[nrf noup] zephyr: Add support for compressed image updates

Adds support for LZMA-compressed firmware updates which also
supports encrypted images and supports more than 1 updateable image

Signed-off-by: Jamie McCrae <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit eb5056a)

Author: nordicjm

boot/bootutil/src/bootutil_misc.c

@@ -43,6 +43,11 @@
 #include "bootutil/enc_key.h"
 #endif
 
+#if defined(MCUBOOT_DECOMPRESS_IMAGES)
+#include <nrf_compress/implementation.h>
+#include <compression/decompression.h>
+#endif
+
 BOOT_LOG_MODULE_DECLARE(mcuboot);
 
 /* Currently only used by imgmgr */
@@ -523,35 +528,76 @@ boot_read_image_size(struct boot_loader_state *state, int slot, uint32_t *size)
     fap = BOOT_IMG_AREA(state, slot);
     assert(fap != NULL);
 
-    off = BOOT_TLV_OFF(boot_img_hdr(state, slot));
+#ifdef MCUBOOT_DECOMPRESS_IMAGES
+    if (MUST_DECOMPRESS(fap, BOOT_CURR_IMG(state), boot_img_hdr(state, slot))) {
+        uint32_t tmp_size = 0;
 
-    if (flash_area_read(fap, off, &info, sizeof(info))) {
-        rc = BOOT_EFLASH;
-        goto done;
-    }
+        rc = bootutil_get_img_decomp_size(boot_img_hdr(state, slot), fap, &tmp_size);
+
+        if (rc) {
+            rc = BOOT_EBADIMAGE;
+            goto done;
+        }
+
+        off = boot_img_hdr(state, slot)->ih_hdr_size + tmp_size;
+
+        rc = boot_size_protected_tlvs(boot_img_hdr(state, slot), fap, &tmp_size);
 
-    protect_tlv_size = boot_img_hdr(state, slot)->ih_protect_tlv_size;
-    if (info.it_magic == IMAGE_TLV_PROT_INFO_MAGIC) {
-        if (protect_tlv_size != info.it_tlv_tot) {
+        if (rc) {
             rc = BOOT_EBADIMAGE;
             goto done;
         }
 
-        if (flash_area_read(fap, off + info.it_tlv_tot, &info, sizeof(info))) {
+        off += tmp_size;
+
+        if (flash_area_read(fap, (BOOT_TLV_OFF(boot_img_hdr(state, slot)) +
+                                  boot_img_hdr(state, slot)->ih_protect_tlv_size), &info,
+                            sizeof(info))) {
             rc = BOOT_EFLASH;
             goto done;
         }
-    } else if (protect_tlv_size != 0) {
-        rc = BOOT_EBADIMAGE;
-        goto done;
-    }
 
-    if (info.it_magic != IMAGE_TLV_INFO_MAGIC) {
-        rc = BOOT_EBADIMAGE;
-        goto done;
+        if (info.it_magic != IMAGE_TLV_INFO_MAGIC) {
+            rc = BOOT_EBADIMAGE;
+            goto done;
+        }
+
+        *size = off + info.it_tlv_tot;
+    } else {
+#else
+    if (1) {
+#endif
+        off = BOOT_TLV_OFF(boot_img_hdr(state, slot));
+
+        if (flash_area_read(fap, off, &info, sizeof(info))) {
+            rc = BOOT_EFLASH;
+            goto done;
+        }
+
+        protect_tlv_size = boot_img_hdr(state, slot)->ih_protect_tlv_size;
+        if (info.it_magic == IMAGE_TLV_PROT_INFO_MAGIC) {
+            if (protect_tlv_size != info.it_tlv_tot) {
+                rc = BOOT_EBADIMAGE;
+                goto done;
+            }
+
+            if (flash_area_read(fap, off + info.it_tlv_tot, &info, sizeof(info))) {
+                rc = BOOT_EFLASH;
+                goto done;
+            }
+        } else if (protect_tlv_size != 0) {
+            rc = BOOT_EBADIMAGE;
+            goto done;
+        }
+
+        if (info.it_magic != IMAGE_TLV_INFO_MAGIC) {
+            rc = BOOT_EBADIMAGE;
+            goto done;
+        }
+
+        *size = off + protect_tlv_size + info.it_tlv_tot;
     }
 
