Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/1745916/?format=api
{ "id": 1745916, "url": "http://patchwork.ozlabs.org/api/patches/1745916/?format=api", "web_url": "http://patchwork.ozlabs.org/project/uboot/patch/20230221201925.9644-45-pali@kernel.org/", "project": { "id": 18, "url": "http://patchwork.ozlabs.org/api/projects/18/?format=api", "name": "U-Boot", "link_name": "uboot", "list_id": "u-boot.lists.denx.de", "list_email": "u-boot@lists.denx.de", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20230221201925.9644-45-pali@kernel.org>", "list_archive_url": null, "date": "2023-02-21T20:19:10", "name": "[RFC,u-boot-mvebu,44/59] tools: kwbimage: Fix invalid secure boot header signature", "commit_ref": "9b4531f685fafeb2bb0139e323f635d3cda150f7", "pull_url": null, "state": "accepted", "archived": false, "hash": "611f23d93f6ee4aecda88c43c37976c46278134c", "submitter": { "id": 78810, "url": "http://patchwork.ozlabs.org/api/people/78810/?format=api", "name": "Pali Rohár", "email": "pali@kernel.org" }, "delegate": { "id": 1696, "url": "http://patchwork.ozlabs.org/api/users/1696/?format=api", "username": "stroese", "first_name": "Stefan", "last_name": "Roese", "email": "sr@denx.de" }, "mbox": "http://patchwork.ozlabs.org/project/uboot/patch/20230221201925.9644-45-pali@kernel.org/mbox/", "series": [ { "id": 343058, "url": "http://patchwork.ozlabs.org/api/series/343058/?format=api", "web_url": "http://patchwork.ozlabs.org/project/uboot/list/?series=343058", "date": "2023-02-21T20:18:27", "name": "arm: mvebu: Various fixes", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/343058/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/1745916/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/1745916/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<u-boot-bounces@lists.denx.de>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=<UNKNOWN>)", "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=flSQklV4;\n\tdkim-atps=neutral", "phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=kernel.org", "phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de", "phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.b=\"flSQklV4\";\n\tdkim-atps=neutral", "phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=kernel.org", "phobos.denx.de; spf=pass smtp.mailfrom=pali@kernel.org" ], "Received": [ "from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature ECDSA (P-384))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4PLrfV0JYwz240n\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 22 Feb 2023 07:36:18 +1100 (AEDT)", "from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id AE9A285B30;\n\tTue, 21 Feb 2023 21:25:40 +0100 (CET)", "by phobos.denx.de (Postfix, from userid 109)\n id 214DD85B10; Tue, 21 Feb 2023 21:24:04 +0100 (CET)", "from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])\n (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n bits)) (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 983FF85B2A\n for <u-boot@lists.denx.de>; Tue, 21 Feb 2023 21:22:45 +0100 (CET)", "from smtp.kernel.org (relay.kernel.org [52.25.139.140])\n (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n (No client certificate requested)\n by dfw.source.kernel.org (Postfix) with