From patchwork Mon Mar 18 23:51:59 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass
X-Patchwork-Id: 228864
X-Patchwork-Delegate: trini@ti.com
From: Simon Glass
To: U-Boot Mailing List
Date: Mon, 18 Mar 2013 16:51:59 -0700
Message-Id: <1363650725-30459-40-git-send-email-sjg@chromium.org>
X-Mailer: git-send-email 1.8.1.3
In-Reply-To: <1363650725-30459-1-git-send-email-sjg@chromium.org>
References: <1363650725-30459-1-git-send-email-sjg@chromium.org>
Cc: Joel A Fernandes, Will Drewry, Joe Hershberger, u-boot-review@google.com, Bill Richardson, Randall Spangler, Tom Rini, Vadim Bendebury, Andreas Bäck, Kees Cook
Subject: [U-Boot] [PATCH v2 39/45] mkimage: Add -r option to specify keys that must be verified

Normally, multiple public keys can be provided and U-Boot is not required to use all of them for verification. This is because some images may not be signed, or may be optionally signed.

But we still need a mechanism to determine when a key must be used. This feature cannot be implemented in the FIT itself, since anyone could change it to mark a key as optional. The requirement for key verification must go in with the public keys, in a place that is protected from modification.

Add a -r option which tells mkimage to mark all keys that it uses for signing as 'required'.

If some keys are optional and some are required, run mkimage several times (perhaps with different key directories if some keys are very secret) using the -F flag to update an existing FIT.
Signed-off-by: Simon Glass Reviewed-by: Marek Vasut --- Changes in v2: - Adjust mkimage help to separate out signing options - Rebase on previous patches doc/mkimage.1 | 6 ++++++ tools/fit_image.c | 9 +++++---- tools/mkimage.c | 8 ++++++-- tools/mkimage.h | 1 + 4 files changed, 18 insertions(+), 6 deletions(-) diff --git a/doc/mkimage.1 b/doc/mkimage.1 index b67a351..14374da 100644 --- a/doc/mkimage.1 +++ b/doc/mkimage.1 @@ -133,6 +133,12 @@ the corresponding public key is written into this file for for run-time verification. Typically the file here is the device tree binary used by CONFIG_OF_CONTROL in U-Boot. +.TP +.BI "\-r +Specifies that keys used to sign the FIT are required. This means that they +must be verified for the image to boot. Without this option, the verification +will be optional (useful for testing but not for release). + .SH EXAMPLES List image information: diff --git a/tools/fit_image.c b/tools/fit_image.c index d48f571..281c2bd 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -152,10 +152,11 @@ static int fit_handle_file (struct mkimage_params *params) goto err_mmap; /* set hashes for images in the blob */ - if (fit_add_verification_data(params->keydir, dest_blob, ptr, - params->comment, 0)) { - fprintf (stderr, "%s Can't add hashes to FIT blob", - params->cmdname); + if (fit_add_verification_data(params->keydir, + dest_blob, ptr, params->comment, + params->require_keys)) { + fprintf(stderr, "%s Can't add hashes to FIT blob\n", + params->cmdname); goto err_add_hashes; } diff --git a/tools/mkimage.c b/tools/mkimage.c index b3b45a4..d312844 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -270,6 +270,9 @@ main (int argc, char **argv) usage (); params.imagename = *++argv; goto NXTARG; + case 'r': + params.require_keys = 1; + break; case 'R': if (--argc <= 0) usage(); 
@@ -645,11 +648,12 @@ usage () fprintf(stderr, " -D => set options for device tree compiler\n" " -f => input filename for FIT source\n"); #ifdef CONFIG_FIT_SIGNATURE - fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c ]\n" + fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c ] [-r]\n" " -k => set directory containing private keys\n" " -K => write public keys to this .dtb file\n" " -c => add comment in signature node\n" - " -F => re-sign existing FIT image\n"); + " -F => re-sign existing FIT image\n" + " -r => mark keys used as 'required' in dtb\n"); #else fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n"); #endif diff --git a/tools/mkimage.h b/tools/mkimage.h index 4391ca8..d82be17 100644 --- a/tools/mkimage.h +++ b/tools/mkimage.h @@ -78,6 +78,7 @@ struct mkimage_params { const char *keydir; /* Directory holding private keys */ const char *keydest; /* Destination .dtb for public key */ const char *comment; /* Comment to add to signature node */ + int require_keys; /* 1 to mark signing keys as 'required' */ }; /*
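Review bot: In the doc/mkimage.1 hunk, the added macro line `.BI "\-r` opens a double quote that is never closed, and `.BI` alternates bold and italic for an option that takes no argument. `.B "\-r"` would be well-formed and consistent with a flag-only option. The description could also say where the 'required' mark is recorded: the usage text added in tools/mkimage.c says "in dtb", but the man page entry does not mention the -K file at all.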
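Review bot: In the tools/fit_image.c hunk, the error path still prints "Can't add hashes to FIT blob" even though the call now passes both params->keydir and params->require_keys, so a failure while signing or while marking a key as required would be reported as a hashing problem. The return value of fit_add_verification_data() is only tested for non-zero and then dropped; keeping it in a local and printing it, with a message that mentions signatures as well as hashes, would make a failed release signing run much easier to diagnose. A ':' after the "%s" would also match the usual "cmdname: message" form.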
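Review bot: The new `case 'r':` in main() in tools/mkimage.c sets params.require_keys with no check that a key destination was supplied. The help text added by this patch says -r marks keys as 'required' in dtb, and the only dtb destination visible in struct mkimage_params is keydest (-K), so -r without -K appears to have nowhere to record the requirement, and the user gets no indication that verification is still optional. Since the commit message makes the point that the requirement has to live with the public keys, rejecting that combination after option parsing would be safer, for example `if (params.require_keys && !params.keydest) usage();`. The case is also not visibly guarded by CONFIG_FIT_SIGNATURE, while its help text is, so a build without signing support would accept -r silently.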
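Review bot: In the usage() hunk in tools/mkimage.c, the summary line gains [-r] but still leaves out -F, which is described two lines further down in the same fprintf, and `[ -c ]` is spaced differently from the other bracketed options. Listing every signing option in the summary, e.g. `[-k keydir] [-K dtb] [-c] [-F] [-r]`, would keep the synopsis and the option list in step.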