The iminfo command already verifies hashes of images. This change also verifies signatures of configurations if enabled.
Adjusts error output slighly to be on stderr Signed-off-by: Ludwig Nussel <[email protected]> --- Changes in v3: - use log_err instead of printf in fit_config_verify_required_keys() - don't make iminfo fail unless FIT_SIGNATURE_REQUIRED is set - update fit_all_configurations_verify documentation - stub fit_all_configurations_verify unless FIT_SIGNATURES Changes in v2: - document fit_all_configurations_verify() boot/image-fit.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++ cmd/bootm.c | 7 +++++++ include/image.h | 8 +++++++ 3 files changed, 69 insertions(+) diff --git a/boot/image-fit.c b/boot/image-fit.c index 2d2709aa5b1..d77f69953e2 100644 --- a/boot/image-fit.c +++ b/boot/image-fit.c @@ -1512,6 +1512,60 @@ int fit_all_image_verify(const void *fit) return 1; } +/** + * fit_all_configurations_verify - verify signatures of all configurations + * @fit: pointer to the FIT format image header + * + * fit_all_configurations_verify() iterates over all configurations + * in the FIT and checks the signatures. Returns success if all + * configurations have valid signatures. See documentation at + * fit_config_verify_required_keys() or fit_config_verify_key(). + * + * returns: + * 0, success + * -ENOENT, no configurations present + * <0, error + */ +#if FIT_IMAGE_ENABLE_VERIFY +int fit_all_configurations_verify(const void *fit) +{ + int confs_noffset; + int noffset; + int r = -ENOENT; + + /* Find configurations parent node offset */ + confs_noffset = fdt_path_offset(fit, FIT_CONFS_PATH); + if (confs_noffset < 0) { + log_err("Can't find configurations parent node '%s' (%s)\n", + FIT_CONFS_PATH, fdt_strerror(confs_noffset)); + return confs_noffset; + } + + /* Process all config subnodes, check signature for each */ + log_info("## Checking configuration signatures ...\n"); + + fdt_for_each_subnode(noffset, fit, confs_noffset) { + int ret; + + log_info(" %s ... ", fit_get_name(fit, noffset, NULL)); + /* fit_config_verify() prints results so we can be silent */ + ret = fit_config_verify(fit, noffset); + if (ret) { + r = ret; + log_err("FAIL\n"); + continue; + } + /* valid config found */ + if (r == -ENOENT) + r = 0; + + log_info("OK\n"); + } + + return r; +} +#endif + static int fit_image_uncipher(const void *fit, int image_noffset, void **data, size_t *size) { diff --git a/cmd/bootm.c b/cmd/bootm.c index ca7cec91fad..0aacf7b7d7b 100644 --- a/cmd/bootm.c +++ b/cmd/bootm.c @@ -335,6 +335,13 @@ static int image_info(ulong addr) return 1; } + if (CONFIG_IS_ENABLED(FIT_SIGNATURE) && + fit_all_configurations_verify(hdr) != 0) { + puts("Signature verification failed!\n"); + unmap_sysmem(hdr); + return CONFIG_IS_ENABLED(FIT_SIGNATURE_REQUIRED) == 1; + } + unmap_sysmem(hdr); return 0; #endif diff --git a/include/image.h b/include/image.h index 34efac6056d..841b6fb77cf 100644 --- a/include/image.h +++ b/include/image.h @@ -1355,6 +1355,14 @@ static inline int fit_config_verify(const void *fit, int conf_noffset) } #endif int fit_all_image_verify(const void *fit); +#if CONFIG_IS_ENABLED(FIT_SIGNATURE) +int fit_all_configurations_verify(const void *fit); +#else +static inline int fit_all_configurations_verify(const void *fit) +{ + return 0; +} +#endif int fit_config_decrypt(const void *fit, int conf_noffset); int fit_image_check_os(const void *fit, int noffset, uint8_t os); int fit_image_check_arch(const void *fit, int noffset, uint8_t arch); -- 2.43.0
