[nrf noup] Fixed security counter overflow detected to late

ahasztag · ahasztag · commit 6fd7e24dcad9 · 2025-08-06T17:16:18.000+02:00
This commit fixes the issue, occuring when the maximum amount of
security counter updates has been reached.

This fact was only detected after a permament update already
happened - the updated firmware was unable to boot, as it
failed when trying to update the security counter after
the permament swap.

This commit adds the check if the security counter can be
updated (i. e. free security counter slots are still available)
before the swap is performed, fixing the issue.

Signed-off-by: Artur Hadasz &lt;artur.hadasz@nordicsemi.no&gt;
diff --git a/boot/bootutil/include/bootutil/security_cnt.h b/boot/bootutil/include/bootutil/security_cnt.h
@@ -72,6 +72,17 @@ fih_ret boot_nv_security_counter_get(uint32_t image_id, fih_int *security_cnt);
 int32_t boot_nv_security_counter_update(uint32_t image_id,
                                         uint32_t img_security_cnt);
 
+/**
+ * This function verifies whether the security counter update to a newer is possible.
+ * The update might not be possible if the maximum amount of security counter updates
+ * was reached.
+ *
+ * @param image_id          Index of the image (from 0).
+ *
+ * @return                  FIH_SUCCESS if update is possible; FIH_FAILURE otherwise
+ */
+fih_ret boot_nv_security_counter_is_update_possible(void);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
@@ -839,6 +839,16 @@ bootutil_img_validate(struct boot_loader_state *state,
                 goto out;
             }
 
+            if (img_security_cnt > (uint32_t)fih_int_decode(security_cnt)) {
+                FIH_CALL(boot_nv_security_counter_is_update_possible, fih_rc);
+                if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+                    FIH_SET(fih_rc, FIH_FAILURE);
+                    BOOT_LOG_ERR("Security counter update is not possible, possibly the maximum "
+                                 "number of security updates has been reached.");
+                    goto out;
+                }
+            }
+
             /* The image's security counter has been successfully verified. */
             security_counter_valid = fih_rc;
 skip_security_counter_read:
