bootutil: imgtool: Fix CI failures

For some platorms
image_validate.c: In function 'bootutil_img_validate':
image_validate.c:358:40: error: 'image_index' undeclared
(first use in this function); did you mean 'image_header'?
  358 |             key_id = bootutil_find_key(image_index, buf, len);
      |                                        ^~~~~~~~~~~

Resolve imgtool CI errors affecting certain signature verification tests.

Change the return type of boot_verify_key_id_for_image to reflect
its use as an FIH call.

Add new bootutil source files to the Zephyr and
espressif CMakeLists.txt files to fix undefined symbols.

Update FIH tests to use the latest TFM version. This also requires
updating the toolchain version to 14.2 in the Docker image.

Signed-off-by: Maulik Patel <maulik.patel@arm.com>
Change-Id: Ie75e6c533631b2696a4a41d86b64d4009fac0c54

Author: maulik-arm

boot/bootutil/include/bootutil/sign_key.h

@@ -30,6 +30,9 @@
 #ifdef MCUBOOT_IMAGE_MULTI_SIG_SUPPORT
 #include <stdbool.h>
 #endif /* MCUBOOT_IMAGE_MULTI_SIG_SUPPORT */
+#ifdef MCUBOOT_BUILTIN_KEY
+#include "bootutil/fault_injection_hardening.h"
+#endif /* MCUBOOT_BUILTIN_KEY */
 
 #ifdef __cplusplus
 extern "C" {
@@ -51,7 +54,7 @@ extern const struct bootutil_key bootutil_keys[];
  *
  * @return                   0 if the key ID is valid for the image; nonzero on failure.
  */
-int boot_verify_key_id_for_image(uint8_t image_index, uint32_t key_id);
+fih_ret boot_verify_key_id_for_image(uint8_t image_index, uint32_t key_id);
 #endif /* MCUBOOT_BUILTIN_KEY */
 #else
 struct bootutil_key {

boot/bootutil/src/bootutil_find_key.c

@@ -28,14 +28,27 @@
 
 #include <stdint.h>
 
-#include "bootutil/bootutil_log.h"
 #include "bootutil/crypto/sha.h"
 #include "bootutil/fault_injection_hardening.h"
 #include "bootutil/image.h"
 #include "bootutil/sign_key.h"
 #include "bootutil_priv.h"
 #include "mcuboot_config/mcuboot_config.h"
+#include "bootutil/bootutil_log.h"
+
+BOOT_LOG_MODULE_DECLARE(mcuboot);
+
+#if defined(MCUBOOT_SIGN_RSA)       || \
+    defined(MCUBOOT_SIGN_EC256)     || \
+    defined(MCUBOOT_SIGN_EC384)     || \
+    defined(MCUBOOT_SIGN_EC)        || \
+    defined(MCUBOOT_SIGN_ED25519)
+#define IMAGE_VALIDATION_EXPECTS_KEY
+#else
+    /* no signing, sha256 digest only */
+#endif
 
+#ifdef IMAGE_VALIDATION_EXPECTS_KEY
 #ifdef MCUBOOT_IMAGE_MULTI_SIG_SUPPORT
 #define NUM_OF_KEYS MCUBOOT_ROTPK_MAX_KEYS_PER_IMAGE
 #else
@@ -135,3 +148,4 @@ int bootutil_find_key(uint8_t image_index, uint8_t *keyhash, uint8_t keyhash_len
     return -1;
 }
 #endif
+#endif /* IMAGE_VALIDATION_EXPECTS_KEY */

boot/bootutil/src/bootutil_img_hash.c

@@ -29,12 +29,14 @@
 #include <stdint.h>
 #include <flash_map_backend/flash_map_backend.h>
 
-#include "bootutil/bootutil_log.h"
 #include "bootutil/crypto/sha.h"
 #include "bootutil/fault_injection_hardening.h"
 #include "bootutil/image.h"
 #include "bootutil_priv.h"
 #include "mcuboot_config/mcuboot_config.h"
+#include "bootutil/bootutil_log.h"
+
+BOOT_LOG_MODULE_DECLARE(mcuboot);
 
