From ce1400f6949bbfec01fe381a844b14844cb3be12 Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Thu, 12 Jun 2014 07:24:53 -0600 Subject: [PATCH] Enhance fit_check_sign to check all images At present this tool only checks the configuration signing. Have it also look at each of the images in the configuration and confirm that they verify. Signed-off-by: Simon Glass Acked-by: Heiko Schocher (v1) --- common/bootm.c | 71 ++++++++++++++++++++++++++++++++++++ common/image-fit.c | 3 +- doc/uImage.FIT/signature.txt | 3 ++ include/bootm.h | 2 + include/image.h | 5 ++- tools/fit_check_sign.c | 7 +++- tools/image-host.c | 12 ++++-- 7 files changed, 96 insertions(+), 7 deletions(-) diff --git a/common/bootm.c b/common/bootm.c index d93d3f3f10..7ec2ed8f45 100644 --- a/common/bootm.c +++ b/common/bootm.c @@ -244,6 +244,7 @@ static int bootm_find_other(cmd_tbl_t *cmdtp, int flag, int argc, return 0; } +#endif /* USE_HOSTCC */ /** * decomp_image() - decompress the operating system @@ -353,6 +354,7 @@ static int decomp_image(int comp, ulong load, ulong image_start, int type, return 0; } +#ifndef USE_HOSTCC static int bootm_load_os(bootm_headers_t *images, unsigned long *load_end, int boot_progress) { @@ -838,5 +840,74 @@ static const void *boot_get_kernel(cmd_tbl_t *cmdtp, int flag, int argc, return buf; } +#else /* USE_HOSTCC */ + +void memmove_wd(void *to, void *from, size_t len, ulong chunksz) +{ + memmove(to, from, len); +} + +static int bootm_host_load_image(const void *fit, int req_image_type) +{ + const char *fit_uname_config = NULL; + ulong data, len; + bootm_headers_t images; + int noffset; + ulong load_end; + uint8_t image_type; + uint8_t imape_comp; + void *load_buf; + int ret; + + memset(&images, '\0', sizeof(images)); + images.verify = 1; + noffset = fit_image_load(&images, (ulong)fit, + NULL, &fit_uname_config, + IH_ARCH_DEFAULT, req_image_type, -1, + FIT_LOAD_IGNORED, &data, &len); + if (noffset < 0) + return noffset; + if (fit_image_get_type(fit, noffset, &image_type)) { + puts("Can't get image type!\n"); + return -EINVAL; + } + + if (fit_image_get_comp(fit, noffset, &imape_comp)) { + puts("Can't get image compression!\n"); + return -EINVAL; + } + + /* Allow the image to expand by a factor of 4, should be safe */ + load_buf = malloc((1 << 20) + len * 4); + ret = decomp_image(imape_comp, 0, data, image_type, load_buf, + (void *)data, len, &load_end); + free(load_buf); + if (ret && ret != BOOTM_ERR_UNIMPLEMENTED) + return ret; + + return 0; +} + +int bootm_host_load_images(const void *fit, int cfg_noffset) +{ + static uint8_t image_types[] = { + IH_TYPE_KERNEL, + IH_TYPE_FLATDT, + IH_TYPE_RAMDISK, + }; + int err = 0; + int i; + + for (i = 0; i < ARRAY_SIZE(image_types); i++) { + int ret; + + ret = bootm_host_load_image(fit, image_types[i]); + if (!err && ret && ret != -ENOENT) + err = ret; + } + + /* Return the first error we found */ + return err; +} #endif /* ndef USE_HOSTCC */ diff --git a/common/image-fit.c b/common/image-fit.c index 83fac9a401..3311343be6 100644 --- a/common/image-fit.c +++ b/common/image-fit.c @@ -1591,12 +1591,13 @@ int fit_image_load(bootm_headers_t *images, ulong addr, } bootstage_mark(bootstage_id + BOOTSTAGE_SUB_CHECK_ARCH); +#ifndef USE_HOSTCC if (!fit_image_check_target_arch(fit, noffset)) { puts("Unsupported Architecture\n"); bootstage_error(bootstage_id + BOOTSTAGE_SUB_CHECK_ARCH); return -ENOEXEC; } - +#endif if (image_type == IH_TYPE_FLATDT && !fit_image_check_comp(fit, noffset, IH_COMP_NONE)) { puts("FDT image is compressed"); diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index 672dc3536f..a6ab543de4 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -361,6 +361,7 @@ Test Verified Boot Run: unsigned config: OK Sign images Test