Merge pull request #466 from danielinux/delta_base_version_fix

Bugfix: delta update not rejecting wrong base_version

Author: dgarske

.github/workflows/test-powerfail-simulator.yml

@@ -203,6 +203,13 @@ jobs:
         run: |
           tools/scripts/sim-update-powerfail-resume.sh
 
+      - name: Rebuild with wrong delta base version
+        run: |
+          make clean && make test-sim-internal-flash-with-wrong-delta-update
+
+      - name: Run negative update test with wrong base version (DELTA)
+        run: |
+          tools/scripts/sim-delta-wrongversion-update.sh
 
      # TEST with encryption (aes128)
       - name: make clean

src/update_flash.c

@@ -215,6 +215,7 @@ static int wolfBoot_delta_update(struct wolfBoot_image *boot,
     uint32_t *img_size;
     uint32_t total_size;
     WB_PATCH_CTX ctx;
+    uint32_t cur_v, upd_v, delta_base_v;
 #ifdef EXT_ENCRYPTED
     uint8_t key[ENCRYPT_KEY_SIZE];
     uint8_t nonce[ENCRYPT_NONCE_SIZE];
@@ -237,20 +238,24 @@ static int wolfBoot_delta_update(struct wolfBoot_image *boot,
     if (wolfBoot_get_delta_info(PART_UPDATE, inverse, &img_offset, &img_size) < 0) {
         return -1;
     }
+    cur_v = wolfBoot_current_firmware_version();
+    upd_v = wolfBoot_update_firmware_version();
+    delta_base_v = wolfBoot_get_diffbase_version(PART_UPDATE);
     if (inverse) {
-        uint32_t cur_v, upd_v, delta_base_v;
-        cur_v = wolfBoot_current_firmware_version();
-        upd_v = wolfBoot_update_firmware_version();
-        delta_base_v = wolfBoot_get_diffbase_version(PART_UPDATE);
         if (((cur_v == upd_v) && (delta_base_v < cur_v)) || resume_inverse) {
             ret = wb_patch_init(&ctx, boot->hdr, boot->fw_size +
                     IMAGE_HEADER_SIZE, update->hdr + *img_offset, *img_size);
         } else {
             ret = -1;
         }
     } else {
-        ret = wb_patch_init(&ctx, boot->hdr, boot->fw_size + IMAGE_HEADER_SIZE,
-                update->hdr + IMAGE_HEADER_SIZE, *img_size);
+        if (!resume_inverse && (cur_v != delta_base_v)) {
+            /* Wrong base image, cannot apply delta patch */
+            ret = -1;
+        } else {
+            ret = wb_patch_init(&ctx, boot->hdr, boot->fw_size + IMAGE_HEADER_SIZE,
+                    update->hdr + IMAGE_HEADER_SIZE, *img_size);
+        }
     }
     if (ret < 0)
         goto out;
@@ -459,10 +464,7 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
         if (flag != SECT_FLAG_NEW &&
             wolfBoot_get_partition_state(PART_UPDATE, &st) == 0 &&
             st == IMG_STATE_UPDATING) {
-            if (cur_v == up_v) {
-                inverse = 0;
-            }
-            else if (cur_v < up_v) {
+            if ((cur_v == 0) || (cur_v == up_v)) {
                 inverse = 1;
                 inverse_resume = 1;
             }

tools/scripts/sim-delta-wrongversion-update.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+V=`./wolfboot.elf update_trigger get_version 2>/dev/null`
+if [ "x$V" != "x1" ]; then
+    echo "Failed first boot with update_trigger"
+    exit 1
+fi
+
+# First boot: attempt update, should be rejected
+V=`./wolfboot.elf success get_version 2>/dev/null`
+if [ "x$V" != "x1" ]; then
+    echo "Error: Delta update with wrong image reported as successful."
+    exit 1
+fi
+
+# Second boot to verify system is alive
+V=`./wolfboot.elf success get_version 2>/dev/null`
+if [ "x$V" != "x1" ]; then
+    echo "Error: System is possibly unrecoverable"
+    exit 1
+fi
+echo "Update successfully rejected (V: $V)"
+
+echo Test successful.
+exit 0
+
+

tools/scripts/sim-update-powerfail-resume.sh

@@ -38,8 +38,13 @@ if [ "x$V" != "x1" ]; then
 fi
 
 if [ "x$V" != "x1" ]; then
-    echo "Failed fallback (V: $V)"
-    exit 1
+    echo "Did not fallback (V: $V)"
+    echo "Retrying get_version after reboot..."
+    V=`./wolfboot.elf get_version 2>/dev/null`
+    if [ "x$V" != "x1" ]; then
+        echo "Error: failed fallback (V: $V)"
+        exit 1
+    fi
 fi
 
 echo Test successful.

tools/test.mk

@@ -237,6 +237,15 @@ test-sim-internal-flash-with-delta-update:
 		$$(($(WOLFBOOT_PARTITION_UPDATE_ADDRESS)-$(ARCH_FLASH_OFFSET))) test-app/image_v$(TEST_UPDATE_VERSION)_signed_diff.bin \
 		$$(($(WOLFBOOT_PARTITION_SWAP_ADDRESS)-$(ARCH_FLASH_OFFSET))) erased_sec.dd
 
+test-sim-internal-flash-with-wrong-delta-update:
+	make test-sim-internal-flash-with-update DELTA_UPDATE_OPTIONS="--delta test-app/image_v1_signed.bin"
+	make test-sim-internal-flash-with-update DELTA_UPDATE_OPTIONS="--delta test-app/image_v2_signed.bin" TEST_UPDATE_VERSION=3
+	$(Q)$(BINASSEMBLE) internal_flash.dd \
+		0 wolfboot.bin \
+		$$(($(WOLFBOOT_PARTITION_BOOT_ADDRESS) - $(ARCH_FLASH_OFFSET))) test-app/image_v1_signed.bin \
+		$$(($(WOLFBOOT_PARTITION_UPDATE_ADDRESS)-$(ARCH_FLASH_OFFSET))) test-app/image_v3_signed_diff.bin \
+		$$(($(WOLFBOOT_PARTITION_SWAP_ADDRESS)-$(ARCH_FLASH_OFFSET))) erased_sec.dd
+
 test-sim-update-flash: wolfboot.elf test-sim-internal-flash-with-update FORCE
 	$(Q)(test `./wolfboot.elf success update_trigger get_version` -eq 1)
 	$(Q)(test `./wolfboot.elf success get_version` -eq $(TEST_UPDATE_VERSION))