mail archive of the barebox mailing list
From: Sascha Hauer <sha@pengutronix.de>
To: Ahmad Fatoum <a.fatoum@pengutronix.de>
Cc: barebox@lists.infradead.org
Subject: Re: [PATCH v2 4/4] boards: qemu-virt: support passing in FIT public key
Date: Mon, 13 Feb 2023 09:45:12 +0100
Message-ID: <20230213084512.GF10447@pengutronix.de>
In-Reply-To: <20230210165353.3601175-4-a.fatoum@pengutronix.de>

On Fri, Feb 10, 2023 at 05:53:53PM +0100, Ahmad Fatoum wrote:
> FIT public key is usually passed in via board DT. Usual way to use
> barebox with QEMU Virt however is to use DT supplied by Qemu and apply
> overlay to it. mkimage doesn't generate overlay DTB though. To make
> barebox Qemu Virt behave like other boards, let's define a dummy DT
> that includes CONFIG_BOOTM_FITIMAGE_PUBKEY, which is merged with the
> barebox live device tree.
> 
> Suggested-by: Jan Lübbe <jlu@pengutronix.de>
> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---
> v1 -> v2:
>   - no changes
> ---
>  common/boards/qemu-virt/Makefile            | 2 +-
>  common/boards/qemu-virt/board.c             | 7 ++++++-
>  common/boards/qemu-virt/fitimage-pubkey.dts | 7 +++++++
>  3 files changed, 14 insertions(+), 2 deletions(-)
>  create mode 100644 common/boards/qemu-virt/fitimage-pubkey.dts
> 
> diff --git a/common/boards/qemu-virt/Makefile b/common/boards/qemu-virt/Makefile
> index 88184e9a7969..00bfdfbda696 100644
> --- a/common/boards/qemu-virt/Makefile
> +++ b/common/boards/qemu-virt/Makefile
> @@ -1,7 +1,7 @@
>  # SPDX-License-Identifier: GPL-2.0-only
>  
>  obj-y += board.o
> -obj-y += overlay-of-flash.dtb.o
> +obj-y += overlay-of-flash.dtb.o fitimage-pubkey.dtb.o
>  ifeq ($(CONFIG_RISCV),y)
>  DTC_CPP_FLAGS_overlay-of-flash.dtb := -DRISCV_VIRT=1
>  endif
> diff --git a/common/boards/qemu-virt/board.c b/common/boards/qemu-virt/board.c
> index ec92ae94aec9..2669e9de5a2a 100644
> --- a/common/boards/qemu-virt/board.c
> +++ b/common/boards/qemu-virt/board.c
> @@ -35,10 +35,11 @@ static inline void arm_virt_init(void) {}
>  #endif
>  
>  extern char __dtb_overlay_of_flash_start[];
> +extern char __dtb_fitimage_pubkey_start[];
>  
>  static int virt_probe(struct device *dev)
>  {
> -	struct device_node *overlay;
> +	struct device_node *overlay, *pubkey;
>  	void (*init)(void);
>  
>  	init = device_get_match_data(dev);
> @@ -47,6 +48,10 @@ static int virt_probe(struct device *dev)
>  
>  	overlay = of_unflatten_dtb(__dtb_overlay_of_flash_start, INT_MAX);
>  	of_overlay_apply_tree(dev->of_node, overlay);
> +
> +	pubkey = of_unflatten_dtb(__dtb_fitimage_pubkey_start, INT_MAX);
> +	of_merge_nodes(dev->of_node, pubkey);
> +
>  	/* of_probe() will happen later at of_populate_initcall */
>  
>  	return 0;
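
Review bot: the result of of_unflatten_dtb(__dtb_fitimage_pubkey_start, INT_MAX) goes straight into of_merge_nodes() with no check, so a blob that fails to unflatten is not caught in virt_probe(). Test pubkey before merging and log or return an error, since a key that did not make it into the tree is something the user should hear about. Nothing in the visible lines releases pubkey after the merge either; if of_merge_nodes() copies into dev->of_node, the temporary tree can be freed once the merge is done.
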
> diff --git a/common/boards/qemu-virt/fitimage-pubkey.dts b/common/boards/qemu-virt/fitimage-pubkey.dts
> new file mode 100644
> index 000000000000..497799fa4b60
> --- /dev/null
> +++ b/common/boards/qemu-virt/fitimage-pubkey.dts
> @@ -0,0 +1,7 @@
> +/dts-v1/;
> +
> +#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
> +#include CONFIG_BOOTM_FITIMAGE_PUBKEY
> +#endif
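
Review bot: with CONFIG_BOOTM_FITIMAGE_PUBKEY undefined, the #ifdef leaves only /dts-v1/; of the lines quoted here, so the build succeeds and virt_probe() merges a tree that carries no key, with nothing telling the user. A short comment in the file stating that an empty tree is intended in that case, or a build-time hint when FIT signature checking is enabled without a key, would make the no-key configuration a visible choice.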

I wonder if we've gone the wrong path here. Every board that wants to
put a key into the device tree needs this snippet.

Instead of compiling the dtsi containing the key into the barebox main
device tree wouldn't it be better to always create an extra dtb from
the dtsi provided in CONFIG_BOOTM_FITIMAGE_PUBKEY and apply something
along the following?

What's missing is some Makefile magic to compile an extra dtb named
fitimage_pubkey from whatever name is provided in
CONFIG_BOOTM_FITIMAGE_PUBKEY, but that should be doable as well.


diff --git a/crypto/rsa.c b/crypto/rsa.c
index fc21efdb6d..6939513db9 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -491,16 +491,13 @@ static struct rsa_public_key *rsa_key_dup(const struct rsa_public_key *key)
 extern const struct rsa_public_key * const __rsa_keys_start;
 extern const struct rsa_public_key * const __rsa_keys_end;
 
-static void rsa_init_keys_of(void)
+static void rsa_init_keys_of(struct device_node *root)
 {
 	struct device_node *sigs, *sig;
 	struct rsa_public_key *key;
 	int ret;
 
-	if (!IS_ENABLED(CONFIG_OFTREE))
-		return;
-
-	sigs = of_find_node_by_path("/signature");
+	sigs = of_find_node_by_path_from(root, "/signature");
 	if (!sigs)
 		return;
 
@@ -519,6 +516,26 @@ static void rsa_init_keys_of(void)
 	}
 }
 
+extern char __dtb_fitimage_pubkey_start[];
+
+static void rsa_of_init_keys(void)
+{
+	struct device_node *root;
+
+	if (!IS_ENABLED(CONFIG_OFTREE))
+		return;
+
+	root = of_get_root_node();
+	if (root)
+		rsa_init_keys_of(root);
+
+#ifdef CONFIG_BOOTM_FITIMAGE_PUBKEY
+	root = of_unflatten_dtb(__dtb_fitimage_pubkey_start, INT_MAX);
+	if (root)
+		rsa_init_keys_of(root);
+#endif
+}
+
 static int rsa_init_keys(void)
 {
 	const struct rsa_public_key * const *iter;
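
Review bot: in rsa_of_init_keys(), the tree returned by of_unflatten_dtb(__dtb_fitimage_pubkey_start, INT_MAX) is never released after rsa_init_keys_of(root) has walked it; if the keys are duplicated when they are added (rsa_key_dup() is in this file), the temporary tree can be freed right after the call. The if (root) test also filters NULL only: should of_unflatten_dtb() report failure with an error pointer, that pointer would be handed to of_find_node_by_path_from(), so the check should match what the function actually returns.
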
@@ -533,7 +550,7 @@ static int rsa_init_keys(void)
 			       key->key_name_hint, strerror(-ret));
 	}
 
-	rsa_init_keys_of();
+	rsa_of_init_keys();
 
 	return 0;
 }
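
Review bot: the call in rsa_init_keys() now goes to rsa_of_init_keys() while rsa_init_keys_of() stays as the per-tree helper, and the two names differ only in word order, which is easy to mix up when reading or grepping. Renaming the helper to something like rsa_init_keys_of_tree(), or the wrapper to rsa_init_keys_from_dt(), would keep them apart.
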
-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


