bootloader: Add support for IronSide counters

Add an implementation of HW rollback prevention, based on the IronSide
secure counters service.

Ref: NCSDK-36295

Signed-off-by: Tomasz Chyrwicz <[email protected]>

Author: tomchy

subsys/CMakeLists.txt

@@ -10,6 +10,7 @@ add_subdirectory_ifdef(CONFIG_IS_SECURE_BOOTLOADER bootloader)
 add_subdirectory_ifdef(CONFIG_SECURE_BOOT_CRYPTO bootloader/bl_crypto)
 add_subdirectory_ifdef(CONFIG_SECURE_BOOT_VALIDATION bootloader/bl_validation)
 add_subdirectory_ifdef(CONFIG_SECURE_BOOT_STORAGE bootloader/bl_storage)
+add_subdirectory_ifdef(CONFIG_NRF_MCUBOOT_IRONSIDE_COUNTERS bootloader/ironside_counters)
 
 add_subdirectory_ifdef(CONFIG_NRF_SECURITY nrf_security)
 add_subdirectory_ifdef(CONFIG_TRUSTED_STORAGE trusted_storage)

subsys/bootloader/Kconfig

@@ -188,4 +188,6 @@ config NCS_MCUBOOT_BOOTLOADER_SIGN_MERGED_BINARY
 	help
 	  This is a Kconfig which is informative only, the value should not be changed.
 
+rsource "ironside_counters/Kconfig"
+
 endmenu

subsys/bootloader/ironside_counters/CMakeLists.txt

@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+if(CONFIG_NRF_MCUBOOT_IRONSIDE_COUNTERS)
+  zephyr_library()
+  zephyr_library_sources(ironside_counters.c)
+endif()

subsys/bootloader/ironside_counters/Kconfig

@@ -0,0 +1,13 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+config NRF_MCUBOOT_IRONSIDE_COUNTERS
+	bool "Use IRonSide counters for MCUBoot hardware downgrade prevention"
+	depends on MCUBOOT_HW_DOWNGRADE_PREVENTION && NRF_IRONSIDE_COUNTER_SERVICE
+	imply MCUBOOT_HW_DOWNGRADE_PREVENTION_LOCK
+	help
+	  Use IronSide SE hardware counters to prevent rollback of firmware images
+	  in MCUBoot bootloader.

subsys/bootloader/ironside_counters/ironside_counters.c

@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+/**
+ * @file
+ * @brief MCUBoot IronSide security counters implementation.
+ */
+
+#include <stdint.h>
+#include <nrf_ironside/counter.h>
+#include "bootutil/fault_injection_hardening.h"
+#include "bootutil/bootutil_public.h"
+
+#define IRONSIDE_COUNTER_READ_RETRIES 3
+
+fih_int boot_nv_security_counter_init(void)
+{
+	return FIH_SUCCESS;
+}
+
+fih_int boot_nv_security_counter_get(uint32_t image_id, fih_int *security_cnt)
+{
+	uint32_t cur_sec_cnt[IRONSIDE_COUNTER_READ_RETRIES];
+	size_t i;
+	int err;
+
+	if (security_cnt == NULL) {
+		FIH_RET(FIH_FAILURE);
+	}
+
+	if (image_id > IRONSIDE_COUNTER_MAX) {
+		FIH_RET(FIH_FAILURE);
+	}
+
+	/* Since the IronSide service is not protected against fault injection,
+	 * read the counter multiple times and compare the results.
+	 */
+	for (i = 0; i < IRONSIDE_COUNTER_READ_RETRIES; i++) {
+		err = ironside_counter_get(image_id, &cur_sec_cnt[i]);
+		if (err != 0) {
+			FIH_RET(FIH_FAILURE);
+		}
+	}
+
+	for (i = 1; i < IRONSIDE_COUNTER_READ_RETRIES; i++) {
+		if (cur_sec_cnt[0] != cur_sec_cnt[i]) {
+			FIH_RET(FIH_FAILURE);
+		}
+	}
+
+	if (cur_sec_cnt[0] != IRONSIDE_COUNTER_MAX_VALUE) {
+		*security_cnt = fih_int_encode(cur_sec_cnt[0]);
+		FIH_RET(FIH_SUCCESS);
+	}
+
+	FIH_RET(FIH_FAILURE);
+}
+
+int32_t boot_nv_security_counter_update(uint32_t image_id, uint32_t img_security_cnt)
+{
+	int err;
+
+	if ((img_security_cnt > IRONSIDE_COUNTER_MAX_VALUE) || (image_id > IRONSIDE_COUNTER_MAX)) {
+		return -BOOT_EBADARGS;
+	}
+
+	err = ironside_counter_set(image_id, img_security_cnt);
+
+	return err == 0 ? 0 : -BOOT_EBADSTATUS;
+}
+
+fih_int boot_nv_security_counter_is_update_possible(uint32_t image_id, uint32_t img_security_cnt)
+{
+	fih_int security_cnt;
+	fih_int fih_err;
+
+	FIH_CALL(boot_nv_security_counter_get, fih_err, image_id, &security_cnt);
+	if (FIH_NOT_EQ(fih_err, FIH_SUCCESS)) {
+		FIH_RET(FIH_FAILURE);
+	}
+
+        if (fih_int_decode(security_cnt) == IRONSIDE_COUNTER_MAX_VALUE) {
+                FIH_RET(FIH_FAILURE);
+        }
+
+        if (fih_int_decode(security_cnt) <= img_security_cnt) {
+		FIH_RET(FIH_SUCCESS);
+	}
+
+        FIH_RET(FIH_FAILURE);
+}
+
+int32_t boot_nv_security_counter_lock(uint32_t image_id)
+{
+        int err;
+
+        if (image_id > IRONSIDE_COUNTER_MAX) {
+                return -BOOT_EBADARGS;
+        }
+
+        err = ironside_counter_lock(image_id);
+
+        return err == 0 ? 0 : -BOOT_EBADSTATUS;
+}