suit: Apply limitations to CAND_* components

Apply the following policies:
 - CAND_MFST may be defined only in Nordic top,
   Application root and recovery manifests.
 - CAND_IMG cannot be defined by Nordic top and Application root
   manifests.

Ref: NCSDK-29237

Signed-off-by: Tomasz Chyrowicz <[email protected]>

Author: tomchy

subsys/suit/mci/src/suit_mci_nrf54h20.c

@@ -423,9 +423,10 @@ mci_err_t suit_mci_memory_access_rights_validate(const suit_manifest_class_id_t
 		return MCI_ERR_NOACCESS;
 
 	case SUIT_MANIFEST_SEC_SDFW:
-		/* Sec manifest - TODO - implement checks based on UICR/SICR
+		/* SDFW & SDFW Recovery manifest - ability to operate on memory ranges intentionally
+		 * blocked.
 		 */
-		return SUIT_PLAT_SUCCESS;
+		return MCI_ERR_NOACCESS;
 
 	case SUIT_MANIFEST_SEC_SYSCTRL:
 		/* Sysctrl manifest - TODO - implement checks based on UICR/SICR

subsys/suit/platform/sdfw/CMakeLists.txt

@@ -38,6 +38,7 @@ zephyr_library_link_libraries_ifdef(CONFIG_SUIT_STREAM suit_stream_sources_inter
 zephyr_library_link_libraries_ifdef(CONFIG_SUIT_SINK_SELECTOR suit_sink_selector_interface)
 zephyr_library_link_libraries_ifdef(CONFIG_SUIT_DEVCONFIG suit_storage_interface)
 zephyr_library_link_libraries_ifdef(CONFIG_SUIT_STORAGE suit_storage_interface)
+zephyr_library_link_libraries_ifdef(CONFIG_SUIT_PLAT_CHECK_COMPONENT_COMPATIBILITY suit_storage_interface)
 zephyr_library_link_libraries_ifdef(CONFIG_SUIT_STREAM_SOURCE_MEMPTR suit_stream_sources_interface)
 zephyr_library_link_libraries_ifdef(CONFIG_SUIT_DEVCONFIG suit_mci)
 zephyr_library_link_libraries_ifdef(CONFIG_SUIT_AUTHENTICATE suit_mci)

subsys/suit/platform/sdfw/src/suit_plat_component_compatibility.c

@@ -7,13 +7,15 @@
 #include <suit_mci.h>
 #include <suit_plat_decode_util.h>
 #include <suit_platform_internal.h>
+#include <suit_storage_mpi.h>
 
 /* -1 indicates no boot capability for given cpu id */
 #define NO_BOOT_CAPABILITY_CPU_ID 255
 
 int suit_plat_component_compatibility_check(const suit_manifest_class_id_t *class_id,
 					    struct zcbor_string *component_id)
 {
+	suit_manifest_role_t role = SUIT_MANIFEST_UNKNOWN;
 	suit_manifest_class_id_t *decoded_class_id;
 	suit_component_type_t type = SUIT_COMPONENT_TYPE_UNSUPPORTED;
 	intptr_t address;
@@ -37,6 +39,10 @@ int suit_plat_component_compatibility_check(const suit_manifest_class_id_t *clas
 		return SUIT_ERR_UNSUPPORTED_COMPONENT_ID;
 	}
 
+	if (suit_storage_mpi_role_get(class_id, &role) != SUIT_PLAT_SUCCESS) {
+		return SUIT_ERR_UNSUPPORTED_COMPONENT_ID;
+	}
+
 	switch (type) {
 	case SUIT_COMPONENT_TYPE_MEM:
 		/* Decode component_id */
@@ -57,6 +63,7 @@ int suit_plat_component_compatibility_check(const suit_manifest_class_id_t *clas
 			return SUIT_ERR_UNAUTHORIZED_COMPONENT;
 		}
 		break;
+
 	case SUIT_COMPONENT_TYPE_SOC_SPEC:
 		if (suit_plat_decode_component_number(component_id, &number) != SUIT_PLAT_SUCCESS) {
 			return SUIT_ERR_DECODING;
@@ -67,12 +74,37 @@ int suit_plat_component_compatibility_check(const suit_manifest_class_id_t *clas
 			return SUIT_ERR_UNAUTHORIZED_COMPONENT;
 		}
 		break;
+
 	case SUIT_COMPONENT_TYPE_CAND_MFST:
+		if (suit_plat_decode_component_number(component_id, &number) != SUIT_PLAT_SUCCESS) {
+			return SUIT_ERR_UNSUPPORTED_COMPONENT_ID;
+		}
+
+		if ((role != SUIT_MANIFEST_SEC_TOP) && (role != SUIT_MANIFEST_APP_ROOT) &&
+		    (role != SUIT_MANIFEST_APP_RECOVERY)) {
+			return SUIT_ERR_UNAUTHORIZED_COMPONENT;
+		}
+		break;
+
 	case SUIT_COMPONENT_TYPE_CAND_IMG:
+		if (suit_plat_decode_component_number(component_id, &number) != SUIT_PLAT_SUCCESS) {
+			return SUIT_ERR_UNSUPPORTED_COMPONENT_ID;
+		}
+
+		if ((role == SUIT_MANIFEST_SEC_TOP) || (role == SUIT_MANIFEST_APP_ROOT)) {
+			return SUIT_ERR_UNAUTHORIZED_COMPONENT;
+		}
+		break;
+
 	case SUIT_COMPONENT_TYPE_CACHE_POOL:
 		if (suit_plat_decode_component_number(component_id, &number) != SUIT_PLAT_SUCCESS) {
 			return SUIT_ERR_UNSUPPORTED_COMPONENT_ID;
 		}
+
+		if ((role == SUIT_MANIFEST_SEC_TOP) || (role == SUIT_MANIFEST_SEC_SDFW) ||
+		    (role == SUIT_MANIFEST_SEC_SYSCTRL) || (role == SUIT_MANIFEST_APP_ROOT)) {
+			return SUIT_ERR_UNAUTHORIZED_COMPONENT;
+		}
 		break;
 