Verified Boot Run: signed config: OK check signed config on the host +Signature check OK OK Test Verified Boot Run: signed config: OK Test Verified Boot Run: signed config with bad hash: OK @@ -374,12 +375,14 @@ Test Verified Boot Run: unsigned config: OK Sign images Test Verified Boot Run: signed config: OK check signed config on the host +Signature check OK OK Test Verified Boot Run: signed config: OK Test Verified Boot Run: signed config with bad hash: OK Test passed + Future Work ----------- - Roll-back protection using a TPM is done using the tpm command. This can diff --git a/include/bootm.h b/include/bootm.h index 0a3ec566c9..4a308d8115 100644 --- a/include/bootm.h +++ b/include/bootm.h @@ -41,6 +41,8 @@ void lynxkdi_boot(image_header_t *hdr); boot_os_fn *bootm_os_get_boot_func(int os); +int bootm_host_load_images(const void *fit, int cfg_noffset); + int boot_selected_os(int argc, char * const argv[], int state, bootm_headers_t *images, boot_os_fn *boot_fn); diff --git a/include/image.h b/include/image.h index ae767f0c83..ab93eb6333 100644 --- a/include/image.h +++ b/include/image.h @@ -425,6 +425,7 @@ ulong genimg_get_image(ulong img_addr); int boot_get_ramdisk(int argc, char * const argv[], bootm_headers_t *images, uint8_t arch, ulong *rd_start, ulong *rd_end); +#endif /** * fit_image_load() - load an image from a FIT @@ -454,12 +455,14 @@ int boot_get_ramdisk(int argc, char * const argv[], bootm_headers_t *images, * @param load_op Decribes what to do with the load address * @param datap Returns address of loaded image * @param lenp Returns length of loaded image + * @return node offset of image, or -ve error code on error */ int fit_image_load(bootm_headers_t *images, ulong addr, const char **fit_unamep, const char **fit_uname_configp, int arch, int image_type, int bootstage_id, enum fit_load_op load_op, ulong *datap, ulong *lenp); +#ifndef USE_HOSTCC /** * fit_get_node_from_config() - Look up an image a FIT by type * @@ -604,8 +607,8 @@ int image_check_dcrc(const image_header_t *hdr); ulong getenv_bootm_low(void); phys_size_t getenv_bootm_size(void); phys_size_t getenv_bootm_mapsize(void); -void memmove_wd(void *to, void *from, size_t len, ulong chunksz); #endif +void memmove_wd(void *to, void *from, size_t len, ulong chunksz); static inline int image_check_magic(const image_header_t *hdr) { diff --git a/tools/fit_check_sign.c b/tools/fit_check_sign.c index 768be2f484..69e99c0d17 100644 --- a/tools/fit_check_sign.c +++ b/tools/fit_check_sign.c @@ -80,10 +80,13 @@ int main(int argc, char **argv) image_set_host_blob(key_blob); ret = fit_check_sign(fit_blob, key_blob); - if (!ret) + if (!ret) { ret = EXIT_SUCCESS; - else + fprintf(stderr, "Signature check OK\n"); + } else { ret = EXIT_FAILURE; + fprintf(stderr, "Signature check Bad (error %d)\n", ret); + } (void) munmap((void *)fit_blob, fsbuf.st_size); (void) munmap((void *)key_blob, ksbuf.st_size); diff --git a/tools/image-host.c b/tools/image-host.c index faeef66efc..0eff720b62 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -10,6 +10,7 @@ */ #include "mkimage.h" +#include #include #include @@ -707,16 +708,21 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit, } #ifdef CONFIG_FIT_SIGNATURE -int fit_check_sign(const void *working_fdt, const void *key) +int fit_check_sign(const void *fit, const void *key) { int cfg_noffset; int ret; - cfg_noffset = fit_conf_get_node(working_fdt, NULL); + cfg_noffset = fit_conf_get_node(fit, NULL); if (!cfg_noffset) return -1; - ret = fit_config_verify(working_fdt, cfg_noffset); + printf("Verifying Hash Integrity ... "); + ret = fit_config_verify(fit, cfg_noffset); + if (ret) + return ret; + ret = bootm_host_load_images(fit, cfg_noffset); + return ret; } #endif -- 2.39.2