[U-Boot] [PATCH v2] SPL: Add signature verification when loading image

[U-Boot] [PATCH v2] SPL: Add signature verification when loading image

[Jun Nie]

U-boot proper signature is not verified by SPL on most platforms
even config SPL_FIT_SIGNATURE is enabled. Only fsl-layerscape
platform support secure boot in platform specific code. So
verified boot cannot be achieved if u-boot proper is loaded by
SPL.

This patch add signature verification to u-boot proper images
when loading FIT image in SPL. It is tested on Allwinner bananapi
zero board with H2+ SoC.

Signed-off-by: Jun Nie <jun.nie@linaro.org>
---
 common/image-fit.c   | 56 +++++++++++++++++++++++++++++++---------------------
 common/spl/spl_fit.c | 12 +++++++++++
 include/image.h      |  2 ++
 3 files changed, 48 insertions(+), 22 deletions(-)

diff --git a/common/image-fit.c b/common/image-fit.c
index f6e956a..4b03390 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -1068,34 +1068,14 @@ static int fit_image_check_hash(const void *fit, int noffset, const void *data,
 	return 0;
 }
 
-/**
- * fit_image_verify - verify data integrity
- * @fit: pointer to the FIT format image header
- * @image_noffset: component image node offset
- *
- * fit_image_verify() goes over component image hash nodes,
- * re-calculates each data hash and compares with the value stored in hash
- * node.
- *
- * returns:
- *     1, if all hashes are valid
- *     0, otherwise (or on error)
- */
-int fit_image_verify(const void *fit, int image_noffset)
+int fit_image_verify_with_data(const void *fit, int image_noffset,
+			       const void *data, size_t size)
 {
-	const void	*data;
-	size_t		size;
 	int		noffset = 0;
 	char		*err_msg = "";
 	int verify_all = 1;
 	int ret;
 
-	/* Get image data and data length */
-	if (fit_image_get_data(fit, image_noffset, &data, &size)) {
-		err_msg = "Can't get image data/size";
-		goto error;
-	}
-
 	/* Verify all required signatures */
 	if (IMAGE_ENABLE_VERIFY &&
 	    fit_image_verify_required_sigs(fit, image_noffset, data, size,
@@ -1153,6 +1133,38 @@ error:
 }
 
 /**
+ * fit_image_verify - verify data integrity
+ * @fit: pointer to the FIT format image header
+ * @image_noffset: component image node offset
+ *
+ * fit_image_verify() goes over component image hash nodes,
+ * re-calculates each data hash and compares with the value stored in hash
+ * node.
+ *
+ * returns:
+ *     1, if all hashes are valid
+ *     0, otherwise (or on error)
+ */
+int fit_image_verify(const void *fit, int image_noffset)
+{
+	const void	*data;
+	size_t		size;
+	int		noffset = 0;
+	char		*err_msg = "";
+
+	/* Get image data and data length */
+	if (fit_image_get_data(fit, image_noffset, &data, &size)) {
+		err_msg = "Can't get image data/size";
+		printf("error!\n%s for '%s' hash node in '%s' image node\n",
+		       err_msg, fit_get_name(fit, noffset, NULL),
+		       fit_get_name(fit, image_noffset, NULL));
+		return 0;
+	}
+
+	return fit_image_verify_with_data(fit, image_noffset, data, size);
+}
+
+/**
  * fit_all_image_verify - verify data integrity for all images
  * @fit: pointer to the FIT format image header
  *
diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c
index cc07fbc..8d382eb 100644
--- a/common/spl/spl_fit.c
+++ b/common/spl/spl_fit.c
@@ -174,6 +174,9 @@ static int spl_load_fit_image(struct spl_load_info *info, ulong sector,
 	uint8_t image_comp = -1, type = -1;
 	const void *data;
 	bool external_data = false;
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+	int ret;
+#endif
 
 	if (IS_ENABLED(CONFIG_SPL_OS_BOOT) && IS_ENABLED(CONFIG_SPL_GZIP)) {
 		if (fit_image_get_comp(fit, node, &image_comp))
@@ -252,7 +255,16 @@ static int spl_load_fit_image(struct spl_load_info *info, ulong sector,
 		image_info->entry_point = fdt_getprop_u32(fit, node, "entry");
 	}
 
+#ifdef CONFIG_SPL_FIT_SIGNATURE
+	printf("## Checking hash(es) for Image %s ...\n",
+	       fit_get_name(fit, node, NULL));
+	ret = fit_image_verify_with_data(fit, node,
+					 (const void *)load_addr, length);
+	printf("\n");
+	return !ret;
+#else
 	return 0;
+#endif
 }
 
 static int spl_fit_append_fdt(struct spl_image_info *spl_image,
diff --git a/include/image.h b/include/image.h
index 325b014..77c11f8 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1013,6 +1013,8 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
 			      const char *comment, int require_keys,
 			      const char *engine_id);
 
+int fit_image_verify_with_data(const void *fit, int image_noffset,
+			       const void *data, size_t size);
 int fit_image_verify(const void *fit, int noffset);
 int fit_config_verify(const void *fit, int conf_noffset);
 int fit_all_image_verify(const void *fit);
-- 
1.9.1

[U-Boot] [U-Boot, v2] SPL: Add signature verification when loading image

[Tom Rini]

On Tue, Feb 27, 2018 at 04:55:58PM +0800, Jun Nie wrote:

> U-boot proper signature is not verified by SPL on most platforms
> even config SPL_FIT_SIGNATURE is enabled. Only fsl-layerscape
> platform support secure boot in platform specific code. So
> verified boot cannot be achieved if u-boot proper is loaded by
> SPL.
> 
> This patch add signature verification to u-boot proper images
> when loading FIT image in SPL. It is tested on Allwinner bananapi
> zero board with H2+ SoC.
> 
> Signed-off-by: Jun Nie <jun.nie@linaro.org>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180319/f82181d1/attachment.sig>