From: Sean Edmond <seanedm...@microsoft.com>

Adds anti-rollback version protection. Images with an anti-rollback counter value "arbvn" declared in the FDT will be compared against the current device anti-rollback counter value, and older images will not pass signature validation. If the image is newer, the device anti-rollback counter value will be updated.

The "arbvn" value is stored/retrieved using the newly added security driver. A "TPM backed" and "sandbox backed" security driver have been provided as examples.

Adds new configs:
- CONFIG_DM_SECURITY : enable security device support
- CONFIG_SECURITY_SANDBOX : enables "sandbox_security" driver
- CONFIG_SECURITY_TPM : Enables "tpm_security" driver
- CONFIG_ARBP : enable enforcement of OS anti-rollback counter during image loading
- CONFIG_FIT_ARBVP_GRACE : adds a one unit grace period to OS anti-rollback protection

Sean Edmond (1):
  dm: test: Add a test for security driver

Stephen Carlson (4):
  drivers: security: Add security devices to driver model
  drivers: security: Add TPM2 implementation of security devices
  common: Add OS anti-rollback validation using security devices
  common: Add OS anti-rollback grace period

 MAINTAINERS                         |   9 ++
 arch/sandbox/dts/test.dts           |   8 ++
 boot/Kconfig                        |  19 +++
 boot/image-fit-sig.c                |  94 +++++++++++++++
 boot/image-fit.c                    |  23 ++++
 configs/sandbox_defconfig           |   3 +
 drivers/Kconfig                     |   2 +
 drivers/Makefile                    |   1 +
 drivers/security/Kconfig            |  25 ++++
 drivers/security/Makefile           |   7 ++
 drivers/security/sandbox_security.c |  65 +++++++++++
 drivers/security/security-tpm.c     | 173 ++++++++++++++++++++++++++++
 drivers/security/security-uclass.c  |  30 +++++
 include/dm-security.h               |  44 +++++++
 include/dm/uclass-id.h              |   1 +
 include/image.h                     |   4 +
 include/tpm-v2.h                    |   1 +
 test/dm/Makefile                    |   1 +
 test/dm/security.c                  |  78 +++++++++++++
 19 files changed, 588 insertions(+)
 create mode 100644 drivers/security/Kconfig
 create mode 100644 drivers/security/Makefile
 create mode 100644 drivers/security/sandbox_security.c
 create mode 100644 drivers/security/security-tpm.c
 create mode 100644 drivers/security/security-uclass.c
 create mode 100644 include/dm-security.h
 create mode 100644 test/dm/security.c

--
2.40.0
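
The counter comparison described in the cover letter, modelled as a stand-alone example that is added here and is not code from the patch series. The names (arb_store, arb_check) are hypothetical, the in-memory counter stands in for the security device, and the grace behaviour (accept an image exactly one version below the counter, leaving the counter unchanged) is an assumed reading of "one unit grace period".

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the security device: one monotonic counter. */
struct arb_store { uint64_t counter; };

enum arb_result { ARB_OK, ARB_OK_UPDATED, ARB_REJECT_ROLLBACK, ARB_REJECT_UNSIGNED };

/*
 * Decide whether an image may boot.
 * sig_ok: outcome of signature verification, performed before this call.
 * grace:  assumed meaning of the grace option: tolerate an image exactly
 *         one version below the stored counter.
 */
enum arb_result arb_check(struct arb_store *s, uint64_t image_arbvn,
                          bool sig_ok, bool grace)
{
    /* An unauthenticated "arbvn" must never influence the stored counter,
     * otherwise a forged image could push it forward and lock out good ones. */
    if (!sig_ok)
        return ARB_REJECT_UNSIGNED;

    if (image_arbvn < s->counter) {
        /* No underflow: counter is strictly greater than image_arbvn here. */
        if (grace && s->counter - image_arbvn == 1)
            return ARB_OK;              /* boots, counter left unchanged */
        return ARB_REJECT_ROLLBACK;     /* older image: refuse */
    }

    if (image_arbvn > s->counter) {
        s->counter = image_arbvn;       /* counter only ever moves forward */
        return ARB_OK_UPDATED;
    }
    return ARB_OK;                      /* same version: nothing to update */
}

int main(void)
{
    struct arb_store dev = { .counter = 5 };   /* constructed sample state */

    printf("older, no grace: %d\n", arb_check(&dev, 4, true, false));
    printf("older, grace:    %d\n", arb_check(&dev, 4, true, true));
    printf("newer, unsigned: %d\n", arb_check(&dev, 9, false, false));
    printf("newer, signed:   %d (counter now %llu)\n",
           arb_check(&dev, 7, true, false), (unsigned long long)dev.counter);
    return 0;
}
```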