 	case SUIT_COMPONENT_TYPE_INSTLD_MFST:
@@ -90,6 +122,7 @@ int suit_plat_component_compatibility_check(const suit_manifest_class_id_t *clas
 		}
 
 		break;
+
 	default:
 		return SUIT_ERR_UNSUPPORTED_COMPONENT_ID;
 	}

tests/subsys/suit/check_image_match/boards/native_posix.conf

@@ -0,0 +1,8 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+CONFIG_FLASH_SIMULATOR=y
+CONFIG_FLASH_SIMULATOR_DOUBLE_WRITES=y

tests/subsys/suit/check_image_match/boards/native_posix.overlay

@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+&flash0 {
+	partitions {
+		compatible = "fixed-partitions";
+		#address-cells = <1>;
+		#size-cells = <1>;
+
+		/* Use the last 40KB of NVM as suit storage. */
+		suit_storage: partition@f6000 {
+			reg = <0xf6000 DT_SIZE_K(40)>;
+		};
+	};
+};
+
+/ {
+	sram0: memory@20000000 {
+		compatible = "mmio-sram";
+		reg = <0x20000000 DT_SIZE_K(256)>;
+	};
+};

tests/subsys/suit/check_image_match/boards/native_posix_64.conf

@@ -0,0 +1,8 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+CONFIG_FLASH_SIMULATOR=y
+CONFIG_FLASH_SIMULATOR_DOUBLE_WRITES=y

tests/subsys/suit/check_image_match/boards/native_posix_64.overlay

@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+&flash0 {
+	partitions {
+		compatible = "fixed-partitions";
+		#address-cells = <1>;
+		#size-cells = <1>;
+
+		/* Use the last 40KB of NVM as suit storage. */
+		suit_storage: partition@f6000 {
+			reg = <0xf6000 DT_SIZE_K(40)>;
+		};
+	};
+};
+
+/ {
+	sram0: memory@20000000 {
+		compatible = "mmio-sram";
+		reg = <0x20000000 DT_SIZE_K(256)>;
+	};
+};

tests/subsys/suit/check_image_match/boards/nrf52840dk_nrf52840.overlay

@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+&flash0 {
+	partitions {
+		compatible = "fixed-partitions";
+		#address-cells = <1>;
+		#size-cells = <1>;
+
+		/* Use the last 40KB of NVM as suit storage. */
+		suit_storage: partition@f6000 {
+			reg = <0xf6000 DT_SIZE_K(40)>;
+		};
+	};
+};

tests/subsys/suit/check_image_match/prj.conf

@@ -5,6 +5,7 @@
 #
 
 CONFIG_ZTEST=y
+CONFIG_FLASH=y
 
 CONFIG_SUIT=y
 CONFIG_SUIT_PROCESSOR=y
@@ -32,6 +33,7 @@ CONFIG_SUIT_LOG_LEVEL_DBG=y
 
 CONFIG_SUIT_PLAT_CHECK_COMPONENT_COMPATIBILITY=y
 CONFIG_SUIT_AUTHENTICATE=y
+CONFIG_SUIT_STORAGE=y
 CONFIG_SUIT_MCI=y
 CONFIG_SUIT_METADATA=y
 CONFIG_SUIT_EXECUTION_MODE=y

tests/subsys/suit/unit/mocks/include/mock_suit_storage.h

@@ -23,13 +23,18 @@ FAKE_VALUE_FUNC(int, suit_storage_install_envelope, const suit_manifest_class_id
 FAKE_VALUE_FUNC(int, suit_storage_update_cand_get, const suit_plat_mreg_t **, size_t *);
 FAKE_VALUE_FUNC(int, suit_storage_update_cand_set, suit_plat_mreg_t *, size_t);
 
+/* suit_storage_mpi.c */
+FAKE_VALUE_FUNC(int, suit_storage_mpi_role_get, const suit_manifest_class_id_t *,
+		suit_manifest_role_t *);
+
 static inline void mock_suit_storage_reset(void)
 {
 	RESET_FAKE(suit_storage_init);
 	RESET_FAKE(suit_storage_installed_envelope_get);
 	RESET_FAKE(suit_storage_install_envelope);
 	RESET_FAKE(suit_storage_update_cand_get);
 	RESET_FAKE(suit_storage_update_cand_set);
+	RESET_FAKE(suit_storage_mpi_role_get);
 }
 
 #endif /* MOCK_SUIT_STORAGE_H__ */