From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=BBGX=NQ=lists.denx.de=u-boot-bounces@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,
	INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT
	autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D7195C4338F
	for <u-boot@archiver.kernel.org>; Wed, 25 Aug 2021 13:49:49 +0000 (UTC)
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 5F366610D2
	for <u-boot@archiver.kernel.org>; Wed, 25 Aug 2021 13:49:49 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 5F366610D2
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=nic.cz
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.denx.de
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 7E17D82EE0;
	Wed, 25 Aug 2021 15:48:57 +0200 (CEST)
Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=nic.cz
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (1024-bit key; secure) header.d=nic.cz header.i=@nic.cz header.b="Z04/g49e";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 1CC2A82E0A; Wed, 25 Aug 2021 15:47:42 +0200 (CEST)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 2B09E8312E
 for <u-boot@lists.denx.de>; Wed, 25 Aug 2021 15:46:38 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=nic.cz
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=marek.behun@nic.cz
Received: from dellmb.labs.office.nic.cz (unknown
 [IPv6:2001:1488:fffe:6:8747:7254:5571:3010])
 by mail.nic.cz (Postfix) with ESMTPSA id C199C140A73;
 Wed, 25 Aug 2021 15:46:37 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default;
 t=1629899197; bh=v3efYCGU7obAFLC00U+y//ZwCUgaIpDorC3UgJjpeL0=;
 h=From:To:Date;
 b=Z04/g49eAHJ7WYjy05QNjGeEmcBU1xkjOj4Asy1xzEc4J3v50v71Vz2I8AEdmJQFG
 Os097WB+t84OJFFJf1jViZPWoABGrpRttR8W1gMYDpf5GHlyR9jNJSEgHoTKEQ7Oj3
 TXJCPoubm8aNc1I8IWOdqpGFvtpqwJYL7XeTYWT0=
From: =?UTF-8?q?Marek=20Beh=C3=BAn?= <marek.behun@nic.cz>
To: Stefan Roese <sr@denx.de>
Cc: u-boot@lists.denx.de, pali@kernel.org,
 Chris Packham <judge.packham@gmail.com>, Baruch Siach <baruch@tkos.co.il>,
 Dennis Gilmore <dgilmore@redhat.com>, Mario Six <mario.six@gdsys.cc>,
 Jon Nettleton <jon@solid-run.com>,
 =?UTF-8?q?Marek=20Beh=C3=BAn?= <marek.behun@nic.cz>
Subject: [PATCH u-boot-marvell 19/29] tools: kwboot: Don't patch image header
 if signed
Date: Wed, 25 Aug 2021 15:46:24 +0200
Message-Id: <20210825134634.3959-20-marek.behun@nic.cz>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210825134634.3959-1-marek.behun@nic.cz>
References: <20210825134634.3959-1-marek.behun@nic.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de
X-Virus-Status: Clean

From: Pali Rohár <pali@kernel.org>

It is not possible to modify image with secure header due to
cryptographic signature.

Signed-off-by: Pali Rohár <pali@kernel.org>
[ refactored ]
Signed-off-by: Marek Behún <marek.behun@nic.cz>
---
 tools/kwboot.c | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/tools/kwboot.c b/tools/kwboot.c
index 031cea7550..c23357f5bc 100644
--- a/tools/kwboot.c
+++ b/tools/kwboot.c
@@ -739,6 +739,18 @@ kwboot_img_csum8(void *_data, size_t size)
 	return csum;
 }
 
+static int
+kwboot_img_is_secure(void *img)
+{
+	struct opt_hdr_v1 *ohdr;
+
+	for_each_opt_hdr_v1 (ohdr, img)
+		if (ohdr->headertype == OPT_HDR_V1_SECURE_TYPE)
+			return 1;
+
+	return 0;
+}
+
 static int
 kwboot_img_patch_hdr(void *img, size_t size)
 {
@@ -747,7 +759,9 @@ kwboot_img_patch_hdr(void *img, size_t size)
 	uint8_t csum;
 	size_t hdrsz = sizeof(*hdr);
 	int image_ver;
+	int is_secure;
 
+	is_secure = 0;
 	rc = -1;
 	hdr = img;
 
@@ -779,9 +793,16 @@ kwboot_img_patch_hdr(void *img, size_t size)
 		goto out;
 	}
 
-	if (hdr->blockid == IBR_HDR_UART_ID) {
-		rc = 0;
-		goto out;
+	is_secure = kwboot_img_is_secure(img);
+
+	if (hdr->blockid != IBR_HDR_UART_ID) {
+		if (is_secure) {
+			fprintf(stderr,
+				"Image has secure header with signature for non-UART booting\n");
+			errno = EINVAL;
+			goto out;
+		}
+		kwboot_printv("Patching image boot signature to UART\n");
 	}
 
 	hdr->blockid = IBR_HDR_UART_ID;
-- 
2.31.1