|
40 | 40 |
|
41 | 41 | #include "mcuboot_config/mcuboot_config.h"
|
42 | 42 |
|
| 43 | +#if defined(MCUBOOT_DECOMPRESS_IMAGES) |
| 44 | +#include <nrf_compress/implementation.h> |
| 45 | +#include <compression/decompression.h> |
| 46 | +#endif |
| 47 | + |
| 48 | +#include "bootutil/bootutil_log.h" |
| 49 | + |
| 50 | +BOOT_LOG_MODULE_DECLARE(mcuboot); |
| 51 | + |
43 | 52 | #ifdef MCUBOOT_ENC_IMAGES
|
44 | 53 | #include "bootutil/enc_key.h"
|
45 | 54 | #endif
|
@@ -470,6 +479,68 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
|
470 | 479 | FIH_DECLARE(security_counter_valid, FIH_FAILURE);
|
471 | 480 | #endif
|
472 | 481 |
|
| 482 | +#ifdef MCUBOOT_DECOMPRESS_IMAGES |
| 483 | + /* If the image is compressed, the integrity of the image must also be validated */ |
| 484 | + if (MUST_DECOMPRESS(fap, image_index, hdr)) { |
| 485 | + bool found_decompressed_size = false; |
| 486 | + bool found_decompressed_sha = false; |
| 487 | + bool found_decompressed_signature = false; |
| 488 | + |
| 489 | + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, true); |
| 490 | + if (rc) { |
| 491 | + goto out; |
| 492 | + } |
| 493 | + |
| 494 | + if (it.tlv_end > bootutil_max_image_size(fap)) { |
| 495 | + rc = -1; |
| 496 | + goto out; |
| 497 | + } |
| 498 | + |
| 499 | + while (true) { |
| 500 | + uint16_t expected_size = 0; |
| 501 | + bool *found_flag = NULL; |
| 502 | + |
| 503 | + rc = bootutil_tlv_iter_next(&it, &off, &len, &type); |
| 504 | + if (rc < 0) { |
| 505 | + goto out; |
| 506 | + } else if (rc > 0) { |
| 507 | + break; |
| 508 | + } |
| 509 | + |
| 510 | + switch (type) { |
| 511 | + case IMAGE_TLV_DECOMP_SIZE: |
| 512 | + expected_size = sizeof(size_t); |
| 513 | + found_flag = &found_decompressed_size; |
| 514 | + break; |
| 515 | + case IMAGE_TLV_DECOMP_SHA: |
| 516 | + expected_size = IMAGE_HASH_SIZE; |
| 517 | + found_flag = &found_decompressed_sha; |
| 518 | + break; |
| 519 | + case IMAGE_TLV_DECOMP_SIGNATURE: |
| 520 | + found_flag = &found_decompressed_signature; |
| 521 | + break; |
| 522 | + default: |
| 523 | + continue; |
| 524 | + }; |
| 525 | + |
| 526 | + if (type == IMAGE_TLV_DECOMP_SIGNATURE && !EXPECTED_SIG_LEN(len)) { |
| 527 | + rc = -1; |
| 528 | + goto out; |
| 529 | + } else if (type != IMAGE_TLV_DECOMP_SIGNATURE && len != expected_size) { |
| 530 | + rc = -1; |
| 531 | + goto out; |
| 532 | + } |
| 533 | + |
| 534 | + *found_flag = true; |
| 535 | + } |
| 536 | + |
| 537 | + rc = (!found_decompressed_size || !found_decompressed_sha || !found_decompressed_signature); |
| 538 | + if (rc) { |
| 539 | + goto out; |
| 540 | + } |
| 541 | + } |
| 542 | +#endif |
| 543 | + |
473 | 544 | #if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE)
|
474 | 545 | rc = bootutil_img_hash(enc_state, image_index, hdr, fap, tmp_buf,
|
475 | 546 | tmp_buf_sz, hash, seed, seed_len);
|
@@ -680,6 +751,161 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
|
680 | 751 | }
|
681 | 752 | #endif
|
682 | 753 |
|
| 754 | +#ifdef MCUBOOT_DECOMPRESS_IMAGES |
| 755 | + /* Only after all previous verifications have passed, perform a dry-run of the decompression |
| 756 | + * and ensure the image is valid |
| 757 | + */ |
| 758 | + if (!rc && MUST_DECOMPRESS(fap, image_index, hdr)) { |
| 759 | + image_hash_valid = 0; |
| 760 | + FIH_SET(valid_signature, FIH_FAILURE); |
| 761 | + |
| 762 | + rc = bootutil_img_hash_decompress(enc_state, image_index, hdr, fap, tmp_buf, tmp_buf_sz, |
| 763 | + hash, seed, seed_len); |
| 764 | + if (rc) { |
| 765 | + goto out; |
| 766 | + } |
| 767 | + |
| 768 | + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_DECOMP_SHA, true); |
| 769 | + if (rc) { |
| 770 | + goto out; |
| 771 | + } |
| 772 | + |
| 773 | + if (it.tlv_end > bootutil_max_image_size(fap)) { |
| 774 | + rc = -1; |
| 775 | + goto out; |
| 776 | + } |
| 777 | + |
| 778 | + while (true) { |
| 779 | + rc = bootutil_tlv_iter_next(&it, &off, &len, &type); |
| 780 | + if (rc < 0) { |
| 781 | + goto out; |
| 782 | + } else if (rc > 0) { |
| 783 | + break; |
| 784 | + } |
| 785 | + |
| 786 | + if (type == IMAGE_TLV_DECOMP_SHA) { |
| 787 | + /* Verify the image hash. This must always be present. */ |
| 788 | + if (len != sizeof(hash)) { |
| 789 | + rc = -1; |
| 790 | + goto out; |
| 791 | + } |
| 792 | + rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, sizeof(hash)); |
| 793 | + if (rc) { |
| 794 | + goto out; |
| 795 | + } |
| 796 | + |
| 797 | + FIH_CALL(boot_fih_memequal, fih_rc, hash, buf, sizeof(hash)); |
| 798 | + if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) { |
| 799 | + FIH_SET(fih_rc, FIH_FAILURE); |
| 800 | + goto out; |
| 801 | + } |
| 802 | + |
| 803 | + image_hash_valid = 1; |
| 804 | + } |
| 805 | + } |
| 806 | + |
| 807 | + rc = !image_hash_valid; |
| 808 | + if (rc) { |
| 809 | + goto out; |
| 810 | + } |
| 811 | + |
| 812 | +#ifdef EXPECTED_SIG_TLV |
| 813 | +#ifdef EXPECTED_KEY_TLV |
| 814 | + rc = bootutil_tlv_iter_begin(&it, hdr, fap, EXPECTED_KEY_TLV, false); |
| 815 | + if (rc) { |
| 816 | + goto out; |
| 817 | + } |
| 818 | + |
| 819 | + if (it.tlv_end > bootutil_max_image_size(fap)) { |
| 820 | + rc = -1; |
| 821 | + goto out; |
| 822 | + } |
| 823 | + |
| 824 | + while (true) { |
| 825 | + rc = bootutil_tlv_iter_next(&it, &off, &len, &type); |
| 826 | + if (rc < 0) { |
| 827 | + goto out; |
| 828 | + } else if (rc > 0) { |
| 829 | + break; |
| 830 | + } |
| 831 | + |
| 832 | + if (type == EXPECTED_KEY_TLV) { |
| 833 | + /* |
| 834 | + * Determine which key we should be checking. |
| 835 | + */ |
| 836 | + if (len > KEY_BUF_SIZE) { |
| 837 | + rc = -1; |
| 838 | + goto out; |
| 839 | + } |
| 840 | +#ifndef MCUBOOT_HW_KEY |
| 841 | + rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, len); |
| 842 | + if (rc) { |
| 843 | + goto out; |
| 844 | + } |
| 845 | + key_id = bootutil_find_key(buf, len); |
| 846 | +#else |
| 847 | + rc = LOAD_IMAGE_DATA(hdr, fap, off, key_buf, len); |
| 848 | + if (rc) { |
| 849 | + goto out; |
| 850 | + } |
| 851 | + key_id = bootutil_find_key(image_index, key_buf, len); |
| 852 | +#endif /* !MCUBOOT_HW_KEY */ |
| 853 | + /* |
| 854 | + * The key may not be found, which is acceptable. There |
| 855 | + * can be multiple signatures, each preceded by a key. |
| 856 | + */ |
| 857 | + } |
| 858 | + } |
| 859 | +#endif /* EXPECTED_KEY_TLV */ |
| 860 | + |
| 861 | + rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_DECOMP_SIGNATURE, true); |
| 862 | + if (rc) { |
| 863 | + goto out; |
| 864 | + } |
| 865 | + |
| 866 | + if (it.tlv_end > bootutil_max_image_size(fap)) { |
| 867 | + rc = -1; |
| 868 | + goto out; |
| 869 | + } |
| 870 | + |
| 871 | + while (true) { |
| 872 | + rc = bootutil_tlv_iter_next(&it, &off, &len, &type); |
| 873 | + if (rc < 0) { |
| 874 | + goto out; |
| 875 | + } else if (rc > 0) { |
| 876 | + rc = 0; |
| 877 | + break; |
| 878 | + } |
| 879 | + |
| 880 | + if (type == IMAGE_TLV_DECOMP_SIGNATURE) { |
| 881 | + /* Ignore this signature if it is out of bounds. */ |
| 882 | + if (key_id < 0 || key_id >= bootutil_key_cnt) { |
| 883 | + key_id = -1; |
| 884 | + continue; |
| 885 | + } |
| 886 | + |
| 887 | + if (!EXPECTED_SIG_LEN(len) || len > sizeof(buf)) { |
| 888 | + rc = -1; |
| 889 | + goto out; |
| 890 | + } |
| 891 | + rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, len); |
| 892 | + if (rc) { |
| 893 | + goto out; |
| 894 | + } |
| 895 | + |
| 896 | + FIH_CALL(bootutil_verify_sig, valid_signature, hash, sizeof(hash), |
| 897 | + buf, len, key_id); |
| 898 | + key_id = -1; |
| 899 | + } |
| 900 | + } |
| 901 | +#endif /* EXPECTED_SIG_TLV */ |
| 902 | + } |
| 903 | +#endif |
| 904 | + |
| 905 | +#ifdef EXPECTED_SIG_TLV |
| 906 | + FIH_SET(fih_rc, valid_signature); |
| 907 | +#endif |
| 908 | + |
683 | 909 | out:
|
684 | 910 | if (rc) {
|
685 | 911 | FIH_SET(fih_rc, FIH_FAILURE);
|
|