suit: orchestrate nordic top install from root

ahasztag · tomchy · commit cb968d1edcc1 · 2025-03-28T16:46:13.000+01:00
Add a possibility to block nordic_top updates in case
they should only be orchestrated from the root manifest.

Signed-off-by: Artur Hadasz &lt;artur.hadasz@nordicsemi.no&gt;
diff --git a/subsys/mgmt/suitfu/Kconfig b/subsys/mgmt/suitfu/Kconfig
@@ -15,6 +15,10 @@ menuconfig MGMT_SUITFU
 
 if MGMT_SUITFU
 
+config MGMT_SUITFU_WORKER_STACK_SIZE
+	int "Stack size for the MGMT SUITFU worker thread"
+	default 4096
+
 config MGMT_SUITFU_INITIALIZE_SUIT
 	bool "Initialize the SUIT DFU library on startup"
 	default y
diff --git a/subsys/mgmt/suitfu/src/suitfu_mgmt.c b/subsys/mgmt/suitfu/src/suitfu_mgmt.c
@@ -22,9 +22,7 @@
 
 LOG_MODULE_REGISTER(suitfu_mgmt, CONFIG_MGMT_SUITFU_LOG_LEVEL);
 
-#define SYSTEM_UPDATE_WORKER_STACK_SIZE 2048
-
-static K_THREAD_STACK_DEFINE(system_update_stack_area, SYSTEM_UPDATE_WORKER_STACK_SIZE);
+static K_THREAD_STACK_DEFINE(system_update_stack_area, CONFIG_MGMT_SUITFU_WORKER_STACK_SIZE);
 
 struct system_update_work {
 	struct k_work_delayable work;
diff --git a/subsys/suit/orchestrator_app/Kconfig b/subsys/suit/orchestrator_app/Kconfig
@@ -19,4 +19,9 @@ config SUIT_CLEANUP_ON_INIT
 	depends on SUIT_ORCHESTRATOR_APP_CANDIDATE_PROCESSING
 	default y
 
+config SUIT_NORDIC_TOP_INDEPENDENT_UPDATE_FORBIDDEN
+	bool "Disallow independent update of the Nordic Top envelope (not as part of the root envelope)"
+	depends on SUIT_ORCHESTRATOR_APP_CANDIDATE_PROCESSING
+	depends on SUIT_PROCESSOR
+
 endif # SUIT_ORCHESTRATOR_APP
diff --git a/subsys/suit/orchestrator_app/src/suit_orchestrator_app.c b/subsys/suit/orchestrator_app/src/suit_orchestrator_app.c
@@ -19,6 +19,7 @@
 #include <sdfw/sdfw_services/suit_service.h>
 #include <suit_envelope_info.h>
 #include <suit_plat_mem_util.h>
+#include <suit_plat_decode_util.h>
 #if CONFIG_SUIT_CACHE_RW
 #include <suit_dfu_cache_rw.h>
 #endif
@@ -64,6 +65,40 @@ static int dfu_partition_erase(void)
 
 #endif /* CONFIG_SUIT_ORCHESTRATOR_APP_CANDIDATE_PROCESSING */
 
+#if CONFIG_SUIT_NORDIC_TOP_INDEPENDENT_UPDATE_FORBIDDEN
+static int nordic_top_disallowed_check(uint8_t *candidate_envelope_address,
+				       size_t candidate_envelope_size)
+{
+	int err = 0;
+	struct zcbor_string manifest_component_id = {
+		.value = NULL,
+		.len = 0,
+	};
+	suit_manifest_class_id_t *candidate_class_id = NULL;
+	suit_ssf_manifest_class_info_t nordic_top_class_info;
+
+	err = suit_processor_get_manifest_metadata(
+		candidate_envelope_address, candidate_envelope_size, false, &manifest_component_id,
+		NULL, NULL, NULL, NULL, NULL);
+
+	if (suit_plat_decode_manifest_class_id(&manifest_component_id, &candidate_class_id) !=
+	    SUIT_PLAT_SUCCESS) {
+		LOG_ERR("Component ID of candidate is not a manifest class");
+		return SUIT_ERR_UNSUPPORTED_COMPONENT_ID;
+	}
+
+	suit_get_supported_manifest_info(SUIT_MANIFEST_SEC_TOP, &nordic_top_class_info);
+
+	if (suit_metadata_uuid_compare(candidate_class_id, &nordic_top_class_info.class_id) ==
+	    SUIT_PLAT_SUCCESS) {
+		LOG_ERR("Nordic top manifest class ID is not allowed in the update candidate");
+		return -EACCES;
+	}
+
+	return 0;
+}
+#endif /* CONFIG_SUIT_NORDIC_TOP_INDEPENDENT_UPDATE_FORBIDDEN */
+
 int suit_dfu_initialize(void)
 {
 	LOG_DBG("Enter");
@@ -182,6 +217,14 @@ int suit_dfu_candidate_preprocess(void)
 	LOG_INF("Update candidate envelope detected, addr: %p, size %d bytes",
 		(void *)candidate_envelope_address, candidate_envelope_size);
 
+#if CONFIG_SUIT_NORDIC_TOP_INDEPENDENT_UPDATE_FORBIDDEN
+	err = nordic_top_disallowed_check(candidate_envelope_address, candidate_envelope_size);
+
+	if (err != 0) {
+		return err;
+	}
+#endif /* CONFIG_SUIT_NORDIC_TOP_INDEPENDENT_UPDATE_FORBIDDEN */
+
 	err = suit_process_sequence(candidate_envelope_address, candidate_envelope_size,
 				    SUIT_SEQ_DEP_RESOLUTION);
 	if (err == SUIT_SUCCESS) {