ESMTPS id 38183611F4;\n Tue, 21 Feb 2023 20:22:36 +0000 (UTC)", "by smtp.kernel.org (Postfix) with ESMTPSA id 51251C433D2;\n Tue, 21 Feb 2023 20:22:35 +0000 (UTC)", "by pali.im (Postfix)\n id 0E536AA6; Tue, 21 Feb 2023 21:22:35 +0100 (CET)" ], "X-Spam-Checker-Version": "SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de", "X-Spam-Level": "", "X-Spam-Status": "No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,\n DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,\n SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;\n s=k20201202; t=1677010955;\n bh=lkSLKbCzr7dScLJ/I75tEj3q3o0IA7tieTZnrn/c9pc=;\n h=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n b=flSQklV4svAsCH7iYDarxwx0wqiECIq4boHawYo/Yt3cC5zEAH4x7wCW1E95uupeL\n AF061tCDBLEcdBb605oL+4FroJsyOrcDq0JPUP/vtKBErPWR0qyP/qImkT7wCNxdqG\n CIG95MeLjvzzTuOTo5SAHSzYWPizwH3pD1R0RS+UUXeGFwnH8n21WTT9O/uf7+vsBl\n d0G8ydm/d85fdZjuu8H2EmiG9yl2l0qtZOxrf0hCRlVUndUcKJ1yJwyIbNXcWRCin+\n RlwRtkr2xMzKsnHuq5vrP3Y7dUIl2M4Aa6Me+UxeCyZLfhSobjyvhMDJgLmxsdIc67\n SQTU9PKVqMEtQ==", "From": "=?utf-8?q?Pali_Roh=C3=A1r?= <pali@kernel.org>", "To": "u-boot@lists.denx.de", "Cc": "Stefan Roese <sr@denx.de>, Tony Dinh <mibodhi@gmail.com>,\n Josua Mayer <josua@solid-run.com>", "Subject": "[PATCH RFC u-boot-mvebu 44/59] tools: kwbimage: Fix invalid secure\n boot header signature", "Date": "Tue, 21 Feb 2023 21:19:10 +0100", "Message-Id": "<20230221201925.9644-45-pali@kernel.org>", "X-Mailer": "git-send-email 2.20.1", "In-Reply-To": "<20230221201925.9644-1-pali@kernel.org>", "References": "<20230221201925.9644-1-pali@kernel.org>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=UTF-8", "Content-Transfer-Encoding": "8bit", "X-BeenThere": "u-boot@lists.denx.de", "X-Mailman-Version": "2.1.39", "Precedence": "list", "List-Id": "U-Boot discussion <u-boot.lists.denx.de>", "List-Unsubscribe": "<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>", "List-Archive": "<https://lists.denx.de/pipermail/u-boot/>", "List-Post": "<mailto:u-boot@lists.denx.de>", "List-Help": "<mailto:u-boot-request@lists.denx.de?subject=help>", "List-Subscribe": "<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>", "Errors-To": "u-boot-bounces@lists.denx.de", "Sender": "\"U-Boot\" <u-boot-bounces@lists.denx.de>", "X-Virus-Scanned": "clamav-milter 0.103.6 at phobos.denx.de", "X-Virus-Status": "Clean" }, "content": "Secure boot header signature is calculated from the image header with\nzeroed header checksum. Calculation is done in add_secure_header_v1()\nfunction. So after calling this function no header member except\nmain_hdr->checksum can be modified. Commit 2b0980c24027 (\"tools: kwbimage:\nFill the real header size into the main header\") broke this requirement as\nfinal header size started to be filled into main_hdr->headersz_* members\nafter the add_secure_header_v1() call.\n\nFix this issue by following steps:\n- Split header size and image data offset into two variables (headersz and\n *dataoff).\n- Change image_headersz_v0() and add_binary_header_v1() functions to return\n real (unaligned) header size instead of image data offset.