[nrf noup] zephyr: Add basic UUID checks implementation

Provide an implementation for MCUboot UUID checks that specify a single,
common vendor identifier and a unique class identifier for each image.

Ref: NCSDK-34175

Signed-off-by: Tomasz Chyrowicz <[email protected]>

Author: tomchy

boot/zephyr/CMakeLists.txt

@@ -51,6 +51,9 @@ if(CONFIG_BOOT_USE_NRF_CC310_BL)
   endif()
 endif()
 
+# Include the UUID generation code
+add_subdirectory(uuid)
+
 zephyr_library_include_directories(
   include
   )

boot/zephyr/Kconfig

@@ -1125,6 +1125,8 @@ config MCUBOOT_UUID_CID
 	  Provide an image class identification scheme to prevent processing
 	  images for a different CPU or device produced by the same vendor.
 
+rsource "uuid/Kconfig"
+
 config BOOT_WATCHDOG_FEED
 	bool "Feed the watchdog while doing swap"
 	default y if WATCHDOG

boot/zephyr/uuid/CMakeLists.txt

@@ -0,0 +1,71 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+if(CONFIG_NCS_MCUBOOT_UUID_SINGLE_VID)
+  if(CONFIG_MCUBOOT_UUID_VID OR CONFIG_MCUBOOT_UUID_CID)
+    zephyr_library_sources(
+      uuid.c
+      )
+  endif()
+
+  # Generate VID value and raw value definition
+  if(CONFIG_MCUBOOT_UUID_VID OR CONFIG_MCUBOOT_UUID_CID)
+    if("${CONFIG_NCS_MCUBOOT_UUID_VID_VALUE}" STREQUAL "" AND CONFIG_MCUBOOT_UUID_VID)
+        message(FATAL_ERROR "VID value not set")
+    endif()
+
+    string(REGEX MATCHALL "^([0-9A-F][0-9A-F]|\-)+$" match_parts "${CONFIG_NCS_MCUBOOT_UUID_VID_VALUE}")
+    if("${match_parts}" STREQUAL "${CONFIG_NCS_MCUBOOT_UUID_VID_VALUE}")
+      set(UUID_VID ${match_parts})
+    else()
+      set(UUID_DNS_NAMESPACE 6ba7b810-9dad-11d1-80b4-00c04fd430c8)
+      string(
+        UUID UUID_VID
+        NAMESPACE ${UUID_DNS_NAMESPACE}
+        NAME ${CONFIG_NCS_MCUBOOT_UUID_VID_VALUE}
+        TYPE SHA1 UPPER
+      )
+    endif()
+
+    if(CONFIG_MCUBOOT_UUID_VID)
+      # Convert UUID into C array.
+      string(REGEX REPLACE "([0-9A-F][0-9A-F])\-?" "0x\\1, " UUID_VID_RAW "${UUID_VID}")
+      zephyr_compile_definitions(NCS_MCUBOOT_UUID_VID_VALUE=${UUID_VID_RAW})
+    endif()
+  endif()
+
+  # Generate VID value(s) and raw value definition(s)
+  if(CONFIG_MCUBOOT_UUID_CID)
+    set(MCUBOOT_IMAGES_COUNT ${CONFIG_UPDATEABLE_IMAGE_NUMBER})
+    foreach(image_id RANGE ${MCUBOOT_IMAGES_COUNT})
+      if(CONFIG_NCS_MCUBOOT_UUID_CID_IMAGE_${image_id})
+        if("${CONFIG_NCS_MCUBOOT_UUID_CID_IMAGE_${image_id}_VALUE}" STREQUAL "")
+          message(FATAL_ERROR "CID value not set for image ${image_id}")
+        endif()
+
+        # Check if RAW UUID format is used
+        string(REGEX MATCHALL "^([0-9A-F][0-9A-F]|\-)+$" match_parts "${CONFIG_NCS_MCUBOOT_UUID_CID_IMAGE_${image_id}_VALUE}")
+        if("${match_parts}" STREQUAL "${CONFIG_NCS_MCUBOOT_UUID_CID_IMAGE_${image_id}_VALUE}")
+          set(UUID_CID_IMAGE_${image_id} ${match_parts})
+        elseif(NOT "${UUID_VID}" STREQUAL "")
+          # If not - generate UUID based on VID and CID values
+          string(
+            UUID UUID_CID_IMAGE_${image_id}
+            NAMESPACE ${UUID_VID}
+            NAME ${CONFIG_NCS_MCUBOOT_UUID_CID_IMAGE_${image_id}_VALUE}
+            TYPE SHA1 UPPER
+          )
+        else()
+          message(FATAL_ERROR "VID value not set, cannot generate CID for image ${image_id}")
+        endif()
+
+        # Convert UUID into C array.
+        string(REGEX REPLACE "([0-9A-F][0-9A-F])\-?" "0x\\1, " UUID_CID_IMAGE_${image_id}_RAW "${UUID_CID_IMAGE_${image_id}}")
+        zephyr_compile_definitions(NCS_MCUBOOT_UUID_CID_IMAGE_${image_id}_VALUE=${UUID_CID_IMAGE_${image_id}_RAW})
+      endif()
+    endforeach()
+  endif()
+endif()

