Prevent downgrade attacks by default, unless compiled with

danielinux · danielinux · commit 27a306b7f550 · 2019-02-15T15:16:07.000+01:00
ALLOW_DOWNGRADE=1
diff --git a/Makefile b/Makefile
@@ -16,6 +16,7 @@ SWAP?=1
 CORTEX_M0?=0
 NO_ASM=0
 EXT_FLASH=0
+ALLOW_DOWNGRADE=0
 
 LSCRIPT:=hal/$(TARGET).ld
 
@@ -79,6 +80,10 @@ ifeq ($(EXT_FLASH),1)
   CFLAGS+=-DEXT_FLASH=1 -DPART_UPDATE_EXT=1 -DPART_SWAP_EXT=1
 endif
 
+ifeq ($(ALLOW_DOWNGRADE),1)
+  CFLAGS+=-DALLOW_DOWNGRADE
+endif
+
 
 ifeq ($(SIGN),ED25519)
   OBJS+= ./lib/wolfssl/wolfcrypt/src/sha512.o \
diff --git a/src/loader.c b/src/loader.c
@@ -82,14 +82,18 @@ static int wolfBoot_update(void)
     /* Check the first sector to detect interrupted update */
     if ((wolfBoot_get_sector_flag(PART_UPDATE, 0, &flag) < 0) || (flag == SECT_FLAG_NEW))
     {
-        /* In case this is a new update, check 
-         * integrity/authenticity of the firmware update 
+        /* In case this is a new update, do the required 
+         * checks on the firmware update 
          * before starting the swap
          */
         if (!update.hdr_ok || (wolfBoot_verify_integrity(&update) < 0)  
                 || (wolfBoot_verify_authenticity(&update) < 0)) {
             return -1;
         }
+#ifndef ALLOW_DOWNGRADE
+        if (wolfBoot_update_firmware_version() <= wolfBoot_current_firmware_version())
+            return -1;
+#endif
     }
 
     hal_flash_unlock();
