> Subject: [PATCH v3] spl: allow board_spl_fit_post_load() to fail
>
> On i.MX platforms board_spl_fit_post_load() can check the loaded SPL image
> for authenticity using its HAB engine. U-Boot's SPL mechanism allows
> booting images from other sources as well, but in the current setup the SPL
> would just hang if it encounters an image that does not pass scrutiny.
security.
> Allowing the function to return an error, allows the SPL to try booting from
> another source as a fallback instead of ending up as a brick.
This will break secure boot chain.
Regards, Peng.
>
> Signed-off-by: Patrick Wildt <patr...@blueri.se>
> ---
> Changes in v3:
> - use EINVAL as return value to have a proper errno
>
> Changes in v2:
> - set SPL_FIT_FOUND only after successful post load
>
> arch/arm/mach-imx/spl.c | 6 ++++--
> common/spl/spl_fit.c | 10 ++++++----
> include/spl.h | 2 +-
> 3 files changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/arch/arm/mach-imx/spl.c b/arch/arm/mach-imx/spl.c index
> 1a231c67f5a..1a0d979e2d0 100644
> --- a/arch/arm/mach-imx/spl.c
> +++ b/arch/arm/mach-imx/spl.c
> @@ -313,7 +313,7 @@ ulong board_spl_fit_size_align(ulong size)
> return size;
> }
>
> -void board_spl_fit_post_load(ulong load_addr, size_t length)
> +int board_spl_fit_post_load(ulong load_addr, size_t length)
> {
> u32 offset = length - CONFIG_CSF_SIZE;
>
> @@ -321,8 +321,10 @@ void board_spl_fit_post_load(ulong load_addr,
> size_t length)
> offset + IVT_SIZE + CSF_PAD_SIZE,
> offset)) {
> puts("spl: ERROR: image authentication unsuccessful\n");
> - hang();
> + return -EINVAL;
> }
> +
> + return 0;
> }
> #endif
>
> diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c index
> f581a224213..ead4c6713af 100644
> --- a/common/spl/spl_fit.c
> +++ b/common/spl/spl_fit.c
> @@ -26,8 +26,9 @@ DECLARE_GLOBAL_DATA_PTR;
> #define CONFIG_SYS_BOOTM_LEN (64 << 20)
> #endif
>
> -__weak void board_spl_fit_post_load(ulong load_addr, size_t length)
> +__weak int board_spl_fit_post_load(ulong load_addr, size_t length)
> {
> + return 0;
> }
>
> __weak ulong board_spl_fit_size_align(ulong size)
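Review bot: In arch/arm/mach-imx/spl.c the context line `u32 offset = length - CONFIG_CSF_SIZE;` wraps around if length is ever smaller than CONFIG_CSF_SIZE, and the wrapped offset is then passed on as the arguments visible in the second hunk. Now that the function has an error path, a guard before the subtraction such as `if (length < CONFIG_CSF_SIZE) return -EINVAL;` would reject that case explicitly instead of authenticating against a bogus offset. Whether any caller can actually pass such a length is not visible here, and the line holding the authentication call itself sits between the two hunks.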
@@ -677,11 +678,12 @@
> int spl_load_simple_fit(struct spl_image_info *spl_image,
> if (spl_image->entry_point == FDT_ERROR || spl_image->entry_point ==
> 0)
> spl_image->entry_point = spl_image->load_addr;
>
> - spl_image->flags |= SPL_FIT_FOUND;
> -
> #ifdef CONFIG_IMX_HAB
> - board_spl_fit_post_load((ulong)fit, size);
> + ret = board_spl_fit_post_load((ulong)fit, size);
> + if (ret)
> + return ret;
> #endif
>
> + spl_image->flags |= SPL_FIT_FOUND;
> return 0;
> }
> diff --git a/include/spl.h b/include/spl.h index b31c9bb4ab2..2607767d940
> 100644
> --- a/include/spl.h
> +++ b/include/spl.h
> @@ -564,7 +564,7 @@ int board_return_to_bootrom(struct spl_image_info
> *spl_image,
> * board_spl_fit_post_load - allow process images after loading finished
> *
> */
> -void board_spl_fit_post_load(ulong load_addr, size_t length);
> +int board_spl_fit_post_load(ulong load_addr, size_t length);
>
> /**
> * board_spl_fit_size_align - specific size align before processing payload
> --
> 2.26.2
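Review bot: The new `return ret;` in spl_load_simple_fit() leaves spl_image->entry_point and spl_image->load_addr populated from the rejected image, because they are assigned just above the check. If the caller moves on to another loader, nothing in this hunk prevents those stale values from being used; consider clearing them on the failure path, or at least adding a comment at the return such as `/* image rejected: spl_image fields set above must not be used by the caller */`. Presumably the payload has also already been copied to its load address by this point, which is worth stating in the same comment. The declaration of `ret`, the start of the function and the caller are all outside the hunk.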
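Review bot: The kernel-doc block above `int board_spl_fit_post_load(ulong load_addr, size_t length);` in include/spl.h still describes neither the parameters nor the return value, although the return value is now the only way a board hook reports a rejected image. Add `@load_addr:` and `@length:` entries and a return line such as `* Return: 0 if the image is accepted, negative errno if it must not be booted`, so that board overrides and callers agree on what a non-zero result means. The opening of the comment is outside the hunk.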