[RESEND PATCH v2 0/6] net: fm: Verify Fman microcode

[RESEND PATCH v2 0/6] net: fm: Verify Fman microcode

[Sean Anderson]

Surprisingly, Fman microcode does not seem to be verified. This series
aims to rectify this by introducing an optional FIT wrapper. This
wrapper is made mandatory if FIT_SIGNATURE is enabled. NXP boards do not
use this config, so the microcode will remain unverified for them. This
is OK, since we do not want to break existing systems.

This series depends on [1]. There is no logical dependency, but they
modify adjacent #includes, so the past patch will not apply cleanly
unless that series is applied.

[1] https://lore.kernel.org/u-boot/20220422173032.2259019-1-sean.anderson@seco.com/

Changes in v2:
- Document helpers
- Split off Fman microcode verification patches into their own series
- Split helper refactoring into a patch adding the helpers and one patch
  per subsystem.

Sean Anderson (6):
  ARMv8/sec_firmware: Remove SEC_FIRMWARE_FIT_CNF_NAME
  image: fit: Add some helpers for getting data
  ARMv8/sec_firmware: Convert to use fit_get_data_conf_prop
  cmd: fpga: Convert to use fit_get_data_node
  net: Convert fit verification to use fit_get_data_*
  net: fm: Add support for FIT firmware

 arch/arm/cpu/armv8/sec_firmware.c  | 52 ++--------------------
 boot/image-fit.c                   | 37 ++++++++++++++++
 cmd/fpga.c                         | 24 +++-------
 drivers/net/fm/fm.c                | 18 ++++++++
 drivers/net/fsl-mc/mc.c            | 30 ++-----------
 drivers/net/pfe_eth/pfe_firmware.c | 40 +----------------
 include/image.h                    | 70 ++++++++++++++++++++++++++++++
 7 files changed, 139 insertions(+), 132 deletions(-)

-- 
2.35.1.1320.gc452695387.dirty

[RESEND PATCH v2 1/6] ARMv8/sec_firmware: Remove SEC_FIRMWARE_FIT_CNF_NAME

[Sean Anderson]

The config to use for FIT images can be better specified by enabling
CONFIG_MULTI_DTB_FIT and implementing board_fit_config_name_match.

Signed-off-by: Sean Anderson <sean.anderson@seco.com>
---

(no changes since v1)

 arch/arm/cpu/armv8/sec_firmware.c | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/arch/arm/cpu/armv8/sec_firmware.c b/arch/arm/cpu/armv8/sec_firmware.c
index 7e6e4064ffe..bbd3f2dca25 100644
--- a/arch/arm/cpu/armv8/sec_firmware.c
+++ b/arch/arm/cpu/armv8/sec_firmware.c
@@ -36,9 +36,6 @@ phys_addr_t sec_firmware_addr;
 #ifndef SEC_FIRMWARE_FIT_IMAGE
 #define SEC_FIRMWARE_FIT_IMAGE		"firmware"
 #endif
-#ifndef SEC_FIRMWARE_FIT_CNF_NAME
-#define SEC_FIRMWARE_FIT_CNF_NAME	"config-1"
-#endif
 #ifndef SEC_FIRMWARE_TARGET_EL
 #define SEC_FIRMWARE_TARGET_EL		2
 #endif
@@ -47,15 +44,12 @@ static int sec_firmware_get_data(const void *sec_firmware_img,
 				const void **data, size_t *size)
 {
 	int conf_node_off, fw_node_off;
-	char *conf_node_name = NULL;
 	char *desc;
 	int ret;
 
-	conf_node_name = SEC_FIRMWARE_FIT_CNF_NAME;
-
-	conf_node_off = fit_conf_get_node(sec_firmware_img, conf_node_name);
+	conf_node_off = fit_conf_get_node(sec_firmware_img, NULL);
 	if (conf_node_off < 0) {
-		printf("SEC Firmware: %s: no such config\n", conf_node_name);
+		puts("SEC Firmware: no config\n");
 		return -ENOENT;
 	}
 
@@ -124,18 +118,15 @@ static int sec_firmware_check_copy_loadable(const void *sec_firmware_img,
 {
 	phys_addr_t sec_firmware_loadable_addr = 0;
 	int conf_node_off, ld_node_off, images;
-	char *conf_node_name = NULL;
 	const void *data;
 	size_t size;
 	ulong load;
 	const char *name, *str, *type;
 	int len;
 
-	conf_node_name = SEC_FIRMWARE_FIT_CNF_NAME;
-
-	conf_node_off = fit_conf_get_node(sec_firmware_img, conf_node_name);
+	conf_node_off = fit_conf_get_node(sec_firmware_img, NULL);
 	if (conf_node_off < 0) {
-		printf("SEC Firmware: %s: no such config\n", conf_node_name);
+		puts("SEC Firmware: no config\n");
 		return -ENOENT;
 	}
 
-- 
2.35.1.1320.gc452695387.dirty

[RESEND PATCH v2 2/6] image: fit: Add some helpers for getting data

[Sean Anderson]

Several different firmware users have repetitive code to extract the
firmware data from a FIT. Add some helper functions to reduce the amount
of repetition. fit_conf_get_prop_node (eventually) calls
fdt_check_node_offset_, so we can avoid an explicit if. In general, this
version avoids printing on error because the callers are typically
library functions, and because the FIT code generally has (debug)
prints of its own. One difference in these helpers is that they use
fit_image_get_data_and_size instead of fit_image_get_data, as the former
handles external data correctly.

Signed-off-by: Sean Anderson <sean.anderson@seco.com>
---

Changes in v2:
- Document helpers

 boot/image-fit.c | 37 +++++++++++++++++++++++++
 include/image.h  | 70 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 107 insertions(+)

diff --git a/boot/image-fit.c b/boot/image-fit.c
index df3e5df8836..9c04ff78a15 100644
--- a/boot/image-fit.c
+++ b/boot/image-fit.c
@@ -1917,6 +1917,43 @@ int fit_conf_get_prop_node(const void *fit, int noffset,
 	return fit_conf_get_prop_node_index(fit, noffset, prop_name, 0);
 }
 
+static int fit_get_data_tail(const void *fit, int noffset,
+			     const void **data, size_t *size)
+{
+	char *desc;
+
+	if (noffset < 0)
+		return noffset;
+
+	if (!fit_image_verify(fit, noffset))
+		return -EINVAL;
+
+	if (fit_image_get_data_and_size(fit, noffset, data, size))
+		return -ENOENT;
+
+	if (!fit_get_desc(fit, noffset, &desc))
+		printf("%s\n", desc);
+
+	return 0;
+}
+
+int fit_get_data_node(const void *fit, const char *image_uname,
+		      const void **data, size_t *size)
+{
+	int noffset = fit_image_get_node(fit, image_uname);
+
+	return fit_get_data_tail(fit, noffset, data, size);
+}
+
+int fit_get_data_conf_prop(const void *fit, const char *prop_name,
+			   const void **data, size_t *size)
+{
+	int noffset = fit_conf_get_node(fit, NULL);
+
+	noffset = fit_conf_get_prop_node(fit, noffset, prop_name);
+	return fit_get_data_tail(fit, noffset, data, size);
+}
+
 static int fit_image_select(const void *fit, int rd_noffset, int verify)
 {
 	fit_image_print(fit, rd_noffset, "   ");
diff --git a/include/image.h b/include/image.h
index e4c6a50b885..d7d756c6453 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1014,6 +1014,76 @@ int fit_image_get_data_size_unciphered(const void *fit, int noffset,
 int fit_image_get_data_and_size(const void *fit, int noffset,
 				const void **data, size_t *size);
 
