nrfconnect · nordicjm · Oct 10, 2023 · Mar 26, 2019 · Sep 3, 2021 · Sep 20, 2019
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -0,0 +1,31 @@
+name: Backport
+on:
+  pull_request_target:
+    types:
+      - closed
+      - labeled
+    branches:
+      - main
+
+jobs:
+  backport:
+    name: Backport
+    runs-on: ubuntu-22.04
+    # Only react to merged PRs for security reasons.
+    # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
+    if: >
+      github.event.pull_request.merged &&
+      (
+        github.event.action == 'closed' ||
+        (
+          github.event.action == 'labeled' &&
+          contains(github.event.label.name, 'backport')
+        )
+      )
+    steps:
+      - name: Backport
+        uses: zephyrproject-rtos/[email protected]
+        with:
+          github_token: ${{ secrets.NCS_GITHUB_TOKEN }}
+          issue_labels: Backport
+          labels_template: '["Backport"]'
diff --git a/.github/workflows/commit-tags.yml b/.github/workflows/commit-tags.yml
@@ -0,0 +1,28 @@
+name: Commit tags
+
+on:
+  pull_request:
+    types: [synchronize, opened, reopened, edited, labeled, unlabeled,
+            milestoned, demilestoned, assigned, unassigned, ready_for_review,
+            review_requested]
+
+jobs:
+  commit_tags:
+    runs-on: ubuntu-22.04
+    name: Run commit tags checks on patch series (PR)
+    steps:
+    - name: Update PATH for west
+      run: |
+        echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+    - name: Checkout the code
+      uses: actions/checkout@v3
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+        fetch-depth: 0
+
+    - name: Run the commit tags
+      uses: nrfconnect/action-commit-tags@main
+      with:
+        target: .
+        upstream: mcu-tools/mcuboot/main
diff --git a/boot/bootutil/include/bootutil/crypto/ecdsa.h b/boot/bootutil/include/bootutil/crypto/ecdsa.h
@@ -34,6 +34,7 @@
 
 #if (defined(MCUBOOT_USE_TINYCRYPT) + \
      defined(MCUBOOT_USE_CC310) + \
+     defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \
      defined(MCUBOOT_USE_PSA_OR_MBED_TLS)) != 1
     #error "One crypto backend must be defined: either CC310/TINYCRYPT/MBED_TLS/PSA_CRYPTO"
 #endif
@@ -70,12 +71,18 @@
 #include "bootutil/sign_key.h"
 #include "common.h"
 
+#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)
+    #include <bl_crypto.h>
+    #define NUM_ECC_BYTES (256 / 8)
+#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */
+
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 #if (defined(MCUBOOT_USE_TINYCRYPT) || defined(MCUBOOT_USE_MBED_TLS) || \
-     defined(MCUBOOT_USE_CC310)) && !defined(MCUBOOT_USE_PSA_CRYPTO)
+     defined(MCUBOOT_USE_CC310) || defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)) \
+     && !defined(MCUBOOT_USE_PSA_CRYPTO)
 /*
  * Declaring these like this adds NULL termination.
  */
@@ -127,8 +134,6 @@ static int bootutil_import_key(uint8_t **cp, uint8_t *end)
 }
 #endif /* (MCUBOOT_USE_TINYCRYPT || MCUBOOT_USE_MBED_TLS || MCUBOOT_USE_CC310) && !MCUBOOT_USE_PSA_CRYPTO */
 
-#if defined(MCUBOOT_USE_TINYCRYPT)
-#ifndef MCUBOOT_ECDSA_NEED_ASN1_SIG
 /*
  * cp points to ASN1 string containing an integer.
  * Verify the tag, and that the length is 32 bytes. Helper function.
@@ -178,8 +183,8 @@ static int bootutil_decode_sig(uint8_t signature[NUM_ECC_BYTES * 2], uint8_t *cp
     }
     return 0;
 }
-#endif /* not MCUBOOT_ECDSA_NEED_ASN1_SIG */
 
+#if defined(MCUBOOT_USE_TINYCRYPT)
 typedef uintptr_t bootutil_ecdsa_context;
 static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx)
 {
@@ -248,16 +253,20 @@ static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx,
 {
     (void)ctx;
     (void)pk_len;
-    (void)sig_len;
     (void)hash_len;
+    uint8_t dsig[2 * NUM_ECC_BYTES];
+
+    if (bootutil_decode_sig(dsig, sig, sig + sig_len)) {
+        return -1;
+    }
 
