mcuboot icon indicating copy to clipboard operation
mcuboot copied to clipboard

Published 20 hours ago verified publisher icon mcu-tools

Add downgrade prevention for swaps

Open kasjer opened this issue 2 years ago • 3 comments

Currently, downgrade prevention was limited to overwrite only builds (version check) or devices with hardware storage for security counter.

This extends downgrade prevention to be used when swap update is selected. Unlike MCUBOOT_HW_ROLLBACK_PROT option it does not require user code to provide external way to store security counter. Security counter from slot 1 image is used for comparison. With security counter usage it is possible to have limited software rollback if security counter was not incremented.

It is possible to use image version where strict rule for image version comparison prevents any downgrades.

Downgrade prevention is also added to mynewt configuration.

If image in slot 1 is marked as pending and downgrade prevention is in place, image will be deleted to avoid check on next boot.

Signed-off-by: Jerzy Kasenberg [email protected]

kasjer avatar Apr 12 '22 13:04 kasjer

Hi, any update on this?

sjanc avatar Jun 27 '22 16:06 sjanc

It would be nice to also have support in the Zephyr kconfig files.

zephyr Kconfig updated as requested

kasjer avatar Jun 29 '22 13:06 kasjer

gentle ping :)

sjanc avatar Jul 26 '22 12:07 sjanc