If U-Boot is built with signature verification but no keys are included in the device tree, the boot would still continue. Introduce FIT_SIGNATURE_REQUIRED to avoid a fail-open setup. Defaults to off so existing setups are not affected; boards wanting fail-closed behaviour must enable it explicitly.
Consistently use log_err for errors in fit_config_verify_required_keys() while at it Signed-off-by: Ludwig Nussel <[email protected]> Reviewed-by: Simon Glass <[email protected]> --- Changes in v4: - reword Kconfig help text - rename option to FIT_REQUIRE_CONFIG_SIGS - introduce SPL_FIT_REQUIRE_CONFIG_SIGS Changes in v3: - clarify error message when no keys were found - change printfs to log_err - reword Kconfig - keep FIT_SIGNATURE_REQUIRED off by default Changes in v2: - introduce FIT_SIGNATURE_REQUIRED boot/Kconfig | 22 ++++++++++++++++++++++ boot/image-fit-sig.c | 22 ++++++++++++++-------- 2 files changed, 36 insertions(+), 8 deletions(-) diff --git a/boot/Kconfig b/boot/Kconfig index ae6f09a6ede..c36a403063e 100644 --- a/boot/Kconfig +++ b/boot/Kconfig @@ -124,6 +124,23 @@ config FIT_SIGNATURE format support in this case, enable it using CONFIG_LEGACY_IMAGE_FORMAT. +config FIT_REQUIRE_CONFIG_SIGS + bool "Require configuration signature verification of FIT uImages" + depends on FIT_SIGNATURE + help + This option requires that FIT uImages have configuration + nodes that are signed or boot will fail. + That means the U-Boot device tree must contain a + "/signature" node and at least one public key with + required="conf". + All configuration sections of a FIT file must be signed + using those keys based on "required-mode" policy. + The option is useful to avoid fail-open situations so it + is recommended to enable. The option currently defaults to + off to avoid breaking existing setups. Keep it off if you + need to reuse the same u-boot binary in setups without + keys or rely on image node only signatures. + config FIT_SIGNATURE_MAX_SIZE hex "Max size of signed FIT structures" depends on FIT_SIGNATURE 
@@ -224,6 +241,11 @@ config SPL_FIT_SIGNATURE_MAX_SIZE device memory. Assure this size does not extend past expected storage space. +config SPL_FIT_REQUIRE_CONFIG_SIGS + bool "Require signature verification of FIT firmware within SPL" + depends on SPL_FIT_SIGNATURE + select FIT_REQUIRE_CONFIG_SIGS + config SPL_LOAD_FIT bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)" depends on SPL diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c index 433df20281f..dc38a2413b0 100644 --- a/boot/image-fit-sig.c +++ b/boot/image-fit-sig.c @@ -632,15 +632,16 @@ static int fit_config_verify_required_keys(const void *fit, int conf_noffset, * name root but different @ suffix to be equal */ if (strchr(name, '@')) { - printf("Configuration node '%s' contains '@'\n", name); + log_err("Configuration node '%s' contains '@'\n", name); return -EPERM; } /* Work out what we need to verify */ key_node = fdt_subnode_offset(key_blob, 0, FIT_SIG_NODENAME); if (key_node < 0) { - debug("%s: No signature node found: %s\n", __func__, - fdt_strerror(key_node)); + log_err("No signature node found: %s\n", fdt_strerror(key_node)); + if (CONFIG_IS_ENABLED(FIT_REQUIRE_CONFIG_SIGS)) + return -EPERM; return 0; } @@ -674,8 +675,8 @@ static int fit_config_verify_required_keys(const void *fit, int conf_noffset, noffset); if (ret) { if (reqd_policy_all) { - printf("Failed to verify required signature '%s'\n", - fit_get_name(key_blob, noffset, NULL)); + log_err("Failed to verify required signature '%s'\n", + fit_get_name(key_blob, noffset, NULL)); return ret; } } else { 
@@ -685,9 +686,14 @@ static int fit_config_verify_required_keys(const void *fit, int conf_noffset, } } - if (reqd_sigs && !verified) { - printf("Failed to verify 'any' of the required signature(s)\n"); - return -EPERM; + if (!verified) { + if (reqd_sigs) { + log_err("Failed to verify 'any' of the required signature(s)\n"); + return -EPERM; + } else if (CONFIG_IS_ENABLED(FIT_REQUIRE_CONFIG_SIGS)) { + log_err("No suitable keys found for configuration verification\n"); + return -EPERM; + } } return 0; -- 2.43.0
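Review bot: in the boot/Kconfig hunk (@@ -124,6 +124,23 @@), the symbol added is FIT_REQUIRE_CONFIG_SIGS, but the commit message body still says "Introduce FIT_SIGNATURE_REQUIRED" and the v3 changelog entry still refers to FIT_SIGNATURE_REQUIRED; the first paragraph should name the symbol that actually lands after the v4 rename. In the help text, "it is recommended to enable" would read better as "enabling it is recommended", and the sentence "All configuration sections of a FIT file must be signed" is stronger than what fit_config_verify_required_keys() enforces per call, since it takes a single conf_noffset; unless every configuration is verified by a caller, "the configuration selected for booting must be signed" would describe the check more precisely.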
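Review bot: in the SPL Kconfig hunk (@@ -224,6 +241,11 @@), SPL_FIT_REQUIRE_CONFIG_SIGS has no help text, unlike its non-SPL counterpart, and its prompt says "signature verification of FIT firmware" while the option specifically enforces configuration-node signatures; suggest mirroring the FIT_REQUIRE_CONFIG_SIGS wording and adding a short help block. The "select FIT_REQUIRE_CONFIG_SIGS" also makes U-Boot proper fail closed whenever SPL does, which is a one-way coupling the C code does not need because CONFIG_IS_ENABLED() already picks the SPL symbol in SPL builds; if that coupling is intended, the help text should say so explicitly so board maintainers are not surprised that enabling the SPL option changes proper's behaviour too.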
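Review bot: in the first boot/image-fit-sig.c hunk (@@ -632,15 +632,16 @@), the "No signature node found" message is now emitted with log_err unconditionally, including when FIT_REQUIRE_CONFIG_SIGS is disabled and the function goes on to return 0, so every boot of a key-less U-Boot logs an error for a condition the configuration explicitly allows. Suggest keeping the error-level message on the failing path only: when the option is enabled, log_err and return -EPERM; otherwise log_debug and return 0 as before. Dropping __func__ from the message also loses the context the old debug() call carried unless the log subsystem is configured to print function names.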
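Review bot: in the last boot/image-fit-sig.c hunk (@@ -685,9 +686,14 @@), the new "No suitable keys found for configuration verification" branch is reached when a /signature node exists but no required signature applied to the configuration (reqd_sigs is zero), which per the new Kconfig help means no key carries required="conf", i.e. the "image node only signatures" setup the help text warns about. The message should name that property, e.g. "No key with required=\"conf\" found in /signature node", so the board maintainer knows what is missing rather than suspecting a key-loading problem. The restructured condition preserves the previous reqd_sigs && !verified failure, so the behaviour change is confined to the option-enabled path, which is the right scope for an opt-in fail-closed switch.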

