback counter in that case.
> +
>  config FIT_VERBOSE
>         bool "Show verbose messages when FIT images fail"
>         depends on FIT
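Review bot: the symbol added here is FIT_ARBP_GRACE, but the commit message refers to CONFIG_FIT_ARBVP_GRACE; one of the two should be corrected so the description matches the option that actually exists. The `default n` line is redundant for a bool symbol and can be dropped. Since the help text describes a fixed one-version allowance rather than a time window, the prompt and help would read more accurately as a "grace version", and it would help whoever enables this to say outright that, with the option on, a device can always be reverted to the image whose counter is one below the current platform value, since that is the security trade-off being made.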
> diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
> index bf3b81a3a3..dc88a4b2cb 100644
> --- a/boot/image-fit-sig.c
> +++ b/boot/image-fit-sig.c
> @@ -70,6 +70,7 @@ static int fit_image_verify_arbvn(const void *fit, int image_noffset)
>  {
>         u64 image_arbvn;
>         u64 plat_arbvn = 0ULL;
> +       u64 target_arbvn;
>         struct udevice *dev;
>         int ret;
>
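Review bot: style only: `target_arbvn` is declared here without an initializer and then unconditionally assigned `plat_arbvn` in the next hunk; folding that first assignment into the declaration (`u64 target_arbvn = plat_arbvn;` placed after `plat_arbvn` is read) would make it obvious at a glance that the variable is never used uninitialized.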
> @@ -85,7 +86,11 @@ static int fit_image_verify_arbvn(const void *fit, int image_noffset)
>         if (ret)
>                 return -EIO;
>
> -       if (image_arbvn < plat_arbvn) {
> +       target_arbvn = plat_arbvn;
> +       /* Calculate target ARBVN, including grace period if enabled */
> +       if (CONFIG_IS_ENABLED(FIT_ARBP_GRACE) && plat_arbvn > 0ULL)

> 0

> +               target_arbvn = plat_arbvn - 1ULL;
> +       if (image_arbvn < target_arbvn) {
>                 return -EPERM;
>         } else if (image_arbvn > plat_arbvn) {
>                 ret = dm_security_arbvn_set(dev, image_arbvn);
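Review bot: CONFIG_IS_ENABLED(FIT_ARBP_GRACE) resolves to CONFIG_SPL_FIT_ARBP_GRACE (and the TPL/VPL variants) when building those stages, and the Kconfig hunk adds no such variant, so in an SPL build the grace logic silently compiles out; if the option is meant to apply wherever FIT_ARBP does, use IS_ENABLED(CONFIG_FIT_ARBP_GRACE), otherwise add the stage-specific symbols. The logic itself matches the description: with grace enabled, an image with `image_arbvn == plat_arbvn - 1` passes the `image_arbvn < target_arbvn` test and, not being greater than `plat_arbvn`, never reaches `dm_security_arbvn_set`, so the platform counter is left alone, and the `plat_arbvn > 0ULL` guard avoids the unsigned wrap when the counter is zero. Worth extending the comment to say that the rejection threshold (`target_arbvn`) and the update threshold (`plat_arbvn`) differ by design, since a reader skimming the `else if` may expect both branches to compare against the same variable.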
> --
> 2.40.0
>

Regards,
Simon
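To make the accept/reject/update behaviour of the proposed check easy to reason about (including the grace-version case Simon raises), here is a small stand-alone model of the comparison. It is added here as an illustration and is not U-Boot code; the function names `arbvn_check` and `simulate_boots`, the verdict enum, and the sample counter sequence are all constructed for the example. It also drives the check over a sequence of boots so the difference between "accepted" and "accepted and counter advanced" is visible, which the patch text alone does not spell out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of one anti-rollback comparison (constructed enum, not from U-Boot). */
enum arbvn_verdict {
	ARBVN_REJECT,            /* image too old: do not load */
	ARBVN_ACCEPT,            /* load, platform counter unchanged */
	ARBVN_ACCEPT_AND_UPDATE, /* load, platform counter advanced to image value */
};

/*
 * Model of the comparison in fit_image_verify_arbvn() after the patch.
 * With `grace` set, an image whose counter is exactly one below the
 * platform counter is accepted but never causes the platform counter
 * to move. plat_arbvn == 0 is special-cased so the subtraction cannot wrap.
 */
enum arbvn_verdict arbvn_check(uint64_t image_arbvn, uint64_t plat_arbvn,
			       bool grace)
{
	uint64_t target_arbvn = plat_arbvn;

	if (grace && plat_arbvn > 0)
		target_arbvn = plat_arbvn - 1;

	if (image_arbvn < target_arbvn)
		return ARBVN_REJECT;
	if (image_arbvn > plat_arbvn)
		return ARBVN_ACCEPT_AND_UPDATE;
	return ARBVN_ACCEPT;
}

/* Lowest image counter the platform will still load at a given state. */
uint64_t arbvn_oldest_loadable(uint64_t plat_arbvn, bool grace)
{
	if (grace && plat_arbvn > 0)
		return plat_arbvn - 1;
	return plat_arbvn;
}

/*
 * Boot a sequence of images against a platform counter, advancing the
 * counter whenever the model says so. Returns the final counter and
 * reports how many images were refused via *rejected.
 */
uint64_t simulate_boots(const uint64_t *images, size_t n, uint64_t plat_arbvn,
			bool grace, size_t *rejected)
{
	size_t i;

	*rejected = 0;
	for (i = 0; i < n; i++) {
		switch (arbvn_check(images[i], plat_arbvn, grace)) {
		case ARBVN_REJECT:
			(*rejected)++;
			break;
		case ARBVN_ACCEPT_AND_UPDATE:
			plat_arbvn = images[i];
			break;
		case ARBVN_ACCEPT:
			break;
		}
	}
	return plat_arbvn;
}

int main(void)
{
	/* Constructed boot sequence: platform starts at 3, images arrive in this order. */
	const uint64_t images[] = { 4, 5, 4, 3, 2 };
	size_t n = sizeof(images) / sizeof(images[0]);
	size_t rejected;
	uint64_t final;

	final = simulate_boots(images, n, 3, false, &rejected);
	printf("no grace: final counter %llu, %zu rejected\n",
	       (unsigned long long)final, rejected);
	final = simulate_boots(images, n, 3, true, &rejected);
	printf("grace:    final counter %llu, %zu rejected\n",
	       (unsigned long long)final, rejected);
	return 0;
}
```

Running the sequence shows the property a reviewer cares about: both configurations end with the counter at 5, but with the grace version enabled the second boot of image 4 is accepted rather than refused, so the set of loadable images is always "current counter minus one and up", never narrower.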