+/**
+ * fit_get_data_node() - Get verified image data for an image
+ * @fit: Pointer to the FIT format image header
+ * @image_uname: The name of the image node
+ * @data: A pointer which will be filled with the location of the image data
+ * @size: A pointer which will be filled with the size of the image data
+ *
+ * This function looks up the location and size of an image specified by its
+ * name. For example, if you had a FIT like::
+ *
+ *     images {
+ *         my-firmware {
+ *             ...
+ *	   };
+ *      };
+ *
+ * Then you could look up the data location and size of the my-firmware image
+ * by calling this function with @image_uname set to "my-firmware". This
+ * function also verifies the image data (if enabled) before returning. The
+ * image description is printed out on success. @data and @size will not be
+ * modified on faulure.
+ *
+ * Return:
+ * * 0 on success
+ * * -EINVAL if the image could not be verified
+ * * -ENOENT if there was a problem getting the data/size
+ * * Another negative error if there was a problem looking up the image node.
+ */
+int fit_get_data_node(const void *fit, const char *image_uname,
+		      const void **data, size_t *size);
+
+/**
+ * fit_get_data_conf_prop() - Get verified image data for a property in /conf
+ * @fit: Pointer to the FIT format image header
+ * @prop_name: The name of the property in /conf referencing the image
+ * @data: A pointer which will be filled with the location of the image data
+ * @size: A pointer which will be filled with the size of the image data
+ *
+ * This function looks up the location and size of an image specified by a
+ * property in /conf. For example, if you had a FIT like::
+ *
+ *     images {
+ *         my-firmware {
+ *             ...
+ *	   };
+ *      };
+ *
+ *      configurations {
+ *          default = "conf-1";
+ *          conf-1 {
+ *              some-firmware = "my-firmware";
+ *          };
+ *      };
+ *
+ * Then you could look up the data location and size of the my-firmware image
+ * by calling this function with @prop_name set to "some-firmware". This
+ * function also verifies the image data (if enabled) before returning. The
+ * image description is printed out on success. @data and @size will not be
+ * modified on faulure.
+ *
+ * Return:
+ * * 0 on success
+ * * -EINVAL if the image could not be verified
+ * * -ENOENT if there was a problem getting the data/size
+ * * Another negative error if there was a problem looking up the configuration
+ *   or image node.
+ */
+int fit_get_data_conf_prop(const void *fit, const char *prop_name,
+			   const void **data, size_t *size);
+
 int fit_image_hash_get_algo(const void *fit, int noffset, const char **algo);
 int fit_image_hash_get_value(const void *fit, int noffset, uint8_t **value,
 				int *value_len);
-- 
2.35.1.1320.gc452695387.dirty

[RESEND PATCH v2 3/6] ARMv8/sec_firmware: Convert to use fit_get_data_conf_prop

[Sean Anderson]

This reduces sec_firmware_get_data to a single call to
fit_get_data_conf_prop. I think sec_firmware_check_copy_loadable could also
be converted, but it does not map as straightforwardly, so I have left it
for a future cleanup.

Signed-off-by: Sean Anderson <sean.anderson@seco.com>
---

Changes in v2:
- New

 arch/arm/cpu/armv8/sec_firmware.c | 39 ++-----------------------------
 1 file changed, 2 insertions(+), 37 deletions(-)

diff --git a/arch/arm/cpu/armv8/sec_firmware.c b/arch/arm/cpu/armv8/sec_firmware.c
index bbd3f2dca25..540436ba028 100644
--- a/arch/arm/cpu/armv8/sec_firmware.c
+++ b/arch/arm/cpu/armv8/sec_firmware.c
@@ -43,43 +43,8 @@ phys_addr_t sec_firmware_addr;
 static int sec_firmware_get_data(const void *sec_firmware_img,
 				const void **data, size_t *size)
 {
-	int conf_node_off, fw_node_off;
-	char *desc;
-	int ret;
-
-	conf_node_off = fit_conf_get_node(sec_firmware_img, NULL);
-	if (conf_node_off < 0) {
-		puts("SEC Firmware: no config\n");
-		return -ENOENT;
-	}
-
-	fw_node_off = fit_conf_get_prop_node(sec_firmware_img, conf_node_off,
-			SEC_FIRMWARE_FIT_IMAGE);
-	if (fw_node_off < 0) {
-		printf("SEC Firmware: No '%s' in config\n",
-		       SEC_FIRMWARE_FIT_IMAGE);
-		return -ENOLINK;
-	}
-
-	/* Verify secure firmware image */
-	if (!(fit_image_verify(sec_firmware_img, fw_node_off))) {
-		printf("SEC Firmware: Bad firmware image (bad CRC)\n");
-		return -EINVAL;
-	}
-
-	if (fit_image_get_data(sec_firmware_img, fw_node_off, data, size)) {
-		printf("SEC Firmware: Can't get %s subimage data/size",
-		       SEC_FIRMWARE_FIT_IMAGE);
-		return -ENOENT;
-	}
-
-	ret = fit_get_desc(sec_firmware_img, fw_node_off, &desc);
-	if (ret)
-		printf("SEC Firmware: Can't get description\n");
-	else
-		printf("%s\n", desc);
-
-	return ret;
+	return fit_get_data_conf_prop(sec_firmware_img, SEC_FIRMWARE_FIT_IMAGE,
+				      data, size);
 }
 
