Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement a software rollback protection policy in RoT update_server. #1809

Open
wants to merge 6 commits into
base: master
Choose a base branch
from

Conversation

lzrd
Copy link
Contributor

@lzrd lzrd commented Jun 10, 2024

Issue #1570 software anti-rollback

Implement a software rollback protection policy in RoT update_server using:

  • the epoch value in the optional ImageHeader for early rejection (1st block presented before any flash erase/write) or
  • the EPOC tag in optional caboose for rejecting activation of an image.

"optional" because there are existent Bootleby images without ImageHeader or Caboose and Hubris images images in the future that may eliminate ImageHeader. In cases where an epoch value is not present, the image epoch is treated as equal to zero.

Related PRs:
https://github.com/oxidecomputer/sprot-release/pull/11
oxidecomputer/hubtools#32
https://github.com/oxidecomputer/permission-slip/pull/205
oxidecomputer/management-gateway-service#240

Remove last of the saturated math calls.
Rename FlashRange::{store,exec} to {stored,at_runtime} for clarity.
Remove unnecessary image validation logic in fn padded_image_len.
Don't require updating to hubtools 0.4.7. There doesn't need to be
an 'EPOC' in the caboose as it is always "0" at this step in
the release engineering flow.

Fix complementary swapped args and corresponding swapped comparison to
read correctly.

Remove vestigial epoch header check. With the decision to not use
ImageHeader.epoch, a TBD prep_image_update variant will contain
the epoch information.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants