Skip to content

Add vendor and image class UUID support #2409

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add vendor and image class UUID support #2409

wants to merge 3 commits into from
+461 −23

Conversation

tomchy
Copy link
Contributor

@tomchy tomchy commented Jul 31, 2025

According to the PSA Platform Security Boot Guide:

R20_PSBG_MANIFEST: Each image manifest must contain the properties specified in Figure 2. It is permitted for
additional information to be included.

The manifest (which can be interpreted as image header and additional metadata stored inside TLVs) must include:

  • Image type: Specifically identifies the boot stage or peripheral. Also known as a purpose identifier. This field is not required if only one type of image is supported.
  • Product class: This can refer to a vendor ID, product ID, or a more specific identifier, such as the
    Instance ID.

This PR introduces two identifiers to meet those requirements:

  • Image class ID, defined as RFC 9562 UUID Version 5, that may contain all: image type and product type values as input.
  • Image vendor ID, defined as RFC 9562 UUID Version 5, that provides the namespace for the image class ID, so two devices with the same type/product name will have different image class UUIDs.

@tomchy tomchy mentioned this pull request Jul 31, 2025
Open
tomchy added 3 commits July 31, 2025 16:33
@tomchy
boot: Add VID and CID checks
a3812ad 
Add a possibility to express vendor ID and image class ID inside image's TLVs.

Signed-off-by: Tomasz Chyrowicz <[email protected]>
@tomchy
imgtool: Add support for VID and CID
ee21ade 
Allow to specify VID and CID for an image.

Signed-off-by: Tomasz Chyrowicz <[email protected]>
@tomchy
zephyr: Add Kconfig-based VID and CID checks
fc4c042 
Add a possibility to configure vendor ID and image class ID through Kconfig.

Signed-off-by: Tomasz Chyrowicz <[email protected]>
@tomchy tomchy force-pushed the feature/bootutil/NCSDK-34175_Add_vid_cid_support_upstream branch from ab8fffa to fc4c042 Compare July 31, 2025 14:33
de-nordic
de-nordic reviewed Aug 18, 2025
View reviewed changes
boot/bootutil/src/image_validate.c

FIH_CALL(boot_uuid_vid_match, fih_rc, image_index, &img_uuid_vid);
if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
FIH_SET(fih_rc, FIH_FAILURE);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line should set uuid_vid_valid, not the assignment below.

boot/bootutil/src/image_validate.c

FIH_CALL(boot_uuid_cid_match, fih_rc, image_index, &img_uuid_cid);
if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
FIH_SET(fih_rc, FIH_FAILURE);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line should set the uuid_cid_valid, not the assignment below.

boot/bootutil/src/image_validate.c
Comment on lines +771 to +780
if (len != sizeof(img_uuid_vid)) {
/* Vendor UUID is not valid. */
rc = -1;
goto out;
}

rc = LOAD_IMAGE_DATA(hdr, fap, off, img_uuid_vid.raw, len);
if (rc) {
goto out;
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it was decided to wrap uuid in fih, these should probably also report fih failure; i do not understand a difference between a failure in uuid check and inability to perform the check. And I know that we are inconsistent here, and maybe that is a good point to discuss it.

boot/bootutil/include/bootutil/image.h
@@ -142,6 +142,8 @@ extern "C" {
* ...
* 0xffa0 - 0xfffe
*/
#define IMAGE_TLV_UUID_VID 0x80 /* Vendor unique identifier */
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These go above comment explaining vendor specific ids. If these are vendor specific ids, then they have in-proper codes.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And should't really be here.

boot/zephyr/mcuboot_uuid.c

static fih_ret boot_uuid_compare(const struct image_uuid *uuid1, const struct image_uuid *uuid2)
{
return fih_ret_encode_zero_equality(memcmp(uuid1->raw, uuid2->raw,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we sure we want to get fih heavy on uuid comparisons? What is the attack vector here? As far as i cen tell they are already protected tlvs and, as such, are signed with image, and why would you bypass uid check? You would have to bypass signature first.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@de-nordic de-nordic de-nordic left review comments

@nordicjm nordicjm Awaiting requested review from nordicjm nordicjm is a code owner

@davidvincze davidvincze Awaiting requested review from davidvincze davidvincze is a code owner

@d3zd3z d3zd3z Awaiting requested review from d3zd3z d3zd3z is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tomchy @de-nordic