[v6,15/16] cmd: verify: initial import

Add the command verify that check the signature of
an image with the pre-load header. If the check
succeed, the u-boot env variable 'loadaddr_verified'
is set to the address of the image (without the header).

It allows to run such commands:
tftp script.img && verify $loadaddr && source $loadaddr_verified

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
---
 cmd/Kconfig  |  7 +++++++
 cmd/Makefile |  1 +
 cmd/verify.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 61 insertions(+)
 create mode 100644 cmd/verify.c

Hi Philippe,

On Fri, 25 Feb 2022 at 07:58, Philippe Reynes
<philippe.reynes@softathome.com> wrote:
>
> Add the command verify that check the signature of
> an image with the pre-load header. If the check
> succeed, the u-boot env variable 'loadaddr_verified'
> is set to the address of the image (without the header).
>
> It allows to run such commands:
> tftp script.img && verify $loadaddr && source $loadaddr_verified
>
> Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
> ---
>  cmd/Kconfig  |  7 +++++++
>  cmd/Makefile |  1 +
>  cmd/verify.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 61 insertions(+)
>  create mode 100644 cmd/verify.c
>

Using the 'verify' command seems a bit vague. Could it be a
sub-command of bootm perhaps?

> diff --git a/cmd/Kconfig b/cmd/Kconfig
> index 87aa3fb11a..0460d5c3a0 100644
> --- a/cmd/Kconfig
> +++ b/cmd/Kconfig
> @@ -428,6 +428,13 @@ config CMD_THOR_DOWNLOAD
>           There is no documentation about this within the U-Boot source code
>           but you should be able to find something on the interwebs.
>
> +config CMD_VERIFY
> +       bool "verify the global signature"
> +        depends on CMD_BOOTM_PRE_LOAD
> +       help
> +         Verify the signature provided in a pre-load header of
> +         a full image.

Please point to docs here

> +
>  config CMD_ZBOOT
>         bool "zboot - x86 boot command"
>         help
> diff --git a/cmd/Makefile b/cmd/Makefile
> index 166c652d98..80e054e806 100644
> --- a/cmd/Makefile
> +++ b/cmd/Makefile
> @@ -177,6 +177,7 @@ obj-$(CONFIG_CMD_THOR_DOWNLOAD) += thordown.o
>  obj-$(CONFIG_CMD_XIMG) += ximg.o
>  obj-$(CONFIG_CMD_YAFFS2) += yaffs2.o
>  obj-$(CONFIG_CMD_SPL) += spl.o
> +obj-$(CONFIG_CMD_VERIFY) += verify.o
>  obj-$(CONFIG_CMD_W1) += w1.o
>  obj-$(CONFIG_CMD_ZIP) += zip.o
>  obj-$(CONFIG_CMD_ZFS) += zfs.o
> diff --git a/cmd/verify.c b/cmd/verify.c
> new file mode 100644
> index 0000000000..4d055e0790
> --- /dev/null
> +++ b/cmd/verify.c
> @@ -0,0 +1,53 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * Copyright (C) 2022 Philippe Reynes <philippe.reynes@softathome.com>
> + */
> +
> +#include <common.h>
> +#include <env.h>
> +#include <image.h>
> +#include <mapmem.h>
> +
> +static ulong verify_get_addr(int argc, char *const argv[])
> +{
> +       ulong addr;
> +
> +       if (argc > 0)
> +               addr = simple_strtoul(argv[0], NULL, 16);

hextoul

> +       else
> +               addr = image_load_addr;
> +
> +       return addr;
> +}
> +
> +static int do_verify(struct cmd_tbl *cmdtp, int flag, int argc,
> +                    char *const argv[])
> +{
> +       ulong addr = verify_get_addr(argc, argv);
> +       int ret = 0;
> +
> +       argc--; argv++;
> +
> +       addr = verify_get_addr(argc, argv);
> +
> +       if (CONFIG_IS_ENABLED(CMD_BOOTM_PRE_LOAD)) {
> +               ret = image_pre_load(addr);
> +
> +               if (ret) {
> +                       ret = CMD_RET_FAILURE;
> +                       goto out;
> +               }
> +
> +               env_set_hex("loadaddr_verified", addr + image_load_offset);
> +       }
> +
> + out:
> +       return ret;
> +}
> +
> +U_BOOT_CMD(verify, 2, 1, do_verify,
> +          "verify the global signature provided in the pre-load header,\n"
> +          "\tif the check succeed, the u-boot env variable loadaddr_verified\n"
> +          "\tis set to the address of the image (without the header)",
> +          "<image addr>"
> +);
> --
> 2.17.1
>

