mcuboot: Add hook for manifest-based boot

Add a bootloader hook that implements manifest-based boot logic.

Signed-off-by: Tomasz Chyrowicz <[email protected]>

Author: tomchy

modules/mcuboot/boot/zephyr/Kconfig

@@ -172,3 +172,11 @@ config FIND_NEXT_SLOT_HOOK_BOOT_REQ
 	help
 	  This will read the image preference from the bootloader requests
 	  module and if found, alter the Direct XIP slot selection.
+
+config NRF_MCUBOOT_LOAD_AND_VALIDATE_MANIFEST_IMAGES
+	bool "Enable load_and_validate_images hook that uses manifest to boot images"
+	default y if MCUBOOT_MANIFEST_UPDATES
+	depends on LOAD_AND_VALIDATE_IMAGES_HOOKS
+	help
+	  This will enable a hook that validates images based on the manifest
+	  information. This is required when using manifest updates.

modules/mcuboot/hooks/CMakeLists.txt

@@ -12,10 +12,14 @@ if(CONFIG_BOOT_IMAGE_ACCESS_HOOKS)
   endif()
 endif()
 
-if(CONFIG_FIND_NEXT_SLOT_HOOKS)
+if(CONFIG_FIND_NEXT_SLOT_HOOK_BOOT_REQ OR CONFIG_NRF_MCUBOOT_LOAD_AND_VALIDATE_MANIFEST_IMAGES)
+  zephyr_library()
+  zephyr_library_link_libraries(MCUBOOT_BOOTUTIL)
+
   if(CONFIG_FIND_NEXT_SLOT_HOOK_BOOT_REQ)
-    zephyr_library()
     zephyr_library_sources(hooks_find_next_slot.c)
-    zephyr_library_link_libraries(MCUBOOT_BOOTUTIL)
+  endif()
+  if(CONFIG_NRF_MCUBOOT_LOAD_AND_VALIDATE_MANIFEST_IMAGES)
+    zephyr_library_sources(hooks_load_and_validate_images.c)
   endif()
 endif()

modules/mcuboot/hooks/hooks_load_and_validate_images.c

@@ -0,0 +1,334 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Copyright (c) 2016-2020 Linaro LTD
+ * Copyright (c) 2016-2019 JUUL Labs
+ * Copyright (c) 2019-2023 Arm Limited
+ * Copyright (c) 2024-2025 Nordic Semiconductor ASA
+ *
+ * Original license:
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * This file provides an interface to the manifest-based boot loader.
+ * Functions defined in this file should only be called while the boot loader is
+ * running.
+ */
+
+#include <stdbool.h>
+#include <../../bootutil/src/bootutil_priv.h>
+#include "bootutil/bootutil_log.h"
+#include "bootutil/fault_injection_hardening.h"
+#include "bootutil/ramload.h"
+#include "bootutil/boot_hooks.h"
+#include "bootutil/mcuboot_manifest.h"
+
+BOOT_LOG_MODULE_DECLARE(mcuboot);
+
+#if defined(MCUBOOT_DIRECT_XIP)
+/**
+ * Check if image in slot has been set with specific ROM address to run from
+ * and whether the slot starts at that address.
+ *
+ * @returns 0 if IMAGE_F_ROM_FIXED flag is not set;
+ *          0 if IMAGE_F_ROM_FIXED flag is set and ROM address specified in
+ *            header matches the slot address;
+ *          1 if IMF_F_ROM_FIXED flag is set but ROM address specified in header
+ *          does not match the slot address.
+ */
+static bool boot_rom_address_check(struct boot_loader_state *state)
+{
+	uint32_t active_slot;
+	const struct image_header *hdr;
+	uint32_t f_off;
+
+	active_slot = state->slot_usage[BOOT_CURR_IMG(state)].active_slot;
+	hdr = boot_img_hdr(state, active_slot);
+	f_off = boot_img_slot_off(state, active_slot);
+
+	if (hdr->ih_flags & IMAGE_F_ROM_FIXED && hdr->ih_load_addr != f_off) {
+		BOOT_LOG_WRN("Image in %s slot at 0x%x has been built for offset 0x%x"
+			     ", skipping",
+			     active_slot == 0 ? "primary" : "secondary", f_off, hdr->ih_load_addr);
+
+		/* The image is not bootable from this slot. */
+		return 1;
+	}
+
+	return 0;
+}
+#endif
+
+/**
+ * Finds the slot containing the image with the highest version number for the
+ * current image.
+ *
+ * @param  state        Boot loader status information.
+ *
+ * @return              BOOT_SLOT_NONE if no available slot found, number of
+ *                      the found slot otherwise.
+ */
+static uint32_t find_slot_with_highest_version(struct boot_loader_state *state)
+{
+	uint32_t slot;
+	uint32_t candidate_slot = BOOT_SLOT_NONE;
+	int rc;
+
+	for (slot = 0; slot < BOOT_NUM_SLOTS; slot++) {
+		if (state->slot_usage[BOOT_CURR_IMG(state)].slot_available[slot]) {
+			if (candidate_slot == BOOT_SLOT_NONE) {
+				candidate_slot = slot;
+			} else {
+				rc = boot_version_cmp(&boot_img_hdr(state, slot)->ih_ver,
+						      &boot_img_hdr(state, candidate_slot)->ih_ver);
+				if (rc == 1) {
+					/* The version of the image being examined is greater than
+					 * the version of the current candidate.
+					 */
+					candidate_slot = slot;
+				}
+			}
+		}
+	}
+
+	return candidate_slot;
+}
+
+#if (defined(MCUBOOT_DIRECT_XIP) && defined(MCUBOOT_DIRECT_XIP_REVERT)) ||                         \
+	(defined(MCUBOOT_RAM_LOAD) && defined(MCUBOOT_RAM_LOAD_REVERT))
+/**
+ * Checks whether the active slot of the current image was previously selected
+ * to run. Erases the image if it was selected but its execution failed,
+ * otherwise marks it as selected if it has not been before.
+ *
+ * @param  state        Boot loader status information.
+ *
+ * @return              0 on success; nonzero on failure.
+ */
