
From: Stephen Carlson <stcarlso@microsoft.com>
New config CONFIG_FIT_ROLLBACK_CHECK_GRACE to add a one unit grace version to OS anti-rollback protection, allowing images with anti-rollback counters exactly one less than the platform value to still be loaded. No update to the platform anti-rollback counter will be performed in this case.
Signed-off-by: Stephen Carlson <stcarlso@microsoft.com>
Signed-off-by: Sean Edmond <seanedmond@microsoft.com>
---
 boot/Kconfig         | 10 ++++++++++
 boot/image-fit-sig.c |  7 ++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/boot/Kconfig b/boot/Kconfig index 9180a1c8dc..95a717765c 100644 --- a/boot/Kconfig +++ b/boot/Kconfig @@ -112,6 +112,16 @@ config FIT_ROLLBACK_CHECK when a platform needs to retire previous versions of FIT images due to security flaws and prevent devices from being reverted to them.
+config FIT_ROLLBACK_CHECK_GRACE + bool "Enable FIT Anti rollback grace version" + depends on FIT_ARBP + default n + help + Enables a one unit grace version for FIT image anti-rollback protection, + where anti-rollback protection will still accept a FIT image with an + anti-rollback version one less than the current number, but will not + update the platform anti-rollback counter in that case. + config FIT_VERBOSE bool "Show verbose messages when FIT images fail" depends on FIT diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c index 91eaf4baa8..5689a316b6 100644 --- a/boot/image-fit-sig.c +++ b/boot/image-fit-sig.c @@ -70,6 +70,7 @@ static int fit_image_verify_rollback(const void *fit, int image_noffset) #if !defined(USE_HOSTCC) u64 image_rollback; u64 plat_rollback = 0ULL; + u64 target_rollback; struct udevice *dev; int ret;
@@ -90,7 +91,11 @@ static int fit_image_verify_rollback(const void *fit, int image_noffset) if (ret) return -EIO;
- if (image_rollback < plat_rollback) { + target_rollback = plat_rollback; + /* Calculate target anti-rollback version, including grace version if enabled */ + if (CONFIG_IS_ENABLED(FIT_ROLLBACK_CHECK_GRACE) && plat_rollback > 0ULL) + target_rollback = plat_rollback - 1ULL; + if (image_rollback < target_rollback) { return -EPERM; } else if (image_rollback > plat_rollback) { ret = rollback_idx_set(dev, image_rollback);
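Review bot: In the boot/Kconfig hunk the new option has `depends on FIT_ARBP`, but the symbol it extends, and the only rollback symbol visible in this patch, is `FIT_ROLLBACK_CHECK`; unless `FIT_ARBP` is an existing symbol that already implies `FIT_ROLLBACK_CHECK`, the dependency should be `depends on FIT_ROLLBACK_CHECK`, otherwise the grace option can be enabled without the check it modifies. The `default n` line is redundant for a bool and can be dropped. The help text should also state the security consequence plainly: with this option set, retiring an image for a security flaw requires advancing the platform counter to at least two above that image's version, since a version exactly one behind is still accepted.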
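Review bot: In the boot/image-fit-sig.c check hunk, an image accepted through the grace window (`image_rollback == plat_rollback - 1`) falls through silently, matching neither the `-EPERM` branch nor the `rollback_idx_set()` branch; add a `debug()` or `printf()` in that case so the boot log records that an older-than-current image was allowed, which is the only trace an operator has that the weaker policy was exercised. The comment line `/* Calculate target anti-rollback version, including grace version if enabled */` exceeds the 80-column limit once indented and should be wrapped. Finally, the `plat_rollback > 0ULL` guard is correct for avoiding the u64 underflow, so the comment might say so explicitly rather than only mentioning the grace version.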