suit: Add API to verify write access to variables

tomchy · degjorva · commit b9a4027646bb · 2025-01-08T16:42:18.000+01:00
Add API that checks if manifest with given component ID is entitled to
change the value of manifest variable.

Ref: NCSDK-30807

Signed-off-by: Tomasz Chyrowicz &lt;tomasz.chyrowicz@nordicsemi.no&gt;
diff --git a/subsys/suit/platform/include/suit_platform_internal.h b/subsys/suit/platform/include/suit_platform_internal.h
@@ -69,6 +69,18 @@ int suit_plat_component_id_get(suit_component_t handle, struct zcbor_string **co
 /** Return component type based on component handle */
 int suit_plat_component_type_get(suit_component_t handle, suit_component_type_t *component_type);
 
+/**
+ * @brief Verify if a manifest with given component ID is entitled to modify the manifest variable.
+ *
+ * @param[in] manifest_component_id  Component ID of a manifest that is requesting write access.
+ * @param[in] id                     Manifest variable ID.
+ *
+ * @retval SUIT_PLAT_SUCCESS                if modifications are allowed.
+ * @retval SUIT_ERR_DECODING                if decoding manifest component ID failed.
+ * @retval SUIT_ERR_UNAUTHORIZED_COMPONENT  if manifest is not allowed to modify the variable.
+ */
+int suit_plat_authorize_var_rw_access(struct zcbor_string *manifest_component_id, uint32_t id);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/subsys/suit/platform/sdfw/src/suit_plat_authenticate.c b/subsys/suit/platform/sdfw/src/suit_plat_authenticate.c
@@ -10,6 +10,10 @@
 #include <suit_plat_decode_util.h>
 #include <suit_plat_component_compatibility.h>
 #include <zephyr/logging/log.h>
+#ifdef CONFIG_SUIT_MANIFEST_VARIABLES
+#include <suit_manifest_variables.h>
+#include <suit_storage_mpi.h>
+#endif /* CONFIG_SUIT_MANIFEST_VARIABLES */
 
 LOG_MODULE_REGISTER(suit_plat_authenticate, CONFIG_SUIT_LOG_LEVEL);
 
@@ -190,3 +194,66 @@ int suit_plat_authorize_process_dependency(struct zcbor_string *parent_component
 
 	return SUIT_ERR_UNAUTHORIZED_COMPONENT;
 }
+
+int suit_plat_authorize_var_rw_access(struct zcbor_string *manifest_component_id, uint32_t id)
+{
+#ifdef CONFIG_SUIT_MANIFEST_VARIABLES
+	suit_manifest_role_t role = SUIT_MANIFEST_UNKNOWN;
+	uint32_t required_access_bits = 0xFF;
+	suit_manifest_class_id_t *class_id = NULL;
+	suit_plat_err_t plat_ret;
+	uint32_t access_mask;
+
+	if ((manifest_component_id == NULL) || (manifest_component_id->value == NULL) ||
+	    (manifest_component_id->len == 0)) {
+		return SUIT_ERR_DECODING;
+	}
+
+	/* Check if component ID is a manifest class */
+	if (suit_plat_decode_manifest_class_id(manifest_component_id, &class_id) !=
+	    SUIT_PLAT_SUCCESS) {
+		LOG_ERR("Component ID is not a manifest class");
+		return SUIT_ERR_UNAUTHORIZED_COMPONENT;
+	}
+
+	if (suit_storage_mpi_role_get(class_id, &role) != SUIT_PLAT_SUCCESS) {
+		LOG_ERR("Failed to identify manifest role");
+		return SUIT_ERR_UNAUTHORIZED_COMPONENT;
+	}
+
+	plat_ret = suit_mfst_var_get_access_mask(id, &access_mask);
+	if (plat_ret != SUIT_PLAT_SUCCESS) {
+		LOG_ERR("Unsupported manifest variable %d: %d", id, plat_ret);
+		return SUIT_ERR_UNAUTHORIZED_COMPONENT;
+	}
+
+	switch (role) {
+	case SUIT_MANIFEST_APP_ROOT:
+	case SUIT_MANIFEST_APP_RECOVERY:
+	case SUIT_MANIFEST_APP_LOCAL_1:
+	case SUIT_MANIFEST_APP_LOCAL_2:
+	case SUIT_MANIFEST_APP_LOCAL_3:
+		required_access_bits = MFST_VAR_ACCESS_APP;
+		break;
+	case SUIT_MANIFEST_RAD_RECOVERY:
+	case SUIT_MANIFEST_RAD_LOCAL_1:
+	case SUIT_MANIFEST_RAD_LOCAL_2:
+		required_access_bits = MFST_VAR_ACCESS_RAD;
+		break;
+	case SUIT_MANIFEST_SEC_TOP:
+	case SUIT_MANIFEST_SEC_SDFW:
+	case SUIT_MANIFEST_SEC_SYSCTRL:
+		required_access_bits = MFST_VAR_ACCESS_SEC;
+		break;
+	default:
+		LOG_ERR("Unsupported manifest role: %d", role);
+		return SUIT_ERR_UNAUTHORIZED_COMPONENT;
+	}
+
+	if ((access_mask & required_access_bits) == required_access_bits) {
+		return SUIT_SUCCESS;
+	}
+
+#endif /* CONFIG_SUIT_MANIFEST_VARIABLES */
+	return SUIT_ERR_UNAUTHORIZED_COMPONENT;
+}