 /*
-- 
2.35.1.1320.gc452695387.dirty

[RESEND PATCH v2 4/6] cmd: fpga: Convert to use fit_get_data_node

[Sean Anderson]

This converts the FIT loading process of the fpga command to use
fit_get_data_node.

Signed-off-by: Sean Anderson <sean.anderson@seco.com>
---

Changes in v2:
- New

 cmd/fpga.c | 24 ++++++------------------
 1 file changed, 6 insertions(+), 18 deletions(-)

diff --git a/cmd/fpga.c b/cmd/fpga.c
index c4651dd403e..9cf7651d8c5 100644
--- a/cmd/fpga.c
+++ b/cmd/fpga.c
@@ -322,7 +322,7 @@ static int do_fpga_loadmk(struct cmd_tbl *cmdtp, int flag, int argc,
 	case IMAGE_FORMAT_FIT:
 	{
 		const void *fit_hdr = (const void *)fpga_data;
-		int noffset;
+		int err;
 		const void *fit_data;
 
 		if (!fit_uname) {
@@ -335,23 +335,11 @@ static int do_fpga_loadmk(struct cmd_tbl *cmdtp, int flag, int argc,
 			return CMD_RET_FAILURE;
 		}
 
-		/* get fpga component image node offset */
-		noffset = fit_image_get_node(fit_hdr, fit_uname);
-		if (noffset < 0) {
-			printf("Can't find '%s' FIT subimage\n", fit_uname);
-			return CMD_RET_FAILURE;
-		}
-
-		/* verify integrity */
-		if (!fit_image_verify(fit_hdr, noffset)) {
-			puts("Bad Data Hash\n");
-			return CMD_RET_FAILURE;
-		}
-
-		/* get fpga subimage/external data address and length */
-		if (fit_image_get_data_and_size(fit_hdr, noffset,
-					       &fit_data, &data_size)) {
-			puts("Fpga subimage data not found\n");
+		err = fit_get_data_node(fit_hdr, fit_uname, &fit_data,
+					&data_size);
+		if (err) {
+			printf("Could not load '%s' subimage (err %d)\n",
+			       fit_uname, err);
 			return CMD_RET_FAILURE;
 		}
 
-- 
2.35.1.1320.gc452695387.dirty

[RESEND PATCH v2 5/6] net: Convert fit verification to use fit_get_data_*

[Sean Anderson]

Several ethernet drivers load firmware from FIT images. Convert them to
use the fit_get_data helpers.

Signed-off-by: Sean Anderson <sean.anderson@seco.com>
---

Changes in v2:
- New

 drivers/net/fsl-mc/mc.c            | 30 +++-------------------
 drivers/net/pfe_eth/pfe_firmware.c | 40 +-----------------------------
 2 files changed, 4 insertions(+), 66 deletions(-)

diff --git a/drivers/net/fsl-mc/mc.c b/drivers/net/fsl-mc/mc.c
index bc1c31d4675..68833f9ddd9 100644
--- a/drivers/net/fsl-mc/mc.c
+++ b/drivers/net/fsl-mc/mc.c
@@ -137,13 +137,7 @@ int parse_mc_firmware_fit_image(u64 mc_fw_addr,
 				size_t *raw_image_size)
 {
 	int format;
-	void *fit_hdr;
-	int node_offset;
-	const void *data;
-	size_t size;
-	const char *uname = "firmware";
-
-	fit_hdr = (void *)mc_fw_addr;
+	void *fit_hdr = (void *)mc_fw_addr;
 
