From: yegorslists@googlemail.com
To: barebox@lists.infradead.org
Subject: [PATCH v2] FIT: make RSA signature verification configurable
Date: Mon, 11 Jan 2016 09:09:25 +0100 [thread overview]
Message-ID: <1452499765-14013-1-git-send-email-yegorslists@googlemail.com> (raw)
From: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
---
Changes:
v2: get rid of #ifdefs, modify option description
commands/Kconfig | 10 ++++++++++
common/image-fit.c | 32 +++++++++++++++++++-------------
2 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/commands/Kconfig b/commands/Kconfig
index 3e4a32a..e2e3127 100644
--- a/commands/Kconfig
+++ b/commands/Kconfig
@@ -428,6 +428,16 @@ config CMD_BOOTM_FITIMAGE
tree in the "doc/uImage.FIT" folder for more information:
http://git.denx.de/?p=u-boot.git;a=tree;f=doc/uImage.FIT
+config CMD_BOOTM_FITIMAGE_SIGNATURE
+ bool
+ prompt "Make signature verification mandatory"
+ depends on CMD_BOOTM_FITIMAGE
+ help
+ This option enables signature verification of FIT uImages,
+ using a hash signed and verified using RSA. If
+ CONFIG_SHA_PROG_HW_ACCEL is defined, i.e support for progressive
+ hashing is available using hardware, RSA library will use it.
+
config CMD_BOOTU
tristate
default y
diff --git a/common/image-fit.c b/common/image-fit.c
index 296285b..f943081 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -456,7 +456,7 @@ static int fit_open_configuration(struct fit_handle *handle, int num)
struct device_node *conf_node = NULL, *sig_node;
char unit_name[10];
const char *unit, *desc;
- int ret, level;
+ int level;
conf_node = of_get_child_by_name(handle->root, "configurations");
if (!conf_node)
@@ -482,19 +482,25 @@ static int fit_open_configuration(struct fit_handle *handle, int num)
}
level = CHECK_LEVEL_MAX;
- for_each_child_of_node(conf_node, sig_node) {
- if (handle->verbose)
- of_print_nodes(sig_node, 0);
- ret = fit_verify_signature(sig_node, handle->fit);
- if (ret < 0)
- return ret;
- level = min(level, ret);
- }
- if (level == CHECK_LEVEL_MAX)
- return -EINVAL;
- if (level != CHECK_LEVEL_SIG)
- return -EINVAL;
+ if (IS_ENABLED(CONFIG_CMD_BOOTM_FITIMAGE_SIGNATURE)) {
+ for_each_child_of_node(conf_node, sig_node) {
+ int ret;
+ if (handle->verbose)
+ of_print_nodes(sig_node, 0);
+ ret = fit_verify_signature(sig_node, handle->fit);
+ if (ret < 0)
+ return ret;
+ level = min(level, ret);
+ }
+ if (level == CHECK_LEVEL_MAX)
+ return -EINVAL;
+
+ if (level != CHECK_LEVEL_SIG)
+ return -EINVAL;
+ } else {
+ level = CHECK_LEVEL_SIG;
+ }
if (of_property_read_string(conf_node, "kernel", &unit) == 0)
level = min(level, fit_open_image(handle, unit));
--
2.1.4
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
reply other threads:[~2016-01-11 8:10 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1452499765-14013-1-git-send-email-yegorslists@googlemail.com \
--to=yegorslists@googlemail.com \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox