mcu-tools · de-nordic · Jul 31, 2025 · Jul 31, 2025 · Jul 31, 2025 · Jul 31, 2025
@@ -155,7 +155,7 @@ static int bootutil_check_for_pure(const struct image_header *hdr,
 }
 #endif
 
-#ifndef ALLOW_ROGUE_TLVS
+#ifdef MCUBOOT_USE_TLV_ALLOW_LIST
 /*
  * The following list of TLVs are the only entries allowed in the unprotected
  * TLV section.  All other TLV entries must be in the protected section.
@@ -293,7 +293,7 @@ bootutil_img_validate(struct boot_loader_state *state,
             break;
         }
 
-#ifndef ALLOW_ROGUE_TLVS
+#ifdef MCUBOOT_USE_TLV_ALLOW_LIST
         /*
          * Ensure that the non-protected TLV only has entries necessary to hold
          * the signature.  We also allow encryption related keys to be in the

@@ -25,6 +25,9 @@
 #define MCUBOOT_MAX_IMG_SECTORS 2560
 #endif
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 /*
  * Signature types
  *

@@ -128,6 +128,9 @@
 
 #define MCUBOOT_DEV_WITH_ERASE
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 /* Default maximum number of flash sectors per image slot; change
  * as desirable. */
 #define MCUBOOT_MAX_IMG_SECTORS 512

@@ -80,6 +80,9 @@
 
 #define MCUBOOT_DEV_WITH_ERASE
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 /*
  * No watchdog integration for now
  */

diff --git a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h
@@ -139,6 +139,9 @@
 
 #define MCUBOOT_DEV_WITH_ERASE
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 #if MYNEWT_VAL(BOOTUTIL_FEED_WATCHDOG) && MYNEWT_VAL(WATCHDOG_INTERVAL)
 #include <hal/hal_watchdog.h>
 #define MCUBOOT_WATCHDOG_FEED()    \

diff --git a/boot/nuttx/include/mcuboot_config/mcuboot_config.h b/boot/nuttx/include/mcuboot_config/mcuboot_config.h
@@ -134,6 +134,9 @@
 
 #define MCUBOOT_DEV_WITH_ERASE
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 /* Default maximum number of flash sectors per image slot; change
  * as desirable.
  */

@@ -1146,6 +1146,18 @@ config MCUBOOT_BOOT_BANNER
 config BOOT_BANNER_STRING
         default "Using Zephyr OS build" if MCUBOOT_BOOT_BANNER
 
+config MCUBOOT_USE_TLV_ALLOW_LIST
+	bool "Check unprotected TLVs against allow list"
+	default y
+	help
+	  Every unprotected TLV will be checked against list of allowed TLVs,
+	  which is compiled in and depends on configuration; an image that
+	  contain TLV not present on the list will be automaticaly rejected.
+	  This is additional check, as MCUboot will not be parsing TLVs it
+	  has not been compiled to parse in the first place.
+	  Disabling this option will cut down MCUboot size.
+	  The Kconfig controlls MCUboot configuration option MCUBOOT_USE_TLV_ALLOW_LIST.
+
 config BOOT_DECOMPRESSION_SUPPORT
 	bool
 	help

@@ -150,6 +150,11 @@
 #define MCUBOOT_HAVE_LOGGING 1
 #endif
 
+/* Enable/disable non-protected TLV check against allow list */
+#ifdef CONFIG_MCUBOOT_USE_TLV_ALLOW_LIST
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+#endif
+
 #ifdef CONFIG_BOOT_ENCRYPT_RSA
 #define MCUBOOT_ENC_IMAGES
 #define MCUBOOT_ENCRYPT_RSA

@@ -136,6 +136,14 @@ The `ih_hdr_size` field indicates the length of the header, and therefore the
 offset of the image itself.  This field provides for backwards compatibility in
 case of changes to the format of the image header.
 
+## [TLV allow list](#tlv-allow)
+
+While reading unprotected TLVs from an image, MCUboot will try to match TLVs
+against list it has compiled in support for; each new defined TLV has to be added
+to that list, which is named `allowed_unprot_tlvs` and defined in
+image_validate.c. The usage of the list is optional and can be controlled
+during compilation with `MCUBOOT_USE_TLV_ALLOW_LIST` config identifier.
+
 ## [Flash map](#flash-map)
 
 A device's flash is partitioned according to its _flash map_.  At a high

@@ -0,0 +1,2 @@
+ - Control over compilation of unprotected TLV allow list has been exposed
+   using MCUBOOT_USE_TLV_ALLOW_LIST mcuboot configuration identifier.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		- Control over compilation of unprotected TLV allow list has been exposed
		using MCUBOOT_USE_TLV_ALLOW_LIST mcuboot configuration identifier.