bootutil: imgtool: Fix CI failures

For some platorms
image_validate.c: In function 'bootutil_img_validate':
image_validate.c:358:40: error: 'image_index' undeclared
(first use in this function); did you mean 'image_header'?
  358 |             key_id = bootutil_find_key(image_index, buf, len);
      |                                        ^~~~~~~~~~~

Resolve imgtool CI errors affecting certain signature verification tests.

Also, change the return type of boot_verify_key_id_for_image to reflect
its use as an FIH call.

Also add new bootutil source files to the Zephyr and
espressif CMakeLists.txt files to fix undefined symbols.

Signed-off-by: Maulik Patel <[email protected]>
Change-Id: Ie75e6c533631b2696a4a41d86b64d4009fac0c54

Author: maulik-arm

boot/bootutil/include/bootutil/sign_key.h

@@ -30,6 +30,9 @@
 #ifdef MCUBOOT_IMAGE_MULTI_SIG_SUPPORT
 #include <stdbool.h>
 #endif /* MCUBOOT_IMAGE_MULTI_SIG_SUPPORT */
+#ifdef MCUBOOT_BUILTIN_KEY
+#include "bootutil/fault_injection_hardening.h"
+#endif /* MCUBOOT_BUILTIN_KEY */
 
 #ifdef __cplusplus
 extern "C" {
@@ -51,7 +54,7 @@ extern const struct bootutil_key bootutil_keys[];
  *
  * @return                   0 if the key ID is valid for the image; nonzero on failure.
  */
-int boot_verify_key_id_for_image(uint8_t image_index, uint32_t key_id);
+fih_ret boot_verify_key_id_for_image(uint8_t image_index, uint32_t key_id);
 #endif /* MCUBOOT_BUILTIN_KEY */
 #else
 struct bootutil_key {

boot/bootutil/src/bootutil_find_key.c

@@ -28,14 +28,27 @@
 
 #include <stdint.h>
 
-#include "bootutil/bootutil_log.h"
 #include "bootutil/crypto/sha.h"
 #include "bootutil/fault_injection_hardening.h"
 #include "bootutil/image.h"
 #include "bootutil/sign_key.h"
 #include "bootutil_priv.h"
 #include "mcuboot_config/mcuboot_config.h"
+#include "bootutil/bootutil_log.h"
+
+BOOT_LOG_MODULE_DECLARE(mcuboot);
+
+#if defined(MCUBOOT_SIGN_RSA)       || \
+    defined(MCUBOOT_SIGN_EC256)     || \
+    defined(MCUBOOT_SIGN_EC384)     || \
+    defined(MCUBOOT_SIGN_EC)        || \
+    defined(MCUBOOT_SIGN_ED25519)
+#define IMAGE_VALIDATION_EXPECTS_KEY
+#else
+    /* no signing, sha256 digest only */
+#endif
 
+#ifdef IMAGE_VALIDATION_EXPECTS_KEY
 #ifdef MCUBOOT_IMAGE_MULTI_SIG_SUPPORT
 #define NUM_OF_KEYS MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE
 #else
@@ -135,3 +148,4 @@ int bootutil_find_key(uint8_t image_index, uint8_t *keyhash, uint8_t keyhash_len
     return -1;
 }
 #endif
+#endif /* IMAGE_VALIDATION_EXPECTS_KEY */

boot/bootutil/src/bootutil_img_hash.c

@@ -29,12 +29,14 @@
 #include <stdint.h>
 #include <flash_map_backend/flash_map_backend.h>
 
-#include "bootutil/bootutil_log.h"
 #include "bootutil/crypto/sha.h"
 #include "bootutil/fault_injection_hardening.h"
 #include "bootutil/image.h"
 #include "bootutil_priv.h"
 #include "mcuboot_config/mcuboot_config.h"
+#include "bootutil/bootutil_log.h"
+
+BOOT_LOG_MODULE_DECLARE(mcuboot);
 
 #ifndef MCUBOOT_SIGN_PURE
 /*

boot/bootutil/src/image_validate.c

@@ -205,7 +205,7 @@ bootutil_img_validate(struct boot_loader_state *state,
                       int seed_len, uint8_t *out_hash
                      )
 {
-#if (defined(EXPECTED_KEY_TLV) && defined(MCUBOOT_HW_KEY)) || defined(MCUBOOT_HW_ROLLBACK_PROT)
+#if defined(EXPECTED_KEY_TLV) || defined(MCUBOOT_HW_ROLLBACK_PROT)
     int image_index = (state == NULL ? 0 : BOOT_CURR_IMG(state));
 #endif
     uint32_t off;

boot/espressif/CMakeLists.txt

@@ -236,6 +236,9 @@ endif()
 
 set(bootutil_srcs
     ${BOOTUTIL_DIR}/src/boot_record.c
+    ${BOOTUTIL_DIR}/src/bootutil_find_key.c
+    ${BOOTUTIL_DIR}/src/bootutil_img_hash.c
+    ${BOOTUTIL_DIR}/src/bootutil_img_security_cnt.c
     ${BOOTUTIL_DIR}/src/bootutil_misc.c
     ${BOOTUTIL_DIR}/src/bootutil_public.c
     ${BOOTUTIL_DIR}/src/caps.c

