-
Notifications
You must be signed in to change notification settings - Fork 643
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for optional anti-rollback protection #224
Comments
I would like to open a discussion about the implementation of rollback protection in MCUBoot:
Aim of anti-rollback protection:
Some potential implementation of rollback protection:
What to use for security counter:
Extend the the integrity protection to some part of the TLV section:
Set the value of security counter:
Integration with update modes:
Impact on code size:
|
We potentially don't know vulnerability status of an application until it is exercised - reject this option.
I would Introduce a new rollback/security counter ore use version number form image header . In most of cases it will change with firmware version, except when an older version is loaded. My consideration bases on my experience form one of my previous project.
I would add command-line support via imagetool.py |
I think with this option one could have the opportunity to do intentional software downgrade to some extent and still would be able to create something like a "security boundary" to limit software downgrading. As an option, this security counter could be updated with each firmware update (i.e. to be equal with the main image version number). |
I might miss something but it seems very aligned to my suggestion. More strategy can be defined how to derive the security/rollback counter from image version. It can be a one to one assignment or just increase security counter if major version has changed, etc. But it can be independent at all. If operator roll out a new firmware which main goal to fix a security vulnerability then the security/rollback counter i the image must be increased. If the goal of the firmware upgrade just to fix a small operational bug then security/rollback counter can remain the same as previous image. Security counter might saved to an OTP(eFuse) memory, which can have limited range. So too frequent update of security counter might not the best strategy. |
Agree. |
I think we have two features that are being discussed here. @tamasban is suggesting a rollback counter, which is a hardware feature to prevent rollbacks beyond certain defined points. This hardware is now always available. What I'm suggesting in this issue is to have a simple software anti-rollback counter that merely compares the version number of the slot1 image, and ignores that image if its version number is less than the image in slot0. This would solve many of the threat cases, although it does require issuing a new image with a new version number if it is necessary to go back to an earlier version of the firmware. I would like to keep this issue to track the software anti-rollback, and create another issue to track implementing the HW rollback counter (which is implemented in the TF-M fork). |
HW anti-rollback counter issue will be tracked in #597. |
This issue has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 14 days. Note, that you can always re-open a closed issue at any time. |
Some systems require anti-rollback protection to be in place. The easiest way for us to do this is to prevent upgrades to versions that are older than the currently running version.
In order to do this, we need to define what the ordering means with the version fields, and then add an option to enforce it.
The text was updated successfully, but these errors were encountered: