Skip to content

Add MCUBOOT_CHECK_HEADER_LOAD_ADDRESS #2481

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Add MCUBOOT_CHECK_HEADER_LOAD_ADDRESS #2481

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
98cae9a
bootutil: Add MCUBOOT_CHECK_HEADER_LOAD_ADDRESS
de-nordic Oct 7, 2025
1b8b198
zephyr: Added MCUBOOT_CHECK_HEADER_LOAD_ADDRESS Kconfig
de-nordic Oct 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 30 additions & 6 deletions boot/bootutil/src/loader.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,13 @@ static struct image_max_size image_max_sizes[BOOT_IMAGE_NUMBER] = {0};
#define TARGET_STATIC
#endif

#if defined(MCUBOOT_VERIFY_IMG_ADDRESS) && defined(MCUBOOT_CHECK_HEADER_LOAD_ADDRESS)
#warning MCUBOOT_CHECK_HEADER_LOAD_ADDRESS takes precedence over MCUBOOT_VERIFY_IMG_ADDRESS
#endif

/* Valid only for ARM Cortext M */
#define RESET_OFFSET (2 * sizeof(uin32_t))

#if BOOT_MAX_ALIGN > 1024
#define BUF_SZ BOOT_MAX_ALIGN
#else
Expand Down Expand Up @@ -1002,24 +1009,41 @@ boot_validate_slot(struct boot_loader_state *state, int slot,
goto out;
}

#if MCUBOOT_IMAGE_NUMBER > 1 && !defined(MCUBOOT_ENC_IMAGES) && defined(MCUBOOT_VERIFY_IMG_ADDRESS)
#if defined(MCUBOOT_VERIFY_IMG_ADDRESS) && !defined(MCUBOOT_ENC_IMAGES) || \
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missing bracket here?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes it is. I am still testing this locally and trying to make it run with sim.

defined(MCUBOOT_CHECK_HEADER_LOAD_ADDRESS)
/* Verify that the image in the secondary slot has a reset address
* located in the primary slot. This is done to avoid users incorrectly
* overwriting an application written to the incorrect slot.
* This feature is only supported by ARM platforms.
*/
if (fap == BOOT_IMG_AREA(state, BOOT_SLOT_SECONDARY)) {
const struct flash_area *pri_fa = BOOT_IMG_AREA(state, BOOT_SLOT_PRIMARY);
struct image_header *secondary_hdr = boot_img_hdr(state, slot);
uint32_t reset_value = 0;
uint32_t reset_addr = secondary_hdr->ih_hdr_size + sizeof(reset_value);
uint32_t internal_img_addr = 0; /* either the reset handler addres or the image beginning addres */
uint32_t min_addr;
uint32_t max_addr;

if (flash_area_read(fap, reset_addr, &reset_value, sizeof(reset_value)) != 0) {
min_addr = flash_area_get_off(BOOT_IMG_AREA(state, BOOT_SLOT_PRIMARY));
max_addr = flash_area_get_size(BOOT_IMG_AREA(state, BOOT_SLOT_PRIMARY)) + min_addr;

/* MCUBOOT_CHECK_HEADER_LOAD_ADDRESS takes priority over MCUBOOT_VERIFY_IMG_ADDRESS */
#ifdef MCUBOOT_CHECK_HEADER_LOAD_ADDRESS
internal_img_addr = secondary_hdr->ih_load_addr;
#else
/* This is platform specific code that should not be here */
const uint32_t offset = secondary_hdr->ih_hdr_size + RESET_OFFSET;
BOOT_LOG_DBG("Getting image %d internal addr from offset %u",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would mark this as deprecated then remove it in 2 releases

BOOT_CURR_IMG(state), offset);
if (flash_area_read(fap, offset, &internal_img_addr, sizeof(internal_img_addr)) != 0)
BOOT_LOG_ERR("Failed to read image %d load address", BOOT_CURR_IMG(state));
fih_rc = FIH_NO_BOOTABLE_IMAGE;
goto out;
}
#endif

if (reset_value < pri_fa->fa_off || reset_value> (pri_fa->fa_off + pri_fa->fa_size)) {
BOOT_LOG_DBG("Image %d expected load address 0x%x", BOOT_CURR_IMG(state), internal_img_addr);
BOOT_LOG_DBG("Check 0x%x is within [min_addr, max_addr] = [0x%x, 0x%x)",
internal_img_addr, min_addr, max_addr);
if (internal_img_addr < min_addr || internal_img_addr >= max_addr) {
BOOT_LOG_ERR("Reset address of image in secondary slot is not in the primary slot");
BOOT_LOG_ERR("Erasing image from secondary slot");

Expand Down
8 changes: 8 additions & 0 deletions boot/zephyr/Kconfig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1308,6 +1308,14 @@ config USB_DEVICE_PRODUCT
config MCUBOOT_BOOTUTIL_LIB_OWN_LOG
bool

config MCUBOOT_CHECK_HEADER_LOAD_ADDRESS
bool "Use load address to verify application is in proper slot"
help
The bootloader will use the load address, from the image header,
to verify that binary is in slot designated for its execution.
When not selected reset vector, read from image, is used for
the same purpose.

config MCUBOOT_VERIFY_IMG_ADDRESS
bool "Verify reset address of image in secondary slot"
depends on UPDATEABLE_IMAGE_NUMBER > 1
Expand Down
4 changes: 4 additions & 0 deletions boot/zephyr/include/mcuboot_config/mcuboot_config.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -307,6 +307,10 @@
#define MCUBOOT_FIND_NEXT_SLOT_HOOKS
#endif

#ifdef CONFIG_MCUBOOT_CHECK_HEADER_LOAD_ADDRESS
#define MCUBOOT_CHECK_HEADER_LOAD_ADDRESS
#endif

#ifdef CONFIG_MCUBOOT_VERIFY_IMG_ADDRESS
#define MCUBOOT_VERIFY_IMG_ADDRESS
#endif
Expand Down
Loading