From 4dc6d60efaa49019066734b87946e8713677506c Mon Sep 17 00:00:00 2001
From: Stephane Le Roy
Date: Wed, 15 Jan 2025 09:13:16 +0100
Subject: [PATCH] Improve TLV control under ALLOW_ROGUE_TLVS switch

The list of allowed unprotected tlvs is limited to expected TLV only, depending on crypto scheme configuration. The original implementation allows many additional TLV (related to other crypto schemes). The allow_unprot_tlvs[] array changes requires the move of EXPECTED_ENC_TLV definitions from encrypted.c to enc_key_public.h file.

Signed-off-by: Stephane Le Roy
---
 .../include/bootutil/enc_key_public.h | 22 +++++++++++++++++++
 boot/bootutil/src/encrypted.c | 22 -------------------
 boot/bootutil/src/image_validate.c | 18 ++++-----------
 3 files changed, 26 insertions(+), 36 deletions(-)

diff --git a/boot/bootutil/include/bootutil/enc_key_public.h b/boot/bootutil/include/bootutil/enc_key_public.h
index 6874cfbc8..0887c8579 100644
--- a/boot/bootutil/include/bootutil/enc_key_public.h
+++ b/boot/bootutil/include/bootutil/enc_key_public.h
@@ -59,6 +59,28 @@ extern "C" {
 #define BOOT_ENC_TLV_SIZE TLV_ENC_KW_SZ
 #endif
 
+#define EXPECTED_ENC_LEN BOOT_ENC_TLV_SIZE
+
+#if defined(MCUBOOT_ENCRYPT_RSA)
+# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_RSA2048
+#elif defined(MCUBOOT_ENCRYPT_KW)
+# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_KW
+#elif defined(MCUBOOT_ENCRYPT_EC256)
+# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_EC256
+# define EC_PUBK_INDEX (0)
+# define EC_TAG_INDEX (65)
+# define EC_CIPHERKEY_INDEX (65 + 32)
+_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
+ "Please fix ECIES-P256 component indexes");
+#elif defined(MCUBOOT_ENCRYPT_X25519)
+# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_X25519
+# define EC_PUBK_INDEX (0)
+# define EC_TAG_INDEX (32)
+# define EC_CIPHERKEY_INDEX (32 + 32)
+_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
+ "Please fix ECIES-X25519 component indexes");
+#endif
+
 #ifdef __cplusplus
 }
 #endif
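Review bot: The block moved into enc_key_public.h arrives with no comment, and `EXPECTED_ENC_LEN` together with the `EC_PUBK_INDEX`/`EC_TAG_INDEX`/`EC_CIPHERKEY_INDEX` offsets is now exported to every translation unit that includes the header rather than staying private to encrypted.c. A header comment above `#define EXPECTED_ENC_LEN` would state the contract the two consumers rely on: `/* Type and length of the single encryption TLV the configured scheme expects; the EC_*_INDEX offsets locate the ECIES components inside it. */`. The `#if`/`#elif` chain has no `#else`, so when no MCUBOOT_ENCRYPT_* selector is set `EXPECTED_ENC_TLV` is simply undefined, which any consumer using the name unconditionally must account for. The `_Static_assert` now evaluates in every includer, so `BOOT_ENC_KEY_SIZE` has to be defined by this header before this point; it appears to be, given `BOOT_ENC_TLV_SIZE` is defined just above, but that is worth confirming.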
diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c
index 8449a28dd..7bd38ccc6 100644
--- a/boot/bootutil/src/encrypted.c
+++ b/boot/bootutil/src/encrypted.c
@@ -383,28 +383,6 @@ boot_enc_set_key(struct enc_key_data *enc_state, uint8_t slot,
 return 0;
 }
 
-#define EXPECTED_ENC_LEN BOOT_ENC_TLV_SIZE
-
-#if defined(MCUBOOT_ENCRYPT_RSA)
-# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_RSA2048
-#elif defined(MCUBOOT_ENCRYPT_KW)
-# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_KW
-#elif defined(MCUBOOT_ENCRYPT_EC256)
-# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_EC256
-# define EC_PUBK_INDEX (0)
-# define EC_TAG_INDEX (65)
-# define EC_CIPHERKEY_INDEX (65 + 32)
-_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
- "Please fix ECIES-P256 component indexes");
-#elif defined(MCUBOOT_ENCRYPT_X25519)
-# define EXPECTED_ENC_TLV IMAGE_TLV_ENC_X25519
-# define EC_PUBK_INDEX (0)
-# define EC_TAG_INDEX (32)
-# define EC_CIPHERKEY_INDEX (32 + 32)
-_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
- "Please fix ECIES-X25519 component indexes");
-#endif
-
 #if ( (defined(MCUBOOT_ENCRYPT_RSA) && defined(MCUBOOT_USE_MBED_TLS) && !defined(MCUBOOT_USE_PSA_CRYPTO)) || \
 (defined(MCUBOOT_ENCRYPT_EC256) && defined(MCUBOOT_USE_MBED_TLS)) )
 #if MBEDTLS_VERSION_NUMBER >= 0x03000000
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index ec5d986df..3f560f05d 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -358,20 +358,10 @@ bootutil_get_img_security_cnt(struct image_header *hdr,
 * TLV section. All other TLV entries must be in the protected section.
 */
 static const uint16_t allowed_unprot_tlvs[] = {
- IMAGE_TLV_KEYHASH,
- IMAGE_TLV_PUBKEY,
- IMAGE_TLV_SHA256,
- IMAGE_TLV_SHA384,
- IMAGE_TLV_SHA512,
- IMAGE_TLV_RSA2048_PSS,
- IMAGE_TLV_ECDSA224,
- IMAGE_TLV_ECDSA_SIG,
- IMAGE_TLV_RSA3072_PSS,
- IMAGE_TLV_ED25519,
- IMAGE_TLV_ENC_RSA2048,
- IMAGE_TLV_ENC_KW,
- IMAGE_TLV_ENC_EC256,
- IMAGE_TLV_ENC_X25519,
+ EXPECTED_KEY_TLV,
+ EXPECTED_HASH_TLV,
+ EXPECTED_SIG_TLV,
+ EXPECTED_ENC_TLV,
 /* Mark end with ANY. */
 IMAGE_TLV_ANY,
 };
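Review bot: `EXPECTED_ENC_TLV` is placed in the initializer unconditionally, but the chain that defines it in enc_key_public.h (first hunk) has no fallback when none of the MCUBOOT_ENCRYPT_* selectors is set, so a build without image encryption fails on this line unless the array is already inside an encryption-only `#ifdef` that the hunk does not show. Wrapping the entry, `#ifdef EXPECTED_ENC_TLV` / `    EXPECTED_ENC_TLV,` / `#endif`, keeps the list valid in both configurations; `EXPECTED_SIG_TLV` may need the same guard if it is only defined when a signature scheme is selected. The narrowing itself is the right direction for the rogue-TLV check: an unprotected TLV of a type the bootloader is not configured to consume is now rejected instead of tolerated, and the comment block above the array (which starts outside the hunk) could say that the allowed set is derived from the build's crypto configuration.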