-    *size = off + protect_tlv_size + info.it_tlv_tot;
     rc = 0;
 
 done:

boot/bootutil/src/image_validate.c

@@ -42,6 +42,15 @@
 
 #include "mcuboot_config/mcuboot_config.h"
 
+#if defined(MCUBOOT_DECOMPRESS_IMAGES)
+#include <nrf_compress/implementation.h>
+#include <compression/decompression.h>
+#endif
+
+#include "bootutil/bootutil_log.h"
+
+BOOT_LOG_MODULE_DECLARE(mcuboot);
+
 #ifdef MCUBOOT_ENC_IMAGES
 #include "bootutil/enc_key.h"
 #endif
@@ -484,7 +493,7 @@ bootutil_img_validate(struct boot_loader_state *state,
 #endif
                      )
 {
-#if (defined(EXPECTED_KEY_TLV) && defined(MCUBOOT_HW_KEY)) || defined(MCUBOOT_HW_ROLLBACK_PROT)
+#if (defined(EXPECTED_KEY_TLV) && defined(MCUBOOT_HW_KEY)) || defined(MCUBOOT_HW_ROLLBACK_PROT) || defined(MCUBOOT_DECOMPRESS_IMAGES)
     int image_index = (state == NULL ? 0 : BOOT_CURR_IMG(state));
 #endif
     uint32_t off;
@@ -527,6 +536,68 @@ bootutil_img_validate(struct boot_loader_state *state,
     }
 #endif
 
+#ifdef MCUBOOT_DECOMPRESS_IMAGES
+    /* If the image is compressed, the integrity of the image must also be validated */
+    if (MUST_DECOMPRESS(fap, image_index, hdr)) {
+        bool found_decompressed_size = false;
+        bool found_decompressed_sha = false;
+        bool found_decompressed_signature = false;
+
+        rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_ANY, true);
+        if (rc) {
+            goto out;
+        }
+
+        if (it.tlv_end > bootutil_max_image_size(state, fap)) {
+            rc = -1;
+            goto out;
+        }
+
+        while (true) {
+            uint16_t expected_size = 0;
+            bool *found_flag = NULL;
+
+            rc = bootutil_tlv_iter_next(&it, &off, &len, &type);
+            if (rc < 0) {
+                goto out;
+            } else if (rc > 0) {
+                break;
+            }
+
+            switch (type) {
+            case IMAGE_TLV_DECOMP_SIZE:
+                expected_size = sizeof(size_t);
+                found_flag = &found_decompressed_size;
+                break;
+            case IMAGE_TLV_DECOMP_SHA:
+                expected_size = IMAGE_HASH_SIZE;
+                found_flag = &found_decompressed_sha;
+                break;
+            case IMAGE_TLV_DECOMP_SIGNATURE:
+                found_flag = &found_decompressed_signature;
+                break;
+            default:
+                continue;
+            };
+
+            if (type == IMAGE_TLV_DECOMP_SIGNATURE && !EXPECTED_SIG_LEN(len)) {
+                rc = -1;
+                goto out;
+            } else if (type != IMAGE_TLV_DECOMP_SIGNATURE && len != expected_size) {
+                rc = -1;
+                goto out;
+            }
+
+            *found_flag = true;
+        }
+
+        rc = (!found_decompressed_size || !found_decompressed_sha || !found_decompressed_signature);
+        if (rc) {
+            goto out;
+        }
+    }
+#endif
+
 #if defined(EXPECTED_HASH_TLV) && !defined(MCUBOOT_SIGN_PURE)
 #if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY)
     rc = bootutil_img_hash(state, hdr, fap, tmp_buf, tmp_buf_sz, hash, seed, seed_len,
@@ -760,6 +831,161 @@ bootutil_img_validate(struct boot_loader_state *state,
 skip_security_counter_check:
 #endif
 
+#ifdef MCUBOOT_DECOMPRESS_IMAGES
+    /* Only after all previous verifications have passed, perform a dry-run of the decompression
+     * and ensure the image is valid
+     */
+    if (!rc && MUST_DECOMPRESS(fap, image_index, hdr)) {
+        image_hash_valid = 0;
+        FIH_SET(valid_signature, FIH_FAILURE);
+
+        rc = bootutil_img_hash_decompress(state, hdr, fap, tmp_buf, tmp_buf_sz,
+                                          hash, seed, seed_len);
+        if (rc) {
+            goto out;
+        }
+
+        rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_DECOMP_SHA, true);
+        if (rc) {
+            goto out;
+        }
+
+        if (it.tlv_end > bootutil_max_image_size(state, fap)) {
+            rc = -1;
+            goto out;
+        }
+
+        while (true) {
+            rc = bootutil_tlv_iter_next(&it, &off, &len, &type);
+            if (rc < 0) {
+                goto out;
+            } else if (rc > 0) {
+                break;
+            }
+
+            if (type == IMAGE_TLV_DECOMP_SHA) {
+                /* Verify the image hash. This must always be present. */
+                if (len != sizeof(hash)) {
+                    rc = -1;
+                    goto out;
+                }
+                rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, sizeof(hash));
+                if (rc) {
+                    goto out;
+                }
+
+                FIH_CALL(boot_fih_memequal, fih_rc, hash, buf, sizeof(hash));
+                if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+                    FIH_SET(fih_rc, FIH_FAILURE);
+                    goto out;
+                }
+
+                image_hash_valid = 1;
+            }
+        }
+
+        rc = !image_hash_valid;
+        if (rc) {
+            goto out;
+        }
+
+#ifdef EXPECTED_SIG_TLV
+#ifdef EXPECTED_KEY_TLV
+        rc = bootutil_tlv_iter_begin(&it, hdr, fap, EXPECTED_KEY_TLV, false);
+        if (rc) {
+            goto out;
+        }
+
+        if (it.tlv_end > bootutil_max_image_size(state, fap)) {
+            rc = -1;
+            goto out;
+        }
+
+        while (true) {
+            rc = bootutil_tlv_iter_next(&it, &off, &len, &type);
+            if (rc < 0) {
+                goto out;
+            } else if (rc > 0) {
+                break;
+            }
+
+            if (type == EXPECTED_KEY_TLV) {
+                /*
+                 * Determine which key we should be checking.
+                 */
+                if (len > KEY_BUF_SIZE) {
+                    rc = -1;
+                    goto out;
+                 }
+#ifndef MCUBOOT_HW_KEY
+                rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, len);
+                if (rc) {
+                    goto out;
+                }
+                key_id = bootutil_find_key(buf, len);
+#else
+                rc = LOAD_IMAGE_DATA(hdr, fap, off, key_buf, len);
+                if (rc) {
+                    goto out;
+                }
+                key_id = bootutil_find_key(image_index, key_buf, len);
+#endif /* !MCUBOOT_HW_KEY */
+                /*
+                 * The key may not be found, which is acceptable.  There
+                 * can be multiple signatures, each preceded by a key.
+                 */
+            }
+        }
+#endif /* EXPECTED_KEY_TLV */
+
+        rc = bootutil_tlv_iter_begin(&it, hdr, fap, IMAGE_TLV_DECOMP_SIGNATURE, true);
+        if (rc) {
+            goto out;
+        }
+
+        if (it.tlv_end > bootutil_max_image_size(state, fap)) {
+            rc = -1;
+            goto out;
+        }
+
+        while (true) {
+            rc = bootutil_tlv_iter_next(&it, &off, &len, &type);
+            if (rc < 0) {
+                goto out;
+            } else if (rc > 0) {
+                rc = 0;
+                break;
+            }
+
+            if (type == IMAGE_TLV_DECOMP_SIGNATURE) {
+                /* Ignore this signature if it is out of bounds. */
+                if (key_id < 0 || key_id >= bootutil_key_cnt) {
+                    key_id = -1;
+                    continue;
+                }
+
+                if (!EXPECTED_SIG_LEN(len) || len > sizeof(buf)) {
+                    rc = -1;
+                    goto out;
+                }
+                rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, len);
+                if (rc) {
+                    goto out;
+                }
+
+                FIH_CALL(bootutil_verify_sig, valid_signature, hash, sizeof(hash),
+                                                               buf, len, key_id);
+                key_id = -1;
+            }
+        }
+#endif /* EXPECTED_SIG_TLV */
+    }
+#endif
+
+#ifdef EXPECTED_SIG_TLV
+    FIH_SET(fih_rc, valid_signature);
+#endif
+
 out:
     if (rc) {
         FIH_SET(fih_rc, FIH_FAILURE);