Secondary bootloader may allow an unverified image to boot from UART

ID: LPCBARESDK-1145

Status: Open

First reported: 6.0.24.1464

Fixed in: TBD

Description

When an image is downloaded over UART, the secondary bootloader can boot it even if signature verification or decryption of that image failed. FwDownload() returns fw_size (success) as soon as the host tool that downloads the image answers with an ACK after the CRC is received; the result of the verification/decryption step (uart_ver_dec_ok) is never checked before that return.

Workaround

Apply the following patch so that the bootloader rejects images that fail signature verification or decryption instead of reporting a successful download.

The change should be added immediately before the return fw_size; statement in the FwDownload() function of uart_booter.c in the secondary bootloader project. The check is compiled in only when SIGNED_IMAGE_SUPPORT_UART or AES_SUPPORT_ENCRYPTED_UART_IMAGE is enabled; with both disabled there is no verification/decryption step and the behaviour is unchanged.

#if SIGNED_IMAGE_SUPPORT_UART || AES_SUPPORT_ENCRYPTED_UART_IMAGE
    if (!uart_ver_dec_ok)
    {
        // Return an error if the image was not successfully verified/decrypted,
        // so that this image will not be booted
        return -11;
    }
#endif // SIGNED_IMAGE_SUPPORT_UART || AES_SUPPORT_ENCRYPTED_UART_IMAGE
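The following is an added example, not code from the secondary bootloader project, that models the control flow described above and in the workaround: the image arrives, its transfer CRC is checked, the host tool ACKs, a verify/decrypt step sets a flag, and the function either returns the image size regardless of that flag (the reported behaviour) or returns -11 when the flag is clear (the patched behaviour). The session struct, the error codes other than -11, the 32-bit keyed tag that stands in for the real signature/decryption check, and the sample image are all constructed for this example.

```c
/* Added example for LPCBARESDK-1145; not the bootloader's own code.
 * Constructed: uart_session_t, ERR_CRC_MISMATCH/ERR_NO_ACK, the toy tag
 * standing in for signature verification, and the sample image bytes. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 4
#define ERR_CRC_MISMATCH (-1)   /* constructed: transfer CRC did not match */
#define ERR_NO_ACK       (-2)   /* constructed: host did not ACK the CRC   */
#define ERR_VERIFY       (-11)  /* same value the workaround patch returns */

typedef struct {
    const uint8_t *data;     /* image bytes as received over UART           */
    size_t len;              /* plays the role of fw_size                   */
    uint32_t crc_from_host;  /* CRC the host sent after the payload         */
    bool host_acks;          /* what the host tool answers once CRC matches */
} uart_session_t;

/* CRC-32 (IEEE 802.3, reflected) used as the transfer integrity check. */
static uint32_t crc32_ieee(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Toy stand-in for signature verification: the last 4 bytes must equal a
 * key-mixed CRC of the body. Not a real signature and not what the
 * bootloader does; it only gives a check that can pass or fail. */
static uint32_t toy_tag(const uint8_t *body, size_t body_len, uint32_t key)
{
    return crc32_ieee(body, body_len) ^ key;
}

static bool verify_image(const uint8_t *img, size_t len, uint32_t key)
{
    if (len <= TAG_LEN)
        return false;
    size_t body_len = len - TAG_LEN;
    uint32_t got = 0;
    for (int i = 0; i < TAG_LEN; i++)
        got |= (uint32_t)img[body_len + i] << (8 * i);
    return got == toy_tag(img, body_len, key);
}

/* Steps shared by both variants: CRC check, host ACK, then verify/decrypt.
 * ver_dec_ok is cleared at entry so a stale result cannot carry over. */
static int receive_image(const uart_session_t *s, uint32_t key, bool *ver_dec_ok)
{
    *ver_dec_ok = false;
    if (crc32_ieee(s->data, s->len) != s->crc_from_host)
        return ERR_CRC_MISMATCH;
    if (!s->host_acks)
        return ERR_NO_ACK;
    *ver_dec_ok = verify_image(s->data, s->len, key);
    return 0;
}

/* Reported behaviour: the verification result is recorded but never
 * consulted, so a host ACK is enough to report a successful download. */
int fw_download_vulnerable(const uart_session_t *s, uint32_t key)
{
    bool ver_dec_ok;
    int rc = receive_image(s, key, &ver_dec_ok);
    if (rc != 0)
        return rc;
    return (int)s->len;          /* "return fw_size;" regardless of the flag */
}

/* Patched behaviour: fail closed when verification/decryption failed. */
int fw_download_fixed(const uart_session_t *s, uint32_t key)
{
    bool ver_dec_ok;
    int rc = receive_image(s, key, &ver_dec_ok);
    if (rc != 0)
        return rc;
    if (!ver_dec_ok)
        return ERR_VERIFY;       /* the check the workaround adds */
    return (int)s->len;
}

/* Constructed sample image: body followed by its tag. With tamper set, one
 * body byte is flipped after the tag was computed, so the transfer CRC the
 * host computes still matches but verification fails. */
size_t build_image(uint8_t *out, size_t cap, uint32_t key, bool tamper)
{
    static const uint8_t body[] = "LPC-UART-IMAGE-v1";   /* 17 bytes */
    size_t body_len = sizeof body - 1;
    if (cap < body_len + TAG_LEN)
        return 0;
    memcpy(out, body, body_len);
    uint32_t tag = toy_tag(out, body_len, key);
    for (int i = 0; i < TAG_LEN; i++)
        out[body_len + i] = (uint8_t)(tag >> (8 * i));
    if (tamper)
        out[0] ^= 0x01;
    return body_len + TAG_LEN;
}

/* One download attempt. The host computes its CRC over exactly the bytes it
 * sent (corrupt_crc forces a mismatch) and either ACKs or not. */
int run_download(bool tamper, bool host_acks, bool corrupt_crc, bool fixed)
{
    uint8_t img[64];
    const uint32_t key = 0x5EC0DE11u;   /* constructed key */
    size_t len = build_image(img, sizeof img, key, tamper);
    uint32_t crc = crc32_ieee(img, len) ^ (corrupt_crc ? 0xFFFFFFFFu : 0u);
    uart_session_t s = { img, len, crc, host_acks };
    return fixed ? fw_download_fixed(&s, key) : fw_download_vulnerable(&s, key);
}

int main(void)
{
    printf("tampered image, ACKed, vulnerable: %d\n", run_download(true, true, false, false));
    printf("tampered image, ACKed, fixed:      %d\n", run_download(true, true, false, true));
    return 0;
}
```

The tampered case is the one the issue describes: the host CRC matches the bytes it actually sent, the host ACKs, and the vulnerable variant still returns the image size. Clearing ver_dec_ok at the start of every attempt is what makes the added check in the fixed variant trustworthy; a flag left set by an earlier successful download would otherwise pass a later unverified one.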

Diff

utilities/secondary_bootloader/src/uart_booter.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/utilities/secondary_bootloader/src/uart_booter.c b/utilities/secondary_bootloader/src/uart_booter.c
--- a/utilities/secondary_bootloader/src/uart_booter.c
+++ b/utilities/secondary_bootloader/src/uart_booter.c
@@ -448,6 +448,14 @@ int FwDownload(void)
         return -8;
     }

+#if SIGNED_IMAGE_SUPPORT_UART || AES_SUPPORT_ENCRYPTED_UART_IMAGE
+    if (!uart_ver_dec_ok)
+    {
+        // Return an error if the image was not successfully verified/decrypted,
+        // so that this image will not be booted
+        return -11;
+    }
+#endif // SIGNED_IMAGE_SUPPORT_UART || AES_SUPPORT_ENCRYPTED_UART_IMAGE
+
     return fw_size;
 }
 #endif // defined (UART_SUPPORTED) || defined (ONE_WIRE_UART_SUPPORTED)
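Review bot: the new check in FwDownload() depends on uart_ver_dec_ok having been cleared before this download, and the -11 return value is not documented in the hunk; confirm that uart_ver_dec_ok is initialised to false at entry to FwDownload() so a value left over from an earlier attempt cannot let an unverified image through, and record -11 alongside the existing error returns (the context shows `return -8;` just above) so callers can distinguish a verification/decryption failure from a transfer failure.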