boot/zephyr/CMakeLists.txt

@@ -105,6 +105,9 @@ endif()
 # Generic bootutil sources and includes.
 zephyr_library_include_directories(${BOOT_DIR}/bootutil/include)
 zephyr_library_sources(
+  ${BOOT_DIR}/bootutil/src/bootutil_find_key.c
+  ${BOOT_DIR}/bootutil/src/bootutil_img_hash.c
+  ${BOOT_DIR}/bootutil/src/bootutil_img_security_cnt.c
   ${BOOT_DIR}/bootutil/src/image_validate.c
   ${BOOT_DIR}/bootutil/src/tlv.c
   ${BOOT_DIR}/bootutil/src/encrypted.c

scripts/imgtool/image.py

@@ -870,7 +870,12 @@ def verify(imgfile, key):
         # Locate the first TLV info header
         tlv_off = header_size + img_size
         tlv_info = b[tlv_off:tlv_off + TLV_INFO_SIZE]
-        magic, tlv_tot = struct.unpack('HH', tlv_info)
+        if len(tlv_info) < TLV_INFO_SIZE:
+            # no protected block present, jump straight to unprotected
+            magic = TLV_INFO_MAGIC
+            tlv_tot = len(b) - tlv_off
+        else:
+            magic, tlv_tot = struct.unpack('HH', tlv_info)
 
         # If it's the protected-TLV block, skip it
         if magic == TLV_PROT_INFO_MAGIC:
@@ -893,8 +898,12 @@ def verify(imgfile, key):
         is_pure = False
         scan_off = unprot_off
         while scan_off < unprot_end:
-            tlv = b[scan_off:scan_off + TLV_SIZE]
-            tlv_type, _, tlv_len = struct.unpack('BBH', tlv)
+            # if fewer than TLV_SIZE bytes remain, break
+            if scan_off + TLV_SIZE > len(b):
+                break
+            tlv_hdr = b[scan_off:scan_off + TLV_SIZE]
+            tlv_type, _, tlv_len = struct.unpack('BBH', tlv_hdr)
+
             if tlv_type == TLV_VALUES['SIG_PURE']:
                 is_pure = True
                 break
@@ -910,8 +919,11 @@ def verify(imgfile, key):
 
         # Verify hash and signatures
         while scan_off < unprot_end:
-            tlv = b[scan_off:scan_off + TLV_SIZE]
-            tlv_type, _, tlv_len = struct.unpack('BBH', tlv)
+            # stop if not enough bytes for another TLV header
+            if scan_off + TLV_SIZE > len(b):
+                break
+            tlv_hdr = b[scan_off:scan_off + TLV_SIZE]
+            tlv_type, _, tlv_len = struct.unpack('BBH', tlv_hdr)
             if is_sha_tlv(tlv_type):
                 if not tlv_matches_key_type(tlv_type, key[0]):
                     return VerifyResult.KEY_MISMATCH, None, None, None

scripts/imgtool/main.py

@@ -576,9 +576,12 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
         compression_tlvs["DECOMP_SHA"] = img.image_hash
         compression_tlvs_size = len(compression_tlvs["DECOMP_SIZE"])
         compression_tlvs_size += len(compression_tlvs["DECOMP_SHA"])
-        if img.get_signature():
-            compression_tlvs["DECOMP_SIGNATURE"] = img.get_signature()
-            compression_tlvs_size += len(compression_tlvs["DECOMP_SIGNATURE"])
+        sigs = img.get_signature()
+        if sigs:
+            sig = sigs[0] if isinstance(sigs, list) else sigs
+            compression_tlvs["DECOMP_SIGNATURE"] = sig
+            compression_tlvs_size += len(sig)
+
         if (compressed_size + compression_tlvs_size) < uncompressed_size:
             compression_header = create_lzma2_header(
                 dictsize = comp_default_dictsize, pb = comp_default_pb,
@@ -588,7 +591,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
             keep_comp_size = False;
             if enckey:
                 keep_comp_size = True
-            compressed_img.create(key, public_key_format, enckey,
+            compressed_img.create(loaded_keys, public_key_format, enckey,
                dependencies, boot_record, custom_tlvs, compression_tlvs,
                compression, int(encrypt_keylen), clear, baked_signature,
                pub_key, vector_to_sign, user_sha=user_sha, hmac_sha=hmac_sha,

sim/mcuboot-sys/build.rs

@@ -450,6 +450,7 @@ fn main() {
 
     conf.file("../../boot/bootutil/src/bootutil_find_key.c");
     conf.file("../../boot/bootutil/src/bootutil_img_hash.c");
+    conf.file("../../boot/bootutil/src/bootutil_img_security_cnt.c");
     conf.file("../../boot/bootutil/src/image_validate.c");
     if sig_rsa || sig_rsa3072 {
         conf.file("../../boot/bootutil/src/image_rsa.c");