[nrf mergeup] Merge upstream up to commit 018dc01

Regular upmerge.

Signed-off-by: Robert Lubos <[email protected]>

Author: rlubos

README.md

@@ -18,7 +18,7 @@
 [travis]: https://travis-ci.org/mcu-tools/mcuboot
 [license]: https://github.com/mcu-tools/mcuboot/blob/main/LICENSE
 
-This is MCUboot version 2.1.0-dev
+This is MCUboot version 2.1.0
 
 MCUboot is a secure bootloader for 32-bits microcontrollers. It defines a
 common infrastructure for the bootloader and the system flash layout on

boot/boot_serial/src/boot_serial.c

@@ -1169,10 +1169,6 @@ boot_serial_in_dec(char *in, int inlen, char *out, int *out_off, int maxout)
         return 0;
     }
 
-    if (len > *out_off - sizeof(uint16_t)) {
-        len = *out_off - sizeof(uint16_t);
-    }
-
     out += sizeof(uint16_t);
 #ifdef __ZEPHYR__
     crc = crc16_itu_t(CRC16_INITIAL_CRC, out, len);

boot/bootutil/include/bootutil/crypto/ecdsa.h

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: Apache-2.0
  *
- * Copyright (c) 2023 Arm Limited
+ * Copyright (c) 2023-2024 Arm Limited
  */
 
 /*
@@ -349,7 +349,7 @@ static void parse_signature_from_rfc5480_encoding(const uint8_t *sig,
 {
     const uint8_t *sig_ptr = NULL;
 
-    /* r or s can be greater than the expected size by one, due to the way 
+    /* r or s can be greater than the expected size by one, due to the way
      * ASN.1 encodes signed integers. If either r or s starts with a bit 1,
      * a zero byte will be added in front of the encoding
      */
@@ -395,9 +395,26 @@ static const uint8_t Secp384r1[] = {0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22};
 
 static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx)
 {
+#if !defined(MCUBOOT_BUILTIN_KEY)
     ctx->key_id = PSA_KEY_ID_NULL;
     ctx->curve_byte_count = 0;
     ctx->required_algorithm = 0;
+
+#else /* !MCUBOOT_BUILTIN_KEY */
+    /* The incoming key ID is equal to the image index. The key ID value must be
+     * shifted (by one in this case) because zero is reserved (PSA_KEY_ID_NULL)
+     * and considered invalid.
+     */
+    ctx->key_id++; /* Make sure it is not equal to 0. */
+#if defined(MCUBOOT_SIGN_EC256)
+    ctx->curve_byte_count = 32;
+    ctx->required_algorithm = PSA_ALG_SHA_256;
+#endif /* MCUBOOT_SIGN_EC256 */
+#if defined(MCUBOOT_SIGN_EC384)
+    ctx->curve_byte_count = 48;
+    ctx->required_algorithm = PSA_ALG_SHA_384;
+#endif /* MCUBOOT_SIGN_EC384 */
+#endif /* !MCUBOOT_BUILTIN_KEY */
 }
 
 static inline void bootutil_ecdsa_drop(bootutil_ecdsa_context *ctx)
@@ -407,6 +424,7 @@ static inline void bootutil_ecdsa_drop(bootutil_ecdsa_context *ctx)
     }
 }
 
+#if !defined(MCUBOOT_BUILTIN_KEY)
 /*
  * Parse a ECDSA public key with format specified in RFC5280 et al.
  *
@@ -451,6 +469,7 @@ static int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
 
     return (int)psa_import_key(&key_attributes, *cp, key_size, &ctx->key_id);
 }
+#endif /* !MCUBOOT_BUILTIN_KEY */
 
 /* Verify the signature against the provided hash. The signature gets parsed from
  * the encoding first, then PSA Crypto has a dedicated API for ECDSA verification

boot/bootutil/include/bootutil/image.h

@@ -186,6 +186,7 @@ int bootutil_tlv_iter_begin(struct image_tlv_iter *it,
                             bool prot);
 int bootutil_tlv_iter_next(struct image_tlv_iter *it, uint32_t *off,
                            uint16_t *len, uint16_t *type);
+int bootutil_tlv_iter_is_prot(struct image_tlv_iter *it, uint32_t off);
 
 int32_t bootutil_get_img_security_cnt(struct image_header *hdr,
                                       const struct flash_area *fap,

boot/bootutil/pkg.yml

@@ -41,6 +41,9 @@ pkg.deps:
     - "@apache-mynewt-core/sys/defs"
     - "@mcuboot/boot/mynewt/flash_map_backend"
 
+pkg.ign_files.BOOTUTIL_SINGLE_APPLICATION_SLOT:
+    - "loader.c"
+
 pkg.deps.BOOTUTIL_USE_MBED_TLS:
     - "@apache-mynewt-core/crypto/mbedtls"
 

boot/bootutil/src/encrypted.c

@@ -276,6 +276,8 @@ hkdf(uint8_t *ikm, uint16_t ikm_len, uint8_t *info, uint16_t info_len,
         goto error;
     }
 
+    bootutil_hmac_sha256_drop(&hmac);
+
     /*
      * Expand
      */
@@ -315,6 +317,8 @@ hkdf(uint8_t *ikm, uint16_t ikm_len, uint8_t *info, uint16_t info_len,
             goto error;
         }
 
+        bootutil_hmac_sha256_drop(&hmac);
+
         if (len > BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE) {
             memcpy(&okm[off], T, BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE);
             len -= BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE;
@@ -324,7 +328,6 @@ hkdf(uint8_t *ikm, uint16_t ikm_len, uint8_t *info, uint16_t info_len,
         }
     }
 
-    bootutil_hmac_sha256_drop(&hmac);
     return 0;
 
 error:

boot/bootutil/src/fault_injection_hardening_delay_rng_mbedtls.c

@@ -8,7 +8,6 @@
 
 #ifdef FIH_ENABLE_DELAY
 
-#include "mcuboot-mbedtls-cfg.h"
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/entropy.h"
 

boot/bootutil/src/image_ecdsa.c

@@ -3,7 +3,7 @@
  *
  * Copyright (c) 2016-2019 JUUL Labs
  * Copyright (c) 2017 Linaro LTD
- * Copyright (C) 2021-2023 Arm Limited
+ * Copyright (C) 2021-2024 Arm Limited
  *
  * Original license:
  *
@@ -35,6 +35,7 @@
 #include "bootutil/fault_injection_hardening.h"
 #include "bootutil/crypto/ecdsa.h"
 
+#if !defined(MCUBOOT_BUILTIN_KEY)
 fih_ret
 bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,
                     uint8_t key_id)
@@ -65,5 +66,30 @@ bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,
 
     FIH_RET(fih_rc);
 }
+#else /* !MCUBOOT_BUILTIN_KEY */
+fih_ret
+bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,
+                    uint8_t key_id)
+{
+    int rc;
+    bootutil_ecdsa_context ctx;
+    FIH_DECLARE(fih_rc, FIH_FAILURE);
+
+    /* Use builtin key for image verification, no key parsing is required. */
+    ctx.key_id = key_id;
+    bootutil_ecdsa_init(&ctx);
+
+    /* The public key pointer and key size can be omitted. */
+    rc = bootutil_ecdsa_verify(&ctx, NULL, 0, hash, hlen, sig, slen);
+    fih_rc = fih_ret_encode_zero_equality(rc);
+    if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+        FIH_SET(fih_rc, FIH_FAILURE);
+    }
+
+    bootutil_ecdsa_drop(&ctx);
+
+    FIH_RET(fih_rc);
+}
+#endif /* MCUBOOT_BUILTIN_KEY */
 
 #endif /* MCUBOOT_SIGN_EC256 || MCUBOOT_SIGN_EC384 */

boot/bootutil/src/image_validate.c

@@ -3,7 +3,7 @@
  *
  * Copyright (c) 2017-2019 Linaro LTD
  * Copyright (c) 2016-2019 JUUL Labs
- * Copyright (c) 2019-2023 Arm Limited
+ * Copyright (c) 2019-2024 Arm Limited
  *
  * Original license:
  *
@@ -201,7 +201,27 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index,
 #    define SIG_BUF_SIZE 32 /* no signing, sha256 digest only */
 #endif
 
+#if (defined(MCUBOOT_HW_KEY)       + \
+     defined(MCUBOOT_BUILTIN_KEY)) > 1
+#error "Please use either MCUBOOT_HW_KEY or the MCUBOOT_BUILTIN_KEY feature."
+#endif
+
 #ifdef EXPECTED_SIG_TLV
+
+#if !defined(MCUBOOT_BUILTIN_KEY)
+#if !defined(MCUBOOT_HW_KEY)
+/* The key TLV contains the hash of the public key. */
+#   define EXPECTED_KEY_TLV     IMAGE_TLV_KEYHASH
+#   define KEY_BUF_SIZE         IMAGE_HASH_SIZE
+#else
+/* The key TLV contains the whole public key.
+ * Add a few extra bytes to the key buffer size for encoding and
+ * for public exponent.
+ */
+#   define EXPECTED_KEY_TLV     IMAGE_TLV_PUBKEY
+#   define KEY_BUF_SIZE         (SIG_BUF_SIZE + 24)
+#endif /* !MCUBOOT_HW_KEY */
+
 #if !defined(MCUBOOT_HW_KEY)
 static int
 bootutil_find_key(uint8_t *keyhash, uint8_t keyhash_len)
@@ -228,7 +248,7 @@ bootutil_find_key(uint8_t *keyhash, uint8_t keyhash_len)
     bootutil_sha_drop(&sha_ctx);
     return -1;
 }
-#else
+#else /* !MCUBOOT_HW_KEY */
 extern unsigned int pub_key_len;
 static int
 bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len)
@@ -266,7 +286,8 @@ bootutil_find_key(uint8_t image_index, uint8_t *key, uint16_t key_len)
     return -1;
 }
 #endif /* !MCUBOOT_HW_KEY */
-#endif
+#endif /* !MCUBOOT_BUILTIN_KEY */
+#endif /* EXPECTED_SIG_TLV */
 
 /**
  * Reads the value of an image's security counter.
@@ -328,6 +349,30 @@ bootutil_get_img_security_cnt(struct image_header *hdr,
     return 0;
 }
 
+#ifndef ALLOW_ROGUE_TLVS
+/*
+ * The following list of TLVs are the only entries allowed in the unprotected
+ * TLV section.  All other TLV entries must be in the protected section.
+ */
+static const uint16_t allowed_unprot_tlvs[] = {
+     IMAGE_TLV_KEYHASH,
+     IMAGE_TLV_PUBKEY,
+     IMAGE_TLV_SHA256,
+     IMAGE_TLV_SHA384,
+     IMAGE_TLV_RSA2048_PSS,
+     IMAGE_TLV_ECDSA224,
+     IMAGE_TLV_ECDSA_SIG,
+     IMAGE_TLV_RSA3072_PSS,
+     IMAGE_TLV_ED25519,
+     IMAGE_TLV_ENC_RSA2048,
+     IMAGE_TLV_ENC_KW,
+     IMAGE_TLV_ENC_EC256,
+     IMAGE_TLV_ENC_X25519,
+     /* Mark end with ANY. */
+     IMAGE_TLV_ANY,
+};
+#endif
+
 /*
  * Verify the integrity of the image.
  * Return non-zero if image could not be validated/does not validate.
@@ -344,10 +389,16 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
     int image_hash_valid = 0;
 #ifdef EXPECTED_SIG_TLV
     FIH_DECLARE(valid_signature, FIH_FAILURE);
+#ifndef MCUBOOT_BUILTIN_KEY
     int key_id = -1;
+#else
+    /* Pass a key ID equal to the image index, the underlying crypto library
+     * is responsible for mapping the image index to a builtin key ID.
+     */
+    int key_id = image_index;
+#endif /* !MCUBOOT_BUILTIN_KEY */
 #ifdef MCUBOOT_HW_KEY
-    /* Few extra bytes for encoding and for public exponent. */
-    uint8_t key_buf[SIG_BUF_SIZE + 24];
+    uint8_t key_buf[KEY_BUF_SIZE];
 #endif
 #endif /* EXPECTED_SIG_TLV */
     struct image_tlv_iter it;
@@ -393,6 +444,27 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
             break;
         }
 
