There is no check to prevent slot 0 from being uploaded from the device to the host.
When encrypted images are used, this means the unencrypted firmware can be retrieved easily.
The commands below can be used to reproduce the issue. I tested on Zephyr revision 4b6eb55. Note that image encryption isn't actually enabled to keep the demo simple. Since slot 0 is never encrypted this will yield the same effect as with an encrypted image.
west build -p -b nrf52840dk_nrf52840 bootloader/mcuboot/boot/zephyr/ -d build-mcuboot
west build -p -b nrf52840dk_nrf52840 zephyr/samples/subsys/usb/dfu -d build-dfu -- -DCONFIG_BOOTLOADER_MCUBOOT=y -DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"bootloader/mcuboot/root-rsa-2048.pem\"
west flash -d build-mcuboot
west flash -d build-dfu
dfu-util --alt=0 -U slot0.bin # uploads slot 0 to host
Impact
There should be a check around this line: https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/usb/class/dfu/usb_dfu.c#L478. Alternatively, the developer should be warned against, or forbidden from, using USB DFU when encrypted images are used.
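As an added illustration (this is not Zephyr's usb_dfu.c and not the fix that was merged), the self-contained C model below shows the shape of the missing check: a DFU UPLOAD handler that serves whichever slot the host's alternate setting names, beside a hardened version that refuses slot 0 and STALLs the request, plus a build-time guard modelling the "forbid USB DFU when images are encrypted" alternative. The alternate-setting numbers, the slot contents and the DEMO_* macros are constructed for the example; only the DFU_UPLOAD and DFU_DNLOAD request codes come from the USB DFU 1.1 specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* USB DFU 1.1 class request codes. */
#define DFU_DNLOAD 0x01
#define DFU_UPLOAD 0x02

/* Alternate settings as used in this example: alt 0 = slot 0 (running image),
 * alt 1 = slot 1 (update staging area). Constructed, not Zephyr's definitions. */
#define DFU_ALT_SLOT0 0
#define DFU_ALT_SLOT1 1

/* Hypothetical build-time knob standing in for "image encryption is enabled".
 * Defining DEMO_FORBID_DFU_WITH_ENCRYPTION alongside it fails the build,
 * which models the "forbid USB DFU with encrypted images" option. */
#ifndef DEMO_IMAGE_ENCRYPTION
#define DEMO_IMAGE_ENCRYPTION 1
#endif
#if DEMO_IMAGE_ENCRYPTION && defined(DEMO_FORBID_DFU_WITH_ENCRYPTION)
#error "USB DFU UPLOAD would expose the decrypted slot 0 image; disable DFU"
#endif

enum dfu_status { DFU_OK = 0, DFU_STALL = -1, DFU_EINVAL = -2 };

/* Constructed slot contents: slot 0 is the plaintext running image,
 * slot 1 is the staged update (which would be the encrypted blob). */
static const uint8_t slot0_image[8] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };
static const uint8_t slot1_image[8] = { 0xa5, 0xa5, 0x5a, 0x5a, 0x10, 0x20, 0x30, 0x40 };

/* Read up to *len bytes of the selected slot at offset off; *len is set to
 * the bytes actually copied (0 signals end of image, as DFU uploads do). */
static int slot_read(uint8_t alt, uint32_t off, uint8_t *out, size_t *len)
{
    const uint8_t *img;
    size_t size;

    if (alt == DFU_ALT_SLOT0) {
        img = slot0_image; size = sizeof(slot0_image);
    } else if (alt == DFU_ALT_SLOT1) {
        img = slot1_image; size = sizeof(slot1_image);
    } else {
        return DFU_EINVAL;
    }
    if (off >= size) {
        *len = 0;
        return DFU_OK;
    }
    if (*len > size - off) {
        *len = size - off;
    }
    memcpy(out, img + off, *len);
    return DFU_OK;
}

/* Before: UPLOAD serves any slot the host's alternate setting names. */
int dfu_upload_vulnerable(uint8_t alt, uint32_t off, uint8_t *out, size_t *len)
{
    return slot_read(alt, off, out, len);
}

/* Policy: the running image in slot 0 is never readable over DFU. */
int dfu_upload_allowed(uint8_t alt)
{
    return alt != DFU_ALT_SLOT0;
}

/* After: the same handler with the missing check; a refused request is STALLed
 * and no bytes are returned. */
int dfu_upload_hardened(uint8_t alt, uint32_t off, uint8_t *out, size_t *len)
{
    if (!dfu_upload_allowed(alt)) {
        *len = 0;
        return DFU_STALL;
    }
    return slot_read(alt, off, out, len);
}

/* Class-request dispatcher: only UPLOAD is gated; DNLOAD (the actual firmware
 * update path) is left working. Staging writes are out of scope here. */
int dfu_class_request(uint8_t bRequest, uint8_t alt, uint32_t off, uint8_t *buf, size_t *len)
{
    switch (bRequest) {
    case DFU_UPLOAD:
        return dfu_upload_hardened(alt, off, buf, len);
    case DFU_DNLOAD:
        return DFU_OK;
    default:
        return DFU_STALL;
    }
}
```

The check is deliberately a deny rule on the alternate setting rather than on the request payload: the host chooses the slot through the alt setting before any UPLOAD arrives, so that is the one place where the decision can be made reliably.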
Patches
This has been fixed in:
For more information
If you have any questions or comments about this advisory:
embargo: 2022-05-09