Regards,
Simon

Hi Simon,


Le 03/03/2022 à 04:37, Simon Glass a écrit :
> Hi Philippe,
>
> On Fri, 25 Feb 2022 at 07:58, Philippe Reynes
> <philippe.reynes@softathome.com> wrote:
>> Add the command verify that check the signature of
>> an image with the pre-load header. If the check
>> succeed, the u-boot env variable 'loadaddr_verified'
>> is set to the address of the image (without the header).
>>
>> It allows to run such commands:
>> tftp script.img && verify $loadaddr && source $loadaddr_verified
>>
>> Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
>> ---
>>   cmd/Kconfig  |  7 +++++++
>>   cmd/Makefile |  1 +
>>   cmd/verify.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++
>>   3 files changed, 61 insertions(+)
>>   create mode 100644 cmd/verify.c
>>
> Using the 'verify' command seems a bit vague. Could it be a
> sub-command of bootm perhaps?


The command verify may be used with any binary (script, video firmware, 
.....).
So a lot of binaries that are not launched by bootm.
I think that it is not "logic" to used a bootm subcommand.
But we could use another name if you want.
For example : pre_load_verify ?


>> diff --git a/cmd/Kconfig b/cmd/Kconfig
>> index 87aa3fb11a..0460d5c3a0 100644
>> --- a/cmd/Kconfig
>> +++ b/cmd/Kconfig
>> @@ -428,6 +428,13 @@ config CMD_THOR_DOWNLOAD
>>            There is no documentation about this within the U-Boot source code
>>            but you should be able to find something on the interwebs.
>>
>> +config CMD_VERIFY
>> +       bool "verify the global signature"
>> +        depends on CMD_BOOTM_PRE_LOAD
>> +       help
>> +         Verify the signature provided in a pre-load header of
>> +         a full image.
> Please point to docs here
>
>> +
>>   config CMD_ZBOOT
>>          bool "zboot - x86 boot command"
>>          help
>> diff --git a/cmd/Makefile b/cmd/Makefile
>> index 166c652d98..80e054e806 100644
>> --- a/cmd/Makefile
>> +++ b/cmd/Makefile
>> @@ -177,6 +177,7 @@ obj-$(CONFIG_CMD_THOR_DOWNLOAD) += thordown.o
>>   obj-$(CONFIG_CMD_XIMG) += ximg.o
>>   obj-$(CONFIG_CMD_YAFFS2) += yaffs2.o
>>   obj-$(CONFIG_CMD_SPL) += spl.o
>> +obj-$(CONFIG_CMD_VERIFY) += verify.o
>>   obj-$(CONFIG_CMD_W1) += w1.o
>>   obj-$(CONFIG_CMD_ZIP) += zip.o
>>   obj-$(CONFIG_CMD_ZFS) += zfs.o
>> diff --git a/cmd/verify.c b/cmd/verify.c
>> new file mode 100644
>> index 0000000000..4d055e0790
>> --- /dev/null
>> +++ b/cmd/verify.c
>> @@ -0,0 +1,53 @@
>> +// SPDX-License-Identifier: GPL-2.0+
>> +/*
>> + * Copyright (C) 2022 Philippe Reynes <philippe.reynes@softathome.com>
>> + */
>> +
>> +#include <common.h>
>> +#include <env.h>
>> +#include <image.h>
>> +#include <mapmem.h>
>> +
>> +static ulong verify_get_addr(int argc, char *const argv[])
>> +{
>> +       ulong addr;
>> +
>> +       if (argc > 0)
>> +               addr = simple_strtoul(argv[0], NULL, 16);
> hextoul
>
>> +       else
>> +               addr = image_load_addr;
>> +
>> +       return addr;
>> +}
>> +
>> +static int do_verify(struct cmd_tbl *cmdtp, int flag, int argc,
>> +                    char *const argv[])
>> +{
>> +       ulong addr = verify_get_addr(argc, argv);
>> +       int ret = 0;
>> +
>> +       argc--; argv++;
>> +
>> +       addr = verify_get_addr(argc, argv);
>> +
>> +       if (CONFIG_IS_ENABLED(CMD_BOOTM_PRE_LOAD)) {
>> +               ret = image_pre_load(addr);
>> +
>> +               if (ret) {
>> +                       ret = CMD_RET_FAILURE;
>> +                       goto out;
>> +               }
>> +
>> +               env_set_hex("loadaddr_verified", addr + image_load_offset);
>> +       }
>> +
>> + out:
>> +       return ret;
>> +}
>> +
>> +U_BOOT_CMD(verify, 2, 1, do_verify,
>> +          "verify the global signature provided in the pre-load header,\n"
>> +          "\tif the check succeed, the u-boot env variable loadaddr_verified\n"
>> +          "\tis set to the address of the image (without the header)",
>> +          "<image addr>"
>> +);
>> --
>> 2.17.1
>>
> Regards,
> Simon

Regards,

Philippe

Hi Philippe,

On Thu, 10 Mar 2022 at 09:53, Philippe REYNES
<philippe.reynes@softathome.com> wrote:
>
> Hi Simon,
>
>
> Le 03/03/2022 à 04:37, Simon Glass a écrit :
> > Hi Philippe,
> >
> > On Fri, 25 Feb 2022 at 07:58, Philippe Reynes
> > <philippe.reynes@softathome.com> wrote:
> >> Add the command verify that check the signature of
> >> an image with the pre-load header. If the check
> >> succeed, the u-boot env variable 'loadaddr_verified'
> >> is set to the address of the image (without the header).
> >>
> >> It allows to run such commands:
> >> tftp script.img && verify $loadaddr && source $loadaddr_verified
> >>
> >> Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
> >> ---
> >>   cmd/Kconfig  |  7 +++++++
> >>   cmd/Makefile |  1 +
> >>   cmd/verify.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++
> >>   3 files changed, 61 insertions(+)
> >>   create mode 100644 cmd/verify.c
> >>
> > Using the 'verify' command seems a bit vague. Could it be a
> > sub-command of bootm perhaps?
>
>
> The command verify may be used with any binary (script, video firmware,
> .....).
> So a lot of binaries that are not launched by bootm.
> I think that it is not "logic" to used a bootm subcommand.
> But we could use another name if you want.
> For example : pre_load_verify ?

I see. Well, I suppose this is a boot loader, so 'verify' would be
expected to mean verifying an image or something to boot, so this
seems reasonable to me. But I do like the idea of putting pre_load in
there somewhere if you can, since we do most other verification as
part of the 'bootm' command. Up to you.

Reviewed-by: Simon Glass <sjg@chromium.org>

Regards,
Simon

Hi Simon,


Le 28/03/2022 à 08:35, Simon Glass a écrit :
> Hi Philippe,
>
> On Thu, 10 Mar 2022 at 09:53, Philippe REYNES
> <philippe.reynes@softathome.com> wrote:
>> Hi Simon,
>>
>>
>> Le 03/03/2022 à 04:37, Simon Glass a écrit :
>>> Hi Philippe,
>>>
>>> On Fri, 25 Feb 2022 at 07:58, Philippe Reynes
>>> <philippe.reynes@softathome.com> wrote:
>>>> Add the command verify that check the signature of
>>>> an image with the pre-load header. If the check
>>>> succeed, the u-boot env variable 'loadaddr_verified'
>>>> is set to the address of the image (without the header).
>>>>
>>>> It allows to run such commands:
>>>> tftp script.img && verify $loadaddr && source $loadaddr_verified
>>>>
>>>> Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
>>>> ---
>>>>    cmd/Kconfig  |  7 +++++++
>>>>    cmd/Makefile |  1 +
>>>>    cmd/verify.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>>    3 files changed, 61 insertions(+)
>>>>    create mode 100644 cmd/verify.c
>>>>
>>> Using the 'verify' command seems a bit vague. Could it be a
>>> sub-command of bootm perhaps?
>>
>> The command verify may be used with any binary (script, video firmware,
>> .....).
>> So a lot of binaries that are not launched by bootm.
>> I think that it is not "logic" to used a bootm subcommand.
>> But we could use another name if you want.
>> For example : pre_load_verify ?
> I see. Well, I suppose this is a boot loader, so 'verify' would be
> expected to mean verifying an image or something to boot, so this
> seems reasonable to me. But I do like the idea of putting pre_load in
> there somewhere if you can, since we do most other verification as
> part of the 'bootm' command. Up to you.


I have sent a v8 where I remove the command pre_load_verify,
and add the subcommand preload to bootm.


> Reviewed-by: Simon Glass <sjg@chromium.org>
>
> Regards,
> Simon

Regards,

Philippe