From 3f07bdc9c3b77334899fe113f661e429e0602ef4 Mon Sep 17 00:00:00 2001
From: Jamie McCrae
Date: Thu, 22 Aug 2024 10:43:14 +0100
Subject: [PATCH 1/3] bootutil: loader: Add state to boot_is_header_valid() function

Adds the state object to this function so it can be referenced

Signed-off-by: Jamie McCrae
---
 boot/bootutil/src/loader.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
index 8663fbf2a..491c83c1f 100644
--- a/boot/bootutil/src/loader.c
+++ b/boot/bootutil/src/loader.c
@@ -863,10 +863,13 @@ split_image_check(struct image_header *app_hdr,
  * within the flash area we are in.
  */
 static bool
-boot_is_header_valid(const struct image_header *hdr, const struct flash_area *fap)
+boot_is_header_valid(const struct image_header *hdr, const struct flash_area *fap,
+                     struct boot_loader_state *state)
 {
     uint32_t size;
 
+    (void)state;
+
     if (hdr->ih_magic != IMAGE_MAGIC) {
         return false;
     }
@@ -1033,7 +1036,7 @@ boot_validate_slot(struct boot_loader_state *state, int slot,
     {
         FIH_CALL(boot_image_check, fih_rc, state, hdr, fap, bs);
     }
-    if (!boot_is_header_valid(hdr, fap) || FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+    if (!boot_is_header_valid(hdr, fap, state) || FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
         if ((slot != BOOT_PRIMARY_SLOT) || ARE_SLOTS_EQUIVALENT()) {
             flash_area_erase(fap, 0, flash_area_get_size(fap));
             /* Image is invalid, erase it to prevent further unnecessary
@@ -2556,7 +2559,7 @@ boot_get_slot_usage(struct boot_loader_state *state)
         for (slot = 0; slot < BOOT_NUM_SLOTS; slot++) {
             hdr = boot_img_hdr(state, slot);
 
-            if (boot_is_header_valid(hdr, BOOT_IMG_AREA(state, slot))) {
+            if (boot_is_header_valid(hdr, BOOT_IMG_AREA(state, slot), state)) {
                 state->slot_usage[BOOT_CURR_IMG(state)].slot_available[slot] = true;
                 BOOT_LOG_IMAGE_INFO(slot, hdr);
             } else {

From 15b35f6ad140d0aeadc760d4eb597958107e268e Mon Sep 17 00:00:00 2001
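Review bot: The new `state` parameter of boot_is_header_valid() is only discarded with `(void)state;`, and the function's header comment, whose start lies outside the hunk, is not updated to describe it. Suggest adding a line such as ` * The state argument is currently unused; it is passed so later checks can consult it.` to that comment (or a short `/* reserved for per-image checks */` next to the cast) so the placeholder is not mistaken for dead code. Nothing in this patch writes through `state`, so `const struct boot_loader_state *state` would also work for both call sites updated in the later hunks, unless a follow-up needs to mutate it. The remaining two hunks only thread `state` through the callers and raise no separate point.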
From: Jamie McCrae
Date: Thu, 22 Aug 2024 10:44:46 +0100
Subject: [PATCH 2/3] bootutil: loader: Verify image header before checking image

Changes the order of operations to validate the image header before checking the image, it does not make sense to check the image if the header itself is invalid

Signed-off-by: Jamie McCrae
---
 boot/bootutil/src/loader.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
index 491c83c1f..3b4bd8ceb 100644
--- a/boot/bootutil/src/loader.c
+++ b/boot/bootutil/src/loader.c
@@ -1030,13 +1030,16 @@ boot_validate_slot(struct boot_loader_state *state, int slot,
         }
     }
 #endif
-    BOOT_HOOK_CALL_FIH(boot_image_check_hook, FIH_BOOT_HOOK_REGULAR,
-                       fih_rc, BOOT_CURR_IMG(state), slot);
-    if (FIH_EQ(fih_rc, FIH_BOOT_HOOK_REGULAR))
-    {
-        FIH_CALL(boot_image_check, fih_rc, state, hdr, fap, bs);
+    if (!boot_is_header_valid(hdr, fap, state)) {
+        fih_rc = FIH_FAILURE;
+    } else {
+        BOOT_HOOK_CALL_FIH(boot_image_check_hook, FIH_BOOT_HOOK_REGULAR,
+                           fih_rc, BOOT_CURR_IMG(state), slot);
+        if (FIH_EQ(fih_rc, FIH_BOOT_HOOK_REGULAR)) {
+            FIH_CALL(boot_image_check, fih_rc, state, hdr, fap, bs);
+        }
     }
-    if (!boot_is_header_valid(hdr, fap, state) || FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+    if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
         if ((slot != BOOT_PRIMARY_SLOT) || ARE_SLOTS_EQUIVALENT()) {
             flash_area_erase(fap, 0, flash_area_get_size(fap));
             /* Image is invalid, erase it to prevent further unnecessary

From 49a587272cf8ceefe50dc0b85725529d6bd7df46 Mon Sep 17 00:00:00 2001
From: Jamie McCrae
Date: Thu, 22 Aug 2024 10:49:05 +0100
Subject: [PATCH 3/3] docs: release-notes: Add note on bootutil changes

Adds notes on the changed bootutil features

Signed-off-by: Jamie McCrae
---
 docs/release-notes.d/bootutil-image-verification.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 docs/release-notes.d/bootutil-image-verification.md
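Review bot: Gating the hook call on `boot_is_header_valid()` means `boot_image_check_hook` is no longer invoked for a slot whose header is rejected, which is a visible behaviour change for hook implementers that the commit message and release note describe only as a reordering; a sentence saying so would help. The new branch also deserves a why-comment, e.g. `/* A bad header makes the image check meaningless: fail fast and skip the hook. */` above `if (!boot_is_header_valid(hdr, fap, state)) {`. The final erase condition now depends on `fih_rc` alone instead of re-evaluating the header, so the `fih_rc = FIH_FAILURE;` assignment is what turns an invalid header into an erase; nothing after it re-checks the header, which is worth a comment so a later refactor does not drop it (how `fih_rc` is initialised is outside the hunk). boot_validate_slot() starts and ends outside the hunk.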
diff --git a/docs/release-notes.d/bootutil-image-verification.md b/docs/release-notes.d/bootutil-image-verification.md
new file mode 100644
index 000000000..a1cc58842
--- /dev/null
+++ b/docs/release-notes.d/bootutil-image-verification.md
@@ -0,0 +1,4 @@
+- Changed bootutil's order of events to verify the image header
+  before checking the image.
+- Added the bootloader state object to the bootutil
+  boot_is_header_valid() function