From: Andrew Jeffery <andrew@aj.id.au>
To: u-boot@lists.denx.de
Cc: openbmc@lists.ozlabs.org, sjg@chromium.org, chiawei_wang@aspeedtech.com
Subject: [PATCH] image: Control FIT signature verification at runtime
Date: Mon, 31 Jan 2022 14:11:47 +1030 [thread overview]
Message-ID: <20220131034147.106415-1-andrew@aj.id.au> (raw)
Some platform designs include support for disabling secure-boot via a
jumper on the board. Sometimes this control can be separate from the
mechanism enabling the root-of-trust for the platform. Add support for
this latter scenario by allowing boards to implement
board_fit_image_require_verfied(), which is then invoked in the usual
FIT verification paths.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
---
Hi,
This patch is extracted from and motivated by a series adding run-time
control of FIT signature verification to u-boot in OpenBMC:
https://lore.kernel.org/openbmc/20220131012538.73021-1-andrew@aj.id.au/
Unfortunately the OpenBMC u-boot tree is quite a way behind on tracking
upstream and contains a bunch of out-of-tree work as well. As such I'm
looking to upstream the couple of changes that make sense against
master.
Please take a look!
Andrew
boot/Kconfig | 8 ++++++++
boot/image-fit.c | 21 +++++++++++++++++----
include/image.h | 9 +++++++++
3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/boot/Kconfig b/boot/Kconfig
index c8d5906cd304..ec413151fd5a 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -78,6 +78,14 @@ config FIT_SIGNATURE
format support in this case, enable it using
CONFIG_LEGACY_IMAGE_FORMAT.
+if FIT_SIGNATURE
+config FIT_RUNTIME_SIGNATURE
+ bool "Control verification of FIT uImages at runtime"
+ help
+ This option allows board support to disable verification of
+ signatures at runtime, for example through the state of a GPIO.
+endif # FIT_SIGNATURE
+
config FIT_SIGNATURE_MAX_SIZE
hex "Max size of signed FIT structures"
depends on FIT_SIGNATURE
diff --git a/boot/image-fit.c b/boot/image-fit.c
index f01cafe4e277..919dbfa4ee1d 100644
--- a/boot/image-fit.c
+++ b/boot/image-fit.c
@@ -1308,6 +1308,14 @@ static int fit_image_check_hash(const void *fit, int noffset, const void *data,
return 0;
}
+#ifndef __weak
+#define __weak
+#endif
+__weak int board_fit_image_require_verified(void)
+{
+ return 1;
+}
+
int fit_image_verify_with_data(const void *fit, int image_noffset,
const void *key_blob, const void *data,
size_t size)
@@ -1319,6 +1327,7 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
/* Verify all required signatures */
if (FIT_IMAGE_ENABLE_VERIFY &&
+ fit_image_require_verified() &&
fit_image_verify_required_sigs(fit, image_noffset, data, size,
key_blob, &verify_all)) {
err_msg = "Unable to verify required signature";
@@ -1340,9 +1349,11 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
&err_msg))
goto error;
puts("+ ");
- } else if (FIT_IMAGE_ENABLE_VERIFY && verify_all &&
- !strncmp(name, FIT_SIG_NODENAME,
- strlen(FIT_SIG_NODENAME))) {
+ } else if (FIT_IMAGE_ENABLE_VERIFY &&
+ fit_image_require_verified() &&
+ verify_all &&
+ !strncmp(name, FIT_SIG_NODENAME,
+ strlen(FIT_SIG_NODENAME))) {
ret = fit_image_check_sig(fit, noffset, data, size,
gd_fdt_blob(), -1, &err_msg);
@@ -2061,7 +2072,9 @@ int fit_image_load(bootm_headers_t *images, ulong addr,
if (image_type == IH_TYPE_KERNEL)
images->fit_uname_cfg = fit_base_uname_config;
- if (FIT_IMAGE_ENABLE_VERIFY && images->verify) {
+ if (FIT_IMAGE_ENABLE_VERIFY &&
+ fit_image_require_verified() &&
+ images->verify) {
puts(" Verifying Hash Integrity ... ");
if (fit_config_verify(fit, cfg_noffset)) {
puts("Bad Data Hash\n");
diff --git a/include/image.h b/include/image.h
index 97e5f2eb24d6..98900c2e839b 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1173,6 +1173,15 @@ int calculate_hash(const void *data, int data_len, const char *algo,
# define FIT_IMAGE_ENABLE_VERIFY CONFIG_IS_ENABLED(FIT_SIGNATURE)
#endif
+/*
+ * Further, allow run-time control of verification, e.g. via a jumper
+ */
+#if defined(CONFIG_FIT_RUNTIME_SIGNATURE)
+# define fit_image_require_verified() board_fit_image_require_verified()
+#else
+# define fit_image_require_verified() FIT_IMAGE_ENABLE_VERIFY
+#endif
+
#ifdef USE_HOSTCC
void *image_get_host_blob(void);
void image_set_host_blob(void *host_blob);
--
2.32.0
next reply other threads:[~2022-01-31 3:42 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-31 3:41 Andrew Jeffery [this message]
2022-02-07 1:07 ` [PATCH] image: Control FIT signature verification at runtime ChiaWei Wang
2022-02-08 21:55 ` Andrew Jeffery
2022-02-12 22:54 ` Dhananjay Phadke
2022-02-12 18:55 ` Alex G.
2022-02-14 1:13 ` Andrew Jeffery
2022-02-14 19:14 ` Dhananjay Phadke
2022-02-14 23:08 ` Andrew Jeffery
2022-02-14 23:13 ` Patrick Williams
2022-02-15 0:21 ` Andrew Jeffery
2022-02-15 3:12 ` Dhananjay Phadke
2022-02-15 3:25 ` Andrew Jeffery
2022-02-28 1:29 ` Andrew Jeffery
2022-02-28 22:12 ` Alex G.
2022-02-28 22:42 ` Andrew Jeffery
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220131034147.106415-1-andrew@aj.id.au \
--to=andrew@aj.id.au \
--cc=chiawei_wang@aspeedtech.com \
--cc=openbmc@lists.ozlabs.org \
--cc=sjg@chromium.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).