a2a5a94569
Platform NV counter get updated (if cert NV counter > plat NV counter) before authenticating the certificate if the platform specifies NV counter method before signature authentication in its CoT, and this provides an opportunity for a tempered certificate to upgrade the platform NV counter. This is theoretical issue, as in practice none of the standard CoT (TBBR, dualroot) or upstream platforms ones (NXP) exercised this issue. To fix this issue, modified the auth_nvctr method to do only NV counter check, and flags if the NV counter upgrade is needed or not. Then ensured that the platform NV counter gets upgraded with the NV counter value from the certificate only after that certificate gets authenticated. This change is verified manually by modifying the CoT that specifies certificate with: 1. NV counter authentication before signature authentication method 2. NV counter authentication method only Change-Id: I1ad17f1a911fb1035a1a60976cc26b2965b05166 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> |
||
|---|---|---|
| .. | ||
| cryptocell | ||
| dualroot | ||
| mbedtls | ||
| tbbr | ||
| auth_mod.c | ||
| crypto_mod.c | ||
| img_parser_mod.c | ||