Add host tool fit_check_sign, which verifies whether a FIT image is
signed correctly.
Signed-off-by: Heiko Schocher h...@denx.de
Cc: Simon Glass s...@chromium.org
---
- changes for v2:
- fixed compile error for sandbox
- add fit_check_sign test to test/vboot/vboot_test.sh
- changes for v3:
- add comment from Marek Vasut:
- do not use unlink
- add comment from Simon Glass:
- get_blob not weak, rename it to image_get_host_blob()
- use getopt
- as we not write the file, get rid of some unneccessary checks
- move fdtdec_get_int() from lib/libfdt/fdt_wip.c to
lib/fdtdec.c for HOSTCC compiles
- rebased against current head eeb72e67619b98d2502fe634a3a5d9953de92ad0
- Makefile adaptions necessary introduced from kbuild changes
---
common/image-sig.c | 18 +-
doc/uImage.FIT/signature.txt | 6
include/fdt_support.h| 5 +++
include/image.h | 17 +
lib/fdtdec.c | 20 +++
lib/rsa/rsa-checksum.c | 10 --
lib/rsa/rsa-sign.c | 2 +-
lib/rsa/rsa-verify.c | 18 +++---
test/vboot/vboot_test.sh | 20 +++
tools/.gitignore | 1 +
tools/Makefile | 7 ++--
tools/fdt_host.h | 2 ++
tools/fdtdec.c | 1 +
tools/fit_check_sign.c | 85
tools/image-host.c | 15
tools/rsa-checksum.c | 1 +
tools/rsa-verify.c | 1 +
17 files changed, 204 insertions(+), 25 deletions(-)
create mode 100644 tools/fdtdec.c
create mode 100644 tools/fit_check_sign.c
create mode 100644 tools/rsa-checksum.c
create mode 100644 tools/rsa-verify.c
diff --git a/common/image-sig.c b/common/image-sig.c
index 763960a..72284eb 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -19,9 +19,14 @@ DECLARE_GLOBAL_DATA_PTR;
#define IMAGE_MAX_HASHED_NODES 100
#ifdef USE_HOSTCC
-__attribute__((weak)) void *get_blob(void)
+void *host_blob;
+void image_set_host_blob(void *blob)
{
- return NULL;
+ host_blob = blob;
+}
+void *image_get_host_blob(void)
+{
+ return host_blob;
}
#endif
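Review bot: `host_blob` in the added block has external linkage even though the commit adds image_set_host_blob() and image_get_host_blob() to access it. Declaring it `static void *host_blob;` would stop other host-tool objects from overwriting the blob behind the accessors. The pointer is NULL until a tool calls the setter, and this series also sets IMAGE_ENABLE_VERIFY to 1 for host builds, where gd_fdt_blob() appears to be routed to this getter. The verify path should therefore treat a NULL blob as a verification failure rather than read from it; that check is not visible in this hunk. A short comment such as `/* FDT blob handed to gd_fdt_blob() in host builds; NULL until image_set_host_blob() is called */` would document the contract.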
@@ -32,10 +37,9 @@ struct checksum_algo checksum_algos[] = {
RSA2048_BYTES,
#if IMAGE_ENABLE_SIGN
EVP_sha1,
-#else
+#endif
sha1_calculate,
padding_sha1_rsa2048,
-#endif
},
{
sha256,
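Review bot: The checksum_algos[] entries are still initialized positionally, while one member (`EVP_sha1` / `EVP_sha256`) exists only under `#if IMAGE_ENABLE_SIGN`. The initializer therefore lines up only if struct checksum_algo guards the matching field with exactly the same condition; the struct definition is not in this hunk. If the two conditions ever diverge, the hash and padding pointers shift by one slot, and the compiler may report that only as an incompatible-pointer warning. Designated initializers (one `.field = value` per line, with the `#if` around just the signing member) would make each slot explicit for a table that selects the verification hash and padding. The same applies to the sha256 entries in the two following hunks.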
@@ -43,10 +47,9 @@ struct checksum_algo checksum_algos[] = {
RSA2048_BYTES,
#if IMAGE_ENABLE_SIGN
EVP_sha256,
-#else
+#endif
sha256_calculate,
padding_sha256_rsa2048,
-#endif
},
{
sha256,
@@ -54,10 +57,9 @@ struct checksum_algo checksum_algos[] = {
RSA4096_BYTES,
#if IMAGE_ENABLE_SIGN
EVP_sha256,
-#else
+#endif
sha256_calculate,
padding_sha256_rsa4096,
-#endif
}
};
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
index 71f8b6c..9502037 100644
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@@ -357,6 +357,9 @@ Build FIT with signed configuration
Test Verified Boot Run: unsigned config: OK
Sign images
Test Verified Boot Run: signed config: OK
+check signed config on the host
+OK
+Test Verified Boot Run: signed config: OK
Test Verified Boot Run: signed config with bad hash: OK
do sha256 test
Build FIT with signed images
@@ -367,6 +370,9 @@ Build FIT with signed configuration
Test Verified Boot Run: unsigned config: OK
Sign images
Test Verified Boot Run: signed config: OK
+check signed config on the host
+OK
+Test Verified Boot Run: signed config: OK
Test Verified Boot Run: signed config with bad hash: OK
Test passed
diff --git a/include/fdt_support.h b/include/fdt_support.h
index 9871e2f..76c9b2e 100644
--- a/include/fdt_support.h
+++ b/include/fdt_support.h
@@ -115,4 +115,9 @@ static inline int fdt_status_disabled_by_alias(void *fdt,
const char* alias)
}
#endif /* ifdef CONFIG_OF_LIBFDT */
+
+#ifdef USE_HOSTCC
+int fdtdec_get_int(const void *blob, int node, const char *prop_name,
+ int default_val);
+#endif
#endif /* ifndef __FDT_SUPPORT_H */
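Review bot: The new `fdtdec_get_int()` prototype has no comment saying what the caller gets back when the property cannot be read. That matters if host-side signature checking reads key parameters through it, which is inferred from the commit's purpose rather than shown here. Suggest adding `/* Host build only: returns default_val when prop_name cannot be read */` above it, with the wording confirmed against the implementation in lib/fdtdec.c, which is outside this hunk. Callers then know to pick a default that cannot be mistaken for a valid value. If another header already declares this function for target builds, say so in the comment so the two prototypes are kept in sync.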
diff --git a/include/image.h b/include/image.h
index 540afaa..2508d7d 100644
--- a/include/image.h
+++ b/include/image.h
@@ -832,7 +832,7 @@ int calculate_hash(const void *data, int data_len, const
char *algo,
#if defined(CONFIG_FIT_SIGNATURE)
# ifdef USE_HOSTCC
# define IMAGE_ENABLE_SIGN1
-# define IMAGE_ENABLE_VERIFY 0
+# define IMAGE_ENABLE_VERIFY 1
# include openssl/evp.h
#else
# define IMAGE_ENABLE_SIGN0
@@ -844,7 +844,9 @@ int calculate_hash(const void *data, int data_len, const
char *algo,
#endif
#ifdef USE_HOSTCC
-# define gd_fdt_blob() NULL
+void *image_get_host_blob(void);
+void image_set_host_blob(void *host_blob);
+# define gd_fdt_blob()