mcuboot icon indicating copy to clipboard operation
mcuboot copied to clipboard
verified publisher icon mcu-tools

zephyr/single_loader #if 0 in image decryption code.

Open nvlsianpu opened this issue 3 years ago • 6 comments

https://github.com/mcu-tools/mcuboot/blob/d8eff810ad2ce08c66764560a82f415ca710e3f9/boot/zephyr/single_loader.c#L354

What we can do about that.

nvlsianpu avatar Feb 21 '22 16:02 nvlsianpu

cc @@wcappelle

nvlsianpu avatar Feb 21 '22 16:02 nvlsianpu

This step is skipped since it was introducing some extra latency. Skipping this means that the image is not first validated before decryption is started. So decryption is done, and after decryption is finished, I rely on the normal boot process to validate the decrypted image. I don't think this is a bad thing since an attacker still needs to have the private key to sign the image if he wants to run this. If you think this is a security risk, I would suggest to always enable it. During my development I had it initially enabled, but due to above reasoning, i've disabled it since i was working on a slow cortex-M0.

wcappelle avatar Feb 21 '22 16:02 wcappelle

@wcappelle I mean that this is no configurable, but just hardcoded. We should have a configuration option instead of #if 0

nvlsianpu avatar Feb 21 '22 16:02 nvlsianpu

I'm not sure this should be configurable? if it adds up to the security I would suggest to just always enable it, otherwise just delete the dead code?

wcappelle avatar Feb 21 '22 16:02 wcappelle

This excluded code gives possibility for reject either badly signed and badly encrypted image before non volatile decryption will happens. But gain is negligible - this is USB DFU - someone have already the way for writing to the image slot anytime that someone want.

For reference: Without the encryption, the image validation might be performed only before the application call.

Also a user might disabled image validation - if we make this code arbitrary ON this will introduce unwanted procedure.

I would remove that dead code.

nvlsianpu avatar Feb 23 '22 13:02 nvlsianpu

I'm also in favor of removing. I only left the code there since I was still in doubt what reviewers would want wrt to security concerns. But I follow the same reasoning.

wcappelle avatar Feb 23 '22 14:02 wcappelle

This issue has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 14 days. Note, that you can always re-open a closed issue at any time.

github-actions[bot] avatar Aug 23 '22 03:08 github-actions[bot]