
[U-Boot] common: image: Add support for post-processing of images

Message ID 1469639559-7339-1-git-send-email-dannenberg@ti.com
State Accepted
Commit eba3fbd6a12b1c4a75c24135535075f0d0fb8074
Delegated to: Tom Rini

Commit Message

Andreas Dannenberg July 27, 2016, 5:12 p.m. UTC
This commit allows injecting a board/platform/device-specific post-
processing function into the FIT image data loading process, which can
include modifying the size and altering the starting source address of
an image data artifact. This might be desired to do things like strip
headers or footers attached to the images before they were packaged into
the FIT, or to perform operations such as decryption or authentication.
Introduce new configuration option CONFIG_FIT_IMAGE_POST_PROCESS to
allow controlling this feature. If enabled, a platform-specific post-
process function must be provided.

Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
---

While not limited to this use case, this commit allows for example on TI
high-security (HS) device variants to extend the secure boot chain to
Kernel, DTB, and initramfs (and anything else really that can be bundled
into a FIT image) by injecting calls to a TI-specific ROM API to perform
authentication (and optionally decryption) of blobs.

At this stage of the boot process one is also free to use the FIT/
RSA/SHA-based verified boot scheme already built into U-Boot to perform
authentication on TI HS devices, providing a choice between a completely
open solution or continuing to perform ROM-based calls (which would have
the added benefit of supporting decryption, amongst other reasons such
as faster performance due to inherent crypto accelerator usage).

This commit works in analogy to
da74d1f "spl: fit: add support for post-processing of images"
which introduced the CONFIG_SPL_FIT_IMAGE_POST_PROCESS option.


On a related note, Andrew (on copy) will be taking over the work on this
patch to address any feedback there might be since my last day at TI will
be 07/29. I will still be monitoring the mailing list but might not be
able to respond in the current capacity.

Thanks and Regards,
Andreas

 Kconfig            | 14 ++++++++++++++
 common/image-fit.c | 26 +++++++++++++++++++++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)

Comments

Tom Rini July 29, 2016, 1:29 p.m. UTC | #1
On Wed, Jul 27, 2016 at 12:12:39PM -0500, Andreas Dannenberg wrote:

> This commit allows injecting a board/platform/device-specific post-
> processing function into the FIT image data loading process, which can
> include modifying the size and altering the starting source address of
> an image data artifact. This might be desired to do things like strip
> headers or footers attached to the images before they were packaged into
> the FIT, or to perform operations such as decryption or authentication.
> Introduce new configuration option CONFIG_FIT_IMAGE_POST_PROCESS to
> allow controlling this feature. If enabled, a platform-specific post-
> process function must be provided.
> 
> Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>

Reviewed-by: Tom Rini <trini@konsulko.com>
Simon Glass July 29, 2016, 1:51 p.m. UTC | #2
On 27 July 2016 at 11:12, Andreas Dannenberg <dannenberg@ti.com> wrote:
> This commit allows injecting a board/platform/device-specific post-
> processing function into the FIT image data loading process, which can
> include modifying the size and altering the starting source address of
> an image data artifact. This might be desired to do things like strip
> headers or footers attached to the images before they were packaged into
> the FIT, or to perform operations such as decryption or authentication.
> Introduce new configuration option CONFIG_FIT_IMAGE_POST_PROCESS to
> allow controlling this feature. If enabled, a platform-specific post-
> process function must be provided.
>
> Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
> ---
>
> While not limited to this use case, this commit allows for example on TI
> high-security (HS) device variants to extend the secure boot chain to
> Kernel, DTB, and initramfs (and anything else really that can be bundled
> into a FIT image) by injecting calls to a TI-specific ROM API to perform
> authentication (and optionally decryption) of blobs.
>
> At this stage of the boot process one is also free to use the FIT/
> RSA/SHA-based verified boot scheme already built into U-Boot to perform
> authentication on TI HS devices, providing a choice between a completely
> open solution or continuing to perform ROM-based calls (which would have
> the added benefit of supporting decryption, amongst other reasons such
> as faster performance due to inherent crypto accelerator usage).
>
> This commit works in analogy to
> da74d1f "spl: fit: add support for post-processing of images"
> which introduced the CONFIG_SPL_FIT_IMAGE_POST_PROCESS option.
>
>
> On a related note, Andrew (on copy) will be taking over the work on this
> patch to address any feedback there might be since my last day at TI will
> be 07/29. I will still be monitoring the mailing list but might not be
> able to respond in the current capacity.

Thanks for your efforts and good luck!

>
> Thanks and Regards,
> Andreas
>
>  Kconfig            | 14 ++++++++++++++
>  common/image-fit.c | 26 +++++++++++++++++++++++++-
>  2 files changed, 39 insertions(+), 1 deletion(-)

Reviewed-by: Simon Glass <sjg@chromium.org>
Andreas Dannenberg July 29, 2016, 2:30 p.m. UTC | #3
On Fri, Jul 29, 2016 at 07:51:53AM -0600, Simon Glass wrote:
> On 27 July 2016 at 11:12, Andreas Dannenberg <dannenberg@ti.com> wrote:
> > This commit allows injecting a board/platform/device-specific post-
> > processing function into the FIT image data loading process, which can
> > include modifying the size and altering the starting source address of
> > an image data artifact. This might be desired to do things like strip
> > headers or footers attached to the images before they were packaged into
> > the FIT, or to perform operations such as decryption or authentication.
> > Introduce new configuration option CONFIG_FIT_IMAGE_POST_PROCESS to
> > allow controlling this feature. If enabled, a platform-specific post-
> > process function must be provided.
> >
> > Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
> > ---
> >
> > While not limited to this use case, this commit allows for example on TI
> > high-security (HS) device variants to extend the secure boot chain to
> > Kernel, DTB, and initramfs (and anything else really that can be bundled
> > into a FIT image) by injecting calls to a TI-specific ROM API to perform
> > authentication (and optionally decryption) of blobs.
> >
> > At this stage of the boot process one is also free to use the FIT/
> > RSA/SHA-based verified boot scheme already built into U-Boot to perform
> > authentication on TI HS devices, providing a choice between a completely
> > open solution or continuing to perform ROM-based calls (which would have
> > the added benefit of supporting decryption, amongst other reasons such
> > as faster performance due to inherent crypto accelerator usage).
> >
> > This commit works in analogy to
> > da74d1f "spl: fit: add support for post-processing of images"
> > which introduced the CONFIG_SPL_FIT_IMAGE_POST_PROCESS option.
> >
> >
> > On a related note, Andrew (on copy) will be taking over the work on this
> > patch to address any feedback there might be since my last day at TI will
> > be 07/29. I will still be monitoring the mailing list but might not be
> > able to respond in the current capacity.
> 
> Thanks for your efforts and good luck!

Thanks Simon! I very much enjoy working on U-Boot and Kernel OSS with
the greater community and hope to find ways to stay involved moving
forward beyond fiddling with my personal BeagleBone Blacks and
Raspberry Pis :)

Regards,
Andreas


> >
> > Thanks and Regards,
> > Andreas
> >
> >  Kconfig            | 14 ++++++++++++++
> >  common/image-fit.c | 26 +++++++++++++++++++++++++-
> >  2 files changed, 39 insertions(+), 1 deletion(-)
> 
> Reviewed-by: Simon Glass <sjg@chromium.org>
Tom Rini Aug. 12, 2016, 7:53 p.m. UTC | #4
On Wed, Jul 27, 2016 at 12:12:39PM -0500, Andreas Dannenberg wrote:

> This commit allows injecting a board/platform/device-specific post-
> processing function into the FIT image data loading process, which can
> include modifying the size and altering the starting source address of
> an image data artifact. This might be desired to do things like strip
> headers or footers attached to the images before they were packaged into
> the FIT, or to perform operations such as decryption or authentication.
> Introduce new configuration option CONFIG_FIT_IMAGE_POST_PROCESS to
> allow controlling this feature. If enabled, a platform-specific post-
> process function must be provided.
> 
> Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/master, thanks!

Patch

diff --git a/Kconfig b/Kconfig
index ef12f9f..c5489dc 100644
--- a/Kconfig
+++ b/Kconfig
@@ -336,6 +336,20 @@  config SPL_FIT_IMAGE_POST_PROCESS
 	  injected into the FIT creation (i.e. the blobs would have been pre-
 	  processed before being added to the FIT image).
 
+config FIT_IMAGE_POST_PROCESS
+	bool "Enable post-processing of FIT artifacts after loading by U-Boot"
+	depends on FIT && TI_SECURE_DEVICE
+	help
+	  Allows doing any sort of manipulation to blobs after they got extracted
+	  from FIT images like stripping off headers or modifying the size of the
+	  blob, verification, authentication, decryption etc. in a platform or
+	  board specific way. In order to use this feature a platform or board-
+	  specific implementation of board_fit_image_post_process() must be
+	  provided. Also, anything done during this post-processing step would
+	  need to be comprehended in how the images were prepared before being
+	  injected into the FIT creation (i.e. the blobs would have been pre-
+	  processed before being added to the FIT image).
+
 config SYS_CLK_FREQ
 	depends on ARC || ARCH_SUNXI
 	int "CPU clock frequency"
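Review bot: the `depends on FIT && TI_SECURE_DEVICE` line restricts the new option to TI secure devices, while the cover letter says the mechanism is "not limited to this use case" and the help text describes a generic platform/board hook. Either drop the `TI_SECURE_DEVICE` dependency and let boards that provide `board_fit_image_post_process()` select the option, or state in the help text why only TI secure parts may enable it. The help text is otherwise a verbatim copy of the `SPL_FIT_IMAGE_POST_PROCESS` text visible in the context above; a sentence noting that this option covers the full U-Boot stage (as opposed to SPL) would make the distinction clear to someone reading `menuconfig`.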
diff --git a/common/image-fit.c b/common/image-fit.c
index 73ad34e..d8d4e95 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -11,9 +11,9 @@ 
 
 #ifdef USE_HOSTCC
 #include "mkimage.h"
-#include <image.h>
 #include <time.h>
 #else
+#include <linux/compiler.h>
 #include <common.h>
 #include <errno.h>
 #include <mapmem.h>
@@ -21,6 +21,7 @@ 
 DECLARE_GLOBAL_DATA_PTR;
 #endif /* !USE_HOSTCC*/
 
+#include <image.h>
 #include <bootstage.h>
 #include <u-boot/crc.h>
 #include <u-boot/md5.h>
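Review bot: the relocation of `#include <image.h>` out of the `USE_HOSTCC` branch into the common include list, together with the new `#include <linux/compiler.h>` in the target branch, is not mentioned in the commit message and is not obviously tied to the post-processing feature. Presumably `image.h` is now needed in the target build for the `board_fit_image_post_process()` prototype; one sentence in the commit message saying so, and saying what `linux/compiler.h` is needed for, would keep these two hunks from looking like an unrelated cleanup folded into a feature change.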
@@ -1507,6 +1508,12 @@  void fit_conf_print(const void *fit, int noffset, const char *p)
 
 static int fit_image_select(const void *fit, int rd_noffset, int verify)
 {
+#if !defined(USE_HOSTCC) && defined(CONFIG_FIT_IMAGE_POST_PROCESS)
+	const void *data;
+	size_t size;
+	int ret;
+#endif
+
 	fit_image_print(fit, rd_noffset, "   ");
 
 	if (verify) {
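Review bot: style point on the declaration block: the guard `#if !defined(USE_HOSTCC) && defined(CONFIG_FIT_IMAGE_POST_PROCESS)` has to be repeated for the declarations here and again for the code further down in the same function. Moving the whole post-processing sequence into a small static helper that is compiled under a single guard (and compiles to a no-op stub otherwise) would avoid the split and keep `fit_image_select()` readable.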
@@ -1518,6 +1525,23 @@  static int fit_image_select(const void *fit, int rd_noffset, int verify)
 		puts("OK\n");
 	}
 
+#if !defined(USE_HOSTCC) && defined(CONFIG_FIT_IMAGE_POST_PROCESS)
+	ret = fit_image_get_data(fit, rd_noffset, &data, &size);
+	if (ret)
+		return ret;
+
+	/* perform any post-processing on the image data */
+	board_fit_image_post_process((void **)&data, &size);
+
+	/*
+	 * update U-Boot's understanding of the "data" property start address
+	 * and size according to the performed post-processing
+	 */
+	ret = fdt_setprop((void *)fit, rd_noffset, FIT_DATA_PROP, data, size);
+	if (ret)
+		return ret;
+#endif
+
 	return 0;
 }
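Review bot: two problems with the post-processing sequence, both around `board_fit_image_post_process((void **)&data, &size);` and the following `fdt_setprop()`. First, the hook is called without a return value, so an authentication or decryption failure inside it has no way to make `fit_image_select()` fail; either give the hook an `int` return and propagate it the way `fit_image_get_data()` is handled a few lines above, or state in the Kconfig help that a board implementation must not return to the caller on failure. Second, `fdt_setprop((void *)fit, rd_noffset, FIT_DATA_PROP, data, size)` resizes the property and then copies `size` bytes from `data` into it; when the hook has only advanced `data` past a header inside the existing property (one of the use cases named in the commit message), source and destination overlap and the tail of the FIT is shifted down before the copy, so the copied bytes may already be clobbered. Copying the post-processed blob to a scratch buffer first, or leaving the FIT untouched and handing the adjusted pointer and size to the caller, would avoid this and would also remove the `(void *)fit` cast that discards the `const` in the function's own signature.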