* [PATCH v2] FIT: make RSA signature verification configurable
@ 2016-01-11 8:09 yegorslists
0 siblings, 0 replies; only message in thread
From: yegorslists @ 2016-01-11 8:09 UTC (permalink / raw)
To: barebox
From: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
---
Changes:
v2: get rid of #ifdefs, modify option description
commands/Kconfig | 10 ++++++++++
common/image-fit.c | 32 +++++++++++++++++++-------------
2 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/commands/Kconfig b/commands/Kconfig
index 3e4a32a..e2e3127 100644
--- a/commands/Kconfig
+++ b/commands/Kconfig
@@ -428,6 +428,16 @@ config CMD_BOOTM_FITIMAGE
tree in the "doc/uImage.FIT" folder for more information:
http://git.denx.de/?p=u-boot.git;a=tree;f=doc/uImage.FIT
+config CMD_BOOTM_FITIMAGE_SIGNATURE
+ bool
+ prompt "Make signature verification mandatory"
+ depends on CMD_BOOTM_FITIMAGE
+ help
+ This option enables signature verification of FIT uImages,
+ using a hash signed and verified using RSA. If
+ CONFIG_SHA_PROG_HW_ACCEL is defined, i.e support for progressive
+ hashing is available using hardware, RSA library will use it.
+
config CMD_BOOTU
tristate
default y
diff --git a/common/image-fit.c b/common/image-fit.c
index 296285b..f943081 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -456,7 +456,7 @@ static int fit_open_configuration(struct fit_handle *handle, int num)
struct device_node *conf_node = NULL, *sig_node;
char unit_name[10];
const char *unit, *desc;
- int ret, level;
+ int level;
conf_node = of_get_child_by_name(handle->root, "configurations");
if (!conf_node)
@@ -482,19 +482,25 @@ static int fit_open_configuration(struct fit_handle *handle, int num)
}
level = CHECK_LEVEL_MAX;
- for_each_child_of_node(conf_node, sig_node) {
- if (handle->verbose)
- of_print_nodes(sig_node, 0);
- ret = fit_verify_signature(sig_node, handle->fit);
- if (ret < 0)
- return ret;
- level = min(level, ret);
- }
- if (level == CHECK_LEVEL_MAX)
- return -EINVAL;
- if (level != CHECK_LEVEL_SIG)
- return -EINVAL;
+ if (IS_ENABLED(CONFIG_CMD_BOOTM_FITIMAGE_SIGNATURE)) {
+ for_each_child_of_node(conf_node, sig_node) {
+ int ret;
+ if (handle->verbose)
+ of_print_nodes(sig_node, 0);
+ ret = fit_verify_signature(sig_node, handle->fit);
+ if (ret < 0)
+ return ret;
+ level = min(level, ret);
+ }
+ if (level == CHECK_LEVEL_MAX)
+ return -EINVAL;
+
+ if (level != CHECK_LEVEL_SIG)
+ return -EINVAL;
+ } else {
+ level = CHECK_LEVEL_SIG;
+ }
if (of_property_read_string(conf_node, "kernel", &unit) == 0)
level = min(level, fit_open_image(handle, unit));
--
2.1.4
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2016-01-11 8:10 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-01-11 8:09 [PATCH v2] FIT: make RSA signature verification configurable yegorslists
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox