boot: Enforce TLV entries to be protected

Only allow TLV entries that are needed for signature verification to be placed
in the unprotected area of the TLV.

Signed-off-by: David Brown <david.brown@linaro.org>
This commit is contained in:
David Brown 2024-04-10 14:59:00 -06:00 committed by Dávid Vincze
parent ea1cdfdeff
commit da2e2ab4e3
1 changed files with 45 additions and 0 deletions

View File

@ -349,6 +349,30 @@ bootutil_get_img_security_cnt(struct image_header *hdr,
return 0; return 0;
} }
#ifndef ALLOW_ROGUE_TLVS
/*
* The following list of TLVs are the only entries allowed in the unprotected
* TLV section. All other TLV entries must be in the protected section.
*/
static const uint16_t allowed_unprot_tlvs[] = {
IMAGE_TLV_KEYHASH,
IMAGE_TLV_PUBKEY,
IMAGE_TLV_SHA256,
IMAGE_TLV_SHA384,
IMAGE_TLV_RSA2048_PSS,
IMAGE_TLV_ECDSA224,
IMAGE_TLV_ECDSA_SIG,
IMAGE_TLV_RSA3072_PSS,
IMAGE_TLV_ED25519,
IMAGE_TLV_ENC_RSA2048,
IMAGE_TLV_ENC_KW,
IMAGE_TLV_ENC_EC256,
IMAGE_TLV_ENC_X25519,
/* Mark end with ANY. */
IMAGE_TLV_ANY,
};
#endif
/* /*
* Verify the integrity of the image. * Verify the integrity of the image.
* Return non-zero if image could not be validated/does not validate. * Return non-zero if image could not be validated/does not validate.
@ -420,6 +444,27 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
break; break;
} }
#ifndef ALLOW_ROGUE_TLVS
/*
* Ensure that the non-protected TLV only has entries necessary to hold
* the signature. We also allow encryption related keys to be in the
* unprotected area.
*/
if (!bootutil_tlv_iter_is_prot(&it, off)) {
bool found = false;
for (const uint16_t *p = allowed_unprot_tlvs; *p != IMAGE_TLV_ANY; p++) {
if (type == *p) {
found = true;
break;
}
}
if (!found) {
FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}
}
#endif
if (type == EXPECTED_HASH_TLV) { if (type == EXPECTED_HASH_TLV) {
/* Verify the image hash. This must always be present. */ /* Verify the image hash. This must always be present. */
if (len != sizeof(hash)) { if (len != sizeof(hash)) {