Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

enforce ascending writes in bootloader update #368

Merged
merged 1 commit into from Feb 6, 2020
Merged

enforce ascending writes in bootloader update #368

merged 1 commit into from Feb 6, 2020

Conversation

@conorpp
Copy link
Contributor

conorpp commented Feb 6, 2020

Fix an issue in Solo bootloader where the version check can be bypassed, allowing earlier firmware versions to be programmed on secure models. The fix is to enforce writes on ascending addresses.

@conorpp conorpp closed this Feb 6, 2020
@conorpp conorpp reopened this Feb 6, 2020
@conorpp conorpp merged commit f74dba7 into master Feb 6, 2020
8 checks passed
8 checks passed
Header rules - docs-solokeys-io-solo No header rules processed
Details
Pages changed - docs-solokeys-io-solo 2 new files uploaded
Details
Redirect rules - docs-solokeys-io-solo No redirect rules processed
Details
License Compliance All checks passed.
Details
Mixed content - docs-solokeys-io-solo No mixed content detected
Details
Travis CI - Branch Build Passed
Details
Travis CI - Pull Request Build Passed
Details
netlify/docs-solokeys-io-solo/deploy-preview Deploy preview ready!
Details
@conorpp

This comment has been minimized.

Copy link
Contributor Author

conorpp commented Feb 6, 2020

Thanks to @fcremo and @ikkisoft of Doyensec for the security audit and catching this!

@fcremo

This comment has been minimized.

Copy link

fcremo commented Feb 10, 2020

Almost LGTM. With this patch an attacker can't choose freely which bytes get interpreted as the version.
However, I think she can still call BootDone with an uninitialized last_written_app_address, and a valid firmware, maybe allowing to bypass the version check.

To do this, she could flash an older firmware with BootWrite commands, reboot the key, then issue the BootDone command, which would verify the signature correctly and then use an uninitialized pointer to read the firmware version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants
You can’t perform that action at this time.