mgmt: Handle manifest-based states

Add routines to parse and check manifest state.

Signed-off-by: Tomasz Chyrowicz <[email protected]>

Author: tomchy

subsys/mgmt/mcumgr/grp/img_mgmt/src/img_mgmt.c

@@ -31,6 +31,11 @@
 #include <zephyr/dfu/flash_img.h>
 #endif
 
+#ifdef CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES
+#include <bootutil/bootutil_public.h>
+#include <bootutil/mcuboot_manifest.h>
+#endif
+
 #ifdef CONFIG_MCUMGR_MGMT_NOTIFICATION_HOOKS
 #include <zephyr/mgmt/mcumgr/mgmt/callbacks.h>
 #include <mgmt/mcumgr/transport/smp_internal.h>
@@ -191,8 +196,7 @@ static bool img_mgmt_slot_max_size(size_t *area_sizes, zcbor_state_t *zse)
 
 	ARG_UNUSED(area_sizes);
 
-	rc = blinfo_lookup(BLINFO_MAX_APPLICATION_SIZE, &max_app_size, sizeof(max_app_size))
-
+	rc = blinfo_lookup(BLINFO_MAX_APPLICATION_SIZE, &max_app_size, sizeof(max_app_size));
 	if (rc < 0) {
 		LOG_ERR("Failed to lookup max application size: %d", rc);
 	} else if (rc > 0) {
@@ -274,6 +278,114 @@ int img_mgmt_active_image(void)
 	return ACTIVE_IMAGE_IS;
 }
 
+#ifdef CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES
+/**
+ * Checks whether the manifest of the image in the specified slot can be used for booting.
+ *
+ * @param slot  The slot to check the manifest for.
+ *
+ * @return true if the manifest can be used, false otherwise.
+ */
+static bool boot_check_manifest(enum boot_slot slot)
+{
+	struct image_header hdr;
+	struct image_tlv tlv;
+	size_t data_off;
+	size_t data_end;
+	bool manifest_found;
+	uint8_t erased_val;
+	uint32_t erased_val_32;
+	struct mcuboot_manifest tmp_manifest;
+	uint8_t hash[IMAGE_HASH_SIZE];
+	int rc;
+	int image_slot = CONFIG_NCS_MCUBOOT_MANIFEST_IMAGE_NUMBER * BOOT_SLOT_COUNT + slot;
+
+	rc = img_mgmt_erased_val(image_slot, &erased_val);
+	if (rc != 0) {
+		return false;
+	}
+
+	rc = img_mgmt_read(image_slot,
+			   boot_get_image_start_offset(img_mgmt_flash_area_id(image_slot)),
+			   &hdr, sizeof(hdr));
+	if (rc != 0) {
+		return false;
+	}
+
+	erased_val_32 = ERASED_VAL_32(erased_val);
+	if (hdr.ih_magic == IMAGE_MAGIC) {
+		/* Valid header */
+	} else if (hdr.ih_magic == erased_val_32) {
+		return false;
+	} else {
+		return false;
+	}
+
+	/* Read the image's TLVs. We try to find manifest only inside the protected TLVs.
+	 * If the manifest is missing, the image is considered invalid.
+	 */
+	data_off = hdr.ih_hdr_size + hdr.ih_img_size +
+		   boot_get_image_start_offset(img_mgmt_flash_area_id(image_slot));
+
+	rc = img_mgmt_find_tlvs(image_slot, &data_off, &data_end, IMAGE_TLV_PROT_INFO_MAGIC);
+	if (rc != 0) {
+		return IMG_MGMT_ERR_NO_TLVS;
+	}
+
+	manifest_found = false;
+	while (data_off + sizeof(tlv) <= data_end) {
+		rc = img_mgmt_read(image_slot, data_off, &tlv, sizeof(tlv));
+		if (rc != 0) {
+			return false;
+		}
+		if (tlv.it_type == 0xff && tlv.it_len == 0xffff) {
+			return false;
+		}
+		if ((tlv.it_type != IMAGE_TLV_MANIFEST) || (tlv.it_len != sizeof(struct mcuboot_manifest))) {
+			/* Non-manifest TLV. Skip it. */
+			data_off += sizeof(tlv) + tlv.it_len;
+			continue;
+		}
+
+		if (manifest_found) {
+			/* More than one manifest. */
+			return false;
+		}
+		manifest_found = true;
+
+		data_off += sizeof(tlv);
+		if (data_off + sizeof(struct mcuboot_manifest) > data_end) {
+			return false;
+		}
+		rc = img_mgmt_read(image_slot, data_off, &tmp_manifest, sizeof(struct mcuboot_manifest));
+		if (rc != 0) {
+			return false;
+		}
+	}
+
+	if (!manifest_found) {
+		return false;
+	}
+
+	for (size_t i = 0; i < BOOT_IMAGE_NUMBER; i++) {
+		if (CONFIG_NCS_MCUBOOT_MANIFEST_IMAGE_NUMBER == i) {
+			continue;
+		}
+
+		rc = img_mgmt_read_info(i * BOOT_SLOT_COUNT + slot, NULL, hash, NULL);
+		if ((rc == 0) && bootutil_verify_manifest_image_hash(&tmp_manifest, hash, i)) {
+			/* Hash matches */
+			continue;
+		}
+
+		LOG_ERR("Manifest hash does not match image %d hash", i);
+		return false;
+	}
+
+	return true;
+}
+#endif /* CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES */
+
 /*
  * Reads the version and build hash from the specified image slot.
  */
@@ -317,6 +429,12 @@ int img_mgmt_read_info(int image_slot, struct image_version *ver, uint8_t *hash,
 
