bootutil: Fixed security counter overflow detected to late

ahasztag · de-nordic · commit fe8f9fc07a3b · 2025-08-14T14:44:09.000+02:00
This commit fixes the issue, occuring when the maximum amount of
security counter updates has been reached.

This fact was only detected after a permament update already
happened - the updated firmware was unable to boot, as it
failed when trying to update the security counter after
the permament swap.

This commit adds the check if the security counter can be
updated (i. e. free security counter slots are still available)
before the swap is performed, fixing the issue.

Signed-off-by: Artur Hadasz &lt;artur.hadasz@nordicsemi.no&gt;
diff --git a/boot/bootutil/include/bootutil/security_cnt.h b/boot/bootutil/include/bootutil/security_cnt.h
@@ -63,6 +63,19 @@ fih_ret boot_nv_security_counter_get(uint32_t image_id, fih_int *security_cnt);
 int32_t boot_nv_security_counter_update(uint32_t image_id,
                                         uint32_t img_security_cnt);
 
+/**
+ * This function verifies whether the security counter update to a given value is possible.
+ * The update might not be possible if the maximum amount of security counter updates
+ * was reached.
+ *
+ * @param image_id          Index of the image (from 0).
+ * @param img_security_cnt  New security counter value.
+ *
+ * @return                  FIH_SUCCESS if update is possible; FIH_FAILURE otherwise
+ */
+fih_ret boot_nv_security_counter_is_update_possible(uint32_t image_id,
+                                                    uint32_t img_security_cnt);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
@@ -445,6 +445,19 @@ bootutil_img_validate(struct boot_loader_state *state,
                 goto out;
             }
 
+#ifdef MCUBOOT_HW_ROLLBACK_PROT_COUNTER_LIMITED
+            if (img_security_cnt > (uint32_t)fih_int_decode(security_cnt)) {
+                FIH_CALL(boot_nv_security_counter_is_update_possible, fih_rc, image_index,
+                         img_security_cnt);
+                if (FIH_NOT_EQ(fih_rc, FIH_SUCCESS)) {
+                    FIH_SET(fih_rc, FIH_FAILURE);
+                    BOOT_LOG_ERR("Security counter update is not possible, possibly the maximum "
+                                 "number of security updates has been reached.");
+                    goto out;
+                }
+            }
+#endif
+
             /* The image's security counter has been successfully verified. */
             security_counter_valid = fih_rc;
             break;
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -1058,6 +1058,17 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION
 	  Because of the acceptance of equal values it allows for software
 	  downgrade to some extent.
 
+config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_LIMITED
+	bool "HW based downgrade prevention counter has limited number of updates"
+	depends on MCUBOOT_HW_DOWNGRADE_PREVENTION
+	help
+	  When this option is set, the hardware downgrade prevention counter
+	  has limited number of updates. This option will enable checking
+	  if it is possible to update the counter before performing
+	  the upgrade. If an update package contains a security counter
+	  value as a TLV but it is not possible to update the counter,
+	  the update will be rejected.
+
 endchoice
 
 config BOOT_WATCHDOG_FEED
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -228,6 +228,10 @@
 #define MCUBOOT_HW_ROLLBACK_PROT
 #endif
 
+#ifdef CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_LIMITED
+#define MCUBOOT_HW_ROLLBACK_PROT_COUNTER_LIMITED
+#endif
+
 #ifdef CONFIG_MEASURED_BOOT
 #define MCUBOOT_MEASURED_BOOT
 #endif