 #ifndef MCUBOOT_SIGN_PURE
 /*

boot/bootutil/src/image_validate.c

@@ -205,7 +205,7 @@ bootutil_img_validate(struct boot_loader_state *state,
                       int seed_len, uint8_t *out_hash
                      )
 {
-#if (defined(EXPECTED_KEY_TLV) && defined(MCUBOOT_HW_KEY)) || defined(MCUBOOT_HW_ROLLBACK_PROT)
+#if defined(EXPECTED_KEY_TLV) || defined(MCUBOOT_HW_ROLLBACK_PROT)
     int image_index = (state == NULL ? 0 : BOOT_CURR_IMG(state));
 #endif
     uint32_t off;

boot/espressif/CMakeLists.txt

@@ -236,6 +236,9 @@ endif()
 
 set(bootutil_srcs
     ${BOOTUTIL_DIR}/src/boot_record.c
+    ${BOOTUTIL_DIR}/src/bootutil_find_key.c
+    ${BOOTUTIL_DIR}/src/bootutil_img_hash.c
+    ${BOOTUTIL_DIR}/src/bootutil_img_security_cnt.c
     ${BOOTUTIL_DIR}/src/bootutil_misc.c
     ${BOOTUTIL_DIR}/src/bootutil_public.c
     ${BOOTUTIL_DIR}/src/caps.c

boot/zephyr/CMakeLists.txt

@@ -105,6 +105,9 @@ endif()
 # Generic bootutil sources and includes.
 zephyr_library_include_directories(${BOOT_DIR}/bootutil/include)
 zephyr_library_sources(
+  ${BOOT_DIR}/bootutil/src/bootutil_find_key.c
+  ${BOOT_DIR}/bootutil/src/bootutil_img_hash.c
+  ${BOOT_DIR}/bootutil/src/bootutil_img_security_cnt.c
   ${BOOT_DIR}/bootutil/src/image_validate.c
   ${BOOT_DIR}/bootutil/src/tlv.c
   ${BOOT_DIR}/bootutil/src/encrypted.c

ci/fih-tests_run.sh

@@ -17,13 +17,14 @@
 set -e
 
 source $(dirname "$0")/fih-tests_version.sh
+TFM_TAG="958b54427156e66480489e53df6de085d62aef3a"
 
 # Note that we are pulling from a github mirror of these repos, not direct upstream.  If the sha
 # checked out below changes, the mirrors might need to be updated.
 pushd ..
 git clone https://github.com/mcu-tools/trusted-firmware-m
 pushd trusted-firmware-m
-git checkout eb8ff0db7d657b77abcd0262d5bf7f38eb1e1cdc
+git checkout $TFM_TAG
 source lib/ext/tf-m-tests/version.txt
 popd
 git clone https://github.com/mcu-tools/tf-m-tests.git

ci/fih_test_docker/execute_test.sh

@@ -16,13 +16,63 @@
 
 set -e
 
+# Function to update/install native GCC inside the Docker container
+update_native_gcc() {
+    REQUIRED_MAJOR=12
+    INSTALLED_MAJOR=$(gcc -dumpversion | cut -d. -f1 || echo 0)
+
+    if [[ "$INSTALLED_MAJOR" -lt "$REQUIRED_MAJOR" ]]; then
+        echo "Installing native GCC $REQUIRED_MAJOR..."
+        apt-get update
+        apt-get install -y --no-install-recommends gcc-$REQUIRED_MAJOR g++-$REQUIRED_MAJOR \
+            cpp-$REQUIRED_MAJOR libgcc-$REQUIRED_MAJOR-dev libstdc++-$REQUIRED_MAJOR-dev
+        update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-$REQUIRED_MAJOR 60
+        update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-$REQUIRED_MAJOR 60
+        rm -rf /var/lib/apt/lists/*
+    else
+        echo "Native GCC is already version $INSTALLED_MAJOR; skipping installation."
+    fi
+}
+
+# Function to update/install ARM Embedded GCC inside the Docker container
+update_cross_gcc() {
+    ARM_GCC_URL="https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-x86_64-arm-none-eabi.tar.xz"
+    TOOLCHAIN_DIR="/opt/arm-gcc"
+
+    # Install prerequisites
+    echo "Installing prerequisites for ARM toolchain..."
+    apt-get update
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        curl libncurses5 xz-utils file
+    rm -rf /var/lib/apt/lists/*
+
+    # Download and extract
+    echo "Downloading and extracting ARM Embedded GCC..."
+    mkdir -p "$TOOLCHAIN_DIR"
+    curl -SLf "$ARM_GCC_URL" -o /tmp/arm-gcc.tar.xz
+    tar -xJf /tmp/arm-gcc.tar.xz -C "$TOOLCHAIN_DIR" --strip-components=1
+    rm -f /tmp/arm-gcc.tar.xz
+
+    # Symlink into PATH
+    echo "Symlinking ARM toolchain into /usr/local/bin..."
+    ln -sf "$TOOLCHAIN_DIR/bin/"* /usr/local/bin/
+}
+
+# Ensure we have the proper compiler before running tests
+update_native_gcc
+update_cross_gcc
+
 source $(dirname "$0")/paths.sh
 
