If U-Boot is built with signature verification but no keys are
included in the device tree, the boot would still continue.
Introduce FIT_SIGNATURE_REQUIRED so that such a setup fails closed instead
of fail-open. The option is off by default (the Kconfig entry sets no
default), since enabling it may break existing setups that rely on the
insecure behavior.

Consistently use log_err for errors in fit_config_verify_required_keys()
while at it

Signed-off-by: Ludwig Nussel <[email protected]>

---

Changes in v3:
- clarify error message when no keys were found
- change printfs to log_err
- reword Kconfig
- keep FIT_SIGNATURE_REQUIRED off by default

Changes in v2:
- introduce FIT_SIGNATURE_REQUIRED

 boot/Kconfig         | 10 ++++++++++
 boot/image-fit-sig.c | 22 ++++++++++++++--------
 2 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/boot/Kconfig b/boot/Kconfig
index ae6f09a6ede..e3aaa6a8544 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -124,6 +124,16 @@ config FIT_SIGNATURE
          format support in this case, enable it using
          CONFIG_LEGACY_IMAGE_FORMAT.
 
+config FIT_SIGNATURE_REQUIRED
+       bool "Require signature verification of FIT uImages"
+       depends on FIT_SIGNATURE
+       help
+         This option requires that FIT uImages are signed or boot will fail.
+         That means the U-Boot device tree must contain a "/signature" node
+         and at least one public key with required="conf". All configuration
+         sections of a FIT file must be signed using those keys based on
+         "required-mode" policy.
+
 config FIT_SIGNATURE_MAX_SIZE
        hex "Max size of signed FIT structures"
        depends on FIT_SIGNATURE
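Review bot: The help text of the new FIT_SIGNATURE_REQUIRED entry promises that boot fails unless the FIT is signed, but the option only hardens the FIT configuration verification path; the context lines just above it show that legacy uImage support remains selectable via CONFIG_LEGACY_IMAGE_FORMAT, and a board that can still boot a legacy or raw image stays fail-open through that route regardless of this option. That is presumably out of scope for the patch, but the help should say so, e.g. append `This option does not restrict other image formats; to enforce signed boot also keep CONFIG_LEGACY_IMAGE_FORMAT disabled and do not expose raw-image boot commands.` The sentence "All configuration sections of a FIT file must be signed" also overstates what is checked: fit_config_verify_required_keys() takes a single conf_noffset, so it appears to verify only the configuration selected for boot, and `the configuration selected for boot must be signed` would be the accurate wording.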
diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
index 433df20281f..1060ad042b8 100644
--- a/boot/image-fit-sig.c
+++ b/boot/image-fit-sig.c
@@ -632,15 +632,16 @@ static int fit_config_verify_required_keys(const void 
*fit, int conf_noffset,
         * name root but different @ suffix to be equal
         */
        if (strchr(name, '@')) {
-               printf("Configuration node '%s' contains '@'\n", name);
+               log_err("Configuration node '%s' contains '@'\n", name);
                return -EPERM;
        }
 
        /* Work out what we need to verify */
        key_node = fdt_subnode_offset(key_blob, 0, FIT_SIG_NODENAME);
        if (key_node < 0) {
-               debug("%s: No signature node found: %s\n", __func__,
-                     fdt_strerror(key_node));
+               log_err("No signature node found: %s\n", 
fdt_strerror(key_node));
+               if (IS_ENABLED(CONFIG_FIT_SIGNATURE_REQUIRED))
+                       return -EPERM;
                return 0;
        }
 
@@ -674,8 +675,8 @@ static int fit_config_verify_required_keys(const void *fit, 
int conf_noffset,
                                            noffset);
                if (ret) {
                        if (reqd_policy_all) {
-                               printf("Failed to verify required signature 
'%s'\n",
-                                      fit_get_name(key_blob, noffset, NULL));
+                               log_err("Failed to verify required signature 
'%s'\n",
+                                       fit_get_name(key_blob, noffset, NULL));
                                return ret;
                        }
                } else {
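Review bot: In the `if (ret)` branch, a required signature that fails to verify under the non-"all" required-mode policy is dropped without any trace, so when a later "Failed to verify 'any'" error fires nothing in the log says which key was tried or why it failed. A debug-level line there costs nothing on the happy path and makes a field failure diagnosable: `log_debug("Required signature '%s' did not verify: %d\n", fit_get_name(key_blob, noffset, NULL), ret);` before the closing brace of `if (ret)`. The loop header and the rest of fit_config_verify_required_keys() are outside this hunk.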
@@ -685,9 +686,14 @@ static int fit_config_verify_required_keys(const void 
*fit, int conf_noffset,
                }
        }
 
-       if (reqd_sigs && !verified) {
-               printf("Failed to verify 'any' of the required signature(s)\n");
-               return -EPERM;
+       if (!verified) {
+               if (reqd_sigs) {
+                       log_err("Failed to verify 'any' of the required 
signature(s)\n");
+                       return -EPERM;
+               } else if (IS_ENABLED(CONFIG_FIT_SIGNATURE_REQUIRED)) {
+                       log_err("No suitable keys found for configuration 
verification\n");
+                       return -EPERM;
+               }
        }
 
        return 0;
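Review bot: The new fail-closed `else if (IS_ENABLED(CONFIG_FIT_SIGNATURE_REQUIRED))` branch has no regression test: the diffstat touches only boot/Kconfig and boot/image-fit-sig.c, so nothing asserts that a build with the option enabled and a control FDT lacking a /signature node, or whose keys carry no required="conf", refuses to boot, and a guard like this is exactly the kind that silently regresses when the surrounding loop is reworked. A case in the existing FIT/vboot pytest (which I believe exercises this function) that boots an unsigned configuration with the option enabled and expects failure would pin it. The message could also name what was looked for so a board bring-up error is actionable, e.g. `log_err("No public key with required=\"conf\" in /signature; refusing unsigned configuration\n");`. fit_config_verify_required_keys() starts before this hunk.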
-- 
2.43.0