boot/zephyr/uuid/Kconfig

@@ -0,0 +1,55 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+if MCUBOOT && (MCUBOOT_UUID_VID || MCUBOOT_UUID_CID)
+
+menu "Vendor and image Class UUIDs"
+
+choice NCS_MCUBOOT_UUID_IMPLEMENTATION
+	prompt "UUID checks implementation"
+	default NCS_MCUBOOT_UUID_SINGLE_VID
+
+config NCS_MCUBOOT_UUID_SINGLE_VID
+	bool "Single VID and one CID per image"
+	help
+	  This implementation allows to specify a single, common Vendor UUID
+	  (VID) for all images and a unique Class UUID (CID) for each image.
+
+endchoice # NCS_MCUBOOT_UUID_IMPLEMENTATION
+
+if NCS_MCUBOOT_UUID_SINGLE_VID
+
+config NCS_MCUBOOT_UUID_VID_VALUE
+	string "Vendor name"
+	default ""
+	help
+	  The vendor unique identifier.
+	  The following formats are supported:
+	   - Domain name (i.e. amce.corp) used to generate RFC 9562 UUID5
+	     identifier.
+	   - Raw UUID (i.e. 12345678-1234-5678-1234-567812345678)
+	   - Raw HEX UUID (i.e. 12345678123456781234567812345678)
+
+if MCUBOOT_UUID_CID
+
+image=0
+rsource "Kconfig.uuid.template"
+image=1
+rsource "Kconfig.uuid.template"
+image=2
+rsource "Kconfig.uuid.template"
+image=3
+rsource "Kconfig.uuid.template"
+image=4
+rsource "Kconfig.uuid.template"
+
+endif # MCUBOOT_UUID_CID
+
+endif # NCS_MCUBOOT_UUID_SINGLE_VID
+
+endmenu
+
+endif # BOOTLOADER_MCUBOOT && (MCUBOOT_UUID_VID || MCUBOOT_UUID_CID)

boot/zephyr/uuid/Kconfig.uuid.template

@@ -0,0 +1,29 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+if UPDATEABLE_IMAGE_NUMBER > $(image)
+
+config NCS_MCUBOOT_UUID_CID_IMAGE_$(image)_VALUE
+	string "Image class name (image $(image))"
+	default ""
+	help
+	  The image class unique identifier.
+	  The following formats are supported:
+	   - Image class name (i.e. nRF5340_door_lock_btperipheral).
+	     This format requires NCS_MCUBOOT_UUID_VID_VALUE to be defined
+	     as the VID UUID is used as the namespace for generating RFC 9562
+	     UUID5 identifier.
+	   - Raw UUID (i.e. 12345678-1234-5678-1234-567812345678)
+	   - Raw HEX UUID (i.e. 12345678123456781234567812345678)
+
+config NCS_MCUBOOT_UUID_CID_IMAGE_$(image)
+	bool
+	default y
+	depends on NCS_MCUBOOT_UUID_CID_IMAGE_$(image)_VALUE != ""
+	help
+	  Helper symbol to simplify the active CId list generation.
+
+endif # UPDATEABLE_IMAGE_NUMBER > $(image)