 	/* Check if Image is in FIT format */
 	format = genimg_get_format(fit_hdr);
@@ -158,26 +152,8 @@ int parse_mc_firmware_fit_image(u64 mc_fw_addr,
 		return -EINVAL;
 	}
 
-	node_offset = fit_image_get_node(fit_hdr, uname);
-
-	if (node_offset < 0) {
-		printf("fsl-mc: ERR: Bad firmware image (missing subimage)\n");
-		return -ENOENT;
-	}
-
-	/* Verify MC firmware image */
-	if (!(fit_image_verify(fit_hdr, node_offset))) {
-		printf("fsl-mc: ERR: Bad firmware image (bad CRC)\n");
-		return -EINVAL;
-	}
-
-	/* Get address and size of raw image */
-	fit_image_get_data(fit_hdr, node_offset, &data, &size);
-
-	*raw_image_addr = data;
-	*raw_image_size = size;
-
-	return 0;
+	return fit_get_data_node(fit_hdr, "firmware", raw_image_addr,
+				 raw_image_size);
 }
 #endif
 
diff --git a/drivers/net/pfe_eth/pfe_firmware.c b/drivers/net/pfe_eth/pfe_firmware.c
index 82a4aa89a4d..da4f2ca42a5 100644
--- a/drivers/net/pfe_eth/pfe_firmware.c
+++ b/drivers/net/pfe_eth/pfe_firmware.c
@@ -104,45 +104,7 @@ err:
 static int pfe_get_fw(const void **data,
 		      size_t *size, char *fw_name)
 {
-	int conf_node_off, fw_node_off;
-	char *conf_node_name = NULL;
-	char *desc;
-	int ret = 0;
-
-	conf_node_name = PFE_FIRMWARE_FIT_CNF_NAME;
-
-	conf_node_off = fit_conf_get_node(pfe_fit_addr, conf_node_name);
-	if (conf_node_off < 0) {
-		printf("PFE Firmware: %s: no such config\n", conf_node_name);
-		return -ENOENT;
-	}
-
-	fw_node_off = fit_conf_get_prop_node(pfe_fit_addr, conf_node_off,
-					     fw_name);
-	if (fw_node_off < 0) {
-		printf("PFE Firmware: No '%s' in config\n",
-		       fw_name);
-		return -ENOLINK;
-	}
-
-	if (!(fit_image_verify(pfe_fit_addr, fw_node_off))) {
-		printf("PFE Firmware: Bad firmware image (bad CRC)\n");
-		return -EINVAL;
-	}
-
-	if (fit_image_get_data(pfe_fit_addr, fw_node_off, data, size)) {
-		printf("PFE Firmware: Can't get %s subimage data/size",
-		       fw_name);
-		return -ENOENT;
-	}
-
-	ret = fit_get_desc(pfe_fit_addr, fw_node_off, &desc);
-	if (ret)
-		printf("PFE Firmware: Can't get description\n");
-	else
-		printf("%s\n", desc);
-
-	return ret;
+	return fit_get_data_conf_prop(pfe_fit_addr, fw_name, data, size);
 }
 
 /*
-- 
2.35.1.1320.gc452695387.dirty

[RESEND PATCH v2 6/6] net: fm: Add support for FIT firmware

[Sean Anderson]

Fman microcode is executable code (AFAICT) loaded into a
coprocessor. As such, if verified boot is enabled, it must be verified
like other executable code. However, this is not currently done.

This commit adds verified boot functionality by encapsulating the
microcode in a FIT, which can then be signed/verified as normal. By
default we allow fallback to unencapsulated firmware, but if
CONFIG_FIT_SIGNATURE is enabled, then we make it mandatory. Because
existing Layerscape do not use this config (instead enabling
CONFIG_CHAIN_OF_TRUST), this should not break any existing boards.

