Fixed security counter overflow detected to late

boot/bootutil/include/bootutil/security_cnt.h

@@ -72,6 +72,19 @@ fih_ret boot_nv_security_counter_get(uint32_t image_id, fih_int *security_cnt);
 int32_t boot_nv_security_counter_update(uint32_t image_id,
                                         uint32_t img_security_cnt);
 
+/**
+ * This function verifies whether the security counter update to a given value is possible.
+ * The update might not be possible if the maximum amount of security counter updates
+ * was reached.
+ *
+ * @param image_id          Index of the image (from 0).
+ * @param img_security_cnt  New security counter value.
+ *
+ * @return                  FIH_SUCCESS if update is possible; FIH_FAILURE otherwise
+ */
+fih_ret boot_nv_security_counter_is_update_possible(uint32_t image_id,
+                                                    uint32_t img_security_cnt);
+
 #ifdef __cplusplus
 }
 #endif

boot/bootutil/src/image_validate.c

@@ -839,6 +839,19 @@ bootutil_img_validate(struct boot_loader_state *state,
                 goto out;
             }
 
+#ifdef MCUBOOT_HW_ROLLBACK_PROT_COUNTER_LIMITED
+            if (img_security_cnt > (uint32_t)fih_int_decode(security_cnt)) {
+                FIH_CALL(boot_nv_security_counter_is_update_possible, fih_rc, image_index,
+                         img_security_cnt);
+                if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+                    FIH_SET(fih_rc, FIH_FAILURE);
+                    BOOT_LOG_ERR("Security counter update is not possible, possibly the maximum "
+                                 "number of security updates has been reached.");
+                    goto out;
+                }
+            }
+#endif
+
             /* The image's security counter has been successfully verified. */
             security_counter_valid = fih_rc;
 skip_security_counter_read:

boot/zephyr/Kconfig

@@ -1076,6 +1076,18 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION
 	  Because of the acceptance of equal values it allows for software
 	  downgrade to some extent.
 
+config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_LIMITED
+	bool "HW based downgrade prevention counter has limited number of updates"
+	depends on MCUBOOT_HW_DOWNGRADE_PREVENTION
+	default y if SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX
+	help
+	  When this option is set, the hardware downgrade prevention counter
+	  has limited number of updates. This option will enable checking
+	  if it is possible to update the counter before performing
+	  the upgrade. If an update package contains a security counter
+	  value as a TLV but it is not possible to update the counter,
+	  the update will be rejected.
+
 endchoice
 
 config BOOT_WATCHDOG_FEED

boot/zephyr/include/mcuboot_config/mcuboot_config.h

@@ -209,6 +209,10 @@
 #define MCUBOOT_HW_ROLLBACK_PROT
 #endif
 
+#ifdef CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_LIMITED
+#define MCUBOOT_HW_ROLLBACK_PROT_COUNTER_LIMITED
+#endif
+
 #ifdef CONFIG_MEASURED_BOOT
 #define MCUBOOT_MEASURED_BOOT
 #endif