zephyr/Kconfig: Add downgrade prevention to swaps

kasjer · d3zd3z · commit b8801fc0ac2e · 2022-10-04T08:52:57.000-06:00
Downgrade prevention for swap upgrades that was added to
mcuboot is now configurable in zephyr.

It may be using software version number from image in slot 0,
or security counter from the image in slot 0 (for limited downgrade
availability).

Hardware base security counter check remains unchanged.

Signed-off-by: Jerzy Kasenberg &lt;jerzy.kasenberg@codecoup.pl&gt;
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -548,14 +548,25 @@ choice BOOT_DOWNGRADE_PREVENTION_CHOICE
 
 config MCUBOOT_DOWNGRADE_PREVENTION
 	bool "SW based downgrade prevention"
-	depends on BOOT_UPGRADE_ONLY
+	depends on !BOOT_DIRECT_XIP
 	help
 	  Prevent downgrades by enforcing incrementing version numbers.
 	  When this option is set, any upgrade must have greater major version
 	  or greater minor version with equal major version. This mechanism
 	  only protects against some attacks against version downgrades (for
 	  example, a JTAG could be used to write an older version).
 
+config MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER
+	bool "Use image security counter instead of version number"
+	depends on MCUBOOT_DOWNGRADE_PREVENTION
+	depends on (BOOT_SWAP_USING_MOVE || BOOT_SWAP_USING_SCRATCH)
+	help
+       Security counter is used for version eligibility check instead of pure
+       version.  When this option is set, any upgrade must have greater or
+       equal security counter value.
+       Because of the acceptance of equal values it allows for software
+       downgrades to some extent.
+
 config MCUBOOT_HW_DOWNGRADE_PREVENTION
 	bool "HW based downgrade prevention"
 	help
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -133,6 +133,14 @@
 
 #ifdef CONFIG_MCUBOOT_DOWNGRADE_PREVENTION
 #define MCUBOOT_DOWNGRADE_PREVENTION 1
+/* MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER is used later as bool value so it is
+ * always defined, (unlike MCUBOOT_DOWNGRADE_PREVENTION which is only used in
+ * preprocessor condition and my be not defined) */
+#  ifdef CONFIG_MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER
+#    define MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER 1
+#  else
+#    define MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER 0
+#  endif
 #endif
 
 #ifdef CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION
