[PATCH 3/8] common: Add OS anti-rollback validation using rollback devices

seanedmond at linux.microsoft.com seanedmond at linux.microsoft.com
Tue Sep 12 11:47:26 CEST 2023 

From: Stephen Carlson <stcarlso at linux.microsoft.com>

New config CONFIG_ROLLBACK_CHECK to enable enforcement of OS anti-rollback
counter during image loading.

Images with an anti-rollback counter value "rollback" declared in the FDT
will be compared against the current device anti-rollback counter value,
and older images will not pass signature validation. If the image is
newer, the device anti-rollback counter value will be updated.

Signed-off-by: Stephen Carlson <stcarlso at linux.microsoft.com>
Signed-off-by: Sean Edmond <seanedmond at microsoft.com>
---
 boot/Kconfig         |  9 +++++
 boot/image-fit-sig.c | 92 ++++++++++++++++++++++++++++++++++++++++++++
 boot/image-fit.c     | 31 +++++++++++++++
 include/image.h      |  6 ++-
 4 files changed, 137 insertions(+), 1 deletion(-)

diff --git a/boot/Kconfig b/boot/Kconfig
index e8fb03b801..9180a1c8dc 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -103,6 +103,15 @@ config FIT_CIPHER
 	  Enable the feature of data ciphering/unciphering in the tool mkimage
 	  and in the u-boot support of the FIT image.
 
+config FIT_ROLLBACK_CHECK
+	bool "Enable Anti rollback version check for FIT images"
+	depends on FIT_SIGNATURE
+	default n
+	help
+	  Enables FIT image anti-rollback protection. This feature is required
+	  when a platform needs to retire previous versions of FIT images due to
+	  security flaws and prevent devices from being reverted to them.
+
 config FIT_VERBOSE
 	bool "Show verbose messages when FIT images fail"
 	depends on FIT
diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
index 12369896fe..91eaf4baa8 100644
--- a/boot/image-fit-sig.c
+++ b/boot/image-fit-sig.c
@@ -11,6 +11,8 @@
 #include <log.h>
 #include <malloc.h>
 #include <asm/global_data.h>
+#include <dm.h>
+#include <rollback.h>
 DECLARE_GLOBAL_DATA_PTR;
 #endif /* !USE_HOSTCC*/
 #include <fdt_region.h>
@@ -63,6 +65,44 @@ struct image_region *fit_region_make_list(const void *fit,
 	return region;
 }
 
+static int fit_image_verify_rollback(const void *fit, int image_noffset)
+{
+#if !defined(USE_HOSTCC)
+	u64 image_rollback;
+	u64 plat_rollback = 0ULL;
+	struct udevice *dev;
+	int ret;
+
+	ret = fit_image_get_rollback(fit, image_noffset, &image_rollback);
+
+	/* If the FIT doesn't contain the rollback property, assume an
+	 * anti-rollback version number of 0.  This ensures failure
+	 * if the platform anti-rollback version number is non-zero
+	 */
+	if (ret)
+		image_rollback = 0;
+
+	ret = uclass_first_device_err(UCLASS_ROLLBACK, &dev);
+	if (ret)
+		return ret;
+
+	ret = rollback_idx_get(dev, &plat_rollback);
+	if (ret)
+		return -EIO;
+
+	if (image_rollback < plat_rollback) {
+		return -EPERM;
+	} else if (image_rollback > plat_rollback) {
+		ret = rollback_idx_set(dev, image_rollback);
+		printf(" Updating OS anti-rollback to %llu from %llu\n",
+		       image_rollback, plat_rollback);
+		return ret;
+	}
+#endif
+
+	return 0;
+}
+
 static int fit_image_setup_verify(struct image_sign_info *info,
 				  const void *fit, int noffset,
 				  const void *key_blob, int required_keynode,
@@ -175,6 +215,16 @@ static int fit_image_verify_sig(const void *fit, int image_noffset,
 		goto error;
 	}
 
+	if (!tools_build()) {
+		if (FIT_IMAGE_ENABLE_ROLLBACK_CHECK && verified) {
+			ret = fit_image_verify_rollback(fit, image_noffset);
+			if (ret) {
+				err_msg = "Anti-rollback verification failed";
+				goto error;
+			}
+		}
+	}
+
 	return verified ? 0 : -EPERM;
 
 error:
@@ -385,6 +435,38 @@ static int fit_config_check_sig(const void *fit, int noffset, int conf_noffset,
 	return 0;
 }
 
