Validate slot zero before booting Instead of just checking the upgrade image signature, check the signature on each boot. This helps to prevent rogue images being flashed by a means other than the upgrade process.
This feature is controlled by whether BOOTUTIL_VALIDATE_SLOT0 is defined. Project: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/commit/8092bf70 Tree: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/tree/8092bf70 Diff: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/diff/8092bf70 Branch: refs/heads/develop Commit: 8092bf70896a8e55e4380e8e0277bed05a7fc61a Parents: bf13e99 Author: David Brown <[email protected]> Authored: Wed Dec 14 07:59:48 2016 -0700 Committer: Christopher Collins <[email protected]> Committed: Mon Feb 6 14:53:13 2017 -0800 ---------------------------------------------------------------------- boot/bootutil/src/loader.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/8092bf70/boot/bootutil/src/loader.c ----------------------------------------------------------------------
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
index f2497af..cff5acd 100644
--- a/boot/bootutil/src/loader.c
+++ b/boot/bootutil/src/loader.c
@@ -551,13 +551,13 @@ split_image_check(struct image_header *app_hdr,
 }
 static int
-boot_validate_slot1(void)
+boot_validate_slot(int slot)
 {
     const struct flash_area *fap;
     int rc;
-    if (boot_data.imgs[1].hdr.ih_magic == 0xffffffff ||
-        boot_data.imgs[1].hdr.ih_flags & IMAGE_F_NON_BOOTABLE) {
+    if (boot_data.imgs[slot].hdr.ih_magic == 0xffffffff ||
+        boot_data.imgs[slot].hdr.ih_flags & IMAGE_F_NON_BOOTABLE) {
         /* No bootable image in slot 1; continue booting from slot 0. */
         return -1;
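Review bot: The comment `/* No bootable image in slot 1; continue booting from slot 0. */` kept in the new body is stale now that the function takes a slot argument; for slot 0 it names the wrong slot and the wrong outcome, since the boot_go caller added later in this commit turns the non-zero return into BOOT_EBADIMAGE rather than continuing. Suggest `/* No bootable image in this slot; the caller decides how to proceed. */` and a short header comment on boot_validate_slot describing the return contract: 0 when the slot holds a valid, bootable image, -1 when the slot is empty or non-bootable (and presumably when the image check fails, as the original slot-1 comment implies), and BOOT_EFLASH when the flash area cannot be opened. The function body continues past the end of this hunk.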
@@ -566,13 +566,14 @@ boot_validate_slot1(void)
     /* Image in slot 1 is invalid. Erase the image and continue booting
      * from slot 0.
      */
-    rc = flash_area_open(FLASH_AREA_IMAGE_1, &fap);
+    rc = flash_area_open(flash_area_id_from_image_slot(slot), &fap);
     if (rc != 0) {
         return BOOT_EFLASH;
     }
-    if (boot_data.imgs[1].hdr.ih_magic != IMAGE_MAGIC ||
-        boot_image_check(&boot_data.imgs[1].hdr, fap) != 0) {
+    if ((boot_data.imgs[slot].hdr.ih_magic != IMAGE_MAGIC ||
+        boot_image_check(&boot_data.imgs[slot].hdr, fap) != 0) &&
+        slot == 1) {
         /* Image in slot 1 is invalid. Erase the image and continue booting
          * from slot 0.
@@ -608,7 +609,7 @@ boot_validated_swap_type(void)
     }
     /* Boot loader wants to switch to slot 1. Ensure image is valid. */
-    rc = boot_validate_slot1();
+    rc = boot_validate_slot(1);
     if (rc != 0) {
         return BOOT_SWAP_TYPE_FAIL;
     }
@@ -1045,6 +1046,12 @@ boot_go(struct boot_rsp *rsp)
     switch (swap_type) {
     case BOOT_SWAP_TYPE_NONE:
+#ifdef BOOTUTIL_VALIDATE_SLOT0
+        rc = boot_validate_slot(0);
+        if (rc != 0) {
+            return BOOT_EBADIMAGE;
+        }
+#endif
         slot = 0;
         break;
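Review bot: The `&& slot == 1` appended to the validation condition means that when slot is 0 and the magic check or `boot_image_check()` fails, the invalid-image block is skipped entirely and the function continues as if the image were valid; unless the remainder of the function, which lies outside this hunk, handles that case, `boot_validate_slot(0)` returns 0 for an unsigned or tampered slot-0 image and the BOOTUTIL_VALIDATE_SLOT0 check added in the boot_go hunk below never rejects anything. The slot test should guard only the erase, not the verdict: drop `&& slot == 1` from the condition, and inside the block wrap the erase of the slot-1 image in `if (slot == 1) { ... }`, leaving the block's failure return (outside the hunk) unconditional so both callers see the failure. The comment `/* Image in slot 1 is invalid. ... */` should then move inside that inner guard, since it is only true for slot 1. The end of this block is outside the hunk.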
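Review bot: The new `#ifdef BOOTUTIL_VALIDATE_SLOT0` block in boot_go carries no comment explaining why slot 0 is re-checked, and the BOOT_EFLASH that boot_validate_slot returns when the flash area cannot be opened is folded into BOOT_EBADIMAGE here, so a flash failure is indistinguishable from a bad signature to the caller. Suggest `/* Slot 0 is booted in place; verify its signature so an image written outside the upgrade path is not booted. */` above the call, and `return rc == BOOT_EFLASH ? BOOT_EFLASH : BOOT_EBADIMAGE;` to keep the distinction. Only the BOOT_SWAP_TYPE_NONE arm is covered; whether any other arm of the switch, which is outside the hunk, can boot slot 0 without it first having been validated through boot_validated_swap_type should be confirmed.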
