[nrf fromlist] bootutil: Add API to lock HW counter

Add a new API to lock further updates of the HW-based security counter.
This API may prevent the non-bootloader application from accidental
invalidation of the bootable firmware.

Upstream PR #: 2543

Signed-off-by: Tomasz Chyrowicz <[email protected]>

Author: tomchy

boot/bootutil/include/bootutil/security_cnt.h

@@ -85,6 +85,17 @@ int32_t boot_nv_security_counter_update(uint32_t image_id,
 fih_ret boot_nv_security_counter_is_update_possible(uint32_t image_id,
                                                     uint32_t img_security_cnt);
 
+#ifdef MCUBOOT_HW_ROLLBACK_PROT_LOCK
+/**
+ * Lock updates of the stored value of a given image's security counter.
+ *
+ * @param image_id          Index of the image (from 0).
+ *
+ * @return                  0 on success; nonzero on failure.
+ */
+int32_t boot_nv_security_counter_lock(uint32_t image_id);
+#endif /* MCUBOOT_HW_ROLLBACK_PROT_LOCK */
+
 #ifdef __cplusplus
 }
 #endif

boot/bootutil/src/loader.c

@@ -2581,10 +2581,19 @@ boot_update_hw_rollback_protection(struct boot_loader_state *state)
     if (swap_state.magic != BOOT_MAGIC_GOOD || swap_state.image_ok == BOOT_FLAG_SET) {
         rc = boot_update_security_counter(state, BOOT_SLOT_PRIMARY, BOOT_SLOT_PRIMARY);
         if (rc != 0) {
-            BOOT_LOG_ERR("Security counter update failed after image "
-                            "validation.");
+            BOOT_LOG_ERR("Security counter update failed after image %d validation.",
+                         BOOT_CURR_IMG(state));
+            return rc;
+        }
+
+#ifdef MCUBOOT_HW_ROLLBACK_PROT_LOCK
+        rc = boot_nv_security_counter_lock(BOOT_CURR_IMG(state));
+        if (rc != 0) {
+            BOOT_LOG_ERR("Security counter lock failed after image %d validation.",
+                         BOOT_CURR_IMG(state));
             return rc;
         }
+#endif /* MCUBOOT_HW_ROLLBACK_PROT_LOCK */
     }
 
     return 0;
@@ -3361,9 +3370,19 @@ boot_update_hw_rollback_protection(struct boot_loader_state *state)
                                           state->slot_usage[BOOT_CURR_IMG(state)].active_slot,
                                           state->slot_usage[BOOT_CURR_IMG(state)].active_slot);
         if (rc != 0) {
-            BOOT_LOG_ERR("Security counter update failed after image %d validation.", BOOT_CURR_IMG(state));
+            BOOT_LOG_ERR("Security counter update failed after image %d validation.",
+                         BOOT_CURR_IMG(state));
+            return rc;
+        }
+
+#ifdef MCUBOOT_HW_ROLLBACK_PROT_LOCK
+        rc = boot_nv_security_counter_lock(BOOT_CURR_IMG(state));
+        if (rc != 0) {
+            BOOT_LOG_ERR("Security counter lock failed after image %d validation.",
+                         BOOT_CURR_IMG(state));
             return rc;
         }
+#endif /* MCUBOOT_HW_ROLLBACK_PROT_LOCK */
 #if defined(MCUBOOT_DIRECT_XIP) && defined(MCUBOOT_DIRECT_XIP_REVERT)
     }
 #endif

boot/zephyr/Kconfig

@@ -1154,6 +1154,17 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_LIMITED
 	  value as a TLV but it is not possible to update the counter,
 	  the update will be rejected.
 
+config MCUBOOT_HW_DOWNGRADE_PREVENTION_LOCK
+	bool "Lock updates of HW based downgrade prevention counter before boot"
+	depends on MCUBOOT_HW_DOWNGRADE_PREVENTION
+	help
+	  When this option is set, the hardware downgrade prevention counter
+	  updates are locked before booting the application.
+	  This means that after booting the application it is not possible to
+	  update the counter until a reboot.
+	  This prevents the application from accidental updates of the counter,
+	  that may invalidate the currently running image.
+
 endchoice
 
 config MCUBOOT_UUID_VID

boot/zephyr/include/mcuboot_config/mcuboot_config.h

@@ -239,6 +239,10 @@
 #define MCUBOOT_HW_ROLLBACK_PROT_COUNTER_LIMITED
 #endif
 
+#ifdef CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_LOCK
+#define MCUBOOT_HW_ROLLBACK_PROT_LOCK
+#endif
+
 #ifdef CONFIG_MCUBOOT_UUID_VID
 #define MCUBOOT_UUID_VID
 #endif