
SPL: Add signature verification when loading image

The signature of u-boot proper is not verified by SPL on most
platforms, even when config SPL_FIT_SIGNATURE is enabled. Only the
fsl-layerscape platform supports secure boot, in platform-specific
code. So verified boot cannot be achieved if u-boot proper is
loaded by SPL.

This patch add signature verification to u-boot proper images
when loading FIT image in SPL. It is tested on Allwinner bananapi
zero board with H2+ SoC.

Signed-off-by: Jun Nie <jun.nie@linaro.org>
Jun Nie
2018-02-27 16:55:58 +08:00
committed by Tom Rini
parent 50905b55c7
commit 5c643db4cc
3 changed files with 48 additions and 22 deletions


@@ -1068,34 +1068,14 @@ static int fit_image_check_hash(const void *fit, int noffset, const void *data,
return 0;
}
/**
* fit_image_verify - verify data integrity
* @fit: pointer to the FIT format image header
* @image_noffset: component image node offset
*
* fit_image_verify() goes over component image hash nodes,
* re-calculates each data hash and compares with the value stored in hash
* node.
*
* returns:
* 1, if all hashes are valid
* 0, otherwise (or on error)
*/
int fit_image_verify(const void *fit, int image_noffset)
int fit_image_verify_with_data(const void *fit, int image_noffset,
const void *data, size_t size)
{
const void *data;
size_t size;
int noffset = 0;
char *err_msg = "";
int verify_all = 1;
int ret;
/* Get image data and data length */
if (fit_image_get_data(fit, image_noffset, &data, &size)) {
err_msg = "Can't get image data/size";
goto error;
}
/* Verify all required signatures */
if (IMAGE_ENABLE_VERIFY &&
fit_image_verify_required_sigs(fit, image_noffset, data, size,
@@ -1152,6 +1132,38 @@ error:
return 0;
}
/**
* fit_image_verify - verify data integrity
* @fit: pointer to the FIT format image header
* @image_noffset: component image node offset
*
* fit_image_verify() goes over component image hash nodes,
* re-calculates each data hash and compares with the value stored in hash
* node.
*
* returns:
* 1, if all hashes are valid
* 0, otherwise (or on error)
*/
int fit_image_verify(const void *fit, int image_noffset)
{
const void *data;
size_t size;
int noffset = 0;
char *err_msg = "";
/* Get image data and data length */
if (fit_image_get_data(fit, image_noffset, &data, &size)) {
err_msg = "Can't get image data/size";
printf("error!\n%s for '%s' hash node in '%s' image node\n",
err_msg, fit_get_name(fit, noffset, NULL),
fit_get_name(fit, image_noffset, NULL));
return 0;
}
return fit_image_verify_with_data(fit, image_noffset, data, size);
}
/**
* fit_all_image_verify - verify data integrity for all images
* @fit: pointer to the FIT format image header
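Review bot: fit_image_verify_with_data() is now a non-static entry point that checks hashes and required signatures over a caller-supplied `data`/`size`, but as far as the rendered hunks show, the kernel-doc block moved down to fit_image_verify() and the new function is left without one. I would add a kernel-doc comment above it stating that `data` and `size` must describe the exact buffer the caller will go on to use or execute (not a second copy re-read from storage), and that the result is 1 only when every check passes and 0 otherwise, which the caller must treat as a load failure. Separately, in the new fit_image_verify() error path `noffset` is always 0, so `fit_get_name(fit, noffset, NULL)` names the root node rather than a hash node; printing only the image node, e.g. `printf("error!\nCan't get image data/size for '%s' image node\n", fit_get_name(fit, image_noffset, NULL));`, would be accurate and lets `noffset` and `err_msg` be dropped. The body of fit_image_verify_with_data() continues outside the first hunk, so the rest of its checks were not reviewed here.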