+static int fit_config_verify_rollback(const void *fit, int conf_noffset,
+				      int sig_offset)
+{
+	static const char default_list[] = FIT_KERNEL_PROP "\0"
+			FIT_FDT_PROP;
+	int ret, len;
+	const char *prop, *iname, *end;
+	int image_noffset;
+
+	/* If there is "sign-images" property, use that */
+	prop = fdt_getprop(fit, sig_offset, "sign-images", &len);
+	if (!prop) {
+		prop = default_list;
+		len = sizeof(default_list);
+	}
+
+	/* Locate the images */
+	end = prop + len;
+	for (iname = prop; iname < end; iname += strlen(iname) + 1) {
+		image_noffset = fit_conf_get_prop_node(fit, conf_noffset,
+						       iname, IH_PHASE_NONE);
+		if (image_noffset < 0)
+			return -ENOENT;
+
+		ret = fit_image_verify_rollback(fit, image_noffset);
+		if (ret)
+			return ret;
+	}
+
+	return 0;
+}
+
 /**
  * fit_config_verify_key() - Verify that a configuration is signed with a key
  *
@@ -444,6 +526,16 @@ static int fit_config_verify_key(const void *fit, int conf_noffset,
 		goto error;
 	}
 
+	if (!tools_build()) {
+		if (FIT_IMAGE_ENABLE_ROLLBACK_CHECK && verified) {
+			ret = fit_config_verify_rollback(fit, conf_noffset, noffset);
+			if (ret) {
+				err_msg = "Anti-rollback verification failed";
+				goto error;
+			}
+		}
+	}
+
 	if (verified)
 		return 0;
 
diff --git a/boot/image-fit.c b/boot/image-fit.c
index 3cc556b727..510cb51cd5 100644
--- a/boot/image-fit.c
+++ b/boot/image-fit.c
@@ -1084,6 +1084,37 @@ int fit_image_get_data_and_size(const void *fit, int noffset,
 	return ret;
 }
 
+/**
+ * fit_image_get_rollback - get anti-rollback counter
+ * @fit: pointer to the FIT image header
+ * @noffset: component image node offset
+ * @rollback: holds the rollback property value
+ *
+ * returns:
+ *     0, on success
+ *     -ENOENT if the property could not be found
+ */
+int fit_image_get_rollback(const void *fit, int noffset, uint64_t *rollback)
+{
+	const fdt64_t *val;
+	int len;
+
+	val = fdt_getprop(fit, noffset, FIT_ROLLBACK_PROP, &len);
+
+	if (!val) {
+		printf("error! Can't find property %s in FIT\n", FIT_ROLLBACK_PROP);
+		return -ENOENT;
+	}
+	if (len != sizeof(uint64_t)) {
+		printf("Property %s must be 64-bits\n", FIT_ROLLBACK_PROP);
+		return -ENOENT;
+	}
+
+	*rollback = fdt64_to_cpu(*val);
+
+	return 0;
+}
+
 /**
  * fit_image_hash_get_algo - get hash algorithm name
  * @fit: pointer to the FIT format image header
diff --git a/include/image.h b/include/image.h
index 01a6787d21..3283cd7717 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1024,6 +1024,7 @@ int booti_setup(ulong image, ulong *relocated_addr, ulong *size,
 #define FIT_COMP_PROP		"compression"
 #define FIT_ENTRY_PROP		"entry"
 #define FIT_LOAD_PROP		"load"
+#define FIT_ROLLBACK_PROP	"rollback"
 
 /* configuration node */
 #define FIT_KERNEL_PROP		"kernel"
@@ -1105,6 +1106,7 @@ int fit_image_get_data_size_unciphered(const void *fit, int noffset,
 				       size_t *data_size);
 int fit_image_get_data_and_size(const void *fit, int noffset,
 				const void **data, size_t *size);
+int fit_image_get_rollback(const void *fit, int noffset, uint64_t *rollback_idx);
 
 /**
  * fit_get_data_node() - Get verified image data for an image
@@ -1389,6 +1391,7 @@ int calculate_hash(const void *data, int data_len, const char *algo,
  * device
  */
 #if defined(USE_HOSTCC)
+# define FIT_IMAGE_ENABLE_ROLLBACK_CHECK	0
 # if defined(CONFIG_FIT_SIGNATURE)
 #  define IMAGE_ENABLE_SIGN	1
 #  define FIT_IMAGE_ENABLE_VERIFY	1
@@ -1399,7 +1402,8 @@ int calculate_hash(const void *data, int data_len, const char *algo,
 # endif
 #else
 # define IMAGE_ENABLE_SIGN	0
-# define FIT_IMAGE_ENABLE_VERIFY	CONFIG_IS_ENABLED(FIT_SIGNATURE)
+# define FIT_IMAGE_ENABLE_VERIFY		CONFIG_IS_ENABLED(FIT_SIGNATURE)
+# define FIT_IMAGE_ENABLE_ROLLBACK_CHECK	CONFIG_IS_ENABLED(FIT_ROLLBACK_CHECK)
 #endif
 
 #ifdef USE_HOSTCC
-- 
2.40.0

More information about the U-Boot mailing list