Re: [U-Boot] [PATCH v3 8/8] tools, fit_check_sign: verify a signed fit image

2014-03-08 Thread Simon Glass 
+Charles for HOSTCC comments

Hi Heiko,

On 3 March 2014 04:19, Heiko Schocher h...@denx.de wrote:
 add host tool fit_check_sign which verifies, if a fit image is
 signed correct.

 Signed-off-by: Heiko Schocher h...@denx.de
 Cc: Simon Glass s...@chromium.org

Looks good - a few nits and the crash I mentioned.

It's interesting that the host and target environments are so
different - much of it is unavoidable but your patch is a good example
of what is needed when we 'bridge the gap.

Regards,
Simon
___
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot

[U-Boot] [PATCH v3 8/8] tools, fit_check_sign: verify a signed fit image

2014-03-03 Thread Heiko Schocher 
add host tool fit_check_sign which verifies, if a fit image is
signed correct.

Signed-off-by: Heiko Schocher h...@denx.de
Cc: Simon Glass s...@chromium.org

---
- changes for v2:
  - fixed compile error for sandbox
  - add fit_check_sign test to test/vboot/vboot_test.sh

- changes for v3:
  - add comment from Marek Vasut:
- do not use unlink
  - add comment from Simon Glass:
- get_blob not weak, rename it to image_get_host_blob()
- use getopt
- as we not write the file, get rid of some unneccessary checks
- move fdtdec_get_int() from lib/libfdt/fdt_wip.c to
  lib/fdtdec.c for HOSTCC compiles
  - rebased against current head eeb72e67619b98d2502fe634a3a5d9953de92ad0
- Makefile adaptions necessary introduced from kbuild changes
---
 common/image-sig.c   | 18 +-
 doc/uImage.FIT/signature.txt |  6 
 include/fdt_support.h|  5 +++
 include/image.h  | 17 +
 lib/fdtdec.c | 20 +++
 lib/rsa/rsa-checksum.c   | 10 --
 lib/rsa/rsa-sign.c   |  2 +-
 lib/rsa/rsa-verify.c | 18 +++---
 test/vboot/vboot_test.sh | 20 +++
 tools/.gitignore |  1 +
 tools/Makefile   |  7 ++--
 tools/fdt_host.h |  2 ++
 tools/fdtdec.c   |  1 +
 tools/fit_check_sign.c   | 85 
 tools/image-host.c   | 15 
 tools/rsa-checksum.c |  1 +
 tools/rsa-verify.c   |  1 +
 17 files changed, 204 insertions(+), 25 deletions(-)
 create mode 100644 tools/fdtdec.c
 create mode 100644 tools/fit_check_sign.c
 create mode 100644 tools/rsa-checksum.c
 create mode 100644 tools/rsa-verify.c

diff --git a/common/image-sig.c b/common/image-sig.c
index 763960a..72284eb 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -19,9 +19,14 @@ DECLARE_GLOBAL_DATA_PTR;
 #define IMAGE_MAX_HASHED_NODES 100
 
 #ifdef USE_HOSTCC
-__attribute__((weak)) void *get_blob(void)
+void *host_blob;
+void image_set_host_blob(void *blob)
 {
-   return NULL;
+   host_blob = blob;
+}
+void *image_get_host_blob(void)
+{
+   return host_blob;
 }
 #endif
 
@@ -32,10 +37,9 @@ struct checksum_algo checksum_algos[] = {
RSA2048_BYTES,
 #if IMAGE_ENABLE_SIGN
EVP_sha1,
-#else
+#endif
sha1_calculate,
padding_sha1_rsa2048,
-#endif
},
{
sha256,
@@ -43,10 +47,9 @@ struct checksum_algo checksum_algos[] = {
RSA2048_BYTES,
 #if IMAGE_ENABLE_SIGN
EVP_sha256,
-#else
+#endif
sha256_calculate,
padding_sha256_rsa2048,
-#endif
},
{
sha256,
@@ -54,10 +57,9 @@ struct checksum_algo checksum_algos[] = {
RSA4096_BYTES,
 #if IMAGE_ENABLE_SIGN
EVP_sha256,
-#else
+#endif
sha256_calculate,
padding_sha256_rsa4096,
-#endif
}
 
 };
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
index 71f8b6c..9502037 100644
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@@ -357,6 +357,9 @@ Build FIT with signed configuration
 Test Verified Boot Run: unsigned config: OK
 Sign images
 Test Verified Boot Run: signed config: OK
+check signed config on the host
+OK
+Test Verified Boot Run: signed config: OK
 Test Verified Boot Run: signed config with bad hash: OK
 do sha256 test
 Build FIT with signed images
@@ -367,6 +370,9 @@ Build FIT with signed configuration
 Test Verified Boot Run: unsigned config: OK
 Sign images
 Test Verified Boot Run: signed config: OK
+check signed config on the host
+OK
+Test Verified Boot Run: signed config: OK
 Test Verified Boot Run: signed config with bad hash: OK
 
 Test passed
diff --git a/include/fdt_support.h b/include/fdt_support.h
index 9871e2f..76c9b2e 100644
--- a/include/fdt_support.h
+++ b/include/fdt_support.h
@@ -115,4 +115,9 @@ static inline int fdt_status_disabled_by_alias(void *fdt, 
const char* alias)
 }
 
 #endif /* ifdef CONFIG_OF_LIBFDT */
+
+#ifdef USE_HOSTCC
+int fdtdec_get_int(const void *blob, int node, const char *prop_name,
+   int default_val);
+#endif
 #endif /* ifndef __FDT_SUPPORT_H */
diff --git a/include/image.h b/include/image.h
index 540afaa..2508d7d 100644
--- a/include/image.h
+++ b/include/image.h
@@ -832,7 +832,7 @@ int calculate_hash(const void *data, int data_len, const 
char *algo,
 #if defined(CONFIG_FIT_SIGNATURE)
 # ifdef USE_HOSTCC
 #  define IMAGE_ENABLE_SIGN1
-#  define IMAGE_ENABLE_VERIFY  0
+#  define IMAGE_ENABLE_VERIFY  1
 # include  openssl/evp.h
 #else
 #  define IMAGE_ENABLE_SIGN0
@@ -844,7 +844,9 @@ int calculate_hash(const void *data, int data_len, const 
char *algo,
 #endif
 
 #ifdef USE_HOSTCC
-# define gd_fdt_blob() NULL
+void *image_get_host_blob(void);
+void image_set_host_blob(void *host_blob);
+# define gd_fdt_blob()