An example (mildly-abbreviated) its is provided below:

/ {
    #address-cells = <1>;

    images {
        firmware {
            data = /incbin/(/path/to/firmware);
            type = "firmware";
            arch = "arm64";
            compression = "none";
	    signature {
                algo = "sha256,rsa2048";
                key-name-hint = "your key name";
            };
        };
    };

    configurations {
        default = "conf";
        conf {
            description = "Load FMAN microcode";
            fman = "firmware";
        };
    };
};

Signed-off-by: Sean Anderson <sean.anderson@seco.com>
---

(no changes since v1)

 drivers/net/fm/fm.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/drivers/net/fm/fm.c b/drivers/net/fm/fm.c
index 4f5d51251e5..894a5e29fa4 100644
--- a/drivers/net/fm/fm.c
+++ b/drivers/net/fm/fm.c
@@ -6,6 +6,7 @@
 #include <common.h>
 #include <env.h>
 #include <fs_loader.h>
+#include <image.h>
 #include <malloc.h>
 #include <asm/io.h>
 #include <dm/device_compat.h>
@@ -537,6 +538,23 @@ int fm_init_common(int index, struct ccsr_fman *reg, const char *firmware_name)
 	void *addr = NULL;
 #endif
 
+	rc = fit_check_format(addr, CONFIG_SYS_QE_FMAN_FW_LENGTH);
+	if (!rc) {
+		size_t unused;
+		const void *new_addr;
+
+		rc = fit_get_data_conf_prop(addr, "fman", &new_addr, &unused);
+		if (rc)
+			return rc;
+		addr = (void *)new_addr;
+	} else if (CONFIG_IS_ENABLED(FIT_SIGNATURE)) {
+		/*
+		 * Using a (signed) FIT wrapper is mandatory if we are
+		 * doing verified boot.
+		 */
+		return rc;
+	}
+
 	/* Upload the Fman microcode if it's present */
 	rc = fman_upload_firmware(index, &reg->fm_imem, addr);
 	if (rc)
-- 
2.35.1.1320.gc452695387.dirty

Re: [RESEND PATCH v2 4/6] cmd: fpga: Convert to use fit_get_data_node

[Simon Glass]

On Tue, 16 Aug 2022 at 09:16, Sean Anderson <sean.anderson@seco.com> wrote:
>
> This converts the FIT loading process of the fpga command to use

s/This converts/Convert/

> fit_get_data_node.
>
> Signed-off-by: Sean Anderson <sean.anderson@seco.com>
> ---
>
> Changes in v2:
> - New
>
>  cmd/fpga.c | 24 ++++++------------------
>  1 file changed, 6 insertions(+), 18 deletions(-)

Reviewed-by: Simon Glass <sjg@chromium.org>


>
> diff --git a/cmd/fpga.c b/cmd/fpga.c
> index c4651dd403e..9cf7651d8c5 100644
> --- a/cmd/fpga.c
> +++ b/cmd/fpga.c
> @@ -322,7 +322,7 @@ static int do_fpga_loadmk(struct cmd_tbl *cmdtp, int flag, int argc,
>         case IMAGE_FORMAT_FIT:
>         {
>                 const void *fit_hdr = (const void *)fpga_data;
> -               int noffset;
> +               int err;
>                 const void *fit_data;
>
>                 if (!fit_uname) {
> @@ -335,23 +335,11 @@ static int do_fpga_loadmk(struct cmd_tbl *cmdtp, int flag, int argc,
>                         return CMD_RET_FAILURE;
>                 }
>
> -               /* get fpga component image node offset */
> -               noffset = fit_image_get_node(fit_hdr, fit_uname);
> -               if (noffset < 0) {
> -                       printf("Can't find '%s' FIT subimage\n", fit_uname);
> -                       return CMD_RET_FAILURE;
> -               }
> -
> -               /* verify integrity */
> -               if (!fit_image_verify(fit_hdr, noffset)) {
> -                       puts("Bad Data Hash\n");
> -                       return CMD_RET_FAILURE;
> -               }
> -
> -               /* get fpga subimage/external data address and length */
> -               if (fit_image_get_data_and_size(fit_hdr, noffset,
> -                                              &fit_data, &data_size)) {
> -                       puts("Fpga subimage data not found\n");
> +               err = fit_get_data_node(fit_hdr, fit_uname, &fit_data,
> +                                       &data_size);
> +               if (err) {
> +                       printf("Could not load '%s' subimage (err %d)\n",
> +                              fit_uname, err);
>                         return CMD_RET_FAILURE;
>                 }
>
> --
> 2.35.1.1320.gc452695387.dirty
>

