Actually the design doc propose to use a distinct security counter from image version (ih_ver in header). But in the most simple case this security counter can be derived from the image version, to have the exact same value (ignoring the build number).

The image signature cover these continues blocks in memory: - image header - image - some part of TLV section (currently not covered, but due to multi image support it is planned to introduce a signed TLV section)

Because these are contiguous regions in the memory it is not possible to place only the (header + TLV section) to the trusted memory but miss out the image itself (at least I cannot see how to solve)

Tamas

-----Original Message----- From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Michel JAOUEN via TF-M Sent: 08 April 2019 16:20 To: tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Trusted boot - rollback protection

For the platform without hardware for NV counter, but having trusted memory It is mentioned that the support is possible as follow : "an active image and related manifest data is stored in trusted memory then the included security counter cannot be compromised."

the impact for this implementation in mcu-boot is limited to :

* The test of the version (security counter is ih_ver from mcuboot header)

* The placement of active image and related manifest data in a trusted memory. Is my understanding correct ?

As the placement of full image in a trusted memory is a constraint. Can we limit the information placed in a trusted memory to :

* image header,

* TLV sections. This seems sufficient to support anti roll back.

Of course additional impact on mcu-boot must be planned but as multi image support is also targeted , the placement of all images in a trusted memory is likely to be unachievable for all configurations.

-- TF-M mailing list TF-M@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.