\n- On every place use correct variable (headersz or *dataoff)\n\nAfter these steps variable headersz is correctly filled into the\nmain_hdr->headersz_* members and so overwriting them in the end of the\nimage_create_v1() function is not needed anymore. Remove those overwriting\nwhich effectively reverts changes in problematic commit without affecting\nvalue in main_hdr->headersz_* members and makes secure boot header\nsignature valid again.\n\nFixes: 2b0980c24027 (\"tools: kwbimage: Fill the real header size into the main header\")\nSigned-off-by: Pali Rohár <pali@kernel.org>\n---\n tools/kwbimage.c | 41 ++++++++++++++---------------------------\n 1 file changed, 14 insertions(+), 27 deletions(-)", "diff": "diff --git a/tools/kwbimage.c b/tools/kwbimage.c\nindex a8a59c154b9c..da539541742d 100644\n--- a/tools/kwbimage.c\n+++ b/tools/kwbimage.c\n@@ -959,7 +959,7 @@ static size_t image_headersz_v0(int *hasext)\n \t\t\t*hasext = 1;\n \t}\n \n-\treturn image_headersz_align(headersz, image_get_bootfrom());\n+\treturn headersz;\n }\n \n static void *image_create_v0(size_t *dataoff, struct image_tool_params *params,\n@@ -972,10 +972,11 @@ static void *image_create_v0(size_t *dataoff, struct image_tool_params *params,\n \tint has_ext = 0;\n \n \t/*\n-\t * Calculate the size of the header and the size of the\n+\t * Calculate the size of the header and the offset of the\n \t * payload\n \t */\n \theadersz = image_headersz_v0(&has_ext);\n+\t*dataoff = image_headersz_align(headersz, image_get_bootfrom());\n \n \timage = malloc(headersz);\n \tif (!image) {\n@@ -990,7 +991,7 @@ static void *image_create_v0(size_t *dataoff, struct image_tool_params *params,\n \t/* Fill in the main header */\n \tmain_hdr->blocksize =\n \t\tcpu_to_le32(payloadsz);\n-\tmain_hdr->srcaddr = cpu_to_le32(headersz);\n+\tmain_hdr->srcaddr = cpu_to_le32(*dataoff);\n \tmain_hdr->ext = has_ext;\n \tmain_hdr->version = 0;\n \tmain_hdr->destaddr = cpu_to_le32(params->addr);\n@@ -1013,10 +1014,9 @@ static void *image_create_v0(size_t *dataoff, struct image_tool_params *params,\n \t/*\n \t * For SATA srcaddr is specified in number of sectors.\n \t * This expects the sector size to be 512 bytes.\n-\t * Header size is already aligned.\n \t */\n \tif (main_hdr->blockid == IBR_HDR_SATA_ID)\n-\t\tmain_hdr->srcaddr = cpu_to_le32(headersz / 512);\n+\t\tmain_hdr->srcaddr = cpu_to_le32(le32_to_cpu(main_hdr->srcaddr) / 512);\n \n \t/* For PCIe srcaddr is not used and must be set to 0xFFFFFFFF. */\n \tif (main_hdr->blockid == IBR_HDR_PEX_ID)\n@@ -1050,7 +1050,6 @@ static void *image_create_v0(size_t *dataoff, struct image_tool_params *params,\n \tmain_hdr->checksum = image_checksum8(image,\n \t\t\t\t\t sizeof(struct main_hdr_v0));\n \n-\t*dataoff = headersz;\n \treturn image;\n }\n \n@@ -1064,10 +1063,6 @@ static size_t image_headersz_v1(int *hasext)\n \tint cfgi;\n \tint ret;\n \n-\t/*\n-\t * Calculate the size of the header and the size of the\n-\t * payload\n-\t */\n \theadersz = sizeof(struct main_hdr_v1);\n \n \tif (image_get_csk_index() >= 0) {\n@@ -1163,7 +1158,7 @@ static size_t image_headersz_v1(int *hasext)\n \tif (count > 0)\n \t\theadersz += sizeof(struct register_set_hdr_v1) + 8 * count + 4;\n \n-\treturn image_headersz_align(headersz, image_get_bootfrom());\n+\treturn headersz;\n }\n \n static int add_binary_header_v1(uint8_t **cur, uint8_t **next_ext,\n@@ -1390,7 +1385,6 @@ static void *image_create_v1(size_t *dataoff, struct image_tool_params *params,\n {\n \tstruct image_cfg_element *e;\n \tstruct main_hdr_v1 *main_hdr;\n-\tstruct opt_hdr_v1 *ohdr;\n \tstruct register_set_hdr_v1 *register_set_hdr;\n \tstruct secure_hdr_v1 *secure_hdr = NULL;\n \tsize_t headersz;\n@@ -1401,12 +1395,13 @@ static void *image_create_v1(size_t *dataoff, struct image_tool_params *params,\n \tuint8_t delay;\n \n \t/*\n-\t * Calculate the size of the header and the size of the\n+\t * Calculate the size of the header and the offset of the\n \t * payload\n \t */\n \theadersz = image_headersz_v1(&hasext);\n \tif (headersz == 0)\n \t\treturn NULL;\n+\t*dataoff = image_headersz_align(headersz, image_get_bootfrom());\n \n \timage = malloc(headersz);\n \tif (!image) {\n@@ -1428,7 +1423,7 @@ static void *image_create_v1(size_t *dataoff, struct image_tool_params *params,\n \tmain_hdr->headersz_msb = (headersz & 0xFFFF0000) >> 16;\n \tmain_hdr->destaddr = cpu_to_le32(params->addr);\n \tmain_hdr->execaddr = cpu_to_le32(params->ep);\n-\tmain_hdr->srcaddr = cpu_to_le32(headersz);\n+\tmain_hdr->srcaddr = cpu_to_le32(*dataoff);\n \tmain_hdr->ext = hasext;\n \tmain_hdr->version = 1;\n \tmain_hdr->blockid = image_get_bootfrom();\n@@ -1458,10 +1453,9 @@ static void *image_create_v1(size_t *dataoff, struct image_tool_params *params,\n \t/*\n \t * For SATA srcaddr is specified in number of sectors.\n \t * This expects the sector size to be 512 bytes.\n-\t * Header size is already aligned.\n \t */\n \tif (main_hdr->blockid == IBR_HDR_SATA_ID)\n-\t\tmain_hdr->srcaddr = cpu_to_le32(headersz / 512);\n+\t\tmain_hdr->srcaddr = cpu_to_le32(le32_to_cpu(main_hdr->srcaddr) / 512);\n \n \t/* For PCIe srcaddr is not used and must be set to 0xFFFFFFFF. */\n \tif (main_hdr->blockid == IBR_HDR_PEX_ID)\n@@ -1528,19 +1522,10 @@ static void *image_create_v1(size_t *dataoff, struct image_tool_params *params,\n \t\t\t\t\t &datai, delay);\n \t}\n \n-\tif (secure_hdr && add_secure_header_v1(params, ptr + headersz, payloadsz,\n+\tif (secure_hdr && add_secure_header_v1(params, ptr + *dataoff, payloadsz,\n \t\t\t\t\t image, headersz, secure_hdr))\n \t\treturn NULL;\n \n-\t*dataoff = headersz;\n-\n-\t/* Fill the real header size without padding into the main header */\n-\theadersz = sizeof(*main_hdr);\n-\tfor_each_opt_hdr_v1 (ohdr, main_hdr)\n-\t\theadersz += opt_hdr_v1_size(ohdr);\n-\tmain_hdr->headersz_lsb = cpu_to_le16(headersz & 0xFFFF);\n-\tmain_hdr->headersz_msb = (headersz & 0xFFFF0000) >> 16;\n-\n \t/* Calculate and set the header checksum */\n \tmain_hdr->checksum = image_checksum8(main_hdr, headersz);\n \n@@ -1889,7 +1874,7 @@ static void kwbimage_set_header(void *ptr, struct stat *sbuf, int ifd,\n \tmemcpy((uint8_t *)ptr + dataoff + datasz, &checksum, sizeof(uint32_t));\n \n \t/* Finally copy the header into the image area */\n-\tmemcpy(ptr, image, dataoff);\n+\tmemcpy(ptr, image, kwbheader_size(image));\n \n \tfree(image);\n }\n@@ -2109,6 +2094,8 @@ static int kwbimage_generate(struct image_tool_params *params,\n \t\texit(EXIT_FAILURE);\n \t}\n \n+\talloc_len = image_headersz_align(alloc_len, image_get_bootfrom());\n+\n \tfree(image_cfg);\n \n \thdr = malloc(alloc_len);\n", "prefixes": [ "RFC", "u-boot-mvebu", "44/59" ] }