
From: Stephen Carlson stcarlso@microsoft.com
New config CONFIG_FIT_ARBVP_GRACE to add a one unit grace period to OS anti-rollback protection, allowing images with anti-rollback counters exactly one less than the platform value to still be loaded. No update to the platform anti-rollback counter will be performed in this case.
Signed-off-by: Stephen Carlson stcarlso@microsoft.com
---
 boot/Kconfig         | 10 ++++++++++
 boot/image-fit-sig.c |  7 ++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/boot/Kconfig b/boot/Kconfig index e08c274b7c..cd16bb8e53 100644 --- a/boot/Kconfig +++ b/boot/Kconfig @@ -112,6 +112,16 @@ config FIT_ARBP when a platform needs to retire previous versions of FIT images due to security flaws and prevent devices from being reverted to them.
+config FIT_ARBP_GRACE + bool "Enable FIT Anti rollback grace period" + depends on FIT_ARBP + default n + help + Enables a one unit grace period for FIT image anti-rollback protection, + where anti-rollback protection will still accept a FIT image with an + anti-rollback version one less than the current number, but will not + update the platform anti-rollback counter in that case. + config FIT_VERBOSE bool "Show verbose messages when FIT images fail" depends on FIT diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c index bf3b81a3a3..dc88a4b2cb 100644 --- a/boot/image-fit-sig.c +++ b/boot/image-fit-sig.c @@ -70,6 +70,7 @@ static int fit_image_verify_arbvn(const void *fit, int image_noffset) { u64 image_arbvn; u64 plat_arbvn = 0ULL; + u64 target_arbvn; struct udevice *dev; int ret;
@@ -85,7 +86,11 @@ static int fit_image_verify_arbvn(const void *fit, int image_noffset) if (ret) return -EIO;
- if (image_arbvn < plat_arbvn) { + target_arbvn = plat_arbvn; + /* Calculate target ARBVN, including grace period if enabled */ + if (CONFIG_IS_ENABLED(FIT_ARBP_GRACE) && plat_arbvn > 0ULL) + target_arbvn = plat_arbvn - 1ULL; + if (image_arbvn < target_arbvn) { return -EPERM; } else if (image_arbvn > plat_arbvn) { ret = dm_security_arbvn_set(dev, image_arbvn);
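Review bot: In the boot/Kconfig hunk, the new symbol is named FIT_ARBP_GRACE (consistent with the existing FIT_ARBP it depends on), but the commit message calls it CONFIG_FIT_ARBVP_GRACE; one of the two should be corrected so the option is discoverable by the name in the changelog. The help text should also state the security trade-off plainly: while this option is enabled an image at plat_arbvn - 1 is always accepted, so a version retired for a security flaw stays bootable until the platform counter is at least two above it, and platforms must advance the counter by two to actually lock out a single flawed version. Finally, `default n` is redundant for a bool and can be dropped.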
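Review bot: In the @@ -85 hunk the comment `/* Calculate target ARBVN, including grace period if enabled */` sits between `target_arbvn = plat_arbvn;` and the `if`, so it describes only half of the computation; move it above the assignment. The comment should also spell out the consequence of the check `if (image_arbvn < target_arbvn)`: with the grace period enabled, the immediately preceding counter value is never rejected, so retiring a flawed image requires setting the platform counter to that image's value plus two, and the existing `else if (image_arbvn > plat_arbvn)` branch correctly leaves the counter untouched for grace-period images. The `plat_arbvn > 0ULL` guard against underflow is correct. Since the Kconfig hunk defines only FIT_ARBP_GRACE and the code tests `CONFIG_IS_ENABLED(FIT_ARBP_GRACE)`, please confirm that the grace period is intended to apply only in the build phases where that macro resolves to the new symbol.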