feat(bootloader): Adds bootloader anti rollback configs

2025-03-09 09:09:10 -04:00 · 2024-06-29 15:48:51 +03:00 · 2024-06-29 15:48:51 +03:00 · 816a0da0fd
commit 816a0da0fd
parent bb329c4e53
5 changed files with 34 additions and 1 deletions
--- a/components/bootloader/Kconfig.bootloader_rollback
+++ b/components/bootloader/Kconfig.bootloader_rollback
@ -0,0 +1,25 @@
+menu "Bootloader Rollback"
+
+    config BOOTLOADER_ANTI_ROLLBACK_ENABLE
+        bool "Enable bootloader rollback support"
+        depends on SOC_RECOVERY_BOOTLOADER_SUPPORTED
+        default n
+        help
+            This option prevents rollback to previous bootloader image with lower security version.
+
+    config BOOTLOADER_SECURE_VERSION
+        int "Secure version of bootloader"
+        depends on BOOTLOADER_ANTI_ROLLBACK_ENABLE
+        default 0
+        range 0 4
+        help
+            The secure version is the sequence number stored in the header of each bootloader.
+
+            The ROM Bootloader which runs the 2nd stage bootloader (PRIMARY or RECOVERY) checks that
+            the security version is greater or equal that recorded in the eFuse field.
+            Bootloaders that have a secure version in the image < secure version in efuse will not boot.
+
+            The security version is worth increasing if in previous versions there is
+            a significant vulnerability and their use is not acceptable.
+
+endmenu
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@ -2,6 +2,7 @@ menu "Bootloader config"

    orsource "../esp_bootloader_format/Kconfig.bootloader"
    orsource "Kconfig.app_rollback"
+    orsource "Kconfig.bootloader_rollback"

    config BOOTLOADER_OFFSET_IN_FLASH
        hex
--- a/components/esp_bootloader_format/esp_bootloader_desc.c
+++ b/components/esp_bootloader_format/esp_bootloader_desc.c
@ -17,6 +17,11 @@ __attribute__((weak))
 const esp_bootloader_desc_t esp_bootloader_desc = {
    .magic_byte = ESP_BOOTLOADER_DESC_MAGIC_BYTE,
    .reserved = { 0 },
+#if CONFIG_BOOTLOADER_ANTI_ROLLBACK_ENABLE
+    .secure_version = CONFIG_BOOTLOADER_SECURE_VERSION,
+#else
+    .secure_version = 0,
+#endif // CONFIG_BOOTLOADER_ANTI_ROLLBACK_ENABLE
    .version = CONFIG_BOOTLOADER_PROJECT_VER,
    .idf_ver = IDF_VER,
 #ifdef CONFIG_BOOTLOADER_COMPILE_TIME_DATE
--- a/components/esp_bootloader_format/include/esp_bootloader_desc.h
+++ b/components/esp_bootloader_format/include/esp_bootloader_desc.h
@ -24,7 +24,8 @@ extern "C"
 */
 typedef struct {
    uint8_t magic_byte;         /*!< Magic byte ESP_BOOTLOADER_DESC_MAGIC_BYTE */
-    uint8_t reserved[3];        /*!< reserved for IDF */
+    uint8_t reserved[2];        /*!< reserved for IDF */
+    uint8_t secure_version;     /*!< The version used by bootloader anti-rollback feature */
    uint32_t version;           /*!< Bootloader version */
    char idf_ver[32];           /*!< Version IDF */
    char date_time[24];         /*!< Compile date and time*/
--- a/docs/en/api-reference/system/bootloader_image_format.rst
+++ b/docs/en/api-reference/system/bootloader_image_format.rst
@ -64,6 +64,7 @@ The ``DRAM0`` segment of the bootloader binary starts with the :cpp:type:`esp_bo

 * ``magic_byte``: the magic byte for the esp_bootloader_desc structure
 * ``reserved``: reserved for the future IDF use
+ * ``secure_version``: the secure version used by the bootloader anti-rollback feature, see :ref:`CONFIG_BOOTLOADER_ANTI_ROLLBACK_ENABLE`.
 * ``version``: bootloader version, see :ref:`CONFIG_BOOTLOADER_PROJECT_VER`
 * ``idf_ver``: ESP-IDF version. [#f1]_
 * ``date`` and ``time``: compile date and time