+static int boot_select_or_erase(struct boot_loader_state *state)
+{
+	const struct flash_area *fap = NULL;
+	int rc;
+	uint32_t active_slot;
+	struct boot_swap_state *active_swap_state;
+
+	active_slot = state->slot_usage[BOOT_CURR_IMG(state)].active_slot;
+
+	fap = BOOT_IMG_AREA(state, active_slot);
+	assert(fap != NULL);
+
+	active_swap_state = &(state->slot_usage[BOOT_CURR_IMG(state)].swap_state);
+
+	memset(active_swap_state, 0, sizeof(struct boot_swap_state));
+	rc = boot_read_swap_state(fap, active_swap_state);
+	assert(rc == 0);
+
+	if (active_swap_state->magic != BOOT_MAGIC_GOOD ||
+	    (active_swap_state->copy_done == BOOT_FLAG_SET &&
+	     active_swap_state->image_ok != BOOT_FLAG_SET)) {
+		/*
+		 * A reboot happened without the image being confirmed at
+		 * runtime or its trailer is corrupted/invalid. Erase the image
+		 * to prevent it from being selected again on the next reboot.
+		 */
+		BOOT_LOG_DBG("Erasing faulty image in the %s slot.",
+			     (active_slot == BOOT_SLOT_PRIMARY) ? "primary" : "secondary");
+		rc = boot_scramble_slot(fap, active_slot);
+		assert(rc == 0);
+		rc = -1;
+	} else {
+		if (active_swap_state->copy_done != BOOT_FLAG_SET) {
+			if (active_swap_state->copy_done == BOOT_FLAG_BAD) {
+				BOOT_LOG_DBG("The copy_done flag had an unexpected value. Its "
+					     "value was neither 'set' nor 'unset', but 'bad'.");
+			}
+			/*
+			 * Set the copy_done flag, indicating that the image has been
+			 * selected to boot. It can be set in advance, before even
+			 * validating the image, because in case the validation fails, the
+			 * entire image slot will be erased (including the trailer).
+			 */
+			rc = boot_write_copy_done(fap);
+			if (rc != 0) {
+				BOOT_LOG_WRN("Failed to set copy_done flag of the image in "
+					     "the %s slot.",
+					     (active_slot == BOOT_SLOT_PRIMARY) ? "primary"
+										: "secondary");
+				rc = 0;
+			}
+		}
+	}
+
+	return rc;
+}
+#endif /* MCUBOOT_DIRECT_XIP && MCUBOOT_DIRECT_XIP_REVERT ||                                       \
+	  MCUBOOT_RAM_LOAD && MCUBOOT_RAM_LOAD_REVERT */
+
+/**
+ * Tries to load and validate a single slot.
+ *
+ * @param  state        Boot loader status information.
+ *
+ * @return              0 on success; nonzero on failure.
+ */
+static fih_ret boot_load_and_validate_current_image(struct boot_loader_state *state)
+{
+	int rc;
+	fih_ret fih_rc;
+	uint32_t active_slot = state->slot_usage[BOOT_CURR_IMG(state)].active_slot;
+
+	if (active_slot == BOOT_SLOT_NONE) {
+		FIH_RET(FIH_FAILURE);
+	}
+
+    BOOT_LOG_INF("Loading image %d from slot %d", BOOT_CURR_IMG(state), active_slot);
+
+#ifdef MCUBOOT_DIRECT_XIP
+	rc = boot_rom_address_check(state);
+	if (rc != 0) {
+		FIH_RET(FIH_FAILURE);
+	}
+#endif /* MCUBOOT_DIRECT_XIP */
+
+#if defined(MCUBOOT_DIRECT_XIP_REVERT) || defined(MCUBOOT_RAM_LOAD_REVERT)
+	rc = boot_select_or_erase(state);
+	if (rc != 0) {
+		FIH_RET(FIH_FAILURE);
+	}
+#endif /* MCUBOOT_DIRECT_XIP_REVERT || MCUBOOT_RAM_LOAD_REVERT */
+
+#ifdef MCUBOOT_RAM_LOAD
+	/* Image is first loaded to RAM and authenticated there in order to
+	 * prevent TOCTOU attack during image copy. This could be applied
+	 * when loading images from external (untrusted) flash to internal
+	 * (trusted) RAM and image is authenticated before copying.
+	 */
+	rc = boot_load_image_to_sram(state);
+	if (rc != 0) {
+		/* Image cannot be ramloaded. */
+		boot_remove_image_from_flash(state, active_slot);
+		FIH_RET(FIH_FAILURE);
+	}
+#endif /* MCUBOOT_RAM_LOAD */
+
+	FIH_CALL(boot_validate_slot, fih_rc, state, active_slot, NULL, 0);
+	if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+		/* Image is invalid. */
+#ifdef MCUBOOT_RAM_LOAD
+		boot_remove_image_from_sram(state);
+#endif /* MCUBOOT_RAM_LOAD */
+		FIH_RET(FIH_FAILURE);
+	}
+
+	FIH_RET(FIH_SUCCESS);
+}
+
+/**
+ * Tries to load a slot for all the images with validation.
+ *
+ * @param  state        Boot loader status information.
+ *
+ * @return              0 on success; nonzero on failure.
+ */
+fih_ret boot_load_and_validate_images_hook(struct boot_loader_state *state)
+{
+	uint32_t active_slot;
+	int rc;
+	fih_ret fih_rc;
+
+	while (true) {
+#if (BOOT_IMAGE_NUMBER > 1)
+		BOOT_CURR_IMG(state) = MCUBOOT_MANIFEST_IMAGE_NUMBER;
+#endif
+		rc = BOOT_HOOK_FIND_SLOT_CALL(boot_find_next_slot_hook, BOOT_HOOK_REGULAR, state,
+					      BOOT_CURR_IMG(state), &active_slot);
+		if (rc == BOOT_HOOK_REGULAR) {
+			active_slot = find_slot_with_highest_version(state);
+		}
+		if (active_slot == BOOT_SLOT_NONE) {
+			BOOT_LOG_INF("No more manifest slots available");
+			FIH_RET(FIH_FAILURE);
+		}
+
+		/* Save the number of the active manifest slot. */
+		state->slot_usage[BOOT_CURR_IMG(state)].active_slot = active_slot;
+
+		FIH_CALL(boot_load_and_validate_current_image, fih_rc, state);
+		if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+			state->slot_usage[MCUBOOT_MANIFEST_IMAGE_NUMBER]
+				.slot_available[active_slot] = false;
+			state->slot_usage[MCUBOOT_MANIFEST_IMAGE_NUMBER].active_slot =
+				BOOT_SLOT_NONE;
+			BOOT_LOG_INF("No valid manifest in slot %d", active_slot);
+			continue;
+		}
+
+		BOOT_LOG_INF("Try to validate images using manifest in slot %d", active_slot);
+
+#if BOOT_IMAGE_NUMBER > 1
+		/* Go over all other images and try to load one */
+		IMAGES_ITER(BOOT_CURR_IMG(state))
+		{
+			/* Skip the image with manifest - it's been already verified. */
+			if (BOOT_CURR_IMG(state) == MCUBOOT_MANIFEST_IMAGE_NUMBER) {
+				continue;
+			}
+
+			/* Check if there is a matching slot available. */
+			if (!state->slot_usage[BOOT_CURR_IMG(state)].slot_available[active_slot]) {
+				/* Invalidate manifest */
+				FIH_SET(fih_rc, FIH_FAILURE);
+				break;
+			}
+
+			/* Save the number of the active slot. */
+			state->slot_usage[BOOT_CURR_IMG(state)].active_slot = active_slot;
+
+			FIH_CALL(boot_load_and_validate_current_image, fih_rc, state);
+			if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+				state->slot_usage[BOOT_CURR_IMG(state)]
+					.slot_available[active_slot] = false;
+				state->slot_usage[BOOT_CURR_IMG(state)].active_slot =
+					BOOT_SLOT_NONE;
+				/* Invalidate manifest */
+				break;
+			}
+		}
+#endif
+
+		if (FIH_EQ(fih_rc, FIH_SUCCESS)) {
+			/* All images have been loaded and validated successfully. */
+			break;
+		}
+
+		BOOT_LOG_DBG("Manifest in slot %d is invalid", active_slot);
+
+		/* Invalidate manifest */
+		state->slot_usage[MCUBOOT_MANIFEST_IMAGE_NUMBER].slot_available[active_slot] =
+			false;
+		state->slot_usage[MCUBOOT_MANIFEST_IMAGE_NUMBER].active_slot = BOOT_SLOT_NONE;
+#ifdef MCUBOOT_RAM_LOAD
+		BOOT_CURR_IMG(state) = MCUBOOT_MANIFEST_IMAGE_NUMBER;
+		boot_remove_image_from_sram(state);
+#endif /* MCUBOOT_RAM_LOAD */
+	}
+
+	FIH_RET(FIH_SUCCESS);
+}

west.yml

@@ -128,7 +128,7 @@ manifest:
           compare-by-default: true
     - name: mcuboot
       repo-path: sdk-mcuboot
-      revision: 6256d9f6df644231fd196c94a5a92f23c1ad24d4
+      revision: pull/551/head
       path: bootloader/mcuboot
     - name: qcbor
       url: https://github.com/laurencelundblade/QCBOR