From ad41a9fdc49a101cac4350d62f2bdf1501676584 Mon Sep 17 00:00:00 2001
From: tychovrahe
Date: Wed, 27 Aug 2025 11:51:04 +0200
Subject: [PATCH] feat: validate model identifier on boot
---
 boot/bootutil/src/image_validate.c | 29 +++++++++++++++++++
 boot/zephyr/Kconfig | 3 ++
 .../include/mcuboot_config/mcuboot_config.h | 3 ++
 3 files changed, 35 insertions(+)
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index a3ae75b6a6..911f00e8c8 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -178,6 +178,7 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index,
 #define EXPECTED_SIG_0_TLV 0x00A0
 #define EXPECTED_SIG_1_TLV 0x00A1
 #define EXPECTED_SIGMASK_TLV 0x00A2
+#define EXPECTED_MODEL_TLV 0x00A3
 #define SIG_BUF_SIZE 64
 #define EXPECTED_SIG_LEN(x) ((x) == SIG_BUF_SIZE)
@@ -307,6 +308,7 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
 int rc = 0;
 bool sig_0_found = false;
 bool sig_1_found = false;
+ bool model_valid = false;
 uint16_t sigmask = 0;
 FIH_DECLARE(fih_rc, FIH_FAILURE);
 uint32_t off;
@@ -450,6 +452,28 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
 memcpy(sig1, buf, len);
 break;
 }
+ case EXPECTED_MODEL_TLV:
+ {
+ uint32_t model_identifier = 0;
+ if (len != sizeof(model_identifier)) {
+ rc = -1;
+ goto out;
+ }
+
+ rc = LOAD_IMAGE_DATA(hdr, fap, off, &model_identifier, len);
+ if (rc) {
+ goto out;
+ }
+
+ if (model_identifier == MODEL_IDENTIFIER) {
+ model_valid = true;
+ } else {
+ rc = -1;
+ goto out;
+ }
+
+ break;
+ }
 }
 }
@@ -458,6 +482,11 @@ bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
 goto out;
 }
+ if (!model_valid) {
+ rc = -1;
+ goto out;
+ }
+
 int sig0_idx = sigmask & (1 << 0) ? 0 : 1;
 int sig1_idx = sigmask & (1 << 2) ? 2 : 1;
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
index eff5a2fc4c..417c0369c8 100644
--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
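Review bot: The new `case EXPECTED_MODEL_TLV` accepts the identifier from wherever the TLV iterator finds it, but the check only has value if the model TLV sits in the protected TLV area, the part covered by the image hash and therefore by the signature; an identifier stored in the unprotected area is not bound to the signed image. Unless the iterator set up in the loop header (outside this hunk) is already restricted to protected TLVs, reject an unprotected one before the length check with `bootutil_tlv_iter_is_prot()` on the iterator and `off`, setting `rc = -1` and jumping to `out`, and have the image tooling emit the TLV as protected. `LOAD_IMAGE_DATA` copies the four raw bytes into `model_identifier`, so the comparison with `MODEL_IDENTIFIER` presumably assumes the image tool encodes the value in the target's byte order; that assumption is worth a one-line comment on the case, e.g. `/* Model id is stored in target byte order as a 4-byte protected TLV. */`. bootutil_img_validate starts and ends outside this hunk.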
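Review bot: The `if (!model_valid)` gate, together with the `model_identifier == MODEL_IDENTIFIER` comparison in the TLV loop, is a plain boolean decision, whereas the rest of this function carries its verdict in `fih_rc` (declared with `FIH_DECLARE(fih_rc, FIH_FAILURE)` in the declarations hunk), so the model check is the one step on this path that is not fault-injection hardened. If FIH is enabled for this port, encode the result the way the upstream security-counter check does, keeping `fih_ret_encode_zero_equality(model_identifier != MODEL_IDENTIFIER)` in a FIH-typed value and testing it here with `FIH_NOT_EQ(..., FIH_SUCCESS)` instead of a `bool`. Rejecting an image with no model TLV is the right fail-closed default and deserves a comment, e.g. `/* The model TLV is mandatory: an image without one is rejected. */`. bootutil_img_validate continues outside this hunk.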
@@ -331,6 +331,9 @@ endif
 if !BOOT_SIGNATURE_USING_KMU
+config MODEL_IDENTIFIER
+ int "Model identifier"
+
 config BOOT_PRODUCTION_KEY
 bool "Use production key for signature verification"
 default n
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
index 76f82413fd..26bbd3e0bc 100644
--- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h
+++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -155,6 +155,9 @@
 #define MCUBOOT_PRODUCTION_KEY
 #endif
+#ifdef CONFIG_MODEL_IDENTIFIER
+#define MODEL_IDENTIFIER CONFIG_MODEL_IDENTIFIER
+#endif
 #ifdef CONFIG_BOOT_BOOTSTRAP
 #define MCUBOOT_BOOTSTRAP 1
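Review bot: `config MODEL_IDENTIFIER` is declared inside the `if !BOOT_SIGNATURE_USING_KMU` block, while image_validate.c references `MODEL_IDENTIFIER` unconditionally and the mcuboot_config.h hunk that follows only defines it under `#ifdef CONFIG_MODEL_IDENTIFIER`, so a build that selects BOOT_SIGNATURE_USING_KMU would presumably fail to compile with an undeclared identifier rather than with a message naming the missing option. Either move the symbol out of that `if` block or add `#else` / `#error "CONFIG_MODEL_IDENTIFIER is required"` to the header hunk so the omission is reported at the definition site. The symbol also has no `help` text and no `range`; since the value is compared with a `uint32_t` in the boot code, `range 0 0xFFFFFFFF` (or the `hex` type) documents the admissible values and rejects negative ones at configuration time. A short `help` entry stating that the value must match the model TLV written into the image by the signing tooling would help integrators set it correctly.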