[PATCH] FIT: make RSA signature verification configurable
Marc Kleine-Budde
mkl at pengutronix.de
Fri Jan 8 08:11:01 PST 2016
On 01/08/2016 02:24 PM, yegorslists at googlemail.com wrote:
> From: Yegor Yefremov <yegorslists at googlemail.com>
>
> Signed-off-by: Yegor Yefremov <yegorslists at googlemail.com>
> ---
> commands/Kconfig | 10 ++++++++++
> common/image-fit.c | 15 +++++++++++++--
> 2 files changed, 23 insertions(+), 2 deletions(-)
>
> diff --git a/commands/Kconfig b/commands/Kconfig
> index 3e4a32a..2fe37b9 100644
> --- a/commands/Kconfig
> +++ b/commands/Kconfig
> @@ -428,6 +428,16 @@ config CMD_BOOTM_FITIMAGE
> tree in the "doc/uImage.FIT" folder for more information:
> http://git.denx.de/?p=u-boot.git;a=tree;f=doc/uImage.FIT
>
> +config CMD_BOOTM_FITIMAGE_SIGNATURE
> + bool
> + prompt "Enable signature verification of FIT images"
Make signature verification mandatory.
> + depends on CMD_BOOTM_FITIMAGE
> + help
> + This option enables signature verification of FIT uImages,
> + using a hash signed and verified using RSA. If
> + CONFIG_SHA_PROG_HW_ACCEL is defined, i.e support for progressive
> + hashing is available using hardware, RSA library will use it.
> +
> config CMD_BOOTU
> tristate
> default y
> diff --git a/common/image-fit.c b/common/image-fit.c
> index 296285b..96cc3e2 100644
> --- a/common/image-fit.c
> +++ b/common/image-fit.c
> @@ -40,6 +40,7 @@
> #define CHECK_LEVEL_SIG 2
> #define CHECK_LEVEL_MAX 3
>
> +#ifdef CONFIG_CMD_BOOTM_FITIMAGE_SIGNATURE
> static uint32_t dt_struct_advance(struct fdt_header *f, uint32_t dt, int size)
remove the ifdef.
> {
> dt += size;
> @@ -342,6 +343,7 @@ static int fit_verify_signature(struct device_node *sig_node, void *fit)
> out:
> return ret;
> }
> +#endif
>
> static int fit_verify_hash(struct device_node *hash, const void *data, int data_len)
> {
> @@ -453,10 +455,13 @@ static int fit_open_image(struct fit_handle *handle, const char* unit)
>
> static int fit_open_configuration(struct fit_handle *handle, int num)
> {
> - struct device_node *conf_node = NULL, *sig_node;
> + struct device_node *conf_node = NULL;
> char unit_name[10];
> const char *unit, *desc;
> - int ret, level;
> + int level;
> +#ifdef CONFIG_CMD_BOOTM_FITIMAGE_SIGNATURE
> + struct device_node *sig_node;
> +#endif
please remove the ifdef
>
> conf_node = of_get_child_by_name(handle->root, "configurations");
> if (!conf_node)
> @@ -482,7 +487,10 @@ static int fit_open_configuration(struct fit_handle *handle, int num)
> }
>
> level = CHECK_LEVEL_MAX;
> +
> +#ifdef CONFIG_CMD_BOOTM_FITIMAGE_SIGNATURE
please replace the ifdef by
if (IS_ENABLED(CONFIG_CMD_BOOTM_FITIMAGE_SIGNATURE))
> for_each_child_of_node(conf_node, sig_node) {
> + int ret;
> if (handle->verbose)
> of_print_nodes(sig_node, 0);
> ret = fit_verify_signature(sig_node, handle->fit);
> @@ -495,6 +503,9 @@ static int fit_open_configuration(struct fit_handle *handle, int num)
>
> if (level != CHECK_LEVEL_SIG)
> return -EINVAL;
> +#else
> + level = CHECK_LEVEL_SIG;
> +#endif
>
> if (of_property_read_string(conf_node, "kernel", &unit) == 0)
> level = min(level, fit_open_image(handle, unit));
>
Marc
--
Pengutronix e.K. | Marc Kleine-Budde |
Industrial Linux Solutions | Phone: +49-231-2826-924 |
Vertretung West/Dortmund | Fax: +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://lists.infradead.org/pipermail/barebox/attachments/20160108/db82ba25/attachment.sig>
More information about the barebox
mailing list