 	if (flags != NULL) {
 		*flags = hdr.ih_flags;
+#ifdef CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES
+		/* Mark slot as unbootable if manifest is not satisfied. */
+		if (!boot_check_manifest(image_slot % SLOTS_PER_IMAGE)) {
+			*flags |= IMAGE_F_NON_BOOTABLE;
+		}
+#endif
 	}
 
 	/* Read the image's TLVs. We first try to find the protected TLVs, if the protected

subsys/mgmt/mcumgr/grp/img_mgmt/src/img_mgmt_state.c

@@ -131,6 +131,18 @@ img_mgmt_state_flags(int query_slot)
 	int image = query_slot / 2;	/* We support max 2 images for now */
 	int active_slot = img_mgmt_active_slot(image);
 
+#ifdef CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES
+	/* If manifest-based updates are used, only the manifest image is considered. */
+	image = CONFIG_NCS_MCUBOOT_MANIFEST_IMAGE_NUMBER;
+	if (query_slot == active_slot) {
+		active_slot = img_mgmt_active_slot(image);
+		query_slot = active_slot;
+	} else {
+		active_slot = img_mgmt_active_slot(image);
+		query_slot = img_mgmt_get_opposite_slot(active_slot);
+	}
+#endif /* CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES */
+
 	/* In case when MCUboot is configured for FW loader/updater mode, slots
 	 * can be either active or non-active. There is no concept of pending
 	 * or confirmed slots.
@@ -258,18 +270,23 @@ int img_mgmt_get_next_boot_slot(int image, enum img_mgmt_next_boot_type *type)
 {
 	struct image_version aver;
 	struct image_version over;
-	int active_slot = img_mgmt_active_slot(image);
-	int other_slot = img_mgmt_get_opposite_slot(active_slot);
 #if defined(CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT)
 	int active_slot_state;
 	int other_slot_state;
 #endif /* defined(CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT) */
 	enum img_mgmt_next_boot_type lt = NEXT_BOOT_TYPE_NORMAL;
-	int return_slot = active_slot;
 
+#ifdef CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES
+	/* If manifest-based updates are used, only the manifest image is considered. */
+	int query_image = image;
+	image = CONFIG_NCS_MCUBOOT_MANIFEST_IMAGE_NUMBER;
+#endif /* CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES */
 
+	int active_slot = img_mgmt_active_slot(image);
+	int other_slot = img_mgmt_get_opposite_slot(active_slot);
 	int rcs = img_mgmt_read_info(other_slot, &over, NULL, NULL);
 	int rca = img_mgmt_read_info(active_slot, &aver, NULL, NULL);
+	int return_slot = active_slot;
 
 #if defined(CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT)
 	active_slot_state = read_directxip_state(active_slot);
@@ -364,6 +381,14 @@ int img_mgmt_get_next_boot_slot(int image, enum img_mgmt_next_boot_type *type)
 		*type = lt;
 	}
 
+#ifdef CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES
+	if (return_slot != active_slot) {
+		return_slot = img_mgmt_get_opposite_slot(img_mgmt_active_slot(query_image));
+	} else {
+		return_slot = img_mgmt_active_slot(query_image);
+	}
+#endif /* CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES */
+
 	return return_slot;
 }
 #endif /* defined(CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP) || \