     /* Only support uncompressed keys. */
     if (pk[0] != 0x04) {
         return -1;
     }
     pk++;
 
-    return cc310_ecdsa_verify_secp256r1(hash, pk, sig, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE);
+    return cc310_ecdsa_verify_secp256r1(hash, pk, dsig, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE);
 }
 
 static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
@@ -613,6 +622,49 @@ static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
 
 #endif /* MCUBOOT_USE_MBED_TLS */
 
+#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)
+typedef uintptr_t bootutil_ecdsa_context;
+static inline void bootutil_ecdsa_init(bootutil_ecdsa_context *ctx)
+{
+    (void)ctx;
+}
+
+static inline void bootutil_ecdsa_drop(bootutil_ecdsa_context *ctx)
+{
+    (void)ctx;
+}
+
+static inline int bootutil_ecdsa_verify(bootutil_ecdsa_context *ctx,
+                                        uint8_t *pk, size_t pk_len,
+                                        uint8_t *hash, size_t hash_len,
+                                        uint8_t *sig, size_t sig_len)
+{
+    (void)ctx;
+    (void)pk_len;
+    (void)hash_len;
+    uint8_t dsig[2 * NUM_ECC_BYTES];
+
+    if (bootutil_decode_sig(dsig, sig, sig + sig_len)) {
+        return -1;
+    }
+
+    /* Only support uncompressed keys. */
+    if (pk[0] != 0x04) {
+        return -1;
+    }
+    pk++;
+
+    return bl_secp256r1_validate(hash, BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE, pk, dsig);
+}
+
+static inline int bootutil_ecdsa_parse_public_key(bootutil_ecdsa_context *ctx,
+                                                  uint8_t **cp,uint8_t *end)
+{
+    (void)ctx;
+    return bootutil_import_key(cp, end);
+}
+#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/boot/bootutil/include/bootutil/crypto/sha.h b/boot/bootutil/include/bootutil/crypto/sha.h
@@ -30,6 +30,7 @@
 
 #if (defined(MCUBOOT_USE_PSA_OR_MBED_TLS) + \
      defined(MCUBOOT_USE_TINYCRYPT) + \
+     defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO) + \
      defined(MCUBOOT_USE_CC310)) != 1
     #error "One crypto backend must be defined: either CC310/MBED_TLS/TINYCRYPT/PSA_CRYPTO"
 #endif
@@ -270,6 +271,37 @@ static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
 }
 #endif /* MCUBOOT_USE_CC310 */
 
+#if defined(MCUBOOT_USE_NRF_EXTERNAL_CRYPTO)
+
+#include <bl_crypto.h>
+
+typedef bl_sha256_ctx_t bootutil_sha_context;
+
+static inline void bootutil_sha_init(bootutil_sha_context *ctx)
+{
+    bl_sha256_init(ctx);
+}
+
+static inline void bootutil_sha_drop(bootutil_sha_context *ctx)
+{
+    (void)ctx;
+}
+
+static inline int bootutil_sha_update(bootutil_sha_context *ctx,
+                                      const void *data,
+                                      uint32_t data_len)
+{
+    return bl_sha256_update(ctx, data, data_len);
+}
+
+static inline int bootutil_sha_finish(bootutil_sha_context *ctx,
+                                      uint8_t *output)
+{
+    bl_sha256_finalize(ctx, output);
+    return 0;
+}
+#endif /* MCUBOOT_USE_NRF_EXTERNAL_CRYPTO */
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/boot/bootutil/include/bootutil/key_revocation.h b/boot/bootutil/include/bootutil/key_revocation.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#ifndef H_KEY_REVOCATION_
+#define H_KEY_REVOCATION_
+
+#include <inttypes.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define BOOT_KEY_REVOKE_OK 0
+#define BOOT_KEY_REVOKE_NOT_READY 1
+#define BOOT_KEY_REVOKE_INVALID 2
+#define BOOT_KEY_REVOKE_FAILED 2
+
+
+void allow_revoke(void);
+
+int revoke(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/boot/bootutil/include/bootutil/security_cnt.h b/boot/bootutil/include/bootutil/security_cnt.h
@@ -39,6 +39,15 @@ extern "C" {
  */
 fih_ret boot_nv_security_counter_init(void);
 
