diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index 6b38994928..f4a643a2c2 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -155,7 +155,7 @@ static int bootutil_check_for_pure(const struct image_header *hdr,
 }
 #endif
 
-#ifndef ALLOW_ROGUE_TLVS
+#ifdef MCUBOOT_USE_TLV_ALLOW_LIST
 /*
  * The following list of TLVs are the only entries allowed in the unprotected
  * TLV section. All other TLV entries must be in the protected section.
@@ -293,7 +293,7 @@ bootutil_img_validate(struct boot_loader_state *state,
             break;
         }
 
-#ifndef ALLOW_ROGUE_TLVS
+#ifdef MCUBOOT_USE_TLV_ALLOW_LIST
     /*
      * Ensure that the non-protected TLV only has entries necessary to hold
      * the signature. We also allow encryption related keys to be in the
diff --git a/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h b/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h
index 9af2a7d27a..77cb4b4d4a 100644
--- a/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h
+++ b/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h
@@ -25,6 +25,9 @@
 #define MCUBOOT_MAX_IMG_SECTORS 2560
 #endif
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 /*
  * Signature types
  *
diff --git a/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h b/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h
index 2435172d81..d0085dc264 100644
--- a/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h
+++ b/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h
@@ -128,6 +128,9 @@
 #define MCUBOOT_DEV_WITH_ERASE
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 /* Default maximum number of flash sectors per image slot; change
  * as desirable. */
 #define MCUBOOT_MAX_IMG_SECTORS 512
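Review bot: Replacing `#ifndef ALLOW_ROGUE_TLVS` with `#ifdef MCUBOOT_USE_TLV_ALLOW_LIST` in both image_validate.c hunks (around lines 155 and 293) turns the unprotected-TLV allow-list check from opt-out into opt-in, so any mcuboot_config.h this commit does not touch — an out-of-tree port, or a build that still passes `-DALLOW_ROGUE_TLVS` expecting it to matter — now compiles without the check and without any diagnostic. A stale-configuration guard next to the first new condition would surface that at build time instead of at boot: `#ifdef ALLOW_ROGUE_TLVS` / `#error "ALLOW_ROGUE_TLVS has been replaced by MCUBOOT_USE_TLV_ALLOW_LIST"` / `#endif`. Whether anything in-tree still references ALLOW_ROGUE_TLVS cannot be seen from this diff. The body of bootutil_img_validate starts and ends outside the second hunk.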
diff --git a/boot/mbed/include/mcuboot_config/mcuboot_config.h b/boot/mbed/include/mcuboot_config/mcuboot_config.h
index 4794d3db38..2d7ce19ca2 100644
--- a/boot/mbed/include/mcuboot_config/mcuboot_config.h
+++ b/boot/mbed/include/mcuboot_config/mcuboot_config.h
@@ -80,6 +80,9 @@
 #define MCUBOOT_DEV_WITH_ERASE
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 /*
  * No watchdog integration for now
  */
diff --git a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h
index 6ee2c2ad25..f83f268e46 100644
--- a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h
+++ b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h
@@ -139,6 +139,9 @@
 #define MCUBOOT_DEV_WITH_ERASE
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 #if MYNEWT_VAL(BOOTUTIL_FEED_WATCHDOG) && MYNEWT_VAL(WATCHDOG_INTERVAL)
 #include 
 #define MCUBOOT_WATCHDOG_FEED() \
diff --git a/boot/nuttx/include/mcuboot_config/mcuboot_config.h b/boot/nuttx/include/mcuboot_config/mcuboot_config.h
index 8a3383f5bb..339f7273ca 100644
--- a/boot/nuttx/include/mcuboot_config/mcuboot_config.h
+++ b/boot/nuttx/include/mcuboot_config/mcuboot_config.h
@@ -134,6 +134,9 @@
 #define MCUBOOT_DEV_WITH_ERASE
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 /* Default maximum number of flash sectors per image slot; change
  * as desirable. */
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
index f94ac439dd..d517dd8fc0 100644
--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
@@ -1146,6 +1146,18 @@ config MCUBOOT_BOOT_BANNER
 config BOOT_BANNER_STRING
 	default "Using Zephyr OS build" if MCUBOOT_BOOT_BANNER
 
+config MCUBOOT_USE_TLV_ALLOW_LIST
+	bool "Check unprotected TLVs against allow list"
+	default y
+	help
+	  Every unprotected TLV will be checked against list of allowed TLVs,
+	  which is compiled in and depends on configuration; an image that
+	  contain TLV not present on the list will be automaticaly rejected.
+	  This is additional check, as MCUboot will not be parsing TLVs it
+	  has not been compiled to parse in the first place.
+	  Disabling this option will cut down MCUboot size.
+	  The Kconfig controlls MCUboot configuration option MCUBOOT_USE_TLV_ALLOW_LIST.
+
 config BOOT_DECOMPRESSION_SUPPORT
 	bool
 	help
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
index 5285632ca3..266dec1629 100644
--- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h
+++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -150,6 +150,11 @@
 #define MCUBOOT_HAVE_LOGGING 1
 #endif
 
+/* Enable/disable non-protected TLV check against allow list */
+#ifdef CONFIG_MCUBOOT_USE_TLV_ALLOW_LIST
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+#endif
+
 #ifdef CONFIG_BOOT_ENCRYPT_RSA
 #define MCUBOOT_ENC_IMAGES
 #define MCUBOOT_ENCRYPT_RSA
diff --git a/docs/design.md b/docs/design.md
index e4da1bfa85..2d30c78097 100755
--- a/docs/design.md
+++ b/docs/design.md
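Review bot: The help text of the new `MCUBOOT_USE_TLV_ALLOW_LIST` option carries typos and one sentence that undersells what the option does: `automaticaly` → `automatically`, `controlls` → `controls`, and `an image that contain TLV not present on the list` → `an image that contains a TLV not present on the list`. The line `This is additional check, as MCUboot will not be parsing TLVs it has not been compiled to parse in the first place.` reads as though the check were redundant; saying instead `This is an additional check: an unknown unprotected TLV causes the image to be rejected rather than ignored.` tells the user what turning it off gives up, which matters since `default y` is what keeps the previous behaviour. The same wording issue appears in the design.md paragraph added later in this commit.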
@@ -136,6 +136,14 @@ The `ih_hdr_size` field indicates the length of the header, and therefore the
 offset of the image itself. This field provides for backwards compatibility in
 case of changes to the format of the image header.
 
+## [TLV allow list](#tlv-allow)
+
+While reading unprotected TLVs from an image, MCUboot will try to match TLVs
+against list it has compiled in support for; each new defined TLV has to be added
+to that list, which is named `allowed_unprot_tlvs` and defined in
+image_validate.c. The usage of the list is optional and can be controlled
+during compilation with `MCUBOOT_USE_TLV_ALLOW_LIST` config identifier.
+
 ## [Flash map](#flash-map)
 
 A device's flash is partitioned according to its _flash map_. At a high
diff --git a/docs/release-notes.d/tlv-allow-list.md b/docs/release-notes.d/tlv-allow-list.md
new file mode 100644
index 0000000000..295b5f076f
--- /dev/null
+++ b/docs/release-notes.d/tlv-allow-list.md
@@ -0,0 +1,2 @@
+ - Control over compilation of unprotected TLV allow list has been exposed
+   using MCUBOOT_USE_TLV_ALLOW_LIST mcuboot configuration identifier.