From 816a0da0fd9bd9735e225b1502a704614627b947 Mon Sep 17 00:00:00 2001
From: Konstantin Kondrashov <konstantin@espressif.com>
Date: Sat, 29 Jun 2024 15:48:51 +0300
Subject: [PATCH] feat(bootloader): Adds bootloader anti rollback configs

---
 .../bootloader/Kconfig.bootloader_rollback    | 25 +++++++++++++++++++
 components/bootloader/Kconfig.projbuild       |  1 +
 .../esp_bootloader_desc.c                     |  5 ++++
 .../include/esp_bootloader_desc.h             |  3 ++-
 .../system/bootloader_image_format.rst        |  1 +
 5 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 components/bootloader/Kconfig.bootloader_rollback

diff --git a/components/bootloader/Kconfig.bootloader_rollback b/components/bootloader/Kconfig.bootloader_rollback
new file mode 100644
index 0000000000..f8c74dae15
--- /dev/null
+++ b/components/bootloader/Kconfig.bootloader_rollback
@@ -0,0 +1,25 @@
+menu "Bootloader Rollback"
+
+    config BOOTLOADER_ANTI_ROLLBACK_ENABLE
+        bool "Enable bootloader rollback support"
+        depends on SOC_RECOVERY_BOOTLOADER_SUPPORTED
+        default n
+        help
+            This option prevents rollback to previous bootloader image with lower security version.
+
+    config BOOTLOADER_SECURE_VERSION
+        int "Secure version of bootloader"
+        depends on BOOTLOADER_ANTI_ROLLBACK_ENABLE
+        default 0
+        range 0 4
+        help
+            The secure version is the sequence number stored in the header of each bootloader.
+
+            The ROM Bootloader which runs the 2nd stage bootloader (PRIMARY or RECOVERY) checks that
+            the security version is greater or equal that recorded in the eFuse field.
+            Bootloaders that have a secure version in the image < secure version in efuse will not boot.
+
+            The security version is worth increasing if in previous versions there is
+            a significant vulnerability and their use is not acceptable.
+
+endmenu
diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index bd9aba5b70..c11c7b95a4 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -2,6 +2,7 @@ menu "Bootloader config"
 
     orsource "../esp_bootloader_format/Kconfig.bootloader"
     orsource "Kconfig.app_rollback"
+    orsource "Kconfig.bootloader_rollback"
 
     config BOOTLOADER_OFFSET_IN_FLASH
         hex
diff --git a/components/esp_bootloader_format/esp_bootloader_desc.c b/components/esp_bootloader_format/esp_bootloader_desc.c
index fdcc2049ba..6c4c3caa94 100644
--- a/components/esp_bootloader_format/esp_bootloader_desc.c
+++ b/components/esp_bootloader_format/esp_bootloader_desc.c
@@ -17,6 +17,11 @@ __attribute__((weak))
 const esp_bootloader_desc_t esp_bootloader_desc = {
     .magic_byte = ESP_BOOTLOADER_DESC_MAGIC_BYTE,
     .reserved = { 0 },
+#if CONFIG_BOOTLOADER_ANTI_ROLLBACK_ENABLE
+    .secure_version = CONFIG_BOOTLOADER_SECURE_VERSION,
+#else
+    .secure_version = 0,
+#endif // CONFIG_BOOTLOADER_ANTI_ROLLBACK_ENABLE
     .version = CONFIG_BOOTLOADER_PROJECT_VER,
     .idf_ver = IDF_VER,
 #ifdef CONFIG_BOOTLOADER_COMPILE_TIME_DATE
diff --git a/components/esp_bootloader_format/include/esp_bootloader_desc.h b/components/esp_bootloader_format/include/esp_bootloader_desc.h
index 868fb9c735..5bee2f4d0a 100644
--- a/components/esp_bootloader_format/include/esp_bootloader_desc.h
+++ b/components/esp_bootloader_format/include/esp_bootloader_desc.h
@@ -24,7 +24,8 @@ extern "C"
  */
 typedef struct {
     uint8_t magic_byte;         /*!< Magic byte ESP_BOOTLOADER_DESC_MAGIC_BYTE */
-    uint8_t reserved[3];        /*!< reserved for IDF */
+    uint8_t reserved[2];        /*!< reserved for IDF */
+    uint8_t secure_version;     /*!< The version used by bootloader anti-rollback feature */
     uint32_t version;           /*!< Bootloader version */
     char idf_ver[32];           /*!< Version IDF */
     char date_time[24];         /*!< Compile date and time*/
diff --git a/docs/en/api-reference/system/bootloader_image_format.rst b/docs/en/api-reference/system/bootloader_image_format.rst
index 1937c81839..98710de96f 100644
--- a/docs/en/api-reference/system/bootloader_image_format.rst
+++ b/docs/en/api-reference/system/bootloader_image_format.rst
@@ -64,6 +64,7 @@ The ``DRAM0`` segment of the bootloader binary starts with the :cpp:type:`esp_bo
 
  * ``magic_byte``: the magic byte for the esp_bootloader_desc structure
  * ``reserved``: reserved for the future IDF use
+ * ``secure_version``: the secure version used by the bootloader anti-rollback feature, see :ref:`CONFIG_BOOTLOADER_ANTI_ROLLBACK_ENABLE`.
  * ``version``: bootloader version, see :ref:`CONFIG_BOOTLOADER_PROJECT_VER`
  * ``idf_ver``: ESP-IDF version. [#f1]_
  * ``date`` and ``time``: compile date and time