+#ifndef ALLOW_ROGUE_TLVS
+        /*
+         * Ensure that the non-protected TLV only has entries necessary to hold
+         * the signature.  We also allow encryption related keys to be in the
+         * unprotected area.
+         */
+        if (!bootutil_tlv_iter_is_prot(&it, off)) {
+             bool found = false;
+             for (const uint16_t *p = allowed_unprot_tlvs; *p != IMAGE_TLV_ANY; p++) {
+                  if (type == *p) {
+                       found = true;
+                       break;
+                  }
+             }
+             if (!found) {
+                  FIH_SET(fih_rc, FIH_FAILURE);
+                  goto out;
+             }
+        }
+#endif
+
         if (type == EXPECTED_HASH_TLV) {
             /* Verify the image hash. This must always be present. */
             if (len != sizeof(hash)) {
@@ -411,44 +483,34 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
             }
 
             image_hash_valid = 1;
-#ifdef EXPECTED_SIG_TLV
-#ifndef MCUBOOT_HW_KEY
-        } else if (type == IMAGE_TLV_KEYHASH) {
+#ifdef EXPECTED_KEY_TLV
+        } else if (type == EXPECTED_KEY_TLV) {
             /*
              * Determine which key we should be checking.
              */
-            if (len > IMAGE_HASH_SIZE) {
+            if (len > KEY_BUF_SIZE) {
                 rc = -1;
                 goto out;
             }
+#ifndef MCUBOOT_HW_KEY
             rc = LOAD_IMAGE_DATA(hdr, fap, off, buf, len);
             if (rc) {
                 goto out;
             }
             key_id = bootutil_find_key(buf, len);
-            /*
-             * The key may not be found, which is acceptable.  There
-             * can be multiple signatures, each preceded by a key.
-             */
 #else
-        } else if (type == IMAGE_TLV_PUBKEY) {
-            /*
-             * Determine which key we should be checking.
-             */
-            if (len > sizeof(key_buf)) {
-                rc = -1;
-                goto out;
-            }
             rc = LOAD_IMAGE_DATA(hdr, fap, off, key_buf, len);
             if (rc) {
                 goto out;
             }
             key_id = bootutil_find_key(image_index, key_buf, len);
+#endif /* !MCUBOOT_HW_KEY */
             /*
              * The key may not be found, which is acceptable.  There
              * can be multiple signatures, each preceded by a key.
              */
-#endif /* !MCUBOOT_HW_KEY */
+#endif /* EXPECTED_KEY_TLV */
+#ifdef EXPECTED_SIG_TLV
         } else if (type == EXPECTED_SIG_TLV) {
             /* Ignore this signature if it is out of bounds. */
             if (key_id < 0 || key_id >= bootutil_key_cnt) {

boot/bootutil/src/loader.c

@@ -1703,6 +1703,7 @@ boot_copy_image(struct boot_loader_state *state, struct boot_status *bs)
     }
 #endif /* MCUBOOT_HW_ROLLBACK_PROT */
 
+#ifndef MCUBOOT_OVERWRITE_ONLY_KEEP_BACKUP
     /*
      * Erases header and trailer. The trailer is erased because when a new
      * image is written without a trailer as is the case when using newt, the
@@ -1713,6 +1714,8 @@ boot_copy_image(struct boot_loader_state *state, struct boot_status *bs)
                            boot_img_sector_off(state, BOOT_SECONDARY_SLOT, 0),
                            boot_img_sector_size(state, BOOT_SECONDARY_SLOT, 0));
     assert(rc == 0);
+#endif
+
     last_sector = boot_img_num_sectors(state, BOOT_SECONDARY_SLOT) - 1;
     BOOT_LOG_DBG("erasing secondary trailer");
     rc = boot_erase_region(fap_secondary_slot,