From: Simon Glass <sjg@chromium.org>
To: u-boot@lists.denx.de
Subject: [PATCH 1/3] mkimage: fit: only process one cipher node
Date: Mon, 27 Jul 2020 17:45:55 -0600	[thread overview]
Message-ID: <CAPnjgZ2k+wk2Y7MEQg9OPTZfow6BAuH2=tWB0ah_PmChvPGAHw@mail.gmail.com> (raw)
In-Reply-To: <20200717072825.371105-1-patrick.oppenlander@gmail.com>

Hi Patrick,

On Fri, 17 Jul 2020 at 05:30, <patrick.oppenlander@gmail.com> wrote:
>
> From: Patrick Oppenlander <patrick.oppenlander@gmail.com>
>
> Previously mkimage would process any node matching the regex cipher.*
> and apply the ciphers to the image data in the order they appeared in
> the FDT. This meant that data could be inadvertently ciphered multiple
> times.
>
> Switch to processing a single cipher node which exactly matches
> FIT_CIPHER_NODENAME.
>
> Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com>
> ---
>  tools/image-host.c | 56 +++++++++++++++++-----------------------------
>  1 file changed, 21 insertions(+), 35 deletions(-)

+Philippe Reynes for a review on these three patches too.

>
> diff --git a/tools/image-host.c b/tools/image-host.c
> index 9a83b7f675..8fa1b9aba7 100644
> --- a/tools/image-host.c
> +++ b/tools/image-host.c
> @@ -323,15 +323,15 @@ err:
>  static int fit_image_setup_cipher(struct image_cipher_info *info,
>                                   const char *keydir, void *fit,
>                                   const char *image_name, int image_noffset,
> -                                 const char *node_name, int noffset)
> +                                 int noffset)
>  {
>         char *algo_name;
>         char filename[128];
>         int ret = -1;
>
>         if (fit_image_cipher_get_algo(fit, noffset, &algo_name)) {
> -               printf("Can't get algo name for cipher '%s' in image '%s'\n",
> -                      node_name, image_name);
> +               printf("Can't get algo name for cipher in image '%s'\n",
> +                      image_name);
>                 goto out;
>         }
>
> @@ -340,16 +340,16 @@ static int fit_image_setup_cipher(struct image_cipher_info *info,
>         /* Read the key name */
>         info->keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL);
>         if (!info->keyname) {
> -               printf("Can't get key name for cipher '%s' in image '%s'\n",
> -                      node_name, image_name);
> +               printf("Can't get key name for cipher in image '%s'\n",
> +                      image_name);
>                 goto out;
>         }
>
>         /* Read the IV name */
>         info->ivname = fdt_getprop(fit, noffset, "iv-name-hint", NULL);
>         if (!info->ivname) {
> -               printf("Can't get iv name for cipher '%s' in image '%s'\n",
> -                      node_name, image_name);
> +               printf("Can't get iv name for cipher in image '%s'\n",
> +                      image_name);
>                 goto out;
>         }
>
> @@ -428,8 +428,7 @@ int fit_image_write_cipher(void *fit, int image_noffset, int noffset,
>  static int
>  fit_image_process_cipher(const char *keydir, void *keydest, void *fit,
>                          const char *image_name, int image_noffset,
> -                        const char *node_name, int node_noffset,
> -                        const void *data, size_t size,
> +                        int node_noffset, const void *data, size_t size,
>                          const char *cmdname)
>  {
>         struct image_cipher_info info;
> @@ -440,7 +439,7 @@ fit_image_process_cipher(const char *keydir, void *keydest, void *fit,
>         memset(&info, 0, sizeof(info));
>
>         ret = fit_image_setup_cipher(&info, keydir, fit, image_name,
> -                                    image_noffset, node_name, node_noffset);
> +                                    image_noffset, node_noffset);
>         if (ret)
>                 goto out;
>
> @@ -482,7 +481,7 @@ int fit_image_cipher_data(const char *keydir, void *keydest,
>         const char *image_name;
>         const void *data;
>         size_t size;
> -       int node_noffset;
> +       int cipher_node_offset;
>
>         /* Get image name */
>         image_name = fit_get_name(fit, image_noffset, NULL);
> @@ -497,32 +496,19 @@ int fit_image_cipher_data(const char *keydir, void *keydest,
>                 return -1;
>         }
>
> -       /* Process all hash subnodes of the component image node */
> -       for (node_noffset = fdt_first_subnode(fit, image_noffset);
> -            node_noffset >= 0;
> -            node_noffset = fdt_next_subnode(fit, node_noffset)) {
> -               const char *node_name;
> -               int ret = 0;
> -
> -               node_name = fit_get_name(fit, node_noffset, NULL);
> -               if (!node_name) {
> -                       printf("Can't get node name\n");
> -                       return -1;
> -               }
>
> -               if (IMAGE_ENABLE_ENCRYPT && keydir &&
> -                   !strncmp(node_name, FIT_CIPHER_NODENAME,
> -                            strlen(FIT_CIPHER_NODENAME)))
> -                       ret = fit_image_process_cipher(keydir, keydest,
> -                                                      fit, image_name,
> -                                                      image_noffset,
> -                                                      node_name, node_noffset,
> -                                                      data, size, cmdname);
> -               if (ret)
> -                       return ret;
> +       /* Process cipher node if present */
> +       cipher_node_offset = fdt_subnode_offset(fit, image_noffset, "cipher");
> +       if (cipher_node_offset == -FDT_ERR_NOTFOUND)
> +               return 0;
> +       if (cipher_node_offset < 0) {
> +               printf("Failure getting cipher node\n");
> +               return -1;
>         }
> -
> -       return 0;
> +       if (!IMAGE_ENABLE_ENCRYPT || !keydir)
> +               return 0;
> +       return fit_image_process_cipher(keydir, keydest, fit, image_name,
> +               image_noffset, cipher_node_offset, data, size, cmdname);
>  }
>
>  /**
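Review bot: The new lookup in fit_image_cipher_data() passes the literal "cipher" to fdt_subnode_offset(), although the commit message says the match is against FIT_CIPHER_NODENAME and the removed loop used that macro; `cipher_node_offset = fdt_subnode_offset(fit, image_noffset, FIT_CIPHER_NODENAME);` keeps the tool on one definition of the node name. Subnodes that the old prefix match accepted (a name such as `cipher-1`, for instance) are now skipped without any message, so a source file that relied on them would yield an image whose data stays in plaintext while this function still returns 0. A warning or an error when a subnode begins with FIT_CIPHER_NODENAME but is not the one selected would make that visible. The "Failure getting cipher node" message would also be easier to act on if it included `image_name` and `fdt_strerror(cipher_node_offset)`. The function body starts outside this hunk, so the earlier data and size handling is not reviewed here.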
> --
> 2.27.0
>
