[nrf noup] bootloader: Add support for IronSide counters

tomchy · tomchy · commit d72e933262bb · 2025-11-13T15:43:31.000+01:00
Add an implementation of HW rollback prevention, based on the IronSide
secure counters service.

Ref: NCSDK-36295

Signed-off-by: Tomasz Chyrowicz &lt;tomasz.chyrowicz@nordicsemi.no&gt;
diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt
@@ -54,6 +54,9 @@ endif()
 # Include the UUID generation code
 add_subdirectory(uuid)
 
+# Include the IronSide-based HW counters implementation
+add_subdirectory_ifdef(CONFIG_NRF_MCUBOOT_IRONSIDE_COUNTERS ironside_counters)
+
 zephyr_library_include_directories(
   include
   )
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -1167,6 +1167,8 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION_LOCK
 	  This prevents the application from accidental updates of the counter,
 	  that may invalidate the currently running image.
 
+rsource "ironside_counters/Kconfig"
+
 config MCUBOOT_UUID_VID
 	bool "Expect vendor unique identifier in image's TLV"
 	help
diff --git a/boot/zephyr/ironside_counters/CMakeLists.txt b/boot/zephyr/ironside_counters/CMakeLists.txt
@@ -0,0 +1,7 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+zephyr_library_sources(ironside_counters.c)
diff --git a/boot/zephyr/ironside_counters/Kconfig b/boot/zephyr/ironside_counters/Kconfig
@@ -0,0 +1,13 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+config NRF_MCUBOOT_IRONSIDE_COUNTERS
+	bool "Use IRonSide counters for MCUBoot hardware downgrade prevention"
+	depends on MCUBOOT_HW_DOWNGRADE_PREVENTION && NRF_IRONSIDE_COUNTER_SERVICE
+	imply MCUBOOT_HW_DOWNGRADE_PREVENTION_LOCK
+	help
+	  Use IronSide SE hardware counters to prevent rollback of firmware images
+	  in MCUBoot bootloader.
diff --git a/boot/zephyr/ironside_counters/ironside_counters.c b/boot/zephyr/ironside_counters/ironside_counters.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+/**
+ * @file
+ * @brief MCUBoot IronSide security counters implementation.
+ */
+
+#include <stdint.h>
+#include <nrf_ironside/counter.h>
+#include "bootutil/fault_injection_hardening.h"
+#include "bootutil/bootutil_public.h"
+
+#define IRONSIDE_COUNTER_READ_RETRIES 3
+
+fih_int boot_nv_security_counter_init(void)
+{
+	return FIH_SUCCESS;
+}
+
+fih_int boot_nv_security_counter_get(uint32_t image_id, fih_int *security_cnt)
+{
+	uint32_t cur_sec_cnt[IRONSIDE_COUNTER_READ_RETRIES];
+	size_t i;
+	int err;
+
+	if (security_cnt == NULL) {
+		FIH_RET(FIH_FAILURE);
+	}
+
+	if (image_id > IRONSIDE_COUNTER_MAX) {
+		FIH_RET(FIH_FAILURE);
+	}
+
+	/* Since the IronSide service is not protected against fault injection,
+	 * read the counter multiple times and compare the results.
+	 */
+	for (i = 0; i < IRONSIDE_COUNTER_READ_RETRIES; i++) {
+		err = ironside_counter_get(image_id, &cur_sec_cnt[i]);
+		if (err != 0) {
+			FIH_RET(FIH_FAILURE);
+		}
+	}
+
+	for (i = 1; i < IRONSIDE_COUNTER_READ_RETRIES; i++) {
+		if (cur_sec_cnt[0] != cur_sec_cnt[i]) {
+			FIH_RET(FIH_FAILURE);
+		}
+	}
+
+	if (cur_sec_cnt[0] != IRONSIDE_COUNTER_MAX_VALUE) {
+		*security_cnt = fih_int_encode(cur_sec_cnt[0]);
+		FIH_RET(FIH_SUCCESS);
+	}
+
+	FIH_RET(FIH_FAILURE);
+}
+
+int32_t boot_nv_security_counter_update(uint32_t image_id, uint32_t img_security_cnt)
+{
+	int err;
+
+	if ((img_security_cnt > IRONSIDE_COUNTER_MAX_VALUE) || (image_id > IRONSIDE_COUNTER_MAX)) {
+		return -BOOT_EBADARGS;
+	}
+
+	err = ironside_counter_set(image_id, img_security_cnt);
+
+	return err == 0 ? 0 : -BOOT_EBADSTATUS;
+}
+
+fih_int boot_nv_security_counter_is_update_possible(uint32_t image_id, uint32_t img_security_cnt)
+{
+	fih_int security_cnt;
+	fih_int fih_err;
+
+	FIH_CALL(boot_nv_security_counter_get, fih_err, image_id, &security_cnt);
+	if (FIH_NOT_EQ(fih_err, FIH_SUCCESS)) {
+		FIH_RET(FIH_FAILURE);
+	}
+
+        if (fih_int_decode(security_cnt) == IRONSIDE_COUNTER_MAX_VALUE) {
+                FIH_RET(FIH_FAILURE);
+        }
+
+        if (fih_int_decode(security_cnt) <= img_security_cnt) {
+		FIH_RET(FIH_SUCCESS);
+	}
+
+        FIH_RET(FIH_FAILURE);
+}
+
+int32_t boot_nv_security_counter_lock(uint32_t image_id)
+{
+        int err;
+
+        if (image_id > IRONSIDE_COUNTER_MAX) {
+                return -BOOT_EBADARGS;
+        }
+
+        err = ironside_counter_lock(image_id);
+
+        return err == 0 ? 0 : -BOOT_EBADSTATUS;
+}

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,9 @@ endif()`
`54`	`54`	`# Include the UUID generation code`
`55`	`55`	`add_subdirectory(uuid)`
`56`	`56`
	`57`	`+# Include the IronSide-based HW counters implementation`
	`58`	`+add_subdirectory_ifdef(CONFIG_NRF_MCUBOOT_IRONSIDE_COUNTERS ironside_counters)`
	`59`	`+`
`57`	`60`	`zephyr_library_include_directories(`
`58`	`61`	`include`
`59`	`62`	`)`