From f17e4f1b76dd10bcf464dbc718073284e61d16fa Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Mon, 25 Sep 2023 13:38:15 +0000 Subject: [PATCH] modules/MCUboot: Add new Kconfig indicating downgrade prevention Add the MCUBOOT_BOOTLOADER_NO_DOWNGRADE Kconfig option that allows, when paired with MCUboot mode Kconfig, to indicate that the MCUboot has been configured with downgrade prevention, which means that only application with version higher than running can be swapped on next boot. Signed-off-by: Dominik Ermel --- modules/Kconfig.mcuboot | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/modules/Kconfig.mcuboot b/modules/Kconfig.mcuboot index 5f83098a577..ab1dd44fbd5 100644 --- a/modules/Kconfig.mcuboot +++ b/modules/Kconfig.mcuboot @@ -116,7 +116,7 @@ config MCUBOOT_EXTRA_IMGTOOL_ARGS help When signing (CONFIG_MCUBOOT_SIGNATURE_KEY_FILE is a non-empty string) you can use this option to pass extra options to - imgtool. For example, you could set this to "--version 1.2". + imgtool. For example, you could set this to "--version 1.2". config MCUBOOT_GENERATE_UNSIGNED_IMAGE bool "Generate unsigned binary image bootable with MCUboot" @@ -136,6 +136,8 @@ config MCUBOOT_GENERATE_CONFIRMED_IMAGE The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN and CONFIG_BUILD_OUTPUT_HEX. +menu "On board MCUboot operation mode" + choice MCUBOOT_BOOTLOADER_MODE prompt "Application assumed MCUboot mode of operation" default MCUBOOT_BOOTLOADER_MODE_SWAP_WITHOUT_SCRATCH # MCUBOOT_BOOTLOADER_MODE 
@@ -154,31 +156,43 @@ config MCUBOOT_BOOTLOADER_MODE_SINGLE_APP config MCUBOOT_BOOTLOADER_MODE_SWAP_WITHOUT_SCRATCH bool "MCUboot has been configured for swap without scratch operation" + select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE help MCUboot expects slot0_partition and slot1_partition to be present in DT and application will boot from slot0_partition. + MCUBOOT_BOOTLOADER_NO_DOWNGRADE should also be selected + if MCUboot has been built with MCUBOOT_DOWNGRADE_PREVENTION. config MCUBOOT_BOOTLOADER_MODE_SWAP_SCRATCH bool "MCUboot has been configured for swap using scratch operation" + select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE help MCUboot expects slot0_partition, slot1_partition and scratch_partition to be present in DT, and application will boot from slot0_partition. In this mode scratch_partition is used as temporary storage when MCUboot swaps application from the secondary slot to the primary slot. + MCUBOOT_BOOTLOADER_NO_DOWNGRADE should also be selected + if MCUboot has been built with MCUBOOT_DOWNGRADE_PREVENTION. config MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP bool "MCUboot has been configured for DirectXIP operation" + select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE + select MCUBOOT_BOOTLOADER_NO_DOWNGRADE help MCUboot expects slot0_partition and slot1_partition to exist in DT. In this mode MCUboot can boot from either partition and will select one with higher application image version, which usually means major.minor.patch triple, unless BOOT_VERSION_CMP_USE_BUILD_NUMBER is also selected that enables comparison of build number. + This option automatically selectes + MCUBOOT_BOOTLOADER_NO_DOWNGRADE as it is not possible + to swap back to older version of application. config MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT bool "MCUboot has been configured for DirectXIP with revert" select MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP + select MCUBOOT_BOOTLOADER_NO_DOWNGRADE help MCUboot expects slot0_partition and slot1_partition to exist in DT. 
In this mode MCUboot will boot the application with the higher version @@ -190,9 +204,30 @@ config MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT This mode does not allow freely switching between application versions, as, once higher version application is approved, it is not possible to select lower version for boot. + This mode selects MCUBOOT_BOOTLOADER_NO_DOWNGRADE as it is not possible + to downgrade running application, but note that MCUboot may do that + if application with higher version will not get confirmed. endchoice # MCUBOOT_BOOTLOADER_MODE +config MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE + bool + help + Selected mode supports downgrade prevention, where you cannot switch to + an application with lower version than the currently running application. + +if MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE +config MCUBOOT_BOOTLOADER_NO_DOWNGRADE + bool "MCUboot mode has downgrade prevention enabled" + help + Selected MCUboot mode has downgrade prevention enabled, where you are not + able to change back to image with lower version number. + This options should be selected when MCUboot has been built with + MCUBOOT_DOWNGRADE_PREVENTION option enabled. +endif + +endmenu # On board MCUboot operation mode + endif # BOOTLOADER_MCUBOOT menuconfig MCUBOOT_BOOTUTIL_LIB
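Review bot: In the `MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT` entry the new `select MCUBOOT_BOOTLOADER_NO_DOWNGRADE` is not paired with `select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE`, unlike the plain DirectXIP entry just above it. The last hunk defines `MCUBOOT_BOOTLOADER_NO_DOWNGRADE` inside `if MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE`, so this select forces the symbol on while its dependency is off. Kconfig normally reports that as an unmet direct dependency, and depending on how the build treats Kconfig warnings it may fail configuration. Adding `select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE` ahead of it would keep the modes consistent. The added help text in the DirectXIP entry also has a typo, `selectes`.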
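Review bot: The help text of `MCUBOOT_BOOTLOADER_NO_DOWNGRADE` does not say that the symbol is only a declaration made on the application side, and that it neither enables nor verifies downgrade prevention in the bootloader. For the two swap modes it is off unless set by hand, so a mismatch with the MCUboot actually installed would leave application code assuming rollback protection that is absent, or the reverse. I would add a sentence such as `This option does not enable downgrade prevention in MCUboot; it must match the configuration of the bootloader installed on the device.` and correct `This options should be selected` to `This option should be selected`. It may also be worth repeating here the caveat from the DirectXIP-with-revert help text, that an unconfirmed higher-version image can still be reverted, so the symbol is not a strict anti-rollback guarantee in that mode.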