 SKIP_SIZE=$1
 BUILD_TYPE=$2
 DAMAGE_TYPE=$3
 FIH_LEVEL=$4
 
+# Required for git am to apply patches under TF-M
+git config --global user.email "docker@fih-test.com"
+git config --global user.name "fih-test docker"
+
 if test -z "$FIH_LEVEL"; then
     # Use the default level
     CMAKE_FIH_LEVEL=""

scripts/imgtool/image.py

@@ -870,7 +870,12 @@ def verify(imgfile, key):
         # Locate the first TLV info header
         tlv_off = header_size + img_size
         tlv_info = b[tlv_off:tlv_off + TLV_INFO_SIZE]
-        magic, tlv_tot = struct.unpack('HH', tlv_info)
+        if len(tlv_info) < TLV_INFO_SIZE:
+            # no protected block present, jump straight to unprotected
+            magic = TLV_INFO_MAGIC
+            tlv_tot = len(b) - tlv_off
+        else:
+            magic, tlv_tot = struct.unpack('HH', tlv_info)
 
         # If it's the protected-TLV block, skip it
         if magic == TLV_PROT_INFO_MAGIC:
@@ -893,8 +898,12 @@ def verify(imgfile, key):
         is_pure = False
         scan_off = unprot_off
         while scan_off < unprot_end:
-            tlv = b[scan_off:scan_off + TLV_SIZE]
-            tlv_type, _, tlv_len = struct.unpack('BBH', tlv)
+            # if fewer than TLV_SIZE bytes remain, break
+            if scan_off + TLV_SIZE > len(b):
+                break
+            tlv_hdr = b[scan_off:scan_off + TLV_SIZE]
+            tlv_type, _, tlv_len = struct.unpack('BBH', tlv_hdr)
+
             if tlv_type == TLV_VALUES['SIG_PURE']:
                 is_pure = True
                 break
@@ -910,8 +919,11 @@ def verify(imgfile, key):
 
         # Verify hash and signatures
         while scan_off < unprot_end:
-            tlv = b[scan_off:scan_off + TLV_SIZE]
-            tlv_type, _, tlv_len = struct.unpack('BBH', tlv)
+            # stop if not enough bytes for another TLV header
+            if scan_off + TLV_SIZE > len(b):
+                break
+            tlv_hdr = b[scan_off:scan_off + TLV_SIZE]
+            tlv_type, _, tlv_len = struct.unpack('BBH', tlv_hdr)
             if is_sha_tlv(tlv_type):
                 if not tlv_matches_key_type(tlv_type, key[0]):
                     return VerifyResult.KEY_MISMATCH, None, None, None

scripts/imgtool/main.py

@@ -576,9 +576,12 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
         compression_tlvs["DECOMP_SHA"] = img.image_hash
         compression_tlvs_size = len(compression_tlvs["DECOMP_SIZE"])
         compression_tlvs_size += len(compression_tlvs["DECOMP_SHA"])
-        if img.get_signature():
-            compression_tlvs["DECOMP_SIGNATURE"] = img.get_signature()
-            compression_tlvs_size += len(compression_tlvs["DECOMP_SIGNATURE"])
+        sigs = img.get_signature()
+        if sigs:
+            sig = sigs[0] if isinstance(sigs, list) else sigs
+            compression_tlvs["DECOMP_SIGNATURE"] = sig
+            compression_tlvs_size += len(sig)
+
         if (compressed_size + compression_tlvs_size) < uncompressed_size:
             compression_header = create_lzma2_header(
                 dictsize = comp_default_dictsize, pb = comp_default_pb,
@@ -588,7 +591,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
             keep_comp_size = False;
             if enckey:
                 keep_comp_size = True
-            compressed_img.create(key, public_key_format, enckey,
+            compressed_img.create(loaded_keys, public_key_format, enckey,
                dependencies, boot_record, custom_tlvs, compression_tlvs,
                compression, int(encrypt_keylen), clear, baked_signature,
                pub_key, vector_to_sign, user_sha=user_sha, hmac_sha=hmac_sha,