Re: [RESEND PATCH v2 2/6] image: fit: Add some helpers for getting data

[Simon Glass]

On Tue, 16 Aug 2022 at 09:16, Sean Anderson <sean.anderson@seco.com> wrote:
>
> Several different firmware users have repetitive code to extract the
> firmware data from a FIT. Add some helper functions to reduce the amount
> of repetition. fit_conf_get_prop_node (eventually) calls
> fdt_check_node_offset_, so we can avoid an explicit if. In general, this
> version avoids printing on error because the callers are typically
> library functions, and because the FIT code generally has (debug)
> prints of its own. One difference in these helpers is that they use
> fit_image_get_data_and_size instead of fit_image_get_data, as the former
> handles external data correctly.
>
> Signed-off-by: Sean Anderson <sean.anderson@seco.com>
> ---
>
> Changes in v2:
> - Document helpers
>
>  boot/image-fit.c | 37 +++++++++++++++++++++++++
>  include/image.h  | 70 ++++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 107 insertions(+)
>

Reviewed-by: Simon Glass <sjg@chromium.org>

Re: [RESEND PATCH v2 6/6] net: fm: Add support for FIT firmware

[Simon Glass]

On Tue, 16 Aug 2022 at 09:16, Sean Anderson <sean.anderson@seco.com> wrote:
>
> Fman microcode is executable code (AFAICT) loaded into a
> coprocessor. As such, if verified boot is enabled, it must be verified
> like other executable code. However, this is not currently done.
>
> This commit adds verified boot functionality by encapsulating the
> microcode in a FIT, which can then be signed/verified as normal. By
> default we allow fallback to unencapsulated firmware, but if
> CONFIG_FIT_SIGNATURE is enabled, then we make it mandatory. Because
> existing Layerscape do not use this config (instead enabling
> CONFIG_CHAIN_OF_TRUST), this should not break any existing boards.
>
> An example (mildly-abbreviated) its is provided below:
>
> / {
>     #address-cells = <1>;
>
>     images {
>         firmware {
>             data = /incbin/(/path/to/firmware);
>             type = "firmware";
>             arch = "arm64";
>             compression = "none";
>             signature {
>                 algo = "sha256,rsa2048";
>                 key-name-hint = "your key name";
>             };
>         };
>     };
>
>     configurations {
>         default = "conf";
>         conf {
>             description = "Load FMAN microcode";
>             fman = "firmware";
>         };
>     };
> };
>
> Signed-off-by: Sean Anderson <sean.anderson@seco.com>
> ---
>
> (no changes since v1)
>
>  drivers/net/fm/fm.c | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)

Reviewed-by: Simon Glass <sjg@chromium.org>

Re: [RESEND PATCH v2 5/6] net: Convert fit verification to use fit_get_data_*

[Simon Glass]

On Tue, 16 Aug 2022 at 09:16, Sean Anderson <sean.anderson@seco.com> wrote:
>
> Several ethernet drivers load firmware from FIT images. Convert them to
> use the fit_get_data helpers.
>
> Signed-off-by: Sean Anderson <sean.anderson@seco.com>
> ---
>
> Changes in v2:
> - New
>
>  drivers/net/fsl-mc/mc.c            | 30 +++-------------------
>  drivers/net/pfe_eth/pfe_firmware.c | 40 +-----------------------------
>  2 files changed, 4 insertions(+), 66 deletions(-)

Reviewed-by: Simon Glass <sjg@chromium.org>