From: Albert Schwarzkopf <a.schwarzkopf@phytec.de>
To: barebox@lists.infradead.org
Subject: [PATCH 1/1] bootm: Allow loading OP-TEE from FIT image
Date: Tue, 15 Sep 2020 15:36:30 +0200 [thread overview]
Message-ID: <20200915133630.32511-2-a.schwarzkopf@phytec.de> (raw)
In-Reply-To: <20200915133630.32511-1-a.schwarzkopf@phytec.de>
Currently, TEE binaries can only be loaded if CONFIG_BOOTM_FORCE_SIGNED_IMAGES
is not set. No signature check is being performed on them.
Allow loading OP-TEE from FIT images. Therefore, now it's possible
to ensure that only trusted OP-TEE binaries will be loaded by using
signed FIT images.
Signed-off-by: Albert Schwarzkopf <a.schwarzkopf@phytec.de>
---
arch/arm/lib32/bootm.c | 44 +++++++++++++++++++++++++++++++++++++-----
1 file changed, 39 insertions(+), 5 deletions(-)
diff --git a/arch/arm/lib32/bootm.c b/arch/arm/lib32/bootm.c
index 971ebee8a..c33ecc2ad 100644
--- a/arch/arm/lib32/bootm.c
+++ b/arch/arm/lib32/bootm.c
@@ -20,7 +20,7 @@
#include <restart.h>
#include <globalvar.h>
#include <tee/optee.h>
-
+#include <image-fit.h>
#include <asm/byteorder.h>
#include <asm/setup.h>
#include <asm/barebox-arm.h>
@@ -166,6 +166,34 @@ static int optee_verify_header_request_region(struct image_data *data, struct op
return ret;
}
+static int bootm_load_tee_from_fit(struct image_data *data)
+{
+ int ret = 0;
+ struct optee_header hdr;
+
+ if (data->os_fit &&
+ fit_has_image(data->os_fit, data->fit_config, "tee")) {
+ const void *tee;
+ unsigned long tee_size;
+
+ ret = fit_open_image(data->os_fit, data->fit_config, "tee",
+ &tee, &tee_size);
+ if (ret) {
+ pr_err("Error opening tee fit image: %s\n", strerror(-ret));
+ return ret;
+ }
+ memcpy(&hdr, tee, sizeof(hdr));
+ if (optee_verify_header_request_region(data, &hdr) < 0) {
+ pr_err("%s", strerror(errno));
+ ret = -errno;
+ goto out;
+ }
+ memcpy((void *)data->tee_res->start, tee + sizeof(hdr), hdr.init_size);
+ printf("Read optee image to %pa, size 0x%08x\n", (void *)data->tee_res->start, hdr.init_size);
+ }
+out:
+ return ret;
+}
static int bootm_load_tee_from_file(struct image_data *data)
{
int fd, ret;
@@ -262,10 +290,16 @@ static int __do_bootm_linux(struct image_data *data, unsigned long free_mem,
return ret;
}
- if (IS_ENABLED(CONFIG_BOOTM_OPTEE) && data->tee_file) {
- ret = bootm_load_tee_from_file(data);
- if (ret)
- return ret;
+ if (IS_ENABLED(CONFIG_BOOTM_OPTEE)) {
+ if (data->tee_file && !IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES)) {
+ ret = bootm_load_tee_from_file(data);
+ if (ret)
+ return ret;
+ } else if (IS_ENABLED(CONFIG_FITIMAGE)) {
+ ret = bootm_load_tee_from_fit(data);
+ if (ret)
+ return ret;
+ }
}
--
2.17.1
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
next prev parent reply other threads:[~2020-09-15 13:36 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-15 13:36 [PATCH 0/1] " Albert Schwarzkopf
2020-09-15 13:36 ` Albert Schwarzkopf [this message]
2020-09-18 9:42 ` [PATCH 1/1] " Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200915133630.32511-2-a.schwarzkopf@phytec.de \
--to=a.schwarzkopf@phytec.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox