In fit_config_verify_sig(), when no 'signature*' subnode exists in
the configuration node, the fdt_for_each_subnode() loop is a no-op.
Therefore, no error flags are set, and 'err_,sg' is not populated
with an error string. This is incorrect behavior.
Populate err_msg to indicate that no 'signature' is found, before
entering the loop. The first call to fit_image_verify_sig() will
override clear err_msg, or set it to a more specific message.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
When CONFIG_FIT_CIPHER=y and CONFIG_FIT_SIGNATURE=n is there is no
implementation of image_get_host_blob for mkimage/dumpimage:
/usr/bin/ld: tools/common/image-cipher.o: in function `fit_image_decrypt_data':
image-cipher.c:(.text+0x9a): undefined reference to `image_get_host_blob'
Move the implementation to a common file so it can be shaed between
image-cipher.c and image-fit-sig.c.
Signed-off-by: Joel Stanley <joel@jms.id.au>
Currently FIT image must be signed by all required conf keys. This means
Verified Boot fails if there is a signature verification failure
using any required key in U-Boot DTB.
This patch introduces a new policy in DTB that can be set to any required
conf key. This means if verified boot passes with one of the required
keys, U-Boot will continue the OS hand off.
There were prior attempts to address this:
https://lists.denx.de/pipermail/u-boot/2019-April/366047.html
The above patch was failing "make tests".
https://lists.denx.de/pipermail/u-boot/2020-January/396629.html
Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The signature check on config node is broken on fit with padding.
To compute the signature for config node, U-Boot compute the
signature on all properties of requested node for this config,
except for the property "data". But, when padding is used for
binary in a fit, there isn't a property "data" but two properties:
"data-offset" and "data-size". So to fix the check of signature,
we also don't use the properties "data-offset" and "data-size"
when checking the signature on config node.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
fdt_region APIs are not part of libfdt. They are U-Boot extension
for the verified boot. Split the declarations related to fdt_region
out of <fdt_region.h>. This allows <linux/libfdt.h> to become a
simple wrapper file, like Linux does.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Introduce new configuration, CONFIG_RSA_VERIFY which will decouple building
RSA functions from FIT verification and allow for adding a RSA-based
signature verification for other file formats, in particular PE file
for UEFI secure boot.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>