MCU bootloader CRC Check Option leads to security breach


1,770 Views
didierjeanjean
Contributor III

Hello,

One question about the MCU bootloader on MCUXpresso V11.01 and KinetisFlashTools.

As I can see in the picture below, it is possible for the MCU bootloader to launch an application without checking the CRC.

pastedImage_3.jpg

I verified the code in the MCU bootloader and it is true that it is possible to launch an application whose CRC is not checked!

This seems to me a breach of security, because I can throw in anything, even if the tag "kcfg" is necessary to disable the CRC check.

My main question is that I don't understand the utility of disabling the CRC check.

Thanks in advance and best regards from France

Didier JEANJEAN

0 Kudos
4 Replies

1,603 Views
jingpan
NXP TechSupport

Hi Didier,

MCUBoot doesn't check the CRC when downloading. It will check the CRC before jumping into the application. You can see its call stack:

get_active_peripheral() -> is_application_ready_for_executing() -> is_application_crc_check_pass()

If the CRC check fails, the bootloader won't jump into the application.

BTW, please make sure that BL_FEATURE_CRC_CHECK is defined as 1.

Regards,

Jing

0 Kudos

1,603 Views
didierjeanjean
Contributor III

Hello Jing,

I totally agree with what you are saying,

except for the fact that you miss the possibility in the code of not checking the CRC before jumping to the application.

See the following code details inside the MCU bootloader code.

If you look in the function "is_application_crc_check_pass()",

you will see that:

{
    bool isCrcCheckPassed = true;

    ...

    if (kStatus_AppCrcCheckInvalid != propertyStore->crcCheckStatus) // based on BCA information
    {
        // Check CRC...
    }

    return isCrcCheckPassed;
}

That means:

if (kStatus_AppCrcCheckInvalid == propertyStore->crcCheckStatus)

the function returns true without checking the CRC.

And it is bad, VERY BAD; it would be better to return "false" to avoid jumping to an application whose CRC is not checked.

For me this must be corrected by NXP by putting "bool isCrcCheckPassed = false;" at the beginning of the function.

I made the correction in my own bootloader code.

AND THE QUESTION IS STILL HERE: IS IT A BUG OF NXP, OR DOES THIS HAVE A UTILITY THAT I DON'T UNDERSTAND?

Best regards from France

Didier 

0 Kudos

1,603 Views
jingpan
NXP TechSupport

Hi,

As you know, the application can enable the CRC check or not. If users think they don't need the CRC check, they can ignore the kcfg area in the application.

The bootloader will check if the CRC area is valid before the CRC check. If it is not valid, propertyStore->crcCheckStatus = kStatus_AppCrcCheckInvalid. Then the CRC check will be skipped.

I think this is up to the customer. The source is open to the customer. If they think this is not reliable, they can enable CRC. Or they can add new checking features.

Regards,

Jing

0 Kudos

1,602 Views
didierjeanjean
Contributor III

Hello,

I finally found the reason why the possibility of not checking the CRC is useful.

It is useful when we use an SWD debugger to debug the application with the MCU bootloader installed.

Because the SWD probe modifies code without modifying the CRC, the CRC check must be disabled for development

and enabled for real use.

Best regards from France

0 Kudos
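The decision the thread argues about (a flag initialised to true, so an image with no usable CRC info in the BCA is accepted unchecked) and Didier's proposed fix (initialise it to false) are easy to compare side by side. The C below is an added illustration written for this page, not NXP's bootloader source: the `struct bca` layout, the function names, the `allow_unchecked` switch and the use of IEEE CRC-32 are all assumptions made for the example. It models the fail-open logic quoted above, the fail-closed variant, and a development-only switch that covers the SWD debugging use case from the last post without leaving the unchecked path in a production build.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical subset of the bootloader configuration area (BCA). The real
 * layout is not reproduced here; only the fields the decision needs. */
struct bca {
    char     tag[4];            /* "kcfg" marks a populated BCA */
    uint32_t crc_start;         /* offset of the protected range in the image */
    uint32_t crc_byte_count;    /* length of the protected range */
    uint32_t crc_expected;      /* CRC the image was built with */
};

/* CRC-32 (reflected, polynomial 0xEDB88320, IEEE 802.3). Chosen for
 * illustration; the real bootloader's CRC variant may differ. */
uint32_t crc32_ieee(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Mirrors the pre-check Jing describes: is there usable CRC info in the BCA?
 * Returning false here is what sets kStatus_AppCrcCheckInvalid in the thread. */
bool bca_has_valid_crc_info(const struct bca *cfg, size_t image_len) {
    if (memcmp(cfg->tag, "kcfg", 4) != 0) return false;
    if (cfg->crc_byte_count == 0) return false;
    if (cfg->crc_start > image_len || cfg->crc_byte_count > image_len - cfg->crc_start)
        return false;
    return true;
}

/* Fail-open: the shape of the logic quoted in the thread. The flag starts
 * true, so an image with no valid CRC info is accepted unchecked. */
bool crc_check_pass_fail_open(const uint8_t *image, size_t len, const struct bca *cfg) {
    bool passed = true;
    if (bca_has_valid_crc_info(cfg, len)) {
        passed = crc32_ieee(image + cfg->crc_start, cfg->crc_byte_count) == cfg->crc_expected;
    }
    return passed;
}

/* Fail-closed: the change Didier proposes (flag starts false). allow_unchecked
 * is a hypothetical build-time switch for the SWD debugging case from the last
 * post, so the unchecked path exists only where a developer deliberately enables it. */
bool crc_check_pass_fail_closed(const uint8_t *image, size_t len, const struct bca *cfg,
                                bool allow_unchecked) {
    bool passed = false;
    if (bca_has_valid_crc_info(cfg, len)) {
        passed = crc32_ieee(image + cfg->crc_start, cfg->crc_byte_count) == cfg->crc_expected;
    } else if (allow_unchecked) {
        passed = true;   /* development-only escape hatch, explicit and auditable */
    }
    return passed;
}

/* Builds a BCA that correctly describes the given image range. */
struct bca make_bca(const uint8_t *image, uint32_t start, uint32_t count) {
    struct bca cfg;
    memcpy(cfg.tag, "kcfg", 4);
    cfg.crc_start = start;
    cfg.crc_byte_count = count;
    cfg.crc_expected = crc32_ieee(image + start, count);
    return cfg;
}

int main(void) {
    /* Constructed sample image: 32 bytes standing in for application code. */
    uint8_t image[32];
    for (size_t i = 0; i < sizeof image; i++) image[i] = (uint8_t)(i * 7 + 3);

    struct bca good = make_bca(image, 0, sizeof image);
    struct bca no_tag = good;
    memcpy(no_tag.tag, "xxxx", 4);          /* BCA without usable CRC info */

    printf("valid BCA, intact image : open=%d closed=%d\n",
           crc_check_pass_fail_open(image, sizeof image, &good),
           crc_check_pass_fail_closed(image, sizeof image, &good, false));
    printf("no CRC info             : open=%d closed=%d closed+debug=%d\n",
           crc_check_pass_fail_open(image, sizeof image, &no_tag),
           crc_check_pass_fail_closed(image, sizeof image, &no_tag, false),
           crc_check_pass_fail_closed(image, sizeof image, &no_tag, true));

    image[5] ^= 0x80;                       /* corrupt one byte of the image */
    printf("valid BCA, corrupt image: open=%d closed=%d\n",
           crc_check_pass_fail_open(image, sizeof image, &good),
           crc_check_pass_fail_closed(image, sizeof image, &good, false));
    return 0;
}
```

The middle case is the one the thread turns on: with no CRC info the fail-open version returns 1 and the fail-closed version returns 0 unless the debug switch is set. Tying that switch to a build configuration rather than to data found in flash keeps the SWD workflow working while making the unchecked path impossible to reach in a release image.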