From patchwork Sat Jan 5 01:52:09 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass
X-Patchwork-Id: 209619
From: Simon Glass
To: U-Boot Mailing List
Date: Fri, 4 Jan 2013 17:52:09 -0800
Message-Id: <1357350734-13737-41-git-send-email-sjg@chromium.org>
In-Reply-To: <1357350734-13737-1-git-send-email-sjg@chromium.org>
References: <1357350734-13737-1-git-send-email-sjg@chromium.org>
Cc: Joel A Fernandes, Joe Hershberger, Tom Rini, Vadim Bendebury, Andreas Bäck
Subject: [U-Boot] [RFC PATCH 40/44] mkimage: Add -r option to specify keys that must be verified

Normally, multiple public keys can be provided and U-Boot is not
required to use all of them for verification. This is because some
images may not be signed, or may be optionally signed.

But we still need a mechanism to determine when a key must be used.
This feature cannot be implemented in the FIT itself, since anyone
could change it to mark a key as optional. The requirement for
key verification must go in with the public keys, in a place that
is protected from modification.

Add a -r option which tells mkimage to mark all keys that it uses
for signing as 'required'.

If some keys are optional and some are required, run mkimage several
times (perhaps with different key directories if some keys are very
secret) using the -F flag to update an existing FIT.

Signed-off-by: Simon Glass
Reviewed-by: Marek Vasut
---
 doc/mkimage.1     | 6 ++++++
 tools/fit_image.c | 5 +++--
 tools/mkimage.c   | 7 +++++--
 tools/mkimage.h   | 1 +
 4 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/doc/mkimage.1 b/doc/mkimage.1 index b67a351..14374da 100644 --- a/doc/mkimage.1 +++ b/doc/mkimage.1 @@ -133,6 +133,12 @@ the corresponding public key is written into this file for for run-time verification. Typically the file here is the device tree binary used by CONFIG_OF_CONTROL in U-Boot. +.TP +.BI "\-r +Specifies that keys used to sign the FIT are required. This means that they +must be verified for the image to boot. Without this option, the verification +will be optional (useful for testing but not for release). + .SH EXAMPLES List image information: diff --git a/tools/fit_image.c b/tools/fit_image.c index 82f1597..0b9f091 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -153,8 +153,9 @@ static int fit_handle_file (struct mkimage_params *params) /* set hashes for images in the blob */ if (fit_add_verification_data(params->keydir, - dest_blob, ptr, params->comment, 0)) { - fprintf (stderr, "%s Can't add hashes to FIT blob", + dest_blob, ptr, params->comment, + params->require_keys)) { + fprintf(stderr, "%s Can't add hashes to FIT blob\n", params->cmdname); goto err_add_hashes; } diff --git a/tools/mkimage.c b/tools/mkimage.c index d6e47a5..8af84ce 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -270,6 +270,9 @@ main (int argc, char **argv) usage (); params.imagename = *++argv; goto NXTARG; + case 'r': + params.require_keys = 1; + break; case 'R': if (--argc <= 0) usage(); @@ -641,8 +644,8 @@ usage () " -x ==> set XIP (execute in place)\n", params.cmdname); fprintf(stderr, " %s [-k keydir] [-K dtb] [-D dtc_options]" - " [ -c ] [-f fit-image.its|-F] fit-image\n", - params.cmdname); + " [ -c ] [-f fit-image.its|-F] [-r]" + " fit-image\n", params.cmdname); fprintf (stderr, " %s -V ==> print version information and exit\n", params.cmdname); diff --git a/tools/mkimage.h b/tools/mkimage.h index 4391ca8..d82be17 100644 --- a/tools/mkimage.h +++ b/tools/mkimage.h 
@@ -78,6 +78,7 @@ struct mkimage_params { const char *keydir; /* Directory holding private keys */ const char *keydest; /* Destination .dtb for public key */ const char *comment; /* Comment to add to signature node */ + int require_keys; /* 1 to mark signing keys as 'required' */ }; /*
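Review bot: In the doc/mkimage.1 hunk, the `.BI "\-r` line opens a double quote that is never closed, and `.BI` alternates bold and italic arguments although -r takes no argument, so `.B "\-r"` would be the cleaner form. The description would also be stronger if it said where the requirement is recorded: the commit message explains that it must travel with the public keys (the file given to -K) and not in the FIT, and a reader of the man page alone does not learn which file has to be protected from modification.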
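Review bot: In the tools/fit_image.c hunk, the error text still reads "Can't add hashes to FIT blob" even though the call is fit_add_verification_data() and now carries params->keydir and params->require_keys. A signing failure, or a failure to record the 'required' marking, would be reported as a hash problem, which is misleading in a release build log. Suggest wording such as "Can't add verification data to FIT blob" while the line is being touched for the newline fix.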
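Review bot: In the first tools/mkimage.c hunk, `case 'r':` sets params.require_keys unconditionally, and nothing visible in this patch rejects -r when no key directory (-k) or public-key destination (-K) was given. Since the man page text says verification is optional without the marking, a release invocation that passes -r but omits -K would appear to succeed while leaving the keys optional, which fails open. Suggest checking after option parsing that params.keydir and params.keydest are set whenever params.require_keys is, and calling usage() or printing an error otherwise.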