Improve TLV control under ALLOW_ROGUE_TLVS switch

The list of allowed unprotected tlvs is limited to expected TLV only,
depending on crypto scheme configuration. The original implementation
allows many additional TLV (related to other crypto schemes).

The allow_unprot_tlvs[] array changes requires the move of EXPECTED_ENC_TLV
definitions from encrypted.c to enc_key_public.h file.

Signed-off-by: Stephane Le Roy <[email protected]>

Author: Stephane-LeRoy

boot/bootutil/include/bootutil/enc_key_public.h

@@ -59,6 +59,28 @@ extern "C" {
 #define BOOT_ENC_TLV_SIZE TLV_ENC_KW_SZ
 #endif
 
+#define EXPECTED_ENC_LEN        BOOT_ENC_TLV_SIZE
+
+#if defined(MCUBOOT_ENCRYPT_RSA)
+#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_RSA2048
+#elif defined(MCUBOOT_ENCRYPT_KW)
+#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_KW
+#elif defined(MCUBOOT_ENCRYPT_EC256)
+#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_EC256
+#    define EC_PUBK_INDEX       (0)
+#    define EC_TAG_INDEX        (65)
+#    define EC_CIPHERKEY_INDEX  (65 + 32)
+_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
+        "Please fix ECIES-P256 component indexes");
+#elif defined(MCUBOOT_ENCRYPT_X25519)
+#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_X25519
+#    define EC_PUBK_INDEX       (0)
+#    define EC_TAG_INDEX        (32)
+#    define EC_CIPHERKEY_INDEX  (32 + 32)
+_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
+        "Please fix ECIES-X25519 component indexes");
+#endif
+
 #ifdef __cplusplus
 }
 #endif

boot/bootutil/src/encrypted.c

@@ -383,28 +383,6 @@ boot_enc_set_key(struct enc_key_data *enc_state, uint8_t slot,
     return 0;
 }
 
-#define EXPECTED_ENC_LEN        BOOT_ENC_TLV_SIZE
-
-#if defined(MCUBOOT_ENCRYPT_RSA)
-#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_RSA2048
-#elif defined(MCUBOOT_ENCRYPT_KW)
-#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_KW
-#elif defined(MCUBOOT_ENCRYPT_EC256)
-#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_EC256
-#    define EC_PUBK_INDEX       (0)
-#    define EC_TAG_INDEX        (65)
-#    define EC_CIPHERKEY_INDEX  (65 + 32)
-_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
-        "Please fix ECIES-P256 component indexes");
-#elif defined(MCUBOOT_ENCRYPT_X25519)
-#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_X25519
-#    define EC_PUBK_INDEX       (0)
-#    define EC_TAG_INDEX        (32)
-#    define EC_CIPHERKEY_INDEX  (32 + 32)
-_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
-        "Please fix ECIES-X25519 component indexes");
-#endif
-
 #if ( (defined(MCUBOOT_ENCRYPT_RSA) && defined(MCUBOOT_USE_MBED_TLS) && !defined(MCUBOOT_USE_PSA_CRYPTO)) || \
       (defined(MCUBOOT_ENCRYPT_EC256) && defined(MCUBOOT_USE_MBED_TLS)) )
 #if MBEDTLS_VERSION_NUMBER >= 0x03000000

boot/bootutil/src/image_validate.c

@@ -358,20 +358,10 @@ bootutil_get_img_security_cnt(struct image_header *hdr,
  * TLV section.  All other TLV entries must be in the protected section.
  */
 static const uint16_t allowed_unprot_tlvs[] = {
-     IMAGE_TLV_KEYHASH,
-     IMAGE_TLV_PUBKEY,
-     IMAGE_TLV_SHA256,
-     IMAGE_TLV_SHA384,
-     IMAGE_TLV_SHA512,
-     IMAGE_TLV_RSA2048_PSS,
-     IMAGE_TLV_ECDSA224,
-     IMAGE_TLV_ECDSA_SIG,
-     IMAGE_TLV_RSA3072_PSS,
-     IMAGE_TLV_ED25519,
-     IMAGE_TLV_ENC_RSA2048,
-     IMAGE_TLV_ENC_KW,
-     IMAGE_TLV_ENC_EC256,
-     IMAGE_TLV_ENC_X25519,
+     EXPECTED_KEY_TLV,
+     EXPECTED_HASH_TLV,
+     EXPECTED_SIG_TLV,
+     EXPECTED_ENC_TLV,
      /* Mark end with ANY. */
      IMAGE_TLV_ANY,
 };