From b9fb4a64e61b36fde8c0366bb66eff2f7cc7f57e Mon Sep 17 00:00:00 2001
From: Dominik Ermel
Date: Thu, 31 Jul 2025 12:13:22 +0000
Subject: [PATCH 1/4] bootutil: Add MCUBOOT_USE_TLV_ALLOW_LIST

The ALLOW_ROGUE_TLVS is used to turn off TLV filtering in code, basically to prevent processing TLVs that MCUboot is not compiled to serve anyway. The commit replaces identifier ALLOW_ROGUE_TLVS with MCUBOOT_USE_TLV_ALLOW_LIST and reverse the logic around it, as it now means opposite to the original. This gives the feature an identifier in style of the mcuboot_config.h defined identifiers.

Signed-off-by: Dominik Ermel
---
 boot/bootutil/src/image_validate.c | 4 ++--
 docs/release-notes.d/tlv-allow-list.md | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 docs/release-notes.d/tlv-allow-list.md

diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index 6b3899492..f4a643a2c 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -155,7 +155,7 @@ static int bootutil_check_for_pure(const struct image_header *hdr,
 }
 #endif
 
-#ifndef ALLOW_ROGUE_TLVS
+#ifdef MCUBOOT_USE_TLV_ALLOW_LIST
 /*
 * The following list of TLVs are the only entries allowed in the unprotected
 * TLV section. All other TLV entries must be in the protected section.
@@ -293,7 +293,7 @@ bootutil_img_validate(struct boot_loader_state *state,
 break;
 }
 
-#ifndef ALLOW_ROGUE_TLVS
+#ifdef MCUBOOT_USE_TLV_ALLOW_LIST
 /*
 * Ensure that the non-protected TLV only has entries necessary to hold
 * the signature. We also allow encryption related keys to be in the
diff --git a/docs/release-notes.d/tlv-allow-list.md b/docs/release-notes.d/tlv-allow-list.md
new file mode 100644
index 000000000..295b5f076
--- /dev/null
+++ b/docs/release-notes.d/tlv-allow-list.md
@@ -0,0 +1,2 @@
+ - Control over compilation of unprotected TLV allow list has been exposed
+ using MCUBOOT_USE_TLV_ALLOW_LIST mcuboot configuration identifier.
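Review bot: The guard flip in both hunks (`#ifndef ALLOW_ROGUE_TLVS` → `#ifdef MCUBOOT_USE_TLV_ALLOW_LIST`) turns the unprotected-TLV allow-list check from opt-out into opt-in, so any mcuboot_config.h that does not define the new identifier is compiled without the check and nothing in the build says so. The in-tree ports are covered by later patches in this series, but a port or out-of-tree configuration that is not updated silently loses the filtering the commit message intends to keep, and a build that still defines ALLOW_ROGUE_TLVS gets no diagnostic that the name no longer has any effect. A cheap safeguard next to the first guard is `#ifdef ALLOW_ROGUE_TLVS` / `#error "ALLOW_ROGUE_TLVS has been replaced by MCUBOOT_USE_TLV_ALLOW_LIST"` / `#endif`; if legacy behaviour matters more than size, consider having bootutil define the identifier by default and letting ports opt out through an explicit disable identifier that the Zephyr `CONFIG_MCUBOOT_USE_TLV_ALLOW_LIST=n` path would set. Both the allow-list table and the `bootutil_img_validate` TLV loop continue outside the hunks.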
From 3e2c9ea29eb7b246c7205fe891d306de7e3d5872 Mon Sep 17 00:00:00 2001
From: Dominik Ermel
Date: Thu, 31 Jul 2025 12:18:08 +0000
Subject: [PATCH 2/4] zephyr: Kconfig to control MCUBOOT_USE_TLV_ALLOW_LIST

The commit adds Kconfig MCUBOOT_USE_TLV_ALLOW_LIST that allows to control MCUboot config option MCUBOOT_USE_TLV_ALLOW_LIST. The Kconfig is set to y, by default, to keep legacy behaviour.

Signed-off-by: Dominik Ermel
---
 boot/zephyr/Kconfig | 12 ++++++++++++
 boot/zephyr/include/mcuboot_config/mcuboot_config.h | 5 +++++
 2 files changed, 17 insertions(+)

diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
index f94ac439d..d517dd8fc 100644
--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
@@ -1146,6 +1146,18 @@ config MCUBOOT_BOOT_BANNER
 config BOOT_BANNER_STRING
 default "Using Zephyr OS build" if MCUBOOT_BOOT_BANNER
 
+config MCUBOOT_USE_TLV_ALLOW_LIST
+ bool "Check unprotected TLVs against allow list"
+ default y
+ help
+ Every unprotected TLV will be checked against list of allowed TLVs,
+ which is compiled in and depends on configuration; an image that
+ contain TLV not present on the list will be automaticaly rejected.
+ This is additional check, as MCUboot will not be parsing TLVs it
+ has not been compiled to parse in the first place.
+ Disabling this option will cut down MCUboot size.
+ The Kconfig controlls MCUboot configuration option MCUBOOT_USE_TLV_ALLOW_LIST.
+
 config BOOT_DECOMPRESSION_SUPPORT
 bool
 help
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
index 5285632ca..266dec162 100644
--- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h
+++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
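Review bot: The help text of the new `MCUBOOT_USE_TLV_ALLOW_LIST` option names the size benefit of disabling it but not what is given up; the unprotected TLV area is, by name, the part of the image outside what the signature protects, so a reader picking `n` for size should be told that images carrying unexpected TLVs there will no longer be rejected. Replace the size sentence with something like `Disabling this option reduces code size, but images carrying TLVs that are not on the list in their unprotected area will no longer be rejected; keep it enabled unless the size saving is required.` The same help lines also carry typos worth fixing in the same change: `automaticaly` → `automatically`, `controlls` → `controls`, and `an image that contain TLV` → `an image that contains a TLV`.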
@@ -150,6 +150,11 @@
 #define MCUBOOT_HAVE_LOGGING 1
 #endif
 
+/* Enable/disable non-protected TLV check against allow list */
+#ifdef CONFIG_MCUBOOT_USE_TLV_ALLOW_LIST
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+#endif
+
 #ifdef CONFIG_BOOT_ENCRYPT_RSA
 #define MCUBOOT_ENC_IMAGES
 #define MCUBOOT_ENCRYPT_RSA

From 268bfc9d8bd7228fddf3823a06b0173740301ac8 Mon Sep 17 00:00:00 2001
From: Dominik Ermel
Date: Thu, 31 Jul 2025 15:40:10 +0000
Subject: [PATCH 3/4] sys: Add MCUBOOT_USE_TLV_ALLOW_LIST to mcuboot_config.h

Add #define MCUBOOT_USE_TLV_ALLOW_LIST 1, to keep behaviour where TLVs are matched against list of allowed TLVs, before being processed.

Signed-off-by: Dominik Ermel
---
 boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h | 3 +++
 boot/espressif/hal/include/mcuboot_config/mcuboot_config.h | 3 +++
 boot/mbed/include/mcuboot_config/mcuboot_config.h | 3 +++
 .../mcuboot_config/include/mcuboot_config/mcuboot_config.h | 3 +++
 boot/nuttx/include/mcuboot_config/mcuboot_config.h | 3 +++
 5 files changed, 15 insertions(+)

diff --git a/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h b/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h
index 9af2a7d27..77cb4b4d4 100644
--- a/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h
+++ b/boot/cypress/MCUBootApp/config/mcuboot_config/mcuboot_config.h
@@ -25,6 +25,9 @@
 #define MCUBOOT_MAX_IMG_SECTORS 2560
 #endif
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 /*
 * Signature types
 *
diff --git a/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h b/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h
index 2435172d8..d0085dc26 100644
--- a/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h
+++ b/boot/espressif/hal/include/mcuboot_config/mcuboot_config.h
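Review bot: The comment `/* Enable/disable non-protected TLV check against allow list */` on the Zephyr hunk describes a choice this block does not make; the `#ifdef CONFIG_MCUBOOT_USE_TLV_ALLOW_LIST` block can only define the identifier, the decision lives in Kconfig, and the port headers elsewhere in this series use the plainer `/* Enable non-protected TLV check against allow list */`. Say what the block actually does, e.g. `/* Mirror CONFIG_MCUBOOT_USE_TLV_ALLOW_LIST: check unprotected TLVs against the allow list */`, so a reader looking for where the check is turned off is pointed at Kconfig rather than this header.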
@@ -128,6 +128,9 @@
 
 #define MCUBOOT_DEV_WITH_ERASE
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 /* Default maximum number of flash sectors per image slot; change
 * as desirable. */
 #define MCUBOOT_MAX_IMG_SECTORS 512
diff --git a/boot/mbed/include/mcuboot_config/mcuboot_config.h b/boot/mbed/include/mcuboot_config/mcuboot_config.h
index 4794d3db3..2d7ce19ca 100644
--- a/boot/mbed/include/mcuboot_config/mcuboot_config.h
+++ b/boot/mbed/include/mcuboot_config/mcuboot_config.h
@@ -80,6 +80,9 @@
 
 #define MCUBOOT_DEV_WITH_ERASE
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 /*
 * No watchdog integration for now
 */
diff --git a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h
index 6ee2c2ad2..f83f268e4 100644
--- a/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h
+++ b/boot/mynewt/mcuboot_config/include/mcuboot_config/mcuboot_config.h
@@ -139,6 +139,9 @@
 
 #define MCUBOOT_DEV_WITH_ERASE
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 #if MYNEWT_VAL(BOOTUTIL_FEED_WATCHDOG) && MYNEWT_VAL(WATCHDOG_INTERVAL)
 #include
 #define MCUBOOT_WATCHDOG_FEED() \
diff --git a/boot/nuttx/include/mcuboot_config/mcuboot_config.h b/boot/nuttx/include/mcuboot_config/mcuboot_config.h
index 8a3383f5b..339f7273c 100644
--- a/boot/nuttx/include/mcuboot_config/mcuboot_config.h
+++ b/boot/nuttx/include/mcuboot_config/mcuboot_config.h
@@ -134,6 +134,9 @@
 
 #define MCUBOOT_DEV_WITH_ERASE
 
+/* Enable non-protected TLV check against allow list */
+#define MCUBOOT_USE_TLV_ALLOW_LIST 1
+
 /* Default maximum number of flash sectors per image slot; change
 * as desirable. */
 

From d84226daa8c87af40caccd48c8b75ec6e560fec5 Mon Sep 17 00:00:00 2001
From: Dominik Ermel
Date: Thu, 31 Jul 2025 15:52:04 +0000
Subject: [PATCH 4/4] doc: Add information on TLV allow list

Add information on TLV allow list and MCUBOOT_USE_TLV_ALLOW_LIST, MCUboot configuration identifier that controls its usage.

Signed-off-by: Dominik Ermel
---
 docs/design.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/docs/design.md b/docs/design.md
index e4da1bfa8..2d30c7809 100755
--- a/docs/design.md
+++ b/docs/design.md
@@ -136,6 +136,14 @@ The `ih_hdr_size` field indicates the length of the header, and therefore the
 offset of the image itself. This field provides for backwards compatibility in
 case of changes to the format of the image header.
 
+## [TLV allow list](#tlv-allow)
+
+While reading unprotected TLVs from an image, MCUboot will try to match TLVs
+against list it has compiled in support for; each new defined TLV has to be added
+to that list, which is named `allowed_unprot_tlvs` and defined in
+image_validate.c. The usage of the list is optional and can be controlled
+during compilation with `MCUBOOT_USE_TLV_ALLOW_LIST` config identifier.
+
 ## [Flash map](#flash-map)
 
 A device's flash is partitioned according to its _flash map_. At a high