boot/zephyr/uuid/uuid.c

@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 2018 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <bootutil/mcuboot_uuid.h>
+
+#define IMAGE_ID_COUNT CONFIG_UPDATEABLE_IMAGE_NUMBER
+#define CID_INIT(index, label) \
+	static const struct image_uuid label = {{ \
+		NCS_MCUBOOT_UUID_CID_IMAGE_## index ##_VALUE \
+	}}
+#define CID_CONFIG(index) UTIL_CAT(CONFIG_NCS_MCUBOOT_UUID_CID_IMAGE_, index)
+#define CID_DEFINE(index, prefix) \
+	IF_ENABLED(CID_CONFIG(index), (CID_INIT(index, prefix##index)))
+
+#define CID_CONDITION(index, label) \
+	if (image_id == index) { \
+		*uuid_cid = &label; \
+		FIH_RET(FIH_SUCCESS); \
+	}
+#define CID_CHECK(index, prefix) \
+	IF_ENABLED(CID_CONFIG(index), (CID_CONDITION(index, prefix##index)))
+
+static fih_ret boot_uuid_compare(const struct image_uuid *uuid1, const struct image_uuid *uuid2)
+{
+	return fih_ret_encode_zero_equality(memcmp(uuid1->raw, uuid2->raw,
+					    ARRAY_SIZE(uuid1->raw)));
+}
+
+#ifdef CONFIG_MCUBOOT_UUID_CID
+LISTIFY(IMAGE_ID_COUNT, CID_DEFINE, (;), uuid_cid_image_);
+
+static fih_ret boot_uuid_cid_get(uint32_t image_id, const struct image_uuid **uuid_cid)
+{
+	if (uuid_cid != NULL) {
+		LISTIFY(IMAGE_ID_COUNT, CID_CHECK, (), uuid_cid_image_)
+	}
+
+	FIH_RET(FIH_FAILURE);
+}
+#endif /* CONFIG_MCUBOOT_UUID_CID */
+
+fih_ret boot_uuid_init(void)
+{
+	FIH_RET(FIH_SUCCESS);
+}
+
+#ifdef CONFIG_MCUBOOT_UUID_VID
+fih_ret boot_uuid_vid_match(uint32_t image_id, const struct image_uuid *uuid_vid)
+{
+	const struct image_uuid uuid_vid_c = {{
+		NCS_MCUBOOT_UUID_VID_VALUE
+	}};
+
+	return boot_uuid_compare(uuid_vid, &uuid_vid_c);
+}
+#endif /* CONFIG_MCUBOOT_UUID_VID */
+
+#ifdef CONFIG_MCUBOOT_UUID_CID
+fih_ret boot_uuid_cid_match(uint32_t image_id, const struct image_uuid *uuid_cid)
+{
+	FIH_DECLARE(ret_code, FIH_FAILURE);
+	const struct image_uuid *exp_uuid_cid = NULL;
+
+	FIH_CALL(boot_uuid_cid_get, ret_code, image_id, &exp_uuid_cid);
+	if (FIH_NOT_EQ(ret_code, FIH_SUCCESS) && FIH_NOT_EQ(ret_code, FIH_FAILURE)) {
+		FIH_RET(FIH_FAILURE);
+	}
+
+	return boot_uuid_compare(uuid_cid, exp_uuid_cid);
+}
+#endif /* CONFIG_MCUBOOT_UUID_CID */