+/**
+ * Checks if the specified image should have a security counter present on it or not
+ *
+ * @param image_index   Index of the image to check (from 0).
+ *
+ * @return              FIH_SUCCESS if security counter should be present; FIH_FAILURE if otherwise
+ */
+fih_ret boot_nv_image_should_have_security_counter(uint32_t image_index);
+
 /**
  * Reads the stored value of a given image's security counter.
  *

diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c
@@ -43,6 +43,11 @@
 #include "bootutil/enc_key.h"
 #endif
 
+#if defined(MCUBOOT_DECOMPRESS_IMAGES)
+#include <nrf_compress/implementation.h>
+#include <compression/decompression.h>
+#endif
+
 BOOT_LOG_MODULE_DECLARE(mcuboot);
 
 /* Currently only used by imgmgr */
@@ -523,35 +528,76 @@ boot_read_image_size(struct boot_loader_state *state, int slot, uint32_t *size)
     fap = BOOT_IMG_AREA(state, slot);
     assert(fap != NULL);
 
-    off = BOOT_TLV_OFF(boot_img_hdr(state, slot));
+#ifdef MCUBOOT_DECOMPRESS_IMAGES
+    if (MUST_DECOMPRESS(fap, BOOT_CURR_IMG(state), boot_img_hdr(state, slot))) {
+        uint32_t tmp_size = 0;
 
-    if (flash_area_read(fap, off, &info, sizeof(info))) {
-        rc = BOOT_EFLASH;
-        goto done;
-    }
+        rc = bootutil_get_img_decomp_size(boot_img_hdr(state, slot), fap, &tmp_size);
+
+        if (rc) {
+            rc = BOOT_EBADIMAGE;
+            goto done;
+        }
+
+        off = boot_img_hdr(state, slot)->ih_hdr_size + tmp_size;
+
+        rc = boot_size_protected_tlvs(boot_img_hdr(state, slot), fap, &tmp_size);
 
-    protect_tlv_size = boot_img_hdr(state, slot)->ih_protect_tlv_size;
-    if (info.it_magic == IMAGE_TLV_PROT_INFO_MAGIC) {
-        if (protect_tlv_size != info.it_tlv_tot) {
+        if (rc) {
             rc = BOOT_EBADIMAGE;
             goto done;
         }
 
-        if (flash_area_read(fap, off + info.it_tlv_tot, &info, sizeof(info))) {
+        off += tmp_size;
+
+        if (flash_area_read(fap, (BOOT_TLV_OFF(boot_img_hdr(state, slot)) +
+                                  boot_img_hdr(state, slot)->ih_protect_tlv_size), &info,
+                            sizeof(info))) {
             rc = BOOT_EFLASH;
             goto done;
         }
-    } else if (protect_tlv_size != 0) {
-        rc = BOOT_EBADIMAGE;
-        goto done;
-    }
 
-    if (info.it_magic != IMAGE_TLV_INFO_MAGIC) {
-        rc = BOOT_EBADIMAGE;
-        goto done;
+        if (info.it_magic != IMAGE_TLV_INFO_MAGIC) {
+            rc = BOOT_EBADIMAGE;
+            goto done;
+        }
+
+        *size = off + info.it_tlv_tot;
+    } else {
+#else
+    if (1) {
+#endif
+        off = BOOT_TLV_OFF(boot_img_hdr(state, slot));
+
+        if (flash_area_read(fap, off, &info, sizeof(info))) {
+            rc = BOOT_EFLASH;
+            goto done;
+        }
+
+        protect_tlv_size = boot_img_hdr(state, slot)->ih_protect_tlv_size;
+        if (info.it_magic == IMAGE_TLV_PROT_INFO_MAGIC) {
+            if (protect_tlv_size != info.it_tlv_tot) {
+                rc = BOOT_EBADIMAGE;
+                goto done;
+            }
+
+            if (flash_area_read(fap, off + info.it_tlv_tot, &info, sizeof(info))) {
+                rc = BOOT_EFLASH;
+                goto done;
+            }
+        } else if (protect_tlv_size != 0) {
+            rc = BOOT_EBADIMAGE;
+            goto done;
+        }
+
+        if (info.it_magic != IMAGE_TLV_INFO_MAGIC) {
+            rc = BOOT_EBADIMAGE;
+            goto done;
+        }
+
+        *size = off + protect_tlv_size + info.it_tlv_tot;
     }
 
-    *size = off + protect_tlv_size + info.it_tlv_tot;
     rc = 0;
 
 done: