[nrf noup] boot: bootutil: loader: Fix monotomic counter update issues

nrf-squash! [nrf noup] boot/../loader: skip downgrade prevention for s1/s0

Fixes 4 issues with monotomic counter usage:
1. Where the NSIB update skipped the check but would then wrongly
   update the monotomic counter after
2. Where a network core update on nRF5340 used the monotonic
   counter which only supports a single image
3. Where an NSIB update used the monotonic counter which only
   supports a single image
4. Where security counter validation was wrongly performed on other
   images against the main image security counter

Signed-off-by: Jamie McCrae <[email protected]>

Author: nordicjm

boot/bootutil/include/bootutil/security_cnt.h

@@ -39,6 +39,15 @@ extern "C" {
  */
 fih_ret boot_nv_security_counter_init(void);
 
+/**
+ * Checks if the specified image should have a security counter present on it or not
+ *
+ * @param image_index   Index of the image to check (from 0).
+ *
+ * @return              FIH_SUCCESS if security counter should be present; FIH_FAILURE if otherwise
+ */
+fih_ret boot_nv_image_should_have_security_counter(uint32_t image_index);
+
 /**
  * Reads the stored value of a given image's security counter.
  *

boot/bootutil/src/image_validate.c

@@ -527,6 +527,15 @@ bootutil_img_validate(struct boot_loader_state *state,
     fih_int security_cnt = fih_int_encode(INT_MAX);
     uint32_t img_security_cnt = 0;
     FIH_DECLARE(security_counter_valid, FIH_FAILURE);
+    FIH_DECLARE(security_counter_should_be_present, FIH_FAILURE);
+
+    FIH_CALL(boot_nv_image_should_have_security_counter, security_counter_should_be_present,
+             image_index);
+    if (FIH_NOT_EQ(security_counter_should_be_present, FIH_SUCCESS) &&
+        FIH_NOT_EQ(security_counter_should_be_present, FIH_FAILURE)) {
+        rc = -1;
+        goto out;
+    }
 #endif
 
 #ifdef MCUBOOT_DECOMPRESS_IMAGES
@@ -773,6 +782,10 @@ bootutil_img_validate(struct boot_loader_state *state,
                 goto out;
             }
 
+            if (FIH_EQ(security_counter_should_be_present, FIH_FAILURE)) {
+                goto skip_security_counter_read;
+            }
+
             FIH_CALL(boot_nv_security_counter_get, fih_rc, image_index,
                                                            &security_cnt);
             if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
@@ -792,6 +805,7 @@ bootutil_img_validate(struct boot_loader_state *state,
 
             /* The image's security counter has been successfully verified. */
             security_counter_valid = fih_rc;
+skip_security_counter_read:
             break;
         }
 #endif /* MCUBOOT_HW_ROLLBACK_PROT */
@@ -811,10 +825,16 @@ bootutil_img_validate(struct boot_loader_state *state,
     FIH_SET(fih_rc, valid_signature);
 #endif
 #ifdef MCUBOOT_HW_ROLLBACK_PROT
+    if (FIH_EQ(security_counter_should_be_present, FIH_FAILURE)) {
+        goto skip_security_counter_check;
+    }
+
     if (FIH_NOT_EQ(security_counter_valid, FIH_SUCCESS)) {
         rc = -1;
         goto out;
     }
+
+skip_security_counter_check:
 #endif
 
 #ifdef MCUBOOT_DECOMPRESS_IMAGES

boot/bootutil/src/loader.c

@@ -1303,6 +1303,38 @@ boot_validate_slot(struct boot_loader_state *state, int slot,
 }
 
 #ifdef MCUBOOT_HW_ROLLBACK_PROT
+/**
+ * Checks if the specified image should have a security counter present on it or not
+ *
+ * @param image_index   Index of the image to check.
+ *
+ * @return              true if security counter should be present; false if otherwise
+ */
+fih_ret boot_nv_image_should_have_security_counter(uint32_t image_index)
+{
+#if defined(PM_S1_ADDRESS)
+    if (owner_nsib[image_index]) {
+        /*
+         * Downgrade prevention on S0/S1 image is managed by NSIB, which is a software (not
+         * hardware) check
+         */
+        return FIH_FAILURE;
+    }
+#endif
+
+#if defined(CONFIG_SOC_NRF5340_CPUAPP) && CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1
+    if (image_index == CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER) {
+        /*
+         * Downgrade prevention on network core image is managed by NSIB which is a software (not
+         * hardware) check
+         */
+        return FIH_FAILURE;
+    }
+#endif
+
+    return FIH_SUCCESS;
+}
+
 /**
  * Updates the stored security counter value with the image's security counter
  * value which resides in the given slot, only if it's greater than the stored
@@ -1324,6 +1356,26 @@ boot_update_security_counter(struct boot_loader_state *state, int slot, int hdr_
     uint32_t img_security_cnt;
     int rc;
 
+#if defined(PM_S1_ADDRESS)
+    if (owner_nsib[BOOT_CURR_IMG(state)]) {
+        /*
+         * Downgrade prevention on S0/S1 image is managed by NSIB which is a software (not
+         * hardware) check
+         */
+        return 0;
+    }
+#endif
+
+#if defined(CONFIG_SOC_NRF5340_CPUAPP) && CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1
+    if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER) {
+        /*
+         * Downgrade prevention on network core image is managed by NSIB which is a software (not
+         * hardware) check
+         */
+        return 0;
+    }
+#endif
+
     fap = BOOT_IMG_AREA(state, slot);
     assert(fap != NULL);
 
@@ -2574,7 +2626,20 @@ check_downgrade_prevention(struct boot_loader_state *state)
 
 #if defined(PM_S1_ADDRESS)
     if (owner_nsib[BOOT_CURR_IMG(state)]) {
-        /* Downgrade prevention on S0/S1 image is managed by NSIB */
+        /*
+         * Downgrade prevention on S0/S1 image is managed by NSIB which is a software (not
+         * hardware) check
+         */
+        return 0;
+    }
+#endif
+
+#if defined(CONFIG_SOC_NRF5340_CPUAPP) && CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1
+    if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER) {
+        /*
+         * Downgrade prevention on network core image is managed by NSIB which is a software (not
+         * hardware) check
+         */
         return 0;
     }
 #endif